English Articles -

Úvod  0  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15  16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31  32  33  34  35  36  37  38  39  40  41  42  43  44  45  46  47  48  49  50 


 


Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware
8.2.2018 thehahckernews CyberSpy  CoinMine

Security researchers have discovered a custom-built piece of malware that's wreaking havoc in Asia for past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems.
Dubbed Operation PZChao, the attack campaign discovered by the security researchers at Bitdefender have been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States.
Researchers believe nature, infrastructure, and payloads, including variants of the Gh0stRAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group—Iron Tiger.
However, this campaign has evolved its payloads to drop trojan, conduct cyber espionage and mine Bitcoin cryptocurrency.
The PZChao campaign is attacking targets across Asia and the U.S. by using similar attack tactics as of Iron Tiger, which, according to the researchers, signifies the possible return of the notorious Chinese APT group.
Since at least July last year, the PZChao campaign has been targeting organizations with a malicious VBS file attachment that delivers via highly-targeted phishing emails.

If executed, the VBS script downloads additional payloads to an affected Windows machine from a distribution server hosting "down.pzchao.com," which resolved to an IP address (125.7.152.55) in South Korea at the time of the investigation.
The threat actors behind the attack campaign have control over at least five malicious subdomains of the "pzchao.com" domain, and each one is used to serve specific tasks, like download, upload, RAT related actions, malware DLL delivery.
The payloads deployed by the threat actors are "diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system," researchers noted.
The first payload dropped on the compromised machines is a Bitcoin miner, disguised as a 'java.exe' file, that mines cryptocurrency every three weeks at 3 AM, when most people are not in front of their systems.
For password stealing, the malware also deploys one of two versions of the Mimikatz password-scraping utility (depending on the operating architecture of the affected machine) to harvest passwords and upload them to the command and control server.
PZChao's final payload includes a slightly modified version of Gh0st remote access trojan (RAT) which is designed to act as a backdoor implant and behaves very similar to the versions detected in cyber attacks associated with the Iron Tiger APT group.
The Gh0st RAT is equipped with massive cyber-espionage capabilities, including:
Real-time and offline remote keystroke logging
Listing of all active processes and opened windows
Listening in on conversations via microphone
Eavesdropping on webcams' live video feed
Allowing for remote shutdown and reboot of the system
Downloading binaries from the Internet to remote host
Modifying and stealing files and more.
All of the above capabilities allows a remote attacker to take full control of the compromised system, spy on the victims and exfiltrate confidential data easily.
While the tools used in the PZChao campaign are a few years old, "they are battle-tested and more than suitable for future attacks," researchers say.
Active since 2010, Iron Tiger, also known as "Emissary Panda" or "Threat Group-3390," is a Chinese advanced persistent threat (APT) group that was behind previous campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.
Similar to the PZChao campaign, the group also carried out attacks against entities in China, the Philippines, and Tibet, besides attacking targets in the U.S.
For further insights, you can read the detailed technical paper published by Bitdefender.


Critical Flaw in Grammarly Spell Checker Could Let Attackers Steal Your Data
8.2.2018 thehahckernews
Vulnerebility

A critical vulnerability discovered in the Chrome and Firefox browser extension of the grammar-checking software Grammarly inadvertently left all 22 million users' accounts, including their personal documents and records, vulnerable to remote hackers.
According to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability on February 2, the Chrome and Firefox extension of Grammarly exposed authentication tokens to all websites that could be grabbed by remote attackers with just 4 lines of JavaScript code.
In other words, any website a Grammarly user visits could steal his/her authentication tokens, which is enough to login into the user's account and access every "documents, history, logs, and all other data" without permission.
"I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations," Ormandy said in a vulnerability report. "Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites."
Ormandy has also provided a proof-of-concept (PoC) exploit, which explains how one can easily trigger this serious bug to steal Grammarly user's access token with just four lines of code.

This high-severity flaw was discovered on Friday and fixed early Monday morning by the Grammarly team, which, according to the researcher, is "a really impressive response time" for addressing such bugs.
Security updates are now available for both Chrome and Firefox browser extensions, which should get automatically updated without requiring any action by Grammarly users.
A Grammarly spokesperson also told in an email that the company has no evidence of users being compromised by this vulnerability.
"Grammarly resolved a security bug reported by Google's Project Zero security researcher, Tavis Ormandy, within hours of its discovery. At this time, Grammarly has no evidence that any user information was compromised by this issue," the spokesperson said.
"We're continuing to monitor actively for any unusual activity. The security issue potentially affected text saved in the Grammarly Editor. This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is fixed, and there is no action required by Grammarly users."
Stay tuned for more updates.


Watch Out! New Cryptocurrency-Mining Android Malware is Spreading Rapidly
8.2.2018 thehahckernews Android  CoinMine

Due to the recent surge in cryptocurrency prices, threat actors are increasingly targeting every platform, including IoT, Android, and Windows, with malware that leverages the CPU power of victims' devices to mine cryptocurrency.
Just last month, Kaspersky researchers spotted fake antivirus and porn Android apps infected with malware that mines Monero cryptocurrency, launches DDoS attacks, and performs several other malicious tasks, causing the phone's battery to bulge out of its cover.
Now, security researchers at Chinese IT security firm Qihoo 360 Netlab discovered a new piece of wormable Android malware, dubbed ADB.Miner, that scans wide-range of IP addresses to find vulnerable devices and infect them to mine digital cryptocurrency.
According to the researchers, ADB.Miner is the first Android worm to reuse the scanning code programmed in Mirai—the infamous IoT botnet malware that knocked major Internet companies offline last year by launching massive DDoS attacks against Dyndns.
ADB.Miner scans for Android devices—including smartphones, smart TVs, and TV set-top boxes—with publicly accessible ADB debug interface running over port 5555 and then infects them with a malware that mines Monero cryptocurrency for its operators.
Android Debug Bridge (ADB) is a command-line tool that helps developers debug Android code on the emulator and grants access to some of the operating system’s most sensitive features.
It should be noted that almost all Android devices by default come with the ADB port disabled, so botnet would target only those devices that have manually been configured to enable port 5555.
Besides mining Monero cryptocurrency, ADB.Miner installed on an infected device also attempts to propagate itself by scanning for more targets on the Internet.
Researchers did not reveal exactly how or by exploiting which ADB flaw hackers are installing malware onto Android devices.
However, the researchers believed hackers are not exploiting any vulnerability that targets any specific device vendor since they found devices from a wide range of manufacturers impacted.
According to the researchers, the infection started on January 21, and the number of attacks has increased recently. As of Sunday, the researchers detected 7,400 unique IP addresses using the Monero mining code—that's more than 5,000 impacted devices in just 24 hours.
Based on the scanning IP addresses, the highest number of infection has been noticed in China (40%) and South Korea (31%), the researchers estimated.
In order to fight against such malware Android users are advised not to install unnecessary and untrusted applications from the app store, even from Google Play Store, and keep your devices behind a firewall or a VPN.


Researcher Claims Hotspot Shield VPN Service Exposes You on the Internet
8.2.2018 thehahckernews
Vulnerebility

Virtual Private Network (VPN) is one of the best solutions you can have to protect your privacy and data on the Internet, but you should be more vigilant while choosing a VPN service which truly respects your privacy.
If you are using the popular VPN service Hotspot Shield for online anonymity and privacy, you may inadvertently be leaking your real IP address and other sensitive information.
Developed by AnchorFree GmbH, Hotspot Shield is a VPN service available for free on Google Play Store and Apple Mac App Store with an estimated 500 million users around the world.
The service promises to "secure all online activities," hide users' IP addresses and their identities and protect them from tracking by transferring their internet and browsing traffic through its encrypted channel.
However, an 'alleged' information disclosure vulnerability discovered in Hotspot Shield results in the exposure of users data, like the name of Wi-Fi network name (if connected), their real IP addresses, which could reveal their location, and other sensitive information.
The vulnerability, assigned CVE-2018-6460, has been discovered and reported to the company by an independent security researcher, Paulos Yibelo, but he made details of the vulnerability to the public on Monday after not receiving a response from the company.
According to the researcher claims, the flaw resides in the local web server (runs on a hardcoded host 127.0.0.1 and port 895) that Hotspot Shield installs on the user's machine.
This server hosts multiple JSONP endpoints, which are surprisingly accessible to unauthenticated requests as well that in response could reveal sensitive information about the active VPN service, including its configuration details.
"http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected to what and what their real IP address is & other system juicy information. There are other multiple endpoints that return sensitive data including configuration details," Yibelo claims.
"User-controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine," the vulnerability description reads.
Yibelo has also publicly released a proof-of-concept (PoC) exploit code—just a few lines of JavaScript code—that could allow an unauthenticated, remote attacker to extract sensitive information and configuration data.
However, ZDNet reporter Zack Whittaker tries to verify researcher's claim and found that the PoC code only revealed the Wi-Fi network name and country, but not the real IP address.

In a statement, AnchorFree spokesperson acknowledged the vulnerability but denied the disclosure of real IP address as claimed by Yibelo.
"We have found that this vulnerability does not leak the user's real IP address or any personal information, but may expose some generic information such as the user's country," the spokesperson told ZDNet.
The researcher also claims that he was able to leverage this vulnerability to achieve remote code execution.
Hotspot Shield also made headlines in August last year, when the Centre for Democracy and Technology (CDT), a US non-profit advocacy group for digital rights, accused the service of allegedly tracking, intercepting and collecting its customers' data.


Intel Releases New Spectre Patches for Skylake CPUs
8.2.2018 securityweek 
Vulnerebility
Intel has started releasing new microcode updates that should address one of the Spectre vulnerabilities after the first round of patches caused significant problems for many users.

The company has so far released new firmware updates only for its Skylake processors, but expects updates to become available for other platforms as well in the coming days. Customers and partners have been provided beta updates to ensure that they can be extensively tested before being moved into production.

The chipmaker started releasing microcode patches for the Spectre and Meltdown vulnerabilities shortly after the attack methods were disclosed by researchers. However, the company was forced to suspend updates due to frequent reboots and other unpredictable system behavior. Microsoft and other vendors also disabled mitigations or stopped providing firmware updates due to Intel’s buggy patches.Intel provides new microcode updates for Skylake CPUs

Intel claims to have identified the root of an issue that caused systems to reboot more frequently after the patches were installed.

The company initially said only systems running Broadwell and Haswell CPUs experienced more frequent reboots, but similar behavior was later observed on Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms as well.

The problem appears to be related to the fix for CVE-2017-5715, one of the flaws that allows Spectre attacks, specifically Spectre Variant 2. Meltdown and Variant 1 of Spectre can be patched efficiently with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.

Both Intel and AMD announced recently that they are working on processors that will have built-in protections against exploits such as Spectre and Meltdown.

In the meantime, Intel has urged customers to always install updates as soon as they become available. On the other hand, many users might decide to take a risk and not immediately apply fixes in order to avoid potential problems such as the ones introduced by the first round of Spectre and Meltdown patches.

Intel has admitted that researchers or malicious actors will likely find new variants of the Spectre and Meltdown attacks.

Security firms have already spotted more than 100 malware samples exploiting the Spectre and Meltdown vulnerabilities. While a majority appeared to be in the testing phase, we could soon start seeing attacks in the wild, especially since the samples analyzed by experts are designed to work on major operating systems and browsers.

Intel, AMD and Apple face class action lawsuits over the Spectre and Meltdown vulnerabilities.


U.S. Announces Takedown of Global Cyber Theft Ring
8.2.2018 securityweek  IT
The US Justice Department announced indictments Wednesday for 36 people accused of running a transnational ring stealing and selling credit card and personal identity data, causing $530 million in losses.

Thirteen members of the "Infraud Organization" were arrested in the United States, Australia, Britain, France, Italy, Kosovo and Serbia, it said.

Created in Ukraine in 2010 by Svyatoslav Bondarenko, Infraud was a key hub for card fraud, touting itself with the motto "In Fraud We Trust."

It was "the premier one-stop shop for cybercriminals worldwide," said Deputy Assistant Attorney General David Rybicki.

Members could buy and sell card and personal data for use to buy goods on the internet, defrauding the card owners, card issuers and vendors.

Infraud operated automated vending sites to make it easy for someone to buy card and identity data from them. It had 10,901 approved "members" registered to buy and sell with them in early 2017, and maintained a rating and feedback system for members.

The senior administrators continuously screened the products and services of vendors "to ensure quality products," said the indictment.

The group operated moderated web forums to share advice among customers, and operated an "escrow" service for payments in digital currencies like Bitcoin, the Justice Department said.

"As alleged in the indictment, Infraud operated like a business to facilitate cyberfraud on a global scale," said Acting Assistant Attorney General John Cronan.

The network of indicted Infraud leaders included people from the United States, France, Britain, Egypt, Pakistan, Kosovo, Serbia, Bangladesh, Canada and Australia.

Bondarenko remains at large, but the number two figure in the organization, Russian co-founder Sergey Medvedev has been arrested, according to US officials.


Bangladesh to File U.S. Suit Over Central Bank Heist
8.2.2018 securityweek  Cyber
Bangladesh's central bank will file a lawsuit in New York against a Philippine bank over the world's largest cyber heist, the finance minister said Wednesday.

Unidentified hackers stole $81 million in February 2016 from the Bangladesh central bank's account with the US Federal Reserve in New York.

The money was transferred to a Manila branch of the Rizal Commercial Banking Corp (RCBC), then quickly withdrawn and laundered through local casinos.

With only a small amount of the stolen money recovered and frustration growing in Dhaka, Bangladesh's Finance Minister A.M.A Muhith said last year he wanted to "wipe out" RCBC.

On Wednesday he said Bangladesh Bank lawyers were discussing the case in New York and may file a joint lawsuit against the RCBC with the US Federal Reserve.

"It will be (filed) in New York. Fed may be a party," he told reporters in Dhaka.

The deputy central bank governor Razee Hassan told AFP the case would be filed in April.

"They (RCBC) are the main accused," he said.

"Rizal Commercial Banking Corporation (RCBC) and its various officials are involved in money heist from Bangladesh Bank's reserve account and the bank is liable in this regard," Hassan said in a written statement.

The Philippines in 2016 imposed a record $21 million fine on RCBC after investigating its role in the audacious cyber heist.

Philippine authorities have also filed money-laundering charges against the RCBC branch manager.

The bank has rejected the allegations and last year accused Bangladesh's central bank of a "massive cover-up".

The hackers bombarded the US Federal Reserve with dozens of transfer requests, attempting to steal a further $850 million.

But the bank's security systems and typing errors in some requests prevented the full theft.

The hack took place on a Friday, when Bangladesh Bank is closed. The Federal Reserve Bank in New York is closed on Saturday and Sunday, slowing the response.

The US reserve bank, which manages the Bangladesh Bank reserve account, has denied its own systems were breached.


Cryptocurrency Mining Malware Hits Monitoring Systems at European Water Utility
8.2.2018 securityweek  CoinMine
Malware Chewed Up CPU of HMI at Wastewater Facility

Cryptocurrency mining malware worked its way onto four servers connected to an operational technology (OT) network at a wastewater facility in Europe, industrial cybersecurity firm Radiflow told SecurityWeek Wednesday.

Radiflow says the incident is the first documented cryptocurrency malware attack to hit an OT network of a critical infrastructure operator.

The servers were running Windows XP and CIMPLICITY SCADA software from GE Digital.

“In this case the [infected] server was a Human Machine Interface (HMI),” Yehonatan Kfir, CTO at Radiflow, told SecurityWeek. “The main problem,” Kfir continued “is that this kind of malware in an OT network slows down the HMIs. Those servers are responsible for monitoring physical processes.”

Radiflow wasn’t able to name the exact family of malware it found, but said the threat was designed to mine Monero cryptocurrency and was discovered as part of routine monitoring of the OT network of the water utility customer.

“A cryptocurrency malware attack increases device CPU and network bandwidth consumption, causing the response times of tools used to monitor physical changes on an OT network, such as HMI and SCADA servers, to be severely impaired,” the company explained. “This, in turn, reduces the control a critical infrastructure operator has over its operations and slows down its response times to operational problems.”

While the investigation is still underway, Radiflow’s team has determined that the cryptocurrency malware was designed to run in a stealth mode on a computer or device, and even disable its security tools in order to operate undetected and maximize its mining processes for as long as possible.

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical process of a critical infrastructure operator,” Kfir said. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

“PCs in an OT network run sensitive HMI and SCADA applications that cannot get the latest Windows, antivirus and other important updates, and will always be vulnerable to malware attacks,” Kfir said.

While the malware was able to infect an HMI machine at a critical infrastructure operator, the attack was likely not specifically targeted at the water utility.

Thousands of industrial facilities have their systems infected with common malware every year, and the number of attacks targeting ICS is higher than it appears, according to a 2017 report by industrial cybersecurity firm Dragos.

Existing public information on ICS attacks shows numbers that are either very high (e.g. over 500,000 attacks according to unspecified reports cited by Dragos), or very low (e.g. roughly 290 incidents per year reported by ICS-CERT). It its report, Dragos set out to provide more realistic numbers on malware infections in ICS, based on information available from public sources such as VirusTotal, Google and DNS data.

As part of a project it calls MIMICS (malware in modern ICS), Dragos was able to identify roughly 30,000 samples of malicious ICS files and installers dating back to 2003. Non-targeted infections involving viruses such as Sivis, Ramnit and Virut are the most common, followed by Trojans that can provide threat actors access to Internet-facing environments.

These incidents may not be as severe as targeted attacks and they are unlikely to cause physical damage or pose a safety risk. However, they can cause liability issues and downtime to operations, which leads to increased financial costs, Robert M. Lee, CEO and founder of Dragos, told SecurityWeek in March 2017.

One example is the incident involving a German nuclear energy plant in Gundremmingen, whose systems got infected with Conficker and Ramnit malware. The malware did not cause any damage and it was likely picked up by accident, but the incident did trigger a shutdown of the plant as a precaution.


Stealthy Data Exfiltration Possible via Magnetic Fields
8.2.2018 securityweek 
Virus
Researchers have demonstrated that a piece of malware present on an isolated computer can use magnetic fields to exfiltrate sensitive data, even if the targeted device is inside a Faraday cage.

A team of researchers at the Ben-Gurion University of the Negev in Israel have created two types of proof-of-concept (PoC) malware that use magnetic fields generated by a device’s CPU to stealthily transmit data.

A magnetic field is a force field created by moving electric charges (e.g. electric current flowing through a wire) and magnetic dipoles, and it exerts a force on other nearby moving charges and magnetic dipoles. The properties of a magnetic field are direction and strength.

The CPUs present in modern computers generate low frequency magnetic signals which, according to researchers, can be manipulated to transmit data over an air gap.

The attacker first needs to somehow plant a piece of malware on the air-gapped device from which they want to steal data. The Stuxnet attack and other incidents have shown that this task can be accomplished by a motivated attacker.

Once the malware is in place, it can collect small pieces of information, such as keystrokes, passwords and encryption keys, and send it to a nearby receiver.

The malware can manipulate the magnetic fields generated by the CPU by regulating its workload – for example, overloading the processor with calculations increases power consumption and generates a stronger magnetic field.

The collected data can be modulated using one of two schemes proposed by the researchers. Using on-off keying (OOK) modulation, an attacker can transmit “0” or “1” bits through the signal generated by the magnetic field – the presence of a signal represents a “1” bit and its absence a “0” bit.

Since the frequency of the signal can also be manipulated, the malware can use a specific frequency to transmit “1” bits and a different frequency to transmit “0” bits. This is known as binary frequency-shift keying (FSK) modulation.

Ben Gurion University researchers have developed two pieces of malware that rely on magnetic fields to exfiltrate data from an air-gapped device. One of them is called ODINI and it uses this method to transmit the data to a nearby magnetic sensor. The second piece of malware is named MAGNETO and it sends data to a smartphone, which typically have magnetometers for determining the device’s orientation.

In the case of ODINI, experts managed to achieve a maximum transfer rate of 40 bits/sec over a distance of 100 to 150 cm (3-5 feet). MAGNETO is less efficient, with a rate of only 0.2 - 5 bits/sec over a distance of up to 12.5 cm (5 inches). Since transmitting one character requires 8 bits, these methods can be efficient for stealing small pieces of sensitive information, such as passwords.

Researchers demonstrated that ODINI and MAGNETO also work if the targeted air-gapped device is inside a Faraday cage, an enclosure used to block electromagnetic fields, including Wi-Fi, Bluetooth, cellular and other wireless communications.

In the case of MAGNETO, the malware was able to transmit data even if the smartphone was placed inside a Faraday bag or if the phone was set to airplane mode.



Ben-Gurion researchers have found several ways of exfiltrating data from air-gapped networks, including through infrared cameras, router LEDs, scanners, HDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.


Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off.
8.2.2018 securityaffairs
Attack

Researchers from Princeton University have developed an app called PinME to locate and track smartphone without using GPS.
The research team led by Prateek Mittal, assistant professor in Princeton’s Department of Electrical Engineering and PinMe paper co-author developed the PinMe application that mines information stored on smartphones that don’t require permissions for access.

The data is processed alongside with public available maps and weather reports resulting on information if a person is traveling by foot, car, train or airplane and their travel route. The applications for intelligence and law enforcement agencies to solve crimes like kidnapping, missing people and terrorism are very significant.

As the researchers notice, the application utilizes a series of algorithms to locate and track someone using information like the phone IP address and time zone combined with data from its sensors. The phone sensors collect compass details from the gyroscope, air pressure reading from barometer and accelerometer data while remaining undetected from the user. The resulting data processed can be used to extract contextual information about users’ habits, regular activities, and even relationships.

This technology as many others have two sides: Help solving crimes at large, and implications on privacy and security of the users. The researchers hope to be fomenting the development of security measures to switch off sensor data by revealing this sensor security flaw. Nowadays such sensor data is collected by fitness and game applications to track people movement.

Another key point where the application can be a game changer is an alternative navigation tool, as highlighted by the researchers. Gps signals used in autonomous cars and ships can be the target of hackers putting the safety of the passengers in danger. The researchers conducted their experiment using Galaxy S4 i9500, iPhone 6 and iPhone 6S. To determine the last Wi-Fi connection, the PinMe application read the latest IP address used and the network status.

pinme

To determine how a user is traveling, the application utilizes a machine learning algorithm that recognizes the different patterns of walking, driving and flying by gathering data from the phones sensor like speed, direction of travel, delay between movement and altitude.

Once determined the pattern of activity of a user, the application then executes one of four additional algorithms to determine the type transportation. By comparing the phone data against public information the route of the user is determined. Maps from Google and the U.S. Geological Survey were used to determine the altitude details of every point on Earth. Details regarding temperature, humidity, and air pressure reports were also used to determine the use of trains or planes.

The researchers wanted also to raise the question about privacy and data collected without the user consent as Prateek Mittal states: “PinMe demonstrates how information from seemingly innocuous sensors can be exploited using machine-learning techniques to infer sensitive details about our lives”.

Sources:

https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371

https://nakedsecurity.sophos.com/2017/12/19/gps-is-off-so-you-cant-be-tracked-right-wrong/

https://www.princeton.edu/news/2017/11/29/phones-vulnerable-location-tracking-even-when-gps-services

https://www.theregister.co.uk/2018/02/07/boffins_crack_location_tracking_even_if_youve_turned_off_the_gps/

https://www.helpnetsecurity.com/2018/02/07/location-tracking-no-gps/

https://www.bleepingcomputer.com/news/security/apps-can-track-users-even-when-gps-is-turned-off/

https://arxiv.org/pdf/1802.01468.pdf

http://ieeexplore.ieee.org/document/8038870/?reload=true


For the second time CISCO issues security patch to fix a critical vulnerability in CISCO ASA
8.2.2018 securityaffairs
Vulnerebility

Cisco has rolled out new security patches for a critical vulnerability, tracked as CVE-2018-0101, in its CISCO ASA (Adaptive Security Appliance) software.
At the end of January, the company released security updates the same flaw in Cisco ASA software. The vulnerability could be exploited by a remote and unauthenticated attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition causing the reload of the system.


The vulnerability resides in the Secure Sockets Layer (SSL) VPN feature implemented by CISCO ASA software, it was discovered by the researcher Cedric Halbronn from NCC Group.

The flaw received a Common Vulnerability Scoring System base score of 10.0.

According to CISCO, it is related to the attempt to double free a memory region when the “webvpn” feature is enabled on a device. An attacker can exploit the vulnerability by sending specially crafted XML packets to a webvpn-configured interface.

Further investigation of the flaw revealed additional attack vectors, for this reason, the company released a new update. The researchers also found a denial of service issue affecting Cisco ASA platforms.

“After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory,” reads a blog post published by Cisco.

The experts noticed that the flaw ties with the XML parser in the CISCO ASA software, an attacker can trigger the vulnerability by sending a specifically crafted XML file to a vulnerable interface.

CISCO ASA attack

The list of affected CISCO ASA products include:

3000 Series Industrial Security Appliance (ISA)
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
ASA 1000V Cloud Firewall
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4110 Security Appliance
Firepower 9300 ASA Security Module
Firepower Threat Defense Software (FTD)
According to Cisco experts, there is no news about the exploitation of the vulnerability in the wild, anyway, it is important to apply the security updates immediately.


Automation Software Flaws Expose Gas Stations to Hacker Attacks
7.2.2018 securityweek CyberCrime
Gas stations worldwide are exposed to remote hacker attacks due to several vulnerabilities affecting the automation software they use, researchers at Kaspersky Lab reported on Wednesday.

The vulnerable product is SiteOmat from Orpak, which is advertised by the vendor as the “heart of the fuel station.” The software, designed to run on embedded Linux machines or a standard PC, provides “complete and secure site automation, managing the dispensers, payment terminals, forecourt devices and fuel tanks to fully control and record any transaction.”

Kaspersky researchers discovered that the “secure” part is not exactly true and more than 1,000 of the gas stations using the product allow remote access from the Internet. Over half of the exposed stations are located in the United States and India.

Gas stations exposed to hacker attacks

“Before the research, we honestly believed that all fueling systems, without exception, would be isolated from the internet and properly monitored. But we were wrong,” explained Kaspersky’s Ido Naor. “With our experienced eyes, we came to realize that even the least skilled attacker could use this product to take over a fueling system from anywhere in the world.”

According to the security firm, the vulnerabilities affecting SiteOmat could be exploited by malicious actors for a wide range of purposes, including to modify fuel prices, shut down fueling systems, or cause a fuel leakage.

The security holes can also allow hackers to move laterally within the targeted company’s network, gain access to payment systems and steal financial data, and obtain information on the station’s customers (e.g. license plates, driver identity data). Another possible scenario described by Kaspersky involves disrupting the station’s operations and demanding a ransom.

These attacks are possible due to a series of vulnerabilities, including hardcoded credentials (CVE-2017-14728), persistent XSS (CVE-2017-14850), SQL injection (CVE-2017-14851), insecure communications (CVE-2017-14852), code injection (CVE-2017-14853), and remote code execution (CVE-2017-14854). Exploiting the flaws does not require advanced hacking skills, Naor said.

The fact that the vendor has made available technical information about the device and a detailed user manual made it easier for experts to find the security holes.

The systems analyzed by Kaspersky were often embedded in fueling systems and researchers believe they had been connected to the Internet for more than a decade.

Orpak was informed about the flaws in September and the company told researchers a month later that it had been in the process of rolling out a hardened version of its system, but it has since not shared any updates on the status of patches. SecurityWeek has reached out to the vendor for comment and will update this article if the company responds.


Hackers From Florida, Canada Behind 2016 Uber Breach
7.2.2018 securityweek Hacking
Uber shares more details about 2016 data breach

Two individuals living in Canada and Florida were responsible for the massive data breach suffered by Uber in 2016, the ride-sharing company’s chief information security officer said on Tuesday.

In a hearing before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, Uber CISO John Flynn shared additional details on the data breach that the company covered up for more than a year.

The details of 57 million Uber riders and drivers were taken from the company’s systems between mid-October and mid-November 2016. The compromised data included names, email addresses, phone numbers, user IDs, password hashes, and the driver’s license numbers of roughly 600,000 drivers. The incident was only disclosed by Uber’s CEO, Dara Khosrowshahi, on November 21, 2017.

Flynn told the Senate committee on Tuesday that the data accessed by the hackers had been stored in an Amazon Web Services (AWS) S3 bucket used for backup purposes. The attackers had gained access to it with credentials they had found in a GitHub repository used by Uber engineers. Uber decided to stop using GitHub for anything other than open source code following the incident.

Uber’s security team was contacted on November 14, 2016, by an anonymous individual claiming to have accessed Uber data and demanding a six-figure payment. After confirming that the data obtained by the hackers was valid, the company decided to pay the attackers $100,000 through its HackerOne-based bug bounty program to have them destroy the data they had obtained.

While some members of Uber’s security team were working on containing the incident and finding the point of entry, others were trying to identify the attackers. The man who initially contacted Uber was from Canada and his partner, who actually obtained the data, was located in Florida, the Uber executive said.

“Our primary goal in paying the intruders was to protect our consumers’ data,” Flynn said in a prepared statement. “This was not done in a way that is consistent with the way our bounty program normally operates, however. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data.”

A code of conduct added by HackerOne to its disclosure guidelines last month includes an entry on extortion and blackmail, prohibiting “any attempt to obtain bounties, money or services by coercion.” It’s unclear if this is in response to the Uber incident, but the timing suggests that it may be.

The Uber CISO has not said if any actions have been taken against the hackers, but Reuters reported in December that the Florida resident was a 20-year-old who was living with his mother in a small home, trying to help pay the bills. The news agency learned from sources that Uber had decided not to press charges as the individual did not appear to pose a further threat.

Flynn admitted that “it was wrong not to disclose the breach earlier,” and said the ride-sharing giant has taken steps to ensure that such incidents are avoided in the future. He also admitted that the company should not have used its bug bounty program to deal with extortionists.

Uber’s chief security officer, Joe Sullivan, and in-house lawyer Craig Clark were fired over their roles in the breach. Class action lawsuits have been filed against the company over the incident and some U.S. states have announced launching investigations into the cover-up.

U.S. officials are not happy with the way Uber has handled the situation.

“The fact that the company took approximately a year to notify impacted users raises red flags within this Committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” said Sen. Jerry Moran, chairman of the congressional committee.

Just before the Senate hearing, Congresswoman Jan Schakowsky and Congressman Ben Ray Lujan highlighted that Uber had deceived the Federal Trade Commission (FTC) by failing to mention the 2016 breach while the agency had been investigating another, smaller cybersecurity incident suffered by the firm in 2014.


XSS, SQL Injection Flaws Patched in Joomla
7.2.2018 securityweek
Vulnerebility
One SQL injection and three cross-site scripting (XSS) vulnerabilities have been patched with the release of Joomla 3.8.4 last week. The latest version of the open-source content management system (CMS) also includes more than 100 bug fixes and improvements.

The XSS and SQL injection vulnerabilities affect the Joomla core, but none of them appear to be particularly dangerous – they have all been classified by Joomla developers as “low priority.”

The XSS flaws affect the Uri class (versions 1.5.0 through 3.8.3), the com_fields component (versions 3.7.0 through 3.8.3), and the Module chrome (versions 3.0.0 through 3.8.3).

The SQL injection vulnerability is considered more serious – Joomla developers have classified it as low severity, but high impact.

The security hole, tracked as CVE-2018-6376, affects versions 3.7.0 through 3.8.3. The issue was reported to Joomla by RIPS Technologies on January 17 and a patch was proposed by the CMS’s developers the same day.

In a blog post published on Tuesday, RIPS revealed that the vulnerability found by its static code analyzer is a SQL injection that can be exploited by an authenticated attacker with low privileges (i.e. Manager account) to obtain full administrator permissions.

“An attacker exploiting this vulnerability can read arbitrary data from the database. This data can be used to further extend the permissions of the attacker. By gaining full administrative privileges she can take over the Joomla! installation by executing arbitrary PHP code,” said RIPS researcher Karim El Ouerghemmi.

The researcher explained that this is a two-phase attack. First, the attacker injects arbitrary content into the targeted site’s database, and then they create a special SQL query that leverages the previously injected payload to obtain information that can be used to gain admin privileges.

This is not the first time RIPS has found a vulnerability in Joomla. In September, the company reported identifying a flaw that could have been exploited by an attacker to obtain an administrator’s username and password by guessing the credentials character by character.


Questionable Interpretation of Cybersecurity's Hidden Labor Cost
7.2.2018 securityweek Cyber
Report Claims a 2,000 Employee Organization Spends $16 Million Annually on Incident Triaging

The de facto standard for cybersecurity has always been detect and respond: detect a threat and respond to it, either by blocking its entry or clearing its presence. A huge security industry has evolved over the last two decades based on this model; and most businesses have invested vast sums in implementing the approach. It can be described as 'detect-to-protect'.

In recent years a completely different isolation cyber security paradigm has emerged. Rather than detect threats, simply isolate applications from them. This is achieved by running the app in a safe container where malware can do no harm. If an application is infected, the container and the malware is abandoned, and a clean version of the application is loaded into the container. There is no need to spend time and money on threat detection since it can do no harm. This is the isolation model.

The difficulty for vendors of isolation technology is that potential customers are already heavily invested in the detect paradigm. Getting them to switch to isolation is tantamount to asking them to abandon their existing investment as a waste of money.

Bromium, one of the earliest and leading isolation companies, has chosen to demonstrate the unnecessary continuing manpower cost of operating a detect-to-protect model, together with the unnecessary cybersecurity technology that supports it.

Bromium commissioned independent market research firm Vanson Bourne to survey 500 CISOs (200 in the U.S.; 200 in the UK; and 100 Germany) in order to understand and demonstrate the operational cost of detect-to-protect. All the surveyed CISOs are employed by firms with between 1000 and 5000 employees, allowing the research to quote figures based on an average organization of 2000 employees.

The bottom-line of this research (PDF) is that a company with 2,000 employees spends $16.7 million dollars every year on protect-to-detect. No comparable figure is given for an isolation model, but the reader is allowed to assume it would be considerably less.

The total cost is achieved by combining threat triaging costs, computer rebuilds, and emergency patching costs to provide the overall labor cost, plus the technology cost of nearly $350,000. The implication is that it is not so worrying to abandon $350,000 for a saving of $16 million -- and indeed, that would be true if the manpower costs are valid. But they are questionable.

All costs in the report are based on figures returned by the survey respondents. For example, according to the report, "Our research showed that enterprises issue emergency patches five times per month on average, with each fix taking 13 hours to deploy. That’s 780 hours a year, which—multiplied by the $39.24 average hourly rate for a cybersecurity professional—incurs costs of $30,607 per year."

But since these are emergency patches, we can add an additional $19,900 in overtime and/or contractor costs: a total of $49,900 every year that could be all but eliminated by switching to an isolation model.

The cost of computer rebuilds comes from the cost of rebuilding compromised computers that detect-to-protect has failed to protect. "On average," says the report, "organizations rebuild 51 devices every month, with each taking four hours to rebuild—equating to 2,448 hours each year. When multiplied by the average hourly wage of a cybersecurity professional, $39.24, that’s an average cost of $96,059 per year."

All these costs would seem to be realistic for a detect-to-protect model. The implication is that a switch to the isolate model would save nearly $500,000 per year to offset the cost of isolation. But the report goes much further, and suggests that much of a colossal $16 million can also be saved every year by an organization with 2,000 employees that will no longer require incident triaging by the security team.

How? "Well," claims the report, "on average SOC teams triage 796 alerts per week, taking an average of 10 hours per alert—that’s 413,920 hours across the year. When you consider that the average hourly rate for a cybersecurity professional is $39.24, that’s an annual average cost of more than $16 million each year."

The math works. But an alternative way of looking at these figures is that 7,960 hours of triaging would take more than 47 employees doing nothing but triaging 24 hours a day, seven days a week. Frankly, I doubt if any company with 2,000 employees does anything near this amount of triaging. It is, I suggest, misleading to state bluntly (as the report does): "Organizations spend $16 million per year triaging alerts."

“Application isolation provides the last line of defense in the new security stack and is the only way to tame the spiraling labor costs that result from detection-based solutions,” says Gregory Webb, CEO at Bromium. “Application isolation allows malware to fully execute, because the application is hardware isolated, so the threat has nowhere to go and nothing to steal. This eliminates reimaging and rebuilds, as machines do not get owned. It also significantly reduces false positives, as SOC teams are only alerted to real threats. Emergency patching is not needed, as the applications are already protected in an isolated container. Triage time is drastically reduced because SOC teams can analyze the full kill chain.”

All of this is perfectly valid -- except for the $16 million annual detect-to-protect triaging claim. SecurityWeek has invited Bromium to comment on our concerns, and will update this article with any response.


Capable Luminosity RAT Apparently Killed in 2017
7.2.2018 securityweek
Virus
The prevalence of the Luminosity remote access Trojan (RAT) is fading away after the malware was supposedly killed half a year ago, Palo Alto Networks says.

First seen in April 2015, Luminosity, also known as LuminosityLink, has seen broad use among cybercriminals, mainly due to its low price and long list of capabilities. Last year, Nigerian hackers used the RAT in attacks aimed at industrial firms.

Luminosity’s author might have claimed that the RAT was a legitimate tool, but its features told a different story: surveillance (remote desktop, webcam, and microphone), smart keylogger (record keystrokes, target specific programs, keylogger viewer), crypto-currency miner, distributed denial of service (DDoS) module.

Earlier this week, Europol’s European Cybercrime Centre (EC3) and the UK’s National Crime Agency (NCA) announced a law enforcement operation targeting sellers and users of the Luminosity Trojan, but Palo Alto says the threat appears to have died about half a year ago, long before this announcement.

The luminosity[.]link and luminosityvpn[.]com, domains associated with the malware, have been taken down as well. In fact, the sales of the RAT through luminosity[.]link ceased in July 2017, and customers started complaining about their licenses no longer working.

With Luminosity’s author, who goes by the online handle of KFC Watermelon, keeping a low profile and closing down sales, and with Nanocore RAT author arrested earlier, speculation emerged on the developer being arrested as well. It was also suggested that he might have handed over his customer list.

To date, however, no report of an arrest in the case of the Luminosity author has emerged, and Europol’s announcement focuses on the RAT’s users, without mentioning the developer. According to Palo Alto, this author (who also built Plasma RAT) lives in Kentucky, which would also explain his online handle.

The security firm collected over 43,000 unique Luminosity samples during the two years when the threat was being sold, and says that thousands of customers submitted samples for analysis.

To verify the legitimate use of the RAT, the command and control servers had to contact a licensing server. In July 2017, researchers observed a sharp drop in sales, with the licensing server going down, despite some samples still being seen. Palo Alto believes the RAT’s prevalence was likely fueled by cracked versions, as development had already stopped.

“Based on our analysis and the recent Europol announcement, it does seem though that LuminosityLink is indeed dead, and we await news of what has indeed happened to the author of this malware. In support of this, we have seen LuminosityLink prevalence drop significantly and we believe any remaining observable instances are likely due to cracked versions,” Palo Alto notes.

The researchers also note that, although some of the Luminosity’s features might be put to legitimate use, the “preponderance of questionable or outright illegitimate features discredit any claims to legitimacy” that the RAT’s author might have.


The Argument Against a Mobile Device Backdoor for Government
7.2.2018 securityweek Mobil
Just as the Scope of 'Responsible Encryption' is Vague, So Too Are the Technical Requirements Necessary to Achieve It

The 'responsible encryption' demanded by law enforcement and some politicians will not prevent criminals 'going dark'; will weaken cyber security for innocent Americans; and will have a hit on the U.S. economy. At the same time, there are existing legal methods for law enforcement to gain access to devices without requiring new legislation.

These are the conclusions of Riana Pfefferkorn, cryptography fellow at the Center for Internet and Society at the Stanford Law School in a paper published Tuesday titled, The Risks of “Responsible Encryption” (PDF).

One of the difficulties in commenting on government proposals for responsible encryption is that there are no proposals -- merely demands that it be introduced. Pfefferkorn consequently first analyzes the various comments of two particularly vocal proponents: U.S. Deputy Attorney General, Rod Rosenstein, and the current director of the FBI, Christopher Wray to understand what they, and other proponents, might be seeking.

Wray seems to prefer a voluntary undertaking from the technology sector. Rosenstein is looking for a federal legislative approach. Rosenstein seems primarily concerned with mobile device encryption. Wray is also concerned with access to encrypted mobile devices (and possibly other devices), but sees responsible encryption also covering messaging apps (but perhaps not other forms of data in transit).

Just as the scope of 'responsible encryption' is vague, so too are the technical requirements necessary to achieve it.

"The only technical requirement that both officials clearly want," concludes Pfefferkorn, "is a key-escrow model for exceptional access, though they differ on the specifics. Rosenstein seems to prefer that the provider store its own keys; Wray appears to prefer third-party key escrow."

The basic argument is that golden keys to devices and/or messaging apps should be maintained somewhere that law enforcement can access with a court order: that is, some form of key escrow. This is a slightly lesser ambition than that sought by government in the mid-1990s in the discussions between government (then, as now, not just in the U.S.) and technologists during what became known as the First Crypto War. At that time, government sought much wider control over encryption, and access to everyone's computer at chip level. New America published a history (PDF) of that era in 2015.

Rosenstein has argued that device and application manufacturers already have and use a form of key escrow to manage and perform software updates. The argument is that if they can do this for themselves, they can do it for government to prevent criminal communications from 'going dark'. Pfefferkorn, however, offers four arguments against this.

First, the scale is completely different. The software update key is known and used by only a very small number of internal and highly trusted staff, and then used only infrequently. But, suggests Pfefferkorn, "with law enforcement agencies from around the globe sending in requests to the manufacturer or third-party escrow agent at all hours (and expecting prompt turn-around), the decryption key would likely be called into use several times a day, every day. This, in turn, means the holder of the key would have to provide enough staff to comply expeditiously with all those demands."

Increased use of the key increases the risk of loss through human error or malfeasance (such as extortion or bribery) -- and the loss of that key could be catastrophic.

Second, attackers will seek to exploit the process through social engineering with spear-phishing attacks against the vendor's or escrow agent's employees; and it is generally only a matter of time before spear-phishing succeeds. The likelihood of spear-phishing succeeding will increase with the sheer volume of LEA demands received. The FBI has claimed that it had around 7,800 seized phones it could not unlock in the last fiscal year. These alone, not including any phones seized by the thousands of State and local law enforcement offices, would average at more than 20 key requests every day, making a spear-phishing attempt less obvious.

Third, it would harm the U.S. economy both through loss of market share at home and abroad (since security could not be guaranteed), and through the economic effect of ID and IP theft following the likely abuse of the system.

Finally, Pfefferkorn argues that access to devices through key escrow still won't necessarily provide access to communications or content if these are separately encrypted by the user. "If the user chooses a reasonable password for the app," she says, "then unlocking the phone will not do any good... In short, an exceptional-access mandate for devices will never be completely effective."

Pfefferkorn goes further by suggesting that there are already numerous ways in which LEAs can obtain information from mobile devices. If the device is locked with a biometric identifier, the police can compel its owner to unlock it (not so with a password lock). If it is synced with other devices or backed up to the cloud, then access may be easier from these other destinations. Law enforcement already claims wide-ranging powers under the Stored Communications Act to access stored communications and transactional records held by ISPs -- as seen in the long-running battle between Microsoft and the government.

Metadata is another source of legal information. This can be gleaned from message headers, while cell towers can provide location and journey tracking. Far more metadata is likely to become available through the internet of things.

Finally, there are forensics and 'government hacking' opportunities. In early 2016 the FBI asked, and then got a court order, for Apple to provide access to the locked iPhone of Syed Rizwan Farook, known as the San Bernardino Shooter. Apple declined -- but either through contract hackers or a forensics company such as Cellebrite, the FBI eventually succeeded without help from Apple. "The success of tools such as Cellebrite’s in circumventing device encryption," says Pfefferkorn, "stands as a counterpoint to federal officials’ asserted need to require device vendors by law to weaken their own encryption."

Pfefferkorn's opinion in the ongoing argument for law enforcement to be granted an 'exceptional-access' mandate is clear: "It would be unwise."


Automated Hacking Tool Autosploit Cause Concerns Over Mass Exploitation
7.2.2018 securityaffairs
Exploit

The Autosploit hacking tool was developed aiming to automate the compromising of remote hosts both by collecting automatically targets as well as by using Shodan.io API.
Users can define its platform search queries like Apache, IIS and so forth to gather targets to be attacked. After gathering the targets, the tool uses Metasploit modules of its exploit component to compromise the hosts.

The Metasploit modules to be used will depend on the comparison of the name of the module and the query search. The developer also added a type of attack where all modules can be used at once. As the author noticed, Metasploit modules were added with the intent of enabling Remote Code Execution as well as gaining Reverse TCP Shell or Meterpreter Sessions.

Autosploit

There are different opinions about the release of the tool by experts. As noticed by Bob Noel, Director of Strategic Relationships and Marketing at Plixer:

“AutoSploit doesn’t introduce anything new in terms of malicious code or attack vectors. What it does present is an opportunity for those who are less technically adept to use this tool to cause substantial damage. Once initiated by a person, the script automates and couples the process of finding vulnerable devices and attacking them. The compromised devices can be used to hack Internet entities, mine cryptocurrencies, or be recruited into a botnet for DDoS attacks. The release of tools like these exponentially expands the threat landscape by allowing a wider group of hackers to launch global attacks at will”.

On the other hand, Chris Roberts, chief security architect at Acalvio states:

” The kids are not more dangerous. They already were dangerous. We’ve simply given them a newer, simpler, shinier way to exploit everything that’s broken. Maybe we should fix the ROOT problem”.

The recent revelation that adult sex toys can be accessed remotely by hackers using Shodan is a scenario where the tool can represent a great and grave danger.

The risks and dangers looming around always existed. The release of the tool is not a new attack vector itself according to Gavin Millard, Technical Director at Tenable:

“Most organizations should have a process in place for measuring their cyber risk and identifying issues that could be easily leveraged by automated tools. For those that don’t, this would be an ideal time to understand where those exposures are and address them before a curious kid pops a web server and causes havoc with a couple of commands”.

A recommendation is given by Jason Garbis, VP at Cyxtera: ” In order to protect themselves, organizations need to get a clear, accurate, and up-to-date picture of every service they expose to the Internet. Security teams must combine internal tools with external systems like Shodan to ensure they’re aware of all their points of exposure”.

Sources:

https://www.scmagazine.com/autosploit-marries-shodan-metasploit-puts-iot-devices-at-risk/article/740912/
https://motherboard.vice.com/en_us/article/xw4emj/autosploit-automated-hacking-tool
https://arstechnica.com/information-technology/2018/02/threat-or-menace-autosploit-tool-sparks-fears-of-empowered-script-kiddies/
https://www.wired.com/story/autosploit-tool-makes-unskilled-hacking-easier-than-ever/
https://n0where.net/automated-mass-exploiter-autosploit
http://www.informationsecuritybuzz.com/expert-comments/autosploit/
https://securityledger.com/2018/02/episode-82-skinny-autosploit-iot-hacking-tool-get-ready-gdpr
https://www.kitploit.com/2018/02/autosploit-automated-mass-exploiter.html
https://www.darkreading.com/threat-intelligence/autosploit-mass-exploitation-just-got-a-lot-easier-/a/d-id/1330982
http://www.securityweek.com/autosploit-automated-hacking-tool-set-wreak-havoc-or-tempest-teapot


Hackers can remotely access adult sex toys compromising at least 50.000 users
7.2.2018 securityaffairs Hacking

Researchers discovered that sex toys from German company Amor Gummiwaren GmbH and its cloud platform are affected by critical security flaws.
As a result for Master Thesis by Werner Schober in cooperation with SEC Consult and the University of Applied Sciences St. Pölten, it was discovered that sex toys from German company Amor Gummiwaren GmbH and its cloud platform are affected by critical security flaws.

In an astonishing revelation, multiple vulnerabilities were discovered in “Vibratissimo” secy toys and in its cloud platform that compromised not only the privacy and data protection but also physical safety of owners.

sexy toys

The database pertaining all customers data was accessible via internet in such a way that explicit images, chat logs, sexual orientation, email addresses and passwords in clear text were compromised.

A total lack of security measures had caused the enumeration of all explicit images of users compromising their identities due to the utilization of predictable numbers and absence of authorization verification. Hackers could even give pleasure to users without their consent using the internet or standing nearby the address within the range of Bluetooth. These are only a few dangers users are exposed once connected to the world of the Internet of Things (IoT).

The Internet of Things (IoT) is a technology that comprises a myriad of devices connected to the internet and has evolved in such way that is present in many products used in a daily basis, from cars to home utilities. Once taking this into account we see the arising of a new sub-category within the Internet of Things (IoT) named Internet of Dildos (IoD). The Internet of Dildos (IoD) comprehends every device connected to networks that give mankind pleasure. According to the article, the term from 1975 given to this area of research is the following: “Teledildonics (also known as “cyberdildonics”) is technology for remote sex (or, at least, remote mutual masturbation), where tactile sensations are communicated over a data link between the participants”.

The products from Amor Gummiwaren GmbH that are vulnerable are the following: Vibratissimo Panty Buster, MagicMotion Flamingo, and Realov Lydia. The analysis of researchers focused on Vibratissimo Panty Buster. The panty buster is a sex toy that can be controlled remotely with mobile applications (Android, iOS), but the mobile application, the backend server, hardware, and firmware are developed by third-party company. The application presents many interactive features that enable extensive communication and sharing capabilities, in such a manner that creates a social network where users can expand their experience. Some features are: Search for other users, the creation of friends lists, video chat, message board and sharing of image galleries that can be stored across its social network.

The vulnerabilities found were: Customer Database Credential Disclosure, Exposed administrative interfaces on the internet, Cleartext Storage of Passwords, Unauthenticated Bluetooth LE Connections, Insufficient Authentication Mechanism, Insecure Direct Object Reference, Missing Authentication in Remote Control and Reflected Cross-Site Scripting. As we start taking a glimpse at the vulnerabilities discovered we can consider the following: All credentials of Vibratissimo database environment were leaked on the internet, alongside with the PHPMyAdmin interface that can have allowed hackers to access the database and dump all content.

The PHPMyAdmin interface was accessible throughout the URL http://www.vibratissimo.com/phpmyadmin/ with the stored passwords without encryption in clear text format. The content pertained to the database might have the following data: Usernames, Session Tokens, Cleartext passwords, chat histories and explicit image galleries created by the users themselves. The DS_STORE file and config.ini.php was found on the web server of Vibratissimo in such way that hackers could exploit attack vector like directory listing and discover the operating system which in this case is a MAC OSX.

Also, as disclosed by the researchers, there are great dangers to users in the remote control of the vibrator. The first is related to the connection between the Bluetooth LE of the vibrator and the smartphone application that could lead to eavesdropping, replay and MitM attacks. Although the equipment offers several pairing methods the most dangerous is “no pairing” as noted in the report. This method can allow hackers to search for information on the device as well as write data. If a hacker is in range, he could take control of the device. Also, a man in the middle attack is possible due to the lack of authentication, where a hacker can create a link for itself and then decrement or increment the ID to get direct access to the link used by the person. Due to the lack of authentication, a reflected cross-site scripting is also possible, but as noticed by the researchers it is not as dangerous as the other security issues.

Last but not least the researchers recommend a complete update in the software and mobile application used by the devices. It is highly recommended for all users to change their login information as well as their passwords for greater protection. Not all security flaws were addressed and corrected, therefore there are some dangers loaming around that can be exploited by tools like Shodan and autosploit. It is a social security concern these vulnerabilities since they pose a grave danger to user’s reputation, that can lead to suicide.

Sources:

http://www.securitynewspaper.com/2018/02/03/internet-dildos-long-way-vibrant-future-iot-iod/

https://www.sec-consult.com/en/blog/2018/02/internet-of-dildos-a-long-way-to-a-vibrant-future-from-iot-to-iod/index.html

https://www.sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilities-in-whole-vibratissimo-smart-sex-toy-product-range/index.html

https://www.theregister.co.uk/2018/02/02/adult_fun_toy_security_fail/

http://www.zdnet.com/article/this-smart-vibrator-can-be-easily-hacked-and-remotely-controlled-by-anyone

https://mashable.com/2018/02/01/internet-of-dildos-hackers-teledildonics

https://www.cnet.com/news/beware-the-vibratissimo-smart-vibrator-is-vulnerable-to-hacks/

http://www.wired.co.uk/article/sex-toy-bluetooth-hacks-security-fix

https://www.forbes.com/sites/thomasbrewster/2018/02/01/vibratissimo-panty-buster-sex-toy-multiple-vulnerabilities/#37ec1d25a944


9 Tips to Prevent WordPress Hacks in this Dangerous Digital World
7.2.2018 securityaffairs Hacking

WordPress hacks are increasingly common. Whether it’s for malicious reasons, to harm a site or to just insert backlinks, WordPress can be very vulnerable if not cared for and updated regularly. How to Prevent hacks?
So, how do you prevent these security blips – this post aims to show how.

Backup
Regular data backup can save you lots of frustration and headache, and especially after a hack. Taking the necessary measures to ensure information on your WordPress site or blog is backed up before making any significant changes, and doing the same after updates are recommended.

Although most people prefer to backup their data manually, using a plugin can make your work much more manageable. Plugins provide a convenient way to handle data backups at set times or intervals. Backup buddy (a plugin) is pretty good at this.

Although a paid option, this plugin exports everything on your WP from settings, files, images, and content on the database. You could also opt for free plugins as well.

Update the WordPress Version as Quickly as the New Comes
Updating your blog/site to the latest WP version can also save you lots of trouble. The regular updates are not only meant to make your experience much better but also patches security loopholes that could otherwise be manipulated by hackers.

You can simply follow WordPress feeds to find out about new updates, or just log in to the blog as admin. Be sure to follow WordPress Development blogs to get the latest updates on when the next patch or fixed will be released.

Check Themes and Plugins for Continued Support
Only used plugins and themes with continuous support and updates. It is through the continued support that developers of the same can release patches to make their plugins hacker-proof.

Any outdated or plugins/themes that no longer receive updates should be avoided, or uninstalled altogether. Most developers only provide support for about a year or two, then discontinue support for the same.

Be sure to look for themes or plugins with active support, receives frequent updates, well-rated, and customer support. You will be surprised to know most of the top-selling themes are outdated or longer receive updates. Look at the comment section for red flags and other indicators of flaws in the same before making an order.

Most of the premium WordPress themes will come bundled with third-party plugins. Some of the plugins bundled with the theme may or may not receive frequent updates.

Revolution Slider is an excellent example of plugins that come bundled with lots of themes on ThemeForest. This plugin had a major vulnerability back in 2014.

The thousands of sites that used this plugin were hacked with most of the hacks redirecting traffic to malicious sites. Although the developers of the same were pushing out updates for their themes, one loophole cost many websites a fortune.

As a precaution, consider investing in plugins that aren’t bundled with extra ‘freebies’. If need be, buy each plugin individually to reduce vulnerabilities to your site. You also need to turn on updates on these plugins to keep your site safe as well.

Keep the WP Admin Directory Protected
The admin directory in WP should always be password protected at all times. It holds the key to every function and security of the site. Password protecting the WP-admin directory helps keep hackers and other malicious people at bay.

This also means the admin will be required to enter two passwords to access the admin directory. The first password gives access to the login page with the WP-Admin directory still protected. The fun part about password-protecting this directory is that you get to control all aspects of the site, including unlocking various parts for access to authorized users only.

One way to protect the WP-admin directory is by installing the AskApache Password Protect plugin. The plugin configures enhanced security file permissions and encrypts the directory with a .htpasswd file.

Encrypt Data with Secure Socket Layer (SSL) Certificate
Using the SSL certificate to secure the Admin panel is not only wise but a smart move. This certification ensures data transfer between the server and user browsers is encrypted and almost impossible to breach.

This enhances data security on the site. Getting an SSL certificate is easy too. You can have your hosting firm for one, or just buy the certificate from a dedicated company.

The Let’s Encrypt SSL certificate is available for free and is an open source product as well. This means it does a pretty good job of keeping your site and data secure. Using an SSL certificate on your WP site can also help boost the site’s rankings on Google

Rename the Login URL
Changing the default WP login address to a different one gives your site an extra layer of security. You can do this by accessing the site’s admin URL.

Renaming the URL makes it hard for hackers to brute force their way into the site. Test the new login details with GWDb to see if anyone can guess your login details.

Although a simple maneuver, this trick helps restrict unauthorized entry to your login page. Only individuals with the login URL and details can access the dashboard. You could also use the iThemes Security plugin to rename your login address.


Never use Public Wi-Fi to Log In
Although public Wi-Fi may seem convenient, it poses multiple threats to your devices, sites, and online activity. Any malicious person on the same network or running packet sniffing software can sniff out any personal data you send via the same. If you have to log in to your WP site admin panel, then ensure you have an SSL certificate installed, or better still, use a virtual private network (VPN).

Have a VPN service installed on your computer or any other device just in case you need to log in to your site. It would also be a good habit to have the VPN running even with the SSL certificate installed. Never underestimate the skills of a black hat hacker targeting your site.

Disable File Editing
Users with admin access to your WP site or dashboard can edit or even change files on the site. This includes themes and plugins already installed in the same.

Disabling file editing on the site means only you can make changes to the site, and also helps make it almost impossible for hackers to change anything on the site. Any hacker that gains access to the WP dashboard will find it hard to change or modify files already on the site. Consider disallowing other users adding content and scripts to the site as well.

To do this, add these commands to the wp-config.php file located at the very end.

Define (‘DISALLOW_FILE_EDIT’, true);

Use the Right Server Configurations and Connections
According to matthewwoodward.co.uk you should only connect the server through SSH or SFTP when setting up the site for the first time. SFTP has more security features enabled as compared to the traditional FTP protocol. These security features are also not attributed to FTP, thus enhanced security.

Connecting the server via SFTP and SSH guarantees secure file transfer. Most web hosting providers can provide this service on request, with some offering it as a part of their packages. You can also enable these features manually too. Some expert knowledge may be needed to connect such safety and without much struggle.


BSides NYC, a volunteer organized event put on by and for the community
7.2.2018 Kaspersky  Congress
Another edition of BSides NYC has passed, and as first time attendee and presenter, I was genuinely impressed with the impeccable organization, the content shared, and the interesting conversations that took place among enthusiasts and professionals from all over the world. I’ve been a long time follower and supporter of BSides events in Latin America, mainly due to the fact that they offer a relaxed venue for sharing and learning about the newest topics in information security, all while bringing together people from different backgrounds in a community-driven event.

This year’s edition of BSides NYC took place at the John Jay College of Criminal Justice, with faculty member and the deputy CISO of the City of New York opening the event along some additional memorable keynotes given by Runa Sandvik from the New York Times, and Amber Baldet from JP Morgan. Once the initial kick-off was done, each attendee was able to choose from two technical tracks, an entrepreneur track, or any of the available villages and workshops. It was certainly tough for everyone how to decide where to spend their time, taking a coffee break here and there to meet and greet colleagues, friends, and keep enjoying all the activities happening around.

After lunch, I began my presentation on “Threat hunting .NET malware with YARA”, giving some examples of how to use YARA and the newly added .NET module, particularly useful for tracking the growing number of malware relying on Microsoft’s flagship framework. For learning purposes I chose a very popular malware targeting Latin American ATMs named Ploutus, which has landed in US territory just recently. It was quite an experience to fit an entire day of YARA content in less than an hour, but fortunately everyone at the presentation was extremely supportive, whether they have been using the tool since the beginning or never heard about it before.

From https://twitter.com/mathmare_/status/954786901621387264

Then it was the turn for Dmitry Bestuzhev, Director of Kaspersky Lab’s Global Research and Analysis Team in Latin America, who gave an astonishing presentation titled “Moving like a Spook through Walls Or how to be only a shadow for APT detectors”. It’s always interesting to observe how the community sees the Latin American threat landscape, which sometimes would seem as it’s not getting the attention it deserves. There wasn’t enough room in the auditorium to fit all the people interested in the talk, however since coffee and pastries were waiting for us after the presentation, the conversation could be continued with all of those that were eager to keep the debate open.

From https://twitter.com/pentest_it/status/954789778528096256

The biggest surprise for me was the addition of an entrepreneur track, something that undoubtedly every attendee was thankful for. Sometimes we are guilty of getting lost in the technical side of things, forgetting about the business and how to actually make our idea reach the audience we want it to. There were presentations from different startups, and remarkable information on how to grow your business, monetize it, and ultimately how not to lose sight of your original concept or idea even when dealing with venture capitals and external pressures.

It’s one of those events that you can’t miss, whether it’s playing the custom capture the flag game with your team, building weird antennas in the hacking village, or participating in any of the tracks, you’ll find something in BSides NYC for you. Oh, and don’t forget, there’s always conference swag!


Proofpoint to Acquire Security Awareness Training Firm Wombat Security for $225 Million
7.2.2018 securityweek IT
Cybersecurity firm Proofpoint on Tuesday announced that it has agreed to acquire Wombat Security Technologies for $255 million in cash.

Wombat, which helps companies educate employees on the dangers of phishing attacks and how to avoid them, grew out of a research project at Carnegie Mellon University in 2008.

The purchase of Wombat is the second acquisition north of $100 million by Proofpoint in recent months. Proofpoint also acquired messaging security firm Cloudmark in November 2017 for $110 million in cash.

Proofpoint LogoBest known for its email security offerings, Proofpoint says the acquisition will help its customers use data from active phishing campaigns for simulations.

The company explains that by integrating Wombat’s technology with Proofpoint’s threat detection and intelligence, enterprises will have insights into their employees’ vulnerability to the real phishing attacks that strike every day.

“Because threat actors target employees as the weakest link, companies need to continuously train employees and arm them with real-time threat data,” said Gary Steele, Proofpoint CEO. “The acquisition of Wombat gives us greater ability to help protect our customers from today’s people-centric cyberattacks, as cybercriminals look for new ways to exploit the human factor. We are thrilled to welcome Wombat’s employees to the Proofpoint team.”

The integrated solution will become part of Proofpoint's advanced email solution suite, and is scheduled to be available in the first half of 2018.

The agreement is subject to customary closing conditions and is expected to close in the first quarter of 2018, Proofpoint said.

Following the acquisition, Proofpoint expects Wombat will increase its 2018 revenue range by $30 – $32 million, and increase the free cash flow range by $2 million for the year.


Business Wire Hit by Ongoing DDoS Attack
7.2.2018 securityweek
Attack
Newswire service Business Wire said Tuesday that it has been under a sustained Distributed Denial of Service (DDoS) attack for almost a week.

The company said that since last Wednesday, January 31, the attack has been attempting to render the newswire service portal unavailable.

As a frequent user of Business Wire services, SecurityWeek can confirm that the web-based service has been often unresponsive or seen performance being extremely degraded in recent days.

In a customer advisory, Richard DeLeo, Chief Operating Officer at Business Wire, said there is no evidence that any systems or client information have been compromised.

DeLeo said the company is working closely with unnamed partners to mitigate and resolve the attacks and stabilize the environment, but did not share any details, other than calling it a “directed and persistent” attack.

A traceroute shows that the company utilizes Akamai as a content delivery network to handle web requests to www.businesswire.com.

In August 2015, Berkshire Hathaway-owned Business Wire was victim of a cyberattack that allowed malicious actors to gain unauthorized access to non-public, market-moving information stored on its news distribution platform. Soon after, the Securities and Exchange Commission (SEC) announced that a cybercriminal group allegedly hacked into multiple newswire services to steal non-public information about corporate earnings announcements that were used to make financial trades that generated more than $100 million in illegal profits.

According to Arbor Networks’ 13th Annual Worldwide Infrastructure Security Report (WISR), 57% of enterprise, government and education (EGE) respondents and 45% of data center operators had their network resources depleted due to DDoS attacks in 2017. Arbor observed 7.5 million DDoS attacks in 2017.

Arbor also found that attack durations surged in 2017, with 29% of service providers saying they experienced attacks of over 12 hours. 45% of respondents said they experienced more than 21 attacks per month, while 17% were hit more than 500 times per month.


Adobe rolled out an emergency patch that fixed CVE-2018-4878 flaw exploited by North Korea
7.2.2018 securityaffairs
Vulnerebility

Adobe rolled out an emergency patch that fixed two critical remote execution vulnerabilities, including the CVE-2018-4878 flaw exploited by North Korea.
Adobe has rolled out an emergency patch to address two Flash player vulnerabilities after North Korea’s APT group was spotted exploiting one of them in targeted attacks.

Last week, South Korea’s Internet & Security Agency (KISA) warned of a Flash zero-day vulnerability (CVE-2018-4878) that has reportedly been exploited in attacks by North Korea’s hackers.

According to the alert published by the KISA, the vulnerability affects the latest Flash Player version 28.0.0.137 and earlier.

The zero-day vulnerability could be exploited by an attack by tricking victims into opening a document, web page or email containing a specially crafted Flash file.

“A zero-day vulnerability has been found in Adobe Flash Player. An attacker may be able to convince a user to open a Microsoft Office document, web page, or spam mail containing a Flash file,” reads the advisory published by the Korean CERT.

According to the researcher Simon Choi the Flash Player zero-day has been exploited by North Korea since mid-November 2017. The attackers exploited the zero-day vulnerability in attacks aimed at South Korean individuals involved in research activity on North Korea.

Hackers exploited the vulnerability to deliver a malware, in the image shared by Choi on Twitter shows that the exploit has been delivered via malicious Microsoft Excel files.

Simon Choi
@issuemakerslab
Flash 0day vulnerability that made by North Korea used from mid-November 2017. They attacked South Koreans who mainly do research on North Korea. (no patch yet)

11:11 AM - Feb 1, 2018
208
234 people are talking about this
Twitter Ads info and privacy
Cisco and FireEye have both been investigating, and warn that a North Korean group that they have been following for a while are likely behind this latest attack. Called TEMP.Reaper by FireEye and Group 123 by Cisco, the group with ties to North Korea was very active in 2017.

Adobe addressed the bug with an emergency patch that also fixed another remote code execution vulnerability, tracked as CVE-2018-4877, that was discovered by researchers at Qihoo 360 Vulcan Team.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could lead to remote code execution in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.” reads the security advisory published by Adobe.

“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.”

The two vulnerabilities are rated critical for all supported operating systems, the unique exception is the Linux build of Adobe Flash Player Desktop Runtime.

There have been over 1,000 Adobe Flash vulnerabilities since it was released. Designed to make website development easier and providing additional features not supported by standard web browsers, it also adds complexity and a much broader attack surface. Web browsers no longer support Flash by default, but users often re-enable it for convenience. And just having it installed on your system may be enough for vulnerabilities like these ones to be exploited.


Researchers ported the NSA EternalSynergy, EternalRomance, and EternalChampion to Metasploit
7.2.2018 securityaffairs BigBrothers

Security researcher Sean Dillon ported three NSA-linked exploits, EternalSynergy, EternalRomance, and EternalChampion, to the Metasploit platform.
The security researcher at RiskSense Sean Dillon (@zerosum0x0) ported the Rapid7 Metasploit three hacking tools supposedly stolen from the NSA-linked Equation Group.

The researcher modified the exploits to use them also against latest windows versions and merged them into the Metasploit Framework, they should work on all unpatched versions of Windows based on x86 and x64 architectures.

The three exploits are EternalSynergy, EternalRomance, and EternalChampion that were leaked by the hacker crew Shadow Brokers in April 2017.

Metasploit exploits NSA EternalRomance

The tools were later used in several attacks in the wild, for example, the EternalRomance exploit was used in the massive Bad Rabbit ransomware attack.

The versions ported to Metasploit could be used to target all Windows versions since Windows 2000.


zǝɹosum0x0🦉
@zerosum0x0
MS17-010 #EternalSynergy #EternalRomance #EternalChampion exploit and auxiliary modules for @Metasploit. Support for Windows 2000 through 2016. I basically bolted MSF psexec onto @sleepya_ zzz_exploit. https://github.com/rapid7/metasploit-framework/pull/9473 …

5:54 AM - Jan 29, 2018
655
503 people are talking about this
Twitter Ads info and privacy
The EternalChampion and EternalSynergy exploits trigger a race condition with Transaction requests tracked as CVE-2017-0146, while the EternalRomance and EternalSynergy exploits trigger the CVE-2017-0143, a type confusion between WriteAndX and Transaction requests.

The expert explained that the tool can be used to run any command as System or to stage Meterpreter.

“You can run any command as SYSTEM, or stage Meterpreter. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.” Dillon explained.

“This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).”

The Metasploit module does not implement shellcode execution, instead, it overwrites the SMB connection session structures instead to obtain Admin/SYSTEM session.

“The exploit chain is an almost 1:1 skid port of @worawit awesome zzz_exploit adaptation, which brings a few improvements over the original Eternal exploits. Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session.” wrote the expert.

“The MSF module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit’s psexec DCERPC implementation bolted onto it. For the last reason, Rex is used and not RubySMB,”

Further info and the “MS17-010 EternalSynergy / EternalRomance / EternalChampion aux+exploit modules” are available on GitHub.


TLS-Abusing Covert Data Channel Bypasses Network Defenses
6.2.2018 securityweek Krypto
Researchers from Fidelis Cybersecurity have discovered a new method of abusing the X.509 public key certificates standard for covert channel data exchange following initial system compromise.

The standard is used in both Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic Internet protocol implementations, but the manner in which the certificates are exchanged can be abused to hijack them for command and control (C&C) communication, the researchers say.

The X.509 extensions can be used for covert channel data transfer to bypass network protection methods that do not inspect certificate values, the researchers say. To date, no confirmed cases of this technique being abused have been observed, but the widespread use of certificates could put many organizations at risk, Fidelis researchers argue.

To demonstrate their theory, Fidelis Cybersecurity revealed a custom-built framework that serves as proof of concept. However, the researchers point out that detection is possible and that the community can implement protections to identify possible abuse of the covert channel data transfer mechanism.

The use of covert channels for data transfer across the network is not new, and the possible abuse of X.509 certificates for covert network communication was demonstrated before. In fact, the use of the TLS protocol to establish hidden communication channels was detailed a decade ago.

The new research (PDF) by Fidelis’ Jason Reaves into the use of X.509 extensions for covert channel purposes expands on the previous findings to describe a system that could be used to send or receive data from both a client and a server perspective.

Using previous demonstrations that arbitrary data can be placed into X.509 certificates and that these certs can be used as a covert channel, the researcher argues that a sufficiently motivated attacker could “utilize technologies outside of their intended purposes to not only accomplish their goals but also end up bypassing common security measures in the process.”

Reaves analyzed X.509 certificate extensions, which “provide methods for associating additional attributes with users or public keys and for managing relationships between CAs,” but which can be abused for malicious purposes due to ambiguity in the language, which led to relaxed implementations.

Because TLS X.509 certificates have a large number of fields where strings can be stored, actors can take advantage of this to hide data transfer inside one of these fields. The certificates are exchanged before the TLS session is established, meaning that the data transfer doesn’t show up, although it was performed within the certificate exchange itself.

“Testing shows that using this methodology for communication and control in malware will not result in anything beyond an SSL negotiation which could bypass common security mechanisms that are not looking for abnormal data being passed in X.509 certificates,” Reaves says.

Fidelis also came up with a proof of concept to show that file transfer using the X.509 covert channel would be possible. For their demonstration, they chose to simulate a threat actor transferring the password stealing tool Mimikatz to a compromised system.


Cisco Reissues Patches for Critical Firewall Flaw
6.2.2018 securityweek
Vulnerebility
Cisco has reissued patches for a critical vulnerability affecting some of the company’s security appliances after identifying new attack vectors and additional affected features, and determining that the original fix had been incomplete.

The networking giant informed customers in late January that its Adaptive Security Appliance (ASA) software is affected by a serious flaw that can be exploited by a remote and unauthenticated attacker to execute arbitrary code or cause a denial-of-service (DoS) condition.

The vulnerability, tracked as CVE-2018-0101, affects several products running ASA software, including Firepower firewalls, 3000 series industrial security appliances, ASA 5000 and 5500 series appliances, 1000V cloud firewalls, ASA service modules for routers and switches, and Firepower Threat Defense (FTD) software.

The details of the security hole were disclosed on February 2 at a conference by Cedric Halbronn, an NCC Group researcher who reported the bug to Cisco.

“When exploited, this vulnerability known as CVE-2018-0101 allows the attacker to see all of the data passing through the system and provides them with administrative privileges, enabling them to remotely gain access to the network behind it,” NCC Group said in a blog post. “Targeting the vulnerability without a specially-crafted exploit would cause the firewall to crash and would potentially disrupt the connectivity to the network.”

Cisco initially told customers that the vulnerability is related to the webvpn feature, but further analysis revealed additional attack vectors and impacted features.

In an updated advisory published on Monday, the company said the flaw affects more than a dozen features, including Adaptive Security Device Manager (ASDM), AnyConnect IKEv2 Remote Access and SSL VPN, Cisco Security Manager, Clientless SSL VPN, Cut-Through Proxy, Local Certificate Authority, Mobile Device Manager Proxy, Mobile User Security, Proxy Bypass, the REST API, and Security Assertion Markup Language (SAML) Single Sign-on (SSO).

A specific configuration for each of these features introduces the vulnerability, but some of the configurations are reportedly common for the affected firewalls.

Cisco has now released a new set of patches after discovering that the initial fixes were vulnerable to additional DoS attacks.

“While Cisco PSIRT is not aware of any malicious use of this vulnerability, Cisco highly recommends all customers upgrade to a fixed software version,” said Omar Santos, principal engineer in the Cisco Product Security Incident Response Team (PSIRT). “This proactive patching is especially important for those customers whose devices and configurations include potential exposure through the expanded attack surface.”

Cato Networks reported that there are roughly 120,000 ASA devices with the webvpn feature enabled accessible from the Internet. Furthermore, some system administrators have complained about the availability of patches and the time it takes to apply them.

System admin Colin Edwards posted a blog post suggesting that Cisco may have started patching the vulnerability 80 days before publishing a security advisory to warn customers.

“I can understand some of the challenges that Cisco and their peers are up against. But even with that, I’m not sure that customers should be willing to accept that an advisory like this can be withheld for eighty days after some fixes are already available,” Edwards said. “Eighty days is a long time, and it’s a particularly long time for a vulnerability with a CVSS Score of 10 that affects devices that are usually directly connected to the internet.”

Santos said the company published the advisory shortly after learning that there had been public knowledge of the vulnerability.


NSA-Linked Hacking Tools Ported to Metasploit
6.2.2018 securityweek BigBrothers
Three hacking tools supposedly stolen from the National Security Agency-linked Equation Group and made public last year were recently ported to Rapid7’s Metasploit Framework.

The three exploits – EternalSynergy, EternalRomance, and EternalChampion – were released publicly in April 2017 alongside the more popular EternalBlue, one month after Microsoft patched them.

The tools could previously be used only on several, older Windows releases, although EternalSynergy was modified to target recent Windows versions as well. Last year, EternalRomance was used in the global Bad Rabbit ransomware attack.

All three exploits can now be used to target all Windows versions since Windows 2000, Sean Dillon, a security researcher with RiskSense who goes by the online handle of @zerosum0x0, reveals. The researcher modified the exploits and merged them into the open-source Metasploit Framework.

The three tools target two vulnerabilities in Microsoft’s platform, namely CVE-2017-0146, a race condition with Transaction requests exploited by EternalChampion and EternalSynergy, and CVE-2017-0143, a type confusion between WriteAndX and Transaction requests exploited by EternalRomance and EternalSynergy.

The researcher explains that the module does not use kernel shellcode to stage Meterpreter, meaning that those interested in leveraging it would need to use evasion for their payloads. However, the tool can be used to run any command as System or to stage Meterpreter.

“This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild),” the researcher says.

The module does not attempt shellcode execution, but overwrites the SMB connection session structures instead, thus achieving Admin/SYSTEM session.

“The MSF module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit's psexec DCERPC implementation bolted onto it. For the last reason, Rex is used and not RubySMB,” the researcher explains.

The exploits can be used on both 32-bit and 64-bit architectures and target all platform iterations from Windows 2000 to Windows 10 and Windows Server 2016.

The module is available on GitHub. As Dillon points out, it has been created for academic research and the development of defenses, not to be used in attacks, except where explicitly authorized.


Duo Charged Over ATM "Jackpotting" Attacks
6.2.2018 securityweek
Attack
Two men were charged in the United States with bank fraud from their involvement an alleged ATM "jackpotting" operation.

Alex Alberto Fajin-Diaz, 31, a citizen of Spain, and Argenys Rodriguez, 21, of Springfield, Massachusetts, were both arrested on related state charges on January 27 and are currently detained.

ATM jackpotting is an attack technique targeting automated teller machines (ATMs), where criminals connect to these devices and install malware or use specialized hardware to control the operations of the machine and cause them to dispense cash.

While the attack method hasn’t been seen in the United States until recently, ATM makers and the U.S. Secret Service issued alerts last month on the technique being used in attacks in the U.S. as well. The alerts warned that ATMs located in pharmacies, big box retailers, and drive thru ATMs were being targeted by jackpotting attacks.

A Department of Justice announcement on Monday revealed that ATM jackpotting incidents recently occurred in Hamden, Guilford, and Providence, Rhode Island, and that federal, state and local law enforcement agencies have been investigating the attacks.

According to the criminal complaint, on January 27, 2018, Fajin-Diaz and Rodriguez were found near an ATM compromised with jackpotting malware and which “was in the process of dispensing $20 bills,” the DoJ announcement reads. On the same date, Citizens Bank investigators had contacted police after an apparent attack on an ATM in Cromwell.

“A search of Fajin-Diaz and Rodriguez’s vehicle, which had a license plate that was assigned to another vehicle, revealed tools and electronic devices consistent with items needed to compromise an ATM machine to dispense its cash contents. Faji-Diaz and Rodriguez also possessed more than $9,000 in $20 bills,” the DoJ says.

If found guilty of bank fraud, the two face a maximum sentence of 30 years in prison.

Although widely reported on only last week, ATM jackpotting attacks in the U.S. appear to have started several months ago, with the first suspects arrested in November 2017, as Oil City News reported at the time.


Cisco, Apple Launch Cyber Risk Offering With Insurance Giant Allianz
6.2.2018 securityweek Cyber
Cisco, Apple, Aon, Allianz Partner to Help Businesses Protect Against Common Malware Threats

Munich, Germany-based Allianz -- named by Forbes as the world's second largest insurance firm -- is offering cyber insurance at competitive premiums with reduced deductibles; but only if the insured is risk-assessed by Aon and uses certain Cisco and Apple products.

Over the last few years, information security has increasingly been seen as a risk management issue. One of the traditional options for risk management is risk transfer; that is, insurance. But while the cyber insurance option has increased in visibility, its adoption remains relatively low. In 2016, US cyber insurance premiums were reported to be $1.35 billion. This is just 3.3% of the total premiums for U.S. commercial line insurers. Clearly, there is an opportunity for insurance companies to increase their own share of a potentially large market.

At the same time, product vendors are always looking for new opportunities to sell their products. The potential for linking specific product to reduced insurance premiums could help both industries to increase market share.

This has been slow to materialize because insurance works on detailed statistics between risk and premiums. It has decades of statistics for motor vehicles, and perhaps hundreds of years for shipping -- but only a few years' experience of a continuously changing and worsening infosecurity world. The natural effect of this is that premiums have to be set at the higher end of the possible scale simply because nobody really understands the full risk.

Apple and Cisco have been working to change this. In June 2017, Cisco's David Ulevitch (VP, security business group) announced, "We’re collaborating with insurance industry heavyweights to lead the way in developing the architecture that enables cyber insurance providers to offer more robust policies to our customers."

This collaboration surfaced yesterday in the announcement of a deal with Allianz: "a new cyber risk management solution for businesses, comprised of cyber resilience evaluation services from Aon, the most secure technology from Cisco and Apple, and options for enhanced cyber insurance coverage from Allianz," said Apple. However, it should be noted that this is not a general cyber insurance offering, but one specifically related to "cyber risk associated with ransomware and other malware-related threats, which are the most common threats faced by organizations today."

There are three elements that could lead to the insurance deal. The first is that the candidate company is risk assessed by Aon, who will examine the company's existing cyber security posture and make recommendations on how to improve existing defenses.

The second is that the candidate company should use Cisco Ransomware Defense and/or qualified Apple products iPhone, iPad and Mac. The third is that insured companies will then have access to Cisco and Aon incident response teams in the event of a malware attack.

With any contract, and an insurance policy is just a contract, the devil is always in the detail. It isn't clear from the current announcement whether the insurance will go beyond just a malware attack -- into, for example, data manipulation or theft because of the malware attack. That may vary from contract to contract depending on the result of the Aon assessment.

For the moment, there is just the bald statement that if a company uses certain Cisco and Apple product, and presumably 'passes' a risk assessment by Aon, that company might possibly qualify for lower deductibles in a malware-related cyber insurance policy underwritten by Allianz.


Windows 10 Ransomware Protection Easily Bypassed, Researcher Says
6.2.2018 securityweek
Ransomware
It’s rather trivial to bypass the anti-ransomware feature that Microsoft introduced in its Windows 10 Fall Creators Update, a security researcher claims.

Dubbed Controlled folder access, the anti-ransomware feature was announced as part of Windows Defender Exploit Guard, a new set of host intrusion prevention capabilities in Microsoft’s latest platform iteration.

When announcing the feature, Microsoft described it as a layer of real-time protection that would allow users to prevent ransomware from accessing their data by defining what programs have access to certain folders. Thus, malware and other unauthorized apps would not be able to touch the files in those directories.

According to Yago Jesus, however, this added protection can be easily bypassed by using an authorized application such as Office to access the data.

This would be possible because Office executables are by default whitelisted and allowed to make changes to files placed in protected folders, without restrictions, even when a malicious actor uses OLE/COM objects to control Office executables programmatically.

“So, a ransomware developer could adapt their software to use OLE objects to change / delete / encrypt files invisibly for the files owner,” the researcher explains.

Thus, an attacker capable of creating code leveraging OLE Word Object for execution would be able to bypass the anti-ransomware feature in Windows 10. Windows Defender would do nothing to stop the code from execution, because the entire operation would rely on the native encryption feature in Microsoft Office.

This technique, the researcher argues, renders Windows Defender Exploit Guard’s Controlled folder access functionality useless in an environment where both Office and Windows are employed. In addition to documents, the method can also be used to target PDFs, images, and other file types that Office can edit.

“While this capability is designed to protect against ransomware, it’s not surprising that it’s unable to handle all ransomware scenarios. The use of Microsoft Office files, which is described in the recent documented bypass, has been an effective way for attackers to get around AV tools,” Lenny Zeltser, Vice President of Products at Israel-based Minerva Labs, told SecurityWeek via email.

Another exploitation scenario, Jesus reveals, would involve the use of Selection.Copy / Selection.Paste methods to copy the content of a protected file to another file located outside the protected folder, delete the content of the original file or replace it with a ransom note, and then encrypt the new file normally.

The researcher says he informed Microsoft on his findings and that the company confirmed that they would resolve the issue “through an improvement to the Controlled Folder Access functionality.” However, it appears that the tech giant doesn’t see the bug as a security vulnerability, “because Defender Exploit Guard isn't meant to be a security boundary.”

According to Joseph Carson, chief security scientist at Washington D.C. based Thycotic, such a response from Microsoft is unacceptable.

"Frankly, this is a classic example of being misleading,” he told SecurityWeek via email. “It's like a security guard at the door of a building checking to ensure that anyone entering has the correct access, when you've left the backdoor wide open. It is a false sense of protection as you are purely relying on cybercriminals being honest.”

“When you call a product ‘Windows Defender’, or use terms such as ‘Defender Exploit Guard’, and when notified by a security researcher on a security bypass, the response of course is legally correct stating ‘we aren't classifying this as a security vulnerability because Defender Exploit Guard isn't meant to be a security boundary’,” Carson said.

He also pointed out that this bypass technique might have been already exploited in attacks against businesses and that companies should not simply rely on Windows Defender as the only security control, especially if Microsoft themselves say it isn’t even a security boundary.

“Immediately change the name to what it is rather than misleading consumers into a false sense of security and protection,” Carson concluded.

Meni Farjon, Co-Founder and CTO at Israel-based SoleBIT Labs, also believes that attackers are bound to leverage Office capabilities to bypass Microsoft’s ransomware protection. The main vulnerability, he told SecurityWeek, is that there’s a whitelist of programs such as Office that are allowed to make changes to protected folders without restrictions.

“Today we see an increase in macro-based malware, leveraging Office active-content capabilities to deliver ransomware. Generally speaking, I believe Windows Defender’s ransomware protection should not be considered a fully functional anti-ransomware feature, but more like a data protection feature. I would advise users to augment such defenses with vulnerability and active content detection solutions to combat ransomware on the network level, before it even reaches the endpoint,” Farjon concluded.

Microsoft hasn’t responded yet to SecurityWeek’s request for a comment on the matter.


One Computer Can Knock Almost Any WordPress Site Offline
6.2.2018 securityweek
Vulnerebility
As if there aren't enough ways to attack a WordPress site, an Israeli researcher has published details of how almost anyone can launch a denial of service (DoS) attack against almost any WordPress with just one computer. That, he suggests, is almost 30% of all websites on the internet.

The attack uses the vulnerability associated with CVE-2018-6389. The CVE database, at the time of writing, has no details, marking it only as 'reserved' for future use. Details, however, can be found in a Barak Tawily blog post published Monday. It is an abuse of the WordPress load-scripts.php function, which exists to allow administrators/web designers to improve website performance by combining multiple JavaScript files into a single request at the server end.

Tawily's DoS methodology makes use of two elements. Firstly, use of load-scripts.php requires no user authentication -- it can be invoked by anyone. The second element is that load-scripts.php receives a parameter called 'load[]', which is an array. The purpose of the array is to be able to specify which scripts should be combined and loaded to improve performance. Since it is also used to improve performance of the wp-login.php page, it can be invoked before any user authorization is required.

Within WordPress there is a wp_scripts list containing defined paths for all the 181 script files. The intention is that the administrator or web designer can include the path for specific scripts within the load[] parameter, and improve performance according to the supplied value from the user. The wp_scripts list is hard-coded in the script-loader.php file.

"I wondered," writes Tawily "what would happen if I sent the server a request to supply me every JS module that it stored? A single request would cause the server to perform 181 I/O actions and provide the file contents in the response. I did so..."

The result took 2.2 seconds and was almost 4 Mb of data -- making the server work hard to comply.

Tawily's next step was to use a python script he had written himself to send repeated identical requests to the server. And this time it worked. "As long as I kept sending those requests to the server, it was too busy to handle any other request, and I had effectively (and easily) caused DoS."

He used HackerOne to report the issue to WordPress, even though DoS is outside the scope of WordPress bounties. Nevertheless, it is a vulnerability that needed to be reported. The response, however, was muted: "This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress's control," said WordPress.

That's debatable on two counts. First, many WordPress sites are blogs and micro-business sites run cheaply on shared servers with the respective service providers, and with little technical skill among the owners. There is simply no way that such sites can be mitigated at the server or network level.

Second, Tawily goes on to show that mitigation isn't really that difficult if you know what to do (which many WordPress users do not). He "forked WordPress project and patched it so no one but authenticated users can access the load-*.php files, without actually harming the wp-login.php file functionality." He goes further to provide a bash script that modifies the relevant files to mitigate the vulnerability.


SSL Increasingly Abused by Malware, Phishing: Report
6.2.2018 securityweek
Phishing
There has been a significant increase in the number of phishing and malware attacks abusing SSL and TLS technology, according to Zscaler’s SSL Threat Report for the second half of 2017.

In the first half of 2017, Zscaler’s products blocked roughly 600,000 threats hidden in encrypted traffic every day, but that number grew to 800,000 in the second half of the year, which represents an increase of 30 percent.

Malicious actors have used SSL-encrypted channels for the initial delivery of malvertising, phishing and compromised websites, to distribute malware payloads and exploits, and for communications between the infected host and command and control (C&C) servers.

In the case of phishing attempts, Zscaler saw a 400 percent increase in the first half of 2017 compared to 2016. Overall, in 2017, phishing activity jumped by nearly 300 percent.

Phishing pages served over HTTPS are either hosted on a compromised website that has an SSL certificate, or they are hosted on malicious sites that imitate well-known brands and rely on certificates obtained by the cybercriminals themselves. Services such as Let’s Encrypt make it easier for malicious actors to obtain free certificates that they can use in their operations.

Most phished brands

In the case of malware attacks, Zscaler said SSL/TLS channels were used 60 percent of the time to deliver banking Trojans throughout 2017, and ransomware was spotted in one-quarter of attempts. Many attackers obtained an encrypted distribution channel for their malware by hosting it on legitimate services such as Box, Dropbox, Google and AWS.

An analysis of roughly 6,700 SSL transactions blocked by Zscaler showed that a majority of abused certificates belonged to legitimate sites that had been compromised.

The security firm also found that the types of certificates that are most abused by cybercriminals are domain validated (DV) certificates, which have a validity of three months and are obtained more easily. DV certificates, particularly ones obtained for free, were spotted in 75 percent of cases.

More than half of certificates were valid for less than one year, and roughly one-third of those had a validity period of three months or less.


Adobe Patches Flash Zero-Day Exploited by North Korean Hackers
6.2.2018 securityweek
Vulnerebility
Adobe updated Flash Player on Tuesday to address a zero-day vulnerability exploited by what experts believe to be a North Korean hacker group in attacks aimed at individuals in South Korea.

The existence of the vulnerability, tracked as CVE-2018-4878, came to light on January 31 when South Korea’s Internet & Security Agency (KISA) issued an alert. Cybersecurity experts based in the country said the flaw had been used by North Korean threat actors against South Koreans who focus on North Korea research.

Adobe has promised to release a patch sometime this week and it has kept its promise. Flash Player version 28.0.0.161 should fix the vulnerability, which the company has described as a use-after-free bug that allows remote code execution.

The security hole, which affects Flash Player 28.0.0.137 and earlier, was brought to the company’s attention by South Korea's KrCERT/CC.

The latest Flash release also patches CVE-2018-4877, which is also a use-after-free vulnerability that allows remote code execution. The flaw was reported to Adobe by bo13oy of Qihoo 360 Vulcan Team via Trend Micro’s Zero Day Initiative (ZDI). Adobe does not appear to be aware of any attacks exploiting CVE-2018-4877.

FireEye has analyzed the attacks involving CVE-2018-4878 and believes the zero-day has been used by a group it tracks as TEMP.Reaper. The security firm determined that these hackers are likely based in North Korea based on IP addresses used to access command and control (C&C) servers.

“The majority of their targeting has been South Korea focused, targeting the government, military, and defense industrial base as well as other industry,” FireEye said. “They have also taken an interest in predictable North Korean interests such as unification efforts and defectors.”

The attacks observed by FireEye involved malicious Office documents and spreadsheets designed to exploit the Flash Player zero-day in an effort to deliver a piece of malware tracked by the company as DOGCALL.

Cisco Talos has also analyzed the campaign and attributed it to an actor it tracks as Group 123. While Cisco has not explicitly blamed North Korea for attacks launched by Group 123, the company has detailed several campaigns aimed at South Korea that often use North Korea-related topics as a lure when delivering malware.

Researchers pointed out that the addition of a zero-day exploit to its arsenal shows that the group has become highly motivated and sophisticated.


Crime ring linked to Luminosity RAT dismantled by an international law enforcement operation
6.2.2018 securityaffairs
Virus

The Europol’s European Cybercrime Centre along with the UK NSA disclosed the details of an international law enforcement operation that dismantled a crime ring linked to Luminosity RAT.
The Europol’s European Cybercrime Centre (EC3) along with the UK National Crime Agency (NCA) disclosed the details of an international law enforcement operation that targeted the criminal ecosystem around the Luminosity RAT (aka LuminosityLink).

According to the EC3, the joint operation was conducted in September 2017, it involved more than a dozen law enforcement agencies from Europe, the US, and Australia.

The Luminosity RAT was first spotted in 2015 but it became very popular in 2016.

The malware was offered for sale in the criminal underground for as little as $40, it allows attackers to take complete control over the infected system.

Luminosity RAT

In September 2016, the UK law enforcement arrested a man that was linked to the threat. The arrest triggered a new investigation that resulted in several arrests, search warrants, and cease and desist notifications across Europe, America, and Australia.

Law enforcement agencies target both sellers and users of Luminosity Trojan. According to the NCA, a small crime ring in the UK distributed Luminosity RAT to more than 8,600 buyers across 78 countries.

“The Luminosity Link RAT (a Remote Access Trojan) enabled hackers to connect to a victim’s machine undetected. They could then disable anti-virus and anti-malware software, carry out commands such as monitoring and recording keystrokes, steal data and passwords, and watch victims via their webcams.” states the press release published by NCA.

“The RAT cost as little as £30 and users needed little technical knowledge to deploy it.

A small network of UK individuals supported the distribution and use of the RAT across 78 countries and sold it to more than 8,600 buyers via a website dedicated to hacking and the use of criminal malware.”

The Luminosity RAT was one of the malicious code used in Business Email Compromise attacks and was also used Nigerian gangs in attacks aimed at industrial firms.

Law enforcement believes that thousands of individuals were infected with the RAT.

“Victims are believed to be in the thousands, with investigators having already identified evidence of stolen personal details, passwords, private photographs, video footage and data. Forensic analysis on the large number of computers and internet accounts seized continues.” reads the announcement published by the Europol.

“Through such strong, coordinated actions across national boundaries, criminals across the world are finding out that committing crimes remotely offers no protection from arrests. Nobody wants their personal details or photographs of loved ones to be stolen by criminals. We continue to urge everybody to ensure their operating systems and security software are up to date”. said Steven Wilson, Head of Europol’s European Cybercrime Centre.


Abusing X.509 Digital Certificates to establish a covert data exchange channel
6.2.2018 securityaffairs Security

Researcher at Fidelis Cybersecurity devised a new technique that abuses X.509 Digital Certificates to establish a covert data exchange channel
Last year, during the Bsides conference in July 2017, the security researcher at Fidelis Cybersecurity Jason Reaves demonstrated how to covertly exchange data using X.509 digital certificates, now the same expert published the proof-of-concept code.

The X.509 is a standard that defines the format of public key certificates currently used in many Internet protocols, including TLS/SS. TLS, for example, uses X.509 for certificate exchange, during the handshake process that establishes an encrypted communication.

The covert channel devised by Reaves uses fields in X.509 extensions to carry data, it could be exploited by an attacker to exfiltrate data from a target organization without being detected.

“The research demonstrates that a sufficiently motivated attacker can utilize technologies outside of their intended purposes to not only accomplish their goals but also end up bypassing common security measures in the process.” reads the paper published by the expert.

“In brief, TLS X.509 certificates have many fields where strings can be stored. You can see them in this image[16]. The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself. “

The proof-of-concept code published by Reaves uses the field ‘class=wrap_text>SubjectKeyIdentifier‘

Digital certificate extensions were added in version 3 of the X.509 protocol and allow the CAs to add descriptions to a certificate, unfortunately, they can be abused to embed malicious data.

Attackers can send small amounts of data to an external server without being noticed.

Anyway, these extensions can be very large, for this reason, many libraries attempt to limit the ultimate handshake packet size. The expert noticed that the extension in the certificate itself can be created to a length that appears to only be limited by memory.

Data hidden in the X.509 metadata are impossible to detect, the PoC code published transfers the Mimikatz post-exploit attack tool in the TLS negotiation:

x.509 certificates embedded mimikatz

As possible mitigations, Reaves suggests to block self-signed certificates such the ones used in the PoC and check for executables in certificates.


British Hacker 'Lauri Love' will not be extradited to US, Court Rules
6.2.2018 thehackernews BigBrothers

British citizen and hacker Lauri Love, who was accused of hacking into United States government websites, will not be extradited to stand trial in the U.S., the High Court of England and Wales ruled today.
Love, 33, is facing a 99-year prison sentence in the United States for allegedly carrying out series of cyber attacks against the FBI, US Army, US Missile Defence Agency, National Aeronautics and Space Administration (NASA), and New York's Federal Reserve Bank between 2012 and 2013.
The High Court ruled Monday that Love should be tried in U.K. after Lord Chief Justice Lord Burnett of Maldon and Justice Ouseley heard he suffered severe mental illness like Asperger syndrome, eczema, asthma, and depression, and may kill himself if extradited.
At Westminster Magistrates' Court in London in late 2016, District Judge Nina Tempia ordered Love to be extradited to the U.S. to stand trial, although his lawyers appealed the decision, arguing that he should be tried for his alleged crimes in the UK.
The court accepted both of the arguments advanced by Love's lawyers and ruled that extradition would be "oppressive" due to his serious health conditions and it would be likely that he would be kept in solitary confinement in the American prison system if extradited.
The court burst in applause and cheering when the judgment was handed down by Lord Burnett, who asked Love supporters to be quiet, saying "This is a court, not a theatre."
The Crown Prosecution Service (CPS), which acts on behalf of the US authorities, said it would read the judgment before deciding whether to appeal the high court decision to the supreme court.
According to US Prosecutors, Love was allegedly involved in #OpLastResort, an online protest linked with the Anonymous collective following the persecution and untimely death of hacktivist Aaron Swartz, who committed suicide in 2013 while under federal charges for data theft.
Love, who lives near Newmarket, was arrested from his home in Stradishall, England in October 2013, when the British police seized his encrypted laptops and hard drives.
Britain's National Crime Agency (NCA) also asked the courts to force Love to turn over keys to decrypt his encrypted computer's hard drives, but Love won the case against the agency in early 2016.
If extradited to the United States and found guilty, Love could have sentenced to up to 99 years in prison and a potential fine of up to $9 million (£6.3 million).
Speaking outside the Royal Courts of Justice, Love expressed his thanks to the judges and said: "I'm thankful for all the support we've had, without which I'm not sure I would have made it this far."
WikiLeaks founder Julian Assange, who is also fighting US extradition, congratulate Love in a Tweet, saying: "VICTORY: @LauriLove wins UK appeal against US extradition. Congratulations to Lauri, his lawyers & family, @CourageFound and many supporters on an excellent campaign."
Right now, it is not clear if Love, who denies all wrongdoings, would face a prison sentence in the UK following his five years of legal battle.


Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites
6.2.2018 thehackernews
Vulnerebility

A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in WordPress CMS platform that could allow anyone to take down most WordPress websites even with a single machine—without hitting with a massive amount of bandwidth, as required in network-level DDoS attacks to achieve the same.
Since the company has denied patching the issue, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released in last nine years, including the latest stable release of WordPress (Version 4.9.2).
Discovered by Israeli security researcher Barak Tawily, the vulnerability resides in the way "load-scripts.php," a built-in script in WordPress CMS, processes user-defined requests.
For those unaware, load-scripts.php file has only been designed for admin users to help a website improve performance and load page faster by combining (on the server end) multiple JavaScript files into a single request.
However, to make "load-scripts.php" work on the admin login page (wp-login.php) before login, WordPress authors did not keep any authentication in place, eventually making the feature accessible to anyone.

Depending upon the plugins and modules you have installed, the load-scripts.php file selectively calls required JavaScript files by passing their names into the "load" parameter, separated by a comma, like in the following URL:
https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery
While loading the website, the 'load-scripts.php' (mentioned in the head of the page) tries to find each JavaScript file name given in the URL, append their content into a single file and then send back it to the user's web browser.
How WordPress DoS Attack Works

According to the researcher, one can simply force load-scripts.php to call all possible JavaScript files (i.e., 181 scripts) in one go by passing their names into the above URL, making the targeted website slightly slow by consuming high CPU and server memory.
"There is a well-defined list ($wp_scripts), that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user," Tawily says.
Although a single request would not be enough to take down the whole website for its visitors, Tawily used a proof-of-concept (PoC) python script, doser.py, which makes large numbers of concurrent requests to the same URL in an attempt to use up as much of the target servers CPU resources as possible and bring it down.
The Hacker News has verified the authenticity of the DoS exploit that successfully took down one of our demo WordPress websites running on a medium-sized VPS server.
"It is time to mention again that load-scripts.php does not require any authentication, an anonymous user can do so. After ~500 requests, the server didn't respond at all any more, or returned 502/503/504 status code errors," Tawily says.
However, attack from a single machine, with some 40 Mbps connection, was not enough to take down another demo website running on a dedicated server with high processing power and memory.

But that doesn't mean the flaw is not effective against WordPress websites running over a heavy-server, as application-level attack generally requires a lot fewer packets and bandwidth to achieve the same goal—to take down a site.
So attackers with more bandwidth or a few bots can exploit this flaw to target big and popular WordPress websites as well.
No Patch Available – Mitigation Guide

Along with the full disclosure, Tawily has also provided a video demonstration for the WordPress Denial of Service attack. You can watch the video to see the attack in action.
Knowing that DoS vulnerabilities are out-of-scope from the WordPress bug bounty program, Tawily responsibly reported this DoS vulnerability to the WordPress team through HackerOne platform.
However, the company refused to acknowledge the issue, saying that this kind of bug "should really get mitigated at the server end or network level rather than the application level," which is outside of WordPress's control.
The vulnerability seems to be serious because WordPress powers nearly 29 percent of the Web, placing millions of websites vulnerable to hackers and making them unavailable for their legitimate users.
For websites that can't afford services offering DDoS protection against application-layer attacks, the researcher has provided a forked version of WordPress, which includes mitigation against this vulnerability.
However, I personally wouldn't recommend users to install modified CMS, even if it is from a trusted source other than the original author.
Besides this, the researcher has also released a simple bash script that fixes the issue, in case you have already installed WordPress.


How to Mitigate the Threat Cryptocurrency Mining Poses to Enterprise Security
6.2.2018 thehackernews CoinMine

The growing popularity of Bitcoin and other cryptocurrencies is generating curiosity—and concern—among security specialists. Crypto mining software has been found on user machines, often installed by botnets. Organizations need to understand the risks posed by this software and what actions, if any, should be taken.
To better advise our readers, we reached out to the security researchers at Cato Networks. Cato provides a cloud-based SD-WAN that includes FireWall as a Service (FWaaS). Its research team, Cato Research Labs, maintains the company's Cloud IPS, and today released a list of crypto mining pool addresses that you can use as a blacklist in your firewall. (To download the list, visit this page.)
Cato Research Labs determined crypto mining represents a moderate threat to the organization. Immediate disruption of the organization infrastructure or loss of sensitive data is not likely to be a direct outcome of crypto mining.
However, there are significant risks of increased facility cost that must be addressed.
Understanding Blockchain and Crypto Mining
Crypto mining is the process of validating cryptocurrency transactions and adding encrypted blocks to the blockchain. Miners solve a hash to establish a valid block, receiving a reward for their efforts. The more blocks mined, the more difficult and resource-intensive becomes solving the hash to mine a new block.
Today, the mining process can require years with an off-the-shelf computer. To get around the problem, miners use custom hardware to accelerate the mining process, as well as forming "mining pools" where collections of computers work together to calculate the hash.
The more compute resources contributed to the pool, the greater the chance of mining a new block and collecting the reward. It's this search for more compute resources that have led some miners to exploit enterprise and cloud networks.
Participating in mining pools requires computers run native or JavaScript-based mining software (see Figure 1). Both will use the Stratum protocol to distribute computational tasks among the computers in the mining pool using TCP or HTTP/S (technically, WebSockets over HTTP/S).

Figure 1: An example of a website running JavaScript-based mining software. Typically, websites do not ask for permission.
Native mining software will typically use long-lasting TCP connections, running Stratum over TCP; JavaScript-based software will usually rely on shorter-lived connections and run Stratum over HTTP/S.
The Risk Crypto Mining Poses to the Enterprise
Mining software poses a risk to the organization on two accounts. In all cases, mining software is highly compute-intensive, which can slow down an employee’s machine. Running CPUs with a “high-load” for an extended period of time will increase electricity costs and may also shorten the life of the processor or the battery within laptops.
Mining software is also being distributed by some botnets. Native mining software accesses the underlying operating system in a way similar to how botnet-delivered malware exploits a victim’s machine. As such, the presence of native mining software may indicate a compromised device.
How To Protect Against Crypto Mining
Cato Research Labs recommends blocking crypto mining on your network. This can be done by disrupting the process of joining and communicating with the mining pool.
The deep packet inspection (DPI) engine in many firewalls can be used to detect and block Stratum over TCP. Alternatively, you can block the addresses and domains for joining public mining pools.
Approach 1: Blocking Unencrypted Stratum Sessions with DPI
DPI engines can disrupt blockchain communications by blocking Stratum over TCP. Stratum uses a publish/subscribe architecture where servers send messages (publish) to subscribed clients. Blocking the subscription or publishing process will prevent Stratum from operating across the network.
DPI rules should be configured for JSON. Stratum payloads are simple, readable JSON-RPC messages (see Figure 2).
Stratum uses a request/response over JSON-RPC:

Figure 2: Detail of a JSON-RPC batch call (reference: http://www.jsonrpc.org/specification)
A subscription request to join a pool will have the following entities: id, method, and params (see Figure 3). Configure DPI rules to look for these parameters to block Stratum over unencrypted TCP.
{"id": 1, "method": "mining.subscribe", "params": []}
Three parameters are used in a subscription request message when joining a pool.
Approach 2: Blocking Public Mining Pool Addresses
However, some mining pools create secure, Stratum channels. This is particularly true for JavaScript-based applications that often run Stratum over HTTPS.
Detecting Stratum, in that case, will be difficult for DPI engines who do not decrypt TLS traffic at scale. (For the record, Cato IPS can decrypt TLS sessions at scale.) In those cases, organizations should block the IP addresses and domains that form the public blockchain pools.
To determine the IP addresses to block, look at the configuration information needed to join a mining pool. Mining software requires miners to fill in the following details:
the appropriate pool address (domain or IP)
a wallet address to receive equity
the password for joining the pool
The configuration information is usually passed via JSON or via command-line arguments (see Figure 3).

Figure 3: A JSON file providing the necessary miner pool configuration
Organizations could configure firewall rules to use a blacklist and block the relevant addresses. In theory, such a list should be easy to create as the necessary information is publicly available. Most mining pools publish their details over the Internet in order to attract miners to their networks (see Figure 4).

Figure 4: Public addresses for mining pools are well advertised as demonstrated by mineXMR.com’s “Getting Started” page
Despite extensive research, though, Cato Research Labs could not find a reliable feed of mining pool addresses. Without such a list, collecting the target mining pool addresses for blocking would be time-consuming.
IT professionals would be forced to manually enter in public addresses, which will likely change or increase, requiring constant maintenance and updates.
Cato Research Labs Publishes List of Mining Pool Addresses
To address the issue, Cato Research Labs generated its own list of mining pool addresses for use by the greater community. Using Google to identify sites and then employing scraping techniques, Cato researchers were able to extract pool addresses for many mining pools.

Figure 5: Partial list of mining pool addresses compiled by Cato Research Labs
Cato researchers wrote code that leveraged those results to develop a mining-pool address feed. Today, the list identifies hundreds of pool addresses (see Figure 5) and should be suitable for most DPI rule engines. See here for the full list.
Final Thoughts
The combined risk of impairing devices, increasing costs, and botnet infections led Cato Research Labs to strongly recommend IT prevent and remove crypto mining from enterprise networks.
Should software-mining applications be found on the network, Cato Research Labs strongly recommends investigating active malware infections and cleaning those machines to reduce any risk to organization's data.
Cato Research Labs provided a list of address that can be used towards that goal, blocking access to public blockchain pools. But there's always a chance of new pools or addresses, which is why Cato Research Labs strongly recommend constructing rules using a DPI engine with sufficient encrypted-session capacity.


Grammarly Rushes to Patch Flaw Exposing User Data
6.2.2018 securityweek 
Vulnerebility
Google Project Zero researcher Tavis Ormandy discovered a vulnerability in the online grammar checker Grammarly that could have been exploited by malicious websites to access user data. The app’s developers quickly patched the flaw after learning of its existence.

Ormandy found that the Grammarly browser extension, which has roughly 20 million users on Chrome and 645,000 on Firefox, exposed authentication tokens to third-party websites.

An attacker could have obtained authentication tokens and used them to access the target’s Grammarly.com account simply by getting them to visit a specially crafted website. This was a serious flaw considering that some Grammarly accounts could contain highly sensitive information.

“I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations,” Ormandy said in an advisory. “Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites.”

In a blog post covering the Google researcher’s findings, Sophos expert Paul Ducklin explained how authentication tokens work.

“An authentication token is a one-time cryptographic string that is set by a server as a browser cookie after you’ve successfully logged into a website. Your browser sends that cookie back to the site with every subsequent web transaction, thus signalling to the server that it’s you coming back for more,” Ducklin said. “Without this sort of arrangement, you’d have to supply your username and password for every web request you wanted to make.”

Ducklin highlighted that online services should protect these tokens by using HTTPS, and by enforcing the same-origin policy (SOP), which prevents websites from interacting with each other.

Ormandy reported the vulnerability to Grammarly on Friday and the company said it rolled out a fix within hours. Users are not required to take any action as the affected browser extensions should be updated automatically.

Grammarly pointed out that the security hole only affected text saved in the Grammarly Editor, and it did not impact Grammarly Keyboard, the Microsoft Office add-in, or any text typed in websites while using the extension.

“At this time, Grammarly has no evidence that any user information was compromised by this issue,” Grammarly said. “We’re continuing to monitor actively for any unusual activity.”

This is not the first vulnerability disclosed by Ormandy this year. He has also reported finding a critical remote code execution vulnerability in the Transmission BitTorrent client, and a code execution flaw affecting all games from Blizzard.


Crypto-mining Botnet Targets Android Devices
6.2.2018 securityweek Android
A new crypto-mining botnet has been growing and targeting Android devices with an open ADB port, Qihoo 360's NetLab researchers reveal.

The attacks started last week, targeting port 5555, which is the working port for the adb debug interface on Android devices. While this port should be normally closed on all devices, sometimes it could remain open, thus allowing devices to be compromised.

Courtesy of scanning code borrowed from the infamous Mirai botnet – which targets Internet of Things (IoT) devices – the new threat can spread as a worm, NetLab reports. Each of the infected bots would continue to scan for open 5555 adb ports to spread further.

This is the first time the Mirai code has been reused to target Android devices, the researchers point out.

The infection appears to have started on January 21, 2018, and the researchers say that the number of attacks has increased recently.

As of February 4, between 2,700 and 5,500 devices had been affected by the botnet, with most of them located in China (40%) and South Korea (31%) – based on the scanning IP addresses targeted devices include smartphones and smart TVs (TV set-top boxes), the security researchers say.

It appears that the botnet isn’t targeting vulnerabilities affecting only specific devices, mainly because models from a broad range of manufacturers have been already impacted. However, the security firm hasn’t provided details on the impacted device models.

The purpose of the newly created botnet, NetLab reports, is to mine for the Monero crypto-currency. The malware’s configuration shows the use of two mining pools, but both groups of devices are using the same wallet address.

The researchers revealed that no payment had been made to the used wallet by the time of their report, but also said they would continue watching and analyzing the threat to provide additional details.


Popular British hacktivist Lauri Love will not be extradited to US, UK Court Ruled
6.2.2018 securityaffairs Crime

The popular British hacker Lauri Love (33) will not be extradited to stand trial in the US, the High Court of England and Wales ruled.
Lauri Love was accused of hacking into United States government websites, will not be extradited to stand trial in the U.S., the High Court of England and Wales ruled today.

The list of victims of the hacker includes the FBI, the Federal Reserve Bank, US Missile Defence Agency, National Aeronautics and Space Administration (NASA), and the US Missile Defence Agency.

The decision of the Lauri Love’s extradition was taken at Westminster Magistrates’ Court in London in 2016, by District Judge Nina Tempia. If extradited, Love risks a sentence to up to 99 years in prison and a potential fine of up to $9 million.

Actually, the man would face a prison sentence in the UK following his five years of legal battle.

US Prosecutors believe that Lauri Love is a member of a hacker crew, they sustain that he was also involved in the OpLastResort campaign launched by Anonymous against the US Government.

Lauri Love hacktivist

Lord Chief Justice Lord Burnett of Maldon and Justice Ouseley halted the extradition after heard Lauri Love suffered severe mental illness, including Asperger syndrome, and depression, they fear the man should commit suicide if extradited.

“There have not been any incidents of self-harm in the past but I accept Mr Love has experienced suicidal thoughts intermittently, both in the past and now. Mr Love denied any suggestion that he had exaggerated his symptoms and his suicide risk which I accept given the medical evidence.” the High Court ruled on Monday.
“I also accept Professor Baron-Cohen and Professor Kopelman’s evidence that he would attempt suicide before extradition to the United States. Both are of the opinion he would be at high risk of suicide. I accept Professor BaronCohen’s oral evidence that Mr Love’s intention is not a reflection of a voluntary plan or act but due to his mental health being dependant on him being at home with his parents and not being detained for an indefinite period.”

The court recognized that extradition would be “oppressive” due to the man’s health conditions. Love supporters that were present in the court applauded the judgment.

The Crown Prosecution Service (CPS), which acts on behalf of the US authorities, would examine the judgment before deciding whether to appeal the high court decision to the supreme court.

“I’m thankful for all the support we’ve had, without which I’m not sure I would have made it this far.” commented Love expressing gratitude to the judges.

The judgment was accepted with joy in the hacking community and by human rights advocates.


ADB.Miner, the Android mining botnet that targets devices with ADB interface open
6.2.2018 securityaffairs BotNet

Security researchers at Qihoo 360’s Netlab have spotted a new Android mining botnet that targets devices with ADB interface open.
Security researchers at Qihoo 360’s Netlab have spotted a new Android mining botnet over the weekend. The malicious code ADB.Miner targets Android devices by scanning for open ADB debugging interface (port 5555) and infects them with a Monero cryptocurrency miner.

The port 5555 is the working port ADB debug interface on Android device that should be shut down normally. The devices infected by ADB.miner are devices where users or vendors have voluntary enabled the debugging port 5555.

“Spread of time : the earliest time of infection can be traced back to near January 31. This current wave of helminthic infections has been detected by our system from around 15:00 on the afternoon of 2018-02-03 and is still on the rise.” reads the analysis published by Netlab.

“Infected port : 5555, is the working port adb debug interface on Android device, the port should be shut down normally, but unknown part of the cause led to the wrong port opened.”

Starting from February 3, the expert noticed a rapid growth of the volume of scan traffic on port 5555 associated with the ADB.Miner:

ADB.Miner

Once the ADB.Miner has infected a device, the compromised system start scanning the Internet for other devices to infect.

According to the experts, ADB.miner borrowed the scanning code implemented by the Mirai botnet, this is the first time that the Mirai code is used by an Android threat.

The researchers did not reveal the way the malware infects the Android devices, it is likely it exploits a flaw in the ADB interface.

The number of infected devices is rapidly growing, according to different caliber statistics, there are 2.75 ~ 5.5k, and this figure is rapidly growing.

The two sources reported by Netlab are:

Statistics from scanmon : 2.75k, mainly from China (40%) and South Korea (31%).
Statistics from our botnet tracking system: 5.5k
At the time of writing the number of ADB.miner scans reached 75,900 unique IP addresses.

ADB.Miner traffic 2.png

Most IP addresses scanning the port 5555 are located in China (~40%) and South Korea (~30%).

The operators of the botnet are using the following Monero wallet address:

44XT4KvmobTQfeWa6PCQF5RDosr2MLWm43AsaE3o5iNRXXTfDbYk2VPHTVedTQHZyfXNzMn8YYF2466d3FSDT7gJS8gdHAr
That still has not received the first payment for the mine.


Gold Dragon Implant Linked to Pyeongchang Olympics Attacks
5.2.2018 securityweek APT
McAfee has discovered an implant that they believe was used as a second-state payload in the recent fileless attacks targeting organizations involved with the upcoming Olympics Games in Pyeongchang, South Korea.

In early January, McAfee's security researchers warned that hackers had already began targeting the Pyeongchang Olympic Games with malware-infected emails. The first such attacks reportedly took place on December 22, with the sender’s address spoofed to appear as if the messages came from the South Korea's National Counter-Terrorism Center.

The hackers were using a PowerShell implant to establish a channel to the attacker’s server and gather basic system-level data, but McAfee couldn’t immediately determine what the attackers did after gaining initial access to a victim’s system.

McAfee has since published a report detailing additional implants used in the attacks, which were used to gain persistence on targeted systems and for continued data exfiltration, including Gold Dragon, Brave Prince, Ghost419, and RunningRat.

Gold Dragon, a Korean-language implant observed on December 24, 2017, is believed to be the second-stage payload in the Olympics attack, with a much more robust persistence mechanism than the initial PowerShell implant.

Designed as a data-gathering implant, Gold Dragon has the domain golddragon.com hardcoded and acts as a reconnaissance tool and downloader for subsequent payloads. It also generates a key to encrypt data gathered from the system, which is then sent to the server ink.inkboom.co.kr.

Gold Dragon is not a full-fledged spyware, as it only has limited reconnaissance and data-gathering functionality. The malware, which had its first variant in the wild in South Korea in July 2017, features elements, code, and behavior similar to Ghost419 and Brave Prince, implants that McAfee has been tracking since May 2017.

The malware lists the directories in the user’s Desktop folder, in the user’s recently accessed files, and in the system’s %programfiles% folder, and gathers this information along with system details, the ixe000.bin file from the current user’s UserProfiles, and registry key and value information for the current user’s Run key, encrypts the data, and sends it to the remote server.

The malware can check the system for processes related to antivirus products and cleaner applications, which it can then terminate to evade detection. Furthermore, it supports the download and execution of additional components retrieved from the command and control (C&C) server.

Also a Korean-language implant featuring similarities to Gold Dragon, Brave Prince too was designed for system profiling, capable of gathering information on directories and files, network configuration, address resolution protocol cache, and systemconfig. The malware was first seen in December 13, 2017. It is also capable of terminating a process associated with a tool that can block malicious code.

First observed in the wild in December 18, 2017, Ghost419 is a Korean-language implant that can be traced to July 29, 2017, to a sample that only shares 46% of the code used in the December samples. This malware appears based on Gold Dragon and Brave Prince, featuring shared elements and code, especially related to system reconnaissance.

The attackers also used a remote access Trojan (RAT) in the Pyeongchang Olympics attacks, the security researchers say. Dubbed RunningRat, this tool operates with two DLLs, the first of which kills any antimalware solution on the system and unpacks and executes the main RAT DLL, in addition to gaining persistence.

The second DLL, which employs anti-debugging techniques, is decompressed in memory, which results in a fileless attack, as it never touches the user’s file system. The malware gathers information about the operating system, along with driver and processor information, and starts capturing user keystrokes and sending them to the C&C server.

“From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed,” McAfee reveals.

All of these implants can establish a permanent presence on the victim’s system, but they require a first-stage malware that provides the attacker with an initial foothold on the victim’s system. Some of the implants would only achieve persistence if Hangul Word (the South Korean-specific alternative to Microsoft Office) is running on the system.

“With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics,” McAffee concludes.


Alleged Kelihos Botnet Mastermind Extradited to U.S.
5.2.2018 securityweek BotNet
A 37-year-old Russian national accused of being the mastermind behind the notorious Kelihos botnet has been extradited from Spain to the United States.

The U.S. Justice Department announced that Peter Yuryevich Levashov, also known as Petr Levashov, Pyotr Levashov, Peter Severa, Petr Severa and Sergey Astakhov, of St. Petersburg, Russia, was arraigned on Friday in Connecticut. He has pleaded not guilty to the charges brought against him.

Levashov was arrested in April 2017 by Spanish authorities based on a U.S. warrant and has been in custody ever since. The suspect had been on holiday at the time of his arrest, which coincided with a takedown operation targeting the Kelihos botnet. He was indicted roughly two weeks later by a federal grand jury in Connecticut.

Russia had attempted to block his extradition to the United States. Levashov claimed that he had previously worked for President Vladimir Putin's United Russia party, and feared that he would be killed if extradited to the U.S. Initial media reports said his arrest may be linked to the U.S. election hacks, but officials denied there was any connection.

The suspect has been charged on eight counts, including causing intentional damage to a protected computer, conspiracy, accessing protected computers in furtherance of fraud, wire fraud, threatening to damage a protected computer, fraud in connection with email, and aggravated identity theft. He faces more than 50 years in prison for these charges.

According to U.S. authorities, Levashov controlled and operated the Kelihos botnet, using it to send spam, harvest personal information, and deliver other malware. At the time of his arrest, investigators said the botnet at times had ensnared as many as 100,000 computers, including many in the United States.

While some security firms track Kelihos as Waldac, many have classified it as a successor of Waledac, a botnet disrupted by authorities in 2010.

Another Russian national who will be extradited to the United States is Alexander Vinnik, owner of the cryptocurrency exchange BTC-e. Greece’s Supreme Court recently approved the extradition of Vinnik, who is said to have laundered $4 billion using bitcoins.

Yevgeni Nikulin, who U.S. authorities say hacked into the systems of LinkedIn, Formspring and Dropbox, will also soon be extradited after a high court in the Czech Republic upheld an earlier ruling authorizing his extradition.


Multiple Flaws Patched in WD MyCloud Device Firmware
5.2.2018 securityweek
Vulnerebility
Vulnerabilities that could allow unauthorized file deletion, unauthorized command execution and authentication bypass impacted WD (Western Digital) MyCloud devices, Trustwave reports.

The vulnerabilities were discovered in the MyCloud personal storage device and were reported to Western Digital last year. The company has already released a firmware update to address them.

All of the issue were found by Trustwave security researcher Martin Rakhmanov in the nas_sharing.cgi binary.

The first of them was the inclusion of hardcoded credentials in the binary, which could allow anyone to authenticate to the device.

The hardcoded username was "mydlinkBRionyg" and represents an issue that other security researchers observed as well. Earlier this year, GulfTech’s James Bercegay revealed that this admin user can be used with password “abc12345cba” as a backdoor that could be turned into a root shell. D-Link devices were previously impacted by the same issue.

The nas_sharing.cgi binary, Rakhmanov discovered, would also allow any user to execute shell commands as root. An attacker looking to exploit the issue can use the “artist” parameter to execute a command to create a file, for example.

The same faulty binary can be used for arbitrary file deletion, an operation possible through manipulating the “path” parameter, the security researcher says. A command using the “path” parameter can be passed using base64 encoding, the same as with the “artist” parameter.

Rakhmanov explains that “usually on embedded systems many processes run unrestricted (i.e. as root) so no security checks are performed at all once a command (file deletion in this case) is about to execute.”

Trustwave’s researcher also published proof of concept code that combines the hardcoded credential issue with command execution and arbitrary file deletion, respectively.

Western Digital apparently resolved these issues with the release of firmware version 2.30.172 a couple of months ago.

The update patched a SMB server (samba) security vulnerability (CVE-2017-7494), along with “critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass,” the company revealed in the release notes (PDF).


UK Judges Block US Extradition of Alleged Hacker Lauri Love
5.2.2018 securityweek Crime
British judges on Monday rejected a US request for the extradition of a man accused of hacking into thousands of US government computers in a ruling that could set a precedent for similar pending cases.

Lauri Love, 33, faces charges in the United States for allegedly hacking into the networks of the US Federal Reserve, US Army and NASA, among others, in 2012 and 2013.

"The reason I've gone through this ordeal is not just to save myself from being kidnapped and locked up for 99 years in a country I've never visited, said Love, who has dual British and Finnish citizenship.

Love suffers from Asperger's syndrome and has also been diagnosed with depression. He was arrested at his home in Britain in October 2013.

"But it's to set a precedent whereby this will not happen to other people in the future," Love told reporters outside High Court in London.

"If there is suspected criminality then it will be tried here in the UK and America will not try to exercise exorbitant extra-territorial jurisdiction." Kaim Todner, the law firm representing Love, hailed what it called a "landmark judgement".

"The British justice system has taken the stance that we should deal with the matter ourselves, rather than accept the US government's demands," it said.

"It has also been recognised that mental health provisions in US prisons are not adequate to satisfy us that Lauri would not have come to serious harm if he were extradited," the firm said in a statement.

Judge Ian Burnett handed down the ruling, to cheers from people in the court's public gallery.

The defense said the United States now has 14 days in which to appeal the ruling at the UK Supreme Court.

Love had appealed against a 2016 British court ruling that he could be extradited to the United States to face the charges.


Hackers Linked to Luminosity RAT Targeted by Law Enforcement
5.2.2018 securityweek CyberCrime
Europol’s European Cybercrime Centre (EC3) and the UK’s National Crime Agency (NCA) on Monday released the details of an international law enforcement operation targeting sellers and users of the Luminosity Trojan.

Over a dozen law enforcement agencies from Europe, the US and Australia took part in a joint campaign carried out in September 2017 – details are made public only now due to operational reasons.

Authorities in the United Kingdom learned of Luminosity, also known as LuminosityLink, back in September 2016 when they arrested an individual suspected of hacking-related offences as part of a separate investigation.

That individual’s arrest led to an international operation that, according to Europol and the NCA, resulted in Luminosity no longer being available and no longer working for those who purchased it.

Since September, law enforcement agencies executed arrests, search warrants, and cease and desist notifications across Europe, America and Australia, targeting both sellers and users of Luminosity. The NCA said a small network of individuals in the UK was responsible for the distribution of the remote access trojan (RAT) to more than 8,600 buyers across 78 countries.

Luminosity first emerged in May 2015 and it had been available for purchase for as little as $40. The RAT allowed hackers to easily take complete control of infected computers, including disable security software, log keystrokes, steal passwords and other data, and spy on victims via the device’s webcam.

Luminosity RAT was one of the pieces of malware used last year by Nigerian cybercriminals in attacks aimed at industrial firms.

Investigators have identified passwords, photos, videos and other data stolen from thousands of victims, but the number is expected to increase significantly as devices seized from suspects continue to be analyzed. The NCA said police seized more than 100 devices during the operation in the UK.

“The sale and deployment of this hacking tool were uncovered following a single arrest and the subsequent forensic examination of the computer,” said Detective Inspector Ed Heath, head of the South West Regional Cyber Crime Unit, which led the investigation. “More than a year’s complex work with international policing partners led us to identify a large number of offenders.”


Booz Allen Hamilton Awarded $621 Million DHS Cyber Contract
5.2.2018 securityweek IT
Technology consulting firm Booz Allen has been awarded a $621 million contract by the Department of Homeland Security (DHS) to support the government-wide Continuous Diagnostics and Mitigation (CDM) Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) Program.

Created help defend Federal IT networks from cyber threats, the CDM program was designed to provide continuous monitoring sensors (tools), diagnosis, mitigation tools, dashboards, and Continuous Monitoring as a Service (CMaaS).

The program is the result of the executive order from President Barack Obama which requires the DHS to ensure unclassified government networks are scanned constantly for threats, defended from attacks, and regularly audited to be compliant with computer security rules.

For more than two years, Booz Allen says that it has helped 13 Federal Agencies deploy cybersecurity tools to protect four million computers through DHS CDM efforts.

According to Booz Allen, the new contract will extend across the three current and possible future CDM Phases and is part of the larger DEFEND Program, which has a total value of up to $3.4 billion.

McLean, Virginia-based Booz Allen has more than 24,000 employees globally, and annual revenue of approximately $5.8 billion.


MacUpdate Distributes Mac Crypto-Mining Malware
5.2.2018 securityweek Apple
Maliciously modified versions of popular applications distributed via the MacUpdate site were observed installing crypto-mining malware on Mac computers, Malwarebytes reports.

The issue was observed on Friday, one day after maliciously modified versions of Firefox, OnyX, and Deeper applications started being distributed via the website. MacUpdate was quick to acknowledge the issue, and revealed in a comment that it was their fault and that the legitimate apps weren’t compromised.

What led to this situation is pretty straightforward: instead of linking to the applications’ official download websites, MacUpdate ended up linking to fake domains that resembled the legitimate ones.

Thus, instead of titanium-software.fr, it listed titaniumsoftware.org (registered on January 23) for the download URLs of OnyX and Deeper (both products made by Titanium Software). The download link for Firefox was even more crafty, using the domain download-installer.cdn-mozilla.net, instead of mozilla.net.

For all three applications, however, users ended up downloading disk image files (.dmg) that looked pretty convincing, Malwarebytes says. They also asked the user to drag the file into the Applications folder, just as the legitimate apps would.

The fake applications were created by Platypus, a developer tool used to build macOS software from scripts such as shell or Python.

Once installed, the fake apps download and install a payload from public.adobecc.com (a legitimate site owned by Adobe), after which it attempts to open a copy of the legitimate app as decoy. This operation, however, isn’t always successful, due to various errors the actor behind the fake apps made.

The security researchers discovered that the malicious OnyX app would run on Mac OS X 10.7 and up, but the decoy app requires macOS 10.13 and up, which means that only the malware is executed on systems with previous platform versions.

When it comes to the fake Deeper app, things are similar, but the reason is laughable. The actor included an OnyX app instead of Deeper as decoy, which clearly results the decoy not executing to cover the malicious behavior.

Upon execution, a script in the fake app checks whether it already runs and, if not, it downloads the malware and unzips it into the Library folder, which is hidden by default. A malicious launch agent file named MacOSupdate.plist is installed, designed to recurrently run another script.

The launch agent downloads a new MacOS.plist file and installs it, but first removes the previous MacOS.plist file, supposedly to update it. The downloaded MacOS.plist file was observed loading a malicious sysmdworker process and passing in arguments, including an email address.

“That sysmdworker process will then do the work of mining the Monero cryptocurrency, using a command-line tool called minergate-cli, and periodically connecting to minergate.com, passing in the above email address as the login,” Malwarebytes explains.

To stay protected from this and similar threats, users are advised to always download applications from the legitimate websites only, such as the developer’s site or the Mac App Store.

As Malwarebytes points out, this is not the first time MacUpdate has been abused for malicious purposes. A couple of years ago, it fell to a similar hack and ended up distributing the OSX.Eleanor malware.


Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild
5.2.2018 securityaffairs BigBrothers

According to security researchers at Cisco and FireEye a North Korea Hacking Group is behind the attacks that exploited the recently discovered Adobe Flash 0-Day vulnerability.
There have been over 1,000 Adobe Flash vulnerabilities since it was released. Designed to make website development easier and providing additional features not supported by standard web browsers, it also adds complexity and a much broader attack surface. Web browsers no longer support Flash by default, but users often re-enable it for convenience. And just having it installed on your system may be enough for this latest zero-day Adobe Player vulnerability to be exploited.

KISA, the South Korean CERT issued a security bulletin on January 31, 2018, warning of a “use-after-free” vulnerability in Adobe Flash Player being actively exploited in the wild. The following day, Adobe issued Security Advisory APSA18-01 confirming CVE-2018-4878 as a potential remote code vulnerability and announcing plans to release a security patch on February 5, 2018. The attack is carried out with a malicious SWF file embedded inside a Microsoft Office or Hancom Hangul document or spreadsheet. Once opened, the victim’s computer executes the malicious SWF through Adobe Flash if it is installed.

“Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea,” according to FireEye.

The embedded payload is likely to be DOGCALL malware which facilitates the installation of ROKRAT command and control trojan which gives the remote attackers access to the victim’s system.

Experts warn that while waiting for the patch from Adobe on February 5th, users should be very cautious opening unexpected spreadsheets and document files. In reality, one should always be wary of any unexpected or suspicious document, especially ones that support embedding since they can hide all kinds of malware. You should also strongly consider uninstalling Adobe Flash. Even if it is disabled in your browser, having it installed on your system is enough for this latest exploit to execute successfully. Chances are you don’t need Adobe Flash any more. As explained by Sophos,

“The most common “need” we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all.”

Cisco and FireEye have both been investigating, and warn that a North Korean group that they have been following for a while are likely behind this latest attack. Called TEMP.Reaper by FireEye and Group 123 by Cisco, the group with ties to North Korea was very active in 2017.

According to FireEye: “Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”

In addition to expanding their targets, the hacking group appears to have been expanding its skills, utilizing a variety of different techniques to deploy destructive wiper malware and the command and control trojans.

There have been many hacking accusations pointed at North Korea in the past few years. With tensions rising in 2017 and the impending Olympics in South Korea this month there is a lot of opportunities and potential motivation for something significant. This latest attack shows that this hacking group is poised to take advantage of these opportunities.

As described by Cisco’s Talos security team, “Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0 day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”


Hacking Amazon Key – Hacker shows how to access a locked door after the delivery
5.2.2018 securityaffairs Hacking

Other problems for the Amazon Key technology, a hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.
Earlier in November, Amazon announced for its Prime members the Amazon Key, a program that would allow a delivery person to enter your home under video surveillance, securely drop off the package, and leave with the door locking behind them. The system could also be used to grant access to the people you trust, like your family, friends, or house cleaner.

A few days after the announcement, researchers with Rhino Security Labs demonstrated how to disable the camera on Amazon Key, which could let a rogue courier access the customers’ home.

Amazon Key app.png

Unfortunately, the technology seems to be totally secure, a hacker has in fact demonstrated another attack on the Amazan Key.

The hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.

MG
@_MG_
I call this the "Break & Enter dropbox" and it pairs well with my Amazon Key (smartlock & smartcam combo).

It's all current software. Amazon downplayed the last attack on this product because it needed an evil delivery driver to execute. This doesn't.

10:50 PM - Feb 4, 2018
39 39 Replies 1,035 1,035 Retweets 1,187 1,187 likes
Twitter Ads info and privacy
Technical details of the attack are not available, the hacker used a “dropbox” device that appears as tiny PC with Wi-Fi connectivity that is able to control the Amazon Key.

The Dropbox can be used to unlock the Amazon Key or to trigger a DoS condition in which the Amazon’s device is not able to lock the door after a courier accessed the customers’ home.


Almost all WordPress websites could be taken down due to unpatched CVE-2018-6389 DoS flaw
5.2.2018 securityaffairs
Vulnerebility

The Israeli security researcher Barak Tawily a vulnerability tracked as CVE-2018-6389 that could be exploited to trigger DoS condition of WordPress websites.
The expert explained that the CVE-2018-6389 flaw is an application-level DoS issued that affects the WordPress CMS and that could be exploited by an attacker even without a massive amount of malicious traffic.

“In this article I am going to explain how Denial of Service can easily be caused to almost any WordPress website online, and how you can patch your WordPress website in order to avoid this vulnerability being exploited.” reads the analysis of the expert.

Tawily revealed that the flaw exists in almost all versions of WordPress released in last nine years, including the latest one (Version 4.9.2).
The flaw affects the “load-scripts.php” WordPress script, it receives a parameter called load[] with value is ‘jquery-ui-core’. In the response, the CMS provides the JS module ‘jQuery UI Core’ that was requested.

CVE-2018-6389 WordPress flaw

As you know, WordPress is open-source project, for this reason, it was easy for the expert to perform code review and analyzed the feature in detail.

The load-scripts.php file was designed for WordPress admins and allows to load multiple JavaScript files into a single request, but the researcher noticed that that is is possible to call the function before login allowing anyone to invoke it.

The response provided by the WordPress CMS depends upon the installed plugins and modules. It is possible to load them by simply passing the module and plugin names, separated by a comma, to the load-scripts.php file through the “load” parameter.
https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous

The ‘load-scripts.php’ finds the JavaScript files included in the URL and appends their content into a single file and then send back it to the user’s web browser.

The researcher highlighted that the wp_scripts list is hard-coded and is defined in the script-loader.php file, so he decided to send a request that in response will get all the JS module of the WordPress instance.

“There is a well-defined list ($wp_scripts), that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user.”

“I wondered what would happen if I sent the server a request to supply me every JS module that it stored? A single request would cause the server to perform 181 I/O actions and provide the file contents in the response.”

Tawily developed a proof-of-concept (PoC) python script called doser.py that he used to makes large numbers of concurrent requests to the same URL to saturate the resources of the servers.

An attacker with a good bandwidth or a limited number of bots can trigger the CVE-2018-6389 vulnerability to target popular WordPress websites.

Below a video PoC of the attack.

Tawily reported this DoS vulnerability to the WordPress team through HackerOne platform, but the company refused to acknowledge the flaw.

“After going back and forth about it a few times and my trying to explain and provide a PoC, they refused to acknowledge it and claimed that:
“This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress’s control.“” Tawily wrote.

The expert has implemented the mitigation against this vulnerability in a forked version of WordPress, he has also released a bash script that addresses the issue.


Flash Zero-Day Attacks Analyzed by FireEye, Cisco
5.2.2018 securityweek
Vulnerebility
FireEye and Cisco have analyzed the attacks involving a recently disclosed Flash Player zero-day vulnerability and linked them to a group known for targeting South Korean entities.

South Korea’s Internet & Security Agency (KISA) warned last week of a zero-day flaw in Flash Player. Some local security experts said the vulnerability had been exploited by North Korean hackers since mid-November 2017 in attacks aimed at individuals in South Korea.

Adobe has confirmed the existence of the flaw, which affects Flash Player 28.0.0.137 and earlier, and it plans on patching it sometime this week. The security hole, tracked as CVE-2018-4878, is a use-after-free issue that can allow a remote attacker to execute arbitrary code.

FireEye has launched an investigation following the alert from KISA and linked the attack to a group it tracks as TEMP.Reaper. This threat actor is believed to be operating out of North Korea based on the fact that it has been spotted interacting with command and control (C&C) servers from IP addresses associated with Star JV, the North Korean-Thai joint venture that connects the country to the Internet.

“Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors,” FireEye said.

FireEye said its researchers spotted a new wiper malware, dubbed “RUHAPPY,” being developed by the Reaper group in the past year. North Korean threat actors have been known to use wiper malware, but Reaper has not been seen using RUHAPPY in attacks.

The security firm’s analysis showed that the hackers have exploited the Flash Player zero-day vulnerability using malicious Office documents and spreadsheets containing a specially crafted SWF file. If the flaw is exploited successfully, a piece of malware named by FireEye “DOGCALL” is delivered.

Cisco Talos has published several reports in the past months on this remote access trojan (RAT), which it tracks as ROKRAT.

The company has attributed the Flash Player zero-day attacks to an actor it has named “Group 123.” Talos last month detailed several campaigns conducted by this group against South Korean targets, but researchers have refrained from explicitly attributing the operations to North Korea.

“Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT,” Talos researchers said in a blog post on Friday. “They have used an Adobe Flash 0 day which was outside of their previous capabilities - they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”


Leaked memo suggest NSA and US Army compromised Tor, I2P, VPNs and want to unmask Monero users
5.2.2018 securityaffairs BigBrothers

The image of a memo leaked online suggests US Army and NSA are able to unmask Tor, I2P, VPNs users and they are working to track Monero,
US Army and NSA are able to unmask Tor, I2P, VPNs users and they are working to track Monero, this is the truth revealed by a photo alleged leaked by US Army.
The image revealed a joint project to track anonymous cryptocurrencies conducted by US Army’s Cyber Protection Team (CPT) from the Cyber Protection Brigade and NSA.
The photo of the memo is dated August 21, 2017, and was posted in the biz section of 4chan. The content reads:
“MEMORANDUM FOR RECORD

SUBJECT: Additional resource request for ACC project

2nd Battalion’s joint NSA/CPT [Cyber Protection Team] anonymous cryptocurrency project needs additional support in the form of new hires and additional funding to meet GWOT [Global War On Terror] and drug interdiction objectives outlined in July’s Command update brief.
• Requesting authorization to add additional civilian consultants to the ACC project and to initiate their SCI investigations
• Requesting additional funds for class 7 and 9, amounts indicated in attached cost analysis worksheet.
The success we have had with Tor, I2P, and VPN cannot be replicated with those currencies that do not rely on nodes [?]. There is a growing trend in the employment of Stealth address and ring signatures that will require additional R&D. Please reference the weekly SITREP [SITuation REPort] ON SIPR for more details regarding the TTPs involved.
BLUF [Bottom Line, Up Front]: In order to put the CPT back on track, we need to identify and employ additional personnel who are familiar with the CryptoNote code available for use in anonymous currencies.
Include this request for discussion at the next training meeting.
Point of contact for this memorandum is CW4 Henry, James P. at DSN (312)-780-2222.
JAMES,HENRY
.P1363921716

JAMES P. HENRY
CW4, USASPB”

NSA US army unmask Monero Tor I2P VPN

The memo explicitly refers to the difficulties in unmasking cryptocurrencies that are based on the CryptoNote that is an application layer protocol implemented in the scheme of several decentralized privacy oriented digital currencies.

The document requests the allocation of additional resources to track anonymous cryptocurrencies like Monero (XMR), Anonymous Electronic Online CoiN (AEON), DarkNet Coin (DNC), Fantomcoin (FCN), and Bytecoin (BCN).

The US authorities believe that Monero would become the main cryptocurrency in the criminal underground.

Researchers at DeepDotWeb verified the authenticity of Defense Switched Network (DSN) phone number listed for James P. Henry

“There is a Defense Switched Network (DSN) phone number listed for James P. Henry. When this DSN phone number was converted into a phone number that can be reached from the regular commercial phone network and called, the number was in fact the US Army’s Cyber Protection Brigade located in Fort Gordon, Georgia, just as the document purported to originate from.” states the blog post published by DeepDotWeb.

“While it is possible someone could have done a search for the Cyber Protection Brigade telephone number and used the conversion chart to recreate the DSN version of the phone number, it should be noted that the DSN phone number was not published on the internet prior to the release of this leak.”

DeepDotWeb requested comments from a Monero developer and others sources who were formerly in the Army, they all confirmed that the document appears to be authentic and its content plausible.

DeepDotWeb cited an anonymous source who is still serving in the US Army, that after analyzed the document said it was accurate.

Security experts believe that the US intelligence and military are using internal resources to conduct surveillance on blockchains.

It is still unclear who leaked the memo, someone speculates it was intentionally published with a deterrence purpose.

Tor, I2P, and VPNs are not completely compromised by the intelligence agency, persistent attackers have already proposed and implemented techniques to unmask users but that are not effective for dragnet surveillance.

Documents leaked by Edward Snowden revealed that the NSA is able to unmask VPN solutions based on vulnerable VPN protocols such as the PPTP, however, VPNs which rely on OpenVPN may not be compromised.

Don’t forget that anonymizing networks are essential to fight censorship and to ensure freedom of speech.

Looking at the photo it is possible to note above the laptop’s monitor, in the bottom right of the photo, a Common Access Card (CAC) that is a smart ID card used by the Department of Defense.

I believe it was intentionally put there with a diversionary intent.


GandCrab, a new ransomware-as-a-service emerges from Russian crime underground
3.2.2018 securityaffairs
Ransomware

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web.
Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service in the dark web dubbed GandCrab.

GandCrab raas

The GandCrab was advertised in Russian hacking community, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

“Over the last three days LMNTRIX Labs has been tracking an influx of GandCrab ransomware. The ransomware samples are being pushed by RIG Exploit delivery channels.” reads the analysis published by LMNTRIX.

GandCrab raas

As usually happen for Russian threat actors, members cannot use the ransomware to infect systems in countries in the former Soviet Republics that now comprise the Commonwealth of Independent States.

Below some interesting points from the advertisement:

Prospective buyers are asked to join the ‘partner program’, in which profits from the ransomware are split 60:40
Large’ partners are able to increase their percentage of proceeds to 70 per cent
As a Ransomware-as-a-service offering, technical support and updates are offered to ‘partners’
Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) – violating this rule results in account deletion
Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available.” reads the translation of the ad.
The operators behind the RaaS offer they platform maintaining 40% of the ransom, the percentage is reduced to 30% for large partners.

Once infected, if the victim does not pay on time, he will have to pay a double ransom.

Other specific features related to GandCrab RaaS is the that it allows payment using the cryptocurrency Dash and the service is provided by a server hosted on a .bit domain.

The authors of the GandCrab RaaS also offers technical support and updates to its members, they also published a video tutorial that shows how the ransomware is able to avoid antivirus detection.

The RaaS implements a user-friendly admin console, which is accessible via Tor Network, to allow malware customization (i.e. ransom amount, individual bots and encryption masks)

The experts shared the Indicators of Compromise in their blog post.


More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails
3.2.2018 securityaffairs
Phishing

Participants to the Bee Token ICO were robbed for 100s of ETH, scammers sent out a phishing email stating that the ICO was now open, followed by an Ethereum address they controlled.
Another day, another incident involving cryptocurrencies, hundreds of users fell victims to email scams in the last days.

The victims were tricked by scammers into sending more than $1 million worth of Ethereum to them as part of Bee Token ICO (Initial Coin Offering). Bee Token is a blockchain-based home sharing service, it launched the ICO on January 31 and ended on February 2, when the Bee team obtained the $5 million necessary to start their project.

During the period of the ICO, the crooks sent phishing emails posing as the Bee Token ICO.

The scammers, impersonating the Bee team, sent out emails with a character of urgency to the potential investors inviting them to buy Bee Tokens by transferring Ethereum coins to their wallets.

The scammers attempted to convince users to participate to the ICO by sending Ethereum spreading the news that the company started a partnership with Microsoft and would be giving participants a 100% bonus for all contributions in the next 6 hours.

Cybercriminals also guaranteed that the value of Bee Token would double within 2 months, or participants would receive their RTH back.

“Today, investors who were eagerly waiting for their opportunity to join the Bee Token ICO were robbed for 100s of ETH. Scammers managed to get their hands on the Bee Token mailing list and sent out a phishing email stating that the ICO was now open, followed by an Ethereum address to send their contributions to.” states the blog post published TheRippleCryptocurrency.

After the Bee team became aware of fraudulent activity it issued three security alerts to warn of the ongoing scam:

https://medium.com/@thebeetoken/security-notice-6edb5741039b
https://medium.com/@thebeetoken/security-update-38d5bbfaa50e
https://medium.com/@thebeetoken/bee-token-security-announcement-2-7397f32f5bf6
“The Bee Token team has been made aware of phishing sites that have copied the Bee Token website in an attempt to deceive users into sending them their money. Please DO NOT trust any website other than https://www.beetoken.com/ . REPEAT: DO NOT trust any website other than https://www.beetoken.com/” reads one of the Bee Token Security Notice.

The Bee Token team also created a Google scam reporting form to allow users to report scams.

The RippleCryptocurrency.com had access to two different versions of the email that reported the following Ethereum addresses used by crooks:

0xe336327426b8f95A5F5eB1f74144fD9065069C28
0x2A6D8021861f27aB992572D8689017b7A83C989D
a third one was reported on Reddit by users:

0xdf1ec2E44a8B1774B068eCfc5EF1c937A86bAf3E
The overall amount of money contained in the three wallets at the end of the ICO was over $1 million.

Unfortunately such kind of incident is not uncommon, for this reason, Facebook banned ads for ICOs and cryptocurrencies on its social network.


UK Government Advices Industry Sectors To Comply With Guidance Or Pay $17 Million Fine
3.2.2018 securityaffairs BigBrothers

Aiming to tackle threats from rogue nations and hackers The UK Government urges to boost security measures of services in critical sectors.
On November 2016 United Kingdom published the National Cyber Security Strategy to address cyber threats from rogue nations like Iran, Russia, China, terrorists, states sponsored hackers and cyber menaces like ransomware against the national infrastructure.

On August 2017 UK government published a public consultation to improve United Kingdom essential services in electricity, transport, water, energy, health and digital infrastructure in accordance with the Directive of Security of Network and Information Systems (known as NIS Directive) in cooperation with the Member States within the European Union (EU).

The NIS Directive consultation covered six main topics that are the following: identification of essential services, national Framework to manage implementation, security requirements for operators of essential services, incident reporting requirements for operators of essential services, requirements on Digital Service Providers and proposed penalty regime.

The Directive comes into play to cover aspects of network security that are not present in GDPR. Regarding GDPR the Directive aligns itself with the deadline for the implementation.

It is important to notice that there are two major and distinct bodies inspecting the compliance of the NIS Directive, the Competent Authorities, and NCSC. NCSC stands for National Cyber Security Centre a part of GCHQ, while Competent Authority stands for Regulator Body defined in NIS Directive scope for different critical sectors. This division aims to allow NCSC to carry out its function in providing expert advice and incident response capability to cyber attacks.

The NIS Directive is established in a layered fashion with a mandatory security outcome to be achieved with each principle like the NIST Security Framework. This assures that the NIS Directive can be implemented throughout the whole industry regardless their sectors. The layered approach takes into account the implementation of the principles without discarding the actual infrastructure.

The NIS Directive is composed of 14 principles that can be divided into four major objectives: Management of security risks (Governance, Risk Management, Asset Management, Supply chain), Protection of cyber attacks (Service protection policies and processes, Identity and access control, Data Security, System security, Resilient Networks & Systems, Staff Awareness & Training), Detection of cyber security events (Security Monitoring, Anomaly Detection) and reduction of the impact of cyber security events (Response and Recovery Planning, Improvements).

The directive sets the scope for the identification of operators of essential services and significant disruptive effects that that may pose a threat to national security, the potential threat to public safety and the possibility of significant adverse social or economic impact. The NIS Directive lay the ground for a national framework where Government ensures that the Competent Authorities have the necessary legislative provision to accomplish their duties and the necessary resources to conduct their activities.

The penalty will only be applied once the operator of essential service fails to comply with the directive tacking into account these following criteria listed in article 14, Security requirements and incident notification: the number of users affected by the disruption of the essential service, duration of the incident and the geographical spread with regard to the area affected by the incident. The fine will be judged and decided upon the accordance with the proper measures that were not taken and nor implemented, with a maximum value of €17 million. There are some uncertainties if essential services providers can accomplish the implementation requirements of NIS Directive until May 2018.

Sources:

http://www.bbc.com/news/technology-42861676
http://www.securityweek.com/uk-warns-critical-industries-boost-cyber-defense-or-face-hefty-fines
http://www.itpro.co.uk/cyber-warfare/30405/uk-energy-companies-face-17m-fines-for-poor-cybersecurity
https://www.infosecurity-magazine.com/news/uk-government-warns-of-17m/
http://www.itpro.co.uk/cyber-warfare/30405/uk-energy-companies-face-17m-fines-for-poor-cybersecurity
http://www.businessinsurance.com/article/20180129/STORY/912318798/UK-to-fine-firms-up-to-%2424-million-for-lax-cybersecurity
https://www.gov.uk/government/news/government-acts-to-protect-essential-services-from-cyber-attack
https://www.scmagazineuk.com/uk-companies-warned-to-boost-cyber-security-or-face-fines/article/740029/
https://www.computing.co.uk/ctg/news/3025464/critical-infrastructure-firms-could-be-fined-up-to-gbp17m-for-lacklustre-cyber-security
http://www.computerweekly.com/news/252433946/Hefty-fines-confirmed-for-CNI-providers-with-poor-cyber-security
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/677065/NIS_Consultation_Response_-_Government_Policy_Response.pdf
https://www.ncsc.gov.uk/guidance/nis-directive-top-level-objectives
https://www.ncsc.gov.uk/guidance/nis-guidance-collection
https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC


Japan’s Financial Services Agency raided the Coincheck headquarters in Tokyo after the hack
3.2.2018 securityaffairs BigBrothers

Cryptocurrencies are in the middle of a Tempest, on Thursday India announced it would adopt measures to prevent the use of virtual currencies in the country, the value of Bitcoin dropped below $9,000 for the first time since November. Finance Minister Arun Jaitley, in his annual budget, explained its government would “take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system”.

coincheck hack coindesk

A week after the security breach suffered by the virtual currency exchange Coincheck, Japanese authorities raided the company.

The hackers stole 58 billion yen ($530 million), an amount of money that is greater than the value of bitcoins which disappeared from MtGox in 2014.

After the MtGox case, the Japanese government passed a law on cryptocurrencies that assigns to the FSA the tack of regulating the exchanges operating in the country.

Coincheck had submitted an application to the FSA for a licence, the company was waiting for the permission.

This week, Coincheck announced it will refund about $400 million to 260,000 customers after the hack, the company will use its own funds.

Coincheck was founded in 2012, it is one of the most important cryptocurrency exchange in Asia. The company announced it will refund about $400 million to customers after the hack.

Japanese media criticized the company blaming the management to have underestimated the importance of security of its investor, they said Coincheck “expanded business by putting safety second”.

On Friday, agents of the Financial Services Agency raided the Coincheck’s headquarters in Tokyo’s Shibuya district with the intent to verify that the company adopted proper security measures to protect its assets.

“We have launched an on-site inspection to ensure preservation of clients’ assets,” said Finance Minister Taro Aso.

Japan’s Financial Services Agency gave Coincheck until February 13 to investigate the hack, implements additional security measures and “properly” deal with the affected clients.

According to Japanese bitcoin monitoring site Jpbitcoin.com, in November, yen-denominated bitcoin trades reached a record 4.51 million bitcoins, or nearly half of the world’s major exchanges of 9.29 million bitcoin.


Why are we all silent on the surveillance?
3.2.2018 securityaffairs BigBrothers

Silicon Valley with its bright minds has come to a point where almost every day they collect information about individuals. Why are we all silent on the surveillance?
NSA spying apart, what Facebook, Apple, and Google know about their usual users is quite overwhelming. Each of these major players is trying to find more about us. They even go to our friends, family and job network.

The big guns know when you are sad, happy, as well as your general internet spendings and many more.

Technology is changing so dramatically and has the power to find every bit of information about you. A perfect example of this is the Google Home Assistant or the new self-driving cars that shockingly knows where you want to go, or where’s your home.

In quick succession, step by step these big guys are creating probably the most invasive surveillance population in time.

It is quite worrisome how a group of known criminals hack them pretty often. Take Uber as an example; the ride-sharing firm is accused of getting hacked for multiple times – not just once or twice.

Californians, the world, and privacy

From all of this, you might think Californians are often talking about the privacy policy not only in most private sector, where is believed that law is more occasionally meeting with people.

But they actually talk in the private sector, where they have the protection of the 4th Amendment if they encounter problems as “unreasonable” searches.

I wish to have a talk at a coffee or a dinner with a tech investor and to ask him “What is your company doing with all the information?” For the moment, there is no possibility of a confrontation at this.

Even if California, for the USA, is the center of everything. As for technology, investors, the most brilliant minds, residents and elected officials are the targeted ones when it comes to the privacy policy. And, for sure, as in everything, there are exceptions.

I would love to see in the next US elections to prioritize this issue, or it can be an impactful subject in a ballot initiative.

Unfortunately, not so many exceptions for tech employees to feel human again. However, the one pushing is the employer, who digs deep into the privacy and enjoys it.

surveillance

The idea to do good is far to be reached

As I stated above, California might encounter the most impactful debate regarding privacy in the whole world in coming future. Do you consider letting companies keep user data forever? To move in a way and change the terms of service, so they breach privacy?

Should they share information with governments? Would there be an option purge information after a while or to just request to anonymize? It’s an option for only a company to sell information and meanwhile, they discharge the debt in bankruptcy?

What obligation parents have regarding their children’s privacy? It is awkward how Instagram tracks kids’ behavior before reaching the age of consent. Should Instagram keep that information until they are adults?

A very out of date law from California gives us a glimpse of how out of date they are: prohibiting someone to record a phone call without the consent of the other party.

For sure it is not a bad law, however, restricts everyone just for the idea of privacy. Sadly, this rule is not applied since data is gathered without shame. We can imagine revenging porn laws that protect us from unauthorized shops from centerfolds.

All in all, we exposed ourselves to comprehensive, intrusive, relentless surveillance at our daily activities.

John Naughton an Irish academic affirmed, “and we have no idea what the long-term implications of this (surveillance) will be.”

Some end thoughts

Some of this is the threat when others are scared by the idea of imposed limits. Yet, people value privacy and having it updated can mean a better future. For sure it is impossible to stop privacy threats sometimes.

But in exchange shouldn’t we prioritize and make things better? Californians have a high position here, more than anyone, yet they haven’t made a bit of effort.

And of course, not just the ones living in California – we all, no one, should keep their voice low against the surveillance. Speak up!


Western Digital My Cloud flaws allows local attacker to gain root access to the devices
3.2.2018 securityaffairs
Attack

Trustwave disclosed two vulnerabilities in Western Digital My Cloud network storage devices could be exploited by a local attacker to gain root access to the NAS devices.
Researchers at Trustwave disclosed two new vulnerabilities in Western Digital My Cloud network storage devices could be exploited by a local attacker to delete files stored on devices or to execute shell commands as root.

The two Western Digital My Cloud flaws are an arbitrary command execution vulnerability and an arbitrary file deletion issue. The arbitrary command execution vulnerability affects the common gateway interface script “nas_sharing.cgi” that allows a local user to execute shell commands as root. Hardcoded credentials allows any users to authenticate to the device using the username “mydlinkBRionyg.”

“The first finding was discovering hardcoded administrator credentials in the nas_sharing.cgibinary. These credentials allow anyone to authenticate to the device with the username “mydlinkBRionyg”.” states the analysis published by Trustwave. “Considering how many devices are affected this is very serious one. Interestingly enough another researcher independently released details on the same issue less than a month ago.”

The arbitrary file deletion vulnerability is also tied to the common gateway interface script “nas_sharing.cgi”.

“Another problem I discovered in nas_sharing.cgi is that it allows any user execute shell commands as root. To exploit this issue the “artist” parameter can be used.” continues the analysis.

Western Digital My Cloud

Chaining the two flaws it is possible to execute commands as root, a local attacker could log in using the hardcoded credentials and executing a command that is passed inside the “artist” parameter using base64 encoding.

The Western Digital models affected are My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.

Trustwave reported the issues to Western Digital in 2017, according to the researchers the flaws are addressed with the firmware (version 2.30.172 ) update, released on Nov. 16, 2017.

“As a reminder, we urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended. We also urge you to implement sound data protection practices such as regular data backups and password protection, including to secure your router when you use a personal cloud or network-attached storage device.” recommends Western Digital.


JenX botnet leverages Grand Theft Auto videogame community to infect devices
3.2.2018 securityaffairs BotNet

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, the leverages the Grand Theft Auto videogame community to infect devices.
Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, that exploits vulnerabilities triggered by the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect devices.

The activity of the Satori botnet has been observed in 2017 by researchers from Check Point security, it uses A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532.

JenX exploits the CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP command execution) and CVE-2017-17215 (Huawei Router HG532 arbitrary command execution). that affect Huawei and Realtek routers.

“A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims leveraging one of two known vulnerabilities that have become popular in IoT botnets recently:

CVE-2014-8361 “Realtek SDK Miniigd UPnP SOAP Command Execution” vulnerability and related exploit.
CVE-2017–17215 “Huawei Router HG532 – Arbitrary Command Execution” vulnerability and related exploit.” states Radware in a blog post.
“Both exploit vectors are known from the Satori botnet and based on code that was part of a recent public Pastebin post by the “Janit0r,” author of “BrickerBot.”

JenX also implemented some techniques used by the recently discovered PureMasuta botnet.

The command-and-control server is hosted at the site San Calvicie, which offers multiplayer mod support for Grand Theft Auto: San Andreas, and also DDoS-for-hire service.

JenX is a DDoS botnet, the DDoS option offered by San Calvicie is called “Corriente Divina.”

The users of the website can rent a GTA San Andreas multiplayer modded server for $16 and a Teamspeak server goes for $9. Adding $20 it is possible to power massive DDoS attacks that can peak 290 and 300 Gbps.

“The Corriente Divina (‘divine stream’) option is described as ‘God’s wrath will be employed against the IP that you provide us,” wrote Radware’s Cyber Security expert Pascal Geenens. “It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a ‘Down OVH’ option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.”

jenx botnet

Differently from Satori and PureMasuta botnets, JenX has a centralized infrastructure, it uses a central server to perform the scanning of new hosts.

“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” continues the analysis.

The presence of a central server that coordinates the activity makes it easy for law enforcement and security firms to take down the botnet. Of course, threat actors can deploy the control server to the Dark Web making hard take over from law enforcement.

Even if the JenX is able to power massive DDoS attacks, for now, is doesn’t represent a serious threat because it aims to disrupt services from competing for GTA SA multiplayer servers.

“The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet,” Geenens concluded.

“But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month! That said, there is nothing that stops one from using the cheap $20 per target service to perform 290Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would oppose to it.”


Japan Raids Hacked Crypto Exchange, Bitcoin Plunges Further
3.2.2018 securityweek Hacking
Japanese authorities on Friday raided virtual currency exchange Coincheck, a week after the Tokyo-based firm lost $530 million in cryptocurrency to hackers.

The raid comes as bitcoin dipped below $9,000 for the first time since November after India said Thursday it would take measures to prevent the use of cryptocurrencies.

The search of Coincheck's headquarters in Tokyo's Shibuya district was carried out by the Financial Services Agency, which had already slapped the company with an administrative order following the hack.

"We have launched an on-site inspection to ensure preservation of clients' assets," Finance Minister Taro Aso said at a briefing.

Japanese officials have suggested Coincheck lacked proper security measures, making itself vulnerable to theft.

The January 26 hack, which saw thieves syphon away 523 million units of the cryptocurrency NEM, exceeds the $480 million stolen in 2014 from another Japanese virtual currency exchange, MtGox.

Earlier this week, Japan's FSA gave Coincheck until February 13 to investigate the cause of the incident, "properly" deal with clients, strengthen risk management and take preventive measures.

Coincheck has said it will use its own funds to reimburse all 260,000 customers who lost holdings, at a rate of 88.549 yen per NEM.

The refund, which will be paid in yen, not virtual currency, will set the firm back about 46.3 billion yen ($422 million).

In the wake of the MtGox scandal, Japan passed a law on cryptocurrencies that requires exchanges to be regulated by the FSA. The law went into effect in 2017.

Coincheck had submitted an application to the FSA for a licence and was allowed to continue operating while it awaited a decision, the agency said.

Japan is a leading market for cryptocurrencies, with nearly a third of global bitcoin transactions in December denominated in yen, according to specialist website jpbitcoin.com.

Virtual currencies are popular elsewhere in Asia, including South Korea and China, but India's government on Thursday said it would crack down on their use.

Finance Minister Arun Jaitley, in his annual budget, said New Delhi would "take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system".

Bitcoin, which soared to nearly $20,000 a unit in December, was down at $8,800 on Friday, while other digital units such as Litecoin and Ethereum have also suffered massive losses from their recent peaks.


Kaspersky Patches Vulnerabilities in Secure Mail Gateway
3.2.2018 securityweek
Vulnerebility
Kaspersky Lab this week released an update for its Secure Mail Gateway to resolve a series of vulnerabilities that could lead to account takeover, code execution, and privilege escalation.

The Kaspersky Secure Mail Gateway is an integrated email system and security solution that comes bundled with anti-spam, anti-malware, and anti-phishing and deployed on a virtual appliance.

Core Security Technologies found four security flaws in Kaspersky’s product, including Cross-Site Request Forgery, Improper Neutralization of Special Elements in Output Used by a Downstream Component, Improper Privilege Management, and Improper Neutralization of Input during Web Page Generation.

A remote attacker could exploit these issues to gain command execution as root, Core Security's researchers say. The bugs were found in Kaspersky Secure Mail Gateway 1.1.0.379.

Kaspersky Secure Mail Gateway comes with a Web Management Console to monitor the application status and manage operations, but has no cross-site request forgery protection site-wide, which could lead to administrative account takeover, Core Security's advisory noted.

An attacker could submit authenticated requests when an authenticated user browses an attacker-controlled domain, the researchers explain. Thus, a feature that allows users to restore a backup file that overwrites the appliance's configuration can be abused to overwrite the original passwd file and provide the attacker with admin access.

Furthermore, an attacker who accesses the Web Console could gain command execution as root through the injection of arbitrary content into the appliance's Postfix configuration.

The console makes it possible to add a "BCC Address for all Messages", a configuration parameter written verbatim to the appliance's Postfix main.cf configuration file. When adding LF characters to it, an attacker could inject a configuration parameter to execute arbitrary commands on the appliance as root.

This allows the attacker to execute any binary on the system, but can’t pass arguments to it. However, it is possible to overcome this by abusing another Web Console functionality to upload a Python script to the file system, the researchers discovered.

The third issue could allow an attacker to elevate privileges from kluser to root by abusing a setuid binary shipped with the appliance and execute a script on the attacker-controlled location with root privileges.

A reflected cross-site scripting flaw also impacts the Management Console. The issue resides in the callback parameter of the importSettings action method.

The security researchers reported the bugs to Kaspersky in early October 2017. On February 1, 2017, Kaspersky published an advisory to announce the patching of these issues in Kaspersky Secure Mail Gateway 1.1 MR1. Impacted customers are advised to upgrade to the new release as soon as possible.


Chinese Iron Tiger APT is back, a close look at the Operation PZChao
3.2.2018 securityaffairs APT

Chinese Iron Tiger APT is back, the new campaign, dubbed by Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.
Malware researchers from Bitdefender have discovered and monitored for several months the activity of a custom-built backdoor capable of password-stealing, bitcoin-mining, and of course to gain full control of the victim’s machine.

The campaign, dubbed by Bitdefender, Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.

“This is also the case of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia. Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.” states the report published by BitDefender.
“An interesting feature of this threat, which drew our team to the challenge of analyzing it, is that it features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery). The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system.”

It is interesting to notice that the malware features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery).

The experts who analyzed the command and control infrastructure and malicious codes used by the hackers (i.e. Gh0st RAT) speculate the return of the Iron Tiger APT group.

The Iron Tiger APT (aka Panda Emissary or TG-3390) is active at least since 2010 and targeted organization in APAC, but since 2013 it is attacking high-technology targets in the US.

The experts found many similarities between the Gh0stRat samples used in the Operation PZChao and the ones used in past campaigns associated with the Iron Tiger APT.

Attackers behind the Operation PZChao targeted victims with spear-phishing messages using a malicious VBS file attachment that once executed will download the malicious payloads to Windows systems from a distribution server. The researchers determined the IP address of the server, it is “125.7.152.55” in South Korea and hosts the “down.pzchao.com”.

Experts highlighted that new components are downloaded and executed on the target system in every stage of the attack.

Operation PZChao

The experts discovered that the first payload dropped onto compromised systems is a bitcoin miner.

The miner is disguised as a ‘java.exe’ file and used every three weeks at 3 am to avoid being noticed while mining cryptocurrency likely to fund the campaign.

But don’t forget that the main goal of the Operation PZChao is cyber espionage, the malicious code leverages two versions of the Mimikatz tool to gather credentials from the infected host.

The most important component in the arsenal of the attacker remains the powerful Gh0sT RAT malware that allows controlling every aspect of the infected system.

“this remote access Torjan’s espionage capabilities and extensive intelligence harvesting from victims turns it into an extremely powerful tool that is very difficult to identify,” concluded Bitdefender. “The C&C rotation during the Trojan’s lifecycle also helps evade detection at the network level, while the impersonation of legitimate, known applications takes care of the rest.”


Does The U.S. Need a National Cybersecurity Safety Board?
2.2.2018 securityweek BigBrothers
It is time, suggest two academics from Indiana University-Bloomington, for Congress to establish a National Cybersecurity Safety Board (NCSB) as an analogue of the National Transportation Safety Board (NTSB), to improve the level of cybersecurity in the U.S.

The argument is that the NTSB helped to improve the safety of air travel while still stimulating growth and innovation in the industry. "Today," they say in a paper published this week, "air travel is widely regarded as among the safest forms of mass transportation. Can the same feat be replicated in cyberspace?"

Scott J. Shackelford JD, PhD, and Austin E. Brady argue, in their paper "Is it Time for a National Cybersecurity Safety Board? Examining the Policy Implications and Political Pushback' that it is both time, and possible (although not immediately probable). "A NCSB is politically unlikely in the near term, but we believe that the creation of such a body is overdue... All that is needed is the political will to act, the desire to experiment with new models of cybersecurity governance, and the recognition that we should learn from history."

The paper argues that there have been many propositions for strengthening U.S. cybersecurity, "from federally sponsored cyber risk insurance programs to allowing companies to have a freer hand to engage in proactive cybersecurity measures." The former would allow the insurer to impose cybersecurity conditions, while the latter would allow 'active defense' or even the right to 'hack back' . Across most of these proposals, it suggests, "are more robust data breach investigation requirements."

This connection is not clearly established in the paper, although it precisely aligns with the transportation functions of the NTSB. The argument is that we can better prevent future cybersecurity breaches by more fully understanding past breaches, and that this process needs to be established by government.

There is an alternative model for improving cybersecurity that is not mentioned in this paper: an American Cybersecurity Association (ACA) that uses the American Medical Association (AMA) as the model. This argument argues that professionalizing the cybersecurity workforce in the same way that the AMA professionalized the medical profession would raise the standard and quality of organizations' cybersecurity.

The ACA approach has been described by Martin Zinaich, Information Security Officer at the City of Tampa, FL. In his paper, 'What does Information Security have in common with Eastern Air Lines Flight 401?', he argues, "The AMA accelerated the professionalization of medicine and the establishment of minimum standards in medical training, education and apprenticeship requirements to gain entry to the profession. The same could and should be done in the Information Security field with a similar cybersecurity national body and professional associations."

The difference between the two approaches is that one imposes regulations from outside of the profession, while the other generates standards from within the profession. Both, however, suffer from inertia, and Shackelford and Brady argue that Congress should force the issue by establishing a national safety board.

"Such a model would be an improvement on the existing reliance on Cyber Emergency Response Teams (CERTs), and aide in effective policy making at both the state and federal level given the lack of hard, verifiable data on the scope and scale of cyber attacks. The creation of a NCSB could also help law enforcement investigations, particularly local and state agencies without the resources and expertise of the FBI. Along with the ISACs, this would be a boon to academics needing reliable data to undertake scholarly analysis, as well as national security organizations, and U.S. strategic partners around the world."

Interestingly, the authors spend some time looking at the European cybersecurity model depicted by the General Data Protection Regulation (GDPR) and the Network Information Systems Directive (NISD) both coming into force in May 2018. "Although neither the GDPR nor the NIS Directive includes a version of a regional Cybersecurity Safety Board, the elements it does include moves the EU in this direction, which could make an analogous U.S. body that much more effective," they write. "Such developments would be an important step on the long journey to a positive and sustainable cyber peace."

However, GDPR is far removed from any form of a national cybersecurity safety board. The authors say, "it centralizes data protection authority in the EU into a single regulatory body, as compared with the EU Data Privacy Directive’s (DPD) utilization of national data protection authorities for each Member State." This isn't strictly true -- each member state will retain its own regulatory body, and there are many areas within the regulation where national transposition has a degree of flexibility over implementation and interpretation. While GDPR is a unifying force, its application will still vary slightly between different member states.

Such minor differences are likely to be exacerbated by the concept of national security -- which again varies between different member states. "The extent of some of these obligations, however, is still unclear, as States may see cyber threats as falling in the realm of national security, and therefore outside the scope of this strata of EU governance," note the authors.

The interplay between national security and cybersecurity is not discussed within this paper; and yet it is fundamental to the way in which any overarching regulation -- whether the EU's GDPR or a proposed U.S. NCSB -- can actually operate. In the name of national security there will always be areas where intelligence agencies, and politicians, will seek to keep the true nature of events secret. There is likely to be considerable pushback from the intelligence agencies against any national body that has the independence of the NTSB, and the independence proposed for an NCSB.

How, for example, could an NCSB handle an investigation into a breach such as the Belgacom telco hack that was revealed in 2013? According to leaked documents (Snowden) it was undertaken by GCHQ using the NSA's 'quantum insertion' technology.

Martin Zinaich certainly has his concerns over an NCSB. "I support anything that might solidify a structuring of Information Security into a normalized business risk profile," he told SecurityWeek. "However, it seems to me a National Cybersecurity Safety Board might not be the best place to start. I also do not think a NCSB could be agile enough to keep pace.

"If there is one area where Cyber Security professionals excel," he continued, "it is in the identification of cyber-attacks and breaches. Too often, the cause is not a mystery where an investigative body would expose an unknown risk that could then be shared to make the industry safer (as does the current NTSB). No, too often the cause is well-known and age old. Take the 2017 Equifax breach. The vector was an Apache Struts vulnerability that had already been patched but the patch was not applied (and there are a lot of non-technical reasons why that can be so)."

Zinaich retains his belief that the best way to improve cybersecurity is by professionalizing the practitioners. "The issue is the integration of Information Security into the business at a level where it has an impact -- be the business a manufacturer of IoT devices or a credit lending institution. I still hold that professionalizing this field is the place to start, but I predict legislation will come first."

While there are strong arguments, as outlined in this paper, for the formation of a National Cybersecurity Safety Board, it is probably not achievable in the current geopolitical climate. Similarly, while there are strong arguments in favor of an American Cybersecurity Association, existing practitioners are generally too busy firefighting cybersecurity incidents to get it started.

The greater likelihood is that the current tendency for government to impose regulations to improve cybersecurity will probably just continue and gather pace.


Web Server Used in 100 ICS Products Affected by Critical Flaw
2.2.2018 securityweek ICS
A critical vulnerability that could allow a remote attacker to execute arbitrary code has been found in a component used by more than 100 industrial control systems (ICS) from tens of vendors.

The flaw affects the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product, which allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.

According to the CODESYS website, the WebVisu product is used in 116 PLCs and HMIs from roughly 50 vendors, including Schneider Electric, WAGO, Hitachi, Advantech, Beck IPC, Berghof Automation, Hans Turck, and NEXCOM.

Zhu WenZhe of Istury IOT discovered that the CODESYS web server is affected by a stack-based buffer overflow vulnerability that could allow an attacker to cause a denial-of-service (DoS) condition and possibly even execute arbitrary code on the web server.

“A crafted web server request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of service condition due to a crash in the web server,” 3S-Smart Software Solutions explained in an advisory.

The vendor says that while there is no evidence that the flaw has been exploited in the wild, even an attacker with low skill may be able to exploit it remotely.

Related: Learn More at SecurityWeek’s ICS Cyber Security Conference

The vulnerability is tracked as CVE-2018-5440 and it has been assigned a CVSS score of 9.8. CODESYS v2.3 web servers running on any version of Windows (including Windows Embedded Compact) as stand-alone or part of the CODESYS runtime system prior to version 1.1.9.19 are affected. Version 1.1.9.19, which is also part of the CODESYS 2.3.9.56 setup, patches the vulnerability.

While 3S-Smart Software Solutions says it has not identified any workarounds for this security hole, the company has advised organizations to ensure that access to controllers is restricted through minimization of network exposure, and the use of firewalls and VPNs. The company has also published a white paper with general recommendations on security in industrial control applications.

Vulnerabilities in CODESYS components are not uncommon. Last April, industrial cybersecurity startup CyberX uncovered several critical flaws in the CODESYS web server. More recently, SEC Consult reported that a CODESYS component flaw exposed PLCs from WAGO and possibly other vendors to attacks.

Shodan has been crawling port 2455, which is specific to the CODESYS protocol, since 2014. The search engine currently shows more than 5,600 systems reachable via this port, with a majority in the United States, Germany, Turkey, China and France.

Shodan map shows CODESYS devices


New Botnet Is Recruiting IoT Devices
2.2.2018 securityweek BotNet
A new botnet is recruiting Internet of Things (IoT) devices by exploiting two vulnerabilities already popular among IoT botnets, Radware has discovered.

Dubbed JenX, the threat is abusing the CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP Command Execution) and CVE-2017–17215 (Huawei Router HG532 – Arbitrary Command Execution) vulnerabilities. Both of these security issues were previously abused by the Mirai variant Satori.

The new threat also uses techniques associated with the recently detailed PureMasuta variant of Mirai, which recently had its source code published on an invite-only dark forum.

The botnet’s command and control (C&C) server also provides gaming mod servers and distributed denial of service (DDoS) services, Radware's researchers discovered.

The DDoS feature includes attack vectors such as Valve Source Engine Query and 32bytes floods, TS3 scripts, and a Down OVH option (likely a reference the Mirai attack on a cloud hosting provider OVH in September 2016). The miscreants guarantee attack volumes of 290-300Gbps, supposedly leveraging the power of the new botnet.

JenX uses servers to perform the scanning and exploit operations, unlike previously observed IoT botnets such as Mirai, Hajime, Persirai, Reaper, Satori, and Masuta, which leverage infected systems for scanning and exploiting (which also fuels an exponential growth of the botnet).

Because it does not include scanning and exploit payloads, JenX’ code is unsophisticated and lighter on the delivery, Radware says. With centralized scan and exploit functionality, the operators also have increased flexibility to expand and improve the functionality without impacting the size of the bot.

Because there are fewer nodes scanning and exploiting, the botnet is less noisy and can better avoid being detected by honeypots. This also makes it more difficult to estimate the botnet’s size, without accessing the C&C server, the security researchers say. On top of that, the botnet only impacts the victim’s network connection when instructed to perform an attack.

“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” Radware notes.

The malware is protected with anti-debugging detection and its binary forks three processes obfuscated in the process table much like Mirai. All processes listen to a port bound to localhost while one opens a TCP socket to the C&C at 80.82.70.202 on port 127. The bot uses XOR obfuscation with the exact same key used in PureMasuta.

When executed, the malware connects to the C&C server located by the hostname ‘skids.sancalvicie.com’ using the TCP session (the domain is registered to Calvos S.L.). The server supposedly provides a command line interface.

The code has indicators of a Valve Source Engine Query attack payload, likely because of the GTA San Andreas multiplayer servers on the domain. The attack vector was included in the original Mirai code that went public in October 2016, and Radware believes the botnet is being built by the San Calvicie hacker group and served through their Clearnet website.

“Unless you frequently play GTA San Andreas, you will probably not be directly impacted. The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet! But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month,” Radware’s Pascal Geenens note.

Two providers informed on the issue have already taken down the exploit servers hosted in their datacenters, but some servers remain active and the botnet is still operational, Geenens says. However, should the attackers decide to move their exploit servers to the darknet, the botnet’s takedown would be much more difficult, as was the case with BrickerBot.

“JenX, in particular, can be easily concealed and hardened against takedowns. As they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones. These providers do not care about abuse,” Geenens says.


Hundreds of ICS products affected by a critical flaw in CODESYS WebVisu
2.2.2018 securityaffairs ICS

Researcher discovered a critical vulnerability in the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product currently used in 116 PLCs and HMIs from many vendors,
Security researcher Zhu WenZhe from Istury IOT discovered a critical stack-based buffer overflow vulnerability in the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product that allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.

The vulnerability is tracked as CVE-2018-5440 and it has been assigned a CVSS score of 9.8, and the worst news is that it is quite easy to exploit.

The WebVisu product is currently used in 116 PLCs and HMIs from many vendors, including Schneider Electric, Hitachi, Advantech, Berghof Automation, Hans Turck, and NEXCOM.

An attacker can remotely trigger the flaw to cause a denial-of-service (DoS) condition and under some conditions execute arbitrary code on the web server.

“A crafted request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of-service condition due to a crash in the web server. ” reads the security advisory issued by CODESYS.

According to CODESYS, there is no evidence that the flaw has been exploited in the wild.

The flaw affects all Microsoft Windows (also WinCE) based CODESYS V2.3 web servers running stand-alone or as part of the CODESYS runtime system prior version V1.1.9.19.

The company has released the CODESYS web server V.1.1.9.19 for CODESYS V2.3 to
address the flaw. This is also part of the CODESYS setup V2.3.9.56.

The vendor also recommends organizations to restrict access to controllers, use firewalls to control the accesses and VPNs.

In December 2017, security researchers at SEC Consult discovered a flaw in version 2.4.7.0 of the CODESYS runtime which is included on PFC200s with firmware version 02.07.07. The CODESYS runtime is commonly included on PLCs to allow for easy programming by users. 17 models of WAGO PFC200 Series PLC were found vulnerable to remote exploit.

A PLC flaw can be a serious threat to production and critical infrastructure

Back to the present, querying the Shodan search engine for port 2455 used by CODESYS protocol we can find more than 5,600 systems are exposed online, most of them in the United States, Germany, Turkey, and China.

CODESYS hack


DDG, the second largest mining botnet targets Redis and OrientDB servers
2.2.2018 securityaffairs BotNet

Researchers at Qihoo 360’s Netlab analyzed a new campaign powered by the DDG botnet, the second largest mining botnet of ever, that targets Redis and OrientDB servers.
A new Monero-mining botnet dubbed DDG was spotted in the wild, the malware targets Redis and OrientDB servers.

According to the researchers at Qihoo 360’s Netlab, the DDG botnet was first detected in 2016 and is continuously updated throughout 2017.

“Starting 2017-10-25, we noticed there was a large scale ongoing scan targeting the OrientDB databases. Further analysis found that this is a long-running botnet whose main goal is to mine Monero CryptoCurrency. We name it DDG.Mining.Botnet after its core function module name DDG.” reads the analysis published by Netlab.

The miner has already infected nearly 4,400 servers and has mined over $925,000 worth of Monero since March 2017, DDG is among the largest mining botnets.

Yesterday I wrote about the greatest mining botnet called Smominru that has infected over 526,000 Windows machines, its operators had already mined approximately 8,900 Monero ($2,346,271 at the current rate).

The malware exploits the remote code execution vulnerability CVE-2017-11467 to compromise OrientDB databases and targets Redis servers via a brute-force attack.

Crooks are focusing their efforts on attacks against servers that usually have significant computing capabilities.

The attack chain described by the researchers from Qihoo 360’s Netlab is composed of the following steps:

Initial Scanning: The attacker (ss2480.2) exploits the known RCE vulnerability of the OrientDB database and drops the attack payload
Stage 1: Attackers modify local Crontab scheduled tasks, download and execute i.sh (hxxp: //218.248.40.228:8443/i.sh) on the primary server and keep it synchronized every 5 minutes
Stage 2: DDG traverses the built-in file hub_iplist.txt, check the connectivity of every single entry and try to download the corresponding Miner program wnTKYg from the one can be successfully connected (wnTKYg.noaes if the native CPU does not support AES-NI)
Mining Stage: The Miner program begins to use the computing resources of the compromised host to begin mining for the attacker’s wallet.
The following image shows the DDG Mining Botnet attack process:

DDG botnet
The researchers conducted sinkholing of the botnet traffic and observed 4,391 IP addresses of compromised servers from all countries. Most of the infections is in China (73%), followed by the United States (11%), the botnet is mainly composed of compromised Redis databases (88%).

Cybercriminals are using three wallet addresses, the botnet mined 3,395 Monero ($925,000), but researchers also discovered another wallet containing 2,428 Monero ($660,000).

“The total income is Monroe 3,395 or 5,760. These tokens are worth USD 925,383 or 1,569,963 today. Note: There is an issue for the second wallet, where “Total Paid” is not consistent with the summary of all tractions’ amount. We cannot confirm which number is more accurate, so we show both numbers here.” continues the analysis.

Further information including the IoCs are included in the technical report published by Qihoo 360’s Netlab.


It's Time For Machine Learning to Prove Its Own Hype
2.2.2018 securityweek IT

Machine Learning in Cybersecurity

Machine Learning is a Black Box that is Poorly Understood

2017 was the year in which 'machine learning' became the new buzzword -- almost to the extent that no new product could be deemed new if it didn't include machine learning.

Although the technology has been used in cybersecurity for a decade or more, machine learning is now touted as the solution rather than part of the solution.

But doubts have emerged. Machine learning is a black box that is poorly understood; and security practitioners like to know exactly what it is they are buying and using.

The problem, according to Hyrum Anderson, technical director of data science at Endgame (a vendor that employs machine learning in its own endpoint protection product), is that users don't know how it works and therefore cannot properly evaluate it. To make matters worse, machine learning vendors do not really understand what their own products do -- or at least, how they come to the conclusions they reach -- and therefore cannot explain the product to the satisfaction of many security professionals.

The result, Anderson suggests in a blog post this week, is "growing veiled skepticism, caveated celebration, and muted enthusiasm."

It's not that machine learning doesn't work -- it clearly does. But nobody really understands how it reaches its decisions.

Anderson quotes Ali Rahimi. "He compared some trends, particularly in deep learning, to the medieval practice of Alchemy. 'Alchemy ‘worked’,' Ali admitted. 'Alchemists invented metallurgy, ways to dye textiles, our modern glass-making processes, and medications. Then again, Alchemists also believed they could cure diseases with leeches, and turn base metals into gold'."

"If the physicist’s mantra is Feynman’s 'What I cannot create, I do not understand'," he continues, "then the infosec data scientist should adopt, 'What cannot be understood, should be deployed with care.' Implied, but not spoken, is 'if at all'.

This problem of not understanding how a conclusion is reached could become much worse if a possible interpretation of Article 22 of the EU's General Data Protection Regulation (GDPR) is enforced to its full potential. This states, "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

This should not directly affect machine-learning malware detection because data subjects are not directly involved, but could have implications for other applications used by both IT and security departments.

GDPR's Recital 71 clarifies the requirement. It adds, "In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision."

Right now, suggests Anderson, this would be largely impossible. "The point is that although some models may reach impressive predictive performance, it may not be clear what information in the data directly determine the decisions. Ironically, machine learning is such that even with full access to the source code and data, it may still be very difficult to determine 'why' a model made a particular decision."

A partial solution for infosec practitioners would come from the increased involvement of the machine learning industry with third party testing. This would at least enable the practitioners to understand how effective the algorithms are, even if not how they work. Although some machine-learning, so-called next-gen, endpoint protection vendors have been slow and reluctant to embrace third-party testing, Endgame is not one of them.

"Fortunately," writes Anderson, "there are technique-agnostic methods to compare solutions. We have previously argued that AV can be compared apples-to-apples to ML by comparing both false positive and true positive rates, for example, whereas 'accuracy' is wholly inadequate and may hide all manner of sins... In the endpoint security space, vendors are beginning to offer holistic breach tests rather than AV-only tests, which help customers value a broader protection landscape."

But ultimately, it is the lack of visibility into the working of machine learning and AI algorithms that must change. "My call for 2018," says Anderson, "is to continue to address what is still particularly needed in ML infosec research: more cross-pollination between academia and industry, more open community engagement from security vendors, and more open datasets for reproducible research. By doing this, we’ll continue to move ML in infosec from the dark arts of Alchemy to rigorous Science."

Endgame was founded in 2008 by Chris Rouland and other executives who previously worked with the CIA and Internet Security Systems. It originally discovered and sold 0-day vulnerabilities, but shifted away from this around 2014. Under current CEO Nate Fick's leadership, it has grown its commercial offering using more than $100 million in funding, including a $23 million Series B funding round in March 2013 followed by a $30 million Series C round in November 2014.


Crypto-Mining Botnet Ensnares 500,000 Windows Machines
2.2.2018 securityweek BotNet
Focused on mining Monero crypto-currency, a new botnet has managed to ensnare over half a million machines to date, Proofpoint reports.

Dubbed Smominru, the botnet managed to infect over 526,000 Windows hosts to date, most of which are believed to be servers. After conducting a sinkholing operation, the security researchers discovered that the infected machines are distributed worldwide, with the highest numbers in Russia, India, and Taiwan.

The Monero miner, which is also known as Ismo, has been observed since the end of May 2017 spreading via EternalBlue, the National Security Agency-linked exploit that targets a vulnerability (CVE-2017-0144) in Windows’ Server Message Block (SMB) on port 445. The exploit was previously used in other global attacks, including WannaCry and NotPetya.

The miner itself has been detailed numerous times before, and was associated with various attacks, including those perpetrated by an established Chinese crime group (Hex Men).

What makes it stand out in the crowd is the use of Windows Management Infrastructure for infection, a method recently noticed in the WannaMine crypto-mining worm too (which also uses EternalBlue to spread).

The hash power associated with the Monero payment address for Smominru reveals that the botnet was likely twice the size of Adylkuzz, the first crypto-mining botnet to abuse EternalBlue. According to Proofpoint, Smominru’s operators already mined around 8,900 Monero (between $2.8 million and $3.6 million), at a rate of around 24 Monero per day.

In a recent report diving into the huge financial gains crypto-miner operators register, Talos revealed that an adversary controlling 1,000 systems would make around $90,000 per year. The security firm also says it “has observed botnets consisting of millions of infected systems,” which “could be leveraged to generate more than $100 million per year theoretically.”

While investigating Smominru, Proofpoint discovered that at least 25 of the hosts were attempting to infect new machines via EternalBlue (the hosts are placed behind the network autonomous system AS63199).

Last week, NetLab 360 security researchers published a post on what they call the MyKings botnet, which appears to be none other than Smominru, based on the used Monero address. NetLab revealed that the mining operation was performed by a sub-botnet, while another was focused on scanning and spreading, capable of mobilizing over 2400 host IP addresses.

According to Proofpoint, some of the distribution attacks are likely performed using MySQL, while others supposedly leverage the NSA-linked exploit EsteemAudit (CVE-2017-0176).

Both NetLab and Proofpoint findings fall in line with GuardiCore’s report on the Hex Men, a group using three malware families, namely Hex, Hanako and Taylor, each targeting different SQL servers with its own goals, scale and target services.

The botnet’s command and control (C&C) infrastructure is hosted behind SharkTech, Proofpoint’s security researchers have discovered. The company was informed on the issue.

MineXMR was also contacted regarding the Monero address associated with Smominru, and the mining pool banned the address. This prompted the botnet operators to register new domains and mining to a new address on the same pool. This switch apparently resulted in the operators losing control over one third of the bots.

“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations,” Proofpoint notes.

The use of standalone coin miners and coin mining modules in existing malware has proliferated rapidly over the past year, fueled by the surge in value crypto-coins such as Bitcoin and Monero have registered. With Bitcoin resource-intensive to mine outside of dedicated mining farms, Monero has registered massive interest from cybercriminals.

Smominru’s operators have likely registered significant profits from their operation and the resilience of the botnet and its infrastructure suggest that the activities will continue, the researchers say. The potential impacts on infected nodes will continue as well, and other botnets featuring similar purpose and methods might emerge as well, the researchers say.

“We repeatedly see threat actors ‘follow the money’ - over the last several months, the money has been in cryptocurrency and actors are turning their attention to a variety of illicit means to obtain both Bitcoins and alternatives,” Kevin Epstein, VP Threat Operations, Proofpoint, said in an emailed comment.

“This Monero mining botnet is extremely large, made up mostly of Microsoft Windows servers spread around the globe. Taking down the botnet is very difficult given its distributed nature and the persistence of its operators. For businesses, preventing infection through robust patching,” Epstein concluded.


The Price of Cybercrime: 9 Years in One Case, 6 Months in Another
2.2.2018 securityweek Crime
Travon Williams, 33, was sentenced by the District Court for the Eastern District of Virginia to 9 years in jail for his role in a credit card fraud and identity theft scheme.

For more than two years, Williams led a gang that purchased thousands of stolen credit and debit card numbers from the dark web. The numbers were then encoded onto fraudulent cards and used to purchase merchandise such as gift cards and cigarette cartons. The cigarettes were sold on to buyers from New York City, who drove down to Northern Virginia to transport the cigarettes.

Williams is one of 12 defendants arrested in August 2017. He obtained $415,000 in proceeds from his crimes.

All 12 defendants have pleaded guilty for their roles in the scheme. Williams is the sixth to have been sentenced. The remaining six are due to be sentenced in February and March.

One day earlier, Thursday, Jan. 25, the DOJ announced that Jonathan Powell had been sentenced to six months in jail, 2 years supervised release and a restitution payment of $278,855 for computer fraud. He had obtained access to more than 1,000 email accounts from a New York City university in order to download sexually explicit photos and videos.

Powell had earlier pleaded guilty to the charge on August 9, 2017 in Manhattan federal court.

"Jonathan Powell used his computer skills to breach the security of a university to gain access to their students’ personal accounts," said U.S. Attorney Geoffrey S. Berman. "Once Powell had access, he searched the accounts for compromising photos and videos."

Specifically, he used the password reset utility to change email account passwords. He then used control over the email accounts to request password resets for the victims' online accounts such as iCloud, Facebook, Google, LinkedIn and Yahoo. "POWELL then logged into the Linked Accounts and searched within the Linked Accounts, gaining access to private and confidential content stored in the Linked Accounts," reports the DOJ announcement. "In one instance, POWELL searched a University-1 student’s linked Gmail account for digital photographs and for various lewd terms."

Subsequent analysis of logs showed that Powell had accessed the password reset utility approximately 18,640 times between October 2015 and September 2016, attempting 18,600 password changes in connection with more than 2000 unique email accounts -- succeeding in making 1378 changes to 1035 unique accounts.

After his arrest, he admitted to compromising email accounts at other educational institutions in Arizona, Florida, Ohio and Texas.


Researchers discovered several zero-day flaws in ManageEngine products
2.2.2018 securityaffairs
Vulnerebility

Security experts at Digital Defense have discovered several vulnerabilities in the products of the Zoho-owned ManageEngine.
The list of vulnerabilities discovered includes a flaw that could be exploited by an attacker to take complete control over the vulnerable application.

The flaws affect ServiceDesk Plus, Service Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer.

ManageEngine has more than 40,000 customers worldwide and provides complete solutions for IT management.

manageengine products

One of the vulnerabilities affects the ManageEngine ServiceDesk Plus help desk software, the experts discovered an unauthenticated file upload flaw that could be exploited by an attacker to upload a JavaScript web shell and use it to execute arbitrary commands with SYSTEM privileges.

Researchers also discovered several blind SQL injection vulnerabilities that could be triggered by an unauthenticated attacker to take complete control of an application.

These ManageEngine products are also affected by an enumeration flaw that can be exploited to access user personal data, including usernames, phone numbers, and email addresses.

“[Digital Defense] announced that its Vulnerability Research Team (VRT) uncovered multiple, previously undisclosed vulnerabilities within several ManageEngine products, allowing unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration, potentially revealing sensitive information or full compromise of the application.” reads the press release issued by the company.

“Application layer vulnerabilities continue to be a key area of focus for software vendors,” said Mike Cotton, vice president of engineering at Digital Defense. “We are pleased to work collaboratively with affected vendors to facilitate prompt resolution, ensuring our clients and enterprises are protected from any potential exploitation of these vulnerabilities.”

ManageEngine promptly released security updates to address the vulnerabilities discovered by researchers at Digital Defense report.


(Unpatched) Adobe Flash Player Zero-Day Exploit Spotted in the Wild
2.2.2018 thehackernews 
Vulnerebility

Another reason to uninstall Adobe Flash Player—a new zero-day Flash Player exploit has reportedly been spotted in the wild by North Korean hackers.
South Korea's Computer Emergency Response Team (KR-CERT) issued an alert Wednesday for a new Flash Player zero-day vulnerability that's being actively exploited in the wild by North Korean hackers to target Windows users in South Korea.
Simon Choi of South Korea-based cybersecurity firm Hauri first reported the campaign on Twitter, saying the North Korean hackers have been using the Flash zero-day against South Koreans since mid-November 2017.
Although Choi did not share any malware sample or details about the vulnerability, the researcher said the attacks using the new Flash zero-day is aimed at South Korean individuals who focus on researching North Korea.
Adobe also released an advisory on Wednesday, which said the zero-day is exploiting a critical 'use-after-free' vulnerability (CVE-2018-4878) in its Flash media software that leads to remote code execution.

The critical vulnerability affects Adobe Flash Player version 28.0.0.137 and earlier versions for:
Desktop Runtime (Win/Mac/Linux)
Google Chrome (Win/Mac/Linux/Chrome OS)
Microsoft Edge and Internet Explorer 11 (Win 10 & 8.1)
"Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users," the advisory said. "These attacks leverage Office documents with embedded malicious Flash content distributed via email. Adobe will address this vulnerability in a release planned for the week of February 5."
To exploit the vulnerability, all an attacker need to do is trick victims into opening Microsoft Office documents, web pages, or spam messages that contain a maliciously crafted Adobe Flash file.
The vulnerability can be leveraged by hackers to take control of an affected computer.
Choi also posted a screenshot to show that the Flash Player zero-day exploit has been delivered via malicious Microsoft Excel files.
Adobe said in its advisory that the company has planned to address this vulnerability in a "release planned for the week of February 5," through KR-CERT advises users to disable or completely remove the buggy software.


Meltdown/Specter-based Malware Coming Soon to Devices Near You, Are You Ready?
2.2.2018 thehackernews  Safety

It has been few weeks since the details of the Spectre, and Meltdown processor vulnerabilities came out in public and researchers have discovered more than 130 malware samples trying to exploit these chip flaws.
Spectre and Meltdown are security vulnerabilities disclosed by security researchers earlier this month in many processors from Intel, ARM and AMD used in modern PCs, servers and smartphones, among other devices.
These CPU vulnerabilities could enable attackers to bypass memory isolation mechanisms and access everything, including memory allocated for the kernel containing sensitive data like passwords, encryption keys and other private information.
Researchers from independent antivirus testing firm AV-TEST detected at least 139 malware samples, as of today, which are related to these CPU vulnerabilities, as shown in the growth graph.
You can find SHA256 hashes for all malware samples here.

Meanwhile, cybersecurity firm Fortinet also tracked and analyzed many malware samples 'trying to exploit' recently disclosed CPU vulnerabilities, most of which includes re-compiled or extended version of the JavaScript-based proof-of-concept (PoC) exploit released last month.
"The rate at which the cybercriminal community is targeting known vulnerabilities is clearly accelerating, with the WannaCry and NotPetya exploits serving as perfect examples of the need to patch vulnerable systems as soon as possible," Fortinet said.
"Which is why our concerns were raised when we recently learned about some of the largest vulnerabilities ever reported—ones that affect virtually every processor developed since 1995 by chip manufacturers Intel, AMD, and ARM."
Another news makes this situation, even more, worse—Intel halted all its CPU firmware patches for the Meltdown and Spectre flaws last week after it caused issues like spontaneous reboots and other 'unpredictable' system behaviour on affected PCs.
So, until Intel and other vendors do not come up with stable security patches for the Meltdown and Spectre attacks that don’t cause systems to break, users are recommended to keep their operating system, web browsers, antivirus and other software up-to-date.


Increasing Number of Industrial Systems Accessible From Web: Study
2.2.2018 securityweek ICS
The number of industrial control systems (ICS) accessible from the Internet has increased significantly in the past year, reaching more than 175,000 components, according to a new report from Positive Technologies.

Using the Shodan, Censys and Google search engines, researchers identified 175,632 ICS components accessible from the Web. In comparison, similar searches conducted in the previous year uncovered just over 162,000 systems.

Of all the systems identified in 2017, more than 66,000 were accessible via HTTP, followed by the Fox building automation protocol associated with Honeywell’s Niagara framework (39,000), Ethernet/IP (25,000), BACnet (13,000), and the Lantronix discovery protocol (10,000).

The highest percentage of exposed devices, representing 42% of the total, was spotted in the United States. The number of Internet-accessible ICS components in the U.S. increased by 10% compared to 2016, from roughly 50,000 to 64,000. The U.S. is followed at a distance by Germany (13,000 accessible systems), France (7,000), and Canada (7,000).

Many of the industrial systems connected to the Web come from Honeywell (26,000), Lantronix (12,000), SMA (9,000), Beck IPC (9,000), Siemens (6,000) and Rockwell Automation (5,000).

The distribution of Internet-exposed components by type has remained largely the same compared to 2016. Types of ICS components exposed to the Internet

John Matherly, CEO of the search engine Shodan, has confirmed for SecurityWeek that there has been an increase of roughly 10% year-over-year in terms of ICS exposure on the Internet.

“The increase is mostly in building automation protocols and despite the news coverage we haven't seen any decrease in devices,” Matherly said.

According to Positive Technologies, a total of nearly 200 new vulnerabilities were disclosed in 2017, compared to 115 in 2016. Worryingly, 61% of the flaws whose existence was made public last year were rated critical and high severity.

The most common types of vulnerabilities were remote code execution (24%), information disclosure (17%), and buffer overflows (12%). “Most vulnerabilities detected in 2017 can be exploited remotely without needing to obtain any privileges in advance,” Positive Technologies said in its report.

A report published in October by CyberX revealed that one-third of industrial and critical infrastructure systems had been connected to the Internet, based on data obtained by the industrial security firm by passively monitoring traffic from hundreds of operational technology (OT) networks.


AutoSploit: Automated Hacking Tool Set to Wreak Havoc or a Tempest in a Teapot?
2.2.2018 securityweek
Virus

AutoSploit Automatically Finds Vulnerable Targets via Shodan and Uses Metasploit Exploits to Compromise Hosts

AutoSploit is a tool designed to automate the use of Metasploit exploits. It was announced on Twitter on Wednesday.

"I just released AutoSploit on #Github. #Python based mass #exploit #tool. Gathers targets via #Shodan and automatically invokes selected #Metasploit modules to facilitate #RCE," announced Twitter user VectorSEC, Wednesday. Just to be clear, this tool automatically finds vulnerable targets and uses Metasploit exploits to provide remote code execution for the user.

No great skill is necessary: all that is required is AutoSploit (available from GitHub), Python Blessings, Shodan, and Metasploit. Shodan locates the targets, Metasploit provides the exploits, and AutoSploit actions them. Since new vulnerability exploits are added to Metasploit faster than many companies can apply vulnerability patches, the immediate concern is whether this new tool will further commoditize cybercrime by facilitating a new army of unskilled, wannabee, skiddie, hackers able to hack computers automatically.

Just how dangerous is this? Opinions are varied. "[AutoSploit] makes being a script kiddie infinitely easier," comments Chris Morales, head of security analytics at Vectra Networks. "It is combining a whole set of automated tools for identifying exposed hosts and then executing exploits. Where I think this will have the most dramatic effect, and what scares me most, is with IoT. I’m predicting a rash of new IoT DOS, cryptocurrency mining, and general debauchery."

But he notes that it will simply lead to a compromised host -- something security teams have to handle every day. There is still time for incident response. "We cannot rely on prevention and need to be vigilant in finding attackers once they infect systems and before they can cause real damage.”

Chris Roberts, chief security architect at Acalvio, agrees that it will attract the wannabees. “Good to know we’ve weaponized for the masses. Everyone can now be a script kiddie simply by plugging, playing and attacking." But he points out that attack tools with 'very nice interfaces' are not new, and only exist because the root problem is the bad products, code, systems and infrastructures used by everyone.

"The kids are not more dangerous," he says. "They already were dangerous. We’ve simply given them a newer, simpler, shinier way to exploit everything that’s broken. Maybe we should fix the ROOT problem.”

"The basic functionalities [of AutoSploit] were already accessible," says ESET senior research fellow, David Harley, "but AutoSploit lowers the level of knowledge and competence necessary to take advantage of them. So, I guess there could be more skiddies snapping at the heels of companies and individuals whose patching isn’t up to scratch."

He warns that companies cannot rely on prevention technologies to neutralize AutoSploit. "Security companies watch Metasploit with the intention of remediating where they can, so some (at least) of the modules used will be less effective on well-protected systems. Sadly, not every exploit can be 100% defended against by third-party security software. Not every system out there is well-protected. And it sounds as if AutoSploit will make it easier to find and probe systems that are less likely to be properly patched or defended with security software. Like the Internet-of-unnecessarily-interconnected-things…"

AutoSploit Hacking Tool

There are others who simply dismiss AutoSploit. Jerry Gamblin, lead security analyst at Carfax, tweeted, "While everyone is freaking out I hacked together antiautosploit to stop autosploit from sploiting you (This just blocks Shodan from scanning you)."

The general consensus from the security industry seems to be that AutoSploit will attract the kiddies but won't change the current threat landscape -- beyond perhaps making existing good practice (patching, incident response) more important and urgent.

"This doesn't really change anything from way things are already," says F-Secure principal researcher Jarno Niemela. "My 11-year-old son learned Metasploit when he was 10 years old, and there is a ton of tradecraft videos in YouTube for anyone who is interested... This tool simply makes something that was already very easy just a bit easier."

But he also has a word of warning for wannabees attracted by AutoSploit. "The fact that something is really easy, does not make unauthorized computer access any less a crime. And tools like this leave a forensic footprint that is miles wide. Yes, you can compromise poorly protected systems very easily with this tool, but you can also end up in a lot of trouble."


Legacy Malware and Legacy Systems Are Not a Legacy Problem
2.2.2018 securityweek
Virus
Companies must be wary of chasing shiny new threats with shiny new defenses, while leaving legacy systems vulnerable to legacy malware.

Trend Micro calls the legacy threat 'Throwhack'; after the more benign 'Throwback Thursday' social media trend; but, says principal security strategist Bharat Mistry in a blog published today, "there’s nothing entertaining about this list of legacy security challenges."

Mistry points to Conficker (dating back to 2008). "Throughout 2017 we saw monthly detections of around 20,000; meaning it’s still highly active." In conversation with SecurityWeek, he agreed that the majority of detections were in the Far East with few appearing in the U.S. or Europe; but warned that Far East breaches could get into the supply chain of Western organizations.

Heartbleed is another old threat that hasn't gone away. "Despite surfacing and being patched in 2014, nearly 200,000 servers and devices were reported as exposed last year."

The problem goes deeper than just old malware -- it is exacerbated by the continued use of old and unsupported systems. "Spiceworks has claimed that 68% of US, Canadian and US firms still run Office 2007, while it has also been reported that around 20% of US and UK healthcare organizations still run Windows XP. It doesn’t take much to understand the dangers of running unsupported systems," he writes.

One of the problems, he told SecurityWeek, is that new security products are not always old problem aware. "Machine learning systems," he said, "often 'learn' to detect malware based on current threats. They simply aren't taught to detect old behaviors; and can miss them."

To be fair, he isn't advocating abandoning new machine learning detection products or methods, only pointing out that on their own they aren't enough. "Wherever possible," he said, "organizations should employ traditional anti-malware products as well as new machine learning products." He added that the challenge of the smaller processing overhead from ML systems has spurred traditional anti-malware into designing and implementing new approaches that reduce their own overhead.

Nevertheless, he stresses that one of the best solutions to legacy malware is to update or upgrade legacy systems: newer versions of old operating systems are no longer susceptible to old vulnerabilities.

"If updating your OS is not possible, for whatever reason, use vulnerability shielding/virtual patching on the endpoint or intrusion prevention at the network level. It’s ideal for mitigating the impact of older malware like Conficker which exploits vulnerabilities. It protects legacy systems by providing convenient and automatic updates, allowing organizations to maintain protection while minimizing their patch management costs."


South Korea Warns of Flash Zero-Day Exploited by North Korea
2.2.2018 securityweek BigBrothers
South Korea’s Internet & Security Agency (KISA) has issued an alert for a zero-day vulnerability in Flash Player that has reportedly been exploited in attacks by North Korean hackers.

Few details have been provided, but KISA says the vulnerability affects Flash Player 28.0.0.137 and earlier. Version 28.0.0.137 is the latest, released by Adobe in January as part of the Patch Tuesday updates.

The security hole can be exploited by getting a user to open a document, web page or email containing a specially crafted Flash file, KISA said on Wednesday.

Simon Choi of South Korea-based cybersecurity firm Hauri said on Twitter the Flash Player zero-day has been exploited by North Korea since mid-November 2017 in attacks aimed at South Korean individuals who focus on researching North Korea.

According to the expert, the flaw has been leveraged to distribute malware. A screenshot he posted appears to show that the exploit has been delivered via malicious Microsoft Excel files.
Flash zero-day exploited by North Korea - credits: Simon Choi (@issuemakerslab)

Flash zero-day exploited by North Korea - credits: Simon Choi (@issuemakerslab)

SecurityWeek has reached out to Adobe for comment and will update this article once the company responds. Since the activities of North Korean threat actors have been closely monitored by several security firms, it’s possible that Adobe has already been made aware of the zero-day and is working on a patch.

UPDATE. Adobe says it's aware of a report that an exploit for a vulnerability it tracks as CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. The company says it will address the flaw with an update planned for the week of February 5.

In an advisory, Adobe said the vulnerability is a critical use-after-free that allows remote code execution. Until a patch becomes available, the company has provided some mitigations.

"Beginning with Flash Player 27, administrators have the ability to change Flash Player's behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content," Adobe said. "Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode."


Kaspersky Launches New Security Product for Exchange Online
2.2.2018 securityweek Safety
Kaspersky Lab has expanded its small and medium-sized business (SMB) offering with a new cloud-based product designed to provide an extra layer of security for the Exchange Online email service in Microsoft Office 365.

The new product, Kaspersky Security for Microsoft Office 365, is designed to protect users against malware, phishing, spam, and other email-borne threats.

Exchange Online includes built-in anti-malware and anti-spam features, but Kaspersky says its own product – part of the company’s Business Hub offering – works in conjunction with Microsoft’s protections and offers native integration.

Kaspersky says its product relies on various security technologies, including machine learning-based detection, an anti-phishing engine that uses neural networks, sandboxing, attachment filtering mechanisms, and data from the company’s threat intelligence network.

The new product analyzes incoming emails and places suspicious messages in quarantine. Administrators are informed of the potential threats via a central console shared with the Kaspersky Endpoint Security Cloud product. The console allows customers to view each potentially malicious email and restore them in case of false positives.

According to the security firm, Kaspersky Security for Microsoft Office 365 is capable of recognizing if a file attached to an email is the type it claims to be, and it can detect malicious macros hidden in harmless-looking Office documents.

Kaspersky launches new security product for Exchange Online

Since there has been a lot of debate recently on the implications of the physical location of data stored in the cloud, Kaspersky allows users to specify which data center they want to use for processing emails.

Furthermore, given the recent controversy regarding the company uploading sensitive files from an NSA contractor’s computer to its own servers, Kaspersky has highlighted that the new product does not upload any files to its systems. Instead, quarantined emails are stored in the customer’s Exchange Online account.


Watch out, cyber criminals are using fake FBI emails to infect your computer
2.2.2018 securityaffairs BigBrothers

The FBI Internet Crime Complaint Center (IC3) is warning of a new malware campaign aimed at infecting victims with weaponized attachments.
The Feds’ Internet Crime Complaint Center (IC3) is warning of a new spam campaign aimed at infecting victims with a ransomware. According to an alert issued on Wednesday by the IC3, numerous citizens filled complaints after received emails purporting to be from IC3. The message pretends to be the compensation from a cyber attack and asks the victims to fill the attached document, but the file is laced with malware.

The story is interesting, the email reports that a Nigerian cyber criminal had been arrested and feds have found the recipient’s email address of the alleged scammer’s PC. The email asks victims to return the document with recipient info and wait for the refund to arrive. Once the victim has opened the document, the infection process will start.

FBI

The FBI has identified at least three other versions of the IC3 impersonation scam:

“The first involved a fake IC3 social media page, which advertised itself as the FBI Cyber Crime Department (IC3) and requested recipients provide personal information in order to report an internet crime.” states the alert issued by the FBI. “
“The second involved an email which stated the recipient was treated unfairly by various banks and courier companies. The email claimed the recipient’s name was found in a financial company’s database and that they will be compensated for this unfair treatment.”
“The third example involved an email from the Internet Crime Investigation Center/Cyber Division and provided an address in Minneapolis, Minnesota. The email also included a case reference number in the subject line. The email informed the recipient that their IP address was referred to the IC3 as a possible victim of a federal cyber-crime. The email then requests the recipient to contact the sender via telephone.”
FBI is currently investigating the cases, victims of an online scam can file a complaint with the IC3 at www.ic3.gov.


WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit
2.2.2018 securityaffairs
Virus

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.
This morning I wrote about the Smominru botnet that used NSA exploit to infect more than 526,000 systems, and I explained that other threat actors are using similar techniques to mine cryptocurrency.

This is the case of a strain of the Monero crypto-mining worm dubbed WannaMine that spreads leveraging the EternalBlue exploit.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack, it targets the SMBv1 protocol and has become widely adopted in the community of malware developers.

In June, following the WannaCry attacks experts discovered that there were at least other 3 different groups have been leveraging the NSA EternalBlue exploit,

Back to the present, WannaMine was developed to mine the Monero cryptocurrency abusing victims’ resources. According to security researchers at CrowdStrike, the malicious code is very sophisticated, it implements a spreading mechanism and persistence model similar to those used by state-sponsored APT groups.

“CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time. The tools have caused systems and applications to crash due to such high CPU utilization speeds.” reads the analysis published by CrowdStrike.

“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors, demonstrating a trend highlighted in the recent CrowdStrike Cyber Intrusion Services Casebook 2017, which states that “contemporary attacks continue to blur the lines between nation-state and eCrime tactics.”

WannaMine is a fileless that was first reported by researchers at Panda Security.

WannaMine

The malicious code implements so-called “living off the land” techniques to gain persistence on the infected system leveraging Windows Management Instrumentation (WMI) permanent event subscriptions. WannaMine registers a permanent event subscription that would execute every 90 minutes a PowerShell command located in the Event Consumer.

Experts noticed that the malware uses credential harvester Mimikatz to collect users’ credentials that could be used for lateral movements. It also relies on the EternalBlue exploit in case it is not able to move laterally with the above technique.

WannaMine is able to infect systems running all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” CrowdStrike concluded.

WannaMine would degrade the performance of the infected machines, in case of laptops the malicious code could cause damages if it runs continuously for several hours.

Sophos experts published an interesting post containing Q&A on WannaMine.


WannaMine Malware Spreads via NSA-Linked Exploit
1.2.2018 securityweek
Virus  Exploit
A piece of crypto-mining malware is using sophisticated tools for its operations, including a Windows exploit linked to the National Security Agency, security researchers warn.

Dubbed WannaMine, the crypto-mining worm spreads using EternalBlue, the NSA-linked tool that became public in April 2017, just one month after Microsoft released a patch for it.

Leveraging a vulnerability in Windows’ Server Message Block (SMB) on port 445, the exploit became famous after the WannaCry ransomware was found exploiting it for distribution. Other malware families abused it as well, including botnets, backdoors, NotPetya, and banking Trojans.

Now, the same exploit is being used to spread WannaMine, a piece of malware focused on mining for the Monero crypto-currency, but which uses sophisticated capabilities, such as persistence and distribution mechanisms similar to those used by nation-state actors, CrowdStrike says.

WannaMine, the security researchers explain, employs “living off the land” techniques for persistence, such as Windows Management Instrumentation (WMI) permanent event subscriptions. The malware has a fileless nature, leveraging PowerShell for infection, which makes it difficult to block without the appropriate security tools.

The malware uses credential harvester Mimikatz to acquire legitimate credentials that would allow it to propagate and move laterally. If that fails, however, the worm attempts to exploit the remote system via EternalBlue.

To achieve persistence, WannaMine sets a permanent event subscription that would execute a PowerShell command located in the Event Consumer every 90 minutes.

The malware targets all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003. However, it uses different files and commands for Windows Vista and newer platform iterations.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” the security company notes.

As Sophos points out, organizations that find the WannaMine malware in their network are also at risk of other malware, including ransomware. It is not uncommon to find multiple malware families on machines that have been compromised once.

Designed to mine for Monero, not to steal user information or crypto-coins, WannaMine would still slow down the infected machines. Laptops could even be damaged, if the malware runs on them continuously for several hours, as the device gets hotter. Also, the battery is drained faster than usual, Sophos points out.

An antivirus application should keep users protected from this malware family. Keeping systems up to date at all times and using strong passwords should also help avoiding a WannaMine infection.


Google Adds Custom Roles Feature to Cloud IAM
1.2.2018 securityweek IT
The Identity & Access Management (IAM) service in the Google Cloud Platform (GCP) now includes a feature that allows users to assign custom roles for finer-grained security.

The custom roles feature was first announced back in October when the beta version was introduced. The tech giant announced on Wednesday that nearly all permissions can now be customized.

Granting users excessive privileges to services, applications and data can introduce serious security risks, which is why it’s crucial for administrators to ensure that users only have the permissions needed to perform their jobs.

Customers of Google’s cloud platform now have full control over more than 1,200 public permissions, providing them fine-grained access control for enforcing the principle of least privilege. The principle of least privilege is a concept that promotes minimal user profile privileges based on job necessities.

In the case of GCP, administrators can rely on the IAM service to assign a predefined role to users - for example, allow them to view or modify data stored in the cloud. However, these predefined roles are sometimes not enough for implementing the principle of least privilege.

Custom roles, on the other hand, can be used to remix permissions across all services to ensure that users do not receive privileges other than ones required to do their job.

“Consider a tool that needs access to multiple GCP services to inventory Cloud Storage buckets, BigQuery tables and Cloud Spanner databases. Enumerating data doesn’t require privileges to decrypt that data. While predefined roles to view an entire project may grant .query,.decrypt and .get as a set, custom roles make it possible to grant .get permission on its own,” Google’s Rohit Khare and Pradeep Madhavarapu explained in a blog post.

Except for certain permissions that are only supported in predefined roles, all permissions are now customizable. A list of all supported permissions has been made available and users can keep track of changes via a central change log.

In the future, Google wants to further enhance its IAM service, including by using research from the company’s Forseti open source initiative to help explain why a specific permission has been granted or denied.


Siemens fixed three flaws in plant management product Siemens TeleControl Basic system
1.2.2018 securityaffairs
Vulnerebility

Siemens has patched three security vulnerabilities in its Plant Management Product, the Siemens TeleControl Basic system.
The system is used in water treatment facilities, traffic monitoring systems, and energy distribution plants. The TeleControl Basic control center runs the TeleControl Server Basic software. The Siemens TeleControl Basic system allows organizations to monitor and control processes in industrial environment and operation of municipal facilities.

The TeleControl Server Basic system is affected by three vulnerabilities that could be exploited by an attacker to conduct different types of attacks, including privilege escalation, bypass authentication, and denial-of-service (DoS) attacks.

“The latest update for TeleControl Server Basic resolves three vulnerabilities. One of these vulnerabilities could allow an authenticated attacker with network access to escalate his privileges and perform administrative actions.” reads the security advisory published by Siemens.

“Siemens recommends updating to the new version.”

This is the first time that Siemens publishes a security advisory released by Siemens and ICS-CERT for a vulnerability that affects TeleControl products

The flaws affect TeleControl Server Basic versions prior to V3.1, the most severe one is tracked as CVE-2018-4836 and rated high severity.

Below the list of the vulnerabilities and related descriptions:

Vulnerability (CVE-2018-4835) [CVSS v3.0 Base Score 5.3] – It could be exploited by an attacker with network access to the TeleControl Server Basic’s port 8000/tcp to bypass the authentication mechanism and access limited information.
Vulnerability (CVE-2018-4836) [CVSS v3.0 Base Score 8.8] – It could be exploited by an authenticated attacker with a low-privileged account to the TeleControl Server Basic’s port 8000/tcp to escalate privileges and perform administrative operations.
Vulnerability (CVE-2018-4837) [CVSS v3.0 Base Score 5.3] – It could be exploited by an attacker with access to the TeleControl Server Basic’s webserver (port 80/tcp or 443/tcp) to cause a DoS condition on the web server.
Siemens also provided some workarounds to mitigate the risk of attacks, including the blocking of TCP port 8000 through the Windows firewall for both CVE-2018-4835, CVE-2018-4836 and the blocking of the ports 80 and 443 for the CVE-2018-4837.

The US ICS-CERT also published a detailed advisory for the vulnerabilities in the Siemens TeleControl Basic.


Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit
1.2.2018 thehackernews
Virus


2017 was the year of high profile data breaches and ransomware attacks, but from the beginning of this year, we are noticing a faster-paced shift in the cyber threat landscape, as cryptocurrency-related malware is becoming a popular and profitable choice of cyber criminals.
Several cybersecurity firms are reporting of new cryptocurrency mining viruses that are being spread using EternalBlue—the same NSA exploit that was leaked by the hacking group Shadow Brokers and responsible for the devastating widespread ransomware threat WannaCry.
Researchers from Proofpoint discovered a massive global botnet dubbed "Smominru," a.k.a Ismo, that is using EternalBlue SMB exploit (CVE-2017-0144) to infect Windows computers to secretly mine Monero cryptocurrency, worth millions of dollars, for its master.
Active since at least May 2017, Smominru botnet has already infected more than 526,000 Windows computers, most of which are believed to be servers running unpatched versions of Windows, according to the researchers.
"Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz," the researchers said.
The botnet operators have already mined approximately 8,900 Monero, valued at up to $3.6 million, at the rate of roughly 24 Monero per day ($8,500) by stealing computing resources of millions of systems.

The highest number of Smominru infection has been observed in Russia, India, and Taiwan, the researchers said.
The command and control infrastructure of Smominru botnet is hosted on DDoS protection service SharkTech, which was notified of the abuse but the firm reportedly ignored the abuse notifications.
According to the Proofpoint researchers, cybercriminals are using at least 25 machines to scan the internet to find vulnerable Windows computers and also using leaked NSA's RDP protocol exploit, EsteemAudit (CVE-2017-0176), for infection.
"As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators," the researchers concluded.
"The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes."
Another security firm CrowdStrike recently published a blog post, reporting another widespread cryptocurrency fileless malware, dubbed WannaMine, using EternalBlue exploit to infect computers to mine Monero cryptocurrency.
Since it does not download any application to an infected computer, WannaMine infections are harder to detect by antivirus programs. CrowdStrike researchers observed the malware has rendered "some companies unable to operate for days and weeks at a time."
Besides infecting systems, cybercriminals are also widely adopting cryptojacking attacks, wherein browser-based JavaScript miners utilise website visitors' CPUs power to mine cryptocurrencies for monetisation.
Since recently observed cryptocurrency mining malware attacks have been found leveraging EternalBlue, which had already been patched by Microsoft last year, users are advised to keep their systems and software updated to avoid being a victim of such threats.


Siemens Patches Flaws in Plant Management Product
1.2.2018 securityweek 
Vulnerebility
Siemens has informed customers that a component of its TeleControl Basic product is affected by several vulnerabilities that can be exploited by an attacker to escalate privileges, bypass authentication, and launch denial-of-service (DoS) attacks.

Siemens’ TeleControl Basic system allows organizations to monitor and control plant processes. The solution can also be used to optimize the operation of municipal facilities, including water treatment, traffic monitoring, and energy distribution. TeleControl Server Basic is the software used for the TeleControl Basic control center.

According to advisories published by Siemens and ICS-CERT, the TeleControl Server Basic system is affected by a total of three vulnerabilities. The most serious of them, tracked as CVE-2018-4836 and rated high severity, allows an attacker with a low privileged account and access to TCP port 8000 to escalate privileges and perform administrative tasks.

Another flaw, CVE-2018-4835, allows an attacker with network access to port 8000 to bypass the system’s authentication mechanism and obtain limited information.

The last security hole, CVE-2018-4837, can be exploited by an attacker with access to the TeleControl web server on TCP ports 80 or 443 to cause the web server to enter a DoS condition. However, Siemens pointed out that the DoS condition does not affect other functionality.

CVE-2018-4835 and CVE-2018-4837 have been classified as medium severity with a CVSS score of 5.3.

Siemens has patched the vulnerabilities with the release of TeleControl Server Basic 3.1. In addition, the company has identified some workarounds and mitigations that can be used to reduce the risk of attacks.

These include blocking TCP port 8000 using the Windows firewall to mitigate CVE-2018-4835 and CVE-2018-4836, and blocking ports 80 and 443 to prevent attacks involving CVE-2018-4837.

While this is the first advisory released by Siemens and ICS-CERT for a vulnerability specific to TeleControl products, a privilege escalation flaw disclosed in November 2016 had been found to impact TeleControl Server Basic – among many other industrial solutions from Siemens. That security hole was addressed in TeleControl Server Basic with the release of version 3.0.


Mining Smominru botnet used NSA exploit to infect more than 526,000 systems
1.2.2018 securityaffairs BigBrothers

Researchers from Proofpoint discovered a huge botnet dubbed ‘Smominru’ that is using the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities.
The number of cyber attacks against the cryptocurrency sector continues, vxers are focusing their efforts on the development of cryptocurrency/miner malware.

Recently security experts observed cryptocurrency miners leveraging the NSA EternalBlue SMB exploit (CVE-2017-0144) as spreading mechanism.

On August 2017, a new fileless miner dubbed CoinMiner appeared in the wild, it uses NSA EternalBlue exploit and WMI tool to spread.

Now researchers Researchers from Proofpoint discovered a huge botnet dubbed ‘Smominru’ (aka Ismo) that is using the EternalBlue exploit (CVE-2017-0144) to infect Windows computers and recruit them in Monero cryptocurrency mining activities.

” Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cybercriminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free. Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which had earned millions of dollars for its operators.” states the analysis published by Proofpoint

With the help of Abuse.CH and the ShadowServer Foundation, Proofpoint conducted a sinkholing operation that allowed to profile the botnet.

The command and control infrastructure of the Smominru botnet is hosted on DDoS protection service SharkTech, Proofpoint promptly notified the abuse to the service provider without receiving any response.

According to the researchers, the Smominru botnet has been active at least since May 2017 and has already infected more than 526,000 Windows computers.

Most of the infected systems are servers distributed worldwide, most of them in Russia, India, and Taiwan. It is a profitable business, the operators had already mined approximately 8,900 Monero ($2,346,271 at the current rate).
“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” the researchers said. “The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week (Figure 2).”

smominru botnet

The researchers at Proofpoint discovered that crooks are using at least 25 hosts to scan the Internet for EternalBlue vulnerable Windows computers and also leveraging the NSA EsteemAudit (CVE-2017-0176) for compromising the target machines.

The machines all appear to sit behind the network autonomous system AS63199, further technical details and the IoCs are included in the analysis published by Proofpoint.

“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations.” concluded the Proofpoint.

“Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like that described here to become more common and to continue growing in size.”


Every little bitcoin helps
1.2.2018 Kaspersky 
Spam
It often happens that inventions and technologies that start out good end up turning into dangerous tools in the hands of criminals. Blockchain is no exception to this rule, especially in its most common cryptocurrency incarnation. Cryptocurrencies crop up in all kinds of spam: from traditional advertising (courses about investment and trade) to more fraudulent and malicious varieties. Quite often, cryptocurrencies are used by attackers as originally intended — as a means of payment (albeit from victims). We found and delved into several spam mailings in which cybercrooks exploited user paranoia about information threats and took bitcoins as payment for peace of mind. The attacks targeted employees of small companies, but such emails could be sent to any user’s personal mail.

In the first email, the attacker claimed to have installed malware on a porn site visited by the victim, and to be in possession of several videos recorded from both the device screen and cameras; not only that, a keylogger had supposedly provided access to the user’s IM, email, and social media contacts. To get the attacker off their back, the victim was asked to transfer the equivalent of $320 to the bitcoin wallet specified in the email. It was also mentioned that a built-in tracking pixel would inform the attacker that the email had been seen. And if the recipient wanted proof of that, they should reply to the message, whereupon the compromising info would be sent out to five of their contacts. As a postscript, the scammer warned against going to the police: he allegedly lived in Belarus, so the investigation would drag on for years.

The next email was wordy but imaginative, written by a hacker by the name of Andrey. The attacker informed the recipient that he had studied the latter’s company, together with its employees and their relatives, found weaknesses, and was planning to ruin it. The author listed no fewer than seven ways to achieve this goal, from simply writing negative reviews on various websites to creating fake company reports in his garage(!) and sending them to government departments. However, the hacker’s preferred outcome was for the company to see sense and transfer 3 bitcoins to his wallet. Like the previous email, it specifically mentioned not going to the cops, since “Andrey” lived in Ukraine.

Another email was the work of not one hacker, but an entire chain gang. The attackers allegedly had hacked the company’s server and got hold of information about its clients, bank accounts, tax payments, etc. Now they were threatening to damage the company’s reputation by publishing this information online. It was also stated that at some unspecified moment they would launch an attack on the company’s servers and computers, encrypting all data. To call off the attack, the blackmailers demanded 0.5 bitcoin. If the cryptopayment was not made before the start of the attack, the amount would rise to 2 bitcoins.

Sadly and (perhaps) surprisingly, some people still fall for such concoctions. The targets of these mailings are usually small companies that lack the resources for decent anti-spam protection and basic information security training for staff. So let us reiterate: be vigilant, stay calm, and take anonymous threats of this kind with a pinch of salt.


Cybercriminals target early IRS 2018 refunds now

1.2.2018 Kaspersky CyberCrime
Where is my tax refund? Wait! What are that fraud charges on my credit card??
On Monday, Jan 29th, IRS officially opened its 2018 season. Some taxpayers already filed their taxes and cybercriminals know it too. So, right after two days of the official 2018 season opening, we got phishing messages with a fake refund status Websites:

The link in the email leads to a hacked Brazilian restaurant, redirecting to Website with Australian domain zone.

So, the whole scheme is to steal credit card information of the taxpayers expecting a tax refund from IRS. Both URLs are blocked by Kaspersky Anti-Phishing now.

The mentioned Website was hacked and includes an old Webshell uploaded back to 2016.

Should we expect more campaigns like this? Definitely yes. Stay watchful and don’t lose your refunds!


Critical Oracle Micros POS Flaw Affects Over 300,000 Payment Systems
1.2.2018 thehackernews
Vulnerebility

Oracle has released a security patch update to address a critical remotely exploitable vulnerability that affects its MICROS point-of-sale (POS) business solutions for the hospitality industry.
The fix has been released as part of Oracle's January 2018 update that patches a total of 238 security vulnerabilities in its various products.
According to public disclosure by ERPScan, the security firm which discovered and reported this issue to the company, Oracle's MICROS EGateway Application Service, deployed by over 300,000 small retailers and business worldwide, is vulnerable to directory traversal attack.
If exploited, the vulnerability (CVE-2018-2636) could allow attackers to read sensitive data and receive information about various services from vulnerable MICROS workstations without any authentication.
Using directory traversal flaw, an unauthorized insider with access to the vulnerable application could read sensitive files from the MICROS workstation, including service logs and configuration files.
As explained by the researchers, two such sensitive files stored within the application storage—SimphonyInstall.xml or Dbconfix.xml—contain usernames and encrypted passwords for connecting to the database.
"So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise," the researchers warned.
"If you believe that gaining access to POS URL is a snap, bear in mind that hackers can find digital scales or other devices that use RJ45, connect it to Raspberry PI, and scan the internal network. That is where they easily discover a POS system. Remember this fact when you pop into a store."
ERPScan has also released a proof-of-concept Python-based exploit, which, if executed on a vulnerable MICROS server, would send a malicious request to get the content of sensitive files in response.
Besides this, Oracle's January 2018 patch update also provides fixes for Spectre and Meltdown Intel processor vulnerabilities affecting certain Oracle products.


Serious Flaws Affect Several ManageEngine Products
1.2.2018 securityweek 
Vulnerebility
Researchers at Digital Defense have uncovered several potentially serious vulnerabilities in IT management products from ManageEngine, including ones that allow an attacker to take complete control of the affected application. The vendor has released patches to address the flaws.

Zoho-owned ManageEngine provides network, data center, desktop and mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 company.

One of the flaws found by Digital Defense affects ManageEnegine’s ServiceDesk Plus help desk software. An unauthenticated file upload vulnerability allows an attacker to upload a JavaScript web shell and use it to execute arbitrary commands with SYSTEM privileges.

Experts also discovered several blind SQL injection vulnerabilities that allow an unauthenticated attacker to take complete control of an application and possibly even the underlying host.

These types of flaws have been found in the OpManager network monitoring product, Network Configuration Manager, bandwidth monitoring and traffic analysis product NetFlow Analyzer, firewall configuration and log management product Firewall Analyzer, and IP address management app OpUtils.

These products are also impacted by an enumeration issue that can be exploited to access user information such as usernames, email addresses and phone numbers.

An attacker could gain access to the content of files on the host running ManageEngine applications by leveraging an unauthenticated XML External Entity (XXE) vulnerability.

Digital Defense said ManageEngine promptly responded to its vulnerability reports and released updates for each of the affected applications to address the security holes.

“Application layer vulnerabilities continue to be a key area of focus for software vendors,” said Mike Cotton, vice president of engineering at Digital Defense. “We are pleased to work collaboratively with affected vendors to facilitate prompt resolution, ensuring our clients and enterprises are protected from any potential exploitation of these vulnerabilities.”

Digital Defense recently reported discovering authentication bypass, arbitrary file upload, and path traversal vulnerabilities affecting data protection products from both Dell EMC and VMware.


Malware exploiting Spectre and Meltdown flaws are currently based on available PoC
1.2.2018 securityaffairs
Virus

Malware Exploiting Spectre, Meltdown Flaws Emerges
Researchers at the antivirus testing firm AV-TEST have discovered more than 130 samples of malware that were specifically developed to exploit the Spectre and Meltdown CPU vulnerabilities.

The good news is that these samples appear to be the result of testing activities, but experts fear that we could soon start observing attacks in the wild.

Most of the codes obtained by AV-TEST are just recompiled versions of the Proof of Concept code available online. Experts at AV-TEST also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.

“We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”Andreas Marx, CEO of AV-TEST, told SecurityWeek.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

On January 17, experts at AV-TEST reported that they had detected 77 malware samples apparently related to the Intel vulnerabilities.


AV-TEST GmbH

@avtestorg
#Spectre & #Meltdown: So far, the AV-TEST Institute discovered 77 samples which appear to be related to recently reported CPU vulnerabilities. #CVE-2017-5715 #CVE-2017-5753 #CVE-2017-5754

2:49 PM - Jan 17, 2018
7 7 Replies 24 24 Retweets 27 27 likes
Twitter Ads info and privacy
The number of malware samples related to Meltdown and Spectre reached pi119 by January 23.


AV-TEST GmbH

@avtestorg
[UPDATE: 2018-01-23] #Spectre & #Meltdown: So far, the AV-TEST Institute discovered 119 samples which appear to be related to recently reported CPU vulnerabilities. #CVE-2017-5715 #CVE-2017-5753 #CVE-2017-5754

SHA256 Hashes: https://plus.google.com/b/100383867141221115206/photos/photo/100383867141221115206/6514266175374877506 …

4:23 PM - Jan 23, 2018
2 2 Replies 14 14 Retweets 24 24 likes
Twitter Ads info and privacy
On January 31, AV-TEST confirmed to be in possession of 139 samples from various sources.


AV-TEST GmbH

@avtestorg
[UPDATE: 2018-01-23] #Spectre & #Meltdown: So far, the AV-TEST Institute discovered 119 samples which appear to be related to recently reported CPU vulnerabilities. #CVE-2017-5715 #CVE-2017-5753 #CVE-2017-5754

SHA256 Hashes: https://plus.google.com/b/100383867141221115206/photos/photo/100383867141221115206/6514266175374877506 …

4:23 PM - Jan 23, 2018
2 2 Replies 14 14 Retweets 24 24 likes
Twitter Ads info and privacy

According to the AV-TEST CEO, several groups of experts are working on a malware that could trigger Intel flaws, most of them are re-engineering the available PoC.

“We aren’t the only ones concerned. Others in the cybersecurity community have clearly taken notice, because between January 7 and January 22 the research team at AV-Test discovered 119 new samples associated with these vulnerabilities,” reads a blog post published by Fortinet. “FortiGuard Labs has analyzed all of the publicly available samples, representing about 83 percent of all the samples that have been collected, and determined that they were all based on proof of concept code. The other 17 percent may have not been shared publicly because they were either under NDA or were unavailable for reasons unknown to us.”


Mozilla fixes a critical remote code execution vulnerability in Firefox
1.2.2018 securityaffairs
Vulnerebility

Mozilla has released security updates for Firefox 58 that addresses a critical remote code vulnerability that allows a remote attacker to run arbitrary code on vulnerable systems.
Mozilla has released an update for the Firefox 58 browser (aka Firefox Quantum) that addresses a critical flaw that could be exploited by a remote attacker to execute arbitrary code on computers running the vulnerable version of the browser.
The vulnerability, tracked as CVE-2018-5124, affects Firefox versions 56 through 58, meanwhile, it doesn’t impact Firefox for Android and Firefox 52 ESR.
The development teams behind major Linux distributions have also started rolling out updated packages that fix the flaw.

It was discovered by the Mozilla developer Johann Hofmann.

According to a security advisory published by Cisco, the Firefox 58.0.1 version fixed an ‘arbitrary code execution’ flaw that originates due to ‘insufficient sanitization’ of HTML fragments in chrome-privileged documents (browser UI).

“A vulnerability in Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.” states the security advisory.

“The vulnerability is due to insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software. An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.“

Firefox 58 was released on January 23, it addresses more than 30 vulnerabilities in the popular browser, some of them rated as high severity, including a use-after-free, buffer overflow, and integer overflow flaws.

According to Mozilla, its bug bounty program has already paid out nearly $1 million to white hat hackers who reported vulnerabilities.

Don’t waste time, apply the software updates as soon as possible.


FBI Pushes for Small Business Information Sharing
31.1.2018 securityweek BigBrothers
Howard S. Marshall, Deputy Assistant Director of the Cyber Division of the FBI, spoke Tuesday before the House Small Business Committee on the subject of 'Small Business Information Sharing: Combating Foreign Cyber Threats.' The purpose was to outline the FBI's role in helping small businesses defend against cyber threats.

His statement came in two parts: first, to outline the major cyber threats to U.S. business, and then to outline the FBI's response to these threats.

"Some of the more prevalent or rising cyber threats to small businesses," he said, include business e-mail compromise (BEC); ransomware; criminal data breach activity; and the internet of things (IoT). He did not provide any statistics on these cybercrimes, but instead concentrated on a high-level description of the threats with a brief explanation of FBI advice on countering them.

The FBI's advice for BEC is that companies should require a second, independent verification on payment requests; that e-mail accounts should have regularly changed strong passwords and two-factor authentication; and that companies should use their own domain-based email rather than free web-based email. Wherever possible, the last recommendation should be supported a filter system that flags emails with look-alike domain names.

The primary advice against ransomware, which the FBI expects "to remain a significant threat to businesses in the U.S. and worldwide", is that businesses should schedule regular backups to drives not connected to their network. "These drives can be used to restore a system to the backup version without paying the ransom to the perpetrator."

There is no specific advice on whether businesses should or should not pay the ransom, although it is known that the FBI -- and LEAs generally -- would prefer that ransoms are not paid. Marshall did say, however, "It is important to note that even if a ransom is paid, there is no guarantee the business or individual will obtain their files from the cyber criminal."

In two recent ransomware incidents, two separate healthcare organizations were infected with different variants of the SamSam ransomware. One, Hancock Health, decided to pay the ransom. It was infected on January 11 and was back online by January 15. The second, Allscripts, chose not to pay the ransom. It was infected on January 18. On January 26, Allscripts emailed SecurityWeek, "We are pleased to announce that service to all affected clients has been restored." In the final analysis, whether to pay or not is a risk-based decision for each individual victim.

'Criminal data breach activity' is such a vast subject that the statement makes little attempt to discuss it in detail. This is probably a mistake since it could leave politicians with the idea that small businesses are at less risk of hacker attacks than large organizations -- which is not correct. All that Marshall says here is, "We encourage businesses to apply a variety of best practices to secure their network architecture."

The growing IoT threat is discussed as a problem with no current solution. "Increased connectivity through IoT devices will only increase the potential attack surface for networks, as cyber security is largely under-prioritized from device design through implementation." Marshall highlighted the IoT-based DDoS attacksof late 2016. He said, "Individuals and businesses can prevent their devices from being compromised by changing default user name and passwords, ensuring device firmware is up to date, implementing strong firewall rules, and by turning off or rebooting devices when not in use."

The long-term solution to the IoT threat will come from better designed and built devices, and he noted that NIST is currently developing standards to improve IoT devices.

The description of current threats provides the background for the second half of the statement: 'FBI Cyber private sector engagement', which is described as a key component of the FBI's strategy for combating cyber threats. This engagement has required a change to the FBI's traditional methods of intelligence gathering. Traditionally, intelligence has been gathered from its own operations, from intelligence services, and from other LEAs.

"However," said Marshall, "we are now also looking to integrate private industry information into our intelligence cycle to enhance our ability to identify and respond to both emerging and ongoing threats." The FBI is particularly looking to private industry to share both its understanding of sector-specific networks, and its threat intelligence in order to integrate that understanding into its own intelligence cycle. "This type of information sharing enables us to provide more specific, actionable, and timely information to our industry partners so they can protect their systems in a proactive manner."

The FBI accepts that such information sharing must be two-way. Marshall described some of the FBI's outreach projects: nearly 70 public service announcements (PSAs) over the past five years, and other notifications including FBI Liaison Alert System (FLASH) reports, and private industry notifications (PINs).

Other projects include its involvement with the National Cyber-Forensics and Training Alliance (NCFTA); its public awareness campaigns or 'open houses' to educate businesses on serious cyber threats; its workshops on specific threats (such as BEC); and its countrywide briefings, conferences, and workshops for key executives throughout industry. There have been nearly 2800 of the latter over the past five years.

This is achievable through the FBI's countrywide decentralized organization, with field offices in every state. "Cyber-trained special agents are in each field office, providing locally available expertise to deploy to victim sites immediately upon notice of an incident," he said.

One aspect of the FBI statement stands out. Marshall goes to some length to stress that the FBI will treat cyber victims as the victim. "No matter what course of action is deemed appropriate, the FBI views a company that has been attacked as a victim and will protect investigative information appropriately." This goes to the heart of the FBI's problem in engaging with small businesses. While companies will automatically consider the FBI as the first port of call in an emergency, other engagements are traditionally avoided or concerning.

Voluntarily offering operational details to the FBI is not yet in the psyche of small business -- and yet this must be achieved for the FBI to fulfil its purpose. That ultimate purpose, says the statement, is to "provide information that can be used to initiate indictments, affect arrests, generate demarches, or produce international sanctions against those who conduct cyber attacks or aggressive actions against entities in the United States."


Mozilla Patches Critical Code Execution Flaw in Firefox
31.1.2018 securityweek
Vulnerebility
An update released this week by Mozilla for Firefox 58 patches a critical vulnerability that can be exploited by a remote attacker for arbitrary code execution.

Mozilla developer Johann Hofmann discovered that arbitrary code execution is possible due to unsanitized output in the browser UI.

The vulnerability, tracked as CVE-2018-5124, affects Firefox versions 56 through 58 and it has been fixed with the release of Firefox 58.0.1. According to Mozilla, Firefox for Android and Firefox 52 ESR are not impacted. Linux distributions have also started pushing out updated packages that include the fix.

“The vulnerability is due to insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software,” Cisco said in an advisory describing this flaw. “An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.”

Firefox 58, which Mozilla released on January 23, patches more than 30 vulnerabilities, including a potentially exploitable use-after-free bug and various memory safety issues that have been rated critical.

Firefox 58 also addresses over a dozen high severity flaws, including use-after-free, buffer overflow, and integer overflow bugs. A vulnerability that allows WebExtensions to bypass user prompts to download and open an arbitrarily file has also been classified as high severity.

Ten of these security holes were also addressed earlier this month in the Thunderbird email client with the release of version 52.6. Mozilla pointed out that the flaws typically cannot be exploited against Thunderbird using specially crafted emails.

Mozilla runs a bug bounty program for Firefox and the organization claims it has paid out nearly $1 million to experts who reported vulnerabilities. Hackers can earn between $3,000 and $7,500 for critical and high severity flaws in Mozilla software, but a novel exploit or form of exploitation can earn more than $10,000.

In addition to its software bug bounty program, Mozilla rewards flaws discovered in its websites and services with up to $5,000. The organization says it has paid out a total of roughly $3 million across its bug bounty programs.


Asus Router Flaws Disclosed by Several Researchers
31.1.2018 securityweek
Vulnerebility
Several security researchers and companies have recently disclosed the details of potentially serious vulnerabilities they discovered in the past months in various Asus routers.

Fortinet reported on Tuesday that its researchers had found a vulnerability in some Asus routers that allows an authenticated attacker to execute arbitrary commands with root privileges.

“Technically, vulnerable models are prone to OS command injections via unsanitized parameters passed to the /apply.cgi,” Fortinet explained. “In Main_Analysis_Content.asp in particular, the SystemCmd variable is created on the client side in the JavaScript function updateOptions(), which in turn uses the values from the input fields pingCNT and destIP. A web proxy can then be used to bypass the local checks that are normally done, and then /cmdRet_check.htm is used to asynchronously return the response from the request. The command is then executed with no further checks performed on the server side.”

Eugene Dokukin, aka “MustLive,” a member of the Ukrainian Cyber Forces activist group, has also disclosed the details of some cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities affecting several Asus RT-N10 models.Vulnerabilities in Asus routers

Vulnerabilities in Asus routers

Dokukin claimed that the Ukrainian Cyber Forces, who are fighting a cyberwar against the Russian government and separatists in Eastern Ukraine, have exploited these vulnerabilities to take control of devices belonging to their targets.

Researcher Pedro Ribeiro informed Asus of two vulnerabilities via Beyond Security’s SecuriTeam Secure Disclosure program, including access bypass and configuration manipulation issues.

According to Ribeiro, the AsusWRT operating system running on mid-range and high-end Asus routers is affected by vulnerabilities that allow an unauthenticated attacker with access to the local network to remotely execute arbitrary code.

One of the flaws found by the expert allows an attacker to reset the device’s administrator password by sending a specially crafted request. Once the password has been reset, the attacker can log into the web interface with the new password, enable SSH, and then access the device via SSH. Ribeiro also noted that arbitrary command execution is also possible without resetting the admin password.

Finally, Víctor Calvo of Spain-based security firm S2 Grupo, discovered that an attacker can change the credentials of any user, including the device’s administrator, by sending a specially crafted request to the password reset form.

Calvo also found that the Asus AiCloud service, which allows users to remotely access their home network, is affected by XML External Entity (XXE) vulnerabilities that can be exploited to access system files, including ones that store user credentials.

The researchers who identified these vulnerabilities informed Asus of their findings – except for Dokukin, who typically doesn’t inform vendors of the flaws exploited by his group. The company in most cases developed patches within a few weeks after being notified. Information on the latest firmware patches is available on Asus’ Product Security Advisory page.


New AMD Processors to Include Protections for Spectre-like Exploits
31.1.2018 securityweek
Exploit
AMD’s new Zen 2 and future processors will include protections against Spectre and other similar exploits, the tech giant revealed on Tuesday as it announced its earnings for 2017.

AMD CEO Lisa Su reiterated that the company’s CPUs are not vulnerable to Meltdown attacks and one variant of the Spectre attack is difficult to carry out against its products.AMD processors will include Spectre protections

“For Spectre Variant 1, we continue actively working with our ecosystem partners on mitigations, including operating system patches that have begun to roll out. We continue to believe that Variant 2 of Spectre is difficult to exploit on AMD processors, however we are deploying CPU microcode patches – in combination with OS updates – to provide additional mitigation steps,” Su explained.

The CEO highlighted that in the long-term the company plans on including protections for Specter-like exploits into all future processor cores. These protections have already been implemented into the design of recently unveiled Zen 2 CPUs, which are expected to become available next year.

AMD reported revenue of $5.33 billion for 2017, which it says represents a 25 percent increase compared to the previous year. However, the company warned that the Spectre and Meltdown exploits could have a negative impact on the company’s revenue, including as a result of lawsuits, which have already been filed against the organization.

“Actual or perceived security vulnerabilities of AMD products may subject AMD to adverse publicity, damage to its brand and reputation, and could materially harm AMD’s business or financial results,” the company stated.

Intel also informed customers that it’s working on CPUs that will include built-in protections against Meltdown and Spectre attacks.

In the meantime, existing software and microcode patches have caused problems for many users, which has led to vendors halting updates and disabling mitigations until issues are resolved.


700,000 Bad Android Apps Removed From Google Play in 2017
31.1.2018 securityweek Android
Google took down over 700,000 Android applications from the official software marketplace last year, 70% more than were removed from the store in 2016.

Additonally, Google improved its ability to identify bad applications earlier, and 99% of apps featuring abusive contents were rejected before reaching users, the company claims.

According to Andrew Ahn, Product Manager, Google Play, this was possible because of new machine learning models and techniques that power Google’s abuse detection abilities (including impersonation, inappropriate content, or malware).

Furthermore, the company focused on identifying repeat offenders and abusive developer networks, which resulted in taking down 100,000 bad developers in 2017. It also “made it more difficult for bad actors to create new accounts and attempt to publish yet another set of bad apps,” Ahn says.

Last year, Google took action against copycat apps, or those programs attempting to deceive users by posing as popular programs. Because famous programs get massive search traffic for particular keywords, the bad actors attempt to take advantage of this by publishing impersonating apps to Google Play Store.

Some of the methods employed include the use of confusable Unicode characters or the hiding of impersonating app icons in a different locale. Google says it took down over a quarter of a million such applications last year.

Applications that contain or promote inappropriate content (pornography, extreme violence, hate, and illegal activities) aren’t accepted in the app store either, and Google removed tens of thousands of such programs from the Android marketplace last year.

Potentially Harmful Applications (PHAs) – malware that performs SMS fraud, acts as Trojans, or phishes user's information – can harm people or their devices despite going to lengths to appear as legitimate programs. According to Ahn, Google Play Protect helped the Internet giant reduce the annual PHA installs rates on Google Play by 50% last year.

“Despite the new and enhanced detection capabilities that led to a record-high takedowns of bad apps and malicious developers, we know a few still manage to evade and trick our layers of defense. We take these extremely seriously, and will continue to innovate our capabilities to better detect and protect against abusive apps and the malicious actors behind them,” Ahn says.


Malware Exploiting Spectre, Meltdown Flaws Emerges
31.1.2018 securityweek
Virus
Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks.

The Meltdown and Spectre attack methods allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive data. Shortly after Spectre and Meltdown were disclosed on January 3, experts warned that we could soon see remote attacks, especially since a JavaScript-based proof-of-concept (PoC) exploit for Spectre had been made available.

On January 17, antivirus testing firm AV-TEST reported that it had seen 77 malware samples apparently related to the CPU vulnerabilities, and the number had increased to 119 by January 23.

On Wednesday, AV-TEST told SecurityWeek that it has obtained 139 samples from various sources, including researchers, testers and antivirus companies.

Number of Spectre/Meltdown malware samples

“Most appear to be recompiled/extended versions of the PoCs - interestingly, for various platforms like Windows, Linux and MacOS,” Andreas Marx, CEO of AV-TEST, told SecurityWeek. “We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”

Fortinet, which also analyzed many of the samples, confirmed that a majority of them were based on available PoC code.

Marx believes different groups are working on the PoC exploits to determine if they can be used for some purpose. “Most likely, malicious purposes at some point,” he said.

The expert believes the current malware samples are still in the “research phase” and attackers are most likely looking for ways to extract information from computers, particularly from web browsers. He would not be surprised if we started seeing targeted and even widespread attacks in the future.

Processor and operating system vendors have been working on microcode and software mitigations for the Meltdown and Spectre attacks, but the patches have often caused problems, leading to companies halting updates and disabling mitigations until instability issues are resolved.

In addition to installing operating system and BIOS updates, Marx has two other recommendations that should reduce the chances of a successful attack: switching off the PC when it’s not needed for more than an hour, and closing the web browser during work breaks. “This should decrease your attack surface a lot and also save quite some energy,” Marx said.


Remotely Exploitable Vulnerability Could Impact 300,000 Oracle PoS Systems
31.1.2018 securityweek
Vulnerebility
A vulnerability Oracle addressed in the MICROS Point-of-Sale (PoS) terminals with the January 2018 Critical Patch Update could impact more than 300,000 payment systems worldwide.

Tracked as CVE-2018-2636 and featuring a CVSS v3 score of 8.1, the vulnerability was discovered in September 2017 as a directory traversal vulnerability. Hackers looking to abuse it could read any file by sending a packet to a particular web service of a PoS terminal.

The security bug can be exploited remotely without authentication to read files from the impacted PoS systems. Furthermore, attackers could abuse it to access configuration files that store sensitive information including passwords.

Attackers looking to exploit the flaw could gain full access to the operating system for espionage, sabotage or fraud operations, ERPScan, a company that specializes in securing Oracle and SAP products, reveals. By exploiting the flaw, cybercriminals could, for example, pilfer credit card numbers, the company says.

Because of the wide use of MICROS PoS terminals, the impact of such a security issue could be dire. At the moment, Oracle’s MICROS has more than 330,000 cash registers worldwide. The terminals can be found in over 200,000 food and beverage outlets and more than 30,000 hotels across 180 countries, ERPScan points out.

The vulnerability was discovered as a directory traversal in Oracle MICROS EGateway Application Service. With access to the URL, an attacker could exfiltrate files from the MICROS workstations, including services logs, and could also read files that contain usernames and encrypted passwords to gain full access to the database with all business data.

“After sending a malicious request, for example, the request to read SeviceHost.xml file, the vulnerable MICROS server sends back a special response with the SeviceHost.xml contents,” the security firm explains.

The vulnerability was addressed in Oracle’s January 2018 CPU, but the patch was unlikely to have been already deployed to all of the vulnerable MICROS PoS systems out there.

“POS systems directly process and transmit our payment orders, so it’s self-evident that they are extremely important and valuable. We use them on the daily and hope to be secure from thefts. As a user, I want to rest safe and to avoid any problem while making payments with my card. We worry for the security of our money, and it makes sense,” Alexander Polyakov, CTO of ERPScan, says.


Is ICEMAN behind the malware-based attack on Crystal Finance Millennium?
31.1.2018 securityaffairs
Virus

Exclusive – The Iceman gang taking responsibility for infecting Crystal Finance Millennium, the journalist Marc Miller interviewd one of the members of the crew.
Iceman gang member confirms that they are behind the introduction and spreading of malware that infected the systems at Crystal Finance Millennium.

In Septemeber security experts at TrendMicro reported that the Ukraine based Account Firm, Crystal Finance Millennium (CFM), has been hacked and is found to be distributing malware.

The incident caused the firm to take down its website to stop spreading the threat.

Crystal Finance Millennium ICEMAN
Crystal Finance Millennium attack (Source Trend Micro)

Marc Miller had a chance to speak to one of the gang members on XMMP and he confirmed that the Iceman group is behind this attack. They started with a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company.

He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and “full automation of the doctor’s office” – contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

The group sent phishing emails to various targets based in Ukraine and former Soviet countries. The emails contained a ZIP file that, in turn, contained a JavaScript file. When users unzipped the archive and ran the JS file, the script would download a file named load.exe from the CFM’s web server.
The loader (load.exe file) will, later on, download a Purge ransomware that was modified for that operation by the Iceman group. According to the gang, each target was treated individually to maximize profit. Sometimes they would run a ransomware program and sometimes they would run a banking Trojan. “When you sophisticate your attack, you can drain the sharks” – he said.

An inclusive interview is in the making to unveil the course of this attack. It will be released in the upcoming weeks.

Marc Miller is a web journalist, focused on cybercrime.
He started a blog called: THE PURPLE HAT – Cyber Gangs NAKED, dedicated to exposing the methods and works of cybercrime gangs such as “CARBANAK” or similar sophisticated syndicated Cybercrime organizations.

In the past. he worked as a web front-end programmer. Also, he is passionate about hardware, hacking, security and marketing.


Cybercriminals Stealing From Cybercriminals Ransomware Victims Left Stranded
31.1.2018 securityaffairs
Ransomware

What do you get when you add Bitcoin, with a TOR network proxy and cybercriminals? Even more cybercrime!
Bitcoin is the preferred cryptocurrency for ransomware payments. Like most cryptocurrencies it is largely anonymous, allowing the ransoming cybercriminals to collect their money while staying safely in the shadows. Even though Bitcoin is the most popular cryptocurrency, the majority of victims do not have a ready cache of Bitcoin to pay ransom with so the cybercriminals came up with a process to facilitate these ransom payments.

Payment websites are hosted on the Tor network where victims login, purchase Bitcoin and deposit them into the wallet of the bad actors. Sounds convenient, unless there is another bad actor in the middle. To understand how that happens, we first need to explain the Tor network.

Tor is an acronym based on a software project called The Onion Router. It “[redirects] Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user’s location and usage…“, Tor (anonymity network), Wikipedia. In other words, you must use a Tor client to connect to the Tor network and in doing so, you participate as a relay in the network helping to provide anonymity for all other users.

There are many situations where this type of Internet anonymity would be useful: researching a company without alerting them to who is looking, researching a controversial topic without being identified, avoiding oppressive government restrictions or spying, and facilitating Bitcoin payments while hiding the location of the web server. The challenge for the ransomers is that victims are even less likely to be set up with a Tor client than they are to have Bitcoin! To solve this problem, there are individuals who run “Tor proxies.” These proxies are accessible with a regular browser on the Internet so no special software is required. For example, the hidden server on the Tor network might be addressed by hxxps://sketchwebsite.onion which requires a Tor browser to connect. However by entering hxxps://sketchwebsite.onion.to into a regular browser, a connection is made with a “regular server” on the Internet which redirects (proxies) the request to sketchwebsite.onion on your behalf. You can surf the Tor network, and make your Bitcoin payments with no special software required. By design, a proxy takes a connection from one party and passes it to another. This involves looking at the incoming request to understand where it needs to be forwarded. This also creates an opportunity for the proxy to make changes in between.

Proofpoint is the security vendor that identified cybercriminals taking advantage of Tor proxies to steal from victims and the ransoming cybercriminals. They discovered that when victims attempted to connect to the ransomers’ website through a Tor proxy, the criminals operating the proxy made changes to the stream. Instead of the Bitcoin being deposited to the intended ransomer’s digital wallets, the funds were redirected to the proxy operator’s wallet. While you won’t be sympathetic to the ransoming cybercriminals’ loss of revenue, the real problem is that without payment they won’t release the decryption key to the victim. The ransomware victim thought they were paying Bitcoin to the ransomer for the decryption key, but with the man-in-the-middle attack at the Tor proxy they paid for nothing.

Through some very detailed analysis documented here, Proofpoint estimates that approximately 2 BTC have been redirected (around $20,000 at the time they published their article.) It was a notice on the LockeR ransomware payment portal that alerted Proofpoint researchers that something was amiss in the cybercrime underworld:

bitcoin ransomware

“While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims by further increasing the risk to victims who would resort to paying ransomware ransoms,” Proofpoint researchers said. “This kind of scheme also reflects the broader trend of threat actors of all stripes targeting cryptocurrency theft. Continued volatility in cryptocurrency markets and increasing interest in the Tor network will likely drive further potential abuses of Tor proxies, creating additional risks for new users.”


US Attorney General set up the Joint Criminal Opioid Darknet Enforcement team to fight online opioid trafficking
31.1.2018 securityaffairs CyberCrime

The US Attorney General announced the creation of the Joint Criminal Opioid Darknet Enforcement team to fight online opioid trafficking.
Tor network is still a privileged ecosystem for cyber criminals and pedos, law enforcement and intelligence agencies worldwide reserve a significative effort in fighting any illegal practice that leverages anonymizing networks.

The US Attorney General has set up a task force, dubbed Joint Criminal Opioid Darknet Enforcement (J-CODE), composed of federal agents and cyber experts to dismantle black marketplaces that offer for sale any kind of drug.

The Joint Criminal Opioid Darknet Enforcement team will be distributed in many cities across the US, the feds are tasked to infiltrate the black markets, identify the operators, and shut down them.

The darknet, and in particular black marketplaces, have a relevant aggregation role for the distribution of illegal opioids. Even if many sellers are overseas, the Joint Criminal Opioid Darknet Enforcement team will be focused on domestic operators.


During the official announcement of the task force, Attorney General Jeff explained the abuses of anonymizing networks, but he also highlighted that they can be used for good purposes, such as to avoid censorship. Sessions added that the hard work of law enforcement agencies allowed the infiltration of illegal rings.

“Criminals think that they are safe on the darknet, but they are in for a rude awakening,” Sessions said.

“We have already infiltrated their networks, and we are determined to bring them to justice. The J-CODE team will help us continue to shut down the online marketplaces that drug traffickers use and ultimately that will help us reduce addiction and overdoses across the nation.”

Drugs represent a serious threat to the state, it has been estimated that opioids kill more than 90 Americans every day through overdoses, and this is the tip of the iceberg of a phenomenon that has many other dramatic consequences.

The creation of the Joint Criminal Opioid Darknet Enforcement is an important investment in fighting online opioid trafficking in term or resources and cyber capabilities.

“J-CODE will more than double the FBI’s investment in fighting online opioid trafficking. The FBI is dedicating dozens more Special Agents, Intelligence Analysts, and professional staff to J-CODE so that they can focus on this one issue of online opioid trafficking.” concluded the press release published by the DoJ.


Once again, Oracle MICROS PoS have been breached
31.1.2018 securityweek
Vulnerebility

Security experts from ERPScan discovered a new flaw in Oracle MICROS PoS terminals that could be exploited by an attacker to read sensitive data from devices.
Security experts from ERPScan discovered a new directory traversal vulnerability in Oracle MICROS Point-of-Sale terminals, tracked as CVE-2018-2636, which could be exploited by an attacker to read sensitive data from devices without authentication from a vulnerable workstation.

“CVE-2018-2636 states for a directory traversal vulnerability in Oracle MICROS EGateway Application Service. In case an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation including services logs and read files like SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords to connect to DB, get information about ServiceHost, etc.” reads the analysis published by ERPScan.

“So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise.”

Oracle’s MICROS has more than 330,000 cash registers worldwide, it is widely adopted in food and beverage outlets (200,000+) and hotels (30,000).

The researchers explained that it could be easy for a local attacker to access a MICRO POS URL, for example, he can find a digital scales or other devices that use RJ45 in the outlet and connect it to Raspberry PI, then scan the internal network. Another option is to locate such kind of devices exposed on the Internet, at the time of writing, there are 139 MICROS POS systems exposed online, most of them located in US and Canada.

Oracle MICROS POS

This is not the first time when MICROS security is touched. In 2016, there was an incident where hackers attacked MICROS through the Customer Support Portal.

The vulnerability received the 8.1 CVSS v3 score.

“If you want to secure your system from cyberattacks, you have to persistently implement all security patches provided by your vendor. In our case, refer to Oracle CPU January 2018.” concluded the post.

This isn’t the first time that we approach the security of Oracle MICROS PoS systems, on August 2016, the systems of the Oracle MICROS payment terminals division were infected with a malware.


Tenable, Cylance Disclose Revenue Metrics
30.1.2018 securityweek IT
Cybersecurity solutions providers Tenable and Cylance this week shared financial metrics for 2017, with both privately-held companies showing strong revenue growth.

Cylance reported revenue of more than $100 million last year, which the company says represents a year-over-year growth of 177 percent.

The company’s AI-powered endpoint protection and threat detection solutions are used by over 3,800 enterprises, including 87 percent of Fortune 500 firms. Cylance’s customers include The Gap, Dell, Panasonic, Noble Energy, the National Hockey League Players Association, United Service Organizations (USO), and Partners In Health.

Cylance has raised more than $170 million in funding, including $20 million in February 2014, $42 million in June 2015, and $100 million in June 2016.

When announcing its financial results, Cylance highlighted that its growth rate and the time it took the company to reach $100 million in annual revenue surpassed other cybersecurity firms, including Palo Alto Networks, FireEye, Symantec and CyberArk.

Tenable announced record billings of more than $250 million in 2017, which it says represents a 45 percent growth. The company has attributed this success to strong performance in North America, Europe and Asia. The fourth quarter of 2017 was the seventh consecutive quarter of greater than 40 percent year-over-year billings growth.

As for revenue, Tenable reported $189 million for the 12-month period that ended on December 31, 2017, which represents over 50 percent growth.

Tenable, makers of vulnerability scanners and software solutions that help find network security gaps, has more than 24,000 customers across 160 countries. The list includes more than 50 percent of Fortune 500 companies, over 20 percent of Global 2000 firms, and the ten largest tech companies in the U.S.

Tenable recently announced a partnership with Siemens that aims to provide asset discovery and vulnerability management solutions for industrial networks.

Tenable has raised more than $300 million, including $250 million in November 2015 and $50 million in September 2012.


RELX Group to Acquire Fraud Fighting Firm ThreatMetrix for $815 Million
30.1.2018 securityweek IT

RELX Group, a provider of b2b Information and analytics services, announced on Monday that it has agreed to acquire fraud detection firm ThreatMetrix for £580 million (approximately $815 million) in cash.

Founded in 2005, San Jose, Calif.-based ThreatMetrix’s technology analyzes connections among devices, locations, identity information and threat intelligence, and combines the data with behavioral analytics to identify high-risk transactions in real time.

“ThreatMetrix has built the largest digital identity network that can determine when an individual’s credentials are being used by cybercriminals in real time, which enables businesses to better understand the global footprint of stolen identities,” Alisdair Faulkner, chief products officer at ThreatMetrix, said in 2015 when the company launched its ThreatMetrix Digital Identity Network.

The company says the network currently analyzes more than 100 million transactions per day across 35,000 websites from 5,000 customers.

According to a report published by ThreatMetrix in mid-2017, the United States was the world's primary target for cyber fraud attacks, and Europe has emerged as the major source of attacks, now accounting for 50% more attacks than the US. The report also found that growth in attacks was outpacing the growth of transactions; and that in a 90-day period, 130 million fraud attacks were detected.

Accoding to the company, ThreatMetrix will become part of Risk & Business Analytics, which under the LexisNexis Risk Solutions brand addresses fraud and authentication challenges by "applying advanced analytics to physical identity attributes, including identity credentials, addresses and asset ownership."

LexisNexis Risk Solutions has an existing partnership with ThreatMetrix, as ThreatMetrix’s device intelligence solutions are already integrated into its Risk Defense Platform.

“Further integration of ThreatMetrix’s capabilities in device, email and social intelligence will build a more complete picture of risk in today’s global, mobile digital economy, providing both physical and digital identity solutions,” the company said.

ThreatMetrix has raised more than $90 million in funding, including $20 million in Series E funding in March 2014, $30 million in growth funding from Silicon Valley Bank in October 2016, and $12.1 million in 2010.

The transaction is expected to close during the first half of 2018.


Cisco Patches Critical Code Execution Flaw in Security Appliances
30.1.2018 securityweek
Vulnerebility
Cisco informed customers on Monday that updates released for its Adaptive Security Appliance (ASA) software patch a critical vulnerability that can be exploited to gain full control of devices or cause them to reload.

The security hole, tracked as CVE-2018-0101 and assigned a CVSS score of 10, allows a remote and unauthenticated attacker to execute arbitrary code or cause a denial-of-service (DoS) condition.

The flaw exists in the Secure Sockets Layer (SSL) VPN functionality of the ASA software. If this “webvpn” feature is enabled on a device, an attempt to double free a memory region occurs. A remote attacker can trigger the bug by sending specially crafted XML packets to a webvpn-configured interface.

Several security appliances using ASA software are affected, including 3000 Series Industrial Security Appliances (ISA), ASA 5500 security appliances and firewalls, ASA services modules for Catalyst 6500 series switches and 7600 series routers, ASA cloud firewalls, ASAv virtual appliances, and various Firepower devices.

Cisco has released fixes for each of the affected ASA releases, except for ones that are no longer supported.

Cisco is not aware of any malicious attacks exploiting this flaw, but its product security incident response team (PSIRT) “is aware of public knowledge of the vulnerability.”

Cedric Halbronn, the NCC Group researcher who reported the weakness to Cisco, will disclose its details on February 2 at the Recon Brussels 2018 conference.

Researchers at NCC Group have been investigating Cisco ASA devices and their firmware, and they have released a series of tools and blog posts dedicated to analyzing ASA firmware and finding vulnerabilities.

The experts started analyzing Cisco’s ASA software following the discovery of two critical vulnerabilities back in 2016, namely the IKEv1/IKEv2 buffer overflow tracked as CVE-2016-1287, and CVE-2016-6366, which Cisco identified following the release of an Equation Group exploit by the Shadow Brokers hacker group.


Security Explorations Launches New Research Program
30.1.2018 securityweek Safety
After 10 years of conducting complex research often without expecting any monetary rewards, Poland-based Security Explorations has now decided to launch a commercial offering that gives organizations the chance to gain exclusive or non-exclusive access to the company’s most interesting and unique projects.

Security Explorations is known for conducting in-depth research into digital satellite platforms, Nokia phones, and Java, including Java SE, Oracle Java Cloud Service and the Java VM in Oracle Database, Apple Quicktime for Java, and Google App Engine for Java. The firm’s findings - a total of more than 200 vulnerabilities - were reported to the respective vendors and in many cases made public.

Google did award the company $100,000 following the discovery of more than 30 vulnerabilities in the search giant’s App Engine product. However, Security Explorations said most of its research so far was done pro bono in an effort to raise awareness of flaws that put both users and vendors at risk.

In addition to its on-demand security analysis service, Security Explorations has now decided to launch a Security Research Program (SRP) that allows organizations to obtain access to the results of complex and unique research conducted by the company.Security Explorations launches Security Research Program

The first research offered through the SRP targets digital video broadcasting (DVB) devices from STMicroelectronics. The vendor’s products were analyzed several years ago as part of Security Explorations’ analysis of digital satellite TV platforms. Security Explorations believes STMicroelectronics, which exited the set-top box business two years ago, and other vendors have done little to address vulnerabilities, leaving devices at risk of attacks and failing to prevent premium TV piracy.

According to Security Explorations, its research into STMicroelectronics chipsets can be useful to other companies in this industry as it can help them identify the presence of vulnerabilities, develop patches, and conduct further security research.

Companies interested in Security Explorations research offered via the SRP can opt for an exclusive purchase (EP) and become the owner of the research material - the information will not be provided to anyone else from that point on - or they can choose the access only (AO) option and obtain a copy of the materials. Both options provide access to research reports, proof-of-concept (PoC) code, and tools, and Security Explorations is prepared to provide clarifications if needed, but the offer does not include ongoing support.

In the case of the STMicroelectronics research, pricing for the AO option is 50,000 EUR (roughly 62,000 USD). Information on pricing for exclusive purchases is only provided under a non-disclosure agreement (NDA).

“Each material released as part of our SRP program is separately priced,” Adam Gowdiak, CEO and founder of Security Explorations, told SecurityWeek. “The final price depends on the complexity of the research process and the amount of hours dedicated by Security Explorations to complete it. The impact of discovered vulnerabilities is also taken into account.”

“For our first material, the SRP AO price is less than the offers we have received for reverse engineering work of some PayTV solutions. The SRP EP price is set to be a fraction of the costs of replacing vulnerable ST chipsets / STB devices still deployed to the market,” Gowdiak added. “In general, SRP AO will be below the costs of conducting a given research (it should be always more attractive to purchase access to SRP material than to engage its own resources / achieve given research results on its own).”

Gowdiak says his company is currently working on two undisclosed projects, one of which will be released to the public for free, while the other one will be offered through the new program. He says the goal of the new offering is to help fund the firm’s non-commercial research.

Security Explorations will typically pick its research targets and once the analysis has been completed the company will announce it on its website and reach out to potentially interested parties. The vendor whose products have been analyzed can acquire exclusive rights to the materials to ensure that it cannot fall into the wrong hands, it can acquire access to the research, or ignore the report and instead work on improving the security of its products on its own.

“While the latter does not warrant that vulnerabilities or exploitation techniques targeted by SRP get found or remediated, the net effect should be always positive: a vendor putting additional resources into security, new weaknesses being discovered and fixed, flawed products being recalled/replaced from the market,” Security Explorations said.

Gowdiak has described the new offering as an alternative to bug bounty programs and security evaluations - with some significant differences.

“For Bug Bounties, a researcher decides about a target, a vendor decides about a reward (if any). For a consulting work, a customer decides about a target, a provider decides about a price for security evaluation services. For SRP, we decide both about a target and a price for our work,” Gowdiak explained.

The advantages of this approach for the company conducting the research include not being “the vendor’s hostage for consulting gigs and bug bounties,” which results in unbiased and independent research, and eliminating the issues that can arise during the disclosure process, Gowdiak said.

Security Explorations has reserved the right to deny access to any organization to its research, but the company has admitted that it has no way of enforcing its license terms and ensuring that its findings are not abused.


Tech Support Scammers Fined in US, Jailed in UK
30.1.2018 securityweek
Spam
Ohio Attorney General Mike DeWine and the Federal Trade Commission (FTC) announced Monday that operators of a nationwide computer repair scam have been banned from the tech support business as part of settlements with the FTC and Ohio.

Commonly known as the 'tech support scam', repair fraud has become a global problem. A Microsoft survey with details published in October 2017 suggests that 2 out of 3 people have experienced a tech support scam in the last 12 months.

One in five U.S. respondents to this survey reported losing money to the scammers. "Since 2014," wrote Microsoft Assistant General Counsel Courtney Gregoire in an associated blog, "Microsoft has supported law enforcement agencies across the country who took legal action against known fraudsters responsible for approximately $165 million in consumer losses."

The scam attempts to engage victims in a telephone discussion about their computer, and to persuade them that it has problems that can be fixed for a price. In the current case, the scammers first caused pop-ups to appear on their victims' computers resembling security alerts from well-known technology companies. These are usually Apple and Microsoft.

ESET senior research fellow David Harley (who has been monitoring support scams for many years), calls them "opportunistic SEO-friendly ads claiming to be from real vendor helplines."

The false alerts claimed the computers had been breached by a virus or hacker, and urged the 'victims' to call a toll-free number for assistance. Telemarketers then took over and asked for remote access to the 'infected' computer. They then ran 'diagnostic tests' that falsely claimed to find major problems that could be solved through the purchase of a one-time fix or a long-term service plan that would cost hundreds of dollars.

The FTC filed a complaint in Ohio last year as part of an ongoing campaign called Operation Tech Trap. The defendants were Repair All PC LLC; Pro PC Repair LLC; I Fix PC LLC; WebTech World LLC; Online Assist LLC; Datadeck LLC; I Fix PC (also doing business as Techers 247, I Fix PC, and I Fix PC 247); Jessica Marie Serrano; Dishant Khanna; Mohit Malik; Romil Bhatia; Lalit Chadha; and Roopkala Chadha.

The settlements announced Monday resolve the case. The defendants have been barred from offering tech support products or services, whether genuine or fraudulent, and misrepresenting their affiliation with another company. Perhaps more to the point, the settlements also impose a $12.4 million judgement that will be suspended upon payment by the defendants of a total of $122,376.

"This scheme affected people in Ohio and across the country, and we were pleased to work with the Federal Trade Commission to shut it down," said Attorney General DeWine. "Scams regularly cross state and national borders, so this kind of collaboration is an important part of protecting consumers."

In the UK, the National Trading Standards (NTS) announced on Friday that Narendra Harilal Vadgama (age 56) has been sentenced to 12 months in prison (reduced to 9 months on a guilty plea) for a very similar offense. "Mr Vadgama's victims were targeted through cold-calling or with computer pop-ups," said the NTS. "In many of the cold-calls Mr Vadgama's company gained the trust of their victims by falsely claiming to be computer technicians from companies like Microsoft. They then claimed that the victim's computer had been compromised or their routers had been hacked or infected and needed urgent action to stop the victim's computer or data from being compromised."

Vadgama was discovered following a joint investigation by NTS, Microsoft, the UK's National Fraud Intelligence Bureau and Leicestershire police. "This case demonstrates precisely why public-private partnership is critical to tackling modern day fraud operating at global scale," commented the City of London Police's Commander Dave Clark (the national coordinator for economic crime). "Partnerships like this are increasingly being used and should send a warning to criminals that the UK is increasingly becoming a hostile environment to commit fraud in."

Whether individual successes against the support tech criminals in both the U.S. and the UK will have any great effect on the overall crime rate is a different matter. "How effective the FTC's ruling will be in practice is another question," Harley told SecurityWeek. "I suspect that it will do little to discourage the many other companies executing similar spams (though we can always hope). While there may be individual call-center operatives who don't realize that they're executing a scam -- they're not always the sharpest knives in the drawer -- I imagine that the companies who employ them are usually fully cognizant from day one. Even if the FTC sanctions are sufficiently scary to stop them operating in the same way, I suspect that there's little to stop them cashing out and/or regrouping."

Ultimately, the best defense against tech support scams is heightened user awareness. Reputable firms like Apple and Microsoft and (especially in the UK, BT) simply do not cold call their customers. Interestingly, the Microsoft survey figures suggest that aged consumers are not, as one might expect, either the prime targets or main victims. According to Microsoft, 50% of its respondents "who continued with a fraudulent interaction" were millennials aged between 18 and 34. Only 17% were over 55.

Security professionals should make sure that both their children and their parents are aware of this scam.

[Update] The FTC has just announced that it is sending 3,791 checks averaging around $176 (a total of $668,000) to victims of a tech support scam action that was settled in May 2017. Part of the settlement included turning over financial assets to the FTC. "These are legitimate checks," says the announcement. "The FTC never requires consumers to pay money or provide account information to cash a refund check."

Interestingly, the FTC also issued a warning today on a different scam: an email claiming to be Secretary Tillerson announcing a $1.8million government refund, provided the recipient sends him $320 plus personal information.

FTC law enforcement actions provided more than $6.4 billion dollars in refunds to consumers between July 2016 and June 2017.


ATM Jackpotting Attacks Strike in U.S.
30.1.2018 securityweek Hacking
Hackers have been targeting automated teller machines (ATMs) in the United States to make them spill out cash using an attack technique known as “jackpotting.”

As part of the attacks, individuals with physical access to the machines connect to them and “install malware, or specialized electronics, or a combination of both to control the operations of the ATM,” The United States Secret Service revealed in a warning issued on Friday.

The attackers targeted stand-alone ATMs located in pharmacies, big box retailers, and drive thru ATMs, the alert reads. Both individual suspects and large organized groups (both local and international organized crime syndicates) are engaged in such attacks.

“The Secret Service recently obtained credible information about planned jackpotting attacks in the U.S. through partners of our Electronic Crimes Task Force (ECTF). Subsequently, we alerted other law enforcement partners and financial institutions who could potentially be impacted by this crime,” the Secret Service warning (PDF) reads.

“The two most common ways to implement jackpotting are via Trojans and Blackbox attacks,” Sergey Golovanov, Principal Security Researcher at Kaspersky Lab, explained in an email to SecurityWeek.

When performing jackpotting via Trojans, the attackers connect a flash drive or a CD-ROM to upload the malware to the ATM, or attempt to compromise the machine via the network, Golovanov said.

“The second scenario, Blackbox, assumes that third party equipment (such as a laptop, or raspberry pie) is connected to the cash dispenser, which is responsible for collecting the money and cashing it out to the client,” Golovanov continued.

These and other compromise methods were detailed by Kaspersky Lab researchers in an interview with SecurityWeek at the DefCamp conference in Bucharest late last year.

Specific protection methods exist for both jackpotting attack methods, but ultimately it’s up to the bank to implement them or not, Golovanov said.

Although they have been long observed in Europe and Asia, jackpotting attacks haven’t targeted U.S. ATM operators until earlier this month. As part of the recently observed attacks, miscreants relied on the Blackbox technique to drain the cash from the ATMs.

In addition to the Secret Service, ATM vendors such as NCR and Diebold Nixdorf also sent out alerts last week, security blogger Brian Krebs reported.

“NCR confirms the matters reported by Brian Krebs, and had previously issued its own alert and guidance on this situation. NCR regularly and actively works with our financial solutions customers to address the security and fraud issues that impact this industry,” Owen Wild, security marketing director, NCR, told SecurityWeek via email.

“NCR has received reports from the U.S Secret Service and other sources of logical (jackpot) attacks on ATMs in the US. While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue. This represents the first confirmed cases of losses due to logical attacks in the US,” the company’s last week alert, which was shared with SecurityWeek, reads.

The company also provided guidance on how ATM deployers could protect their machines against these attacks and mitigate any consequences.

SecurityWeek has also contacted Diebold Nixdorf for comment, but haven’t heard back yet.

In the U.S., the attackers appear to be mainly targeting the Opteva 500 and 700 series ATMs from Diebold. With the help of an endoscope, they look inside the cash machine to locate ports to connect a laptop that contains a mirror image of the ATMs operating system, Krebs reports.

The Ploutus.D malware is also said to have been used in these attacks. Ploutus was first discovered in 2013 targeting ATMs in Mexico, and by 2014 it could also be used to withdraw cash using SMS messages.

Ploutus.D was first detailed in January last year, observed as part of attacks where money mules would open the top portion of the ATM, connect to the machine’s internals, and wait for activation codes from the actor in charge of the operation. Mainly targeting Diebold ATMs, the malware could easily be repurposed to hit machines from 40 different vendors in 80 countries.

Even unsophisticated attackers can defraud an ATM, David Vergara, Head of Global Product Marketing, VASCO Data Security, told SecurityWeek in an emailed comment. Anyone can become “a professional thief in this segment with a modest investment in cash,” Vergara says. He also urges banks to look “at and beyond reader devices and hidden cameras” when it comes to securing ATMs.

"With banks’ focus on digital channels, like ATM and mobile, to drive down costs and better serve customers, it’s no surprise that cybercrime is following. The relatively low-tech skimming attacks still represent the vast majority of ATM losses, but more coordinated attacks using physical access to the machine (i.e. master key and keyboard) along with more sophisticated malware are enabling much bigger paydays for hackers,” Vergara said.


Three Dutch banks and Tax Agency under DDoS Attacks … is it a Russian job?
30.1.2018 securityaffairs
Attack

Three Dutch Banks (ABN AMRO, ING Bank, Rabobank) and Tax Agency were targeted by a coordinated DDoS Attacks a few days the revelation of the Russian APT Hack.
Early this week a massive DDoS attack targeted three Dutch banks, ABN AMRO, ING Bank, Rabobank, and the Dutch Taxation Authority (Belastingdienst).

The attack against the system of ABN AMRO started over the weekend, while both ING Bank and Rabobank suffered coordinated DDoS attacks on Monday.
while the other two banks were hit on Monday.
The DDoS attacks caused severe accessibility problems to the bank infrastructure, they prevented customers from accessing the web services.

The attack against the Dutch Tax Authority prevented taxpayers filing tax-related documents.

DDoS%20attack%20three%20dutch%20banks%20ABN_AMRO_Hoofdkantoor_04

Who is behind the attack?

According to security experts from ESET, the origins of the attacks are servers in Russia.

“The DDoS attacks that hit ABN Amro, ING and Rabobank over the weekend and on Monday, came from servers in Russia, according to security company ESET. The company adds that this does not automatically mean that the perpetrators are also in Russia, the Telegraaf reports.” states NL Times.

“The perpetrators used a so-called botnet – an army of hijacked computers and smart devices – to commit the DDoS attacks. Using the program Zbot, they remotely ordered these devices to visit a certain site en masse, thereby overloading the site’s server and crashing the site. The command and control servers are mainly in Russia, ESET determined.”

It is difficult to attribute the attack to a specific threat actor. anyway, the cybersecurity expert Richey Gevers noted that the attacks came a few days after the story of the Cozy Bear hack operated by the Dutch Intelligence Agency AIVD. According to Gevers, the DDoS attack peaked 40 Gbps in volume of traffic.


Rickey Gevers
@UID_
Hey fellow DFIR people. Jan 25th the story broke the Dutch Intelligence Agency AIVD hacked Cozy Bear. At this moment critical Dutch infra is under (40Gbps) DDoS attack. Has anyone seen infected clients/network traffic performing a DDoS attack on Dutch infra? Please let me know.

7:51 PM - Jan 29, 2018
5 5 Replies 67 67 Retweets 57 57 likes
Twitter Ads info and privacy
The expert also added that the attackers powered the attacks using a botnet composed of home routers.

29 Jan

x0rz
@x0rz
Replying to @UID_
What are the source IPs? IoT devices?


Rickey Gevers
@UID_
The banks are not sharing much info. But they said some IPs look like routers. Thats all I know.

9:20 PM - Jan 29, 2018
Replies Retweets 2 2 likes
Twitter Ads info and privacy

The Ministry of Justice and Security called the attacks on the Dutch institutions very advanced, according to BNR. “But for example Dutch banks are known in Europe for having their cyber security in order. You often see that this provokes more advanced attacks. We are now fighting at a very high level”, the Ministry said. The Ministry can’t yet say who is behind these attacks.

Researchers from ESET claimed the attackers used the Zbot malware, a very old threat based on the infamous ZeuS banking trojan.

According to BNR, even is the malware is not complex, the Ministry of Justice and Security has classified the attacks on the Dutch institutions as very complex

“But for example Dutch banks are known in Europe for having their cyber security in order. You often see that this provokes more advanced attacks. We are now fighting at a very high level”, the Ministry said. The Ministry can’t yet say who is behind these attacks.


Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US
30.1.2018 securityaffairs Hacking

Cybercriminals are targeting ATM machines in the US forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.
According to a senior US Secret Service official, the organization has managed to steal more than $1m from ATM machines using this technique.

Once crooks gain physical access to the ATM, they will infect it with a malware or specialized electronics that is designed to instruct the machine to deliver money in response to specific commands.

The jackpotting technique was first proposed by white hat hacker Barnaby Jack in 2010.

Barnaby%20Jack%20Jackpotting%20video

The popular investigator Brian Krebs obtained an alert issued by ATM maker manufacturers Diebold Nixdorf this month, the company warns of an ongoing campaign conducted by a gang in the US.

“On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.” wrote Krebs.

“On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.”

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The crooks are infecting the ATM with the Ploutus-D malware, the vendor warns that Opteva 500 and 700 series machines are particularly vulnerable to these attacks.

These attacks are the first confirmed cases of jackpotting attacks against ATMs in the US. Jackpotting attacks were already reported in Europe, in May 27 people have been arrested by the Europol for jackpotting attacks on ATM across many countries in Europe.

Ploutus is one of the sophisticated ATM malware that was first discovered in Mexico back in 2013. The malicious code allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or by sending it SMS messages.

In January, experts at FireEye Labs have discovered a new version of the Ploutus ATM malware, the so-called Ploutus-D, that works the KAL’s Kalignite multivendor ATM platform.

The experts observed the Ploutus-D in attacks against ATM of the vendor Diebold, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

Ploutus-D

The alert issued by Secret Service explains that the cybercriminals use an endoscope to inspect the internal parts of the ATM searching for the place where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

endoscope%20jackpotting

Diebold Nixdorf urges the improvement of physical security for ATMs, especially for those located in public places such as malls and pharmacies. Also, tightening the security configuration of the firmware is recommended.

The alert issued by Secret service recommends to limit physical access to the ATM machines and implement protection mechanisms for cash modules (i.e. Use firmware with latest security functionality. use the most secure configuration of encrypted communications incl. physical authentication).


Cisco ASA software is affected by a flaw with 10 out of 10 severity rating. Patch it asap
30.1.2018 securityaffairs
Vulnerebility

Cisco released security updates to address a critical security vulnerability, tracked as CVE-2018-0101, in Cisco ASA software
Cisco addressed a critical security flaw, tracked as CVE-2018-0101, in Adaptive Security Appliance (ASA) software.

The vulnerability could be exploited by a remote and unauthenticated attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition causing the reload of the system.


The vulnerability was discovered by the researcher Cedric Halbronn from NCC Group, he will disclose technical details on February 2 at the Recon Brussels 2018 conference.

The flaw resides in the Secure Sockets Layer (SSL) VPN feature implemented by CISCO ASA software.

According to CISCO, it is related to the attempt to double free a memory region when the “webvpn” feature is enabled on a device. An attacker can exploit the vulnerability by sending specially crafted XML packets to a webvpn-configured interface.

“A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” reads the security advisory published by CISCO.

“The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device.”

Below the list of affected CISCO ASA products:

3000 Series Industrial Security Appliance (ISA)
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
ASA 1000V Cloud Firewall
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4110 Security Appliance
Firepower 9300 ASA Security Module
Firepower Threat Defense Software (FTD)
The vulnerability was introduced in Firepower Threat Defense 6.2.2 that implemented the remote access VPN feature since September 2017.

Cisco has addressed the vulnerability by issuing security updates for each of the affected CISCO ASA software that are still supported by the company.

The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability, but Cisco confirmed that it is not aware of any attacks in the wild that are exploiting this vulnerability.


Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases
30.1.2018 thehackernews BigBrothers

Every one of us now has at least one internet-connected smart device, which makes this question even more prominent —how much does your smart device know about you?
Over the weekend, the popular fitness tracking app Strava proudly published a "2017 heat map" showing activities from its users around the world, but unfortunately, the map revealed what it shouldn't—locations of the United States military bases worldwide.
Strava which markets itself as a "social-networking app for athletes" publicly made available the global heat map, showing the location of all the rides, runs, swims, and downhills taken by its users, as collected by their smartphones and wearable devices like Fitbit.
Since Strava has been designed to track users’ routes and locations, IUCA analyst Nathan Ruser revealed that the app might have unintentionally mapped out the location of some of the military forces around the world, especially some secret ones from the United States.
With a total of one billion activities logged on the Strava's activity map, it is a whole lot of useful data from all over the world.
Although Strava's publicly available activity map was live as of November 2017, Ruser recently noticed that the map includes the fitness routes of army soldiers and agents in secret base locations, including U.S. military bases in Afghanistan and Syria, a suspected CIA base in Somalia and even Area 51.

Besides American military bases, the map also revealed the UK's RAF Mount Pleasant airbase in the Falkland Islands, Lake Macphee and Gull Island Pond, among others. Russian bases have also been showed up by the Strava data.
What's more? Security experts on Twitter have also discovered potentially sensitive American military bases in Somalia, Afghanistan and Syria; secret Russian military bases in Ukraine; a secret missile base in Taiwan, as well as an NSA base in Hawaii.
Ruser said that the map allowed him to find out regular jogging routes for military personnel, which is bad news for security, as it establishes reliable "pattern of life" information that would otherwise be secret from the rest of the world.
"If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any Pattern of life info from this far away," Ruser tweeted.
Should Strava be blamed entirely for this revelation?
Strava said its heat map is based only on publically available data, and the company does offer a private mode that allows its users to turn off data sharing outside of the app.
However, it appears that many American and foreign military personnel using the app were sharing the confidential information publicly—perhaps without the knowledge or realising the implication, which is terrible.
What's even worse?
A security researcher told the Washington Post that this publically available data could even help enemy forces plan an "attack or ambush U.S. troops in or around the bases."
To make things even worse, some experts have also found ways to deanonymize the Strava heatmap, identifying individuals and their location where they have been exercising.
Strava has reminded its users that they could turn off location services for the app and that the map does not include private activities or areas deemed private.
"Our global heat map represents an aggregated and anonymised view of over a billion activities uploaded to our platform," Strava said in a statement. "It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share."
The incident is a great reminder for people, especially for those working in or around sensitive locations, to turn off location sharing services for everything.
Moreover, militaries should also consider limiting smartphones and wearables use in sensitive areas as well as educate their soldiers on the importance of privacy.


Someone Stole Almost Half a BILLION Dollars from Japanese Cryptocurrency Exchange
30.1.2018 thehackernews CyberCrime

Coincheck, a Tokyo-based cryptocurrency exchange, has suffered what appears to be the biggest hack in the history of cryptocurrencies, losing $532 million in digital assets (nearly $420 million in NEM tokens and $112 in Ripples).
In 2014, Mt Gox, one of the largest bitcoin exchange at that time, filed for bankruptcy after admitting it had lost $450 million worth of Bitcoins.
Apparently, the cryptocurrency markets reacted negatively to the news, which resulted in 5% drop in Bitcoin price early this morning.
In a blog post published today, the Tokyo-based cryptocurrency exchange confirmed the cyber heist without explaining how the tokens were stolen, and abruptly froze most of its services, including deposits, withdrawals and trade of almost all cryptocurrencies, except Bitcoin.
Coincheck also said the exchange had even stopped deposits into NEM cryptocurrencies, which resulted in 16.5% drop in NEM coin value, as well as other deposit methods including credit cards.
During a late-night press conference at the Tokyo Stock Exchange, Coincheck Inc. co-founder Yusuke Otsuka also said that over 500 million NEM tokens (then worth around $420 million) were taken from Coincheck's digital wallets on Friday, but the company didn’t know how the tokens went missing, according to new source Asahi.
The digital-token exchange has already reported the incident to the law enforcement authorities and to Japan's Financial Services Agency to investigate the cause of the missing tokens.
"We will report on the damage situation and cause of the case, measures to prevent recurrence, but first we would like you to take every possible measure to protect our customers," said Executives of the Financial Services Agency (translated).
This incident marks yet another embarrassing hack in the world of digital currency technology, once again reminding us that the volatility in cryptocurrency prices is not going away anytime soon.
So far, the exchange has not provided any official statement regarding the cause of this hack. We will keep you updated about this incident. Stay Tuned!


Nearly 2000 WordPress Websites Infected with a Keylogger
30.1.2018 thehackernews
Virus

More than 2,000 WordPress websites have once again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors' computers to mine digital currencies but also logs visitors' every keystroke.
Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive and a keylogger.
Coinhive is a popular browser-based service that offers website owners to embed a JavaScript to utilise CPUs power of their website visitors in an effort to mine the Monero cryptocurrency.
Sucuri researchers said the threat actors behind this new campaign is the same one who infected more than 5,400 Wordpress websites last month since both campaigns used keylogger/cryptocurrency malware called cloudflare[.]solutions.
Spotted in April last year, Cloudflare[.]solutions is cryptocurrency mining malware and is not at all related to network management and cybersecurity firm Cloudflare. Since the malware used the cloudflare[.]solutions domain to initially spread the malware, it has been given this name.
The malware was updated in November to include a keylogger. The keylogger behaves the same way as in previous campaigns and can steal both the site's administrator login page and the website's public facing frontend.

If the infected WordPress site is an e-commerce platform, hackers can steal much more valuable data, including payment card data. If hackers manage to steal the admin credentials, they can just log into the site without relying upon a flaw to break into the site.
The cloudflare[.]solutions domain was taken down last month, but criminals behind the campaign registered new domains to host their malicious scripts that are eventually loaded onto WordPress sites.
The new web domains registered by hackers include cdjs[.]online (registered on December 8th), cdns[.]ws (on December 9th), and msdns[.]online (on December 16th).
Just like in the previous cloudflare[.]solutions campaign, the cdjs[.]online script is injected into either a WordPress database or the theme's functions.php file. The cdns[.]ws and msdns[.]online scripts are also found injected into the theme's functions.php file.
The number of infected sites for cdns[.]ws domain include some 129 websites, and 103 websites for cdjs[.]online, according to source-code search engine PublicWWW, though over a thousand sites were reported to have been infected by the msdns[.]online domain.
Researchers said it's likely that the majority of the websites have not been indexed yet.
"While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It’s possible that some of these websites didn't even notice the original infection," Sucuri researchers concluded.
If your website has already been compromised with this infection, you will require to remove the malicious code from theme's functions.php and scan wp_posts table for any possible injection.
Users are advised to change all WordPress passwords and update all server software including third-party themes and plugins just to be on the safer side.


Hard-coded Password Lets Attackers Bypass Lenovo's Fingerprint Scanner
30.1.2018 thehackernews Safety

Lenovo has recently rolled out security patches for a severe vulnerability in its Fingerprint Manager Pro software that could allow leak sensitive data stored by the users.
Fingerprint Manager Pro is a utility for Microsoft Windows 7, 8 and 8.1 operating systems that allows users to log into their fingerprint-enabled Lenovo PCs using their fingers. The software could also be configured to store website credentials and authenticate site via fingerprint.
In addition to fingerprint data, the software also stores users sensitive information like their Windows login credentials—all of which are encrypted using a weak cryptography algorithm.
According to the company, Fingerprint Manager Pro version 8.01.86 and earlier contains a hard-coded password vulnerability, identified as CVE-2017-3762, that made the software accessible to all users with local non-administrative access.
"Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said in its advisory, giving brief about the vulnerability.

 

The vulnerability impacts Lenovo ThinkPad, ThinkCentre and ThinkStation laptops, and affects more than two dozen Lenovo ThinkPad models, five ThinkStation Models and eight ThinkCentre models that run Windows 7, 8 and the 8.1 operating systems.
Here's the full list of Lenovo devices compatible with Fingerprint Manager Pro and impacted by the vulnerability:
ThinkPad L560
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900
Lenovo has credited security researcher Jackson Thuraisamy with Security Compass for discovering and responsibly reporting the vulnerability.
The popular Chinese computer manufacturer strongly recommends its ThinkPad customers to update their devices to Fingerprint Manager Pro version 8.01.87 or later to address the issue. You can also head on to the company's official website to do so.
Since Microsoft added native fingerprint reader support with Windows 10 operating system, thus eliminating the need for the Fingerprint Manager Pro software, Lenovo laptops running Windows 10 are not impacted by the vulnerability.


Intel reportedly alerted Chinese companies before US Government about Meltdown and Spectre flaws
30.1.2018 securityaffairs  BigBrothers

According to the Wall Stree Journal, Intel reportedly alerted Chinese companies before US Gov about Meltdown and Spectre vulnerabilities.
There is no peace for Intel, according to a report published by The Wall Street Journal the company warned Chinese tech giants about the Meltdown and Spectre vulnerabilities before notifying them to the US government.

Citing unnamed people familiar with the matter and some of the companies involved, The WSJ revealed that the list of Chinese companies includes Lenovo and Alibaba.

It is not clear when Intel notified the flaw to Lenovo, but a leaked memo from Intel to computer makers suggests the company reported the issues to an unnamed group of on November 29 via a non-disclosure agreement. The same day, the Intel CEO Brian Krzanich sold off his shares.

Last week, French tech publication LeMagIT’s Christophe Bardy disclosed the first page of the “Technical Advisory” issued by the Intel Product Security Incident Response Team.

Of course, security experts speculate the companies might have passed this information to the Chinese Government, but Alibaba spokesman refused any accusation.

I personally believe that the Chinese Government was informed by the companies about the Meltdown and Spectre vulnerabilities and it is disconcerting that the US intelligence agencies neither US CERTs were not aware of the flaws.

Meltdown Spectre patches

We also know that the Meltdown flaw is easy to exploit, this means that it is likely that threat actors might have triggered it to extract passwords and other sensitive data from a target machine. The situation is worrisome in cloud-computing environments were many customers share the same servers, in this scenario an attacker can launch a Meltdown attack to steal info belonging to other clients with applications hosted on the same server.

El Reg reached Intel for a comment, below the reply of the chip vendor:

“The Google Project Zero team and impacted vendors, including Intel, followed best practices of responsible and coordinated disclosure. Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication. In this case, news of the exploit was reported ahead of the industry coalition’s intended public disclosure date at which point Intel immediately engaged the US government and others.” states the El Reg.

Let me close with this eloquent Tweet published by security journalist Zach Whittaker:

Zack Whittaker

@zackwhittaker
This is grade A crap. Several people told me Meltdown/Spectre's planned disclosure was set for Jan. 9 but was revealed on Jan. 3 after a PoC came out. Based on WSJ, Intel was going to tell the US gov. only a week before disclosure?! It knew since June! https://techmeme.com/#a180128p6

8:39 PM - Jan 28, 2018 · Manhattan, NY


#ThinkBeyond – Security solutions from market leaders may all fail in your particular environment
30.1.2018 securityaffairs Security

Buying solutions proposed by analyst firms without carefully analyzing your organization expose it to cyber threats. It’s time to #ThinkBeyond this broken paradigm.
The cybersecurity market is expected to double by 2022, analysts estimated the growth could reach three hundred thousand dollars, at a Compound Annual Growth Rate (CAGR) of 11.0%. In the same period, the number of cyber attacks are expected to increase, hackers will adopt new sophisticated techniques while the surface of attacks of companies and organizations is enlarging due to the adoption of paradigms such as the Internet of Things, Cloud computing, and mobile computing.

Another important element that will characterize the next months it the adoption of new regulations and directives, such as the GDPR and the NIS directive, that will influence the evolution of the market.

Businesses will face the “perfect storm,” the ideal condition for security firms that continue to develop new solutions designed to cover a specific portion of the market instead of responding to the real needs for cyber security of their customers.

The increasing number of successful cyber attacks and the daily security breaches reported by experts demonstrate that most of the companies are still far from an adequate security posture.

In origin it was mainly a problem of awareness on cyber threats, but now the critical issue is represented by the ability of businesses and decision makers in buying security solutions that match their needs.

The purchase of a new security solution or a service is often driven by the recommendations of analysts that produce any kind of report to influence the final decision of the management and the IT staff.

The emulation is part of the human nature, for C-Level personnel is easy to select their business partners by choosing them from the companies listed in authoritative studies and publications such as the Gartner Magic Quadrant.

Evidently, this approach is not sufficient to ensure the resilience to cyber attacks of a modern business.

In many cases the same security companies suggested by these reports were involved in embarrassing incidents, this is the case of the accountancy firm Deloitte that was awarded as the best Security Consulting Services providers by Gartner, but that was victims itself of a sophisticated hack that compromised its global email server in 2016.

These studies could influence a blind and an unaware choice of security solutions, they could give businesses a false sense of security.

It is absurd to compose a security infrastructure only by implementing the recommendations of the analyst firms while the events in the threat landscape demonstrate that such an approach is ruinous.

A model of cyber security driven by profits could not be effective against cyber threats. Threat actors rapidly and continuously change their Tactics, Techniques, and Procedures (TTPs ), and security industry is not able to follow them.

Security investments should be measured by the amount of cyber risk mitigated per dollar spent, only in this way it is possible to evaluate real enhancement of the resilience of an architecture while adding new components to the mosaic.

Before deciding to read a report from major analyst companies that suggest products from IT giants, it is essential for any organization to assess and prioritize all cyber risks and business processes.

The risk assessment must involve as many stakeholders, this is the best way to protect our infrastructure from several threat actors.

Once all the risks are identified and prioritized, the company will have to mitigate them by using systems inside their infrastructure and eventually integrating them with proper solutions. Instruments like Gartner’s Magic Quadrant could help companies to select vendors with a filtrated vision of the market, however, we cannot forget that security solutions from market leaders may all fail in a particular environment.

The adoption of security solutions that are recognized by the analysis as leading products of the cyber security industry will not protect our organizations for multiple reasons.

The reality is disconcerting, in most of the security breaches the attackers were able to bypass the stack of security solutions deployed by the victims to defend their infrastructure.

We cannot continue to build our defence implementing a model of cyber security that is imposed by a restricted number of firms. From the attacker’s perspective, #ThinkBeyondit is easy to predict the type of defence measures in place and adopt the necessary changes in their attack chain.

Don’t forget that threat actors continuously monitor our infrastructure and companies need to avoid in providing points of reference that could be the starting points for their offensive.

The choice of the components for the infrastructure of a company must be driven by an objective analysis of the context in which they operate and carefully considering the evolution of cyber threats.

Security solutions must be user-friendly, overly-complex systems make it hard to use. Another problem related to the choice of security products and services is related to the capability of the organization in processing their output of the defence systems. In a real scenario, cyber security analysts often miss the vast majority of alerts and warnings because of the huge volume of information generated by security solutions.

Most of the leading security firms urge a layered approach in cyber security, but what happens if these layers are not able to “correctly” exchange information each other, or in a worst scenario there are affected by vulnerabilities that can be triggered to compromise the security of the overall architecture.

Building a layered defense system doesn’t mean to simply put together the security products and service suggested by prominent studies, but the analysis must go beyond.

The integration is the most complicated part in setting up a security infrastructure, every time the IT staff intends to add another piece to their cyber barricade it needs to carefully understand the way various components interact and which are the behavior of the resulting system.

Buying solutions proposed by analyst firms will not protect the organizations, spending more doesn’t necessarily mean you will be secure, this must be clear to anyone that works to increase the resilience of its systems to cyber attacks. It’s time to #ThinkBeyond this broken paradigm.


Dridex banking Trojan and the FriedEx ransomware were developed by the same group
30.1.2018 securityaffairs
Ransomware

Security researchers from ESET have tied another family of ransomware, dubbed FriedEx (aka BitPaymer), to the authors of the Dridex Trojan.
The Dridex banking Trojan that has been around since 2014, it was involved in numerous campaigns against financial institutions over the years and crooks have continuously improved it.

In April 2017, millions of people were targeted by a phishing campaign exploiting a Microsoft Word 0day and aimed to spread the Dridex Banking Trojan, a few days ago security researchers at Forcepoint spotted a new spam campaign that is abusing compromised FTP servers as a repository for malicious documents and infecting users with the Dridex banking Trojan.

Now, security researchers from ESET have tied another strain of ransomware, dubbed FriedEx (aka BitPaymer), to the authors of the Dridex Trojan.

FriedEx was first spotted in July, and in August it was responsible for infections at NHS hospitals in Scotland.

The FriedEx ransomware was involved in attacks against high profile targets, researchers believe it was delivered via Remote Desktop Protocol (RDP) brute force attacks.

The ransomware encrypts each file using a randomly generated RC4 key that is then encrypted with a hardcoded 1024-bit RSA public key.

“Initially dubbed BitPaymer, based on text in its ransom demand web site, this ransomware was discovered in early July 2017 by Michael Gillespie. In August, it returned to the spotlight and made headlines by infecting NHS hospitals in Scotland.” states the analysis published by ESET.

“FriedEx focuses on higher profile targets and companies rather than regular end users and is usually delivered via an RDP brute force attack. The ransomware encrypts each file with a randomly generated RC4 key, which is then encrypted using the hardcoded 1024-bit RSA public key and saved in the corresponding .readme_txt file.”

The analysis of FriedEx code revealed that many similarities with Dridex code.

For example, the Dridex and FriedEx binaries share the same portion of a function used for generating UserID, the experts also noticed that the order of the functions in the binaries is the same in both malware families, a circumstance that suggests the two malware share the same codebase.

FriedEx

“It resolves all system API calls on the fly by searching for them by hash, stores all strings in encrypted form, looks up registry keys and values by hash, etc. The resulting binary is very low profile in terms of static features and it’s very hard to tell what the malware is doing without a deeper analysis.” states ESET.

Both Dridex and FriedEx use the same packer, but experts explained that the same packer is also used by other malware families like QBot, Emotet or Ursnif also use it.

Another similarity discovered by the researchers is related to the PDB (Program Database) paths included in both malware. PDB paths point to a file that contains debug symbols used by vxers to identify crashes, the paths revealed the binaries of both threats are compiled in Visual Studio 2015.

The experts also analyzed the timestamps of the binaries and discovered in many cases they had the same date of compilation, but it is not a coincidence.

“Not only do the compilations with the same date have time differences of several minutes at most (which implies Dridex guys probably compile both projects concurrently), but the randomly generated constants are also identical in these samples. These constants change with each compilation as a form of polymorphism, to make the analysis harder and to help avoid detection.” continues the analysis.

The experts concluded that FriedEx was developed by the Dridex development team, they believe that the criminal gang not only will continue to improve the banking Trojan but it will also follow malware “trends” developing their own strain of ransomware.


Microsoft Disables Spectre Mitigations Due to Instability
30.1.2018 securityweek 
Vulnerebility
Out-of-band Windows updates released by Microsoft over the weekend disable mitigations for one of the Spectre attack variants as they can cause systems to become unstable.

Both microcode and software updates designed to address the Spectre and Meltdown vulnerabilities have turned out to be buggy, often making systems unbootable or causing them to reboot more frequently. Intel has suspended its patches until the issue is resolved and advised customers to stop deploying the updates.

HP, Dell, Lenovo, VMware, Red Hat and others had paused the patches and now Microsoft has done the same.

The problem appears to be related to CVE-2017-5715, which has been described as a “branch target injection vulnerability.” This is one of the flaws that allows Spectre attacks, specifically Spectre Variant 2 attacks.

Microsoft has confirmed that Intel’s patches cause system instability and can in some cases lead to data loss or corruption. Update KB4078130 released by the company over the weekend for Windows 7, Windows 8.1 and Windows 10 – for both clients and servers – disables the mitigation for CVE-2017-5715.

The company has also provided instructions for advanced users on how to manually enable and disable Spectre Variant 2 mitigations through registry settings.

“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device,” Microsoft said in its advisory.

Microsoft quickly released mitigations for Meltdown and Spectre after the attack methods were disclosed, but the company’s own updates were also buggy. Shortly after it had started rolling them out, Microsoft was forced to suspend patches for devices with AMD processors due to instability issues.

The Spectre and Meltdown vulnerabilities allow malicious applications to bypass memory isolation mechanisms and access sensitive data. The Meltdown attack relies on one vulnerability, tracked as CVE-2017-5754, but there are two main variants of the Spectre attack, including CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2).

Meltdown and Variant 1 of Spectre can be patched efficiently with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.

Intel, AMD and Apple face class action lawsuits over the Spectre and Meltdown vulnerabilities. However, Intel does not appear too concerned that the incident will affect its bottom line – the company expects 2018 to be a record year in terms of revenue.


Exercise Tracking App Reveals Details of Military Sites
30.1.2018 securityweek  BigBrothers
A map showing paths taken by users of an exercise tracking app reveals potentially sensitive information about American and allied military personnel in places including Afghanistan, Iraq and Syria.

While some bases are well known to groups that want to attack them, the map also shows what appear to be routes taken by forces moving outside of bases -- information that could be used in planning bombings or ambushes.

The map, made by Strava Labs, shows the movements of its app users around the world, indicating the intensity of travel along a given path -- a "direct visualization of Strava's global network of athletes," it says.

Routes are highlighted over large parts of some countries, but in others, specific locations stand out.

The map of Iraq is largely dark, indicating limited use of the Strava app, but a series of well-known military bases where American and allied forces have been deployed as part of their war against the Islamic State (IS) group are highlighted in detail.

These include Taji north of Baghdad, Qayyarah south of Mosul and Al-Asad in Anbar Province. Strava%20heatmap%20exposes%20military%20sites%20-%20credits%3A%20Tobias%20Schneider

 

Smaller sites also appear on the map in northern and western Iraq, indicating the presence of other, lesser-known installations.

Stretches of road are also highlighted, indicating that Strava users kept their devices on while traveling, potentially providing details about commonly-taken routes.

In Afghanistan, Bagram Airfield north of Kabul is a hive of activity, as are several locations in the country's south and west.

- Opting out an option -

Tobias Schneider, a security analyst who was among the group of people who highlighted the military bases shown on the map, noted that it shows military sites in Syria and Iraq as well as the Madama base used by French forces in Niger.

"In Syria, known Coalition (i.e. US) bases light up the night. Some light markers over known Russian positions, no notable coloring for Iranian bases," Schneider wrote on Twitter.

US troops are deployed in support of local forces battling IS in Syria as well as Iraq, while Russian and Iranian units are backing President Bashar al-Assad's Syria government in that country's civil war.

"A lot of people are going to have to sit thru lectures come Monday morning," Schneider wrote, referring to soldiers likely to be taken to task for inadvertently revealing sensitive information while trying to keep in shape.

"Bases are fixed & hard to conceal," he wrote, so the "biggest potential threat is to tracking movement."

The US Department of Defense said it is "reviewing" the situation.

"Recent data releases emphasize the need for situational awareness when members of the military share personal information," Major Audricia Harris, a Pentagon spokeswoman, told AFP.

"DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad," Harris said.

The Pentagon "recommends limiting public profiles on the internet, including personal social media accounts," she said.

The issue could have been fairly easily avoided. According to Strava, "athletes with the Metro/heatmap opt-out privacy setting have all data excluded" from the mapping project.


Top Dutch Banks, Revenue Service Hit by Cyber Attacks
30.1.2018 securityweek 
Attack
The top three banks in the Netherlands have been targeted in multiple cyber attacks over the past week, blocking access to websites and internet banking services, they said on Monday.

The Dutch Revenue Service was also briefly targeted on Monday by a similar attack, but services were quickly restored, a spokesman said.

The number one Dutch bank, ING, was hit by a so-called distributed denial of service (DDoS) attack on Sunday evening while the eurozone nation's third largest lender, ABN Amro, suffered three attacks over the weekend in a total of seven over the last week, Dutch media reported.

Rabobank, the country's number two lender, saw its internet banking services go down on Monday morning.

"We have been targeted by a DDoS attack since 9.10 am (0810 GMT) this morning (Monday) and our clients don't have access or very little access to online banking," Rabobank spokeswoman Margo van Wijgerden said. "We are working to resolve the problem as quickly as possible," she told AFP.

Also on Monday, the Dutch Revenue Services saw its website go down for about 10 minutes due to an attack, spokesman Andre Karels said.

"Things are running as normal and we are investigating the incident," Karels told AFP.

ING, which has some eight million private clients, experienced an attack on Sunday evening, it said on its website.

"During the DDoS attack ING's internet site was blasted with data traffic causing our servers to overload and which put pressure on the availability of online banking," ING said, adding services had been restored.

ABN Amro experienced a similar attack but also said services were restored. It will "keep monitoring availability and is extra alert since the weekend's attacks," it said in a statement.

The banks all stressed that clients' banking details were not compromised or leaked.

It is not the first time Dutch banks were targeted in a DDoS attack with central bank chief Klaas Knot telling a TV news programme Sunday there were "thousands of attacks a day" on his own institution.

"I think these (recent) attacks are serious, but our own website is being attacked thousands of times per day," Knot told the Buitenhof talk show. "That is the reality in 2018," he said.

*UPDATED with brief cyber attack on Dutch Revenue services


phpBB Website Served Malicious Packages
30.1.2018 securityweek 
Virus
The developers of the free and open source forum software phpBB informed users over the weekend that the official website had served malicious files for roughly three hours on Friday.

According to phpBB staff, the download URLs for two packages, namely version 3.2.2 of the full package and the automatic updater package for 3.2.1 to 3.2.2, pointed to a third-party server. Users who downloaded one of these packages between 12:02 PM and 15:03 PM UTC on January 26 likely obtained the malicious version.

phpBB hacked

It’s unclear how the links were replaced, but phpBB noted that the “point of entry was a third-party site” and the attack did not exploit any vulnerabilities in the phpBB software or website.

The modified packages contain malicious code designed to load JavaScript from a remote server. The domain hosting that JavaScript code is now controlled by phpBB, which neutralizes the attack.

“We can additionally say that due to the limited window during which the packages were live, we estimate the total number of affected downloads does not exceed 500,” the phpBB team said in a security alert.

Users who believe they have downloaded the malicious packages have been advised to check the validity of the file by comparing its SHA256 hash to the one listed on the downloads page.

Users who have already installed one of the compromised packages can file an incident report and the phpBB team will help them remove the malicious code.

This is not the first time malicious actors have targeted phpBB. Back in 2009, hackers managed to obtain 400,000 email addresses belonging to phpBB users after exploiting a vulnerability in the email marketing tool phpList.

In 2014, phpBB shut down its network and asked users to change their passwords after hackers breached several of its servers.


Dridex Authors Build New Ransomware
30.1.2018 securityweek 
Ransomware
The authors of the infamous Dridex banking Trojan have created a sophisticated ransomware family, ESET warns.

Around since 2014, Dridex has been one of the most prolific financial threats over the past several years, and the actors behind it have been constantly adopting new techniques, improving their malware, and changing resources to ensure increased efficiency.

Thus, it did not come too much as a surprise when the Locky ransomware was tied to Dridex two years ago, when ransomware was booming. Locky became a top threat fast, catching a lot of attention from the security community as well, and its developers attempted alternatives such as Bart in 2016 and Jaff in May 2017.

Now, security researchers have tied yet another ransomware family to the Dridex authors, namely FriedEx, which is also known as BitPaymer.

This ransomware was initially discovered in July 2017 and made it to the headlines in August, when it infected NHS hospitals in Scotland.

Mainly focused on high profile targets and companies rather than end users, the malware is typically delivered via Remote Desktop Protocol (RDP) brute force attacks. Once it has managed to infect a system, the malware encrypts each file on it with a randomly generated RC4 key (which it then encrypts using a hardcoded 1024-bit RSA public key and saves it in a .readme_txt file).

While analyzing FriedEx, ESET discovered that it features code resemblance to Dridex. The ransomware also uses the same techniques as the banking Trojan, hiding as much information about its behavior as possible.

The malware “resolves all system API calls on the fly by searching for them by hash, stores all strings in encrypted form, looks up registry keys and values by hash, etc. The resulting binary is very low profile in terms of static features and it’s very hard to tell what the malware is doing without a deeper analysis,” ESET explains.

The researchers discovered that the very same part of a function used for generating UserID that is present across all Dridex binaries can be found in the FriedEx binaries as well. The order of the functions in the binaries is the same in both malware families, which suggests they use the same codebase or static library.

Both Dridex and FriedEx use the same malware packer, but that is not proof that they are connected, since other well-known families like QBot, Emotet or Ursnif also use it.

ESET also discovered that samples of both Dridex and FriedEx include PDB (Program Database) paths, which revealed that their binaries are being built in the same, distinctively named directory. The binaries of both Dridex and FriedEx are compiled in Visual Studio 2015.

Some binaries for both projects revealed the same date of compilation, and the researchers say this isn’t coincidence. The samples have time differences of several minutes at most and feature identical randomly generated constants (these constants change with each compilation to hinder analysis), which suggests they were probably built during the same compilation session.

“With all this evidence, we confidently claim that FriedEx is indeed the work of the Dridex developers. This discovery gives us a better picture of the group’s activities – we can see that the group continues to be active and not only consistently updates their banking Trojan to maintain its webinject support for the latest versions of Chrome and to introduce new features like Atom Bombing, but that it also follows the latest malware “trends”, creating their own ransomware,” ESET says.


UK Warns Critical Industries to Boost Cyber Defense or Face Hefty Fines
30.1.2018 securityweek  BigBrothers
The UK government has warned that Britain's most critical industries must boost their cybersecurity or face potentially hefty fines under the EU's Networks and Information Systems Directive (NISD).

The warning comes less than four months before the deadline for the NISD, adopted by the EU on July 6, 2016, to be transposed into EU member states' national laws (May 9, 2018, which aligns with the date for GDPR enforcement).

NISD is designed to ensure the security of network systems not already covered by the GDPR -- but its primary purpose is to ensure the security of the industries that comprise the critical infrastructure (such as power and water, healthcare and transport). These companies, or covered entities, are defined within the directive as 'operators of essential services' (OES), and 'digital service providers' (DSPs).

Since it is a Directive rather than a Regulation, the NIS Directive has some national flexibility in its implementation. For example, the UK government had earlier proposed that maximum fines under the directive should be between €10 million and €20 million or 2% to 4% of annual global turnover. It has now settled on a maximum fine of €17 million.

The government announcement on Sunday stems from its published response (PDF) to a public consultation it initiated in August 2017.

The UK has made it clear that a breach of an OES will not automatically trigger a fine. This will depend on the judgment of separate industry sector regulators, or competent authorities. The primary factor will be whether the breached OES/DSP has made adequate cyber security provisions -- in practice, this will probably depend upon how well the firm has implemented the 'NIS Directive: Top-level objectives' guidelines published by the National Cyber Security Centre (NCSC, part of GCHQ) Sunday. However, the government also states, "New regulators will be able to assess critical industries to make sure plans are as robust as possible."

The key part of the EU's NIS Directive is Article 14: Security requirements and incident notification. This specifies, "Member States shall ensure that operators of essential services take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems."

The NCSC guidelines say this can be implemented through conforming to four top-level objectives comprising 14 security principles. The top-level objectives are: managing security risk; protecting against cyber-attack; detecting cyber security events; and minimizing the impact of cyber security incidents. Each of the objectives is then broken into the series of sector-agnostic security principles. "Each principle," states the NCSC, "describes mandatory security outcomes to be achieved."

Only one of the four objectives takes the traditional view of cyber security: protecting against cyber-attack -- recognizing the difference between commercial and critical organizations. For the former, personal information and profitability are the primary motivations; for the latter, it is continuity (or recovery) of operation that is important. "This legislation clearly signals the move away from pure protection-based cybersecurity thinking," comments Steve Malone, director of security product management at Mimecast. "Robust business continuity strategies have never been more important to ensure organizations can continue to operate during an attack and get back up on their feet quickly afterwards."

The objective that concentrates on protection against a cyber-attack recognizes that technology is not a complete solution. For example, Principle B1 deals with policies and procedures. Principle B6 handles staff awareness and training. This latter is particularly welcomed by Stephen Burke, Founder and CEO at Cyber Risk Aware.

Noting that the critical infrastructure is actively targeted by nation state actors more than cyber criminals, he asks, "But how do nation states get in? The simple answer is through people. For example, the Saudi Aramco breach affected 35,000 machines and the attackers got in because a Saudi Aramco employee clicked on a link in a spear-phishing email and meant 10 percent of the world's supply was at risk.

"This emphasizes the fact that any institutions no matter how big they are and no matter how sophisticated their technical defenses are, they need to help staff and make them become aware of the cyber dangers they face as that’s how actors are going to breach defenses.”

But it isn't just about cyber-attacks and data loss. NISD "will also cover other threats affecting IT such as power outages, hardware failures and environmental hazards," says the government announcement. "Under the new measures recent cyber breaches such as WannaCry and high-profile systems failures would be covered by the Network and Information Systems (NIS) Directive.

"These incidents would have to be reported to the regulator who would assess whether appropriate security measures were in place. The regulator will have the power to issue legally-binding instructions to improve security, and – if appropriate – impose financial penalties."

This raises another issue. Most of the critical industries will have customer databases, and that could make them liable to GDPR as well as NISD, plus any existing sector-specific regulations. "Under this new legislation," warns Andy Miles, CEO of ThinkMarble, "companies could potentially be fined under the GDPR, the Government and by a regulator, so there is a risk of double or even triple jeopardy here."

The government's response document specifies the regulator (or 'competent authority') for the different critical sectors. This is often the government itself; that is, the relevant Secretary of State for that sector -- although it is the Information Commissioner (ICO) who is the competent authority for digital service providers just as with the GDPR. This could lead to confusion and lack of consistency since Secretaries of State change, and different enforcement levels could change rapidly in line with a changing political situation. "I believe that the NCSC, working alongside the ICO, should take the lead in putting these sanctions in place -- and the regulators should feed into them, not the other way around," suggests Miles.

There is a danger that NISD has simply been overshadowed by GDPR. There is concern that many of the covered entities will not be ready for its implementation in May 2018. Miles warns that "27% of respondents [to the governments consultation period] had no plans to implement further security measures, and 31% did not know if they would make any changes. This suggests that there is much still to be done in educating companies about the importance of protecting themselves from cyber-attacks."

Lorena Marciano, EMEAR data protection & privacy officer at Cisco, told SecurityWeek that organizations seen as privacy-immature experience far greater losses than those considered as privacy-mature. The implication, she said, is that NISD provisions, "shouldn’t be adopted for the single purpose of avoiding fines, but that organizations which are willing to go beyond the set compliances will reap the long-term financial benefits as well as protecting customer data.”

This means that the NCSC's guidelines should be considered as the base-line for critical industries, and that they should then go beyond them. The first step would clearly be a gap analysis between existing security controls and the NCSC's guidelines.

"Importantly, meeting those four objectives and 14 principles will demand a degree of cyber maturity that is far removed from prescriptive, compliance-based tick-box exercises," comments Robert Orr, cyber security principal consultant CNI, Context Information Security. "This means that [covered entities] will need to put as much emphasis on NIS as they should be putting on that other EU regulation, GDPR; not least because the level of fine for non-compliance is similarly punitive." That will require OES and DSPs to assess their existing cyber security and resilience, to identify any gaps in meeting the NIS outcomes, and to develop improvement plans to close those gaps -- and then go beyond them.