English Articles - Úvod  Odborné èlánky  Bleskovky  Témata  List  EN  CZ  Seriály  Blogy  ÈlánkyCZ

Úvod  0  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15  16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31  32  33  34  35  36  37  38  39  40  41  42  43  44  45  46  47  48  49  50 


Ransomware/RAT combo searches for solvent businesses

12.8.2016 helpnetsecurity Virus

The latest version of the Shade ransomware comes with a stealthy remote access Trojan, likely used to better gauge the amount of money the criminals can demand from the victims.

This variant of the Shade ransomware (also known as Troldesh) was made with specific targets in mind: companies in Russia and the CIS region.

The Trojan searches the list of installed applications and looks for strings associated with bank software

The Trojan searches the list of installed applications and looks for strings associated with bank software

“For the initial check, the updated Trojan searches the list of installed applications and looks for strings associated with bank software. After that the ransomware looks for ‘BUH’, ‘BUGAL’, ‘БУХ’, ‘БУГАЛ’ (accounting) in the names of the computer and its user. If a match is found, the Trojan skips the standard file search and encryption procedure and instead downloads and executes a file from the URL stored in the Trojan’s configuration, and then exits,” Kaspersky Lab researchers have discovered.

The downloaded file is Teamspy, a modified version of the TeamViewer 6 legal remote control utility that doesn’t have a GUI or an icon. It also comes with two plugins: one that covertly installs the TeamViewer VPN driver, and one that installs the RDP Wrapper Library and opens a RDP connection on the computer.

Thus equipped, the infected computer is ready to be spied on.

Among the things Teamspy can do is record audio and video, allow the attackers to remotely access the machine, and to download and execute other malicious files.

That last capability will come in handy if the attackers decide that the target could be forced into paying a considerable ransom.

“The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash,” Kaspersky’s Fedor Sinitsyn noted.

They might ultimately opt for stealing banking credentials and try to syphon as much money as possible from the company account.

Victims of Shade ransomware versions 1 or 2 can try to decrypt encrypted files through the No More Ransom website, set up by the Dutch National Police, Europol, Intel Security and Kaspersky Lab.

Information warfare – The Rise of the Cyber Offense
12.8.2016 securityaffairs Security

Information warfare – The development of cyber capabilities is strategic for any governments, computer systems and Internet of Things even more at risk.
By the mid-1990’s the US intelligence agencies, especially the NSA, were beginning to wake up to a grim reality – the world was quickly becoming connected and the tools to connect that world were no longer confined to the government and universities, but now were in the hands of smart and very capable people outside of academia and government snoops.

In 1998, Richard A. Clarke, then Security Advisor the Clinton administration, took a quick flight from D.C. up to Cambridge, Massachusetts to meet with a team of hackers that would change forever, the way the US government looked at the world.

Clarke’s contact in Cambridge was to be a hacker known as “Mudge.” Mudge was the mouthpiece for a hacker group known as the L0pht. After about an hour of waiting patiently in a local bar, Clarke grew tired thinking Mudge got cold feet. As he started to get up from the table, the gentle next to him introduced himself as Mudge, who had been sitting beside Clarke the whole time. Not only was Mudge observing Clarke from afar, but so was the entire L0pht team: Brain Oblivion, tan, Kingpin, Weld Pond, Space Rogue, and Stefan Von Neuman, who later would drive right on through the gate of the NSA parking lot with nothing more than a salute!

After small talk, Mudge took Clarke to “the L0pht”, the second floor of a Cambridge warehouse where the L0pht team kludged and cobbled together an impressive arsenal of computing power capable of doing some serious damage if the team so desired.

Clarke left that night with more than an uneasy feeling. Though not a cyber security person himself, he knew damn well that if a group of college students and geeks could dumpster dive enough equipment to be a serious threat, so could a nation-state actor! Clarke invited L0pht to testify to Congress. Though Congress was certainly concerned, little changed in the way Congress went about its business but for the Department of Defense, FBI, CIA, and especially the NSA, the situation couldn’t have been bleaker – unfortunately, the prognosis has changed little.

Over the past decade, the offensive capabilities of nation-state actors has grown exponentially. China, Israel, and Russia all of whom have had robust offensive capabilities for years have become efficient and well manage espionage machines likely equal to that of the United States. Other countries are quickly catching up: Syria, Iran, and a rabble of former Soviet States, have formidable offensive expertise. It’s not just governments either, hacking tools and techniques are becoming so ubiquitous it is nearly impossible for anyone to keep up.

Of particular concern is the world’s critical infrastructure. The last couple of years has been earmarked with attacks on power plants, distribution systems, and even water treatment facilities. More recently, a report surfaced that the world’s Global Positioning System (GPS), the space-based navigational system the world’s relies on is now at risk of illegal jamming.

Information Warfare
Information Warfare (Source Akamai)

Experts have warned for years the GPS system is vulnerable to attack not just to jamming but to spoofing as well – though encryption is provided for the military’s use only. Great, but it won’t help the wave of new and next generation devices that will be part of the so-called Internet of Things (IOT).

The everyday devices that power our lives will soon be connected to the Internet – refrigerators, dish washers, in-home camera systems, and even the watering bowl for your dog will be connected to the web where Fido’s water can be refreshed by simply tapping an app on your cellphone. So who cares is a hacker gets my carpet wet? It’s a fair question, but if a hacker can exploit the insecure code on the dog’s watering bowl, it likely will act as a portal to more important areas of our life, like our bank accounts!

The real takeaway from the GPS jamming device and precisely what worried Richard Clarke on that fateful night in Cambridge, was the reality that offensive capabilities were being wrestled out of the realm, and control, of the spooks and the military. Simple jamming techniques have been used to disable key fobs, popular in today’s new automobiles. On a larger scale, jamming devices were used to steal a truck full of pharmaceuticals in Florida. Even the North Koreans are in on the act, recently jamming the GPS of about 280 South Korean vessels.

On a larger scale, jamming devices were used to steal a truck full of pharmaceuticals in Florida. Even the North Koreans are in on the act, recently jamming the GPS of about 280 South Korean vessels.

L0pht’s contributions to the history of the security of the United States shouldn’t be diminished by the fact that we have seemingly seen little progress. In fact, they should be applauded for taking the risk of going to D.C. in the first place, particularly in the late nineties where computer geeks were just that – geeks! Perhaps the team’s biggest contribution is killing the myth that only a well-funded government can wreak havoc; clearly, not true. Mudge knew it, Clarke knew it, and now we’re all waking up to this new reality.

Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely
11.8.2016 thehackernews Attack
If you are using the Internet, there are the possibilities that you are open to attack.
The Transmission Control Protocol (TCP) implementation in all Linux systems deployed since 2012 (version 3.6 and above of the Linux kernel) poses a serious threat to Internet users, whether or not they use Linux directly.
This issue is troubling because Linux is used widely across the Internet, from web servers to Android smartphones, tablets, and smart TVs.
Researchers have uncovered a serious Internet flaw, which if exploited, could allow attackers to terminate or inject malware into unencrypted communication between any two vulnerable machines on the Internet.
The vulnerability could also be used to forcefully terminate HTTPS encrypted connections and downgrade the privacy of secure connections, as well as also threatens anonymity of Tor users by routing them to certain malicious relays.
The flaw actually resides in the design and implementation of the Request for Comments: 5961 (RFC 5961) – a relatively new Internet standard that's designed to make commonly used TCP more robust against hacking attacks.
TCP protocol is the heart of all Internet communications, as all application level protocols, including HTTP, FTP, SSH, Telnet, DNS, and SMTP, stand on TCP.
Web servers and other applications make use of TCP protocol to establish connections between hosts to transfer data between them.
A team of six security researchers from the University of California, Riverside and the U.S. Army Research Laboratory has demonstrated a proof-of-concept exploit at the USENIX Security Symposium that can be used to detect if two hosts are communicating over TCP and ultimately attack that traffic.

Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely
Typically, TCP protocol assembles messages into a series of data packets that are identified by unique sequence numbers and transmitted to the receiver. When received, the data packets are then reassembled by the receiver into the original message.
Researchers found that 'Side channels' attack allows hackers to guess the TCP packet sequence numbers accurately within first 10 seconds of the attack by using no more information than just the IP addresses of both parties.
This means, an attacker with spoofed IP address does not need a man-in-the-middle (MITM) position, apparently intercepting and injecting malicious TCP packets between any two arbitrary machines on the Internet.
The researchers detailed their findings in the paper titled, 'Off-Path TCP Exploits: Global Rate Limit Considered Dangerous' [PDF], which they presented at the conference, showing the audience how they injected a phishing form inside the USA Today website.

You can watch the video demonstration above that shows the attack in work.

The researchers also show how the flaw (CVE-2016-5696) can be exploited to break Secure Shell (SSH) connections and tamper with encrypted communications traveling over Tor anonymity network.
"In general, we believe that a DoS [Denial of Service] attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide," the paper reads.
"The default policy in Tor is that if a connection is down between two relay nodes, say a middle relay and an exit relay, the middle relay will pick a different exit relay to establish the next connection. If an attacker can dictate which connections are down (via reset attacks), then the attacker can potentially force the use of certain exit relays."
The team also provided recommendations on how to mitigate the attack.
Here's How to Mitigate TCP Attack
While patches to fix the vulnerability are developed and distributed for the current Linux kernel, as a workaround you can raise the ACK rate limit on your Linux machine or gadget to large values so that it cannot be reached.
For this, you are required to append the following to /etc/sysctl.conf:
net.ipv4.tcp_challenge_ack_limit = 999999999
Once done, use sysctl -p to activate the new rule. You need to perform root to do this.
The researchers also note that while Linux version 3.6 and above are vulnerable to this attack, Windows, OS X and FreeBSD are not believed to be vulnerable because they have not yet fully implemented RFC 5961.

CRIME, TIME, BREACH and HEIST: A brief history of compression oracle attacks on HTTPS

11.8.2016 netsecurity Hacking

compression oracle attacksThe HEIST vulnerability was presented at Black Hat USA 2016 by Mathy Vanhoef and Tom Van Goethem. In this presentation, new techniques were presented that enhanced previously presented padding oracle attacks on HTTPS, making them more practical.

In a padding oracle attack, the attacker has partial control of part of a message that contains secret information, and is compressed, then encrypted before being sent over the network. An example of this is a web page that contains a CSRF token and echoes an attacker’s message.

This type of attack is not new, it was originally proposed by John Kelsey in 2002, then practically demonstrated by Juliano Rizzo and Thai Duong as CRIME in 2012 at ekoparty. CRIME worked by exploiting TLS compression on messages sent from the client to the server. This technique required a man-in-the-middle position.

In March 2013 at Black Hat EU, Tal Be’ery presented an extension of CRIME called TIME that introduced two new enhancements:

1. Using CRIME for server-to-client messages.

2. Exploiting TCP window sizes to allow the attack to take place without a man-in-the-middle position.

Later in 2013 at Black Hat USA, Angelo Prado, Neal Harris and Yoel Gluck presented BREACH, an attack that reproduced enhancement 1. from the TIME attack.

BREACH got more press than TIME did, and was generally much more well-known in the infosec community (for example, the Wikipedia article on CRIME mentions BREACH but not TIME).

The HEIST presentation in 2016 re-introduced the forgotten enhancement 2. from TIME, but used a slightly different technique (the Fetch API, which did not exist in 2013), and applied the attack in a novel way to HTTP/2 (also did not exist in 2013).

It turns out that each of these presentations introduced something that was previously discovered as if it were new.

1. The original CRIME presentation described the server-to-client attack that was presented as new in both TIME and BREACH. Note: the BREACH team retroactively added references to TIME and the original CRIME slides that introduced the attack in the final version of their paper.

2. TIME described the TCP window timing side-channel that was re-discovered in HEIST.

In conclusion, it’s hard to find truly original ideas in information security. When presenting results that build on previous research, it occasionally happens that other people may have found the same results. The information security community should try to be as thorough as possible when researching prior art and crediting existing research.

Blackhat Firm Offers $500,000 for Zero-day iOS Exploit; Double Than Apple’s Highest Bounty
11.8.2016 thehackernews Vulnerebility

Last week, Apple finally announced a bug bounty program for researchers and white hat hackers to find and get paid for reporting details of zero-day vulnerabilities in its software and devices.
The company offers the biggest payout of $200,000, which is 10 times the maximum reward that Google offers and double the highest bounty paid by Microsoft.
But now Apple is going to face competition from a blackhat company named, Exodus Intelligence.
Exodus Intelligence is offering more than double Apple's maximum payout for zero-day vulnerabilities affecting the newest versions of iOS.
The company is willing to pay more than $500,000 for zero-day vulnerabilities and exploits affecting iOS 9.3 and above.
Although Exodus labeled itself as ‘Research Sponsorship Program,’ the company actually makes money by buying and selling zero-day vulnerabilities and exploits.
On Wednesday, Exodus launched its new bonus structure for the acquisition of details and exploits for zero-day vulnerabilities.
Zero-Day Hit-list:
Exodus Intelligence's hit-list also shows that the firm will pay:
Up to $150,000 for a zero day in Google Chrome (which is 50% more than the Google's highest payout)
Up to $125,000 for a serious flaw in Microsoft's Edge browser (which is $500 and $1,500 currently offered by Microsoft)
Up to $80,000 for a serious flaw in Mozilla's Firefox.
Up to $75,000 reward for a local privilege escalation vulnerability in Windows 10
Also, Smaller payouts of $60,000 for flaws in both Adobe Reader and Flash Player
The zero-day market has long been a lucrative business for private companies that regularly offer more payouts for vulnerabilities than big technology firms.
Last year, security firm Zerodium paid $1 Million to a group of hackers for an iPhone hack, though that figure was later lowered to "up to $500,000" for subsequent iOS exploits.
The market for zero-day and exploits has become strong because governments, law enforcements, criminals, and the private sector shop for zero-days for surveillance or research purposes.
The well-known example is the latest fight between Apple and the FBI, which came to end when the FBI reportedly paid over $1 Million for an iPhone exploit that helped the FBI to break into the iPhone of one of the San Bernardino shooters.
There's one more thing Apple should be worried about: While Apple’s bug bounty program is invitation-only, at least for the time being, anyone can register on Exodus’s website and participate in the program to submit vulnerabilities.

Serious Linux design flaw CVE-2016-569 allows Traffic Hijacking
11.8.2016 securityaffairs Vulnerebility

A severe design flaw in the Linux kernel could be exploited by attackers to hijack traffic, inject malware into connections, and run a wide range of attacks.
A severe flaw in the Linux kernel could be exploited by attackers to hijack traffic, inject malware into downloads and web pages, and run a wide range of attacks, break Tor connections.

“In general, we believe that a DoS attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide,” the team wrote in a white paper .

The flaw is widespread, vulnerable Linux distros are everywhere, in PC, servers, mobile devices and IoT devices.

The serious flaw (CVE-2016-5696) exists since version 3.6, deployed in 2012. It was discovered by researchers from the University of California, Riverside, and the U.S. Army Research Laboratory that present their findings at USENIX Security Symposium. The study is detailed in a paper titled “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous,” that also includes recommendations on how to mitigate the issue.

The TCP/IP networking flaw allows attackers to spot communications between two entities and can be exploited to hijack the traffic and manipulate it if the exchange is not encrypted.

The attack is not considerable a man-in-the-middle attack, the attackers just need to send spoofed packets to both sides of the connection by simply knowing their IP addresses and destination ports.

“The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out,” explained Zhiyun Qian project leader.

“Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain.”

Giving a close look at the RFC 5961 we can note that it addresses spoofed packet injection attacks by introducing challenge ACK packets.

The researchers exploited the feature that Linux rate limits the output of these challenge ACKs.

The attacker can send malicious packets to confuse to the server, that in turn sends challenge ACKs to the client until it reaches its limit and temporarily stops sending them. In this phase, the attacker can turn to the client and send spoofed IP packets to break the connection or to substitute the silenced server in the connection.

Linux design flaw attack

“The root cause of the vulnerability is the introduction of the challenge ACK responses and the global rate limit imposed on certain TCP control packets.” explained the researchers.

“Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection. To demonstrate the impact, we perform case studies on a wide range of applications.

The basic idea is to repeat the following steps: 1) send spoofed packets to the connection under test (with a specific four-tuple), 2) create contention on the global challenge ACK rate limit, ie, by creating a regular connection from the attacker to the server and intentionally triggering the maximum allowed challenge ACKs per second, and 3) count the actual number of challenge ACKs received on that connection. If this number is less than the system limit, some challenge ACKs must have been sent over the connection under test, as responses to the spoofed packets.”

Waiting for a patch, users can raise the rate limit for the challenge ACK packets so that it cannot be reached, it can be done by modifying the rule it in the /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999
then execute sysctl -p to activate it and root the machine.

Tha attack could be also effective on encrypted communication, but just to break them. The researchers also added that Windows, OS X and FreeBSD aren’t vulnerable because partially implemented the RFC 5961.
Below a video PoC of the attack:

Exodus announces a bug bounty program. Who will pay more for a zero-day?
11.8.2016 securityaffairs Vulnerebility

The bug hunting company Exodus announced its bug bounty program. Who will pay more for a 0-day exploit? Reflecting on the zero-day market.
Almost every IT giant has launched its bug bounty program, the last in order of time is Apple that last week announced the initiative during the Black Hat Conference.

How much is a vulnerability in Apple product?

The awards are very interesting, bug hunters can earn up to $200,000 for a critical vulnerability affecting the secure boot firmware components, up to $100,000 for a flaw that could be exploit to extract sensitive data protected by the Secure Enclave, up to $50,000 for arbitrary code execution with kernel privileges and unauthorized access to iCloud account data, and up to $25,000 for access from a sandboxed process to user data outside the sandbox.

But we all know that zero-day market is crowded by private firms and nation-state actors that could decide to pay much more for an exploit of unknown flaws in most popular products.

The zero-day broker company Exodus Intelligence has announced its new acquisition programme for both vulnerabilities and exploits.

Today, Exodus Intelligence has unveiled the new Research Sponsorship Program (RSP), focused on acquiring vulnerability research and exploits from the global cybersecurity research community. While continuing to acquire Zero-Day research, the RSP is the first widely available acquisition program to offer bounties for exploits that exercise N-Day vulnerabilities.” reads the official statement released by the firm.

“Exodus is also excited to be rolling out a new bonus structure for the acquisition of research that leads to Zero-Day vulnerabilities.”

Exodus will share details of vulnerabilities and exploits to customers who pay a subscription fee of roughly $200,000 per year.

Let’s compare the awards offered by the company with the Apple ones.

iOS vulnerabilities are paid by Exodus more than double Apple’s maximum payout, the bug-hunting company will pay a maximum of $500,000 for zero-day in iOS 9.3 or above.

Zero-day Prices Exodus

Now it is clear that a bug hunter searching for a remuneration for his efforts will contact companies like Exodus, instead IT giants like Apple because their bug bounty programs pay more for 0-day exploits.

There is also another incentive for bug hunters that will contact Exodus, the company will pay an extra cash for every quarter that the zero-day is still effective.

“For each new Zero-Day acquired, Exodus will offer the researcher an initial payment, received after the request is reviewed and accepted. Once accepted, the researcher could receive payments every quarter the Zero-Day exploit is still alive. The specific values of the initial payment and quarterly bonus will be included in an offer presented to the researcher, following the review of their work. Additionally, Exodus also offers payment in the form of Bitcoin for Zero-Day research.” continues the announcement.

Speaking about Apple zero-day exploits, let’s remind that last year the zero-day vendor Zerodium paid a $1 million payout for disclosing a iOS zero-day vulnerability that could allow an attacker to remotely hack any Phone.

The bug bounty program launched by Exodus is open, everyone can submit vulnerabilities to the company, meanwhile, other programs are by invitation-only.

For further information on Exodus’ program give a look at the new RSP website.

Backdoor keys allow attackers to the bypass UEFI Secure Boot
11.8.2016 securityaffairs Vulnerebility

Once again Microsoft failed in fixing a severe Secure Boot vulnerability that can be exploited to install rootkits on Windows devices.
Microsoft has accidentally leaked the Secret keys to Bypass UEFI Secure Boot. The Secure Boot is a UEFI (Unified Extensible Firmware Interface) feature that should prevent the execution of unauthorized code during the boot process. The Secure Boot is implemented in devices running Windows 8 and later, it ensures that every component loaded at boot is trustable because it is signed and validated.
The Secure Book prevents rootkit infections and also prevents the execution of non-Microsoft operating system on the device.

The Secret keys were disclosed by two security researchers, using the monikers MY123 and Slipstream.

The security duo discovered that Microsoft introduced a new policy for the Secure Boot during the development of Windows 10 Anniversary Update (v1607).

The experts discovered that the new policies, called “supplemental” policies, are loaded by the boot manager without implementing the proper checks.

The supplemental policy was implemented to allow developers to install self-signed third-party drivers on a Windows machine, the feature is also known as “test-signing.”

An attacker can exploit this feature to bypass the Secure Boot and load a rootkit at the device boot.

“The “supplemental” policy does NOT contain a DeviceID. And, because they were meant to be merged into a base policy, they don’t contain any BCD rules either, which means that if they are loaded, you can enable testsigning. Not just for windows (to load unsigned driver, ie rootkit), but for the {bootmgr} element as well, which allows bootmgr to run what is effectively an unsigned .efi (ie bootkit)!!! (In practise, the .efi file must be signed, but it can be self-signed) You can see how this is very bad!!” reads a blog post published by Slipstream. “A backdoor, which MS put into secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!”

Secure boot uefi

The bad news for Microsoft is that it is impossible to fully revoke the leaked keys, this means that any Windows-based device can be potentially unlocked due to the presence of the backdoor.

Microsoft has recently released the August Patch Tuesday that tried to fix the issue in the Secure Boot, but for the second consecutive month, it evidently has failed.

Over 300 new cyber threats pop up on underground markets each week

10.8.2016 helpsecuritynet Security

Approximately 305 new cyber threats are added each week on cybercrime markets and forums, mostly located on dark nets and the deep web.

The threats include information on newly developed malware and exploits that have not yet been deployed in a cyber-attack – information that could be very useful for cyber defenders.

cyber threats underground markets

The discovery was made by Arizona State University researchers, who have developed and deployed a system for cyber threat intelligence gathering and used it on 27 marketplaces and 21 hacking forums.

The group, some members of which have also recently released the results of an investigation into the supply on 17 underground hacker markets, also noted that, in a period spanning four weeks, 16 exploits for zero-day vulnerabilities had been offered for sale.

Among these was an exploit for a remote code execution flaw in Internet Explorer 11 (priced at a little over 20 BTC), and for a RCE flaw in Android Web View (price: nearly 41 BTC).

“The Android WebView zero-day affects a vulnerability in the rendering of web pages in Android devices. It affects devices running on Android 4.3 Jelly Bean or earlier versions of the operating system. This comprised of more than 60% of the Android devices in 2015,” they explained.

“After the original posting of this zero-day, a patch was released in Android KitKit 4.4 and Lollipop 5.0 which required devices to upgrade their operating system. As not all users have/will update to the new operating system, the exploit continues to be sold for a high price. Detection of these zero-day exploits at an earlier stage can help organizations avoid an attack on their system or minimize the damage. For instance, in this case, an organization may decide to prioritize patching, updating, or replacing certain systems using the Android operating system.”

Not to mention that the vendors whose software is obviously vulnerable could try to come up with a patch or at least temporary mitigations that could minimize the risk of these exploits being leveraged against users.

The researchers’ system has also shown some promise when it comes to mapping the underlying social network of vendors.

The group is currently in the process of transitioning the system to a commercial partner, but the database they created by using it has been made available to security professionals, to help them identify emerging cyber threats and capabilities.

Microsoft Releases 9 Security Updates to Patch 34 Vulnerabilities
10.8.2016 thehackernews Vulnerebility

Microsoft's August Patch Tuesday offers nine security bulletins with five rated critical, resolving 34 security vulnerabilities in Internet Explorer (IE), Edge, and Office, as well as some serious high-profile security issues with Windows.
A security bulletin, MS16-102, patches a single vulnerability (CVE-2016-3319) that could allow an attacker to control your computer just by getting you to view specially-crafted PDF content in your web browser.
Users of Microsoft Edge on Windows 10 systems are at a significant risk for remote code execution (RCE) attacks through a malicious PDF file.
Web Page with PDF Can Hack Your Windows Computer
Since Edge automatically renders PDF content when the browser is set as a default browser, this vulnerability only affects Windows 10 users with Microsoft Edge set as the default browser, as the exploit would execute by simply by viewing a PDF online.
Web browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have to convince users into opening a specially crafted PDF file, typically via an email or instant message, Microsoft said in its advisory.
Once exploited, the flaw corrupts memory, allowing a hacker to run malicious code with the same privileges as the user. All the hacker needs is to either lure victims to a website containing a malicious PDF or add an infected PDF file to a website that accepts user-provided content.
While this vulnerability has not been publicly disclosed nor seen in any attacked, it is expected to be an attractive attack vector for hackers.
Other Critical Bugs can Take Complete Control of Your PC
A separate critical update for Edge listed in MS16-096 patches five remote code execution (RCE) flaws and three information disclosure bugs.
The company also released its monthly cumulative security update, MS16-095, for Internet Explorer (IE), patching nine vulnerabilities that can be exploited by a malicious web page to pull off remote code execution through memory corruption bug or disclose information about the system.
Another critical update includes Microsoft Office Patch MS16-099 that addresses four memory corruption bugs in Office that can be exploited by booby-trapped documents remotely to execute malicious code on a victim's system, taking full control of the victim machines.
The update also includes a patch for an information disclosure hole in Microsoft OneNote, which discloses memory contents and information that could be used to compromise a machine.
In addition to Windows versions of Office going back to Office 2007, Microsoft is also releasing a patch for Office for Mac 2011 and 2016.
The final critical bulletin, MS16-097, patches three Remote Code Execution flaws in the font handling library of Microsoft Graphics Component found in Windows, Office, Skype for Business and Lync that can be exploited by a malicious web page or an Office document.
For the second time, the technology giant also released a security update for Secure Boot. Rated important, MS16-100, the update patches a security feature bypass vulnerability that occurs when Secure Boot loads a vulnerable (install a hidden bootkit or rootkit) boot manager.
This designing flaw has been fixed in all supported versions of Windows and Windows Server.
Other important bulletins address vulnerabilities that lead to man-in-the-middle attacks on Windows and Windows Server, an information disclosure vulnerability in the Universal Outlook component for Windows 10, and four elevation of privilege flaws in kernel-mode drivers for Windows Vista through Windows 10 and Windows Server 2008 and 2012.
The company has also issued Cumulative Updates (KB3176493, KB3176495, KB3176492) for Windows 10 users, so those who have upgraded their systems to the Microsoft's new operating system should install the updates as soon as possible.
Users are advised to patch their system and software as soon as possible.

Oops! Microsoft Accidentally Leaks Backdoor Keys to Bypass UEFI Secure Boot
10.8.2016 thehackernews Vulnerebility
Microsoft has accidentally leaked the Secret keys that allow hackers to unlock devices protected by UEFI (Unified Extensible Firmware Interface) Secure Boot feature.
What's even worse?
It will be impossible for Microsoft to undo its leak.
Secure Boot is a security feature that protects your device from certain types of malware, such as a rootkit, which can hijack your system bootloader, as well as, Secure Boot restricts you from running any non-Microsoft operating system on your device.
In other words, when Secure Boot is enabled, you will only be able to boot Microsoft approved (cryptographically signature checking) operating systems.
However, the Golden Keys disclosed by two security researchers, using alias MY123 and Slipstream, can be used to install non-Windows operating systems, say GNU/Linux or Android, on the devices protected by Secure Boot.
Moreover, according to the blog post published by researchers, it is impossible for Microsoft to fully revoke the leaked keys, potentially giving law enforcement (such as FBI and NSA) special backdoor that can be used to unlock Windows-powered devices in criminal cases.
The issue actually resides in the Secure Boot policy loading system, where a specially signed policy loads early and disables the operating system signature checks, the reg reports.
This specific Secure Boot policy was created and signed by Microsoft for developers, testers, and programmers for debugging purposes.
"During the development of Windows 10 v1607 'Redstone,' MS added a new type of secure boot policy. Namely, "supplemental" policies that are located in the EFIESP partition…" researcher said.
"...a backdoor, which MS put into secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!"
Yesterday, Microsoft released August Patch Tuesday that includes a security patch for designing flaw in Secure Boot for the second time in two months, but unfortunately, the patch is not complete.

Linux.Lady, a Go-based Linux Trojan that mines cryptocurrency

10.8.2016 securityaffairs Virus

Russian antivirus company Doctor Web discovered a new Linux Trojan dubbed Linux.Lady that is used by crooks to mine cryptocurrency.
According to a new report published by the antivirus company Doctor Web, a Go-Based Linux Trojan, Dubbed Linux.Lady.1, is exploited by cyber criminals for cryptocurrency mining.

“Doctor Web analysts have detected and examined a new Linux Trojan which is able to run a cryptocurrency mining program on an infected computer. Its key feature lies in the fact that it is written in Go, a language developed by Google.” states the report published by Doctor Web.

The Linux.Lady Linux Trojan is written in Google’s Go programming language and it uses various libraries that are available on GitHub. Go was introduced by Google in 2009, the use of the Go programming language to develop a malicious code is not a novelty, it was first used with the intent of creating malware in 2012 despite it isn’t so popular in the vxer community.

When the Linux.Lady infects a system, it gathers information on the system, including the Linux operating system version, the number of CPUs and processes.

Once collected info on the infected host, the malware sent it back to a command and control (C&C) server, which in turn provides a configuration file for downloading a cryptocurrency mining application.

The sample of Linux.Lady analyzed by Doctor Web was mining a cryptocurrency named Monero.

Linux.lady malware

Another interesting feature implemented in the Linux.Lady allows the malware to spread to other Linux computers on the infected network.

“The Trojan receives a configuration file containing information necessary for the Trojan’s operation. Then it downloads and launches a cryptocurrency mining program. The malware determines an external IP address of the infected computer using special websites specified in the configuration file.” states the report on the threat. “The Trojan then calculates the mask of the subnet External_ip\8 (mask is and tries to connect to the remote hosts via port 6379 (redis) without entering a password. If the connection is established, Linux.Lady.1 opens the URL specified in the configuration file, downloads a script detected as Linux.DownLoader.196, and adds it to the cron scheduler of the infected computer:”

In the past other Linux malware were discovered by the experts at Doctor Web, including the Encoder ransomware and the Ekoms malware.

Mining activities are a profitable business for cyber criminals that exploits victims’ computational resources to make money.

Remote Butler attack: APT groups’ dream come true

8.8.2016 helpnetsecurity APT

Microsoft security researchers have come up with an extension of the “Evil Maid” attack that allows attackers to bypass local Windows authentication to defeat full disk encryption: “Remote Butler”.

Evil Maid and Remote Butler attacks, illustrated (triangles are Domain Controllers)

Evil Maid and Remote Butler attacks, illustrated (triangles are Domain Controllers)

Demonstrated at Black Hat USA 2016 by researchers Tal Be’ery and Chaim Hoch, the Remote Butler attack has one crucial improvement over Evil Maid: it can be effected by attackers who do not have physical access to the target Windows computer that has, at one time, been part of a domain, i.e. enterprise virtual network, and was authenticated to it via a domain controller.

Evil Maid attacks got the name from the fact that even a hotel maid (or someone posing as one) could execute the attack while the computer is left unattended in a hotel room.

The most recent of those was demonstrated by researcher Ian Haken at Black Hat Europe 2015, when he managed to access the target user’s data even when the disk of its computer was encrypted by BitLocker, Windows’ full disk encryption feature.

The vulnerability that allowed this attack was definitely patched by Microsoft in February 2016, and the good news is that this patch also prevents attackers from effecting a “Remote Butler” attack.

But its unlikely that everybody applied the patch.

“While being a clever attack, the physical access requirement for [Haken’s Evil Maid attack] seems to be prohibitive and would prevent it from being used on most APT campaigns. As a result, defenders might not correctly prioritize the importance of patching it,” Be’ery and Hoch explained, and urged those admins who haven’t already implemented it to do so as soon as possible.

Or, if that’s not possible, to implement some network and system hardening and defense-in-depth policy to minimize the risk of the attack being executed.

More technical details about the attack, as well as mitigation options are detailed in this whitepaper.

Cerber2 ransomware released, no decryption tool available

8.8.2016 helpnetsecurity Virus

The author of the widely distributed Cerber ransomware has released a newer version, and files encrypted with Cerber2, unfortunately, can’t be decrypted without paying the ransom.


Several weeks ago, Trend Micro released a tool that can be used to decrypt files encrypted by a number of popular ransomware families and versions. Among these is the first version of Cerber (with certain limitations), but also CryptXXX, BadBlock, and TeslaCrypt.

But, as a Trend Micro researcher that goes by the online handle PanicAll recently discovered, the Cerber ransomware author must have looked at the Trend Micro tool’s code and found a way to foil it.

Files encrypted by Cerber2 get the .cerber2 extension, and the malware shows a new ransom message.

The encryption method has also changed: Cerber2 now uses the Microsoft API CryptGenRandom to generate the 32-bytes-long encryption key.

Finally, the new variant also uses a packer to make malware analysis more difficult.

The Trend Micro Ransomware File Decryptor tool has been updated on Friday, but unfortunately there is no solution yet for stumping Cerber2.

Users who have been hit can back up all their encrypted files and hope that one will be provided soon.

Warning! Over 900 Million Android Phones Vulnerable to New 'QuadRooter' Attack
8.8.2016 Android
Android has Fallen! Yet another set of Android security vulnerabilities has been discovered in Qualcomm chipsets that affect more than 900 Million Android smartphones and tablets worldwide.
What's even worse: Most of those affected Android devices will probably never be patched.
Dubbed "Quadrooter," the set of four vulnerabilities discovered in devices running Android Marshmallow and earlier that ship with Qualcomm chip could allow an attacker to gain root-level access to any Qualcomm device.
The chip, according to the latest statistics, is found in more than 900 Million Android tablets and smartphones.
That's a very big number.
The vulnerabilities have been disclosed by a team of Check Point researchers at the DEF CON 24 security conference in Las Vegas.
Critical Quadrooter Vulnerabilities:
The four security vulnerabilities are:
CVE-2016-2503 discovered in Qualcomm's GPU driver and fixed in Google's Android Security Bulletin for July 2016.
CVE-2016-2504 found in Qualcomm GPU driver and fixed in Google's Android Security Bulletin for August 2016.
CVE-2016-2059 found in Qualcomm kernel module and fixed in April, though patch status is unknown.
CVE-2016-5340 presented in Qualcomm GPU driver and fixed, but patch status unknown.
Qualcomm is the world's leading designer of LTE (Long Term Evolution) chipsets with a 65% share of the LTE modem baseband market. If any one of the four flaws is exploited, an attacker can trigger privilege escalations for gaining root access to an affected device.
All an attacker needs is to write a piece of malware and send it to the victim. When installed, the malware offers the attacker privilege escalation on the affected devices.
According to the researchers, the attack can also be conducted through a malicious app. An attacker needs to trick a user into installing a malicious app that, unlike other malware, would execute without requiring any special permission checks.
"Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing," Check Point researchers write in a blog post.
If any of the four vulnerabilities are successfully exploited, an attacker could gain root access to an affected device, giving the attacker full access to the device, including its data, camera and microphone.
List of Affected Devices (Popular)
More than 900 Million Android devices that ship with Qualcomm chip are vulnerable to the flaws.
Here's the list of some of the popular affected devices, though there are far more devices that are impacted by one or more Quadrooter vulnerabilities.
Samsung Galaxy S7 and Samsung S7 Edge
Sony Xperia Z Ultra
OnePlus One, OnePlus 2 and OnePlus 3
Google Nexus 5X, Nexus 6 and Nexus 6P
Blackphone 1 and Blackphone 2
HTC One, HTC M9 and HTC 10
LG G4, LG G5, and LG V10
New Moto X by Motorola
BlackBerry Priv
How to Check if Your Device is Vulnerable?
You can check if your smartphone or tablet is vulnerable to Quadrooter attack using Check Point's free app.
Since the vulnerable software drivers, which control communication between Qualcomm chipset components, come pre-installed on these devices at the time of manufacturing, they can only be fixed by installing a patch from the devices' distributors or carriers after receiving fixed driver packs from Qualcomm.
"This situation highlights the inherent risks in the Android security model," the researchers say. "Critical security updates must pass through the entire supply chain before they can be made available to end users."
Three of the four vulnerabilities have already been fixed in Google's latest set of monthly security updates, and a patch for the remaining flaw will be rolled out in the upcoming September update.
Since Qualcomm has already released the code, the phone manufacturers could be able to issue patches to the individual devices as soon as possible.
Android Nexus devices are already patched via the over-the-air updates, but other smartphone models will need to wait until their lazy phone manufacturers integrate the fixes into their own custom Android ROMs.

Analyzing CIA Director BRENNAN’s talk at Council on Foreign Relations (CFR)
5.8.2016 securityaffeirs Security

We bring to the attention of the Security Affairs readers the interesting speech and interview dated 29/06/2016 of CIA Director John O. BRENNAN at the Council on Foreign Relations (CFR). The main themes addressed are:

Relations with the European partners in the USA and after BREXIT-axis ENGLAND
Terrorism, DAESH, the situation in Syria and Iraq
Geoengineering and SAI program
Cia Director BRENNAN email hacked

Brennan interviewed by journalist Judy Woodruff of the PBS “NewsHour” has pointed out that Europe must forge better than the request for a referendum by the Eurosceptics after the UK exit. The Brexit, however, will not affect the collaboration of intelligence between the US and the UK in the months and years to come, rather it will be strengthened. The effects of global instability and conflict scenarios are producing movements of displaced persons of the order of 65 million units.

In the Middle East, the geographic borders and national identities are constantly being redefined. The real threat of the ISIL than Al-Qaeda is that it has gone from a few hundred fighters to tens of thousands also improved their ability to conceal their communications.

As for the environment, Brennan estimates that $ 10 billion a year for the next government intervention limiting SAI programs of global warming or sowing methods with stratospheric particles that can help reflect the sun’s heat more or less in the same way in which volcanic eruptions do.

With respect to this last issue, there are questions with concern if behind these operations do not conceal stratosphere military domain. Global warming and the reduction of CO2 could be addressed without introducing potentially harmful elements as in the example of volcanic eruptions but more simply and at lower cost with the repopulation of the great forests.

Another concern for Brennan is the North Korea and the nuclear threat from Kim Jung with its continuous and frantic search of military capabilities in the nuclear field. We come now to the point that concerns us more closely, or the threat cyber, on this issue there is strong concern as to the public and private companies attacks are still rising and are becoming more sophisticated; here is the thought and words of Brennan:

Regarding the domain of Cyber threat here is the thought and words of Brennan:

“Another strategic challenge is dealing with the tremendous power, potential, opportunities, and risks resident in the digital domain. No matter how many geopolitical crises one sees in the headlines, the reliability, security, vulnerability, and the range of human activity taking place within cyberspace are constantly on my mind.

On the cybersecurity front, organizations of all kinds are under constant attack from a range of actors—foreign governments, criminal gangs, extremist groups, cyber-activists, and many others. In this new and relatively uncharted frontier, speed and agility are king. Malicious actors have shown that they can penetrate a network and withdraw in very short order, plundering systems without anyone knowing they were there until maybe after the damage is already done.

While I served at the White House, cyber was part of my portfolio, and it was always the subject that gave me the biggest headache. Cyber-attackers are determined and adaptive. They often collaborate and share expertise, and they come at you in so many different ways, with an ever-changing array of tools, tactics, and techniques.

Moreover, our laws have not yet adequately adapted to the emergence of this new digital frontier. Most worrisome from my perspective is that there is still no political or national consensus on the appropriate role of the government—law enforcement, homeland security, and intelligence agencies—in safeguarding the security, the reliability, the resiliency, and the prosperity of the digital domain.

The intelligence community is making great strides in countering cyber-threats, but much work needs to be done. As we move forward on this issue, one thing we know is that private industry will have a huge role to play as the vast majority of the Internet is in private hands. Protecting it is not something the government can do on its own.

Right up there with terrorism, global instability, and cybersecurity is nuclear proliferation and the accompanying development of delivery systems, both tactical and strategic, that make all too real the potential for a nuclear event.

Unsurprisingly, top of my list of countries of concern is North Korea, whose authoritarian and brutal leader has wantonly pursued a nuclear-weapons program to threaten regional states and the United States instead of taking care of the impoverished and politically repressed men, women, and children of North Korea.

So what else is there besides terrorism, global instability, cybersecurity, and nuclear proliferation that worries the CIA director and keeps CIA officers busy around the clock and around the globe? Well, as a liberal-arts guy from the baby-boomer generation, the rapid pace of technological change during my lifetime has been simply dizzying. Moreover, as we have seen with just about every scientific leap forward, new technologies often carry substantial risks, to the same degree that they hold tremendous promise…”

This ATM Hack Allows Crooks to Steal Money From Chip-and-Pin Cards
5.8.2016 thehackernews Hacking

Forget about security! It turns out that the Chip-and-PIN cards are just as easy to clone as magnetic stripe cards.
It took researchers just a simple chip and pin hack to withdraw up to $50,000 in cash from an ATM in America in under 15 minutes.
We have been told that EMV (Europay, MasterCard and Visa) chip-equipped cards provides an extra layer of security which makes these cards more secure and harder to clone than the old magnetic stripe cards.
But, it turns out to be just a myth.
A team of security engineers from Rapid7 at Black Hat USA 2016 conference in Las Vegas demonstrated how a small and simple modifications to equipment would be enough for attackers to bypass the Chip-and-PIN protections and enable unauthorized transactions.
The demonstration was part of their presentation titled, "Hacking Next-Gen ATMs: From Capture to Washout," [PDF]. The team of researchers was able to show the audience an ATM spitting out hundreds of dollars in cash.
Here's How the Hack Work
The hack requires two processes to be performed.
First, the criminals need to add a small device known as a Shimmer to a point-of-sale (POS) machine (here, ATM's card reader) in order to pull off a man-in-the-middle (MITM) attack against an ATM.
The shimmer sits between the victim's chip and the card reader in the ATM and can record the data on the chip, including PIN, as the ATM reads it. It then transmits this data to the criminals.
The criminals then use a smartphone to download this stolen data and recreate the victim's card in an ATM, instructing it to eject cash constantly.
Tod Beardsley, a security research manager for Rapid7, told the BBC that shimmer is basically a tiny RaspBerry-Pi-powered device that could be installed quickly to the outside of the ATM without access to the internals of the cash machine.
"It's really just a card that is capable of impersonating a chip," Beardsley said. "It's not cloning."
The perpetrators would only be able to replicate each card for a few minutes and use it to fraudulently withdraw money, enabling them to make between up to $50,000, but Beardsley suggests that a network of hacked chip-and-pin machines could create a constant stream of victims.
Researchers have disclosed full details about the issue in Chip-and-PIN ATMs to banks and major ATM manufacturers and said they hope the institutions (currently unnamed) are examining the issue.

Torrentz.eu Shuts Down Forever! End of Biggest Torrent Search Engine
5.8.2016 thehackernews Security
Over two weeks after the shutdown of Kickass Torrents and arrest of its admin in Poland, the world's biggest BitTorrent meta-search engine Torrentz.eu has apparently shut down its operation.
The surprise shutdown of Torrentz marks the end of an era.
Torrentz.eu was a free, fast and powerful meta-search engine that hosted no torrents of its own, but combined results from dozens of other torrent search engine sites including The Pirate Bay, Kickass Torrents and ExtraTorrent.
The meta-search engine has announced "farewell" to its millions of torrent users without much fanfare, suddenly ceasing its operation and disabling its search functionality.
At the time of writing, the Torrentz.eu Web page is displaying a message that reads in the past tense:
"Torrentz was a free, fast and powerful meta-search engine combining results from dozens of search engines."
When try to run any search or click any link on the site, the search engine refuses to show any search result, instead displays a message that reads:
"Torrentz will always love you. Farewell."
Launched back in 2003, Torrentz has entertained the torrent community for more than 13 years with millions of visitors per day.
However, today, the popular meta-search engine has shut down its operation from all Torrentz domains, including the main .EU domain (both HTTP and HTTPS version) as well as other backups such as .ME, .CH, and .IN.
Although many copyright holders were not happy with the site with both RIAA and MPAA have reported the site to the U.S. Government in recent years, says TorrentFreak, there is no news of any arrest or legal takedown of the site in this case.
Still, it would be fair enough to wait for an official announcement from the site owners.

Hack Apple & Get Paid up to $200,000 Bug Bounty Reward
5.8.2016 thehackernews Apple
So finally, Apple will pay you for your efforts of finding bugs in its products.
While major technology companies, including Microsoft, Facebook and Google, have launched bug bounty programs over last few years to reward researchers and hackers who report vulnerabilities in their products, Apple remained a holdout.
But, not now.
On Thursday, Apple announced at the Black Hat security conference that the company would be launching a bug bounty program starting this fall to pay outside security researchers and white hat hackers privately disclose security flaws in the company's products.
How much is a vulnerability in Apple software worth? Any Guesses?
It's up to $200,000.
Head of Apple security team, Ivan Krstic, said the company plans to offer rewards of up to $200,000 (£152,433) to researchers who report critical security vulnerabilities in certain Apple software.
While that's certainly a sizable bounty reward — one of the highest rewards offered in corporate bug bounty programs.
Apple Bug Bounty Program — Invite Only, For Now
Well, for now, Apple is intentionally keeping the scope of its bug bounty program small by launching the program as invitation-only that will be open only to limited security researchers who have previously made valuable bug disclosures to Apple.
The company will slowly expand the bug bounty program.
Launching in September, the program will offer bounties for a small range of iOS and iCloud flaws.
Here's the full list of risk and reward:
Flaws in secure boot firmware components: Up to $200,000.
Flaws that could allow extraction of confidential data protected by the Secure Enclave: Up to $100,000.
Vulnerabilities that allow executions of malicious or arbitrary code with kernel privileges: Up to $50,000.
Flaws that grant unauthorized access to iCloud account data on Apple servers (remember celebrity photo leak?): Up to $50,000.
Access from a sandboxed process to user data outside of that sandbox: Up to $25,000.
For the eligibility of a reward, researchers will need to provide a proof-of-concept (POC) on the latest iOS and hardware with the clarity of the bug report, the novelty of the bounty problem and the possibility of user exposure, and the degree of user interaction necessary to exploit the flaw.
Decision Comes in the Wake of the FBI Scandal
Earlier this year, Apple fought a much-publicized battle with the FBI over a court order to access the locked San Bernardino shooter's iPhone.
When the FBI forced Apple to unlock the shooter's iPhone, it refused, eventually making the bureau hire professional hackers to break into the iPhone -- supposedly paying out over $1 Million.
Perhaps the company is trying to eliminate these lucrative backdoors into its software to make its iOS devices so secure that even the company can not crack them.

4 Flaws hit HTTP/2 Protocol that could allow Hackers to Disrupt Servers
4.8.2016 thehackernews Vulnerebility

If you think that the HTTP/2 protocol is more secure than the standard HTTP (Hypertext Transfer Protocol), then you might be wrong, as it took researchers just four months to discover four flaws in the HTTP/2 protocol.
HTTP/2 was launched properly just in May last year after Google bundled its SPDY project into HTTP/2 in February in an effort to speed up the loading of web pages as well as the browsing experience of the online users.
Now, security researchers from data center security vendor Imperva today at Black Hat conference revealed details on at least four high-profile vulnerabilities in HTTP/2 – a major revision of the HTTP network protocol that the today’s web is based on.
The vulnerabilities allow attackers to slow web servers by flooding them with innocent looking messages that carry a payload of gigabytes of data, putting the servers into infinite loops and even causing them to crash.
The HTTP/2 protocol can be divided into three layers:
The transmission layer that includes streams, frames and flow control
The HPACK binary encoding and compression protocol
The semantic layer – an enhanced version of HTTP/1.1 enriched with server-push capabilities.
The researchers took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2 and discovered exploitable flaws in all major HTTP/2 implementations, including two that are similar to well-known and widely exploited bugs in HTTP/1.x.
The four key vulnerabilities found in HTTP/2 include:
1. Slow Read (CVE-2016-1546)

This attack is identical to the well-known Slowloris DDoS (distributed denial-of-service) attack that major credit card processors experienced in 2010. The Slow Read attack calls on a malicious client to read responses very slowly.
The Slow Read attacks were well-studied in the HTTP/1.x ecosystem and they are still alive in the application layer of HTTP/2 implementations.
"The Imperva Defence Centre identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2," says Imperva.
2. HPACK Bomb (CVE-2016-1544, CVE-2016-2525)

HPACK Bomb is a compression layer attack that resembles a zip bomb attack or a 'decompression bomb'.
HPACK is used to reduce the size of packet headers. Basically, the sender can tell the receiver the maximum size of the header compression table used to decode the headers.
In this attack, a potential hacker creates small and innocent-looking messages that actually unpack into gigabytes of data on the server, thereby consuming all the server memory resources and effectively slowing down or crashing targeted systems.
Imperva created a header that was 4KB size -- the same size as the entire compression table. Then on the same connection, it opened up new streams with each stream that referred to the initial header as many times as possible (up to 16K of header references).
After sending 14 such streams, the connection consumed 896MB of server memory after decompression, which crashed the server, Imperva researchers explain.
3. Dependency Cycle Attack (CVE-2015-8659)

This attack leverages the flow control mechanisms that HTTP/2 uses for network optimization.
A bad intent client can use specially crafted requests to prompt a dependency cycle, thus forcing the server into an infinite loop.
The flaw could allow an attacker to cause Denial of Service (DoS) or even run arbitrary code on a vulnerable system.
4. Stream Multiplexing Abuse (CVE-2016-0150)

The attack allows an attacker to exploit vulnerabilities in the way servers implement the stream multiplexing functionality in order to crash the server. This attack eventually results in a denial of service (DoS) to legitimate users.
All the four vulnerabilities have already been fixed in HTTP/2, which is currently being used by some 85 Million websites, or around 9 percent of all websites, on the Internet, according to W3Techs.
Here's what Imperva co-founder and chief technology officer Amichai Shulman says:
"The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users. However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers."
"While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it’s hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats."
The vulnerabilities took advantage of HTTP/2 features that were meant to reduce bandwidth use and round trips while speeding up the loading time of websites.
According to Imperva researchers, by implementing a web application firewall (WAF) with virtual patching capabilities can help enterprises to prevent their critical data and applications from cyber attack while introducing HTTP/2.
You can get more details of Imperva’s research in a report [PDF] dubbed "HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol."

FBI 'Double Agent' Pleads Guilty to Selling 'Classified Information' to China
2.8.2016 Zdroj: thehackernews.com BigBrothers
An FBI electronics technician has pleaded guilty to acting as a Chinese secret agent and passing along sensitive information about the Feds to a Chinese government official.
Kun Shan "Joey" Chun, 46, admitted in federal court in Manhattan on Monday that he violated his security clearance on several occasions between 2011 and 2016 in an effort to pass on secret information to China in exchange for money.
Chun is a 19-year FBI veteran from Brooklyn who was born in China but was employed by the FBI in 1997. His duties with the FBI included "accessing sensitive and, in some instance, classified information."
The g-man, as a double agent, sent confidential government information – including the identity and travel plans of an FBI special agent, the internal structure of the FBI and spying technology used by the Bureau – to a Chinese official.
Chun, who was initially arrested in March, got a top secret security clearance in 1998, at the time he did not reveal he had ties to China.
A court document unsealed on Monday stated Chun had built relationships with associates in China since 2006 and had ties to China-based Zhuhai Kolion Technology Company and one individual who described himself as a Chinese government official.
Chun acted as a double agent – working both for the FBI and China – and began passing sensitive information to the Chinese official between 2011 and 2016.
In addition, Chun had long-standing and illegal ties to China-based Zhuhai Kolion Technology Company, for which he did research and consulting work, including collecting information about flash drive tech.
In exchange for his research, Chun was paid-for vacations and nights with prostitutes by Zhuhai Kolion Technology, and his parents were given money, officials said.
Preet Bharara, Manhattan’s top prosecutor, said the crime "betrays our nation and threatens our security. When the perpetrator is an FBI employee, like Kun Shan Chun, the threat is all the more serious and the betrayal all the more duplicitous."
Chun was caught by a fellow FBI undercover agent, who posed as a contractor for the Department of Defense (DoD) in a 2015 sting operation.
The techie fell for the trap and recruited the agent to pass on "sensitive information to his Chinese associates," in exchange for a cut of any profits.
The maximum sentence for Chun's criminal charge is ten years behind bars. He was released on bail following the court hearing. He is scheduled to be sentenced on 2 December.

Hacker Selling 200 Million Yahoo Accounts On Dark Web
2.8.2016 Zdroj: thehackernews.com Crime
Hardly a day goes without headlines about any significant data breach. In the past few months, over 1 Billion account credentials from popular social network sites, including LinkedIn, Tumblr, MySpace and VK.com were exposed on the Internet.
Now, the same hacker who was responsible for selling data dumps for LinkedIn, MySpace, Tumblr and VK.com is now selling what is said to be the login information of 200 Million Yahoo! users on the Dark Web.
200 Million Yahoo! Logins for 3 BTC
The hacker, who goes by the pseudonym "Peace" or "peace_of_mind," has uploaded 200 Million Yahoo! credentials up for sale on an underground marketplace called The Real Deal for 3 Bitcoins (US$1,824).
Yahoo! admitted the company was "aware" of the potential leak, but did not confirm the authenticity of the data.
The leaked database includes usernames, MD5-hashed passwords and date of births from 200 Million Yahoo! Users. In some cases, there is also the backup email addresses used for the account, country of origin, as well as the ZIP codes for United States users.
Since the passwords are MD5-encrypted, hackers could easily decrypt them using an MD5 decrypter available online, making Yahoo! users open to hackers.
In a brief description, Peace says the Yahoo! database "most likely" comes from 2012, the same year when Marissa Mayer became Yahoo's CEO.
Just last week, Verizon acquired Yahoo! for $4.8 Billion. So, the hacker decided to monetize the stolen user accounts before the data lose its value.
When reached out, the company said in a statement:
"We are committed to protecting the security of our users' information and we take such claim very seriously. Our security team is working to determine the facts...we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms."
Use Password Managers to Secure Your Online Accounts
Although the company has not confirmed the breach, users are still advised to change their passwords (and keep a longer and stronger one using a good password manager) and enable two-factor authentication for online accounts immediately, especially if you are using the same password for multiple websites.
You can also adopt a good password manager that allows you to create complex passwords for different sites as well as remember them for you.
We have listed some best password managers here that could help you understand the importance of password manager and help you choose a suitable one, according to your requirement.

36000 SAP systems exposed online, most open to attacks

2.8.2016 Zdroj: helpnetsecurity.com Exploit

ERPScan released the first comprehensive SAP Cybersecurity Threat Report, which covers three main angles: Product Security, Implementation Security, and Security Awareness.

The company used its own scanning method to gather information.

“Protocols used to interact with and between SAP servers are often proprietary and not well-known outside of the SAP IT world. It means that open scan resources don’t include those specific protocols in their scans,” Mathieu Geli, Director of SAP Threat intelligence, explained.

“That’s why we built a database of probe requests and then matches probe response to determine the state of the service. When we perform a check for a vulnerability; if there is no friendly payload, we try to fingerprint the version of a remote service to compute potential statistics.”

The key finding of the research are as follows:

SAP Product Security

The average number of security patches for SAP products per year has slightly decreased. However, it doesn’t mean that the number of the issues has dropped too. SAP now fixes multiple vulnerabilities in one patch while 3 years ago each patch addressed a particular one. In that period SAP has released 3662 patches. Most of them (73%) were rated high priority and hot news, which means they pose significant risks to an organization security.
The list of vulnerable platforms has extended and now it includes modern cloud and mobile technologies such as HANA. Because of cloud and mobile technologies, new SAP Systems became more exposed to the Internet and thus every vulnerability identified in these services can affect thousands of multinationals (just remember that 90% of the Fortune 2000 companies use SAP). For example, the latest reported issues in SAP Mobile affect more than a million of mobile devices and SAP HANA vulnerability affect 6000+ companies that use SAP HANA.
There are vulnerabilities in almost every SAP module: CRM takes the leading position among them. According to this study, the most vulnerable products are CRM, EP, and SRM. However, one shouldn’t underestimate vulnerabilities affecting SAP HANA and SAP Mobile apps, as they attracted researchers’ (and, unfortunately, hackers’) attention quicker than the traditional modules.
The number of vulnerabilities in industry-specific solutions has grown significantly. SAP has a set of products designed for particular industries. More than 160 vulnerabilities have been detected in these solutions. The most vulnerable types of industry-specific solutions are SAP for Banking, Retail, Advertising Management, Automotive, and Utilities.
SAP Implementation Security

Worldwide threat landscape grew up to more than 36000 systems. Most of those services (69%) should not be available directly via the Internet.
Countries where most of the exposed system are located

Critical Infrastructures and IoT devices are at risk. SAP does not only manage enterprise resources but also acts as a mediator between IT and OT systems. Thus, insecure SAP configurations can be used to exploit critical infrastructure.
SAP Security Awareness

Almost half of unnecessarily exposed services is located in 3 countries where wide adoption of new technologies takes place (such as USA, India, and China).
Exposed systems around the globe

The number of SAP Security talks delivered at different conferences worldwide correlates with the number of unnecessarily exposed services (Comparing to the total number of implemented systems). Countries where the highest number of SAP Security presentations were delivered (namely, the USA, Germany, and the Netherlands) are characterized by more secure SAP system installations than countries where SAP researchers did not present their studies. ERPScan is proud to be invited to speak in 25 different countries across 6 continents including such places as Cyprus, Kuwait, Hungary, etc. Hopefully, it somehow helped to increase SAP Security awareness worldwide.

Kaspersky Safe Browser iOS app sports MITM SSL certificate bug

1.8.2016 helpnetsecurity.com Vulnerebility

Security researcher David Coomber has unearthed a vulnerability (CVE-2016-6231) in the Kaspersky Safe Browser iOS app that effectively contradicts its name.

Kaspersky Safe Browser iOS app

As it turns out, the app does not validate SSL certificates it receives when connecting to secure sites, and this could be exploited by attackers with Man-in-the-Middle capabilities to “present a bogus SSL certificate for a secure site which the application will accept silently.”

After that, all the information that is exchanged between the app and the server hosting the site can be then easily captured by the attacker – usernames and passwords come to mind.

Kaspersky Safe Browser aims to detect and blocks malicious and counterfeit websites, so fixing this vulnerability should be crucial for its effectiveness.

Kaspersky already did it, after being informed of the existence of the flaw by Coomber, and the latest version of the app (v1.7.0) is free of it, and available for download.

They also noted that “this vulnerability could have been exploited only if user opens malware HTTPS link that is not detected by antiphishing or other antimalware engines embedded in the application.”

QRLJacking: A new attack vector for hijacking online accounts

1.8.2016 helpnetsecurity.com Attack

We all know that scanning random QR codes is a risky proposition, but a newly detailed social engineering attack vector dubbed QRLJacking adds another risk layer to their use.

Many web apps and services offer the option of using QR codes for logging into the service: chat apps like WhatsApp and Weibo, email service QQ Mail, e-commerce services like Alibaba and Aliexpress, and others.

As detailed by Seekurity Labs researcher Mohamed Abdelbasset Elnouby, QRLJacking (i.e. Quick Response Code Login Jacking) is a method for tricking users into effectively logging into an online account on behalf of the attacker by making them scan the wrong QR code.

A QRLJacking attack follows these basic steps:


Ultimately, the attacker can take over the victim’s account completely and gather information about the victim’s device and its current location.

“All what the attackers need to do to initial a successful QRLJacking attack is to write a script to regularly clone the expirable QR Codes and refresh the ones that is displayed in the phishing website they created,” says Elnouby.

He demonstrated the attack against a WhatsApp user in this video:

More details about the attack vector, its usability, possible mitigations, and PoC attack code can be found on GitHub.

Intel Crosswalk bug invalidates SSL protection

1.8.2016 Helpnetsecurity.com Vulnerebility

A bug in the Intel Crosswalk Project library for cross-platform mobile development can open users to man-in-the-middle attacks, researchers from Nightwatch Cybersecurity have found.

What is the Intel Crosswalk Project?

“The Crosswalk Project, created by Intel’s Open Source Technology Center, allows mobile developers to use HTML, CSS and Javascript to develop and deploy mobile apps across multiple platforms from the same codebase,” the researchers explained.

The project supports deployment to iOS, Windows Phone and Android, but the discovered bug affects only the Android implementation. The framework has been used to build many popular apps (predominantly games), the most popular of which has been downloaded by over 10 million users.

Apps built with Intel Crosswalk

The bug

“When a user makes a network request, an app using the Crosswalk project shows an initial error message if an invalid SSL certificate is found. If the user selects ‘OK’, the app then accepts all future SSL certificates without validation,” Carnegie Mellon University’s CERT Coordination Center (CERT/CC) succinctly explained.

“The app does not make it clear that the dialog grants permanent permission to accept invalid certificates; the user is never prompted again.”

The researchers discovered the flaw while testing a third-party Android app using this library, and responsibly reported it to Intel so that it can get fixed before it’s discovered and exploited by someone with malicious intentions.

What to do?

App developers are advised to rebuild their apps using the latest Crosswalk versions – 19.49.514.5 (stable), 20.50.533.11 and 21.51.546.0 (beta), and 22.51.549.0 (canary).

Users of apps based on the Crosswalk framework are advised to be on the lookout for updates that fix the problem. Pushing app developers who haven’t already done it to do it as soon as possible is also a good idea.

Brazil Freezes $11.7 Million of Facebook Funds for Not Complying with Court Orders

1.8.2016 Thehackernews.com Social

Facebook's legal war with Brazilian government seems to be never-ending.
Facebook-owned cross-platform messaging service WhatsApp has already been blocked a total of three times in Brazil since December for failing to comply with a court order asking the company to access WhatsApp data under criminal investigation.
But, now the Brazilian government has taken an even tougher step.
On Wednesday, the public federal prosecutor in the Brazilian state of Amazonas said the court froze 38 Million real (US $11.7 Million) of funds held in Facebook's bank account, Reuters reports.
The prosecutor has said that the decision to freeze Facebook funds was made after the social media giant failed to comply with the court order to hand over data of WhatsApp users who are under criminal investigation.
Since WhatsApp communications are end-to-end encrypted, even the company would not be able to access any message exchanged between users.
Facebook representatives weren't immediately available for comment on the recent decision by the Brazilian court.
Previously, when WhatsApp was blackout in Brazil, a WhatsApp spokesman said in a statement:
"In recent months, people from all across Brazil have rejected judicial blocks of services like WhatsApp. Indiscriminate steps like these threaten people's ability to communicate, to run their businesses, and to live their lives. As we have said in the past, we cannot share information we don't have access to."
The court case between the Brazilian government and Facebook has been long-running now.
The court has previously banned WhatsApp for three days, but the most recent ban came last week when Brazillian judge Daniela Barbosa ordered the telecom operators to shut down WhatsApp nationwide. But a few hours later, Brazil’s supreme court suspended the ruling.
In March, Judge Marcel Maia Montalvão of Sergipe state ordered the incarceration of a Facebook executive for not turning over data from a WhatsApp account tied to a drug-trafficking investigation.
Facebook Vice President Diego Jorge Dzodan was arrested on his way to work in São Paulo and jailed, but subsequently released the next day.

Using VPN in the UAE? You'll Be Fined Up To $545,000 If Get Caught!
1.8.2016 Thehackernews.com Privacy

If you get caught using a VPN (Virtual Private Network) in Abu Dhabi, Dubai and the broader of United Arab Emirates (UAE), you could face temporary imprisonment and fines of up to $545,000 (~Dhs2 Million).
Yes, you heard that right.
Online Privacy is one of the biggest challenges in today's interconnected world. The governments across the world have been found to be using the Internet to track people’s information and conduct mass surveillance.
Here VPNs and proxy servers come into Play.
VPNs and proxy servers are being used by many digital activists and protesters, who are living under the most oppressive regimes, to protect their online activity from prying eyes.
However, using VPN or proxy in the UAE could land you into great difficulty.
The UAE President Sheikh Khalifa bin Zayed Al Nahyan has issued new sovereign laws for combating cyber crimes, which includes a regulation that prohibits anyone, even travelers, in the UAE from using VPNs to secure their web traffic from prying eyes.
Best VPN Services for Fast, Anonymous and Secure Browsing
According to the laws, anyone using a VPN or proxy server can be imprisoned and fined between $136,000 and $545,000 (Dhs500,000 and Dhs2 Million).
The laws have already been issued by the UAE President and have now been reported to the official government news service WAM.
For those unfamiliar, Virtual Private Network (VPN) securely routes your Internet traffic through a distant connection, protecting your browsing, hiding your location data and accessing restricted resources.
Nowadays, VPNs have become a valuable tool not just for large companies, but also for individuals to dodge content restrictions as well as to counter growing threat of cyber attacks.
The UAE's top two telecom companies, Etislat and Du, have banned VoIP -- the phone calling features in popular apps like WhatsApp, Viber, Facebook Messenger and SnapChat that deliver voice calls over the Internet for free -- from within the Gulf nation.
Opera Browser Now Offers Free and Unlimited Built-in VPN Service
However, soon the vast number of UAE residents who use VPNs and proxies within the UAE for years to bypass the VoIP ban could be in difficulty.
Out of two new laws issued last week, one lays out fines for anyone who uses a VPN or proxy server, local news reports. The new law regarding VPNs states:
"Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dhs500,000 and not exceeding Dhs2 million, or either of these two penalties."

China – Authorities arrested 10 members of the Wooyun ethical hacking group
1.8.2016 securityaffairs.co Security

The Chinese authorities have arrested 10 members of the popular Wooyun ethical hacking community, including the founder Fang Xaiodun.
Chinese authorities have arrested popular white hats operating in the country, including the founder of one of the larger online ethical hacker community. The reason behind the arrest is still a mystery, the news was reported first by the Chinese website Caixinwang and spread by the Hong Kong Free Press (HKFP).

Fang Xaiodun founder Wooyun

The young hacker, Fang Xaiodun, is the founder of the Wooyun community, he was arrested with other ten senior members of the group on July 22, a couple of weeks after the group held its annual convention in Beijing. The convention is considered one of the most interesting in the country and attracted that captured the interest of high-profile organizations.

“Around ten senior members of Wooyun – including Fang – were taken away by police without specific charges being made a week ago, according to a source cited by Caixinwang.” reported the Hong Kong Free Press.

“Everything happened very abruptly, even members within Wooyun were kept in the dark,” said the source. “People from Wooyun said there was no administrative procedures nor prior notice for the arrest,” the source added.”

Fang founded the hacking community in 2010, previously he was the head of security at Chinese search engine Baidu.

The Wooyun was known for its bug hunting activity, as similar groups worldwide its members only disclosed vulnerabilities if they were unable to receive a satisfactory answer from the vulnerable system operators.

Xaiodun is literally disappeared since July 18, he hasn’t posted any content to his WeChat account, and the official website of the Wooyun group has been suspended since July 20.

The Hong Kong Free Press speculates that the Wooyun group has shut down the website as a precaution fearing possible repercussions.

At the time I was writing there is no official statement of the case, experts speculate the members of the Wooyun group may have targeted a government entity for testing purpose, causing the reaction of the authorities.

“Multiple theories regarding the arrest have surfaced in the community. Some speculate that Wooyun was involved in legal issues after publicising certain websites’ system loopholes shortly before they were hacked by a third-party. Others suspect that Wooyun members were involved in testing the vulnerabilities of government networks without authorisation.”

The Internet Society of China’s legal consultant Zhao Zhanling told HKFP the Wooyun site was used only as the disclosure platform.

PayPal accounts abused to distribute the Chthonic Banking Trojan
1.8.2016 securityaffairs.co Virus

Experts from Proofpoint discovered that the Banking trojan Chthonic was distributed via ‘legitimate’ PayPal accounts by abusing the “money request” feature.
The imagination of cyber criminals is a never ending pit, according to the security firm Proofpoint, crooks are abusing PayPal to distribute the Chtonic banking trojan. Chtonic is a strain of the most notorious Zeus Trojan, the researchers spotted a new campaign leveraging on emails sent by genuine PayPal accounts.

The attackers in this way could bypass anti-spam filters and antivirus solutions because the emails come via genuine PayPal accounts.

One sample analyzed by Proofpoint was not detected by Gmail because the message appeared to be legitimate.

“Specifically, we observed emails with the subject “You’ve got a money request” that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to “request money.” We are not sure how much of this process was automated and how much manual, but the email volume was low.” reported a security advisory from Proofpoint.

The attackers abused the “request money” feature that gives PayPal the possibility to include notes when sending money request messages.

Chthonic Banking Trojan PayPal

“PayPal’s money request feature allows adding a note along with the request [and] the attacker crafted a personalised message and included a malicious URL,” continues the advisory. “In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both.”

When the victim clicks on the link embedded in the message it will be redirected to a non-PayPal website that downloads an obfuscated JavaScript file called paypalTransactionDetails.jpeg.js. Opening the JavaScript file downloads the Chthonic Trojan. The link included in the message was generated with the Google URL shortener (it is a Goo.gl link).

“If the user does click on the Goo.gl link, they are redirected to katyaflash[.]com/pp.php, which downloads an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js to the user’s system. If the user then opens the JavaScript file, it downloads an executable from wasingo[.]info/2/flash.exe. This executable is Chthonic, a variant of the Zeus banking Trojan. ” added Proofpoint.

It is interesting to note that Chthonic executable also downloads a second-stage payload that is a totally new called AZORult.

The analysis of the URL included in the message, a Goo.gl link, revealed that it has been clicked only 27 times.

Give a look to the ProofPoint analysis, it includes also Indicators of compromise (IOC’s).

Phineas Fisher hacked a bank to support anti-capitalists in the Rojava region
20.5.2016 Hacking

Phineas Fisher, the notorious Hacking Team hacker, stole $10,000 from a bank and donated the equivalent in Bitcoin to Kurdish anticapitalists in Rojava.
Phineas Fisher (@GammaGroupPR), revealed on Reddit that he breached a bank and turned the stolen money to a Kurdish anti-capitalists that operate in the Rojava autonomous region. The region in located in the north of the Syria, near to the territories controlled by the ISIL. The hacker did not reveal the name of the breached financial institution nor provided details of the cyber heist.
Phineas Fisher explained that it is quite easy to steal money from the bank, he cited the Carbanak group, but took the distance from the motivation of the Russian criminal crew. Phineas Fisher is a hacker, not a thief, he hasn’t financial motivation, he follows his own ideals.

“Banks are being robbed more than ever, it’s just done differently these days.” he explained. The money did come from robbing a bank. As I said in an earlier comment, bank robbing is more viable than ever, it’s just done differently these days. There’s a reason in the last hacking guide I wrote (spanish original english translation) I spoke in favor of expropriating money from banks, said you used to need a gun but can now do it from bed with a laptop in hand, and linked a technical report on the Carbanak group. Not that I’m a fan of Russian gangsters robbing banks so they can buy luxury cars or whatever, but there’s a lot to learn from their methods.

Phineas Fisher became very popular in the security industry because he is the hacker that breached the surveillance firms Hacking Team and the surveillance company Gamma International.

He is coherent with his thoughts about surveillance and the support offered by IT companies to totalitarian regimes, for this reason, he decided to target them and interfere with their “dirty” affairs.

The enemies of freedom are Phineas Fisher enemies.

Now the popular hacker has donated 25 Bitcoin (worth around US$11,000) to a crowdfunding campaign known as the Rojan Plan, which has been launched by the members of the Rojava’s economic committee. described by Fisher as “one of the most inspiring revolutionary projects in the world.”

Fisher defined the campaign as “one of the most inspiring revolutionary projects in the world.”

The campaign aims to help the local population and that are oppressed by the ISIL and treated by nearby governments. The project is ambitious and has a long list of goals, including the organizations of training in the neighborhood centers and schools, the production of educational material (pamphlets, short films) about the need to separate waste, the establishment of facilities for processing the waste and making fertilizer.

This is the list of things this people needs.

2 trucks: $45000
Small bulldozer: $35000
Pool for liquid fertilizer: $500
Machine: $1500
Plastic buckets for waste: $2000
Structure: $3000
Thermometer: $50
Big plastic canvas: $2500
Worker clothes: $300
Scale: $500
Airsystem: $500
Hangar: $40000
Material: $33000
Mixer: $15000
Other: $10000
9 workers: $10800

Phineas Fisher hack bank

Some experts already verified the Bitcoin transaction made by Phineas Fisher, THN of one of them

“When deeply investigated, it was found that the Rojava Plan’s Bitcoin address received a 25 BTC (Bitcoin) transaction timestamped 5th May 2016, which means the donation has publicly been recorded on the blockchain ledger.” reported the THN.

“You can see the payments made to our campaign on the campaign page. You can also check our Bitcoin address, which is public,” Deniz Tarî from Rojava Plan told Ars. The page lists a €10,000 donation by “Hack Back!”

How to trigger DoS flaws in CISCO WSA. Apply fixes asap

20.5.2016 Vulnerebility

Cisco issued a series of patches for the AsyncOS operating on CISCO WSA that fix multiple high severity Denial-of-Service (DoS) vulnerabilities.
Cisco has released security patches for the AsyncOS operating system that run on the Web Security Appliance, also called CISCO WSA. The security updates fix multiple high severity Denial-of-Service (DoS) vulnerabilities.


Below the details of the flaws in the CISCO WSA fixed by the last series of patches:

CVE-2016-1380 is a flaw ranked as high that is triggered when parsing an HTTP POST request with Cisco AsyncOS for Cisco WSA, it could be exploited by an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the proxy process becoming unresponsive.
The flaw is caused by the lack of proper input validation of the packets that compose an HTTP POST request.

CVE-2016-1381 resides in the cached file-range request functionality implemented by Cisco AsyncOS. A remote, unauthenticated attacker can trigger it to cause a denial of service (DoS) condition. The flaw, is ranked as high, could exploit by opening multiple connections that request file ranges through the affected device. When the memory is saturated to attack causes the WSA to stop passing traffic.

CVE-2016-1382 is a vulnerability that resides in the HTTP request parsing in Cisco AsyncOS for the Cisco WSA. The flaw could allow a remote, unauthenticated attacker to trigger a denial of service (DoS) condition when the proxy process unexpectedly restarts.

In order to exploit the flaw, the attacker just needs to send a specifically crafted HTTP request to the vulnerable device, the OS will not properly allocate the sufficient space for the HTTP header and any expected HTTP payload.

CVE-2016-1383 is a flaw ranked as high that resides in the way the operating system handles certain HTTP response code. The flaw could be exploited by an unauthenticated, remote attacker to cause a DoS condition by simply sending to the device a specially crafted HTTP request causing it to run out of memory.

Cisco confirmed that the security issues affect various versions of the AsyncOS running on CISCO WSA on both hardware and virtual appliances.

Cisco confirmed that it isn’t aware that the flaw has been exploited by hackers in the wild.

John McAfee and his crew claim to have hacked a WhatsApp Message, But …
20.5.2016 Hacking

The popular security expert John McAfee and a team of four hackers demonstrated that is is possible to read WhatsApp message.
The cybersecurity expert John McAfee and four hackers demonstrated that is is possible to read a WhatsApp message even if it is encrypted. The hacker crew used their servers located in a remote section in the mountains of Colorado

McAfee reported the success to the Cybersecurity Ventures and shared the details of the clamorous hack.

The hacked message was exchanged between two researchers located at the New York City headquarters office of the digital forensics firm LIFARS. The researchers used two brand new Android phones running a tiny app written by McAfee and his colleagues.

Cybersecurity Ventures reported the message was sent at 2:45pm EST in New York, and the hackers read it in Colorado one minute later. Wait, but WhatsApp implements end-to-end encryption. How is it possible?

hacked whatsapp message

McAfee explained that the problem doesn’t affect WhatsApp but the Android OS that is affected by a serious design flaw. The exploitation of the vulnerability allowed McAfee’s team to take full control of the information managed by the mobile device.

We have no information about the components of the team, we only know that one of them is Chris Roberts, a security researcher that in May 2015 announced via Twitter that he was able to hack the flight he was on. Roberts was arrested by the FBI, the experts claimed he had burrowed through the aircraft’s onboard entertainment system to gain control over critical systems of the airplane.

“I have been warning the world for years that we are teetering on the edge of an abyss, that our cyber security paradigms no longer function, and that chaos will descend if something is not done” said McAfee, commenting the successfully hack of the WhatsApp message. “The fundamental operating system (Android), used by 90% of the world, and that should be the first bulwark against malicious intrusion, is flawed. Should I not bring this to the world’s attention through a dramatic demonstration? Do I not owe it to the world?”

Experts from LIFARS who analyzed the mobile phones reported the presence of “malware traces,” a memo issued by the CEO Ondrej Krehel confirms the smartphones have been infected by a spyware app that allowed hackers to log keystrokes. According to Krehel, the hackers haven’t rooted the device in order to exploit the flaw, more information will be disclosed after that McAfee and his team will discuss the flaw with Google, and I believe it is important to highlight that McAfee is doing this not for money.

“McAfee said he is open to dialogue with Google and WhatsApp in order to help remedy the vulnerability, and there would be no cost for his services. “This in no way was done for financial gain. This was my obligation to my tribe” said McAfee.” continues Cybersecurity Ventures.

Are you a SnapChat user? Bad news also for you, McAfee confirmed that similar problems have been noticed also with other messaging apps.

Facebook Sued for illegally Scanning Users' Private Messages
20.5.2016 Social
Facebook is in trouble once again regarding its users' privacy.
Facebook is facing a class-action lawsuit in Northern California over allegations that the company systematically scans its users' private messages on the social network without their consent and makes the profit by sharing the data with advertisers and marketers.
According to the lawsuit filing, Facebook might have violated federal privacy laws by scanning users' private messages.
Facebook routinely scans the URLs within users' private messages for several purposes like anti-malware protection and industry-standard searches for child pornography, but it has been claimed that the company is also using this data for advertising and other user-targeting services.
Google to Face a Record $3.4 Billion AntiTrust Fine in Europe
The plaintiffs, Matthew Campbell, and Michael Hurley argue that the Facebook is scanning and collecting URLs-related data in a searchable form, violating both the Electronic Communications Privacy Act and California Invasion of Privacy Act, reported the Verge.
Facebook argues that the company scans users' private messages in bulk, and maintains the URL records in an anonymized way, which is only used in aggregate form.
However, according to a technical analysis done on behalf of the plaintiffs, each URL-related message is stored in "Titan," a private message database that displays the date and time the message was sent, along with the user IDs of both the sender and the recipient.
However, it turns out that Facebook used this practice in past, but the company claimed to have stopped such practices a long time ago.
"We agree with the court's finding that the alleged conduct did not result in any actual harm and that it would be inappropriate to allow plaintiffs to seek damages on a class-wide basis," a Facebook spokesperson told CNET.
"The remaining claims relate to historical practices that are entirely lawful, and we look forward to resolving those claims on the merits."
However according to the plaintiffs, Facebook is still continuing to collect links from users' private messages.
"Facebook's source code not only reveals that Facebook continues to acquire URL content from private messages, but that it also continues to make use of the content it acquires."
Meanwhile, you can check out the lawsuit here. The lawsuit was originally filed in 2012 and for now, the case is expected to proceed.
Plaintiffs have until June 8 to file an amended complaint, following a scheduled conference toward the end of the month.


Spam and phishing in Q1 2016

Spam: features of the quarter

Trending: dramatic increase in volume of malicious spam

The first quarter of 2016 saw a dramatic increase in the number of unsolicited emails containing malicious attachments. Over the last two years the number of email antivirus detections on computers with a Kaspersky Lab product installed fluctuated between 3 and 6 million. At the end of 2015 this number began to grow and in early 2016 there was a sharp upturn.

Spam and phishing in Q1 2016

Number of email antivirus detections on computers with a Kaspersky Lab product installed

In March, the number of email antivirus detections reached 22,890,956, which is four times more than the average for the same period last year.

With the rise of drive-by-downloads, we could have expected malicious email attachments to have long since given way to malicious sites that the user accesses via a link in an email. However, the use of emails has its advantages (for the attackers): the content of the email may encourage the user not only to download a malicious file but also launch it. It’s also possible that malicious attachments are enjoying a new wave of popularity because in the last couple of years the developers of the most popular browsers have considered adding protection against infected and phishing websites (using in-house developments as well as partnering with well-known anti-virus vendors). This is something that built-in protection at the email client level does not provide yet. Therefore, if a potential victim doesn’t use antivirus software, their computer can be easily infected via email.

What’s inside?

The variety of malicious attachments is impressive. They include classic executable EXE files and office documents (DOC, DOCX, XLS, RTF) with embedded malicious macros, and programs written in Java and Javascript (JS files, JAR, WSF, WRN, and others).

Spam and phishing in Q1 2016

Attachment containing a Trojan downloader written in Java

Also worth noting is the diversity of languages used in malicious spam. In addition to English, we regularly came across emails in Russian, Polish, German, French, Spanish, Portuguese and several other languages.

Spam and phishing in Q1 2016

Attachment containing the Trojan banker Gozi

Most emails imitated notifications of unpaid bills, or business correspondence.

Spam and phishing in Q1 2016

The malicious .doc file in the attachment is a Trojan downloader. It downloads and runs the encryptor Cryakl using macros written in Visual Basic

Spam and phishing in Q1 2016

Attachment containing backdoor-type malware that downloads other malicious programs to the infected machine

Particular attention should be paid to emails containing Trojan downloaders that download the Locky encryptor. The attackers exploited a variety of file types to infect victim computers: at first they used .doc files with malicious macros, then JS scripts. In order to bypass filtering, the attackers made every malicious file within a single mass mailing unique. In addition, the emails had different content and were written in different languages. This doesn’t come as much of a surprise as attacks utilizing this encryptor were registered by KSN in 114 countries around the world.

Spam and phishing in Q1 2016

Examples of emails with the Locky encryptor

The content of the emails was related to financial documents and prompted users to open the attachment.

If the attack was successful, Locky encrypted files with specific extensions (office documents, multimedia content, etc.) on the user’s computer, and displayed a message with a link leading to a site on the Tor network containing the cybercriminals’ demands. This process was analyzed in more detail in our blog.

As Locky is not always contained directly in the message, we cannot estimate its share in the volume of other malicious mail. However, the scripts that download and run Locky (detected by Kaspersky Lab as Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR: Trojan-Downloader.Script.Generic) accounted for more than 50% of all malicious programs in email traffic.

Spam terrorism

Today terrorism is one of the most widely discussed topics both in the media and when political leaders meet. Frequent terrorist attacks in Europe and Asia have become a major threat to the world community, and the theme of terrorism is widely used by cybercriminals to mislead users.

In order to prevent terrorist attacks, security measures in many countries have been enhanced, and malicious spammers have been quick to take advantage. They tried to convince recipients of mass mailings that a file attached in an email contained information that would help a mobile phone owner detect an explosive device moments before it was about to detonate. The email claimed the technology came from the US Department of Defense, was easy to use and widely available. The attachment, in the form of an executable EXE file, was detected as Trojan-Dropper.Win32.Dapato – a Trojan that is used to steal personal information, organize DDoS attacks, install other malware, etc.

Spam and phishing in Q1 2016

‘Nigerian’ scammers also got in on the act, exploiting the theme of terrorism to try and concoct credible stories. The senders introduced themselves as employees of a non-existent FBI division involved in the investigation of terrorism and financial crime. Their story revolved around the need for the recipient to contact the sender in order to resolve issues that are preventing the payment of a large sum of money. Among the reasons given for the delay in transferring the money the scammers cited a lack of confirmation that the money was legal and rightfully belonged to the recipient, or it was claimed third parties were trying to pocket the recipient’s money.

Spam and phishing in Q1 2016

Nigerian letters also told stories of money – some of which was offered to the recipient – that had been obtained legally and was not related to drugs, terrorism or other crime. This was an attempt to dispel any doubts about their honesty and persuade recipients to reply.

Spam and phishing in Q1 2016

The theme of terrorism came up again in tales related to the current situation in the Middle East. For example, some emails were sent on behalf of US soldiers who were fighting against terrorism in Afghanistan and were looking for an intermediary to save and invest money for them. Yet another author claimed that he had not joined ISIS or any another terrorist organization, but as a Muslim he wanted to donate a large sum of money for good deeds. A mistrust of charities meant the “Muslim” wanted to transfer the money to the recipient of the email. Yet another story was written on behalf of an American businessman who had lost half his business in Syria and Iraq because of the war and terrorism, and was looking for a partner to help him invest the remaining money.

Spam and phishing in Q1 2016

Nigerian letters describing the tense situation in Syria also remained popular and were actively used by scammers to trick users.

Spam and phishing in Q1 2016

We also came across advertising spam from Chinese factories offering all sorts of devices to ensure public security (for example, special devices for detecting explosives) and other anti-terrorist products.

Spam and phishing in Q1 2016

Also trending: significant increase in volume of ‘Nigerian’ spam

It seems so-called Nigerian spammers have also felt the effects of the economic crisis, because they have recently increased their activity. In Q1 2016 we observed a significant increase in the volume of this type of mailing. In the past, the scammers encouraged recipients to respond to an email by telling a long detailed story that often contained links to articles in the mainstream media; now they send out short messages with no details, just a request to get in touch. Sometimes the email may mention a large sum of money that will be discussed in further correspondence, but there is no information about where it came from.

Spam and phishing in Q1 2016

Perhaps the scammers believe that those who are already aware of the classic ‘Nigerian’ tricks will fall for these types of messages; or maybe they think that such short messages will be more suited for busy people who have no time to read long emails from strangers.

Spammer methods and tricks: short URL services and obfuscation

In our spam and phishing report for 2015 we wrote about obfuscation of domains. In Q1 2016, spammers continued this trend and even added some new tricks to their arsenal.

Cybercriminals continued to use short URL services, although the methods for adding “noise” to them have changed.

First of all, spammers began inserting characters – slashes, letters and dots – between the domain of a short URL service and the final link.

Spam and phishing in Q1 2016

Both the link which the user follows and the link to the uploaded image in the email are obfuscated:

Spam and phishing in Q1 2016

In addition to letters and dots, spammers even inserted random comment tags between slashes, and the browser continued to correctly interpret the links:

Spam and phishing in Q1 2016


Note that the subject of the email contains the name Edward; it is also included in the comment tag used to add “noise”. In other words, the name is taken from one database while the “noise” tag is unique for each email in the mass mailing.

Russian-language spam also used obfuscation and short URL services, but the algorithm was different.


For example, to obfuscate links the @ symbol was used. To recap, the @ symbol is intended for user authentication on the site (it is actually no longer used). If the site does not require authentication, everything that precedes the @ symbol will simply be ignored. It means that in the email above, the browser will first open the site ask.ru/go where it will execute the subquery ‘url =’ and then go to the URL specified, which belongs to a short URL service.


The link in this emails was also obfuscated with the @ symbol. Noise was also added by additional subqueries including the user’s email address, which made it unique for each email in the mass mailing.


Proportion of spam in email traffic

Spam and phishing in Q1 2016

Percentage of spam in global email traffic, Q1 2016

The percentage of spam in overall global email traffic remained stable during the last few months of 2015. However, in January 2016 we registered a considerable increase in the share of unwanted correspondence – over 5.5 p.p. By February, however, the amount of spam in email traffic had dropped to its previous level. In March it grew again, though less dramatically. As a result, the average percentage of spam in Q1 2016 amounted to 56.92%.

Sources of spam by country

Spam and phishing in Q1 2016

Sources of spam by country, Q1 2016

The US (12.43%) maintained its leadership, remaining the biggest source of spam in Q1 2016. Next came Vietnam (10.30%), India (6.19%) and Brazil (5.48%). China rounded off the Top 5, accounting for 5.09% of global spam.

Russia fell from last year’s second place to seventh (4.89%) in Q1 2016. It followed closely behind France (4.90%), which was sixth biggest source of spam.

Spam email size

Spam and phishing in Q1 2016

Spam email size distribution, Q4 2015 and Q1 2016

The most commonly distributed emails were very small – up to 2 KB (79.05%). The proportion of these emails grew by 2.7 p.p. from the previous quarter. The share of emails sized 20-50 KB also increased – from 3.02% to 7.67%. The amount of emails sized 2-5 KB, however, fell significantly compared to Q4 2015 – from 8.91% to 2.5%.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the Top 10 malware families.

Top 10 malware families

A typical representative of this family is an obfuscated Java script. This family malware uses ADODB.Stream technology that allows them to download and run DLL, EXE and PDF files.

This is a family of VBS scripts. As is the case with the JS.Agent family, ranked first, the representatives of this family use ADODB.Stream technology; however, they mainly download ZIP files, from which they extract and run other malicious software.

The representatives of this family are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads other malware from the cybercriminal’s site and launches it on the victim’s computer.

Backdoor.Win32.Androm. Andromeda.
This is a family of universal Andromeda/Gamarue modular bots. The key features of these bots include downloading, storing and launching malicious executable files; downloading and uploading a malicious DLL (without saving it to disk); updating and deleting themselves. The bot functionality is extended with plug-ins that can be loaded at any time.

The malicious programs of this Trojan family can download from the command server and run additional modules, as well as work as a proxy server. They are used to distribute spam and steal personal data.

A typical representative of this family is an obfuscated Java script. The malicious programs of this family download and run ransomware on the user’s computer.

This malware family was designed to steal data such as credentials for FTP clients installed on an infected computer, credentials for cloud storage programs, cookie files in browsers, passwords for email accounts. The stolen information is sent to the criminals’ server. Some members of the Trojan Fareit family are capable of downloading and running other malware.

The malicious programs of this family destroy, block, modify or copy data or disrupt the operation of computers or computer networks.

The Trojans of this family do not exceed 3.5 KB, and their functions are limited to downloading payloads on the infected computer – more often than not these are Trojan bankers known as Dyre/Dyzap/Dyreza. The main aim of this family of Trojan bankers is to steal payment data from users.

The Trojans of this family consist of a fake HTML page sent via email that imitates an important notification from a major commercial bank, online store, or software developer, etc. The user has to enter their personal data on this page, which is then forwarded to cybercriminals.

Countries targeted by malicious mailshots

There were some significant changes in the ranking of countries targeted most often by mailshots in Q1 2016.

Spam and phishing in Q1 2016

Distribution of email antivirus verdicts by country, Q1 2016

Germany (18.93%) remained on top. China (9.43%), which ended 2015 in 14th place, unexpectedly came second. Brazil (7.35%) rounded off the Top 3.

Italy (6.65%) came fourth in the ranking, followed by the UK (4.81%). Russia was in sixth place with a share of 4.47%.

The US (3.95%), which had been in the Top 5 countries targeted by malicious mailshots for months on end, ended Q1 in eighth.


In Q1 2016, the Anti-Phishing system was triggered 34,983,315 times on the computers of Kaspersky Lab users.

Geography of attacks

The country where the largest percentage of users were affected by phishing attacks was once again Brazil (21.5%), with a 3.37 p.p. increase from the previous quarter. The share of those attacked in China (16.7%) and the UK (14.6%) also grew compared to Q4 2015 – by 4.4 p.p. and 3.68 p.p. respectively. Japan (13.8%), which was a leader in the previous year, saw its share fall by 3.18 p.p.

Spam and phishing in Q1 2016

Geography of phishing attacks*, Q1 2016

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

Top 10 countries by percentage of users attacked:

Brazil 21.5%
China 16.7%
United Kingdom 14.6%
Japan 13.8%
India 13.1%
Australia 12.9%
Bangladesh 12.4%
Canada 12.4%
Ecuador 12.2%
Ireland 12.0%
Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s anti-phishing component. It is activated every time a user enters a phishing page when information about it is not yet included in Kaspersky Lab databases. It does not matter how the user enters the page – by clicking a link in a phishing email, in a message on a social network or as a result of malware activity. After the security system is activated, the user sees a banner in the browser warning about a potential threat.

Spam and phishing in Q1 2016

Distribution of organizations affected by phishing attacks, by category, Q1 2016

In the first quarter of 2016, the ‘Global Internet portals’ category (28.69%) topped the rating of organizations attacked by phishers; its share increased by 0.39 p.p. from the previous quarter. Second and third were occupied by two financial categories: ‘Banks’ (+4.81 p.p.) and ‘Payment systems’ (-0.33 p.p.). ‘Social networking sites’ (11.84%) and ‘Online games’ (840 p.p.) rounded off the Top 5, having lost 0.33p.p.and 4.06 p.p. respectively.

Online stores

Attacks on online store users are interesting because they are often followed by the theft of bank card details and other personal information.

Spam and phishing in Q1 2016

Distribution of online stores subject to phishing attacks, Q1 2016

Apple Store was the most popular online store with phishers. In the first quarter of 2016 its share in the ‘E-shop’ category accounted for 27.82%. Behind it in second place was another popular online store –Amazon (21.6%).

Spam and phishing in Q1 2016

Example of a phishing page designed to steal Apple ID and bank card data

Steam (13.23%), a popular gaming service that distributes computer games and programs, rounded off the Top 3. It came 19th in the overall ranking of organizations affected by phishing attacks.

Links to phishing pages exploiting the theme of online games and gaming services are distributed via banners, posts on social networking sites, forums and, less frequently, via email.

Spam and phishing in Q1 2016

Cybercriminal interest in Steam and gaming services in general is growing – gamers’ money and personal data are often targeted not only by phishers but also by software developers.

Top 3 organizations attacked<

Fraudsters continue to focus the greatest part of their non-spear phishing attacks on the most popular companies. These companies have lots of customers around the world which enhances the chances of a successful phishing attack.

The Top 3 organizations attacked most often by phishers accounted for 21.71% of all phishing links detected in Q1 2016.

Organization % of detected phishing links
1 Yahoo! 8.51
2 Microsoft 7.49
3 Facebook 5.71
In Q1 2016, the leading three organizations targeted by phishers saw a few changes. Yahoo! remained top (+1.45 p.p.). Microsoft (+2.47 p.p.) came second, followed by Facebook (-2.02 p.p.).

Interestingly, phishing on Facebook is delivered in almost all languages.

Spam and phishing in Q1 2016

Spam and phishing in Q1 2016

Facebook is also popular with cybercriminals as a means of spreading malicious content. We wrote about one such scheme in a recent blog.


In the first quarter of 2016 the percentage of spam in email traffic increased by 2.7 percentage points compared with the previous quarter. But it is too early to speak about a growth trend. The proportion of spam grows significantly at the beginning of every year because the amount of normal email decreases over the holiday period.

The US remained the biggest source of spam in Q1 2016. The Top 5 also included Vietnam, India, Brazil and China – all large, fast developing countries with high levels of internet connection.

Spam messages are becoming shorter. In the first quarter, the proportion of emails up to 2 KB exceeded 80% of all spam.

Q1 of 2016 saw the amount of spam containing malicious attachments increase dramatically. The share of malicious attachments in mail reached a peak in March – four times greater than last year’s average. This rapid growth was caused, specifically by the popularity of crypto-ransomware which was either contained in emails or downloaded to computers via a Trojan downloader.

This growth confirms our long-term forecasts on the gradual criminalization of spam that makes it even more dangerous, as well as reducing the overall share of email traffic. The diversity of languages, social engineering, lots of different types of attachments, text changing within a single mass mailing – all this takes spam to a new level of danger. Moreover, these malicious mass mailings have broad geographical coverage. The picture of malware distribution by email has changed significantly this year. In particular, China came an unexpected second in the ranking of countries targeted by malicious mailshots.

Another factor confirming the trend of increasingly criminalized spam is the growth of fraudulent, namely ‘Nigerian’, spam in the first quarter of 2016.

It is unlikely that the amount of malicious spam will continue to grow so rapidly: the more cybercriminals distribute malicious spam, the more people get to know of its dangers and the more careful they become about opening suspicious attachments. Therefore, such attacks will gradually fade away after a few months. However, there is the risk they may be replaced by other, even more complex attacks.

Hacker Steals Money from Bank and Donates $11,000 to Anti-ISIS Group
20.5.2016 Hacking
Meet this Robin Hood Hacker:
Phineas Fisher, who breached Hacking Team last year, revealed on Reddit Wednesday that he hacked a bank and donated the money to Kurdish anti-capitalists in Rojava autonomous region in northern Syria that borders territory held by the ISIS (Islamic State militant group).
Fisher, also known as "Hack Back" and "@GammaGroupPR," claimed responsibility for both the Hacking Team and Gamma Group data breaches.
The vigilant hacker donated 25 Bitcoin (worth around US$11,000) to a crowdfunding campaign known as the Rojan Plan, which has been set up by members of the Rojava’s economic committee, described by Fisher as "one of the most inspiring revolutionary projects in the world."
Also Read: Here's How Hackers Stole $80 Million from Bangladesh Bank
The funds donated to the campaign came from a bank heist, though the hacker neither revealed the name of the bank nor provided any further details of the bank heist.
When deeply investigated, it was found that the Rojava Plan's Bitcoin address received a 25 BTC (Bitcoin) transaction timestamped 5th May 2016, which means the donation has publicly been recorded on the blockchain ledger.
"You can see the payments made to our campaign on the campaign page. You can also check our Bitcoin address, which is public," Deniz Tarî from Rojava Plan told Ars. The page lists a €10,000 donation by "Hack Back!"
Also Read: 25 Line Exploit Code that could let anyone steal $25 Billion from a Bank
Fisher on Reddit even urged another hacker to set up ATM skimming campaigns or rob banks and then donate all the money to the Rojava campaign in order to help the cause.

Telephone metadata by NSA can reveal deeply personal information
20.5.2016 BigBrothers

A study conducted by the NSA confirms that telephone metadata from phone logs reveals individuals’ Personal Information to government surveillance agencies.
It has been argued in the past that the mass collection of phone records by government surveillance agencies poses a significant threat to privacy rights. Now, however, a new study confirms what privacy advocates have been arguing for years. This is according to US researchers who used basic phone logs and were able to identify individuals and access their confidential information.

All of these personal details were derived from anonymous “metadata” found on individuals’ calls and texts. The two scientists at Stanford University who conducted the research were able to figure out individuals’ names, where they lived and association information.

But that’s not all they found.

They also uncovered details such as gun ownership, medical and disability information and activities involving recreational drugs.When the results were paired with public information already available on services such as Yelp, Google and Facebook, a much bigger, more detailed picture of a given individual’s life can be seen.

Former general counsel at the US National Security Agency (NSA), Stewart Baker has said that, “metadata absolutely tells you everything about somebody’s life.”

“For the study, the researchers signed up 823 people who agreed to have metadata collected from their phones through an Android app. The app also received information from their Facebook accounts, which the scientists used to check the accuracy of their results. In all, the researchers gathered metadata on more than 250,000 calls and over 1.2m texts.” read an article published by the The Guardian.

“Analysts who logged into the NSA’s metadata gathering system were initially allowed to examine data up to three hops away from an individual. A call from the target individual’s phone to another number was one hop. From that phone to another was two hops. And so on. The records available to analysts stretched back for five years. The collection window has now been restricted to two hops and 18 months at most.”

Alarmingly, the Stanford study revealed that given just one phone number to start with, the NSA program would have access to telephone metadata for tens of millions of people. With restrictions in place, however, the number plummets–but still indicates that armed with just one phone number, it is possible to retrieve metadata on 25,000 people.

Telephone metadata NSA

Patrick Mutchler, a computer security researcher at Stanford, writing in the journal Proceedings of the National Academy of Sciences, goes over some key points:

A wealth of personal information was disclosed, some of it sensitive, about people who took part in the study.
“Through automatic and manual searches, they identified 82% of people’s names.”
This same technique revealed the names of businesses those individuals had contacted.
When plotted on a map, clusters of local businesses appeared, which the scientists predicted would be located near the given individuals’ home addresses.
“In this way, they named the city people lived in 57% of the time, and were nearly 90% accurate in placing people within 50 miles of their home.”
The scientists were eventually able to determine relationships based on analyzing individuals’ call patterns. Following that, they “gathered details on calls made to and from a list of organisations, including hospitals, pharmacies, religious groups, legal services, firearms retailers and repair firms, marijuana dispensaries, and sex establishments. From these, they pieced together some extraordinary vignettes from people’s lives.”

Mutchler hopes these findings will give legislators pause in regard to to authorizing mass surveillance programs: “Large-scale metadata surveillance programs, like the NSA’s, will necessarily expose highly confidential information about ordinary citizens,” he wrote. Mutchler went on to write: “To strike an appropriate balance between national security and civil liberties, future policymaking must be informed by input from relevant sciences.”

Similarly, Ross Anderson, professor of security engineering at Cambridge University argues that the study presents data that discussions can now be based on, saying: “With the right analytics running over nation-scale comms data you can infer huge amounts of sensitive information on everyone. We always suspected that of course, but here’s the data.”

Japanese Docomo makes its smartphone covertly trackable
19.5.2016 Mobil

The Japanese Mobile carrier NTT Docomo announced that its mobile devices will allow authorities to covertly track the locations of the users.
The Japanese Mobile carrier NTT Docomo announced that five of its new smartphone models will allow authorities to track the locations without users being aware of it.

Today, users are alerted when the GPS locator is activated remotely, even if it is turned on by the mobile carrier.

The Docomo spokesman explained that the tracking feature will be used by the Japanese authorities in crime investigation, the company hasn’t denied to have already supported law enforcement in the past for the same reason.

“If requested, we provided positional information using the GPS systems on phones to emergency services such as the police, ambulance services and the Japan Coast Guard, in line with proper guidelines,” the spokesman told The Japan Times.

Docomo new smartphones

Another significant change in the surveillance activity arrived in June 2015, according to the Ministry of Internal Affairs and Communications starting from this date, carriers are no more obliged to obtain the permission of users before providing location data to law enforcement and intelligence agencies.

The change stimulated the Docomo to provide new smartphone models that covertly track the users.

Docomo also disclosed the models that will implement this new feature, they are all Android models, and specifically the Xperia X Performance, the Galaxy S7 Edge, the Aquos Zeta, the Arrows SV and the Disney Mobile.

According to the mobile carrier, a version of trackable Galaxy S7 Edge will be available in stores from Thursday, the remaining models will go on the market in June.

Of course, also other smartphones will be upgraded by the Docomo in order to implement the new tracker feature, but at the time I’m writing there is no news about a possible deadline for the updates.

The news is raising heated discussion in the country, some experts consider the new feature disturbing. Many privacy advocates consider illegal for carriers to provide user locations without informing it.

“This is an extreme invasion of privacy. It’s nothing like acknowledging merely which country you’re in,” the lawyer Tsutomu Shimizu told the Japan Times. “Positional information is highly private because it reveals people’s movements. However, I understand that investigative authorities would need such information in certain situations, so there should be a law passed to help public understanding.”

“It is a common practice and belief internationally that personal information should not be distributed to external organizations,” he said.

Teslacrypt decryption tool allows victims to restore their files
19.5.2016 Virus

A security researcher from ESET security firm issue a Teslacrypt decryption tool after the author closed the project and released a free master key.
The victims of the dreaded TeslaCrypt Ransomware now have the opportunity to restore their files by using a decryptor developed by experts from the ESET security Firm.

“Today, ESET® released a decryptor for recent variants of the TeslaCrypt ransomware. If you have been infected by one of the new variants (v3 or v4) of the notorious ransomware TeslaCrypt and the encrypted files have the extensions .xxx, .ttt, .micro, .mp3 or remained unchanged, then ESET has good news for you.” announced ESET.

A researcher from the company observed a decline in the number of victims of the TeslaCrypt ransomware, so he decided to the decryption key to the authors.

Incredibly, the author provided a free master key to the expert that developed a free universal Teslacrypt decryption tool.
Teslacrypt decryption tool

Teslacrypt decryption tool

“In surprising end to TeslaCrypt, the developers shut down their ransomware and released the master decryption key. Over the past few weeks, an analyst for ESET had noticed that the developers of TeslaCrypt have been slowly closing their doors, while their previous distributors have been switching over to distributing the CryptXXX ransomware. ” reported Lawrence Abrams from bleepingcomputer.com that also published a step by step guide to use the Teslacrypt decryption Tool.

“When the ESET researcher realized what was happening, he took a shot in the dark and used the support chat on the Tesla payment site to ask if they would release the master TeslaCrypt decryption key. To his surprise and pleasure, they agreed to do so and posted it on their now defunct payment site.”

Teslacrypt decryption tool
Ransomware is one of the most widespread threats. The last iteration of the TeslaCrypt ransomware spotted by experts at Endgame Inc. has been improved by the implementation of new sophisticated evasion techniques and the ability to target new file types.
The malware was used by crooks in numerous malvertising campaigns targeting high-traffic websites. The ransomware represents a serious threat for netizens and organizations. It is important to maintain aligned fresh backups of data in offline sources.

Recently experts at Kaspersky have issued a decryption tool for another ransomware, the Cryptxxx.

If you are one of the TeslaCrypt victims and want to have instruction on the Teslacrypt decryption tool, give a look to the step-by-step guide published by bleepingcomputer.com.

Android Instant Apps — Run Apps Quickly Without Installation
19.5.2016 Android

Downloading an app is a real pain sometimes when you don't want to install the complete app on your smartphone just for booking a movie ticket, or buying something online. Isn't that?
Now, Imagine the world where you can use any Android app without actually the need to download or even install it on your smartphone.
This is exactly what Google has intended to offer you with its all new Instant Apps feature.
Announced at Google I/O event Wednesday, Android Instant Apps will break down the walls between websites and Android apps by allowing people to tap on a URL and open an Android app instantly, without even having to install it.
As a live demonstration, Google's presenter on stage showed how just clicking a Buzzfeed Video link, which has a dedicated app, opened the relevant part of an app — all in just 2 seconds.
In another demonstration, the presenter showed a link to buy a camera bag at B&H Photo and complete the purchasing process instantly through the shopping cart inside the company's touchscreen-friendly Android app, without even installing the whole app.
For Developers:

Android Instant Apps
Developers who want to provide Instant Apps will have to modularize their already existing apps that can start within a few seconds and users don't have to install the whole app just to use some of its features.
According to Google, some developers with basic apps could even implement Instant Apps support to their apps in as little as a day.
Additionally, alongside with their Instant apps, developers can provide "call to action" links to encourage users to download and install their complete apps if users find them particularly useful.
For Users:

When users click on a Web URL and if that URL has an associated Instant App, users will get a tiny version of that app instead of the website. Once tap, the smartphone fetches some part of the app that users want to use, allowing the app to instantly and seamlessly install.
The user experience with Android Instant Apps is as fast as loading up a web page with the same functionality. So, just don’t bother about Loading…
Instant Apps will run in a secure sandbox and once released, Android Instant Apps feature will work on all smartphones running Android 4.2 (Jelly Bean) or later.
The company will make the feature available via an update to the Google Play Services software coming "later this year."

This App Lets You Find Anyone's Social Profile Just By Taking Their Photo
19.5.2016 Social Site
Is Google or Facebook evil? Forget it!
Russian nerds have developed a new Face Recognition technology based app called FindFace, which is a nightmare for privacy lovers and human right advocates.
FindFace is a terrifyingly powerful facial recognition app that lets you photograph strangers in a crowd and find their real identity by connecting them to their social media accounts with 70% success rate, putting public anonymity at risk.
The FindFace app was launched two months ago on Google Play and Apple’s App Store and currently has 500,000 registered users and processed nearly 3 Million searches, according to its co-founders, 26-year-old Artem Kukharenko, and 29-year-old Alexander Kabakov.
According to The Guardian, FindFace uses image recognition technology to compare faces against profile pictures on Vkontakte, a very popular social networking site in Russia that has over 200 Million users.
Besides showing the social media account of the one you are searching for, FindFace also shows you social media accounts of people who look very much like the person in the photograph.
"It also looks for similar people," Kabakov told The Guardian. "So you could just upload a photo of a movie star you like or your ex, and then find ten girls who look similar to her and send them messages."
Although many people may find the app useful, possibly girls who do not want pervs to contact them and harass them would definitely find this app as a stalking tool.
FindFace has marketed itself as a dating app, but its founders hope to make big money from licensing its algorithm to retail companies and law enforcement, claiming their algorithm can search through a Billion photographs in a matter of seconds on a normal computer.
They said that Russian police had already contacted them about using their facial recognition technology.
Just after the launch of this app, Security firm Kaspersky also tested the FindFace's algorithm in April and found that the app works as accurate as it claims to.
When the security company uploaded posed photographs, the app correctly identified people 90 percent of the time, although when it uploaded photos taken sneakily in public, accuracy decreased.
Are you finding the whole thing a bit scary?
This is the entirely new world of technology and gadgets where nothing is hidden; nobody is anonymous.
So, the app leaves just two option for you: Either wear something on your face to trick the camera, like wearing a hoodie, mask, glasses, while roaming on a street, or you better get used to having no privacy in your new society.
Kaspersky also advised Vkontakte users to make their pictures private and delete old photos from the profile pictures album, if they do not want to be identified by strangers.

Hackers target the campaigns of presidential contenders
19.5.2016 Hacking

The US Director of National Intelligence James Clapper revealed that attackers are targeting the campaigns of US presidential contenders.
At the end of 2015, I published a post titled “2016 Cyber Security Predictions,” one of my prediction is related the rise of cyber attacks related to the US elections.

“Social media are a primary communication method for politicians, the online activity will be intense in the period before the elections and cyber criminals and nation-state actors will try to exploit the event to launch cyber-attacks.” I wrote in the post.

According to the US Director of National Intelligence James Clapper, hackers are targeting the campaigns of Democratic and Republican presidential contenders.

“We already have some indications of that,” he explained during a discussion at the Bipartisan Policy Center in Washington. “I anticipate that as the campaign intensifies, we are probably going to have more of it.”

presidential contenders

The US authorities are aware that threat actors are targeting the US politicians, the Department of Homeland Security and the FBI are issuing multiple warnings to educate them in assuming a proper security posture and avoid being hacked.

“There is a long-standing practice of briefing each of the candidates once they are officially designated, and that shifts in to a higher gear in terms of details after the president-elect is known,” Clapper said.

Clapper confirmed that the US intelligence gathered evidence of several hacking campaigns targeting the campaigns of presidential contenders with different motivations (e.g. cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, hacktivism, financial motivation).

“We’re aware that campaigns and related organizations and individuals are targeted by actors with a variety of motivations — from philosophical differences to espionage,” said the FBI spokesman Brian Hale.

He also reported that the attacks ranged from “from defacements to intrusions.” According to US Intelligence, its experts tracked intrusions by foreign intelligence services into the campaigns for president back in 2008.

According to Clapper, the two candidates would receive “exactly the same” briefings that will be filed to avoid any interference with the programs of the candidates.

“We’ve been doing this for many years, it’s not designed to shape anybody’s worldview,” Clapper addedworldview,” Clapper added

Cyber spies from Suckfly group hacked organizations in India
19.5.2016 Hacking

A crew of cyber spies named Suckfly group is targeting organizations in India, it conducted long-term espionage campaigns against entities in the country.
A group of high professional hackers called Suckfly is targeting organizations in India, according to the experts at Symantec the crew conducted long-term espionage campaigns against the country.

Symantec did not disclose the names of the targeted organizations, it only revealed that the list of the victims includes one of India’s largest financial institutions, a top five IT firm, two government organizations, another a large e-commerce company, and the Indian business unit of a US healthcare company.

In March 2016, experts from Symantec, discovered Suckfly targeting South Korean organizations, the hackers were searching for digital certificates to steal. Later the group launched long-term espionage campaigns against organizations across the world, most of them located in India.

“In March 2016, Symantec published a blog on Suckfly, an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates. Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly. The attacks targeted high-profile targets, including government and commercial organizations.” states a blog post published by Symantec. “These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India.”

The principal weapon in the arsenal of the Suckfly group is the a backdoor called Nidiran that leverage Windows known vulnerabilities to compromise the targets and move laterally within the corporate network.

The experts noticed that the group spent a significant effort to compromise an Indian government department that installs network software for other ministries and departments.

Symantec analyzed the tactics, techniques, and procedures (TTPs) of the hacker group profiling the modus operandi of the attackers. The hackers use to identify employees in the target organization trying to compromise their systems, likely through a spear-phishing attack.

Once inside the target network, the hackers search for other targets to compromise by using hacking tools to move laterally and escalate privileges.

Suckfly group

The nature of the targets, the TTPs of the Suckfly group and the working days in which the group is active (The group operates from Monday to Friday) led the experts into believing that it is a nation-state actor.

“These steps were taken over a 13-day period, but only on specific days. While tracking what days of the week Suckfly used its hacktools, we discovered that the group was only active Monday through Friday. There was no activity from the group on weekends. We were able to determine this because the attackers’ hacktools are command line driven and can provide insight into when the operators are behind keyboards actively working. Figure 4 shows the attackers’ activity levels throughout the week. This activity supports our theory, mentioned in the previous Suckfly blog, that this is a professional organized group.” states Symantec.

Who is behind the Suckfly group?

It is hard to link the Suckfly group to a specific Government, Symantec highlighted that its targets have been India, South Korea, Saudi Arabia, and India.

Giving a look to the C&C infrastructure used by the group, we can notice that several domains were registered by users with the addresses of the Russian email service provider Yandex. Of course, this information alone gives us no added value for the attribution, the unique certainly is that the hackers will continue their campaign in the next months.

“The nature of the Suckfly attacks suggests that it is unlikely that the threat group orchestrated these attacks on their own. We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly’s operations.” states Symantec.

The Rio Olympics: Scammers Already Competing
18.5.2016 Zdroj:Kaspersky Spam

A few years ago, spammers and scammers were not as interested in the Olympics as they were in football (the World Cup and European Championships). The first major increase in the number of spam messages devoted to the Olympic Games occurred in the run-up to the Winter Olympics in Sochi in 2014. Since then, their interest in the Olympics has shown no sign of weakening and the upcoming event in Brazil is no exception.

Back in 2015, a year before the Olympics in Rio, we registered fake notifications of lottery wins allegedly organized by the country’s government and the International Olympic Committee. Similar emails continue to be sent in 2016. The vast majority of these messages contain a DOC or PDF attachment, while the body of the message includes only a brief text asking the recipient to open the attachment.

The Rio Olympics: Scammers Already Competing

The name of the DOC file, the name of the sender and the subject line of the email often mention the Olympic Games.

The Rio Olympics: Scammers Already Competing

The content of these attachments is fairly standard: a lottery was held by an official organization; the recipient’s address was randomly selected from a large number of email addresses, and to claim their winnings the recipient has to respond to the email and provide the necessary personal information.

We also came across emails without attachments; the text written by the scammers was included in the body of the message.

English is undoubtedly the most popular language used in fraudulent emails exploiting the Olympics theme, but we have also registered messages in other languages, for example Portuguese. In these the spammers stuck to the same story of a lottery win, trying to convince the recipient that the email is genuine.

The Rio Olympics: Scammers Already Competing

In addition to fraudulent spam, we have registered unsolicited advertising messages containing offers for various goods and services that, one way or another, use the Olympics to grab the attention of recipients.

For example, spammers have been pushing new TVs for watching sporting events.

The Rio Olympics: Scammers Already Competing

They also promised to make the recipient an “Olympic champion” with the help of magic pills.

The Rio Olympics: Scammers Already Competing

Taking any of these emails seriously enough to reply to them could well leave you out of pocket. But the biggest hit that sporting fans’ wallets are likely to take are from fake ticketing services. We are constantly blocking dozens of newly registered domains with names containing the words “rio”, “rio2016” and so on. Each of these domains hosted good quality imitations of official services offering tickets to sporting events at this summer’s games in Rio de Janeiro.

The Rio Olympics: Scammers Already Competing

The scammers register these domains to make their sites look more credible; for the same purpose, they often buy the cheapest and simplest SSL certificates. These certificates are registered within a few minutes, and certification authorities don’t verify the legal existence of the organization that has issued the certificate. The certificates simply provide data transfer over a secure protocol for the domain and, most importantly, gives fraudsters the desired “https” at the beginning of their address.

The Rio Olympics: Scammers Already Competing

If you examine the whois data for such domains, you will find that they have only been registered recently, for a short period of time (usually a year) and in the names of individuals. Moreover, the detailed information is often hidden, and the hosting provider could be located anywhere, from Latin America to Russia.

The Rio Olympics: Scammers Already Competing

The sites are necessary to implement a simple scam whereby the phishers ask for bank card information, allegedly to pay for tickets, and then use it to steal money from the victim’s bank account. In order to keep the buyer in the dark for some time, the scammers assure them that the payment has been received for the tickets and that they will be sent out two or three weeks before the event.

The Rio Olympics: Scammers Already Competing

As a result, the criminals not only steal the victim’s money but deprive them of the chance of attending the Olympics – by the time they realize they won’t be getting the tickets they booked it will be too late to buy genuine tickets… especially if there’s no money in their bank account.

According to our information, the creation of these fake sites usually involves international cybercriminal groups, each fulfilling its own part of the scam. One group creates a website, the second registers the domains, the third collects people’s personal information and sells it, and the fourth withdraws the cash.

To avoid falling victim to the scammers’ tricks, sports fans should be careful and only buy tickets from authorized reseller sites and ignore resources offering tickets at very low prices. The official website of the Olympic Games provides a list of official ticket sellers in your region and a service that allows you to check the legitimacy of sites selling tickets.

The Rio Olympics: Scammers Already Competing

Also, we strongly recommend not buying anything in stores advertised in spam mailings or advertising banners, whether it’s tickets or souvenirs related to the Olympics. At best, you’ll end up with non-certified goods of dubious quality, and at worst – you’ll just be wasting your money. For those who cannot resist impulse purchases, we recommend getting a separate bank card that is only used for online payments and which only ever has small sums of money on it. This will help to avoid serious losses if your banking information is stolen.

117 Million LinkedIn credentials offered for sale
18.5.2016 Social Site

A hacker who goes by the name “Peace,” is offering 117 million LinkedIn credentials for 5 bitcoin, the precious data come from the 2012 hack.
According to Motherboard, a hacker who goes by the name “Peace,” is offering personal details of 117 million LinkedIn users for 5 bitcoin (around $2,200). The hacker is offering the data in the popular black marketplace The Real Deal, he confirmed to Motherboard that data results from the data breach suffered by LinkedIn in 2012.

LinkedIn credentials and Stolen Data

Following the hack, around 6.5 million encrypted passwords were leaked online, but clearly the incident has a greter magnitude.

“LinkedIn.com was hacked in June 2012 and a copy of data for 167,370,910 accounts has been obtained by LeakedSource which contained emails only and passwords. You can search the hacked LinkedIn.com database and many others on our main site. If you are in this database, contact us and we will remove you from our copy for free.” states LeakedSource who analyzed the archive that includes 167 million accounts, on them roughly 117 million have both emails and encrypted passwords.

According to LeakedSource, the precious archive was kept by a Russian hacker crew.

LeakedSource confirmed that the passwords were hashed with the SHA1 algorithm, with no “salt.”

“One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours.” reported Lorenzo Bicchierai from Motherboard.

Giving a look to the top passwords in the LinkedIn credentials included in the archive we can notice that the top 5 are:

1 123456 753,305
2 linkedin 172,523
3 password 144,458
4 123456789 94,314
5 12345678 63,769
Every other comment is superfluous … shall we?

Of course, all the users that are still using the same credentials included in the archive are at risk and urge to change it as soon as possible.

Hacker puts up 167 Million LinkedIn Passwords for Sale
18.5.2016 Hacking

LinkedIn's 2012 data breach was much worse than anybody first thought.
In 2012, LinkedIn suffered a massive data breach in which more than 6 Million users accounts login details, including encrypted passwords, were posted online by a Russian hacker.
Now, it turns out that it was not just 6 Million users who got their login details stolen.
Latest reports emerged that the 2012's LinkedIn data breach may have resulted in the online sale of sensitive account information, including emails and passwords, of about 117 Million LinkedIn users.
Almost after 4 years, a hacker under the nickname "Peace" is offering for sale what he/she claims to be the database of 167 Million emails and hashed passwords, which included 117 Million already cracked passwords, belonging to LinkedIn users.
The hacker, who is selling the stolen data on the illegal Dark Web marketplace "The Real Deal" for 5 Bitcoins (roughly $2,200), has spoken to Motherboard, confirming these logins come from the 2012 data breach.
Since the passwords have been initially encrypted with the SHA1 algorithm, with "no salt," it just took 'LeakedSource', the paid search engine for hacked data, 72 hours to crack roughly 90% of the passwords.
Troy Hunt, an independent researcher who operates "Have I Been Pwned?" site, reached out to a number of the victims who confirmed to Hunt that the leaked credentials were legitimate.
The whole incident proved that LinkedIn stored your passwords in an insecure way and that the company did not make it known exactly how widespread the data breach was at the time.
In response to this incident, a LinkedIn spokesperson informs that the company is investigating the matter.
In 2015, Linkedin also agreed to settle a class-action lawsuit over 2012's security breach by paying a total of $1.25 million to victims in the U.S, means $50 to each of them.
According to the lawsuit, the company violated its privacy policy and an agreement with premium subscribers that promised it would keep their personal information safe.
However, now new reports suggest that a total 167 Million LinkedIn accounts were breached, instead of just 6 million.
Assuming, if at least 30% of hacked LinkedIn Accounts belongs to Americans, then the company has to pay more than $15 Million.
Meanwhile, I recommend you to change your passwords (and keep a longer and stronger one this time) and enable two-factor authentication for your LinkedIn accounts as soon as possible. Also, do the same for other online accounts if you are using same passwords on multiple sites.

Core Tor Developer who accuses FBI of Harassment moves to Germany
18.5.2016 Safety
One of TOR's primary software developers, Isis Agora Lovecruft, has fled to Germany, following the threat of a federal subpoena.
Lovecruft is a well-known cryptographer and lead software developer for Tor project from many years. She has worked for a variety of other security and encryption products, such as Open Whisper Systems and the LEAP Encryption Access Project.
Since November 2015, the FBI special agents in the United States have been trying to meet with her, but they will not tell her or her lawyer exactly why.
When her lawyer reached out the FBI Special Agent Mark Burnett and asked why he wanted to meet with her, the agent assured the lawyer that she is not the target of any investigation, but also said that…
Also Read: Mozilla asks Court to disclose Firefox Exploit used by FBI to hack Tor users.
The FBI have their agents on the streets in 5 cities in the United States hunting for her, intending to simply ask her some questions without her lawyer's presence.
Lovecruft's lawyer responded by saying that all questions should be directed to him rather than to Lovecruft or her family, but Burnett said that he will not tell her or her lawyer what this involves.
In general, it's not a big deal to have at least a meeting with the FBI agents to know what exactly are the federal agents looking for.
But Lovecruft fears that the federal agents will serve her with some kind of secret warrant, possibly to get her to insert a backdoor in the TOR system and expose TOR users around the world to potential spying.
Must Read: Former Tor Developer Created Malware for FBI to Unmask Tor Users.
So, she packed her suitcase and left the United States for Germany on December 7 last year, accusing the FBI of harassment for the past 6 months.
"I had already been in the process of moving, permanently, to Germany, and had retained a German immigrations lawyer several months prior to these events," Lovecruft wrote in her blog post titled, 'FBI Harassment.'
Although unsure if she was breaking any laws by leaving the country, she booked a flight to Berlin – despite the fact that she didn't intend to use the return ticket – just to avoid raising suspicions.
However, this didn't end the matter, and the FBI Special Agent Kelvin Porter in Atlanta called Lovecruft's lawyer last month, asking him where to send a subpoena for Lovecruft to help testify in a criminal hacking case.
Also Read: Judge Ordered the FBI to Reveal the Source Code of its Tor Hacking Exploit.
Following the Lovecruft's blog post, the Tor Project official Twitter tweeted out in support of their developer, saying "We support our colleague Isis."
In response to this issue, an FBI spokesperson told IBTimes:
"The FBI, as a general policy, does not confirm nor deny investigations, nor comment on the investigative activity unless it is a matter of public record. If someone is alleging harassment of any kind that should be brought to the attention of the government, though it is unclear what specific activity is even being characterized as harassment."
TOR is an anonymity software that provides a safe haven to human rights activists, government, journalists but also is a place where drugs, child pornography, assassins for hire and other illegal activities has allegedly been traded.
Since last few years, the FBI has been trying to break TOR and unmask TOR users identity in several investigations.
The agency has accused of hacking TOR users in an investigation of the world’s largest dark web child pornography site 'Playpen.' The FBI has also compelled Carnegie Mellon University to help them hack TOR users.

CVE-2016-4010 – Watch out a critical bug can fully compromise your Magento shop
18.5.2016 Vulnerebility

The vulnerability CVE-2016-4010 allows an unauthenticated attacker to execute PHP code at the vulnerable Magento server and fully compromise the shop.
The Israeli security expert Nethanel Rubin (@na7irub) has reported a critical flaw (CVE-2016-4010) in the eBay Magento e-commerce platform that could be exploited by hackers to completely compromise shops online.

The vulnerability rated 9.8/10 has been fixed with the Magento version 2.0.6 published yesterday. The fix prevents unauthenticated user or user with minimal permissions to access the platform installation code and execute arbitrary PHP code on the server.

“Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs. Previously, an unauthenticated user could remotely execute PHP code on the server using either REST or SOAP APIs. (These APIs are enabled by default in most installations.)” states the company security advisory.

The independent researcher Nethanel Rubin confirmed that attackers can execute arbitrary PHP code in unpatched systems exploiting several smaller flaws.

“The vulnerability (CVE-2016-4010) allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post.” reads a blog post published by Rubin .

“This vulnerability works on both the Community Edition and Enterprise Edition of the system.”


In his post, Rubin has detailed the attack chain explaining how the attacker can exploit the flaw in the Magento platform. The attack chain relies on REST or SOAP RPCs that are enable by default in the majority of installations.

“The “API” directory is made out of different PHP files, each containing one PHP class, responsible for exposing some of the module functionality to the rest of the system.” wrote Rubin. “Magento’s Web API is allowing two different RPCs – a REST RPC, and a SOAP API. Both RPCs provide the same functionality, the only difference between the two is that one is using JSON and the HTTP query string to transfer its input, while the other uses XML envelopes.
As both are enabled by default, I will use SOAP API in this document as I find it more understandable.”

Experts at Magento have spent a significant effort to release the fix in a short time, they had improved the code in a significant way.

Rubin defined the effort as a “huge step forward.”

If you are running a Magento online store you have to update it to the 2.0.6 patch asap.

Hacker Interviews – Speaking with GhostShell
18.5.2016 Hacking

GhostShell is back and I had the opportunity to interview him. It is important to understand the thoughts and opinion of talented minds like GhostShell.
Yesterday I reported the news of the return of one of the most popular hacker, Ghost Shell who exposed data from 32 companies and launched a new campaign to punish negligent network administrators.

Who is GhostShell? It is too simple to label it as a hacker or hacktivist … I decided to go behind the scene and reach him for an interview. … I decided to go behind the scene and reach him for an interview.

GhostShell Tweet

I believe it is important to understand the thoughts and opinion of talented minds like GhostShell. Hackers have their codes, their experiences, their growth paths, knowledge of which is crucial for people who actually live cyber security.

Let me thank GhostShell for his availability, I really appreciated it.

Enjoy the Interview!

What are your motivations? Why do you hack?

I have plenty of reasons for hacking. For starters I’m a hacktivist so my public hacks and leaks are politically

motivated. The reasons vary for each of them. In the past they’ve been focused on topics such as the educational sector or the abuse of governments towards its people in places like Russia or China. Other times they were more aimed at the authorities in the US for arresting other fellow hackers across the world. Or even widespread corruption in other parts of the world, like Africa.

Behind the scene, I take pleasure in exploring the internet without any restrictions or anyone judging me for it.

To be able to explore any part of this new and ever-changing world to your heart’s desire gives you a brief taste of true freedom. Like a cold breeze in a hot summer day, short but memorable.

What is your technical background and are you an IT professional?

Can’t really say that I have an official (technical) background in this industry. Everything that I know or can do I’ve studied and learned on my own. In fact, when I first appeared on the scene, it was just me with a twitter account and zero followers. I literally had no friends or contacts. The reason why I even bring this up is to prove that you don’t need any sort of professional help from a private class course or governmental training to learn about cybersecurity. Anyone with a bit of curiosity and determination can pursue any topic out there associated with this field.

Some of the topics that I have been attracted to over the years have ranged from general pen testing, general programming in various languages, cryptology – cryptography although with a bigger focus on cryptanalysis, since code breakers are almost non-existent nowadays. Infiltrating and extracting private data is one thing but what happens when you stumble upon encrypted data? Being a regular MD5 password cracker with rainbow tables just doesn’t cut it anymore. Hackers have to evolve and adapt in parallel with this ever-changing environment.

As an exclusive tidbit of information that I would like to share is that I have a presence in plenty of other industries, not just this one. I have been a game developer for years, both as a game programmer and designer. Or a theory hardware hacker in robotics, mostly engaged in breadboard simulation and light programming. But also involved in other non-IT industries.

I cannot really mention more or even go into too many details. As mentioned before, earlier this year in my outing, the moment you release any sort of private information about yourself or others it no longer becomes yours but everyone else’s. However, if there’s someone out there interested in cybersecurity and wants to learn how to pen test then they should start by looking up every single tutorial on the open net.

Most of the information, exploits, step-by-step tutorials can all be found online. Places like OWASP are pretty cool for beginners to read more on the different types of attacks out there and pretty much every source of freely available information, from blogs to online videos, can help tremendously, especially when you’re a newcomer.

Newcomers should never feel discouraged in their pursuit for knowledge. Regardless of what any and every paid troll or ignorant researcher may label us as, take pride in the knowledge you have accumulated so far and make way to acquire even more. For me, when it comes to cybersecurity, hacking is basically coding and security testing. People, especially outsiders or the usual upper-class middle-aged men from the west that are part of this industry, are too bent on name branding everything/everyone and micromanaging the cultural aspect of things. My only advice to them would be less judging, more security testing.

What was your greatest challenge?

My greatest challenge for me was holding back from the systematic destruction of every single person from the industry working on my case. This started back at the beginning of 2013 when I took my first break because of them and has lasted up until this very day. I have been aware of the people assigned to my case since the start, from the federal agents to the private companies aiding them. In 2013, I was prepared to leak all their identities and point fingers at all the exact honeypots from the scene where hackers are herded and actively entrapped, but I held back.

To put someone’s identity and life on display for the world to judge and critique while you laugh at their own misfortune is something that the authorities do for a living.

I wasn’t about to become the same medieval animal as them.

What was your greatest hacking challenge?

I don’t really have a specific target in mind but I’m pretty sure that the most difficult and equally irritating cyberspace for me was South Africa’s slow connections, poorly configured encodings on the site, and overall tricky measures incorporated into their systems made my campaign there one of the worst hacker experiences I’ve ever had.

I suppose that’s me complimenting their cyberspace since they made me feel like I was stuck in quicksand while pen testing their domains. Props.

Another challenging territory to attack is China. The slow connections play a huge role here as well, add to that the new and unique encodings never seen before in western networks all the while you’re trying to map out a hermit cyberspace that houses a solid population of over 500 million netizens and you end up with quite a handful of things to worry about. There are more than half a billion users there but realistically how many people on Twitter can name at least 10 websites from mainland China? The ignorance and lack of information in the west will one day end up in our own downfall.

What scares you the most on the internet?

People. People scare me. Especially those with even a shred of power at their disposal that are incapable of suppressing their urges from abusing it.

I have the knowledge to make and break this digital reality yet you don’t see me actively taking down websites, altering server data or leaking compromising information about any individual such as up to date banking information or private medical records. Even in this recent leak dubbed Light Hacktivism where I’ve strayed a bit away from that, the few examples given were either outdated/expired credentials or redacted medical data that had nothing to do in general with a patient but with the establishment itself. That’s a courtesy that you don’t see all too often around here, considering how a lot of this information is available en mass on the internet, unprotected for anyone to see.

I can’t claim all the higher moral ground here either since I also have my faults and failures but they don’t even come close to those of grown ass men working for or with governments to both surveil and entrap children and young people. It makes me sick to my stomach to witness federal agencies parading around 15 year olds through the press, branding them criminals or terrorists simply because they were curious to test a network’s security or naive enough to fall into another one of the usual generic entrapments.

What would you change about the cybersecurity industry and why?

You mean apart from the medieval practices of using children and young people as escape goats for an industry that basically exploits them? How many times have we seen news about the end of days on the internet?

Companies overreacting to our hacks while peddling their own broken products, the feds entrapping us with whatever is politically trendy, all the while the bystanders sit on the fence calling us criminals or terrorists that need to be put behind bars.

If I had to pick a set of topics that need everyone’s attention in the near future, it would be these:

The changing of federal practices when it comes to official investigations of hackers, especially hacktivists.The psychological trauma of being constantly obfuscated, being surveilled and misinformed for years is far greater than any of the people working on the scene could think. Paranoia, insomnia, depression, panic attacks, various other disorders end up causing a permanent scar on our minds, even after we’ve been caught and reintegrated back into society.
The on-going exploitation of children and young hackers by the corporations has to end. How much money have they all made off our backs? How many customers did they acquire after pointing their fingers in our direction and claiming that the cyberarrmagedon is upon us and that the only salvation is through their software? I can’t even call these people businessmen but rather a new digital form of religious fanatics, piggy-back riding on our infamy.
The cybersecurity industry needs more women. And I’m not talking about chicks that rock the chair in marketing, public relations, recruiting, and accounting or as secretaries. I’m talking about actual cybersecurity experts.
How many women do you know that are hackers or pen testers? What about as networking architects? Data mining experts?

Hacktivists? If anyone out there can name 5 of them from each of those categories then you’ve just won the internet but if you can’t even name 1 or 2 without looking it up then you know we have a problem. A diverse industry leads to a diverse set of ideas, which leads to more innovative creations. That much is a no brainer to anyone. Let’s try to make a change for the better. Together.

A serious talk about the future of cybersecurity. And here I mean less the software and more the people. Because at the end of the day the people are the ones that make up the industry. We should talk more often about the sensitive problems we’re facing, like drugs abuse or alcohol. We have been pointing it out in the past but we never really came to any conclusion. Can we do something about it? Can we help prevent hackers and security professionals from becoming drug addicts or alcoholics? Maybe we need a support group for them. Maybe we need to stop being so judgmental and more understanding when bringing up the subject. Maybe that’s how we prevent certain disasters.

Maybe it’s all linked to those three other points above.

Why did you agree to this interview? You’re usually reserved in giving them so why give one now?

Because I respect you as a journalist. You’re one of the original team of independent people that have reported on the hacker scene since before I even arrived. You’ve reported on my projects and activities from the very beginning and I wanted to thank you for it. Same goes for all the other infosecurity enthusiast. You guys have no idea how amazing it is to have journalists that report on our activities while sitting at the same level as us. It helps bridge that gap between hacker and journalist. After the Hacker Team journo list was formed I thought things were going to change and some hacker activities obfuscated but I’m glad that things have remained the same.

We all need down-to-earth journalists that can do their job of reporting on real-time news and for that I’m thankful.

Hacker finds flaws that could let anyone steal $25 Billion from a Bank
18.5.2016 Hacking
A security researcher could have stolen as much as $25 Billion from one of the India's biggest banks ‒ Thanks to the bank's vulnerable mobile application.
Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code.
Being a white hat hacker, Prakash immediately reached out to the bank and alerted it about the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from the bank that has about 25 Billion USD in Deposits.
While analyzing the mobile banking app, Prakash discovered that the app lacks Certificate Pinning, allowing any man-in-the-middle attacker to downgrade SSL connection and capture requests in plain text using fraudulently issued certificates.
Also Read: Hackers Stole $80 Million from Bangladesh Bank.
Besides this, Prakash also found that the mobile banking app had insecure login session architecture, allowing an attacker to perform critical actions on the behalf of targeted account holder without knowing the login password, like seeing victim's current account balance and deposits, as well as to add a new beneficiary and making illegal transfers.
"So invoking the fund transfer API call directly via CURL, bypassed the receiver/beneficiary account validation. I was able to transfer money to accounts that weren't on my beneficiary list," Prakash wrote in his blog post.
"It was a matter of 5 lines of code [exploit] to enumerate the bank's customer records (Current Account Balance, and Deposits)."
Stealing Money from Anyone Else's Account
If this wasn't enough, Prakash discovered that the app did not check to see if the given customer ID or Transaction Authorisation PIN (MTPIN) ‒ used for critical controls like transferring funds, creating a new fixed deposit ‒ actually belong to the sender's account.
This blunder in the mobile banking app could have allowed anyone with the app and an account in the bank to transfer money from someone else's account, reported by Motherboard.
"I tested [the hack] with a bunch of accounts belonging to my family. Few of those accounts don't even have net banking or mobile banking activated," Prakash added. "And it all worked like a charm."
However, instead of taking advantage of these bugs, Prakash responsibly emailed the bank on November 13, 2015, and within few days, bank’s deputy general manager informed him that the security flaws had been fixed, without rewarding him with a bug bounty, that's unfair.

1 Million Computers Hacked for making big Money from Adsense
18.5.2016 Hacking
A group of cyber criminals has infected as much as 1 Million computers around the world over the past two years with a piece of malware that hijacks search results pages using a local proxy.
Security researchers from Romania-based security firm Bitdefender revealed the presence of this massive click-fraud botnet, which the researchers named Million-Machine Campaign.
For those unaware, Botnets are networks of computers infected with malware designed to take control of the infected system without the owner's knowledge, potentially being used for launching distributed denial-of-service (DDoS) attacks against websites.
The malware in question is known as Redirector.Paco that alone has infected over 900,000 machines around the world since its release in 2014.
The Redirector.Paco Trojan infects users when they download and install tainted versions of popular software programs, such as WinRAR, YouTube Downloader, KMSPico, Connectify, or Stardock Start8.
Once infected, Paco modifies the computer's local registry keys and adds two new entries disguised as "Adobe Flash Update" and "Adobe Flash Scheduler," to make sure the malware starts after every computer boot-up process.
Besides this, the malware drops JavaScript files that downloads and implements a PAC (Proxy Auto Configuration) file that hijacks all Web traffic, ensuring traffic routes through an attacker-controlled server.
Search Engine Display Fake Results even Over HTTPS
Paco then sniffs all Web traffic originating from the infected computer and looks for queries made over popular search engines like Google, Bing, or Yahoo! and replace the actual results with fake Web pages, mimicking their real User Interface.
The botnet has the ability to redirect search engine results even when the results are served over encrypted HTTPS connections. To do so, the malware uses a free root certificate ‒ DO_NOT_TRUST_FiddlerRoot ‒ that avoid your browser showing HTTPS errors.
"The goal is to help cyber-criminals earn money from the AdSense program," Bitdefender's Alexandra Gheorghe said in a blog post. "Google's AdSense for Search program places contextually relevant ads on Custom Search Engine's search results pages and shares a portion of its advertising revenue with AdSense partners."
Although the malware tries to make the search results look authentic, some markers can raise suspicions, like messages showing "Waiting for proxy tunnel" or "Downloading proxy script" in the status bar of your web browser.
Additionally, the search engine takes longer than usual to load results, and the typical yellow 'O' characters in Google above the page numbers are not displayed, according to researchers.
The security firm says that majority of victims are from India, Malaysia, Greece, the United States, Italy, Pakistan, Brazil, and Algeria.
However, to avoid these kinds of cyber threats, following standard security measures could save your ass, such as keep your system and antivirus up-to-date, and always keep an eye on warning that says something is not right with your computer.

Watson Is Getting Ready from IBM to Deal with Hackers
18.5.2016 Hacking

IBM has targeted hackers, bringing Watson (its computer brain) in the game, with the help of eight prominent US universities
IBM’s computer brain, or else Watson, has been known to multitask, already involved in fighting cancer and cooking and so many other things. Right now, the focus of IBM has been placed towards dealing with hackers and therefore a whole campaign has got ready for educating Watson accordingly. In specific, Watson for Cybersecurity is the new project launched by IBM, including the participation of eight universities for offering their knowledge to Watson. The target is of course cybercrime!

Since there is a lot to take in, the primary educational goal is to process about 15,000 documents on a monthly basis. All the documents will be related to cyber security, so as for Watson to develop a deep and thorough understanding of the terms used and the concepts involved. Even though the contribution of the universities is going to be crucial at first, eventually Watson will be properly educated towards processing everything on its own.

ibm watson

Apparently, in the long run the goal of IBM is to have a powerful ally that will handle a gigantic volume of data related to cyber security. As a result, Watson is going to be super-efficient in dealing with any threats emerging and coming up with the perfect solutions to all similar problems. Due to the fact that there are quite a few false positives in the alerts sent over to tech specialists, it is extremely difficult to address the threats and either classify them as serious or ignore them. Watson will be able to do that, unlike humans.

Instead of replacing the tech specialists, Watson is going to provide exceptional knowledge and invaluable help to them. With the help of Watson in dealing with excessive quantities of data and with the personalized look of the experts, cyber security will be proven exquisitely effective! Rather than just blocking the threat, they will be able to prevent similar threats coming up in the future. This is definitely precious, especially in the delicate environment of cyberspace.

Among the universities laying a helping hand in this ambitious, optimistic scheme, we find MIT (Massachusetts Institute of Technology), New York University and California State Polytechnic University Pomona. Good luck to IBM and its computer brain!

Ukrainian Hacker Admits Stealing Corporate Press Releases for $30 Million Profit
17.5.2016 Hacking

A 28-year-old Ukrainian hacker has pleaded guilty in the United States to stealing unpublished news releases and using that non-public information in illegal trading to generate more than $30 Million (£20.8 Million) in illicit profits.
Vadym Iermolovych, 28, admitted Monday that he worked with two other Ukrainian hackers to hack into computer networks at PR Newswire, Marketwired and Business Wire, and steal 150,000 press releases to gain the advantage in the stock market.
The defendants then used nearly 800 of those stolen news releases to make trades before the publication of the information, exploiting a time gap ranging from hours to 3 days.
The trades would occur in "extremely short windows of time between when the hackers illegally accessed and shared the [news] releases and when the press releases were disseminated to the public by the Newswires, usually shortly after the close of the markets," said the Department of Justice in a press release.
Thirty-two people have been charged in connection with the global scheme to hack into services that distribute corporate news releases and then rapidly pass the stolen information to stock market traders in the US, resulting in more than $100 Million of profit.
The group hacked the computer networks of Marketwired LP, PR Newswire Association LLC, and Business Wire between February 2010 and August 2014 using phishing and SQL injection techniques, the Justice Department says.
The group traded the stolen information with the companies including Align Technology, Caterpillar, Hewlett Packard, Home Depot, Panera Bread and Verisign.
Iermolovych was initially arrested in November 2014 on credit card fraud and computer hacking-related charges, the U.S. Attorney Paul Fishman in New Jersey said.
Iermolovych has pleaded guilty to up to three charges including conspiracy to commit computer hacking, conspiracy to commit wire fraud, and aggravated identity theft.
The other accused Ukrainian hackers include Oleksandr Ieremenko and Ivan Turchynov.
Iermolovych will be sentenced on August 22 in Newark, New Jersey and could face up to 20 years in jail.

GhostShell is back and exposed data from 32 companies hacked through Open FTP

17.5.2016 Hacking

GhostShell is back, it exposed data from 32 companies and launched a new campaign to punish negligent network administrators.
The popular hacker crew GhostShell is back and is launching a new campaign to sensitize administrators to the importance of a proper security posture, but he’s doing it in his own way.

GhostShell Tweet

GhostShell is a group of hacktivists most active in 2012 that targeted systems worldwide, the list of victims is long and includes the FBI, NASA, the Pentagon, and the Russian government.

Three years ago the group launched its last attack, we had no news about the popular hackers since 2015 when the Team GhostShell conducted a number of cyber attacks against various targets, including the Smithsonian photo contest website, The Church of Jesus Christ of Latter-day Saints, Socialblade, and the Exploratorium in San Francisco.

In March 2016, G.Razvan Eugen (24) claimed to be the founder of the popular collective Team GhostShell.

Now the dreaded collective is back and leaked data \, their system administrators left FTP directories open. In some cases, the GhostShell hackers exploited poor FTP configuration as the entry point in the target networks and then to move laterally compromising other systems.

GhostShell leaked dumped data online from the following 32 organizations:

ghostshell targets

The leaked data contains several types of information, including credit card details, user name and email combinations some with and without encryption. Experts at Risk Security Based firm who analyzed the leaked data have found 1,181 unique email addresses from 521 different providers.

“The Light Hacktivism leak is a similar style and format as to what we have seen in the past from Razvan. It is comprised of data collected from 30 unique sites and contains varying types of data including credit card details, user name and email combinations some with and without encryption. All together, we have detected 1,181 unique email addresses from 521 different providers. A large portion of the affected sites appear to be data from educational institutions which have been open on the Internet for some time.” wrote RSB.

The hackers leaked the data online end left the following message on Pastebin, at the time I was writing the post has been removed by the administrator of the service.

“This is me raising awareness to the on-going open FTP directories that still plague the net even after all these decades. Despite warnings in the past about the dangers posed by leaving your ports open and unprotected, netizens small and large are still paying no attention to it effectively leaving their networks unprotected to even the newbies of this industry.

I’ve comprised a list of targets that range across the field, from government, educational, medical, industrial, retail, personal and many others. Since I wanted to clear and taken serious about this I have leaked some credit cards information, however it is recently expired, however I am willing to prove more in private to any researcher out there that even CC/CCv is stored in plaintext on open ports. Medical data is also present but it has been censored, the sensitive stuff. Still, accounts – usernames, password are present. Personal identities, names, addresses, phone numbers etc. are also there.

Never underestimate the most simple vulnerabilities out there as they often time end up being anyone’s downfall. Light Hacktivism is about finding and exposing those vulnerabilities to the public so that they can be patched.

Millions of people at risk everyday due to sheer laziness and incompetence.”

It seems that the group has the intention to hit more targets in the short period and their negligent admins.

Stay Tuned …

Apple Patches DROWN, Lockscreen Bypass Vulnerability, With Latest Round of Updates

17.5.2016 Apple

Apple on Monday rolled out a series of patches for nearly all of its operating systems, OS X, iOS, its smart watch operating system, watchOS, and Apple TV’s tvOS, along with fixes for both iTunes and Safari. OS X received the lion’s share of the updates, 67 in total, bringing Apple’s operating system El Capitan to version 10.11.5. Among the fixes, the OS X update finally resolves the DROWN vulnerability, first detailed back in March by a cooperative of 15 researchers. The vulnerability stems from a flaw in SSLv2 that relates to export-grade cryptography and could have let an attacker leak user information. Apple claims it fixed the issue by disabling SSLv2 in Tcl, an embeddable dynamic language interpreter. Roughly 25 of the 67 OS X patches address vulnerabilities that could ultimately lead to code execution, including 19 issues that could trigger an application to execute code with kernel privileges. Six more could result in either application termination or arbitrary code execution and primarily stem from flaws in graphics standards and frameworks like SceneKit, Quicktime, and OpenGL, and libraries like libxml2 and libxslt. While most of the issues exist in Apple’s most recent operating system, El Capitan, 12 bugs were fixed in Mavericks 10.9.5 and 14 in Yosemite 10.10.5. The libxslt issue in particular, dug up by Sebastian Apelt, a researcher at the German pentesting firm Siberas, exists in all three operating systems. The vulnerability also affects iOS, tvOS, and watchOS by extension, since the XSLT C library exists in each operating system. If an attacker tricked a user into visiting a malicious site, the vulnerability could lead to code execution. The same 19 issues that could let an application execute code with kernel privileges in OS X also affect iOS but were fixed Monday. In addition, two issues in Messages – also present in OS X – were fixed, including one that could have let an attacker modify a users’ contact list, and another that could have let attackers leak sensitive user information. The iOS update also remedies a lockscreen bypass vulnerability that could have allowed access to contacts and photos. Spanish iPhone researcher, Jose Rodriguez a.k.a videodebarraquito, has dug up a handful of lockscreen bypass bugs in the past and is credited by Apple for finding this particular vulnerability. Apple also took the opportunity on Monday to patch a handful of issues in platforms like watchOS and tvOS, many of the same bugs it patched in iOS and OS X. Just a single issue needed to be fixed in iTunes: A dynamic library loading issue that could have led to code execution. Only seven vulnerabilities were addressed with this week’s Safari update, five that could lead to code execution and two that could lead to the leaking of data. The vulnerabilities could still easily make their way into attackers’ toolkits however, experts claim. “Such vulnerabilities are hooks for phishers to use to bait users to visit malicious websites and compromise their systems,” warned Chris Goettl, director of product management at LANDESK. “If you have any doubt, make sure Safari is up to date quickly as the five arbitrary code vulnerabilities will undoubtedly be useful for targeting users,” Goettl said. The updates come roughly two weeks after Apple’s last set of patches, when it fixed two issues in its development environment Xcode, as they relate to its implementation of git.

ATM infector
17.5.2016 Zdroj: Kaspersky Virus

Seven years ago, in 2009, we saw a completely new type of attack on banks. Instead of infecting the computers of thousands of users worldwide, criminals went directly after the ATM itself – infecting it with malware called Skimer. Seven years later, our Global Research and Analysis Team together with Penetration Testing Team have been called on for an incident response. They discovered a new, improved, version of Skimer.

Virus style infections

Criminals often obscured their malware with packers to make analysis more difficult for researchers. The criminals behind Skimer also did this, using the commercially available packer Themida, which packs both the infector and the dropper.

Once the malware is executed it checks if the file system is FAT32. If it is, it drops the file netmgr.dll in the folder C:\Windows\System32. If it is an NTFS file system, the same file will be placed in the NTFS data stream corresponding to the XFS service´s executable file. Placing the file in an NTFS data stream is most likely done to make forensic analysis more difficult.

After successful installation, the sample patches the XFS executable (SpiService.exe) entry point, in order to add a LoadLibrary call to the dropped netmgr.dll file. This file is also protected by Themida.

ATM infector

Entry point in SpiService.exe before infection

ATM infector

Entry point in SpiService.exe after infection

After a successful installation the ATM is rebooted. The malicious library will be loaded into the SpiService.exe thanks to the new LoadLibrary call, providing it with full access to XFS.


Unlike Tyupkin, where there was a magic code and a specific time frame where the malware was active, Skimer only wakes up when a magic card (specific Track 2 data, see IOCs at the bottom of this blogpost) is inserted. It is a smart way to implement access control to the malware’s functionality.

Once the magic card is inserted, the malware is ready to interact with two different types of cards, each with different functions:

Card type 1 – request commands through the interface
Card type 2 – execute the command hardcoded in the Track2
After the card is ejected, the user will be presented with a form, asking them to insert the session key in less than 60 seconds. Now the user is authenticated, and the malware will accept 21 different codes for setting its activity. These codes should be entered from the pin pad.

Below is a list of the most important features:

Show installation details;
Dispense money – 40 notes from the specified cassette;
Start collecting the details of inserted cards;
Print collected card details;
Self delete;
Debug mode;
Update (the updated malware code is embedded on the card).
During its activity, the malware also creates the following files or NTFS streams (depending on the file system type). These files are used by the malware at different stages of its activity, such as storing the configuration, storing skimmed card data and logging its activity:

C:\Windows\Temp\attrib1 card data collected from network traffic or from the card reader;
C:\Windows\Temp\attrib4 logs data from different APIs responsible for the communication with the keyboard (effectively logging data such as the pin);
C:\Windows\Temp\mk32 same as attrib4;
C:\Windows\Temp:attrib1 same as the homologue file;
C:\Windows\Temp:attrib4 same as the homologue file;
C:\Windows\Temp:mk32 same as the homologue file;
C:\Windows\Temp:opt logs mule´s activity.
ATM infector

Main window

The following video details the scenario on how money mules interact with an infected ATM as described above.


During our recent Incident Response cases related to the abuse of ATMs, we have identified Tyupkin, Carbanak and black box attacks. The evolution of Backdoor.Win32.Skimer demonstrates the attacker interest in these malware families as ATMs are a very convenient cash-out mechanism for criminals.

One important detail to note about this case is the hardcoded information in the Track2 – the malware waits for this to be inserted into the ATM in order to activate. Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware.

We also recommend regular AV scans, the use of whitelisting technologies, a good device management policy, full disk encryption, the protection of ATM BIOS with a password, only allowing HDD booting, and isolating the ATM network from any other internal bank networks.

Kaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting ATMs made by just one manufacturer. The most recent version was discovered at the beginning of May 2016.

All samples described are detected by Kaspersky Lab as Backdoor.Win32.Skimer. Patched SpiService.exe files are detected as Trojan.Win32.Patched.rb

As this is still an ongoing investigation, we have already shared the full report with different LEAs, CERTs, financial institutions and Kaspersky Lab Threat Intelligence-Service customers. For more information please contact intelreports@kaspersky.com

Appendix I. Indicators of Compromise





Track 2 data


Bug in Symantec’s anti-virus engine can lead to system compromise

17.5.2016 Vulnerebility

Google Project Zero researcher Tavis Ormandy has unearthed a critical remote code execution vulnerability in the anti-virus engine powering Symantec’s endpoint security products (including Norton-branded ones).

The flaw (CVE-2016-2208) has been responsibly disclosed to the company, and it released a new version of its Anti-Virus Engine (v20151.1.1.4) with the fix incorporated. It will delivered to customers via LiveUpdate along with the usual definition and signature updates, Symantec reassured.

In the security advisory accompanying the security update, Symantec noted twice that “the most common symptom of successful exploitation resulted in an immediate system crash,” aka the “Blue Screen of Death.”

anti-virus engine

There’s more to it, though.

“On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability – this is about as bad as it can possibly get,” Ormandy explained.

“On Windows with Symantec Endpoint Antivirus, this vulnerability permits code execution as NT AUTHORITY\SYSTEM in the ccSvcHost.exe process. On Norton Antivirus for Windows, this code is loaded into the kernel and results kernel pool corruption.”

The flaw can be triggered without any user interaction. It’s enough that the user receives a malformed portable-executable (PE) header file via email or downloads it (intentionally or unintentionally) from a website, and Symantec software will start scanning it for malware and trigger the exploit.

There is no indication that the flaw is currently being exploited in the wild.

Ormandy said that aside from this Anti-Virus Engine bug, he discovered and notified the company about other (7 or 8) critical RCE vulnerabilities in their products. To fix these, users will have to download a patch (when made available).

The blackmarket Silk Road 3.0 emerged from the Dark Web

17.5.2016 Crime

The administrator of Crypto Market launched Silk Road 3.0, the fourth iteration of the popular black market (Silk Road, Silk Road 2.0, Silk Road Reloaded).
We all know that Silk Road was one of the greatest black marketplaces in the criminal underground, but many ignore that someone is still running the fourth iteration of the popular black market (previous are Silk Road, Silk Road 2.0, Silk Road Reloaded), Silk Road 3.0.

It was announced recently on Reddit and other crime forums, it is being managed by the same by the administrator of the Crypto Market black market.

silk road 3

The access to the Silk Road 3.0 black market is very easy, the registration is open and it is easy to note the number of illegal goods offered for sale is growing day by day.

Silk Road first appeared online back in February 2011, it operated until the FBI seized it and arrested its main operator Ross Ulbricht, who has since been sentenced to life in prison. A second iteration, Silk Road 2.0 appeared on the dark web a few months later the seizure of the original black markets, but the US law enforcement immediately shut down it and arrested Blake “Defcon” Benthall, the alleged operator of the popular underground black market.

In January 2015, a third incarnation of the black market dubbed Silk Road Reloaded appeared in the dark web, it implemented new anonymizing features, including I2P connectivity and the possibility to pay for the goods with several virtual currencies, including Bitcoin, Darkcoin, Dogecoin, and Anoncoin.

The marketplace closed very soon because it was not able to attract users.

What will happen to the new born market?

Difficult to say, the evolution of the Silk Road brand in the last years suggests that it could be a new commercial failure. Many experts consider the Silk Road saga ended, this new black market is not related to the original one, but we cannot ignore the association with Crypto Market, which is considered in the criminal community a reliable market.

The onion address for the Silk Road 3.0 is

The popular crime forum Nulled.io pwned by hackers
17.5.2016 Hacking

The popular crime forum Nulled.io has suffered a serious security breach that exposed personal details of more than 500K users and their activities.
Nulled.io is a popular crime forum with roughly 500,000 users that but and sell any kind of product and services and share information regarding illegal practices.

According to the Risk Based Security, last week the Nulled.io forum has suffered a security breached that exposed details of its members and more than 800,000 personal messages exchanged by the users of the hacker forum.

“Last week a well known “hacker” forum became victim to the fast growing list of over 1,076 data breaches that have occurred so far in 2016. The Nulled.IO forum was compromised and data was leaked on May 6th consisting of a 1.3GB tar.gz compressed archive which when expanded is a 9.45GB SQL file named db.sql.” reported Risk Based Security.

On May 6, the attackers leaked a 1.3Gb compressed archive containing a 9.45Gb database that included the details of more than 536,000 user accounts (usernames, hashed passwords, registration dates, email addresses, and IP addresses).

The popular cyber security expert Troy Hunt has already added the stolen account credentials to the Have I Been Pwned service.

Have I been pwned? ‎@haveibeenpwned
New breach: Nulled cracking forum had 599k email addresses exposed last week. 25% were already in @haveibeenpwned https://haveibeenpwned.com/
2:12 PM - 9 May 2016
24 24 Retweets 15 15 likes
The hackers also leaked thousands of purchase records and invoices.

“If law enforcement obtains this information, (which no doubt they already have) it can be used to filter out any “suspects” under investigation for possibly conducting illegal activities via the forums. With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts.” continues the post.

The experts that analyzed the archive noticed the presence of a table containing personal details of VIP users.

The archive includes detailed information about transactions completed by VIP users, including their PayPal email addresses.

“Further we find API credentials for 3 payment gateways (Paypal, Bitcoin, Paymentwall) as well as 907,162 authentication logs with geolocation data, member id and ip addresses, and 256 user donation records that are able to be matched to the user with member id.” continues the post.

The experts from Risk Based Security several email addresses belonging to government across the world, including United States, Jordan, and Brazil.

At the time I was writing it is still unknown who is behind the attack neither how the hackers breached the Nulled.io crime forum that is powered by the IP.Board forum framework. Experts speculate that the attackers might have exploited a flaw in the IP.Board forum software.

Experts at Sucuri reported multiple attacks against IP.Board forums leveraging on the ImageMagick flaw.

Daniel Cid ‎@danielcid
In addtiion to vBulletin, seeing a few #ImageTragick attempts against "app=members&module=profile&section=photo&do=save" on IP.Board
5:47 AM - 9 May 2016
3 3 Retweets 2 2 likes
Daniel Cid, founder and CTO of Web security firm Sucuri, noted last week that IP.Board forums had been targeted in attacks exploiting a recently disclosed ImageMagick flaw.

Currently the Nulled.io crime forum is down.

Nulled io data breach

Nulled io data breach

Redirector.Paco, a Million-Machine Clickfraud Botnet

17.5.2016 BotNet

According to the experts at Bitdefender an HTTPS hijacking click-fraud botnet dubbed Redirector.Paco infected almost 1 million devices since now.
Security experts at Bitdefender spotted a new click fraud botnet dubbed Redirector.Paco that has been around at least since September 2014 and has already infected more than 900,000 devices over the years.

Crooks behind the Redirector.Paco aimed to create a clickbot that is able to redirect all traffic performed when using a search engine (i.e. Google, Yahoo or Bing) and to replace the legitimate results with others decided by hackers to earn money from the AdSense program.

“To redirect the traffic the malware performs a few simple registry tweaks. It modifies the “AutoConfigURL” and “AutoConfigProxy” values from the “Internet Settings” registry key so that for every request that a user makes, a PAC (Proxy auto-config) file will be queried. This file tells the browser to redirect the traffic to a different address.” states a blog post from BitDefender.

The experts highlighted the existence of some indicators that could be associated with the fraudulent activity of the botnet, including:

Displaying messages like “Waiting for proxy tunnel” or “Downloading proxy script” in the status bar of the browser.
Long page loading time for Google page.
Missing “o” characters above the number of search result pages.
The threat actors behind the Redirector.Paco botnet used to deliver the malware by bundling it with installers for benign applications, such as WinRAR and YouTube Downloader.

In one of the attacks spotted by the experts at Bitdefender, the installers dropped JavaScript files that modify the “Internet Settings” registry key in order to change the behavior of the web browser and force it into using a proxy auto-configuration (PAC) file created by the attacker to provide fake search results. The attackers also rely on a root certificate so that any connection that goes through the server specified in the PAC file looks private without raising suspicion.

“As shown, any request to any page that starts with https://www.google or https://cse.google will be redirected to the IP 93.*.*.240 on port 8484. However, at this point, since the requests are made on the HTTPS protocol, they will be accompanied by a warning that alerts the user that there is a problem with the certificate.” continues the post. “Update.txt downloads and installs a root certificate so that any connection that goes through the server specified in the PAC file looks private.”

The experts also spotted a variant of the Redirector.Paco botnet that relies on a .NET component that modifies search results locally by setting up a local server without redirecting traffic to an external server.

Most infected devices are located in India, but experts observed several infections also in the United States, Malaysia, Greece, Italy, Brazil and other African countries.

Redirector.Paco botnet infections

Redirector.Paco botnet infections

Google to Face a Record $3.4 Billion AntiTrust Fine in Europe
16.5.2016 IT
Google faces a record anti-trust penalty of about 3 BILLION Euros (US$3.4 Billion) from the European Commission in the coming days, according to reports.
After 7-years of the investigation, the European Commission filed anti-trust charges against Google last year for violating antitrust laws.
The European Union accused the search engine giant that it had abused its dominance in search by unfairly prioritize and displaying its own comparison shopping service at the top of its search results at the expense of rival products.
British newspaper The Sunday Telegraph reports that the European Union is currently preparing a fine of about 3 Billion Euros ($3.4 billion), which is almost triple the amount (1.06 Billion Euro) that Intel was levied several year ago over violating antitrust law.
According to the newspaper's sources, the EU officials, led by Margrethe Vestager, are planning to openly announce the fine against Google as early as next month, although the exact figure of the fine has yet to be finalized.
Reportedly, the European Commission regulators can impose a maximum penalty of up to 10 percent of the company's annual sales, which, in the case of Google, is possibly more than 6.6 Billion Euros.
Not just fine, but Google will also be banned from manipulating its search results in the region so that it does not continue to favor its homebrew products.
In a separate antitrust case, Google has also been accused of abusing its dominant position in the smartphone industry with Android by pre-installing its own apps, like Google Search, Chrome, YouTube, Gmail as default apps, making it harder for other companies to compete.
"Anyone can use Android with or without Google applications. Hardware manufacturers and carriers can decide how to use Android and consumers have the last word about which apps they want to use," Google spokesperson says.
The EU is also looking into the transparency of paid reviews and the conditions of use of services like Google Maps and Apple's iOS mobile operating system.

The Lucrative But Vulnerable Gaming Industry is Ripe For Cyberattacks
16.5.2016 Vulnerebility
As the gaming industry continues to become a more lucrative market, it has also increasingly become more attractive to cybercriminals.

These cyber attackers are employing the same tactics used to hack online banks and retailers.

The reader may recall late last year when Steam, one of the world’s largest online video game platforms, publicly admitted that 77,000 of its gamer accounts are hacked every month. It was the first time a major video game company acknowledged itself as a cybercrime target.

Kaspersky Lab researcher Santiago Pontiroli launched an investigation into how many gamers are being exploited by cybercriminals. Pontiroli and his team uncovered the existence of a new type of malware developed specifically to hack Steam accounts. The “Steam Stealer,” is able to bypass the Steam client’s built-in multifactor authentication (MFA) protocols, which enables hackers to gain the access necessary to compromise the integrity of a player’s account.

Cyber threats are significantly underreported, though the video game industry is, according to Dark Reading, “as big, if not bigger, than any industry in the world. Of the 1.2 billion video game players worldwide, nearly 700 million of them play online. For the video game industry, providing entertainment for one seventh of the world’s populace equates to revenues of more than $86.8 billion annually. This is nearly double the amount of the film industry, yet the Sony Pictures hack was covered for months. For financially motivated hackers, and fraudsters, there is perhaps no bigger opportunity to profit than the video game industry provides.”

Online video games are indeed vulnerable to attacks. Unfortunately, the video game industry is still largely in denial over the fact that it is a systemic problem. Dark Reading reports:

“In-video game attacks occur when a player’s account is hijacked using readily available malware that enables man-in-the-middle exploits, keylogging, remote access, and other hacks. Once inside, cyber criminals can steal player credentials, gain access to a player’s game account, transfer in-game assets to other accounts, and sell those assets on the ‘grey market,’ an unauthorized, but not necessarily illegal place that is used to sell virtual items and currency for real money.”

Additionally, the emergence of a ‘grey market’ is perhaps the most significant unintended consequence of video games moving online. The demand for virtual items is massive and many people strive to gain virtual items through regular game play and then sell them for real money. Known as ‘gold farming,’ it is so rampant and profitable that in a World Bank report it is estimated that it generates $3 billion a year for people in developing countries.

Now, because the demand for virtual items is so high, gold farmers have automated their operations and are able to run hundreds or thousands of bots to speed up the accumulation process. This has flooded the online gaming economies and has caused publishers to lose as much as 40 percent of in-game revenue per month, not to mention the reputational damage done to the businesses.

Video games are attractive targets for hackers longing for better scores, more money and notoriety. But, hackers are also fixated on game services.

Companies in the Gaming industry may not appear to be a prime target for cybercriminals, but consider the fact that one of the biggest hacks of all time, of Sony’s PlayStation Network in 2011, resulted in 77 million account holder details being compromised. Twelve thousand credit card details were also leaked, and the company’s stock price crashed overnight.

gaming industry

Currently, the following are the most common ways attackers are targeting the businesses in the gaming industry and their users:

DDoS attacks to cause disruption – Denial-of-service (DoS) or distributed denial of service (DDoS) attacks are frequently used by hackers to shut down a website or web service. It’s done by basically flooding the recipient’s web server with too much traffic, which forces the server to ‘fall over’ and the service to go offline. According to WeLiveSecurity, “a number of so-called hacktivism groups, including ‘Lizard Squad’, have used DDoS attacks in the past, including on gaming sites. Perhaps most famously, the Lizard Squad knocked Sony’s PlayStation Network and Microsoft’s Xbox Live offline last Christmas Day, causing thousands of gamers to be unable to access both services.”
Spoofed websites for grabbing credentials and more – In these cases, malware is served up to unsuspecting users by way of fake websites designed to steal from them.
Stealing money with ransomware and scareware – In March 2015, it was discovered that cybercriminals were infecting gamers’ machines with ransomware. This caused users to be unable to continue playing their games until they paid a Bitcoin ransom.
Brute force attacks and keyloggers to spy on passwords – Log-in usernames and passwords are always sought after by cyber criminals–irrespective of what sector the victim’s business is in. And, gaming sites are no exception, as Sony, Ubisoft and others know well.
Utilizing social engineering to achieve all of the above – Attackers are employing social engineering techniques, such as phishing, to find and attack their victims. “For instance, perhaps he would look you up on Twitter or Facebook before sending targeted spear phishing emails directing you to a spoofed website. Or maybe the same email would be sent with a weaponised document containing malicious code,” WeLiveSecurity explains.
Currently, online video game cybersecurity is focused on protecting and monitoring the login and monetary transaction processes. Unfortunately, that’s the same plan used by banks–and anyone who has been watching the news knows how ineffective that strategy has been. It has cost the banking industry billions of dollars over time. Online gaming also depends on MFA to protect the login process, but this safeguard is no match for the widely available keylogging and screen-scrape technology. Then too, device reputation technology is vulnerable to man-in-the-middle hacks. And, rules-based security is deeply flawed.

So, it is expected that large-scale attacks will continue to occur until the video game industry wakes up and begins tightening up on cybersecurity. Cyber criminals aren’t going to stop until they’re stopped.

CVE-2016-4117 – FireEye revealed the exploit chain of recent attacks
16.5.2016 Exploit

The FireEye researcher Genwei Jiang revealed the exploit chain related to phishing attacks leveraging CVE-2016-4117 flaw recently fixed by Adobe.
Security experts at FireEye have recently spotted an attack leveraging on an Adobe zero-day vulnerability (CVE-2016-4117) recently patched.

The CVE-2016-4117 flaw affects older versions of the Adobe Flash, a few days ago the company was informed of a new zero-day vulnerability in the Flash Player software that was being exploited in cyber attacks in the wild. The company announced the fix for the CVE-2016-4117 on May 12 and confirmed that it affected Windows, Mac OS X, Linux and Chrome OS.

Adobe rated as critical the vulnerability, the issue was discovered by the security expert Genwei Jiang from FireEye, which also confirmed that it is being used in targeted attacks.

“A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” reads the advisory published by Adobe.

“Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.”

After the flaw was fixed, Genwei Jiang revealed the details of the previously undisclosed phishing attacks he reported to Adobe.

The experts explained that threat actors used phishing links and files to compromise Windows systems running Flash, and Microsoft Office.

The expert explained that threat actors embedded the Flash exploit inside a Microsoft Office document, which they then hosted on a web server they controlled. They used a Dynamic DNS (DDNS) domain to reference the document and the malicious payload.

When victims open the malicious document, then the exploit downloads and executes the payload hosted on the crooks’ server. In order to avoid suspicion and make the attack stealth, threat actors then display victims a decoy document.

“On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability inAPSB16-15 just four days later.” reads a blog post published by FireEye.

“Attackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.”

The post published by FireEye details the attack that proceeds as follows:

The victim opens the malicious Office document.
The Office document renders an embedded Flash file.
If the Flash Player version is older than, the attack aborts.
Otherwise, the attack runs the encoded Flash exploit.
The exploit runs embedded native shellcode.
The shellcode downloads and executes a second shellcode from the attacker’s server.
The second shellcode:
Downloads and executes malware.
Downloads and displays a decoy document.
The malware connects to a second server for command and control (C2) and waits for further instructions.
CVE-2016-4117 attack chain
Experts are warning about a possible spike in the attacks exploiting this flaw that was recently fixed.

Users should install the latest Adobe patch as soon as possible and FireEye suggests them to employ additional mitigations, such as Microsoft EMET to prevent exploit attacks.

Experts also cracked the CryptXXX ransomware 2.0
16.5.2016 Virus

Security Experts at Kaspersky have updated their decryption tool to adapt to the second version of CryptXXX ransomware in the RannohDecryptor
A couple of hours ago I published an interesting post the summarizes the ransomware activities in the last week, and unfortunately, this kind of malware is becoming even more popular in the criminal underground.

A few weeks ago a new threat appeared in the wild, it is the CryptXXX ransomware that was first spotted by the experts from Proofpoint in April. Researchers at ProofPoint discovered a number of compromised websites hosting the Angler exploit kit that were abused by crooks to serve the CryptXXX ransomware and infect Windows machines.

The CryptXXX ransomware has the ability to encrypt local files and any other document present on every connected data storage a short time after the PC has been infected. The threat also steals Bitcoins from the victim’s machines.

The malware authors use the delay in order to make harder for victims the identifications of the malicious website used to compromise their machines.

The files are encrypted with RSA4096 encryption and the CryptXXX ransomware demands the payment of a $500 ransom in bitcoins for decrypting the data back. Like other ransomware, CryptXXX instructs victims about the payment process, it drops an image on the desktop containing the instructions to download the Tor browser and access an Onion service containing the instructions.

CryptXXX ransomware instructions

In April, experts at Kaspersky cracked the CryptXXX ransomware and released the RannohDecryptor utility, that was initially designed to recover files encrypted by the Rannoh ransomware.

A few days ago, the researchers from ProofPoint discovered that the CryptXXX ransomware had evolved making ineffective the RannohDecryptor.

In response, the experts from Kaspersky Lab have updated the decryption tool to defeat the second variant the CryptXXX ransomware, they released the RannohDecryptor tool version

Victims of the new strain of the CryptXXX ransomware doesn’t need original copies to decrypt the file.

Below some notes published by the experts:

1. We support decryption of about 40 popular file formats, including documents, archives, images, etc. Unfortunately, there is no possibility to decrypt any arbitrary file format.

2. Decryption may take some time. Generally, the 1st file gets decrypted within several minutes, and all subsequent files in a matter of seconds (each). In the worst case every file will take several minutes. The utility notifies the user prior to start with the following message:

3. Original copy is not needed for Cryptxxx v2.

While this tool will help those infected decrypt their .crypt files, we know that criminals will always look to evolve to stop workarounds from good guys in cybersecurity. It is an unfortunate reality in the current world we live in. But fear not, we won’t rest and will stay vigilant to protect you.

ATM Skimming attacks are skyrocketing
16.5.2016 Crime

Security and fraud experts are observing a significant increase in the number of ATM skimming attacks across the world. It’s an emergency!
Security and fraud experts are observing a significant increase in the number of cyber attacks against the ATMs, in particular, skimming attacks. The popular investigator Brian Krebs recently published an interesting post that warns about an alarming increase of skimming attacks for both American and European banks.

“Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers.” wrote Krebs. “The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.”

The FICO Card Alert Service issued several warning about a spikes in ATM skimming attacks.

On April 8, FICO noted that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015.

“The number of ATMs in the US compromised by criminals rose 546 percent in 2015 over 2014, analytic software firm FICO reported today. The number of ATM compromises in 2015 was the highest ever recorded by the FICO® Card Alert Service, which monitors hundreds of thousands of ATMs in the US. Criminal activity was highest at non-bank ATMs, such as those in convenience stores, where 10 times as many machines were compromised as in 2014. FICO first reported on the sharp growth in ATM fraud on its blog last May.” states the note. “

FICO highlighted that the ATM attacks were taking place over fewer days, but experts are worried by the quick-hit approach to ATM.

“Criminals are taking a quick-hit approach to ATM theft and card fraud,” said TJ Horan, vice president of fraud solutions at FICO. “They are moving faster to make it harder for banks to react and shut down the compromises. They are targeting non-bank ATMs, which are more vulnerable — in 2015, non-bank ATMs accounted for 60 percent of all compromises, up from 39 percent in 2014.”

In the US, the last wave of ATM skimming attacks was spread out across the entire territory.

In February, The ATM maker NCR issued a warning about ATM skimming attacks that involved hidden cameras, skimming devices plugged into the ATM network cables to steal customer card data and keypad overlays.

The company observed a number of attacks targeting NCR and Diebold ATMs leveraging the use of external skimming devices that crooks use to hijack the phone or Internet jack.

“These devices are plugged into the ATM network cables and intercept customer card data. Additional devices are attached to the ATM to capture the PIN,” reads the alert issued by the NCR “A keyboard overlay was used to attack an NCR ATM, a concealed camera was used on the Diebold ATM. PIN data is then likely transmitted wirelessly to the skimming device.”

ATM skimming attacks Brian KrebsATM skimming attacks Brian Krebs 2
Source Brian Krebs’s website

The situation is worrisome, some financial institutions preferred to shut down the ATM machines in order to mitigate the fraudulent activities.

Unfortunately, the number of ATM skimming attacks is increasing also in Europe as confirmed by the data shared by the European ATM Security Team (EAST). This kind of fraudulent activity has increased by 19% from 2014 to 2015.

“During 2015 total losses of 327.48 million euros were reported,” EAST wrote. “This is a 17% increase when compared to the total losses of 279.86 million euros reported for 2014 and equates to losses of 884,069 euros per 1000 ATMs over the period.”

Experts suggest bank users cover with their hand while entering a PIN to foil ATM attacks leveraging on hidden cameras to capture the PIN.

The Verizon Data Breach Investigations Report confirmed that over 90 percent of the security breaches last year involved skimmers used a tiny hidden camera.

“Payment card skimming remains one of the most lucrative and easy to pull off crimes, both for organized criminals and the occasional independent pilferer (he’s just a poor boy, from a poor family)” states the Verizon Report.

“The physical action of ‘surveillance’ was selected in over 90% of cases—this is due to the installation of pinhole cameras designed to capture PIN codes on the devices in question.”

Experts have no doubts, ATM skimming attacks are the easiest way to gather payment card data, most exposed are peripheral machines located at gas stations and malls.

Hacker claims to have full access to Pornhub and already sold it
16.5.2016 Hacking

A 19-year-old hacker who goes by the name Revolver claims to have breached into Pornhub server and already sold the access for $1,000.
It happened during the weekend, a researcher using the 1×0123 Twitter account announced the availability of a shell access to a subdomain on Pornhub and offered it for $1,000.

The figure is obviously ridiculous when you consider the high traffic that daily reach the server, more than 2.1 million visits per hour.

View image on Twitter
View image on Twitter
1x0123 ‎@1x0123
#pornhub command injection + shell on subdomain + src for sale
xmpp : revolver@rows.io
1:08 AM - 15 May 2016
151 151 Retweets 157 157 likes
In order to prove the access to the Pornhub platform, 1×0123 posted on Twitter a couple of pictures. The researchers explained to have compromised the server by exploiting uploading a shell by exploiting a flaw in the mechanism used to upload the picture in the user profile.

Once the shell is uploaded on the server it is possible to have full control over the environment.

pornhub shellpornhub shell 2

Salted Hash reached 1×0123 who confirmed that he had sold access to three people.

“2 guys with shell, 1 guy for a command injection script,” he told Salted Hash.

“Pornhub contacted Revolver for more information. He offered to share those details, and help patch the vulnerability that allowed such access, for total cost of $5,000 USD. It isn’t clear if the adult entertainment giant agreed to those terms.” states Salted Hash.

1×0123 hasn’t provided further information on the hack, he only stated the vulnerability affecting the user profile isn’t the ImageMagick flaw recently disclosed.

A Pornhub spokesperson confirmed the presence of the shell that appears to be on a non-production server and confirmed the company is currently investigating the issue.

1×0123 is a known in the security industry, he offered a similar access to the LA Times website in April after he exploited a vulnerability in the Advanced XML Reader WordPress plugin.

During the same period, he revealed to have found an SQL injection flaw on one of the servers of Mossack Fonseca (a custom online payment system called Orion House).

In March, he designed a website called VNC Roulette that displayed screenshots of random hackable computers.

On April 10, 2016, Edward Snowden publicly thanked 1×0123 for reporting a vulnerability in Piwik to the Freedom of the Press Foundation.

On May 9, Pornhub announced a bounty program through HackerOne with a maximum bounty set at $25K.

“The public launch of Pornhub’s Bug Bounty Program follows a private, invite-only beta program that the adult entertainment site ran last year, which compensated participants for helping to identify and fix about two dozen bugs. ” states the announcement.

Unfortunately for Pornhub, 1×0123 has a bad opinion of the bounty program has he confirmed in the following statement published on Twitter.

“i don’t report vulnerabilities anymore go underground or go away ” reads the Tweet.

OpIcarus: Anonymous crusade against the sick banking industry
15.5.2016 Hacking

Anonymous alongside with BannedOffline and Ghost Squad crews are resuming the OpIcarus targeting banking websites around the world.
Hackers of the Anonymous collective alongside with Ghost Squad and BannedOffline continued their attacks on the banks worldwide under the campaign named OpIcarus.

The Operation OpIcarus was resumed in March 2016, both Anonymous and Ghost Squad launched several attacks on financial institutions worldwide, including the bank of Greece, HSBC, Bank of England, Dutch Central Bank, , Central Bank of Bosnia and Herzegovina, the central bank of Cyprus, and Central Bank of Guernsey and Maldives Monetary Authority (Central bank and banking regulator), and Turkish Banks.

After a temporary suspension of the attack, the hacktivists are back and hit the websites of banks in South Korea, Jordan, Montenegro and Monegasque.

“OpIcarus will continue,” announced Anonymous

The hackers launched a series of DDoS attacks that shut down the websites of the Central Bank of Jordan, Central bank of South Korea and Bank of Compagnie, Monegasque.


The HackRead.com reached one of the attackers and reported the following statement:

“Montenegro is at the heart of elite political corruption. Most of the ISIS/ISIL terrorist group looted money flows through Jordanian banks and South Korea is pretty much a US army base in the Asia-Pacific. Sites are staying offline for much longer periods now as more people are joining in the Operation. All targets so far have been central banks and no innocent people were harmed. We aim to keep it that way. OpIcarus will continue.”

A couple of days ago, Hackers claimed to have taken down the Bank of England’s internal email server as part of an operation dubbed ‘OpIcarus.’

Hackers affiliated with Anonymous also claimed to have hit several international banks last week, including the Federal Reserve Bank of Boston, the central banks of Sweden, National Reserve Bank of Tonga, and Myanmar and Laos.

The hacktivist “S1ege,” who is an alleged member of the Ghost Squad crew, claimed responsibility for the attacks announcing ” an online revolution” to retaliate against the “elite banking cartels putting the world in a perpetual state of chaos.”

Malware used in the recent banking cyberheists is linked to Sony Pictures hack
15.5.2016 Virus

Experts at the BAE security firms collected evidence that demonstrates the malware used in the recent cyberheists is linked to 2014 Sony Pictures hack.
A second bank was a victim of a malware-based attack, the news was recently confirmed by the SWIFT. The investigation conducted by the security researchers at BAE Systems are making the situation very intriguing because according to experts the cyberheist at the Bangladesh Bank, and at an unnamed commercial bank in Vietnam are linked could be linked to the clamorous Sony Pictures hack.

At the time of the Sony hack, the US authorities blamed the North Korea for the attack, the Obama administration decided to exacerbate the economic sanctions against 10 senior North Korean officials and three entities of the country.

At this point we have two options, the North Korea is targeting the global financial or we are in front of a false flag operation conducted by someone that is conducting a diversionary operation relying on the code used in the Sony hack.

Security experts Sergei Shevchenko and Adrian Nish from BAE Systems have collected evidence of the link between the malware used in the recent cyber attacks against the financial institutions and the malicious code used to compromise Sony Pictures systems in 2014.

The security duo has demonstrated that the malware used in the attacks against the banks relies on the same wiper component.

“The implementation of this function is very unique – it involves complete filling of the file with the random data in order to occupy all associated disk sectors, before the file is deleted. The file-delete function itself is also unique – the file is first renamed into a temporary file with a random name, and that temporary file is also deleted.” states the analysis published by the experts.

Sony Pictures Hack bangladesh bank heist malware 2

Extending their analysis to previous malware samples with similar features, the duo has found one wiper component called msoutc.exe. The wiper component was compiled on Oct. 24, 2014 and first uploaded to the malware database on March 4, 2016, by a US users.

The wiper-malware once executed checks if there is another instance of itself running on the infected system to prevent multiple copies of the same malware running on it.

If it finds another running instance it runs a script to delete itself from the system.

The experts also discovered that the malicious code encrypted its log file with a key:


exactly the same key used by another destructive malware reported by PwC in 2015 and also described in the Alert TA14-353A issued by the US CERT in December 2014 following the Sony Pictures hack.

Shevchenko and Nish confirmed that the script used by the malware to erase itself from the infected machine is the same reported in the analysis published by the Novetta security firm on a malware used by the Lazarus APT Group. That’s the group Novetta blamed for the Sony Pictures attack in its report “Operation Blockbuster.”

“Further details of this same toolkit were disclosed in the ‘Op Blockbuster’ report in February 2016. msoutc.exe matches the description of the ‘Sierra Charlie’ variants in their report. From their analysis this is described as a spreader type of malware, presumably used to gain a foothold on multiple devices within a target environment before launching further actions.” continues the report.

Despite the revelations made by Shevchenko and Nish, it is possible that a threat actor reused the code of the Sony Pictures hack to make harder the attribution, but the duo seems to have a different opinion:

“The overlaps between these samples provide strong links for the same coder being behind the recent bank heist cases and a wider known campaign stretching back almost a decade,” they concluded.

Week in Ransomware – Week of May 13th, 2016

15.5.2016 Virus

Just in a week several new ransomware variants, services, and updates have been discovered in-the-wild, disclosed publicly, and thoroughly analyzed.
Statistical Summary

This week, in a span of just five (5) days (Monday, May 9th, 2016 – Friday, May 13th, 2016), through the collaborative efforts of several organizations and individual analysts around the globe, several new ransomware variants, services, and updates have been discovered in-the-wild, disclosed publicly, and thoroughly analyzed.

At the time of this writing (5/13/2016), the following metrics have been reported:

(6) New Ransomware Variants

(1) New Ransomware-as-a-Service (RaaS) Offering

(1) Update to an Existing Ransomware

Monday, May 9th, 2016
CryptXXX 2.0

The 2nd member of the CryptXXX family was released, dubbed CryptXXX 2.0.
Kaspersky released a decryption utility that decrypted files encrypted by CryptXXX’s first version.
However, Kaspersky’s decryption tool cannot decrypt files affected by this version of CryptXXX.
Appends the. crypt extension to all affected files.
Generates and assigns a unique identifier to the victim device.
Generates ransom notes whose filenames are created using this unique ID.
Its ransom notes are saved with the. html

Targets Russian-speaking victims
Appends the. enigma extension to all affected files
Generates ransom notes named: txt
Tuesday, May 10th, 2016

May possibly be the first ransomware discovered to be targeting only Chinese users
All associated files (including ransom notes) are written in Chinese
Generates ransom notes named: 文件解密帮助.txt
Wednesday, May 11th, 2016
German Netherlands Locker (GNL Locker)

Queries the target computer’s IP address and determine its geolocation
Only begins encryption process if device is located in either Germany or the Netherlands
Appends the. locked extension to all affected files.
Generates ransom notes using the following filenames and extensions:
Thursday, May 12th, 2016

Actually a new version of the Jigsaw ransomware (created by the same developers)
Performs the same activities as the Jigsaw ransomware; the only differences between CryptoHitman and Jigsaw are, for the most part, aesthetic:
It now uses “Agent 47” of the “Hitman” videogame and movie series as their
logo, and includes an image of this character on the locker screen
The locker screen, however, also contains several pornographic images
Appends the. porno extension to all affected files.

Heavily publicized this week, but has been around for a while.
Appends the. encrypted extension to all affected files.
Generates ransom notes named: html
New Version of Petya Ransomware with Additional Mischa Ransomware

New Version of Petya Ransomware

Utilizes a significantly modified installer
Some of the observed changes:
When executed, Petya will check to see if it can escalate to administrative privileges.
If so: the Petya ransomware will be installed
If not: the Mischa ransomware will be installed
Petya encrypts the Master File Table (MFT) of the victim device.
It displays then an illegitimate screen created to resemble a legitimate “chkdsk” screen.
While the fake chkdsk screen is being displayed, encryption of the MFT is underway.
Once the encryption activities are finished, the victim device will present a lock screen with ransom payment instructions displayed.

Generates ransom notes using the following filenames and extensions:
Unique in that it also encrypts executable files.
Friday, May 13th, 2016
Petya and Mischa Offered as Ransomware-as-a-Service (RaaS)

Allows distributors of malware to earn a portion of the revenue generated by Petya/Mischa by distributing their own unique installer of the malware.
Affiliate program is called “Janus”.
The name “Janus” is based on the criminal organization from the James Bond film, Goldeneye, which is named the “Janus Syndicate”.
RaaS has an official Twitter handle, @janussec
Alleged revenue share percentages are displayed below:
Volume/Week Shared %
< 5 BTC 25%
< 25 BTC 50%
< 125 BTC 75%
>= 125 BC 85%
petya ransomware

CryptXXX 2.0 Decryption Utility Released by Kaspersky

Kaspersky, who released a decryption utility for the earlier version of the CryptXXX ransomware, have thwarted the efforts of the CryptXXX authors once again.
Kaspersky modified their original CryptXXX decryption tool and released an updated version capable of decrypting files affected by the 2nd member of the CryptXXX family, CryptXXX 2.0.

A hacker compromised several Reddit accounts to prove it needs 2FA
14.5.2016 Hacking

A mysterious hacker is responsible for a mass Reddit defacement of 70 subreddits, he wants to demonstrate the lack of security of the popular platform.
Someone is creating the panic on Reddits, a mysterious user behind the name TehBVM (@TehBVM) claims to have already popped more than 100 Reddit subreddits. The user already targeted subreddits related to Battlefield One game, Marvel Studios, Star Wars, How to Hack, and Game of Thrones, he also defaced popular subreddits like TIFU (today I f**ked up).

The hacker spent the last weeks hijacking Reddit moderator accounts and defacing their subreddit pages, changing cover images and CSS.

Which is the motivation behind the defacements?

Apparently, TehBVM is doing it partly to demonstrate the lack of security posture of Reddit, the hacker hasn’t disclosed personal information belonging to the Reddit users.

“Around 70 or more subreddits have been defaced since 4 May – including /r/gameofthrones,/r/starwars, /r/pics, /r/books, /r/marvel, /r/robocraft and others.”

TehBVM did not explain how he compromised the Reddit accounts the unique certainly seems to be that he hasn’t launched a brute force attack against the platform. It is likely that the hacker is using login credentials related to other data breaches with the hope that users have shared it among multiple online services.

Reddit hack

TehBVM is also offering moderator account credentials on the hacked subreddits.
Clearly this kind of incidents could be simply avoided by introducing a two-factor authentication mechanism.

Reddit has already planned the introduction of the 2FA feature, but it is still to develop a beta.

The lack of a strong authentication method was already exploited in the past by hackers, in 2013 other subreddits have been popped in similar circumstances.

Reddit hack 2

Also the Giant Google has recently faced a data breach via benefits provider
14.5.2016 Security

Google started sending out notifications to employees about a data breach that occurred at a third party company that operates as a benefits provider.
We all make mistakes, sometime they are small, some other big. But what if the mistake is so important to indirectly affect one the biggest companies in the world? “Oooops!” This is what happened to an employee working on a benefits management service provider, a company Google has partnered with to provide its employee comprehensive benefits packaged, had discovered.

On May 8th, 2016, Google Inc started notifying affected stakeholders of a breach of data that contain their personal sensitive information due to an email “fumble” —a mistake of email (recipient) identify where the email client auto-complete address resolver feature may have played a part. The disclosure came after a vendor, specializing in employee/staff benefits management services, realized that an email that

The disclosure came after a vendor, specializing in employee/staff benefits management services, realized that an email that contains sensitive private information on Google employees have been inadvertently sent to the “wrong person”. In a notice filed with the Attorney-General’s office in California, Teri Wisness, Benefits Director of United States at Google, said Google had been notified immediately of the data breach by the sender themselves and appreciates the efforts of disclosing this leak as quickly as possible.

“We recently learned that a third-party vendor that provides Google with benefits management services mistakenly sent a document containing certain personal information of some of our Googlers to a benefits manager at another company. Promptly upon viewing the document, the benefits manager deleted it and notified Google’s vendor of the issue. After the vendor informed us of the issue, we conducted an investigation to determine the fact” reads the notice.

The email contains a document with an undisclosed number of Google’s staff names and US Social Security Numbers (SSN). Acknowledging the mishap, Google dispatched its incident responders to investigate and mitigate; however, from initial reports, no misuse, abuse or malicious intent was discovered. Also, logs from both parties indicate nobody else had viewed this document nor intentionally saved elsewhere locally or remotely or disclosed to another party. In fact, the unintended recipient simply deleted the email and its contents upon having it viewed once and contacted the sender.

Google will offer a three-year credit monitoring and protection for the affected employees, and recommends its employees to producing a credit rating score report.

Malware-Laced Porn Apps Behind Wave of Android Lockscreen Attacks
14.5.2016 Android

Incidents of Android lockscreen malware masquerading as porn apps are a growing concern to security analysts who are forecasting an uptick in attacks. Once infected, Android users bitten by this malware appear to be locked out of their device and are forced to undergo a complex extraction of the app to win back control of their phone or tablet. The warning comes from Dell SonicWALL Threats Research Team that said this yet-to-be-named variant of lockscreen malware is immature, but potent. “We have found over a 100 different apps that contain this malware and suspect that the authors behind the apps are gearing up for a much larger more deadly assault,” said Alex Dubrovsky, director of software engineering and threat research at Dell. Unlike other lockscreen malware such as ICE, Jisut and Cyber.Police that locks the user’s screen and asks them to pay a ransom, the lockscreen malware that Dell found does not appear to be financially motivated, yet. The malware is closely tied to porn websites. Users are enticed to download porn-themed apps via links or SMS message requests that link users to third-party Android app stores. Once a target downloads the advertised malicious porn app, it requests for Device Administrator privileges. When users click the application or open the System Settings app a screen, what appears to be the ransom or lockscreen message appears. But that lockscreen can be easily circumvented by clicking the Home or Recent Apps buttons, according to a SonicWALL team research blog about the discovery posted Thursday. At this time, Dubrovsky said, attackers are not employing a command and control backend to manipulate the device. Neither are attackers executing remote code or taking control over a user’s Android device. However, “once the application starts running, encoded data is transmitted to multiple domains in the background,” SonicWALL reports. Dubrovsky said his team is still dissecting the malware and at this time he suspects that data transmitted from the phone could possibly be personal in nature, but couldn’t be sure. “This is clearly beta software that attackers are refining in real time. Many of the obvious features you’d expect with malware are just not feature complete.” One thing is certain about this strain of lockscreen malware is it is hard to remove. “If an Android device gets infected with a malware with Device Administrator privileges it becomes difficult to remove it as the uninstall button gets greyed out,” write Dell’s SonicWALL security team. Dell said that the obvious solution of running your Android device in Safe Mode to remove app doesn’t work in this instance. Once in Safe Mode the malicious app starts blocking the System Settings after a few moments making it impossible to uninstall. The alternative is to disable the running app via Android Debug Bridge, a software developer’s tool. The other option for non-technical users is simply, reset your Android device. “Overall it looks like this campaign is in its early days as the lockscreen does not work as expected and it is easy to come out of the ‘lock’ state,” Dell wrote. “Considering the volume of malicious apps that are part of this campaign it can be said that this campaign might grow bigger in the near future with updated components.” Dubrovsky said his researchers are bracing for more mature variants of this lockscreen malware that will be much more technically adept at demanding a ransom in some form from mobile porn surfers and apps that have a broader non-adult themed appeal.

VIDEO – RedTeam Hackers Crack Businesses’ Security
14.5.2016 Hacking

A few days ago group of white hat hackers from RedTeam traveled to the Midwest to test the systems of a major power company and breach it with Social Engineering.
RedTeam Security is a group of ethical hackers who specialize in offensive security, believing that the best defense is a good offense. We wrote about their initiative and the recent hack of the Midwest power company.

social engineering RedTeam hackers

Now the hackers shared a video that documents their attack …. enjoy it!

Microsoft removes its controversial Windows 10 Wi-Fi Sense Password Sharing Feature
14.5.2016 Safety
Microsoft has finally decided to remove one of its controversial features Wi-Fi Sense network sharing feature from Windows 10 that shares your WiFi password with your Facebook, Skype and Outlook friends and enabled by default.
With the launch of Windows 10 last year, Microsoft introduced Wi-Fi Sense network sharing feature aimed at making it easy to share your password-protected WiFi network with your contacts within range, eliminating the hassle of manually logging in when they visit.
This WiFi password-sharing option immediately stirred up concerns from Windows 10 users especially those who thought the feature automatically shared your WiFi network with all your contacts who wanted access.
Must Read: Here's How to run Ubuntu Linux on Windows 10.
But Wi-Fi Sense actually hands over its users controls so they can select which networks to share and which contact list can access their Wi-Fi.
Also, the feature doesn't share the actual password used to protect your Wi-Fi, but it does give your contacts access to your network.
However, the biggest threat comes in when you choose to share your Wi-Fi access with any of your contact lists.
But, Who really wants to share their Wi-Fi codes with everyone in the contacts?

Of course, nobody wants.
Since the feature doesn't give you the option to share your network with selected individuals on Facebook, Skype or Outlook, anyone in your contact list with a malicious mind can perform Man-in-the-Middle (MITM) attacks.
Also Read: How to Turn Off Windows 10 Keylogger
We have written a detailed article on Wi-Fi Sense, so you can read the article to know its actual security threat to Windows 10 users.
Although Microsoft defended Wi-Fi Sense network-sharing as a useful feature, Windows users did not give it a good response, making the company remove WiFi Sense's contact sharing feature in its latest Windows 10 build 14342.
"The cost of updating the code to keep this feature working combined with low usage and low demand made this not worth further investment," said Microsoft Vice President Gabe Aul. "Wi-Fi Sense, if enabled, will continue to get you connected to open Wi-Fi hotspots that it knows about through crowdsourcing."
Microsoft just released its latest Windows 10 build for testers. The company will remove the Wi-Fi Sense password sharing feature as part of its Anniversary Update due in the summer, but will keep the Wi-Fi Sense feature that lets its users connect to open networks.

SWIFT warns of new attacks, Bangladesh Bank heist linked to Sony hack

14.5.2016 Attack

SWIFT, the organization that provides banks with a secure network for sending and receiving information about financial transactions, has sent out a warning about a malware attack against another bank. They believe that its customers are facing “a highly adaptive campaign targeting banks’ payment endpoints.”

In the earlier case – the heist at Bangladesh’s central bank – the attackers compromised the bank’s environment, obtained valid operator credentials that allowed them to submit fraudulent SWIFT messages, and to hide evidence by removing some of the traces of the fraudulent messages.

“In this new case we have now learnt that a piece of malware was used to target the PDF reader application used by the customer to read user generated PDF reports of payment confirmations,” the organization explained.

“Once installed on an infected local machine, the Trojan PDF reader gains an icon and file description that matches legitimate software. When opening PDF files containing local reports of customer specific SWIFT confirmation messages, the Trojan will manipulate the PDF reports to remove traces of the fraudulent instructions.”

They made sure to note that the malware can’t create new or modify outgoing messages, and does not affect SWIFT’s network, interface software or core messaging services.

“In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT,” they pointed out. “The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both.”

SWIFT did not identify the victim of this latest attack nor did they say whether it was ultimately successful.

But Sergei Shevchenko and Adrian Nish, two BAE Systems researchers who are analyzing the malware, revealed that the financial institution that has been hit is a commercial bank in Vietnam.

What’s more, their analysis of the malware used in both attacks revealed that:

The malware was custom-made in both cases
It sported unique “file-wipe-out” and “file-delete” functions that are the same or have been only minimally modified
The malware exhibits the same unique characteristics, such as mutex names and encryption keys, as other tools from a larger toolkit described in US-CERT Alert TA14-353A – the alert that is widely believed to describe the 2014 attack against Sony Entertainment.
It contains some of the same typos, and exhibits evidence of being developed in the same environment.

“The overlaps between these samples provide strong links for the same coder being behind the recent bank heist cases and a wider known campaign stretching back almost a decade,” they pointed out.

“It is possible that this particular file-delete function exists as shared code, distributed between multiple coders who look to achieve similar results. However, we have noted that this code isn’t publically available or present in any other software after searching through tens of millions of files. The unique decision to move and rename the file before deletion after overwriting is unusual, and not a common step we would expect to see when implementing this capability.”

They admit that it’s possible that different coders were involved, and tried to made it look like they were one and the same, but they say it’s unlikely.

“Who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone,” they say, and hope that further investigation of command infrastructure and related tools will give more definitive answers.

In the meantime, SWIFT urged its customers to review controls in their payments environments, to all their messaging, payments and ebanking channels and, if they have been attacked, to share the info they have with SWIFT and the authorities.

Cerber Ransomware On The Rise, Fueled By Dridex Botnets

14.5.2016 Virus

Starting in April security experts at FireEye spotted a massive uptick in Cerber ransomware attacks delivered via a rolling wave of spam. Researchers there link the Cerber outbreaks to the fact that attackers are now leveraging the same spam infrastructure credited for making the potent Dridex financial Trojan extremely dangerous. Cerber, which is best known for its high-creep factor in using text-to-speech to “speak” its ransom note to victims, was first spotted in the wild in February. Its typical distribution method was via exploit kits, with Magnitude and Nuclear Pack exploiting a zero day in Adobe Flash Player (CVE-2016-1019). But as recently as May 4, FireEye reports, Cerber is now part of a spam campaign linked to Dridex botnets. “By partnering with the same spam distributor that has proven its capability by delivering Dridex on a large scale, Cerber is likely to become another serious email threat similar to Dridex and Locky,” wrote FireEye security analysts in a research blog posted Thursday. Dridex is a financial Trojan that has emerged as a significant threat to consumers and business, targeting the acquisition of financially related credentials. Its chief means of distribution is Dridex botnets that have been behind massive spam campaigns since February and are responsible for pushing out millions of targeted spam messages a day. Cerber ransomware, according to FireEye, follows the same spam framework as Dridex. Targets are sent emails with an attachment disguised as an invoice that contains malicious VBScript. Once the user opens the document, they’re encouraged to enable macros. In the case of Cerber, the malicious attachment obfuscates the offending VBScript that may be detected by an email gateway or spam filter. Instead, the macro downloads and installs the VBScript in the %appdata% path of the targeted PC. The VBScript is further manipulated to avoid detection and reverse engineering through the injection of junk code. Next, Cerber sniffs out whether a victim has an internet connection. If it does, the last piece of the Cerber ransomware is delivered. That’s when the VBScript sends an HTTP Range Request to fetch a JPEG file from a URL. “In the HTTP Request Headers, it sets the value of Range Header to: “bytes=11193-“. This indicates to the web server to return only the content starting at offset 11,193 of the JPG file,” FireEye wrote. This multi-stage technique of delivering the Cerber payload, FireEye said, is similar to HTTP Range Request checks leveraged by Dridex and Ursnif Trojans. Other similarities that Cerber has to Dridex include the fact that spam campaigns are typically English language only and are financially motivated booby-trapped with invoice, receipt, and order attachments. Once Cerber goes to work on a system, it targets email, Word documents, and Steam (gaming) related files appending encrypted files with the ‘.cerber’ file extension. Victims are directed to visit various versions of the “decrypttozxybarc” domain. In some instances, FireEye said, Cerber also installs a spambot module on the host PC. Attackers, FireEye suspect, are in the test stages of using infected PCs for distributing spam.

CryptXXX 2.0 foils decryption tool, locks PCs

14.5.2016 Virus

CryptXXX ransomware, first spotted in mid-April, has reached version 2.0, and a new level of nastiness. It’s also on its way to become one of the top ransomware families in the wild.

The malware’s first version would encrypt files but leave the rest of the infected computer alone, and victims would be able to use it to buy Bitcoin and pay the required ransom.

This also allowed them to deploy a decryption tool, developed by Kaspersky Lab researchers only a week after the first instance of the ransomware was spotted. The AV maker added the decryption capability to its decryptor tool meant initially for decrypting files taken hostage by the Rannoh ransomware.

But that option is not available any more, as CryptXXX 2.0 not only bypasses the decryption tool, but also locks the computer’s screen after popping-up the ransom request:

CryptXXX 2.0 ransom request

In addition to all this, the page where the crooks explain how the victims can effect the ransom payment mentions a Google Decrypter tool they will be able to use to decrypt their files. Proofpoint researchers believe that’s just a misdirection, to prevent victims to identify with which ransomware they have been hit.

“While new decryption tools may emerge, CryptXXX’s active development and rapid evolution suggest that this new ransomware will continue to compete strongly in malware ecosystems,” the researchers noted.

“As always, best practices for avoiding infection include patching systems and software, updating endpoint antimalware, deploying robust network protections, and regularly backing up all critical systems.”

The Pirate Bay loses its Main Domain Name in Court Battle
13.5.2016 Crime

The Pirate Bay has fought many legal battles since its launch in 2003 to keep the website operational for the last 13 years.
However, this time The Pirate Bay is suffering a major blow after the Swedish Court ruled Thursday that it will take away the domain names 'ThePirateBay.se' and 'PirateBay.se' of the world's most popular torrent website and will hand over them to the state.
As its name suggests, The Pirate Bay is one of the most popular file-sharing torrent site predominantly used for downloading pirated or copyrighted media and programs free of charge.
Despite the criminal convictions, the torrent site remains functioning although it has moved to different Web domains several times.
However, this time, The Pirate Bay loses its main .SE domain, the world's 225th most popular website according to the Alexa ranking, according to Swedish newspaper DN.
"In common with the District Court ruling the Court of Appeal finds that there is a basis for confiscation since the domain names assisted crimes under the Copyright Act," a statement on the site of the Svea Court of Appeal reads. "This means that the right to the domain names falls to the state."
Back in 2013, the anti-piracy prosecutor Fredrik Ingblad took a different approach to shutting down the file-sharing website.
Must Read: The Pirate Bay Founders Free Of Criminal Copyright Case.
Instead of suing the operators of the site or going after The Pirate Bay directly, the prosecutor decided to take two of its more popular domains from it and filed a complaint against Punkt SE (IIS), the company that manages .SE domain names.
The lawsuit filed against Punkt SE claimed that The Pirate Bay was an illegal torrent site and that all tools, including the domain names thepiratebay.se and piratebay.se, used in connection with the illegal site should be suspended.
Last year, the Stockholm District Court ruled in favor of the prosecution, saying that both ThePirateBay.se and PirateBay.se would be taken from the owners of The Pirate Bay.
Punkt SE then appealed and won the case and also awarded the body compensation of US$40,000 for legal costs.
Also Read: The Pirate Bay Runs on 21 "Raid-Proof" Virtual Machines To Avoids Detection.
As a result, the prosecution appealed, and now the decision came in the prosecution's favor, which means The Pirate Bay’s popular domains names are set to be forfeited to the Swedish state.
Both ThePirateBay.se and PirateBay.se are held in the name of The Pirate Bay co-founder Fredrik Neij, so the next step of the legal battle will now be against him.
Although there is still the possibility of another appeal, it is hard to say at this time whether both .SE domains of The Pirate Bay will still be active in the coming months.

Talking with Azeem Aleem about the evolution of cyber threats
13.52016 Safety

Azeem Aleem, Director for the Advanced Cyber Defense Services Practice – EMEA at RSA, shares its vision on the evolution of threats in the next future.
The last 14 months have highlighted that attacks domains are expanding. We have seen the trends with OPM data breach, to sensitive PII information leak at Anthem breach and Vtech breach. The extortion malware impacting organizations, to an advanced coordinated attack at Ukrainian Power grid highlights the complexity around the anatomy of attacks.

To better understand the topic we have been talking with Azeem Aleem Director for the Advanced Cyber Defense Services Practice – EMEA at RSA. Azeem is responsible for overall professional services engagement for Global Incident Response/Discovery (IR/D), breach readiness, remediation, SOC/CIRC redesign and proactive computer network defense. Prior to RSA, Azeem was the Director for the Centre for E-crime and earlier, led cyber security consultancy services for advanced cyber threats to the law enforcement agencies, Big 4, public sector and the private financial services.

Azeem Aleem RSA cybercrime

Which are the most targets of cyber attack actually? People, industries or companies? And which differences or similarities in the attack methods can we underline?
Aristotle (Aristotle, 384-322BC) said, “ It must be expected that something unexpected must occur” . The current time is the unexpected as we are passing through an era of phenomenon technological revolution. From the realm of the international space exploration ( Scott Kelly and Mikhail Kornienko returned on 2 March after spending 340 days in the space ) to the immense growth of the smart tablets (Apple’s iPad 2 rivals the Cray 2 supercomputer, the world’s fastest computer in 1985) highlights how technology is molding our civilisation to the new heights.

Unfortunately, crime follows opportunity and with this technological advancement we are seeing a rise in the advanced cyber attacks . These days the attacks we are seeing are more focused towards Zero day attack bringing in sophistication and complexity. Rogue Nation-state actors are on the rise and have developed a more diverse and stealthy network of operations. They are devising intelligent way of using the leak data for commercial and national security implications. The hunt for these attacks is not an easy phenomenon. Cyber Criminals are not bound with any rules; their attacks are shielded/ hidden across the organization network. Traditional perimeter is melting and the attack service is increasing which requires holistic view of how we protect the echo systems. Not in my back yard Siloed approach does not work anymore. No doubt there is a long journey for Security industry to cover however, the Security Industry leaps and bound towards maturity – Simultaneously the customer familiarity of security has increased and they now expect from vendors security as an essential discriminator.

Which are in your opinion the majors risks facing to cybercrime today for a company?
The threat landscape is shifting fast – every day there is a new threat domain that hackers have utilized to impact the organisations. We can divide the threat landscape around four main areas:

OS attacks: OS- Attacks are on the rise, they are becoming and persistent for example, attack on the windows OS PowerShell is continuing as it provides cyber criminals with the organized sophisticated exploitation capabilities. While on the other side MAC OSX leverage by bypassing the Gatekeeper using SSH reverse tunnel is on the rise.
Mobile Device: Vulnerabilities in Android OS and now IOS is on the rise- Attacks like stage freight and Xcode Ghost, which allowed malware code execution via text messaging/ video viewing in emails or browsing highlights that attackers are exhibiting innovative methods of undermining the mobile OS. Non-trusted apps are on the rise and are creating a grave concern among the organizations.
Industrial Control Systems : From the days of Slammer, Stuxnet, Shamoon etc to the recent Ukrainian (black energy) Power Grid Attacks narrate the advancement in these attacks. The shift from legacy systems towards process control networks with connectivity around enterprise and Internet is creating extensive backdoors exploit around the industrial control systems. We are seeing that organizations are even not aware of these devices connectivity pattern inside and outside their ICS environment. Attack via cloud service provider at ICS is on the rise and there is a dire need of intelligence correlations / reporting mechanism around SCADA attacks through behavioral analytics.
IoTs: The computer vacuum is difficult to get secured. IOTs have created a technological disruption development where it is difficult to contain the gene in the bottle. The revolution of IOT is already underway; businesses are under pressure to accommodate the flux of IOTs. The potential vulnerabilities from IOTs across the organization network to home appliances even stretching to medical devices can be used as additional vector exploit against the organizations. Already we are seeing evidence of IOT connections on corporate enterprise network creating 3rd party breaches frequent and simplistic. From the early days of TRENDnet camera hack, the recent growth in IOT has brought extreme anxiety across the security sector. Gartner predicts that by 2020 there would be 26 billion units installed channeling huge volume of data traffic. This will create a 50 Trillions GBS of data hovering across these technologies.
Ransomware: These are not new attacks – they been hovering around for some time. Traditionally these attacks have been targeted against SMES (small to medium size organizations) where the adversary acted on a hit and run strategy i.e. encrypt the business data and call for small amount as a ransom. Recent attacks trends have shown ransomware attacks are becoming more aggressive and diversify by attacking a multitude of attack vectors.
What can we do to protect the sensible infrastructures against possible attack? What Ukrain case has shown and what we have learned, if we have
Two areas where we are going wrong are: Preventive Mindset and Analysis Paralysis Syndrome. In the first case we need to understand the attack telemetry; while there is an agreement on the complexity of advanced attack, what we see is that organizations are still trying to protect them using traditional controls around signature based framework. Organizations are lacking in the right visibility and still relying on the traditional tools like SIEM for advanced monitoring – which is only able to detect 1% of the Advanced Attacks. We are witnessing that traditional prevention approach has become a failed strategy. You will be get breach and it is the move towards proactive defense that will enable organizations to preempt where the next attack would be forthcoming from. Comprehensive visibility for full packet capture to gather what is happening in your network is the way forward. In the second aspect what we see as those organizations that understand rational of collecting the data from end points, network flow/packets, cloud based apps and network perimeter are facing a problem flux of data. To detect the pattern they have a task of finding a needle in the haystack; they lack the capability to integrate into a single normalized platform to detect the behavioral classification of these cyber criminals.

What kind of suggestions, projects or good practices could you share or could you speak about to help people and company to implement awareness into the cybersecurity topics?
Security programmes solely focus on compliance won’t work. There is no such thing as an isolated incident and there is a need to manage the whole incident space by developing the threat intelligence capability – pervasive visibility is essential but they need to develop the capability to tackle TTPs (Tactics, Techniques & Procedures). The element of time has changed its now a matter of minutes and seconds on how do we respond to an attack. Nurturing threat intelligence capability will enable them to act as hunters, and help them classify the behaviour and pattern of cyber criminals. The value of the threat Intel is how we use it and put it to action- operationalize the platform- automating the raw data into a tangible Intel is the key. Developing the niche capability will help unveil the opponents and force the adversaries to change/edit their strategies which in turn enhancing the ability to respond. Organization requires a mindset change to develop hunting methodology and enable their staff. Breeding the right culture is very important. To nurture the hunting capabilities you need to accept mistakes. Our industry is building itself on illusions (one fix work all)- organizations need to develop filters to chalk out the white noise and follow patterns of attacks that are specific to organizations.

Changing any culture is not easy. Within the security department, training, education and new norms for doing security hunting need to be established. This may also require bringing in new staff members fresh to the new ways of doing things. It is also necessary to evangelize the new approach to those more senior staff in the organisation, to ensure that they understand and support the new approaches, as well as to those personnel and departments that interact with security. Central to this is promoting the metrics ( whether security is working or not ) so that the success (or the failure) can be clearly seen by all. Azeem Aleem has been staunch supporter of convergence and been actively writing to highlight the need for converged methodology to tackle these advanced attacks

What is your opinion about the future scenario in the cybersecurity field related to trending topics?
Development of educational route is very important to develop talent career progression. The recent move of recognizing Masters degree by GCHQ for selected 10 UK universities will enable the students to take security as a career. We need a stronger partnership among academia, public and private sector – universities students final year MSc project and PHD thesis could be an excellent route to work on Industry live work case examples. Element of research needs to be enabled by developing this partnership. For example at RSA we are working with number of universities such as Brighton, Napier and Macquarie University to develop various areas of research where university researchers can contribute towards our efforts in fights against advanced adversaries. From technology viewpoint organizations are overwhelmed with legacy technologies. This is creating an impact around productivity and creating a dizzying whirlpool of reality (that we are secured). They are getting all the alerts but no real credibility and tangible intel. Traditional Perimeter have melted away and this requires holistic view of how we protect the echo system. Closer integration of the supply chain is very important- continuous monitoring needs to be done and silted approach needs to be taken out.

Second Bank hit by Malware attack similar to $81 Million Bangladesh Heist
13.52016 Virus

SWIFT, the global Society for Worldwide Interbank Financial Telecommunications, warned on Thursday of a second malware attack similar to the Bangladesh central bank hack one that led to $81 million cyber heist.
In February, $81 Million cyberheist at the Bangladesh central bank was carried out by hacking into SWIFT, the global financial messaging system that thousands of banks and companies around the world use to transfer billions of dollars every day.
However, the hackers behind the cyber heist appear to be part of a comprehensive online attack on global banking and financial infrastructure.
The second attack involving SWIFT targeted a commercial bank, which the company declined to identify. SWIFT also did not immediately clear how much money, if any, was stolen in the attack.
However, SWIFT spokeswoman Natasha de Teran said that the second attack and the Bangladesh bank heist contained numerous similarities and were very likely part of a "wider and highly adaptive campaign targeting banks," the NY Times reported.
The malware involved in the Bangladesh cyber heist was used to manipulate logs and erase the history of the fraudulent transactions, and even prevented printers from printing the fraudulent transactions.
The malware used in the attack also has the capability to intercept and destroy incoming messages confirming the money transfers, preventing hackers to remain undetected.
SWIFT said in a statement that the attackers clearly exhibited "a deep and sophisticated knowledge of specific operation controls within the targeted banks — knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both."
News of a second attack involving SWIFT comes as law enforcement authorities in Bangladesh and elsewhere investigate the February's $81 Million cyberheist at the Bangladesh central bank account at the New York Federal Reserve Bank.
The hackers had attempted to steal $951 Million in total from Bangladesh central bank account using fraudulent transactions, but a simple typo by hackers halted the further transfers of the $850 Million funds.
SWIFT has acknowledged that the scheme involved Bangladesh cyberheist did not harm its core messaging system.
However in both the cases, insiders or hackers had successfully penetrated the targeted banks' systems, pilfering user credentials and submitting fraudulent messages that correspond with money transfers.

Mozilla asks Court to disclose Firefox Exploit used by FBI to hack Tor users
13.5.2016 Security
Mozilla has filed a brief with a U.S. District Court asking the FBI to disclose the potential vulnerabilities in its Firefox browser that the agency exploited to unmask TOR users in a criminal investigation.
Last year, the FBI used a zero-day flaw to hack TOR browser and de-anonymize users visiting child sex websites.
Now, Mozilla is requesting the government to ask the FBI about the details of the hack so that it can ensure the security of its Firefox browser.
TOR is an anonymity software that provides a safe haven to human rights activists, government, journalists but also is a place where drugs, child pornography, assassins for hire and other illegal activities has allegedly been traded.
TOR Browser Bundle is basically an Internet browser based on Mozilla Firefox configured to protect the user's anonymity via Tor and Vidalia.
In 2015, the FBI seized computer servers running the world’s largest dark web child pornography site ‘Playpen’ from a web host in Lenoir, North Carolina. However, after the seizure, the site was not immediately shut down.
Instead, the FBI agents continued to run Playpen from its own servers in Newington, Virginia, from February 20 to March 4. During that period, the agency deployed its so-called Network Investigative Technique (NIT) to identify the real IP addresses of users visiting this illegal site.
Recently, an investigation revealed that Matthew J. Edman, a former employee of TOR Project, created malware for the FBI that has been used by US law enforcement and intelligence agencies in several investigations to unmask Tor users.
The FBI hacked more than a thousand computers in the US alone and over three thousand abroad. The Internet Service Providers (ISPs) were then forced to hand over the target customer’s details, following their arrest.
Two months back, a judge ordered the FBI to reveal the complete source code for the TOR exploit that not only affected the Tor Browser, which would have likely been used to hack visitors of PlayPen, but also Firefox.
Here’s what Mozilla’s top lawyer Denelle Dixon-Thayer explained in a blog post:
"The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser. At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base."
Mozilla has now filed a motion with a US district court in Washington, asking the government to disclose the vulnerability within 14 days before any disclosure to the Defendant requiring the FBI to hand over the source code of the exploit to the defense team.
It is because Mozilla wants time to analyze the vulnerability, prepare a patch, and update its products before any malicious actor could exploit the flaw to compromise its Firefox browser, which is being used by millions of people.

Results of PoC Publishing
13.5.2016 Virus Zdroj: Kaspersky
Malware Analyst
Dreams of a Threat Actor

There are two crucial features of the Android OS protection system:

it is impossible to download a file without user’s knowledge on a clean device;
it is impossible to initialize installation of a third-party app without user’s knowledge on a clean device.
These approaches greatly complicate malware writers’ lives: to infect a mobile device, they have to resort to ruses of social engineering. The victim is literally tricked into force-installing a Trojan. This is definitely not always possible, as users become more aware, and it is not that easy to trick them.

Invisible installation of a malware app onto a mobile device without a user’s knowledge is definitely a daydream of many a malware writer. To do that, it is necessary to find and exploit an Android system vulnerability. These vulnerabilities have been found: we are talking about CVE-2012-6636, CVE-2013-4710, and CVE-2014-1939.

These vulnerabilities allow to execute any code on a device by means of a custom-made HTML page with a JavaScript code. The vulnerabilities have been closed, starting with Android 4.1.2.

It would be great to say that everything is fine now, but, alas, that is not so. We should not forget about the third feature of the Android OS: a device manufacturer is responsible for creating and deploying updates for its specific device model.

Updating the Android operating system is decentralized: each company uses its own custom version of Android, compiled with its own compilers and supplied with its own optimization and drivers. Regardless of who has found a vulnerability and whether that person has informed the OS developer about it, releasing updates is a prerogative of each manufacturer. Only manufacturers are capable of helping the users.

Nevertheless, updates are released somewhat periodically but mostly for the leading models: not all of the manufacturers actively support all of their models.

A publically available detailed description of vulnerabilities for the Android OS provides malware writers with all of the required knowledge. Incidentally, a potential victim of the vulnerability exploits can remain such for a long period of time: let us call it “an endless 0-day”. The problem can be solved only by buying a new device.

This, in particular, coupled with publically available descriptions of the vulnerabilities and examples of the vulnerabilities being exploited, incited malware writers into developing an exploit and performing drive-by attacks onto mobile devices.

Web Site Infection

Drive-by attacks on computers of unsuspecting users give a large audience to threat actors (if they manage to post a malicious code on popular web sites) as well as invisibility (inasmuch as users do not suspect being infected). Owners of compromised web sites may not suspect being infected for a long time as well.

The method of code placement and other attack features allow one to distinguish web sites infected with the same “infection”. For quite long, we observed a typical infection within a group of minimum several dozens of Russian web sites of different types and attendances, including quite well-known and popular resources (for example, web sites with a daily turn-out of 25,000 and 115,000 users). Web-site infection from this group is characterized by the usage of the same intermediate domains, the similarity of the malicious code placed onto them, the method of code placement (in most cases, it is placed on the same domain as an individual JavaScript file), as well as speed and synchronicity of changes in the code on all of the infected web sites after the malicious code has been detected.

The attack method has been standard (even though it has gone through some changes), and it has been used at least since 2014. It has been standard also owing to its targeting Windows OS users. However, some time ago, after threat actors performed a regular modification of the code on infected web sites, we discovered a new script instead of a “common” one that uploads flash exploits. It checked for the “Android 4” setting in User-Agent and operated with tools uncommon for Windows. This anomaly urged us to study the functionality of the script meticulously and watch the infection more closely.

Thus, on the 22nd of January 2016, we discovered a JavaScript code that exploited an Android vulnerability. Only within 3 days, on the 25th of January 2016, we found a new modification of this script with more threatening features.


We managed to detect two main script modifications.

Script 1: Sending SMS

The only goal of the first script is to send an SMS message to a phone number of threat actors with the word “test”. For that, the malware writers took advantage of the Android Debug Bridge (ADB) client that exists on all of the devices. The script executes a command to check for the ADB version on a device using the Android Debug Bridge Daemon (ADBD). The result of the command execution is sent to the server of the threat actors.

The code for sending an SMS is commented. In fact, it cannot be executed. However, if it is uncommented, then devices with the Android version below 4.2.2 could execute the commands given by malware writers. For newer versions of Android, the ADBD local connection (in the Loopback mode) is forbidden on the device.

Results of PoC Publishing

Sending an SMS to a regular number does not promise big losses for the victim, but nothing prevents the malware writers from replacing the test number with a premium-rate number.

The first malicious script modification should not cause any big problems for users, even if the threat actors would be able to send an SMS to a short code. Most mobile carriers have the Advice-of-Charge feature, which does not apply any charges for the first SMS to a premium-rate number: one more message with a specific text must be sent. This is impossible to do from within a JavaScript code for the specific case. This is why, most likely, a second modification of the script has appeared.

Script 2: SD-Card File

The second script, in effect, is a dropper. It drops a malicious file from itself onto an SD card.

By resorting to unsophisticated instructions, part of the script body is decrypted. First of all, separators are removed from the string:

Results of PoC Publishing

Then, the string is recorded onto an SD card into the MNAS.APK file:

Results of PoC Publishing

The string must be executed. As a result, the created app should be installed onto the system:

Results of PoC Publishing

However, this code is yet still commented.

Let us review the script in more detail. The script has a check for a specific Android version (it has to be 4).

Results of PoC Publishing

Obviously, the malware writers know which versions are vulnerable, and they are not trying to run the script on Android 5 or 6.

Just like with the first script, the second has an ADB check at the control center side:

Results of PoC Publishing

Results of PoC Publishing

In this case, the check will not affect anything; however, the ADB version is really essential, since not all of the versions support a local connection with ADBD.

We analyzed several modifications of the second script, which allowed us to track the flow of thought of the malware writers. Apparently, their main goal was to deliver the APK file to the victim.

Thus, some earlier script modifications send data about each executed command to the control center:

Results of PoC Publishing

In this case, the SD card is checked for the MNAS.lock file. If it is not there, then the script tries to create the MNAS.APK file with a zero size by using a touch utility.

In later script modifications, the task of the APK file delivery to the victim was solved by using the ECHO command, which allows to create any file with any content on a device:

Results of PoC Publishing

As a result of the ECHO command execution, a malicious APK file is created on the SD card.


The second script, in the state as we have discovered it, created and wrote a malicious file, which also needed to be executed, onto an SD card. Inasmuch as the dropper script does not contain a Trojan execution mechanism, the task has to be fulfilled by the user.

The APK file dropped from the script can be detected by Kaspersky Lab as Trojan-Spy.AndroidOS.SmsThief.ay. Since the beginning of 2016, we have managed to find four modifications of the Trojan.

Malware writers use the “example.training” name inside the Trojan code:

Results of PoC Publishing

At the same time, the malicious file has enough privileges to carry out fully fledged attacks onto the wallet of the victim by sending SMS messages:

Results of PoC Publishing

Results of PoC Publishing

The first action that the malicious code does after its execution is requesting administrator rights for the device. After obtaining the rights, it will conceal itself on the application list, thus making it difficult to detect and remove it:

Results of PoC Publishing

The Trojan will wait for incoming SMS messages. If they fall under given rules, for example, if the come from a number of one of the biggest Russian banks, then these messages will be forwarded at once to the malware writers as an SMS:

Results of PoC Publishing

Also, the intercepted messages will be forwarded to the server of the threat actors:

Results of PoC Publishing

Aside from the controlling server, the threat actors use a control number to communicate with the Trojan: the data exchange occurs within SMS messages.

The control number initially exists in the malicious code:

Results of PoC Publishing

The Trojan awaits specific commands from the control center and in SMS messages from the control number.

A command to change the control number can come from the server of threat actors:

Results of PoC Publishing

The following commands can come from a control number:

SEND: send an SMS to an indicated number with indicated text;
STOP: stop forwarding SMS messages;
START: start forwarding SMS messages.
For the moment, the functionality of the Trojan is limited to intercepting and sending SMS messages.


The task of carrying out a mass attack on mobile users is solved by infecting a popular resource that harbors a malicious code that is capable of executing any threat actors’ command on an infected mobile device. In case of the attacks described in the article, the emphasis has been placed on devices of Russian users: these devices are old and not up-to-date (notably, Russian domains have been infected).

It is unlikely that the interest of the malware writers towards drive-by attacks on mobile devices will decrease, and they will keep finding methods of carrying out these attacks.

It can be inferred that it is obvious that the attention of malware writers towards publications of research laboratories regarding the topic of Remote Code Execution vulnerabilities will increase, and the attempts to implement attacks by using mobile exploits will persist.

It is also obvious that no matter how enticing publishing is for a 0-day vulnerability, it is worth to refrain from showing detailed exploit examples (Proof of concept). Publishing the mentioned examples most likely will lead to someone creating a fully functional version of a malicious code.

There is a good news for the owners of old devices: our Kaspersky Internet Security solution is capable of protecting your device by tracking changes on the SD card in real time and removing a malicious code as soon as it is written to the SD card. Therefore, our users are protected from the threats known to Kaspersky Lab, which are delivered by the drive-by download method.

Pawn Storm hackers hit the German Christian Democratic Union party
13.5.2016 Attack

Researchers at Trend Micro discovered that Pawn Storm threat actor targeted the political party of Chancellor Angela Merkel, the Christian Democratic Union.
Security experts follow a long time the operations of the Russian-linked Pawn Storm cyber spies, aka APT 28, Sednit, Sofacy, Fancy Bear and Tsar Team.

In October 2014, security experts at Trend Micro spotted a cyber espionage operation targeting military, government and media agencies across the world.

A new cyber espionage operation targeting military, government and media agencies on a global scale has been discovered by security experts at Trend Micro. The researchers speculate the threat actors behind the campaign have been active since at least 2004 and are still running espionage campaigns.

“Pawn Storm is an active economic and political cyber-espionage operation targeting a wide range of entities, mostly those related to the military, governments, and media. Specific targets include:

Military agencies, embassies, and defense contractors in the US and its allies
Opposition politicians and dissidents of the Russian government
International media
The national security department of a US ally
wrote Trend Micro in a blog post.

Now the group has been observed targeting the political party of Chancellor Angela Merkel, the Christian Democratic Union of Germany.

Last year, the computer systems at the German Parliament Bundestag were infected by a malware developed by Pawn Storm.

A spokeswoman for the Bundestag confirmed that unknown hackers stole data during the cyber attack.

In April 2015, security experts at Trend Micro spotted a number of phishing attacks targeting members of the Christian Democratic Union (CDU) and high-profile users of German freemail providers GMX and WEB.DE.

“In April 2016, we discovered that Pawn Storm started a new attack against the German Christian Democratic Union (CDU), the political party of the Chancellor of Germany, Angela Merkel.” States Trend Micro “The attack consisted of seemingly coordinated credential phishing attacks against the CDU and high profile users of two German freemail providers.”

The hackers set up a bogus webmail server of Christian Democratic Union in Latvia with the intent to launch phishing attacks.


They also registered three domains for web.de and gmx.de with the same intent, they targeted high-profile individual users of two German free webmail providers.

The three domains are:

The experts noticed that attackers used a VPS provider registered in the United Arab Emirates that has also servers in the Netherlands and Romania. The VPS provider was linked by the experts to other campaigns conducted by the Pawn Storm around the world.

“Credential phishing is an important espionage tool: we have witnessed Pawn Storm downloading complete online e-mail boxes and securing future access by e.g. setting up a forwarding e-mail addresses secretly.” states Trend Micro.

“It is a recurring theme in recent Pawn Storm attacks; organizations get hit from different angles simultaneously. We have seen that happening time and time again against various governments, armed forces, defense companies and media.”

Experts at Trend Micro have observed more than a dozen active command and control (C&C) servers used to control a strain of espionage malware dubbed X-Agent that was used by hackers against high-value targets.

In March, the Pawn Storm targeted organizations in Turkey, including the government’s Directorate General of Press and Information, the Grand National Assembly, the newspaper Hürriyet, and the Prime Minister’s Office.

Flawed 7-Zip compression tool opens systems to hack.Update it now!
12.5.2016 Vulnerebility

Recently security experts at Cisco Talos have discovered multiple exploitable vulnerabilities in 7-Zip that open users to cyber attacks.
According to the Cisco security researcher Jaeson Schultz, multiple flaws in the 7-Zip compression tool could be exploited by hackers to gain the complete control on the target machine running the popular software.

“Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries.” states a blog post published by CISCO Talos.

The first issue discovered by the expert is an out-of-bounds read vulnerability (CVE-2016-2335)” that exists in the way 7-Zip handles Universal Disk Format (UDF) files.

“An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format files. This vulnerability can be triggered by any entry that contains a malformed Long Allocation Descriptor,” states Talos.

7-Zip flaws

The experts at CISCO discovered also a second heap overflow vulnerability (CVE-2016-2334) that exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip.

The expert reported the security issues to the maintainers of the open source 7-Zip platform that promptly worked to a patch. Schultz explained that attackers could exploit the flaw to compromise updated machines and get the same access rights as the logged-in users.

“Anytime the vulnerable code is being run by any sort of privileged account, an attacker can exploit the vulnerability and execute code under those same permissions,” explained Schultz. “A fully patched Windows 10 box lacking the 7-Zip fixes would not help you.” continues the post. “An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFilemethod functionality of 7-Zip.” “There is no check whether the size of the block is bigger than size of the buffer buf, which can result in a malformed block size which exceeds the mentioned buf size. This will cause a buffer overflow and subsequent heap corruption.”

The issues are caused by the failure of input validation process, but the most worrisome aspect of the story is that several software solutions rely on the 7-Zip compression tool. By simply querying Google for the 7-Zip licence (http://7-zip.org/license.txt) it is possible to retrieve a long list of solutions that use it.

“This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”

Users are urged to update their 7-Zip software to the latest version 16.00.

Root Kernel Backdoor found in China-made Popular ARM Processors
12.5.2016 Virus

Secret Kernel Backdoor found in China-made Popular ARM Processors
How to Hack an Android device?
It is possibly one of the most frequently asked questions on the Internet.
Although it's not pretty simple to hack an Android device, sometimes you just get lucky to find a backdoor access.
Thanks to Allwinner, a Chinese ARM system-on-a-chip maker, which has recently been caught shipping a version of Linux Kernel with an incredibly simple and easy-to-use built-in root backdoor.
Chinese fabless semiconductor company Allwinner is a leading supplier of application processors that are used in many low-cost Android tablets, ARM-based PCs, set-top boxes, and other electronic devices worldwide.
Simple Backdoor Exploit to Hack Android Device
All you need to do to gain root access of an affected Android device is…
Send the text "rootmydevice" to any undocumented debugging process.
The local privileges escalation backdoor code for debugging ARM-powered Android devices managed to make its way in shipped firmware after firmware makers wrote their own kernel code underneath a custom Android build for their devices, though the mainstream kernel source is unaffected.
The backdoor code is believed to have been left by mistake by the authors after completing the debugging process.
For exploiting this issue, any process running with any UID can be converted into root easily by simply using the following command:
echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug
The Linux 3.4-sunxi kernel was originally designed to support the Android operating system on Allwinner ARM processors for tablets, but later it was used to port Linux to many Allwinner processors on boards like Banana Pi micro-PCs, Orange Pi, and other devices.
At the forum of the Armbian operating system, a moderator who goes by the name Tkaiser noted that the backdoor code could remotely be exploitable "if combined with networked services that might allow access to /proc."
This security hole is currently present in every operating system image for A83T, H3 or H8 devices that rely on kernel 3.4, he added.
This blunder made by the company has been frustrating to many developers. Allwinner has also been less transparent about the backdoor code. David Manouchehri released the information about the backdoor through its own Github account (Pastebin) and then apparently deleted it.

Bad actors used a Windows zero-day in financial attacks
12.5.2016 Vulnerebility

In March 2016 experts from FireEye spotted a malicious campaign conducted by a financially motivated threat actor that leveraged on a zero-day exploit.
According to security experts at FireEye, a sophisticated criminal organization targeted more than 100 organizations in North America. Most of the victims are in the retail, hospitality and restaurant sectors. Threat actor leverages windows zero-day exploit in payment card data attacks.

The attackers relied on a zero-day privilege escalation vulnerability affecting Windows systems, hackers used spear-phishing emails and malicious macro-enabled Word documents to deliver the threat PUNCHBUGGY.

PoS zero-day

PUNCHBUGGY is a DLL downloader that used to compromise the target and move laterally within the victim’s network. The criminal crew also used a new point-of-sale (PoS) malware dubbed “PUNCHTRACK.” The malware is a memory scraper that is able to capture both Track 1 and Track 2 payment card data.

“FireEye identified more than 100 organizations in North America that fell victim to this campaign. FireEye investigated a number of these breaches and observed that the threat actor had access to relatively sophisticated tools including a previously unknown elevation of privilege (EoP) exploit and a previously unnamed point of sale (POS) memory scraping tool that we refer to as PUNCHTRACK. ” states FireEye. “Designed to scrape both Track 1 and Track 2 payment card data, PUNCHTRACK is loaded and executed by a highly obfuscated launcher and is never saved to disk.”

As reported by FireEye, in some of the attacks the criminal organization exploited a local privilege escalation vulnerability in Windows (CVE-2016-0167). The CVE-2016-0167 flaw was exploited by hackers to run malicious code with SYSTEM privileges.

The flaw was unknown at the time of the attacks, experts at FireEye worked with Microsoft to fix the issue on April 12, 2016. Patch Tuesday (MS16-039).

FireEye confirmed that the flaw was exploited in limited, targeted attacks dating back to March 8.

“This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of a [privilege escalation] exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication,” continues FireEye in the post.

Covert Communication Techniques Used By Next Gen High Tech Terrorists
12.5.2016 Crime

With the advent of technology, terrorists have changed their strategies and converted themselves into high-tech & sophisticated groups.
“While Osama Bin Laden had his fingers on the trigger, his children have their fingers on the mouse.”


Until now people have fought for food, water or territory, but today the definition and motivation of fighting is changed i.e. terrorism. Terrorists often strike soft targets such innocent citizens and government infrastructure. The aim of terrorists is to turn people against the government. Terrorists are ahead of the Law Enforcement Agencies adapting to latest changing technology and use it as a medium to spread terror across the globe. In the recent past, terrorists had been physically present to carry out acts of terrorism. But with the advent of technology, they have changed their strategies and converted themselves into high-tech & sophisticated groups to name a few like ISIS and Al Qaeda. They have their own cyber cells and command & control centers, which are used to monitor and control their activities. This article throws light on covert communication techniques used by terrorists to communicate using various techniques.


The increased dependency on communication and data networks, storage of information in cyber domain and their vulnerabilities to the outside world, lack of mutual consent between countries on effective control of operations in cyber domain has brought a new type of threat. Cyberspace the fifth space of warfare after land, sea, air, and space is all about the computer networks in the world and everything they connect and control via cable, fiber-optic or wireless. The internet is used for interconnecting people, including terrorists who are amongst the first to use the latest technologies even before the government agencies.

The Hyderabad Police arrested three students on 26 Dec2015 for allegedly planning to join ISIS and had “decided” to meet separatist leader Asiya Andrabi’s to seek her help to enter Pakistan-occupied Kashmir e route to Syria. ‘Youtube’ was used as a communication medium to seek help from Asiya Andrabi. In another case Delhi Police on 29 Dec 2015 arrested a former Indian Air Force official from Punjab for allegedly sharing secret documents with Pakistan’s ISI after he was “honey trapped” by a woman with links to the spy agency. Ranjith was allegedly introduced to the spy ring by an unidentified woman whom he had met over a social networking site and shared information through a fake ‘Facebook’ account.

In May 2015, when two terrorists attempted to kill a whole bunch of people in Garland, Texas, they were stopped by local law enforcement it was revealed that the morning before one of those terrorists exchanged 109 messages with an overseas terrorist. The government agencies replied, “We have no idea what he said because those messages were encrypted. That’s a big problem, and we have to grapple with it.” So here encryption played a role in the obstruction and helped in secure communication between the terrorists. In Paris Massive attack ISIS used encrypted communications via TOR and social media. For communication purpose, they used Telegram like apps, which securely communicate the messages to the other group members involved in that attack.

During the Mumbai attacks on November 2008, 10 Pakistani members of Lashkar-e-Taiba, an Islamic militant organization based in Pakistan, carried out a series of 12 coordinated shooting and bombing attacks lasting four days across Mumbai. They used GPS based maps; Satellite based phones for the communication purpose and live telecasts to monitor the event. The communication medium changed during every stage the attack. Thus it becomes very difficult for the Law Enforcement Agencies to hunt them down.

A study has shown that the commonly terrorists communicate through normal network channel using secret encoding techniques, which may not be traced out by Intelligence agencies i.e. Steganography and Hidden watermarking. These techniques with high tech encrypted communication may not be traced out through interception. They have analyzed the various social media platforms and categorized them so that their sympathizers can use these platforms with caution.

Practical Case Study Scenarios

High tech terrorist groups like LET, ISIS, etc. are using techniques such as steganography and watermarking for communicating covertly with each other. Some of the examples are discussed with actual implementations.

Common Techniques.
Using Mores Codes or DTMF audio files to send confidential codes.
Barcodes or QR Codes for GPS coordinates or location, map, auto message.
DTMF & Morse Code For Covert Communication Of Code Exchange

A person had recently identified as a suspected terrorist named Tom Corty. He was suspected of stealing missile activation codes from the Air force, which were handed to officials for a brief period of time. If suspect misuses the code then Air force may have to face some serious trouble. Thumb drive of Tom was found in formatted state and the same was used to store the activation code. Fortunately, the system had made a backup image of the drive. One of the Investigators handles this case, for getting activation code details.

The file name is win7.bak, which is back up of windows FAT file system machine. Investigator creates an image file of that backup file for fetching potential artifacts.


Found Encrypted Archive File

terrorists 2

DTMF Code Audio File Is There In Encrypted Archive File

terrorists 3

DTMF Code is Decoded

terrorists 4

The Code Is Decoded i.e. AA6B A4A8 3C67 DDC7

Thus investigator successfully fetched the activation code detail from the above-mentioned code.

Barcodes or Qr Codes For GPS Coordinates or Location, Map, Auto Message

Barcode generally has 12- to 20-digit number. It is primarily used for serial numbers, pricing and inventory control of the products worldwide. The most common barcode in North America is the 12-digit Universal Product Code (UPC) code. UPC codes used with groceries and books and could be used to track any merchandise if needed. Marketers track consumer choices by analyzing what they are purchasing. With the advent of free barcode scanners on mobile devices, marketers can also pinpoint what age groups are buying what.

But barcode or Quick response code may also be used for communication too. If any terrorist group wants to communicate via covert communication, they can use this technology as a secure message passing system. Figure below shows the meeting will be held at Theatre Royal at 24 February 2016.

terrorists 5

Qr Code of Meeting Place

Hacker reports Vulnerability in Mr. Robot Season 2 Website
12.5.2016 Hacking

Mr. Robot was the biggest 'Hacking Drama' television show of 2015 and its second season will return to American TV screens on Wednesday 13th of July 2016.
However, the new promotional website for season two of Mr. Robot has recently patched a security flaw that could have easily allowed a hacker to target millions of fans of the show.
A White Hat hacker going by the alias Zemnmez discovered a Cross-Site Scripting (XSS) vulnerability in Mr. Robot website on Tuesday, the same day Mr. Robot launched a promo for its second series.
The second season of the television show had already received praise from both critics and viewers for its relatively accurate portrayal of cyber security and hacking, something other cyber crime movies and shows have failed at badly.
The new series also features a surprising yet welcome guest: President Barack Obama, who is giving a speech about a cyber threat faced by the nation.
The flaw Zemnmez discovered on the show's website could have given him the ability to perform many malicious tasks, but being a white hat, the hacker responsibly reported the XSS flaw to Sam Esmail, the creator of Mr. Robot series, Forbes reported.
USA Network’s owner NBC Universal confirmed that the website was patched late Tuesday night, hours after Zemnmez reported the flaw.
According to Zemnmez, the flaw could allow an attacker to inject malicious Javascript to steal user information, including Facebook data that Mr. Robot website visitors enter to participate in its quiz.
"A threat actor with XSS on whoismrrobot.com could [have used] the XSS to inject Javascript, which inherits the ability to read Facebook information from the fsociety game," Zemnmez told Forbes. "This could be done mostly silently if correctly engineered with a short popup window."
Also, the flaw could also be exploited using some simple social engineering technique like phishing to get site victims to click on a malicious link that executes the Javascript code, enabling attackers to steal Facebook user's real name, email address, photos and pictures they are tagged in, Zemnmez added.

Old flaw exposes SAP BUSINESS Applications across the world
12.5.2016 Vulnerebility

Security experts collected evidence that up to 36 global organizations have been hacked via exploits against an old flaw in SAP Business Applications
A five-year-old flaw in SAP software is threatening business worldwide, at least 36 global organizations have been hacked via exploits used to trigger a vulnerability in SAP Business Applications.

The flaw resides on the SAP application layer, this means that it is independent of the operating system and database application that support the SAP system.

Affected organizations operated in several industries, including energy, steel manufacturing, telecommunications, utilities, retail, and automotive.

As we have anticipated, it is an old vulnerability that was patched more than five years ago by SAP in 2010. The flaw affects the built-in functionality in SAP NetWeaver Application Server Java systems.

Experts from Onapsis security firm confirmed the existence of indicators of exploitation against 36 large-scale global enterprises across the world.

Unauthenticated remote hackers could exploit the vulnerability in SAP BUSINESS apps to gain full access to the vulnerable platforms, resulting in the disclosure of business data and processes.

“The exploitation of the SAP systems of at least 36 global organizations was publicly disclosed during 2013-2016 at a digital forum registered in China. In early 2016, we became aware of this issue after we noticed common similarities within the results of initial Onapsis Security Platform scans at SAP customers, together with indicators of compromise found at SAP forensics & incident response engagements.” reads a blog post published by the Onapsis. “The Onapsis Research Labs decided to dig deeper into this topic and realized that public information about these exploitations had been sitting in the public domain for several years. As our research indicates, companies could be actively being exploited.”

Affected companies are located in many countries, including the United States, UK, China, Germany, India, Japan, and South Korea.

SAP business applications

Experts at Onapsis believe that it is crucial to share this information within the security industry and report the situation to the affected businesses.

The US Computer Emergency Readiness Team issued a specific Alert (TA16-132A) on the discovery made by the experts at Onapsis.

“The observed indicators relate to the abuse of the Invoker Servlet, a built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms). The Invoker Servlet contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems.” states the US-CERT.

“The Invoker Servlet contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems,” US-CERT warned.

The US CERT published the list of the SAP business solutions that may be affected by the flaw:

SAP Enterprise Resource Planning (ERP)
SAP Product Life-cycle Management (PLM)
SAP Customer Relationship Management (CRM)
SAP Supply Chain Management (SCM)
SAP Supplier Relationship Management (SRM)
SAP Enterprise Portal (EP)
SAP Process Integration (PI)
SAP Exchange Infrastructure (XI)
SAP Solution Manager (SolMan)
SAP NetWeaver Business Warehouse (BW)
SAP Business Intelligence (BI)
SAP NetWeaver Mobile Infrastructure (MI)
SAP NetWeaver Development Infrastructure (NWDI)
SAP Central Process Scheduling (CPS)
SAP NetWeaver Composition Environment (CE)
SAP NetWeaver Enterprise Search
SAP NetWeaver Identity Management (IdM)
SAP Governance, Risk & Control 5.x (GRC)

WhatsApp launches Desktop Software for Windows and Mac Users
11.5.2016 IT

 The most popular messaging app WhatsApp now has a fully functional desktop app – both for Mac as well as Windows platform.
Facebook-owned WhatsApp messaging software has been a mobile-only messaging platform forever, but from Tuesday, the company is offering you its desktop application for both Windows and OS X.
Few months back, WhatsApp launched a Web client that can be run through your browser to use WhatsApp on your desktop, but now users running Windows 8 or Mac OS 10.9 and above can use the new desktop app that mirrors WhatsApp messages from a user's mobile device.
According to the company's blog post, the WhatsApp desktop app is similar to WhatsApp Web with synchronized conversations and messages
Since WhatsApp desktop app is native for both Windows and OS X platform, it can support desktop notifications and keyboard shortcuts.
WhatsApp has been rising at an extraordinary pace recently. The service has over 1 Billion monthly active users.
At the beginning of the year, the company removed its yearly $1 subscription fee. Just last month, the company rolled out end-to-end encryption for all its users' communication by default.
Here's how to Download WhatsApp Desktop Software:
WhatsApp launches Desktop Software for Windows and Mac Users
Users running Windows 8 (or newer) or OS X 10.9 (or newer) can download WhatsApp desktop app available for direct downloading.
Once Downloaded, open the WhatsApp desktop app.
Scan the QR code with your mobile phone to Sync your device.
Now enjoy WhatsApping your friends and family straight from your desktop.

Facebook Open Sources its Capture the Flag (CTF) Platform
11.5.2016 Social Site
Hacking into computer, networks and websites could easily land you in jail. But what if you could freely test and practice your hacking skills in a legally safe environment?
Facebook just open-sourced its Capture The Flag (CTF) platform to encourage students as well as developers to learn about cyber security and secure coding practices.
Capture the Flag hacking competitions are conducted at various cyber security events and conferences, including Def Con, in order to highlight the real-world exploits and cyber attacks.
The CTF program is an effective way of identifying young people with exceptional computer skills, as well as teaching beginners about common and advanced exploitation techniques to ensure they develop secure programs that cannot be easily compromised.
Facebook CTF Video Demo:

Since 2013, Facebook has itself hosted CTF competitions at events across the world and now, it is opening the platform to masses by releasing its source code on GitHub.
"We built a free platform for everyone to use that takes care of the backend requirements of running a CTF, including the game map, team registration, and scoring," said Gulshan Singh, Software Engineer at Facebook Threat Infrastructure.
In general, Capture The Flag competition hosts a series of security challenges, where participants have to hack into defined targets and then defending them from other skilled hackers.
"The current set of challenges include problems in reverse-engineering, forensics, web application security, cryptography, and binary exploitation. You can also build your own challenges to use with the Facebook platform for a customized competition," Mr. Singh said.
Many institutions and organizations now have realized that gamification of cyber security and hacking is beyond the traditional ways to train your mental muscles and keep sharp your skills that otherwise only come up when doomsday scenarios happen.

Pornhub Launches Bug Bounty Program; Offering Reward up to $25,000
11.5.2016 Safety

With the growing number of cyber attacks and data breaches, a significant number of companies and organizations have started Bug Bounty Programs to encourage hackers and security researchers to find and responsibly report bugs in their services and get a reward.
Now, even pornography sites are starting to embrace bug bounty practices in order to safeguard its user's security.
The world's most popular pornography site PornHub has launched a bug bounty program for security researchers and bug hunters who can find and report security vulnerabilities in its website.
Partnered with HackerOne, PornHub is offering to pay independent security researchers and bug hunters between $50 and $25,000, depending upon the impact of vulnerabilities they find.
Also Read: 10-year-old Boy becomes the youngest Bug Bounty Hacker.
HackeOne is a bug bounty startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even the United States Department of Defense for Hack the Pentagon initiative.
"Like other major tech players have been doing as of late, we’re tapping some of the most talented security researchers as a proactive and precautionary measure – in addition to our dedicated developer and security teams – to ensure not only the security of our site but that of our users, which is paramount to us," said PornHub Vice President Corey Price.
"The brand new program provides some of our developer-savvy fans a chance to earn some extra cash – upwards to $25K – and the opportunity to be included in helping to protect and enhance the site for our 60 Million daily visitors."
How to Earn $25,000 Reward
To qualify for a bounty reward, security researchers and bug hunters must meet the following requirements:
Be the first to report a security bug directly related to the company infrastructure.
Send a description of your bug report, explaining the type of vulnerability and how it works.
Include screenshots and proof of concept code to substantiate your claim.
Disclose your finding directly and exclusively with Pornhub.
The company is currently considering serious flaws that could compromise its server and entire website.
Vulnerabilities such as cross-site request forgery (CSRF), information disclosure, cross domain leakage, XSS attacks via Post requests, HTTPS related (such as HSTS), HttpOnly and Secure cookie flags, missing SPF records and session timeout will not be considered for the bounty program.
The bounty program has currently been in a beta phase, with the company extending it via invite only. You can read complete eligibility for the bounty program on HackerOne website.